Chapter 28 Public Key Infrastructure
Cisco Router and Security Device Manager Version 2.2 User's Guide
OL-4015-08
Open Firewall
This screen is displayed when SDM detects one or more firewalls on interfaces that
would block return traffic the router needs to receive. Two situations in which it
might appear are when a firewall would block DNS traffic or PKI traffic and so
prevent the router from receiving the replies from the DNS or PKI servers. SDM can
modify these firewalls so that the servers can communicate with the router.

Modify Firewall

This area lists the exit interfaces and ACL names, and allows you to select which
firewalls you want SDM to modify. Select the firewalls you want SDM to modify in
the Action column. SDM modifies the selected ACLs to allow SCEP or DNS traffic
from the server to the router.
Note the following for SCEP traffic:
• SDM does not modify the firewall for CRL/OCSP servers unless they are
explicitly configured on the router. To permit communication with CRL/OCSP
servers, obtain the correct server information from the CA server
administrator and modify the firewalls using the Edit Firewall Policy/ACL
window.
• SDM assumes that traffic sent from the CA server to the router enters
through the same interface through which traffic from the router to the CA
server was sent. If you think that return traffic from the CA server will enter
the router through a different interface than the one SDM lists, you need to
open the firewall on that interface using the Edit Firewall Policy/ACL window.
This can happen when asymmetric routing is in use, that is, traffic from the
router to the CA server exits the router through one interface and return
traffic enters the router through a different interface.
• SDM determines the exit interfaces of the router at the moment the
passthrough ACE is added. If a dynamic routing protocol is used to learn routes
to the CA server and a route changes, so that SCEP traffic destined for the CA
server now exits through a different interface, you must explicitly add a
passthrough ACE for that interface using the Edit Firewall Policy/ACL window.
• SDM adds passthrough ACEs for SCEP traffic only. It does not add passthrough
ACEs for revocation-checking traffic such as CRL and OCSP traffic. You must
explicitly add passthrough ACEs for this traffic using the Edit Firewall
Policy/ACL window.
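The three caveats above (CRL/OCSP ACEs are never added, return traffic may enter on a different interface, the exit interface may change) all come down to one question: does the inbound ACL on every interface the replies could arrive on permit traffic from each PKI server back to the router? The following script is an added example, not SDM code or an SDM-generated configuration. It evaluates a simplified IOS extended-ACL syntax with first-match semantics and the implicit trailing deny, takes the SCEP, CRL and OCSP URLs from the trustpoint, and reports the passthrough ACEs that are still missing per interface. The router address, server URLs, ACL contents and the suggested ACE form (`permit tcp host <server> eq <port> host <router>`) are constructed assumptions for illustration.

```python
"""Check inbound ACLs on each candidate entry interface for PKI return traffic.

Added example, not Cisco SDM or IOS code. Assumed simplified ACE syntax:
    permit|deny tcp|udp|ip (host A | any) [eq PORT] (host B | any) [...]
evaluated first-match, with an implicit 'deny ip any any' at the end.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ldap": 389, "domain": 53}
SCHEME_PORTS = {"http": 80, "https": 443, "ldap": 389}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # IP literal or "any"
    src_port: Optional[int]
    dst: str               # IP literal or "any"


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto, i = tokens[0], tokens[1], 2
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")

    def address() -> str:
        nonlocal i
        if tokens[i] == "any":
            i += 1
            return "any"
        if tokens[i] == "host":
            i += 2
            return tokens[i - 1]
        raise ValueError(f"unsupported address spec in {line!r}")

    src = address()
    src_port = None
    if i < len(tokens) and tokens[i] == "eq":
        src_port = _port(tokens[i + 1])
        i += 2
    dst = address()
    # Any trailing destination-port operator is ignored: the router's
    # ephemeral source ports are not what this check is about.
    return Ace(action, proto, src, src_port, dst)


def permits_return(acl: list[str], server_ip: str, server_port: int, router_ip: str) -> bool:
    """First-match evaluation of a reply packet server_ip:server_port -> router_ip."""
    for line in acl:
        if not line.strip() or line.split()[0] == "remark":
            continue
        ace = parse_ace(line)
        if ace.proto not in ("tcp", "ip"):
            continue
        if ace.src not in ("any", server_ip):
            continue
        if ace.src_port is not None and ace.src_port != server_port:
            continue
        if ace.dst not in ("any", router_ip):
            continue
        return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def endpoint_from_url(url: str) -> tuple:
    """(server, port) from a SCEP/CRL/OCSP URL. IP literals assumed; a hostname
    would additionally need DNS replies to pass the firewall."""
    parsed = urlparse(url)
    return parsed.hostname, parsed.port or SCHEME_PORTS[parsed.scheme]


def missing_aces(acl: list[str], router_ip: str, endpoints: dict) -> dict:
    """Passthrough ACEs still needed for each endpoint ({name: url}) on this ACL."""
    out = {}
    for name, url in endpoints.items():
        ip, port = endpoint_from_url(url)
        if not permits_return(acl, ip, port, router_ip):
            out[name] = f"permit tcp host {ip} eq {port} host {router_ip}"
    return out


def check_interfaces(inbound_acls: dict, router_ip: str, endpoints: dict) -> dict:
    """inbound_acls: {interface: [ace lines]} for every interface through which
    replies might enter (list both paths when routing is asymmetric)."""
    return {ifname: missing_aces(acl, router_ip, endpoints)
            for ifname, acl in inbound_acls.items()}


# Constructed sample: a SCEP passthrough ACE exists on FastEthernet0/0 only;
# Serial0/0 is a second path that replies could take under asymmetric routing.
ROUTER = "198.51.100.1"
PKI_SERVERS = {
    "scep": "http://192.0.2.10/cgi-bin/pkiclient.exe",
    "crl": "http://192.0.2.20/crl/ca.crl",
    "ocsp": "http://192.0.2.30:2560/",
}
INBOUND_ACLS = {
    "FastEthernet0/0": [
        "remark constructed sample inbound ACL",
        "permit tcp host 192.0.2.10 eq www host 198.51.100.1",
        "deny ip any any",
    ],
    "Serial0/0": ["deny ip any any"],
}

if __name__ == "__main__":
    for ifname, missing in check_interfaces(INBOUND_ACLS, ROUTER, PKI_SERVERS).items():
        print(f"{ifname}: {'ok' if not missing else ''}")
        for name, ace in missing.items():
            print(f"  add for {name}: {ace}")
```

Run against the sample, FastEthernet0/0 is reported as missing ACEs for the CRL and OCSP servers only, while Serial0/0 is missing all three, which is exactly the set of ACEs you would then add by hand in the Edit Firewall Policy/ACL window. Real SDM ACLs use wildcard masks, inspection rules and other operators this parser does not handle; extend `parse_ace` before pointing it at a production configuration.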