Cisco Systems OL-4015-08 user manual


A good user manual

Regulations oblige the reseller to supply the buyer, along with the goods, the Cisco Systems OL-4015-08 user manual. A missing user manual, or incorrect information supplied to the consumer, is grounds for a complaint that the device does not conform to the contract. By law, the user manual may be included in a form other than paper, which has become common practice, including a graphic or electronic form of the Cisco Systems OL-4015-08 manual or instructional videos for users. The condition is that it be legible and comprehensible.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange. The Cisco Systems OL-4015-08 user manual therefore describes the steps of a procedure. The purpose of the user manual is to instruct, to make it easier to start up and use the equipment, or to carry out specific actions. The user manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you get to know a number of additional features of the device you have bought, but also helps you avoid most failures.

So what should the perfect manual contain?

First of all, the Cisco Systems OL-4015-08 user manual should contain:
- information on the technical characteristics of the Cisco Systems OL-4015-08 device
- the manufacturer's name and the year of manufacture of the Cisco Systems OL-4015-08
- instructions for using, adjusting and maintaining the Cisco Systems OL-4015-08 equipment
- safety markings and certificates confirming conformity with the relevant standards

Why don't we read user manuals?

Usually this is due to a lack of time and to uncertainty about the specific features of the equipment purchased. Unfortunately, simply connecting and starting up the Cisco Systems OL-4015-08 is not enough. The user manual contains a number of guidelines on specific features, safety, maintenance methods (including which products may be used), possible faults of the Cisco Systems OL-4015-08 and ways of resolving common problems during use. Finally, the manual contains the contact details of Cisco Systems service in case the proposed solutions do not work. Today, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, are very popular. This type of manual lets the user watch the whole instructional video without skipping the specifications and complicated technical descriptions of the Cisco Systems OL-4015-08, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers on the structure and capabilities of the Cisco Systems OL-4015-08 device, the use of various accessories, and a range of information for taking full advantage of all its features and conveniences.

After successfully purchasing the equipment/device, take a moment to familiarize yourself with every part of the Cisco Systems OL-4015-08 user manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic function of informing and helping.

Table of contents of the user manual

  • Page 1

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Router and Security Device Manager (SDM) Version 2.2 User’s Guide Customer Order Number: Text Part Number: OL-4015-08[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PR[...]

  • Page 3

    iii Cisco Router and Security Device Manager (SDM) Version 2.1 User’s Guide OL-4015-06 CONTENTS Home Page 1 LAN Wizard 1 Ethernet Configuration 2 LAN Wizard: Select an Interface 3 LAN Wizard: IP Address and Subnet Mask 3 LAN Wizard: Enable DHCP Server 4 LAN Wizard: DHCP Address Pool 4 DHCP Options 5 LAN Wizard: VLAN Mod[...]

  • Page 4

    Contents iv How Do I View the IOS Commands I Am Sending to the Router? 12 How Do I Launch the Wireless Application from SDM? 13 Create Connection Wizards 1 Create Connection 1 WAN Wizard Interface Welcome Window 2 ISDN Wizard Welcome Window 3 Anal[...]

  • Page 5

    v Contents Delete Connection 19 Summary 21 Connectivity testing and troubleshooting 22 How Do I ... 26 How Do I View the IOS Commands I Am Sending to the Router? 26 How Do I Configure an Unsupported WAN Interface? 26 How Do I Enable or Disable [...]

  • Page 6

    Contents vi Add or Edit BVI Interface 18 Add Loopback Interface/Connection—Loopback 18 Connection: Ethernet LAN 19 Connection: Ethernet WAN 20 Ethernet Properties 21 Connection: Ethernet with No Encapsulation 22 Connection: ADSL 23 Connecti[...]

  • Page 7

    vii Contents Advanced Firewall Interface Configuration 5 Advanced Firewall DMZ Service Configuration 6 DMZ Service Configuration 7 Advanced Firewall Inspection Rule Configuration 7 Application Security Configuration 9 Domain Name Se[...]

  • Page 8

    Contents viii SDM Warning: Inspection Rule 15 SDM Warning: Firewall 16 Application Security 17 Application Security Windows 17 No Application Security Policy 19 E-mail 20 HTTP 21 Header Options 23 Content Options 23 Instant Messaging 25 Poin[...]

  • Page 9

    ix Contents VPN Authentication Information 49 Backup GRE Tunnel Information 51 Routing Information 52 Static Routing Information 53 Select Routing Protocol 54 Summary of Configuration 55 Edit Site-to-Site VPN 55 Add new connection 58 Add[...]

  • Page 10

    Contents x Easy VPN Remote 77 Create Easy VPN Remote 77 Configure an Easy VPN Remote Client 77 Connection Settings 78 Authentication 79 Interfaces 80 Summary of Configuration 82 Edit Easy VPN Remote 83 Add or Edit Easy VPN Remote 89 Add or Edit[...]

  • Page 11

    xi Contents General Group Information 111 DNS and WINS Configuration 112 Split Tunneling 113 Client Settings 115 Choose Browser Proxy Settings 117 Add or Edit Browser Proxy Settings 117 User Authentication (XAuth) 119 Client Update 120 Add[...]

  • Page 12

    Contents xii DMVPN Network Topology 9 Specify Hub Information 10 Spoke GRE Tunnel Interface Configuration 10 SDM Warning: DMVPN Dependency 11 Edit Dynamic Multipoint VPN (DMVPN) 12 General Panel 14 NHRP Panel 15 NHRP Map Configuration 16 Ro[...]

  • Page 13

    xiii Contents Add or Edit Transform Set 40 IPSec Rules 43 Internet Key Exchange 45 Internet Key Exchange (IKE) 45 IKE Policies 46 Add or Edit IKE Policy 48 IKE Pre-shared Keys 50 Add or Edit Pre Shared Key 51 VPN Troubleshooting 53 VPN Troubl[...]

  • Page 14

    Contents xiv Enable Password Encryption Service 10 Enable TCP Keepalives for Inbound Telnet Sessions 11 Enable TCP Keepalives for Outbound Telnet Sessions 11 Enable Sequence Numbers and Time Stamps on Debugs 11 Enable IP CEF 12 Disable[...]

  • Page 15

    xv Contents Enable AAA 24 Configuration Summary Screen 25 SDM and Cisco IOS AutoSecure 25 Security Configurations SDM Can Undo 27 Undoing Security Audit Fixes 28 Add or Edit Telnet/SSH Account Screen 28 Configure User Accounts for Telnet/SSH P[...]

  • Page 16

    Contents xvi Details 8 Network Address Translation Rules 8 Designate NAT Interfaces 12 Translation Timeout Settings 12 Edit Route Map 14 Edit Route Map Entry 15 Address Pools 15 Add or Edit Address Pool 16 Add or Edit Static Address Trans[...]

  • Page 17

    xvii Contents Signature Import Wizard Summary 41 Signatures 42 Assign Actions 46 Import Signatures 46 Add, Edit, or Clone Signature 48 Add or Edit a Signature Location 49 Cisco Intrusion Prevention Alert Center 50 IPS-Supplied Signature Defin[...]

  • Page 18

    Contents xviii Edit QoS Policy 13 Edit QoS Class 15 Add a Protocol 17 Interface Association 18 QoS Status 18 Network Admission Control 21 Create NAC Tab 21 Other Tasks in a NAC Implementation 22 Welcome 23 RADIUS Server 23 Select the Interfa[...]

  • Page 19

    xix Contents Router Properties 1 Device Properties 1 Date and Time: Clock Properties 2 Date and Time Properties 3 NTP 4 Add or Edit NTP Server Details 5 SNTP 7 Add an NTP Server 7 Syslog 8 SNMP 8 Router Access 10 User Accounts: Configure Use[...]

  • Page 20

    Contents xx DNS Properties 26 Dynamic DNS Methods 26 Add or Edit Dynamic DNS Method 27 ACL Editor 1 Useful Procedures for Access Rules and Firewalls 2 Rules Windows 3 Add or Edit a Rule 7 Associate with an Interface 9 Add a Standard Rule Ent[...]

  • Page 21

    xxi Contents Router Provisioning 33 Router Provisioning from USB 33 Public Key Infrastructure 35 Certificate Wizards 35 Welcome to the SCEP Wizard 37 Certificate Authority (CA) Information 37 Advanced Options 39 Certificate Subject Na[...]

  • Page 22

    Contents xxii Open Firewall 56 Open Firewall Details 57 Resetting to Factory Defaults 1 This Feature Not Supported 4 More About.... 1 IP Addresses and Subnet Masks 1 Host and Network Fields 3 Available Interface Configurations 4 DHCP Address [...]

  • Page 23

    xxiii Contents Firewall Policy Use Case Scenario 29 DMVPN Configuration Recommendations 32 SDM White Papers 34 Getting Started 1 What’s New in this Release? 2 Cisco IOS Versions Supported 2 Viewing Router Information 1 Overview 2 Interface[...]

  • Page 24

    Contents xxiv Edit Menu Commands 9 Preferences 9 View Menu Commands 1 Home 1 Configure 1 Monitor 1 Running Config 2 Show Commands 2 SDM Default Rules 2 Refresh 3 Tools Menu Commands 1 Ping 1 Telnet 1 Security Audit 1 USB Token PIN Settings 2 Update[...]

  • Page 25

    CHAPTER 1-1 1 Home Page The home page supplies basic information about the router’s hardware, software, and configuration. This page contains the following sections: Host Name The configured name of the router. About Your Router Shows [...]

  • Page 26

    Chapter 1 Home Page 1-2 More... The More... link displays a popup window providing additional hardware and software details. • Hardware Details — In addition to the information presented in the About Your Router section, this tab displays information[...]

  • Page 27

    1-3 Chapter 1 Home Page Interfaces and Connections Up (n): The number of LAN and WAN connections that are up. Down (n): The number of LAN and WAN connections that are down. Double-arrow head: Click to display/hide details. Total Supported L[...]

  • Page 28

    Chapter 1 Home Page 1-4 Interface Firewall Icon NAT Inspection Rule Access Rule The name of the interface to which a firewall has been applied Whether the interface is designated as an inside or an outside interface. The name or number of the NAT [...]

  • Page 29

    1-5 Chapter 1 Home Page Note • Some VPN servers or concentrators authenticate clients using Extended Authentication (XAuth). This shows the number of VPN tunnels awaiting an XAuth login. If any Easy VPN tunnel awaits XAuth login, a separate m[...]

  • Page 30

    Chapter 1 Home Page 1-6[...]

  • Page 31

    CHAPTER 2-1 2 LAN Wizard The Cisco Router and Security Device Manager (SDM) LAN wizard guides you in the configuration of a LAN interface. The screen lists the LAN interfaces on the router. You can select any of the interfaces shown in the wind[...]

  • Page 32

    Chapter 2 LAN Wizard Ethernet Configuration 2-2 What Do You Want to Do? You can return to this screen as often as necessary to configure additional LAN interfaces. Ethernet Configuration The wizard guides you through the configuration of an Ethern[...]

  • Page 33

    2-3 Chapter 2 LAN Wizard LAN Wizard: Select an Interface • A DHCP address pool if you decide to use DHCP on this interface • The addresses of DNS and WINS servers on the WAN • A domain name LAN Wizard: Select an Interface Select the interfa[...]

  • Page 34

    Chapter 2 LAN Wizard LAN Wizard: Enable DHCP Server 2-4 LAN Wizard: Enable DHCP Server This screen lets you enable a DHCP server on your router. A DHCP server automatically assigns reusable IP addresses to the devices on the LAN. When a device becomes [...]

  • Page 35

    2-5 Chapter 2 LAN Wizard DHCP Options DHCP Options Use this window to configure DHCP options that will be sent to hosts on the LAN that are requesting IP addresses from the router. These are not options for the router that you are configuring; these ar[...]

  • Page 36

    Chapter 2 LAN Wizard LAN Wizard: VLAN Mode 2-6 LAN Wizard: VLAN Mode This screen lets you determine the type of VLAN information that will be carried over the switch port. Switch ports can be designated either to be in access mode, in which case they wil[...]

  • Page 37

    2-7 Chapter 2 LAN Wizard IRB Bridge Include this VLAN in an IRB bridge that will form a bridge with your wireless network. (Use Wireless Application to complete.) If you check this box, the switch port will form part of a bridge with your wireless netw[...]

  • Page 38

    Chapter 2 LAN Wizard DHCP Pool for BVI 2-8 IP Address Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces. For more information, see IP Addresses and Subnet [...]

  • Page 39

    2-9 Chapter 2 LAN Wizard IRB for Ethernet IRB for Ethernet If your router has a wireless interface, you can use Integrated Routing and Bridging to have this interface form part of a bridge to the wireless LAN, and enable traffic destined for the wireles[...]

  • Page 40

    Chapter 2 LAN Wizard Summary 2-10 Configure Switch Device Module If you are configuring a Gigabit Ethernet interface for routing, you can provide information about the switch module in this window. It is not required that you provide this infor[...]

  • Page 41

    2-11 Chapter 2 LAN Wizard How Do I... Step 1 From the category bar, click Routing. Step 2 In the Static Routing group, click Add.... The Add IP Static Route dialog box appears. Step 3 In the Prefix field, enter the IP address of the static route [...]

  • Page 42

    Chapter 2 LAN Wizard How Do I... 2-12 Step 5 Click Start Monitoring to see statistics for all selected data items. The Interface Details screen appears, displaying the statistics you selected. The screen defaults to showing real-time data, for which it po[...]

  • Page 43

    2-13 Chapter 2 LAN Wizard How Do I... The next time you use a wizard to configure the router and click Finish on the Summary window, the Deliver window will appear. In this window you can view the commands that you are delivering to the router’[...]

  • Page 44

    Chapter 2 LAN Wizard How Do I... 2-14[...]

  • Page 45

    CHAPTER 3-1 3 Create Connection Wizards The Create Connection wizards let you configure LAN and WAN connections for all SDM-supported interfaces. Create Connection This window allows you to create new LAN and WAN connections. Note You canno[...]

  • Page 46

    Chapter 3 Create Connection Wizards WAN Wizard Interface Welcome Window 3-2 The Other (Unsupported by SDM) radio button appears if an unsupported logical or physical interface exists, or if a supported interface exists that has been given an unsuppor[...]

  • Page 47

    3-3 Chapter 3 Create Connection Wizards ISDN Wizard Welcome Window ISDN Wizard Welcome Window PPP is the only type of encoding supported over ISDN BRI by SDM. Analog Modem Welcome Window PPP is the only type of encoding supported over an analog modem conne[...]

  • Page 48

    Chapter 3 Create Connection Wizards Select Interface 3-4 Select Interface This window appears if there are more than one interface of the type you selected in the Create Connection window. Choose the interface that you want to use for this connec[...]

  • Page 49

    3-5 Chapter 3 Create Connection Wizards IP Address: ATM with RFC 1483 Routing Dynamic (DHCP Client) If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses. I[...]

  • Page 50

    Chapter 3 Create Connection Wizards IP Address: Ethernet without PPPoE 3-6 IP Unnumbered Click IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP add[...]

  • Page 51

    3-7 Chapter 3 Create Connection Wizards IP Address: Serial with HDLC or Frame Relay Static IP Address If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP A[...]

  • Page 52

    Chapter 3 Create Connection Wizards IP Address: ISDN BRI or Analog Modem 3-8 IP Unnumbered Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whos[...]

  • Page 53

    3-9 Chapter 3 Create Connection Wizards Authentication Authentication This page is displayed if you enabled PPP for a serial connection, PPPoE or PPPoA encapsulation for an ATM or Ethernet connection, or if you are configuring an ISDN BRI or analog modem [...]

  • Page 54

    Chapter 3 Create Connection Wizards Switch Type and SPIDs 3-10 ISDN Switch Type Select the ISDN switch type. Contact your ISDN service provider for the switch type for your connection. SDM supports these BRI switch types: • For North America: – basi[...]

  • Page 55

    3-11 Chapter 3 Create Connection Wizards Dial String A SPID is usually a 7-digit telephone number with some optional numbers. However, service providers may use different numbering schemes. For the DMS-100 switch type, two SPIDs are assigned, one for [...]

  • Page 56

    Chapter 3 Create Connection Wizards Backup Configuration 3-12 Backup Configuration: Primary Interface & Next Hop IP Addresses In order for the ISDN BRI or analog modem connection to act as a backup connection, it must be associated with another int[...]

  • Page 57

    3-13 Chapter 3 Create Connection Wizards Advanced Options Advanced Options There are two advanced options available, based on the router’s configuration: Default static route, and Port Address Translation (PAT). If the Static Route option is [...]

  • Page 58

    Chapter 3 Create Connection Wizards Encapsulation 3-14 Autodetect Click Autodetect to have SDM discover the encapsulation type. If SDM succeeds, it will automatically supply the encapsulation type and other configuration parameters it dis[...]

  • Page 59

    3-15 Chapter 3 Create Connection Wizards PVC The encapsulations available if you have a serial interface are shown in the following table. PVC ATM routing uses a two-layer hierarchical scheme, virtual paths, and virtual channels, denoted by th[...]

  • Page 60

    Chapter 3 Create Connection Wizards Configure LMI and DLCI 3-16 VCI Enter the VCI value obtained from your service provider or system administrator. The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular conn[...]

  • Page 61

    3-17 Chapter 3 Create Connection Wizards Configure Clock Settings DLCI Enter the DLCI in this field. This number must be unique among all DLCIs used on this interface. Use IETF Frame Relay Encapsulation Internet Engineering Task Force (IETF) encapsu[...]

  • Page 62

    Chapter 3 Create Connection Wizards Configure Clock Settings 3-18 T1 Framing This field configures the T1 or E1 link for operation with D4 Super Frame (sf) or Extended Superframe (esf). The default is esf. Line Code This field configures the route[...]

  • Page 63

    3-19 Chapter 3 Create Connection Wizards Delete Connection Line Build Out (LBO) This field is used to configure the Line Build Out (LBO) of the T1 link. The LBO decreases the transmit strength of the signal by -7.5 or -15 decibels. It is not likel[...]

  • Page 64

    Chapter 3 Create Connection Wizards Delete Connection 3-20 To view the associations that the connection has: Click View Details. To delete the connection and all associations: Click Automatically delete all associations, and then click OK to caus[...]

  • Page 65

    3-21 Chapter 3 Create Connection Wizards Summary • Crypto — A crypto map is applied to the interface on which the connection was created. To delete the crypto map, click Configure; then click Interfaces and Connections. Click the connection in[...]

  • Page 66

    Chapter 3 Create Connection Wizards Connectivity testing and troubleshooting 3-22 Test the connectivity after configuring Check this box if you want SDM to test the connection you have configured after it delivers the commands to the router. SDM will [...]

  • Page 67

    3-23 Chapter 3 Create Connection Wizards Connectivity testing and troubleshooting 3. Checks for DHCP and IPCP configurations on the interface. 4. Exits interface test. 5. Pings the destination. SDM reports the results of each of these checks in the Acti[...]

  • Page 68

    Chapter 3 Create Connection Wizards Connectivity testing and troubleshooting 3-24 • the PPPoE tunnel status • the PPP authentication status After performing these checks, SDM reports the reason that the ping failed. If the ping fails on an Ethernet with[...]

  • Page 69

    3-25 Chapter 3 Create Connection Wizards Connectivity testing and troubleshooting Activity This column displays the troubleshooting activities. Status Displays the status of each troubleshooting activity by the following icons and text alerts: Reas[...]

  • Page 70

    Chapter 3 Create Connection Wizards How Do I... 3-26 How Do I... This section contains procedures for tasks that the wizard does not help you complete. How Do I View the IOS Commands I Am Sending to the Router? See How Do I View the IOS Comman[...]

  • Page 71

    3-27 Chapter 3 Create Connection Wizards How Do I... How Do I View Activity on My WAN Interface? You can view activity on a WAN interface by using the Monitor feature in SDM. Monitor screens can display statistics about the WAN interface, including the n[...]

  • Page 72

    Chapter 3 Create Connection Wizards, How Do I..., page 3-28. The interface is added to the pool of interfaces using NAT. Step 6 Review the Network Address Translation Rules in the NAT window. If you need to add, delete, or modify a rule, click the appropr[...]

  • Page 73

    Chapter 3 Create Connection Wizards, How Do I..., page 3-29. The Dynamic Routing dialog box appears, displaying the tab for the dynamic routing protocol you selected. Step 5 Using the fields in the Dynamic Routing dialog box, configure the dynamic routing pr[...]

  • Page 74

    Chapter 3 Create Connection Wizards, How Do I..., page 3-30. Step 4 Click Edit. The Connection tab appears. Step 5 Click Options. The Edit Dialer Option dialog box appears. Step 6 If you want the router to establish the connection only when it recogniz[...]

  • Page 75

    Chapter 3 Create Connection Wizards, How Do I..., page 3-31. Step 3 Select the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information. If you want to change other wireless parameters, click Launch Wireles[...]

  • Page 76

    Chapter 3 Create Connection Wizards, How Do I..., page 3-32. [...]

  • Page 77

    CHAPTER 4 Edit Interface/Connection, page 4-1. This window displays the router's interfaces and connections. The window also enables you to add, edit, and delete connections, and to enable or disable connections. Add: Clicking the Add button displays a[...]

  • Page 78

    Chapter 4 Edit Interface/Connection, page 4-2. Delete: Selecting a connection and clicking Delete displays a dialog box informing you of the associations this connection has and asking you if you want to remove the associations along with the connection[...]

  • Page 79

    Chapter 4 Edit Interface/Connection, page 4-3. If SDM is running on a Cisco 7000 router, you will be able to create a connection only on Ethernet and Fast Ethernet interfaces. IP Address: This column can contain the following types of IP addresses: • The[...]

  • Page 80

    Chapter 4 Edit Interface/Connection, page 4-4. Item Name: The name of the configuration item, such as IP address/Subnet mask, or IPSec policy. The actual items listed in this column depend on the type of interface selected. Item Value: If the named item has a co[...]

  • Page 81

    Chapter 4 Edit Interface/Connection, page 4-5. Why Are Some Interfaces or Connections Read-Only? There are many conditions that can prevent SDM from modifying a previously configured interface or subinterface. • For reasons why a previously configured [...]

  • Page 82

    Chapter 4 Edit Interface/Connection, Connection: Ethernet for IRB, page 4-6. Connection: Ethernet for IRB. This dialog box contains the following fields if you selected Ethernet for IRB in the Configure list. Current Bridge Group/Associated BVI: These read-only fi[...]

  • Page 83

    Chapter 4 Edit Interface/Connection, Connection: Ethernet for Routing, page 4-7. • Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, cho[...]

  • Page 84

    Chapter 4 Edit Interface/Connection, Connection: Ethernet for Routing, page 4-8. Dynamic DNS: Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Note: This feature appears only if suppor[...]

  • Page 85

    Chapter 4 Edit Interface/Connection, Connection: Ethernet for Routing, page 4-9. HTTP: HTTP is a dynamic DNS method type that updates a DNS service provider with changes to the associated interface's IP address. Server: If using HTTP, choose the domain ad[...]

  • Page 86

    Chapter 4 Edit Interface/Connection, Wireless, page 4-10. Wireless: If the router has a wireless interface, you can launch the Wireless Application from this tab. You can also launch the Wireless Application from the Tools menu by selecting Tools > Wirel[...]

  • Page 87

    Chapter 4 Edit Interface/Connection, Association, page 4-11. When a rule is applied to outbound traffic on an interface, the rule filters traffic after it has entered the router but before it exits the interface. Any packet that the rule does not permit is dr[...]

  • Page 88

    Chapter 4 Edit Interface/Connection, NAT, page 4-12. is Serial0/0, you would first select Tunnel3 in the Interfaces and Connections window, click Edit and associate the policy with it, and then click OK. Then you would select the Serial0/0 interface and[...]

  • Page 89

    Chapter 4 Edit Interface/Connection, General, page 4-13. Mode Group: Choose the type of VLAN information you want to be carried across this Ethernet switch port. Choosing Access causes the switch port to forward only data destined for the specific VLAN number. Choo[...]

  • Page 90

    Chapter 4 Edit Interface/Connection, General, page 4-14. Description: You can enter a short description in this field. This description will be visible in the Edit Interfaces and Connections window. A description can help others who might be less familiar w[...]

  • Page 91

    Chapter 4 Edit Interface/Connection, QoS, page 4-15. IP Route Cache-Flow: This option enables the Cisco IOS NetFlow feature. Using NetFlow, you can determine packet distribution, protocol distribution, and current flows of data on the router. This is valuab[...]

  • Page 92

    Chapter 4 Edit Interface/Connection, Select Ethernet Configuration Type, page 4-16. Dissociate Current QoS Policy checkbox: Enabled when a QoS policy is associated with the interface. Check to dissociate the currently associated policy from the interface. Asso[...]

  • Page 93

    Chapter 4 Edit Interface/Connection, Connection: Subinterfaces, page 4-17. VLAN ID: Enter the ID number of the new VLAN interface. If you are editing a VLAN interface, you cannot change the VLAN ID. Native VLAN Checkbox: Check if this VLAN is a nontrunking VLAN. [...]

  • Page 94

    Chapter 4 Edit Interface/Connection, Add or Edit BVI Interface, page 4-18. In this example, FastEthernet1.5 is configured for routing, and FastEthernet1.3 is configured for IRB. Note: You must choose the physical interface on which the subinterfaces are[...]

  • Page 95

    Chapter 4 Edit Interface/Connection, Connection: Ethernet LAN, page 4-19. Static IP Address: If you selected Static IP address, enter that IP address in this field. Subnet Mask: Enter the subnet mask in this field, or select the number of subnet bits from the f[...]

  • Page 96

    Chapter 4 Edit Interface/Connection, Connection: Ethernet WAN, page 4-20. IP Address of Remote DHCP Server: If you clicked DHCP Relay, enter the IP address of the DHCP server that will provide addresses to devices on the LAN. Connection: Ethernet WAN. This window l[...]

  • Page 97

    Chapter 4 Edit Interface/Connection, Ethernet Properties, page 4-21. Authentication: Click this button to enter CHAP/PAP authentication password information. Dynamic DNS: Enable dynamic DNS if you want to automatically update your DNS servers whenever the [...]

  • Page 98

    Chapter 4 Edit Interface/Connection, Connection: Ethernet with No Encapsulation, page 4-22. IP Address. Static IP Address: Available with PPPoE encapsulation and with no encapsulation. If you choose static IP address, enter the IP address and subnet mask or the[...]

  • Page 99

    Chapter 4 Edit Interface/Connection, Connection: ADSL, page 4-23. • Dynamic IP address — If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Then, enter the name or IP address of the DHCP server. Host name: If your servi[...]

  • Page 100

    Chapter 4 Edit Interface/Connection, Connection: ADSL, page 4-24. Encapsulation: Select the type of encapsulation that will be used for this link. • PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation. • PPPoA specifies Point-to-Point P[...]

  • Page 101

    Chapter 4 Edit Interface/Connection, Connection: ADSL, page 4-25. • Dynamic IP address — If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Then, enter the name or IP address of the DHCP server. • Unnumbered IP addre[...]

  • Page 102

    Chapter 4 Edit Interface/Connection, Connection: ADSL over ISDN, page 4-26. • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS M[...]

  • Page 103

    Chapter 4 Edit Interface/Connection, Connection: ADSL over ISDN, page 4-27. If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and recreate it using the value you need. Virtual[...]

  • Page 104

    Chapter 4 Edit Interface/Connection, Connection: G.SHDSL, page 4-28. • auto — Configure the ADSL line after auto-negotiating with the DSLAM located at the Central Office. • etsi — European Telecommunications Standards Institute mode. • multimode [...]

  • Page 105

    Chapter 4 Edit Interface/Connection, Connection: G.SHDSL, page 4-29. Encapsulation: Select the type of encapsulation that will be used for this link. • PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation. • PPPoA specifies Point-to-Po[...]

  • Page 106

    Chapter 4 Edit Interface/Connection, Connection: G.SHDSL, page 4-30. Static IP address: If you select Static IP address, enter the address that the interface will use, and the subnet mask, or the network bits. Obtain this information from your service provid[...]

  • Page 107

    Chapter 4 Edit Interface/Connection, Connection: G.SHDSL, page 4-31. Annex A (U.S.): Configures the regional operating parameters for North America. Annex B (Europe): Configures the regional operating parameters for Europe. Authentication: Click this button i[...]

  • Page 108

    Chapter 4 Edit Interface/Connection, Configure DSL Controller, page 4-32. Configure DSL Controller: SDM supports the configuration of the Cisco WIC-1SHDSL-V2. This WIC supports T1, E1, or a G.SHDSL connection over an ATM interface. SDM only supports a G.SHDSL[...]

  • Page 109

    Chapter 4 Edit Interface/Connection, Configure DSL Controller, page 4-33. If you have selected a 4-wire connection, you must select a fixed line rate. The supported line rates for a 4-wire connection are 384, 512, 640, 768, 896, 1024, 1152, 1280, 1408, 1664,[...]

  • Page 110

    Chapter 4 Edit Interface/Connection, Connection: G.SHDSL with DSL Controller, page 4-34. in this field and click Edit. This also will display the Connection: G.SHDSL with DSL Controller page, letting you edit the connection configuration. To delete a conn[...]

  • Page 111

    Chapter 4 Edit Interface/Connection, Connection: G.SHDSL with DSL Controller, page 4-35. IP Address: Select how the router will obtain an IP address for this link. The fields that appear in this area change according to the encapsulation type chosen. Your serv[...]

  • Page 112

    Chapter 4 Edit Interface/Connection, Connection: Serial Interface, Frame Relay Encapsulation, page 4-36. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods. • Choose an e[...]

  • Page 113

    Chapter 4 Edit Interface/Connection, Connection: Serial Interface, Frame Relay Encapsulation, page 4-37. Subnet Mask: If you selected Static IP address, enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network a[...]

  • Page 114

    Chapter 4 Edit Interface/Connection, Connection: Serial Interface, Frame Relay Encapsulation, page 4-38. Autosense: Default. This setting allows the router to detect which LMI type is being used by communicating with the switch and to then use that type. If aut[...]

  • Page 115

    Chapter 4 Edit Interface/Connection, Connection: Serial Interface, PPP Encapsulation, page 4-39. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: Serial Interface, PPP Encapsulation. Comple[...]

  • Page 116

    Chapter 4 Edit Interface/Connection, Connection: Serial Interface, PPP Encapsulation, page 4-40. Authentication: Click this button if you need to enter CHAP or PAP authentication information. Clock Settings: In most cases, clock settings should not be changed fro[...]

  • Page 117

    Chapter 4 Edit Interface/Connection, Connection: Serial Interface, HDLC Encapsulation, page 4-41. Connection: Serial Interface, HDLC Encapsulation. Fill out these fields if you are configuring a serial interface for HDLC encapsulation. If you are editing a c[...]

  • Page 118

    Chapter 4 Edit Interface/Connection, Add or Edit GRE Tunnel, page 4-42. The clock settings button will only appear if you are configuring a T1 or E1 serial connection. Dynamic DNS: Enable dynamic DNS if you want to automatically update your DNS servers [...]

  • Page 119

    Chapter 4 Edit Interface/Connection, Add or Edit GRE Tunnel, page 4-43. Tunnel Source: Select the interface that the tunnel will use. This interface must be reachable from the other end of the tunnel; therefore, it must have a public, routable IP add[...]

  • Page 120

    Chapter 4 Edit Interface/Connection, Connection: ISDN BRI, page 4-44. Connection: ISDN BRI. Complete these fields if you are configuring an ISDN BRI connection. Because SDM supports only PPP encapsulation over an ISDN BRI connection, the encapsulation shown is n[...]

  • Page 121

    Chapter 4 Edit Interface/Connection, Connection: ISDN BRI, page 4-45. Some service providers use SPIDs to define the services subscribed to by the ISDN device that is accessing the ISDN service provider. The service provider assigns the ISDN device one or[...]

  • Page 122

    Chapter 4 Edit Interface/Connection, Connection: ISDN BRI, page 4-46. Subnet Mask: Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address. This value is synchronized with the network bits. Obtain th[...]

  • Page 123

    Chapter 4 Edit Interface/Connection, Connection: Analog Modem, page 4-47. Connection: Analog Modem. Complete these fields if you are configuring an analog modem connection. Because SDM supports only PPP encapsulation over an analog modem connection, the enca[...]

  • Page 124

    Chapter 4 Edit Interface/Connection, Connection: Analog Modem, page 4-48. Subnet Mask: Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address. This value is synchronized with the network bits. Obtai[...]

  • Page 125

    Chapter 4 Edit Interface/Connection, Connection: (AUX Backup), page 4-49. Connection: (AUX Backup). Complete these fields if you are configuring an asynchronous dial-up connection using the console port to double as an AUX port on a Cisco 831 or 837. Once[...]

  • Page 126

    Chapter 4 Edit Interface/Connection, Connection: (AUX Backup), page 4-50. Clear Line: Click this button to clear the line. You should clear the line after creating an async connection so that interesting traffic triggers the connection. IP Address: Select either[...]

  • Page 127

    Chapter 4 Edit Interface/Connection, Authentication, page 4-51. Dynamic DNS: Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Note: This feature appears only if supported by your Cisc[...]

  • Page 128

    Chapter 4 Edit Interface/Connection, SPID Details, page 4-52. CHAP authentication is more secure than PAP authentication. Login Name: The login name is given to you by your Internet service provider and is used as the username for CHAP/PAP authentication. Passwo[...]

  • Page 129

    Chapter 4 Edit Interface/Connection, Dialer Options, page 4-53. SPID2: Enter the SPID to the second BRI B Channel provided to you by your ISP. Dialer Options: Both ISDN BRI and analog modem interfaces can be configured for Dial-on-Demand Routing (DDR), which [...]

  • Page 130

    Chapter 4 Edit Interface/Connection, Dialer Options, page 4-54. Idle timeout: Enter the number of seconds that will be allowed to pass before an idle connection (one that has no traffic passing over it) will be terminated. Fast idle timeout: The fast idle tim[...]

  • Page 131

    Chapter 4 Edit Interface/Connection, Backup Configuration, page 4-55. Backup Configuration: ISDN BRI and analog modem interfaces can be configured to work as backup interfaces to other, primary interfaces. In that case, an ISDN or analog modem connection will[...]

  • Page 132

    Chapter 4 Edit Interface/Connection, Backup Configuration, page 4-56. Next Hop Forwarding: These fields are optional. You can enter the IP address to which the primary and backup interfaces will connect when they are active. This is known as the next hop IP a[...]

  • Page 133

    CHAPTER 5 Create Firewall, page 5-1. A firewall is a set of rules used to protect the resources of your LAN. These rules filter the packets arriving at the router. If a packet does not meet the criteria specified in the rule, it is dropped. If it does me[...]

  • Page 134

    Chapter 5 Create Firewall, page 5-2. Advanced Firewall: Click this if you want SDM to lead you through the steps of configuring a firewall. You have the option to create a DMZ network, and to specify an inspection rule. The use case scenario shown when you s[...]

  • Page 135

    Chapter 5 Create Firewall, page 5-3. Have SDM help me create an Advanced Firewall. If your router has multiple inside and outside interfaces, and you want to configure a DMZ, you should select this option. Select Advanced Firewall. Then, click Launch the [...]

  • Page 136

    Chapter 5 Create Firewall, Basic Firewall Configuration Wizard, page 5-4. Basic Firewall Configuration Wizard: SDM will protect the LAN with a default firewall when you select this option. For SDM to do this, you must specify the inside and outside interfaces i[...]

  • Page 137

    Chapter 5 Create Firewall, Advanced Firewall Configuration Wizard, page 5-5. Source Host/Network: If you want to allow a single host access through the firewall, choose Host Address and enter the IP address of a host. Choose Network Address and enter the addres[...]

  • Page 138

    Chapter 5 Create Firewall, Advanced Firewall Configuration Wizard, page 5-6. Advanced Firewall DMZ Service Configuration: This window allows you to view rule entries that specify which services available inside the DMZ you want to make available through the rou[...]

  • Page 139

    Chapter 5 Create Firewall, Advanced Firewall Configuration Wizard, page 5-7. DMZ Service Configuration: Create or edit a DMZ service entry in this window. Host IP Address: Enter the address range that will specify the hosts in the DMZ that this entry applies to. Th[...]

  • Page 140

    Chapter 5 Create Firewall, Advanced Firewall Configuration Wizard, page 5-8. traffic on to the network. These rules cause the router to examine outgoing packets for specified types of traffic. Traffic arriving at the outside interface is compared [...]

  • Page 141

    Chapter 5 Create Firewall, Advanced Firewall Configuration Wizard, page 5-9. Application Security Configuration: SDM provides preconfigured application security policies that you can use to protect the network. Use the slider bar to select the security level that [...]

  • Page 142

    Chapter 5 Create Firewall, Advanced Firewall Configuration Wizard, page 5-10. Domain Name Server Configuration: The router must be configured with the IP address of at least one DNS server for application security to work. Click Enable DNS-based hostname-to-[...]

  • Page 143

    Chapter 5 Create Firewall, How Do I..., page 5-11. • Apply access rule to the inbound direction to permit IPSec tunnel traffic if necessary. • Apply access rule to the inbound direction to deny spoofing traffic. • Apply access rule to the inbound direct[...]

  • Page 144

    Chapter 5 Create Firewall, How Do I..., page 5-12. How Do I View Activity on My Firewall? Activity on your firewall is monitored through the creation of log entries. If logging is enabled on the router, whenever an access rule that is configured to generate[...]

  • Page 145

    Chapter 5 Create Firewall, How Do I..., page 5-13. The Edit a Rule dialog box appears. Step 5 The Rule Entry field shows each of the source IP/destination IP/service combinations that are permitted or denied by the rule. Click the rule entry that you want to [...]

  • Page 146

    Chapter 5 Create Firewall, How Do I..., page 5-14. To verify that the connection is working, verify that the interface status is "Up" in the Interfaces and Connections window. The following is an excerpt showing the configuration for an ISDN interf[...]

  • Page 147

    Chapter 5 Create Firewall, How Do I..., page 5-15. access-list 105 permit udp host 123.3.4.5 host 192.168.0.1 eq isakmp / access-list 105 permit udp host 123.3.4.5 host 192.168.0.1 eq non500-isakmp. How Do I Permit Specific Traffic Through a DMZ Interface? Follow the steps [...]

  • Page 148

    Chapter 5 Create Firewall, How Do I..., page 5-16. How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? You can use the Edit Firewall Policy tab to modify your firewall configuration to permit traffic from a new network or host.[...]

  • Page 149

    Chapter 5 Create Firewall, How Do I..., page 5-17. How Do I Configure NAT Passthrough for a Firewall? If you have configured NAT and are now configuring your firewall, you must configure the firewall so that it permits traffic from your public IP address. To do[...]

  • Page 150

    Chapter 5 Create Firewall, How Do I..., page 5-18. Step 1 From the left frame, select Additional Tasks. Step 2 In the Rules tree, select ACL Editor and then Access Rules. Step 3 Click Add. The Add a Rule dialog box appears. Step 4 In the Name/Number fie[...]

  • Page 151

    Chapter 5 Create Firewall, How Do I..., page 5-19. How Do I Associate a Rule with an Interface? If you use the SDM Firewall wizard, the access and inspection rules that you create are automatically associated with the interface for which you created the fire[...]

  • Page 152

    Chapter 5 Create Firewall, How Do I..., page 5-20. Step 5 Click in the inbound or outbound field, and then click the button to the right. Step 6 Click None (clear rule association). Step 7 Click OK. How Do I Delete a Rule That Is Associated with an Interface? SDM d[...]

  • Page 153

    Chapter 5 Create Firewall, How Do I..., page 5-21. Step 1 If you are at the Inspection Rules window, and you have clicked Java List, click the button to the right of the Number field and click Create a new rule (ACL) and select. The Add a Rule window op[...]

  • Page 154

    Chapter 5 Create Firewall, How Do I..., page 5-22. Step 2 Click Edit Firewall Policy/ACL. Step 3 To display the access rule you need to modify, select the outside (untrusted) interface as the From interface, and the inside (trusted) interface as the To int[...]

  • Page 155

    CHAPTER 6 Firewall Policy, page 6-1. The Firewall Policy feature lets you view and modify firewall configurations — access rules, and/or CBAC inspection rules — in the context of the interfaces whose traffic they filter. Using a graphical representatio[...]

  • Page 156

    Chapter 6 Firewall Policy, Edit Firewall Policy/ACL, page 6-2. 3. Come to the Firewall Policy window to edit the firewall policy you created. After configuring LAN and WAN interfaces and creating a firewall, you can open this window and get a graphic[...]

  • Page 157

    Chapter 6 Firewall Policy, Edit Firewall Policy/ACL, page 6-3. From – Select the interface from which the traffic flow you are interested in originates. The firewall will protect the network connected to the From interface. The From list contains only i[...]

  • Page 158

    Chapter 6 Firewall Policy, Edit Firewall Policy/ACL, page 6-4. Originating Traffic — Click this to highlight the part of the diagram that represents the traffic flow that enters the router at the From interface and exits the router at the To interface. Wh[...]

  • Page 159

Make Changes to Access Rules and Inspection Rules as Necessary

The policy panel shows the details of the rules applied to the selected traffic flow. The Policy panel is updated when the From and[...]

Service Area header fields

Firewall Feature Availability: If the Cisco IOS image that the router is using supports the Firewall feature, this field contains the value Available.

Access Rul[...]

the Extended entry dialog when you add an entry from the Edit Firewall Policy/ACL window. If you want to add a standard rule entry, you can do so in the Rules window.

Edit: Click to e[...]

If you want to apply a firewall that protects the network connected to the Ethernet 1 interface from traffic entering the Ethernet 0 interface, you can do so in the Rules window.

Service A[...]

Applications Area

This area appears if the Cisco IOS image running on the router supports CBAC inspection rules. The Applications area displays the inspection rule entries that are filtering the[...]

Global Settings: Click to display a dialog box that enables you to set global timeouts and thresholds.

Summary: Click to display the application or protocol name and description for each e[...]

Swap From and To Interfaces to Bring Other Rules into View

SDM only displays inspection rules for Originating traffic in the Applications area. If you want to view an inspection rule that is applie[...]

Alert Action. One of the following:
• default-on: Leave as default. The default value is on.
• on: Enable alert.
• off: Disable alert.

Audit Action. One of the following:
• default-o[...]

Alert Action. One of the following:
• default(on): Leave as default. The default value is on.
• on: Enable alert.
• off: Disable alert.

Audit Action. One of the following:
• default(o[...]

Audit Action. One of the following:
• default-off: Leave as default. The default value is off.
• on: Enable audit trail.
• off: Disable audit trail.

Timeout. Specify how long the route[...]

Type. One of the following:
• A Network: If you select this, provide a network address in the IP address field. Note that the wildcard mask enables you to enter a network number that may s[...]

• Keep inspection rule name on <interface-name> outbound and dissociate inspection rule name on <interface-name> inbound: SDM will keep one inspection rule, and dissociate the r[...]
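The Firewall Policy window is a view over ordinary IOS firewall configuration. The running-config below is an added example, not text from the guide, of what a two-interface firewall of the kind this chapter describes looks like on the router: an inspection rule applied to Originating traffic, an access rule applied inbound on the outside (To) interface for Returning traffic, and the per-application alert, audit-trail and timeout options. The interface names, addresses, the rule name SDM_LOW and the ACL number 101 are assumptions chosen for the example.

```cisco
! Added example: the CLI behind one Firewall Policy flow.
! From interface = FastEthernet0/1 (inside, trusted)
! To interface   = FastEthernet0/0 (outside, untrusted)
! Names and addresses are assumed, not taken from the guide.
!
! Inspection rule (CBAC). Each entry is one row of the Applications area;
! alert, audit-trail and timeout are the per-application options.
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW http alert on audit-trail on timeout 3600
ip inspect name SDM_LOW ftp audit-trail on
ip inspect name SDM_LOW icmp
!
! Access rule for Returning traffic, applied inbound on the To interface.
! Anything the inspection rule does not open dynamically must be permitted
! here explicitly, or the final deny drops it.
access-list 101 remark Returning traffic on the outside interface
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 203.0.113.1 echo-reply
access-list 101 permit icmp any host 203.0.113.1 time-exceeded
access-list 101 permit icmp any host 203.0.113.1 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip any any log
!
interface FastEthernet0/1
 description From interface (inside, the protected network)
 ip address 192.168.1.1 255.255.255.0
 ip inspect SDM_LOW in
!
interface FastEthernet0/0
 description To interface (outside)
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
```

`ip inspect SDM_LOW in` on the From interface and `ip inspect SDM_LOW out` on the To interface inspect the same Originating flow, which is why SDM, when it finds both, offers to keep one and dissociate the other. The first `deny` in ACL 101 rejects packets arriving from outside that carry an inside source address; without it, a spoofed packet would be evaluated as if it were Returning traffic. `show ip inspect sessions` lists the connections the inspection rule has opened, and `show ip access-lists 101` shows the hit count per entry.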

CHAPTER 7 Application Security

Application Security allows you to create security policies to govern the use of network and web applications. You can apply the policies that you create to specific interfaces, clone an existing policy to lev[...]

Application Security Windows

• Associate button: Click to display a dialog that allows you to associate the policy with an interface. The dialog allows you to choose the interface and to specify the traffic direc[...]

No Application Security Policy

SDM displays this window when you have clicked the Application Security tab but no Application Security policy has been configured on the router. You can[...]

E-mail

Specify the e-mail applications that you want to inspect in this window. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.

Edit Bu[...]

Reset: Resets the TCP connection if the client enters a non-protocol command before authentication is complete.

Router Traffic: Enables inspection of traffic destined to or originated from a router. Applicable[...]

HTTP

Set maximum URI length inspection check box: Check this box if you want to define a maximum length for Uniform Resource Identifiers (URIs). Specify the maximum length in bytes, and then use the Permit, Block, and[...]

Header Options

You can have the router permit or deny traffic based on HTTP header length and the request method contained in the header. Request methods are the commands sent to HTTP servers to fetch URLs,[...]

Click Permit, Block, and Alarm Controls to learn how to specify the action that the router is to take when it encounters traffic with the characteristics that you specify in this window.

Verify Content[...]

gzip checkbox: The encoding format produced by the GNU zip ("gzip") program.

Identity checkbox: Default encoding, which indicates that no encoding has been performed.

Instant Messaging

Use t[...]
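The HTTP and Instant Messaging windows above map onto an IOS Application Firewall (`appfw`) policy that is then referenced from an inspection rule. The policy below is an added example, not text from the guide: the policy name SDM_HIGH, the byte limits, the permitted methods and the interface are assumptions, and the keyword set is recalled from the 12.3T/12.4 Application Firewall command reference rather than copied from this page, so confirm each line with `?` on your image before committing it.

```cisco
! Added example: an Application Security policy as IOS CLI.
! Policy name, limits, actions and interface are assumptions.
appfw policy-name SDM_HIGH
 application http
  ! Protocol conformance: reset connections that are not well-formed HTTP
  strict-http action reset alarm
  ! "Set maximum URI length inspection": 256 bytes, Block + Alarm
  max-uri-length 256 action reset alarm
  ! Header Options: cap header length and restrict request methods
  max-header-length request 512 response 512 action reset alarm
  request-method rfc get action allow
  request-method rfc post action allow
  request-method rfc head action allow
  request-method rfc default action reset alarm
  request-method extension default action reset alarm
  ! Verify Content Type: the response Content-Type must match the body
  content-type-verification match-req-rsp action reset alarm
  ! Transfer-Encoding: allow the checked encodings, block everything else
  transfer-encoding type chunked action allow
  transfer-encoding type gzip action allow
  transfer-encoding type identity action allow
  transfer-encoding type default action reset alarm
  ! Port misuse: applications tunnelled over the HTTP port
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm
  audit-trail on
 ! Instant Messaging: text chat only; everything else is reset and logged
 application im yahoo
  service text-chat action allow alarm
  service default action reset alarm
  audit-trail on
 application im msn
  service default action reset alarm
 application im aol
  service default action reset alarm
!
! The policy takes effect only through an inspection rule applied to an
! interface (the Associate button): appfw plus the protocols it governs.
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH http
ip inspect name SDM_HIGH smtp
!
interface FastEthernet0/1
 description inside
 ip inspect SDM_HIGH in
```

In the guide's terms, Permit is `action allow`, Block is `action reset`, and Alarm is the trailing `alarm` keyword; `audit-trail on` adds per-session syslog messages. On a new policy start with `action allow alarm`, watch the log for a while, and only then switch entries to `reset`: a URI or header limit set too low resets legitimate sessions, and the alarms show you what the limit would have hit. `show ip inspect config` confirms that the appfw entry is part of the inspection rule actually applied to the interface.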

Applications/Protocols

This window allows you to create policy settings for applications and protocols that are not found in the other windows. To learn about the buttons and drawers av[...]

Global Timeouts and Thresholds

Options Column: This column can contain fields if there are other settings that have been made for the chosen item.

MAX Data: Specifies the maximum number of bytes (data) that can b[...]

TCP FIN Wait Timeout Value: The amount of time that a TCP session will still be managed after the firewall detects a FIN exchange. The default value is 4 seconds.

TCP Idle Timeout Value[...]

TCP Maximum Incomplete Sessions per Host: The router starts deleting half-open sessions for the same host when the total number for that host exceeds this number. The default number[...]

Edit Inspection Rule

Use this window to specify custom inspection rule settings for an application. Settings made here and applied to the router's configuration override the global sett[...]

MAX Data field: Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transfer Protocol (SMTP) session. After the maximum value is exceeded,[...]
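The Global Timeouts and Thresholds dialog and the Edit Inspection Rule window write the `ip inspect` global and per-rule commands shown below. This is an added example, not text from the guide; the values are illustrative rather than the defaults the guide quotes, and the rule name SDM_HIGH is an assumption. It shows the global session timers and half-open thresholds, and how a per-application setting in an inspection rule (MAX Data, timeout, audit trail) overrides the global value for sessions tracked by that rule only.

```cisco
! Added example: Global Timeouts and Thresholds as IOS CLI.
! Values are chosen for illustration, not copied from the guide.
!
! Session timers
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
!
! Half-open (embryonic) session thresholds. Above "high" the firewall
! starts deleting half-open sessions until the count falls below "low";
! the one-minute pair does the same for the rate of new half-open sessions.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! TCP Maximum Incomplete Sessions per Host: above 50 half-open sessions to
! the same destination host, delete the oldest. block-time 0 means delete
! only; a non-zero value also blocks new connections to that host for that
! many minutes, which turns a SYN flood at one server into a self-inflicted
! outage, so leave it at 0 unless you have a reason.
ip inspect tcp max-incomplete host 50 block-time 0
!
! Edit Inspection Rule: per-application values override the globals above
! for the sessions this rule tracks.
ip inspect name SDM_HIGH smtp max-data 20000000 timeout 600
ip inspect name SDM_HIGH tcp timeout 7200
ip inspect name SDM_HIGH udp timeout 15
ip inspect name SDM_HIGH http audit-trail on timeout 1800
```

`show ip inspect config` prints the effective global timers and thresholds together with every inspection rule and its per-protocol overrides, which is the quickest way to see which value actually applies to a given protocol.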


CHAPTER 8 Site-to-Site VPN

The help topics in this section describe the Site-to-Site configuration screens.

Create Site to Site VPN

A Virtual Private Network (VPN) lets you protect traffic that travels over lines that your organization may not[...]

What Do You Want to Do?

If you want to: Configure the router as part of a VPN network connecting two routers.
Do this: When you configure a VPN network between two routers, you can control how the[...]

Find out how to perform other VPN-related tasks that this wizard does not guide you through. Select a topic from the following list:
• How Do I View the IOS Commands I Am Sending to the R[...]

Site-to-Site VPN Wizard

You can have SDM use default settings for most of the configuration values, or you can let SDM guide you in configuring a VPN.

Configure an Easy VPN concentrator. Config[...]

What do you want to do?

View Defaults

This window displays the default Internet Key Exchange (IKE) policy, transform set, and IPSec rule that SDM will use to configure a Quick Setup site-to-sit[...]

VPN Connection Information

Use this window to identify the IP address or host name of the remote site that will terminate the VPN tunnel that you are configuring, to specify the router interfac[...]

Enter the pre-shared key, and then reenter it for confirmation. Exchange the pre-shared key with the administrator of the remote site through some secure and convenient method, such as an en[...]

Details: Click this button to obtain details about the interface you selected. The details window shows any access rules, IPSec policies, Network Address Translation (NAT) rules, or inspection rule[...]

Encryption

SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type is, the more processing time it requires.

Note
• Not all routers support all e[...]

Hash

The authentication algorithm to be used for the negotiation. SDM supports the following algorithms:
• SHA_1: Secure Hash Algorithm. A hash algorithm used to authenticate packet data[...]

To add or edit an IKE policy: If you want to add an IKE policy that is not included in this list, click Add and create the policy in the window displayed. Edit an existing policy by selecting it and[...]

ESP Encryption: The type of Encapsulating Security Payload (ESP) encryption used. If ESP encryption is not configured for this transform set, this column will be empty.

ESP Authentication: The type[...]

What Do You Want to Do?

Traffic to Protect

This window lets you define the traffic that this VPN protects. The VPN can protect traffic between specified subnets, or protect the traffic specified in a[...]

All traffic from this source subnet that has a destination IP address on the destination subnet will be protected.

Destination: Enter the address of the destination subnet, and specify the mask[...]

Spoke Configuration

If you have configured a DMVPN hub, you can have SDM generate a procedure that will assist you or other administrators in configuring DMVPN spokes. The procedure explains whi[...]

• The hash, encryption, DH group, and Authentication Type of the IKE policies that the hub uses, so that compatible IKE policies can be configured on the spoke.
• The ESP and Mode informa[...]

Details: Click to obtain details about the interface that you selected. The details window shows any access rules, IPSec policies, NAT rules, or inspection rules associated with the interface. If a[...]

Pre-Shared Key: Click this button if the VPN peers use a pre-shared key for authentication, then enter the pre-shared key and reenter it for confirmation. Exchange the pre-shared key[...]

Backup GRE Tunnel Information

You can configure a backup GRE-over-IPSec tunnel that the router can use when the primary tunnel fails. This tunnel will use the same interface that you configured fo[...]

Routing Information

This window enables you to configure routing for the tunneled traffic. Information that you add in this window appears in the Routing window. Changes that you make in the Rout[...]

Static Routing

Static routing can be used in smaller VPN deployments in which only a few private networks participate in the GRE-over-IPSec VPN. You can configure a static route for each remot[...]

• Do split tunneling: Split tunneling allows traffic that is destined for the network specified in the IP Address and Network Mask fields to be encrypted and routed through the tunnel interf[...]

• RIP: Routing Information Protocol.
• Static Routing. This option is enabled when you are configuring a GRE over IPSec tunnel.

Note RIP is not supported for DMVPN hub-and-spoke topology but[...]
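The GRE-over-IPSec pages (Backup GRE Tunnel Information, Routing Information, Static Routing) produce tunnel interfaces, a crypto map that protects the GRE packets, and routes that point the remote private networks into the tunnels. The configuration below is an added example, not text from the guide: addresses, names, the administrative distance and the keepalive timers are assumptions. It shows a primary and a backup tunnel from the same source interface and the static-routing option, with a floating static route that takes over when GRE keepalives bring the primary tunnel down.

```cisco
! Added example: GRE over IPsec with a backup tunnel and static routing.
! Names, addresses and distances are assumptions for the example.
! Local public address 203.0.113.1; the remote site is reachable at
! 203.0.113.2 (primary) and 203.0.113.3 (backup); its private network
! is 192.168.2.0/24.
!
! IKE policy and pre-shared keys, one per tunnel destination
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Example-PSK-Change-Me address 203.0.113.2
crypto isakmp key Example-PSK-Change-Me address 203.0.113.3
!
! Transport mode is sufficient: the GRE header already carries the tunnel
! endpoints, so a second outer IP header adds nothing.
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! What IPsec protects is the GRE traffic between the endpoints; the
! private subnets ride inside GRE and never appear in these ACLs.
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
access-list 111 permit gre host 203.0.113.1 host 203.0.113.3
crypto map GRE-CMAP 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address 110
crypto map GRE-CMAP 2 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set GRE-TS
 match address 111
!
interface Tunnel0
 description Primary GRE tunnel
 ip address 10.10.10.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
!
interface Tunnel1
 description Backup GRE tunnel (same source interface, different destination)
 ip address 10.10.10.5 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.3
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map GRE-CMAP
!
! Static Routing: one route per remote private network via the primary
! tunnel, plus a floating static (higher administrative distance) via the
! backup. When three keepalives in a row go unanswered, Tunnel0's line
! protocol drops, the first route disappears and the second is installed.
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel1 10
```

Without `keepalive`, a GRE tunnel stays up as long as a route to its destination exists, so the failover never happens; the keepalive is what makes the backup tunnel useful. The RIP option replaces the two static routes with `router rip` advertising the tunnel and LAN networks. Either way, check `show ip route 192.168.2.0` to see which tunnel carries the prefix, and some older IOS releases also require the crypto map on the Tunnel interfaces themselves, so check the release notes for your image if the `show crypto ipsec sa` counters stay at zero.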

Edit Site-to-Site VPN

Use this window to create and manage VPN connections to remote systems. You can create, edit, and delete VPN connections, and reset existing connections. You can also use this window to configure[...]

Sequence Number: The sequence number for this connection. Because an IPSec policy may be used in more than one connection, the combination of the sequence number and IPSec policy name unique[...]

Delete Button: Click to delete a selected VPN connection.

Test Tunnel... Button: Click to test a selected VPN tunnel. The results of the test will be shown in another window.

Clear Connection Button: Clic[...]

Step 2 Select a policy from the Choose IPSec Policy list. Click OK to return to the VPN Connections window.

Add Additional Crypto Maps

Use this window to add a new crypto map to an existing IPSec p[...]

What Do You Want to Do?

Crypto Map Wizard: Welcome

This wizard will guide you through the creation of a crypto map. A crypto map specifies the peer devices at the other end of the VPN connection, def[...]

Security Association Lifetime

IPSec security associations use shared keys. These keys and their security associations time out together. There are two lifetimes: a timed lifetime and a traffic-v[...]

Crypto Map Wizard: Peers

A crypto map includes the names or IP addresses of the peers involved in the security association. This screen allows you to add and remove peers associated with this cry[...]

What Do You Want to Do?

Crypto Map Wizard: Traffic to Protect

This window lets you define which traffic is encrypted. You can specify that all traffic to the remote device be encrypted; you can sp[...]

All traffic from this source subnet that has a destination IP address on the destination subnet will be encrypted.

Destination: Enter the address of the destination subnet, and specify the mask for t[...]
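The Site-to-Site VPN wizard pages (IKE policy, transform set, Traffic to Protect) and the Crypto Map wizard pages (sequence number, Security Association Lifetime, Peers, Traffic to Protect) all end up as the handful of crypto commands below. This is an added example, not text from the guide; the addresses, subnets, names, lifetimes and the pre-shared key are assumptions. It shows one IPSec policy (crypto map) with two connections (sequence numbers) on the same interface, each with its own peer and IPSec rule, which is also what "Add Additional Crypto Maps" produces.

```cisco
! Added example: a site-to-site tunnel as the CLI the wizards produce.
! Addresses, subnets, names and the pre-shared key are assumptions.
! Local peer 203.0.113.1, local subnet 192.168.1.0/24
! Remote peer 203.0.113.2, remote subnet 192.168.2.0/24
!
! IKE policy (IKE Proposals). Lower number = tried first.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared keys (Authentication), bound to each remote peer address
crypto isakmp key Example-PSK-Change-Me address 203.0.113.2
crypto isakmp key Another-PSK-Change-Me address 203.0.113.3
!
! Transform set: ESP encryption + ESP authentication, tunnel mode
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Security Association Lifetime, global: timed and traffic-volume.
! The SA is renegotiated when whichever limit is reached first.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
! Traffic to Protect (the IPSec rule): source subnet -> destination subnet
access-list 100 remark IPSec rule: traffic to 203.0.113.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark IPSec rule: traffic to 203.0.113.3
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Crypto map = IPSec policy; the sequence number identifies the connection.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 203.0.113.2
 set peer 203.0.113.2
 set transform-set ESP-3DES-SHA
 set security-association lifetime seconds 1800
 match address 100
!
! Second connection on the same interface: another sequence number in the
! same IPSec policy, its own peer and its own IPSec rule.
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 203.0.113.3
 set peer 203.0.113.3
 set transform-set ESP-3DES-SHA
 match address 102
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map SDM_CMAP_1
```

Only one crypto map can be applied to an interface, so every tunnel that terminates on that interface is a sequence number within that one map; entries are tried in sequence order, so the IPSec rules must not overlap in a way that lets a lower number capture traffic meant for a higher one. The per-map `set security-association lifetime` overrides the global value for that connection only. `show crypto isakmp sa` should show the peer in state QM_IDLE once IKE is up, and `show crypto ipsec sa` shows the encrypt/decrypt counters per SA.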

Delete Connection

Use this window to delete a VPN tunnel, or simply to disassociate it from an interface but preserve the definition for future use.

Delete the crypto map with sequence number n from IP[...]

Destination: Select the IP address that you want to ping. If the address you want to use is not in the list, you can enter a different one in the field.

To ping a remote peer: Specify the source and dest[...]

may be used on the remote router, but the policies and transform sets may be different. If the text file is simply copied into the remote configuration file, configuration errors are likely to result.

SDM War[...]

How Do I Create a VPN to More Than One Site?

You can use SDM to create multiple VPN tunnels on one interface on your router. Each VPN tunnel will connect the selected interface on your router to a different[...]

Step 12 Click Finish.

Create an Additional Tunnel from the Same Source Interface

After you have created the initial VPN tunnel, follow these steps to create an additional tunnel from the same source interface[...]

• If you entered the same IP address in the Peer Identity field as you used for the initial VPN connection, indicating that this VPN tunnel will use the same router interface as the initial VPN tunnel, th[...]

Caution Do not apply the mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration. Use it only as a starting point to build the con[...]

Step 7 If you need to modify any of the components of the connection, such as the IPSec policy or the existing crypto map, note the names of those components in the VPN window, and go to the appropriate win[...]

If you are viewing IKE SA information, you can verify that your VPN connection is working by verifying that the source and destination IP addresses are correct, and that the state is "QM_IDLE", ind[...]

Step 1 From the left frame, select VPN.

Step 2 From the VPN tree, select VPN Components, and then IPSec Policies.

Step 3 In the IPSec Policies table, click the IPSec policy that contains the crypto map t[...]

How Do I Configure a VPN After I Have Configured a Firewall?

In order for a VPN to function with a firewall in place, the firewall must be configured to permit traffic between the local and remote peer IP addre[...]

Step 10 In the IP Address and Wildcard Mask fields, enter the IP address and wildcard mask of the VPN source peer.

Step 11 In the Destination Host/Network group, from the Type field, select A Network.

Step 12 I[...]
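The procedure above adds access rule entries through the Edit Firewall Policy/ACL window; the entries it needs to produce, and the ordering trap when you add them by hand, are shown below as an added example that is not text from the guide. ACL 101 is assumed to be the existing inbound firewall ACL on the outside interface, ending in `deny ip any any log`; the peer addresses and subnets are examples.

```cisco
! Added example: opening the outside-interface firewall ACL for a tunnel.
! ACL 101 is assumed to be the existing inbound firewall ACL and to end
! with "deny ip any any log". Addresses are examples:
! local peer 203.0.113.1, remote peer 203.0.113.2,
! local subnet 192.168.1.0/24, remote subnet 192.168.2.0/24.
!
! Edit the numbered ACL in named mode with sequence numbers so that the
! new entries land before the existing ones. A plain
! "access-list 101 permit ..." appends after the final deny, where the
! entry can never match.
ip access-list extended 101
 5 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 6 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 7 permit esp host 203.0.113.2 host 203.0.113.1
 8 permit ahp host 203.0.113.2 host 203.0.113.1
 9 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
```

`eq isakmp` is UDP 500 and `eq non500-isakmp` is UDP 4500 (IKE and ESP through NAT); entry 8 is only needed if the transform set uses AH. Entry 9 covers releases that evaluate the decrypted packet against the inbound ACL a second time; on releases that skip that second check it simply never matches. An inspection rule on the interface does not help here, because IKE and ESP are not sessions it tracks, so these permits must be explicit. After the tunnel comes up, `show ip access-lists 101` should show the sequence order you intended and rising counters on entries 5 to 7.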

CHAPTER 9 Easy VPN Remote

Create Easy VPN Remote

SDM allows you to configure your router as a client to an Easy VPN server or concentrator. Your router must be running a Cisco IOS software image that supports Easy VPN Phase II. To be able to com[...]

Connection Settings

The information entered in this window identifies the Easy VPN tunnel, the Easy VPN server or concentrator that the router will connect to, and the way you want traffic to be ro[...]

Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the[...]

User Authentication (XAuth)

User authentication (XAuth) appears in this window if the Cisco IOS image on the router supports Easy VPN Remote Phase III. If user authentication does not appear, it[...]

Inside Interfaces

Choose the inside (LAN) interface to associate with this Easy VPN configuration. You can choose multiple inside interfaces, with the following restrictions:
• If you choose an[...]

With the automatic setting, the VPN tunnel is established automatically when the Easy VPN configuration is delivered to the router configuration file. However, you will not be able to control the[...]

ID and password to log on to the router, and then provide the XAuth login and password for the Easy VPN server or concentrator. You must follow this process when you click Finish and the configuration[...]

Edit Easy VPN Remote

Name: The name given to this Easy VPN connection.

Mode: Choose client or network extension. In client mode, the VPN concentrator or server assigns a single IP address to all traffic coming from the r[...]

Inside Interfaces: These are the inside interfaces included in this Easy VPN connection. All hosts connected to these interfaces are part of the VPN.

Easy VPN Server: The names or IP addresses of the Easy[...]

• The credentials are automatically sent because they have been saved on the router.

Add Button: Add a new Easy VPN Remote connection.

Edit Button: Edit the specified Easy VPN Remote connection.[...]

• The XAuth response is set to be requested from SDM or the router console.
• The tunnel is waiting for XAuth credentials (the connection has been initiated).

If the connection is set to automatic[...]

Connect to an Easy VPN server for which the router has a configured connection. If the connection uses manual tunnel control, choose the connection, then click Connect. Connections that use a[...]

Add or Edit Easy VPN Remote

Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network.

Note This windo[...]

Network Extension: Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The dev[...]

    9-91 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 9 E asy VPN Remote Edit Easy VPN Remote Group Key Enter t he IPSec group password. The gro up pa ssword must m atch the group password defined on the VPN concentra tor or server . Ob tain this in formatio n from your ne twork admin istrator . Confirm [...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-92:
The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined on a VPN remote access server. This server can be a dedicated VPN dev[...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-93:
Servers: You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first.
Add: Click to specify the n[...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-94:
Add or Edit Easy VPN Remote: Authentication Information. This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase III. If the image supports Easy VPN Client Phase II[...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-95:
Manually enter the username and password in a web browser window. If you choose this option, you can check the checkbox to use basic HTTP authentication to compensate for legacy web browsers th[...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-96:
Please Enter the Username: Enter the SSH or Telnet account username that you will use to log in to this router.
Please Enter the Password: Enter the password associated with the SSH or Telnet account [...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-97:
Servers: You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first. Click the Add button to sp[...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-98:
You can enable remote management of the router by checking the box to request a server-assigned IP address for your router. This IP address can be used for connecting to your router for remot[...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-99:
Enter the IPSec group name in the Group Name field and the new IKE key value in the New Key field. Reenter the new key for confirmation in the Confirm Key field. If the values in the New Key and Conf[...]


Chapter 9 Easy VPN Remote, Edit Easy VPN Remote, page 9-100:
The information is saved in the router configuration file and used each time the tunnel is established.
Caution: Storing the XAuth username and password in router memory creates a security risk beca[...]


Chapter 9 Easy VPN Remote, How Do I..., page 9-101:
Outside Interface: Choose the outside interface that connects to the Easy VPN server or concentrator.
Note: Cisco 800 routers do not support the use of interface E0 as the outside interface.
Connection Con[...]


Chapter 9 Easy VPN Remote, How Do I..., page 9-102:
How Do I Edit an Existing Easy VPN Connection? To edit an existing Easy VPN remote connection, follow these steps:
Step 1: From the left frame, choose VPN.
Step 2: In the VPN tree, choose Easy VPN Remote.
Ste[...]


Chapter 9 Easy VPN Remote, How Do I..., page 9-103:
If the ISDN, async, or analog modem interface has been configured, follow these steps:
Step 1: From the left frame, click Interfaces and Connections.
Step 2: Click the Edit Interface/Connection tab.
Step 3[...]




CHAPTER 10, Easy VPN Server, page 10-105:
The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP [...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-106:
Create an Easy VPN Server: Click to create an Easy VPN server configuration on your router.
Launch the Easy VPN Server Wizard Button: Click to start the wizard.
Welcome to the Easy VPN Server [...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-107:
If you choose both preshared keys and digital certificates, entering a key value in the Add Group Policy general setup window is optional.
Group Authorization: Group Policy Lookup. This wind[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-108:
User Authentication (XAuth): You can configure user authentication on Easy VPN Server. You can store user authentication details on an external server such as a RADIUS server or a local data[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-109:
Add User Credentials Button: Click to add a user account.
User Accounts for XAuth: Add an account for a user you want to authenticate after IKE has authenticated the device.
User Accounts: The us[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-110:
Ping: Ping an already existing RADIUS server or newly configured RADIUS server.
Group Authorization: User Group Policies. This window allows you to add, edit, clone or delete user group policies [...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-111:
Idle Timer: Disconnecting idle VPN tunnels can help the Easy VPN Server run more efficiently by reclaiming unused resources. Click the Configure Idle Timer check box and enter a value for th[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-112:
Select from an Existing Pool: Choose the range of IP addresses from the existing pool of IP addresses.
Note: This field cannot be edited if there are no predefined IP address pools.
Subnet Mask[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-113:
WINS: Enter the primary and secondary WINS server IP address in the fields provided. Entering a secondary WINS server address is optional.
Domain Name: Specify the domain name that shoul[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-114:
Enter the Protected Subnets: Add or remove the subnets for which the packets are tunneled from the VPN clients.
Choose the Split Tunneling ACL: Choose the ACL to use for split tunneling.
Split DNS[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-115:
Client Settings: This window allows you to configure additional attributes for security policy such as adding or removing a backup server, Firewall Are-U-There, and Include-Local-LAN. N[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-116:
Browser Proxy: You can specify browser proxy settings for Easy VPN software clients. The Easy VPN Server sends the browser proxy settings to Easy VPN software clients requesting that information[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-117:
What Do You Want to Do?
Choose Browser Proxy Settings: From the drop-down list, choose the browser proxy settings you want to associate with the group.
Note: To add new settings, choose Add Bro[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-118:
Browser Proxy Settings Name: If you are adding browser proxy settings, enter a name that will appear in drop-down menus listing browser proxy settings. If you are editing browser proxy settings,[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-119:
User Authentication (XAuth): This allows you to configure additional attributes for user authentication, such as Group Lock and Save Password Attributes.
XAuth Banner: Enter the text for a ban[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-120:
Client Update: This window allows you to set up client software or firmware update notifications, and displays existing client update entries. Existing client update entries can be selected for ed[...]


Chapter 10 Easy VPN Server, Create an Easy VPN Server, page 10-121:
Add or Edit Client Update Entry: This window allows you to configure a new client update entry.
Client Type: Enter a client type or choose one from the drop-down menu. Client type names are [...]


Chapter 10 Easy VPN Server, Browser Proxy Settings, page 10-122:
Test VPN Connectivity After Configuring: Click to test the VPN connection you have just configured. The results of the test appear in a separate window.
Browser Proxy Settings: This window li[...]


Chapter 10 Easy VPN Server, Add or Edit Easy VPN Server, page 10-123:
Exceptions List: A list of IP addresses for which you do not want clients to use the proxy server.
Add Button: Configure new browser proxy settings.
Edit Button: Edit the specified browser prox[...]


Chapter 10 Easy VPN Server, Add or Edit Easy VPN Server, page 10-124:
Interface Column: The name of the interface used for this connection.
Group Authorization Column: The name of the method list used for group policy lookup.
User Authentication Column: The n[...]


Chapter 10 Easy VPN Server, Add or Edit Easy VPN Server, page 10-125:
Add or Edit Easy VPN Server Connection: This window lets you add or edit an Easy VPN Server connection.
Choose an Interface: If you are adding a connection, choose the interface to use from [...]


Chapter 10 Easy VPN Server, Group Policies Configuration, page 10-126:
Restrict Access: This window allows you to specify which group policies are allowed to use the Easy VPN connection. Allow a group access to the Easy VPN Server connection by checking its ch[...]


Chapter 10 Easy VPN Server, Group Policies Configuration, page 10-127:
Add, Edit, Clone, and Delete Buttons: Use these buttons to manage group policies on the router. Clicking Clone displays the Group Policy edit tabs.
Send Update Button: Click to send an IKE n[...]


Chapter 10 Easy VPN Server, Group Policies Configuration, page 10-128:
Details Window: The Details window is a list of feature settings and their values for the chosen group policy. Feature settings are displayed only if they are supported by your Cisco router's[...]


Chapter 10 Easy VPN Server, Local Pools, page 10-129:
The maximum number of connections a user can establish simultaneously. SDM supports a maximum of 10 simultaneous logins per user.
• XAuth Banner: The text message shown to clients during XAuth [...]


Chapter 10 Easy VPN Server, Local Pools, page 10-130:
Add or Edit IP Local Pool: This window lets you create or edit a local pool of IP addresses.
Pool Name: If you are creating a pool, enter the pool name. If you are editing a pool, this field is disabled.
IP A[...]


CHAPTER 11, DMVPN, page 11-1:
These help topics provide information about Dynamic Multipoint Virtual Private Network (DMVPN) configuration screens.
Dynamic Multipoint VPN: This wizard will help you to configure your router as a Dynamic Multipoint VPN (DM[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-2:
It is important to configure the hub first because spokes must be configured using information about the hub. If you are configuring a hub, you can use the Spoke Configuration feature available in the S[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-3:
SDM's Configure Spoke feature enables you to create a text file that contains the information that spoke administrators need about the hub's configuration. This feature is available from the Sum[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-4:
Digital Certificates: Select this button if your router uses digital certificates for authentication. Digital certificates are configured under VPN Components > Public Key Infrastructure.
Confirm P[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-5:
Advanced Button: SDM provides default values for advanced tunnel settings. However, the hub administrator must decide on the tunnel settings and give them to the personnel administering spoke routers so th[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-6:
Tunnel Key: Enter the key to use for this tunnel. This key should be the same for all mGRE tunnels in the network. SDM Default: 100000
Bandwidth: Enter the intended bandwidth, in kilobytes per second [...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-7:
IP Address of hub's mGRE tunnel interface: Enter the IP address of the mGRE tunnel interface on the primary hub. Obtain this information from the hub administrator.
Select Routing Protocol: Use this window [...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-8:
Select an existing OSPF process ID/EIGRP AS number: You can select an existing process ID for OSPF or AS number for EIGRP if one has been previously configured. See Recommendations for Configuring Routing[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-9:
Edit — Click to edit the data for an advertised network or group of networks. This button is enabled for entries that you created during the current instance of this wizard.
Delete — Click to delete t[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-10:
Fully Meshed Network: Select if you are configuring the router as a spoke capable of establishing a direct IPSec tunnel to other spokes in the network. A multipoint GRE tunnel is configured on the spo[...]


Chapter 11 DMVPN, Dynamic Multipoint VPN, page 11-11:
Re-register with hub when IP address of interface-name changes — This option is available when the interface you selected receives a dynamic IP address via DHCP or IPCP. Specifying this option wil[...]


Chapter 11 DMVPN, Edit Dynamic Multipoint VPN (DMVPN), page 11-12:
Firewall: If a firewall has been applied to the interface that was designated as the tunnel source, SDM can add access rule entries to the configuration so that GRE, IPSec, and ISAKMP traffi[...]


Chapter 11 DMVPN, Edit Dynamic Multipoint VPN (DMVPN), page 11-13:
IPSec Profile: The IPSec profile that the tunnel uses. The IPSec profile defines the transform sets that are used to encrypt traffic on the tunnel. SDM supports the use of only IPSec profiles[...]


Chapter 11 DMVPN, Edit Dynamic Multipoint VPN (DMVPN), page 11-14:
General Panel: In this panel add or edit general configuration parameters of the DMVPN tunnel.
IP Address: Enter the IP address of the tunnel. This must be a private address and must be in[...]


Chapter 11 DMVPN, Edit Dynamic Multipoint VPN (DMVPN), page 11-15:
Bandwidth: Enter the intended bandwidth, in kilobytes per second (kbps). Default bandwidth values are set during startup; the bandwidth values can be displayed using the show interfaces E[...]


Chapter 11 DMVPN, Edit Dynamic Multipoint VPN (DMVPN), page 11-16:
Hold Time: Enter the number of seconds that NHRP network IDs should be advertised as valid.
Network ID: Enter the NHRP Network ID. The network ID is a globally unique, 32-bit network ident[...]


Chapter 11 DMVPN, Edit Dynamic Multipoint VPN (DMVPN), page 11-17:
Destination Reachable through NBMA network — Enter the IP address of the mGRE tunnel configured on the primary hub. Spokes and backup hubs use this tunnel information to establish contact w[...]


Chapter 11 DMVPN, Edit Dynamic Multipoint VPN (DMVPN), page 11-18:
RIP Fields: If you selected RIP as the dynamic routing protocol, select Version 1, Version 2, or Default. If you select Version 2, the router will include the subnet mask in the rou[...]


Chapter 11 DMVPN, How Do I Configure a DMVPN Manually?, page 11-19:
How Do I Configure a DMVPN Manually? You can configure your router as a DMVPN hub or spoke using the VPN Components windows and the Edit Dynamic Multipoint VPN (DMVPN) window. In order to do so[...]


Chapter 11 DMVPN, How Do I Configure a DMVPN Manually?, page 11-20:
To specify the networks you want to advertise to the DMVPN: If there are networks behind your router that you want to advertise to the DMVPN, you can do so by adding the network numbers i[...]


CHAPTER 12, VPN Global Settings, page 12-21:
These help topics describe the VPN Global Settings windows.
VPN Global Settings: This window displays the VPN global settings for the router.
Edit Button: Click the Edit button to add or change VPN global settings.
Ena[...]


Chapter 12 VPN Global Settings, VPN Global Settings, page 12-22:
XAuth Timeout: The number of seconds the router is to wait for a system to respond to the XAuth challenge.
IKE Identity: Either the host name of the router or the IP address that the router[...]


Chapter 12 VPN Global Settings, VPN Global Settings, page 12-23:
IPSec Security Association (SA) Lifetime (Kilobytes): The number of kilobytes that the router can send over the VPN connection before the IPSec SA expires. The SA will be renewed after the [...]


Chapter 12 VPN Global Settings, VPN Global Settings, page 12-24:
Keepalive: Specify the number of seconds that the router should maintain a connection when it is not being used.
Retry: Specify the number of seconds that the router should wait between attempt[...]


Chapter 12 VPN Global Settings, VPN Global Settings, page 12-25:
VPN Key Encryption Settings: The VPN Key Encryption Settings window appears if the Cisco IOS image on your router supports Type 6 encryption, also referred to as VPN key encryption. You ca[...]




CHAPTER 13, IP Security, page 13-27:
IP Security (IPSec) is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; i[...]


Chapter 13 IP Security, IPSec Policies, page 13-28:
Name: The name of this IPSec policy.
Type: One of the following:
• ISAKMP — IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. SDM [...]


Chapter 13 IP Security, IPSec Policies, page 13-29:
Dynamic Crypto Map Sets in this IPSec Policy
Dynamic Crypto Map Set Name: The name of this dynamic crypto map set. Names enable administrators to understand how the crypto map set is used.
Sequence Number[...]


Chapter 13 IP Security, IPSec Policies, page 13-30:
Crypto Maps in this IPSec policy: This box lists the crypto maps in this IPSec policy. The list includes the name, the sequence number, and the transform set that makes up this crypto map. You can select a [...]


Chapter 13 IP Security, IPSec Policies, page 13-31:
Add or Edit Crypto Map: General Panel. Change general crypto map parameters in this window. This window contains the following fields.
Name of IPSec Policy: A read-only field that contains the name of the polic[...]


Chapter 13 IP Security, IPSec Policies, page 13-32:
independently. It thus ensures that if one key is compromised, no other keys will be. If you enable PFS, you can specify use of the Diffie-Hellman group1, group2, or group 5 method.
Note: If your router doe[...]


Chapter 13 IP Security, IPSec Policies, page 13-33:
Note: A crypto map can contain a maximum of 6 transform sets.
Available Transform Sets: Configured transform sets available for use in crypto maps. If no transform sets have been configured on the router, t[...]


Chapter 13 IP Security, IPSec Policies, page 13-34:
Add or Edit Crypto Map: IPSec Rules Panel. Use this screen to add or change the IPSec rule used in this crypto map. IPSec rules contain access rule entries that determine the traffic to be encrypted. The IPSec[...]


Chapter 13 IP Security, Dynamic Crypto Map Sets, page 13-35:
Dynamic Crypto Map Sets: This window lists the dynamic crypto map sets configured on the router.
Add/Edit/Delete Buttons: Use these buttons to manage the crypto maps in the window. If you try t[...]


Chapter 13 IP Security, IPSec Profiles, page 13-36:
Associate Crypto Map with this IPSec Policy
Sequence Number: Enter a sequence number to identify this crypto map set. This sequence number cannot be in use by any other crypto map set.
Select the Dynamic Crypto Ma[...]


Chapter 13 IP Security, Transform Set, page 13-37:
Delete: Click to edit a selected IPSec profile. If the profile you are deleting is currently used in a DMVPN tunnel, you must configure the DMVPN tunnel to use a different IPSec profile.
Add or Edit IPSec Pro[...]


Chapter 13 IP Security, Transform Set, page 13-38:
You can create multiple transform sets and then specify one or more of them in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negoti[...]


Chapter 13 IP Security, Transform Set, page 13-39:
ESP Integrity: Indicates the integrity algorithm being used. This column will contain a value when the transform set is configured to provide both data integrity and encryption. The column will contain one o[...]


Chapter 13 IP Security, Transform Set, page 13-40:
What Do You Want to Do?
Add or Edit Transform Set: Use this window to add or edit a transform set. To obtain a description of the allowable transform combinations, and descriptions of the transforms, click Allow[...]


Chapter 13 IP Security, Transform Set, page 13-41:
• Easy VPN Servers do not support ESP-SEAL encryption.
Name of this transform set: This can be any name that you want. The name does not have to match the name in the transform set that the peer uses, but i[...]


Chapter 13 IP Security, Transform Set, page 13-42:
• ESP_NULL. Null encryption algorithm, but encryption transform used.
Note: The types of ESP encryption available depend on the router. Depending on the type of router you are configuring, one or more of[...]


Chapter 13 IP Security, IPSec Rules, page 13-43:
Note: Not all routers support IP compression. If your router does not support IP compression, this box is disabled.
IPSec Rules: This window shows the IPSec rules configured for this router. IPSec rul[...]


Chapter 13 IP Security, IPSec Rules, page 13-44:
Source: An IP address or keyword that specifies the source of the traffic. Any specifies that the source can be any IP address. An IP address in this column may appear alone, or it may be followed by a wildc[...]


CHAPTER 14, Internet Key Exchange, page 14-45:
The help topics in this section describe the Internet Key Exchange (IKE) configuration screens.
Internet Key Exchange (IKE): Internet Key Exchange (IKE) is a standard method for arranging for secure, authenticat[...]


Chapter 14 Internet Key Exchange, Internet Key Exchange (IKE), page 14-46:
IKE Policies: IKE negotiations must be protected; therefore, each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which securit[...]


Chapter 14 Internet Key Exchange, Internet Key Exchange (IKE), page 14-47:
Hash: The authentication algorithm for negotiation. There are two possible values:
• Secure Hash Algorithm (SHA)
• Message Digest 5 (MD5)
Authentication: The authentication [...]


Chapter 14 Internet Key Exchange, Internet Key Exchange (IKE), page 14-48:
Add or Edit IKE Policy: Add or edit an IKE policy in this window.
Note:
• Not all routers support all encryption types. Unsupported types will not appear in the screen.
• Not all IOS i[...]


14-49 Chapter 14 Internet Key Exchange, Internet Key Exchange (IKE)
• AES-192 — Advanced Encryption Standard (AES) encryption with a 192-bit key.
• AES-256 — Advanced Encryption Standard (AES) encryption with a 256-bit key.
Hash
The a[...]

Chapter 14 Internet Key Exchange, Internet Key Exchange (IKE), 14-50
Lifetime
This is the lifetime of the security association, in hours, minutes and seconds. The default is one day, or 24:00:00.
IKE Pre-shared Keys
This window allows you to view, add[...]
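The IKE Policies pages above describe each peer agreeing on a shared policy made of the parameters the Add or Edit IKE Policy window exposes (encryption, hash, authentication, DH group, lifetime). The following Python is an added example, not SDM or IOS code, of how a responder walks its policies in priority order to find one the initiator also offers. The matching rule it uses (the four suite parameters must be identical; the shorter of the two lifetimes is used) and the sets of parameters it flags as weak are assumptions of this example, and every policy in it is constructed.

```python
"""IKE phase 1 policy selection, modelled on the parameters the SDM IKE
Policies window exposes. Added example, not SDM or IOS code; the matching
rule and the weak-parameter sets are assumptions of this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # lower value is preferred (tried first)
    encryption: str      # e.g. "AES-256", "3DES"
    hash: str            # "SHA" or "MD5", as on the Hash field
    authentication: str  # e.g. "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group number
    lifetime: int        # seconds; 86400 is the 24:00:00 default on the page

    def suite(self) -> Tuple[str, str, str, int]:
        # The four parameters that must be identical on both peers.
        return (self.encryption, self.hash, self.authentication, self.group)


# Parameters a policy review should flag (assumed sets, flagged not rejected).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5"}
WEAK_GROUPS = {1, 2}


def select_policy(responder: List[IkePolicy],
                  initiator: List[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """Walk the responder's policies in priority order and return the first
    one whose suite the initiator also offers, with the negotiated lifetime.
    Assumption: the shorter of the two lifetimes is used."""
    offered = {p.suite(): p for p in initiator}
    for local in sorted(responder, key=lambda p: p.priority):
        remote = offered.get(local.suite())
        if remote is not None:
            return local, min(local.lifetime, remote.lifetime)
    return None  # no common policy: the IKE negotiation fails


def weak_parameters(policy: IkePolicy) -> List[str]:
    """List the parameters of a policy that a review should flag."""
    findings = []
    if policy.encryption in WEAK_ENCRYPTION:
        findings.append(f"encryption {policy.encryption}")
    if policy.hash in WEAK_HASH:
        findings.append(f"hash {policy.hash}")
    if policy.group in WEAK_GROUPS:
        findings.append(f"DH group {policy.group}")
    return findings


# Constructed sample: the responder prefers AES-256/SHA; the initiator lists
# a legacy 3DES/MD5 policy first but also offers the strong suite.
RESPONDER = [
    IkePolicy(10, "AES-256", "SHA", "pre-share", 5, 86400),
    IkePolicy(20, "3DES", "MD5", "pre-share", 2, 86400),
]
INITIATOR = [
    IkePolicy(10, "3DES", "MD5", "pre-share", 2, 3600),
    IkePolicy(20, "AES-256", "SHA", "pre-share", 5, 43200),
]

if __name__ == "__main__":
    print(select_policy(RESPONDER, INITIATOR))
    for p in RESPONDER + INITIATOR:
        print(p.priority, weak_parameters(p) or "ok")
```

The point of the constructed sample is that the responder's priority order, not the initiator's, decides which common suite wins: the AES-256/SHA policy is chosen even though the initiator listed 3DES/MD5 first. Keeping a legacy policy at a low priority on the responder is what makes that work; listing it first would select it whenever the peer offers it.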

14-51 Chapter 14 Internet Key Exchange, Internet Key Exchange (IKE)
Add or Edit Pre Shared Key
Use this window to add or edit a pre-shared key.
Key
This is an alphanumeric string that will be exchanged with the remote peer. The same key must be co[...]

Chapter 14 Internet Key Exchange, Internet Key Exchange (IKE), 14-52
IP Address/Subnet Mask
These fields appear if you selected "IP Address" in the Peer field. Enter the IP address of a network or subnet in the IP Address field. The pre-shared [...]

CHAPTER 15 VPN Troubleshooting, 15-53
SDM can troubleshoot VPN connections that you have configured. SDM reports the success or failure of the connection tests, and when tests have failed, recommends actions that you can take to correct connection p[...]

Chapter 15 VPN Troubleshooting, VPN Troubleshooting, 15-54
Peer
The IP address or host name of the devices at the other end of the VPN connection.
Summary
Click this button if you want to view the summarized troubleshooting information.
Details
Clic[...]

15-55 Chapter 15 VPN Troubleshooting, VPN Troubleshooting: Specify Easy VPN Client
Test Specific Client Button
This button is enabled if you are testing connections for an Easy VPN server configured on the router. Click this button and specify the cl[...]

Chapter 15 VPN Troubleshooting, VPN Troubleshooting: Generate Traffic, 15-56
Continue Button
After selecting the traffic generation type you want, click this button to continue testing.
Close Button
Click this button to close the window.
VPN Tr[...]

15-57 Chapter 15 VPN Troubleshooting, VPN Troubleshooting: Generate GRE Traffic
Have SDM generate VPN Traffic
Select this option if you want SDM to generate VPN traffic on the interface for debugging.
Note: SDM will not generate VPN traffic when the VPN[...]

Chapter 15 VPN Troubleshooting, SDM Warning: SDM will enable router debugs..., 15-58
Have SDM generate VPN Traffic
Select this option if you want SDM to generate VPN traffic on the interface for debugging.
Enter the remote tunnel IP address
Enter [...]

CHAPTER 16 Security Audit, 16-1
Security Audit is a feature that examines your existing router configurations and then updates your router in order to make your router and network more secure. Security Audit is based on the Cisco IOS AutoSecure f[...]

Chapter 16 Security Audit, 16-2
The Welcome page of the Security Audit wizard appears.
Step 3 Click Next>. The Security Audit Interface Configuration page appears.
Step 4 The Security Audit wizard needs to know which of your router interfaces [...]

16-3 Chapter 16 Security Audit
One-Step Lockdown
This option tests your router configuration for any potential security problems and automatically makes any necessary configuration changes to correct any problems found. The conditions checked f[...]

Chapter 16 Security Audit, Welcome Page, 16-4
• Enable NetFlow Switching
• Disable IP Redirects
• Disable IP Proxy ARP
• Disable IP Directed Broadcast
• Disable MOP Service
• Disable IP Unreachables
• Disable IP Mask Reply
• Disable IP [...]

16-5 Chapter 16 Security Audit, Report Card Page
Outside Column
This column displays a check box for each interface listed in the Interface column. Check the check box for each interface that connects to a network outside of your network, such as[...]

Chapter 16 Security Audit, Fix It Page, 16-6
you selected, collecting further input from you as necessary, and will then display a list of the new configuration commands that will be added to the router configuration.
Fix All
Click this button to pla[...]

16-7 Chapter 16 Security Audit, Fix It Page
The configuration that will be delivered to the router to disable the Finger service is as follows:
no service finger
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable PAD Se[...]

Chapter 16 Security Audit, Fix It Page, 16-8
The configuration that will be delivered to the router to disable TCP small servers is as follows:
no service tcp-small-servers
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disabl[...]

16-9 Chapter 16 Security Audit, Fix It Page
In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should be disabled or filtered via a firewall for this reason as well. The configuration that will be delivered to the router to disable[...]

Chapter 16 Security Audit, Fix It Page, 16-10
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable IP Source Route
Security Audit disables IP source routing whenever possible. The IP protocol supports source routing option[...]

16-11 Chapter 16 Security Audit, Fix It Page
Enable TCP Keepalives for Inbound Telnet Sessions
Security Audit enables TCP keepalive messages for both inbound and outbound Telnet sessions whenever possible. Enabling TCP keepalives causes th[...]

Chapter 16 Security Audit, Fix It Page, 16-12
service sequence-numbers
Enable IP CEF
Security Audit enables Cisco Express Forwarding (CEF) or Distributed Cisco Express Forwarding (DCEF) whenever possible. Because there is no need to build cache en[...]

16-13 Chapter 16 Security Audit, Fix It Page
This configuration change will require every password on the router, including the user, enable, secret, console, AUX, tty, and vty passwords, to be at least six characters in length. This configura[...]

Chapter 16 Security Audit, Fix It Page, 16-14
connections, this can overwhelm and disable the host. Setting the TCP synwait time to 10 seconds causes the router to shut down an incomplete connection after 10 seconds, preventing the buildup of incomple[...]

16-15 Chapter 16 Security Audit, Fix It Page
logging console critical
logging trap debugging
logging buffered <log buffer size>
logging <logging server ip address>
Set Enable Secret Password
Security Audit will configure the enable secret [...]

Chapter 16 Security Audit, Fix It Page, 16-16
The configuration that will be delivered to the router to disable SNMP is as follows:
no snmp-server
Set Scheduler Interval
Security Audit configures the scheduler interval on the router whenever possible. When a rou[...]

16-17 Chapter 16 Security Audit, Fix It Page
Set Users
Security Audit secures the console, AUX, vty, and tty lines by configuring Telnet user accounts to authenticate access to these lines whenever possible. Security Audit will display a dia[...]

Chapter 16 Security Audit, Fix It Page, 16-18
NetFlow identifies flows of network packets based on the source and destination IP addresses and TCP port numbers. NetFlow then can use just the initial packet of a flow for comparison to ACLs and for other [...]

16-19 Chapter 16 Security Audit, Fix It Page
The configuration that will be delivered to the router to disable proxy ARP is as follows:
no ip proxy-arp
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable IP Directed Broadca[...]

Chapter 16 Security Audit, Fix It Page, 16-20
Disable MOP Service
Security Audit will disable the Maintenance Operations Protocol (MOP) on all Ethernet interfaces whenever possible. MOP is used to provide configuration information to the router when c[...]

16-21 Chapter 16 Security Audit, Fix It Page
in the internetwork. ICMP mask reply messages are sent to the device requesting the information by devices that have the requested information. These messages can be used by an attacker to gain network mapping[...]

Chapter 16 Security Audit, Fix It Page, 16-22
Enable Unicast RPF on Outside Interfaces
Security Audit enables unicast Reverse Path Forwarding (RPF) on all interfaces that connect to the Internet whenever possible. RPF is a feature that causes the route[...]
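To make the unicast RPF item concrete, the following Python is an added example (not SDM or IOS code) of the check the router performs: the source address of an arriving packet is looked up in the routing table, and in strict mode the packet is accepted only if the best route back to that source leaves through the interface it arrived on. The routing table and the packets are constructed; the treatment of the default route (ignored unless `allow_default` is set) mirrors the IOS `allow-default` option as the author understands it and is an assumption of the example, not something the page states.

```python
"""Strict and loose unicast RPF checks over a small routing table. Added
example, not IOS code; routes and packets are constructed. Assumption: the
default route is ignored unless allow_default is set (IOS allow-default)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, egress interface)

# Constructed routing table (not from the page).
ROUTES: List[Route] = [
    ("10.1.0.0/16", "FastEthernet0/0"),  # inside LAN
    ("10.1.5.0/24", "FastEthernet0/1"),  # a more specific inside segment
    ("192.0.2.0/24", "Null0"),           # black-holed prefix
    ("0.0.0.0/0", "Serial0/0"),          # default route towards the Internet
]


def best_route(table: List[Route], address: str,
               allow_default: bool = False) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match; the default route only counts if allow_default."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(table: List[Route], src: str, ingress: str,
                allow_default: bool = False) -> bool:
    """Accept only if the best route back to the source leaves through the
    interface the packet arrived on (IOS: ip verify unicast source reachable-via rx)."""
    hit = best_route(table, src, allow_default)
    return hit is not None and hit[1] == ingress


def urpf_loose(table: List[Route], src: str, allow_default: bool = False) -> bool:
    """Accept if any route to the source exists other than one via Null0
    (IOS: ip verify unicast source reachable-via any)."""
    hit = best_route(table, src, allow_default)
    return hit is not None and hit[1] != "Null0"


def check_ingress(table: List[Route], packets: List[Tuple[str, str]],
                  outside: str = "Serial0/0") -> List[Tuple[str, str, str]]:
    """Apply strict uRPF on the outside interface only, as the Security Audit
    item does; inside interfaces are left unchecked in this example."""
    verdicts = []
    for src, ingress in packets:
        ok = urpf_strict(table, src, ingress, allow_default=True) if ingress == outside else True
        verdicts.append((src, ingress, "accept" if ok else "drop"))
    return verdicts


# Constructed packets: a normal Internet source, an inside address arriving
# from the Internet (spoofed), and the same inside address on its own segment.
PACKETS = [("203.0.113.9", "Serial0/0"), ("10.1.5.7", "Serial0/0"), ("10.1.5.7", "FastEthernet0/1")]

if __name__ == "__main__":
    for verdict in check_ingress(ROUTES, PACKETS):
        print(*verdict)
```

The second packet is the case the Security Audit item exists for: an inside address arriving on the Internet-facing interface, which strict RPF drops because the route to 10.1.5.0/24 points at FastEthernet0/1. Loose mode would accept it (a route exists), so the strict form is the right one for a single-homed outside interface; loose mode is the usual choice only where asymmetric routing makes strict checks drop legitimate traffic.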

16-23 Chapter 16 Security Audit, Fix It Page
destination addresses. Without CBAC, advanced application traffic is permitted only by writing Access Control Lists (ACLs). This approach leaves firewall doors open, so most administrators tend to deny all [...]

Chapter 16 Security Audit, Fix It Page, 16-24
access-class <std-acl-num>
Enable SSH for Access to the Router
If the Cisco IOS image running on the router is a crypto image (an image that uses 56-bit Data Encryption Standard (DES) encryption and is su[...]
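The Fix It pages above each name one Security Audit item and, for several of them, the exact configuration SDM delivers (no service finger, no service tcp-small-servers, no ip proxy-arp, no snmp-server, service sequence-numbers, the logging lines). The following Python is an added example, not SDM code, of running those checks offline against a saved running-config, which is a useful way to verify a fix was applied or to audit a router SDM cannot reach. Where the page shows the fix command it is used as given; for the remaining items (BOOTP, source routing, CEF, password length, synwait time, keepalives, password encryption, MOP, redirects, unreachables, mask reply, directed broadcast, uRPF) the standard IOS forms are used. The sample configuration is constructed and the check names are this example's own.

```python
"""Offline check of an IOS running-config against the Security Audit items on
the Fix It pages. Added example, not SDM code; sample config is constructed."""
import re
from typing import Dict, List, Tuple

# Global commands whose presence fails a check: (check, pattern, fix).
PRESENT_IS_BAD = [
    ("Disable Finger Service", r"^service finger$", "no service finger"),
    ("Disable TCP Small Servers", r"^service tcp-small-servers", "no service tcp-small-servers"),
    ("Disable UDP Small Servers", r"^service udp-small-servers", "no service udp-small-servers"),
    ("Disable BOOTP Server", r"^ip bootp server$", "no ip bootp server"),
    ("Disable IP Source Route", r"^ip source-route$", "no ip source-route"),
    ("Disable SNMP", r"^snmp-server ", "no snmp-server"),
]
# Global commands whose absence fails a check (min-length must be 6 or more).
ABSENT_IS_BAD = [
    ("Enable Sequence Numbers", r"^service sequence-numbers$", "service sequence-numbers"),
    ("Enable IP CEF", r"^ip cef$", "ip cef"),
    ("Set Minimum Password Length", r"^security passwords min-length (?:[6-9]|\d{2,})$",
     "security passwords min-length 6"),
    ("Set TCP Synwait Time", r"^ip tcp synwait-time 10$", "ip tcp synwait-time 10"),
    ("Enable TCP Keepalives In", r"^service tcp-keepalives-in$", "service tcp-keepalives-in"),
    ("Enable Password Encryption", r"^service password-encryption$", "service password-encryption"),
    ("Enable Logging Trap", r"^logging trap ", "logging trap debugging"),
    ("Enable Logging Buffer", r"^logging buffered ", "logging buffered <log buffer size>"),
]
IFACE_NO_FORMS = [  # interface sub-commands expected on every interface
    ("Disable IP Redirects", "no ip redirects"),
    ("Disable IP Proxy ARP", "no ip proxy-arp"),
    ("Disable IP Directed Broadcast", "no ip directed-broadcast"),
    ("Disable IP Unreachables", "no ip unreachables"),
    ("Disable IP Mask Reply", "no ip mask-reply"),
]

# Constructed sample running-config (not from the page).
SAMPLE_CONFIG = """\
service finger
service tcp-small-servers
service password-encryption
ip source-route
ip bootp server
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
 no ip redirects
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 no ip proxy-arp
 no ip directed-broadcast
!
snmp-server community public RO
logging buffered 4096
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str, outside_interfaces: Tuple[str, ...] = ()) -> List[Tuple[str, str, str]]:
    """Return one (scope, check, fix) finding per failed Security Audit item."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for check, pattern, fix in PRESENT_IS_BAD:
        if any(re.match(pattern, line) for line in global_lines):
            findings.append(("global", check, fix))
    for check, pattern, fix in ABSENT_IS_BAD:
        if not any(re.match(pattern, line) for line in global_lines):
            findings.append(("global", check, fix))
    for iface, lines in interfaces.items():
        for check, no_form in IFACE_NO_FORMS:
            if no_form not in lines:
                findings.append((iface, check, no_form))
        # MOP is an Ethernet-only item; uRPF applies to outside interfaces only.
        if iface.lower().startswith(("ethernet", "fastethernet", "gigabitethernet")) and "no mop enabled" not in lines:
            findings.append((iface, "Disable MOP Service", "no mop enabled"))
        if iface in outside_interfaces and not any(l.startswith("ip verify unicast") for l in lines):
            findings.append((iface, "Enable Unicast RPF", "ip verify unicast reverse-path"))
    return findings


def remediation(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Render findings as the configuration lines a Fix It run would deliver."""
    lines = [fix for scope, _, fix in findings if scope == "global"]
    for iface in sorted({scope for scope, _, _ in findings if scope != "global"}):
        lines.append(f"interface {iface}")
        lines.extend(f" {fix}" for scope, _, fix in findings if scope == iface)
    return lines
```

Run `remediation(audit(SAMPLE_CONFIG, outside_interfaces=("Serial0/0",)))` to get the list of commands; the interface checks only pass when the explicit `no` form is present in the saved configuration, which is how IOS records those settings once they have been changed from their defaults.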

16-25 Chapter 16 Security Audit, Configuration Summary Screen
• Configure authentication and authorization for VTY lines. The local database will be used for both authentication and authorization.
• Configure authentication for a console line. The[...]

Chapter 16 Security Audit, SDM and Cisco IOS AutoSecure, 16-26
• Disable IP Proxy ARP
• Disable IP Directed Broadcast
• Disable MOP Service
• Disable IP Unreachables
• Disable IP Unreachables on NULL Interface
• Disable IP Mask Reply
• E[...]

16-27 Chapter 16 Security Audit, Security Configurations SDM Can Undo
• Configuring AAA — If the Authentication, Authorization, and Accounting (AAA) service is not configured, AutoSecure configures local AAA and prompts for configuration of a loca[...]

Chapter 16 Security Audit, Undoing Security Audit Fixes, 16-28
Undoing Security Audit Fixes
SDM can undo this security fix. If you want SDM to remove this security configuration, run the Security Audit wizard. In the Report Card window, select the opt[...]

16-29 Chapter 16 Security Audit, Configure User Accounts for Telnet/SSH Page
User Name
Enter the username for the new account in this field.
Password
Enter the password for the new account in this field.
Confirm Password
Reenter the new account password in[...]

Chapter 16 Security Audit, Enable Secret and Banner Page, 16-30
Delete Button
Click a user account in the table to select it, and click this button to delete the selected account.
Enable Secret and Banner Page
This screen lets you enter a new enable se[...]

16-31 Chapter 16 Security Audit, Logging Page
Logging Page
This screen lets you configure the router log by creating a list of syslog servers where log messages will be forwarded, and by setting the logging level, which determines the minimum severity a [...]

Chapter 16 Security Audit, Logging Page, 16-32
Immediate action needed
– 2 - critical: Critical conditions
– 3 - errors: Error conditions
– 4 - warnings: Warning conditions
– 5 - notifications: Normal but significant condition
– 6 - informatio[...]

CHAPTER 17 Routing, 17-1
The Routing window displays the configured static routes and Routing Internet Protocol (RIP), Open Shortest Path First (OSPF), and Extended Interior Gateway Routing Protocol (EIGRP) configured routes. From this window, you can[...]

Chapter 17 Routing, 17-2
What Do You Want To Do?
Note
• If SDM detects a previously configured static route entry that has the next hop interface configured as the "Null" interface, then the static route entry will be read-only.
• If SDM detec[...]

17-3 Chapter 17 Routing, Add or Edit IP Static Route
Item Value
This column contains the text "Enabled," and configuration values when a routing type has been configured. It contains the text "Disabled" when a routing protocol has not bee[...]

Chapter 17 Routing, Add or Edit IP Static Route, 17-4
Prefix
Enter the IP address of the destination network. For more information, refer to Available Interface Configurations.
Prefix Mask
Enter the destination address subnet mask. Make this the de[...]

17-5 Chapter 17 Routing, Add or Edit an RIP Route
Add or Edit an RIP Route
Use this window to add or edit a Routing Internet Protocol (RIP) route.
RIP Version
The values are RIP version 1, RIP version 2, and Default. Select the version supported by the [...]

Chapter 17 Routing, Add or Edit an OSPF Route, 17-6
IP Network List
Enter the networks that you want to create routes to. Click Add to add a network. Click Delete to delete a network from the list.
Network
The address of the destination network for [...]

17-7 Chapter 17 Routing, Add or Edit EIGRP Route
Add or Edit EIGRP Route
Use this window to add or delete an Extended IGRP (EIGRP) route.
Autonomous System Number
The autonomous system number is used to identify the router's EIGRP routing proces[...]

Chapter 17 Routing, Add or Edit EIGRP Route, 17-8 [...]

CHAPTER 18 Network Address Translation, 18-1
Network Address Translation (NAT) is a robust form of address translation that extends addressing capabilities by providing both static address translations and dynamic address translations. NAT allows a [...]

Chapter 18 Network Address Translation, Network Address Translation Wizards, 18-2
If your network has email servers, web servers, or other types of servers and you want them to accept connections from the Internet, choose Advanced NAT and click t[...]

18-3 Chapter 18 Network Address Translation, Network Address Translation Wizards
To remove a network from the NAT configuration, clear its checkbox.
Note: If SDM detects a conflict between the NAT configuration and an existing VPN configuratio[...]

Chapter 18 Network Address Translation, Network Address Translation Wizards, 18-4
Advanced NAT Wizard: Connection
Choose an Interface
From the drop down menu, choose the interface that connects to the Internet. This is the router's WAN interface. A[...]

18-5 Chapter 18 Network Address Translation, Network Address Translation Wizards
• Any comments entered about the network
To remove a network from the NAT configuration, clear its checkbox. To add a network not directly connected to your rout[...]

Chapter 18 Network Address Translation, Network Address Translation Wizards, 18-6
To reorder the list based on the private IP addresses, click the column head Private IP Address. To reorder the list based on the public IP addresses, click the column[...]

18-7 Chapter 18 Network Address Translation, Network Address Translation Wizards
Type of Server
This field appears only if you choose to show advanced options with the Show or Hide Advanced button. Choose one of the following server types from the [...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-8
Advanced NAT Wizard: VPN Conflict
If this Advanced NAT wizard window appears, SDM has detected a conflict between the NAT configuration and an existing VPN configuration [...]

18-9 Chapter 18 Network Address Translation, Network Address Translation Rules
Address Pools
Click this button to configure or edit address pools. Address pools are used with dynamic address translation. The router can dynamically assign address[...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-10
Rule Type
Rules are either static address translation rules or dynamic address translation rules. Static address translation allows hosts with private addresses to access[...]

18-11 Chapter 18 Network Address Translation, Network Address Translation Rules
Make translation timeout settings. Click Translation Timeouts, and make settings in the Translation Timeouts window.
Add a NAT rule. Click Add, and create the NAT[...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-12
Note: There are many conditions that cause previously-configured NAT rules to appear as read-only in the Network Address Translation Rules list, causing the rule to not [...]

18-13 Chapter 18 Network Address Translation, Network Address Translation Rules
DNS Timeout
Enter the number of seconds after which connections to DNS servers time out.
ICMP Timeout
Enter the timeout value for Internet Control Message Protocol (ICMP[...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-14
Edit Route Map
When VPNs and NAT are both configured on a router, packets that would normally meet the criteria for an IPSec rule will not do so if NAT translates their[...]

18-15 Chapter 18 Network Address Translation, Network Address Translation Rules
Edit Route Map Entry
Use this window to edit the access list specified in a route map entry.
Name
A read-only field containing the name of the route map entry.
Seq No.
A [...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-16
Address
This field contains the IP address range in the pool. Devices whose IP addresses match the access rule specified in the Add Address Translation rule window will be g[...]

18-17 Chapter 18 Network Address Translation, Network Address Translation Rules
Port Address Translation (PAT)
There may be times when most of the addresses in the pool have been assigned, and the IP address pool is nearly depleted. When this occu[...]
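The Address Pools, Translation Timeouts and PAT pages above describe three behaviours that interact: the router hands out pool addresses to inside hosts, entries expire on per-protocol timers (the DNS and ICMP timeouts among them), and once the pool is depleted PAT can multiplex further hosts onto one address by port. The following Python is an added example, not IOS code, that models those three behaviours together so the sequence can be traced. All addresses, ports and traffic are constructed; the timeout values are the author's understanding of the IOS defaults and should be treated as assumptions, as should the simplified port allocator and the choice to fall back to PAT only after the pool is empty.

```python
"""Dynamic NAT pool with PAT fallback and per-protocol translation timeouts.
Added example, not IOS code: addresses, ports, traffic and the timeout
values are constructed assumptions for this example."""
import itertools
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, int]  # (global address, port)

# Assumed defaults: generic/TCP one day, UDP 5 minutes, DNS and ICMP 60 seconds.
DEFAULT_TIMEOUTS = {"generic": 86400, "tcp": 86400, "udp": 300, "dns": 60, "icmp": 60}


class NatPool:
    def __init__(self, pool: List[str], pat_address: Optional[str] = None,
                 timeouts: Optional[Dict[str, int]] = None) -> None:
        self.free = list(pool)              # global addresses not yet assigned
        self.pat_address = pat_address      # None: no PAT once the pool is depleted
        self.timeouts = dict(DEFAULT_TIMEOUTS, **(timeouts or {}))
        # inside host -> (global address, last seen): one-to-one dynamic entries
        self.host_map: Dict[str, Tuple[str, float]] = {}
        # (host, port, proto) -> (global port, last seen): PAT entries
        self.pat_map: Dict[Tuple[str, int, str], Tuple[int, float]] = {}
        self._ports = itertools.count(1024)  # simplified sequential port allocator

    def expire(self, now: float) -> None:
        """Drop idle entries; one-to-one entries return their address to the pool."""
        for host, (addr, seen) in list(self.host_map.items()):
            if now - seen > self.timeouts["generic"]:
                del self.host_map[host]
                self.free.append(addr)
        for key, (port, seen) in list(self.pat_map.items()):
            if now - seen > self.timeouts.get(key[2], self.timeouts["generic"]):
                del self.pat_map[key]

    def translate(self, host: str, port: int, proto: str, now: float) -> Optional[Entry]:
        """Inside-to-outside translation of one packet; None means untranslatable."""
        self.expire(now)
        if host in self.host_map:               # existing one-to-one entry
            addr, _ = self.host_map[host]
            self.host_map[host] = (addr, now)
            return (addr, port)
        if self.free:                           # pool still has an address
            addr = self.free.pop(0)
            self.host_map[host] = (addr, now)
            return (addr, port)
        if self.pat_address is None:            # depleted and no PAT configured
            return None
        key = (host, port, proto)               # PAT: share one address by port
        if key not in self.pat_map:
            self.pat_map[key] = (next(self._ports), now)
        gport = self.pat_map[key][0]
        self.pat_map[key] = (gport, now)
        return (self.pat_address, gport)


def run_scenario() -> List[Optional[Entry]]:
    """Constructed traffic: two pool addresses, one PAT address, several hosts."""
    nat = NatPool(["203.0.113.10", "203.0.113.11"], pat_address="203.0.113.12")
    return [
        nat.translate("10.1.0.5", 40000, "tcp", 0),
        nat.translate("10.1.0.6", 40001, "tcp", 1),
        nat.translate("10.1.0.7", 40002, "tcp", 2),   # pool depleted: PAT
        nat.translate("10.1.0.8", 40002, "tcp", 3),   # same inside port, new global port
        nat.translate("10.1.0.9", 5353, "dns", 4),
        nat.translate("10.1.0.9", 5353, "dns", 100),  # DNS entry expired after 60 s
    ]


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Two things the trace makes visible: without a PAT address the third host gets no translation at all (its traffic is dropped rather than queued), and the short DNS timeout means the fifth and sixth packets from the same host get different global ports. That second point is why the Translation Timeouts window matters when a device behind the router is monitored by its translated address: logs on the outside will show the address and port pair changing.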

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-18
Direction
This help topic describes how to use the Add Address Translation Rule fields when From inside to outside is selected.
From inside to outside
Select this option if you[...]

18-19 Chapter 18 Network Address Translation, Network Address Translation Rules
Network Mask
If you want SDM to translate the addresses of a subnet, enter the mask for that subnet. SDM determines the network/subnet number and the set of addresses ne[...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-20
• If you are mapping the inside local addresses of a subnet to the corresponding inside global addresses, enter any IP address that you want to use in the translation[...]

18-21 Chapter 18 Network Address Translation, Network Address Translation Rules
Note: If you create a NAT rule that would translate addresses of devices that are part of a VPN, SDM will prompt you to allow it to create a route map that protects thos[...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-22
IP Address
Do one of the following:
• If you want to create a one-to-one static mapping between the outside global address of a single remote host and a translated add[...]

18-23 Chapter 18 Network Address Translation, Network Address Translation Rules
Note: If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.
Redirect Port
Check this box if you want to includ[...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-24
Note: If you create a NAT rule that would translate addresses of devices that are part of a VPN, SDM will prompt you to allow it to create a route map that protects th[...]

18-25 Chapter 18 Network Address Translation, Network Address Translation Rules
Access Rule...
Dynamic NAT translation rules use access rules to specify the addresses that need translation. If you select From inside to outside, these are the insid[...]

Chapter 18 Network Address Translation, Network Address Translation Rules, 18-26
Add or Edit Dynamic Address Translation Rule: Outside to Inside
Use this help topic when you have chosen direction From Outside to Inside in the Add or the Edit Dynamic Addr[...]

18-27 Chapter 18 Network Address Translation, Network Address Translation Rules
Translate from Interface
This area shows the interfaces from which packets needing address translation may arrive. It provides fields for you to specify the IP addres[...]

Chapter 18 Network Address Translation, How Do I . . ., 18-28
Type
Select Interface if you want the Translate from... addresses to use the address of an interface on the router. They will be translated to the address that you specify in the interface[...]

18-29 Chapter 18 Network Address Translation, How Do I . . .
• Add or Edit Dynamic Address Translation Rule: Inside to Outside
Each time you add a new address translation rule using these directions, choose the same LAN interface and a new WAN [...]

Chapter 18 Network Address Translation, How Do I . . ., 18-30 [...]

CHAPTER 19 Intrusion Prevention System, 19-31
IOS Intrusion Prevention System (IPS) allows you to manage intrusion prevention on routers that run an IOS image of version 12.3(8)T4 or later. IPS lets you monitor and prevent intrusions by comparing traf[...]

Chapter 19 Intrusion Prevention System, IPS Rules, 19-32
Global Settings Drawer
Click to display the Global Settings window where you make settings that affect the overall operation of IOS IPS.
SDEE Messages Drawer
Secure Device Event Exchange (SDEE) messages[...]

19-33 Chapter 19 Intrusion Prevention System, IPS Rules
• The location of the Signature Definition File (SDF).
The use case scenario illustrates a configuration in which an IPS rule is used. Once you create the IPS rule and deliver the configuration t[...]

Chapter 19 Intrusion Prevention System, IPS Rules, 19-34
Use the Add, Delete, Move Up, and Move Down buttons to add, remove, and order a list of SDF locations that the router can attempt to contact to obtain an SDF. The router starts at the first entry[...]

19-35 Chapter 19 Intrusion Prevention System, IPS Rules
Enable Button
Click this button to enable IPS on the selected interface. You are able to specify the traffic directions to which IPS is to be applied, and the ACLs to use to define the type of t[...]

Chapter 19 Intrusion Prevention System, IPS Rules, 19-36
• Unnumbered — The router will use one of a pool of IP addresses supplied by your service provider for your router, and for the devices on the LAN.
• Not Applicable — The interface type ca[...]

19-37 Chapter 19 Intrusion Prevention System, IPS Rules
Source/Destination — A network or host address, or any host or network.
Service — Type of service filtered. IP, TCP, UDP, IGMP, and ICMP services can be filtered.
Log — Whether or not den[...]

Chapter 19 Intrusion Prevention System, Import Signatures, 19-38
Outbound Filter (Optional)
Enter the name or number of the access rule that specifies the outbound traffic to be examined. The ACL that you specify appears in the IPS Rules Configurati[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-39): Note: Before you use the IPS Signature Import wizard, you must have saved the SDF that you intend to use to a directory on your PC. Click the Edit Signatures tab to manage the signat[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-40): Welcome to the IPS Signature Import Wizard. This window summarizes the tasks that you perform as you go through the IPS Signature Import wizard. Click Next to begin. Signature Definition F[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-41): Match all of the conditions button. If the signatures that you want must match all of the conditions that you specify, choose this button. Note: If you select this button, you can only sel[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-42): Signatures. This window lets you view the configured IPS signatures on the router. You can add customized signatures, or import signatures from Cisco.com-downloaded Signature Defin[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-43): Edit. Click the Edit button to edit the parameters of the selected signature. Delete button. Click to mark the selected signature for deletion from the list. To view signatures you have [...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-44): SDFs are available from Cisco. Click the following URL to download an SDF from Cisco.com: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup Cisco maintains an alert center that provide[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-45): Icons. Right-click Context Menu. If you right-click a signature, SDM displays a context menu with the following options: • Actions — Click to select the actions to be taken when the s[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-46): Apply Changes button. Click to deliver newly imported signatures, signature edits, and newly enabled or disabled signatures to the router. When the changes are applied, the yellow Wait [...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-47): Signature Tree. If you need a description of the signature tree, click this link: Signature Tree. You can use the signature tree in this window to assemble the signatures that you [...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-48): Add, Edit, or Clone Signature. This window contains fields and values described in the Field Definitions section. The fields vary depending on the signature. Therefore, this is not an exhau[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-49): • SigVersion — Signature version. • ThrottleInterval — Number of seconds defining an Alarm Throttle interval. This is used with the AlarmThrottle parameter to tune special alarm li[...]

Chapter 19 Intrusion Prevention System, Import Signatures (19-50): Auto save. Check this option if you want the router to automatically save the SDF in the event of a router crash. This eliminates the need for you to reconfigure IPS with this SDF when the[...]

Chapter 19 Intrusion Prevention System, Global Settings (19-51): Determine Which SDF File is in Memory. To determine which SDF file is in router memory, open a Telnet session to the router, and enter the show flash command. The output will be similar to the [...]

Chapter 19 Intrusion Prevention System, Global Settings (19-52): Notification Method. Status. Configured SDF Locations. A signature location is a URL that provides a path to an SDF. To find an SDF, the router attempts to contact the first location in the list.[...]

Chapter 19 Intrusion Prevention System, Global Settings (19-53): Delete Button. Click to delete a selected location. Move Up/Down Buttons. Use these buttons to change the order of preference for the URLs in the list. Edit Global Settings. Edit settings that[...]

Chapter 19 Intrusion Prevention System, SDEE Messages (19-54): Enable Deny Action on IPS interface. This option is applicable if signature actions are configured to "deny Attacker Inline" or "deny FlowInline". By default, IPS applies ACLs[...]

Chapter 19 Intrusion Prevention System, SDEE Messages (19-55): Description. Available description. Refresh Button. Click to check for new SDEE messages. Close Button. Click to close the SDEE Messages window. SDEE Message Text. This topic lists possible [...]

Chapter 19 Intrusion Prevention System, SDEE Messages (19-56): IDS error messages. ENGINE_BUILD_FAILED: %s - %d ms - engine build failed - %s Explanation: Triggers when one of the engines fails to build after an SDF file is loaded. One such message for each f[...]

CHAPTER 20 Network Module Management (20-1): If the router has network modules that are managed by other applications, such as Intrusion Detection System (IDS), SDM provides a means for you to launch those applications. IDS Network Module Management I[...]

Chapter 20 Network Module Management, IDS Network Module Management (20-2): Reset. Click to perform a reset of the IDS network module hardware. You should only use the Reset button to recover from Failed state, or after you have shut down the IDS Network M[...]

Chapter 20 Network Module Management, IDS Network Module Management (20-3): IDS NM Monitoring Interface Settings. This area of the window shows which router interfaces have traffic sent to the IDS network module for monitoring. Configure. Click to add or[...]

Chapter 20 Network Module Management, IDS Network Module Management (20-4): IP Address. Enter an IP address to use for the IDS Sensor interface. SDM will do the following: • Create a loopback interface. The number 255 is used if available; if not, anot[...]

Chapter 20 Network Module Management, IDS Network Module Management (20-5): Specify. If you know the network module's IP address, choose this option, and enter the address. SDM will remember the address, and you can select Use SDM last known IP Address[...]

Chapter 20 Network Module Management, IDS Network Module Management (20-6): Date & Time. IP CEF Setting. IDS NM Initial Setup. For more information on configuring the IDS module, refer to the documents at the following link. http://www.cisco.com/unive[...]

Chapter 20 Network Module Management, Network Module Login (20-7): IDS NM Interface Monitoring Configuration. Use this window to select router interfaces whose traffic you want the IDS network module to monitor. Monitored Interfaces. This list contains the [...]

Chapter 20 Network Module Management, Switch Module Interface Selection (20-8): Switch Module Interface Selection. This window is displayed when there is more than one switch module installed on the router, and allows you to select the one that you want t[...]

CHAPTER 21 Quality of Service (21-9): The Quality of Service (QoS) Wizard allows a network administrator to enable Quality of Service (QoS) on the router's WAN interfaces. QoS can also be enabled on IPSec VPN interfaces and tunnels. The QoS ed[...]

Chapter 21 Quality of Service, QoS Wizard (21-10): QoS Wizard. Next. Click the Next button to begin configuring a QoS policy. Interface Selection. Choose the interface on which you want to configure the QoS policy in this window. This window lists WAN inter[...]

Chapter 21 Quality of Service, QoS Policy Generation (21-11): Bandwidth Allocation. This area allows you to track and allocate bandwidth to the outgoing traffic. This column also lists the bandwidth remaining after allocating bandwidth to each traffic type [...]

Chapter 21 Quality of Service, QoS Policy Generation (21-12): View QoS Class Details. The window that appears when you click the View Details button displays details of the QoS classes that are going to be created for the QoS policy. Real Time Traffi[...]

Chapter 21 Quality of Service, Summary of the configuration (21-13): Summary of the configuration. The QoS Wizard Summary window displays the summary of the QoS policy-map and its related QoS class-maps. This policy map will in turn be attached to the selecte[...]

Chapter 21 Quality of Service, Edit QoS Policy (21-14): IP Address. The IP address of the interface to which the policy is applied. QoS Policy Details. This area lists the type of traffic and the bandwidth allocated to each traffic type configured. Real[...]

Chapter 21 Quality of Service, Edit QoS Policy (21-15): Queuing. This column lists the queuing type, either bandwidth or priority. Class Based Weighted Fair Queuing (CBWFQ) defines two types of Low Latency Queuing methods — bandwidth and priority. • Pr[...]

Chapter 21 Quality of Service, Edit QoS Policy (21-16): Add. Click this button to add an NBAR-recognized protocol that has not been matched under any of the existing classes. Delete. Select the protocols from the list and click the Delete button to delete [...]

Chapter 21 Quality of Service, Edit QoS Policy (21-17): Add a Protocol. This window allows you to add the protocols that are not added to the real-time traffic class. NBAR Protocol. This area lists the NBAR protocols that are not added to any of the traffic [...]

Chapter 21 Quality of Service, QoS Status (21-18): Interface Association. This window provides you the opportunity to associate a cloned policy to an interface. Interface list. The interface list displays the interfaces with which you can associate the Q[...]

Chapter 21 Quality of Service, QoS Status (21-19): Bandwidth utilization is shown in Kbps. • Total incoming and outgoing bytes for each traffic type – Incoming and outgoing bytes for each class defined under the traffic type – Incoming and outgoing [...]

Chapter 21 Quality of Service, QoS Status (21-20): Statistics. Select one of the following: • Bandwidth • Bytes • Packets dropped. All Traffic — Real-Time — Business-Critical — Trivial. SDM displays statistics for all traffic classes in bar chart [...]

CHAPTER 22 Network Admission Control (22-21): Network Admission Control (NAC) reduces the infection of data networks from computer viruses by assessing the health of client workstations, helping to ensure that they receive the latest available viru[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-22): The NAC configuration on the router is only one part of a complete NAC implementation. Click Other Tasks in a NAC Implementation to learn the tasks that must be performed on other devices in or[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-23): Welcome. The NAC wizard enables you to do the following: • Configure RADIUS parameters — Admission control policies are configured on RADIUS servers that the router contacts when a netwo[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-24): Select the interface through which the RADIUS server is accessed. List. Choose the interface that the router is to use to connect to the RADIUS servers. If you need more information about an interfa[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-25): Add, Edit, and Ping Buttons. To provide information for a RADIUS server, click the Add button and enter the information in the screen displayed. Select a row and click Edit to modify the informat[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-26): IP Address/MAC Address/Device Type, Address/Device, and Policy Columns. These columns contain information about a host in the exception list. A host can be identified by its IP address, MAC addr[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-27): Policy List. Select the policy that you want to apply to the host. When you select a policy, the redirect URL specified for the policy appears in a read-only field, and the access rule entries [...]

Chapter 22 Network Admission Control, Create NAC Tab (22-28): Access Rule Field. Enter the name of the access rule that you want to use, or click the button to the right of this field and browse for the access rule, or create a new access rule. The acces[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-29): NAC Router Management Access. Hosts logging on to SDM must be exempt from NAC validation. Specify the interfaces through which SDM can be run, and specify the hosts that are to be exempt from[...]

Chapter 22 Network Admission Control, Create NAC Tab (22-30): Details Window. This window displays the entries that SDM will add to ACLs to allow services needed for the NAC validation process. The window might contain an entry like the following: permi[...]

Chapter 22 Network Admission Control, Edit NAC Tab (22-31): Edit NAC Tab. The Edit NAC tab lists the NAC policies configured on the router and enables you to configure other NAC settings. A NAC policy must be configured for each interface on which[...]

Chapter 22 Network Admission Control, Edit NAC Tab (22-32): Exception List Window. This placeholder topic will be removed when the help system for NAC is built. This help topic has already been written for wizard mode. To view it, click on the following[...]

Chapter 22 Network Admission Control, Edit NAC Tab (22-33): Add, Edit, and Delete Buttons. Click the Add button to create a new exception policy. Use the Edit button to modify existing exception policies, and the Delete button to remove exception policies. [...]

Chapter 22 Network Admission Control, Edit NAC Tab (22-34): Revalidation Timeout Field. The router periodically queries the posture agent on the client to determine the client's adherence to security policy. Enter the number of seconds that the router [...]

Chapter 22 Network Admission Control, How Do I... (22-35): The access rule must contain deny statements that specify the traffic that is to be exempted from the admission control process. No posture validation triggering occurs if the access rule cont[...]

Chapter 22 Network Admission Control, How Do I... (22-36): http://www.cisco.com/en/US/products/ps5923/index.html The document at the following link explains how to install and configure CTA software on a host. http://www.cisco.com/en/US/products/ps5923/pr[...]

CHAPTER 23 Router Properties (23-1): Router properties let you define the overall attributes of the router, such as the router name, domain name, password, Simple Network Management Protocol (SNMP) status, Domain Name System (DNS) server add[...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-2): Enter the text for Banner. Enter text for the router banner. The router text banner is displayed whenever anyone logs in to the router. It is recommended that the text banne[...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-3): Date/Time. You can see the router's date and time settings on the right side of the SDM status bar. The time and date settings in this part of the Clock Properties window are n[...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-4): Note: You must make the Time Zone and Daylight Savings settings on the PC before starting SDM so that SDM will receive the correct settings when you click Synchronize. Edit Date and Time [...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-5): IP Address. The IP address of an NTP server. If your organization does not have an NTP server, you may want to use a publicly available server, such as the server described at the [...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-6): Prefer. Click this box if this is to be the preferred NTP server. Interface. Select the router interface that will provide access to the NTP Server. You can use the show IP routes CL[...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-7): SNTP. This window is displayed on Cisco 830 routers. Network Time Protocol (NTP) allows routers on your network to synchronize their time settings with an NTP server. A group of NTP[...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-8): Note: An extended access rule will be created for port 123 traffic and applied to the interface that you select in this window. If an access rule was already in place for t[...]

Chapter 23 Router Properties, Date and Time: Clock Properties (23-9): Enable SNMP. Check this box to enable SNMP support. Uncheck this box to disable SNMP support. SNMP is enabled by default. Community String. SNMP community strings are embedded pa[...]

Chapter 23 Router Properties, Router Access (23-10): Router Access. This window explains which features are included in Router Access. User Accounts: Configure User Accounts for Router Access. This window allows you to define accounts and passwords that [...]

Chapter 23 Router Properties, Router Access (23-11): What Do You Want To Do? Add or Edit a Username. Add or edit a user account in the fields provided in this window. User Name. Enter or edit the username in this field. Password. Enter or edit the password in t[...]

Chapter 23 Router Properties, Router Access (23-12): Note: Protocols that require the retrieval of clear text passwords, such as CHAP, cannot be used with MD5-encrypted passwords. MD5 encryption is not reversible. To restore the password to clear tex[...]

Chapter 23 Router Properties, VTYs (23-13): Details. The Associate a View for this user area displays details of the selected view. Click the Details button for more detailed information about the selected view. View Password. If you are associating a v[...]

Chapter 23 Router Properties, VTYs (23-14): • Authentication Policy — The AAA authentication policy associated with this vty line. This field is visible if AAA is configured on the router. • Authorization Policy — The AAA authorization policy[...]

Chapter 23 Router Properties, VTYs (23-15): SSH. Check this check box to enable the router to communicate with SSH clients. Access Rule. You can associate access rules to filter inbound and outbound traffic on the vty lines in the range. Inbound. Enter the nam[...]

Chapter 23 Router Properties, VTYs (23-16): Host/Network. A network address or host IP address. If a network address is given, the policy applies to all hosts on that network. If a host address is given, the policy applies to that host. A network addr[...]

Chapter 23 Router Properties, VTYs (23-17): Edit Button. Click to edit a management policy, and specify the policy in the Edit a Management Policy window. Delete Button. Click to delete a selected management policy. Apply Button. Click to apply changes you [...]

Chapter 23 Router Properties, VTYs (23-18): Management Protocols. Specify the management protocols allowed for the host or network. Allow SDM. Check to allow the specified host or network to access SDM. When you check this box, the following protocols are aut[...]

Chapter 23 Router Properties, VTYs (23-19): can create a security risk because if source is “any” it allows traffic from any network to enter the router, or if destination is “any” it allows access to any node on the network that the local rout[...]

Chapter 23 Router Properties, VTYs (23-20): SSH. This router implements Secure Shell (SSH) Server, a feature that enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar[...]

Chapter 23 Router Properties, DHCP Configuration (23-21): DHCP Configuration. This window explains how you can manage DHCP configurations on your router. DHCP Pools. This window displays the DHCP pools configured on the router. Pool Name. The name of the DHCP po[...]

Chapter 23 Router Properties, DHCP Configuration (23-22): Add. Select this option to create a new DHCP pool. You need to specify the DHCP pool name, DHCP pool network, DHCP pool IP address range, and lease time. Also DNS servers, WINS server, domain name[...]

Chapter 23 Router Properties, DHCP Configuration (23-23): Subnet Mask. Enter the subnet mask. The subnet mask of the example network address could be 255.255.255.0, providing 255 IP addresses. DHCP Pool. Enter the starting and ending IP addresses in the [...]

Chapter 23 Router Properties, DHCP Configuration (23-24): Host/IP Mask. The IP address and mask bound to the client. MAC Address. The MAC address of the client. Type. The type of MAC address is one of the following: • Ethernet: Client has a hardware addres[...]

Chapter 23 Router Properties, DHCP Configuration (23-25): Name. Enter the name you want for the DHCP binding. If you are editing the DHCP binding, the name field is read-only. Host IP. Enter the IP address you want to bind to the client. The address should b[...]

Chapter 23 Router Properties, DNS Properties (23-26): DNS Properties. The Domain Name System (DNS) is a database of Internet host names with their corresponding IP addresses distributed over designated DNS servers. It enables network users to refer to ho[...]

Chapter 23 Router Properties, Dynamic DNS Methods (23-27): Edit Button. To edit a dynamic DNS method, choose it from the list of existing dynamic DNS methods and then click the Edit button. Delete Button. To edit a dynamic DNS method, choose it from t[...]

Chapter 23 Router Properties, Dynamic DNS Methods (23-28): IETF. IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface's IP address. If using IETF, configure a DNS server for the router in Confi[...]

CHAPTER 24 ACL Editor (24-1): Rules define how the router will respond to a particular kind of traffic. Using SDM, you can create access rules that cause the router to block certain types of traffic while permitting other types, NAT rules that d[...]

Chapter 24 ACL Editor, Useful Procedures for Access Rules and Firewalls (24-2): No. of Rules. The number of rules of this type. Description. A description of the rule if one has been entered. To configure rules: Click the category of rule in the rule tree [...]

Chapter 24 ACL Editor, Rules Windows (24-3): • How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? • How Do I Configure NAT Passthrough for a Firewall? • How Do I Permit Traffic Through a Firewall to My Easy VPN Co[...]

Chapter 24 ACL Editor, Rules Windows (24-4): The upper portion of the screen lists the access rules that have been configured on this router. This list does not contain SDM default rules. To view SDM default rules, click the SDM Default Rules branch o[...]

Chapter 24 ACL Editor, Rules Windows (24-5): Access rules can be either standard rules or extended rules. IPSec rules have to be extended rules because they must be able to specify a service type. Externally defined and unsupported rules may be either st[...]

Chapter 24 ACL Editor, Rules Windows (24-6)
Destination: For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host. This column may contain:
• An IP address and wildcard ma[...]

Chapter 24 ACL Editor, Rules Windows (24-7)
Add or Edit a Rule: This window lets you add or edit a rule you have selected in the Rules window. You can rename or renumber the rule; add, change, reorder, or delete rule entries; and add or change the [...]

Chapter 24 ACL Editor, Rules Windows (24-8)
Rule Entry List: This list shows the entries that make up the rule. You can add, edit, and delete entries. You can also reorder them to change the order in which they are evaluated. Observe the following guideline[...]

Chapter 24 ACL Editor, Rules Windows (24-9)
What do you want to do?
Associate with an Interface: You can use this window to associate a rule you have created from the Access Rules window with an interface and to specify whether it applies to outbound tra[...]

Chapter 24 ACL Editor, Rules Windows (24-10)
Select an Interface: Select the interface to which you want this rule to apply.
Specify a Direction: If you want the router to check packets inbound to the interface, click Inbound. The router checks for a matc[...]

Chapter 24 ACL Editor, Rules Windows (24-11)
What do you want to do?
Add a Standard Rule Entry: A standard rule entry allows you to permit or deny traffic that came from a specified source. The source can be a network or a host within a specific network. Y[...]

Chapter 24 ACL Editor, Rules Windows (24-12)
Note: Any traffic that does not match the criteria in one of the rule entries you create is implicitly denied. To ensure that traffic you do not intend to deny is permitted, you must append explicit permit entrie[...]

Chapter 24 ACL Editor, Rules Windows (24-13)
Mask: If you selected A Network, or if you selected A Host Name or IP address, either select the wildcard mask from this list, or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the correspon[...]

Chapter 24 ACL Editor, Rules Windows (24-14)
What Permit and Deny do depends on the type of rule in which they are used. In SDM, extended rule entries can be used in access rules, NAT rules, IPSec rules, and access lists associated with route maps. Click M[...]

Chapter 24 ACL Editor, Rules Windows (24-15)
Type: Select one of the following:
• A specific IP address. This can be a network address or the address of a specific host.
• A host name.
• Any IP address.
Mask: If you selected A specific IP addres[...]

Chapter 24 ACL Editor, Rules Windows (24-16)
See Services and Ports for a table containing the port names and numbers available in SDM.
Log Matches Against This Entry: If you have specified a syslog server in System Properties, you can check this box [...]

Chapter 24 ACL Editor, Rules Windows (24-17)
Rule Category: Select the rule category that you want to select from. The rules in the category you select will appear in the box below the list. If no rules appear in the box, no rules of that category h[...]

Chapter 24 ACL Editor, Rules Windows (24-18)
Destination: For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host. This column may contain the following:
• An IP address a[...]

Chapter 25 Port-to-Application Mapping (25-19)
Port-to-Application Mapping (PAM) allows you to customize TCP and UDP port numbers for network services and applications. PAM uses this information to support network environments that run services us[...]

Chapter 25 Port-to-Application Mapping, Port-to-Application Mappings (25-20)
Application Protocol Column: This column contains the name of the application protocol, and the names of the protocol types. For example, the FTP and the TFTP entries are [...]

Chapter 25 Port-to-Application Mapping, Port-to-Application Mappings (25-21)
Description Column: If a description of the PAM entry has been created, the description is displayed in this column.
Add or Edit Port Map Entry: You can add and edit port map[...]

Chapter 25 Port-to-Application Mapping, Port-to-Application Mappings (25-22)
numbers separated by commas, or port number ranges indicated with a dash. For example, you might enter three noncontiguous port numbers as 310, 313, 318, or you might e[...]

Chapter 26 Authentication, Authorization, and Accounting (26-23)
Cisco IOS Authentication, Authorization, and Accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA p[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-24)
Enable/Disable AAA: AAA is enabled by default. If you click Disable, SDM displays a message telling you that it will make configuration changes to ensure that the [...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-25)
AAA Servers Window: This window lets you view a snapshot of the information about the AAA servers that the router is configured to use. The IP address, server typ[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-26)
Add or Edit a TACACS+ Server: Add or edit information for a TACACS+ server in this window.
Server IP or Host: Enter the IP address or the host name of the server[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-27)
Add or Edit a RADIUS Server: Add or edit information for a RADIUS server in this window.
Server IP or Host: Enter the IP address or the host name of the server. I[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-28)
TACACS+ Server/RADIUS Server: Click the appropriate button to specify the server type for which you are setting global parameters. If you select TACACS+ Server, th[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-29)
Type: The type of servers in the selected group, either TACACS+ or RADIUS.
Group Members: The IP addresses or host names of the AAA servers in this group.
Authenticat[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-30)
List Name: The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.
Method 1: The m[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-31)
Method 1 Column: The method that the router will attempt first. If one of the servers in this method authenticates the user (sends a PASS response), authenticatio[...]

Chapter 26 Authentication, Authorization, and Accounting, AAA Servers and Groups (26-32)
Methods: A method is a configured server group. Up to four methods can be specified and placed in the list in the order you want the router to use them. The router wi[...]
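The method-list behaviour described on pages 26-30 to 26-32 (the router tries Method 1 first; a definite answer from a reachable server ends the search, and only an unreachable method lets the next one be tried) is modelled below as an added Python example. It is not SDM or Cisco IOS code: the server groups, server addresses, user names and the responder functions are constructed for the example, and treating a user who is absent from the local database as "no answer, try the next method" is a modelling assumption. The point it makes is the one practitioners get wrong most often: a list such as TACACS+ then local is not a back door around a rejection, whereas a trailing `none` method fails open once the servers are unreachable.

```python
"""Authentication method-list evaluation, modelled on Cisco IOS AAA semantics.

Added example; not SDM or IOS code. Server replies are constructed stand-ins
for real TACACS+/RADIUS exchanges.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = no usable answer (unreachable)


@dataclass
class ServerGroup:
    """One configured server group (a 'method'); servers are queried in order."""
    name: str
    servers: List[str]
    # (server, user, password) -> PASS / FAIL / ERROR; stands in for the network exchange
    responder: Callable[[str, str, str], str]

    def query(self, user: str, password: str, trace: List[str]) -> str:
        for srv in self.servers:
            reply = self.responder(srv, user, password)
            trace.append(f"{self.name}:{srv} -> {reply}")
            if reply in (PASS, FAIL):
                return reply          # a definite answer is final for the whole list
        return ERROR                  # every server in the group was unreachable


@dataclass
class LocalDatabase:
    """The 'local' method. Modelling assumption: unknown user -> ERROR (next
    method is tried); wrong password -> FAIL (search stops)."""
    users: Dict[str, str]

    def query(self, user: str, password: str, trace: List[str]) -> str:
        if user not in self.users:
            reply = ERROR
        else:
            reply = PASS if self.users[user] == password else FAIL
        trace.append(f"local -> {reply}")
        return reply


class NoAuth:
    """The 'none' method: always succeeds, i.e. fail-open."""
    def query(self, user: str, password: str, trace: List[str]) -> str:
        trace.append("none -> PASS")
        return PASS


def authenticate(method_list, user: str, password: str) -> Tuple[str, List[str]]:
    """Walk the list in order. Only ERROR moves on to the next method; PASS or
    FAIL from any method is final. Exhausting the list without an answer is a FAIL."""
    trace: List[str] = []
    for method in method_list:
        reply = method.query(user, password, trace)
        if reply != ERROR:
            return reply, trace
    trace.append("all methods exhausted -> FAIL")
    return FAIL, trace


# Constructed responders: 10.0.0.20 never answers, 10.0.0.10 knows only 'alice'.
def tacacs_responder(server: str, user: str, password: str) -> str:
    if server == "10.0.0.20":
        return ERROR
    return PASS if (user, password) == ("alice", "s3cret") else FAIL


def all_down(server: str, user: str, password: str) -> str:
    return ERROR


LOCAL = LocalDatabase({"admin": "fallback-pw"})
TACACS_OK = ServerGroup("tacacs+", ["10.0.0.20", "10.0.0.10"], tacacs_responder)
TACACS_DOWN = ServerGroup("tacacs+", ["10.0.0.20", "10.0.0.21"], all_down)


def demo() -> Dict[str, Tuple[str, List[str]]]:
    return {
        # 1. Server reachable and rejects: 'local' is never consulted.
        "rejected": authenticate([TACACS_OK, LOCAL], "admin", "fallback-pw"),
        # 2. Servers unreachable: the router falls back to the local database.
        "fallback": authenticate([TACACS_DOWN, LOCAL], "admin", "fallback-pw"),
        # 3. Trailing 'none' turns 'all servers down' into an open door.
        "fail_open": authenticate([TACACS_DOWN, NoAuth()], "anyone", "anything"),
    }


if __name__ == "__main__":
    for label, (result, trace) in demo().items():
        print(f"{label:>9}: {result}  [{'; '.join(trace)}]")
```

The trace list is the part worth keeping when you reproduce this against a real router: it is the same sequence of events that `debug aaa authentication` shows, and it is what tells you whether a successful local login happened because the servers were down or because the list was ordered incorrectly.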

Chapter 27 Router Provisioning (27-33)
This window tells you if SDM has detected a USB token or USB flash device connected to your router. You can click the Router Provisioning button to choose a configuration file from the USB token or USB f[...]

Chapter 27 Router Provisioning, Router Provisioning from USB (27-34)
Step 5: Click OK to load the chosen file.[...]

Chapter 28 Public Key Infrastructure (28-35)
The Public Key Infrastructure (PKI) windows enable you to generate enrollment requests and RSA keys, and manage keys and certificates. You can use the Simple Certificate Enrollment Protocol (SCEP) to create a[...]

Chapter 28 Public Key Infrastructure, Certificate Wizards (28-36)
• NTP not configured: The router must have accurate time for certificate enrollment to work. Identifying a Network Time Protocol server from which your router can obtain accurate time p[...]

Chapter 28 Public Key Infrastructure, Certificate Wizards (28-37)
Note: SDM supports only base-64-encoded PKCS#10-type cut-and-paste enrollment. SDM does not support importing PEM and PKCS#12 type certificate enrollments.
SDP: Click this button if you w[...]

Chapter 28 Public Key Infrastructure, Certificate Wizards (28-38)
Note: The information you enter in this screen is used to generate a trustpoint. The trustpoint is generated with a default revocation check method of CRL. If you are editing an existing tr[...]

Chapter 28 Public Key Infrastructure, Certificate Wizards (28-39)
Advanced Options Button: Advanced options allow you to provide more information to enable the router to contact the CA server.
Advanced Options: Use this window to provide more information[...]

Chapter 28 Public Key Infrastructure, Certificate Wizards (28-40)
Include router's IP Address: Check if you want to include a valid IP address configured on your router in the certificate request. If you check this box, you can manually enter an IP[...]

Chapter 28 Public Key Infrastructure, RSA Keys (28-41)
State (st): Enter the state or province in which the router or the organization is located.
Country (c): Enter the country in which the router or the organization is located.
Email (e): Enter the email[...]

Chapter 28 Public Key Infrastructure, Summary (28-42)
The modulus determines the size of the key. The larger the modulus, the more secure the key, but keys with a large modulus take longer to generate, and encryption/decryption operations take long[...]

Chapter 28 Public Key Infrastructure, Enrollment Status (28-43)
If you are performing a cut-and-paste enrollment: After the commands are delivered to the router, SDM generates an enrollment request and displays it in another window. You must save thi[...]

Chapter 28 Public Key Infrastructure, Enrollment Request (28-44)
Begin New Enrollment: Click Begin new enrollment to generate a trustpoint, an RSA key pair and an enrollment request that you can save to your PC and send to the CA server. The wizard co[...]

Chapter 28 Public Key Infrastructure, Import CA certificate (28-45)
Import CA and router certificate(s): Choose this option if you want to import both the CA server's certificate and the router's certificate in the same session. Both certificates must [...]

Chapter 28 Public Key Infrastructure, Import Router Certificate(s) (28-46)
Browse Button: Click to locate the certificate file on the PC.
Import Router Certificate(s): If you have one or more certificates for your router granted by the CA on your hard dis[...]

Chapter 28 Public Key Infrastructure, Digital Certificates (28-47)
Edit Button: A trustpoint can be edited if it is an SCEP trustpoint, and if the CA server's certificate and the router's certificate have not both been successfully imported. If the tr[...]

Chapter 28 Public Key Infrastructure, Digital Certificates (28-48)
Refresh Button: Click to refresh the Certificate chain area when you select a different trustpoint in the Trustpoints list.
Trustpoint Information: The Trustpoints list in the Router Certifi[...]

Chapter 28 Public Key Infrastructure, Digital Certificates (28-49)
Revocation Check: Specify in this window how the router is to check whether a certificate has been revoked.
Revocation Check: Configure how the router is to check for revocations, and [...]

Chapter 28 Public Key Infrastructure, RSA Keys Window (28-50)
• Best Effort: Download the CRL from the CRL server if it is available. If it is not available, the certificate will be accepted.
• Optional: Check the CRL only if it has already been [...]

Chapter 28 Public Key Infrastructure, RSA Keys Window (28-51)
Key Data: Click to view a selected RSA key.
Save Key to PC Button: Click to save the data of the selected key to your PC.
Generate RSA Key Pair: Use this window to generate a new RSA key pair.
Lab[...]

Chapter 28 Public Key Infrastructure, USB Tokens (28-52)
Save to USB Token: Check the Save keys to secure USB token check box if you want to save the RSA keys to a USB token connected to your router. This check box appears only if a USB token is connected [...]

Chapter 28 Public Key Infrastructure, USB Tokens (28-53)
Maximum PIN Retries: Displays the maximum number of times SDM will attempt to log in to the USB token with the given PIN. If SDM is unsuccessful after trying for the number specified, it will stop tr[...]

Chapter 28 Public Key Infrastructure, USB Tokens (28-54)
Current PIN: If you are adding a USB token login, or if you are editing a USB token login that has no PIN, the Current PIN field displays <None>. If you are editing a USB token login which has a[...]

Chapter 28 Public Key Infrastructure, SDP Troubleshooting Tips (28-55)
SDP Troubleshooting Tips: Use this information before enrolling using Secure Device Provisioning (SDP) to prepare the connection between the router and the certificate server. [...]

Chapter 28 Public Key Infrastructure, Open Firewall (28-56)
Open Firewall: This screen is displayed when SDM detects firewall(s) on interfaces that would block return traffic that the router needs to receive. Two situations in which it might appear are w[...]

Chapter 28 Public Key Infrastructure, Open Firewall (28-57)
Details Button: Click this button to view the access control entry that SDM would add to the firewall if you allow the modification.
Open Firewall Details: This window displays the access cont[...]


Chapter 29 Resetting to Factory Defaults (29-1)
You can reset the configuration of the router to factory defaults and save the current configuration to a file that can be used later. If you changed the router's LAN IP address from the factory valu[...]

Chapter 29 Resetting to Factory Defaults (29-2)
The process for giving the PC a static or dynamic IP address varies slightly depending on the version of Microsoft Windows the PC is running.
Note: Do not reconfigure the PC until after you reset the router [...]

Chapter 29 Resetting to Factory Defaults (29-3)
Specify an IP address. Enter the IP address 10.10.10.2 or any other address in the 10.10.10.0 subnet greater than 10.10.10.1. Enter the subnet mask 255.255.255.248. Click OK.
Microsoft Windows [...]

Chapter 29 Resetting to Factory Defaults, This Feature Not Supported (29-4)
This Feature Not Supported: This window appears when an SDM feature is not supported. This may be because the router is running a Cisco IOS image that does not support the feature [...]

Chapter 30 More About.... (30-1)
These topics provide more information about subjects that SDM online help discusses.
IP Addresses and Subnet Masks: This topic provides background information about IP addresses and subnet masks, and shows you how to u[...]

Chapter 30 More About...., IP Addresses and Subnet Masks (30-2)
The subnet mask is used to specify how many of the 32 bits are used for the network number and, if subnetting is used, the subnet number. It is a binary mask with a 1 bit in every position used [...]

Chapter 30 More About...., IP Addresses and Subnet Masks (30-3)
When a network address is displayed in SDM windows, the IP address and subnet mask for it may be shown in network address/subnet bits format, as in the following example: 172.28.33.0/24. The [...]

Chapter 30 More About...., Available Interface Configurations (30-4)
IP Address/Wildcard Mask: Enter a network address, and then the wildcard mask to specify how much of the network address must match exactly. For example, if you entered a network addres[...]
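The three pieces of address matching that this guide describes separately, the subnet mask and /n notation (pages 30-2 to 30-4), the wildcard mask whose 0 bits must match and whose 1 bits are ignored (page 24-13), and the implicit deny at the end of every access rule (page 24-12), are combined below in an added Python example. It is not SDM or Cisco IOS code; the addresses and the rule entries are constructed, reusing the 255.255.255.248 subnet from Chapter 29 and the /24 from page 30-3. It goes one step beyond the text by including a wildcard whose "don't care" bits are not contiguous, which a subnet mask cannot express but an access rule can.

```python
"""Wildcard-mask matching and first-match ACL evaluation, modelled on IOS semantics.

Added example; not SDM or IOS code. Addresses and rule entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /n network: the bitwise inverse of the subnet mask (/24 -> 0.0.0.255)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return _to_dotted(subnet_mask ^ ALL_ONES)


def wildcard_from_subnet_mask(mask: str) -> str:
    """Dotted subnet mask to wildcard (255.255.255.248 -> 0.0.0.7)."""
    return _to_dotted(_to_int(mask) ^ ALL_ONES)


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means that bit of addr must equal the bit in
    network; a 1 bit means 'don't care'. The 1 bits need not be contiguous."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(addr) & care) == (_to_int(network) & care)


@dataclass(frozen=True)
class StandardEntry:
    action: str      # "permit" or "deny"
    network: str
    wildcard: str


def evaluate_standard_acl(entries: List[StandardEntry], src: str) -> str:
    """Entries are tested in order and the first match decides. Traffic that
    matches no entry is implicitly denied, exactly as on the router."""
    for entry in entries:
        if wildcard_matches(src, entry.network, entry.wildcard):
            return entry.action
    return "deny"


# Constructed rule: block one host, permit the rest of its /29, permit host .5 in
# every 10.1.x.0 subnet (non-contiguous wildcard), and rely on the implicit deny.
SAMPLE_ACL = [
    StandardEntry("deny", "10.10.10.4", "0.0.0.0"),
    StandardEntry("permit", "10.10.10.0", wildcard_from_subnet_mask("255.255.255.248")),
    StandardEntry("permit", "10.1.0.5", "0.0.255.0"),
]

if __name__ == "__main__":
    for src in ("10.10.10.4", "10.10.10.6", "10.10.10.9",
                "10.1.77.5", "10.1.77.6", "192.168.1.1"):
        print(f"{src:>14} -> {evaluate_standard_acl(SAMPLE_ACL, src)}")
```

When you type a wildcard into the custom mask field, run the intended address and a neighbouring one through `wildcard_matches` first: the common mistake is entering a subnet mask where a wildcard is expected, which turns "this /29" into "every address except this /29".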

Chapter 30 More About...., DHCP Address Pools (30-5)
DHCP Address Pools: The IP addresses that the DHCP server assigns are drawn from a common pool that you configure by specifying the starting IP address in the range and the ending address in the rang[...]

Chapter 30 More About...., Meanings of the Permit and Deny Keywords (30-6)
Reserved Addresses: You must not use the following addresses in the range of addresses that you specify:
• The network/subnetwork IP address.
• The broadcast address on th[...]

Chapter 30 More About...., Services and Ports (30-7)
• IP Services
• Services That Can Be Specified in Inspection Rules
TCP Services
TCP Service  Port Number  Description
bgp  179  Border Gateway Protocol. BGP exchanges reachability information with o[...]

Chapter 30 More About...., Services and Ports (30-8)
lpd  515  Line Printer Daemon. A protocol used to send print jobs between UNIX systems.
nntp  119  Network News Transport Protocol.
pim-auto-rp  496  Protocol-Independent Multicast Auto-RP. PIM [...]
UDP Services

Chapter 30 More About...., Services and Ports (30-9)
netbios-ns  137  NetBIOS name service
netbios-ss  139  NetBIOS session service
ntp  123  Network Time Protocol. UDP-based protocol that ensures accurate local timekeeping with reference to radio and atomic c[...]

Chapter 30 More About...., Services and Ports (30-10)
ICMP Message Types
ICMP Message  Type Number  Description
alternate-address  6  Alternate host address.
conversion-error  31  Sent to report a datagram conversion error.
echo  8  Type of message sent when [...]

Chapter 30 More About...., Services and Ports (30-11)
timestamp-request  13  Request for timestamp to be used for synchronization between two devices.
traceroute  30  Message sent in reply to a host that has issued a traceroute request.
unreacha[...]
IP Services

Chapter 30 More About...., Services and Ports (30-12)
tcp  6  Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
udp  17  User D[...]
Services That Can Be Specified in Inspection Rules

Chapter 30 More About...., More About NAT (30-13)
More About NAT: This section provides scenario information that may help you in completing the NAT Translation Rule windows, and other information that explains why NAT rules created using the CLI may not be[...]

Chapter 30 More About...., More About NAT (30-14)
Scenario 2: You need to map each IP address in a network to a unique public IP address, and you do not want to create a separate rule for each mapping. The source network number is 10.12.12.0, and t[...]

Chapter 30 More About...., More About NAT (30-15)
Result: The source address 10.12.12.3 is translated to the address 172.17.4.8 in packets leaving the router. The port number in the Redirect port field is changed from 137 to 139. Return traffic carr[...]

Chapter 30 More About...., More About NAT (30-16)
Dynamic Address Translation Scenarios: The following scenarios show you how you can use dynamic address translation rules. These scenarios are applicable whether you select from inside-to-outside,[...]

Chapter 30 More About...., More About NAT (30-17)
Scenario 2: You want the host addresses specified in access-list 7 in the previous scenario to use addresses from a pool you define. If the addresses in the pool become depleted, you want the router to u[...]

Chapter 30 More About...., More About VPN (30-18)
• The inside source static network command with one of the keywords "extendable", "no-alias", or "no-payload"
• The outside source static network command with one of the keyword[...]

Chapter 30 More About...., More About VPN (30-19)
• Security and VPN Devices
• IPSecurity Troubleshooting: Understanding and Using Debug Commands
• Field Notices
More about VPN Connections and IPSec Policies: A VPN connection is an association be[...]

Chapter 30 More About...., More About VPN (30-20)
A router interface can be associated with only one IPSec policy. However, an IPSec policy can be associated with multiple router interfaces, and a crypto map can specify more than one peer for a [...]

Chapter 30 More About...., More About VPN (30-21)
More About IKE: IKE handles the following tasks:
• Authentication
• Session Negotiation
• Key Exchange
• IPSec Tunnel Negotiation and Configuration
Authentication: Authentication is arguably th[...]

Chapter 30 More About...., More About VPN (30-22)
– Encryption Algorithm: DES, 3DES, or AES
– Packet Signature Algorithm: MD5 or SHA-1
Key Exchange: IKE uses the negotiated key-exchange method (see "Session Negotiation" above) to create e[...]

Chapter 30 More About...., More About VPN (30-23)
Allowable Transform Combinations: To define a transform set, you specify one to three transforms. Each transform represents an IPSec security protocol (AH or ESP) plus the algorithm that you want to use. W[...]

Chapter 30 More About...., Reasons Why a Serial Interface or Subinterface Configuration May Be Read-Only (30-24)
Examples: The following are examples of permissible transform combinations:
• ah-md5-hmac
• esp-des
• esp-3des and esp-md5-hmac[...]

Chapter 30 More About...., Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only (30-25)
• The interface is configured with the encapsulation frame-relay command with an IP address on the main interface.
• The interface encapsula[...]

Chapter 30 More About...., Reasons Why an Ethernet Interface Configuration May Be Read-Only (30-26)
• If the "dial-on-demand" option is configured on the pppoe-client command.
• If there is more than 1 PVC configured on the interface.
• If t[...]

Chapter 30 More About...., Reasons Why an ISDN BRI Interface Configuration May Be Read-Only (30-27)
Reasons Why an ISDN BRI Interface Configuration May Be Read-Only: A previously configured ISDN BRI interface will be read-only and will not be configura[...]

Chapter 30 More About...., Reasons Why an Analog Modem Interface Configuration May Be Read-Only (30-28)
– The SDM-supported interfaces are configured with unsupported configurations
– The primary interfaces are not supported by SDM
Reasons Why a[...]

Chapter 30 More About...., Firewall Policy Use Case Scenario (30-29)
– track/rtr, or both, is not configured
– route-map is removed
– Access-list is removed or access-list is modified (for example, the tracking IP address is modified)
– The SDM-supporte[...]

Chapter 30 More About...., Firewall Policy Use Case Scenario (30-30)
Examining Originating Traffic: From Interface Fast Ethernet 0/0; To Interface Serial 1/0. In this configuration, there is a firewall filtering traffic entering the router on the Serial [...]

Chapter 30 More About...., Firewall Policy Use Case Scenario (30-31)
These are the entries that protect the network attached to Fast Ethernet 0/0. The Deny entries filter IP traffic from specific networks. There is an explicit permit all entry for IP tra[...]

  • Page 596

    Chapter 30 M ore Abo ut.... DMVPN Config uration Rec ommenda tions 30-32 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 The Servi ces area shows th at certa in ty pes of I CMP t raffic hav e b een permi tted. Allowing www Traffic t o DMZ Inte rface The me thod shown in th is sec tion can al so be use d when th[...]
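The firewall policy in this use case is an ordered access list: deny entries for specific source networks, then an explicit permit-all entry, with any packet that matches no entry dropped by the implicit deny at the end of every IOS ACL. The Python below is an added example (not code from the SDM guide or from Cisco) that evaluates such a list first-match, the way the router does, and also reports entries shadowed by an earlier one, which is how a "permit ip any any" placed too early silently disables every deny entry after it. The ACL lines, hosts and networks in it are constructed for illustration, and the parser handles only the `permit|deny <proto> <src> <dst> [eq <port>]` subset of IOS extended-ACL syntax.

```python
"""First-match evaluation of an IOS-style extended access list.

Added example, not from the SDM guide. The ACL lines, hosts and networks
below are constructed for illustration. Only the subset
  <permit|deny> <proto> <src> <dst> [eq <port>]
of IOS extended-ACL syntax is parsed, where an address is 'any',
'host A.B.C.D', or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "tcp", "udp", "icmp"
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    dst_port: Optional[int] = None    # TCP/UDP destination port; None = any


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.255.255.255 means /8."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_entry(line: str) -> AclEntry:
    tokens = line.split()
    action, proto, pos = tokens[0], tokens[1], 2

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if tokens[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tokens[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tokens[pos - 1] + "/32")
        pos += 2
        return wildcard_to_network(tokens[pos - 2], tokens[pos - 1])

    src, dst = take_addr(), take_addr()
    port = int(tokens[pos + 1]) if pos < len(tokens) and tokens[pos] == "eq" else None
    return AclEntry(action, proto, src, dst, port)


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, entry index) of the first matching entry. A packet that
    matches nothing hits the implicit deny, reported as ("deny", None)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for i, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if s not in e.source or d not in e.dest:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action, i
    return "deny", None


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry already
    covers every packet they would match. A 'permit ip any any' placed before
    the deny entries shadows all of them."""
    out = []
    for i, e in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.protocol in ("ip", e.protocol)
                    and e.source.subnet_of(earlier.source)
                    and e.dest.subnet_of(earlier.dest)
                    and earlier.dst_port in (None, e.dst_port)):
                out.append(i)
                break
    return out


# Constructed ACL in the shape of the use case: deny specific source networks
# arriving from the WAN side, allow www to one DMZ host, then the explicit permit-all.
SAMPLE_ACL = [parse_entry(line) for line in (
    "deny ip 10.0.0.0 0.255.255.255 any",        # private source on the WAN side: spoofed
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip host 203.0.113.7 any",              # one blocked host (TEST-NET-3 address)
    "permit tcp any host 198.51.100.10 eq 80",   # www to the DMZ web server
    "permit ip any any",                         # the explicit permit-all entry
)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.2.3", "198.51.100.10", 80),
                Packet("tcp", "172.16.5.5", "198.51.100.10", 80),
                Packet("udp", "172.16.5.5", "198.51.100.10", 53)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    print("shadowed:", shadowed_entries(SAMPLE_ACL))
```

Run `shadowed_entries` on a list before deploying it: an empty result means every entry can still match something, which is the check the use case relies on when it places the deny entries ahead of the permit-all entry.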

DMVPN Configuration Recommendations

Assigning Spoke Addresses

All routers in the DMVPN must have their tunnel interfaces in the same subnet. Therefore, the hub administrator must assign addresses in that subnet to the spoke routers so that[...]

Ping the Hub Before You Start Spoke Configuration

Before configuring a spoke router, you should test connectivity to the hub by issuing the ping command. If the ping does not succeed, you must config[...]

Chapter 31 Getting Started

Cisco Router and Security Device Manager (SDM) is an easy-to-use Internet browser-based software tool designed for configuring LAN, WAN, and security features on a router. SDM is designed for resellers and netw[...]

What's New in this Release?

To find out the new features SDM supports, go to http://www.cisco.com/go/sdm, click the Technical Documentation link, and then click Release Notes. Cisco IOS[...]

Chapter 32 Viewing Router Information

The Cisco Router and Security Device Manager (SDM) Monitor mode lets you view a current snapshot of information about your router, the router interfaces, the firewall, and any active VPN connections. Y[...]

Overview

The Monitor mode Overview screen displays an overview of your router activity and statistics, and serves as a summary of the information contained on the other Monitor mode screens. It conta[...]

Resource Status
Shows basic information about your router hardware and contains the following fields:
CPU Usage: Shows the percentage of CPU usage.
Memory Usage: Shows the percentage of RAM usage.
F[...]

Bandwidth Usage: The percent of interface bandwidth being used.
Description: Available description for the interface. SDM may add descriptions such as $FW_OUTSIDE$ or $ETH_LAN$.
Firewall Status[...]

No. of DMVPN Clients: If the router is configured as a DMVPN hub, the number of DMVPN clients.
No. of Active VPN Clients: If the router is configured as an Easy VPN Server, this field shows the num[...]

Informational: The number of log entries stored that have a severity level of 6 or higher. These information messages signal normal network events.

Interface Status

The Interface Status screen [...]

• Bandwidth Usage: The percent of bandwidth used by the interface, shown as a percentage value. Here is how the bandwidth percentage is computed: Bandwidth percentage = (Kbps / bw) * 100,[...]

• Real-time data every 10 sec. This option will continue polling the router for a maximum of two hours, resulting in approximately 120 data points.
• 10 minutes of data polled every 10 sec.
• 60 [...]

VPN Status

• IPSec Tunnels
• DMVPN Tunnels
• Easy VPN Servers
• IKE SAs

Test Tunnel... Button
Click to test a selected VPN tunnel. The results of the test will be shown in another window.

IPSec Tunnels[...]

The number of errors that have occurred while sending packets.
• Receive Error Packets column: The number of errors that have occurred while receiving packets.
• Encrypted Packets column: The [...]

Resets statistics counters for the tunnel listed, setting the number of packets encapsulated and decapsulated, the number of sent and received errors, and the number of packets encrypted and decrypted[...]

• Public IP address
• Assigned IP address
• Encrypted Packets
• Decrypted Packets
• Dropped Outbound Packets
• Dropped Inbound Packets
• Status

Update button
Click this button to d[...]

– MM_KEY_EXCH: The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
– MM_KEY_AUTH: The ISAKMP SA[...]

Firewall Status

Number of Attempts Denied by Firewall: Shows the number of connection attempts rejected by the firewall.
Attempts Denied by Firewall Table: Shows a list of connection attempts denied by th[...]

*Jun 27 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn text-chat service session initiator 14.1.0.1:1973 sends 142 bytes to responder 207.46.108.33:1863
*Jun 28 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn[...]

NAC Status

Clicking on an interface entry displays the information returned by posture agents installed on the hosts in the subnet for that interface. An example of the interface information follows:
10.10.1[...]

Logging

The router contains a log of events categorized by severity level, like a UNIX syslog service. This screen displays the router log. Note that it is the router log that is displayed, even if l[...]

Shows the severity of the logging event. Severity is shown as a number from 1 through 7, with lower numbers indicating more severe events. The descriptions of each of the severity levels are as f[...]
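The log lines shown earlier under Firewall Status are Cisco IOS syslog messages: an optional leading "*" (the router clock is not authoritative), a timestamp, then %FACILITY-SEVERITY-MNEMONIC and the message text, where the severity digit is what the Logging screen sorts on. The Python below is an added example, not code from the SDM guide, that parses that format, maps severities to their IOS names (the full syslog range 0 emergencies through 7 debugging), filters by severity the way the Overview's "severity level of 6 or higher" count does, and pulls the initiator, responder and byte count out of the %APPFW IM-session messages. The first sample line is the one printed in the guide; the other sample lines are constructed for the example.

```python
"""Parse Cisco IOS syslog lines of the form shown in the Logging screen.

Added example, not code from the SDM guide. SAMPLE_LOG repeats the first
%APPFW line from the guide; the other lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS severity names; lower number = more severe (syslog range is 0..7).
SEVERITY_NAMES = ("emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging")

# "*Jun 27 11:42:01.323: %APPFW-6-IM_MSN_SESSION: text..."
# The leading '*' means the router clock is not authoritative.
_LINE = re.compile(
    r"^(?P<unsynced>\*)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
_IM_SESSION = re.compile(
    r"initiator (?P<init_ip>[\d.]+):(?P<init_port>\d+) sends (?P<nbytes>\d+) bytes "
    r"to responder (?P<resp_ip>[\d.]+):(?P<resp_port>\d+)"
)


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    clock_unsynced: bool
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None if the line is not an IOS %FAC-SEV-MNEMONIC message."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ts"], m["unsynced"] is not None, m["facility"],
                    int(m["severity"]), m["mnemonic"], m["text"])


def parse_log(lines: List[str]) -> List[LogEntry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def at_most_severity(entries: List[LogEntry], level: int) -> List[LogEntry]:
    """Entries at least as severe as `level` (numerically <= level)."""
    return [e for e in entries if e.severity <= level]


def count_by_severity(entries: List[LogEntry]) -> Dict[int, int]:
    return dict(Counter(e.severity for e in entries))


def im_bytes_by_initiator(entries: List[LogEntry]) -> Dict[str, int]:
    """Sum bytes sent per initiating host across %APPFW IM-session messages,
    the number a practitioner would threshold on to spot chatty IM clients."""
    totals: Dict[str, int] = defaultdict(int)
    for e in entries:
        if e.facility != "APPFW" or not e.mnemonic.startswith("IM_"):
            continue
        m = _IM_SESSION.search(e.text)
        if m:
            totals[m["init_ip"]] += int(m["nbytes"])
    return dict(totals)


SAMPLE_LOG = [
    # from the guide
    "*Jun 27 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn text-chat service session "
    "initiator 14.1.0.1:1973 sends 142 bytes to responder 207.46.108.33:1863",
    # constructed lines below
    "*Jun 28 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn text-chat service session "
    "initiator 14.1.0.1:1975 sends 58 bytes to responder 207.46.108.33:1863",
    "Jun 28 11:43:10.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "203.0.113.7(4444) -> 198.51.100.10(22), 1 packet",
    "Jun 28 11:45:22.500: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "Jun 28 11:46:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, "
    "changed state to down",
    "this line is not a syslog message",
]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.severity} {e.severity_name:<14} {e.facility}-{e.mnemonic}: {e.text[:50]}")
    print("by severity:", count_by_severity(entries))
    print("IM bytes per initiator:", im_bytes_by_initiator(entries))
```

A practical note on the leading "*": it is set whenever the router has no authoritative time source, so log lines carrying it cannot be reliably correlated with other systems; the `clock_unsynced` flag is there so a collector can alert on it rather than silently trusting the timestamp.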


Chapter 33 File Menu Commands

The following options are available from the Cisco Router and Security Device Manager (SDM) File menu.

Save Running Config to PC
Saves the router's running configuration file to a text file on the PC.

Deliver Configu[...]

Cancel
Click this button to discard the configuration change and close the SDM Deliver to Router dialog box.

Save to File
Click this button to save the configuration changes shown in t[...]

File Management

You can choose a file or directory in the list on the right side of the window and then choose one of the commands above the list. Directories can be renamed or deleted. Files can be copied, pa[...]

Paste Button
After you click the Copy button to copy a file, click the Paste button to place the copy of the file in a different directory. Choose a target directory from the left side of the window.[...]

New Folder
This window allows you to name and create a new folder in the directory system on your Cisco router flash memory and on USB flash devices connected to that router. Enter the name of the [...]

Unable to perform 'squeeze flash'

Note: If the router does lose power after the erase flash operation, you can use the procedure at the following link to recover: http://www.cisco.com/univercd/cc/td/doc/prod[...]

Step 6 Enter the command erase flash:, and confirm. The router's IOS image, configuration file, the SDM.tar file, and the SDM.shtml file are removed from non-volatile RAM [...]


Chapter 34 Edit Menu Commands

The following options are available from the Cisco Router and Security Device Manager (SDM) Edit menu.

Preferences
This screen lets you configure the following Cisco Router and Security Device Manager options:
Pr[...]

Continue monitoring interface status when switching mode/task
This is SDM default behavior. SDM begins monitoring interface status when you click Monitor and select Interface status. To have SDM cont[...]

Chapter 35 View Menu Commands

The following options are available from the Cisco Router and Security Device Manager (SDM) View menu.

Home
Displays the SDM Home page, which provides information about router hardware, software, and LAN, WAN, Firew[...]

Running Config
Displays the router's running configuration.

Show Commands
Displays the Show Commands dialog box, which lets you issue Cisco IOS show commands to the router and view the output. The Sh[...]

Access Rules
Shows all of the default Access Control List (ACL) rules that permit or deny traffic to the network.

Firewall
Shows a list of protocols and the default options for whether each of them trigg[...]


Chapter 36 Tools Menu Commands

The following options are available from the Cisco Router and Security Device Manager (SDM) Tools menu.

Ping
Displays the Ping dialog box, which lets you send a ping message to another network device. See Gene[...]

USB Token PIN Settings

The USB Token PIN Settings dialog box allows you to set PINs for USB tokens connected to your router.

Select a PIN Type
Choose User PIN to set a user PIN, or Admin PIN[...]

Save the New PIN to Router
Check the Save the new PIN to router checkbox if you want to save the new PIN as an entry in Configure > VPN > VPN Components > Public Key Infrastructure > USB Tokens[...]

Update SDM

If there is more than one SDM .zip file, obtain the copy with the highest version number.
Step 2 Use the update wizard to copy the SDM files from your PC to the router.[...]

Update SDM from CD

If you have the SDM CD, you can use it to update SDM on your router. To do so, follow these steps:
Step 1 Place the SDM CD in the CD drive on your PC.
Step 2 Select Update SDM from [...]


Chapter 37 Help Menu Commands

The following options are available from the Cisco Router and Security Device Manager (SDM) Help menu.

Help Topics
Displays the SDM online help. The SDM online help Table of Contents appears in the left frame of the [...]


GLOSSARY

Symbols and Numerics

3DES: Triple DES. An encryption algorithm that uses three 56-bit DES encryption keys (effectively 168 bits) in quick succession. An alternative 3DES version uses just two 56-bit DES keys, but uses one of them twice,[...]

address translation: The translation of a network address and/or port to another network address and/or port. See also IP address, NAT, PAT, Static PAT.
ADSL: asymmetric digital subscriber line.
aggressive mode: A mode of establish[...]

asymmetric encryption: Also called public key systems, this approach allows anyone to obtain access to anyone else's public key and therefore send an encrypted message to that person using the public key.
asymmetric keys: A pair[...]

CA certificate: A digital certificate granted to one certification authority (CA) by another certification authority.
cache: A temporary repository of information accumulated from previous task executions that can be reused, decreasing[...]

CHAP: Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely identifies the remote end[...]

cookie: A cookie is a web browser feature which stores or retrieves information, such as a user's preferences, to persistent storage. In Netscape and Internet Explorer, cookies are implemented by saving a small text file on[...]

DES: Data Encryption Standard. Standard cryptographic algorithm developed and standardized by the U.S. National Institute of Standards and Technology (NIST). Uses a secret 56-bit encryption key. The DES algorithm is included in ma[...]

DMVPN: Dynamic multipoint virtual private network. A virtual private network in which routers are arranged in a logical hub and spoke topology, and in which the spokes have point-to-point GRE over IPSec connections with the hub. DMV[...]

E

EAPoUDP: Extensible Authentication Protocol over User Datagram Protocol. Sometimes shortened to EOU. The protocol used by a client and a NAD to perform posture validation.
Easy VPN: A centralized VPN management solution based on[...]

ESP: Encapsulating Security Payload. An IPSec protocol that provides both data integrity and confidentiality. ESP provides confidentiality, data origin authentication, replay detection,[...]

extended rules: A type of access rule. Extended rules can examine a greater variety of packet fields to determine a match. Extended rules can examine both the packet's source and destination IP addresses, the protoco[...]

G

global IKE policy: An IKE policy that is global to a device, rather than affecting only a single interface on that device.
GRE: generic routing encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide varie[...]

headend: The upstream, transmit end of a tunnel.
HMAC: Hash-based Message Authentication Code. HMAC is a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash funct[...]
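As an added example (not code from the SDM guide or from Cisco), the Python below builds HMAC from its definition in RFC 2104, H((K xor opad) || H((K xor ipad) || m)), with either MD5 or SHA-1 as the underlying hash, checks the result against Python's hmac module and against the RFC 2202 test vectors, truncates the tag to 96 bits as the IPsec HMAC-MD5-96 and HMAC-SHA-1-96 transforms do (RFC 2403 and RFC 2404), and verifies a tag with a constant-time comparison. Two points it makes concrete: a key longer than the hash's block size is hashed before use, so key length beyond that point adds nothing, and the HMAC construction does not rest on the hash being collision resistant, which is why HMAC-MD5 and HMAC-SHA-1 remain acceptable as MACs even though collisions have been found for both hashes.

```python
"""HMAC (RFC 2104) built from its definition, checked against the standard library.

Added example, not code from the SDM guide. Test vectors are from RFC 2202;
the 96-bit truncation is the one IPsec uses for HMAC-MD5-96 / HMAC-SHA-1-96.
"""
import hashlib
import hmac
from typing import Callable


def hmac_rfc2104(key: bytes, message: bytes, hash_fn: Callable = hashlib.sha1) -> bytes:
    """HMAC = H((K' xor opad) || H((K' xor ipad) || message)).

    K' is the key padded with zeros to the hash's block size; a key longer
    than the block size is first replaced by its hash, so extra key length
    beyond the block size adds nothing."""
    block_size = hash_fn().block_size          # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = hash_fn(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_fn(ipad + message).digest()
    return hash_fn(opad + inner).digest()


def hmac_md5(key: bytes, message: bytes) -> bytes:
    return hmac_rfc2104(key, message, hashlib.md5)


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    return hmac_rfc2104(key, message, hashlib.sha1)


def hmac_sha1_96(key: bytes, message: bytes) -> bytes:
    """Leftmost 96 bits of the HMAC-SHA-1 tag, as carried in the AH/ESP
    authentication field by the HMAC-SHA-1-96 transform."""
    return hmac_sha1(key, message)[:12]


def verify_sha1_96(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a byte-by-byte '==' that stops at the first
    mismatch would leak how much of a forged tag was right."""
    return hmac.compare_digest(hmac_sha1_96(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built HMAC against hmac.new for both hashes."""
    return all(
        hmac_rfc2104(key, message, h) == hmac.new(key, message, h).digest()
        for h in (hashlib.md5, hashlib.sha1)
    )


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"            # RFC 2202 HMAC-SHA-1 test case 1
    print("HMAC-SHA1    :", hmac_sha1(key, msg).hex())
    print("HMAC-SHA1-96 :", hmac_sha1_96(key, msg).hex())
    print("matches hmac module:", matches_stdlib(key, msg))
    tag = hmac_sha1_96(key, msg)
    print("verify good  :", verify_sha1_96(key, msg, tag))
    print("verify forged:", verify_sha1_96(key, msg + b"!", tag))
```

In production code use `hmac.new` and `hmac.compare_digest` directly; the hand-built version is here only to show where the two pads, the block-size padding and the truncation sit in the construction.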

IDS Sensor: An IDS sensor is hardware on which the Cisco IDS runs. IDS sensors can be stand-alone devices, or network modules installed on routers.
IDM: IDS Device Manager. IDM is software used to manage an IDS sensor.
IETF: Internet [...]

interface: The physical connection between a particular network and the router. The router's LAN interface connects to the local network that the router serves. The router has one or more WAN interfaces that connect to the Intern[...]

IPSec: A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation[...]

key pair: See public key encryption.
key recovery: A trusted method by which encrypted information can be decrypted if the decryption key is lost or destroyed.

L

L2F Protocol: Layer 2 Forwarding Protocol. Protocol that supports the c[...]

logical interface: An interface that has been created solely by configuration, and that is not a physical interface on the router. Dialer interfaces and tunnel interfaces are examples of logical interfaces.
loopback: In a loopback t[...]

MD5: Message Digest 5. A one-way hashing function that produces a 128-bit hash. Both MD5 and Secure Hashing Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco u[...]

NAD: Network Access Device. In a NAC implementation, the device that receives a host's request to log on to the network. A NAD, usually a router, works with posture agent software running on the host, virus protection software,[...]

NHRP: Next Hop Resolution Protocol. A client and server protocol used in DMVPN networks, in which the hub router is the server and the spokes are the clients. The hub maintains an NHRP database of the public interface addresses of each s[...]

P

PAD: packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disass[...]

physical interface: A router interface supported by a network module that is installed in the router chassis, or that is part of the router's basic hardware.
ping: An ICMP request sent between hosts to determine whether a host is ac[...]

PPTP: Point-to-Point Tunneling Protocol. Creates client-initiated tunnels by encapsulating packets into IP datagrams for transmission over TCP/IP-based networks. Can be used as an alternative to the L2F and L2TP tunneling protocols. [...]

public key encryption: In public key encryption systems, every user has both a public key and a private key. Each private key is maintained by a single user and shared with no one. The private key is used to generate a unique [...]

remote subnet: Subnetworks are IP networks arbitrarily segmented by a network administrator (by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the address in[...]

route map: Route maps enable you to control information that is added to the routing table. SDM automatically creates route maps to prevent NAT from translating specific source addresses when doing so would prevent packets from m[...]

S

SA: security association. A set of security parameters agreed upon by two peers to protect a specific session in a particular tunnel. Both IKE and IPSec use SAs, although the SAs are independent of one another. IPSec SAs are unidirect[...]

SHA-1: Secure Hashing Algorithm 1. Algorithm that takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks. SHA-1 [...]

spoofing, spoof: The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms such as filters and access lists.
SRB: source-route bridging. Me[...]

subnet, subnetwork: In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by the network administrator in order to provide a multilevel, hierarchical routing structure while shi[...]

traffic flow confidentiality or traffic analysis: Security concept that prevents the unauthorized disclosure of communication parameters. The successful implementation of this concept hides source and destination IP addresses, m[...]

VFR: Virtual Fragment Reassembly. VFR enables IOS Firewall to dynamically create ACLs to block IP fragments. IP fragments often do not contain enough information for static ACLs to be able to filter them.
VPI: virtual path ident[...]

VPN mirror policy: A VPN policy on a remote system that contains values that are compatible with a local policy and that enable the remote system to establish a VPN connection to the local system. Some values in a mirror policy must match [...]

X

X.509: A digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature.
X.509 certificate: A digital certificate that is structured according to the X[...]
