Cisco Systems OL-4015-08 More About IKE Policies

Chapter30 More About....

More About VPN

30-22

Cisco Router and Security Device Manager Version 2.2 User’s Guide

OL-4015-08

–

Encryption Algorithm: DES, 3DES, or AES

–

Packet Signature Algorithm: MD5 or SHA-1

Key Exchange

IKE uses the negotiated key-exchange method (see “Session Negotiation” above)

to create enough bits of cryptographic keying material to secure future

transactions. This method ensures that each IKE session will be protected with a

new, secure set of keys.

Authentication, session negotiation, and key exchange constitute phase 1 of an

IKE negotiation.

IPSec Tunnel Negotiation and Configuration

After IKE has finished negotiating a secure method for exchanging inform ation

(phase 1), we use IKE to negotiate an IPSec tunnel. This is accomplished in IKE

phase 2. In this exchange, IKE creates fresh keying material for the IPSec tunnel

to use (either using the IKE phase 1 keys as a base or by performing a new key

exchange). The encryption and authentication algorithms for this tunnel are also

negotiated.

More About IKE Policies

When the IKE negotiation begins, IKE looks for an IKE policy that is the same on

both peers. The peer that initiates the negotiation will send all its policies to the

remote peer, and the remote peer will try to find a match. The remote peer looks

for a match by comparing its own highest priority policy against the other peer’s

received policies. The remote peer checks each of its policies in order of its

priority (highest first) until a match is found.

A match is made when both policies from the two peers co ntain the same

encryption, hash, authentication, and Diffie-Hellman parameter values, and when

the remote peer’s policy specifies a lifetime less than or equal to the lifetime in

the policy being compared. If the lifetimes are not identical, the shorter

lifetime-from the remote peer’s policy will be used.

