How it Works
3D Innovations
Loading...
3.0.1
User Manual
88 pgs616.35 Kb0
Table of contents
Loading...

3D Innovations 3.0.1 User Manual

APPENDIX
B
Site-to-Site VPN User Interface Reference
The pages that you access by selecting Site-To-Site VPN Manager from the Tools menu, or clicking the Site-To-Site VPN Manager button on the toolbar,
help you configure site-to-site VPNs.
Note You can also configure site-to-site VPNs in Device view (View > Device View)
and Policy view (View > Policy View). For more information, see:
Managing VPN Devices in Device View, page 9-53
Managing Shared Site-to-Site VPN Policies in Policy View, page 9-56
OL-8214-02
These topics describe the pages that help you create VPN topologies, and the policies that will be assigned to them:
Site-to-Site VPN Manager Window, page B-2
Create VPN Wizard, page B-8
Site to Site VPN Policies, page B-37
VPN Topologies Device View Page, page B-85
User Guide for Cisco Security Manager 3.0.1
B-1
Appendix B Site-to-Site VPN User Interface Reference

Site-to-Site VPN Manager Window

Site-to-Site VPN Manager Window
Use the Site-to-Site VPN Manager window to:
View all available VPN topologies.
Create, edit, and delete VPN topologies.
View detailed information about each VPN topology.
View the endpoints defined for a VPN topology.
View and edit the policies assigned to a VPN topology.
The VPNs selector, in the upper left pane of the window, lists all available VPN topologies, and enables you to select topologies for viewing or editing. The lower left pane of the page lists the policies that are assigned to the VPN topology selected in the upper pane.
Navigation Path
Click the Site-To-Site VPN Manager button on the toolbar or select Tools > Site-To-Site VPN Manager.
Related Topics
Create VPN Wizard, page B-8
Understanding VPN Topologies, page 9-2
Working with VPN Topologies, page 9-10
Field Reference
Table B-1 Site-to-Site VPN Manager Window
Element Description
VPNs selector Lists each VPN topology, represented by its name and an icon
indicating its VPN type (hub and spoke, point to point, or full mesh).
Create VPN Topology button Click to create a VPN topology,thenselect the type of topology you
want to create from the options that are displayed. The Create VPN wizard opens.
User Guide for Cisco Security Manager 3.0.1
B-2
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Site-to-Site VPN Manager Window
Table B-1 Site-to-Site VPN Manager Window (continued)
Element Description
Edit VPN Topology button Opens the Edit VPN dialog box for editing a selected VPN
topology.
Note You can also edit a VPN topology by right-clicking it in the
VPNs selector, and selecting the Edit option.
Delete VPN Topology button Deletes a selected VPN topology.
Note You can also delete a selected VPN topology by
right-clicking it and selecting the Delete option.
A confirmation dialog box opens asking you to confirmthedeletion.
Policies selector Lists each individually named policy that is already assigned to, or
can be configured on, devices in the selected VPN topology.
Note VPN Summary and Peers, are not policies. For a
description of these pages, see VPN Summary Page,
page B-3 and Peers Page, page B-7.
Select a policy to open a page on which you can view or edit the parameters for the selected policy. See Site to Site VPN Policies,
page B-37.
Close button Closes the window. Help button Opens help for this window.

