Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at
www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Preface liii
Conventions liii
Add and Edit Web Access Control Entry Dialog Boxes 6-51
Creating a Diagnostics File for the Cisco Technical Assistance Center 10-19
Configuring AAA Rules for ASA, PIX, and FWSM Devices 13-4
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices 16-2
Web Filter Rules Page (ASA/PIX/FWSM) 16-3
Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes 16-5
Edit Web Filter Type Dialog Box 16-8
Edit Web Filter Options Dialog Box 16-8
Configuring Web Filter Rules for IOS Devices 16-9
Web Filter Rules Page (IOS) 16-11
IOS Web Filter Rule and Applet Scanner Dialog Box 16-12
IOS Web Filter Exclusive Domain Name Dialog Box 16-13
Configuring Settings for Web Filter Servers 16-14
Web Filter Settings Page 16-15
Web Filter Server Configuration Dialog Box 16-18
Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules 18-10
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes 18-22
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes 18-23
SMTP Class Maps Add or Edit Match Criterion Dialog Boxes 18-24
Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes 18-27
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes 18-27
N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes 18-28
Configuring Inspect Parameter Maps 18-28
Configuring Protocol Info Parameter Maps 18-31
Add or Edit DNS Server for Protocol Info Parameters Dialog Box 18-32
Configuring Policy Maps for Zone-Based Firewall Policies 18-32
Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web
Filter Policies 18-33
Configuring Content Filtering Maps for Zone-based Firewall Policies 18-34
Configuring Local Web Filter Parameter Maps 18-36
Configuring N2H2 or WebSense Parameter Maps 18-37
Add or Edit External Filter Dialog Box 18-39
Configuring Trend Parameter Maps 18-40
Configuring URL Filter Parameter Maps 18-41
Add or Edit URL Domain Name Dialog Box for URL Filter Parameters 18-43
Configuring URLF Glob Parameter Maps 18-43
Configuring Web Filter Maps 18-45
Changing the Default Drop Behavior 18-46
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks 26-70
Configuring SSL VPN Smart Tunnels for ASA Devices 26-71
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs
26-73
CHAPTER 37 Configuring Attack Response Controller for Blocking and Rate Limiting 37-1
Configuring Routers Running IOS Software Releases 12.1 and 12.2 51-2
CHAPTER 58 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers 58-1
Discovering Policies on Cisco Catalyst Switches and Cisco 7600 Series Routers 58-1
Interfaces 58-5
Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers 58-5
Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers 58-7
Interfaces/VLANs PageInterfaces Tab 58-7
Create and Edit Interface Dialog BoxesAccess Port Mode 58-9
INDEX
Conventions
This document uses the following conventions:
Item Convention
Commands, keywords, special terminology, and options that should boldface font
be selected during procedures.
Variables for which you supply values and new or important italic font
terminology.
Displayed session and system information, paths and file names. screen font
Information you enter. boldface screen font
Variables you enter. italic screen font
Menu items and button names. boldface font
Indicates menu items to select, in the order you select them. Option > Network Preferences
Tip Identifies information to help you get the most benefit from your product.
Note Means reader take note. Notes identify important information that you should reflect upon before
continuing, contain helpful suggestions, or provide references to materials not contained in the
document.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage, loss of data, or a potential breach in your network security.
Warning Identifies information that you must heed to prevent damaging yourself, the state of software, or
equipment. Warnings identify definite security breaches that will result if the information presented
is not followed carefully.
The following topics describe Cisco Security Manager, how to get started with the application, and how
to complete its configuration.
Product Overview, page 1-1
Using Security Manager - Overview, page 1-5
Logging In to and Exiting Security Manager, page 1-15
Using the JumpStart to Learn About Security Manager, page 1-17
Completing the Initial Security Manager Configuration, page 1-17
Understanding Basic Security Manager Interface Features, page 1-21
Accessing Online Help, page 1-36
Product Overview
Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security
devices. Security Manager supports integrated provisioning of firewall, IPS, and VPN (site-to-site,
remote access, and SSL) services across:
IOS routers.
Catalyst switches.
ASA and PIX security appliances.
Catalyst services modules related to firewall, VPN, and IPS.
IPS appliances and various service modules for routers and ASA devices.
