User Guide for Cisco Security Manager 4.4
February 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface lvii
Conventions lvii
Obtaining Documentation, Obtaining Support, and Security Guidelines lviii
CHAPTER 1 Getting Started with Security Manager 1-1
Product Overview 1-1
Primary Benefits of Cisco Security Manager 1-2
Security Manager Policy Feature Sets 1-4
Security Manager Applications Overview 1-6
Device Monitoring Overview 1-6
IPv6 Support in Security Manager 1-7
Policy Object Changes in Security Manager 4.
Edit Menu (Configuration Manager) 1-29
View Menu (Configuration Manager) 1-30
Policy Menu (Configuration Manager) 1-30
Map Menu (Configuration Manager) 1-31
Manage Menu (Configuration Manager) 1-32
Tools Menu (Configuration Manager) 1-33
Activities Menu (Configuration Manager) 1-34
Tickets Menu (Configuration Manager) 1-34
Launch Menu (Configuration Manager) 1-35
Help Menu (Configuration Manager) 1-36
Toolbar Reference (Configuration Manager) 1-36
Using Global Search 1-39
Using Selectors 1-42
Filt
Setting Up CNS on Cisco IOS Routers in Event-Bus Mode 2-9
Setting Up CNS on Cisco IOS Routers in Call-Home Mode 2-10
Configuring Licenses on Cisco ASA Devices 2-11
Configuring Licenses on Cisco IOS Devices 2-12
Initializing IPS Devices 2-12
CHAPTER 3 Managing the Device Inventory 3-1
Understanding the Device Inventory 3-1
Understanding the Device View 3-1
Understanding Device Names and What Is Considered a Device 3-3
Understanding Device Credentials 3-4
Understanding Device Properties 3-6
Showing Device Containment 3-53
Cloning a Device 3-54
Deleting Devices from the Security Manager Inventory 3-55
Device Delete Validation Dialog Box 3-56
Working with Device Groups 3-57
Understanding Device Grouping 3-57
Edit Device Groups Dialog Box 3-58
Creating Device Group Types 3-59
Creating Device Groups 3-60
Deleting Device Groups or Group Types 3-60
Adding Devices to or Removing Them From Device Groups 3-60
Working with Device Status View 3-61
CHAPTER 4 Managing Activities 4-1
Unde
Service Policies vs. Platform-Specific Policies 5-2
Local Policies vs. Shared Policies 5-3
Understanding Rule Inheritance 5-4
Inheritance vs.
Creating a New Shared Policy 5-51
Modifying Policy Assignments in Policy View 5-51
Deleting a Shared Policy 5-53
Managing Policy Bundles 5-53
Creating a New Policy Bundle 5-54
Cloning a Policy Bundle 5-55
Renaming a Policy Bundle 5-55
Assigning Policy Bundles to Devices 5-56
CHAPTER 6 Managing Policy Objects 6-1
Selecting Objects for Policies 6-2
Policy Object Manager 6-4
Policy Object Manager: Undocking and Docking 6-8
Policy Object Manager Shortcut Menu 6-8
Working with Policy Objects
AAA Server Dialog Box—LDAP Settings 6-37
AAA Server Dialog Box—NT Settings 6-40
AAA Server Dialog Box—SDI Settings 6-40
AAA Server Dialog Box—HTTP-FORM Settings 6-41
Add and Edit LDAP Attribute Map Dialog Boxes 6-43
Add and Edit LDAP Attribute Map Value Dialog Boxes 6-44
Add and Edit Map Value Dialog Boxes 6-44
Creating AAA Server Group Objects 6-45
AAA Server Group Dialog Box 6-46
Creating Access Control List Objects 6-49
Creating Extended Access Control List Objects 6-50
Creating Standard Access
Configuring Port List Objects 6-87
Configuring Service Objects 6-89
How Policy Objects are Provisioned as Object Groups 6-91
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups 6-92
How Service Objects are Provisioned as Object Groups 6-92
CHAPTER 7 Managing FlexConfigs 7-1
Understanding FlexConfig Policies and Policy Objects 7-2
Using CLI Commands in FlexConfig Policy Objects 7-2
Using Scripting Language Instructions 7-3
Scripting Language Example 1:
Deployment Task Flow in Workflow Mode 8-5
Job States in Workflow Mode 8-6
Deployment Job Approval 8-7
Deployment Jobs and Multiple Users 8-8
Including Devices in Deployment Jobs or Schedules 8-8
Understanding Deployment Methods 8-8
Deploying Directly to a Device 8-9
Deploying to a Device through an Intermediate Server 8-10
Deploying to a File 8-11
Understanding How Out-of-Band Changes are Handled 8-12
Handling Device OS Version Mismatches 8-13
Overview of the Deployment Manager and Configuration A
Suspending or Resuming Deployment Schedules 8-55
Adding Configuration Versions from a Device to the Configuration Archive 8-55
Viewing and Comparing Archived Configuration Versions 8-56
Configuration Version Viewer 8-56
Viewing Deployment Transcripts 8-58
Rolling Back Configurations 8-59
Understanding Configuration Rollback 8-59
Understanding Rollback for Devices in Multiple Context Mode 8-61
Understanding Rollback for Failover Devices 8-61
Understanding Rollback for Catalyst 6500/7600 Devices 8
CHAPTER 10 Managing the Security Manager Server 10-1
Overview of Security Manager Server Management and Administration 10-1
Managing a Cluster of Security Manager Servers 10-2
Overview of Security Manager Server Cluster Management 10-2
Splitting a Security Manager Server 10-3
Synchronizing Shared Policies Among Security Manager Servers 10-4
Exporting the Device Inventory 10-5
Exporting the Device Inventory from the Security Manager Client 10-6
Supported CSV Formats for Inventory Import/Expor
Deployment Page 11-9
Device Communication Page 11-16
Add Certificate Dialog Box 11-19
Device Groups Page 11-20
Discovery Page 11-21
Event Management Page 11-22
Health and Performance Monitoring Page 11-25
Identity Settings Page 11-26
Image Manager Page 11-28
IPS Updates Page 11-30
Edit Update Server Settings Dialog Box 11-34
Edit Auto Update Settings Dialog Box 11-37
Edit Signature Download Filter Settings Dialog Box 11-38
ISE Settings Page 11-39
Licensing Page 11-40
CSM Tab, Licens
ACL Naming Conventions 12-5
Resolving ACL Name Conflicts Between Policies 12-6
Managing Your Rules Tables 12-7
Using Rules Tables 12-7
Adding and Removing Rules 12-9
Editing Rules 12-9
Adding or Editing Address Cells in Rules Tables 12-11
Adding or Editing User Cells in Rules Tables 12-12
Adding or Editing Services Cells in Rules Tables 12-12
Adding or Editing Interfaces or Zones Cells in Rules Tables 12-13
Editing Category Cells in Rules Tables 12-14
Editing Description Cells in Rules Tables 12
Configuring Identity Options 13-15
Creating Identity User Group Objects 13-19
Selecting Identity Users in Policies 13-21
Configuring Identity-Based Firewall Rules 13-21
Configuring Cut-Through Proxy 13-23
Collecting User Statistics 13-25
Filtering VPN Traffic with Identity-Based Rules 13-26
Monitoring Identity Firewall Policies 13-27
CHAPTER 14 Managing TrustSec Firewall Policies 14-1
Overview of TrustSec Firewall Policies 14-1
Understanding SGT and SXP Support in Cisco TrustSec 14-2
Roles i
Clear Connection Configuration Dialog Box 15-22
AAA Firewall Page, MAC-Exempt List Tab 15-23
Firewall AAA MAC Exempt Setting Dialog Box 15-24
AAA Page 15-25
Firewall AAA IOS Timeout Value Setting 15-27
CHAPTER 16 Managing Firewall Access Rules 16-1
Understanding Access Rules 16-1
Understanding Global Access Rules 16-3
Understanding Device Specific Access Rule Behavior 16-4
Understanding Access Rule Address Requirements and How Rules Are Deployed 16-5
Configuring Access Rules 16-7
Access Rul
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices 17-4
Configuring Inspection Rules 17-5
Inspection Rules Page 17-7
Add or Edit Inspect/Application FW Rule Wizard 17-10
Add or Edit Inspect/Application FW Rule Wizard, Step 2 17-12
Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page
Configure DNS Dialog Box 17-18
Configure SMTP Dialog Box 17-18
Configure ESMTP Dialog Box 17-18
Configure Fragments Dialog Box 17-19
Configure IMAP or POP3 Dialog Boxes 17-
HTTP Map Port Misuse Tab 17-56
HTTP Map Transfer Encoding Tab 17-57
Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices 17-58
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes 17-59
Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices 17-64
IM Class and Policy Map (ASA 7.2+/PIX 7.
CHAPTER 19 Managing Firewall Botnet Traffic Filter Rules 19-1
Understanding Botnet Traffic Filtering 19-1
Task Flow for Configuring the Botnet Traffic Filter 19-2
Configuring the Dynamic Database 19-4
Adding Entries to the Static Database 19-5
Enabling DNS Snooping 19-6
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Botnet Traffic Filter Rules Page 19-9
Dynamic Blacklist Configuration Tab 19-10
Traffic Classification Tab 19-11
BTF Enable Rules Editor 19-12
BTF Drop
HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes 21-21
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes 21-23
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes 21-24
SMTP Class Maps Add or Edit Match Criterion Dialog Boxes 21-25
Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes 21-28
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes 21-28
N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes 21-29
Configuring Inspect Parameter Map
Edit Transparent Mask Dialog Box 22-7
CHAPTER 23 Configuring Network Address Translation 23-1
Understanding Network Address Translation 23-2
Types of Address Translation 23-3
About “Simplified” NAT on ASA 8.
Understanding and Configuring VPN Default Policies 24-12
Using Device Overrides to Customize VPN Policies 24-13
Understanding VRF-Aware IPsec 24-14
VRF-Aware IPsec One-Box Solution 24-14
VRF-Aware IPsec Two-Box Solution 24-15
Enabling and Disabling VRF on Catalyst Switches and 7600 Devices 24-17
Accessing Site-to-Site VPN Topologies and Policies 24-17
Site-to-Site VPN Manager Window 24-18
Configuring VPN Topologies in Device View 24-19
Site-To-Site VPN Discovery 24-19
Supported and Unsupported T
CHAPTER 25 Configuring IKE and IPsec Policies 25-1
Overview of IKE and IPsec Configurations 25-2
Comparing IKE Version 1 and 2 25-4
Understanding IKE 25-5
Deciding Which Encryption Algorithm to Use 25-6
Deciding Which Hash Algorithm to Use 25-6
Deciding Which Diffie-Hellman Modulus Group to Use 25-7
Deciding Which Authentication Method to Use 25-8
Configuring an IKE Proposal 25-9
Configuring IKEv1 Proposal Policy Objects 25-10
Configuring IKEv2 Proposal Policy Objects 25-13
Understanding IPs
IKEv2 Authentication (Override) Dialog Box 25-66
CHAPTER 26 GRE and DM VPNs 26-1
Understanding the GRE Modes Page 26-1
GRE and Dynamic GRE VPNs 26-2
Understanding GRE 26-2
Advantages of IPsec Tunneling with GRE 26-3
How Does Security Manager Implement GRE? 26-3
Prerequisites for Successful Configuration of GRE 26-3
Understanding GRE Configuration for Dynamically Addressed Spokes 26-5
Configuring IPsec GRE VPNs 26-5
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs 26-6
Dynamic Multipo
CHAPTER 28 Group Encrypted Transport (GET) VPNs 28-1
Understanding Group Encrypted Transport (GET) VPNs 28-2
Understanding the GET VPN Registration Process 28-4
Choosing the Rekey Transport Mechanism 28-6
Configuring Redundancy Using Cooperative Key Servers 28-7
Configuring Fail-Close to Protect Registration Failures 28-8
Understanding the GET VPN Security Policy and Security Associations 28-10
Understanding Time-Based Anti-Replay 28-11
Configuring GET VPN 28-12
Generating and Synchronizi
Create Group Policy Wizard—Full Tunnel Page 29-20
Create Group Policy Wizard—Clientless and Thin Client Access Modes Page 29-22
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (ASA and PIX 7.
SSL VPN Access Policy Page 30-37
Configuring an Access Policy 30-40
Configuring Other SSL VPN Settings (ASA) 30-41
Configuring SSL VPN Performance Settings (ASA) 30-42
Configuring SSL VPN Content Rewrite Rules (ASA) 30-43
Configuring SSL VPN Encoding Rules (ASA) 30-45
Configuring SSL VPN Proxies and Proxy Bypass (ASA) 30-47
Configuring SSL VPN Browser Plug-ins (ASA) 30-50
Understanding SSL VPN AnyConnect Client Settings 30-52
Configuring SSL VPN AnyConnect Client Settings (ASA) 30-53
Understanding
Cisco Secure Desktop Manager Policy Editor Dialog Box 31-40
CHAPTER 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices 32-1
Overview of Remote Access VPN Policies for IOS and PIX 6.3 Devices 32-2
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) 32-3
IPsec Proposal Editor (IOS, PIX 6.
Add and Edit Post Parameter Dialog Boxes 33-36
Add and Edit SSL VPN Customization Dialog Boxes 33-37
SSL VPN Customization Dialog Box—Title Panel 33-39
SSL VPN Customization Dialog Box—Language 33-40
Add and Edit Language Dialog Boxes 33-42
SSL VPN Customization Dialog Box—Logon Form 33-42
SSL VPN Customization Dialog Box—Informational Panel 33-43
SSL VPN Customization Dialog Box—Copyright Panel 33-44
SSL VPN Customization Dialog Box—Full Customization 33-45
SSL VPN Customization Dialog Box—Tool
CHAPTER 34 Using Map View 34-1
Understanding Maps and Map View 34-1
Understanding the Map View Main Page 34-2
Map Toolbar 34-4
Using the Navigation Window 34-4
Maps Context Menus 34-5
Managed Device Node Context Menu 34-5
Multiple Selected Nodes Context Menu 34-6
VPN Connection Context Menu 34-6
Layer 3 Link Context Menu 34-7
Map Object Context Menu 34-7
Map Background Context Menu 34-7
Access Permissions for Maps 34-8
Working With Maps 34-8
Creating New or Default Maps 34-9
Opening Maps 34-10
Editing VPN Policies or Peers From the Map 34-22
Managing Device Policies in Map View 34-22
Performing Basic Policy Management in Map View 34-22
Managing Firewall Policies in Map View 34-23
Managing Firewall Settings in Map View 34-23
CHAPTER 35 Getting Started with IPS Configuration 35-1
Understanding IPS Network Sensing 35-1
Capturing Network Traffic 35-2
Correctly Deploying the Sensor 35-4
Tuning the IPS 35-4
Overview of IPS Configuration 35-5
Identifying Allowed Hosts 35-7
Configuri
Promiscuous Mode 36-2
Inline Interface Mode 36-3
Inline VLAN Pair Mode 36-3
VLAN Group Mode 36-4
Deploying VLAN Groups 36-5
Configuring Interfaces 36-6
Understanding the IPS Interfaces Policy 36-6
Viewing a Summary of IPS Interface Configuration 36-8
Configuring Physical Interfaces 36-10
Modify Physical Interface Map Dialog Box 36-11
Configuring Bypass Mode 36-12
Configuring CDP Mode 36-13
Configuring Inline Interface Pairs 36-13
Configuring Inline VLAN Pairs 36-14
Configuring VLAN Groups 36-15
C
Enabling and Disabling Signatures 38-10
Editing Signatures 38-11
Edit Signature or Add Custom Signature Dialog Boxes 38-12
Adding Custom Signatures 38-16
Engine Options 38-17
Cloning Signatures 38-18
Editing Signature Parameters (Tuning Signatures) 38-19
Edit Signature Parameters Dialog Box 38-21
Editing the Component List for Meta Engine Signatures 38-25
Obsoletes Dialog Box 38-26
Configuring Signature Settings 38-27
CHAPTER 39 Configuring Event Action Rules 39-1
Understanding the IPS Event
Understanding Anomaly Detection Thresholds and Histograms 40-9
Configuring Anomaly Detection Thresholds and Histograms 40-11
Dest Port or Protocol Map Dialog Box 40-12
Histogram Dialog Box 40-13
CHAPTER 41 Configuring Global Correlation 41-1
Understanding Global Correlation 41-1
Understanding Reputation 41-2
Understanding Network Participation 41-3
Global Correlation Requirements and Limitations 41-4
Configuring Global Correlation Inspection and Reputation
Configuring Network Participation
Manually Applying IPS Updates 43-7
Managing IPS Certificates 43-10
Rebooting IPS Sensors 43-11
CHAPTER 44 Configuring IOS IPS Routers 44-1
Understanding Cisco IOS IPS 44-1
Understanding IPS Subsystems and Support of IOS IPS Revisions 44-2
Cisco IOS IPS Signature Scanning with Lightweight Signatures 44-2
Router Configuration Files and Signature Event Action Processor (SEAP) 44-3
Cisco IOS IPS Limitations and Restrictions 44-3
Overview of Cisco IOS IPS Configuration 44-3
Initial Preparatio
CHAPTER 46 Configuring Bridging Policies on Firewall Devices
About Bridging on Firewall Devices
Bridging Support for FWSM 3.
Configuring Management Access 48-5
Configuring Secure Shell Access 48-5
Add and Edit SSH Host Dialog Boxes 48-6
Configuring SNMP 48-7
SNMP Terminology 48-8
SNMP Page 48-8
SNMP Trap Configuration Dialog Box 48-9
Add SNMP Host Access Entry Dialog Box 48-12
Telnet Page 48-13
Telnet Configuration Dialog Box 48-14
CHAPTER 49 Configuring Failover 49-1
Understanding Failover 49-1
Active/Active Failover 49-3
Stateful Failover 49-4
Basic Failover Configuration 49-5
Adding a Security Context to Fa
Creating Service Level Agreements 50-8
Configuring SLA Monitor Objects 50-9
CHAPTER 51 Configuring Server Access Settings on Firewall Devices 51-1
AUS Page 51-1
Add and Edit Auto Update Server Dialog Boxes 51-3
DHCP Relay Page 51-5
Add and Edit DHCP Relay Agent Configuration Dialog Boxes 51-5
Add and Edit DHCP Relay Server Configuration Dialog Boxes 51-6
DHCP Relay IPv6 Page 51-7
Add and Edit DHCP Relay IPv6 Agent Configuration Dialog Boxes
Add and Edit DHCP Relay IPv6 Server Configuration
Edit Logging Filters Dialog Box 52-8
Configuring Logging Setup 52-9
Logging Setup Page 52-10
Configuring Rate Limit Levels 52-12
Rate Limit Page 52-13
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box 52-13
Add/Edit Rate Limited Syslog Message Dialog Box 52-14
Configuring Syslog Server Setup 52-15
Server Setup Page 52-16
Logging Levels 52-18
Add/Edit Syslog Message Dialog Box 52-19
Defining Syslog Servers 52-20
Syslog Servers Page 52-21
Add/Edit Syslog Server Dialog Box 52-
CHAPTER 53
Add/Edit Rendezvous Point Dialog Box 53-16
PIM Page - Route Tree Tab 53-17
PIM Page - Request Filter Tab 53-18
Add/Edit Multicast Group Rules Dialog Box 53-19
CHAPTER 54 Configuring Routing Policies on Firewall Devices 54-1
Configuring No Proxy ARP 54-1
Configuring OSPF 54-2
About OSPF 54-2
General Tab 54-3
OSPF Advanced Dialog Box 54-4
Area Tab 54-6
Add/Edit Area/Area Networks Dialog Box 54-7
Range Tab 54-8
Add/Edit Area Range Network Dialog Box 54-9
Neighbors Tab 54-10
Add/Edit Static Neig
RIP Page for PIX/ASA 6.3–7.1 and FWSM 54-41
Add/Edit RIP Configuration (PIX/ASA 6.3–7.1 and FWSM) Dialog Boxes
RIP Page for PIX/ASA 7.
Managing Security Contexts 57-4
Add/Edit Security Context Dialog Box (FWSM) 57-5
Add/Edit Security Context Dialog Box (PIX/ASA) 57-7
Allocate Interfaces Dialog Box (PIX/ASA only) 57-8
CHAPTER 58 Managing Routers 58-1
Configuring Routers Running IOS Software Releases 12.1 and 12.
SHDSL on Cisco IOS Routers 59-40
Defining SHDSL Controllers 59-40
SHDSL Policy Page 59-41
SHDSL Controller Dialog Box 59-42
Controller Auto Name Generator Dialog Box 59-45
PVCs on Cisco IOS Routers 59-46
Understanding Virtual Paths and Virtual Channels 59-46
Understanding ATM Service Classes 59-47
Understanding ATM Management Protocols 59-48
Understanding ILMI 59-49
Understanding OAM 59-50
Defining ATM PVCs 59-50
Defining OAM Management on ATM PVCs 59-53
PVC Policy Page 59-54
PVC Dialog Box 59-5
AAA Page—Authorization Tab 60-7
Command Authorization Dialog Box 60-9
AAA Page—Accounting Tab 60-10
Command Accounting Dialog Box 60-12
User Accounts and Device Credentials on Cisco IOS Routers 60-13
Defining Accounts and Credential Policies 60-14
Accounts and Credentials Policy Page 60-15
User Account Dialog Box 60-17
Bridging on Cisco IOS Routers 60-18
Bridge-Group Virtual Interfaces 60-18
Defining Bridge Groups 60-19
Bridging Policy Page 60-20
Bridge Group Dialog Box 60-21
Time Zone Setti
VTY Line Dialog Box—Authentication Tab 60-55
VTY Line Dialog Box—Authorization Tab 60-56
VTY Line Dialog Box—Accounting Tab 60-57
Command Authorization Dialog Box—Line Access 60-60
Command Accounting Dialog Box—Line Access 60-61
Optional SSH Settings on Cisco IOS Routers 60-63
Defining Optional SSH Settings 60-63
Secure Shell Policy Page 60-64
SNMP on Cisco IOS Routers 60-66
Defining SNMP Agent Properties 60-67
Enabling SNMP Traps 60-68
SNMP Policy Page 60-69
Permission Dialog Box 60-70
Trap
DHCP Policy Page 60-92
DHCP Database Dialog Box 60-94
IP Pool Dialog Box 60-94
NTP on Cisco IOS Routers 60-96
Defining NTP Servers 60-97
NTP Policy Page 60-98
NTP Server Dialog Box 60-99
CHAPTER 61 Configuring Identity Policies 61-1
802.1x on Cisco IOS Routers 61-1
Understanding 802.1x Device Roles 61-2
802.1x Interface Authorization States 61-2
Topologies Supported by 802.1x 61-3
Defining 802.1x Policies 61-4
802.
Syslog Servers Policy Page 62-10
Syslog Server Dialog Box 62-11
NetFlow Policy Page 62-12
Adding and Editing NetFlow Interface Settings 62-15
CHAPTER 63 Configuring Quality of Service 63-1
Quality of Service on Cisco IOS Routers 63-1
Quality of Service and CEF 63-2
Understanding Matching Parameters 63-2
Understanding Marking Parameters 63-3
Understanding Queuing Parameters 63-4
Tail Drop vs.
BGP Routing Policy Page 64-4
BGP Page—Setup Tab 64-4
Neighbors Dialog Box 64-6
BGP Page—Redistribution Tab 64-6
BGP Redistribution Mapping Dialog Box 64-7
EIGRP Routing on Cisco IOS Routers 64-8
Defining EIGRP Routes 64-9
Defining EIGRP Interface Properties 64-10
Redistributing Routes into EIGRP 64-12
EIGRP Routing Policy Page 64-13
EIGRP Page—Setup Tab 64-13
EIGRP Setup Dialog Box 64-14
EIGRP Page—Interfaces Tab 64-15
EIGRP Interface Dialog Box 64-16
EIGRP Page—Redistribution Tab 64-17
EIGRP Re
OSPF Redistribution Mapping Dialog Box 64-39
OSPF Max Prefix Mapping Dialog Box 64-41
RIP Routing on Cisco IOS Routers 64-42
Defining RIP Setup Parameters 64-42
Defining RIP Interface Authentication Settings
Redistributing Routes into RIP 64-44
RIP Routing Policy Page 64-45
RIP Page—Setup Tab 64-45
RIP Page—Authentication Tab 64-46
RIP Authentication Dialog Box 64-47
RIP Page—Redistribution Tab 64-48
RIP Redistribution Mapping Dialog Box
Static Routing on Cisco IOS Routers
Defining Static Routes 6
VLAN Groups 65-31
Creating or Editing VLAN Groups 65-32
Deleting VLAN Groups 65-33
Interfaces/VLANs Page—VLAN Groups Tab 65-33
Create and Edit VLAN Group Dialog Boxes 65-34
Service Module Slot Selector Dialog Box 65-35
VLAN Selector Dialog Box 65-36
VLAN ACLs (VACLs) 65-36
Creating or Editing VACLs 65-37
Deleting VACLs 65-39
VLAN Access Lists Page 65-39
Create and Edit VLAN ACL Dialog Boxes 65-41
Create and Edit VLAN ACL Content Dialog Boxes 65-42
IDSM Settings 65-44
Creating or Editing EtherCha
Event Details Pane 66-24
Preparing for Event Management 66-24
Ensuring Time Synchronization 66-25
Configuring ASA and FWSM Devices for Event Management 66-25
Configuring IPS Devices for Event Management 66-26
Managing the Event Manager Service 66-27
Starting, Stopping, and Configuring the Event Manager Service 66-27
Monitoring the Event Manager Service 66-28
Selecting Devices to Monitor 66-31
Monitoring Event Data Store Disk Space Usage 66-31
Archiving or Backing Up and Restoring the Event Dat
Monitoring and Mitigating Botnet Activity 66-52
Understanding the Syslog Messages That Indicate Actionable Events 66-53
Monitoring Botnet Using the Security Manager Event Viewer 66-53
Monitoring Botnet Using the Security Manager Report Manager 66-55
Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM) 66-56
Mitigating Botnet Traffic 66-56
Removing False Positive IPS Events from the Event Table 66-58
CHAPTER 67 Managing Reports 67-1
Understanding Report Management 67-1
Scheduling Reports 67-27
Viewing Report Schedules 67-28
Configuring Report Schedules 67-28
Viewing Scheduled Report Results 67-30
Enabling and Disabling Report Schedules 67-30
Deleting Report Schedules 67-31
Troubleshooting Report Manager 67-31
CHAPTER 68 Health and Performance Monitoring 68-1
Health and Performance Monitor Overview 68-1
Trend Information 68-2
Monitoring Multiple Contexts 68-3
HPM Access Control 68-3
Preparing for Health and Performance Monitoring
Launching the Health and
Alerts: Viewing 68-37
Alerts: Acknowledging and Clearing 68-38
Alerts: History 68-39
CHAPTER 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools 69-1
Viewing Inventory Status 69-1
Inventory Status Window 69-2
Starting Device Managers 69-4
Troubleshooting Device Managers 69-5
Access Rule Look-up from Device Managers 69-6
Navigating to an Access Rule from ASDM 69-7
Navigating to an Access Rule from SDM 69-8
Launching Cisco Prime Security Manager 69-9
Detecting ASA CX Modules 69
Administrative Settings for Image Manager 70-4
Bootstrapping Devices for Image Manager 70-6
Working with Images 70-8
View All Images 70-8
Download Images to the Repository 70-10
Working with Bundles 70-11
Creating Bundles 70-12
View Images by Bundle 70-13
Renaming Bundles 70-13
Deleting Bundles 70-13
Deleting Images from Bundles 70-14
Working with Devices 70-14
Viewing Device Inventory 70-14
Manage Images on a Device 70-15
View Device Memory 70-17
Configuring the Image Install Location 70-17
A
Preface
Conventions
This document uses the following conventions:
Item | Convention
Commands, keywords, special terminology, and options that should be selected during procedures | boldface font
Variables for which you supply values and new or important terminology | italic font
Displayed session and system information, paths and file names | screen font
Information you enter | boldface screen font
Variables you enter | italic screen font
Menu items and button names | boldface font
Indicates menu items to select,
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be deliv
PART 1 The Basics of Using Security Manager
CHAPTER 1 Getting Started with Security Manager
The following topics describe Cisco Security Manager, how to get started with the application, and how to complete its configuration.
Chapter 1 Getting Started with Security Manager
Product Overview
The following topics provide an overview of Security Manager:
• Primary Benefits of Cisco Security Manager, page 1-2
• Security Manager Policy Feature Sets, page 1-4
• Security Manager Applications Overview, page 1-6
• Device Monitoring Overview, page 1-6
• IPv6 Support in Security Manager, page 1-7
Primary Benefits of Cisco Security Manager
These are the primary benefits of working with Security Manager:
• Scalable network manag
• Intelligent analysis of firewall policies—The conflict detection feature analyzes and reports rules that overlap or conflict with other rules. The ACL hit count feature checks in real time whether specific rules are being hit or triggered by packets.
• Sophisticated rule table editing—In-line editing, and the ability to cut, copy, and paste rules and to change their order in the rule table.
Security Manager Policy Feature Sets
Security Manager provides the following primary feature sets for configuration policies:
• Firewall Services
Configuration and management of firewall policies across multiple platforms, including IOS routers, ASA/PIX devices, and Catalyst Firewall Service Modules (FWSMs).
Setup and configuration of IPsec and SSL VPNs between servers and mobile remote workstations running Cisco VPN client or AnyConnect client software. For more information, see Chapter 29, “Managing Remote Access VPNs: The Basics”.
• FlexConfigs
FlexConfig policies and policy objects enable you to provision features that are available on the device but not natively supported by Security Manager. They enable you to manually specify a set of CLI commands and to deploy them to devices using Security Manager’s provisioning mechanisms. These commands can be either prepended or appended to the commands generated by Security Manager to provision security policies.
• Event Viewer—This integrated tool allows you to view events on ASA, FWSM, and IPS devices and correlate them to the related configuration policies. This helps you identify problems, troubleshoot configurations, and then fix the configurations and redeploy them. For more information, see Chapter 66, “Viewing Events”.
In general, you can configure IPv6 policies on the following types of device. In addition, you can monitor IPv6 alerts generated by IPS, ASA, and FWSM devices. For other types of devices, use FlexConfig policies to configure IPv6 settings. For more specific information on IPv6 device support, see the Supported Devices and Software Versions for Cisco Security Manager document on Cisco.com.
• ASA—Release 7.
Chapter 1 Getting Started with Security Manager Logging In to and Exiting Security Manager
• Event Viewer—Events that include IPv6 addresses are supported, and the addresses are displayed in the same columns as IPv4 addresses: Source, Destination, and IPLog Address (for IPS alerts). However, you must configure the device to use IPv4 for sending events to the Security Manager server. All event communications use IPv4 transport. For more information on Event Viewer, see Chapter 66, “Viewing Events”.
• Logging In to and Exiting the Security Manager Client, page 1-11
Understanding User Permissions
Cisco Security Manager authenticates your username and password before you can log in. After you are authenticated, Security Manager establishes your role within the application. This role defines your permissions (also called privileges), which are the set of tasks or operations that you are authorized to perform.
Step 4
• Server Administration—Click this item to open the CiscoWorks Common Services Server page. CiscoWorks Common Services is the foundation software that manages the server. Use it to configure and manage back-end server features such as server maintenance and troubleshooting, local user definition, and so on.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview
• In both Workflow and non-Workflow mode, you cannot log into the same server from a single workstation and have more than one active session using the same user account. You are reminded that you are already logged in and asked to reuse the existing open application.
• In both workflow modes, you can log into different servers using the same (or different) user name from the same workstation.
• Map view—Provides a visual representation of your network, which is primarily useful for visualizing and configuring site-to-site VPNs. For more information, see Map View Overview, page 1-16.
Each view presents a different way to access Configuration Manager functionality. What you can do, and how you do it, are determined by the view you select.
Figure 1-1 Device View Overview
1 Title bar
2 Menu bar (see Menu Bar Reference for Configuration Manager, page 1-27)
3 Toolbar (see Toolbar Reference (Configuration Manager), page 1-36)
4 Work area
5 Policy selector
6 Device selector (see Using Selectors, page 1-42)
The title bar displays the following information about Security Manager:
• Your login name.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview This is a policy-centric view in which you can see all the shareable policy types supported by Security Manager. You can select a specific policy type and create, view, or modify shared policies of that type. You can also see the devices to which each shared policy is assigned and change the assignments as required. For more information, see Managing Shared Policies in Policy View, page 5-47.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview Map View Overview Map view in Configuration Manager enables you to create customized, visual topology maps of your network, within which you can view connections between your devices and easily configure VPNs and access control settings. The following figure identifies the functional areas of the Map view. For more information, see Chapter 34, “Using Map View”.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview Task Flow for Configuring Security Policies The basic user task flow for configuring security policies on devices involves adding devices to the Security Manager inventory, defining the policies, and then deploying them to the devices. You perform these tasks in Configuration Manager. The following briefly describes the steps in a typical user task flow: Step 1 Prepare devices for management.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview In non-Workflow mode, submitting and deploying your changes can be done in a single action. In Workflow mode, you first submit your activity and then you create a deployment job to deploy your changes. For more information, see Chapter 8, “Managing Deployment”. Policy and Policy Object Overview A policy is a set of rules or parameters that define a particular aspect of network configuration.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview activities so that a single activity contains only logically-related policy changes. You can configure Workflow mode to require a separate approver, so that configuration changes cannot be made without oversight. After approval, the user defines a separate deployment job to push the policy changes to the devices. For more information, see Working in Workflow Mode, page 1-19.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview For information about enabling or disabling Workflow mode or enabling or disabling Ticket Management, see Changing Workflow Modes, page 1-26. In Workflow mode: • A user must create an activity before defining or changing policy configurations in Configuration Manager. The activity is essentially a proposal to make configuration changes.
Chapter 1 Getting Started with Security Manager Using Configuration Manager - Overview Note Workflow mode works in the same manner whether Ticket Management is enabled or not. Enabling Ticket Management in Workflow mode simply enables the Ticket field for use with Activities. Entering a ticket ID is not required, but if one is used, the Ticket field can be configured to link to an external change management system. For more information, see Ticket Management.
Chapter 1 Getting Started with Security Manager Using the JumpStart to Learn About Security Manager
Table 1-1 Comparison Between Workflow Mode and Non-Workflow Mode in Configuration Manager (Continued)
At what stage are the CLI commands for my configuration changes generated?
• Non-Workflow Mode with Ticket Management Enabled: When initiating deployment.
• Non-Workflow Mode with Ticket Management Disabled: When initiating deployment.
• Workflow Mode: When creating a deployment job.
Chapter 1 Getting Started with Security Manager Completing the Initial Security Manager Configuration • Links in the page enable you to drill down to more detailed information in the JumpStart or to relevant information in the online help. Completing the Initial Security Manager Configuration After you install Security Manager, there are several configuration steps you might want to perform to complete the installation.
• Tip Select a workflow mode. The default mode is non-Workflow mode with Ticket Management enabled. In non-Workflow mode, users have more freedom to create and deploy configurations.
Configuring an SMTP Server and Default Addresses for E-Mail Notifications Security Manager can send e-mail notifications for several types of events such as deployment job completion, activity approval, or ACL rule expiration. To enable e-mail notifications, you must configure an SMTP server that Security Manager can use for sending the e-mails.
Changing Workflow Modes You can change the workflow mode that Security Manager enforces if you have the appropriate administrator permissions. Changing the workflow mode has significant effects on users. Before making a change, be sure to understand the following: • When you change the workflow mode, the change will take effect for all Security Manager users working from the same server.
Chapter 1 Getting Started with Security Manager Understanding Basic Security Manager Interface Features Step 7 • Ticket System URL—To provide linking between a Ticket ID and an external ticket management system. • Ticket History—Specify how long to keep information related to tickets. Click Save to save and apply changes.
File Menu (Configuration Manager) The following table describes the commands on the File menu in Configuration Manager. The menu items differ depending on the workflow mode.
Table 1-2 File Menu (Configuration Manager)
• New Device: Initiates the wizard to add a new device. See Adding Devices to the Device Inventory, page 3-6.
Table 1-2 File Menu (Configuration Manager) (Continued)
• Discard (non-Workflow mode only): Discards all configuration changes since the last submission. To discard the current activity in Workflow mode, select Activities > Discard Activity.
• Edit Device Groups: Edits device groups. See Working with Device Groups, page 3-57.
• New Device Group: Adds a device group.
View Menu (Configuration Manager) The View menu in Configuration Manager contains commands to navigate within the user interface or to alter the toolbar.
Table 1-4 View Menu
• Device View: Opens Device view. See Device View Overview, page 1-13.
• Device Status View: Opens the Device Status View window. See Working with Device Status View, page 3-61.
• Map View: Opens Map view.
Table 1-5 Policy Menu (Configuration Manager) (Continued)
• Discover Policies on Device: Discovers policies on a device. See Discovering Policies, page 5-12.
• Discover VPN Policies: Opens the Discover VPN Policies wizard. See Site-To-Site VPN Discovery, page 24-19.
Map Menu (Configuration Manager) The Map menu in Configuration Manager contains commands for using the Map view.
Table 1-6 Map Menu (Configuration Manager) (Continued)
• Show/Hide Navigation Window: Displays or hides the navigation window on the open map. See Using the Navigation Window, page 34-4.
• Undock/Dock Map View: Undocks the maps window, allowing you to use other features while keeping the map open.
Tools Menu (Configuration Manager) The Tools menu in Configuration Manager contains commands that start tools that run in a window separate from the Security Manager main interface. This enables you to access features without closing the page from which you are currently working.
Table 1-8 Tools Menu (Configuration Manager) (Continued)
• Security Manager Administration: Configures system-wide settings that control the functioning of Security Manager. For information, see Chapter 11, “Configuring Security Manager Administrative Settings”.
Table 1-10 Tickets Menu (Configuration Manager) (Continued)
• Validate Ticket: Validates the open ticket. See Validating an Activity/Ticket, page 4-18.
• Submit Ticket: Submits the open ticket. See Understanding Activity/Ticket States, page 4-4.
• Discard Ticket: Discards the open ticket. See Discarding an Activity/Ticket, page 4-22.
Table 1-11 Launch Menu (Configuration Manager) (Continued)
• Health & Performance Monitor: Opens the Health & Performance Monitor (HPM), where you can view device status and traffic information across your network, and view and acknowledge device-specific alerts. See Chapter 68, “Health and Performance Monitoring” for more information.
Table 1-13 Configuration Manager Toolbar (Continued)
• Opens the Policy view. For more information, see Managing Shared Policies in Policy View, page 5-47.
• Opens the Policy Bundle view. For more information, see Managing Policy Bundles, page 5-53.
• Opens the Policy Object Manager. For more information, see Chapter 6, “Managing Policy Objects”.
• Opens the Site-to-Site VPN Manager.
Table 1-13 Configuration Manager Toolbar (Continued)
• Opens the Image Manager application. For more information, see Chapter 70, “Using Image Manager”.
• Opens the Health & Performance Monitor application. For more information, see Chapter 68, “Health and Performance Monitoring”.
• Opens online help for the current page. For more information, see Accessing Online Help, page 1-49.
Using Global Search Security Manager provides a global search feature to make finding and working with information that you are interested in easier. The Global Search feature allows you to search for devices, policy objects, policies, and tickets that contain a particular search string. The scope of the search can be limited to just devices, policy objects, policies, or tickets.
– Port Forwarding List
– Services
– Single Sign On Servers
– SLA Monitors
– SSL VPN Bookmarks
– SSL VPN Customizations
– SSL VPN Gateways
– SSL VPN Smart Tunnel Auto Signon Lists
– SSL VPN Smart Tunnels
– Text Objects
– Time Ranges
– Traffic Flows
– User Groups
– WINS Server Lists
• Policies:
– AAA Rules
– Access Rules
– IPv6 Access Rules
– Inspection Rules
– Translation Rules
– Web Filter Rules
– Zon
Acting on Search Results You can perform the following actions on the items returned from your search: • Export Data (All)—Allows you to export the search results for the selected category in CSV format.
Using Selectors Selectors appear in several places in the user interface; for example, the Device selector in Device view (see Figure 1-1). These tree structures enable you to select items (like devices) on which to perform actions. Several types of items can appear in a selector, depending on the task you are performing. Items in selectors are presented in a hierarchy of folders.
Step 3 Step 4 • Match Any of the Following—Creates an OR relationship among the filter criteria. Policies matching any of your criteria are included in the filter. • Match All of the Following—Creates an AND relationship among the filter criteria. Only those policies matching all your criteria are included in the filter.
Table 1-14 Create Filter Dialog Box (Continued) Element Description Match Any of the Following When you select this option an OR relationship is created among the filtering criteria you define. An item must satisfy only one of the rules in the filter to be displayed in the list.
Using Tables Many policies in Security Manager use tables. A small number of policies use a specialized type of table called a rules table. Rules tables have extra features compared to standard tables; for more information, see Using Rules Tables, page 12-7. Standard tables include these basic features: • Table filter—You can filter the rows displayed to help you find items in a large table.
• Tip Any filter you apply is kept in the leftmost menu below the Advanced Filter entry. You can apply the filter by selecting it from the list. However, this list can have at most 10 entries. When you create your eleventh filter, your oldest filter is removed from the list. If you select a filter and add criteria, you are modifying that filter rather than creating a new one.
The only places where you can include non-ASCII, non-English languages in device configurations are the SSL VPN Bookmarks and SSL VPN Customization policy objects, which are used in configuring browser-based clientless SSL VPNs on ASA devices. For information on how you can support local languages for these objects, see Localizing SSL VPN Web Pages for ASA Devices, page 30-68.
– Hostscan Image For all other file operations, you can create or select files only on the Security Manager server; you cannot use a drive mounted on the server, and you cannot use your client system. Tip You can control whether file operations are allowed on the Security Manager client from Tools > Security Manager Administration > Customize Desktop.
Chapter 1 Getting Started with Security Manager Accessing Online Help • Dialog Box is too big for the screen—The minimum screen resolution for the Security Manager client is actually bigger than the best screen resolution available on many laptops (for screen resolution requirements, see the client system requirements in the Installation Guide for Cisco Security Manager).
Chapter 2 Preparing Devices for Management Before you start to manage a device using Security Manager, you should prepare the device with at least a minimal configuration. The following sections describe the basic device configurations needed for various transport protocols or device types. Before configuring transport protocols, determine the requirements for your devices by reading Understanding Device Communication Requirements, page 2-1.
Chapter 2 Preparing Devices for Management Understanding Device Communication Requirements • SSL (HTTPS)—Secure Sockets Layer, which is an HTTPS connection, is the only transport protocol used with PIX Firewalls, Adaptive Security Appliances (ASA), and Firewall Services Modules (FWSM). It is also the default protocol for IPS devices and for routers running Cisco IOS Software release 12.3 or higher. If you use SSL as the transport protocol on Cisco IOS routers, you must also configure SSH on the routers.
Chapter 2 Preparing Devices for Management Setting Up SSL (HTTPS) Setting Up SSL (HTTPS) With many devices, you can use the Secure Sockets Layer (SSL) protocol, also known as HTTPS, to communicate with the device. When you deploy configurations with this protocol, Security Manager encrypts the configuration file before sending it to the device.
Step 5 • ip_address—The IP address of the Security Manager server. • netmask—The network mask for the IP address. • if_name—The device interface name (default is inside) from which Security Manager initiates the HTTP connection. Save the current configuration in Flash memory.
Step 7 Verify that SSL is set up on the device. The device should respond with an “enabled” status.
hostname# show ip http server secure status
Setting Up SSH You can use the Secure Shell (SSH) protocol to communicate with Cisco IOS Routers, Catalyst switches, and Catalyst 6500/7600 devices. This protocol provides strong authentication and secure communications over insecure channels. Security Manager supports both SSH versions 1.5 and 2. Prefer version 2 wherever the device supports it; the SSH 1.x protocol has known weaknesses.
Step 3 (Optional) Configure a user account in the local database of the device.
hostname(config)# username name password 0 password
Note that password 0 stores the password unencrypted in the configuration; on IOS releases that support it, username name secret password stores a hash instead.
Step 4 Exit configuration mode and return to Exec mode.
hostname(config)# exit
Step 5 Save the configuration changes.
Preventing Non-SSH Connections (Optional) After configuring SSH, you can configure the Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices to use SSH connections only.
Related Topics
• Critical Line-Ending Conventions for SSH, page 2-5
• Testing Authentication, page 2-5
• Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices, page 2-6
Step 1 Enter configuration mode.
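The preparation described above, HTTPS plus SSH on an IOS router (optionally with SSH-only vty lines) and an http statement naming the Security Manager address, mask and interface on an ASA, PIX or FWSM, can be checked offline against a saved running-config before the device is added to the inventory. The following Python script is an added example and is not part of this guide or of Security Manager itself. The sample configurations are constructed, and the lint rules it applies (SSHv2 enforced, vty lines restricted to SSH, an access list on the IOS HTTP server, an ASA http statement no broader than a /24) are this example's own choices, not requirements stated by the guide.

```python
"""Readiness check for the Chapter 2 device preparation: an IOS router must
expose HTTPS and SSH to Security Manager, and an ASA/PIX/FWSM must permit the
Security Manager server in an 'http <addr> <mask> <if_name>' statement.
Added example, not part of the original guide; all configs are constructed."""
import ipaddress
import re

# Constructed sample: IOS router prepared as Chapter 2 describes, with vty
# lines restricted to SSH and the HTTP server bound to an access list.
IOS_READY = """\
hostname edge-rtr
ip domain-name example.net
ip ssh version 2
ip http secure-server
ip http authentication local
ip http access-class 10
access-list 10 permit 192.0.2.10
line vty 0 4
 login local
 transport input ssh
"""

# Constructed sample: cleartext HTTP and Telnet still enabled, SSHv1 only.
IOS_WEAK = """\
hostname lab-rtr
ip http server
ip ssh version 1
line vty 0 4
 login
 transport input telnet ssh
"""

# Constructed sample: ASA permitting only the Security Manager host.
ASA_READY = """\
hostname asa-dmz
http server enable
http 192.0.2.10 255.255.255.255 inside
aaa authentication http console LOCAL
"""

# Constructed sample: ASA whose http statement admits a whole /8.
ASA_WEAK = """\
hostname asa-lab
http server enable
http 10.0.0.0 255.0.0.0 inside
"""


def _vty_blocks(cfg):
    """Return (header, [indented sub-commands]) for each 'line vty' block."""
    blocks, body = [], None
    for line in cfg.splitlines():
        if line.startswith("line vty"):
            body = []
            blocks.append((line, body))
        elif body is not None and line.startswith(" "):
            body.append(line.strip())
        else:
            body = None
    return blocks


def check_ios(cfg):
    """Return a list of findings for an IOS running-config; empty means ready."""
    lines = {ln.strip() for ln in cfg.splitlines()}
    findings = []
    if "ip http secure-server" not in lines:
        findings.append("HTTPS disabled: add 'ip http secure-server'")
    if "ip http server" in lines:
        findings.append("cleartext HTTP enabled: remove 'ip http server'")
    if "ip ssh version 2" not in lines:
        findings.append("SSHv2 not enforced: add 'ip ssh version 2'")
    if not any(ln.startswith("ip http access-class") for ln in lines):
        findings.append("HTTP server open to any source: add 'ip http access-class'")
    blocks = _vty_blocks(cfg)
    if not blocks:
        findings.append("no 'line vty' block found")
    for header, body in blocks:
        transport = [b for b in body if b.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{header}: restrict with 'transport input ssh'")
    return findings


def check_asa(cfg, manager_ip):
    """Return findings for an ASA/PIX/FWSM config. manager_ip is the Security
    Manager server, which an 'http <addr> <mask> <if_name>' line must cover."""
    lines = [ln.strip() for ln in cfg.splitlines()]
    findings = []
    if "http server enable" not in lines:
        findings.append("HTTPS management disabled: add 'http server enable'")
    mgr = ipaddress.ip_address(manager_ip)
    covering = []
    for ln in lines:
        m = re.match(r"http (\S+) (\S+) (\S+)$", ln)
        if m:
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if mgr in net:
                covering.append((net, m[3]))
    if not covering:
        findings.append(f"no 'http' statement permits {manager_ip}")
    for net, ifname in covering:
        if net.prefixlen < 24:  # example's own threshold for "too broad"
            findings.append(f"'http {net}' on {ifname} admits far more than {manager_ip}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("IOS_READY", IOS_READY), ("IOS_WEAK", IOS_WEAK)]:
        print(name, check_ios(cfg) or "ready")
    for name, cfg in [("ASA_READY", ASA_READY), ("ASA_WEAK", ASA_WEAK)]:
        print(name, check_asa(cfg, "192.0.2.10") or "ready")
```

Run it against a config saved with show running-config; an empty finding list means the device matches the preparation steps, and each finding names the command to add or remove. The check is purely textual, so it cannot confirm that an RSA key pair exists or that the HTTPS server actually answers, which is what Step 7 above verifies on the device itself.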
Chapter 2 Preparing Devices for Management Setting Up AUS or Configuration Engine Setting Up AUS on PIX Firewall and ASA Devices You can configure PIX firewalls and ASA devices to use the AUS protocol to contact an Auto Update Server or CNS Configuration Engine for configuration and image updates. When using Configuration Engine, the device uses the same AUS protocol used for Auto Update Server, so the configuration is the same.
Setting Up CNS on Cisco IOS Routers in Event-Bus Mode You can configure Cisco IOS routers to use the CNS protocol to contact a Cisco Configuration Engine for configuration and image updates. The Configuration Engine can operate in two modes, event-bus and call-home. The following procedure describes how to configure a router to use event-bus mode.
Setting Up CNS on Cisco IOS Routers in Call-Home Mode You can configure Cisco IOS routers to use the CNS protocol to contact a Cisco Configuration Engine for configuration and image updates. The Configuration Engine can operate in two modes, event-bus and call-home. The following table describes the tasks to complete to configure a router to use call-home mode.
Chapter 2 Preparing Devices for Management Configuring Licenses on Cisco ASA Devices
Step 7 Specify a name for a Command Scheduler policy and enter kron-policy configuration mode. The name can be 1 to 31 characters. If the list-name is new, a policy list structure is created. If the list-name is not new, the existing policy list is edited.
hostname(config)# kron policy-list list-name
Step 8 Retrieve the configuration from the staged CNS job. Specify the IP address of the CNS server.
Chapter 2 Preparing Devices for Management Configuring Licenses on Cisco IOS Devices Manager determines the state of the Failover license and sets the property appropriately. You are responsible for ensuring that the property remains accurate. You will see deployment failures if the property is selected but the device has an inactive Failover license.
Chapter 2 Preparing Devices for Management Initializing IPS Devices • Web server port • Use default ports You configure these settings through the setup command in Intrusion Prevention System Device Manager (IDM) or in a command-line session, depending upon which platform is used by your IPS device. For a list of supported IPS platforms, see the supported devices and software versions information at the following URL: http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_list.html.
Chapter 3 Managing the Device Inventory Before you can manage devices in Security Manager, you must prepare the devices for management, then add those devices to the Security Manager device inventory. After you add the devices, you can view and edit device information, configure policies on devices, copy and share policies, clone devices, and so on.
Chapter 3 Managing the Device Inventory Understanding the Device Inventory Figure 3-1 Devices Page Device selector (1, 3, 4, 5)—Contains the following: • Add and Delete buttons (4, 5)—Enables you to add and delete devices from the Security Manager inventory. • Filter field (3)—Enables you to display a subset of devices based on the filtering criteria you define. For details, see Filtering Items in Selectors, page 1-42. • Device tree—Lists the device groups and devices that exist in the system.
Figure 3-2 Device Icons
1 Adaptive Security Appliances (ASA)
2 PIX Firewall
3 VPN 3000 Concentrator
4 Cisco IOS Router
5 Catalyst Switch
6 Catalyst 7600 Series Router
7 Catalyst Security Services Modules: Firewall Services Module (FWSM) and ASA-SM
8 Intrusion Prevention System (IPS)
Shortcut menu options—When you right-click a device or device group, you get a menu of commands related to that device or group.
All physical devices appear in the device selectors. In addition, these are the types of virtual devices that appear in the device selectors: • Tip You can control whether the display name is added to the context name using the Prepend Device Name when Generating Security Context Names property on the Discovery settings page (see Discovery Page, page 11-21).
• When you add a device manually or from network discovery. For more information, see these topics: – Adding Devices from the Network, page 3-11 – Adding Devices by Manual Definition, page 3-25 • By editing the device properties. For more information, see Viewing or Changing Device Properties, page 3-39.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Understanding Device Properties You define device properties when you add devices to Security Manager. Device properties are general information about the device, credentials, the group the device is assigned to, and policy overrides.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory The New Device wizard guides you through the process of adding devices to the inventory. You can add devices from many different sources, and the path through the wizard differs significantly based on the method you are using. To start the New Device wizard, from Device view, select File > New Device, or click the Add button in the device selector. Note There is also another way to add devices. If you exported a .
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory – Cons—You cannot use this method to add Catalyst 6500/7600 or IPS devices. When adding groups of configuration files, all files must be for the same device type. Also, you cannot successfully discover policies that require a connection with the device.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Tips • Generic router support encompasses ISR and ASR hardware models that are not natively supported. It does not encompass software versions that are not yet supported. In other words, Security Manager allows you to manage unsupported hardware platforms if those platforms are running a supported software release. This type of generic support works best for new models of series that are already explicitly supported.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Unsupported Features on ASA Clusters These features cannot be configured with clustering enabled, and the commands will be rejected.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory – RSH – SUNRPC – TFTP – XDMCP • Dynamic routing (spanned EtherChannel mode only) • Multicast routing (individual interface mode only) • Static route monitoring • IGMP multicast control plane protocol processing (data plane forwarding is distributed across the cluster) • PIM multicast control plane protocol processing (data plane forwarding is distributed across the cluster) • Authentication and Authorization for netw
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory • Prepare the devices to be managed by Security Manager. For more information, see Chapter 2, “Preparing Devices for Management”. • If you are using ACS for authentication, define the devices in ACS. See the Installation Guide for Cisco Security Manager.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Tip Step 7 If you are discovering policies while adding a device, carefully read any messages that are presented to you. These messages can contain important recommendations on the next steps you should take. For example, when you add Cisco IOS routers or Catalyst devices, we recommend that you immediately deploy the discovered configuration to a file so that Security Manager can take over ownership of the configuration.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Related Topics • Understanding the Device View, page 3-1 • Adding Devices from the Network, page 3-11 • Device Credentials Page, page 3-44 • Device Groups Page, page 3-48 • Discovering Policies, page 5-12 • Device Communication Page, page 11-16 Field Reference Table 3-2 New Device Wizard, Device Information Page When Adding Devices from the Network Element Description Identity IP Type You can add only devices
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Table 3-2 New Device Wizard, Device Information Page When Adding Devices from the Network (Continued) Element Description OS Type The family of the operating system running on the device. You must be careful to select the correct type, because your selection affects how Security Manager tries to log into the device and obtain its configuration. The options are: • Tip Transport Protocol IOS 12.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Table 3-2 New Device Wizard, Device Information Page When Adding Devices from the Network (Continued) Element Description System Context Whether to discover the system execution space of a PIX Firewall 7, ASA, or FWSM device that is running in multiple-context mode.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Table 3-2 New Device Wizard, Device Information Page When Adding Devices from the Network (Continued) Element Description Discover Device Settings Discover The type of elements that should be discovered and added to the inventory. You have these options: • Policies and Inventory—Discover policies, interfaces, and service modules (if applicable). This is the default and recommended option.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Table 3-2 New Device Wizard, Device Information Page When Adding Devices from the Network (Continued) Element Description Discover Policies for Security Context Whether to discover policies for security contexts. Security contexts apply to PIX Firewall, ASA, or FWSM devices. This field is active only if you select Static for IP Type and System Context.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Table 3-3 Service Module Credentials Dialog Box (Continued) Element Description Connect to FWSM How Security Manager should access the FWSM: Management IP • Directly—Connect to the FWSM using its management IP address. This is the recommended approach. It is the required method if you are connecting to a failover device; otherwise, Security Manager might connect to a standby FWSM after a failover.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory • When performing policy discovery on a device that is already in the network. See Discovering Policies on Devices Already in Security Manager, page 5-15. Field Reference Table 3-4 IPS Module Discovery Dialog Box Element Description Discovery The type of discovery for this module: IP Address • Discover Inventory and Policies—Discover inventory and security policies. This is the recommended option.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory • Prepare the devices to be managed by Security Manager. For more information, see Chapter 2, “Preparing Devices for Management”. • If you are using ACS for authentication, define the devices in ACS. See the Installation Guide for Cisco Security Manager. • Copy the device configuration files to a directory on the Security Manager server. You cannot use a mounted drive.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Step 8 If you added a device that is managed by an Auto Update Server or Configuration engine, with the device selected in the device selector, select Tools > Device Properties. Select the server used with the device in the Auto Update or Configuration Engine settings. You can add the server if it is not listed. For more information, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-35.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Table 3-5 New Device Wizard, Device Information Page When Adding Devices from Configuration Files (Continued) Element Description Configuration Files The configuration files from the devices you are adding to the inventory. You can specify more than one configuration file, but they must all be for the same device type. Separate the file names with commas.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Table 3-5 New Device Wizard, Device Information Page When Adding Devices from Configuration Files (Continued) Element Description Discover Device Settings Discover The type of elements that should be discovered and added to the inventory. You have these options: • Policies and Inventory—Discover policies, interfaces, and service modules (if applicable). This is the default and recommended option.
Chapter 3 Managing the Device Inventory Adding Devices to the Device Inventory Adding Devices by Manual Definition If a device is not yet active on the network, you can add it to Security Manager and preprovision a configuration for the device. In general, you should not use manual definition for a device that exists in the network, because it is much easier to use one of the other techniques for adding devices.
When you are finished filling in the device information, click Next to proceed to the Device Credentials page.

Step 4 (Optional) On the Device Credentials page, enter the usernames and passwords required to log into the device. Typically, you need to enter the primary device credentials, which are the traditional User EXEC mode and Privileged EXEC mode passwords.
Field Reference

Table 3-6 New Device Wizard, Device Information Page When Adding New Devices

Device Type

Device Type selector: Organizes the devices by device type and device family. Select the device type for the new device.
Table 3-6 New Device Wizard, Device Information Page When Adding New Devices (Continued)

Operating System

OS Type: The type of operating system. Based on the device type, the OS type is selected automatically.
Image Name: The name of the image that will run on the device.
Target OS Version: The target OS version for which you want to apply the configuration.
Table 3-6 New Device Wizard, Device Information Page When Adding New Devices (Continued)

Security Context of Unmanaged Device: Whether to manage a security context whose parent (the PIX Firewall, ASA, or FWSM device) is not managed by Security Manager.
Before You Begin

Before beginning this procedure, ensure the following preparations have been made:
• Prepare the devices to be managed by Security Manager. For more information, see Chapter 2, “Preparing Devices for Management”.
• If you are using ACS for authentication, define the devices in ACS. See the Installation Guide for Cisco Security Manager.
Step 4

Tip If you are discovering policies while adding a device, carefully read any messages that are presented. These messages can contain important recommendations on the next steps you should take. For example, when you add Cisco IOS routers or Catalyst devices, we recommend that you immediately deploy the discovered configuration to a file so that Security Manager can take ownership of the configuration.
Tip If you are adding devices that contain modules, for example, a Catalyst switch with an FWSM, you are prompted for module discovery information after you click Finish.

Navigation Path

To start the New Device wizard, from Device view, select File > New Device, or click the Add button in the device selector.
Table 3-7 New Device Wizard, Device Information Page When Adding Devices from Inventory Files (Continued)

Details Pane: Below the device import table is a pane that displays the details for the device selected in the table. The Identity information repeats the table fields. The Status text box displays an extended explanation of the import status.
Chapter 3 Managing the Device Inventory
Working with the Device Inventory

Table 3-7 New Device Wizard, Device Information Page When Adding Devices from Inventory Files (Continued)

Platform Settings: Whether to discover the platform settings, which are also called platform-specific policy domains. Platform-specific policy domains exist on firewall devices and Cisco IOS routers. These domains contain policies that configure features that are specific to the selected platform.
• Changing Critical Device Properties, page 3-50
• Showing Device Containment, page 3-53
• Cloning a Device, page 3-54
• Deleting Devices from the Security Manager Inventory, page 3-55

In addition to these topics, see the following related topics:
Tip Security Manager cannot determine the software version running on a Configuration Engine when you add it. However, Security Manager cannot deploy configurations correctly to all versions of Configuration Engine. Ensure that your Configuration Engines are running a supported release (see the release notes for this version of the product to see which Configuration Engine versions are supported at http://www.cisco.
Table 3-8 Server Properties Dialog Box (Continued)

Port: The port number that the device managed by the Auto Update Server or Configuration Engine uses to communicate with the server. The port number is typically 443.
URN: This field is displayed only for Auto Update Servers. The uniform resource name for the Auto Update Server. The URN is the name that identifies the resource on the Internet.
• Viewing or Changing Device Properties, page 3-39

Adding or Changing Interface Modules

Many devices allow you to add or change interface modules. When you make a change to the interface modules hosted in a device, you change the device’s inventory. If you add or change an interface card, you should rediscover the inventory on the device.
• General—General information about the device, such as the device identity, the operating system running on the device, and transport settings. For information about the fields, see Device Properties: General Page, page 3-40.
• Credentials—The device credentials required to log into the device. For information about the fields, see Device Credentials Page, page 3-44.
• Device Groups—The groups to which the device belongs.
Table 3-9 Device Properties General Page (Continued)

Hostname: The DNS hostname for the device. (Static IP only) This is not necessarily the same name that is configured as the hostname on the device. This property is not updated with the hostname specified in the Hostname device property. It is also not updated with the name defined in the device configuration if you rediscover the device.
Table 3-9 Device Properties General Page (Continued)

Operational Mode: The mode in which the device is operating. This field is displayed only if the OS type is FWSM, ASA, or PIX Firewall 7.0+. The options available are Transparent or Router. If you choose Multi for Contexts, this mode defaults to Mixed. Mixed applies only to ASA 9.0+ and FWSM 3.1+ devices, and ASA-SMs.
Table 3-9 Device Properties General Page (Continued)

Server: The Auto Update Server or Configuration Engine that manages the device. For AUS, this server should match the one defined in the AUS policy (see AUS Page, page 51-1). You can add servers to the list by selecting Add Servers, which opens the Server Properties dialog box (see Server Properties Dialog Box, page 3-36).
Device Credentials Page

Use the Device Credentials page to add or change the usernames and passwords that are required for device access. For information about device credentials, see Understanding Device Credentials, page 3-4. The Credentials page is the same whether you are adding a new device (in the New Device wizard), or viewing an existing device’s properties.
Field Reference

Table 3-10 Device Credentials Page

Primary Credentials: Required for all device types. These credentials are used for SSH and Telnet connections, and for HTTP and HTTPS connections if you select Use Primary Credentials in the HTTP group.
Table 3-10 Device Credentials Page (Continued)

HTTPS Port: The port to use for HTTPS connections. The default is port 443 (unless a different default is configured in the Security Manager device communication settings). To change the default, first deselect Use Default. Change this setting only if the device is configured to accept HTTPS connections on a different port.
Navigation Path

To open the RX-Boot Mode Credentials dialog box, click RX-Boot Mode in the Device Credentials Page in either the New Device wizard (when adding a device manually or from the network), or the Device Properties page.

SNMP Credentials Dialog Box

Use the SNMP Credentials dialog box to add SNMP credentials.
Table 3-11 SNMP Credentials Dialog Box (Continued)

Engine ID: Enter the hexadecimal identifier for the SNMP v3 authorization agent in the device.

Device Groups Page

Use the Device Groups page to assign the device to device groups. You can also edit or delete device groups from this page.
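The Engine ID field matters because SNMPv3 does not use the authentication password directly: the User-based Security Model (RFC 3414) expands the password into a key and then localizes that key with the agent's engine ID, so a wrong or stale engine ID produces a key the device will never accept. The following block is an added illustration of that RFC 3414 procedure; it is not code from Security Manager, and the password and engine ID it uses are the published RFC 3414 Appendix A test values, not values from this guide.

```python
import hashlib

# Constructed test inputs from RFC 3414, Appendix A.3 (not from the Security Manager guide).
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID_HEX = "000000000000000000000002"

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: the password is expanded to exactly 1 MB before hashing


def parse_engine_id(engine_id_hex: str) -> bytes:
    """Accept the hex string as typed into the Engine ID field (with or without ':' separators)."""
    cleaned = engine_id_hex.replace(":", "").replace(" ", "").strip()
    if not cleaned or len(cleaned) % 2:
        raise ValueError("engine ID must be an even number of hex digits")
    engine_id = bytes.fromhex(cleaned)
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID is OCTET STRING (SIZE (5..32)), RFC 3411
        raise ValueError("SNMPv3 engine ID must be 5 to 32 octets")
    return engine_id


def password_to_ku(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2 step 1: hash the password repeated cyclically to 1 MB."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty SNMPv3 password")
    expanded = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2 step 2: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id_hex: str, hash_name: str = "md5") -> bytes:
    """Key the agent actually checks: password -> Ku -> Kul bound to this engine ID.

    hash_name is "md5" for usmHMACMD5AuthProtocol or "sha1" for usmHMACSHAAuthProtocol.
    """
    engine_id = parse_engine_id(engine_id_hex)
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, localized_auth_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID_HEX, algo).hex())
```

The localized key for the RFC test values is 526f5eed9fcce26f8964c2930787d82b (MD5) and 6695febc9288e36282235fc7151f128497b38f3f (SHA-1); changing a single octet of the engine ID changes the whole key, which is why the Engine ID entered here must be the one the target device reports rather than one copied from a similar device.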
• From the Device selector, double-click a device, then click Cluster Information.
• Select a device and select Tools > Device Properties, then click Cluster Information.
The Policy Object Overrides folder in the table of contents includes all of the types of objects for which you can create overrides for the particular type of device. When you select an object type, the existing policy objects that are configured to allow device overrides appear in the table in the right pane, if any. If an object has an override already defined for the device, the Value Overridden? column contains a check mark.
• Upgrading from any ASA 8.0(x)-8.2(x) image to another ASA 8.0(x)-8.2(x) image, retaining the same security context and mode configuration.

Note Upgrading to 8.3(x) or higher from an 8.2(x) or lower release does change the feature set. You must delete these devices, then add them back into the Security Manager database.

• Upgrading from any FWSM 2.x image to another 2.
If you make these changes, and you do not have any policies defined that are affected by the change, you might be able to change the target OS version of the device. Security Manager prevents you from changing the target OS version of a managed device to a version that changes the types of policies that are available for that device, and informs you when it cannot make the change (identifying the problem policies).
Step 2 Share the local policies defined on the device:
a. Right-click the device in the Device selector, then select Share Device Policies. By default, all policies configured on the device (local and shared) are selected for sharing in the Share Policies wizard.
b. Deselect the check box next to each existing shared policy, as indicated by the hand in the policy icon.
• For FWSM, PIX Firewall 7.0, and ASA devices—The security contexts defined on the device. For information about security contexts, see Chapter 57, “Configuring Security Contexts on Firewall Devices”.
• IPS devices—The virtual sensors defined on the device.
• Clone VPN Assignments—Whether to copy the VPN assignments defined for the device. This field is displayed only if the device supports VPN assignments. You can clone the VPN assignments of a device that is a spoke in a hub-and-spoke configuration, or a device that participates in a full mesh topology. If you clone a spoke device, the new device is added to the VPN as a new spoke with the same policies.
Tip When you select a device group, you are deleting only the devices in the group; you are not deleting the group itself. For information on deleting device groups, see Deleting Device Groups or Group Types, page 3-60.

Step 2 You are asked to confirm that you want to delete the devices. Security Manager then validates whether the device can be deleted.
Chapter 3 Managing the Device Inventory
Working with Device Groups

Working with Device Groups

You can create device groups to help you organize your devices for more effective device management.
Figure 3-3 Device Groups

Security Manager lets you create or delete groups and group types, and put devices in groups, in many locations in the interface:
• When adding devices to the inventory—The New Device wizard includes a Device Grouping page, where you can create device group types and select a group for the newly-added device. You can also select a default group to which all new devices are added.
• Right-click a device group type or a device group in the Device selector and select Edit Device Groups.
• Select File > Edit Device Groups.
• From the Device Grouping page in the New Device wizard, or from the Device Groups page of the device properties for existing devices, select Edit Groups from a group type list. See Device Groups Page.
Step 4 Click OK to close the Edit Device Groups page.

Creating Device Groups

This procedure describes the most direct method to create device groups. For information on other methods of adding groups, see Understanding Device Grouping, page 3-57. Device groups are the lower-level categories in your device group hierarchy, and are added either within a device group type (top-level) or within another device group.
Chapter 3 Managing the Device Inventory
Working with Device Status View

Related Topics
• Understanding Device Grouping, page 3-57
• Filtering Items in Selectors, page 1-42

Step 1 Select the device group in the Device selector, right-click and select Add Devices to Group. The Add Devices to Group dialog box appears.
Step 2 To add devices to the group, select the devices in the Available Devices selector and click >> to move them to the Selected Devices list.
Figure 3-4 Device Status View

Field Reference

Table 3-15 Device Status View

Device Status Summary Boxes: The Device Status Summary boxes provide a high-level view of the overall status of the devices in the Device Status View. The counts shown in the summary boxes reflect the status for the devices in the currently selected device group.
Table 3-15 Device Status View (Continued)

Device Status View Toolbar: The Device Status View toolbar provides the following buttons:

Note These options are also available from the right-click menu for a device.

• Allows you to export the device status information to a PDF file.
• Allows you to print the device status information.
Table 3-15 Device Status View (Continued)

Device Status Table

Display Name: The display name for the device. This is the name used for display in the Security Manager Device selector and is not necessarily the same as the host name for the device.
Managed: Whether Security Manager manages the device.
Monitored: Whether the device is monitored by the Health and Performance Monitor.
Chapter 4 Managing Activities

Whether you are using Workflow or non-Workflow mode, all policy configuration is done within an activity, which is also called a configuration session in non-Workflow mode. In Workflow mode, you must explicitly create and manage activities, whereas in non-Workflow mode much of the activity creation and management is done automatically for you.
Chapter 4 Managing Activities Understanding Activities Note Workflow mode works in the same manner whether Ticket Management is enabled or not. Enabling Ticket Management in Workflow mode simply enables the Ticket field for use with Activities. Entering a ticket ID is not required, but if one is used, the Ticket field can be configured to link to an external change management system. For more information, see Ticket Management.
In addition, the changes you make within an activity are visible only within the activity. Other users see only the last approved committed configurations, unless they view your activity before you close it (in Workflow mode).

Activity Approval

When you enable Workflow mode, you can choose to operate with or without an activity approver.
the configuration. For example, if you are validating an activity, another user can create a deployment job. Similarly, if you are previewing the configuration before deployment, another user is permitted to do the same. This is because these two operations are limited to reading the committed configuration; they do not make any changes to it.
Table 4-1 Activity/Ticket States (Continued)

Submitted: The activity was submitted for review and approval or the ticket was submitted. (In Workflow mode, this state is available only if you have activity approval required. For more information, see Workflow Page, page 11-54.) No further changes can be made within the activity/ticket.
Figure 4-1 Activity Workflow without an Approver (states: Editable, Approved, Committed; transitions: create/open activity, define configurations, close activity, approve activity)
Chapter 4 Managing Activities
Working with Activities/Tickets

Figure 4-2 Activity Workflow with an Approver (states: Editable, Submitted, Approved, Committed; transitions: create/open activity, define configurations, close activity, submit activity, open activity (read-only), approve activity, reject activity back to Editable)

Working with Activities/Tickets

The following topics provide information to help you use activities and configuration sessions:
• Accessing Activity Functions in Workflow Mode, page 4-8
• Accessing
• Closing an Activity/Ticket, page 4-16
• Viewing Change Reports, page 4-16
• Validating an Activity/Ticket, page 4-18
• Submitting an Activity for Approval (Workflow Mode with Activity Approver), page 4-20
• Approving or Rejecting an Activity (Workflow Mode), page 4-21
• Discarding an Activity/Ticket, page 4-22
• Viewing Activity/Ticket Status and History, page 4-23

Accessing Activity Functions in Workflow Mode

In Workflow mode,
Table 4-2 Activities Tool Bar Buttons and Commands When Workflow Mode Is Enabled

Validate Activity: Validates the integrity of changed policies within the current activity. By validating an activity, you can check for configuration errors that you might have introduced by your policy changes.
Submit Activity: In Workflow mode with an activity approver, submits the activity for approval.
Table 4-3 Tickets Tool Bar Buttons and Commands When Ticket Management Is Enabled in Non-Workflow Mode

New Ticket: Creates a ticket.
Open Ticket: Opens a ticket. You can open a ticket when it is in the Edit state.
Close Ticket: Saves all changes made while the ticket was open and closes it. You can close a ticket when it is in the Edit Open state.
Navigation Path
• In non-Workflow mode with Ticket Management enabled, click the Ticket Manager button on the Main toolbar, or select Manage > Tickets.
• In Workflow mode, click the Activity Manager button on the Main toolbar, or select Manage > Activities.
Table 4-4 Activity/Ticket Manager Window (Continued)

Submit button: In Workflow mode with an activity approver, click this button to submit the selected activity. Submitting the activity sends notification that the activity is ready for review to the specified approver. You can submit an activity when it is in the Edit or the Edit Open state.
Table 4-4 Activity/Ticket Manager Window (Continued)

Discard button: Click this button to discard the selected activity/ticket. Devices associated with the activity/ticket are unlocked, meaning they can be used by other activities/tickets. Multiple activities/tickets can be discarded at the same time. You are prompted for a comment. For more information, see Discarding an Activity/Ticket, page 4-22.
Creating an Activity/Ticket

In Workflow mode, before you create or change policies or assign policies to devices, you must create an activity. In non-Workflow mode, if you have Ticket Management enabled, before you create or change policies or assign policies to devices, you must create a ticket.

Tip In non-Workflow mode with Ticket Management disabled, activities are created automatically when needed.
You can choose from the following options:
• Create a new activity/ticket—Create a completely new activity/ticket, specifying an activity name or ticket ID and optionally a description of the purpose of the activity/ticket. The default activity/ticket name contains the username, date, and time the activity/ticket was created.
• Open an existing activity/ticket—To open the activity/ticket you select from the Activity/Ticket list.
Related Topics
• Understanding Activities, page 4-1

Closing an Activity/Ticket

You can close an activity without approving it (or submitting it for approval) or close a ticket without submitting it if you or others want to continue configuring policies at a later time. A person with administrator privileges can close an activity/ticket opened by another user.
– Select File > View Changes to view the changes made during the current configuration session.
– Select Manage > Change Reports to view the changes made during previous sessions (which are closed when you submit or discard your changes). Select a configuration session from the Change Report window and click View Changes. (See Selecting a Change Report in Non-Workflow Mode with Ticket Management Disabled, page 4-18.)
– Blue—Indicates the new value of a changed item.
• Shared Policies section—Changes to all shared policies are displayed here.
• Policy Bundles—Changes to all policy bundles are displayed here.
• Policy Objects—Changes to all policy objects are displayed here.
• VPN—Changes to VPN topologies and policies are displayed here, including newly discovered VPNs and deleted VPN topologies.
• FlexConfig object references—All object references are resolvable. If FlexConfig objects reference non-existent objects, a warning with a list of the missing objects results.
Submitting an Activity for Approval (Workflow Mode with Activity Approver)

In Workflow mode with an activity approver, you must submit activities for approval. When you submit the activity, the integrity and deployability of the activity is validated. For details about the validation process and report, see Validating an Activity/Ticket, page 4-18.
Note Security Manager warns you if the e-mail cannot be sent and you must contact the approver directly.

Approving or Rejecting an Activity (Workflow Mode)

Before the changes in an activity are committed to the database, you must approve the activity. If you have activity approval permissions, you can open an activity, review the policies and policy assignments, and then either approve or reject the activity.
The Approve Activity, Reject Activity, or Reject Multiple Activities dialog box appears.
Step 2 In the Comment field, enter a brief explanation of why you are approving or rejecting the activity or activities. If you are rejecting, you might want to include suggested revisions.
Step 3 Click OK (for a single activity) or Reject (for multiple activities).
Non-Workflow Mode with Ticket Management Enabled—Do one of the following:
• To discard a single ticket, do one of the following:
– Open a ticket, then click the Discard button on the tickets toolbar or select Tickets > Discard Ticket.
– Select Manage > Tickets. From the Ticket Manager window, select a ticket, then click Discard. Only a ticket in the Edit or Edit Open state can be discarded.
Chapter 5 Managing Policies

The following topics describe the concept of policies in Cisco Security Manager and how to use and manage them.
Chapter 5 Managing Policies
Understanding Policies

Settings-Based Policies vs. Rule-Based Policies

Security Manager policies are structured as either rule-based policies or settings-based policies.

Rule-Based Policies

Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such as the access rules and inspection rules defined as part of a firewall service.
For example, the firewall policy domain contains policies for access rules, inspection rules, and transparent rules, among others. The site-to-site VPN policy domain contains policies for IKE proposals, IPsec proposals, and preshared keys, among others. Service policies can be applied to any kind of device, regardless of platform, although there may be some variation in policy definition depending on the device type.
Any changes that you make to a shared policy are automatically applied to all the devices to which it is assigned. As a result, shared policies both streamline the process of policy creation and help maintain consistency and uniformity in your device configurations. For more information about the actions you can perform on shared policies, see Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34.
Rule Order When Using Inheritance

As described in Understanding Access Rules, page 16-1, an access list (ACL) consists of rules (also called access control entries or ACEs) arranged in a table. An incoming packet is compared against the first rule in the ACL. If the packet matches the rule, the packet is permitted or denied, depending on the rule.
Having default rules makes it possible to define a global default rule, such as “deny any any”, that appears at the end of all access rule lists and provides a final measure of security should gaps exist in the mandatory rules and default rules that appear above it in the rules table.
Therefore, when working with rule-based policies such as access rules, you must use discretion when choosing these options. Use inheritance to supplement the local rules on the device with additional rules from a parent policy. Use assignment to replace the policy on the device with a selected shared policy.
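The practical consequence of first-match evaluation plus inheritance is that where a rule sits in the flattened table decides whether a device-level rule can override a parent's rule or not. The block below is an added model of that ordering, not code from Security Manager: it builds a small parent/child policy chain, lays the rules out with every mandatory section above every default section and the global “deny any any” last, as the text describes, and then evaluates sample packets first-match. The specific nesting it assumes (a parent's mandatory rules before the child's, a child's default rules before the parent's) and the policy names and addresses are illustrative assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR network or "any"
    dst: str      # CIDR network or "any"
    origin: str   # "<policy>/<section>", kept so the trace shows which rule fired

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _contains(self.src, src_ip) and _contains(self.dst, dst_ip)


def _contains(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


@dataclass
class AccessPolicy:
    """One access-rule policy with a mandatory section, a default section, and an optional parent."""
    name: str
    mandatory: List[Rule] = field(default_factory=list)
    default: List[Rule] = field(default_factory=list)
    parent: Optional["AccessPolicy"] = None

    def rule(self, section: str, action: str, src: str, dst: str) -> "AccessPolicy":
        getattr(self, section).append(Rule(action, src, dst, f"{self.name}/{section}"))
        return self


def flatten(policy: AccessPolicy) -> List[Rule]:
    """Order rules as the inherited table is laid out (assumed nesting, see lead-in):
    top ancestor mandatory ... device mandatory, device default ... top ancestor default."""
    chain = []                       # device policy first, topmost ancestor last
    p = policy
    while p is not None:
        chain.append(p)
        p = p.parent
    ordered: List[Rule] = []
    for p in reversed(chain):        # mandatory: ancestors first, so a child cannot override them
        ordered.extend(p.mandatory)
    for p in chain:                  # default: device first, so a child can override them
        ordered.extend(p.default)
    return ordered


def evaluate(policy: AccessPolicy, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First-match evaluation over the flattened table; implicit deny if nothing matches."""
    for rule in flatten(policy):
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.origin
    return "deny", "implicit"


# Constructed hierarchy (assumed names and addresses, documentation ranges only).
corporate = AccessPolicy("Corporate")
corporate.rule("mandatory", "deny", "198.51.100.0/24", "any")   # organisation-wide block
corporate.rule("default", "deny", "any", "any")                  # the global "deny any any"
region = AccessPolicy("Region", parent=corporate)
region.rule("default", "permit", "10.0.0.0/8", "any")
device = AccessPolicy("Edge-FW", parent=region)
device.rule("mandatory", "permit", "198.51.100.0/24", "203.0.113.0/24")  # cannot beat Corporate
device.rule("default", "deny", "10.1.0.0/16", "any")                     # does beat Region


def check(src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Evaluate a packet against the device-level policy and report which rule decided it."""
    return evaluate(device, src_ip, dst_ip)


if __name__ == "__main__":
    for r in flatten(device):
        print(f"{r.origin:22} {r.action:6} {r.src:18} -> {r.dst}")
    for flow in (("198.51.100.5", "203.0.113.1"), ("10.1.5.5", "203.0.113.1"),
                 ("10.2.0.1", "203.0.113.1"), ("172.16.0.1", "203.0.113.1")):
        print(flow, check(*flow))
```

The four sample flows show the two halves of the text's advice: the device's mandatory permit for 198.51.100.0/24 never fires because Corporate's mandatory deny is evaluated first, while the device's default deny for 10.1.0.0/16 does take effect because a child's default rules sit above the parent's. If the intent is to replace the parent's rules rather than supplement them, assignment of a different shared policy is the tool, not inheritance.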
Tip Security Manager also obtains activity (or configuration session) locks, which are broader in scope than policy locks, when users perform some actions. For more information, see Activities and Locking, page 4-3.

Lock Types

Security Manager uses two different types of locks:
• Policy content locks—Locks the content of a particular policy. The banner displayed above the work area reads: This data for this policy is locked by activity/user: .
Understanding Locking and Policies

Table 5-1 on page 5-9 summarizes the effects of policy locks in Security Manager.

Note The ability to modify policies and policy assignments is dependent on the user permissions assigned to the user. See the Installation Guide for Cisco Security Manager.

Table 5-1 Locking Summary

If Another User or Activity... / You Cannot...
• Changes a policy definition
• Changes the definition of a rule-based policy with descendants
In order to view and modify site-to-site VPN policies, you must have the required permissions for each device in the VPN topology. You also need permissions to add a device to a VPN topology. If you have different levels of permissions to the devices in the VPN topology, the lowest permission level is applied to the entire topology.
configurations of these types that were configured using other methods. For example, if you decide not to manage SNMP policies, any SNMP configurations that you configured using CLI commands are unknown to Security Manager.

Caution If you use AUS or CNS to deploy configurations to ASA or PIX devices, be aware that the device downloads a full configuration from AUS or CNS.
Chapter 5 Managing Policies
Discovering Policies

Note Features that are unmanaged by Security Manager can still be modified manually with CLI commands or FlexConfigs. For more information about FlexConfigs, see Chapter 7, “Managing FlexConfigs”.

Discovering Policies

Policy discovery enables you to bring your existing network configuration into Security Manager to be managed. Policy discovery can be performed by importing the configuration of a live device or by importing a configuration file.
Remote Access VPN Policies, page 29-12. For more information about performing policy discovery, see Adding Devices to the Device Inventory, page 3-6 and Discovering Policies on Devices Already in Security Manager, page 5-15.

Note If you add a device using a configuration file, and discover security policies while adding the device, Security Manager cannot successfully discover policies that require that files be downloaded from the discovered device.
When you discover policies on an IPS device, the virtual sensors defined on the device are also discovered along with the policies defined for the virtual sensors. If more than one virtual sensor uses the same policy, that policy is created as a shared policy and is assigned to the virtual sensors. Policies defined for a single virtual sensor, or only for the parent device, are created as local policies.
Chapter 5 Managing Policies Discovering Policies • If the Security Manager policy supports only extended ACLs (for example, firewall service policies), any standard ACLs configured on the device for that policy are imported as extended ACLs. • If the Security Manager policy supports only standard ACLs (for example, SNMP traps on IOS routers), any extended ACLs configured on the device for that policy are imported as standard ACLs.
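The two conversion directions above differ in what they preserve: widening a standard ACL to an extended one is lossless, while narrowing an extended ACL to a standard one keeps only the action and source, so destination, protocol and port qualifiers are dropped and the resulting entry matches more traffic than the original. The following added example (constructed for this guide, not Security Manager code) models that normalisation for a subset of IOS-style numbered ACLs and reports what a narrowing discards; the `Ace` model, the `import_acl` function and the sample lines are all assumptions of the example.

```python
"""Constructed model of standard <-> extended ACL normalisation during discovery.
Added example, not Security Manager code. Covers a subset of IOS-style numbered
ACLs: no source ports, no 'log' keywords, no named ACLs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry in a protocol-agnostic form (assumed model)."""
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # standard ACEs carry no protocol; treated as "ip"
    src: str = "any"                # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str = "any"
    dst_port: Optional[str] = None  # e.g. "eq 443"; only meaningful for tcp/udp


def _parse_address(tokens: List[str], pos: int) -> Tuple[str, int]:
    """Consume 'any', 'host X' or 'X WILDCARD' starting at tokens[pos]."""
    tok = tokens[pos]
    if tok == "any":
        return "any", pos + 1
    if tok == "host":
        return f"host {tokens[pos + 1]}", pos + 2
    return f"{tok} {tokens[pos + 1]}", pos + 2


def parse_ace(line: str) -> Tuple[bool, Ace]:
    """Parse 'access-list N ...' and return (is_extended, Ace).
    IOS numbering: 1-99 is a standard ACL, 100-199 an extended ACL."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99:
        rest = tokens[3:]
        if rest[0] in ("any", "host"):
            src, _ = _parse_address(rest, 0)
        elif len(rest) == 1:
            src = f"host {rest[0]}"      # bare address in a standard ACE = one host
        else:
            src = f"{rest[0]} {rest[1]}"
        return False, Ace(action=action, src=src)
    if 100 <= number <= 199:
        protocol = tokens[3]
        src, pos = _parse_address(tokens, 4)
        dst, pos = _parse_address(tokens, pos)
        dst_port = " ".join(tokens[pos:]) or None
        return True, Ace(action, protocol, src, dst, dst_port)
    raise ValueError(f"unsupported ACL number {number}")


def to_extended(ace: Ace) -> Ace:
    """Standard -> extended is lossless: a source-only match becomes 'ip <src> any'."""
    return Ace(ace.action, "ip", ace.src, "any", None)


def to_standard(ace: Ace) -> Tuple[Ace, List[str]]:
    """Extended -> standard keeps only action and source; everything else is dropped,
    so the result matches MORE traffic. The list records what was lost for review."""
    dropped = []
    if ace.protocol != "ip":
        dropped.append(f"protocol {ace.protocol}")
    if ace.dst != "any":
        dropped.append(f"destination {ace.dst}")
    if ace.dst_port:
        dropped.append(f"port {ace.dst_port}")
    return Ace(ace.action, "ip", ace.src, "any", None), dropped


def render(ace: Ace, extended: bool) -> str:
    """Render an Ace as CLI-like text without the 'access-list N' prefix."""
    if not extended:
        return f"{ace.action} {ace.src}"
    parts = [ace.action, ace.protocol, ace.src, ace.dst]
    if ace.dst_port:
        parts.append(ace.dst_port)
    return " ".join(parts)


def import_acl(lines: List[str], want_extended: bool) -> Tuple[List[str], List[str]]:
    """Normalise every ACE to the ACL type the target policy supports.
    Returns (entries, warnings); warnings appear only when narrowing lost detail."""
    entries, warnings = [], []
    for line in lines:
        is_ext, ace = parse_ace(line)
        if want_extended:
            entries.append(render(ace if is_ext else to_extended(ace), True))
            continue
        if is_ext:
            ace, dropped = to_standard(ace)
            if dropped:
                warnings.append(f"{line!r}: dropped {', '.join(dropped)}")
        entries.append(render(ace, False))
    return entries, warnings


# Constructed sample configuration lines (not from a real device)
SAMPLE_LINES = [
    "access-list 10 permit 10.1.1.0 0.0.0.255",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 443",
    "access-list 101 deny ip any any",
]
```

Running `import_acl(SAMPLE_LINES, False)` shows the narrowed permit entry and a warning listing the dropped `tcp`, destination host and `eq 443` qualifiers, which is exactly the kind of change worth checking after a rediscovery.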
Before You Begin

Ensure that no one is configuring policies on the device or deploying configurations to the device. If you rediscover policies on a device while a deployment job is deploying configurations to the device, you might not be able to see the deployed changes after the rediscovery. Use the Deployment Manager to determine if there are active jobs that include the device before you rediscover policies (select Manage > Deployments).

an OS version for which a factory default configuration exists). You can discover the default configuration only for devices that run in single-context mode or for individual security contexts.

Tip: We recommend that you use the Factory Default Configuration settings when you add PIX, ASA, and FWSM devices manually (as described in Adding Devices by Manual Definition, page 3-25).

c. • To change options for all devices of a given type, select the device type folder and modify the Discover Device Settings options. If the Discover drop-down list shows Multiple Values, then there are different discovery options selected for devices of that type. If you change the value, it changes for all devices.

Field Reference

Table 5-2 Create Discovery Task Dialog Box

Discovery Task Name: The name assigned to the discovery task. Security Manager automatically generates a name for the task based on the current date and time, but you can modify this name as desired.
Selected Devices table: The devices you selected for rediscovery.

Table 5-2 Create Discovery Task Dialog Box (Continued)

Discover Policies for Security Contexts: Whether to discover policies for each security context that is configured on a firewall device running in multiple-context mode. This field applies only to PIX, ASA, and FWSM devices.

Viewing Policy Discovery Task Status

When you initiate policy discovery, a discovery task is created. For each policy discovery initiation, only one task is created regardless of the number of devices being discovered. You can view the status of the current policy discovery task in the Discovery Status dialog box, which opens automatically when the task is initiated.

Field Reference

Table 5-3 Discovery Status Dialog Box

Progress bar: Indicates what percentage of the discovery task on the current device has been completed.
Status: The current state of the discovery task.
Devices to be discovered: The total number of devices being discovered during this task. The number includes service modules, security contexts, and virtual sensors.

Table 5-3 Discovery Status Dialog Box (Continued)

Generate Report button: Click this button to create a discovery status report for this job. The report is a PDF file, saved to your client system, that includes a summary of the job. You can use this report for your own purposes or to aid in troubleshooting a problem with Cisco TAC. For more information, see Generating Deployment or Discovery Status Reports, page 10-28.

Table 5-4 Policy Discovery Status Page (Continued)

End Time: The time the task stopped.
Status: The overall status of the task. One of the following:
• Completed successfully—The task succeeded.
• Completed with errors—The task was partially successful. This could occur if all policies were not discovered or if the device was added but no policies were discovered.
Generate Report button

Table 5-4 Policy Discovery Status Page (Continued)

State, Details, Discovered From (Discovery Details only), Messages list: These fields have the same meaning, although different names are used in the Discovery Details and Import Details tables. The fields describe the status of the task for the device:
• Device Added—The device was successfully added to the inventory.
Answer: Typically, you should discover policies when you add devices to Security Manager. However, if you are creating devices in Security Manager (instead of importing live devices or configuration files), you must perform policy discovery after adding the device. You should also perform policy discovery in order to synchronize Security Manager with any out-of-band changes that have been made to the device, for example through the CLI.

Question: How does Security Manager handle my current CLI naming schemes for ACLs and object groups?

Answer: When you discover policies from a device, Security Manager tries to use the same names you have used. However, depending on your naming scheme, some minor differences might occur between what you defined on your device and the policies created through discovery.

Question: Why are parts of the AAA method list definitions configured on my router not discovered?

Answer: Security Manager does not support certain keywords, such as if-needed. Method lists containing these keywords are discovered without the keyword. If the default AAA definitions on the device contain unsupported keywords, the entire command is not discovered.

Table 5-5 Policy Status Icons (Continued)

• A local policy is configured. The definition of this policy affects only the device or VPN topology on which it is configured.
• A shared policy is configured. Any changes to the definition of this policy affect all of the devices or VPN topologies to which this policy is assigned.
• A policy bundle is configured.

Related Topics

• Understanding the Device View, page 3-1
• Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-28
• Copying Policies Between Devices, page 5-31
• Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34

Step 1 In Device view, select a device from the Device selector, then select a policy for that device from the Device Policies selector
your organization, and you can select different methods for each device. For general information about deployment, see Working with Deployment and the Configuration Archive, page 8-26.

• Right-click the device in the Device selector, then select Copy Policies Between Devices. The Copy Policies wizard selects the device as the source device and starts at step 2, the Select Policies to Copy page. You can change the source device by clicking Back.

Tip: You can also right-click a device in Map view and select Copy Policies Between Devices.

Step 2

The device selector displays only those devices that support all of the policies you selected to copy. If you do not see all of the devices to which you want to copy policies, you can return to the policy selection page and deselect the more restrictive policies, and use the wizard a second time to copy the restrictive policies to the subset of devices that support them.

• IOS router policies—Core connectivity policies, such as basic interface settings and accounts and credentials policies, cannot be unassigned from the device on which they are created. If you unassign a device access policy that was used to define the password for configuring the device, you might prevent Security Manager from configuring that device in the future.

As an alternative to sharing local policies, you can create new shared policies and manage them at the network level using Policy view. For more information, see Managing Shared Policies in Policy View, page 5-47.

• That the shared policy was imported. Imported policies might be re-imported at some point if the policy is managed on a different server. Any changes that you make are eliminated if the policy is imported again. Before editing the policy, ensure that you understand the protocols used in your organization for policy management and importation.

• Modifying Shared Policy Definitions in Device View or the Site-to-Site VPN Manager, page 5-45
• Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager, page 5-46
• Inheritance vs.

Table 5-6 Policy Shortcut Commands (Continued)

Clone Policy: Creates a copy of a policy with a new name. Use this option to create a new policy with the same definition as the policy from which it was created, which you can then edit. See Cloning (Copying) a Shared Policy, page 5-44.
Rename Policy: Renames the selected policy. See Renaming a Shared Policy, page 5-45.

Policy names can contain up to 255 characters, including spaces and special characters.

Sharing Multiple Policies of a Selected Device

With one procedure, you can share multiple policies configured on a particular device. When you perform this procedure, you can choose to share all the policies configured on the device or only some of them.

Step 2 On the Select Policies to Share page, select all policies that you want to share. Initially, all shareable policies configured on the device, whether local or shared, are selected. Deselect the check box next to each policy that you do not want to share. Following are some tips:
• Local policies that are not checked remain local to the selected device.

Step 3

• (Device view only) Select Policy > Unshare Policy.
• Right-click the selected shared policy, then select Unshare Policy.

Step 2 Click OK. The shared policy is converted into a local policy for the selected device or VPN topology. The shared policy icon in the Policies selector is replaced by the local policy icon.

The Assign Shared Policy dialog box is displayed if there are any shared policies available for assignment.

Step 2 Select a shared policy from the displayed list to assign to the device or VPN topology and click OK. If the policy does not allow inheritance, the shared policy is assigned to the selected device and you are finished.

Step 1 In Device view, select a device from the Device selector, then select a shared policy assigned to that device from the Device Policies selector. You must select a rule-based policy, such as access rules. The details of the policy appear in the work area.

Step 2 Do one of the following:
• Select Policy > Add Local Rules.
• Right-click the policy, then select Add Local Rules.

• Select Policy > Inherit Rules.
• Right-click the policy, then select Inherit Rules.
• (Device view only) Click the link in the Inherits From field in the policy banner.

The Inherit Rules dialog box is displayed, containing a list of all shared policies of the selected type, including any inheritance relationships among them.

Renaming a Shared Policy

You can rename a shared policy. The new name is immediately reflected in all devices and VPN topologies to which the policy is assigned.

Step 3 Click Save. You are asked to confirm that you want to save your changes, reminding you that the changes you made will be applied to all devices or topologies to which the policy is assigned.

Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager

You can modify the list of devices or VPN topologies assigned a particular shared policy as required.
Tip: To assign a policy to all the devices in a device group, select the name of the device group, then click >>.

Step 3 Click OK to save your assignment changes.

Managing Shared Policies in Policy View

Use Policy view to globally manage all the shared policies configured in Security Manager.

Figure 5-4 Policy View. Callouts: 1 Assignments tab; 2 Work area and Details tab; 3 Save button; 4 Create a Policy and Delete a Policy buttons; 5 Shared Policy selector; 6 Shared Policy filter; 7 Policy Type selector.

• (7) Policy Type Selector—Lists the policy types available in Security Manager, divided by category.

– Details—Use this tab to view and edit the definition of the selected policy. You can modify the definition as required; click Save in the work area to save your changes. Changes affect all devices or VPN topologies to which the policy is assigned. The information displayed on the Details tab is identical to the information displayed in Device view or the Site-to-Site VPN Manager and can be modified in exactly the same way.

You can expand and collapse the selector as required to view all the available policy types and subtypes. To create a new policy, right-click the policy type and select New [policy type] Policy, or click the Create a Policy button in the shared policy selector. Selecting a policy type from the Policy Type selector displays all the shared policies of that type in the Shared Policy selector.

Creating a New Shared Policy

Use Policy view to create a new shared policy. In most cases, the new policy starts out undefined, but in certain cases (for example, many site-to-site VPN policies, such as IPsec proposals and GRE modes) default values are supplied. In all cases, the new policy is not initially assigned to any devices.

When you unassign a shared policy from a device or VPN topology, Security Manager removes the policy from the planned configuration of that device or VPN topology. When the configuration defined by the policy is deployed, any configuration of the same type that is already configured on the device (including the devices in the VPN topology) is removed. For more information, see Unassigning a Policy, page 5-33.

Deleting a Shared Policy

Use Policy view to delete a shared policy from Security Manager. Before you delete a shared policy, you should unassign it from any devices that use it, and configure replacement policies for those devices. If a shared policy is assigned to a device, when the policy is deleted the device no longer has a policy configured for the deleted shared policy, other than whatever defaults might exist for the policy type.

Managing Policy Bundles

This section contains the following topics:
• Creating a New Policy Bundle, page 5-54
• Cloning a Policy Bundle, page 5-55
• Renaming a Policy Bundle, page 5-55
• Assigning Policy Bundles to Devices, page 5-56

Creating a New Policy Bundle

You can use the Policy Bundle view to create new policy bundles. When creating a policy bundle, you can only assign one shared policy of each type to the policy bundle.

Cloning a Policy Bundle

You can use Policy Bundle view to create a new policy bundle by cloning an existing bundle.

Related Topics
• Managing Policy Bundles, page 5-53
• Creating a New Policy Bundle, page 5-54
• Renaming a Policy Bundle, page 5-55
• Assigning Policy Bundles to Devices, page 5-56

Step 1 In Policy Bundle view, right-click an existing policy bundle in the Policy Bundle selector, then select Clone Policy Bundle.

Assigning Policy Bundles to Devices

You can modify the list of devices assigned a particular policy bundle as required. Multiple policy bundles can be assigned to a device as long as the policy types in those policy bundles do not overlap. When assigning a policy bundle to a device, if local policies on that device are the same policy type as those contained in the policy bundle, you are given the option to inherit or replace the existing policies.
Chapter 6 Managing Policy Objects

Policy objects enable you to define logical collections of elements. They are reusable, named components that can be used by other objects and policies. Objects aid policy definition by eliminating the need to define that component each time you define a policy. When used, an object becomes an integral component of the object or policy.
Selecting Objects for Policies

Modifying Policies using Drag and Drop

If you are modifying an existing policy, you can easily update the policy definition by dragging and dropping objects from the Policy Object Manager onto the applicable field in the policy.

Table 6-1 Object Selectors

Type: The type of object to display in the selector, if there is an option. For example:
• You can choose between network/host objects and interface roles when configuring sources and destinations in some rule-based policies.
Available [object type]

Policy Object Manager

Use the Policy Object Manager to:
• View all available objects grouped by object type.
• Create, copy, edit, and delete policy objects.
• Drag and drop objects onto existing policies to update the policy definition.
• Generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies.

Field Reference

Table 6-2 Policy Object Manager Window

Object Type selector, or table of contents (Left pane): Lists the object types available in Security Manager. When you select an object type, all existing objects of that type are listed in the table in the right pane. The objects are organized into three folders: Favorites, Recent Objects, and All Object Types.

Table 6-2 Policy Object Manager Window (Continued)

Export: Use the Export feature to download a CSV file of the object data for the selected object type.
Print: Use the Print feature to print the object data for the selected object type.
Filter: Allows you to filter the rows displayed to help you find items in a large table. For more information, see Filtering Tables, page 1-45.

Table 6-2 Policy Object Manager Window (Continued)

Referenced: Whether the object is being used in any policy definitions. You can find out which policies or policy objects are using the selected object and any device overrides for the object using the Find Usage feature (see Generating Object Usage Reports, page 6-14).

Policy Object Manager: Undocking and Docking

Whenever you open the Policy Object Manager, it is initially displayed as a pane in the lower half of the current view to make dragging and dropping objects easier.

Table 6-3 Policy Object Manager Shortcut Menu (Continued)

Clone Object: Select this command to create a copy of the policy object. For more information, see Cloning (Duplicating) Objects, page 6-13.
Copy Object: Choose this command to copy one or more selected objects to the system Clipboard. Tip: You can also use Ctrl+C to copy objects.
Paste Object

• Using the Policy Object Manager window. This option is best suited for situations where you are defining one or more objects outside of the context of defining a particular policy. See Policy Object Manager, page 6-4.
• Using object selectors. When you define a policy that uses objects, object selectors include buttons for creating and editing objects so you don’t have to leave the policy you are defining.

Tip

Step 2
• Add and Edit LDAP Attribute Map Dialog Boxes, page 6-43
• Understanding Map Objects, page 6-72
• Understanding Networks/Hosts Objects, page 6-74
• PKI Enrollment Dialog Box, page 25-54
• Add or Edit Port Forwarding List Dialog Boxes, page 33-28
• Configuring Port List Objects, page 6-87
• Creating Cisco Secure Desktop Configuration Objects, page 32-18
• Understanding and Specifying Services and Service

Editing Objects

You can edit any user-defined object as required. Changes that you make to the object are reflected in all policies (and other objects) that use the object. However, if an override for the object is already defined for a device, your edits are not reflected in the object used on those devices.

Tips
• You cannot edit predefined objects, but you can copy them to create new objects.

• Objects can be filtered in the rules tables based on category, facilitating rule maintenance. For example, you might want to create a network/host object and keep track of its use for administrative purposes. When you define this network/host object, you associate it with a category. When you view the access rules table, you can easily identify those rules that use your network/host object.
Viewing Object Details

You can view the contents of an object in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window, or when your user privileges allow you only to view object information.

Table 6-4 Object Usage Dialog Box

Name, Type, Description: General information about the object for which you are finding usage is displayed at the top of the Object Usage dialog box.
Devices, Policies: The type of references you want to view. For example, you can select Objects to view only references to the object from other objects.

Table 6-4 Object Usage Dialog Box (Continued)

Details Panel: Shows additional details for certain types of references:
• Devices - For supported policy types, device information is displayed in the Details panel.

Step 3 Right-click the object you want to delete and select Delete Object, or select the object and click the Delete Object button. You are asked to confirm the deletion.

Managing Object Overrides

When you create a policy object, you can elect to allow the object to be overridden. This makes it possible to create a generic object to enable you to create general policies.

Device-level object overrides are especially important when the global object is included in the definition of a VPN policy, which applies to every device in the VPN topology. For example, you select a PKI enrollment object when defining a PKI policy on a site-to-site VPN. If the hub of your VPN uses a different CA server than the spokes, you must use device-level overrides to specify the CA server used by the hub.

Related Topics
• Understanding Policy Object Overrides for Individual Devices, page 6-17
• Allowing a Policy Object to Be Overridden, page 6-18
• Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-19
• Deleting Device-Level Object Overrides, page 6-21

Step 1 (Device view) Right-click a device in the Device selector and select Device Properties.

Step 3 Double-click the checkmark, or right-click the object and select Edit Device Overrides, to open the Policy Object Overrides Window, page 6-20. The window contains a table listing each device for which an override is defined for the object.

Tip: You can also edit the overridable object and click Edit next to the Overrides field.

Step 4

Navigation Path

Open the Policy Object Manager, page 6-4. Select an object type that can be overridden (its object page contains a column called Overrides), then do one of the following:
• Double-click the green checkmark in the Overrides column.
• Right-click the object and select Edit Device Overrides.
• Edit the overridable object and click Edit next to the Overrides field.

You can also manually create a CSV file that you can import. For example, you might obtain a list of IP addresses that identify networks or hosts that should be denied entry to your network. You can create a CSV file that will bulk-load the list as one or more network/host objects if that is easier than manually creating the object in the Policy Object Manager.

-c {true | false}: (Optional.) When importing objects, whether to enable policy object conflict detection.
• false—An object is imported even if an existing object has the same content.
• true—If an existing object has the same content as an imported object, the imported object is skipped.
-d {true | false}
-h

• Node—The display name of the device on which an override of the policy object is defined. If the policy object is defined on the global level, the field is empty. When importing objects, if the display name does not match a device already in the Security Manager inventory, the object is skipped and not imported.
• Description—The description of the object, if any.
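The two skip rules described for the import (content conflicts when `-c true` is set, and override rows whose Node is not a device in the inventory) are easy to get wrong when a CSV is built by hand, so it helps to see them applied to a small batch. The following added example is a simulation written for this guide, not the Security Manager import tool or its real CSV layout; the column names `name`, `node`, `content` and `description`, the `PolicyObject` model and the sample rows are all constructed assumptions.

```python
"""Constructed simulation of two documented policy-object import rules.
Added example; not the Security Manager import tool and not its real CSV layout."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class PolicyObject:
    """Minimal assumed model of a network/host object or one of its device overrides."""
    name: str
    node: str            # "" for a global object, else the device display name of an override
    content: str         # e.g. "10.0.0.0/8"; what conflict detection compares
    description: str = ""


def import_objects(csv_text: str,
                   existing: List[PolicyObject],
                   inventory: Set[str],
                   conflict_detection: bool) -> Tuple[List[PolicyObject], Dict[str, str]]:
    """Apply the import rules to each CSV row and return (imported, skipped-by-name).

    Rule 1 (Node column): an override whose node is not a device in the inventory
    is skipped. Rule 2 (-c true): a row whose content equals that of an existing
    object is skipped; with -c false it is imported even though it duplicates one.
    Assumption of this example: rows imported earlier in the same batch also count
    as "existing" for rule 2, so a CSV cannot import the same content twice.
    """
    seen_content = {o.content for o in existing}
    imported: List[PolicyObject] = []
    skipped: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        obj = PolicyObject(row["name"].strip(), row["node"].strip(),
                           row["content"].strip(), row.get("description", ""))
        if obj.node and obj.node not in inventory:
            skipped[obj.name] = f"node {obj.node!r} is not in the inventory"
            continue
        if conflict_detection and obj.content in seen_content:
            skipped[obj.name] = "an existing object has the same content"
            continue
        imported.append(obj)
        seen_content.add(obj.content)
    return imported, skipped


# Constructed inputs: one pre-existing global object and an inventory of one device
EXISTING = [PolicyObject("corp-net", "", "10.0.0.0/8", "pre-existing global object")]
INVENTORY = {"Branch-ASA"}
SAMPLE_CSV = (
    "name,node,content,description\n"
    "blocked-net,,198.51.100.0/24,constructed deny-list network\n"
    "corp-dup,,10.0.0.0/8,same content as the existing corp-net\n"
    "blocked-net-dup,,198.51.100.0/24,same content as blocked-net in this batch\n"
    "branch-dns,Branch-ASA,192.0.2.53,override for a device that is in the inventory\n"
    "orphan-override,NoSuchDevice,192.0.2.54,override whose node is unknown\n"
)


def demo() -> Dict[bool, Tuple[List[str], List[str]]]:
    """Run the batch with -c true and -c false; return names imported/skipped for each."""
    results = {}
    for flag in (True, False):
        imported, skipped = import_objects(SAMPLE_CSV, EXISTING, INVENTORY, flag)
        results[flag] = ([o.name for o in imported], sorted(skipped))
    return results


if __name__ == "__main__":
    for flag, (names, dropped) in demo().items():
        print(f"-c {str(flag).lower()}: imported={names} skipped={dropped}")
```

With `-c true` only `blocked-net` and `branch-dns` are imported; with `-c false` the two content duplicates are imported as well, while the orphaned override is skipped either way because the Node check does not depend on the flag.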
Chapter 6 Managing Policy Objects Understanding AAA Server and Server Group Objects • Accounting—Accounting is used to track the services users are accessing, as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records.
Chapter 6 Managing Policy Objects Understanding AAA Server and Server Group Objects • TACACS+—Terminal Access Controller Access Control System (TACACS+) is a security application that provides centralized validation of users attempting to gain access to a router or network access server. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.
Chapter 6 Managing Policy Objects Understanding AAA Server and Server Group Objects When user authentication for VPN access has succeeded and the applicable tunnel-group policy specifies an LDAP authorization server group, the ASA, PIX, or FWSM device queries the LDAP server and applies the authorizations it receives to the VPN session. • HTTP-Form—These devices can use the HTTP Form protocol for single sign-on (SSO) authentication of WebVPN users only.
Chapter 6 Managing Policy Objects Understanding AAA Server and Server Group Objects Predefined AAA Authentication Server Groups There are several predefined AAA server groups that define an authentication method without specifying particular AAA servers. In policies such as IPSec proposals, you can use these predefined server groups to define the types of AAA authentication to perform and the order in which to perform them. Table 6-6 on page 6-28 describes the predefined AAA authentication server groups.
Chapter 6 Managing Policy Objects Understanding AAA Server and Server Group Objects • For TACACS+: CSM-tac-grp Both of these special AAA server groups are marked in the Policy Object Manager as the default groups for their protocol. This is indicated by the Make this Group the Default AAA Server Group check box. These groups are created solely for the purpose of management by Security Manager.
• Supported AAA Server Types, page 6-25
• Additional AAA Support on ASA, PIX, and FWSM Devices, page 6-26
• Understanding AAA Server and Server Group Objects, page 6-24
Step 1 Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager, page 6-4).
Step 2 Select AAA Servers from the Object Type selector.
Note You cannot edit the protocol if the object is already included in an AAA server group.
Navigation Path
Select Manage > Policy Objects, then select AAA Servers from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Table 6-7 AAA Server Dialog Box—General Settings (Continued)
Timeout: The amount of time to wait for a response to a request before the AAA server is considered unresponsive. If there are other servers in the group, the next server is tried.
• Cisco IOS routers—The range is 1-1000 seconds. The default is 5 seconds.
• ASA/PIX 7.x+, FWSM 3.1+ devices—The range is 1-300 seconds.
Protocol
• Understanding AAA Server and Server Group Objects, page 6-24
• AAA Server Group Dialog Box, page 6-46
Field Reference
Table 6-8 AAA Server Dialog Box—RADIUS Settings
Key: The shared secret that is used to encrypt data between the network device (client) and the AAA server. The key is a case-sensitive, alphanumeric string of up to 127 characters. Special characters are permitted.
Table 6-8 AAA Server Dialog Box—RADIUS Settings (Continued)
RADIUS Password / Confirm (ASA, PIX 7.x+, and FWSM 3.x+ devices only.): A case-sensitive, alphanumeric keyword of up to 127 characters that is common among users who access this RADIUS authorization server through this device. Enter the password again in the Confirm field. The RADIUS authorization server requires a password and username
Table 6-8 AAA Server Dialog Box—RADIUS Settings (Continued)
(ASA, PIX 7.x+, and FWSM 3.x+ devices only.): The method for handling the netmask expressions that are contained in downloadable ACLs received from the RADIUS server. The ASA/PIX/FWSM expects downloadable ACLs to contain standard
Field Reference
Table 6-9 AAA Server Dialog Box—TACACS+ Settings
Key / Confirm: The shared secret that is used to encrypt data between the client and the AAA server. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). Spaces and special characters are permitted. The key you define in this field must match the key on the TACACS+ server.
AAA Server Dialog Box—LDAP Settings
Use the LDAP settings in the AAA Server dialog box to configure an LDAP AAA server object.
Note This type of AAA server can be configured only on ASA, PIX 7.x+, FWSM 3.1+, and IOS devices.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-30 and select LDAP in the Protocol field.
Table 6-11 AAA Server Dialog Box—LDAP Settings (Continued)
LDAP Hierarchy Location: The base distinguished name (DN), which is the location in the LDAP hierarchy where the authentication server should begin searching when it receives an authorization request. For example, OU=Cisco. The maximum length is 128 characters. The string is case-sensitive.
Table 6-11 AAA Server Dialog Box—LDAP Settings (Continued)
LDAP Server Type: The type of LDAP server used for AAA:
• Auto-Detect—The ASA/PIX/FWSM device tries to determine the server type automatically. This is the default.
• Microsoft—The LDAP server is a Microsoft Active Directory server.
Table 6-11 AAA Server Dialog Box—LDAP Settings (Continued)
Authentication bind-first: You can configure the sequence of search and bind for an authentication request with this option. The default is search first and then bind.
No Authorization Required: No authorization is required for authentication requests.
Related Topics
• Creating AAA Server Objects, page 6-29
• Understanding AAA Server and Server Group Objects, page 6-24
• AAA Server Group Dialog Box, page 6-46
Field Reference
Table 6-13 AAA Server Dialog Box—SDI Settings
Server Port: The port used for communicating with the AAA server. The default is 5500.
Retry Interval: The interval between attempts to contact the AAA server.
Field Reference
Table 6-14 AAA Server Dialog Box—HTTP-Form Settings
Start URL: The URL from which the WebVPN server of the security appliance should retrieve an optional pre-login cookie. The maximum URL length is 1024 characters. The authenticating web server might execute a pre-login sequence by sending a Set-Cookie header along with the login page content.
Add and Edit LDAP Attribute Map Dialog Boxes
Use the Add and Edit LDAP (Lightweight Directory Access Protocol) Attribute Map dialog boxes to populate the attribute map with name mappings that translate Cisco LDAP attribute names to custom, user-defined attribute names.
Table 6-15 Add and Edit LDAP Attribute Map Dialog Boxes (Continued)
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Creating AAA Server Group Objects
You can create AAA server group objects for Security Manager policies requiring AAA services, such as authentication and authorization. Each AAA server group object can contain multiple AAA servers, all of which use the same protocol, such as RADIUS or TACACS+.
Step 5 Select the protocol to be used by the servers in the group.
Step 6 Enter the names of the AAA server policy objects that define the AAA servers to include in the group. Click Select to select the objects from a list filtered by the protocol you selected. You can also create new AAA server objects from the selection list. Separate multiple objects with commas.
Field Reference
Table 6-17 AAA Server Group Dialog Box
Name: The object name (up to 16 characters when using this object with firewall devices; up to 128 characters for Cisco IOS routers). Object names are not case-sensitive. Spaces are not supported. Consider the following important points:
• Cisco IOS routers do not support AAA server groups named RADIUS, TACACS, or TACACS+.
Table 6-17 AAA Server Group Dialog Box (Continued)
AD Agent Mode (ASA 8.4(2+) devices only.): Whether the servers in the group are Active Directory agents, which are used in identity-aware firewall configurations. You must select this option for an AD agent group to indicate that the group is not a full-function RADIUS server group. Use the AD agent group in the Identity Options policy.
Table 6-17 AAA Server Group Dialog Box (Continued)
Group Accounting Mode (PIX, ASA, FWSM devices only.): When using the RADIUS or TACACS+ protocols, the method for sending accounting messages to the AAA servers in the group:
Creating Access Control List Objects
Creating Extended Access Control List Objects
Extended access control lists allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port, and to specify the protocol of the traffic, such as ICMP, TCP, UDP, and so forth. Extended ACLs are numbered 100 to 199 and, for devices running Cisco IOS Software Release 12.0.1 and higher, 2000 to 2699.
Related Topics
• Creating Access Control List Objects, page 6-49
• Understanding Access Rule Address Requirements and How Rules Are Deployed, page 16-5
• Creating Policy Objects, page 6-9
• Understanding Networks/Hosts Objects, page 6-74
• Understanding and Specifying Services and Service and Port List Objects, page 6-86
Step 1 Choose Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager, page
• Identifying OSPF route redistribution.
• Filtering users of a community string using SNMP.
• Configuring VLAN ACLs for a Catalyst 6500/7600 device.
applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS), to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The following table presents examples of WebVPN ACLs.
• If you choose Access Control Entry for Type, specify the characteristics of the traffic that you want to match and whether you are permitting or denying the traffic. You can filter based on the network destination of the traffic (Network Filter) or the web address (URL Filter). For detailed information about the fields on the dialog box, see Add and Edit Web Access Control Entry Dialog Boxes, page 6-60.
• If you choose ACL Object, select the object in the available objects list and click >> to add it to the list of selected objects.
Step 8 Click OK to save your changes. The dialog box closes and you return to the Add Unified Access List dialog box. The new entry is shown in the table. If necessary, select it and click the up or down buttons to position it at the desired location.
Table 6-20 Add and Edit Access List Dialog Boxes (Continued)
Access Control Entry table: The access control entries (ACEs) and ACL objects that are part of the ACL. The table displays the name of the entry or object, description, options, services, and other attributes of the entry.
• Understanding Access Rule Address Requirements and How Rules Are Deployed, page 16-5
• Understanding Networks/Hosts Objects, page 6-74
• Understanding and Specifying Services and Service and Port List Objects, page 6-86
• Filtering Items in Selectors, page 1-42
Field Reference
Table 6-21 Add and Edit Extended Access Control Entry Dialog Boxes
Type: The type of entry you are adding.
Table 6-21 Add and Edit Extended Access Control Entry Dialog Boxes (Continued)
Source / Destination: The source or destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types. For more information, see Specifying IP Addresses During Policy Definition, page 6-81.
• Network/host object.
Table 6-21 Add and Edit Extended Access Control Entry Dialog Boxes (Continued)
Description: An optional description of the object.
Advanced button: Click this button to define logging options for the entry:
• For PIX, ASA, and FWSM devices, you can enable:
– Default logging—If a packet is denied, message 106023 is generated. If a packet is permitted, no message is generated.
Table 6-22 Add and Edit Standard Access Control Entry Dialog Boxes (Continued)
Action: The action to take on traffic defined in the entry:
• Permit—The service associated with this ACL is applied to this traffic. That is, the traffic is permitted to use the service.
• Deny—The service associated with this ACL is not applied to this traffic.
• Understanding Networks/Hosts Objects, page 6-74
• Understanding and Specifying Services and Service and Port List Objects, page 6-86
• Filtering Items in Selectors, page 1-42
Field Reference
Table 6-23 Add and Edit Web Access Control Entry Dialog Boxes
Type: The type of entry you are adding. The fields on the dialog box change based on your selection.
Table 6-23 Add and Edit Web Access Control Entry Dialog Boxes (Continued)
Ports (Network Filter only.): The port numbers or port list policy objects that define the port the traffic uses, if you want to use port identification. You can enter more than one value by separating the items with commas. You can enter any combination of the following types:
• Port list object.
URL Filter
Related Topics
• Creating Unified Access Control List Objects, page 6-54
• Understanding Access Rule Address Requirements and How Rules Are Deployed, page 16-5
• Understanding Networks/Hosts Objects, page 6-74
• Understanding and Specifying Services and Service and Port List Objects, page 6-86
• Filtering Items in Selectors, page 1-42
Field Reference
Table 6-24 Add and Edit Unified Access Control Entry Dialog Boxes
Table 6-24 Add and Edit Unified Access Control Entry Dialog Boxes (Continued)
Source: Provide traffic sources for this rule; these can be networks and hosts. You can enter values or object names, or Select objects, for one or more of the following:
• Networks/Hosts – You can specify various network, host, and interface definitions, either individually or as objects.
Table 6-24 Add and Edit Unified Access Control Entry Dialog Boxes (Continued)
Users (ASA 8.4.2+ only): Enter or Select the Active Directory (AD) user names, user groups, or identity user group objects for the ACE, if any. The user specification is conjoined with the source address to limit the match to user addresses within the source address range.
Configuring Time Range Objects
Use the Add or Edit Time Range dialog box to create, edit, or copy a time range object. You can create time range objects for use when creating time-based ACLs and some firewall rules. While similar to extended ACLs in function, time-based ACLs allow for access control based on time considerations.
Recurring Ranges Dialog Box
Use the Recurring Ranges dialog box to add or edit recurring time intervals that are defined as part of a time range object. You can define as many recurring ranges as required.
Navigation Path
Go to the Add or Edit Time Range dialog box and click the New Recurring Range button under Recurring Ranges, or select a range and click Edit Recurring Range. See Configuring Time Range Objects, page 6-66.
Understanding Interface Role Objects
Interface roles serve as an indirection entity between interfaces on the one hand and policies on the other. This enables you to apply policies to particular device interfaces based on the assigned role. Additionally, if you change the naming convention used for a particular interface type, you do not need to determine which policies are affected by the change; you simply edit the interface role.
Step 3 Right-click in the work area, then select New Object. The Interface Role dialog box appears.
Step 4 Enter a name for the object and optionally a description of the object. Names can be up to 128 characters, descriptions up to 1024.
Step 5 Enter one or more naming patterns for the interface role object. The names are the complete or partial names of interfaces, subinterfaces, and other virtual interfaces.
Field Reference
Table 6-27 Interface Role Dialog Box
Name: The name of the policy object. A maximum of 128 characters is allowed.
Description: A description of the policy object. A maximum of 1024 characters is allowed.
Interface Name Patterns: The names to include in this interface role. The names are the complete or partial names of interfaces, subinterfaces, and other virtual interfaces.
By selecting from a list, you can ensure that your entry is valid. For more information, see Selecting Objects for Policies, page 6-2. When a policy allows multiple interfaces, separate entries with commas.
In policies and object selectors, icons distinguish between interfaces and interface roles. If you create interface roles with the same name as interfaces, be careful to select exactly what you want. Table 6-28 explains the icons.
Handling Name Conflicts between Interfaces and Interface Roles
Under normal circumstances, you can configure an interface role that has the same name as an actual interface on the device. If you use object selectors when defining policies (see Selecting Objects for Policies, page 6-2), both the interface and the interface role are listed as available choices, enabling you to select either option.
Understanding Map Objects
Class Maps
Class maps are subordinate to policy maps. You cannot specify a class map directly in a device policy. Instead, you create a policy map that incorporates the class map. The class map itself defines the match conditions for the traffic that you want to target in an inspection rule or zone-based firewall rule.
• ASA/PIX 7.2 and higher, and FWSM devices—You can create class maps for the inspection of DNS, FTP, HTTP, IM, and SIP traffic.
• Inspection Rules—When configuring inspection rules, you can use Security Manager to create policy map objects for the following applications: DCE/RPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IP options, IPsec, NetBIOS, SIP, Skinny, and SNMP. For more information, see Configuring Protocols and Maps for Inspection, page 17-21.
Understanding Networks/Hosts Objects
Networks/Hosts group objects make it easier to manage scalable policies. By using the associative capabilities of Networks/Hosts objects, you can expand your policies along with your network. For example, when you make changes to the list of addresses contained in a Networks/Hosts object, the changes propagate to all other Networks/Hosts objects and policies that refer to that Networks/Hosts object.
Although discontiguous network masks are not typically used for network configurations, they are sometimes used for certain commands, such as filtering commands when defining access control lists (ACLs). Security Manager supports the use of nonstandard network masks in the policies whose CLI commands support them. An error is displayed if you try to define a discontiguous network mask in a policy that does not support one.
Step 1 Choose Policy Objects from the Manage menu, or click the Policy Object Manager button in the button bar, to open the Policy Object Manager pane in the lower section of the Configuration Manager window; see Policy Object Manager, page 6-4 for more information.
Step 2 Select Networks/Hosts in the Object Type selector.
When you create IPv4-based Host, Network, or Address Range objects for use on ASA 8.3+ devices, or unified Host, Network, or Address Range objects for use on ASA 9.0.1+ devices, you can also configure object NAT rules on the NAT tab of the dialog box. In both cases, you must select Allow Value Override per Device to allow object NAT.
Table 6-30 Network/Host Dialog Box (General Tab) (Continued)
Group object options
Available Networks/Hosts / Members In Group / Type in comma separated IP addresses: The Members In Group list shows the networks, hosts, and other network/host objects that are included in this object.
Table 6-30 Network/Host Dialog Box (General Tab) (Continued)
Network object options
IP Address / Net Mask/Prefix: The IPv4 or IPv6 address that represents the network; for example, 10.100.10.0 or 2001:DB8::/32. If you entered an IPv4 address, enter its subnet mask in the Net Mask/Prefix field.
c. Double-click each device in the Policy Object Overrides dialog box, then modify the address field for the value required by that device.
Step 3 Define a policy that requires this object. You can use one of two methods:
• Define the policy on a single device in Device view, share the policy, then assign the policy to the other devices.
– IPv6 representation of an IPv4 address. When dealing with mixed IPv4/IPv6 environments, you can represent IPv4 addresses in an alternate IPv6 format: x:x:x:x:x:x:d.d.d.d, where the Xs are the hexadecimal values of the first 6 fields, and the Ds are the IPv4 address with the octets separated by periods. The first 6 fields are either all zeros, ::FFFF, or 2001:DB8::. For example, 0:0:0:0:0:0:10.1.68.
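Two checks from this section, the discontiguous-mask rule and the x:x:x:x:x:x:d.d.d.d form whose first six fields must be all zeros, ::FFFF, or 2001:DB8::, as an added Python example (not Security Manager's own code; the function names and the labels returned for each prefix are this example's choices):

```python
"""Validation helpers for the Networks/Hosts address forms described above.

Added example; not code from Cisco Security Manager. It covers two points
from this section: detecting a discontiguous (nonstandard) IPv4 mask, which
only some policies accept, and checking the alternate IPv6 notation for an
IPv4 address, whose first six fields must be all zeros, ::FFFF, or 2001:DB8::.
"""
from __future__ import annotations

import ipaddress

# The three 96-bit prefixes the guide allows in front of d.d.d.d, mapped to
# the label this example returns for each (labels are this example's own).
ALLOWED_PREFIXES = {
    ipaddress.IPv6Address("::"): "all-zeros",
    ipaddress.IPv6Address("::ffff:0:0"): "::FFFF",
    ipaddress.IPv6Address("2001:db8::"): "2001:DB8::",
}
PREFIX_BITS = 96
IPV4_MASK = 0xFFFFFFFF


def classify_ipv4_mask(mask: str) -> tuple[str, int | None]:
    """Return ('contiguous', prefix_length) or ('discontiguous', None).

    A contiguous mask is a run of 1 bits followed by a run of 0 bits; any
    other bit pattern is discontiguous, which Security Manager rejects in
    policies whose CLI commands do not support it.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    # If all the 1 bits sit at the top of the word, the mask is contiguous.
    contiguous = value == ((IPV4_MASK << (32 - ones)) & IPV4_MASK)
    return ("contiguous", ones) if contiguous else ("discontiguous", None)


def embedded_ipv4(text: str) -> tuple[str, ipaddress.IPv4Address]:
    """Parse x:x:x:x:x:x:d.d.d.d and return (prefix_label, IPv4Address).

    Raises ValueError when the text is not a valid IPv6 address or when its
    first six fields are not one of the three prefixes the guide permits.
    """
    addr = ipaddress.IPv6Address(text)  # accepts the dotted-quad tail form
    raw = int(addr)
    # Keep the top 96 bits (the six hexadecimal fields) and compare them
    # against the permitted prefixes; the low 32 bits are the IPv4 address.
    prefix = ipaddress.IPv6Address(raw & ~((1 << (128 - PREFIX_BITS)) - 1))
    if prefix not in ALLOWED_PREFIXES:
        raise ValueError(f"{text}: first six fields {prefix} are not permitted")
    return ALLOWED_PREFIXES[prefix], ipaddress.IPv4Address(raw & IPV4_MASK)


if __name__ == "__main__":
    # Constructed sample inputs.
    for mask in ("255.255.255.0", "255.255.0.255"):
        print(mask, classify_ipv4_mask(mask))
    for text in ("::ffff:10.1.68.3", "0:0:0:0:0:0:10.1.68.3", "2001:db8::10.1.68.3"):
        print(text, embedded_ipv4(text))
```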
Understanding Pool Objects
Pool objects have the following uses:
• Specifying pools for use in Layer 3 load balancing for ASA clusters
• Specifying pools for use in Layer 3 OSPFv3 on ASA clusters
The following topics describe how to work with pool objects:
• Add or Edit IPv4 Pool Dialog Box, page 6-83
• Add or Edit IPv6 Pool Dialog Box, page 6-84
• Add or Edit MAC Address Pool Dialog Box, page 6-85
Add or Edit IPv4 Pool Dialog Box
Use
Table 6-31 Add IPv4 Pool Object Dialog Box (Continued)
Allow Value Override per Device / Overrides / Edit button: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Note IPv4 Pool objects are always overridable.
Table 6-32 Add IPv6 Pool Object Dialog Box (Continued)
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Understanding and Specifying Services and Service and Port List Objects
Many policies in Security Manager require that you identify a service to which the policy applies. A service is a protocol and port definition that identifies a particular type of traffic. In many cases, you can specify the service directly in the policy.
When you specify ports, you can also use the following special keywords: lt (less than), gt (greater than), eq (equal to), and neq (not equal to), followed by a number. For example, lt 440 specifies all ports less than 440.
Tip To create port list objects, select Services > Port Lists in the Policy Object Manager and click the Add Object button.
Related Topics
• Understanding and Specifying Services and Service and Port List Objects, page 6-86
• Configuring Service Objects, page 6-89
Field Reference
Table 6-34 Port List Dialog Box
Name: The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 6-9.
Configuring Service Objects
Use the Add and Edit Service dialog boxes to create or edit service objects. You can create a service object to describe a type of traffic carried by the devices in your network. When creating a service object, you must specify the protocol used by the service.
Table 6-35 Add and Edit Service Dialog Boxes (Continued)
Services (for groups) / Service (for objects): The services to include in this policy object. When creating a Service Group, you can enter more than one service by separating services with commas. When creating a Service Object, you can enter one service only. You can specify services using the following formats.
Table 6-35 Add and Edit Service Dialog Boxes (Continued)
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
How Policy Objects are Provisioned as Object Groups
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups
In most cases, network/host, port list, and service objects can be provisioned as object groups without changing the object name. Table 6-36 on page 6-92 describes how object names are changed when the names cannot be converted directly to object groups on supported devices.
Tip For ASA 8.3+ devices, service objects are provisioned using the object service command instead of the object-group command.
Table 6-37 How Service Objects are Provisioned as Object Groups
Condition: Service object contains the ICMP protocol and ICMP message types.
Table 6-37 How Service Objects are Provisioned as Object Groups (Continued)
Condition: Service object contains the TCP&UDP protocol and includes defined ports.
Generated Object Group Examples: Service object serv1: tcp&udp/400,600/23-80, 566
Object group:
object-group service serv1 tcp
port-object range 23 80
port-object eq 566
object-group service serv1.
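How a service definition in the protocol/source-ports/destination-ports notation, together with the lt/gt/eq/neq port keywords from "Understanding and Specifying Services", becomes port-object lines like those in Table 6-37, as an added Python example (not Security Manager's own provisioning code). Two conventions are this example's own: lt, gt and neq are rewritten as explicit ranges, and a tcp&udp object is emitted as a single tcp-udp group because the guide's second group for serv1 is cut off.

```python
"""Expand a Security Manager-style service string into object-group lines.

Added example; not code from Cisco Security Manager. It reproduces the
transformation Table 6-37 shows for 'serv1: tcp&udp/400,600/23-80, 566'
(only the destination ports become port-object entries, as in the guide's
output) and applies the lt/gt/eq/neq keywords. Assumptions not taken from
the guide: lt, gt and neq are rewritten as explicit ranges because the
ASA port-object command accepts only 'eq' and 'range', and a tcp&udp
object is emitted as one 'tcp-udp' group.
"""
import re

SPEC_RE = re.compile(r"^(?P<proto>tcp&udp|tcp|udp)/(?P<src>[^/]*)/(?P<dst>.*)$", re.I)
MIN_PORT, MAX_PORT = 1, 65535
GROUP_TYPE = {"tcp": "tcp", "udp": "udp", "tcp&udp": "tcp-udp"}


def parse_port_expr(expr: str) -> list:
    """Turn one port expression into a list of inclusive (low, high) ranges.

    Accepts a single number, 'low-high', and eq/lt/gt/neq followed by a
    number; neq yields the two ranges on either side of the excluded port.
    """
    tokens = expr.strip().lower().split()
    if len(tokens) == 2 and tokens[0] in ("eq", "lt", "gt", "neq"):
        keyword, n = tokens[0], int(tokens[1])
        if not MIN_PORT <= n <= MAX_PORT:
            raise ValueError(f"port out of bounds: {expr!r}")
        if keyword == "eq":
            return [(n, n)]
        if keyword == "lt":
            return [(MIN_PORT, n - 1)] if n > MIN_PORT else []
        if keyword == "gt":
            return [(n + 1, MAX_PORT)] if n < MAX_PORT else []
        # neq: everything below and everything above the port.
        return [(lo, hi) for lo, hi in ((MIN_PORT, n - 1), (n + 1, MAX_PORT)) if lo <= hi]
    if len(tokens) != 1:
        raise ValueError(f"bad port expression: {expr!r}")
    low, _, high = tokens[0].partition("-")
    lo, hi = int(low), int(high or low)
    if not MIN_PORT <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of order or out of bounds: {expr!r}")
    return [(lo, hi)]


def port_objects(port_field: str) -> list:
    """Render a comma-separated port field as indented port-object lines."""
    lines = []
    for expr in port_field.split(","):
        if not expr.strip():
            continue
        for lo, hi in parse_port_expr(expr):
            lines.append(f" port-object eq {lo}" if lo == hi
                         else f" port-object range {lo} {hi}")
    return lines


def to_object_group(name: str, spec: str) -> list:
    """Return the object-group service block for one service object.

    The source-port field is parsed but, as in the guide's example output,
    not emitted; port-object entries describe destination ports.
    """
    match = SPEC_RE.match(spec.strip())
    if not match:
        raise ValueError(f"unrecognised service spec: {spec!r}")
    proto = match.group("proto").lower()
    header = f"object-group service {name} {GROUP_TYPE[proto]}"
    return [header] + port_objects(match.group("dst"))


if __name__ == "__main__":
    # Constructed sample: the guide's serv1 definition plus keyword forms.
    for name, spec in (("serv1", "tcp&udp/400,600/23-80, 566"),
                       ("web", "tcp//lt 440"),
                       ("nodns", "udp//neq 53")):
        print("\n".join(to_object_group(name, spec)))
```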
Chapter 7 Managing FlexConfigs
FlexConfig policies allow you to configure device commands that are not otherwise supported by Security Manager. By using FlexConfigs, you can extend Security Manager’s control over a device configuration and take advantage of new device features before upgrading the product. FlexConfig policies are made up of FlexConfig objects. These objects are essentially subroutines that can include scripting language commands, device commands, and variables.
Understanding FlexConfig Policies and Policy Objects
FlexConfig policy objects are used in FlexConfig policies. They allow you to configure device features that are not otherwise supported by Security Manager, or to otherwise fine-tune your device configurations. These policy objects include device configuration commands, variables, and optionally, scripting language instructions to control processing.
Note If you are deploying to a device, you should remove most appended commands after the initial deployment. This is especially true for object groups, where any unbound object group is replaced in the Ending Command section during command generation, then re-sent each time the configuration is deployed to a device. The device displays an error because the firewall device reports that the object group already exists.
Object Body
#foreach ($phone in [ [ "2000", "15105552000", "1/0/0" ], [ "2100", "15105552100", "1/0/1" ], [ "2200", "15105552200", "1/0/2" ] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
port $phone.
session target ipv4:150.50.55.55
Understanding FlexConfig Object Variables
Variables in FlexConfig policy objects start with the $ character. For example, in the following line, $inside is a variable:
interface $inside
There are three types of variables you can use in a FlexConfig policy object:
• Policy object variables—Static variables that reference a specific property.
• Local Variables—Variables that are local to the looping and assignment directives (the foreach and set statements). Local variables get their values directly from the Velocity Template Engine. There is no need to supply values for the local variables. To insert a local variable, simply type it in.
Step 8 Click OK to save the policy object. You can now add the object to a device’s local or shared FlexConfig policy.
FlexConfig System Variables
System variables reference values during deployment when commands are generated. Security Manager provides a set of defined system variables for you to use in defining FlexConfig policy objects. The values come from the policies you create for the target devices.
Chapter 7 Managing FlexConfigs Understanding FlexConfig Policies and Policy Objects Table 7-1 Device System Variables (Applying to All Device Types) (Continued) Name Dimension Description SYS_IMAGE_NAME 0 Device image name as defined on the Tools > Device Properties > General tab. SYS_INTERFACE_IP_LIST 1 IP addresses and masks of the interfaces configured in the Interfaces policy. The IP address and mask are in the x.x.x.x/nn format (for example, 10.20.1.2/24).
Chapter 7 Managing FlexConfigs Understanding FlexConfig Policies and Policy Objects Table 7-1 Device System Variables (Applying to All Device Types) (Continued) Name Dimension Description SYS_SYS_OID 0 System object ID (SysObjId) of the device, which is determined when you add the device to Security Manager.
Table 7-2 Firewall System Variables (Continued)
Name (Dimension): Description
SYS_FW_BRIDGE_INTERFACE_NAMES (1): Names of bridge interfaces. This variable applies only to IOS transparent firewalls. Configure the Firewall > Transparent Rules policies to generate values for this variable.
SYS_FW_ETHERTYPERULE_ACL_NAMES (1): Names of ethertype access-lists applied to interfaces for traffic filtering coming in or going out.
SYS_FW_INSPECT_OUT_NAME (1): Names of Inspect rules applied to Cisco IOS router interfaces in the outbound direction. Each element of this array has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers. Configure Inspection Rules policies as values for this variable. This variable is optional.
SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME (1): Names of tunnel groups specified in Traffic Flow objects. Traffic Flow objects configure class-map commands on PIX/ASA devices, and the names of the tunnel groups listed in Traffic Flow objects populate this variable.
SYS_FW_POLICY_STATIC_ACL_NAMES (1): Names of ACLs used in the policy static commands that include access lists. Configure NAT 0 (NAT > Translation Rules > Policy NAT) to generate values for this variable. The variable contains the access-list names used by the nat-0, policy nat, and policy static commands. This variable applies to only PIX 6.
Table 7-4 VPN System Variables
Name (Dimension): Description
Topology: Variables related to the VPN in which a device participates. Configure VPNs to generate values for these variables.
SYS_VPN_TOPOLOGY (1): Virtual private network (VPN) topology type. Possible values are HUB_AND_SPOKE, POINT_TO_POINT, and FULL_MESH.
SYS_VPN_TOPOLOGY_NAME (1): Name of the VPN topology in which the device participates.
SYS_VPN_REM_PEER_BAK_TUNNEL_SRC (3): IP address of the VPN endpoint of remote peers. In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source.
SYS_VPN_REM_PEER_DEVICE_NAME (2): Device hostnames of remote peers.
SYS_VPN_REM_PEER_LOGICAL_PRIVATE_IP (2): Interface tunnel IP addresses of remote peers.
SYS_VPN_IKE_PRIORITY (1): Priority number of the IKE policy. Configure an IKE Proposal policy to generate values for this variable.
SYS_VPN_NEGOTIATION_MODE (1): Negotiation method. Possible values are MAIN_ADDRESS, MAIN_HOST, and AGGRESSIVE. Configure a Preshared Key policy to generate values for this variable.
SYS_VPN_VRF_PROCESS_NUMBER (1): Interior gateway protocol (IGP) process numbers.
SYS_VPN_VRF_RD (1): RD values.
SYS_VPN_VRF_ROUTING_PROTOCOL (1): Interior gateway protocol (IGP) values. IGP is used for routing the IPSec aggregator toward the Provider Edge (PE)/Multiprotocol Label Switching (MPLS) network.
SYS_GM_GET_ENABLED_INTF_NAME (1): VPN-enabled outside interface to the provider edge (PE). Traffic originating or terminating on this interface is evaluated for encryption or decryption, as appropriate. Configure group members to generate values for this variable (Manage > Site-to-Site VPNs > Group Members).
Table 7-5 Remote Access System Variables (Continued)
Name (Dimension): Description
SYS_IOS_RA_VRF_NAME (1): Virtual routing and forwarding (VRF) names for Cisco IOS devices.

Predefined FlexConfig Policy Objects
Security Manager provides predefined FlexConfig policy objects for you to use. These policy objects have predefined commands and scripting. Predefined FlexConfig policy objects are read-only objects.
Table 7-6 Predefined ASA FlexConfig Policy Objects (Continued)
Name: Description
ASA_define_traffic_flow_tunnel_group: Defines site-to-site VPN tunnel groups listed in the SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME system variable. This variable is populated with tunnel group names defined in Traffic Flow objects.
ASA_established: Permits return access for outbound connections through the security appliance.
ASA_svc_image: Provides an ASA SSL VPN Client image. It copies the SVC image from /CSCOpx/tftpboot/device-hostname on the CSM server to the device, then configures the SVC image path. Make sure you fill out the device's hostname in Device Properties.
Table 7-8 Predefined Cisco IOS FlexConfig Policy Objects (Continued)
Name: Description
IOS_config_root_wireless_station: Creates and configures the root radio station for a wireless LAN on Cisco IOS routers such as the 851 and 871.
IOS_console_AAA_bypass: Provides examples of the following scenarios:
• Enables the authentication, authorization, and accounting (AAA) access-control model.
• Sets AAA at login.
Table 7-9 Predefined PIX 6.3 Firewall FlexConfig Policy Objects
Name: Description
PIX6.3_nat0_acl_compiled: Generates a compiled access list for NAT 0 access-control lists.
PIX6.3_policy_nat_acl_compiled: Generates a compiled access list for Policy NAT ACLs.
PIX6.3_policy_static_acl_compiled: Generates a compiled access list for Policy Static ACLs.
PIX_VPDN: Configures a virtual private dialup network (VPDN).
Chapter 7 Managing FlexConfigs Configuring FlexConfig Policies and Policy Objects

Table 7-10 Predefined Router FlexConfig Policy Objects (Continued)
Name: Description
ROUTER_interface_prevent_dos_attacks: Prevents denial-of-service (DoS) attacks on all device interfaces. This FlexConfig policy object uses the list of interface names from the SYS_INTERFACE_NAME_LIST system variable.
ROUTER_OSPF_no_router_Id: Removes the router OSPF ID for each OSPF process.
3. Preview the configuration to verify that it is correct.
4. Share the policy object with another device.
5. Deploy the configuration to the devices.
You can use this scenario as an example to implement other features by creating copies of and modifying predefined FlexConfig policy objects or by creating your own objects.
Before You Begin
Add two ASA devices to Security Manager for this scenario.
Step 3 Edit the new FlexConfig policy object to use the new variable by doing the following:
a. Select FlexConfigs from the table of contents.
b. Double-click MyASA_MGCP. The Edit FlexConfig dialog box appears.
c. Edit $callAgentList to read $mycallAgentList.
d. Click OK. A warning appears that reads: "The following variables are undefined: mycallAgentList Define them now?"
e. Click Yes to the warning.
gateway 10.10.10.116 102
command-queue 150
exit
policy-map inbound_policy
class sj_mgcp_class
inspect mgcp inbound_mgcp
exit
exit
service-policy inbound_policy interface outside
Step 6 If you have additional ASA devices that require MGCP, you can share this policy with them by doing the following:
a. Right-click FlexConfigs in the Policy selector and select Share Policy. The Share Policy dialog box appears.
b.
Before You Begin
Ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices. Keep the following in mind:
• Security Manager does not manipulate or validate your commands; it simply deploys them to the devices.
• If there is more than one set of commands for an interface, only the last set of commands is deployed.
Tip If you want to remove a variable, select it in the object body and click the Cut button or press the Backspace or Delete key. When you click OK to save your changes, the variable is removed from the list of variables.
Step 7 Click the Validate FlexConfig icon button above the object body to check the integrity and deployability of the object.
Step 8 Click OK to save the object.
Table 7-11 FlexConfigs Editor Dialog Box (Continued)
Element: Description
Negate For: The name of the FlexConfig object whose commands are undone in this FlexConfig object. This field is for informational purposes only and does not affect the processing of the object.
Object Property: The property of the object. The object property name is in the following format:
type.name.data.property
where
• Type—The type of object, for example Text, Network, AAA Server, and so on.
• Name—The name of the object.
• Data—Indicates that the property of the object is data.
• Property—The property of the data.
Dimension
Create the variable by first selecting the dimension: a simple single-value variable (dimension 0), a list of variables (dimension 1), or a table of variables (dimension 2). After you create the desired grid by selecting the dimension and, if applicable, the number of rows and columns, enter the data into each cell by first clicking in the cell.
Navigation Path
In the Add or Edit FlexConfig Dialog Box, if you enter a variable name but do not define its values, when you click OK, Security Manager displays a warning and asks if you want to define the variables. If you click Yes, this dialog box is opened.
Table 7-14 Property Selector Dialog Box (Continued)
Element: Description
Name: The name of the variable. This field is not available when you are defining undefined variables.
Description: An optional description of the variable. This field is not available when you are defining undefined variables.
Chapter 7 Managing FlexConfigs FlexConfig Policy Page

Related Topics
• Understanding FlexConfig Policies and Policy Objects, page 7-2
• Creating FlexConfig Policy Objects, page 7-27
• Chapter 5, "Managing Policies"
• Chapter 8, "Managing Deployment"
FlexConfig Policy Page
Use the FlexConfig Policy page to create FlexConfig policies.
Table 7-15 FlexConfigs Policy Page (Continued)
Element: Description
Edit button: Click this button to edit the selected FlexConfig policy object. Your changes affect all devices that use the edited object; your changes are not local policy object overrides for the device.
Chapter 7 Managing FlexConfigs Troubleshooting FlexConfigs

Table 7-16 Values Assignment Dialog Box (Continued)
Element: Description
Dimension: The structure of the data in the variable:
• 0—scalar (a single string)
• 1—one-dimensional array (a list of strings)
• 2—two-dimensional table (a table of strings)
Optional: Whether the variable value can be empty.
Description: A description of the variable.
An error response from the device prevented successful completion of this operation. The device provided the following description:
reload cancel
No reload is scheduled
Unfortunately, deployment always fails because both commands are pushed too quickly, so that the reload cancel is sent before the reload schedule is activated on the device.
Chapter 8 Managing Deployment
The settings and policies you define in Security Manager must be deployed to your devices so that you can implement them in your network. The steps you take to deploy configurations to devices depend on whether you are using Workflow mode or non-Workflow mode. Although non-Workflow mode is the default mode of operation for Security Manager, you can use Workflow mode if your company requires it. For more information, see Workflow and Activities Overview, page 1-18.
Chapter 8 Managing Deployment Understanding Deployment

Table 8-1 Overview of the Deployment Process Steps
Deployment Steps
Step 1 Security Manager obtains the current configuration for the device and compares it to the latest saved policies for the device in Security Manager. What Security Manager considers to be the current configuration depends on the type of device, the deployment method, and the settings for deployment preferences.
During deployment, if Security Manager determines that the configuration on the device differs from the last-deployed configuration, Security Manager overwrites the changes by default. You can control this behavior using the deployment preferences; select Tools > Security Manager Administration, then select Deployment, and look for the When Out of Band Changes Detected setting.
Note These options are not available when Ticket Management is enabled.
– Select File > Deploy.
– Select Manage > Deployments and click Deploy.
2. Define the job: You specify parameters, such as the devices to which you want to deploy the configurations and whether you want to deploy directly to the devices or to a file.
Deployment in Workflow Mode
These topics help you understand deployment in Workflow mode:
• Deployment Task Flow in Workflow Mode, page 8-5
• Job States in Workflow Mode, page 8-6
• Deployment Job Approval, page 8-7
• Deployment Jobs and Multiple Users, page 8-8
Deployment Task Flow in Workflow Mode
The following is a typical task flow in Workflow mode (see Figure 8-1):
1.
Figure 8-1 Deployment Task Flow in Workflow Mode (figure: 1. Create job; 2. Define job; 3. Submit job; 4. Approve job or Reject job; 5. Deploy job. Job states shown: Edit, Submitted, Approved, Rejected, Deployed.)
Job States in Workflow Mode
In Workflow mode, the Status column in the Deployment Manager window lists the state of each job. The following table lists and describes all possible job states.
Table 8-3 Job States in Workflow Mode (Continued)
State: Description
Approved: The job was approved and is ready to be deployed. The job can be deployed while it is in the Approved state.
Rejected: The job was rejected. You can open the job for editing or discard the job while it is in the Rejected state. This state occurs only when Workflow mode is enabled with deployment job approval required.
Discarded: The job was discarded.
Deployment Jobs and Multiple Users
Only one user can define or change parameters or devices within an individual deployment job at one time. However, multiple users can work on the same deployment job in sequence: if a deployment job is closed, another user can open it and make changes to it. Multiple users can work in parallel on different deployment jobs.
The method you choose to use depends on the processes and procedures of your organization and the transport protocols supported by a particular type of device. If you are using Configuration Engine (CNS) or Auto Update Server (AUS), use those deployment methods. You must use one of these for devices that use dynamic IP addresses.
Table 8-4 Default Deployment Transport Protocols
Device Type: ASA, IOS 12.3 and higher routers, FWSM, PIX Firewall, IPS sensors
Transport Protocol: SSL (HTTPS) (Default)
Description: Security Manager deploys the configuration to the device using the Secure Socket Layer (SSL) protocol, otherwise known as HTTPS. With this protocol, Security Manager encrypts the configuration file and sends it to the device.
• Catalyst device interface switchport (interface switchport)
Security Manager uses an intermediate server if you have configured the device to use one.
To set a default directory for file deployments, select Tools > Security Manager Administration, then select Deployment (see Deployment Page, page 11-9). If you select File for the default deployment method, you also select the default directory. When you create a deployment job, you can change this directory for that job.
Before you deploy configurations, you might want to detect whether there are out of band changes on a device and analyze whether you want to recreate those changes in Security Manager policies, or allow Security Manager to overwrite the changes. For more information, see Detecting and Analyzing Out of Band Changes, page 8-46.
Table 8-5 Deployment Action Based on OS Version Match or Mismatch (Continued)
Scenario: Device has a newer minor OS version.
OS Version in Security Manager Database: ASA 8.1(1)
OS Version On Device: ASA 8.1(2)
OS Version Used In Deployment: ASA 8.1(2)
Action: Security Manager warns that it has detected a different OS version on the device than the one in the Security Manager database.
Scenario: Device has a new major OS version.
OS Version in Security Manager Database: ASA 7.2(4)
OS Version On Device: ASA 8.2(1)
OS Version Used In Deployment: None. Deployment fails.
Action: Security Manager reports an error indicating that it has detected a different OS version on the device than the one in the Security Manager database.
Scenario: Device has an older major OS version.
OS Version in Security Manager Database: ASA 8.2(1)
OS Version On Device: ASA 7.2(4)
OS Version Used In Deployment: None. Deployment fails.

Chapter 8 Managing Deployment Overview of the Deployment Manager and Configuration Archive
• Aborting deployment jobs—You can stop a deployment job even if it is currently running. However, aborting a job that is in process does not roll back the configuration on devices that have already been reconfigured, or on devices that are in the process of being reconfigured. Only devices for which deployment has not started are prevented from being reconfigured.
Field Reference
Table 8-6 Deployment Manager Window (Workflow Mode)
Element: Description
Deployment Jobs Tab: This tab shows individual deployment jobs. Select a job in the upper pane to view its details in the tabs in the lower pane.
Name: The name of the job.
Last Action: The date and time that the job or status was changed, based on the time zone of the server, not the time zone of the client.
Reject button: In Workflow mode, click this button to reject the selected job if you are not satisfied with the configurations generated for the devices. You can reject jobs only in Workflow mode with a deployment job approver. After a job is rejected, it can be opened for editing or discarded.
Refresh button: Click this button to reload job information from the Security Manager server. If the message Auto Refresh is On is displayed beneath the table, the job list is automatically refreshed periodically. (All modes.)
Redeploy button: (Non-Workflow mode only.
Details tab: Displays detailed information for the selected job. The table lists each device included in the job, whether deployment succeeded or failed, the tickets containing changes that are part of the job for the device, and a summary of the number of warnings, errors, or failures for the device.
Navigation Path
In Workflow mode, select a job or schedule in the Deployment Manager and click the appropriate button to perform the desired action.
Deployment Schedules Tab, Deployment Manager
Use the Deployment Schedules tab on the Deployment Manager window to create regularly recurring deployment jobs.
Table 8-7 Deployment Schedules Tab, Deployment Manager Window (Continued)
Element: Description
Description: The description of the job schedule. Double-click the icon to see the description.
Create button: Click this button to create a deployment job schedule. The Schedule dialog box opens, where you can create the schedule (see Schedule Dialog Box, page 8-53).
Resume button: Click this button to reactivate a suspended schedule. You are prompted for a comment to explain the suspension, and an e-mail is generated to the approver in Workflow mode.
Summary tab: Displays summary information about the selected schedule.
You can sort the list of configuration versions for a device by clicking the column heading that you want to sort on. Clicking the column heading toggles between sorting the rows in ascending or descending order. You can also control the fields displayed by right-clicking any column heading and selecting or deselecting the desired column names under the Show Columns command.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive

Table 8-8 Configuration Archive Window (Continued)
Element: Description
Transcript Icon: When double-clicked, displays a transcript of a configuration version that was deployed to a device. A transcript is the log file of transactions between Security Manager and a device captured during a deployment or rollback operation.
• Creating or Editing Deployment Schedules, page 8-52
• Suspending or Resuming Deployment Schedules, page 8-55
• Adding Configuration Versions from a Device to the Configuration Archive, page 8-55
• Viewing and Comparing Archived Configuration Versions, page 8-56
• Viewing Deployment Transcripts, page 8-58
Viewing Deployment Status and History for Jobs and Schedules
Using the Deployment Manager, you can view stat
• Deploying Configurations to a Token Management Server, page 8-43
• Previewing Configurations, page 8-45
• Redeploying Configurations to Devices, page 8-49
• Aborting Deployment Jobs, page 8-51
• Rolling Back Configurations to Devices Using the Deployment Manager, page 8-65
• Creating or Editing Deployment Schedules, page 8-52
• Suspending or Resuming Deployment Schedules, page 8-55
Tips for Successful Depl
• The status of deployments to Catalyst 6500/7600 devices shows deployment to the device as well as its interface contexts when policy changes contain interface commands that affect the interface contexts (child devices). This can occur when you deploy a policy change that affects a VLAN in which the switch participates or when you update inventory, for example, by adding or deleting interface contexts.
• Understanding Deployment Methods, page 8-8
• Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-42
• Deploying Configurations to a Token Management Server, page 8-43
• Managing Device Communication Settings and Certificates, page 9-4
• Understanding How Out-of-Band Changes are Handled, page 8-12
Step 1 Do one of the following in non-Workflow mode:
• Select File > Submit
– File—Deploys the configuration file to a directory you select on the Security Manager server. For more information, see Deploying to a File, page 8-11.
Step 3 Before proceeding with the deployment, you can do the following:
• Preview proposed configurations and compare them against last deployed configurations or current running configurations. Right-click the device and select Preview Config.
Field Reference
Table 8-9 Edit Deploy Method Dialog Box
Element: Description
Device: The name of the device.
Method: The deployment method to use:
• Device—Deploys the configuration directly to the device or to the transport mechanism specified for the device. For more information, see Deploying Directly to a Device, page 8-9 or Deploying to a Device through an Intermediate Server, page 8-10.
Related Topics
• Creating and Editing Deployment Jobs, page 8-36
• Deploying Configurations in Non-Workflow Mode, page 8-29
• Deploying Configurations in Workflow Mode, page 8-35
Field Reference
Table 8-10 Partial VPN Deployment Warning Dialog Box
Element: Description
VPN: The name of the VPN.
Missing Devices: All the devices in the VPN that were not selected for deployment.
Field Reference
Table 8-11 Deployment Status Details Dialog Box
Element: Description
Deployment Status Details
Progress Status Bar: A visual representation and percentage of devices that were successfully updated.
Status: The status of the deployment. The possible states are Deploying, Aborted, Successful, and Failed. For descriptions of these states, see Job States in Non-Workflow Mode, page 8-4.
Generate Report button: Click this button to create a deployment status report for this job. The report is a PDF file, saved to your client system, that includes a summary of the job plus the full and delta configurations and the job transcript.
Step 1 Click the Deployment Manager button in the Main toolbar. The Deployment Manager window appears. Click the Deployment Jobs tab if it is not active.
Step 2 Create the deployment job. Click Create and enter the job properties. For the procedure, see Creating and Editing Deployment Jobs, page 8-36. When you finish creating a job, you can select whether to submit it.
Related Topics
• Overview of the Deployment Process, page 8-1
• Including Devices in Deployment Jobs or Schedules, page 8-8
• Understanding Deployment Methods, page 8-8
• Understanding How Out-of-Band Changes are Handled, page 8-12
• Job States in Workflow Mode, page 8-6
Step 1 Click the Deployment Manager button in the Main toolbar. The Deployment Manager window appears.
Step 4
• Preview proposed configurations and compare them against last deployed configurations or current running configurations. Right-click the device and select Preview Config. For more information, see Previewing Configurations, page 8-45.
• Analyze the devices for out of band changes by clicking the Detect OOB Changes button.
• Deploying a Deployment Job in Workflow Mode, page 8-40
Submitting Deployment Jobs
In some organizations, before jobs can be deployed, they must be approved by a separate user with the appropriate permissions. In this case, Workflow mode is enabled with a deployment job approver, and you must submit the job to this user for review. The user reviews the job and either approves or rejects it.
In Workflow mode without a deployment job approver, you can create and approve the job at the same time. For more information, see Creating and Editing Deployment Jobs, page 8-36.
When you reject a job, the devices in the job immediately become available for inclusion in other jobs. A rejected job cannot be deployed, but it can be opened for viewing and editing.
Related Topics
• Overview of the Deployment Process, page 8-1
• Deployment Manager Window, page 8-17
• Including Devices in Deployment Jobs or Schedules, page 8-8
• Understanding Deployment Methods, page 8-8
• Managing Device Communication Settings and Certificates, page 9-4
Step 1 Click the Deployment Manager button in the Main toolbar. The Deployment Manager window appears.
Step 1 Click the Deployment Manager button in the Main toolbar. The Deployment Manager window appears. Click the Deployment Jobs tab if it is not active.
Step 2 Select the job to discard.
Step 3 Click Discard. You are prompted for an optional comment to explain why you are discarding the job.
• Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-35
Tip After you add a device to the Security Manager inventory, you can change the assigned server in the device properties. Right-click the device and select Device Properties.
Step 4 Configure the server using the device properties if you could not identify it while adding the device.
• Managing Device Communication Settings and Certificates, page 9-4
Step 1 Set up the TMS as an FTP server. Security Manager uses FTP to deploy the configuration file to the TMS, from which it can be downloaded and encrypted onto an eToken. The eToken can then be connected to the USB port of a router and the configuration downloaded. See the TMS product documentation for more information.
Previewing Configurations
There are many ways to preview a device configuration. You can select a device from the Device selector and select Tools > Preview Configuration, or you can click the Preview Config button in several dialog boxes.
Tip You can also right-click a device in Map view and select Preview Configuration.
Table 8-12 Config Version Viewer (Preview Configuration) Dialog Box
Element: Description
Proposed Config Type: The type of configuration you want to view. For example, you can view the full configuration or just the delta (the changes from the last deployed configuration). The proposed configuration is displayed in the left pane.
Compare to Version: Choose a configuration to compare against the proposed configuration.
Tip Out of band change detection is available only for IOS, ASA, PIX, and FWSM devices and security contexts; it is not available for IPS devices. However, the settings for handling out of band changes during deployment also apply to IPS devices; the difference is that you cannot proactively analyze these changes in IPS devices prior to deployment.
Tip If you are detecting changes during deployment, when you close the OOB Changes dialog box, the device names in the deployment dialog box are color-coded based on the results: green indicates an out of band change; red indicates an error during the detection process; no color change indicates no out of band changes.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive Field Reference Table 8-13 OOB Changes Dialog Box Element Description Selected Devices list (left pane) This list contains all devices you selected to evaluate for out of band changes, organized in device groups (if any). Select a device to see the results in the right pane.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive • If the new device is not exactly identical to the old device, follow the procedure described in Changes That Change the Feature Set in Security Manager, page 3-51. Before You Begin • Make sure that devices have been bootstrapped. For more information, see Chapter 2, “Preparing Devices for Management”.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive Note • Note Step 4 To set the deployment method for more than one device at a time, select the devices, right-click and select Edit Selected Deploy Method. The Edit Selected Deploy Method dialog box opens where you can make your selections.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive Creating or Editing Deployment Schedules You can create deployment schedules to create deployment jobs at regular intervals. Schedules can help you ensure that the selected devices get regular configuration updates.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive • If you are not using an approver, select the schedule in the table and click Approve to approve it yourself and to activate the schedule. Schedule Dialog Box Use the Schedule dialog box to create a regularly recurring deployment job.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive Table 8-14 Schedule Dialog Box (Continued) Element Description Time (Start) The time of day to run the schedule. The time is in 24-hour format and is based on the server time zone, not the client time zone. Recurrence How often to create a deployment job based on this schedule: Run Indefinitely End Date and Time • One time—Run this job once on the day specified as the start date at the specified start time.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive Related Topics • Including Devices in Deployment Jobs or Schedules, page 8-8 • Creating or Editing Deployment Schedules, page 8-52 • Filtering Items in Selectors, page 1-42 Suspending or Resuming Deployment Schedules You can suspend an active deployment schedule without discarding it and then reactivate it later when you want to resume creating jobs based on the schedule.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive Step 3 Click Add from Device. Security Manager logs into the device, retrieves the running configuration, and adds it to the archive. Viewing and Comparing Archived Configuration Versions Using the Configuration Archive, you can view the previous configurations for a device, compare versions of the configuration, and view the transcripts related to configuration deployment.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive pane, and you can select another version for comparison from the list on the upper right of this window. For more information on viewing and comparing versions, see Viewing and Comparing Archived Configuration Versions, page 8-56. Navigation Path Select Manage > Configuration Archive, select a device whose configuration you want to view, select the configuration, and click View.
Chapter 8 Managing Deployment Working with Deployment and the Configuration Archive Table 8-15 Configuration Version Viewer Window (Configuration Archive) (Continued) Element Description Previous Difference button Moves the cursor to the previous difference noted between the configuration versions. Current Difference button Using the cursor, focuses on the currently selected difference in the window.
Chapter 8 Managing Deployment Rolling Back Configurations
Field Reference
Table 8-16 Transcript Viewer Window
Element Description
Version ID The configuration version for which you are viewing transcripts:
• Previous—Display the transcripts for the version in the sequence before the one currently selected.
• Next—Display the transcripts for the version in the sequence after the one currently selected.
• Last—Display the transcripts for the last version in the list.
Caution It is usually a better idea to fix the configuration in Security Manager and deploy the fixed configuration, because rolling back a configuration creates a situation where the configuration defined in Security Manager is not the same one running on the device. After rollback, you should rediscover policies on the device to make the device configuration and its configuration in Security Manager consistent.
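Both the out of band change detection described earlier and the post-rollback consistency problem in the caution above come down to the same operation: comparing the configuration Security Manager believes is on the device with the configuration actually running there. The following Python example is added here and is not code from the guide or the product; it models that comparison on constructed sample configurations, and the device names, the noise filter, and the status names are assumptions.

```python
import difflib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines that differ between two pulls of the same configuration but carry no policy
# meaning; they are dropped before comparing so they can neither mask nor fake a change.
_NOISE = (
    re.compile(r"^!"),                                               # comments, separators
    re.compile(r"^(Building configuration|Current configuration)"),
    re.compile(r"^ntp clock-period "),                               # rewritten by IOS itself
)


@dataclass
class OobResult:
    device: str
    status: str                                       # "oob", "none", "error", "unsupported"
    added: List[str] = field(default_factory=list)    # on the device, not in last deployment
    removed: List[str] = field(default_factory=list)  # in last deployment, not on the device
    detail: str = ""


def normalize(config: str) -> List[str]:
    """Drop blank and volatile lines; keep indentation, since it marks sub-modes."""
    keep = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or any(p.match(line) for p in _NOISE):
            continue
        keep.append(line)
    return keep


def detect_oob(device: str, device_type: str, last_deployed: str,
               running: Optional[str]) -> OobResult:
    """Compare the last deployed configuration with what the device is running now."""
    # The guide: OOB analysis covers IOS/ASA/PIX/FWSM and contexts, not IPS devices.
    if device_type.upper() in ("IPS", "IOS IPS", "IOS-IPS"):
        return OobResult(device, "unsupported",
                         detail="OOB change analysis is not available for IPS devices")
    # A failed retrieval must surface as an error, never as "no changes".
    if running is None:
        return OobResult(device, "error", detail="running configuration not retrieved")

    before, after = normalize(last_deployed), normalize(running)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=before, b=after, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(before[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(after[j1:j2])
    return OobResult(device, "oob" if (added or removed) else "none", added, removed)


def dialog_color(status: str) -> Optional[str]:
    """Color the deployment dialog uses for each outcome; None means no color change."""
    return {"oob": "green", "error": "red"}.get(status)


# Constructed sample: the configuration Security Manager last deployed to the device.
LAST_DEPLOYED = """\
Building configuration...
!
! Last configuration change at 10:00:00 UTC
hostname edge-router
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
ip access-list extended OUTSIDE_IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
!
ntp clock-period 17179911
"""

# Constructed sample: the running configuration pulled later. An SSH permit was added
# on the device directly, bypassing Security Manager; the clock-period drift is noise.
RUNNING = """\
Building configuration...
!
! Last configuration change at 11:30:00 UTC
hostname edge-router
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
ip access-list extended OUTSIDE_IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 22
 deny ip any any log
!
ntp clock-period 17179920
"""

if __name__ == "__main__":
    for r in (detect_oob("edge-router", "IOS", LAST_DEPLOYED, RUNNING),
              detect_oob("dmz-asa", "ASA", LAST_DEPLOYED, None),
              detect_oob("sensor-1", "IPS", LAST_DEPLOYED, RUNNING)):
        print(f"{r.device}: {r.status} ({dialog_color(r.status)}) {r.detail}")
        print("".join(f"  + {l}\n" for l in r.added) + "".join(f"  - {l}\n" for l in r.removed))
```

Running it against the archive's last deployed version after a rollback gives the same kind of report, which tells you what rediscovery will have to reconcile.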
Related Topics
• Rolling Back Configurations to Devices Using the Deployment Manager, page 8-65
• Using Rollback to Deploy Archived Configurations, page 8-66
Understanding Rollback for Devices in Multiple Context Mode
If the configuration of the system execution space to which you are rolling back specifies connectivity options to security contexts (for example, vlan config) and there is a mismatch between the configuration selected for rollbac
2. Service modules.
3. Chassis.
We recommend performing rediscovery after the rollback operation is complete. If you are rolling back an FWSM deployment and the system is configured to retrieve security certificates when adding devices, you might need to retrieve the certificate after the rollback operation is complete.
Note Security Manager warns you about IPS devices that must be downgraded more than one level, which Security Manager cannot do. You must use the Cisco IPS CLI for such downgrades. The warning dialog box displays the version to which the device must be reimaged or downgraded. The option of downgrading an IOS IPS device during rollback is not available, because IOS IPS devices do not support downgrade.
Commands that Can Cause Conflicts after Rollback
The following commands can potentially cause conflicts after rollback is performed:
• http server enable port
• http ip_address net_mask interface_name
Applicable only to security contexts (not the system execution space).
• allocate-interface {physical_interface | subinterface} [map_name] [visible | invisible]
Applicable only to the system execution space under the context subcommand.
Commands to Recover from Failover Misconfiguration after Rollback
If a switchover happens during rollback and the two units are no longer synchronized, you might need to use the following commands to recover:
• failover active group_number
• failover reset group_number
• failover reload-standby
• clear configure failover
For more information on these commands, please refer to the command reference for your security appliance.
Before You Begin
When you roll back a configuration, the action is not done as part of an activity or configuration session, which means the device is not locked. Thus, it is possible that two users might roll back configurations simultaneously on a device, which can generate unexpected problems. Before rolling back a configuration, ensure that there are no active deployment jobs for the device listed in the Deployment Manager window.
Roll back configurations only in extreme circumstances.
• Understanding Rollback for Devices in Multiple Context Mode, page 8-61
• Understanding Rollback for Failover Devices, page 8-61
• Understanding Rollback for Catalyst 6500/7600 Devices, page 8-61
• Understanding Rollback for IPS and IOS IPS, page 8-62
• Commands that Can Cause Conflicts after Rollback, page 8-64
• Commands to Recover from Failover Misconfiguration after Rollback, page 8-65
Step 1 Select Manage > Configuration Archive
CHAPTER 9 Troubleshooting Device Communication and Deployment
One of the more likely areas where you can run into problems is with actions where Security Manager must log into a device. These types of actions include policy discovery and deployment using live devices, or actions that involve retrieving information from a device.
Chapter 9 Troubleshooting Device Communication and Deployment Testing Device Connectivity
Before You Begin
Security Manager uses the settings on the Device Communication page to determine the connection timeout, how often to retry the connection, the transport protocol, and which credentials to use. To configure these settings, select Tools > Security Manager Administration and select Device Communication from the table of contents.
Device Connectivity Test Dialog Box
Use the Device Connectivity Test dialog box to view whether Security Manager can contact the device using the configured credentials.
Navigation Path
To start the device connectivity test, click Test Connectivity from the Credentials page in one of these areas:
• New Device wizard when adding a device manually. See Adding Devices by Manual Definition, page 3-25.
Chapter 9 Troubleshooting Device Communication and Deployment Managing Device Communication Settings and Certificates
If you discover device inventory and policies directly from devices, or deploy configurations to devices rather than to files, you must configure Security Manager to use the transport protocols that your devices use. For some device types, only one transport protocol is supported, so you do not need to make a choice.
Tip Having an accurate certificate is required for successful HTTPS communications; Security Manager cannot communicate with the device without the correct certificate, which prevents configuration deployment. When using self-signed certificates, the device might create a new certificate if Security Manager attempts to access it using the wrong certificate.
Security Certificate Rejected When Discovering Device
If an error occurs when you attempt to discover a device, and the error message states that the security certificate received from the device was rejected, you need to update the certificate.
Related Topics
• Manually Adding SSL Certificates for Devices that Use HTTPS Communications, page 9-4
• Managing IPS Certificates, page 43-10
• Adding Devices to the Device Inventory, page 3-6
• Chapter 2, “Preparing Devices for Management”
Troubleshooting SSH Connection Problems
For devices that use SSH as the transport protocol, Security Manager automatically detects the appropri
Chapter 9 Troubleshooting Device Communication and Deployment Resolving Red X Marks in the Device Selector
• On the Device Properties General page, ensure that the hostname, domain name, and IP address are correct. Keep in mind that the Hostname and Accounts and Credentials policies for the device define the actual names and credentials that get configured on the device. However, the policies are not used for device communication.
Chapter 9 Troubleshooting Device Communication and Deployment Troubleshooting Deployment
Step 3 Select the AUS or Configuration Engine that manages the selected devices from the Server list. If the correct server is not listed, select + Add Server... to add it to the inventory using the Server Properties Dialog Box, page 3-36. For more information on adding AUS or Configuration Engine servers to the inventory, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-35.
Changing How Security Manager Responds to Device Messages
Security Manager has built-in responses to many of the response messages that can be encountered when configuring a device. You might find that messages Security Manager treats as errors are messages that you want to ignore or treat as informational.
It is easiest to determine the message you want to ignore by looking at the transcript of a deployment job that encountered the error, using the following procedure.
Related Topics
• Viewing Deployment Status and History for Jobs and Schedules, page 8-27
Step 1 Click the Deployment Manager button in the Main toolbar. The Deployment Manager window appears. Click the Deployment Jobs tab if it is not active.
Error While Attempting to Remove Unreferenced Object
If you enable the Remove Unreferenced Object Groups from Device option on the Tools > Security Manager Administration > Deployment page, Security Manager removes objects during deployment that are not used in any policies managed or discovered by Security Manager.
Related Topics
• Troubleshooting Device Communication Failures, page 9-7
• Managing Device Communication Settings and Certificates, page 9-4
• Managing IPS Certificates, page 43-10
• Understanding Device Communication Requirements, page 2-1
Updating VPNs That Include Routing Processes
Problem: When you define and deploy changes to a routing process that is being used by a VPN topology (using either the Site-to
2. Next, configure policy B to replace policy A, but instead of deploying policy B to the device, deploy it to a file. When this deployment completes, Security Manager creates a snapshot with policy B that replaces the previous snapshot with policy A. However, because you did not deploy policy B to the device, the CLI commands that are required to negate policy A have not been deployed.
This option can be used only on site-to-site VPNs. For remote access VPNs, you need to create an ACL object that explicitly denies the flow containing VPN traffic and define this ACL as part of a dynamic rule in the NAT policy. For more information, see NAT Page: Dynamic Rules, page 23-10.
Unable to Deploy ADSL or PVC Policy
Problem: Deployment fails for your ADSL or PVC policy.
Deployment Fails for Interface Settings
Problem: Deployment fails for interface settings on a Catalyst 6500/7600 device.
Solution: Certain interface settings (such as speed, duplex, and MTU settings) are specific to particular card types and are not validated prior to deployment. Make sure to enter the correct values for your specific card type to ensure successful deployment.
5. Deploy the configuration to the device again.
After you set the value to true, discovery and deployment check the CPU utilization and generate error messages if the CPU utilization is not within the configured value set in the DCS.FWSM.minThresholdLimit property. The default value is 85.
Deployment Failures to Devices Managed by AUS
Deployment might fail when deploying to multiple AUS-managed devices after starting the AUS if you perform deployment before the Auto Update Server (AUS) is fully operational. The AUS requires time to start up after the following operations:
• New installation or upgrade.
• Manual restart (including after a power outage).
• Call home mode setup—The device is not connected to Configuration Engine in this mode; therefore, all Security Manager operations that require the retrieval of the device configuration using Configuration Engine are not supported. This includes discovery, preview configuration, display running configuration, and connectivity tests (and rollback, for IOS devices).
Answer: If you see the following errors in debug mode:
*Feb 23 21:42:15.677: CNS exec decode: Unknown hostname cnsServer-lnx.cisco.com
...
474F6860: 72726F72 2D6D6573 73616765 3E584D4C error-message>XML
474F6870: 5F504152 53455F45 52524F52 3C2F6572 _PARSE_ERROR
Verify the following:
• The CNS commands use a fully-qualified host name (host name and domain name).
• The device contains the ip domain name command.
CHAPTER 10 Managing the Security Manager Server
The following topics describe some system management tasks related to the general operation of the Security Manager product:
• Overview of Security Manager Server Management and Administration, page 10-1
• Managing a Cluster of Security Manager Servers, page 10-2
• Installing Security Manager License Files, page 10-16
• Certificate Trust Management, page 10-17
• Working with Audit Reports, page 10-19
• Taking Over Another User’s Work, page 10
Chapter 10 Managing the Security Manager Server Managing a Cluster of Security Manager Servers
To learn more about the things you can do with Common Services, browse the Common Services online help.
Managing a Cluster of Security Manager Servers
A Security Manager server cluster is two or more Security Manager servers used to manage a network. Typically, you want to maintain some relationship between the servers.
There is no automatic process for maintaining the same set of shared policies among a cluster of servers. Instead, you must manually export them from your main server and import them into the remaining servers. For more information, see Synchronizing Shared Policies Among Security Manager Servers, page 10-4.
Step 5 On each of the new Security Manager servers, select File > Import to import the exported information to the new servers. For more detailed information, see Importing Policies or Devices, page 10-13.
Step 6 Verify that each of the new Security Manager servers can manage the newly imported devices.
• When importing shared policies and policy objects, the imported information always replaces any existing shared policies or policy objects of the same name.
CiscoWorks Common Services Device Credential Repository (DCR), Cisco Security Monitoring, Analysis and Response System (CS-MARS), or Security Manager, or you can open it and view it in a spreadsheet or text editor program. The .dev file is suitable for importing into another Security Manager server only. For more information, see Exporting the Device Inventory from the Security Manager Client, page 10-6.
– The VPN topologies in which the devices participate. However, a VPN topology is exported only if all devices that participate in the topology are included in the export. Extranet VPNs are always exported.
Thus, the export file includes the complete policy configuration for the selected devices. The file created has the extension .
• When selecting security contexts or virtual sensors, be sure to select the host device as well. Also, if a device is part of a VPN, ensure that you select all devices in the VPN when exporting devices, policies, and policy objects.
• When selecting IPS or IOS IPS devices, make sure that you have already applied an IPS signature update to the device.
Click Save to return to the Export Inventory dialog box. The Export Inventory To field is updated with the export file information.
Step 5 Click OK to create the export file. A message indicates when the export completes and whether there were errors in the export. When you click OK, if there were problems during the export, a dialog box opens listing the messages.
– anc_os_version. The ancillary target operating system version, which is the IPS target operating system version. If present, it can be any of the supported IOS-IPS versions. This field is required for IOS IPS devices.
You can use these CSV files with any program that supports the file format. You can also create a CSV file yourself and use the file to import inventory into Security Manager.
-s {Dhdoirtg} (Optional.) The fields you are selecting to include in the output. If you do not specify the -s option, all fields are included. You can specify one or more of the following:
• D—Display name.
• h—Host name.
• d—Domain name.
• o—Operating system (OS) type.
• I—Image name.
• r—Running OS version.
• t—Target OS version.
• g—Device groups.
-h (Optional.
Tips
• You can export to the Security Manager server or to the local Security Manager client. You can control the ability to export to or import from the local Security Manager client from Tools > Security Manager Administration > Customize Desktop. For more information, see Customize Desktop Page, page 11-6.
• To select all shared policies that have been modified since a certain date, enter that date in the Modified since field and click Select >> next to the Modified since field. You can enter the date in MMM DD YYYY format or you can click the Calendar to select the desired date.
• To select all shared policies, select the All folder and click Select >> under Browse All Shared Policies.
• When importing devices, the server must have a sufficient Security Manager license to support the number and types of devices that you are importing. Ensure that you install a professional license before importing device types that require it. For information on installing licenses, see Installing Security Manager License Files, page 10-16.
• Selecting or Specifying a File or Directory in Security Manager, page 1-47
• Customize Desktop Page, page 11-6
Step 1 In Configuration Manager, select File > Import to open the Import dialog box.
Step 2 Click Browse to select the file. Make sure that you select the desired file type (either .pol or .dev) from the Files of Type list on the Select a File dialog box.
Chapter 10 Managing the Security Manager Server Installing Security Manager License Files
• Workflow mode with an approver—Select Activities > Submit Activity. The activity must be approved before the changes are committed.
If you are not happy with the import, you can discard the activity or configuration session. However, when importing devices, the devices are added outside an activity or configuration session.
Chapter 10 Managing the Security Manager Server Certificate Trust Management
– If you are not a registered Cisco.com user, go to http://tools.cisco.com/RPF/register/register.do.
After registration, the base software license is sent to the e-mail address that you provided during registration. In addition to receiving a PAK and license for Security Manager, you might receive one additional PAK for each incremental device count pack you purchased.
Certificate Trust Management Feature
The certificate trust management feature in Security Manager has these characteristics:
• It behaves like a browser. It imparts trust to what you, as the user, consciously trust.
• It allows you to view the certificate and use your discretion in accepting it.
• It proactively validates a certificate to help you judge whether to accept or reject it.
Chapter 10 Managing the Security Manager Server Working with Audit Reports
Because certificates are stored, if you upgrade to Security Manager 4.4 from a previous version, all communication with Cisco.com will fail. To resolve this problem, you must retrieve the certificates from the image meta-data locator and the download site URL.
• Purging Audit Log Entries, page 10-22
Generating the Audit Report
You can view the audit log to analyze the events that have occurred in the Security Manager system. This information can help you track changes that users have made to devices or identify other system events of interest. The Audit Report window provides extensive search criteria to help you view the specific audit log entries that interest you.
Related Topics
• Understanding Audit Reports, page 10-19
• Generating the Audit Report, page 10-20
Field Reference
Table 10-1 Audit Report Window
Element Description
Search Criteria (Left Pane) The left side of the Audit Report window contains the search criteria for the report. The default report lists all state changes from yesterday and today, sorted with the most recent changes at the top.
Table 10-1 Audit Report Window (Continued)
Element Description
Audit Report (Right Pane) The right side of the Audit Report window contains the audit report. Each row represents one audit entry. Double-click a row to open the Audit Message Details dialog box, where you can view a more readable layout of the information and see the specific messages associated with the entry.
Chapter 10 Managing the Security Manager Server Taking Over Another User’s Work
Related Topics
• Understanding Audit Reports, page 10-19
• Generating the Audit Report, page 10-20
• Using the Audit Report Window, page 10-20
Taking Over Another User’s Work
A user with administrative privileges can take over the work of another user in non-Workflow mode.
Chapter 10 Managing the Security Manager Server Backing up and Restoring the Security Manager Database
net start crmdmgtd
Backing up and Restoring the Security Manager Database
You should regularly back up the Security Manager database in case you need to recover your work.
Tip The Security Manager database backup does not include the event data store used by the Event Manager service.
• In non-Workflow mode:
– To commit changes, select File > Submit.
– To discard uncommitted changes, select File > Discard.
If there are multiple users with pending data, the changes for those users must also be committed or discarded. If you need to commit or discard changes for another user, you can take over that user’s session.
Example
The following command assumes that you are in the directory containing the perl and backup.pl commands. It creates a compressed backup and log file in the backups directory and sends notifications to admin@domain.com.
Chapter 10 Managing the Security Manager Server Generating Data for the Cisco Technical Assistance Center
C:\Progra~1\CSCOpx\bin\perl C:\Progra~1\CSCOpx\bin\restorebackup.pl -d C:\var\backup
Tip If you are restoring a database that contains RME data, you might be asked if you want to collect inventory data. Collecting this data can take a long time. You might want to respond No and then configure RME to schedule an inventory. In RME, select Devices > Inventory.
Tip When creating the diagnostics file from the command line, you must allow the command to complete before closing the window, or subsequent attempts to run the CSMDiagnostics command will not work properly. If you mistakenly close the window, delete the C:\Program Files\CSCOpx\MDC\etc\mdcsupporttemp folder before attempting to use the command again.
– For previously completed jobs, by selecting the job in the Policy Discovery Status dialog box and clicking the Generate Report button. See Policy Discovery Status Page, page 5-23.
Generating a Partial Database Backup for the Cisco Technical Assistance Center
Caution This topic explains how to create a partial database backup.
email=email_address (Optional.) The email address where you want notifications sent. If you do not want to specify an email address, but you need to specify a subsequent parameter, enter email without the equal sign or address. You must configure SMTP settings in CiscoWorks Common Services to enable notifications.
CHAPTER 11 Configuring Security Manager Administrative Settings
Security Manager has default settings for many system functions that you can change if they do not fit the needs of your organization. To view and change these settings, select Tools > Security Manager Administration. You can then select items from the table of contents on the left of the window to view the default settings related to that item. On most pages, when you change a setting, you must click Save to save your changes.
Chapter 11 Configuring Security Manager Administrative Settings API Settings Page
• Logs Page, page 11-45
• Policy Management Page, page 11-46
• Policy Objects Page, page 11-48
• Rule Expiration Page, page 11-49
• Server Security Page, page 11-50
• Take Over User Session Page, page 11-51
• Ticket Management Page, page 11-52
• Token Management Page, page 11-53
• VPN Policy Defaults Page, page 11-54
• Workflow Page, page 11-55
• Wall Settings Page, page 11-57
API Settings Page
The Sec
Chapter 11 Configuring Security Manager Administrative Settings Configuration Archive Page
Related Topics
• Creating and Managing Layer 3 Links on the Map, page 34-19
• Displaying Your Network on the Map, page 34-14
Field Reference
Table 11-2 AutoLink Page
Element Description
Enable AutoLink for 10.0.0.0/8 Whether to automatically include or omit (deselected) these private networks from the maps you create.
Enable AutoLink for 172.16.0.0/12
Enable AutoLink for 192.168.0.
Chapter 11 Configuring Security Manager Administrative Settings CS-MARS Page Field Reference Table 11-3 Configuration Archive Page Element Description Max. Versions per Device The number of configuration versions you want to retain for each managed device, from 1 to 100. If you reduce the number, you can click Purge Now to immediately delete extra versions.
Chapter 11 Configuring Security Manager Administrative Settings CS-MARS Page Related Topics • Registering CS-MARS Servers in Security Manager, page 69-24 Field Reference Table 11-4 CS-MARS Page Element Description CS-MARS Devices The CS-MARS servers that are registered with Security Manager. • To add a server, click the Add (+) button and fill in the New or Edit CS-MARS Device Dialog Box, page 11-5. • To edit a server, select it and click the Edit (pencil) button.
Chapter 11 Configuring Security Manager Administrative Settings Customize Desktop Page Field Reference Table 11-5 Add or Edit CS-MARS Device Dialog Box Element Description CS-MARS Hostname/IP The IP address or fully-qualified DNS host name of the CS-MARS server. Tip Username Password User Type If you add a CS-MARS global controller, do not add any of the local controllers that the global controller monitors.
Chapter 11 Configuring Security Manager Administrative Settings Customize Desktop Page Field Reference Table 11-6 Customize Desktop Page Element Description Reset ‘Do Not Ask’ on Warnings button Click this button to reestablish ‘Are you sure...?’ pop-up warnings. When you perform some actions, you are warned about the consequences and you are given the option to not be warned again. If you selected Do Not Ask Me Again for any of these warnings, clicking this button reenables the warning.
Debug Options Page Use the Debug Options page to configure the severity level of messages to include in debugging logs and to determine what other debugging information is collected. You should change debugging levels only if the Cisco Technical Assistance Center (TAC) asks you to change them. This makes it possible for you to include more detailed information in the CSMDiagnostics.zip file.
Table 11-7 Debug Options Page (Continued) Element Description Health and Performance Monitor Debug Level The message severity level for the Health and Performance Monitor subsystem. Image Manager Debug Level The message severity level for the Image Manager subsystem. Firewall Services Debug Level The message severity level for firewall-related policies.
Table 11-8 Deployment Page (Continued) Element Description Default Deployment Method The method to use as the default method for deploying configurations to devices: • Device—Deploys the configuration directly to the device or to the transport mechanism specified for the device. For more information, see Deploying Directly to a Device, page 8-9. • Directory
Table 11-8 Deployment Page (Continued) Element Description Deploy to Device Reference Configuration The configuration that Security Manager uses to compare new policies against the previous configuration for the device, if you are deploying the configuration directly to the device (or to a transport server). • Archive—The most recently archived configuration.
Table 11-8 Deployment Page (Continued) Element Description Mask Passwords and Keys When Viewing Configs and Transcripts The conditions, if any, under which Security Manager will mask the following items so that they cannot be read: passwords for users, enable mode, Telnet, and console; SNMP community strings; keys, including those for TACACS+, Preshared Key, RADIUS server, ISAKMP, failover, web VPN attributes, logging po
Table 11-8 Deployment Page (Continued) Element Description ACL Parameters Optimize the Deployment of Access Rules For How firewall rules are deployed. You can choose one of the following: • Speed (default)—Increases deployment speed by sending only the delta (difference) between the new and old ACLs. This is the recommended option.
Table 11-8 Deployment Page (Continued) Element Description Whether Security Manager should share a single access control list (ACL) for an access rule policy with more than one interface. If you do not select this option, Security Manager creates unique ACLs for every interface to which you apply an IPv4 or IPv6 access rule policy. (IPv4 and IPv6 access rules.)
Table 11-8 Deployment Page (Continued) Element Description Remove Unreferenced Access-lists on Device Whether to delete any access lists that are not being used by other CLI commands managed by Security Manager from devices during deployment. (IPv4 and IPv6 access rules.)
Table 11-8 Deployment Page (Continued) Element Description Create Object Groups for Policy Objects (PIX, ASA, FWSM, IOS 12.4(20)T+) Whether Security Manager should create object groups, such as network objects, service group objects, and identity user group objects, to replace comma-separated values in a rule table cell for the indicated devices.
Table 11-8 Deployment Page (Continued) Element Description During validation, check for usage of 'any' Building Block (BB) in IPS Device Policies. Whether to check for the "any" policy object (also called "any" building block), as described, for these reasons: 'any' has a new name starting with CSM 4.4. • Beginning with Security Manager 4.
Table 11-9 Device Communication Page (Continued) Element Description Socket Read Timeout For SSH and Telnet sessions, the maximum number of seconds Security Manager can wait for incoming data before concluding that the connection is lost. Transport Protocol (IPS) The default transport protocol for IPS sensors and routers that include the IPS feature. The default is HTTPS. Transport Protocol (IOS Routers 12.
Table 11-9 Device Communication Page (Continued) Element Description Device Authentication Certificates (IPS) How to handle device authentication certificates for SSL (HTTPS) communications.
Table 11-9 Device Communication Page (Continued) Element Description Overwrite SSH Keys Whether Security Manager can overwrite the SSH key for a device when it changes on the device. For SSH connections, a correct key is required for successful communication. Deselect this check box with caution, and only if you require a greater level of security.
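The masking that the Mask Passwords and Keys setting above describes, as an added example that is not Security Manager's own code: a Python function that redacts the secret categories the page lists (user, enable, Telnet and console passwords; SNMP community strings; TACACS+, RADIUS, ISAKMP pre-shared and failover keys) from a constructed IOS/ASA-style configuration before it is displayed or attached to a support case. The command syntaxes matched are assumptions about common forms, not taken from the page.

```python
import re

# Added example, not Security Manager code. Each pattern captures the secret in
# group 2; the command forms are assumed common IOS/ASA syntax, not from the page.
SECRET_PATTERNS = [
    # user passwords: "username bob password 7 ..." / "username bob privilege 15 secret 5 ..."
    re.compile(r"^(\s*username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:password|secret)(?:\s+\d)?\s+)(\S+)"),
    # enable mode: "enable password ..." / "enable secret 5 ..."
    re.compile(r"^(\s*enable\s+(?:password|secret)(?:\s+\d)?\s+)(\S+)"),
    # console/Telnet line passwords: indented "password 7 ..." under "line con 0" / "line vty 0 4"
    re.compile(r"^(\s+password(?:\s+\d)?\s+)(\S+)"),
    # SNMP community strings: "snmp-server community <string> RO"
    re.compile(r"^(\s*snmp-server\s+community\s+)(\S+)"),
    # TACACS+ / RADIUS server keys: "tacacs-server host 10.0.0.5 key 7 ...", "radius-server key ..."
    re.compile(r"^(\s*(?:tacacs|radius)-server\b.*?\bkey(?:\s+\d)?\s+)(\S+)"),
    # ISAKMP pre-shared keys: "crypto isakmp key <secret> address 203.0.113.1"
    re.compile(r"^(\s*crypto\s+isakmp\s+key\s+)(\S+)"),
    # failover key: "failover key <secret>"
    re.compile(r"^(\s*failover\s+key\s+)(\S+)"),
]
MASK = "*****"


def mask_line(line):
    """Return the line with its secret replaced by MASK, or unchanged if nothing matched."""
    for pat in SECRET_PATTERNS:
        m = pat.match(line)
        if m:
            return line[:m.start(2)] + MASK + line[m.end(2):]
    return line


def mask_secrets(config_text):
    """Mask every secret-bearing line of a configuration or session transcript."""
    return "\n".join(mask_line(line) for line in config_text.splitlines())


def masked_line_count(config_text):
    """Number of lines that were changed; a quick sanity check before sharing a config."""
    return sum(1 for line in config_text.splitlines() if mask_line(line) != line)


# Constructed sample configuration; every secret value here is fake.
SAMPLE_CONFIG = """\
hostname edge-fw
enable secret 5 $1$CONSTRUCTED$notarealhash
username admin privilege 15 password 7 0822455D0A16
snmp-server community c0nstructed RO
tacacs-server host 10.0.0.5 key 7 121A0C041104
radius-server key constructedRadiusKey
crypto isakmp key constructedPSK address 203.0.113.1
failover key constructedFailover
line vty 0 4
 password 7 094F471A1A0A
 login
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

if __name__ == "__main__":
    print(mask_secrets(SAMPLE_CONFIG))
    print("masked lines:", masked_line_count(SAMPLE_CONFIG))
```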
Related Topics • Understanding Device Grouping, page 3-57 • Working with Device Groups, page 3-57 Field Reference Table 11-11 Device Groups Page Element Description Groups Displays the device groups and group types. To rename a group or type, select it and then click it again to make the text editable. Type in the new name and press Enter. Add Type button Click this button to create a new group type.
Field Reference Table 11-12 Discovery Page Element Description Prepend Device Name when Generating Security Context Names Whether the name of the device that contains the security context should be added to the front of the security context’s name. For example, if a security context is named admin, and it is contained in the device with the display name 10.100.15.16, the name that will appear in the Device selector is 10.
Table 11-12 Discovery Page (Continued) Element Description On Error, Rollback Discovery for Entire Device Whether Security Manager should roll back all discovered policies if even one error is encountered for a single policy during policy discovery. When deselected, Security Manager keeps the policies successfully discovered and discards only those policies with errors.
Field Reference Table 11-13 Event Management Page Element Description Event Management Options Enable Event Management Whether to enable the Event Manager service, which allows Security Manager to collect event information. If you disable this feature, you cannot use the Event Viewer or Report Manager applications.
Table 11-13 Event Management Page (Continued) Element Description Extended Store Management Options Auto Copy Events to Extended Store Whether you want to define an extended storage location for event storage. Events are copied from the regular event storage location to the extended location so that they remain available for use.
Table 11-13 Event Management Page (Continued) Element Description Error Notification Email IDs The email addresses that should receive notifications if problems arise with the use of the extended storage location. Separate multiple addresses with commas.
Field Reference Table 11-14 Health and Performance Monitoring Page Element Description Event Management Options Enable Health and Performance Monitoring Lets you enable or disable the Health and Performance Monitoring service, which allows Security Manager to collect event information. If you disable this feature, you cannot use the HPM application.
Field Reference Table 11-15 Identity Settings Page Element Description Domain-AD Server Group Mapping table Each row in the table defines the Active Directory (AD) server group to use for a NetBIOS domain for use with identity-aware firewall policies on ASA devices. • To add an entry, click the Add Row (+) button and fill in the Add AD Domain Server dialog box. Default Domain
Table 11-15 Identity Settings Page (Continued) Element Description For user strings without domain If you select something other than LOCAL for the default domain, how to handle username or user group names that you type in without a domain name: • Auto determine user/user-group from AD—Check the AD server associated with the default domain to determine whether the name is for a user or user group, and add the appropr
Field Reference Table 11-16 Image Manager Page Element Description Use IPS Updates Settings If checked, the other settings on this page are disabled and the default prevails (the Cisco.com credentials from the IPS Updates page apply). Caution If checked, be sure that the Cisco.com credentials from the IPS Updates page are configured correctly. On that page, the default value for "Update From:" is "Local Server."
Table 11-16 Image Manager Page (Continued) Element Description Retrieve Certificate Used to connect to and retrieve the certificate from the selected "Contact URL." After retrieving the certificate it opens the Certificate Verification dialog, which along with a brief summary of the certificate, i.e.
Tips • To apply IPS updates manually, select Tools > Apply IPS Update. For more information, see Manually Applying IPS Updates, page 43-7. • If you later decide that you did not want to apply a signature update, you can revert to the previous update level by selecting the Signatures policy on the device, clicking the View Update Level button, and clicking Revert. Beginning with version 4.
Table 11-17 IPS Updates Page (Continued) Element Description Check for Updates button These buttons check for updates, or download signature and sensor updates that have not already been downloaded to the Security Manager server, from the IPS Update server. You must configure an IPS Update server before checking for updates or downloading them (click Edit Settings in the Update Server group).
Table 11-17 IPS Updates Page (Continued) Element Description Auto Update Mode Establishes whether, and to what extent, automatic updates are performed. Contains the following options: • Download, Apply, and Deploy Updates • Disable Auto Update • Check for Updates • Download Updates • Download and Apply Updates By default, auto update is disabled.
Table 11-17 IPS Updates Page (Continued) Element Description Notify Email The e-mail address to which notifications of automatic updates are sent. If you enter more than one address, separate the addresses with commas. A notification is sent when an update: • Is available for download. • Has been downloaded. • Has been downloaded and applied. Apply Update To Type Edit Row button Devices to be Auto Updated
Edit Update Server Settings Dialog Box Use the Edit Update Server Settings dialog box to configure the server to use for obtaining IPS updates. If necessary, you can configure a proxy server for communicating with the update server. Also, use the Edit Update Server Settings dialog box for certificate trust management. (Security Manager downloads IPS packages from Cisco.
Table 11-18 Edit Update Server Settings Dialog Box (Continued) Element Description User Name The username to log into the IPS update server. If you are configuring a local server that does not require a user login, leave this field blank. If you are specifying a Cisco.com username, the user account on Cisco.com must be eligible for downloading strong encryption software.
Table 11-18 Edit Update Server Settings Dialog Box (Continued) Element Description Retrieve Certificate Used to connect to and retrieve the certificate from the selected "Contact URL." After retrieving the certificate it opens the Certificate Verification dialog, which along with a brief summary of the certificate, i.e.
Navigation Path Select a device or policy in the Apply Update To table on the IPS Updates page (see IPS Updates Page, page 11-31) and click the Edit Row button. Field Reference Table 11-19 Edit Auto Update Settings Dialog Box Element Description Auto Update The type of sensor updates to apply to the selected devices or shared policies.
• Automating IPS Updates, page 43-6 Field Reference Table 11-20 Edit Signature Download Filter Settings Dialog Box Element Description Filter Type: No filter All available signatures for all available engines are downloaded. Filter Type: Download all signatures for engine versions starting with All available signatures for the engine that you select (E4, E3, E2, or E1) are downloaded.
Licensing Page Use the Licensing page to manage licenses for the Security Manager application and for IPS devices. For more information, see Managing IPS Licenses, page 43-1. Navigation Path Select Tools > Security Manager Administration and select Licensing from the table of contents. Field Reference Table 11-22 Licensing Page Element Description CSM tab The license settings for the Security Manager application.
IPS Tab, Licensing Page Use the IPS tab on the Licensing page to view the list of installed IPS device licenses, to install new or updated licenses, or to redeploy licenses. The license list shows current licenses, unlicensed devices, devices with expired licenses, and devices with invalid licenses. Navigation Path Select Tools > Security Manager Administration, select Licensing from the table of contents, and click IPS.
Table 11-24 IPS Tab, Licensing Page (Continued) Element Description Redeploy Selected Licenses button Click this button to redeploy licenses to the selected devices. Redeploying licenses might be necessary when you have obtained an updated license file and it was not applied to the device successfully during an automatic update.
Verifying IPS Devices for License Update or Redeployment When you select a device on the Licensing > IPS tab (see IPS Tab, Licensing Page, page 11-42) and try to update the license from Cisco.com (CCO) or redeploy the license, you are first shown a list of devices that will be updated.
Table 11-25 License Update Status Details Dialog Box (Continued) Element Description Status The current state of the update task. Devices to be updated The total number of devices being updated during this task. Devices updated successfully The number of devices updated without errors. Devices updated with errors The number of devices that generated errors during the update.
Field Reference Table 11-26 Logs Page Element Description Keep Audit Log For The maximum number of days to save audit report entries before deleting them. If the number of entries in the log exceeds the number entered in the Purge Audit Log After field, old log entries might be deleted before they reach this age.
Caution If you use AUS or CNS to deploy configurations to ASA or PIX devices, be aware that the device downloads a full configuration from AUS or CNS. Thus, reducing the policies managed by Security Manager actually removes the configurations from the device. If you intend to deselect some ASA/PIX policies for management to use other applications along with Security Manager to configure devices, do not use AUS or CNS.
Table 11-27 Policy Management Page (Continued) Element Description Save button Saves your changes. If you are unmanaging a policy, you are shown a list of devices that have the policy assigned to them. Security Manager must be able to obtain the required locks to unassign the policy from all devices, or you must manually unassign the policies (or remove the locks) before unmanaging the policy.
Table 11-28 Policy Objects Page (Continued) Element Description Default Source Ports The port range value that is used as the default source port range for service objects. You can choose one of the following: • Use all ports—Includes all ports from 1 to 65535. • Use secure ports—Includes all ports from 1024 to 65535.
Table 11-29 Rule Expiration Page (Continued) Element Description Email Format The format of the e-mail message: • Text—The e-mail is sent in HTML and plain text formats. • XML—The e-mail is sent using an XML markup. This option might be appropriate if you decide to write a program to automatically process and respond to notifications. Save button Saves your changes.
Table 11-30 Server Security Page (Continued) Element Description Single Sign On button Opens Common Services and displays the Single Sign-On Setup page. With Single Sign On (SSO), you can use your browser session to transparently navigate to multiple CiscoWorks servers without having to authenticate to each of them.
Ticket Management Page Use the Ticket Management page to enable Ticket Management, to configure a ticketing system URL for integration with an external change management system, and to configure purge settings for ticket information. When Ticket Management is enabled, every Image Management installation job must have an assigned ticket or it will not be performed.
Table 11-31 Ticket Management Page (Continued) Element Description Purge Tickets (including change report) Older than The number of days that ticket information should be kept in the Ticket Manager table. The default is 30. You can specify from 1 to 120 days. Click Purge Now to delete all tickets older than the number of days specified.
Table 11-32 Token Management Page (Continued) Element Description Password, Confirm Password The password for the username. Enter the password in both fields. Directory in the TMS Server The directory on the TMS server where deployed configuration files for Config Files will be downloaded. The root FTP directory (“.”) is the default FTP location on the TMS server.
• Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS and PIX 6.3 Devices), page 29-35 Field Reference Table 11-33 VPN Policy Defaults Page Element Description DMVPN tab Lists the policy types for which you can configure default policies for the Dynamic Multipoint VPN technology.
Field Reference Table 11-34 Workflow Page Element Description Workflow Control Enable Workflow Whether to enable Workflow mode. When Workflow mode is enabled, you can select whether to have an approver for activities and deployment jobs. Require Activity Approval Whether to require that activities be approved explicitly by an assigned approver.
Table 11-34 Workflow Page (Continued) Element Description Keep job per schedule for The number of days that deployment job information should be kept in the Deployment Job table for each job schedule. This setting applies only to jobs that were initiated by a schedule. The default is 30. You can specify from 1 to 180 days. Click Purge Now to delete all jobs older than the number of days specified.
When the Wall feature is enabled, you can open the Wall window by clicking Tools > Wall... or by clicking the Wall icon in Configuration Manager. You can also open the Wall window by clicking the Wall icon in Health and Performance Monitor or Image Manager. You cannot open the Wall window in Event Viewer or Report Manager. Detailed Wall feature help is available on the Wall window by clicking the help icon.
Notification Alert On receipt of a new message, when the Wall window is not focused, a notification alert popup is shown. Click the notification to launch the Wall window. While the notification alert popup is shown, the Wall window icon also flashes with the message count displayed.
PART 2 Firewall Services and NAT
CHAPTER 12 Introduction to Firewall Services The Firewall policy folder (in either Device or Policy view) includes firewall-related policies that you can deploy to the Adaptive Security Appliance (ASA), PIX Firewall (PIX), Catalyst Firewall Services Module (FWSM), and security routers running Cisco IOS Software. These policies allow you to control network access through a device.
Chapter 12 Introduction to Firewall Services Overview of Firewall Services • Zone-based firewall rules—These rules replace access rules, inspection rules, and web filter rules on IOS devices if you want to configure your rules based on zones instead of interfaces. A zone is a defined group of interfaces that perform the same security role (such as Inside or Outside). By using zone rules, you can create more compact device configurations than you can by using the other types of rules.
• One of the following: – Inspection rules (In direction), web filter rules (In direction), botnet rules, service policy rules (IPS, QoS, Connection)—All of these are applied to the traffic. For devices that do not allow you to configure the direction, all rules are considered to be in the In direction.
ACL Names Preserved by Security Manager Security Manager tries to preserve user-defined access control list (ACL) names as they appear in device configurations. Security Manager can preserve the ACL names configured on a device in the following circumstances: • If the ACL name is specified in Security Manager.
• ACLs named _ are not valid on IOS devices. Security Manager strips off the suffix prior to deployment. This also means that you cannot assign an IOS device more than one ACL object with the same numbered prefix. However, named ACLs that have a numbered suffix are allowed, for example, ACLname_1. • Numbered ACLs must use the correct number ranges for IOS devices.
Table 12-1 ACL Naming Conventions (Continued) Policy Type Naming Convention NAT0 ACLs • Inbound: CSM_nat0_InterfaceName_in • Outbound: CSM_nat0_InterfaceName NAT ACLs • Inbound: CSM_nat_InterfaceName_poolID_in • Outbound: CSM_nat_InterfaceName_poolID NAT Policy Static Translation Rules ACLs Note • For PIX 6.
• Access list ACLs • AAA ACLs • Static ACLs • NAT0 ACLs • NAT ACLs For example, if an access ACL and a NAT0 ACL try to reuse the same ACL, the access ACL uses the original name as configured on the device and the NAT0 ACL is renamed by Security Manager.
Figure 12-1 Rules Table Example Following is an explanation of the numbered call-outs of the rules table features: • Device and policy identification banner (1)—The banner provides information about policy sharing and inheritance and includes the ability to perform some actions. For detailed information, see Using the Policy Banner, page 5-35.
– Edit the selected rule (pencil icon)—For more information, see Editing Rules, page 12-9. – Delete the selected rule (trash can icon)—For more information, see Adding and Removing Rules, page 12-9.
The ability to edit a cell is limited by whether it makes sense to edit the content. For example, Inspection Rules have many limitations based on how the rule is configured: • If you applied the rule to All Interfaces, you cannot edit source or destination addresses, the interface, or the direction of the rule.
• Policy View—You are shown the patterns defined in the policy objects and entries defined for the policy. Entries are sorted alphabetically, with numbers and special characters coming first.
• Right-click an address cell in a rules table and select Edit Sources or Edit Destinations or a similar command. The data replaces the content of the selected cells. • Select an entry in an address cell and select Edit. The data replaces the selected entry. • Select multiple rules, right-click a Sources or Destination cell, and select Add Sources or Add Destinations. The data is appended to the data already in the cell.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 6-86. For detailed information on editing firewall rules cells, see Editing Rules, page 12-9. Navigation Path Do any of the following in a rules policy that includes services: • Right-click a Services cell in a rules table and select Edit Services. Tip
Editing Category Cells in Rules Tables Use the Edit Category dialog box to change the category assigned to a rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12. For detailed information on editing firewall rules cells, see Editing Rules, page 12-9. Navigation Path Right-click a Category cell in a rules policy that includes categories and select Edit Category.
Figure 12-2 List Filter Field: (1) Filter-parameters button; (2) Clear button. To search for a specific text string in the Show Contents list: • Click in the List Filter field to place the text cursor, and then begin typing. These are “live filter” fields. That is, as you type each character, entries that do not include your current text string are removed from the list or table.
Navigation Path Do any of the following in a rules policy that includes sources, users, destinations, services, interfaces, zones, or other fields that specify networks, identity user groups, interfaces, or services. You can also show contents when using tools that work with rules, such as importing rules.
• If you create a new network/host object named network10.100 for all networks in the 10.100.0.0/16 range, you can search and replace all subordinate network specifications. For example, you can search for ^10.100* to find all addresses like 10.100.10.0/24. Select the Find Whole Words Only and Allow Wildcard options, and enter network10.100 as the replacement string.
Field Reference Table 12-2 Find and Replace Page Element Description Type The type of item you are trying to find. Select the type, then select which columns you want to search. If you select All Columns, the columns searched are those also listed with the All Columns item (the search does not consider every column in the table). • Network—A network/host object name, or the IP address of a host or network.
Table 12-2 Find and Replace Page (Continued) Element Description Find Whole Words Only Whether the search should find and select only whole words, which are strings delimited by spaces or punctuation. For example, a whole word search for SanJose will find SanJose but not SanJose1.
When you find that you need to rearrange the order of a rule, select the rule that needs to be moved and click the Up Row (up arrow) or Down Row (down arrow) buttons as appropriate. If these buttons do not appear beneath the rules table, rule order does not matter and you cannot rearrange them. If you use sections to organize your rules, you can move rules only within the section.
• User-defined sections, which are convenient groupings that help you organize rules so that you can evaluate and edit the policy more easily. These types of sections are most useful for policies that contain a large number of rules. All rules within a section must be sequential; you cannot group rules randomly. If you want to identify non-contiguous rules as being related, you can assign the same category to the rules.
• Moving Rules and the Importance of Rule Order, page 12-19 • Enabling and Disabling Rules, page 12-20 Add and Edit Rule Section Dialog Boxes Use the Add and Edit Rule Section dialog boxes to add or edit a user-defined section heading in a rules table. For detailed information about how to use sections to organize a rules table, see Using Sections to Organize Rules Tables, page 12-20.
These can be combined into a single rule: permit TCP for source 10.100.10.1 to destination 10.100.12.1, 10.100.13.1. Multidimensional sorting is used to combine rules. For example, for access rules: 1. Rules are sorted by their sources, so rules with the same source are placed together. 2. Same-source rules are sorted by destination, so rules with the same source and destination are placed together. 3.
Tip If a column type is not listed, then combined rules must have the identical content in those cells except for the Description cell. Rules that have different content for the cells are not combined. Step 5 Click OK to generate the combination and display the results in the Rule Combiner Results Dialog Box. Analyze the results and evaluate whether you want to save the combinations.
Table 12-4 Combine Rules Selection Summary Dialog Box (Continued) Element Description Choose which columns to combine The columns in the rules table that can be combined. Any columns that you do not select must have the identical content for two rules to be combined (even those not listed as combinable, except for the Description column).
changes by discarding your activity or configuration session (for example, File > Discard in non-Workflow mode), but this also discards any other changes you have made to other policies. Once you submit your changes or your activity is approved, you cannot undo your changes. • You are allowed to run the Combine Rules tool even if you are combining rules for a policy that you are not allowed to save.
Table 12-5 Combined Rules Results Summary (Continued) Element Description Detail Report button Click this button to create an HTML report of the results. The report summarizes the results and also provides the details about the resulting rules and the rules that were combined to create the new rule. For combined rules that have a lot of entries in cells, this report makes it easier to read the results.
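The combining rule described above (only rules identical in every non-selected column are merged, one column at a time), as an added example that is not Security Manager's own code. It assumes a simplified rule with four columns (action, sources, destinations, services) and that the relative order of the rules passed in does not matter; the sample rules are constructed.

```python
"""Added example, not Security Manager code: combine firewall rules the way
the Combine Rules tool is described, one combinable column per pass.
Rules that match in every column except the column being combined are merged
and that column becomes the union of the original values. Rules that differ
in two combinable columns are never merged in one step, so the combined rule
set matches exactly the traffic the original rules matched.
Assumption: rule order is irrelevant for the rules given (for example, permit
rules with no interleaved deny rule for overlapping traffic)."""

from collections import OrderedDict

# Hypothetical column set; the real tool has more columns (interfaces, etc.).
COLUMNS = ("action", "sources", "destinations", "services")


def make_rule(action, sources, destinations, services):
    """Build a rule whose multi-valued cells are frozensets of strings."""
    return {"action": action,
            "sources": frozenset(sources),
            "destinations": frozenset(destinations),
            "services": frozenset(services)}


def combine_column(rules, column):
    """One pass: merge rules that are identical in every column except `column`."""
    groups = OrderedDict()          # keeps the first-seen order of each group
    for rule in rules:
        key = tuple(rule[c] for c in COLUMNS if c != column)
        groups.setdefault(key, []).append(rule)
    merged = []
    for members in groups.values():
        rule = dict(members[0])
        rule[column] = frozenset().union(*(m[column] for m in members))
        merged.append(rule)
    return merged


def combine_rules(rules, combinable=("destinations", "sources", "services")):
    """Repeat single-column passes until no further rules can be combined."""
    current = list(rules)
    while True:
        before = len(current)
        for column in combinable:
            current = combine_column(current, column)
        if len(current) == before:
            return current


def describe(rule):
    """Render a rule as one readable line, cells sorted for stable output."""
    return "{} {} from {} to {}".format(
        rule["action"],
        ",".join(sorted(rule["services"])),
        ",".join(sorted(rule["sources"])),
        ",".join(sorted(rule["destinations"])))


# Constructed sample: four single-host permit rules in the 10.100.0.0/16 range
# that differ only in source or destination, plus an unrelated deny rule.
SAMPLE_RULES = [
    make_rule("permit", ["10.100.10.1"], ["10.100.12.1"], ["tcp/80"]),
    make_rule("permit", ["10.100.10.1"], ["10.100.13.1"], ["tcp/80"]),
    make_rule("permit", ["10.100.10.2"], ["10.100.12.1"], ["tcp/80"]),
    make_rule("permit", ["10.100.10.2"], ["10.100.13.1"], ["tcp/80"]),
    make_rule("deny", ["10.100.10.9"], ["10.100.12.1"], ["tcp/80"]),
]

if __name__ == "__main__":
    for rule in combine_rules(SAMPLE_RULES):
        print(describe(rule))
```

The four permit rules collapse into one rule with two sources and two destinations, while the deny rule is left alone because its action column differs.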
Related Topics • Chapter 15, “Managing Firewall AAA Rules” • Chapter 16, “Managing Firewall Access Rules” Converting IPv4 Rules to Unified Rules Prior to the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, separate pages, policies and policy objects were provided for configuring IPv4 and IPv6 firewall rules and policies. With Security Manager 4.4 and ASA 9.
• Device or Map view—The query is limited to the selected device. However, you can query across all supported rule types. This allows you to compare different types of rules that apply to the same traffic. • Policy view—The query is limited to the selected policy. You see only rules that are defined in that policy, and you cannot query other types of policies.
You can query rules from these types of policies: AAA rules, access rules, inspection rules, web filter rules for ASA/PIX/FWSM, and zone-based firewall rules. When setting up your query, you must select at least one rule type; enabled, disabled, or both; permitted, denied, or both; and mandatory, default, or both.
Table 12-6 Querying Device or Policy Dialog Box (Continued) Element Description Sources, Destinations The source or destination of the traffic. You can enter more than one value by separating the items with commas. Note If you leave a field blank, the query matches any address for that field. You can enter any combination of the following address types to define the source or destination of the traffic.
Table 12-6 Querying Device or Policy Dialog Box (Continued) Element Description Services The services that define the type of traffic that is acted on. You can enter more than one value by separating the items with commas. Note If you leave the field blank, the query matches any service. You can enter any combination of service objects and service types (which are typically a protocol and port combination).
• Results Table—This table lists all rules that match your query. If you queried more than one type of rule, select the rule type you want to examine in the Display field. The columns in the table are the same as those for that type of rule, except for the following: – Match Status—Indicates how the rule matches your query: Complete Match—The rule matches all query parameters.
Example Policy Query Result Figure 12-4 shows an example of a policy query report on access rules. The criteria do not limit source, destination, service, and interface parameters, but limit the query to enabled rules. Both shared and local rules are included. The Query Parameters section shows the query criteria for the report.
Optimizing Network Object Groups When Deploying Firewall Rules When you deploy firewall rules policies to an ASA, PIX, FWSM, or IOS 12.4(20)T+ device, you can configure Security Manager to evaluate and optimize the network/host policy objects that you use in the rules when it creates the associated network object groups on the device. Optimization merges adjacent networks and removes redundant network entries.
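The two optimizations just described, applied to the entries of a network object group, as an added example (not Security Manager's code and not what the device itself runs). It assumes entries are plain IPv4 or IPv6 hosts and CIDR networks; address ranges and FQDN objects are not handled, and the sample group is constructed.

```python
"""Added example, not Security Manager code: optimize a network object group
by (1) dropping redundant entries, that is, hosts or networks already covered
by a larger entry, and (2) merging adjacent, aligned networks into their
common supernet, repeated until nothing more can be merged.
Assumption: entries are hosts or CIDR networks (IPv4 or IPv6); ranges and
FQDN objects are out of scope."""

import ipaddress


def parse_entry(text):
    """'10.100.10.15' becomes 10.100.10.15/32; '10.100.10.0/24' stays a network."""
    return ipaddress.ip_network(text, strict=False)


def format_entry(net):
    """Render single addresses without a prefix, as the object group would."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def remove_redundant(nets):
    """Drop every entry that is fully contained in another entry."""
    ordered = sorted(set(nets), key=lambda n: (n.network_address, n.prefixlen))
    kept = []
    for net in ordered:
        # After sorting by (address, prefix length) a containing network always
        # precedes its subnets and is the most recently kept entry, so one
        # comparison against the last kept entry is enough.
        if kept and net.subnet_of(kept[-1]):
            continue
        kept.append(net)
    return kept


def merge_adjacent(nets):
    """Merge the two halves of a supernet into that supernet until stable."""
    current = sorted(set(nets), key=lambda n: (n.network_address, n.prefixlen))
    while True:
        merged, i, changed = [], 0, False
        while i < len(current):
            lower = current[i]
            if i + 1 < len(current) and lower.prefixlen > 0:
                upper = current[i + 1]
                parent = lower.supernet()
                # lower must be the first half of parent and upper the second
                if (upper != lower
                        and upper.prefixlen == lower.prefixlen
                        and parent.network_address == lower.network_address
                        and upper.subnet_of(parent)):
                    merged.append(parent)
                    i, changed = i + 2, True
                    continue
            merged.append(lower)
            i += 1
        current = merged  # still sorted: parent keeps lower's address
        if not changed:
            return current


def optimize_object_group(entries):
    """Return the optimized entry list; IPv4 and IPv6 are handled separately."""
    nets = [parse_entry(e) for e in entries]
    result = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        if same_family:
            result.extend(merge_adjacent(remove_redundant(same_family)))
    return [format_entry(n) for n in result]


# Constructed sample group: a host inside one of two /25 halves, a duplicate
# network, and two adjacent /24 networks.
SAMPLE_GROUP = ["10.100.10.128/25", "10.100.10.15", "10.100.10.0/25",
                "10.100.12.0/24", "10.100.12.0/24", "10.100.13.0/24"]

if __name__ == "__main__":
    print(optimize_object_group(SAMPLE_GROUP))
```

For the sample group the host 10.100.10.15 and the duplicate entry are dropped, the two /25 halves become 10.100.10.0/24, and 10.100.12.0/24 plus 10.100.13.0/24 become 10.100.12.0/23.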
For example, if an object group named CSM_INLINE_55 contains the hosts 10.100.10.15, 10.100.10.18, and 10.100.10.25, importing an access control list by expanding the objects will create a rule that includes all three addresses in the source (or destination, as appropriate) cell rather than a network/host policy object named CSM_INLINE_55.
Chapter 13 Managing Identity-Aware Firewall Policies Identity-aware firewall policies allow you to control traffic based on user identity or a host’s fully-qualified domain name. For example, you can selectively allow a specific type of traffic for one user group while disallowing it for another user group, instead of allowing or disallowing all of that traffic. With fully-qualified domain names, you could disallow HTTP access to a specific server while allowing HTTP traffic to all other servers.
Chapter 13 Managing Identity-Aware Firewall Policies Overview of Identity-Aware Firewall Policies Identity-based firewall services enhance the existing access control and security policy mechanisms by allowing users or groups to be specified as sources, and FQDNs in place of source or destination IP addresses. Identity-based security policies can be interleaved without restriction between traditional IP address based rules.
• IPv4 cut-through proxy. User names are not acquired for IPv6 cut-through proxy. If the user includes the domain name during authentication, the user is associated with the domain name. Otherwise, the domain is the default domain as configured in the Identity Options policy. See Configuring Cut-Through Proxy, page 13-23.
Table 13-1 Requirements for Identity-Aware Firewall Policies (Continued) Requirement Description AD agent You must configure off-box AD agents to act as an intermediary between the ASA and the AD servers. The AD agent maintains an active mapping of users to IP address.
Table 13-1 Requirements for Identity-Aware Firewall Policies (Continued) Requirement Description NetBIOS logout probing If you enable NetBIOS logout probing, the ASA can use NetBIOS to determine if an inactive user is logged off so the user can be removed from the database. The probe uses UDP-encapsulated NetBIOS traffic.
Table 13-1 Requirements for Identity-Aware Firewall Policies (Continued) Requirement Description DNS (Required for fully-qualified domain name settings) If you use fully-qualified domain name (FQDN) network/host objects in firewall rules, you must configure the domain name system (DNS) settings as described in DNS Page, page 51-13. These settings identify domain name usage.
Chapter 13 Managing Identity-Aware Firewall Policies Configuring Identity-Aware Firewall Policies Configuring the Firewall to Provide Identity-Aware Services To provide identity-aware firewall services to your network, you need to configure several policies to enable the firewall to process user-based or fully-qualified domain name (FQDN)-based rules.
This section contains the following topics: • Enabling Identity-Aware Firewall Services, page 13-8 • Creating Identity User Group Objects, page 13-19 • Selecting Identity Users in Policies, page 13-21 • Configuring Identity-Based Firewall Rules, page 13-21 • Configuring Cut-Through Proxy, page 13-23 • Collecting User Statistics, page 13-25 • Filtering VPN Traffic with Identity-Based Rules, page
Microsoft AD servers are the only type of LDAP server that you can use in the identity firewall configuration. You must also abide by the following limitations for communications between Security Manager and Active Directory: – Do not select the Enable LDAP over SSL option. – Do not select the SASL Kerberos Authentication option. Only simple and SASL MD5 authentication mechanisms are supported.
You can use the wizard multiple times to configure different NetBIOS domains. However, the wizard always prompts for AD agent information. Because you can configure a single group for AD agents, not a separate group per domain, the selection overwrites any AD agent configuration that you have already made. So be sure to select the same AAA server group for the AD agents each time you run the wizard.
• From the Identity Settings Security Manager Administration page, click the Add or Edit buttons for the settings table. These settings determine which servers are used when using Find to locate a user or user group name when configuring firewall rules or identity user group objects. See Identity Settings Page, page 11-26.
Field Reference Table 13-3 Identity Configuration Wizard Active Directory Settings Element Description NetBIOS Domain The NetBIOS domain for this AD server group. The domain name can be up to 32 characters, typically in all uppercase. For example, if the user specification is DOMAIN\user1, DOMAIN is the NetBIOS domain name.
Table 13-3 Identity Configuration Wizard Active Directory Settings (Continued) Element Description Interface The interface whose IP address should be used for all outgoing packets (known as the source interface). Enter the name of an interface or interface role, or click Select to select it from a list or to create a new interface role.
Field Reference Table 13-4 Identity Configuration Wizard Active Directory Agent Settings Element Description Select Existing AD Agent Group Select this option if the AAA server group policy object that identifies the required AD agents already exists. The object must use the RADIUS protocol, and should have the option AD Agent Mode selected.
Table 13-4 Identity Configuration Wizard Active Directory Agent Settings (Continued) Element Description Add Secondary AD Agent Click this button only if you want to create an additional agent. The agent is used in case the first agent becomes unavailable.
Related Topics • Identifying Active Directory Servers and Agents, page 13-8 • Requirements for Identity-Aware Firewall Policies, page 13-3 Field Reference Table 13-5 Identity Options Advanced Tab Element Description Enable User Identity Whether to enable the device to obtain user identity information from the AD agent and AD servers, if they are configured on the AD Setup tab.
Table 13-5 Identity Options Advanced Tab (Continued) Element Description NetBIOS Logout Probe Enable (NetBIOS Logout Probe) Whether to enable the NetBIOS logout probe. You can use the probe to proactively determine if a user has logged out of the network, allowing the device to remove the user-to-IP address mapping more quickly than if idle timeout is the only mechanism used for this purpose.
Table 13-5 Identity Options Advanced Tab (Continued) Element Description Users Idle Timeout The amount of time, in minutes, to allow the user to be idle before removing the user-to-IP address mapping in the database. Once removed, the user must log in again to update the mapping (for example, by using Ctrl+Alt+Delete to lock the workstation, then logging in again).
Table 13-5 Identity Options Advanced Tab (Continued) Element Description Retrieve User Information How the ASA should retrieve user-to-IP address mappings from the AD agent. • Full Download (default for ASA non-5505 devices)—On boot, the ASA obtains the full user-to-IP address mapping database from the AD agent, and then gets incremental updates as users log into and out of the network.
• Requirements for Identity-Aware Firewall Policies, page 13-3 • Identity Settings Page, page 11-26 • Creating Policy Objects, page 6-9 Step 1 Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager, page 6-4). Step 2 Select Identity User Group from the Object Type selector.
Selecting Identity Users in Policies In any policy or policy object that allows the specification of identity users, whether directly or through the selection of an identity user group object, you can click the Select button next to the User field to help you enter the information.
Guidelines For Adding Identity-Based Rules Following are some general guidelines and recommendations for adding identity-based rules: • FQDN (fully-qualified domain name) network/host objects are allowed in both Source and Destination fields. For information on configuring these objects, see Creating Networks/Hosts Objects, page 6-76.
• Access Rules—Select Firewall > Access Rules and see Configuring Access Rules, page 16-7. • Inspection Rules—Select Firewall > Inspection Rules and see Configuring Inspection Rules, page 17-5. • Policies that use extended ACL policy objects—Several firewall policies use extended ACL policy objects to define traffic matching criteria instead of incorporating a rule table directly in the policy.
You can configure cut-through proxy to account for this possibility. With cut-through proxy, if a user is blocked, the user can sign on directly to the ASA, and the ASA will update the user-to-IP mapping to correctly reflect the current IP address for the user. The new mapping is forwarded to all contexts that contain the interface where the HTTP/HTTPS packets are received and authenticated.
• (Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy or create a new one. Step 3 Create the following rules using the Add Row button. For detailed information about the fields in the Add AAA Rules dialog box, see Add and Edit AAA Rule Dialog Boxes, page 15-13.
Step 1 Do one of the following: • (Device view) Select an ASA device, then select Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Policy selector. • (Policy view) Select PIX/ASA/FWSM Platform > Service Policy Rules > IPS, QoS, and Connection Rules from the Policy Type selector. Select an existing policy or create a new one.
Chapter 13 Managing Identity-Aware Firewall Policies Monitoring Identity Firewall Policies interface access rules, deselect the Enable IPsec over Sysopt option on the ISAKMP/IPsec tab of the RA VPN Global Settings policy. See Configuring VPN Global ISAKMP/IPsec Settings, page 25-30. Monitoring Identity Firewall Policies You can use Event Viewer to monitor identity-aware firewall policies the same way you would monitor other types of policies and events.
Chapter 14 Managing TrustSec Firewall Policies Cisco TrustSec provides an access-control solution that builds upon an existing identity-aware infrastructure to ensure data confidentiality between network devices and integrate security access services on one platform. In the Cisco TrustSec solution, enforcement devices utilize a combination of user attributes and end-point attributes to make role-based and identity-based access control decisions.
Chapter 14 Managing TrustSec Firewall Policies Overview of TrustSec Firewall Policies • Provides a growing mobile and complex workforce with appropriate and more secure access from any device • Lowers security risks by providing comprehensive visibility of who and what is connecting to the wired or wireless network • Offers exceptional control over activity of network users accessing physical or cloud-based IT resources • Reduces total cost of ownership through centralized, highly secure access po
Access requestors include end-point devices such as PCs, laptops, mobile phones, printers, cameras, and MACsec-capable IP phones. • Policy Decision Point (PDP): A policy decision point is responsible for making access control decisions. The PDP provides features such as 802.1x, MAB, and Web authentication. The PDP supports authorization and enforcement through VLAN, DACL, and security group access (SGACL/SXP/SGT).
Figure 14-1 Security Group Name Based Policy Enforcement Deployment Implementing Cisco TrustSec allows for configuration of security policies supporting server segmentation. • A pool of servers can be assigned an SGT for simplified policy management. • The SGT information is retained within the infrastructure of Cisco TrustSec capable switches.
Figure 14-2 Security Policy Enforcement 1. An end-point device connects to an access layer device directly or via remote access and authenticates with Cisco TrustSec. 2. The access layer device authenticates the end-point device with the ISE by using authentication methods such as 802.1X or web authentication.
About Speaker and Listener Roles The ASA supports SXP to send and receive IP-SGT mappings to and from other network devices. Employing SXP allows security devices and firewalls to learn identity information from access switches without the need for hardware upgrades or changes. SXP can also be used to pass IP-SGT mappings from upstream devices (such as datacenter devices) back to the downstream devices.
Chapter 14 Managing TrustSec Firewall Policies Configuring TrustSec Firewall Policies 6. Specify a device name, device ID, password, and a download interval for the ASA. See the ISE documentation for the details to perform these tasks. Creating a Security Group on the ISE When configuring the ASA to communicate with the ISE, you specify a AAA server. When configuring the AAA server on the ASA, you must specify a server group. The security group must be configured to use the RADIUS protocol. 1.
Configuring Cisco TrustSec Services This procedure explains how to enable and configure Cisco TrustSec in Cisco Security Manager and on the required security devices. Before You Begin Before configuring an ASA to integrate with Cisco TrustSec, you must meet the prerequisites explained in Prerequisites for Integrating an ASA with Cisco TrustSec, page 14-6.
Table 14-1 SXP Settings Page (Continued) Element Description Retry Timer The default time interval between ASA attempts to set up new SXP connections between SXP peers. Enter the retry timer value as a number of seconds in the range of 0 to 64000 seconds. If you specify 0 seconds, the timer never expires and the ASA will not attempt to connect to SXP peers. By default, the timer value is 120 seconds.
Note ASA Software 9.0(1)+ is required for TrustSec firewall. Related Topics • Prerequisites for Integrating an ASA with Cisco TrustSec, page 14-6 • About Speaker and Listener Roles, page 14-6 • Configuring Security Exchange Protocol (SXP) Settings, page 14-8 Step 1 Do one of the following: • (Device view) Select an ASA device, then select TrustSec > SXP Connection Peers from the Policy selector.
• (Policy view) Select TrustSec > SXP Connection Peers from the Policy selector. Select an existing policy or create a new one. Step 2 – To add an entry, click the Add Row (+) button. – To edit an entry, select it and click the Edit Row (pencil) button.
Creating Security Group Objects You can create security group object groups for use in features that support Cisco TrustSec by including the group in an extended ACL, which in turn can be used in an access rule, for example. When integrated with Cisco TrustSec, the ASA downloads security group information from the Cisco Identity Services Engine (ISE).
• In Type in comma separated (Name or Tag), first select the type of entry you are making, Name or Tag. Type in a valid security group name or tag number, then click the Add >> button between the lists. Separate multiple names or tags with commas; they are added as separate lines in the members list. • To remove an item from the object, select it in the Members list and click the << Remove button between the lists.
Chapter 14 Managing TrustSec Firewall Policies Monitoring TrustSec Firewall Policies Firewall Policies That Support Security Groups Security group rules are allowed on ASA 9.0.1+ only. The following policies allow you to configure security groups: • AAA Rules—Select Firewall > AAA Rules and see Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 15-4. • Access Rules—Select Firewall > Access Rules and see Configuring Access Rules, page 16-7.
Chapter 15 Managing Firewall AAA Rules You can use Authentication, Authorization, and Accounting (AAA) rules to control access to network resources based on user privileges rather than by IP addresses. If you configure authentication rules, users must enter a username and password whenever they attempt to access a network behind the protected device. Once authenticated, you can further require that the user account be checked to ensure the user is authorized for network access.
Chapter 15 Managing Firewall AAA Rules Understanding How Users Authenticate is high security, where you want to carefully control access. AAA rules are also useful for circumstances where you need to maintain per-user accounting records for billing, security, or resource allocation purposes. The AAA rules policy actually configures three separate types of rule, and the configuration of these rules differs significantly between IOS devices on the one hand and ASA, PIX, and FWSM devices on the other hand.
Users are prompted only for HTTP, HTTPS, FTP, and Telnet connections (if you configure those protocols to require authentication).
Chapter 15 Managing Firewall AAA Rules Configuring AAA Rules for ASA, PIX, and FWSM Devices For ASA, PIX, and FWSM devices, the security appliance uses a custom login screen. As with HTTP, you can configure the interface to use interactive authentication, in which case HTTPS connections use the same authentication page as HTTP connections. You must configure the interface separately for HTTPS redirection; use the Firewall > Settings > AAA Firewall policy.
• (Device view) Select Firewall > AAA Rules from the Policy selector. • (Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy or create a new one. Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and select Add Row. This opens the Add and Edit AAA Rule Dialog Boxes, page 15-13.
and successfully authenticate (and be authorized, if you include that action) before any other types of connections are allowed. For accounting rules, you can specify any TCP or UDP service (or simply TCP and UDP themselves), if you want to account for all types of traffic. • AAA Server Group—The AAA server group policy object to be used for authentication, authorization, or accounting.
Chapter 15 Managing Firewall AAA Rules Configuring AAA Rules for IOS Devices • If you want to exempt some devices from your AAA rules based on their media access control (MAC) address, click the MAC Exempt List tab to open the AAA Firewall Page, MAC-Exempt List Tab, page 15-23. Enter a name for the exemption list, and then click the Add Row button and fill in the Firewall AAA MAC Exempt Setting Dialog Box, page 15-24 to add the MAC address to the table with a permit rule.
Step 1 Do one of the following to open the AAA Rules Page, page 15-10: • (Device view) Select Firewall > AAA Rules from the Policy selector. • (Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy or create a new one. Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and select Add Row.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down arrow buttons to position the rule appropriately. For more information, see Moving Rules and the Importance of Rule Order, page 12-19. Step 5 Select Firewall > Settings > AuthProxy (in Device or Policy view) to open the AAA Page, page 15-25.
Chapter 15 Managing Firewall AAA Rules AAA Rules Page AAA Rules Page Use the AAA Rules page to configure AAA rules for device interfaces. AAA rules configure network access control (called authentication proxy on IOS devices), which forces the user to authenticate when attempting network connections that traverse the device.
Chapter 15 Managing Firewall AAA Rules AAA Rules Page Field Reference Table 15-1 AAA Rules Page Element Description Expand all rows/Collapse all Use these buttons to expand or collapse all sections in the rules table. rows Note The buttons are located in the upper-right corner of the Filter area above the access rules table. Conflict Indicator icons Identifies conflicts and provides a quick visual representation of the type of conflict.
Chapter 15 Managing Firewall AAA Rules AAA Rules Page Table 15-1 AAA Rules Page (Continued) Element Description AuthProxy The protocols that require authentication using the authentication proxy method. This applies only to IOS devices. You can right-click the AuthProxy cell in an existing AAA rule and choose Edit AuthProxy to change your selections. See AuthProxy Dialog Box, page 15-18 for more information.
Chapter 15 Managing Firewall AAA Rules AAA Rules Page • If you right-click a rule in the table, the options may include editing functions relative to the specific table cell right-clicked. For example, the command “Edit Server Group” is included when you right-click a Server Group cell. See Editing Rules, page 12-9 for more information. • The Combine Rules option is also included in the right-click menu. See Combining Rules, page 12-22 for more information.
Table 15-2 Add and Edit AAA Rules Dialog Boxes (Continued). Sources: Provide traffic sources for this rule; can be networks, security groups, and users. You can enter values or object names, or Select objects, for one or more of the following types of sources: • Network – You can specify various network, host and interface definitions, either individually or as objects.
Table 15-2 Add and Edit AAA Rules Dialog Boxes (Continued). Destinations: Provide traffic destinations for this rule; can be networks or security groups. As with Sources, you can enter values or object names, or Select objects, for one or more destinations of Network and Security Group (ASA 9.0+) type. Services: The services that define the type of traffic upon which to act.
Table 15-2 Add and Edit AAA Rules Dialog Boxes (Continued). The Authentication Action, Authorization Action, and Accounting Action check boxes define the types of rules that will be generated on the device. Each type generates a separate set of commands, but if you select more than one option, your other selections in this dialog box are limited to those supported by all selected actions.
Table 15-2 Add and Edit AAA Rules Dialog Boxes (Continued). AAA Server Group (PIX, ASA, FWSM): The AAA server group policy object that defines the AAA server that should provide authentication, authorization, or accounting for the traffic defined in the rule. Enter the name of the policy object or click Select to select it from a list or to create a new object.
Edit AAA Option Dialog Box Use the Edit AAA Option dialog box to select whether the rule performs authentication (with or without user identity), authorization, or accounting. Authorization and accounting rules work only on ASA, PIX, and FWSM devices.
AAA Firewall Settings Policies The AAA firewall settings policy configurations influence the behavior of your AAA rules.
Field Reference Table 15-3 Advanced Setting Tab, AAA Firewall Settings Page. Use Secure HTTP Authentication: Whether to require users making HTTP requests that traverse the security appliance to first authenticate with the security appliance using SSL (HTTPS). The user is prompted for username and password.
Table 15-3 Advanced Setting Tab, AAA Firewall Settings Page (Continued). Disable FTP Authentication Challenge: Whether to disable authentication challenges for the indicated protocols. By default, the FWSM prompts the user for a username and password when a AAA rule enforces authentication for traffic in a new session and the protocol of the traffic is FTP, Telnet, HTTP, or HTTPS.
Field Reference Table 15-4 Interactive Authentication Configuration Dialog Box. Protocol: The protocol that you want to listen for, either HTTP or HTTPS. If you want to listen for both protocols on an interface, add the interface to the table twice. Interface: The interface or interface role on which to enable listeners.
AAA Firewall Page, MAC-Exempt List Tab Use the MAC Exempt List tab of the AAA Firewall settings policy to identify hosts that should be exempt from authentication and authorization for ASA, PIX, and FWSM 3.x+ devices.
Table 15-6 MAC-Exempt List Tab, AAA Firewall Settings Page (Continued). MAC Exempt List table: The MAC exempt rules that you want to implement. The table shows the MAC addresses and masks (in hexadecimal) and whether you are permitting them (exempting them from authentication and authorization) or denying them (making them go through standard authentication and authorization).
AAA Page Use the AAA firewall settings policy to identify the servers and banners to use for the authentication proxy and to configure non-default timeout values. The authentication proxy for IOS devices is a service that forces users to log in and authenticate when trying to make HTTP, Telnet, or FTP connections through an IOS device.
Table 15-8 AAA Firewall Settings Policy (Continued). General Tab. Authorization Server Groups: The AAA server group policy objects that identify the LDAP, TACACS+, or RADIUS servers that will provide per-user authorization control. You can also use the LOCAL user database defined on the device. Enter the names of the server group objects, or click Select to select them from a list or to create new objects.
Table 15-8 AAA Firewall Settings Policy (Continued). Use HTTP banner from File URL: Whether you want to use your own web page to authenticate HTTP connections. Enter the URL for your HTTP banner. If you configure both HTTP banner text and a URL, the URL banner takes precedence; however, the banner text is also configured on the device.
Field Reference Table 15-9 Firewall AAA IOS Timeout Value Setting Dialog Box. Interfaces: The interfaces or interface roles for which you are configuring timeout values. Enter the names of the interfaces or roles, or click Select to select them from a list or to create new interface roles. Separate multiple entries with commas.
Table 15-9 Firewall AAA IOS Timeout Value Setting Dialog Box (Continued). HTTP/NTLM Tab: The HTTP and the NTLM areas contain the same fields and selections: Set the Inactivity/Cache Time and the Absolute Time for HTTP/NTLM and then, if desired, select Enable Passive Authentication. Finally, select the Identity Policy that you want to apply.
CHAPTER 16 Managing Firewall Access Rules Access rules define the rules that traffic must meet to pass through an interface. When you define rules for incoming traffic, they are applied to the traffic before any other policies are applied (with the exception of less common AAA rules). In that sense, they are your first line of defense. Tip For some types of devices, you can configure IPv6 access rules in addition to IPv4 access rules.
Understanding Access Rules When you deploy access rules to devices, they become one or more entries (ACEs) in access control lists (ACLs) that are attached to interfaces. Typically, these rules are the first security policy applied to packets; they are your first line of defense.
• Configuring Settings for Access Control, page 16-20 • Expanding Object Groups During Discovery, page 12-35 • Importing Rules, page 16-37 • Adding and Removing Rules, page 12-9 • Editing Rules, page 12-9 • Enabling and Disabling Rules, page 12-20 • Moving Rules and the Importance of Rule Order, page 12-19 Understanding Global Access Rules Traditionally, access rules (ACLs), which control which traffic can flow through a de
will ask you if the rule can be created at the nearest valid location. You must accept the suggestion or the rule will not be added to the table. You can always move the rule after creating it if the suggested location is not ideal (but without violating the rules on order). • You cannot inherit a policy if the rules in the inherited policy will violate the required order.
If an access rule allows TCP/UDP traffic in one direction, the appliance automatically allows return traffic (you do not need to configure a corresponding rule for the return traffic), except for ICMP traffic, which does require a return rule (where you permit the reverse source and destination), or you must create an inspection rule for ICMP.
Tips • Because you can use network/host objects to identify a source or destination, and you can configure deployment optimization for rules, there is not always a one-to-one relationship between an access rule and ACEs in the CLI definition of an ACL. • All access lists created from firewall rules are extended access lists (rather than standard).
Configuring Access Rules Access rules policies define the rules for allowing traffic to pass through an interface. If you do not configure an access rules policy, the device behavior differs based on device type as explained in Understanding Device Specific Access Rule Behavior, page 16-4. Note With the release of Security Manager 4.4 and versions 9.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select an existing row and edit either the entire row or specific cells. For more information, see Editing Rules, page 12-9. Special rules apply if you mix interface-specific and global rules in a policy; for more information, see Understanding Global Access Rules, page 16-3. Step 3 Configure the rule.
Note If you have conflict detection enabled, Security Manager will analyze the new rule to see if it conflicts or overlaps with other rules. For more information, see Using Automatic Conflict Detection, page 16-25. Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down arrow buttons to position the rule appropriately.
• (Device view) Select a device, then select Firewall > Access Rules (or Firewall > Settings > IPv6 Access Rules) from the Policies selector. • (Policy view) Select Firewall > Access Rules (or Firewall > Settings > IPv6 Access Rules) from the Policy Type selector. Create a new policy or select an existing one.
Table 16-1 Access Rules Page (Continued). Service: The services or service objects that specify the protocol and port of the traffic to which the rule applies. Multiple entries are displayed on separate lines within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 6-86.
Table 16-1 Access Rules Page (Continued). Enable conflict detection: Enable or disable automatic conflict detection. This feature is enabled by default and the setting is managed per user. Disabling conflict detection for one access rules table will also disable the feature for other access rules tables.
• The Import Rules and Combine Rules options are also included in the right-click menu. See Importing Rules, page 16-37 and Combining Rules, page 12-22 for more information about these options. Add and Edit Access Rule Dialog Boxes Use the Add and Edit Access Rule dialog boxes to add and edit security-device access rules. Note With the release of Security Manager 4.4 and versions 9.
Table 16-2 Add and Edit Access Rule Dialog Boxes (Continued). Sources: Provide traffic sources for this rule; can be networks, security groups, and users. You can enter values or object names, or Select objects, for one or more of the following types of sources: • Network – You can specify various network, host and interface definitions, either individually or as objects.
Table 16-2 Add and Edit Access Rule Dialog Boxes (Continued). Destinations: Provide traffic destinations for this rule; can be networks or security groups. As with Sources, you can enter values or object names, or Select objects, for one or more destinations of Network and Security Group (ASA 9.0+) type. Services: The services that define the type of traffic upon which to act.
Navigation Path To access the Advanced dialog box: • In the Add and Edit Access Rule Dialog Boxes, page 16-13, click the Advanced button. To access one of the Edit options dialog boxes: • Right-click the Options or Expiration Date cell in an access rule (on the Access Rules Page, page 16-9) and choose the related Edit command. To change the rule direction, right-click the Dir. cell and choose the opposite direction (in or out).
Table 16-3 Advanced Dialog Box (Continued). Enable Logging (IOS): Whether to generate an informational logging message about the packet that matches the entry; the message will be sent to the console for IOS devices. Log Input (IPv4 only; neither option presented on the IPv6 Access): Select Log Input to include the input interface and source MAC address or virtual circuit in the logging output.
Table 16-3 Advanced Dialog Box (Continued). Rule Expiration: Lets you configure an expiration date for the rule. Click the calendar icon to select a date. For more information, see Configuring Expiration Dates for Access Rules, page 16-19.
Table 16-4 Hit Count Selection Summary Dialog Box (Continued). Rules Selected: The rules for which you want to obtain hit count details; choose: • Select the rules option to obtain information for only those rules you selected. You can select the rows related to the name of a scope, a section name, multiple individual rules, or create a filter and select all filtered rules.
Related Topics • Rule Expiration Page, page 11-48 • Configuring Access Rules, page 16-7 Configuring Settings for Access Control You can configure various settings that apply to security-device access control lists. These settings work in conjunction with your access rules policy.
You can edit existing entries in the list by selecting them and clicking Edit Row, or delete them by clicking Delete Row. Access Control Settings Page Use the Access Control Settings page to configure settings to use in conjunction with your access rules policy. You can control some performance and logging features, and configure ACL names for individual interfaces. Note With the release of Security Manager 4.
Field Reference Table 16-5 Access Control Settings Page. Maximum number of concurrent flows (PIX, ASA, …): The maximum number of concurrent deny flows that the device is allowed to create. Syslog message 106101 is generated when the device reaches the number.
Table 16-5 Access Control Settings Page (Continued). Access Control settings table: The table lists the interfaces for which you want to configure special processing. The interface name can be a specific interface or an interface role (which can apply settings to more than one interface at a time), or Global for global ACL settings on ASA 8.3+ devices.
Field Reference Table 16-6 Firewall ACL Setting Dialog Box. Interface / Global (ASA 8.3+): Specify whether you are configuring settings for specific interfaces (or interface roles), or for global rules on ASA 8.3+ devices. If you select Interface, specify the name of the interface or interface role for which you are configuring settings.
Table 16-6 Firewall ACL Setting Dialog Box (Continued). Enable Access List Compilation (PIX 6.x): Whether to compile access lists on this interface for PIX 6.x devices. This setting overrides the equivalent global setting that you configure on the Access Control Settings page.
Using Automatic Conflict Detection
network-object 10.2.1.1 255.255.255.255
• Redundant Rule—Two rules apply the same action to the same type of traffic, and removing the base rule would not change the ultimate result. For example, if a rule permitting FTP traffic for a particular network were followed by a rule allowing IP traffic for that same network, and there were no rules in between denying access, then the first rule is redundant and can be deleted.
Note If a rule contains an FQDN network/host object, the FQDN object is ignored, but the rule is otherwise included in the analysis. Note Disabled rules are not evaluated during conflict detection.
Figure 16-1 Automatic Conflict Detection: (1) Conflict Indicator icons, (2) Enable Conflict Detection, (3) Generate Report button, (4) Annotation Display Options, (5) Conflict navigation bar, (6) Conflict Details area, (7) Conflict Navigation buttons. Conflict Indicator Icons The Conflict Indicator icons are used to identify conflicts and to provide a quick visual representation of the type of conflict.
Note For an explanation of the types of conflicts, see Understanding Automatic Conflict Detection, page 16-25. The icons are: Redundant Object, Redundant Rule, Partially Redundant Rule, Shadowed Rule, Partially Shadowed Rule. Note If an access rule has multiple conflicts or if it has a user note attached to it, the conflict indicator icon for that rule will have a small plus sign (+) on it.
Annotation Display Options button Click the Annotation Display Options button to open the Annotation Display Options dialog box, which is used for selecting the types of conflicts that should be reported. For an explanation of the types of conflicts, see Understanding Automatic Conflict Detection, page 16-25.
Conflict Details Area The Conflict Details pane shows details for the selected conflict. The pane can be docked and undocked as needed. If the Conflict Details pane is docked while the Policy Object Manager pane is also docked, you can navigate between the two features using the tabs at the bottom of the window. The conflicting rules are shown together in a table for easier direct comparison.
• (Policy view) Select Firewall > Access Rules from the Policy Type selector and select an existing policy. This opens the Access Rules Page, page 16-9. If conflict detection is enabled, the access rules will be analyzed for conflicts after the table has been loaded. If conflict detection is not enabled, select Enable conflict detection to begin the conflict analysis. The analysis progress is shown below the rules table.
Step 6 Click on the Conflict Indicator icon for the selected conflict to open the Conflict Details pane. For more information on the Conflict Indicator icons, see Understanding the Automatic Conflict Detection User Interface, page 16-27. The Conflict Details pane shows details for the selected conflict. The conflicting rules are shown together in a table for easier direct comparison. The type of conflict is shown above the table.
Viewing Hit Count Details • Hit count statistics are based on ACL, not on interface. If you select Enable ACL Sharing for Firewall Rules on the Security Manager Administration Deployment page (see Deployment Page, page 11-9), any shared ACL provides statistics that are combined from all interfaces that share the ACL.
Table 16-7 ACE Hit Count Details Window (Continued). Expanded Table: This view lists hit count information for the access control list entry (ACE) for the rule selected in the Access Rules table (on the Access Rules Page, page 16-9) when you opened this window. The list contains more than one ACE if the access rule generated more than one ACE when you deployed the policy to the device.
• Figure 16-2 shows the default view. The upper table lists the rules as they exist in your access rules policy, either all rules or just the ones you selected before generating the report. When you select a rule, the ACEs created on the device for that rule are listed in the expanded table in the lower half of the window. When you initially open the report, the expanded table shows the ACEs for all policies listed in the upper table.
Figure 16-3 Raw ACE Table Related Topics • Understanding Access Rules, page 16-1 • Configuring Access Rules, page 16-7 Importing Rules Typically, when you add a device to Security Manager, you discover policies from the device. This action populates your access rules policy with the access control entries (ACEs) from all active ACLs on the device.
Step 4 On the Import Rules Wizard—Enter Parameters Page, page 16-38: • Enter the desired CLI information in the running-configuration format appropriate for the selected device. For examples of importable CLI-based rules, see Examples of Imported Rules, page 16-41. • Specify whether you are creating an interface-specific rule (and enter the interface or interface role to which you want the rules to apply), or for ASA 8.
Related Topics • Importing Rules, page 16-37 • Understanding Interface Role Objects, page 6-67 Field Reference Table 16-8 Import Rules - Enter Parameters Dialog Box. CLI: The OS commands that define the rules and related objects that you want to import. These rules must be in running-configuration format, so they are best copied and pasted from a configuration (use Ctrl+V to paste into the field).
Navigation Path For information on starting the Import Rules wizard, see Import Rules Wizard—Enter Parameters Page, page 16-38 Related Topics • Importing Rules, page 16-37 Field Reference Table 16-9 Import Rules Wizard—Status Page. Progress bar: Shows the status of the import process. Status: The status of the imported configuration. Rules Imported: The number of rules that will be imported.
• Access Rules Page, page 16-9 • Understanding Networks/Hosts Objects, page 6-74 • Understanding Interface Role Objects, page 6-67 • Understanding and Specifying Services and Service and Port List Objects, page 6-86 • Filtering Tables, page 1-45 Field Reference Table 16-10 Import Rules Wizard—Preview Page. Rules tab: The rules that were created from your CLI and that will be imported to the access rules policy.
This example creates a network/host object named ftp_servers and two access rules. Example 2: Restrict web access during working hours (ASA devices) The following example denies HTTP requests between the hours of 8 AM and 6 PM, which are typical work hours.
time-range no-http
periodic weekdays 8:00 to 18:00
access-list 101 deny tcp any any eq www time-range no-http
This example creates a time range object named no-http and one access rule.
remark Do not allow Smith workstation through
deny 172.16.3.13
This example creates two rules, converting the standard rules to extended rules (to any destination). The remarks are saved in the description field. For more examples of ACLs in command language format, see the following: • IOS Devices—http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_create_IP_apply.html#wp1027258.
Optimizing Access Rules Automatically During Deployment • Adjacent ACEs—Where two entries are similar enough that a single entry can do the same job. There can be no intervening rules that change which packets will hit each rule. Consider the following example:
access-list myacl permit ip 1.1.1.0 255.255.255.128 any
access-list myacl permit ip 1.1.1.128 255.255.255.128 any
The two ACEs are merged into one:
access-list myacl permit ip 1.1.1.0 255.255.255.0 any
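Both the Redundant Rule conflict described under Understanding Automatic Conflict Detection and the Adjacent ACEs merge described here can be modelled directly on the ACE text. The following is an added example written for this guide, not Security Manager code: it parses a simplified subset of ASA extended-ACE syntax (permit/deny, ip/tcp/udp/icmp, any/host/mask addresses, a single "eq" port) and the sample ACL is constructed from the chapter's own two examples.

```python
"""Model of two analyses this chapter describes: the "Redundant Rule" conflict
and the "Adjacent ACEs" optimization.  Constructed example, not Security Manager code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None  # destination port for tcp/udp; None = any


def _net(t: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE in running-configuration format, e.g.
    'access-list 101 deny tcp any any eq www'.  Only 'eq <port>' is modelled."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    acl, action, proto = t[1], t[2], t[3]
    src, i = _net(t, 4)
    dst, i = _net(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port = {"www": 80, "ftp": 21, "telnet": 23}.get(t[i + 1]) or int(t[i + 1])
    return Ace(acl, action, proto, src, dst, port)


def format_ace(a: Ace) -> str:
    """Render an Ace back in running-configuration format (numeric port)."""
    def net(n: ipaddress.IPv4Network) -> str:
        if n.prefixlen == 0:
            return "any"
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.netmask}"
    s = f"access-list {a.acl} {a.action} {a.proto} {net(a.src)} {net(a.dst)}"
    return s + (f" eq {a.port}" if a.port is not None else "")


def covers(broad: Ace, narrow: Ace) -> bool:
    """True when every packet matching `narrow` also matches `broad`."""
    return ((broad.proto == "ip" or broad.proto == narrow.proto)
            and (broad.port is None or broad.port == narrow.port)
            and narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst))


def overlaps(a: Ace, b: Ace) -> bool:
    """True when some packet could match both entries."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and (a.port is None or b.port is None or a.port == b.port)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst))


def redundant_rules(aces: List[Ace]) -> List[int]:
    """Indexes of entries redundant in the sense of the chapter's example: a later
    same-action entry covers the base entry and no opposite-action entry in between overlaps it."""
    found = []
    for i, base in enumerate(aces):
        for later in aces[i + 1:]:
            if later.action != base.action:
                if overlaps(later, base):
                    break      # intervening opposite-action rule; the base rule still matters
                continue
            if covers(later, base):
                found.append(i)
                break
    return found


def merge_adjacent(aces: List[Ace]) -> List[Ace]:
    """Merge consecutive entries that differ only in source network and whose two
    networks are the halves of one larger block (the 'Adjacent ACEs' case)."""
    out: List[Ace] = []
    for a in aces:
        if out:
            p = out[-1]
            same = (p.acl, p.action, p.proto, p.dst, p.port) == (a.acl, a.action, a.proto, a.dst, a.port)
            if same and 0 < p.src.prefixlen == a.src.prefixlen and p.src != a.src \
                    and p.src.supernet() == a.src.supernet():
                out[-1] = Ace(p.acl, p.action, p.proto, p.src.supernet(), p.dst, p.port)
                continue
        out.append(a)
    return out


# Constructed sample ACL built from the chapter's two examples.
SAMPLE_ACL = [
    "access-list myacl permit tcp 10.2.1.0 255.255.255.0 any eq ftp",
    "access-list myacl permit ip 10.2.1.0 255.255.255.0 any",
    "access-list myacl permit ip 1.1.1.0 255.255.255.128 any",
    "access-list myacl permit ip 1.1.1.128 255.255.255.128 any",
]


def analyse(lines: List[str]):
    """Return (indexes of redundant entries, entries after adjacent-ACE merging)."""
    aces = [parse_ace(line) for line in lines]
    return redundant_rules(aces), [format_ace(a) for a in merge_adjacent(aces)]
```

On SAMPLE_ACL, analyse() reports entry 0 (the FTP rule) as redundant because entry 1 permits all IP for the same network, and it merges the two 1.1.1.x /25 entries into the single /24 entry shown above.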
Step 3 Save the file. The settings take effect immediately and will be applied to all subsequent deployment jobs. You can generate optimization reports for deployment jobs by selecting Capture Discovery/Deployment Debugging Snapshots to File, which is located in Tools > Security Manager Administration > Debug Options.
CHAPTER 17 Managing Firewall Inspection Rules Inspection rules configure protocol inspection on a device. Inspection opens temporary holes in your access rules to allow return traffic for connections initiated within your trusted network. When traffic is inspected, the device also implements additional controls to eliminate malformed packets based on the inspected protocols. The device commands generated for inspection rules vary based on device type. For devices running ASA, PIX 7.0+, and FWSM 3.
Understanding Inspection Rules CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when inspected traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall.
In many cases, you will configure inspection in one direction only at a single interface, which causes traffic to be permitted back into the internal network only if the traffic is part of a permissible (valid, existing) session. This is a typical configuration for protecting your internal networks from traffic that originates on the Internet. You can also configure inspection in two directions at one or more interfaces.
• Understanding Access Rule Requirements for Inspection Rules, page 17-4 • Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4 • Configuring Inspection Rules, page 17-5 Understanding Access Rule Requirements for Inspection Rules Access rules are applied before inspection rules. Therefore, you must ensure that your access rules do not prohibit traffic that you want inspected.
Inspection helps to protect against DoS attacks in other ways. Inspection looks at packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets. You can also configure inspection to drop half-open connections, which require firewall processing and memory resources to maintain.
Configuring Inspection Rules • Choosing the Interfaces for Inspection Rules, page 17-2 • Selecting Which Protocols To Inspect, page 17-3 • Understanding Access Rule Requirements for Inspection Rules, page 17-4 • Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4 • Configuring Protocols and Maps for Inspection, page 17-21 • Understanding Map Objects, page 6-72 Before You Begin You might have a set of inspection r
• Source and Destination Address and Port (PIX 7.x+, ASA, FWSM 3.x+)—Select this option for the same reason you would select Destination Address and Port for IOS devices, although you have the additional option of identifying the source of the traffic. When you click Next, you are prompted for the source and destination addresses and the service port information. Note For FWSM 2.x and PIX 6.
Inspection Rules Page Note With the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, the separate policies and objects for configuring IPv4 and IPv6 inspection rules were “unified,” meaning one set of inspection rules in which you can use either IPv4 or IPv6 addresses, or a mixture of both. (See Policy Object Changes in Security Manager 4.4, page 1-9 for additional information.
Field Reference Table 17-1 Inspection Rules Page. Expand all rows/Collapse all rows: Use these buttons to expand or collapse all sections in the rules table. Note: The buttons are located in the upper-right corner of the Filter area above the inspection rules table. Conflict Indicator icons: Identifies conflicts and provides a quick visual representation of the type of conflict.
Chapter 17 Managing Firewall Inspection Rules Inspection Rules Page Table 17-1 Inspection Rules Page (Continued) Element Description Inspected Protocol The protocol to be inspected and possibly some configuration settings for the protocol. You can right-click this cell and choose Edit Inspected Protocol to edit this; see Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, page 17-16 for more information. Time Range The time range policy object assigned to the rule.
Chapter 17 Managing Firewall Inspection Rules Inspection Rules Page • Understanding Access Rule Requirements for Inspection Rules, page 17-4 • Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4 • Configuring Inspection Rules, page 17-5 Navigation Path From the Inspection Rules Page, page 17-7, click the Add Row button or select a row and click the Edit Row button.
Chapter 17 Managing Firewall Inspection Rules Inspection Rules Page Table 17-2 Add and Edit Inspect/Application FW Rule Wizard Step 1: Traffic Match Method Element Description Default Protocol Ports Inspect traffic based on the default ports assigned to a protocol. You will select a protocol on the next page (Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, page 17-16). Limit inspection between source and destination IP addresses (PIX 7.x+, ASA, FWSM 3.
• If you select Default Protocol Ports on the first page and do select Limit inspection between source and destination IP addresses, the second page consists of the options described in the second table in this section. (The third page will consist of the options described in Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, page 17-16.)
Table 17-3 Add and Edit Inspect/Application FW Rule Wizard Step 2: Protocol and Port Page
Ports: The port(s) used by the traffic you want to inspect. Valid values range from 1 to 65535.
• Single—Specify one port number only.
• Range—Specify a range of ports, for example, 10000-11000.
When configuring custom ports, be aware that port ranges might not be supported on all platforms or OS versions.
Table 17-4 Add and Edit Inspect/Application FW Rule Wizard Step 2: Action, Sources, Destinations, and Services Page (Continued)
Sources: Provide traffic sources for this rule; can be networks, security groups, and users.
Table 17-4 Add and Edit Inspect/Application FW Rule Wizard Step 2: Action, Sources, Destinations, and Services Page (Continued)
Destinations: Provide traffic destinations for this rule; can be networks or security groups. As with Sources, you can enter values or object names, or Select objects, for one or more destinations of Network and Security Group (ASA 9.0+) type.
• Editing Rules, page 12-9
• Filtering Tables, page 1-45
Field Reference
Table 17-5 Inspected Protocol Options
Protocols table: Lists the protocols that can be inspected. You can select one protocol per rule.
Configure DNS Dialog Box
Use the Configure DNS dialog box to configure settings for DNS inspection on PIX 7.0+, ASA, FWSM, and IOS devices.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, page 17-16, select DNS in the protocols table, and click Configure.
Field Reference
Table 17-6 Configure DNS Dialog Box
Maximum DNS Packet Length: The maximum DNS packet length.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, page 17-16, select ESMTP in the protocols table, and click Configure.
Configure Fragments Dialog Box
Use the Configure Fragments dialog box to edit settings for fragment inspection on IOS devices.
Field Reference
Table 17-8 Configure IMAP or POP3 Dialog Boxes
Reset Connection on Invalid IMAP/POP3 packet: Whether to reset, or drop, the connection between the client and server if an invalid packet is encountered. The client will have to repeat the validation process to reconnect to the server.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, page 17-16, select HTTP or IM in the protocols table, and click Configure.
Configuring Protocols and Maps for Inspection
When you configure inspection rules for a device, you select the protocols that you want to inspect. Some of these protocols allow additional configuration for deep inspection.
Table 17-10 Configuring Protocols for Deep Inspection in Inspection Rules
Columns: Protocol; Device Types; Policy Map; Class Map (ASA, PIX, FWSM only); Description and Match Criteria Reference
DNS: Device Types ASA, PIX, FWSM, IOS; Policy Map DNS; Class Map DNS. Inspect traffic based on a wide variety of criteria using the class and policy map, which allow extensive control over DNS packets.
Table 17-10 Configuring Protocols for Deep Inspection in Inspection Rules (Continued)
HTTP: Device Types ASA, PIX, FWSM, IOS; Class Map HTTP (ASA, PIX, FWSM); Policy Map HTTP (ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS) or HTTP (ASA 7.2+, PIX 7.
Table 17-10 Configuring Protocols for Deep Inspection in Inspection Rules (Continued)
NetBIOS: Device Types ASA, PIX 7.x+, FWSM; Policy Map NetBIOS; Class Map (none). Inspect NetBIOS traffic to translate IP addresses in the NetBIOS name service (NBNS) packets according to the security appliance NAT configuration. You can drop packets that violate the protocol.
Table 17-10 Configuring Protocols for Deep Inspection in Inspection Rules (Continued)
ESMTP: Device Types ASA, PIX 7.x+, FWSM 3.x+, IOS; Policy Map ESMTP; Class Map (none). Inspect ESMTP traffic. For IOS, you can configure only maximum data length. For ASA, PIX, FWSM, you can inspect traffic based on a wide variety of criteria. See Configuring ESMTP Maps, page 17-34.
• Configuring Regular Expressions for Inspection Maps, page 17-86
• Configuring Regular Expression Groups, page 17-85
Configuring Class Maps for Inspection Policies
Use the Add and Edit Class Map dialog boxes to define class maps to be used in policy maps of the same type. The name of the dialog box indicates the type of map you are creating.
Table 17-11 Add or Edit Class Maps Dialog Boxes for Inspection Rules (Continued)
Match table: The Match table lists the criteria included in the class map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion and the criterion and value that is inspected.
• Configuring Protocols and Maps for Inspection, page 17-21
Field Reference
Table 17-12 Add and Edit DCE/RPC Dialog Boxes
Name: The name of the policy object. A maximum of 40 characters is allowed.
Description: A description of the policy object. A maximum of 200 characters is allowed.
Pinhole Timeout: The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00).
Navigation Path
Select Manage > Policy Objects, then select Maps > Policy Maps > Inspect > DNS from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.
Table 17-13 Add and Edit DNS Map Dialog Boxes (Continued)
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Navigation Path
Click the Filtering tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS Maps, page 17-28.
When creating a DNS policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit DNS Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring DNS Maps, page 17-28.
Table 17-16 DNS Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Value (for DNS Type criterion): The DNS type you want to inspect:
• DNS Type Field Name—Matches the name of a DNS type:
– A—IPv4 address.
– AXFR—Full (zone) transfer.
– CNAME—Canonical name.
– IXFR—Incremental (zone) transfer.
– NS—Authoritative name server.
– SOA—Start of a zone of authority.
Configuring ESMTP Maps
Use the Add and Edit ESMTP Map dialog boxes to define the match criterion and values for the ESMTP inspect map. An ESMTP policy map lets you change the default configuration values used for ESMTP inspection. ESMTP inspection detects attacks, including spam, phishing, malformed message attacks, and buffer overflow/underflow attacks.
Table 17-17 Add and Edit ESMTP Map Dialog Boxes (Continued)
Match Condition and Action Tab: The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit ESMTP Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring ESMTP Maps, page 17-34.
Table 17-18 ESMTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Value: The regular expression you want to evaluate. You can select one of the following:
• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object.
MIME Encoding
Table 17-19 Add and Edit FTP Map Dialog Boxes (Continued)
Match Condition and Action Tab: The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
Field Reference
Table 17-20 FTP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Match Type: Enables you to use an existing FTP class map or define a new FTP class map.
• Use Specified Values—You want to define the class map on this dialog box.
Class Name (Policy Map only)
Criterion
Type
Action (Policy Map only)
Table 17-20 FTP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Value (Request Commands): The FTP commands you want to inspect:
• Append (APPE)—Appends to a file.
• Delete (DELE)—Deletes a file at the server site.
• Help (HELP)—Provides help information from the server.
• Put (PUT)—FTP client command for the stor (store a file) command.
A GTP map object lets you change the default configuration values used for GTP application inspection. The GTP protocol is designed to provide security for wireless connections to TCP/IP networks such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.
Tip: GTP inspection requires a special license.
Table 17-21 Add and Edit GTP Map Dialog Boxes (Continued)
Permit Errors: Whether to permit packets with errors or different GTP versions. By default, all invalid packets or packets that failed during parsing are dropped.
Edit Timeouts button: Click this button to configure timeout values for various operations.
You cannot use the Network/Host object named “any.”
Navigation Path
From the Add and Edit GTP Map dialog boxes, click the Add button in the Permit Response table, or select a row and click the Edit button. See Configuring GTP Maps, page 17-40.
GTP Map Timeouts Dialog Box
Use the GTP Map Timeouts dialog box to set timeout values for a GTP Map.
• Configuring Protocols and Maps for Inspection, page 17-21
Field Reference
Table 17-23 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Criterion: Specifies which criterion of GTP traffic to match:
• Access Point Name—Matches the access point name so you can define the access points to drop when GTP application inspection is enabled.
Type
Action
Table 17-23 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes (Continued)
ID Type: The numeric identifier of the message that you want to act on.
• Value—A single message ID.
• Range—A range of message IDs.
Minimum Length: The minimum number of bytes in the UDP payload.
Maximum Length: The maximum number of bytes in the UDP payload.
Table 17-24 Add and Edit H.323 Map Dialog Boxes (Continued)
Description: A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
HSI Group table: The HSI groups to include in the map. The group number, IP address of the HSI host, and IP addresses and interface names of the clients connected to the security appliance are shown in the table.
Table 17-24 Add and Edit H.323 Map Dialog Boxes (Continued)
Match Condition and Action Tab: The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
Add or Edit HSI Endpoint IP Address Dialog Boxes
Use the Add or Edit HSI Endpoint IP Address dialog box to add endpoints to an HSI group.
Navigation Path
From the Add and Edit HSI Group dialog boxes, click the Add Row button in the endpoint table, or select a row and click the Edit Row button. See Configuring H.323 Maps, page 17-45.
Field Reference
Table 17-27 H.323 Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Match Type: Enables you to use an existing H.323 class map or define a new H.323 class map.
• Use Specified Values—You want to define the class map on this dialog box.
Class Name (Policy Map only)
Criterion
Type
Action (Policy Map only)
Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices
Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x, and IOS devices. The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other criteria.
Table 17-28 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
Category: The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level.
Table 17-29 HTTP Map General Tab (Continued)
Verify Content-type field belongs to the supported internal content-type list: Whether you want to configure the action to be taken for traffic whose content type does not belong to the supported internal content-type list. Possible actions are:
• Allow Packet—Allow the message.
• Drop Packet—Close the connection.
Field Reference
Table 17-30 HTTP Map Entity Length Tab
Inspect URI Length: Whether to enable inspection based on the length of the URI. If you select this option, configure the following:
• Maximum—The desired maximum length, in bytes, of the URI, from 1 to 65535.
• Excessive URI Length Action—The action to take when the length is exceeded:
– Allow Packet—Allow the message.
Table 17-30 HTTP Map Entity Length Tab (Continued)
Inspect Body Length: Whether to enable inspection based on the length of the message body. If you select this option, configure the following:
• Minimum Threshold—The desired minimum length, in bytes, of the message body, from 1 to 65535.
• Maximum Threshold—The desired maximum length, in bytes, of the message body, from 1 to 65535.
Field Reference
Table 17-31 HTTP Map RFC Request Method
Available and Selected Methods: The Available Methods list contains the request methods defined in RFC 2616.
Action: To configure an action for a method, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected method is encountered.
Field Reference
Table 17-32 HTTP Map Extension Request Method Tab
Available and Selected Methods: The Available Methods list contains the extension request methods defined in RFC 2616.
Field Reference
Table 17-33 HTTP Map Port Misuse Tab
Available and Selected Application Categories: The Available Application Categories list contains the categories for which you can define firewall inspection settings.
Field Reference
Table 17-34 HTTP Map Transfer Encoding Tab
Available and Selected Encoding Types: The Available Encoding Types list contains the types of transfer encoding for which you can define firewall inspection settings.
Table 17-35 Add and Edit HTTP Map Dialog Boxes (ASA 7.2+/PIX 7.2+) (Continued)
Description: A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Body Match Maximum: The maximum number of characters in the body of an HTTP message that should be searched in a body match. Tip: A high value can have a significant impact on performance.
• Select an HTTP class map when creating an HTTP policy map.
• Define the match criterion, value, and action directly in an HTTP policy map.
These types of maps are used only for devices running ASA 7.2 or higher or PIX 7.2 or higher. The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
• Response Header Field Count—Applies the regular expression match to the header of the response based on a specified number of header fields.
• Response Header Field Length—Applies the regular expression match to the header of the response based on a specified field length.
• Response Header Content Type—Specifies the content type to evaluate in the content-type header field of the response.
Table 17-36 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and Action Dialog Boxes (Continued)
Type: Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
Table 17-36 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and Action Dialog Boxes (Continued)
Value: The regular expression you want to evaluate. You can select one of the following:
• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object.
Table 17-36 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and Action Dialog Boxes (Continued)
Content Type: The content type to evaluate as specified in the content-type header field. You can select one of the following:
• Specified By—A predefined MIME type.
• Unknown—The MIME type is not known.
Request Method
Field Reference
Table 17-37 Add and Edit IM Map Dialog Boxes
Name: The name of the policy object. A maximum of 40 characters is allowed.
Description: A description of the policy object. A maximum of 200 characters is allowed.
Match Condition and Action Tab: The Match All table lists the criteria included in the policy map.
When creating an IM policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit IM Map dialog boxes for ASA 7.2/PIX 7.2, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices, page 17-64.
Table 17-38 IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes (Continued)
Variable Fields: The following fields vary based on what you select in the Criterion field. This list is a superset of the fields you might see.
Value: The regular expression you want to evaluate.
Field Reference
Table 17-39 Add and Edit IM Map (IOS) Dialog Boxes
Name: The name of the policy object. A maximum of 40 characters is allowed.
Description: A description of the policy object. A maximum of 200 characters is allowed.
Service Tabs: The tabs represent different IM service providers. The settings available on each tab are identical.
If you do not configure IP options inspection, the ASA device drops packets that have any options configured, with one exception. In routed mode, packets that contain the router alert option are allowed. (To disallow router alert packets, create an IP options map with router alert deselected, and configure an inspection rule to inspect IP Options using the policy map.)
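The default behaviour just described, modelled as an added example (not Cisco's code): the function parses the options field of an IPv4 header and returns the verdict an unconfigured IP Options inspection would give, with the routed-mode router alert exception. The sample headers are constructed inline and the verdict strings are this example's own.

```python
"""Added example (not Cisco's code): parse the options field of an IPv4 header
and apply the default IP Options inspection behaviour described above, where no
IP options map is configured: any option causes a drop, except that in routed
mode a packet whose only option is router alert is allowed."""
import struct

ROUTER_ALERT = 148   # option type 0x94, RFC 2113 (copied=1, class=0, number=20)
END_OF_OPTIONS = 0   # single-byte option that terminates the option list
NO_OPERATION = 1     # single-byte option with no length field


def parse_ipv4_options(header: bytes) -> list:
    """Return the option type numbers present in an IPv4 header, in order.

    Raises ValueError for a malformed header or option list; an inspection
    engine treats such packets as drops as well.
    """
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, (header[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 header")
    if ihl < 20 or len(header) < ihl:
        raise ValueError("header length field is inconsistent with the data")
    options = header[20:ihl]
    found, i = [], 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == END_OF_OPTIONS:
            break                        # the rest of the field is padding
        if opt_type == NO_OPERATION:
            found.append(opt_type)
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option has no length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option length runs past the header")
        found.append(opt_type)
        i += length
    return found


def default_ip_options_verdict(header: bytes, routed_mode: bool = True) -> str:
    """Verdict ('allow' or 'drop') when no IP options map is configured."""
    try:
        present = parse_ipv4_options(header)
    except ValueError:
        return "drop"
    if not present:
        return "allow"                   # no options at all
    if routed_mode and present == [ROUTER_ALERT]:
        return "allow"                   # the one documented exception
    return "drop"


def build_ipv4_header(options: bytes = b"") -> bytes:
    """Construct a sample IPv4 header (checksum left zero) carrying `options`."""
    while len(options) % 4:
        options += bytes([END_OF_OPTIONS])   # pad the option list to 32 bits
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl_words, 0, ihl_words * 4, 0, 0, 64, 17, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options


if __name__ == "__main__":
    # constructed samples: router alert is type 0x94 length 4; record route is type 7
    samples = {
        "no options": build_ipv4_header(),
        "router alert": build_ipv4_header(b"\x94\x04\x00\x00"),
        "record route": build_ipv4_header(b"\x07\x07\x04" + b"\x00" * 4),
        "bad length": build_ipv4_header(b"\x94\x09\x00\x00"),
    }
    for label, hdr in samples.items():
        print(f"{label:13s} routed={default_ip_options_verdict(hdr)} "
              f"transparent={default_ip_options_verdict(hdr, routed_mode=False)}")
```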
Table 17-40 Add and Edit IP Options Map Dialog Boxes (Continued)
Category: The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level.
Field Reference
Table 17-41 Add and Edit IPv6 Map Dialog Boxes
Name: The name of the policy object. A maximum of 40 characters is allowed.
Description: A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Permit only known Extension: Whether the ASA should verify the IPv6 extension header.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit IPv6 Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring IPv6 Maps, page 17-70.
Field Reference
Table 17-42 IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Criterion: Choose the type of IPv6 Extension Header to match:
• Authentication Header (AH)—Provides integrity and data-origin authentication for IP packets.
• Destination Options Header—Used for IPv6 Mobility, as well as in support of certain applications.
Table 17-42 IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes (Continued)
Action: Choose the action you want the device to take for traffic that matches the defined criteria:
• Drop Packet—Matching packets are dropped without notification.
• Drop Packet and Log—Matching packets are logged and then dropped.
• Log—Matching packets are logged and processing continues.
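How the criterion and action rows of Table 17-42 combine on a real packet, as an added example (not Cisco's code): the function walks the IPv6 extension-header chain and applies a policy that pairs a header criterion with one of the three actions above. The page lists AH and the Destination Options header; the other names are this example's own labels for the standard extension header types, and the packets and policy are constructed.

```python
"""Added example (not Cisco's code): walk an IPv6 extension-header chain and
apply an IPv6-map style policy, {header name: action}, with the three actions
from Table 17-42. Packets are constructed with build_ipv6_packet()."""
import struct

EXT_HEADERS = {
    0: "Hop-by-Hop Options Header",
    43: "Routing Header",
    44: "Fragment Header",
    50: "Encapsulating Security Payload (ESP)",
    51: "Authentication Header (AH)",
    60: "Destination Options Header",
}
ACTIONS = ("Drop Packet", "Drop Packet and Log", "Log")


def walk_extension_headers(packet: bytes) -> list:
    """Return the extension headers of an IPv6 packet in chain order.

    ESP ends the walk because everything after it is encrypted. A header
    that runs past the end of the packet raises ValueError."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in EXT_HEADERS:
        found.append(EXT_HEADERS[next_header])
        if next_header == 50:
            break
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        hdr_next, hdr_len = packet[offset], packet[offset + 1]
        if next_header == 44:            # Fragment header: fixed 8 octets
            size = 8
        elif next_header == 51:          # AH: length in 4-octet units, minus 2
            size = (hdr_len + 2) * 4
        else:                            # HBH/Routing/DestOpts: 8-octet units, minus 1
            size = (hdr_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("extension header runs past packet end")
        next_header, offset = hdr_next, offset + size
    return found


def apply_ipv6_map(packet: bytes, policy: dict) -> tuple:
    """Apply {header name: action} to a packet; returns (verdict, log lines)."""
    try:
        headers = walk_extension_headers(packet)
    except ValueError as exc:
        return "drop", [f"malformed packet: {exc}"]
    verdict, log = "allow", []
    for name in headers:
        action = policy.get(name)
        if action is None:
            continue
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action != "Drop Packet":      # the two logging actions record the match
            log.append(f"{name}: {action}")
        if action.startswith("Drop"):
            verdict = "drop"             # a drop wins over any Log-only match
    return verdict, log


def build_ipv6_packet(chain: list, upper: int = 6) -> bytes:
    """Construct a minimal IPv6 packet whose extension headers follow `chain`."""
    body = b""
    for i, hdr in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else upper
        if hdr == 44:
            body += bytes([nxt, 0, 0, 0]) + b"\x00\x00\x00\x01"       # fragment id 1
        elif hdr == 51:
            body += bytes([nxt, 1, 0, 0]) + b"\x00\x00\x00\x01" * 2   # AH, 12 octets
        elif hdr == 50:
            body += b"\x00\x00\x00\x01" * 2                           # ESP SPI + seq
        elif hdr == 43:
            body += bytes([nxt, 0, 0, 0]) + b"\x00" * 4               # routing type 0
        else:
            body += bytes([nxt, 0, 1, 4]) + b"\x00" * 4               # PadN option
    first = chain[0] if chain else upper
    src = bytes.fromhex("20010db8" + "0" * 24)                        # 2001:db8::
    dst = bytes.fromhex("20010db8" + "0" * 23 + "1")                  # 2001:db8::1
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), first, 64, src, dst) + body


if __name__ == "__main__":
    policy = {"Authentication Header (AH)": "Drop Packet and Log",
              "Destination Options Header": "Log",
              "Fragment Header": "Drop Packet"}
    for chain in ([], [0, 60, 51], [44, 50], [60]):
        print(chain, apply_ipv6_map(build_ipv6_packet(chain), policy))
```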
Table 17-43 Add and Edit IPsec Pass Through Map Dialog Boxes (Continued)
Allow ESP: Whether to allow ESP traffic. If you select this option, you can configure the maximum number of ESP tunnels that each client can have and the amount of time that an ESP tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).
Table 17-44 Add or Edit NetBIOS Map Dialog Boxes (Continued)
Check for Protocol Violation: Whether to check for NetBIOS protocol violations. If you select this option, select the action you want to take when violations occur.
Action
Category: The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.
Table 17-45 ScanSafe Add Match Condition and Action Dialog Box (Continued)
Parameters
Category: Allows you to select Cat-A through Cat-G. This is the category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.
Field Reference
Table 17-46 Add and Edit SIP Map Dialog Box
Name: The name of the policy object. A maximum of 40 characters is allowed.
Description: A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Enable SIP Instant Messaging Extensions: Whether to enable Instant Messaging extensions.
Table 17-46 Add and Edit SIP Map Dialog Box (Continued)
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Table 17-47 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Criterion: Specifies which criterion of SIP traffic to match.
• Called Party—Matches the called party as specified in the To header.
• Calling Party—Matches the calling party as specified in the From header.
• Content Length—Matches the Content Length header.
Type
Action (Policy Map only)
Table 17-47 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Content Type: The content type to evaluate as specified in the content-type header field. You can select one of the following:
• SDP—Matches an SDP SIP content header type.
Resource Method
Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323 compliant terminals. Application layer functions in the security appliance recognize SCCP version 3.3. There are 5 versions of the SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2.
Table 17-48 Add and Edit Skinny Map Dialog Boxes (Continued)
Match Condition and Action Tab: The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
Table 17-49 Skinny Policy Maps Add and Edit Match Condition and Action Dialog Boxes
ID Type: The hexadecimal value for the message ID to inspect:
• Value—Matches a single hexadecimal value.
• Range—Matches a range of values.
Action: The action you want the device to take for traffic that matches the defined criteria.
Table 17-50 Add and Edit SNMP Map Dialog Boxes (Continued)
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Table 17-51 Add and Edit Regular Expression Class Map Dialog Boxes (Continued)
Element / Description
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Table 17-52 Add and Edit Regular Expression Dialog Boxes (Continued)
Element / Description
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Table 17-53 Metacharacters Used to Build Regular Expressions (Continued)
Character / Description / Notes
Minimum repeat quantifier: Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc.
[abc] Character class: Matches any character in the brackets. For example, [abc] matches a, b, or c.
Configuring Settings for Inspection Rules for IOS Devices

• (Policy view) Select Firewall > Settings > Inspection from the Policy Type selector. Create a new policy or select an existing one.
• (Map view) Right-click a device and select Edit Firewall Settings > Inspection.
The following table explains the available inspection settings.
Table 17-54 Inspection Page (Continued)
Element / Description
Thresholds per Host
Max Sessions Per Host: The number of half-open TCP sessions with the same host destination address that can exist at a time before the software starts deleting half-open sessions to the host. Possible values are 1-4294967295. The default is 50.
Related Topics
• Understanding Inspection Rules, page 17-1
• Configuring Inspection Rules, page 17-5
• Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4
Chapter 18 Managing Firewall Web Filter Rules

Web filter rules policies define policies for allowing or preventing web traffic based on the requested URL or the applet content of the traffic. For ASA, PIX, and FWSM devices, you can also filter FTP and HTTPS traffic. How you configure web filter rules is different depending on whether the device uses ASA, PIX or FWSM software as opposed to Cisco IOS Software.
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices

Besides filtering requests based on URL, you can do some applet filtering, stripping out ActiveX or Java applets. You might want to do this to prevent applet downloads from sites you otherwise want to allow if you do not fully trust the site. You can configure your rules to block these applets from specific sites while allowing them from trusted sites.
Tip: If you do not select a row, the new rule is added at the end of the local scope. You can also select an existing row and edit either the entire row or specific cells. For more information, see Editing Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide.
Tip: Rules cannot overlap. For example, if you create two rules with the same, or overlapping, source, destination, and service, you cannot deploy them. Also, you should order any filter-except rules below the filter rule to which they are creating an exemption.
Table 18-1 Web Filter Rules Page (ASA, PIX, FWSM) (Continued)
Element / Description
Options: Additional configuration options for the selected protocol, if any. For detailed descriptions, see Edit Web Filter Options Dialog Box, page 18-9.
Category: The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.
• Configuring Settings for Web Filter Servers, page 18-15
Field Reference
Table 18-2 Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes
Element / Description
Enable Rule: Whether to enable the rule, which means the rule becomes active when you deploy the configuration to the device. Disabled rules are shown overlain with hash marks in the rule table.
Table 18-2 Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes (Continued)
Element / Description
Sources, Destinations: The source or destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types to define the source or destination of the traffic.
Table 18-2 Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes (Continued)
Element / Description
Long URL: How to handle URLs that are longer than the maximum allowed by the filtering server: 4 KB for Websense, 3 KB for Smartfilter (N2H2). Many times, long URLs are due to parameter lists, and you can use the Truncate CGI request by removing CGI parameters option to handle those URLs.
Table 18-3 Edit Web Filter Type Dialog Box (Continued)
Element / Description
Type: The type of traffic that should be filtered (or exempted from filtering) for this rule. For filtering that uses an external server, consult the documentation for your version of the server to determine if it supports that type of filtering. Configure the filtering server on the Web Filter Settings Page, page 18-16.
Table 18-4 Edit Web Filter Options Dialog Box (Continued)
Element / Description
Block connection to HTTP Proxy Server: Whether to prevent users from connecting to an HTTP proxy server.
Configuring Web Filter Rules for IOS Devices

Step 1 Do one of the following to open the Web Filter Rules Page (IOS), page 18-11:
• Device view—Select Firewall > Web Filter Rules from the Policy selector.
• Policy view—Select Firewall > Web Filter Rules (IOS) from the Policy Type selector. Select an existing policy or create a new one.
Step 2 Configure the interfaces on which you will filter HTTP traffic.
When you configure web filter rules, also configure web filter settings in the Firewall > Settings > Web Filter policy. The settings identify the web filtering server and contain other settings that control the overall functioning of the policy. For example, you can use the settings policy to allow all web traffic if the filtering server becomes unavailable.
Table 18-5 Web Filter Rules Page (IOS) (Continued)
Element / Description
Exclusive Domains tab: The local web filter list. This list is checked before web requests are sent to the filtering server and applies to all interfaces on which you configure web filtering. If you know there are specific domains that you will always allow (such as your organization’s own domain name), or disallow, you can list them here.
Table 18-6 IOS Web Filter Rule and Applet Scanner Dialog Box (Continued)
Element / Description
Java Applet Scanning: If you select Enable Java Applet Scanning, the device checks for the presence of Java applets in HTTP traffic coming from web servers to internal hosts.
Field Reference
Table 18-7 IOS Web Filter Exclusive Domain Name Dialog Box
Element / Description
Traffic: Whether you want to permit access to the listed web sites or deny access to them.
Domain Name: The domain names or host IP addresses of web sites that you are permitting or denying. Separate multiple entries with commas. For domain names, you can enter a full or partial name. For example, cisco.
Configuring Settings for Web Filter Servers

• IOS devices—The most interesting setting is Allow Traffic when Servers Unreachable, which determines whether you allow any web connections if the filtering servers are unavailable. If you do not select this option, all web traffic is cut off if the servers go offline for any reason. The remaining settings configure logging and cache size options.
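The decision path this chapter describes (local exclusive-domain list first, then the external server with the Long URL and Truncate CGI handling, and the Allow Traffic when Servers Unreachable setting) as an added Python model; this is illustration code, not Security Manager, ASA or IOS code. The partial-name suffix matching, the server stand-in and the deny for a URL that is still too long after truncation are assumptions of the model.

```python
"""Model of the web filter decision path described in this chapter.
Added illustration, not Security Manager, ASA or IOS code; assumptions
are marked in comments."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

# Longest URL the filtering server accepts: 4 KB for Websense, 3 KB for
# Smartfilter (N2H2), as stated for the Long URL option.
MAX_URL_LEN = {"websense": 4 * 1024, "n2h2": 3 * 1024}


@dataclass
class WebFilterSettings:
    server_type: str = "websense"
    allow_when_unreachable: bool = False   # "Allow Traffic when Servers Unreachable"
    truncate_cgi: bool = True              # "Truncate CGI request by removing CGI parameters"
    # Exclusive domains: (name, permit) pairs checked before any server request.
    exclusive_domains: list = field(default_factory=list)


def local_list_verdict(host: str, entries) -> Optional[bool]:
    """Exclusive-domain lookup. A partial name covers the host and its
    subdomains (assumption: 'cisco.com' covers 'www.cisco.com')."""
    for name, permit in entries:
        name = name.lstrip(".")
        if host == name or host.endswith("." + name):
            return permit
    return None


def filter_request(url: str, settings: WebFilterSettings,
                   server_lookup: Optional[Callable[[str], str]]):
    """Returns (verdict, stage, url_sent_to_server). server_lookup is None
    when every configured filtering server is unreachable."""
    parts = urlsplit(url)
    local = local_list_verdict(parts.hostname or "", settings.exclusive_domains)
    if local is not None:
        # The local list is consulted before anything is sent to the server.
        return ("permit" if local else "deny"), "local-list", None
    if server_lookup is None:
        # Fail open only when explicitly configured; otherwise web traffic is cut off.
        return ("permit" if settings.allow_when_unreachable else "deny"), "server-unreachable", None
    limit = MAX_URL_LEN[settings.server_type]
    query_url = url
    if len(query_url.encode()) > limit and settings.truncate_cgi:
        # Long URLs are usually parameter lists: drop the CGI query and fragment.
        query_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if len(query_url.encode()) > limit:
        return "deny", "url-too-long", None   # assumed handling for a URL that cannot be shortened
    return server_lookup(query_url), "server", query_url


def sample_server(url: str) -> str:
    """Constructed stand-in for a Websense/N2H2 lookup (not a real client)."""
    return "deny" if "casino" in url else "permit"


# Constructed sample settings: always allow the organization's own domain,
# always deny one named site, ask the server about everything else.
SAMPLE_SETTINGS = WebFilterSettings(
    exclusive_domains=[("cisco.com", True), ("blocked.example", False)])
```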
Field Reference
Table 18-8 Web Filter Page
Element / Description
Web Filter Server Type: The type of web filter server you are using:
• None—You are not using web filter servers.
• Websense—You use Websense servers.
• Secure Computing SmartFilter/N2H2—You use Smartfilter servers. If you select this option, you can specify the server port to use for communication in the Port field.
Table 18-8 Web Filter Page (Continued)
Element / Description
Maximum Requests: The maximum number of outstanding requests that can exist at any given time. If the specified number is exceeded, new requests are dropped. The default is 1000.
Packet Buffer: The maximum number of HTTP responses that can be stored in the packet buffer of the device while it waits for the web filter server to allow or deny the request.
Web Filter Server Configuration Dialog Box
Use the Web Filter Server Configuration dialog box to configure the external web filter servers you want to use with your Web Filter Rules policies. You can configure Websense or Smartfilter (N2H2) servers.
Navigation Path
From the Web Filter Settings Page, page 18-16, click Add Row beneath the Web Filter Servers table, or select a row and click Edit Row.
Chapter 19 Managing Firewall Botnet Traffic Filter Rules

Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address.
Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and graylist generate syslog messages differentiated by type.
Botnet Traffic Filter Databases
The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together, or you can disable use of the dynamic database and use the static database alone.
Task Flow for Configuring the Botnet Traffic Filter

Step 1 Enable use of a DNS server. This procedure enables security appliance use of a DNS server. In multiple context mode, enable DNS per context. For more information, see DNS Page, page 51-13.
Step 2 Enable use of the dynamic database. This procedure enables database updates from the Cisco update server, and also enables use of the downloaded dynamic database by the security appliance.
Configuring the Dynamic Database
This procedure enables database updates, and also enables use of the downloaded dynamic database by the security appliance. In multiple context mode, you enable downloading of the dynamic database on the System context so that it is available to all security contexts. You can then decide, on a per-context basis, whether to enable use of the dynamic database or not.
Step 4 On the Dynamic Blacklist Configuration tab, select Use Dynamic Blacklist to enable use of the dynamic database.
Note: In multiple context mode, these settings are disabled on the System context.
Adding Entries to the Static Database
The static database lets you augment the dynamic database with domain names, IP addresses, or network addresses that you want to blacklist or whitelist.
Step 4 Click OK.
Enabling DNS Snooping
This procedure enables inspection of DNS packets and enables Botnet Traffic Filter snooping, which compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache.
Botnet Traffic Filter can also drop the connection when matching traffic is encountered. For a particular interface, you can specify only one enable rule that identifies the traffic that is subject to Botnet Traffic Filtering; however, you can specify multiple drop rules to identify traffic that should be dropped by the Botnet Traffic Filter.
Note: For devices in multiple context mode, you configure traffic classification on the security context.
This opens the Botnet Traffic Filter Rules Page, page 19-9.
Step 2 To enable the Botnet Traffic Filter on specified traffic, follow these steps:
a. On the Traffic Classification tab, click Add Row under the Enable Rules table. This opens the BTF Enable Rules Editor, page 19-12.
b.
d. To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects, page 6-49.
Botnet Traffic Filter Rules Page

Related Topics
• Understanding Botnet Traffic Filtering, page 19-1
• Task Flow for Configuring the Botnet Traffic Filter, page 19-2
• Dynamic Blacklist Configuration Tab, page 19-10
• Traffic Classification Tab, page 19-11
• BTF Enable Rules Editor, page 19-12
• BTF Drop Rules Editor, page 19-13
• Whitelist/Blacklist Tab, page 19-14
• Device Whitelist or Device Blacklist Dialog Box, page 19-15
• Con
Table 19-1 Dynamic Blacklist Configuration Tab (Continued)
Element / Description
Use Dynamic Blacklist: Enables use of the dynamic database for the Botnet Traffic Filter.
Note: In multiple context mode, you configure use of the database on a per-context basis.
Treat Ambiguous traffic as Blacklist: When selected, graylisted traffic will be treated as blacklisted traffic for action purposes.
• Task Flow for Configuring the Botnet Traffic Filter, page 19-2
• Botnet Traffic Filter Rules Page, page 19-9
• Dynamic Blacklist Configuration Tab, page 19-10
• Whitelist/Blacklist Tab, page 19-14
• Device Whitelist or Device Blacklist Dialog Box, page 19-15
• Configure DNS Dialog Box, page 17-18
BTF Enable Rules Editor
Use the BTF Enable Rules Editor to specify the interfaces on which you want to enab
Table 19-2 BTF Enable Rules Editor (Continued)
Element / Description
ACL: Specifies the access-list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic.
Field Reference
Table 19-3 BTF Drop Rules Editor
Element / Description
Interfaces: The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.
The Device Whitelist contains domain names or IP addresses of sites that are deemed to be acceptable. If the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Static whitelist entries take precedence over entries in the static blacklist and the Cisco dynamic database.
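The lookup order this chapter describes (DNS snooping fills a reverse-lookup cache, the static whitelist wins over the static blacklist and the dynamic database, unlisted addresses produce no syslog, and a drop rule acts only on blacklisted traffic, or on graylisted traffic when Treat Ambiguous traffic as Blacklist is set) as an added Python model; this is illustration code, not ASA or Security Manager code. The parent-domain matching, the recording of every resolved name so that ambiguous addresses can be recognised, and the syslog labels are assumptions of the model.

```python
"""Model of the Botnet Traffic Filter lookup order described in this chapter.
Added illustration, not ASA or Security Manager code; assumptions are marked."""
from dataclasses import dataclass, field


@dataclass
class BotnetFilterState:
    dynamic_blacklist: set = field(default_factory=set)   # downloaded Cisco dynamic database
    static_blacklist: set = field(default_factory=set)    # Device Blacklist (static database)
    static_whitelist: set = field(default_factory=set)    # Device Whitelist (static database)
    treat_ambiguous_as_blacklist: bool = False            # "Treat Ambiguous traffic as Blacklist"
    dns_cache: dict = field(default_factory=dict)         # ip -> set of names from DNS replies


def _listed(name: str, entries: set) -> bool:
    """Exact or parent-domain match: 'c2.example' also covers 'x.c2.example'
    (model assumption)."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def snoop_dns_reply(state: BotnetFilterState, name: str, addresses) -> None:
    """DNS snooping: record the resolved name with its addresses in the
    reverse-lookup cache. The model records every resolved name (assumption)
    so that an address shared by listed and unlisted names can be seen as
    ambiguous."""
    for ip in addresses:
        state.dns_cache.setdefault(ip, set()).add(name)


def classify(state: BotnetFilterState, dst_ip: str) -> str:
    names = state.dns_cache.get(dst_ip, set())
    if not names:
        return "unlisted"
    # Static whitelist takes precedence over the static blacklist and the dynamic database.
    if any(_listed(n, state.static_whitelist) for n in names):
        return "whitelist"
    black = [n for n in names
             if _listed(n, state.static_blacklist) or _listed(n, state.dynamic_blacklist)]
    if not black:
        return "unlisted"
    if len(black) < len(names):
        return "graylist"    # ambiguous: the address also serves unlisted names (assumption)
    return "blacklist"


def decide(state: BotnetFilterState, dst_ip: str, drop_rule_matches: bool):
    """Returns (category, action, syslog_type). Unlisted traffic produces no syslog;
    an enable rule alone only monitors, a drop rule drops blacklisted traffic."""
    category = classify(state, dst_ip)
    if category == "unlisted":
        return category, "forward", None
    effective = category
    if category == "graylist" and state.treat_ambiguous_as_blacklist:
        effective = "blacklist"
    action = "drop" if (effective == "blacklist" and drop_rule_matches) else "forward"
    return category, action, f"botnet-{category}"   # syslog label is a constructed name


def build_sample_state() -> BotnetFilterState:
    """Constructed sample data: documentation-range addresses and example names."""
    state = BotnetFilterState(
        dynamic_blacklist={"c2.example", "mail.partner.example"},
        static_blacklist={"bad.example"},
        static_whitelist={"mail.partner.example"})   # operator overrides the dynamic entry
    snoop_dns_reply(state, "c2.example", ["198.51.100.10"])
    snoop_dns_reply(state, "mail.partner.example", ["203.0.113.5"])
    snoop_dns_reply(state, "bad.example", ["192.0.2.9"])
    snoop_dns_reply(state, "cdn.shared.example", ["192.0.2.9"])   # same address, unlisted name
    snoop_dns_reply(state, "www.good.example", ["192.0.2.20"])
    return state
```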
• Understanding Botnet Traffic Filtering, page 19-1
• Task Flow for Configuring the Botnet Traffic Filter, page 19-2
• Botnet Traffic Filter Rules Page, page 19-9
• Dynamic Blacklist Configuration Tab, page 19-10
• Traffic Classification Tab, page 19-11
• BTF Enable Rules Editor, page 19-12
• BTF Drop Rules Editor, page 19-13
• Whitelist/Blacklist Tab, page 19-14
• Configure DNS Dialog Box, page 17-
Chapter 20 Working with ScanSafe Web Security

Security Manager provides integration with ScanSafe Web Security. ScanSafe Web Security is a cloud-based SaaS (Security as a Service) function that makes available its web security data centers at various locations worldwide. When ScanSafe Web Security is integrated with a router, selected HTTP and HTTPS traffic is redirected to ScanSafe Cloud for content scanning and for malware detection by other means.
Security Manager does not support the following features:
• PAM configuration when inspect or ZBF rules for http/https are not present
• Auth-proxy using LDAP on older IOS versions. (That is, only IOS versions that support ScanSafe Web Security)
• Identity policy with auth-proxy as AAA method. (Support only for NTLM and http-basic.
Configuring ScanSafe Web Security

To configure ScanSafe Web Security, perform the following steps:
Step 1 From the Policy Types selector, select Firewall > ScanSafe Web Security. The ScanSafe Web Security page appears with the Interfaces tab selected.
Step 19 Specify the Session Idle Timeout period in seconds (default 300).
Step 20 Specify the source address by doing one of the following:
• Click the IP Address button and then enter the IP address.
• Click the Interface button, and then click the Select button and browse the Interface Selector to select an interface.
Step 21 Enter the License and select the checkbox if it is encrypted.
ScanSafe Web Security Page

Related Topics
• Chapter 20, “Working with ScanSafe Web Security”
• Configuring ScanSafe Web Security, page 20-2
• ScanSafe Web Security Settings Page, page 20-6
• Add and Edit Default User Groups Dialog Box, page 20-6
• AAA Rules Page, page 15-10
Field Reference
Element / Description
Interfaces Tab
Filter: Details on using filters in Security Manager are found at Filtering Tables, page 1-45.
Element / Description
Selected ACLs: When configured, only regular expressions that are in the Selected Regular Expressions list are sent to ScanSafe Cloud.
User Groups Tab
Default User: A global name that is sent to the ScanSafe Web Security server when there is no content-scan-session specific user name. Use it when you want the same content scan policy for all users in a branch office (for example).
ScanSafe Web Security Settings Page

• Add and Edit Default User Groups Dialog Box, page 20-6
• AAA Rules Page, page 15-10
Navigation Path
(Policy view) Select Firewall and open Settings from the Policy Type selector. Then click ScanSafe Web Security to open the ScanSafe Web Security Settings Page.
(Device view) Select Firewall and open Settings from the Policy Type selector. Then click ScanSafe Web Security to open the ScanSafe Web Security Settings Page.
Chapter 21 Managing Zone-based Firewall Rules

The Zone-based Firewall feature (also known as Zone-based Policy Firewall) allows unidirectional application of IOS firewall policies between groups of interfaces known as “zones.” That is, interfaces are assigned to zones, and firewall rules are applied to specific types of traffic moving in one direction between the zones.
Figure 21-1 Basic Security Zone Topology (zones shown: Private, DMZ, Internet)
This example configuration typically would have three main policies (sets of rules) defining:
• Private zone connectivity to the Internet
• Private zone connectivity to DMZ hosts
• Internet zone connectivity to DMZ hosts
Zone-based firewalls impose a prohibitive default security posture.
• Zone-based Firewall Rules Page, page 21-57
Understanding the Zone-based Firewall Rules
Zones establish the security borders of your network. A zone defines a boundary where traffic is subjected to inspection or filtering as it crosses to another region of your network. The default zone-based firewall policy between zones is “deny all.”
• Interfaces that have not been assigned to a zone can still function as classical router ports and might still have other types of firewall rules configured on them.
• Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules, page 21-10
• General Recommendations for Zone-based Firewall Rules, page 21-11
• Developing and Applying Zone-based Firewall Rules, page 21-12
The Self Zone
The router itself is defined as a separate security zone, with the fixed name Self, and since IOS firewalls support examination of traffic (TCP, UDP and H.
interfaces in that security zone. Connections can be isolated in a VPN DMZ if connectivity must be limited by a specific policy. Or, if VPN connectivity is implicitly trusted, VPN connections can be placed in the same security zone as the trusted inside network.
In this illustration:
• The interface providing common services is a member of the zone “common.”
• All of VRF A is in a single zone, “vrf_A.”
• VRF B, which has multiple interfaces, is partitioned into two zones “vrf_B_1” and “vrf_B_2.”
• Zone Z1 does not have VRF interfaces.
might be applied to traffic that matches your Deny rule. (To preview the configuration, save your changes and select Tools > Preview Configuration. For more information, see Previewing Configurations, page 8-45.)
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules

Table 21-1 Relationship Between Permit/Deny and Action in Zone-based Rules (Continued)
Columns: Permit/Deny, Service, Rule Action, Protocol, Result
Deny, Rule Action Pass, Protocol DNS: Skip the rule for DNS traffic and evaluate the next class map. Either a subsequent class map with a Permit rule is applied, or the class default rule is applied.
Deny, Rule Action Pass, Protocol TCP: The Pass action is ignored.
Table 21-1 Relationship Between Permit/Deny and Action in Zone-based Rules (Continued)
Columns: Permit/Deny, Service, Rule Action, Protocol, Result
Permit, Rule Action Content Filter, Protocol HTTP: Allow and inspect HTTP traffic, and apply URL filtering maps to selectively permit or deny Web connections based on the Web sites requested.
General Recommendations for Zone-based Firewall Rules

In general, you can leave the default entry (IP) in the Services field for all of your zone-based firewall rules, using the Protocol table to identify specific protocols that you want to Drop, Pass, or Inspect. If you do elect to specify a Service other than IP, ensure that your selection does not conflict with any protocols listed in the Protocol table.
Developing and Applying Zone-based Firewall Rules

• Use sections to organize the rules for each zone pair. Sections make it easy for you to see all of the rules for a pair, which can be critical if your rules have sequential dependencies. For more information on working with sections, see Using Sections to Organize Rules Tables, page 12-20.
Adding Zone-Based Firewall Rules

• Moving Rules and the Importance of Rule Order, page 12-19
Step 1 Access the Zone-based Firewall Rules Page, page 21-57 as follows:
• (Device view) Select an IOS router and then select Firewall > Zone Based Firewall Rules from the Policy selector.
• (Policy view) Select Firewall > Zone Based Firewall Rules from the Policy Type selector. Select an existing policy or create a new one.
• Drop – Matching traffic is silently dropped; no notification of the drop is sent to the originating host.
• Drop and Log – Matching traffic is dropped and a syslog message generated; no notification of the drop is sent to the originating host.
• Pass – Traffic is forwarded. This action is unidirectional; Pass allows traffic in only the specified direction.
c. When the chosen Action is Content Filter, configure the URL filtering:
1. Click Configure next to the Protocol field to customize the HTTP PAM settings, and to apply an HTTP deep-inspection policy map. See the Configure Protocol Dialog Box, page 21-65 for more information.
2.
Configuring Inspection Maps for Zone-based Firewall Policies

Table 21-2 Policy Objects for Zone-based Firewall Inspection Rules
Columns: Protocol | Minimum IOS Software Version | Policy Map | Class Map | Parameter Map | Description and Match Criteria Reference
Instant Messaging: AOL, ICQ, MSN Messenger, Windows Messenger, Yahoo Messenger | 12.4(9)T | IM (Zone based IOS) | AOL | Protocol Info | Inspect traffic based on the type of service (text-chat or any other).
Table 21-2 Policy Objects for Zone-based Firewall Inspection Rules (Continued)
Columns: Protocol | Minimum IOS Software Version | Policy Map | Class Map | Parameter Map | Description and Match Criteria Reference
SMTP (Simple Mail Transfer Protocol) | 12.4(6)T | SMTP | SMTP | None | Inspect traffic based on data length. See SMTP Class Maps Add or Edit Match Criterion Dialog Boxes, page 21-25.
Stun-ice | 12.
– Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes, page 21-28
– Local Web Filter Class Add or Edit Match Criterion Dialog Boxes, page 21-28
– N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes, page 21-29
• For 12.
Table 21-3 Add or Edit Class Maps Dialog Boxes for Zone-Based Firewall Policies (Continued)
Element / Description
Match table: The Match table lists the criteria included in the class map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion and the criterion and value that is inspected.
Zone-based Firewall IM Application Class Maps: Add or Edit Match Condition Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the various instant messenger (IM) application classes used with zone-based firewall policies to define a match criterion and value for the class map.
Table 21-4 Zone-based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog Boxes (Continued)
Element / Description
File Name: The name of the file associated with the traffic. You can use regular expressions to specify a name pattern. For information on the metacharacters you can use to build regular expressions, see Metacharacters Used to Build Regular Expressions, page 17-87.
Navigation Path
From the Add or Edit Class Maps dialog boxes for the HTTP (IOS) class, right-click inside the table and select Add Row or right-click a row and select Edit Row. See Configuring Class Maps for Zone-Based Firewall Policies, page 21-17.
Table 21-5 HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes (Continued)
Element / Description
Encoding Type: If you select transfer encoding in the Header Option field, you can select these types:
• All—All of the transfer encoding types.
• Chunked—The message body is transferred as a series of chunks; each chunk contains its own size indicator.
Related Topics
• Understanding Map Objects, page 6-72
• Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15
• Understanding the Zone-based Firewall Rules, page 21-3
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the SIP (IOS) class used with zone-based firewall policies to define a match criterion and value for
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Table 21-6 SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes (Continued) Element Description Method The request method you want to inspect: • ack—Acknowledges that the previous message is valid and accepted. • bye—Signifies the intention to terminate a call. • cancel—Terminates any pending request.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies • Body Regular Expression—Applies a regular expression to match the content types and content encoding types for text and HTML in the body of an e-mail message. Only text or HTML that uses 7-bit or 8-bit encoding is checked. The regular expression cannot be scanned in messages that use another encoding type (such as base64 or zip files).
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Field Reference Table 21-7 SMTP Class Add or Edit Match Criterion Dialog Boxes Element Description Criterion Specifies which criterion of SMTP traffic to match. The criteria are described above. Type Specifies that the map includes traffic that matches the criterion. Variable Fields The following fields vary based on what you select in the Criterion field.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes Use the Add or Edit Match Criterion dialog boxes for the Sun Remote Procedure Call (RPC) classes used with zone-based firewall policies to define a match criterion and value for the class map. You can enter the RPC protocol number that you want to match. See the Sun RPC documentation for information about protocol numbers.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Table 21-8 Local Web Filter Class Add or Edit Match Criterion Dialog Boxes (Continued) Element Description URLF Glob Parameter Map The URLF Glob parameter map object that defines the URL patterns that you want to match. Ensure that the object you select has the appropriate content for the type of matching you selected. Enter the name of the object.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Field Reference Table 21-9 Add or Edit Inspect Parameter Map Dialog Boxes Element Description Name The name of the policy object. A maximum of 40 characters is allowed. Description A description of the policy object. A maximum of 200 characters is allowed. DNS Timeout The length of time, in seconds, for which a DNS lookup session is managed while there is no activity.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Table 21-9 Add or Edit Inspect Parameter Map Dialog Boxes (Continued) Element Description TCP Max Incomplete Hosts The threshold and blocking time (in minutes) for TCP host-specific denial-of-service (DoS) detection and prevention.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Table 21-9 Add or Edit Inspect Parameter Map Dialog Boxes (Continued) Element Description Allow Value Override per Device Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Table 21-10 Add or Edit Protocol Info Parameter Map Dialog Boxes (Continued) Element Description Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12. Allow Value Override per Device Whether to allow the object definition to be changed at the device level.
Chapter 21 Managing Zone-based Firewall Rules Configuring Inspection Maps for Zone-based Firewall Policies Related Topics • Understanding Map Objects, page 6-72 • Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15 • Configuring Content Filtering Maps for Zone-based Firewall Policies, page 21-35 • Understanding the Zone-based Firewall Rules, page 21-3 Field Reference Table 21-11 Add or Edit Policy Maps Dialog Boxes for Zone-Based Firewall Policies Element Description Name
Chapter 21 Managing Zone-based Firewall Rules Configuring Content Filtering Maps for Zone-based Firewall Policies
Related Topics
• Understanding Map Objects, page 6-72
• Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15
• Configuring Content Filtering Maps for Zone-based Firewall Policies, page 21-35
• Understanding the Zone-based Firewall Rules, page 21-3
Field Reference
Table 21-12 Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall Policies
Eleme
• For devices running releases below 12.4(20)T, you must create a URL Filter parameter map. In the Policy Object Manager, select Maps > Parameter Maps > Web Filter > URL Filter, and review the detailed usage information in Configuring URL Filter Parameter Maps, page 21-42.
Class Maps for Zone-Based Firewall Policies, page 21-17, Local Web Filter Class Add or Edit Match Criterion Dialog Boxes, page 21-28, and Configuring URLF Glob Parameter Maps, page 21-44.
SmartFilter (N2H2) or Websense Filtering—The class maps for N2H2 and Websense define any server response as the matching criterion.
• Configuring Content Filtering Maps for Zone-based Firewall Policies, page 21-35
• Understanding the Zone-based Firewall Rules, page 21-3
Field Reference
Table 21-13 Add or Edit Local Web Filter Parameter Map Dialog Boxes
Name: The name of the policy object. A maximum of 40 characters is allowed.
Description: A description of the policy object.
Related Topics
• Understanding Map Objects, page 6-72
• Configuring Content Filtering Maps for Zone-based Firewall Policies, page 21-35
• Understanding the Zone-based Firewall Rules, page 21-3
Field Reference
Table 21-14 Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes
Name: The name of the policy object. A maximum of 40 characters is allowed.
Table 21-14 Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes (Continued)
Truncate Hostname, Truncate Script Parameters: Whether to truncate the URLs:
• If you do not select an option, URLs are not truncated.
• If you select Hostname, URLs are truncated at the end of the domain name.
Table 21-15 Add or Edit External Filter Dialog Box (Continued)
Timeout: The number of seconds that the router waits for a response from the server. The range is from 1 to 300.
Outside: Whether the server is outside the network.
Table 21-16 Add or Edit Trend Parameter Map Dialog Boxes (Continued)
Maximum Responses: The maximum number of HTTP responses that can be buffered. The range is from 0 to 20000. The default is 200.
Truncate Hostname: Whether to truncate URLs at the end of the domain name.
Category: The category assigned to the object.
Table 21-17 Add or Edit URL Filter Parameter Map Dialog Boxes (Continued)
Whitelisted and Blacklisted Domains tables: These tables define the domain names for which the software does not contact the external URL filtering server. Domain names on the whitelist are always allowed. Domain names on the blacklist are always blocked.
Table 21-17 Add or Edit URL Filter Parameter Map Dialog Boxes (Continued)
Truncate Hostname, Truncate Script Parameters: Whether to truncate the URLs:
• If you do not select an option, URLs are not truncated.
• If you select Hostname, URLs are truncated at the end of the domain name.
A single URLF Glob must also be limited to one of these types of URL segments:
• Strings that appear in the server name of a URL, which includes the name of the server and the domain name of the network. For example, www.cisco.com.
• Strings that appear in URL keywords, which are the strings that appear between / characters in a URL, or which are the file names.
Table 21-18 Add or Edit URLF Glob Parameter Map Dialog Boxes (Continued)
Value: The server domains or keywords for the URLs you are targeting. Enter only one type of glob: either all server domains, or all URL keywords, but not a mixture of both. If you include more than one entry, separate the entries with new lines.
Chapter 21 Managing Zone-based Firewall Rules Changing the Default Drop Behavior
Field Reference
Table 21-19 Add and Edit FTP Map Dialog Boxes
Name: The name of the policy object. A maximum of 40 characters is allowed.
Description: A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Parameter Type, Parameter Map: The type of parameter map to include in the Web Filter policy map. Select None if you do not want to select a parameter map.
Chapter 21 Managing Zone-based Firewall Rules Configuring Settings for Zone-based Firewall Rules For the purposes of this discussion, the most interesting of these commands is policy-map, which is used to apply your zone policy for each pair of zones. That is, for any given zone-pair, all rules defining traffic (classes) and actions are applied within one policy-map.
The Zones tab lists all unreferenced zones defined on the device; that is, zones without any associated interfaces, rules, or policies. Unreferenced zones are usually found and listed during device discovery, but you also can create named, “empty” zones here.
Step 3 (Optional) On the VPN tab, supply the name of the zone specifically set up for VPN traffic.
Navigation Path
To access the Zone Based Firewall page, do one of the following:
• (Device view) Select a device, then select Firewall > Settings > Zone Based Firewall from the Policy selector.
• (Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy Type selector. Create a new policy or select an existing one.
Table 21-20 Zone Based Firewall Page (Continued)
Global Parameters (ASR) tab: This tab displays global, logging-related settings specific to ASR devices. Configure these settings as follows:
• Log Dropped Packets – Select this option to log all packets dropped by the device; syslog logging must be enabled to view the information.
Field Reference
Table 21-21 Zone Based Firewall Page - Content Filter Tab
Trend Micro Server Settings
Cache-entry-lifetime (hrs): How long, in hours, a look-up request to the Trend Micro server remains in the router’s local URL cache table. The allowed range is 0 to 120; the default value is 24.
Chapter 21 Managing Zone-based Firewall Rules Troubleshooting Zone-based Rules and Configurations
Related Topics
• Zone Based Firewall Page, page 21-49
• Understanding the Zone-based Firewall Rules, page 21-3
• Configuring Settings for Zone-based Firewall Rules, page 21-48
Troubleshooting Zone-based Rules and Configurations
Zone-based firewall rules are powerful, but also complex.
When you deploy these rules, Security Manager generates the following configuration. The bold letters are added for reference in the explanation that follows the configuration.
A. class-map type inspect http match-any HTTPcmap
     match req-resp protocol-violation
     match request port-misuse any
   !
B. policy-map type inspect http HTTPpmap
     class type inspect http HTTPcmap
       reset
       log
   !
C.
H. class-map type inspect match-any CSM_ZBF_CLASS_MAP_5
     match protocol tcp
     match protocol udp
   !
I.
   !
The following list explains how the rules in Security Manager are converted to device-configuration commands, to aid your understanding of the relationship between the two. The list numbering corresponds to the rule numbers from the rules table in Security Manager (see the previous illustration):
1. This rule drops all traffic from the 10.100.10.0/24 network.
Chapter 21 Managing Zone-based Firewall Rules Zone-based Firewall Rules Page 8. Finally, there is an automatic rule, which appears as the final class-default rule in the policy map (I). This rule drops any traffic that does not match one of the class maps referenced in the policy map (I). For example, ICMP traffic from the internal network to the Internet will not be allowed. For information on configuring a different class-default rule, see Changing the Default Drop Behavior, page 21-47.
Table 21-22 Zone Based Firewall Rules Page (Continued)
Permit: Indicates whether the rule permits or denies traffic.
• Permit – Shown as a green check mark.
• Deny – Shown as a red circle with a slash.
Source: Identifies source networks and hosts for this rule. Networks/hosts can be provided as named objects, or as IP addresses. See Understanding Networks/Hosts Objects, page 6-74 for more information.
Table 21-22 Zone Based Firewall Rules Page (Continued)
Last Ticket(s): Shows the ticket(s) associated with the last modification to the rule. You can click the ticket ID in the Last Ticket(s) column to view details of the ticket and to navigate to the ticket.
Table 21-23 Add and Edit Zone based Firewall Rule Dialog Boxes (Continued)
Traffic: Define the traffic flow to which this rule is applied.
Match: Choose whether to Permit or Deny matched traffic. See Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules, page 21-7 for additional information about this option.
Table 21-23 Add and Edit Zone based Firewall Rule Dialog Boxes (Continued)
Action: The action applied to traffic that matches this rule. Choose the desired Action.
Action: Drop, Drop and Log, Pass, Pass and Log
• Drop – Silently drops all packets for the specified Services. This is the default action for all traffic.
• Drop and Log – Matched traffic is logged and dropped.
Table 21-23 Add and Edit Zone based Firewall Rule Dialog Boxes (Continued)
Action: Inspect – Inspect provides state-based traffic control: the device maintains connection or session information for TCP and UDP traffic, meaning return traffic in reply to connection requests is permitted.
Table 21-23 Add and Edit Zone based Firewall Rule Dialog Boxes (Continued)
Action: Content Filter – Content Filter provides URL filtering based on a supplied parameter or policy map. The router intercepts HTTP requests, performs protocol-related inspection, and optionally contacts a third-party server to determine whether the requests should be allowed or blocked.
Field Reference
Table 21-24 Advanced Options Dialog Box
Time Range: This feature lets you define time periods during which this zone-based firewall rule is active. If you do not specify a time range, the rule is immediately and always active. Enter the name of a time-range object, or click Select to choose one from a list in the Time Ranges Selector dialog box.
• Selecting Objects for Policies, page 6-2
• Configure Protocol Dialog Box, page 21-65
Table 21-25 Protocol Selector Dialog Box
Available Protocols: A list of protocols that can be selected for a zone-based firewall rule.
Selected Protocols: Tip: You can create a custom protocol by clicking the Create button below the Selected Protocols column, which opens the Configure Protocol Dialog Box, page 21-65.
Table 21-26 Configure Protocol Dialog Box
Protocol Name: The name of the selected protocol. If you are creating a custom protocol, you can enter a name of up to 19 characters. Custom protocol names must begin with user-.
Enable Signature: This option is available only when editing the peer-to-peer (eDonkey, FastTrack, Gnutella, Kazaa2) protocols.
Table 21-26 Configure Protocol Dialog Box (Continued)
Networks: If this protocol/port mapping is only for specific networks or hosts, enter the names or IP addresses of the networks or hosts, or the names of the network/host objects. You can click Select to open the Networks/Hosts Selector. Separate multiple entries with commas.
CHAPTER 22 Managing Transparent Firewall Rules
Transparent firewall rules are access control rules for non-IP layer 2 traffic. You can use these rules to permit or drop traffic based on the Ethertype value in the layer-2 packet.
This chapter contains the following topics:
• Configuring Transparent Firewall Rules, page 22-1
• Transparent Rules Page, page 22-3
Configuring Transparent Firewall Rules
Transparent firewall rules are access control rules for non-IP layer 2 traffic.
Chapter 22 Managing Transparent Firewall Rules Configuring Transparent Firewall Rules
Tip: On ASA, PIX, and FWSM in transparent mode, you must configure access rules to allow any IP traffic to pass through the device. Transparent rules control layer 2 non-IP traffic only. Also, see NAT in Transparent Mode, page 23-15 for information about using network address translation on security devices. You can also configure other types of firewall rules on these interfaces.
Chapter 22 Managing Transparent Firewall Rules Transparent Rules Page If you want to create a single rule to apply to a group of EtherTypes, convert the EtherTypes to binary and calculate an appropriate mask where 1 means to interpret the EtherType literally, and 0 means that any value should be allowed in the position. You must then convert your mask into hexadecimal. Click OK when you are finished defining your rule.
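As an added illustration (not part of the Cisco guide), the following Python carries out the value/mask calculation described above for an arbitrary set of EtherTypes, and then enumerates every EtherType the resulting pair admits, so you can see how far a grouped rule overreaches beyond the EtherTypes you intended. The sample EtherTypes (0x8847 and 0x8848, MPLS unicast and multicast) and the helper names are this example's own.

```python
"""Worked example of the EtherType/mask calculation for transparent firewall
rules: given a set of EtherTypes, derive the single value/mask pair that
covers all of them, and report which extra EtherTypes the pair admits.

Mask semantics as described in the guide: a 1 bit means "match this bit of
the EtherType literally", a 0 bit means "any value is allowed here".
The sample EtherTypes and helper names are this example's own (assumed).
"""

from typing import Iterable, List, Tuple

ETHERTYPE_BITS = 16
ETHERTYPE_MAX = (1 << ETHERTYPE_BITS) - 1


def ethertype_mask(ethertypes: Iterable[int]) -> Tuple[int, int]:
    """Return (value, mask) covering every EtherType in the input.

    The mask keeps a 1 only in bit positions where all EtherTypes agree;
    the value is the common bit pattern with the wildcard bits cleared.
    """
    types = list(ethertypes)
    if not types:
        raise ValueError("at least one EtherType is required")
    for t in types:
        if not 0 <= t <= ETHERTYPE_MAX:
            raise ValueError(f"EtherType {t:#06x} is not a 16-bit value")
    differing = 0
    for t in types[1:]:
        differing |= types[0] ^ t          # bits that differ somewhere in the set
    mask = ETHERTYPE_MAX & ~differing      # 1 where every EtherType agrees
    value = types[0] & mask                # wildcard positions cleared
    return value, mask


def matches(ethertype: int, value: int, mask: int) -> bool:
    """True when a frame's EtherType matches the value/mask rule."""
    return (ethertype & mask) == value


def covered_ethertypes(value: int, mask: int) -> List[int]:
    """Enumerate every EtherType the value/mask pair would match.

    Use this to check how far a grouped rule overreaches: every value in
    the list that is not in your intended set is traffic the rule would
    also permit (or deny).
    """
    return [t for t in range(ETHERTYPE_MAX + 1) if matches(t, value, mask)]


def to_hex(n: int) -> str:
    """Format as the 4-digit hexadecimal form the rule dialog expects."""
    return f"{n:04X}"


if __name__ == "__main__":
    # Constructed sample: MPLS unicast (0x8847) and MPLS multicast (0x8848).
    wanted = [0x8847, 0x8848]
    value, mask = ethertype_mask(wanted)
    print(f"EtherType {to_hex(value)} mask {to_hex(mask)}")   # 8840 / FFF0
    extra = [t for t in covered_ethertypes(value, mask) if t not in wanted]
    print(f"covers {len(wanted) + len(extra)} EtherTypes; "
          f"{len(extra)} not in the intended set: "
          + ", ".join(to_hex(t) for t in extra))
```

Because the two sample values differ in their low four bits, the derived pair 8840/FFF0 admits all sixteen EtherTypes 0x8840 through 0x884F, not just the two intended; review that list before deploying a grouped rule.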
• Filtering Tables, page 1-45
Field Reference
Table 22-1 Transparent Rules Page
No.: The ordered rule number.
Permit: Whether a rule permits or denies traffic based on the conditions set:
• Permit—Shown as a green check mark.
• Deny—Shown as a red circle with a slash.
EtherType: The Ethernet packet type, which is the EtherType value in the packet. This can be a hexadecimal code or a keyword.
Table 22-1 Transparent Rules Page (Continued)
Delete Row button: Click this button to delete the selected rule.
Add and Edit Transparent Firewall Rule Dialog Boxes
Use the Add and Edit Transparent Firewall Rule dialog boxes to add and edit transparent firewall rules, which are configured as EtherType access control lists on the device.
Table 22-2 Add and Edit Transparent Firewall Rule Dialog Boxes (Continued)
Traffic Direction: The direction of the traffic to which this rule applies:
• In—Packets entering an interface.
• Out—Packets exiting an interface.
EtherType: The hexadecimal code or keyword (for ASA/PIX/FWSM only) that identifies the traffic based on the EtherType value in the packet.
Edit Transparent EtherType Dialog Box
Use the Edit Transparent EtherType dialog box to edit the EtherType in a transparent firewall rule. Enter the hexadecimal code that identifies the traffic. For ASA/PIX/FWSM devices, you can also select the keyword for some types of traffic. For a list of codes, see RFC 1700 at http://www.ietf.org/rfc/rfc1700.txt and search for “Ether Type”.
CHAPTER 23 Configuring Network Address Translation
These topics provide conceptual information about network address translation (NAT) in general, and about translation types and various implementations:
• Understanding Network Address Translation, page 23-2
  – Types of Address Translation, page 23-3
  – About “Simplified” NAT on ASA 8.
Chapter 23 Configuring Network Address Translation Understanding Network Address Translation Understanding Network Address Translation Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. As part of the process, the device also records the substitution in a translation database; these records are known as “xlate” entries.
• About “Simplified” NAT on ASA 8.3+ Devices, page 23-3
Types of Address Translation
The following table briefly describes the various types of address translation.
Table 23-1 Types of Address Translation
Static NAT: Fixed translation of real source addresses to specific mapped addresses—each source address is always translated to the same mapped address, regardless of IP protocol and port number.
All NAT rules on the device—static NAT, dynamic PAT, and dynamic NAT—are presented in a single table, and essentially the same dialog box is used to configure all NAT rules. The NAT rules are interface independent (that is, interfaces are optional), which also means that NAT rules are no longer dependent on security levels.
Chapter 23 Configuring Network Address Translation NAT Policies on Cisco IOS Routers Bi-directional or Twice NAT When creating a manual static rule, you can select the “Bi-directional” option, which will produce an entry in the rules table that actually represents two static NAT rules, encompassing both translation directions. That is, a static rule is created for the specified source/translated address pairing, along with a mirror rule for the translated address/source pairing.
NAT Page: Interface Specification
Before creating NAT rules, you must define the “direction” of the traffic to be translated by specifying the Inside and Outside interfaces. Inside interfaces typically connect to a LAN that the router serves. Outside interfaces typically connect to your organization’s WAN or to the Internet.
• You define a static NAT rule for a single host by entering the original address to translate and the global address to which it is translated. The global address may be taken from an interface on the device.
Field Reference
Table 23-2 Add/Edit NAT Static Rule Dialog Boxes
Static Rule Type: The type of local address to be translated by this static rule:
• Static Host – A single host requiring static address translation.
• Static Network – A subnet requiring static address translation.
• Static Port – A single port requiring static address translation.
Original Address
Table 23-2 Add/Edit NAT Static Rule Dialog Boxes (Continued)
Advanced: This section contains optional, advanced translation options.
Note: The Advanced options are available only when the Specify IP option is the selected method for defining the translated address(es).
• No Alias – When selected, disables automatic aliasing for the global IP address translation.
the IP address for the inside device is one of the addresses from that second address pool, and it uses this address when it communicates with the inside device. The router running NAT takes care of the translations at this point. To disable the translation of the address inside the payload, check the No Payload option when you create a static NAT rule based on a global IP translation.
Navigation Path
• (Device view) Select NAT from the Policy selector, then click the Dynamic Rules tab.
• (Policy view) Select NAT (Router) > Translation Rules from the Policy Type selector. Select an existing policy or create a new one, and then click the Dynamic Rules tab.
Table 23-3 NAT Dynamic Rule Dialog Box (Continued)
Translated Address: Use the options in this section of the dialog box to specify the method and address(es) used for dynamic translation:
• Use Interface IP – Select this option to specify that the globally registered IP address assigned to a particular interface be used as the translated address; port addressing ensures each translation is uniqu
NAT Page: Timeouts
Use the NAT Timeouts tab of the router’s NAT page to manage the timeout values for port address (overload) translations. These timeouts cause a dynamic translation to expire after a specified period of inactivity.
Table 23-4 NAT Timeouts Tab (Continued)
UDP Timeout (sec.): The timeout value applied to User Datagram Protocol (UDP) ports. The default is 300 seconds (5 minutes).
DNS Timeout (sec.): The timeout value applied to Domain Naming System (DNS) server connections. The default is 60 seconds.
TCP Timeout (sec.
Chapter 23 Configuring Network Address Translation NAT Policies on Security Devices NAT Policies on Security Devices The following topics describe configuring network address translation (NAT) options on managed security appliances: PIX firewalls, Firewall Service Modules (FWSMs) on Catalyst switches, pre-version-8.3 Adaptive Security Appliances (ASAs), and ASA 8.3+ devices.
Chapter 23 Configuring Network Address Translation NAT Policies on Security Devices • (Policy view) Select NAT (PIX/ASA/FWSM) > Translation Options from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Options to create a new policy.
Chapter 23 Configuring Network Address Translation NAT Policies on Security Devices Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices The following sections describe configuring network address translation on PIX and FWSM devices, and on pre-8.3-version ASAs. (See Configuring NAT on ASA 8.3+ Devices, page 23-32 for information about configuring NAT on ASA 8.3+ devices.) • Address Pools, page 23-17 • Translation Rules: PIX, FWSM, and pre-8.
Chapter 23 Configuring Network Address Translation NAT Policies on Security Devices Table 23-6 Address Pools Dialog Box (Continued) Element Description Pool ID Enter a unique identification number for this address pool, an integer between 1 and 2147483647. When configuring a dynamic NAT rule, you select a Pool ID to specify the pool of addresses to be used for translation. IP address ranges Enter or Select the addresses to be assigned to this address pool.
Chapter 23 Configuring Network Address Translation NAT Policies on Security Devices • Static Rules Tab, page 23-25 – Use this tab to configure static translation rules for a security appliance or shared policy. • General Tab, page 23-30 – Use this tab to view all current translation rules, listed in the order that they will be evaluated on the device. Note The General tab is visible only for PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices in transparent mode.
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to define and edit translation exemption rules on PIX, FWSM and pre-8.3 ASA devices in router mode, and on FWSM 3.2 devices in transparent mode.
Navigation Path
You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box from the Translation Exemptions (NAT 0 ACL) tab.
Dynamic Rules Tab
Use the Dynamic Rules tab of the Translation Rules page to view and configure dynamic NAT and PAT rules. Rules are evaluated sequentially in the order listed, and the first matching rule is applied. The row number indicates the rule’s position in the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.
• Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 23-18
• Advanced NAT Options Dialog Box, page 23-28
• Select Address Pool Dialog Box, page 23-22
Field Reference
Table 23-8 Add/Edit Dynamic Translation Rule Dialog Box
Enable Rule – If checked, the rule is enabled. Deselect this option to disable the rule without deleting it.
Table 23-9 Select Address Pool Dialog Box (Continued)
IP Address Ranges – The IP addresses assigned to the pool; “interface” in this list indicates that PAT is enabled on the specified interface.
Description – The description provided for the address pool.
Selected Row – Identifies the pool currently selected in the list.
Add/Edit Policy Dynamic Rules Dialog Box
Use the Add/Edit Policy Dynamic Rules dialog box to define and edit dynamic translation rules based on source and destination addresses and services.
Navigation Path
You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy Dynamic Rules tab. See Policy Dynamic Rules Tab, page 23-23 for more information.
Related Topics
• Configuring NAT on PIX, FWSM, and pre-8.
Table 23-10 Add/Edit Policy Dynamic Rules Dialog Box (Continued)
Description – Enter a description of the rule.
Advanced button – Click to open the Advanced NAT Options Dialog Box, page 23-28 to configure advanced settings for this rule.
Static Rules Tab
Use the Static Rules tab of the Translation Rules page to view and configure static translation rules for a security appliance or shared policy.
• Add/Edit Static Rule Dialog Box, page 23-26
• Advanced NAT Options Dialog Box, page 23-28
• General Tab, page 23-30
• Standard rules table topics:
– Using Rules Tables, page 12-7
– Filtering Tables, page 1-45
– Table Columns and Column Heading Features, page 1-46
Add/Edit Static Rule Dialog Box
Use the Add/Edit Static Rule dialog box to add or edit static translation rules for a firewall device or shared policy.
Table 23-11 Add/Edit Static Rule Dialog Box (Continued)
Services – If Policy NAT is enabled, enter or select the services to which the rule applies.
Note For Static Policy NAT, IP is the only service that can be specified.
For detailed information on editing firewall rule cells, see Editing Rules, page 12-9.
Navigation Path
Right-click the Translated Address cell in the Static Rules table (on the NAT > Translation Rules page) and choose Edit Translated Address.
Field Reference
Table 23-12 Advanced NAT Options Dialog Box
Translate the DNS replies that match the translation rule – If checked, the security appliance rewrites the addresses in DNS replies so that an outside client can resolve the name of an inside host using an inside DNS server, and vice versa.
Timeout – For PIX 6.x devices, enter a timeout value for this translation rule, in the format hh:mm:ss.
• Standard rules table topics:
– Using Rules Tables, page 12-7
– Filtering Tables, page 1-45
– Table Columns and Column Heading Features, page 1-46
Field Reference
Table 23-13 General Tab - Translation Rules Summary Table
Note Hatching (a series of slanted lines) across an entry in the table indicates that the rule is currently disabled.
Maximum UDP Connections – The maximum number of UDP connections allowed to the statically translated IP address. If zero, the number of connections is unlimited. This option is set in the Advanced NAT Options Dialog Box, page 23-28.
Timeout – For PIX 6.x devices, this is the timeout value for a static translation rule.
Two types of NAT rules are displayed in this table: “manual” rules added by you and other users, and “automatic” rules generated and applied by Security Manager when an object with NAT properties is assigned to the device. These are referred to as “NAT rules” and “Network Object NAT rules,” respectively.
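The ordering just described (first match in table order, hatched rows skipped, manual NAT rules listed ahead of Network Object NAT rules) is where most NAT surprises come from: a broad dynamic rule near the top silently shadows a more specific static rule further down, so a server's outbound traffic leaves PAT'd instead of through its static mapping. The following Python model is an added example and is not Security Manager or ASA code; the rule names, interface names, RFC 1918/RFC 5737 addresses and the object-name convention used by to_cli() are all constructed for illustration. It evaluates a constructed table in the order the summary table shows it and reports rules that can never match.

```python
"""First-match evaluation over a constructed NAT translation-rules table.

Added example (not Security Manager or ASA code). Assumptions: rules are tried
top to bottom, a disabled rule is skipped, manual "NAT rules" precede
"Network Object NAT rules", and the first enabled rule whose source interface,
real source and (optional) destination match decides the translation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    src_iface: str
    dst_iface: str
    real_source: str                    # real network/host, e.g. "10.1.1.0/24"
    mapped_source: str                  # mapped network/host, or "interface" for PAT
    kind: str                           # "static" or "dynamic"
    manual: bool = True                 # False for a Network Object NAT rule
    enabled: bool = True                # disabled rules are shown hatched and skipped
    destination: Optional[str] = None   # optional destination qualifier (manual rules)

    def matches(self, src: str, dst: str, src_iface: str) -> bool:
        if not self.enabled or src_iface != self.src_iface:
            return False
        if ip_address(src) not in ip_network(self.real_source):
            return False
        if self.destination and ip_address(dst) not in ip_network(self.destination):
            return False
        return True

    def to_cli(self) -> str:
        """Render the rule in ASA 8.3+ 'nat' syntax. The object names derived from
        the rule name are a hypothetical convention, not Security Manager's."""
        ifaces = f"({self.src_iface},{self.dst_iface})"
        if not self.manual:
            return f"object network {self.name}\n nat {ifaces} {self.kind} {self.mapped_source}"
        mapped = "interface" if self.mapped_source == "interface" else f"{self.name}-mapped"
        line = f"nat {ifaces} source {self.kind} {self.name}-real {mapped}"
        if self.destination:
            line += f" destination static {self.name}-dst {self.name}-dst"
        return line


class TranslationTable:
    def __init__(self, rules: List[NatRule]):
        self.rules = list(rules)          # row order as shown in the table

    def ordered(self) -> List[NatRule]:
        """Evaluation order: manual rules in row order, then Network Object NAT rules."""
        manual = [r for r in self.rules if r.manual]
        automatic = [r for r in self.rules if not r.manual]
        return manual + automatic

    def move(self, name: str, delta: int) -> None:
        """Up Row (delta=-1) / Down Row (delta=+1) for the named rule."""
        idx = next(i for i, r in enumerate(self.rules) if r.name == name)
        new = max(0, min(len(self.rules) - 1, idx + delta))
        self.rules.insert(new, self.rules.pop(idx))

    def lookup(self, src: str, dst: str, src_iface: str) -> Optional[str]:
        """Name of the first matching enabled rule, or None (packet is not translated)."""
        for rule in self.ordered():
            if rule.matches(src, dst, src_iface):
                return rule.name
        return None


def shadowed_rules(table: TranslationTable) -> List[str]:
    """Rules that can never match: an earlier enabled rule on the same source
    interface, with no destination qualifier, already covers their real source."""
    shadowed = []
    order = table.ordered()
    for i, rule in enumerate(order):
        for earlier in order[:i]:
            if (earlier.enabled and earlier.src_iface == rule.src_iface
                    and earlier.destination is None
                    and ip_network(rule.real_source).subnet_of(ip_network(earlier.real_source))):
                shadowed.append(rule.name)
                break
    return shadowed


def build_table() -> TranslationTable:
    """Constructed sample table (hypothetical names, RFC 1918 and RFC 5737 addresses)."""
    return TranslationTable([
        NatRule("dmz-identity", "inside", "dmz", "10.1.1.0/24", "10.1.1.0/24", "static",
                destination="172.16.0.0/16"),                       # identity NAT toward the DMZ
        NatRule("inside-pat", "inside", "outside", "10.1.0.0/16", "interface", "dynamic"),
        NatRule("web-server", "inside", "outside", "10.1.1.10/32", "203.0.113.10", "static",
                manual=False),                                      # Network Object NAT rule
    ])


if __name__ == "__main__":
    table = build_table()
    print("outbound 10.1.1.10 ->", table.lookup("10.1.1.10", "198.51.100.5", "inside"))
    print("shadowed:", shadowed_rules(table))
    for rule in table.ordered():
        print(rule.to_cli())
```

In the constructed table the web server's static Network Object NAT rule never fires for outbound traffic because the manual inside-pat rule covers its address first; disabling or narrowing that rule, or placing the specific rule where it is evaluated earlier, restores the intended mapping. On a live ASA the same question is answered by the per-rule hit counters in `show nat detail`.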
– Filtering Tables, page 1-45
– Table Columns and Column Heading Features, page 1-46
Navigation Path
• (Device view) Select NAT > Translation Rules from the Device Policy selector.
• (Policy view) Select NAT (PIX/ASA/FWSM) > Translation Rules from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create a new policy.
Add and Edit NAT Rule Dialog Boxes
Use the Add NAT Rule dialog box to add a NAT rule to the selected ASA 8.3+ device; this dialog box is not available on earlier-version ASAs, nor on PIX or FWSM devices. Refer to Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 23-17 for information about adding and editing NAT rules on those devices.
Table 23-14 Add and Edit NAT Rule Dialog Boxes (Continued)
Source NAT Type – The type of translation rule you are creating:
• Static – Provides static assignment of real addresses to mapped addresses.
PAT Pool Address Translation – This option is available when Dynamic NAT and PAT is the selected Type. The related parameters let you specify a “pool” of IP addresses to be used specifically for port address translation, as well as change the algorithm used for PAT mapping.
Destination Translation – Use the options in this section to configure optional static translation of destination addresses.
Note If defined, Destination Translation is always static, regardless of the rule Type.
Note These options are not available on devices operating in transparent mode.
Translate DNS replies that match this rule – When checked, addresses embedded in DNS replies that match this rule are rewritten. For DNS replies traversing from a mapped interface to a real interface, the Address (or “A”) record is rewritten from the mapped value to the real value.
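To make the A-record rewrite concrete, here is an added Python example (not ASA or Security Manager code) that builds a constructed DNS reply, parses it, and rewrites the A record according to a constructed static rule mapping real 10.1.1.10 to mapped 203.0.113.10. The mapped_to_real direction is the case described in the row above (reply arriving on the mapped interface, forwarded to the real interface); the opposite direction is the inside-DNS-server, outside-client case mentioned for the Advanced NAT Options dialog. Because an A record's RDATA is always four bytes, the rewrite never changes the packet length.

```python
"""DNS reply rewriting for a static NAT rule ("DNS doctoring"), modelled in Python.

Added example, not ASA or Security Manager code. The packet builder, the
static rule and the addresses (RFC 1918 / RFC 5737) are constructed sample data.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# Constructed static rule: real (inside) 10.1.1.10 <-> mapped (outside) 203.0.113.10
STATIC_RULE = {"real": "10.1.1.10", "mapped": "203.0.113.10"}


def encode_name(name: str) -> bytes:
    """Encode a domain name as a sequence of DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_reply(txid: int, qname: str, answer_ip: str, ttl: int = 300) -> bytes:
    """Constructed DNS response: one question and one A record for that name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set; 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                        # compression pointer to the question name
              + struct.pack("!HHIH", 1, 1, ttl, 4)              # type A, class IN, TTL, RDLENGTH 4
              + IPv4Address(answer_ip).packed)
    return header + question + answer


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # a compression pointer ends the name and is two bytes long
            return off + 2
        off += 1 + length


def resource_records(buf: bytes) -> List[Tuple[int, int, int]]:
    """(TYPE, RDATA offset, RDLENGTH) for every record after the question section."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4    # QTYPE + QCLASS
    records = []
    for _ in range(ancount + nscount + arcount):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        records.append((rtype, off, rdlen))
        off += rdlen
    return records


def a_records(reply: bytes) -> List[str]:
    """Addresses carried in the reply's A records."""
    return [str(IPv4Address(reply[off:off + 4]))
            for rtype, off, rdlen in resource_records(reply) if rtype == 1 and rdlen == 4]


def rewrite_a_records(reply: bytes, translation: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A-record RDATA whose address is a key of `translation`.
    An A record's RDATA is always four bytes, so the packet length never changes."""
    buf = bytearray(reply)
    rewritten = []
    for rtype, off, rdlen in resource_records(buf):
        if rtype == 1 and rdlen == 4:
            old = str(IPv4Address(bytes(buf[off:off + 4])))
            if old in translation:
                buf[off:off + 4] = IPv4Address(translation[old]).packed
                rewritten.append((old, translation[old]))
    return bytes(buf), rewritten


def doctor_reply(reply: bytes, rule: Dict[str, str], direction: str) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Apply the rule's DNS rewrite to a reply crossing the appliance.

    mapped_to_real: reply enters on the mapped (outside) interface and leaves on the
                    real (inside) interface, so mapped -> real (the case in the table above).
    real_to_mapped: reply from an inside DNS server to an outside client, real -> mapped.
    """
    if direction == "mapped_to_real":
        return rewrite_a_records(reply, {rule["mapped"]: rule["real"]})
    if direction == "real_to_mapped":
        return rewrite_a_records(reply, {rule["real"]: rule["mapped"]})
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    outside_reply = build_reply(0x1234, "www.example.com", STATIC_RULE["mapped"])
    fixed, changes = doctor_reply(outside_reply, STATIC_RULE, "mapped_to_real")
    print(a_records(outside_reply), "->", a_records(fixed), changes)
```

Only A records whose address equals the rule's mapped (or real) address are touched; a reply for an unrelated name passes through byte for byte. The appliance option behaves the same way, which is why a rule that also does Service Translation cannot use it: the port in the record is not something a DNS A record carries.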
Table 23-14 Add and Edit NAT Rule Dialog Boxes (Continued)
Unidirectional – This option lets you configure a static NAT rule in a single direction only, instead of the dual rules, one for each direction (forward and reverse), that are otherwise created. When selected, a single static NAT rule is created, as specified by the other options in this dialog box. Dynamic rules are unidirectional by default.
Refer to Add and Edit NAT Rule Dialog Boxes, page 23-35 for more information about defining translation rules.
Round Robin Port Assignment
On version 8.4.2 and later ASA devices, you can also specify an alternate method of port assignment during PAT processing.
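The difference between the default port assignment and round robin is easiest to see on a tiny pool. The following Python simulation is an added example, not ASA code; the two pool addresses and the three-port range per address are constructed so that exhaustion happens within a handful of connections. By default the first pool address is used until its ports run out and only then is the next address used; with round robin each new connection takes the next address in the pool.

```python
"""PAT pool port allocation: default (fill one address, then the next) versus
round-robin assignment. Added example, not ASA code. The pool addresses and the
deliberately tiny port range are constructed to keep the walk-through short."""
from typing import Dict, List, Tuple


class PatPool:
    def __init__(self, addresses: List[str], ports: range, round_robin: bool = False):
        self.addresses = list(addresses)
        self.free: Dict[str, List[int]] = {a: list(ports) for a in self.addresses}
        self.round_robin = round_robin
        self._rotation = 0                                   # next address index for round robin
        self.xlates: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (real ip, port) -> (mapped ip, port)

    def _candidates(self) -> List[str]:
        """Addresses to try, in order, for one new connection."""
        if not self.round_robin:
            return self.addresses                            # default: exhaust the first address first
        n = len(self.addresses)
        start = self._rotation
        self._rotation = (start + 1) % n
        return [self.addresses[(start + i) % n] for i in range(n)]

    def allocate(self, real_ip: str, real_port: int) -> Tuple[str, int]:
        key = (real_ip, real_port)
        if key in self.xlates:                               # an existing xlate is reused
            return self.xlates[key]
        for addr in self._candidates():
            if self.free[addr]:
                mapped = (addr, self.free[addr].pop(0))
                self.xlates[key] = mapped
                return mapped
        raise RuntimeError("PAT pool exhausted")             # the appliance cannot build the connection

    def release(self, real_ip: str, real_port: int) -> None:
        """Tear down an xlate and return its port to the pool."""
        addr, port = self.xlates.pop((real_ip, real_port))
        self.free[addr].append(port)


def new_pool(round_robin: bool) -> PatPool:
    """Constructed pool: two RFC 5737 addresses, three ports each."""
    return PatPool(["203.0.113.1", "203.0.113.2"], range(1024, 1027), round_robin)


def simulate(round_robin: bool, connections: int) -> List[str]:
    """Mapped address chosen for each of `connections` new flows from one inside host."""
    pool = new_pool(round_robin)
    return [pool.allocate("10.1.1.20", 40000 + i)[0] for i in range(connections)]


def capacity(round_robin: bool) -> int:
    """How many distinct flows the constructed pool can carry before it is exhausted."""
    pool = new_pool(round_robin)
    count = 0
    try:
        while True:
            pool.allocate("10.1.1.20", 40000 + count)
            count += 1
    except RuntimeError:
        return count


if __name__ == "__main__":
    print("default    :", simulate(False, 4))
    print("round robin:", simulate(True, 4))
    print("capacity   :", capacity(False), capacity(True))
```

The caveat a practitioner should weigh: with round robin, successive connections from one inside host leave with different mapped addresses, so a remote service that ties a session to the client's source address can see them as separate clients. Both modes fail the same way once every port on every address is in use; the simulation raises where the appliance would be unable to build the new connection.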
Field Reference
Table 23-15 Network/Host Dialog Box NAT Tab
Add Automatic Address Translation NAT Rule – If checked, a network address translation (NAT) rule, as defined here, is applied to the device specified in the Translated By field. The rule appears in the Network Object NAT Rule section of the Translation Rules table for that device (see Translation Rules: ASA 8.3+, page 23-32).
PAT Pool Address Translation – This option is available when Dynamic NAT and PAT is the selected Type. The related parameters let you specify a “pool” of IP addresses to be used specifically for port address translation, as well as change the algorithm used for PAT mapping.
Service Translation – Use the options in this section of the Advanced panel to configure static port address translation. (Available for Static rules only.)
Note Service Translation and the Translate DNS replies that match this rule option cannot be used together.
Protocol – Whether the translated port is TCP or UDP.
Perform route lookup for Destination Interface – If this option is selected, the egress interface is determined by a route lookup instead of by the specified Destination Interface. Be sure this box is checked for a NAT Exempt rule. This option is supported only for Static Identity NAT.
• (Policy view) Select NAT (PIX/ASA/FWSM) > Per-Session NAT Rules from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click Per-Session NAT Rules to create a new policy. The Per-Session NAT Rules page is displayed.
Adding, Editing and Deleting Rules
To add a per-session NAT rule:
1. Select the rule under which the new rule is to be added.
• Permit UDP from any (IPv4 and IPv6) to domain
These rules do not appear in the rule table.
Note You cannot remove these rules, and they always exist after any manually-created rules. Because rules are evaluated in order, you can override the default rules by adding your own rules ahead of them.
Table 23-16 Add and Edit NAT Rule Dialog Boxes (Continued)
Category – (Optional) Choose a category to assign to the rule. Categories can help you organize and identify rules and objects; see Using Category Objects, page 6-12 for more information.
Note This option is not available when Dynamic NAT and PAT is the chosen rule Type.
Description – (Optional) Provide a description of the rule.
Part 3 VPN Configuration
Chapter 24 Managing Site-to-Site VPNs: The Basics
A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels to encapsulate data packets within normal IP packets for forwarding over IP-based networks, using encryption to provide confidentiality and authentication to ensure the integrity and origin of the data.
Understanding VPN Topologies
A VPN topology specifies the peers and the networks that are part of the VPN and how they connect to one another. After you create a VPN topology, the policies that can be applied to it become available for configuration, depending on the assigned IPsec technology.
A hub is generally located at an enterprise’s main office. Spoke devices are generally located at an enterprise’s branch offices. In a hub-and-spoke topology, most traffic is initiated by hosts at the spoke sites, but some traffic might be initiated from the central site to the spokes.
Full Mesh VPN Topologies
A full mesh topology works well in a complicated network where all peers need to communicate with each other. In this topology type, every device in the network communicates with every other device through a unique IPsec tunnel.
Related Topics
• Understanding IPsec Technologies and Policies, page 24-5
• Implicitly Supported Topologies, page 24-5
• Creating or Editing VPN Topologies, page 24-28
• Chapter 25, “Configuring IKE and IPsec Policies”
Implicitly Supported Topologies
In addition to the three main VPN topologies, other more complex topologies can be created as combinations of these topologies.
• Including Unmanaged or Non-Cisco Devices in a VPN, page 24-11
• Understanding and Configuring VPN Default Policies, page 24-12
• Using Device Overrides to Customize VPN Policies, page 24-13
• Understanding VRF-Aware IPsec, page 24-14
Understanding Mandatory and Optional Policies for Site-to-Site VPNs
Some site-to-site VPN policies are mandatory, which means that you must configure them to create a VP
Table 24-1 Site-to-Site VPN IPsec Technologies and Policies (Continued)
IPsec/GRE (Generic Routing Encapsulation) – Mandatory Policies:
• IKE Proposal
• IPsec Proposal
• One of: IKEv1 Preshared Key or IKEv1 Public Key Infrastructure
• GRE Modes
GRE Dynamic IP (see Understanding GRE Configuration for Dynamically Addressed Spokes, page 26-5) – Mandatory Policies:
• IKE Proposal
GET VPN (see Understanding Group Encrypted Transport (GET) VPNs, page 28-2) – Mandatory Policies:
• Group Encryption
• IKEv1 Preshared Key. See Configuring IKEv1 Preshared Key Policies, page 25-44.
• IKEv1 Public Key Infrastructure. See Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50.
• Server Load Balance. See Configuring Server Load Balancing in Large Scale DMVPN, page 26-17.
• User Group Policy. See Configuring a User Group Policy for Easy VPN, page 27-14.
Table 24-2 Devices Supported by Each IPsec Technology (Continued)
Dynamic Multipoint VPN (DMVPN), Large Scale DMVPN – DMVPN configuration is supported on Cisco IOS 12.3T devices and later, and on ASRs running Cisco IOS XE Software 2.x or later (known as 12.2(33)XNA+ in Security Manager).
Including Unmanaged or Non-Cisco Devices in a VPN
Your VPN might include devices that you cannot, or should not, manage in Security Manager. These include:
• Cisco devices that Security Manager supports, but for which your organization is not responsible.
Understanding and Configuring VPN Default Policies
For most mandatory VPN policies, Security Manager includes “factory default” settings. These defaults are generic and might not be appropriate for your network, but they allow you to complete the creation of a VPN without having to stop and start over when you do not have the needed shared policy configured. Review the defaults before you deploy, especially the IKE and IPsec proposals, because they determine the cryptographic strength of the VPN.
Step 2 If desired, create defaults for the VPN endpoints. These defaults are interface role objects, which identify the interface names used for VPN connections (for example, GigabitEthernet0/1). Create separate roles for internal and external VPN interfaces.
a. Select Manage > Policy Objects to open the Policy Object Manager, page 6-4.
b. Select Interface Roles from the table of contents.
c.
• Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-19
Understanding VRF-Aware IPsec
One obstacle to successfully deploying peer-to-peer VPNs is the separation of routing tables and the use of overlapping addresses, which usually results from the use of private IP addresses in customer networks.
The following illustration shows the topology of a one-box solution.
Figure 24-5 VRF-Aware IPsec Two-Box Solution
Using the two-box solution, you configure VRF-Aware IPsec on devices in your VPN topology, as follows:
1. Configure the connection between the IPsec Aggregator and the PE device. Create a hub-and-spoke VPN topology and assign an IPsec technology to it.
• Defining the Endpoints and Protected Networks, page 24-33
Enabling and Disabling VRF on Catalyst Switches and 7600 Devices
Deployment fails when you change the virtual routing and forwarding (VRF) mode on the Catalyst switch or 7600 hub of an existing site-to-site VPN.
open the Site-to-Site VPN Manager to edit the policies for the selected VPN. This device view policy is essentially a shortcut into the Site-to-Site VPN Manager. For more information about using this policy, see Configuring VPN Topologies in Device View, page 24-19.
• Site-to-Site VPN folder in Policy view—Policy view is used to create shared policies.
The options and methods for configuring shared policies from the Site-to-Site VPN Manager are the same as those from Device view, as explained in the sections under Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34 and Using the Policy Banner, page 5-35. You can share, assign, unassign, edit assignments, and rename policies, but no VPN policies allow inheritance.
Note You can also discover configurations on devices in remote access VPNs that are already deployed in your network. See Discovering Remote Access VPN Policies, page 29-12.
provisioning mechanism leverages the content of the existing configuration as much as possible (assuming the content matches the policies configured in Security Manager), but does not retain the naming conventions used in the CLI commands.
Tip Because Extranet VPN discovery involves the analysis of a single device (the managed device), most of these rules do not apply to Extranet VPN discovery. Any rule that involves consistency of values among devices in the VPN is not applicable.
Table 24-3 VPN Discovery Rules
If this condition exists: Security Manager cannot contact a device in the VPN for live device discovery.
Table 24-3 VPN Discovery Rules (Continued)
If this condition exists: There are inconsistencies in the policies or values in the VPN configurations across the devices in the VPN.
The VPN discovery is handled as follows:
• If the values on the hub and the spokes differ, preference is given to the values on the hub.
If this condition exists: A User Group policy is configured with backup servers using hostnames instead of IP addresses.
The VPN discovery is handled as follows: VPN policy discovery fails with the following error: Policy Discovery Failed: com.cisco.nm.vms.discovery.
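The two rules from the table that most often bite (hub values win when hub and spokes disagree; a User Group policy whose backup servers are hostnames makes discovery fail outright) can be checked before discovery is run. The Python below is an added example and not Security Manager's discovery code; the policy names, settings, device names and server list are constructed. It merges per-device values the way the table says discovery does, records every spoke value that was overridden, and refuses to proceed when a backup server is not an IP literal.

```python
"""Pre-discovery consistency check for a site-to-site VPN, modelling two of the
discovery rules above. Added example, not Security Manager code; the policy
names, settings, device names and backup-server list are constructed."""
from ipaddress import ip_address
from typing import Dict, List, Tuple

Policies = Dict[str, Dict[str, object]]        # policy name -> {setting: value}

# Constructed discovered values (hypothetical policy and setting names).
HUB: Policies = {
    "ike_proposal": {"encryption": "aes-256", "hash": "sha", "dh_group": 14, "lifetime": 86400},
    "ipsec_proposal": {"transform_set": "esp-aes-256 esp-sha-hmac", "pfs_group": 14},
}
SPOKES: Dict[str, Policies] = {
    "spoke-a": {                                  # IKE lifetime disagrees with the hub
        "ike_proposal": {"encryption": "aes-256", "hash": "sha", "dh_group": 14, "lifetime": 28800},
        "ipsec_proposal": {"transform_set": "esp-aes-256 esp-sha-hmac", "pfs_group": 14},
    },
    "spoke-b": {name: dict(values) for name, values in HUB.items()},   # identical to the hub
}


def reconcile(hub: Policies, spokes: Dict[str, Policies]) -> Tuple[Policies, List[str]]:
    """Merge per-device values into one VPN-wide policy set. Where the hub and a
    spoke differ, the hub value wins and the overridden spoke value is reported."""
    merged = {name: dict(values) for name, values in hub.items()}
    warnings: List[str] = []
    for spoke, policies in spokes.items():
        for name, values in policies.items():
            for setting, value in values.items():
                hub_value = merged.get(name, {}).get(setting)
                if hub_value is None:
                    merged.setdefault(name, {})[setting] = value   # only the spoke defines it
                elif hub_value != value:
                    warnings.append(
                        f"{spoke}: {name}.{setting}={value!r} differs from hub {hub_value!r}; hub value used")
    return merged, warnings


def hostname_backup_servers(backup_servers: List[str]) -> List[str]:
    """Backup servers that are not IP address literals (IPv4 or IPv6)."""
    bad = []
    for server in backup_servers:
        try:
            ip_address(server)
        except ValueError:
            bad.append(server)
    return bad


def discovery_precheck(hub: Policies, spokes: Dict[str, Policies],
                       user_group_backup_servers: List[str]) -> Dict[str, object]:
    """Outcome a discovery run would have, under the two rules modelled here."""
    merged, warnings = reconcile(hub, spokes)
    bad = hostname_backup_servers(user_group_backup_servers)
    if bad:
        return {"status": "failed", "warnings": warnings,
                "reason": f"User Group backup servers must be IP addresses, not hostnames: {bad}"}
    return {"status": "ok", "warnings": warnings, "policies": merged}


if __name__ == "__main__":
    print(discovery_precheck(HUB, SPOKES, ["192.0.2.10", "backup.example.com"]))
```

Reporting the overridden spoke values matters because the hub preference is silent: in the constructed data the spoke's shorter IKE lifetime is dropped, and after the next deployment that spoke would carry the hub's value. For the second rule the only remedy is to replace the hostname with the server's address before discovering the VPN.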
• IPsec Technology—The IPsec technology assigned to the VPN—Regular IPsec, IPsec/GRE, GRE Dynamic IP (sub-technology), DMVPN, Easy VPN, or GET VPN. The topology you select controls what is available in this list. If you selected IPsec/GRE, you must also specify the type, which may be Standard (for IPsec/GRE) or Spokes with Dynamic IP (to configure GRE Dynamic IP).
If you want to maintain your original definitions, or create a new VPN that has spokes with different definitions, you can choose one of two approaches:
• Define multiple VPN topologies in Security Manager, where each topology includes spokes containing matching spoke definitions.
device-specific policies, such as VPN interfaces and protected networks, and any High Availability (HA) policies that are configured on hubs, can be rediscovered. VPN global policies, such as IKE proposals or PKI enrollments, cannot be rediscovered.
Step 5 Click Finish to close the wizard and start the rediscovery process. The Discovery Status window opens, displays the status of the rediscovery, and indicates whether the rediscovery of each device has succeeded or failed (see Viewing Policy Discovery Task Status, page 5-21). Error or warning messages indicate the source of any problems, which may be VPN specific or device specific.
Tip After you create a topology, you cannot change the technology used in the VPN. Instead, you must delete the old VPN and create a new one using the desired technology.
Table 24-4 Create/Edit VPN Wizard Pages (Continued)
Step 6 (GET VPN only) – Hub and Spoke VPN: Synchronize Keys dialog box. When completing the Create VPN wizard for a GET VPN, you are asked if you want to synchronize keys. Clicking Yes initiates the process. See Generating and Synchronizing RSA Keys, page 28-13. Point to Point VPN and Full Mesh VPN: not applicable.
The following table describes the options you can configure when defining the name and technology.
Table 24-5 Name and Technology Page
Name – A unique name that identifies the VPN topology.
Description – Information about the VPN topology.
Selecting Devices for Your VPN Topology
Note This topic does not apply to Extranet VPNs. For information about selecting devices in an Extranet VPN, see Creating or Editing Extranet VPNs, page 24-63.
Use the Device Selection page (or tab) of the Create VPN wizard and Edit VPN dialog box to select the devices to include in the VPN topology.
– Select the devices that you want to define as spokes (or clients in an Easy VPN configuration) and click >> next to the Spokes list.
– If you are configuring a Large Scale DMVPN with IPsec Terminator topology, you must also select the Catalyst 6500/7600 devices you want to be IPsec Terminators in your Large Scale DMVPN configuration.
Tips:
• This configuration applies to all IPsec technology types except GET VPN. To configure GET VPN endpoints when creating the VPN, see Defining GET VPN Peers, page 24-57. For existing GET VPNs, configure endpoints using the Key Servers and Group Members policies; see Configuring GET VPN Key Servers, page 28-18 and Configuring GET VPN Group Members, page 28-20.
topology where the hub is a Catalyst 6500/7600 device that has these modules installed. For more information, see Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPNSPA/VSPA, page 24-45.
– VRF Aware IPsec tab—To configure a VRF-Aware IPsec policy on a hub (IPsec Aggregator) in a hub-and-spoke VPN topology.
Field Reference
Table 24-6 Edit Endpoints Dialog Box, VPN Interface Tab
Enable the VPN Interface Changes on All Selected Peers – Available if you selected more than one device on the Endpoints page for editing.
VPN Interface – The VPN interface defined for the selected device.
Local Peer IPSec Termination – Unavailable if the selected technology is Easy VPN. Specifies the IP address of the VPN interface of the local router. You can select one of the following options:
• Tunnel Source IP Address—Use the IP address of the tunnel source.
Dial Backup Settings
Enable Backup – Available if the selected device is an IOS router that is in a point-to-point or full mesh topology, or that is a spoke in a hub-and-spoke topology, or that is a remote client in an Easy VPN topology.
Configuring Dial Backup
You can use dial backup to provide a fallback link for a primary, direct connection when the primary link becomes unavailable. You can configure dial backup on Cisco IOS security routers that participate in a point-to-point, Extranet, or full mesh VPN topology, or that are spokes in a hub-and-spoke topology. You can also configure it on a remote client router running IOS version 12.
This action opens the Edit Endpoints dialog box. Select the VPN Interface tab if it is not already selected.
Step 3 On the VPN Interface tab, configure the following options related to dial backup. If you are creating a new VPN, you need to configure the other settings (such as the VPN interface) as well. For detailed reference information for these options, see Configuring VPN Interface Endpoint Settings, page 24-35.
Field Reference
Table 24-7 Dial Backup Settings Dialog Box
Next Hop Forwarding
Backup Next Hop IP Address – If required, enter the next hop IP address of the ISDN BRI or analog modem backup interface (that is, the IP address to which the backup interface will connect when it is active).
• If you are configuring a VPNSM or VPNSPA/VSPA with VRF-Aware IPsec on a device, the device cannot belong to a different VPN topology in which VRF-Aware IPsec is not configured. For more information, see Configuring VRF Aware IPsec Settings, page 24-46.
• Create an inside VLAN on the Catalyst 6500/7600 device, or edit an existing port or VLAN configuration.
Field Reference
Table 24-8 Edit Endpoints Dialog Box, VPN Interface Tab’s VPNSM/VPN SPA/VSPA Settings
Enable the VPN Interface Changes on All Selected Peers – Available only if you selected more than one Catalyst 6500/7600 device for editing in the Endpoints page. When selected, applies any changes you make in the VPN Interface tab to all the selected devices.
Tunnel Source – Available only for a hub when the selected technology is IPsec/GRE or DMVPN. Specifies the tunnel source address to be used by the GRE or DMVPN tunnel on the spoke side.
Identifying the Protected Networks for Endpoints
Use the Protected Networks tab on the Edit Endpoints dialog box to edit the protected networks that are defined on devices in the Endpoints table. (See Defining the Endpoints and Protected Networks, page 24-33.)
Use the FWSM tab on the Edit Endpoints dialog box to define the settings that enable you to connect between the FWSM and a VPNSM or VPNSPA/VSPA that is already configured on a Catalyst 6500/7600 device. The FWSM tab is available only in a hub-and-spoke VPN topology when the selected hub is a Catalyst 6500/7600 device.
• In a VPN topology with two hubs, you must configure VRF-Aware IPsec on both devices.
• You cannot configure VRF-Aware IPsec on a device that belongs to another VPN topology in which VRF-Aware IPsec is not configured.
• You cannot configure VRF-Aware IPsec on hubs that have been configured with high availability. See Configuring High Availability in Your VPN Topology, page 24-49.
Table 24-10 Edit Endpoints Dialog Box, VRF Aware IPsec Tab (Continued)
Route Distinguisher – The unique identifier of the VRF routing table on the IPsec Aggregator. This unique route distinguisher maintains the routing separation for each VPN across the MPLS core to the other PE routers.
Next Hop IP Address – The IP address of the Provider Edge (PE) router, or of the interface that is connected to the IPsec Aggregator, if you are using static routing. (2-Box solution, static routing only.)
Redistribute Static Route – (2-Box solution, non-static routing only.
• The same auto-generated preshared key must be used for authentication on all peers. If you specified not to use this option when configuring a preshared key policy, this is overridden during configuration of High Availability. For more information, see Configuring IKEv1 Preshared Key Policies, page 25-44.
Table 24-11 High Availability Page (Continued)
Enable Stateful Failover – Whether to enable stateful failover, which uses Stateful SwitchOver (SSO) to ensure that state information is shared between the HSRP devices in the HA group.
Chapter 24 Managing Site-to-Site VPNs: The Basics Creating or Editing VPN Topologies Table 24-12 GET VPN Group Encryption Policy Page Element Description Group Settings Tab Group Name The name of the Group Name of Interpretation (GDOI) group. This name is the same as a VPN name. Group Identity A parameter that is used to identify the group. All key servers and group members use this parameter to identify with the group.
Chapter 24 Managing Site-to-Site VPNs: The Basics Creating or Editing VPN Topologies Table 24-12 GET VPN Group Encryption Policy Page (Continued) Element Description Key Distribution The transport method to be used to distribute keys to each group member, either unicast or multicast. For help deciding which to use, see Choosing the Rekey Transport Mechanism, page 28-6. If you select unicast, the key server sends a rekey message to each registered group member and waits for an acknowledgment.
Table 24-12 GET VPN Group Encryption Policy Page (Continued) Element Description Security Associations Tab Security Associations table Use the Security Associations table to define security associations for the VPN. The columns in the table summarize the settings for an entry and are explained in Add New or Edit Security Association Dialog Box, page 24-55.
Related Topics • Understanding the GET VPN Registration Process, page 28-4 • Understanding Group Encrypted Transport (GET) VPNs, page 28-2 • Configuring GET VPN, page 28-12 Add New or Edit Security Association Dialog Box Use the Add New or Edit Security Association dialog boxes to define an IPSec profile (name and transform set only) and security policy used by the selected GET VPN topology.
Table 24-13 Add New Security Association Dialog Box (Continued) Element Description Security Policy The access control list policy object defined for the security association. Click Select to choose from a list of predefined ACL objects or to create a new one.
Table 24-13 Add New Security Association Dialog Box (Continued) Element Description Enable IPSec Lifetime Whether to configure an IPsec security association lifetime that overrides the global setting, which is configured in the Global Settings for GET VPN policy (see Configuring Global Settings for GET VPN, page 28-16).
Step 1 Configure the key servers if the default settings are not appropriate. For each key server you want to modify, select it, click the Edit (pencil) button beneath the table, and configure at least the following settings. For information on all available settings, see Edit Key Server Dialog Box, page 28-19. • Identity Interface—Select the interface that group members use to identify the key server and register with it.
• The initial defaults listed in this page are configured in the Security Manager Administration VPN Policy Defaults Page, page 11-53. If no specific default was configured for a mandatory policy, the Factory Default policy is selected. For more information about configuring default policies, see Understanding and Configuring VPN Default Policies, page 24-12.
Note The summary for standard VPNs is significantly different from the summary for Extranet VPNs. This table is divided in two, with the top half explaining summaries for standard VPNs, and the bottom half explaining summaries for Extranet VPNs. Table 24-14 VPN Summary Page Element Description Summary Information for Standard VPNs Name The name of the VPN topology.
Table 24-14 VPN Summary Page (Continued) Element Description Transform Sets The IPsec IKEv1 transform sets that specify the authentication and encryption algorithms that will be used to secure the traffic in the VPN tunnel. See Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21. Note IPsec IKEv2 transform sets are not displayed in the summary. Preshared Key
Table 24-14 VPN Summary Page (Continued) Element Description High Availability Available if the VPN topology type is hub-and-spoke. If a High Availability policy is configured on a device in your hub-and-spoke VPN topology, displays the details of the policy. See Configuring High Availability in Your VPN Topology, page 24-49. VRF-Aware IPsec Available if the VPN topology type is hub-and-spoke.
Chapter 24 Managing Site-to-Site VPNs: The Basics Creating or Editing Extranet VPNs Related Topics • Configuring an IKE Proposal, page 25-9 • Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21 • Configuring IKEv1 Preshared Key Policies, page 25-44 • Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50 • Configuring GRE Modes for GRE or GRE Dynamic IP VPNs, page 26-6 • Configuring GRE Modes for DMVPN, page 26-12 • Configuring Large Scale DMVPNs, page
• You can configure Extranet VPN connections for regular IPsec point-to-point connections only. For example, you cannot use this method to identify a GET VPN key server that exists in your service provider’s network. To configure all other types of Extranet connections, you must add dummy unmanaged devices to the Security Manager inventory as described in Including Unmanaged or Non-Cisco Devices in a VPN, page 24-11.
– Protected Networks—The networks that the device is protecting for this VPN. Click Select to display the Protected Network Selection dialog box in which you can specify the protected networks using an interface name, interface role object, network/host group object, or ACL object. You can also use the Protected Network Selection dialog box to define new network/host group or ACL objects.
Note • The DH Group attribute (for Diffie-Hellman modulus group) is called Modulus Group in other policies and policy objects. Configure the IKE Phase 2 (IPsec) Proposal parameters. Most of these parameters will be used to create an IPsec transform set policy object with the name ExtranetName_transformSet.
Deleting a VPN Topology Deleting a VPN topology removes IPsec tunnels between peers and all configurations associated with the VPN topology from the devices and networks assigned to the site-to-site VPN. The actual VPN is not removed from the network until you deploy configurations. Step 1 Do one of the following: • Select Manage > Site-To-Site VPNs to open the Site-to-Site VPN Manager Window, page 24-18.
CHAPTER 25 Configuring IKE and IPsec Policies This chapter describes how to configure Internet Protocol Security (IPsec) and the Internet Security Association and Key Management Protocol (ISAKMP, or IKE) standards to build site-to-site and remote access IPsec Virtual Private Networks (VPNs). These policies are used in regular IPsec and other types of IPsec-based VPN technologies to build VPN tunnels.
Overview of IKE and IPsec Configurations Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security associations (SAs). The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2.
• Preshared keys—For remote access IKEv1 IPsec VPNs, you define the preshared keys in the Connection Profiles policy; preshared keys are not supported for IKEv2 in remote access VPNs. For site-to-site VPNs, you define the keys in the IKEv1 Preshared Keys or the IKEv2 Authentication policy based on the IKE version you are using.
– Configuring VPN Global ISAKMP/IPsec Settings, page 25-30 – Configuring VPN Global IKEv2 Settings, page 25-34 – Configuring VPN Global NAT Settings, page 25-38 – Configuring VPN Global General Settings, page 25-40 • Configuring Global Settings for GET VPN, page 28-16 Step 5 If you are configuring a remote access IKEv2 IPsec VPN, you must also configure several policies for SSL VPN.
Related Topics • Overview of IKE and IPsec Configurations, page 25-2 • Configuring an IKE Proposal, page 25-9 Understanding IKE Internet Key Exchange (IKE), also called Internet Security Association and Key Management Protocol (ISAKMP), is the negotiation protocol that lets two hosts agree on how to build an IPsec security association (SA). It provides a common framework for agreeing on the format of SA attributes.
When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order. A match between IKE policies exists if they have the same encryption, hash (integrity and PRF for IKEv2), authentication, and Diffie-Hellman values, and an SA lifetime less than or equal to the lifetime in the policy sent.
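The matching rule above, modelled in Python as an added example (not Security Manager or Cisco code): the responder walks its own policies in priority order and accepts the first one whose algorithms equal a policy the initiator sent and whose lifetime does not exceed the sent lifetime. Policy values and the hub/spoke configurations are constructed sample data; the IKEv2 PRF comparison is included as the text describes.

```python
"""IKE policy matching as described in the text (added example, not product code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int           # lower number = higher priority, as in IOS/ASA policy numbering
    encryption: str         # e.g. "aes-256", "3des"
    hash: str               # IKEv1 hash; for IKEv2 this is the integrity algorithm
    authentication: str     # "pre-share" or "rsa-sig"
    dh_group: int           # Diffie-Hellman (modulus) group
    lifetime: int           # SA lifetime in seconds
    prf: Optional[str] = None  # IKEv2 only: pseudo-random function


def policies_match(sent: IkePolicy, local: IkePolicy, ikev2: bool = False) -> bool:
    """True if the responder's 'local' policy matches the policy 'sent' by the initiator."""
    same_algorithms = (
        sent.encryption == local.encryption
        and sent.hash == local.hash
        and sent.authentication == local.authentication
        and sent.dh_group == local.dh_group
    )
    if ikev2:
        # IKEv2 proposals also carry a PRF, which must agree as well.
        same_algorithms = same_algorithms and sent.prf == local.prf
    # The responder's lifetime must be less than or equal to the lifetime in the sent policy.
    return same_algorithms and local.lifetime <= sent.lifetime


def negotiate(
    initiator_policies: List[IkePolicy],
    responder_policies: List[IkePolicy],
    ikev2: bool = False,
) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Responder searches its own policies in priority order against everything the
    initiator sent; the first match wins. Returns (sent, local, negotiated_lifetime)
    or None when no policy pair matches (Phase 1 fails)."""
    for local in sorted(responder_policies, key=lambda p: p.priority):
        for sent in sorted(initiator_policies, key=lambda p: p.priority):
            if policies_match(sent, local, ikev2):
                # The match rule guarantees local.lifetime <= sent.lifetime, so the
                # responder's (shorter or equal) lifetime is the one the SA ends up with.
                return sent, local, local.lifetime
    return None


# Constructed sample configurations: a spoke initiating to a hub.
SPOKE_POLICIES = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 14, 86400),
    IkePolicy(20, "aes-128", "sha", "pre-share", 2, 86400),
]
HUB_POLICIES = [
    IkePolicy(10, "3des", "md5", "pre-share", 2, 86400),      # nothing the spoke offers
    IkePolicy(20, "aes-256", "sha", "pre-share", 14, 43200),  # matches spoke priority 10
]


def describe(result: Optional[Tuple[IkePolicy, IkePolicy, int]]) -> str:
    """Human-readable outcome for the sample negotiation."""
    if result is None:
        return "no matching IKE policy: Phase 1 negotiation fails"
    sent, local, lifetime = result
    return (f"matched initiator policy {sent.priority} with responder policy "
            f"{local.priority}: {local.encryption}/{local.hash}/{local.authentication}/"
            f"group {local.dh_group}, lifetime {lifetime}s")


if __name__ == "__main__":
    print(describe(negotiate(SPOKE_POLICIES, HUB_POLICIES)))
```

A responder policy with identical algorithms but a longer lifetime than the one sent is not a match, so lifetimes that are only "close" on both ends still break the tunnel.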
The following options, which are even more secure, are available for IKEv2 configurations on ASA 8.4(2+) devices: – SHA512—A 512-bit key. – SHA384—A 384-bit key. – SHA256—A 256-bit key. • MD5 (Message Digest 5) produces a 128-bit digest and uses less processing time for an overall faster performance than SHA, but it is considered to be weaker than SHA.
Related Topics • Understanding IKE, page 25-5 • Configuring an IKE Proposal, page 25-9 Deciding Which Authentication Method to Use Security Manager supports two methods for peer device authentication in a VPN communication: • Preshared Key—Preshared keys allow for a secret key to be shared between two peers and to be used by IKE during the authentication phase.
Related Topics • Understanding IKE, page 25-5 • Configuring an IKE Proposal, page 25-9 Configuring an IKE Proposal In Security Manager, an IKE proposal is a mandatory policy when you configure a site-to-site or remote access IPsec VPN.
– (Policy view) Select Site-to-Site VPN > IKE Proposal from the Policy Types selector. Select an existing shared policy or create a new one. Step 2 In each of the IKEv1 Proposals and IKEv2 Proposals fields, click Select to choose the policy objects that define the settings for an IKE version 1 or version 2 proposal. Configure proposals only for those IKE versions supported in the VPN.
Tip You can also access this dialog box when configuring the IKE Proposal policy as explained in Configuring an IKE Proposal, page 25-9.
Table 25-1 IKEv1 Proposal Dialog Box (Continued) Element Description Hash Algorithm The hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Options are: • SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5. • MD5 (Message Digest 5)—Produces a 128-bit digest. Modulus Group
Table 25-1 IKEv1 Proposal Dialog Box (Continued) Element Description Authentication Method The method of authentication to use between the two peers. For information on how this selection determines which other policies you must configure, see Deciding Which Authentication Method to Use, page 25-8.
Tip Unlike IKEv1, you do not specify the authentication method in the IKE proposal. For more information on how to configure the authentication method in IKEv2, see Deciding Which Authentication Method to Use, page 25-8. Navigation Path Select Manage > Policy Objects, then select IKE Proposals > IKEv2 Proposals from the Object Type Selector.
Table 25-2 IKEv2 Proposal Dialog Box (Continued) Element Description Encryption Algorithm The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. Click Select and select all of the algorithms that you want to allow in the VPN: • AES-GCM-256—Encrypts according to the Advanced Encryption Standard in Galois/Counter Mode using 256-bit keys. (ASA 5580 and ASA 5500-X Series devices running 9.0.1+ only).
Table 25-2 IKEv2 Proposal Dialog Box (Continued) Element Description Integrity (Hash) Algorithm The integrity portion of the hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Click Select and select all of the algorithms that you want to allow in the VPN: Note • If using AES-GCM, AES-GCM-192, or AES-GCM-256, you must select Null as the Integrity Algorithm.
Chapter 25 Configuring IKE and IPsec Policies Understanding IPsec Proposals Table 25-2 IKEv2 Proposal Dialog Box (Continued) Element Description Modulus Group The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group.
The following topics explain IPsec proposal concepts and procedures in more detail: • Understanding IPsec Proposals for Site-to-Site VPNs, page 25-18 – Understanding Crypto Maps, page 25-18 – Understanding Transform Sets, page 25-19 – Understanding Reverse Route Injection, page 25-20 • Configuring IPsec Proposals in Site-to-Site VPNs, page 25-21 • Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects, page 25-25 •
When two peers try to establish an SA, they must each have at least one compatible crypto map entry. The transform set defined in the crypto map entry is used in the IPsec security negotiation to protect the data flows specified by that crypto map’s IPsec rules. Dynamic crypto map policies are used in site-to-site VPNs when an unknown remote peer tries to initiate an IPsec security association with the local hub.
Selecting Tunnel Mode for IKEv1 Transform Sets When defining an IKEv1 transform set, you must specify which IPsec mode of operation to use—tunnel mode or transport mode. You can use the AH and ESP protocols to protect an entire IP payload (Tunnel mode) or just the upper-layer protocols of an IP payload (Transport mode).
• For dynamic crypto maps, routes are created upon the successful establishment of IPsec security associations (SAs) for those remote proxies. The next hop back to those remote proxies is through the remote VPN router whose address is learned and applied during the creation of the dynamic crypto map template. The routes are deleted after the SAs are deleted.
• Understanding IPsec Proposals for Site-to-Site VPNs, page 25-18 Field Reference Table 25-3 IPsec Proposal Page, Site-to-Site VPNs (except Easy VPN) Element Description (Hub and spoke and full mesh topologies only.) A crypto map combines all the components required to set up IPsec security associations (SA). When two peers try to establish an SA, they must each have at least one compatible crypto map entry. For more
Table 25-3 IPsec Proposal Page, Site-to-Site VPNs (except Easy VPN) (Continued) Element Description Enable Perfect Forward Secrecy Whether to use Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange.
Table 25-3 IPsec Proposal Page, Site-to-Site VPNs (except Easy VPN) (Continued) Element Description Reverse Route Supported on ASA devices, PIX 7.0+ devices, and Cisco IOS routers except 7600 devices. Reverse Route Injection (RRI) enables static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint.
Selecting the IKE Version for Devices in Site-to-Site VPNs Use the IKE Version tab in the IPsec Proposal page to select which version of IKE to use for each device in a hub-and-spoke or full mesh site-to-site VPN. This tab appears only in the Site-to-Site VPN Manager; you cannot configure the options in Policy view, because they are specific to the actual devices in a VPN topology.
• Authentication Header (AH)—Provides authentication and anti-replay services. AH does not provide encryption and has largely been superseded by ESP. It is also supported on routers only. AH is IP protocol type 51. Note We recommend using both encryption and authentication on IPSec tunnels.
Table 25-4 IPSec IKEv1 or IKEv2 Transform Set Dialog Box (Continued) Element Description Description A description of the policy object. A maximum of 1024 characters is allowed. Mode The mode in which the IPSec tunnel operates: (IKEv1 only.) • Tunnel—Tunnel mode encapsulates the entire IP packet. The IPSec header is added between the original IP header and a new IP header. This is the default.
Table 25-4 IPSec IKEv1 or IKEv2 Transform Set Dialog Box (Continued) Element Description ESP Encryption The Encapsulating Security Protocol (ESP) encryption algorithm that the transform set should use. For more information on the following options, see Deciding Which Encryption Algorithm to Use, page 25-6. For IKEv1, select one of the following options.
Chapter 25 Configuring IKE and IPsec Policies Configuring VPN Global Settings Table 25-4 IPSec IKEv1 or IKEv2 Transform Set Dialog Box (Continued) Element Description ESP Hash Algorithm (IKEv1) The hash or integrity algorithm to use in the transform set for authentication. For IKEv1, the default is to use SHA for ESP authentication and to not use AH authentication. For IKEv2, there is no default. The AH hash algorithm is used on routers only.
– (Device View) Select Remote Access VPN > Global Settings from the Policy selector. – (Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select an existing policy or create a new one. • For site-to-site VPNs, do one of the following: – Open the Site-to-Site VPN Manager Window, page 24-18, select a topology in the VPNs selector, then select VPN Global Settings in the Policies selector.
Navigation Path • For remote access VPNs, do one of the following: – (Device View) Select Remote Access VPN > Global Settings from the Policy selector. Click the ISAKMP/IPsec Settings tab. – (Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select an existing policy or create a new one, then click the ISAKMP/IPsec Settings tab.
Table 25-5 VPN Global Settings Page, ISAKMP/IPsec Settings Tab (Continued) Element Description Identity During Phase I IKE negotiations, peers must identify themselves to each other. Select one of the following: • Address—Use the IP address of the host exchanging ISAKMP identity information. This is the default. • Hostname—Use the fully-qualified domain name of the host exchanging ISAKMP identity information.
Table 25-5 VPN Global Settings Page, ISAKMP/IPsec Settings Tab (Continued) Element Description Xauth Timeout Supported on Cisco IOS routers and Catalyst 6500/7600 devices in remote access VPN and Easy VPN topologies only. The number of seconds the device will wait for a system response to the Xauth challenge.
Table 25-5 VPN Global Settings Page, ISAKMP/IPsec Settings Tab (Continued) Element Description Enable SPI Recovery Supported on routers running IOS version 12.3(2)T and later, in addition to Catalyst 6500/7600 devices running version 12.2(18)SXE and later. (Site-to-site VPNs only.
If used in conjunction with the Maximum SAs in Negotiation option, configure a lower cookie-challenge threshold. Navigation Path • For remote access VPNs, do one of the following: – (Device View) Select Remote Access VPN > Global Settings from the Policy selector. Click the IKEv2 Settings tab. – (Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector.
Table 25-6 VPN Global Settings Page, IKEv2 Settings Tab (Continued) Element Description Enable Cookie Challenge Whether to send cookie challenges to peer devices in response to SA initiate packets, which can help thwart denial of service (DoS) attacks. The default is to use cookie challenges when 50% of the available SAs are in negotiation.
Table 25-6 VPN Global Settings Page, IKEv2 Settings Tab (Continued) Element Description Redirect Connections During (Remote access VPNs only.) If you configure load balancing, using the ASA Cluster Load Balance policy, you can specify the IKEv2 negotiation phase in which a user can be redirected to another device in the cluster. Select one of these
Note When you enable PAT on Cisco IOS routers, an additional NAT rule is implicitly created for split-tunneled traffic on deployment. This NAT rule, which denies VPN-tunneled traffic and permits all other traffic (using the external interface as the IP address pool), is not reflected as a router platform policy. You can remove the NAT rule by disabling this feature.
Navigation Path • For remote access VPNs, do one of the following: – (Device View) Select Remote Access VPN > Global Settings from the Policy selector. Click the NAT Settings tab. – (Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select an existing policy or create a new one, then click the NAT Settings tab.
Table 25-7 VPN Global Settings Page, NAT Settings Tab (Continued) Element Description Enable PAT (Port Address Translation) on Split Tunneling for Spokes Supported on Cisco IOS routers and Catalyst 6500/7600 devices. (Site-to-site VPNs only.) PAT can associate thousands of private NAT addresses with a small group of public IP addresses through the use of port addressing.
– Open the Site-to-Site VPN Manager Window, page 24-18, select a topology in the VPNs selector, then select VPN Global Settings in the Policies selector. Click the General Settings tab. – (Policy view) Select Site-to-Site VPN > VPN Global Settings from the Policy Types selector. Select an existing shared policy or create a new one, then click the General Settings tab.
Table 25-8 VPN Global Settings Page, General Settings Tab (Continued) Element Description DF Bit Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0+ and ASA devices. A Do Not Fragment (DF) bit within an IP header determines whether a device is allowed to fragment a packet.
Chapter 25 Configuring IKE and IPsec Policies Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs Table 25-8 VPN Global Settings Page, General Settings Tab (Continued) Element Description Enable Default Route Supported on Cisco IOS routers and Catalyst 6500/7600 devices. When selected, the device uses the configured external interface as the default outbound route for all incoming traffic.
Note If you are configuring DMVPN with direct spoke-to-spoke connectivity, you create a wildcard key on the spokes. • Main mode fully qualified domain name (FQDN)—Negotiation is based on DNS resolution, with no reliance on IP address. This option can only be used if the DNS resolution service is available for the host.
Table 25-9 IKEv1 Preshared Key Page (Continued) Element Description Auto Generated When selected, allocates a random key to the participating peers. This ensures security because a different key is generated for every hub-spoke connection. Auto Generated is the default selection.
Table 25-9 IKEv1 Preshared Key Page (Continued) Element Description Main Mode Address Use this negotiation method for exchanging key information if the IP address of the devices is known. Negotiation is based on IP address. Main mode provides the highest security because it has three two-way exchanges between the initiator and receiver. Main mode address is the default negotiation method.
Understanding Public Key Infrastructure Policies Security Manager supports IPsec configuration with Certification Authority (CA) servers that manage certificate requests and issue certificates to devices in your VPN topology.
• Manually creating an enrollment request that you can submit to a CA server offline, by copying the CA server’s certificates from another device. Use this method if your device cannot establish a direct connection to the CA server or if you want to generate an enrollment request and send it to the server at a later time. Note This method enables you to deploy the PKI policy either to devices or to files.
Note You do not need to configure the name of the user group on the hub (Easy VPN server). For more information, see PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 25-61. • To deploy PKI policies to files (not to live devices), the following prerequisites must be met: – Routers must run Cisco IOS Software 12.3(7)T or later.
5. Either select Browse for a file (and browse to the TFTP server and select the .req file), or open the .req file just received by TFTP with WordPad/Notepad and copy and paste its contents into the first window. 6. Export the .crt file from the CA and put it on the TFTP server. 7. Configure the ‘crypto ca import
The Public Key Infrastructure page opens, displaying the currently selected CA server, if any, in the Selected field. Step 2 Select the PKI enrollment policy object that defines the desired CA server in the Available CA Servers list. You can do the following to modify the listed objects: • To add a new PKI enrollment object, click the Create (+) button. The Add PKI Enrollment dialog box opens.
Related Topics • Understanding Public Key Infrastructure Policies, page 25-47 • Deciding Which Authentication Method to Use, page 25-8 Step 1 To create the PKI enrollment object, open the PKI Enrollment dialog box. You can access this dialog box in two ways: • From the Public Key Infrastructure policy—Click the Create (+) button beneath the Selected field.
In Security Manager, CA servers are predefined as PKI enrollment objects that you can use in your PKI policies. A PKI enrollment object contains the server information and enrollment parameters that are required for creating enrollment requests for CA certificates. For more information about Public Key Infrastructure policies, see Understanding Public Key Infrastructure Policies, page 25-47.
• To add a new PKI enrollment object, click the Create (+) button below the list of available servers. The Add PKI Enrollment dialog box opens. For detailed information about the attributes of a PKI enrollment object, see PKI Enrollment Dialog Box, page 25-54. • To change the configuration of an existing object, select it in either list and click the Edit (pencil) button.
Field Reference Table 25-10 PKI Enrollment Dialog Box Element Description Name The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 6-9. Description An optional description of the object.
Related Topics • PKI Enrollment Dialog Box—Enrollment Parameters Tab, page 25-59 • PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 25-61 • PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page 25-62 Field Reference Table 25-11 PKI Enrollment Dialog Box—CA Information Tab Element Description CA Server Nickname The name used to identify the CA server in the certificate request.
Table 25-11 PKI Enrollment Dialog Box—CA Information Tab (Continued) Element Description Enrollment URL The URL of the CA server to which devices should attempt to enroll. The URL can be in the following formats: (URL enrollment only.) • SCEP—Uses an HTTP URL in the form of http://CA_name:port, where CA_name is the host DNS name or IP address of the CA server. The port number is mandatory.
Table 25-11 PKI Enrollment Dialog Box—CA Information Tab (Continued) Element Description Revocation Check Support The type of certificate revocation checking to be performed: • Checking Not Performed—This is the default. The device does not perform any revocation checking, even if a CRL is on the device. • CRL Check Required—The device must check a CRL.
PKI Enrollment Dialog Box—Enrollment Parameters Tab Use the Enrollment Parameters tab of the PKI Enrollment dialog box to define the retry settings to use when the device contacts the CA server as well as the settings for generating the RSA key pair to associate with the certificate.
Table 25-12 PKI Enrollment Dialog Box—Enrollment Parameters Tab (Continued). Certificate Auto-Enrollment: The percentage of the current certificate’s lifetime after which the router requests a new certificate. For example, if you enter 70, the router requests a new certificate after 70% of the lifetime of the current certificate has been reached. Values range from 10% to 100%.
PKI Enrollment Dialog Box—Certificate Subject Name Tab Use the Certificate Subject Name tab of the PKI Enrollment dialog box to optionally define additional information about the device in certificate requests sent to the CA server. This information is placed in the certificate and can be viewed by any party who receives the certificate from the router. Enter all information using the standard LDAP X.500 format.
Chapter 25 Configuring IKE and IPsec Policies Configuring IKEv2 Authentication in Site-to-Site VPNs Table 25-13 PKI Enrollment Dialog Box—Certificate Subject Name Tab (Continued). Email (E): The email address to include in the certificate. PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab Use the Trusted CA Hierarchy tab of the PKI Enrollment dialog box to define the trusted CA servers within a hierarchical PKI framework.
Tip The IKEv2 Authentication policy is not a shared policy. You must configure the policy for each VPN topology in which you support IKEv2 negotiations. You cannot configure global IKEv2 authentication options for use by all of your VPN topologies. When using the Create VPN wizard, even if you elect to support IKEv2, the IKEv2 Authentication policy is never configured.
• To delete an override, select it in the table and click the Delete Row (trash can) button. IKEv2 Authentication Policy Use the IKEv2 Authentication policy to configure the device authentication settings for Internet Key Exchange (IKE) version 2 in site-to-site VPNs. These settings apply to ASA 8.4(1)+ devices only.
Field Reference Table 25-14 IKEv2 Authentication Policy. Global IKEv2 Authentication Settings Tab. Key Specification: Use a preshared key for authentication in the VPN. Configure one of the following: • User Defined—Enter the desired global key and enter it again in the Confirm field. The key can be 1 to 128 characters. • Auto Generated—Have Security Manager generate a key for you.
Table 25-14 IKEv2 Authentication Policy (Continued). Override IKEv2 Authentication Settings tab: The table lists the IKEv2 authentication overrides defined for the VPN. These policies take precedence over the preshared key/PKI configuration defined in the global settings.
Table 25-15 IKEv2 Authentication Dialog Box (Continued). IKEv2 Authentication Mode: The IKEv2 authentication mode to use between the selected local and remote peers. Select one of the following: • Key Specification—A user-defined preshared key, from 1 to 128 characters. Enter the desired key and enter it again in the Confirm field.
Chapter 26 GRE and DM VPNs You can configure Generic Routing Encapsulation (GRE) and Dynamic Multipoint (DM) VPNs that include GRE mode configurations. You can configure IPsec GRE VPNs for hub-and-spoke, point-to-point, and full mesh VPN topologies. DMVPN is available for hub-and-spoke topologies only.
Chapter 26 GRE and DM VPNs GRE and Dynamic GRE VPNs Note When configuring an IPsec/GRE, GRE Dynamic IP, or DMVPN routing policy, Security Manager adds a routing protocol to all the devices in the secured IGP, on deployment. If you want to maintain this secured IGP, you must create a router platform policy (on each member device) using the same routing protocol and autonomous system (or process ID) number as defined in the GRE Modes policy.
• Understanding GRE Configuration for Dynamically Addressed Spokes, page 26-5 Advantages of IPsec Tunneling with GRE The main advantages of IPsec tunneling with GRE are the following: • GRE uses a routing protocol by which every IPsec peer knows the status of every other peer at all times. • GRE provides higher resiliency than IKE keepalive. • Spoke-to-spoke connectivity is supported when you use GRE.
– OSPF—Open Shortest Path First is a link-state, hierarchical protocol that features least-cost routing, multipath routing, and load balancing. Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network, so that all will have the same routing table information. For more information, see OSPF Routing on Cisco IOS Routers, page 64-19.
Understanding GRE Configuration for Dynamically Addressed Spokes When a spoke has a dynamic IP address, there is no fixed GRE tunnel source address (to be used by the GRE tunnel on the spoke side) or destination address (to be used by the GRE tunnel on the hub side). Therefore, Security Manager creates additional loopback interfaces on the hub and the spoke, to be used as the GRE tunnel endpoints.
Related Topics • Understanding IKE, page 25-5 • Understanding GRE, page 26-2 • Prerequisites for Successful Configuration of GRE, page 26-3 • Advantages of IPsec Tunneling with GRE, page 26-3 Configuring GRE Modes for GRE or GRE Dynamic IP VPNs Use the GRE Modes policy to define the routing and tunnel parameters for IPsec tunneling in a GRE or GRE Dynamic IP VPN.
Table 26-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs (Continued). Hold Time (EIGRP only): The number of seconds the router will wait to receive a hello message before invalidating the connection. The range is between 1 and 65535. The default hold time is 15 seconds (three times the hello interval). Delay (EIGRP only.) Failover Delay (EIGRP only.) Bandwidth (EIGRP only.
Table 26-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs (Continued). Failover Cost (OSPF or RIPv2 only): The cost of sending a packet on the secondary (failover) route interface. You can enter a value in the range 1-65535 for OSPF (the default is 125), or in the range 1-15 for RIPv2 (the default is 2).
Chapter 26 GRE and DM VPNs Dynamic Multipoint VPNs (DMVPN) Table 26-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs (Continued). Configure Unique Tunnel Source for each Tunnel: When enabled, each GRE tunnel interface in the VPN is assigned a unique tunnel source. In the Tunnel Source IP Range field, enter a subnet IP to be used as tunnel sources. Note: When enabled, this feature is set for all GRE tunnel interfaces in the VPN. Tunnel Source IP Range (GRE Dynamic IP only.)
Understanding DMVPN Dynamic Multipoint VPN (DMVPN) enables better scaling of large and small IPsec VPNs by combining generic routing encapsulation (GRE) tunnels, IP Security (IPsec) encryption, and Next Hop Resolution Protocol (NHRP) routing. (For information about large scale DMVPNs, see Configuring Large Scale DMVPNs, page 26-16.) Security Manager supports DMVPN using the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and GRE static routes.
When you configure the GRE Modes policy for a DMVPN, you can elect to allow spokes to create these direct connections. You must select the DMVPN phase to use for these connections: • Phase 2—Spoke to spoke connections go through regional hubs and routing protocol updates from hubs to spokes are not summarized. • Phase 3 (Default)—Spokes can create direct connections with each other and routing updates from hubs to spokes are summarized.
Configuring DMVPN To configure a hub-and-spoke Dynamic Multipoint VPN, use the Create VPN wizard as described in Creating or Editing VPN Topologies, page 24-28. You can also edit the membership of the VPN, or some of its policies, using the described procedures. If you are creating a Large Scale DMVPN, also see Configuring Large Scale DMVPNs, page 26-16.
Table 26-2 GRE Modes Page for DMVPN. Routing Parameters Tab. Routing Protocol: Select the required dynamic routing protocol, or static route, to be used in the DMVPN tunnel. Options include the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and GRE static routes. On-Demand Routing (ODR) is also supported. On-Demand Routing is not a routing protocol.
Table 26-2 GRE Modes Page for DMVPN (Continued). Hub Network Area ID (OSPF only): The ID number of the area in which the hub’s protected networks will be advertised, including the tunnel subnet. You can enter any number. The default is 0. Spoke Protected Network Area ID (OSPF only.) Authentication Key (OSPF and RIPv2.
Table 26-2 GRE Modes Page for DMVPN (Continued). Tunnel Parameters Tab. Tunnel IP Range: The IP address range of the inside tunnel interface IP address, including the unique subnet mask. This field defines a subnet, such as 10.1.1.0/24.
Table 26-2 GRE Modes Page for DMVPN (Continued). Hold time: The time, in seconds, that routers will keep information provided in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the hold time expires. The default is 300 seconds. Authentication: An authentication string that controls whether the source and destination NHRP stations allow intercommunication.
After you create the Large Scale DMVPN topology, a Server Load Balance policy is configured on the IPsec Terminators with all the required parameters, which you can edit if required. Initially, all hubs are given the same priority and number of VPN connections. For information on configuring the Server Load Balance policy, see Configuring Server Load Balancing in Large Scale DMVPN, page 26-17.
Field Reference Table 26-3 Edit Load Balancing Parameters Dialog Box. Weight: The capacity of the hub relative to other hubs connected to the IPsec Terminator, based on the weighted round robin (WRR) scheduling algorithm. You can enter a value between 1 and 255. The default is 1. Max Connections: The maximum number of active connections to the IPsec Terminator that are permitted to the hub.
Chapter 27 Easy VPN Easy VPN is a hub-and-spoke VPN topology that can be used with a variety of routers, PIX, and ASA devices. Policies are defined mostly on the hub and pushed to remote spoke VPN devices, ensuring that clients have up-to-date policies in place before establishing a secure connection.
Chapter 27 Easy VPN Understanding Easy VPN • Easy VPN Configuration Modes, page 27-3 • Easy VPN and IKE Extended Authentication (Xauth), page 27-4 • Overview of Configuring Easy VPN, page 27-5 • Important Notes About Easy VPN Configuration, page 27-6 Easy VPN with Dial Backup Dial backup for Easy VPN allows you to configure a dial backup tunnel connection on your remote client device.
VPN configuration compared to the more complex process of using access control lists (ACLs) with a crypto map. Dynamic VTIs function like any other real interface so that you can apply quality of service (QoS), firewall, and other security services as soon as the tunnel is active. Dynamic VTIs use a virtual template infrastructure for dynamic instantiation and management of IPsec interfaces.
Note All modes of operation can also support split tunneling, which allows secure access to corporate resources through the VPN tunnel while also allowing Internet access through a connection to an ISP or other service (thereby eliminating the corporate network from the path for web access). You configure the mode in the Client Connection Characteristics policy as described in Configuring Client Connection Characteristics for Easy VPN, page 27-7.
• Auto—The Easy VPN tunnel is established automatically when the Easy VPN configuration is delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically reconnects and retries indefinitely. This is the default option. • Traffic Triggered Activation—The Easy VPN tunnel is established whenever outbound local (LAN side) traffic is detected.
4. After the IKE SA is successfully established, and if the VPN server is configured for Xauth, the client waits for a “username/password” challenge and then responds to the challenge of the peer. The information that is entered is checked against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy.
Chapter 27 Easy VPN Configuring Client Connection Characteristics for Easy VPN Configuring Client Connection Characteristics for Easy VPN Use the Client Connection Characteristics page to specify how traffic will be routed in the Easy VPN topology and how the VPN tunnel will be established. The characteristics defined in this policy are configured on the remote clients.
Table 27-1 Easy VPN Client Connection Characteristics Page (Continued). Xauth Credentials Source: Select how you want to enter the Xauth credentials for user authentication when you establish a VPN connection with the server: • Device Stored Credentials (default)—The username and password are saved on the device itself in the device’s configuration file to be used each time the tunnel is established.
Table 27-1 Easy VPN Client Connection Characteristics Page (Continued). User Authentication Method (IOS): Available only if you selected the Interactive Entered Credentials option for the Xauth credentials source. The option applies to remote IOS routers only.
Chapter 27 Easy VPN Configuring an IPsec Proposal for Easy VPN Table 27-2 Credentials Dialog Box (Continued). Category: The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12. Allow Value Override per Device: Whether to allow the object definition to be changed at the device level.
Field Reference Table 27-3 Easy VPN IPsec Proposal Tab. IKEv1 Transform Sets: The transform sets to be used for your tunnel policy. Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. You can select up to 11 transform sets. For more information, see Understanding Transform Sets, page 25-19. Transform sets may use only tunnel mode IPsec operation.
Table 27-3 Easy VPN IPsec Proposal Tab (Continued). Group Policy Lookup/AAA Authorization Method: Supported on Cisco IOS routers only. The AAA authorization method list that will be used to define the order in which the group policies are searched. Group policies can be configured either on the local server or on an external AAA server.
Chapter 27 Easy VPN Configuring a Connection Profile Policy for Easy VPN Related Topics • Understanding Easy VPN, page 27-1 • Configuring an IPsec Proposal for Easy VPN, page 27-10 Field Reference Table 27-4 Easy VPN IPSec Proposal, Dynamic VTI Tab. Enable Dynamic VTI: When selected, enables Security Manager to implicitly create a dynamic virtual template interface on the device.
Chapter 27 Easy VPN Configuring a User Group Policy for Easy VPN On the PIX7.0+/ASA Connection Profiles page, you can configure connection profiles on your Easy VPN server. Related Topics • Creating or Editing VPN Topologies, page 24-28 • Understanding IPsec Technologies and Policies, page 24-5 • Understanding Easy VPN, page 27-1 Step 1 Do one of the following: • (Site-to-Site VPN Manager Window, page 24-18) Select an Easy VPN topology in the VPNs selector, then select Connection Profiles (PIX 7.
Related Topics • Understanding Easy VPN, page 27-1
Chapter 28 Group Encrypted Transport (GET) VPNs Cisco Group Encrypted Transport virtual private network (GET VPN) is a full-mesh VPN technology that can be used in a variety of WAN environments, including IP and Multiprotocol Label Switching (MPLS). GET VPN comprises a set of features that are necessary to secure IP multicast group traffic or unicast traffic over a private WAN that originates on or flows through a Cisco IOS device.
Chapter 28 Group Encrypted Transport (GET) VPNs Understanding Group Encrypted Transport (GET) VPNs • Configuring Global Settings for GET VPN, page 28-16 • Configuring GET VPN Key Servers, page 28-18 • Configuring GET VPN Group Members, page 28-20 • Using Passive Mode to Migrate to GET VPN, page 28-23 • Troubleshooting GET VPN Configurations, page 28-25 Understanding Group Encrypted Transport (GET) VPNs Networked applications such as voice and video increase the need for instantaneous, branch-in
• Key servers—The routers that act as key servers are the gatekeepers to the topology. The group member must successfully register with a key server before becoming an active member of the VPN. The key servers control the shared service policy, and generate and transmit keys to group members. Key servers cannot be group members themselves, but a single key server can service more than one topology.
Chapter 28 Group Encrypted Transport (GET) VPNs Understanding the GET VPN Registration Process 2. Group members exchange IP packets that are encrypted using IPsec. Only the group members are an active part of the VPN. 3. As needed, the key server pushes a rekey message to the group members. The rekey message contains new IPsec policy and keys to use when old IPsec security associations (SAs) expire.
The key server generates the group policy and IPsec security associations (SAs) for the GDOI group. The information generated by the key server includes multiple TEK attributes, traffic encryption policy, lifetime, source and destination, a Security Parameter Index (SPI) ID that is associated with each TEK, and the rekey policy (one KEK).
• Decide whether to require authorization for group members to join the group. You can use certificate authorization (which requires that you also configure the Public Key Infrastructure policy) or preshared keys. Configuring authorization is required if the key server serves more than one group.
Fortunately, it is possible to mix multicast and unicast in a single GET VPN topology so long as all key servers support multicast. When deciding which transport mechanism to use, consider the following recommendations: • If all key servers and group members, and the network, support multicast, use multicast.
Tips • The RSA key must be the same on all cooperative key servers. For information on synchronizing the RSA key, see Generating and Synchronizing RSA Keys, page 28-13. • It is a best practice to enable periodic ISAKMP keepalives between key servers so that the primary key server can track and display the state of the other secondary key servers.
The reason deny works this way in fail-close mode is that fail-close includes an implicit ACL statement that gets added at the bottom of the list of crypto map ACLs. This statement is permit ip any any, which matches all traffic. Because there is no IPsec security association (registration has yet to occur), there is no way to encrypt the remaining traffic and it is dropped.
Chapter 28 Group Encrypted Transport (GET) VPNs Understanding the GET VPN Security Policy and Security Associations Understanding the GET VPN Security Policy and Security Associations GET VPN uses crypto map access control lists (ACLs) to identify the traffic that needs to be encrypted in the VPN. These ACLs also identify traffic that should be sent as clear text instead of being encrypted (essentially, traffic that lies outside of the VPN).
• Key server security policies and security associations—When you configure the Group Encryption Policy for the GET VPN, as described in Defining GET VPN Group Encryption, page 24-51, you configure ACLs that identify the traffic that should be encrypted and protected in the VPN.
Chapter 28 Group Encrypted Transport (GET) VPNs Configuring GET VPN GET VPN uses the Synchronous Anti-Replay (SAR) mechanism to provide anti-replay protection for multisender traffic. SAR is independent of real-world Network Time Protocol (NTP) clock or sequential-counter mechanisms (which guarantee packets are received and processed in order). A SAR clock advances regularly. The time tracked by this clock is called pseudotime.
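The contrast the paragraph above draws between sequence-counter anti-replay and SAR pseudotime for multisender group traffic, as an added example that is neither Security Manager nor Cisco IOS code. The window width, the per-packet fields and all traffic below are constructed sample values, and the receiver's accept rule (sender's stamp within the window of the receiver's own pseudotime) is an assumption made for illustration.

```python
"""Added illustration: why a per-SA sequence counter fails when several group
members send on one shared SA, and how a pseudotime window avoids that.
Everything here is constructed; the window size is an assumed value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    sender: str
    seq: int          # per-sender ESP sequence number (constructed)
    pseudotime: int   # SAR clock value stamped by the sender, in seconds (constructed)


class CounterReplayCheck:
    """Classic sliding window: one highest-seen counter per SA, `width` values remembered."""

    def __init__(self, width: int = 64):
        self.width = width
        self.highest = 0
        self.seen = set()

    def accept(self, pkt: Packet) -> bool:
        # Duplicate counter, or counter older than the window: treat as replay.
        if pkt.seq in self.seen or pkt.seq <= self.highest - self.width:
            return False
        self.seen.add(pkt.seq)
        self.highest = max(self.highest, pkt.seq)
        return True


class PseudotimeReplayCheck:
    """SAR-style check (assumed rule): accept if the sender's stamp lies within
    +/- window of the receiver's own pseudotime. The pseudotime is a group-wide
    clock seeded from the key server, so it needs neither NTP nor per-sender counters."""

    def __init__(self, window: int = 100):
        self.window = window
        self.clock = 0                  # local pseudotime, last synced from the key server

    def sync(self, ks_pseudotime: int) -> None:
        self.clock = ks_pseudotime      # a rekey carries the key server's pseudotime

    def tick(self, seconds: int = 1) -> None:
        self.clock += seconds           # the SAR clock advances regularly between syncs

    def accept(self, pkt: Packet) -> bool:
        return abs(pkt.pseudotime - self.clock) <= self.window


def two_senders_with_counters():
    """Two group members share one SA; both start their counters at 1."""
    rx = CounterReplayCheck()
    from_a = [rx.accept(Packet("gm-a", i, 0)) for i in range(1, 4)]
    from_b = [rx.accept(Packet("gm-b", i, 0)) for i in range(1, 4)]  # legitimate, yet rejected
    return from_a, from_b


def two_senders_with_pseudotime():
    """Same two senders; the window bounds replay to at most `window` seconds."""
    rx = PseudotimeReplayCheck(window=100)
    rx.sync(1000)
    fresh_a = rx.accept(Packet("gm-a", 1, 1000))
    fresh_b = rx.accept(Packet("gm-b", 1, 1005))   # independent of gm-a's counter
    captured = Packet("gm-a", 2, 1010)             # copy of a packet an attacker recorded
    rx.tick(50)
    early_replay = rx.accept(captured)             # still inside the window: accepted
    rx.tick(200)
    late_replay = rx.accept(captured)              # 240 s off: rejected
    return fresh_a, fresh_b, early_replay, late_replay


if __name__ == "__main__":
    print("counter window:", two_senders_with_counters())
    print("pseudotime window:", two_senders_with_pseudotime())
```

The `early_replay` case is the practical caveat: a time-based window only limits replay to the window width, so the window should be as small as the group's clock skew and path delay permit.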
Chapter 28 Group Encrypted Transport (GET) VPNs Generating and Synchronizing RSA Keys • For security associations (ACL rules) and IPSec policies, select Group Encryption Policy > Security Associations. See Defining GET VPN Group Encryption, page 24-51. • For preshared key policies, select IKEv1 Preshared Key. See Configuring IKEv1 Preshared Key Policies, page 25-44. • For public key (PKI) policies, select Public Key Infrastructure.
• The key server uses the private RSA key to authenticate rekey messages from the group members. • The key server provides the public RSA key to group members during registration. • The key server uses the private key to sign the key encryption key (KEK) and traffic encryption key (TEK). The absence of an RSA key prevents the key server from creating the KEK and TEK.
Chapter 28 Group Encrypted Transport (GET) VPNs Configuring the IKE Proposal for GET VPN This command prints out the public and private keys to the terminal, where you can copy them to the clipboard for import into the other key servers. The keys are demarcated by ----BEGIN/END PUBLIC KEY---- and ----BEGIN/END RSA PRIVATE KEY----. Note that you can also export to a URL; see the Cisco IOS Security Command Reference on Cisco.com for detailed usage information. 3.
Chapter 28 Group Encrypted Transport (GET) VPNs Configuring Global Settings for GET VPN Table 28-1 IKE Proposal for GET VPN Policy (Continued). IKE Proposal Overrides. The number of seconds that the ISAKMP SA for key servers and group members is valid. When the lifetime is exceeded, the SA expires and must be renegotiated between the peers. Values can be 1 to 86400. • If you are using cooperative key servers (more than one key server), set the key server lifetime high.
Table 28-2 Global Settings for GET VPN. Enable Keepalive (Key Servers Only): Whether to enable dead peer detection (DPD) keepalive messages between key servers. If there is more than one key server (cooperative key servers), you should enable periodic keepalive so the servers know each other’s status and can elect a new primary server when necessary.
Chapter 28 Group Encrypted Transport (GET) VPNs Configuring GET VPN Key Servers Table 28-2 Global Settings for GET VPN (Continued). IPsec Settings: Select Enable Lifetime if you want to change the default lifetime settings for IPsec SAs. You can configure a lifetime based on the volume of traffic (in kilobytes) between group members, seconds, or both. The key expires when either of the values is reached.
about key server redundancy, see Configuring Redundancy Using Cooperative Key Servers, page 28-7. Note that you can override this order for individual group members; see Configuring GET VPN Group Members, page 28-20 and Edit Group Member Dialog Box, page 28-21.
Chapter 28 Group Encrypted Transport (GET) VPNs Configuring GET VPN Group Members Field Reference Table 28-3 Edit Key Server Dialog Box. Identity Interface: The interface that group members use to identify the key server and register with it. The default is the Loopback interface role, which identifies all Loopback interfaces. Priority: A number between 1 and 100 that designates the role of the key server, either primary or secondary.
• Understanding Group Encrypted Transport (GET) VPNs, page 28-2 • Configuring GET VPN, page 28-12 • Configuring VPN Topologies in Device View, page 24-19 • Filtering Tables, page 1-45 Edit Group Member Dialog Box Use the Edit Group Member dialog box to change the attributes defined for a group member of a GET VPN topology.
Table 28-4 Edit Group Member Dialog Box (Continued). Security Policy: The local group member security ACL used to deny some group member-specific traffic over and above the security ACL downloaded from the key server. Denied traffic is sent in clear text rather than encrypted. For detailed information, see Understanding the GET VPN Security Policy and Security Associations, page 28-10.
Chapter 28 Group Encrypted Transport (GET) VPNs Using Passive Mode to Migrate to GET VPN Table 28-4 Edit Group Member Dialog Box (Continued). Enable Passive SA Mode: Whether to put the group member into passive security association (SA) mode, which means the group member installs the SA in the inbound direction only. This means the group member can receive encrypted data, but it sends clear text data only.
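The classification behaviour described for fail-close mode (Understanding the GET VPN Registration Process) together with the local Security Policy ACL of Table 28-4, as an added example that is neither Security Manager nor Cisco IOS code: a first-match evaluator over constructed sample ACLs. It assumes that the implicit fail-close entry is in effect only until registration succeeds and that the local ACL holds deny entries only, as the table describes.

```python
"""Added illustration of how a GET VPN group member classifies outbound traffic.
Order (first match wins): local member ACL (deny = send in clear), then the ACL
downloaded from the key server (permit = encrypt, deny = clear), and, in fail-close
mode before registration, an implicit 'permit ip any any' that drops everything
the member cannot yet encrypt. All addresses and ACLs are constructed samples."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List


@dataclass(frozen=True)
class Ace:
    """One crypto map ACL entry; 0.0.0.0/0 stands for 'any'."""
    action: str            # "permit" (traffic belongs to the VPN) or "deny" (clear text)
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return IPv4Address(src) in self.src and IPv4Address(dst) in self.dst


ANY = IPv4Network("0.0.0.0/0")
# The entry fail-close mode appends at the bottom of the crypto map ACLs.
IMPLICIT_PERMIT_ANY = Ace("permit", ANY, ANY)


@dataclass
class GroupMember:
    local_acl: List[Ace]                        # member-specific deny entries
    fail_close: bool = False
    key_server_acl: List[Ace] = field(default_factory=list)
    registered: bool = False                    # True once the KS has pushed policy and TEK

    def __post_init__(self) -> None:
        # Table 28-4: the local ACL only denies traffic over and above the KS ACL.
        if any(ace.action != "deny" for ace in self.local_acl):
            raise ValueError("local group-member ACL may contain deny entries only")

    def register(self, downloaded_acl: List[Ace]) -> None:
        """Successful GDOI registration: the key server's security ACL and SA arrive."""
        self.key_server_acl = list(downloaded_acl)
        self.registered = True

    def classify(self, src: str, dst: str) -> str:
        """Return 'encrypt', 'clear' or 'drop' for one outbound packet."""
        acl = list(self.local_acl)
        if self.registered:
            acl += self.key_server_acl
        elif self.fail_close:
            # Assumption: the implicit permit applies only while still unregistered.
            acl.append(IMPLICIT_PERMIT_ANY)
        for ace in acl:
            if not ace.matches(src, dst):
                continue
            if ace.action == "deny":
                return "clear"                  # explicitly outside the VPN
            # permit: the packet needs an IPsec SA, which exists only after registration
            return "encrypt" if self.registered else "drop"
        return "clear"                          # no crypto map entry applies


def demo(fail_close: bool = True):
    """Walk a constructed branch through the states the page describes."""
    net = IPv4Network
    # Constructed key-server policy: management traffic in clear, the rest of 10/8 encrypted.
    ks_policy = [
        Ace("deny", net("10.0.0.0/8"), net("10.255.0.0/24")),
        Ace("permit", net("10.0.0.0/8"), net("10.0.0.0/8")),
    ]
    # Constructed member-specific exception: one host is always reached unencrypted.
    gm = GroupMember(local_acl=[Ace("deny", net("10.1.1.0/24"), net("10.2.9.9/32"))],
                     fail_close=fail_close)
    before = {
        "branch": gm.classify("10.1.1.5", "10.2.2.7"),
        "exception": gm.classify("10.1.1.5", "10.2.9.9"),
    }
    gm.register(ks_policy)
    after = {
        "branch": gm.classify("10.1.1.5", "10.2.2.7"),
        "exception": gm.classify("10.1.1.5", "10.2.9.9"),
        "mgmt": gm.classify("10.1.1.5", "10.255.0.1"),
        "internet": gm.classify("10.1.1.5", "203.0.113.9"),
    }
    return before, after


if __name__ == "__main__":
    for mode in (True, False):
        before, after = demo(fail_close=mode)
        print("fail-close" if mode else "fail-open", "before:", before, "after:", after)
```

The fail-open run shows the migration trade-off the page implies: before registration the same branch traffic leaves in clear text instead of being dropped.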
Step 1 Create the new GET VPN topology in Security Manager using the Create VPN wizard. When you are in the wizard, ensure that you make these selections: • When selecting devices, choose the key servers for the topology, but for group members, select the first set of group members that will be migrated. For more information, see Selecting Devices for Your VPN Topology, page 24-32.
Chapter 28 Group Encrypted Transport (GET) VPNs Troubleshooting GET VPN Configurations Step 6 In the Site-to-Site VPN Manager, select the GET VPN topology, then select Group Encryption Policy. Deselect Receive Only. This turns off SA receive-only mode at the topology level. Step 7 Deploy the configuration changes to all devices in the VPN. Now the GET VPN should be operating in fully encrypted mode for the original group members that you tested.
• Normally, network address translation (NAT) is not used in the type of WAN environments where GET VPN is deployed. However, if you use NAT, ensure that the security policy ACL has permit statements for the translated addresses. Also, if you are using Network Address Translation-Traversal (NAT-T), the GDOI protocol port changes to 4500.
Chapter 29 Managing Remote Access VPNs: The Basics Cisco Security Manager lets you configure both remote access IPSec VPNs and remote access SSL VPNs. Security Manager provides flexible configuration and management of remote access VPNs: • You can discover existing remote access VPN configuration policies from existing live devices or from configuration files. Then, you can change and deploy new or updated policies, as necessary.
Chapter 29 Managing Remote Access VPNs: The Basics Understanding Remote Access VPNs Understanding Remote Access IPSec VPNs Remote access IPSec VPNs permit secure, encrypted connections between a company’s private network and remote users, by establishing an encrypted IPSec tunnel across the Internet using broadband cable, DSL, dial-up, or other connections. A remote access IPSec VPN consists of a VPN client and a VPN headend device, or VPN gateway.
Note SSL VPN is supported on ASA 5500 devices running software version 8.0 and later, running in single-context and router modes, on Cisco 870, 880, 890, 1800, 2800, 3700, 3800, 7200, and 7301 Series routers running software version 12.4(6)T and later, and on Cisco 1900, 2900, and 3900 Series routers running software version 15.0(1)M and later. For the 880 Series routers, the minimum software version is 12.
Figure 29-1 Secure SSL VPN Access Example SSL VPN Access Modes SSL VPN provides three modes of remote access on IOS routers: Clientless, Thin Client and Full Client. On ASA devices, there are two modes: Clientless (which includes Clientless and Thin Client port forwarding) and AnyConnect Client (a full client).
Note The TCP port-forwarding proxy works only with Sun’s Java Runtime Environment (JRE) version 1.4 or later. A Java applet is loaded through the browser that verifies the JRE version. The Java applet refuses to run if a compatible JRE version is not detected. When using Thin Client mode, you should be aware of the following: • The remote user must allow the Java applet to download and install.
– Manually copy the files from the \csm folder on the active unit to the failover unit. – After deploying the policies to the active unit, force a failover and redeploy the policies to the now-active unit. • If you are using a VPN cluster for load balancing, the same supporting files must be deployed to all devices in the cluster. Cisco Secure Desktop (CSD) Packages These packages are for ASA SSL VPNs.
Chapter 29 Managing Remote Access VPNs: The Basics Understanding Remote Access VPNs Packages are available for the following workstation operating systems (OS). For specific information on which OS versions that each client supports, see the documentation for the AnyConnect client on Cisco.com. • Linux—Packages start with anyconnect-linux, or anyconnect-linux-64 for 64-bit versions.
• SSL VPN license information cannot be imported into Security Manager. As a result, certain command parameters, such as vpn sessiondb and max-webvpn-session-limit, cannot be validated.
• You must configure DNS on each device in the topology in order to use clientless SSL VPN. Without DNS, the device can retrieve only URLs that use IP addresses, not named URLs.

Understanding Devices Supported by Each Remote Access VPN Technology
Tip Some device models have NO-VPN versions, which do not support VPN configuration. Thus, although the 3845 model might be supported for a type of VPN, the 3845 NOVPN model is not. In addition, the Cisco Catalyst 6500 series ASA Services Module (running software release 8.5(x)) does not support any type of VPN.

Overview of Remote Access VPN Policies
Note You cannot configure SSL VPNs on PIX devices; PIX devices support remote access IKEv1 IPsec VPNs only.
• Policies used with remote access IKEv1 and IKEv2 IPsec and SSL VPNs:
– ASA Cluster Load Balancing (ASA/PIX 7.0+)—In a remote client configuration in which two or more devices connected to the same network handle remote sessions, you can configure these devices to share their session load.

You can match the group from the DN rules, the Organization Unit (OU) field, the IKE identity, or the peer IP address. You can use any or all of these methods. For more information, see Configuring Certificate to Connection Profile Map Policies (ASA), page 30-29.
Discovering Remote Access VPN Policies
Security Manager allows you to import the configurations of remote access IPSec VPN policies during policy discovery. You can also discover SSL VPN policies on ASA devices, but not on IOS devices.

regardless of the device to which it is assigned. For example, if you use the object 10.100.10.1DfltGrpPolicy with device 10.200.11.1, Security Manager still uses "DfltGrpPolicy" in the configuration.
Note Although these default connection profiles use the DfltCustomization object for SSL VPN portal customization, Security Manager does not discover it.

Using the Remote Access VPN Configuration Wizard

Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices)
This procedure describes how to create or edit SSL VPNs on ASA devices using the Remote Access SSL VPN Configuration Wizard.

• Group Policies—This table lists all group policies currently used on the device, whether for SSL or IPsec VPNs. You can click Edit to add other group policies.
• Global IP Address Pool—Enter the address pools from which IP addresses are assigned. The server uses these address pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on.

Related Topics
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 29-14
• Understanding Interface Role Objects, page 6-67
Field Reference
Table 29-2 SSL VPN Wizard—Access Page (ASA)
Interfaces to Enable SSL VPN Service: The interfaces or interface roles that identify the interfaces on which you want to enable SSL VPN connections.

Related Topics
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 29-14
• ASA Group Policies Dialog Box, page 33-1
• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 30-66
• Understanding Networks/Hosts Objects, page 6-74
• Understanding AAA Server and Server Group Objects, page 6-24
Field Reference
Table 29-3 SSL VPN Configuration

Table 29-3 SSL VPN Configuration Wizard, Connection Profile Page (ASA) (Continued)
Connection URL: The URL of the connection profile. This URL provides users with direct access to the customized portal page.

Creating User Groups with the Create Group Policy Wizard
When you are using the Remote Access SSL VPN Configuration wizard to create an SSL VPN on ASA or IOS devices, you can create new ASA group policy or IOS user group objects using a wizard. The wizard lets you configure selected elements of the group, so you might need to edit the object after creating it to configure additional settings.

Step 5 On the Full Client page, select whether to restrict access to full tunnel only or to allow other methods of access if the full client download fails. Also specify DNS and WINS server information, and configure split tunneling if you want to allow it. For an explanation of the options, see Create Group Policy Wizard—Full Tunnel Page, page 29-20.
Step 6 Click Next.

Field Reference
Table 29-4 Create User Group Wizard—Full Tunnel Page
Mode: The access modes to allow in the SSL VPN. Select one of the following:
• Use Other Access Modes if SSL VPN Client Download Fails—Allow the remote client to use clientless or thin client access modes if the download of the VPN client fails.
• Full Tunnel Only—Prohibit clientless or thin client access.

Table 29-4 Create User Group Wizard—Full Tunnel Page (Continued)
Split Tunnel Option: Whether to allow split tunneling and, if so, which traffic should be secured or transmitted unencrypted across the public network:
• Disabled—(Default) No traffic goes in the clear or to any destination other than the gateway.
Networks (ASA device only.) Destinations (IOS device only.)

Note This page is only available if you selected the Clientless or Thin Client options in step 1 of the Create Group Policy wizard.
Navigation Path
For information on starting the Create Group Policy wizard, see Creating User Groups with the Create Group Policy Wizard, page 29-19.
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (ASA and PIX 7.0+ Devices)
This procedure describes how to create IPSec VPNs on ASA or PIX 7.0+ devices using the Remote Access VPN Configuration Wizard.
Tip The wizard allows you to select shared policies to use in the VPN on the Defaults page (the final step of the wizard).

Specify the pools as address ranges or as network/host objects that contain address ranges, in the format Start_Address-End_Address, for example, 10.100.10.2-10.100.10.254. Click Select to select network/host objects or to create new objects.

c. There are several additional connection profile settings that are not configured in the wizard. Examine the tabs in the Connection Profile dialog box to determine whether additional changes are required.
Step 14 Click OK in the Connection Profiles dialog box to save your changes.
Step 15 (IKEv2 Requirement.) Select the Remote Access VPN > SSL VPN > Access policy and configure at least the following.

Remote Access VPN Configuration Wizard—IPSec VPN Connection Profile Page (ASA)
Use the Connection Profile page of the Remote Access VPN Configuration wizard to configure the connection profile policies on your security appliance for a remote access IPSec VPN.

Table 29-6 Remote Access VPN Configuration Wizard, IPSec Connection Profile Page (ASA)
Authentication Server Group: The name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

Table 29-7 Remote Access VPN Configuration Wizard, IPSec VPN Wizard—IPSec Settings (ASA)
Trustpoint Name: The name of the PKI enrollment policy object that defines the trustpoint name, if any trustpoints are configured for IKEv1 connections.

Remote Access VPN Configuration Wizard—Defaults Page
Use the Defaults page of the Remote Access VPN Configuration wizard to select the shared policies to assign to the remote access IPSec VPN. Initially, the policies selected are those configured in the Security Manager Administration VPN Defaults for remote access VPNs.

Table 29-8 Remote Access VPN Configuration Wizard, Defaults Page (Continued)
IPSec Proposal: Defines the crypto maps required to set up IPsec security associations (SAs), including IPsec rules, transform sets, remote peers, and other parameters that might be necessary to define an IPsec SA.

Step 7 Select the user groups that will be used in your SSL VPN policy. User groups define the resources available to users when connecting to an SSL VPN gateway. The table shows whether full client access is enabled for the group. Click Edit to select the desired groups, or to create new groups.
Step 8 Configure the AAA options for authentication, authentication domain, and accounting.

Field Reference
Table 29-9 SSL VPN Configuration Wizard, Gateway and Context Page
Gateway: The gateway to be used as a proxy for connections to the protected resources in your SSL VPN. Options are:
• Use Existing Gateway—When selected, enables you to use an existing gateway for your SSL VPN.
Gateway Name

Table 29-9 SSL VPN Configuration Wizard, Gateway and Context Page (Continued)
Context Name: The name of the context that defines the virtual configuration of the SSL VPN.
Note To simplify the management of multiple context configurations, make the context name the same as the domain or virtual hostname.

Field Reference
Table 29-10 SSL VPN Configuration Wizard, Portal Page Customization Page
Title: The text displayed at the top of the page. Control the color using the Primary settings in the Title Color and Text Color fields.
Logo: The graphic displayed next to the title. Select None, Default, or Custom.

• If the required user group is not in the list, click Create (+) to open the Add User Groups dialog box, which enables you to create or edit a user group object. See Add or Edit User Group Dialog Box, page 33-58.
• You can edit an existing user group by selecting it in either list and clicking Edit (pencil).
• To deselect a user group, select it and click <<.
Step 6 Click Next.
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
You can configure and manage remote access IPsec VPNs on devices running Cisco ASA Software or PIX 7.0+, and SSL VPNs on ASA 8.0+ devices (but not on PIX devices). Additionally, you can use IKE version 2 (IKEv2) negotiations in remote access IPsec VPNs on ASA 8.4(x) devices.
Tip No VPN configuration is supported on Cisco Catalyst 6500 Series ASA Service Modules and the ASA Software Release 8.5(x) used on the module.
• Customizing Clientless SSL VPN Portals, page 30-65

Overview of Remote Access VPN Policies for ASA and PIX 7.0+ Devices
When you configure remote access VPNs on ASA or PIX 7.0+ devices, you use the following policies based on the type of VPN you are configuring. Possible remote access VPN types are: IKE version 1 (IKEv1) IPsec, IKE version 2 (IKEv2) IPsec, and SSL.

– Public Key Infrastructure—You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA certificates and RSA keys, and to manage keys and certificates. Certification Authority (CA) servers are used to manage these certificate requests and issue certificates to users who connect to your IPsec or SSL remote access VPN.

Table 30-1 Remote Access VPN Policy Requirements for ASA Devices (Continued)
Policy: Required, Optional
Dynamic Access: Optional for all VPN types.
Global Settings: Required: IKEv2 IPsec. Optional: IKEv1 IPsec, SSL.
Group Policies: Required for all VPN types.
Public Key Infrastructure: Required: IKEv2 IPsec. Also required if you configure any trustpoints for IKEv1 IPsec or SSL VPNs.

Understanding Cluster Load Balancing (ASA)
The role of virtual cluster master is not tied to a physical device—it can shift among devices. If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then directs these connections to another active device in the cluster.
• UDP Port—Specify the UDP destination port for the virtual cluster to which the device belongs. The port is typically 9023, but if that port is in use by another application, enter the UDP destination port number that you want to use for load balancing.

Configuring Connection Profiles (ASA, PIX 7.0+)
the connection is denied. Both the AnyConnect VPN client (SSL VPN or IKEv2 IPSec VPN) and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Login), Mac computers, and Linux computers.

Step 8 Click OK.
Connection Profiles Page
Use the Connection Profiles page to manage connection profile policies for remote access VPN or Easy VPN topologies. Use of this policy differs depending on the type of VPN you are configuring:
• Remote access SSL VPN—The policy is used only for ASA devices.

• (Policy view) Select Site-to-Site VPN > Connection Profiles (PIX7.0/ASA). Select an existing policy or create a new one.

Table 30-2 Connection Profile General Tab (Continued)
Client Address Assignment
DHCP Servers: The DHCP servers to be used for client address assignments. The servers are used in the order listed. Enter the IP addresses of the DHCP servers or the names of network/host policy objects that define the DHCP server addresses.

Field Reference
Table 30-3 Add/Edit Interface Specific Client Address Pools Dialog Box
Interface: The interface to which you are assigning an address pool. Enter the interface name or the name of an interface role object, or click Select to select an interface or object or to create a new object.
Address Pool: The address pool to assign to the interface.

Table 30-4 Connection Profile AAA Tab (Continued)
Authentication Server Group: The name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

Table 30-4 Connection Profile AAA Tab (Continued)
Enable Notification Upon Password Expiration to Allow User to Change Password: Whether the security appliance notifies the remote user at login that the current password is about to expire or has expired, and then offers the user the opportunity to change the password.

Navigation Path
Open the AAA or Secondary AAA tabs in the Connection Profiles dialog box (see AAA Tab (Connection Profiles), page 30-11 or Secondary AAA Tab (Connection Profiles), page 30-14), then click Add Row below the Interface-Specific Address Pools table, or select a row in the table and click Edit Row.

Field Reference
Table 30-6 Connection Profile Secondary AAA Tab
Enable Double Authentication: Whether to enable double authentication, which prompts the user for two sets of credentials (username and password) before completing the remote access VPN connection.

Field Reference
Table 30-7 Connection Profiles IPsec Tab
Preshared Key (IKEv1 only.): The preshared key for the connection profile. The maximum length of a preshared key is 127 characters. Enter the key again in the Confirm field. You cannot configure preshared keys for IKEv2 remote access VPNs.
Tip Trustpoint Name (IKEv1 only.

Table 30-7 Connection Profiles IPsec Tab (Continued)
Client Software Update table (IKEv1 only.): The VPN client revision level and URLs for client platforms. You can configure different revision levels for All Windows Platforms, Windows 95/98/ME, Windows NT4.0/2000/XP, or the VPN3002 Hardware Client.

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 30-66
Field Reference
Table 30-9 Connection Profile SSL Tab
WINS Servers List: The name of the WINS (Windows Internet Naming Server) servers list to use for CIFS name resolution. Click Select to select the WINS servers list policy object or to create a new object.

Table 30-9 Connection Profile SSL Tab (Continued)
Reject Radius Message: Whether to display to remote users a RADIUS message about their authentication failure.
Connection Aliases table: A list of alternate names by which the tunnel group can be referred to. The status indicates whether the name is enabled for use or disabled (cannot be used).
Field Reference
Table 30-10 Add/Edit Connection Alias Dialog Box
Enabled: Whether to enable the connection alias. You must enable the alias for users to use it.
Connection Alias: The alternative name for the connection profile. The connection alias that you specify here appears in a list on the user's login page.

Configuring Group Policies for Remote Access VPNs
Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic Access policy, an ASA device checks for Group policies that specify the setting.

• Group policy source—Identifies whether the user group's attributes and values are stored internally (locally) on the security appliance or externally on an AAA server. If the user group is an external type, no other settings need to be configured for it. For more information, see ASA Group Policies Dialog Box, page 33-1.

Step 1 Do one of the following:
• (Device view) With an ASA or PIX 7.0+ device selected, select Remote Access VPN > Group Policies from the Policy selector.
• (Policy view) Select Remote Access VPN > Group Policies (ASA) from the Policy Type selector. Select an existing policy or create a new one.
The Group Policies page opens.

Step 8 To configure the user group for an SSL VPN, from the SSL VPN folder in the Settings pane:
a. Select Clientless to configure the Clientless mode of access to the corporate network in an SSL VPN. For a description of these settings, see ASA Group Policies SSL VPN Clientless Settings, page 33-10.
b.

Understanding SSL VPN Server Verification (ASA)
• Configuring SSL VPN Server Verification (ASA), page 30-61
• Configuring Trusted Pool Settings (ASA), page 30-26
• Using the Trustpool Manager, page 30-27
Configuring Trusted Pool Settings (ASA)
Use the Trusted Pool Settings page to configure options for certificate revocation. You can also launch the Trustpool Manager.

Table 30-12 Trusted Pool Page (Continued)
Launch Trustpool Manager: Launches the Trustpool Manager, which is used to manage Trustpool certificates. You can use the Trustpool Manager to perform the following: For more information, see Using the Trustpool Manager, page 30-27.
– Select bundle file—If the bundle is stored on your machine, click Import from a file, then click Browse Local Files and navigate to the bundle.
– Import default bundle—Select this option to import the default bundle.
3. Specify the following import options:
– Clear all certificates before import—Whether to clear the trustpool before importing the bundle.

Working with IPSec VPN Policies
This section contains the following topics:
• Configuring Certificate to Connection Profile Map Policies (ASA), page 30-29
• Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.

To match user permission groups based on fields of the certificate, you define rules that specify the fields to match for a group and then enable each rule for that selected group. You must first define a connection profile (tunnel group) before you can create and map a rule to it.

If the map does not already exist, create it by clicking the Add Row (+) button beneath the upper table and filling in the Map Rule dialog box for creating maps. In the dialog box, you must select the connection profile for the map, assign a relative priority between 1 and 65535 (lower numbers have higher priority), and give the map a unique name.
b. Ensure that the map is actually selected.

Table 30-13 Map Rule Dialog Box (Upper Table) (Continued)
Priority: The priority number of the matching rule, between 1 and 65535. A lower number has a higher priority. For example, a matching rule with a priority number of 2 has a higher priority than a matching rule with a priority number of 5.
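As an added example (not code from this guide or from Cisco), the following Python evaluator applies certificate-to-connection-profile map rules with the semantics described above and in the earlier overview: each rule belongs to a map bound to one connection profile, carries a priority from 1 to 65535 where the lower number wins, and matches on DN fields such as OU, on the IKE identity, or on the peer IP address. The map names, profile names, sample rules and certificates are constructed; the DN operators eq, ne, co and nc follow the ASA's names, but multi-valued attributes and escaped commas in DNs are not handled.

```python
"""Added example, not code from the Cisco Security Manager guide or from Cisco.

Evaluates certificate-to-connection-profile map rules as the guide describes
them: each rule belongs to a map bound to one connection profile, has a
priority from 1 to 65535 (a lower number wins), and matches on certificate DN
fields such as OU, on the IKE identity, or on the peer IP address. Map and
profile names, the sample rules and the certificates are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# DN attribute operators as on the ASA: equal, not equal, contains, does not contain.
_OPS = {
    "eq": lambda actual, want: actual == want,
    "ne": lambda actual, want: actual != want,
    "co": lambda actual, want: want in actual,
    "nc": lambda actual, want: want not in actual,
}


def parse_dn(dn: str) -> dict:
    """Turn 'CN=alice, OU=Engineering, O=Example' into {'CN': 'alice', ...}.

    Simplified: attribute values containing escaped commas are not handled.
    """
    subject = {}
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if sep:
            subject[attr.strip().upper()] = value.strip()
    return subject


@dataclass(frozen=True)
class MapRule:
    map_name: str
    connection_profile: str
    priority: int
    dn_rules: tuple = ()          # ((attribute, operator, value), ...)
    ike_identity: Optional[str] = None
    peer_networks: tuple = ()     # CIDR strings the peer IP must fall into

    def __post_init__(self):
        # The guide's valid priority range; the lower the number, the higher the priority.
        if not 1 <= self.priority <= 65535:
            raise ValueError(f"priority {self.priority} is outside 1-65535")
        for _attr, op, _value in self.dn_rules:
            if op not in _OPS:
                raise ValueError(f"unknown DN operator {op!r}")
        if not (self.dn_rules or self.ike_identity or self.peer_networks):
            raise ValueError("a rule needs at least one matching criterion")

    def matches(self, subject: dict, ike_identity: Optional[str], peer_ip: str) -> bool:
        """All configured criteria of the rule must hold for the rule to match."""
        for attr, op, want in self.dn_rules:
            actual = subject.get(attr.upper())
            if actual is None or not _OPS[op](actual, want):
                return False
        if self.ike_identity is not None and self.ike_identity != ike_identity:
            return False
        if self.peer_networks:
            addr = ip_address(peer_ip)
            if not any(addr in ip_network(net) for net in self.peer_networks):
                return False
        return True


def select_profile(rules, subject_dn: str, peer_ip: str,
                   ike_identity: Optional[str] = None) -> Optional[str]:
    """Return the connection profile of the best matching rule, or None.

    Rules are tried in ascending priority number (lowest number first), so a
    rule with priority 5 beats one with priority 10 when both match.
    """
    subject = parse_dn(subject_dn)
    for rule in sorted(rules, key=lambda r: (r.priority, r.map_name)):
        if rule.matches(subject, ike_identity, peer_ip):
            return rule.connection_profile
    return None


# Constructed rule set for the demonstration (names and networks are made up).
RULES = (
    MapRule("eng-map", "EngineeringProfile", 10,
            dn_rules=(("OU", "eq", "Engineering"),)),
    MapRule("contractor-map", "ContractorProfile", 5,
            dn_rules=(("O", "co", "Contract"),),
            peer_networks=("203.0.113.0/24",)),
    MapRule("admin-map", "AdminProfile", 1,
            ike_identity="vpn-admin.example.com"),
)

if __name__ == "__main__":
    for dn, ip in (("CN=alice, OU=Engineering, O=Example", "198.51.100.7"),
                   ("CN=carol, OU=Engineering, O=Contract Co", "203.0.113.9"),
                   ("CN=carol, OU=Engineering, O=Contract Co", "198.51.100.7")):
        print(f"{dn} from {ip} -> {select_profile(RULES, dn, ip)}")
```

The third sample shows the effect of the peer-IP criterion: the same certificate lands in ContractorProfile from inside 203.0.113.0/24 (priority 5 beats 10) and in EngineeringProfile from anywhere else.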
Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices)
This procedure describes how to create or edit an IPsec proposal for your remote access VPN server when the server is an ASA or PIX 7.0+ device. If you are configuring an IPsec proposal for IOS or PIX 6.

Navigation Path
• (Device view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (ASA/PIX 7.x) from the Policy selector. Click the Add Row (+) or Edit Row (pencil) buttons.
• (Policy view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (ASA/PIX 7.x) from the Policy Type selector. Select an existing policy or create a new one. Click the Add Row (+) or Edit Row (pencil) buttons.

Table 30-15 IPsec Proposal Editor (ASA and PIX 7.0+ Devices) (Continued)
IKEv1 Transform Sets: The transform sets to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms are used to secure the traffic in the tunnel. The transform sets are different for each IKE version; select objects for each supported version.

Table 30-15 IPsec Proposal Editor (ASA and PIX 7.0+ Devices) (Continued)
Enable Traffic Flow Confidentiality (TFC) Packets: Enable dummy TFC packets that mask the traffic profile of the traffic traversing the tunnel.
Note You must have an IKEv2 IPsec proposal set on the Tunnel Policy (Crypto Map) Basic tab before enabling TFC.

Working with SSL and IKEv2 IPSec VPN Policies
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices Working with SSL and IKEv2 IPSec VPN Policies Field Reference Table 30-16 SSL VPN Access Policy Page Element Description Access Interface Table The Access Interface table lists the interfaces that are configured for remote access SSL or IKEv2 IPSec VPN connections.
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices Working with SSL and IKEv2 IPSec VPN Policies Table 30-16 SSL VPN Access Policy Page (Continued) Element Description Default Idle Timeout The amount of time, in seconds, that an SSL or IKEv2 IPSec VPN session can be idle before the security appliance terminates it.
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices Working with SSL and IKEv2 IPSec VPN Policies Access Interface Configuration Dialog Box Use the Access Interface Configuration dialog box to configure an interface on an ASA device for remote access SSL or IKEv2 IPSec VPN connections. Navigation Path Open the SSL VPN Access policy (see SSL VPN Access Policy Page, page 30-37), then click Add Row below the interface table, or select a row in the table and click Edit Row.
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices Working with SSL and IKEv2 IPSec VPN Policies The Access page opens. For a description of the elements on this page, see SSL VPN Access Policy Page, page 30-37.
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices Working with SSL and IKEv2 IPSec VPN Policies You can then configure the settings on the following tabs: • Performance tab—To configure caching to improve SSL VPN performance. See Configuring SSL VPN Performance Settings (ASA), page 30-42. • Content Rewrite tab—To create rules that permit users to browse certain sites and applications without going through the security appliance itself.
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices Working with SSL and IKEv2 IPSec VPN Policies Step 2 • (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector. Click the Performance tab if it is not already selected. • (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.
If you do not want some applications and web resources, such as public web sites, to go through the security appliance, you can create rewrite rules that permit users to browse certain sites and applications without going through the security appliance itself. This is similar to split tunneling in an IPsec VPN connection.
Related Topics • Configuring Other SSL VPN Settings (ASA), page 30-41 Field Reference Table 30-18 Add or Edit Content Rewrite Dialog Box Element Description Enable When selected, enables content rewriting on the security appliance for the rewrite rule. Some applications do not require this processing, such as external public web sites.
The SSL VPN portal pages downloaded from the CIFS server to the SSL VPN user encode the value of the SSL VPN file-encoding attribute identifying the server or, if no file-encoding entry exists for that server, they inherit the value of the character encoding attribute. The remote user’s browser maps this value to an entry in its character encoding set to determine the proper character set to use.
– CIFS Server IP, CIFS Server Host—Select one of these options to specify the CIFS server either by IP address or hostname. If you select IP address, you can either enter the IP address or the name of a network/host object that specifies one or more individual IP addresses.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one. Step 2 On the Other Settings page, click the Proxy tab. The Proxy tab displays any currently defined proxies and proxy rules.
Tip If you configure proxy bypass rules, you must also configure the SSL VPN Access policy. For more information, see Configuring an Access Policy, page 30-40. Add or Edit Proxy Bypass Dialog Box Use the Add or Edit Proxy Bypass dialog box to set proxy bypass rules when the security appliance should perform little or no content rewriting.
Table 30-19 Add or Edit Proxy Bypass Dialog Box (Continued) Element Description URL Select the http or https protocol, then enter a URL to which you want to apply proxy bypass. URLs used for proxy bypass allow a maximum of 128 bytes. The port for HTTP is 80 and for HTTPS it is 443, unless you specify another port.
When the user in a clientless SSL VPN session clicks the associated menu option on the portal page, the portal page displays a window to the interface and displays a help pane. The user can select the protocol displayed in the drop-down menu and enter the URL in the Address field to establish a connection.
– Citrix (ICA)—For Citrix MetaFrame services. – Post—For post services. – Plug-in File—The name of the File policy object that defines the plug-in file. Enter the name of the File object or click Select to select an object or to create a new one. For more information on creating File Objects, see Add and Edit File Object Dialog Boxes, page 33-25.
AnyConnect Client Profiles An AnyConnect client profile is a group of configuration parameters, stored in an XML file, that the client uses to configure the connection entries that appear in the client user interface. These parameters (XML tags) include the names and addresses of host computers and settings to enable additional client features.
Tip Ensure that you add AnyConnect images of the required releases. For example, if you are configuring an IKEv2 IPsec VPN, you must include an AnyConnect 3.0 or higher image. In general, the image versions must support the features you are deploying in the remote access VPN.
To use this profile, ensure that you specify the profile name in an ASA Group Policy object assigned to the security appliance (in the Full Client settings page as described in ASA Group Policies SSL VPN Full Client Settings, page 33-13).
Table 30-20 Add or Edit AnyConnect Client Image Dialog Box (Continued) Element Description Image Order The order in which the security appliance downloads the client images to the remote workstation. It downloads the image in priority order. Therefore, you should enter a lower value for the image used by the most commonly encountered operating system.
To configure the ASA to allow KCD, once the ASA joins the domain, an entry should appear under the Users and Computers list on the domain controller for the ASA. In the Properties dialog box, on the Delegation tab, select Trust this computer for delegation to specified services only, and then select Use any authentication protocol.
3. The KDC returns the requested tickets to the ASA. Even though these tickets are passed to the ASA, they contain the user’s authorization data. Note These first steps comprise protocol transition; after these steps, a user who authenticated to the ASA using a non-Kerberos authentication protocol is transparently authenticated to the KDC using Kerberos. 4.
• Kerberos authentication requires that the clocks of the participating hosts be synchronized, with a maximum drift of 5 minutes (this is the default setting). This restriction applies to the clocks on the ASA, the domain controller, and the application servers. Configuring the same NTP server for all of them should address the requirement.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one. Step 2 On the Other Settings page, click the AnyConnect Custom Attribute tab. The AnyConnect Custom Attribute tab lists all defined custom attributes.
Configuring SSL VPN Advanced Settings (ASA) Use the Advanced tab of the SSL VPN Other Settings page to configure the memory, on-screen keyboard, and internal password features on ASA devices. All of these settings are optional.
When you connect to a remote server via a web browser using the HTTPS protocol, the server will provide a digital certificate signed by a CA to identify itself. Web browsers ship with a collection of CA certificates which are used to verify the validity of the server certificate. This is a form of public key infrastructure (PKI).
• Configuring an ASA Device as a Shared License Client, page 30-64 • Configuring an ASA Device as a Shared License Server, page 30-65 Navigation Path • (Device View) Select an ASA device using version 8.2 or higher, and select Remote Access VPN > SSL VPN > Shared License from the Policy selector. • (Policy View) Select Remote Access VPN > SSL VPN > Shared License (ASA 8.
Table 30-22 SSL VPN Shared License Page (Continued) Element Description Configure Backup shared SSL VPN License Server Whether to configure a backup server for the shared license server.
Customizing Clientless SSL VPN Portals • Backup Server—When selected, the client also acts as the backup server. In this case, you must also specify the interfaces to be used for this purpose. Configuring an ASA Device as a Shared License Server This procedure describes how to configure an ASA device as a shared license server. Tip You must ensure that the SSL VPN Shared License Server activation key is present on the device. Step 1
Step 2 Select SSL VPN Customization from the Object Type selector. The SSL VPN Customization page opens, displaying a list of the existing SSL VPN Customization objects. Step 3 Right-click in the work area and select New Object. The Add SSL VPN Customization dialog box appears (see Add and Edit SSL VPN Customization Dialog Boxes, page 33-37).
• Title Panel—Determine whether the Portal page will have a title displayed in the web page itself. If you enable the title panel, you can specify the title, font, font size and weight, styles, and colors used. You can also select a File object that identifies a logo graphic. For more information about the settings, see SSL VPN Customization Dialog Box—Title Panel, page 33-39.
for complex script or East Asian languages. If you want to type in text directly, you also need to install an appropriate keyboard; otherwise, you can use a text editor that supports the language’s characters and copy and paste text from a document that contains the text you want to use. You can also enter non-ASCII languages into SSL VPN Bookmarks objects.
• Creating Policy Objects, page 6-9 • Add and Edit SSL VPN Customization Dialog Boxes, page 33-37 Creating Your Own SSL VPN Logon Page for ASA Devices You can create your own custom SSL VPN Logon page rather than use the page provided by the security appliance for browser-based clientless SSL VPNs.
• If you are creating the object for use on an IOS device, enter the title of the bookmark, which is displayed to users, and the URL. Be careful to select the correct protocol for the URL. Click OK to add the bookmark to the table of bookmarks. • If you are creating the object for use on an ASA device, you have many more options.
These are the available macro substitutions: – CSCO_WEBVPN_USERNAME The username used to log into the SSL VPN. – CSCO_WEBVPN_PASSWORD The password used to log into the SSL VPN. – CSCO_WEBVPN_INTERNAL_PASSWORD The internal resource password entered when logging into the SSL VPN.
Users of Microsoft Windows Vista who use smart tunnels (or port forwarding) must add the URL of the ASA device to the Trusted Site zone. Configure the Trusted Site zone in Internet Explorer (Tools > Internet Options, Security tab). Tip • The user’s browser must be enabled with Java, Microsoft ActiveX, or both.
f. Click OK to save the object. Step 2 (Optional) Create an SSL VPN smart tunnel auto sign-on list policy object: a. Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager, page 6-4), and select SSL VPN Smart Tunnel Auto Signon Lists from the table of contents. Step 3
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs Clientless SSL VPN uses WINS and the Common Internet File System (CIFS) protocol to access or share files, printers, and other machine resources on remote systems.
• Set as Master Browser—Select this option if the server is a master browser, which maintains the list of computers and shared resources. Other fields are optional; change them if you want non-default values. For more information, see Add or Edit WINS Server Dialog Box, page 33-74. Click OK to save your changes.
CHAPTER 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices) This chapter explains Dynamic Access Policies (DAP) for assigning remote access users to connection profiles (tunnel groups). You can configure these policies for remote access IKEv1 IPsec on ASA 8.0+ devices, IKEv2 IPsec on ASA 8.4(x) devices, and SSL VPNs on ASA 8.0+ (except 8.5) devices. For information on configuring other remote access policies for ASA and PIX 7.
Configuring Dynamic Access Policies • DfltAccessPolicy—Always the last entry in the DAP summary table, always with a priority of 0. You can configure Access Policy attributes for the default access policy, but it does not contain—and you cannot configure—AAA or endpoint attributes. Tip You cannot delete the DfltAccessPolicy, and it must be the last entry in the summary table.
Step 4 Specify a priority for the DAP record. The security appliance applies access policies in the order you set here, highest number having the highest priority. Step 5 Enter a description for the DAP record. Step 6 In the Main tab, configure the DAP attributes and the type of remote access method supported by the DAP system on your security appliance.
DAP complements AAA services. It provides a limited set of authorization attributes that can override those AAA provides. The security appliance selects DAP records based on the AAA authorization information for the user and posture assessment information for the session.
• If the installed program does support active scan, and active scan is enabled for the program, Host Scan reports the presence of the software. Again the security appliance selects DAP records that specify the program. • If the installed program does support active scan and active scan is disabled for the program, Host Scan ignores the presence of the software.
Table 31-2 Endpoint Attribute Definitions (Continued)
Attribute Type / Attribute Name / Source / Value / Description
File / endpoint.file.label.exists / Secure Desktop / true / The file exists
File / endpoint.file.label.lastmodified / Secure Desktop / integer / Seconds since the file was last modified
File / endpoint.file.label.crc.32 / Secure Desktop / integer / CRC32 hash of the file
NAC / endpoint.nac.status / NAC / string / User-defined status string
Operating System / endpoint.os.
Examples of DAP Logical Expressions Study these examples for help in creating logical expressions in LUA. • This AAA LUA expression tests for a match on usernames that begin with "b". It uses the string library and a regular expression: not(string.find(aaa.cisco.username, "^b") == nil) • This endpoint expression tests for a match on CLIENTLESS OR CVC client types: endpoint.
Step 1 Do one of the following: • (Device view) With an ASA device selected, select Remote Access VPN > Dynamic Access from the Policy selector. • (Policy view) Select Remote Access VPN > Dynamic Access (ASA) from the Policy Type selector. Select an existing policy or create a new one. The Dynamic Access page opens.
All session information is encrypted, and all traces of the session data are removed from the remote client when the session is terminated, even if the connection terminates abruptly. This ensures that cookies, browser history, temporary files, and downloaded content do not remain on a system. When the session closes, CSD overwrites and removes all data using a U.S.
Dynamic Access Page (ASA) The editor contains these main items (select them in the table of contents): • Prelogin Policies—This is a decision tree. When a user attempts a connection, the user’s system is evaluated against your rules and the first rule that matches is applied. Typically, you create policies for secure locations, home locations, and insecure public locations.
Navigation Path • (Device View) Select an ASA device; then select Remote Access VPN > Dynamic Access (ASA) from the Policy selector. • (Policy View) Select Remote Access VPN > Dynamic Access (ASA) from the Policy Type selector. Select an existing policy or create a new one.
Table 31-3 Dynamic Access Policy Page (ASA) (Continued) Element Description Hostscan Package Specify the name of the File Object that identifies the Hostscan package you want to upload to the device. Click Select to select an existing File Object or to create a new one. For more information, see Add and Edit File Object Dialog Boxes, page 33-25.
Field Reference Table 31-4 Add/Edit Dynamic Access Policy Dialog Box Element Description Name The name of the dynamic access policy record (up to 128 characters). Priority A priority for the dynamic access policy record. The security appliance applies access policies in the order you set here, highest number having the highest priority.
Table 31-5 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued) Element Description Content Values of the AAA and endpoint attributes criteria that the security appliance uses for selecting and applying a dynamic access policy record during session establishment.
Table 31-5 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued) Element Description File Server Browsing Specify the file server browsing setting to be configured on the portal page: • Unchanged—Uses values from the group policy that applies to this session. • Enable—Enables CIFS browsing for file servers or shared features.
Table 31-5 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued) Element Description HTTP Proxy Specify how you want to configure the security appliance to terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers: • Unchanged—Uses values from the group policy that applies to this session.
Table 31-5 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued) Element Description URL Entry Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures the security of data transmission between the remote user’s PC or workstation and the security appliance on the corporate network.
Table 31-5 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued) Element Description Port Forwarding Select an option for the port forwarding lists that apply to this DAP record: Port Forwarding List • Unchanged—Removes the attributes from the running configuration. • Enable—Enables port forwarding on the device. • Disable—Disables port forwarding on the device.
Table 31-5 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued) Element Description User Message Enter a text message to display on the portal page when this DAP record is selected. Maximum 128 characters. A user message displays as a yellow orb. When a user logs on it blinks three times to attract attention, and then it is still.
Note • Device—Creates an endpoint attribute of type Device. The Device Criterion lets you provide specific device information for use during the associated prelogin policy checking. See Add/Edit DAP Entry Dialog Box > Device, page 31-28. • File—Creates an endpoint attribute of type File.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied. Navigation Path Open the Add/Edit Dynamic Access Policy Dialog Box, page 31-12 with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit.
Table 31-6 Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco (Continued) Element Description Connection Profiles Select the check box, select the matching criteria (for example, is) from the drop-down list, and select the connection profile from a list of all the SSL VPN Connection Profile policies defined on the security appliance.
Field Reference Table 31-7 Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP Element Description Criterion Shows AAA Attributes LDAP as the selection criterion. Attribute ID Specify the name of the LDAP attribute map in the dynamic access policy. LDAP attribute maps take the attribute names that you define and map them to Cisco-defined attributes. A maximum of 64 characters is allowed.
Table 31-8 Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS (Continued) Element Description Attribute ID Specify the name of the RADIUS attribute name or number in the dynamic access policy. A maximum of 64 characters is allowed. RADIUS attribute names do not contain the cVPN3000 prefix to better reflect support for all three security appliances (VPN 3000, PIX, and the ASA).
Table 31-9 Add/Edit DAP Entry Dialog Box > Anti-Spyware (Continued) Element Description Type Select one of the following options and assign the associated values: • Not Installed—Select if the absence of the named anti-spyware from the remote PC is sufficient to match the prelogin policy you are configuring.
• Configuring Dynamic Access Policies, page 31-2 Field Reference Table 31-10 Add/Edit DAP Entry Dialog Box > Anti-Virus Element Description Criterion Shows Anti-Virus as the selection criterion.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied. Navigation Path Open the Add/Edit Dynamic Access Policy Dialog Box, page 31-12 with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit.
Navigation Path Open the Add/Edit Dynamic Access Policy Dialog Box, page 31-12 with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Application as the Criterion.
Field Reference Table 31-13 Add/Edit DAP Entry Dialog Box > Device Element Description Criterion Shows Device as the selected Criterion. Host Name Select this option, choose a match criterion (is or isn’t) from the related drop-down list, and then enter the device host name to be matched.
Table 31-14 Add/Edit DAP Entry Dialog Box > File (Continued) Element Description Endpoint ID Select a string that identifies an endpoint for files. Dynamic access policies use this ID to match Cisco Secure Desktop host scan attributes for dynamic access policy selection. You must configure Host Scan before you configure this attribute.
Related Topics • Understanding DAP Attributes, page 31-3 • Configuring DAP Attributes, page 31-7 • Configuring Dynamic Access Policies, page 31-2 Field Reference Table 31-15 Add/Edit DAP Entry Dialog Box > NAC Element Description Criterion Shows NAC as the selection criterion.
Table 31-16 Add/Edit DAP Entry Dialog Box > Operating System (Continued) Element Description OS Version Select the check box, then select the matching criteria (for example, is) from the drop-down list, and select the OS version from the list. Select Apple Plugin for iPhones and similar devices.
Table 31-17 Add/Edit DAP Entry Dialog Box > Personal Firewall (Continued) Element Description Product ID Select a unique identifier for the product that is supported by the selected vendor from the list. Product Description Available only if you selected that this endpoint attribute and all its settings must be available on the remote PC.
Add/Edit DAP Entry Dialog Box > Process You can specify a set of process names, which form a part of Basic Host Scan. The host scan, which includes Basic Host Scan and either Endpoint Assessment or Advanced Endpoint Assessment, occurs after the prelogin assessment but before the assignment of a dynamic access policy.
Table 31-19 Add/Edit DAP Entry Dialog Box > Process (Continued) Element Description Path Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the name of the process. You can display it in Microsoft Windows by opening the Windows Task Manager window and clicking the Processes tab.
Table 31-20 Add/Edit DAP Entry Dialog Box > Registry (Continued) Element Description Type Select one of the following options and assign the associated values: • Matches—Select if the mere presence of the named registry key on the remote PC is sufficient to match the prelogin policy you are configuring.
• You are configuring the Match Any/Match All operation within each endpoint type. The security appliance evaluates each type of endpoint attribute, and then performs a logical AND operation on all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the endpoints you configure, as well as the AAA attributes.
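The DAP selection rules described in this chapter (record priority with the highest number first, Match Any/Match All within each endpoint type and a logical AND across types and AAA attributes, a record with no criteria always matching, the "add to / substitute for" relationship of an advanced expression, and the Lua username expression from the examples above), as an added Python simulation that is not Cisco code. The records and sessions are constructed for illustration, and the behaviour that DfltAccessPolicy applies only when no other record matches is an assumption of this model.

```python
"""Simulation of ASA Dynamic Access Policy (DAP) record selection.

Added illustration, not Cisco code. It models the selection rules this
chapter describes: a record is selected when its AAA attributes match the
session, every configured endpoint type matches (Match Any / Match All
within a type, logical AND across types) and its advanced expression, if
any, is true. A record with no criteria always matches. Selected records
are ordered by priority (higher number = higher priority); DfltAccessPolicy
(priority 0) is assumed to apply only when no other record matches.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A session is a flat map of DAP attribute names to string values.
Session = Dict[str, str]


@dataclass
class EndpointCriterion:
    attribute: str          # e.g. "endpoint.os.version"
    value: str
    is_match: bool = True   # False models the "isn't" operator


@dataclass
class DapRecord:
    name: str
    priority: int = 0
    aaa: Dict[str, str] = field(default_factory=dict)
    # endpoint type -> (match_all, criteria); each type is evaluated on its
    # own and the types are then combined with logical AND.
    endpoint: Dict[str, Tuple[bool, List[EndpointCriterion]]] = field(default_factory=dict)
    advanced: Optional[Callable[[Session], bool]] = None
    advanced_replaces: bool = False   # Relationship "substitute for" vs "add to"

    def matches(self, session: Session) -> bool:
        if not self.aaa and not self.endpoint and self.advanced is None:
            return True   # no selection criteria: always selected
        if self.advanced is not None and self.advanced_replaces:
            return self.advanced(session)   # expression replaces basic rules
        for attr, wanted in self.aaa.items():
            if session.get(attr) != wanted:
                return False
        for _etype, (match_all, criteria) in self.endpoint.items():
            hits = [(session.get(c.attribute) == c.value) == c.is_match for c in criteria]
            if (match_all and not all(hits)) or (not match_all and not any(hits)):
                return False
        if self.advanced is not None and not self.advanced(session):
            return False
        return True


def select_dap_records(records: List[DapRecord], session: Session) -> List[str]:
    """Names of the records applied to this session, highest priority first."""
    matched = [r for r in records if r.matches(session)]
    specific = [r for r in matched if r.name != "DfltAccessPolicy"]
    if not specific:
        return [r.name for r in matched if r.name == "DfltAccessPolicy"]
    return [r.name for r in sorted(specific, key=lambda r: r.priority, reverse=True)]


# Python equivalent of the chapter's Lua expression
#   not(string.find(aaa.cisco.username, "^b") == nil)
def username_starts_with_b(session: Session) -> bool:
    return re.search(r"^b", session.get("aaa.cisco.username", "")) is not None


# Constructed DAP table; attribute names are real DAP attribute names.
RECORDS = [
    DapRecord("Windows-SSL", priority=20, endpoint={
        "os": (True, [EndpointCriterion("endpoint.os.version", "Windows 7")]),
        "application": (False, [   # Match Any: CLIENTLESS or CVC client type
            EndpointCriterion("endpoint.application.clienttype", "CLIENTLESS"),
            EndpointCriterion("endpoint.application.clienttype", "CVC"),
        ]),
    }),
    DapRecord("B-Users", priority=10, advanced=username_starts_with_b),
    DapRecord("NonWindows-Clientless", priority=5, endpoint={
        "os": (True, [EndpointCriterion("endpoint.os.version", "Windows 7", is_match=False)]),
        "application": (True, [EndpointCriterion("endpoint.application.clienttype", "CLIENTLESS")]),
    }),
    DapRecord("DfltAccessPolicy", priority=0),
]


def demo() -> Dict[str, List[str]]:
    """Run three constructed sessions through the table."""
    sessions = {
        "bob-win7-cvc": {"aaa.cisco.username": "bob",
                         "endpoint.os.version": "Windows 7",
                         "endpoint.application.clienttype": "CVC"},
        "bill-linux-clientless": {"aaa.cisco.username": "bill",
                                  "endpoint.os.version": "Linux",
                                  "endpoint.application.clienttype": "CLIENTLESS"},
        "alice-mac-cvc": {"aaa.cisco.username": "alice",
                          "endpoint.os.version": "Mac OS X",
                          "endpoint.application.clienttype": "CVC"},
    }
    return {label: select_dap_records(RECORDS, s) for label, s in sessions.items()}


if __name__ == "__main__":
    for label, chosen in demo().items():
        print(f"{label}: {chosen}")
```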
Table 31-21 Add/Edit Dynamic Access Policy Dialog Box > Logical Operations Tab (Continued) Element Description Registry Registry key scans apply only to computers running Microsoft Windows operating systems. Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.
Table 31-22 Add/Edit Dynamic Access Policy Dialog Box > Advanced Expressions Tab (Continued) Element Description Relationship Drop-down List Specify the relationship between the basic selection rules and the logical expressions you enter on this tab, that is, whether the new attributes add to or substitute for the AAA and endpoint attributes already set.
Related Topics • Understanding DAP Attributes, page 31-3 • Configuring DAP Attributes, page 31-7 • Configuring Dynamic Access Policies, page 31-2
CHAPTER 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices You can configure and manage remote access IPsec on devices running Cisco IOS Software or PIX 6.3, and SSL VPNs on IOS 12.4(6)T or higher devices (but not on PIX devices). For more information on the specific device models supported, see Understanding Devices Supported by Each Remote Access VPN Technology, page 29-8. The configuration of these remote access VPNs is the same for these device types. ASA and PIX 7.
Overview of Remote Access VPN Policies for IOS and PIX 6.3 Devices When you configure remote access VPNs on IOS or PIX 6.3 devices, you use the following policies based on the type of VPN you are configuring. Note that you cannot configure SSL VPNs on PIX 6.3 devices.
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) This procedure describes how to create or edit an IPsec proposal for your remote access VPN server when the server uses Cisco IOS Software or PIX release 6.3. An IPsec proposal is a collection of one or more crypto maps.
IPsec Proposal Editor (IOS, PIX 6.3 Devices) Use the IPsec Proposal Editor to create or edit an IPsec proposal for an IOS or PIX 6.3 device, including Catalyst 6500/7600, in your remote access VPN. The editor has two tabs—General and Dynamic VTI/VRF Aware IPsec. This topic explains the basic settings on the General tab.
Table 32-1 IPsec Proposal Editor, General Tab, IOS and PIX 6.3 Devices (Continued) Element Description IKEv1 Transform Sets The transform sets to be used for your tunnel policy. Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. You can select up to nine transform sets.
Chapter 32 Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) Table 32-1 Managing Remote Access VPNs on IOS and PIX 6.3 Devices IPsec Proposal Editor, General Tab, IOS and PIX 6.3 Devices (Continued) Element Description User Authentication The AAA or Xauth user authentication method that defines the order in (Xauth)/AAA Authentication which user accounts are searched.
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) Table 32-2 VPNSM/VPN SPA/VSPA Settings Dialog Box (Continued) Element Description Slot The number designating the slot location of the VPNSM or VPNSPA/VSPA. If you are configuring a VPNSPA/VSPA, the subslot number is also required. Subslot Note External Port The external port or VLAN that connects to the inside VLAN.
Chapter 32 Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) Managing Remote Access VPNs on IOS and PIX 6.3 Devices When this feature is enabled, Security Manager implicitly creates the virtual template interface for the selected device in a remote access VPN. All you must do is provide the IP address on the server that will be used as the virtual template interface, or use an existing loopback interface.
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) Table 32-3 IPsec Proposal Editor, Dynamic VTI/VRF Aware IPsec Tab (Continued) Element Description CA Server Select the Certification Authority (CA) server to use for managing certificate requests for the device. Click Select to select the PKI enrollment policy object that defines the CA server, or to create a new object.
Chapter 32 Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) Table 32-3 Managing Remote Access VPNs on IOS and PIX 6.3 Devices IPsec Proposal Editor, Dynamic VTI/VRF Aware IPsec Tab (Continued) Element Description Interface Towards Provider Edge Available only for 2-Box VRF. The VRF forwarding interface on the IPsec Aggregator towards the PE device. Click Select to select the interface or interface role object, or to create a new object that identifies the interface.
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices Configuring High Availability in Remote Access VPNs (IOS) Configuring High Availability in Remote Access VPNs (IOS) Use the High Availability page to configure a High Availability (HA) policy on a Cisco IOS router or Cisco Catalyst switch in a remote access VPN.
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices Configuring High Availability in Remote Access VPNs (IOS) Table 32-4 High Availability Page, Remote Access VPNs Element Description Inside Virtual IP The IP address that is shared by the devices in the HA group and that represents the inside interface of the HA group.
Configuring User Group Policies
Use the User Groups (IOS/PIX 6.x) policy to specify user groups for your remote access IPSec VPN server. You can configure user groups on a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500/7600 device. When you configure a remote access VPN server, you must create user groups to which remote clients will belong.
• You can edit the properties of a User Group object by selecting it in either list and clicking the Edit button.
Configuring an SSL VPN Policy (IOS)
Use the SSL VPN policy to configure the SSL VPN connection policies for an IOS router. From this page, you can create, edit, or delete SSL VPN policies.
• User Groups—The user groups that will be used in your SSL VPN policy. User groups define the resources available to users when connecting to an SSL VPN gateway. To add a user group, click Add Row to open a list of existing user group policy objects from which you can select the group. If the desired group does not already exist, click the Create button below the available groups list and create it.
Table 32-5 SSL VPN Context Editor Dialog Box (Continued)
Portal Page tab: Defines the design of the login page for the SSL VPN policy. The display box at the bottom of the tab changes to show you how your selections will look. You can configure:
• Title—The text displayed at the top of the page.
Related Topics
• Configuring an SSL VPN Policy (IOS), page 32-14
• Add or Edit SSL VPN Gateway Dialog Box, page 33-50
• Understanding AAA Server and Server Group Objects, page 6-24
Field Reference
Table 32-6 SSL VPN Context Editor General Tab (IOS)
Enable SSL VPN: Whether to activate the SSL VPN connection, putting it “In Service”.
Table 32-6 SSL VPN Context Editor General Tab (IOS) (Continued)
User Groups: The user groups that will be used in your SSL VPN policy. User groups define the resources available to users when connecting to an SSL VPN gateway. The table shows whether full client, CIFS file access, and thin client is enabled for the group.
Related Topics
• Cisco Secure Desktop on IOS Configuration Example Using SDM, http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7b.shtml
• Setting Up CSD for Microsoft Windows Clients, http://www.cisco.com/en/US/docs/security/csd/csd311/csd_for_vpn3k_cat6k/configuration/guide/CSDwin.
Chapter 33 Configuring Policy Objects for Remote Access VPNs
There are several policy objects that you use primarily or exclusively with remote access VPNs. Some of these objects, the ASA Group Policies and User Group objects, are also used with Easy VPN site-to-site topologies. This reference explains the configuration of these policy objects.
ASA Group Policies Dialog Box
Note: You must select the technology for which you are creating the object. Depending on the selected technology, the appropriate settings are available for configuration. If you select the IKEv1 or IKEv2 options, the IKE Proposal and IPSec Proposal policies must also be configured to support the selected IKE version.
Navigation Path
Select ASA Group Policies in the Policy Object Manager, page 6-4.
Table 33-1 Add or Edit ASA Group Policies Dialog Box, including Technology Settings
Technology settings: These settings control what you can define in the group policy:
• Group Policy Type—Whether you are storing the group policy on the ASA device itself (Internal) or on a AAA server (External). You cannot change this option when editing an object.
Table 33-1 Add or Edit ASA Group Policies Dialog Box, including Technology Settings
SSL VPN Connection Settings: Settings for SSL VPN:
• Clientless—Settings for the clientless mode of access to the corporate network in an SSL VPN. See ASA Group Policies SSL VPN Clientless Settings, page 33-10.
Table 33-2 ASA Group Policies Client Configuration Settings (Continued)
IPsec Backup Servers, Servers List: Specify the backup server configuration:
• Keep Client Configuration—The security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.
Field Reference
Table 33-3 ASA Group Policies Client Firewall Attributes
Firewall Mode: The firewall requirements for client systems for the group:
• No Firewall—Do not use a firewall. You cannot configure any other options on the page.
• Firewall Required—All users in this group must use the designated firewall.
Table 33-3 ASA Group Policies Client Firewall Attributes (Continued)
Custom Firewall: The attributes that define the required or optional firewall if you select custom firewall as the firewall type:
• Vendor ID—The number that identifies the vendor of the custom firewall. Values are 1-255.
• Product ID—The number that identifies the product or model of the custom firewall.
Table 33-4 ASA Group Policies Hardware Client Attributes (Continued)
Enable LEAP Bypass: Whether to enable Lightweight Extensible Authentication Protocol (LEAP) packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication.
Field Reference
Table 33-5 ASA Group Policies IPSec Settings
Enable Re-Authentication on IKE Re-Key: Whether the security appliance should prompt the user to enter a username and password during initial Phase 1 IKE negotiation and also prompt for user authentication whenever an IKE rekey occurs, providing additional security.
Add or Edit Client Access Rules Dialog Box
Use the Client Access Rules dialog box to create or edit the priority, action, VPN client type and VPN client version for a client access rule.
Navigation Path
From ASA Group Policies IPSec Settings, page 33-8, click the Add Row button beneath the Client Access Rules table, or select a rule and click the Edit Row button.
Navigation Path
Select SSL VPN > Clientless from the table of contents in the ASA Group Policies Dialog Box, page 33-1.
Field Reference
Table 33-7 ASA Group Policies SSL VPN Clientless Settings
Portal Page Websites: The name of the SSL VPN bookmarks policy object that includes the website URLs to display on the portal page. These websites help users access desired resources.
Table 33-7 ASA Group Policies SSL VPN Clientless Settings (Continued)
Auto Start Smart Tunnel: Whether to start smart tunnel access automatically upon user login. If you do not select this option, the user must start the tunnel manually through the Application Access tools on the portal page.
Supported Mobile Devices
• iPad—Citrix Receiver version 4.x or later
• iPhone/iTouch—Citrix Receiver version 4.x or later
• Android 2.x/3.x/4.0/4.1 phone—Citrix Receiver version 2.x or later
• Android 4.0 phone—Citrix Receiver version 2.
Field Reference
Table 33-9 ASA Group Policies SSL VPN Full Client Settings
Enable Full Client: Whether to enable full client mode.
Mode: The mode in which to operate the SSL VPN:
• Use Other Access Modes if AnyConnect Client Download Fails—If the full client fails to download to the remote user, allow the user to make clientless or thin client access to the VPN.
Table 33-9 ASA Group Policies SSL VPN Full Client Settings (Continued)
Key Renegotiation Method: The method by which the tunnel key is refreshed for the remote user group client:
• Disabled—Disables the tunnel key refresh.
• Use Existing Tunnel—Renegotiates the SSL tunnel connection.
• Create New Tunnel—Initiates a new tunnel connection.
Table 33-9 ASA Group Policies SSL VPN Full Client Settings (Continued)
AnyConnect Module: The modules that the AnyConnect client needs to enable optional features. Click Select to select the applicable modules from the Add AnyConnect Module dialog box.
Table 33-9 ASA Group Policies SSL VPN Full Client Settings (Continued)
Prompt User to Choose Client: Whether to ask the user to download the client. Enter the number of seconds the user has to make a selection in the Time User Has to Choose field. The default is 120 seconds.
Field Reference
Table 33-10 ASA Group Policies SSL VPN Settings
Home Page: The URL of the SSL VPN home page. The page is displayed when users log into the VPN. If you do not enter a URL, no home page is displayed.
Authentication Failure Message: The message to deliver to a remote user who successfully logs into the VPN but has no VPN privileges, and so can do nothing.
Table 33-10 ASA Group Policies SSL VPN Settings (Continued)
Portal Page Customization: The name of the SSL VPN customization policy object that defines the appearance of the portal web page. The portal page allows the remote user access to all the resources available on the SSL VPN network. If you do not specify an object, the default page appearance is used.
Field Reference
Table 33-11 Add or Edit Auto Signon Rules Dialog Box
Allow IP: Select this option to configure an IP address or subnet for the rule. Any server within this subnet is supplied the specified login credentials.
• To enter the IP address of a single server, enter the full IP address and use 255.255.255.255 as the subnet mask.
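The Allow IP rule above decides which servers receive the stored login credentials, so the mask is effectively a credential-scoping control. The following is an added example, not code from Security Manager or the ASA: it models the rule as an address plus subnet mask, finds the rule that applies to a given server, and flags rules whose range is wider than intended. The rule names, sample addresses and the /24 threshold are constructed for this example.

```python
"""Auto sign-on rule matching for SSL VPN clientless access.

Added example, not code from Security Manager or the ASA. It models the
Allow IP rule from Table 33-11: an IP address plus a subnet mask, where
every server inside that subnet is supplied the stored login credentials,
and a single server is written with the 255.255.255.255 mask. The rule
names, sample addresses and the "too broad" threshold are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AutoSignonRule:
    name: str      # constructed label, only to make results readable
    address: str   # IP address entered in the rule
    mask: str      # dotted subnet mask entered in the rule

    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates host bits set in the address field, so
        # "192.0.2.10/255.255.255.255" and "10.1.2.3/255.255.255.0" both parse.
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


# Constructed sample rules, as an administrator might enter them.
SAMPLE_RULES: List[AutoSignonRule] = [
    AutoSignonRule("intranet-wiki", "192.0.2.10", "255.255.255.255"),  # one server
    AutoSignonRule("lab-servers", "198.51.100.0", "255.255.255.0"),     # a /24
    AutoSignonRule("corp-everything", "10.0.0.0", "255.0.0.0"),         # a /8
]


def matching_rule(rules: List[AutoSignonRule], server_ip: str) -> Optional[AutoSignonRule]:
    """Return the first rule whose subnet contains server_ip, else None.

    Credentials are forwarded only when a rule matches; with no match the
    user is prompted as usual.
    """
    ip = ipaddress.IPv4Address(server_ip)
    for rule in rules:
        if ip in rule.network():
            return rule
    return None


def overly_broad_rules(rules: List[AutoSignonRule], min_prefixlen: int = 24) -> List[AutoSignonRule]:
    """Flag rules wider than /min_prefixlen.

    Such a rule hands the stored credentials to every host in the range,
    including ones that were never meant to receive them. The /24 threshold
    is an assumption for this review check, not a product limit.
    """
    return [r for r in rules if r.network().prefixlen < min_prefixlen]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.77", "10.20.30.40"):
        hit = matching_rule(SAMPLE_RULES, ip)
        print(ip, "->", hit.name if hit else "no auto sign-on")
    print("review:", [r.name for r in overly_broad_rules(SAMPLE_RULES)])
```

The review helper is the part worth keeping: a rule such as 10.0.0.0 with mask 255.0.0.0 will auto-submit the user's credentials to any host in that range, so a periodic check of configured rules against a width threshold catches scoping mistakes before they reach users.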
Table 33-12 ASA Group Policies DNS/WINS Settings (Continued)
Secondary WINS Server: The IP address of the secondary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.
DHCP Network Scope: The scope of the DHCP network for the group.
Table 33-13 ASA Group Policies Split Tunneling Settings (Continued)
Tunnel Option: The policy you want to enable for split tunneling:
• Disabled—(Default) No traffic goes in the clear or to any other destination than the security appliance. Remote users reach networks through the corporate network and do not have access to local networks.
Add or Edit Secure Desktop Configuration Dialog Box
Table 33-14 ASA Group Policies Connection Settings (Continued)
Address Pools: Specifies the name of one or more IPv4 address pools to use for this group policy. Enter the names of the IPv4 address pool objects separated by a comma or click Select to select the objects from a list or to create a new object.
ml. The first part of the configuration example explains setting up SDM, which you can ignore. Instead, look for the sections that describe setting up Windows locations midway through the example. The screen shots will help you identify when you are looking at CSD configuration.
Add and Edit File Object Dialog Boxes
Table 33-15 Add or Edit Secure Desktop Configuration Dialog Box (Continued)
VPN Feature Policy: Select the check boxes to enable these features if installation or location matching fails:
• Web Browsing
• File Access
• Port Forwarding
• Full Tunneling
Windows CE VPN Feature Policy: The Windows CE options enable you to configure a VPN feature policy to enable or restrict web b
When you create a file object, Security Manager makes a copy of the file in its storage system. These files are backed up whenever you create a backup of the Security Manager database, and they are restored if you restore the database. When you deploy configurations that specify a file object, the associated file is downloaded to the device in the appropriate directory.
Table 33-16 Add and Edit File Object Dialog Boxes (Continued)
File Type: The type of file. If you create the object while configuring a policy, the correct file type is pre-selected. Options are:
• Image—For graphic files.
• Cisco Secure Desktop Package
• Plug-In—For browser plug-in files.
Add or Edit Port Forwarding List Dialog Boxes
Navigation Path
Select Manage > Policy Objects, then select File Objects from the Object Type Selector. Add or Edit a file object and from the Add or Edit File Object dialog box, click Browse to open the File Object — Choose a file dialog box.
Navigation Path
Select Manage > Policy Objects, then select Port Forwarding List from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Add or Edit Single Sign On Server Dialog Boxes
Add or Edit A Port Forwarding Entry Dialog Box
Use the Add or Edit A Port Forwarding Entry dialog boxes to create a new port forwarding list entry or edit an existing one.
Navigation Path
Go to the Add or Edit Port Forwarding List Dialog Boxes, page 33-28 and click the Add Row button or select an entry and click the Edit Row button beneath the Port Forwarding List table.
Note: The SAML Browser Artifact profile method of exchanging assertions is not supported.
Navigation Path
Select Single Sign On Servers in the Policy Object Manager, page 6-4. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Add or Edit Bookmarks Dialog Boxes
Table 33-20 Add or Edit Single Sign-On Server Dialog Box (Continued)
Trustpoint: The name of the PKI enrollment policy object that identifies the certificate authority (CA) server that acts as the trustpoint that contains the certificate to use to sign the SAML-type browser assertion. Enter the name or click Select to select it from a list or to create a new object. (SAML POST only.
Field Reference
Table 33-21 Add and Edit Bookmarks Dialog Boxes
Name: The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 6-9.
Description: An optional description of the object.
Field Reference
Table 33-22 Add and Edit Bookmark Entry Dialog Boxes
Bookmark Option: Select whether you want to define a new SSL VPN Bookmark entry or use the entries from an existing object:
• Enter Bookmark—You want to define a bookmark entry.
Table 33-22 Add and Edit Bookmark Entry Dialog Boxes (Continued)
Enable Favorite URL Option: Whether to display the bookmark entry on the portal home page. Deselect the check box if you want the bookmark entry to appear on the application page only.
Advanced Form and URL Settings: These settings are applicable only to SSL VPN portals hosted on ASA devices running software version 8.
Table 33-22 Add and Edit Bookmark Entry Dialog Boxes (Continued)
Post Parameters: The list of the names and values of the Post parameters for the bookmark entry.
• To add a parameter, click the Add button and fill in the Add Post Parameter dialog box (see Add and Edit Post Parameter Dialog Boxes, page 33-36).
• To edit a parameter, select it and click the Edit button.
Add and Edit SSL VPN Customization Dialog Boxes
Use the Add and Edit SSL VPN Customization dialog boxes to create, copy, and edit SSL VPN Customization objects. An SSL VPN Customization policy object describes how to customize web pages for a browser-based clientless SSL VPN hosted on an ASA 8.x device.
Table 33-24 Add and Edit SSL VPN Customization Dialog Boxes (Continued)
Logon Page: The Logon web page is the one users see first when connecting to the SSL VPN portal. It is used for logging into the VPN.
Table 33-24 Add and Edit SSL VPN Customization Dialog Boxes (Continued)
Portal Page: The Portal web page is the one users see after logging into the SSL VPN; it is the home page.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Title Panel in the table of contents to configure the title of the Logon page, or Portal Page > Title Panel to configure the title of the Portal page.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Language in the table of contents.
Add and Edit Language Dialog Boxes
Use the Add and Edit Language dialog boxes to add or edit an entry for a language you will support for automatic browser language selection or in the Language Selector drop-down list.
Table 33-28 SSL VPN Customization Dialog Box—Logon Page (Continued)
Message: The message that appears in the login box above the username and password fields. You can enter a maximum of 256 characters.
Username Prompt: The text of the prompt for the username entry field.
Password Prompt: The text of the prompt for the password entry field.
Field Reference
Table 33-29 SSL VPN Customization Dialog Box—Informational Panel
Display Informational Panel: Whether to display the Informational panel. The default is to not display the panel. If you select this option, you can configure the panel using the other fields on this page.
SSL VPN Customization Dialog Box—Full Customization
Use the Full Customization page of the SSL VPN Customization dialog box to identify your own custom Logon page. The custom page replaces the Logon page settings available on the dialog box. For information on creating a custom Logon page, see Creating Your Own SSL VPN Logon Page for ASA Devices, page 30-70.
Table 33-32 SSL VPN Customization Dialog Box—Toolbar (Continued)
Prompt Box Title: The text of the prompt for the field where users select the protocol of the target web page and enter the URL.
Browse Button Text: The name of the button the user clicks to go to the target URL.
Logout Prompt: The text of the prompt for logging out of the SSL VPN.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Custom Panes in the table of contents.
Navigation Path
From the SSL VPN Customization Dialog Box—Custom Panes page, click the Add Row button in the Custom Pane table, or select a pane and click the Edit Row button.
Field Reference
Table 33-35 Add and Edit Custom Pane Dialog Boxes
Enable: Whether to display the custom pane on the Portal page.
Field Reference
Table 33-36 SSL VPN Customization Dialog Box—Home Page
Enable Custom Intranet Web Page URL: Whether to display a custom Intranet web page, which also enables bookmarks to be displayed on the Portal page. If you select this option, you can configure the panel using the other fields on this page.
URL List Mode: How you want to display URL lists on the home page.
Add or Edit SSL VPN Gateway Dialog Box
Table 33-37 SSL VPN Customization Dialog Box—Logout Page (Continued)
Border Color: The color of the border around the logout box. Click Select to choose a color.
Title Font Color: The color of the font and background for the title area of the page. Click Select to choose a color.
Table 33-38 Add and Edit SSL VPN Gateway Dialog Boxes (Continued)
IP Address: The IP address for the gateway, which is the address to which remote users connect:
• Use Static IP Address—Specify the address that you want to use. You must also configure this address on an interface on the router.
Add and Edit Smart Tunnel List Dialog Boxes
Table 33-38 Add and Edit SSL VPN Gateway Dialog Boxes (Continued)
Allow Value Override per Device: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
Table 33-39 Add and Edit Smart Tunnel Lists Dialog Boxes (Continued)
Smart Tunnel Entries table: The applications to which users will be allowed smart tunnel access through the SSL VPN, including the name of the application and its location on client workstations.
Table 33-40 Add and Edit Smart Tunnel Entry Dialog Boxes (Continued)
App Path: The filename and optionally, the path, of the application. This entry can be up to 128 characters. Use one of the following:
• Filename—For example, outlook.exe. By only specifying the file name, it does not matter where users install the application on their workstations.
Add and Edit Smart Tunnel Auto Signon List Dialog Boxes
Table 33-40 Add and Edit Smart Tunnel Entry Dialog Boxes (Continued)
Hash Value: (Optional) The hash value for the application. By specifying a hash value, you can ensure that the user does not rename another application to use a supported filename and thus start an unsupported and undesired application over the smart tunnel.
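The App Path and Hash Value rows of Table 33-40 together define what a smart tunnel entry actually pins: a bare filename matches the program wherever it is installed, a full path must match exactly, and the optional hash ties the entry to the file's contents rather than its name. The following is an added example, not ASA or Security Manager code, that models that decision and shows why the hash matters: the same renamed program passes a name-only entry and fails an entry with a hash. The hash algorithm (SHA-1 is assumed; the page does not name one), the case-insensitive path comparison, and the sample "application" bytes are constructed for this example.

```python
"""Smart tunnel entry check: filename alone versus filename plus hash.

Added example, not ASA or Security Manager code. It models the App Path and
Hash Value fields of Table 33-40: an entry may name just the file (so the
install location does not matter) or a full path, and may carry an optional
hash of the application. The hash algorithm (SHA-1 here), case-insensitive
path matching, and the sample bytes are assumptions constructed for this
example; the page does not name the algorithm.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SmartTunnelEntry:
    app_path: str                      # "outlook.exe" or a full Windows path
    hash_value: Optional[str] = None   # hex digest of the permitted binary


def app_hash(data: bytes) -> str:
    """Hash of the application file contents (assumed SHA-1, hex encoded)."""
    return hashlib.sha1(data).hexdigest()


def path_matches(entry: SmartTunnelEntry, observed_path: str) -> bool:
    """Apply the App Path rule: a bare filename matches in any directory,
    a full path must match exactly. Windows paths compare case-insensitively."""
    configured = entry.app_path.lower()
    observed = observed_path.lower()
    if ntpath.basename(configured) == configured:      # entry is a filename only
        return ntpath.basename(observed) == configured
    return observed == configured


def is_allowed(entry: SmartTunnelEntry, observed_path: str, observed_bytes: bytes) -> bool:
    """Decide whether the observed program may use the smart tunnel."""
    if not path_matches(entry, observed_path):
        return False
    if entry.hash_value is None:
        return True                                    # filename is the only check
    return app_hash(observed_bytes) == entry.hash_value.lower()


# Constructed stand-ins for file contents; a real entry would hash the real binary.
GENUINE_OUTLOOK = b"constructed bytes standing in for the real outlook.exe"
OTHER_PROGRAM = b"constructed bytes of some other program renamed to outlook.exe"

ENTRY_NAME_ONLY = SmartTunnelEntry("outlook.exe")
ENTRY_WITH_HASH = SmartTunnelEntry("outlook.exe", app_hash(GENUINE_OUTLOOK))
ENTRY_FULL_PATH = SmartTunnelEntry(r"C:\Program Files\Office\outlook.exe",
                                   app_hash(GENUINE_OUTLOOK))


if __name__ == "__main__":
    renamed = r"C:\Users\me\Downloads\outlook.exe"
    print("name only, renamed program:", is_allowed(ENTRY_NAME_ONLY, renamed, OTHER_PROGRAM))    # True
    print("with hash, renamed program:", is_allowed(ENTRY_WITH_HASH, renamed, OTHER_PROGRAM))    # False
    print("with hash, genuine program:", is_allowed(ENTRY_WITH_HASH, renamed, GENUINE_OUTLOOK))  # True
```

When populating the Hash Value field in practice, compute the digest from the exact build of the application you intend to permit, and expect to update the entry whenever that application is patched, since any change to the file contents changes the hash.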
Chapter 33 Configuring Policy Objects for Remote Access VPNs Add and Edit Smart Tunnel Auto Signon List Dialog Boxes You can include other SSL VPN smart tunnel auto sign-on list objects in an object. Thus, you can create a set of objects that identify your basic list of servers and include those objects in another object that expands upon that list of servers. Navigation Path Select Manage > Policy Objects, then select SSL VPN Smart Tunnel Auto Signon Lists from the Object Type selector.
Chapter 33 Configuring Policy Objects for Remote Access VPNs Add and Edit Smart Tunnel Auto Signon List Dialog Boxes Navigation Path From Add and Edit Smart Tunnel Auto Signon List Dialog Boxes, page 33-55, click the Add Row button beneath the Smart Tunnel Auto Signon Entries table, or select an entry and click the Edit Row button.
Chapter 33 Configuring Policy Objects for Remote Access VPNs Add or Edit User Group Dialog Box Add or Edit User Group Dialog Box Use the Add or Edit User Group dialog box to create or edit a user group object. User group objects are used in Easy VPN topologies, remote access VPNs, and SSL VPNs for IOS devices. When you configure a remote access VPN, SSL VPN, or Easy VPN server, you can create user groups to which remote clients belong.
Chapter 33 Configuring Policy Objects for Remote Access VPNs Add or Edit User Group Dialog Box Table 33-43 User Group Dialog Box (Continued) Element Description Settings Pane The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right. You must first configure technology settings, then you can select items from the table of contents on the left and configure the options you require.
Chapter 33 Configuring Policy Objects for Remote Access VPNs Add or Edit User Group Dialog Box Table 33-43 User Group Dialog Box (Continued) Element Description Category The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12. User Group Dialog Box—General Settings The general settings you configure for your user group include the authentication method, IP address pool information, and connection attributes for PIX 6.
Chapter 33 Configuring Policy Objects for Remote Access VPNs Add or Edit User Group Dialog Box Table 33-44 User Group Dialog Box—General Settings (Continued) Element Description PIX Only Attributes These attributes apply only to PIX 6.3 devices. • Idle Time—The timeout period for VPN connections, in seconds. If no communication occurs on the connection during this period, the device terminates the connection. The minimum is 60 seconds, and the maximum time is 35791394 minutes.
User Group Dialog Box—Split Tunneling Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.
User Group Dialog Box—IOS Client Settings Configure IOS client settings to define Cisco IOS-specific options for your user group, including firewall settings for VPN clients. Note These settings apply in Easy VPN and remote access IPsec VPN configurations. Navigation Path Select Client Settings (IOS) from the table of contents in the Add or Edit User Group Dialog Box, page 33-58.
Table 33-47 User Group Dialog Box—Client Settings (IOS) (Continued) Element Description Policy Type Specifies the CPP firewall policy type: • Check Presence—Instructs the server to check for the presence of the specified firewall type. • Central Policy Push—The actual policy, such as the input and output access lists, that must be applied by the specified client firewall type.
Table 33-48 User Group Dialog Box—IOS Xauth Options (Continued) Element Description Enable Group-Lock Whether to enable group lock, which requires that the user enter the extended Xauth username in one of the following formats: • username/groupname • username\groupname • username@groupname • username%groupname The group that is specified after the delimiter is then compared to the group identifier t
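The username-and-group parsing that group lock depends on, as an added example written for this guide (it is not Security Manager or Cisco IOS code). It accepts the four delimiter formats listed above and compares the group after the delimiter with the group identifier negotiated for the connection. Two details are assumptions rather than behaviour the page states: the first delimiter character found is treated as the separator, and a login without a group part is rejected while group lock is enabled.

```python
import re

# The four delimiter formats listed for the extended Xauth username:
# username/groupname, username\groupname, username@groupname, username%groupname.
_DELIMITER_RE = re.compile(r"[/\\@%]")


def parse_xauth_username(extended_username):
    """Split an extended Xauth username into (username, groupname).

    Assumption (not stated on the page): the first delimiter character found is
    the separator, so a bare username may not itself contain / \\ @ or %.
    Returns (username, None) when no delimiter is present.
    """
    match = _DELIMITER_RE.search(extended_username)
    if match is None:
        return extended_username, None
    return extended_username[:match.start()], extended_username[match.end():]


def group_lock_permits(extended_username, negotiated_group):
    """Group-lock decision: the group after the delimiter must equal the group
    identifier negotiated for the connection (negotiated_group).

    Assumption: with group lock enabled, a username without a group part, or
    with an empty username or group part, is rejected.
    """
    username, group = parse_xauth_username(extended_username)
    if not username or not group:
        return False
    return group == negotiated_group


def evaluate_xauth_logins(attempts):
    """Apply group lock to a batch of (extended_username, negotiated_group)
    pairs and return the per-attempt (username, permitted) decisions."""
    return [(user, group_lock_permits(user, group)) for user, group in attempts]


if __name__ == "__main__":
    # Constructed sample Xauth attempts, all negotiated in the "sales" group.
    sample = [
        ("alice@sales", "sales"),
        ("bob\\sales", "sales"),
        ("carol/engineering", "sales"),   # group mismatch
        ("dave", "sales"),                # no group supplied
        ("%sales", "sales"),              # empty username
    ]
    for user, permitted in evaluate_xauth_logins(sample):
        print(f"{user:20s} -> {'permit' if permitted else 'deny'}")
```

The mismatch case is the one group lock exists for: a valid user credential presented under the wrong group is denied even though the password would verify.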
Navigation Path Open the User Group Dialog Box—IOS Client VPN Software Update, page 33-65, then click Add Row, or select an item in the table and click Edit Row. Related Topics • Add or Edit User Group Dialog Box, page 33-58 Field Reference Table 33-49 Add or Edit Client Update Dialog Box Element Description System Type The platform on which the IOS VPN client operates.
Table 33-50 User Group Dialog Box—Advanced PIX Options (Continued) Element Description Enable Device Pass-Through Whether to use Media Access Control (MAC) addresses to bypass authentication for devices, such as Cisco IP phones, that do not support AAA authentication.
Field Reference Table 33-51 User Group Dialog Box—Clientless Settings Element Description Portal Page Websites The name of the SSL VPN bookmarks policy object that includes the website URLs to display on the portal page. These websites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object.
Related Topics • Create Group Policy Wizard—Clientless and Thin Client Access Modes Page, page 29-22 Field Reference Table 33-52 User Group Dialog Box—Thin Client Settings Element Description Enable Thin Client Whether to allow thin client access to the SSL VPN. Port Forward List The name of the port forwarding list policy object assigned to this group.
Table 33-53 User Group Dialog Box—Full Tunnel Settings (Continued) Element Description Use Other Access Modes if SSL VPN Client Download Fails Whether to allow users to connect to the SSL VPN even if a problem prevents the client from downloading, installing, and starting correctly on the user’s system.
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.
Table 33-54 User Group Dialog Box—Split Tunneling Settings (Continued) Element Description Split DNS Names A list of domain names to be resolved through the split tunnel to the private network. All other names are resolved using the public DNS server. Enter up to 10 entries in the list of domains, separated by commas. The entire string can be no longer than 255 characters.
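How a client applies a Split DNS Names list, as an added example written for this guide rather than code from the product. It validates the comma-separated field against the two limits stated above (10 entries, 255 characters) and then decides, per query, whether a name is resolved through the tunnel or by the public DNS server. The label-boundary matching rule is an assumption; the page does not say how names are matched, but a plain suffix test would route names such as notexample.com to the private resolver.

```python
# Limits stated in the Split DNS Names field description.
MAX_SPLIT_DNS_ENTRIES = 10
MAX_SPLIT_DNS_STRING_LENGTH = 255


def parse_split_dns_names(field_value):
    """Validate the comma-separated Split DNS Names string and return the
    normalised domain list (lower-case, trailing dot removed, blanks dropped)."""
    if len(field_value) > MAX_SPLIT_DNS_STRING_LENGTH:
        raise ValueError(
            f"split DNS string is {len(field_value)} characters; "
            f"maximum is {MAX_SPLIT_DNS_STRING_LENGTH}")
    names = [n.strip().lower().rstrip(".") for n in field_value.split(",")]
    names = [n for n in names if n]
    if len(names) > MAX_SPLIT_DNS_ENTRIES:
        raise ValueError(
            f"{len(names)} split DNS entries; maximum is {MAX_SPLIT_DNS_ENTRIES}")
    for name in names:
        if " " in name or ".." in name:
            raise ValueError(f"malformed domain name: {name!r}")
    return names


def select_resolver(query_name, split_dns_names):
    """Return 'tunnel' when the query name belongs to a split DNS domain (resolve
    via the private DNS server across the VPN), otherwise 'public'.

    Assumption: a name matches only on a label boundary, so mail.example.com
    matches example.com but notexample.com does not."""
    query = query_name.lower().rstrip(".")
    for domain in split_dns_names:
        if query == domain or query.endswith("." + domain):
            return "tunnel"
    return "public"


def route_queries(field_value, query_names):
    """Map each constructed query name to the resolver the client would use."""
    names = parse_split_dns_names(field_value)
    return {q: select_resolver(q, names) for q in query_names}


if __name__ == "__main__":
    # Constructed field value and client queries (not taken from a real config).
    field = "Example.com, corp.example.net"
    for name, where in route_queries(
            field, ["intranet.example.com", "www.notexample.com", "example.net"]).items():
        print(f"{name:24s} -> {where}")
```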
Table 33-55 User Group Dialog Box—Browser Proxy Settings (Continued) Element Description Proxy Server The address of the proxy server: Proxy Server Port • IP address—The IP address or the name of a network/host object that specifies the address. Click Select to select the object from a list. • Name—The fully qualified domain name, for example, proxy.example.com.
Add or Edit WINS Server List Dialog Box Use the WINS Server Lists dialog box to create, copy, and edit WINS server list objects. A WINS Server List object defines a list of Windows Internet Naming Server (WINS) servers, which are used to translate Windows file server names to IP addresses. Navigation Path Select Manage > Policy Objects, then select WINS Server Lists from the Object Type Selector.
Navigation Path From the Add or Edit WINS Server List Dialog Box, click the Add button beneath the WINS Server List table, or select a server in the table and click the Edit button.
CHAPTER 34 Using Map View The following topics describe how to use the Map view: • Understanding Maps and Map View, page 34-1 • Working With Maps, page 34-8 • Displaying Your Network on the Map, page 34-14 • Managing VPNs in Map View, page 34-20 • Managing Device Policies in Map View, page 34-22 Understanding Maps and Map View The Security Manager Map view provides a graphical view of your VPN and Layer 3 network topology.
Chapter 34 Using Map View Understanding Maps and Map View This section contains the following topics: • Understanding the Map View Main Page, page 34-2 • Map Toolbar, page 34-4 • Using the Navigation Window, page 34-4 • Maps Context Menus, page 34-5 • Access Permissions for Maps, page 34-8 Understanding the Map View Main Page Map view enables you to create customized, visual topology maps of your network, within which you can view connections between your devices and easily configure VPNs and a
Figure 34-1 Map View Main Page 1 Title bar 2 Navigation window (see Using the Navigation Window, page 34-4) 3 Menu bar (see Map Menu (Configuration Manager), page 1-31) 4 Toolbar (see Toolbar Reference (Configuration Manager), page 1-36) 5 Map toolbar (see Map Toolbar, page 34-4) 6 Map (see Understanding Map Elements, page 34-14) Related Topics • Understanding Maps and Map View, page 34-1 • Working With Maps, page 34-8 • Displayi
Map Toolbar The following table describes the buttons on the map toolbar. Table 34-1 Map Toolbar Toolbar Button Description Selects objects on the map. Click the button, then click items on the map. Pans the map. Click the button, click and hold on the map, then drag the cursor. Zooms in on the map. Zooms out from the map. Zooms the map to fill a rectangle that you draw. Zooms the map to include the entire map. Zooms the map to actual size.
The title bar in the navigation window displays the name of the map. If the map has unsaved changes, an asterisk (*) appears next to the map name. For information on other ways to pan and zoom maps, see Panning, Centering, and Zooming Maps, page 34-11. Maps Context Menus The following topics describe the menus that contain map commands. To open the context menus, right-click map elements.
Table 34-2 Managed Device Node Context Menu (Continued) Menu Command Description Inventory Status Displays the Inventory Status window for the device. See Inventory Status Window, page 69-2. Show VPN Peers Shows peers in VPNs in which the device participates. Preview Configuration Previews the device configuration with all committed changes included.
Table 34-4 VPN Connection Context Menu Menu Command Description Edit VPN Peers Edits the peers in the VPN. Edit VPN Policies Edits the VPN policies. Layer 3 Link Context Menu The Layer 3 Link context menu opens when you right-click on a layer 3 link on the map. Table 34-5 Layer 3 Link Context Menu Menu Command Description Link Properties Displays the link properties. Delete Link Deletes the link from the map.
Table 34-7 Map Background Context Menu (Continued) Menu Command Description Open Map Opens a saved map. Save Map Saves the open map. Show/Hide Navigation Window Toggles the display of the navigation window on the map. Map Properties Displays the properties of the map. Hierarchical layout Arranges the network nodes in a hierarchical layout. Radial layout Arranges the network nodes in a radial layout.
• Saving Maps, page 34-10 • Deleting Maps, page 34-10 • Exporting Maps, page 34-11 • Arranging Map Elements, page 34-11 • Panning, Centering, and Zooming Maps, page 34-11 • Selecting Map Elements, page 34-12 • Searching for Map Nodes, page 34-12 • Using Linked Maps, page 34-13 • Setting the Map Background Properties, page 34-13 Creating New or Default Maps You have two options for creating a new map: • Create an empty map—To create a new empty
Opening Maps To open an existing map, select Map > Open Map, select the desired map from the list of available maps, and click OK. You must already be in Map view (select View > Map View). If you currently have a map open with unsaved changes, you are asked if you want to save it. The list of available maps includes a special map called the Default Map. This map contains all of the managed devices and VPNs in the inventory.
Exporting Maps When viewing a map, you can export the map to a scalable vector graphics (SVG) image file for use outside of Security Manager. Related Topics • Working With Maps, page 34-8 • Understanding Map Elements, page 34-14 Step 1 Select Map > Export Map. The Export Topology Map to SVG dialog box opens. Step 2 Browse to the location in which to save the file. Step 3 Enter a filename in the File name field.
To zoom in or out of a map: • To change the zoom level of the map in predefined increments: – To zoom in on the map, select Map > Zoom In, or click the Zoom In toolbar button. – To zoom out from the map, select Map > Zoom Out, or click the Zoom Out toolbar button. • To zoom into a specific area of the map, click Zoom Rectangle in the map toolbar, then click the map and drag a rectangle around the area.
Using Linked Maps A linked map is a map that you associate with a map element on another map. Because it is not practical to include all the nodes on a large network in a single map, you can use linked maps to create a hierarchical topology of your network. You cannot link a node to another node in the same map. Before You Begin You must create the map to link to before you can link to it.
Displaying Your Network on the Map You use the map view to represent your network topology by creating maps. A map is a visual representation of your network, or a portion of it if it is too large to fit on a single map. Maps consist of map elements that represent devices, links, and other objects in your network. For more information about maps, see Working With Maps, page 34-8.
Table 34-9 Device Node Types (Continued) Node Type Icon Description Catalyst 6500/7600 or Catalyst switch When you select a Catalyst device node, any Firewall Services Modules contained in it are highlighted. Firewall Services Module (FWSM) When you select a Firewall Services Module, the security contexts it contains are highlighted on the map. FWSM security context When you select a security context, the parent device is highlighted.
Related Topics • Using Map Objects To Represent Network Topology, page 34-17 • Creating and Managing Layer 3 Links on the Map, page 34-19 Displaying Managed Devices on the Map A device node represents a device that is managed by Security Manager. You add a device node to a map by selecting the device from the Security Manager inventory.
• When you select an IPS device, the nodes that represent virtual sensors defined on the device are highlighted. • You can view a list of the security contexts contained in an ASA, firewall, or FWSM device, or the virtual sensors contained in an IPS device, by right-clicking the node and selecting Show Containment. This command also shows the service modules in a device that has them.
Add Map Object and Node Properties Dialog Boxes For unmanaged map objects, the Add Map Object and Node Properties dialog boxes are the same. Use the Add Map Object dialog box to add an object to the map. Use the Node Properties dialog box to view or edit map object properties. For more information, see Using Map Objects To Represent Network Topology, page 34-17.
Interface Properties Dialog Box Use the Interface Properties dialog box to add and edit interfaces on map objects. For more information, see Using Map Objects To Represent Network Topology, page 34-17. Navigation Path To open this dialog box, click the Add or Edit button in the Add Map Object and Node Properties Dialog Boxes, page 34-18.
Step 1 In Map view, click Map > Add Link or the Add Link button in the toolbar. Step 2 Click one of the map elements to connect, then click the other map element to connect. Step 3 If the map elements contain interfaces, select the source and destination interfaces for the link in the Select Interfaces and Link Properties Dialog Boxes, then click OK. The Add Link dialog box might open, depending on which interfaces you select.
Displaying Existing VPNs on the Map To display an existing VPN on the map, select Map > Show VPNs on Map. You are prompted with a list of existing VPNs. Select the ones you want from the available VPNs list and click >> to move them to the selected list. Tip You can also remove a VPN using this command. Select the VPNs you want to remove from the selected VPNs list and click <<. When you remove a VPN, only the VPN tunnels are removed.
Editing VPN Policies or Peers From the Map You can edit VPN policies, or the peers that participate in a VPN, from map view. To edit policies or peers, right-click a VPN tunnel or device node and select one of these commands: • Edit VPN Policies—To open the Site-to-Site VPN Manager, where you can edit the policies that define the VPN. For more information, see Site-to-Site VPN Manager Window, page 24-18.
• Chapter 5, “Managing Policies” Managing Firewall Policies in Map View You can configure firewall policies on a device in Map view. These policies are local to the device rather than being shared policies (you must use Policy view to configure shared policies). Tip If you want to assign a shared policy to a device, see Performing Basic Policy Management in Map View, page 34-22.
PART 4 IPS Configuration
CHAPTER 35 Getting Started with IPS Configuration Cisco Intrusion Prevention System (IPS) Sensors are network devices that perform real-time monitoring of network traffic for suspicious activities and active network attacks. The IPS sensor analyzes network packets and flows to determine whether their contents appear to indicate an attack against your network.
Chapter 35 Getting Started with IPS Configuration Understanding IPS Network Sensing Tip Cisco IPS sensors and Cisco IOS IPS devices are often referred to collectively as IPS devices or simply sensors. However, Cisco IOS IPS does not run the full dedicated IPS software, and its configuration does not include IPS device-specific policies. Additionally, the amount of sensing that you can perform with Cisco IOS IPS is more limited.
Figure 35-1 Comprehensive IPS Deployment Solutions (figure; callout labels: Public services segment; Multiple IPS sensors deliver a highly scalable, load-balanced solution via Cisco Etherchannel technology on Cisco Catalyst Switches; Attacker; Sensor deployed in IDS mode; Sensor deployed in IPS mode; Main campus; Internet; Campus core; Service provider, partner, or branch office net
• Generate IP session logs, session replay, and trigger packets display. IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for. • Implement multiple packet drop actions to stop worms and viruses.
• Filter out known false positives caused by specialized software, such as vulnerability scanners and load balancers, by one of the following methods: – You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer. – You can configure the sensor to allow these alerts and then use Event Viewer to filter out the false positives. • Filter the Informational alerts.
Step 4 • IDSM—Configure the IDSM Settings Catalyst platform policy. For more information, see IDSM Settings, page 65-44. • IPS modules on ASA devices—Configure the Platform > Service Policy Rules > IPS, QoS, and Connection Rules policy on the host ASA to specify the traffic that should be inspected. For more information, see About IPS Modules on ASA Devices, page 56-14 and IPS, QoS, and Connection Rules Page, page 56-5.
Step 9 If you use any of the Request Block or Request Rate Limit event actions, configure blocking or rate limiting hosts. See Configuring IPS Blocking and Rate Limiting, page 42-7. Step 10 Configure other desired advanced IPS services.
Specifically, you must add either the IP address of the Security Manager server, or its network address, or Security Manager cannot configure the device. Also add the addresses of all other management hosts that you use, such as CS-MARS. Tip If you add host addresses only, you will be limited to using those workstations to access the device. Step 1 Step 2
Trap-directed notification has the following advantage—if a manager is responsible for a large number of devices, and each device has a large number of objects, it is impractical to poll or request information from every object on every device. The solution is for each agent on the managed device to notify the manager without solicitation. It does this by sending a message, known as a trap, for the event.
Step 4 If you configure trap destinations, you must also ensure that the desired alerts include the Request SNMP Trap action. You have the following options for adding this action: • (Easy way.) Create an event action override to add the Request SNMP Trap action to all alerts of a specified risk rating (IPS > Event Actions > Event Action Overrides policy).
Table 35-1 General Configuration Tab, SNMP Policy for IPS Sensors (Continued) Element Description Read-Write Community String The community string required for read-write access to the sensor. SNMP set requests from the management station must supply this string to get responses from the sensor; it can also be used on get requests. This string gives access to all SNMP get and set requests. Use the string to help identify the sensor.
Table 35-2 SNMP Trap Configuration Tab, SNMP Policy for IPS Sensors (Continued) Element Description Error Filter The type of events that will generate SNMP traps based on the severity of the event: fatal, error, or warning. Select all severities that you want; use Ctrl+click to select multiple values. The sensor sends notifications of events of the selected severities only.
Table 35-3 SNMP Trap Communication Dialog Box (Continued) Element Description Trap Community String The community string of the trap. If you do not enter a trap string, the default trap string defined on the SNMP Trap Communication tab is used for traps sent to this destination. Trap Port The port used by the SNMP management station to receive traps.
• Viewer—Users can view the device configuration and events, but they cannot modify any configuration data except their user passwords. • Operator—Users can view everything and they can modify the following options: – Signature tuning (priority, disable or enable). – Virtual sensor definition. – Managed routers. – Their user passwords.
Because Security Manager configures even unchanged passwords, all managed passwords must satisfy the password requirements defined in the Password Requirements policy. You can have a mix of managed and unmanaged account passwords. For example, you can have a set of shared user accounts that are centrally managed, and manage these account passwords in Security Manager.
– When previewing configurations, you can see changes to the user accounts by selecting IPS (Delta – User Passwords). However, passwords are masked. For more information, see Previewing Configurations, page 8-45. – If you are rolling back configurations, the user accounts are never rolled back. The current status and configuration of user accounts do not change.
• If you change the password for the user defined in the device properties, which Security Manager uses to deploy configurations to the device, Security Manager uses the existing credentials defined in the device properties to log into the device and deploy changes. After successful deployment, the device properties are then changed to use your new settings.
Navigation Path From the IPS platform User Accounts policy, click the Add Row (+) button to create a new account, or select an existing account and click the Edit Row (pencil) button. For information on accessing the User Accounts policy, see Configuring IPS User Accounts, page 35-16. Field Reference Table 35-4 Add or Edit User Dialog Box Element Description User Name The username for the account.
Table 35-5 Password Requirements Policy Element Description Attempt Limit How many times a user is allowed to try to log into the device before the user account is locked due to excessive failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
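What the Attempt Limit setting changes, shown as an added example written for this guide (it is not sensor code). Replaying the same constructed login log with the default limit of 0 and with a limit of 3 makes the difference concrete: with 0, a failing account is never locked; with 3, the third consecutive failure locks it and later attempts are refused before credentials are even checked. Treating a locked account as refusing valid credentials until an administrator unlocks it is an assumption about the lockout, not something the page specifies.

```python
class LoginAttemptTracker:
    """Model the Attempt Limit described for the Password Requirements policy:
    consecutive failed logins are counted per user and the account is locked
    once the limit is reached. attempt_limit=0 means unlimited attempts, which
    is the default on the page. Illustrative code, not the sensor's own."""

    def __init__(self, attempt_limit=0):
        if attempt_limit < 0:
            raise ValueError("attempt limit cannot be negative")
        self.attempt_limit = attempt_limit
        self._failed = {}       # user -> consecutive failed attempts
        self._locked = set()    # users currently locked out

    def is_locked(self, user):
        return user in self._locked

    def failed_attempts(self, user):
        return self._failed.get(user, 0)

    def record_login(self, user, credentials_valid):
        """Return 'locked' (refused without checking credentials), 'success',
        'failure', or 'locked-now' (this failure reached the limit).

        Assumption: a locked account refuses even valid credentials until
        unlock() is called for it."""
        if user in self._locked:
            return "locked"
        if credentials_valid:
            self._failed.pop(user, None)   # a success resets the counter
            return "success"
        count = self._failed.get(user, 0) + 1
        self._failed[user] = count
        if self.attempt_limit and count >= self.attempt_limit:
            self._locked.add(user)
            return "locked-now"
        return "failure"

    def unlock(self, user):
        """Administrative unlock: clears the lock and the failure counter."""
        self._locked.discard(user)
        self._failed.pop(user, None)


def replay_login_log(attempt_limit, log_lines):
    """Replay constructed 'user,ok' / 'user,fail' log lines through a tracker
    with the given limit and return the outcome for each line."""
    tracker = LoginAttemptTracker(attempt_limit)
    outcomes = []
    for line in log_lines:
        user, result = line.strip().split(",")
        outcomes.append(tracker.record_login(user, result == "ok"))
    return outcomes


if __name__ == "__main__":
    # Constructed login log: three failures then a success for one account.
    log = ["cisco,fail", "cisco,fail", "cisco,fail", "cisco,ok",
           "alice,fail", "alice,ok", "alice,fail"]
    for limit in (0, 3):
        print(f"attempt limit {limit}: {replay_login_log(limit, log)}")
```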
• Key—You must specify the shared secret key that is defined on the RADIUS server. Although this field is optional for a generic AAA server object, IPS requires a key. • Port—Ensure that the RADIUS Authentication/Authorization port is correct. Note that the default port in the AAA server object is different from the IPS default, which is 1812.
• RADIUS NAS ID—The Network Access ID, which identifies the service requesting authentication. The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips. • Enable Local Fallback—Whether you want to fall back to local user account authentication if all RADIUS servers are unavailable. This option is selected by default.
Step 2 In the NTP Server IP Address field, enter the IP address of the NTP server. You can also enter the name of a network/host object that identifies the single host address of the server, or click Select to select the object from a list or to create a new one. Step 3 If the NTP server does not require authentication, deselect the Authenticated NTP checkbox.
Identifying an HTTP Proxy Server If you configure global correlation on an IPS 7.0+ sensor, and your network requires the use of HTTP proxies to connect to the Internet, you need to configure the HTTP Proxy policy to identify a proxy that the IPS sensor can use. When downloading global correlation updates, the IPS sensor connects to the update server using this proxy. The proxy must be able to resolve DNS names.
• Agents that reside on and protect network hosts. • A management console, which is an application that manages agents. It downloads security policy updates to agents and uploads operational information from agents. Before You Begin Add the external product as an allowed host so that Security Manager allows the sensor to communicate with the external product.
Table 35-6 External Product Interface Dialog Box (Continued) Element Description Interface Type Identifies the physical interface type, which is always Extended SDEE. Enable receipt of information Whether information is allowed to be passed from the external product to the sensor. SDEE URL The URL on the CSA MC that the IPS uses to retrieve information using SDEE communication.
Table 35-6 External Product Interface Dialog Box (Continued) Element Description Enable receipt of watch listed addresses Whether to allow the receipt of the watch list information from CSA MC. The watch list information received from a CSA MC is deleted if you disable this option. Manual Watch List RR increase The percentage of the manual watch list risk rating (RR). The default is 25, and the valid range is 0 to 35.
Field Reference Table 35-7 IPS Logging Page Element Description Interface Notifications Tab Missed Packets Threshold The percentage of missed packets that must occur before you receive a notification. The default is 0, and the range is 0 to 100. Notification Interval The length of time, in seconds, over which the percentage of missed packets is checked. The default is 30, and the range is 5 to 3600.
• (Policy view) Select IPS > Platform > Device Admin > Health Monitor from the Policy Type selector, then select an existing policy or create a new one. Note In Policy view, no validation is performed if a shared IPS Health Monitor policy is applied to an IPS device running a version earlier than 6.1. Security Manager ignores such policies during deployment to the device and also records them in the deployment logs.
Configuring IPS Security Settings Use the IPS Security Settings policy to configure two items that are important to the security of your IPS devices: Note • Permit packet capture logging—With this feature, IPS devices can prevent users from arbitrarily executing packet capture/display/iplog commands. In previous versions of Security Manager, such actions left no trace of who executed the command.
CHAPTER 36 Managing IPS Device Interfaces Dedicated IPS appliances and service modules have their own interface configuration, whereas Cisco IOS IPS devices are configured using the regular router interface policies. This chapter explains how to configure interfaces for dedicated IPS appliances and service modules only.
Chapter 36 Managing IPS Device Interfaces Understanding Interface Modes mode, packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic. In inline mode, the IPS is in the traffic flow and can directly affect the traffic. For more information about sensing modes, see Understanding Interface Modes, page 36-2. Note • On appliances, all sensing interfaces are disabled by default. You must enable them to use them. On modules, the sensing interfaces are permanently enabled.
assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router). By default, all sensing interfaces are in promiscuous mode.
ID field in the 802.1q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet. The sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs. Notes: • You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair. • Inline VLAN pairs are not supported on IPS modules for routers or ASA devices.
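The VLAN ID rewrite that an inline VLAN pair performs, as an added example written for this guide (not sensor code). It builds a pair table that enforces the note above about the default VLAN, then models the forwarding step on a constructed 802.1q-tagged frame: a frame arriving on a paired VLAN has only the 12-bit VLAN ID in its tag replaced with the partner VLAN, with the priority bits left alone, and a frame on any other VLAN is dropped. That VLAN 1 is the default VLAN, and that untagged frames are treated as not belonging to a pair, are assumptions made here.

```python
import struct

TPID_8021Q = 0x8100
DEFAULT_VLAN_ID = 1      # assumption: the switch default VLAN is VLAN 1
MAX_VLAN_ID = 4094


def build_inline_vlan_pair_table(pairs):
    """Turn (vlan_a, vlan_b) inline VLAN pairs into a lookup table mapping each
    ingress VLAN to its egress VLAN. Rejects the default VLAN, a VLAN paired
    with itself, and a VLAN that appears in more than one pair."""
    table = {}
    for vlan_a, vlan_b in pairs:
        if vlan_a == vlan_b:
            raise ValueError(f"a VLAN cannot be paired with itself: {vlan_a}")
        for vlan in (vlan_a, vlan_b):
            if not 1 <= vlan <= MAX_VLAN_ID:
                raise ValueError(f"invalid VLAN ID {vlan}")
            if vlan == DEFAULT_VLAN_ID:
                raise ValueError("the default VLAN cannot be used in an inline VLAN pair")
            if vlan in table:
                raise ValueError(f"VLAN {vlan} is already in an inline VLAN pair")
        table[vlan_a] = vlan_b
        table[vlan_b] = vlan_a
    return table


def vlan_id(frame):
    """Return the 802.1q VLAN ID of a tagged Ethernet frame, or None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def forward_inline_vlan_pair(frame, table):
    """Model the sensor's forwarding step for an inline VLAN pair: rewrite the
    VLAN ID of a frame received on a paired VLAN to the pair's egress VLAN and
    return the new frame, or return None (drop) when the VLAN is not paired.
    PCP and DEI bits of the TCI are preserved; only the 12-bit VLAN ID changes.
    Assumption: untagged frames are treated as not belonging to a paired VLAN."""
    ingress = vlan_id(frame)
    if ingress is None or ingress not in table:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    new_tci = (tci & 0xF000) | table[ingress]
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def make_tagged_frame(vlan, pcp=0, payload=b"\x00" * 46):
    """Construct a minimal 802.1q-tagged IPv4 frame (sample data, not a capture)."""
    dst = bytes.fromhex("020000000001")   # locally administered test MACs
    src = bytes.fromhex("020000000002")
    tci = (pcp << 13) | vlan
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + payload


if __name__ == "__main__":
    table = build_inline_vlan_pair_table([(10, 20), (30, 40)])
    for ingress in (10, 20, 99):
        out = forward_inline_vlan_pair(make_tagged_frame(ingress, pcp=5), table)
        print(f"VLAN {ingress:3d} -> {'dropped' if out is None else vlan_id(out)}")
```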
Note: Non-802.1q encapsulated traffic is associated with the unassigned VLAN group, and it is not possible to assign the native VLAN to any other VLAN group.
You can configure a port on a switch as either an access port or a trunk port. On an access port, all traffic is in a single VLAN, which is called the access VLAN.
Chapter 36 Managing IPS Device Interfaces Configuring Interfaces
Configuring Interfaces
Use the Interfaces policy for IPS appliances and service modules to configure the interface settings for the device. The following topics explain how to configure the various types of settings. These topics do not apply to Cisco IOS IPS devices, which use the standard router interface policies.
Field Reference
Table 36-1 IPS Interfaces Policy
Physical Interfaces tab: The physical interfaces that are available on the device. You can edit these interfaces only (select the device and click the Edit Row button); you must perform inventory discovery on the device to obtain the correct list of physical interfaces, for example, if you add an interface card to the device.
Table 36-1 IPS Interfaces Policy (Continued)
Summary tab: A summary of how you have configured the sensing interfaces—the interfaces you have configured for promiscuous mode, the interfaces you have configured as inline pairs, and the interfaces you have configured as inline VLAN pairs. For more information, see Viewing a Summary of IPS Interface Configuration, page 36-8.
Tip: Not all service modules have a summary tab.
Navigation Path
(Device view) Select Interfaces from the Policy selector. Click the Summary tab.
Configuring Physical Interfaces
The Physical Interfaces tab of the IPS Interfaces policy lists the existing physical interfaces on your sensor and their associated settings. You cannot add or delete physical interfaces in this policy; instead, you must use policy discovery to obtain the current list of interfaces from the device.
Modify Physical Interface Map Dialog Box
Use the Modify Physical Interface Map dialog box to change the configuration of the physical interfaces of an IPS sensor. For the procedure, see Configuring Physical Interfaces, page 36-10.
Navigation Path
(Device view) Select Interfaces from the Policy selector. On the Physical Interfaces tab, select an interface and click the Edit Row button.
Table 36-3 Modify Physical Interface Map Dialog Box (Continued)
Specify Interface for TCP Reset: Whether to send TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.
interface-name: If you select this option, select the alternate TCP reset interface from the interface-name list.
If the monitoring process of the sensor is down, traffic bypasses the sensor until the sensor is running again. The sensor then inspects the traffic. Auto mode is useful during sensor upgrades to ensure that traffic is still flowing while the sensor is being upgraded. Auto mode also helps to ensure that traffic continues to pass through the sensor if the monitoring process fails.
• Defining A Virtual Sensor, page 37-5
• Editing Policies for a Virtual Sensor, page 37-9
• Assigning Interfaces to Virtual Sensors, page 37-4
Step 1 (Device view) Select Interfaces from the Policy selector, then click the Inline Pairs tab.
Step 2 Do one of the following:
• To add a pair, click the Add Row button. The Add Interface Pair dialog box opens.
• To edit a pair, select it and click the Edit Row button.
Related Topics
• Understanding Interfaces, page 36-1
• Configuring Bypass Mode, page 36-12
• Configuring CDP Mode, page 36-13
• Configuring Physical Interfaces, page 36-10
• Configuring VLAN Groups, page 36-15
Step 1 (Device view) Select Interfaces from the Policy selector, then click the VLAN Pairs tab.
Step 2 Do one of the following:
• To add a pair, click the Add Row button. The Add VLAN Pair dialog box opens.
Note: VLAN groups are supported in IPS 6.0 and later only. Not all IPS appliances or service modules support VLAN groups. If the VLAN Groups tab does not appear in the Interfaces policy, the device you are configuring does not support the feature.
– Range of free VLAN IDs—The group contains specific VLANs. In the Range box, enter any combination of single VLAN IDs or ranges (separate the starting and ending ID with a hyphen), and separate multiple entries with commas. For example, 10, 12-25, 33-49. VLAN numbers are from 1 to 4095. The VLAN ID cannot already be in another VLAN group for the selected interface.
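The Range box accepts the same comma-and-hyphen syntax that many network tools use, and the two rules stated above (IDs 1 to 4095, no VLAN already in another group on the same interface) are what a validator has to enforce. The following Python is an added example, not Security Manager code; the group names and the interface dictionary it checks against are constructed for illustration.

```python
import re
from typing import Dict, Set

VLAN_MIN, VLAN_MAX = 1, 4095
# One entry: a single ID ("10") or a hyphenated range ("12-25"), whitespace tolerated.
_ENTRY = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+)\s*)?$")


def parse_vlan_range(spec: str) -> Set[int]:
    """Expand a Range-box string such as "10, 12-25, 33-49" into a set of VLAN IDs.

    Raises ValueError for a malformed entry, an ID outside 1-4095, or a range
    whose start is greater than its end.
    """
    ids: Set[int] = set()
    for entry in spec.split(","):
        match = _ENTRY.match(entry)
        if not match:
            raise ValueError(f"malformed VLAN entry: {entry.strip()!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if start > end:
            raise ValueError(f"range start exceeds end: {entry.strip()!r}")
        if start < VLAN_MIN or end > VLAN_MAX:
            raise ValueError(
                f"VLAN IDs must be between {VLAN_MIN} and {VLAN_MAX}: {entry.strip()!r}"
            )
        ids.update(range(start, end + 1))
    return ids


def check_vlan_group_overlap(
    interface_groups: Dict[str, str], new_group: str, new_spec: str
) -> Set[int]:
    """Return the VLAN IDs in new_spec that already belong to a different group.

    interface_groups maps group name -> Range-box string for the VLAN groups
    already defined on one interface (a constructed structure for this example).
    An empty result means the new specification can be accepted.
    """
    new_ids = parse_vlan_range(new_spec)
    conflicts: Set[int] = set()
    for group, spec in interface_groups.items():
        if group == new_group:
            continue  # editing an existing group may keep its own VLANs
        conflicts |= new_ids & parse_vlan_range(spec)
    return conflicts


if __name__ == "__main__":
    # Constructed sample: one group already exists on the interface.
    existing = {"group1": "10, 12-25"}
    print(sorted(parse_vlan_range("10, 12-25, 33-49")))
    print(sorted(check_vlan_group_overlap(existing, "group2", "20-30, 33")))
```

The overlap check compares expanded ID sets rather than raw strings, so "12-25" and "20-30" are correctly reported as conflicting even though no single token is shared.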
Chapter 37 Configuring Virtual Sensors
All IPS devices and service modules have a base virtual sensor named vs0. When you configure the IPS appliance or service module, you must configure the base vs0 sensor to assign interfaces to it. This assignment tells the device which interfaces to inspect. There are also other settings that are configured on virtual sensors. In addition to the base vs0 virtual sensor, many IPS appliances and service modules allow you to create user-defined virtual sensors.
Chapter 37 Configuring Virtual Sensors Understanding the Virtual Sensor
Note: No packet is processed by more than one virtual sensor; you cannot assign the same physical or logical interface to more than one sensor. Packets from interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups that are not assigned to any virtual sensor are disposed of according to the inline bypass configuration that you define in the Interfaces policy.
Advantages and Restrictions of Virtualization
An advantage of using virtual sensors is that you can operate more than one virtual sensor on one appliance while configuring each virtual sensor differently with regard to signature behavior and traffic feed.
the IPS. A further complication in this situation is the necessity of allowing asymmetric traffic to merge for proper tracking of streams when the traffic for either direction is received from different VLANs or interfaces. To deal with this situation, you can set the mode so that streams are perceived as unique if they are received on separate interfaces or VLANs (or the subinterface for VLAN pairs).
Chapter 37 Configuring Virtual Sensors Defining A Virtual Sensor
There can be many inline VLAN groups on the same inline interface pair, but the VLANs assigned cannot overlap. Once a VLAN group is assigned to an inline interface pair, it is no longer a plain inline interface pair and can only be used for inline VLAN groups. VLAN groups cannot be assigned to inline VLAN pairs. You must configure the interfaces before you can assign them to virtual sensors.
Related Topics
• Understanding Interfaces, page 36-1
• Understanding Interface Modes, page 36-2
• Advantages and Restrictions of Virtualization, page 37-3
• Inline TCP Session Tracking Mode, page 37-3
• Understanding Normalizer Mode, page 37-4
• Assigning Interfaces to Virtual Sensors, page 37-4
• Identifying the Virtual Sensors for a Device, page 37-5
• Editing Policies for a Virtual Sensor, page 37-9
Step 1 (Device view
Step 6 If you created a new virtual sensor, you must submit your changes to the database for the new virtual sensor to appear in the device selector in Device view.
• Non-Workflow mode—Select File > Submit.
• Workflow mode—Select Activities > Approve Activity, or if you are operating with an activity approver, Activities > Submit Activity. The activity must be approved before the virtual sensor appears in the device selector.
Field Reference
Table 37-1 Add or Edit Virtual Sensor Dialog Box
Virtual Sensor Name: The name of the virtual sensor. The virtual sensor name can be up to 64 characters and it cannot contain spaces. The name of the default virtual sensor is vs0. You cannot change the name after you create the virtual sensor. To change a virtual sensor name, delete the sensor and create a new sensor with the desired name.
Chapter 37 Configuring Virtual Sensors Editing Policies for a Virtual Sensor
Table 37-1 Add or Edit Virtual Sensor Dialog Box (Continued)
Normalizer Mode: The type of Normalizer mode you need for traffic inspection. For more information, see Understanding Normalizer Mode, page 37-4.
• Strict Evasion Protection—(Default) If a packet is missed for any reason, all packets after the missed packet are not processed.
Chapter 37 Configuring Virtual Sensors Deleting A Virtual Sensor
– Chapter 39, “Configuring Event Action Rules”
– Configuring Anomaly Detection, page 40-6
All other policies are configured on the parent device, and the configurations apply to all virtual sensors configured on the device.
Deleting A Virtual Sensor
Virtual sensors appear in the device selector in Device view. However, you cannot delete them from the selector using the same command used for other devices.
Chapter 38 Defining IPS Signatures
You can use Security Manager to configure IPS signatures for dedicated IPS appliances and service modules or Cisco IOS IPS devices. When configuring signatures for Cisco IOS IPS, keep in mind that the router cannot use as many signatures as a dedicated appliance or service module.
Chapter 38 Defining IPS Signatures Understanding Signatures
Cisco IPS contains over 10,000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine. You can later activate retired signatures; however, this process requires the sensing engines to rebuild their configuration, which takes time and could delay the processing of traffic.
Tip: If this window is not visible to you, expand it with the up arrow button in the bottom-left corner of the Signatures page. To hide this window, collapse it with the corresponding down arrow, also in the bottom-left corner of the Signatures page. You can resize this window with standard controls.
Understanding Signature Inheritance
Signature inheritance for IPS devices is different from that of any other Security Manager rules-based policy.
Chapter 38 Defining IPS Signatures Configuring Signatures
IPS signature purge now runs at midnight every day.
Configuring Signatures
The Signatures policy is where you configure signatures for Cisco IPS sensors and Cisco IOS IPS devices.
• Understanding Signature Inheritance, page 38-3
• Enabling and Disabling Signatures, page 38-10
• Cloning Signatures, page 38-18
• Editing Signature Parameters (Tuning Signatures), page 38-19
• Configuring Event Action Filters, page 39-4
• Chapter 39, “Configuring Event Action Rules”
Field Reference
Table 38-1 Signature Policy
ID: The signature ID, which is the unique numerical value assigned to this signature.
Table 38-1 Signature Policy (Continued)
Retired: The conditions under which the signature is retired, if any. A retired signature is removed from the signature engine. You can activate a retired signature to place it back in the signature engine.
Timesaver: Use the Retired field to unload disabled signatures on your IOS-IPS device to achieve the most favorable memory consumption of that device.
Table 38-1 Signature Policy (Continued)
Edit button: Click this button to edit the selected signature. You can edit one signature at a time. For more information, see the following topics:
• Editing Signatures, page 38-11
• Edit Signature or Add Custom Signature Dialog Boxes, page 38-12
Delete button: Click this button to delete the selected custom signatures. You cannot delete Cisco-defined signatures.
Table 38-2 Signature Shortcut Menu (Continued)
Enable, Disable: Places the signature in the enabled or disabled state, respectively. Disabled signatures appear with crosshatching over them. For more information, see Enabling and Disabling Signatures, page 38-10.
Show Events: Enables navigation to the Cisco Security MARS application to view the realtime or historical events detected by the selected signature.
• Replace Actions—The actions that you select completely replace those defined in the signature. To open this dialog box, right-click the Actions cell of a signature and select Replace Actions With > More.
• Edit Actions—The actions that you select completely replace those defined in the signature. To open this dialog box, right-click the Actions cell of a signature and select Edit Actions.
Table 38-3 Update Level Dialog Box (Continued)
Deployed Level: This column displays the patch level that is currently running on the selected device.
Major Update: Identifies the major update level.
Minor Update: Identifies the minor update level.
Service Pack: Identifies the service pack level.
Patch: Identifies the patch level.
Engine: Identifies the engine level.
Step 2 Right-click the signature whose enabled status you want to change and select Enable or Disable, as appropriate.
Editing Signatures
You can edit signatures to change their behavior. For example, you can change the action that should be taken when a signature fires, or the severity and fidelity ratings used to calculate the risk rating of the signature. Some signatures have special requirements.
Step 4
• You cannot edit a Default signature. Default signatures are the Cisco-defined version of a signature. Before you can edit a Default signature, you must convert it either to a Local signature (one defined specifically on the selected device) or a shared-policy-specific signature (one defined in a shared policy).
Field Reference
Table 38-4 Edit Signature or Add Custom Signature Dialog Boxes
Source Policy (Edit signature only.): The policy in which you are editing the signature:
• Default—The default Cisco-defined signature, which you cannot edit. You must select something other than Default to edit the signature.
• Local—The signature is a local signature defined specifically for the selected device.
Table 38-4 Edit Signature or Add Custom Signature Dialog Boxes (Continued)
Risk Rating (Fields have slightly different: The base risk rating value of the signature, which is calculated by multiplying the fidelity rating by the severity factor and dividing by 100 (Fidelity Rating x Severity Factor / 100). This value is read only; you cannot directly change it.
Table 38-4 Edit Signature or Add Custom Signature Dialog Boxes (Continued)
Retired: The conditions under which the signature is retired, if any. A retired signature is removed from the signature engine. You can activate a retired signature to place it back in the signature engine.
Adding Custom Signatures
If you want to look for traffic patterns that are not identified by the built-in signatures, you can create your own custom signatures to define the traffic patterns. Even if a built-in signature covers the traffic pattern, you might want to create a custom signature to edit the detailed signature parameters without altering the default signature.
Note: Beginning with Security Manager 4.4, you can specify a signature ID and a subsignature ID while adding a custom signature. If you specify a signature ID/subsignature ID combination that already exists, you will receive an error message.
Engine Options
The following list identifies the options you can specify in the Engine field of the Edit Signature Parameters dialog box.
• Service H225—Inspects VoIP traffic.
• service-http—Inspects HTTP traffic. The WEBPORTS variable defines the inspection ports for HTTP traffic.
• Service IDENT—Inspects IDENT (client and server) traffic.
• Service MSRPC—Inspects MSRPC traffic.
• Service MSSQL—Inspects Microsoft SQL traffic.
• Service NTP—Inspects NTP traffic.
• service-rpc—Inspects RPC traffic.
• Service SMB—Inspects SMB traffic.
Step 1 Do one of the following:
• (Device view) Select IPS > Signatures > Signatures from the Policy selector.
• (Policy view, IPS appliances and service modules) Select IPS > Signatures > Signatures, then select an existing policy or create a new one.
• (Policy view, Cisco IOS IPS devices) Select IPS (Router) > Signatures, then select an existing policy or create a new one.
The Signature page appears; see Signatures Page, page 38-4.
Step 5 Change the settings as desired, then click OK to save your changes. You are returned to the Edit Signature dialog box.
Step 6 Click OK in the Edit Signature dialog box to save your changes to the signature.
Tip: If you decide that your edits did not have the desired effect, or you suspect that you made a mistake, you can click the Restore Defaults button in the Edit Signature dialog box to erase your changes. You can then start over.
Navigation Path
From the Edit Signature or Add Custom Signature dialog boxes, click the Edit Parameters button. For information on opening these dialog boxes, see Edit Signature or Add Custom Signature Dialog Boxes, page 38-12.
Tip: If the button is not active, you must first select Local or the name of a shared policy from the Source Policy field, or clone the signature to create a custom policy.
Table 38-5 Edit Signature Parameters Dialog Box (Continued)
SubSignature ID: The unique numerical value assigned to this subsignature. The subsignature ID identifies a more granular version of a broad signature. The value is 0 to 255.
Promiscuous Delta: Modifies the seriousness of an alert when operating in promiscuous mode. The value is subtracted from an alert’s overall risk rating.
Table 38-5 Edit Signature Parameters Dialog Box (Continued)
Event Counter, Alert Frequency, Summary Mode: How the sensor counts events. For example, you can specify that you want the sensor to send an alert only if the same signature fires 5 times for the same address set. Configure the following values:
• Event Count—(Alert Frequency group) The number of times an event must occur before an alert is generated.
Table 38-5 Edit Signature Parameters Dialog Box (Continued)
Summary Key: The storage type used to summarize alerts. Choose Attacker address, Attacker address and victim port, Attacker and victim addresses, Attacker and victim addresses and ports, or Victim address. The default is Attacker address. (Summary Mode group.)
Specify Global Summary Threshold: (Summary Mode group.
To modify the components list:
• Add new components—Click the Add Entry (+) button to the left of the inactive list. The Add Signature Parameter—List Entry dialog box opens. Configure the following values:
– Entry Key—A name for the component.
– Component Sig ID—The signature ID of the signature you are looking for.
– Component SubSig ID—The subsignature ID; enter 0 if there are no subsignatures.
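The Event Count and Summary Key parameters in Table 38-5 interact: the sensor only alerts once a signature has fired Event Count times for the same key, and the key decides which address and port fields define "the same". The Python below is an added example that models that interaction; it is not sensor code, the Firing record is a constructed stand-in for a real IPS event, and resetting the count after an alert is an assumption made for the example rather than documented sensor behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Firing:
    """One signature firing (constructed record, not a real IPS event format)."""
    sig_id: int
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int


# The Summary Key choices from Table 38-5, mapped to the fields each one groups on.
SUMMARY_KEYS: Dict[str, Callable[[Firing], Tuple]] = {
    "Attacker address": lambda f: (f.attacker,),
    "Attacker address and victim port": lambda f: (f.attacker, f.victim_port),
    "Attacker and victim addresses": lambda f: (f.attacker, f.victim),
    "Attacker and victim addresses and ports": lambda f: (
        f.attacker, f.attacker_port, f.victim, f.victim_port
    ),
    "Victim address": lambda f: (f.victim,),
}


class EventCounter:
    """Alert only when a signature fires event_count times for the same summary key."""

    def __init__(self, event_count: int, summary_key: str = "Attacker address"):
        if event_count < 1:
            raise ValueError("event_count must be at least 1")
        if summary_key not in SUMMARY_KEYS:
            raise ValueError(f"unknown summary key: {summary_key!r}")
        self.event_count = event_count
        self.key_fn = SUMMARY_KEYS[summary_key]
        self.counts: Dict[Tuple, int] = defaultdict(int)

    def observe(self, firing: Firing) -> bool:
        """Record one firing; return True when an alert should be generated."""
        # The signature ID is always part of the key: firings of different
        # signatures from the same attacker are counted separately.
        key = (firing.sig_id,) + self.key_fn(firing)
        self.counts[key] += 1
        if self.counts[key] >= self.event_count:
            self.counts[key] = 0  # assumption: start a fresh count after alerting
            return True
        return False


if __name__ == "__main__":
    # Constructed sample: five probes from one attacker, sig ID 60000 is made up.
    counter = EventCounter(event_count=5, summary_key="Attacker address")
    for i in range(6):
        alert = counter.observe(Firing(60000, "10.0.0.5", 40000 + i, "192.0.2.10", 80))
        print(f"firing {i + 1}: alert={alert}")
```

Choosing a broader key such as "Attacker and victim addresses" splits the count per victim, so the same attacker needs Event Count firings against each victim before an alert is raised for that pair.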
Chapter 38 Defining IPS Signatures Configuring Signature Settings
Configuring Signature Settings
Use the Signature Settings page to define settings for IPS appliances and service modules (but not Cisco IOS IPS devices). These settings define the following policies:
• Application policy—Enable or disable HTTP, determine and specify the maximum number of HTTP requests, specify AIC web ports, and enable or disable FTP.
Table 38-6 Signature Settings Page (Continued)
TCP Reassembly Mode: The mode the sensor should use to reassemble TCP sessions, with the following options:
• Asymmetric—The sensor may be seeing only one direction of a bidirectional traffic flow. Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions.
Chapter 39 Configuring Event Action Rules
An IPS event is an IPS message that contains an alert, a block request, a status message, or an error message. An event action is the sensor’s response to an event. An event action happens only if the event is not filtered. Possible event actions are TCP reset, block host, block connection, IP logging, and capturing the alert trigger packet. Event actions were known as alarms in Cisco IPS versions earlier than 5.x.
Chapter 39 Configuring Event Action Rules Understanding IPS Event Actions
2. The Event Action Overrides policy is processed. If the risk rating of the event matches an override rule, the actions identified in the override rule are added to the actions defined in the signature. The overrides do not replace the actions specified in the signature. For information on configuring overrides, see Configuring Event Action Overrides, page 39-13.
3. The Event Action Filters policy is processed.
Table 39-1 IPS Event Actions
Deny Attacker Inline: Terminates the current packet and future packets from this attacker address for a specified period of time. The IPS must be operating in inline mode. For Cisco IOS IPS devices, no connection can be established from the attacker to the router until the shun time expires.
Tip: This is the most severe of the deny actions.
Deny Attacker/Service Pair Inline
Chapter 39 Configuring Event Action Rules Configuring Event Action Filters
Table 39-1 IPS Event Actions (Continued)
Produce Alert: Writes the event to the Event Store as an alert. For Cisco IOS IPS devices, the notification is sent through syslog or SDEE.
Note: A Produce Alert event action is added for an event when global correlation has increased the risk rating of an event and has added either the Deny Packet Inline or Deny Attacker Inline event action.
Related Topics
• Understanding the IPS Event Action Process, page 39-1
Step 1 Do one of the following to open the Event Action Filters policy:
• (Device view) Select IPS > Event Actions > Event Action Filters from the Policy selector.
• (Policy view, IPS appliances and service modules) Select IPS > Event Actions > Event Action Filters, then select an existing policy or create a new one.
• Stop on Match—Whether to define this filter rule as a stop rule. This setting determines how the remaining rules in the event action filter rules table are processed:
– If you select this option, and an event meets the conditions of the rule, this rule is the final rule tested for the event.
• You can inherit event action filter rules policies. Thus, you could configure a shared policy in Policy view that includes filter rules that you want to share among all of your devices, inherit that rule for each device (in Device view), and in Device view configure local filter rules that are unique to each device. For more information on inheriting policies, see:
– Creating a New Shared Policy, page 5-51
– Inheritance vs.
Table 39-2 Event Action Filters Page (Continued)
IDs: The signature identifiers to which this rule applies.
Subs: The subsignature identifiers.
Attackers: The IP address of the attacker that triggers the filter rule, which can be a host address, an address range (such as 0.0.0.0-255.255.255.
Table 39-2 Event Action Filters Page (Continued)
Up Row and Down Row buttons (arrow icons): Click these buttons to move the selected rules up or down within a scope. Filter rules are processed in order from top to bottom for each event. If the conditions of an event match those defined for a filter, and the filter has the Stop field set to Yes, that filter is applied and no additional filters are considered.
Field Reference
Table 39-3 Filter Item Dialog Box
Active, Enabled: Whether the filter rule is active and enabled. Active means that the filter has been put into the filter list and will take effect on filtering events. The default is that the rule is both active and enabled, which means that the rule is used when events are processed. (Active does not apply to Cisco IOS IPS devices.
Table 39-3 Filter Item Dialog Box (Continued)
Attacker Port: The port used by the attacker host. This is the port from which the offending packet originated. You can also enter a range of ports. The default value is a range of all ports (0-65535).
Victim IPv4 Address: The IP address of the host being attacked (the recipient of the offending packet).
Table 39-3 Filter Item Dialog Box (Continued)
Actions to Subtract: The actions that should be removed from the event, should the conditions of the event meet the criteria of the event action filter. You can select one or more actions in this list box. All selected actions are removed from the event. Use Ctrl+click to select multiple values.
Chapter 39 Configuring Event Action Rules Configuring Event Action Overrides
Configuring Event Action Overrides
You can add an event action override to change the actions associated with an event based on the risk rating of that event. Event action overrides are a way to add event actions globally without having to configure each signature individually. Each event action has an associated risk rating range.
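The event action process described in this chapter has a fixed order: the signature supplies its own actions, overrides add actions when the risk rating falls in their range (they never replace), and filters then subtract actions, evaluated top to bottom with Stop on Match ending evaluation for that event. The Python below is an added example that models exactly that pipeline; it is not Security Manager or sensor code. The Event, Override and FilterRule classes are constructed for the example, filters here match only on signature ID, risk rating and attacker port (real filters have more fields), and the signature ID 60000 in the sample is made up.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set

# Event action names as they appear in Table 39-1.
PRODUCE_ALERT = "Produce Alert"
DENY_PACKET_INLINE = "Deny Packet Inline"
DENY_ATTACKER_INLINE = "Deny Attacker Inline"


@dataclass(frozen=True)
class Event:
    """A constructed IPS alert event (not the real event format)."""
    sig_id: int
    sub_id: int
    attacker_port: int
    risk_rating: int                # 0-100
    sig_actions: FrozenSet[str]     # actions configured on the signature itself


@dataclass(frozen=True)
class Override:
    """Event action override: adds one action when the risk rating is in range."""
    action: str
    rr_min: int
    rr_max: int
    enabled: bool = True

    def matches(self, event: Event) -> bool:
        return self.enabled and self.rr_min <= event.risk_rating <= self.rr_max


@dataclass(frozen=True)
class FilterRule:
    """Event action filter: subtracts actions from events that meet its conditions."""
    sig_ids: FrozenSet[int]
    rr_min: int
    rr_max: int
    attacker_port_min: int
    attacker_port_max: int
    actions_to_subtract: FrozenSet[str]
    stop_on_match: bool = False
    enabled: bool = True

    def matches(self, event: Event) -> bool:
        return (
            self.enabled
            and event.sig_id in self.sig_ids
            and self.rr_min <= event.risk_rating <= self.rr_max
            and self.attacker_port_min <= event.attacker_port <= self.attacker_port_max
        )


def apply_overrides(event: Event, overrides: Iterable[Override]) -> Set[str]:
    """Step 2: overrides ADD actions; the signature's own actions are kept."""
    actions = set(event.sig_actions)
    for override in overrides:
        if override.matches(event):
            actions.add(override.action)
    return actions


def apply_filters(event: Event, actions: Set[str], filters: Iterable[FilterRule]) -> Set[str]:
    """Step 3: filters are tested top to bottom and SUBTRACT actions.

    A matching rule with Stop on Match set is the final rule tested for the event.
    """
    remaining = set(actions)
    for rule in filters:
        if not rule.matches(event):
            continue
        remaining -= rule.actions_to_subtract
        if rule.stop_on_match:
            break
    return remaining


def resolve_actions(event: Event, overrides, filters) -> FrozenSet[str]:
    """Run the whole pipeline and return the actions the sensor would take."""
    return frozenset(apply_filters(event, apply_overrides(event, overrides), filters))


if __name__ == "__main__":
    # Constructed sample: a high risk rating event from a made-up custom signature.
    ev = Event(60000, 0, 4444, 92, frozenset({PRODUCE_ALERT}))
    overrides = [Override(DENY_PACKET_INLINE, 90, 100), Override(DENY_ATTACKER_INLINE, 95, 100)]
    filters = [
        FilterRule(frozenset({60000}), 0, 100, 0, 65535, frozenset({DENY_PACKET_INLINE}), stop_on_match=True),
        FilterRule(frozenset({60000}), 0, 100, 0, 65535, frozenset({PRODUCE_ALERT})),
    ]
    print(sorted(resolve_actions(ev, overrides, filters)))
```

In the sample, the override adds Deny Packet Inline (risk rating 92 is within 90-100 but below 95), the first filter removes it again and stops, so the second filter never gets to strip Produce Alert. Reordering the rows, or clearing Stop on Match, changes the outcome, which is why the Up Row and Down Row buttons matter.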
Chapter 39 Configuring Event Action Rules Configuring IPS Event Action Network Information
• To export the entire list of overrides to a comma-separated values (CSV) file, click Export to File, navigate to an appropriate folder on the Security Manager server, change the file name if you do not like the default name, and click Save.
• Passive OS fingerprinting and OS mappings (OS Identification tab)—You can enable the sensor to use information about the operating system running on a device to determine the attack relevance rating, which is a component of the overall risk rating. Passive OS fingerprinting and OS mappings are available on devices running IPS 6.x+ software only, and are not available on Cisco IOS IPS devices.
• (Policy view, IPS appliances and service modules) Select IPS > Event Actions > Network Information, then select an existing policy or create a new one. Click the IPv4 Target Value Ratings tab or the IPv6 Target Value Ratings tab.
• (Policy view, Cisco IOS IPS devices) Select IPS (Router) > Event Actions > Network Information, then select an existing policy or create a new one.
Field Reference
Table 39-5 Target Value Rating Dialog Box
Value: The target value rating to associate with the specified addresses. From highest to lowest importance: Mission Critical, High, Medium, Low, No Value. This list includes only those value ratings that you have not already configured in the target value ratings table. You change this option when editing a ratings category.
The sensor uses OS information to determine the relevance of the attack signature to the targeted host. The attack relevance is the attack relevance rating component of the risk rating value for the attack alert. There are three sources of OS information. The sensor ranks the sources of OS information in the following order:
1.
More specific mappings should be at the beginning of the list. Overlap in the IP address range sets is allowed, but the entry closest to the beginning of the list takes precedence.
Tip: There is a bug in IPS 6.0 versions lower than 6.0(5) related to the Network Information policy.
Table 39-6 OS Identification Tab (Continued)
OS Maps table: The list of OS mappings, showing the IP addresses of the hosts and the operating systems to which they are mapped. When looking for a match, the sensor goes from top to bottom and selects the first rule that matches the IP address.
• To add a mapping, click the Add Row button and fill in the Add OS Map dialog box (see OS Map Dialog Box, page 39-20).
Chapter 39 Configuring Event Action Rules Configuring Settings for Event Actions
Table 39-7 OS Map Dialog Box (Continued)
OS Type: The operating system running on the identified hosts. Select the most appropriate option from the list. You can select multiple options (using Ctrl+click) to indicate that there is more than one possible OS.
Tip: Because these mappings take precedence over learned mappings, you probably are better off not assigning General OS, Other, or Unknown OS.
Chapter 39 Configuring Event Action Rules Configuring Settings for Event Actions Table 39-8 Event Actions Settings Policy (Continued) Element Description Enable Event Action Summarizer When selected, enables the Summarizer component. The Summarizer groups events into a single alert, thus decreasing the number of alerts the sensor sends out. (IPS appliances and service modules only.) By default, the Summarizer is enabled. If you disable it, all signatures are set to Fire All with no summarization.
Chapter 39 Configuring Event Action Rules Configuring Settings for Event Actions Table 39-8 Event Actions Settings Policy (Continued) Element Description Maximum Number of Denied Limits the number of denied attackers possible in the system at any one time. Attackers (IPS appliances and service modules only.) The range is 0 to 100000000. The default is 10000. Enable One Way TCP Reset When selected, enables a one-way TCP reset for deny packet inline actions for TCP-based alerts.
Chapter 40 Managing IPS Anomaly Detection
Anomaly detection is designed to recognize network congestion caused by worm traffic that exhibits scanning behavior. Anomaly detection will also identify infected hosts on the network that are scanning for other vulnerable hosts. Anomaly detection is enabled by default, but there are some configuration settings you should adjust to use it effectively.
Note: The sensor must use IPS software version 6.x or higher to configure anomaly detection.
• Knowing When to Turn Off Anomaly Detection, page 40-4
• Configuring Anomaly Detection Signatures, page 40-4
• Configuring Anomaly Detection, page 40-6
Worm Viruses
Worm viruses are automated, self-propagating intrusion agents that make copies of themselves and then facilitate their spread. Worm viruses attack a vulnerable host, infect it, and then use it as a base to attack other vulnerable hosts.
Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base, of the network traffic.
You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied. An illegal zone can be very helpful for accurate detection, because we do not expect any legal traffic to reach this zone. This allows very low thresholds, which in turn can lead to very quick worm virus detection.
Table 40-1 Anomaly Detection Worm Signatures
Signature ID/Subsignature ID, Name: Description
13000/0, Internal TCP Scanner: Identified a single scanner over a TCP protocol in the internal zone.
13000/1, Internal TCP Scanner: Identified a worm attack over a TCP protocol in the internal zone; the TCP histogram threshold was crossed and a scanner over a TCP protocol was identified.
13006/1, Illegal TCP Scanner: Identified a worm attack over a TCP protocol in the illegal zone; the TCP histogram threshold was crossed and a scanner over a TCP protocol was identified.
13007/0, Illegal UDP Scanner: Identified a single scanner over a UDP protocol in the illegal zone.
Step 2
• Learning Accept Mode—The configuration for learning mode, including how the knowledge base is handled.
• Internal Zone, Illegal Zone, External Zone—The zones of your network that you define. You can configure unique settings for each zone. For an explanation of the zones, see Anomaly Detection Zones, page 40-3.
• If you configured the Anomaly Detection policy as a shared policy in Policy view, select the IPS device to which the policy is assigned, or that hosts a virtual sensor to which the policy is assigned. Then, complete the following steps in the Virtual Sensors policy:
a. Select the desired virtual sensor in the table and click the Edit Row button.
b.
Tip: Although you can use Security Manager to configure how knowledge bases are generated, you cannot manage the knowledge bases themselves. Use the IPS Device Manager (IDM) or IPS Manager Express (IME) instead. Using IDM (or IME), you can load, delete, and rename knowledge bases, and upload them to or download them from an external server. For more information about what you can do, see the online help for IDM or IME.
During learning mode, anomaly detection develops histograms for each TCP and UDP port, and for other protocols, to create a baseline of the normal behavior of your network (see Anomaly Detection Modes, page 40-2). For example, the histogram for a TCP port lists the “normal” number of source addresses that make incomplete connections to a certain number of destination addresses during a minute.
Configuring Anomaly Detection Thresholds and Histograms
Anomaly detection uses thresholds and histograms to determine if scanning behavior is an attack. In most cases, you can use the default thresholds and the histograms that anomaly detection generates during learning mode (see Anomaly Detection Modes, page 40-2). However, you might want to fine-tune these settings.
The content of this table is fixed; you cannot add or delete items. However, you can select a row and click Edit Row (pencil) to change the number of source addresses configured for a threshold setting. See Histogram Dialog Box, page 40-13.
Step 4 Repeat the process for each combination of zone and protocol for which you are defining non-default settings.
Table 40-2 Destination Port or Protocol Map Dialog Box (Continued)
Override Scanner Settings: Whether to override the scanner settings for this service or protocol. You must select this option to enable the remaining fields on the dialog box.
Scanner Threshold: The scanner threshold for this port or protocol. The range is 5 to 1000. The default is 200.
Field Reference
Table 40-3 Histogram Dialog Box
Number of Destination IP Addresses: The histogram bucket you are defining. The buckets have a fixed number of destination addresses: Low (5 addresses); Medium (20); High (100).
Tip: A histogram can have a single entry for each destination bucket (low, medium, high).
Number of Source IP Addresses
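The learning-mode histograms, the per-port scanner threshold and the zone-specific tuning described above can be made concrete with a small model. The following is an added example, not Cisco code: it takes the fixed destination buckets (5, 20, 100), the 5 to 1000 scanner-threshold range and the signature IDs from Table 40-1 from the guide, while the baseline source counts, the sample connection records and the simplified decision rule are constructed assumptions for illustration.

```python
"""Model of IPS anomaly-detection scanner and histogram evaluation.

Added example, not Cisco code.  Buckets, the threshold range and the
signature IDs come from the guide; baseline counts, sample traffic and
the decision rule are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Fixed destination-address buckets from the Histogram dialog box.
BUCKETS = {"low": 5, "medium": 20, "high": 100}

# Worm signatures listed in Table 40-1: (zone, protocol) -> signature ID.
SIGNATURE_IDS = {
    ("internal", "tcp"): 13000,
    ("illegal", "tcp"): 13006,
    ("illegal", "udp"): 13007,
}


@dataclass
class ZoneSettings:
    """Tuning for one zone and protocol: the scanner threshold (distinct
    destinations one source must probe in a minute; range 5 to 1000,
    default 200) and the histogram baseline, i.e. how many sources may
    normally reach at least each bucket's destination count per minute.
    The baseline values below are constructed, not Cisco defaults."""
    scanner_threshold: int = 200
    histogram: dict = field(
        default_factory=lambda: {"low": 10, "medium": 3, "high": 1})

    def __post_init__(self):
        if not 5 <= self.scanner_threshold <= 1000:
            raise ValueError("scanner threshold must be between 5 and 1000")


@dataclass(frozen=True)
class IncompleteConnection:
    """One unanswered connection attempt observed within one minute."""
    src: str
    dst: str
    protocol: str  # "tcp" or "udp"


def destinations_per_source(records):
    """Count the distinct destinations each source tried to reach."""
    dests = defaultdict(set)
    for rec in records:
        dests[rec.src].add(rec.dst)
    return {src: len(d) for src, d in dests.items()}


def histogram_counts(dest_counts):
    """Number of sources that reached at least each bucket's size."""
    return {name: sum(1 for n in dest_counts.values() if n >= size)
            for name, size in BUCKETS.items()}


def evaluate_minute(zone, protocol, records, settings):
    """Alerts for one minute of traffic in one zone and protocol.

    Simplified rule mirroring the Table 40-1 descriptions:
      subsig 0: a single source crossed the scanner threshold;
      subsig 1: a scanner was found and a histogram bucket holds more
                sources than the baseline allows (worm attack).
    """
    sig_id = SIGNATURE_IDS[(zone, protocol)]
    counts = destinations_per_source(
        r for r in records if r.protocol == protocol)
    scanners = sorted(s for s, n in counts.items()
                      if n >= settings.scanner_threshold)
    crossed = [b for b, n in histogram_counts(counts).items()
               if n > settings.histogram[b]]
    if scanners and crossed:
        return [{"sig": sig_id, "subsig": 1,
                 "scanners": scanners, "buckets": crossed}]
    if scanners:
        return [{"sig": sig_id, "subsig": 0,
                 "scanners": scanners, "buckets": []}]
    return []


def synthetic_minute(spec, protocol="tcp"):
    """Constructed traffic: spec maps a source to the number of distinct
    destinations it probed; destinations are made-up 10.9.x.y addresses."""
    records = []
    for src, count in spec.items():
        for i in range(count):
            dst = f"10.9.{i // 250}.{i % 250 + 1}"
            records.append(IncompleteConnection(src, dst, protocol))
    return records


if __name__ == "__main__":
    # Six hosts probing 30 destinations plus one probing 250: the
    # medium bucket holds 7 sources against a baseline of 3 -> 13000/1.
    spread = {f"192.0.2.{i}": 30 for i in range(1, 7)}
    spread["192.0.2.10"] = 250
    print(evaluate_minute("internal", "tcp", synthetic_minute(spread),
                          ZoneSettings()))
```

Tuning the illegal zone with a scanner threshold of 5 and an all-zero baseline, as the guide suggests for address space that should never carry legal traffic, makes a single host probing six unused addresses fire 13007/1 immediately.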
Chapter 41 Configuring Global Correlation
You can configure global correlation so that your sensors are aware of network devices with a reputation for malicious activity and can take action against them. Global correlation allows you to dynamically use information about malicious activity collected from networks around the globe to change the risk rating of events that have known bad devices as their source. To configure global correlation, your sensor must be running IPS 7.0+ software.
• Network Participation—The sensor sends alert and TCP fingerprint data to the SensorBase Network so that other users can share in the community knowledge. For more information, see Understanding Network Participation, page 41-3.
Global correlation has the following goals:
• Dealing intelligently with alerts, thus improving efficacy.
• Improving protection against known malicious sites.
Using reputation scores to adjust the risk rating of an event improves the efficacy of the sensor by improving the following metrics:
• False positives as a percentage of actionable events.
• False negatives as a percentage of threats that do not result in actionable events.
• Actionable events as a percentage of all events.
Table 41-1 Network Participation Data Sharing and Usage
Participation level Partial, type of data and purpose:
• Protocol attributes (TCP maximum segment size and options string, for example). Purpose: tracks potential threats and helps Cisco to understand threat exposure.
• Attack type (signature fired, including signature ID and version, risk rating, and reputation, for example). Purpose: used to understand current attacks and attack severity.
• Firewall access for port 80, 443 traffic—Because global correlation updates occur through the sensor management interface, any firewall that lies between the sensor and the internet must allow traffic on ports 80 and 443. You can also use an HTTP proxy (see Identifying an HTTP Proxy Server, page 35-23).
Tip: When you view IPS events in Event Viewer, there are several columns specific to global correlation that you can add to the event table; these columns are not shown by default, so you must add them to your view. To monitor global correlation in general, use the IPS device manager (IDM) and look at the Sensor Health gadget.
Configuring Network Participation
Use the Network Participation policy to configure the sensor to send data to the SensorBase Network. You can configure the sensor to fully participate and send all data to the SensorBase Network, or you can configure the sensor to collect the data but to omit potentially sensitive data, such as the destination IP address of trigger packets.
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
You can configure an IPS device to implement blocks or rate limits to control attacks. Blocking and rate limiting are primarily of use when operating in promiscuous mode. When operating in inline mode, it is much more efficient to have the IPS drop traffic itself.
ARC completes the action response for a new block in no more than 7 seconds. In most cases, it completes the action response in less time. To meet this performance goal, you should not configure the sensor to perform blocks at too high a rate or to manage too many blocking devices and interfaces.
On Cisco IOS Software devices (routers and Catalyst 6500 series switches), ARC creates blocks by applying ACLs; on Catalyst 6500/7600 devices that run the Catalyst operating system, ARC creates blocks by applying VACLs. ACLs and VACLs permit or deny passage of data packets through interface directions or VLANs. Each ACL or VACL contains permit and deny conditions that apply to IP addresses.
• Signatures policy—You can add the request block actions to individual signatures. This requires editing each signature to add the action. This can be a time-consuming approach, but it allows you to configure blocking for just the types of events that concern you most. For more information, see Configuring Signatures, page 38-4.
When you configure a router interface or switch VLAN as a blocking interface, you can optionally specify the names of pre- and post-ACLs or VACLs. Although specifying ACL or VACL names is optional, if you have configured ACLs or VACLs on the interface or VLAN, you must identify them to the IPS or ARC will remove them from your device configuration.
If ARC is managing a device and you need to configure the ACL/VACLs on that device, you should disable blocking first. You want to avoid a situation in which both you and ARC could be making a change at the same time on the same device. This could cause the device or ARC to fail. If you need to modify the Pre-Block or Post-Block ACL/VACL, do the following:
1. Disable blocking on the sensor.
Configuring IPS Blocking and Rate Limiting
If you use the Request Block Host, Request Block Connection, or Request Rate Limit actions on any signatures, or add them to events using the event action override policy, you must configure blocking devices. If you do not use these actions, there is no need to configure blocking devices.
• To edit a device, select it and click the Edit Row button.
• To delete a device, select it and click the Delete Row button.
Step 6 Click the Never Block Hosts and Networks tab and identify the hosts and networks that should never be blocked. These lists affect blocking actions, but they do not affect limiting actions.
Field Reference
Table 42-1 IPS Blocking Policy
General tab: The basic settings required to enable blocking and rate limiting. For information about the options on the General tab, see General Tab, IPS Blocking Policy, page 42-10.
User Profiles tab: The connection credential information profiles for logging into the blocking devices.
Firewall tab: The ASA, PIX, and FWSM devices to be used as blocking devices. The table shows the IP address (or network/host object) of the device, the communication method used to log into it, the NAT address of the sensor (0.0.0.0 if NAT is not used), and the name of the profile that is used for logging into the device.
Navigation Path
• (Device view) Select Platform > Security > Blocking from the Policy selector. If necessary, select the General tab.
• (Policy view) Select IPS > Platform > Security > Blocking, then select an existing policy or create a new one. If necessary, select the General tab.
Table 42-2 General Tab, IPS Blocking Policy (Continued)
Max Blocks: The maximum number of entries to block. The range is 1 to 65535. The default is 250.
Max Interfaces: The maximum number of interfaces for performing blocks. For example, a PIX 500 series security appliance counts as one interface. A router with one interface counts as one, but a router with two interfaces counts as two.
Table 42-3 User Profile Dialog Box (Continued)
Enable Password: The enable password for entering Privileged EXEC Mode (enable mode), if required.
Master Blocking Sensor Dialog Box
Use the Add or Modify Master Blocking Sensor dialog box to configure a master blocking sensor. For more information about master blocking sensors, see Understanding the Master Blocking Sensor, page 42-6.
Router, Firewall, Cat6K Device Dialog Box
Use the Add or Modify Router, Firewall, or Cat6K Device dialog box to configure a device as a blocking device for an IPS sensor. The name of the dialog box indicates the type of device you are adding:
• Router—IOS Software routers and Catalyst 6500/7600 devices. These devices can do rate limiting as well as blocking.
Table 42-5 Router, Firewall, Cat6K Device Dialog Boxes (Continued)
Interfaces and directions where blocks will be applied (table): The interfaces on the device that should be used for blocking or rate limiting. The table shows the interface name, direction, and the names of existing ACLs that the IPS device should incorporate into the blocking ACL. (Routers only.
Field Reference
Table 42-6 Router Block Interface Dialog Box
Interface Name: The name of the interface on the router that the IPS should use for blocking. Enter the name exactly as it is configured on the router (for example, GigabitEthernet0/1).
Direction: The direction to apply the blocking ACL, In or Out.
Field Reference
Table 42-7 Cat6k Block VLAN Dialog Box
VLAN: The number of the VLAN on the Catalyst 6500/7600 device that the IPS should use for blocking. The number can be 1 to 4094 and must be defined on the device.
Pre VACL Name: The VLAN ACLs to combine with the blocking entries that the IPS creates to implement blocking actions.
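How the Pre-Block and Post-Block ACLs, the Never Block Hosts and Networks lists, the Max Blocks limit and the interface name and direction settings above fit together can be seen in the following added example, which is not Cisco's ARC code but a Python model of the ACL it would assemble on a router interface. The entry order (pre-block entries, then the sensor's deny entries, then post-block entries, then a closing permit), the ACL name and all addresses are assumptions constructed for illustration.

```python
"""Model of the ACL that ARC assembles on a blocking router interface.

Added example, not Cisco code.  The entry order (Pre-Block entries,
then the sensor's deny entries, then Post-Block entries, then a final
permit) is an assumption about ARC behaviour; ACL names, interface
names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_BLOCKS_RANGE = (1, 65535)  # Max Blocks field on the General tab


@dataclass(frozen=True)
class Block:
    """A block requested by a signature action: Request Block Host when
    dst is None, Request Block Connection when dst (and port) are set."""
    src: str
    dst: Optional[str] = None
    protocol: str = "ip"
    port: Optional[int] = None

    def ace(self) -> str:
        """Render the block as an IOS extended-ACL entry."""
        if self.dst is None:
            return f"deny ip host {self.src} any"
        entry = f"deny {self.protocol} host {self.src} host {self.dst}"
        if self.port is not None:
            entry += f" eq {self.port}"
        return entry


def is_never_blocked(block, never_block):
    """True if the block's source falls inside a Never Block host/network."""
    addr = ipaddress.ip_address(block.src)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in never_block)


def build_blocking_acl(name, interface, direction, blocks, *, pre_acl=(),
                       post_acl=(), never_block=(), max_blocks=250):
    """Return (config_lines, skipped) for one blocking interface/direction.

    pre_acl and post_acl hold the entries of the ACLs you named as
    Pre-Block and Post-Block.  Entries you do not name are not carried
    over, which models the guide's warning that ARC removes ACLs you
    did not identify.  skipped lists blocks not applied and why.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    lo, hi = MAX_BLOCKS_RANGE
    if not lo <= max_blocks <= hi:
        raise ValueError(f"max_blocks must be {lo} to {hi}")
    accepted, skipped = [], []
    for blk in blocks:
        if is_never_blocked(blk, never_block):
            skipped.append((blk, "never-block"))
        elif len(accepted) >= max_blocks:
            skipped.append((blk, "max-blocks"))
        else:
            accepted.append(blk)
    lines = [f"ip access-list extended {name}"]
    lines += [f" {e}" for e in pre_acl]
    lines += [f" {b.ace()}" for b in accepted]
    lines += [f" {e}" for e in post_acl]
    lines.append(" permit ip any any")  # assumed: other traffic keeps flowing
    # Interface name exactly as configured on the router, direction In/Out.
    lines += [f"interface {interface}",
              f" ip access-group {name} {direction}"]
    return lines, skipped


if __name__ == "__main__":
    acl, skipped = build_blocking_acl(
        "IPS_Auto_Block", "GigabitEthernet0/1", "in",
        [Block("198.51.100.5"),
         Block("203.0.113.9", "192.0.2.20", "tcp", 22),
         Block("192.0.2.30")],
        pre_acl=["permit udp any any eq 123"],
        post_acl=["deny icmp any any"],
        never_block=["192.0.2.0/24"])
    print("\n".join(acl))
    for blk, why in skipped:
        print(f"skipped {blk.src}: {why}")
```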
Chapter 43 Managing IPS Sensors
To perform day-to-day sensor management, you typically need to use a device manager such as the IPS Device Manager (IDM). Security Manager is focused on policy and event management.
Related Topics
• Redeploying IPS License Files, page 43-2
Step 1 Select Tools > Security Manager Administration and select Licensing from the table of contents.
Step 2 Click the IPS tab (see IPS Tab, Licensing Page, page 11-41). The table lists all IPS devices in the device inventory and displays the status of their licenses. The status can be valid, invalid, expired, no license, or trial license.
The status of the update task is shown in the License Update Status Details dialog box (see License Update Status Details Dialog Box, page 11-43).
Automating IPS License File Updates
Security Manager can automatically apply IPS license updates to your IPS devices on a regular schedule. To successfully configure automatic updates, you must have a Cisco.com support contract that includes the serial numbers of your IPS devices.
Managing IPS Updates
You can use Security Manager to apply sensor and signature updates to your IPS devices and shared policies. Through Security Manager, you can download updates and either set up automatic updates or apply them manually. Signature updates are available only for IPS 5.1(4) and higher.
Tip: If you have problems applying patches, service packs, or signature updates, check the time on your IPS sensor.
Step 3 Enter the identifying information for your server, based on the server type selected in the Update From field:
• Cisco.com—Enter a Cisco.com username and password. The user account you specify must have applied for eligibility to download strong encryption software. To verify the account has the appropriate permissions, go to Cisco.com and try to download an IPS update package.
Step 1 Select Tools > Security Manager Administration and select IPS Updates from the table of contents to open the IPS Updates page (see IPS Updates Page, page 11-30).
Step 2 Review the status information in the Update Status group, and do any of the following:
• Click Check for Updates. A dialog box opens to display the results of the operation. Click Start to have Security Manager log into the IPS Update server and check for updates.
Step 2 In the Auto Update Settings group in the lower portion of the page, select an auto update mode to establish the extent of automation. Choices include:
• Download, Apply, and Deploy Updates—Security Manager checks for updates according to your schedule, downloads them to the Security Manager server, applies them to the selected devices and policies, and starts a deployment job to update the affected devices.
Before You Begin
Configure the IPS Update server as described in Configuring the IPS Update Server, page 43-4.
Related Topics
• Checking for IPS Updates and Downloading Them, page 43-5
• Selecting a Signature Category for Cisco IOS IPS, page 44-6
Note: This note describes a difference between the update packages for IPS 7.1.3 and those used for earlier versions.
Step 3 On the second page of the wizard, select the local signature policies (representing devices not assigned to any shared signature policy) and shared signature policies you want to update from the Apply Updates To list. Use the Type field to toggle between the types of policies. You can select any combination of local and shared policies. When you select a policy, the devices that use the policy are selected for update.
Managing IPS Certificates
When you configure Security Manager to use SSL (HTTPS) to communicate with your IPS devices, the certificate configured on the device must match the certificate stored in Security Manager’s certificate store. Mismatched certificates will result in communication failures during policy discovery or deployment. IPS devices use self-signed certificates that have a fixed validity period of about 2 years.
• Certificate Status on Device—Shows the current status of the certificate as it exists on the device:
– Valid Certificate—The certificate is good and within the validity date range.
– Expired Certificate—The certificate has passed its Valid Until date and is now expired. Select the device and click Regenerate Certificate to create a new valid certificate on the device and to have the certificate loaded into the Security Manager certificate store.
To reboot the sensor, select it in Device view, right-click and select Reboot Device. You are asked to confirm that you want to reboot. Security Manager does not provide status information on the reboot process.
Chapter 44 Configuring IOS IPS Routers
Some Cisco IOS routers, such as integrated services routers (ISRs), include native IPS capabilities based on IPS 5.1 software. You can configure some basic IPS inspection on these devices to supplement IPS sensor inspection or to support small networks.
For an overall understanding of the Cisco IOS IPS configuration process, see Overview of Cisco IOS IPS Configuration, page 44-3.
Router Configuration Files and Signature Event Action Processor (SEAP)
As of Cisco IOS Release 12.4(11)T, signature definition files (SDFs) are no longer used by Cisco IOS IPS. Thus, you cannot use the deprecated built-in signature sets, 128.sdf, 256.sdf, and attack-drop.sdf, with Security Manager.
Cisco IOS IPS is a more limited feature meant for branch offices and small to medium sized networks, or to distribute IPS throughout a network. You typically cannot employ as many signatures in a Cisco IOS IPS router compared to a dedicated appliance. You also cannot configure advanced features such as global correlation, because Cisco IOS IPS is based on IPS Software version 5.1.
Initial Preparation of a Cisco IOS IPS Router
Before you add a Cisco IOS IPS router to the Security Manager inventory, you need to perform some preparatory steps. The white paper Getting Started with Cisco IOS IPS with 5.x Format Signatures on Cisco.com provides a step-by-step explanation of a basic configuration.
Step 3 Syslog is configured for IPS notifications by default. If you want to use SDEE for notifications, enable SDEE:
router# configure terminal
router(config)# ip ips notify sdee
Step 4 Select a signature category to compile. For detailed information, see Selecting a Signature Category for Cisco IOS IPS, page 44-6.
Selecting a Signature Category for Cisco IOS IPS
Cisco IPS appliances and Cisco IOS IPS with IPS 5.
Configuring General Settings for Cisco IOS IPS
Use the General Settings page to specify the global settings used for Cisco IOS IPS properties defined for a particular router. The default settings are appropriate for most situations; however, you must specify an IPS configuration file location.
Table 44-1 General Settings Page (Continued)
Maximum Messages: The maximum number of SDEE messages that you want the router to store, in the range of 10-500. Storing more messages uses more router memory. The default is 200.
IPS Config Location Properties
IPS Config Location: The location where the router will save IOS IPS specific configuration files.
• (Device view) Select IPS > Interface Rules from the Policy selector.
• (Policy view) Select IPS (Router) > Interface Rules from the Policy selector. Select an existing policy or create a new one.
The policy shows any existing interface rules, including the rule name, the name of the ACL that defines which traffic is inspected (if any), and the interface and traffic direction that is inspected.
Table 44-2 Add or Edit IPS Rule Dialog Box (Continued)
ACL Name: The name of the ACL policy object that defines which traffic should be subject to IPS inspection. If you do not specify an ACL, all traffic on the interface/direction pairs listed in the Interface Pairs table is subject to inspection.
Table 44-3 Adding or Editing Pair Dialog Box (Continued)
Interfaces: The interface on which to apply this IPS rule. Enter the name of an interface or interface role object, or click Select to select the interface or interface role from a list or to create a new interface role. If you use interface roles, the rule is applied to all interfaces on the device that are defined by the role.
Part 5 PIX/ASA/FWSM Device Configuration
CH A P T E R 45 Managing Firewall Devices The following topics describe configuration and management of security services and policies on Cisco security devices: Adaptive Security Appliances (ASAs), PIX Firewalls, and the Catalyst 6500 series switch Services Modules—that is, Firewall Services Modules (FWSMs) and ASA-SMs.
Chapter 45 Managing Firewall Devices Default Firewall Configurations The Adaptive Security Appliance service module (ASA-SM) provides high-speed security services across Layers 2 through 7, and you can install up to four ASA-SM blades in a single switch, providing scalability to 64 Gbps. See Cisco Catalyst 6500 Series ASA Services Module for more information.
Chapter 45 Managing Firewall Devices Configuring Firewall Device Interfaces This section contains the following topics: • Understanding Device Interfaces, page 45-3 • Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14 • Advanced Interface Settings (PIX/ASA/FWSM), page 45-42 Understanding Device Interfaces An interface is a point of connection between a security device and some other network device.
Chapter 45 Managing Firewall Devices Configuring Firewall Device Interfaces • Interfaces in Routed and Transparent Modes, page 45-4 • Interfaces in Single and Multiple Contexts, page 45-5 • Understanding ASA 5505 Ports and Interfaces, page 45-6 • Configuring Subinterfaces (PIX/ASA), page 45-7 • Configuring Redundant Interfaces, page 45-7 • Configuring EtherChannels, page 45-8 Security Appliance Configurations Firewall devices allow a variety of configurations, and the configuration determine
Chapter 45 Managing Firewall Devices Configuring Firewall Device Interfaces Bridge Groups Beginning with the ASA 8.4.1 and FWSM 3.1, in transparent mode, you can increase the number of interfaces available to a device or context through use of bridge groups. You can configure up to eight bridge groups; on an FWSM each group can contain two interfaces; on an ASA each group can contain four interfaces. See Add/Edit Bridge Group Dialog Box, page 45-41 for more information.
Note In failover configurations, you must enable Stateful Failover for session information to be passed from the standby unit or failover group to the active unit or failover group. To assign an FWSM virtual interface to an asymmetric routing group, simply specify an ASR Group ID in the Add/Edit Interface Dialog Box: Advanced Tab (ASA/PIX 7.0+), page 45-27.
Configuring Subinterfaces (PIX/ASA) Subinterfaces let you divide a physical interface into multiple logical interfaces that are tagged with different VLAN IDs. Because VLANs keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or security appliances.
standby interface becomes active and starts passing traffic. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover, if desired. You can configure up to eight redundant interface pairs. A redundant interface functions as a single interface (inside, outside, etc.), with only one of the member pair active at any one time.
An EtherChannel interface is configured and used in the same manner as a single physical interface. You can configure up to 48 EtherChannels, each of which consists of between one and eight active Fast Ethernet, Gigabit Ethernet, or Ten-Gigabit Ethernet ports. Note You cannot use a redundant interface as part of an EtherChannel, nor can you use an EtherChannel as part of a redundant interface.
• Note Disable failover while the configuration changes are being made, and then re-enable it (failover will not occur in the interim). As with any other type of interface assigned as a failover link, the EtherChannel interface cannot be named. Further, none of the EtherChannel’s member interfaces can be named.
As mentioned, an EtherChannel can consist of between one and eight active links, with up to 16 assigned to the group (on the General panel). Use these fields to indicate the minimum and maximum number of interfaces that can be active in this channel group at any given time. Step 8 Continue configuring this interface, as described in Add/Edit Interface Dialog Box (PIX 7.0+/ASA/FWSM), page 45-19.
Related Topics • Configuring EtherChannels, page 45-8 Editing LACP Port Parameters for an Existing EtherChannel Interface Follow these steps to edit an existing EtherChannel-assigned interface: Step 1 In the table on the device’s Interfaces page, select an interface that is a Member of a Port-channel group.
The algorithm can use one or a combination of the following packet-header fields to determine link assignment: source IP address, destination IP address, source MAC address, destination MAC address, TCP/UDP port numbers, or VLAN IDs.
• src-port – Source TCP/UDP port only. • vlan-dst-ip – Destination IP address and VLAN ID pairing. • vlan-dst-ip-port – Combination of destination IP address, TCP/UDP port, and VLAN ID. • vlan-only – VLAN ID only. • vlan-src-dst-ip – Source and destination IP address, and VLAN ID. • vlan-src-dst-ip-port – Source and destination IP address, TCP/UDP port, and VLAN ID. • vlan-src-ip – Source IP address and VLAN ID.
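The practical consequence of the Load Balance choice is which flows end up sharing a member link: only the selected header fields enter the hash, so flows that agree on those fields always land on the same link. The following added example (not code from this guide or from Cisco) models that with a stand-in SHA-256 hash; the option names are the ones listed above, but the mapping of each option to header fields, which TCP/UDP port the "-port" variants hash, and the sample flows are this example's own assumptions. It shows the polarisation case a practitioner should expect: with vlan-src-ip, every connection from one backup server on one VLAN is pinned to a single link, whereas vlan-src-dst-ip-port spreads them.

```python
"""Illustrative EtherChannel load-balance hashing (added example; not Cisco's algorithm).

The Load Balance option names are the ones listed on the page; the mapping of each
option to header fields and the SHA-256 hash are this example's stand-ins for the
appliance's internal hash.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One conversation's packet-header fields (constructed sample data)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    vlan: int


# Option name -> header fields fed to the hash.  Which TCP/UDP port the "-port"
# variants use is an assumption of this example (destination port for dst-*,
# both ports for src-dst-*).
LOAD_BALANCE_FIELDS = {
    "src-port": ("src_port",),
    "vlan-only": ("vlan",),
    "vlan-src-ip": ("src_ip", "vlan"),
    "vlan-dst-ip": ("dst_ip", "vlan"),
    "vlan-dst-ip-port": ("dst_ip", "dst_port", "vlan"),
    "vlan-src-dst-ip": ("src_ip", "dst_ip", "vlan"),
    "vlan-src-dst-ip-port": ("src_ip", "dst_ip", "src_port", "dst_port", "vlan"),
}


def select_link(flow: Flow, method: str, active_links: int) -> int:
    """Return the member-link index (0..active_links-1) for this flow.

    Only the selected fields enter the hash, so every packet of a flow lands on the
    same link (no reordering), and flows that agree on those fields share a link.
    """
    if not 1 <= active_links <= 8:
        raise ValueError("an EtherChannel has between one and eight active links")
    fields = LOAD_BALANCE_FIELDS[method]
    key = "|".join(str(getattr(flow, f)) for f in fields).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % active_links


def link_distribution(flows, method: str, active_links: int) -> dict:
    """Count how many of the given flows each member link would carry."""
    return dict(Counter(select_link(f, method, active_links) for f in flows))


# Constructed sample: eight connections from one backup server to eight hosts, all on VLAN 10.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", f"10.2.2.{n}", 40000 + n, 445, 10) for n in range(1, 9)
]

if __name__ == "__main__":
    for method in ("vlan-src-ip", "vlan-src-dst-ip-port"):
        print(method, link_distribution(SAMPLE_FLOWS, method, 4))
```

With four active links, vlan-src-ip puts all eight sample flows on one link; the same pinning happens on a real appliance whenever the chosen fields do not vary across the traffic you actually carry, so pick the option against the traffic mix rather than the default.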
Step 2 Select the security device you want to configure. Step 3 Select Interfaces in the Device Policy selector. The Interfaces page is displayed. The information displayed, and the page itself, varies based on the selected device type and version, the operational mode (routed versus transparent), and whether the device hosts single or multiple contexts.
Table 45-2 Add/Edit Interface Dialog Box (PIX 6.3) (Continued) Element Description Name Provide an interface name up to 48 characters in length. The Name should be a memorable name for the interface that relates to its use. Supported interface names are: Hardware Port • Inside—Connects to your internal network. Must be most secure interface. • DMZ—Demilitarized zone (Intermediate interface).
Table 45-2 Add/Edit Interface Dialog Box (PIX 6.3) (Continued) Element Description Speed and Duplex Lists the speed options for a physical interface; not applicable to logical interfaces. Choose one of the following options: • auto – Sets Ethernet speed automatically. The auto keyword can be used only with the Intel 10/100 automatic speed-sensing network interface card. • 10baset – 10-Mbps Ethernet half-duplex.
Table 45-2 Add/Edit Interface Dialog Box (PIX 6.3) (Continued) Element Description Roles For more information on roles and how to define and use them, see Understanding Interface Role Objects, page 6-67. All interface roles assigned to this interface are listed in this field.
• Use DHCP – Enables Dynamic Host Configuration Protocol (DHCP) for automatic assignment of an IP address from a DHCP server on the connected network. The following options become available: – Obtain Default Route using DHCP – Check this box to obtain a default route from the DHCP server so that you do not need to configure a default static route. – Retry Count – The number of times the PIX will resend the DHCP request.
Depending on device type, operating-system version and operating mode (router or transparent), the Type options presented will be two, three or all of the following: – Physical Interface – Choose this option to configure a physical interface on the device. – Sub-Interface – Choose this option to configure a logical interface (or VLAN connection) associated with a previously defined physical interface.
• Add/Edit Interface Dialog Box: Advanced Tab (ASA/PIX 7.0+), page 45-27 • Configuring IPv6 Interfaces (ASA/FWSM), page 45-29 • Understanding ASA 5505 Ports and Interfaces, page 45-6 • Configuring Hardware Ports on an ASA 5505, page 45-39 Table 45-3 General tab: Add/Edit Interface Dialog Box Element Description Enable Interface Enables this interface to pass traffic. By default, all physical interfaces are shut down.
Table 45-3 General tab: Add/Edit Interface Dialog Box (Continued) Element Description Interface On the ASA 5505, the Hardware Port is specified on the Hardware Ports panel (see Configuring Hardware Ports on an ASA 5505, page 45-39). Also, this option is not part of Catalyst 6500 services module (ASA-SM and FWSM) configuration.
Table 45-3 General tab: Add/Edit Interface Dialog Box (Continued) Element Description Name Provide an identifier for this interface of up to 48 characters in length. The name should be a memorable name for the interface that relates to its use.
Table 45-3 General tab: Add/Edit Interface Dialog Box (Continued) Element Description Media Type When Interface is the chosen Type and you enter a hardware port ID with slot/port numbers in the Hardware Port field, these options are enabled. (These options apply to ASA slot/port interfaces only.
Table 45-3 General tab: Add/Edit Interface Dialog Box (Continued) Element Description IP Address Catalyst 6500 services modules (ASA-SMs and FWSMs) in routed mode only. Subnet Mask Use these two fields to assign an IP address and subnet mask to the VLAN interface. The IP address must be unique for each interface. The Subnet Mask can be expressed in dotted decimal format (for example, 255.255.255.
Table 45-3 General tab: Add/Edit Interface Dialog Box (Continued) Element Description Primary Interface When Redundant Interface is the chosen interface Type, choose the primary member of the redundant interface pair from the Primary Interface list of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces cannot be used for a redundant interface pair.
Add/Edit Interface Dialog Box: Advanced Tab (ASA/PIX 7.0+) The Add/Edit Interface Dialog Box (PIX 7.0+/ASA/FWSM), page 45-19, is used to define and configure interfaces, subinterfaces, redundant, and EtherChannel interfaces on ASA and PIX 7.0+ devices. You can access the Add/Edit Interface dialog box from the Interfaces page. See Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14 for more information.
Table 45-4 Advanced tab: Add/Edit Interface Dialog Box (ASA/PIX 7.0+) (Continued) Element Description Roles All interface roles assigned to this interface are listed in this field. Role assignments are based on pattern matching between the Name given to this interface and all currently defined Interface Role objects in Cisco Security Manager.
Table 45-4 Advanced tab: Add/Edit Interface Dialog Box (ASA/PIX 7.0+) (Continued) Element Description IPv4 Address Pool Enter or select the IPv4 Pool object that represents the pool of addresses to use. MAC Address Pool Enter or select the MAC Pool object that represents the pool of MAC addresses to use. ASA Cluster (Layer 2); available on ASA 5580 and 5585 devices in cluster mode only.
Navigation Path You can access the IPv6 panel in the Add Interface and Edit Interface dialog boxes, which are accessed from the ASA or FWSM Interfaces page, as described in Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14. Related Topics • IPv6 Support in Security Manager, page 1-7 • Add/Edit Interface Dialog Box: General Tab (PIX 7.
Table 45-5 IPv6 tab: Add/Edit Interface Dialog Box (ASA/FWSM) (Continued) Element Description DAD Attempts To specify the number of consecutive neighbor solicitation messages that are sent on an interface during duplicate address detection (DAD), enter a number from 0 to 600 in this field. Entering 0 disables duplicate address detection on the interface.
Table 45-5 IPv6 tab: Add/Edit Interface Dialog Box (ASA/FWSM) (Continued) Element Description Other Config Flag Whether or not to set the flag "other-config-flag" in the IPv6 router advertisement packet. Enable RA When checked, IPv6 router advertisement transmissions are enabled on the interface.
Table 45-5 IPv6 tab: Add/Edit Interface Dialog Box (ASA/FWSM) (Continued) Element Description Interface IPv6 Addresses The IPv6 addresses assigned to the interface are specified in this section of the dialog box. • Link-Local Address – To override the link-local address that is automatically generated for the interface, enter the desired IPv6 link-local address in this field.
• From the Management IPv6 page of an ASA 5505 in transparent firewall mode (version 8.2 and 8.3 devices only). Click the Add Row or Edit Row buttons beneath the table in the Interfaces IPv6 Addresses section to open the dialog box. Related Topics • IPv6 Prefix Editor Dialog Box, page 45-34 • Add/Edit Interface Dialog Box (PIX 7.
By default, prefixes configured as addresses on an interface are advertised in router advertisements. If you configure specific prefixes for advertisement, then only those prefixes are advertised. The valid and preferred lifetimes are counted down in real time. Alternately, a date can be set to specify the expiration of a prefix. When the expiration is reached, the prefix is no longer advertised.
Table 45-7 IPv6 Prefix Editor Dialog Box (Continued) Element Description Prefix Lifetime You can expand this section of the dialog box to display the following expiration options: • Lifetime Duration – Select this option to define prefix expiration as a length of time; the following options are enabled: – Valid Lifetime – The amount of time (in seconds) that the specified IPv6 prefix is advertised as being valid.
In multiple-context mode, interface IP addresses are set in the context configuration. Note Do not use addresses previously used for routers, hosts, or any other firewall device commands, such as an IP address in the global pool or a static NAT entry. Also, do not specify IP Type information for an interface you intend to use as a redundant interface.
– VPDN Group Name (required) – Choose the Virtual Private Dialup Network (VPDN) group that contains the authentication method and user name/password to use for network connection, negotiation and authentication. See Managing VPDN Groups, page 45-45 for more information. – IP Address – If provided, this static IP address is used for connection and authentication, instead of a negotiated address.
Further, if you use failover, you can provide a standby MAC address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address. Note The following options appear only on the Advanced tab of the Add Interface and Edit Interface dialog boxes presented by PIX 7.2+ and ASA 7.
Field Reference Table 45-8 Configure Hardware Ports Dialog Box Element Description Enable Interface Select this option to enable this switch port. You can deselect this option to disable the port, but retain its configuration information. Isolated Select this option to prevent this port from communicating with other isolated or “protected” switch ports on the same VLAN.
Table 45-8 Configure Hardware Ports Dialog Box (Continued) Element Description Speed Choose a speed for the port: 10, 100, or Auto. The Auto setting is recommended, and the default. If you set Speed to anything other than Auto for PoE ports Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Field Reference Table 45-9 Add/Edit Bridge Group Dialog Box Element Description Name Enter a name for this bridge group. ID Enter an identifier for this bridge group; can be an integer between 1 and 100. Interface A Choose the first interface or VLAN to assign to this bridge group; all interfaces defined on the Interfaces panel are listed.
ASA generates a default prefix. This prefix is converted to a 4-digit hexadecimal number. The prefix ensures that each ASA uses unique MAC addresses (using different prefix values), so you can have multiple ASAs on a network segment, for example. • Traffic between interfaces with same security levels – This parameter controls communication between interfaces and subinterfaces on the same security level.
Step 1 Step 2 In the Advanced Interface Settings dialog box, choose the option that identifies how you want this device to handle Traffic between interfaces with the same security levels: • Disabled—Communication between interfaces on the same security level is not allowed. • Inter-interface—Enables traffic flows between interfaces with the same security level setting.
Table 45-10 Add and Edit PPPoE User Dialog Boxes (Continued) Element Description Confirm Re-enter the password. Store Username and Password in Local Flash If checked, this PPPoE user information will be stored in the device’s local flash memory, ensuring it cannot be inadvertently overwritten.
Chapter 46 Configuring Bridging Policies on Firewall Devices This chapter contains the following topics: • About Bridging on Firewall Devices, page 46-1 • Bridging Support for FWSM 3.
About Bridging on Firewall Devices To configure a transparent firewall, use the following policies. When configuring an ASA/PIX/FWSM device in multiple-context mode, configure these policies on each transparent security context. • Firewall > Access Rules—Access rules control layer 3 and higher traffic using extended access control lists.
Bridging Support for FWSM 3.1 – In Device view, select the device or security context, then select Tools > Device Properties. On the General page, enter the new management IP address in the IP Address field. On the Credentials tab, update the username and password fields with account credentials that can log into the management interface.
ARP Table Page Field Reference Table 46-1 ARP Table Page Element Description Timeout (seconds) The amount of time, between 60 and 4294967 seconds, before the security appliance rebuilds the ARP table. The default is 14400 seconds. Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout because the host information changes frequently.
ARP Inspection Page Table 46-2 Add/Edit ARP Configuration dialog box (Continued) Element Description IP Address The IP address of the host. MAC Address The MAC address of the host; for example, 00e0.1e4e.3d8b. Enable Alias When selected, enables proxy ARP for this mapping. If the security appliance receives an ARP request for the specified IP address, it responds with the security appliance MAC address.
Managing the IPv6 Neighbor Cache Table 46-3 ARP Inspection Page (Continued) Element Description Flood Enabled Indicates whether packets that do not match any element of a static ARP entry should be flooded out all interfaces except the originating interface. If there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet.
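The interaction between the static ARP table (Table 46-2) and the per-interface Flood Enabled setting (Table 46-3) decides whether a transparent firewall forwards, drops or floods an ARP packet, and it is the mechanism that stops a host on a bridged segment from claiming another host's IP address. The following added example (not code from this guide or from the appliance) encodes those three outcomes as described on the page and runs them over constructed packets; the entry names, the dict layout of the inspection settings and the sample addresses are this example's own assumptions.

```python
"""ARP inspection decision logic for a transparent firewall (added example; models the
ARP Table and ARP Inspection pages, not the appliance's own implementation)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticArpEntry:
    """One row of the static ARP table: interface, IP address, MAC address."""
    interface: str
    ip: str
    mac: str  # stored in dotted form as on the page, e.g. 00e0.1e4e.3d8b


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an ARP packet that inspection looks at (constructed sample data)."""
    interface: str   # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Accept 00e0.1e4e.3d8b, 00:e0:1e:4e:3d:8b or 00-e0-1e-4e-3d-8b; return dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def inspect_arp(pkt: ArpPacket, static_table, inspection: dict) -> str:
    """Return 'forward', 'drop' or 'flood' for one ARP packet.

    inspection maps interface name -> {"enabled": bool, "flood": bool}, mirroring the
    ARP Inspection page.  Rules as stated on the page: IP, MAC and interface all matching
    a static entry -> forward; a partial match (IP, MAC or interface mismatch) -> drop;
    no match at all -> flood out the other interfaces if Flood is enabled, else drop.
    """
    cfg = inspection.get(pkt.interface, {"enabled": False, "flood": True})
    if not cfg["enabled"]:
        return "forward"          # inspection off on this interface: ARP passes unchecked
    mac = normalize_mac(pkt.sender_mac)
    for entry in static_table:
        entry_mac = normalize_mac(entry.mac)
        if entry.ip == pkt.sender_ip or entry_mac == mac:
            if (entry.ip == pkt.sender_ip and entry_mac == mac
                    and entry.interface == pkt.interface):
                return "forward"
            return "drop"         # claims a static host's IP or MAC but does not match it
    return "flood" if cfg["flood"] else "drop"


def inspect_all(packets, static_table, inspection) -> list:
    """Run inspection over a batch and return (interface, sender_ip, verdict) tuples."""
    return [(p.interface, p.sender_ip, inspect_arp(p, static_table, inspection))
            for p in packets]


# Constructed configuration: two static entries, inspection on for both named interfaces,
# flooding of unknown hosts allowed only on the outside.
STATIC_TABLE = [
    StaticArpEntry("inside", "10.1.1.5", "00e0.1e4e.3d8b"),
    StaticArpEntry("outside", "192.0.2.1", "0011.2233.4455"),
]
INSPECTION = {
    "inside": {"enabled": True, "flood": False},
    "outside": {"enabled": True, "flood": True},
}

if __name__ == "__main__":
    samples = [
        ArpPacket("inside", "10.1.1.5", "00:e0:1e:4e:3d:8b"),   # genuine static host
        ArpPacket("inside", "10.1.1.5", "aaaa.bbbb.cccc"),      # IP claimed by another MAC
        ArpPacket("inside", "10.1.1.77", "0000.5e00.5301"),     # unknown host, flood off
        ArpPacket("outside", "192.0.2.200", "0000.5e00.5302"),  # unknown host, flood on
    ]
    for row in inspect_all(samples, STATIC_TABLE, INSPECTION):
        print(*row)
```

Note the asymmetry the page describes: with Flood Enabled cleared, the inside interface only ever forwards ARP for hosts in the static table, so every host on that segment must have an entry or it silently loses ARP.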
MAC Address Table Page Note The IPv6 Neighbor Cache entries are the IPv6 equivalent of the static ARP entries, managed on the ARP Table Page, page 46-3. If an entry for a specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry.
MAC Learning Page • Management IP Page, page 46-10 Field Reference Table 46-6 MAC Address Table Page Element Description Aging Time (minutes) Sets the number of minutes, between 5 and 720 (12 hours), that a MAC address entry stays in the MAC address table before timing out. 5 minutes is the default. MAC Address Table Interface The interface to which the MAC address is associated. MAC Address The MAC address; for example, 00e0.1e4e.
• (Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.
Management IP Page A transparent firewall does not participate in IP routing. The only IP configuration required for the device is specification of a management IP address, which is used as the source address for traffic originating on the device, such as system messages or communications with AAA servers. You can also use this address for remote-management access.
Management IPv6 Page (ASA 5505) However, if you do not configure a global management address, you need to configure interface link-local addresses, as described in Configuring IPv6 Interfaces (ASA/FWSM), page 45-29. Note that you can configure both IPv6 and IPv4 management addresses on a device. On an ASA 5505 in transparent mode, use the Management IPv6 page to enable IPv6, configure neighbor solicitation, and manage IPv6 interface addresses.
Table 46-11 Management IPv6 Page (Continued) Element Description DAD Attempts To specify the number of consecutive neighbor solicitation messages that are sent on an interface during duplicate address detection (DAD), enter a number from 0 to 600 in this field. Entering 0 disables duplicate address detection. Entering 1 configures a single transmission without follow-up transmissions; this is the default.
Table 46-11 Management IPv6 Page (Continued) Element Description Interface IPv6 Addresses The IPv6 address(es) assigned to the management interface are listed in this table. Use the Add Row, Edit Row, and Delete Row buttons below this table to manage these entries. (These are standard buttons, as described in Using Tables, page 1-45.
Chapter 47 Configuring Device Administration Policies on Firewall Devices The Device Admin section contains pages for configuring device administration policies for firewall devices.
About AAA on Security Devices • Authorization—Authorization controls user capabilities after users are authenticated. Authorization controls the services and commands available to each authenticated user. If you do not enable authorization, authentication alone would provide the same access to services for all authenticated users.
Table 47-1 Summary of AAA Support (Continued)
AAA Service / Database Type: Local | RADIUS | TACACS+ | SDI | NT | Kerberos | LDAP | HTTP Form
VPN users: Yes | Yes | No | No | No | No | Yes | No
Firewall sessions: No | Yes2 | Yes | No | No | No | No | No
(row label missing): No | Yes | No | No | No | No | No
VPN connections: No | Yes | Yes | No | No | No | No | No
Firewall sessions: No | Yes | Yes | No | No | No | No | No
Administrators: No | Yes | Yes | No | No | N
For users who need fallback support, we recommend that their user names and passwords in the Local database match their user names and passwords on the AAA servers. This provides transparent fallback support.
Configuring AAA - Authentication Tab The AAA page presents three tabbed panels; the Authentication panel is presented when you navigate to the AAA page. Use these options to control privileged access to the device console, to restrict access by connection type, and to define access messages. Use the Authorization Tab, page 47-6 to control the services and commands available to authenticated users.
Table 47-2 Authentication Tab (Continued) Element Description Require AAA Authorization for the following types of connections Select the connections that require authorization. For each type, users are allowed up to three attempts to access the firewall console. If this number is exceeded, an “access denied” message is displayed.
Related Topics • About AAA on Security Devices, page 47-1 • Accounting Tab, page 47-7 Field Reference Table 47-3 Authorization Tab Element Description Enable Authorization for Command Access Requires authorization for accessing firewall commands. Server Group Specify the server group to use for authorization.
Configuring Banners Table 47-4 Accounting Tab (Continued) Element Description Require AAA Accounting for the following types of connections Connection type Server Group Specify the connection types that will generate accounting records: • HTTP—Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP.
Configuring Boot Image/Configuration Settings There is no limit on the length of a banner other than RAM and flash-memory limits. You can only use ASCII characters, including new-line (press the Enter key), which counts as two characters.
Field Reference Table 47-5 Boot Image/Configuration Page Element Description Boot Config Location Enter the path to and name of the configuration file to be used when the system is loaded. On an ASA, you can use any of the following syntactical constructs: • disk0:/[path/]filename The value “disk0” represents the internal flash card.
Setting the Device Clock Navigation Path You can access the Images dialog box from the Boot Image/Configuration page. For more information, see Configuring Boot Image/Configuration Settings, page 47-9.
• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one. Field Reference Table 47-7 Clock Page Element Description Device Time Zone Choose a time zone for the device. These options represent Greenwich Mean Time (GMT) plus or minus a number of hours.
Configuring Device Credentials Table 47-7 Clock Page (Continued) Element Description Weekday Choose the day of the week on which daylight savings time begins or ends. Hour Choose the hour, from 0 to 23, in which daylight savings time begins or ends. Minute Choose the minute, from 00 to 59, at which daylight savings time begins or ends.
Field Reference Table 47-8 Credentials Page Element Description Username Enter a user name for logging into the device. The name must be at least four characters; the maximum is 64 characters. Entries are case-sensitive. Password Provide a password for logging into the device (EXEC mode) with the specified Username. This password must be at least three characters; the maximum is 32 characters.
Chapter 48 Configuring Device Access Settings on Firewall Devices The Device Access section, located under the Device Admin folder in the Policy selector, contains pages for defining access to firewall devices.
Chapter 48 Configuring Device Access Settings on Firewall Devices HTTP Page HTTP Page Use the table on the HTTP page to manage the interfaces configured to access the HTTP server on a device, as well as HTTP redirect to HTTPS on those interfaces. You also can enable or disable the HTTP server on the device from this page. Administrative access by the specific device manager requires HTTPS access. Note To redirect HTTP, the interface requires an access list that permits HTTP.
Chapter 48 Configuring Device Access Settings on Firewall Devices Configuring ICMP Table 48-2 HTTP Configuration Dialog Box (Continued) Element Description IP Address/Netmask Enter the IP address and netmask, separated by a forward slash (“/”) of the host or network that is permitted to establish an HTTP connection with the device. Alternately, you can click Select to select a Networks/Hosts object.
Chapter 48 Configuring Device Access Settings on Firewall Devices Configuring ICMP Field Reference Table 48-3 ICMP Page Element Description ICMP Rules Table Use the Add Row, Edit Row, and Delete Row buttons below this table to manage ICMP rules. Add Row opens the Add ICMP dialog box, while Edit Row opens the Edit ICMP dialog box. See Add and Edit ICMP Dialog Boxes, page 48-4 for information about these dialog boxes.
Chapter 48 Configuring Device Access Settings on Firewall Devices Configuring Management Access Table 48-4 Add and ICMP Dialog Boxes (Continued) Element Description Network Enter a host name or IP address, or Select a Networks/Hosts object, to define the specified ICMP message source. Configuring Management Access Use the Management Access page to enable or disable access on a high-security interface so you can perform management functions on the device.
Chapter 48 Configuring Device Access Settings on Firewall Devices Configuring Secure Shell Access Field Reference Table 48-5 Secure Shell Page Element Description SSH Version Specify the SSH version(s) accepted by the device: choose 1, 2, or 1 and 2. By default, SSH Version 1 and SSH Version 2 connections are accepted. Timeout Enter the number of minutes, 1 to 60, the Secure Shell session can remain idle before the device closes it. The default value is 5 minutes.
Chapter 48 Configuring Device Access Settings on Firewall Devices Configuring SNMP Field Reference Table 48-6 Add and Edit Host Dialog Boxes Element Description Interface Enter or Select the name of the device interface on which SSH connections are permitted. IP Addresses Enter the name or IP address for each host or network that is permitted to establish an SSH connection with the security device on the specified interface; use commas to separate multiple entries.
Chapter 48 Configuring Device Access Settings on Firewall Devices
Configuring SNMP

SNMP Terminology
Here are definitions for some common SNMP terms:
• Agent – The SNMP server running on the security appliance. The agent responds to requests for information and action from the management station. The agent also controls access to its management information base (MIB), the collection of data objects that can be viewed or changed by the SNMP manager.

Table 48-7 SNMP Page (Continued)
Read Community String – Enter the password used by an SNMP management station when sending requests to this device. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The security device uses the password to determine if the incoming SNMP request is valid.

In the SNMP Trap Configuration dialog box, available traps are presented on four tabbed panels: Standard, Entity MIB, Resource, and Other.
Navigation Path
You can access the SNMP Trap Configuration dialog box from the SNMP Page, page 48-8.

Table 48-8 SNMP Trap Configuration Dialog Box (Continued)
Entity MIB
• Field Replaceable Unit Insert – A Field Replaceable Unit (FRU) has been inserted, as indicated. (FRUs include assemblies such as power supplies, fans, processor modules, interface modules, etc.)
• Field Replaceable Unit Remove – A Field Replaceable Unit (FRU) has been removed, as indicated in the notification.
Resource

Table 48-8 SNMP Trap Configuration Dialog Box (Continued)
Other
• IPSec Start – IPsec has started, as indicated in the notification.
• IPSec Stop – IPsec has stopped, as indicated in the notification.
• IKEv2 Start – Internet Key Exchange version 2 (IKEv2) exchange initiated.
• IKEv2 Stop – Internet Key Exchange version 2 (IKEv2) exchange terminated.

Field Reference
Table 48-9 Add SNMP Host Access Entry Dialog Box
Interface Name – Enter or Select the interface on which this SNMP management station contacts the device.
IP Address – Enter the IP address, or Select a Networks/Hosts object, representing the SNMP management station.
UDP Port – (Optional) Enter a UDP port for requests from the SNMP host.
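The access decision implied by the SNMP page and the host access entries above, as an added example written for this guide rather than Cisco's own code: an SNMPv1/v2c request is valid only when its source matches a host access entry (interface, station address and, when configured, UDP port) and its community string equals the read community string. The class and function names (SnmpHostEntry, SnmpPolicy, check_request, sample_policy) and every address and community string in it are this example's own assumptions; the appliance's real implementation is not shown on the page.

```python
"""Added example (not Cisco's code): validating an SNMPv1/v2c request against
the host access table and read community string described on the SNMP page."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SnmpHostEntry:
    """One row of the Add SNMP Host Access Entry dialog box (Table 48-9)."""
    interface: str                  # interface on which the station contacts the device
    ip_address: str                 # address of the SNMP management station
    udp_port: Optional[int] = None  # optional: only accept requests sent from this port


@dataclass
class SnmpPolicy:
    read_community: str             # the shared secret from the SNMP page
    hosts: List[SnmpHostEntry] = field(default_factory=list)

    def host_allowed(self, interface: str, src_ip: str, src_port: int) -> bool:
        """True when some host access entry matches the request's source."""
        return any(
            h.interface == interface
            and h.ip_address == src_ip
            and (h.udp_port is None or h.udp_port == src_port)
            for h in self.hosts
        )

    def community_valid(self, community: str) -> bool:
        # Constant-time comparison: the community string is a password, so it
        # should not be comparable byte by byte through response timing.
        return hmac.compare_digest(community.encode(), self.read_community.encode())


def check_request(policy: SnmpPolicy, interface: str, src_ip: str,
                  src_port: int, community: str) -> Tuple[bool, str]:
    """Decide whether an SNMP request is valid; returns (accepted, reason).
    The host table is consulted first, so the community string of a request
    from an unlisted station is never even compared."""
    if not policy.host_allowed(interface, src_ip, src_port):
        return False, "source not in SNMP host access table"
    if not policy.community_valid(community):
        return False, "community string mismatch"
    return True, "ok"


def sample_policy() -> SnmpPolicy:
    """Constructed sample configuration (assumed values, not from the page)."""
    return SnmpPolicy(
        read_community="r3ad-0nly-Str1ng",
        hosts=[
            SnmpHostEntry("inside", "10.1.1.5"),
            SnmpHostEntry("management", "10.2.2.9", udp_port=1161),
        ],
    )


if __name__ == "__main__":
    p = sample_policy()
    print(check_request(p, "inside", "10.1.1.5", 40000, "r3ad-0nly-Str1ng"))
    print(check_request(p, "outside", "10.1.1.5", 40000, "r3ad-0nly-Str1ng"))
    print(check_request(p, "inside", "10.1.1.5", 40000, "public"))
```

The order of the two checks matters in practice: rejecting on the host table first means an unlisted station learns nothing about whether its community string was right, which is the reason to populate the host access table rather than rely on the community string alone.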
Telnet Page
Related Topics
• Telnet Configuration Dialog Box, page 48-14
Field Reference
Table 48-10 Telnet Page
Timeout – Number of minutes a Telnet session can remain idle before the firewall device closes it. Values can range from 1 to 1440 minutes.
Telnet Access Table
Interface – Interface that receives Telnet packets from the client.
Chapter 49 Configuring Failover
The Failover page provides access to failover settings for the selected security appliance. The available settings and the overall appearance of the Failover page may change slightly, depending upon the type of device selected, its mode of operation (routed or transparent), and its context mode (single or multiple). In other words, how you configure failover depends upon both the operating mode and the security context of the security appliance.

Understanding Failover
The linked security appliances communicate failover information over a dedicated link. This failover link can be either a LAN-based connection or, on PIX security appliances, a dedicated serial failover cable.

In addition, failover can be stateless or stateful:
• Stateless – Also referred to as “regular” failover. With stateless failover, all active connections are dropped when failover occurs. Clients need to re-establish connections when the new active unit takes over.
• Stateful – The active unit in the failover pair continually passes per-connection state information to the standby unit.

• When one unit starts while the other unit is already active, the unit that is starting up receives the configuration from the already active unit.
After both units are running, commands are replicated from one unit to the other as follows:
• Commands entered within a security context are replicated from the unit on which the security context is in the active state to the peer unit.

• NAT translation table
• TCP connection table (except for HTTP), including the timeout connection
• HTTP connection states (if HTTP replication is enabled)
• H.
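What the Understanding Failover text above says survives a failover, modelled as an added example that is not Cisco's code: with stateless failover every active connection is dropped; with stateful failover the standby unit already holds the replicated NAT translation table and TCP connection table, except that HTTP connection state is replicated only when HTTP replication is enabled. The classes (Connection, FailoverPair), the simulate function and the connection records are this example's own constructed illustration of those rules.

```python
"""Added example (not Cisco's code): which connections survive a failover under
the stateless and stateful replication rules described in the text."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Connection:
    conn_id: str
    kind: str                      # "tcp" or "http" (HTTP is tracked separately, as the text notes)
    xlate: Optional[str] = None    # NAT translation used by this connection, if any


@dataclass
class FailoverPair:
    stateful: bool
    http_replication: bool = False
    # state on the active unit
    active_conns: Dict[str, Connection] = field(default_factory=dict)
    active_xlates: Dict[str, str] = field(default_factory=dict)
    # state the standby unit has received so far
    standby_conns: Dict[str, Connection] = field(default_factory=dict)
    standby_xlates: Dict[str, str] = field(default_factory=dict)

    def open_connection(self, conn: Connection) -> None:
        """Record a new connection on the active unit and replicate per policy."""
        self.active_conns[conn.conn_id] = conn
        if conn.xlate:
            self.active_xlates[conn.conn_id] = conn.xlate
        if not self.stateful:
            return                                 # stateless: nothing is passed to the standby
        if conn.xlate:
            self.standby_xlates[conn.conn_id] = conn.xlate   # NAT translation table is replicated
        if conn.kind == "http" and not self.http_replication:
            return                                 # TCP table is replicated "except for HTTP"
        self.standby_conns[conn.conn_id] = conn

    def fail_over(self) -> Set[str]:
        """The standby becomes active. Returns the IDs of connections that
        survive, i.e. those whose state the new active unit already held."""
        survivors = set(self.standby_conns)
        self.active_conns = dict(self.standby_conns)
        self.active_xlates = dict(self.standby_xlates)
        self.standby_conns, self.standby_xlates = {}, {}
        return survivors


def simulate(stateful: bool, http_replication: bool = False) -> Set[str]:
    """Constructed traffic (assumed addresses): one SSH and one HTTP session, both NATed."""
    pair = FailoverPair(stateful=stateful, http_replication=http_replication)
    pair.open_connection(Connection("ssh-1", "tcp", xlate="10.1.1.5:52000->203.0.113.10:1024"))
    pair.open_connection(Connection("http-1", "http", xlate="10.1.1.6:52001->203.0.113.10:1025"))
    return pair.fail_over()


if __name__ == "__main__":
    print("stateless:", simulate(stateful=False))
    print("stateful:", simulate(stateful=True))
    print("stateful + HTTP replication:", simulate(stateful=True, http_replication=True))
```

Note that in the stateful case without HTTP replication the HTTP connection's NAT translation is still on the standby even though its connection entry is not; that is exactly the asymmetry the bulleted list above describes, and it is why a pair that fronts a web farm usually wants HTTP replication enabled.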
Basic Failover Configuration
• Additional Steps for an Active/Standby Failover Configuration, page 49-9
• Failover Policies, page 49-10
Step 1 Ensure Device View is your present application view; if necessary, click the Device View button on the toolbar.
Note For more information on using the Device View to configure device policies, see Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-28.
Step 2 Select the appliance you want to configure.

e. Enter the Subnet Mask for both IP addresses. Both must be on the same subnet.
Step 10 (Optional) Follow these steps to enable and configure an interface for Stateful Failover communications between the two devices:
a. Assign a device Interface for update communications, and then press the Tab key on your keyboard to update the page. You can type in a port ID (e.g.

The following steps outline creating a new security context and adding it to failover group 2.
1. Create the new security context. Be sure to define: context Name, Configuration URL, assign an Interface, choose Failover Group 2, and provide a Management IP Address. See “Managing Security Contexts” for more information.
2. Save and submit these changes.
3.

Additional Steps for an Active/Standby Failover Configuration
Cisco Security Manager lets you authenticate a PIX/ASA/FWSM device by validating the certificate installed on the device.

Failover Policies
This section lists the pages that describe configuring failover on various types of security appliances; the pages are organized by device type.
PIX 6.x Firewalls
• Failover Page (PIX 6.3), page 49-10
– Edit Failover Interface Configuration Dialog Box (PIX 6.

Field Reference
Table 49-1 Failover Page (PIX 6.3)
Failover
Failover Method – Choose the type of failover link: Serial Cable or LAN Based. If you choose Serial Cable, ensure the physical cable is connected to both devices.
Enable Failover – Check this box to enable failover on this device. Ensure that both devices have the same software version, activation key type, flash memory, and RAM.

Note The failover interface cannot be configured for PPPoE.
Navigation Path
You can access the Edit Failover Interface Configuration dialog box from the Interface Configuration table on the Failover Page (PIX 6.3), page 49-10.
Related Topics
• Failover Policies, page 49-10
Field Reference
Table 49-2 Edit Failover Interface Configuration Dialog Box (PIX 6.3)
Interface – The name of the interface; read-only.

Navigation Path
To access this feature, select an FWSM in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.

Table 49-3 Failover Page (FWSM) (Continued)
LAN Failover VLAN – Enter the numeric ID of the VLAN interface you are using for the failover link; for example, 11. This list is not automatically populated with VLAN IDs; you must highlight “Not Selected” and type the desired VLAN ID number, then press your keyboard’s Tab key to activate the related fields.

Table 49-3 Failover Page (FWSM) (Continued)
Shared Key (FWSM 3.1.1+ only) – The options in this section let you encrypt the communications between the active and standby devices by providing a shared encryption key.
Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key.

Field Reference
Table 49-4 Advanced Settings Dialog Box
Interface Policy – Select a failed-interfaces option and provide an appropriate value.
Number of failed interfaces – When the number of failed monitored interfaces exceeds this value, the security appliance fails over. Valid values range from 1 to 250.

• From the Bridge Group Configuration table in the Advanced Settings Dialog Box, page 49-15 presented by an FWSM in transparent mode.
Related Topics
• Failover Policies, page 49-10
• Failover Page (ASA/PIX 7.0+), page 49-17
• Failover Page (FWSM), page 49-12
Field Reference
Table 49-5 Edit Failover Bridge Group Configuration Dialog Box
Name – Identifies the bridge group; not editable.

Table 49-6 Failover Page (ASA/PIX 7.0+) (Continued)
Enable Failover – Check this box to enable failover on this device. Ensure that both devices have the same software version, activation key type, flash memory, and RAM. On PIX devices with LAN Based chosen as the Failover Method, and on all ASAs, you must next configure the logical LAN Failover interface and, optionally, the stateful failover interface.

Table 49-6 Failover Page (ASA/PIX 7.0+) (Continued)
Active/Standby – In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance.

Table 49-6 Failover Page (ASA/PIX 7.0+) (Continued)
Logical Name – Enter the logical name of the interface on the active firewall device used to communicate with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.
Active IP Address – Specify the IP address of the active interface.
Standby IP Address – Specify the IP address of the standby interface.

Navigation Path
You can access the Settings dialog box by clicking the Settings button on the Failover Page (ASA/PIX 7.0+), page 49-17.
Note The following reference table presents all fields that can be presented in the Settings dialog box. The fields actually presented depend on operating mode (routed or transparent) and whether the device is hosting single or multiple contexts.

Table 49-7 Settings Dialog Box (Continued)
MAC Address Mapping – In Active/Standby mode, this table lists interface-virtual MAC address mappings. This is a standard Security Manager table, with Add Row, Edit Row and Delete Row buttons, which are described in Using Tables, page 1-45. To add or edit interface mappings, click the Add Row or Edit Row button to open the Add/Edit Interface MAC Address Dialog Box, page 49-22.

Field Reference
Table 49-8 Add/Edit Interface MAC Address Dialog Box
Physical Interface – Choose the physical interface on which failover virtual MAC addresses are to be configured.
MAC Address
Active Interface – Enter a virtual MAC address for the active interface in hexadecimal format (for example, 0023.4567.89ab).
Standby Interface – Enter a virtual MAC address for the standby interface in hexadecimal format (for example, 0023.

Table 49-9 Edit Failover Interface Configuration Dialog Box (Continued)
Monitor this interface for failure – Specifies whether this interface is monitored for failure: check this box to enable monitoring. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period.

Field Reference
Table 49-10 Edit Failover Group Dialog Box
Preferred Role – Specifies the unit in the failover pair, primary or secondary, on which this failover group appears in the active state when both units start up simultaneously, or when the Preempt option is selected. Choose Primary or Secondary.

You can select an entry in the table and click the Edit Row button to open the Edit Failover Bridge Group Configuration Dialog Box, page 49-16, where you can specify a standby IP address for the selected bridge group.
Navigation Path
Select a security context in Device View and then select Platform > Device Admin > Failover from the Device Policy selector.
Chapter 50 Configuring Hostname, Resources, User Accounts, and SLAs
The following topics describe configuring the host name on a security appliance, defining and managing Resource classes on Firewall Services Modules (FWSMs) in multiple-context mode, managing user accounts in the Local user database, and monitoring service level agreements (SLAs) to perform route tracking.

Field Reference
Table 50-1 Hostname Page
Host Name – Enter a unique device name to help you differentiate among devices; for example, PIX-510-A.
Note We recommend that you use a unique host name for each device you manage.
The device name can be up to 63 alphanumeric (U.S.
Domain Name

Resource Management on Multi-context FWSMs
Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class. If a context belongs to a class other than the default class, those class settings always override the default class settings.

Navigation Path
You can access the Add Resource and Edit Resource dialog boxes from the Resources Page, page 50-3.

Table 50-2 Add and Edit Resource Dialog Boxes (Continued)
Connections – Sets the Absolute Limit for concurrent TCP or UDP connections. You can set the limit as an absolute value by entering an integer between 0 (system limit) and 999900, or you can assign more than 100 percent if you want to oversubscribe the device.

Table 50-2 Add and Edit Resource Dialog Boxes (Continued)
ASDM – Sets the limit for ASDM management sessions (the default is 5). You can set the limit as an absolute value by entering an integer between 1 and 5, or you can enter a percentage between 3.0 and 15.0. The system allows a maximum of 80 concurrent sessions divided between all contexts.

Configuring User Accounts
• To edit the settings for an account, select it and click the Edit Row button.
• To delete a user account, select it and click the Delete Row button.
Navigation Path
• (Device view) Select Platform > Device Admin > User Accounts from the Device Policy selector.

Monitoring Service Level Agreements (SLAs) To Maintain Connectivity
default route to a secondary ISP in case the primary ISP becomes unavailable. This technique, called Dual ISP, provides security appliances with a form of high availability, which is a vital part of providing customers with the services to which they are entitled. Without route tracking, there is no inherent mechanism for determining if the route is up or down.

Step 2 The monitoring options are appropriate for most connections, so you need only configure the following:
• Name—The name of the object.
• SLA Monitor ID—An identifying number for the monitoring process. The number must be unique within a device configuration.
• Monitored Address—The address that you are monitoring.

Related Topics
• Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 50-7
• Policy Object Manager, page 6-4
Field Reference
Table 50-4 SLA Monitor Dialog Box
Name – The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects, page 6-9.

Table 50-4 SLA Monitor Dialog Box (Continued)
Request Data Size – The size of the ICMP request packet payload, in bytes. Values range from 0 to 16384 bytes. The default is 28 bytes, which creates a total ICMP packet of 64 bytes. Do not set this value higher than the maximum allowed by the protocol or the Path Maximum Transmission Unit (PMTU).
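The route-tracking behaviour that the Dual ISP discussion and the SLA Monitor fields above describe, as an added example written for this guide rather than Cisco's code: an SLA monitor sends ICMP echo requests with a configurable payload (0 to 16384 bytes, default 28, which gives a 64-byte packet) to a monitored address; while the operation succeeds the primary default route is used, and when it fails the tracked route is withdrawn and the secondary ISP route takes over. The frequency, timeout and number-of-packets fields, the success rule (at least one reply within the timeout) and all addresses are assumptions of this example, and the class names (SlaMonitor, TrackedDefaultRoute) are its own.

```python
"""Added example (not Cisco's code): an SLA monitor object driving a tracked
default route, in the style of the Dual ISP setup described in the text."""
from dataclasses import dataclass
from typing import List, Optional

ICMP_OVERHEAD = 64 - 28   # page: a 28-byte payload produces a 64-byte ICMP packet


@dataclass
class SlaMonitor:
    name: str                     # object name, up to 128 characters per Table 50-4
    sla_id: int                   # SLA Monitor ID, unique within a device configuration
    monitored_address: str        # the address being monitored
    request_data_size: int = 28   # ICMP payload size in bytes (page: 0..16384, default 28)
    frequency_s: int = 60         # assumed: seconds between operations
    timeout_ms: int = 5000        # assumed: how long to wait for each echo reply
    num_packets: int = 1          # assumed: echo requests per operation

    def __post_init__(self) -> None:
        if not 0 <= self.request_data_size <= 16384:
            raise ValueError("Request Data Size must be between 0 and 16384 bytes")
        if self.num_packets < 1:
            raise ValueError("at least one packet per operation is required")

    def total_packet_size(self) -> int:
        """Total ICMP packet size for the configured payload."""
        return self.request_data_size + ICMP_OVERHEAD

    def operation_succeeded(self, rtts_ms: List[Optional[float]]) -> bool:
        """rtts_ms holds one entry per echo request: the round-trip time, or
        None when no reply arrived. Assumption: the operation succeeds if any
        reply arrives within the timeout; a reply after the timeout counts as lost."""
        if len(rtts_ms) != self.num_packets:
            raise ValueError("one result per configured packet expected")
        return any(r is not None and r <= self.timeout_ms for r in rtts_ms)


@dataclass
class TrackedDefaultRoute:
    """Primary default route tracked by an SLA monitor, with a backup route."""
    primary_gateway: str
    backup_gateway: str
    monitor: SlaMonitor
    track_up: bool = True

    def observe(self, rtts_ms: List[Optional[float]]) -> str:
        """Feed one operation's results; returns the gateway now in use."""
        self.track_up = self.monitor.operation_succeeded(rtts_ms)
        return self.active_gateway()

    def active_gateway(self) -> str:
        # Without tracking there is no way to notice a dead route; with it the
        # primary route is installed only while the track state is up.
        return self.primary_gateway if self.track_up else self.backup_gateway


def sample_route() -> TrackedDefaultRoute:
    """Constructed Dual ISP setup; the addresses are documentation ranges, not real ISPs."""
    mon = SlaMonitor("isp1-probe", sla_id=123, monitored_address="198.51.100.1",
                     timeout_ms=1000, num_packets=3)
    return TrackedDefaultRoute("198.51.100.1", "203.0.113.1", mon)


if __name__ == "__main__":
    route = sample_route()
    print(route.monitor.total_packet_size(), "byte probes")
    print(route.observe([12.0, 15.0, 11.0]))      # all replies in time: primary stays
    print(route.observe([None, None, None]))      # no replies: backup takes over
```

The monitored address should be something that only answers when the ISP path really works (the provider's next hop or a host beyond it), not an address the appliance can reach locally; otherwise the track stays up while the upstream link is dead.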
Chapter 51 Configuring Server Access Settings on Firewall Devices
The Server Access section contains pages for configuring server access on firewall devices; Server Access is under Device Admin in the Device or Policy selector.

AUS Page
Navigation Path
• (Device view) Select Platform > Device Admin > Server Access > AUS from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > AUS from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Table 51-1 AUS Page (Continued)
Poll Type – Choose the method defining how often the AUS server is polled for updates:
• At Specified Frequency – If you choose this option, the Poll Period field is displayed:
– Poll Period – Specify the number of minutes the device waits between polls of the AUS server; valid values are 1 to 35791.

also send a command to the security appliance to send an immediate polling request at any time. Communication between the Auto Update server and the security appliance requires a communications path and local CLI configuration on each security appliance.
Note The URL for contacting this AUS server is produced by concatenating the Protocol://Username:Password@IP Address(:Port)/Path provided in these dialog boxes.

DHCP Relay Page
Use the DHCP Relay page to configure DHCP relay services for security devices. Dynamic Host Configuration Protocol (DHCP) relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface. To configure DHCP relay, you need to specify at least one DHCP relay server and then enable a DHCP relay agent on the interface receiving DHCP requests.

Note You cannot enable a DHCP relay agent on an interface where a DHCP relay server is configured. The DHCP relay agent works only with external DHCP servers; it will not forward DHCP requests to a security appliance interface configured as a DHCP server.

Field Reference
Table 51-5 Add and Edit DHCP Relay Server Configuration Dialog Boxes
Server – Enter the IP address or Select a Networks/Hosts object representing the external DHCP server to which DHCP requests are forwarded.
Interface – Enter or Select the interface through which DHCP requests are forwarded to the external DHCP server.

DHCP Relay IPv6 Page
Table 51-6 DHCP Relay IPv6 Page (Continued)
DHCP Servers table – This table lists the interfaces on which DHCP relay IPv6 is configured. Use the Add Row, Edit Row, and Delete Row buttons to manage these entries. The Add Row button opens the Add DHCP Relay IPv6 Server Configuration dialog box, while Edit Row opens the Edit DHCP Relay IPv6 Server Configuration dialog box.

Add and Edit DHCP Relay IPv6 Server Configuration Dialog Boxes
Use the Add DHCP Relay IPv6 Server Configuration dialog box to define a new DHCPv6 relay server; use the Edit DHCP Relay IPv6 Server Configuration dialog box to update existing server information. You can define up to four DHCPv6 relay servers.
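A validator for the DHCP relay rules stated on the DHCP Relay page and the DHCP Relay IPv6 dialog above, as an added example that is not Cisco's code: a relay configuration needs at least one relay server and a relay agent on the interface that receives DHCP requests; a relay agent cannot be enabled on an interface where a relay server is configured (the Note under DHCP Relay Page); and the DHCPv6 dialog allows up to four relay servers. Applying the interface rule to the IPv6 page as well is an assumption of this example, as are the class names (RelayServer, DhcpRelayConfig), the duplicate-server check and the constructed interface names and addresses.

```python
"""Added example (not Cisco's code): consistency checks for a DHCP relay
configuration, following the rules stated on the DHCP Relay pages."""
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_DHCPV6_RELAY_SERVERS = 4   # page: "You can define up to four DHCPv6 relay servers."


@dataclass(frozen=True)
class RelayServer:
    address: str        # external DHCP server (Table 51-5: Server)
    interface: str      # interface through which requests are forwarded to it


@dataclass
class DhcpRelayConfig:
    servers: List[RelayServer] = field(default_factory=list)
    agent_interfaces: List[str] = field(default_factory=list)   # where the relay agent is enabled
    max_servers: int = MAX_DHCPV6_RELAY_SERVERS


def validate_dhcp_relay(cfg: DhcpRelayConfig) -> List[str]:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems: List[str] = []
    if not cfg.servers:
        problems.append("at least one DHCP relay server must be specified")
    if len(cfg.servers) > cfg.max_servers:
        problems.append(f"{len(cfg.servers)} relay servers configured; the limit is {cfg.max_servers}")
    if not cfg.agent_interfaces:
        problems.append("a DHCP relay agent must be enabled on the interface receiving DHCP requests")
    seen = set()
    for s in cfg.servers:            # assumed check: the same server listed twice is a mistake
        if s.address in seen:
            problems.append(f"relay server {s.address} is listed more than once")
        seen.add(s.address)
    server_interfaces = {s.interface for s in cfg.servers}
    for iface in sorted(set(cfg.agent_interfaces)):
        if iface in server_interfaces:   # the Note: agent and server may not share an interface
            problems.append(f"relay agent cannot be enabled on '{iface}': a relay server is configured on it")
    return problems


def sample_configs() -> Tuple[DhcpRelayConfig, DhcpRelayConfig]:
    """Constructed examples: one consistent, one that breaks the interface rule."""
    good = DhcpRelayConfig(
        servers=[RelayServer("2001:db8:10::53", "dmz")],
        agent_interfaces=["inside"],
    )
    bad = DhcpRelayConfig(
        servers=[RelayServer("2001:db8:10::53", "inside"),
                 RelayServer("2001:db8:10::54", "dmz")],
        agent_interfaces=["inside", "guest"],
    )
    return good, bad


if __name__ == "__main__":
    for cfg in sample_configs():
        print(validate_dhcp_relay(cfg) or "ok")
```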
Configuring DHCP Servers
If your firewall is also acting as a DHCP client on the outside interface, you can enable auto-negotiated IP configuration. This allows the firewall to pass the DNS, WINS and domain name parameters it gets from the outside interface (as a DHCP client) to hosts on its inside network. Alternatively, you can manually specify the DNS, WINS and domain name parameters.

Table 51-9 DHCP Server Page (Continued)
Primary DNS Server – Enter the IP address or Select a Networks/Hosts object representing the primary DNS server for a DHCP client.
Primary WINS Server – Enter the IP address or Select a Networks/Hosts object representing the primary WINS server for a DHCP client.

Field Reference
Table 51-10 Add/Edit DHCP Server Interface Configuration Dialog Boxes
Interface – Identifies the interface on which you are configuring a DHCP server. Enter an interface name, or select an interface object.
DHCP Address Pool – Enter an IP address or a range of addresses, separated by a hyphen, that the DHCP server will use when assigning IP addresses.

Add/Edit DHCP Server Option Dialog Box
The Add and Edit DHCP Server Option dialog boxes let you configure DHCP server option parameters, to provide additional information to DHCP clients. For example, DHCP option 150 and DHCP option 66 provide TFTP server information to Cisco IP Phones and Cisco IOS routers.

DNS Page
Navigation Path
• (Device view) Select Platform > Device Admin > Server Access > DNS from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > DNS from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Table 51-13 DNS Page (Continued)
DefaultDNS Server Group (ASA 8.4(2)+) – Additional settings that apply to the DefaultDNS server group only. These settings are used when resolving FQDN network/host objects to IP addresses.
• Poll Timer—The time, in minutes, of the polling cycle used to resolve FQDN network/host objects to IP addresses. FQDN objects are resolved only if they are used in a firewall policy.

Table 51-14 Add/Edit DNS Server Group Dialog Boxes (Continued)
DNS Servers – Lists the DNS servers in this group. You can specify up to six servers to which DNS requests can be forwarded. The security appliance tries each DNS server in top-to-bottom order until it receives a response.

Table 51-15 Add DNS Server Dialog Box (Continued)
DNS Server – The IP address, or the host network/host object that defines the address, of the DNS server. Enter the address or click Select to select the network/host object from a list or to create a new object.

Configuring DDNS
Add/Edit DDNS Interface Rule Dialog Box
Use the Add/Edit DDNS Interface Rule dialog box to manage rules for dynamic DNS updates. These rules are defined on a per-interface basis.
Navigation Path
You access the Add/Edit DDNS Interface Rule dialog box from the Configuring DDNS, page 51-17.

Field Reference
Table 51-18 DDNS Update Methods Dialog Box
Update Methods – This table lists the currently defined update methods. Use the buttons below the table to manage these entries.
Add Row button – Opens the Add/Edit DDNS Update Methods Dialog Box, page 51-19 where you can define a new update method.

NTP Page
Note This page is not available on Catalyst 6500 service modules (the Firewall Services Module and the Adaptive Security Appliance Service Module).
Use the NTP page to enable NTP and manage the NTP servers used to dynamically set the time on a security device.
Note Time derived from an NTP server overrides any time set manually on the Clock page.

Field Reference
Table 51-21 NTP Server Configuration Dialog Box
IP Address – Enter or Select the IP address of the NTP server.
Preferred – If checked, this NTP server is the preferred server when multiple servers are similarly accurate. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one.

SMTP Server Page
Field Reference
Table 51-22 SMTP Server Page
Primary Server IP Address – Enter or Select the IP address of the SMTP server.
Secondary Server IP Address – Enter or Select the IP address of a back-up SMTP server.

TFTP Server Page
The Trivial File Transfer Protocol (TFTP) is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2.
Chapter 52 Configuring Logging Policies on Firewall Devices
The Logging feature lets you enable and manage NetFlow “collectors,” and enable system logging, set up logging parameters, configure event lists (syslog filters), apply the filters to a destination, set up syslog messages, configure syslog servers, and specify e-mail notification parameters.

NetFlow Page
Related Topics
• Using Rules Tables, page 12-7
• Filtering Tables, page 1-45
• Table Columns and Column Heading Features, page 1-46
Field Reference
Table 52-1 NetFlow Page
Enable Flow Export – If checked, NetFlow data export is enabled.
Template Export Interval – Interval (in minutes) between transmissions of flow information to the collectors.

E-Mail Setup Page
The E-Mail Setup page (PIX 7.0/ASA Only) lets you set up a source e-mail address, as well as a list of recipients for specified syslog messages to be sent as e-mails. You can filter the syslog messages sent to a destination e-mail address by severity. The table shows which entries have been set up.

Table 52-4 Add/Edit Email Recipient Dialog Box (Continued)
Syslog Severity list – Choose the severity of the syslogs to be emailed to this recipient; messages of the chosen severity and higher are sent. Message severity levels are described in Logging Levels, page 52-18.

Event Lists Page
The Event Lists page (PIX 7.0+/ASA only) lets you define a set of syslog message filters for logging.

Table 52-5 Message Classes and Associated Message ID Numbers (Continued)
rm (Resource Manager) – 321
session (User Session) – 106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710
snmp (SNMP) – 212
sys (System) – 199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615, 701, 711
vpdn (PPTP and L2TP Sessions) – 213, 403, 603

Table 52-6 Add/Edit Event List Dialog Box (Continued)
Event Class/Severity Filters – This table lists the event class and severity level filters defined for this event list. Use the Add Row, Edit Row and Delete Row buttons below this table to manage the entries. Add Row and Edit Row open the Add/Edit Syslog Class Dialog Box, page 52-6.

Related Topics
• Add/Edit Syslog Class Dialog Box, page 52-6
• Event Lists Page, page 52-4
Field Reference
Message IDs – Enter a syslog message ID, or a range of IDs. Use a hyphen to specify a range; for example, 101001-101010. Message IDs must be between 100000 and 999999. Message IDs and their corresponding messages are listed in the System Log Message guides for the appropriate product.

Logging Filters Page
Field Reference
Table 52-8 Logging Filters Page
Logging Destination – Lists the name of the logging destination to which messages matching this filter are sent. Logging destinations are as follows:
• Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance.
• Console.
Syslogs From All Event Classes

Field Reference
Table 52-9 Edit Logging Filters Dialog Box
Logging Destination list – Specifies the logging destination for this filter:
• Internal Buffer. Messages matching this filter are published to the internal buffer of the security appliance.
• Console. Messages matching this filter are published to any console port connections.
• Telnet Sessions.

Configuring Logging Setup
Step 1 Select Platform > Logging > Syslog > Logging Setup to display the Logging Setup page.
Step 2 Check Enable Logging. This option enables logging on the security appliance.
Step 3 To enable logging on the failover unit paired with this security appliance, select the Enable logging on the standby failover unit check box.

Field Reference
Table 52-10 Logging Setup Page
Enable Logging – Turns on logging for the main security appliance.
Enable Logging on the Failover Standby Unit – Turns on logging for the standby security appliance, if available.
Send syslogs in EMBLEM format (PIX7.x+, ASA, FWSM 3.x+) – Enables EMBLEM format logging for every logging destination.

Configuring Rate Limit Levels
The Rate Limit page lets you specify the maximum number of log messages of specific types (e.g., “alert” or “critical”), and messages with specific Syslog IDs, that can be generated within given periods of time. You can specify individual limits for each logging level, and each Syslog message ID. If the settings conflict, the Syslog message ID limits take precedence.
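The rate-limit rule described above, implemented as a sliding-window limiter in an added example that is not Cisco's code: limits can be set per logging level and per syslog message ID, each as "at most N messages in an interval of S seconds", and when both apply to one message the message-ID limit takes precedence. Reading "takes precedence" as the ID limit replacing the level limit for that message is an assumption of this example; the level names, the class name (SyslogRateLimiter) and the sample burst of messages are its own constructed input.

```python
"""Added example (not Cisco's code): per-level and per-message-ID syslog rate
limiting with the precedence rule stated on the Rate Limit page."""
from collections import deque
from typing import Deque, Dict, Tuple

# Logging levels 0 (emergencies) .. 7 (debugging), as in the Logging Levels table.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

Limit = Tuple[int, float]   # (max_messages, interval_seconds)


class SyslogRateLimiter:
    def __init__(self) -> None:
        self._level_limits: Dict[int, Limit] = {}
        self._id_limits: Dict[int, Limit] = {}
        self._windows: Dict[Tuple[str, int], Deque[float]] = {}

    def set_level_limit(self, level: str, max_messages: int, interval_s: float) -> None:
        self._level_limits[LEVELS[level]] = (max_messages, interval_s)

    def set_message_limit(self, msg_id: int, max_messages: int, interval_s: float) -> None:
        self._id_limits[msg_id] = (max_messages, interval_s)

    def allow(self, msg_id: int, level: int, now: float) -> bool:
        """True if the message may be generated at time `now` (seconds)."""
        if msg_id in self._id_limits:          # message-ID limit wins over the level limit
            key, limit = ("id", msg_id), self._id_limits[msg_id]
        elif level in self._level_limits:
            key, limit = ("level", level), self._level_limits[level]
        else:
            return True                        # no limit configured for this message
        max_messages, interval = limit
        window = self._windows.setdefault(key, deque())
        while window and now - window[0] >= interval:
            window.popleft()                   # forget messages older than the interval
        if len(window) >= max_messages:
            return False
        window.append(now)
        return True


def run_sample() -> Dict[str, int]:
    """Constructed burst: message 302013 (level 6) with its own limit of 5 per
    10 s, and message 302014 (level 6) subject only to the informational limit
    of 2 per 10 s. Returns how many of each were allowed through."""
    rl = SyslogRateLimiter()
    rl.set_level_limit("informational", 2, 10)
    rl.set_message_limit(302013, 5, 10)
    burst = [(302013, 6, t * 0.1) for t in range(8)]
    burst += [(302014, 6, 1 + t * 0.1) for t in range(4)]
    counts = {"302013": 0, "302014": 0}
    for msg_id, level, ts in burst:
        if rl.allow(msg_id, level, ts):
            counts[str(msg_id)] += 1
    return counts


if __name__ == "__main__":
    print(run_sample())
```

Rate limiting is a protection for the logging path, not a filter: a message that is dropped here is gone, so tune the per-ID limits on the chatty connection messages first and leave the error and alert levels generous enough that an incident does not silence its own evidence.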
Chapter 52 Configuring Logging Policies on Firewall Devices Configuring Rate Limit Levels • To delete a message limit entry from the Individually Rate Limited Syslog Messages table, select it and then click the Delete Row button under the table. A confirmation dialog box may be displayed; click OK to delete the entry.
Chapter 52 Configuring Logging Policies on Firewall Devices Configuring Rate Limit Levels Navigation Path You can access the Add/Edit Rate Limit for Syslog Logging Levels dialog box from the Rate Limit page. For more information, see Rate Limit Page, page 52-13.
Chapter 52 Configuring Logging Policies on Firewall Devices Configuring Syslog Server Setup Configuring Syslog Server Setup You can configure general syslog server settings to set the facility code to be included in syslog messages that are sent to syslog servers, specify whether a timestamp is included in each message, specify the device ID to include in messages, view and modify the severity levels for messages, and disable the generation of specific messages.
Chapter 52 Configuring Logging Policies on Firewall Devices Configuring Syslog Server Setup • To add a rule, click the Add Row button and fill in the Add/Edit Syslog Message Dialog Box, page 52-19. You select the message number whose configuration you want to change, and then select the new severity level, or select Suppressed to disable the generation of the message. Typically, you would not change the severity level and disable the message, but you can make changes to both fields if desired.
Table 52-14 Server Setup Page (Continued)
Element / Description
Enable Timestamp on Each Syslog Message: Whether to include the date and time a message was generated in syslog messages. The default is to not include time stamps.
Enable Syslog Device ID: Whether to configure a device ID in non-EMBLEM-format syslog messages.
Table 52-14 Server Setup Page (Continued)
Element / Description
Syslog Message table: Use this table to enable or disable the generation of specific syslog messages, or to change the severity level of a message. If you do not want to restrict which message types are generated or change any message severity levels, you do not need to configure anything in this table.
Table 52-15 Logging Levels (Continued)
Logging Level / Type / Description
7 / Debugging: Generates syslog messages that assist you in debugging. Also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions. Includes all emergency, alert, critical, error, warning, notification, and information messages.
- / Disabled: No logging.
Defining Syslog Servers
The Syslog Servers page lets you specify the syslog servers to which the security appliance will send syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Syslog Servers Page
The Syslog Servers page lets you specify the syslog servers to which the security appliance sends syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Add/Edit Syslog Server Dialog Box
The Add/Edit Syslog Server dialog box lets you add or edit the syslog servers to which the security appliance will send syslog messages. To make use of the syslog servers you define, you must enable logging using the Logging Setup page and set up the appropriate filters for destinations using the Logging Filters page.
Table 52-18 Add/Edit Syslog Server Dialog Box (Continued)
Element / Description
Log messages in Cisco EMBLEM format (UDP only): Whether to log messages in Cisco EMBLEM format. The syslog server must use UDP.
Note: If the syslog server is a Cisco Security MARS appliance, do not select this option. Cisco Security MARS does not process the EMBLEM format.
Chapter 53 Configuring Multicast Policies on Firewall Devices
The Multicast section contains pages for defining IP multicast routing on security devices. Multicast routing is supported in single-context, routed mode only. Enabling multicast routing enables IGMP and PIM on all interfaces by default. Internet Group Management Protocol (IGMP) is used to learn whether members of a group are present on directly attached subnets. Hosts join multicast groups by sending IGMP report messages.
Navigation Path
• (Device view) Select Platform > Multicast > Enable PIM and IGMP from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Multicast > Enable PIM and IGMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Navigation Path
• (Device view) Select Platform > Multicast > IGMP from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Multicast > IGMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
IGMP Page - Protocol Tab
Use the Protocol tab to configure IGMP parameters for an interface on the security appliance.
Table 53-1 Protocol Tab (Continued)
Element / Description
Forward Interface: The name of the interface to which the selected interface forwards IGMP host reports if IGMP forwarding is enabled.
Configure IGMP Parameters Dialog Box
Use the Configure IGMP Parameters dialog box to configure IGMP parameters for an interface on the security appliance.
Table 53-2 Configure IGMP Parameters Dialog Box (Continued)
Element / Description
Query Timeout: The period of time, in seconds, before the security appliance takes over querying the interface after the previous querier has stopped doing so. Valid values range from 60 to 300 seconds. The default value is 255 seconds.
Table 53-3 Configure IGMP Access Group Parameters Dialog Box (Continued)
Element / Description
Multicast Group Network: Enter or Select the multicast group address(es) assigned to the specified interface. You can provide one or more IP address/netmask entries, one or more Networks/Hosts objects, or a combination of both; separate the entries with commas. Group network addresses can range from 224.0.0.0 to 239.255.255.255.
Field Reference
Table 53-5 Configure IGMP Static Group Parameters Dialog Box
Element / Description
Interface: The name of the interface with which the static group is associated.
Multicast Group: The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.
IGMP Page - Join Group Tab
Use the Join Group tab to configure an interface to be a member of a multicast group.
Field Reference
Table 53-7 Configure IGMP Join Group Parameters Dialog Box
Element / Description
Interface: The name of the interface for which you are configuring multicast group membership.
Join Group: The multicast group address to which this rule applies. The group address must be from 224.0.0.0 to 239.255.255.255.
Field Reference
Table 53-8 Add/Edit MRoute Configuration Dialog Box
Element / Description
Source Interface: Enter or Select the incoming interface for the multicast route.
Source Network: Enter the IP address and mask of the multicast source, or select a Networks/Hosts object.
Output Interface/Dense: (Optional) Enter or Select the outgoing interface for the multicast route.
Navigation Path
You can access the Add/Edit MBoundary Configuration dialog box from the Multicast Boundary Filters page; see Configuring Multicast Boundary Filters, page 53-9.
Configuring PIM
Protocol Independent Multicast (PIM) provides a scalable method for determining the best paths in a network for distributing a specific multicast transmission to each host that has registered using IGMP to receive the transmission. Routers and security devices use PIM to maintain tables for forwarding multicast datagrams.
Related Topics
• PIM Page - Rendezvous Points Tab, page 53-15
• PIM Page - Route Tree Tab, page 53-17
• PIM Page - Request Filter Tab, page 53-18
Add/Edit PIM Protocol Dialog Box
Use the Add/Edit PIM Protocol dialog box to configure PIM properties for an interface on a security appliance running PIX 7.x or later.
On an ASA running version 7.2(1) or later, you can use the Neighbor Filter tab to control the devices that can become PIM neighbors. This panel is used to define and manage the per-interface neighbor filter list. Refer to Add/Edit PIM Neighbor Filter Dialog Box, page 53-13 for a description of the fields on this panel.
Navigation Path
You access the Protocol tab from the PIM page.
The PIM bidirectional neighbor filters enable the transition from a sparse-mode-only network to a “bidir” network by letting you specify the devices that should participate in designated forwarder (DF) election, while still allowing all devices to participate in the sparse-mode domain. The bidir-enabled devices can elect a DF from among themselves, even when there are non-bidir devices on the segment.
Table 53-13 Add/Edit PIM Bidirectional Neighbor Filter Dialog Box (Continued)
Element / Description
Neighbor Filter Group: Enter a single multicast address, or a multicast group address range, to which the chosen Action applies. A group address range can be entered using either a standard subnet mask (e.g., 239.0.0.0 255.0.0.0) or CIDR prefix notation (e.g., 239.0.0.0/8). You can also Select a named network/host object.
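The two notations accepted by the Neighbor Filter Group field, and the 224.0.0.0 to 239.255.255.255 group range given in the IGMP tables earlier in this chapter, are the kind of input that is worth validating before a policy is pushed. The following is an added example written for this guide, not Security Manager code: it parses both notations into one canonical form, rejects entries outside the multicast range, and evaluates an ordered permit/deny list. The first-match-wins evaluation with an implicit deny is an assumption made here to mirror access-list behaviour; the page does not state the appliance's default. The filter entries and addresses are constructed sample values.

```python
import ipaddress

# The whole IPv4 multicast range stated on the page: 224.0.0.0 through 239.255.255.255.
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


def parse_group_entry(text):
    """Parse one Neighbor Filter Group entry into an IPv4Network.

    Accepts a single address ("239.1.1.1"), an address plus a standard subnet
    mask ("239.0.0.0 255.0.0.0"), or CIDR prefix notation ("239.0.0.0/8").
    Raises ValueError for malformed input or addresses outside the multicast range.
    """
    parts = text.split()
    if len(parts) == 2:
        text = f"{parts[0]}/{parts[1]}"   # ipaddress accepts a dotted mask after the slash
    elif len(parts) != 1:
        raise ValueError(f"unrecognised group entry: {text!r}")
    network = ipaddress.ip_network(text, strict=True)
    if not network.subnet_of(MULTICAST_RANGE):
        raise ValueError(f"{network} is outside 224.0.0.0-239.255.255.255")
    return network


class NeighborFilter:
    """Ordered permit/deny rules; the first matching rule wins, no match means deny.

    The implicit deny is an assumption made for this example, chosen to mirror
    access-list semantics; the page does not describe the appliance's default.
    """

    def __init__(self, rules):
        # rules: iterable of (action, entry_text), action being "permit" or "deny"
        self.rules = []
        for action, entry in rules:
            if action not in ("permit", "deny"):
                raise ValueError(f"action must be permit or deny, got {action!r}")
            self.rules.append((action, parse_group_entry(entry)))

    def decide(self, address):
        """Return the action applied to `address`."""
        addr = ipaddress.ip_address(address)
        for action, network in self.rules:
            if addr in network:
                return action
        return "deny"


# Constructed sample filter list mixing the three accepted notations.
SAMPLE_FILTER = NeighborFilter([
    ("deny", "239.255.0.0 255.255.0.0"),   # subnet-mask notation
    ("permit", "239.0.0.0/8"),             # CIDR prefix notation
    ("permit", "232.1.1.1"),               # single address
])


if __name__ == "__main__":
    for probe in ("239.255.1.1", "239.1.2.3", "232.1.1.1", "224.0.0.13"):
        print(probe, SAMPLE_FILTER.decide(probe))
```

Because the deny for 239.255.0.0/16 is listed before the broader permit for 239.0.0.0/8, ordering matters: swapping the two rules would permit everything in 239.0.0.0/8. When checking a filter list, test an address from each overlapping range, not just one per rule.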
Add/Edit Rendezvous Point Dialog Box
Use the Add/Edit Rendezvous Point dialog box to add an entry to the Rendezvous Points table, or to edit an existing rendezvous point entry. Please note the following:
• You cannot use the same rendezvous point address twice.
• You cannot specify “All Groups” for more than one rendezvous point.
Add/Edit Multicast Group Rules Dialog Box
Use the Add/Edit Multicast Group Rules dialog box to create or modify a multicast group rule for the Multicast Groups table in the Add/Edit Rendezvous Point dialog box.
Field Reference
Table 53-17 Route Tree Tab
Element / Description
Select a tree/groups option: Choose one of the following:
• Use Shortest Path Tree for All Groups – The security appliance uses shortest-path tree for all multicast groups.
• Use Shared Tree for All Groups – The security appliance uses shared tree for all multicast groups.
Multicast Groups table
Field Reference
Table 53-18 Request Filter Tab
Element / Description
Filter PIM register messages using: Choose how PIM register messages are filtered for different multicast groups:
• None – Do not filter PIM register messages.
• route-map – Filter PIM register messages using a specified route map; the Route Map field is activated.
Route Map
Field Reference
Table 53-19 Add/Edit Multicast Group Rules Dialog Box
Element / Description
Action: Choose permit to create a rule that allows the specified Source/Destination multicast traffic to register with the security appliance; choose deny to create a rule that denies registration to the specified Source/Destination multicast traffic.
Chapter 54 Configuring Routing Policies on Firewall Devices
The Routing section in Security Manager contains pages for defining and managing routing settings for security appliances.
Navigation Path
• (Device view) Select Platform > Routing > No Proxy ARP from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Routing > No Proxy ARP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR). An ABR uses LSAs to send information about available routes to other OSPF routers.
Field Reference
Table 54-1 OSPF General Tab
Element / Description
The General tab provides two identical sections; each is used to enable one OSPF process. The following options are available in each section.
Enable this OSPF Process: Check this box to enable an OSPF process. You cannot enable an OSPF process if you have RIP enabled on the security appliance. Deselect this option to remove the OSPF process.
Table 54-2 OSPF Advanced Dialog Box (Continued)
Element / Description
Adjacency Changes: These options specify the syslog messages sent when adjacency changes occur.
• Log Adjacency Changes – When selected, the security appliance sends a syslog message whenever an OSPF neighbor goes up or down. This option is selected by default.
Administrative Route Distances
Timers (in seconds)
Table 54-2 OSPF Advanced Dialog Box (Continued)
Element / Description
Default Information Originate: Settings used by an ASBR to generate a default external route into an OSPF routing domain.
Field Reference
Table 54-3 Area Tab
Element / Description
OSPF Process: The OSPF process the area applies to.
Area ID: The area ID.
Area Type: The area type (Normal, Stub, or NSSA).
Networks: The area networks.
Options: The options, if any, set for the area type.
Authentication: The type of authentication set for the area (None, Password, or MD5).
Cost: The default cost for the area.
Table 54-4 Add/Edit Area/Area Networks Dialog Box (Continued)
Element / Description
Summary (allows sending LSAs into the stub area): When the area being defined is a stub area, deselecting this check box prevents LSAs from being sent into the stub area. This check box is selected by default for stub areas.
NSSA: Choose this option to make the area a not-so-stubby area. NSSAs accept Type 7 LSAs.
Related Topics
• Add/Edit Area Range Network Dialog Box, page 54-9
Field Reference
Table 54-5 Range Tab
Element / Description
Process ID: The ID of the OSPF process associated with the route summary.
Area ID: The ID of the area associated with the route summary.
Network: The summary IP address and network mask.
Neighbors Tab
Use the Neighbors tab to define static neighbors. You need to define a static neighbor for each point-to-point, non-broadcast interface. You also need to define a static route for each static neighbor in the Neighbors table.
Navigation Path
You can access the Neighbors tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF, page 54-2.
Redistribution Tab
Use the Redistribution tab to define the rules for redistributing routes from one routing domain to another.
Navigation Path
You can access the Redistribution tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF, page 54-2.
Field Reference
Table 54-10 OSPF Redistribution Settings Dialog Box
Element / Description
OSPF Process: Select the OSPF process associated with the route redistribution entry.
Route Type: Select the source protocol from which the routes are being redistributed. You can choose one of the following options:
• Static—The route is a static route.
Match
Virtual Link Tab
Use the Virtual Link tab to create virtual links. If you add an area to an OSPF network, and it is not possible to connect the area directly to the backbone area, you need to create a virtual link. A virtual link connects two OSPF devices that have a common area, called the transit area. One of the OSPF devices must be connected to the backbone area.
Table 54-12 Add/Edit OSPF Virtual Link Configuration Dialog Box (Continued)
Element / Description
Area ID: Select the area shared by the neighbor OSPF devices. The selected area cannot be an NSSA or a stub area.
Peer Router: Enter the IP address of the virtual link neighbor.
Hello Interval: The interval, in seconds, between hello packets sent on an interface.
Table 54-12 Add/Edit OSPF Virtual Link Configuration Dialog Box (Continued)
Element / Description
MD5 IDs and Keys: Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
• MD5 Key ID and MD5 Key Table
– MD5 Key ID—A numerical key identifier. Valid values range from 1 to 255.
Navigation Path
You can access the Filtering tab from the OSPF page. For more information about the OSPF page, see Configuring OSPF, page 54-2.
Related Topics
• Add/Edit Filtering Dialog Box, page 54-16
Field Reference
Table 54-14 Filtering Tab
Element / Description
OSPF Process: The OSPF process associated with the filter entry.
Area ID: The ID of the area associated with the filter entry.
Table 54-15 Add/Edit Filtering Dialog Box (Continued)
Element / Description
Traffic Direction: Select the traffic direction to filter. Choose “Inbound” to filter LSAs coming into an OSPF area or “Outbound” to filter LSAs going out of an OSPF area.
Sequence Number: Enter a sequence number for the filter. Valid values range from 1 to 4294967294.
Table 54-16 Summary Address Tab (Continued)
Element / Description
Tag: A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs.
Advertise: Displays “true” if the summary route is advertised and “false” if it is not.
Field Reference
Table 54-18 Interface Tab
Element / Description
Interface: The name of the interface to which the configuration applies.
Authentication: The type of OSPF authentication enabled on the interface. The authentication type can be one of the following values:
• None—OSPF authentication is disabled.
• Password—Clear text password authentication is enabled.
• MD5—MD5 authentication is enabled.
Table 54-18 Interface Tab (Continued)
Element / Description
Dead Interval: The interval, in seconds, in which no hello packets are received, causing neighbors to declare a router down. Valid values range from 1 to 65535. The default value of this setting is four times the interval set by the Hello Interval field.
Table 54-19 Add/Edit Interface Dialog Box (Continued)
Element / Description
MD5 Key IDs and Keys: Contains the settings for entering the MD5 keys and parameters when MD5 authentication is enabled. All devices on the interface using OSPF authentication must use the same MD5 key and ID.
• Key ID—Enter a numerical key identifier. Valid values range from 1 to 255.
• Key—An alphanumeric character string of up to 16 bytes.
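The Key ID range (1 to 255) and the 16-byte key limit in the MD5 tables above (for virtual links and for interfaces) come from OSPFv2 cryptographic authentication as specified in RFC 2328, Appendix D: the key, zero-padded to 16 bytes, is appended to the packet and MD5 is computed over the result; the receiver recomputes the digest with the key selected by the Key ID carried in the packet header, which is why every device on the link must hold the same key under the same ID. The following is an added example written for this guide, not code from Security Manager or the appliance: it builds a constructed OSPFv2 header, produces and verifies the digest, and enforces the limits the tables state. The router ID, area ID, sequence number, packet body and keys are sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
AUTH_TYPE_CRYPTOGRAPHIC = 2   # OSPFv2 AuType value for MD5 authentication
HEADER_LEN = 24
DIGEST_LEN = 16
MAX_KEY_LEN = 16


def build_ospf_packet(packet_type, router_id, area_id, body, key_id, seq):
    """Build an OSPFv2 packet (24-byte header + body) ready for MD5 signing.

    For AuType 2 the checksum is zero and the 8-byte authentication field
    carries key ID, digest length and the cryptographic sequence number.
    """
    if not 1 <= key_id <= 255:
        raise ValueError("MD5 Key ID must be in the range 1 to 255")
    length = HEADER_LEN + len(body)                 # excludes the trailing digest
    header = struct.pack(
        "!BBH4s4sHH",
        OSPF_VERSION, packet_type, length,
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area_id).packed,
        0, AUTH_TYPE_CRYPTOGRAPHIC,
    )
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth_field + body


def _message_digest(packet, key):
    # RFC 2328 D.4.3: MD5 over the packet followed by the key zero-padded to 16 bytes.
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise ValueError("MD5 key must be 1 to 16 bytes")
    return hashlib.md5(packet + key.ljust(MAX_KEY_LEN, b"\x00")).digest()


def sign_packet(packet, key):
    """Append the 16-byte message digest to an unsigned packet."""
    return packet + _message_digest(packet, key)


def verify_packet(signed, keys):
    """Check a received packet against a {key_id: key} table.

    Returns True only when the header is well formed and the digest computed
    with the key named by the packet's Key ID matches the trailing digest.
    """
    if len(signed) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", signed[2:4])[0]
    au_type = struct.unpack("!H", signed[14:16])[0]
    key_id, auth_len = signed[18], signed[19]
    if au_type != AUTH_TYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False
    if length + DIGEST_LEN != len(signed):
        return False
    key = keys.get(key_id)
    if key is None:
        return False                                # unknown Key ID: do not trust the neighbor
    packet, digest = signed[:length], signed[length:]
    return hmac.compare_digest(_message_digest(packet, key), digest)


# Constructed sample: a Hello-type packet (type 1) with a placeholder body.
SAMPLE_KEYS = {1: b"sample-key-1", 2: b"sample-key-2"}
SAMPLE_PACKET = build_ospf_packet(1, "10.0.0.1", "0.0.0.0", b"\x00" * 20, key_id=1, seq=42)


def demo():
    """Sign the sample packet and show which verification failures are caught."""
    signed = sign_packet(SAMPLE_PACKET, SAMPLE_KEYS[1])
    # Flip one bit in the first body byte to simulate in-flight modification.
    tampered = signed[:HEADER_LEN] + bytes([signed[HEADER_LEN] ^ 0x01]) + signed[HEADER_LEN + 1:]
    return {
        "valid": verify_packet(signed, SAMPLE_KEYS),
        "tampered_body": verify_packet(tampered, SAMPLE_KEYS),
        "wrong_key": verify_packet(signed, {1: SAMPLE_KEYS[2]}),
        "unknown_key_id": verify_packet(signed, {2: SAMPLE_KEYS[2]}),
    }


if __name__ == "__main__":
    print(demo())
```

The sequence number in the authentication field is what protects against replay of an old, correctly signed packet; a real implementation also rejects a packet whose sequence number is lower than the last one accepted from that neighbor, which this example leaves to the reader.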
Configuring OSPFv3
The OSPFv3 page provides two tabbed panels for configuring OSPF (Open Shortest Path First) version 3 routing on a firewall device.
Navigation Path
• (Device view) Select Platform > Routing > OSPFv3 from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPFv3 from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Think of a link as being an interface on a networking device. A link-state protocol makes its routing decisions based on the states of the links that connect source and destination devices. The state of a link is a description of that interface and its relationship to its neighboring networking devices.
• If used in an ASA cluster, OSPFv3 encryption should be disabled.
• The Layer 3 cluster pool is not shared between OSPFv3 and the interface.
Related Topics
• Configuring OSPFv3, page 54-22
• Process Tab, page 54-24
• OSPFv3 Interface Tab, page 54-34
Process Tab
Use the Process tab on the OSPFv3 page to enable and configure up to two OSPFv3 routing processes.
Table 54-20 Process Tab (Continued)
Element / Description
Area: Use the tabs and tables in this panel to manage area, range and virtual-link definitions. See Area Tab (OSPFv3), page 54-28 for more about these definitions.
Redistribution: Use this panel to manage redistribution definitions. See Add/Edit Redistribution Dialog Box (OSPFv3), page 54-32 for more about these definitions.
Table 54-21 OSPF Advanced Dialog Box (Continued)
Element / Description
Adjacency Changes: These options specify the syslog messages sent when adjacency changes occur:
• Log Adjacency Changes – When selected, the security appliance sends a syslog message whenever an OSPF neighbor goes up or down. Checking this box enables the Include Details option.
Administrative Route Distances
Table 54-21 OSPF Advanced Dialog Box (Continued)
Element / Description
Timers (in milliseconds): LSA and SPF throttling provide a dynamic mechanism to slow LSA updates in OSPFv3 during times of network instability, and allow faster OSPFv3 convergence by providing LSA rate limiting.
Table 54-21 OSPF Advanced Dialog Box (Continued)
Element / Description
Default Information Originate: Settings used by an ASBR to generate a default external route into an OSPFv3 routing domain:
• Enable Default Information Originate – Check this box to enable generation of a default route into the OSPFv3 routing domain; the following options become available:
– Always advertise the default route – Check this box to always
Related Topics
• About OSPFv3, page 54-22
• OSPFv3 Interface Tab, page 54-34
Add/Edit Area Dialog Box (OSPFv3)
Use the Add/Edit Area dialog box to define parameters for the area.
Navigation Path
You can access the Add/Edit Area dialog box from the Area Tab (OSPFv3), page 54-28.
Table 54-22 Add/Edit Area Dialog Box (Continued)
Element / Description
Type: Define the area type by choosing one of the following:
• Normal – Make the area a standard OSPFv3 area. This option is selected by default when you first create an area.
• NSSA – Make the area a “not-so-stubby area.” NSSAs accept Type 7 LSAs. When you choose this option, the Default Information Originate options are enabled.
• About OSPFv3, page 54-22
• Process Tab, page 54-24
Field Reference
Table 54-23 Add/Edit Range Dialog Box
Element / Description
Area ID: This read-only entry is the ID of the area to which this range applies.
IPv6 Prefix/Length: The IPv6 address(es) for the routes being summarized.
Tip: You can click Select to select the networks from a list of network objects.
Cost
Table 54-24 Add/Edit Virtual Link Dialog Box (Continued)
Element / Description
Peer Router ID: Enter the IP address of the virtual link neighbor.
Tip: You can click Select to select from a list of network objects.
TTL Security: The time-to-live (TTL) security hop count on a virtual link. The hop count value can range from 1 to 254.
Field Reference
Table 54-25 Add/Edit Redistribution Dialog Box
Element / Description
Source Protocol: Choose the source protocol for route redistribution:
• Connected – Redistributes connected routes (routes established automatically by virtue of having an IP address enabled on the interface) to the OSPFv3 routing process. Connected routes are redistributed as external to the autonomous system.
Metric
Table 54-25 Add/Edit Redistribution Dialog Box (Continued)
Element / Description
NSSA External 1: Routes that are external to the autonomous system, but are imported into OSPF as Type 1 NSSA routes.
NSSA External 2: Routes that are external to the autonomous system, but are imported into OSPF as Type 2 NSSA routes.
Refer to Using Tables, page 1-45 for basic information about working with Security Manager tables.
Navigation Path
Click the Interface tab on the OSPFv3 page to display this panel. For more information about the OSPFv3 page, see Configuring OSPFv3, page 54-22.
Table 54-27 Add/Edit Interface Dialog Box (Continued)
Element / Description
Disable MTU mismatch detection: Check this box to disable OSPFv3 MTU mismatch detection when database description (DBD) packets are received.
Flood Reduction: Check this box to suppress unnecessary flooding of LSAs in stable topologies.
Table 54-27 Add/Edit Interface Dialog Box (Continued)
Element / Description
Transmit Delay: The estimated time, in seconds, required to send an LSA packet on the interface. LSAs in the update packet have their ages increased by the amount specified in this field before transmission. If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered.
Table 54-27 Add/Edit Interface Dialog Box (Continued)
Element / Description
Encryption Algorithm: Choose the type of encryption to use:
• 3des – Triple DES; the Data Encryption Standard cipher algorithm is applied three times to each packet.
• aes-cbc – Encryption is based on the Advanced Encryption Standard with Cipher Block Chaining, using a key of the size chosen with the Key Type parameter.
Navigation Path
You can access the Add/Edit Neighbor dialog box from the Neighbor panel under the OSPFv3 Interface Tab, page 54-34.
Related Topics
• Configuring OSPFv3, page 54-22
• About OSPFv3, page 54-22
• Process Tab, page 54-24
Field Reference
Table 54-28 Add/Edit Neighbor Dialog Box
Element / Description
Interface: The interface associated with this neighbor definition (read-only).
Configuring RIP
Routing Information Protocol (RIP) is a dynamic routing protocol, or more precisely, an interior gateway protocol based on distance vectors. RIP uses hop count as the metric for path selection. When RIP is enabled on an interface, the interface exchanges RIP broadcast packets with neighboring devices to dynamically learn about and advertise routes.
• Configuring No Proxy ARP, page 54-1
• Configuring Routing Information Protocol – a chapter from the “Cisco IOS IP Configuration Guide, Release 12.2,” providing additional detailed information about RIP
RIP Page for PIX/ASA 6.3–7.1 and FWSM
Use this RIP page to enable the Routing Information Protocol (RIP) on an interface in any FWSM, or in a PIX/ASA running a pre-7.2 version operating system.
Field Reference
Table 54-29 Add/Edit RIP Configuration (PIX/ASA 6.3-7.1 and FWSM) Dialog Boxes
Element / Description
Interface: Enter or Select the interface for the RIP configuration. You cannot configure two different RIP configurations on the same interface.
• RIP - Interface Tab, page 54-47
Navigation Path
• (Device view) Select Platform > Routing > RIP from the Device Policy selector.
• (Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one. When creating a shared RIP policy, you must choose a Version in the Create a Policy dialog box, as follows:
– PIX/ASA 6.3-7.
Field Reference
Table 54-30 Setup Tab
Element / Description
Networks: Define one or more networks for RIP routing. Enter IP address(es), or enter or Select the desired Network/Hosts objects (see Understanding Networks/Hosts Objects, page 6-74); IP addresses must not contain any subnet information. There is no limit to the number of networks you can add to the security appliance configuration.
Table 54-30 Setup Tab (Continued)
Element / Description
Enable Auto-Summary: This option is available when Send and Receive Version 2 is the chosen RIP Version. When checked, automatic route summarization is enabled. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised.
Table 54-31 Add/Edit Redistribution Dialog Box (Continued)
Element / Description
Process ID: Enter the process ID when the OSPF protocol is chosen.
Match: If you are redistributing OSPF routes into the RIP routing process, you can select specific types of OSPF routes to redistribute. Ctrl-click to select multiple types:
• Internal – Routes internal to the autonomous system (AS) are redistributed.
Add/Edit Filter Dialog Box
Use the Add Filter and Edit Filter dialog boxes to add and edit RIP filters on the RIP - Filtering Tab, page 54-46. Filters are used to limit network information in incoming and outgoing RIP advertisements. Except for their titles, these two dialog boxes are identical.
Navigation Path
You can access the Add and Edit Filter dialog boxes from the Filtering tab on the RIP Page for PIX/ASA 7.
Chapter 54 Configuring Routing Policies on Firewall Devices Configuring Static Routes Add/Edit Interface Dialog Box Use the Add Interface and Edit Interface dialog boxes to add and edit RIP interface configurations on the RIP - Interface Tab, page 54-47. Except for their titles, these two dialog boxes are identical. Navigation Path You can access the Add and Edit Interface dialog boxes from the Interface tab on the RIP Page for PIX/ASA 7.2 and Later, page 54-42.
Chapter 54 Configuring Routing Policies on Firewall Devices Configuring Static Routes (OSPF)-derived routes have a default administrative distance of 100. To configure a back-up static route that is overridden by an OSPF route, specify a metric value for the static route that is greater than 100. This is referred to as a “floating” static route.
Chapter 54 Configuring Routing Policies on Firewall Devices Configuring Static Routes Field Reference Table 54-34 Add/Edit Static Route Dialog Box Element Description Interface Enter or Select the interface to which this static route applies. Network Enter or Select the destination network(s). You can provide one or more IP address/netmask entries, one or more Networks/Hosts objects, or a combination of both; separate the entries with commas. Enter “0.0.0.0/0” or “any” to specify a default route.
Chapter 54 Configuring Routing Policies on Firewall Devices Configuring Static Routes Navigation Path You can access the Add/Edit IPv6 Static Route dialog box from the IPv6 Static Route page. Click the Add Row button to add a new static route; select an existing static route and click the Edit Row button to edit that route.
CHAPTER 55 Configuring Security Policies on Firewall Devices You can configure general security settings for the device using the General page and the Timeouts page under Platform > Security. You can enable anti-spoofing on interfaces, configure IP fragment settings, and configure a variety of timeout values for the device.
Table 55-1 General Page (Continued). Global Fragment Settings: Use these options to configure global fragment settings for the device. You can override these settings for individual interfaces; see Add/Edit General Security Configuration Dialog Box, page 55-3 for more information. Enable Default Settings: Check this box to enable the default fragment settings fields.
Anti-spoofing Unicast Reverse Path Forwarding (RPF) guards against IP spoofing—a packet using an incorrect source IP address to obscure its true source—by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. Normally, the security appliance looks only at the destination address when determining where to forward the packet.
• Configuring Floodguard, Anti-Spoofing and Fragment Settings, page 55-2 Field Reference Table 55-2 Add/Edit General Security Configuration Dialog Box. Interface: Enter or Select the name of the interface for which you want to configure anti-spoofing or fragment settings. Enable Anti-Spoofing: Check this box to enable Unicast RPF (anti-spoofing) on the specified interface.
Field Reference Table 55-3 Timeouts Page. To change the timeout value for a parameter, click the radio button to the left of the parameter entry to activate it, and then enter the new value in the parameter field. To reset any value to its default, click the related Default button. Clicking the Disable button, where provided, disables the timeout by setting its value to 0:00:00.
Table 55-3 Timeouts Page (Continued). SIP Disconnect (PIX 6.3(5), PIX/ASA 7.2+, FWSM 3.2+): Length of time idle after which a SIP session is deleted if the 200 OK is not received for a CANCEL or a BYE message. The minimum value is 0:0:1; the maximum value is 0:10:0. The default value is 0:02:00. SIP Invite: Length of time idle after which pinholes for PROVISIONAL responses (PIX 6.3(5), PIX/ASA 7.
CHAPTER 56 Configuring Service Policy Rules on Firewall Devices This section describes configuring service policy rules. Service policies provide a consistent and flexible way to configure certain security appliance features, including priority queuing, application inspection, and QoS (quality of service). For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
• ASA CX redirection (see About the ASA CX, page 56-15) • User statistics for identity-based firewall policies The configuration options for these features are presented on two pages in Security Manager—Priority Queues and IPS, QoS and Connection Rules—accessed by navigating to Platform > Service Policy Rules.
About TCP State Bypass By default, all traffic that enters an ASA or FWSM is inspected using the Adaptive Security Algorithm, and is either allowed through or dropped based on the security policy.
Related Topics • About Service Policy Rules, page 56-1 Priority Queues Page Priority queues let you define how traffic is prioritized in the network. You can define a series of filters based on packet characteristics to cause traffic to be placed in a higher or lower priority queue. The queue with the highest priority is serviced first until it is empty, then the lower queues are serviced in sequence.
Related Topics • Chapter 56, “Configuring Service Policy Rules on Firewall Devices” • Insert/Edit Service Policy (MPC) Rule Wizard, page 56-6 • About Service Policy Rules, page 56-1 • Understanding Queuing Parameters, page 63-4 Field Reference Table 56-1 Priority Queue Configuration Dialog Box. Interface Name: Specify the interface to which this rule applies; you can enter the
ASA CX Auth Proxy Configuration The CXSC Auth Proxy button below the IPS, QoS, and Connection Rules table opens the Add/Edit CXSC Auth Proxy Configuration dialog box, which is described in ASA CX Auth Proxy Configuration, page 56-16. The CXSC Auth Proxy button is available below the IPS, QoS, and Connection Rules table only in Device view; it is not visible in Policy view.
Related Topics • Step 2. Configure the traffic class, page 56-7 • Step 3. Configure the MPC actions, page 56-8 Table 56-2 Insert/Edit Service Policy (MPC) Rule Wizard—Step 1. Configure a Service Policy. Enable The Current MPC Rule: Check this box to enable this service policy rule.
• Step 3. Configure the MPC actions, page 56-8 Step 3. Configure the MPC actions The third step in the Insert/Edit Service Policy (MPC) Rule Wizard involves specifying IPS, CXSC, Connection Setting, QoS, CSC, User Statistics, and ScanSafe Web Security parameters for the rule; each set of parameters is presented on a separate tabbed panel. Related Topics • Step 1.
Table 56-3 Insert/Edit Service Policy (MPC) Rule Wizard—Step 3. Configure the actions. CXSC tab. Note Security Manager uses “CXSC” in places to refer to an ASA CX Security Services Processor (SSP). Enable CXSC For This Traffic: Check this box to enable redirection of this traffic flow to an ASA CX installed in the ASA.
Table 56-3 Insert/Edit Service Policy (MPC) Rule Wizard—Step 3. Configure the actions (Continued). Connection Timeouts: You can specify the following connection timeout settings for this traffic flow: • Embryonic Connection Timeout – Specify the idle time until an embryonic connection slot is freed. Enter 0:0:0 to disable timeout for the connection.
Randomize TCP Sequence Number: Enables the Randomize Sequence Number feature. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data.
Input (Traffic Policing): Enables policing of traffic flowing into the device; these options apply to ASA/PIX 7.2+ devices only.
About IPS Modules on ASA Devices You can install a variety of IPS modules, such as the Advanced Inspection and Prevention Security Services Module (AIP-SSM), in some ASA device models. The IPS modules supported by each ASA model differ.
The next illustration depicts traffic flow when the IPS module is running in Promiscuous mode. In this example, the IPS module sends a shun message to the ASA for traffic it has identified as a threat.
Related Topics • About Service Policy Rules, page 56-1 ASA CX Auth Proxy Configuration If you enabled ASA CX authentication proxy—on the CXSC tab during Step 3 of the Insert/Edit Service Policy (MPC) Rule Wizard; see Step 3.
These dialog boxes can also be opened by clicking the Create or Edit buttons in the Traffic Flows Selector while defining a Service Policy rule. See Step 2. Configure the traffic class, page 56-7 for more information about selecting a Traffic Flow class.
Table 56-5 Add and Edit Traffic Flow Dialog Boxes (Continued). Available ACLs: A list of the access control list (ACL) objects that you can select for the map. Select the ACL that defines the target traffic, or click the Create button to add a new object. You can also select an object and click Edit to change its definition.
Table 56-6 Default Inspection Traffic (columns: Value, Port, NAT Limitations, Comments)
CTIQBE: TCP/2748
CuSeeMe: UDP/7648
DNS over UDP: UDP/53; NAT Limitations: No NAT support for name resolution through WINS. Comments: No PTR records are changed.
FTP: TCP/21
GTP: UDP/2123, 3386
H.323, H.225: TCP/1720, 1718; NAT Limitations: No NAT on same security interfaces. No static PAT.
RAS: UDP/1718, 1719; NAT Limitations: No NAT on same security interfaces. No static PAT.
Table 56-6 Default Inspection Traffic (Continued)
TFTP: UDP/69; NAT Limitations: Payload IP addresses are not translated.
XDMCP: UDP/177; NAT Limitations: No NAT or PAT.
Configuring TCP Maps Use the Add and Edit TCP Map dialog boxes to define TCP normalization maps for use with IPS, QoS, and Connection Rules service policies.
Table 56-7 Add and Edit TCP Map Dialog Boxes (Continued). Queue Limit: The maximum number of out-of-order packets that can be buffered and put in order for a TCP connection; enter a value between 1 and 250.
Table 56-7 Add and Edit TCP Map Dialog Boxes (Continued). Enable TTL Evasion Protection: Enables the TTL evasion protection offered by the security appliance. Do not disable this option if you want to prevent attacks that attempt to evade security policy. For example, an attacker can send a packet that passes policy with a very short TTL.
Field Reference Table 56-8 Add and Edit TCP Option Range Dialog Boxes. Lower: The lower bound of the range; enter either 6 or 7, or an integer from 9 to 255. Note The Lower bound must be less than or equal to the Upper bound. Upper: The upper bound of the range; enter either 6 or 7, or an integer from 9 to 255.
CHAPTER 57 Configuring Security Contexts on Firewall Devices You can define multiple security “contexts” on a single security appliance. Each context operates as an independent virtual device, with its own security policy, interfaces and administrators. Multiple contexts are similar to having multiple stand-alone devices. Many features are supported in multiple-context mode, including routing tables, firewall features, IPS, and management.
Similarly, Cisco Security Manager does not support restoring an existing device to single-context mode. To perform this task, you must delete the device and any of its child contexts from Security Manager, restore single-context operation using a device manager or CLI input, and then add the device again to Security Manager.
Step 2: Define an Admin context for administering the base security appliance. This task is called out separately to ensure you define a context and IP address specifically for administration of the security appliance. The process is the same as defining a security context; however, during the process, be sure to check Admin Context to designate this as the administration context.
Step 4: Submit/deploy to generate the virtual firewalls as children of the base appliance. You must create the desired contexts on the security appliance before you can begin defining the individual settings of each context. To create contexts on the appliance, you must define them, and then either submit changes in Workflow mode, or deploy the changes to the security appliance in non-Workflow mode.
Step 1 Ensure Device View is your present application view; if necessary, click the Device View button on the toolbar. For more information on using the Device View to configure device policies, see Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-28. Step 2 Select the appliance you want to configure.
Navigation Path You can access the Add Security Context and Edit Security Context dialog boxes from the Security Contexts page, as described in Managing Security Contexts, page 57-4. Field Reference Table 57-1 Add/Edit Security Context Dialog Box (FWSM). Name: Enter a name of up to 32 characters for the context.
Add/Edit Security Context Dialog Box (PIX/ASA) The Add Security Context and Edit Security Context dialog boxes let you define and maintain contexts for the currently selected PIX/ASA security appliance. (Except for their titles, the two dialog boxes are identical.) Note that at least one security context must be designated as the Admin context.
Table 57-2 Add/Edit Security Context Dialog Box (PIX/ASA) (Continued). ScanSafe Settings: To enable ScanSafe inspection in this context, select Enable ScanSafe Web Security. To override the license specified in the system configuration, enter a license ID in the License field; it must be 32 hexadecimal characters. See Chapter 20, “Working with ScanSafe Web Security” for more information.
Field Reference Table 57-3 Allocate Interfaces Dialog Box. Physical Interface: Choose a physical interface to assign to this context. In transparent firewall mode, you can assign only an interface that has not been allocated to another context. If you choose an interface already assigned to another context, you must also specify a subinterface.
PART 6 Router and Switch Device Configuration
CHAPTER 58 Managing Routers Cisco Security Manager supports the management and configuration of security features and other platform-specific features on Cisco IOS access security routers. You configure these features in the form of policies, each of which defines a different aspect of the configuration of the router. For a detailed explanation of the policy paradigm used by Security Manager, see Chapter 5, “Managing Policies”.
Configuring Routers Running IOS Software Releases 12.1 and 12.
• FlexConfigs. See Chapter 7, “Managing FlexConfigs”. All other policies require Cisco IOS Software Release 12.3 or higher. For more information about supported devices, see Supported Devices and Software Versions for Cisco Security Manager. Discovering Router Policies You can discover the configurations of your Cisco IOS routers and import these configurations as policies into Security Manager.
CHAPTER 59 Configuring Router Interfaces This chapter contains the following topics: • Basic Interface Settings on Cisco IOS Routers, page 59-1 • Router Interfaces Page, page 59-7 • Advanced Interface Settings on Cisco IOS Routers, page 59-13 • Advanced Interface Settings Page, page 59-15 • IPS Module Interface Settings on Cisco IOS Routers, page 59-22 • IPS Module Interface Settings Page, page 59-22 • CEF Interface Settings on Cisco IOS Routers, page 59-24 • CEF Interface Settings Pag
Related Topics • Available Interface Types, page 59-2 • Defining Basic Router Interface Settings, page 59-3 • Deleting a Cisco IOS Router Interface, page 59-6 Available Interface Types Table 59-1 on page 59-2 describes the types of interfaces that can be configured on Cisco IOS routers. Table 59-1 Router Interface Types. Null: Null interface.
Table 59-1 Router Interface Types (Continued). Loopback: A logical interface that emulates an interface that is always up. For example, having a loopback interface on the router prevents a loss of adjacency with neighboring OSPF routers if the physical interfaces on the router go down. The name of a loopback interface must end with a number ranging from 0-2147483647.
Note Basic interface settings are always local to the device on which they are configured. You cannot share this policy with other devices. You can, however, share advanced interface settings. For more information, see Advanced Interface Settings on Cisco IOS Routers, page 59-13.
Step 9 Define additional properties of the interface/subinterface: • Use the Negotiation check box to enable and disable auto-negotiation for the interface. Auto-negotiation detects the capabilities of remote devices and negotiates the best possible performance between the two devices. When Negotiation is enabled, the Fast Ethernet Duplex and Speed options are disabled.
Note Frame relay must be configured on the parent interface. IETF Frame Relay encapsulation provides interoperability between a Cisco IOS router and equipment from other vendors. To configure Cisco Frame Relay encapsulation, use CLI commands or FlexConfigs. Step 11 (Optional) Enter a description of up to 1024 characters for the interface.
Router Interfaces Page Use the Router Interfaces page to view, create, edit, and delete interface definitions (physical and virtual) on a selected Cisco IOS router. The Router Interfaces page displays interfaces that were discovered by Security Manager as well as interfaces added manually after you added the device to the system. Note Unlike other router policies, the Interfaces policy cannot be shared among multiple devices.
Create Router Interface Dialog Box Use the Create Router Interface dialog box to create and edit physical and virtual interfaces on the selected Cisco IOS router. Tip Interface configuration is specific to the type of device. Many of the options on this page might be greyed out for specific device or interface types because they do not apply or they are not configurable.
Table 59-3 Create Router Interface Dialog Box (Continued). IP: The method of IP address assignment for the interface: • Static IP—Defines a static IP address and subnet mask for the interface. Enter this information in the fields that appear below the option. Note You can define the mask using either dotted decimal (for example, 255.255.255.255) or CIDR notation (/32).
Table 59-3 Create Router Interface Dialog Box (Continued). Duplex: The interface transmission mode: • None—The transmission mode is returned to its device-specific default setting. • Full—The interface transmits and receives at the same time (full duplex). • Half—The interface can transmit or receive, but not at the same time (half duplex). This is the default. Speed:
Table 59-3 Create Router Interface Dialog Box (Continued). Encapsulation: The type of encapsulation performed by the interface: • None—No encapsulation. • DOT1Q—VLAN encapsulation, as defined by the IEEE 802.1Q standard. Applies only to Ethernet subinterfaces. • Frame Relay—IETF Frame Relay encapsulation. Applies only to serial interfaces (not serial subinterfaces).
Table 59-3 Create Router Interface Dialog Box (Continued). DLCI: Applies only to serial subinterfaces with Frame Relay encapsulation. Enter the data-link connection identifier to associate with the subinterface. Valid values range from 16 to 1007. Note Security Manager configures serial subinterfaces as point-to-point, not multipoint. Description: Additional information about the interface (up to 1024 characters).
Advanced Interface Settings on Cisco IOS Routers In addition to the basic interface definitions that you can define on the Interfaces page, Security Manager provides a method for defining selected advanced settings on interfaces that support those settings. Unlike the basic interface settings defined on the Interface page, you can share an advanced settings policy with multiple devices.
Step 3 Configure the advanced settings required for the selected interface. For details about each setting, see Advanced Interface Settings Dialog Box, page 59-16. Step 4 Click OK to save your definitions. Your definitions are displayed in the Advanced Interface Settings table.
Table 59-5 Default UDP Services Forwarded to Helper Addresses (Continued) (Service: Port). DNS: 53; NetBIOS datagram service: 138; NetBIOS name service: 137; TACACS: 49; TFTP: 69; Time: 37. Tip To forward additional UDP services, use the CLI or FlexConfigs to configure the ip forward-protocol command. Use the no form of this command to prevent the forwarding of any of the default services listed in Table 59-5 on page 59-14.
• (Policy view) Select Router Interfaces > Settings > Advanced Settings from the Policy Type selector. Right-click Advanced Settings to create a policy, or select an existing policy from the Shared Policy selector.
Table 59-6 Advanced Interface Settings Dialog Box (Continued). Load Interval: The length of time, in seconds, used to calculate the average load on the interface. Valid values range from 30 to 600 seconds, in multiples of 30 seconds. The default is 300 seconds (5 minutes). Load interval is not supported on subinterfaces. Modify the default to shorten the length of time over which load averages are computed.
Table 59-6 Advanced Interface Settings Dialog Box (Continued). Interface Throughput Delay: The expected delay for the interface in tens of microseconds (for example, 3000 translates to 30,000 microseconds). You can enter a value between 1 and 16777215, and the default varies by the type of interface. Higher-level protocols might use delay information to make operating decisions.
Table 59-6 Advanced Interface Settings Dialog Box (Continued). Additional Settings. Enable Maintenance Operation Protocol (MOP): Whether to enable MOP on the interface. You can use MOP for utility services such as uploading and downloading system software, remote testing, and problem diagnosis.
Table 59-6 Advanced Interface Settings Dialog Box (Continued). Enable Directed Broadcasts: Whether to have directed broadcast packets “exploded” as a link-layer broadcast when this interface is directly connected to the destination subnet. When deselected, directed broadcast packets that are intended for the subnet to which this interface is directly connected are dropped rather than being broadcast.
Table 59-6 Advanced Interface Settings Dialog Box (Continued). Mode: How strict to make unicast RPF: • Loose Mode—The default. Examines incoming packets to determine whether the source address is in the Forwarding Information Base (FIB) and permits the packet if the source is reachable through any interface on the router.
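The strict check the ASA "Enable Anti-Spoofing" option enforces (source must be reachable back through the ingress interface) and the IOS loose mode described here (source only has to be reachable through some interface in the FIB) are easy to confuse, so here is an added example, not code from the guide or from Cisco, that models both checks against a constructed forwarding table. The FIB entries, interface names and sample packets are constructed, and how a default-route match is treated is a modelling assumption (the `allow_default` flag), not a statement about either platform.

```python
"""
Added example (not from the Cisco Security Manager guide): a minimal model of
Unicast Reverse Path Forwarding (uRPF) checks in strict and loose mode.
All routes, interface names and packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed FIB for a router with interfaces inside, dmz and outside.
# Longest-prefix match decides which entry applies to a source address.
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),        # default route
    Route(ipaddress.ip_network("10.1.0.0/16"), "inside"),
    Route(ipaddress.ip_network("10.1.5.0/24"), "dmz"),          # more specific than inside
    Route(ipaddress.ip_network("192.168.100.0/24"), "dmz"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns the Route, or None if nothing covers addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """
    True if a packet with source `src` arriving on `ingress` passes uRPF.

    strict: the best route back to the source must point out the ingress
            interface (the check behind the ASA anti-spoofing option).
    loose:  the source only has to be reachable via some interface in the FIB.
    allow_default: modelling assumption; when False, a source that matches
            only the default route is treated as unverifiable and fails.
    """
    route = lookup(fib, src)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.2.3", "inside"),        # legitimate: 10.1.0.0/16 lives behind inside
    ("10.1.5.9", "inside"),        # wrong interface: best route for 10.1.5.0/24 is dmz
    ("10.1.5.9", "dmz"),           # legitimate dmz host
    ("203.0.113.7", "inside"),     # only the default route matches
    ("192.168.100.4", "outside"),  # internal address arriving from outside: spoofed
]


def classify(fib, packets, mode):
    """Return [(src, ingress, 'pass' | 'drop'), ...] for each packet under `mode`."""
    return [(src, ifc, "pass" if urpf_check(fib, src, ifc, mode) else "drop")
            for src, ifc in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} mode ---")
        for src, ifc, verdict in classify(FIB, SAMPLE_PACKETS, mode):
            print(f"{src:>15} via {ifc:<8} {verdict}")
```

Note that the spoofed 192.168.100.4 packet from outside passes in loose mode but is dropped in strict mode: loose mode only catches sources with no route at all, which is why it is the safer choice on asymmetrically routed links but the weaker anti-spoofing control.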
Chapter 59 Configuring Router Interfaces IPS Module Interface Settings on Cisco IOS Routers IPS Module Interface Settings on Cisco IOS Routers On some routers, you can install IPS modules such as the Cisco Intrusion Prevention System Advanced Integration Module or Network Module. When installed and active, you must configure the IPS Module interface settings policy to define the following: Tip • The name of the interface between the module and the router. • The failure mode of the module.
Chapter 59 Configuring Router Interfaces IPS Module Interface Settings Page Caution Cisco IOS IPS and the Cisco IPS module cannot be used together. Cisco IOS IPS must be disabled when the IPS module is installed. Navigation Path • (Device view) Select Interfaces > Settings > IPS Module from the Policy selector. • (Policy view) Select Router Interfaces > Settings > IPS Module from the Policy Type selector. Create a new policy or select an existing policy from the Shared Policy selector.
Chapter 59 Configuring Router Interfaces CEF Interface Settings on Cisco IOS Routers Navigation Path Go to the IPS Module Interface Settings Page, page 59-22, then click the Add or Edit button beneath the IPS Module Service Module Monitoring Settings table.
Chapter 59 Configuring Router Interfaces CEF Interface Settings Page Tip After you have defined a CEF interface settings policy, you can share the policy and assign it to other devices. This provides a convenient method for configuring multiple devices with identical settings. See Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34. Before You Begin Define basic interface settings. See Basic Interface Settings on Cisco IOS Routers, page 59-1.
Chapter 59 Configuring Router Interfaces CEF Interface Settings Page Field Reference Table 59-9 CEF Interface Settings Page Element Description Enable Cisco Express Forwarding Whether to enable CEF globally on the device. The option is greyed out if you cannot disable CEF on the device. You can configure other settings on the page only if you enable CEF globally. CEF Network Accounting These options are for configuring CEF accounting globally.
Chapter 59 Configuring Router Interfaces Dialer Interfaces on Cisco IOS Routers Related Topics • CEF Interface Settings on Cisco IOS Routers, page 59-24 • Basic Interface Settings on Cisco IOS Routers, page 59-1 Field Reference Table 59-10 CEF Interface Settings Dialog Box Element Description Interface Name The name of the interface or interface role for which you are configuring CEF. Enter the name or click Select to select the interface or interface role.
Chapter 59 Configuring Router Interfaces Dialer Interfaces on Cisco IOS Routers Before You Begin Define the virtual and physical dialer interfaces on the router. See Basic Interface Settings on Cisco IOS Routers, page 59-1. Note In addition, you can optionally define interface roles for the virtual and physical dialer interfaces. See Defining Dialer Profiles, page 59-27.
Chapter 59 Configuring Router Interfaces Dialer Interfaces on Cisco IOS Routers Defining BRI Interface Properties You configure the properties of the physical BRI interfaces used for dialer interface policies by selecting the appropriate interface or interface role, defining the dialer pools to which the interface belongs, and defining the ISDN switch type. It is the dialer pool that connects the physical interface with the virtual dialer interface.
Chapter 59 Configuring Router Interfaces Dialer Policy Page Step 7 Click OK to save your definitions locally on the client and close the dialog box. The interface definition appears in the Dialer Physical Interfaces table on the Dialer Interface page. Dialer Policy Page Use the Dialer page to define the relationship between physical Basic Rate Interface (BRI) and virtual dialer interfaces. You use these dialer interfaces when you configure the dial backup feature for site-to-site VPNs.
Dialer Profile Dialog Box
Use the Dialer Profile dialog box to add or edit dialer profiles.

Navigation Path
Go to the Dialer Policy Page, page 59-30, then click the Add or Edit button beneath the Dialer Profile table.
Dialer Physical Interface Dialog Box
Use the Dialer Physical Interface dialog box to add or edit the properties that associate physical BRI interfaces with dialer interfaces.

Note: Use FlexConfigs to define other types of physical dialer interfaces, such as ATM and Ethernet. For more information, see Understanding FlexConfig Policies and Policy Objects, page 7-2.
Table 59-13 Dialer Physical Interface Dialog Box (Continued)

Element | Description
Switch Type | The ISDN switch type.
ADSL on Cisco IOS Routers
Asymmetric Digital Subscriber Line (ADSL) is a form of DSL where the data flow downstream to customer sites is much greater than the data flow upstream to the central office (CO). This asymmetric setup is well-suited for applications where users typically download far more information than they send, such as web surfing, video-on-demand, and remote LAN access.
Table 59-15 on page 59-35 describes the operating modes that are supported on each ADSL device that can be configured with Security Manager.
The ADSL page is displayed. See Table 59-16 on page 59-37 for a description of the fields on this page.
Step 2 Click the Add button beneath the table to display the ADSL Settings dialog box. See Table 59-17 on page 59-38 for a description of the fields in this dialog box.
Related Topics
• PVC Policy Page, page 59-54
• SHDSL Policy Page, page 59-41
• ADSL on Cisco IOS Routers, page 59-33
• Table Columns and Column Heading Features, page 1-46
• Filtering Tables, page 1-45

Field Reference

Table 59-16 ADSL Page

Element | Description
ATM Interface | The ATM interface on which ADSL settings are defined.
Interface Card | The type of device or ADSL interface card on which the ATM interface resides.
Field Reference

Table 59-17 ADSL Settings Dialog Box

Element | Description
ATM Interface | The ATM interface on which ADSL settings are defined. Enter the name of an interface or interface role, or click Select to select it. If the object that you want is not listed, click the Create button to create it.
Interface Card | Note: We recommend that you do not define an interface role that includes ATM interfaces from different interface cards.
Table 59-17 ADSL Settings Dialog Box (Continued)

Element | Description
Interface Card (continued) |
• 857 ADSL—Cisco 857 Integrated Services Router with an ADSL interface.
• 876 ADSL—Cisco 876 Integrated Services Router with an ADSL interface.
• 877 ADSL—Cisco 877 Integrated Services Router with an ADSL interface.
• 1801 ADSLoPOTS—Cisco 1801 Integrated Services Router that provides ADSL over POTS.
SHDSL on Cisco IOS Routers
Digital Subscriber Line (DSL) is a family of technologies that transports data over existing twisted-pair copper wire. DSL uses frequencies that are beyond the upper limit used by POTS (plain old telephone service) to deliver broadband applications, such as multimedia and video, over the local loop (or last mile) that connects the telephone company’s central office to customer sites.
Note: When you deploy an SHDSL policy with ATM mode enabled, an ATM interface is created automatically on the router. Perform rediscovery to add the interface into Security Manager. You can then define PVCs on the ATM interface as required. See Defining ATM PVCs, page 59-50.

Before You Begin
• Make sure that an SHDSL controller is installed on the device.
• (Policy view) Select Router Interfaces > Settings > DSL > SHDSL from the Policy Type selector. Right-click SHDSL to create a policy, or select an existing policy from the Shared Policy selector.
• Discovering Policies on Devices Already in Security Manager, page 5-15

Field Reference

Table 59-19 SHDSL Dialog Box

Element | Description
Name | The name of the controller. Enter a name manually, or click Select to display a dialog box for generating a name. See Controller Auto Name Generator Dialog Box, page 59-45.
Description | Additional information about the controller (up to 80 characters).
Table 59-19 SHDSL Dialog Box (Continued)

Element | Description
Line Mode | The line mode used by the controller:
• auto—The controller operates in the same mode as the other line termination (2-wire line 0, 2-wire line 1, or 4-wire enhanced). This is the default for CPE line termination.
• 2-wire—The controller operates in two-wire mode. This is the default for CO line termination.
• 4-wire—The controller operates in four-wire mode.
Table 59-19 SHDSL Dialog Box (Continued)

Element | Description
Current | The current signal-to-noise ratio (SNR) on the controller, in decibels (dB). Valid values range from -10 to 10 dB. This option can produce a more stable line by making the line train at more than the current noise margin plus the SNR threshold during training time. If any external noise is applied that is less than the set SNR margin, the line remains stable.
Table 59-20 Controller Auto Name Generator Dialog Box (Continued)

Element | Description
Result | The name generated by Security Manager from the information you entered for the controller location. The name displayed in this field is read-only.

Tip: After closing this dialog box, you can edit the generated name in the SHDSL dialog box, if required.
As shown in Figure 59-2, a virtual path is a bundle of virtual channels, all of which are switched transparently across the ATM network on the basis of the common VPI. A VPC can be thought of as a bundle of VCCs with the same VPI value.
configuration on CBR may vary with different platforms. For more details, see Understanding the CBR Service Category for ATM VCs at: http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a0080094e6a.shtml.
• Unspecified Bit Rate (UBR)
This is a service class where the network management makes no Quality of Service (QoS) commitment.
Related Topics
• Understanding Virtual Paths and Virtual Channels, page 59-46
• Understanding ATM Service Classes, page 59-47
• Defining ATM PVCs, page 59-50
• Defining OAM Management on ATM PVCs, page 59-53
• PVCs on Cisco IOS Routers, page 59-46

Understanding ILMI
The Integrated Local Management Interface (ILMI) is a protocol defined by the ATM Forum for setting and capturing physical layer, ATM layer, virtual path, and virtual
Understanding OAM
The Operation, Administration, and Maintenance (OAM) feature provides fault management and performance management for ATM and is based on the standard defined in ITU recommendation I.610. OAM detects network connectivity failures on a PVC and reacts by bringing down the PVC. Without OAM, a PVC would remain up after network connectivity is lost.
For information about defining F5 Operation, Administration, and Maintenance (OAM) management, such as loopbacks and continuity checks, on PVCs, see Defining OAM Management on ATM PVCs, page 59-53.

Before You Begin
Note:
• When configuring ATM over DSL, make sure that you have configured either an ADSL policy (see ADSL on Cisco IOS Routers, page 59-33) or an SHDSL policy (see SHDSL on Cisco IOS Routers, page 59-40).
Note: Do not select an encapsulation type when defining the management PVC.

Note: If you modify the virtual template settings on an existing PVC, you must enter the shutdown command followed by the no shutdown command on the ATM subinterface to restart the interface. This causes the newly configured parameters to take effect.

c. Select the Enable ILMI check box to enable the ILMI to manage this PVC.
Note: To edit a PVC, select it from the table, then click Edit. To remove a PVC, select it, then click Delete.

Step 10 Repeat Step 2 through Step 9 to define additional PVCs.
Step 4 (Optional) Enable end-to-end CC cells on the PVC, using the procedure described in Step 3 for segment CC cells.
Step 5 (Optional) Configure additional loopback cell parameters:
a. Click the OAM tab.
b. Select the Enable OAM Retry check box, then define the down count, up count, and retry frequency. See Table 59-28 on page 59-66 for a description of the available options.
Step 6
Step 7
Step 8
Field Reference

Table 59-21 PVC Page

Element | Description
ATM Interface | The ATM interface on which the PVC is defined.
Interface Card | The type of device or WAN interface card on which the ATM interface resides.
PVC ID | The Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) of the PVC.
Settings | Additional settings configured for the PVC, including encapsulation, the number of PPPoE sessions, and the VPN service name.
• WIC-1-SHDSL-V3—A 1-port multiline G.SHDSL WAN interface card with support for 2-wire mode and 4-wire mode (standard & enhanced).
• NM-1A-T3—A 1-port ATM network module with a T3 link.
• NM-1A-OC3-POM—A 1-port ATM network module with an optical carrier level 3 (OC-3) link and three operating modes (multimode, single-mode intermediate reach (SMIR), and single-mode long-reach (SMLR)).
• NM-1A-E3—A 1-port ATM network module with an E3 link.
Table 59-22 PVC Dialog Box (Continued)

Element | Description
Protocol tab | Defines the IP protocol mappings configured for the PVC (static maps or Inverse ARP). See PVC Dialog Box—Protocol Tab, page 59-63.
Advanced button | Defines F5 Operation, Administration, and Maintenance (OAM) settings for the PVC. See PVC Advanced Settings Dialog Box—OAM Tab, page 59-66.
Table 59-23 PVC Dialog Box—Settings Tab (Continued)

Element | Description
VCI | The 16-bit virtual channel identifier of the PVC. In conjunction with the VPI, it identifies the next destination of a cell as it passes through a series of ATM switches on the way to its destination. Valid values vary by platform. Typically, values up to 31 are reserved for special traffic (such as ILMI) and should not be used. 3 and 4 are invalid.
Table 59-23 PVC Dialog Box—Settings Tab (Continued)

Element | Description
Type | Does not apply when the Management PVC (ILMI) check box is enabled. The ATM adaptation layer (AAL) and encapsulation type to use on the PVC:
• [blank]—The encapsulation type is not defined. (When deployed, aal5snap is applied.)
• aal2—For PVCs dedicated to AAL2 Voice over ATM.
Virtual Template |
Table 59-23 PVC Dialog Box—Settings Tab (Continued)

Element | Description
Protocol | Applies only when aal5mux is the defined encapsulation type. The protocol carried by the MUX-encapsulated PVC:
• frame-relay—Frame-Relay-ATM Network Interworking (FRF.5) on the Cisco MC3810.
• fr-atm-srv—Frame-Relay-ATM Service Interworking (FRF.8) on the Cisco MC3810.
• ip—IP protocol.
• ppp—IETF-compliant PPP over ATM.
Note: QoS values are highly hardware dependent. Please refer to your router documentation for additional details about the settings that can be configured on your device.

Navigation Path
Go to the PVC Dialog Box, page 59-55, then click the QoS tab.
Table 59-24 PVC Dialog Box—QoS Tab (Continued)

Element | Description
ABR | The following fields are displayed when ABR is selected as the Bit Rate:
• PCR—The peak cell rate in kilobits per second (kbps). It specifies the maximum value of the ABR.
• MCR—The minimum cell rate in kilobits per second (kbps). It specifies the minimum value of the ABR. The ABR varies between the MCR and the PCR.
Table 59-24 PVC Dialog Box—QoS Tab (Continued)

Element | Description
VBR-RT | The following fields are displayed when VBR-RT is selected as the Bit Rate:
• Peak Rate—The peak information rate for realtime traffic in kilobits per second (kbps).
• Average Rate—The average information rate for realtime traffic in kilobits per second (kbps). This value must be lower than or equal to the peak rate.
Field Reference

Table 59-25 PVC Dialog Box—Protocol Tab

Element | Description
IP Protocol Mapping | Displays the IP protocol mappings configured for the PVC.
Add button | Opens the Define Mapping Dialog Box, page 59-64. From here you can define an IP protocol mapping.
Edit button | Opens the Define Mapping Dialog Box, page 59-64. From here you can edit the selected mapping.
Delete button | Deletes the selected mapping from the table.
Field Reference

Table 59-26 Define Mapping Dialog Box

Element | Description
IP Options | The type of IP protocol mapping to use:
• IP Address—Select this option when using static mapping. Enter the address or the name of a network/host object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.
• InARP—Inverse ARP. Select this option when using dynamic mapping.
PVC Advanced Settings Dialog Box—OAM Tab
Use the OAM tab of the PVC Advanced Settings dialog box to define:
• The number of loopback cell responses that move the PVC to the down or up state.
• The number of alarm indication signal/remote defect indication (AIS/RDI) cells that move the PVC to the down or up state.
• The number and frequency of segment/end continuity check (CC) activation and deactivation requests that are sent on this PVC.
Table 59-28 PVC Advanced Settings Dialog Box—OAM Tab (Continued)

Element | Description
Enable AIS-RDI Detection | When selected, alarm indication signal (AIS) cells and remote defect indication (RDI) cells are used to report connectivity failures at the ATM layer of the PVC. When deselected, AIS/RDI cells are disabled. AIS cells notify downstream devices of the connectivity failure.
Table 59-28 PVC Advanced Settings Dialog Box—OAM Tab (Continued)

Element | Description
Retry Frequency | The interval between activation/deactivation retries, in seconds. The default is 30 seconds.

PVC Advanced Settings Dialog Box—OAM-PVC Tab
Use the OAM-PVC tab of the PVC Advanced Settings dialog box to enable loopback cells and connectivity checks (CCs) on the PVC. These functions test the connectivity of the virtual connection.
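The OAM tab settings above (the number of loopback cell responses that move the PVC down or up, and whether AIS/RDI cells are acted on) describe a small state machine. The following Python model is an added example and is not code from this guide or from Security Manager; the event names, the OamConfig and PvcState types and the sample event stream are this example's own constructions, and the up/down counts in it are chosen for illustration rather than taken from the device defaults.

```python
from dataclasses import dataclass, field


@dataclass
class OamConfig:
    """Values from the OAM tab: consecutive loopback results needed to change
    state, and whether AIS/RDI cells are acted on.  The defaults here are
    constructed for this example, not the device defaults."""
    up_count: int = 3
    down_count: int = 5
    ais_rdi_detection: bool = True


@dataclass
class PvcState:
    up: bool = True
    consecutive_replies: int = 0
    consecutive_timeouts: int = 0
    transitions: list = field(default_factory=list)   # (event_index, new_state, reason)


def apply_oam_event(cfg, st, index, event):
    """Advance the PVC state machine by one OAM event.

    event is one of: 'loopback-reply' (an F5 loopback cell was answered),
    'loopback-timeout' (no answer arrived), 'ais' or 'rdi' (a fault cell arrived).
    """
    if event == "loopback-reply":
        st.consecutive_replies += 1
        st.consecutive_timeouts = 0
        if not st.up and st.consecutive_replies >= cfg.up_count:
            st.up = True
            st.consecutive_replies = 0
            st.transitions.append((index, "up", "loopback"))
    elif event == "loopback-timeout":
        st.consecutive_timeouts += 1
        st.consecutive_replies = 0
        if st.up and st.consecutive_timeouts >= cfg.down_count:
            st.up = False
            st.consecutive_timeouts = 0
            st.transitions.append((index, "down", "loopback"))
    elif event in ("ais", "rdi"):
        # A fault cell reports a connectivity failure at the ATM layer; it is
        # acted on only when AIS-RDI detection is enabled on the PVC.
        if cfg.ais_rdi_detection and st.up:
            st.up = False
            st.consecutive_replies = 0
            st.consecutive_timeouts = 0
            st.transitions.append((index, "down", event))
    else:
        raise ValueError(f"unknown OAM event {event!r}")
    return st


def run_oam(cfg, events):
    """Feed a whole event sequence through the state machine; return the final state."""
    st = PvcState()
    for index, event in enumerate(events):
        apply_oam_event(cfg, st, index, event)
    return st


# Constructed sample event stream: four misses (below the down count), one reply
# that resets the miss counter, five misses that bring the PVC down, then three
# replies that bring it back up.
SAMPLE_EVENTS = (["loopback-timeout"] * 4 + ["loopback-reply"]
                 + ["loopback-timeout"] * 5 + ["loopback-reply"] * 3)

if __name__ == "__main__":
    final = run_oam(OamConfig(), SAMPLE_EVENTS)
    print(final.up, final.transitions)
```

The point the model makes visible is the one the Understanding OAM section states: a single reply in the middle of an outage resets the miss counter, so the down count is a count of consecutive misses, and with AIS-RDI detection disabled a fault cell changes nothing, leaving the PVC up until loopback timeouts accumulate.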
Table 59-29 PVC Advanced Settings Dialog Box—OAM-PVC Tab (Continued)

Element | Description
Direction | Applies only when CC management is enabled. The direction in which CC cells are transmitted:
• both—CC cells are transmitted in both directions.
• sink—CC cells are transmitted toward the router that initiated the CC activation request.
Table 59-29 PVC Advanced Settings Dialog Box—OAM-PVC Tab (Continued)

Element | Description
Keep VC up after segment failure | When selected, specifies that if AIS/RDI cells are received, the PVC is not brought down because of a segment CC failure. When deselected, the PVC is brought down because of a segment CC failure.
As shown in Figure 59-3, traffic routed across an MLP link is fragmented, with the fragments being sent across the different physical links. At the remote end of the link, the fragments are reassembled and forwarded to the next hop toward their ultimate destination. By using multiple physical links, MLP provides a way to temporarily use the additional bandwidth afforded by these links.
• Multilink

You cannot define PPP connections on:
• Subinterfaces.
• Serial interfaces with Frame Relay encapsulation.
• Virtual template interfaces defined as Ethernet or tunnel types (serial is supported).

Note: You cannot configure PPP on serial interfaces that are configured for Frame Relay encapsulation. See Defining Basic Router Interface Settings, page 59-3.
Note: If you choose AAA Policy Default List, the device uses the default authorization methods defined in the AAA policy. See Defining AAA Services, page 60-4.
c.
Step 5 (Optional) Define the username and password to send in response to PAP authentication requests.

Note: If you modify the default list, your changes affect all PPP connections on the devices that use this list.
Step 8
Defining Multilink PPP Bundles
You enable Multilink PPP (MLP) on the selected interface by selecting the check box at the top of the Multilink tab in the PPP dialog box. You can optionally enable Multiclass Multilink PPP (MCMP), which prevents delay-sensitive traffic from being fragmented, and interleaving, which enables packets to be interspersed among the fragments of larger packets.
Step 6 (Optional) Modify the default maximum size of link transmit queues when using FIFO and non-FIFO (QoS) queuing.
Step 7 Click OK to close the dialog box. Your definitions are displayed on the PPP page.

PPP/MLP Policy Page
Use the PPP/MLP page to create, edit, and delete PPP connections on the router. For more information, see Defining PPP Connections, page 59-71.
PPP Dialog Box
Use the PPP dialog box to configure PPP connections on the router. When you configure a PPP connection, you can define the type of authentication and authorization to perform and define multilink parameters.

Navigation Path
Go to the PPP/MLP Policy Page, page 59-75, then click the Add or Edit button beneath the table.
Table 59-31 PPP Dialog Box (Continued)

Element | Description
MLP tab | Defines how to split and recombine sequential datagrams across multiple logical data links using Multilink PPP (MLP). See PPP Dialog Box—MLP Tab, page 59-79. This tab is greyed out and cannot be opened for devices that do not support the configuration settings.
Table 59-32 PPP Dialog Box—PPP Tab (Continued)

Element | Description
Options | The authentication options to use:
• Call In—When selected, authentication is performed on incoming calls.
• Call Out—When selected, authentication is performed on outgoing calls.
• Call Back—When selected, authentication is performed on callback.
• One Time—When selected, one-time passwords are used for authentication.
Table 59-32 PPP Dialog Box—PPP Tab (Continued)

Element | Description
Password | The password to send in PAP authentication requests. Enter the password again in the Confirm field. The password can contain 1 to 25 uppercase or lowercase alphanumeric characters. The password is case sensitive. The username and password are sent if the peer requests the router to authenticate itself using PAP.
Related Topics
• PPP Dialog Box—PPP Tab, page 59-77

Field Reference

Table 59-33 PPP Dialog Box—MLP Tab

Element | Description
Enable Multilink PPP (MLP) | When selected, MLP is enabled on this PPP connection. When deselected, MLP is disabled.
Allow Multiple Data Classes | When selected, enables multiple data classes on the MLP bundle. Delay-sensitive traffic is placed into Class 1, where it can be interleaved but never fragmented.
Table 59-33 PPP Dialog Box—MLP Tab (Continued)

Element | Description
Endpoint Type | The identifier used by the router when transmitting packets on the MLP bundle:
• [null]—Negotiation is conducted without using an endpoint discriminator. (No CLI command is generated.)
• Hostname—The hostname of the router. This option is useful when multiple routers are using the same username to authenticate but have different hostnames.
Chapter 60 Router Device Administration

This chapter contains the following topics:
• AAA on Cisco IOS Routers, page 60-2
• AAA Policy Page, page 60-6
• User Accounts and Device Credentials on Cisco IOS Routers, page 60-13
• Accounts and Credentials Policy Page, page 60-15
• Bridging on Cisco IOS Routers, page 60-18
• Bridging Policy Page, page 60-20
• Time Zone Settings on Cisco IOS Routers, page 60-22
• Clock Policy Page, page 60-23
• CPU Utilization Settings on Cisco IOS Routers,
• DHCP on Cisco IOS Routers, page 60-87
• DHCP Policy Page, page 60-92
• NTP on Cisco IOS Routers, page 60-96
• NTP Policy Page, page 60-98

AAA on Cisco IOS Routers
Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your Cisco IOS router.
Supported Accounting Types
AAA accounting enables you to track the services the users are accessing and the amount of network resources that they are consuming. Security Manager supports the following accounting types:
• Connection—Records information about all outbound connections made from this device, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin connections.
Note: The device attempts to communicate with the next listed method only when there is no response from the previous method. If the AAA service fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access or services—the process stops and no other methods are attempted.
Note: If you select None as a method, it must appear as the last method in the list.

Step 3 (Optional) In the Maximum Number of Attempts field, define the maximum number of unsuccessful authentication attempts to allow before a user is locked out.
Step 4 (Optional) Define which authorization methods to use on users who have been successfully authenticated:
a. Click the Authorization tab on the AAA page.
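The two notes above define how a prioritized method list is evaluated: the device moves to the next method only when the previous one gives no response, a deny from any responding method ends the evaluation, and None (which performs no authentication) must be last. The Python model below is an added example and is not code from this guide or from Security Manager; the local username database, the two server groups, their reachability and the Verdict, LockoutTracker and evaluate_method_list names are this example's own constructions.

```python
from enum import Enum


class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NO_RESPONSE = "no-response"   # server group unreachable or timed out


# Constructed sample data (hypothetical, not from the guide): a local username
# database and two AAA server groups, one of which is unreachable.
LOCAL_USERS = {"admin": "s3cret"}


def local_method(user, password):
    # The local database always answers: the credentials either match or they do not.
    return Verdict.PERMIT if LOCAL_USERS.get(user) == password else Verdict.DENY


def make_server_group(reachable, users):
    """Model an AAA server group object as a callable that returns a Verdict."""
    def method(user, password):
        if not reachable:
            return Verdict.NO_RESPONSE
        return Verdict.PERMIT if users.get(user) == password else Verdict.DENY
    return method


TACACS_DOWN = make_server_group(reachable=False, users={"admin": "tac-pw"})
RADIUS_UP = make_server_group(reachable=True, users={"admin": "rad-pw"})


def validate_method_list(names):
    """Guide rule: if None is used as a method, it must be the last entry."""
    if "none" in names and names[-1] != "none":
        raise ValueError("'none' must appear as the last method in the list")


def evaluate_method_list(methods, user, password):
    """Walk the prioritized list. methods is a list of (name, callable) pairs;
    the pair ("none", None) stands for the None method.

    Returns (verdict, deciding_method).  A method that answers (permit or deny)
    ends the evaluation; only a method that gives no response is skipped.
    """
    validate_method_list([name for name, _ in methods])
    for name, fn in methods:
        if name == "none":
            return Verdict.PERMIT, name     # fail-open: no authentication is performed
        verdict = fn(user, password)
        if verdict is Verdict.NO_RESPONSE:
            continue                         # next method only when there is no response
        return verdict, name
    return Verdict.DENY, None                # every method silent and no None: deny


class LockoutTracker:
    """Maximum Number of Attempts: lock a user out after that many failures."""

    def __init__(self, max_attempts):
        self.max_attempts = max_attempts
        self.failures = {}
        self.locked = set()

    def attempt(self, methods, user, password):
        if user in self.locked:
            return Verdict.DENY, "locked-out"
        verdict, method = evaluate_method_list(methods, user, password)
        if verdict is Verdict.PERMIT:
            self.failures.pop(user, None)
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.max_attempts:
                self.locked.add(user)
        return verdict, method


if __name__ == "__main__":
    fallback = [("tacacs", TACACS_DOWN), ("local", local_method)]
    print(evaluate_method_list(fallback, "admin", "s3cret"))      # permit, decided by local
    strict = [("radius", RADIUS_UP), ("local", local_method)]
    print(evaluate_method_list(strict, "admin", "s3cret"))        # deny, decided by radius
```

The second call in the usage block is the behaviour worth checking before deploying a list: a reachable server group that denies the user ends the evaluation, so the local database is never consulted even though it holds a matching password. Only an unreachable group falls through, and a trailing None turns that fall-through into unauthenticated access, which is why the guide insists it be last and why it deserves review whenever it appears in a list.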
AAA Policy Page
Use the AAA page to define the default authentication, authorization, and accounting methods to use on the router. You do this by configuring method lists, which define which methods to use and the sequence in which to use them.

Note: You can use the method lists defined in this policy as default settings when you configure AAA on the router’s console port and VTY lines.
Navigation Path
Go to the AAA Policy Page, page 60-6, then click the Authentication tab.
• Command—Authorizes the use of all EXEC mode commands that are associated with specific privilege levels.

Note: You can use the method lists defined in this policy on the console and VTY lines that are used to communicate with the device. See Console Policy Page, page 60-42 and VTY Line Dialog Box—Authentication Tab, page 60-55.

Navigation Path
Go to the AAA Policy Page, page 60-6, then click the Authorization tab.
Table 60-3 AAA Page—Authorization Tab (Continued)

Element | Description
Enable CLI/EXEC Operations Authorization | When selected, this type of authorization determines whether the user is permitted to open an EXEC (CLI) session, using the methods defined in the method list. When deselected, EXEC authorization is not performed.
Prioritized Method List | Defines a sequential list of methods to be queried when authorizing a user.
Field Reference

Table 60-4 Command Authorization Dialog Box

Element | Description
Privilege Level | The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.
Prioritized Method List | Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them.
Field Reference

Table 60-5 AAA Page—Accounting Tab

Element | Description
Connection Accounting settings |
Enable Connection Accounting | When selected, enables the recording of information about outbound connections (such as Telnet) made over this device, using the methods defined in the method list. When deselected, connection accounting is not performed.
Table 60-5 AAA Page—Accounting Tab (Continued)

Element | Description
Enable Broadcast to Multiple Servers | When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
Table 60-6 Command Accounting Dialog Box (Continued)

Element | Description
Generate Accounting Records for | Defines when the device sends an accounting notice to the accounting server:
• Start and Stop—Generates accounting records at the beginning and the end of the user process.
Prioritized Method List |
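The Enable Broadcast to Multiple Servers row and the Start and Stop option above describe where each accounting record ends up: with broadcast, the record goes to the first server of every group in the method list, with failover to that group's backup servers; without it, the first group that accepts the record is the only one that receives it. The following Python model is an added example, not code from this guide or from Security Manager; the two server groups, their reachability, the record strings and the function names are this example's own constructions.

```python
# Constructed sample topology (hypothetical, not from the guide): two AAA server
# groups, each an ordered list of (server_name, reachable) pairs.  The method
# list names the groups in priority order.
METHOD_LIST = [
    ("tacacs-grp", [("tac1", False), ("tac2", True)]),   # first server down, backup up
    ("radius-grp", [("rad1", True), ("rad2", True)]),
]


def deliver_to_group(servers, record, log):
    """Try the group's servers in order; the first reachable one accepts the record.

    Returns the accepting server's name, or None when the whole group is
    unavailable.  Every attempt is appended to log so that an operator can see
    which server holds which record.
    """
    for name, reachable in servers:
        if reachable:
            log.append((record, name, "accepted"))
            return name
        log.append((record, name, "unavailable, failing over"))
    return None


def send_accounting_record(method_list, record, broadcast, log=None):
    """Return {group_name: accepting_server_or_None} for one accounting record.

    broadcast=False: the record goes to the first group that accepts it, the
    normal method-list behaviour.  broadcast=True: the record is sent to every
    group; within each group, failover to the backup servers still applies.
    """
    if log is None:
        log = []
    delivered = {}
    for group_name, servers in method_list:
        server = deliver_to_group(servers, record, log)
        delivered[group_name] = server
        if server is not None and not broadcast:
            break
    return delivered


def session_records(method_list, broadcast, session_id):
    """Start and Stop records for one user session: one notice at the beginning
    of the process and one at the end, each delivered by the rules above."""
    log = []
    start = send_accounting_record(method_list, f"START session={session_id}", broadcast, log)
    stop = send_accounting_record(method_list, f"STOP session={session_id}", broadcast, log)
    return start, stop, log


if __name__ == "__main__":
    start, stop, log = session_records(METHOD_LIST, broadcast=True, session_id=7)
    for entry in log:
        print(*entry)
```

Broadcast is the setting to turn on when a second accounting store (for example a SIEM collector behind its own server group) must see every record; without it, the second group receives nothing as long as the first group has any reachable server, and an audit that expects both copies will find only one.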
Note: If you use this policy to define a password, be careful later not to unassign this policy without assigning a replacement policy before your next deployment. If you deploy a device access policy that removes this password and the device contains a different type of password not known to Security Manager, such as a line console password, you will not be able to configure this device in the future.
b. Enter a password, then enter it again in the Confirm field. The password that you enter must be in clear text. If you are configuring the enable secret password, the password is encrypted on deployment.
Step 3 (Optional) Select the Enable Password Encryption Service check box to encrypt all passwords on the device.
Field Reference

Table 60-7 Accounts and Credentials Page

Element | Description
Enable Secret Password | The enable secret password for entering privileged EXEC mode on the router. This option offers better security than the Enable Password option. The enable secret password can contain between 1 and 25 alphanumeric characters. The first character must be a letter. Spaces are allowed, but leading spaces are ignored.
User Account Dialog Box
Use the User Account dialog box to define a username and password combination that can be used by Security Manager to access the router. You can also define the privilege level of the user account, which determines whether you can configure all commands on this router or only a subset of them.
Bridging on Cisco IOS Routers
Bridging policies enable you to perform transparent bridging (as specified in RFC 1286) on selected interfaces that you have configured to function as a bridge group. Security Manager supports integrated routing and bridging, which makes it possible to route a specific protocol between routed interfaces and bridge groups, or route a specific protocol between bridge groups.
Figure 60-2 Bridge-Group Virtual Interface
[figure: labels Routed interface, Bridge group 1, E0, E1, E2, E3, 10.0.0.1, BVI 1, 10.0.0.2, Bridged interfaces]

When you enable routing for a given protocol on the BVI, packets coming from a routed interface that are destined for a host in a bridged domain are routed to the BVI and then forwarded to the corresponding bridged interface.
• (Policy view) Select Router Platform > Device Admin > Bridging from the Policy Type selector. Select an existing policy or create a new one.
The Bridging page is displayed. See Table 60-9 on page 60-20 for a description of the fields on this page.
Step 2 Click the Add button under the table to display the Bridge Group dialog box. See Table 60-10 on page 60-21 for a description of the fields in this dialog box.
Table 60-9 Bridging Page (Continued)

Element | Description
Add button | Opens the Bridge Group Dialog Box, page 60-21. From here you can define a bridge group.
Edit button | Opens the Bridge Group Dialog Box, page 60-21. From here you can edit the bridge group.
Delete button | Deletes the selected bridge groups from the table.

Bridge Group Dialog Box
Use the Bridge Group dialog box to define bridge groups on the router.
Table 60-10 Bridge Group Dialog Box (Continued)

Element | Description
Group Interfaces | The interfaces that are included in the bridge group. Enter the name of one or more interfaces and interface roles, or click Select to select them. If the object that you want is not listed, click the Create button to create it.
Step 2 Select the time zone in which the router is located. Time zones are listed according to the number of hours behind or ahead of Greenwich Mean Time (GMT).
Step 3 (Optional) Select the method for determining the start and end dates for DST:
• Set by Date—Select this option when DST starts and ends on fixed dates. Continue with Step 4.
Step 4
Field Reference

Table 60-11 Clock Page

Element | Description
Device Time Zone | The time zone in which the router is located, expressed in relation to GMT (Greenwich Mean Time), also known as UTC (Coordinated Universal Time).
Daylight Savings Time (Summer Time) | The type of DST to apply to the local time on the router:
• Set by Date—Enables you to define the exact date and time when DST begins and ends.
Chapter 60 Router Device Administration CPU Utilization Settings on Cisco IOS Routers Table 60-11 Clock Page (Continued) Element Description End The relative date and time when daylight savings time ends: • Month—Select the month. • Week—Select the week of the month (1, 2, 3, 4, first, or last). • Weekday—Select the day of the week. • Hour—Select the hour. • Minute—Select the minute.
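The recurring Month, Week, Weekday, Hour and Minute fields in Table 60-11 describe a rule that the router re-evaluates every year rather than a fixed date. The following Python is an added example, not part of Security Manager or Cisco IOS, that resolves such a rule into a concrete date for a given year and tests a timestamp against the resulting DST window. The rule values, and the resolve_recurring and in_dst names, are this example's own; it also goes beyond the fields shown here by handling the case in which the end rule precedes the start rule within the year (southern hemisphere), where the window wraps across the year boundary.

```python
"""Resolve the recurring daylight-saving rule of the Clock page (Month,
Week, Weekday, Hour, Minute) into concrete dates and test a timestamp
against the resulting window.

Added example; not Security Manager or Cisco IOS code. Rule values below
are constructed to match common North American, European and southern
hemisphere rules. Timestamps are compared naively in local wall time.
"""
import calendar
from datetime import datetime

# calendar.day_name is Monday-first; map lower-case names to 0-6.
WEEKDAYS = {name.lower(): i for i, name in enumerate(calendar.day_name)}


def resolve_recurring(year, month, week, weekday, hour=2, minute=0):
    """Return the datetime of the chosen occurrence of weekday in month.

    week is 1-4, 'first' or 'last', as on the Clock page. 'first' is the
    same as 1; 'last' takes the final occurrence, which may be the fourth
    or the fifth depending on the month and year.
    """
    wd = WEEKDAYS[weekday.lower()]
    days_in_month = calendar.monthrange(year, month)[1]
    matches = [d for d in range(1, days_in_month + 1)
               if calendar.weekday(year, month, d) == wd]
    if week == "last":
        day = matches[-1]
    else:
        n = 1 if week == "first" else int(week)
        if n not in (1, 2, 3, 4):
            raise ValueError("week must be 1-4, 'first' or 'last'")
        day = matches[n - 1]
    return datetime(year, month, day, hour, minute)


def in_dst(timestamp_iso, start_rule, end_rule):
    """True when the ISO-8601 timestamp falls inside the DST window.

    Each rule is (month, week, weekday, hour, minute). When the end rule
    falls before the start rule in the calendar year (southern hemisphere),
    the window wraps across the year boundary.
    """
    ts = datetime.fromisoformat(timestamp_iso)
    start = resolve_recurring(ts.year, *start_rule)
    end = resolve_recurring(ts.year, *end_rule)
    if start < end:
        return start <= ts < end
    return ts >= start or ts < end


# Constructed rule: second Sunday in March to first Sunday in November, 02:00.
US_RULE = ((3, 2, "Sunday", 2, 0), (11, "first", "Sunday", 2, 0))

if __name__ == "__main__":
    print("2013 DST start:", resolve_recurring(2013, *US_RULE[0]))
    print("2013 DST end:  ", resolve_recurring(2013, *US_RULE[1]))
    print("July 1 in DST? ", in_dst("2013-07-01T12:00:00", *US_RULE))
```

Note that a rule using week 4 and a rule using last do not always pick the same Sunday; for a month with five Sundays they differ by a week, which is why the page offers both.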
Step 2 (Optional) Define the CPU utilization settings of the router, as required. See Table 60-12 on page 60-26 for a description of the available fields.
CPU Policy Page
Use the CPU page to configure settings related to router CPU utilization, including the thresholds for sending log messages, the size of the CPU history table, and whether to enable automatic CPU Hog profiling.
Table 60-12 CPU Page (Continued)
CPU Total Utilization: The thresholds for total CPU utilization that trigger notifications: • Enable CPU Total Utilization—When selected, CPU total utilization thresholds are enabled. When deselected, these thresholds are disabled and do not trigger notifications. This is the default.
Table 60-12 CPU Page (Continued)
CPU Process Utilization: The thresholds for CPU process utilization that trigger notifications: • Enable CPU Process Utilization—When selected, CPU process utilization thresholds are enabled. When deselected, these thresholds are disabled and do not trigger notifications. This is the default.
Defining HTTP Policies
When you define an HTTP policy, you can: • Enable and disable HTTP and SSL functionality on the router. • Specify the ports used by each protocol. • Optionally define a standard, numbered ACL that restricts access to the device using these protocols. In addition, you can define the AAA authentication and authorization methods to perform on users.
Step 4 (Optional) In the Allow Connection From field, enter the name of the standard, numbered ACL object that specifies which addresses can use HTTP and HTTPS on this device, or click Select to select the ACL object from a list or to create a new one. Use this option to restrict access to these protocols.
Step 8 (Optional) Create command authorization definitions for specific privilege levels: a. Click the Add button under the Command Authorization Override table. The Command Authorization Override dialog box is displayed. See Table 60-15 on page 60-34 for a description of the fields in this dialog box. b. Configure the command authorization definition as required. c. Click OK.
Field Reference
Table 60-13 HTTP Page—Setup Tab
Enable HTTP: When selected, an HTTP server is enabled on the router. When deselected, HTTP is disabled on the router. This is the default for devices that were not discovered.
HTTP Port: The port number to use for HTTP. Valid values are 80 or any value from 1024 to 65535. The default is 80.
Field Reference
Table 60-14 HTTP Page—AAA Tab
Authenticate Using: The type of authentication to use: • AAA—Performs AAA login authentication. • Enable Password—Uses the enable password configured on the router. This is the default. • Local Database—Uses the local username database configured on the router. • TACACS—Uses the TACACS or XTACACS server configured on the router.
Table 60-14 HTTP Page—AAA Tab (Continued)
Prioritized Method List: Applies only when the Enable CLI/EXEC Operations Authorization check box is selected. Defines a sequential list of methods to be queried when authorizing a user to open an EXEC (CLI) session. Enter the names of one or more AAA server group objects (up to four), or click Select to select them.
Table 60-15 Command Authorization Dialog Box (Continued)
Prioritized Method List: Defines a sequential list of methods to be used when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
• Incoming and outgoing ACLs that restrict the connections that are permitted on the console. • Whether VRF connections are permitted on the console.
Related Topics • Line Access on Cisco IOS Routers, page 60-35
Step 1 Do one of the following: • (Device view) Select Platform > Device Admin > Device Access > Line Access > Console from the Policy selector, then click the Setup tab in the work area.
Defining Console Port AAA Settings
By default, authentication, authorization, and accounting are not performed on the console port. When you configure one or more of these access control options, you can either make use of the default method lists defined in the device’s AAA policy or define a custom method list containing one or more AAA methods.
Step 6 (Optional) Create command accounting definitions for specific privilege levels: a. Click the Add button under the Commands Accounting table. The Command Accounting Dialog Box—Line Access, page 60-61 is displayed. b. Configure the command accounting definition as required. c. Click OK. The dialog box closes and the accounting method is displayed in the Commands Accounting table. d. Repeat a. through c.
Note You can create only one definition per VTY line. An error is displayed if you create a VTY line definition that overlaps an existing definition.
Note If you use Security Manager to configure the default VTY lines (0-4), your definition overrides the default settings on the device. If you later delete this definition from Security Manager, the input protocol settings are retained and the other default settings are restored.
Caution Setting inbound connections to None might prevent Security Manager from connecting to the device after deployment.
Note You must configure AAA authentication when the VTY line permits the SSH and rlogin protocols. See Defining VTY Line AAA Settings, page 60-40.
• (Policy view) Select Router Platform > Device Admin > Device Access > Line Access > VTY from the Policy Type selector. Select an existing policy or create a new one. The VTY page is displayed. See Table 60-20 on page 60-50 for a description of the fields on this page.
Step 2 Select a VTY line definition in the Lines table, click the Edit button to display the VTY Line dialog box, then click the Authentication tab.
Console Policy Page
Use the Console page to configure access to the router over the console port.
Table 60-16 Console Page—Setup Tab (Continued)
Privilege Level: The privilege level assigned to users connected to the console port. Valid values range from 0 to 15: • 0—Grants access to these commands only: disable, enable, exit, help, and logout. • 1—Enables nonprivileged access to the router (normal EXEC-mode use privileges). • 15—Enables privileged access to the router (traditional enable privileges).
Table 60-16 Console Page—Setup Tab (Continued)
Output Protocols: The protocols that you can use for outgoing connections on the console port: • All—All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120. • None—No protocols are permitted. This makes the port unusable by outgoing connections.
Field Reference
Table 60-17 Console Page—Authentication Tab
Authenticate Using: Authentication settings for the console port: • None—Authentication is not performed. This is the default. • Local Database—Uses the local username database for authentication. • AAA Policy Default List—Uses the default authentication method list that is defined in the device’s AAA policy. See AAA Page—Authentication Tab, page 60-6.
• Console Page—Authentication Tab, page 60-44 • Console Page—Accounting Tab, page 60-47 • VTY Line Dialog Box—Authorization Tab, page 60-56 • Filtering Tables, page 1-45
Field Reference
Table 60-18 Console Page—Authorization Tab
EXEC Authorization settings
Authorize EXEC Operations Using: The authorization method that determines whether a user is allowed to run an EXEC session: • None—Authorization is not performed. This is the default.
Table 60-18 Console Page—Authorization Tab (Continued)
Edit button: Opens the Command Authorization Dialog Box—Line Access, page 60-60. From here you can edit the command authorization definition.
Delete button: Deletes the selected command authorization definitions from the table.
Table 60-19 Console Page—Accounting Tab (Continued)
Generate Accounting Records for: Applies only when Custom Method List is selected as the EXEC method. Defines when the device sends an accounting notice to the accounting server: • Start and Stop—Generates accounting records at the beginning and the end of the user process.
Table 60-19 Console Page—Accounting Tab (Continued)
Generate Accounting Records for: Applies only when Custom Method List is selected as the connection method. Defines when the device sends an accounting notice to the accounting server: • Start and Stop—Generates accounting records at the beginning and the end of the user process.
Table 60-19 Console Page—Accounting Tab (Continued)
Add button: Opens the Command Accounting Dialog Box—Line Access, page 60-61. From here you can configure a command accounting definition.
Edit button: Opens the Command Accounting Dialog Box—Line Access, page 60-61. From here you can edit the command accounting definition.
Delete button: Deletes the selected command accounting definitions from the table.
Table 60-20 VTY Lines Page (Continued)
Outbound ACL: The ACL used to limit outbound traffic.
Authentication: The type of AAA authentication used.
Authorization: The types of AAA authorization used.
Accounting: The types of AAA accounting used.
VTY Line Page Buttons
Add button: Opens the VTY Line Dialog Box, page 60-51. From here you can define a VTY line or line group.
Table 60-21 VTY Line Dialog Box (Continued)
Authorization tab: Defines the types of AAA authorization to perform on users who access the VTY line. See VTY Line Dialog Box—Authorization Tab, page 60-56.
Accounting tab: Defines the types of AAA accounting to perform on users who access the VTY line. See VTY Line Dialog Box—Accounting Tab, page 60-57.
Table 60-22 VTY Line Dialog Box—Setup Tab (Continued)
Password: The password for accessing this VTY line. The password is case sensitive and can contain up to 80 alphanumeric characters. The first character cannot be a number. Spaces are not allowed. Enter the password again in the Confirm field.
Privilege Level: The privilege level assigned to users on this VTY line.
Table 60-22 VTY Line Dialog Box—Setup Tab (Continued)
Input Protocols: The protocols that you can use for incoming connections on this line: • All—All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120. • None—No protocols are permitted. This makes the port unusable by incoming SSH, Telnet, and rlogin connections.
Table 60-22 VTY Line Dialog Box—Setup Tab (Continued)
Outbound Access List: The name of the ACL object that restricts outgoing connections on this line. Enter the name of the ACL object, or click Select to select it. If the object that you want is not listed, click the Create button to create it.
Table 60-23 VTY Line Dialog Box—Authentication Tab (Continued)
Prioritized Method List: Applies only when Custom Method List is selected as the authentication method. Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them.
Table 60-24 VTY Line Dialog Box—Authorization Tab (Continued)
Authorize EXEC Operations Using: The authorization method that determines whether a user is allowed to run an EXEC session: • None—Authorization is not performed. This is the default. • AAA Policy Default List—Uses the default authorization method list that is defined in the device’s AAA policy. See AAA Page—Authorization Tab, page 60-7.
Note You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 60-4.
Navigation Path Go to the VTY Line Dialog Box, page 60-51, then click the Accounting tab.
Table 60-25 VTY Line Dialog Box—Accounting Tab (Continued)
Prioritized Method List: Applies only when Custom Method List is selected as the EXEC method. Defines a sequential list of methods to be queried when performing accounting for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them.
Table 60-25 VTY Line Dialog Box—Accounting Tab (Continued)
Prioritized Method List: Applies only when Custom Method List is selected as the connection method. Defines a sequential list of methods to be queried when performing accounting for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to select them.
Navigation Path From the Console Page—Authorization Tab, page 60-45 or the VTY Line Dialog Box—Authorization Tab, page 60-56, click the Add button beneath the Command Authorization table.
• VTY Policy Page, page 60-50
Field Reference
Table 60-27 Command Accounting Dialog Box—Line Access
Privilege Level: The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15. Note If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration.
Optional SSH Settings on Cisco IOS Routers
Secure Shell (SSH) is an application and a protocol that uses encryption to provide secure communication between a client and server. You can use SSH to connect remotely to a Cisco IOS router over a VTY line and establish an EXEC session. SSH is the recommended replacement for other protocols, such as Telnet and rlogin, in environments where security is a concern.
• (Policy view) Select Router Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Select an existing policy or create a new one. The Secure Shell page is displayed. See Table 60-28 on page 60-65 for a description of the fields on this page.
Step 3 (Optional) Modify the following default settings: a. The version of SSH to support.
Note You must configure SSH on the device using CLI commands before adding the device to Security Manager. This is because Security Manager uses SSH (as well as SSL) to communicate with Cisco IOS routers. For more information, see Setting Up SSH, page 2-5.
Navigation Path • (Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Policy selector.
Table 60-28 Secure Shell Page (Continued)
RSA Key Pair: The name of the RSA key pair to use for SSH connections. If you do not enter a value, the router uses the RSA key pair generated from its hostname and domain name. This is the default. Tip Use the CLI command show crypto key mypubkey rsa to display the names and values of each key pair configured on the device.
• Enabling SNMP Traps, page 60-68
Defining SNMP Agent Properties
When you define the properties of the SNMP agent, you must define the community string and community string type, as well as the address and properties of the SNMP host that receives the traps. SNMP community strings act as passwords for access to the MIBs, which store data about the router’s operation and are meant to be available to authenticated remote users.
Step 5 Click Configure Traps to display the SNMP Traps dialog box, which is used to select which traps to enable on the router. For more information, see Enabling SNMP Traps, page 60-68.
Enabling SNMP Traps
The router immediately sends notifications, also called SNMP traps, to the designated SNMP host (management station) when a defined condition occurs, such as a link up, link down, or a syslog event.
SNMP Policy Page
Use the SNMP page to configure the parameters necessary to send traps from the router to a designated SNMP host. These traps are unsolicited messages that notify the SNMP host of important events occurring on the router. For more information, see Defining SNMP Agent Properties, page 60-67.
Navigation Path • (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector.
Table 60-29 SNMP Page (Continued)
SNMP Server Properties: The name and contact information of the system administrator responsible for the SNMP server/agent (that is, the router). The person managing the SNMP host can use this information when tracking down the source of unusual events. The maximum length of each of these properties is 255 characters, including spaces.
Table 60-30 Permission Dialog Box (Continued)
Read-Write: This community string type provides read-write access to all objects in the MIB (except community strings).
Read-Only: This community string type provides read-only access to all objects in the MIB (except community strings). This is the default.
Table 60-31 Trap Receiver Dialog Box (Continued)
User Name: Applies only when version 3 is selected.
Password: The password required to access the SNMP host. Enter the string again in the Confirm field. We recommend that you use one of the strings defined in the Permissions table as the password to the SNMP host. You may, however, enter a different password. String length ranges from 1 to 128 characters.
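The HTTP policy's Allow Connection From ACL, the Line Access policy's Input Protocols and inbound access list, the Secure Shell policy's SSH version and the SNMP policy's community string type each correspond to a line in the router's running configuration, which is where a reviewer checks what was actually deployed. The following Python is an added example, not Cisco Security Manager or Cisco IOS code, that audits a constructed IOS configuration excerpt for the weak forms of those settings: an HTTP server with no access-class, VTY lines that accept inbound protocols other than SSH or carry no inbound access-class, an SSH version not pinned to 2, and read-write or well-known community strings. The sample configuration, the parse_lines and audit names, and the assumption that a VTY line with no transport input command accepts all protocols are this example's own.

```python
"""Audit an IOS running-config excerpt for the management-plane settings
covered by the HTTP, Line Access, Secure Shell and SNMP policies.

Added example; not Cisco Security Manager or Cisco IOS code. The sample
configuration is constructed and deliberately contains weak settings.
"""
import re

# Constructed sample: a router with several weak management-plane settings.
SAMPLE_CONFIG = """\
hostname edge-rtr
aaa new-model
ip http server
ip http secure-server
ip ssh version 1
snmp-server community public RO
snmp-server community s3cret RW
snmp-server host 10.0.0.50 version 2c s3cret
line con 0
 login authentication default
line vty 0 4
 transport input telnet ssh
 login authentication default
line vty 5 15
 access-class 10 in
 transport input ssh
"""


def parse_lines(config):
    """Split a config into (global_cmds, line_blocks).

    line_blocks maps each 'line ...' header to its indented sub-commands,
    which is enough structure for the checks below.
    """
    global_cmds = []
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(config):
    """Return a list of finding strings; an empty list means no findings."""
    global_cmds, blocks = parse_lines(config)
    findings = []

    # HTTP policy: an enabled server should be restricted by an access-class
    # (the 'Allow Connection From' ACL).
    http_on = any(c in ("ip http server", "ip http secure-server") for c in global_cmds)
    http_acl = any(c.startswith("ip http access-class") for c in global_cmds)
    if http_on and not http_acl:
        findings.append("HTTP/HTTPS server enabled without an access-class ACL")

    # Secure Shell policy: the version should be pinned to 2.
    ssh_version = [c for c in global_cmds if c.startswith("ip ssh version")]
    if ssh_version and not ssh_version[0].endswith("2"):
        findings.append("SSH version is not restricted to 2: " + ssh_version[0])

    # SNMP policy: read-write community strings grant configuration access,
    # and well-known names are trivially guessed.
    for c in global_cmds:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", c)
        if not m:
            continue
        name, perm = m.groups()
        if perm == "RW":
            findings.append(f"read-write SNMP community '{name}'")
        if name.lower() in ("public", "private"):
            findings.append(f"well-known SNMP community '{name}'")

    # Line Access policy: each VTY range should allow only SSH inbound and
    # carry an inbound access-class. Assumption for this example: a VTY
    # block with no 'transport input' command accepts all protocols.
    for header, cmds in blocks.items():
        if not header.startswith("line vty"):
            continue
        transport = [c for c in cmds if c.startswith("transport input")]
        protos = set(transport[0].split()[2:]) if transport else {"all"}
        if protos != {"ssh"}:
            findings.append(f"{header}: inbound protocols {sorted(protos)} (expected ssh only)")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"{header}: no inbound access-class")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports six findings, all on the first VTY range and the global settings; the second range (access-class and SSH-only transport) is clean, which is the state the Caution above is warning you not to overshoot into None.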
Field Reference
Table 60-32 SNMP Traps Dialog Box
Standard SNMP Traps: Enables or disables standard SNMP traps. Options are: • Cold start—Sends a trap when the router reinitializes in a way that could change the configuration of the SNMP agent (or any other trap-receiving entity).
Table 60-32 SNMP Traps Dialog Box (Continued)
Other Traps: Enables or disables additional SNMP traps. Options are: • Syslog—Sends syslog messages to the SNMP host. • TTY—Sends Cisco-specific notifications when a Transmission Control Protocol (TCP) connection closes. • BGP—Sends notifications when Border Gateway Protocol (BGP) state changes occur. See BGP Routing on Cisco IOS Routers, page 64-1.
Defining DNS Policies
When you define a DNS policy in Security Manager, you can specify the remote DNS servers used by the router for hostname-to-address translations. In addition, you can define a static host table that contains local translations used exclusively by this device. Keeping selected addresses in this local table speeds up translation by eliminating the need to query the DNS servers.
DNS Policy Page
Use the DNS policy page to define the local IP host table and the Domain Name System (DNS) servers that the router should use for translating hostnames to IP addresses. You can also prevent the router from performing DNS lookups by disabling the DNS feature.
Navigation Path • (Device view) Select Platform > Device Admin > DNS from the Policy selector.
Field Reference
Table 60-34 IP Host Dialog Box
Host Name: The hostname to include in the router’s local host table.
Addresses: The addresses to associate with the hostname. Enter one or more addresses or network/host objects, or click Select to select an object from a list or to create a new object. You can define a maximum of three addresses per hostname.
Hostname Policy Page
Use the Hostname page to define the hostname and domain name assigned to the router. For more information, see Defining Hostname Policies, page 60-77.
Navigation Path • (Device view) Select Platform > Device Admin > Hostname from the Policy selector. • (Policy view) Select Router Platform > Device Admin > Hostname from the Policy Type selector.
In addition, you can define: • The lower thresholds for processor and I/O memory. Log messages are sent when available memory drops below these thresholds. • The types of sanity checks to perform.
Related Topics • Memory Settings on Cisco IOS Routers, page 60-78 • Logging on Cisco IOS Routers, page 62-1
Step 1 Do one of the following: • (Device view) Select Platform > Device Admin > Memory from the Policy selector.
Field Reference
Table 60-36 Memory Page
Maintain Memory Log: The number of hours that the router should maintain the log containing the history of memory consumption on the device. Valid values range from 12 to 72 hours. The default is 24 (1 day).
Processor Threshold: The processor memory threshold in kilobytes. When available processor memory falls below this threshold, a notification message is triggered.
Secure Device Provisioning on Cisco IOS Routers
Secure Device Provisioning (SDP) offers an integrated solution for streamlining VPN and network security deployment.
• Defining Secure Device Provisioning Policies, page 60-83
Contents of Bootstrap Configuration
The bootstrap configuration provided by SDP typically does the following: • Sets the petitioner’s hostname. • Synchronizes the petitioner’s system clock with the registrar. • Sets the petitioner’s trustpoint. • Sets the petitioner’s authentication and authorization mechanism. • Pushes the CA certificate.
Defining Secure Device Provisioning Policies
The petitioner component is automatically enabled on all Cisco IOS routers. The SDP policy in Security Manager enables the registrar. To define an SDP policy you must define: • The AAA server group containing the AAA server that the registrar uses to authenticate and authorize the introducer. • The CA server to which the petitioner enrolls during the bootstrap process.
Step 4 Select the source of the introduction page that is displayed after you log in to the registrar. The introduction page indicates whether authorization was successfully completed and contains a button for completing the process of obtaining the bootstrap configuration. If you do not select the default welcome page, you must enter the URL required to access a different welcome page that you prepared elsewhere.
Related Topics • Secure Device Provisioning on Cisco IOS Routers, page 60-81 • Defining Secure Device Provisioning Policies, page 60-83 • Understanding FlexConfig Policies and Policy Objects, page 7-2
Secure Device Provisioning Policy Page
Secure Device Provisioning (SDP) policies (formerly known as Easy Secure Device Deployment or EzSDD) enable you to configure a Cisco IOS router as a registrar.
Table 60-37 Secure Device Provisioning Page (Continued)
Petitioner Authentication: The CA server that authenticates the identity of the petitioner: • Local CA Server—Select this option when the router itself is already configured to act as the CA server. Enter the name of the local CA in the field provided.
Table 60-37 Secure Device Provisioning Page (Continued)
Bootstrap Configuration: The source of the bootstrap configuration to provide to the petitioner for first-time configuration: • Non-Security Manager URL—Used when the bootstrap configuration is located externally to Security Manager. Enter its location in the URL field.
addresses the server can use. These addresses are provided to client devices for a defined period of time called a lease. When this lease expires, the address is returned to the address pool, enabling the DHCP server to assign it to a different device.
For example, you can have the DHCP relay agent replace the forwarded message with a new relay message. Additionally, you can choose whether to have the relay agent check the validity of relay information contained within forwarded BOOTREPLY messages.
Note Secured ARP disables dynamic ARP learning on an interface.
Step 4 Under IP Pools, click the Add button to display the IP Pool Dialog Box, page 60-94. From here you can define the address pools to be used by the DHCP server. For more information, see Defining DHCP Address Pools, page 60-91.
Step 5 (Optional) When you use a relay agent to manage requests from DHCP clients located on a different subnet from the DHCP server, define the following DHCP relay options:
DHCP Policy Page
Use the DHCP policy page to define a DHCP server policy on the selected router. This includes specifying the address pools used by the DHCP server when assigning addresses to requesting clients. For more information, see Defining DHCP Policies, page 60-90.
Navigation Path • (Device view) Select Platform > Device Admin > Server Access > DHCP from the Policy selector.
Table 60-38 DHCP Policy Page (Continued)
Default Router: The IP addresses of the default routers used by DHCP clients.
DNS Server: The IP addresses of the DNS servers used by DHCP clients.
NetBIOS (WINS) Server: The IP addresses of the Windows Internet Naming Service (WINS) servers used by Microsoft DHCP clients.
Domain Name: The domain name for DHCP clients.
DHCP Database Dialog Box
Use the DHCP Database dialog box to define external DHCP database agents that contain the automatic bindings. Each database URL that you define must be unique. For more information, see Understanding DHCP Database Agents, page 60-88.
Navigation Path Go to the DHCP Policy Page, page 60-92, then click the Add or Edit button beneath the Databases table.
Field Reference
Table 60-40 IP Pool Dialog Box
Pool Name: The name of the IP pool.
Network: The IP address and subnet mask of the IP pool. This subnet contains the range of available IP addresses that the DHCP server may assign to clients. Enter an address and mask or the name of a network/host object, or click Select to select an object from a list or to create a new one.
Table 60-40 IP Pool Dialog Box (Continued)
Lease Never Expires: When selected, the DHCP server permanently assigns IP addresses to its clients. When deselected, addresses are leased for a predefined amount of time, as defined in the Time Length field.
Time Length (DD:HH:MM): Applies only when the Lease Never Expires check box is deselected.
Chapter 60 Router Device Administration NTP on Cisco IOS Routers Defining NTP Servers This procedure describes how to define the NTP servers that the routers users to synchronize time. After the NTP policy is deployed, the router uses an algorithm (based on factors such as delay, dispersion, and jitter) to determine which NTP server is the most accurate and synchronizes to that one.
Chapter 60 Router Device Administration NTP Policy Page Step 8 Click OK to save your definitions locally on the client and close the dialog box. Your definitions are displayed in the Servers table. Note To edit an NTP server, select it from the Servers table, then click Edit. To remove an NTP server, select it, then click Delete. If the key defined on the server you delete is not defined on a different NTP server, the key is also deleted.
Chapter 60 Router Device Administration NTP Policy Page Table 60-41 NTP Page (Continued) Element Description Enable NTP Authentication When selected, enables authentication using MD5 when connecting to an NTP server. When deselected, authentication is disabled. Servers Table IP Address The IP address of the NTP server. Source Interface The source address for all packets sent to this NTP server. This setting overrides the global setting defined at the top of the page.
Chapter 60 Router Device Administration NTP Policy Page Field Reference Table 60-42 NTP Server Dialog Box Element Description IP Address The IP address of the NTP server. Enter an address or the name of a network/host object, or click Select to select the object from a list or to create a new one. Source Interface The source address for all packets sent to this NTP server.
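The following added example, which is not Security Manager or Cisco IOS code, shows what the Enable NTP Authentication option actually protects. It builds the RFC 5905 keyed-MD5 authenticator (a 4-byte key ID followed by the MD5 digest of the key prepended to the 48-byte NTP header) for a constructed server packet and verifies it, rejecting a tampered header, an unknown key ID and an unauthenticated packet. Key ID 42, the key string and the packet contents are assumptions made for the example.

```python
"""Added example (not Security Manager or IOS code): build and verify the
keyed-MD5 authenticator that the Enable NTP Authentication option turns on.
The scheme follows RFC 5905 section 7.3: the packet carries a 4-byte key ID
followed by MD5(key || NTP header). Key ID 42, the key string and the sample
packet are constructed for illustration."""
import hashlib
import hmac
import struct

# Constructed key table. On the router this corresponds to
# `ntp authentication-key 42 md5 <key>` plus `ntp trusted-key 42` (illustrative values).
TRUSTED_KEYS = {42: b"ntp-shared-secret"}

HEADER_LEN = 48   # NTP header without extension fields
MAC_LEN = 4 + 16  # key ID + MD5 digest


def build_ntp_header(stratum=2, tx_seconds=3_900_000_000):
    """Construct a minimal NTPv4 server header (LI=0, VN=4, mode=4) for the example."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # flags, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                           # root delay, root dispersion
    header += b"GPS\x00"                                         # reference ID (constructed)
    header += struct.pack("!II", tx_seconds, 0) * 4              # reference, origin, receive, transmit
    assert len(header) == HEADER_LEN
    return header


def ntp_mac(key_id, key, header):
    """Key ID followed by the MD5 digest of the key prepended to the header."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(key_id, header):
    """Append the authenticator, as a server configured for NTP authentication would."""
    return header + ntp_mac(key_id, TRUSTED_KEYS[key_id], header)


def verify_packet(packet):
    """Accept only packets that carry a MAC for a trusted key ID and whose digest
    matches. An unauthenticated 48-byte packet, an unknown key ID and a tampered
    header all fail. The digest compare is constant-time."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = TRUSTED_KEYS.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def demo():
    """Return (valid, tampered_rejected, unknown_key_rejected, unauthenticated_rejected)."""
    header = build_ntp_header()
    good = sign_packet(42, header)
    tampered = bytearray(good)
    tampered[1] ^= 0x01                       # change the stratum field after signing
    unknown = header + ntp_mac(7, b"wrong-key", header)
    return (verify_packet(good), not verify_packet(bytes(tampered)),
            not verify_packet(unknown), not verify_packet(header))
```

Two points the code makes visible: the digest is a plain MD5 over key||header rather than an HMAC, and every server that knows the shared key is trusted equally, so the option only helps if the key is distributed to legitimate servers alone and rotated when one is decommissioned (as the Note above says, deleting the last server that uses a key also deletes the key).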
Chapter 61 Configuring Identity Policies
This chapter contains the following topics:
• 802.1x on Cisco IOS Routers, page 61-1
• 802.1x Policy Page, page 61-5
• Network Admission Control on Cisco IOS Routers, page 61-8
• Network Admission Control Policy Page, page 61-14
802.1x on Cisco IOS Routers
The IEEE 802.1x standard defines 802.
• Topologies Supported by 802.1x, page 61-3
• Defining 802.1x Policies, page 61-4
Understanding 802.1x Device Roles
802.1x port-based authentication uses the following device roles:
• Client—The workstation requesting access to the VPN. It must be running 802.1x-compliant client software, such as that offered with the Microsoft Windows XP operating system.
• Authentication server—Authenticates clients.
• Force authorized—Disables 802.1x authentication, which causes the interface to move to the authorized state without authenticating the client.
After a client is successfully authenticated, the interface state changes to authorized, which enables all frames from the client to enter the network. If authentication fails, the interface remains in the unauthorized state, but authentication can be retried.
Related Topics
• Understanding 802.1x Device Roles, page 61-2
• 802.1x Interface Authorization States, page 61-2
• Defining 802.1x Policies, page 61-4
• 802.1x on Cisco IOS Routers, page 61-1
Defining 802.1x Policies
You configure an 802.1x policy by defining:
• The AAA server group containing the AAA server that authenticates hosts that are trying to connect to the network.
Step 3
Step 4 In the Virtual Template field, enter the name of the interface or interface role that serves as the untrusted, virtual interface for carrying unauthenticated traffic, or click Select to select an interface role from a list or to create a new role. For more information, see Specifying Interfaces During Policy Definition, page 6-70.
802.1x Policy Page
Field Reference
Table 61-1 802.1x Page
AAA Server Group: The RADIUS AAA server group that authenticates the credentials of users trying to access a VPN tunnel. Enter the name of a AAA server group object, or click Add to select one from a list or to create a new AAA server group object.
Table 61-1 802.1x Page (Continued)
Control type: The control state of the interface, which determines whether the host is granted access to the network. Options are:
• Force Authorize—Disables 802.1x authentication and causes the interface to move to the authorized state without requiring any authentication exchange.
Enable client reauthentication
Table 61-1 802.1x Page (Continued)
Supplicant period: The number of seconds the router waits before retransmitting EAP-Request/Identity packets to the supplicant (client PC). If the router sends an EAP-Request/Identity packet to the client PC (supplicant) and the supplicant does not respond, the router sends the packet again after this interval elapses.
Network Admission Control on Cisco IOS Routers
• Cisco 1700 Series Modular Access Routers (1710, 1720, 1750)
• Cisco 1600 Series (1601, 1602, 1603, 1604, 1605)
• Cisco ASR 1000 Series Aggregation Services Routers (all models)
• Cisco 800 Series (801, 803, 805, 811, 813, 828, 851, 857, 871, 876, 877, 878)
• Cisco SOHO 90 Series Secure Broadband Routers (91, 96, 97)
• Cisco SOHO 77 Series (71, 76, 77 ADSL, 77 H ADSL, 78)
Understanding NAC Components
NAC c
3. The CTA sends its posture credentials to the NAD using EAP over UDP.
4. The NAD sends these posture credentials to the ACS using RADIUS.
5. The ACS performs posture validation, which determines whether to allow the device to access the network. (If necessary, the ACS requests additional posture validation from a third-party server.
Step 2 Enter the name of the AAA server group containing the AAA server that performs posture validation, or click Select to select the server group from a list or to create a new one. The selected AAA server group must contain ACS devices running RADIUS.
Note Each AAA server in the selected group must be configured to communicate with an interface that exists on the router; otherwise, validation fails.
Step 3
Related Topics
• Defining NAC Setup Parameters, page 61-10
• Defining NAC Identity Parameters, page 61-13
• Network Admission Control on Cisco IOS Routers, page 61-8
Step 1 Do one of the following:
• (Device view) Select Platform > Identity > Network Admission Control from the Policy selector, then click the Interfaces tab in the work area.
Defining NAC Identity Parameters
By default, any traffic over the selected interfaces that matches the intercept ACL is subjected to posture validation before it is permitted to enter the network. However, you can create an exception list of predefined actions to apply to specific devices. You use identity profiles to create this exception list.
Network Admission Control Policy Page
Network Admission Control (NAC) policies enable Cisco IOS routers acting as network access devices (NADs) to enforce access privileges when an endpoint tries to connect to a network. Access decisions are made on the basis of information provided by the endpoint device, such as its current antivirus state, thus keeping insecure nodes from infecting the network.
Field Reference
Table 61-2 Network Admission Control Setup Tab
AAA Server Group: The AAA server group used for NAC authentication. You must select a server group consisting of Cisco Secure Access Control Server (ACS) devices running the RADIUS protocol. Enter the name of a AAA server group object, or click Select to select the object from a list or to create a new one.
Table 61-2 Network Admission Control Setup Tab (Continued)
Port: The UDP port to use for EAP over UDP sessions. Valid values range from 1 to 65535. The default is 21862.
Note For NAC to work, the default ACL on this router must permit UDP traffic over the port designated here for EAP over UDP traffic. For more information, see Chapter 16, “Managing Firewall Access Rules”.
Enable Logging
Table 61-3 Network Admission Control Interfaces Tab (Continued)
Edit button: Opens the NAC Interface Configuration Dialog Box, page 61-17. From here you can edit the selected NAC interface.
Delete button: Deletes the selected NAC interfaces from the table.
Network Admission Control Page—Identities Tab
Use the Network Admission Control Identities tab to view, create, edit, and delete NAC identity profiles and identity actions. Identity profiles define a specific action to perform on traffic received from selected devices, as identified by their IP address, MAC address, or device type.
NAC Identity Profile Dialog Box
Use the NAC Identity Profile dialog box to add or edit the NAC profiles assigned to devices that match a specific identity. Identity profiles define a NAC action to apply to all traffic coming from a specific device, based on its IP address, MAC address, or device type (for IP phones).
Field Reference
Table 61-7 NAC Identity Action Dialog Box
Name: A descriptive name for the identity action. Use this name when you select an action to assign to a NAC identity profile. See NAC Identity Profile Dialog Box, page 61-19.
Access Control Lists: The ACL that defines how to handle traffic received from a device which is assigned a profile that includes this action.
Chapter 62 Configuring Logging Policies
This chapter contains the following topics:
• Logging on Cisco IOS Routers, page 62-1
• Syslog Logging Setup Policy Page, page 62-7
• Syslog Servers Policy Page, page 62-10
• NetFlow Policy Page, page 62-12
Logging on Cisco IOS Routers
Security Manager provides the following policies for configuring logging on a Cisco IOS router:
• Syslog Logging Setup—Enable the syslog-logging feature, and define basic logging parameters.
Note
Note To send syslog messages from the router to a syslog server, you must also define the IP address of the syslog server. For more information, see Defining Syslog Servers, page 62-3.
Note
Step 6 (Optional) Define a rate limit to prevent a flood of output messages:
a. Select Enable Rate Limit. This option is selected by default.
b. Enter the maximum number of messages that can be sent per second.
c. Select the severity levels to exclude from the rate limit. For example, if you select 2 (critical), all syslog messages of severity levels 0-2 are sent to the syslog server regardless of the defined rate limit.
d.
Step 1 Do one of the following to access the router’s Syslog Servers page:
• (Device view) Select Platform > Logging > Syslog Servers from the Policy selector.
• (Policy view) Select Router Platform > Logging > Syslog Servers from the Policy Type selector. Select an existing policy or create a new one.
The Syslog Servers page is displayed. See Table 62-3 on page 62-11 for a description of the fields on this page.
• Logging on Cisco IOS Routers, page 62-1
NetFlow on Cisco IOS Routers
The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance and troubleshooting. Monitoring IP traffic flows facilitates accurate capacity planning, and ensures that network resources are used appropriately in support of organizational goals.
Related Topics
• Logging on Cisco IOS Routers, page 62-1
• Defining NetFlow Parameters, page 62-6
• NetFlow Policy Page, page 62-12
Defining NetFlow Parameters
This procedure describes enabling NetFlow logging on the router.
• Version – Define the record format to be used for flow data by choosing the appropriate NetFlow version number from this drop-down list. You can choose the blank entry to disable this option.
– 1 – The original record format. No additional parameters are required.
– 5 – The most widely adopted format; includes Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers.
Syslog Logging Setup Policy Page
Note If you unassign a logging setup policy, the default logging configuration is restored on the device upon deployment.
Navigation Path
• (Device view) Select Platform > Logging > Syslog Logging Setup from the Policy selector.
• (Policy view) Select Router Platform > Logging > Syslog Logging Setup from the Policy Type selector.
Table 62-2 Syslog Logging Setup Page (Continued)
Logging Buffer: Defines whether log messages are saved locally to a buffer on the device.
• Enable Buffer—When selected, log messages are saved to a buffer on the device. This is the default. When deselected, a log buffer is not maintained on the device.
• Buffer Size—The size of the buffer in bytes.
Table 62-2 Syslog Logging Setup Page (Continued)
Rate Limit: Limits the rate of log messages sent to the syslog server.
• Enable Rate Limit—When selected, the rate limit is enabled. When deselected, the rate limit is disabled.
• Messages per Sec.—The maximum number of logging messages that can be sent per second. Valid values range from 1 to 10000. The default is 10 messages per second.
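The following added example, not Security Manager or Cisco IOS code, models the rate limit described in Step 6 and in the Rate Limit row above: a fixed limit of N messages per second with severities at or below the selected level exempt. It runs over a constructed burst of 30 IOS-style syslog lines (25 informational, 5 critical) and shows that with a limit of 10 and level 2 excluded, all five critical messages and ten informational ones are forwarded and the rest are dropped. The message texts, timestamps and the one-second fixed-window behavior are assumptions of the model, not a description of the router's internal implementation.

```python
"""Added example (not Security Manager or IOS code): a model of the syslog rate
limit described above, N messages per second with an exemption for severities
at or below a chosen level (e.g. 2 excludes levels 0-2 from the limit). The IOS
syslog lines below are constructed for illustration."""
import re

# IOS syslog messages carry the severity in the %FACILITY-SEVERITY-MNEMONIC tag.
SEVERITY_RE = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+:")


def severity_of(line):
    """Return the 0-7 severity from the message tag; unparsable lines count as 7 (debug)."""
    m = SEVERITY_RE.search(line)
    return int(m.group(1)) if m else 7


class SyslogRateLimiter:
    """Fixed one-second windows (an assumption of this model), with the limit
    constrained to the Messages per Sec. range on the page (1-10000, default 10)."""

    def __init__(self, messages_per_sec=10, except_severity=None):
        if not 1 <= messages_per_sec <= 10000:
            raise ValueError("messages per second must be 1-10000")
        self.limit = messages_per_sec
        self.except_severity = except_severity  # None: every severity is rate limited
        self._window = None
        self._sent = 0

    def allow(self, severity, timestamp):
        """True if the message may be forwarded at this point in time."""
        if self.except_severity is not None and severity <= self.except_severity:
            return True  # e.g. severities 0-2 bypass the limit when except_severity == 2
        window = int(timestamp)
        if window != self._window:
            self._window, self._sent = window, 0
        if self._sent < self.limit:
            self._sent += 1
            return True
        return False


def apply_rate_limit(messages, messages_per_sec=10, except_severity=None):
    """Split (timestamp, line) pairs into the lines forwarded and the lines dropped."""
    limiter = SyslogRateLimiter(messages_per_sec, except_severity)
    sent, dropped = [], []
    for ts, line in messages:
        (sent if limiter.allow(severity_of(line), ts) else dropped).append(line)
    return sent, dropped


def build_sample_burst():
    """Constructed burst: 30 messages inside one second, 25 informational and 5 critical."""
    info = "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(1234) -> 192.0.2.10(22), 1 packet"
    crit = "%SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed from 0x60B0A8F4, pool Processor"
    return [(100.0 + i * 0.03, crit if i % 6 == 3 else info) for i in range(30)]
```

The severity exemption is what keeps the rate limit from becoming a blind spot: a flood of level-6 access-list hits (the kind of noise an attacker can generate at will) cannot push out the level 0-2 messages that indicate the device itself is in trouble, so set the excluded level to cover the messages your detection content depends on.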
Syslog Servers Policy Page
Note To enable logging to the syslog servers defined on this page, you must enable logging and define basic parameters on the Syslog Logging Setup Policy Page, page 62-7.
Navigation Path
• (Device view) Select Platform > Logging > Syslog Servers from the Policy selector.
• (Policy view) Select Router Platform > Logging > Syslog Servers from the Policy Type selector.
• Understanding Networks/Hosts Objects, page 6-74
Field Reference
Table 62-4 Syslog Server Dialog Box
IP Address: The IP address of the syslog server. Enter an IP address or the name of a network/host object, or click Select to select the object from a list or to create a new one.
Forward Messages in XML Format: When selected, log messages are sent to the syslog server in XML format.
NetFlow Policy Page
Field Reference
Table 62-5 NetFlow Page
Setup tab
Primary Destination / Redundant Destination: The primary and secondary NetFlow collector. You must select a primary collector to enable NetFlow data collection on this device. To disable transmission of NetFlow data to either of these collectors, choose the blank entry from the drop-down list.
Table 62-5 NetFlow Page (Continued)
Version: The NetFlow version number, which defines the record format to be used for flow data. You can choose the blank entry to disable this option.
• 1—The original record format. No additional parameters are required.
• 5—The most widely adopted format; includes Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers.
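The following added example, not Security Manager or Cisco IOS code, parses a NetFlow version 5 export datagram using Cisco's published v5 layout (24-byte header, 48-byte records) and uses the flow sequence number mentioned above to detect exports lost between the router and the collector, which is the first thing to check when flow-based detections go quiet. The AS numbers, addresses and flows are constructed for the example.

```python
"""Added example (not Security Manager or IOS code): parse a NetFlow version 5
export datagram and use the flow sequence number to detect lost exports. The
layout is Cisco's published v5 format (24-byte header, 48-byte records); the
AS numbers, addresses and flows below are constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")                   # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")     # 48 bytes


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    tcp_flags: int
    packets: int
    octets: int
    src_as: int
    dst_as: int


@dataclass
class V5Header:
    count: int
    sys_uptime: int
    unix_secs: int
    flow_sequence: int
    engine_id: int
    sampling_interval: int


def build_v5_export(flow_sequence, flows, unix_secs=1_360_000_000):
    """Construct a v5 datagram: header followed by one 48-byte record per flow."""
    header = V5_HEADER.pack(5, len(flows), 12_345_678, unix_secs, 0, flow_sequence, 0, 1, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.ip_address(f.src).packed, ipaddress.ip_address(f.dst).packed,
                       b"\0\0\0\0", 1, 2, f.packets, f.octets, 1000, 2000,
                       f.src_port, f.dst_port, 0, f.tcp_flags, f.protocol, 0,
                       f.src_as, f.dst_as, 24, 24, 0)
        for f in flows)
    return header + body


def parse_v5(datagram):
    """Return (V5Header, [FlowRecord]); reject other versions and truncated datagrams."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nh, _in, _out, pkts, octs, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, sas, das, _smask, _dmask, _pad2) = fields
        records.append(FlowRecord(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                                  sport, dport, proto, flags, pkts, octs, sas, das))
    return V5Header(count, uptime, secs, seq, eid, sampling), records


def flows_lost(previous, current):
    """v5 flow_sequence counts flows exported before this datagram, so the next
    datagram from the same engine should start at previous.flow_sequence + previous.count.
    A positive result is the number of flow records that never reached the collector."""
    return current.flow_sequence - (previous.flow_sequence + previous.count)


# Constructed flows: an SSH SYN and a DNS query between two example ASes.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "192.0.2.10", 51234, 22, 6, 0x02, 1, 60, 64512, 65000),
    FlowRecord("10.0.0.7", "192.0.2.53", 40000, 53, 17, 0, 1, 78, 64512, 65000),
]
```

Because v5 export is plain UDP, a collector that only counts datagrams cannot tell whether flows were dropped on the wire; tracking flows_lost per exporting engine is what turns the sequence number into a usable data-integrity signal.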
Adding and Editing NetFlow Interface Settings
Use the Add NetFlow Interface Settings and Edit NetFlow Interface Settings dialog boxes to enable and disable NetFlow ingress and egress reporting for specific router interfaces.
Note Except for their titles, these two dialog boxes are identical. The following information applies to both.
Chapter 63 Configuring Quality of Service
This chapter contains the following topics:
• Quality of Service on Cisco IOS Routers, page 63-1
• Quality of Service Policy Page, page 63-19
Quality of Service on Cisco IOS Routers
Quality of service (QoS) refers to the ability of a network to provide priority service to selected network traffic over various underlying technologies, including Frame Relay, ATM, Ethernet and 802.1 networks, SONET, and IP-routed networks.
Quality of Service and CEF
Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology that optimizes network performance and scalability for all kinds of networks. It defines the fastest method by which a Cisco IOS router forwards packets from ingress to egress interfaces.
Understanding Marking Parameters
Marking parameters enable you to classify packets, which entails using a traffic descriptor to categorize a packet within a specific group. This defines the packet and makes it accessible for QoS handling on the network.
Understanding Queuing Parameters
Queuing manages congestion on traffic leaving a Cisco IOS router by determining the order in which to send packets out over an interface, based on priorities you assign to those packets.
interface begins to show signs of congestion. By dropping some packets early instead of waiting until the queue is full, WRED avoids dropping large numbers of packets at once and allows the transmission line to be used fully at all times.
LLQ defines the maximum bandwidth that you can allocate to priority traffic during times of congestion. Setting a maximum ensures that nonpriority traffic does not starve (meaning that this traffic is also provided with bandwidth). When the device is not congested, the priority class traffic is allowed to exceed its allocated bandwidth.
meet downstream requirements, you can eliminate bottlenecks in topologies with data-rate mismatches. Shaping can either be performed on selected QoS classes or at the interface level (hierarchical shaping).
mean rate = burst size / time interval
These terms are defined as follows:
• Mean rate—Also called the committed information rate (CIR), it specifies how much data can be sent or forwarded per unit time on average. The CIR is defined either as an absolute value or as a percentage of the available bandwidth on the interface.
Figure 63-3 Two-Token Bucket Algorithm
(Figure: Tc is the number of tokens in bucket #1, of size Bc, and Te the number of tokens in bucket #2, of size Be. Packet size < Tc: conform action. Otherwise, packet size < Tc + Te: exceed action. Otherwise, packet size > Tc + Te: violate action. Actions shown: Transmit, Remark Packet, Drop.)
When you use traffic policing, the token-bucket algorithm provides three actions for each packet: a conform action, an exceed action, and an optional violate action.
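The following added example, not Security Manager or Cisco IOS code, implements the two-token-bucket algorithm of Figure 63-3 as a policer class and applies it to the control-plane scenario this chapter describes (TCP SYN packets destined for the router limited to 1 Mbit/s): a burst of 1000 SYNs against full buckets, one SYN after a one-second pause, then a stream paced exactly at the CIR. The Bc and Be values (16,000 bytes each), the 64-byte SYN size and the action names are assumptions made for the example; the exceed bucket is modeled as being fed by tokens that overflow the conform bucket, and time is kept in microseconds so the arithmetic is exact.

```python
"""Added example (not Security Manager or IOS code): the two-token-bucket
policer from Figure 63-3, with a conform (Bc) bucket refilled at the CIR and an
exceed (Be) bucket fed by its overflow. Burst sizes, the packet stream and the
action names are constructed for illustration. Time is in microseconds."""
from collections import Counter


class TwoBucketPolicer:
    """conform: size fits in Tc. exceed: size fits in Tc + Te. violate: neither.
    Action labels are illustrative stand-ins for the Policing tab's transmit,
    set (remark) and drop choices."""

    ACTIONS = {"conform": "transmit", "exceed": "set-dscp-transmit", "violate": "drop"}

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        if not 8000 <= cir_bps <= 2_000_000_000:   # Bit/sec range given on the Policing tab
            raise ValueError("CIR must be 8000-2000000000 bit/s")
        self.cir_bps, self.bc, self.be = cir_bps, bc_bytes, be_bytes
        self.tc, self.te = bc_bytes, be_bytes     # both buckets start full
        self._last_us, self._carry = 0, 0

    def _refill(self, now_us):
        """Add CIR * elapsed bytes to Tc; whatever does not fit spills into Te."""
        self._carry += self.cir_bps * (now_us - self._last_us)
        new_tokens, self._carry = divmod(self._carry, 8_000_000)  # bit/s * us -> bytes
        self._last_us = now_us
        spill = max(0, self.tc + new_tokens - self.bc)
        self.tc = min(self.bc, self.tc + new_tokens)
        self.te = min(self.be, self.te + spill)

    def police(self, size_bytes, now_us):
        """Return ('conform'|'exceed'|'violate', action) for one packet."""
        self._refill(now_us)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            color = "conform"
        elif size_bytes <= self.tc + self.te:
            self.te -= size_bytes - self.tc     # drain Tc first, remainder from Te
            self.tc = 0
            color = "exceed"
        else:
            color = "violate"                  # no tokens are consumed
        return color, self.ACTIONS[color]


def syn_flood_then_steady(cir_bps=1_000_000, bc=16_000, be=16_000, syn_len=64):
    """Constructed stream: 1000 SYNs at t=0, one SYN after a 1 s pause, then 100 SYNs
    paced exactly at the CIR (64 bytes every 512 us at 1 Mbit/s)."""
    p = TwoBucketPolicer(cir_bps, bc, be)
    burst = Counter(p.police(syn_len, 0)[0] for _ in range(1000))
    after_pause = p.police(syn_len, 1_000_000)[0]
    steady = Counter(p.police(syn_len, 1_000_000 + (i + 1) * 512)[0] for i in range(100))
    return burst, after_pause, steady
```

Run against the constructed SYN flood, the first 250 packets conform (Bc = 16,000 bytes / 64), the next 250 exceed out of Be, and the remaining 500 violate and are dropped; after one idle second both buckets are full again, and a stream paced at the CIR never leaves the conform state. The burst sizes therefore decide how large a SYN burst reaches the control plane before the policer bites, which is why they deserve as much attention as the CIR when the policy is meant as protection rather than bandwidth management.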
packets from progressing after a specified rate limit is reached. For example, a system administrator can limit all TCP/SYN packets that are destined for the CP to a maximum rate of 1 megabit per second. Additional packets beyond this limit are silently discarded.
After you create your interface definitions, you must define one or more QoS classes on each interface. QoS classes contain the matching criteria that determine which packets are included in the class and the QoS functions (marking, queuing, policing, and shaping) to apply to that traffic.
Step 6 (Optional) Define interface-level (hierarchical) shaping parameters. See Table 63-4 on page 63-21 for details.
Note When you enable hierarchical shaping on an interface, you cannot define shaping parameters for specific QoS classes.
Note Shaping can be used only on output traffic.
Step 7 Click OK. The QoS interface definition is displayed in the upper table of the Quality of Service page.
Step 8
QoS policies defined on the control plane override any QoS parameters defined on an interface of the same device.
Note QoS is applied to packets on a first-match basis. The router examines the table of QoS classes starting from the top and applies the properties of the first class whose matching criteria matches the packet. Therefore, it is important that you define and order your classes carefully.
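The following added example, not Security Manager or Cisco IOS code, shows the consequence of the first-match rule in the Note above: a class table in which a broad class precedes a narrow one, the same table reordered, and a check that reports any class an earlier class completely covers and that therefore can never match. It assumes match-all semantics for a class with several criteria and uses constructed classes and packets.

```python
"""Added example (not Security Manager or IOS code): first-match classification
over an ordered QoS class table, plus a check that flags a class that can never
be reached because an earlier class already matches everything it matches.
Classes match on protocol, DSCP and ACL networks; a class with several criteria
needs all of them to match (match-all), which is an assumption of this model.
The class tables and packets below are constructed for illustration."""
import ipaddress


class QoSClass:
    def __init__(self, name, protocols=None, dscp=None, acl=None):
        self.name = name
        # Each criterion is a set; an absent criterion matches anything.
        self.protocols = set(protocols or [])
        self.dscp = set(dscp or [])
        self.acl = [ipaddress.ip_network(n) for n in (acl or [])]

    def matches(self, pkt):
        if self.protocols and pkt["proto"] not in self.protocols:
            return False
        if self.dscp and pkt["dscp"] not in self.dscp:
            return False
        if self.acl and not any(ipaddress.ip_address(pkt["dst"]) in n for n in self.acl):
            return False
        return True

    def covers(self, other):
        """True if every packet `other` matches, `self` matches too, so `other`
        is unreachable when it is placed after `self` in the table."""
        if self.protocols and not (other.protocols and other.protocols <= self.protocols):
            return False
        if self.dscp and not (other.dscp and other.dscp <= self.dscp):
            return False
        if self.acl:
            if not other.acl:
                return False
            if not all(any(o.subnet_of(s) for s in self.acl) for o in other.acl):
                return False
        return True


def classify(pkt, classes):
    """First-match walk of the class table; anything left over is class-default."""
    for cls in classes:
        if cls.matches(pkt):
            return cls.name
    return "class-default"


def shadowed_classes(classes):
    """Names of classes that an earlier class in the table completely covers."""
    return [c.name for i, c in enumerate(classes) if any(e.covers(c) for e in classes[:i])]


# Constructed tables: the first orders a broad class ahead of the voice class.
VOICE = QoSClass("voice", protocols={"udp"}, dscp={46})
BULK = QoSClass("bulk", protocols={"tcp", "udp"})
SERVERS = QoSClass("servers", acl=["192.0.2.0/24"])
WRONG_ORDER = [BULK, VOICE, SERVERS]
RIGHT_ORDER = [VOICE, BULK, SERVERS]

SAMPLE_PACKETS = [
    {"proto": "udp", "dscp": 46, "dst": "198.51.100.9"},   # RTP media marked EF
    {"proto": "tcp", "dscp": 0, "dst": "192.0.2.10"},      # TCP to the server subnet
    {"proto": "icmp", "dscp": 0, "dst": "192.0.2.10"},     # ICMP to the server subnet
]


def classify_all(classes):
    return [classify(p, classes) for p in SAMPLE_PACKETS]
```

With the broad class first, the EF-marked voice packet lands in "bulk" and the voice class is reported as shadowed; moving the narrow class up restores the intended result. The same check is worth running on a policing table, where a shadowed class means the rate limit you think you configured is never applied.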
Note You do not define matching parameters when configuring the default class.
b. Enter one or more ACLs, or click Select to select an ACL object from a list or to create a new one. Traffic that matches these ACL definitions matches this criterion.
c. When you finish, click OK twice to save your definitions and return to the QoS Class dialog box. Your selections are displayed in the ACL field.
Tip Use the up and down arrows to order the ACLs.
Step 6 Continue as described in Defining QoS Policies, page 63-10.
Defining QoS Class Queuing Parameters
When you define queuing parameters, you can specify the amount of available bandwidth to provide to the traffic in this QoS class. You can also define a fixed amount of bandwidth that must be provided to high-priority traffic; you can define the priority parameter on only one class per interface.
– Fair queue—Enter the number of queues to reserve for the default class. Values range in powers of 2 from 16 to 4096. By default, the number of queues is based on the available bandwidth of the selected interface. For more information, see Table 63-2 on page 63-6.
– Bandwidth—Enter the amount of bandwidth to allocate to this class. You can define this amount by percentage or by an absolute value of kilobits per second.
Step 1 On the Quality of Service page, click the Add button beneath the QoS Classes table, or select a class and then click the Edit button. The QoS Class dialog box is displayed.
Step 2 Click the Policing tab. See Table 63-9 on page 63-29 for a description of the fields on this tab.
Step 3 Select the Enable Policing check box.
Step 4 Define CIR, conform burst, and excess burst values.
• Shaping is not available when you configure QoS on the control plane. For more information about shaping, see Understanding Policing and Shaping Parameters, page 63-6.
Tip To configure shaping on all the QoS classes defined for the interface (hierarchical shaping), see Defining QoS on Interfaces, page 63-10.
Quality of Service Policy Page
• Table Columns and Column Heading Features, page 1-46
• Filtering Tables, page 1-45
Field Reference
Table 63-3 Quality of Service Page
Apply To: The router component on which to define the QoS policy:
• Interfaces—Configures QoS classes on specific interfaces.
• Control Plane—Configures QoS on the router control plane. See Understanding Control Plane Policing, page 63-9.
QoS Policy Dialog Box
Use the QoS Policy dialog box to select an interface on which you want to define QoS parameters. In addition, you can use this dialog box to configure a single set of shaping parameters for all the traffic on the selected interface (known as hierarchical shaping). Using hierarchical shaping eliminates the need to configure shaping parameters for each QoS class defined on the interface.
Table 63-4 QoS Policy Dialog Box (Continued)
Type: The type of shaping to perform:
• Average—Limits the data rate for each interval to the sustained burst rate (also known as the Committed Burst rate or Bc), achieving an average rate no higher than the committed information rate (CIR). Additional packets are buffered until they can be sent.
CIR
QoS Class Dialog Box
Use the QoS Class dialog box to create or edit a QoS class on a selected interface or control plane of a Cisco IOS router. You can define up to 16 classes on a single interface and 256 classes for the device as a whole.
Note QoS is applied to packets on a first-match basis.
Table 63-5 QoS Class Dialog Box (Continued)
Marking tab: Marks the traffic in this class so that downstream devices can properly identify it. See QoS Class Dialog Box—Marking Tab, page 63-26.
Queuing and Congestion Avoidance tab: Defines how to queue the output traffic in this class. See QoS Class Dialog Box—Queuing and Congestion Avoidance Tab, page 63-27.
Note
Table 63-6 QoS Class Dialog Box—Matching Tab (Continued)
Protocol: One or more protocols included in this class map. Click Add to display a selector. Select one or more items from the Available Protocols list, then click >> to add them to the Selected Protocols list. The only protocol available for the control plane is ARP; ARP and CDP are not available for input classes configured on an interface.
Related Topics
• Defining QoS Class Matching Parameters, page 63-13
• Defining QoS on Interfaces, page 63-10
• Defining QoS on the Control Plane, page 63-12
• Quality of Service Policy Page, page 63-19
• Selecting Objects for Policies, page 6-2
QoS Class Dialog Box—Marking Tab
Use the Marking tab of the QoS Class dialog box to classify packets.
Table 63-7 QoS Class Dialog Box—Marking Tab (Continued)
Precedence: The precedence value with which to mark the traffic in this class:
• network (7)
• internet (6)
• critical (5)
• flash-override (4)
• flash (3)
• immediate (2)
• priority (1)
• routine (0)
DSCP: The DSCP value (0 to 63) with which to mark the traffic in this class.
Table 63-8 QoS Class Dialog Box—Queuing and Congestion Avoidance Tab (Continued)
Priority: (Non-default classes only.) Configure low-latency queuing (LLQ) in this class to ensure that priority traffic, such as voice traffic, receives the defined bandwidth (see Low-Latency Queuing, page 63-5). Specify the amount of bandwidth allocated to high-priority traffic on this interface by:
Table 63-8 QoS Class Dialog Box—Queuing and Congestion Avoidance Tab (Continued)
WRED Weight for Mean Queue Depth: The exponential weight factor to use to calculate the average queue size. Use this option when defining WRED instead of tail drop (queue limit) for this class.
Table 63-9 QoS Class Dialog Box—Policing Tab (Continued)
CIR: The average data rate (also known as the committed information rate or CIR). You can define this amount by:
• Percentage—Valid values range from 0 to 100% of the overall available bandwidth.
• Bit/sec—Valid values range from 8000 to 2000000000 bits per second.
Table 63-9 QoS Class Dialog Box—Policing Tab (Continued)
Violate action: The action to take on packets that cannot be serviced by either the conform bucket or the exceed bucket. The actions available for selection depend on the defined exceed action. For example, if you select one of the set options as the exceed action, you cannot select transmit as the violate action.
Table 63-10 QoS Class Dialog Box—Shaping Tab (Continued)
Type: The type of shaping to perform:
• Average—Limits the data rate for each interval to the sustained burst rate (also known as the committed burst rate or Bc), achieving an average rate no higher than the committed information rate (CIR). Additional packets are buffered until they can be sent.
CIR
CH A P T E R 64 Configuring Routing Policies This chapter contains the following topics: • BGP Routing on Cisco IOS Routers, page 64-1 • BGP Routing Policy Page, page 64-4 • EIGRP Routing on Cisco IOS Routers, page 64-8 • EIGRP Routing Policy Page, page 64-13 • OSPF Routing on Cisco IOS Routers, page 64-19 • OSPF Interface Policy Page, page 64-30 • OSPF Process Policy Page, page 64-34 • RIP Routing on Cisco IOS Routers, page 64-42 • RIP Routing Policy Page, page 64-45 • Static Routing o
Chapter 64 Configuring Routing Policies BGP Routing on Cisco IOS Routers Note • Defining BGP Routes, page 64-2 • Redistributing Routes into BGP, page 64-3 Security Manager supports versions 2, 3 and 4 of BGP, as defined in RFCs 1163, 1267 and 1771.
Chapter 64 Configuring Routing Policies BGP Routing on Cisco IOS Routers Step 3 (Optional) Enter the addresses of the networks that are local to this AS. You can use a combination of addresses and network/host objects, or click Select to select an object from a list or to create a new one. For more information, see Specifying IP Addresses During Policy Definition, page 6-81. Step 4 Define external and internal BGP neighbors for the routers: a.
Chapter 64 Configuring Routing Policies BGP Routing Policy Page • (Device view) Select Platform > Routing > BGP from the Policy selector, then click the Redistribution tab in the work area. • (Policy view) Select Router Platform > Routing > BGP from the Policy Type selector. Select an existing policy or create a new one, and then click the Redistribution tab. The BGP Redistribution tab is displayed. See Table 64-3 on page 64-7 for a description of the fields on this tab.
Chapter 64 Configuring Routing Policies BGP Routing Policy Page Navigation Path Go to the BGP Routing Policy Page, page 64-4, then click the Setup tab. Related Topics • Defining BGP Routes, page 64-2 • BGP Page—Redistribution Tab, page 64-6 • Specifying IP Addresses During Policy Definition, page 6-81 • Understanding Networks/Hosts Objects, page 6-74 Field Reference Table 64-1 BGP Setup Tab Element Description AS Number The number of the autonomous system in which the router is located.
Chapter 64 Configuring Routing Policies BGP Routing Policy Page Table 64-1 BGP Setup Tab (Continued) Element Description Log-Neighbor When selected, enables the logging of messages that are generated when a BGP neighbors resets, connects to the network, or is disconnected. This is the default. When deselected, message logging is disabled. Neighbors Dialog Box Use the Neighbors dialog box to define the internal and external neighbors of the selected router.
Chapter 64 Configuring Routing Policies BGP Routing Policy Page Navigation Path Go to the BGP Routing Policy Page, page 64-4, then click the Redistribution tab. Related Topics • Redistributing Routes into BGP, page 64-3 • BGP Page—Setup Tab, page 64-4 • Table Columns and Column Heading Features, page 1-46 • Filtering Tables, page 1-45 Field Reference Table 64-3 BGP Redistribution Tab Element Description Protocol The protocol that is being redistributed.
Field Reference
Table 64-4 BGP Redistribution Mapping Dialog Box
Protocol to Redistribute: The routing protocol that is being redistributed:
• Static—Redistributes IP or OSI static routes. You can define a single mapping for each route.
• EIGRP—Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS.
A router running EIGRP stores all its neighbors’ routing tables so that it can quickly adapt to alternate routes. If no appropriate route exists, EIGRP queries its neighbors to discover an alternate route. These queries propagate until an alternate route is found. EIGRP sends incremental updates when the state of a destination changes, instead of sending the entire contents of the routing table.
Step 2 On the EIGRP Setup tab, select an EIGRP route from the table, then click Edit, or click Add to create a route. The EIGRP Setup dialog box appears. See Table 64-6 on page 64-14 for a description of the fields in this dialog box.
Step 3 Enter the autonomous system number for the route. This number identifies the autonomous system to other routers.
Step 4 Enter the addresses of the networks to include in the EIGRP route.
Figure 64-1 EIGRP Split Horizon Example
[Figure: Router One, Router Two, Router Three, Router Four and Network A, with bandwidth and delay values on each link]
Split horizon is enabled by default on all EIGRP interfaces, because it typically optimizes communications among multiple routing devices.
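The split horizon behaviour that the figure illustrates, as an added example that is not from the Cisco guide: two constructed routers A and B exchange distance-vector updates over interface e0, and network N (directly connected to B) fails. The example shows why the rule "never advertise a route out of the interface it was learned on" prevents the loop; hold-down timers and route poisoning are deliberately not modeled.

```python
"""Split horizon in a distance-vector exchange (added example, not Cisco's code).
Topology (constructed): A <-e0-----e0-> B, network N directly connected to B."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Route:
    metric: int
    next_hop: Optional[str]    # None for a directly connected network
    learned_on: Optional[str]  # interface the update arrived on, None if direct


@dataclass
class Router:
    name: str
    split_horizon: bool
    table: Dict[str, Route] = field(default_factory=dict)

    def advertise(self, out_iface: str) -> Dict[str, int]:
        """Routes (prefix -> metric) to send out `out_iface`. With split
        horizon on, a route is never sent back out the interface it came in."""
        update: Dict[str, int] = {}
        for prefix, route in self.table.items():
            if self.split_horizon and route.learned_on == out_iface:
                continue
            update[prefix] = route.metric
        return update

    def receive(self, in_iface: str, neighbor: str, update: Dict[str, int]) -> None:
        """Install a received route if it is new or better (hop count + 1)."""
        for prefix, metric in update.items():
            candidate = Route(metric + 1, neighbor, in_iface)
            current = self.table.get(prefix)
            if current is None or candidate.metric < current.metric:
                self.table[prefix] = candidate


def simulate(split_horizon: bool) -> Dict[str, Optional[str]]:
    """Run the exchange; return each router's next hop for N (None = no route)."""
    a = Router("A", split_horizon)
    b = Router("B", split_horizon)
    b.table["N"] = Route(metric=0, next_hop=None, learned_on=None)  # N is local to B

    # 1. B's periodic update reaches A on e0; A installs N via B.
    a.receive("e0", "B", b.advertise("e0"))
    # 2. N fails on B and is removed from B's table.
    del b.table["N"]
    # 3. A's periodic update goes out e0 toward B. Split horizon decides
    #    whether N (learned on e0) is included in that update.
    b.receive("e0", "A", a.advertise("e0"))

    return {
        "A": a.table["N"].next_hop if "N" in a.table else None,
        "B": b.table["N"].next_hop if "N" in b.table else None,
    }


if __name__ == "__main__":
    # Off: A points at B and B points at A for N, a routing loop.
    print("split horizon off:", simulate(False))
    # On: B has no route to N; A's stale entry would age out in a real router.
    print("split horizon on: ", simulate(True))
```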
Step 4 Enter the name of the interface or interface role to define, or click Select to select an interface role from a list or to create a new one. For more information, see Specifying Interfaces During Policy Definition, page 6-70.
Step 5 (Optional) In the Hello Interval field, modify the default interval between hello packets sent over the selected interfaces.
Step 2 On the EIGRP Redistribution tab, select a row from the EIGRP Redistribution Mappings table, then click Edit, or click Add to create a mapping. The EIGRP Redistribution Mapping dialog box appears. See Table 64-10 on page 64-18 for a description of the fields in this dialog box.
Step 3 Select an existing EIGRP AS from the displayed list.
Step 4 Select the protocol whose routes you want to redistribute into the selected EIGRP AS.
Related Topics
• Defining EIGRP Routes, page 64-9
• EIGRP Page—Interfaces Tab, page 64-15
• EIGRP Page—Redistribution Tab, page 64-17
• Table Columns and Column Heading Features, page 1-46
• Filtering Tables, page 1-45
Field Reference
Table 64-5 EIGRP Setup Tab
AS Number: The autonomous system number that identifies the autonomous system to other routers.
Table 64-6 EIGRP Setup Dialog Box (Continued)
Networks: The networks associated with the EIGRP route. Enter one or more network addresses or network/host objects, separated by commas. Click Select to select network/host objects from a list of existing objects, or to create new objects.
Passive Interfaces: The interfaces that do not send updates to their routing neighbors.
Table 64-7 EIGRP Interfaces Tab (Continued)
Interfaces: The interfaces related to the selected EIGRP autonomous system that have specially defined values.
Split Horizon: Indicates whether the split horizon feature is enabled or disabled for the selected interface.
Hello Interval: The defined interval between hello packets sent to neighboring routers.
Add button: Opens the EIGRP Interface Dialog Box, page 64-16.
Table 64-8 EIGRP Interface Dialog Box (Continued)
Split Horizon: When selected, the split horizon feature is used to prevent routing loops. When deselected, split horizon is disabled. When split horizon is disabled, the router can advertise a route out of the same interface through which it learned the route.
Table 64-9 EIGRP Redistribution Tab (Continued)
Match: When redistributing an OSPF process, indicates the types of OSPF routes that are being redistributed.
Add button: Opens the EIGRP Redistribution Mapping Dialog Box, page 64-18. From here you can define EIGRP redistribution mappings.
Edit button: Opens the EIGRP Redistribution Mapping Dialog Box, page 64-18.
Table 64-10 EIGRP Redistribution Mapping Dialog Box (Continued)
Protocol to Redistribute (continued):
• OSPF—Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria:
– Internal—Routes that are internal to a specific AS.
A router that has interfaces in multiple OSPF areas is called an Area Border Router (ABR). An ABR uses LSAs to send information about available routes to other OSPF routers. A router that acts as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols is called an Autonomous System Boundary Router (ASBR). Any router can act as an ABR or ASBR.
b. Enter the names of one or more interfaces or interface roles, or click Select to select an interface role from a list or to create a new one. For more information, see Specifying Interfaces During Policy Definition, page 6-70.
c. Click OK to save your changes and return to the OSPF Setup dialog box.
Step 5 Click OK to save your definitions locally on the client and close the dialog box.
• Specifying clear-text authentication for an area sets the authentication to Type 1 (simple password). All routers on a network must use the same clear-text password to communicate with each other using OSPF.
• MD5 passwords need not be the same throughout an area, but they must be the same between neighbors.
Step 7
Type 1 versus Type 2 External Routes
Two types of OSPF external routes exist, Type 1 and Type 2. The difference between the two is related to how the cost (metric) of the route is calculated. The cost of a Type 1 route is the sum of the external cost and the internal cost used to reach that route. The cost of a Type 2 route is based on the external cost only. By default, external routes are defined as Type 2.
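The Type 1 / Type 2 cost rule worked through in code, as an added example that is not from the Cisco guide. `effective_cost()` is exactly the rule stated above; `best_path()` goes one step further and applies the preference order of RFC 2328 section 16.4 (Type 1 paths beat Type 2 paths, and equal Type 2 external costs are broken by the internal cost to the ASBR), leaving out the remaining intra-AS path preferences of 16.4.1. ASBR names and cost values are constructed.

```python
"""OSPF external route cost and preference (added example, not Cisco's code)."""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class ExternalPath:
    via_asbr: str       # constructed name of the ASBR that injected the route
    route_type: int     # 1 or 2
    external_cost: int  # metric carried in the AS-external LSA
    internal_cost: int  # intra/inter-area cost from this router to the ASBR


def effective_cost(path: ExternalPath) -> int:
    """Type 1: external + internal cost. Type 2: external cost only."""
    if path.route_type == 1:
        return path.external_cost + path.internal_cost
    if path.route_type == 2:
        return path.external_cost
    raise ValueError(f"unknown OSPF external route type {path.route_type}")


def preference_key(path: ExternalPath) -> Tuple[int, int, int]:
    """Lower tuple wins: (route type, effective cost, tie-breaker).
    The tie-breaker only matters for Type 2, where RFC 2328 16.4 compares the
    internal cost to the ASBR once external costs are equal."""
    tie_break = path.internal_cost if path.route_type == 2 else 0
    return (path.route_type, effective_cost(path), tie_break)


def best_path(paths: Iterable[ExternalPath]) -> ExternalPath:
    """The path OSPF would install for one external destination."""
    return min(paths, key=preference_key)


if __name__ == "__main__":
    # Type 1: the far-away ASBR loses even though it advertises a lower metric.
    t1 = [ExternalPath("asbr-1", 1, 20, 5), ExternalPath("asbr-2", 1, 10, 30)]
    print(best_path(t1).via_asbr)  # asbr-1, since 20 + 5 < 10 + 30
    # Type 2: the internal cost is ignored unless the external costs tie.
    t2 = [ExternalPath("asbr-1", 2, 20, 50), ExternalPath("asbr-2", 2, 20, 5)]
    print(best_path(t2).via_asbr)  # asbr-2, since 20 == 20 and then 5 < 50
```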
When you define a maximum prefix value, you can decide whether to prevent additional routes from being redistributed once this maximum is reached, or whether to only issue a warning. The redistribution limit applies to all IP redistributed prefixes, including summarized ones. The limit does not apply to default routes or prefixes that are generated as a result of type 7 to type 5 translations.
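The limit semantics described above, as an added example that is not from the Cisco guide: a limiter that counts every redistributed prefix, summarized ones included, exempts default routes and type 7 to type 5 translations, and either stops redistributing at the limit or only warns. The prefix list and the limit value are constructed.

```python
"""Maximum-prefix enforcement for OSPF redistribution (added example, not Cisco's code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Prefix:
    net: str
    summarized: bool = False   # produced by a summary address
    default: bool = False      # 0.0.0.0/0
    type7_to_5: bool = False   # NSSA type 7 LSA translated into a type 5 LSA


def counts_toward_limit(p: Prefix) -> bool:
    """Summarized prefixes count; default routes and 7-to-5 translations do not."""
    return not (p.default or p.type7_to_5)


def apply_max_prefix(prefixes: List[Prefix], maximum: int,
                     warning_only: bool) -> Tuple[List[str], List[str]]:
    """Return (nets actually redistributed, warning messages).

    warning_only=False: prefixes beyond `maximum` are not redistributed.
    warning_only=True: everything is redistributed; one warning is raised
    when the limit is exceeded."""
    redistributed: List[str] = []
    warnings: List[str] = []
    counted = 0
    for p in prefixes:
        if not counts_toward_limit(p):
            redistributed.append(p.net)  # exempt from the limit
            continue
        counted += 1
        if counted > maximum:
            if not warnings:
                warnings.append(f"redistributed prefix count exceeds maximum of {maximum}")
            if not warning_only:
                continue  # limit enforced: this prefix is dropped
        redistributed.append(p.net)
    return redistributed, warnings


# Constructed redistribution candidates, in arrival order.
CANDIDATES = [
    Prefix("10.1.0.0/24"),
    Prefix("10.2.0.0/24"),
    Prefix("10.3.0.0/16", summarized=True),   # counts toward the limit
    Prefix("10.4.0.0/24"),                    # fourth counted prefix
    Prefix("0.0.0.0/0", default=True),        # exempt
    Prefix("192.0.2.0/24", type7_to_5=True),  # exempt
]

if __name__ == "__main__":
    print(apply_max_prefix(CANDIDATES, maximum=3, warning_only=False))
    print(apply_max_prefix(CANDIDATES, maximum=3, warning_only=True))
```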
Defining OSPF Interface Settings
You can modify a variety of interface-specific OSPF parameters. This procedure describes how to define these parameters.
Note: Do not use clear text authentication in OSPF packets for security purposes, because the unencrypted authentication key is sent in every packet. Use clear text authentication only when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing.
Step 5 (Optional) Under Properties, configure interface parameters as required.
DR and BDR election is performed via the Hello protocol. The router with the highest OSPF priority becomes the DR for that segment. The same process is then repeated for the BDR. In the case of a tie, the router with the higher router ID (RID) is elected. By default, each interface is given a priority of 1, but you can assign a higher priority to selected interfaces, as required.
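The election rule just described, as an added example that is not from the Cisco guide: highest priority wins, ties go to the higher router ID, and the BDR is picked the same way from the remaining routers. Two details beyond the text are taken from RFC 2328 section 9.4 and labelled in the code: priority 0 makes a router ineligible, and router IDs compare as 32-bit values rather than as strings. The stickiness of the real algorithm (an existing DR is not displaced by a newcomer) is deliberately not modeled, and the router names, priorities and IDs are constructed.

```python
"""Simplified OSPF DR/BDR election (added example, not Cisco's code)."""
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# name -> (priority, router ID) for the routers on one multiaccess segment
Segment = Dict[str, Tuple[int, str]]


def election_key(entry: Tuple[str, Tuple[int, str]]) -> Tuple[int, int]:
    """Priority first; then the router ID compared numerically (RFC 2328 9.4),
    so 10.0.0.100 outranks 10.0.0.9 even though the strings sort the other way."""
    _name, (priority, rid) = entry
    return (priority, int(IPv4Address(rid)))


def elect(segment: Segment) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) names; None where no eligible router remains."""
    # Priority 0 means "never become DR or BDR" (RFC 2328 9.4).
    eligible = {name: v for name, v in segment.items() if v[0] > 0}
    ranked = [name for name, _ in sorted(eligible.items(), key=election_key, reverse=True)]
    dr = ranked[0] if ranked else None
    bdr = ranked[1] if len(ranked) > 1 else None
    return dr, bdr


# Constructed segment: r1 and r2 keep the default priority of 1, r3 was raised.
SEGMENT: Segment = {
    "r1": (1, "10.0.0.100"),  # default priority, numerically higher RID than r2
    "r2": (1, "10.0.0.9"),
    "r3": (5, "10.0.0.2"),    # raised priority: wins DR despite the lowest RID
    "r4": (0, "10.0.0.200"),  # priority 0: never elected
}

if __name__ == "__main__":
    print(elect(SEGMENT))  # r3 becomes DR; r1 beats r2 on RID for BDR
```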
Related Topics
• Understanding Interface Cost, page 64-26
• Understanding Interface Priority, page 64-26
• Disabling MTU Mismatch Detection, page 64-27
• Understanding OSPF Timer Settings, page 64-28
• Understanding the OSPF Network Type, page 64-29
• Understanding OSPF Interface Authentication, page 64-29
• Defining OSPF Interface Settings, page 64-25
Understanding OSPF Timer Settings
OSPF uses a series of timers dur
Understanding the OSPF Network Type
You can manually configure the OSPF network type on an interface as either broadcast or nonbroadcast multiaccess (NBMA), regardless of the default media type. For example, you can use this feature to configure broadcast networks (such as Ethernet, Token Ring, and FDDI) as NBMA when your network contains routers that do not support multicast addressing.
Whenever you configure an interface with a new key, the router sends multiple copies of the same packet, each authenticated by different keys. The router stops sending duplicate packets when it detects that all of its neighbors have adopted the new key.
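The key rollover exchange described above, as an added example that is not from the Cisco guide. The digest itself follows RFC 2328 Appendix D.4.3 (MD5 over the packet with the key appended, padded to 16 bytes); the packet bytes, key IDs, keys and the neighbors' reported key IDs are all constructed. While any neighbor still uses an old key the sender emits one copy per key in use; once every neighbor reports the newest key, a single copy goes out.

```python
"""OSPF MD5 key rollover: duplicate packets until all neighbors adopt the new key
(added example, not Cisco's code)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

KEY_LEN = 16  # RFC 2328 D.4.3: the key is padded with zeros to 16 bytes


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """Digest appended to the packet: MD5(packet || key padded to 16 bytes)."""
    return hashlib.md5(packet + key.ljust(KEY_LEN, b"\0")).digest()


def copies_to_send(packet: bytes, keys: Dict[int, bytes],
                   neighbor_key_ids: Dict[str, int]) -> List[Tuple[int, bytes]]:
    """Sender side. One (key ID, authenticated packet) pair per key that any
    neighbor still uses, always including the newest configured key."""
    newest = max(keys)
    in_use = {kid for kid in neighbor_key_ids.values() if kid in keys} | {newest}
    return [(kid, packet + ospf_md5_digest(packet, keys[kid])) for kid in sorted(in_use)]


def verify(authenticated: bytes, key_id: int, keys: Dict[int, bytes]) -> bool:
    """Receiver side: recompute the digest with the key named by key_id."""
    body, digest = authenticated[:-16], authenticated[-16:]
    key = keys.get(key_id)
    return key is not None and hmac.compare_digest(digest, ospf_md5_digest(body, key))


# Constructed key chain and packet bytes (not a real OSPF header).
KEYS = {1: b"old-key", 2: b"new-key"}
HELLO = b"\x02\x01\x00\x2c\x0a\x00\x00\x01"

if __name__ == "__main__":
    # r2 has adopted key 2 but r3 is still on key 1: two copies go out.
    rolling = copies_to_send(HELLO, KEYS, {"r2": 2, "r3": 1})
    print([kid for kid, _ in rolling])  # [1, 2]
    # r3 only has the old key and still accepts the copy authenticated with it.
    print(verify(rolling[0][1], 1, {1: b"old-key"}))  # True
    # Once every neighbor reports key 2, only one copy is sent.
    print([kid for kid, _ in copies_to_send(HELLO, KEYS, {"r2": 2, "r3": 2})])  # [2]
```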
Table 64-11 OSPF Interface Page (Continued)
Cost: The cost of sending packets over the selected interface, if this value is different from the cost as normally calculated.
Priority: The priority of the selected interface.
MTU Ignore: Indicates whether maximum transmission unit (MTU) mismatch detection is disabled on the selected interface.
Field Reference
Table 64-12 OSPF Interface Dialog Box
Interface: The OSPF interface to configure. Enter the name of an interface or interface role, or click Select to select the object from a list or to create a new one.
Authentication Type: The authentication type used by the selected interface:
• MD5—Uses the MD5 hash algorithm for authentication. This is the default.
Table 64-12 OSPF Interface Dialog Box (Continued)
MTU Ignore: When selected, ignores MTU mismatches between neighboring routers. When deselected, MTU mismatch detection is enabled.
Note: Typically, this option is not used, because it can cause routers to become stuck in exstart/exchange state, which prevents OSPF adjacency from being established.
Database Filter:
Table 64-12 OSPF Interface Dialog Box (Continued)
Configure Network Type: When selected, enables you to select a network type that differs from the default medium used by the interface. When deselected, the network type is equivalent to the default medium used by the interface.
Note: For more information about OSPF interface policies, see OSPF Interface Policy Page, page 64-30.
Navigation Path
• (Device view) Select Platform > Routing > OSPF Process from the Policy selector.
• (Policy view) Select Router Platform > Routing > OSPF Process from the Policy Type selector. Right-click OSPF Process to create a policy, or select an existing policy from the Shared Policy selector.
Navigation Path
Go to the OSPF Process Page—Setup Tab, page 64-35, then click the Add or Edit button beneath the table.
Related Topics
• Defining OSPF Process Settings, page 64-20
Field Reference
Table 64-14 OSPF Setup Dialog Box
Process ID: The process ID number for the OSPF process. This number identifies the OSPF process to other routers. It does not need to match the process ID on other devices.
• OSPF Process Page—Redistribution Tab, page 64-38
• OSPF Interface Policy Page, page 64-30
• Table Columns and Column Heading Features, page 1-46
• Filtering Tables, page 1-45
Field Reference
Table 64-15 OSPF Process Area Tab
Area ID: The ID number of the area associated with the process.
Process ID: The process ID that identifies the OSPF routing process to other routers.
Table 64-16 OSPF Area Dialog Box (Continued)
Networks: The networks to add to the OSPF area. Enter one or more network addresses or network/host objects, or click Select to select the object from a list or to create a new one.
Authentication: The type of authentication used for the area:
• MD5—(Recommended) Uses the MD5 hash algorithm for authentication.
• Clear Text—Uses clear text for authentication.
Table 64-17 OSPF Process Redistribution Tab (Continued)
Metric Type: The external link type associated with the default route advertised into the OSPF routing domain.
Subnets: Indicates whether routes that are subnetted are also being redistributed.
Add button: Opens the OSPF Redistribution Mapping Dialog Box, page 64-39. From here you can define OSPF redistribution mappings.
Field Reference
Table 64-18 OSPF Redistribution Mapping Dialog Box
Process ID: The OSPF process into which other routes are being redistributed. You must select a process ID number from the list of OSPF processes defined in the OSPF Process Page—Setup Tab, page 64-35.
Table 64-18 OSPF Redistribution Mapping Dialog Box (Continued)
Limit to Subnets: When selected, only subnetted routes are redistributed. When deselected, subnetted routes are not redistributed.
OSPF Max Prefix Mapping Dialog Box
Use the OSPF Max Prefix Mapping dialog box to add or edit the maximum number of routes that can be redistributed into an OSPF process.
RIP Routing on Cisco IOS Routers
Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that was created for use in small, homogeneous networks. RIP is a distance-vector protocol that sends routing-update messages at regular intervals (in a process called advertising) and whenever the network topology changes.
The RIP Setup tab is displayed (see RIP Page—Setup Tab, page 64-45).
Step 2 Enter the addresses of the directly connected networks whose interfaces are to receive RIP updates. You can use a combination of addresses and network/host objects; separate addresses with commas. Click Select to select network/host objects from a list of existing objects, or to create new network/host objects.
Note: We do not recommend that you use clear text authentication in RIP packets, because the unencrypted authentication key is sent in every packet. Use plain text authentication only when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing.
Step 5 Click OK to save your definitions locally on the client and close the dialog box.
• Select the Default Metric check box, then enter the default metric of the redistributed routes. The metric determines the priority of the routes.
• Select the Transparent check box to maintain the original metric of the routes being redistributed into RIP.
Step 5 Click OK to save your definitions locally on the client and close the dialog box.
Field Reference
Table 64-20 RIP Setup Tab
Networks: The directly connected networks associated with the RIP route. Enter one or more network addresses or network/host objects, separated by commas. Click Select to select network/host objects from a list of existing objects, or to create new objects.
Passive Interfaces: The interfaces that do not send updates to their routing neighbors.
Table 64-21 RIP Authentication Tab (Continued)
Key ID: The identification number of the authentication key used for MD5 authentication.
Add button: Opens the RIP Authentication Dialog Box, page 64-47. From here you can define authentication for an additional RIP interface.
Edit button: Opens the RIP Authentication Dialog Box, page 64-47.
Table 64-22 RIP Authentication Dialog Box (Continued)
Key: The shared key used for authentication (MD5 or clear text). This key must be shared with all other devices sending updates to, and receiving updates from, the selected device. The key can contain up to 80 alphanumeric characters; the first character cannot be a number. Spaces are allowed. Enter the key again in the Confirm field.
RIP Redistribution Mapping Dialog Box
Use the RIP Redistribution Mapping dialog box to add or edit the properties of a RIP redistribution mapping.
Navigation Path
Go to the RIP Page—Redistribution Tab, page 64-48, then click the Add or Edit button beneath the table.
Table 64-24 RIP Redistribution Mapping Dialog Box (Continued)
Transparent Metric: When selected, maintains the original metric of the route being redistributed. When deselected, the value specified in the Metric field is used.
• (Policy view) Select Router Platform > Routing > Static Routing from the Policy Type selector. Select an existing policy or create a new one.
The Static Routing page is displayed. See Table 64-25 on page 64-52 for a description of the fields on this page.
Step 2 On the Static Routing page, select a static route from the table, then click Edit, or click Add to create a route. The Static Routing dialog box appears.
• Filtering Tables, page 1-45
Field Reference
Table 64-25 Static Routing Page
Prefix: The destination IP address of the static route.
Prefix Mask: The net mask of the selected IP address.
Default Route: Indicates whether the static route is the default route for unknown packets being forwarded by this router.
Field Reference
Table 64-26 Static Routing Dialog Box
Destination Network: Address information for the destination network defined by this static route.
• Use as Default Route—When selected, makes this the default route on this router. A default route is used when the route from a source to a destination is unknown or when it is not feasible for the router to maintain many routes in its routing table.
Chapter 65 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
Cisco Security Manager supports the management and configuration of security services and other platform-specific services on Cisco Catalyst switches and Cisco 7600 Series routers. You can manage Catalyst switches and 7600 devices configured in VTP transparent or VTP client/server mode.
Chapter 65 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers Viewing Catalyst Summary Information
At any time, you can also rediscover the configurations of devices that you are already managing with Security Manager. Be aware, however, that we do not recommend rediscovery generally because performing rediscovery overwrites the policies that you have defined in Security Manager. For more information, see Discovering Policies on Devices Already in Security Manager, page 5-15.
Table 65-1 Catalyst Summary Info Page (Continued)
Last Update: Displays a time stamp for the most recent discovery.
Total Ports: Displays the total number of configured ports, combining access ports, routed ports, and trunk ports.
Access Ports: Displays the number of configured access ports on the chassis.
• Interfaces/VLANs Page—VLAN Groups Tab, page 65-33
• Interfaces/VLANs Page—Interfaces Tab, page 65-7
• Viewing Catalyst Summary Information, page 65-2
• Filtering Tables, page 1-45
Field Reference
Table 65-2 Interfaces/VLANs Page—Summary Tab
VLAN ID: The VLAN ID associated with an interface or subinterface.
Interfaces
You use the Interfaces tab on the Interfaces/VLANs page to view and manage the following types of ports:
• Access ports—A switching port that is used to connect host machines or servers. An access port belongs to and carries the traffic of only one VLAN. Traffic is received and sent in native formats with no VLAN tagging.
• Interfaces/VLANs Page—Interfaces Tab, page 65-7
• Interfaces, page 65-5
Step 1 (Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy selector, then click the Interfaces tab in the work area. The Interfaces tab is displayed. For a description of the fields on this tab, see Interfaces/VLANs Page—Interfaces Tab, page 65-7.
Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
Although you can delete the definition of an interface at any time, use this option with great care. If the relevant device includes the interface definition in any policy definitions, deleting the interface causes these policy definitions to fail when they are deployed to the device.
Table 65-3 Interfaces/VLANs Page—Interfaces Tab (Continued)
Mode: Configuration mode for physical ports:
• Access
• Routed
• Trunk
• Dynamic Auto
• Dynamic Desirable
• Unsupported
VLAN ID: The VLAN ID associated with the described subinterface, displayed only for Ethernet interfaces and VLAN interfaces.
IP Address: The IP address of the interface.
Create and Edit Interface Dialog Boxes—Access Port Mode
Use the Create Interface dialog box (or the Edit Interface dialog box) to configure the attributes of physical and virtual interfaces that run in access port mode.
Navigation Path
Go to the Interfaces/VLANs Page—Interfaces Tab, page 65-7, click Add or Edit to open the Create/Edit Interface dialog box, then select Access Port from the Mode list.
Table 65-4 Create and Edit Interface Dialog Boxes—Access Port Mode (Continued)
Access Port settings
VLAN ID (Select button): Displays the interface-specific identity of the VLAN to use in access port mode, if you have selected a VLAN. Otherwise, click Select to open the VLAN Selector Dialog Box, page 65-36. The VLAN ID specifies where 802.
Table 65-4 Create and Edit Interface Dialog Boxes—Access Port Mode (Continued)
Capture VLANs (Select button): Enables you to identify the VLANs where VACLs should receive forwarded VLAN packets. This option is available if you selected the Enable VACL Capture check box. Enter a comma-separated list of VLAN IDs or click Select to open the VLAN Selector Dialog Box, page 65-36.
Table 65-4 Create and Edit Interface Dialog Boxes—Access Port Mode (Continued)
Flow Control Send: The flow control setting for outgoing frames:
• Off—The port does not send flow control frames to the neighboring port.
• On—The port sends flow control frames to the neighboring port.
• Desired—The port allows, but does not require, flow control frames.
Roles:
Table 65-5 Create and Edit Interface Dialog Boxes—Routed Port Mode (Continued)
Name (Select button): Displays the generated interface name, if the name has been set. Click Select to open the Interface Auto Name Generator Dialog Box, page 59-12. From here, you can enter or edit the details that Security Manager uses to generate an interface name.
Table 65-5 Create and Edit Interface Dialog Boxes—Routed Port Mode (Continued)
Description: A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns.
Note: For multiple context mode, the system description is independent of the context description.
Flow Control Receive:
Field Reference
Table 65-6 Create and Edit Interface Dialog Boxes—Trunk Port Mode
Enable Interface: When selected, enables the interface. When deselected, disables the interface using the shutdown command.
Type: Specifies whether the definitions apply to an interface or a subinterface. For details about defining a subinterface, see Create and Edit Interface Dialog Boxes—Subinterfaces, page 65-22.
Table 65-6 Create and Edit Interface Dialog Boxes—Trunk Port Mode (Continued)
Native VLAN (Select button): Enables you to select the Native VLAN to associate with this interface, using the ID specified in the VLAN ID field. (If no VLAN ID is specified for the Native VLAN, the default is 1.) This option applies to you only if you are configuring a physical interface that is meant to serve as an 802.
Table 65-6 Create and Edit Interface Dialog Boxes—Trunk Port Mode (Continued)
Enable Port Security: Applies only to devices running IOS Software Version 12.2(18)SXE2 or later. When selected, enables you to restrict input to an interface by limiting the MAC addresses that are allowed to access the port. When deselected, disables port security.
Note Max.
Table 65-6 Create and Edit Interface Dialog Boxes—Trunk Port Mode (Continued)
MTU: The maximum transmission unit, which refers to the largest packet size (in bytes) that can be handled by the interface. The range of valid values depends on the interface type.
Description: A text description of the interface. Enter up to 240 characters on a single line, without using carriage returns.
• Interface Auto Name Generator Dialog Box, page 59-12
• Understanding FlexConfig Policies and Policy Objects, page 7-2
• Understanding Interface Role Objects, page 6-67
Field Reference
Table 65-7 Create and Edit Interface Dialog Boxes—Dynamic Mode
Enable Interface: When selected, enables the interface. When deselected, disables the interface using the shutdown command.
Table 65-7 Create and Edit Interface Dialog Boxes—Dynamic Mode (Continued)
Encapsulation: Select one of the following:
• DOT1Q—Specifies VLAN encapsulation on the trunk link, as defined by the IEEE 802.1Q standard. Applies only to Ethernet subinterfaces.
• ISL—Specifies ISL encapsulation on the trunk link. 10-Gigabit Ethernet ports do not support ISL encapsulation.
Table 65-7 Create and Edit Interface Dialog Boxes—Dynamic Mode (Continued)
Prune VLANs (Select button): Enables you to specify which VLANs are eligible for pruning. Enter the VLAN IDs. Use commas to separate multiple VLANs or use a hyphen to indicate a range of VLANs (for example, 12,17,22 or 2-200). Alternatively, click Select to open the VLAN Selector Dialog Box, page 65-36.
Table 65-7 Create and Edit Interface Dialog Boxes—Dynamic Mode (Continued)
Flow Control Receive: The flow control setting for incoming frames:
• Off—The port does not use flow control, regardless of whether the neighboring port requests flow control.
• On—The port uses flow control, as dictated by the neighboring port.
• Desired—The port allows, but does not require, flow control frames.
Field Reference
Table 65-8 Create and Edit Interface Dialog Boxes—Subinterfaces
Enable Interface: When selected, enables the subinterface. When deselected, disables the subinterface using the shutdown command.
Type: Specifies whether the definitions apply to an interface or a subinterface. Select Subinterface.
Parent: Identifies the parent interface of the subinterface.
Subint.
Create and Edit Interface Dialog Boxes—Unsupported Mode
If you discover an interface configured with a mode that is not supported by Security Manager (such as dot1q-tunnel or private-vlan), the interface is displayed in Unsupported mode. You can view the attributes of this interface, but you cannot make any changes to the configuration unless you first change the mode.
Table 65-9 Create and Edit Interface Dialog Boxes—Unsupported Mode (Continued)
Duplex: Displays the duplex setting of the interface:
• Auto—Autonegotiates the duplex.
• Half—Sends and receives data, but not at the same time.
• Full—Sends and receives data at the same time.
If the speed is set to Auto, the duplex setting must also be set to Auto.
Security Manager helps you to create VLANs and define VLAN settings for the defined interfaces on Cisco Catalyst switches and Cisco 7600 Series routers, their supported services modules, and their security contexts.
Chapter 65 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers VLANs Step 8 Step 9 (Optional) For a Layer 3 VLAN, define a switched virtual interface (SVI): a. To make the SVI active, select the Enable Interface check box. An SVI enables routing between VLANs and provides IP host connectivity to the switch. If you do not select this check box, the SVI is created in shutdown mode. b. Enter the IP address for the SVI. c.
Chapter 65 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers VLANs Navigation Path • (Device view) Select Interfaces/VLANs from the Device selector, then click the VLANs tab.
Chapter 65 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers VLANs Related Topics • Understanding FlexConfig Policies and Policy Objects, page 7-2 • Create and Edit VLAN Group Dialog Boxes, page 65-34 • Interface Selector Dialog Box—VLAN ACL Content, page 65-43 Field Reference Table 65-11 Create and Edit VLAN Dialog Box Element Description VLAN ID Displays the VLAN ID if one is configured. Otherwise, enter the ID manually. The VLAN ID specifies where 802.
Chapter 65 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers VLANs Table 65-11 Create and Edit VLAN Dialog Box (Continued) Element Description Switch Virtual Interface Applies only when defining a Layer 3 VLAN. Access Ports (Select button) • Enable Interface—When selected, enables the switched virtual interface (SVI), which is a virtual interface that you can attach to any VLAN. The SVI enables routing between VLANs and provides IP host connectivity to the switch.
Field Reference

Table 65-12 Access Port Selector Dialog Box

Available Access Ports: Displays the access ports that are not assigned to a particular VLAN.
Add >> button: Adds interfaces that are selected in the Available Access Ports list to the Selected Access Ports list.
Remove << button: Removes selected interfaces from the Selected Access Ports list.

VLAN Groups

• Which VLANs belong to each VLAN group.
VLAN groups can be used when assigning VLANs to an FWSM security context. A VLAN group can be assigned to multiple FWSMs, and each FWSM can have multiple VLAN groups assigned to it. To perform this assignment, see Add/Edit Security Context Dialog Box (FWSM), page 57-5.

Step 4 To associate the VLAN group with specific service module slots, enter their slot numbers in the Service Module Slots text box, or click Select to open a selector.
Note Defining this association makes it possible to later assign this VLAN group to a security context on the FWSM. See Add/Edit Security Context Dialog Box (FWSM), page 57-5.

• Create and Edit VLAN Group Dialog Boxes, page 65-34
• Filtering Tables, page 1-45

Field Reference

Table 65-14 Interfaces/VLANs Page—VLAN Groups Tab

VLAN Group: Numeric ID of a VLAN group that is configured on the selected device.

Table 65-15 Create and Edit VLAN Group Dialog Boxes (Continued)

Service Module Slots (Select button): The chassis slot number (in which the relevant services module is installed) that is associated with the interface through which a particular VLAN participates in the VLAN group. Enter the slot number or click Select to open the Service Module Slot Selector Dialog Box, page 65-35.
VLAN Selector Dialog Box

Use the VLAN Selector dialog box to associate VLANs with interfaces, VLAN groups, security contexts, and VACLs.

Navigation Path
You can access this dialog box when you define interfaces, VLAN groups, IDSM settings, or VACLs by clicking the Select button in any field used for defining VLANs.

VLAN ACLs (VACLs)

Note Security Manager does not support the creation or configuration of MAC ACLs (MACLs), which are named ACLs that are sometimes used with VACLs to filter IPX, DECnet, AppleTalk, VINES, or XNS traffic based on MAC addresses.

When you configure a VACL and apply it to a VLAN, all packets entering the VLAN are checked against the VACL.

Related Topics
• Deleting VACLs, page 65-39
• Creating or Editing VLANs, page 65-26
• Creating or Editing VLAN Groups, page 65-32
• Create and Edit VLAN ACL Dialog Boxes, page 65-41
• VLAN Access Lists Page, page 65-39

Step 1 Do one of the following:
• (Device view) Select a Catalyst device, then select Platform > VLAN Access Lists from the Policy selector.

Note The order in which you place the sequences is significant. When a flow matches a permit ACL entry, the associated action is taken without checking the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
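The sequence semantics in the note above are easy to get wrong when a VACL is reviewed: a deny entry does not drop anything, it only exempts a flow from that ACL, and a flow that matches nothing is dropped as soon as any ACL of its packet type exists. The following Python model of VLAN access-map evaluation is an added example; it is not part of the original guide or of Security Manager. The access map, ACL names and addresses are constructed, and the final default (forward when no ACL of that packet type is configured at all) is standard Catalyst behaviour that the note does not spell out, so it is marked as an assumption in the code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One entry of an IP ACL: permit or deny a source/destination prefix pair."""
    permit: bool
    src: str
    dst: str

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass(frozen=True)
class Acl:
    name: str
    entries: tuple  # Ace objects, in configured order


@dataclass(frozen=True)
class Sequence:
    number: int      # map sequence number; lower numbers are evaluated first
    action: str      # "drop", "drop/log" or "forward" (Table 65-20)
    match_ip: tuple  # ACLs this sequence matches against IP traffic


def evaluate(sequences, src, dst):
    """Return the action a VLAN access map applies to an IP flow from src to dst."""
    ip_acl_configured = any(seq.match_ip for seq in sequences)
    for seq in sorted(sequences, key=lambda s: s.number):
        for acl in seq.match_ip:
            for ace in acl.entries:
                if not ace.matches(src, dst):
                    continue
                if ace.permit:
                    return seq.action   # permit match: take the action, stop evaluating
                break                   # deny match: leave this ACL, try the next ACL or sequence
    # Nothing matched. The note says the packet is denied when at least one ACL exists
    # for this packet type; forwarding when none exists is assumed default behaviour.
    return "drop" if ip_acl_configured else "forward"


# Constructed sample map: guest hosts may not reach the server subnet,
# except one exempt host; everything else is forwarded by a catch-all sequence.
GUEST_TO_SERVERS = Acl("guest-to-servers", (
    Ace(False, "192.168.50.5/32", "10.2.2.0/24"),   # deny: exempt this host from the drop sequence
    Ace(True, "192.168.50.0/24", "10.2.2.0/24"),    # permit: all other guest hosts get the action
))
ANY_IP = Acl("any-ip", (Ace(True, "0.0.0.0/0", "0.0.0.0/0"),))

SAMPLE_MAP = (
    Sequence(10, "drop/log", (GUEST_TO_SERVERS,)),
    Sequence(20, "forward", (ANY_IP,)),
)


def demo():
    """Evaluate a few constructed flows against the sample map and a map with no catch-all."""
    results = {
        "guest host to server": evaluate(SAMPLE_MAP, "192.168.50.7", "10.2.2.10"),
        "exempt guest host to server": evaluate(SAMPLE_MAP, "192.168.50.5", "10.2.2.10"),
        "corporate host to server": evaluate(SAMPLE_MAP, "10.1.1.1", "10.2.2.10"),
        # without sequence 20 the unmatched corporate flow hits the implicit deny
        "corporate host, no catch-all": evaluate(SAMPLE_MAP[:1], "10.1.1.1", "10.2.2.10"),
        "empty map": evaluate((), "10.1.1.1", "10.2.2.10"),
    }
    for name, action in results.items():
        print(f"{name}: {action}")
    return results


if __name__ == "__main__":
    demo()
```

The "corporate host, no catch-all" case is the one that matters when you remove a sequence from an existing map: every flow that previously fell through to the forwarding sequence is now denied, which is the behaviour the note describes.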
Related Topics
• Creating Access Control List Objects, page 6-49
• Create and Edit VLAN ACL Dialog Boxes, page 65-41
• Create and Edit VLAN ACL Content Dialog Boxes, page 65-42
• Filtering Tables, page 1-45

Field Reference

Table 65-18 VLAN Access Lists Page

VLAN Access Lists table
VLAN ACL: Displays the VLAN ACL name.
Sequence: Specifies the map sequence number.

Table 65-18 VLAN Access Lists Page (Continued)

Capture Interfaces: Identifies the interface that captures forwarded packets in which the capture bit is set. You can configure any interface as the capture interface. The capture action sets the capture bit for the forwarded packets so that ports with the capture function enabled can receive the packets. Only forwarded packets can be captured.

Table 65-19 Create and Edit VLAN ACL Dialog Boxes (Continued)

Sequence Map table: The sequence maps included in the VLAN access map.

Table 65-20 Create and Edit VLAN ACL Content Dialog Boxes (Continued)

Action: The option to perform on packets that meet the criteria defined in the match ACLs:
• Drop—Drops the packets.
• Drop/Log—Logs the dropped packets.
• Forward—Forwards the packets to their destination (using hardware switching).
Interfaces (Select button)

Table 65-21 Interface Selector Dialog Box (Continued)

Remove << button: Removes selected interfaces from the Selected Interfaces list.
Selected Interfaces: Displays the interfaces that are selected.

IDSM Settings

Related Topics
• VLANs, page 65-25
• Chapter 65, “Managing Cisco Catalyst Switches and Cisco 7600 Series Routers”

Creating or Editing EtherChannel VLAN Definitions

When defining an EtherChannel VLAN definition, you must:
• Define the slot-port combination containing the data ports to include in the channel group.
• Select the sensing mode used by the data ports.

Step 5 From the Mode list, select the running mode of the EtherChannel VLAN. If you select Capture, select the check box to configure the specified channel group as a capture destination.
Note Associating one module data port with the VLAN enables you to configure the port at the group level instead of configuring it manually.
Step 6

The following restrictions apply:
• You may have a single definition only for each data port.
• You cannot create a data port definition if the port is already defined as part of a channel group.

Deleting Data Port VLAN Definitions

You can delete a data port VLAN definition on the IDSM.

Related Topics
• Creating or Editing Data Port VLAN Definitions, page 65-46
• Deleting EtherChannel VLAN Definitions, page 65-46
• IDSM Settings, page 65-44

Step 1 Do one of the following:
• (Device view) Select a Catalyst device, then select Platform > IDSM Settings from the Policy selector.

Table 65-22 IDSM Settings Page (Continued)

Module Slot-Data Port: Identifies the IDSM service module data port by number (1 or 2) to distinguish between the two ports. Each IDSM service module (blade) has two data ports. You can configure a data port individually or you can assign it to an EtherChannel group.

• IDSM Slot-Port Selector Dialog Box, page 65-51
• Service Module Slot Selector Dialog Box, page 65-35

Field Reference

Table 65-23 Create and Edit IDSM EtherChannel VLANs Dialog Boxes

Channel Group: The EtherChannel group to which the Ethernet interface is assigned.

Field Reference

Table 65-24 Create and Edit IDSM Data Port VLANs Dialog Boxes

Slot-Port: Associates the chassis slot number (in which the relevant services module is installed) with the data port in the format x-y, where x is the slot number and y is the port number. For example, 2-1 refers to data port 1 in slot 2. Click Select to open the IDSM Slot-Port Selector Dialog Box, page 65-51.

Table 65-25 IDSM Slot-Port Selector Dialog Box (Continued)

Add >> button: Applies only when selecting slot-ports for EtherChannel VLANs. Adds IDSM slot-port objects that you selected in the Available IDSM Slot-Ports list to the Selected IDSM Slot-Ports list.
Remove << button: Applies only when selecting slot-ports for EtherChannel VLANs.
Part 7 Monitoring, Reporting, and Diagnostics

Chapter 66 Viewing Events

Event Viewer enables you to selectively monitor, view, and examine events from ASA (including ASA-SM), FWSM and IPS devices. Events are organized into views that you can filter or search to find events that interest you. You can create customized views and filters to fit your needs, or use the predefined views included in the application.

Introduction to Event Viewer Capabilities

This section briefly describes some key activities that Event Viewer can facilitate.

• View High Threat IPS Events—You can filter a view to display all events that exceed a certain threat level. On a properly tuned IPS sensor, this should be a manageable flow of events to watch in a real-time view.

Views and Filters

When you view events in Event Viewer, you open a view.

• You must have system administrator privileges to change the Event Management administrative settings page, where you enable or disable the service and configure storage location and other settings, as described in Starting, Stopping, and Configuring the Event Manager Service, page 66-27 and Event Management Page, page 11-22.
If you use ACS to control access to Security Manager, you can also control the following:
• You can control ac

Table 66-1 Event Viewer Scope and Limits

Device Support: You can view events collected from the following types of devices. Although Event Viewer has been tested with the indicated software releases, you might be able to use it with older software releases.
• ASA devices (including ASA-SM) and security contexts—All 8.x releases.
• FWSM devices and security contexts—Releases 3.1.17, 3.2.17, 4.0.10, and 4.1.

Deeply Parsed Syslogs

The structure and contents of standard syslogs and the elements comprised by each are detailed in the System Logs documentation for the device and software version you are using. You can find the documentation on Cisco.com at these locations:
• ASA Devices: http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
• FWSM Devices: http://www.cisco.
Table 66-2 Deeply Parsed Syslogs (Continued)

Syslog Category    Syslog ID        Total Number of Syslogs
Etherchannel       426001-426003    3
Cluster            302022-302027    6

Overview of Event Viewer

Use Event Viewer to view events and alerts collected from monitored firewall and IPS devices. For more information about selecting devices for monitoring, see Selecting Devices to Monitor, page 66-31.

The following list explains the main Event Viewer window in more detail.
• (1) Menu Bar—General commands for performing actions in Event Viewer, including the following menus:
– File, for operations on views. For information on the commands, see Event Viewer File Menu, page 66-8.
– View, for operations within a view and general system management. For information on the commands, see Event Viewer View Menu, page 66-9.

Table 66-3 File Menu in Event Viewer (Continued)

Save: Saves changes made to the active view, including filters (for custom views only), table preferences such as selected columns, column width, and sort order, the time range, and color rules. See Saving Views, page 66-38. If you want to save filter changes for a predefined view, you must use Save As to create a new custom view.

Table 66-4 View Menu in Event Viewer (Continued)

Start: Initiates retrieving events to update the current view’s event table. The event table then displays events received from the moment you clicked Start back to either the limit of the time mode or the event table pagination limit. Alternatively, click the Start button on the event table toolbar.
Stop: Stops event retrieval.

View List

The left pane of the Event Viewer main window displays a list of available views as shown in the following illustration. A view is a set of filters and other properties, including color rules, selected columns and their positions and widths, and the default time window, that let you define a subset of events.

– Open in New Tab—Opens the view in a new tab, so that no existing open views are closed. See Opening Views, page 66-34.
– Save As—Saves the view as a new custom view. See Saving Views, page 66-38.
– Edit—Edits the custom view name and description. See Editing a Custom View Name or Description, page 66-38.
– Delete—Deletes the custom view. See Deleting Custom Views, page 66-39.
– View Description—Displays the description for the view.

Figure 66-3 Event Monitoring Window
1 View tabs.
2 View Settings pane.
3 Event table toolbar.
4 Filtered column icon.
5 Event table.
6 Time slider.
7 Event Details pane.
8 Column selector button.
9 Open view scroll buttons and list.

The Event Monitoring window contains these main elements:
• View tabs (1, 9)—When you open a view, it is represented as a tab in the window.
• View Settings pane (2)—Use the View Settings pane to define the column filters and color rules to use in a view. You can open and close the pane by clicking anywhere in the heading or by toggling the View > Show View Settings command. The View Settings pane contains two tabs: Filter and Color Rules. These tabs are shown along the bottom of the pane.

Table 66-5 Event Table Toolbar Elements

1 Search Within Results Field: This tool is also known as the Quick Filter. Use it to search for a word or phrase as well as to limit the scope of the search to certain columns. Further, you can select whether the search term used should be considered case sensitive, whether wildcards may be used, and whether a match may be partial, case sensitive, exact, or anywhere within a string.

Table 66-5 Event Table Toolbar Elements (Continued)

5 Start (Equivalent to View > Start.): Click Start to reload or restart the listing of events in the Event Table. Clicking Start retrieves any events that have occurred since you originally loaded the table.
6 Stop (Equivalent to View > Stop.): Click Stop to halt the listing of events in the Event Table. If you are in a real-time view, the Time Selector indicates the

Table 66-6 Event Viewer Column Descriptions

AAA Group: The AAA group policy.
AAA Server: The server that handles user requests for access; it performs authentication, authorization, and accounting.
AAA User: The AAA username.
ACE Hash1, ACE Hash2: The hashcode1 and hashcode2 of the access control list entry (ACE). Hash codes are required for successful policy lookups from syslog 106023 and 106100 events.
Destination: The IP Address or hostname of the traffic destination (for ASA and FWSM) or the attack target (for IPS). It can be multi-valued and contain IPv4 or IPv6 addresses. If View > Show Network Host Objects is selected and a host object is defined that matches the destination IP address, the host object name is displayed.
Event Summary: Specifies that this is a summary alert, representing one or more alerts with common characteristics. The numeric value indicates the number of times the signature fired since the last summary alert with a matching initialAlert attribute value.
Event Type ID: For ASA or FWSM, the syslog ID.
Initial Alert: This field applies to a summary alert, representing one or more alerts with common characteristics. The value of InitialAlert provides the event ID of the last non-summary evIdsAlert with the same characteristic (sigid/subsigid).
Ip Log ID: The IP Log Identifier that uniquely identifies (with host-scope) an iplog document.
NAT Type: The type of network address translation, for example Static or Dynamic.
New Time: The time to which the device clock was changed.
New Version: The system software version after an upgrade installation.
No.: The number of the event (row) in the current display. This is a simple sequential number and is not related to the content of the event.
Sig Details: The details of the reported signature that was triggered and resulted in the generation of the alert.
Sig ID: The Sig ID value is used by the alert originator to identify the activity. It identifies the pre-defined signature defined for this activity.
Signature Version: The version of the signature definition used to generate an alert.
Truncated: Whether the trigger packet contained in the event is truncated.
Tunnel Type: The VPN tunnel type.
Type: The AAA type, for example authentication, authorization, or accounting.
Upgrade Name: The name of the upgrade package that was uninstalled.
URI: The URI of the auto-upgrade server directory.
The time range of the events displayed in the event table is determined by the selected time interval. For more information, see Selecting the Time Range for Events, page 66-39. The following table explains the pagination controls to the right of the time slider.

Table 66-7 Time Slider Paging Controls

Previous page (earlier) and next page (later). The size of page varies according to the selected time mode.

Preparing for Event Management

Ensuring Time Synchronization

Standard network management practice includes consideration of time differences and network device synchronization. Typically, this includes the use of a Network Time Protocol (NTP) server. Event Viewer is most easily used with a common time standard.

Note You can use EMBLEM message format if you desire; both traditional and EMBLEM formats are supported. Keep in mind that EMBLEM is not supported by CS-MARS, so do not send EMBLEM-formatted messages to a CS-MARS server. For detailed information about the options in the Syslog Servers policy, see Syslog Servers Page, page 52-21.

For more information about configuring the Allowed Hosts policy, see Identifying Allowed Hosts, page 35-7.
• Platform > Device Admin > Server Access > NTP—(Recommended) Configure the same NTP server that you use for the Security Manager server to ensure consistent date and time information for easy event correlation. If you use different servers, ensure the servers are synchronized.
Tip

Managing the Event Manager Service

Related Topics
• Monitoring Event Data Store Disk Space Usage, page 66-31

Step 1 In the main Security Manager window (not Event Viewer), select Tools > Security Manager Administration and select Event Management from the table of contents.
Step 2 Do one of the following:
• To enable, or start, the Event Manager service, select Enable Event Management.
• To disable, or stop, the Event Manager service, deselect Enable Event Management.

To view detailed information, click on the alert status icon. A bubble opens that shows summary statistics for the past five minutes, including the number of events received and dropped and event server alert messages, if any. Click the alert status icon again to close the bubble. When the bubble is open, you can click the Details link in the bubble to view more detailed information.

Table 66-8 Event Manager Status Messages (Continued)

Alert Message: The event data store location does not exist, therefore events cannot be stored.
Alert Level: High
Possible Action: The event data store location as configured in the Security Manager Administrative Settings does not exist or the Security Manager server does not have the required read/write permissions to the location.

Selecting Devices to Monitor

All ASA and FWSM devices and security contexts, and IPS devices and virtual sensors, that are added to the Security Manager database are automatically selected for monitoring in Event Viewer.
Note To reliably report events from contexts in multiple-context mode, Cisco Event Viewer requires an IP address for the management interface of each context.

For both the primary and extended locations, when the allocated space is 90% full, the oldest event data is deleted from storage to make room for new data. Data is copied from the primary store to the extended store, if you configure one, so in most cases events deleted from the primary storage continue to be available for querying from the extended storage location, until they are rotated out of the extended storage.
e.
Step 2 In the Security Manager client’s Tools > Security Manager Administration > Event Management page, select the Enable Event Management check box and click Save. You are prompted to verify that you want to start the service; click Yes and wait until you are notified that the service has started.

Using Event Viewer

• Creating Custom Views, page 66-37
• Editing a Custom View Name or Description, page 66-38
• Switching Between Real-Time and Historical Views, page 66-38
• Saving Views, page 66-38
• Deleting Custom Views, page 66-39

Opening Views

You can open up to four historical views and one real-time view in Event Viewer.

If you have already floated a view, you can select Floating to and choose one of the already-floated windows. The view becomes a new tab in that window.
• Docking a view—To move a floating view back to the main Event Viewer window, right-click the view tab and select Docking.

Switching Between Source/Destination IP Addresses and Host Object Names

You can view source and destination IP addresses or you can view the host object name of objects that match a source or destination IP address. By default, the Event Viewer shows host object names when available. IP address to host name mapping is supported only for the source and destination of events.

– Use the Foreground (which is the text color), Background, and Font Type (either Bold or Italics) controls to define how the severity should be presented in the table. The Preview Text area shows how your rule will look.
• To edit a rule, select it and click the Edit button.
• To delete a rule, select it and click the Delete button.

Creating Custom Views

A custom view is one in which you define the filters in the view settings.

Editing a Custom View Name or Description

To change the name of a custom view, or the custom view’s description, do one of the following:
• Select the custom view in the view list and click the Edit button above the list.
• Right-click the custom view in the view list and select Edit.
Then, make the desired changes to the custom view name or description and click OK.

Note View names can be up to 128 characters and contain alphanumeric characters, spaces, hyphens (-), underscore characters (_), plus signs (+), periods, and ampersands (&). The description can be up to 1024 characters.

Deleting Custom Views

You can delete custom views, but you cannot delete predefined views. To delete a custom view, do one of the following:
• Select it in the view list and click the Delete (trash can) button above the list.

• To view events from a specific day, select is on and then select the date from the displayed calendar.
• To view events from a specific date and time range, select is between and select the first and last days and times from the displayed calendars.
• To view real-time events, select Real Time.

• Click Start in the toolbar, or select View > Start. The table is refreshed based on your currently selected time range. For real-time views, the event stream restarts.
• Select a different time range using the Time Selector in the toolbar or the View > Mode command.
• Select a different time slice using the vertical slider or the pagination controls in the time slider below the event table.

event matches 10.10.10.12. For devices that do not have overrides, the events must match 10.10.10.10. Furthermore, if Device A has an event that matches 10.10.10.10, that event is not listed because it does not match the device-level override. Thus, using policy objects can provide results that vary by device and therefore match more closely to your policy definitions.
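The device-level override behaviour described above, as an added Python example that is not part of the original guide or of Security Manager: a filter on a network/host policy object is resolved per reporting device, so the same event column value can be listed for one device and hidden for another. Device A and the addresses 10.10.10.10 and 10.10.10.12 come from the text; the object name MailServer, Device B and the event records are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkHostObject:
    """A network/host policy object: one default value plus optional per-device overrides."""
    name: str
    default: str                                   # address or prefix for devices without an override
    overrides: dict = field(default_factory=dict)  # device name -> address or prefix

    def value_for(self, device):
        """The value that applies to events reported by the given device."""
        return self.overrides.get(device, self.default)


def filter_by_object(events, obj, column="destination"):
    """Keep only events whose column matches the object value in force on the reporting device."""
    kept = []
    for event in events:
        effective = ip_network(obj.value_for(event["device"]))
        if ip_address(event[column]) in effective:
            kept.append(event)
    return kept


# Constructed data: Device A overrides the object's default value.
MAIL_SERVER = NetworkHostObject("MailServer", "10.10.10.10", overrides={"Device A": "10.10.10.12"})

SAMPLE_EVENTS = [
    {"id": 1, "device": "Device A", "destination": "10.10.10.12"},  # matches A's override: listed
    {"id": 2, "device": "Device A", "destination": "10.10.10.10"},  # default value, but A has an override: not listed
    {"id": 3, "device": "Device B", "destination": "10.10.10.10"},  # no override, default applies: listed
    {"id": 4, "device": "Device B", "destination": "10.10.10.12"},  # not B's value: not listed
]


def matching_event_ids(events=SAMPLE_EVENTS, obj=MAIL_SERVER):
    """IDs of the events the filter would list, in table order."""
    return [e["id"] for e in filter_by_object(events, obj)]


if __name__ == "__main__":
    print("Events matching", MAIL_SERVER.name, "->", matching_event_ids())
```

The practical consequence for an analyst is that a filter on an object is not the same as a filter on its default address: to see every event for 10.10.10.10 regardless of device, filter on the literal address instead of the object.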
The items listed in the available values column are determined by the values currently present in the events listed in the events table. For address and service fields, the list also includes policy objects. If there are a lot of available values, you can search for the desired value by typing into the edit box above the list; the list is filtered as you type. Click the down arrow next to the Q to change how your search string is evaluated for matches.

Filtering on a Text String

Use the quick filter to search for text strings in events. As you type a search keyword, the events table automatically excludes non-matching events. You can search on all columns (the default), or you can select a specific column in which to search. The following illustration shows the quick filter, which is on the right of the event table toolbar (see Event Table Toolbar, page 66-14).
When clearing filters, the filter definition is removed from the view settings, but the change is not permanent until you click Save. Thus, you can remove filters temporarily without redefining the view settings. You can clear filters one at a time or clear all filters:
• To clear a single filter, do any of the following:
– Select the filter in the View Settings pane and click Delete.
– Select (All) from the drop-down list of a filtered column.
Chapter 66 Viewing Events Using Event Viewer Table 66-9 Event Context Menu Command Description Clear This Filter Removes the filter defined for this column. The command is available only if you right-click on a cell that is in a filtered column. The filter is removed from the view settings. You must save the view to make your change permanent. Clear All Filters Removes all filters from the view settings. This command is available only if there is at least one column filter.
Chapter 66 Viewing Events Using Event Viewer Table 66-9 Event Context Menu (Continued) Command Description Copy commands You can use the following commands to copy event data to the clipboard. You can then paste the data into a spreadsheet or other program for your use. For more information, see Copying Event Records, page 66-48. • Copy Cell—Copies the contents of the cell you right-click to the clipboard.
Chapter 66 Viewing Events Using Event Viewer – Copy button—Click the down arrow on this button and select All Rows or Selected Rows. The information is copied to the clipboard, and you can paste it into another application. Note that the Selected Rows command works only if you select at least one row in the table. • Next, Previous buttons—Click these buttons to scroll through the events currently displayed in the event table. Next moves up and Previous moves down in the table.
Chapter 66 Viewing Events Using Event Viewer The main reason you would want to perform policy lookup is to adjust a policy based on the events that it is generating. For example, an access rule might be dropping traffic that you actually want to allow. Because you are looking at the event, you know there is a policy that is causing the event, so with a few clicks, you can get from that event to the policy that you need to reconfigure.
Chapter 66 Viewing Events Examples of Event Analysis
Step 1 Right-click the event in Event Viewer and select Go To Policy.
Tip If your organization is using ACS to control access, you must have View Device privileges to the device, and also View privileges to the firewall or IPS policy, to perform policy lookup. If you do not have all permissions, you will get an “Unable to Find Matching Rule” error if you try to look up a matching rule.
Step 2

This procedure assumes that you have first determined that access to the server is not being denied by policy and that the firewall should allow access to the server.
Step 1 Ask the user for the IP address of the workstation and server.
Step 2 Open Event Viewer, for example, by selecting Launch > Event Viewer in Configuration Manager.
Step 3 Double-click the Firewall Traffic Events view to open it.

Tip If the traffic is denied because of the implicit deny any rule at the end of the access list, the Go To Policy command cannot take you to the rule. For tips about rule lookup, see Looking Up a Security Manager Policy from Event Viewer, page 66-48.
a. Right-click the event and select Go To Policy. You are taken to Device view with the rule selected. You are notified if a matching rule cannot be found.
b.

• Monitoring Botnet Using the Security Manager Event Viewer, page 66-53
• Monitoring Botnet Using the Security Manager Report Manager, page 66-55
• Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM), page 66-56
• Mitigating Botnet Traffic, page 66-56
Understanding the Syslog Messages That Indicate Actionable Events
Botnet Traffic Filter events use syslog message numbers 338xxx.

Step 2 Double-click Botnet Events from the list of predefined views in the left pane. You must double-click to activate the view and load it into the right pane. To verify that the view has been opened, ensure that the tab name for the view in the right pane says “Botnet Events.” The following illustration shows an example of the botnet events view.

Figure 66-7 Botnet Event Details for Message 338004, Botnet Destination Blacklist
Step 4 To narrow the list of events to those generated by a single ASA, click the drop-down arrow in the Device column and select the desired device from the list. If you want to narrow the list to multiple ASAs, select Custom from the drop-down list and select the desired devices in the dialog box that appears.

If you want to generate the report on a regular basis, you can configure a schedule as described in Configuring Report Schedules, page 67-28.
Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM)
The Adaptive Security Device Manager (ASDM) includes botnet reporting features. A read-only version of ASDM is installed with the Security Manager client as a device manager, and you can start ASDM from within Security Manager.

Tip Messages 338201-338204 are for greylisted traffic. You might want to first determine if the greylisted traffic is truly objectionable before stopping the traffic.
Step 2 Stop the botnet traffic:
• Messages 338005-338008 and 338203-338204 indicate that the ASA is already dropping the traffic for you. Traffic classification drop rules cover the blacklisted or greylisted addresses.
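As an added example (not part of the Cisco guide), the following Python script applies the message-number ranges described above to ASA Botnet Traffic Filter syslog lines, separating events that still need a decision from those the ASA has already dropped. It assumes the standard %ASA-severity-messageid syslog header; the log lines are constructed samples, and grouping 338001-338008 as the blacklist counterpart of the 338201-338204 greylist range is an inference from the ranges and figure in this section.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog header of an ASA message: %ASA-<severity>-<6-digit message id>: <text>
ASA_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Ranges taken from the guide: 338xxx are Botnet Traffic Filter messages,
# 338201-338204 are greylist messages, and 338005-338008 plus 338203-338204
# are the messages for which the ASA has already dropped the traffic.
BLACKLIST_IDS = set(range(338001, 338009))   # assumption: 3380xx blacklist group
GREYLIST_IDS = set(range(338201, 338205))
DROPPED_IDS = set(range(338005, 338009)) | {338203, 338204}


@dataclass
class BotnetEvent:
    msgid: int
    list_type: str    # "blacklist", "greylist" or "other"
    dropped: bool     # True if the ASA already dropped the traffic
    text: str


def classify(line: str) -> Optional[BotnetEvent]:
    """Parse one syslog line; return a BotnetEvent for 338xxx messages, else None."""
    m = ASA_HEADER.search(line)
    if m is None:
        return None
    msgid = int(m.group("msgid"))
    if not 338000 <= msgid <= 338999:
        return None                      # some other ASA message family
    if msgid in BLACKLIST_IDS:
        list_type = "blacklist"
    elif msgid in GREYLIST_IDS:
        list_type = "greylist"
    else:
        list_type = "other"              # botnet messages the guide does not cover here
    return BotnetEvent(msgid, list_type, msgid in DROPPED_IDS, m.group("text"))


def triage(lines) -> Tuple[List[BotnetEvent], List[BotnetEvent]]:
    """Split Botnet Traffic Filter events into (needs action, already dropped)."""
    needs_action, already_dropped = [], []
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        (already_dropped if ev.dropped else needs_action).append(ev)
    return needs_action, already_dropped


# Constructed sample lines using documentation addresses; not real ASA output.
SAMPLE_LOG = [
    "%ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from "
    "inside:192.0.2.10/51234 to outside:203.0.113.7/80, destination resolved "
    "from dynamic list: malware.example",
    "%ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from "
    "inside:192.0.2.11/51235 to outside:203.0.113.8/443",
    "%ASA-4-338202: Dynamic Filter monitored greylisted TCP traffic from "
    "inside:192.0.2.12/51236 to outside:203.0.113.9/80",
    "%ASA-4-338204: Dynamic Filter dropped greylisted TCP traffic from "
    "inside:192.0.2.13/51237 to outside:203.0.113.10/443",
    "%ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:198.51.100.5/443 (198.51.100.5/443) to inside:192.0.2.14/51238",
]

if __name__ == "__main__":
    todo, done = triage(SAMPLE_LOG)
    for ev in todo:
        print(f"ACTION  {ev.msgid} {ev.list_type}: {ev.text}")
    for ev in done:
        print(f"DROPPED {ev.msgid} {ev.list_type}: {ev.text}")
```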
Removing False Positive IPS Events from the Event Table
An IPS appliance or service module (IPS device) triggers an alarm when a given packet or sequence of packets matches the characteristics of known attack profiles defined in the IPS signatures. False positives (benign triggers) occur when the IPS reports certain benign activity as malicious.

For more information about configuring event action filter rules, see Configuring Event Action Filters, page 39-4. The following procedure shows how to use filtering in Event Viewer to remove false positives from the events list. It uses network/host policy objects to accomplish the filtering.

c. In the Custom Filter for Source dialog box, select the policy object you created and click the right-arrow button to move it to the selected list. Also, select the Not option next to the Condition option. The following illustration shows how the dialog box should look.
d. Click OK. The filter is added to the view settings and is used to remove events from the table.
e. Select File > Save As to save the changes as a new custom view.
Chapter 67 Managing Reports
Use the Report Manager application to view security and usage reports for devices and remote access IPsec and SSL VPNs.

Understanding Report Management
Note Report Manager does not report on FWSM events even though Event Viewer works with FWSM.

• Extranet VPN Configuration Summaries—You can print, or generate a PDF file of, a summary of the configuration of an Extranet VPN. This summary can include the preshared key used for the connection. You can use this information to maintain a current record of connections between your network and the networks of partners or service providers. For more information, see Viewing a Summary of a VPN Topology’s Configuration, page 24-59.

Understanding Report Manager Data Aggregation
Report Manager aggregates information that is collected from monitored devices by the Event Manager service. Thus, to view reports about a device, you must also be monitoring the device in Event Viewer. Report Manager collects data using two techniques.

Report Manager aggregates this collected information at 15-minute, hourly, daily, and monthly intervals. Fifteen-minute aggregated data is kept for a day, hourly data for up to five days, and the other data for 90 days.
Chapter 67 Managing Reports Overview of Report Manager
– Viewing Scheduled Report Results, page 67-30
– Enabling and Disabling Report Schedules, page 67-30
– Deleting Report Schedules, page 67-31
• You must have system administrator or network administrator privileges to see a list of all custom reports configured on the server and to delete another user’s custom report. See Managing Custom Reports, page 67-27.

Figure 67-1 Report Manager Main Window
The following list explains the main Report Manager window and its call-outs in more detail.
• Menu Bar (1)—General commands for performing actions in Report Manager. For a description of the commands, see Report Manager Menus, page 67-8.

You can use the Maximize control (7) above the pane to make it take over the entire workspace (hiding the report list). After maximizing the pane, the control changes to a Restore control to return the main window to a two-pane view. You can use the right and left arrows, and the Show List icon button, to scroll through the open reports or to go directly to a report.

Table 67-2 Report Manager Menu Reference (Continued)
Tools > Default Report Settings: Configures the default settings for predefined system reports. See Configuring Default Settings for Reports, page 67-24.
Tools > Custom Report List: Displays all custom reports configured on the server, not just those that you created. You can manage reports from this window. See Managing Custom Reports, page 67-27.

• Right-click shortcut menu (not shown)—If you right-click on a report, you get a list of additional commands that you can perform, such as opening the report, creating a schedule, or saving the report as a new report.
• Edit button (3)—Click the Edit button to change the name of the selected custom report. You can edit custom reports only. For more information, see Renaming Reports, page 67-26.

• Heading and toolbar (2)—The top of the settings pane includes the heading (for example, Top Sources - Settings) and a row of buttons for manipulating the settings. You can open or close the pane by clicking the heading or the up arrow button in the far right of the toolbar. The other buttons have the following functions:
– Create Schedule button—Creates a new schedule for automatically generating reports based on these settings.

Figure 67-4 Report Manager Generated Report Pane and Toolbar
The Report List includes the following controls (illustration call-outs cited):
• Report toolbar (1)—The top of the generated report pane is a row of controls for generating and manipulating reports. The controls have the following functions:
– Generate Report button—Generates a report based on the criteria defined in the report settings (in the upper pane).
Chapter 67 Managing Reports Understanding the Predefined System Reports in Report Manager
– Window size control (3)—If you hover the mouse pointer over the vertical dashes below the graphic in the center of the window, you can click and move the pointer to change the size of the graphical portion of the report. The graphic is automatically resized as you increase or decrease the size of the area. In fact, you can hover over any part of the top of the table to access this control.

• Top Destinations—This report ranks the session destinations of all built/deny firewall events received by Security Manager. The report shows the destination IP address, the count of the number of events for each address, and the percentage of the count compared to the sum of all counts in the report.

– Malware Site—The domain name or IP address in the dynamic filter database to which the traffic was initiated.
– List Type—Whether the site is on the black list or the grey list.
– Connections Logged—The count of the number of connections logged or monitored for each site.
– Connections Blocked—The count of the number of connections that were blocked (dropped) by botnet traffic filtering for each site.

Understanding General VPN Reports
Report Manager includes predefined system reports that you can use to analyze general remote access VPN usage in your network. These reports are not specific to the connection types used in the VPN. The following reports are available in the System Reports > VPN folder.

• Top Victims—This report ranks the victim (destination) addresses that generated the highest numbers of recorded IPS alerts. The report shows the victim address, the count of the number of alerts for each address, and the percentage of the count compared to the sum of all counts in the report. The default report includes information for all attackers, victims, and signatures for both blocked and unblocked actions.
Chapter 67 Managing Reports Working with Reports in Report Manager
• IPS Simulation Mode—This report provides a comparison of alerts in inline (IPS) and promiscuous (IDS or IPS simulation) modes. The report shows the number and percentage of alerts based on mode, either Non Simulation Count (inline) or Simulation Mode Count (promiscuous). The IPS sensor cannot directly block attacks that occur in promiscuous mode.

Related Topics
• Overview of Report Manager, page 67-6
• Creating Custom Reports, page 67-20
• Arranging Report Windows, page 67-25
• Troubleshooting Report Manager, page 67-31
Step 1 In Report Manager, do one of the following to open a report:
• Double-click the name of the report in the report list (in the left pane).
• Select the report in the reports list and select File > Open.

– Count—The number of times the item appears in an event or related statistic.
– Percentage—The ratio of the reported characteristic to the total sum of that characteristic in the report. The ratio includes only those numbers included in a report, so, for example, you could get a different percentage for the same item in a top 10 versus a top 25 report.

Step 4 Click the Save As button in the settings toolbar, or select File > Save As.
Step 5 Enter the name of the report and optionally a description and click OK. Report names can be up to 64 characters and contain alphanumeric characters, spaces, hyphens (-), and the underscore character (_). The description can be up to 1024 characters.

The device list is pre-filtered to show devices of the appropriate type only. For example, if you are editing the settings for a firewall report, IPS devices do not appear in the list of selectable devices.
• Time—To change the time span used to select events and data to include in the report. The time is based on the Security Manager server time.

– Signature ID (IPS top attackers, top signatures, top victims)—The signatures to include in the report. To specify signatures, click the Edit button next to the field and select the desired signatures. You can select a folder to select all signatures in the folder.
Note In the predefined system reports, you cannot specify values for all three of the Signature ID, Attacker IP, and Victim IP criteria.

• (PDF only.) The graphical representation of the report data.
• The tabular report data. In PDFs, the information is represented as a table. In CSVs, the information is comma-separated, with the first row being the column headings.
To export the report, click the down arrow in the Export button above the report and select either As PDF or As CSV. You are prompted to select a folder for the report.

Arranging Report Windows
You can open up to five report windows at one time. Reports are opened as tabbed windows in the right pane of the main Report Manager window, in the most recently used area (“tabbed group”) if there is more than one area. The commands to arrange the windows appear if you right-click the tab for the report window as shown in the following illustration.

Tip When you save a report, you are saving the settings that define the report. You are not saving the generated content of the report. If you want to save the generated content of the report, that is, the graphs and the report data, you must export the report rather than save it.
• To save changes to a custom report, do one of the following in Report Manager:
– Select File > Save from the menu bar.
Chapter 67 Managing Reports Scheduling Reports
Tip When you close a report, none of the generated report data is preserved. If you want to preserve the generated data, you must print it or export it before you close the report window.
You can also use the following techniques to close the report windows without exiting Report Manager:
• Close a report—Select File > Close Report to close the currently viewed report, or right-click the desired report tab and select Close.

This section contains the following topics:
• Viewing Report Schedules, page 67-28
• Configuring Report Schedules, page 67-28
• Viewing Scheduled Report Results, page 67-30
• Enabling and Disabling Report Schedules, page 67-30
• Deleting Report Schedules, page 67-31
Viewing Report Schedules
You can view a list of report schedules that are configured in Report Manager.

Related Topics
• Overview of Report Manager, page 67-6
• Opening and Generating Reports, page 67-18
• Viewing Report Schedules, page 67-28
• Troubleshooting Report Manager, page 67-31
Step 1 In Report Manager, do one of the following:
• On the Reports tab, open the report for which you are creating a new schedule by double-clicking the name of the report in the report list (in the left pane).

Step 3 Click OK to save the schedule. New schedules are added to the schedules list on the Schedules tab.
Viewing Scheduled Report Results
Typically, report schedules include e-mail addresses to which generated reports are sent. You can also view reports generated from schedules in Report Manager. If you have system administrator or network administrator privileges, you can view results generated by other users’ schedules.
Chapter 67 Managing Reports Troubleshooting Report Manager
• Viewing Report Schedules, page 67-28
Step 1 In Report Manager, select the Scheduled Reports tab, then, if necessary, the Schedule List sub-tab. This tab lists all currently defined schedules that you are authorized to see.
Step 2 Select the schedule whose status you want to change and click either the Enable or Disable button.
Deleting Report Schedules
You can delete report schedules if you no longer need them.

• Ensure that these devices are appropriately configured for sending events to Security Manager, and that events from the device appear in Event Viewer. Ensure that the device and Security Manager are using the same syslog port. For information on configuring the devices, see Configuring ASA and FWSM Devices for Event Management, page 66-25 and Configuring IPS Devices for Event Management, page 66-26.

Solution: The top attackers, top victims, and top signatures predefined reports include criteria for signature, victim IP address, and attacker IP address. However, you cannot configure all three criteria in a predefined report. Instead, you can configure the criteria on which the report is based (for example, victim IP address for the top victims report) plus one, and only one, of the remaining values.
Chapter 68 Health and Performance Monitoring
The Health and Performance Monitor (HPM) application lets you monitor key health and performance data for ASA devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information. A variety of views are provided—All Devices, Firewall Devices, IPS Devices, VPN Summary, and so on—and you can create your own customized views. A configurable listing of device alerts is also available.
Chapter 68 Health and Performance Monitoring Health and Performance Monitor Overview
• Report Manager – Collects, displays, and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, and victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods.

Chapter 68 Health and Performance Monitoring HPM Access Control
For additional graphical information about the health and performance of a specific device, you can launch the related device manager by right-clicking the entry for a device, a cluster node, or the system context for a multi-context device, and then choosing Device Manager from the pop-up menu. See Starting Device Managers, page 69-4 for more information about the device managers.

Chapter 68 Health and Performance Monitoring Preparing for Health and Performance Monitoring
• You can control access to the Health and Performance Monitoring administrative settings page (in Security Manager’s Configuration Manager) where HPM is enabled or disabled, as described in Health and Performance Monitoring Page, page 11-25. The user must have the Modify > Policies > HPM Admin privilege to access this page (or any other administrative settings page).

Chapter 68 Health and Performance Monitoring Managing Monitored Devices
• Choose All Programs > Cisco Security Manager Client > Health and Performance Monitor from the Windows Start menu (your command path may differ slightly).
• Double-click the Health and Performance Monitor icon on your system desktop.
• Choose Launch > Health and Performance Monitor from the Configuration Manager, Event Viewer, Image Manager, or Report Manager applications.

Chapter 68 Health and Performance Monitoring HPM Window
Step 6 Select the types of VPN to be monitored on specific devices by checking the appropriate boxes.
Step 7 Click Save to save and apply your changes, and close the device selector.
HPM Window
The Health and Performance Monitor (HPM) application window is where you view status information and alerts collected from monitored firewall and IPS devices, as well as remote-access (RA) and site-to-site (S2S) VPN information, across your network.
Figure 68-1 Health and Performance Monitor Window
1 Monitoring button.
2 Alerts button.
3 Quick-launch buttons.
4 Monitoring/Alerts display area.
The HPM window consists of three main elements:
• Monitoring button (1) – Click this button to view device and VPN health and performance data. See HPM Window: Monitoring Display, page 68-23 for more information.

Working with Table Columns
You can customize the different tables of information presented in HPM as follows:
• Sort a table such that entries in a particular column are in ascending or descending order.
– Click a column heading—anywhere but on a drop-down menu button—to sort the table such that the column entries are in ascending order (indicated by a small grey up-arrow).

The order of the entries in the Choose Columns to Display dialog box reflects the ordering of the columns when displayed. (However, the ordering of the rows in the following table does not necessarily reflect the ordering of the columns as displayed.) See Showing and Hiding Table Columns, page 68-8 for information about opening the Choose Columns to Display dialog box.

Table 68-1 Available Table Columns for Device-related Views (Continued)
Memory (%) (IPS, Firewall): Memory usage as a percentage of the total available.
CPU (%) (IPS, Firewall): CPU usage as a percentage of the total available.
Model (IPS, Firewall): Device type and model number. For example, ASA 5510, or IPS 4270.
Version (IPS, Firewall): Software version running on this device.

Table 68-1 Available Table Columns for Device-related Views (Continued)
Connections (Firewall): Number of active connections when the device was polled.
Xlates (Firewall): Address translation counter.
Connections/second (Firewall): Number of connections established per second.
Translations/second (Firewall): Number of translations per second.

Table 68-1 Available Table Columns for Device-related Views (Continued)
Syn Attack Dropped Packets (Firewall): Number of packets dropped because of SYN flooding. Available only at cluster level for ASA clusters; not available for individual nodes.
Total Interface Dropped Packets: Total number of dropped packets on all interfaces.

Table 68-2 Available Table Columns for VPN-related Views (Continued)
User Group Policy (RA): The name of the ASA VPN user group to which this user belongs. Column-based Filtering, page 68-15 is available.
Gateway (RA): IP address of the VPN gateway to which the user is connected. Column-based Filtering, page 68-15 is available.

Table 68-2 Available Table Columns for VPN-related Views (Continued)
Connection Time (S2S): Time and date (HH:MM:SS day-of-week MMM DD YYYY) when the connection was initiated. Time is displayed in 24-hour Coordinated Universal Time (UTC) notation.
Status (S2S): Tunnel connection status; this will be Up or Down.

Table 68-3 Available Data Columns for the Alerts Table
Device Name (always selected): Name of the device on which this alert was triggered, as provided in the Security Manager inventory. Column-based Filtering, page 68-15 is available.
Node: The Node Name if this alert was generated by a member of an ASA load-balancing cluster. Column-based Filtering, page 68-15 is available.
Device Type: Type of device: ASA or IPS.

• All – Choose All to remove or “undo” a filter from this column. The table is updated to show all entries for this parameter. For example, if you filtered the Severity column of the Alerts table to display only Critical alerts, choosing this option will re-display all Critical and Warning alerts.
• Custom – Choose Custom to open the Custom Filter dialog box where you can create a custom filter based on the information in that column.

Available and selected Values lists – In most cases, the dialog box presents two Values lists, as shown in the previous illustration. To select a value for the custom filter, highlight it in the left list, which contains available values for the column, and click the right arrow to add it to the list of selected values on the right. You can select multiple values.

To search for a specific text string in the devices list, the VPNs list, the Alerts table, or the View Cleared Alerts window:
• Click in the List Filter field to place the text cursor, and then begin typing. These are “live filter” fields. That is, as you type each character, entries that do not include your current text string are removed from the list or table.
Chapter 68 Health and Performance Monitoring Monitoring Devices
Monitoring Devices
The HPM Monitoring display presents View controls, view panels, and detailed information about the currently selected device, as described in HPM Window: Monitoring Display, page 68-23. To switch to the Monitoring screen:
• Click the Monitoring button below the HPM menu bar. (Click the Alerts button to return to the Alerts screen.)

Figure 68-3 Health and Performance Monitor: Views Pane
The Views pane includes the following controls:
• (1) Push Pin button – Click the Push Pin button to control display of the Views list. When the list is displayed as a pane of the HPM window (the pin is vertical), click the button to collapse the pane into the left edge of the window, leaving a labeled tab; the Monitoring pane is expanded to fill the HPM window.

This section contains the following topics:
• Views: Opening and Closing, page 68-21
• Views: Tiling Horizontally or Vertically, page 68-21
• Views: Floating and Docking, page 68-22
• Views: Custom, page 68-22
Views: Opening and Closing
All available views are listed in the Views pane, on the left side of the HPM window. The Monitoring pane displays open views, with each open view presented as a separate tabbed panel.

The selected view and the other view(s) are distributed to share the Monitoring pane equally, either horizontally or vertically depending on your choice. Note that if there are more than two views open when you choose one of these commands, the selected view is tiled, with the remaining group of tabbed views displayed as the other tile.

This can be a System View or an existing custom view.
2. Choose Save As from the File menu to open the Save View As dialog box. You also can right-click the selected view and choose Save As from the pop-up menu to open the dialog box.
3. Provide a Name for the new view, and optionally a Description.
4. Specify the devices to be monitored for this view: check and clear entries in the device-selector area of the dialog box.
5.

Figure 68-4 Health and Performance Monitor: the Monitoring Display
1 Views list.
2 Monitoring view controls.
3 Summary of all devices.
4 Status of devices or VPNs.
5 Selected device details.
The Monitoring display consists of five main elements:
• Views list (1) – This pane lists all views available—click an entry in this list to open that view in the Monitoring pane.

• Selected device or VPN details (5) – This section provides detailed information about the device or VPN currently highlighted in the device list. The details section is described in greater detail in Monitoring Views: Device or VPN Details, page 68-26.

Monitoring Views: Device or VPN Details
The HPM Window: Monitoring Display, page 68-23 presents views and detailed information about the currently selected device or VPN. All device-related views and the VPN Summary view provide three or four tabbed panels of detailed information for the individual device or VPN currently selected in the device-status table above it.

– Other Details – A listing of certificate and TrustPoint details. See Managing Monitored Devices, page 68-5 for information about selecting devices for VPN monitoring.
Monitoring Views: VPN, RA and S2S
The HPM Monitoring display presents a variety of device- and VPN-related data views, as described in HPM Window: Monitoring Display, page 68-23.
Chapter 68 Health and Performance Monitoring Alerts and Notifications Step 1 Click the appropriate tab to display the View you want to export (that is, Priority Devices, VPN Summary, All Devices, or another). Tip Step 2 To export the data for a subset of all entries in a particular view, create a custom view that includes only the desired devices. See Views: Custom, page 68-22 for information.
Chapter 68 Health and Performance Monitoring Alerts and Notifications You also can enable email alert notifications. If configured, an email is sent to the specified address(es) whenever an alert is generated. You can provide multiple addresses for each category of alerts (Firewall and IPS). Note An email notification is sent the first time an alert is logged, and when the severity of an alert changes from warning to critical (but not vice-versa).
Chapter 68 Health and Performance Monitoring Alerts and Notifications Figure 68-5 Health and Performance Monitor: Alerts Display 1 Alerts button. 5 Clear button. 2 List Filter field. 6 Acknowledge button. 3 Alerts table. 7 View Cleared Alerts button. 4 Refresh button. The Alerts display consists of seven main elements: • Alerts button (1) – The HPM window displays either Monitoring information for devices and VPNs, or a table of alerts generated by monitored devices.
Tip See Alerts: Acknowledging and Clearing, page 68-38 for additional information about clearing and acknowledging alerts.
• Acknowledge button (6) – When one or more alerts are selected, you can click this button to open the Acknowledge dialog box. If desired, you can enter a note that will be applied to the selected alerts. Click the Acknowledge button to close the dialog box and mark all highlighted alerts as acknowledged.
Step 3 On the FW panel, configure firewall-related alerts—click the FW tab to display the panel.
1. To enable email notifications when firewall alerts are generated, enter one or more valid addresses in the Email Addresses field; separate multiple addresses with commas.
2. Use the checkboxes in the section headings to enable and disable specific alerts. Expand a section to update those alert definitions.
Table 68-4 IPS Alerts Configuration (Continued)
Setting | Description
SensorApp Status | Errors generated by the SensorApp application are tallied. Alerts and notifications are generated when the number of events reaches the specified Occurrences value.
Bypass Mode | Any time bypass mode is triggered, one Occurrence is tallied for this setting.
Table 68-5 Firewall Alerts Configuration
Setting | Description
Failover Peer Status | The status of the link to the device’s failover peer is polled periodically. Each failed contact attempt is tallied as one Occurrence. Alerts and notifications are generated when the number of occurrences reaches the values specified here.
Table 68-5 Firewall Alerts Configuration (Continued)
Setting | Description
CPU Usage | An Occurrence is tallied each time CPU usage exceeds the specified Threshold percentage. This is per stand-alone device; per node of a single-context cluster; and per node for the system context only in a multi-context cluster. Alerts and notifications are generated when the number of occurrences reaches the values specified here.
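The Occurrence/Threshold tallying described for settings such as CPU Usage, together with the email rule from the note above (mail on the first logged alert and on a warning-to-critical change, never the reverse), modelled as an added example that is not Cisco's code. The two severity rows with their own Threshold and Occurrences values, the clear() behaviour and the polled samples are assumptions constructed for the example.

```python
"""Added example, not Cisco's code: a small model of how HPM tallies Occurrences
against a Threshold for a setting such as CPU Usage, and of when an email
notification is sent (first time an alert is logged, and when severity rises
from warning to critical, never on the way down). Severity rows, their
Threshold/Occurrences values and the polled samples are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SeverityRule:
    threshold_pct: float   # a polled value above this counts as one Occurrence
    occurrences: int       # Occurrences needed before the alert is raised at this severity
    tally: int = 0


@dataclass
class AlertSetting:
    name: str
    warning: SeverityRule
    critical: SeverityRule
    severity: Optional[str] = None              # None, "warning" or "critical"
    notifications: list = field(default_factory=list)
    history: list = field(default_factory=list)  # cleared alerts kept for review

    def _evaluate(self) -> Optional[str]:
        """Highest severity whose Occurrences value has been reached."""
        if self.critical.tally >= self.critical.occurrences:
            return "critical"
        if self.warning.tally >= self.warning.occurrences:
            return "warning"
        return None

    def process_sample(self, value_pct: float) -> Optional[str]:
        """Tally one polled value; return the email text that would be sent, or None."""
        for rule in (self.warning, self.critical):
            if value_pct > rule.threshold_pct:
                rule.tally += 1
        new = self._evaluate()
        message = None
        if self.severity is None and new is not None:
            message = f"{self.name}: {new} alert logged"
        elif self.severity == "warning" and new == "critical":
            message = f"{self.name}: severity raised to critical"
        # No other transition produces mail (critical never drops back by tallying).
        if new is not None:
            self.severity = new
        if message:
            self.notifications.append(message)
        return message

    def clear(self, note: str = "") -> None:
        """Clear the alert, as an operator does or as HPM does when a threshold changes."""
        if self.severity is not None:
            self.history.append((self.severity, note))
        self.severity = None
        self.warning.tally = 0
        self.critical.tally = 0


def run_poll_cycle(setting: AlertSetting, samples):
    """Feed polled values in order and return the mails that would be sent."""
    return [m for m in (setting.process_sample(s) for s in samples) if m]


def cpu_usage_setting() -> AlertSetting:
    # Constructed values: warning after two samples above 80%, critical after three above 90%.
    return AlertSetting("CPU Usage", SeverityRule(80, 2), SeverityRule(90, 3))


if __name__ == "__main__":
    setting = cpu_usage_setting()
    for mail in run_poll_cycle(setting, [50, 85, 95, 85, 92, 96, 70]):
        print(mail)
```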
Tip When VPN alerts are enabled, HPM polls the monitored devices and contexts at normal and Priority intervals (ten and five minutes, respectively), according to your normal/Priority designations. You also can enable SNMP monitoring, which updates HPM tunnel status immediately upon processing the traps. See Configuring SNMP for S2S Polling, page 68-36 for more about enabling SNMP processing for HPM.
– authnopriv (authentication, no privacy) – User name, Password, Auth Algorithm, and Engine ID are required.
– authpriv (authentication and privacy) – User name, Password, Auth Algorithm, Privacy Password, Privacy Algorithm, and Engine ID are required.
Again, configuration of SNMP v3 is performed separately, as described in the next section.
Note See Managing Monitored Devices, page 68-5 for information about specifying the devices to be monitored.
To switch to the Alerts screen:
• Click the Alerts button below the HPM menu bar. (Click the Monitoring button to return to the Monitoring screen.)
The Alerts listing is a basic table, consisting of rows and columns, with each row representing one alert from a given device.
Note Alerts can be cleared automatically by HPM if you change the relevant threshold(s). Like alerts you have cleared, these alerts can be viewed in the View Cleared Alerts window (see Alerts: History, page 68-39). Notes and other information for cleared alerts are saved in an Alerts database for 30 days.
Alerts: History
All alerts generated for monitored devices are displayed as a table in the HPM window.
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
A high degree of network availability is a requirement for large enterprises and service providers. Network managers face various challenges in maintaining network availability, including unscheduled down time, lack of expertise, insufficient tools, complex technologies, business consolidation, and competing markets.
Viewing Inventory Status
Step 1 In Device view, select Tools > Inventory Status to open the Inventory Status Window, page 69-2.
Step 2 Select the device whose detailed status you want to view in the upper table. The detailed information is shown in the tabs in the lower pane. The information is organized into folders; click the +/- icons to open and close folders, or double-click the folder name.
Field Reference
Table 69-1 Inventory Status Window
Element | Description
Device Summary Information for All Devices (Upper Pane)
Export button | Click this button to export the inventory as a comma-separated values (CSV) file. You are prompted to specify a file name and to select a folder on the Security Manager server. You can use the export file for reference or analysis.
Starting Device Managers
You can start a device manager to view a device’s configuration and status from within Security Manager. You can start device managers for ASA, ASA-SM, PIX, FWSM, IPS, and IOS devices. Each device manager includes several monitoring and diagnostic features that provide information regarding the services running on the device and a snapshot of the overall health of the system.
Table 69-2 Device Managers Available in Security Manager
Device Manager | Description
IDM | The IPS Device Manager (IDM) lets you monitor IPS sensors and modules that are part of the Security Manager inventory. See the IDM documentation for more information about using this device manager.
PDM | The PIX Device Manager (PDM) lets you monitor PIX 6.x devices and early FWSMs, specifically FWSM releases 1.
• All users associated with any of the CiscoWorks Common Services roles have permission to start device managers from Security Manager, with the exception of the Help Desk role or any of the predefined Cisco Secure ACS roles. Ensure you have appropriate permissions.
• SSL/HTTPS must be enabled on the target device to provide secure communications between Security Manager and the device.
device tests the packet against each access rule in the order listed. When a rule is matched, the device performs the specified action, either permitting the packet into the device for further processing, or denying entry. If the packet does not match any rule, the packet is denied.
Activity on your firewall or router can be monitored through syslog messages.
Step 2 Select Launch > Device Manager to start ASDM. For more information about starting device managers, see Starting Device Managers, page 69-4.
Step 3 In the ASDM window, click the Monitoring button to display the Monitoring panel; click Logging in the left pane to access the log-viewing options.
Step 4 Select either Real-time Log Viewer or Log Buffer.
Launching Cisco Prime Security Manager
Step 3 In the SDM window, click the Monitoring button to display the Monitoring panel; click Logging in the left pane to access the log-viewing options. The Logging pane appears with the Syslog tab displayed.
Step 4 To view the access rule that triggered a specific syslog message, select the message and click the Go to Rule in CSM button above the table of log messages.
Step 2 Right-click the selected device and choose Prime Security Manager from the pop-up menu. Alternatively, you can choose Prime Security Manager from the Configuration Manager’s Launch menu. (These commands are available only when you have selected an ASA CX.)
A new browser window opens, displaying the PRSM log-in screen.
When a CX module is detected on an ASA, the management IP address of the module itself is fetched and the ASA CX section of the Device Properties window is updated; see Device Properties: General Page, page 3-40. The management IP address is used to cross-launch PRSM.
2. Copy the CSV file to the client system. This file can be edited, if necessary.
3. Launch PRSM and import the CSV file.
Analyzing an ASA or PIX Configuration Using Packet Tracer
Packet tracer is a policy debugging tool for ASA and PIX security appliances running version 7.2.1+ that are not operating in transparent mode.
To use Packet Tracer:
Step 1 (Device view) Right-click the ASA or PIX 7.2.1+ device and select Packet Tracer on the shortcut menu to open the Packet Tracer window.
Step 2 Select the interface you want to test from the Interfaces list. The list contains all interfaces defined on the device.
The detailed information organizes the results in folders that correspond to the phases, with an Action column that indicates the results of the phase (checkmark for passed, red X for dropped). To open a folder, click its heading. Detailed information can include the specific configuration commands evaluated and the data derived from show commands.
Analyzing Connectivity Issues Using the Ping, Trace Route, or NS Lookup Tools
Table 69-3 Profiles of the Ping, Trace Route, and NS Lookup Troubleshooting Commands
Tool | Profile
Ping | Use Ping to test whether a particular host is reachable across an IP network and to measure the round-trip time for packets sent from the local host to a destination computer.
• Pinging through a security appliance—Ping packets originating from the Ping tool may pass through an intermediate security appliance on their way to a device. The echo packets also pass through two of its interfaces as they return.
Analyzing Configuration Using TraceRoute
The Traceroute tool helps you to determine the route that packets will take to their destination. The tool prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. Traceroute can return useful information about TCP/IP connectivity across your network.
Table 69-5 Traceroute Fields (Continued)
Field | Description
TTL Min [optional] | The minimum TTL value for the first probes. (Default is 1.)
TTL Max [optional] | The maximum TTL value for the first probes. (Default is 30.)
Using the Packet Capture Wizard
The Packet Capture Wizard also supports packet captures on ASA clusters. If you run the Packet Capture Wizard on the master unit of an ASA cluster, you are given the option of capturing data for just the selected device or all devices in the cluster.
– Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.
– Choose the protocol type to capture from the drop-down list. Available protocol types to capture are ah, eigrp, esp, gre, icmp, icmp6, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, snp, tcp, or udp. If the protocol is ICMP, select the ICMP type from the drop-down list.
• Read capture buffer every 10 seconds—Select this option to automatically retrieve captured data every 10 seconds. You must use the circular buffer when selecting this option.
• Use a circular buffer—Select this option to continue capturing packets after the buffer is full. When you choose this setting, if all the buffer storage is used, the capture starts overwriting the oldest packets.
• Click Clear Device Buffer to remove the current content and allow room in the buffer to capture more packets.
Note We recommend saving captures prior to clearing the device buffers. If you do not save captures prior to clearing the device buffers, captured data will be lost.
Integrating CS-MARS and Security Manager
Checklist for Integrating CS-MARS with Security Manager
To enable the cross-communication between CS-MARS and Security Manager (as described in Integrating CS-MARS and Security Manager, page 69-22), you must identify the applications to each other and ensure that devices managed by both applications are configured appropriately. The following table describes the integration steps.
Configuring the Security Manager Server to Respond to CS-MARS Policy Queries
CS-MARS must be allowed access to the Security Manager server so that it can perform policy lookup queries and obtain policy information.
Step 2 Click the Add button to add a CS-MARS server. The New CS-MARS Device dialog box opens (see New or Edit CS-MARS Device Dialog Box, page 11-5 for detailed information).
Step 3 In the New CS-MARS Device dialog box, enter the IP address or fully qualified DNS host name of the server, and a user name and password for logging into the server.
Step 2 Click General in the table of contents to open the General properties page (see Device Properties: General Page, page 3-40).
Step 3 In the CS-MARS Monitoring group, click Discover CS-MARS. Security Manager determines which registered controller is monitoring the device, if any. If there is more than one, you are prompted to select which CS-MARS controller to use.
• Problems with the synchronization between rules and reported events can occur in the following situations:
– The device has been added to Security Manager, but the configuration or changes to it have not been saved to the database. This is especially true for access rules that have been changed but not deployed since the device was added to CS-MARS.
The following topics explain event lookup in more detail:
• Viewing CS-MARS Events for an Access Rule, page 69-28
• Viewing CS-MARS Events for an IPS Signature, page 69-30
Viewing CS-MARS Events for an Access Rule
From the Firewall > Access Rules policy in Security Manager, you can select an access rule and view related event information in CS-MARS.
To view events for a source or destination address, right-click the address in the Source or Destination cell and choose one of the following commands (the specific command differs depending on the cell you select):
– Show Events > Realtime > Matching this Source/Destination—To view real-time query results in CS-MARS for events with a matching source or destination address.
• Viewing CS-MARS Events for an IPS Signature, page 69-30
Viewing CS-MARS Events for an IPS Signature
When an IPS or IOS IPS device detects and reports a network intrusion by comparing incoming traffic to a configured signature, a syslog message is generated on the device.
• Depending on how credentials verification is set up on your system, you might be prompted to log into CS-MARS. For more information, see Registering CS-MARS Servers in Security Manager, page 69-24.
• All custom signatures are categorized as “Unknown Device Event Type” events in CS-MARS.
If you decide to edit a rule, click the rule number, and you are taken to the rule in the Access Rule policy in the Security Manager client. You can then make your edits, save them, and then deploy configurations. Remember that your changes are not made to the device until you deploy them. For more information on configuring access rules, see Configuring Access Rules, page 16-7.
302014 | A TCP connection between two hosts was torn down.
302015 | A UDP connection between two hosts was created.
302016 | A UDP connection between two hosts was torn down.
302020 | An ICMP connection between two hosts was created.
302021 | An ICMP connection between two hosts was torn down.
Router messages
On Cisco IOS routers, syslog messages are also generated for access rules.
messages with an equivalent NetFlow event; the NetFlow Event IDs and Extended Event IDs are included. For information on how to disable NetFlow equivalent syslog messages, see Server Setup Page, page 52-16.
Syslog ID | Syslog Description | NetFlow Event ID | Extended Event ID
302013, 302015, 302017, 302020 | TCP, UDP, GRE, and ICMP connection creation. | 1 = Flow Created. | 0 = Ignore.
Extended Event ID | Event Description
1003 | FLOW DENIED. The security appliance denied an attempt to connect to the interface service. For example, this message appears (with the service SNMP) when the security appliance receives an SNMP request from an unauthorized SNMP management station.
1004 | FLOW DENIED. The flow was denied because the first packet was not a TCP SYN packet.
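The syslog-to-NetFlow equivalence in the tables above, worked through as an added example that is not Cisco's code: it maps the 3020xx connection messages to their NetFlow Event ID and Extended Event ID and pairs each Built message with its Teardown by connection number. The syslog lines are constructed samples, and the Flow Deleted event ID (2) assigned to the teardown messages is the standard NSEL value, which the truncated table does not show.

```python
"""Added example, not Cisco's code: maps ASA connection syslog IDs to the
NetFlow (NSEL) Event ID and Extended Event ID equivalents from the table above,
and pairs Built/Teardown messages by connection number so one flow can be
followed from creation to deletion. The syslog lines are constructed samples;
the Flow Deleted event ID (2) for teardown messages is the standard NSEL value
and is not shown in the truncated table."""
import re

# Syslog ID -> (description, NetFlow Event ID, Extended Event ID)
SYSLOG_TO_NETFLOW = {
    302013: ("TCP connection created", 1, 0),
    302015: ("UDP connection created", 1, 0),
    302017: ("GRE connection created", 1, 0),
    302020: ("ICMP connection created", 1, 0),
    302014: ("TCP connection torn down", 2, 0),
    302016: ("UDP connection torn down", 2, 0),
    302018: ("GRE connection torn down", 2, 0),
    302021: ("ICMP connection torn down", 2, 0),
}
NETFLOW_EVENT = {0: "Ignore", 1: "Flow Created", 2: "Flow Deleted", 3: "Flow Denied"}
# Extended Event IDs listed in the table above (carried by Flow Denied events)
EXTENDED_EVENT = {
    0: "Ignore",
    1003: "FLOW DENIED: attempt to connect to an interface service",
    1004: "FLOW DENIED: first packet was not a TCP SYN",
}

MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<text>.*)")
# Connection number is absent in the ICMP message format, so it is optional here.
CONN_RE = re.compile(r"\b(?P<proto>TCP|UDP|GRE|ICMP) connection(?: (?P<conn>\d+))?")


def parse_line(line):
    """Return the syslog ID, its NetFlow equivalent (if any) and the connection key."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    syslog_id = int(m.group("id"))
    rec = {"syslog_id": syslog_id, "netflow_event_id": None,
           "extended_event_id": None, "description": None,
           "proto": None, "conn": None}
    entry = SYSLOG_TO_NETFLOW.get(syslog_id)
    if entry:
        rec["description"], rec["netflow_event_id"], rec["extended_event_id"] = entry
    c = CONN_RE.search(m.group("text"))
    if c:
        rec["proto"] = c.group("proto")
        rec["conn"] = int(c.group("conn")) if c.group("conn") else None
    return rec


def describe(rec):
    """Human-readable NetFlow equivalent, or a note that the table has no entry."""
    if rec["netflow_event_id"] is None:
        return f"syslog {rec['syslog_id']}: no NetFlow equivalent in this table"
    return (f"syslog {rec['syslog_id']}: NetFlow Event ID {rec['netflow_event_id']} "
            f"({NETFLOW_EVENT[rec['netflow_event_id']]}), Extended Event ID "
            f"{rec['extended_event_id']} ({EXTENDED_EVENT[rec['extended_event_id']]})")


def flow_lifecycle(lines):
    """Pair Flow Created with Flow Deleted by (protocol, connection number).

    Returns (still_open, closed, skipped); each closed entry is (key, matched),
    where matched is False for a teardown with no preceding Built message."""
    open_flows, closed, skipped = {}, [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["netflow_event_id"] is None:
            skipped.append(line)
            continue
        key = (rec["proto"], rec["conn"])
        if rec["netflow_event_id"] == 1:
            open_flows[key] = rec
        elif rec["netflow_event_id"] == 2:
            closed.append((key, open_flows.pop(key, None) is not None))
    return open_flows, closed, skipped


# Constructed sample lines in the 302013/302015 (Built) and 302014/302016 (Teardown)
# formats, plus one translation message (305011) that the table does not cover.
SAMPLE_SYSLOG = [
    "%ASA-6-302013: Built inbound TCP connection 2001 for outside:203.0.113.5/51234 "
    "(203.0.113.5/51234) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "%ASA-6-302015: Built outbound UDP connection 2002 for inside:192.0.2.20/53211 "
    "(203.0.113.1/53211) to outside:198.51.100.53/53 (198.51.100.53/53)",
    "%ASA-6-302014: Teardown TCP connection 2001 for outside:203.0.113.5/51234 "
    "to inside:192.0.2.10/443 duration 0:00:12 bytes 5320 TCP FINs",
    "%ASA-6-305011: Built dynamic TCP translation from inside:192.0.2.20/53211 "
    "to outside:203.0.113.1/53211",
    "%ASA-6-302016: Teardown UDP connection 2002 for inside:192.0.2.20/53211 "
    "to outside:198.51.100.53/53 duration 0:00:01 bytes 180",
]

if __name__ == "__main__":
    for sample in SAMPLE_SYSLOG:
        print(describe(parse_line(sample)))
    print(flow_lifecycle(SAMPLE_SYSLOG))
```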
Part 8 Image Management
Chapter 70 Using Image Manager
Image Manager is a tool to simplify the distribution and management of images on internal and edge firewall devices in your network.
Getting Started with Image Manager
• the steps that are necessary to ensure your devices are configured to work with Image Manager.
• Failover configuration—Two identical ASA devices configured to failover for high availability. They can be configured to be in Active/Active or Active/Standby failover. Refer to http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/ha_overview.html.
Note Image update on an Active/Active failover pair is not supported in Image Manager.
• AnyConnect Client Profile files
• DAP Configuration XML
• Full Customization XML files
After the SSL VPN images have been copied to the device using Image Manager, the remote access VPN policies must be configured in Configuration Manager to make use of these images.
Refer to the Configuration Manager documentation for workflow control setting information.
Step 3 a. Select Workflow.
b. To require that Install Jobs be approved explicitly by an assigned approver before they are installed on devices, select Require Deployment & Install Image Approval.
Tip If you select this option, make sure you configure appropriate email notification settings.
• IP or Hostname
• Port
• Username
• Password
• Confirmation (of Password)
f. Click Test Connection to test connectivity to Cisco.com with the configured settings.
g. Click Save.
Step 5 Configure Purge Interval for Image Install Jobs
a. Select Image Manager.
b. Enter a purge value to specify how many days should pass between purges, in the Purge Jobs Older Than field.
Working with Images
Step 2 Ensure that the configuration register setting is set to boot with the image list in the running configuration.
a. Register value: 0x1, 0x3, 0x5, 0x7, 0x9
b. Register value: 0x1 is the recommended setting.
Note Do not set to boot to rommon mode. (Otherwise the device will not be rebooted and the image upgrade will be aborted.)
Note Only images that are downloaded to the Image Repository can be used for image upgrade jobs.
Note Beginning with Security Manager release 4.4, when Security Manager contacts Cisco.com to update images or to check on the availability of image updates, an additional certificate validation is performed. The update or download fails if you have not accepted the most recent certificate.
• Type
• Version
• Location
• Size
• Description
• Comments (you can add and edit comments for an image).
To view all images, do the following:
Step 1 Check for new images available on Cisco.com
a. Configure the credentials for reaching Cisco.com by navigating to Tools > Security Manager Administration > Image Manager.
b. In the upper right corner, click the double arrow Check for Updates icon.
"Image Meta-data Locator" URL, the image download may fail with an error to accept the certificate of the image download URL. You must retrieve and accept the certificate from the download URL given in the error message to proceed with the image download.
Tip Images can also be downloaded from the Compatible Images tab. For details see Manage Images on a Device, page 70-15.
f. When completed, select a device group in Security Manager and view the image in the listing. By sorting the list on Update Time, you can easily view the most recent image.
g. If the image to be downloaded already exists in the repository, the system displays an error. Alternatively, you can download an image file using the drag-and-drop method.
Working with Bundles
To create a bundle, do the following:
Step 1 From the Bundles heading in the selector, click the Add Bundle (plus sign) icon.
Step 2 In the Create Bundle dialog box that opens, enter the name for the new bundle.
Step 3 Click OK. The bundle is listed under the Bundles heading in the selector.
Step 4 From the Images section of the selector, select an image to be bundled. Then click on the Release Notes tab.
b. Enter the bundle name in the search field under the Bundles banner. The list of bundles displays only the specified bundle.
Renaming Bundles
Bundles can easily be renamed to provide better organization or to more accurately reflect the contents of the bundle. To rename a bundle, do the following:
Step 1 From the Bundles heading in the selector, select a bundle.
Step 2 Right-click the bundle name and, from the drop-down list, select Rename Bundle.
Working with Devices
The following topics explain how to work with devices in Image Manager.
Note For a cluster, only the master node supports the download of files from storage.
• Serial Number—
• RAM Size—
• Running OS Version—Version of OS on the particular member
• CCL IP—Cluster Link IP address
• CCL MAC—Cluster Link MAC address
The Device View table for a Failover device has columns that include Name, Status (for example Standby or Active), Serial Number, RAM size, and Running OS Version. The Failover Device table lists these elements by Primary and Secondary devices for the failover pair nodes.
Note If a particular device is part of a cluster, you can navigate through the cluster to view device storage details.
Tip The device may have more than one storage area, for example, disk1. Be sure to scroll down to see secondary (flash) storage capacity.
Step 4 Note the available disk space on the device.
Note Only physical devices can display memory capacity; clusters do not.
To view the details of the memory on a device, do the following:
Step 1 From the Devices area of the selector panel, choose the device to examine. Details of the selected device appear in the upper window of the Device Summary page.
Step 2 In the upper panel, examine the RAM listing.
Caution Image Manager warns you if there is insufficient RAM on a device to load the new image.
About Image Updates on Devices Using Image Manager
Note For cluster and failover devices, if not all of the physical member devices have the disk that is selected as the Image Install location, a validation error occurs when you try to install images on the cluster or failover device. To proceed with installing images, select as the Image Install location a disk that is present on every member device in the cluster or failover pair.
2. Create an image upgrade job on the active device of the pair, and run the image upgrade job.
3. After the upgrade has occurred, manually convert the pair back to the active/active configuration that existed before the upgrade, by making the required failover groups active on one unit and the remaining failover groups active on the other physical unit.
• Via the new master, the old master is reloaded with the new image.
This procedure for image update followed by Image Manager ensures minimal switchovers and minimal disruption of traffic.
Device State Changes During and After Image Update
Image upgrade is a critical operation, and hence there is a need to depict visually, and inform users of, all image update operations.
Validating a Proposed Image Update on a Device
You can validate the image update job on one or more devices prior to actually performing it. The following list details the various validations that are performed:
• Insufficient disk space on the ASA device to accommodate the selected images. An error is displayed in this case. You must navigate to the Storage tab for that device and delete one or more images to make space.
changes to the NAT policy model in Security Manager for Version 8.3. Hence, when a device is upgraded to ASA 8.3, that device is put into the Configuration Required state to indicate to the Configuration user that some changes are required in Configuration Manager to make the device operational.
• Select Devices and Assign to Images
Tip The same result is obtained by assigning images to devices or by assigning devices to images.
Step 4 Select one or more items (images or devices) by moving them to the window on the right.
Tip You can use pre-defined bundles rather than images by clicking Bundles and selecting the bundle.
Step 5 Click Next and assign the other item (images or devices).
Using the Image Installation Wizard to Install Images on Devices
You can use this feature to create a job to assign and install images on devices. An assignment is simply an association of an image and a device that defines an installation job.
Note If you have the workflow function enabled, you must perform the additional steps described for obtaining authorization before you can accomplish installation.
• Successful—No action required.
Step 9 Right-click on the assignment for more options:
• Move Up/Move Down—Select these options for a multi-device job when you want to change the order in which the devices will get updated. This feature can be used to order or sequence the devices when the Install Images to Devices job option is set to Sequential.
These are located in the top frame in Job properties for the job.
• Action—
• Approve
• Reject
• Deploy
• Submit
Tip If you reject a job, the status is set to Rejected, after which you discard the job. When you discard a job, the status is shown as Discarded and all the job’s action buttons are disabled. If you approve a job, the status is set to Approved.
Tip You can halt the job by clicking Abort. Please see Aborting an Image Installation Job, page 70-32 for important information about aborting an installation job. You can discard a job before the scheduled run time by clicking Discard.
Step 13 When the job starts deploying, notice that the state of the devices changes to Update in progress in the device tree in Configuration Manager and Image Manager.
Step 18 If the device is set to the Configuration Required or Maintenance state after the image update operation, follow the steps below to complete the post-image update requirements and make the device functional from Configuration Manager:
a. Click the device in the device tree in Configuration Manager or Image Manager. A balloon tip appears showing the device information.
b. View the contents of the balloon tip.
To selectively install one or more compatible images on a device or device group, do the following: Step 1 Select a device in the Devices area of the selector and navigate to the Compatible Images tab. Step 2 Select one or more Repository images in the Compatible Images tab. Step 3 Right-click a selected image and click Install.
Chapter 70 Using Image Manager Working with Jobs Step 4 Right-click a selected device and click Install. The Image Installation wizard appears with the selected devices pre-assigned or moved to the right pane in the Select Devices page. Step 5 Click Next. The Select Images page of the wizard is displayed. Step 6 Select the images you want to install, and then click Next. Tip You can also select a bundle in the Bundles tab. The Confirm Assignments page of the wizard is displayed.
Viewing Image Installation Job Summary You can use the Image Manager tool to monitor image installation and deployment jobs. You can view the history and status of jobs that Image Manager has performed, as well as the summary, details, or history of any particular job. Note Comprehensive details of job state changes are available in Configuration Manager (see Job States in Non-Workflow Mode, page 8-4 or Job States in Workflow Mode, page 8-6).
To view the details associated with a job, do the following: Step 1 In the selector, under Jobs, click Install Jobs. Tip The Status column in the Jobs selector indicates whether a job is Submitted, Approved, Deployed, In Progress, or Failed. The main window displays the Jobs list in the upper pane. Step 2 Step 3 Select a job to examine.
• If Parallel is selected, then all the devices up to that batch will undergo image upgrade. All devices from the next batch onwards will be aborted. Retry a Failed Image Install Job If your attempts to deploy an image to one or more devices fail, you can retry the job. However, you should retry the entire job and not attempt to simply continue from a failed step.
Image Installation Job Approval Workflow Image update is a critical operation that has the potential to cause downtime for devices and your network. Hence, change control and management for image install operations is crucial. Change management for image installation jobs is done using the Deployment Workflow framework of Configuration Manager. This ensures that all image installation jobs need to be approved before getting executed or deployed.
Chapter 70 Using Image Manager Troubleshooting Image Management g. Once the job is approved, the job can be deployed by clicking Deploy. The job state is changed to Deploying and image install job execution is started. h. If the job is rejected or any other changes are required to be made for a job, the job can be edited by clicking Edit. The Image Assignments page of the wizard showing all the devices and images is displayed.
Tip Register your acceptance of the Cisco Encryption Software Usage Handling and Distribution Policy. The policy is found at: http://tools.cisco.com/legal/k9/controller/do/k9Check.x?eind=Y. Image Download from Cisco.com is Slow • Ensure a proxy is configured. • Trace the route from Security Manager to Cisco.com. Check for Updates Fails Go to the Security Manager administrative settings page and test connectivity to Cisco.com.
Image Install Job Failure – Error: "Invalid flash device" • Check whether flash exists on the device: – Right-click on the device in Image Manager > Test File Copy to Device. – Connect to the device, and check whether it is a multiple-context device that is being managed as a single-context device in Security Manager. – Rediscover the device, selecting to discover the System Context. Then, retry the image install job.
INDEX device administration Numerics local fallback 12.1 and 12.2 47-3 network access managing routers 58-2 in IKE proposals 47-4 PIX/ASA/FWSM 3DES encryption algorithm 47-5 Accounting tab 25-6 47-4 47-7 Authentication tab 802.1x Authorization tab 802.
Index configuring security group aware About Configuration Manager command 14-13 configuring settings ABR for IOS devices in Map view deleting definition 34-24 for PIX/ASA/FWSM in Map view converting IPv4 editing creating 12-28 12-20 moving preserving ACL names configuring ACL names AAA server group objects configuring settings 16-20 Access Control Settings page 6-45 predefined authentication groups Access Group tab (IGMP) 6-28 16-21 53-5 Event Viewer 66-3 Health and Performanc
Index access rules preserving ACL names access control settings Access Rules page 12-4 Report Manager reports 16-21, 16-23 firewall traffic reports 16-9 ACL naming conventions resolving conflicts 12-5 67-13 16-31 address requirements 16-5 rule attributes Advanced dialog box 16-15 sharing ACLs among interfaces combining rules example understanding interpreting results procedure 16-20 34-23 14-13 controlling non-IP layer-2 traffic 22-1 12-9 understanding processing order understan
Index command replication configuration synchronization Active/Standby failover Add/Edit AnyConnect Client Image dialog box (ASA) 30-55 49-4 49-3 Add/Edit AnyConnect Custom Attributes dialog box (ASA) 30-59, 30-60 49-2 Active Directory (AD) Add/Edit Collector dialog box collecting user statistics 13-25 Add/Edit Content Rewrite dialog box (ASA) configuring agent communication options 13-15, 14-8, 14-10 enabling for identity-aware firewall identifying AD servers and agents Add/Edit DAP Entry D
Index Add Client Access Rules dialog box Add Client Update dialog box Add Column dialog box General tab 33-10 overview 33-65 Add Custom Signature dialog box Add DCE/RPC Map dialog box 17-56 RFC Request Method tab 33-47 Add Destinations dialog box 17-50 Port Misuse tab 33-47 Add Custom Pane dialog box 17-51 Transfer Encoding tab 38-12 17-54 17-57 ASA 7.2+ and PIX 7.
Index Add Map Object dialog box MSN Messenger class maps 34-18 Add Map Value dialog box 6-44 Add Match Condition and Action dialog box DNS policy maps 21-29 POP3 class maps 21-23 SIP (IOS) class maps 17-31 ESMTP policy maps N2H2 class maps SIP class maps 17-35 17-38 SMTP class maps GTP policy maps 17-43 Sun RPC class maps H.
Index Add Regular Expression Group dialog box Add Sun RPC Class Map dialog box 17-85 Address Pools Add Sun RPC Map dialog box PIX/ASA/FWSM add/edit Add TCP Map dialog box 23-17 address pools overriding in connection profiles 29-8 1-29 Add Rule Section dialog box Add Service dialog box Add Services dialog box Add SIP Map dialog box 56-16 22-5 Add User dialog box Add Smart Tunnel Auto Signon Lists dialog box Add Smart Tunnel Lists dialog box 21-33 Add SNMP Map dialog box 17-84 Add Sources
Index Add Websense Web Filter Class Map dialog box 17-26, 21-17 configuring 35-26 analysis reports Add Web Type Access List dialog box 6-55 generating Add Windows Messenger Class Map dialog box 17-26, 21-17 Add WINS Server dialog box admin context 12-13 57-1 17-26, 21-17 configuring signatures 40-4 configuring thresholds 40-11 administrative settings, configuring admin password, changing modes 5-10 40-2 40-1 understanding histograms 10-23 40-9 understanding thresholds ADSL ADSL
Index configuration inspection ASA CX 46-4 CX 46-5 inspection, enable/disable table about 46-6 56-15 ASA devices 46-3 5505 ARP table static entry hardware port configuration 46-3, 46-4 ASA AAA support ASDM CX about 69-5 Auth Proxy Configuration 3-39 9-4 Bridge Groups add/edit 69-10 Failover 45-41 Catalyst Service Module Add Failover Group edit bridge group 49-24 49-16 IPS, QoS, and Connection Rules ASA CX Auth Proxy Configuration IPS modules 45-1 adding SSL thumbprints manua
Index PPPoE Users VPDN groups licenses creating IPSec 45-44 creating SSL 45-45 customizing 2-11 monitoring service level agreements object group search fragmentation settings group policies, creating 30-52, 30-53 configuring HTTP/HTTPS proxies and proxy bypass 30-47 IKE proposals 25-9 IKEv2 settings 25-34 content rewrite rules IPsec proposals 30-43 30-45 30-56, 30-58 other settings 30-25, 30-26, 30-27, 30-61 25-30 30-1 25-38 30-2 post URL method and macro substitutions in bookmarks
Index DNS/WINS settings hardware client attributes IPSec settings configuring default settings 33-20 purging entries 33-7 10-22 understanding 33-8 split tunneling settings 10-19 working with 33-21 11-44 10-19 SSL VPN clientless settings 33-10 Audit Message Detail dialog box SSL VPN full client settings 33-13 Audit Report command SSL VPN settings generating and viewing 33-1 ASA Image Management understanding 70-14, 70-30 ASBR ASCII limitations for text 10-20 AUS 1-46 deploying
Index AuthProxy dialog box BGP routing 15-18 BGP Routing Policy page AuthProxy settings policy configuring defining routes 15-9 autolink omitting reserved networks from maps 11-2 automatic conflict detection resolving conflicts understanding 64-6 on Cisco IOS routers 64-1 Redistribution tab 16-25 Setup tab 16-27 64-3 64-4 PIM 33-19 Auto Update Server (AUS) 53-13 blocking, IPS configuring 3-35 42-7 configuring ARC 10-17 PIX/ASA/FWSM troubleshooting deployment 3-36 configuring
Index configuring in Map view ASA 5505 34-23 configuring the dynamic database configuring with IPS global correlation databases Management IPv6 19-4 46-10 PIX/ASA/FWSM 41-1 ARP configuration 19-1 46-4 Device Blacklist dialog box 19-15 ARP Inspection Device Whitelist dialog box 19-15 ARP Inspection, enable/disable Drop Rules Editor ARP Table 19-13 Dynamic Blacklist Configuration tab enabling DNS snooping field definitions illustrations MAC Address Table MAC Learning 19-9 46-7 46-8
Index default transport protocol deployment Interfaces tab 11-17 Service Module Slot Selector dialog box 8-29 FlexConfig object samples IPS blocking devices rollback restrictions Summary tab 7-21 VLAN Groups tab 5-13 VLANs tab 45-1 Catalyst 6500/7600 switches Create and Edit VLAN ACL dialog boxes 5-13 VLAN Access Lists page remote access VPNs Dynamic VTI/VRF Aware IPsec settings IPsec proposals 65-27 Create and Edit VLAN ACL Content dialog boxes 65-42 8-28 Catalyst devices high availab
Index deleting VLANs certificates for IPS package downloads 65-27 discovering policies certificate to connection profile map policies 65-1 generating interface names IDSM settings configuring policy 65-6 configuring rules 65-44 IDSM Settings page 30-29 30-29 certificate trust management 65-48 interfaces 65-5 Change Report dialog box managing 65-1 change reports routed ports viewing 65-5 viewing interface and VLAN summary VLAN Access Lists page VLAN ACLs (VACLs) VLAN groups VLANs 65
Index Cisco IOS Routers optional SSH settings 60-63 configuring IOS IPS 44-1 OSPF routing IPS blocking devices 42-4 permanent virtual connections (PVCs) Cisco IOS routers 802.
Index understanding understanding 6-72 Clear Connection Configuration dialog box 15-22 CLI commands 30-4 understanding FQDN redirection 30-5 CNS FlexConfig objects call-home mode 7-2 client connection characteristics configuration modes deploying configurations deployment method 27-3 configuring policies for Easy VPN extended authentication (xauth) clientless access mode 2-10 event-bus mode 27-7 8-42 8-10 2-9 setting up on PIX Firewall and ASA devices 27-4 color rules, configuring
Index viewing and comparing configuration versions viewing transcripts window 8-56 8-24 Configuration Archive command 1-32 8-61 understanding out-of-band changes 8-12 8-56 configuration session selecting session for change reports 3-35 CNS call-home mode 2-10 CNS event-bus mode 2-9 setting up 8-62 rolling back multiple context mode viewing and comparing 11-3 Configuration Engine adding 8-61 rolling back IPS and IOS IPS 8-58 Configuration Archive page rolling back failover devices v
Index Secondary AAA tab SSL tab defining for SSL VPN on ASA 30-14 Context-Based Access Control 30-18 choosing interfaces connection profiles configuring configuring 30-6 configuring for Easy VPN 17-2 17-5 configuring identity aware 27-13 properties selecting protocols 30-11 general IPSec understanding 30-9 17-1 understanding access rule requirements 30-16 30-8 Context Editor dialog box (IOS) secondary AAA 30-14 contexts see “security contexts” 30-18 sharing among multiple ASAs C
Index Create Overrides for Device dialog box Create Policy Bundle dialog box Create Text Object dialog box Create Ticket dialog box historical and real-time lookup 6-20 looking up 5-54 7-31 4-14 Create VPN Topology wizard Device Selection page Endpoints page 69-33 69-26 registering in Security Manager supported log messages 24-49 viewing access rule events 24-30 CS-MARS page 24-58 69-28 69-30 11-4 CSMDiagnostics.zip credential objects setting debug options 27-9 11-8 CSMDiagnostics.
Index backing up and restoring generating partial backups for TAC restoring Deploy command 10-24 Deploy Job dialog box 10-29 properties Add Other Devices dialog box Auto Update Server 17-21 DCS.properties file 8-29 changes not deployed when using schedules DCS.doSerialAccessForFWSMVCs property DCS.FWSM.
Index rolling back configurations, command conflicts 8-64 rolling back configurations, commands to recover from failover misconfiguration 8-65 rolling back configurations, failover devices 8-61 troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 24-17 understanding 8-1 understanding configuration rollback 8-59 rolling back configurations, IPS and IOS IPS devices 8-62 using a Cisco Networking Services (CNS) server 8-42 rolling back configurations, multiple context mode 8-61 viewing devi
Index Deployment Workflow Commentary dialog boxes Deploy Saved Changes dialog box device administration policies configuring on firewall devices 8-29 DES encryption algorithm in IKE proposals 8-21 device authentication adding SSL thumbprints manually 25-6 Designated Router Device Blacklist dialog box 53-12 Destination Contents dialog box Dest Port Map dialog box device clusters 12-14 1-33 device changing device message severity level 69-1 troubleshooting failures Device Access 9-7 Devic
Index DCR, CS-MARS, Security Manager formats 10-6 device with policies overview 10-6 10-10 importing 3-50 understanding 10-13 importing with policies viewing or changing 3-39 creating object overrides deleting overrides 69-11 overview testing device connectivity 9-1 6-21 3-39 to appear as an error message understanding contents 3-3 understanding device clusters understanding generic devices 3-8 3-34 adding 3-6 adding configurations to the Configuration Archive 8-55 adding from conf
Index deployment to troubleshooting communication and deployment 8-9 detecting out-of-band changes troubleshooting device discovery failures 8-46 discovering or changing CS-MARS controller discovering policies 69-25 discovering policies on existing devices unsharing policies 5-15 image version changes with no policy effects including in deployment jobs or schedules 3-50 24-11 what counts as a device filtering 1-42 1-42 Device Server Assignment dialog box adding existing managed working wi
Index Device Whitelist dialog box Dialer Physical Interface dialog box 19-15 DHCP Dialer Policy page Cisco IOS routers 59-30 Dialer Profile dialog box defining address pools defining policies on Cisco IOS routers 60-91 59-31 59-27 Diffie-Hellman groups 60-90 DHCP Database dialog box in IKE proposals 60-94 25-7 DHCP Policy page 60-92 Digital Subscriber Line (DSL) IP Pool dialog box 60-94 digital subscriber line-access multiplexer (DSLAM) 59-34 overview 60-87 understanding database
Index Distributed Traffic Shaping (DTS) DNS Policy page 63-6 DMVPN (Dynamic Multipoint VPN) advantages of using with GRE configuring IP Host dialog box overview 26-11 configuring GRE modes DSLAM 26-12 large scale DMVPNs 26-17 spoke-to-spoke connections 31-3, 31-7 configuring 26-10 managing 24-9 31-2 31-1 understanding 26-10 DNS 67-15, 67-16 dynamic access policies attributes 26-1, 26-9 supported platforms 31-1 dynamic access policies (DAP) configuring for inspection rules Add/Edi
Index Main tab understanding 31-13 Dynamic Access Policy page (ASA) understanding dynamic VTI 31-10 Cisco Secure Desktop Manager Policy Editor dialog box 31-40 Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 31-12 Dynamic Blacklist Configuration tab dynamic crypto maps user group policies Edit AAA Option dialog box Edit AAA Rule dialog box 15-18 15-13 6-30 Edit AAA Server Group dialog box 25-18 Edit Access Rule dialog box Edit Actions dialog box 17-18 Edit activit
Index Edit Device Groups command Extension Request Method tab 1-29 Edit Device Groups dialog box General tab 3-58 Edit DNS Class Map dialog box overview 17-26 Edit DNS Map dialog box Filtering tab overview 17-26, 21-17 24-45 17-57 17-26, 21-17 Edit IKEv1 Proposal dialog box 25-10 Edit IKEv2 Proposal dialog box 25-13 Edit IMAP Map dialog box 24-45 VPNSM/VPN SPA/VSPA settings, VPN Interface tab 24-41 VRF Aware IPsec tab 24-46 Edit ESMTP Map dialog box Edit Extended Access List dialog b
Index DNS policy maps SIP (IOS) class maps 17-31 ESMTP policy maps SIP class maps 17-35 17-79 FTP policy maps 17-38 SMTP class maps GTP policy maps 17-43 Sun RPC class maps H.323 (IOS) policy maps H.323 policy maps 21-34 21-34 1-29 17-26, 21-17 21-38 17-26, 21-17 Edit NAT Rule dialog box 21-34 ASA 8.
Index Edit Selected Deployment Method dialog box 8-31 Edit Server dialog box Edit Server Group dialog box Edit Service dialog box Edit Services dialog box 21-33 15-18 6-89 Edit Signature Parameter—Component List dialog box 38-25 Edit Signature Parameters dialog box Edit SMTP Class Map dialog box Edit SMTP Map dialog box 21-33 Edit SNMP Map dialog box 17-84 Edit URL Domain Name dialog box Language 33-55 Title Panel Browser Proxy settings 12-11 Client (IOS) settings 33-37 Clientless settin
Index Device Selection tab Edit Endpoints dialog box Endpoints tab recipient set-up Edit Web Filter Map dialog box PIX/ASA/FWSM 6-60 Edit Web Filter Type dialog box 53-1 Encapsulating Security Protocol (ESP) encryption algorithm 25-28 21-46 Edit Web Filter Options dialog box 18-9 encoding rules 18-8 Edit Websense Parameter Map dialog box defining for SSL VPN (ASA) 21-38 Edit Websense Web Filter Class Map dialog box 17-26, Edit Web Type Access List dialog box 17-26, 21-17 DES (Data Enc
Index upgrading to permanent license CS-MARS 10-16 event lists 69-32 looking up 69-27 looking up policies based on related events 52-4 add/edit Netflow support for policy lookup 52-5 syslog class viewing access rule events add/edit syslog message ID add/edit ensuring time synchronization Event Action Filters page clearing filters 39-7 Event Action Override dialog box Event Action Overrides page context menu 39-14 configuring filter rules 39-4 configuring network information 66-45
Index Event Viewer filters archiving (backing up) the event data store arranging views 66-32 clearing 66-34 ASA devices, configuring to provide events columns 66-25 configuring color rules column based overview 66-36 configuring Event Manager service 66-41 66-43 66-39 submission requirements for policy objects 66-27 text searches (quick filter) 66-48 creating custom views 66-37 time range 66-39 deleting custom views 66-39 time slider 66-40 editing view name and description ensurin
Index using command replication 66-33 using views view list configuration synchronization 66-33 add new context to group 2 66-11 View menu reference Event Viewer command edit bridge group 1-35 FWSM configuring for IOS devices 49-12 PIX/ASA 1-29 Exit command (Report Manager) exiting 49-17 settings Cisco Security Management Suite server CiscoWorks Common Services Security Manager 49-15 Add Failover Group 67-8 1-10 1-10 expiration dates 49-24 49-20 PIX/ASA/FWSM 49-10 active/activ
Index attributes 33-25 selecting 33-27 firewall AAA firewall advanced settings files deploying to configuring 8-11 selecting or specifying Filter Item dialog box advanced settings exporting policy tips configuring AAA page 39-4 example rule 15-23 AAA firewall policy 39-9 39-9 configuring 15-6 MAC exempt lists 1-47 filter rules, event action (IPS) attributes 15-19 15-19 15-6 15-25 AAA rules 66-58 configuring AAA firewall settings 39-4 configuring AuthProxy settings 39-7 15-6
Index import examples importing configuring identity options 16-41 configuring rules 16-37 IPS blocking, affect of managing enabling 16-1 optimizing during deployment managing 16-1 understanding global 16-4 understanding requirements when using inspection 17-4 adding rules 15-9 configuring settings conflict detection 14-13 34-23 17-1 17-4 inspection settings 18-15 configuring for IOS devices 34-23 16-25 introduction 17-88 12-1 IPv6 access rules 12-28 configuring expiration dates
Index policy discovery managing 5-13 policy query understanding example report add/edit zones 12-28 interpreting results preserving ACL names advanced options 21-63 12-4 configuring PAM 21-65 configuring rules 21-12, 21-59 resolving access rule conflicts 15-19 configuring settings 16-31 resolving ACL naming conflicts Content Filter tab 12-6 security group aware policies configuring ISE settings 11-39 system variables 21-49 21-57 21-49 WAAS tab adding or editing a rule Zones t
Index Fit to Window command adding objects 1-31 FlexConfig objects changing object order adding to policies ASA samples configuring 7-19 changing order in policies editing 7-34 Cisco IOS Software samples previewing CLI creating (scenario) managing router samples report windows 7-33 7-32 67-25 view windows 7-34 floodguard 7-23 66-34 55-2 FQDN objects 7-19 creating example of looping example of two-dimensional looping understanding 6-76 understanding 7-3 example of looping wi
Index full tunnel client access mode IPv6, add/edit prefixes 29-5 FWSM managing AAA support about PDM 45-1 adding SSL thumbprints manually rollback command conflicts 8-61 security contexts 45-41 configuration 46-3 changing deployment method to serial for multiple-context mode 9-16 configuring for event management setting up SSL (HTTPS) 66-25 configuring transparent firewall rules 57-5 selecting policy types to manage TCP State Bypass 11-18 56-3 troubleshooting deployment 22-1 5-10
Index editing global settings 28-21 IKE proposal remote access VPN 28-15 configuring key servers adding 28-19 editing 28-19 Gnutella class map objects creating mandatory and optional policies migrating to overview 25-29 21-15 match criteria 24-6 21-20 GRE (generic routing encapsulation) VPN 28-23 advantages of IPsec tunneling with GRE 28-1 receive-only SAs configuring 28-23 registration 26-5 configuring GRE modes choosing the rekey transport mechanism configuring fail-close mode
Index creating creating 30-23 understanding 17-21 properties 30-22 VPNs 17-45 IOS configuring bookmarks creating 30-70 configuring portal appearance match conditions and actions 30-66 configuring WINS servers for file system access 30-76 customizing match conditions and actions in IKE proposals post URL method and macro substitutions in bookmarks 30-72 Group Policies page 21-34 17-48 hash algorithms 30-65 smart tunnels 21-15 30-73 MD5 25-7 SHA 25-6 25-6 Health & Performance M
Index defining configuring 60-77 Hostname Policy page overview export data 60-78 68-31 68-27 filters 60-77 column based HPM access control introduction 68-3 Alerts firewall IPS 68-33 launching 68-4 List Filter 68-17 device details 68-35 VPN, SNMP configuration alerts 68-26 device status list 68-36 68-25 RA and S2S views 68-28 acknowledging clearing Summary 68-38 history overview 68-39 viewing Alerts display 2-3, 68-4 Remote Access 68-6 log-off user 68-29 Monitoring
Index HTTP Policy page description 60-31 24-2 overview 60-28 joined hub-and-spoke topology Setup tab 60-31 tiered hub-and-spoke topologies PIX/ASA/FWSM 48-2 configuration 48-2 17-21 ICMP rules HTTP (ASA7.1.x/PIX7.1.x/FWSM3.
Index identity user group objects creating comparing version 1 and 2 configuring IKE and IPsec policies 13-19 selecting configuring IKEv2 authentication 13-21 user identity acquisition configuring proposal 13-2 idle timeout, Security Manager client encryption algorithms hash algorithms 69-5 IDSM overview 25-6 25-5 IKE keepalive understanding 3-18 deleting Data Port VLANs 65-45 65-48 deleting EtherChannel VLANs 25-30 IKE proposal objects 65-46 defining EtherChannel VLANs v1 proper
Index Add Image configuring for inspection rules 70-10 Bootstrapping Devices bundled images bundles IMAP class map objects 70-6 creating 70-27 70-12 delete 70-13, 70-14 rename view images match conditions for zone-based firewalls IMAP policy map objects 70-15 configuring install location creating 70-17 creating 70-1 installation wizard installing images on selected devices policy objects retry on installation failure 70-32 supported platforms Status page 70-3 16-40 16-39 inher
Index configuring policy maps 41-5 inspection map objects Add Country Network Codes dialog box 17-42 understanding Edit Country Network Codes dialog box 17-42 6-72 inspection rules Inspect parameter map objects ACL naming conventions properties 12-5 add/edit rule wizard 17-10, 17-12, 17-16 choosing interfaces 17-2 configuring Inspect Parameters map objects creating configuring custom protocol name configuring DNS settings Security Manager client 17-20 17-19 Interface Name Conflict
Index Catalyst switches and 7600 Series routers Access Port Selector dialog box Router Interfaces page 59-7 understanding helper addresses 65-30 Create and Edit Interface dialog boxes-Access Port mode 65-9 Create and Edit Interface dialog boxes-Dynamic Port mode 65-18 configuring IOS IPS rules 44-8 configuring multiple contexts 57-2 distinguishing from interface roles 6-70 failover Create and Edit Interface dialog boxes-Other mode 65-24 MAC address Create and Edit Interface dialog boxes-subi
Index add/edit adding devices manually 45-19 Advanced settings configuring contexts device status view 45-42 working with 45-2 managing 45-5 DDNS update rules manage 3-1 understanding 45-20 understanding MAC address viewing inventory status working with 45-38 Inventory Status window 45-15 Inverse ARP 45-4 6-70 69-2 59-60 22-1 remote access IPSec VPNs 65-43 36-6 user group policies 32-13 remote access IPsec VPNs Interface Specific Client Address Pools dialog box 30-10 creating
Index configuration overview configuring understanding subsystems and revisions 44-3 IOS Software Release 12.1 and 12.
Index understanding histograms understanding thresholds understanding worms when to turn off deployment of passwords 40-9 deployment topology 40-9 42-7 configuring ARC configuring router blocking interfaces configuring user profiles 42-15 42-12 overview 39-1 possible actions settings 39-2 39-1 39-21 66-4 35-1 configuring 42-4 41-1 configuring inspection and reputation configuring network participation 42-1 capturing network traffic data collected 35-2 understanding changing those sel
Index physical interface properties promiscuous mode roles editing Meta engine component list 36-11 editing or tuning parameters 36-2 enabling or disabling 36-1 sensing modes overview understanding engines 36-2 viewing summary VLAN group mode IPS modules for ASA license, exporting policy 56-14 11-42 licenses automating updating 38-4 shortcut menu 38-7 understanding 38-1 38-9 SSL certificate configuration 43-1 redeploying 38-21 viewing update level 43-3 managing 38-3 parameters
Index IPsec advantages of IPsec tunneling with GRE remote access VPNs configuring access policies for IKEv2 (ASA), configuring 30-40 26-5 configuring GRE modes 26-6 dynamically addressed spokes access policies for IKEv2 (ASA), reference 30-37 access policies for IKEv2 (ASA), understanding 30-36 implementation overview 26-5 26-3 26-1, 26-2 prerequisites for successful configuration certificate to connection profile map policy (IKEv1) 30-29 supported platforms understanding 26-2 IPSec Cli
Index supported platforms for remote access VPNs understanding Neighbor cache 29-8 specifying addresses in policies 24-5 IPSec transform set objects attributes support in Security Manager ACL naming conventions 25-19 IPSec VPN deleting zone-based firewalls editing 16-19 requirements moving 3-19 IPS Module Discovery dialog box IPS Rules dialog box 13-3 12-19 preserving ACL names 3-19 IPS Module interface settings policies 12-4 sharing ACLs among interfaces 59-22 understanding global
Index creating and editing deployment in non-Workflow mode 8-29 creating and editing deployment in Workflow mode 8-36 Deployment Manager discarding Key Servers Selection dialog box 28-21 40-8 8-16 L including devices in 8-8 LACP 8-39 interface assigned to an EtherChannel states Workflow mode submitting mandatory and optional policies 8-39 Join Group tab (IGMP) 45-11 large scale Dynamic Multipoint VPN (DMVPN) 8-6 joined hub-and-spoke topology JumpStart 28-18 knowledge base structure (IPS)
Index Link Properties dialog box filters, editing 34-20 load balancing levels configuring in large scale DMVPN configuring IOS IPS deny actions message editing 26-17 NetFlow 21-28 52-1 rate limit levels Local Web Filter parameter map objects server 21-37 set-up locking 52-6 syslog message ID 4-3 devices and policies objects 52-15 52-10 syslog class activities 52-14 52-16 server setup 21-35 syslog servers 5-9 52-6 52-20, 52-21 syslog servers, add/edit 5-10 understanding 5
Index

(Entries recovered from the extracted index pages, M through Z. The page references were scattered across columns during extraction and can no longer be matched to their entries, so they are omitted here; entries cut off mid-word are also omitted.)

M
MAC exempt lists
Maintenance Operation Protocol (MOP), enabling
management address, requirements for IPv6 devices
Map menu; Map view; Map View command; Open Map command; Save Map command; Save Map As command; Set Linked Map
maps: access permissions; adding existing managed devices; adding new managed devices; arranging elements; background color; configuring firewall policies; configuring settings in Map view; displaying managed devices; displaying your network; elements, understanding; excluding private and reserved networks; Layer 3 link; managed device node; map background; map objects; removing managed devices; renaming; saving; selected nodes; undocking; understanding
maps, Autolink Settings page; Modify Physical Interface Map dialog box
maximum segment size (MSS)
MD5 hash algorithm
CS-MARS, integrating with Security Manager
memory settings: Cisco IOS routers; device managers, using; defining device status; Memory Policy page; overview
multicast routing (PIX/ASA/FWSM): configuring; IGMP parameters; IGMP Protocol tab; IGMP Static Group parameters; IGMP Static Group tab; MBoundary configuration; MBoundary interface configuration; MRoute configuration; Multicast Boundary Filter page; Multicast Group rule; Multicast Routes page; PIM Bidirectional Neighbor Filter; PIM Request Filter tab; PIM Route Tree tab

N
N2H2 (Smartfilter), configuring for web filter rules policies
NAT policies; Network Address Translation (NAT): Add/Edit Per-Session NAT rules dialog boxes; Address Pools page; Advanced NAT Options dialog box; Dynamic Rules dialog box; Dynamic Rules tab; Policy Dynamic Rules tab; Policy Dynamic Translation Rule; Select Address Pool; Static Rules tab; static NAT; Translation Exemption (NAT-0 ACL) Rule; Translation Options page; Translation Rules page
NBAR
NetBIOS policy map
NetFlow: add/edit collector; NetFlow policy; PIX/ASA/FWSM
network access device (NAD)
network masks: discontiguous; understanding
network/host objects: attributes; creating; General tab; naming when provisioned as object groups; optimizing when deploying firewall rules; specifying IP addresses; understanding; user identity acquisition; using in Event Viewer filters
Network Admission Control (NAC)
network participation, IPS: changing modes; configuring; reputation, understanding
network sensing, understanding
Network Time Protocol (NTP); NTP policy; NTP Policy page
Node Properties dialog box; viewing device details
Not able to connect to server message, Report Manager

O
object group search, ASA 8.3+ devices
Open Activity command; Openable Activities dialog box; Openable Tickets dialog box
OSPF: advanced settings; Area Range; Area tab; Area/Area networks; defining area settings; defining interface settings; defining setup parameters; Edit Interfaces dialog box; Filtering tab; Interface configuration; Interface tab; Max Prefix Mapping dialog box; OSPF Interface Policy page; OSPF Process Policy page; OSPF Process Redistribution tab; other settings; Range tab; Redistribution Mapping dialog box; Setup dialog box; static neighbor; Summary Address configuration; Summary Address tab; Virtual Link configuration
OSPFv3: about; advanced settings; Area Range; Area tab; Interface configuration; static neighbor; Virtual Link configuration

P
packageMonitorInterval
packet capture; Packet Capture Wizard command; packet tracer
PAM (zone-based firewall), configuring
parameter maps: creating for zone-based firewall content filtering; creating for zone-based firewall inspection; URLF Glob parameter map properties; URLF Glob parameter maps, metacharacters
PDM
Peers page
performance settings; performance tuning
permanent virtual connections (PVC): Define Mapping dialog box; Pair dialog box; PVC Advanced Settings dialog box; PVC dialog box; PVC Policy page
ping; Ping, TraceRoute and NSLookup command
PIX/ASA platform: Advanced tab; AUS, add/edit server; AUS page; boot image/configuration, configuring; contexts, add/edit; DDNS interface rule; DDNS page; IP Type; MAC address; PPPoE Users; redundant; security contexts; Server Access; subinterfaces; VPDN groups
PIX/ASA/FWSM platform: AAA (Accounting tab; Authorization tab); AAA support; anti-spoofing; ARP Inspection; console timeout; DHCP servers, configuring; event lists, add/edit; HTTP configuration; HTTP page; ICMP rules; levels; message limits; multicast routing, configuring; NetFlow; rate limits, add/edit; routing, configuring; set-up; static routes, configuring on firewall devices; SYN flooding attacks, preventing; syslog class; syslog servers, add/edit
PKI enrollments: defining certificate attributes; defining enrollment parameters; defining trusted CA hierarchy; discovering on existing devices; properties
plug-ins, configuring browser
Point-to-Point Protocol (PPP): configuring; editing; defining multilink PPP bundles
policies: adding local rules to shared policies; assigning shared policies; cloning shared policies; copying shared policies; exporting; importing; inheritance; managing; modifying assignments; preserving ACL names; Share Device Policies command; Shared Policy Assignments dialog box; Shared Policy selector options; sharing local; synchronizing among Security Manager servers; unassigning; understanding shared policies; unsharing; using global search to find specific policies; VPN defaults
policy discovery: Policy Discovery Status command; Policy Discovery Status page; viewing discovery task status
policy map objects: DCE/RPC; DNS; ESMTP; GTP properties; H.323 (ASA/PIX/FWSM); HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS); HTTP (ASA7.2+/PIX7.2+); IM (IOS) properties; IPv6 properties; NetBIOS; Protocol Info properties, add/edit; SIP (ASA/PIX/FWSM); Trend properties; URLF Glob properties; learning, enable/disable; creating for inspection rules; creating for zone-based firewall inspection; match conditions and actions
policy objects: access control lists (extended objects; standard objects; web objects); attributes; creating; deleting; editing; IKE proposals (v1 properties; v2 properties); managing; naming when provisioned as object groups; pools; port forwarding lists; port lists; properties; provisioning as object groups; regular expression group; regular expression objects, metacharacters; security group, creating; selecting; single sign-on server; SSL VPN bookmark; SSL VPN smart tunnel auto sign-on lists; SSL VPN smart tunnel lists; supported additional types for ASA/PIX/FWSM; supported types; text; time ranges; understanding; using in Event Viewer filters
AAA server objects: creating connection with policy management; default server groups on IOS devices; predefined authentication groups; TACACS+ settings
Preview Configuration command; previewing CLI
Prime Security Manager, see PRSM; Prime Security Manager command
print sharing; Print command (Report Manager)
proxy ARP, enabling on IOS routers
proxy bypass rules, defining HTTP/HTTPS for SSL VPN (ASA)
proxy server, configuring HTTP for IPS global correlation
FQDN (fully qualified domain name) negotiation; main mode address negotiation

Q
QoS: default class; defining for classes; overview; queuing; Queuing and Congestion Avoidance tab; Shaping tab; tail drop; troubleshooting
Querying Device or Policy dialog box; looking up policies based on related events (Event Viewer)

R
Reject Activity dialog box; Reject Deployment Job dialog box
remote access VPNs: access modes; access policies for IKEv2 (ASA), configuring; access policies for IKEv2 (ASA), reference; AnyConnect custom attributes (ASA); certificate to connection profile map policy (IKEv1); cluster load balancing; configuring bookmarks; configuring WINS servers for file system access; connection profiles; discovering; group policies, creating; group policies, understanding; IKEv2 settings; IPsec Settings page (ASA); IPsec VPN Defaults page; managing; NAT settings, understanding; user group policies for IOS, PIX 6.3; user logging off; VPNSM, VPN SPA, VSPA settings
IPsec proposals: attributes for ASA and PIX 7.0+ devices; attributes for IOS and PIX 6.3 devices; configuring for ASA and PIX 7.0+ devices; configuring for IOS and PIX 6.3 devices; managing (ASA, PIX 7.0+)
Report Manager: access control reports; closing; configuring default settings; configuring devices to provide reports; configuring Event Manager service; configuring schedules; creating custom reports; disabling schedules; enabling schedules; general reports; generated report pane and toolbar; generating reports; managing reports; opening; policy query; Print command; Save As command; Save command; scheduling reports; understanding; viewing schedule results; viewing schedules
Router platform (Cisco IOS routers): AAA tab; Accounts and Credentials Policy page; ADSL policy, Interface dialog box; advanced interface settings policy (Advanced Interface Settings dialog box; Advanced Interface Settings page; Interfaces tab); BGP policy (BGP Redistribution tab; BGP Routing Policy page; BGP Setup tab); bridging policy (Bridge Group dialog box; Bridging Policy page); CEF interface policy; DNS Policy page; Dynamic Rule dialog box; EIGRP routing; Interface policies (ADSL; advanced settings; basic settings); Interface Specification tab; NetFlow policy; NTP policy; OSPF Interface Policy page; PIM; quality of service (QoS); Secure Shell Policy page; SHDSL policy (Controller Auto Name Generator dialog box; SHDSL Controller dialog box; SHDSL Policy page); SNMP Policy page; Static Rule dialog box; Static Rules tab; static routing (Static Routing dialog box); syslog servers policy; User Accounts dialog box; dynamic rules; static rules; timeouts; system variables; setting up SSL (HTTPS); unicast reverse path forwarding (RPF), enabling; virtual fragment reassembly (VFR), enabling; Network Admission Control (NAC); authentication
RIP (PIX/ASA 7.2+): about; Interface configuration; Redistribution; Redistribution configuration; RIP Redistribution tab
rolling back configurations

S
Save As command (Report Manager); Save command; Save command (Report Manager); Save Map As command; Save Map command
scenarios: contents of bootstrap; creating FlexConfigs; defining policies
SCEP (Simple Certificate Enrollment Protocol): CA server authentication; configuring AAA for administrative introducers; introducers; registrars
secure desktop manager policies, configuring
security contexts: admin context, overview; allocate interfaces; configuration; configuring multiple; configuring on firewall devices; deleting; enabling multi-context mode; FWSM; managing Resources; PIX/ASA; restoring single-context mode; understanding
Security Manager: Configuration Manager interface overview; configuring administrative settings; getting started; installing client; logging into and exiting; managing the server; Security Manager Online command; server; Server Properties dialog box; Server Security Settings page; creating diagnostic file; generating data (disable automatic aliasing; disable payload); generating partial database backup
Select VPN to Configure dialog box
self near-end crosstalk (SNEXT)
Self zone
sensors, IPS: allowed hosts; anomaly detection (configuring; configuring histograms; configuring learning accept mode; configuring OS maps); configuration overview for IOS IPS; configuring AAA; configuring Analysis Engine global variables; configuring DNS servers; configuring HTTP proxy server; configuring inline interface pairs; configuring inline VLAN pairs; configuring NTP; configuring physical inline interface mode policy; configuring SNMP; global correlation configuration; IPS modules for ASA; managing interface configurations; physical interface properties; promiscuous mode; server, IPS update; shortcut menu; Target Value Ratings, IPS Network Information policy; traffic flow notifications; traps, SNMP, configuring; tuning recommendations; understanding user roles; viewing summary; VLAN group mode
service policy rules (PIX/ASA/FWSM): configuring on firewall devices; Connection Settings tab; CSC tab; identity-aware rules, configuring; IPS tab; IPS, QoS, and Connection Rules; security group aware rules, configuring; Service Policy (MPC) Rule Wizard
SHA hash algorithm
shared license clients; shared license servers; shared licenses (ASA)
SHDSL, defining controllers on Cisco IOS routers
engines, renaming
SIP class map objects, match criteria; SIP policy map objects, creating
Site-to-Site VPN Manager; Site-to-Site VPNs command; site-to-site VPNs, viewing summary of VPN configuration
Smartfilter (N2H2): configuring for web filter rules policies; configuring for zone-based firewall rules policies
SNMP: encoding rules (ASA); host access; IPS trap options; MIBs; OIDs; SNMP Policy page; SNMP Traps dialog box
Source Contents dialog box
spam, blocking using zone-based firewall
SSL (HTTPS): certificate errors; handshake failure during deployment; setting up; SSL Server Verification tab
SSL VPN: Advanced tab; configuring bookmarks; configuring HTTP/HTTPS proxies and proxy bypass (ASA); configuring port forwarding lists; creating custom Logon page; customizing; other settings (ASA); performance settings (ASA); policies (IOS); post URL method; prerequisites; properties; secure desktop manager policies; setting up; shared licenses (ASA); sharing connection profiles on ASAs; SSL VPN Other Settings page (ASA); SSL VPN Policy page (IOS); understanding NAT settings
static routes, configuring on firewall devices; static routing (Cisco IOS routers): defining; overview
Suspend Deployment Schedule dialog box
switches, communication requirements
SYN flooding attacks, preventing
syslog
system variables (FlexConfig): changing variable values; configuring; effects on activities; managing; understanding

T
tables (Configuration Manager): columns and headings; finding text in multiple-line text fields; navigating using; sections
TACACS+, settings in AAA server objects
Take Over User Session page
task flow: multiple users; Workflow mode
Ticket Management: comparing workflow modes; settings; ticket management description; Ticket Manager window; tickets (closing; creating; discarding; opening); using ticketing; Openable Tickets dialog box
time zone settings (Cisco IOS routers): Clock Policy page; defining time zone and DST; overview
TMS: add/edit; deploying configurations; deployment method
Token Management page
Transcript Viewer window
transform sets: attributes; understanding
Translation Exemption (NAT-0 ACL) Rule (PIX/ASA/FWSM); Translation Options; Translation Rules
transport protocols: device defaults; mixing deployment methods; overview of device requirements; SSH; SSL (HTTPS)
traps, SNMP: configuring for IPS sensors; IPS options
troubleshooting: certificate errors; Configuration Manager; Event Viewer; GET VPN registration failure; invalid certificate error; minimum memory errors for ASA; Not able to connect to server message, Report Manager; online help, problems accessing; Velocity Engine error message
TrustSec security group objects, selecting

U
unicast reverse path forwarding (RPF), enabling
User Accounts policy, IPS devices; monitoring
user group objects: advanced; client VPN software update (IOS) settings; DNS/WINS settings; general settings; IOS client settings; IOS Xauth settings; split tunneling settings (Easy VPN/remote access IPSec VPN); SSL VPN connection settings; SSL VPN full tunnel settings; SSL VPN split tunneling settings; technology settings; thin client settings; viewing details
user groups

V
VDI servers
Velocity Engine error message; scripting language (FlexConfig objects)
View Changes command; View menu (Configuration Manager); Configuration Manager toolbars
viewing interface allocations
views (Event Viewer): event table; list; opening; saving; using
virtual channel identifier (VCI); virtual path identifier (VPI)
virtual fragment reassembly (VFR)
Virtual Routing Forwarding (VRF); VRF-Aware IPsec: changing on Catalyst switches and 7600 routers; configuring
VLAN ACLs (VACLs), Catalyst switches and 7600 Series routers: Create and Edit VLAN ACL Content dialog boxes; Create and Edit VLAN ACL dialog boxes; Create and Edit VLAN dialog boxes; defining; deleting; overview; understanding
VPN default policies: configuring; IPsec; understanding; using device overrides to customize VPN policies
VPN discovery: prerequisites; procedure; rules; supported and unsupported technologies and topologies
VPN global settings
VPN Shared Port Adapter (VPN SPA), configuring; VPNSM/VPN SPA/VSPA Settings dialog box
VPN Summary page; viewing summary of VPN configuration
VPN topologies: accessing; assigning initial policies to new; assigning shared policies; cloning shared policies; configuring in Device view; Setup tab; defining GET VPN

W
Web Filter Rules page (ASA/FWSM/PIX); Web Filter Rules page (IOS)
web filter rules policies: attributes; configuring settings; exclusive domain names (IOS); understanding use by ASA, PIX, and FWSM devices; web filter server properties
Windows Messenger class map objects: creating; managing
wizards: configuring remote access SSL VPNs on ASA devices; configuring remote access VPNs; Copy Policies
workflow modes: changing; comparing; Workflow mode task flow
Workflow mode deployment: advanced options; approving jobs; aborting jobs; deployment overview; discarding jobs; rejecting jobs; states; submitting jobs; viewing device details; viewing job history; creating activities

Z
zones: add/edit zones; creating zones; Self zone; Zone Contents dialog box; interface role objects, understanding
zone-based firewall rules policies: blocking spam using zone-based firewall rules; changing the default drop rule; configuring map objects for content filtering rules; configuring map objects for inspection rules; configuring PAM; configuring rules; configuring settings; Content Filter tab; Global Parameters tab; inspection parameters; match conditions for IM applications; match conditions for P2P applications; preventing SMTP DoS attacks; protocol information for IM application inspection