Cisco 2.5, Router and Security Device Manager 2.5, ROUTER-SDM-CD User manual

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco Router and Security Device Manager User's Guide 2.5
Customer Order Number:
Text Part Number: OL-4015-12
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
Cisco Router and Security Device Manager 2.5 User’s Guide
© 2007 Cisco Systems, Inc. All rights reserved.
iii
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
CONTENTS
Home Page 1
Creating a New Connection 1
Creating a New Connection 1
New Connection Reference 2
Create Connection 2
Additional Procedures 3
How Do I Configure a Static Route? 4
How Do I View Activity on My LAN Interface? 4
How Do I Enable or Disable an Interface? 5
How Do I View the IOS Commands I Am Sending to the Router? 5
How Do I Launch the Wireless Application from Cisco SDM? 6
How Do I Configure an Unsupported WAN Interface? 6
How Do I Enable or Disable an Interface? 7
How Do I View Activity on My WAN Interface? 7
How Do I Configure NAT on a WAN Interface? 8
How Do I Configure NAT on an Unsupported Interface? 9
How Do I Configure a Dynamic Routing Protocol? 9
How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface? 10
How Do I Edit a Radio Interface Configuration? 11
LAN Wizard 1
Ethernet Configuration 2
LAN Wizard: Select an Interface 2
LAN Wizard: IP Address and Subnet Mask 3
LAN Wizard: Enable DHCP Server 3
LAN Wizard: DHCP Address Pool 4
DHCP Options 4
LAN Wizard: VLAN Mode 5
LAN Wizard: Switch Port 6
IRB Bridge 7
BVI Configuration 8
DHCP Pool for BVI 8
IRB for Ethernet 9
Layer 3 Ethernet Configuration 9
802.1Q Configuration 10
Trunking or Routing Configuration 10
Configure Switch Device Module 10
Configure Gigabit Ethernet Interface 11
Summary 11
802.1x Authentication 1
LAN Wizard: 802.1x Authentication (Switch Ports) 1
Advanced Options 2
LAN Wizard: RADIUS Servers for 802.1x Authentication 4
Edit 802.1x Authentication (Switch Ports) 6
LAN Wizard: 802.1x Authentication (VLAN or Ethernet) 7
802.1x Exception List 8
802.1x Authentication on Layer 3 Interfaces 9
Edit 802.1x Authentication 10
How Do I ... 11
How Do I Configure 802.1x Authentication on More Than One Ethernet Port? 11
Configuring WAN Connections 1
Configuring an Ethernet WAN Connection 1
Ethernet WAN Connection Reference 2
WAN Wizard Interface Welcome Window 2
Select Interface 3
IP Address: Ethernet without PPPoE 3
Encapsulation: PPPoE 4
Summary 5
Advanced Options 5
Configuring a Serial Connection 6
Serial Connection Reference 7
IP Address: Serial with Point-to-Point Protocol 7
IP Address: Serial with HDLC or Frame Relay 8
Authentication 9
Configure LMI and DLCI 10
Configure Clock Settings 11
Configuring a DSL Connection 13
DSL Connection Reference 14
IP Address: ATM or Ethernet with PPPoE/PPPoA 14
IP Address: ATM with RFC 1483 Routing 15
Encapsulation Autodetect 16
PVC 18
Configuring an ISDN Connection 20
ISDN Connection Reference 20
ISDN Wizard Welcome Window 21
IP Address: ISDN BRI or Analog Modem 21
Switch Type and SPIDs 22
Dial String 23
Configuring an Aux Backup Connection 24
Aux Backup Connection Reference 24
Aux Backup Welcome Window 25
Backup Configuration 25
Backup Configuration: Primary Interface and Next Hop IP Addresses 26
Backup Configuration: Hostname or IP Address to Be Tracked 27
