Cisco Systems 2.5

Chapter34 Zone-Based Policy Firewall

Zone Window

34-4

Cisco Router and Security Device Manager 2.5 User’s Guide

OL-4015-12

•An interface can be assigned to only one security zone.

•All traffic to/from a given interface is implicitly blocked when the interface

is assigned to a zone, excepting traffic to/from other interfaces in t he same

zone, and traffic to any interface on the router.

•Traffic is implicitly allowed to flow by default among interfaces that are

members of the same zone.

•To permit traffic to/from a zone member interface, a policy allowing or

inspecting traffic must be configured between that zone and any other zone.

•The self zone is the only exception to the default deny-all policy. All traffic

to any router interface is allowed until traffic is explicitly denied.

•Traffic cannot flow between a zone member interface and any interface that

is not a zone member.

•Pass, inspect, and drop actions can only be applied between two zones.

•Interfaces that have not been assigned to a zone function as classical router

ports and might still use classical stateful inspection/CBAC configuration.

•If it is required that an interface on the box not be part of the zoning/firewall

policy, it might still be necessary to put that interface in a zone and configure

a pass all policy (sort of a dummy policy) between that zone and any other

zone to which traffic flow is desired.

•From the preceding it follows that, if traffic is to flow among all the interfaces

in a router, all the interfaces must be part of the zoning model (each interface

must be a member of one zone or another).

•The only exception to the preceding deny by default approach is the traffic

to/from the router, which will be permitted by default. An explicit policy can

be configured to restrict such traffic.

This set of rules was taken from The Zone-Based Policy Firewall Design Guide

available at the following link:

