User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Use the FWSM tab on the Edit Endpoints dialog box to define the settings that connect the FWSM
to a VPNSM or VPNSPA/VSPA that is already configured on a Catalyst 6500/7600 device. The FWSM
tab is available only in a hub-and-spoke VPN topology when the selected hub is a
Catalyst 6500/7600 device.
Tips
- Before you can define the FWSM settings, you must add the hosting Catalyst 6500/7600 device to
  the Security Manager inventory and discover its FWSM and its policies and security contexts. See
  Adding Devices from the Network, page 3-11 and Managing Security Contexts, page 57-4.
- If an inside interface is not already created on the Catalyst 6500/7600 device, you must create it (see
  Creating or Editing VLANs, page 65-26). Then, you must assign the FWSM inside interface
  (VLAN) to the appropriate security context, or directly to the FWSM blade.
- You also must configure the settings on the VPN Interfaces tab related to IPsec VPN Services
  Module (VPNSM) or VPNSPA/VSPA. For more information, see Configuring VPNSM or VPN
  SPA/VSPA Endpoint Settings, page 24-41.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a Catalyst 6500/7600 device that contains an FWSM, then click Edit to open the Edit Endpoints
Dialog Box. Select the FWSM tab in the Edit Endpoints dialog box. For information on how to access
these pages and dialog boxes, see Defining the Endpoints and Protected Networks, page 24-33.
Field Reference
Table 24-9 Edit Endpoints Dialog Box, FWSM Tab

| Element | Description |
|---|---|
| Enable FWSM Settings | Whether you want to configure the connection between the Firewall Services Module (FWSM) and the VPN Services Module (VPNSM) or VPN SPA on the Catalyst 6500/7600 device. |
| FWSM Inside VLAN | The VLAN that serves as the inside interface to the Firewall Services Module (FWSM). Enter the name of the interface or interface role, or click Select to select it from a list or to create a new interface role object. |
| FWSM Blade | From the list of available blades, select the blade number to which the selected FWSM inside VLAN interface is connected. |
| Security Context | If the FWSM inside VLAN is part of a security context (that is, the FWSM is running in multiple-context mode), specify the security context name in this field. The name is case-sensitive. |

Configuring VRF Aware IPsec Settings
Use the VRF-Aware IPsec tab on the Edit Endpoints dialog box to configure a VRF-Aware IPsec policy
on a hub in your hub-and-spoke VPN topology. You can configure VRF-Aware IPsec as a one-box or
two-box solution. For more information about VRF-Aware IPsec, see Understanding VRF-Aware IPsec,
page 24-14.
Tips
- VRF-Aware IPsec can be configured only on hubs in a hub-and-spoke VPN topology.