Cisco Router and Security Device User Manual

Cisco Router and Security Device Manager User’s Guide 2.5
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 527-0883
Customer Order Number:
Text Part Number: OL-4015-12
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Router and Security Device Manager 2.5 User’s Guide
© 2007 Cisco Systems, Inc. All rights reserved.
Home Page 1
Creating a New Connection 1
Creating a New Connection 1
New Connection Reference 2
Create Connection 2
Additional Procedures 3
How Do I Configure a Static Route? 4
How Do I View Activity on My LAN Interface? 4
How Do I Enable or Disable an Interface? 5
How Do I View the IOS Commands I Am Sending to the Router? 5
How Do I Launch the Wireless Application from Cisco SDM? 6
How Do I Configure an Unsupported WAN Interface? 6
How Do I Enable or Disable an Interface? 7
How Do I View Activity on My WAN Interface? 7
How Do I Configure NAT on a WAN Interface? 8
How Do I Configure NAT on an Unsupported Interface? 9
How Do I Configure a Dynamic Routing Protocol? 9
How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface? 10
How Do I Edit a Radio Interface Configuration? 11

CONTENTS

LAN Wizard 1
Ethernet Configuration 2
LAN Wizard: Select an Interface 2
LAN Wizard: IP Address and Subnet Mask 3
LAN Wizard: Enable DHCP Server 3
LAN Wizard: DHCP Address Pool 4
DHCP Options 4
LAN Wizard: VLAN Mode 5
LAN Wizard: Switch Port 6
IRB Bridge 7
BVI Configuration 8
DHCP Pool for BVI 8
IRB for Ethernet 9
Layer 3 Ethernet Configuration 9
802.1Q Configuration 10
Trunking or Routing Configuration 10
Configure Switch Device Module 10
Configure Gigabit Ethernet Interface 11
Summary 11
802.1x Authentication 1
LAN Wizard: 802.1x Authentication (Switch Ports) 1
Advanced Options 2
LAN Wizard: RADIUS Servers for 802.1x Authentication 4
Edit 802.1x Authentication (Switch Ports) 6
LAN Wizard: 802.1x Authentication (VLAN or Ethernet) 7
802.1x Exception List 8
802.1x Authentication on Layer 3 Interfaces 9
Edit 802.1x Authentication 10
How Do I... 11
How Do I Configure 802.1x Authentication on More Than One Ethernet Port? 11
Configuring WAN Connections 1
Configuring an Ethernet WAN Connection 1
Ethernet WAN Connection Reference 2
WAN Wizard Interface Welcome Window 2
Select Interface 3
IP Address: Ethernet without PPPoE 3
Encapsulation: PPPoE 4
Summary 5
Advanced Options 5
Configuring a Serial Connection 6
Serial Connection Reference 7
IP Address: Serial with Point-to-Point Protocol 7
IP Address: Serial with HDLC or Frame Relay 8
Authentication 9
Configure LMI and DLCI 10
Configure Clock Settings 11
Configuring a DSL Connection 13
DSL Connection Reference 14
IP Address: ATM or Ethernet with PPPoE/PPPoA 14
IP Address: ATM with RFC 1483 Routing 15
Encapsulation Autodetect 16
PVC 18
Configuring an ISDN Connection 20
ISDN Connection Reference 20
ISDN Wizard Welcome Window 21
IP Address: ISDN BRI or Analog Modem 21
Switch Type and SPIDs 22
Dial String 23
Configuring an Aux Backup Connection 24
Aux Backup Connection Reference 24
Aux Backup Welcome Window 25
Backup Configuration 25
Backup Configuration: Primary Interface and Next Hop IP Addresses 26
Backup Configuration: Hostname or IP Address to Be Tracked 27
Configuring an Analog Modem Connection 27
Analog Modem Connection Reference 28
Analog Modem Welcome 28
Configuring a Cable Modem Connection 29
Cable Modem Connection Reference 29
Cable Modem Connection Wizard Welcome 30
Select Interface 30
Summary 30
Edit Interface/Connection 1