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Home Page Host Name About Your Router Configuration Overview Page Page Page Page LAN Wizard Configure Ethernet Configuration LAN Wizard: Select an Interface LAN Wizard: IP Address and Subnet Mask LAN Wizard: Enable DHCP Server LAN Wizard: DHCP Address Pool Starting IP Ending IP DHCP Options DNS Server 1 DNS Server 2 Domain Name WINS Server 1 LAN Wizard: VLAN Mode LAN Wizard: Switch Port Existing VLAN New VLAN IRB Bridge BVI Configuration Net Mask Net Bits DHCP Pool for BVI DHCP Server Configuration IRB for Ethernet Layer 3 Ethernet Configuration 802.1Q Configuration Trunking or Routing Configuration Configure Switch Device Module How Do I Configure a Static Route? How Do I View Activity on My LAN Interface? How Do I Enable or Disable an Interface? How Do I View the IOS Commands I Am Sending to the Router? How Do I Launch the Wireless Application from SDM? Page Create Connection Wizards Create Connection Create a New Connection WAN Wizard Interface Welcome Window ISDN Wizard Welcome Window Analog Modem Welcome Window Aux Backup Welcome Window Select Interface Encapsulation: PPPoE IP Address: ATM or Ethernet with PPPoE/PPPoA Static IP Address IP Address: ATM with RFC 1483 Routing IP Unnumbered IP Address: Ethernet without PPPoE Static IP Address Dynamic (DHCP Client) IP Address: Serial with Point-to-Point Protocol IP Address: Serial with HDLC or Frame Relay IP Address: ISDN BRI or Analog Modem Authentication Authentication Type Username Confirm Password Switch Type and SPIDs ISDN Switch Type I Have SPIDs SPID1 SPID2 Dial String Backup Configuration Backup Configuration: Primary Interface & Next Hop IP Addresses Primary Interface Primary Next Hop IP Address Backup Next Hop IP Address Backup Configuration: Hostname or IP Address to be Tracked Advanced Options Default Static Route Port Address Translation Encapsulation Autodetect Available Encapsulations PVC VPI VCI Cisco IOS Default Values Configure LMI and DLCI LMI Type DLCI Use IETF Frame Relay Encapsulation Configure Clock Settings Clock Source T1 Framing Line Code Data Coding Facilities Data Link (FDL) Line Build Out (LBO) Delete Connection To view the associations that the connection has: To delete the connection and all associations: To manually delete the association: Page Test the connectivity after configuring Connectivity testing and troubleshooting Which connection types can be tested? What is Basic Ping Testing? How does SDM Troubleshoot? IP Address/Hostname Summary Activity Status Reason Recommended action(s) How Do I View the IOS Commands I Am Sending to the Router? How Do I Configure an Unsupported WAN Interface? How Do I Enable or Disable an Interface? How Do I View Activity on My WAN Interface? How Do I Configure NAT on a WAN Interface? How Do I Configure NAT on an Unsupported Interface? How Do I Configure a Dynamic Routing Protocol? How Do I Configure Dial-on-Demand Routing for my ISDN or Asynchronous Interface? How Do I Edit a Radio Interface Configuration? Page Page Edit Interface/Connection Page Details About Interface Reset/Delete Why Are Some Interfaces or Connections Read-Only? Connection: Ethernet for IRB Current Bridge Group/Associated BVI Create a new Bridge Group/Join an existing Bridge Group Connection: Ethernet for Routing DHCP Relay Existing Dynamic DNS Methods Add Dynamic DNS Method Page Wireless Association Access Rule Inspect Rule VPN Making Association Changes NAT Edit Switch Port Mode Group VLAN Make VLAN visible to interface list General IP Directed Broadcasts IP Proxy ARP IP Route Cache-Flow IP Redirects IP Mask-Reply QoS Dissociate Current QoS Policy checkbox Associate an existing QoS policy checkbox Select Ethernet Configuration Type To indicate that the interface is a LAN interface: To indicate that the interface is a WAN interface: Connection: VLAN VLAN ID Connection: Subinterfaces Add or Edit BVI Interface IP Address/Subnet Mask Add Loopback Interface/ConnectionLoopback Connection: Ethernet LAN DHCP Relay Connection: Ethernet WAN Ethernet Properties Connection: Ethernet with No Encapsulation Connection: ADSL Page Page Connection: ADSL over ISDN Page Connection: G.SHDSL Page IP Address for Remote Connection in Central Office Equipment Type Page Configure DSL Controller Enable Sound to Noise Ratio Margin DSL Connections Connection: G.SHDSL with DSL Controller Page Connection: Serial Interface, Frame Relay Encapsulation DLCI LMI Type Use IETF Frame Relay Encapsulation Connection: Serial Interface, PPP Encapsulation Page Connection: Serial Interface, HDLC Encapsulation Add or Edit GRE Tunnel' Tunnel Number Page Connection: ISDN BRI ISDN Switch Type SPIDs Page Page Connection: Analog Modem Clear Line Page Connection: (AUX Backup) Clear Line Backup