Cisco Systems OL-4015-08 User Manual

Cisco Router and Security Device Manager (SDM) Version 2.2 User’s Guide

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 526-4100
Customer Order Number:
Text Part Number: OL-4015-08
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0406R)
Cisco Router and Security Device Manager (SDM) Version 2.2 User’s Guide
Copyright © 2005, Cisco Systems, Inc. All rights reserved.
CONTENTS

OL-4015-06
Cisco Router and Security Device Manager (SDM) Version 2.1 User's Guide

Home Page 1

LAN Wizard 1
  Ethernet Configuration 2
  LAN Wizard: Select an Interface 3
  LAN Wizard: IP Address and Subnet Mask 3
  LAN Wizard: Enable DHCP Server 4
  LAN Wizard: DHCP Address Pool 4
  DHCP Options 5
  LAN Wizard: VLAN Mode 6
  LAN Wizard: Switch Port 6
  IRB Bridge 7
  BVI Configuration 7
  DHCP Pool for BVI 8
  IRB for Ethernet 9
  Layer 3 Ethernet Configuration 9
  802.1Q Configuration 9
  Trunking or Routing Configuration 9
  Configure Switch Device Module 10
  Summary 10
  How Do I... 10
    How Do I Configure a Static Route? 10
    How Do I View Activity on My LAN Interface? 11
    How Do I Enable or Disable an Interface? 12
    How Do I View the IOS Commands I Am Sending to the Router? 12
    How Do I Launch the Wireless Application from SDM? 13

Create Connection Wizards 1
  Create Connection 1
  WAN Wizard Interface Welcome Window 2
  ISDN Wizard Welcome Window 3
  Analog Modem Welcome Window 3
  Aux Backup Welcome Window 3
  Select Interface 4
  Encapsulation: PPPoE 4
  IP Address: ATM or Ethernet with PPPoE/PPPoA 4
  IP Address: ATM with RFC 1483 Routing 5
  IP Address: Ethernet without PPPoE 6
  IP Address: Serial with Point-to-Point Protocol 6
  IP Address: Serial with HDLC or Frame Relay 7
  IP Address: ISDN BRI or Analog Modem 8
  Authentication 9
  Switch Type and SPIDs 9
  Dial String 11
  Backup Configuration 11
  Backup Configuration: Primary Interface & Next Hop IP Addresses 12
  Backup Configuration: Hostname or IP Address to be Tracked 12
  Advanced Options 13
  Encapsulation 13
  PVC 15
  Configure LMI and DLCI 16
  Configure Clock Settings 17
  Delete Connection 19
  Summary 21
  Connectivity testing and troubleshooting 22
  How Do I... 26
    How Do I View the IOS Commands I Am Sending to the Router? 26
    How Do I Configure an Unsupported WAN Interface? 26
    How Do I Enable or Disable an Interface? 26
    How Do I View Activity on My WAN Interface? 27
    How Do I Configure NAT on a WAN Interface? 27
    How Do I Configure NAT on an Unsupported Interface? 28
    How Do I Configure a Dynamic Routing Protocol? 28
    How Do I Configure Dial-on-Demand Routing for my ISDN or Asynchronous Interface? 29
    How Do I Edit a Radio Interface Configuration? 30

Edit Interface/Connection 1
  Connection: Ethernet for IRB 6
  Connection: Ethernet for Routing 7
  Existing Dynamic DNS Methods 8
  Add Dynamic DNS Method 8
  Wireless 10
  Association 10
  NAT 12
  Edit Switch Port 12
  General 13
  QoS 15
  Select Ethernet Configuration Type 16
  Connection: VLAN 16
  Connection: Subinterfaces 17
  Add or Edit BVI Interface 18
  Add Loopback Interface/Connection—Loopback 18
  Connection: Ethernet LAN 19
  Connection: Ethernet WAN 20
  Ethernet Properties 21
  Connection: Ethernet with No Encapsulation 22
  Connection: ADSL 23
  Connection: ADSL over ISDN 26
  Connection: G.SHDSL 28
  Configure DSL Controller 32
  Connection: G.SHDSL with DSL Controller 34
  Connection: Serial Interface, Frame Relay Encapsulation 36
  Connection: Serial Interface, PPP Encapsulation 39
  Connection: Serial Interface, HDLC Encapsulation 41
  Add or Edit GRE Tunnel 42
  Connection: ISDN BRI 44
  Connection: Analog Modem 47
  Connection: (AUX Backup) 49
  Authentication 51
  SPID Details 52
  Dialer Options 53
  Backup Configuration 55