VPN Summary Page

Use the VPN Summary page to view information about a selected VPN topology. This includes information about the type of VPN topology, its devices, the assigned technology, and specific policies that are configured in it.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
B-3
Site-to-Site VPN Manager Window
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select VPN Summary in the Policies selector.
Note The VPN Summary page opens when you finish creating or editing a VPN
topology.
The VPN Summary page alsoopens from Device view, when editing the VPN
policies defined for a VPN topology. For more information, see Managing
VPN Devices in Device View, page 9-53.
You can also open the VPN Summary page from Policy view. For more
information, see Working with Site-to-Site VPN Policies in Policy View,
page 9-56.
Related Topics
Site-to-Site VPN Manager Window, page B-2
Configuring High Availability in Your VPN Topology, page 9-51
Configuring VRF-Aware IPSec Settings, page 9-45
Configuring an IKE Proposal, page 9-62
Configuring IPSec Proposals, page 9-67
Configuring Preshared Key Policies, page 9-76
Configuring Public Key Infrastructure Policies, page 9-84
Configuring GRE or GRE Dynamic IP Policies, page 9-91
Configuring DMVPN Policies, page 9-96
Appendix B Site-to-Site VPN User Interface Reference
Field Reference
Table B-2 VPN Summary Page
Element Description
Type The VPN topology type—Hub-and-Spoke, Point-to-Point, or Full
Mesh. Description A description of the VPN topology.
User Guide for Cisco Security Manager 3.0.1
B-4
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Site-to-Site VPN Manager Window
Table B-2 VPN Summary Page (continued)
Element Description
Primary Hub Available if the VPN topology type is hub-and-spoke.
The name of the primary hub in the hub-and-spoke topology. Failover Hubs Available if the VPN topology type is hub-and-spoke.
The name of any secondary backup hubs that are configured in the
hub-and-spoke topology. Number of Spokes Available if the VPN topology type is hub-and-spoke.
The number of spokes that are included in the hub-and-spoke
topology. Peer 1 Available if the VPN topology type is point-to-point.
The name of the device that is defined as Peer One in the
point-to-point VPN topology. Peer 2 Available if the VPN topology type is point-to-point.
The name of the device that is defined as Peer Two in the
point-to-point VPN topology. Number of Peers Available if the VPN topology type is full mesh.
The number of devices included in the full mesh VPN topology. IPSec Technology The IPSec technology assigned to the VPN topology. See
Understanding IPSec Technologies and Policies, page 9-8.
IKE Proposal The security parameters of the IKE proposal configured in the VPN
topology. See IKE Proposal Page, page B-37. Transform Sets The transform sets that specify the authentication and encryption
algorithms that will be used to secure the traffic in the VPN tunnel.
See IPSec Proposal Page, page B-39. Preshared Key Unavailable if the selected technology is Easy VPN.
Specifies whether the shared key to use in the preshared key policy
is user defined or auto-generated. See Preshared Key Page,
page B-53.
Public Key Infrastructure If a Public Key Infrastructure policy is configured in the VPN
topology, specifies the CA server. See Public Key Infrastructure
Page, page B-57.
OL-8214-02
User Guide for Cisco Security Manager 3.0.1
B-5
Appendix B Site-to-Site VPN User Interface Reference
Site-to-Site VPN Manager Window
Table B-2 VPN Summary Page (continued)
Element Description
Routing Protocol Available only if the selected technology is GRE, GRE Dynamic IP,
or DMVPN.
The routing protocol and autonomous system (or process ID)
number used in the secured IGP for configuring a GRE, GRE
Dynamic IP, or DMVPN routing policy.
Note Security Manager adds a routing protocol to all the devices
in the secured IGP on deployment. If you want to maintain this secured IGP, you must create a router platform policy using this routing protocol and autonomous system (or process ID) number.
See GRE Modes Page, page B-59. Tunnel Subnet IP Available only if the selected technology is GRE, GRE Dynamic IP,
or DMVPN.
If a tunnel subnet is defined, displays the inside tunnel interface IP
address, including the unique subnet mask.
See GRE Modes Page, page B-59. High Availability Available if the VPN topology type is hub-and-spoke.
If a High Availability policy is configured on a device in your
hub-and-spoke VPN topology,displaysthe details of the policy.See
High Availability Page, page B-34.
VRF-Aware IPSec Available if the VPN topology type is hub-and-spoke.
If a VRF-Aware IPSec policy is configured on a hub in your
hub-and-spoke VPN topology, displays the type of VRF solution
(1-Box or 2-Box) and the name of the VRF policy.See VRF Aware
IPSec Tab, page B-28.
Close button Closes the page. Help button Opens help for this page.
B-6
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference

Peers Page

Use the Peers page to view the endpoints defined for a VPN topology, including the internal and external VPN interfaces and protected networks assigned to the devicesinthetopology. The interface roles, or interfaces that match each interface role, may also be displayed for the VPN interfaces and protected networks.
The Peers page contains a scrollable table displaying the device roles, VPN interfaces and protected networks for all selected devices. By clicking the arrow displayed alongside any table heading, you can switch the order of the list to display from ascending to descending order, and vice versa. You can also filter the table contents using the filter controls above it to display only rows that match the criteria that you specify (see Filtering Tables, page 3-19).
Navigation Path
Open the Site-to-Site VPN Manager Window, page B-2, select a topology in the VPNs selector, then select Peers in the Policies selector.
Note You can also open the Peers page from Device view. For more information, see
Managing VPN Devices in Device View, page 9-53.
Site-to-Site VPN Manager Window
Related Topics
Site-to-Site VPN Manager Window, page B-2
VPN Topologies Device View Page, page B-85
Field Reference
Table B-3 Peers Page
Element Description
Role The role of the device—hub (primary or failover), spoke, or peer. Device The name of the device. VPN Interface The VPN interface (external and internal) that is defined for the
selected device. Protected Networks The protected networks that are defined for the selected device.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
B-7
Appendix B Site-to-Site VPN User Interface Reference