Details Authentication CHAP/PAP Login Name Reenter Password SPID Details SPID1 SPID2 Dialer Options Dialer List Association Timer Settings Enable Multilink PPP Backup Configuration Enable Backup Primary Interface Tracking Details Next Hop Forwarding Create Firewall Basic Firewall Advanced Firewall Page Basic Firewall Configuration Wizard Basic Firewall Interface Configuration Outside (untrusted) Interface Inside (trusted) Interfaces Firewall Remote Management Access Advanced Firewall Configuration Wizard Advanced Firewall Interface Configuration DMZ Interface Advanced Firewall DMZ Service Configuration DMZ Service Configuration To configure a DMZ service entry: To edit a DMZ service entry: DMZ Service Configuration Advanced Firewall Inspection Rule Configuration Select Inspection Rule Protocol Alert Audit Trail Application Security Configuration Preview Commands Button Custom Application Security Policy Button Domain Name Server Configuration Inside (trusted) Interface(s) Outside (untrusted) Interface(s) DMZ Interface How Do I View Activity on My Firewall? Enable Logging Identify the Access Rules for Which You Want to Generate Log Entries How Do I Configure a Firewall on an Unsupported Interface? How Do I Configure a Firewall After I Have Configured a VPN? How Do I Permit Specific Traffic Through a DMZ Interface? How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? How Do I Configure NAT on an Unsupported Interface? How Do I Configure NAT Passthrough for a Firewall? How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? Page How Do I Associate a Rule with an Interface? How Do I Disassociate an Access Rule from an Interface How Do I Delete a Rule That Is Associated with an Interface? How Do I Create an Access Rule for a Java List? How Do I Permit Specific Traffic onto My Network if I Dont Have a DMZ Network? Page Firewall Policy Edit Firewall Policy/ACL Configure a Firewall Before Using the Firewall Policy Feature Use the Firewall Policy View Feature Select a Traffic Flow Examine the Traffic Diagram and Select a Traffic Direction Page Make Changes to Access Rules and Inspection Rules as Necessary Page Page Page Page Apply Changes Button Discard Changes Button Swap From and To Interfaces to Bring Other Rules into View App-Name Add Application Entry Add rpc Application Entry Program Number Add Fragment application entry Range (optional) Add or Edit http Application Entry Hosts/network for Java applet download Java Applet Blocking Host/Network SDM Warning: Inspection Rule SDM Warning: Firewall Application Security Application Security Windows Policy Name List Application Security Buttons E-mail Drawer HTTP Drawer Instant Messaging Drawer Point-to-Point Drawer Applications/Protocols Drawer No Application Security Policy Policy Name Associate Global Settings E-mail Applications Column Alerts, Audit, and Timeout Columns Options Column HTTP Detect non-compliant HTTP traffic Checkbox Detect tunneling applications Checkbox Set maximum URI length inspection Checkbox Enable HTTP inspection checkbox Enable HTTPS inspection checkbox Set time out value checkbox Enable audit trail Header Options Set maximum header length checkbox Configure Extension Request Method checkboxes Configure RFC Request Method checkboxes Content Options Verify Content Type checkbox Set Content Length checkbox Configure Transfer Encoding Checkbox Instant Messaging Point-to-Point Applications Applications/Protocols Applications/Protocols Tree Applications Column Alerts, Audit, and Timeout Columns Options Column Global Timeouts and Thresholds TCP Connection Timeout Value TCP FIN Wait Timeout Value TCP IdleTimeout Talue UDP Idle Timeout Value DNS Timeout Value SYN Flooding DoS Attack Thresholds Associate Policy with an Interface Edit Inspection Rule Alert Field Audit Field Timeout Field Other Options Permit, Block, and Alarm Controls Page Site-to-Site VPN Create Site to Site VPN Create a Site-to-Site VPN Create a Secure GRE Tunnel (GRE-over-IPSec) Page Page Site-to-Site VPN Wizard View Defaults VPN Connection Information Select the interface for This VPN Connection Peer Identity Digital Certificate Traffic to Encrypt IKE Proposals Page D-H Group To add or edit an IKE policy: To accept the policy list: Transform Set Select Transform Set Details of the Selected Transform Set Page Traffic to Protect Protect All Traffic Between the Following Subnets Create/Select an access-list for IPSec traffic Summary of the Configuration Spoke Configuration Test the connectivity after configuring Spoke Configuration Secure GRE Tunnel (GRE-over-IPSec) GRE Tunnel Information Tunnel Source Tunnel Destination IP Address of the GRE tunnel VPN Authentication Information Digital Certificate Backup GRE Tunnel Information Create a backup secure GRE