
Cisco Router and Security Device Manager User's Guide 2.5

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Customer Order Number:
Text Part Number: OL-4015-12

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Router and Security Device Manager 2.5 User's Guide
© 2007 Cisco Systems, Inc. All rights reserved.

CONTENTS

Home Page 1
    Creating a New Connection 1
    Creating a New Connection 1
    New Connection Reference 2
    Create Connection 2
    Additional Procedures 3
    How Do I Configure a Static Route? 4
    How Do I View Activity on My LAN Interface? 4
    How Do I Enable or Disable an Interface? 5
    How Do I View the IOS Commands I Am Sending to the Router? 5
    How Do I Launch the Wireless Application from Cisco SDM? 6
    How Do I Configure an Unsupported WAN Interface? 6
    How Do I Enable or Disable an Interface? 7
    How Do I View Activity on My WAN Interface? 7
    How Do I Configure NAT on a WAN Interface? 8
    How Do I Configure NAT on an Unsupported Interface? 9
    How Do I Configure a Dynamic Routing Protocol? 9
    How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface? 10
    How Do I Edit a Radio Interface Configuration? 11

LAN Wizard 1
    Ethernet Configuration 2
    LAN Wizard: Select an Interface 2
    LAN Wizard: IP Address and Subnet Mask 3

Cisco Router and Security Device Manager 2.5 User's Guide OL-4015-12 iii

    LAN Wizard: Enable DHCP Server 3
    LAN Wizard: DHCP Address Pool 4
    DHCP Options 4
    LAN Wizard: VLAN Mode 5
    LAN Wizard: Switch Port 6
    IRB Bridge 7
    BVI Configuration 8
    DHCP Pool for BVI 8
    IRB for Ethernet 9
    Layer 3 Ethernet Configuration 9
    802.1Q Configuration 10
    Trunking or Routing Configuration 10
    Configure Switch Device Module 10
    Configure Gigabit Ethernet Interface 11
    Summary 11

802.1x Authentication 1
    LAN Wizard: 802.1x Authentication (Switch Ports) 1
    Advanced Options 2
    LAN Wizard: RADIUS Servers for 802.1x Authentication 4
    Edit 802.1x Authentication (Switch Ports) 6
    LAN Wizard: 802.1x Authentication (VLAN or Ethernet) 7
    802.1x Exception List 8
    802.1x Authentication on Layer 3 Interfaces 9
    Edit 802.1x Authentication 10
    How Do I... 11
    How Do I Configure 802.1x Authentication on More Than One Ethernet Port? 11

Configuring WAN Connections 1
    Configuring an Ethernet WAN Connection 1
    Ethernet WAN Connection Reference 2
    WAN Wizard Interface Welcome Window 2
    Select Interface 3
    IP Address: Ethernet without PPPoE 3
    Encapsulation: PPPoE 4
    Summary 5
    Advanced Options 5
    Configuring a Serial Connection 6
    Serial Connection Reference 7
    IP Address: Serial with Point-to-Point Protocol 7
    IP Address: Serial with HDLC or Frame Relay 8
    Authentication 9
    Configure LMI and DLCI 10
    Configure Clock Settings 11
    Configuring a DSL Connection 13
    DSL Connection Reference 14
    IP Address: ATM or Ethernet with PPPoE/PPPoA 14
    IP Address: ATM with RFC 1483 Routing 15
    Encapsulation Autodetect 16
    PVC 18
    Configuring an ISDN Connection 20
    ISDN Connection Reference 20
    ISDN Wizard Welcome Window 21
    IP Address: ISDN BRI or Analog Modem 21
    Switch Type and SPIDs 22
    Dial String 23
    Configuring an Aux Backup Connection 24
    Aux Backup Connection Reference 24

    Aux Backup Welcome Window 25
    Backup Configuration 25
    Backup Configuration: Primary Interface and Next Hop IP Addresses 26
    Backup Configuration: Hostname or IP Address to Be Tracked 27
    Configuring an Analog Modem Connection 27
    Analog Modem Connection Reference 28
    Analog Modem Welcome 28
    Configuring a Cable Modem Connection 29
    Cable Modem Connection Reference 29
    Cable Modem Connection Wizard Welcome 30
    Select Interface 30
    Summary 30

Edit Interface/Connection 1
    Connection: Ethernet for IRB 5
    Connection: Ethernet for Routing 6
    Existing Dynamic DNS Methods 7
    Add Dynamic DNS Method 7
    Wireless 9
    Association 9
    NAT 11
    Edit Switch Port 12
    Application Service 13
    General 14
    Select Ethernet Configuration Type 16
    Connection: VLAN 17
    Subinterfaces List 17
    Add or Edit BVI Interface 18
    Add or Edit Loopback Interface 18