Connection: Ethernet for IRB 5
Connection: Ethernet for Routing 6
Existing Dynamic DNS Methods 7
Add Dynamic DNS Method 7
Wireless 9
Association 9
NAT 11
Edit Switch Port 12
Application Service 13
General 14
Select Ethernet Configuration Type 16
Connection: VLAN 17
Subinterfaces List 17
Add or Edit BVI Interface 18
Add or Edit Loopback Interface 18
Connection: Virtual Template Interface 19
Connection: Ethernet LAN 19
Connection: Ethernet WAN 20
Connection: Ethernet Properties 22
Connection: Ethernet with No Encapsulation 24
Connection: ADSL 25
Connection: ADSL over ISDN 28
Connection: G.SHDSL 30
Connection: Cable Modem 34
Configure DSL Controller 35
Add a G.SHDSL Connection 37
Connection: Serial Interface, Frame Relay Encapsulation 40
Connection: Serial Interface, PPP Encapsulation 43
Connection: Serial Interface, HDLC Encapsulation 45
Add or Edit GRE Tunnel 46
Connection: ISDN BRI 48
Connection: Analog Modem 51
Connection: (AUX Backup) 53
Authentication 55
SPID Details 56
Dialer Options 57
Backup Configuration 59
Delete Connection 60
Connectivity Testing and Troubleshooting 62
Wide Area Application Services 1
Configuring a WAAS Connection 2
WAAS Reference 3
NM WAAS 4
Integrated Service Engine 6
WCCP 7
Central Manager Registration 8
Create Firewall 1
Basic Firewall Configuration Wizard 4
Basic Firewall Interface Configuration 4
Configuring Firewall for Remote Access 5
Advanced Firewall Configuration Wizard 5
Advanced Firewall Interface Configuration 5
Advanced Firewall DMZ Service Configuration 6
DMZ Service Configuration 7
Application Security Configuration 8
Domain Name Server Configuration 9
URL Filter Server Configuration 9
Select Interface Zone 9
ZPF Inside Zones 10
Voice Configuration 10
Summary 11
SDM Warning: SDM Access 13
How Do I... 15
How Do I View Activity on My Firewall? 15
How Do I Configure a Firewall on an Unsupported Interface? 17
How Do I Configure a Firewall After I Have Configured a VPN? 17
How Do I Permit Specific Traffic Through a DMZ Interface? 18
How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? 19
How Do I Configure NAT on an Unsupported Interface? 19
How Do I Configure NAT Passthrough for a Firewall? 20
How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? 20
How Do I Associate a Rule with an Interface? 22
How Do I Disassociate an Access Rule from an Interface? 22
How Do I Delete a Rule That Is Associated with an Interface? 23
How Do I Create an Access Rule for a Java List? 23
How Do I Permit Specific Traffic onto My Network if I Don’t Have a DMZ Network? 24
Firewall Policy 1
Edit Firewall Policy/ACL 1
Choose a Traffic Flow 3
Examine the Traffic Diagram and Choose a Traffic Direction 4
Make Changes to Access Rules 6
Make Changes to Inspection Rules 10
Add App-Name Application Entry 12
Add rpc Application Entry 12
Add Fragment Application Entry 13
Add or Edit http Application Entry 14
Java Applet Blocking 15
Cisco SDM Warning: Inspection Rule 16
Cisco SDM Warning: Firewall 17
Edit Firewall Policy 17
Add a New Rule 21
Add Traffic 22
Application Inspection 23
URL Filter 24
Quality of Service 24
Inspect Parameter 24
Select Traffic 24
Delete Rule 25
Application Security 1
Application Security Windows 1
No Application Security Policy 3
E-mail 4
Instant Messaging 5
Peer-to-Peer Applications 6
URL Filtering 7
HTTP 8
Header Options 9
Content Options 10
Applications/Protocols 12
Timeouts and Thresholds for Inspect Parameter Maps and CBAC 13
Associate Policy with an Interface 16