tunnel for resilience IP address of the backup GRE tunnels destination Tunnel IP address Routing Information EIGRP OSPF RIP Static Routing Static Routing Information Select Routing Protocol Summary of Configuration Edit Site-to-Site VPN Site-to-Site VPN Connections Page Test Tunnel.. Button Clear Connection Button Generate Mirror..Button Add new connection Add Additional Crypto Maps IPSec Policy Crypto Map Wizard: Welcome Crypto Map Wizard: General Sequence Number Security Association Lifetime Enable Perfect Forwarding Secrecy Enable Reverse Route Injection Crypto Map Wizard: Peers Specify Peers To remove a peer from the current list: Crypto Map Wizard: Transform Set Select Transform Set Crypto Map Wizard: Traffic to Protect Protect all traffic between the following subnets Create/Select an access-list for IPSec traffic Crypto Map Wizard: Summary of the configuration Delete Connection policy name interface name policy name set name Generate Mirror... Peer Device To create a text file of the IPSec policy: SDM Warning: NAT Rules with ACL Original Address Translated Address Rule Type To make the listed NAT rules use route maps: How Do I Create a VPN to More Than One Site? Create the initial VPN tunnel: Create an Additional Tunnel from the Same Source Interface After Configuring a VPN, How Do I Configure the VPN on the Peer Router? How Do I Edit an Existing VPN Tunnel? How Do I Confirm That My VPN Is Working? How Do I Configure a Backup Peer for My VPN? How Do I Accommodate Multiple Devices with Different Levels of VPN Support? How Do I Configure a VPN on an Unsupported Interface? How Do I Configure a VPN After I Have Configured a Firewall? How Do I Configure NAT Passthrough for a VPN? Page Easy VPN Remote Create Easy VPN Remote Configure an Easy VPN Remote Client Connection Settings Easy VPN Tunnel Name Easy VPN Server 1 Easy VPN Server 2 Authentication User Authentication (XAuth) Interfaces Outside Interface Connection Control Summary of Configuration Test VPN Connectivity Edit Easy VPN Remote Page Page Reset Connection Button Test Tunnel Button Connect or Disconnect or Login Button Page Page Add or Edit Easy VPN Remote Tunnel Control Easy VPN Concentrator or Server Group Interfaces Add or Edit Easy VPN Remote: Easy VPN Settings Tunnel Control Servers Outside Interface Toward Server or Concentrator Add or Edit Easy VPN Remote: Authentication Information User Authentication (XAuth) Enter SSH Credentials Please Enter the Username Please Enter the Password XAuth Login Window Add or Edit Easy VPN Remote: General Settings Servers Network Extension Options Add or Edit Easy VPN Remote: Authentication Information User Authentication Add or Edit Easy VPN Remote: Interfaces and Connections Outside Interface Connection Control How Do I Edit an Existing Easy VPN Connection? How Do I Configure a Backup for an Easy VPN Connection? Page Page Easy VPN Server Create an Easy VPN Server Create an Easy VPN Server Launch the Easy VPN Server Wizard Button Welcome to the Easy VPN Server Wizard Interface and Authentication Group Authorization: Group Policy Lookup Local Only RADIUS Only RADIUS and Local Only User Authentication (XAuth) Local Only RADIUS and Local Only Choose an existing AAA Method List User Accounts for XAuth Add RADIUS Server Group Authorization: User Group Policies Idle Timer General Group Information Please Enter a Name for This Group Preshared Key Pool Information Subnet Mask (Optional) DNS and WINS Configuration DNS WINS Domain Name Split Tunneling Enable Split Tunneling Split DNS Client Settings Backup Servers Configuration Push Browser Proxy Firewall Are-U-There Include Local LAN Perfect Forward Secrecy (PFS) Choose Browser Proxy Settings Add or Edit Browser Proxy Settings Browser Proxy Settings Name Proxy Settings User Authentication (XAuth) XAuth Banner Maximum Logins Allowed Per User: Group Lock Save Password Client Update Add or Edit Client Update Entry Client Type URL Revisions Test VPN Connectivity After Configuring Browser Proxy Settings Settings Server Details Bypass Local Addresses Add or Edit Easy VPN Server Page Add or Edit Easy VPN Server Connection Restrict Access Group Policies Configuration Common Pool Button Page Details Window Local Pools Add or Edit IP Local Pool Add IP Address Range DMVPN Dynamic Multipoint VPN Create a spoke (client) in Dynamic Multipoint VPN Create a hub (server or head-end) in Dynamic Multipoint VPN Dynamic Multipoint VPN (DMVPN) Hub Wizard Type of Hub Primary Hub Backup Hub Configure Pre-Shared Key Digital Certificates Hub GRE Tunnel Interface Configuration Select the interface that connects to the Internet Advanced Button Advanced Configuration for the Tunnel Interface NHRP Authentication String NHRP Network ID NHRP Hold Time Tunnel Key Primary Hub