Configuring an Analog Modem Connection 27
Analog Modem Connection Reference 28
Analog Modem Welcome 28
Configuring a Cable Modem Connection 29
Cable Modem Connection Reference 29
Cable Modem Connection Wizard Welcome 30
Select Interface 30
Summary 30
Edit Interface/Connection 1
Connection: Ethernet for IRB 5
Connection: Ethernet for Routing 6
Existing Dynamic DNS Methods 7
Add Dynamic DNS Method 7
Wireless 9
Association 9
NAT 11
Edit Switch Port 12
Application Service 13
General 14
Select Ethernet Configuration Type 16
Connection: VLAN 17
Subinterfaces List 17
Add or Edit BVI Interface 18
Add or Edit Loopback Interface 18
Connection: Virtual Template Interface 19
Connection: Ethernet LAN 19
Connection: Ethernet WAN 20
Connection: Ethernet Properties 22
Connection: Ethernet with No Encapsulation 24
Connection: ADSL 25
Connection: ADSL over ISDN 28
Connection: G.SHDSL 30
Connection: Cable Modem 34
Configure DSL Controller 35
Add a G.SHDSL Connection 37
Connection: Serial Interface, Frame Relay Encapsulation 40
Connection: Serial Interface, PPP Encapsulation 43
Connection: Serial Interface, HDLC Encapsulation 45
Add or Edit GRE Tunnel 46
Connection: ISDN BRI 48
Connection: Analog Modem 51
Connection: (AUX Backup) 53
Authentication 55
SPID Details 56
Dialer Options 57
Backup Configuration 59
Delete Connection 60
Connectivity Testing and Troubleshooting 62
Wide Area Application Services 1
Configuring a WAAS Connection 2
WAAS Reference 3
NM WAAS 4
Integrated Service Engine 6
WCCP 7
Central Manager Registration 8
Create Firewall 1
Basic Firewall Configuration Wizard 4
Basic Firewall Interface Configuration 4
Configuring Firewall for Remote Access 5
Advanced Firewall Configuration Wizard 5
Advanced Firewall Interface Configuration 5
Advanced Firewall DMZ Service Configuration 6
DMZ Service Configuration 7
Application Security Configuration 8
Domain Name Server Configuration 9
URL Filter Server Configuration 9
Select Interface Zone 9
ZPF Inside Zones 10
Voice Configuration 10
Summary 11
SDM Warning: SDM Access 13
How Do I... 15
How Do I View Activity on My Firewall? 15
How Do I Configure a Firewall on an Unsupported Interface? 17
How Do I Configure a Firewall After I Have Configured a VPN? 17
How Do I Permit Specific Traffic Through a DMZ Interface? 18
How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? 19
How Do I Configure NAT on an Unsupported Interface? 19
How Do I Configure NAT Passthrough for a Firewall? 20
How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? 20
How Do I Associate a Rule with an Interface? 22
How Do I Disassociate an Access Rule from an Interface? 22
How Do I Delete a Rule That Is Associated with an Interface? 23
How Do I Create an Access Rule for a Java List? 23
How Do I Permit Specific Traffic onto My Network if I Don't Have a DMZ Network? 24
Firewall Policy 1
Edit Firewall Policy/ACL 1
Choose a Traffic Flow 3
Examine the Traffic Diagram and Choose a Traffic Direction 4
Make Changes to Access Rules 6
Make Changes to Inspection Rules 10
Add App-Name Application Entry 12
Add rpc Application Entry 12
Add Fragment application entry 13
Add or Edit http Application Entry 14
Java Applet Blocking 15
Cisco SDM Warning: Inspection Rule 16
Cisco SDM Warning: Firewall 17
Edit Firewall Policy 17
