Chapter 19 Public Key Infrastructure
19-22
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Open Firewall
This screen is displayed when Cisco SDM detects one or more firewalls on interfaces that would block return traffic that the router needs to receive. Two situations in which it might appear are when a firewall would block DNS traffic or PKI traffic, preventing the router from receiving replies from the DNS or CA servers. Cisco SDM can modify these firewalls so that the servers can communicate with the router.

Modify Firewall

This area lists the exit interfaces and ACL names, and allows you to select which firewalls you want Cisco SDM to modify. Select the firewalls that you want Cisco SDM to modify in the Action column. Cisco SDM will modify them to allow SCEP or DNS traffic from the server to the router.
Note the following for SCEP traffic:

• Cisco SDM will not modify the firewall for CRL/OCSP servers if these are not explicitly configured on the router. To permit communication with CRL/OCSP servers, obtain the correct information from the CA server administrator and modify the firewalls using the Edit Firewall Policy/ACL window.

• Cisco SDM assumes that the traffic sent from the CA server to the router will enter through the same interfaces through which traffic from the router to the CA server was sent. If you think that the return traffic from the CA server will enter the router through a different interface than the one Cisco SDM lists, you need to open the firewall using the Edit Firewall Policy/ACL window. This may occur if asymmetric routing is used, whereby traffic from the router to the CA server exits the router through one interface and return traffic enters the router through a different interface.

• Cisco SDM determines the exit interfaces of the router at the moment the passthrough ACE is added. If a dynamic routing protocol is used to learn routes to the CA server and a route changes so that the exit interface for SCEP traffic destined for the CA server changes, you must explicitly add a passthrough ACE for the new exit interface using the Edit Firewall Policy/ACL window.

• Cisco SDM adds passthrough ACEs for SCEP traffic only. It does not add passthrough ACEs for revocation traffic such as CRL traffic and OCSP traffic. You must explicitly add passthrough ACEs for this traffic using the Edit Firewall Policy/ACL window.
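The following Cisco IOS configuration fragment is an added illustration and is not taken from the Cisco SDM guide or generated by Cisco SDM itself. It shows what the inbound ACL on the router's exit interface looks like once a passthrough ACE for SCEP replies is present, together with the DNS entry and the CRL/OCSP entries that the notes above say you must add yourself in the Edit Firewall Policy/ACL window. All addresses are constructed from the RFC 5737 documentation ranges; the ACL name, interface name and the use of HTTP (port 80) for SCEP, CRL and OCSP are assumptions for the example, since the actual ports and addresses must come from the CA server administrator.

```cisco
! Added example, not Cisco SDM output. Constructed addresses:
!   203.0.113.1  router's exit interface toward the CA server
!   192.0.2.10   CA server (SCEP over HTTP assumed)
!   192.0.2.20   CRL distribution point (HTTP assumed; use eq 389 if it is LDAP)
!   192.0.2.30   OCSP responder (HTTP assumed)
!   192.0.2.53   DNS server used to resolve the CA, CRL and OCSP hostnames
!
ip access-list extended OUTSIDE_IN
 remark --- passthrough ACE for SCEP replies (the kind of ACE SDM adds) ---
 permit tcp host 192.0.2.10 eq www host 203.0.113.1
 remark --- DNS replies so the router can resolve the PKI server names ---
 permit udp host 192.0.2.53 eq domain host 203.0.113.1
 remark --- revocation traffic: SDM does not add these, add them manually ---
 permit tcp host 192.0.2.20 eq www host 203.0.113.1
 permit tcp host 192.0.2.30 eq www host 203.0.113.1
 remark --- rest of the firewall policy follows; everything else is denied ---
 deny   ip any any log
!
interface FastEthernet0/0
 description outside: exit interface toward the CA server
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE_IN in
```

Each permit entry matches only replies from one specific server to the router's own address on that interface, so the firewall opening is no wider than the PKI exchange needs. If asymmetric routing means the replies arrive on a different interface, or a routing change moves the exit interface, the same entries have to be present in the inbound ACL of that other interface as well; the entries on FastEthernet0/0 alone will not admit them.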