Edit Inspection Rule 16
Permit, Block, and Alarm Controls 17
Site-to-Site VPN 1
VPN Design Guide 1
Create Site to Site VPN 1
Site-to-Site VPN Wizard 4
View Defaults 5
VPN Connection Information 6
IKE Proposals 8
Transform Set 11
Traffic to Protect 13
Summary of the Configuration 14
Spoke Configuration 15
Secure GRE Tunnel (GRE-over-IPSec) 16
GRE Tunnel Information 16
VPN Authentication Information 17
Backup GRE Tunnel Information 18
Routing Information 19
Static Routing Information 20
Select Routing Protocol 22
Summary of Configuration 23
Edit Site-to-Site VPN 23
Add New Connection 26
Add Additional Crypto Maps 26
Crypto Map Wizard: Welcome 27
Crypto Map Wizard: Summary of the Configuration 28
Delete Connection 28
Ping 29
Generate Mirror... 29
Cisco SDM Warning: NAT Rules with ACL 30
How Do I... 31
How Do I Create a VPN to More Than One Site? 31
After Configuring a VPN, How Do I Configure the VPN on the Peer Router? 33
How Do I Edit an Existing VPN Tunnel? 34
How Do I Confirm That My VPN Is Working? 35
How Do I Configure a Backup Peer for My VPN? 36
How Do I Accommodate Multiple Devices with Different Levels of VPN Support? 36
How Do I Configure a VPN on an Unsupported Interface? 37
How Do I Configure a VPN After I Have Configured a Firewall? 38
How Do I Configure NAT Passthrough for a VPN? 38
Easy VPN Remote 1
Creating an Easy VPN Remote Connection 2
Create Easy VPN Remote Reference 3
Create Easy VPN Remote 4
Configure an Easy VPN Remote Client 5
Easy VPN Remote Wizard: Network Information 5
Easy VPN Remote Wizard: Identical Address Configuration 6
Easy VPN Remote Wizard: Interfaces and Connection Settings 7
Easy VPN Remote Wizard: Server Information 9
Easy VPN Remote Wizard: Authentication 11
Easy VPN Remote Wizard: Summary of Configuration 13
Administering Easy VPN Remote Connections 14
Editing an Existing Easy VPN Remote Connection 15
Creating a New Easy VPN Remote Connection 15
Deleting an Easy VPN Remote Connection 16
Resetting an Established Easy VPN Remote Connection 16
Connecting to an Easy VPN Server 17
Connecting Other Subnets to the VPN Tunnel 17
Administering Easy VPN Remote Reference 18
Edit Easy VPN Remote 18
Add or Edit Easy VPN Remote 23
Add or Edit Easy VPN Remote: General Settings 25
Network Extension Options 28
Add or Edit Easy VPN Remote: Easy VPN Settings 28
Add or Edit Easy VPN Remote: Authentication Information 30
Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication 33
Add or Edit Easy VPN Remote: Interfaces and Connections 35
Add or Edit Easy VPN Remote: Identical Addressing 37
Easy VPN Remote: Add a Device 39
Enter SSH Credentials 39
XAuth Login Window 40
Other Procedures 40
How Do I Edit an Existing Easy VPN Connection? 40
How Do I Configure a Backup for an Easy VPN Connection? 41
Easy VPN Server 1
Creating an Easy VPN Server Connection 1
Create an Easy VPN Server Reference 3
Create an Easy VPN Server 4
Welcome to the Easy VPN Server Wizard 4
Interface and Authentication 4
Group Authorization and Group Policy Lookup 5
User Authentication (XAuth) 6
User Accounts for XAuth 7
Add RADIUS Server 8
Group Authorization: User Group Policies 9
General Group Information 10
DNS and WINS Configuration 11
Split Tunneling 11
Client Settings 12
Choose Browser Proxy Settings 15
Add or Edit Browser Proxy Settings 16
User Authentication (XAuth) 17
Client Update 18
Add or Edit Client Update Entry 19
Cisco Tunneling Control Protocol 20
Summary 21
Browser Proxy Settings 21
Editing Easy VPN Server Connections 23