Public IP Address IP Address of hubs mGRE tunnel interface Select Routing Protocol Routing Information Please select the version of RIP to enable Select an existing OSPF process ID/EIGRP AS number Create a new OSPF process ID/EIGRP AS number protocol-name> Dynamic Multipoint VPN (DMVPN) Spoke Wizard DMVPN Network Topology Hub and Spoke Network Fully Meshed Network Specify Hub Information IP Address of Hubs physical interface IP Address of hubs mGRE tunnel interface Spoke GRE Tunnel Interface Configuration Select the interface that connects to the Internet SDM Warning: DMVPN Dependency Firewall Edit Dynamic Multipoint VPN (DMVPN) Page General Panel Bandwidth Delay Tunnel Key This is a multipoint GRE Tunnel NHRP Panel Authentication String Hold Time Network ID Next Hop Server NHRP Map Configuration Statically configure the IP-to-NMBA address mapping of IP destinations connected to an NBMA network. Routing Panel Routing Protocol RIP Fields OSPF Fields EIGRP Fields How Do I Configure a DMVPN Manually? To configure an IPSec Profile: To configure a DMVPN connection: To specify the networks you want to advertise to the DMVPN: VPN Global Settings VPN Global Settings Enable IKE Enable Aggressive Mode XAuth Timeout IKE Identity Dead Peer Detection IPSec Security Association (SA) Lifetime (Sec) VPN Global Settings: IKE VPN Global Settings: IPSec Authenticate and Generate new key after every Generate new key after the current key encrypts a volume of VPN Key Encryption Settings Page IP Security IPSec Policies Crypto Maps in this IPSec policy Dynamic Crypto Maps Sets in this IPSec Policy Add or Edit IPSec Policy Crypto Maps in this IPSec policy Dynamic Crypto Maps Sets in this IPSec Policy Add or Edit Crypto Map: General Panel Name of IPSec Policy Sequence Number Security Association Lifetime Enable Perfect Forwarding Secrecy Add or Edit Crypto Map: Peer Information Panel Add or Edit Crypto Map: Transform Sets Panel Available Transform Sets Selected Transform Sets Add or Edit Crypto Map: IPSec Rules Panel To add or change the IPSec rule for this crypto map: Dynamic Crypto Map Sets Add or Edit Dynamic Crypto Map Set Associate Crypto Map with this IPSec Policy IPSec Profiles Add or Edit IPSec Profile and Add Dynamic Crypto Map Available Transform Sets Selected Transform Sets Transform Set ESP Encryption ESP Integrity AH Integrity IP Compression Add or Edit Transform Set Name of this transform set Data integrity and encryption (ESP) Data and address integrity without encryption (AH) IP Compression (COMP-LZS) IPSec Rules Name/Num Used By Source Internet Key Exchange Internet Key Exchange (IKE) IKE Policies Page Add or Edit IKE Policy D-H Group Lifetime IKE Pre-shared Keys Peer IP/Name Add or Edit Pre Shared Key Key Reenter Key Peer IP Address/Subnet Mask User Authentication [Xauth] VPN Troubleshooting VPN Troubleshooting Tunnel Details Page Test Specific Client Button VPN Troubleshooting: Specify Easy VPN Client Listen for request for X minutes VPN Troubleshooting: Generate Traffic VPN traffic on this connection is defined as Have SDM generate VPN Traffic I will generate VPN traffic from the source network VPN Troubleshooting: Generate GRE Traffic Have SDM generate VPN Traffic I will generate VPN traffic from the source network SDM Warning: SDM will enable router debugs... Security Audit Perform Security Audit Page One-Step Lockdown Welcome Page Interface Selection Page Interface Column Outside Column Inside Column Report Card Page Fix It Page Select an Option: Fix the security problems Select an option: Undo Security Configurations I want SDM to fix some problems, but undo other security configurations Disable Finger Service Disable PAD Service Disable TCP Small Servers Service Disable UDP Small Servers Service Disable IP BOOTP Server Service Disable IP Identification Service Disable CDP Disable IP Source Route Enable Password Encryption Service Enable TCP Keepalives for Inbound Telnet Sessions Enable TCP Keepalives for Outbound Telnet Sessions Enable Sequence Numbers and Time Stamps on Debugs Enable IP CEF Disable IP Gratuitous ARPs Set Minimum Password Length to Less Than 6 Characters Set Authentication Failure Rate to Less Than 3 Retries Set TCP Synwait Time Set Banner Enable Logging Set Enable Secret Password Disable SNMP Set Scheduler Interval Set Scheduler Allocate Set Users Enable Telnet Settings Enable NetFlow Switching Disable IP Redirects Disable IP Proxy ARP Disable IP Directed Broadcast Disable MOP Service Disable IP Unreachables Disable IP Mask Reply Disable IP Unreachables on NULL Interface Enable Unicast RPF on Outside Interfaces Enable Firewall on All of the Outside Interfaces Set Access Class on HTTP Server Service Set Access Class on VTY Lines Enable SSH for Access to the Router Enable