User / maintenance manual for product OL-4015-08 from manufacturer Cisco Systems
Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Router and Security Device Manager (SDM) Version 2.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
Cisco Router and Security Device Manager (SDM) Version 2.1 User’s Guide OL-4015-06, Contents
Contents, page iii: Home Page 1; LAN Wizard 1; Ethernet Configuration 2; LAN Wizard: Select an Interface 3; LAN.
Contents, page iv: How Do I View the IOS Commands I Am Sending to the Router? 12; How Do I Launch the Wireless App.
Contents, page v: Delete Connection 19; Summary 21; Connectivity testing and troubleshooting 22; How Do I.
Contents, page vi: Add or Edit BVI Interface 18; Add Loopback Interface/Connection—Loopback 18; Connection: Et.
Contents, page vii: Advanced Firewall Interface Configuration 5; Advanced Firewall DMZ Service Configuration 6.
Contents, page viii: SDM Warning: Inspection Rule 15; SDM Warning: Firewall 16; Application Security 17; Applic.
Contents, page ix: VPN Authentication Information 49; Backup GRE Tunnel Information 51; Routing Information.
Contents, page x: Easy VPN Remote 77; Create Easy VPN Remote 77; Configure an Easy VPN Remote Client 77; Connection.
Contents, page xi: General Group Information 111; DNS and WINS Configuration 112; Split Tunneling 113; Clien.
Contents, page xii: DMVPN Network Topology 9; Specify Hub Information 10; Spoke GRE Tunnel Interface Configur.
Contents, page xiii: Add or Edit Transform Set 40; IPSec Rules 43; Internet Key Exchange 45; Internet Key Exchan.
Contents, page xiv: Enable Password Encryption Service 10; Enable TCP Keepalives for Inbound Telnet Sessions 1.
Contents, page xv: Enable AAA 24; Configuration Summary Screen 25; SDM and Cisco IOS AutoSecure 25; Security Con.
Contents, page xvi: Details 8; Network Address Translation Rules 8; Designate NAT Interfaces 12; Translation T.
Contents, page xvii: Signature Import Wizard Summary 41; Signatures 42; Assign Actions 46; Import Signatures 46; Ad.
Contents, page xviii: Edit QoS Policy 13; Edit QoS Class 15; Add a Protocol 17; Interface Association 18; QoS Stat.
Contents, page xix: Router Properties 1; Device Properties 1; Date and Time: Clock Properties 2; Date and Tim.
Contents, page xx: DNS Properties 26; Dynamic DNS Methods 26; Add or Edit Dynamic DNS Method 27; ACL Editor 1; Usefu.
Contents, page xxi: Router Provisioning 33; Router Provisioning from USB 33; Public Key Infrastructure 35; Ce.
Contents, page xxii: Open Firewall 56; Open Firewall Details 57; Resetting to Factory Defaults 1; This Feature Not Supported 4; More About.
Contents, page xxiii: Firewall Policy Use Case Scenario 29; DMVPN Configuration Recommendations 32; SDM Whit.
Contents, page xxiv: Edit Menu Commands 9; Preferences 9; View Menu Commands 1; Home 1; Configure 1; Monitor 1; Running.
Cisco Router and Security Device Manager Version 2.2 User’s Guide OL-4015-08
Page 1-1, Chapter 1 (Home Page). The home page supplies basic information about the router’s hardware, software, and configuration. This page contains the following sections: Host Name: The configured name of the router.
Page 1-2, Chapter 1 (Home Page). More...: The More... link displays a popup window providing additional hardware and software details.
Page 1-3, Chapter 1 (Home Page), Interfaces and Connections. Up (n): The number of LAN and WAN connections that are up. Down (n): The number of LAN and WAN connections that are down.
Page 1-4, Chapter 1 (Home Page). Firewall table columns: Interface, Firewall Icon, NAT, Inspection Rule, Access Rule. Interface: The name of the interface to which a firewall has been applied. Firewall Icon: Whether the interface is designated as an inside or an outside interface.
Page 1-5, Chapter 1 (Home Page). Note: Some VPN servers or concentrators authenticate clients using Extended Authentication (XAuth). This shows the number of VPN tunnels awaiting an XAuth login.
Page 2-1, Chapter 2 (LAN Wizard). The Cisco Router and Security Device Manager (SDM) LAN wizard guides you in the configuration of a LAN interface. The screen lists the LAN interfaces on the router.
Page 2-2, Chapter 2 (LAN Wizard), Ethernet Configuration. What Do You Want to Do? You can return to this screen as often as necessary to configure additional LAN interfaces.
Page 2-3, Chapter 2 (LAN Wizard), LAN Wizard: Select an Interface. • A DHCP address pool if you decide to use DHCP.
Page 2-4, Chapter 2 (LAN Wizard), LAN Wizard: Enable DHCP Server. This screen lets you enable a DHCP server on your router. A DHCP server automatically assigns reusable IP addresses to the devices on the LAN.
Page 2-5, Chapter 2 (LAN Wizard), DHCP Options. Use this window to configure DHCP options that will be sent to hosts on the LAN that are requesting IP addresses from the router.
Page 2-6, Chapter 2 (LAN Wizard), LAN Wizard: VLAN Mode. This screen lets you determine the type of VLAN information that will be carried over the switch port.
Page 2-7, Chapter 2 (LAN Wizard), IRB Bridge. Include this VLAN in an IRB bridge that will form a bridge with your wireless network. (Use Wireless Application to complete.
Page 2-8, Chapter 2 (LAN Wizard), DHCP Pool for BVI. IP Address: Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces.
Page 2-9, Chapter 2 (LAN Wizard), IRB for Ethernet. If your router has a wireless interface, you can u.
Page 2-10, Chapter 2 (LAN Wizard), Summary. Configure Switch Device Module: If you are configuring a Gigabit Ethernet interface for routing, you can provide information about the switch module in this window.
Page 2-11, Chapter 2 (LAN Wizard), How Do I... Step 1: From the category bar, click Routing. Step 2: In the Static Routing group, click Add.... The Add IP Static Route dialog box appears.
Page 2-12, Chapter 2 (LAN Wizard), How Do I... Step 5: Click Start Monitoring to see statistics for all selected data items. The Interface Details screen appears, displaying the statistics you selected.
Page 2-13, Chapter 2 (LAN Wizard), How Do I... The next time you use a wizard to configure the router and click Finish on the Summary window, the Deliver window will appear.
Page 3-1, Chapter 3 (Create Connection Wizards). The Create Connection wizards let you configure LAN and WAN connections for all SDM-supported interfaces. Create Connection: This window allows you to create new LAN and WAN connections.
Page 3-2, Chapter 3 (Create Connection Wizards), WAN Wizard Interface Welcome Window. The Other (Unsupported by SDM) r.
Page 3-3, Chapter 3 (Create Connection Wizards), ISDN Wizard Welcome Window. PPP is the only type of encoding supported over ISDN BRI by SDM.
Page 3-4, Chapter 3 (Create Connection Wizards), Select Interface. This window appears if there is more than one interface of the type you selected in the Create Connection window.
Page 3-5, Chapter 3 (Create Connection Wizards), IP Address: ATM with RFC 1483 Routing. Dynamic (DHCP Client): If you choose Dynamic, the router will lease an IP address from a remote DHCP server.
Page 3-6, Chapter 3 (Create Connection Wizards), IP Address: Ethernet without PPPoE. IP Unnumbered: Click IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface.
Page 3-7, Chapter 3 (Create Connection Wizards), IP Address: Serial with HDLC or Frame Relay. Static IP Address: If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided.
Page 3-8, Chapter 3 (Create Connection Wizards), IP Address: ISDN BRI or Analog Modem. IP Unnumbered: Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface.
Page 3-9, Chapter 3 (Create Connection Wizards), Authentication. This page is displayed if you enabled PP.
Page 3-10, Chapter 3 (Create Connection Wizards), Switch Type and SPIDs. ISDN Switch Type: Select the ISDN switch type. Contact your ISDN service provider for the switch type for your connection.
Page 3-11, Chapter 3 (Create Connection Wizards), Dial String. A SPID is usually a 7-digit telephone number with some optional numbers. However, service providers may use different numbering schemes.
Page 3-12, Chapter 3 (Create Connection Wizards), Backup Configuration. Backup Configuration: Primary Interface & N.
Page 3-13, Chapter 3 (Create Connection Wizards), Advanced Options. There are two advanced options available, based on the router’s configuration: Default static route, and Port Address Translation (PAT).
Page 3-14, Chapter 3 (Create Connection Wizards), Encapsulation. Autodetect: Click Autodetect to have SDM discover the encapsulation type.
Page 3-15, Chapter 3 (Create Connection Wizards), PVC. The encapsulations available if you have a serial interface are shown in the following table.
Page 3-16, Chapter 3 (Create Connection Wizards), Configure LMI and DLCI. VCI: Enter the VCI value obtained from your service provider or system administrator.
Page 3-17, Chapter 3 (Create Connection Wizards), Configure Clock Settings. DLCI: Enter the DLCI in this field. This number must be unique among all DLCIs used on this interface.
Page 3-18, Chapter 3 (Create Connection Wizards), Configure Clock Settings. T1 Framing: This field configures the T1 or E1 link for operation with D4 Super Frame (sf) or Extended Superframe (esf).
Page 3-19, Chapter 3 (Create Connection Wizards), Delete Connection. Line Build Out (LBO): This field is used to configure the Line Build Out (LBO) of the T1 link. The LBO decreases the transmit strength of the signal by -7.
Page 3-20, Chapter 3 (Create Connection Wizards), Delete Connection. To view the associations that the connection has: Click View Details.
Page 3-21, Chapter 3 (Create Connection Wizards), Summary. • Crypto — A crypto map is applied to the interface on which the connection was created. To delete the crypto map, click Configure; then click Interfaces and Connections.
Page 3-22, Chapter 3 (Create Connection Wizards), Connectivity testing and troubleshooting. Test the connectivity after configuring: Check this box if you want SDM to test the connection you have configured after it delivers the commands to the router.
Page 3-23, Chapter 3 (Create Connection Wizards), Connectivity testing and troubleshooting. 3. Checks for DHCP and IPCP configurations on the interface. 4. Exits interface test.
Page 3-24, Chapter 3 (Create Connection Wizards), Connectivity testing and troubleshooting. • the PPPoE tunnel status • the PPP authentication status. After performing these checks, SDM reports the reason that the ping failed.
Page 3-25, Chapter 3 (Create Connection Wizards), Connectivity testing and troubleshooting. Activity: This column displays the troubleshooting activities.
Page 3-26, Chapter 3 (Create Connection Wizards), How Do I...
Page 3-27, Chapter 3 (Create Connection Wizards), How Do I... How Do I View Activity on My WAN Interface? You can view activity on a WAN interface by using the Monitor feature in SDM.
Page 3-28, Chapter 3 (Create Connection Wizards), How Do I... The interface is added to the pool of interfaces using NAT. Step 6: Review the Network Address Translation Rules in the NAT window.
Page 3-29, Chapter 3 (Create Connection Wizards), How Do I... The Dynamic Routing dialog box appears, displaying the tab for the dynamic routing protocol you selected.
Page 3-30, Chapter 3 (Create Connection Wizards), How Do I... Step 4: Click Edit. The Connection tab appears. Step 5: Click Options. The Edit Dialer Option dialog box appears.
Page 3-31, Chapter 3 (Create Connection Wizards), How Do I... Step 3: Select the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information.
C HAPTER 4-1 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 4 Edit Interface/Con nection This wi ndow displays the ro uter ’ s inter faces an d conne ctions. The win do w also enables y ou to add, edit, a nd delete connect ions, and to enable or disabl e connec tions.
Chapter 4 Edit Interface/Connection 4-2 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Dele te Select ing a connec tion and click ing Delet e disp lays a dialo g.
4-3 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection If SDM is running on a Cisco 7000 router , you will be able to create a connec tion only on Ether net a nd Fast Et hernet int erfaces.
Chapter 4 Edit Interface/Connection 4-4 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Item Name The name of th e configur ation item, s uch as IP addre ss/Su bne t mask, or IPSe c polic y . The actual items listed in this column depend on the type of interf ace select ed.
4-5 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Why Are Some Interfaces or Connect ions Read-Only? Ther e are many c onditio ns t hat c an p rev ent SD M fr om m odifyi ng a previously configured inte rface or subi nterface.
Chapter 4 Edit Interface/Connection Connecti on: Ethe rnet for IRB 4-6 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Connection: Ethernet for IRB This di alog box cont ains t he following fields if you se lected Ethernet for IRB in the Configure list.
4-7 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connection: Ethernet for Routing • Creat e a new dynamic DN S metho d. Click th e drop-down menu a nd choo se to crea te a new dynamic DNS method .
Chapter 4 Edit Interface/Connection Connecti on: Ethernet for Routin g 4-8 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Dynamic DNS Enab le dynam ic DNS if you want to au tomat ically update your DN S servers whene ver the W AN interface ’ s IP addr ess ch anges .
4-9 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connection: Ethernet for Routing HTTP HTTP is a dynamic D NS method ty pe that up dates a DNS se rvice pr ovider with changes to the associat ed interf ace ’ s IP a ddress.
Chapter 4 Edit Interface/Connection Wireless 4-10 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Wireless If the router has a wireless in terface, you can launch the W ireless Application from this tab .
4-11 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Associa tion When a rule is applied to o utbound traf fic on an interf ace, the ru le filte rs traf f ic after it has entered the router but before it e xits the interf ace.
Chapter 4 Edit Interface/Connection NAT 4-12 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 is Serial0 /0, you would first selec t T unn el3 in the Interfa ces and C onnectio ns windo w , click Edit and associa te the polic y wit h it, an d the n click OK .
4-13 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection General Mode Grou p Choose the type of VLAN informati on you want to be carried a cross this Ethernet switch port. Choosing Access causes the switch port to forw ard only data destined for the specif ic VLAN number .
Chapter 4 Edit Interface/Connection General 4-14 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Descri ption Y o u can enter a short description in this f ield. This description will be visible in the theEd it Interface s and Connec tions wind ow .
4-15 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection QoS IP Rout e Cache-Flow This option enab les the Cisco IOS NetFlo w feature. Using NetF lo w , you can determine packet d istribution, protoco l dist ribution, and curr ent flows of da ta on the r outer .
Chapter 4 Edit Interface/Connection Select Ether net Config uration Type 4-16 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Dissociate C urrent QoS Policy checkb ox Enabled when a QoS policy is associated with the interf ace.
4-17 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Conne ction: Subin terface s VLAN ID Enter th e ID number of the ne w VLAN interf ace. If you are editing a VLAN interfac e, you cann ot change the VLA N ID.
Chapter 4 Edit Interface/Connection Add or Edi t BVI Interf ace 4-18 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 In thi s example , FastEthern et1. 5 is co nfigured for rout ing, a nd FastEth ernet1 .3 is configured for IRB .
4-19 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connect ion: Ethernet LAN Static IP Address If you se lected St atic IP a ddress, en ter that I P address in this f ield.
Chapter 4 Edit Interface/Connection Connection: Ethernet WAN 4-20 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 IP Ad dress of R emote DHC P Serv er If you clicked DHCP Relay , enter the IP address of the DHCP server that will pro vide add resses to de vices on the LAN.
4-21 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Ether net Pr opertie s Authen tication Click this b utton to enter CHAP / PA P authentica tion password informatio n.
Chapter 4 Edit Interface/Connection Connecti on: Ethe rnet with No E ncapsu lation 4-22 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 IP Address Static IP Address A vailable wi th PPPoE encapsulation a nd with no encapsulation.
4-23 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connect ion: ADSL • Dynamic IP a ddres s — If you choose Dynami c, the router will lease an IP address fr om a remo te DHCP server .
Chapter 4 Edit Interface/Connection Connection: ADSL 4-24 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Encapsulati on Select the type of encapsulation that will be used for this link. • PPPoE spec if ies Poin t-to- Poi nt Pr otoc ol o ver E ther n et e ncap sul ation .
4-25 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connect ion: ADSL • Dynamic IP address — If yo u choose Dy namic, th e router will lea se an IP address fr om a remo te DHCP server .
Chapter 4 Edit Interface/Connection Connecti on: ADS L over ISDN 4-26 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 • Enter the name of an existing dyn amic DNS me thod.
4-27 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connect ion: ADSL over I SDN If yo u are editi ng a n existi ng conn ect ion, th is field i s disa bled . If yo u n eed t o change this v alue, delete the co nnection and re create it us ing the v alue you nee d.
Chapter 4 Edit Interface/Connection Connecti on: G.SHDSL 4-28 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 • auto — Configur e the A DSL line af ter aut o-negot iating with the DSL AM located at the Central Of fic e.
4-29 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connection: G.SHDSL Encapsulati on Select the type of encapsulation that will be used for this link. • PPPoE spec if ies Poin t-to- Poi nt Pr otoc ol o ver E ther n et e ncap sul ation .
Chapter 4 Edit Interface/Connection Connecti on: G.SHDSL 4-30 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Static IP address If you sele ct Static IP a ddress, ente r the addr ess that the in terface wi ll use, and the subnet ma sk, or the ne twork bits.
4-31 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connection: G.SHDSL Annex A ( U.S.) Conf igures the re gional operating para meters for North America. Annex B (E urope) Conf igures the re gional op erat ing pa rame ters for Euro pe.
Chapter 4 Edit Interface/Connection Configu re DSL Contro ller 4-32 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Configure DSL Contro ller SDM supports the configuratio n of the Cisco WIC- 1SHDSL- V2. This WI C supports TI , E1, or a G.
4-33 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Configure DSL Controller If you have selected a 4 -wire connec tion, you must se lect a fixed line r ate.
Chapter 4 Edit Interface/Connection Connecti on: G. SHDSL wi th DSL Control ler 4-34 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 in th is field a nd c lick Edit . This also will display the Con nection: G.SHD SL with DSL Contr oller page , letting you edit th e connec tion con figuration.
4-35 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connection: G.SHDSL wit h DSL Controller IP Address Select ho w the router will obta in an IP address for th is link. The f ields that appear in thi s area change according to the en capsula tion type c hosen.
Chapter 4 Edit Interface/Connection Connecti on: Serial In terface, Fra me Relay Enc apsulati on 4-36 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Enter the name in the Dynamic DNS Method f ield exactly as it appe ars in the list in Conf igure > Additional T asks > Dynamic DNS Methods.
4-37 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connection: Serial Interface, Frame Relay Encapsulation Subn et Mas k If yo u sele cted Static IP addr ess , ente r the subnet mask .
Chapter 4 Edit Interface/Connection Connecti on: Serial In terface, Fra me Relay Enc apsulati on 4-38 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Autosens e Defa ult. This setting all ows the router to detect which L MI type is being use d by communica ting with the switch and to then use th at type.
4-39 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 4 Edit Interf ace/Co nnection Connect ion: S erial I nterf ace, PPP En capsula tion T o clear an as sociate d dynamic DNS me thod fr om the inte rface , choos e None from t he drop- down menu .
Chapter 4 Edit Interface/Connection Connection: Ser ial Interface, PPP Enc apsulation 4-40 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Authen tication Click this b utton if you need to enter CHAP or PA P authenticati on info rmation.
4-41 Cisco Router and Security Device Manager Version 2.2 User's Guide OL-4015-08
Chapter 4 Edit Interface/Connection

Connection: Serial Interface, HDLC Encapsulation
Fill out these fields if you are configuring a serial interface for HDLC encapsulation.
The clock settings button will only appear if you are configuring a T1 or E1 serial connection.

Add or Edit GRE Tunnel
Tunnel Source
Select the interface that the tunnel will use.

Connection: ISDN BRI
Complete these fields if you are configuring an ISDN BRI connection.
Some service providers use SPIDs to define the services subscribed to by the ISDN device that is accessing the ISDN service provider.
Subnet Mask
Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address.

Connection: Analog Modem
Complete these fields if you are configuring an analog modem connection.
Subnet Mask
Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address.

Connection: (AUX Backup)
Complete these fields if you are configuring an asynchronous dial-up connection using the console port to double as an AUX port on a Cisco 831 or 837.
Clear Line
Click this button to clear the line. You should clear the line after creating an async connection so that interesting traffic triggers the connection.

Dynamic DNS
Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes.

Authentication
CHAP authentication is more secure than PAP authentication.
Login Name
The login name is given to you by your Internet service provider and is used as the username for CHAP/PAP authentication.
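Why CHAP is preferred over PAP, as an added example that is not part of the SDM guide: a Python model of both PPP authentication exchanges (PAP per RFC 1334, CHAP per RFC 1994) and a check of what a passive observer of the link would see. The login name and secret are constructed for the example.

```python
"""Added example (not from the SDM guide): a Python model of the two PPP
authentication methods the guide compares, PAP and CHAP, showing what each
one puts on the wire. Credentials below are constructed for the example."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

LOGIN_NAME = "user@isp.example"           # constructed ISP-assigned login name
SECRET = b"correct horse battery staple"  # constructed shared secret


def pap_authenticate_request(login_name: str, secret: bytes) -> bytes:
    """PAP (RFC 1334) Authenticate-Request payload: Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. The secret itself travels in clear on the link."""
    peer_id = login_name.encode()
    return bytes([len(peer_id)]) + peer_id + bytes([len(secret)]) + secret


def chap_challenge() -> Tuple[int, bytes]:
    """CHAP (RFC 1994): the authenticator sends an Identifier and a fresh random
    Challenge Value; a new challenge for every exchange is what defeats replay."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge); the secret never
    leaves the peer, only this one-way hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, secret: bytes, response: bytes) -> bool:
    """The authenticator recomputes the hash from its own copy of the secret."""
    expected = chap_response(identifier, challenge, secret)
    return hmac.compare_digest(expected, response)


def secret_on_wire(captured: bytes, secret: bytes) -> bool:
    """What a passive observer of the link learns: is the secret in the capture?"""
    return secret in captured


def demo() -> Dict[str, bool]:
    pap_msg = pap_authenticate_request(LOGIN_NAME, SECRET)
    ident, chal = chap_challenge()
    resp = chap_response(ident, chal, SECRET)
    replay_ident, replay_chal = chap_challenge()   # next session: new challenge
    return {
        "pap_exposes_secret": secret_on_wire(pap_msg, SECRET),
        "chap_exposes_secret": secret_on_wire(resp, SECRET),
        "chap_accepts_valid_response": chap_verify(ident, chal, SECRET, resp),
        "chap_rejects_replayed_response": chap_verify(replay_ident, replay_chal, SECRET, resp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The guide's statement follows from the first two checks: with PAP the shared secret is readable by anyone who can capture the link, while with CHAP only a hash bound to a one-time challenge crosses the wire, and an old response is useless against a new challenge. A captured CHAP exchange still allows a weak secret to be guessed offline, so the method complements a long secret rather than replacing it.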
SPID Details
SPID2
Enter the SPID for the second BRI B channel, provided to you by your ISP.

Dialer Options
Idle timeout
Enter the number of seconds that will be allowed to pass before an idle connection (one that has no traffic passing over it) will be terminated.

Backup Configuration
ISDN BRI and analog modem interfaces can be configured to work as backup interfaces to other, primary interfaces.
Next Hop Forwarding
These fields are optional. You can enter the IP address to which the primary and backup interfaces will connect when they are active.

CHAPTER 5
Create Firewall
A firewall is a set of rules used to protect the resources of your LAN. These rules filter the packets arriving at the router.

Advanced Firewall
Click this if you want SDM to lead you through the steps of configuring a firewall. You have the option to create a DMZ network, and to specify an inspection rule.
Have SDM help me create an Advanced Firewall.
If your router has multiple inside and outside interfaces, and you want to configure a DMZ, you should select this option.

Basic Firewall Configuration Wizard
SDM will protect the LAN with a default firewall when you select this option.

Advanced Firewall Configuration Wizard
Source Host/Network
If you want to allow a single host access through the firewall, choose Host Address and enter the IP address of a host.

Advanced Firewall DMZ Service Configurat.

DMZ Service Configuration
Create or edit a DMZ service entry in this window.
Host IP Address
Enter the address range that will specify the hosts in the DMZ that this entry applies to.

traffic on to the network. These rules cause the router to examine outgoing packets for specified types of traffic.

Application Security Configuration
SDM provides preconfigured application security policies that you can use to protect the network.

Domain Name Server Configuration
The router must be configured with the IP address of at least one DNS server for application security to work.

How Do I...
• Apply access rule to the inbound direction to permit IPSec tunnel traffic if necessary.
• Apply access rule to the inbound direction to deny spoofing traffic.

How Do I View Activity on My Firewall?
Activity on your firewall is monitored through the creation of log entries.
The Edit a Rule dialog box appears.
Step 5 The Rule Entry field shows each of the source IP/destination IP/service combinations that are permitted or denied by the rule.
To verify that the connection is working, verify that the interface status is "Up" in the Interfaces and Connections window.

access-list 105 permit udp host 123.3.4.5 host 192.168.0.1 eq isakmp
access-list 105 permit udp host 123.3.4.5 host 192.168.
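The access-list 105 lines above are Cisco IOS extended ACL entries. As an added example that is neither the guide's nor Cisco's code, the following Python evaluator parses that syntax (host, any, and wildcard-mask addresses with an optional eq port) and applies IOS first-match semantics with the implicit trailing deny. The first entry of ACL_105 is the line shown in the guide; the remaining entries, including an anti-spoofing deny of the kind the How Do I list mentions, are constructed for this example.

```python
"""Added example (not from the SDM guide): a first-match evaluator for Cisco IOS
extended access-list lines in the syntax shown above. The first entry of ACL_105
below is the line from the guide; the others are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords IOS accepts in place of a number (only those used here).
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80}

ACL_105 = """\
access-list 105 permit udp host 123.3.4.5 host 192.168.0.1 eq isakmp
access-list 105 permit esp host 123.3.4.5 host 192.168.0.1
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 permit tcp any host 192.168.0.1 eq www
"""


@dataclass
class AclEntry:
    number: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens.
    IOS wildcard bits set to 0 must match, so the wildcard is an inverted netmask;
    only contiguous wildcards are supported here."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((kw, str(netmask)), strict=False)


def _parse_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return None


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue                  # skips blank lines and '!' comment lines
        number, action, proto = int(tokens[1]), tokens[2], tokens[3]
        rest = tokens[4:]
        src = _parse_addr(rest)
        sport = _parse_port(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        entries.append(AclEntry(number, action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries: List[AclEntry], proto: str, src: str, sport: Optional[int],
             dst: str, dport: Optional[int]) -> str:
    """First matching entry decides; every IOS ACL ends in an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_105)
    print(evaluate(acl, "udp", "123.3.4.5", 500, "192.168.0.1", 500))   # permit
    print(evaluate(acl, "tcp", "10.1.2.3", 40000, "192.168.0.1", 80))   # deny
```

Entry order matters: the deny for the 10.0.0.0/8 range sits before the permit for web traffic, so a packet arriving from the outside with an inside source address is refused even though it is destined for an allowed port, which is exactly the anti-spoofing placement the How Do I list describes.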
How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host?
You can use the Edit Firewall Policy tab to modify your firewall configuration to permit traffic from a new network or host.

How Do I Configure NAT Passthrough for a Firewall?
If you have configured NAT and are now configuring your firewall, you must configure the firewall so that it permits traffic from your public IP address.
Step 1 From the left frame, select Additional Tasks.
Step 2 In the Rules tree, select ACL Editor and then Access Rules.

How Do I Associate a Rule with an Interface?
If you use the SDM Firew.
Step 5 Click in the inbound or outbound field, and then click the button to the right.
Step 6 Click None (clear rule association).
Step 1 If you are at the Inspection Rules window, and you have clicked Java List, click the button to the right of the Number field and click Create a new rule (ACL) and select.
Step 2 Click Edit Firewall Policy/ACL.

CHAPTER 6
Firewall Policy
The Firewall Policy feature lets you view and modify firewall configurations — access rules, and/or CBAC inspection rules — in the context of the interfaces whose traffic they filter.
3. Come to the Firewall Policy window to edit the firewall policy you created.

Edit Firewall Policy/ACL
From – Select the interface from which the traffic flow you are interested in originates. The firewall will protect the network connected to the From interface.
Originating Traffic — Click this to highlight the part of the diagram that represents the traffic flow that enters the router at the From interface and exits the router at the To interface.

Make Changes to Access Rules and Inspection Rules as Necessary
The policy panel shows the details of the rules applied to the selected traffic flow.

Service Area header fields
Firewall Feature Availability — If the Cisco IOS image that the router is using supports the Firewall feature, this field contains the value Available.
the Extended entry dialog when you add an entry from the Edit Firewall Policy/ACL window. If you want to add a standard rule entry, you can do so in the Rules window.
If you want to apply a firewall that protects the network connected to the Ethernet 1 interface from traffic entering the Ethernet 0 interface, you can do so in the Rules window.

Applications Area
This area appears if the Cisco IOS image running on the router supports CBAC Inspection rules.
Global Settings — Click to display a dialog box that enables you to set global timeouts and thresholds.

Swap From and To Interfaces to Bring Other Rules into View
SDM only displays inspection rules for Originating traffic in the Application area.

Alert Action
One of the following:
• default-on — Leave as default. Default value is on.
• on — Enable alert.

Alert Action
One of the following:
• default(on) — Leave as default. Default value is on.
• on — Enable alert.

Audit Action
One of the following:
• default-off — Leave as default. Default value is off.
• on — Enable audit trail.

Type
One of the following:
• A Network — If you select this, provide a network address in the IP address field.
• Keep inspection rule name on <interface-nam.

CHAPTER 7
Application Security
Application Security allows you to create security policies to govern the use of network and web applications.

Application Security Windows
• Associate button — Click to display a dialog that allows you to associate the policy with an interface.

No Application Security Policy
SDM displays this window when you have clicked the Application Security tab, but no Application Security policy has been configured on the router.

E-mail
Specify the e-mail applications that you want to inspect in this window. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
Reset
Resets the TCP connection if the client enters a non-protocol command before authentication is complete.
Router Traffic
Enables inspection of traffic destined to or originated from a router.

HTTP
Set maximum URI length inspection check box
Check this box if you want to define a maximum length for Universal Resource Indicators (URIs).
HTTP Header Options
You can have the router permit or deny traffic based on HTTP header length and the request method contained in the header.
Click Permit, Block, and Alarm Controls to learn how to specify the action that the router is to take when it encounters traffic with the characteristics that you specify in this window.
gzip checkbox
The encoding format produced by the GNU zip ("gzip") program.
Identity checkbox
Default encoding, which indicates that no encoding has been performed.

Applications/Protocols
This window allows you to create policy settings for applications and protocols that are not found in the other windows.

Global Timeouts and Thresholds
Options Column
This column can contain fields if there are other settings that have been made for the chosen item.
TCP FIN Wait Timeout Value
The amount of time that a TCP session will still be managed after the firewall detects a FIN exchange.
TCP Maximum Incomplete Sessions per Host:
The router starts deleting half-open sessions for the same host when the total number for that host exceeds this number.
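How the two settings just described interact with an inspection session table, as an added example that is not the guide's or Cisco's code: a Python model in which a SYN opens a half-open session, the per-host limit deletes the oldest half-open session for a host once the limit is reached, and a session that has seen a FIN exchange stays managed for the FIN-wait timeout before it is dropped. The class name InspectTable, the limit of 50, the 5-second timeout and the flood of never-completed handshakes are all constructed for the example.

```python
"""Added example (not from the SDM guide): a model of two CBAC settings described
above, the per-host limit on half-open (incomplete) TCP sessions and the FIN-wait
timeout. All names, values and traffic below are constructed for the example."""
from collections import OrderedDict
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class InspectTable:
    def __init__(self, max_incomplete_host: int, fin_wait_timeout: float) -> None:
        self.max_incomplete_host = max_incomplete_host
        self.fin_wait_timeout = fin_wait_timeout
        self.half_open = OrderedDict()           # Key -> SYN time; insertion order = age
        self.established: Dict[Key, float] = {}
        self.closing: Dict[Key, float] = {}      # Key -> time the FIN exchange was seen
        self.deleted: List[Key] = []             # half-open sessions dropped by the limit

    def _half_open_to(self, dst: str) -> List[Key]:
        return [k for k in self.half_open if k[2] == dst]

    def on_syn(self, ts: float, key: Key) -> None:
        """A SYN creates a half-open session. Once the destination host already has
        max_incomplete_host of them, the oldest is deleted to make room, which is
        what stops a flood of never-completed handshakes from filling the table."""
        current = self._half_open_to(key[2])
        if len(current) >= self.max_incomplete_host:
            oldest = current[0]
            del self.half_open[oldest]
            self.deleted.append(oldest)
        self.half_open[key] = ts

    def on_handshake_complete(self, ts: float, key: Key) -> None:
        """The final ACK of the handshake turns a half-open session into an established one."""
        if self.half_open.pop(key, None) is not None:
            self.established[key] = ts

    def on_fin_exchange(self, ts: float, key: Key) -> None:
        """After a FIN exchange the session stays managed for fin_wait_timeout seconds."""
        if self.established.pop(key, None) is not None:
            self.closing[key] = ts

    def expire(self, now: float) -> int:
        """Drop closing sessions whose FIN-wait timer has run out; returns the count."""
        expired = [k for k, t in self.closing.items() if now - t >= self.fin_wait_timeout]
        for k in expired:
            del self.closing[k]
        return len(expired)

    def half_open_count(self, dst: str) -> int:
        return len(self._half_open_to(dst))


def simulate(limit: int = 50, flood: int = 200) -> Dict[str, int]:
    table = InspectTable(max_incomplete_host=limit, fin_wait_timeout=5.0)
    server = "192.168.0.1"
    good = ("10.0.0.7", 51000, server, 80)       # a client that finishes its handshake
    table.on_syn(0.0, good)
    table.on_handshake_complete(0.1, good)
    # Constructed flood: SYNs from many distinct sources that never complete.
    for i in range(flood):
        table.on_syn(1.0 + i * 0.001, (f"203.0.113.{i % 250}", 40000 + i, server, 80))
    table.on_fin_exchange(2.0, good)
    return {
        "half_open_to_server": table.half_open_count(server),   # capped at limit
        "half_open_deleted": len(table.deleted),                # flood - limit
        "established": len(table.established),
        "closing_before_expiry": len(table.closing),
        "expired_at_7s": table.expire(7.0),                     # 5 s after the FIN exchange
        "closing_after_expiry": len(table.closing),
    }


if __name__ == "__main__":
    print(simulate())
```

The point the guide's two sentences make is visible in the returned counts: the server never carries more than the configured number of half-open sessions however many SYNs arrive, and the legitimate session is tracked through its close and then released once the FIN-wait timer elapses, so the table's memory is bounded in both directions.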
Edit Inspection Rule
Use this window to specify custom inspection rule settings for an application.
MAX Data field
Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transport Protocol (SMTP) session.

CHAPTER 8
Site-to-Site VPN
The help topics in this section describe the Site-to-Site configuration screens.

Create Site to Site VPN
What Do You Want to Do?
If you want to:
• Configure the router as part of a VPN network connecting two routers.
• Find out how to perform other VPN-related tasks that this wizard does not guide you through.

Site-to-Site VPN Wizard
You can have SDM use default settings for most of the configuration values, or you can let SDM guide you in configuring a VPN.
What do you want to do?
View Defaults
This window displa.

VPN Connection Information
Use this window to identif.
Enter the pre-shared key, and then reenter it for confirmation.
Details
Click this button to obtain details about the interface you selected.

Encryption
SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type is, the more processing time it requires.
Hash
The authentication algorithm to be used for the negotiation. SDM supports the following algorithms:
• SHA_1 — Secure Hash Algorithm.

To add or edit an IKE policy:
If you want to add an IKE policy that is not included in this list, click Add and create the policy in the window displayed.

ESP Encryption
The type of Encapsulating Security Protocol (ESP) encryption used. If ESP encryption is not configured for this transform set, this column will be empty.

What Do You Want to Do?
Traffic to Protect
This window lets you define the traffic that this VPN protects.
All traffic from this source subnet that has a destination IP address on the destination subnet will be protected.

Spoke Configuration
If you have configured a DMVPN hub, you can have SDM generate a procedure that will assist you or other administrators in configuring DMVPN spokes.
• The hash, encryption, DH group, and Authentication Type of the IKE policies that the hub uses, so that compatible IKE policies can be configured on the spoke.

Details
Click to obtain details about the interface that you selected. The details window shows any access rules, IPSec policies, NAT rules, or Inspection rules associated with the interface.
Pre-Shared Key
Click this button if the VPN peers use a pre-shared key for authentication, then enter the pre-shared key and reenter it for confirmation.

Backup GRE Tunnel Information
You can configure a backup GRE-over-IPSec tunnel that the router can use when the primary tunnel fails.

Routing Information
This window enables you to configure routing for the tunneled traffic. Information that you add in this window appears in the Routing window.
Static Routing
Static routing can be used in smaller VPN deployments in which only a few private networks participate in the GRE-over-IPSec VPN.
• Do split tunneling — Split tunneling allows traf.
• RIP — Routing Internet Protocol.
• Static Routing. This option is enabled when you are configuring a GRE over IPSec tunnel.

Edit Site-to-Site VPN
Use this window to create and manage VPN connections to remote systems. You can create, edit, and delete VPN connections, and reset existing connections.
Sequence Number
The sequence number for this connection.
Delete Button
Click to delete a selected VPN connection.
Test Tunnel... Button
Click to test a selected VPN tunnel.
Step 2 Select a policy from the Choose IPSec Policy list. Click OK to return to the VPN Connections window.

What Do You Want to Do?
Crypto Map Wizard: Welcome
This wizard will guide you through the creation of a crypto map.
Security Association Lifetime
IPSec security associations use shared keys. These keys and their security associations time out together.

Crypto Map Wizard: Peers
A crypto map includes the names or IP addresses of the peers involved in the security association.

What Do You Want to Do?
Crypto Map Wizard: Traffic to Protect
This window lets you define which traffic is encrypted.
All traffic from this source subnet that has a destination IP address on the destination subnet will be encrypted.

Delete Connection
Use this window to delete a VPN tunnel, or simply to disassociate it from an interface but preserve the definition for future use.
Destination
Select the IP address that you want to ping. If the address you want to use is not in the list, you can enter a different one in the field.

How Do I...
may be used on the remote router, but the policies and transform sets may be different. If the text file is simply copied into the remote configuration file, configuration errors are likely to result.

How Do I Create a VPN to More Than One Site?
You can use SDM to create multiple VPN tunnels on one interface on your router.
Step 12 Click Finish.
• If you entered the same IP address in the Peer Identity fiel.
Caution: Do not apply the mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration.
Step 7 If you need to modify any of the components of the connect.
If you are viewing IKE SA information, you can verify that your V.
Step 1 From the left frame, select VPN.
Step 2 From the VPN tree, select VPN Components, and then IPSec Policies.

How Do I Configure a VPN After I Have Configured a Firewall?
In order.
Step 10 In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN source peer.
Step 11 In the Destination Host/Network group, from the Type field, select A Network.

CHAPTER 9
Easy VPN Remote

Create Easy VPN Remote
SDM allows you to configure your router as a client to an Easy VPN server or concentrator. Your router must be running a Cisco IOS software image that supports Easy VPN Phase II.
Connection Settings
The information entered in this win.
Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network.
User Authentication (XAuth)
User authentication (XAuth) appears in this window if the Cisco IOS image on the router supports Easy VPN Remote Phase III.
Inside Interfaces
Choose the inside (LAN) interface to associate with this Easy VPN configuration.
With the automatic setting, the VPN tunnel is established automatically when the Easy VPN configuration is delivered to the router configuration file.
ID and password to log on to the router and then provide the XAuth login and password for the Easy VPN server or concentrator.

Edit Easy VPN Remote
Name
The name given to this Easy VPN connection.
Inside Interfaces
These are the inside interfaces included in this Easy VPN connection. All hosts connected to these interfaces are part of the VPN.
• The credentials are automatically sent because they have been saved on the router.
Add Button
Add a new Easy VPN Remote connection.
• The XAuth response is set to be requested from SDM or.
Connect to an Easy VPN server for which the router has a configured connection. If the connection uses manual tunnel control, choose the connection, then click Connect.

Add or Edit Easy VPN Remote
Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network.
Network Extension — Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network.
Group Key
Enter the IPSec group password. The group password must match the group password defined on the VPN concentrator or server.
The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined on a VPN remote access server.
Servers
You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first.
Chapter 9 Easy VPN Re mote Edit Easy VPN Remote 9-94 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Add or Edit Easy VPN Remote: Authentication Information This w indow appe ars if the C isco IOS image on yo ur ro uter su pport s Easy V PN Client Phase II I.
9-95 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 9 E asy VPN Remote Edit Easy VPN Remote Manuall y ente r the user name and passwor d in a web browser win dow .
Chapter 9 Easy VPN Re mote Edit Easy VPN Remote 9-96 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Please Ent er the User name Enter the SSH or T elnet account usern ame that you wil l use to log in to th is router .
9-97 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 9 E asy VPN Remote Edit Easy VPN Remote Serve rs Y ou can specify up to ten Easy VPN servers by IP addre ss or hostna me, an d you can order the list to specify which serv ers the router will attempt to connect to fir st .
Chapter 9 Easy VPN Re mote Edit Easy VPN Remote 9-98 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Y ou ca n enab le remote manag emen t of the rou ter by checki ng the box t o request a ser ver-assigned I P addr ess fo r you route r .
9-99 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 9 E asy VPN Remote Edit Easy VPN Remote Enter the I PSec grou pname in the Group Na me field a nd the new IKE key value in the Ne w Ke y field. Reenter the new k ey for co nfirm ation in the Conf irm K ey field.
Chapter 9 Easy VPN Re mote Edit Easy VPN Remote 9-100 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 The inf ormation is sav ed in the router conf iguration file and used each tim e the tunnel is establishe d.
9-101 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 9 E asy VPN Remote How Do I... Outside Int erface Choos e the ou tside inte rfac e that con nects to the Eas y VPN serv er or concentr ator .
Chapter 9 Easy VPN Re mote How Do I... 9-102 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 How Do I Ed it an Exis ting Easy V PN Conn ection? T o edit an existing Easy VPN remote connectio n, follo w these steps: Step 1 From th e lef t frame, cho ose VPN .
9-103 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 9 E asy VPN Remote How Do I... If the I SDN, asy nc, or anal og mod em inter face has be en configur ed, fo llow these steps: Step 1 From the le ft frame , click In terfac es and Connectio ns .
Chapter 9 Easy VPN Re mote How Do I... 9-104 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08.
CHAPTER 10 Easy VPN Server
The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients.

Create an Easy VPN Server
Click to create an Easy VPN server configuration on your router.
Launch the Easy VPN Server Wizard Button
Click to start the wizard.

If you choose both preshared keys and digital certificates, entering a key value in the Add Group Policy general setup window is optional.

User Authentication (XAuth)
You can configure user authentication on Easy VPN Server.

Add User Credentials Button
Click to add a user account.
User Accounts for XAuth
Add an account for a user you want to authenticate after IKE has authenticated the device.

Ping
Ping an already existing RADIUS server or newly configured RADIUS server.

Idle Timer
Disconnecting idle VPN tunnels can help the Easy VPN Server run more efficiently by reclaiming unused resources.

Select from an Existing Pool
Choose the range of IP addresses from the existing pool of IP addresses.

WINS
Enter the primary and secondary WINS server IP address in the fields provided. Entering a secondary WINS server address is optional.

Enter the Protected Subnets
Add or remove the subnets for which the packets are tunneled from the VPN clients.

Client Settings
This window allows you to configure additional attributes for security policy such as adding or removing a backup server, Firewall Are-U-There, and Include-Local-LAN.

Browser Proxy
You can specify browser proxy settings for Easy VPN software clients.

What Do You Want to Do?
Choose Browser Proxy Settings
From the drop-down list, choose the browser proxy settings you want to associate with the group.

Browser Proxy Settings Name
If you are adding browser proxy settings, enter a name that will appear in drop-down menus listing browser proxy settings.

User Authentication (XAuth)
This allows you to configure additional attributes for user authentication, such as Group Lock and Save Password attributes.

Client Update
This window allows you to set up client software or firmware update notifications, and displays existing client update entries.

Add or Edit Client Update Entry
This window allows you to configure a new client update entry.
Client Type
Enter a client type or choose one from the drop-down menu.

Browser Proxy Settings

Test VPN Connectivity After Configuring
Click to test the VPN connection you have just configured. The results of the test appear in a separate window.

Add or Edit Easy VPN Server

Exceptions List
A list of IP addresses for which you do not want clients to use the proxy server.

Interface Column
The name of the interface used for this connection.
Group Authorization Column
The name of the method list used for group policy lookup.

Add or Edit Easy VPN Server Connection
This window lets you add or edit an Easy VPN Server connection.

Group Policies Configuration

Restrict Access
This window allows you to specify which group policies are allowed to use the Easy VPN connection.

Add, Edit, Clone, and Delete Buttons
Use these buttons to manage group policies on the router.

Details Window
The Details window is a list of feature settings and their values for the chosen group policy.

Local Pools

The maximum number of connections a user can establish simultaneously. SDM supports a maximum of 10 simultaneous logins per user.

Add or Edit IP Local Pool
This window lets you create or edit a local pool of IP addresses.
Pool Name
If you are creating a pool, enter the pool name.
CHAPTER 11 DMVPN
These help topics provide information about Dynamic Multipoint Virtual Private Network (DMVPN) configuration screens.

Dynamic Multipoint VPN

It is important to configure the hub first because spokes must be configured using information about the hub.

SDM's Configure Spoke feature enables you to create a text file that contains the information that spoke administrators need about the hub's configuration.

Digital Certificates
Select this button if your router uses digital certificates for authentication. Digital certificates are configured under VPN Components > Public Key Infrastructure.

Advanced Button
SDM provides default values for advanced tunnel settings.

Tunnel Key
Enter the key to use for this tunnel. This key should be the same for all mGRE tunnels in the network.

IP Address of hub's mGRE tunnel interface
Enter the IP address of the mGRE tunnel interface on the primary hub. Obtain this information from the hub administrator.

Select an existing OSPF process ID/EIGRP AS number
You can select an existing process ID for OSPF or AS number for EIGRP if one has been previously configured.

Edit — Click to edit the data for an advertised network or group of networks. This button is enabled for entries that you created during the current instance of this wizard.

Fully Meshed Network
Select if you are configuring the router as a spoke capable of establishing a direct IPSec tunnel to other spokes in the network.

Re-register with hub when IP address of interface-name changes — This option is available when the interface you selected receives a dynamic IP address via DHCP or IPCP.

Edit Dynamic Multipoint VPN (DMVPN)

Firewall
If a firewall has been applied to the i.

IPSec Profile
The IPSec profile that the tunnel uses. The IPSec profile defines the transform sets that are used to encrypt traffic on the tunnel.

General Panel
In this panel add or edit general configuration parameters of the DMVPN tunnel.
IP Address
Enter the IP address of the tunnel.

Bandwidth
Enter the intended bandwidth, in kilobytes per second (kbps).

Hold Time
Enter the number of seconds that NHRP network IDs should be advertised as valid.

Destination Reachable through NBMA network — Enter the IP address of the mGRE tunnel configured on the primary hub.

RIP Fields
If you selected RIP as the dynamic routing protocol, select Version 1, Version 2, or Default.

How Do I Configure a DMVPN Manually?
You can configure your router as a DMVPN hub or spoke using the VPN Components windows and the Edit Dynamic Multipoint VPN (DMVPN) window.

To specify the networks you want to advertise t.
CHAPTER 12 VPN Global Settings
These help topics describe the VPN Global Settings windows.
VPN Global Settings
This window displays the VPN global settings for the router.

XAuth Timeout
The number of seconds the router is to wait for a system to respond to the XAuth challenge.

IPSec Security Association (SA) Lifetime (Kilobytes)
The number of kilobytes that the router can send over the VPN connection before the IPSec SA expires.

Keep alive
Specify the number of seconds that the router should maintain a connection when it is not being used.

VPN Key Encryption Settings
The VPN Key Encryption Settings window appears if the Cisco IOS image on your router supports Type 6 encryption, also referred to as VPN key encryption.
CHAPTER 13 IP Security
IP Security (IPSec) is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers.

IPSec Policies

Name
The name of this IPSec policy.
Type
One of the following:
• ISAKMP — IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

Dynamic Crypto Map Sets in this IPSec Policy
Dynamic Crypto Map Set Name
The name of this dynamic crypto map set.

Crypto Maps in this IPSec policy
This box lists the crypto maps in this IPSec policy. The list includes the name, the sequence number, and the transform set that makes up this crypto map.

Add or Edit Crypto Map: General Panel
Change general crypto map parameters in this window. This window contains the following fields.

independently. It thus ensures that if one key is compromised, no other keys will be. If you enable PFS, you can specify use of the Diffie-Hellman group1, group2, or group 5 method.

Note A crypto map can contain a maximum of 6 transform sets.
Available Transform Sets
Configured transform sets available for use in crypto maps.

Add or Edit Crypto Map: IPSec Rules Panel
Use this screen to add or change the IPSec rule used in this crypto map. IPSec rules contain access rule entries that determine the traffic to be encrypted.

Dynamic Crypto Map Sets
This window lists the dynamic crypto map sets configured on the router.
Add/Edit/Delete Buttons
Use these buttons to manage the crypto maps in the window.

IPSec Profiles

Associate Crypto Map with this IPSec Policy
Sequence Number
Enter a sequence number to identify this crypto map set. This sequence number cannot be in use by any other crypto map set.

Transform Set

Delete
Click to edit a selected IPSec profile. If the profile you are deleting is currently used in a DMVPN tunnel, you must configure the DMVPN tunnel to use a different IPSec profile.

You can create multiple transform sets and then specify one or more of them in a crypto map entry.

ESP Integrity
Indicates the integrity algorithm being used. This column will contain a value when the transform set is configured to provide both data integrity and encryption.

What Do You Want to Do?
Add or Edit Transform Set
Use this window to add or edit a transform set.

• Easy VPN Servers do not support ESP-SEAL encryption.
Name of this transform set
This can be any name that you want.

• ESP_NULL. Null encryption algorithm, but encryption transform used.
Note The types of ESP encryption available depend on the router.

IPSec Rules

Note Not all routers support IP compression. If your router does not support IP compression, this box is disabled.

Source
An IP address or keyword that specifies the source of the traffic. Any specifies that the source can be any IP address.
CHAPTER 14 Internet Key Exchange
The help topics in this section describe the Internet Key Exchange (IKE) configuration screens.

Internet Key Exchange (IKE)

IKE Policies
IKE negotiations must be protected; therefore, each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy.

Hash
The authentication algorithm for negotiation.

Add or Edit IKE Policy
Add or edit an IKE policy in this window.
Note
• Not all routers support all encryption types.

• AES-192 — Advanced Encryption Standard (AES) encryption with a 192-bit key.
• AES-256 — Advanced Encryption Standard (AES) encryption with a 256-bit key.

Lifetime
This is the lifetime of the security association, in hours, minutes and seconds.

Add or Edit Pre Shared Key
Use this window to add or edit a pre-shared key.
Key
This is an alphanumeric string that will be exchanged with the remote peer.

IP Address/Subnet Mask
These fields appear if you selected “IP Address” in the Peer field.
CHAPTER 15 VPN Troubleshooting
SDM can troubleshoot VPN connections that you have configured.

VPN Troubleshooting

Peer
The IP address or hostname of the devices at the other end of the VPN connection.
Summary
Click this button if you want to view the summarized troubleshooting information.

VPN Troubleshooting: Specify Easy VPN Client

Test Specific Client Button
This button is enabled if you are testing connections for an Easy VPN server configured on the router.

VPN Troubleshooting: Generate Traffic

Continue Button
After selecting the traffic generation type you want, click this button to continue testing.

VPN Troubleshooting: Generate GRE Traffic
Have SDM generate VPN Traffic
Select this option if you want SDM to generate VPN traffic on the interface for debugging.

SDM Warning: SDM will enable router debugs...
CHAPTER 16 Security Audit
Security Audit is a feature that examines your existing router configurations and then updates your router in order to make your router and network more secure.

The Welcome page of the Security Audit wizard appears.
Step 3 Click Next>. The Security Audit Interface Configuration page appears.

One-Step Lockdown
This option tests your router configuration for any potential security problems and automatically makes any necessary configuration changes to correct any problems found.

Welcome Page

• Enable NetFlow Switching
• Disable IP Redirects
• Disable.

Report Card Page

Outside Column
This column displays a check box for each interface listed in the Interface column.

Fix It Page

you selected, collecting further input from you as necessary, and will then display a list of the new configuration commands that will be added to the router configuration.

The configuration that will be delivered to the router to disable the Finger service is as follows:
no service finger
This fix can be undone.

The configuration that will be delivered to the router to disable TCP small servers is as follows:
no service tcp-small-servers
This fix can be undone.

In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should be disabled or filtered via a firewall for this reason as well.

This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable IP Source Route
Security Audit disables IP source routing whenever possible.

Enable TCP Keepalives for Inbound Telnet Sessions
Security Audit enables TCP keepalive messages for both inbound and outbound Telnet sessions whenever possible.

service sequence-numbers
Enable IP CEF
Security Audit enables Cisco Express Forwarding (CEF) or Distributed Cisco Express Forwarding (DCEF) whenever possible.

This configuration change will require every password on the router, including the user, enable, secret, console, AUX, tty, and vty passwords, to be at least six characters in length.

connections, this can overwhelm and disable the host.

logging console critical
logging trap debugging
logging buffered <.

The configuration that will be delivered to the router to disable SNMP is as follows:
no snmp-server
Set Scheduler Interval
Security Audit configures the scheduler interval on the router whenever possible.

Set Users
Security Audit secures the console, AUX, vty, and tty lines by configuring Telnet user accounts to authenticate access to these lines whenever possible.

NetFlow identifies flows of network packets based on the source and destination IP addresses and TCP port numbers.

The configuration that will be delivered to the router to disable proxy ARP is as follows:
no ip proxy-arp
This fix can be undone.

Disable MOP Service
Security Audit will disable the Maintenance Operations Protocol (MOP) on all Ethernet interfaces whenever possible.

in the internetwork. ICMP mask reply messages are sent to the device requesting the information by devices that have the requested information.
Chapter 16 Sec urity Audit Fix It Page 16-22 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Enable Unic ast RPF on Outside Interfac es Security Audit ena bles unicast Rev erse P ath Forw arding (RPF) on all interfa ces that co nnect to the I nternet wh ene ver possib le.
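Enabling unicast RPF is a one-line fix, but what the router then accepts depends entirely on its routing table, so the following is an added example (not Cisco code, and not taken from this guide) that models the check against a constructed forwarding table. Strict mode requires the best route back to the packet's source to leave through the interface the packet arrived on; loose mode accepts any route to the source; and whether a default route may satisfy the check is a parameter here, because IOS makes it one (the allow-default keyword, named from the IOS command reference rather than from this page). The routes, interface names and packet list are constructed.

```python
"""Added example (not Cisco's code): the unicast RPF check that the fix above
turns on, run against a constructed routing table.  Whether a default route
may satisfy the check is a knob here (IOS exposes it as 'allow-default');
the routes, interface names and sample packets are constructed."""
import ipaddress

# Constructed FIB: (prefix, egress interface).  FastEthernet0/1 faces the
# Internet and carries only the default route; FastEthernet0/0 is the inside LAN.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/24"), "FastEthernet0/0"),
    (ipaddress.ip_network("192.0.2.0/24"), "FastEthernet0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "FastEthernet0/1"),
]


def lookup(routes, addr):
    """Longest-prefix match; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_allows(routes, ingress, src, mode="strict", allow_default=False):
    """True if a packet with source 'src' arriving on 'ingress' passes RPF.

    strict: the best route back to src must leave via the ingress interface.
    loose:  any route to src is enough (only unrouted sources are dropped).
    A route of prefix length 0 (the default) counts only when allow_default is set."""
    hit = lookup(routes, src)
    if hit is None or (hit[0].prefixlen == 0 and not allow_default):
        return False
    return mode == "loose" or hit[1] == ingress


def dropped(routes, packets, **kw):
    """Run the check over (ingress, source) pairs; returns the sources dropped."""
    return [src for ingress, src in packets if not urpf_allows(routes, ingress, src, **kw)]


# Constructed sample traffic.
PACKETS = [
    ("FastEthernet0/1", "10.0.0.5"),     # spoofed: claims an inside LAN address
    ("FastEthernet0/1", "192.0.2.9"),    # legitimate, on the connected outside subnet
    ("FastEthernet0/1", "203.0.113.4"),  # Internet source, only the default route matches
    ("FastEthernet0/0", "10.0.0.5"),     # legitimate inside host
]
```

Running the sample through the check shows the practitioner's caveat: with only a default route on the Internet-facing interface, strict mode without the default-route allowance drops the legitimate 203.0.113.4 along with the spoofed 10.0.0.5, while loose mode keeps 203.0.113.4 but also lets the spoofed inside address through. Strict mode also fails under asymmetric routing, so confirm the return path before enabling it on an interface that carries live traffic.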
destination addresses. Without CBAC, advanced application traffic is permitted only by writing Access Control Lists (ACLs).

    access-class <std-acl-num>

Enable SSH for Access to the Router.

Security Audit Configuration Summary Screen
• Configure authentication and authorization for VTY lines
The local database will be used for both authentication and authorization.

SDM and Cisco IOS AutoSecure
• Disable IP Proxy ARP
• Disable IP Direct .

Security Configurations SDM Can Undo
• Configuring AAA — If the Authentica .

Undoing Security Audit Fixes
SDM can undo this security fix. If you want SDM to remove this security configuration, run the Security Audit wizard.
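Each fix in this chapter is a one- or two-line IOS command, and before running the wizard a practitioner usually wants to know which fixes a given router still needs and what undoing them would cost. The following is an added example written for this edition; it is not part of SDM or Cisco IOS. It parses a running-config, applies a subset of the checks described above (Finger, TCP small servers, SNMP, CEF, proxy ARP, MOP on Ethernet interfaces, and unicast RPF on the interfaces you name as outside), and renders the fix commands and the undo commands. The rule table, the assumptions about which settings are on by default, the outside parameter and the sample config are constructed for the example.

```python
"""Added example (not Cisco's code): audit an IOS running-config for settings
that SDM's Security Audit fixes, then emit the fix and undo commands.
The rule table, default-state assumptions and sample config are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str           # "global", "interface", "ethernet" or "outside"
    bad: str             # regex of the line that means the weak setting is on
    good: str            # regex of the line that means the fix is already applied
    default_bad: bool    # the weak setting is the IOS default when neither line appears
    fix: str
    undo: Optional[str]  # None: reversing needs lines only a config backup still has

RULES = [
    Rule("finger", "global", r"^(service|ip) finger$", r"^no (service|ip) finger$",
         True, "no service finger", "service finger"),
    Rule("tcp-small-servers", "global", r"^service tcp-small-servers",
         r"^no service tcp-small-servers", False, "no service tcp-small-servers",
         "service tcp-small-servers"),
    Rule("cef", "global", r"^no ip cef$", r"^ip cef( distributed)?$",
         True, "ip cef", "no ip cef"),
    # 'no snmp-server' also removes the community strings, so there is no safe undo.
    Rule("snmp", "global", r"^snmp-server community ", r"^no snmp-server$",
         False, "no snmp-server", None),
    Rule("proxy-arp", "interface", r"^ip proxy-arp$", r"^no ip proxy-arp$",
         True, "no ip proxy-arp", "ip proxy-arp"),
    Rule("mop", "ethernet", r"^mop enabled$", r"^no mop enabled$",
         True, "no mop enabled", "mop enabled"),
    Rule("urpf", "outside", r"^no ip verify unicast", r"^ip verify unicast ",
         True, "ip verify unicast reverse-path", "no ip verify unicast reverse-path"),
]

@dataclass(frozen=True)
class Finding:
    rule: Rule
    where: str           # "global" or an interface name

def parse(config):
    """Split a config into global lines and {interface name: [sub-mode lines]}."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):        # sub-mode line: keep only interface ones
            if cur is not None:
                cur.append(line.strip())
            continue
        m = re.match(r"^interface (\S+)$", line)
        cur = ifaces.setdefault(m.group(1), []) if m else None
        if not m:
            glob.append(line)
    return glob, ifaces

def _weak(rule, lines):
    if any(re.match(rule.good, l) for l in lines):
        return False
    return any(re.match(rule.bad, l) for l in lines) or rule.default_bad

def audit(config, outside=()):
    """One Finding per rule (and per interface) where the weak setting is in effect."""
    glob, ifaces = parse(config)
    found = [Finding(r, "global") for r in RULES if r.scope == "global" and _weak(r, glob)]
    for r in [r for r in RULES if r.scope != "global"]:
        for name, lines in ifaces.items():
            if r.scope == "ethernet" and "Ethernet" not in name:
                continue
            if r.scope == "outside" and name not in outside:
                continue
            if _weak(r, lines):
                found.append(Finding(r, name))
    return found

def _render(findings, pick):
    out = []
    for f in findings:
        cmd = pick(f.rule)
        out += [cmd] if f.where == "global" else [f"interface {f.where}", f" {cmd}", "exit"]
    return out

def fix_commands(findings):
    return _render(findings, lambda r: r.fix)

def undo_commands(findings):
    """Reverse every fix that has an undo; findings whose undo is None are skipped."""
    return _render([f for f in findings if f.rule.undo], lambda r: r.undo)

# Constructed running-config excerpt; FastEthernet0/1 is the Internet-facing interface.
SAMPLE_CONFIG = """\
service tcp-small-servers
ip cef
snmp-server community public RO
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
"""
```

Feed it the output of show running-config and the interface names that face the Internet: audit(config, outside=("FastEthernet0/1",)) lists what is still weak, fix_commands() gives the lines the wizard would deliver, and undo_commands() gives the reversal, which deliberately omits the SNMP fix because no snmp-server also deletes the community strings and only a backup of the original lines can put them back.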
Configure User Accounts for Telnet/SSH Page
User Name
Enter the username for the new account in this field.
Password
Enter the password for the new account in this field.

Delete Button
Click a user account in the table to select it, and click this button to delete the selected account.

Logging Page
This screen lets you configure the router log by c.

Immediate action needed
2 - critical: Critical conditions .
Chapter 17 Routing

The Routing window displays the configured static routes and the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) configured routes.

What Do You Want To Do?
Note
• If SDM detects a previously configured static route entry that has the next hop interface configured as the "Null" interface, then the static route entry will be read-only.

Item
Value
This column contains the text "Enabled," and configuration values when a routing type has been configured.

Add or Edit IP Static Route
Prefix
Enter the IP address of the destination network. For more information, refer to Available Interface Configurations.

Add or Edit a RIP Route
Use this window to add or edit a Routing Information Protocol (RIP) route.
RIP Version
The values are RIP version 1, RIP version 2, and Default.

Add or Edit an OSPF Route
IP Network List
Enter the networks that you want to create routes to. Click Add to add a network. Click Delete to delete a network from the list.

Add or Edit EIGRP Route
Use this window to add or edit an Enhanced IGRP (EIGRP) route.
Chapter 18 Network Address Translation

Network Address Translation (NAT) is a robust form of address translation that extends addressing capabilities by providing both static address translations and dynamic address translations.

Network Address Translation Wizards
If your network has email s.

To remove a network from the NAT configuration, clear its checkbox.

Advanced NAT Wizard: Connection
Choose an Interface
From the drop-down menu, choose the interface that connects to the Internet.

• Any comments entered about the network
To remove a network from the NAT configuration, clear its checkbox.

To reorder the list based on the private IP addresses, click the column head Private IP Address.

Type of Server
This field appears only if you choose to show advanced options with the Show or Hide Advanced button.

Advanced NAT Wizard: VPN Conflic.

Network Address Translation Rules
Address Pools
Click this button to configure or edit address pools. Address pools are used with dynamic address translation.

Rule Type
Rules are either static address translation rules or dynamic address translation rules.

Make translation timeout settings. Click Translation Timeouts, and make settings in the Translation Timeouts window.

Note There are many conditio.

DNS Timeout
Enter the number of seconds after which connections to DNS servers time out.

Edit Route Map
When VPNs and .

Edit Route Map Entry
Use this window to edit the access list specified in a route map entry.

Address
This field contains the IP address range in the pool.

Port Address Translation (PAT)
There may be times when most of the addresses in the pool have been assigned, and the IP address pool is nearly depleted.
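The translation timeouts and the PAT option are easier to understand in a model than in field descriptions, so the following is an added example (not Cisco's code and not from this guide) of a NAT table that hands out pool addresses one-to-one, falls back to port address translation on a router interface address once the pool is empty, and expires idle translations per protocol, with a separate, shorter timeout for DNS. The addresses, pool and scenario are constructed; the timeout values are the IOS defaults as the author of this example knows them, not values stated on this page; and the one-to-one-then-PAT order is the behaviour the text describes, simplified.

```python
"""Added example (not Cisco's code): dynamic NAT from an address pool that
falls back to PAT on an interface address when the pool is depleted, with
per-protocol translation timeouts.  Pool, addresses, timeouts and the
walk-through are constructed."""
from dataclasses import dataclass

# Seconds before an idle translation is removed (assumed IOS defaults).
DEFAULT_TIMEOUTS = {"tcp": 86400, "udp": 300, "dns": 60, "icmp": 60}


@dataclass
class Xlate:
    outside_ip: str
    outside_port: int
    expires: float


class NatTable:
    def __init__(self, pool, pat_address, static=None, timeouts=None):
        self.free = list(pool)            # dynamic pool addresses not yet handed out
        self.pat_address = pat_address    # shared address used once the pool is empty
        self.static = dict(static or {})  # inside ip -> fixed outside ip
        self.timeouts = {**DEFAULT_TIMEOUTS, **(timeouts or {})}
        self.host_map = {}                # inside ip -> dynamic outside ip (one-to-one)
        self.flows = {}                   # (inside ip, inside port, proto) -> Xlate
        self.pat_used = set()             # (proto, port) in use on the PAT address
        self.next_port = 1024

    def _timeout(self, proto, dst_port):
        return self.timeouts["dns" if proto == "udp" and dst_port == 53 else proto]

    def _expire(self, now):
        """Drop idle flows and return pool addresses that no live flow uses."""
        for key, x in list(self.flows.items()):
            if x.expires <= now:
                del self.flows[key]
                if x.outside_ip == self.pat_address:
                    self.pat_used.discard((key[2], x.outside_port))
        live = {key[0] for key in self.flows}
        for host in [h for h in self.host_map if h not in live]:
            self.free.append(self.host_map.pop(host))

    def _pat_port(self, proto):
        for _ in range(65535 - 1024):
            port = self.next_port
            self.next_port = 1024 if port == 65535 else port + 1
            if (proto, port) not in self.pat_used:
                self.pat_used.add((proto, port))
                return port
        raise RuntimeError("PAT port space exhausted")

    def translate(self, inside_ip, inside_port, proto, dst_port, now):
        """Outside (ip, port) for an inside-to-outside packet seen at time 'now'."""
        self._expire(now)
        key = (inside_ip, inside_port, proto)
        ttl = self._timeout(proto, dst_port)
        if key in self.flows:                          # existing flow: refresh it
            self.flows[key].expires = now + ttl
        elif inside_ip in self.static:                 # static rule wins
            self.flows[key] = Xlate(self.static[inside_ip], inside_port, now + ttl)
        elif inside_ip in self.host_map:               # host already holds a pool address
            self.flows[key] = Xlate(self.host_map[inside_ip], inside_port, now + ttl)
        elif self.free:                                # pool still has an address
            self.host_map[inside_ip] = self.free.pop(0)
            self.flows[key] = Xlate(self.host_map[inside_ip], inside_port, now + ttl)
        else:                                          # pool depleted: PAT
            self.flows[key] = Xlate(self.pat_address, self._pat_port(proto), now + ttl)
        x = self.flows[key]
        return x.outside_ip, x.outside_port


def demo():
    """Constructed walk-through: two-address pool, one static entry, then depletion."""
    nat = NatTable(pool=["203.0.113.10", "203.0.113.11"], pat_address="203.0.113.1",
                   static={"10.0.0.5": "203.0.113.50"})
    packets = [
        ("10.0.0.5", 4000, "tcp", 443, 0),   # static mapping
        ("10.0.0.20", 5000, "tcp", 80, 0),   # takes pool address 1
        ("10.0.0.21", 5000, "tcp", 80, 0),   # takes pool address 2
        ("10.0.0.22", 5000, "udp", 53, 0),   # pool empty: PAT, 60 s DNS timeout
        ("10.0.0.22", 5001, "udp", 53, 0),
        ("10.0.0.23", 7000, "udp", 53, 61),  # DNS flows expired; TCP ones still hold the pool
    ]
    return nat, [nat.translate(*p) for p in packets]
```

In the walk-through the two TCP hosts keep their pool addresses for the full TCP timeout, so the DNS clients that arrive later share the interface address with translated ports; the DNS entries are gone a minute later and their ports can be reused. That is why the DNS timeout is worth setting lower than the generic UDP one: a busy resolver otherwise pins hundreds of translations for five minutes each.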
Direction
This help topic describes how to use the Add Address Translation Rule fields when From inside to outside is selected.

Network Mask
If you want SDM to translate the addresses of a subnet, enter the mask for that subnet.

• If you are mapping the i.

Note If you create a NAT ru.

IP Address
Do one of the follo.

Note If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.

Note If you create a NAT rul.

Access Rule...
Dynamic NAT translation rules use access rules to specify the addresses that need translation.

Add or Edit Dynamic Address T.

Translate from Interface
This area shows the interfaces from which packets needing address translation may arrive.

Type
Select Interface if you want the Translate from... addresses to use the address of an interface on the router.

How Do I . . .
• Add or Edit Dynamic Address Translation Rul.
Chapter 19 Intrusion Prevention System

IOS Intrusion Prevention System (IPS) allows you to manage intrusion prevention on routers that run an IOS image of version 12.

IPS Rules
Global Settings Drawer
Click to display the Global Settings window, where you make settings that affect the overall operation of IOS IPS.

• The location of the Signature Definition File (SDF).
The use case scenario illustrates a configuration in which an IPS rule is used.

Use the Add, Delete, Move Up, and Move Down buttons to add, remove, and order a list of SDF locations that the router can attempt to contact to obtain an SDF.

Enable Button
Click this button to enable IPS on the selected interface.

• Unnumbered — The router will use one of a pool of IP addresses supplied by your service provider for your router, and for the devices on the LAN.

Source/Destination — A network or host address, or any host or network.
Service — Type of service filtered.

Outbound Filter (Optional)
Enter the name or number of the access rule that specifies the outbound traffic to be examined.

Import Signatures
Note Before you use the IPS Signature Import wizard, you must have saved the SDF that you intend to use to a directory on your PC.

Welcome to the IPS Signature Import Wizard
This window summarizes the tasks that you perform as you go through the IPS Signature Import wizard.

Match all of the conditions button
If the signatures that you want must match all of the conditions that you specify, choose this button.

Signatures
This window lets you view the configured IPS signatures on the router. You can add customized signatures, or import signatures from Cisco.

Edit
Click the Edit button to edit the parameters of the selected signature.
Delete button
Click to mark the selected signature for deletion from the list.

SDFs are available from Cisco. Click the following URL to download an SDF from Cisco.com: http://www.

Icons
Right-click Context Menu
If you rig.

Apply Changes button
Click to deliver newly imported signatures, signature edits, and newly enabled or disabled signatures to the router.

Signature Tree
If you need a description of the signature tree, click this link: Signature Tree.

Add, Edit, or Clone Signature
This window contains fields and values described in the Field Definitions section.

• SigVersion — Signature version.
• ThrottleInterval — Number of seconds defining an Alarm Throttle interval.

Auto save
Check this option if you want the router to automatically save the SDF in the event of a router crash.

Global Settings
Determine Which SDF File is in Memory
To determine which SDF file is in router memory, open a Telnet or SSH session to the router, and enter the show flash command.

Notification Method
Status
Configured SDF Locations
A signature location is a URL that provides a path to an SDF.

Delete Button
Click to delete a selected location.
Move Up/Down Buttons
Use these buttons to change the order of preference for the URLs in the list.

SDEE Messages
Enable Deny Action on IPS interface
This option is applicable if signature actions are configured to "deny Attacker Inline" or "deny Flow Inline".

Description
Available description.
Refresh Button
Click to check for new SDEE messages.
Close Button
Click to close the SDEE Messages window.

IDS error messages
ENGINE_BUILD_FAILED: %s - %d ms - engine build failed - %s
Explanation: Triggers when one of the engines fails to build after an SDF file is loaded.
Chapter 20 Network Module Management

If the router has network modules that are managed by other applications, such as Intrusion Detection System (IDS), SDM provides a means for you to launch those applications.

IDS Network Module Management
Reset
Click to perform a reset of .

IDS NM Monitoring Interface Settings
This area of the window shows which router interfaces have traffic sent to the IDS network module for monitoring.

IP Address
Enter an IP address to use for the IDS Sensor interface. SDM will do the following:
• Create a loopback interface.

Specify
If you know the network module's IP address, choose this option, and enter the address.

Date & Time
IP CEF Setting
IDS NM Initial Setup
For more information on configuring the IDS module, refer to the documents at the following link.

Network Module Login
IDS NM Interface Monitoring Configuration
Use this window to select router interfaces whose traffic you want the IDS network module to monitor.

Switch Module Interface Select.
Chapter 21 Quality of Service

The Quality of Service (QoS) Wizard allows a network administrator to enable QoS on the router's WAN interfaces.

QoS Wizard
Next
Click the Next button to begin configuring a QoS policy.
Interface Selection
Choose the interface on which you want to configure the QoS policy in this window.

QoS Policy Generation
Bandwidth Allocation
This area allows you to track and allocate bandwidth to the outgoing traffic.

View QoS Class Details
The window that appears when you click the View Details button displays details of the QoS classes that are going to be created for the QoS policy.

Summary of the configuration
The QoS Wizard Summary window displays the summary of the QoS policy-map and its related QoS class-maps.

Edit QoS Policy
IP Address
The IP address of the interface to which the policy is applied.
QoS Policy Details
This area lists the type of traffic and the bandwidth allocated to each traffic type configured.

Queuing
This column lists the queuing type, either bandwidth or priority. In Class Based Weighted Fair Queuing (CBWFQ) a class is given either a guaranteed share of the link (bandwidth) or a strict-priority, low-latency queue (priority, the Low Latency Queuing extension of CBWFQ).

Add
Click this button to add an NBAR-recognized protocol that has not been matched under any of the existing classes.

Add a Protocol
This window allows you to add the protocols that are not added to the real-time traffic class.

Interface Association
This window provides you the opportunity to associate a cloned policy with an interface.

QoS Status
Bandwidth utilization is shown in Kbps.

Statistics
Select one of the following:
• Bandwidth
• Bytes.
Chapter 22 Network Admission Control

Network Admission Control (NAC) reduces the infection of data ne.

Create NAC Tab
The NAC configuration on the router is only one part of a complete NAC implementation.

Welcome
The NAC wizard enables you to do the follow.

Select the interface through which the RADIUS server is accessed
List
Choose the interface that the router is to use to connect to the RADIUS servers.

Add, Edit, and Ping Buttons
To provide information for a RADIUS server, click the Add button and enter the information in the screen displayed.

IP Address/MAC Address/Device Type, Address/Device, and Policy Columns
These columns contain information about a host in the exception list.

Policy List
Select the policy that you want to apply to the host.

Access Rule Field
Enter the name of the access rule that you want to use, or click the button to the right of this field and browse for the access rule, or create a new access rule.

NAC Router Management Access
Hosts logging on to SDM must be exempt from NAC validation.

Details Window
This window displays the entries that SDM will add to ACLs to allow services needed for the NAC validation process.

Edit NAC Tab
The Edit NAC tab lists the NAC policies configured on the router and enables you to configure other NAC settings.

Exception List Window
This placeholder topic will be removed when the help system for NAC is built. This help topic has already been written for wizard mode.

Add, Edit, and Delete Buttons
Click the Add button to create a new exception policy. Use the Edit button to modify existing exception policies, and the Delete button to remove exception policies.

Revalidation Timeout Field
The router periodically queries the posture agent on the client to determine the client's adherence to security policy.

How Do I...
The access rule must contain deny statements that specify the traffic that is to be exempted from the admission control process.
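Deny-means-exempt is the opposite of what an access rule usually expresses, so the following is an added example (not Cisco's code and not from this guide) that evaluates such a rule the way the admission-control intercept does: the first matching entry decides, permit means the host is subject to posture validation, deny means it is exempt, and no match at all is also exempt, because every IOS access list ends in an implicit deny. The ACL text, the hosts and the small port-name table are constructed; the entries exempt DHCP, DNS to one server and an SDM management host, which is what the NAC Router Management Access section above requires.

```python
"""Added example (not Cisco's code): evaluate an IOS-style access rule as the
NAC intercept does.  permit -> host is validated; deny or no match -> exempt.
The ACL text, hosts and port-name table are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # assumed subset


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None matches any port


def _addr(tok):
    """Consume one IOS address spec: any | host A | A WILDCARD."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    addr, wild = tok[0], tok[1]
    # ipaddress reads a mask with a leading zero field as a host mask, which is
    # what an IOS wildcard is; the all-zero wildcard would be read as /0, so
    # it is special-cased to a single host.
    net = ipaddress.ip_network((addr + "/32") if wild == "0.0.0.0" else f"{addr}/{wild}")
    return net, tok[2:]


def parse_ace(text):
    tok = text.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok)
    dst, tok = _addr(tok)
    port = None
    if tok[:1] == ["eq"]:
        port = PORT_NAMES.get(tok[1]) or int(tok[1])
    return Ace(action, proto, src, dst, port)


def parse_acl(text):
    lines = [l.strip() for l in text.splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def matches(ace, proto, src, dst, dst_port):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dst_port is None or ace.dst_port == dst_port


def nac_disposition(acl, proto, src, dst, dst_port=None):
    """'validate' if the first matching entry is a permit, otherwise 'exempt'."""
    for ace in acl:
        if matches(ace, proto, src, dst, dst_port):
            return "validate" if ace.action == "permit" else "exempt"
    return "exempt"   # implicit deny at the end of every IOS access list


# Constructed rule in the shape the wizard builds: exempt what validation itself
# needs (DHCP, DNS to the local server, the SDM host talking to the router),
# then intercept everything else.
SAMPLE_ACL = """
deny udp any any eq bootps
deny udp any host 10.0.0.53 eq domain
deny ip host 10.0.0.9 host 10.0.0.1
permit ip any any
"""
```

The last assertion-worthy case is the one that bites in practice: an access rule with no permit entry at all exempts every host, so a rule built only from deny statements silently disables admission control rather than tightening it.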
Chapter 22 Network Admis sion Contro l How Do I... 22-36 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 http://www .cisco.com/en/US/p roducts/ps5923/index.html The doc umen t at the f ollowing lin k explai ns how to i nstall and configure CT A software on a host.
CHAPTER 23 Router Properties. Router properties let you define the overall attributes of the router, suc.
Enter the text for Banner. Enter text for the router banner. The router text banner is displayed whenever anyone logs in to the router.
Date/Time. You can see the router’s date and time settings on the right side of the SDM status bar.
Note: You must make the Time Zone and Daylight Savings settings on the PC before starting SDM so that SDM will receive the correct settings when you click Synchronize.
IP Address. The IP address of an NTP server.
Prefer. Click this box if this is to be the preferred NTP server. Interface. Select the router interface that will provide access to the NTP server.
SNTP. This window is displayed on Cisco 830 routers. Network Time Protocol (NTP) allows routers on your network to synchronize their time settings with an NTP server.
Note: An extended access rule will be created for port 123 traffic and applied to the interface that you select in this window.
Enable SNMP. Check this box to enable SNMP support. Uncheck this box to disable SNMP support.
Router Access. This window explains which features are included in Router Access.
What Do You Want To Do? Add or Edit a Username. Add or edit a user account in the fields provided in this window.
Note: Protocols that require the retrieval of clear text passwords, such as CHAP, cannot be used with MD5-encrypted passwords.
Details. The Associate a View for this user area displays details of the selected view. Click the Details button for more detailed information about the selected view.
• Authentication Policy — The AAA authentication policy associated with this vty line. This field is visible if AAA is configured on the router.
SSH. Check this check box to enable the router to communicate with SSH clients. Access Rule. You can associate access rules to filter inbound and outbound traffic on the vty lines in the range.
Host/Network. A network address or host IP address. If a network address is given, the policy applies to all hosts on that network.
Edit Button. Click to edit a management policy, and specify the policy in the Edit a Management Policy window. Delete Button. Click to delete a selected management policy.
Management Protocols. Specify the management protocols allowed for the host or network. Allow SDM. Check to allow the specified host or network to access SDM.
can create a security risk because if source is “any” it allows .
SSH. This router implements Secure Shell (SSH) Server, a feature that enables an SSH client to make a secure, encrypted connection to a Cisco router.
DHCP Configuration. This window explains how you can manage DHCP configurations on your router. DHCP Pools. This window displays the DHCP pools configured on the router.
Add. Select this option to create a new DHCP pool. You need to specify the DHCP pool name, DHCP pool network, DHCP pool IP address range and lease time.
Subnet Mask. Enter the subnet mask. The subnet mask of the example network address could be 255.255.255.
Host/IP Mask. The IP address and mask bound to the client. MAC Address. The MAC address of the client.
Name. Enter the name you want for the DHCP binding. If you are editing the DHCP binding, the name field is read-only.
DNS Properties. The Domain Name System (DNS) is a database of Internet host names with their corresponding IP addresses distributed over designated DNS servers.
Edit Button. To edit a dynamic DNS method, choose it from the list of existing dynamic DNS methods and then click the Edit button.
IETF. IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface’s IP address.
CHAPTER 24 ACL Editor. Rules define how the router will respond to a particular kind of traffic.
No. of Rules. The number of rules of this type. Description. A description of the rule if one has been entered.
• How Do I Modify an Existing Firewall to Permit Traffic from a.
The upper portion of the screen lists the access rules that have been configured on this router. This list does not contain SDM default rules.
Access rules can be either standard rules or extended rules. IPSec rules have to be extended rules because they must be able to specify a service type.
Destination. For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host.
Add or Edit a Rule. This window lets you add or edit a rule you have selected in the Rules window.
Rule Entry List. This list shows the entries that make up the rule. You can add, edit, and delete entries. You can also reorder them to change the order in which they are evaluated.
What do you want to do? Associate with an Interface. You can use th.
Select an Interface. Select the interface to which you want this rule to apply. Specify a Direction. If you want the router to check packets inbound to the interface, click Inbound.
What do you want to do? Add a Standard Rule Entry. A standard rule entry allows you to permit or deny traffic that came from a specified source.
Note: Any traffic that does not match the criteria in one of the rule entries you create is implicitly denied.
Mask. If you selected A Network or if you selected A Host Name or IP address, either select the wildcard mask from this list, or enter a custom wildcard mask.
What Permit and Deny do depends on the type of rule in which they are used. In SDM, extended rule entries can be used in access rules, NAT rules, IPSec rules, and access lists associated with route maps.
Type. Select one of the following: • A specific IP address. This can be a network address or the address of a specific host.
See Services and Ports to see a table containing port names and numbers available in SDM.
Rule Category. Select the rule category that you want to select from. The rules in the category you select will appear in the box below the list.
CHAPTER 25 Port-to-Application Mapping. Port-to-Application Mapping (PAM) allows you to customize TCP and UDP port numbers for network services and applications.
Application Protocol Column. This column contains the name of the application protocol, and the names of the protocol types.
Description Column. If a description of the PAM entry has been created, the description is displayed in this column.
numbers separated by commas, or port number ranges indicated with a dash.
CHAPTER 26 Authentication, Authorization, and Accounting. Cisco IOS Authentication, Authorization, and Accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent manner.
Enable/Disable AAA. AAA is enabled by default.
AAA Servers Window. This window lets you view a snapshot of the information about the AAA servers that the router is configured to use.
Add or Edit a TACACS+ Server. Add or edit information for a TACACS+ server in this window.
Add or Edit a RADIUS Server. Add or edit information for a RADIUS server in this window.
TACACS+ Server/RADIUS Server. Click the appropriate button to specify the server type for which you are setting global parameters.
Type. The type of servers in the selected group, either TACACS+ or RADIUS.
List Name. The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.
Method 1 Column. The method that the router will attempt first.
Methods. A method is a configured server group. Up to four methods can be specified and placed in the list in the order you want the router to use them.
CHAPTER 27 Router Provisioning. This window tells you if SDM has detected a USB token or USB flash device connected to your router.
Step 5 Click OK to load the chosen file.
CHAPTER 28 Public Key Infrastructure. The Public Key Infrastructure (PKI) windows enable you to generate enrollment requests and RSA keys, and manage keys and certificates.
• NTP not configured — The router must have accurate time for certificate enrollment to work.
Note: SDM supports only base-64-encoded PKCS#10-type cut and paste enrollment. SDM does not support importing PEM and PKCS#12 type certificate enrollments.
Note: The information you enter in this screen is used to generate a trustpoint. The trustpoint is generated with a default revocation check method of CRL.
Advanced Options Button. Advanced options allow you to provide more information to enable the router to contact the CA server.
Include router’s IP Address. Check if you want to include a valid IP address configured on your router in the certificate request.
State (st). Enter the state or province in which the router or the organization is located. Country (c). Enter the country in which the router or the organization is located.
The modulus determines the size of the key.
If you are performing a cut-and-paste enrollment. After the commands are delivered to the router, SDM generates an enrollment request and displays it in another window.
Begin New Enrollment. Click Begin new enrollment to generate a trustpoint, an RSA key pair and an enrollment request that you can save to your PC and send to the CA server.
Import CA and router certificate(s). Choose this option if you want to import both the CA server’s certificate and the router’s certificate in the same session.
Browse Button. Click to locate the certificate file on the PC.
Edit Button. A trustpoint can be edited if it is an SCEP trustpoint, and if the CA server’s certificate and the router’s certificate have not both been successfully imported.
Refresh Button. Click to refresh the Certificate chain area when you select a different trustpoint in the Trustpoints list.
Revocation Check. Specify how the router is to check whether a certificate has been revoked in this window.
• Best Effort — Download the CRL from the CRL server if it is available. If it is not available, the certificate will be accepted.
Key Data. Click to view a selected RSA key. Save Key to PC Button. Click to save the data of the selected key to your PC.
Save to USB Token. Check the Save keys to secure USB token check box if you want to save the RSA keys to a USB token connected to your router.
Maximum PIN Retries. Displays the maximum number of times SDM will attempt to log in to the USB token with the given PIN.
Current PIN. If you are adding a USB token login, or if you are editing a USB token login that has no PIN, the Current PIN field displays <None>.
SDP Troubleshooting Tips. Use this information before enrolling using Secure Device Provisioning (SDP) to prepare the connection between the router and the certificate server.
Open Firewall. This screen is displayed when SDM detects firewall(s) on interfaces that would block return traffic that the router needs to receive.
Details Button. Click this button to view the access control entry that SDM would add to the firewall if you allow the modification.
CHAPTER 29 Resetting to Factory Defaults. You can reset the configuration of the router to factory defaults and save the current configuration to a file that can be used later.
The process for giving the PC a static or dynamic IP address varies slightly depending on the version of Microsoft Windows the PC is running.
Specify an IP address. Enter the IP address 10.10.10.2 or any other address in the 10.10.10.0 subnet greater than 10.
This Feature Not Supported. This window appears when an SDM feature is not supported.
CHAPTER 30 More About.... These topics provide more information about subjects that SDM online help discusses.
The subnet mask is used to specify how many of the 32 bits are used for the network number and, if subnetting is used, the subnet number.
When a network address is displayed in SDM windows, the IP address and subnet mask for it may be shown in network address/subnet bits format, as in the following example: 172.
IP Address/Wildcard Mask. Enter a network address, and then the wildcard mask to specify how much of the network address must match exactly.
DHCP Address Pools. The IP addresses that the DHCP server ass.
Reserved Addresses. You must not use the following addresses in the range of addresses that you specify: • The network/subnetwork IP address.
• IP Services • Services That Can Be Specified in Inspection Rules. TCP Services (TCP Service, Port Number, Description): bgp 179 Border Gateway Protocol.
UDP Services. lpd 515 Line Printer Daemon. A protocol used to send print jobs between UNIX systems. nntp 119 Network News Transport Protocol.
netbios-ns 137 NetBios name service. netbios-ss 139 NetBios session service. ntp 123 Network Time Protocol.
ICMP Message Types (ICMP Messages, Port Number, Description): alternate-address 6 Alternate host address. conversion-error 31 Sent to report a datagram conversion error.
IP Services. timestamp-request 13 Request for timestamp to be used for synchronization between two devices. traceroute 30 Message sent in reply to a host that has issued a traceroute request.
Services That Can Be Specified in Inspection Rules. tcp 6 Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
More About NAT. This section provides scenario information that ma.
Scenario 2. You need to map each IP address in a network to a unique public IP address, and you do not want to create a separate rule for each mapping.
Result. The source address 10.12.12.3 is translated to the address 172.17.4.8 in packets leaving the router.
Dynamic Address Translation Scenarios. The following scenarios show you how you can use dynamic address translation rules.
Scenario 2. You want the host addresses specified in access-list 7 in the previous scenario to use addresses from a pool you define.
• The inside source static network command with one of the ke.
• Security and VPN Devices • IPSecurity Troubleshooting.
A router interface can be associated with only one IPSec policy.
More About IKE. IKE handles the following tasks: • Authent.
– Encryption Algorithm: DES, 3DES, or AES – Packet Si.
Allowable Transform Combinations. To define a transform set, you specify one to three transforms. Each transform represents an IPSec security protocol (AH or ESP) plus the algorithm that you want to use.
Reasons Why a Serial Interface or Subinterface Configuration May Be Read-Only.
Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only. • The interface is configured with the encapsulation frame-relay command with an IP address on the main interface.
Reasons Why an Ethernet Interface Configuration May Be Read-Only. • If the “dial-on-demand” option is configured on the pppoe-client command.
Reasons Why an ISDN BRI Interface Configuration May Be Read-Only. Reasons.
Reasons Why an Analog Modem Interface Configuration May Be Read-Only.
Firewall Policy Use Case Scenario. – track / rtr or both is not configured – r.
Examining Originating Traffic: From Interf.
These are the entries that protect the network attached to Fast Ethernet 0/0. The Deny entries filter IP traffic from specific networks.
The Services area shows that certain types of ICMP traffic have been permitted.
DMVPN Configuration Recommendations. Assigning Spoke Addresses. All routers in the DMVPN must be in the same subnet.
Ping the Hub Before You Start Spoke Configuration. Before configuring a spoke router, you should test connectivity to the hub by issuing the ping command.
C HAPTER 31-1 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 31 Getting Started Cisco R outer and Se curity Device Man ager (SDM) is a n easy- to-u se In ternet browser-based software tool desig ned for c onfiguring LAN , WA N , an d secur ity featu res on a r outer .
Chapter 31 Ge tting Started What ’ s New in th is Rele ase? 31-2 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 What ’ s New in this Release? T o find out the new featur es SDM suppor ts, go to: http://www .cisco.
C HAPTER 32-1 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 32 Viewing Router Information The Ci sco R outer and Sec urity Device Manag er (S DM) M onitor m ode le ts y ou view a current snap shot of info rmati on about you r router, the router inte rfaces, t he fire wa ll, and any active VPN conn ections.
Chapter 32 Viewing Router Informa tion Overvi ew 32-2 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Overview The Moni tor mode Overview screen di splays an ov erv iew of your router activity and stati stics, and serves as a su mmar y of the i nformat ion conta ined on t he other Monitor mode screens.
32-3 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation Overvi ew Resource S tatus Shows basic informat ion about your route r hardware an d contai ns the following fie ld s: CPU Usage Sho ws the percen tage o f CPU us age.
Chapter 32 Viewing Router Informa tion Overvi ew 32-4 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Bandwi dth Usa ge The perce nt of i nter fa ce bandw idth bein g use d. Description A vailabl e descript ion for the i nterface.
32-5 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation Overvi ew No. of DMVPN Clients If the route r is c onfigured a s a DMVPN hub, t he num ber o f DMV PN cl ients.
Chapter 32 Viewing Router Informa tion Interface St atus 32-6 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Informational The numbe r of log ent ries stored that have a se verity level of 6 or higher . Th ese inform ation messages si gnal normal network events.
32-7 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation Interface Status • Bandwidth Usa ge — The perc ent of b andwidth u sed b y the in terfa ce, sho wn as a perce ntage value.
Chapter 32 Viewing Router Informa tion VPN Status 32-8 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 • Real-time data ev ery 10 sec. This option will continue polling the router for a maxi mum of two hours, re sultin g in appro ximat ely 12 0 data poi nts.
32-9 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation VPN Stat us • IPSec Tunnels • DMVPN T unnels • Easy V PN Se rvers • IKE S As Test Tunnel.. Button Click to test a se lected VPN t unnel.
Chapter 32 Viewing Router Informa tion VPN Status 32-10 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 The num ber of erro rs that have occurre d while send ing packet s. • Rece ive Error Packets c olum n The num ber of erro rs that have occurre d while receiving packets.
32-11 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation VPN Stat us Resets stat istics co unters fo r the tunnel listed, se .
Chapter 32 Viewing Router Informa tion VPN Status 32-12 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 • Public I P addr ess • Assigned IP addre ss • Encry.
32-13 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation Firewall Status – MM_K EY_EXCH — The peer s ha ve e xchang ed Dif f ie-Hell man public keys and h ave generat ed a shar ed s ecret .
Chapter 32 Viewing Router Informa tion Firewa ll St atu s 32-14 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Number of At tempts Deni ed by Fir ewall Sho ws the n umber of co nnection a ttempts rejecte d b y the f irewa ll.
32-15 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation NAC St atus * Jun 27 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn text-chat service session initiator 14.1.0.1:1973 sends 142 bytes to responder 207.
Chapter 32 Viewing Router Informa tion NAC Status 32-16 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Clicking on an in terfa ce entry displa ys the inform ation returned by posture ag ents installed on th e hosts in the subnet for th at interfa ce.
32-17 Cisco Ro uter and Securit y Device Ma nager Vers ion 2.2 User ’ s Gu ide OL-4015-08 Chapter 32 Viewi ng Router Inform ation Logg in g Logging The route r contain s a log of e vents cate g orized by se verity lev el, like a UNIX syslog service.
Chapter 32 Viewing Router Informa tion Loggin g 32-18 Cisco Rout er and Secu rity Device Manage r Versi on 2.2 User ’ s Guid e OL-4015-08 Sho ws the se verity of the loggi ng ev ent. Se verity is sho wn as a numb er from 1 throu gh 7, with l ower numbe rs indi cating more severe ev ents.
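The Logging and Firewall Status screens above describe router log entries by severity (1 through 7, lower being more severe, with level 6 and above counted as informational) and quote one entry in the Cisco IOS %FACILITY-SEVERITY-MNEMONIC form (the APPFW line). The following Python is an added example, not code from the Cisco guide: it parses that message form and buckets log lines the way the Monitor screen counts them. The sample lines, their addresses (RFC 5737 documentation ranges) and the function names are constructed for the example and are not taken from the page.

```python
import re
from collections import Counter

# Cisco IOS log message form: optional timestamp, then "%FACILITY-SEVERITY-MNEMONIC: text".
# A leading "*" on the timestamp means the router clock is not authoritative (no NTP sync).
LOG_RE = re.compile(
    r"^\s*(?:(?P<ts>\*?\w{3}\s+\d{1,2}\s+[\d:.]+):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Syslog severity names, 0 (most severe) to 7 (least severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# SDM counts entries with severity 6 or higher as informational (see the page above).
INFORMATIONAL_THRESHOLD = 6

# Constructed sample log lines (not from the guide); the first is modelled on the
# APPFW entry quoted on the page but uses documentation addresses.
SAMPLE_LINES = [
    "*Jun 27 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn text-chat service session "
    "initiator 192.0.2.10:1973 sends 142 bytes to responder 198.51.100.5:1863",
    "Jun 27 11:42:05.100: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(4321) -> 198.51.100.5(23), 1 packet",
    "Jun 27 11:43:10.002: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "Jun 27 11:43:12.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.20)",
    "this line is not an IOS log message",
]


def parse_log_line(line):
    """Return a dict of fields for one IOS log line, or None if it does not match the form."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    return rec


def severity_buckets(lines):
    """Count lines the way the Monitor screen does: informational (>= 6) versus the rest."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            counts["unparsed"] += 1
        elif rec["severity"] >= INFORMATIONAL_THRESHOLD:
            counts["informational"] += 1
        else:
            counts["warnings_and_errors"] += 1
    return dict(counts)


def select_severe(lines, max_level):
    """Return (severity, facility, mnemonic) for entries at or below max_level, i.e. at least that severe."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and rec["severity"] <= max_level:
            out.append((rec["severity"], rec["facility"], rec["mnemonic"]))
    return out


if __name__ == "__main__":
    print(severity_buckets(SAMPLE_LINES))
    print(select_severe(SAMPLE_LINES, 3))
```

Running the block on the constructed lines reports two informational entries, two at warning level or more severe, one unparsed line, and flags only the %LINK-3-UPDOWN entry when asked for severity 3 or worse.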
Chapter 33 File Menu Commands: The following options are available from the Cisco Router and Security Device Manager (SDM) File menu. Save Running Config to PC: Saves the router’s running configuration file to a text file on the PC.
Cancel: Click this button to discard the configuration change and close the SDM Deliver to Router dialog box.
File Management: You can choose a file or directory in the list on the right side of the window and then choose one of the commands above the list.
Paste Button: After you click the Copy button to copy a file, click the Paste button to place the copy of the file in a different directory.
New Folder: This window allows you to name and create a new folder in the directory system on your Cisco router flash memory and on USB flash devices connected to that router.
Note: If the router does lose power after the erase flash operation, you can use the procedure at the following link to recover: http://www.
Unable to perform ‘squeeze flash’: Step 6 Enter the command erase flash:, and confirm. The router's IOS image, configuration file, the SDM.
Chapter 34 Edit Menu Commands: The following options are available from the Cisco Router and Security Device Manager (SDM) Edit menu.
Preferences: Continue monitoring interface status when switching mode/task. This is SDM default behavior. SDM begins monitoring interface status when you click Monitor and select Interface status.
Chapter 35 View Menu Commands: The following options are available from the Cisco Router and Security Device Manager (SDM) View menu.
Running Config: Displays the router’s running configuration. Show Commands: Displays the Show Commands dialog box, which lets you issue Cisco IOS show commands to the router and view the output.
Access Rules: Shows all of the default Access Control List (ACL) rules that permit or deny traffic to the network.
Chapter 36 Tools Menu Commands: The following options are available from the Cisco Router and Security Device Manager (SDM) Tools menu. Ping: Displays the Ping dialog box, which lets you send a ping message to another network device.
USB Token PIN Settings: The USB Token PIN Settings dialog box allows you to set PINs for USB tokens connected to your router.
Save the New PIN to Router: Check the Save the new PIN to rout.
If there is more than one SDM .zip file, obtain the copy with the highest version number. Step 2 Use the update wizard to copy the SDM files from your PC to the router.
Update SDM from CD: If you have the SDM CD, you can use it to update SDM on your router. To do so, follow these steps: Step 1 Place the SDM CD in the CD drive on your PC.
Chapter 37 Help Menu Commands: The following options are available from the Cisco Router and Security Device Manager (SDM) Help menu. Help Topics: Displays the SDM online help.
GLOSSARY. Symbols and Numerics. 3DES: Triple DES. An encryption algorithm that uses three 56-bit DES encryption keys (effectively 168 bits) in quick succession.
address translation: The translation of a network address and/or port to another network address and/or port. See also IP address, NAT, PAT, Static PAT.
asymmetric encryption: Also called public key systems, this approach allows anyone to obtain access to anyone else's public key and therefore send an encrypted message to that person using the public key.
CA certificate: A digital certificate granted to one certification authority (CA) by another certification authority.
CHAP: Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access.
cookie: A cookie is a web browser feature which stores or retrieves information, such as a user's preferences, to persistent storage.
DES: Data Encryption Standard. Standard cryptographic algorithm developed and standardized by the U.S. National Institute of Standards and Technology (NIST).
DMVPN: Dynamic multipoint virtual private network. A virtual private network in which routers are arranged in a logical hub and spoke topology, and in which the spokes have point-to-point GRE over IPSec connections with the hub.
E. EAPoUDP: Extensible Authentication Protocol over User Datagram Protocol. Sometimes shortened to EOU. The protocol used by a client and a NAD to perform posture validation.
ESP: Encapsulating Security Payload. An IPSec protocol that provides both data integrity and confidentiality.
extended rules: A type of Access rule. Extended rules can examine a greater variety of packet fields to determine a match.
G. global IKE policy: An IKE policy that is global to a device, rather than affecting only a single interface on that device. GRE: generic routing encapsulation.
headend: The upstream, transmit end of a tunnel. HMAC: Hash-based Message Authentication Code. HMAC is a mechanism for message authentication using cryptographic hash functions.
IDS Sensor: An IDS sensor is hardware on which the Cisco IDS runs. IDS sensors can be stand-alone devices, or network modules installed on routers.
interface: The physical connection between a particular network and the router. The router’s LAN interface connects to the local network that the router serves.
IPSec: A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers.
key pair: See public key encryption. key recovery: A trusted method by which encrypted information can be decrypted if the decryption key is lost or destroyed.
logical interface: An interface that has been created solely by configuration, and that is not a physical interface on the router. Dialer interfaces and tunnel interfaces are examples of logical interfaces.
MD5: Message Digest 5. A one-way hashing function that produces a 128-bit hash. Both MD5 and Secure Hashing Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm.
NAD: Network Access Device. In a NAC implementation, the device that receives a host’s request to log on to the network.
NHRP: Next Hop Resolution Protocol. A client and server protocol used in DMVPN networks, in which the hub router is the server and the spokes are the clients.
P. PAD: packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network.
physical interface: A router interface supported by a network module that is installed in the router chassis, or that is part of the router’s basic hardware.
PPTP: Point-to-Point Tunneling Protocol. Creates client-initiated tunnels by encapsulating packets into IP datagrams for transmission over TCP/IP-based networks.
public key encryption: In public key encryption systems, every user has both a public key and a private key. Each private key is maintained by a single user and shared with no one.
remote subnet: Subnetworks are IP networks arbitrarily segmented by a network administrator (b.
route map: Route maps enable you to control information that is added to the routing table.
S. SA: security association. A set of security parameters agreed upon by two peers to protect a specific session in a particular tunnel. Both IKE and IPSec use SAs, although SAs are independent of one another.
SHA-1: Secure Hashing Algorithm 1. Algorithm that takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks.
spoofing, spoof: The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms such as filters and access lists.
subnet, subnetwork: In IP networks, a network sharing a particular subnet address.
traffic flow confidentiality or traffic analysis: Security concept that prevents the unauthorized disclosure of communication parameters.
VFR: Virtual Fragment Reassembly. VFR enables IOS Firewall to dynamically create ACLs to block IP fragments. IP fragments often do not contain enough information for static ACLs to be able to filter them.
VPN mirror policy: A VPN policy on a remote system that contains values that are compatible with a local policy and that enable the remote system to establish a VPN connection to the local system.
X. X.509: A digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature.
INDEX. Symbols: $ETH-LAN$ 1; $ETH-WAN$ 4. Numerics: 3DES 41. A: About SDM, SDM version 1; access rule in NAT trans.
CEF, enabling 12; Challenge Handshake Authentication Protocol, see CHAP; CHAP 9; Client Mode 7.
IPSec group key 79; IPSec group name 79; manual tunnel control 81, 101; Network Extension Mode 79; Netw.
GRE over IPSec tunnel 48; GRE tunnel 48; pre-shared key 50; split tunnelling 54. H: HDLC 15; Help menu 1.
statistics 9; tunnel status 9; viewing activity 8; IPSec Rules window 3; IP source routing, disablin.
translation timeouts 9, 12; UDP flow timeouts 13; Wizard 1; NAT Rules window 3; NetFlow, enabling 17; nex.
distance metric 4; EIGRP route 7; OSPF route 5; passive interface 5, 6, 7; permanent route 4; RIP r.
T: TCP keep-alive message, enabling 11; TCP small servers, disabling 7; TCP synwait time 13; Telnet use.
permitting traffic through a firewall to 17; vty lines, configuring an access class 23. W: WAN conne.