http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a00

8072c6e3.html

Contents

Main Cisco Router and Security Device Manager Users Guide 2.5 Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Home Page Host Name About Your Router Configuration Overview Page Page Page Page Creating a New Connection Creating a New Connection New Connection Reference Create Connection Additional Procedures How Do I Configure a Static Route? How Do I View Activity on My LAN Interface? How Do I Enable or Disable an Interface? How Do I View the IOS Commands I Am Sending to the Router? How Do I Launch the Wireless Application from Cisco SDM? How Do I Configure an Unsupported WAN Interface? How Do I Enable or Disable an Interface? How Do I View Activity on My WAN Interface? How Do I Configure NAT on a WAN Interface? How Do I Configure NAT on an Unsupported Interface? How Do I Configure a Dynamic Routing Protocol? How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface? How Do I Edit a Radio Interface Configuration? Page LAN Wizard Ethernet Configuration LAN Wizard: Select an Interface LAN Wizard: IP Address and Subnet Mask LAN Wizard: Enable DHCP Server LAN Wizard: DHCP Address Pool DHCP Options LAN Wizard: VLAN Mode LAN Wizard: Switch Port IRB Bridge BVI Configuration DHCP Pool for BVI IRB for Ethernet Layer 3 Ethernet Configuration 802.1Q Configuration Trunking or Routing Configuration Configure Switch Device Module Configure Gigabit Ethernet Interface Summary Page 802.1x Authentication LAN Wizard: 802.1x Authentication (Switch Ports) Host Mode Guest VLAN Auth-Fail VLAN Advanced Options Page Reset to Defaults LAN Wizard: RADIUS Servers for 802.1x Authentication Choose the RADIUS client source Server IP, Timeout, and Parameters Columns Use for 802.1x Check Box Add, Edit, and Ping Edit 802.1x Authentication (Switch Ports) Enable 802.1x Authentication Host Mode Guest VLAN Auth-Fail VLAN LAN Wizard: 802.1x Authentication (VLAN or Ethernet) Use 802.1x Authentication to separate trusted and untrusted traffic on the interface Exception Lists Exempt Cisco IP phones from 802.1x authentication 802.1x Exception List 802.1x Authentication on Layer 3 Interfaces Enable 802.1x Authentication Globally Interfaces Table Edit 802.1x Authentication How Do I ... How Do I Configure 802.1x Authentication on More Than One Ethernet Port? Page Configuring WAN Connections Configuring an Ethernet WAN Connection Ethernet WAN Connection Reference WAN Wizard Interface Welcome Window Select Interface IP Address: Ethernet without PPPoE Encapsulation: PPPoE Page Configuring a Serial Connection Serial Connection Reference IP Address: Serial with Point-to-Point Protocol IP Address: Serial with HDLC or Frame Relay Authentication Configure LMI and DLCI Configure Clock Settings Page Configuring a DSL Connection DSL Connection Reference IP Address: ATM or Ethernet with PPPoE/PPPoA IP Address: ATM with RFC 1483 Routing Encapsulation Autodetect Page PVC Page Configuring an ISDN Connection ISDN Connection Reference ISDN Wizard Welcome Window IP Address: ISDN BRI or Analog Modem Switch Type and SPIDs Dial String Configuring an Aux Backup Connection Aux Backup Connection Reference Aux Backup Welcome Window Backup Configuration Prerequisites Backup Configuration: Primary Interface and Next Hop IP Addresses Backup Configuration: Hostname or IP Address to Be Tracked Configuring an Analog Modem Connection Analog Modem Connection Reference Analog Modem Welcome Configuring a Cable Modem Connection Cable Modem Connection Reference Cable Modem Connection Wizard Welcome Select Interface Page Page Edit Interface/Connection Summary Enable or Disable Test Connection Interface List Details About Interface Why Are Some Interfaces or Connections Read-Only? Connection: Ethernet for IRB Current Bridge Group/Associated BVI Create a new Bridge Group/Join an existing Bridge Group Connection: Ethernet for Routing DHCP Relay Existing Dynamic DNS Methods Add Dynamic DNS Method Page Wireless Association Zone Inspect Rule VPN Making Association Changes NAT Edit Switch Port Duplex Power Inline Application Service QoS Netflow NBAR General IP Directed Broadcasts IP Proxy ARP IP Route Cache-Flow IP Redirects IP Mask-Reply IP Unreachables Select Ethernet Configuration Type To Indicate that the Interface is a LAN Interface: To Indicate that the Interface is a WAN Interface: Connection: VLAN VLAN ID Native VLAN Check Box IP Address Fields Subinterfaces List Add or Edit BVI Interface IP Address/Subnet Mask Add or Edit Loopback Interface Connection: Virtual Template Interface Interface Type IP Address Unnumbered to Connection: Ethernet LAN Connection: Ethernet WAN Enable PPPoE Encapsulation Page Connection: Ethernet Properties Enable PPPoE Encapsulation Page Connection: Ethernet with No Encapsulation Connection: ADSL Page Page Connection: ADSL over ISDN Page Connection: G.SHDSL Page IP Address for Remote Connection in Central Office Equipment Type Page Connection: Cable Modem Configure DSL Controller Line Rate Enable Sound to Noise Ratio Margin DSL Connections Add a G.SHDSL Connection Page Page Connection: Serial Interface, Frame Relay Encapsulation DLCI LMI Type Use IETF Frame Relay Encapsulation Page Connection: Serial Interface, PPP Encapsulation Page Connection: Serial Interface, HDLC Encapsulation Add or Edit GRE Tunnel Tunnel Number Page Connection: ISDN BRI ISDN Switch Type SPIDs Page Page Connection: Analog Modem Clear Line Page Connection: (AUX Backup) Clear Line Backup Details Authentication CHAP/PAP Login Name Password Reenter Password SPID Details SPID1 SPID2 Dialer Options Dialer List Association Timer Settings Page Backup Configuration Enable Backup Primary Interface Tracking Details Next Hop Forwarding Delete Connection To view the associations that the connection has: To delete the connection and all associations: To manually delete the associations: Connectivity Testing and Troubleshooting Which connection types can be tested? What is Basic Ping Testing? How does Cisco SDM Troubleshoot? Page Page Page Wide Area Application Services Configuring a WAAS Connection WAAS Reference NM WAAS Page Integrated Service Engine WCCP Central Manager Registration Create Firewall Basic Firewall Advanced Firewall Page Basic Firewall Configuration Wizard Basic Firewall Interface Configuration Outside (untrusted) Interface Allow secure Cisco SDM access from outside interfaces checkbox Inside (trusted) Interfaces Advanced Firewall Configuration Wizard Advanced Firewall Interface Configuration Allow secure Cisco SDM access from outside interfaces