AAA Configuration Summary Screen SDM and Cisco IOS AutoSecure AutoSecure Features Implemented in SDM AutoSecure Features Not Implemented in SDM AutoSecure Features Implemented Differently in SDM Security Configurations SDM Can Undo Undoing Security Audit Fixes Add or Edit Telnet/SSH Account Screen Configure User Accounts for Telnet/SSH Page Enable Secret and Banner Page New Password Re-enter New Password Login Banner Logging Page IP Address/Hostname Table Add... Button Edit... Button Set logging level Field Page Routing Static Routing Dynamic Routing Add or Edit IP Static Route Destination Network Forwarding Optional Add or Edit an RIP Route Add or Edit an OSPF Route IP Network List Available Interface List Make Interface Passive Add or Edit EIGRP Route Page Network Address Translation Network Address Translation Wizards Basic NAT Wizard: Welcome Basic NAT Wizard: Connection Choose an Interface Choose Networks Advanced NAT Wizard: Welcome Advanced NAT Wizard: Connection Choose an Interface Additional Public IP Addresses Add IP Address Advanced NAT Wizard: Networks Advanced NAT Wizard: Server Public IP Addresses Add or Edit Address Translation Rule Type of Server Original Port Translated Port Protocol Advanced NAT Wizard: VPN Conflict Network Address Translation Rules Designate NAT Interfaces Address Pools Translation Timeouts Network Address Translation Rules Clone selected entry on Add Page Designate NAT Interfaces Inside (trusted) Outside (untrusted) Translation Timeout Settings Page Edit Route Map Route map entries To edit a route map entry: Edit Route Map Entry Address Pools Address Add or Edit Address Pool Pool Name Port Address Translation (PAT) Add or Edit Static Address Translation Rule: Inside to Outside Page Page Redirect Port Configuration Scenarios Add or Edit Static Address Translation Rule: Outside to Inside Page Page Redirect Port Add or Edit Dynamic Address Translation Rule: Inside to Outside Page Access Rule... Configuration Scenarios Add or Edit Dynamic Address Translation Rule: Outside to Inside Access Rule... How Do I . . . How Do I Configure NAT With One LAN and Multiple WANs? Page Page Intrusion Prevention System IPS Tabs IPS Policies Drawer Global Settings Drawer SDEE Messages Drawer IPS Rules Create IPS Rule Welcome to the IPS Rule Configuration Wizard Select Interfaces SDF Location IPS Rule Wizard Summary IPS Rules Configuration Interfaces Enable Button Disable Button Disable All Button Interface Name IP Inbound IPS/Outbound IPS VFR Status IPS Filter Details Enable or Edit IPS on an Interface Both/Inbound/Outbound Inbound Filter Outbound Filter ...Button Import Signatures File Selection Filename Size Time Modified Welcome to the IPS Signature Import Wizard Signature Definition File (SDF) and Signature Selection Signature Filter Match all of the conditions button Match any of the conditions button Signature Edit Signature Import Wizard Summary Signatures Signature Tree ] Deleted [ ] New [ Total [ Enable button Disable button Import button Summary/Details Button Signature List Signatures marked for deletion Apply Changes button Discard Changes button Assign Actions Import Signatures Signature Tree Signature List Area Merge Replace Add, Edit, or Clone Signature Field Definitions Add or Edit a Signature Location Specify SDF on this router Specify SDF using URL Autosave Cisco Intrusion Prevention Alert Center IPS-Supplied Signature Definition Files Determine Which SDF File is in Memory Configuring IPS to Use an SDF Global Settings Notification Method Status Configured SDF Locations Edit Global Settings Enable Syslog Notification Enable SDEE Notification Enable Engine Fail Closed Use Built-in Signatures (as backup) SDEE Messages Select By: Time Refresh Button SDEE Message Text IDS status messages IDS error messages Network Module Management IDS Network Module Management IDS Network Module Control Buttons IDS Network Module Status IDS NM Monitoring Interface Settings Configure IDS Sensor Interface IP Address IP Address Determination Use SDM last known IP Address Let SDM discover IP address Specify IDS NM Configuration Checklist IDS NM Sensor Interface Date & Time IP CEF Setting Refresh IDS NM Initial Setup IDS NM Interface Monitoring Configuration Network Module Login Feature Unavailable Switch Module Interface Selection Quality of Service Create QoS Policy Create QoS Policy Tab Edit QoS Policy Tab Launch QoS Wizard Button QoS Wizard Next Interface Selection QoS Policy Generation Bandwidth Allocation View QoS Class Details Real Time Traffic Business-Critical Traffic Summary of the configuration Edit QoS Policy Clone QoS Policies Qos Policy Details Edit QoS Class Add this class to the policy Protocol/Application Queuing Type DSCP Marking Add a Protocol NBAR Protocol Custom