Cisco OL-4015-08 User Manual

Cisco router and security device manager user's guide
Table of Contents

Cisco Router and Security Device Manager
(SDM) Version 2.2 User's Guide
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number:
Text Part Number: OL-4015-08

Summary of Contents for Cisco OL-4015-08

  • Page 1 Cisco Router and Security Device Manager (SDM) Version 2.2 User’s Guide Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: Text Part Number: OL-4015-08...
  • Page 2 CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco...
  • Page 3: Table Of Contents

    Home Page LAN Wizard Ethernet Configuration LAN Wizard: Select an Interface LAN Wizard: IP Address and Subnet Mask LAN Wizard: Enable DHCP Server LAN Wizard: DHCP Address Pool DHCP Options LAN Wizard: VLAN Mode LAN Wizard: Switch Port IRB Bridge BVI Configuration DHCP Pool for BVI IRB for Ethernet...
  • Page 4 Contents How Do I View the IOS Commands I Am Sending to the Router? How Do I Launch the Wireless Application from SDM? Create Connection Wizards Create Connection WAN Wizard Interface Welcome Window ISDN Wizard Welcome Window Analog Modem Welcome Window Aux Backup Welcome Window Select Interface Encapsulation: PPPoE...
  • Page 5 Delete Connection Summary Connectivity testing and troubleshooting How Do I... How Do I View the IOS Commands I Am Sending to the Router? How Do I Configure an Unsupported WAN Interface? How Do I Enable or Disable an Interface? How Do I View Activity on My WAN Interface? How Do I Configure NAT on a WAN Interface? How Do I Configure NAT on an Unsupported Interface? How Do I Configure a Dynamic Routing Protocol?
  • Page 6 Contents Add or Edit BVI Interface Add Loopback Interface/Connection—Loopback Connection: Ethernet LAN Connection: Ethernet WAN Ethernet Properties Connection: Ethernet with No Encapsulation Connection: ADSL Connection: ADSL over ISDN Connection: G.SHDSL Configure DSL Controller Connection: G.SHDSL with DSL Controller Connection: Serial Interface, Frame Relay Encapsulation Connection: Serial Interface, PPP Encapsulation Connection: Serial Interface, HDLC Encapsulation Add or Edit GRE Tunnel...
  • Page 7 Advanced Firewall Interface Configuration Advanced Firewall DMZ Service Configuration Advanced Firewall Inspection Rule Configuration Application Security Configuration Domain Name Server Configuration Summary How Do I... How Do I View Activity on My Firewall? How Do I Configure a Firewall on an Unsupported Interface? How Do I Configure a Firewall After I Have Configured a VPN? How Do I Permit Specific Traffic Through a DMZ Interface? How Do I Modify an Existing Firewall to Permit Traffic from a New Network...
  • Page 8 Contents SDM Warning: Inspection Rule SDM Warning: Firewall Application Security Application Security Windows No Application Security Policy E-mail HTTP Header Options Content Options Instant Messaging Point-to-Point Applications Applications/Protocols Global Timeouts and Thresholds Associate Policy with an Interface Edit Inspection Rule Permit, Block, and Alarm Controls Site-to-Site VPN Create Site to Site VPN...
  • Page 9 VPN Authentication Information Backup GRE Tunnel Information Routing Information Static Routing Information Summary of Configuration Edit Site-to-Site VPN Add new connection Add Additional Crypto Maps Crypto Map Wizard: Welcome Crypto Map Wizard: General Crypto Map Wizard: Peers Crypto Map Wizard: Transform Set Crypto Map Wizard: Traffic to Protect Crypto Map Wizard: Summary of the configuration Delete Connection...
  • Page 10 Contents Easy VPN Remote Create Easy VPN Remote Configure an Easy VPN Remote Client Connection Settings Authentication Interfaces Summary of Configuration Edit Easy VPN Remote Add or Edit Easy VPN Remote Add or Edit Easy VPN Remote: Easy VPN Settings Add or Edit Easy VPN Remote: Authentication Information Enter SSH Credentials XAuth Login Window...
  • Page 11 General Group Information DNS and WINS Configuration Split Tunneling Client Settings User Authentication (XAuth) Client Update Summary Browser Proxy Settings Add or Edit Easy VPN Server Add or Edit Easy VPN Server Connection Restrict Access Group Policies Configuration Local Pools Add or Edit IP Local Pool DMVPN Dynamic Multipoint VPN...
  • Page 12 Contents Edit Dynamic Multipoint VPN (DMVPN) General Panel NHRP Panel Routing Panel How Do I Configure a DMVPN Manually? VPN Global Settings VPN Global Settings VPN Global Settings: IKE VPN Global Settings: IPSec VPN Key Encryption Settings IP Security IPSec Policies Add or Edit IPSec Policy Add or Edit Crypto Map: General Panel Add or Edit Crypto Map: Peer Information Panel...
  • Page 13 Add or Edit Transform Set IPSec Rules Internet Key Exchange Internet Key Exchange (IKE) IKE Policies IKE Pre-shared Keys VPN Troubleshooting VPN Troubleshooting VPN Troubleshooting: Specify Easy VPN Client VPN Troubleshooting: Generate Traffic VPN Troubleshooting: Generate GRE Traffic SDM Warning: SDM will enable router debugs... Security Audit Welcome Page Interface Selection Page...
  • Page 14 Contents Enable Password Encryption Service Enable TCP Keepalives for Inbound Telnet Sessions Enable TCP Keepalives for Outbound Telnet Sessions Enable Sequence Numbers and Time Stamps on Debugs Enable IP CEF Disable IP Gratuitous ARPs Set Minimum Password Length to Less Than 6 Characters Set Authentication Failure Rate to Less Than 3 Retries Set TCP Synwait Time Set Banner...
  • Page 15 Enable AAA Configuration Summary Screen SDM and Cisco IOS AutoSecure Security Configurations SDM Can Undo Undoing Security Audit Fixes Add or Edit Telnet/SSH Account Screen Configure User Accounts for Telnet/SSH Page Enable Secret and Banner Page Logging Page Routing Add or Edit IP Static Route Add or Edit an RIP Route Add or Edit an OSPF Route Add or Edit EIGRP Route...
  • Page 16 Contents Network Address Translation Rules Designate NAT Interfaces Translation Timeout Settings Edit Route Map Address Pools Add or Edit Static Address Translation Rule: Inside to Outside Add or Edit Static Address Translation Rule: Outside to Inside Add or Edit Dynamic Address Translation Rule: Inside to Outside Add or Edit Dynamic Address Translation Rule: Outside to Inside How Do I...
  • Page 17 Signature Import Wizard Summary Signatures Assign Actions Import Signatures Add, Edit, or Clone Signature Add or Edit a Signature Location Cisco Intrusion Prevention Alert Center IPS-Supplied Signature Definition Files Global Settings Edit Global Settings SDEE Messages SDEE Message Text Network Module Management IDS Network Module Management IDS Sensor Interface IP Address IP Address Determination...
  • Page 18 Contents Edit QoS Policy Edit QoS Class Add a Protocol Interface Association QoS Status Network Admission Control Create NAC Tab Other Tasks in a NAC Implementation Welcome RADIUS Server Select the Interface(s) NAC Exception List Agentless Host Policy NAC Router Management Access Open Interface ACL Summary of the configuration Edit NAC Tab...
  • Page 19 Router Properties Device Properties Date and Time: Clock Properties Date and Time Properties SNTP Syslog SNMP Router Access User Accounts: Configure User Accounts for Router Access View Password VTYs Edit VTY Lines Configure Management Access Policies Add or Edit a Management Policy Management Access Error Messages DHCP Configuration DHCP Pools...
  • Page 20 Contents DNS Properties Dynamic DNS Methods Add or Edit Dynamic DNS Method ACL Editor Useful Procedures for Access Rules and Firewalls Rules Windows Add or Edit a Rule Associate with an Interface Add a Standard Rule Entry Add an Extended Rule Entry Select a Rule Port-to-Application Mapping Port-to-Application Mappings...
  • Page 21 Router Provisioning Router Provisioning from USB Public Key Infrastructure Certificate Wizards Welcome to the SCEP Wizard Certificate Authority (CA) Information Certificate Subject Name Attributes RSA Keys Summary Enrollment Status Cut and Paste Wizard Welcome Enrollment Task Enrollment Request Continue with Unfinished Enrollment Import CA certificate Import Router Certificate(s) Digital Certificates...
  • Page 22 Contents Open Firewall Open Firewall Details Resetting to Factory Defaults This Feature Not Supported More About... IP Addresses and Subnet Masks Host and Network Fields Available Interface Configurations DHCP Address Pools Meanings of the Permit and Deny Keywords Services and Ports More About NAT Static Address Translation Scenarios Dynamic Address Translation Scenarios...
  • Page 23 Firewall Policy Use Case Scenario DMVPN Configuration Recommendations SDM White Papers Getting Started What’s New in this Release? Cisco IOS Versions Supported Viewing Router Information Overview Interface Status VPN Status Firewall Status Application Security Log NAC Status Logging File Menu Commands Save Running Config to PC Deliver Configuration to Router Write to Startup Config...
  • Page 24 Contents Edit Menu Commands Preferences View Menu Commands Home Configure Monitor Running Config Show Commands SDM Default Rules Refresh Tools Menu Commands Ping Telnet Security Audit USB Token PIN Settings Update SDM Help Menu Commands Help Topics SDM on CCO About this router...
  • Page 25: Home

    Hardware: Model Type shows the router model number. Available/Total Memory shows Available RAM/Total... Software: IOS Version, SDM Version. The version of Cisco...
  • Page 26 Whether the router has accelerators, such as VPN accelerators. A diagram of the hardware configuration, including flash memory and installed devices such as USB flash and USB tokens. The feature sets included in the IOS image. The version of SDM running.
  • Page 27 Interface type. Firewall Policies Active/Inactive: Active—A firewall is in place. Inactive—No firewall is in place. Down (n): The number of LAN and WAN connections that are down. Total Supported WAN. Total WAN Connections. Number of DHCP Clients (Detail view).
  • Page 28 The number of configured GRE over IPSec connections. The number of configured Easy VPN Remote connections. If this router is functioning as an Easy VPN Server, the number of Easy VPN clients with active connections. Description: A description of the connection.
  • Page 29 Dynamic Routing Protocols: Lists any dynamic routing protocols that are configured on the router. NAC: Active or Inactive. NAC Policy column: The name of the NAC policy. Intrusion Prevention: Active Signatures; No. of IPS-enabled interfaces.
  • Page 31: Lan Wizard

    The Configure button may be disabled if a LAN interface has been given a configuration that SDM does not support. For a list of such configurations, see Reasons Why an Ethernet Interface Configuration May Be Read-Only.
  • Page 32: Ethernet Configuration

    • How Do I View Activity on My LAN Interface? • How Do I Enable or Disable an Interface? • How Do I View the IOS Commands I Am Sending to the Router? • How Do I Launch the Wireless Application from SDM?
  • Page 33: Lan Wizard: Select An Interface

    Alternatively, select the number of network bits for the subnet mask. Your network administrator can tell you the number of network bits to enter. IP address for the interface in dotted decimal format; for more information, refer to IP Addresses and Subnet Masks.
  • Page 34: Lan Wizard: Enable Dhcp Server

    DHCP server on your router. The IP addresses that a DHCP server assigns are drawn from a common pool that you configure; for more information, refer to DHCP Address Pools.
  • Page 35: Dhcp Options

    WINS Server 2: If there is an additional WINS server on the network, enter the IP address for the server in this field.
  • Page 36: Lan Wizard: Vlan Mode

    VLAN ID number in the New VLAN field, and then enter the IP address and subnet mask of the new VLAN logical interface in the IP Address and Subnet Mask fields.
  • Page 37: Irb Bridge

    IP address and subnet mask will appear in this screen. You can change it, or leave the values unchanged.
  • Page 38: Dhcp Pool For Bvi

    IP address for the interface in dotted decimal format. Subnet mask: obtain this value from your network administrator. Network bits: this value is used to calculate... For more information, refer to IP Addresses and Subnet Masks.
  • Page 39: Irb For Ethernet

    VLANs on the interface, and you can configure a native VLAN that does not use the 802.1q encapsulation protocol. If you configure the interface for routing, you cannot configure subinterfaces or additional VLANs on the interface.
  • Page 40: Configure Switch Device Module

    This section contains procedures for tasks that the wizard does not help you complete. How Do I Configure a Static Route? To configure a static route:
  • Page 41: How Do I View Activity On My Lan Interface

    Step 4 Select the data item(s) you want to view by checking the associated check box(es). You can view up to four statistics at a time.
  • Page 42: How Do I Enable Or Disable An Interface

    Finish. Step 1 From the SDM Edit menu, select Preferences. Step 2 Check Preview commands before delivering to router. Step 3 Click OK.
  • Page 43: How Do I Launch The Wireless Application From Sdm

    To obtain help for any screen, click the help icon in the upper right corner. This icon looks like an open book with a question mark.
  • Page 45: Create Connection Wizards

    Cisco Router and Security Device Manager (SDM) configures subinterfaces for each interface of that type.
  • Page 46: How Do I View The Ios Commands I Am Sending To The Router

    • How Do I Configure a Dynamic Routing Protocol? • How Do I Configure Dial-on-Demand Routing for my ISDN or Asynchronous Interface? Refer to the software configuration guide for the router to use the CLI to configure the interface.
  • Page 47: Isdn Wizard Welcome Window

    • When the asynchronous interface is already configured • When the asynchronous interface is not configurable by SDM due to the presence of unsupported Cisco IOS commands in the existing configuration
  • Page 48: Select Interface

    Static IP Address: If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided.
  • Page 49: Ip Address: Atm With Rfc 1483 Routing

    Dynamic (DHCP Client): If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
  • Page 50: Ip Address: Ethernet Without Pppoe

    DNS. IP Address: Serial with Point-to-Point Protocol: Choose the method that the point-to-point interface will use to obtain an IP address.
  • Page 51: Ip Address: Serial With Hdlc Or Frame Relay

    If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
  • Page 52: Ip Address: Isdn Bri Or Analog Modem

    Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
  • Page 53: Authentication

    ISDN BRI connections require identification of the ISDN switch type, and in some cases, identification of the B channels using Service Provider ID (SPID) numbers. This information will be provided to you by your service provider.
  • Page 54 ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system. vn3—French ISDN BRI switches. ntt—Japanese NTT ISDN switches. basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931.
  • Page 55: Dial String

    Note the following prerequisites: • The primary interface must be configured for Site-to-Site VPN. • The IOS image on your router must support the SAA ICMP Echo Enhancement feature.
  • Page 56: Backup Configuration: Primary Interface & Next Hop Ip Addresses

    Enter the IP address or host name of the destination host to which connectivity will be tracked. Please specify an infrequently-contacted destination as the site to be tracked.
  • Page 57: Interface

    In this window, select the type of encapsulation that the WAN link will use. Ask your service provider or network administrator which type of encapsulation is used for this link. The interface type determines the types of encapsulation available.
  • Page 58 This option is available when you have selected an ATM interface. An ATM with AAL5-MUX subinterface will be created when you configure an RFC 1483 connection. This subinterface will be visible in the Summary window.
  • Page 59 The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections. Enter the VPI value given to you by your service provider. Provides Frame Relay encapsulation. This option is available when you have selected a serial interface.
  • Page 60: Configure Lmi And Dlci

    Ask your service provider which of the following LMI types you should use.
  • Page 61: Configure Clock Settings

    Annex D defined by American National Standards Institute (ANSI) standard T1.617. LMI type defined jointly by Cisco Systems and three other companies. ITU-T Q.933 Annex A. The default. This setting allows the router to detect which LMI type is being used by communicating with the switch and to then use that type.
  • Page 62 SDM will set FDL to none and make this field read-only. ...or E1 link for operation with D4 Super Frame (sf) or ... lines. The b8zs setting ensures ... line with ... encoding.
  • Page 63: Delete Connection

    You can automatically delete all associations that the connection has, or delete the associations later.
  • Page 64: Association

    Interfaces and Connections. Click the connection in the Interface List, then click Edit. Click the Association tab; then in the Inspection Rule group, in both the Inbound and Outbound fields, choose None.
  • Page 65: Summary

    Back button to return to the screen on which you need to make changes.
  • Page 66 Checks the interface status to see if it is up or down. Checks DNS Settings, whether they be SDM default options or user-specified hostnames.
  • Page 67 If the ping fails on an xDSL connection with PPPoE encapsulation, SDM checks: • the ATM PVC status. If the ATM PVC test fails, SDM displays possible reasons for the failure and actions you can take to correct the problem.
  • Page 68 Click this button if you want to view the summarized troubleshooting information. Details: Click this button if you want to view the detailed troubleshooting information.
  • Page 69 This box provides a possible action/solution to rectify the problem. Status values: The connection is up. The connection is down. Test is successful. Test failed. What Do You Want to Do? If you want to: Troubleshoot the WAN interface connection. Do this: Click Start button. If you want to: Save the test report.
  • Page 70: How Do I View The Ios Commands I Am Sending To The Router

    Click it to disable the interface. If the interface is currently disabled, the Enable button appears in that location. Click that button to enable the interface.
  • Page 71 LAN whose resources must be protected. Check outside (untrusted) to designate it as an outside interface. Outside interfaces typically connect to an untrusted network. Click OK.
  • Page 72: How Do I Configure Nat On An Unsupported Interface

    Step 3 In the Dynamic Routing group, click the dynamic routing protocol that you want to configure. Step 4 Click Edit. The interface must have, at a minimum, ... to configure the interface.
  • Page 73 Step 2 Click Interfaces and Connections in the left frame. Step 3 Click the ISDN or asynchronous interface on which you want to configure DDR.
  • Page 74 Step 1 Click Configure on the SDM toolbar. Step 2 Click Interfaces and Connections in the left frame, and then click the Edit Interface/Connection tab.
  • Page 75 Step 3 Select the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information. If you want to change other wireless parameters, click Launch Wireless Application.
  • Page 77 If you select a switch port, the Edit Switch Port dialog appears. The Edit button will be disabled if the interface is supported and unconfigured.
  • Page 78 This column lists the physical and logical interfaces by name. If a logical interface has been configured for a physical interface, the logical interface is shown under the physical interface.
  • Page 79 Interface List. Association details include such information as Network Address Translation (NAT), Access, and inspection rules, IPSec policies, and Easy VPN configurations. Connection details include IP address, encapsulation type, and DHCP options.
  • Page 80 Highlight the interface you want to edit, and click Edit. Note: If you are editing a GRE tunnel, the Connection tab will not appear if the GRE tunnel has not been configured to use gre ip mode. Select the physical interface, and click Reset.
  • Page 81 • For reasons why a previously configured ISDN BRI interface may appear as read-only in the Interface List, see the help topic Interface Configuration May Be... Do this: Select the interface you want to delete, and click Delete. See one of the following procedures: • How Do I Configure a Static Route?...
  • Page 82 Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open. This menu choice is available only if there are existing dynamic DNS methods.
  • Page 83 IP Address of Remote DHCP Server: Enter the IP address of the DHCP server that will provide addresses to devices on the LAN.
  • Page 84 Add Dynamic DNS Method: This window allows you to add a dynamic DNS method. Choose the type of method, HTTP or IETF, and configure it.
  • Page 85 Tasks > Router Properties, or if you want to override Domain Name. The dynamic DNS method sends the domain name along with the interface’s new IP address.
  • Page 86 The name or number of an access rule applied to outbound traffic on this interface. If you want to apply a rule, click the button and either select an existing rule or create a rule and select it.
  • Page 87 Note: ...Tunnel interface, and then associate it with the source interface for the tunnel. For example, if you wanted to associate a policy with Tunnel3, whose source interface...
  • Page 88: Edit Switch Port

    Not Supported. Edit Switch Port: This screen lets you edit VLAN information for Ethernet switch ports.
  • Page 89: General

    If you have allowed the Security Audit feature to disable certain properties, but you want to reenable them, you can reenable them in this window. The properties listed in this screen are as follows:
  • Page 90 Because it breaks the LAN security barrier, proxy ARP should be used only between two LANs with an equal security level, and only when necessary.
  • Page 91 These messages can be used by an attacker to gain network mapping information. You can associate a QoS policy with an interface in this tab, or dissociate a policy from an interface.
  • Page 92: Select Ethernet Configuration Type

    WAN wizard window, and appears with the designation Outside in the Interfaces and Connections window. Connection: VLAN: This screen lets you configure a VLAN interface.
  • Page 93: Connection: Subinterfaces

    ID, IP address and mask, and a description, if one has been entered. For example, if the router had the interface FastEthernet 1, and the subinterfaces FastEthernet1.3 and FastEthernet1.5 were configured, this window might contain the following display: 56.8.1.1/255.255.255.0 Bridge No. 77
  • Page 94: Add Or Edit Bvi Interface

    This window enables you to add a loopback interface to the selected interface. IP Address: Select whether the loopback interface is to have no IP address or a static IP address.
  • Page 95: Connection: Ethernet Lan

    Note: If the router has been previously configured to be a DHCP relay and is configured to have more than one remote DHCP server IP address, this button will be disabled. Subnet mask: Obtain this value from your network administrator. For more information, refer to IP Addresses and Subnet Masks.
  • Page 96: Connection: Ethernet Wan

    Select Easy IP (IP Negotiated) if the router will obtain an IP address via Point-to-Point Protocol/IP Control Protocol (PPP/IPCP) address negotiation. For more information, refer to IP Addresses and Subnet Masks.
  • Page 97: Ethernet Properties

    This window enables you to configure properties for an Ethernet WAN link. Enable PPPoE Encapsulation: Click Enable PPPoE encapsulation if your service provider requires that you use PPPoE. PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation. CHAP/PAP authentication password information.
  • Page 98: Connection: Ethernet With No Encapsulation

    IP address for this link. For more information, refer to IP Addresses and Subnet Masks.
  • Page 99: Connection: Adsl

    To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: ADSL This window enables you to specify or edit properties of a PPPoE link supported by an ADSL connection.
  • Page 100 IP address for this link. For more information, refer to IP Addresses and Subnet Masks.
  • Page 101 WAN interface’s IP address changes. Note This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following:
  • Page 102: Connection: Adsl Over Isdn

    The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections. Obtain this value from your service provider.
  • Page 103 Cisco IOS version. • annexb—Standard Annex-B mode of ITU-T G.992.1. • annexb-ur2—ITU-T G.992.1 Annex-B mode. IP address for this link. For more information, refer to IP Addresses and Subnet Masks.
  • Page 104: Connection: G.shdsl

    To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: G.SHDSL This window enables you to create or edit a G.SHDSL connection.
  • Page 105 Your service provider or network administrator must tell you the method the router should use to obtain an IP address.
  • Page 106 Operating Mode Select one of the values below: IP address of the gateway system to which this link will connect.
  • Page 107 Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.
  • Page 108: Configure Dsl Controller

    G.SHDSL port and the DSLAM, or the actual DSL line rate. The supported line rates are 200, 264, 392, 520, 776, 1032, 1160, 1544, 2056, and 2312.
  • Page 109: Connection: G.shdsl With Dsl Controller

    To configure a new G.SHDSL connection, click Add. This will display the Connection: G.SHDSL with DSL Controller page for the new connection. To edit an existing G.SHDSL connection, select the connection
  • Page 110 page, letting you edit the connection configuration. To delete a G.SHDSL connection.
  • Page 111 This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method.
  • Page 112: Connection: Serial Interface, Frame Relay Encapsulation

    selected. IP address for this interface. For more information, refer to IP Addresses and Subnet Masks.
  • Page 113 T1.617. Cisco LMI type defined jointly by Cisco and three other companies. ITU-T Q.933 ITU-T Q.933 Annex A. Subnet mask: network bits to specify how much of the IP address
  • Page 114 DNS methods. • Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method.
  • Page 115: Connection: Serial Interface, Ppp Encapsulation

    Obtain the value of the subnet mask or the network bits from your network administrator or Internet service provider. Subnet Bits Alternatively, enter the number of network bits that provide the network address. IP address for this point-to-point subinterface. Obtain this value from your network administrator or Internet service provider.
  • Page 116 Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.
  • Page 117: Connection: Serial Interface, Hdlc Encapsulation

    In most cases, clock settings should not be changed from the default values. If you know that your requirements are different from the defaults, click this button and make new clock settings in the window displayed. IP address for this interface.
  • Page 118: Add Or Edit Gre Tunnel

    tunnel to an interface or edit an existing interface in this window. This window will not appear if the GRE tunnel has not been configured using gre ip mode. Tunnel Number Enter a number for this tunnel.
  • Page 119 Adjust MTU to avoid fragmentation. Bandwidth Click to specify the bandwidth for this tunnel in kilobytes.
  • Page 120: Connection: Isdn Bri

    ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system. vn3—French ISDN BRI switches. ntt—Japanese NTT ISDN switches. basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931.
  • Page 121 IP Address Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider. For more information, refer to IP Addresses and Subnet Masks.
  • Page 122 subnet mask. The subnet mask specifies the portion of the IP address; network bits to specify how many bits in the IP address. CHAP authentication information.
  • Page 123: Connection: Analog Modem

    IP Address Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider. For more information, refer to IP Addresses and Subnet Masks.
  • Page 124 subnet mask. The subnet mask specifies the portion of the IP address; network bits to specify how many bits in the IP address. CHAP authentication information.
  • Page 125: Connection: (Aux Backup)

    Timer settings will cause the router to automatically disconnect a call after the line is idle for the specified amount of time.
  • Page 126: Authentication

    Obtain this value from your network administrator. Subnet mask. The subnet mask specifies the portion of the IP address; network bits to specify how many bits in the IP address. CHAP authentication information. Backup Configuration screen, which lets you
  • Page 127 for a serial connection or
  • Page 128: Spid Details

    DMS-100 switch type, two SPIDs are assigned, one for each B channel. SPID1 Enter the SPID to the first BRI B Channel provided to you by your ISP.
  • Page 129: Dialer Options

    Timer settings let you configure a maximum amount of time that a connection with no traffic will stay active. By configuring timer settings your connections will shut down automatically, saving you connection time and cost.
  • Page 130 Enter a number between 1 and 255, where 255 equals 100% of bandwidth on the first connection being utilized. Data Direction SDM supports Multilink PPP only for outbound network traffic.
  • Page 131: Backup Configuration

    Track Object Number This is a read-only field that displays an internal object number generated and used by SDM for tracking the connectivity to the remote host.
  • Page 132 Enter the next hop IP address of the primary interface. Backup Next Hop IP Address Enter the next hop IP address of the ISDN BRI or analog modem backup interface.
  • Page 133: Create Firewall

    Click this if you want SDM to create a firewall using default rules. The use case scenario shows a typical network configuration in which this kind of firewall is used.
  • Page 134 Click Basic Firewall. Then, click Launch the Selected Task. SDM asks you to identify the interfaces on your router, and then it uses SDM default access rules and inspection rules to create the firewall.
  • Page 135 DMZ, you should select this option. If you want to: Get information about a task that this wizard does not help me complete. Do this: Select Advanced Firewall. Then, click Launch the Selected Task. SDM will show you the default inspection rule and allow you to use it in the firewall.
  • Page 136: Basic Firewall Configuration Wizard

    SDM to manage the router. Select the outside interface Select the interfaces through which users are to launch SDM.
  • Page 137: Advanced Firewall Configuration Wizard

    Internet firewall by asking you for information about the router interfaces. Select the router interface that connects to a DMZ network, if one exists. A DMZ network is a buffer zone used to isolate traffic that comes from an untrusted network. If you have a DMZ network, select the interface that connects to it.
  • Page 138: Advanced Firewall Dmz Service Configuration

    Click Add, and create the entry in the DMZ Service Configuration window. To edit a DMZ service entry: Select the service entry, and click Edit. Then, edit the entry in the DMZ Service Configuration window.
  • Page 139: Advanced Firewall Inspection Rule Configuration

    Outgoing traffic can leave the router, but if return traffic of the same type is not explicitly permitted, it will not be allowed on the LAN. Inspection rules provide a means to allow such return
  • Page 140 Off if no audit trail is to be generated. Audit trails will be saved in a syslog file if syslog has been enabled in the Router Properties Logging window.
  • Page 141: Application Security Configuration

    Select an existing policy, and select the policy. To create a policy, click the button, choose Create a New Policy, and create the policy in the dialog displayed. Do this: Select the rule name from the Inspection Rule Name list. The inspection rule entries appear in the box below.
  • Page 142: Domain Name Server Configuration

    The following are examples: • Apply default inspection rule to the outbound direction. (Basic Firewall) • Turn on unicast reverse path forwarding check.
  • Page 143 CLI commands that you are delivering to the router. How Do I... This section contains procedures for tasks that the wizard does not help you complete.
  • Page 144: How Do I View Activity On My Firewall

    firewall is monitored through the creation of log entries. Step 3 In the upper table, click the rule that you want to modify. Step 4 Click Edit.
  • Page 145: How Do I Configure A Firewall On An Unsupported Interface

    firewall on an interface type unsupported by SDM. The interface must have, at a minimum, an IP address configured, and it must be working. For more information on how to configure an interface using the CLI, refer to the Software Configuration Guide for your router.
  • Page 146: How Do I Configure A Firewall After I Have Configured A Vpn

    is placed on an interface used in a VPN, the firewall must permit the VPN traffic. access-list 105 permit ahp host 123.3.4.5 host 192.168.0.1 access-list 105 permit esp host 123.3.4.5 host 192.168.0.1
  • Page 147: How Do I Permit Specific Traffic Through A Dmz Interface

    Step 9 From the Service field, select TCP. Step 10 In the Port field, enter 80 or www. Step 11 Click Next>. Step 12 Click Finish.
  • Page 148: How Do I Modify An Existing Firewall To Permit Traffic From A New Network Or Host

    NAT. The unsupported interface will appear as “Other” on the router interface list. to configure the interface. The interface must have, at a minimum,
  • Page 149: How Do I Configure Nat Passthrough For A Firewall

    Concentrator? In order to permit traffic through your firewall to a VPN concentrator, you must create or modify access rules that permit the VPN traffic. and are now configuring your firewall, you must modify the firewall so that it permits traffic from your public IP address. To do
  • Page 150 • Protocol UDP, Source Port 500, Destination Port 500 • Protocol IP, IP Protocol ESP • Protocol UDP, Source Port 10000, Destination Port 10000 Step 16 Click OK.
  • Page 151: How Do I Associate A Rule With An Interface

    Step 4 In the Association tab, find the access rule in the inbound or outbound field in the Access Rule box. The access rule may have a name, or a number.
  • Page 152: How Do I Delete A Rule That Is Associated With An Interface

    These sources are defined in an access rule that the Java List references. To create this kind of access rule, and use it in a Java list, do the following:
  • Page 153: Network

    DMZ. If you do not have a DMZ network, you can still permit specified types of outside traffic onto your network, using the Firewall Policy feature. Step 1 Configure a firewall using the Firewall wizard.
  • Page 154: Edit Firewall Policy/Acl

    Although it is set in the context of a DMZ network, the procedure is applicable to an inside network as well.
  • Page 155: Firewall Policy

    DMZ interface and specify the services that should be allowed onto the DMZ network.
  • Page 156 SDM will display a message telling you to configure an additional interface. The following graphic shows the Traffic Selection panel.
  • Page 157 The following illustration shows the traffic selection panel and the traffic diagram area displaying the access rules and inspection rules in the selected traffic flow.
  • Page 158 From interface, and there is an access rule applied to the inbound direction of the To interface. The access rule on the inbound direction of the To interface is an extended access rule, and contains at least one access rule entry.
  • Page 159 If the Policy Panel is blank, you can use the Add button to create entries for the rule. Rules applied to Originating traffic are indicated by a right arrow. An icon on the From interface traffic line indicates the presence of a rule filtering traffic inbound to the router.
  • Page 160 Then, create the entry in the Add an Entry window. Remember that the order of entries is important. SDM displays
  • Page 161 Ethernet 0 interface from traffic entering the Ethernet 1 interface, select From: Ethernet 0, and To: Ethernet 1. Then click Apply Firewall. If the selected traffic flow does not have a firewall applied, you can apply a firewall by selecting Originating traffic and clicking the Apply Firewall button.
  • Page 162 The address of a host. Any network or host. Examples: TCP, EIGRP, UDP, GRE. See Services. Examples: Telnet, http, FTP. See Services. Examples: SNMP, bootpc, RIP. See Services. Internet Group Management Protocol (IGMP). Examples: echo-reply, host-unreachable. See ICMP Message Types. Log denied traffic.
  • Page 163 From interface. You can add an entry for a specific application whether or not an inspection rule already exists. Edit—Click to edit a selected entry. Delete—Click to delete a selected entry.
  • Page 164 Audit Trail: Whether or not audit trail is enabled (default-off). Timeout: How long the router should wait before blocking return traffic for this protocol or application (3600 seconds). Description: Short description (VDOLive protocol).
  • Page 165: Add App-Name Application Entry

    Add rpc Application Entry Add a Remote Procedure Call (RPC) program number in this window, and specify Alert, Audit, Timeout, and Wait time settings.
  • Page 166: Add Fragment Application Entry

    Edit Firewall Policy/ACL window, and you can specify Alert, Audit, and Timeout settings. A fragment entry sets the maximum number of unreassembled packets that the router should accept before dropping them.
  • Page 167: Add Or Edit Http Application Entry

    Use this window to add an http application to the inspection rule. Alert Action One of the following: • default-on—Leave as default. Default value is on. • on—Enable alert. • off—Disable alert.
  • Page 168: Java Applet Blocking

    • Do Not Block (Permit)—Permit Java applets from this network or host. • Block (Deny)—Deny Java applets from this network or host. Host/Network Specify the network or the host.
  • Page 169: Sdm Warning: Inspection Rule

    • Keep inspection rule name on <interface-name> inbound, and dissociate inspection rule name on <interface-name> outbound—SDM will keep one inspection rule, and dissociate the rule from the other interface.
  • Page 170: Sdm Warning: Firewall

    * Apply inbound access list to deny returning traffic. Click OK to accept these changes, or click Cancel to stop the application of the firewall.
  • Page 171: Application Security

    Action button—Click to add a policy, delete the chosen policy, or clone the chosen policy. If no policies are configured on the router, Add is the only action available.
  • Page 172 Click this drawer to make changes to the security settings of other applications and protocols. Click Point-to-Point Applications, HTTP, Instant Messaging, or Applications/Protocols for more information.
  • Page 173: No Application Security Policy

    Application Security configuration windows do not display the default values; you must click this button to view them in the Global Timeouts and Thresholds window. See Global Timeouts and Thresholds for more information.
  • Page 174: E-Mail

    Default value: 20 MB. Secure login checkbox Causes a user at a non-secure location to use encryption for authentication.
  • Page 175 Use the Permit, Block and Alarm controls to specify the action that you want SDM to take when this type of traffic is encountered.
  • Page 176 Off explicitly disables the CBAC audit trail for HTTP traffic and for HTTPS traffic if HTTPS inspection is enabled, and overrides the global audit trail setting
  • Page 177: Header Options

    To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
  • Page 178 Specification version 3.3, combined with the "deflate" compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification version 1.3.
  • Page 179: Instant Messaging

    The following example shows traffic blocked for BitTorrent traffic, and alarms generated when traffic for that application arrives: BitTorrent Block Send Alarm (checked)
  • Page 180: Applications/Protocols

    Audit column, but the Alert and Timeout columns are blank.
  • Page 181: Global Timeouts And Thresholds

    Global Timer values can be specified in seconds, minutes, or hours. TCP Connection Timeout Value The amount of time to wait for a connection to be established. The default value is 30 seconds.
  • Page 182 Stop deleting new connections after the number of new connections drops below this value. The default value is 400 sessions. Start deleting new connections when the number of new connections exceeds this value. The default value is 500 sessions.
  • Page 183: Associate Policy With An Interface

    Incoming column and the Outgoing column. To have only incoming traffic inspected, you would only check the box in the Incoming column.
  • Page 184: Edit Inspection Rule

    Other Options Certain applications can have additional options set. Depending on the application, you may see the options described next.
  • Page 185: Permit, Block, And Alarm Controls

    Block to deny traffic. If you want an alarm to be sent to the log when this type of traffic is encountered, check Send Alarm. The Send Alarm control is not used in all windows.
  • Page 187: Site-To-Site Vpn

    This option allows you to create a VPN network connecting two routers. Create a Secure GRE Tunnel (GRE-over-IPSec) This option allows you to configure a generic routing encapsulation protocol (GRE) tunnel between your router and a peer system.
  • Page 188 Do this: Select Create a site-to-site VPN. Then click Launch the selected task. Select Create a Secure GRE tunnel (GRE-over-IPSec). Then click Launch the selected task.
  • Page 189 If you want to: Find out how to perform other VPN-related tasks that this wizard does not guide you through. Do this: Select a topic from the following list: • How Do I View the IOS Commands I Am...
  • Page 190: Site-To-Site Vpn Wizard

    Cisco VPN 3000 series concentrator to operate with an Easy VPN Remote Phase II client, and other information which you might find useful: http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800a8565.html The following link connects you to Cisco VPN 3000 series documentation: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_getting_started_guide_book09186a00800bbe74.html
  • Page 191: View Defaults

    IPSec rule that SDM will use to configure a Quick Setup site-to-site VPN. If you need a different configuration than this window shows, check Step-by-Step wizard so that you can define configuration values. Do this: Check Quick setup, and then click Next.
  • Page 192: Vpn Connection Information

    This key must be the same on each side of the VPN connection. IP address or host name of the remote site. tunnel that you are configuring, to specify the router
  • Page 193 Choose the interface on the router that will be the source of the traffic on this VPN connection. All traffic coming through this interface whose destination IP address is in the subnet specified in the Destination area will be encrypted. pre-shared key, and then reenter it for confirmation.
  • Page 194: Ike Proposals

    IKE policies. Priority This is the order in which the policy will be offered during negotiation.
  • Page 195 AES provides greater security than DES and is computationally more efficient than 3DES. • AES-192—AES encryption with a 192-bit key. • AES-256—AES encryption with a 256-bit key.
  • Page 196 Either SDM Default or User Defined. If no User Defined policies have been created on the router, this window will show the default IKE policy.
  • Page 197: Transform Set

    To learn the possible values each column may contain, click Transform Set. Transform Name The name given to this transform set.
  • Page 198 Tunnel mode allows network devices such as routers to act as an IPsec proxy for multiple VPN users. Type Either User Defined, or SDM Default.
  • Page 199: Traffic To Protect

    Enter the address of the subnet whose outgoing traffic you want to protect, and specify the subnet mask. For more information, refer to Configurations. Do this: Select a transform set, and click Next. Click Add, and create the transform set in the Add Transform Set window.
  • Page 200: Summary Of The Configuration

    This window shows you the VPN or DMVPN configuration that you created. You can review the configuration in this window and use the back button to make changes if you want.
  • Page 201: Spoke Configuration

    The routing protocol to use, and any information associated with the protocol, • such as Autonomous System number (for EIGRP), and OSPF Process ID. OL-4015-08 Cisco Router and Security Device Manager Version 2.2 User’s Guide Create Site to Site VPN...
  • Page 202: Secure Gre Tunnel (Gre-Over-Ipsec)

    SDM lists interfaces with static IP addresses and interfaces configured as unnumbered Note in the Interface list. Loopback interfaces are not included in the list. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-48 Chapter 8 Site-to-Site VPN IPSec rule that describes the OL-4015-08...
  • Page 203: Vpn Authentication Information

    Enter the subnet mask for the tunnel address in dotted decimal format. VPN Authentication Information VPN peers use a pre-shared key to key must be the same on each side of the VPN connection. OL-4015-08 Masks. authenticate Cisco Router and Security Device Manager Version 2.2 User’s Guide Create Site to Site VPN connections from each other.
  • Page 204 Digital Certificates page, select the configured trustpoint, and select None for Revocation. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-50 pre-shared key, and then reenter it for confirmation. Exchange the Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 205: Backup Gre Tunnel Information

    Enter the IP address of the tunnel in dotted decimal format. For more information, IP Addresses and Subnet Subnet Mask Enter the subnet mask for the tunnel address in dotted decimal format. OL-4015-08 Masks. Cisco Router and Security Device Manager Version 2.2 User’s Guide Create Site to Site VPN...
  • Page 206: Routing Information

    Next to specify which networks will participate in the GRE-over-IPSec VPN in the Routing Information window. This option is not available when you configure a backup GRE-over-IPSec tunnel. Note Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-52 Chapter 8 Site-to-Site VPN GRE over IPSec VPN. Select OL-4015-08...
  • Page 207: Static Routing Information

    ! Entry added by SDM ip route 200.1.0.0 If no default route exists, SDM simply creates one, using the tunnel interface as the next hop. For example: ip route 0.0.0.0 OL-4015-08 0.0.0.0 FE0 0.0.0.0 Tunnel0 255.255.0.0 FE0 0.0.0.0 Tunnel0 Cisco Router and Security Device Manager Version 2.2 User’s Guide...
  • Page 208: Select Routing Protocol

    Use this window to specify how other networks behind your router are advertised to the other routers in the network. Select one of the following: EIGRP—Extended Interior Gateway Routing Protocol. • OSPF—Open Shortest Path First. • Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-54 Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 209: Summary Of Configuration

    In effect, it gives you the protection of a private network over public lines that may be used by other organizations. OL-4015-08 configuration that you have completed. You can Cisco Router and Security Device Manager Version 2.2 User’s Guide...
  • Page 210 Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-56 The connection is up. The connection is down. The connection is being established. More about VPN Connections and IPSec Chapter 8 Site-to-Site VPN crypto map defined for the IPSec OL-4015-08...
  • Page 211 Dynamic—This is a dynamic site-to-site VPN tunnel. The VPN tunnel uses • dynamic crypto maps. Add Button Click to add a VPN connection OL-4015-08 transform set used by this VPN connection. Multiple Cisco Router and Security Device Manager Version 2.2 User’s Guide Edit Site-to-Site VPN...
  • Page 212: Add New Connection

    Select the interface you want to use for the VPN from the Select Interface list. Step 1 Only interfaces that are not used in other VPN connections are shown in this list. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-58 Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 213: Add Additional Crypto Maps

    This is the name of the IPSec policy controlling the VPN connection. The crypto maps making up the IPSec policy are shown in the list below this field. For more information, click OL-4015-08 More about VPN Connections and IPSec Cisco Router and Security Device Manager Version 2.2 User’s Guide Edit Site-to-Site VPN Policies.
  • Page 214: Crypto Map Wizard: Welcome

    Then click OK in this window. Check the Use Add Wizard box, and click OK. SDM will guide you in creating a new crypto map, and will associate it with the IPSec policy. Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 215 (OSPF) protocol or Routing Information Protocol (RIP) for remote VPN clients or LAN-to-LAN sessions. Reverse Route Injection dynamically adds static routes to the clients connected to the Easy VPN server. OL-4015-08 Cisco Router and Security Device Manager Version 2.2 User’s Guide Edit Site-to-Site VPN 8-61...
  • Page 216: Crypto Map Wizard: Peers

    This shows the name, encryption, authentication characteristics, and other parameters of the selected crypto map. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-62 If this icon appears next to the transform set, it is read-only, and it cannot be edited. Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 217: Crypto Map Wizard: Traffic To Protect

    You can either select a subnet mask from the list or type in a custom mask. The subnet number and mask must be entered in dotted decimal format. For more information, see OL-4015-08 Do this: Click Next.
  • Page 218: Crypto Map Wizard: Summary Of The Configuration

    You can review it, click Back to return to a screen to make changes, and then return to the Summary window and click Finish to deliver the cryptomap configuration to the router. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-64 Chapter 8 Site-to-Site VPN IPSec rule that defines OL-4015-08...
  • Page 219: Ping

    By default, the ping command originates from the outside interface with the connection to the remote device. OL-4015-08 Cisco Router and Security Device Manager Version 2.2 User’s Guide Edit Site-to-Site VPN...
  • Page 220: Generate Mirror

    Identical names for IPSec policies, IKE policies, and transform sets Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-66 Chapter 8 Site-to-Site VPN After Configuring a VPN, How to learn how to use the text file to OL-4015-08...
  • Page 221: Sdm Warning: Nat Rules With Acl

    To make the listed NAT rules use route maps: Click OK. How Do I... This section contains procedures for tasks that the wizard does not help you complete. OL-4015-08 Cisco Router and Security Device Manager Version 2.2 User’s Guide How Do I... 8-67...
  • Page 222: How Do I Create A Vpn To More Than One Site?

    In the Destination fields, enter the IP address and subnet mask of the destination Step 10 router. Click Next>. Step 11 Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-68 Chapter 8 Site-to-Site VPN tunnels on one interface on your router. OL-4015-08...
  • Page 223 IP traffic coming from a specific subnet, enter the IP address and subnet mask of that subnet in the appropriate fields. OL-4015-08 Cisco Router and Security Device Manager Version 2.2 User’s Guide How Do I...
  • Page 224: After Configuring A Vpn, How Do I Configure The Vpn On The Peer Router

    Click Save to display the Windows Save File dialog box, and save the file. Step 5 Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-70 configurations on your router. SDM includes a function that peer router to which your VPN tunnel connects. This Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 225: How Do I Edit An Existing Vpn Tunnel

    In the Add static crypto maps window, you can add more crypto maps to the VPN Step 6 connection. OL-4015-08 Do not apply the mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration.
  • Page 226: How Do I Confirm That My Vpn Is Working

    Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-72 connection is working by using the Monitor mode peer IPSec tunnel Chapter 8 Site-to-Site VPN IP addresses. or an Internet Key OL-4015-08...
  • Page 227: How Do I Configure A Backup Peer For My Vpn

    To add additional peers, repeat Step 4 through Step 8. Step 8 How Do I Accommodate Multiple Devices with Different Levels of VPN Support? To add multiple OL-4015-08 peers inside a single transform sets to a single crypto Cisco Router and Security Device Manager Version 2.2 User’s Guide How Do I...
  • Page 228: How Do I Configure A Vpn On An Unsupported Interface

    SDM to configure your VPN connection. The unsupported interface will appear in the fields that require you to choose an interface for the VPN connection. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-74 over an interface type unsupported by SDM. Before Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 229: How Do I Configure A Vpn After I Have Configured A Firewall

    In the Action field, choose Permit. Step 8 In the Source Host/Network group, from the Type field, select A Network. Step 9 OL-4015-08 to function with a firewall to translate addresses from networks outside your own and Cisco Router and Security Device Manager Version 2.2 User’s Guide How Do I...
  • Page 230 In the Description field, enter a short description of the network or host. Step 13 Click OK. Step 14 The new rule now appears in the Access Rules table. Cisco Router and Security Device Manager Version 2.2 User’s Guide 8-76 Chapter 8 Site-to-Site VPN OL-4015-08...
  • Page 231: Easy Vpn Remote

    Note: If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase II or later, you will not be able to configure an Easy VPN client.
  • Page 232: Connection Settings

    LAN will not be able to ping devices on the LAN, or reach them directly.
  • Page 233: Interfaces

    Enter the IPSec group key. The group key must match the group key defined on the VPN concentrator or server. Obtain this information from your network administrator. Reenter the key to confirm its accuracy.
  • Page 234 The web browser option appears only if supported by the Cisco IOS image on your router.
  • Page 235 VPN tunnel whenever a timeout occurs. You can change SA timeout settings in the VPN Components window.
  • Page 236: Edit Easy Vpn Remote

    XAuth, it challenges the router for a username and password. When this happens, you must first supply a Secure Shell (SSH) login.
  • Page 237: Edit Easy Vpn Remote

    Status: The status of the connection, which is indicated by the following icons and text alerts: The connection is up. When an Easy VPN connection is up, the Disconnect button enables you to deactivate the connection if manual tunnel control is used.
  • Page 238 Configuration Changed—The configuration for this connection has been changed, and needs to be delivered to the router. If the connection uses manual tunnel control, use the Connect button to establish the connection.
  • Page 239 They must be entered from SDM or the router console. They must be entered from a PC browser when browsing.
  • Page 240 This button is labeled Login if all of the following are true: The Easy VPN server or concentrator being connected to uses XAuth.
  • Page 241 VPN peer. The connection is cleared and reestablished. Do this: Click Add in the Edit Easy VPN Remote window. Configure the connection in the Add Easy VPN Remote window, and click OK. Then click Connect in this window to connect to the Easy VPN server.
  • Page 242 VPN Remote Phase II client, along with other useful information. http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800a8565.html The following link connects you to Cisco VPN 3000 series documentation. http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_getting_started_guide_book09186a00800bbe74.ht How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator?
  • Page 243: Add Or Edit Easy Vpn Remote

    Address Translation (NAT) and Port Address Translation (PAT) will be used. Devices outside the LAN will not be able to ping devices on the LAN or to reach them directly.
  • Page 244 Enter the IPSec group name. The group name must match the group name defined on the VPN concentrator or server. Obtain this information from your network administrator.
  • Page 245: Add Or Edit Easy Vpn Remote: Easy Vpn Settings

    Easy VPN concentrator or server on the network. Note: This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase III.
  • Page 246 VPN Connections window. The Connect and Disconnect buttons are disabled when this Easy VPN connection is chosen.
  • Page 247 Cisco 800 series and Cisco 1700 series routers. Note: An interface cannot be designated as both an inside and an outside interface.
  • Page 248: Add Or Edit Easy Vpn Remote: Authentication Information

    If user authentication does not appear, it must be set from the router command-line interface. Choose one of these ways to enter the XAuth username and password: From a PC.
  • Page 249: Enter Ssh Credentials

    If the router uses Secure Shell (SSH), you must enter the SSH login and password the first time you establish the connection. Use this window to enter SSH or Telnet login information. The web browser option appears only if supported by the Cisco IOS image on your router.
  • Page 250: Xauth Login Window

    Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol. Name: Enter a name for the Easy VPN remote configuration.
  • Page 251: Network Extension Options

    To allow subnets not directly connected to your router to use the tunnel, click the Options button and configure the network extension options. Enable remote management and troubleshooting of your router.
  • Page 252: Add Or Edit Easy Vpn Remote: Authentication Information

    The group name must match the group name defined on the VPN concentrator or server. The subnets you enter must not be directly connected to the router.
  • Page 253 Enter the username and password provided by the Easy VPN server administrator, and then reenter the password to confirm its accuracy. Note: The web browser option appears only if supported by the Cisco IOS image on your router.
  • Page 254: Add Or Edit Easy Vpn Remote: Interfaces And Connections

    Up to three inside interfaces are supported on Cisco 800 and Cisco 1700 series routers. You can remove interfaces from an Easy VPN configuration in the Edit Easy VPN Remote window.
  • Page 255 image on your router. How Do I... This section contains procedures for tasks that the wizard does not help you complete.
  • Page 256: How Do I Edit An Existing Easy Vpn Connection

    Step 4 interface. Step 5 In the appropriate wizard window, set the new interface as a backup for an Easy VPN Remote connection.
  • Page 257 Step 5 Click the Backup tab and configure the backup for an Easy VPN Remote connection. Step 6 When you have finished configuring the backup, click OK.
  • Page 258 How Do I...
  • Page 259: Easy Vpn Server

    Configuring user authentication. Configuring group policies on the local database, if needed. Configuring an IPSec transform set.
  • Page 260: Welcome To The Easy Vpn Server Wizard

    Add Group Policy general setup window. If you choose digital certificates, the preshared keys field does not appear in the Add Group Policy general setup window.
  • Page 261: Group Authorization: Group Policy Lookup

    When you define method lists for both a RADIUS and local database, the router first looks at the RADIUS server and then the local database for group authentication. Do this: Choose RADIUS and Local Only. Then click Next.
  • Page 262: User Authentication (Xauth)

    The chosen method list is used for extended authentication. Do this: Choose Local only. Then click Next. Choose an existing AAA method list. Then click Next.
  • Page 263: User Accounts For Xauth

    This window lets you add a new RADIUS server or edit or ping an already existing RADIUS server. Add: Add a new RADIUS server. Edit: Edit an already existing RADIUS server configuration.
  • Page 264: Group Authorization: User Group Policies

    This domain name is “pushed” to the users connecting to this group. Split ACL: The access control list (ACL) that represents protected subnets for split tunneling purposes.
  • Page 265: General Group Information

    Create a New Pool: Enter the range of IP addresses for the local IP address pool in the IP Address Range field.
  • Page 266: Dns And Wins Configuration

    Enter the key in the Preshared Key field. Enter the IP address range in the Create a new pool field under the Pool Information area. Choose the IP address range from the Select From An Existing Pool field under the Pool Information area.
  • Page 267: Split Tunneling

    You can also specify which groups of ACLs represent protected subnets for split tunneling. Enable Split Tunneling: This box allows you to add protected subnets and ACLs for split tunneling. Do this: Check the DNS option. Then enter the primary and secondary DNS server IP addresses in the fields provided.
  • Page 268 Choose the Split Tunneling ACL, and choose the ACL from the available options. Check the Enable Split Tunneling option and enter the domain names in the field provided. You must also set up subnets or choose an ACL.
  • Page 269: Client Settings

    Enter the URL of the configuration file in the URL field. Enter the version number of the file in the Version field. The version number must be in the range 1 to 32767.
  • Page 270 Perfect Forward Secrecy (PFS): Enable PFS if it is required by the IPSec security association you are using.
  • Page 271: Choose Browser Proxy Settings

    Delete. Add or Edit Browser Proxy Settings: This window allows you to add or edit browser proxy settings. Do this: Click Add in the Backup Servers area. Then add the backup server IP address or host name in the window displayed.
  • Page 272 Step 4 addresses, check the Bypass proxy server for local address check box. Step 5 Click OK to save the browser proxy settings.
  • Page 273: User Authentication (Xauth)

    Save user name and password. Specify the maximum number of simultaneous connections a user can make to the Easy VPN Server. Do this: Check the Enable group-lock option. Check the Enable save password option. Enter the number in the Maximum Logins Allowed Per User field.
  • Page 274: Client Update

    Click to configure a new client update entry. Edit Button: Click to edit the specified client update entry. Delete Button: Click to delete the specified client update entry.
  • Page 275: Add Or Edit Client Update Entry

    To save this configuration to the router running configuration and leave this wizard, click Finish. Changes will take effect immediately.
  • Page 276: Browser Proxy Settings

    Displays the proxy server IP address and port number used. Bypass Local Addresses: If set, prevents clients from using the proxy server for local (LAN) addresses.
  • Page 277: Add Or Edit Easy Vpn Server

    Click Edit to edit an existing Easy VPN Server configuration. Delete: Click Delete to delete a specified configuration. Name Column: The name of the IPSec policy associated with this connection.
  • Page 278 There is more than one Easy VPN Server connection using the local database for user authentication. There is at least one local group policy configured.
  • Page 279: Add Or Edit Easy Vpn Server Connection

    Check Initiate if you want the router to initiate connections with Easy VPN Remote clients. Check Respond if you want the router to wait for requests from Easy VPN Remote clients before establishing connections.
  • Page 280: Restrict Access

    Check the target group’s check box and uncheck those of all other groups. Deny the target group access in all other Easy VPN Server connections by unchecking its check box in the Restrict Access window belonging to each of those connections.
  • Page 281 ACL Column: If split tunneling is specified for this group, this column may contain the name of an ACL that defines which traffic is to be encrypted.
  • Page 282 Group Lock: Clients are restricted to the group. Save Password: XAuth credentials can be saved on the client. Maximum Logins
  • Page 283: Local Pools

    Note: If a local pool is configured with the group option using the CLI, the name of the group is displayed in the group name column. You cannot configure local pools with the group option using SDM.
  • Page 284: Add Or Edit Ip Local Pool

    This window lets you add an IP address range to an existing pool. Start IP Address: Enter the lowest IP address in the range. End IP Address: Enter the highest IP address in the range.
  • Page 285: Dmvpn

    12.2(13)T. SDM supports the configuration of a single DMVPN on a router. In this screen, identify your router as a hub or as a spoke in the DMVPN network.
  • Page 286: Dynamic Multipoint Vpn (Dmvpn) Hub Wizard

    OSPF) that should be used.
  • Page 287: Configure Pre-Shared Key

    Enter the pre-shared key used in the DMVPN network. Spaces must not be used in the pre-shared key. The pre-shared key can contain a maximum of 128 characters. DMVPN networks can be configured with a single hub, or with a primary and a
  • Page 288: Hub Gre Tunnel Interface Configuration

    10.10.6.0 could be 255.255.255.0. For more information, see IP Addresses and Subnet Masks.
  • Page 289: Advanced Configuration For The Tunnel Interface

    SDM Default: 100000. NHRP Hold Time: Enter the number of seconds that NHRP network IDs should be advertised as valid. SDM Default: 360.
  • Page 290: Primary Hub

    Enter the IP address of the interface on the primary hub that is used for this tunnel. This should be a static IP address. Obtain this information from the hub administrator.
  • Page 291: Select Routing Protocol

    For more information on OSPF parameters, see. Please select the version of RIP to enable: Specify RIP version 1 or version 2. Add or Edit an RIP Route.
  • Page 292 Each router in a particular OSPF area maintains a topological database for that area. Add—Click to add a network, or a group of networks, to advertise.
  • Page 293: Dynamic Multipoint Vpn (Dmvpn) Spoke Wizard

    GRE over IPSec connection to the DMVPN hub, and will send traffic destined for other spokes through the hub. When you select this option, the graphic displays links from the spokes to the hub.
  • Page 294: Specify Hub Information

    mGRE tunnel interface on the hub.
  • Page 295: Sdm Warning: Dmvpn Dependency

    DMVPN. SDM informs you of the conflict and gives you the option of allowing SDM to modify the configuration so that the conflict is removed.
  • Page 296: Edit Dynamic Multipoint Vpn (Dmvpn)

    The physical interface from which this tunnel originates.
  • Page 297 Click to add a new DMVPN tunnel configuration. Edit: Click to edit a selected DMVPN tunnel configuration. Delete: Click to delete a DMVPN tunnel configuration.
  • Page 298: General Panel

    Enter the largest amount of data, in bytes, that should be allowed in a packet traveling through the tunnel.
  • Page 299: Nhrp Panel

    Enter the string that NHRP stations use to authenticate themselves for NHRP transactions. The string can be up to 8 characters long. All NHRP stations in the DMVPN must be configured with the same authentication string.
  • Page 300: Nhrp Map Configuration

    In this part of the window you are providing the address information that the spoke or backup hub needs to contact the primary hub.
  • Page 301: Routing Panel

    RIP—Routing Information Protocol. OSPF—Open Shortest Path First. EIGRP—Extended Interior Gateway Routing Protocol.
  • Page 302 Check this box to have EIGRP use the original IP next hop when advertising routes to the DMVPN spoke routers.
  • Page 303: How Do I Configure A Dmvpn Manually

    In the DMVPN Tunnel Configuration window, complete the General, NHRP, and Routing tabs to create a DMVPN tunnel. Consult the online help for more information about a particular field.
  • Page 304 Step 2 In the Routing window, select the routing protocol that you specified in the DMVPN configuration, and click Edit. Step 3 Add the network numbers that you want to advertise.
  • Page 305: Vpn Global Settings

    The Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with those tunnel attributes. Aggressive mode exchanges the peer identity and the pre-shared-key hash before encryption begins, so it is weaker than main mode; enable it only where the peer requires it.
  • Page 306 IPSec Security Association (SA) Lifetime (Sec): The amount of time after which IPSec security associations (SAs) will expire and be regenerated. The default is 3600 seconds (1 hour).
  • Page 307: Vpn Global Settings: Ike

    Dead Peer Detection (DPD) lets the router detect that a peer is no longer responding and clear the IPSec and IKE security associations with that peer. The Enable Dead Peer Detection checkbox is disabled when the Cisco IOS image that the router is using does not support DPD.
  • Page 308: Vpn Global Settings: Ipsec

    If you do not specify a value, the router will authenticate and generate a new key after the current key has encrypted 4,608,000 kilobytes (the default IPSec SA traffic-volume lifetime).
  • Page 309: Vpn Key Encryption Settings

    Reenter the master key in this field for confirmation. If the values in this field and in the New Master Key field do not match, SDM prompts you to reenter the key.
  • Page 311: Ip Security

    To learn about the relationship between IPSec policies, crypto maps, and VPN connections, see More About VPN Connections and IPSec. Icon: If this icon appears next to the IPSec policy, it is read-only, and it cannot be edited. An IPSec policy may be read-only if it contains commands that SDM does not support.
  • Page 312 Multiple peers are separated by commas. Transform Set: This column lists the transform sets used in the crypto map; these transform sets will be used to establish the IPSec security associations for the connection.
  • Page 313: Add Or Edit Ipsec Policy

    The name of this IPSec policy. This name can be any set of alphanumeric characters. It may be helpful to include the peer names in the policy name, or to include other information that will be meaningful to you.
  • Page 314 If you need multiple transform sets in the crypto map, do not use the wizard. Select the crypto map, click Edit, and edit the crypto map in the Edit Crypto Map panels.
  • Page 315: Add Or Edit Crypto Map: General Panel

    When security keys are derived from previously generated keys, there is a security problem, because if one key is compromised, then the others can be compromised also. Perfect Forward Secrecy (PFS) guarantees that each new key is derived independently of earlier keys, through a fresh Diffie-Hellman exchange, so compromise of one key does not expose the others.
  • Page 316: Add Or Edit Crypto Map: Peer Information Panel

    To add a peer: Click Add, and enter the IP address or host name of the peer. To remove a peer: Select the peer, and click Remove.
  • Page 317 To add a transform set to the Selected Transform Sets box: Select a transform set in the Available Transform Sets box, and click the right-arrow button. To remove a transform set from the Selected Transform Sets box: Select the transform set you want to remove, and click the left-arrow button.
  • Page 318: Add Or Edit Crypto Map: Ipsec Rules Panel

    To change the order in which transform sets are offered: Select a transform set, and click the up button or the down button. To add a transform set: Click Add, and configure the transform set in the Add Transform Set window. To edit a transform set: Click Edit, and configure the transform set in the Edit Transform Set window.
  • Page 319: Dynamic Crypto Map Sets

    This area lists the crypto maps used in this set. Use the Add, Edit, and Delete buttons to add, remove, or modify crypto maps in this list.
  • Page 320: Associate Crypto Map With This Ipsec Policy

    Name: The name of the IPSec profile. Transform Set: The transform sets used in this profile. Description: A description of the IPSec profile. Add: Click to add a new IPSec profile.
  • Page 321: Add Or Edit Ipsec Profile And Add Dynamic Crypto Map

    A transform set is a particular combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
  • Page 322 ESP encryption types: Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), and SEAL. SEAL encryption uses a 160-bit encryption key and has a lower impact on the CPU when compared to other software-based algorithms. DES is considered broken and 3DES is deprecated; choose AES unless a peer cannot support it.
  • Page 323 Transport: Only the data is encrypted. This mode is used when the encryption endpoints and the communication endpoints are the same. Type: Either User Defined or SDM Default.
  • Page 324: Add Or Edit Transform Set

    To edit a transform set: Select it, click Edit, and edit it in the Edit Transform Set window. Note: SDM Default transform sets are read-only and cannot be edited. To delete a transform set: Select the transform set, and click Delete. Note: SDM Default transform sets are read-only and cannot be deleted. See Allowable Transform Combinations.
  • Page 325 Encryption types: Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). SEAL encryption uses a 160-bit encryption key and has a lower impact on the CPU when compared to other software-based algorithms.
  • Page 326 IP Compression (COMP-LZS): Check this box if you want to use data compression. Tunnel: With AH or ESP in tunnel mode, a new IP header is attached, and the entire original datagram can be protected.
  • Page 327: Ipsec Rules

    Action: Either Permit or Deny. Permit means that packets matching the criteria in this rule are protected by encryption. Deny means that matching packets are sent unencrypted, not dropped. For more information see Meanings of the Permit and Deny Keywords.
  • Page 328 To delete a rule: Select the rule in the rule list, and click Delete. To delete an entry in a rule: Select the rule in the rule list, click Edit, and then delete the entry in the rule window displayed. To apply a rule to an interface: Apply the rule in the interface configuration window.
  • Page 329: Internet Key Exchange (Ike)

    To learn more about IKE: Click More About IKE. To enable IKE: Click Global Settings, and then click Edit to enable IKE and make other global settings for IKE. You must enable IKE for VPN connections to use IKE negotiations.
  • Page 330: Ike Policies

    Encryption: The type of encryption that should be used to protect communication under this IKE policy. To work with IKE policies: Click the IKE Policy node on the VPN tree. To work with pre-shared keys: Click the Pre-Shared Key node on the VPN tree.
  • Page 331 IKE negotiation succeeds only if the router has an IKE policy that the peer can accept. To add an IKE policy: Click Add, and configure a new IKE policy in the Add IKE Policy window. This page also lets you edit an existing IKE policy and remove an IKE policy from the router’s configuration. See More About IKE Policies.
  • Page 332: Add Or Edit Ike Policy

    • AES-128—Advanced Encryption Standard (AES) encryption with a 128-bit key. AES provides greater security than DES and is computationally more efficient than triple DES.
  • Page 333 Note: If your router does not support group 5, it will not appear in the list. Note: Easy VPN servers do not support D-H Group 1. D-H Group 1 uses a 768-bit modulus and should be avoided in any case; prefer group 2 or, where supported, group 5.
  • Page 334: Ike Pre-Shared Keys

    If a pre-shared key is read-only, the read-only icon appears in this column. A pre-shared key will be marked as read-only if it is configured with the no-xauth CLI option. Network Mask: specifies how much of the peer IP address is used when matching a peer to this key.
  • Page 335: Add Or Edit Pre Shared Key

    This field appears if you selected “Hostname” in the Peer field. Enter the peer’s host name. There must be a DNS server on the network capable of resolving the host name to an IP address. To add a pre-shared key: Click Add, and add the pre-shared key in the Add a New Pre-Shared Key window.
  • Page 336 Check this box if site-to-site VPN peers use XAuth to authenticate themselves. If XAuth authentication is enabled in VPN Global Settings, it is enabled for site-to-site peers as well as for Easy VPN connections. See IP Addresses and Subnet Masks.
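The following site-to-site configuration is added here as a worked example and is not taken from the SDM guide. It ties together the windows described in the VPN Global Settings, IP Security, and Internet Key Exchange chapters above: an IKE policy, a pre-shared key with a network mask, the DPD and SA lifetime settings, a transform set, an IPSec rule (crypto ACL) with both permit and deny entries, and a crypto map with PFS applied to an interface. Peer addresses, subnets, interface and object names and the pre-shared key are assumed values.

```cisco
! Added example (not from the SDM guide). Addresses, names and the
! pre-shared key are assumed values.
!
! Add or Edit IKE Policy: AES-128, SHA, pre-shared keys, D-H group 2
crypto isakmp policy 10
 encr aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Add or Edit Pre-Shared Key: the mask says how much of the peer
! address must match (255.255.255.255 = this one peer only; a
! 0.0.0.0 0.0.0.0 wildcard would accept any peer that knows the key)
crypto isakmp key s2s-example-PSK address 198.51.100.2 255.255.255.255
!
! VPN Global Settings: Dead Peer Detection (10 s interval, 3 s retry)
! and the IPSec SA lifetimes (time and traffic volume)
crypto isakmp keepalive 10 3
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Add or Edit Transform Set: ESP with AES and SHA-HMAC, tunnel mode
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! IPSec Rules: permit = protect with IPSec, deny = send unencrypted.
! The deny entry exempts one host from the tunnel; it is NOT dropped.
ip access-list extended VPN-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.254
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Add or Edit Crypto Map: peer, transform set, PFS and the IPSec rule.
! "set pfs" forces a fresh Diffie-Hellman exchange for every IPSec SA.
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES-SHA
 set pfs group2
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! Associate the crypto map (IPSec policy) with the WAN interface
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map S2S-MAP
```

The remote peer needs a mirror image: the same IKE policy and transform set, the same key bound to 198.51.100.1, and an IPSec rule with source and destination swapped. The `deny` line illustrates the point made on the IPSec Rules page: traffic to 192.168.2.254 still leaves the interface, in the clear, so crypto ACL deny entries must never be mistaken for a firewall rule.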
  • Page 337: Vpn Troubleshooting

    VPN Troubleshooting tests site-to-site VPN, GRE over IPsec, or Easy VPN client connections. Tunnel Details: This box provides the VPN tunnel details. Interface: Interface on which the VPN tunnel is configured.
  • Page 338 Possible Reason/Action: This box provides a possible action or solution to rectify the problem. Close Button: Click this button to close the window. Status icons indicate one of the following: the connection is up; the connection is down; the test is successful; the test failed.
  • Page 339: Vpn Troubleshooting: Specify Easy Vpn Client

    Enter the IP address of the Easy VPN client you want to debug. Listen for request for X minutes: Enter the time duration for which the Easy VPN server has to listen for requests from the Easy VPN client. To begin: Click the Start button.
  • Page 340: Vpn Troubleshooting: Generate Traffic

    Traffic: This column lists the type of traffic on the interface. Logging: This column indicates whether logging is enabled for this traffic. Attributes: Any additional attributes defined.
  • Page 341: Vpn Troubleshooting: Generate Gre Traffic

    Close: Click this button to close the window. This screen appears if you are generating GRE over IPSec traffic.
  • Page 342: Sdm Warning: Sdm Will Enable Router Debugs

    This message is displayed because this process can take several minutes and may affect router performance.
  • Page 343: Security Audit

    To have SDM perform a security audit and then fix the problems it has found: Step 1: In the left frame, select Security Audit. Step 2: Click Perform Security Audit. See also SDM and AutoSecure.
  • Page 344: Welcome

    Step 10: The Summary page of the wizard shows a list of all the configuration changes that Security Audit will make. Click Finish to deliver those changes to your router.
  • Page 345 The remaining items on the Security Audit list:
    • Set Banner
    • Enable Logging
    • Set Enable Secret Password
    • Disable SNMP
    • Set Scheduler Interval
    • Set Scheduler Allocate
    • Set Users
    • Enable Telnet Settings
  • Page 346: Interface Selection

    Outside interfaces are the interfaces that connect to the Internet. By identifying which interfaces are outside interfaces, Security Audit knows on which interfaces to configure firewall security features. Interface Column: This column lists each of the router interfaces.
  • Page 347: Report Card

    Click Next> to continue the Security Audit Wizard. The Security Audit will correct the problems that you choose to fix on the Fix It page.
  • Page 348: Disable Finger Service

    Finger is used to find out which users are logged in to a network device. Security Audit disables the finger service whenever possible, because it can be the target of a denial-of-service (DoS) attack called “Finger of death,” which involves sending a finger request to a specific computer every minute, but never disconnecting.
  • Page 349: Disable Pad Service

    Since these services are rarely used, the best policy is usually to disable them on all routers of any description. See Undoing Security Audit Fixes.
  • Page 350: Disable Udp Small Servers Service

    A Cisco router can act as a BOOTP server for other routers, which can obtain their Cisco IOS software from it. As a result, BOOTP can potentially be used by an attacker to download a copy of a router’s Cisco IOS software. See Undoing Security Audit Fixes.
  • Page 351: Disable Ip Identification Service

    The configuration that will be delivered to the router to disable CDP is as follows: no cdp run. This fix can be undone on the Fix It page; see Undoing Security Audit Fixes.
  • Page 352: Disable Ip Source Route

    This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Page 353: Enable Tcp Keepalives For Inbound Telnet Sessions

    The configuration that will be delivered to the router to enable time stamps and sequence numbers is as follows: service timestamps debug datetime localtime show-timezone msec; service timestamps log datetime localtime show-timezone msec. This fix can be undone on the Fix It page; see Undoing Security Audit Fixes.
  • Page 354: Enable Ip Cef

    Longer passwords have exponentially more possible combinations of characters, making this method of attack much more difficult. See Undoing Security Audit Fixes.
  • Page 355: Set Authentication Failure Rate To Less Than 3 Retries

    Because the buffer for incomplete connections is usually smaller than the buffer for completed connections, a flood of half-open TCP connections can fill it and block legitimate connection attempts. See the Fix It page.
  • Page 356: Set Banner

    The configuration that will be delivered to the router to enable and configure logging is as follows, replacing <log buffer size> and <logging server ip address> with the appropriate values that you enter into Security Audit:
  • Page 357: Set Enable Secret Password

    Because SNMP can be used to retrieve a copy of the network routing table, as well as other sensitive network information, Cisco recommends disabling SNMP if your network does not require it. Security Audit will initially request to disable SNMP. If SNMP is required, prefer SNMPv3 with authentication and privacy over community-string based SNMPv1 or SNMPv2c, whose community strings travel in the clear. See the Fix It page.
  • Page 358: Set Scheduler Interval

    The configuration that will be delivered to the router to set the scheduler allocate percentage is as follows: scheduler allocate 4000 1000.
  • Page 359: Set Users

    Security Audit enables NetFlow switching whenever possible. NetFlow switching is a Cisco IOS feature that enhances routing performance while using Access Control Lists (ACLs) and other features that create and enhance network security.
  • Page 360: Disable Ip Redirects

    Because it breaks the LAN security barrier, proxy ARP should be used only between two LANs with an equal security level, and only when necessary. See Undoing Security Audit Fixes.
  • Page 361: Disable Ip Directed Broadcast

    The configuration that will be delivered to the router to disable IP directed broadcasts is as follows: no ip directed-broadcast. This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Page 362: Disable Mop Service

    ICMP mask reply messages are sent when a network device must know the subnet mask for a particular subnetwork. See Undoing Security Audit Fixes.
  • Page 363: Disable Ip Unreachables On Null Interface

    The configuration that will be delivered to the router to disable IP unreachables on the null interface is as follows: int null 0; no ip unreachables. This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Page 364: Enable Unicast Rpf On Outside Interfaces

    The HTTP server on the router listens on port 80 for HTTP, or on port 443 for HTTPS (Secure Sockets Layer, SSL).
  • Page 365: Set Access Class On Http Server Service

    Security Audit protects the HTTP and HTTPS service on the router with an access class, and applies an access class to the vty lines, whenever possible. The configuration delivered is: access-list <std-acl-num> permit <inside-network>; access-list <std-acl-num> deny any. In addition, the following configuration will be applied to each vty line:
  • Page 366: Enable Ssh For Access To The Router

    Security Audit enables SSH and AAA for access to the router whenever possible. SDM will perform the following precautionary tasks while enabling AAA to prevent loss of access to the router:
  • Page 367: Configuration Summary Screen

    • Disable TCP Small Servers Service
    • Disable IP BOOTP Server Service
    • Disable IP Identification Service
    • Disable CDP
    • Disable IP Source Route
    • Disable IP Redirects
  • Page 368 Disabling NTP—Based on input, AutoSecure will disable the Network Time Protocol (NTP) if it is not necessary. Otherwise, NTP will be configured with MD5 authentication. SDM does not support disabling NTP.
  • Page 369: Security Configurations Sdm Can Undo

    Security Audit fixes that SDM can undo, with the equivalent CLI:
    • Disable Finger Service: no service finger
    • Disable TCP Small Servers Service: no service tcp-small-servers
    • Disable IP BOOTP Server Service: no ip bootp server
    • Disable IP Identification Service: no ip identd
    • Disable CDP: no cdp run
    • Disable IP Source Route: no ip source-route
    Differences from AutoSecure: Disabling SNMP—SDM will disable SNMP, but unlike AutoSecure, it does not... Enabling SSH for Access to the Router—SDM will enable and configure SSH.
  • Page 370: Undoing Security Audit Fixes

    • Disable MOP Service: no mop enabled (on each interface)
    • Disable IP Unreachables: int <all-interfaces>; no ip unreachables
    • Disable IP Mask Reply: no ip mask-reply
    • Disable IP Unreachables on Null Interface: int null 0; no ip unreachables
    • Enable Password Encryption Service: service password-encryption
    • Enable TCP Keepalives for Inbound Telnet Sessions: service tcp-keepalives-in
    • Enable TCP Keepalives for Outbound Telnet Sessions: service tcp-keepalives-out
    • Disable Gratuitous ARP: no ip gratuitous-arps
  • Page 371: Configure User Accounts For Telnet/Ssh

    Click a user account in the table to select it, and click this button to display the Edit a User Account screen, letting you edit the username and password of the selected account.
  • Page 372: Enable Secret And Banner

    Re-enter New Password: Re-enter the new enable secret in this field for verification. Login Banner: Enter the text banner that you want configured on your router.
  • Page 373: Logging

    A log message severity level is shown as a number from 0 through 7, with lower numbers indicating more severe events. The descriptions of each of the severity levels are as follows:
    • 0 - emergencies: System unusable
    • 1 - alerts: Immediate action needed
    • 2 - critical: Critical conditions
    • 3 - errors: Error conditions
    • 4 - warnings: Warning conditions
    • 5 - notifications: Normal but significant condition
    • 6 - informational: Informational messages only
    • 7 - debugging: Debugging messages
  • Page 375: Routing

    Optional: This area shows whether a distance metric has been entered, and whether or not the route has been designated as a permanent route.
  • Page 376 If no dynamic routes have been configured, this column contains the text RIP, OSPF, and EIGRP. When one or more routes have been configured, this column contains the parameter names for the type of routing configured.
  • Page 377: Add Or Edit Ip Static Route

    Use this window to add or edit a static route. Destination Network: Enter the destination network address information in these fields. To add or edit a RIP route: Select the RIP tab and click Edit. Then, configure the route in the RIP Dynamic Route window.
  • Page 378 Check this box to make this static route entry a permanent route. Permanent routes are not deleted even if the interface is shut down or the router is unable to communicate with the next router. See Available Interface Configurations.
  • Page 379: Add Or Edit An Rip Route

    This field is editable when OSPF is first enabled; it is disabled once OSPF routing has been enabled. The process ID identifies the OSPF routing process on this router; it is locally significant and does not have to match the process ID on neighboring routers.
  • Page 380 Add: Click Add to provide an IP address, network mask, and area number in the IP Address window. Edit: Click Edit to edit the IP address, network mask, or area number in the IP Address window. See Available Interface Configurations.
  • Page 381: Add Or Edit Eigrp Route

    Add: Click Add to add a destination network IP address to the Network list. Delete: Select an IP address, and click Delete to remove an IP address from the Network list.
  • Page 383: Network Address Translation

    Use Advanced NAT if you have servers on the LAN that must accept connections from outside hosts (hosts on the Internet). Look at the example diagram that appears to the right when you choose Advanced NAT.
  • Page 384: Basic Nat Wizard: Welcome

    Any comments entered about the network • Cisco Router and Security Device Manager Version 2.2 User’s Guide 18-2 If you do not want your servers to accept connections from the Internet, you can use the Basic NAT wizard. Chapter 18 Network Address Translation OL-4015-08...
  • Page 385: Advanced Nat Wizard: Welcome

    The Advanced NAT welcome window shows how the wizard will guide you through configuring NAT for connecting your LANs and servers to the Internet.
  • Page 386: Advanced Nat Wizard: Connection

    The list shows the following information for each network:
    • The IP address range allocated to the network
    • The network’s LAN interface
  • Page 387: Add Network

    The list shows the private IP addresses and ports (if used) and the public IP addresses and ports (if used) to which they are translated. See IP Addresses and Subnet Masks.
  • Page 388: Add Or Edit Address Translation Rule

    Click the Show or Hide Advanced button to show or hide advanced options that let you specify more information about the server.
  • Page 389 This field appears only if you choose to show advanced options with the Show or Hide Advanced button and you choose Other for server type.
  • Page 390: Advanced Nat Wizard: Vpn Conflict

    Outside interfaces connect to an external network or to the Internet. The designated Inside and Outside interfaces are listed above the NAT rule list. To learn more about NAT rules, view More About NAT.
  • Page 391 Original Address: This is the private address or set of addresses that is used on the LAN. Translated Address: This is the legal address or range of addresses that is used on the Internet or the external network.
  • Page 392 Designate inside and outside interfaces in the NAT Interface Setting window. Interfaces can also be designated as inside or outside interfaces in the Interfaces and Connections window. To configure address pools: Click Address Pools, and configure address pool information in the dialog box.
  • Page 393: Translation Timeout Settings

    To set translation timeouts: Click Translation Timeouts, and make settings in the Translation Timeouts window. To add a NAT rule: Click Add, and create the NAT rule in the Add Address Translation Rule window. This page also describes how to perform related configuration tasks.
  • Page 394: Designate Nat Interfaces

    Set the timeout values for various translations in this window. See Add or Edit Address Translation Rule and Reasons that SDM Cannot Edit a NAT Rule.
  • Page 395 TCP Timeout: The number of seconds that translations for Transmission Control Protocol (TCP) flows should live. The default is 86400 seconds (24 hours). Reset Button: Clicking this button resets translation and timeout parameters to their default values.
  • Page 396: Edit Route Map Entry

    The access lists that specify the traffic to which this route map applies. To edit a route map entry: Select the entry, click Edit, and edit the entry in the Edit Route Map Entry window.
  • Page 397: Address Pools

    Pool Name: This field contains the name of the address pool. Use this name to refer to the pool when configuring a dynamic NAT rule.
  • Page 398: Add Or Edit Address Pool

    Clone selected entry on Add, and click Add. Select the pool entry, click Edit, and edit the pool configuration in the Edit Address Pool window. Select the pool entry, click Delete, and confirm deletion in the Warning box displayed. Network Address Translation OL-4015-08...
  • Page 399: Add Or Edit Static Address Translation Rule: Inside To Outside

    Otherwise, translated traffic would no longer match the IPSec policy, and the traffic would be sent unencrypted. You can view route maps created by SDM or created using the CLI by clicking the View Route Maps button in the NAT window. See Available Interface Configurations.
  • Page 401 If you are creating a one-to-one mapping between a single inside local address and a single inside global address, enter the inside global address in this field.
  • Page 402: Add Or Edit Static Address Translation Rule: Outside To Inside

    If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.
  • Page 403 Designate NAT interfaces in the NAT window, and designate the router interfaces as inside or outside. Then return to this window and configure the NAT rule.
  • Page 405: Add Or Edit Dynamic Address Translation Rule: Inside To Outside

    If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.
  • Page 406 Designate NAT interfaces in the NAT window, and designate the router interfaces as inside or outside. Then return to this window and configure the NAT rule.
  • Page 407 Configuration Scenarios: Click Dynamic Address Translation Scenarios for examples that illustrate how the fields in this window are used.
  • Page 408: Add Or Edit Dynamic Address Translation Rule: Outside To Inside

    An outside-to-inside rule translates the addresses of hosts on the outside network into addresses used on the LAN the router serves. This help topic describes how the remaining fields are used when From outside to inside is chosen.
  • Page 409 It also provides fields for you to specify the translated address. Inside Interface(s): If you choose From outside to inside, this area contains the designated inside interfaces.
  • Page 410: How Do I Configure Nat With One Lan And Multiple Wans

    Add or Edit Static Address Translation Rule: Inside to Outside • Cisco Router and Security Device Manager Version 2.2 User’s Guide 18-28 Chapter 18 Network Address Translation for examples that illustrate how the OL-4015-08...
  • Page 411 Each time you add a new address translation rule using these directions, choose the same LAN interface and a new WAN interface. Repeat this procedure for all WAN interfaces that you want to configure with address translation rules. Cisco Router and Security Device Manager Version 2.2 User’s Guide 18-29 OL-4015-08...
  • Page 412 Chapter 18 Network Address Translation How Do I . . . Cisco Router and Security Device Manager Version 2.2 User’s Guide 18-30 OL-4015-08...
  • Page 413: Intrusion Prevention System

    IPS on an interface and view information about how IPS is applied. If you enable IPS on an interface you can optionally specify which traffic to examine for intrusion.
  • Page 414: Create Ips Rule

    • The access rule to use to select the type of traffic to examine. Global Settings window, where you make settings that affect... Signatures window, where you can manage signatures on the... SDEE Messages...
  • Page 415: Welcome To The Ips Rule Configuration Wizard

    You can specify multiple SDF locations so that if the router is not able to contact the first location, it can attempt to contact other locations until it obtains an SDF.
  • Page 416: Ips Rule Wizard Summary

    Use this list to filter the interfaces shown in the interface list area. Select between the following: • All interfaces—All interfaces on the router. • IPS interfaces—Interfaces on which IPS has been enabled.
  • Page 417: Enable Or Edit Ips On An Interface

    • Negotiated—The interface receives an IP address via negotiation with the remote device.
  • Page 418 Click to view the entries of the filter applied to inbound or outbound traffic. Field Descriptions: Action—Whether the traffic is permitted or denied.
  • Page 419: Enable Or Edit Ips On An Interface

    Configuration window when the interface with which it is associated is selected. If you need to browse for the access rule or create a new one, click the ... button.
  • Page 420: Import Signatures

    Click the Import Signatures tab to import a Signature Definition File (SDF).
  • Page 421: File Selection

    Time Modified: Click Time Modified to order the files and directories based on modification date and time. Clicking Time Modified again will reverse the order.
  • Page 422: Welcome To The Ips Signature Import Wizard

    Fewer button to remove criteria. You are able to view the signatures that match the criteria that you selected in the next screen.
  • Page 423: Signature Edit

    PC. If you save the SDF to the PC as well as to router memory, you have a backup in case there are communications problems between SDM and the router.
  • Page 424 • belong to a hardcoded engine. It is disabled if the signature uses one of the IOS hardcoded engines.
  • Page 425 Note: You can only import signatures from the router if the router has a DOS-based file system.
  • Page 426 The severity level of the event. Severity levels are informational, low, medium, and high. Engine: The engine to which the signature belongs.
  • Page 427: Assign Actions

    Click to restore selected signatures marked for deletion. When clicked the signatures are unmarked, and returned to the list of active signatures. Signature is present in router configuration and enabled. Signature is present in router configuration but not active.
  • Page 428: Assign Actions
  • Page 429 Replace: Choose this option to replace the signatures already configured on the router with the signatures that you are importing.
  • Page 430: Add, Edit, Or Clone Signature

    This is a limiter for firing the alarm only after X times of seeing the signature on the address key. • SigComment—The comment of the signature.
  • Page 431: Add Or Edit A Signature Location

    The following URL is provided as an example of the format. It is not a valid URL to a signature file: https://172.16.122.204/mysigs/vsensor.sdf
  • Page 432: Cisco Intrusion Prevention Alert Center

    To use an SDF in router memory, determine which SDF has been installed, and then configure IPS to use it. The procedures that follow show you how to do this.
  • Page 433: Global Settings

    Step 3: In the dialog box displayed, click Specify SDF on flash, and enter the name of the SDF file. Step 4: Click OK to close the dialog box. Global Settings: Edit Button—Click to edit any of the global settings seen in this window.
  • Page 434 SDF. Add Button: Click to add a URL to the list. Edit Button: Click to edit a selected location.
  • Page 435: Edit Global Settings

    If IPS does not find or fails to load signatures from the specified location(s), it can use the IOS built-in signatures to enable IPS. This option is enabled by default.
  • Page 436: Sdee Messages

    Time: The time the message is received.
  • Page 437: Sdee Message Text

    Explanation: Triggers when an SDF file is loaded successfully from a given location. BUILTIN_SIGS: %s to load builtin signatures. Explanation: Triggers when the router resorts to loading the builtin signatures.
  • Page 438 Explanation: IDS has been disabled. The message should indicate the cause. SYSERROR: Unexpected error (%s) at line %d func %s() file %s. Explanation: Triggers when an unexpected internal system error occurs.
  • Page 439: Network Module Management

    SDM enables you to issue a number of basic commands to the IDS Network Module from this window. Reload: Click to reload the IDS network module operating system.
  • Page 440 • Software Version–The version of IDM software running on the module. • Model–The model number of the network module. • Memory–The amount of memory available on the network module.
  • Page 441: Ids Sensor Interface Ip Address

    The IP address you enter will only be seen by the router. Therefore, it can be any address you want to use. A check mark icon next to the interface name indicates that the IDS network module is monitoring the traffic on that interface.
  • Page 442: Ip Address Determination

    IP address, and you are not sure that the last address SDM used to contact the network module is still correct.
  • Page 443: Ids Nm Configuration Checklist

    IDS network module. This IP address can be a private address; no hosts other than the router it is installed in will be able to reach the address.
  • Page 444 After you have fixed configuration settings, you can click this button to refresh the checklist. If an X icon remains in the Action column, a configuration setting has still not been made.
  • Page 445: Ids Nm Interface Monitoring Configuration

    This window appears when you try to configure a feature that the Cisco IOS image on your router does not support. If you want to use this feature, obtain a Cisco IOS image from Cisco.com that supports it.
  • Page 446: Switch Module Interface Selection

    Click the radio button next to the switch module that you want to manage, and then click...
  • Page 447: Quality Of Service

    Launch QoS Wizard Button: Click to launch the QoS wizard. The QoS wizard allows you to configure QoS policies on your WAN interfaces.
  • Page 448: Qos Policy Generation

    Routing protocols included in this category are egp, bgp, eigrp, and rip. The remaining traffic is given Best-Effort service.
  • Page 449: View Qos Class Details

    SDM will generate a default QoS policy consisting of pre-defined QoS classes for each traffic type. See more about the contents of this window.
  • Page 450: View Qos Class Details

    Close—Click the Close button to exit the View QoS Class Details window.
  • Page 451: Edit Qos Policy

    • CLI-Created—The policy was created using the IOS CLI. Applied to Interface: This column lists the interface to which the QoS policy is applied.
  • Page 452: Edit Qos Class

    A Business-Critical traffic QoS class might have protocols such as DHCP, EIGRP, and OSPF.
  • Page 453: Edit Qos Class

    Protocol/Application: This area lists all the default protocols configured for the selected QoS class. You can add or delete protocols.
  • Page 454 Note: This field will not appear if you checked the Trust (rely on) DSCP-markings of the packets for traffic classification option under the Interface Selection window.
  • Page 455: Add A Protocol

    Delete: Select the port number from the Port Number(s) box and click the Delete button to remove the port number from the Port Number(s) box.
  • Page 456: Interface Association

    Status window allows you to monitor the performance of the traffic on... • Bandwidth utilization per class under each traffic type • Bandwidth utilization for protocols under each class
  • Page 457 Select the traffic direction and type of statistics you want to monitor. Direction: Click either Input or Output. • Incoming and outgoing bytes for each class defined under the traffic type • Incoming and outgoing bytes for each protocol for each class
  • Page 458 SDM displays a message instead of a bar chart if there are not adequate statistics for a particular traffic type.
  • Page 459: Network Admission Control

    After you create the NAC policy, you can edit it by clicking Edit NAC and choosing it in the policy list.
  • Page 460: Other Tasks In A Nac Implementation

    3.3 is required. Step 3: Install and configure the posture validation and remediation server.
  • Page 461: Radius Server

    You can add information for multiple RADIUS servers in one visit to this screen, so long as they are all accessed from the same router interface.
  • Page 462 Check this box if you want to use the listed RADIUS server for NAC. The server must have the required admissions control policies configured if NAC is to be able to use the server.
  • Page 463: Select The Interface(S)

    As an alternative or as a complement to the NAC exception list, this wizard allows you to configure an agentless host policy in another window.
  • Page 464: Configure Exception List Entry Dialog

    Policy field to choose an existing policy or to display a dialog box in which you can create a new policy.
  • Page 465: Policy List

    Enter the name for the policy in this field. Question mark (?) characters and space characters cannot be used in policy names, and the name is limited to 256 characters.
  • Page 466: Agentless Host Policy

    ACS server for this purpose. If the Cisco IOS image does not require this information, these fields do not appear.
  • Page 467: Nac Router Management Access

    FastEthernet0/0. DNS and DHCP services are blocked on Ethernet0/0 and NTP traffic is blocked on FastEthernet0/0. (Table columns: Interface, Service, Access rule, Action; for example Ethernet0/0, DHCP, 100 (INBOUND), [ ] Modify.)
  • Page 468: Details Window

    NACLess. (Table columns: Address/Device, Policy, Action; for example 10.10.10.1, NACLess, 101 (INBOUND), [ ] Modify.)
  • Page 469: Edit Nac Tab

    Create NAC wizard, the default NAC policy SDM_ADM_POLICY appears in this list. EAPoUDP Components: This window provides a brief description of the EAPoUDP components that SDM allows you to configure.
  • Page 470: Exception List Window

    This rule permits any host governed by the policy to send IP traffic to the IP address 172.30.2.10. (Access Rule: nac-rule; Destination: 172.30.2.10; Service: ip. Redirect URL: http://172.30.10/update)
  • Page 471: Eapoudp Timeouts

    Enter the number of seconds that the router is to ignore packets from clients that have just failed authentication. Retransmit Timeout Field: Enter the number of seconds the router is to wait before retransmitting EAPoUDP messages to clients. (Default column values shown: 180 seconds, 3 seconds, 36000 seconds, 300 seconds.)
  • Page 472: Configure A Nac Policy

    You can also click the button to the right of this field and browse for the access rule, or create a new access rule.
  • Page 473: How Do I Configure A Nac Policy Server

    How Do I Install and Configure a Posture Agent on a Host? If you are a registered Cisco.com user, you can download Cisco Trust Agent (CTA) software from the following link:
  • Page 474 The specific installation procedures required to install third-party posture agent software and the optional remediation server vary depending on the software in use. Consult the vendor documentation for complete details.
  • Page 475: Router Properties

    Domain: Enter the domain name for your organization. If you do not know the domain name, obtain it from your network administrator.
  • Page 476: Date And Time: Clock Properties

    Reenter the password exactly as you entered it in the New Password field. Date and Time: Clock Properties: Use this window to view and edit the date and time settings on the router.
  • Page 477: Date And Time Properties

    Synchronize; it does not automatically resynchronize with the PC during subsequent sessions. This button is disabled if you have not checked Synchronize with my local PC clock.
  • Page 478 Note: If your router does not support NTP commands, this branch will not appear in the Router Properties tree.
  • Page 479: Add Or Edit Ntp Server Details

    Add or edit server information in this window. IP Address: Enter or edit the IP address of an NTP server.
  • Page 480 Enter the key used by the NTP server. The key value can use any of the letters A through Z, uppercase or lowercase, and can be no longer than 32 characters. Confirm Key Value: Reenter the key value to confirm accuracy.
  • Page 481: Sntp

    Delete: Click to delete a selected NTP server configuration. Add an NTP Server: Enter the IP address of an NTP server in this window.
  • Page 482: Syslog

    SNMP: This page lets you enable SNMP, set SNMP community strings, and enter SNMP trap manager information.
  • Page 483 This is a text field that you can use to enter contact information for a person managing the SNMP server. It is not a configuration parameter that will affect the operation of the router.
  • Page 484: Router Access

    SDM features available to be monitored depend on the commands present in the view. Not all features may be available for monitoring by the user.
  • Page 485: Add Or Edit A Username

    Encrypt password using MD5 hash algorithm: Check this box if you want the password to be encrypted using the one-way Message Digest 5 (MD5) algorithm, which provides strong encryption protection.
  • Page 486: View Password

    The user is able to create Easy VPN Remote connections and edit them. User interface components in other areas are disabled for this user.
  • Page 487: Vtys

    • Outbound Access-class—The name or number of the access rule applied to the outbound direction of the line range. • ACL—If configured, shows the ACL associated with the vty connections.
  • Page 488: Edit Vty Lines

    Select the output protocols by clicking the appropriate check boxes. Telnet: Check this check box to enable Telnet access to your router.
  • Page 489: Configure Management Access Policies

    In the policy, you can specify which protocols the host or network in the policy can use, and which router interface will carry the management traffic.
  • Page 490 Click to add a management policy, and specify the policy in the Add a Management Policy window.
  • Page 491: Add Or Edit A Management Policy

    Select the interface through which you want to allow management traffic. The interface should be the most direct route from the host or network to the local router.
  • Page 492: Management Access Error Messages

    “any.” Such policies cannot be edited in the Management Access window. A policy containing the “any” keyword...
  • Page 493: Sdm Warning: Unsupported Access Control Entry

    Click No to proceed without adding a policy for the current host or network. You will lose contact with the router during command delivery, and you will have to log on to SDM using a different host or network.
  • Page 494 Click this button to generate a crypto key for the router using the modulus size you entered. If the crypto key has already been generated, this button is disabled.
  • Page 495: Dhcp Configuration

    • Import All—Whether the router imports DHCP option parameters to the DHCP server database and also sends this information to DHCP clients on the LAN when they request IP addresses.
  • Page 496: Add Or Edit Dhcp Pool

    Enter the network from which the IP addresses in the pool will be taken. For example, 192.168.233.0. This cannot be the IP address of an individual host.
  • Page 497: Dhcp Bindings

    IP address from the available DHCP pools. You can also add new bindings, edit existing bindings, or delete existing bindings. Binding Name: The name assigned to the DHCP binding.
  • Page 498: Add Or Edit Dhcp Binding

    Click to delete the specified manual DHCP binding. Add or Edit DHCP Binding: This window allows you to add or edit existing manual DHCP bindings.
  • Page 499 Enter a name to identify the client. The name should be a hostname only, not a domain-style name. For example, router is an acceptable name, but router.cisco.com is not.
  • Page 500: Dns Properties

    CLI to change the internal cache or host group options to HTTP or IETF. Add Button: Click the Add button to create a new dynamic DNS method.
  • Page 501: Add Or Edit Dynamic Dns Method

    If using HTTP, enter a username for accessing the DNS service provider. Password: If using HTTP, enter a password for accessing the DNS service provider.
  • Page 502 IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface’s IP address. If using IETF, configure a DNS server for the router in Configure > Additional Tasks > DNS.
  • Page 503: Acl Editor

    A type of rule. One of the following: Access Rules NAT Rules IPSec Rules OL-4015-08 C H A P T E R IPSec rules that specify which traffic is to be Rules that govern the traffic that can enter and leave the network.
  • Page 504: Useful Procedures For Access Rules And Firewalls

    These rules are predefined rules that are used by SDM wizards and that you can apply in the Additional Tasks>ACL Editor windows. Useful Procedures for Access Rules and Firewalls Chapter 24 ACL Editor contains step by step OL-4015-08...
  • Page 505: Rules Windows

    • • • • OL-4015-08 Access Rules window—Access rules most commonly define the traffic that you want to permit or deny entry to your LAN or exit from your LAN, but they can be used for other purposes as well.
  • Page 506 Cisco Router and Security Device Manager Version 2.2 User’s Guide 24-4 If the rule is read only, the read-only icon will appear in this column. Chapter 24 ACL Editor OL-4015-08...
  • Page 507 The keyword any. Any indicates that the source IP address can be any IP • address A host name. • OL-4015-08 Permit traffic. Deny traffic. wildcard mask. The IP address specifies a network, and the Cisco Router and Security Device Manager Version 2.2 User’s Guide...
  • Page 508 Click the Add button and create the rule in the windows displayed. Select the access rule and click Edit. Then edit the rule in the Edit rule window displayed. How Do I Associate a Rule with an Interface? Chapter 24 ACL Editor OL-4015-08...
  • Page 509 Description You can provide a description of the rule in this field. The description must be less than 100 characters long. OL-4015-08 Do this: Select the Access rule, and click Delete. SDM does not permit you to delete a rule that has been associated with an interface.
  • Page 510 Click the Associate button to apply the rule to an interface. The Associate button is enabled only if you are adding a rule from the Access Note Rules window. Cisco Router and Security Device Manager Version 2.2 User’s Guide 24-8 Chapter 24 ACL Editor OL-4015-08...
  • Page 511: Associate With An Interface

    You can use this window to associate a rule you have created from the Access Rules window with an interface and to specify whether it applies to outbound traffic or inbound traffic. OL-4015-08 Do this: Click Add, and create the entry in the window displayed. Or click Edit, and change the entry in the window displayed.
  • Page 512 Cisco Router and Security Device Manager Version 2.2 User’s Guide 24-10 Chapter 24 ACL Editor OL-4015-08...
  • Page 513: Add A Standard Rule Entry

    You can create a single rule entry in this window, but you can return to this window to create additional entries for a rule if you need to. OL-4015-08 Do this: Click No. The association between the existing rule and the interface is preserved, and the rule that you created in the Add a Rule window is saved.
  • Page 514 Cisco Router and Security Device Manager Version 2.2 User’s Guide 24-12 Meanings of the Permit and Deny Keywords to specify the parts of the network address that must be matched. Chapter 24 ACL Editor route to learn more about the OL-4015-08...
  • Page 515: Add An Extended Rule Entry

    The choices are Permit and Deny. If you are creating an entry for an IPSec rule, the choices are protect the traffic and don’t protect the traffic...
  • Page 516 route maps. Click to learn more about the action of Permit and the action of Deny wildcard mask Meanings of the Permit and IP address in this field. If the to specify the parts...
  • Page 517 Destination Port Available when either TCP or UDP is selected. Setting this field will cause the router to filter on the destination port in a packet...
  • Page 518: Select A Rule

    Select a Rule Use this window to select a rule to use. to see a table containing port names and numbers available...
  • Page 519 • The keyword any. Any indicates that the source IP address can be any IP address. • A host name. Meanings of the Permit and Deny Keywords wildcard mask. The IP address specifies a network, and the...
  • Page 520 wildcard mask. The IP address specifies a network, and the rules, the service specifies the type of traffic that packets matching...
  • Page 521: Port-To-Application Mapping

    Clicking the Edit button lets you make changes to user-defined entries. Entries with the value System Defined in the Protocol Type column cannot be edited or deleted.
  • Page 522 If you want to view the ACL that identifies the host, go to Additional Tasks > ACL Editor > Access Rules. Then click the number of the ACL that you saw in this window...
  • Page 523: Add Or Edit Port Map Entry

    Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic, you can enter multiple port...
  • Page 524 Specify the IP address of the host to which this port mapping is to apply. If you need the same mapping for another host, create a separate PAM entry for that host...
  • Page 525: Authentication, Authorization, And Accounting

    This window provides a summary view of the AAA configuration on the router. To view more detailed information or to edit the AAA configuration, click the appropriate node on the AAA tree...
  • Page 526: Aaa Servers And Groups

    Policies node in the AAA tree. AAA Servers and Groups This window provides a description of AAA servers and AAA server groups...
  • Page 527: Aaa Servers Window

    The IP address of the AAA server. Type The type of server, TACACS+ or RADIUS. Parameters This column lists the timeout, key, and other parameters for each server...
  • Page 528: Add Or Edit A Tacacs+ Server

    If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window. New Key/Confirm Key Enter the key and reenter it for confirmation...
  • Page 529: Add Or Edit A Radius Server

    You can specify communication settings that will apply to all communications between the router and AAA servers in this window. Any communications settings made for a specific router will override settings made in this window...
  • Page 530: Aaa Server Groups Window

    Group Name The name of the server group. Server group names allow you to use a single name to reference multiple servers...
  • Page 531: Authentication And Authorization Policies

    You can review and manage these method lists from these windows. Add, Edit, and Delete Buttons Use these buttons to create, edit, and remove method lists...
  • Page 532: Authentication Nac

    The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. EAPoUDP group SDM_NAC_Group method lists configured...
  • Page 533: Add Or Edit A Method List For Authentication Or Authorization

    Name/Specify Select the name Default in the Name list, or select User Defined, and enter a method list name in the Specify field...
  • Page 534 This is an IOS restriction. IOS will not accept any method name after the method name "none" has been added to a Method List...
  • Page 535: Router Provisioning

    Step 4 If you want to preview the file, click Preview File to display the contents of the file in the details pane...
  • Page 536 Router Provisioning from USB Step 5 Click OK to load the chosen file...
  • Page 537: Public Key Infrastructure

    Possible prerequisite tasks are the following: • SSH credentials not verified—SDM requires you to provide your SSH credentials before beginning...
  • Page 538 Certificates wizard to generate a request, and then to reinvoke it when you have obtained the certificates for the CA server and for the router...
  • Page 539: Welcome To The Scep Wizard

    Certificate Authority (CA) Information Provide information to identify the CA server in this window. Also specify a challenge password that will be sent along with the request. Tips...
  • Page 540 This password is also referred to as a challenge password...
  • Page 541: Certificate Subject Name Attributes

    Note: If the Cisco IOS image running on the router does not support this feature, this box is disabled. FQDN If you enabled this field, enter the router’s FQDN in this field. An example of an FQDN is sjrtr.mycompany.net...
  • Page 542: Other Subject Attributes

    Enter the Organizational Unit, or department name to use for this certificate. Organization (o) Enter the organization or company name. This is the X.500 organizational name...
  • Page 543: Rsa Keys

    64. If you want a value higher than 1024, you can enter 1536 or 2048. If you enter a value greater than 512, key generation may take a minute or longer...
  • Page 544: Summary

    After the commands are delivered to the router, SDM attempts to contact the CA server. If the CA server is contacted, SDM displays a message window with the server’s digital certificate...
  • Page 545: Enrollment Status

    Enrollment Task Specify whether you are beginning a new enrollment or you are resuming an enrollment with an enrollment request that you saved to the PC...
  • Page 546: Continue With Unfinished Enrollment

    PC. Select CA server nickname (trustpoint) Select the trustpoint associated with the enrollment you are completing...
  • Page 547: Import Ca Certificate

    If you have the CA server certificate on your hard disk, you can browse for it and import it to your router in this window. You can also copy and paste the certificate text into the text area of this window...
  • Page 548: Digital Certificates

    The Trustpoints list only displays the name, enrollment URL, and enrollment type for a trustpoint. Click to view all the information for the selected trustpoint...
  • Page 549 This area shows details about the certificates associated with the selected trustpoint. Details Button Click to view the selected certificate. Revocation Check, CRL Only for more information.
  • Page 550: Trustpoint Information

    This window displays all the information provided to create the trustpoint. Certificate Details This window displays trustpoint details that are not displayed in the Certificates window...
  • Page 551: Revocation Check

    Specify how the router is to check whether a certificate has been revoked in this window. Verification One of the following: • None—Check the Certificate Revocation List (CRL) distribution point embedded in the certificate...
  • Page 552: Rsa Keys Window

    If this column contains a checkmark, the key can be exported to another router if it becomes necessary for that router to assume the role of the local router...
  • Page 553: Generate Rsa Key Pair

    Check if you want the key to be exportable. An exportable key pair can be sent to a remote router if it is necessary for that router to take over the functions of the local router...
  • Page 554: Usb Tokens

    Displays the name used to log in to the USB token. User PIN Displays the PIN used to log in to the USB token...
  • Page 555: Add Or Edit Usb Token

    USB token is connected. For example, a USB token connected to USB port 0 is named usbtoken0. If you are editing a USB token login, the Token Name field cannot be changed...
  • Page 556 The file extension must be .cfg. If SDM can log in to the USB token, it will merge the specified configuration file with the router’s running configuration...
  • Page 557: Sdp Troubleshooting Tips

    Firewall permits HTTP or HTTPS traffic from the PC from which the SDM/SDP application is invoked. For more information about SDP, refer to the following web page: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008028afbd.html#wp1043332 ...
  • Page 558: Open Firewall

    ACEs for revocation traffic such as CRL traffic and OCSP traffic. You must explicitly add passthrough ACEs for this traffic using the Edit Firewall Policy/ACL window...
  • Page 559: Open Firewall Details

    CA traffic to reach the router. This entry is not added unless you check Modify in the Open Firewall window and complete the wizard...
  • Page 561: Resetting To Factory Defaults

    IP address, depending on the type of router that you have. Use the following table to determine the type of address to give the PC...
  • Page 562 Automatically to obtain a dynamic IP address. For a static IP address, click Routers Needing Static Addresses: Cisco 1721, 1751, and 1760; Cisco 1841; Cisco 2600XM, and 2691; Cisco 28xx, 36xx, 37xx, and 38xx...
  • Page 563 IP address back to 10.10.10.1. The next time you log on to the router with your browser, enter the IP address 10.10.10.1 in the browser’s location field...
  • Page 564: This Feature Not Supported

    Cisco IOS image that does not support the feature, or because SDM is being run on a PC and cannot support the feature...
  • Page 565: More About

    4 octets which are displayed in decimal, separated by periods or "dots," for example, 172.16.122.204. The decimal address 172.16.122.204 represents the binary IP address shown in the following figure...
  • Page 566 Note that the bits field on the right is empty, indicating that an invalid value has been entered in the Subnet Mask field...
  • Page 567: Host And Network Fields

    • Any IP address—The action you specified is to apply to any host or network. IP Addresses and Subnet Masks and PAT, and...
  • Page 568: Available Interface Configurations

    • Unsupported WAN interface You can add a: • PPPoE connection • Tunnel interface • Loopback interface • Tunnel interface • Loopback Interface...
  • Page 569: Dhcp Address Pools

    • 172.16.1.1 to 172.16.1.254 (assuming LAN IP address is in 172.16.1.0 subnet) SDM configures the router to automatically exclude the LAN interface IP address in the pool. • An ADSL interface • A G.SHDSL interface • A tunnel or loopback for either of...
  • Page 570: Meanings Of The Permit And Deny Keywords

    Meaning of Deny Drop matching traffic. Do not translate the address. inside local outside local address. sent unencrypted. Do not protect matching addresses from NAT translation...
  • Page 571 Description Border Gateway Protocol. BGP exchanges reachability information with other systems that use the BGP protocol. Character generator. Remote commands. Similar to exec except that cmd has automatic authentication. Daytime. Discard. Domain Name Service.
  • Page 572 See echo. Internet Security Association and Key Management Protocol. Mobile IP registration. IEN116 name service (obsolete). NetBios datagram service. Network Basic Input Output System. An API used by applications to request services from lower-level network processes...
  • Page 573 X-Displays (clients) and X Display Managers. non500-isak 4500 Internet Security Association and Key Management Protocol. This keyword is used when NAT-traversal port floating is required...
  • Page 574 Sent to indicate received packet’s time to live field has reached zero. Reply to request for timestamp to be used for synchronization between two devices...
  • Page 575 Port Number aahp eigrp icmp igmp ipinip ospf Description Request for timestamp to be used for synchronization between two devices. Message sent in reply to a host that has issued a traceroute request. Destination unreachable. Packet cannot be delivered for reasons other than congestion.
  • Page 576 Session Initiation Protocol. SIP is a telephony protocol used to integrate telephony services and data services. A telephony protocol enabling telephony clients to be H.323 compliant. See smtp. Protocol for network enabled databases. StreamWorks protocol. Streaming video protocol...
  • Page 577: More About Nat

    The source address 10.12.12.3 is translated to the address 172.17.4.8 in packets leaving the router. If this is the only NAT rule for this network, 10.12.12.3 is the only address on the network that gets translated. Description See tcp.
  • Page 578 Translate to Interface Fields: IP Address 172.17.4.8 (host); Net Mask 255.255.255.0; Redirect Port: Leave unchecked. Translate to... fields: IP Address 172.17.4.8; Net Mask: Leave blank; Redirect Port: Original Port 137, Translated Port 139...
  • Page 579 The port number in the Redirect port field is changed from 137 to 139. Return traffic carrying the destination address 172.17.4.8 & port 139 is routed to port number 137 of the host with the IP address 10.12.12.3. Translate to... fields Net Mask...
  • Page 580: Dynamic Address Translation Scenarios

    172.17.4.8. PAT would be used to distinguish traffic associated with different hosts. Translate to... fields Type Interface Interface FastEthernet0/ Address Pool Disabled...
  • Page 581: Reasons That Sdm Cannot Edit A Nat Rule

    Reasons that SDM Cannot Edit a NAT Rule A previously configured when a NAT static rule is configured with any of the following: • The inside source static and destination Cisco IOS commands IP Address fields 172.16.131.2 172.16.131.10 Translate to... fields Type...
  • Page 582: More About Vpn

    The following links provide TAC resources and other information on VPN issues. • How Virtual Private Networks Work • Dynamic Multipoint IPSec VPNs • TAC-authored articles on IPSec • TAC-authored articles on SDM...
  • Page 583: More About Vpn Connections And Ipsec Policies

    A crypto map can specify more than one peer for a connection. This may be done to provide redundancy. The following diagram shows the same interface and policy, but crypto map CM-3 specifies two peers: Topeka and Lawrence. (Diagram labels: Policy 5)...
  • Page 584 Topeka and Lawrence as one connection for both interfaces. (Diagram labels: Policy 5; Seattle, Chicago, Topeka, Lawrence)...
  • Page 585: More About Ike

    • Key Exchange Algorithm. This is a mathematical technique for securely exchanging cryptographic keys over a public medium (that is, Diffie-Hellman). The keys are used in the encryption and packet-signature algorithms...
  • Page 586: More About Ike Policies

    If the lifetimes are not identical, the shorter lifetime from the remote peer’s policy will be used. Encryption Algorithm: DES, 3DES, or AES. Packet Signature Algorithm: MD5 or SHA-1...
  • Page 587: Allowable Transform Combinations

    ESP with the 168-bit DES encryption algorithm (3DES or Triple DES). esp-null Null encryption algorithm. esp-seal ESP with the 160-bit encryption key Software Encryption Algorithm (SEAL) encryption algorithm. or ESP) plus the algorithm that you Authentication Transform IP Compression Transform...
  • Page 588: Reasons Why A Serial Interface Or Subinterface Configuration May Be Read-Only

    • The interface is part of a SERIAL_CSUDSU_56K WIC. • The interface is part of a Sync/Async WIC configured with the physical-layer async command...
  • Page 589: Reasons Why An Atm Interface Or Subinterface Configuration May Be Read-Only

    • If the IP Address is not configured on the PVC in the protocol ip command. • with the dialer pool-member command...
  • Page 590: Reasons Why An Ethernet Interface Configuration May Be Read-Only

    • If the LAN interface has been configured as a DHCP server, and has been configured with an IP-helper address. is required (which is determined dynamically from the Cisco IOS...
  • Page 591: Reasons Why An Isdn Bri Interface Configuration May Be Read-Only

    – The default route through the primary interface is removed – The backup interface default route is not configured – ip local policy is removed – track /rtr or both is not configured...
  • Page 592: Reasons Why An Analog Modem Interface Configuration May Be Read-Only

    – The SDM-supported interfaces are configured with unsupported configurations – The primary interfaces are not supported by SDM – The default route through the primary interface is removed – The backup interface default route is not configured – ip local policy is removed...
  • Page 593: Firewall Policy Use Case Scenario

    • Examining Originating Traffic: From: Serial 1/0; To: Ethernet 1/0 • Allowing www Traffic to DMZ track /rtr or both is not configured route-map is removed Access-list is removed or access-list is modified (for example, tracking ip address is modified)...
  • Page 594 Examining Returning Traffic: From Interface Ethernet 0/0; To Interface Serial 1/0 Clicking the Returning traffic button displays the access rule for inbound traffic on Serial 1/0...
  • Page 595 Swap From and To interfaces from the View Options menu, and select Fast Ethernet 1/0 in the To interface list. Doing so makes Serial 1/0 the From interface and Fast Ethernet 1/0 the To interface...
  • Page 596: Dmvpn Configuration Recommendations

    If you are configuring a spoke, you must obtain the correct information about the hub before you begin...
  • Page 597 You can examine supported interfaces in Interfaces and Connections to determine if a dialup connection, such as an ISDN or Async connection, has been configured for the physical interface you selected...
  • Page 598: Sdm White Papers

    A number of white papers are available that describe how SDM can be used. These white papers are available at the following link. http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/appnote/index.h ...
  • Page 599: Getting Started

    SDM also features a Monitor mode, which enables you to observe router performance and gather statistics associated with configurations that you have made on the router...
  • Page 600: What's New In This Release

    To determine which Cisco IOS versions SDM supports, go to the following URL: http://www.cisco.com/go/sdm Click the Technical Documentation link, and then click Release Notes...
  • Page 601: Viewing Router Information

    Tasks>Router Properties>Logging window. In addition, individual rules may need configuration so that they generate log events. For more information, see the help topic How Do I View Activity on My Firewall?...
  • Page 602: Overview

    From the toolbar, click Monitor, and then in the left frame, click Firewall Status. From the toolbar, click Monitor, and then in the left frame, click VPN Status. Then select the tab for IPSec Tunnels, DMVPN Tunnels, Easy VPN Servers, or IKE SAs. click Logging...
  • Page 603 The total number of disabled (down) interfaces on the router. Interface The interface name. The IP address of the interface. Status The status of the interface, either Up or Down...
  • Page 604 HTTP, HTTPS, ping, and others) rejected by the firewall. rule that rejected the connection attempt must be configured to create Security Associations (SAs) connections currently IPSec Virtual Private Network (VPN) connections currently...
  • Page 605 The number of log entries stored that have a severity level of 3 or 4. These messages may indicate a problem with your network, but they do not likely require immediate attention...
  • Page 606: Interface Status

    These data items are as follows: • Packet Input—The number of packets received on the interface. • Packet Output—The number of packets sent by the interface...
  • Page 607 It has the following options. Note: The polling frequencies listed are approximations and may differ slightly from the listed times...
  • Page 608: Vpn Status

    The statistics corresponding to the selection made in this field will appear in the field below. You can select one of the following VPN categories: connections that are active on the...
  • Page 609 • Decapsulation Packets column The number of packets decapsulated over the IPSec VPN connection. • Send Error Packets column Up—The tunnel is active. Down—The tunnel is inactive due to an error or hardware failure...
  • Page 610 The time and date when the tunnel registration expires and the DMVPN tunnel will be shut down. • Status column The status of the DMVPN tunnel. • Reset button...
  • Page 611 • Maximum connections allowed for this group • Maximum logins per user Client Connections in this Group This area shows the following information about the selected group...
  • Page 612 MM_NO_STATE—The Internet Security Association and Key Management Protocol (ISAKMP) SA has been created but nothing else has happened yet. MM_SA_SETUP—The peers have agreed on parameters for the ISAKMP SA...
  • Page 613: Firewall Status

    Firewall Log Whether or not the router is configured to maintain a log of connection attempts allowed and denied by the firewall. MM_KEY_EXCH—The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
  • Page 614: Application Security Log

    The following is example log text for instant messaging applications:...
  • Page 615: Nac Status

    NAC sessions being initialized, and a button that allows you to clear all active and initializing NAC sessions. The window lists the router interfaces with associated NAC policies. FastEthernet0/0 10.10.15.1/255.255.255.0...
  • Page 616 • Infected—The host is infected with a known virus. The user is redirected to a remediation site to obtain virus definition file updates. • Unknown—The host’s posture is unknown. Remote EAP Policy Infected...
  • Page 617: Logging

    Displays all messages with the severity level specified in the Select a Logging Level to View field. Log events contain the following information: • Severity Column...
  • Page 618 Immediate action needed; 2 - critical Critical conditions; 3 - errors Error conditions; 4 - warnings Warning conditions; 5 - notifications Normal but significant condition; 6 - informational Informational messages only; 7 - debugging Debugging messages...
  • Page 621: File Menu Commands
  • Page 622: Write To Startup Config

    It also shows the size of each file in bytes, and the date and time each file and directory was last modified. Cisco Router and Security Device Manager Version 2.2 User’s Guide 33-2 Chapter 33 Defaults. File Menu Commands OL-4015-08...
  • Page 623 ...USB flash device connected to that router. Copy button: Choose a file from the right side of the window and click the Copy button to copy the file.
  • Page 624: Rename

    Enter the new filename in the New Name field. The path to the location of the file is displayed above the New Name field.
  • Page 625: New Folder

    Step 1 Ensure that the router will not lose power. If the router loses power after an erase flash: operation, there will be no Cisco IOS image in Flash memory, and you will lose your connection to the...
  • Page 626 Step 5 From the PC, log on to the router using Telnet, and enter Enable mode. ...server to which you can save files and copy them over to the...
  • Page 627 ...SDM session. Now that an erase flash: has been performed on the router, you will be able to execute the squeeze flash command when necessary.
  • Page 629: Edit Menu Commands

    This is the SDM default behavior. Select this option if you would like SDM to display a dialog box asking for confirmation when you exit SDM.
  • Page 630 ...Monitor mode and perform other tasks in SDM, select this check box and specify the maximum number of interfaces you want SDM to monitor. The default maximum number of interfaces to monitor is 4.
  • Page 631: View Menu Commands

    ...Interfaces and Connections, Firewalls and ACLs, VPNs, Routing, and other tasks. Monitor: Displays the SDM Monitor window, which lets you view statistics about your router and network.
  • Page 632: Running Config

    For more information about the rules, see the option descriptions that follow.
  • Page 633: Refresh

    SDM displays a message window telling you that if you refresh, you will lose undelivered commands. If you want to deliver the commands, click No in this window, and then click Deliver on the SDM toolbar.
  • Page 635: Tools Menu Commands

    ...Cisco IOS command-line interface (CLI) using the... Security Audit: Displays the SDM Security Audit screen. Generate Mirror... ...for information on how to use the Ping...
  • Page 636: Usb Token Pin Settings

    Enter a new PIN for the USB token. The existing PIN will be replaced by the new PIN. The new PIN must be at least 4 digits long. Confirm PIN: Reenter the new PIN to confirm it.
  • Page 637: Update Sdm

    To update SDM from the PC you are using to run SDM, follow these steps:
    Step 1 Download the file sdm-vnn.zip from the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
  • Page 638 If there is more than one SDM .zip file, obtain the copy with the highest version number. Step 2 Use the update wizard to copy the SDM files from your PC to the router.
  • Page 639 Step 3 SDM will enable you to locate the file SDM-Updates.xml on the CD. When you locate the file, click Open. Step 4 Follow the instructions in the installation wizard.
  • Page 641: Help Menu Commands

    About this router...: Displays hardware and software information about the router on which SDM is running. About SDM: Displays version information about SDM.
  • Page 643 Glossary. Cisco Secure Access Control Server: Software running on a RADIUS server used to store policy databases used in a ... to the network.
  • Page 644 ...(called a MAC address) to its IP address. Adaptive Security Algorithm: Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application. ...address, NAT, PAT, Static PAT.
  • Page 645 ...Sometimes referred to as a notary or a certifying authority. Within a given CA's domain, each device needs only its own certificate and the CA's public key to authenticate every other device in that domain.
  • Page 646 ...(PKIX) of the IETF is working to standardize a protocol for these functions, either CRS or an equivalent. When an IETF standard is stable, Cisco will add support for it. CEP was jointly developed by Cisco Systems and VeriSign, Inc. digital certificate: An X.509 certificate contains within it information regarding the identity of...
  • Page 647 comp-lzs: An IP compression algorithm. Configuration, Config, Config File: The file on the router that holds the settings, preferences, and properties you can administer using SDM.
  • Page 648 default gateway: The gateway of last resort. The gateway to which a packet is routed when its destination address does not match any entries in the routing table.
  • Page 649 DLCI: In Frame Relay connections, the identifier for a particular data link connection between two endpoints. ...Oakley key exchange. Cisco IOS software supports 768-bit and...
  • Page 650 DSS: Also called digital signature algorithm (DSA), the DSS algorithm is part of many public-key standards for cryptographic signatures. dynamic routing: Routing that adjusts automatically to network topology or traffic changes. Also called adaptive routing.
  • Page 651 ECHO ... EIGRP: Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco Systems. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols. encapsulation: Wrapping of data in a particular protocol header. For example, Ethernet data is wrapped in a specific Ethernet header before network transit.
  • Page 652 ...Cisco IP phones. ...implementation, a list of hosts with static addresses that are allowed ... posture agents installed, or because they are hosts such...
  • Page 653 ...X.25, the protocol for which it is generally considered a replacement. FTP: File Transfer Protocol. Part of the TCP/IP protocol stack, used for transferring files between hosts.
  • Page 654 HDLC: High-Level Data Link Control. Bit-oriented synchronous data link layer protocol developed by the International Organization for Standardization (ISO). HDLC specifies a data encapsulation method on synchronous serial links using frame characters and checksums.
  • Page 655 ...When it finds unauthorized activity or anomalies, it can terminate the condition, block traffic from attacking hosts, and send alerts to the IDM. ...network, a hub is a router with a point-to-point...
  • Page 656 inspection rule: ...allows the router to inspect specified outgoing traffic...
  • Page 657 ...4 decimal numbers separated by periods or "dots." The part of the address used to specify the network number, the subnetwork number, and the host number is specified by the... ...which uses ... and Internet protocols, such as SNMP, UDP.
  • Page 658 key management: The creation, distribution, authentication, and storage of encryption keys. ...crypto map associated with a VPN...
  • Page 659 ...(by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. The local subnet is the subnet associated with your end of a transmission.
  • Page 660 ...Binary: 11111111 11111111 11111111 11111000 (that is, 255.255.255.248). The first 29 bits provide the network and subnetwork address, and the last 3 provide the host address. See also Address, TCP/IP, host, host/network.
  • Page 661 ...See also ACL, posture, and EAPoUDP.
  • Page 662 ...255.255.248 has 17 network bits. network module: A network interface card that is installed in the router chassis to add functionality to the router. Examples are Ethernet network modules, and ... network modules.
  • Page 663 OSPF: Open Shortest Path First. Link-state, hierarchical IGP routing algorithm proposed as a successor to RIP in the Internet community. OSPF features include least-cost routing, multipath routing, and load balancing.
  • Page 664 ...address. With PAT enabled, the router chooses a...
  • Page 665 PPPoE: PPPoE enables hosts on an Ethernet network to connect to remote hosts through a broadband modem. ...request sent between hosts to determine whether a host is accessible... ...implementation, the condition of a host attempting access to the...
  • Page 666 pseudo random: An ordered sequence of bits that appears superficially similar to a truly random sequence of the same bits. A single-use value generated from a pseudo random number is called a nonce.
  • Page 667 rcp: Protocol that allows users to copy files to and from a file system residing on a remote host or server on the network. The rcp protocol uses TCP to ensure the reliable delivery of data.
  • Page 668 root CA: Ultimate certification authority (CA), which signs the certificates of the subordinate CAs. The root CA has a self-signed certificate that contains its own public key. route: A path through an internetwork.
  • Page 669 rule: Information added to the configuration to define your security policy in the form of conditional statements that instruct the router how to react to a particular situation. ...Getting Started for more information.
  • Page 670 session key: A key that is used only once. Some encryption systems use the Secure Hash Algorithm (SHA) to generate digital signatures, as an alternative to MD5.
  • Page 671 ...Layer 2 keepalives during periods of queue congestion. spoke: In a DMVPN network, a spoke router is a logical end point in the network, and has a point-to-point IPSec connection with a DMVPN hub router.
  • Page 672 ...See also PAT. static route: Route that is explicitly configured and entered into the routing table. Static routes take precedence over routes chosen by dynamic routing protocols.
  • Page 673 TFTP: Trivial File Transfer Protocol. TFTP is a simple protocol used to transfer files. It runs on UDP and is explained in depth in Request For Comments (RFC) 1350.
  • Page 674 ...A virtual path may carry multiple virtual channels corresponding to individual connections. The VCI identifies the channel being used. The combination of VPI and VCI identifies an ATM connection.
  • Page 675 VPN connection: A site-to-site VPN. A site-to-site VPN consists of a set of VPN connections between peers, in which the defining attributes of each connection include the following device configuration information: a connection name; optionally, an IKE policy and pre-shared key; an IPSec peer...
  • Page 676 ...10.28.88.0 would match the IP address in the rule, and the IP address 10.28.15.55 would not match. WINS: Windows Internet Naming Service. A Windows system that determines the IP address associated with a particular network computer.
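    The subnet-mask example on page 660 (29 network bits, 3 host bits) and the wildcard-mask example on page 676 are the same bit arithmetic seen from two sides: a subnet mask has 1-bits where the address must match, an ACL wildcard mask has 0-bits there. The following Python functions are an added example, not code from the guide: they count network and host bits in a mask, reject non-contiguous masks, test a candidate address against an ACL entry with Cisco wildcard semantics, and derive the wildcard that matches a subnet. The rule address 10.28.88.0 with wildcard 0.0.0.255 is an assumption, since the guide's page shows only the results and not the rule; under that assumption the code reproduces the page's stated outcome for 10.28.88.0 and 10.28.15.55.

```python
import ipaddress
from typing import Tuple

MASK_BITS = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(addr))


def mask_bits(mask: str) -> Tuple[int, int]:
    """Return (network_bits, host_bits) for a dotted-decimal subnet mask.

    A subnet mask must be a run of 1-bits followed by a run of 0-bits; anything
    else (for example 255.255.0.255) is rejected rather than silently counted.
    """
    value = _to_int(mask)
    ones = bin(value).count("1")
    if value != (MASK_BITS << (32 - ones)) & MASK_BITS:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones, 32 - ones


def mask_to_binary(mask: str) -> str:
    """Render a mask as four 8-bit groups, the way the glossary shows it."""
    return " ".join(format(int(octet), "08b") for octet in mask.split("."))


def subnet_mask_to_wildcard(mask: str) -> str:
    """Invert a subnet mask into the ACL wildcard that matches the same subnet."""
    mask_bits(mask)  # validate contiguity before inverting
    return str(ipaddress.IPv4Address(_to_int(mask) ^ MASK_BITS))


def wildcard_matches(rule_addr: str, wildcard: str, candidate: str) -> bool:
    """Cisco ACL wildcard semantics: a 0 bit in the wildcard must match the rule
    address, a 1 bit is "don't care". Unlike a subnet mask, a wildcard may be
    non-contiguous (for example 0.0.255.0), so no contiguity check applies here.
    """
    care = ~_to_int(wildcard) & MASK_BITS
    return (_to_int(rule_addr) & care) == (_to_int(candidate) & care)


if __name__ == "__main__":
    print(mask_to_binary("255.255.255.248"), mask_bits("255.255.255.248"))
    print("wildcard for 255.255.255.248:", subnet_mask_to_wildcard("255.255.255.248"))
    # Assumed rule: 10.28.88.0 with wildcard 0.0.0.255 (the guide shows only the results).
    for host in ("10.28.88.0", "10.28.88.200", "10.28.15.55"):
        print(host, wildcard_matches("10.28.88.0", "0.0.0.255", host))
```

    The contiguity check in mask_bits matters when masks come from user input or a parsed configuration: a mask with a hole in it is almost always a typo, and counting its 1-bits would report a plausible-looking prefix length for a subnet that does not exist.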
  • Page 677 Xauth: ...IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur. Xauth is an extension to IKE, and does not replace IKE authentication.
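    A practical check for the list-name requirement stated above: the crypto map's client authentication list and an aaa authentication login list must carry the same name, and a typo in either leaves Xauth with no method list to consult. The following Python script is an added example, not code from the guide, SDM or IOS: it parses a constructed IOS configuration excerpt (the names SDM_CMAP_1, VPN_XAUTH and VPNXAUTH and the peer 192.0.2.10 are made up for illustration) and reports every crypto map whose Xauth list-name has no matching AAA login list.

```python
import re
from typing import Dict, List

# Constructed IOS configuration excerpt (not taken from the guide). The crypto
# map asks Xauth to use list VPN_XAUTH, but the AAA login list was defined as
# VPNXAUTH, so the names do not match.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login VPNXAUTH local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto map SDM_CMAP_1 client authentication list VPN_XAUTH
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 192.0.2.10
"""

# 'aaa authentication login <list-name> <method ...>'
_AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+?)\s*$")
# 'crypto map <map-name> client authentication list <list-name>'
_XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list (\S+)\s*$")


def aaa_login_lists(config: str) -> Dict[str, str]:
    """Map each AAA login list-name to its method string, e.g. 'local' or 'group radius'."""
    lists: Dict[str, str] = {}
    for line in config.splitlines():
        m = _AAA_LOGIN_RE.match(line.strip())
        if m:
            lists[m.group(1)] = m.group(2)
    return lists


def xauth_lists(config: str) -> Dict[str, str]:
    """Map each crypto map name to the Xauth list-name it references."""
    refs: Dict[str, str] = {}
    for line in config.splitlines():
        m = _XAUTH_RE.match(line.strip())
        if m:
            refs[m.group(1)] = m.group(2)
    return refs


def check_xauth_lists(config: str) -> List[str]:
    """One finding per crypto map whose Xauth list-name has no AAA login list of that name."""
    aaa = aaa_login_lists(config)
    findings: List[str] = []
    for cmap, list_name in xauth_lists(config).items():
        if list_name not in aaa:
            findings.append(
                f"crypto map {cmap}: Xauth list '{list_name}' has no matching "
                f"'aaa authentication login {list_name}' entry (defined lists: {sorted(aaa)})"
            )
    return findings


if __name__ == "__main__":
    for finding in check_xauth_lists(SAMPLE_CONFIG) or ["no Xauth list-name mismatches"]:
        print(finding)
```

    Run check_xauth_lists over a saved show running-config before delivering an Easy VPN server change; the comparison is exact and case-sensitive, which is what IOS does with list names as well.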
  • Page 679 Index: Access Rules window; address pools; ADSL operating mode; ansi-dmt; itu-dmt; splitterless; ADSL over ISDN; default operating mode; operating modes; AES encryption; AH authentication; Alert; ansi-dmt subinterface; Audit trail; authentication; digital signatures; SHA_1; AutoSecure...
  • Page 680 ...IP address; Dynamic Multipoint VPN; dynamic routing protocol, configuring; Easy VPN; auto tunnel control; Client Mode; configuring a backup; Digital certificates; editing existing connection; group key; group name; interfaces...
  • Page 681 ...RFC 1483 Routing; encryption; 3DES; ESP authentication and encryption; extended rules, numbering ranges; Externally Defined Rules window; File menu; finger service, disabling; firewall; configuring NAT passthrough; configuring on an unsupported interface; enabling CBAC...
  • Page 682 ...Serial with HDLC or Frame Relay; for Serial with PPP; negotiated; next hop; unnumbered; IP compression; IP directed broadcasts, disabling; IP Identification service, disabling; IPSec; description; group key; group name; policy type; rule...
  • Page 683 Monitor mode; Firewall Status; Interface Status; Logging; Overview; VPN Status; MOP service, disabling; Multipoint Generic Routing Encapsulation; address pools; effect on DMZ service configuration and VPN connections; configuring on unsupported interface; configuring with a VPN; designated interfaces; DNS timeout...
  • Page 684 ...RFC 1483 Routing; AAL5 MUX; AAL5 SNAP; RIP; route; route map; route maps; router information; about this router; routing; PPPoE...
  • Page 685 ...SDM Default Rules window; security association lifetime; Security Audit wizard; Configure User Accounts for Telnet; Enable Secret and Banner; Interface Selection; Logging; Report Card; starting; sequence numbers, enabling; serial interface; clock settings; subinterface; SHA_1; shared key...
  • Page 686 ...IPSec peer; transform set; transport mode; tunnel mode; viewing activity; VPN concentrator...
  • Page 687 ...WAN connections; creating in wizard; deleting; WAN interface; unsupported; Xauth logon.

This manual is also suitable for:

SDM 2.2