checkbox DMZ Interface Advanced Firewall DMZ Service Configuration DMZ Service Configuration To configure a DMZ service entry: To edit a DMZ service entry: DMZ Service Configuration Host IP Address Service Application Security Configuration Preview Commands Button Custom Application Security Policy Button Domain Name Server Configuration URL Filter Server Configuration Filter HTTP Request through URL Filter Server URL Filter Server Type Select Interface Zone ZPF Inside Zones Voice Configuration Summary Inside (trusted) Interface(s) Outside (untrusted) Interface(s) DMZ Interface SDM Warning: SDM Access Determining if an Outside Interface is Configured with a Static IP Address Configuring SSH and HTTPS How Do I View Activity on My Firewall? Enable Logging Identify the Access Rules for Which You Want to Generate Log Entries Page How Do I Configure a Firewall on an Unsupported Interface? How Do I Configure a Firewall After I Have Configured a VPN? How Do I Permit Specific Traffic Through a DMZ Interface? How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? How Do I Configure NAT on an Unsupported Interface? How Do I Configure NAT Passthrough for a Firewall? How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? Page How Do I Associate a Rule with an Interface? How Do I Disassociate an Access Rule from an Interface How Do I Delete a Rule That Is Associated with an Interface? How Do I Create an Access Rule for a Java List? How Do I Permit Specific Traffic onto My Network if I Dont Have a DMZ Network? Page Page Firewall Policy Edit Firewall Policy/ACL Configure a Firewall Before Using the Firewall Policy Feature Use the Firewall Policy View Feature Apply Changes Button Discard Changes Button Choose a Traffic Flow Examine the Traffic Diagram and Choose a Traffic Direction Originating Traffic Returning Traffic Icons Make Changes to Access Rules Service Area Header Fields Service Area Controls Page Service Area Entry Fields Make Changes to Inspection Rules Swap From and To Interfaces to Bring Other Rules into View Application Area Controls Application Area entry fields App-Name Add Application Entry Add rpc Application Entry Program Number Add Fragment application entry Range (optional) Add or Edit http Application Entry Hosts/network for Java applet download Java Applet Blocking Host/Network Cisco SDM Warning: Inspection Rule Cisco SDM Warning: Firewall Edit Firewall Policy Things You Must do Before Viewing Information in this Window Expanding and Collapsing the Display of a Policy Adding a New Rule to a Policy Adding a New Zone Policy Reordering Rules Within a Policy Copying and Pasting a Rule Displaying the Rule Flow Diagram Applying Your Changes Discarding Your Changes Add a New Rule Add Traffic Source Host/Network and Destination Host/Network Application Inspection URL Filter Quality of Service Inspect Parameter Select Traffic Delete Rule Automatically delete class maps and ACLs used by this rule I will delete the unused class maps and ACLs later Hide Details Manually Deleting Class Maps Manually Deleting ACLs Application Security Application Security Windows Policy Name List Application Security Buttons E-mail Drawer Instant Messaging Drawer Peer-to-Peer Drawer No Application Security Policy Global Settings E-mail Applications Column Alerts, Audit, and Timeout Columns Options Column Instant Messaging Peer-to-Peer Applications URL Filtering HTTP Detect noncompliant HTTP traffic Checkbox Detect tunneling applications Checkbox Set maximum URI length inspection Checkbox Enable HTTP inspection Checkbox Header Options Set maximum header length checkbox Configure Extension Request Method checkboxes Configure RFC Request Method checkboxes Content Options Verify Content Type checkbox Set Content Length checkbox Configure Transfer Encoding Checkbox Applications/Protocols Applications/Protocols Tree Applications Column Alerts, Audit, and Timeout Columns Options Column Timeouts and Thresholds for Inspect Parameter Maps and CBAC TCP Connection Timeout Value TCP FIN Wait Timeout Value TCP Idle Timeout Value UDP Idle Timeout Value DNS Timeout Value SYN Flooding DoS Attack Thresholds Enable audit globally Enable alert globally Associate Policy with an Interface Edit Inspection Rule Alert Field Audit Field Timeout Field Permit, Block, and Alarm Controls Page Site-to-Site VPN VPN Design Guide Create Site to Site VPN Create a Site-to-Site VPN Create a Secure GRE Tunnel (GRE-over-IPSec) Page Site-to-Site VPN Wizard View Defaults VPN Connection Information Select the interface for this VPN Connection Peer Identity Traffic to Encrypt IKE Proposals Page D-H Group To add or edit an IKE policy: To accept the policy list: Transform Set Select Transform Set Details of the Selected Transform Set Page Traffic to Protect Protect All Traffic Between the Following Subnets Create/Select an access-list for IPSec traffic Summary of the Configuration Spoke Configuration Test the connectivity after configuring Spoke Configuration Secure GRE Tunnel (GRE-over-IPSec) GRE Tunnel Information Tunnel Source Tunnel Destination IP Address of the GRE tunnel VPN Authentication Information Backup GRE Tunnel Information Create a backup secure GRE tunnel for resilience IP address of the backup GRE tunnels destination Tunnel IP address Routing Information EIGRP OSPF RIP Static Routing Static Routing Information Page Select Routing Protocol Summary of Configuration Edit Site-to-Site VPN Site-to-Site VPN Connections Page Test Tunnel.. Button Clear Connection Button Generate Mirror..Button Add new connection Add Additional Crypto Maps IPSec Policy Crypto Map Wizard: Welcome Crypto Map Wizard: Summary of the configuration Delete Connection interface name policy name set name Ping Source Destination To ping a remote peer: To clear the output of the ping command: Cisco SDM Warning: NAT Rules with ACL Original Address Translated Address Rule Type To make the listed NAT rules use route maps: How Do I Create a VPN to More Than One Site? Create the initial VPN tunnel: Create an Additional Tunnel from the Same Source Interface After Configuring a VPN, How Do I Configure the VPN on the Peer Router? How Do I Edit an Existing VPN Tunnel? How Do I Confirm That My VPN Is Working? How Do I Configure a Backup Peer for My VPN? How Do I Accommodate Multiple Devices with Different Levels of VPN Support? How Do I Configure a VPN on an Unsupported Interface? How Do I Configure a VPN After I Have Configured a Firewall? How Do I Configure NAT Passthrough for a VPN? Page Page Easy VPN Remote Creating an Easy VPN Remote Connection