Protocol Interface Association Interface list QoS Status InterfaceIP/MaskSlot/PortDescription View Interval Start Monitoring Select QoS Parameters for Monitoring All TrafficReal-TimeBusiness-CriticalTrivial Network Admission Control Create NAC Tab Enable AAA Button Launch NAC Wizard Button How Do I List Other Tasks in a NAC Implementation Welcome RADIUS Server Select the interface through which the RADIUS server is accessed List Server Name, Timeout, and Parameters columns Use for NAC Checkbox Add, Edit, and Ping Buttons Select the Interface(s) Interfaces Check Boxes NAC Exception List IP Address/MAC Address/Device Type, Address/Device, and Policy Columns Configure Exception List Entry Dialog Type List Specify Address Field Policy Field Policy List Policy List URL Redirect URL: Field Agentless Host Policy Allow agentless host checkbox Username and Password Fields NAC Router Management Access Select the Interface Area Source Host/Network Area Open Interface ACL Details Window Summary of the configuration Edit NAC Tab EAPoUDP Timeouts Button Agentless Host Policy Button NAC Policies List EAPoUDP Components Exception List Window Exception Policies Window EAPoUDP Timeouts Interface List Hold Period Timeout Field Retransmit Timeout Field Configure a NAC Policy How Do I Configure a NAC Policy Server? How Do Install and Configure a Posture Agent on a Host? Page Router Properties ( Device Properties Device Tab Password Tab Date and Time: Clock Properties Date/Time Router Time Source Change Settings Date and Time Properties Synchronize with my local PC clock Synchronize Edit Date and Time Apply NTP Add or Edit NTP Server Details Prefer Authentication Key SNTP Add an NTP Server Syslog IP Address/Hostname Logging to buffer SNMP Enable SNMP Community String Trap Receiver SNMP Server Location SNMP Server Contact Router Access User Accounts: Configure User Accounts for Router Access User Name Privilege Level View Name Add or Edit a Username Privilege Level Associate a View with the user View Password Enter the View Password VTYs Edit VTY Lines Line Range Time Out Input Protocol Output Protocol Configure Management Access Policies Host/Network Management Interface Permitted Protocols Add or Edit a Management Policy Management Protocols Management Access Error Messages SDM Warning: ANY Not Allowed SDM Warning: Unsupported Access Control Entry SDM Warning: SDM Not Allowed SDM Warning: Current Host Not Allowed SSH Status Key modulus size Generate RSA Key DHCP Configuration DHCP Pools Details of DHCP Pool Pool Name name Add or Edit DHCP Pool DHCP Pool Lease Length DHCP Options DHCP Bindings Binding Name Add or Edit DHCP Binding Page DNS Properties Enable DNS-based hostname to address translation DNS IP Address Dynamic DNS Methods Add or Edit Dynamic DNS Method IETF ACL Editor Category No. of Rules To configure rules: Useful Procedures for Access Rules and Firewalls Rules Windows First column Name/Number Used By First Column (Rule Entry Area) Source Attributes Add or Edit a Rule Name/Number Rule Entry List Clone Interface Association Associate with an Interface Select an Interface Specify a Direction If Another Rule is Already Associated with the Interface Add a Standard Rule Entry Page Log Matches Against This Entry Add an Extended Rule Entry Destination Host/Network Protocol and Service Log Matches Against This Entry Select a Rule Rule Category Preview Page Port-to-Application Mapping Port-to-Application Mappings Application Protocol Column Port Type Column Port Column Protocol Type Column Access List Column Add or Edit Port Map Entry Protocol Field Description Field Port Type List Port Number Field Host of Service Field Authentication, Authorization, and Accounting AAA Main Window Enable/Disable AAA AAA Servers and Groups Authentication Policies AAA Servers and Groups AAA Servers Window Add or Edit a TACACS+ Server Server IP or Host Single Connection to Server Server-specific setup Add or Edit a RADIUS Server Server IP or Host Authorization Port Accounting Port Timout in seconds AAA Server Groups Window Group Name Authentication and Authorization Policies Authentication and Authorization Windows List Name Method 1 Method 2, 3, and 4 Authentication NAC List Name Column Method 1 Column Method 2, 3, and 4 Columns Add or Edit a Method List for Authentication or Authorization Name/Specify Methods Move Up/Down Router Provisioning Router Provisioning from USB Page Public Key Infrastructure Certificate Wizards Prerequisite Tasks Simple Certificate Enrollment Protocol (SCEP) Cut and Paste/Import from PC SDP Launch the selected task button Welcome to the SCEP Wizard Certificate Authority (CA) Information CA server nickname Enrollment URL Challenge Password and Confirm Challenge Password Advanced Options Button