Note For a complete list of devices and OS versions supported by Security Manager, please refer to Supported
Devices and Software Versions for Cisco Security Manager on Cisco.com.
Security Manager also supports provisioning of many platform-specific settings, for example, interfaces,
routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a
few devices to large networks with thousands of devices. Scalability is achieved through a rich feature
set of shareable objects and policies and device grouping capabilities.
Security Manager supports multiple configuration views optimized around different task flows and use
cases.
Besides the main views, there are several additional tools used for configuring other items such as
site-to-site VPNs and policy objects, or for monitoring devices. These tools are typically available from
the Tools menu, although some are available on the Policy or Activities menu. Some tools have related
buttons in the toolbar. These tools open in a separate window so that you do not loose your place in the
main view you are currently using.
The following topics provide reference information about the basic features of the user interface:
Menu Bar Reference, page 1-21
Toolbar Reference, page 1-28
Using Selectors, page 1-29
Using Wizards, page 1-32
Using Rules Tables, page 12-7
Using Text Fields, page 1-34
Accessing Online Help, page 1-36
The title bar displays the following information about Security Manager:
Your login name.
The name of the Security Manager server to which you are connected.
If Workflow mode is enabled, the name of the open activity.
Note If you are using Workflow mode, you must create an activity before you start defining policies.
For more information, see Workflow and Activities Overview, page 1-11.
In non-Workflow mode, submitting and deploying your changes can be done in a single action. In
Workflow mode, you first submit your activity and then you create a deployment job to deploy your
changes.
For more information, see Chapter 8, Managing Deployment.
activities so that a single activity contains only logically-related policy changes. You can
configure Workflow mode to require a separate approver, so that configuration changes cannot
be made without oversight. After approval, the user defines a separate deployment job to push
the policy changes to the devices. For more information, see Working in Workflow Mode,
page 1-12.
Non-Workflow ModeThis is the default mode of operation in which you do not explicitly
create activities. When you log in, Security Manager creates an activity for you or opens the one
you were previously using if it was not submitted. You can define and save your policies, and
then submit and deploy them in one step. For more information, see Working in Non-Workflow
Mode, page 1-13.
For a comparison of these modes of operation, see Comparing the Two Workflow Modes, page 1-13.
For information on selecting a mode, see Changing Workflow Modes, page 1-20.
Activities or Configuration SessionsAn activity (in non-Workflow mode, a configuration
session), is essentially a private view of the Security Manager database. You use activities to control
changes made to policies and policy assignments. Adding devices to the inventory does not involve
an activity, however, unless you discover policies that define security contexts (on multi-context
firewall devices) or virtual sensors (on IPS devices). Isolating policy changes in activities helps
prevent work in progress from accidentally making it into active device configurations. For more
information about activities and configuration sessions, see Understanding Activities, page 4-1 and
Working with Activities, page 4-6.
approver), or it can be approved by the current user (Workflow mode without a job approver).
Deployment preferences can be configured with or without job approval. For more information, see
Chapter 8, Managing Deployment
Table 1-1 Comparison Between Workflow Mode and Non-Workflow Mode (Continued)
Cisco Security Monitoring, Analysis and Response System (CS-MARS) IntegrationIf you
use the CS-MARS application, you can integrate it with Security Manager and view events in
CS-MARS from Security Manager, and conversely, Security Manager policies related to events from
CS-MARS. For more information, see Integrating CS-MARS and Security Manager, page 60-13.
Performance Monitor integrationIf you use Performance Monitor, which is available with
Security Manager, you can integrate it into Security Manager and view device status in the Inventory
Status page (see Viewing Inventory Status, page 60-9).
Device Manager integrationSecurity Manager includes read-only copies of the various device
managers, such as Adaptive Security Device Manager (ASDM). You can use these tools to view
device status, but not to change the device configuration. For more information, see Starting Device
Managers, page 60-3.
Step 1 In your web browser, open one of these URLs, where SecManServer is the name of the computer where
Security Manager is installed. Click Yes on any Security Alert windows.
If you are not using SSL, open http://SecManServer:1741
If you are using SSL, open https://SecManServer:443
The Cisco Security Management Suite login screen is displayed. Verify on the page that JavaScript and
cookies are enabled and that you are running a supported version of the web browser. For information
on configuring the browser to run Security Manager, see Installation Guide for Cisco Security Manager.