Create Firewall 1
  Basic Firewall Configuration Wizard 4
    Basic Firewall Interface Configuration 4
    Firewall Remote Management Access 4
  Advanced Firewall Configuration Wizard 5
    Advanced Firewall Interface Configuration 5
    Advanced Firewall DMZ Service Configuration 6
    DMZ Service Configuration 7
    Advanced Firewall Inspection Rule Configuration 7
    Application Security Configuration 9
    Domain Name Server Configuration 10
    Summary 10
  How Do I... 11
    How Do I View Activity on My Firewall? 12
    How Do I Configure a Firewall on an Unsupported Interface? 13
    How Do I Configure a Firewall After I Have Configured a VPN? 14
    How Do I Permit Specific Traffic Through a DMZ Interface? 15
    How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? 16
    How Do I Configure NAT on an Unsupported Interface? 16
    How Do I Configure NAT Passthrough for a Firewall? 17
    How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? 17
    How Do I Associate a Rule with an Interface? 19
    How Do I Disassociate an Access Rule from an Interface? 19
    How Do I Delete a Rule That Is Associated with an Interface? 20
    How Do I Create an Access Rule for a Java List? 20
    How Do I Permit Specific Traffic onto My Network if I Don't Have a DMZ Network? 21

Firewall Policy 1
  Edit Firewall Policy/ACL 1
    Add App-Name Application Entry 11
    Add rpc Application Entry 11
    Add Fragment application entry 12
    Add or Edit http Application Entry 13
    Java Applet Blocking 14
    SDM Warning: Inspection Rule 15
    SDM Warning: Firewall 16

Application Security 17
  Application Security Windows 17
  No Application Security Policy 19
  E-mail 20
  HTTP 21
    Header Options 23
    Content Options 23
  Instant Messaging 25
  Point-to-Point Applications 25
  Applications/Protocols 26
  Global Timeouts and Thresholds 27
  Associate Policy with an Interface 29
  Edit Inspection Rule 30
  Permit, Block, and Alarm Controls 31

Site-to-Site VPN 33
  Create Site to Site VPN 33
    Site-to-Site VPN Wizard 36
    View Defaults 37
    VPN Connection Information 38
    IKE Proposals 40
    Transform Set 43
    Traffic to Protect 45
    Summary of the Configuration 46
    Spoke Configuration 47
    Secure GRE Tunnel (GRE-over-IPSec) 48
    GRE Tunnel Information 48
    VPN Authentication Information 49
    Backup GRE Tunnel Information 51
    Routing Information 52
    Static Routing Information 53
    Select Routing Protocol 54
    Summary of Configuration 55
  Edit Site-to-Site VPN 55
    Add new connection 58
    Add Additional Crypto Maps 59
    Crypto Map Wizard: Welcome 60
    Crypto Map Wizard: General 60
    Crypto Map Wizard: Peers 62
    Crypto Map Wizard: Transform Set 62
    Crypto Map Wizard: Traffic to Protect 63
    Crypto Map Wizard: Summary of the configuration 64
    Delete Connection 65
    Ping 65
    Generate Mirror... 66
    SDM Warning: NAT Rules with ACL 67
  How Do I... 67
    How Do I Create a VPN to More Than One Site? 68
    After Configuring a VPN, How Do I Configure the VPN on the Peer Router? 70
    How Do I Edit an Existing VPN Tunnel? 71
    How Do I Confirm That My VPN Is Working? 72
    How Do I Configure a Backup Peer for My VPN? 73
    How Do I Accommodate Multiple Devices with Different Levels of VPN Support? 73
    How Do I Configure a VPN on an Unsupported Interface? 74
    How Do I Configure a VPN After I Have Configured a Firewall? 75
    How Do I Configure NAT Passthrough for a VPN? 75