Add a New Rule 21
Add Traffic 22
Application Inspection 23
URL Filter 24
Quality of Service 24
Inspect Parameter 24
Select Traffic 24
Delete Rule 25
Application Security 1
Application Security Windows 1
No Application Security Policy 3
E-mail 4
Instant Messaging 5
Peer-to-Peer Applications 6
URL Filtering 7
HTTP 8
Header Options 9
Content Options 10
Applications/Protocols 12
Timeouts and Thresholds for Inspect Parameter Maps and CBAC 13
Associate Policy with an Interface 16
Edit Inspection Rule 16
Permit, Block, and Alarm Controls 17
Site-to-Site VPN 1
VPN Design Guide 1
Create Site to Site VPN 1
Site-to-Site VPN Wizard 4
View Defaults 5
VPN Connection Information 6
IKE Proposals 8
Transform Set 11
Traffic to Protect 13
Summary of the Configuration 14
Spoke Configuration 15
Secure GRE Tunnel (GRE-over-IPSec) 16
GRE Tunnel Information 16
VPN Authentication Information 17
Backup GRE Tunnel Information 18
Routing Information 19
Static Routing Information 20
Select Routing Protocol 22
Summary of Configuration 23
Edit Site-to-Site VPN 23
Add new connection 26
Add Additional Crypto Maps 26
Crypto Map Wizard: Welcome 27
Crypto Map Wizard: Summary of the configuration 28
Delete Connection 28
Ping 29
Generate Mirror... 29
Cisco SDM Warning: NAT Rules with ACL 30
How Do I... 31
How Do I Create a VPN to More Than One Site? 31
After Configuring a VPN, How Do I Configure the VPN on the Peer Router? 33
How Do I Edit an Existing VPN Tunnel? 34
How Do I Confirm That My VPN Is Working? 35
How Do I Configure a Backup Peer for My VPN? 36
How Do I Accommodate Multiple Devices with Different Levels of VPN Support? 36
How Do I Configure a VPN on an Unsupported Interface? 37
How Do I Configure a VPN After I Have Configured a Firewall? 38
How Do I Configure NAT Passthrough for a VPN? 38
Easy VPN Remote 1
Creating an Easy VPN Remote Connection 2
Create Easy VPN Remote Reference 3
Create Easy VPN Remote 4
Configure an Easy VPN Remote Client 5
Easy VPN Remote Wizard: Network Information 5
Easy VPN Remote Wizard: Identical Address Configuration 6
Easy VPN Remote Wizard: Interfaces and Connection Settings 7
Easy VPN Remote Wizard: Server Information 9
Easy VPN Remote Wizard: Authentication 11
Easy VPN Remote Wizard: Summary of Configuration 13
Administering Easy VPN Remote Connections 14
Editing an Existing Easy VPN Remote Connection 15
Creating a New Easy VPN Remote Connection 15
Deleting an Easy VPN Remote Connection 16
Resetting an Established Easy VPN Remote Connection 16
Connecting to an Easy VPN Server 17
Connecting other Subnets to the VPN Tunnel 17
Administering Easy VPN Remote Reference 18
Edit Easy VPN Remote 18
Add or Edit Easy VPN Remote 23
Add or Edit Easy VPN Remote: General Settings 25
Network Extension Options 28
Add or Edit Easy VPN Remote: Easy VPN Settings 28
Add or Edit Easy VPN Remote: Authentication Information 30
Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication 33
Add or Edit Easy VPN Remote: Interfaces and Connections 35
Add or Edit Easy VPN Remote: Identical Addressing 37
Easy VPN Remote: Add a Device 39
Enter SSH Credentials 39
XAuth Login Window 40
Other Procedures 40
How Do I Edit an Existing Easy VPN Connection? 40
How Do I Configure a Backup for an Easy VPN Connection? 41
Easy VPN Server 1
Creating an Easy VPN Server Connection 1