Step 2 Log in to the Cisco Security Management Suite server with your username and password. When you
initially install the server, you can log in using the username admin and the password defined during
product installation.
Step 3 On the Cisco Security Management Suite home page, you can access at least the following features.
Other features might be available depending on how you installed the product.
Cisco Security Manager Client InstallerClick this item to install the Security Manager client. The
client is the main interface for using the product.
Server AdministrationClick this item to open the CiscoWorks Common Services Server page.
CiscoWorks Common Services is the foundation software that manages the server. Use it to
configure and manage back-end server features such as server maintenance and troubleshooting,
local user definition, and so on.
CiscoWorks link (in the upper right of the page)Click this link to open the CiscoWorks Common
Services home page.
Step 4 To exit the application, click Logout in the upper right corner of the screen. If you have both the home
page and the Security Manager client open at the same time, exiting the browser connection does not
exit the Security Manager client.
Tip You must log into the workstation using a Windows user account that has Administrator privileges to
fully use the Security Manager client. If you try to operate the client with lesser privileges, you might
find that some features do not work correctly.
Step 1 Select Start > All Programs > Cisco Security Manager Client > Cisco Security Manager Client to
start the client.
Tip If the client was installed on the workstation, but it does not appear in your Start menu, it
probably was installed by another user. To make Security Manager Client visible in the Start
menu for every user of the client station, copy the Cisco Security Manager Client folder from
Documents and Settings\<user>\Start Menu\Programs\Cisco Security Manager to Documents
and Settings\All Users\Start Menu\Programs\Cisco Security Manager.
Step 2 In the Security Manager login window, select the server to which you want to log in, and enter your
Security Manager username and password. Click Login.
The client logs in to the server and opens the client interface.
Tip The client automatically closes if it is idle for 120 minutes. To change the idle timeout, select
Tools > Security Manager Administration, select Customize Desktop from the table of
contents, and enter the desired timeout period. You can also disable the feature so that the client
does not close automatically.
organizations recommendations. To set deployment defaults, select Tools > Security Manager
Administration, and then select Deployment from the table of contents to open the Deployment
settings page (see Deployment Page, page 11-7).
The following deployment settings are of particular interest:
Default Deployment MethodWhether configuration deployments should be written directly
to the device or to a transport server, or if configuration files should be written to a specified
directory on the Security Manager server. The default is to deploy configurations directly to the
device or transport server, if one is configured for the device. However, if you have your own
methods for deploying configuration files, you might want to select File as the default
deployment method. For more information on deployment methods, see Understanding
Deployment Methods, page 8-8
When Out-of-Band Changes DetectedHow to respond when Security Manager detects that
configuration changes were made on the device through the CLI rather than through Security
Manager. The default is to issue a warning and proceed with the deployment, overwriting the
changes that were made through the CLI. However, you can change this behavior to simply skip
the check for changes (which means Security Manager overwrites the changes but does not warn
you), or to cancel the deployment, thus leaving the device in its current state. For more
information about handling out-of-bound changes, see Understanding How Out-of-Band
Changes are Handled, page 8-12.
Allow Download on ErrorWhether to allow deployment to continue if minor configuration
errors are found. The default is to not allow deployment when minor errors are found.
Select a workflow mode. The default mode is non-Workflow mode. In non-Workflow mode, users
have more freedom to create and deploy configurations. However, if your organization requires a
more transaction-oriented approach to network management, where separate individuals perform
policy creation, approval, and deployment, you can enable Workflow mode to enforce your
procedures. If you are using Workflow mode, ensure that you configure user permissions
appropriately when you define user accounts to enforce your required division of labor. For
information on the types of workflow you can use, see Workflow and Activities Overview,
page 1-11. For information on how to change workflow modes, see Changing Workflow Modes,
page 1-20.