Create Easy VPN Remote Reference Create Easy VPN Remote Configure an Easy VPN Remote Client Easy VPN Remote Wizard: Network Information Easy VPN Remote Wizard: Identical Address Configuration Warning Messages Easy VPN Remote Wizard: Interfaces and Connection Settings Page Easy VPN Remote Wizard: Server Information Page Easy VPN Remote Wizard: Authentication Page Easy VPN Remote Wizard: Summary of Configuration Test VPN Connectivity Administering Easy VPN Remote Connections Editing an Existing Easy VPN Remote Connection Creating a New Easy VPN Remote Connection Deleting an Easy VPN Remote Connection Resetting an Established Easy VPN Remote Connection Connecting to an Easy VPN Server Connecting other Subnets to the VPN Tunnel Administering Easy VPN Remote Reference Edit Easy VPN Remote Page Page Page Page Add or Edit Easy VPN Remote Page Add or Edit Easy VPN Remote: General Settings Page Page Network Extension Options Add or Edit Easy VPN Remote: Easy VPN Settings Page Add or Edit Easy VPN Remote: Authentication Information Page Page Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication Page Add or Edit Easy VPN Remote: Interfaces and Connections Page Add or Edit Easy VPN Remote: Identical Addressing Warning Messages Easy VPN Remote: Add a Device Enter SSH Credentials XAuth Login Window Other Procedures How Do I Edit an Existing Easy VPN Connection? How Do I Configure a Backup for an Easy VPN Connection? Page Easy VPN Server Creating an Easy VPN Server Connection Page Create an Easy VPN Server Reference Create an Easy VPN Server Welcome to the Easy VPN Server Wizard Interface and Authentication Group Authorization and Group Policy Lookup User Authentication (XAuth) User Accounts for XAuth Add RADIUS Server Group Authorization: User Group Policies General Group Information DNS and WINS Configuration Split Tunneling Client Settings Page Page Choose Browser Proxy Settings Add or Edit Browser Proxy Settings User Authentication (XAuth) Client Update Add or Edit Client Update Entry Cisco Tunneling Control Protocol Browser Proxy Settings Page Editing Easy VPN Server Connections Edit Easy VPN Server Reference Edit Easy VPN Server Add or Edit Easy VPN Server Connection Restrict Access Group Policies Configuration Page Page IP Pools Add or Edit IP Local Pool Add IP Address Range Enhanced Easy VPN Interface and Authentication RADIUS Servers Page Group Authorization and Group User Policies Configure Idle Timer Add or Edit Easy VPN Server: General Tab Name for this connection IP Address of Virtual Tunnel Interface Add or Edit Easy VPN Server: IKE Tab Page Add or Edit Easy VPN Server: IPSec Tab Transform Set Columns Time Based IPSec SA Lifetime Traffic Volume Based IPSec SA Lifetime IPSec SA Idle Time Perfect Forwarding Secrecy Create Virtual Tunnel Interface Interface Type Configure the interface IP address Select Zone DMVPN Dynamic Multipoint VPN Create a spoke (client) in Dynamic Multipoint VPN Create a hub (server or head-end) in Dynamic Multipoint VPN Dynamic Multipoint VPN (DMVPN) Hub Wizard Type of Hub Primary Hub Backup Hub Configure Pre-Shared Key Digital Certificates Hub GRE Tunnel Interface Configuration Select the interface that connects to the Internet Advanced Configuration for the Tunnel Interface NHRP Authentication String NHRP Network ID NHRP Hold Time Tunnel Key Primary Hub Public IP Address IP Address of hubs mGRE tunnel interface Select Routing Protocol Routing Information Please select the version of RIP to enable Select an existing OSPF process ID/EIGRP AS number Create a new OSPF process ID/EIGRP AS number protocol-name> Dynamic Multipoint VPN (DMVPN) Spoke Wizard DMVPN Network Topology Hub and Spoke Network Fully Meshed Network Specify Hub Information IP Address of Hubs physical interface IP Address of hubs mGRE tunnel interface Spoke GRE Tunnel Interface Configuration Select the interface that connects to the Internet Cisco SDM Warning: DMVPN Dependency Firewall Edit Dynamic Multipoint VPN (DMVPN) Page General Panel MTU Bandwidth Delay Tunnel Key NHRP Panel Authentication String Hold Time Network ID Next Hop Server NHRP Map Configuration Statically configure the IP-to-NMBA address mapping of IP destinations connected to an NBMA network. Routing Panel Routing Protocol RIP Fields OSPF Fields EIGRP Fields How Do I Configure a DMVPN Manually? To configure an IPSec Profile: To configure a DMVPN connection: To specify the networks you want to advertise to the DMVPN: VPN Global Settings VPN Global Settings Enable Aggressive Mode XAuth Timeout IKE Identity Dead Peer Detection VPN Global Settings: IKE Enable IKE Enable Aggressive mode Identity (of this router) XAuth Timeout VPN Global Settings: IPSec Authenticate and Generate new key after every Generate new key after the current key encrypts a volume of VPN Global Settings: Easy VPN Server VPN Key Encryption Settings Page Page IP Security IPSec Policies Crypto Maps in this IPSec policy Dynamic Crypto Maps Sets in this IPSec Policy Add or Edit IPSec Policy Crypto Maps in this IPSec policy Dynamic Crypto Maps Sets in this IPSec Policy Add or Edit Crypto Map: General Name of IPSec Policy Sequence Number Security Association Lifetime Enable Perfect Forwarding Secrecy Add or Edit Crypto Map: Peer Information Add or Edit Crypto Map: Transform Sets Available Transform Sets Details of Selected Transform Set (Crypto Map Wizard Only) Selected Transform Sets In Order of Preference (Manual Configuration of Crypto Map Only) What Do You Want to Do? (Crypto Map Wizard Only) What Do You Want to Do? (Manual Configuration of Crypto Map Only) Add or Edit Crypto Map: Protecting Traffic Protect all traffic between the following subnets (Crypto Map Wizard Only) IPSec Rule (Create/Select an access-list for IPSec traffic) Dynamic Crypto Map Sets Add or Edit Dynamic Crypto Map Set Associate Crypto Map with this IPSec Policy IPSec Profiles Details of IPSec Profile Add or Edit IPSec Profile Transform Set Columns IKE Profile Association Time Based IPSec SA Lifetime Traffic Volume Based IPSec SA Lifetime Add or Edit IPSec Profile and Add Dynamic Crypto Map Available Transform Sets Selected Transform Sets Transform Set ESP Encryption ESP Integrity AH Integrity IP Compression Mode Add or Edit Transform Set Name of this transform set Data integrity and encryption (ESP) Data and address integrity without encryption (AH) Mode IP Compression (COMP-LZS) IPSec Rules Name/Num Page Page Internet Key Exchange Internet Key Exchange (IKE) IKE Policies Page Add or Edit IKE Policy D-H Group Lifetime IKE Pre-shared Keys Peer IP/Name Add or Edit