Create VPN Wizard

Table B-3 Peers Page (continued)
Element Description
Show Select to display either the interface roles or matching interfaces,
for the VPN interfaces and protected networks in the table, as
follows:
Interface Roles Only (default)—To display only the interface
roles assigned to the VPN interfaces and protected networks.
Matching Interfaces—Todisplaythe interfaces that match the
pattern of each interface role. If there are no matching interfaces “No Match” will be displayed.
Create button Opens the Device Selection tab of the Edit VPN dialog box on
which you can change the selection of devices in your VPN
topology. See Device Selection Page, page B-10. Edit button Opens the Endpoints tab of the Edit VPN dialog box on which you
can edit the VPN interfaces and protected networks for a selected
device in the table. See Endpoints Page, page B-13.
Create VPN Wizard
Security Manager supports three basic types of topologies with which you can create a site-to-site VPN. Use the Create VPN wizard to create a hub-and-spoke, point-to-point, or full mesh VPN topology across multiple devicetypes. For more information, see Understanding VPN Topologies, page 9-2.
Note You can deploy to your devices immediately after creating a VPN topology, using
the default policy configurations provided by Security Manager. All you need to do is complete the steps of the Create VPN wizard.
Editing a VPN topology is done using the Edit VPN dialog box, which comprises tabs whose elements are identical (except for the buttons) to the pages of the Create VPN wizard. You can click a tab to go directly to the page that contains the fields you want to edit, without having to go through each step of the wizard. Clicking OK on any tab in the dialog box saves your definitions on all the tabs. For more information, see Editing a VPN Topology, page 9-24.
User Guide for Cisco Security Manager 3.0.1
B-8
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
The following pages describe the steps in the Create VPN wizard:
Name and Technology Page, page B-9
Device Selection Page, page B-10
Endpoints Page, page B-13
High Availability Page, page B-34
Navigation Path
1. In the Site-to-Site VPN Manager Window, page B-2, click the Create VPN
Topology button above the VPNs selector.
2. Select the type of VPN topology you want to create from the options that are
displayed—Hub and Spoke, Point to Point, or Full Mesh.
Related Topics
Understanding VPN Topologies, page 9-2
Understanding IPSec Technologies and Policies, page 9-8
Creating a VPN Topology, page 9-11
Create VPN Wizard

Name and Technology Page

Use the Name and Technology page of the Create VPN wizard to provide a name and description for the VPN topology, and select the IPSec technology that will be assigned to it.
Note When editing a VPN topology, the Name and Technology tab is used. The
elements of the tab (except for the buttons) are identical to those that appear on the Name and Technology page. For more information, see Editing a VPN
Topology, page 9-24.
Navigation Path
When creating a VPN topology, open the Create VPN Wizard, page B-8.
When editing a VPN topology, open the Site-to-Site VPN Manager Window,
page B-2, then right-click a VPN topology in the VPNs selector, or click the
Name and Technology tab in the Edit VPN dialog box.
OL-8214-02
User Guide for Cisco Security Manager 3.0.1
B-9
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Related Topics
Create VPN Wizard, page B-8
Editing a VPN Topology, page 9-24
Understanding IPSec Technologies and Policies, page 9-8
Defining a Name and IPSec Technology, page 9-12
Field Reference
Table B-4 Create VPN wizard > Name and Technology Page
Element Description
Name A unique name you want to specify for the VPN topology, for
identification purposes. Description Any descriptive text or comments that you want to add about the
VPN topology. IPSec Technology Select the IPSec technology that you want to assign to the VPN
topology from the drop-down list.
Note If you are editing an existing VPN, the assigned IPSec
technology is displayed, but unavailablefor editing. To edit the technology, you must delete the VPN topology and create a new one.
Next button Advances to the next wizard page. See Device Selection Page,
page B-10.
Cancel button Closes the wizard without saving your changes. Help button Opens help for this page.