Create an Easy VPN Server Reference 3
Create an Easy VPN Server 4
Welcome to the Easy VPN Server Wizard 4
Interface and Authentication 4
Group Authorization and Group Policy Lookup 5
User Authentication (XAuth) 6
User Accounts for XAuth 7
Add RADIUS Server 8
Group Authorization: User Group Policies 9
General Group Information 10
DNS and WINS Configuration 11
Split Tunneling 11
Client Settings 12
Choose Browser Proxy Settings 15
Add or Edit Browser Proxy Settings 16
User Authentication (XAuth) 17
Client Update 18
Add or Edit Client Update Entry 19
Cisco Tunneling Control Protocol 20
Summary 21
Browser Proxy Settings 21
Editing Easy VPN Server Connections 23
Edit Easy VPN Server Reference 23
Edit Easy VPN Server 24
Add or Edit Easy VPN Server Connection 25
Restrict Access 26
Group Policies Configuration 26
IP Pools 29
Add or Edit IP Local Pool 29
Add IP Address Range 30
Enhanced Easy VPN 1
Interface and Authentication 1
RADIUS Servers 2
Group Authorization and Group User Policies 4
Add or Edit Easy VPN Server: General Tab 5
Add or Edit Easy VPN Server: IKE Tab 6
Add or Edit Easy VPN Server: IPSec Tab 8
Create Virtual Tunnel Interface 10
DMVPN 1
Dynamic Multipoint VPN 1
Dynamic Multipoint VPN (DMVPN) Hub Wizard 2
Type of Hub 3
Configure Pre-Shared Key 3
Hub GRE Tunnel Interface Configuration 4
Advanced Configuration for the Tunnel Interface 5
Primary Hub 6
Select Routing Protocol 7
Routing Information 7
Dynamic Multipoint VPN (DMVPN) Spoke Wizard 9
DMVPN Network Topology 9
Specify Hub Information 10
Spoke GRE Tunnel Interface Configuration 10
Cisco SDM Warning: DMVPN Dependency 11
Edit Dynamic Multipoint VPN (DMVPN) 12
General Panel 14
NHRP Panel 15
NHRP Map Configuration 16
Routing Panel 17
How Do I Configure a DMVPN Manually? 19
VPN Global Settings 1
VPN Global Settings 1
VPN Global Settings: IKE 3
VPN Global Settings: IPSec 4
VPN Global Settings: Easy VPN Server 5
VPN Key Encryption Settings 6
IP Security 1
IPSec Policies 1
Add or Edit IPSec Policy 3
Add or Edit Crypto Map: General 5
Add or Edit Crypto Map: Peer Information 6
Add or Edit Crypto Map: Transform Sets 7
Add or Edit Crypto Map: Protecting Traffic 9
Dynamic Crypto Map Sets 11
Add or Edit Dynamic Crypto Map Set 11
Associate Crypto Map with this IPSec Policy 12
IPSec Profiles 12
Add or Edit IPSec Profile 13
Add or Edit IPSec Profile and Add Dynamic Crypto Map 14
Transform Set 15
Add or Edit Transform Set 18
IPSec Rules 20
Internet Key Exchange 1
Internet Key Exchange (IKE) 1
IKE Policies 2
Add or Edit IKE Policy 4
IKE Pre-shared Keys 6
Add or Edit Pre Shared Key 7
IKE Profiles 8
Add or Edit an IKE Profile 9
Public Key Infrastructure 1
Certificate Wizards 1
Welcome to the SCEP Wizard 2
Certificate Authority (CA) Information 3
Advanced Options 4
Certificate Subject Name Attributes 4
Other Subject Attributes 6
RSA Keys 7
Summary 8
CA Server Certificate 9
Enrollment Status 9
Cut and Paste Wizard Welcome 9
Enrollment Task 10
Enrollment Request 10
Continue with Unfinished Enrollment 11
Import CA certificate 12
Import Router Certificate(s) 12
Digital Certificates 13
Trustpoint Information 15
Certificate Details 15
Revocation Check 15
Revocation Check, CRL Only 16
RSA Keys Window 16
Generate RSA Key Pair 17
USB Token Credentials 18
USB Tokens 19