Edit Easy VPN Server Reference 23
Edit Easy VPN Server 24
Add or Edit Easy VPN Server Connection 25
Restrict Access 26
Group Policies Configuration 26
IP Pools 29
Add or Edit IP Local Pool 29
Add IP Address Range 30
Enhanced Easy VPN 1
Interface and Authentication 1
RADIUS Servers 2
Group Authorization and Group User Policies 4
Add or Edit Easy VPN Server: General Tab 5
Add or Edit Easy VPN Server: IKE Tab 6
Add or Edit Easy VPN Server: IPSec Tab 8
Create Virtual Tunnel Interface 10
DMVPN 1
Dynamic Multipoint VPN 1
Dynamic Multipoint VPN (DMVPN) Hub Wizard 2
Type of Hub 3
Configure Pre-Shared Key 3
Hub GRE Tunnel Interface Configuration 4
Advanced Configuration for the Tunnel Interface 5
Primary Hub 6
Select Routing Protocol 7
Routing Information 7
Dynamic Multipoint VPN (DMVPN) Spoke Wizard 9
DMVPN Network Topology 9
Specify Hub Information 10
Spoke GRE Tunnel Interface Configuration 10
Cisco SDM Warning: DMVPN Dependency 11
Edit Dynamic Multipoint VPN (DMVPN) 12
General Panel 14
NHRP Panel 15
NHRP Map Configuration 16
Routing Panel 17
How Do I Configure a DMVPN Manually? 19
VPN Global Settings 1
VPN Global Settings 1
VPN Global Settings: IKE 3
VPN Global Settings: IPSec 4
VPN Global Settings: Easy VPN Server 5
VPN Key Encryption Settings 6
IP Security 1
IPSec Policies 1
Add or Edit IPSec Policy 3
Add or Edit Crypto Map: General 5
Add or Edit Crypto Map: Peer Information 6
Add or Edit Crypto Map: Transform Sets 7
Add or Edit Crypto Map: Protecting Traffic 9
Dynamic Crypto Map Sets 11
Add or Edit Dynamic Crypto Map Set 11
Associate Crypto Map with this IPSec Policy 12
IPSec Profiles 12
Add or Edit IPSec Profile 13
Add or Edit IPSec Profile and Add Dynamic Crypto Map 14
Transform Set 15
Add or Edit Transform Set 18
IPSec Rules 20
Internet Key Exchange 1
Internet Key Exchange (IKE) 1
IKE Policies 2
Add or Edit IKE Policy 4
IKE Pre-shared Keys 6
Add or Edit Pre-shared Key 7
IKE Profiles 8
Add or Edit an IKE Profile 9
Public Key Infrastructure 1
Certificate Wizards 1
Welcome to the SCEP Wizard 2
Certificate Authority (CA) Information 3
Advanced Options 4
Certificate Subject Name Attributes 4
Other Subject Attributes 6
RSA Keys 7
Summary 8
CA Server Certificate 9
Enrollment Status 9
Cut and Paste Wizard Welcome 9
Enrollment Task 10
Enrollment Request 10
Continue with Unfinished Enrollment 11
Import CA certificate 12
Import Router Certificate(s) 12
Digital Certificates 13
Trustpoint Information 15
Certificate Details 15
Revocation Check 15
Revocation Check, CRL Only 16
RSA Keys Window 16
Generate RSA Key Pair 17
USB Token Credentials 18
USB Tokens 19
Add or Edit USB Token 20
Open Firewall 22
Open Firewall Details 23
Certificate Authority Server 1
Create CA Server 1
Prerequisite Tasks for PKI Configurations 2
CA Server Wizard: Welcome 3
CA Server Wizard: Certificate Authority Information 3
Advanced Options 5
CA Server Wizard: RSA Keys 7
Open Firewall 8
CA Server Wizard: Summary 8
Manage CA Server 9
Backup CA Server 11
Manage CA Server Restore Window 11
Restore CA Server 11
Edit CA Server Settings: General Tab 12
Edit CA Server Settings: Advanced Tab 13
Manage CA Server: CA Server Not Configured 13
Manage Certificates 13
Pending Requests 13
Revoked Certificates 15
Revoke Certificate 16
Cisco IOS SSL VPN 1
Cisco IOS SSL VPN links on Cisco.com 2
Creating an SSL VPN Connection 2
Create an SSL VPN Connection Reference 3
Create SSL VPN 4
Persistent Self-Signed Certificate 6
Welcome 7
SSL VPN Gateways 7
User Authentication 8
