Cisco ROUTER-SDM-CD User Guide

Cisco ROUTER-SDM-CD Manual

Cisco ROUTER-SDM-CD manual content summary:

  • Cisco ROUTER-SDM-CD | User Guide - Page 1
    Cisco Router and Security Device Manager User's Guide 2.5 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: Text Part Number: OL-4015-12
  • Cisco ROUTER-SDM-CD | User Guide - Page 2
    DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any is unintentional and coincidental. Cisco Router and Security Device Manager 2.5 User's Guide © 2007 Cisco Systems, Inc. All rights reserved.
  • Cisco ROUTER-SDM-CD | User Guide - Page 3
    Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface? 10 How Do I Edit a Radio Interface Configuration? 11 LAN Wizard 1 Ethernet Configuration 2 LAN Wizard: Select an Interface 2 LAN Wizard: IP Address and Subnet Mask 3 Cisco Router and Security Device Manager 2.5 User's Guide iii
  • Cisco ROUTER-SDM-CD | User Guide - Page 4
    (VLAN or Ethernet) 7 802.1x Exception List 8 802.1x Authentication on Layer 3 Interfaces 9 Edit 802.1x Authentication 10 How Do I ... 11 How Do I Configure 802.1x Authentication on More Than One Ethernet Port? 11
  • Cisco ROUTER-SDM-CD | User Guide - Page 5
    ISDN Connection Reference 20 ISDN Wizard Welcome Window 21 IP Address: ISDN BRI or Analog Modem 21 Switch Type and SPIDs 22 Dial String 23 Configuring an Aux Backup Connection 24 Aux Backup Connection Reference 24
  • Cisco ROUTER-SDM-CD | User Guide - Page 6
    9 Association 9 NAT 11 Edit Switch Port 12 Application Service 13 General 14 Select Ethernet Configuration Type 16 Connection: VLAN 17 Subinterfaces List 17 Add or Edit BVI Interface 18 Add or Edit Loopback Interface 18
  • Cisco ROUTER-SDM-CD | User Guide - Page 7
    (AUX Backup) 53 Authentication 55 SPID Details 56 Dialer Options 57 Backup Configuration 59 Delete Connection 60 Connectivity Testing and Troubleshooting 62 Wide Area Application Services 1 Configuring a WAAS Connection 2 WAAS Reference 3
  • Cisco ROUTER-SDM-CD | User Guide - Page 8
    Through a DMZ Interface? 18 How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? 19 How Do I Configure NAT on an Unsupported Interface? 19 How Do I Configure NAT Passthrough for a Firewall? 20
  • Cisco ROUTER-SDM-CD | User Guide - Page 9
    Cisco SDM Warning: Inspection Rule 16 Cisco SDM Warning: Firewall 17 Edit Firewall Policy 17 Add a New Rule 21 Add Traffic 22 Application Inspection 23 URL Filter 24 Quality of Service 24 Inspect Parameter 24 Select Traffic 24 Delete Rule 25
  • Cisco ROUTER-SDM-CD | User Guide - Page 10
    Wizard 4 View Defaults 5 VPN Connection Information 6 IKE Proposals 8 Transform Set 11 Traffic to Protect 13 Summary of the Configuration 14 Spoke Configuration 15 Secure GRE Tunnel (GRE-over-IPSec) 16 GRE Tunnel Information 16
  • Cisco ROUTER-SDM-CD | User Guide - Page 11
    of VPN Support? 36 How Do I Configure a VPN on an Unsupported Interface? 37 How Do I Configure a VPN After I Have Configured a Firewall? 38 How Do I Configure NAT Passthrough for a VPN? 38 Easy VPN Remote 1 Creating an Easy VPN Remote Connection 2 Create Easy VPN Remote Reference 3
  • Cisco ROUTER-SDM-CD | User Guide - Page 12
    Easy VPN Remote Wizard: Authentication 11 Easy VPN Remote Wizard: Summary of Configuration 13 Administering Easy VPN Remote Connections 14 Editing an Existing Easy VPN Remote 39 XAuth Login Window 40 Other Procedures 40
  • Cisco ROUTER-SDM-CD | User Guide - Page 13
    and WINS Configuration 11 Split Cisco Tunneling Control Protocol 20 Summary 21 Browser Proxy Settings 21 Editing Easy VPN Server Connections 23 Edit Easy VPN Server Reference 23 Edit Easy VPN Server 24 Add or Edit Easy VPN Server Connection 25
  • Cisco ROUTER-SDM-CD | User Guide - Page 14
    7 Dynamic Multipoint VPN (DMVPN) Spoke Wizard 9 DMVPN Network Topology 9 Specify Hub Information 10 Spoke GRE Tunnel Interface Configuration 10 Cisco SDM Warning: DMVPN Dependency 11 Edit Dynamic Multipoint VPN (DMVPN) 12
  • Cisco ROUTER-SDM-CD | User Guide - Page 15
    General Panel 14 NHRP Panel 15 NHRP Map Configuration 16 Routing Panel 17 How Do I Configure a DMVPN Manually? 19 VPN Global Settings 1 VPN Global Settings 1 VPN Global Settings: IKE 3 VPN Set 18 IPSec Rules 20
  • Cisco ROUTER-SDM-CD | User Guide - Page 16
    Wizard Welcome 9 Enrollment Task 10 Enrollment Request 10 Continue with Unfinished Enrollment 11 Import CA certificate 12 Import Router Certificate(s) 12 Digital Certificates 13 Trustpoint Information 15 Certificate Details 15
  • Cisco ROUTER-SDM-CD | User Guide - Page 17
    CA Server 11 Edit CA Server Settings: General Tab 12 Edit CA Server Settings: Advanced Tab 13 Manage CA Server: CA Server Not Configured 13 Manage Certificates 13 Pending Requests 13 Revoked Certificates 15 Revoke Certificate 16
  • Cisco ROUTER-SDM-CD | User Guide - Page 18
    SSL VPN Connections 20 Editing SSL VPN Connection Reference 21 Edit SSL VPN 22 SSL VPN Context 23 Designate Inside and Outside Interfaces 25
  • Cisco ROUTER-SDM-CD | User Guide - Page 19
    about Port Forwarding Servers 46 Learn More About Group Policies 47 Learn More About Split Tunneling 48 How do I verify that my Cisco IOS SSL VPN is working? 49 How do I configure a Cisco IOS SSL VPN after I have configured a firewall? 50
  • Cisco ROUTER-SDM-CD | User Guide - Page 20
    Client 3 VPN Troubleshooting: Generate Traffic 4 VPN Troubleshooting: Generate GRE Traffic 5 Cisco SDM Warning: SDM will enable router debugs... 6 Security Audit 1 Welcome Page 4 Interface Selection Page 4 Report Card Page 5 Fix It Page 5 Disable Finger Service 6 Disable PAD Service 7 Disable TCP
  • Cisco ROUTER-SDM-CD | User Guide - Page 21
    NULL Interface 21 Enable Unicast RPF on Outside Interfaces 22 Enable Firewall on All of the Outside Interfaces 22 Set Access Class on HTTP Server Service 23
  • Cisco ROUTER-SDM-CD | User Guide - Page 22
    Router 24 Enable AAA 24 Configuration Summary Screen 25 Cisco SDM and Cisco IOS AutoSecure 25 Security Configurations Cisco SDM Can Undo 27 Undoing Security Audit Fixes 28 Add or Edit Telnet/SSH Account Screen 28 Configure 5
  • Cisco ROUTER-SDM-CD | User Guide - Page 23
    3 Create IPS: SDF Location 3 Create IPS: Signature File 4 Create IPS: Configuration File Location and Category 5 Add or Edit a Config Location 6 Directory Selection 7 Signature File 7 Create IPS: Summary 8 Create IPS: Summary 8
  • Cisco ROUTER-SDM-CD | User Guide - Page 24
    IPS: SEAP Configuration 27 Edit IPS: SEAP Configuration: Target Value Rating 28 Add Target Value Rating 29 Edit IPS: SEAP Configuration: Event Cisco Security Center 55 IPS-Supplied Signature Definition Files 55 Security Dashboard 56
  • Cisco ROUTER-SDM-CD | User Guide - Page 25
    3 Interface Selection 3 Queuing for Outbound Traffic 4 Add a New Traffic Class 5 Policing for Outbound Traffic 7 QoS Policy Generation 7 QoS Configuration Summary 8 Editing QoS Policies 9 Edit QoS Policy Reference 10 Edit QoS Policy 10
  • Cisco ROUTER-SDM-CD | User Guide - Page 26
    Policy 8 Add Exception Policy 9 Agentless Host Policy 10 Configuring NAC for Remote Access 10 Modify Firewall 11 Details Window 11 Summary of the configuration 12 Edit NAC Tab 13 NAC Components 14 Exception List Window 14
  • Cisco ROUTER-SDM-CD | User Guide - Page 27
    for Router Access 11 Add or Edit a Username 12 View Password 14 vty Settings 15 Edit vty Lines 15 Configure Management Access Policies 17 Add or Edit a Management Policy 19 Management Access Error Messages 20 SSH 22 DHCP Configuration 23
  • Cisco ROUTER-SDM-CD | User Guide - Page 28
    Policy Firewall 1 Zone Window 2 Add or Edit a Zone 3 Zone-Based Policy General Rules 3 Zone Pairs 5 Add or Edit a Zone Pair 5 Add a Zone 6 Select a Zone 7
  • Cisco ROUTER-SDM-CD | User Guide - Page 29
    1 Configuring AAA Troubleshooting Tips 2 Cisco Common Classification Policy Language 1 Policy Map 1 Policy Map Windows 1 Add or Edit a QoS Policy Map 3 Associate a Policy Map to Interface 3 Add an Inspection Policy Map 5 Layer 7 Policy Map 5
  • Cisco ROUTER-SDM-CD | User Guide - Page 30
    Criteria 20 HTTP Request/Response Header Fields 20 Request/Response Body 21 Request/Response Protocol Violation 22 Add or Edit an IMAP Class Map 22
  • Cisco ROUTER-SDM-CD | User Guide - Page 31
    or Edit Local URL 6 Import URL List 7 URL Filter Servers 7 Add or Edit a URL Filter Server 8 URL Filtering Precedence 9 Configuration Management 1 Manually Editing the Configuration File 1 Config Editor 2 Reset to Factory Defaults 3
  • Cisco ROUTER-SDM-CD | User Guide - Page 32
    BRI Interface Configuration May Be Read-Only 27 Reasons Why an Analog Modem Interface Configuration May Be Read-Only 28 Firewall Policy Use Case Scenario 29 DMVPN Configuration Recommendations 29 Cisco SDM White Papers 31
  • Cisco ROUTER-SDM-CD | User Guide - Page 33
    Getting Started 1 What's New in this Release? 2 Cisco IOS Versions Supported 4 Viewing Router Information 1 Overview 2 Interface Status 6 Firewall Status 9 Zone-Based Application/Protocol Traffic 27 NAC Status 28
  • Cisco ROUTER-SDM-CD | User Guide - Page 34
    Factory Defaults 2 File Management 2 Rename 5 New Folder 5 Save SDF to PC 6 Exit 6 Unable to perform squeeze flash 6 Edit Menu Commands 1 Preferences 1 View Menu Commands 1 Home 1 Configure 1 Monitor 1
  • Cisco ROUTER-SDM-CD | User Guide - Page 35
    Audit 1 USB Token PIN Settings 2 Wireless Application 3 Update Cisco SDM 3 CCO Login 4 Help Menu Commands 1 Help Topics 1 Cisco SDM on CCO 1 Hardware/Software Matrix 1 About this router... 2 About Cisco SDM 2
  • Cisco ROUTER-SDM-CD | User Guide - Page 36
  • Cisco ROUTER-SDM-CD | User Guide - Page 37
    /Total RAM Cisco SDM Version The version of Cisco IOS software that is currently running on the router. The version of Cisco Router and Security Device Manager (Cisco SDM) software that is currently running on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 38
    image that does not support security features, the Firewall Policy, VPN, and Intrusion Prevention sections do not appear on the home page. View Running Config Click this button to display the router's running configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 39
    of supported LAN interfaces currently configured on the router. Total WAN Connections The total number of Cisco SDM-supported WAN connections that are present on the router. DHCP Server Configured/ Not Configured DHCP Pool (Detail view) If one pool is configured, starting and ending address
  • Cisco ROUTER-SDM-CD | User Guide - Page 40
    connections. The number of configured Easy VPN Remote connections. If this router is functioning as an Easy VPN Server, the number of Easy VPN clients with active connections. Description A description of the connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 41
    built in, or they may be loaded from a remote location. Lists any dynamic routing protocols that are configured on the router. No. of IPS-enabled interfaces: The number of router interfaces on which IPS has been enabled.
  • Cisco ROUTER-SDM-CD | User Guide - Page 42
    Intrusion Prevention. SDF Version: The version of SDF files on this router. Security Dashboard: A link to the IPS Security Dashboard, where the top-ten signatures can be viewed and deployed.
  • Cisco ROUTER-SDM-CD | User Guide - Page 43
    Chapter 2: Creating a New Connection. The Cisco SDM connection wizards guide you through LAN and WAN configurations, and check the information that you enter against the existing configuration, warning you of any problems. This chapter contains the following sections: • Creating a New Connection • New
  • Cisco ROUTER-SDM-CD | User Guide - Page 44
    physical interface exists, or if a supported interface exists that has been given an unsupported configuration. When you click the Other (Unsupported by Cisco SDM) radio button, the Create New Connection button is disabled.
  • Cisco ROUTER-SDM-CD | User Guide - Page 45
    ? • How Do I Enable or Disable an Interface? • How Do I View Activity on My WAN Interface? • How Do I Configure NAT on a WAN Interface? • How Do I Configure a Static Route? • How Do I Configure a Dynamic Routing Protocol?
  • Cisco ROUTER-SDM-CD | User Guide - Page 46
    Dial-on-Demand Routing for My ISDN or Asynchronous Interface? How Do I Configure a Static Route? To configure a static route: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 display statistics about a LAN interface:
  • Cisco ROUTER-SDM-CD | User Guide - Page 47
    the interface. How Do I View the IOS Commands I Am Sending to the Router? If you are completing a Wizard to configure a feature, you can view the Cisco IOS commands that you are sending to the router when you click Finish.
  • Cisco ROUTER-SDM-CD | User Guide - Page 48
    it does not support, or a supported interface with an unsupported configuration, Cisco SDM displays a radio button labeled Other (Unsupported by Cisco SDM). The unsupported interface is displayed in the Interfaces and Connections window, but it cannot be configured using Cisco SDM.
  • Cisco ROUTER-SDM-CD | User Guide - Page 49
    use the router command-line interface (CLI). How Do I Enable or Disable an Interface? You can disable an interface without removing its configuration, and you can reenable an interface that you have disabled. Step 1 Step 2 Step 3 Step 4 Click Configure on the Cisco SDM toolbar. Click Interfaces
  • Cisco ROUTER-SDM-CD | User Guide - Page 50
    across the interface. How Do I Configure NAT on a WAN Interface? Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Click Configure on the Cisco SDM toolbar. Click NAT in the left frame Address Translation Rule: Outside to Inside
  • Cisco ROUTER-SDM-CD | User Guide - Page 51
    Dynamic Routing dialog box, configure the dynamic routing protocol. If you need an explanation for any of the fields in the dialog box, click Help. When you have finished configuring the dynamic routing protocol, click OK.
  • Cisco ROUTER-SDM-CD | User Guide - Page 52
    line will be tied up, it is often desirable to configure Dial-on-Demand Routing (DDR) for these connection types. Cisco SDM can help you configure DDR by: • Letting you associate a rule (or ACL) with the connection, which causes the router to establish the connection only when it recognizes network
  • Cisco ROUTER-SDM-CD | User Guide - Page 53
    connection can remain idle before the router ends the connection. If you are Configuration? You must use the Wireless Application to edit an existing radio interface configuration. Step 1 Step 2 Step 3 Click Configure on the Cisco SDM
  • Cisco ROUTER-SDM-CD | User Guide - Page 54
  • Cisco ROUTER-SDM-CD | User Guide - Page 55
    a LAN interface, Cisco SDM inserts the description text $ETH-LAN$ in the configuration file so that it recognizes the interface as a LAN interface in the future. You can return to this screen as often as necessary to configure additional LAN interfaces.
  • Cisco ROUTER-SDM-CD | User Guide - Page 56
    on the WAN • A domain name LAN Wizard: Select an Interface Select the interface on which you want to configure a LAN connection in this window. This window lists interfaces that can support Ethernet LAN configurations.
  • Cisco ROUTER-SDM-CD | User Guide - Page 57
    is returned to the pool for use by another device. Field Reference Table 3-3 IP Address and Subnet Mask Element Enable DHCP Server Description To configure the router as a DHCP server on this interface, click Yes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 58
    parameters that will be sent to the requesting hosts on the LAN. To set these properties for the router, click Additional Tasks on the Cisco SDM category bar, click DHCP, and configure these settings in the DHCP Pools window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 59
    Description The DNS server is typically a server that maps a known device name with its IP address. If you have DNS server configured DHCP server that you are configuring on this router will provide services to other devices within this
  • Cisco ROUTER-SDM-CD | User Guide - Page 60
    Table 3-7 IP Address and Subnet Mask Element Description Existing VLAN If you want to assign the configured using the Wireless Application. The IP address and Subnet mask fields under New VLAN are disabled when this box is checked.
  • Cisco ROUTER-SDM-CD | User Guide - Page 61
    the bridging configuration. Step 1 Step 2 Select Wireless Application from the Cisco SDM Tools Mask Element Create a new bridge group Join an existing bridge group Description To create a new bridge group that this interface will be
  • Cisco ROUTER-SDM-CD | User Guide - Page 62
    When you configure the router as a DHCP server, you can create a pool of IP addresses that clients on the network can use. When a client logs off the network, the address it was using is returned to the pool for use by another host.
  • Cisco ROUTER-SDM-CD | User Guide - Page 63
    Layer 3 Ethernet Configuration Cisco SDM supports Layer 3 Ethernet configuration on routers with installed 3750 switch modules. You can create VLAN configurations and designate router Ethernet interfaces as DHCP servers.
  • Cisco ROUTER-SDM-CD | User Guide - Page 64
    11 IP Address and Subnet Mask Element VLAN ID (1-4094) Native VLAN Description Enter a VLAN ID number from 1 to 4094. Cisco SDM displays a message telling you to enter a different VLAN ID if the switch module interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 65
    IP Address of Physical Interface IP Address of VLAN Subinterface Description Enter the IP address and subnet mask for the physical configuration to the router's running configuration and leave this wizard: Click Finish. Cisco SDM saves the configuration changes to the router's running configuration
  • Cisco ROUTER-SDM-CD | User Guide - Page 66
  • Cisco ROUTER-SDM-CD | User Guide - Page 67
    enable 802.1x authentication on the switch port or ports you selected for configuration using the LAN wizard. Enable 802.1x Authentication Check Enable 802.1x Authentication to enable 802.1x authentication on the switch port.
  • Cisco ROUTER-SDM-CD | User Guide - Page 68
    Cisco 85x and Cisco 87x routers can be set only to multiple host mode. Single mode is disabled for these routers. Guest VLAN Check Guest VLAN to enable a VLAN for clients lacking 802.1x support to configure the interval locally, or
  • Cisco ROUTER-SDM-CD | User Guide - Page 69
    setting is 30 seconds. Supplicant Retries Timeout Enter the time, in seconds, that your Cisco IOS router retries an 802.1x client before timing out its connection to that client. Values must be The default setting is 2.
  • Cisco ROUTER-SDM-CD | User Guide - Page 70
    interface and click the Details button. The source IP address in the RADIUS packets sent from the router must be configured as the NAD IP address in the Cisco ACS version 3.3 or later. If you choose Router chooses source, the source IP address in the RADIUS packets will be the address of interface
  • Cisco ROUTER-SDM-CD | User Guide - Page 71
    Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS Router chooses source, you need not provide any value in the ping dialog source field.
  • Cisco ROUTER-SDM-CD | User Guide - Page 72
    (Switch Ports) This window allows you to enable and configure 802.1x authentication parameters. If a message is displayed indicating Cisco 87x routers can be set only to multiple host mode. Single mode is disabled for these routers.
  • Cisco ROUTER-SDM-CD | User Guide - Page 73
    802.1x support. If you configuring a VLAN with 802.1x authentication. Note Before configuring 802.1x on VLAN, be sure that 802.1x is not configured on any VLAN switch ports. Also be sure that the VLAN is configured for DHCP.
  • Cisco ROUTER-SDM-CD | User Guide - Page 74
    missing digit. Note Cisco SDM's 802.1x feature does not support the CLI option that associates policies with MAC addresses and will not include in the exception list MAC addresses that have a policy associated with them.
  • Cisco ROUTER-SDM-CD | User Guide - Page 75
    prerequisite task appears in the window, it must be completed before 802.1x authentication can be configured. A message explaining the prerequisite task is displayed, along with a link to the window for the Ethernet port.
  • Cisco ROUTER-SDM-CD | User Guide - Page 76
    you made. Edit 802.1x Authentication This window allows you to enable and change the default values for a number of 802.1x authentication parameters.
  • Cisco ROUTER-SDM-CD | User Guide - Page 77
    Note For configuring switches, the LAN wizard will continue to display the 802.1x options. If you want to edit the 802.1x authentication configuration on an Ethernet port, go to Configure > Additional Tasks > 802.1x.
  • Cisco ROUTER-SDM-CD | User Guide - Page 78
  • Cisco ROUTER-SDM-CD | User Guide - Page 79
    the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. In the Cisco SDM toolbar, click Configure. In the Cisco SDM taskbar, click Interfaces and Connections.
  • Cisco ROUTER-SDM-CD | User Guide - Page 80
    Interface Welcome Window This window lists the types of connections you can configure for this interface using Cisco SDM. If you need to configure another type of connection for this interface, you can do so using the CLI.
  • Cisco ROUTER-SDM-CD | User Guide - Page 81
    want to use for this connection. If you are configuring an Ethernet interface, Cisco SDM inserts the description text $ETH-WAN$ in the configuration file so that it will recognize the interface as a the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 82
    box to enable PPPoE encapsulation. Uncheck this box if your service provider does not use PPPoE. This check box will not be available if your router is running a version of Cisco IOS that does not support PPPoE encapsulation.
  • Cisco ROUTER-SDM-CD | User Guide - Page 83
    screen. Table 5-4 WAN Summary Buttons Element Test the connectivity after configuring Description Check this box if you want Cisco SDM to test the connection you have configured after it delivers the commands to the router. Cisco SDM will test the connection and report results in another window
  • Cisco ROUTER-SDM-CD | User Guide - Page 84
    routed. If a static route has already been configured on this router, this box does not appear. Next Hop Address If your service provider has given you a next-hop IP address to use, enter the IP address in this field. If you leave this field blank, Cisco SDM will use the WAN interface that you are
  • Cisco ROUTER-SDM-CD | User Guide - Page 85
    to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test results fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 86
    Relay Fields Element Static IP Address Description If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
  • Cisco ROUTER-SDM-CD | User Guide - Page 87
    Your service provider or network administrator may use a Challenge Handshake Authentication Protocol (CHAP) password or a Password Authentication Protocol (PAP) password to secure the connection between the devices. This password secures both incoming and outgoing access.
  • Cisco ROUTER-SDM-CD | User Guide - Page 88
    (DLCI). Field Reference Table 5-9 describes the fields in this screen. Table 5-9 LMI and DLCI Fields Element LMI Type ANSI Description Annex D defined by American National Standards Institute (ANSI) standard T1.617.
  • Cisco ROUTER-SDM-CD | User Guide - Page 89
    Settings Fields Element Clock Source T1 Framing Description Internal specifies that the clock be generated configures the T1 or E1 link for operation with D4 Super Frame (sf) or Extended Superframe (esf). The default is esf.
  • Cisco ROUTER-SDM-CD | User Guide - Page 90
    is used to configure the line build out (LBO) of the T1 link. The LBO decreases the transmit strength of the signal by -7.5 or -15 decibels. It is not likely to be needed on actual T1 or E1 lines. The default is none.
  • Cisco ROUTER-SDM-CD | User Guide - Page 91
    Create Connection to start the wizard. The wizard Welcome screen describes the tasks you will complete. Click Next to go to the subsequent screens to configure the connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 92
    to test the connection after sending the configuration to the router, check Test the connectivity after configuring. After you click Finish, Cisco SDM tests the connection and displays the test use to obtain an IP address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 93
    whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS. IP Address: ATM with RFC 1483 Routing Choose the method that the WAN interface will use to obtain an IP address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 94
    the type of encapsulation that the WAN link will use. Ask your service provider or network administrator which type of encapsulation is used for this link. The interface type determines the types of encapsulation available.
  • Cisco ROUTER-SDM-CD | User Guide - Page 95
    Fields Description Click Autodetect to have Cisco SDM discover the encapsulation type. If Cisco SDM succeeds, it will automatically supply the encapsulation type and other configuration parameters it discovers. Note Cisco SDM supports autodetect on SB106, SB107, Cisco 836, and Cisco 837 routers
  • Cisco ROUTER-SDM-CD | User Guide - Page 96
    Table 5-13 Encapsulation Fields Element Description Encapsulations Available for Serial Interfaces Frame Relay Provides Frame to VCI, VPI, or both VCI and VPI.
  • Cisco ROUTER-SDM-CD | User Guide - Page 97
    to you by your service provider. Cisco IOS Default Values The values shown in the following table are Cisco IOS defaults. Cisco SDM will not overwrite these values if they have been changed during a prior configuration, but if your router has not been previously configured, these are the values
  • Cisco ROUTER-SDM-CD | User Guide - Page 98
    the configuration to the router, click Finish. The ISDN Connection Reference describes the screens that Cisco SDM displays. ISDN Connection Reference • ISDN Wizard Welcome Window • Select Interface • IP Address: ISDN BRI or Analog Modem • Switch Type and SPIDs • Authentication
  • Cisco ROUTER-SDM-CD | User Guide - Page 99
    . Choose Dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
  • Cisco ROUTER-SDM-CD | User Guide - Page 100
    Element ISDN Switch Type Description Choose the ISDN switch type. Contact your ISDN service provider for the switch type for your connection. Cisco SDM supports these BRI switch types: - ntt-Japanese NTT ISDN switches
  • Cisco ROUTER-SDM-CD | User Guide - Page 101
    the remote end of the ISDN BRI or analog modem connection. This is the phone number that the ISDN BRI or analog modem interface will dial whenever a connection is made. The dial string is provided to you by your service provider.
  • Cisco ROUTER-SDM-CD | User Guide - Page 102
    Cisco SDM displays. Aux Backup Connection Reference • Aux Backup Welcome Window • Backup Configuration • Backup Configuration: Primary Interface and Next Hop IP Addresses • Backup Configuration: Hostname or IP Address to Be Tracked
  • Cisco ROUTER-SDM-CD | User Guide - Page 103
    following conditions exist: • The router is not using a Cisco IOS image that supports the Aux dial-backup feature. • A primary WAN interface is not configured. • The asynchronous interface is already configured. • The asynchronous interface is not configurable by Cisco SDM because of the presence of
  • Cisco ROUTER-SDM-CD | User Guide - Page 104
    Fields Element Primary Interface Description Enter the IP address or hostname of the destination host to which connectivity will be tracked. Please specify an infrequently contacted destination as the site to be tracked.
  • Cisco ROUTER-SDM-CD | User Guide - Page 105
    the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. In the Cisco SDM toolbar, click Configure. In the Cisco SDM taskbar, click Interfaces and Connections.
  • Cisco ROUTER-SDM-CD | User Guide - Page 106
    • Dial String • Summary Analog Modem Welcome This screen describes the tasks you will perform to configure an analog modem connection. PPP is the only type of encoding supported over an analog modem connection by Cisco SDM.
  • Cisco ROUTER-SDM-CD | User Guide - Page 107
    To send the configuration to the router, click Finish. The Cable Modem Connection Reference describes the screens that Cisco SDM displays. Cable Modem Connection Reference • Cable Modem Connection Wizard Welcome • Select Interface • Advanced Options • Summary
  • Cisco ROUTER-SDM-CD | User Guide - Page 108
    router. Cisco SDM configures a cable modem connection as a DHCP client. The following lines show a cable modem connection with no NAT or static route configuration Selected Interface: Cable Modem 0/1/0 IP Address: Dynamic (DHCP Client)
  • Cisco ROUTER-SDM-CD | User Guide - Page 109
    screen. Table 5-21 Summary Buttons Element Test the connectivity after configuring Description Check this box if you want Cisco SDM to test the connection you have configured after it delivers the commands to the router. Cisco SDM will test the connection and report results in another window
  • Cisco ROUTER-SDM-CD | User Guide - Page 110
    Configuring a Cable Modem Connection Chapter 5 Configuring WAN Connections
  • Cisco ROUTER-SDM-CD | User Guide - Page 111
    interface. When you choose an interface and click Edit, a dialog appears. If the interface is a supported and configured interface and is not a switch port, the dialog will have the following tabs: • Connection • Association tab • NAT tab
  • Cisco ROUTER-SDM-CD | User Guide - Page 112
    • Application Service • General tab If the interface is not supported, the dialog Slot, Status, and Description. Clicking Details displays the an interface whose configuration was not delivered to the router. Click to problem.
  • Cisco ROUTER-SDM-CD | User Guide - Page 113
    lists the physical and logical interfaces by name. If a logical interface is configured for a physical interface, the logical interface is shown under the physical interface. If Cisco SDM is running on a Cisco 7000 family router, you will be able to create a connection only on Ethernet and Fast
  • Cisco ROUTER-SDM-CD | User Guide - Page 114
    Interface Configuration May Be Read-Only. • For reasons why a previously configured ISDN BRI interface may appear as read-only in the interface list, see the help topic Reasons Why an ISDN BRI Interface Configuration May Be Read-Only.
  • Cisco ROUTER-SDM-CD | User Guide - Page 115
    if you chose Ethernet for IRB in the Configure list. Current Bridge Group/Associated BVI These read changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use
  • Cisco ROUTER-SDM-CD | User Guide - Page 116
    Routing This dialog box contains the following fields if you chose Ethernet for Routing in the Configure list. IP Address Enter an IP address and subnet mask in the IP Address fields. the WAN interface IP address changes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 117
    , or delete dynamic DNS methods, go to Configure > Additional Tasks > Dynamic DNS Methods. Add Dynamic DNS Method This window allows you to add a dynamic DNS method. Choose the type of method, HTTP or IETF, and configure it.
  • Cisco ROUTER-SDM-CD | User Guide - Page 118
    DNS service provider Router Properties > Edit > Domain, or if you want to override the configured domain name. When updating the interface IP address, the dynamic DNS method sends the domain name along with the interface's new IP address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 119
    traffic that matches the IP address and service criteria specified in the rule. Inbound router. Any packet that the rule does not permit is dropped and will not be routed to another interface. When you apply a rule to the inbound
  • Cisco ROUTER-SDM-CD | User Guide - Page 120
    chosen interface in a VPN by associating it with an IPsec policy. IPsec Policy The configured IPsec policy associated with this interface. To associate the interface with an IPsec policy, choose the policy from this list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 121
    Internet or to your organization's WAN, choose Outside. If you have chosen an interface that cannot be used in a NAT configuration, such as a logical interface, this field is disabled and contains the value Not Supported.
  • Cisco ROUTER-SDM-CD | User Guide - Page 122
    to which the switch port will be connected. Or choose auto to allow for the speed to be automatically set to the optimal value.
  • Cisco ROUTER-SDM-CD | User Guide - Page 123
    The Power inline drop-down list appears if the switch port supports an inline power supply. Choose one of the following values: • never -Never apply inline power. Application Service This window allows you to associate QoS policies
  • Cisco ROUTER-SDM-CD | User Guide - Page 124
    you can enter a short description of the interface configuration. This description is visible in the Edit Interfaces and Connections window. A description, such as "Accounting" or "Test Net 5," can help other Cisco SDM users understand the purpose of the configuration. IP Directed Broadcasts An IP
  • Cisco ROUTER-SDM-CD | User Guide - Page 125
    use the Netflow options available on the Application Service tab. IP Redirects ICMP redirect messages instruct an end node to use a specific router as a part of its path to a network and can eliminate redirect attacks.
  • Cisco ROUTER-SDM-CD | User Guide - Page 126
    WAN, and then click OK. Cisco SDM adds the comment line $ETH-WAN$ to the interface configuration, and the interface appears in the WAN wizard window with the designation Outside in the Interfaces and Connections window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 127
    , and a description, if one was entered. For example, if the router had the interface FastEthernet1, and the subinterfaces FastEthernet1.3 and FastEthernet1.5 are configured, this window might contain the following display
  • Cisco ROUTER-SDM-CD | User Guide - Page 128
    BVI) in this window. If your router has a Dot11Radio interface, a BVI is automatically created when you configure a new bridge group. This is done to support IRB bridging. You can change the address or a static IP address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 129
    address you want this VTI to use. Tunnel Mode Choose IPSec-IPv4. Connection: Ethernet LAN Use this window to configure the IP address and DHCP properties of an Ethernet interface that you want to use as a LAN interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 130
    must use Point-to-Point Protocol over Ethernet (PPPoE) encapsulation. Your service provider can tell you whether the connection uses PPPoE. When you configure a PPPoE connection, a dialer interface is automatically created.
  • Cisco ROUTER-SDM-CD | User Guide - Page 131
    IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method.
  • Cisco ROUTER-SDM-CD | User Guide - Page 132
    (DHCP Client) Available with PPPoE encapsulation and with no encapsulation. If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
  • Cisco ROUTER-SDM-CD | User Guide - Page 133
    if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure
  • Cisco ROUTER-SDM-CD | User Guide - Page 134
    configure an Ethernet connection with no encapsulation. IP Address Choose how the router If your service provider inserts a hostname for the router into the only if supported by the Cisco IOS release on your router. To choose
  • Cisco ROUTER-SDM-CD | User Guide - Page 135
    a PPPoE link supported by an ADSL connection service provider. If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and re-create it using the value you need.
  • Cisco ROUTER-SDM-CD | User Guide - Page 136
    Enter the VCI value given to you by your service provider. If you are editing an existing connection, Configure the ADSL line to train in the ANSI T1.413 Issue 2 mode. • itu-dmt-Configure the ADSL line to train in the ITU G.992.1 mode.
  • Cisco ROUTER-SDM-CD | User Guide - Page 137
    HWIC-1ADSL, and HWIC-1ADSLI ADSL network modules. • splitterless-Configure the ADSL line to train in the G.Lite mode. This Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method
  • Cisco ROUTER-SDM-CD | User Guide - Page 138
    to identify the path used for a number of connections. Obtain this value from your service provider. If you are editing an existing connection, this field is disabled. If you . Obtain this value from your service provider.
  • Cisco ROUTER-SDM-CD | User Guide - Page 139
    you are running on the router does not support all five operating modes, you will see options only for the operating modes supported by your Cisco IOS release. • annexb-Standard Annex-B mode of ITU-T G.992.1. • annexb-ur2-ITU-T G.992.1 Annex-B mode. • auto-Configure the Asymmetric Digital Subscriber
  • Cisco ROUTER-SDM-CD | User Guide - Page 140
    if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure
  • Cisco ROUTER-SDM-CD | User Guide - Page 141
    that you are configuring uses a DSL service provider. If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and re-create it using the value you need.
  • Cisco ROUTER-SDM-CD | User Guide - Page 142
    DHCP option 12, it sends a hostname for the router along with the IP address the router is to use. Check with your service provider or network administrator to determine the hostname sent. chosen and the field is disabled.
  • Cisco ROUTER-SDM-CD | User Guide - Page 143
    . Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to Configure > Additional Tasks > Dynamic DNS Methods. • Choose an existing dynamic DNS method from a list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 144
    modem service module. Table 6-1 Field Description Cable Modem Element Description Change the default service module IP address Check box Check Change the default service the decimal value is automatically updated.
  • Cisco ROUTER-SDM-CD | User Guide - Page 145
    Configure DSL Controller Cisco SDM supports the configuration of the Cisco WIC-1SHDSL-V2. This WIC supports T1, E1, or a G.SHDSL connection over an ATM interface. Cisco SDM only supports be made.
  • Cisco ROUTER-SDM-CD | User Guide - Page 146
    which configures the interface to automatically negotiate the line rate between the G.SHDSL port and the DSLAM, or the actual DSL line rate. The supported line end crosstalk (Snext) signal-to-noise ratio margin in the form of decibels.
  • Cisco ROUTER-SDM-CD | User Guide - Page 147
    edit the connection configuration. To delete a service provider. If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and recreate it using the value you need.
  • Cisco ROUTER-SDM-CD | User Guide - Page 148
    service router. If you select this option, you must specify from the drop-down list the Ethernet interface whose address you want to use. Description Enter a description of this connection that makes it easy to recognize and manage.
  • Cisco ROUTER-SDM-CD | User Guide - Page 149
    DNS servers whenever the WAN interface's IP address changes. Note This feature appears only if supported by your Cisco server's IOS. To choose a dynamic DNS method to use, do one of the following from the drop-down menu.
  • Cisco ROUTER-SDM-CD | User Guide - Page 150
    Complete these fields if you are configuring a serial subinterface for Frame Relay this interface. Obtain this value from your network administrator or service provider. For more information, see IP Addresses and Subnet Masks
  • Cisco ROUTER-SDM-CD | User Guide - Page 151
    connection and create it again. LMI Type Ask your service provider which of the following Local Management Interface (LMI routers not from Cisco. Check this box if you are connecting to a router not from Cisco on this interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 152
    appears only if you are configuring a T1 or E1 serial connection. Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS
  • Cisco ROUTER-SDM-CD | User Guide - Page 153
    or service provider. Subnet Bits Alternatively, enter the network bits to specify how many bits in the IP address provide the network address. Authentication Click if you need to enter CHAP or PAP authentication information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 154
    appears only if you are configuring a T1 or E1 serial connection. Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS
  • Cisco ROUTER-SDM-CD | User Guide - Page 155
    Encapsulation Fill out these fields if you are configuring a serial interface for HDLC encapsulation. If mask or the network bits from your network administrator or service provider. Subnet Bits Alternatively, choose the number of bits
  • Cisco ROUTER-SDM-CD | User Guide - Page 156
    add a GRE tunnel to an interface or edit an existing interface in this window. This window does not appear if the GRE tunnel is not configured using gre ip mode. Tunnel Number Enter a number for this tunnel.
  • Cisco ROUTER-SDM-CD | User Guide - Page 157
    public, routable IP address. Tunnel Destination The tunnel destination is the interface on the router at the other end of the tunnel. Choose whether you will specify an IP address or a hostname, this tunnel in kilobytes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 158
    BRI Complete these fields if you are configuring an ISDN BRI connection. Because Cisco SDM supports only PPP encapsulation over an ISDN BRI 931 () SPIDs Click if you need to enter service profile ID (SPID) information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 159
    the fields below. IP Address Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider. For more information, see IP Addresses and Subnet Masks.
  • Cisco ROUTER-SDM-CD | User Guide - Page 160
    service supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure
  • Cisco ROUTER-SDM-CD | User Guide - Page 161
    Complete these fields if you are configuring an analog modem connection. Because Cisco SDM supports only PPP encapsulation over an administrator or service provider. For more information, see IP Addresses and Subnet Masks.
  • Cisco ROUTER-SDM-CD | User Guide - Page 162
    service supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure
  • Cisco ROUTER-SDM-CD | User Guide - Page 163
    type of connection. Note that because Cisco SDM supports only PPP encapsulation over an analog modem connection, the encapsulation shown is not editable. The option to configure the AUX port as a dial-up connection appears only for the Cisco 831 and 837 routers. This option will not be available
  • Cisco ROUTER-SDM-CD | User Guide - Page 164
    or service provider. configuration information. Click if you need to enter CHAP or PAP authentication information. Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 165
    do not know which type your service provider uses, you can check both boxes: the router will attempt both types of authentication, and one attempt will succeed. CHAP authentication is more secure than PAP authentication.
  • Cisco ROUTER-SDM-CD | User Guide - Page 166
    may support a SPID, and we recommend that you set up that ISDN service without SPIDs. In addition, SPIDs have significance at the local-access ISDN interface only. Remote routers never receive provided to you by your ISP.
  • Cisco ROUTER-SDM-CD | User Guide - Page 167
    configuring timer settings, you can have connections that shut down automatically, saving you connection time and cost. Idle timeout Enter the number of seconds that are allowed to pass before an idle connection (one that has no traffic passing over it) is terminated.
  • Cisco ROUTER-SDM-CD | User Guide - Page 168
    delivered until the current connection is ended. This timer sets the amount of not. Load Threshold Use this field to configure the percentage of bandwidth that must be Cisco SDM supports Multilink PPP only for outbound network traffic.
  • Cisco ROUTER-SDM-CD | User Guide - Page 169
    Backup Configuration ISDN BRI and analog modem interfaces can be configured a connection so that network services are not lost. Enable Backup Cisco SDM for tracking the connectivity to the remote host.
  • Cisco ROUTER-SDM-CD | User Guide - Page 170
    hop IP address. If you do not enter next hop IP addresses, Cisco SDM will configure static routes using the interface name. Note that when you back up a to cause Cisco SDM to delete the connection and all of the associations.
  • Cisco ROUTER-SDM-CD | User Guide - Page 171
    crypto map, click Configure, then click Interfaces and Connections. Click the connection in the Interface List, and then click Edit. Click the Association tab, then in the VPN group, in the IPSec Policy field, click None.
  • Cisco ROUTER-SDM-CD | User Guide - Page 172
    take to correct the problem. Which connection types can be tested? Cisco SDM can troubleshoot ADSL, G.SHDSL V1 and G.SHDSL V2 connections, using PPPoE, AAL5SNAP or AAL5MUX encapsulation. Cisco SDM can troubleshoot Ethernet connections with PPPoE encapsulation.
  • Cisco ROUTER-SDM-CD | User Guide - Page 173
    the PPPoE connection is down, there is a cabling problem, and Cisco SDM displays appropriate reasons and actions. After performing these checks, the test is terminated and Cisco SDM reports the results and suggests actions.
  • Cisco ROUTER-SDM-CD | User Guide - Page 174
    2. Checks DNS Settings, whether they be Cisco SDM default options or user-specified hostnames. 3. Checks DHCP or IPCP configuration and status. If the router has an IP address through either DHCP or IPCP Cisco SDM goes to step 4. If the router
  • Cisco ROUTER-SDM-CD | User Guide - Page 175
    to view the detailed troubleshooting information. This column displays the troubleshooting activities. Displays the status of each troubleshooting activity by the following a possible action/solution to rectify the problem.
  • Cisco ROUTER-SDM-CD | User Guide - Page 176
    have the option to abort the troubleshooting while the test is in progress. Click the Save Report button to save the test report in HTML format. This button will be active only when the test is in progress or when the testing is complete.
  • Cisco ROUTER-SDM-CD | User Guide - Page 177
    and failover support. • Web Cache Communication Protocol (WCCP). This is a Cisco protocol that specifies interactions between one or more routers or Layer of routers to a group of appliances. Any type of TCP traffic can be redirected.
  • Cisco ROUTER-SDM-CD | User Guide - Page 178
    the Cisco SDM toolbar, click Configure. In the Cisco SDM toolbar, click Interfaces and Connections. Click the NM WAAS tab, next to the Edit Interface/Connection tab. Click Edit Settings to configure the router for the WAAS network module. a. Enter the required information in the Integrated Services
  • Cisco ROUTER-SDM-CD | User Guide - Page 179
    the router. The CM displays the device registration status as online. WAAS Reference The following sections describe the WAAS configuration screens: • NM WAAS • Integrated Service Engine • WCCP • Central Manager Registration
  • Cisco ROUTER-SDM-CD | User Guide - Page 180
    NM WAAS If a WAAS network module is installed on the router, Cisco SDM shows the NM WAAS tab. This tab shows the current WAAS status and configuration, and from this tab you can go to the WAAS configuration screens. From this screen, Cisco SDM allows you to log
  • Cisco ROUTER-SDM-CD | User Guide - Page 181
    the WAAS central manager. Cisco SDM displays a red icon when the Edge WAE is not registered. To log on to the CM and register the Edge WAE on the router, click Register. Refresh To configure the WAAS device.... WAAS Configuration WAAS Interface Router IP address Service Module Internal IP Address
  • Cisco ROUTER-SDM-CD | User Guide - Page 182
    the configuration fields in this screen. Table 7-2 Integrated Service Engine Tab Element Router IP Address IP Address Description Enter the IP address of the router interface that is to redirect traffic to the WAAS service module.
  • Cisco ROUTER-SDM-CD | User Guide - Page 183
    gateway router that the WAAS service module is to use. WCCP Configure WCCP settings in this screen. WCCP settings specify the router interfaces that redirect traffic to the WAAS NM, and information about the WAAS CM.
  • Cisco ROUTER-SDM-CD | User Guide - Page 184
    Primary Interface Description Enter the IP Address of the WAAS Central Manager. Choose the router interface on which the registration request should be sent. The interface must have a route to the WAAS Central Manager's network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 185
    create. Note • The router that you are configuring must be using a Cisco IOS image that supports the Firewall feature set in order for you to be able to use Cisco Router and Security Device Manager (Cisco SDM) to configure a firewall on the router. • The LAN and WAN configurations must be complete
  • Cisco ROUTER-SDM-CD | User Guide - Page 186
    to configure a DMZ network, or if there is only one outside interface. Click Basic Firewall. Then, click Launch the Selected Task. Cisco SDM asks you to identify the interfaces on your router, and then it uses Cisco SDM default access rules and inspection rules to create the firewall.
  • Cisco ROUTER-SDM-CD | User Guide - Page 187
    Have Cisco SDM help me create an Advanced Firewall. If your router has multiple inside and outside interfaces, and you want to configure a Router? • How Do I Permit Specific Traffic onto My Network if I Don't Have a DMZ Network?
  • Cisco ROUTER-SDM-CD | User Guide - Page 188
    Cisco SDM to do this, you must specify the inside and outside interfaces in the next window. Click Next to begin configuration. Basic Firewall Interface Configuration Identify the interfaces on the router multiple interfaces.
  • Cisco ROUTER-SDM-CD | User Guide - Page 189
    what rules you want to use in the firewall. Click Next to begin configuration. Advanced Firewall Interface Configuration Identify the router's inside and outside interfaces and the interface that connects to the DMZ network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 190
    access the router using Cisco SDM. The Service Configuration This area shows the DMZ service entries configured on the router. Start IP Address The first IP address in the range that specifies the hosts in the DMZ network. End
  • Cisco ROUTER-SDM-CD | User Guide - Page 191
    , you must enter the NAT-translated address, known as the inside global address. End IP Address Enter the last IP address in the range; for example, 172.20.1.254. If NAT is enabled, you must enter the NAT-translated address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 192
    service from the list displayed. Application Security Configuration Cisco SDM description of the security it provides. The wizard summary screen displays the policy name, SDM_HIGH, SDM_MEDIUM, or SDM_LOW and the configuration
  • Cisco ROUTER-SDM-CD | User Guide - Page 193
    Interface Zone This window appears if a router interface other than the one you are configuring is a member of a Zone-Based Policy Firewall security zone. For more information about this topic, see Zone-Based Policy Firewall.
  • Cisco ROUTER-SDM-CD | User Guide - Page 194
    Configuration Fields Element Enable Voice Configuration Interface Outside (untrusted) Inside (trusted) Description Check Enable Voice Configuration to enable the other fields in this screen. The name of a router network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 195
    . Inside (trusted) Interface(s) Cisco SDM lists the router's logical and physical interfaces that you designated as the inside interfaces in this wizard session, along with their IP addresses. Underneath, plain-language descriptions are given for each configuration statement applied to the inside
  • Cisco ROUTER-SDM-CD | User Guide - Page 196
    Cisco SDM lists the router logical and physical interfaces that you designated as outside interfaces in this wizard session, along with their IP addresses. Underneath, plain-language descriptions are given for each configuration to permit service traffic going to DMZ interface. Service ftp at 10
  • Cisco ROUTER-SDM-CD | User Guide - Page 197
    the CLI commands that you are delivering to the router. SDM Warning: SDM Access This window appears when you have indicated that Cisco SDM should be able to access the router from outside interfaces. It informs you that you must ensure that SSH and HTTPS are configured, and that at least one of the
  • Cisco ROUTER-SDM-CD | User Guide - Page 198
    Host/Network box. In the Management Protocols box, check Allow SDM. Check HTTPS and SSH to allow those protocols. Click OK to close the dialog. Click Apply Changes in the window that displays management access policies.
  • Cisco ROUTER-SDM-CD | User Guide - Page 199
    want to generate log entries. To configure access rules for generating log entries: Step 1 From the left frame, select Additional Tasks. Step 2 In the Additional Tasks tree, click ACL Editor, and then click Access Rules.
  • Cisco ROUTER-SDM-CD | User Guide - Page 200
    and the services that are permitted configured and view how many connection attempts have been denied. The table shows each router log entry generated by the firewall, including the time and the reason that the log entry was generated.
  • Cisco ROUTER-SDM-CD | User Guide - Page 201
    spid1 80568541630101 6854163 isdn incoming-voice modem Other configurations are available in the Software Configuration Guide for your router. After you have configured the unsupported interface using the CLI, you can use Cisco SDM to configure the firewall. The unsupported interface will appear as
  • Cisco ROUTER-SDM-CD | User Guide - Page 202
    of the types of statements that should be included in the configuration to permit VPN traffic: access-list 105 permit ahp host 123 the Service field, select TCP. In the Port field, enter 80 or www. Click Next>. Click Finish.
  • Cisco ROUTER-SDM-CD | User Guide - Page 203
    is working, verify that the interface status is "Up." After you have configured the unsupported interface using the CLI, you can configure NAT. The unsupported interface will appear as "Other" on the router interface list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 204
    IP address. To do this you must configure an ACL. To configure an ACL permitting traffic from your public IP Type field, choose Standard Rule. In the Description field, enter a short description of the new rule, such as "Permit
  • Cisco ROUTER-SDM-CD | User Guide - Page 205
    name or number for this rule. In the Description field, enter a description of the rule, such as "VPN Concentrator Traffic mask of the VPN destination peer. In the Protocol and Service group, select TCP. In the Source port fields, select
  • Cisco ROUTER-SDM-CD | User Guide - Page 206
    Firewall How Do I Associate a Rule with an Interface? If you use the Cisco SDM Firewall wizard, the access and inspection rules that you create are automatically associated with The access rule may have a name, or a number.
  • Cisco ROUTER-SDM-CD | User Guide - Page 207
    rule association). Click OK. How Do I Delete a Rule That Is Associated with an Interface? Cisco SDM does not allow you to delete a rule that is associated with an interface; you must first Java list, do the following:
  • Cisco ROUTER-SDM-CD | User Guide - Page 208
    10.22.55.3 permit host 172.55.66.1 You can provide descriptions for the entries and a description for the rule. You do not need to associate the rule with feature. Step 1 Configure a firewall using the Firewall wizard.
  • Cisco ROUTER-SDM-CD | User Guide - Page 209
    allowed, click Add in the Service area. Create the entries you need in the rule entry dialog. You must click Add for each entry you want to create. The entries you create will appear in the entry list in the Service area.
  • Cisco ROUTER-SDM-CD | User Guide - Page 210
    How Do I... Chapter 8 Create Firewall
  • Cisco ROUTER-SDM-CD | User Guide - Page 211
    easiest way to apply access rules and inspection rules to the inside and outside interfaces you identify, and will allow you to configure a DMZ interface and specify the services that should be allowed onto the DMZ network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 212
    the firewall policy you created. After configuring LAN and WAN interfaces and creating a router is using a Cisco IOS image that does not support the Firewall feature set, only the Services router using the Apply Changes button.
  • Cisco ROUTER-SDM-CD | User Guide - Page 213
    two configured interfaces on the router. If there is only one, Cisco SDM will display a message telling you to configure an additional interface. The following table defines the Cisco SDM traffic displayed in another window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 214
    the router with the chosen From and To interfaces (see Choose a Traffic Flow for more information). It also displays the types of rules applied for the chosen traffic flow, as well as the direction in which they have been applied.
  • Cisco ROUTER-SDM-CD | User Guide - Page 215
    rule is being applied. A firewall icon in the router indicates that a firewall has been applied to the Originating traffic flow. Cisco SDM displays a firewall icon if the following sets of underneath the traffic diagram.
  • Cisco ROUTER-SDM-CD | User Guide - Page 216
    traffic outbound from the router. If you place the mouse over this icon, Cisco SDM will display the names of Rules. To return to the main Firewall Policy window description see Edit Firewall Policy/ACL. Make Changes to
  • Cisco ROUTER-SDM-CD | User Guide - Page 217
    Chapter 9 Firewall Policy Edit Firewall Policy/ACL Service Area Header Fields Firewall Feature Availability Access Rule Inspection Rule If the Cisco IOS image that the router is using supports the Firewall feature, this field contains the value Available. The name or number of the access rule
  • Cisco ROUTER-SDM-CD | User Guide - Page 218
    Firewall will associate a Cisco SDM-default inspection rule to the inbound direction of the From interface, and will associate an access rule to the inbound direction of the To interface that denies traffic. If the Cisco IOS image that the router is using does not support the Firewall feature, this
  • Cisco ROUTER-SDM-CD | User Guide - Page 219
    : SNMP, bootpc, RIP. See UDP Services. Internet Group Management Protocol (IGMP). Examples: echo-reply, host-unreachable. See ICMP Message Types. Log denied traffic. To configure logging for firewalls see Firewall Log.
  • Cisco ROUTER-SDM-CD | User Guide - Page 220
    9 Firewall Policy Field Option Description Description Options configured using the CLI Any description provided. Icons Meaning No icons description see Edit Firewall Policy/ACL. Make Changes to Inspection Rules The Applications area appears if the Cisco IOS image running on the router supports
  • Cisco ROUTER-SDM-CD | User Guide - Page 221
    in the chosen traffic direction. Cisco SDM also displays a warning dialog, router waits before blocking return traffic for this protocol or application. Description-Displays a short description. For example, VDOLive protocol.
  • Cisco ROUTER-SDM-CD | User Guide - Page 222
    Firewall Policy window description see Edit Firewall Policy/ACL. Add App-Name Application Entry Use this window to add an application entry that you want the Cisco IOS firewall to , Audit, Timeout, and Wait time settings.
  • Cisco ROUTER-SDM-CD | User Guide - Page 223
    are configuring in the Edit Firewall Policy/ACL window, and you can specify Alert, Audit, and Timeout settings. A fragment entry sets the maximum number of unreassembled packets that the router should accept before dropping them.
  • Cisco ROUTER-SDM-CD | User Guide - Page 224
    . • on-Enable audit trail. • off-Disable audit trail. Specify how long the router should wait before blocking return traffic for this protocol or application. The field is prefilled. • on-Enable alert. • off-Disable alert.
  • Cisco ROUTER-SDM-CD | User Guide - Page 225
    application. The field is prefilled with the default value. Hosts/network for Java applet download The source hosts or networks whose applet traffic is to be inspected. Multiple hosts and Specify the network or the host.
  • Cisco ROUTER-SDM-CD | User Guide - Page 226
    to an IP address. Cisco SDM Warning: Inspection Rule This window is displayed when Cisco SDM finds two inspection rules have been configured for a direction in a any change-Cisco SDM will not remove either inspection rule.
  • Cisco ROUTER-SDM-CD | User Guide - Page 227
    it will apply. Example: SDM will apply firewall configuration to the following interfaces: Inside (Trusted) Interface: FastEthernet 0/0 * Apply inbound default SDM Inspection rule * Apply inbound Information in this Window
  • Cisco ROUTER-SDM-CD | User Guide - Page 228
    to Configure > Additional Tasks > Zones to configure zones, and to Additional Tasks > Zone Pairs to configure additional zone Service clients-servers-policy (clients to servers) 1 any any tcp Action Rule Options Permit Firewall
  • Cisco ROUTER-SDM-CD | User Guide - Page 229
    zone by clicking the button to the right of the Source Zone field and selecting an existing zone or creating a new zone.
  • Cisco ROUTER-SDM-CD | User Guide - Page 230
    click Rule Diagram to display the Rule Flow Diagram for that policy. The Rule Flow Diagram displays the source zone on the right of the router icon, and the destination zone on the left of the icon.
  • Cisco ROUTER-SDM-CD | User Guide - Page 231
    the screen. Discarding Your Changes To discard changes that you have made but have not sent to the router, click Discard Changes at the bottom of the screen. Add a New Rule Define a traffic flow it and clicking Edit.
  • Cisco ROUTER-SDM-CD | User Guide - Page 232
    the protocols that you chose in the service box. See the following help topics for more information: • Application Inspection • URL Filter • Quality of Service • Inspect Parameter If you chose Drop excluded from the rule.
  • Cisco ROUTER-SDM-CD | User Guide - Page 233
    , and choosing Create or Select from the context menu. Choose Create to configure a new policy map. Choose Select to apply an existing policy map to the traffic. The policy map name appears in the field when you are done.
  • Cisco ROUTER-SDM-CD | User Guide - Page 234
    choose Create. Then, create the policy map in the Configure Deep Packet Inspection dialog. URL Filter Add a URL or created are summarized in this dialog. Quality of Service You can drop traffic that exceeds a specified rate per
  • Cisco ROUTER-SDM-CD | User Guide - Page 235
    3 Go to Configure > Additional Tasks > C3PL > Class Maps. Click the node for the type of class map that you are deleting. Select the name of the class map that was displayed in the View Details window and click Delete.
  • Cisco ROUTER-SDM-CD | User Guide - Page 236
    Step 2 Step 3 Go to Configure > Additional Tasks > ACL Editor. Click the node for the type of ACL that you are deleting. Select the name or number of the ACL that was displayed in the View Details window and click Delete.
  • Cisco ROUTER-SDM-CD | User Guide - Page 237
    existing policy to leverage the settings for a new policy, and remove policies from the router. This chapter contains the following sections: • Application Security Windows • No Application Security need to make changes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 238
    policy, delete the chosen policy, or clone the chosen policy. If no policies are configured on the router, Add is the only action available. • Associate button-Click to display a dialog . You can also add filtering servers.
  • Cisco ROUTER-SDM-CD | User Guide - Page 239
    . Associate If no policy is configured this button is disabled. When a policy is created, you can click this button to associate the policy with an interface. See Associate Policy with an Interface for more information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 240
    , and other values for policy parameters. Cisco SDM provides defaults for each parameter, and you , or choose another setting. Because the Application Security configuration windows do not display the default values you must click
  • Cisco ROUTER-SDM-CD | User Guide - Page 241
    SDM_HIGH profile blocks IM applications. If the router uses the SDM_HIGH profile, and it does not block IM applications, those applications may have connected to a new server that is not specified in the profile. To enable
  • Cisco ROUTER-SDM-CD | User Guide - Page 242
    deny name newserver.yahoo.com Router(cfg-appfw-policy-ymsgr)# exit Router(cfg-appfw-policy)# exit Router(config)# Note • IM applications are able to communicate over nonnative protocol ports, such as HTTP, and through their native TCP and UDP ports. Cisco SDM configures block and permit actions
  • Cisco ROUTER-SDM-CD | User Guide - Page 243
    SDM configures block and permit actions based on the native port for the application, and always blocks communication conducted over HTTP ports. • Application security policies will not block files if they are being provided by a paid service such as altnet.com. Files downloaded from peer-to-peer
  • Cisco ROUTER-SDM-CD | User Guide - Page 244
    Permit, Block, and Alarm controls to specify the action that you want Cisco SDM to take when it encounters this type of traffic. Set maximum URI that the router takes if it encounters a URL that is longer than this value.
  • Cisco ROUTER-SDM-CD | User Guide - Page 245
    enabled, and overrides the global audit trail setting. Header Options You can have the router permit or deny traffic based on HTTP header length and the request method contained in the , click Application Security Windows.
  • Cisco ROUTER-SDM-CD | User Guide - Page 246
    router takes if it encounters traffic using that request method. Configure RFC Request Method checkboxes If you want the router router takes if requests cannot be matched with responses, and when it encounters an unknown content type.
  • Cisco ROUTER-SDM-CD | User Guide - Page 247
    action the router takes if the amount of data falls below the minimum length or when it exceeds the maximum length. Configure Transfer Encoding Checkbox Check this box to have the router verify how has been performed.
  • Cisco ROUTER-SDM-CD | User Guide - Page 248
    alert or to the timeout settings, the value on is displayed in the Audit column, but the Alert and Timeout columns are blank.
  • Cisco ROUTER-SDM-CD | User Guide - Page 249
    enters a nonprotocol command before authentication is complete. Router Traffic Enables inspection of traffic destined to or originated from a router. Applicable only for H.323, TCP, and . The default value is 30 seconds.
  • Cisco ROUTER-SDM-CD | User Guide - Page 250
    of half-open sessions may indicate that a Denial of Service (DoS) attack is under way. DoS attack thresholds allow the router to start deleting half-open sessions after the total number . The default value is 500 sessions.
  • Cisco ROUTER-SDM-CD | User Guide - Page 251
    all types of traffic. Enable alert globally Check if you want to turn on CBAC alert messages for all types of traffic.
  • Cisco ROUTER-SDM-CD | User Guide - Page 252
    rule settings for an application. Settings made here and applied to the router's configuration override the global settings. Click the Global Settings button in the Application when traffic of this type is encountered.
  • Cisco ROUTER-SDM-CD | User Guide - Page 253
    Permit, Block, and Alarm Controls Use the Permit, Block, and Alarm controls to specify what the router is to do when it encounters traffic with the characteristics that you specify. To make a policy not used in all windows.
  • Cisco ROUTER-SDM-CD | User Guide - Page 254
    Applications/Protocols Chapter 10 Application Security Logging must be enabled for Application Security to send alarms to the log. For more information go to this link: Application Security Log.
  • Cisco ROUTER-SDM-CD | User Guide - Page 255
    . VPNs can encrypt traffic sent over these lines and authenticate peers before any traffic is sent. You can let Cisco Router and Security Device Manager (Cisco SDM) guide you through a simple VPN configuration by clicking the VPN icon. When you use the Wizard in the Create Site-to-Site VPN tab
  • Cisco ROUTER-SDM-CD | User Guide - Page 256
    to configure a GRE tunnel if you need to connect networks that use different LAN protocols, or if you need to send routing protocols over the connection to the remote system. Select Create a Secure GRE tunnel (GRE-over-IPSec). Then click Launch the selected task.
  • Cisco ROUTER-SDM-CD | User Guide - Page 257
    of VPN Support? • How Do I Configure a VPN on an Unsupported Interface? • How Do I Configure a VPN After I Have Configured a Firewall? • How Do I Configure NAT Passthrough for a VPN? • How Do I Configure a DMVPN Manually?
  • Cisco ROUTER-SDM-CD | User Guide - Page 258
    /hw/vpndevc/ps2284/products_getting_started_guide_book09186a00800bbe74.html Site-to-Site VPN Wizard You can have Cisco SDM use default settings for most of the configuration values, or you can let Cisco SDM guide you in configuring a VPN.
  • Cisco ROUTER-SDM-CD | User Guide - Page 259
    remote device. Quick setup is best used when both the local router and the remote system are Cisco routers using Cisco SDM. Quick setup will configure 3DES encryption if it is supported by the IOS image. Otherwise, it will configure DES encryption. If you need AES or SEAL encryption, click Step
  • Cisco ROUTER-SDM-CD | User Guide - Page 260
    will terminate the VPN tunnel you are configuring. The remote IPSec peer might be another router, a VPN concentrator, or any other gateway device that supports IPSec. Peer(s) with dynamic IP side of the VPN connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 261
    problems router that will be the source of the traffic on this VPN connection. All traffic coming through this interface whose destination IP address is in the subnet specified in the Destination area will be encrypted.
  • Cisco ROUTER-SDM-CD | User Guide - Page 262
    are only configured on the Easy VPN server. The Easy VPN client sends proposals, and the server responds according to its configured IKE policies. Priority This is the order in which the policy will be offered during negotiation.
  • Cisco ROUTER-SDM-CD | User Guide - Page 263
    for the negotiation. Cisco SDM supports the following algorithms: • SHA_1-Secure Hash Algorithm. A hash algorithm used to authenticate packet data. • MD5-Message Digest 5. A hash algorithm used to authenticate packet data.
  • Cisco ROUTER-SDM-CD | User Guide - Page 264
    used. The following values are supported: • PRE_SHARE-Authentication will be performed Cisco SDM Default policies are read only, and cannot be edited. To accept the policy list: To accept the IKE policy list and continue, click Next.
  • Cisco ROUTER-SDM-CD | User Guide - Page 265
    is not configured for this transform set, this column will be empty. ESP Authentication The type of ESP authentication used. If ESP authentication is not configured for this transform set, this column will be empty.
  • Cisco ROUTER-SDM-CD | User Guide - Page 266
    . Add a transform set to the router's configuration. Do this: Select a transform set, and click Next. Click Add, and create the transform set in the Add Transform Set window. Then click Next to continue VPN configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 267
    editing the transform set, click Next to continue VPN configuration. Cisco SDM Default transform sets are read only and cannot be you want to encrypt, and one destination subnet supported by the peer that you specified in the VPN
  • Cisco ROUTER-SDM-CD | User Guide - Page 268
    spokes. The procedure explains which options to select in the wizard, and what information to enter in spoke configuration windows. You can save this information to a text file that you or another administrator can use.
  • Cisco ROUTER-SDM-CD | User Guide - Page 269
    can be configured on the spoke. • The ESP and Mode information of the transform sets that the hub uses. If similar transform sets have not been configured on the spoke, they can be configured using this information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 270
    end of the tunnel; therefore it must have a public, routable IP address. An error will be generated if you enter an IP address that is not associated with any configured interface. Details Note Cisco SDM in the Rules window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 271
    IP Address of the GRE tunnel Enter the IP address of the tunnel. The IP addresses of both ends of the tunnel must be in the same subnet. The tunnel is given a separate IP address so that not be used in the pre-shared key.
  • Cisco ROUTER-SDM-CD | User Guide - Page 272
    is configured for the primary GRE-over-IPSec tunnel, the keepalive packets that the routing protocol sends are used to verify that the tunnel is still active. If the router stops receiving keepalive packets on the primary tunnel, then traffic is sent through the backup tunnel.
  • Cisco ROUTER-SDM-CD | User Guide - Page 273
    of both ends of the tunnel configure router is being used in a large VPN deployment with a large number of networks in the GRE over IPSec VPN. Select static routing if a small number of networks will participate in the VPN.
  • Cisco ROUTER-SDM-CD | User Guide - Page 274
    Routing Information window. If you need to configure additional static routes, you can do so in the Routing window. Check this box if you want to specify a static route for the tunnel, and select one of the following:
  • Cisco ROUTER-SDM-CD | User Guide - Page 275
    . The following example assumes the network at the other end of the tunnel is 200.1.0.0, as specified in the destination will not be encrypted. When this option is selected, Cisco SDM creates a static route to the network, using the IP
  • Cisco ROUTER-SDM-CD | User Guide - Page 276
    of the network at the other end of the tunnel. Cisco SDM will create a static route entry configuring a GRE over IPSec tunnel. Note RIP is not supported for DMVPN Hub and spoke topology but is available for DMVPN Full Mesh topology.
  • Cisco ROUTER-SDM-CD | User Guide - Page 277
    between. This IPSec rule is displayed in the summary. To save this configuration to the router's running configuration and leave this wizard: Click Finish. Cisco SDM saves the configuration changes to the router's running configuration. The changes will take effect immediately, but will be lost if
  • Cisco ROUTER-SDM-CD | User Guide - Page 278
    other end of the VPN connection. When a connection contains multiple peers, their IP addresses or host names are separated by commas. Multiple peers might be configured to provide alternative routing paths for the VPN connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 279
    to determine which set they will use. Multiple transform sets may be defined to ensure that the router can offer a transform set that the negotiating peer will agree to use. The transform sets is site-to-site VPN tunnel.
  • Cisco ROUTER-SDM-CD | User Guide - Page 280
    contains. The crypto map specifies a sequence number, the peer device at the other end of the connection, the set of transforms that encrypt the traffic, and the IPSec rule that determines which traffic is encrypted.
  • Cisco ROUTER-SDM-CD | User Guide - Page 281
    Configure the crypto map yourself. Click Add New Crypto Map and use the Add Crypto Map window to create the new crypto map. Click OK when you are finished. Then click OK in this window. Have Cisco Router and Security Device Manager (Cisco SDM Check the Use Add Wizard box, and click OK. Cisco SDM
  • Cisco ROUTER-SDM-CD | User Guide - Page 282
    return to the Summary window and click Finish to deliver the cryptomap configuration to the router. Delete Connection Use this window to delete a VPN tunnel, or simply definition with another router interface if you wish.
  • Cisco ROUTER-SDM-CD | User Guide - Page 283
    connection on the peer device. Peer Device Select the IP address or host name of the peer device to see the IPSec policy configured for the tunnel to that device. The policy appears in the box under the peer IP address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 284
    remote router, but the policies and transform sets may be different. If the text file is simply copied into the remote configuration file, configuration errors are likely to result. Cisco SDM for the original address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 285
    Cisco SDM to create multiple VPN tunnels on one interface on your router. Each VPN tunnel will connect the selected interface on your router to a different subnet at the destination router. You can configure . Click Next>.
  • Cisco ROUTER-SDM-CD | User Guide - Page 286
    field, enter the IP address of the destination router interface. You can enter the same IP address that you entered when you created the initial VPN connection. This indicates that this second VPN connection should use the
  • Cisco ROUTER-SDM-CD | User Guide - Page 287
    for the local router you configured. To generate a template configuration for the peer VPN router: Step 1 From the left frame, select VPN. Step 2 Select Site-to-Site VPN in the VPN tree, and then click the Edit tab.
  • Cisco ROUTER-SDM-CD | User Guide - Page 288
    mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration. Use it only as a starting point to build the configuration for you want to edit.
  • Cisco ROUTER-SDM-CD | User Guide - Page 289
    VPN connection is working by using the Monitor mode in Cisco SDM. If your VPN connection is working, Monitor mode will to view information for IPSec tunnels or IKE SAs. Each configured VPN connection will appear as a row on the screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 290
    and that data transfer can take place. How Do I Configure a Backup Peer for My VPN? To configure multiple VPN peers inside a single crypto map: Step 1 VPN Support? To add multiple transform sets to a single crypto map:
  • Cisco ROUTER-SDM-CD | User Guide - Page 291
    have configured the unsupported interface using the CLI, you can use Cisco SDM to configure your VPN connection. The unsupported interface will appear in the fields that require you to choose an interface for the VPN connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 292
    field, enter a short description of the new rule. Click Add. The Add a Standard Rule Entry dialog box appears. In the Action field, choose Permit. In the Source Host/Network group, from the Type field, select A Network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 293
    Mask fields, enter the IP address and subnet mask of the VPN destination peer. In the Description field, enter a short description of the network or host. Click OK. The new rule now appears in the Access Rules table.
  • Cisco ROUTER-SDM-CD | User Guide - Page 294
    How Do I... Chapter 11 Site-to-Site VPN
  • Cisco ROUTER-SDM-CD | User Guide - Page 295
    PIX Firewall or a Cisco IOS router that supports the Cisco Unity Client Protocol. After the Cisco Easy VPN server has been configured, a VPN connection can be created with minimal configuration on an Easy VPN remote, such as a Cisco 800 series router or a Cisco 2800 series router. When the Easy VPN
  • Cisco ROUTER-SDM-CD | User Guide - Page 296
    Wizard to begin configuring the connection. Make configuration settings in the wizard screens. Click Next to go from the current screen to the next screen. Click Back to return to a screen you have previously visited.
  • Cisco ROUTER-SDM-CD | User Guide - Page 297
    Address Configuration • Easy VPN Remote Wizard: Interfaces and Connection Settings • Easy VPN Remote Wizard: Server Information • Easy VPN Remote Wizard: Authentication • Easy VPN Remote Wizard: Summary of Configuration
  • Cisco ROUTER-SDM-CD | User Guide - Page 298
    or later, Cisco SDM displays the recommended task Enable DNS if DNS is not enabled on the router so that a Split DNS configuration, if pushed by the server, will work. Click Launch Easy VPN Remote Wizard to start the wizard.
  • Cisco ROUTER-SDM-CD | User Guide - Page 299
    Configure an Easy VPN Remote Client This wizard guides you through the configuration of an Easy VPN Remote Phase II Client. Note If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase II or later, you will not
  • Cisco ROUTER-SDM-CD | User Guide - Page 300
    address information for a device, choose an entry and click Edit. To remove an entry for an accessible device, choose the entry and click Delete.
  • Cisco ROUTER-SDM-CD | User Guide - Page 301
    to display 24. Warning Messages Cisco SDM displays a warning message when you click Next if it detects any of the following problems: • There are no configuration. Field Reference Table 12-4 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 302
    List In the Interfaces list, choose the outside interface that connects to the Easy VPN server or concentrator. Connection Settings Note Cisco 800 routers do not support the use of interface E 0 as the outside interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 303
    Description With the automatic setting, the VPN tunnel is established automatically when the Easy VPN configuration is delivered to the router configuration file. However, you will not be able to control the tunnel manually appears only if supported by the Cisco IOS image on your router. Easy VPN
  • Cisco ROUTER-SDM-CD | User Guide - Page 304
    Server Information Fields Element Description Easy VPN Servers Easy ends of the connection to have direct access to one another. Consult with the administrator of the Easy VPN server or concentrator before choosing this setting.
  • Cisco ROUTER-SDM-CD | User Guide - Page 305
    . This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell). This mode is known as Network Extension Plus. Note If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase IV or later, you will not
  • Cisco ROUTER-SDM-CD | User Guide - Page 306
    be performed in the web browser. This option appears only if supported by the Cisco IOS image on your router. From router console or SDM User authentication will be performed from the router console, or from Cisco SDM.
  • Cisco ROUTER-SDM-CD | User Guide - Page 307
    the Easy VPN configuration that you have created, and it allows you to save the configuration. A summary similar to the following appears: Easy VPN tunnel name:test1 Easy VPN server: 222.28.54.7 Group: myCompany Key: 1234
  • Cisco ROUTER-SDM-CD | User Guide - Page 308
    the VPN connection you have just configured, the results of the test are shown in another window. Administering Easy VPN Remote Connections Use Cisco SDM to edit Easy VPN Remote section contains the following topics:
  • Cisco ROUTER-SDM-CD | User Guide - Page 309
    Remote connection using the Easy VPN Remote Edit screens. Follow these steps to create a new Easy VPN Remote connection: Step 1 On the Cisco SDM toolbar, click Configure. Step 2 On the Cisco SDM category bar, click VPN.
  • Cisco ROUTER-SDM-CD | User Guide - Page 310
    On the Cisco SDM toolbar, click Configure. On the Cisco SDM category bar, click VPN. In the VPN tree, choose Easy VPN Remote. Click the Edit Easy VPN Remote tab. Select the Easy VPN Remote connection that you want to reset.
  • Cisco ROUTER-SDM-CD | User Guide - Page 311
    Extensions Options window, check Configure Multiple Subnets. Choose Enter the subnets and add the subnets and network masks to the list, or choose Select an ACL. To enter the subnets manually, click the Add button and enter the subnet address and mask. Cisco SDM will generate an ACL automatically
  • Cisco ROUTER-SDM-CD | User Guide - Page 312
    VPN server or concentrator to provide for secure communications with other networks that the server or concentrator supports. The list of connections displays information about the configured Easy VPN Remote connections.
  • Cisco ROUTER-SDM-CD | User Guide - Page 313
    Element Description Add VPN tunnel. Cisco SDM displays a manual tunnel control. • The tunnel is up. • The XAuth response is not set to be requested from a PC browser session. Click Disconnect to terminate the connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 314
    configuration for this connection has been changed, and needs to be delivered to the router. If the connection uses manual tunnel control, use the Connect button to establish the connection. The name given to this Easy VPN connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 315
    configuration using Cisco SDM. Multiple Subnet Support The addresses of subnets which are not directly connected to the router but which are allowed to use the tunnel. An ACL defines the subnets allowed to use the tunnel.
  • Cisco ROUTER-SDM-CD | User Guide - Page 316
    are sent: • They must be entered from Cisco SDM or the router console. • They must be entered from a PC browser when browsing. • The credentials are automatically sent because they have been saved on the router. If identical addressing is configured, the Item Value column displays the word
  • Cisco ROUTER-SDM-CD | User Guide - Page 317
    Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol. Note • If the Easy VPN server or concentrator has been configured Description Enter a name for the Easy VPN remote configuration. Choose Client if you want the PCs and other devices on the router's
  • Cisco ROUTER-SDM-CD | User Guide - Page 318
    at both ends of the connection to have direct access to one another. Tunnel Control Auto Manual Easy VPN Concentrator or Server Group Group Name Choose Auto if you want the VPN tunnel to be established automatically when the Easy VPN configuration is delivered to the router configuration file
  • Cisco ROUTER-SDM-CD | User Guide - Page 319
    Confirm Key Description Enter the IPSec configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network. Note This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase IV.
  • Cisco ROUTER-SDM-CD | User Guide - Page 320
    Cisco IOS router that supports the Cisco Unity Client protocol. Field Reference Table 12-9 describes the fields in this screen. Easy VPN Remote General Settings Fields Description Enter a name for the Easy VPN remote configuration
  • Cisco ROUTER-SDM-CD | User Guide - Page 321
    a server-assigned IP address for your router. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell). This mode is called Network Extension Plus.
  • Cisco ROUTER-SDM-CD | User Guide - Page 322
    be defined on a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol.
  • Cisco ROUTER-SDM-CD | User Guide - Page 323
    with the Manual tunnel control setting. Servers You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first.
  • Cisco ROUTER-SDM-CD | User Guide - Page 324
    Description Add Click Add to specify the name or the IP address of a VPN concentrator or server for the router to configuration. All hosts connected to these interfaces will be part of the VPN. As many as three inside interfaces are supported on Cisco 800 series and Cisco 1700 series routers
  • Cisco ROUTER-SDM-CD | User Guide - Page 325
    Device Authentication Digital Certificate. Description If you choose digital certificate, a digital certificate must be configured on the router to use. Note The Digital Certificates option is available only if supported by the Cisco IOS image on your router. Preshared Key Choose Preshared
  • Cisco ROUTER-SDM-CD | User Guide - Page 326
    the username you have been given by the server administrator. The Current Password field displays asterisks (*) if there is a configured password. This field contains the value if no password has been configured.
  • Cisco ROUTER-SDM-CD | User Guide - Page 327
    Password Description Enter configured. Enter the new IKE key value given to you by your network administrator. Reenter the new key to confirm accuracy. If the values in the New Key and Reenter Key fields are not the same, Cisco SDM prompts you to reenter the key values.
  • Cisco ROUTER-SDM-CD | User Guide - Page 328
    in a web browser window. From this router Save Credentials Note This option appears only if supported by the Cisco IOS image on your router. Choose From this router if you will enter the credentials from the router command line interface or from Cisco SDM. If the server allows passwords to be
  • Cisco ROUTER-SDM-CD | User Guide - Page 329
    Easy VPN configuration you are creating cannot coexist with the existing VPN configuration. You will be asked if you want to remove the existing VPN tunnels from those interfaces and apply the Easy VPN configuration to them.
  • Cisco ROUTER-SDM-CD | User Guide - Page 330
    the Easy VPN configuration is delivered to the router configuration file. You will not be able to control the tunnel manually using the Connect or Disconnect button. These buttons are disabled when this setting is chosen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 331
    Settings Fields Element Manual Interesting Traffic Description Choose Manual if you want to bring up and shut down the VPN tunnel manually. With the manual setting, you If no loopback interfaces are configured, click Add.
  • Cisco ROUTER-SDM-CD | User Guide - Page 332
    Description Clicking Add displays the dialog that enables you to configure a loopback interface. Split tunneling enables the router to and click Delete. Warning Messages Cisco SDM displays a warning message when you click OK if it detects any of the following problems: • There are no devices
  • Cisco ROUTER-SDM-CD | User Guide - Page 333
    Global IP Address Description Enter the local IP router uses Secure Shell (SSH), you must enter the SSH login and password the first time you establish the connection. Use this window to enter SSH or Telnet login information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 334
    Enter the Username Please Enter the Password Description Enter the SSH or Telnet account username that you will use to log in to this router. Enter the password associated with the SSH Edit Easy VPN Remote window appears.
  • Cisco ROUTER-SDM-CD | User Guide - Page 335
    Interface/Connection tab. Choose an ISDN, async, or analog modem interface from the list of configured interfaces. Click the Edit button. Click the Backup tab and configure the backup for an Easy VPN Remote connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 336
    Step 6 When you have finished configuring the backup, click OK.
  • Cisco ROUTER-SDM-CD | User Guide - Page 337
    sections: • Creating an Easy VPN Server Connection • Editing Easy VPN Server Connections Creating an Easy VPN Server Connection Use the Cisco SDM Easy VPN Server wizard to create an Easy VPN Server connection on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 338
    discard it. If you did not make this setting, clicking Finish sends the configuration to the router. Create an Easy VPN Server Reference describes the configuration screens you use to create an Easy VPN server connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 339
    WINS Configuration • Split Tunneling • Client Settings • Choose Browser Proxy Settings • Add or Edit Browser Proxy Settings • User Authentication (XAuth) • Client Update • Add or Edit Client Update Entry • Cisco Tunneling Control Protocol • Summary • Browser Proxy Settings
  • Cisco ROUTER-SDM-CD | User Guide - Page 340
    that is already configured with a site-to-site IPSec policy, Cisco SDM displays a message that an IPSec policy already exists on the interface. Cisco SDM uses the existing IPSec policy to configure the Easy VPN Server.
  • Cisco ROUTER-SDM-CD | User Guide - Page 341
    SDM displays a message to choose another interface. Field Reference Table 13-2 describes the fields in this screen. Table 13-2 Interface and Authentication Fields Element Details Authentication Description when you configure the Add
  • Cisco ROUTER-SDM-CD | User Guide - Page 342
    and Policy Lookup Fields Element Local Only RADIUS Only Description This option allows you to create a method the list router to use for group authentication. User Authentication (XAuth) You can configure user authentication
  • Cisco ROUTER-SDM-CD | User Guide - Page 343
    Table 13-4 User Authentication Fields Element Description Local Click Local to add user authentication list List from a list of all method lists configured on the router. The chosen method list is used for extended
  • Cisco ROUTER-SDM-CD | User Guide - Page 344
    13-6 Add a RADIUS Server Fields Element Add Edit Ping Description Add a new RADIUS server. Edit an already existing RADIUS server configuration. Ping an already existing RADIUS server or newly configured RADIUS server.
  • Cisco ROUTER-SDM-CD | User Guide - Page 345
    DNS WINS Domain Name Split ACL Configure Idle Timer Idle Timer Description Check the box in this column pushed" to the users connecting to this group. Windows Internet Naming Service (WINS) address of the group. This WINS address is "
  • Cisco ROUTER-SDM-CD | User Guide - Page 346
    allocated to clients in this group. Maximum Connections Allowed Specify the maximum number of client connections to the Easy VPN Server from this group. Cisco SDM supports a maximum of 5000 connections per group.
  • Cisco ROUTER-SDM-CD | User Guide - Page 347
    DNS and WINS Configuration This window allows you to specify the Domain Name Service (DNS) and Windows Internet Naming Service (WINS) information. Field Reference Table 13-9 describes the fields in this screen. Table 13-9 DNS and WINS Fields Element DNS WINS Domain Name Description Enter the
  • Cisco ROUTER-SDM-CD | User Guide - Page 348
    Split DNS Description This box configure additional attributes for security policy such as adding or removing a backup server, Firewall Are-U-There, and Include-Local-LAN. Note Some of the features described below appear only if supported by your Cisco server's IOS release.
  • Cisco ROUTER-SDM-CD | User Guide - Page 349
    /sdm.exe • ftp://username:[email protected]/go/vpn/sdm.exe • tftp://username:[email protected]/go/vpn/sdm.exe • scp://username:[email protected]/go/vpn/sdm.exe • rcp://username:[email protected]/go/vpn/sdm.exe
  • Cisco ROUTER-SDM-CD | User Guide - Page 350
    :sdm.exe • tar:sdm.exe • system:sdm.exe In these examples, username is the site username and password is the site password. Enter the version number of the file in the Version field. The version number must be in the range 1 to 32767.
  • Cisco ROUTER-SDM-CD | User Guide - Page 351
    Include Local LAN Perfect Forward Secrecy (PFS) Description You can specify browser proxy settings for Easy software clients belonging to the group policy you are configuring can request the browser proxy settings you enter in this
  • Cisco ROUTER-SDM-CD | User Guide - Page 352
    Settings Description If Manual Proxy Configuration You want to manually configure a proxy server for clients in this group. If you choose this option, complete the procedure for manually configuring a proxy server in this help topic.
  • Cisco ROUTER-SDM-CD | User Guide - Page 353
    only if supported by your Cisco server's IOS release. Maximum Logins Allowed Per User Specify the maximum number of connections a user can establish at a time. Cisco SDM supports a maximum of ten logins per user.
  • Cisco ROUTER-SDM-CD | User Guide - Page 354
    which revisions are available. Displays the location of the revisions. Click to configure a new client update entry. Click to edit the specified client update entry. Click to delete the specified client update entry.
  • Cisco ROUTER-SDM-CD | User Guide - Page 355
    username:[email protected]/go/vpn/vpnclient-4.6.exe • scp://username:[email protected]/go/vpn/vpnclient-4.6.exe • rcp://username:[email protected]/go/vpn/vpnclient-4.6.exe • cns: • xmodem: • ymodem: • null:
  • Cisco ROUTER-SDM-CD | User Guide - Page 356
    16 Element Revisions Add a RADIUS Server Fields (continued) Description • flash:vpnclient-4.6.exe • nvram:vpnclient-4.6.exe • usbtoken problem by encapsulating ESP and IKE traffic in the TCP header so that firewalls do not see it.
  • Cisco ROUTER-SDM-CD | User Guide - Page 357
    This window lists browser proxy settings, showing how they are configured. You can add, edit, or delete browser proxy settings. Use the group policies configuration to associate browser proxy settings with client groups.
  • Cisco ROUTER-SDM-CD | User Guide - Page 358
    proxy server. Configure new browser proxy settings. Edit the specified browser proxy settings. Delete the specified browser proxy settings. Browser proxy settings associated with one or more group policies cannot be deleted before those associations are removed.
  • Cisco ROUTER-SDM-CD | User Guide - Page 359
    in this section describe the Edit Easy VPN Server screens: • Edit Easy VPN Server • Add or Edit Easy VPN Server Connection • Restrict Access • Group Policies Configuration • IP Pools • Add or Edit IP Local Pool
  • Cisco ROUTER-SDM-CD | User Guide - Page 360
    the following: • Initiate The router is configured to initiate connections with Easy VPN Remote clients. • Respond The router is configured to wait for requests from Easy VPN Remote clients before establishing connections.
  • Cisco ROUTER-SDM-CD | User Guide - Page 361
    Restrict Access Button Description Click to test configured by clicking Additional Tasks on the Cisco SDM taskbar, and then clicking the AAA node. Check this checkbox if you want to require users to authenticate themselves.
  • Cisco ROUTER-SDM-CD | User Guide - Page 362
    User Authentication Mode Configuration Description Choose the method list to use for user authentication from this list. Method lists are configured by clicking Additional tasks on the Cisco SDM taskbar, and then clicking the AAA node. Check Initiate if you want the router to initiate connections
  • Cisco ROUTER-SDM-CD | User Guide - Page 363
    Configuration Fields Element Common Pool Add Edit Clone Delete Send Update Group Name Pool DNS WINS Domain Name ACL Details Window Description chosen group policy. Feature settings are displayed only if they are supported by your Cisco router's IOS release, and apply only to the chosen group.
  • Cisco ROUTER-SDM-CD | User Guide - Page 364
    Maximum Logins-The maximum number of connections a user can establish simultaneously. Cisco SDM supports a maximum of 10 simultaneous logins per user. • XAuth Banner-The text message shown to clients during XAuth requests.
  • Cisco ROUTER-SDM-CD | User Guide - Page 365
    column is not displayed in all Cisco SDM areas. Note You cannot configure local pools with the group option using Cisco SDM. Add or Edit IP Local Pool This window lets you create or edit a local pool of IP addresses.
  • Cisco ROUTER-SDM-CD | User Guide - Page 366
    fields in this screen. Table 13-26 Add IP Address Range Fields Element Start IP Address End IP Address Description Enter the lowest IP address in the range. For example, if you are defining a .254, enter 10.10.10.254.
  • Cisco ROUTER-SDM-CD | User Guide - Page 367
    Chapter 14 Enhanced Easy VPN The following sections describe the Cisco Router and Security Device Manager configuration screens for Enhanced Easy VPN. Interface and Authentication Specify the router interface to which the virtual template interface is to be unnumbered, and specify the
  • Cisco ROUTER-SDM-CD | User Guide - Page 368
    -1 RADIUS Servers Fields Element RADIUS Client Source Description Configuring the RADIUS source allows you to specify the router must be configured as the NAD IP address in the Cisco Access Control Server (ACS) version 3.3 or later.
  • Cisco ROUTER-SDM-CD | User Guide - Page 369
    VPN Table 14-1 Element RADIUS Servers Fields Description RADIUS Server List Server IP Parameters Select Add Edit Ping Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and you choose a different
  • Cisco ROUTER-SDM-CD | User Guide - Page 370
    group attributes are downloaded. If group policies have already been configured, they appear in the list in this window, and you can select them for this connection by checking the Select box to the left of the group name.
  • Cisco ROUTER-SDM-CD | User Guide - Page 371
    -IPV4 option enables the creation of an IP version 4 IPSec tunnel. Description You can enter a description that administrators in your network will find useful when changing configurations or troubleshooting the network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 372
    Groups to add the name of a group that is configured on the router. In the displayed dialog, check the box next to SDM informs you that all groups have been selected. • Delete-Choose a group and click Delete to remove it from the list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 373
    logins. • Policyname-If policies have been configured on the router, they are displayed in this list and you can select a policy to use. Click Add to create a policy in the displayed dialog and use it in this IKE policy.
  • Cisco ROUTER-SDM-CD | User Guide - Page 374
    Easy VPN server to download user-specific attributes from the RADIUS server and push them to the client during mode configuration. The Easy VPN server obtains the username from the client's digital certificate. This option is displayed under the following conditions: • The router runs a Cisco IOS 12
  • Cisco ROUTER-SDM-CD | User Guide - Page 375
    want to include in the profile. The left-hand column contains the transform sets configured on the router. To add a configured transform set to the profile, select it and click the >> button. If there encrypt the PFS request.
  • Cisco ROUTER-SDM-CD | User Guide - Page 376
    No IP address. Tunnel Mode Cisco SDM currently supports the IPSec-IPv4 tunnel mode and it is selected. Select Zone This field appears when the router runs a Cisco IOS image that supports Zone-Policy Based Firewall (ZPF), and a zone has been configured on the router. If you want this virtual
  • Cisco ROUTER-SDM-CD | User Guide - Page 377
    SDM supports the configuration of a DMVPN starting from IOS version 12.2(13)T. Cisco SDM supports the configuration of a single DMVPN on a router. In this screen, identify your router as a hub or as a spoke in the DMVPN network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 378
    hub configuration that you need. This information is listed in Dynamic Multipoint VPN (DMVPN) Spoke Wizard. Create a hub (server or head-end) in Dynamic Multipoint VPN Select if your router is for OSPF) that should be used.
  • Cisco ROUTER-SDM-CD | User Guide - Page 379
    Multipoint VPN Cisco SDM's Configure Spoke feature enables you to create a text file that contains the information that spoke administrators need about the hub's configuration. This feature a maximum of 128 characters.
  • Cisco ROUTER-SDM-CD | User Guide - Page 380
    Key field do not match, Cisco SDM prompts you to reenter them. Hub GRE Tunnel Interface Configuration Multipoint Generic Routing Encapsulation (mGRE) is used in a DMVPN network to allow a single GRE interface on a hub to support an IPSec tunnel to each spoke router. This greatly simplifies DMVPN
  • Cisco ROUTER-SDM-CD | User Guide - Page 381
    must be configured with the same authentication string. Cisco SDM Default: DMVPN_NW Cisco SDM Default: 100000 NHRP Hold Time Enter the number of seconds that NHRP network IDs should be advertised as valid. Cisco SDM Default: 360
  • Cisco ROUTER-SDM-CD | User Guide - Page 382
    a delay value for an interface, in tens of microseconds. Cisco SDM Default: 1000 Primary Hub If the router you are configuring is the backup hub in the DMVPN network, you need this information from the hub administrator.
  • Cisco ROUTER-SDM-CD | User Guide - Page 383
    OSPF parameters, see Add or Edit an OSPF Route. Please select the version of RIP to enable Specify RIP version 1 or version 2.
  • Cisco ROUTER-SDM-CD | User Guide - Page 384
    the numbers 172.55, not just the network 172.55.10.3. Area-Shown when OSPF is selected, the OSPF area number for that network. Each router in a particular OSPF area maintains a topological database for that area.
  • Cisco ROUTER-SDM-CD | User Guide - Page 385
    , you should ping the hub to be sure that your router can send traffic to it. Also you should have all the information about the hub you need before you begin. A hub administrator who uses Cisco SDM to configure the hub can generate a text file that contains the hub information spoke administrators
  • Cisco ROUTER-SDM-CD | User Guide - Page 386
    to be always up. You can examine supported interfaces in Interfaces and Connections to determine if a dialup connection, such as an ISDN or Async connection has been configured for the physical interface you selected.
  • Cisco ROUTER-SDM-CD | User Guide - Page 387
    the DMVPN tunnel source has a configuration that prevents its use for DMVPN. Cisco SDM informs you of the conflict and gives you the option of allowing Cisco SDM to modify the configuration so that the conflict is removed.
  • Cisco ROUTER-SDM-CD | User Guide - Page 388
    CLI. Cisco SDM supports the configuration of a single DMVPN on a router. The hub should be configured first configured with. For other recommendations on how to configure the routers in a DMVPN, see DMVPN Configuration Recommendations.
  • Cisco ROUTER-SDM-CD | User Guide - Page 389
    on the tunnel. Cisco SDM supports the use of only IPSec profiles to define encryption in a DMVPN. If you want to use crypto-maps, configure the DMVPN using configuration. Edit Click to edit a selected DMVPN tunnel configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 390
    an IP address or hostname if this is a hub-and-spoke network IPSec Profile Select a configured IPSec profile for this tunnel. The IPSec profile defines the transform sets that are used to encrypt traffic on this tunnel.
  • Cisco ROUTER-SDM-CD | User Guide - Page 391
    send traffic and receive next hop information to directly connect to all other spokes in the DMVPN. NHRP Panel Use this panel to provide NHRP configuration parameters.
  • Cisco ROUTER-SDM-CD | User Guide - Page 392
    , it will be added to this list. Click Edit to modify a selected map. Click Delete to remove a selected map configuration. NHRP Map Configuration Use this window to create or edit a mapping between IP and NBMA addresses.
  • Cisco ROUTER-SDM-CD | User Guide - Page 393
    and spoke routers in this DMVPN use to perform routing. Note that all the routers in the DMVPN must be configured for the routing protocol that you select. • RIP-Routing Information Protocol • OSPF-Open Shortest Path First
  • Cisco ROUTER-SDM-CD | User Guide - Page 394
    value identifies the OSPF process to other routers. See Recommendations for Configuring Routing Protocols for DMVPN. OSPF Network Type router to advertise the routes that it has learned from the tunnel interface out the same interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 395
    enter a short description if you want to. Click OK. To configure a DMVPN connection: Step 1 In the VPN tree, click the Dynamic Multipoint VPN branch. Step 2 Click Edit Dynamic Multipoint VPN (DMVPN). Step 3 Click Add.
  • Cisco ROUTER-SDM-CD | User Guide - Page 396
    How Do I Configure a DMVPN Manually? Step 4 In the DMVPN Tunnel Configuration window, complete the specified in DMVPN configuration, and click Edit. Add the network numbers that you want to advertise.
  • Cisco ROUTER-SDM-CD | User Guide - Page 397
    Description Click the Edit button to add or change VPN global settings. The value is True if IKE is enabled; it is False if IKE is disabled. Enable Aggressive Mode Note If IKE is disabled, VPN configurations attributes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 398
    Description The number of seconds the router is to wait for a system to respond to the XAuth challenge. Either the host name of the router or the IP address that the router . The default is 3600 seconds (1 hour).
  • Cisco ROUTER-SDM-CD | User Guide - Page 399
    Description IPSec Security Association (SA) The number of kilobytes that the router disabled, VPN configurations will not router) This field specifies the way the router will identify itself. Select either IP address or host name.
  • Cisco ROUTER-SDM-CD | User Guide - Page 400
    traffic to send, it never sends a DPD message. If set to Periodic, the router sends DPD messages at the interval specified by the IKE Keepalive value. VPN Global Settings: IPSec Edit global IPSec settings in this window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 401
    Server Make global settings for Easy VPN server connections in this screen. Field Reference Table 16-2 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 402
    Common Pool Enable Syslog messages Description You can configure a common IP address pool Settings window appears if the Cisco IOS image on your router supports Type 6 encryption, also referred router's configuration file.
  • Cisco ROUTER-SDM-CD | User Guide - Page 403
    keys. Current Master Key This field contains asterisks (*) when a master key has been configured. New Master Key Enter a new master key in this field. Master keys must not match, Cisco SDM prompts you to reenter the key.
  • Cisco ROUTER-SDM-CD | User Guide - Page 405
    to the IPSec policy, it is read-only, and it cannot be edited. An IPSec policy may be read-only if it contains commands that Cisco SDM does not support.
  • Cisco ROUTER-SDM-CD | User Guide - Page 406
    specified by this crypto map entry. Cisco SDM does not support the creation of manual crypto maps. Cisco SDM treats as read-only any manual crypto maps that have been created using the transform sets used in the crypto map.
  • Cisco ROUTER-SDM-CD | User Guide - Page 407
    always Dynamic. What Do You Want to Do? If you want to: Add an IPSec policy to the configuration. Edit an existing IPSec policy. Remove a crypto map entry from a policy. Remove an IPSec policy. Do be meaningful to you.
  • Cisco ROUTER-SDM-CD | User Guide - Page 408
    SDM to guide you through the process, check Use Add Wizard, and then click Add. Icon If a crypto map is read-only, the read-only icon appears in this column. A crypto map may be read-only if it contains commands that Cisco SDM does not support. Dynamic Crypto Maps Sets in this IPSec Policy This
  • Cisco ROUTER-SDM-CD | User Guide - Page 409
    specify both a timed and a traffic-volume lifetime. If both are specified, the lifetime will expire when the first criterion has been satisfied.
  • Cisco ROUTER-SDM-CD | User Guide - Page 410
    previously generated keys, there is a security problem, because if one key is compromised, then -Hellman group1, group2, or group5 method. Note If your router does not support group5, it will not appear in the list. Enable Reverse
  • Cisco ROUTER-SDM-CD | User Guide - Page 411
    are in the Select Transform Set drop-down list. If no transform sets have been configured on the router, only the default transform sets provided with Cisco SDM are shown. Note • Not all routers support all transform sets (encryption types). Unsupported transform sets will not appear in the window
  • Cisco ROUTER-SDM-CD | User Guide - Page 412
    (Manual Configuration of router can offer a transform set that the peer will agree to use. Leave the crypto map wizard, uncheck Use Add Wizard, and click Add Crypto Map. The Transform Set tab allows you to add and order transform sets.
  • Cisco ROUTER-SDM-CD | User Guide - Page 413
    Policies What Do You Want to Do? (Manual Configuration of Crypto Map Only) If you want the LAN) whose traffic you want to encrypt, and one destination subnet supported by the peer that you specified in the Peers window. All traffic
  • Cisco ROUTER-SDM-CD | User Guide - Page 414
    , the rule must specify the same source and destination data as the tunnel configuration. To add or change the IPSec rule for the crypto map, click the rule, Cisco SDM will display a warning message when you click OK.
  • Cisco ROUTER-SDM-CD | User Guide - Page 415
    configured on the router. Add/Edit/Delete Buttons Use these buttons to manage the crypto maps in the window. If you try to delete a crypto map set associated with an IPSec policy, Cisco SDM crypto maps in this list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 416
    Profiles This window lists configured IPSec profiles on the router. IPSec profiles consist of one or more configured transform sets; the profiles Description A description of the IPSec profile. Add Click to add a new IPSec profile.
  • Cisco ROUTER-SDM-CD | User Guide - Page 417
    different IPSec profile. Details of IPSec Profile This area displays the configuration of the selected IPSec profile. For a description of the information displayed in this area see Add or Edit , this field is read only.
  • Cisco ROUTER-SDM-CD | User Guide - Page 418
    Profile and Add Dynamic Crypto Map Use this window to add or to edit an IPSec profile, or to add a dynamic crypto map.
  • Cisco ROUTER-SDM-CD | User Guide - Page 419
    in this profile. You can select multiple transform sets so that the router you are configuring and the router at the other end of the tunnel can negotiate which transform set to use. Transform Set to the transform set.
  • Cisco ROUTER-SDM-CD | User Guide - Page 420
    contain a value when the transform set is configured to provide data integrity but not encryption. The column will contain one of the following values: • AH-MD5-HMAC-Message Digest 5. • AH-SHA-HMAC-Secure Hash Algorithm.
  • Cisco ROUTER-SDM-CD | User Guide - Page 421
    an existing transform set. Note Cisco SDM Default transform sets are read-only and cannot be edited. Select the transform set, and click Delete. Note Cisco SDM Default transform sets are read-only and cannot be deleted.
  • Cisco ROUTER-SDM-CD | User Guide - Page 422
    , and descriptions of the transforms, click Allowable Transform Combinations. Note • Not all routers support all transform sets (encryption types). Unsupported transform sets will not appear in the screen. • Not all IOS images support all the transform sets that Cisco SDM supports. Transform
  • Cisco ROUTER-SDM-CD | User Guide - Page 423
    Cisco SDM recognizes the following ESP encryption types: • ESP_DES. Encapsulating Security Payload (ESP), Data Encryption Standard (DES). DES supports depend on the router. Depending on the type of router you are configuring, one or more
  • Cisco ROUTER-SDM-CD | User Guide - Page 424
    IP address and type-of-service information. Packets that match the criteria specified in the rule are encrypted. Packets that do not match the criteria are sent unencrypted. Name/Num The name or number of this rule.
  • Cisco ROUTER-SDM-CD | User Guide - Page 425
    IPSec Rules Used By Type Description Action Source Destination Service Which crypto maps this rule is used in. IPSec rules must specify both match. The type of traffic that the packet must contain.
  • Cisco ROUTER-SDM-CD | User Guide - Page 426
    . Select the rule in the rule list, and click Edit. Then, delete the entry in the rule window displayed. Apply the rule in the interface configuration window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 427
    establishes session keys (and associated cryptographic and networking configuration) between two hosts across the network. Cisco SDM lets you create IKE policies that will protect IKE and make other global settings for IKE.
  • Cisco ROUTER-SDM-CD | User Guide - Page 428
    Internet Key Exchange If you want to: Do this: Create an IKE policy. Cisco SDM provides a default IKE policy, but there is no guarantee that the peer has the same policy. You should configure other IKE policies so that the router is able to offer an IKE policy that the peer can accept. Click
  • Cisco ROUTER-SDM-CD | User Guide - Page 429
    policy to the router's configuration. Click Add, and configure a new IKE policy in the Add IKE policy window. Cisco SDM provides a default router's configuration. Choose the IKE policy that you want to remove, and click Remove.
  • Cisco ROUTER-SDM-CD | User Guide - Page 430
    relative to the other configured IKE policies. Assign the lowest numbers to the IKE policies that you prefer that the router use. The router will offer those policies first during negotiations. The type of encryption that should be used to communicate this IKE policy. Cisco SDM supports a variety of
  • Cisco ROUTER-SDM-CD | User Guide - Page 431
    D-H Group 5. This group provides more security than group 2, but requires more processing time. Note • If your router does not support group5, it will not appear in the list. • Easy VPN servers do not support D-H Group 1.
  • Cisco ROUTER-SDM-CD | User Guide - Page 432
    pre-shared key is not readable in Cisco SDM windows. If you need to examine the pre-shared key, go to View->Running Config. This will display the running configuration. The key is contained in the crypto isakmp key command.
  • Cisco ROUTER-SDM-CD | User Guide - Page 433
    is an alphanumeric string that will be exchanged with the remote peer. The same key must be configured on the remote peer. You should make this key difficult to guess. Question marks (?) and spaces name to an IP address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 434
    an IKE profile from this window, the profile is displayed in the list. When you use the Easy VPN server wizard to create a configuration, IKE profiles are created automatically, named by SDM, and displayed in this list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 435
    router to identify the incoming and outgoing connections to which the IKE connection parameters are to apply. Match criteria can currently be applied to VPN groups. Group is automatically chosen in the Match Identity Type field.
  • Cisco ROUTER-SDM-CD | User Guide - Page 436
    mode configuration requests. • Initiate-Choose Initiate if the Easy VPN server is to initiate mode configuration requests. • Both-Choose Both if the Easy VPN server is to both initiate and respond to mode configuration requests.
  • Cisco ROUTER-SDM-CD | User Guide - Page 437
    User Authentication Policy Dead Peer Discovery Description Specify an authorization policy that controls to allow XAuth logins. • Policyname-If policies have been configured on the router, they are displayed in this list and you can
  • Cisco ROUTER-SDM-CD | User Guide - Page 438
    . • You choose digital certificate authentication in the IKE policy configuration. • You choose RADIUS or RADIUS and Local group authorization. You can add a description of the IKE profile that you are adding or editing.
  • Cisco ROUTER-SDM-CD | User Guide - Page 439
    that part of Cisco SDM and complete the configuration. If Cisco SDM does not discover missing configurations, this box does not appear. Possible prerequisite tasks are described in Prerequisite Tasks for PKI Configurations.
  • Cisco ROUTER-SDM-CD | User Guide - Page 440
    Gather information from you to configure a trustpoint and deliver it to the router. • Initiate an enrollment with router. Note Cisco SDM supports only base-64-encoded PKCS#10-type cut and paste enrollment. Cisco SDM does not support
  • Cisco ROUTER-SDM-CD | User Guide - Page 441
    exists under the trustpoint, Cisco SDM will not modify it. If you need to change the revocation method, go to Router Certificates window, select the trustpoint you configured, and click the Check . If you want to use a
  • Cisco ROUTER-SDM-CD | User Guide - Page 442
    the enrollment request. For security purposes, the challenge password is encrypted in the router configuration file, so you should record the password and save it in a location party to whom the router sends the certificate.
  • Cisco ROUTER-SDM-CD | User Guide - Page 443
    domain name be included in the certificate. Check this box if you want Cisco SDM to include the router's fully qualified domain name in the certificate request. Note If the Cisco IOS image running on the router does not support this feature, this box is disabled. FQDN If you enabled this field
  • Cisco ROUTER-SDM-CD | User Guide - Page 444
    the router or the organization is located. Email (e) Enter the email address to be included in the router certificate. Note If the Cisco IOS image running on the router does not support this attribute, this field is disabled.
  • Cisco ROUTER-SDM-CD | User Guide - Page 445
    documents, check this box. Cisco SDM will generate usage keys for encryption and signature. Use existing RSA key pair Click this button if you want to use an existing key pair, and select the key from the drop-down list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 446
    configure a trustpoint on the router and begin the enrollment process. If you enabled Preview commands before delivering to router commands are delivered to the router, Cisco SDM generates an enrollment request and router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 447
    you of the status of the enrollment process. If errors are encountered during the process, Cisco SDM displays the information it has about the error. When status has been reported, click Finish and save it to your PC.
  • Cisco ROUTER-SDM-CD | User Guide - Page 448
    have submitted the enrollment request to the CA server manually, and received the CA server certificate and the certificate for your router, you must start the Cut and Paste wizard a name for the file, and click Save.
  • Cisco ROUTER-SDM-CD | User Guide - Page 449
    your router saved on your PC. After you import the router certificate, Cisco SDM will report on the status of the enrollment process. Note You must import the CA server's certificate before you import the router's certificate.
  • Cisco ROUTER-SDM-CD | User Guide - Page 450
    have more than one router certificate to import. Remove certificate Click the tab for the certificate you need to remove and click Remove certificate. Browse Browse to locate the certificate and import it to the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 451
    certificate has been revoked. Cisco SDM displays a dialog in which you select the method to use to check for revocation. See Revocation Check and Revocation Check, CRL Only for more information. Name Trustpoint name.
  • Cisco ROUTER-SDM-CD | User Guide - Page 452
    purpose certificate that the router us authenticate itself to remote peers. • Signature-CA certificates are signature certificates. The serial number of the certificate The name of the CA that issued the certificate.
  • Cisco ROUTER-SDM-CD | User Guide - Page 453
    has been revoked in this window. Revocation Check Configure how the router is to check for revocations, and order them by preference. The router can use multiple methods. Use/Method/Move Up a certificate revocation list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 454
    . Enter the URL only if the certificate supports X.500 DN. OCSP URL Enabled when OCSP if it has already been downloaded to the cache as a result of manual loading. CRL Query URL Cisco IOS. To use the RSA system, a network host
  • Cisco ROUTER-SDM-CD | User Guide - Page 455
    using the private key. RSA keys configured on your router Name Usage Exportable The key name. Key names are automatically assigned by Cisco SDM. The "HTTPS_SS_CERT_KEYPAIR" and "HTTPS_SS_CERT_KEYPAIR. key in this field.
  • Cisco ROUTER-SDM-CD | User Guide - Page 456
    An exportable key pair can be sent to a remote router if it is necessary for that router to take over the functions of the local router. Save to USB Token Check the Save keys to must provide the USB token name and PIN.
  • Cisco ROUTER-SDM-CD | User Guide - Page 457
    in to the chosen USB token in PIN. USB Tokens This window allows you to configure USB token logins. This window also displays a list of configured USB token logins. When a USB token is connected to your Cisco router, Cisco SDM uses the matching login to log in to the token. Add Click Add to add
  • Cisco ROUTER-SDM-CD | User Guide - Page 458
    router. If Removal Timeout is empty, the default timeout is used. The default timeout is triggered when a new attempt to access the IKE credentials is made. Secondary Config File Displays the configuration file that Cisco SDM
  • Cisco ROUTER-SDM-CD | User Guide - Page 459
    . The file can be a partial or complete configuration file. The file extension must be .cfg. If Cisco SDM can log in to the USB token, it will merge the specified configuration file with the router's running configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 460
    server to the router. Note the following for SCEP traffic: • Cisco SDM will not modify firewall for CRL/OCSP servers if these are not explicitly configured on the router. To permit communication Firewall Policy/ACL window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 461
    access control entry (ACE) that Cisco SDM would add to a firewall to enable various types of traffic to reach the router. This entry is not added unless you check Modify in the Open Firewall window and complete the wizard.
  • Cisco ROUTER-SDM-CD | User Guide - Page 463
    there are configuration tasks that should be performed before you begin configuring the CA server, it alerts you to them in this box. A link is provided next to the alert text so that you can go to that part of Cisco SDM
  • Cisco ROUTER-SDM-CD | User Guide - Page 464
    . • NTP not configured-The router must have accurate time for certificate enrollment to work. Identifying a Network Time Protocol server from which your router can obtain accurate time provides a time source that is not
  • Cisco ROUTER-SDM-CD | User Guide - Page 465
    the lifetimes of the certificates granted, and open enrollment requests. • Supporting information-Links to the RA server that will store the certificates and about the CA server that you are configuring in this window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 466
    could be the host name of the router, or another name that you enter. Choose Manual if you want to grant certificates manually. Choose Auto if you want the server server name, the router hostname or another name you choose.
  • Cisco ROUTER-SDM-CD | User Guide - Page 467
    use for this certificate. For example, IT support, or Engineering might be organizational units. Organization that is to contain the certificate information. Database Configure the database level, the database URL, and database
  • Cisco ROUTER-SDM-CD | User Guide - Page 468
    the CA server. Lifetime is entered in hours, in the range 1-336. If no value is entered, a CRL expires after 168 hours (one week).
  • Cisco ROUTER-SDM-CD | User Guide - Page 469
    key pairs for encrypting and signing documents, choose Usage Keys. Cisco SDM will generate usage keys for encryption and signature. Key is exportable Check Key is exportable if you want the CA server key to be exportable.
  • Cisco ROUTER-SDM-CD | User Guide - Page 470
    to allow SDM to modify Support Organization (o):Acme Enterprises State (st):CA Country (c):US Advanced CA Server Configuration Database URL:nvram: Database Archive:pem Database Username:bjones Database Password:********* RSA Keys
  • Cisco ROUTER-SDM-CD | User Guide - Page 471
    -a. Certificates will be manually granted. Certificate information will be stored in nvram, in PEM format. SDM will generate a general-purpose key pair with the default modulus 1024. The key will not be exportable. an ACE will be configured to allow traffic between the router and the CDP host
  • Cisco ROUTER-SDM-CD | User Guide - Page 472
    dialog. Uninstall Server Click to uninstall the CA server from your Cisco IOS router. All of the CA server configuration and data will be removed. If you backed up the CA 365 days minimal nvram: 168 hours manual
  • Cisco ROUTER-SDM-CD | User Guide - Page 473
: Certificate Authority Information and Advanced Options for descriptions of these items. Backup CA Server You a CA server, you can restore the server configuration to the router by clicking the Restore CA Server button. You must
  • Cisco ROUTER-SDM-CD | User Guide - Page 474
Tab Edit general CA server configuration settings in this window. You cannot change the name of the CA server. For information on the settings that you can change, see CA Server Wizard: Certificate Authority Information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 475
CA Server but no CA server is configured. Click Create CA Server and complete the wizard to configure a CA server on your router. Manage Certificates Clicking VPN > Public Key are selected rejects all the requests.
  • Cisco ROUTER-SDM-CD | User Guide - Page 476
for. The client administrator can determine the certificate ID by entering the Cisco IOS command sh crypto pki cert. Delete Click Delete to remove the .snrsprp.com Subject Name B398385E6BB6604E9E98B8FDBBB5E8B A
  • Cisco ROUTER-SDM-CD | User Guide - Page 477
Certificate Click Revoke Certificate to display a dialog that allows you to enter the ID of the certificate that you want to revoke.
  • Cisco ROUTER-SDM-CD | User Guide - Page 478
the client for which the certificate was granted. See Pending Requests for information on how the client administrator can determine the certificate ID.
  • Cisco ROUTER-SDM-CD | User Guide - Page 479
downloaded SSL VPN client software for Cisco IOS SSL VPN. With the Full Tunnel Client for Cisco IOS SSL VPN, we deliver a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that allows network layer connectivity access to virtually any application.
  • Cisco ROUTER-SDM-CD | User Guide - Page 480
go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to. On the Cisco SDM toolbar, click Configure.
  • Cisco ROUTER-SDM-CD | User Guide - Page 481
return to a screen you have previously visited. Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Gateways • User Authentication
  • Cisco ROUTER-SDM-CD | User Guide - Page 482
must be configured on the router before you can begin a Cisco IOS SSL VPN configuration. If either or both of these configurations are missing, a notification appears in this area of the window, and a link is provided
  • Cisco ROUTER-SDM-CD | User Guide - Page 483
sales. Configure advanced features for an existing SSL VPN Select this option to configure additional features for an existing Cisco IOS SSL VPN policy. You must specify the context under which this policy is configured.
  • Cisco ROUTER-SDM-CD | User Guide - Page 484
configuration even if the router is reloaded, and are presented during the SSL handshake process. New users must manually be used in a certificate request. Length of RSA Key Cisco SDM places the value 512 in this field. You can
  • Cisco ROUTER-SDM-CD | User Guide - Page 485
list contains the IP addresses of all configured router interfaces, and all existing Cisco IOS SSL VPN gateways. You can use the IP address of a router interface if it is a public address that you create a new gateway.
  • Cisco ROUTER-SDM-CD | User Guide - Page 486
    . Note If you check this checkbox, the URL that you must use to access Cisco SDM changes after you deliver the configuration to the router. Review the information area at the bottom of the window to learn which URL to use. Cisco SDM places a shortcut to this URL on the desktop of your PC that you
  • Cisco ROUTER-SDM-CD | User Guide - Page 487
server. To manage AAA configurations on the router, leave the wizard, click Additional Tasks, and then click the AAA node in the Additional Tasks tree. This list does not appear if you have chosen Locally on this router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 488
and Edit buttons to manage the users on the router. This list does not appear if you chose External AAA server. Configure Intranet Websites Configure groups of intranet websites that you want to allow users to visit.
  • Cisco ROUTER-SDM-CD | User Guide - Page 489
it. Click Modify to allow Cisco SDM to add entries to the ACL to allow SSL traffic to pass through the firewall. Click Details to view the entry that Cisco SDM adds. The entry will be similar to the one already shown.
  • Cisco ROUTER-SDM-CD | User Guide - Page 490
of an existing Cisco IOS SSL VPN policy. Services This area lists the services, such as URL mangling, and Cisco Secure Desktop, that this policy is configured for. URLs servers that this policy is configured to use.
  • Cisco ROUTER-SDM-CD | User Guide - Page 491
order to send and receive e-mail. The Thin-Client feature, also known as port forwarding, allows a small applet to be downloaded along with the portal so that a remote workstation can communicate with the intranet server.
  • Cisco ROUTER-SDM-CD | User Guide - Page 492
enter "Telnet to 10.10.11.2." The description you enter appears on the portal. Learn More Click this link for more information. You can view that information now by clicking Learn More about Port Forwarding Servers.
  • Cisco ROUTER-SDM-CD | User Guide - Page 493
router so that clients can download it to establish full-tunnel connectivity. If the Full Tunnel software was installed along with Cisco SDM, the path to it automatically appears in the Location field, as shown in Example 21-1.
  • Cisco ROUTER-SDM-CD | User Guide - Page 494
    locate software install bundles for Cisco SDM so that it can use that location in the Cisco IOS SSL VPN configuration, or, if necessary, load the software onto the router. Note You may need a CCO username and password in order to obtain software from Cisco software download sites. To obtain these
  • Cisco ROUTER-SDM-CD | User Guide - Page 495
in that field, no further action need be taken. Cisco SDM configures the router to download the software from that location. Example 21-2 shows a path Router C:\Documents and Settings\username\Desktop\sslclient-win-1.1.0.154.pkg
  • Cisco ROUTER-SDM-CD | User Guide - Page 496
obtain software from Cisco software download sites. To obtain these credentials, click Register at the top of any Cisco.com webpage and provide the information asked for. Your userid and password will be e-mailed to you.
  • Cisco ROUTER-SDM-CD | User Guide - Page 497
a network that the router can reach. Citrix Server To create a new list, click Add and provide the required information in the dialog displayed. Use the Edit and Delete keys to change or remove URL lists in this table.
  • Cisco ROUTER-SDM-CD | User Guide - Page 498
, the Cisco IOS CLI commands that you are sending are displayed. Click Deliver to send the configuration to the router, or click Cancel to discard it. Editing SSL VPN Connection Reference describes the configuration screens.
  • Cisco ROUTER-SDM-CD | User Guide - Page 499
• Context: Port Forward Lists • Add or Edit a Port Forward List • Context: URL Lists • Add or Edit a URL List • Context: Cisco Secure Desktop • SSL VPN Gateways • Add or Edit a SSL VPN Gateway • Packages • Install Package
  • Cisco ROUTER-SDM-CD | User Guide - Page 500
    IOS SSL VPN features that Cisco SDM supports. Click Cisco IOS SSL VPN links on Cisco.com for links to Cisco IOS SSL VPN documents. Click Cisco IOS SSL VPN Contexts, Gateways, and Policies for a description of how the components of a Cisco IOS SSL VPN configuration work together. SSL VPN Contexts
  • Cisco ROUTER-SDM-CD | User Guide - Page 501
    Textual description of status. • In Service-Context is in service. Users specified in policies configured under the context can access their Cisco IOS SSL VPN portal. • Not in Service-Context is not in service. Users specified in policies configured under the context cannot access their Cisco IOS
  • Cisco ROUTER-SDM-CD | User Guide - Page 502
Description Enter the name of a new context, or choose the name of an existing context to edit it. Select an existing gateway, or click Create gateway to configure name must have already been configured on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 503
ACL that is applied to an interface on which a Cisco IOS SSL VPN connection is configured may block the SSL traffic. Cisco SDM can automatically modify the ACL to allow this traffic to pass the gateway is enabled or not.
  • Cisco ROUTER-SDM-CD | User Guide - Page 504
window displays the group policies configured for the chosen Cisco IOS SSL VPN context. Use about the policy in the lower part of the window. For a description of these details, click the following links Group Policy: General Tab
  • Cisco ROUTER-SDM-CD | User Guide - Page 505
configured application ACL for this group. To configure router can reach. Enter information if you want Cisco IOS SSL VPN clients to be able to use Clientless Citrix. Field Reference Table 21-3 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 506
Cisco IOS SSL VPN Table 21-3 Clientless Tab Fields Element Clientless Web Browsing Action URL List Description feature for the group policy. When URL obfuscation is enabled, end users do not see the path to the web server
  • Cisco ROUTER-SDM-CD | User Guide - Page 507
checked by default. Group Policy: SSL VPN Client (Full Tunnel) Tab Make settings in this tab if you want to enable the group members to download and use full-tunnel client software.
  • Cisco ROUTER-SDM-CD | User Guide - Page 508
full tunnel software installed Enter the URL to the home page that is to be displayed to full-tunnel clients in this group.
  • Cisco ROUTER-SDM-CD | User Guide - Page 509
should use when accessing intranet hosts and services. Configure Advanced Tunnel Options Button Click to display the Advanced Tunnel Options router is connected to. If there are networked printers on these LANs, you must use this option.
  • Cisco ROUTER-SDM-CD | User Guide - Page 510
proxy server Click to instruct Cisco IOS SSL VPN client browsers not to service that it provides in these fields. For example, if the proxy server supports FTP requests, enter the IP address of the proxy server and port number 21.
  • Cisco ROUTER-SDM-CD | User Guide - Page 511
WINS servers that will be sent to Cisco IOS SSL VPN clients. Cisco IOS SSL VPN clients will use these servers to access hosts and services on the corporate intranet. Provide addresses for can change these values, and the
  • Cisco ROUTER-SDM-CD | User Guide - Page 512
Editing SSL VPN Connections Chapter 21 Cisco IOS SSL VPN values you enter are used in to browse for it on your PC. It is saved to router flash after you click OK, and will appear in the upper-left corner of the portal.
  • Cisco ROUTER-SDM-CD | User Guide - Page 513
uses NetBIOS servers to display the corporate Microsoft Windows file system to Cisco IOS SSL VPN users. Each name server list configured for the context is shown in the NetBIOS Name Server Lists area, and retries values.
  • Cisco ROUTER-SDM-CD | User Guide - Page 514
    that the router contacts on the list. Context: Port Forward Lists Configure the port forwarding lists for the selected context in this window. The lists can be associated to any group policy configured under the selected context. Port forward lists reveal TCP application services to Cisco IOS SSL
  • Cisco ROUTER-SDM-CD | User Guide - Page 515
the router. It shows the name and IP address of the gateway, the number of contexts configured to use the gateway, and the status of the gateway. The gateway is enabled and in service. The gateway is disabled and out of service.
  • Cisco ROUTER-SDM-CD | User Guide - Page 516
The gateway name uniquely identifies this gateway on the router, and is the name used to refer to the gateway when configuring Cisco IOS SSL VPN contexts. IP Address Choose or for secure Cisco IOS SSL VPN communication.
  • Cisco ROUTER-SDM-CD | User Guide - Page 517
    Gateways window. Packages This window enables you to obtain software install bundles that must be downloaded to Cisco IOS SSL VPN clients to support Cisco IOS SSL VPN features, and to load them on the router. You can also use this window to remove install bundles that have been installed. Follow
  • Cisco ROUTER-SDM-CD | User Guide - Page 518
in Cisco SDM configuration windows and describes how Cisco IOS SSL VPN components work together. An example of using the Cisco IOS SSL VPN wizard and edit windows in Cisco SDM is also provided. Before discussing each component individually, it is helpful to note the following:
  • Cisco ROUTER-SDM-CD | User Guide - Page 519
or more Cisco IOS SSL VPN contexts. Each gateway configured on a router must be configured with its own IP address; IP addresses cannot be shared among gateways. It is possible to use the IP address of a router interface, or
  • Cisco ROUTER-SDM-CD | User Guide - Page 520
this wizard creates a new context, gateway, and group policy. The following table contains the information the user enters in each wizard window, and the configuration that Cisco SDM creates with that information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 521
configuration is delivered to the router, users must enter http://172.16.5.5:4443 to launch Cisco SDM using this IP address. Cisco SDM also begins to configure the first group policy, named policy_1. User Authentication Window
  • Cisco ROUTER-SDM-CD | User Guide - Page 522
windows after completing the wizard. SSL VPN Passthrough Configuration Window User checks Allow SSL VPN to work with NAC and Firewall Cisco SDM adds an ACL with the following entry. permit tcp any host 172.16.5.5 eq 443
  • Cisco ROUTER-SDM-CD | User Guide - Page 523
configuration is delivered, the router has one Cisco Services URLs exposed to Users Servers Exposed to users WINS servers Item Value URL Mangling, Full Tunnel http://172.16.5.5/pricelist http://172.16.5.5/catalog
  • Cisco ROUTER-SDM-CD | User Guide - Page 524
IP address: 10.0.0.100 Server port on which user is connecting: 23 Port on client PC: Cisco SDM-supplied value. 3001 for this example. Description: SSL VPN Telnet access to server-a. This description will be on the portal.
  • Cisco ROUTER-SDM-CD | User Guide - Page 525
three Cisco IOS SSL VPN group policies configured, Sales, Field, and Manufacturing, the router cannot, by itself, determine which policy group Bob Smith is a member of. If a AAA server is configured with the proper information
  • Cisco ROUTER-SDM-CD | User Guide - Page 526
    the information that Bob Smith is a member of the group Sales. The router can then display the correct portal for the Sales group. For information on how to configure the AAA server, see the "Configuring RADIUS Attribute Support for SSL VPN" section in the SSL VPN Enhancements document at the
  • Cisco ROUTER-SDM-CD | User Guide - Page 527
you are testing and observe the Cisco IOS SSL VPN traffic statistics in the Cisco IOS SSL VPN window. Based on the results of your tests, go back to Cisco SDM if necessary and fix any configuration problems you discovered.
  • Cisco ROUTER-SDM-CD | User Guide - Page 528
can allow Cisco SDM to make the necessary modifications to the firewall, or you can leave the firewall intact and make the changes manually by going to Configure > Firewall instance must already be configured on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 529
Chapter 22: SSL VPN Enhancements This chapter explains how to configure SSL VPN enhancements available with SSL VPN Reference • SSL VPN Context: Access Control Lists you to edit existing ACLs and create new ones.
  • Cisco ROUTER-SDM-CD | User Guide - Page 530
Action URL Time Range Description To create an Cisco IOS SSL VPN uses application ACLs to specify permitted and denied URLs. One ACL can consist of multiple entries. Field Reference Table 22-2 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 531
Context ACL Entry Fields Description Choose one of the following: • Permit-Allow access to the URL in this entry. • Deny-Deny access to the URL in this entry. To have this ACL entry apply to any URL, click Any.
  • Cisco ROUTER-SDM-CD | User Guide - Page 532
the start and end date for the Description To create a time range entry, click Add, and create the entry in the displayed dialog. To edit an entry, select the entry, and click Edit. Make changes to the entry in the displayed dialog.
  • Cisco ROUTER-SDM-CD | User Guide - Page 533
Description Delete To remove an entry, select the entry and click Delete. Item Name The Item Name list displays the time range entries configured It can also specify a start time and an end time. Period If the entry type is Periodic
  • Cisco ROUTER-SDM-CD | User Guide - Page 534
Range Fields Element Time Range Name Time Range Entry List Area Type Period Start End Add Edit Delete Description Enter a name for the time range. One of the following: • Absolute have a start date, an end date, or both.
  • Cisco ROUTER-SDM-CD | User Guide - Page 535
fields in this screen. Table 22-6 Absolute Time Range Fields Element Description Start To specify a start date, click Start, and enter a ending days and times. Field Reference Table 22-7 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 536
Period From Day Till Day Duration Start Time End Time Periodic Time Range Fields Description Choose one of the following: • Specific ending time in 24-hour format. For example, entering 23:59 specifies an ending time of 11:59 p.m.
  • Cisco ROUTER-SDM-CD | User Guide - Page 537
not troubleshoot more than two peers for site-to-site VPN, GRE over IPsec, or Easy VPN client connections. Tunnel Details This box provides the VPN tunnel details. Interface Interface to which the VPN tunnel is configured.
  • Cisco ROUTER-SDM-CD | User Guide - Page 538
(s) This box provides the possible reason(s) for the VPN tunnel failure. Recommended action(s) This box provides a possible action/solution to rectify the problem. Close Button Click this button to close the window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 539
    done or has not completed successfully. • The IOS image does not support the required debugging commands. • The view used to launch Cisco SDM does not have root privileges. What Do You Want to Do? If you want to: Troubleshoot the VPN connection. Save the test report. Do this: Click Start button
  • Cisco ROUTER-SDM-CD | User Guide - Page 540
. Destination Destination IP address. Service This column lists the type of traffic on the interface. Log This column indicates whether logging is enabled for this traffic. Attributes Any additional attributes defined.
  • Cisco ROUTER-SDM-CD | User Guide - Page 541
type you want, click this button to continue testing. Close Button Click this button to close the window. VPN Troubleshooting: Generate GRE Traffic This screen appears if you are generating GRE over IPSec traffic.
  • Cisco ROUTER-SDM-CD | User Guide - Page 542
Click this button to close the window. Cisco SDM Warning: SDM will enable router debugs... This window appears when Cisco SDM is ready to begin advanced troubleshooting. Advanced troubleshooting involves delivering debug commands to the router, waiting for results to report, and then removing
  • Cisco ROUTER-SDM-CD | User Guide - Page 543
to the router configuration to fix those problems. To have Cisco SDM perform a security audit and then fix the problems it has found: Step 1 In the left frame, select Security Audit. Step 2 Click Perform Security Audit.
  • Cisco ROUTER-SDM-CD | User Guide - Page 544
    . Check the Fix it boxes next to any problems that you want Cisco Router and Security Device Manager (Cisco SDM) to fix. For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description to display a help page about that
  • Cisco ROUTER-SDM-CD | User Guide - Page 545
Interval • Set Scheduler Allocate • Set Users • Enable Telnet Settings • Enable NetFlow Switching • Disable IP Redirects • Disable IP Proxy ARP • Disable IP Directed Broadcast • Disable MOP Service
  • Cisco ROUTER-SDM-CD | User Guide - Page 546
Service • Set Access Class on VTY Lines • Enable SSH for Access to the Router Welcome Page This screen describes the Security Audit wizard and the changes the wizard will attempt to make to your router configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 547
. The Security Audit will correct the problems you selected, collecting further input from you as necessary, and will then display a list of the new configuration commands that will be added to the router configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 548
," which involves sending a finger request to a specific computer every minute, but never disconnecting. The configuration that will be delivered to the router to disable the Finger service is as follows: no service finger
  • Cisco ROUTER-SDM-CD | User Guide - Page 549
are rarely used, the best policy is usually to disable them on all routers of any description. The configuration that will be delivered to the router to disable TCP small servers is as follows: no service tcp-small-servers
  • Cisco ROUTER-SDM-CD | User Guide - Page 550
be used by an attacker to download a copy of a router's Cisco IOS software. In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should be disabled or filtered via a firewall for this reason as well.
  • Cisco ROUTER-SDM-CD | User Guide - Page 551
may be used to design attacks against the router. The configuration that will be delivered to the router to disable CDP is as follows: no cdp run This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 552
IP protocol supports source routing configuration that will be delivered to the router to enable password encryption is as follows: service password-encryption This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 553
potential attacks. The configuration that will be delivered to the router to enable time stamps and sequence numbers is as follows: service timestamps debug datetime localtime show-timezone msec service timestamps log datetime localtime show-timezone msec
  • Cisco ROUTER-SDM-CD | User Guide - Page 554
service sequence-numbers Enable IP CEF Security Audit enables Cisco Express Forwarding (CEF) or Distributed Cisco Length to Less Than 6 Characters Security Audit configures your router to require a minimum password length of six
  • Cisco ROUTER-SDM-CD | User Guide - Page 555
configuration change will be made only if the Cisco IOS version running on your router supports the minimum password length feature. The configuration that will be delivered to the router a form of Denial-of-Service (DoS) attack. A TCP
  • Cisco ROUTER-SDM-CD | User Guide - Page 556
. The configuration that will be delivered to the router to enable and configure logging is as follows, replacing and with the appropriate values that you enter into Security Audit:
  • Cisco ROUTER-SDM-CD | User Guide - Page 557
very widely used for router monitoring, and frequently for router configuration changes as well. Version Cisco recommends disabling SNMP if your network does not require it. Security Audit will initially request to disable SNMP.
  • Cisco ROUTER-SDM-CD | User Guide - Page 558
for activities other than network switching, such as management processes. The configuration that will be delivered to the router to set the scheduler allocate percentage is as follows: scheduler allocate 4000 1000
  • Cisco ROUTER-SDM-CD | User Guide - Page 559
the following configurations whenever possible: • Configures transport input Cisco IOS feature that enhances routing performance while using Access Control Lists (ACLs) and other features that create and enhance network security.
  • Cisco ROUTER-SDM-CD | User Guide - Page 560
possible. ICMP supports IP traffic by relaying information about paths, routes, and network conditions. ICMP redirect messages instruct an end node to use a specific router as its security level, and only when necessary.
  • Cisco ROUTER-SDM-CD | User Guide - Page 561
be dropped instead. The configuration that will be delivered to the router to disable IP directed broadcasts is as follows: no ip directed-broadcast This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 562
possible. ICMP supports IP traffic by relaying information about paths, routes, and network conditions. ICMP mask reply messages are sent when a network device must know the subnet mask for a particular subnetwork
  • Cisco ROUTER-SDM-CD | User Guide - Page 563
supports -Service attack configuration to the router to disable ICMP host unreachable messages for discarded packets or packets routed to the null interface is as follows: int null 0 no ip unreachables This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 564
In addition, unicast RPF can be enabled only when IP Cisco Express Forwarding (CEF) is enabled. Security Audit will check the router configuration to see if IP CEF is enabled. If IP by scrutinizing source and destination
  • Cisco ROUTER-SDM-CD | User Guide - Page 565
    as needed and closing it all other times. To enable CBAC, Security Audit will use Cisco SDM's Create Firewall screens to generate a firewall configuration. Set Access Class on HTTP Server Service Security Audit enables the HTTP service on the router with an access class whenever possible. The HTTP
  • Cisco ROUTER-SDM-CD | User Guide - Page 566
locking access to the router. The configuration that will be delivered to the router to secure access and services. Cisco SDM will perform the following precautionary tasks while enabling AAA to prevent loss of access to the router:
  • Cisco ROUTER-SDM-CD | User Guide - Page 567
    will be delivered to the router configuration, based on the security problems that you selected to fix in the Report Card screen. Cisco SDM and Cisco IOS AutoSecure AutoSecure is a Cisco IOS feature that, like Cisco SDM, lets you more easily configure security features on your router, so that your
  • Cisco ROUTER-SDM-CD | User Guide - Page 568
    of Cisco SDM: • Disabling NTP-Based on input, AutoSecure will disable the Network Time Protocol (NTP) if it is not necessary. Otherwise, NTP will be configured with MD5 authentication. Cisco SDM does not support disabling NTP.
  • Cisco ROUTER-SDM-CD | User Guide - Page 569
    , Authorization, and Accounting (AAA) service is not configured, AutoSecure configures local AAA and prompts for configuration of a local username and password database on the router. Cisco SDM does not support AAA configuration. • Setting SPD Values-Cisco SDM does not set Selective Packet Discard
  • Cisco ROUTER-SDM-CD | User Guide - Page 570
    and other configurations that you want to undo, and click Next>. Add or Edit Telnet/SSH Account Screen This screen lets you add a new user account or edit an existing user account for Telnet and SSH access to your router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 571
    for confirmation. The entry in this field must match the entry in the password field. Configure User Accounts for Telnet/SSH Page This screen lets you manage the user accounts that have password of the selected account.
  • Cisco ROUTER-SDM-CD | User Guide - Page 572
    to guess. The text banner will be displayed whenever anyone connects to your router using Telnet or SSH. The text banner is an important security consideration the text banner that you want configured on your router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 573
    Audit Logging Page Logging Page This screen lets you configure the router log by creating a list of syslog servers descriptions of each of the severity levels are as follows: - 0 - emergencies System unusable - 1 - alerts
  • Cisco ROUTER-SDM-CD | User Guide - Page 574
    - errors Error conditions - 4 - warnings Warning conditions - 5 - notifications Normal but significant condition - 6 - informational Informational messages only - 7 - debugging Debugging messages
  • Cisco ROUTER-SDM-CD | User Guide - Page 575
    , add new routes, edit existing routes, and delete routes. Note Static and dynamic routes configured for GRE over IPSec tunnels will appear in this window. If you delete a routing entry designated as a permanent route.
  • Cisco ROUTER-SDM-CD | User Guide - Page 576
    been configured that SDM does not support, the configured, this column contains the text RIP, OSPF, and EIGRP. When one or more routes have been configured, this column contains the parameter names for the type of routing configured.
  • Cisco ROUTER-SDM-CD | User Guide - Page 577
    Edit. Then, configure the route in the displayed window. Add or Edit IP Static Route Use this window to add or edit a static route. Destination Network Enter the destination network address information in these fields.
  • Cisco ROUTER-SDM-CD | User Guide - Page 578
    the destination network. For more information, refer to Available Interface Configurations. Prefix Mask Enter the destination address subnet mask. Make this down or the router is unable to communicate with the next router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 579
    2, and Default. Select the version supported by the Cisco IOS image that the router is running. When you select version 1, the router sends version 1 RIP packets and the router's OSPF routing process to other routers.
  • Cisco ROUTER-SDM-CD | User Guide - Page 580
    area number for that network. Each router in a particular OSPF area maintains a topological database for that area. Note If SDM detects previously configured OSPF routing that includes "area" in the IP address window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 581
    route. Autonomous System Number The autonomous system number is used to identify the router's EIGRP routing process to other routers. IP Network List Enter the networks that you want to create routes to the Network list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 582
    Add or Edit EIGRP Route
  • Cisco ROUTER-SDM-CD | User Guide - Page 583
    with hosts across the Internet. Network Address Translation Wizards You can use a wizard to guide you in creating a Network Address Translation (NAT) rule. Choose one of the following wizards choose Advanced NAT.
  • Cisco ROUTER-SDM-CD | User Guide - Page 584
    from the NAT configuration by unchecking its check box. The list shows the following information for each network: • IP address range allocated to the network • Network LAN interface • Comments entered about the network
  • Cisco ROUTER-SDM-CD | User Guide - Page 585
    configuration, uncheck its check box. Note If Cisco SDM detects a conflict between the NAT configuration and an existing VPN configuration for wizard will guide you through configuring NAT for connecting your LANs and servers to the Internet.
  • Cisco ROUTER-SDM-CD | User Guide - Page 586
    this NAT configuration. Remove that network from the NAT configuration by unchecking its check box. The list shows the following information for each network: • IP address range allocated to the network • Network LAN interface
  • Cisco ROUTER-SDM-CD | User Guide - Page 587
    a network from the NAT configuration, uncheck its check box. To add a network not directly connected to your router to the list, click Add Networks. Note If Cisco SDM does not allow you to ) to which they are translated.
  • Cisco ROUTER-SDM-CD | User Guide - Page 588
    IP addresses that appear in the drop-down menu include the IP address of the router WAN interface and any public IP addresses you own that were entered in the connections window ( HTML and other WWW-oriented pages.
  • Cisco ROUTER-SDM-CD | User Guide - Page 589
    the NAT configuration to remove the conflict, or choose to not modify the NAT configuration. If you choose to not modify the NAT configuration, the conflict may cause other features you have configured to stop working.
  • Cisco ROUTER-SDM-CD | User Guide - Page 590
    to configure or edit address pools. Address pools are used with dynamic address translation. The router can dynamically assign addresses from the pool as they are needed. When an address is no longer needed, it is returned to the pool.
  • Cisco ROUTER-SDM-CD | User Guide - Page 591
    they expire and are purged from the translation table. Click this button to configure the timeout values for NAT translation entries and other values. Network Address Translation a separate static rule for each address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 592
    pools to assign addresses to devices as they are needed. Click Address Pools, and configure address pool information in the dialog box. Set the translation timeout. Click Translation entry on Add, and then click Add.
  • Cisco ROUTER-SDM-CD | User Guide - Page 593
    previously configured NAT rules to appear as read-only in the Network Address Translation Rules list. Read-only NAT rules are not editable. For more information, see the help topic Reasons that Cisco SDM Cannot Edit a NAT Rule.
  • Cisco ROUTER-SDM-CD | User Guide - Page 594
    your organization's WAN or to the Internet. Translation Timeout Settings When you configure dynamic NAT translation rules, translation entries have a timeout period after which they time out. The default is 60 seconds.
  • Cisco ROUTER-SDM-CD | User Guide - Page 595
    configured on a router, Cisco SDM only creates route maps to limit the action of NAT, route maps can be used for other purposes as well. If route maps have been created using the CLI, they will be visible in this window as well.
  • Cisco ROUTER-SDM-CD | User Guide - Page 596
    number of the route map. Action Route maps created by Cisco SDM are configured with the permit keyword. If this field contains the value deny When Cisco SDM creates a route map, it automatically assigns it a sequence number.
  • Cisco ROUTER-SDM-CD | User Guide - Page 597
    Cisco SDM are configured configuring a dynamic NAT rule. Address This field contains the IP address range in the pool. Devices whose IP addresses match the access rule specified in the Add Address Translation Rule window will be given private IP addresses from this pool.
  • Cisco ROUTER-SDM-CD | User Guide - Page 598
    and confirm deletion in the Warning box displayed. Note If Cisco SDM detects a previously configured NAT address pool that uses the "type" keyword, that the router to use PAT when the address pool is close to depletion.
  • Cisco ROUTER-SDM-CD | User Guide - Page 599
    by Cisco SDM or created using the CLI by clicking the View Route Maps button in the NAT window. Direction This help topic describes how to use the Add Address Translation Rule fields when From inside to outside is chosen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 600
    want Cisco SDM to translate the addresses of a subnet, enter the mask for that subnet. Cisco SDM determines the network and subnet number and the set of addresses needing translation from the IP address and mask that you supply.
  • Cisco ROUTER-SDM-CD | User Guide - Page 601
    If Interface is chosen in the Type field, only translations that redirect TCP/IP ports are supported. The Redirect Port check box is automatically checked and cannot be unchecked. IP Address This inside global addresses.
  • Cisco ROUTER-SDM-CD | User Guide - Page 602
    that the router is to use for this translation. Configuration Scenarios Click Cisco SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate
  • Cisco ROUTER-SDM-CD | User Guide - Page 603
    configure the NAT rule. IP Address Do one of the following: • If you want to create a one-to-one static mapping between the outside global address of a single remote host and a translated address, known as the outside local address, enter the IP address for the remote host.
  • Cisco ROUTER-SDM-CD | User Guide - Page 604
    area will be used to calculate the remaining outside local addresses. Note If you do not enter a network mask in the Translate from Interface area, Cisco SDM will perform only one translation.
  • Cisco ROUTER-SDM-CD | User Guide - Page 605
    is defined by specifying a range of addresses and giving the range a unique name. The configured router uses the available addresses in the pool (those not used for static translations or for its to another device later.
  • Cisco ROUTER-SDM-CD | User Guide - Page 606
    configure the NAT rule. Access Rule Dynamic NAT translation rules use access rules to specify the addresses that need translation. If you choose From inside to outside, these are the inside local addresses. Enter the name or number of the access rule that defines the addresses
  • Cisco ROUTER-SDM-CD | User Guide - Page 607
    in this field, or you can click Address Pool to choose or create an address pool. Configuration Scenarios Click Dynamic Address Translation Scenarios for examples that illustrate how the fields in this window are used.
  • Cisco ROUTER-SDM-CD | User Guide - Page 608
    a unique name. The configured router uses the available addresses in are part of a VPN, Cisco SDM will prompt you to allow it router. This help topic describes how the remaining fields are used when From outside to inside is chosen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 609
    with translated addresses exit the router. It also provides fields for specifying the translated address. Inside Interface(s) If you choose From outside to inside, this area contains the designated inside interfaces.
  • Cisco ROUTER-SDM-CD | User Guide - Page 610
    outside. To configure a NAT rule to translate addresses from outside to inside, follow the directions in one of the following sections: • Add or Edit Dynamic Address Translation Rule: Outside to Inside • Add or Edit Static Address Translation Rule: Outside to Inside
  • Cisco ROUTER-SDM-CD | User Guide - Page 611
    in one of these sections, choose the same LAN interface and a new WAN interface. Repeat this procedure for all WAN interfaces that you want to configure with address translation rules.
  • Cisco ROUTER-SDM-CD | User Guide - Page 612
    How Do I . . .
  • Cisco ROUTER-SDM-CD | User Guide - Page 613
    signatures associated with those threats. • IPS Migration-If the router runs a Cisco IOS image of release 12.4(11)T or later, you can migrate Cisco IOS IPS configurations created using earlier versions of the Cisco IOS.
  • Cisco ROUTER-SDM-CD | User Guide - Page 614
    the Edit IPS tab. For more information on Cisco IOS IPS, see the documents at the following link: http://www.cisco.com/en/US/products/ps6634/prod_white_papers_list.html Click the Launch IPS Rule Wizard button to begin.
  • Cisco ROUTER-SDM-CD | User Guide - Page 615
    Cisco IOS images that support Cisco IOS IPS contain built-in signatures. If you check the box at the bottom of the window, the router will use the built-in signatures only if it cannot obtain an SDF from any location in the list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 616
    router flash memory. Click Browse to specify where you want to save the signature file, and then click Download to begin downloading the file. Cisco SDM downloads the signature file to the location that you specify. Configure
  • Cisco ROUTER-SDM-CD | User Guide - Page 617
    key: http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup Download the key to your Configuration File Location window that is displayed when the router runs Cisco Cisco SDM displays the path to the location in this field.
  • Cisco ROUTER-SDM-CD | User Guide - Page 618
    message. In the No. of Retries and Timeout fields, specify how many times the router is to attempt to contact the remote system, and how long the router is to wait for a response before stopping the contacting attempts.
  • Cisco ROUTER-SDM-CD | User Guide - Page 619
    file is located on the PC, click Browse, navigate to the folder containing the file, and select the filename. You must choose a Cisco SDM-specific package of the format sigv5-SDM-Sxxx.zip; for example, sigv5-SDM-S260.zip.
  • Cisco ROUTER-SDM-CD | User Guide - Page 620
    located in router flash memory. The router is configured to use the signature definitions built in to the Cisco IOS image that the router uses. FastEthernet0/0 Signature File location: C:\SDM-Test-folder\sigv5-SDM-S260.zip Public Key:
  • Cisco ROUTER-SDM-CD | User Guide - Page 621
    Configuration This button appears if the Cisco IOS image on the router is version 12.4(11)T or later. Signature Event Action Processing (SEAP) gives you greater control over IOS IPS by providing advanced filtering and overrides.
  • Cisco ROUTER-SDM-CD | User Guide - Page 622
    the type of traffic you want to examine. See Enable or Edit IPS on an Interface for more information. Edit Button Click to edit the Cisco IOS IPS characteristics applied to the specified interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 623
    /Outbound IPS • Enabled-Cisco IOS IPS is enabled for this traffic direction. • Disabled-Cisco IOS IPS is disabled for this traffic direction. VFR Status Virtual Fragment Reassembly (VFR) status. The possible values are:
  • Cisco ROUTER-SDM-CD | User Guide - Page 624
    , or any host or network. Service-Type of service filtered: IP, TCP, UDP, IGMP, or ICMP. Log-Whether or not denied traffic is logged. Attributes-Options configured using the CLI. Description-Any description provided.
  • Cisco ROUTER-SDM-CD | User Guide - Page 625
    . The ACL that you specify appears in the IPS Rules Configuration window when the interface with which it is associated is chosen Cisco IOS firewall to check for IP fragments on this interface. See VFR Status for more information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 626
    to view and configure global settings for Cisco IPS. This help topic describes the information that you may see if the running Cisco IOS image is the router buffer. SDEE Subscription Number of concurrent SDEE subscriptions.
  • Cisco ROUTER-SDM-CD | User Guide - Page 627
    traffic from that host or network. Configured SDF Locations A signature location is a URL that provides a path to an SDF. To find an SDF, the router attempts to contact the first location in delete a specified location.
  • Cisco ROUTER-SDM-CD | User Guide - Page 628
    a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. Enable this option to make the Cisco IOS software drop packets during the compilation process.
  • Cisco ROUTER-SDM-CD | User Guide - Page 629
    Engine Tab) This option is applicable if signature actions are configured to "denyAttackerInline" or "denyFlowInline." By default, Cisco IOS IPS applies ACLs to the interfaces from which attack URL at which it resides.
  • Cisco ROUTER-SDM-CD | User Guide - Page 630
    Cisco IOS IPS configuration. SDEE Messages Choose the SDEE message type to display: • All-SDEE error, status, and alert messages are shown. • Error-Only SDEE error messages are shown. • Status-Only SDEE status messages are shown. • Alerts-Only SDEE alert messages are shown.
  • Cisco ROUTER-SDM-CD | User Guide - Page 631
    to see possible SDEE messages. Time message was received. Available description. Click to check for new SDEE messages. Click to close the SDEE Messages window. SDEE Message Text This topic lists possible SDEE messages.
  • Cisco ROUTER-SDM-CD | User Guide - Page 632
    - %d signatures - %d of %d engines Explanation Triggered when Cisco IOS IPS begins building the signature microengine (SME). Error Message Triggered when the router resorts to loading the builtin signatures.
  • Cisco ROUTER-SDM-CD | User Guide - Page 633
    is the most probable cause of this problem. If this happens, the new imported signature that belongs to this engine is discarded by Cisco IOS IPS. Error Message SDF_PARSE_FAILED: an unexpected internal system error occurs.
  • Cisco ROUTER-SDM-CD | User Guide - Page 634
    , and that a public key has been configured to allow the router to access the information in the configloc directory. Item Name / Item Value: Config Location: flash:/configloc/; Selected Category: basic; Public Key: Configured
  • Cisco ROUTER-SDM-CD | User Guide - Page 635
    messages uses more router memory. Global Engine Tab The Global Engine dialog displayed when the router uses a Cisco IOS 12.4(11)T or later image allows you to configure the settings described in the following sections.
  • Cisco ROUTER-SDM-CD | User Guide - Page 636
    , SDM configures the router with a subset of signatures appropriate for a specific amount of router memory. You can also remove an existing category configuration if you want to remove category constraints when selecting signatures.
  • Cisco ROUTER-SDM-CD | User Guide - Page 637
    and paste it into the Key field. For detailed instructions that explain exactly which parts of the text to copy and paste, see Configure Public Key. Edit IPS: Auto Update Signature file updates are posted on Cisco.com. Cisco SDM can download the signature file update that you specify, or it
  • Cisco ROUTER-SDM-CD | User Guide - Page 638
    the file that you want, and then use the Browse and Download buttons to save it to your PC. Autoupdate Click Enable Autoupdate if you want Cisco SDM to automatically obtain updates from a remote server that you specify.
  • Cisco ROUTER-SDM-CD | User Guide - Page 639
    you can configure. To begin configuration, click on one of the buttons under the SEAP Configuration button. You can configure SEAP settings for Cisco IOS IPS when the router runs Cisco IOS 12.4(11)T and later releases.
  • Cisco ROUTER-SDM-CD | User Guide - Page 640
    Edit IPS: SEAP Configuration: Target Value Rating The target value rating (TVR) is a user-defined value that Changes button is disabled when there are no changes to send to the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 641
    the range that you defined, the action is added to the event. Event action overrides are a way to add event actions globally without having to configure each signature individually.
  • Cisco ROUTER-SDM-CD | User Guide - Page 642
    want in the Event Action Overrides window, click Apply Changes. The Apply Changes button is disabled when there are no changes to send to the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 643
    the Event Action. For example, if Deny Connection Inline is assigned a RR range of 90-100, and an event with an RR of 95 occurs, Cisco IOS IPS responds by denying the connection inline.
  • Cisco ROUTER-SDM-CD | User Guide - Page 644
    that the router processes the filters whether or not event action filtering is enabled. Event Action Filter List Area For a description of the end of the list. A dialog is displayed that enables you to enter the data for the filter.
  • Cisco ROUTER-SDM-CD | User Guide - Page 645
    Apply Changes Insert Before To insert a new event action filter before an , click Apply Changes. The Apply Changes button is disabled when there are no changes to send to the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 646
    to the router. Add or Edit an Event Action Filter The following information describes the fields in the Add and the Edit Event Action Filter dialogs. Name SDM provides event bounds of the range. For example, enter 70-200
  • Cisco ROUTER-SDM-CD | User Guide - Page 647
    Attacker Address For Attacker Address, enter a range of addresses from 0.0.0.0 to 255.255.255.255, that you choose for this filter will be listed in the Event Action Filters window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 648
    you can use to filter the display of attack signatures, click the + sign next to the Attack folder. If you want to see Denial of Service (DoS) signatures, click the DoS folder.
  • Cisco ROUTER-SDM-CD | User Guide - Page 649
    router if the router has a DOS-based file system. SDFs are available from Cisco. Click the following URL to download an SDF from Cisco.com (requires login): http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup Cisco and Service.DNS.
  • Cisco ROUTER-SDM-CD | User Guide - Page 650
    during the current session, a yellow Wait icon appears in the ! column indicating that the change must be applied to the router. Summary or Details Button Click to display or hide the signatures marked for deletion.
  • Cisco ROUTER-SDM-CD | User Guide - Page 651
    event. Severity levels are informational, low, medium, and high Engine to which the signature belongs. Right-click Context Menu If you right-click a signature, Cisco SDM displays a context menu with the following options:
  • Cisco ROUTER-SDM-CD | User Guide - Page 652
    for deletion because imported signatures are set to replace signatures already configured on the router. See How to Import Signatures for more information. Signatures marked for deletion remain active in the Cisco IOS IPS configuration until you click Apply Changes. If you exit the Signatures window
  • Cisco ROUTER-SDM-CD | User Guide - Page 653
    filter, click Yes. If you want the Cisco IOS IPS to evaluate matching events against the other remaining filters, click No. Comments You can add comments to describe the purpose of this filter. This field is optional.
  • Cisco ROUTER-SDM-CD | User Guide - Page 654
    IOS 12.4(11)T and later releases. The Signatures window lets you view the configured Cisco IOS IPS signatures on the router. You can add customized signatures, or import signatures from SDFs downloaded from Cisco.com. You can also edit, enable, disable, retire, and unretire signatures. Signature
  • Cisco ROUTER-SDM-CD | User Guide - Page 655
    example: If you choose Engine in View By, Criteria changes to Engine, and you can choose among the available engines, such as Atomic.ICMP and Service.DNS.
  • Cisco ROUTER-SDM-CD | User Guide - Page 656
    signatures will not be imported and will not appear in the signature list. The signature list can be filtered using the selection controls.
  • Cisco ROUTER-SDM-CD | User Guide - Page 657
    the signature belongs. Right-click Context Menu If you right-click a signature, Cisco SDM displays a context menu with the following options: • Actions-Click to choose the Defaults-Click to restore the signature's default values.
  • Cisco ROUTER-SDM-CD | User Guide - Page 658
    window displayed when the router runs Cisco IOS 12.4(11)T and later releases. Signature ID The unique numerical value assigned to this signature. This value allows the Cisco IOS IPS to identify a particular signature.
  • Cisco ROUTER-SDM-CD | User Guide - Page 659
    The signature description includes the signature name and release, any alert notes available from the Cisco Security Center, user comments, and other information. The signature engine associated with this signature. One commonly-used engine is named Atomic IP.
  • Cisco ROUTER-SDM-CD | User Guide - Page 660
    you can specify IP parameters, such as header length and type of service. The controls in the Event Counter box allow you to specify configure the signature to Fire All, but after a certain threshold is reached, it starts summarizing.
  • Cisco ROUTER-SDM-CD | User Guide - Page 661
    . Below the list of files is a Filename field containing the full path of the specified file. Note If you are choosing a configuration file to provision your router, the file must be a CCCD file or have a .cfg extension.
  • Cisco ROUTER-SDM-CD | User Guide - Page 662
    denies all traffic from the IP address considered to be the source of the attack by the Cisco IOS IPS system. Same as deny-attacker-inline. • denyFlowInline-Create an ACL that denies all packet. Same as deny-packet-inline.
  • Cisco ROUTER-SDM-CD | User Guide - Page 663
    router, or the Replace button to replace the already configured signatures. See Merge Button and Replace Button for more information. Click the Apply Changes button in the Edit IPS window to deploy the imported signatures.
  • Cisco ROUTER-SDM-CD | User Guide - Page 664
    description of Atomic.ICMP, and Service.DNS. If router is blue. The signature list area has these columns: • Sig ID-Unique numerical value assigned to this signature. This value allows Cisco IOS IPS to identify a particular signature.
  • Cisco ROUTER-SDM-CD | User Guide - Page 665
    Field Definitions The following fields are in the Add, Edit, and Clone Signature windows. • SIGID-Unique numerical value assigned to this signature. This value allows Cisco IOS IPS to identify a particular signature.
  • Cisco ROUTER-SDM-CD | User Guide - Page 666
    is the appearance of the signature on the address key. • SigComment-Comment or description text for the signature. • SigVersion-Signature version. • ThrottleInterval-Number of seconds defining and non-fragmented packets.
  • Cisco ROUTER-SDM-CD | User Guide - Page 667
    Signature reports and downloads are available at this link (requires login): http://tools.cisco.com/MySDN/Intelligence/searchSignatures.x IPS-Supplied Signature Definition Files To ensure that the router has as many signatures available as its memory can accommodate, Cisco SDM is shipped with one
  • Cisco ROUTER-SDM-CD | User Guide - Page 668
    Dashboard allows you to keep your router updated with signatures for the latest security threats. You must have Cisco IOS IPS configured on your router before you can deploy signatures using the Security Dashboard.
  • Cisco ROUTER-SDM-CD | User Guide - Page 669
    found on your router is blue. To obtain the latest top threats, click the Update top threats list button. Note You cannot update the top threats by using the Cisco SDM Refresh button or the threat is available to deploy.
  • Cisco ROUTER-SDM-CD | User Guide - Page 670
    download a Cisco IOS SDF file, Cisco SDM remembers the location of the file. The next time you load the Security Dashboard, Cisco SDM will select the latest Cisco Configured Cisco IOS IPS on your router • Downloaded the latest Cisco
  • Cisco ROUTER-SDM-CD | User Guide - Page 671
    of version 12.4(11)T or later, you must migrate a configuration created before this release if you want to use Cisco IOS IPS on your router. If you do not migrate the configuration, the configuration commands will not be changed, but Cisco IOS IPS will not operate. Click the Launch IPS Migration
  • Cisco ROUTER-SDM-CD | User Guide - Page 672
    when the Java heap size is too low to support an SDM feature. Complete the following procedure to set the heap size to the value stated in the window. Step 1 Exit Cisco SDM. Step 2 Click Start > Control Panel > Java.
  • Cisco ROUTER-SDM-CD | User Guide - Page 673
    Step 3 Step 4 Open the Java Runtime Settings dialog. The location of the Java Runtime Settings dialog. Click Apply in the Java Control Panel, and then click OK. Restart Cisco SDM.
  • Cisco ROUTER-SDM-CD | User Guide - Page 675
    you can configure it. You can use Telnet or SSH for this session. IDS Network Module Control Buttons Cisco SDM enables you to issue a number of basic commands to the IDS Network Module from this window. Reload Click to reload the IDS network module operating system.
  • Cisco ROUTER-SDM-CD | User Guide - Page 676
    launch the IDM software, Cisco SDM displays a dialog box that asks you for the IP address of the IDS module's external Fast Ethernet interface. When Cisco SDM obtains the correct address, available on the network module.
  • Cisco ROUTER-SDM-CD | User Guide - Page 677
    you click Configure, Cisco SDM verifies that the IDS Network Module has been configured, and that the router has all the configuration settings necessary to by the router. Therefore, it can be any address you want to use.
  • Cisco ROUTER-SDM-CD | User Guide - Page 678
    Cisco SDM attempt to discover the network module's IP address. You can use this option if you do not know the IP address, and you are not sure that the last address Cisco SDM used to contact the network module is still correct.
  • Cisco ROUTER-SDM-CD | User Guide - Page 679
    is the address that Cisco SDM and the router use when communicating with the IDS network module. This IP address can be a private address; no hosts other than the router it is installed in will be able to reach the address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 680
    /iaabu/csids/csids10/index.htm After you have fixed configuration settings, you can click this button to refresh the checklist. If an X icon remains in the Action column, a configuration setting has still not been made.
  • Cisco ROUTER-SDM-CD | User Guide - Page 681
    Feature Unavailable This window appears when you try to configure a feature that the Cisco IOS image on your router does not support. If you want to use this feature, obtain a Cisco IOS image from Cisco.com that supports it. Switch Module Interface Selection This window is displayed when there
  • Cisco ROUTER-SDM-CD | User Guide - Page 683
    the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 684
    Quality of Service (QoS) on the router's WAN interfaces. QoS can also be enabled on IPSec VPN interfaces and tunnels. The policy is applied to outgoing traffic on the interface. To create a QoS policy, click Launch QoS Wizard.
  • Cisco ROUTER-SDM-CD | User Guide - Page 685
    Element Details Description To view configuration details about the chosen interface, click Details. The window displays the interface's IP address and subnet mask, names of access rules and policies applied to the interface, and connections the interface is used for.
  • Cisco ROUTER-SDM-CD | User Guide - Page 686
    NBAR protocol discovery (untrusted) Description To use Differentiated Services Code Point (DSCP) markings to classify traffic, click DSCP marking (trusted). Cisco network devices such as IP phones and switches add DSCP markings to packets. Configuring DSCP on the router allows these markings to be
  • Cisco ROUTER-SDM-CD | User Guide - Page 687
    all classes other than best effort cannot exceed 75%. Cisco SDM displays the Allotted Bandwidth column when you configure a QoS policy for a non-VTI interface. It Class Name Description Enter a name for the traffic class.
  • Cisco ROUTER-SDM-CD | User Guide - Page 688
    Table 29-3 Add New Traffic Class Fields (continued) Element Description Value This column displays the values configured for the particular type, separated to give to the class. Cisco SDM displays a message if you enter
  • Cisco ROUTER-SDM-CD | User Guide - Page 689
    Fields Element Configure policing for outbound traffic Traffic Class Committed Information Rate (CIR) Description If the link is listed at the bottom of the screen. Cisco SDM displays a message if any entered value causes the total to
  • Cisco ROUTER-SDM-CD | User Guide - Page 690
    Field Reference Table 29-5 QoS Policy Generation Element Voice Call Signalling Routing Management Transactional Best Effort Description Configuration SDM-QoS-Policy-1 Policy Details Class Name: SDM-Voice-1 Enabled: Yes
  • Cisco ROUTER-SDM-CD | User Guide - Page 691
    the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
  • Cisco ROUTER-SDM-CD | User Guide - Page 692
    and change configured QoS policies, and associate policies with router interfaces. This help topic contains separate sections for different parts of the screen. To view the information for a section, click on the section heading.
  • Cisco ROUTER-SDM-CD | User Guide - Page 693
    Policy Selection Reference Table 29-6 Policy Selection Area Element View Policy on interface In Direction Go Associate Policy Name Description Choose read-only QoS class is selected.
  • Cisco ROUTER-SDM-CD | User Guide - Page 694
    Area Description If this icon appears next to the QoS class, it is read-only, and it cannot be edited, deleted, or moved to another position in the class list. The name of the QoS class. Cisco SDM predefines names for QoS classes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 695
    Table 29-8 Class List Display Area (continued) Element Match Classification Action Description Whether the QoS class looks for matches new QoS policy in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 696
    well as protocol and ACL values. This column displays the values configured for the particular type, separated by commas. For example, the Protocol Service Policy to Class In this screen, add an existing service policy to a QoS class.
  • Cisco ROUTER-SDM-CD | User Guide - Page 697
    29-11 Field Reference Element Interface Description This column lists the router interfaces. To choose an interface to which you want to associate the QoS policy, check the box next to the interface name. Inbound Outbound Note If you select the interface Cisco SDM uses to communicate with the
  • Cisco ROUTER-SDM-CD | User Guide - Page 698
    There are several configuration parameters that you cannot set for class-default: • Classification box-You cannot specify classification criteria. • Action box-You cannot specify that traffic be dropped. Additionally, you can only specify that Fair Queuing be used.
  • Cisco ROUTER-SDM-CD | User Guide - Page 699
    Table 29-12 Add or Edit a QoS Class (continued) Element Classification Description Choose the types of items and values that you want the router to you are editing a QoS class.
  • Cisco ROUTER-SDM-CD | User Guide - Page 700
    Table 29-12 Element Action Add or Edit a QoS Class (continued) Description Choose the action that the router is to take when it finds the bottom double-arrowhead button.
  • Cisco ROUTER-SDM-CD | User Guide - Page 701
    Edit Match Protocol Values To add a Configure Policing In this screen, configure policing for a QoS policy. Field Reference Table 29-13 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 702
    Table 29-13 Configure Policing Element Description Specify the access rate parameters for DSCP markings. Configure Shaping In this screen, configure shaping for a QoS policy.
  • Cisco ROUTER-SDM-CD | User Guide - Page 703
    Field Reference Table 29-14 describes the fields in this screen. Table 29-14 Configure Shaping Element Committed Information Rate (CIR) Normal Burst Size (BC) Excess Burst Size (BE) Description
  • Cisco ROUTER-SDM-CD | User Guide - Page 704
    Table 29-15 Configure Queuing Fields Element LLQ Chosen Priority Percentage CBWFQ Chosen Bandwidth Bandwidth Remaining Random Detect Fair Queue Chosen Queue Limit Random Detect Description click Random Detect.
  • Cisco ROUTER-SDM-CD | User Guide - Page 705
    on NAC, click the following links: • http://www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html • http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_ choosing it in the policy list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 706
    be a Cisco Secure Access Control Server (ACS) using the RADIUS protocol. Cisco Secure Access Control Server software version 3.3 is required. See the links after these steps to learn more about installing and configuring ACS.
  • Cisco ROUTER-SDM-CD | User Guide - Page 707
    control policies are configured on these servers, and the router contacts them when a network host attempts to access the network. You can specify information for multiple servers. NAC policy servers use the RADIUS protocol.
  • Cisco ROUTER-SDM-CD | User Guide - Page 708
    about an interface, choose the interface and click the Details button. The source IP address in the RADIUS packets sent from the router must be configured as the NAD IP address in the Cisco ACS version 3.3 or later.
  • Cisco ROUTER-SDM-CD | User Guide - Page 709
    client source. Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and the connection between the router and a RADIUS server.
  • Cisco ROUTER-SDM-CD | User Guide - Page 710
    interface. If an inbound ACL is already present on the interface, Cisco SDM uses that ACL for NAC by adding appropriate permit statements for EAPoUDP configuration on the network. After you have done so, you can modify the
  • Cisco ROUTER-SDM-CD | User Guide - Page 711
    router to use Strict Validation, by changing the ACL applied to the interface to deny ip any any using the Cisco SDM are using the NAC wizard and you do not need to configure a NAC exception list, you can click Next without entering
  • Cisco ROUTER-SDM-CD | User Guide - Page 712
    if you want to identify the host by its MAC address. • Cisco IP Phone-Choose this if you want to include the Cisco IP phones on the network in the exception list. Specify Address Field the attempt to access the network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 713
    information might contain instructions for downloading virus definition files. A remediation URL might look like the following: http://172.23.44.9/update Redirect URLs are usually of the form http://URL, or https://URL.
  • Cisco ROUTER-SDM-CD | User Guide - Page 714
    you want Cisco SDM to modify the ACL to allow Cisco SDM traffic from a single host, choose Host Address and enter the IP address of a host. Choose Network Address and enter the address of a network and a subnet mask to allow
  • Cisco ROUTER-SDM-CD | User Guide - Page 715
    Modify Details Window This window displays the entries that Cisco SDM will add to ACLs to allow services needed for the service you are configuring. The window might contain an entry like the following: permit .158.1
  • Cisco ROUTER-SDM-CD | User Guide - Page 716
    review it in a single window. You can use the Back button to return to any wizard screen to change information. Click Finish to deliver the configuration to the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 717
    information. Default values for EAPoUDP timeout settings are preconfigured, but you can change the settings. This button is disabled if there is no NAC policy configured on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 718
    to configure. Exception List Window This placeholder topic will be removed when the help system for NAC is built. This help topic has already been written for wizard mode. To view it, click the following link: NAC Exception List
  • Cisco ROUTER-SDM-CD | User Guide - Page 719
    Source any Destination Service Log 172.30 Configure the timeout values the router is to use for EAPoUDP communication with network hosts. The default, minimum, and maximum values for all settings are shown in the following table.
  • Cisco ROUTER-SDM-CD | User Guide - Page 720
    Query Timeout Field Enter the number of seconds that the router should wait between queries to the posture agent on the host. Reset to Defaults Button Click this button to reset all NAC timeouts to their default values.
  • Cisco ROUTER-SDM-CD | User Guide - Page 721
    values apply to all interfaces. Configure a NAC Policy A NAC policy enables the posture validation process on a router interface, and can be used permit statement ending the ACL ensures that posture validation occurs.
  • Cisco ROUTER-SDM-CD | User Guide - Page 722
    Install and Configure a Posture Agent on a Host? If you are a registered Cisco.com user, you can download Cisco Trust Agent (CTA) software from the following link: http://www.cisco.com/cgi for complete details.
  • Cisco ROUTER-SDM-CD | User Guide - Page 723
    the following fields. Host Enter the name you want to give the router in this field. Domain Enter the domain name for your organization. If you do not know the domain name, obtain it from your network administrator.
  • Cisco ROUTER-SDM-CD | User Guide - Page 724
    Cisco Router and Security Device Manager (Cisco SDM) supports the enable secret password. The enable secret password allows you to control who is able to enter configuration commands on this router settings on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 725
    field can contain the following values: • NTP - The router receives time information from an NTP server. • User Configuration - The time and date values are set manually, using Cisco SDM or the CLI. • No time source - The router is not configured with time or date settings. Change Settings Click
  • Cisco ROUTER-SDM-CD | User Guide - Page 726
    Note You must make the Time Zone and Daylight Savings settings on the PC before starting Cisco SDM so that Cisco SDM will receive the correct settings when you click Synchronize. Edit Date and Time Use this area to set the date and time manually. You can
  • Cisco ROUTER-SDM-CD | User Guide - Page 727
    configuration. Add or Edit NTP Server Details Add or edit NTP server information in this window. IP Address Enter or edit the IP address of an NTP server. Prefer Click this box if this is to be the preferred NTP server.
  • Cisco ROUTER-SDM-CD | User Guide - Page 728
    is a less complex version of Network Time Protocol (NTP). NTP allows routers on your network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single
  • Cisco ROUTER-SDM-CD | User Guide - Page 729
    Cisco SDM will add statements to permit port 123 traffic on this interface. If the existing rule was a standard access rule, Cisco SDM changes it to an extended rule in order to be able to specify traffic type and destination.
  • Cisco ROUTER-SDM-CD | User Guide - Page 730
    of the level you choose plus all messages of lower levels, or the router sends all messages of the level you choose plus all messages of lower levels to the logging hosts. For example, if you choose notifications (5),
  • Cisco ROUTER-SDM-CD | User Guide - Page 731
    all of the configured community strings and their types. Use the Add button to display the Add a Community String dialog box and create new community strings. Click the Edit or Delete buttons to edit or delete the community string you chose in the table.
  • Cisco ROUTER-SDM-CD | User Guide - Page 732
    top talkers. Enable Top Talkers Check the Enable Top Talkers check box to enable monitoring of the top talkers on the interfaces that have Netflow configured.
  • Cisco ROUTER-SDM-CD | User Guide - Page 733
    that will enable users to authenticate themselves when logging in to the router using HTTP, Telnet, PPP, or some other means. Username User account name. Password User account password, displayed as asterisks (*).
  • Cisco ROUTER-SDM-CD | User Guide - Page 734
    same as the enable secret password configured in the Device Properties-Password tab. The user password enables the specified user to log in to the router and enter a limited set of in the fields provided in this window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 735
    edited account information appears in the Configure User Accounts for Telnet window. router access. It may not be visible if you are working in a different area of Cisco SDM Router Access node of the Additional Tasks tree.
  • Cisco ROUTER-SDM-CD | User Guide - Page 736
    -A user associated with the view type SDM_Monitor can monitor all features supported by Cisco SDM. The user is not able to deliver configurations using Cisco SDM. The user is able to navigate the various areas of Cisco SDM, such as Interfaces and Connections, Firewall, and VPN. However, the user
  • Cisco ROUTER-SDM-CD | User Guide - Page 737
    AAA is configured on the router. Note To use SSH as an input or output protocol, you must enable it by clicking SSH in the Additional Tasks tree and generating an RSA key. Edit vty Lines This window lets you edit virtual terminal (vty) settings on your router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 738
    check boxes. Telnet Check Box Check to enable Telnet access to your router. SSH Check Box Check to enable the router to communicate with SSH clients. You can associate access rules to filter and browse for the access rule.
  • Cisco ROUTER-SDM-CD | User Guide - Page 739
    policy that you want to use for this vty line. Configure Management Access Policies Use this window to review existing management access Interface The router interface over which management traffic will flow.
  • Cisco ROUTER-SDM-CD | User Guide - Page 740
    the router. The following protocols can be configured: • Cisco SDM-Specified hosts can use Cisco SDM. • Telnet-Specified hosts can use Telnet to access the router CLI. a Management Policy window to the router configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 741
    or network to access Cisco SDM. When you check this box, the following protocols are automatically checked: Telnet, SSH, HTTP, HTTPS, and RCP. Checking this option does not prevent you from allowing additional protocols.
  • Cisco ROUTER-SDM-CD | User Guide - Page 742
    Cisco SDM will advise you to enable those protocols when they are specified in this window. Note The options Allow secure protocols only and HTTPS are disabled if the Cisco IOS release on the router does not support router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 743
    order to make Cisco SDM on this router accessible. You cannot navigate to other features or deliver commands to the router until you configure a management access policy to allow access to Cisco SDM for a host or network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 744
    key configured for the device. If there is no key configured, you can enter a modulus size and generate a key. RSA key is set on this router Appears if a cryptographic key was generated. SSH is enabled on this router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 745
    about the pool identified in name: • DHCP Pool Range-Range of IP addresses that can be granted to clients. • Default Router IP Address-If the router has an IP address in the same subnet as the DHCP pool, it is shown here.
  • Cisco ROUTER-SDM-CD | User Guide - Page 746
    the domain name, and the default router can also be configured in the DHCP pool. Choose this router, Cisco SDM shows this pool as read-only. If a pool contains a discontinuous range of IP addresses, it also is shown as read-only.
  • Cisco ROUTER-SDM-CD | User Guide - Page 747
    DHCP Configuration Add or Edit DHCP Pool Add or edit a DHCP pool in this window. You cannot edit Cisco SDM-default 255.255.255.0 provides 255 IP addresses. DHCP Pool Enter the starting and ending IP addresses in the range. For example, if the network is 192.168
  • Cisco ROUTER-SDM-CD | User Guide - Page 748
    they request IP addresses. DHCP Bindings This window shows existing manual DHCP bindings. A manual DHCP binding allows you to allocate the same IP address > Client has a client identifier.
  • Cisco ROUTER-SDM-CD | User Guide - Page 749
    mask used for the host IP address. Identifier From the drop-down menu, choose a method for identifying the client with a MAC address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 750
    of the DNS servers that you want the router to send DNS requests to. Click the Add, Edit, or Delete buttons to administer DNS IP address information. Dynamic DNS Methods This window shows a list of dynamic DNS methods.
  • Cisco ROUTER-SDM-CD | User Guide - Page 751
    or edit a dynamic DNS method. Set the type of method by choosing HTTP or IETF. HTTP HTTP is a dynamic DNS method type that updates a DNS service provider with changes to the associated interface's IP address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 752
    DNS service provider. IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface's IP address. If using IETF, configure a DNS server for the router in Configure > Additional Tasks > DNS.
  • Cisco ROUTER-SDM-CD | User Guide - Page 753
    allows you to view rules that were not created using Cisco SDM, called external rules, and rules with syntax that Cisco SDM does not support, called unsupported rules. Use the Rules screen to view a summary of the rules in the router's configuration and to navigate to other windows to create, edit
  • Cisco ROUTER-SDM-CD | User Guide - Page 754
    Cisco SDM wizards and that you can apply in the Additional Tasks>ACL Editor windows. No. of Rules The number of rules of this type. Description A description of the rule if one has been entered. To configure tasks.
  • Cisco ROUTER-SDM-CD | User Guide - Page 755
    Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? • How Do I Configure NAT Passthrough for a Firewall? • How Do I Permit Traffic Through a Firewall to My Easy VPN permitted or denied.
  • Cisco ROUTER-SDM-CD | User Guide - Page 756
    for admission control. The upper portion of the screen lists the access rules that have been configured on this router. This list does not contain Cisco SDM default rules. To view Cisco SDM default rules, click the SDM Default Rules branch of the Rules tree. The lower portion of the window lists the
  • Cisco ROUTER-SDM-CD | User Guide - Page 757
    because they must be able to specify a service type. Externally defined and unsupported rules may be either standard or extended. Description A description of the rule, if one has been entered of a specific type of rule.
  • Cisco ROUTER-SDM-CD | User Guide - Page 758
    multiple services between the same end points must contain an entry for each service. This field can contain other information about this entry, such as whether logging has been enabled. A short description of the entry.
  • Cisco ROUTER-SDM-CD | User Guide - Page 759
    Delete a rule that has been associated with an interface Cisco SDM does not permit you to delete a rule that has, reorder, or delete rule entries, and add or change the description of the rule. Name/Number Add or edit the name or
  • Cisco ROUTER-SDM-CD | User Guide - Page 760
    router examine the source host or network, the destination host or network, and the type of traffic that the packet contains. Description You can provide a description of the rule in this field. The description interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 761
    lists: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml The following link contains procedures that you may want to consult: Useful Procedures for Access Rules and Firewalls
  • Cisco ROUTER-SDM-CD | User Guide - Page 762
    to the rule that is already applied to the interface, or by disassociating the rule from the interface and associating the new rule.
  • Cisco ROUTER-SDM-CD | User Guide - Page 763
    rule entry in this window, but you can return to this window to create additional entries for a rule if you need to.
  • Cisco ROUTER-SDM-CD | User Guide - Page 764
    you must append explicit permit entries to the rule you are configuring. Action Select the action you want the router to take when a packet matches the criteria in the rule entry. address that must be matched.
  • Cisco ROUTER-SDM-CD | User Guide - Page 765
    you are configuring. Select the action you want the router to take when a packet matches the criteria in the rule entry. The choices are Permit and Deny. If you are creating an entry for an IPSec rule, the choices are protect the traffic and don't protect the traffic.
  • Cisco ROUTER-SDM-CD | User Guide - Page 766
    What Permit and Deny do depends on the type of rule in which they are used. In Cisco SDM, extended rule entries can be used in access rules, NAT rules, IPSec rules, and access lists, based on the value of the Type field.
  • Cisco ROUTER-SDM-CD | User Guide - Page 767
    to use this field, leave it set to = any. Destination Port Available when either TCP or UDP is selected. Setting this field will cause the router to filter on the destination port in a packet.
  • Cisco ROUTER-SDM-CD | User Guide - Page 768
    through 255. See Services and Ports to see a table containing port names and numbers available in Cisco SDM. Log Matches Against This Entry If you have configured logging for firewall messages to select a rule to use.
  • Cisco ROUTER-SDM-CD | User Guide - Page 769
    . Or, if the rule has been used by NAT, this column contains the value NAT. Description A description of the rule. This area of the screen displays the entries of the selected rule. Action any IP address • A host name.
  • Cisco ROUTER-SDM-CD | User Guide - Page 770
    . This is shown by displaying the service, such as echo-reply, followed by the protocol, such as ICMP. A rule permitting or denying multiple services between the same endpoints must contain an entry for each service.
  • Cisco ROUTER-SDM-CD | User Guide - Page 771
    enables Context-Based Access Control (CBAC) supported services to run on nonstandard ports. Previously, CBAC and services. Port-to-Application Mappings This window displays the port-to-application mappings configured on the router and
  • Cisco ROUTER-SDM-CD | User Guide - Page 772
    under the File Transfer protocol type. Port Type Column This list appears if the router is running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP ACL that you saw in this window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 773
    . Description Field This field appears if the router is running a Cisco IOS router is running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic, you can enter multiple port
  • Cisco ROUTER-SDM-CD | User Guide - Page 774
    you can enter a single port number. Host of Service Field Specify the IP address of the host to which this port mapping is to apply. If you need the same mapping for another host, create a separate PAM entry for that host.
  • Cisco ROUTER-SDM-CD | User Guide - Page 775
    For a good description of how Zone-Based Policy Firewall can be implemented, read The Zone-Based Policy Firewall Design Guide available on cisco.com by going to Support > Product Support > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Configure > Feature Guides and clicking Zone
  • Cisco ROUTER-SDM-CD | User Guide - Page 776
    a zone-pair until you have configured the policy. If you try to complete a task that relies on another portion of the configuration that you have not configured, SDM does not allow you to do a zone pair cannot be deleted.
  • Cisco ROUTER-SDM-CD | User Guide - Page 777
    dialog, SDM does not create any passthrough ACL to permit such traffic. You can configure the necessary passthrough for the policy map two ways. - Go to Configure > be configured before interfaces can be assigned to the zone.
  • Cisco ROUTER-SDM-CD | User Guide - Page 778
    policy can be configured to restrict such traffic. This set of rules was taken from The Zone-Based Policy Firewall Design Guide available at the following link: http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.html
  • Cisco ROUTER-SDM-CD | User Guide - Page 779
    to determine which traffic can be sent across the zones. The source zone and destination zone lists contain the zones configured on the router and the self zone. The self zone can be used when you are configuring zone pairs
  • Cisco ROUTER-SDM-CD | User Guide - Page 780
    to Configure > C3PL > Policy Map > Protocol Inspection. Provide a protocol inspection policy map that will allow the necessary traffic to pass through the firewall. Zone Name Enter the name of the zone that you want to add.
  • Cisco ROUTER-SDM-CD | User Guide - Page 781
    zone has been configured on the router, you can add the interface that you are configuring as a member of that zone. Select a Zone for the Interface Select the zone that you want to include the interface in, and click OK.
  • Cisco ROUTER-SDM-CD | User Guide - Page 782
    Zone Pairs Chapter 34 Zone-Based Policy Firewall
  • Cisco ROUTER-SDM-CD | User Guide - Page 783
    Dialin User Service (RADIUS), and the Terminal Access Controller Access Control System Plus (TACACS+) authentication methods. This chapter contains the following sections: • Configuring AAA • AAA Screen Reference
  • Cisco ROUTER-SDM-CD | User Guide - Page 784
    it. AAA Screen Reference The topics in this section describe the AAA configuration screens: • AAA Root Screen • AAA Servers and Server Groups • AAA Servers • Add or Edit a TACACS+ Server • Add or Edit a RADIUS Server
  • Cisco ROUTER-SDM-CD | User Guide - Page 785
    Servers and Groups Description If AAA is enabled, the button name is Disable AAA. If AAA is disabled, the button name is Enable AAA. AAA is enabled by default. If you click Disable AAA, Cisco SDM displays a message telling you that it will make configuration changes to ensure that the router can be
  • Cisco ROUTER-SDM-CD | User Guide - Page 786
    This window provides a description of AAA servers and AAA router is configured to use. The IP address, server type, and other parameters are displayed for each server. Field Reference Table 35-2 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 787
    Table 35-2 AAA Servers Fields. Elements: Global Settings, Add, Edit, Delete, Server IP, Parameters. Global Settings: Click Global Settings to make global settings for TACACS+ and RADIUS servers. Table 35-3 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 788
    use the value configured in the AAA Servers Global Settings window. • New Key/Confirm Key-Enter the key and reenter it for confirmation. Add or Edit a RADIUS Server Add or edit information for a RADIUS server in this window.
  • Cisco ROUTER-SDM-CD | User Guide - Page 789
    Fields. Elements: Server IP or Host, Authorization Port, Accounting Port, Timeout in seconds, Configure Key. Server IP or Host: Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address. Specify the server port to use
  • Cisco ROUTER-SDM-CD | User Guide - Page 790
    Key Select the source interface Description Click the appropriate button to configured on this router. If no AAA servers have been configured, this window is empty. Field Reference Table 35-6 describes the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 791
    Server Groups Fields. Elements: Add, Edit, Delete, Group Name, Type, Group Members. Add: Click the Add button to create a RADIUS server group. After you ... Fields. Group Name: Enter a name for the group.
  • Cisco ROUTER-SDM-CD | User Guide - Page 792
    Server Group Fields Description Select the Server type, either RADIUS, or TACACS+. Note This field may be protected and set to a specific type, depending on the configuration that you are method lists from these windows.
  • Cisco ROUTER-SDM-CD | User Guide - Page 793
    Authorization Fields Description Use these configured on the router. You can specify additional method lists in this window if you want the router to attempt the methods that you enter before resorting to the default method list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 794
    Description configured are kept empty. Authentication 802.1x The Authentication 802.1x window displays the method lists configured for 802.1x authentication. Note You cannot specify additional method lists for 802.1x configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 795
    the fields in this screen. 802.1x Authentication Fields Description Use these buttons to create, edit, and remove an 802.1x configuration, the list name "default" is displayed in this column. The method that the router will attempt first
  • Cisco ROUTER-SDM-CD | User Guide - Page 796
    PASS or a FAIL response. Click Add to add a method to the list. If there are no configured server groups to add, you can configure a server group in the window displayed. Click this button to delete a method from the list.
  • Cisco ROUTER-SDM-CD | User Guide - Page 797
    List for Authentication or Authorization Fields. Elements: Move Up, Move Down, Enable Password Aging. Move Up/Move Down: The router attempts the methods in the order they are listed in this window. Click Move ... enter a new password.
  • Cisco ROUTER-SDM-CD | User Guide - Page 798
    AAA Screen Reference Chapter 35 Authentication, Authorization, and Accounting
  • Cisco ROUTER-SDM-CD | User Guide - Page 799
    de09186a008028afbd.html#wp1043332 Note If the Launch SDP button is absent, your router's Cisco IOS release does not support SDP. If the Launch SDP button is disabled, you are logged in to Cisco SDM as a nonroot view user.
  • Cisco ROUTER-SDM-CD | User Guide - Page 800
    SDP Troubleshooting Tips Use this information before enrolling using Secure Device Provisioning (SDP) to prepare the connection between the router and the certificate server. If you experience problems enrolling, you can review these tasks to determine where the problem is.
  • Cisco ROUTER-SDM-CD | User Guide - Page 801
    WAN connection. • When you complete the configuration changes in SDP, you must return to Cisco SDM and click Refresh on the toolbar to view the status of the trustpoint in the Router Certificates window in the VPN Components tree. Troubleshooting Tips These recommendations involve preparations on
  • Cisco ROUTER-SDM-CD | User Guide - Page 802
    SDP Troubleshooting Tips Chapter 36 Router Provisioning
  • Cisco ROUTER-SDM-CD | User Guide - Page 803
    feature-specific configuration commands. C3PL allows you to create traffic policies based on events, conditions, and actions. Cisco Router and Security Device Manager (Cisco SDM) uses you view information and make changes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 804
    column. The following table shows detail for an IM policy map. The router blocks AOL traffic, but allows all other types of IM traffic.
    Match Class Name | Action | Log
    aol-cmap | Disabled | Disabled
    class-default | Enabled | Disabled
  • Cisco ROUTER-SDM-CD | User Guide - Page 805
    as you add or edit a QoS policy map. Policy Name and Description If you are creating a new policy map, enter a name and a description for it in these fields. If you are editing a policy map, the fields in this screen.
  • Cisco ROUTER-SDM-CD | User Guide - Page 806
    not configured. The Shaping column indicates whether policing is configured for the class map or not. • Yes-Policing is configured. • No-Policing is not configured. The Set DSCP column lists the DSCP markings used in the class map.
  • Cisco ROUTER-SDM-CD | User Guide - Page 807
    map, and the action that the router will take for the traffic that the class map describes. Click Add to add a new class map to the list and configure the action. Click Edit to modify Map • Add or Edit a SUNRPC Class Map
  • Cisco ROUTER-SDM-CD | User Guide - Page 808
    address and on source and destination port. • Protocol-The Layer 4 protocols (TCP, UDP, and ICMP) and application services such as HTTP, SMTP, DNS, etc. Any well-known or user-defined service known to PAM may be specified.
  • Cisco ROUTER-SDM-CD | User Guide - Page 809
    UDP timeouts and session control parameters. You can select an existing parameter map. If no parameter map is configured, this field is disabled. Click View to display the selected parameter map without leaving this dialog.
  • Cisco ROUTER-SDM-CD | User Guide - Page 810
    select an existing application inspection policy. If no application inspection policy is configured, this field is disabled. Click View to display the selected application inspection voice signaling protocols to be matched.
  • Cisco ROUTER-SDM-CD | User Guide - Page 811
    Service configured class maps, and the bottom part displays the details for the selected class map. To edit a class map or see more detail, click Edit to display a dialog that lets you view information and make changes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 812
    -3 Description FTP and HTTP QoS class map Test Inspection, HTTP, SMTP, SUN RPC, IMAP and POP3 Class Maps These types of class maps have a Class Map Name and a Used By column. A sample table for HTTP follows.
    Class Map Name | Used By
    http-rqst | pmap-5
    http-rsp-body | pmap-5
  • Cisco ROUTER-SDM-CD | User Guide - Page 813
    configured for a specific application, such as the Yahoo! Messenger instant messaging application or the gnutella P2P application. The following table shows sample data for P2P application service or Edit an SMTP Class Map
  • Cisco ROUTER-SDM-CD | User Guide - Page 814
    Enter a name to identify this class map in the Class Name field. You can also enter a description. If you are editing a class map, you cannot change the name. When you have specified the associate with the class map.
  • Cisco ROUTER-SDM-CD | User Guide - Page 815
    class name to identify the class map. You can also enter a description that will be displayed in the HTTP Class Maps window. Click the specify the type of data you want to include. Configure the class map data in the fields displayed.
  • Cisco ROUTER-SDM-CD | User Guide - Page 816
    the map in the Select an existing map list, and click View. Field Name and Configuration Options You can include fields within the header to the inspection criteria and specify length, count Edit Regular Expression for more
  • Cisco ROUTER-SDM-CD | User Guide - Page 817
    Chapter 37 Cisco Common Classification Policy Language Class Maps information about creating regular expressions. To examine in a request, and inspect for strings that match regular expressions that you have configured.
  • Cisco ROUTER-SDM-CD | User Guide - Page 818
    Length greater than Click this box to specify the number of bytes to specify a URI length that a packet should not exceed, and enter the number of bytes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 819
    dialog, choose it in the Select an existing map list, and click View. Sample Use Case Configure an HTTP class map to block a request whose URI matches any of the following regular expressions Regular Expression for more
  • Cisco ROUTER-SDM-CD | User Guide - Page 820
    information on how to create regular expressions. To examine a transfer-encoding field, you can inspect for various types of compression and encoding.
  • Cisco ROUTER-SDM-CD | User Guide - Page 821
    create a new one that will match the strings you are inspecting for. Sample Use Case Configure the router to log an alarm whenever an attempt is made to access a forbidden page. A [Hh][Tt][Tt][Pp][/][0-9][.][0-9][ \t]+403
  • Cisco ROUTER-SDM-CD | User Guide - Page 822
    Logging is specified in the policy map to which the HTTP class to specify a field length that a packet should not exceed, and enter the number of bytes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 823
    want the class map to match the field type that you chose. Request/Response Body The router can inspect for request/response body length and specific text strings inside the body of the than (
  • Cisco ROUTER-SDM-CD | User Guide - Page 824
    map in the Class Name field. You can also enter a description in the field provided. In the Maximum data transfer allowed in a session field, enter the maximum number of bytes the router should allow for an SMTP session.
  • Cisco ROUTER-SDM-CD | User Guide - Page 825
    whose traffic you want the router to inspect. Enter a name to identify this class map in the Class Name field. You can also enter a description. If you are editing of P2P services: • eDonkey • fasttrack • gnutella • kazaa2
  • Cisco ROUTER-SDM-CD | User Guide - Page 826
    also enter a description. If you are editing a class map, you cannot change the name. Click Login string in clear text to have the router inspect POP3 traffic for nonsecure logins. Click Invalid protocol command to have the router inspect POP3 traffic for invalid commands.
  • Cisco ROUTER-SDM-CD | User Guide - Page 827
    Parameter Maps Parameter Maps specify inspection behavior for Zone-Policy Firewall, for parameters such as denial-of-service configured parameter maps. Cisco SDM informs you if
  • Cisco ROUTER-SDM-CD | User Guide - Page 828
    addresses assigned to a group of servers. You can enter a hostname in the Name field if the router is able to contact a DNS server on the network to resolve the server's IP address. To enter , the name field is read only.
  • Cisco ROUTER-SDM-CD | User Guide - Page 829
    Regular Expression dialog, which can assist you in constructing a regular expression. If you click Guide, any text that you entered in the Pattern field appears in the Regular Expression field of the Build Regular Expression dialog.
  • Cisco ROUTER-SDM-CD | User Guide - Page 830
    the beginning of the regular expression. • Specify Character String-Enter a text string manually. - Character String-Enter a text string. - Escape Special Characters-If you entered set. Sets include: [0-9A-Za-z] [0-9] [A-Z]
  • Cisco ROUTER-SDM-CD | User Guide - Page 831
    expression is "test me," and you select "me" and apply One or more times, then the regular expression changes to "test (me)+".
  • Cisco ROUTER-SDM-CD | User Guide - Page 832
    Metacharacters The following table lists the metacharacters that have special meanings.
    Character: .  Description: Dot  Notes: Matches any single character.
    Character: (exp)  Description: Subexpression
    Character: |  Description: Alternation  Notes: dog|cat matches dog or cat.
  • Cisco ROUTER-SDM-CD | User Guide - Page 833
    Character: ?  Description: Question mark
    Character: *  Description: Asterisk
    Character: +  Description: Plus
    Character: {x}  Description: Repeat quantifier
    Character: {x,}  ... character. For example, \[ matches the left square bracket.
  • Cisco ROUTER-SDM-CD | User Guide - Page 834
    Character: char  Description: Character
    Character: \r  Description: Carriage return
    Character: \n  Description: Newline
    Character: \t  Description: Tab
    Character: \f  Description: Formfeed
    Character: \xNN  Description: Escaped ... example, the character 040 represents a space.
  • Cisco ROUTER-SDM-CD | User Guide - Page 835
    . URL filtering is enabled by configuring an Application Security policy that enables it. Even if no Application Security policy is configured on the router, you can still maintain a local click URL Filtering Precedence.
  • Cisco ROUTER-SDM-CD | User Guide - Page 836
    . See the introductory information in URL Filtering for a description of the URL filtering features that Cisco SDM provides. Edit Global Settings Edit URL filtering global settings . This option is disabled by default.
  • Cisco ROUTER-SDM-CD | User Guide - Page 837
    what the router is to do when it detects a match, and configure log and cache size parameters. You can also specify a source interface if you do not want the URL filtering parameter map to apply to all router interfaces.
  • Cisco ROUTER-SDM-CD | User Guide - Page 838
    URL Filtering URL Filter Name Enter a name that will convey how this URL filter is configured or used. For example, if you specify a source interface of Fast Ethernet 1, you 2147483647. The cache is cleared every 12 hours.
  • Cisco ROUTER-SDM-CD | User Guide - Page 839
    you can maintain one local URL list on the router. This list is used by all Application Security policies in which URL filtering is enabled. Cisco IOS images of release 12.4(9)T and later support all the ZPF features that SDM supports. In a ZPF configuration, a local URL list can be created for each
  • Cisco ROUTER-SDM-CD | User Guide - Page 840
    the URL filtering servers that the router is configured to use. If you enter a partial domain name, such as .somedomain.com, all requests that end with that string, such as servers that the router is configured to use.
  • Cisco ROUTER-SDM-CD | User Guide - Page 841
    allow you to add a server to the list if it is of a different type. For example, if a URL filter server list containing Websense servers is configured on the router, you
  • Cisco ROUTER-SDM-CD | User Guide - Page 842
    Count Optional field. Enter the number of times that you want the router to attempt to retransmit the request if no response arrives from the server. The default value is 2 times. This field accepts values from 1 to 10.
  • Cisco ROUTER-SDM-CD | User Guide - Page 843
    one URL filter server list can be configured on the router. All configured Application Security policies use the same URL router does not perform URL filtering unless URL filtering is enabled in an Application Security policy.
  • Cisco ROUTER-SDM-CD | User Guide - Page 844
    URL Filtering Window Chapter 38 URL Filtering
  • Cisco ROUTER-SDM-CD | User Guide - Page 845
    in this area of Cisco SDM. Manually Editing the Configuration File Cisco SDM allows you to edit the router configuration file by providing a configuration editor that you can use to import a configuration file or use to enter Cisco IOS CLI commands directly. Cisco SDM supports the most widely-used
  • Cisco ROUTER-SDM-CD | User Guide - Page 846
    want to merge changes that you have made in the Edit Configuration box with the router running config, click Merge with Running Config. The changes are sent to the router and take effect as soon as the router receives them.
  • Cisco ROUTER-SDM-CD | User Guide - Page 847
    is not supported when you are running a copy of Cisco SDM installed on the PC. Before you start, you should understand how to give your PC a static IP address in the 10.10.10.0 subnet so that you will be able to reconnect to the router after you reset it. The factory configuration does not
  • Cisco ROUTER-SDM-CD | User Guide - Page 848
    restricting it to the LAN interface, and only from the internal subnet defined on that interface. After you access the router, you can change the router obtain a dynamic IP address. For a static
  • Cisco ROUTER-SDM-CD | User Guide - Page 849
    the subnet 255.255.255.248. Click OK. To Reset the Router to Factory Defaults: Leave Save Running Config to PC checked in Step 1 on screen, and specify a name for the configuration file. Cisco SDM provides a default path and name. You don't have to change it
  • Cisco ROUTER-SDM-CD | User Guide - Page 850
    appears when a Cisco SDM feature is not supported. This may be because the router is running a Cisco IOS image that does not support the feature, or because Cisco SDM is being run on a PC and cannot support the feature.
  • Cisco ROUTER-SDM-CD | User Guide - Page 851
    : • Network number • Optional subnetwork number • A host number Note Cisco SDM does not support IP version 6. Cisco SDM requires you to enter IP addresses in dotted-decimal format. This format is shown in the following figure.
  • Cisco ROUTER-SDM-CD | User Guide - Page 852
    in the bits field. When you enter or select a value in one field, Cisco SDM automatically adjusts the other. Cisco SDM displays a warning window if you enter a decimal mask that results in binary zeros Subnet Mask field.
  • Cisco ROUTER-SDM-CD | User Guide - Page 853
    such as NAT and PAT, and they may be temporarily assigned using DHCP. You can use Cisco SDM to configure NAT, PAT and DHCP. Host and Network Fields This topic explains how to supply host or apply to any host or network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 854
    Interface • Dialer Interface associated with an ADSL or G.SHDSL configuration • Serial interface with a PPP or HDLC configuration • Serial subinterface with a Frame Relay configuration • Unsupported WAN interface
  • Cisco ROUTER-SDM-CD | User Guide - Page 855
    a common pool that you configure by specifying the starting IP address in the range and the ending address in the range. Cisco SDM configures the router to automatically exclude the LAN interface IP address from the pool.
  • Cisco ROUTER-SDM-CD | User Guide - Page 856
    lists services you can specify in rules, and their corresponding port numbers. It also provides a short description of each service. This topic is divided into the following areas: • TCP Services • UDP Services • ICMP Message Types
  • Cisco ROUTER-SDM-CD | User Guide - Page 857
    klogin kshell login • IP Services • Services That Can Be Specified in Inspection Rules Port Number Description 179 Border Gateway Protocol. BGP exchanges reachability network users. 544 Kerberos shell 513 Login
  • Cisco ROUTER-SDM-CD | User Guide - Page 858
    registration nameserver 42 IEN116 name service (obsolete) netbios-dgm 138 NetBios datagram service. Network Basic Input Output System. An API used by applications to request services from lower-level network processes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 859
    Services and Ports UDP Service Port Number Description netbios-ns 137 NetBios name service netbios-ss 139 NetBios session service ntp 123 Network Time NAT-traversal port floating is required.
  • Cisco ROUTER-SDM-CD | User Guide - Page 860
    destination router when packets are arriving too quickly to be processed. Sent to indicate the received packet's time-to-live field has reached zero. Reply to request for timestamp to be used for synchronization between two devices.
  • Cisco ROUTER-SDM-CD | User Guide - Page 861
    pcp pim Port Number Description 51 88 Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco. 50 Extended Services Processor. 1 Internet Control routing on existing IP networks.
  • Cisco ROUTER-SDM-CD | User Guide - Page 862
    to integrate telephony services and data services. A telephony protocol enabling telephony clients to be H.323 compliant. See smtp. Protocol for network enabled databases. StreamWorks protocol. Streaming video protocol.
  • Cisco ROUTER-SDM-CD | User Guide - Page 863
    udp vdolive Description See tcp may not be editable in Cisco SDM. Static Address Translation Scenarios router. If this is the only NAT rule for this network, 10.12.12.3 is the only address on the network that gets translated.
  • Cisco ROUTER-SDM-CD | User Guide - Page 864
    Mask Static 10.12.12.3 Leave blank Translate to... fields IP Address Redirect Port 172.17.4.8 UDP Original Port 137 Translated Port 139
  • Cisco ROUTER-SDM-CD | User Guide - Page 865
    the router. The port number in the Redirect port field is changed from 137 to 139. Return traffic carrying the destination address 172.17.4.8 and port 139 is routed to port number 137 of the host with the IP address 10.12.12.3.
  • Cisco ROUTER-SDM-CD | User Guide - Page 866
    associated with different hosts. The ACL rule you use to define the "Translate from" addresses is configured as shown below: access-list 7 deny host 10.10.10.1 access-list 7 permit 10.10 associated with different hosts.
  • Cisco ROUTER-SDM-CD | User Guide - Page 867
    Edit a NAT Rule A previously configured NAT rule will be read-only and will not be configurable when a NAT static rule is configured with any of the following: • The inside source static and destination Cisco IOS commands
  • Cisco ROUTER-SDM-CD | User Guide - Page 868
    dynamic rule is configured with the Loopback interface More About VPN These topics contain more information about VPN, DMVPN, IPSec and IKE. Cisco.com Resources The articles on IPSec • TAC-authored articles on Cisco SDM
  • Cisco ROUTER-SDM-CD | User Guide - Page 869
    IPSecurity Troubleshooting-Understanding and Using Debug Commands • Field Notices More about VPN Connections and IPSec Policies A VPN connection is an association between a router interface and peers: Topeka and Lawrence.
  • Cisco ROUTER-SDM-CD | User Guide - Page 870
    connections in this configuration, as both Dialer 3 and Serial 1/1 have connections to Seattle, Chicago, Topeka, and Lawrence. Cisco SDM would show the links to Topeka and Lawrence as one connection for both interfaces.
  • Cisco ROUTER-SDM-CD | User Guide - Page 871
    Key Exchange • IPSec Tunnel Negotiation and Configuration Authentication Authentication is arguably the most important private key could continue the negotiation. Note Cisco SDM supports the pre-shared key method of authentication.
  • Cisco ROUTER-SDM-CD | User Guide - Page 872
    and key exchange constitute phase 1 of an IKE negotiation. IPSec Tunnel Negotiation and Configuration After IKE has finished negotiating a secure method for exchanging information (phase 1), we peer's policy will be used.
  • Cisco ROUTER-SDM-CD | User Guide - Page 873
    Transform ah-md5-hmac ah-sha-hmac esp-des esp-3des esp-null esp-seal Description AH with the MD5 (HMAC variant) authentication algorithm. AH with the SHA (HMAC variant) Algorithm (SEAL) encryption algorithm.
  • Cisco ROUTER-SDM-CD | User Guide - Page 874
    is configured with the encapsulation hdlc and ip address negotiated commands. • The interface is part of a SERIAL_CSUDSU_56K WIC. • The interface is part of a Sync/Async WIC configured with the physical-layer async command.
  • Cisco ROUTER-SDM-CD | User Guide - Page 875
    . • The encapsulation on the PVC is neither "aal5mux," nor "aal5snap." • If the encapsulation protocol on aal5mux is not "ip." • If the IP Address is not configured on the PVC in the protocol ip command.
  • Cisco ROUTER-SDM-CD | User Guide - Page 876
    Ethernet LAN or WAN interface or will be read-only and will not be configurable in the following cases: • If the LAN interface has been configured as a DHCP server, and has been configured with an IP-helper address.
  • Cisco ROUTER-SDM-CD | User Guide - Page 877
    default route is not configured - ip local policy is removed - track /rtr or both is not configured - route-map is removed - Access-list is removed or access-list is modified (for example, tracking ip address is modified)
  • Cisco ROUTER-SDM-CD | User Guide - Page 878
    , the backup connection will be shown as read only: - The default route through the primary interface is removed - The backup interface default route is not configured - ip local policy is removed
  • Cisco ROUTER-SDM-CD | User Guide - Page 879
    -list is modified (for example, tracking ip address is modified) - The Cisco SDM-supported interfaces are configured with unsupported configurations - The primary interfaces are not supported by Cisco SDM Firewall Policy Use Case Scenario For information on firewall policy management, including
  • Cisco ROUTER-SDM-CD | User Guide - Page 880
    configure DMVPN routing information Cisco SDM Configuration Before configuring a spoke router, you should test connectivity to the hub by issuing the ping command. If the ping does not succeed, you must configure a route to the hub.
  • Cisco ROUTER-SDM-CD | User Guide - Page 881
    Papers A number of white papers are available that describe how Cisco SDM can be used. These white papers are available at the following link. http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/appnote/index.htm
  • Cisco ROUTER-SDM-CD | User Guide - Page 882
    Cisco SDM White Papers
  • Cisco ROUTER-SDM-CD | User Guide - Page 883
    SDM can help you test and troubleshoot it so that you can ensure that the configuration works. Cisco SDM also features a Monitor mode, which enables you to observe router performance and gather statistics associated with configurations that you have made on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 884
    .html • Easy VPN Enhancements- Cisco SDM supports the following Easy VPN enhancements: - Per-user AAA policy download with PKI. - Password aging. - Split DNS - Cisco Tunneling Control Protocol (cTCP).
  • Cisco ROUTER-SDM-CD | User Guide - Page 885
    name - Wi-Fi Multimedia (WMM) elements. • IPS user interface enhancements. • Secure Socket Layer VPN (SSL VPN) enhancements-Cisco SDM now supports: - URL Obfuscation - Automatic download of the Thin Client applet - Radius Accounting
  • Cisco ROUTER-SDM-CD | User Guide - Page 886
    IOS Versions Supported To determine which Cisco IOS versions Cisco SDM supports, go to the following URL: http://www.cisco.com/go/sdm In the Support section, click the General Information link, and then click Release Notes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 887
    Additional Tasks > Router Properties > Logging window. In addition, individual rules may need configuration so that they generate log events. For more information, see the help topic How Do I View Activity on My Firewall?
  • Cisco ROUTER-SDM-CD | User Guide - Page 888
    , if the router is running a Cisco IOS image that does not support security features, the Firewall Status, and VPN status sections do not appear on the screen. Launch Wireless Application Button If the router has radio interfaces, you can click this button to monitor and configure radio interfaces
  • Cisco ROUTER-SDM-CD | User Guide - Page 889
    Shows the available flash over the amount of flash installed on the router. Shows basic information about the interfaces installed on the router and their status. Note Only interface types supported by Cisco SDM are included in these statistics. Unsupported interfaces will not be counted. Total
  • Cisco ROUTER-SDM-CD | User Guide - Page 890
    Usage The percent of interface bandwidth being used. Description Available description for the interface. Cisco SDM may add descriptions such as $FW_OUTSIDE$ or $ETH_LAN$. Firewall Status Group Shows basic information about the router resources and contains the following fields: Number of
  • Cisco ROUTER-SDM-CD | User Guide - Page 891
    by the admissions control process. Log Group Shows basic information about the router resources and contains the following fields: Total Log Entries The total number of entries currently stored in the router log.
  • Cisco ROUTER-SDM-CD | User Guide - Page 892
    or stop monitoring the selected interface. The button label changes based on whether Cisco SDM is monitoring the interface or not. Test Connection Button Click to test the steps you need to take to correct the problem.
  • Cisco ROUTER-SDM-CD | User Guide - Page 893
    . • Packets flow-The number of packets in the flow for the chosen interface. This data item appears only if configured under Configure > Interfaces and Connections > Edit > Application Service for the chosen interface.
  • Cisco ROUTER-SDM-CD | User Guide - Page 894
    , for the chosen interface. This data item appears only if configured under Configure > Interfaces and Connections > Edit > Application Service for the chosen interface. Note If the router Cisco IOS image does not support Netflow, the flow counters will not be available. To view statistics
  • Cisco ROUTER-SDM-CD | User Guide - Page 895
    Cisco SDM will continue to poll data, replacing the oldest data points with the newest ones. Firewall Status This window displays the following statistics about the firewall configured on the router: • Number of Interfaces Configured
  • Cisco ROUTER-SDM-CD | User Guide - Page 896
    router. Zone-Based Policy Firewall Status If the router runs a Cisco IOS image that supports the Zone-Based Policy Firewall feature, you can display the status of the firewall activity for each zone pair configured on the router
  • Cisco ROUTER-SDM-CD | User Guide - Page 897
    displays a graph showing the cumulative number of allowed packets against the time interval chosen in the View Interval list. Data is collected on the traffic configured with the pass action in the Layer 4 policy map.
  • Cisco ROUTER-SDM-CD | User Guide - Page 898
    connections tree. IPSec Tunnels This group displays statistics about each IPSec VPN that is configured on the router. Each row in the table represents one IPSec VPN. The columns in the table to an error or hardware failure.
  • Cisco ROUTER-SDM-CD | User Guide - Page 899
    Click this button to refresh the IPSec Tunnel table and display the most current data from the router. Monitoring an IPSec Tunnel To monitor an IPSec tunnel, follow these steps: Step 1 Step 2 Select Item to Monitor.
  • Cisco ROUTER-SDM-CD | User Guide - Page 900
    Tunnel table. See Monitoring a DMVPN Tunnel. Update button Click this button to refresh the DMVPN Tunnel table and display the most current data from the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 901
    VPN Status Reset Button Click to reset statistics counters for the tunnel list. Number of about the selected group. • Group Name • Key • Pool Name • DNS Servers • WINS Servers
  • Cisco ROUTER-SDM-CD | User Guide - Page 902
    Inbound Packets • Status Update button Click this button to display the most current data from the router. Disconnect button • Choose a row in the table and click Disconnect to drop the connection with the client.
  • Cisco ROUTER-SDM-CD | User Guide - Page 903
    This group displays the following statistics about each active IKE security association configured on the router: • Source IP column The IP address of the peer originating the IKE SA the most current data from the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 904
    data for that context and data for the users who are configured for the context. System Resources The percentage of CPU and memory description of the data the tab displays. User Sessions URL Mangling Port Forwarding CIFS Full Tunnel
  • Cisco ROUTER-SDM-CD | User Guide - Page 905
    configured on the router, no data will be shown in the tab for that feature. Some statistics are collected anew each time the router gathered for the chosen context. For a description of the information displayed, click SSL VPN
  • Cisco ROUTER-SDM-CD | User Guide - Page 906
    and connections. For more information refer to the command reference available at the following link: http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a0080419245.html#wp1226849
  • Cisco ROUTER-SDM-CD | User Guide - Page 907
    chosen in the SSL VPN Components tree. Because there can be multiple group policies configured for the context, each using their own URL list and server lists, this screen window by choosing a user and clicking the Disconnect button.
  • Cisco ROUTER-SDM-CD | User Guide - Page 908
    user belongs. See Group Policy: Thin Client Tab for more information. • WINS Name Service list name-This value is configured for the group to which the user belongs. See Group Policy: Clientless Tab for more information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 909
    in Configure > Interfaces and Connections > Edit Interface/Connection, you can view Netflow statistics. Choose Top N Traffic Flows > Top Protocols or Top N Traffic Flows > Top Talkers (high-traffic sources) from the Traffic Status tree. Note If the router Cisco IOS image does not support Netflow
  • Cisco ROUTER-SDM-CD | User Guide - Page 910
    the source IP address. Note If Netflow top talkers is not enabled in Configure > Additional Tasks > Router Properties > NetFlow, then statistics for the top ten talkers are displayed. current information about the flows.
  • Cisco ROUTER-SDM-CD | User Guide - Page 911
    sent for interfaces with no QoS configuration. Monitoring inbound traffic on QoS • Bandwidth utilization for Cisco SDM defined traffic types - information if applicable, and available descriptions. Select the interface that you
  • Cisco ROUTER-SDM-CD | User Guide - Page 912
    Bandwidth • Bytes • Packets dropped All Traffic-Real-Time-Business-Critical-Trivial Cisco SDM displays statistics for all traffic classes in bar chart form, based on the Edit button. Click the Application Service tab.
  • Cisco ROUTER-SDM-CD | User Guide - Page 913
    the router Cisco IOS image does not support NBAR Service tab. Check the NBAR checkbox. NBAR Status The NBAR status table displays the following statistics for the interface you choose from the Select an Interface drop-down list:
  • Cisco ROUTER-SDM-CD | User Guide - Page 914
    are: • Local Exception Policy-An exception policy that is configured on the router is used to validate the host. • Remote EAP Policy-The host returns a posture, and an exception policy assigned by an ACS server is used.
  • Cisco ROUTER-SDM-CD | User Guide - Page 915
    has been configured on the router, this log records SDEE messages. To open a log, click the tab with the log's name. Syslog The router contains a log of events categorized by severity level, like a UNIX syslog service.
  • Cisco ROUTER-SDM-CD | User Guide - Page 916
    configure the IP addresses of syslog hosts, use the Additional Tasks > Router Properties > Logging window. Logging Level (Buffer) Shows the logging level configured for the buffer on the router: • Severity Column
  • Cisco ROUTER-SDM-CD | User Guide - Page 917
    occurred. • Description Column Shows a description of the log event. Updates the window with current information about log details and the most current log entries. Erases all messages from the log buffer on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 918
    occurred. • Description column Contains the following information about the denied attempt: log name, access rule name or number, service, source address, destination address, and number of packets. An example follows:
  • Cisco ROUTER-SDM-CD | User Guide - Page 919
    icmp 171.71.225.148->10.77.158.140 (0/0), 3 packets Update Button Polls the router and updates the information shown on the screen with current information. Search Button Opens a denied access to the target port.
  • Cisco ROUTER-SDM-CD | User Guide - Page 920
    configured logging for debugging(7), the log will contain application security log messages. The following is example log text: *Sep 8 12:23:49.914: %FW-6-DROP_PKT: Dropping im-yahoo pkt 128.107.252.142:1481 => 216.155.193.139:5050
  • Cisco ROUTER-SDM-CD | User Guide - Page 921
    Sep 8 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn un-recognized service session initiator 14.1.0.1:2000 sends 1364 bytes to responder 207.46.108.19 router. SDEE messages are generated when there are changes to IPS configuration.
  • Cisco ROUTER-SDM-CD | User Guide - Page 922
    not case sensitive. The time the message was received. Types are Error, Status, and Alerts. Click SDEE Message Text to see possible SDEE messages. Available description.
  • Cisco ROUTER-SDM-CD | User Guide - Page 923
    if the router is using a Cisco IOS image that supports IPS version 4.x or earlier. This window displays a table of IPS signature statistics, grouped by signature type. The following statistics are shown: • Signature ID-Numerical signature identifier. • Description-Description of the signature
  • Cisco ROUTER-SDM-CD | User Guide - Page 924
    Log. Signature List Area The Signature ID, Description, number of hits, and drop count are shown for all signatures. If a packet arrives that matches a signature, the source and destination IP addresses are listed as well.
  • Cisco ROUTER-SDM-CD | User Guide - Page 925
    described in the following list: • Signature ID-Numerical signature identifier. • Description-Description of the signature. • Risk Rating-A value between 0 and 100 that -The signature engine associated with the signature.
  • Cisco ROUTER-SDM-CD | User Guide - Page 926
    Status 802.1x Authentication on Interfaces Area Interface 802.1x Authentication Reauthentication 802.1x Clients Area Client MAC Address Authentication Status Interface
  • Cisco ROUTER-SDM-CD | User Guide - Page 927
    are available from the Cisco Router and Security Device Manager (Cisco SDM) File menu. Save Running Config to PC Saves the router's running configuration file to a text file on the PC. Deliver Configuration to Router This window lets you deliver to the router any configuration changes that you have
  • Cisco ROUTER-SDM-CD | User Guide - Page 928
    are boot network or boot host commands present with service config commands in the running configuration. Click this button to discard the configuration change and close the Cisco SDM Deliver to Router dialog box. Click this button to save the configuration changes shown in the window to a text file
  • Cisco ROUTER-SDM-CD | User Guide - Page 929
    from which they were copied. • If Cisco SDM is invoked from your router flash, then Cisco SDM files cannot be deleted. You can delete Cisco SDM files that are copies or if Cisco SDM is invoked from a PC. • If Cisco SDM is invoked from your router flash, then Cisco SDM files cannot be renamed. You
  • Cisco ROUTER-SDM-CD | User Guide - Page 930
    Cisco router flash memory or on a USB flash device connected to that router. Cisco SDM files and files with names containing spaces cannot be loaded using Load File From PC. Cisco SDM files, such as Cisco SDM original file.
  • Cisco ROUTER-SDM-CD | User Guide - Page 931
    is displayed above the New Name field. New Folder This window allows you to name and create a new folder in the directory system on your Cisco router flash memory and on USB flash devices connected to that router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 932
    You should print the contents of this help topic so that you can use the instructions to obtain a Cisco IOS image and SDM.tar from Cisco.com, and install them on the router. Step 1 Ensure that the router will not lose power. If the router loses power after an erase flash: operation, there will be no
  • Cisco ROUTER-SDM-CD | User Guide - Page 933
    flash: tftp://10.10.10.3/SDM.tar Note If you prefer to download a Cisco IOS image, the SDM.tar file, and the SDM.shtml file, follow these instructions to use an Internet connection to download a Cisco SDM-supported Cisco IOS image, the SDM.tar file, and the SDM.shtml file. Then place those files
  • Cisco ROUTER-SDM-CD | User Guide - Page 934
    to Cisco SDM, using the same IP address you used when you started the Cisco SDM session. Now that an erase flash: has been performed on the router, you will be able to execute the squeeze flash command when necessary.
  • Cisco ROUTER-SDM-CD | User Guide - Page 935
    are available from the Cisco Router and Security Device Manager (Cisco SDM) Edit menu. Preferences This screen lets you configure the following Cisco Router and Security Device Manager options: Preview commands before delivering to router Choose this option if you want Cisco SDM to display a list of
  • Cisco ROUTER-SDM-CD | User Guide - Page 936
    if you leave Monitor mode and perform other tasks in Cisco SDM, select this check box and specify the maximum number of interfaces you want Cisco SDM to monitor. The default maximum number of interfaces to monitor is 4.
  • Cisco ROUTER-SDM-CD | User Guide - Page 937
    you to perform guided and manual configurations for Interfaces and Connections, Firewalls and ACLs, VPNs Routing, and other tasks. Monitor Displays the Cisco SDM Monitor window, which lets you view statistics about your router and network.
  • Cisco ROUTER-SDM-CD | User Guide - Page 938
    tech-support-Shows the output from all of the other show commands. • show environment-Shows information about the router power supply. This command may not appear in the Show Commands drop-down list if not supported by your router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 939
    Cisco SDM Default Rules The Cisco SDM Default Rules screen displays a list of all of the default rules configured by Cisco SDM and a brief description of each. Firewall Shows Cisco SDM's default Application
  • Cisco ROUTER-SDM-CD | User Guide - Page 940
    commands, Cisco SDM displays a message window telling you that if you refresh, you will lose undelivered commands. If you want to deliver the commands, click No in this window, and then click Deliver on the Cisco SDM toolbar.
  • Cisco ROUTER-SDM-CD | User Guide - Page 941
    box, letting you connect to your router and access the Cisco IOS command-line interface (CLI) using the Telnet protocol. Security Audit Displays the Cisco SDM Security Audit screen. See Security Audit for more information.
  • Cisco ROUTER-SDM-CD | User Guide - Page 942
    Configure > VPN > VPN Components > Public Key Infrastructure > USB Tokens, you are automatically logged into that router. An administrator PIN is used to manage USB token settings using the manufacturer's software. Cisco SDM
  • Cisco ROUTER-SDM-CD | User Guide - Page 943
    SDM from Cisco.com: Step 1 Step 2 Select Update Cisco SDM from Cisco.com from the Tools menu. Selecting this option starts the update wizard. Use the update wizard to obtain the Cisco SDM files and copy them to your router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 944
    Cisco SDM from CD If you have the Cisco SDM CD, you can use it to update Cisco SDM on your router. To do so, follow these steps: Step 1 Step 2 Step 3 Step 4 Place the Cisco SDM CD in the CD drive on your PC. Select Update Cisco SDM from CD, and click Update Cisco SDM in the General Instructions
  • Cisco ROUTER-SDM-CD | User Guide - Page 945
    and going to the Cisco website at the following link: http://www.cisco.com When the webpage opens, click Register and provide the necessary information to obtain a username and password. Then, try this operation again.
  • Cisco ROUTER-SDM-CD | User Guide - Page 946
    CCO Login (Chapter 46, Tools Menu Commands)
  • Cisco ROUTER-SDM-CD | User Guide - Page 947
    up a browser and displays the Cisco SDM page on the Cisco.com website. Hardware/Software Matrix Opens up a browser and displays a matrix of Cisco router models and Cisco IOS image versions to guide you in selecting compatible Cisco IOS image software. A Cisco Connection Online username and password
  • Cisco ROUTER-SDM-CD | User Guide - Page 948
    Chapter 47 Help Menu Commands. About this router...: Displays hardware and software information about the router on which Cisco SDM is running. About Cisco SDM: Displays version information about Cisco SDM.
  • Cisco ROUTER-SDM-CD | User Guide - Page 949
    Adaptation Layer 5 Multiplexing. access control, access control rule: information entered into the configuration which allows you to specify what type of traffic to permit or deny into a network, and the type of traffic.
  • Cisco ROUTER-SDM-CD | User Guide - Page 950
    AH provides authentication services but does not provide encryption services. It is provided to ensure compatibility with IPSec peers that do not support ESP, which and data integrity. AHP does not provide secrecy.
  • Cisco ROUTER-SDM-CD | User Guide - Page 951
    for solving a problem. Security algorithms pertain outside) connections without an explicit configuration for each internal system and application standard for cell relay in which multiple service types (such as voice, video, and
  • Cisco ROUTER-SDM-CD | User Guide - Page 952
    to affect network booting. Basic Service Set Identifier. BSSIDs are identifiers Cisco Common Classification Policy Language. C3PL is a structured replacement for feature-specific configuration commands and allows configurable
  • Cisco ROUTER-SDM-CD | User Guide - Page 953
    each application connection status. CBWFQ Class-Based Weighted Fair Queuing. CBWFQ provides support for user-defined traffic classes. For CBWFQ, you define traffic classes identities can be vulnerable to spoofing attacks.
  • Cisco ROUTER-SDM-CD | User Guide - Page 954
    . The recipient recomputes the value and compares it for verification. Cisco Router and Security Device Manager. Cisco SDM is an Internet browser-based software tool designed to configure LAN, WAN, and security features on a router. See Getting Started for more information. An encryption-decryption
  • Cisco ROUTER-SDM-CD | User Guide - Page 955
    that support scalable network deployment, configuration, service-assurance monitoring, and service delivery. comp-lzs: An IP compression algorithm. Configuration, Config, Config File: The file on the router that holds the settings, preferences, and properties you can administer using Cisco SDM
  • Cisco ROUTER-SDM-CD | User Guide - Page 956
    function of a non-repudiation service. decryption Reverse application of an Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them.
  • Cisco ROUTER-SDM-CD | User Guide - Page 957
    DMVPN A router with a single DMVPN configuration has a connection to one DMVPN hub, and has one configured GRE tunnel for DMVPN communication. The GRE tunnel addresses for the hub and spokes must be in the same subnet.
  • Cisco ROUTER-SDM-CD | User Guide - Page 958
    number, and the city in which the user resides. Domain Name System (or Service). An Internet service that translates domain names, which are composed of letters, into IP addresses, standards for cryptographic signatures.
  • Cisco ROUTER-SDM-CD | User Guide - Page 959
    Protocol. Advanced version of IGRP developed by Cisco Systems. Provides superior convergence properties and operating efficiency, and combines the advantages of link state protocols with those of distance vector protocols.
  • Cisco ROUTER-SDM-CD | User Guide - Page 960
    The enrollment URL is the HTTP path to a certification authority (CA) that your Cisco IOS router should follow when sending certificate requests. The URL includes either a DNS name or -variant SHA authentication algorithm.
  • Cisco ROUTER-SDM-CD | User Guide - Page 961
    use CSMA/CD, and run end devices, such as a Cisco IOS client and a Cisco IOS certificate server. F fasttrack A file-sharing network in which indexing functions are dynamically assigned to connected peers, called supernodes.
  • Cisco ROUTER-SDM-CD | User Guide - Page 962
    to a device, rather than affecting only a single interface on that device. A decentralized P2P file sharing protocol. Using an installed Gnutella client, users can search, download and upload files across the Internet.
  • Cisco ROUTER-SDM-CD | User Guide - Page 963
    protocol developed by the International Organization for Standardization (ISO). HDLC specifies a data encapsulation method on synchronous serial links using frame characters and checksums. The upstream, transmit end of a tunnel.
  • Cisco ROUTER-SDM-CD | User Guide - Page 964
    any network-addressable device on any network. The term node includes devices such as routers and printers which would not normally be called hosts. Hypertext Transfer Protocol, Hypertext Transfer send alerts to the IDM.
  • Cisco ROUTER-SDM-CD | User Guide - Page 965
    router/firewall/host must be able to verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service router based on default rules or as a result of user-defined rules.
  • Cisco ROUTER-SDM-CD | User Guide - Page 966
    , while ensuring support for a wide variety of protocols, media, services and platforms. Cisco IOS Intrusion Prevention System. IOS IPS compares traffic against an extensive database of intrusion signatures, and can drop intruding packets and take other actions based on configuration. Signatures are
  • Cisco ROUTER-SDM-CD | User Guide - Page 967
    service. A string of bits used to encrypt or decrypt data, or to compute message digests. The process whereby two or more parties agree to use the same secret symmetric key. A trusted third party who holds the cryptographic keys.
  • Cisco ROUTER-SDM-CD | User Guide - Page 968
    IPSec to provide authentication services. L2TP access concentrator. support internetwork routing. A VLAN is an example of a logical layer 3 interface. An Ethernet port is an example of a physical layer 3 interface. Line Build Out.
  • Cisco ROUTER-SDM-CD | User Guide - Page 969
    LEFS, life cycle, LLQ, LNS, local subnet, logical interface, loopback. LEFS: low-end file system. end of a transmission. logical interface: An interface that has been created solely by configuration, and that is not a physical interface on the router.
  • Cisco ROUTER-SDM-CD | User Guide - Page 970
    is configured Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
  • Cisco ROUTER-SDM-CD | User Guide - Page 971
    and terminal emulation software. Performs both synchronous and asynchronous routing of supported protocols. Network Address Translation. Mechanism for reducing the need for globally used to classify traffic for QoS.
  • Cisco ROUTER-SDM-CD | User Guide - Page 972
    spokes in order to build direct tunnels to them. A third-party security service that stores evidence for later, possible retrieval, regarding the origin and destination of protocol. Non-volatile random access memory.
  • Cisco ROUTER-SDM-CD | User Guide - Page 973
    for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.
  • Cisco ROUTER-SDM-CD | User Guide - Page 974
    This feature is valuable when an Internet service provider cannot allocate enough unique IP router interface supported by a network module that is installed in the router chassis, or that is part of the router's basic hardware.
  • Cisco ROUTER-SDM-CD | User Guide - Page 975
    security policy. Point-to-Point Protocol. A protocol that provides router-to-router, and host-to-network connections over synchronous and asynchronous circuits. PPP has built-in security mechanisms, such as CHAP and PAP (PAP sends the password in cleartext, so CHAP is the one to use).
  • Cisco ROUTER-SDM-CD | User Guide - Page 976
    channel. When using a pre-shared key, if one of the participating peers is not configured with the same pre-shared key, the IKE SA cannot be established. An IKE SA is a from a pseudo random number is called a nonce.
  • Cisco ROUTER-SDM-CD | User Guide - Page 977
    , distributing tokens, and performing personal authentication functions. Remote Authentication Dial-In User Service. An access server authentication and accounting protocol that uses UDP as the transport protocol. See also TACACS+.
  • Cisco ROUTER-SDM-CD | User Guide - Page 978
    with your end of a router's digital certificate. Sometimes called a challenge password. RFC1483 describes two different methods for carrying connectionless network interconnect traffic over an ATM network: routed protocol data units (PDUs) and bridged PDUs. Cisco SDM supports the configuration
  • Cisco ROUTER-SDM-CD | User Guide - Page 979
    added to the routing table. Cisco SDM automatically creates route maps to prevent configuration to define your security policy in the form of conditional statements that instruct the router how to react to a particular situation.
  • Cisco ROUTER-SDM-CD | User Guide - Page 980
    establish IPSec SAs manually. A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports Encapsulating Security Payload (ESP) a particular attacker address.
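The pre-shared key entry (Page 976) and the security association entry (Page 980) above are easiest to understand against a concrete configuration. The following is an added example of a Cisco IOS IKEv1/IPsec site-to-site tunnel written for this page; it is not taken from the guide and is not configuration generated by Cisco SDM. The peer addresses (203.0.113.1 and 203.0.113.2), the protected subnets (10.1.1.0/24 and 10.2.2.0/24), the key string, and the policy, transform-set, ACL and crypto-map names are assumed values for illustration.

```ios
! Router A (WAN address 203.0.113.1). All addresses and names are assumed.
!
! IKE (ISAKMP) phase 1 policy: protects the IKE SA itself.
! Group 14 needs an image that supports it; older images offer only 1, 2 and 5.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! The pre-shared key is bound to the peer address. Router B must carry the
! identical string for 203.0.113.1. If the two strings differ, main mode
! never completes, no IKE SA is created, and no IPsec SAs can be negotiated.
crypto isakmp key Example-PSK-ChangeMe address 203.0.113.2
!
! Phase 2 transform set: ESP gives both confidentiality (AES-256) and
! integrity (SHA-1 HMAC). An AH transform such as ah-sha-hmac would
! authenticate only and leave the payload in the clear, as the AH entry says.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: the traffic the SAs protect. Each matching flow gets an
! inbound SA and an outbound SA, one per direction per protocol.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map CM-SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-SITE2SITE
!
! Router B is the mirror image: its own address on GigabitEthernet0/0,
! the same key bound to "address 203.0.113.1", "set peer 203.0.113.1",
! and the crypto ACL with source and destination swapped.
```

After traffic flows between the two subnets, `show crypto isakmp sa` should list the peer with state QM_IDLE, meaning the IKE SA is up; `show crypto ipsec sa` then shows a separate inbound and outbound ESP SA for the peer, each with its own SPI, which is the per-direction pair the glossary entry describes. With mismatched keys the ISAKMP SA never reaches QM_IDLE and the IPsec SA counters stay at zero.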
  • Cisco ROUTER-SDM-CD | User Guide - Page 981
    they represent the internal network, so they can be grouped into a zone for firewall configurations. session key: A key that is used only once. SFR: Signature Fidelity Rating. shared secret: A cryptographic key.
  • Cisco ROUTER-SDM-CD | User Guide - Page 982
    works with Session Description Protocol (SDP) for call signaling. SDP specifies the ports for the media stream. Using SIP, the router can support any SIP Voice over are redirected to specified back-end DNS name servers.
  • Cisco ROUTER-SDM-CD | User Guide - Page 983
    a supported Cisco router to provide remote clients secure access to network resources by creating an encryption tunnel across the Internet using the broadband or ISP dial connection that the remote client uses. SSL VPN context A WebVPN context provides the resources needed to configure secure
  • Cisco ROUTER-SDM-CD | User Guide - Page 984
    at each end of a network supporting TCP/IP protocols. Each protocol layer maintains state information in the packets it sends and receives. Routers route Route that is explicitly configured and entered into the routing
  • Cisco ROUTER-SDM-CD | User Guide - Page 985
    . The downstream, receive end of a tunnel. Transmission service to valid requests, thereby preventing legitimate users from connecting to a website, accessing e-mail, using FTP service from unauthorized parties Description of a security
  • Cisco ROUTER-SDM-CD | User Guide - Page 986
    addressing scheme for accessing hypertext documents and other services using a browser. Two examples follow: http://www.cisco.com. ftp://10.10.5.1/netupdates/sig.xml Identity and VCI identifies an ATM connection.
  • Cisco ROUTER-SDM-CD | User Guide - Page 987
    connections between peers, in which the defining attributes of each connection include the following device configuration information: - A connection name - Optionally, an IKE policy and pre-shared key - is applied
  • Cisco ROUTER-SDM-CD | User Guide - Page 988
    remote administrators to use when you configure site-to-site VPN connections. LAN. Wide Area Application Services. A Cisco solution that optimizes the traffic to reduce transmission costs and download time from Web servers. Wide
  • Cisco ROUTER-SDM-CD | User Guide - Page 989
    with a particular network computer. Wi-Fi Multimedia. An IEEE 802.11e Quality of Service (QoS) draft standard. WMM compliant equipment is designed to improve the user experience for according to the X.509 guidelines.
  • Cisco ROUTER-SDM-CD | User Guide - Page 990
    traffic flow between two security zones. See also security zone. Zone-Based Policy Firewall. In a ZPF configuration, interfaces are assigned to zones, and an inspection policy is applied to traffic moving between the zones.
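The ZPF entry above (Page 986) and the C3PL entry (Page 952) describe the model: interfaces go into zones, and a C3PL class-map/policy-map pair is applied to a zone pair. The following added example shows those pieces in Cisco IOS CLI. It is written for this page, not taken from the guide or from the configuration Cisco SDM generates. The zone, class-map and policy-map names, the interface names and the protocols inspected are assumed values.

```ios
! All names and interfaces below are assumed for illustration.
!
! Zones. An interface belongs to at most one zone, and once it is in a
! zone it cannot exchange traffic with an interface that is in no zone.
zone security INSIDE
zone security OUTSIDE
!
! C3PL class-map: which traffic the policy acts on. "match-any" means a
! packet matching any of the listed protocols belongs to the class.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! C3PL policy-map: what happens to each class. "inspect" tracks the
! session so that its return traffic is allowed back in; everything
! that does not match the class is dropped and logged by class-default.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Zone pair: direction matters. This pair covers traffic sourced in
! INSIDE and destined for OUTSIDE. No OUTSIDE-to-INSIDE pair exists, so
! unsolicited inbound connections are dropped by default.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
interface GigabitEthernet0/1
 description LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/0
 description WAN (assumed)
 zone-member security OUTSIDE
```

`show zone-pair security` confirms that the pair is bound to the policy, and `show policy-map type inspect zone-pair sessions` lists the sessions the inspect action is currently tracking. Two defaults catch first-time users: traffic to and from the router itself (the self zone) is permitted unless a zone pair involving self says otherwise, and placing an interface into a zone silently cuts it off from any interface that is not in a zone.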
  • Cisco ROUTER-SDM-CD | User Guide - Page 991
    Symbols $ETH-LAN$ 1 $ETH-WAN$ 3 Numerics 3DES 9 A About SDM SDM version 2 access rule in NAT translation rule 24, 27 making changes in 21 ESP 11 MD5 9 SHA_1 9 AutoSecure 25 B banner, configuring 14, 30 BOOTP, disabling 8
  • Cisco ROUTER-SDM-CD | User Guide - Page 992
    specific traffic through 18 services 6 DMZ service 7 address range 7 DSS digital signature 21 dynamic IP address 15, 22 Dynamic Multipoint VPN 1 dynamic routing protocol configuring 9 E Easy VPN 5 auto tunnel control 9, 36
  • Cisco ROUTER-SDM-CD | User Guide - Page 993
    specific traffic 18, 19 permitting traffic from specific hosts or networks 19 permitting traffic to a VPN concentrator 20 policy 1 scenarios 29 SDM warning 17 traffic flow, see traffic flow traffic-flow display controls 3
  • Cisco ROUTER-SDM-CD | User Guide - Page 994
    HDLC 18 Help menu 1 HTTP service configuring an access class 23 Hub-and- SDM warning 16 interfaces available configurations for each type 4 editing associations 9 statistics 6 unsupported 2 viewing activity 6 Internet Key Exchange 21
  • Cisco ROUTER-SDM-CD | User Guide - Page 995
    directed broadcasts, disabling 19 IP Identification service, disabling 9 IPS about 1 built-in signatures 17 buttons for configuration and management 9 Create IPS 2 IPSec 14 description 1 group key 12, 25 group name 24, 31
  • Cisco ROUTER-SDM-CD | User Guide - Page 996
    configuring with a VPN 38 designated interfaces 8 DNS timeout 12 dynamic address translation rule, inside to outside 23 dynamic NAT timeout 13 ICMP timeout 12 max number of entries 13 permitting through a firewall 20 PPTP timeout 13 redirect port 20, 23 route map 26 route maps 13
  • Cisco ROUTER-SDM-CD | User Guide - Page 997
    PPP 18 PPPoE 17, 28, 31, 37 in Ethernet WAN wizard 4 preferences, SDM 1 pre-shared key 7, 17, 3 pre-shared keys 6 preview commands option 1 primary hub 3 Protocol Traffic viewing activity 23 proxy ARP, disabling 18 PVC 18
  • Cisco ROUTER-SDM-CD | User Guide - Page 998
    SDF 58 in router memory 55 IPS supplied 55 loading 49 locations 15, 17 SDM Default Rules window 4 SDP launching 1 troubleshooting 2 Secure Device Provisioning, see SDP 1 security association lifetime 5 Security Audit wizard
  • Cisco ROUTER-SDM-CD | User Guide - Page 999
    GLS1 text banner, configuring 14, 30 time stamps, enabling 11 Tools menu 1 Traffic viewing activity 23 traffic flow 3, 4 icons 5 transform set 11, 7 transform sets, multiple 36 translation rules 9 translation timeouts 9
  • Cisco ROUTER-SDM-CD | User Guide - Page 1000
    through a firewall to 20 vty lines configuring an access class 23 W WAAS NM external IP address 7 internal IP address 7 WAE-C 1 WAE-E 1 WAN connections deleting 60 WAN interface unsupported 6 WCCP 1 WCCP 61 Redirect 8
  • Cisco ROUTER-SDM-CD | User Guide - Page 1001
    WCCP 62 Redirect 8 WCCP Redirect Exclude 8 WCCP settings 7 Web Cache Communication Protocol 1 Wide Area Engine Core 1 Wide Area Engine Edge 1 X Xauth logon 14