Pre Shared Key Key Reenter Key Peer IP Address/Subnet Mask IKE Profiles IKE Profiles Details of IKE Profile Add or Edit an IKE Profile Page Page Page Public Key Infrastructure Certificate Wizards Simple Certificate Enrollment Protocol (SCEP) Cut and Paste/Import from PC Launch the selected task button Welcome to the SCEP Wizard Certificate Authority (CA) Information CA server nickname Enrollment URL Challenge Password and Confirm Challenge Password Advanced Options Button Certificate Subject Name Attributes Include routers fully qualified Domain Name (FQDN) in the certificate. Include routers IP Address Include routers serial number Other Subject Attributes RSA Keys Generate new key pair(s) Save to USB Token Summary If you are performing an SCEP enrollment If you are performing a cut-and-paste enrollment CA Server Certificate CA servers certificates finger print is: To accept the CA servers certificate and continue the enrollment process To decline the CA servers certificate and stop the enrollment process Enrollment Status Enrollment Task Begin New Enrollment Continue with an unfinished enrollment Enrollment Request Save: Continue with Unfinished Enrollment Select CA server nickname (trustpoint) Import CA and router certificate(s) Import CA certificate Import router certificate(s) Import CA certificate Import Router Certificate(s) Digital Certificates Trustpoints Certificate chain for trustpoint name Trustpoint Information Certificate Details Revocation Check Revocation Check Revocation Check, CRL Only RSA Keys Window RSA keys configured on your router Key Data Save Key to PC Button Generate RSA Key Pair Modulus Key is exportable checkbox Save to USB Token USB Token Credentials USB Tokens Removal Timeout Secondary Config File Add or Edit USB Token Token Name Current PIN Page Open Firewall Modify Firewall Details Button Open Firewall Details Page Certificate Authority Server Create CA Server Create Certificate Authority (CA) Server Restore Certificate Authority (CA) Server Prerequisite Tasks for PKI Configurations CA Server Wizard: Welcome CA Server Wizard: Certificate Authority Information CA Server Name Grant CDP URL Issuer Name Attributes Database Lifetimes CA Server Wizard: RSA Keys Modulus Key is exportable Passphrase and Confirm Passphrase Open Firewall CA Server Wizard: Summary Manage CA Server Status Icon Start Server Stop Server Backup Server Uninstall Server Details of CA Server Manage CA Server Restore Window Restore CA Server Edit CA Server Settings: General Tab Edit CA Server Settings: Advanced Tab Manage CA Server: CA Server Not Configured Manage Certificates Pending Requests Select All Grant Reject Refresh Certificate Enrollment Requests Area Revoke Certificate Revoked Certificates Revoke Certificate Revoke Certificate Certificate ID Cisco IOS SSL VPN Cisco IOS SSL VPN links on Cisco.com Creating an SSL VPN Connection Create an SSL VPN Connection Reference Create SSL VPN Create a new SSL VPN Add a new policy to an existing SSL VPN for a new group of users Configure advanced features for an existing SSL VPN Launch the selected task button Persistent Self-Signed Certificate Length of RSA Key Subject Generate Button Welcome SSL VPN Gateways IP Address and Name Fields IP Address User Authentication External AAA server Button Locally on this router Button First on an external AAA server and then locally on this router Button Use the AAA authentication method list Button AAA servers configured for this router List Configure Intranet Websites Action and URL List Columns Add or Edit URL URL Link Customize SSL VPN Portal Theme Preview SSL VPN Passthrough Configuration User Policy Details of SSL VPN Group Policy: Policyname WINS servers Select the SSL VPN User Group SSL VPN User Group Select Advanced Features Thin Client (Port Forwarding) Add or Edit a Server Server IP Address Server port on which service is listening Port on Client PC Learn More Full Tunnel Enable Full Tunnel Checkbox IP Address Pool Keep the Full Tunnel Client software installed on clients PC Checkbox Install Full Tunnel Client Checkbox Locating the Install Bundle for Cisco SDM Page Enable Cisco Secure Desktop Install Cisco Secure Desktop Common Internet File System WINS Servers Permissions Enable Clientless Citrix Citrix Server Editing SSL VPN Connections Editing SSL VPN Connection Reference Edit SSL VPN SSL VPN Contexts Details about SSL VPN Context: Name SSL VPN Context Page Designate Inside and Outside Interfaces Select a Gateway Context: Group Policies Click here to learn more Group Policy: General Tab Group Policy: Clientless Tab Page Group Policy: Thin Client Tab Group Policy: SSL VPN Client (Full Tunnel) Tab IP address pool from which clients will be assigned an IP address Keep full-tunnel client software installed on clients PC Checkbox Renegotiate Key field ACL to restrict access for users in this group to corporate resources Home page client should see when a web browser is opened with full tunnel software installed Advanced Tunnel Options Split Tunneling Split DNS Browser Proxy Settings Do not use proxy server for addresses beginning with DNS and WINS Servers DNS and WINS Servers Context: HTML Settings Select theme Customize Button Page Preview Button Select Color Basic RGB Context: NetBIOS Name Server Lists Add or Edit a NBNS Server List Add or Edit an NBNS Server Context: Port Forward Lists Add or Edit a Port Forward List Context: URL Lists Add or Edit a URL List Context: Cisco Secure Desktop SSL VPN Gateways SSL VPN Gateways Details of SSL VPN Gateway Add or Edit a SSL VPN Gateway Gateway Name HTTP Redirect Checkbox Enable Gateway Checkbox Packages Install Package Additional Help Topics Cisco IOS SSL VPN Contexts, Gateways, and Policies CiscoIOS SSL VPN Contexts CiscoIOS SSL VPN Gateways CiscoIOS SSL VPN Policies Example Page Page Page Learn More about Port Forwarding Servers Learn More About Group Policies Learn More About Split Tunneling How do I verify that my Cisco IOS SSL VPN is working? How do I configure a Cisco IOS SSL VPN after I have configured a firewall? How do I associate a VRF instance with a CiscoIOS SSL VPN context? SSL VPN Enhancements SSL VPN Reference SSL VPN Context: Access Control Lists Add or Edit Application ACL Add ACL Entry Action URL Time Range Add or Edit Action URL Time Range Dialog Add or Edit Absolute Time Range Entry Add or Edit Periodic Time Range Entry Page VPN Troubleshooting VPN Troubleshooting Tunnel Details Page Test Specific Client Button VPN Troubleshooting: Specify Easy VPN Client Listen for request for X minutes VPN Troubleshooting: Generate Traffic VPN traffic on this connection is defined as Have SDM generate VPN Traffic I will generate VPN traffic from the source network VPN Troubleshooting: Generate GRE Traffic Have SDM generate VPN Traffic I will generate VPN traffic from the source network Cisco SDM Warning: SDM will enable router debugs... Security Audit Perform Security Audit One-Step Lockdown Page Welcome Page Interface Selection Page Interface Column Outside Column Inside Column Report Card Page Fix It Page Select an Option: Fix the security problems Select an option: Undo Security Configurations I want Cisco SDM to fix some problems, but undo other security configurations Disable Finger Service Disable PAD Service Disable TCP Small Servers Service Disable UDP Small Servers Service Disable IP BOOTP Server Service Disable IP Identification Service Disable CDP Disable IP Source Route Enable Password Encryption Service Enable TCP Keepalives for Inbound Telnet Sessions Enable TCP Keepalives for Outbound Telnet Sessions Enable Sequence Numbers and Time Stamps on Debugs Enable IP CEF Disable IP Gratuitous ARPs Set Minimum Password Length to Less Than 6 Characters Set Authentication Failure Rate to Less Than 3 Retries Set TCP Synwait Time Set Banner Enable Logging Set Enable Secret Password Disable SNMP Set Scheduler Interval Set Scheduler Allocate Set Users Enable Telnet Settings Enable NetFlow Switching Disable IP Redirects Disable IP Proxy ARP Disable IP Directed Broadcast Disable MOP Service Disable IP Unreachables Disable IP Mask Reply Disable IP Unreachables on NULL Interface Enable Unicast RPF on Outside Interfaces Enable Firewall on All of the Outside Interfaces Set Access Class on HTTP Server Service Set Access Class on VTY Lines Enable SSH for Access to the Router Enable AAA Configuration Summary Screen Cisco SDM and Cisco IOS AutoSecure AutoSecure Features Implemented in Cisco SDM AutoSecure Features Not Implemented in Cisco SDM AutoSecure Features Implemented Differently in Cisco SDM Security Configurations Cisco SDM Can Undo Undoing Security Audit Fixes Add or Edit Telnet/SSH Account Screen Configure User Accounts for Telnet/SSH Page Enable Secret and Banner Page New Password Re-enter New Password Login Banner Logging Page IP Address/Hostname Table Add... Button Edit... Button Set logging level Field Page Routing Static Routing Dynamic Routing Add or Edit IP Static Route Destination Network Forwarding Optional Add or Edit an RIP Route Add or Edit an OSPF Route IP Network List Available Interface List Make Interface Passive Add or Edit EIGRP Route Page Network Address Translation Network Address Translation Wizards Basic NAT Wizard: Welcome Basic NAT Wizard: Connection Choose an Interface Choose Networks Summary Advanced NAT Wizard: Welcome Advanced NAT Wizard: Connection Choose an Interface Additional Public IP Addresses Add IP Address Advanced NAT Wizard: Networks Advanced NAT Wizard: Server Public IP Addresses Add or Edit Address Translation Rule Original Port Translated Port Protocol Advanced NAT Wizard: ACL Conflict Details Network Address Translation Rules Designate NAT Interfaces Address Pools Translation Timeouts Network Address Translation Rules Clone selected entry on Add Page Designate NAT Interfaces Inside (trusted) Outside (untrusted) Translation Timeout Settings DNS Timeout Edit Route Map Edit Route Map Entry Address Pools Add or Edit Address Pool Pool Name Port Address Translation (PAT) Add or Edit Static Address Translation Rule: Inside to Outside Page Page Redirect Port Configuration Scenarios Add or Edit Static Address Translation Rule: Outside to Inside Page Page Redirect Port Add or Edit Dynamic Address Translation Rule: Inside to Outside Page Page Add or Edit Dynamic Address Translation Rule: Outside to Inside Page How Do I . . . How do I Configure Address Translation for Outside to Inside How Do I Configure NAT With One LAN and Multiple WANs? Page Cisco IOS IPS IPS Tabs IPS Rules Create IPS Create IPS: Welcome Create IPS: Select Interfaces Create IPS: SDF Location Create IPS: Signature File Specify the signature file you want to use with IOS IPS Get the latest signature file from CCO and save to PC Configure Public Key Create IPS: Configuration File Location and Category Config Location Choose Category Add or Edit a Config Location Specify config location on this router Specify config location using URL Directory Selection Signature File Specify Signature File on Flash Specify Signature File using URL Specify Signature File on PC Create IPS: Summary Edit IPS IPS Policies Button Global Settings Button Auto Update SEAP Configuration Edit IPS: IPS Policies Disable Button Disable All Button Interface Name IP Inbound IPS/Outbound IPS IPS Filter Details Enable or Edit IPS on an Interface Both, Inbound, and Outbound Buttons Inbound Filter Outbound Filter ... Button Edit IPS: Global Settings Global Settings Table Configured SDF Locations Reload Signatures Enable Syslog Notification (Syslog and SDEE Tab) SDEE (Syslog and SDEE Tab) Enable Engine Fail Closed (Global Engine Tab) Use Built-in Signatures (as backup) (Global Engine Tab) Add or Edit a Signature Location Specify SDF on this router Specify SDF using URL Autosave Edit IPS: SDEE Messages SDEE Messages SDEE Message Text IDS Status Messages IDS Error Messages Edit IPS: Global Settings Engine Options Edit IPS Prerequisites Table Syslog and SDEE Tab Global Engine Tab Edit IPS Prerequisites Config Location Tab Category Selection Tab Public Key Tab Add Public Key Edit IPS: Auto Update Before Configuring Autoupdate Download signature file from Cisco.com Autoupdate Edit IPS: SEAP Configuration Edit IPS: SEAP Configuration: Target Value Rating Target Value Rating Column Target IP Address Column Add Target Value Rating Target Value Rating (TVR) Target IP Addresses Edit IPS: SEAP Configuration: Event Action Overrides Page Add or Edit an Event Action Override Event Action Enabled Risk Rating Edit IPS: SEAP Configuration: Event Action Filters Use Event Action Filters Event Action Filter List Area Event Action Filter List Buttons Page Add or Edit an Event Action Filter Page Stop on Match Comments Edit IPS: Signatures Page Enable Disable Summary or Details Button Signature List Signatures marked for deletion Apply Changes Button Page Edit IPS: Signatures Import Button Total [ ] Select All Page Page Apply Changes Edit Signature Signature ID Page Event Counter Alert Frequency Status File Selection Size Time Modified Assign Actions Import Signatures How to Import Signatures Signature List Area Merge Button Replace Button