Advanced Options Certificate Subject Name Attributes Include routers fully qualified Domain Name (FQDN) in the certificate. Include routers IP Address Include routers serial number Other Subject Attributes Common Name (cn) Organizational Unit (ou) Organization (o) State (st) RSA Keys Generate new key pair(s) Save to USB Token If you are performing an SCEP enrollment If you are performing a cut-and-paste enrollment Enrollment Status Cut and Paste Wizard Welcome Enrollment Task Begin New Enrollment Continue with an unfinished enrollment Enrollment Request Save: Continue with Unfinished Enrollment Select CA server nickname (trustpoint) Import CA and router certificate(s) Import CA certificate Import Router Certificate(s) Digital Certificates Certificate chain for trustpoint name Trustpoint Information Certificate Details Revocation Check Revocation Check Revocation Check, CRL Only Verification CRL Query URL RSA Keys Window RSA keys configured on your router Generate RSA Key Pair USB Tokens Maximum PIN Retries Removal Timeout Secondary Config File Add or Edit USB Token Token Name Page SDP Troubleshooting Tips Guidelines Troubleshoot Tips Open Firewall Modify Firewall Open Firewall Details Page Resetting to Factory Defaults Understanding How to Give the PC a Dynamic or Static IP Address After You Reset Page To Reset the Router to Factory Defaults: This Feature Not Supported More About.... IP Addresses and Subnet Masks Page Host and Network Fields Available Interface Configurations DHCP Address Pools Meanings of the Permit and Deny Keywords Services and Ports TCP Services UDP Services Page ICMP Message Types IP Services Services That Can Be Specified in Inspection Rules More About NAT Static Address Translation Scenarios Scenario 1 Scenario 2 Scenario 3 Scenario 4 Dynamic Address Translation Scenarios Scenario 1 Scenario 2 Reasons that SDM Cannot Edit a NAT Rule More About VPN Cisco.com Resources More about VPN Connections and IPSec Policies Page More About IKE Session Negotiation Key Exchange IPSec Tunnel Negotiation and Configuration More About IKE Policies Allowable Transform Combinations Examples Reasons Why a Serial Interface or Subinterface Reasons Why an ATM Interface or Subinterface Reasons Why an Ethernet Interface Configuration May Be Read-Only Reasons Why an ISDN BRI Interface Configuration May Be Read-Only Reasons Why an Analog Modem Interface Firewall Policy Use Case Scenario Examining Originating Traffic: From Interface Fast Ethernet 0/0; To Interface Serial 1/0 Examining Returning Traffic: From Interface Ethernet 0/0; To Interface Serial 1/0 Examining Originating Traffic: From: Serial 1/0; To: Ethernet 1/0 Allowing www Traffic to DMZ Interface DMVPN Configuration Recommendations Configure the Hub First Assigning Spoke Addresses Recommendations for Configuring Routing Protocols for DMVPN Using Interfaces with Dialup Configurations Ping the Hub Before You Start Spoke Configuration SDM White Papers Getting Started Page Viewing Router Information Overview Update Button Resource Status Interface Status Firewall Status Group QoS VPN Status Group NAC Status Group Log Group Interface Status Monitor Interface and Stop Monitoring Button Test Connection Button Interface List Select Chart Types to Monitor Group Interface Status Area Chart Area VPN Status Select a Category Test Tunnel.. Button IPSec Tunnels DMVPN Tunnels Easy VPN Servers Update button Disconnect button IKE SAs Firewall Status Firewall Log Number of Attempts Denied by Firewall Attempts Denied by Firewall Table Update Button Application Security Log NAC Status Page Logging Update Clear Page Page File Menu Commands Save Running Config to PC Deliver Configuration to Router Save Running Config to Routers Startup Config Cancel Write to Startup Config Reset to Factory Defaults File Management Refresh Button Format Button New Folder Button Load File From PC Button Copy Button Rename New Folder Save SDF to PC Exit Unable to perform squeeze flash Page Page Page Edit Menu Commands Preferences Preview commands before delivering to router Save signature file to Flash Confirm before exiting SDM Continue monitoring interface status when switching mode/task View Menu Commands Running Config Show Commands SDM Default Rules Refresh Page Tools Menu Commands USB Token PIN Settings Select a PIN Type Token Name Current PIN New PIN Update SDM Update SDM from Cisco.com Update SDM from Local PC Page Update SDM from CD Page Help Menu Commands Page GLOSSARY Symbols and Numerics A Page B C Page Page D Page Page Page Page F G H I Page Page protocol between routed interfaces and bridge groups within a single switch router. K L M N Page O P Page Page Q R Page Page S Page Page T U V Page W X Page INDEX Symbols Numerics A D E F G H I L M N O P R S T U V W X