Easy VPN Remote 77
  Create Easy VPN Remote 77
    Configure an Easy VPN Remote Client 77
    Connection Settings 78
    Authentication 79
    Interfaces 80
    Summary of Configuration 82
  Edit Easy VPN Remote 83
    Add or Edit Easy VPN Remote 89
    Add or Edit Easy VPN Remote: Easy VPN Settings 91
    Add or Edit Easy VPN Remote: Authentication Information 94
    Enter SSH Credentials 95
    XAuth Login Window 96
    Add or Edit Easy VPN Remote: General Settings 96
    Network Extension Options 98
    Add or Edit Easy VPN Remote: Authentication Information 98
    Add or Edit Easy VPN Remote: Interfaces and Connections 100
  How Do I... 101
    How Do I Edit an Existing Easy VPN Connection? 102
    How Do I Configure a Backup for an Easy VPN Connection? 102

Easy VPN Server 105
  Create an Easy VPN Server 105
    Welcome to the Easy VPN Server Wizard 106
    Interface and Authentication 106
    Group Authorization: Group Policy Lookup 107
    User Authentication (XAuth) 108
    User Accounts for XAuth 109
    Add RADIUS Server 109
    Group Authorization: User Group Policies 110
    General Group Information 111
    DNS and WINS Configuration 112
    Split Tunneling 113
    Client Settings 115
    Choose Browser Proxy Settings 117
    Add or Edit Browser Proxy Settings 117
    User Authentication (XAuth) 119
    Client Update 120
    Add or Edit Client Update Entry 121
    Summary 121
    Browser Proxy Settings 122
  Add or Edit Easy VPN Server 123
    Add or Edit Easy VPN Server Connection 125
    Restrict Access 126
  Group Policies Configuration 126
  Local Pools 129
    Add or Edit IP Local Pool 130
    Add IP Address Range 130

DMVPN 1
  Dynamic Multipoint VPN 1
  Dynamic Multipoint VPN (DMVPN) Hub Wizard 2
    Type of Hub 3
    Configure Pre-Shared Key 3
    Hub GRE Tunnel Interface Configuration 4
    Advanced Configuration for the Tunnel Interface 5
    Primary Hub 6
    Select Routing Protocol 7
    Routing Information 7
  Dynamic Multipoint VPN (DMVPN) Spoke Wizard 9
    DMVPN Network Topology 9
    Specify Hub Information 10
    Spoke GRE Tunnel Interface Configuration 10
    SDM Warning: DMVPN Dependency 11
  Edit Dynamic Multipoint VPN (DMVPN) 12
    General Panel 14
    NHRP Panel 15
    NHRP Map Configuration 16
    Routing Panel 17
  How Do I Configure a DMVPN Manually? 19

VPN Global Settings 21
  VPN Global Settings 21
    VPN Global Settings: IKE 23
    VPN Global Settings: IPSec 24
    VPN Key Encryption Settings 25

IP Security 27
  IPSec Policies 27
    Add or Edit IPSec Policy 29
    Add or Edit Crypto Map: General Panel 31
    Add or Edit Crypto Map: Peer Information Panel 32
    Add or Edit Crypto Map: Transform Sets Panel 32
    Add or Edit Crypto Map: IPSec Rules Panel 34
  Dynamic Crypto Map Sets 35
    Add or Edit Dynamic Crypto Map Set 35
    Associate Crypto Map with this IPSec Policy 36
  IPSec Profiles 36
    Add or Edit IPSec Profile and Add Dynamic Crypto Map 37
  Transform Set 37
    Add or Edit Transform Set 40
  IPSec Rules 43

Internet Key Exchange 45
  Internet Key Exchange (IKE) 45
  IKE Policies 46
    Add or Edit IKE Policy 48
  IKE Pre-shared Keys 50
    Add or Edit Pre Shared Key 51