Configure Intranet Websites 10
Add or Edit URL 10
Customize SSL VPN Portal 11
SSL VPN Passthrough Configuration 11
User Policy 12
Details of SSL VPN Group Policy: Policyname 12
Select the SSL VPN User Group 13
Select Advanced Features 13
Thin Client (Port Forwarding) 13
Add or Edit a Server 14
Full Tunnel 15
Locating the Install Bundle for Cisco SDM 16
Enable Cisco Secure Desktop 18
Common Internet File System 19
Enable Clientless Citrix 19
Summary 20
Editing SSL VPN Connections 20
Editing SSL VPN Connection Reference 21
Edit SSL VPN 22
SSL VPN Context 23
Designate Inside and Outside Interfaces 25
Select a Gateway 25
Context: Group Policies 26
Group Policy: General Tab 26
Group Policy: Clientless Tab 27
Group Policy: Thin Client Tab 29
Group Policy: SSL VPN Client (Full Tunnel) Tab 29
Advanced Tunnel Options 31
DNS and WINS Servers 33
Context: HTML Settings 33
Select Color 35
Context: NetBIOS Name Server Lists 35
Add or Edit a NBNS Server List 35
Add or Edit an NBNS Server 36
Context: Port Forward Lists 36
Add or Edit a Port Forward List 36
Context: URL Lists 36
Add or Edit a URL List 37
Context: Cisco Secure Desktop 37
SSL VPN Gateways 37
Add or Edit a SSL VPN Gateway 38
Packages 39
Install Package 40
Additional Help Topics 40
Cisco IOS SSL VPN Contexts, Gateways, and Policies 40
Learn More About Port Forwarding Servers 46
Learn More About Group Policies 47
Learn More About Split Tunneling 48
How Do I Verify That My Cisco IOS SSL VPN Is Working? 49
How Do I Configure a Cisco IOS SSL VPN After I Have Configured a Firewall? 50
How Do I Associate a VRF Instance with a Cisco IOS SSL VPN Context? 50
SSL VPN Enhancements 1
SSL VPN Reference 1
SSL VPN Context: Access Control Lists 1
Add or Edit Application ACL 2
Add ACL Entry 3
Action URL Time Range 4
Add or Edit Action URL Time Range Dialog 5
Add or Edit Absolute Time Range Entry 6
Add or Edit Periodic Time Range Entry 7
VPN Troubleshooting 1
VPN Troubleshooting 1
VPN Troubleshooting: Specify Easy VPN Client 3
VPN Troubleshooting: Generate Traffic 4
VPN Troubleshooting: Generate GRE Traffic 5
Cisco SDM Warning: SDM will enable router debugs... 6
Security Audit 1
Welcome Page 4
Interface Selection Page 4
Report Card Page 5
Fix It Page 5
Disable Finger Service 6
Disable PAD Service 7
Disable TCP Small Servers Service 7
Disable UDP Small Servers Service 8
Disable IP BOOTP Server Service 8
Disable IP Identification Service 9
Disable CDP 9
Disable IP Source Route 10
Enable Password Encryption Service 10
Enable TCP Keepalives for Inbound Telnet Sessions 11
Enable TCP Keepalives for Outbound Telnet Sessions 11
Enable Sequence Numbers and Time Stamps on Debugs 11
Enable IP CEF 12
Disable IP Gratuitous ARPs 12
Set Minimum Password Length to Less Than 6 Characters 12
Set Authentication Failure Rate to Less Than 3 Retries 13
Set TCP Synwait Time 13
Set Banner 14
Enable Logging 14
Set Enable Secret Password 15
Disable SNMP 15
Set Scheduler Interval 16
Set Scheduler Allocate 16
Set Users 17
Enable Telnet Settings 17
Enable NetFlow Switching 17
Disable IP Redirects 18
Disable IP Proxy ARP 18
Disable IP Directed Broadcast 19
Disable MOP Service 20
Disable IP Unreachables 20
Disable IP Mask Reply 20
Disable IP Unreachables on NULL Interface 21
Enable Unicast RPF on Outside Interfaces 22
Enable Firewall on All of the Outside Interfaces 22
Set Access Class on HTTP Server Service 23
Set Access Class on VTY Lines 23
Enable SSH for Access to the Router 24
Enable AAA 24
Configuration Summary Screen 25