Add or Edit USB Token 20
Open Firewall 22
Open Firewall Details 23
Certificate Authority Server 1
Create CA Server 1
Prerequisite Tasks for PKI Configurations 2
CA Server Wizard: Welcome 3
CA Server Wizard: Certificate Authority Information 3
Advanced Options 5
CA Server Wizard: RSA Keys 7
Open Firewall 8
CA Server Wizard: Summary 8
Manage CA Server 9
Backup CA Server 11
Manage CA Server Restore Window 11
Restore CA Server 11
Edit CA Server Settings: General Tab 12
Edit CA Server Settings: Advanced Tab 13
Manage CA Server: CA Server Not Configured 13
Manage Certificates 13
Pending Requests 13
Revoked Certificates 15
Revoke Certificate 16
Cisco IOS SSL VPN 1
Cisco IOS SSL VPN links on Cisco.com 2
Creating an SSL VPN Connection 2
Create an SSL VPN Connection Reference 3
Create SSL VPN 4
Persistent Self-Signed Certificate 6
Welcome 7
SSL VPN Gateways 7
User Authentication 8
Configure Intranet Websites 10
Add or Edit URL 10
Customize SSL VPN Portal 11
SSL VPN Passthrough Configuration 11
User Policy 12
Details of SSL VPN Group Policy: Policyname 12
Select the SSL VPN User Group 13
Select Advanced Features 13
Thin Client (Port Forwarding) 13
Add or Edit a Server 14
Full Tunnel 15
Locating the Install Bundle for Cisco SDM 16
Enable Cisco Secure Desktop 18
Common Internet File System 19
Enable Clientless Citrix 19
Summary 20
Editing SSL VPN Connections 20
Editing SSL VPN Connection Reference 21
Edit SSL VPN 22
SSL VPN Context 23
Designate Inside and Outside Interfaces 25
Select a Gateway 25
Context: Group Policies 26
Group Policy: General Tab 26
Group Policy: Clientless Tab 27
Group Policy: Thin Client Tab 29
Group Policy: SSL VPN Client (Full Tunnel) Tab 29
Advanced Tunnel Options 31
DNS and WINS Servers 33
Context: HTML Settings 33
Select Color 35
Context: NetBIOS Name Server Lists 35
Add or Edit a NBNS Server List 35
Add or Edit an NBNS Server 36
Context: Port Forward Lists 36
Add or Edit a Port Forward List 36
Context: URL Lists 36
Add or Edit a URL List 37
Context: Cisco Secure Desktop 37
SSL VPN Gateways 37
Add or Edit a SSL VPN Gateway 38
Packages 39
Install Package 40
Additional Help Topics 40
Cisco IOS SSL VPN Contexts, Gateways, and Policies 40
Learn More about Port Forwarding Servers 46
Learn More About Group Policies 47
Learn More About Split Tunneling 48
How do I verify that my Cisco IOS SSL VPN is working? 49
How do I configure a Cisco IOS SSL VPN after I have configured a firewall? 50
How do I associate a VRF instance with a Cisco IOS SSL VPN context? 50
SSL VPN Enhancements 1
SSL VPN Reference 1
SSL VPN Context: Access Control Lists 1
Add or Edit Application ACL 2
Add ACL Entry 3
Action URL Time Range 4
Add or Edit Action URL Time Range Dialog 5
Add or Edit Absolute Time Range Entry 6
Add or Edit Periodic Time Range Entry 7
VPN Troubleshooting 1
VPN Troubleshooting 1
VPN Troubleshooting: Specify Easy VPN Client 3
VPN Troubleshooting: Generate Traffic 4
VPN Troubleshooting: Generate GRE Traffic 5
Cisco SDM Warning: SDM will enable router debugs... 6
Security Audit 1
Welcome Page 4
Interface Selection Page 4
Report Card Page 5
Fix It Page 5
Disable Finger Service 6
Disable PAD Service 7
Disable TCP Small Servers Service 7
Disable UDP Small Servers Service 8
Disable IP BOOTP Server Service 8
Disable IP Identification Service 9