Summary of Contents for Cisco OL-4015-08
Cisco Router and Security Device Manager (SDM) Version 2.2 User’s Guide Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: Text Part Number: OL-4015-08...
CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco...
Home Page LAN Wizard Ethernet Configuration LAN Wizard: Select an Interface LAN Wizard: IP Address and Subnet Mask LAN Wizard: Enable DHCP Server LAN Wizard: DHCP Address Pool DHCP Options LAN Wizard: VLAN Mode LAN Wizard: Switch Port IRB Bridge BVI Configuration DHCP Pool for BVI IRB for Ethernet...
How Do I View the IOS Commands I Am Sending to the Router? How Do I Launch the Wireless Application from SDM? Create Connection Wizards Create Connection WAN Wizard Interface Welcome Window ISDN Wizard Welcome Window Analog Modem Welcome Window Aux Backup Welcome Window Select Interface Encapsulation: PPPoE...
Delete Connection Summary Connectivity testing and troubleshooting How Do I... How Do I View the IOS Commands I Am Sending to the Router? How Do I Configure an Unsupported WAN Interface? How Do I Enable or Disable an Interface? How Do I View Activity on My WAN Interface? How Do I Configure NAT on a WAN Interface? How Do I Configure NAT on an Unsupported Interface? How Do I Configure a Dynamic Routing Protocol?
Add or Edit BVI Interface Add Loopback Interface/Connection—Loopback Connection: Ethernet LAN Connection: Ethernet WAN Ethernet Properties Connection: Ethernet with No Encapsulation Connection: ADSL Connection: ADSL over ISDN Connection: G.SHDSL Configure DSL Controller Connection: G.SHDSL with DSL Controller Connection: Serial Interface, Frame Relay Encapsulation Connection: Serial Interface, PPP Encapsulation Connection: Serial Interface, HDLC Encapsulation Add or Edit GRE Tunnel...
Advanced Firewall Interface Configuration Advanced Firewall DMZ Service Configuration Advanced Firewall Inspection Rule Configuration Application Security Configuration Domain Name Server Configuration Summary How Do I... How Do I View Activity on My Firewall? How Do I Configure a Firewall on an Unsupported Interface? How Do I Configure a Firewall After I Have Configured a VPN? How Do I Permit Specific Traffic Through a DMZ Interface? How Do I Modify an Existing Firewall to Permit Traffic from a New Network...
SDM Warning: Inspection Rule SDM Warning: Firewall Application Security Application Security Windows No Application Security Policy E-mail HTTP Header Options Content Options Instant Messaging Point-to-Point Applications Applications/Protocols Global Timeouts and Thresholds Associate Policy with an Interface Edit Inspection Rule Permit, Block, and Alarm Controls Site-to-Site VPN Create Site to Site VPN...
VPN Authentication Information Backup GRE Tunnel Information Routing Information Static Routing Information Summary of Configuration Edit Site-to-Site VPN Add new connection Add Additional Crypto Maps Crypto Map Wizard: Welcome Crypto Map Wizard: General Crypto Map Wizard: Peers Crypto Map Wizard: Transform Set Crypto Map Wizard: Traffic to Protect Crypto Map Wizard: Summary of the configuration Delete Connection...
Easy VPN Remote Create Easy VPN Remote Configure an Easy VPN Remote Client Connection Settings Authentication Interfaces Summary of Configuration Edit Easy VPN Remote Add or Edit Easy VPN Remote Add or Edit Easy VPN Remote: Easy VPN Settings Add or Edit Easy VPN Remote: Authentication Information Enter SSH Credentials XAuth Login Window...
General Group Information DNS and WINS Configuration Split Tunneling Client Settings User Authentication (XAuth) Client Update Summary Browser Proxy Settings Add or Edit Easy VPN Server Add or Edit Easy VPN Server Connection Restrict Access Group Policies Configuration Local Pools Add or Edit IP Local Pool DMVPN Dynamic Multipoint VPN...
Edit Dynamic Multipoint VPN (DMVPN) General Panel NHRP Panel Routing Panel How Do I Configure a DMVPN Manually? VPN Global Settings VPN Global Settings VPN Global Settings: IKE VPN Global Settings: IPSec VPN Key Encryption Settings IP Security IPSec Policies Add or Edit IPSec Policy Add or Edit Crypto Map: General Panel Add or Edit Crypto Map: Peer Information Panel...
Add or Edit Transform Set IPSec Rules Internet Key Exchange Internet Key Exchange (IKE) IKE Policies IKE Pre-shared Keys VPN Troubleshooting VPN Troubleshooting VPN Troubleshooting: Specify Easy VPN Client VPN Troubleshooting: Generate Traffic VPN Troubleshooting: Generate GRE Traffic SDM Warning: SDM will enable router debugs... Security Audit Welcome Page Interface Selection Page...
Enable Password Encryption Service Enable TCP Keepalives for Inbound Telnet Sessions Enable TCP Keepalives for Outbound Telnet Sessions Enable Sequence Numbers and Time Stamps on Debugs Enable IP CEF Disable IP Gratuitous ARPs Set Minimum Password Length to Less Than 6 Characters Set Authentication Failure Rate to Less Than 3 Retries Set TCP Synwait Time Set Banner...
Enable AAA Configuration Summary Screen SDM and Cisco IOS AutoSecure Security Configurations SDM Can Undo Undoing Security Audit Fixes Add or Edit Telnet/SSH Account Screen Configure User Accounts for Telnet/SSH Page Enable Secret and Banner Page Logging Page Routing Add or Edit IP Static Route Add or Edit an RIP Route Add or Edit an OSPF Route Add or Edit EIGRP Route...
Network Address Translation Rules Designate NAT Interfaces Translation Timeout Settings Edit Route Map Address Pools Add or Edit Static Address Translation Rule: Inside to Outside Add or Edit Static Address Translation Rule: Outside to Inside Add or Edit Dynamic Address Translation Rule: Inside to Outside Add or Edit Dynamic Address Translation Rule: Outside to Inside How Do I...
Signature Import Wizard Summary Signatures Assign Actions Import Signatures Add, Edit, or Clone Signature Add or Edit a Signature Location Cisco Intrusion Prevention Alert Center IPS-Supplied Signature Definition Files Global Settings Edit Global Settings SDEE Messages SDEE Message Text Network Module Management IDS Network Module Management IDS Sensor Interface IP Address IP Address Determination...
Edit QoS Policy Edit QoS Class Add a Protocol Interface Association QoS Status Network Admission Control Create NAC Tab Other Tasks in a NAC Implementation Welcome RADIUS Server Select the Interface(s) NAC Exception List Agentless Host Policy NAC Router Management Access Open Interface ACL Summary of the configuration Edit NAC Tab...
Router Properties Device Properties Date and Time: Clock Properties Date and Time Properties SNTP Syslog SNMP Router Access User Accounts: Configure User Accounts for Router Access View Password VTYs Edit VTY Lines Configure Management Access Policies Add or Edit a Management Policy Management Access Error Messages DHCP Configuration DHCP Pools...
DNS Properties Dynamic DNS Methods Add or Edit Dynamic DNS Method ACL Editor Useful Procedures for Access Rules and Firewalls Rules Windows Add or Edit a Rule Associate with an Interface Add a Standard Rule Entry Add an Extended Rule Entry Select a Rule Port-to-Application Mapping Port-to-Application Mappings...
Router Provisioning Router Provisioning from USB Public Key Infrastructure Certificate Wizards Welcome to the SCEP Wizard Certificate Authority (CA) Information Certificate Subject Name Attributes RSA Keys Summary Enrollment Status Cut and Paste Wizard Welcome Enrollment Task Enrollment Request Continue with Unfinished Enrollment Import CA certificate Import Router Certificate(s) Digital Certificates...
Open Firewall Open Firewall Details Resetting to Factory Defaults This Feature Not Supported More About... IP Addresses and Subnet Masks Host and Network Fields Available Interface Configurations DHCP Address Pools Meanings of the Permit and Deny Keywords Services and Ports More About NAT Static Address Translation Scenarios Dynamic Address Translation Scenarios...
Firewall Policy Use Case Scenario DMVPN Configuration Recommendations SDM White Papers Getting Started What’s New in this Release? Cisco IOS Versions Supported Viewing Router Information Overview Interface Status VPN Status Firewall Status Application Security Log NAC Status Logging File Menu Commands Save Running Config to PC Deliver Configuration to Router Write to Startup Config...
Edit Menu Commands Preferences View Menu Commands Home Configure Monitor Running Config Show Commands SDM Default Rules Refresh Tools Menu Commands Ping Telnet Security Audit USB Token PIN Settings Update SDM Help Menu Commands Help Topics SDM on CCO About this router...
Hardware: Model Type: Shows the router model number. Available/Total Memory: Available RAM/Total ... Software: IOS Version, SDM Version: The version of Cisco...
Whether the router has accelerators, such as VPN accelerators. A diagram of the hardware configuration, including flash memory and installed devices such as USB flash and USB tokens. The feature sets included in the IOS image. The version of SDM running.
Interface type ... Firewall Policies: Active/Inactive. Active—A firewall is in place. Inactive—No firewall is in place. Down (n): The number of LAN and WAN connections that are down. Total Supported WAN; Total WAN Connections; Number of DHCP Clients (Detail view).
The number of configured GRE over IPSec connections. The number of configured Easy VPN Remote connections. If this router is functioning as an Easy VPN Server, the number of Easy VPN clients with active connections. Description: A description of the connection.
Dynamic Routing Protocols: Lists any dynamic routing protocols that are configured on the router. NAC Policy Column: Active or Inactive; the name of the NAC policy. Intrusion Prevention: Active Signatures; No. of IPS-enabled interfaces.
The Configure button may be disabled if a LAN interface has been given a configuration that SDM does not support. For a list of such configurations, see Reasons Why an Ethernet Interface Configuration May Be Read-Only.
• How Do I View Activity on My LAN Interface? • How Do I Enable or Disable an Interface? • How Do I View the IOS Commands I Am Sending to the Router? • How Do I Launch the Wireless Application from SDM?
Alternatively, select the number of the subnet mask. Your network administrator can tell you the number of network bits to enter. IP address for the interface in dotted decimal format. Your network ... subnet mask. See IP Addresses and Subnet Masks.
... DHCP server on your router. The addresses a DHCP server assigns are drawn from a common pool that you configure (see DHCP Address Pools). ... IP address in the range of IP addresses.
WINS Server 2: If there is an additional WINS server on the network, enter the IP address for the server in this field.
... VLAN ID number in the New VLAN field, and then enter the IP address and subnet mask of the new VLAN logical interface in the IP Address and Subnet Mask fields.
IP address and subnet mask will appear in this screen. You can change it, or leave the values unchanged.
IP address for the interface in dotted decimal format. Your network ... subnet mask. Obtain this value from your network administrator. The network bits: this value is used to calculate ... See IP Addresses and Subnet Masks.
... VLANs on the interface, and you can configure a native VLAN that does not use the 802.1q encapsulation protocol. If you configure the interface for routing, you cannot configure subinterfaces or additional VLANs on the interface.
This section contains procedures for tasks that the wizard does not help you complete. How Do I Configure a Static Route? To configure a static route:
Step 4 Select the data item(s) you want to view by checking the associated check box(es). You can view up to four statistics at a time.
Finish. Step 1 From the SDM Edit menu, select Preferences. Step 2 Check Preview commands before delivering to router. Step 3 Click OK.
To obtain help for any screen, click the help icon in the upper right corner. This icon looks like an open book with a question mark.
Cisco Router and Security Device Manager (SDM) configures subinterfaces for each interface of that type.
• How Do I Configure a Dynamic Routing Protocol? • How Do I Configure Dial-on-Demand Routing for my ISDN or Asynchronous Interface? Refer to the software configuration guide for the router to use the CLI to configure the interface.
• When the asynchronous interface is already configured • When the asynchronous interface is not configurable by SDM due to the presence of unsupported Cisco IOS commands in the existing configuration
Static IP Address: If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided.
Dynamic (DHCP Client): If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
IP Address: Serial with Point-to-Point Protocol. Choose the method that the point-to-point interface will use to obtain an IP address.
If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
ISDN BRI connections require identification of the ISDN switch type, and in some cases, identification of the B channels using Service Provider ID (SPID) numbers. This information will be provided to you by your service provider.
... ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system. vn3—French ISDN BRI switches. ntt—Japanese NTT ISDN switches. basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931.
Note the following prerequisites: • The primary interface must be configured for Site-to-Site VPN. • The IOS image on your router must support the SAA ICMP Echo Enhancement feature.
Enter the IP address or host name of the destination host to which connectivity will be tracked. Please specify an infrequently-contacted destination as the site to be tracked.
In this window, select the type of encapsulation that the WAN link will use. Ask your service provider or network administrator which type of encapsulation is used for this link. The interface type determines the types of encapsulation available.
This option is available when you have selected an ATM interface. An ATM with AAL5-MUX subinterface will be created when you configure an RFC 1483 connection. This subinterface will be visible in the Summary window.
The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections. Enter the VPI value given to you by your service provider. Description: Provides Frame Relay encapsulation. This option is available when you have selected a serial interface.
Ask your service provider which of the following LMI types you should use. Value and Description: Annex D (ANSI): Annex D defined by American National Standards Institute (ANSI) standard T1.617. Cisco: LMI type defined jointly by Cisco Systems and three other companies. ITU-T Q.933: ITU-T Q.933 Annex A. Auto: The default. This setting allows the router to detect which LMI type is being used by communicating with the switch and to then use that type.
SDM will set FDL to none and make this field read-only. ... T1 or E1 link for operation with D4 Super Frame (sf) or ... lines. The b8zs setting ensures ... line with ... encoding.
You can automatically delete all associations that the connection has, or delete the associations later. ... link to generate remote alarms (yellow ... link.
... Interfaces and Connections. Click the connection in the Interface List, then click Edit. Click the Association tab; then in the Inspection Rule group, in both the Inbound and Outbound fields, choose None.
... Back button to return to the screen on which you need to make changes.
Checks the interface status to see if it is up or down. Checks DNS settings, whether they are SDM default options or user-specified hostnames.
If the ping fails on an xDSL connection with PPPoE encapsulation, SDM checks: • the ATM PVC status. If the ATM PVC test fails, SDM displays possible reasons for the failure and actions you can take to correct the problem.
Click this button if you want to view the summarized troubleshooting information. Details: Click this button if you want to view the detailed troubleshooting information.
This box provides a possible action/solution to rectify the problem. What Do You Want to Do? If you want to: Troubleshoot the WAN interface connection. Do this: Click Start button. If you want to: Save the test report. ... The connection is up. The connection is down. Test is successful. Test failed.
Click it to disable the interface. If the interface is currently disabled, the Enable button appears in that location. Click that button to disable the interface.
... LAN whose resources must be protected. Check Outside (untrusted) to designate it as an outside interface. Outside interfaces typically connect to an untrusted network. Click OK. ... interface by using the Monitor feature in SDM.
Step 3 In the Dynamic Routing group, click the dynamic routing protocol that you want to configure. Step 4 Click Edit. ... to configure the interface. The interface must have, at a minimum, ... dynamic routing protocol:
Step 2 Click Interfaces and Connections in the left frame. Step 3 Click the ISDN or asynchronous interface on which you want to configure DDR.
Step 1 Click Configure on the SDM toolbar. Step 2 Click Interfaces and Connections in the left frame, and then click the Edit Interface/Connection tab.
Step 3 Select the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information. If you want to change other wireless parameters, click Launch Wireless Application.
If you select a switch port, the Edit Switch Port dialog appears. The Edit button will be disabled if the interface is supported and unconfigured. ... to see what configurations are available for...
This column lists the physical and logical interfaces by name. If a logical interface has been configured for a physical interface, the logical interface is shown under the physical interface.
... Interface List. Association details include such information as Network Address Translation (NAT), access and inspection rules, IPSec policies, and Easy VPN configurations. Connection details include IP address, encapsulation type, and DHCP options.
Highlight the interface you want to edit, and click Edit. Note: If you are editing a GRE tunnel, the Connection tab will not appear if the GRE tunnel has not been configured to use gre ip mode. Select the physical interface, and click Reset.
• For reasons why a previously configured ISDN BRI interface may appear as read-only in the Interface List, see the help topic Interface Configuration May Be ... Do this: Select the interface you want to delete, and click Delete. See one of the following procedures: • How Do I Configure a Static Route? ...
Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open. This menu choice is available only if there are existing dynamic DNS methods.
IP Address of Remote DHCP Server: Enter the IP address of the DHCP server that will provide addresses to devices on the LAN.
Add Dynamic DNS Method: This window allows you to add a dynamic DNS method. Choose the type of method, HTTP or IETF, and configure it.
... Tasks > Router Properties, or if you want to override Domain Name. The dynamic DNS method sends the domain name along with the interface’s new IP address.
The name or number of an access rule applied to outbound traffic on this interface. If you want to apply a rule, click the button and either select an existing rule or create a rule and select it.
Note: ... Tunnel interface, and then associate it with the source interface for the tunnel. For example, if you wanted to associate a policy with Tunnel3, whose source interface ...
... Not Supported. Edit Switch Port: This screen lets you edit VLAN information for Ethernet switch ports.
If you have allowed the Security Audit feature to disable certain properties, but you want to reenable them, you can reenable them in this window. The properties listed in this screen are as follows:
Because it breaks the LAN security barrier, proxy ARP should be used only between two LANs with an equal security level, and only when necessary.
These messages can be used by an attacker to gain network mapping information. You can associate a QoS policy with an interface in this tab, or dissociate a policy from an interface.
... WAN wizard window, and appears with the designation Outside in the Interfaces and Connections window. Connection: VLAN: This screen lets you configure a VLAN interface.
... ID, IP address and mask, and a description, if one has been entered. For example, if the router had the interface FastEthernet 1, and the subinterfaces FastEthernet1.3 and FastEthernet1.5 were configured, this window might contain the following display: ... 56.8.1.1/255.255.255.0 Bridge No. 77 ...
This window enables you to add a loopback interface to the selected interface. IP Address: Select whether the loopback interface is to have no IP address or a static IP address.
Note: If the router has been previously configured to be a DHCP relay and is configured to have more than one remote DHCP server IP address, this button will be disabled. IP address ... subnet mask. Obtain this value from your network administrator. See IP Addresses and Subnet Masks.
Select Easy IP (IP Negotiated) if the router will obtain an IP address via Point-to-Point Protocol/IP Control Protocol (PPP/IPCP) address negotiation.
This window enables you to configure properties for an Ethernet WAN link. Enable PPPoE Encapsulation: Click Enable PPPoE encapsulation if your service provider requires that you use PPPoE; this specifies Point-to-Point Protocol over Ethernet encapsulation. ... CHAP/PAP authentication password information.
For more information, refer to IP Addresses and Subnet Masks. ... CHAP/PAP authentication password information. IP address ... for this link.
To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: ADSL: This window enables you to specify or edit properties of a PPPoE link supported by an ADSL connection.
For more information, refer to Cisco Router and Security Device Manager Version 2.2 User’s Guide 4-24 IP address IP Addresses and Subnet Masks. Chapter 4 Edit Interface/Connection for this link. OL-4015-08...
Page 101
WAN interface’s IP address changes. This feature appears only if supported by your Cisco server’s IOS. Note To choose a dynamic DNS method to use, do one of the following: OL-4015-08 CHAP Cisco Router and Security Device Manager Version 2.2 User’s Guide Connection: ADSL DSLAM authentication information.
The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections. Obtain this value from your service provider. Cisco Router and Security Device Manager Version 2.2 User’s Guide 4-26 Chapter 4 Edit Interface/Connection OL-4015-08...
Page 103
Cisco IOS version. annexb—Standard Annex-B mode of ITU-T G.992.1. • annexb-ur2—ITU-T G.992.1 Annex-B mode. • OL-4015-08 IP address IP Addresses and Subnet Masks. Cisco Router and Security Device Manager Version 2.2 User’s Guide Connection: ADSL over ISDN for this link.
To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: G.SHDSL This window enables you to create or edit a Cisco Router and Security Device Manager Version 2.2 User’s Guide 4-28 Chapter 4 Edit Interface/Connection CHAP authentication information. G.SHDSL connection. DSLAM OL-4015-08...
Page 105
Your service provider or network administrator must tell you the method the router should use to obtain an IP address. OL-4015-08 Cisco Router and Security Device Manager Version 2.2 User’s Guide Connection: G.SHDSL...
Page 106
Operating Mode Select one of the values below: IP address of the gateway system to which this link will connect. This ... IP Addresses and Subnet Masks.
Page 107
Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. CHAP
G.SHDSL port and the DSLAM, or the actual DSL line rate. The supported line rates are 200, 264, 392, 520, 776, 1032, 1160, 1544, 2056, and 2312.
To configure a new G.SHDSL connection, click Add. This will display Connection: G.SHDSL with DSL Controller ... new connection. To edit an existing G.SHDSL connection, select the connection ...
Page 110
Connection: G.SHDSL with ... page, letting you edit the connection configuration. To delete a G.SHDSL connection ...
Page 111
This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method. ... Masks. CHAP
selected. For more information, refer to IP Addresses and Subnet Masks. Frame Relay IP address for this interface. Obtain ...
Page 113
T1.617. Cisco LMI type defined jointly by Cisco and three other companies. ITU-T Q.933 ITU-T Q.933 Annex A. subnet mask ... network bits to specify how much of the IP address ...
Page 114
DNS methods. • Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method.
Obtain the value of the subnet mask or the network bits from your network administrator or Internet service provider. Subnet Bits Alternatively, enter the ... provide the network address. IP address for this point-to-point subinterface. Obtain this value from ... Masks.
Page 116
Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. CHAP authentication information.
In most cases, clock settings should not be changed from the default values. If you know that your requirements are different from the defaults, click this button and make new clock settings in the window displayed. IP address for this interface.
This window will not appear if the GRE tunnel has not been configured using gre ip mode. Tunnel Number Enter a number for this tunnel. ... tunnel to an interface or edit an existing interface in this ...
Page 119
Adjust MTU to avoid fragmentation. Bandwidth Click to specify the bandwidth for this tunnel in kilobytes. ... address.
ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system vn3—French ISDN BRI switches ntt—Japanese NTT ISDN switches basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931 ()
Page 121
IP Address Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider. For more information, refer to IP Addresses and Subnet Masks.
Page 122
subnet mask. The subnet mask specifies the portion of the IP address ... network bits to specify how many bits in the IP address ... CHAP authentication information.
IP Address Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider. For more information, refer to IP Addresses and Subnet Masks.
Page 124
subnet mask. The subnet mask specifies the portion of the IP address ... network bits to specify how many bits in the IP address ... CHAP authentication information.
Timer settings will cause the router to automatically disconnect a call after the line is idle for the specified amount of time.
Obtain this value from ... Masks. subnet mask. The subnet mask specifies the portion of the IP address ... network bits to specify how many bits in the IP address ... Backup Configuration screen, which lets you ... CHAP authentication information.
Page 127
for a serial connection or ...
DMS-100 switch type, two SPIDs are assigned, one for each B channel. SPID1 Enter the SPID to the first BRI B Channel provided to you by your ISP.
Timer settings let you configure a maximum amount of time that a connection with no traffic will stay active. By configuring timer settings your connections will shut down automatically, saving you connection time and cost.
Page 130
Enter a number between 1 and 255, where 255 equals 100% of bandwidth on the first connection being utilized. Data Direction SDM supports Multilink PPP only for outbound network traffic.
Track Object Number This is a read-only field that displays an internal object number generated and used by SDM for tracking the connectivity to the remote host.
Page 132
Enter the next hop IP address of the primary interface. Backup Next Hop IP Address Enter the next hop IP address of the ISDN BRI or analog modem backup interface.
Click this if you want SDM to create a firewall using default rules. The use case scenario shows a typical network configuration in which this kind of firewall is used.
Page 134
Click Basic Firewall. Then, click Launch the Selected Task. SDM asks you to identify the interfaces on your router, and then it uses SDM default access rules and inspection rules to create the firewall. ... inspection rule.
Page 135
DMZ, you should select this option. Get information about a task that this wizard does not help me complete. Do this: Select Advanced Firewall. Then, click Launch the Selected Task. SDM will show you the default inspection rule and allow you to use it in the firewall.
SDM to manage the router. Select the outside interface Select the interfaces through which users are to launch SDM.
Select the router interface that connects to a DMZ network, if one exists. A DMZ network is a buffer zone used to isolate traffic that comes from an untrusted network. If you have a DMZ network, select the interface that connects to it. ... Internet firewall by asking you for information about ...
Click Add, and create the entry in the DMZ Service Configuration window. To edit a DMZ service entry: Select the service entry, and click Edit. Then, edit the entry in the DMZ Service Configuration window.
Outgoing traffic can leave the router, but if return traffic of the same type is not explicitly permitted, it will not be allowed on the LAN. Inspection rules provide a means to allow such return ... inside global address.
Page 140
Off if no audit trail is to be generated. Audit trails will be saved in a syslog file if syslog has been enabled in the Router Properties Logging window.
Select an existing policy, and select the policy. To create a policy, click the button, choose Create a New Policy, and create the policy in the dialog displayed. Do this: Select the rule name from the Inspection Rule Name list. The inspection rule entries appear in the box below.
The following are examples: • Apply default inspection rule to the outbound direction. (Basic Firewall) • Turn on unicast reverse path forwarding check.
Page 143
CLI commands that you are delivering to the router. How Do I... This section contains procedures for tasks that the wizard does not help you complete.
Step 3 In the upper table, click the rule that you want to modify. Step 4 Click Edit. ... firewall is monitored through the creation of log entries. If ... rule that is configured to ...
The interface must have, at a minimum, an IP address configured, and it must be working. For more information on how to configure an interface using the CLI, refer to the Software Configuration Guide for your router. ... firewall on an interface type unsupported by SDM. Before ...
105 permit ahp host 123.3.4.5 host 192.168.0.1 access-list 105 permit esp host 123.3.4.5 host 192.168.0.1 ... is placed on an interface used in a VPN, the firewall must permit ...
Step 9 From the Service field, select TCP. Step 10 In the Port field, enter 80 or www. Step 11 Click Next>. Step 12 Click Finish. ... network:
NAT. The unsupported interface will appear as “Other” on the router interface list. ... to configure the interface. The interface must have, at a minimum, ...
Concentrator? In order to permit traffic through your firewall to a VPN concentrator, you must create or modify access rules that permit the ... and are now configuring your firewall, you must ... firewall so that it permits traffic from your public IP address. To do ...
Page 150
• Protocol UDP, Source Port 500, Destination Port 500 • Protocol IP, IP Protocol ESP • Protocol UDP, Source Port 10000, Destination Port 10000 Step 16 Click OK.
Step 4 In the Association tab, find the access rule in the inbound or outbound field in the Access Rule box. The access rule may have a name, or a number. Add or Edit a Rule
These sources are defined in an access rule that the Java List references. To create this kind of access rule, and use it in a Java list, do the following:
DMZ. If you do not have a DMZ network, you can still permit specified types of outside traffic onto your network, using the Firewall Policy feature. Step 1 Configure a firewall using the Firewall wizard.
Although it is set in the context of a DMZ network, the procedure is applicable to an inside network as well. ... for an example of allowing traffic ...
DMZ interface and specify the services that should be allowed onto the DMZ network.
Page 156
SDM will display a message telling you to configure an additional interface. The following graphic shows the Traffic Selection panel. Use Case Scenario.
Page 157
The following illustration shows the traffic selection panel and the traffic diagram area displaying the access rules and inspection rules in the selected traffic flow.
Page 158
From interface, and there is an access rule applied to the inbound direction of the To interface. The access rule on the inbound direction of the To interface is an extended access rule, and contains at least one access rule entry.
Page 159
If the Policy Panel is blank, you can use the Add button to create entries for the rule. Rules applied to Originating traffic are indicated by a right arrow. An icon on the From interface traffic line indicates the presence of a rule filtering traffic inbound to the router.
Page 160
Then, create the entry in the Add an Entry window. Remember that the order of entries is important. SDM displays ...
Page 161
Ethernet 0 interface from traffic entering the Ethernet 1 interface, select From: Ethernet 0, and To: Ethernet 1. Then click Apply Firewall. If the selected traffic flow does not have a firewall applied, you can apply a firewall by selecting Originating traffic and clicking the Apply Firewall button.
Page 162
The address of a host Any network or host Examples: TCP, EIGRP, UDP, GRE. See Services. Examples: Telnet, http, FTP. See Services. Examples: SNMP, bootpc, RIP. See Services. Internet Group Management Protocol (IGMP). Examples: echo-reply, host-unreachable. See ICMP Message Types. Log denied traffic.
Page 163
From interface. You can add an entry for a specific application whether or not an inspection rule already exists. Edit—Click to edit a selected entry. Delete—Click to delete a selected entry.
Page 164
Audit Trail Whether or not audit trail is enabled. default-off. Timeout How long the router should wait before blocking return traffic for this protocol or application. 3600 (seconds). Description Short description. VDOLive protocol.
Add rpc Application Entry Add a Remote Procedure Call (RPC) program number in this window, and specify Alert, Audit, Timeout, and Wait time settings.
Edit Firewall Policy/ACL window, and you can specify Alert, Audit, and Timeout settings. A fragment entry sets the maximum number of unreassembled packets that the router should accept before dropping them.
Use this window to add an http application to the inspection rule. Alert Action One of the following: • default-on—Leave as default. Default value is on. • on—Enable alert. • off—Disable alert.
• Do Not Block (Permit)—Permit Java applets from this network or host. • Block (Deny)—Deny Java applets from this network or host. Host/Network Specify the network or the host.
• Keep inspection rule name on <interface-name> inbound, and dissociate inspection rule name on <interface-name> outbound—SDM will keep one inspection rule, and dissociate the rule from the other interface.
* Apply inbound access list to deny returning traffic. Click OK to accept these changes, or click Cancel to stop the application of the firewall.
Action button—Click to add a policy, delete the chosen policy, or clone the chosen policy. If no policies are configured on the router, Add is the only action available.
Page 172
Click this drawer to make changes to the security settings of other applications and protocols. Click ... Point-to-Point Applications ... Applications/Protocols for more information. ... HTTP ... Instant Messaging for more ...
Application Security configuration windows do not display the default values; you must click this button to view them in the Global Timeouts and Thresholds window. See Global Timeouts and Thresholds for more information. ... No Application Security Policy for more information.
Default value: 20 MB. Secure login checkbox Causes a user at a non-secure location to use encryption for authentication. ... Windows.
Page 175
Use the Permit, Block and Alarm controls to specify the action that you want SDM to take when this type of traffic is encountered. ... Windows. to learn how to specify the action that ...
Page 176
Off explicitly disables the CBAC audit trail for HTTP traffic and for HTTPS traffic if HTTPS inspection is enabled, and overrides the global audit trail setting ...
To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
Page 178
Specification version 3.3, combined with the "deflate" compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification version 1.3. ... to learn how to specify the action that ...
The following example shows traffic blocked for BitTorrent traffic, and alarms generated when traffic for that application arrives: BitTorrent Block Send Alarm (checked) ... to learn how to specify the action that ...
Audit column, but the Alert and Timeout columns are blank. Application Security Windows.
Global Timer values can be specified in seconds, minutes, or hours. TCP Connection Timeout Value The amount of time to wait for a connection to be established. The default value is 30 seconds.
Page 182
Stop deleting new connections after the number of new connections drops below this value. The default value is 400 sessions. Start deleting new connections when the number of new connections exceeds this value. The default value is 500 sessions.
Incoming column and the Outgoing column. To have only incoming traffic inspected, you would only check the box in the Incoming column. Stop deleting new connections after the number of new connections drops below this value. The default value is ...
Other Options Certain applications can have additional options set. Depending on the application, you may see the options described next. ... Global ... for more information.
Block to deny traffic. If you want an alarm to be sent to the log when this type of traffic is encountered, check Send Alarm. The Send Alarm control is not used in all windows.
Page 186
This option allows you to create a VPN network connecting two routers. Create a Secure GRE Tunnel (GRE-over-IPSec) This option allows you to configure a generic routing encapsulation protocol (GRE) tunnel between your router and a peer system. More About VPN.
Page 188
network Do this: Select Create a site-to-site VPN. Then click Launch the selected task. Select Create a Secure GRE tunnel (GRE-over-IPSec). Then click Launch the selected task.
Page 189
Site-to-Site VPN If you want to: Find out how to perform other VPN-related tasks that this wizard does not guide you through. Do this: Select a topic from the following list: • How Do I View the IOS Commands I Am ...
Cisco VPN 3000 series concentrator to operate with an Easy VPN Remote Phase II client, and other information which you might find useful: http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800a8565.html The following link connects you to Cisco VPN 3000 series documentation: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_getting_started_guide_book09186a00800bbe74.html
IPSec rule that SDM will use to configure a Quick Setup site-to-site VPN. If you need a different configuration than this window shows, check Step-by-Step wizard so that you can define configuration values. Do this: Check Quick setup, and then click Next.
This key must be the same on each side of the VPN connection. ... IP address or host name of the remote site that ... tunnel that you are configuring, to specify the router ... authenticate ...
Page 193
Choose the interface on the router that will be the source of the traffic on this VPN connection. All traffic coming through this interface whose destination IP address is in the subnet specified in the Destination area will be encrypted. ... pre-shared key, and then reenter it for confirmation. Exchange the ...
IKE policies. Priority This is the order in which the policy will be offered during negotiation. IP Addresses and Subnet Masks. ... authenticate themselves.
Page 195
AES provides greater security than DES and is computationally more efficient than 3DES. • AES-192—AES encryption with a 192-bit key. • AES-256—AES encryption with a 256-bit key.
Page 196
Either SDM Default or User Defined. If no User Defined policies have been created on the router, this window will show the default IKE policy.
To learn the possible values each column may contain, click ... Transform Name The name given to this transform set. ... or DMVPN. A transform Set.
Page 198
Tunnel mode allows network devices such as routers to act as an IPsec proxy for multiple VPN users. Type Either User Defined, or SDM Default.
Enter the address of the subnet whose outgoing traffic you want to protect, and specify the subnet mask. For more information, refer to ... Configurations. Do this: Select a transform set, and click Next. Click Add, and create the transform set in the Add Transform Set window.
This window shows you the VPN or DMVPN configuration that you created. You can review the configuration in this window and use the back button to make changes if you want. ... IPSec rule that defines ...
• The routing protocol to use, and any information associated with the protocol, such as Autonomous System number (for EIGRP), and OSPF Process ID.
Note SDM lists interfaces with static IP addresses and interfaces configured as unnumbered in the Interface list. Loopback interfaces are not included in the list. ... IPSec rule that describes the ...
Enter the subnet mask for the tunnel address in dotted decimal format. VPN Authentication Information VPN peers use a pre-shared key to authenticate connections from each other. This key must be the same on each side of the VPN connection. ... Masks.
Page 204
Digital Certificates page, select the configured trustpoint, and select None for Revocation. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-50 pre-shared key, and then reenter it for confirmation. Exchange the Chapter 8 Site-to-Site VPN OL-4015-08...
Enter the IP address of the tunnel in dotted decimal format. For more information, IP Addresses and Subnet Subnet Mask Enter the subnet mask for the tunnel address in dotted decimal format. OL-4015-08 Masks. Cisco Router and Security Device Manager Version 2.2 User’s Guide Create Site to Site VPN...
Next to specify which networks will participate in the GRE-over-IPSec VPN in the Routing Information window. This option is not available when you configure a backup GRE-over-IPSec tunnel. Note Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-52 Chapter 8 Site-to-Site VPN GRE over IPSec VPN. Select OL-4015-08...
! Entry added by SDM ip route 200.1.0.0 If no default route exists, SDM simply creates one, using the tunnel interface as the next hop. For example: ip route 0.0.0.0 OL-4015-08 0.0.0.0 FE0 0.0.0.0 Tunnel0 255.255.0.0 FE0 0.0.0.0 Tunnel0 Cisco Router and Security Device Manager Version 2.2 User’s Guide...
Use this window to specify how other networks behind your router are advertised to the other routers in the network. Select one of the following: EIGRP—Extended Interior Gateway Routing Protocol. • OSPF—Open Shortest Path First. • Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-54 Chapter 8 Site-to-Site VPN OL-4015-08...
In effect, it gives you the protection of a private network over public lines that may be used by other organizations. OL-4015-08 configuration that you have completed. You can Cisco Router and Security Device Manager Version 2.2 User’s Guide...
Page 210
Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-56 The connection is up. The connection is down. The connection is being established. More about VPN Connections and IPSec Chapter 8 Site-to-Site VPN crypto map defined for the IPSec OL-4015-08...
Page 211
Dynamic—This is a dynamic site-to-site VPN tunnel. The VPN tunnel uses • dynamic crypto maps. Add Button Click to add a VPN connection OL-4015-08 transform set used by this VPN connection. Multiple Cisco Router and Security Device Manager Version 2.2 User’s Guide Edit Site-to-Site VPN...
Select the interface you want to use for the VPN from the Select Interface list. Step 1 Only interfaces that are not used in other VPN connections are shown in this list. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-58 Chapter 8 Site-to-Site VPN OL-4015-08...
This is the name of the IPSec policy controlling the VPN connection. The crypto maps that make up the IPSec policy are shown in the list below this field. For more information, see More about VPN Connections and IPSec.

Then click OK in this window. Check the Use Add Wizard box, and click OK. SDM will guide you in creating a new crypto map, and will associate it with the IPSec policy.

...Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) for remote VPN clients or LAN-to-LAN sessions. Reverse Route Injection (RRI) dynamically adds static routes to the clients connected to the Easy VPN server.

This shows the name, encryption, authentication characteristics, and other parameters of the selected crypto map. If the read-only icon appears next to the transform set, the transform set is read-only and cannot be edited.

You can either select a subnet mask from the list or type in a custom mask. The subnet number and mask must be entered in dotted decimal format. For more information, see IP Addresses and Subnet Masks. Then click Next.

Review the configuration in the Summary window. Click Back to return to a screen and make changes, then return to the Summary window and click Finish to deliver the crypto map configuration to the router.

By default, the ping command originates from the outside interface with the connection to the remote device.

After Configuring a VPN, How Do I Configure the VPN on the Peer Router? SDM can generate a text file for the peer that uses identical names for IPSec policies, IKE policies, and transform sets...

To make the listed NAT rules use route maps: click OK.

How Do I... This section contains procedures for tasks that the wizard does not help you complete.

Step 10: In the Destination fields, enter the IP address and subnet mask of the destination router. Step 11: Click Next. (...tunnels on one interface on your router.)
...IP traffic coming from a specific subnet, enter the IP address and subnet mask of that subnet in the appropriate fields.

Step 5: Click Save to display the Windows Save File dialog box, and save the file. SDM includes a function that generates a mirror configuration for the peer router to which your VPN tunnel connects.

Step 6: In the Add static crypto maps window, you can add more crypto maps to the VPN connection.

Do not apply the mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration.
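The part of a mirror configuration that must be exact is the IPSec rule (crypto ACL): the peer's rule has to be the mirror image of yours, with source and destination swapped and entries in the same order, or one side encrypts a flow the other does not expect. The following added example (not code from the SDM guide) builds that mirror image for a list of rules and checks a hand-typed peer ACL against it. The rule lines and the peer ACL are constructed sample data; only the simple "permit/deny ip <net> <wildcard> <net> <wildcard>" form is handled.

```python
"""Mirror-image IPSec rules for the peer router.

Added example; this is not code from the SDM guide. An IPSec rule (crypto ACL)
selects the traffic a crypto map protects: 'permit' entries are encrypted,
'deny' entries are sent in the clear. The peer's rule must be the exact mirror
image of ours (source and destination swapped, same order), which is what SDM's
generated mirror configuration provides before you edit the rest of it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPSecRule:
    action: str                      # "permit" = encrypt, "deny" = send in clear
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network

    def mirror(self) -> "IPSecRule":
        # What we call destination is the peer's source, and vice versa.
        return IPSecRule(self.action, self.destination, self.source)

    def to_ios(self) -> str:
        # Extended ACL syntax: network address followed by a wildcard mask.
        return (f"{self.action} ip {self.source.network_address} {self.source.hostmask} "
                f"{self.destination.network_address} {self.destination.hostmask}")


def parse_rule(line: str) -> IPSecRule:
    """Parse 'permit ip <net> <wildcard> <net> <wildcard>' (the only form handled here)."""
    parts = line.split()
    if len(parts) != 6 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
        raise ValueError(f"unsupported IPSec rule: {line!r}")
    # ipaddress accepts a hostmask (wildcard) as the second tuple element and
    # rejects non-contiguous wildcards, which crypto ACLs should not use anyway.
    return IPSecRule(parts[0],
                     ipaddress.IPv4Network((parts[2], parts[3])),
                     ipaddress.IPv4Network((parts[4], parts[5])))


def mirror_rules(rules):
    """The peer's rule list: every entry mirrored, order preserved."""
    return [r.mirror() for r in rules]


def check_symmetric(local, peer):
    """Compare the peer's rules with the mirror of ours; return a list of mismatches."""
    expected = mirror_rules(local)
    problems = []
    for n, (want, got) in enumerate(zip(expected, peer), start=1):
        if want != got:
            problems.append(f"entry {n}: expected '{want.to_ios()}', peer has '{got.to_ios()}'")
    if len(expected) != len(peer):
        problems.append(f"entry count differs: local {len(expected)}, peer {len(peer)}")
    return problems


# Constructed sample: protect 10.1.1.0/24 <-> 10.2.2.0/24, but leave the
# 10.2.2.128/25 half in the clear (deny entries go first, as in IOS ACLs).
LOCAL_RULES = [
    "deny ip 10.1.1.0 0.0.0.255 10.2.2.128 0.0.0.127",
    "permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
]
# Constructed sample of a hand-typed peer ACL that is not a mirror image.
PEER_RULES_WRONG = ["permit ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255"]

if __name__ == "__main__":
    local = [parse_rule(r) for r in LOCAL_RULES]
    for rule in mirror_rules(local):
        print(rule.to_ios())
    for problem in check_symmetric(local, [parse_rule(r) for r in PEER_RULES_WRONG]):
        print("MISMATCH:", problem)
```

Run it as a script to print the peer's rule list and the mismatches found in the wrong peer ACL; the same comparison is worth doing before pasting any edited mirror configuration into the peer.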
Check that the connection is working by using Monitor mode.

Step 8: To add additional peers, repeat Step 4 through Step 8.

How Do I Accommodate Multiple Devices with Different Levels of VPN Support? Add multiple transform sets to a single crypto map...

How Do I Configure a VPN over an Interface Type Unsupported by SDM? Configure the unsupported interface before using SDM to configure your VPN connection. The unsupported interface will then appear in the fields that require you to choose an interface for the VPN connection.

Step 8: In the Action field, choose Permit. Step 9: In the Source Host/Network group, from the Type field, select A Network. (...to function with a firewall, to translate addresses from networks outside your own, and...)

Step 13: In the Description field, enter a short description of the network or host. Step 14: Click OK. The new rule now appears in the Access Rules table.

Chapter 9 Easy VPN Remote

Note: If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase II or later, you will not be able to configure an Easy VPN client.

...devices outside the LAN will not be able to ping devices on the LAN, or reach them directly. ...there must be a DNS server on the network that can resolve the hostname to the correct IP address.

Enter the IPSec group key. The group key must match the group key defined on the VPN concentrator or server. Obtain this information from your network administrator. Reenter the key to confirm its accuracy.

The web browser option appears only if supported by the Cisco IOS image on your router. ...XAuth to authenticate the router. If the server...

...VPN tunnel whenever a timeout occurs. You can change SA timeout settings in VPN Global Settings, under VPN Components.

...If the server uses XAuth, it challenges the router for a username and password. When this happens, you must first supply a Secure Shell (SSH) login...

Status: The status of the connection, indicated by the following icons and text alerts. The connection is up. When an Easy VPN connection is up, the Disconnect button lets you deactivate the connection if manual tunnel control is used.

Configuration Changed: The configuration for this connection has been changed and needs to be delivered to the router. If the connection uses manual tunnel control, use the Connect button to establish the connection.

• They must be entered from SDM or the router console.
• They must be entered from a PC browser when browsing.

This button is labeled Login if all of the following are true:
• The Easy VPN server or concentrator being connected to uses XAuth.

...VPN peer. The connection is cleared and reestablished. To add a connection: click Add in the Edit Easy VPN Remote window, configure the connection in the Add Easy VPN Remote window, and click OK. Then click Connect in this window to connect to the Easy VPN server.

...VPN Remote Phase II client, along with other useful information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800a8565.html

The following link connects you to Cisco VPN 3000 series documentation: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_getting_started_guide_book09186a00800bbe74.ht

How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator?
...Network Address Translation (NAT) and Port Address Translation (PAT) will be used. Devices outside the LAN will not be able to ping devices on the LAN or to reach them directly.

Enter the IPSec group name. The group name must match the group name defined on the VPN concentrator or server. Obtain this information from your network administrator.

...Easy VPN concentrator or server on the network. Note: This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase III.

...VPN Connections window. The Connect and Disconnect buttons are disabled when this Easy VPN connection is chosen.

...Cisco 800 series and Cisco 1700 series routers. Note: An interface cannot be designated as both an inside and an outside interface.

If user authentication does not appear, it must be set from the router command-line interface. Choose one of these ways to enter the XAuth username and password:
• From a PC ...

If the router uses Secure Shell (SSH), you must enter the SSH login and password the first time you establish the connection. Use this window to enter SSH or Telnet login information. The web browser option appears only if supported by the Cisco IOS image on your router.

...a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol. Name: Enter a name for the Easy VPN remote configuration.

To allow subnets not directly connected to your router to use the tunnel, click the Options button and configure the network extension options.
• Enable remote management and troubleshooting of your router.

The group name must match the group name defined on the VPN concentrator or server. The subnets you enter must not be directly connected to the router.

Enter the username and password provided by the Easy VPN server administrator, and then reenter the password to confirm its accuracy. Note: The web browser option appears only if supported by the Cisco IOS image on your router.

Up to three inside interfaces are supported on Cisco 800 and Cisco 1700 series routers. You can remove interfaces from an Easy VPN configuration in the Edit Easy VPN Remote window.

Note: ...image on your router. How Do I... This section contains procedures for tasks that the wizard does not help you complete.

Step 4: ...interface. Step 5: In the appropriate wizard window, set the new interface as a backup for an Easy VPN Remote connection.

Step 5: Click the Backup tab and configure the backup for an Easy VPN Remote connection. Step 6: When you have finished configuring the backup, click OK.
Chapter 10 Easy VPN Server

• Configuring user authentication
• Configuring group policies on the local database, if needed
• Configuring an IPSec transform set

...Add Group Policy general setup window. If you choose digital certificates, the preshared key fields do not appear in the Add Group Policy general setup window.

When you define method lists for both a RADIUS and a local database, the router first looks at the RADIUS server and then at the local database for group authentication. The local database is consulted only when the RADIUS server does not respond, not when it rejects the group. To use this: choose RADIUS and Local Only, then click Next.

The chosen method list is used for extended authentication. To use only the local database: choose Local only, then click Next. To use an existing method list: choose "Choose an existing AAA method list", then click Next.
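The "RADIUS and Local Only" choice is often misread as "local is a backup if RADIUS says no". It is not: an AAA method list moves to the next method only when the previous one could not answer. The following added example (not code from the SDM guide or from Cisco IOS) models that rule with two stub backends and constructed group data, so you can see which of the two methods decides in each case.

```python
"""How an AAA method list such as 'group radius local' is walked.

Added example; not code from the SDM guide or Cisco IOS. It models the rule
that IOS applies to method lists: the next method in the list is consulted
only when the previous method could not answer (server unreachable), never
when it answered with a rejection. So 'RADIUS and Local Only' does not let a
group that RADIUS rejected fall through to the local database. The backend
functions and the sample group data are constructed for the example.
"""
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method could not answer (timeout, server unreachable)


def make_radius(reachable, groups):
    """RADIUS backend stub: 'groups' maps group name to the expected key."""
    def check(group, key):
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if groups.get(group) == key else Outcome.FAIL
    return check


def make_local(groups):
    """Local-database backend stub with the same contract."""
    def check(group, key):
        return Outcome.PASS if groups.get(group) == key else Outcome.FAIL
    return check


def run_method_list(methods, backends, group, key):
    """Return (outcome, method that decided). ERROR moves on; PASS/FAIL stops."""
    for name in methods:
        outcome = backends[name](group, key)
        if outcome is not Outcome.ERROR:
            return outcome, name
    # Every method errored: the request is denied (there is no 'none' method here).
    return Outcome.FAIL, None


# Constructed sample data: RADIUS knows one group, the local database another
# plus a stale copy of the RADIUS group with an old key.
RADIUS_GROUPS = {"sales": "radius-key-1"}
LOCAL_GROUPS = {"branch": "local-key-1", "sales": "old-key"}


def scenario(radius_reachable, methods, group, key):
    backends = {
        "radius": make_radius(radius_reachable, RADIUS_GROUPS),
        "local": make_local(LOCAL_GROUPS),
    }
    return run_method_list(methods, backends, group, key)


if __name__ == "__main__":
    print(scenario(True, ["radius", "local"], "sales", "radius-key-1"))  # PASS via radius
    print(scenario(True, ["radius", "local"], "sales", "old-key"))       # FAIL: no fallthrough
    print(scenario(False, ["radius", "local"], "sales", "old-key"))      # PASS via local (RADIUS down)
    print(scenario(True, ["local"], "branch", "local-key-1"))            # PASS, local only
```

The second scenario is the one to remember: the stale local copy of the "sales" group never gets a say while the RADIUS server is reachable, which is the behaviour you want from a central policy store.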
This window lets you add a new RADIUS server, or edit or ping an existing RADIUS server. Add: Add a new RADIUS server. Edit: Edit an existing RADIUS server configuration.

This domain name is pushed to the users connecting to this group. Split ACL: The access control list (ACL) that represents protected subnets for split tunneling purposes.

Create a New Pool: Enter the range of IP addresses for the local IP address pool in the IP Address Range field.

Enter the key in the Preshared Key field. To create a pool, enter the IP address range in the Create a new pool field under the Pool Information area. To reuse a pool, choose the IP address range from the Select From An Existing Pool field under the Pool Information area.

You can also specify which groups of ACLs represent protected subnets for split tunneling. Enable Split Tunneling: This box allows you to add protected subnets and ACLs for split tunneling. To push DNS servers: check the DNS option, then enter the primary and secondary DNS server IP addresses in the fields provided.

Choose the Split Tunneling ACL, and choose the ACL from the available options. Alternatively, check the Enable Split Tunneling option and enter the domain names in the field provided. You must also set up subnets or choose an ACL.

Enter the URL of the configuration file in the URL field. Enter the version number of the file in the Version field. The version number must be in the range 1 to 32767.

Perfect Forward Secrecy (PFS): Enable PFS if it is required by the IPSec security association you are using.

Delete. Add or Edit Browser Proxy Settings: This window allows you to add or edit browser proxy settings. To add a backup server: click Add in the Backup Servers area, then enter the backup server IP address or host name in the window displayed.

Step 4: ...addresses, check the Bypass proxy server for local addresses check box. Step 5: Click OK to save the browser proxy settings.

Save user name and password. Specify the maximum number of simultaneous connections a user can make to the Easy VPN Server. To restrict clients to the group: check the Enable group-lock option. To allow saved passwords: check the Enable save password option. To limit logins: enter the number in the Maximum Logins Allowed Per User field.

Add Button: Click to configure a new client update entry. Edit Button: Click to edit the specified client update entry. Delete Button: Click to delete the specified client update entry.

To save this configuration to the router running configuration and leave this wizard, click Finish. Changes will take effect immediately.

Displays the proxy server IP address and port number used. Bypass Local Addresses: If set, prevents clients from using the proxy server for local (LAN) addresses.

Edit: Click Edit to edit an existing Easy VPN Server configuration. Delete: Click Delete to delete a specified configuration. Name Column: The name of the IPSec policy associated with this connection.

• There is more than one Easy VPN Server connection using the local database for user authentication.
• There is at least one local group policy configured.

Check Initiate if you want the router to initiate connections with Easy VPN Remote clients. Check Respond if you want the router to wait for requests from Easy VPN Remote clients before establishing connections.

Check the target group's check box and uncheck those of all other groups. Deny the target group access in all other Easy VPN Server connections by unchecking its check box in the Restrict Access window belonging to each of those connections.

ACL Column: If split tunneling is specified for this group, this column may contain the name of an ACL that defines which traffic is to be encrypted.

• Group Lock: Clients are restricted to the group.
• Save Password: XAuth credentials can be saved on the client.
• Maximum Logins: ...

Note: If a local pool is configured with the group option using the CLI, the name of the group is displayed in the group name column. You cannot configure local pools with the group option using SDM.

This window lets you add an IP address range to an existing pool. Start IP Address: Enter the lowest IP address in the range. End IP Address: Enter the highest IP address in the range.
Chapter 11 Dynamic Multipoint VPN (DMVPN)

...Cisco IOS 12.2(13)T. SDM supports the configuration of a single DMVPN on a router. In this screen, identify your router as a hub or as a spoke in the DMVPN network.

...(RIP, OSPF) that should be used. The hub is the logical center of the DMVPN network; spokes are the logical... DMVPN networks can be configured with a single hub, or with a primary and a backup hub.

Enter the pre-shared key used in the DMVPN network. Spaces must not be used in the pre-shared key. The pre-shared key can contain a maximum of 128 characters.

...a subnet mask for 10.10.6.0 could be 255.255.255.0. For more information, see IP Addresses and Subnet Masks. ...to support an IPSec tunnel to each spoke in the DMVPN network...

SDM Default: 100000. NHRP Hold Time: Enter the number of seconds that NHRP address mappings should be advertised as valid. SDM Default: 360. SDM provides default tunnel parameters...

Enter the IP address of the interface on the primary hub that is used for this tunnel. This should be a static IP address. Obtain this information from the hub administrator.

For more information on OSPF parameters, see ... Please select the version of RIP to enable: Specify RIP version 1 or version 2. For more information, see Add or Edit a RIP Route.

Each router in a particular OSPF area maintains a topological database for that area. Add: Click to add a network, or a group of networks, to advertise. See Recommendations for Configuring Routing Protocols for DMVPN.

...a GRE over IPSec connection to the DMVPN hub, and will send traffic destined for other spokes through the hub. When you select this option, the graphic displays links from the spokes to the hub. ...the DMVPN network this router is a part of.

...the mGRE tunnel interface on the hub. The mGRE tunnel...

...DMVPN. SDM informs you of the conflict and gives you the option of allowing SDM to modify the configuration so that the conflict is removed. See IP Addresses and Subnet Masks.

The physical interface from which this tunnel originates.

Add: Click to add a new DMVPN tunnel configuration. Edit: Click to edit a selected DMVPN tunnel configuration. Delete: Click to delete a DMVPN tunnel configuration.

Enter the largest amount of data, in bytes, that should be allowed in a packet traveling through the tunnel.

Enter the string that NHRP stations use to authenticate themselves for NHRP transactions. The string can be up to 8 characters long. All NHRP stations in the DMVPN must be configured with the same authentication string. This string is carried in the NHRP packet itself and is only a configuration sanity check; the protection of the tunnel comes from the IPSec profile, not from this string. An mGRE tunnel interface is an interface capable of maintaining tunnels to multiple DMVPN hubs and spokes.

In this part of the window you are providing the address information that the spoke or backup hub needs to contact the primary hub.

• RIP—Routing Information Protocol
• OSPF—Open Shortest Path First
• EIGRP—Enhanced Interior Gateway Routing Protocol

Check this box to have EIGRP use the original IP next hop when advertising routes to the DMVPN spoke routers. See Recommendations for Configuring Routing Protocols for DMVPN.

How Do I Configure a DMVPN Manually? In the DMVPN Tunnel Configuration window, complete the General, NHRP, and Routing tabs to create a DMVPN tunnel. Consult the online help for more information about a particular field.

Step 2: In the Routing window, select the routing protocol that you specified in the DMVPN configuration, and click Edit. Step 3: Add the network numbers that you want to advertise.
Chapter 12 VPN Global Settings

...The Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes.

IPSec Security Association (SA) Lifetime (Sec): The amount of time after which IPSec security associations (SAs) will expire and be regenerated. The default is 3600 seconds (1 hour).

...IPSec and IKE security associations with that peer. The Enable Dead Peer Detection check box is disabled when the Cisco IOS image that the router is using does not support DPD.

If you do not specify a value, the router will authenticate and generate a new key after the current key has encrypted 4,608,000 kilobytes.

Reenter the master key in this field for confirmation. If the values in this field and in the New Master Key field do not match, SDM prompts you to reenter the key.
Chapter 13 IP Security

To learn about the relationship between IPSec policies, crypto maps, and VPN connections, see More about VPN Connections and IPSec. Icon: If this icon appears next to the IPSec policy, it is read-only, and it cannot be edited. An IPSec policy may be read-only if it contains commands that SDM does not support.

Multiple peers are separated by commas. Transform Set: This column lists the transform sets in the crypto map that will be used to establish the IPSec security associations for the connection.

The name of this IPSec policy. This name can be any set of alphanumeric characters. It may be helpful to include the peer names in the policy name, or to include other information that will be meaningful to you. To add a policy: click Add.

If you need multiple transform sets in the crypto map, do not use the wizard. Select the crypto map, click Edit, and edit the crypto map in the Edit crypto map panels.

When security keys are derived from previously generated keys, there is a security problem: if one key is compromised, then the others can be compromised also. Perfect Forward Secrecy (PFS) guarantees that each key is derived...
To add a peer: click Add, and enter the IP address or host name of the peer. To remove a peer: select the peer, and click Remove.

To add a transform set to the Selected Transform Sets box: select a transform set in the Available Transform Sets box, and click the right-arrow button. To remove a transform set from the Selected Transform Sets box: select the transform set you want to remove, and click the left-arrow button.

To change the order of the transform sets: select a transform set, and click the up button or the down button. To create a transform set: click Add, and configure the transform set in the Add Transform Set window. To modify a transform set: click Edit, and configure the transform set in the Edit Transform Set window.

Dynamic Crypto Map Sets: This area lists the crypto maps used in this set. Use the Add, Edit, and Delete buttons to add, remove, or modify crypto maps in this list.

Name: The name of the IPSec profile. Transform Set: The transform sets used in this profile. Description: A description of the IPSec profile. Add: Click to add a new IPSec profile.

Transform Set: A transform set is a particular combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

Encryption types: Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). SEAL encryption uses a 160-bit encryption key and has a lower impact on the CPU when compared to other software-based algorithms. DES, with its 56-bit key, should not be used where a stronger option is available.

• Transport—Only the data (payload) is encrypted. This mode is used when the encryption endpoints and the communication endpoints are the same.

Type: Either User Defined or SDM Default.

...Edit Transform Set window. Note: SDM Default transform sets are read-only and cannot be edited. To delete a transform set: select the transform set, and click Delete. Note: SDM Default transform sets are read-only and cannot be deleted. See Allowable Transform Combinations.

In tunnel mode, with AH or ESP, a new IP header is attached, and the entire original datagram can be...

IP Compression (COMP-LZS): Check this box if you want to use data compression.
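The Add and Edit Transform Set windows only let you pick allowable combinations, but transform sets also arrive by CLI and in mirror configurations. The following added example (not SDM's own validation) checks a transform-set specification against the combination rule (at most one AH authentication transform, one ESP encryption transform, one ESP authentication transform and one compression transform) and flags choices a reviewer would question. The transform keywords are the IOS ones named above; the checker logic and the sample specifications are constructed for the example.

```python
"""Check an IPSec transform set against the combinations IOS allows.

Added example; not code from the SDM guide. A transform set names up to four
transforms: at most one AH authentication transform, one ESP encryption
transform, one ESP authentication transform and one compression transform,
used in tunnel or transport mode. Beyond the syntax rule, the checker flags
ESP encryption with no authentication transform (ciphertext can be altered
undetected), esp-null, DES and MD5.
"""
AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENCRYPTION = {"esp-des", "esp-3des", "esp-aes", "esp-aes 192", "esp-aes 256",
                  "esp-seal", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
COMPRESSION = {"comp-lzs"}


def tokenize(spec: str):
    """Split 'esp-aes 256 esp-sha-hmac' into ['esp-aes 256', 'esp-sha-hmac']."""
    out = []
    for word in spec.split():
        if word.isdigit() and out and out[-1] == "esp-aes":
            out[-1] = f"esp-aes {word}"      # key size belongs to the previous transform
        else:
            out.append(word)
    return out


def validate_transform_set(spec: str, mode: str = "tunnel"):
    """Return (errors, warnings); an empty error list means the combination is allowed."""
    errors, warnings = [], []
    transforms = tokenize(spec)
    if not transforms:
        errors.append("empty transform set")
    slots = {"AH": [], "ESP encryption": [], "ESP authentication": [], "compression": []}
    for t in transforms:
        if t in AH_AUTH:
            slots["AH"].append(t)
        elif t in ESP_ENCRYPTION:
            slots["ESP encryption"].append(t)
        elif t in ESP_AUTH:
            slots["ESP authentication"].append(t)
        elif t in COMPRESSION:
            slots["compression"].append(t)
        else:
            errors.append(f"unknown transform {t!r}")
    for slot, chosen in slots.items():
        if len(chosen) > 1:
            errors.append(f"more than one {slot} transform: {', '.join(chosen)}")
    if mode not in ("tunnel", "transport"):
        errors.append(f"unknown mode {mode!r}")
    enc = slots["ESP encryption"]
    if enc and not slots["ESP authentication"] and not slots["AH"]:
        warnings.append("ESP encryption without any authentication transform: no integrity protection")
    if "esp-null" in enc:
        warnings.append("esp-null: traffic is not encrypted")
    if "esp-des" in enc:
        warnings.append("esp-des: 56-bit DES; prefer esp-aes")
    for t in transforms:
        if "md5" in t:
            warnings.append(f"{t}: MD5; prefer the SHA variant")
    return errors, warnings


# Constructed sample specifications, as typed after 'crypto ipsec transform-set NAME'.
SAMPLES = [
    ("esp-aes 256 esp-sha-hmac", "tunnel"),
    ("esp-3des", "tunnel"),
    ("esp-des esp-3des esp-md5-hmac", "tunnel"),
    ("ah-sha-hmac esp-aes comp-lzs", "transport"),
]

if __name__ == "__main__":
    for spec, mode in SAMPLES:
        errors, warnings = validate_transform_set(spec, mode)
        print(f"{spec!r} ({mode}): errors={errors} warnings={warnings}")
```

The second sample is the one most often seen in old configurations: esp-3des alone is syntactically valid and encrypts, but with no authentication transform the receiver cannot tell a modified packet from a genuine one.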
Action: Either Permit or Deny. Permit means that packets matching the criteria in this rule are protected by encryption. Deny means that matching packets are sent unencrypted. For more information, see Meanings of the Permit and Deny Keywords.

To delete a rule: select the rule in the rule list, and click Delete. To delete an entry in a rule: select the rule in the rule list, click Edit, then delete the entry in the rule window displayed. To apply a rule: apply it in the interface configuration window.
Chapter 14 Internet Key Exchange

To learn more about IKE: click More About IKE. To enable IKE: click Global Settings, and then click Edit to enable IKE and make other global settings for IKE. You must enable IKE for VPN connections to use IKE negotiations.

Encryption: The type of encryption that should be used to communicate this IKE policy. To work with IKE policies: click the IKE Policy node on the VPN tree. To work with pre-shared keys: click the Pre-Shared Key node on the VPN tree.

To learn more about how the router chooses an IKE policy that the peer can accept: see More About IKE Policies. To add an IKE policy: click Add, and configure a new IKE policy in the Add IKE Policy window. Other tasks in this window: edit an existing IKE policy; remove an IKE policy from the router's configuration.

• AES-128—Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.

Note: If your router does not support group 5, it will not appear in the list.
• Easy VPN servers do not support D-H Group 1.
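How the router picks "an IKE policy that the peer can accept" decides which of the policies in this list actually protects a connection. The following added example (not code from the SDM guide) implements that selection: the initiator offers all of its policies, and the responder walks its own policies in priority order (1 is highest) and takes the first whose encryption, hash, authentication and D-H group equal an offered one and whose lifetime is not longer than the initiator's, the shorter lifetime being used. It also audits a policy list for DES, MD5 and group 1 (including the Easy VPN server restriction noted above). Assumption: the router still carries the IOS default policy of this era, priority 65535 with DES, SHA, RSA signatures, group 1 and an 86400-second lifetime; the policy lists below are constructed for the example.

```python
"""IKE policy negotiation as the guide describes it, plus a weak-setting check.

Added example; not code from the SDM guide. The initiator sends all of its
policies; the responder compares its own policies in priority order (1 is
highest) against every offered policy and takes the first exact match on
encryption, hash, authentication and D-H group whose own lifetime is not
longer than the initiator's (the shorter lifetime is used). The built-in IOS
default policy (priority 65535) is assumed present, which is why an initiator
that offers DES can still match a router whose admin only configured AES.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # 1 = highest, 10000 = lowest configurable
    encryption: str        # des, 3des, aes-128, aes-192, aes-256
    hash: str              # sha, md5
    authentication: str    # pre-share, rsa-sig
    group: int             # Diffie-Hellman group 1, 2 or 5
    lifetime: int          # seconds

    def proposal(self):
        return (self.encryption, self.hash, self.authentication, self.group)


IOS_DEFAULT_POLICY = IkePolicy(65535, "des", "sha", "rsa-sig", 1, 86400)


def negotiate(responder: List[IkePolicy],
              initiator: List[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """Return (responder policy chosen, agreed lifetime), or None if nothing matches."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in initiator:
            if mine.proposal() == theirs.proposal() and mine.lifetime <= theirs.lifetime:
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


def audit(policies: List[IkePolicy], easy_vpn_server: bool = False) -> List[str]:
    """Flag settings a reviewer would question before delivering the configuration."""
    findings = []
    for p in policies:
        tag = f"policy {p.priority}"
        if p.encryption == "des":
            findings.append(f"{tag}: DES is breakable; prefer AES")
        if p.hash == "md5":
            findings.append(f"{tag}: MD5 hash; prefer SHA")
        if p.group == 1:
            note = ", and Easy VPN servers do not support group 1" if easy_vpn_server else ""
            findings.append(f"{tag}: D-H group 1 (768-bit){note}")
        if p == IOS_DEFAULT_POLICY:
            findings.append(f"{tag}: built-in default policy is still active")
    return findings


# Constructed sample: what an admin configured through SDM, plus the default.
RESPONDER = [IkePolicy(10, "aes-128", "sha", "pre-share", 2, 86400), IOS_DEFAULT_POLICY]
# A strict initiator: same algorithms but a shorter lifetime than ours.
INITIATOR_STRICT = [IkePolicy(1, "aes-128", "sha", "pre-share", 2, 28800)]
# An initiator that also offers a DES fallback.
INITIATOR_WITH_DES = INITIATOR_STRICT + [IkePolicy(2, "des", "sha", "rsa-sig", 1, 86400)]

if __name__ == "__main__":
    print("strict initiator:", negotiate(RESPONDER, INITIATOR_STRICT))       # None
    print("with DES fallback:", negotiate(RESPONDER, INITIATOR_WITH_DES))    # default policy
    for finding in audit(RESPONDER, easy_vpn_server=True):
        print("AUDIT:", finding)
```

Two things fall out of running it: a responder whose only configured policy has a longer lifetime than the initiator's matches nothing at all, and a peer that offers DES as a fallback negotiates straight down to the default policy unless that policy has been removed or an explicit policy takes precedence.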
If a pre-shared key is read-only, the read-only icon appears in this column. A pre-shared key will be marked as read-only if it is configured with the no-xauth CLI option. ...Subnet Mask: specifies how much of the peer IP address is used for the...

This field appears if you selected Hostname in the Peer field. Enter the peer's host name. There must be a DNS server on the network capable of resolving the host name to an IP address. To add a pre-shared key: click Add, and add the pre-shared key in the Add a new Pre Shared Key window.

Check this box if site-to-site VPN peers use XAuth to authenticate themselves. If XAuth authentication is enabled in VPN Global Settings, it is enabled for site-to-site peers as well as for Easy VPN connections.
VPN, GRE over IPsec, or Easy VPN client connections. Tunnel Details This box provides the VPN tunnel details. Interface Interface to which the VPN tunnel is configured. OL-4015-08 C H A P T E R Cisco Router and Security Device Manager Version 2.2 User’s Guide 15-53...
Page 338
This box provides a possible action/solution to rectify the problem. Close Button Click this button to close the window. Cisco Router and Security Device Manager Version 2.2 User’s Guide 15-54 The connection is up. The connection is down. Test is successful. Test failed. Chapter 15 VPN Troubleshooting OL-4015-08...
Enter the IP address of the Easy VPN client you want to debug.
Listen for request for X minutes
Enter the time duration for which the Easy VPN Server has to listen for requests from the Easy VPN client.
VPN Troubleshooting: Specify Easy VPN Client
Do this: Click the Start button.
This column lists the type of traffic on the interface.
This column indicates whether logging is enabled for this traffic.
Attributes
Any additional attributes defined.
Click this button to close the window.
VPN Troubleshooting: Generate GRE Traffic
This screen appears if you are generating GRE over IPSec traffic.
This message is displayed because this process can take several minutes and may affect router performance.
To have SDM perform a security audit and then fix the problems it has found:
Step 1 In the left frame, select Security Audit.
Step 2 Click Perform Security Audit.
Step 10 The Summary page of the wizard shows a list of all the configuration changes that Security Audit will make. Click Finish to deliver those changes to your router.
• Set Banner
• Enable Logging
• Set Enable Secret Password
• Disable SNMP
• Set Scheduler Interval
• Set Scheduler Allocate
• Set Users
• Enable Telnet Settings
Internet. By identifying which interfaces are outside interfaces, Security Configuration knows on which interfaces to configure firewall security features.
Interface Column
This column lists each of the router interfaces.
Next> to continue the Security Audit Wizard. The Security Audit will correct the problems
(DoS) attack called “Finger of death,” which involves sending a finger request to a specific computer every minute, but never disconnecting.
Since the services are rarely used, the best policy is usually to disable them on all routers of any description.
Cisco IOS software. As a result, BOOTP can potentially be used by an attacker to download a copy of a router’s Cisco IOS software.
The configuration that will be delivered to the router to disable CDP is as follows:
no cdp run
The configuration that will be delivered to the router to enable time stamps and sequence numbers is as follows:
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
Longer passwords have exponentially more possible combinations of characters, making this method of attack much more difficult.
Because the buffer for incomplete connections is usually smaller than the buffer for completed
The configuration that will be delivered to the router to enable and configure logging is as follows, replacing <log buffer size> and <logging server ip address> with the appropriate values that you enter into Security Audit:
Because SNMP can be used to retrieve a copy of the network routing table, as well as other sensitive network information, Cisco recommends disabling SNMP if your network does not require it. Security Audit will initially request to disable SNMP.
The configuration that will be delivered to the router to set the scheduler allocate percentage is as follows:
scheduler allocate 4000 1000
Security Audit enables NetFlow switching whenever possible. NetFlow switching is a Cisco IOS feature that enhances routing performance while using Access Control Lists (ACLs) and other features that create and enhance network security.
Because it breaks the LAN security barrier, proxy ARP should be used only between two LANs with an equal security level, and only when necessary.
The configuration that will be delivered to the router to disable IP directed broadcasts is as follows:
no ip directed-broadcast
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
ICMP mask reply messages are sent when a network device must know the subnet mask for a particular subnetwork
0
no ip unreachables
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
80 for 443 for Secure Sockets Layer (SSL). It does this by scrutinizing source and
<std-acl-num> permit <inside-network>
access-list <std-acl-num> deny any
In addition, the following configuration will be applied to each vty line:
SDM will perform the following precautionary tasks while enabling AAA to prevent loss of access to the router:
• Disable TCP Small Servers Service
• Disable IP BOOTP Server Service
• Disable IP Identification Service
• Disable CDP
• Disable IP Source Route
• Disable IP Redirects
• Disabling NTP—Based on input, AutoSecure will disable the Network Time Protocol (NTP) if it is not necessary. Otherwise, NTP will be configured with MD5 authentication. SDM does not support disabling NTP.
Disable TCP Small Servers Service
Disable IP BOOTP Server Service
Disable IP Identification Service
Disable CDP
Disable IP Source Route
• SNMP—SDM will disable SNMP, but unlike AutoSecure, it does not
• Router—SDM will enable and configure SSH
access to your router.
Equivalent CLI
no service finger
no mop enabled (under int <all-interfaces>)
no ip unreachables
no ip mask-reply
int null 0
no ip unreachables
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip gratuitous-arps
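As an added example that is not part of the SDM guide, the following Python script audits a saved Cisco IOS running-config for the Security Audit equivalent CLI lines listed above (the sample config, and the assumption that a Null interface only needs no ip unreachables, are constructed for this example):

```python
"""Check a saved Cisco IOS running-config for the hardening lines that SDM
Security Audit delivers (added example, not code from the SDM guide)."""

# Global-configuration lines taken from the Security Audit fixes described above.
GLOBAL_EXPECTED = [
    "no service finger",
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no ip gratuitous-arps",
    "no cdp run",
    "service timestamps debug datetime localtime show-timezone msec",
    "service timestamps log datetime localtime show-timezone msec",
    "scheduler allocate 4000 1000",
]

# Lines Security Audit applies under every interface (int <all-interfaces>).
INTERFACE_EXPECTED = [
    "no ip unreachables",
    "no ip mask-reply",
    "no mop enabled",
    "no ip directed-broadcast",
]

# Assumption of this example: on the Null interface only the unreachables fix applies.
NULL_EXPECTED = ["no ip unreachables"]


def parse_ios_config(text):
    """Split an IOS config into global lines and a dict of interface -> lines.

    Interface sections start with 'interface <name>'; their commands are
    indented by one space and the section ends at '!' or the next
    non-indented line.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' separates config sections
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_ios_config(text):
    """Return the expected hardening lines that are absent from the config."""
    global_lines, interfaces = parse_ios_config(text)
    present = set(global_lines)
    report = {
        "global_missing": [cmd for cmd in GLOBAL_EXPECTED if cmd not in present],
        "interface_missing": {},
    }
    for name, lines in interfaces.items():
        expected = NULL_EXPECTED if name.lower().startswith("null") else INTERFACE_EXPECTED
        have = set(lines)
        report["interface_missing"][name] = [cmd for cmd in expected if cmd not in have]
    return report


# Constructed sample config: one hardened LAN interface, one untouched WAN
# interface, and a Null0 interface with the unreachables fix applied.
SAMPLE_CONFIG = """\
version 12.3
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
no service finger
!
hostname demo-router
!
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
 no ip mask-reply
 no mop enabled
 no ip directed-broadcast
!
interface FastEthernet1
 ip address 198.51.100.1 255.255.255.0
!
interface Null0
 no ip unreachables
!
scheduler allocate 4000 1000
end
"""

if __name__ == "__main__":
    result = audit_ios_config(SAMPLE_CONFIG)
    for cmd in result["global_missing"]:
        print("missing global command:", cmd)
    for name, missing in result["interface_missing"].items():
        for cmd in missing:
            print(f"missing on {name}:", cmd)
```

Note that show running-config does not print settings that are at their IOS default, so a line this script reports as missing may already be in effect; confirm against the actual interface or service state before treating it as a finding.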
Click a user account in the table to select it, and click this button to display the Edit a User Account screen, letting you edit the username and password of the selected account.
Re-enter New Password
Re-enter the new enable secret in this field for verification.
Login Banner
Enter the text banner that you want configured on your router.
A log message severity level is shown as a number from 1 through 7, with lower numbers indicating more severe events. The descriptions of each of the severity levels are as follows:
0 - emergencies – System unusable
1 - alerts –
– Warning conditions
5 - notifications – Normal but significant condition
6 - informational – Informational messages only
7 - debugging – Debugging messages
Optional
This area shows whether a distance metric has been entered, and whether or not the route has been designated as a permanent route.
If no dynamic routes have been configured, this column contains the text RIP, OSPF, and EIGRP. When one or more routes have been configured, this column contains the parameter names for the type of routing configured.
Add or Edit IP Static Route
Use this window to add or edit a static route.
Destination Network
Enter the destination network address information in these fields.
Do this: Select the RIP tab and click Edit. Then, configure the route in the RIP Dynamic Route window.
Check this box to make this static route entry a permanent route. Permanent routes are not deleted even if the interface is shut down or the router is unable to communicate with the next router.
This field is editable when OSPF is first enabled; it is disabled once OSPF routing has been enabled. The process ID identifies the router’s OSPF routing process to other routers.
Click Add to provide an IP address, network mask, and area number in the IP address window.
Edit
Click Edit to edit the IP address, network mask, or area number in the IP address window.
Click Add to add a destination network IP address to the Network list.
Delete
Select an IP address, and click Delete to remove an IP address from the Network list.
(hosts on the Internet). Look at the example diagram that appears to the right when you choose Advanced NAT.
• Any comments entered about the network
If you do not want your servers to accept connections from the Internet, you can use the Basic NAT wizard.
Advanced NAT Wizard: Welcome
The Advanced NAT welcome window shows how the wizard will guide you through configuring NAT for connecting your LANs and servers to the Internet.
The list shows the following information for each network:
• The IP address range allocated to the network
• The network’s LAN interface
The list shows the private IP addresses and ports (if used) and the public IP addresses and ports (if used) to which they are translated.
Click the Show or Hide Advanced button to show or hide advanced options that let you specify more information about the server.
This field appears only if you choose to show advanced options with the Show or Hide Advanced button and you choose Other for server type.
Outside interfaces connect to the
or to the Internet. The designated Inside and Outside interfaces are listed above the NAT rule list.
This is the private address or set of addresses that is used on the LAN.
Translated Address
This is the legal address or range of addresses that is used on the Internet or the external network.
NAT Interface Setting window. Interfaces can also be designated as inside or outside interfaces in the Interfaces and Connections window.
Click Address Pools, and configure address pool information in the dialog box.
Find out how to perform related configuration tasks.
Do this: Click Translation Timeouts, and make settings in the Translation Timeouts window.
Click Add, and create the NAT rule in the Add Address Translation Rule window.
Set the timeout values for various translations in this window.
(TCP) flows should live. The default is 86400 seconds (24 hours).
Reset Button
Clicking this button resets translation and timeout parameters to their default values.
The access lists that specify the traffic to which this route map applies.
To edit a route map entry: Select the entry, click Edit, and edit the entry in the Edit Route Map Entry window.
Pool Name
This field contains the name of the address pool. Use this name to refer to the pool when configuring a dynamic NAT rule.
Clone selected entry on Add, and click Add.
Select the pool entry, click Edit, and edit the pool configuration in the Edit Address Pool window.
Select the pool entry, click Delete, and confirm deletion in the Warning box displayed.
IPSec policy, and traffic will be sent unencrypted. You can view route maps created by SDM or created using the CLI by clicking the View Route Maps button in the NAT window.
• If you are creating a one-to-one mapping between a single address and a single inside global address, enter the inside global address in this field.
If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.
Designate NAT interfaces in the NAT window, and designate the router interfaces as inside or outside. Then return to this window and configure the NAT rule.
If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.
Designate NAT interfaces in the NAT window, and designate the router interfaces as inside or outside. Then return to this window and configure the NAT rule.
Configuration Scenarios
Click Dynamic Address Translation Scenarios for examples that illustrate how the fields in this window are used.
LAN the router serves. This help topic describes how the remaining fields are used when From outside to inside is chosen.
It also provides fields for you to specify the translated address.
Inside Interface(s)
If you choose From outside to inside, this area contains the designated inside interfaces.
• Add or Edit Static Address Translation Rule: Inside to Outside
Each time you add a new address translation rule using these directions, choose the same LAN interface and a new WAN interface. Repeat this procedure for all WAN interfaces that you want to configure with address translation rules.
IPS on an interface and view information about how IPS is applied. If you enable IPS on an interface you can optionally specify which traffic to examine for intrusion.
• The access rule to use to select the type of traffic to examine.
You can specify multiple SDF locations so that if the router is not able to contact the first location, it can attempt to contact other locations until it obtains an SDF.
Use this list to filter the interfaces shown in the interface list area. Select between the following:
• All interfaces—All interfaces on the router.
• IPS interfaces—Interfaces on which IPS has been enabled.
• Negotiated—The interface receives an IP address via negotiation with the remote device.
Click to view the entries of the filter applied to inbound or outbound traffic.
Field Descriptions
Action—Whether the traffic is permitted or denied
Configuration window when the interface with which it is associated is selected. If you need to browse for the access rule or create a new one, click the ... button.
Click the Import Signatures tab to import a Signature Definition File (SDF).
Time Modified
Click Time Modified to order the files and directories based on modification date and time. Clicking Time Modified again will reverse the order.
Fewer button to remove criteria. You are able to view the signatures that match the criteria that you selected in the next screen.
PC. If you save the SDF to the PC as well as to router memory, you have a backup in case there are communications problems between SDM and the router.
belong to a hardcoded engine. It is disabled if the signature uses one of the IOS hardcoded engines.
Note: You can only import signatures from the router if the router has a DOS-based file system.
The severity level of the event. Severity levels are informational, low, medium, and high.
Engine
The engine to which the signature belongs.
Click to restore selected signatures marked for deletion. When clicked, the signatures are unmarked and returned to the list of active signatures.
Status icons: Signature is present in router configuration and enabled. Signature is present in router configuration but not active.
Replace
Choose this option to replace the signatures already configured on the router with the signatures that you are importing.
This is a limiter for firing the alarm only after X times of seeing the signature on the address key.
• SigComment—The comment of the signature.
The following URL is provided as an example of the format. It is not a valid URL to a signature file: https://172.16.122.204/mysigs/vsensor.sdf
To use an SDF in router memory, determine which SDF has been installed, and then configure IPS to use it. The procedures that follow show you how to do this.
Step 3 In the dialog box displayed, click Specify SDF on flash, and enter the name of the SDF file.
Step 4 Click OK to close the dialog box.
Global Settings
Edit Button
Click to edit any of the global settings seen in this window.
Example flash listing (Name/status): c1710-k9o3sy-mz.123-8.T.bin ips.tar attack-drop.sdf home.shtml sdmconfig-1710.cfg home.tar es.tar...
SDF.
Add Button
Click to add a URL to the list.
Edit Button
Click to edit a selected location.
If IPS does not find or fails to load signatures from the specified location(s), it can use the IOS built-in signatures to enable IPS. This option is enabled by default.
Time
The time the message is received.
Explanation: Triggers when an SDF file is loaded successfully from a given location.
BUILTIN_SIGS: %s to load builtin signatures
Explanation: Triggers when the router resorts to loading the builtin signatures
Explanation: IDS has been disabled. The message should indicate the cause.
SYSERROR: Unexpected error (%s) at line %d func %s() file %s
Explanation: Triggers when an unexpected internal system error occurs.
SDM enables you to issue a number of basic commands to the IDS Network Module from this window.
Reload
Click to reload the IDS network module operating system.
• Software Version–The version of IDM software running on the module.
• Model–The model number of the network module.
• Memory–The amount of memory available on the network module.
The IP address you enter will only be seen by the router. Therefore, it can be any address you want to use.
A check mark icon next to the interface name indicates that the IDS network module is monitoring the traffic on that interface.
IP address, and you are not sure that the last address SDM used to contact the network module is still correct.
IDS network module. This IP address can be a private address; no hosts other than the router it is installed in will be able to reach the address.
After you have fixed configuration settings, you can click this button to refresh the checklist. If an X icon remains in the Action column, a configuration setting has still not been made.
This window appears when you try to configure a feature that the Cisco IOS image on your router does not support. If you want to use this feature, obtain a Cisco IOS image from Cisco.com that supports it.
Click the radio button next to the switch module that you want to manage, and then click
Launch QoS Wizard Button
Click to launch the QoS wizard. The QoS wizard allows you to configure QoS policies on your WAN interfaces.
Routing protocols included in this category are egp, bgp, eigrp, and rip. The remaining traffic is given Best-Effort service.
SDM will generate a default QoS policy consisting of pre-defined QoS classes for each traffic type. See more about the contents of this window.
Close—Click the Close button to exit the View QoS Class Details window.
• CLI-Created—The policy was created using the IOS CLI.
Applied to Interface
This column lists the interface to which the QoS policy is applied.
A Business-Critical traffic QoS class might have protocols such as DHCP, EIGRP, and OSPF.
Protocol/Application
This area lists all the default protocols configured for the selected QoS class. You can add or delete protocols.
Note: This field will not appear if you checked the Trust (rely on) DSCP-markings of the packets for traffic classification option under the Interface Selection window.
Delete
Select the port number from the Port Number(s) box and click the Delete button to remove the port number from the Port Number(s) box.
Status window allows you to monitor the performance of the traffic on
• Bandwidth utilization per class under each traffic type
• Bandwidth utilization for protocols under each class
Select the traffic direction and type of statistics you want to monitor.
Direction
Click either Input or Output.
• Incoming and outgoing bytes for each class defined under the traffic type
• Incoming and outgoing bytes for each protocol for each class
SDM displays a message instead of a bar chart if there are not adequate statistics for a particular traffic type.
After you create the NAC policy, you can edit it by clicking Edit NAC and choosing it in the policy list.
3.3 is required. Step 3: Install and configure the posture validation and remediation server.
You can add information for multiple RADIUS servers in one visit to this screen, as long as they are all accessed from the same router interface.
Check this box if you want to use the listed RADIUS server for NAC. The server must have the required admission control policies configured if NAC is to be able to use the server.
As an alternative or a complement to the NAC exception list, this wizard allows you to configure an agentless host policy in another window.
Policy field to choose an existing policy or to display a dialog box in which you can create a new policy.
Enter the name for the policy in this field. Question mark (?) characters and space characters cannot be used in policy names, and the name is limited to 256 characters.
ACS server for this purpose. If the Cisco IOS image does not require this information, these fields do not appear.
FastEthernet0/0. DNS and DHCP services are blocked on Ethernet0/0, and NTP traffic is blocked on FastEthernet0/0.
Interface      Service   ACL             Action
Ethernet0/0    DNS       100 (INBOUND)   [ ] Modify
Ethernet0/0    DHCP      100 (INBOUND)   [ ] Modify
Create NAC wizard, the default NAC policy SDM_ADM_POLICY appears in this list. EAPoUDP Components—This window provides a brief description of the EAPoUDP components that SDM allows you to configure.
This rule permits any host governed by the policy to send IP traffic to the IP address 172.30.2.10.
Access Rule   Source   Destination   Service   Redirect URL              Attributes
nac-rule               172.30.2.10   ip        http://172.30.10/update
Enter the number of seconds that the router is to ignore packets from clients that have just failed authentication (default 180 seconds). Retransmit Timeout Field—Enter the number of seconds the router is to wait before retransmitting EAPoUDP messages to clients (default 3 seconds). Other defaults listed on this page: 36000 seconds and 300 seconds.
You can also click the button to the right of this field and browse for the access rule, or create a new access rule.
How Do I Install and Configure a Posture Agent on a Host? If you are a registered Cisco.com user, you can download Cisco Trust Agent (CTA) software from the following link:
The specific installation procedures required to install third-party posture agent software and the optional remediation server vary depending on the software in use. Consult the vendor documentation for complete details.
Domain—Enter the domain name for your organization. If you do not know the domain name, obtain it from your network administrator.
Reenter the password exactly as you entered it in the New Password field. Date and Time: Clock Properties—Use this window to view and edit the date and time settings on the router.
Synchronize; it does not automatically resynchronize with the PC during subsequent sessions. This button is disabled if you have not checked Synchronize with my local PC clock.
Note: If your router does not support NTP commands, this branch will not appear in the Router Properties tree.
Add or Edit NTP Server Details—Add or edit NTP server information in this window. IP Address—Enter or edit the IP address of an NTP server.
Enter the key used by the NTP server. The key value can use any of the letters A through Z, uppercase or lowercase, and can be no longer than 32 characters. Confirm Key Value—Reenter the key value to confirm accuracy. The key is a shared secret: the same value must be configured on the NTP server, and it should be treated like a password, because anyone who knows it can feed the router false time.
Delete—Click to delete a selected NTP server configuration. Add an NTP Server—Enter the IP address of an NTP server in this window.
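What the NTP key above is used for, worked through in Python. NTP symmetric-key authentication (RFC 5905, Appendix A) appends a key identifier and an MD5 digest of the key followed by the 48-byte header to each packet; the key itself never leaves the router or the server. This is an added example written for this edit, not SDM or IOS code; the client packet, the key id, the key value and the trusted-key table are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Added example (not SDM or IOS code). The packet and key are constructed.

HEADER_LEN = 48
MAC_LEN = 4 + 16          # key id + MD5 digest


def build_client_packet(transmit_seconds: int) -> bytes:
    """Minimal NTPv4 client header: LI=0, VN=4, mode=3, poll 6, precision -20,
    every timestamp zero except the seconds part of the transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    fields = [0] * 11                       # root delay .. transmit timestamp
    fields[9] = transmit_seconds            # transmit timestamp, seconds part
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20, *fields)


def ntp_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Key id followed by MD5(key || header), as the symmetric-key scheme defines."""
    digest = hashlib.md5(key + header[:HEADER_LEN]).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    return header + ntp_mac(header, key_id, key)


def verify(packet: bytes, trusted_keys: Dict[int, bytes]) -> bool:
    """Receiver side: the key id must be one the router trusts (the IOS
    'ntp trusted-key' notion) and the digest must match. The comparison is
    constant-time so a wrong MAC cannot be distinguished byte by byte."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    pkt = authenticate(build_client_packet(3900000000), 1, b"SdmExampleKey")
    print(len(pkt), verify(pkt, {1: b"SdmExampleKey"}))   # 68 True
```

The construction is a keyed digest, not an HMAC, which is why the key length and value matter: MD5 is the only algorithm this generation of IOS offers for NTP, so the key's secrecy is the whole defence.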
SNMP—This page lets you enable SNMP, set SNMP community strings, and enter SNMP trap manager information. Community strings are the only credential in SNMPv1 and SNMPv2c and travel in cleartext, so use a read-only string wherever possible, avoid defaults such as public, and restrict which managers may use each string.
This is a text field that you can use to enter contact information for the person managing the SNMP server. It is not a configuration parameter that affects the operation of the router.
SDM features available to be monitored depend on the commands present in the view. Not all features may be available for monitoring by the user.
Encrypt password using MD5 hash algorithm—Check this box if you want the password stored as a one-way Message Digest 5 (MD5) hash rather than in a recoverable form. A hashed password cannot be read back from the configuration, which gives much stronger protection than a reversibly encoded one.
The user is able to create Easy VPN Remote connections and edit them. User interface components in other areas are disabled for this user.
• Outbound Access-class—The name or number of the access rule applied to the outbound direction of the line range.
• ACL—If configured, shows the access list associated with the vty connections.
Select the output protocols by clicking the appropriate check boxes. Telnet—Check this check box to enable Telnet access to your router. Telnet carries logins and commands in cleartext; where the IOS image supports SSH, leave Telnet unchecked and allow SSH only.
In the policy, you can specify which protocols the host or network in the policy can use, and which router interface will carry the management traffic.
Click to add a management policy, and specify the policy in the Add a Management Policy window.
Select the interface through which you want to allow management traffic. The interface should be the most direct route from the host or network to the local router.
“any.” Such policies cannot be edited in the Management Access window. A policy containing the “any” keyword
Click No to proceed without adding a policy for the current host or network. You will lose contact with the router during command delivery, and you will have to log on to SDM using a different host or network.
Click this button to generate a crypto key for the router using the modulus size you entered. If the crypto key has already been generated, this button is disabled.
• Import All—Whether the router imports DHCP option parameters to the DHCP server database and also sends this information to DHCP clients on the LAN when they request IP addresses.
Enter the network from which the IP addresses in the pool will be taken. For example, 192.168.233.0. This cannot be the IP address of an individual host.
IP address from the available DHCP pools. You can also add new bindings, edit existing bindings, or delete existing bindings. Binding Name—The name assigned to the DHCP binding.
Click to delete the specified manual DHCP binding. Add or Edit DHCP Binding—This window allows you to add or edit manual DHCP bindings.
Enter a name to identify the client. The name should be a hostname only, not a domain-style name. For example, router is an acceptable name, but router.cisco.com is not.
CLI to change the internal cache or host group options to HTTP or IETF. Add Button—Click the Add button to create a new dynamic DNS method.
If using HTTP, enter a username for accessing the DNS service provider. Password—If using HTTP, enter a password for accessing the DNS service provider.
IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface’s IP address. If using IETF, configure a DNS server for the router in Configure > Additional Tasks > DNS.
A type of rule. One of the following:
• Access Rules—Rules that govern the traffic that can enter and leave the network.
• NAT Rules
• IPSec Rules—IPSec rules that specify which traffic is to be protected.
These rules are predefined rules that are used by SDM wizards and that you can apply in the Additional Tasks > ACL Editor windows. Useful Procedures for Access Rules and Firewalls—This section contains step-by-step procedures.
Access Rules window—Access rules most commonly define the traffic that you want to permit or deny entry to your LAN or exit from your LAN, but they can be used for other purposes as well.
If the rule is read only, the read-only icon will appear in this column.
The source or destination can be given as:
• The keyword any—indicates that the source IP address can be any IP address.
• A host name.
• An IP address and wildcard mask—the IP address specifies a network, and the wildcard mask specifies the parts of the network address that must be matched.
Action: Permit traffic, or Deny traffic.
To add a rule, click the Add button and create the rule in the windows displayed. To edit a rule, select the access rule and click Edit, then edit the rule in the Edit rule window displayed. How Do I Associate a Rule with an Interface?
Description—You can provide a description of the rule in this field. The description must be less than 100 characters long. To delete a rule, select the access rule and click Delete. SDM does not permit you to delete a rule that has been associated with an interface.
Note: Click the Associate button to apply the rule to an interface. The Associate button is enabled only if you are adding a rule from the Access Rules window.
You can use this window to associate a rule you have created from the Access Rules window with an interface and to specify whether it applies to outbound traffic or inbound traffic. Do this: Click Add, and create the entry in the window displayed. Or click Edit, and change the entry in the window displayed.
You can create a single rule entry in this window, but you can return to this window to create additional entries for a rule if you need to. Do this: Click No. The association between the existing rule and the interface is preserved, and the rule that you created in the Add a Rule window is saved.
Action—The choices are Permit and Deny. If you are creating an entry for an IPSec rule, the choices are protect the traffic and don’t protect the traffic. See Meanings of the Permit and Deny Keywords to learn more about the action of Permit and the action of Deny. Enter the IP address in this field, and use the wildcard mask to specify the parts of the network address that must be matched.
Destination Port—Available when either TCP or UDP is selected. Setting this field causes the router to filter on the destination port in a packet.
Select a Rule—Use this window to select a rule to use. Click the link to see a table containing the available port names and numbers.
For these rules the source and destination take the same forms as for access rules: the keyword any, a host name, or an IP address and wildcard mask, where the IP address specifies a network and the wildcard mask the parts of the address that must match. The service specifies the type of traffic that matching packets carry.
Clicking the Edit button lets you make changes to user-defined entries. Entries with the value System Defined in the Protocol Type column cannot be edited or deleted.
If you want to view the ACL that identifies the host, go to Additional Tasks > ACL Editor > Access Rules. Then click the number of the ACL that you saw in this window.
Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic, you can enter multiple port
Specify the IP address of the host to which this port mapping is to apply. If you need the same mapping for another host, create a separate PAM entry for that host.
This window provides a summary view of the AAA configuration on the router. To view more detailed information or to edit the AAA configuration, click the appropriate node in the AAA tree.
Policies node in the AAA tree. AAA Servers and Groups—This window provides a description of AAA servers and AAA server groups.
The IP address of the AAA server. Type—The type of server, TACACS+ or RADIUS. Parameters—This column lists the timeout, key, and other parameters for each server.
If you do not enter a value, the router uses the value configured in the AAA Servers Global Settings window. New Key/Confirm Key—Enter the key and reenter it for confirmation.
You can specify communication settings that apply to all communication between the router and AAA servers in this window. Settings made for a specific server override the settings made in this window.
Group Name—The name of the server group. Server group names allow you to use a single name to reference multiple servers.
You can review and manage these method lists from these windows. Add, Edit, and Delete Buttons—Use these buttons to create, edit, and remove method lists.
The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. The router moves to the next method only when the previous one returns an error (for example, no server replied), not when it rejects the user.
Name/Specify—Select the name Default in the Name list, or select User Defined and enter a method list name in the Specify field.
This is an IOS restriction: IOS will not accept any method name after the method name "none" has been added to a method list. Because none means no authentication, a list that ends in none lets anyone in whenever every earlier method fails to answer, so use it only where that fallback is acceptable.
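How a method list is walked, including the "none" restriction just described, worked through in Python. Each method answers PASS, FAIL or ERROR; the walk continues only on ERROR (the method could not answer), never on FAIL (a definite reject). This is an added example written for this edit, not SDM or IOS code; the three backends, the method names and the user credentials are constructed stand-ins.

```python
from typing import Callable, Dict, List

# Added example (not SDM or IOS code). Backends below are constructed.

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Backend = Callable[[str, str], str]


def validate_method_list(methods: List[str]) -> None:
    """The IOS restriction quoted above: nothing may follow 'none'."""
    if "none" in methods and methods.index("none") != len(methods) - 1:
        raise ValueError('no method may follow "none" in a method list')


def authenticate(methods: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> str:
    """Walk the list in order. A PASS or FAIL from any method is final;
    only ERROR (method could not decide) falls through to the next one."""
    validate_method_list(methods)
    for method in methods:
        if method == "none":
            return PASS                  # no authentication at all
        result = backends[method](user, password)
        if result != ERROR:
            return result                # PASS or FAIL ends the walk
    return FAIL                          # every method errored, no fallback


# Constructed backends (assumptions for the example)
def radius_reachable(user: str, password: str) -> str:
    return PASS if (user, password) == ("admin", "radius-pw") else FAIL


def radius_unreachable(user: str, password: str) -> str:
    return ERROR                          # simulates every server timing out


def local_database(user: str, password: str) -> str:
    return PASS if (user, password) == ("admin", "local-pw") else FAIL


if __name__ == "__main__":
    servers_down = {"group radius": radius_unreachable, "local": local_database}
    servers_up = {"group radius": radius_reachable, "local": local_database}
    print(authenticate(["group radius", "local"], servers_down, "admin", "local-pw"))  # PASS
    print(authenticate(["group radius", "local"], servers_up, "admin", "local-pw"))    # FAIL
    print(authenticate(["group radius", "none"], servers_down, "anyone", "x"))         # PASS
```

The second call is the one operators get wrong: with RADIUS reachable, the local password is never consulted, because a reject is final. The third shows why a trailing none is dangerous: once the servers stop answering, any credentials succeed.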
Step 4: If you want to preview the file, click Preview File to display the contents of the file in the details pane.
Step 5: Click OK to load the chosen file. (Router Provisioning from USB)
Possible prerequisite tasks are the following:
• SSH credentials not verified—SDM requires you to provide your SSH credentials before beginning.
Certificates wizard to generate a request, and then to reinvoke it when you have obtained the certificates for the CA server and for the router.
Certificate Authority (CA) Information—Provide information to identify the CA server in this window. Also specify a challenge password that will be sent along with the request.
This password is also referred to as a challenge password.
Note: If the Cisco IOS image running on the router does not support this feature, this box is disabled. FQDN—If you enabled this field, enter the router’s FQDN in this field. An example of an FQDN is sjrtr.mycompany.net.
Enter the Organizational Unit, or department name, to use for this certificate. Organization (o)—Enter the organization or company name. This is the X.500 organizational name.
64. If you want a value higher than 1024, you can enter 1536 or 2048. If you enter a value greater than 512, key generation may take a minute or longer. RSA keys of 512 and 1024 bits are no longer considered adequate; choose 2048 where the IOS image and the CA accept it.
After the commands are delivered to the router, SDM attempts to contact the CA server. If the CA server is contacted, SDM displays a message window with the server’s digital certificate. Before accepting it, compare its fingerprint with the value obtained from the CA administrator out of band; a CA certificate accepted unverified means anyone who intercepted the enrollment could issue certificates the router will trust.
Enrollment Task—Specify whether you are beginning a new enrollment or you are resuming an enrollment with an enrollment request that you saved to the PC.
PC. Select CA server nickname (trustpoint)—Select the trustpoint associated with the enrollment you are completing.
If you have the CA server certificate on your hard disk, you can browse for it and import it to your router in this window. You can also copy and paste the certificate text into the text area of this window.
The Trustpoints list displays only the name, enrollment URL, and enrollment type for a trustpoint. Click to view all the information for the selected trustpoint.
This area shows details about the certificates associated with the selected trustpoint. Details Button—Click to view the selected certificate. See Revocation Check, CRL Only, and Digital Certificates for more information.
This window displays all the information provided to create the trustpoint. Certificate Details—This window displays trustpoint details that are not displayed in the Certificates window.
Specify how the router is to check whether a certificate has been revoked in this window. Verification—One of the following:
• None—Do not check revocation status. Revoked certificates are still accepted, so use this only for testing.
• CRL—Check the Certificate Revocation List (CRL) distribution point embedded in the certificate.
If this column contains a checkmark, the key can be exported to another router if it becomes necessary for that router to assume the role of the local router.
Check if you want the key to be exportable. An exportable key pair can be sent to a remote router if it is necessary for that router to take over the functions of the local router. An exportable private key can equally be copied off the router by anyone with privileged access, so leave this unchecked unless you need that failover capability.
Displays the name used to log in to the USB token. User PIN—Displays the PIN used to log in to the USB token.
USB token is connected. For example, a USB token connected to USB port 0 is named usbtoken0. If you are editing a USB token login, the Token Name field cannot be changed.
The file extension must be .cfg. If SDM can log in to the USB token, it merges the specified configuration file with the router’s running configuration.
Firewall permits HTTP or HTTPS traffic from the PC from which the SDM/SDP application is invoked. For more information about SDP, refer to the following web page: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008028afbd.html#wp1043332 (SDP Troubleshooting Tips)
ACEs for revocation traffic such as CRL traffic and OCSP traffic. You must explicitly add passthrough ACEs for this traffic using the Edit Firewall Policy/ACL window.
CA traffic to reach the router. This entry is not added unless you check Modify in the Open Firewall window and complete the wizard.
IP address, depending on the type of router that you have. Use the following table to determine the type of address to give the PC.
Automatically to obtain a dynamic IP address. For a static IP address, click
Routers Needing Static Addresses:
• Cisco 1721, 1751, and 1760
• Cisco 1841
• Cisco 2600XM and 2691
• Cisco 28xx, 36xx, 37xx, and 38xx
IP address back to 10.10.10.1. The next time you log on to the router with your browser, enter the IP address 10.10.10.1 in the browser’s location field.
Cisco IOS image that does not support the feature, or because SDM is being run on a PC and cannot support the feature.
4 octets, which are displayed in decimal, separated by periods or "dots," for example, 172.16.122.204. The decimal address 172.16.122.204 represents the binary IP address shown in the following figure (10101100.00010000.01111010.11001100).
Note that the bits field on the right is empty, indicating that an invalid value has been entered in the Subnet Mask field.
• Any IP address—The action you specified is to apply to any host or network.
• 172.16.1.1 to 172.16.1.254 (assuming the LAN IP address is in the 172.16.1.0 subnet). SDM configures the router to automatically exclude the LAN interface IP address from the pool.
• An ADSL interface
• A G.SHDSL interface
• A tunnel or loopback for either of
Meaning of Deny:
Rule type     Meaning of Deny
Access rule   Drop matching traffic.
NAT rule      Do not translate the inside local or outside local address.
IPSec rule    Do not protect matching traffic; it is sent unencrypted.
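The rule-entry semantics described in the ACL Editor section (the any keyword, host addresses, an IP address plus wildcard mask, sequential permit/deny evaluation with the implicit deny at the end of every IOS access list) and the subnet-mask validity check behind the empty bits field above, worked through in Python. This is an added example written for this edit, not SDM code or output; the Ace model, the three-entry sample ACL and the addresses in it (apart from 172.30.2.10, which is taken from the nac-rule example) are illustrative assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not SDM code). Address specs use IOS syntax:
# "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard mask).


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ip_int(wildcard) ^ 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(network) & care)


def wildcard_from_mask(subnet_mask: str) -> str:
    """SDM accepts a subnet mask; the IOS access list wants its bitwise inverse."""
    return str(ipaddress.IPv4Address(ip_int(subnet_mask) ^ 0xFFFFFFFF))


def is_valid_subnet_mask(mask: str) -> bool:
    """A mask is valid only if its 1 bits are contiguous from the left,
    which is what SDM's empty bits field is reporting when it is not."""
    inv = ip_int(mask) ^ 0xFFFFFFFF        # a valid mask inverts to 2**k - 1
    return (inv & (inv + 1)) == 0


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: str                     # "any" | "host x.x.x.x" | "x.x.x.x wildcard"
    proto: str = "ip"            # "ip" matches every protocol
    dst: str = "any"
    dport: Optional[int] = None  # only meaningful for tcp/udp entries


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    return wildcard_match(addr, parts[0], parts[1])


def evaluate(acl: List[Ace], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """First matching entry wins; no match means deny (IOS implicit deny)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_match(ace.src, src) or not _addr_match(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed ACL (assumption): the first entry mirrors the nac-rule (any host
# may reach 172.30.2.10), the second blocks DNS from a LAN, the third permits
# the rest of that LAN's traffic.
SAMPLE_ACL = [
    Ace("permit", "any", "ip", "host 172.30.2.10"),
    Ace("deny", "10.12.12.0 0.0.0.255", "udp", "any", 53),
    Ace("permit", "10.12.12.0 0.0.0.255"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "10.12.12.3", "172.30.2.10", "udp", 53))  # permit
    print(evaluate(SAMPLE_ACL, "10.12.12.3", "192.0.2.1", "udp", 53))     # deny
    print(evaluate(SAMPLE_ACL, "10.12.13.9", "192.0.2.1"))                # deny
    print(wildcard_from_mask("255.255.255.0"), is_valid_subnet_mask("255.255.0.255"))
```

The first evaluation shows why entry order matters: DNS to 172.30.2.10 is permitted by the earlier, broader entry before the deny is ever reached, which is the same reasoning you apply when reading an SDM rule list from the top.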
TCP/UDP services:
• bgp (179)—Border Gateway Protocol. BGP exchanges reachability information with other systems that use the BGP protocol.
• chargen (19)—Character generator.
• cmd (514)—Remote commands. Similar to exec except that cmd has automatic authentication.
• daytime (13)—Daytime.
• discard (9)—Discard.
• domain (53)—Domain Name Service.
• See echo.
• isakmp (500)—Internet Security Association and Key Management Protocol.
• mobile-ip (434)—Mobile IP registration.
• nameserver (42)—IEN116 name service (obsolete).
• netbios-dgm (138)—NetBIOS datagram service. Network Basic Input Output System: an API used by applications to request services from lower-level network processes.
• xdmcp (177)—X Display Manager Control Protocol, used between X displays (clients) and X Display Managers.
• non500-isakmp (4500)—Internet Security Association and Key Management Protocol on UDP port 4500. This keyword is used when NAT-traversal port floating is required.
ICMP message types:
• time-exceeded—Sent to indicate that a received packet’s time-to-live field has reached zero.
• timestamp-reply—Reply to a request for a timestamp to be used for synchronization between two devices.
• timestamp-request—Request for a timestamp to be used for synchronization between two devices.
• traceroute—Message sent in reply to a host that has issued a traceroute request.
• unreachable—Destination unreachable. The packet cannot be delivered for reasons other than congestion.
IP protocols (keyword and protocol number):
• ahp (51)
• eigrp (88)
• icmp (1)
• igmp (2)
• ipinip (4)
• ospf (89)
Application protocols:
• sip (5060)—Session Initiation Protocol. SIP is a telephony protocol used to integrate telephony services and data services.
• skinny (2000)—A telephony protocol enabling telephony clients to be H.323 compliant.
• See smtp.
• sqlnet (1521)—Protocol for network-enabled databases.
• streamworks (1558)—StreamWorks protocol. Streaming video protocol.
The source address 10.12.12.3 is translated to the address 172.17.4.8 in packets leaving the router. If this is the only NAT rule for this network, 10.12.12.3 is the only address on the network that gets translated. OL-4015-08 Description See tcp.
Page 578
Cisco Router and Security Device Manager Version 2.2 User’s Guide 30-14 Translate to Interface Fields Net Mask IP Address 255.255.255.0 172.17.4.8 (host) Translate to... fields Net Mask IP Address Leave blank 172.17.4.8 Chapter 30 More About... Redirect Port Leave unchecked. Redirect Port Original Port 137 Translated Port 139 OL-4015-08...
Page 579
The port number in the Redirect port field is changed from 137 to 139. Return traffic carrying the destination address 172.17.4.8 & port 139 is routed to port number 137 of the host with the IP address 10.12.12.3. OL-4015-08 Translate to... fields Net Mask...
172.17.4.8. PAT would be used to distinguish traffic associated with different hosts. Translate to... fields: Type Interface; Interface FastEthernet0/; Address Pool Disabled.
Reasons that SDM Cannot Edit a NAT Rule
A previously configured when a NAT static rule is configured with any of the following:
• The inside source static and destination Cisco IOS commands
IP Address fields: 172.16.131.2, 172.16.131.10. Translate to... fields Type...
The following links provide TAC resources and other information on VPN issues.
• How Virtual Private Networks Work
• Dynamic Multipoint IPSec VPNs
• TAC-authored articles on IPSec
• TAC-authored articles on SDM
A crypto map can specify more than one peer for a connection. This may be done to provide redundancy. The following diagram shows the same interface and policy, but crypto map CM-3 specifies two peers: Topeka and Lawrence. (Diagram: Policy 5)
Page 584
Topeka and Lawrence as one connection for both interfaces. (Diagram: Policy 5; peers Seattle, Chicago, Topeka, Lawrence)
• Key Exchange Algorithm. This is a mathematical technique for securely exchanging cryptographic keys over a public medium (that is, Diffie-Hellman). The keys are used in the encryption and packet-signature algorithms.
If the lifetimes are not identical, the shorter lifetime, from the remote peer’s policy, will be used. Encryption Algorithm: DES, 3DES, or AES. Packet Signature Algorithm: MD5 or SHA-1.
ESP with the 168-bit DES encryption algorithm (3DES or Triple DES). esp-null: Null encryption algorithm. esp-seal: ESP with the 160-bit encryption key Software Encryption Algorithm (SEAL) encryption algorithm. ... or ESP) plus the algorithm that you ... Authentication Transform, IP Compression Transform...
• The interface is part of a SERIAL_CSUDSU_56K WIC.
• The interface is part of a Sync/Async WIC configured with the physical-layer async command.
Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only
• ... with the dialer pool-member command.
• If the IP Address is not configured on the PVC in the protocol ip command.
• If the LAN interface has been configured as a DHCP server, and has been configured with an IP-helper address. ... is required (which is determined dynamically from the Cisco IOS ...
Reasons Why an ISDN BRI Interface Configuration May Be Read-Only
– The default route through the primary interface is removed
– The backup interface default route is not configured
– ip local policy is removed
– track /rtr or both is not configured...
– The SDM-supported interfaces are configured with unsupported configurations
– The primary interfaces are not supported by SDM
– The default route through the primary interface is removed
– The backup interface default route is not configured
– ip local policy is removed
• Examining Originating Traffic: From: Serial 1/0; To: Ethernet 1/0
• Allowing www Traffic to DMZ
– track /rtr or both is not configured
– route-map is removed
– Access-list is removed or access-list is modified (for example, tracking ip address is modified)
Page 594
Examining Returning Traffic: From Interface Ethernet 0/0; To Interface Serial 1/0. Clicking the Returning traffic button displays the access rule for inbound traffic on Serial 1/0.
Page 595
Swap From and To interfaces from the View Options menu, and select Fast Ethernet 1/0 in the To interface list. Doing so makes Serial 1/0 the From interface and Fast Ethernet 1/0 the To interface.
If you are configuring a spoke, you must obtain the correct information about the hub before you begin.
Page 597
You can examine supported interfaces in Interfaces and Connections to determine if a dialup connection, such as an ISDN or Async connection, has been configured for the physical interface you selected.
A number of white papers are available that describe how SDM can be used. These white papers are available at the following link. http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/appnote/index.h
SDM also features a Monitor mode, which enables you to observe router performance and gather statistics associated with configurations that you have made on the router.
To determine which Cisco IOS versions SDM supports, go to the following URL: http://www.cisco.com/go/sdm Click the Technical Documentation link, and then click Release Notes. Chapter 31 Getting Started
Tasks>Router Properties>Logging window. In addition, individual rules may need configuration so that they generate log events. For more information, see the help topic How Do I View Activity on My Firewall?
From the toolbar, click Monitor, and then in the left frame, click Firewall Status. From the toolbar, click Monitor, and then in the left frame, click VPN Status. Then select the tab for IPSec Tunnels, DMVPN Tunnels, Easy VPN Servers, or IKE SAs. ... click Logging.
Page 603
The total number of disabled (down) interfaces on the router. Interface: The interface name. IP Address: The IP address of the interface. Status: The status of the interface, either Up or Down.
Page 604
... HTTP, HTTPS, ping, and others) rejected by the firewall. ... rule that rejected the connection attempt must be configured to ... create Security Associations (SAs) ... connections currently ... IPSec Virtual Private Network (VPN) connections currently ... Chapter 32 Viewing Router Information
Page 605
The number of log entries stored that have a severity level of 3 or 4. These messages may indicate a problem with your network, but they do not likely require immediate attention.
These data items are as follows:
• Packet Input—The number of packets received on the interface.
• Packet Output—The number of packets sent by the interface.
Page 607
It has the following options. Note: The polling frequencies listed are approximations and may differ slightly from the listed times.
The statistics corresponding to the selection made in this field will appear in the field below. You can select one of the following VPN categories: ... connections that are active on the ...
Page 609
• Decapsulation Packets column: The number of packets decapsulated over the IPSec VPN connection.
• Send Error Packets column: ...
Up—The tunnel is active. Down—The tunnel is inactive due to an error or hardware failure.
Page 610
The time and date when the tunnel registration expires and the DMVPN tunnel will be shut down.
• Status column: The status of the DMVPN tunnel.
• Reset button: ...
Page 611
• Maximum connections allowed for this group
• Maximum logins per user
Client Connections in this Group: This area shows the following information about the selected group.
Page 612
MM_NO_STATE—The Internet Security Association and Key Management Protocol (ISAKMP) SA has been created but nothing else has happened yet. MM_SA_SETUP—The peers have agreed on parameters for the ISAKMP SA.
Firewall Log: Whether or not the router is configured to maintain a log of connection attempts allowed and denied by the firewall. MM_KEY_EXCH—The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
The following is example log text for instant messaging applications:
NAC sessions being initialized, and a button that allows you to clear all active and initializing NAC sessions. The window lists the router interfaces with associated NAC policies. FastEthernet0/0 10.10.15.1/255.255.255.0
Page 616
• Infected—The host is infected with a known virus. The user is redirected to a remediation site to obtain virus definition file updates.
• Unknown—The host’s posture is unknown.
Displays all messages with the severity level specified in the Select a Logging Level to View field. Log events contain the following information: • Severity Column
It also shows the size of each file in bytes, and the date and time each file and directory was last modified. Chapter 33 File Menu Commands
Page 623
USB flash device connected to that router. Copy Button: Choose a file from the right side of the window and click the Copy button to copy the file.
Enter the new filename in the New Name field. The path to the location of the file is displayed above the New Name field.
Step 1 Ensure that the router will not lose power. If the router loses power after an erase flash: operation, there will be no Cisco IOS image in memory. ... Flash, Flash memory, and you will lose your connection to the ...
Page 626
Step 5 From the PC, log on to the router using Telnet, and enter Enable mode. ... server to which you can save files and copy them over to the ...
Page 627
SDM session. Now that an erase flash: has been performed on the router, you will be able to execute the squeeze flash command when necessary.
Page 628
This is the SDM default behavior. Select this option if you would like SDM to display a dialog box asking for confirmation when you exit SDM.
Page 630
Monitor mode and perform other tasks in SDM, select this check box and specify the maximum number of interfaces you want SDM to monitor. The default maximum number of interfaces to monitor is 4.
Interfaces and Connections, Firewalls and ACLs, VPNs, Routing, and other tasks. Monitor: Displays the SDM Monitor window, which lets you view statistics about your router and network.
For more information about the rules, see the option descriptions that follow. Chapter 35 View Menu Commands
SDM displays a message window telling you that if you refresh, you will lose undelivered commands. If you want to deliver the commands, click No in this window, and then click Deliver on the SDM toolbar.
Page 634
... Cisco IOS command-line interface (CLI) using the ... Security Audit: Displays the SDM Security Audit screen. See ... information. ... Generate Mirror... for information on how to use the Ping ...
Enter a new PIN for the USB token. The existing PIN will be replaced by the new PIN. The new PIN must be at least 4 digits long. Confirm PIN: Reenter the new PIN to confirm it. Chapter 36 Tools Menu Commands
To update SDM from the PC you are using to run SDM, follow these steps: Step 1 Download the file sdm-vnn.zip from the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
Page 638
If there is more than one SDM .zip file, obtain the copy with the highest version number. Step 2 Use the update wizard to copy the SDM files from your PC to the router.
Page 639
Step 3 SDM will enable you to locate the file SDM-Updates.xml on the CD. When you locate the file, click Open. Step 4 Follow the instructions in the installation wizard.
Page 640
About this router... Displays hardware and software information about the router on which SDM is running.
About SDM Displays version information about SDM.
Page 642
Chapter 37 Help Menu Commands
Page 643
Glossary
Cisco Secure Access Control Server. Software running on a RADIUS server used to store policy databases used in a to the network.
Page 644
(called a MAC address) to its IP address. Adaptive Security Algorithm. Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application. ... address, NAT, PAT, Static PAT.
Page 645
Sometimes referred to as a notary or a certifying authority. Within a given CA’s domain, each device needs only its own certificate and the CA’s public key to authenticate every other device in that domain.
Page 646
(PKIX) of the IETF is working to standardize a protocol for these functions, either CRS or an equivalent. When an IETF standard is stable, Cisco will add support for it. CEP was jointly developed by Cisco Systems and VeriSign, Inc. digital certificate: An X.509 certificate contains within it information regarding the identity of...
Page 647
comp-lzs: An IP compression algorithm. Configuration, Config, Config File: The file on the router that holds the settings, preferences, and properties you can administer using SDM.
Page 648
default gateway: The gateway of last resort. The gateway to which a packet is routed when its destination address does not match any entries in the routing table. ... analysis. traffic flow ...
Page 649
DLCI: In Frame Relay connections, the identifier for a particular data link connection between two endpoints. Oakley key exchange. Cisco IOS software supports 768-bit and ...
Page 650
Also called digital signature algorithm (DSA), the DSS algorithm is part of many public-key standards for cryptographic signatures. dynamic routing: Routing that adjusts automatically to network topology or traffic changes. Also called adaptive routing.
Page 651
ECHO ... EIGRP: Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco Systems. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols. encapsulation: Wrapping of data in a particular protocol header. For example, Ethernet data is wrapped in a specific Ethernet header before network transit.
Page 652
Cisco IP phones. ... implementation, a list of hosts with static addresses that are allowed ... posture agents installed, or because they are hosts such ...
Page 653
X.25, the protocol for which it is generally considered a replacement. File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts.
Page 654
HDLC: High-Level Data Link Control. Bit-oriented synchronous data link layer protocol developed by the International Standards Organization (ISO). HDLC specifies a data encapsulation method on synchronous serial links using frame characters and checksums.
Page 655
When it finds unauthorized activity or anomalies, it can terminate the condition, block traffic from attacking hosts, and send alerts to the IDM. ... network, a hub is a router with a point-to-point ...
Page 656
... inspection rule allows the router to inspect specified outgoing traffic ...
Page 657
4 decimal numbers separated by periods or “dots.” The part of the address used to specify the network number, the subnetwork number, and the host number is specified by the ... which uses and Internet protocols, such as SNMP, UDP.
Page 658
key management: The creation, distribution, authentication, and storage of encryption keys. ... crypto map associated with a VPN ...
Page 659
(by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. The local subnet is the subnet associated with your end of a transmission.
Page 660
Binary: 11111111 11111111 11111111 11111000. The first 29 bits provide the network and subnetwork address, and the last 3 provide the host address. See also Address, TCP/IP, host, host/network.
Page 661
See also ACL, posture, and EAPoUDP.
Page 662
255.255.248 has 17 network bits. network module: A network interface card that is installed in the router chassis to add functionality to the router. Examples are Ethernet network modules, and ... network modules.
Page 663
OSPF: Open Shortest Path First. Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing. ... protocol.
Page 664
... address. With PAT enabled, the router chooses a ...
Page 665
PPPoE: PPPoE enables hosts on an Ethernet network to connect to remote hosts through a broadband modem. ... request sent between hosts to determine whether a host is accessible ... implementation, the condition of a host attempting access to the ...
Page 666
pseudo random: An ordered sequence of bits that appears superficially similar to a truly random sequence of the same bits. A key generated from a pseudo random number is called a nonce.
Page 667
Protocol that allows users to copy files to and from a file system residing on a remote host or server on the network. The rcp protocol uses TCP to ensure the reliable delivery of data.
Page 668
root CA: Ultimate certification authority (CA), which signs the certificates of the subordinate CAs. The root CA has a self-signed certificate that contains its own public key. route: A path through an internetwork.
Page 669
rule: Information added to the configuration to define your security policy in the form of conditional statements that instruct the router how to react to a particular situation. ... Getting Started for more information.
Page 670
session key: A key that is used only once. Some encryption systems use the Secure Hashing Algorithm to generate digital signatures, as an alternative to MD5.
Page 671
Layer 2 keepalives during periods of queue congestion. spoke: In a DMVPN network, a spoke router is a logical end point in the network, and has a point-to-point IPSec connection with a DMVPN router.
Page 672
See also PAT. static route: Route that is explicitly configured and entered into the routing table. Static routes take precedence over routes chosen by dynamic routing protocols.
Page 673
TFTP: Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP and is explained in depth in Request For Comments (RFC) 1350.
Page 674
A virtual path may carry multiple virtual channels corresponding to individual connections. The VCI identifies the channel being used. The combination of VPI and VCI identifies an ATM connection.
Page 675
VPN connection: A site-to-site VPN. A site-to-site VPN consists of a set of VPN connections between peers, in which the defining attributes of each connection include the following device configuration information:
- A connection name
- Optionally, an IKE policy and pre-shared key
- An IPSec peer...
Page 676
10.28.88.0 would match the IP address in the rule, and the IP address 10.28.15.55 would not match. WINS: Windows Internet Naming Service. A Windows system that determines the IP address associated with a particular network computer.
Page 677
IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur. Xauth is an extension to IKE, and does not replace IKE authentication.
Page 678
Page 680
IP address Dynamic Multipoint VPN dynamic routing protocol configuring Easy VPN auto tunnel control Client Mode configuring a backup Digital certificates editing existing connection group key group name interfaces 5, 22 82, 101 79, 98 90, 94, 98
Page 681
RFC 1483 Routing 14, 26, 29, 34 encryption 3DES ESP authentication and encryption extended rules numbering ranges Externally Defined Rules window File menu finger service, disabling firewall configuring NAT passthrough 81, 100 configuring on an unsupported interface enabling CBAC...
Page 682
Serial with HDLC or Frame Relay for Serial with PPP negotiated next hop unnumbered IP compression IP directed broadcasts, disabling IP Identification service, disabling IPSec description group key group name policy type rule 5, 22 5, 22 5, 22 79, 91 90, 94, 98
Page 683
Monitor mode Firewall Status Interface Status Logging Overview VPN Status MOP service, disabling Multipoint Generic Routing Encapsulation address pools affect on DMZ service configuration and VPN connections configuring on unsupported interface configuring with a VPN designated interfaces DNS timeout...
Page 687
WAN connections creating in wizard deleting WAN interface unsupported Xauth logon Index
Page 688