VPN Troubleshooting 53
  VPN Troubleshooting 53
  VPN Troubleshooting: Specify Easy VPN Client 55
  VPN Troubleshooting: Generate Traffic 56
  VPN Troubleshooting: Generate GRE Traffic 57
  SDM Warning: SDM will enable router debugs... 58

Security Audit 1
  Welcome Page 4
  Interface Selection Page 4
  Report Card Page 5
  Fix It Page 5
    Disable Finger Service 6
    Disable PAD Service 7
    Disable TCP Small Servers Service 7
    Disable UDP Small Servers Service 8
    Disable IP BOOTP Server Service 8
    Disable IP Identification Service 9
    Disable CDP 9
    Disable IP Source Route 10
    Enable Password Encryption Service 10
    Enable TCP Keepalives for Inbound Telnet Sessions 11
    Enable TCP Keepalives for Outbound Telnet Sessions 11
    Enable Sequence Numbers and Time Stamps on Debugs 11
    Enable IP CEF 12
    Disable IP Gratuitous ARPs 12
    Set Minimum Password Length to Less Than 6 Characters 12
    Set Authentication Failure Rate to Less Than 3 Retries 13
    Set TCP Synwait Time 13
    Set Banner 14
    Enable Logging 14
    Set Enable Secret Password 15
    Disable SNMP 15
    Set Scheduler Interval 16
    Set Scheduler Allocate 16
    Set Users 17
    Enable Telnet Settings 17
    Enable NetFlow Switching 17
    Disable IP Redirects 18
    Disable IP Proxy ARP 18
    Disable IP Directed Broadcast 19
    Disable MOP Service 20
    Disable IP Unreachables 20
    Disable IP Mask Reply 20
    Disable IP Unreachables on NULL Interface 21
    Enable Unicast RPF on Outside Interfaces 22
    Enable Firewall on All of the Outside Interfaces 22
    Set Access Class on HTTP Server Service 23
    Set Access Class on VTY Lines 23
    Enable SSH for Access to the Router 24
    Enable AAA 24
  Configuration Summary Screen 25
  SDM and Cisco IOS AutoSecure 25
  Security Configurations SDM Can Undo 27
  Undoing Security Audit Fixes 28
  Add or Edit Telnet/SSH Account Screen 28
  Configure User Accounts for Telnet/SSH Page 29
  Enable Secret and Banner Page 30
  Logging Page 31

Routing 1
  Add or Edit IP Static Route 3
  Add or Edit an RIP Route 5
  Add or Edit an OSPF Route 5
  Add or Edit EIGRP Route 7

Network Address Translation 1
  Network Address Translation Wizards 1
    Basic NAT Wizard: Welcome 2
    Basic NAT Wizard: Connection 2
    Summary 3
    Advanced NAT Wizard: Welcome 3
    Advanced NAT Wizard: Connection 4
    Add IP Address 4
    Advanced NAT Wizard: Networks 4
    Add Network 5
    Advanced NAT Wizard: Server Public IP Addresses 5
    Add or Edit Address Translation Rule 6
    Advanced NAT Wizard: VPN Conflict 8
    Details 8
  Network Address Translation Rules 8
    Designate NAT Interfaces 12
    Translation Timeout Settings 12
    Edit Route Map 14
    Edit Route Map Entry 15
    Address Pools 15
    Add or Edit Address Pool 16
    Add or Edit Static Address Translation Rule: Inside to Outside 17
    Add or Edit Static Address Translation Rule: Outside to Inside 20
    Add or Edit Dynamic Address Translation Rule: Inside to Outside 23
    Add or Edit Dynamic Address Translation Rule: Outside to Inside 26
  How Do I... 28
    How Do I Configure NAT With One LAN and Multiple WANs? 28