Cisco SDM and Cisco IOS AutoSecure 25
Security Configurations Cisco SDM Can Undo 27
Undoing Security Audit Fixes 28
Add or Edit Telnet/SSH Account Screen 28
Configure User Accounts for Telnet/SSH Page 29
Enable Secret and Banner Page 30
Logging Page 31
Routing 1
Add or Edit IP Static Route 3
Add or Edit an RIP Route 5
Add or Edit an OSPF Route 5
Add or Edit EIGRP Route 7
Network Address Translation 1
Network Address Translation Wizards 1
Basic NAT Wizard: Welcome 2
Basic NAT Wizard: Connection 2
Summary 3
Advanced NAT Wizard: Welcome 3
Advanced NAT Wizard: Connection 4
Add IP Address 4
Advanced NAT Wizard: Networks 4
Add Network 5
Advanced NAT Wizard: Server Public IP Addresses 5
Add or Edit Address Translation Rule 6
Advanced NAT Wizard: ACL Conflict 7
Details 8
Network Address Translation Rules 8
Designate NAT Interfaces 12
Translation Timeout Settings 12
Edit Route Map 13
Edit Route Map Entry 14
Address Pools 15
Add or Edit Address Pool 16
Add or Edit Static Address Translation Rule: Inside to Outside 17
Add or Edit Static Address Translation Rule: Outside to Inside 20
Add or Edit Dynamic Address Translation Rule: Inside to Outside 23
Add or Edit Dynamic Address Translation Rule: Outside to Inside 26
How Do I... 28
How Do I Configure Address Translation for Outside to Inside? 28
How Do I Configure NAT With One LAN and Multiple WANs? 29
Cisco IOS IPS 1
Create IPS 2
Create IPS: Welcome 3
Create IPS: Select Interfaces 3
Create IPS: SDF Location 3
Create IPS: Signature File 4
Create IPS: Configuration File Location and Category 5
Add or Edit a Config Location 6
Directory Selection 7
Signature File 7
Create IPS: Summary 8
Edit IPS 9
Edit IPS: IPS Policies 10
Enable or Edit IPS on an Interface 13
Edit IPS: Global Settings 14
Edit Global Settings 16
Add or Edit a Signature Location 17
Edit IPS: SDEE Messages 18
SDEE Message Text 19
Edit IPS: Global Settings 22
Edit Global Settings 23
Edit IPS Prerequisites 24
Add Public Key 25
Edit IPS: Auto Update 25
Edit IPS: SEAP Configuration 27
Edit IPS: SEAP Configuration: Target Value Rating 28
Add Target Value Rating 29
Edit IPS: SEAP Configuration: Event Action Overrides 29
Add or Edit an Event Action Override 31
Edit IPS: SEAP Configuration: Event Action Filters 32
Add or Edit an Event Action Filter 34
Edit IPS: Signatures 36
Edit IPS: Signatures 42
Edit Signature 46
File Selection 49
Assign Actions 50
Import Signatures 51
Add, Edit, or Clone Signature 53
Cisco Security Center 55
IPS-Supplied Signature Definition Files 55
Security Dashboard 56
IPS Migration 59
Migration Wizard: Welcome 59
Migration Wizard: Choose the IOS IPS Backup Signature File 60
Signature File 60
Java Heap Size 60
Network Module Management 1
IDS Network Module Management 1
IDS Sensor Interface IP Address 3
IP Address Determination 4
IDS NM Configuration Checklist 5
IDS NM Interface Monitoring Configuration 7
Network Module Login 7
Feature Unavailable 7
Switch Module Interface Selection 7
Quality of Service 1
Creating a QoS Policy 1
Create a QoS Policy Reference 2
Create QoS Policy 2
QoS Wizard 3
Interface Selection 3
Queuing for Outbound Traffic 4
Add a New Traffic Class 5
Policing for Outbound Traffic 7
QoS Policy Generation 7
QoS Configuration Summary 8
Editing QoS Policies 9
Edit QoS Policy Reference 10
Edit QoS Policy 10
Add Class for the New Policy 13
Add Service Policy to Class 14
Associate or Disassociate the QoS Policy 15
Add or Edit a QoS Class 15
Edit Match DSCP Values 18
Edit Match Protocol Values 19