Device Selection Page

Use the Device Selection page of the Create VPN wizard to select the devices that will be included in the VPN topology.
User Guide for Cisco Security Manager 3.0.1
B-10
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Note When editing the device selection for a VPN topology, the Device Selection tab
is used. The elements of the tab (except for the buttons) are identical to those that appear on the Device Selection page. For more information, see Editing a VPN
Topology, page 9-24.
The contents of this page differ depending on the VPN topology type. For example, if you are creating or editing a hub-and-spoke topology, you also need to specify the devices as hubs or spokes.
Note The devices that are available for selection include only those that can be used for
the selected VPN topology type, that support the IPSec technology type, and which you are authorized to view. For more information, see About Selecting
Devices in a VPN Topology, page 9-14.
You can include devices in your VPN topology that are not managed by Security Manager.You cannot upload or download any configurationsto these devices nor deploy to them. For more information, see Adding Unmanaged Devices to Your
VPN Topology, page 9-14.
Create VPN Wizard
OL-8214-02
Navigation Path
When creating a VPN topology,openthe Create VPN Wizard,page B-8, then
click Next on the Name and Technology page.
When editing a VPN topology, click the Device Selection tab in the Edit VPN
dialog box.
In the VPN Topologies Device View Page, page B-85, click the Edit VPN
Topology button.
Related Topics
Create VPN Wizard, page B-8
Editing a VPN Topology, page 9-24
About Selecting Devices in a VPN Topology, page 9-14
Selecting Devices for Your VPN Topology, page 9-15
Removing Devices from a VPN Topology, page 9-23
User Guide for Cisco Security Manager 3.0.1
B-11
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Field Reference
Table B-5 Create VPN wizard > Device Selection Page
Element Description
Available Devices Lists all devices that can be included in your selected VPN
topology,thatsupporttheIPSectechnology type, and which you are
authorized to view.
Note Clicking a device group selects all its devices.
Hubs The devices you selected to be hubs in your hub-and-spoke
topology. In an Easy VPN topology, the selected devices are
servers.
Note If multiple devices are selected, you must make sure that the
required primary hub device appears first in the list. Youcan use the Up and Down buttons to change the order of the Hubs in the list.
To remove devices from the list, select them and click <<. Spokes The devices you selected to be spokes in your hub-and-spoke
topology.In an Easy VPN topology, the selected devices are clients.
To remove devices from the list, select them and click <<. Peer One/Peer Two The devices you selected to be peers in your point-to-point
topology.
To remove the selected device from the Peer One/Peer Two field,
click <<. Selected Devices The devices you selected to be included in your full mesh topology.
To remove selected devices from the Selected Devices list, click <<. Back button Returns to the previous wizard page. See Name and Technology
Page, page B-9.
Next button Advances to the next wizard page. See Endpoints Page, page B-13. Cancel button Closes the wizard without saving your changes. Help Opens help for this page.
B-12
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference

Endpoints Page

Use the Endpoints page of the Create VPN wizard to view the devices in your VPN topology,anddefine or edit their external or internal interfaces and protected networks.
Note When editing a VPN topology, the Endpoints tab is used. The elements of the tab
(except for the buttons) are identical to those that appear on the Endpoints page. For more information, see Editing a VPN Topology, page 9-24.
The Endpoints page displays a scrollable table listing the VPN interfaces and protected networks for all selected devices. By clicking on the arrow displayed alongside any table heading, you can switch the order of the list to display from ascending to descending order, and vice versa. You can also filter the table contents using the filter controls above it to display only rows that match the criteria that you specify (see Filtering Tables, page 3-19).
Navigation Path
When creating a VPN topology,openthe Create VPN Wizard,page B-8, then
click Next on the Device Selection page.
When editing a VPN topology, click the Endpoints tab in the Edit VPN
dialog box.
Create VPN Wizard
OL-8214-02
Related Topics
Create VPN Wizard, page B-8
Editing a VPN Topology, page 9-24
Edit Endpoints Dialog Box, page B-16
About Defining and Editing the Endpoints and Protected Networks,
page 9-16
Defining the Endpoints and Protected Networks, page 9-18
User Guide for Cisco Security Manager 3.0.1
B-13
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Field Reference
Table B-6 Create VPN wizard > Endpoints Page
Element Description
Role The role of the device—hub, spoke, or peer. Device The name of the device. VPN Interface The primary or backup VPN interface that is currently defined for
the selected device.
Depending on the selection in the Show list, the interface roles, or
the interfaces that match each interface role, for the VPN interface
may also be displayed.
Select a row and click Edit to change the device’s VPN interfaces.
The Edit Endpoints dialog box opens, from which you can select the
required VPN interface. See VPN Interface Tab, page B-17.
Note You can select more than one device at a time for editing.
The changes you make in the VPN Interface tab will be applied to all the selected devices.
B-14
Note When selecting multiple devices for editing the VPN
interfaces, you cannot include Catalyst 6500/7600 devices in your selection. If you want to editthese devices,you must select them separately.
Note To edit the VPN interface for a Catalyst 6500/7600 device,
see VPN Interface Tab, page B-17.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-6 Create VPN wizard > Endpoints Page (continued)
Element Description
Protected Networks The protected networks that are defined for the selected device.
Depending on the selection in the Show list, the interface roles, or
the interfaces that match each interface role, for the protected
networks may also be displayed.
Select a row and click Edit to change the device’s protected
networks. The Edit Endpoints dialog box opens, from which you
can select the required protected networks. See Protected Networks
Tab, page B-24.
Note You can select more than one device at a time for editing.
The changes you make in the Protected Networks tab will be applied to all the selected devices.
Note When selecting multiple devices for editing the protected
networks,youcannotinclude Catalyst VPN Service Module devices in your selection. If you want to edit these devices, you must select them separately.
Show Select to display either the interface roles or matching interfaces,
for the VPN interfaces and protected networks in the table, as
follows:
Interface Roles Only (default)—To display only the interface
roles assigned to the VPN interfaces and protected networks.
Matching Interfaces—Todisplaythe interfaces that match the
pattern of each interface role. If there are no matching interfaces “No Match” will be displayed.
Edit button Enables you to edit the VPN interface and/or protected networksfor
a selected device in the table. The Edit Endpoints dialog box opens.
See Edit Endpoints Dialog Box, page B-16. Back button Returns to the previous wizard page. See Device Selection Page,
page B-10.
Next button Available only if you are creating or editing a hub-and-spoke VPN
topology.
Advances to the next wizard page. See High Availability Page,
page B-34.
OL-8214-02
User Guide for Cisco Security Manager 3.0.1
B-15
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-6 Create VPN wizard > Endpoints Page (continued)
Element Description
Finish button Saves your wizard definitions and closes the wizard.
The neworeditedVPN topology appears in the VPNs selector in the
Site-to-Site VPN window, with the VPN Summary page displayed.
See VPN Summary Page, page B-3. Cancel button Closes the wizard without saving your changes. Help Opens help for this page.