Intrusion Prevention System 31
  IPS Rules 32
    Create IPS Rule 32
    Welcome to the IPS Rule Configuration Wizard 33
    Select Interfaces 33
    SDF Location 33
    IPS Rule Wizard Summary 34
    IPS Rules Configuration 34
    Enable or Edit IPS on an Interface 37
    Import Signatures 38
    File Selection 39
    Welcome to the IPS Signature Import Wizard 40
    Signature Definition File (SDF) and Signature Selection 40
    Signature Filter 40
    Signature Edit 41
    Signature Import Wizard Summary 41
    Signatures 42
    Assign Actions 46
    Import Signatures 46
    Add, Edit, or Clone Signature 48
    Add or Edit a Signature Location 49
    Cisco Intrusion Prevention Alert Center 50
    IPS-Supplied Signature Definition Files 50
  Global Settings 51
    Edit Global Settings 53
  SDEE Messages 54
    SDEE Message Text 55

Network Module Management 1
  IDS Network Module Management 1
    IDS Sensor Interface IP Address 3
    IP Address Determination 4
    IDS NM Configuration Checklist 5
    IDS NM Interface Monitoring Configuration 7
    Network Module Login 7
    Feature Unavailable 7
  Switch Module Interface Selection 8

Quality of Service 9
  Create QoS Policy 9
    QoS Wizard 10
    Interface Selection 10
    QoS Policy Generation 10
    View QoS Class Details 12
    Summary of the configuration 13
  Edit QoS Policy 13
    Edit QoS Class 15
    Add a Protocol 17
    Interface Association 18
  QoS Status 18

Network Admission Control 21
  Create NAC Tab 21
    Other Tasks in a NAC Implementation 22
    Welcome 23
    RADIUS Server 23
    Select the Interface(s) 25
    NAC Exception List 25
    Configure Exception List Entry Dialog 26
    Policy List 27
    Add Exception Policy 27
    Agentless Host Policy 28
    NAC Router Management Access 29
    Open Interface ACL 29
    Details Window 30
    Summary of the configuration 30
  Edit NAC Tab 31
    EAPoUDP Components 31
    Exception List Window 32
    Exception Policies Window 32
    EAPoUDP Timeouts 33
    Configure a NAC Policy 34
  How Do I... 35
    How Do I Configure a NAC Policy Server? 35
    How Do I Install and Configure a Posture Agent on a Host? 35

Router Properties 1
  Device Properties 1
  Date and Time: Clock Properties 2
    Date and Time Properties 3
    NTP 4
    Add or Edit NTP Server Details 5
    SNTP 7
    Add an NTP Server 7
  Syslog 8
  SNMP 8
  Router Access 10
    User Accounts: Configure User Accounts for Router Access 10
    Add or Edit a Username 11
    View Password 13
    VTYs 13
    Edit VTY Lines 14
    Configure Management Access Policies 15
    Add or Edit a Management Policy 17
    Management Access Error Messages 18
    SDM Warning: ANY Not Allowed 18
    SDM Warning: Unsupported Access Control Entry 19
    SDM Warning: SDM Not Allowed 19
    SDM Warning: Current Host Not Allowed 19
    SSH 20
  DHCP Configuration 21
    DHCP Pools 21
    Add or Edit DHCP Pool 22
    DHCP Bindings 23
    Add or Edit DHCP Binding 24
  DNS Properties 26
  Dynamic DNS Methods 26
    Add or Edit Dynamic DNS Method 27

ACL Editor 1
  Useful Procedures for Access Rules and Firewalls 2
  Rules Windows 3
    Add or Edit a Rule 7
    Associate with an Interface 9
    Add a Standard Rule Entry 11
    Add an Extended Rule Entry 13
    Select a Rule 16

Port-to-Application Mapping 19
  Port-to-Application Mappings 19
    Add or Edit Port Map Entry 21

Authentication, Authorization, and Accounting 23
  AAA Main Window 23
  AAA Servers and Groups 24
    AAA Servers Window 25
    Add or Edit a TACACS+ Server 26
    Add or Edit a RADIUS Server 27
    Edit Global Settings 27
    AAA Server Groups Window 28
  Authentication and Authorization Policies 29
    Authentication and Authorization Windows 29
    Authentication NAC 30
    Add or Edit a Method List for Authentication or Authorization 31