Add, Edit, or Clone Signature Field Definitions Page Cisco Security Center IPS-Supplied Signature Definition Files Determine Which SDF File Is in Memory Configuring IPS to Use an SDF Security Dashboard Top Threats Table Select SDF Deploying Signatures From the Top Threats Table IPS Migration Migration Wizard: Welcome Migration Wizard: Choose the IOS IPS Backup Signature File Signature File Specify signature file on flash Java Heap Size Page Page Network Module Management IDS Network Module Management IDS Network Module Control Buttons IDS Network Module Status IDS NM Monitoring Interface Settings Configure IDS Sensor Interface IP Address IP Address Determination Use Cisco SDM last known IP Address Let Cisco SDM discover IP address Specify IDS NM Configuration Checklist IDS NM Sensor Interface Date & Time IP CEF Setting Refresh IDS NM Initial Setup IDS NM Interface Monitoring Configuration Network Module Login Feature Unavailable Switch Module Interface Selection Page Quality of Service Creating a QoS Policy Create a QoS Policy Reference Create QoS Policy QoS Wizard Interface Selection Queuing for Outbound Traffic Add a New Traffic Class Page Policing for Outbound Traffic QoS Policy Generation QoS Configuration Summary 29-9 Editing QoS Policies Complete these steps to edit a QoS policy: Step1 If you want to review the Cisco IOS CLI commands that you send to the router Edit QoS Policy Reference Edit QoS Policy Page Page Add Class for the New Policy Add Service Policy to Class Associate or Disassociate the QoS Policy Add or Edit a QoS Class Page Page Edit Match DSCP Values Edit Match Protocol Values Add Custom Protocols Edit Match ACL Configure Policing Configure Shaping Configure Queuing Page Network Admission Control Create NAC Tab Enable AAA Button Launch NAC Wizard Button How Do I List Other Tasks in a NAC Implementation Welcome NAC Policy Servers Choose the RADIUS client source Details Button Server IP, Timeout, and Parameters Columns Use for NAC Check Box Add, Edit, and Ping Buttons Interface Selection NAC Exception List IP Address/MAC Address/Device Type, Address/Device, and Policy Columns Add or Edit an Exception List Entry Type List Specify Address Field Choose an Exception Policy Redirect URL: URL Field Preview of Access Rule Add Exception Policy Name Field Access Rule Field Redirect URL Field Agentless Host Policy Authenticate Agentless Hosts Check Box Username and Password Fields Configuring NAC for Remote Access Enable Cisco SDM Remote Management Modify Firewall Details Window Summary of the configuration Edit NAC Tab NAC Timeouts Button Agentless Host Policy Button NAC Policies List NAC Components Exception List Window Exception Policies Window NAC Timeouts Page Configure these timeout values globally Check Box Configure a NAC Policy Name Field Select an Interface List Admission Rule Field How Do I Configure a NAC Policy Server? How Do I Install and Configure a Posture Agent on a Host? Router Properties ( Device Properties Device Tab Password Tab Date and Time: Clock Properties Date/Time Router Time Source Change Settings Date and Time Properties Synchronize with my local PC clock Synchronize Edit Date and Time Apply NTP Add or Edit NTP Server Details Authentication Key SNTP Property Value Add an NTP Server Logging Logging Level Logging to Buffer SNMP Enable SNMP Community String Trap Receiver SNMP Server Location Netflow Netflow Talkers Enable Top Talkers Router Access User Accounts: Configure User Accounts for Router Access Privilege Level View Name Add or Edit a Username Page View Password Enter the View Password vty Settings Edit vty Lines Page Authentication/Authorization Configure Management Access Policies Host/Network Management Interface Permitted Protocols Apply Button Add or Edit a Management Policy Management Access Error Messages Page SSH Status Messages Key modulus size Button Generate RSA Key Button Details of DHCP Pool DHCP Configuration DHCP Pools Pool Name name DHCP Pool Status Add or Edit DHCP Pool DHCP Bindings Binding Name Host/IP Mask MAC Address Add or Edit DHCP Binding MAC Address Client Name (Optional) DNS Properties Enable DNS-based hostname to address translation Check Box DNS IP Address Dynamic DNS Methods Add or Edit Dynamic DNS Method HTTP Page ACL Editor Category No. of Rules To configure rules: Useful Procedures for Access Rules and Firewalls Rules Windows First column Name/Number Used By First Column (Rule Entry Area) Source Destination Service Attributes Add or Edit a Rule Name/Number Rule Entry List Clone Interface Association Page Associate with an Interface Select an Interface Specify a Direction If Another Rule is Already Associated with the Interface Add a Standard Rule Entry Page Log Matches Against This Entry Add an Extended Rule Entry Destination Host/Network Protocol and Service Log Matches Against This Entry Select a Rule Rule Category Preview Page Port-to-Application Mapping Port-to-Application Mappings Application Protocol Column Port Type Column Port Column Protocol Type Column Access List Column Add or Edit Port Map Entry Protocol Field Description Field Port Type List Port Number Field Host of Service Field Zone-Based Policy Firewall Configuration Task Order Zone Window Add or Edit a Zone Zone-Based Policy General Rules Page Zone Pairs Add or Edit a Zone Pair Add a Zone Zone Name Select a Zone Select a Zone for the Interface Page Authentication, Authorization, and Accounting Configuring AAA AAA Screen Reference AAA Root Screen AAA Servers and Server Groups AAA Servers Add or Edit a TACACS+ Server Add or Edit a RADIUS Server Server-specific setup Page AAA Server Groups Add or Edit AAA Server Group Authentication and Authorization Policies Authentication and Authorization Authentication NAC Authentication 802.1x Add or Edit a Method List for Authentication or Authorization Page Page Page Router Provisioning Secure Device Provisioning Router Provisioning from USB Router Provisioning from USB (Load File) SDP Troubleshooting Tips Guidelines Troubleshooting Tips Page Cisco Common Classification Policy Language Policy Map Policy Map Windows Policy Map List Area Details of Policy Map Add or Edit a QoS Policy Map Policy Name and Description Class Map, Queuing, Set DSCP, and Drop Associate a Policy Map to Interface Page Add an Inspection Policy Map Layer 7 Policy Map Application Inspection Configure Deep Packet Inspection Class Maps Associate Class Map Class Map Advanced Options Inspect Parameter Map URL Filtering Parameter Map Enable Application Inspection QoS Class Map Add or Edit a QoS Class Map Add or