Edit Endpoints Dialog Box

Use the Edit Endpoints dialog box to:
Edit the VPN interfaces and protected networks defined for devices.
Configurea dial backup interface to use as a fallback link for a primary VPN
interface.
Define VPN Services Module (VPNSM) settings for a Catalyst 6500/7600
device.
Define VPN SPA settings for a Catalyst 6500/7600 device.
Configure FWSM on a Catalyst 6500/7600 device.
Configure a VRF-Aware-IPSec policy on a hub device.
The following tabs may be available on the Edit Endpoints dialog box:
VPN Interface Tab, page B-17
Protected Networks Tab, page B-24
FWSM Tab, page B-26
VRF Aware IPSec Tab, page B-28
B-16
Note You can select more than one device at a time for editing. The changes you
make on any tabs in the dialog box will be applied to all selected devices.
When selecting multiple devices for editing the VPN interfaces, you cannot
include Catalyst 6500/7600 devices in your selection. If you want to edit these devices, you must select them separately.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Clicking OK on any tab in the dialog box saves your definitions on all the
tabs.
Navigation Path
You canaccessthe Edit Endpoints dialog box from the Endpoints Page, page B-13 (or tab). Then select a device in the Endpoints table, and click Edit.
Related Topics
Endpoints Page, page B-13
Defining the Endpoints and Protected Networks, page 9-18
Configuring Dial Backup, page 9-28
Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-30
Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade,
page 9-32
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-38
Configuring VRF-Aware IPSec Settings, page 9-45
Create VPN Wizard