Router Provisioning 33
  Router Provisioning from USB 33

Public Key Infrastructure 35
  Certificate Wizards 35
    Welcome to the SCEP Wizard 37
    Certificate Authority (CA) Information 37
    Advanced Options 39
    Certificate Subject Name Attributes 39
    Other Subject Attributes 40
    RSA Keys 41
    Summary 42
    Enrollment Status 43
    Cut and Paste Wizard Welcome 43
    Enrollment Task 43
    Enrollment Request 44
    Continue with Unfinished Enrollment 44
    Import CA certificate 45
    Import Router Certificate(s) 46
  Digital Certificates 46
    Trustpoint Information 48
    Certificate Details 48
    Revocation Check 49
    Revocation Check, CRL Only 49
  RSA Keys Window 50
    Generate RSA Key Pair 51
  USB Tokens 52
    Add or Edit USB Token 53
  SDP Troubleshooting Tips 55
  Open Firewall 56
    Open Firewall Details 57

Resetting to Factory Defaults 1
  This Feature Not Supported 4

More About.... 1
  IP Addresses and Subnet Masks 1
  Host and Network Fields 3
  Available Interface Configurations 4
  DHCP Address Pools 5
  Meanings of the Permit and Deny Keywords 6
  Services and Ports 6
  More About NAT 13
    Static Address Translation Scenarios 13
    Dynamic Address Translation Scenarios 16
    Reasons that SDM Cannot Edit a NAT Rule 17
  More About VPN 18
    Cisco.com Resources 18
    More about VPN Connections and IPSec Policies 19
    More About IKE 21
    More About IKE Policies 22
    Allowable Transform Combinations 23
  Reasons Why a Serial Interface or Subinterface Configuration May Be Read-Only 24
  Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only 25
  Reasons Why an Ethernet Interface Configuration May Be Read-Only 26
  Reasons Why an ISDN BRI Interface Configuration May Be Read-Only 27
  Reasons Why an Analog Modem Interface Configuration May Be Read-Only 28
  Firewall Policy Use Case Scenario 29
  DMVPN Configuration Recommendations 32
  SDM White Papers 34

Getting Started 1
  What's New in this Release? 2
  Cisco IOS Versions Supported 2

Viewing Router Information 1
  Overview 2
  Interface Status 6
  VPN Status 8
  Firewall Status 13
  Application Security Log 14
  NAC Status 15
  Logging 17

File Menu Commands 1
  Save Running Config to PC 1
  Deliver Configuration to Router 1
  Write to Startup Config 2
  Reset to Factory Defaults 2
  File Management 2
    Rename 4
    New Folder 5
  Save SDF to PC 5
  Exit 5
  Unable to perform 'squeeze flash' 5

Edit Menu Commands 9
  Preferences 9

View Menu Commands 1
  Home 1
  Configure 1
  Monitor 1
  Running Config 2
  Show Commands 2
  SDM Default Rules 2
  Refresh 3

Tools Menu Commands 1
  Ping 1
  Telnet 1
  Security Audit 1
  USB Token PIN Settings 2
  Update SDM 3

Help Menu Commands 1
  Help Topics 1
  SDM on CCO 1
  About this router... 1
  About SDM 1

CHAPTER 1

Home Page

The home page supplies basic information about the router's hardware, software, and configuration. This page contains the following sections:
Host Name

The configured name of the router.

About Your Router

Shows basic information about your router hardware and software, and contains the following fields:

Hardware
  Model Type: Shows the router model number.
  Available/Total Memory: Available RAM/Total RAM.
  Total Flash Capacity: Flash plus Webflash (if applicable).

Software
  IOS Version: The version of Cisco IOS software that is currently running on the router.
  SDM Version: The version of Cisco Router and Security Device Manager (SDM) software that is currently running on the router.
  Feature Availability: The features available in the Cisco IOS image the router is using are designated by a check. The features SDM checks for are: IP, Firewall, VPN, IPS, and NAC.

More...

The More... link displays a popup window providing additional hardware and software details.

Hardware Details: In addition to the information presented in the About Your Router section, this tab displays information about:
  Where the router boots from: Flash or Configuration File.
  Whether the router has accelerators, such as VPN accelerators.
  A diagram of the hardware configuration, including flash memory and installed devices such as USB flash and USB tokens.