Add Custom Protocols 19
Edit Match ACL 19
Configure Policing 19
Configure Shaping 20
Configure Queuing 21
Network Admission Control 1
Create NAC Tab 1
Other Tasks in a NAC Implementation 2
Welcome 3
NAC Policy Servers 4
Interface Selection 6
NAC Exception List 7
Add or Edit an Exception List Entry 7
Choose an Exception Policy 8
Add Exception Policy 9
Agentless Host Policy 10
Configuring NAC for Remote Access 10
Modify Firewall 11
Details Window 11
Summary of the Configuration 12
Edit NAC Tab 13
NAC Components 14
Exception List Window 14
Exception Policies Window 15
NAC Timeouts 15
Configure a NAC Policy 17
How Do I... 18
How Do I Configure a NAC Policy Server? 18
How Do I Install and Configure a Posture Agent on a Host? 18
Router Properties 1
Device Properties 1
Date and Time: Clock Properties 2
Date and Time Properties 3
NTP 4
Add or Edit NTP Server Details 5
SNTP 6
Add an NTP Server 7
Logging 8
SNMP 9
Netflow 10
Netflow Talkers 10
Router Access 11
User Accounts: Configure User Accounts for Router Access 11
Add or Edit a Username 12
View Password 14
vty Settings 15
Edit vty Lines 15
Configure Management Access Policies 17
Add or Edit a Management Policy 19
Management Access Error Messages 20
SSH 22
DHCP Configuration 23
DHCP Pools 23
Add or Edit DHCP Pool 25
DHCP Bindings 26
Add or Edit DHCP Binding 27
DNS Properties 28
Dynamic DNS Methods 28
Add or Edit Dynamic DNS Method 29
ACL Editor 1
Useful Procedures for Access Rules and Firewalls 3
Rules Windows 3
Add or Edit a Rule 7
Associate with an Interface 10
Add a Standard Rule Entry 11
Add an Extended Rule Entry 13
Select a Rule 16
Port-to-Application Mapping 1
Port-to-Application Mappings 1
Add or Edit Port Map Entry 3
Zone-Based Policy Firewall 1
Zone Window 2
Add or Edit a Zone 3
Zone-Based Policy General Rules 3
Zone Pairs 5
Add or Edit a Zone Pair 5
Add a Zone 6
Select a Zone 7
Authentication, Authorization, and Accounting 1
Configuring AAA 2
AAA Screen Reference 2
AAA Root Screen 3
AAA Servers and Server Groups 4
AAA Servers 4
Add or Edit a TACACS+ Server 5
Add or Edit a RADIUS Server 6
Edit Global Settings 7
AAA Server Groups 8
Add or Edit AAA Server Group 9
Authentication and Authorization Policies 10
Authentication and Authorization 10
Authentication NAC 11
Authentication 802.1x 12
Add or Edit a Method List for Authentication or Authorization 13
Router Provisioning 1
Secure Device Provisioning 1
Router Provisioning from USB 2
Router Provisioning from USB (Load File) 2
SDP Troubleshooting Tips 2
Cisco Common Classification Policy Language 1
Policy Map 1
Policy Map Windows 1
Add or Edit a QoS Policy Map 3
Associate a Policy Map to Interface 3
Add an Inspection Policy Map 5
Layer 7 Policy Map 5
Application Inspection 5
Configure Deep Packet Inspection 6
Class Maps 6
Associate Class Map 7
Class Map Advanced Options 7
QoS Class Map 8
Add or Edit a QoS Class Map 9
Select a Class Map 9
Deep Inspection 9
Class Map and Application Service Group Windows 9
Add or Edit an Inspect Class Map 12
Associate Parameter Map 12
Add an HTTP Inspection Class Map 13
HTTP Request Header 13
HTTP Request Header Fields 14
HTTP Request Body 15
HTTP Request Header Arguments 15
HTTP Method 16
Request Port Misuse 16
Request URI 16
Response Header 17
Response Header Fields 18
HTTP Response Body 19
HTTP Response Status Line 19
Request/Response Header Criteria 20
HTTP Request/Response Header Fields 20
Request/Response Body 21
Request/Response Protocol Violation 22
Add or Edit an IMAP Class Map 22