VPN Interface Tab

Note If you selected a Catalyst 6500/7600 device in the Endpoints table for editing, the
OL-8214-02
VPN Interface tab provides settings that enable you to configure a VPN Services Module (VPNSM) or a VPN SPA blade on the device. For more information, see
Defining VPN Services Module (VPNSM) or VPN SPA Settings, page B-21.For
a description of the elements that appear on the VPN Interface tab for a Catalyst 6500/7600 device, see Table B-8 on page B-22.
Use the VPN Interface tab in the Edit Endpoints dialog box to edit the VPN interfaces defined for devices in the Endpoints table. When defining a primary VPN interface for a router device, you can also configure a backup interface to use as a fallback link for the primary route VPN interface, if its connection link
User Guide for Cisco Security Manager 3.0.1
B-17
Create VPN Wizard
Appendix B Site-to-Site VPN User Interface Reference
becomes unavailable. You can only configure a backup interface on a Cisco IOS security router, which is a spoke in the VPN topology. For more information, see
Understanding Dial Backup, page 9-27.
Navigation Path
The VPN Interface tab is displayed when you open the Edit Endpoints Dialog
Box, page B-16. You can also open it by clicking the VPN Interface tab from any
other tab in the Edit Endpoints dialog box.
Related Topics
Edit Endpoints Dialog Box, page B-16
Defining the Endpoints and Protected Networks, page 9-18
Configuring Dial Backup, page 9-28
Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-34
Field Reference
Table B-7 describes the elements on the VPN Interface tab when a device other
than a Catalyst 6500/7600 is selected.
Table B-7 Edit Endpoints Dialog Box > VPN Interface Tab
Element Description
Enable the VPN Interface Changes on All Selected Peers
Available if you selected more than one device for editing in the
Endpoints page.
When selected, applies any changes you make in the VPN interface
tab to all the selected devices. VPN Interface The VPN interface defined for the selected device.
VPN interfaces are predefined interface role objects. If required,
click Select to open a dialog box that lists all available interfaces,
and sets of interfaces defined by interface roles, in which you can
make your selection, or create interface role objects. For more
information, see Interface Roles Page, page C-126.
User Guide for Cisco Security Manager 3.0.1
B-18
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-7 Edit Endpoints Dialog Box > VPN Interface Tab (continued)
Element Description
Connection Type Note This element is only available in a hub-and-spoke VPN
topology, if the hub is an ASA or PIX 7.0 device and the selected technology is regular IPSec.
To configure the ASA hub during an SA negotiation, select one of
the following connection types:
Answer Only—To configure the hub to only respond to an SA
negotiation, but not initiate it.
Originate Only—To configure the hub to only initiate an SA
negotiation, but not respond to one.
Bidirectional—To configure the hub to both initiate and
respond to an SA negotiation.
Peer IP Address To define the IP address of the VPN interface of the peer device,
click one of the following radio buttons:
VPN Interface IP Address—To use the configured IP address
on the selected VPN interface. Only one VPN interface can match the interface role.
IP Address for IPSec Termination—Toenter manually the IP
address of the peer device. Enter the IP address in the field provided. Only one VPN interface can match the interface role.
IP Address of Another Existing Interface to be Used as
Local Address (unavailable if IPSec technology is DMVPN)—To use the configuredIPaddressonanyinterfaceas a local address, not necessarily a VPN interface. Enter the interface in the field provided.
You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object. For more information, see Interface Roles Page, page C-126.
OL-8214-02
User Guide for Cisco Security Manager 3.0.1
B-19
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-7 Edit Endpoints Dialog Box > VPN Interface Tab (continued)
Element Description
Tunnel Source Available for a hub when the selected technology is GRE or
DMVPN.
To define the tunnel source address to be used by the GRE or
DMVPN tunnel on the spoke side, click one of the following radio
buttons:
VPN Interface—To use the selected VPN interface as the
tunnel source address.
Another Existing Interface—To use any interface as the
tunnel source address, not necessarily a VPN interface. Enter the interface in the field provided.
You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object. For more information, see Interface Roles Page, page C-126.
Dial Backup Settings
Enable Available only if the selected device is a Cisco IOS router which is
a spoke in the VPN topology.
When selected, enables you to configure a backup interface to use
as a fallback link for the primary route VPN interface, if its
connection link becomes unavailable.
Note Before configuring a backup interface, you must first
configure the dialer interface settings on the device. For more information, see Configuring Dialer Interfaces on
Cisco IOS Routers, page 12-29.
Dialer Interface Select the logical interface through which the secondary route
traffic will be directed when the dialer interface is activated. This
can be a Serial, Async, or BRI interface. The list displays all the
interfaces of these types on the devices.
B-20
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-7 Edit Endpoints Dialog Box > VPN Interface Tab (continued)
Element Description
Tracking IP Address The IP address of the destination device to which connectivity must
be maintained from the primary VPN interface connection. This is
the device that is pinged by the Service Assurance agent through the
primary route to track connectivity. The backup connection will be