    Connection: Virtual Template Interface 19
    Connection: Ethernet LAN 19
    Connection: Ethernet WAN 20
    Connection: Ethernet Properties 22
    Connection: Ethernet with No Encapsulation 24
    Connection: ADSL 25
    Connection: ADSL over ISDN 28
    Connection: G.SHDSL 30
    Connection: Cable Modem 34
    Configure DSL Controller 35
    Add a G.SHDSL Connection 37
    Connection: Serial Interface, Frame Relay Encapsulation 40
    Connection: Serial Interface, PPP Encapsulation 43
    Connection: Serial Interface, HDLC Encapsulation 45
    Add or Edit GRE Tunnel 46
    Connection: ISDN BRI 48
    Connection: Analog Modem 51
    Connection: (AUX Backup) 53
    Authentication 55
    SPID Details 56
    Dialer Options 57
    Backup Configuration 59
    Delete Connection 60
    Connectivity Testing and Troubleshooting 62

Wide Area Application Services 1
    Configuring a WAAS Connection 2
    WAAS Reference 3

    NM WAAS 4
    Integrated Service Engine 6
    WCCP 7
    Central Manager Registration 8

Create Firewall 1
    Basic Firewall Configuration Wizard 4
    Basic Firewall Interface Configuration 4
    Configuring Firewall for Remote Access 5
    Advanced Firewall Configuration Wizard 5
    Advanced Firewall Interface Configuration 5
    Advanced Firewall DMZ Service Configuration 6
    DMZ Service Configuration 7
    Application Security Configuration 8
    Domain Name Server Configuration 9
    URL Filter Server Configuration 9
    Select Interface Zone 9
    ZPF Inside Zones 10
    Voice Configuration 10
    Summary 11
    SDM Warning: SDM Access 13
    How Do I... 15
    How Do I View Activity on My Firewall? 15
    How Do I Configure a Firewall on an Unsupported Interface? 17
    How Do I Configure a Firewall After I Have Configured a VPN? 17
    How Do I Permit Specific Traffic Through a DMZ Interface? 18
    How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? 19
    How Do I Configure NAT on an Unsupported Interface? 19
    How Do I Configure NAT Passthrough for a Firewall? 20

    How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? 20
    How Do I Associate a Rule with an Interface? 22
    How Do I Disassociate an Access Rule from an Interface? 22
    How Do I Delete a Rule That Is Associated with an Interface? 23
    How Do I Create an Access Rule for a Java List? 23
    How Do I Permit Specific Traffic onto My Network if I Don't Have a DMZ Network? 24

Firewall Policy 1
    Edit Firewall Policy/ACL 1
    Choose a Traffic Flow 3
    Examine the Traffic Diagram and Choose a Traffic Direction 4
    Make Changes to Access Rules 6
    Make Changes to Inspection Rules 10
    Add App-Name Application Entry 12
    Add rpc Application Entry 12
    Add Fragment Application Entry 13
    Add or Edit http Application Entry 14
    Java Applet Blocking 15
    Cisco SDM Warning: Inspection Rule 16
    Cisco SDM Warning: Firewall 17
    Edit Firewall Policy 17
    Add a New Rule 21
    Add Traffic 22
    Application Inspection 23
    URL Filter 24
    Quality of Service 24
    Inspect Parameter 24
    Select Traffic 24
    Delete Rule 25

Application Security 1
    Application Security Windows 1
    No Application Security Policy 3
    E-mail 4
    Instant Messaging 5
    Peer-to-Peer Applications 6
    URL Filtering 7
    HTTP 8
    Header Options 9
    Content Options 10
    Applications/Protocols 12
    Timeouts and Thresholds for Inspect Parameter Maps and CBAC 13
    Associate Policy with an Interface 16
    Edit Inspection Rule 16
    Permit, Block, and Alarm Controls 17

Site-to-Site VPN 1
    VPN Design Guide 1
    Create Site to Site VPN 1
    Site-to-Site VPN Wizard 4
    View Defaults 5
    VPN Connection Information 6
    IKE Proposals 8
    Transform Set 11
    Traffic to Protect 13
    Summary of the Configuration 14
    Spoke Configuration 15
    Secure GRE Tunnel (GRE-over-IPSec) 16
    GRE Tunnel Information 16

