24-45
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Identifying the Protected Networks for Endpoints
Use the Protected Networks tab on the Edit Endpoints dialog box to edit the protected networks that are
defined on devices in the Endpoints table. (See Defining the Endpoints and Protected Networks,
page 24-33.)
You can specify the protected networks as interface roles whose naming patterns match the internal VPN
interface of the device, as network/host group objects containing one or more network or host IP
addresses, interfaces, or other network objects, or as access control list objects (if Regular IPsec is the
assigned technology).
If you are editing more than one device at a time, select Enable the Protected Networks Changes
on All Selected Peers to apply any changes you make in the Protected Networks tab to all the
selected devices.
To add a protected network, select it from the Available Protected Networks list and click >> to
move it to the Selected Protected Networks list. You can use any combination of interface role
objects, network/host group objects (listed in the Protected Networks folder), or Access Control List
objects to define the protected network for the device. (ACL objects are available only if Regular
IPsec is the assigned technology.)
Note In a hub-and-spoke VPN topology in which Regular IPsec is the assigned technology, when
an ACL object is used to define the protected network on a spoke, Security Manager mirrors
the spoke’s ACL object on the hub to the matching crypto map entry.
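The mirroring described in the note matters because a Regular IPsec crypto ACL on one peer must be the mirror image of the crypto ACL on the other peer (source and destination swapped) for the IPsec SA to negotiate. The following Python is an added example, not Security Manager's own code: it takes a spoke's protected-network ACL written in IOS-style extended ACL syntax, derives the hub-side mirror that the note implies, and checks a candidate hub ACL against it entry by entry. The ACL text, the names, and the positional comparison are assumptions made for this example.

```python
"""Mirror-image check for IPsec crypto ACLs (added example, not CSM code).

Assumes IOS-style extended ACL entries of the form
    permit|deny <proto> <src> <dst>
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask).
Lines beginning with '!' or 'remark' and blank lines are ignored.
"""
import re
from dataclasses import dataclass
from itertools import zip_longest

_ADDR = r"(any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_ACE_RE = re.compile(rf"^\s*(permit|deny)\s+(\w+)\s+{_ADDR}\s+{_ADDR}\s*$")


@dataclass(frozen=True)
class Ace:
    """One access control entry of a crypto ACL."""
    action: str
    proto: str
    src: str
    dst: str

    def mirrored(self) -> "Ace":
        # The peer's entry is the same flow seen from the other side:
        # source and destination change places, protocol and action stay.
        return Ace(self.action, self.proto, self.dst, self.src)

    def render(self) -> str:
        return f"{self.action} {self.proto} {self.src} {self.dst}"


def parse_ace(line: str) -> Ace:
    m = _ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    action, proto, src, dst = m.groups()
    return Ace(action, proto, src, dst)


def parse_acl(text: str) -> list[Ace]:
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("remark"):
            continue
        aces.append(parse_ace(line))
    return aces


def mirror_acl(aces: list[Ace]) -> list[Ace]:
    """Hub-side ACL implied by a spoke's protected-network ACL."""
    return [a.mirrored() for a in aces]


def mirror_mismatches(spoke: list[Ace], hub: list[Ace]) -> list[str]:
    """Report every position where the hub ACL is not the spoke's mirror.

    Order is compared positionally because crypto ACLs are first-match lists;
    an entry that is merely reordered is still reported.
    """
    problems = []
    expected = mirror_acl(spoke)
    for i, (want, got) in enumerate(zip_longest(expected, hub), start=1):
        if want != got:
            w = want.render() if want else "<missing>"
            g = got.render() if got else "<missing>"
            problems.append(f"entry {i}: expected '{w}', hub has '{g}'")
    return problems


# Constructed sample ACLs (not from any real device).
SPOKE_ACL = """
! spoke side: local LAN 10.1.1.0/24 to the hub's 10.0.0.0/16
permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255
permit ip host 10.1.1.10 host 10.0.5.5
"""
HUB_ACL_OK = """
permit ip 10.0.0.0 0.0.255.255 10.1.1.0 0.0.0.255
permit ip host 10.0.5.5 host 10.1.1.10
"""
HUB_ACL_BAD = """
permit ip 10.0.0.0 0.0.255.255 10.1.1.0 0.0.0.255
permit ip host 10.0.5.5 host 10.1.1.11
"""

if __name__ == "__main__":
    spoke = parse_acl(SPOKE_ACL)
    print("hub mirror of the spoke ACL:")
    for a in mirror_acl(spoke):
        print("  " + a.render())
    for name, text in (("good hub", HUB_ACL_OK), ("bad hub", HUB_ACL_BAD)):
        print(f"{name}: {mirror_mismatches(spoke, parse_acl(text)) or 'mirror OK'}")
```

Running the script prints the hub entries Security Manager would be expected to produce for the constructed spoke ACL and flags the second entry of the bad hub ACL, whose host address does not mirror the spoke's. The same check can be run against ACLs pulled from a deployed hub and spoke to confirm that the mirrored crypto map entries did not drift after a manual change.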
To remove a selected protected network, select it and click the << button.
If the order of the objects matters, you can adjust the priority order of the selected objects using the
Move Up, Move Down buttons to position the objects in the selected list as desired. These buttons
are not available if order does not matter.
If an object that you need to define the protected network is not listed, click the Create (+) button
to add the object; you are prompted to select the type of object you want to add. You can also modify
the definition of an existing object by selecting it and clicking the Edit (pencil) button. For more
information, see the following topics:
Understanding Interface Role Objects, page 6-67 and Creating Interface Role Objects,
page 6-68.
Understanding Networks/Hosts Objects, page 6-74 and Creating Networks/Hosts Objects,
page 6-76.
Creating Access Control List Objects, page 6-49.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the Peers policy, select
a device and click Edit to open the Edit Endpoints Dialog Box. Select the Protected Networks tab in
the Edit Endpoints dialog box. For information on how to access these pages and dialog boxes, see
Defining the Endpoints and Protected Networks, page 24-33.
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPNSPA/VSPA
Security Manager supports the configuration of a Firewall Services Module (FWSM) with an IPsec VPN
Services Module (VPNSM) or VPNSPA/VSPA on a Catalyst 6500/7600 device. This feature enables a
FWSM to apply firewall policies to untrusted clients, while the VPNSM or VPN SPA/VSPA provides
secure access to the internal network.