triggered if connectivity to this device is lost.
Note If you do not specify an IP address, the primary hub VPN
interface will be used in a hub-and-spoke VPN topology. In a point-to-point or full mesh VPN topology, the peer VPN interface will be used.
Primary Next Hop IP Address Available only if the selected technology is IPSec, GRE, or GRE
Dynamic IP.
Enter the IP address to which the primary interface will connect
when it is active. This is known as the next hop IP address.
If you do not enter the next hop IP address, Security Manager will
configure a static route using the interface name. Advanced button Available only if the selected technology is IPSec, GRE, or GRE
Dynamic IP.
Opens the Dial Backup Settings dialog box for configuring
additional (optional) settings. See Dial Backup Settings Dialog
Box, page B-32.
OK button Saves your changes locally on the client and closes the dialog box.
The changes appear in the Endpoints table for the selected
device(s). Cancel button Closes the dialog box without saving your changes. Help button Opens help for this tab.
OL-8214-02
Defining VPN Services Module (VPNSM) or VPN SPA Settings
When you select a Catalyst 6500/7600 device in the Endpoints table for editing, the VPN Interface tab of the Edit Endpoints dialog box provides settings for configuring a VPN Services Module (VPNSM) or VPN SPA on the device. You can select more than one Catalyst 6500/7600 device at the same time. Your changes are applied to all the selected devices.
User Guide for Cisco Security Manager 3.0.1
B-21
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Note Before you define the VPNSM or VPN SPA settings, you must import your
Catalyst 6500/7600 device to the Security Managerinventoryanddiscoverits interfaces. For more information, see Procedure for ConfiguringaVPNSMor
VPN SPA Blade, page 9-34.
If you are configuring a VPNSM or VPN SPA with VRF-Aware IPSec on a
device, verify that the device does not belong to a different VPN topology in which VRF-Aware IPSec is not configured. Similarly, if you are configuring a VPNSM or VPN SPAwithout VRF-Aware IPSec, make sure that the device belongs to a different VPN topology in which VRF-Aware IPSec is configured.
Field Reference
Table B-8 describes the elements that appear on the VPN Interface tab of the Edit
Endpoints dialog box, after you select a Catalyst 6500/7600 device.
Table B-8 Edit Endpoints Dialog Box > VPN Interface Tab > VPNSM/VPN SPA Settings
Element Description
Enable the VPN Interface Changes on All Selected Peers
Available if you selected more than one Catalyst 6500/7600 device
for editing in the Endpoints page.
When selected, applies any changes you make in the VPN interface
tab to all the selected devices.
VPNSM/VPN SPA Settings
VPN Interface The inside VLAN that serves as the inside interface to the VPN
Services Module or VPN SPA. It is also the hub endpoint of the
VPN tunnel (unless VRF-Aware IPSec is configured on the device).
If required, click Select to open a dialog box that lists all available
interfaces, and sets of interfaces definedbyinterface roles, in which
you can make your selection, or create interface role objects. For
more information, see Interface Roles Page, page C-126.
User Guide for Cisco Security Manager 3.0.1
B-22
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-8 Edit Endpoints Dialog Box > VPN Interface Tab > VPNSM/VPN SPA Settings
Element Description
Slot From the list of availableslots,selectthe VPNSM blade slot number
to which the inside VLAN interface is connected, or the number of
the slot in which the VPN SPA blade is inserted.
For more information, see Adding VPN SPA Slot Locations,
page 5-44.
Subslot The number of the subslot (0 or 1) on which the VPN SPA blade is
actually installed.
Note If you are configuring a VPNSM, select the blank option.
External Port The external port or VLAN that connects to the inside VLAN.
Note If VRF-Aware IPSec is configured on the device, the
external port or VLAN must have an IP address. If VRF-Aware IPSec is not configured, the external port or VLAN must not have an IP address.
Click Select to open a dialog box that lists all available interfaces,
and sets of interfaces defined by interface roles, in which you can
make your selection, or create interface role objects. For more
information, see Interface Roles Page, page C-126.
Note You must select an interface or interface role that differs
from the one selected for the inside VLAN.
Enable Failover Blade When selected, enables you to configure a failoverVPNSM or VPN
SPA blade for intra chassis high availability.
Note A VPNSM blade and VPN SPAblade cannot be used on the
same device as primary and failover blades.
Failover Slot Fromthelistofavailableslots,selecttheVPNSMbladeslotnumber
that will serve as the failover blade, or the number of the slot in
which the failover VPN SPA blade is inserted. Failover Subslot Select the number of the subslot (0 or 1) on which the failover VPN
SPA blade is actually installed.
Note If you are configuring a VPNSM, select the blank option.
OL-8214-02
User Guide for Cisco Security Manager 3.0.1
B-23
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-8 Edit Endpoints Dialog Box > VPN Interface Tab > VPNSM/VPN SPA Settings
Element Description
Peer IP Address To define the IP address of the VPN interface of the peer device,
click one of the following radio buttons:
VPN Interface IP Address—To use the configured IP address
on the selected VPN interface.
IP Address for IPSec Termination—Toenter manually the IP
address of the peer device. Enter the IP address in the field provided.
OK button Saves your changes locally on the client and closes the dialog box.
The changes appear in the Endpoints table for the selected
device(s). Cancel button Closes the dialog box without saving your changes. Help button Opens help for this tab.