Edit a QoS Class Map Select a Class Map Deep Inspection Class Map and Application Service Group Windows Class Map Area Details of Class Map Add or Edit an Inspect Class Map Specifying whether you want the class to match any or all of the conditions Choosing what you want the inspect class map to match Changing the match order Associate Parameter Map Add an HTTP Inspection Class Map HTTP Request Header Field Name and Configuration Options HTTP Request Header Fields HTTP Request Body HTTP Request Header Arguments HTTP Method Request Port Misuse Request URI Response Header Response Header Fields HTTP Response Body Java Applets in HTTP Response HTTP Response Status Line Request/Response Header Criteria HTTP Request/Response Header Fields Request/Response Body Request/Response Protocol Violation Add or Edit an IMAP Class Map Add or Edit an SMTP Class Map Add or Edit a SUNRPC Class Map Add or Edit an Instant Messaging Class Map Add or Edit a Point-to-Point Class Map Class Name Class Map Type Add P2P Rule Add or Edit a POP3 Class Map Parameter Maps Parameter Map Windows Add or Edit a Parameter Map for Protocol Information Parameter Map Name Server Details Add or Edit a Server Entry Add or Edit Regular Expression Pattern List Add a Pattern Pattern Guide Button Build Regular Expression Build Snippet Specify Character Snippet Preview Regular Expression Regular Expression Metacharacters Page Page URL Filtering URL Filtering Window Edit Global Settings Allow Mode URL Filter Alert Audit Trail General Settings for URL Filtering Page Maximum Buffered HTTP Requests Maximum Buffered HTTP Responses Advanced Local URL List Maintaining the Local URL List Importing URL Lists from your PC Add or Edit Local URL Import URL List URL Filter Servers Add or Edit a URL Filter Server Port Number Retransmission Count Retransmission Timeout URL Filtering Precedence Page Configuration Management Manually Editing the Configuration File Config Editor Running Configuration Edit Configuration Merging with Running Config Replacing the Running Config Reset to Factory Defaults Understanding How to Give the PC a Dynamic or Static IP Address After You Reset To Reset the Router to Factory Defaults: This Feature Not Supported More About.... IP Addresses and Subnet Masks Page Host and Network Fields Available Interface Configurations DHCP Address Pools Meanings of the Permit and Deny Keywords Services and Ports TCP Services UDP Services Page ICMP Message Types IP Services Services That Can Be Specified in Inspection Rules More About NAT Static Address Translation Scenarios Scenario 1 Scenario 2 Scenario 3 Scenario 4 Dynamic Address Translation Scenarios Scenario 1 Scenario 2 Reasons that Cisco SDM Cannot Edit a NAT Rule More About VPN Cisco.com Resources More about VPN Connections and IPSec Policies Page More About IKE Session Negotiation Key Exchange IPSec Tunnel Negotiation and Configuration More About IKE Policies Allowable Transform Combinations Examples Reasons Why a Serial Interface or Subinterface Reasons Why an ATM Interface or Subinterface Reasons Why an Ethernet Interface Configuration May Be Read-Only Reasons Why an ISDN BRI Interface Configuration May Be Read-Only Reasons Why an Analog Modem Interface Firewall Policy Use Case Scenario DMVPN Configuration Recommendations Configure the Hub First Assigning Spoke Addresses Recommendations for Configuring Routing Protocols for DMVPN Using Interfaces with Dialup Configurations Ping the Hub Before You Start Spoke Configuration Cisco SDM White Papers Page Getting Started Whats New in this Release? Page Cisco IOS Versions Supported Viewing Router Information Overview Launch Wireless Application Button Resource Status Interface Status Firewall Status Group QoS VPN Status Group NAC Status Group Log Group Interface Status Monitor Interface and Stop Monitoring Button Test Connection Button Interface List Select Chart Types to Monitor Group Interface Status Area Chart Area Firewall Status Zone-Based Policy Firewall Status Firewall Policy List Area View Interval Statistics Area VPN Status IPSec Tunnels Monitor Tunnel Button Test Tunnel.. Button Monitoring an IPSec Tunnel DMVPN Tunnels Monitor Tunnel Button Reset Button Monitoring a DMVPN Tunnel Easy VPN Server Disconnect button IKE SAs SSL VPN Components System Resources Number of Connected Users Tabbed Area SSL VPN Context User Sessions URL Mangling Port Forwarding CIFS Full Tunnel User List User List Area Traffic Status Netflow Top Talkers Top Protocols Top Talkers Flow status for the source address QoS InterfaceIP/MaskSlot/PortDescription View Interval Start Monitoring Select QoS Parameters for Monitoring All TrafficReal-TimeBusiness-CriticalTrivial Associating a QoS Policy With an Interface Application/Protocol Traffic Enable NBAR NBAR Status NAC Status Logging Syslog Page Clear Log Button Firewall Log Firewall Log Number of Attempts Denied by Firewall Attempts Denied by Firewall Table View Top Attacks Monitoring Firewall with a Non-Administrator View User Account Application Security Log SDEE Message Log SDEE Messages Time IPS Status Total Active Signatures Total Inactive Signatures Clear Button SDEE Log IPS Signature Statistics Update and Clear Buttons SDEE Log Signature List Area IPS Alert Statistics 802.1x Authentication Status 802.1x Authentication on Interfaces Area 802.1x Clients Area File Menu Commands Save Running Config to PC Deliver Configuration to Router Save Running Config to Routers Startup Config Cancel Write to Startup Config Reset to Factory Defaults File Management Refresh Button Format Button New Folder Button Load File From PC Button Copy Button Paste Button Rename New Folder Save SDF to PC Exit Unable to perform squeeze flash Page Page Edit Menu Commands Preferences Preview commands before delivering to router Save signature file to Flash Confirm before exiting Cisco SDM Continue monitoring interface status when switching mode/task View Menu Commands Running Config Show Commands Cisco SDM Default Rules Access Rules Firewall VPN - IKE Policy VPN - Transform Sets Refresh Tools Menu Commands USB Token PIN Settings Select a PIN Type Token Name Current PIN New PIN Wireless Application Update Cisco SDM Update Cisco SDM from Cisco.com Update Cisco SDM from Local PC Update Cisco SDM from CD CCO Login Page Page Help Menu Commands Page GLOSSARY Symbols and Numerics A Page Page B C Page Page Page D Page Page E Page F G H I Page Page K L M Page N Page O P Page Page Page Q R Page Page S Page Page Page Page T U V Page W X Z INDEX Symbols Numerics A C D E F G H I Page J L M N O P Q R S T U V W X