    VPN Authentication Information 17
    Backup GRE Tunnel Information 18
    Routing Information 19
    Static Routing Information 20
    Select Routing Protocol 22
    Summary of Configuration 23
    Edit Site-to-Site VPN 23
    Add new connection 26
    Add Additional Crypto Maps 26
    Crypto Map Wizard: Welcome 27
    Crypto Map Wizard: Summary of the configuration 28
    Delete Connection 28
    Ping 29
    Generate Mirror... 29
    Cisco SDM Warning: NAT Rules with ACL 30
    How Do I... 31
    How Do I Create a VPN to More Than One Site? 31
    After Configuring a VPN, How Do I Configure the VPN on the Peer Router? 33
    How Do I Edit an Existing VPN Tunnel? 34
    How Do I Confirm That My VPN Is Working? 35
    How Do I Configure a Backup Peer for My VPN? 36
    How Do I Accommodate Multiple Devices with Different Levels of VPN Support? 36
    How Do I Configure a VPN on an Unsupported Interface? 37
    How Do I Configure a VPN After I Have Configured a Firewall? 38
    How Do I Configure NAT Passthrough for a VPN? 38

Easy VPN Remote 1
    Creating an Easy VPN Remote Connection 2
    Create Easy VPN Remote Reference 3

    Create Easy VPN Remote 4
    Configure an Easy VPN Remote Client 5
    Easy VPN Remote Wizard: Network Information 5
    Easy VPN Remote Wizard: Identical Address Configuration 6
    Easy VPN Remote Wizard: Interfaces and Connection Settings 7
    Easy VPN Remote Wizard: Server Information 9
    Easy VPN Remote Wizard: Authentication 11
    Easy VPN Remote Wizard: Summary of Configuration 13
    Administering Easy VPN Remote Connections 14
    Editing an Existing Easy VPN Remote Connection 15
    Creating a New Easy VPN Remote Connection 15
    Deleting an Easy VPN Remote Connection 16
    Resetting an Established Easy VPN Remote Connection 16
    Connecting to an Easy VPN Server 17
    Connecting other Subnets to the VPN Tunnel 17
    Administering Easy VPN Remote Reference 18
    Edit Easy VPN Remote 18
    Add or Edit Easy VPN Remote 23
    Add or Edit Easy VPN Remote: General Settings 25
    Network Extension Options 28
    Add or Edit Easy VPN Remote: Easy VPN Settings 28
    Add or Edit Easy VPN Remote: Authentication Information 30
    Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication 33
    Add or Edit Easy VPN Remote: Interfaces and Connections 35
    Add or Edit Easy VPN Remote: Identical Addressing 37
    Easy VPN Remote: Add a Device 39
    Enter SSH Credentials 39
    XAuth Login Window 40
    Other Procedures 40

    How Do I Edit an Existing Easy VPN Connection? 40
    How Do I Configure a Backup for an Easy VPN Connection? 41

Easy VPN Server 1
    Creating an Easy VPN Server Connection 1
    Create an Easy VPN Server Reference 3
    Create an Easy VPN Server 4
    Welcome to the Easy VPN Server Wizard 4
    Interface and Authentication 4
    Group Authorization and Group Policy Lookup 5
    User Authentication (XAuth) 6
    User Accounts for XAuth 7
    Add RADIUS Server 8
    Group Authorization: User Group Policies 9
    General Group Information 10
    DNS and WINS Configuration 11
    Split Tunneling 11
    Client Settings 12
    Choose Browser Proxy Settings 15
    Add or Edit Browser Proxy Settings 16
    User Authentication (XAuth) 17
    Client Update 18
    Add or Edit Client Update Entry 19
    Cisco Tunneling Control Protocol 20
    Summary 21
    Browser Proxy Settings 21
    Editing Easy VPN Server Connections 23
    Edit Easy VPN Server Reference 23
    Edit Easy VPN Server 24
    Add or Edit Easy VPN Server Connection 25

    Restrict Access 26
    Group Policies Configuration 26
    IP Pools 29
    Add or Edit IP Local Pool 29
    Add IP Address Range 30

Enhanced Easy VPN 1
    Interface and Authentication 1
    RADIUS Servers 2
    Group Authorization and Group User Policies 4
    Add or Edit Easy VPN Server: General Tab 5
    Add or Edit Easy VPN Server: IKE Tab 6
    Add or Edit Easy VPN Server: IPSec Tab 8
    Create Virtual Tunnel Interface 10

DMVPN 1
    Dynamic Multipoint VPN 1
    Dynamic Multipoint VPN (DMVPN) Hub Wizard 2
    Type of Hub 3
    Configure Pre-Shared Key 3
    Hub GRE Tunnel Interface Configuration 4
    Advanced Configuration for the Tunnel Interface 5
    Primary Hub 6
    Select Routing Protocol 7
    Routing Information 7
    Dynamic Multipoint VPN (DMVPN) Spoke Wizard 9
    DMVPN Network Topology 9
    Specify Hub Information 10
    Spoke GRE Tunnel Interface Configuration 10
    Cisco SDM Warning: DMVPN Dependency 11
    Edit Dynamic Multipoint V