Protected Networks Tab

B-24
Use the Protected Networks tab on the Edit Endpoints dialog box to edit the protected networks that are defined on a selected device in the Endpoints table.
You can specify the protected networks as interface roles whose naming patterns match the internal VPN interface type of the device, as network objects containing one or more network or host IP addresses, interfaces, or other network objects, or as access control lists (if IPSec is the assigned technology).
For more information, see:
Working with Interface Role Objects, page 8-120
Working with Network/Host Objects, page 8-142
Working with Access Control List Objects, page 8-32
Navigation Path
You can access the Protected Networks tab from the Edit Endpoints dialog box. Open the Edit Endpoints Dialog Box, page B-16, then click the Protected Networks tab.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Related Topics
Edit Endpoints Dialog Box, page B-16
Defining the Endpoints and Protected Networks, page 9-18
Field Reference
Table B-9 Edit Endpoints Dialog Box > Protected Networks Tab
Element Description
Enable the Protected Networks Changes on All Selected Peers
Available if you selected more than one device for editing in the
Endpoints page.
When selected, applies any changes you make in the Protected
Networks tab to all the selected devices. Available Protected Networks A hierarchy of all available protected networks, including the
interface roles whose naming pattern may match the internal VPN
interface type of the device. If IPSec is the assigned technology,
access control lists (ACLs) are also included in the list of available
protected networks.
Note In a hub-and-spoke VPN topology in which IPSec is the
assigned technology, when an ACL object is used to define the protected network on a spoke, Security Manager mirrors the spoke’s ACL object on the hub to the matching crypto map entry.
Select the interface role(s), protected networks, and/or access
control lists that you want to define for the selected device, then
click >>. Selected Protected Networks The protected networks and interface roles you selected for the
device.
Note You can reorder the selected protected networks/interface
roles in the list by selecting them (one at a time), then clicking the Move Up or Move Down button, as required.
>> button Moves protected networks from the available networks list to the
selected networks list. << button Removes protected networks from the selected list.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
B-25
Appendix B Site-to-Site VPN User Interface Reference
Create VPN Wizard
Table B-9 Edit Endpoints Dialog Box > Protected Networks Tab (continued)
Element Description
Create button If the required interface roles, protected networks, or access control
lists do not appear in the Available Protected Networks list, click
Create and select the required option to create an interface role,
protected network, or access control list.
Note The Access Control List option is only available if the
assigned technology is IPSec.
If you select the Interface Role option, the Interface Role Editor
page opens in which you can create an interface role object. For
more information, see Editing Interface Role Objects, page 8-124.
If you select the Protected Network option, theNetworkEditor page
opens in which you can create a network object. For more
information, see Editing Network/Host Objects, page 8-146.
If you select the Access Control List option, the Access Lists Editor
page opens in which you can create an access control list object. For
more information, see Editing Access Control List Objects,
page 8-40.
OK button Saves your changes locally on the client and closes the dialog box.
The changes appear in the Endpoints table for the selected
device(s). Cancel button Closes the dialog box without saving your changes. Help button Opens help for this tab.

FWSM Tab

B-26
Note The FWSM tab is only available in a hub-and-spoke VPN topology, when the
selected hub is a Catalyst 6500/7600 device.
Use the FWSM tab on the Edit Endpoints dialog box to define the settings that enable you to connect between a Firewall Services Module (FWSM) and an IPSec VPN Services Module (VPNSM) or VPN SPA, that is already configured on a Catalyst 6500/7600 device.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
Appendix B Site-to-Site VPN User Interface Reference
Note Before defining the FWSM settings, you must import your Catalyst 6500/7600
device to the Security Manager inventory. Then open Cisco Catalyst Device Manager (Cisco CDM), and discover the FWSM configurations on the device, and assign a VLAN that will serve as the inside interface to the FWSM.
For more information, see:
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-38
Discovering Policies, page 6-5
Creating a Single Layer 3 Ethernet VLAN, page 14-102
Navigation Path
You can access the FWSM tab from the Edit Endpoints dialog box. Open the Edit
Endpoints Dialog Box, page B-16, then click the FWSM tab.
Create VPN Wizard
Note Make sure you selected a Catalyst 6500/7600 device in the table on the Endpoints
Page, page B-13 (or tab), before opening the Edit Endpoints dialog box.
Related Topics
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-38
Defining VPN Services Module (VPNSM) or VPN SPA Settings, page B-21
Edit Endpoints Dialog Box, page B-16
Field Reference
Table B-10 Edit Endpoints Dialog Box > FWSM Tab
Element Description
Enable FWSM Settings When selected, enables you to configuretheconnectionbetween the
Firewall Services Module (FWSM) and the VPN Services Module
(VPNSM) or VPN SPA on the selected Catalyst 6500/7600 device.
User Guide for Cisco Security Manager 3.0.1
OL-8214-02
B-27
Loading...
+ 61 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use