Software Details: In addition to the information presented in the About Your Router section, this tab displays information about:
  The feature sets included in the IOS image.
  The version of SDM running.

Configuration Overview

This section of the home page summarizes the configuration settings that have been made.

Note: If you do not see feature information described in this help topic on the home page, the Cisco IOS image does not support the feature. For example, if the router is running a Cisco IOS image that does not support security features, the Firewall Policy, VPN, and Intrusion Prevention sections do not appear on the home page.

View Running Config

Click this button to display the router's running configuration.

Double-arrow head: Click to display/hide details.
Interfaces and Connections

  Up (n): The number of LAN and WAN connections that are up.
  Down (n): The number of LAN and WAN connections that are down.
  Total Supported LAN: The total number of LAN interfaces that are present in the router.
  Configured LAN Interface: The number of supported LAN interfaces currently configured on the router.
  Total Supported WAN: The number of SDM-supported WAN interfaces that are present on the router.
  Total WAN Connections: The total number of SDM-supported WAN connections that are present on the router.
  DHCP Server: Configured/Not Configured.
  DHCP Pool (Detail view): If one pool is configured, the starting and ending address of the DHCP pool. If multiple pools are configured, the list of configured pool names.
  Number of DHCP Clients (Detail view): The current number of clients leasing addresses.

Interface table columns:
  Interface: Name of the configured interface.
  Type: Interface type.
  IP/Mask: IP address and subnet mask.
  Description: Description of the interface.
Firewall Policies

  Active/Inactive: Active means a firewall is in place. Inactive means no firewall is in place.
  Trusted (n): The number of trusted (inside) interfaces.
  Untrusted (n): The number of untrusted (outside) interfaces.
  DMZ (n): The number of DMZ interfaces.

Firewall table columns:
  Interface: The name of the interface to which a firewall has been applied.
  Firewall Icon: Whether the interface is designated as an inside or an outside interface.
  NAT: The name or number of the NAT rule applied to this interface.
  Inspection Rule: The names or numbers of the inbound and outbound inspection rules.
  Access Rule: The names or numbers of the inbound and outbound access rules.
VPN

  Up (n): The number of active VPN connections.
  IPSec (Site-to-Site): The number of configured site-to-site VPN connections.
  GRE over IPSec: The number of configured GRE over IPSec connections.
  Xauth Login Required: The number of Easy VPN connections awaiting an Xauth login. See note.
  Easy VPN Remote: The number of configured Easy VPN Remote connections.
  No. of DMVPN Clients: If the router is configured as a DMVPN hub, the number of DMVPN clients.
  No. of Active VPN clients: If this router is functioning as an Easy VPN Server, the number of Easy VPN clients with active connections.

VPN table columns:
  Interface: The name of an interface with a configured VPN connection.
  Type: The type of VPN connection configured on the interface.
  IPSec Policy: The name of the IPSec policy associated with the VPN connection.
  Description: A description of the connection.

Note: Some VPN servers or concentrators authenticate clients using Extended Authentication (XAuth). This field shows the number of VPN tunnels awaiting an XAuth login. If any Easy VPN tunnel awaits XAuth login, a separate message panel is shown with a Login button. Clicking Login allows you to enter the credentials for the tunnel.

If XAuth has been configured for a tunnel, the tunnel will not begin to function until the login and password have been supplied. There is no timeout after which it will stop waiting; it will wait indefinitely for this information.
NAC Policies

  Active or Inactive.
  Interface column: The name of the interface to which the policy is applied. For example, FastEthernet 0, or Ethernet 0/0.
  NAC Policy column: The name of the NAC policy.

Routing

  No. of Static Routes: The number of static routes configured on the router.
  Dynamic Routing Protocols: Lists any dynamic routing protocols that are configured on the router.

Intrusion Prevention

  Active Signatures: The number of active signatures the router is using. These may be built in, or they may be loaded from a remote location.
  No. of IPS-enabled interfaces: The number of router interfaces on which IPS has been enabled.