Configure default device communication settings. Security Manager uses the most commonly used
methods for accessing devices based on the type of device. For example, Security Manager uses SSH
by default when contacting Catalyst switches. If the default protocols work for the majority of your
devices, you do not need to change them. For devices that should use a non-default protocol, you
can change the protocol in the device properties for the specific devices. However, if you typically
use a protocol that is not the Security Manager default (for example, if you use a token management
server (TMS) for your routers), you should change the default setting. To change the default
communication settings, select Tools > Security Manager Administration, and select Device
Communication from the table of contents. In the Device Connection Settings group, select the
most appropriate protocols for each type of device. You can also change the default connection time
out and retry settings. For more information about device communication settings, see Device
Communication Page, page 11-12
Select the types of router and firewall policies you will manage with Security Manager. When you
manage IPS devices in Security Manager, you automatically manage the entire configuration.
However, with routers and firewall devices (ASA, PIX, and FWSM), you can select which types of
policies are managed by Security Manager. You can manage other parts of the device configuration
using other tools (including the devicess CLI). By default, all security-related policies are managed.
To change which policies are managed, select Tools > Security Manager Administration > Policy
Management. For detailed information about changing these settings and what you should do
before and after making the change, see Customizing Policy Management for Routers and Firewall
Devices, page 5-10.
Decide whether you want to use the Event Viewer to manage firewall and IPS events. You can
configure the disk and location for collecting syslog events from devices, and the port number to use
for syslog communication. If you do not want to use Security Manager for event management, you
can turn off the feature, which is enabled by default. For more information on the configuration
options, see Event Management Page, page 11-19.
Configure a Resource Management Essentials (RME) server. Security Manager comes packaged
with RME, which you can use to manage the operating systems on your devices. There are a number
of shortcut commands to RME from the Tools > Device OS Management menu. To enable these
shortcuts, you must configure Security Manager with the location of your RME server. Select Tools
> Security Manager Administration and select Device OS Management from the table of
contents. Enter the IP address or DNS name of the RME server. If you installed RME to require SSL
connections, select Connect Using HTTPS.
Configure Cisco Performance Monitor servers. If you use Performance Monitor to monitor your
devices, you can identify the servers to Security Manager. Users can then view monitoring messages
when they view inventory status by selecting Tools > Inventory Status. For information on
registering Performance Monitor servers with Security Manager, see Configuring Status Providers,
page 60-9.
Configure Security Manager for communication with Cisco Security Monitoring, Analysis and
Response System (CS-MARS). If you use CS-MARS for monitoring your network, you can identify
the servers to Security Manager and then access CS-MARS event information from within Security
Manager. For information on configuring this cross-communication, see Checklist for Integrating
CS-MARS with Security Manager, page 60-14.
Tip If you are using ACS for user authorization, you might have already configured an SMTP server and
system administrator e-mail address in the ACS integration procedure as described in the Installation
Guide for Cisco Security Manager. Security Manager sends a notification to this address if all ACS
servers become unavailable.
Step 1 Click Tools > Security Manager Administration and select Workflow from the table of contents to
open the Workflow page (see Workflow Page, page 11-40).
Step 2 Configure the workflow mode settings in the Workflow Control group. If you select Enable Workflow
(to use Workflow mode), you can also select these options:
Require Activity ApprovalTo enforce explicit approval of activities before policy changes are
committed to the database.
Require Deployment ApprovalTo enforce explicit approval of deployment jobs before they can
be run.
Step 3 Configure the e-mail notification settings. These are the default e-mail addresses for the e-mail sender
(that is, Security Manager), the approvers, and another person or e-mail alias who should be notified
when deployment jobs are complete.
You also have the options to include the job deployer when sending notifications of job status, and to
require that e-mail notifications are sent for deployment job status changes.
Step 4 Click Save to save and apply changes.
File Menu
The following table describes the commands on the File menu. The menu items differ depending on the
workflow mode.
Command Description
New Device Initiates the wizard to add a new device. See Adding Devices to the
Device Inventory, page 3-6.
Clone Device Creates a device by duplicating an existing device. See Cloning a
Device, page 3-46
Delete Device Deletes a device. See Deleting Devices from the Security Manager
Inventory, page 3-47.
Save Saves any changes made on the active page, but does not submit them
to the Security Manager database.
View Changes Opens the Activity Change Report (in PDF format) for the current
configuration session.
(non-Workflow mode only)
To see changes for the current activity in Workflow mode, select
Activities > View Changes.
Validate Validates the changes you have saved. See Validating an Activity (All
Modes), page 4-14.
(non-Workflow mode only)
To validate the current activity in Workflow mode, select Activities >
Validate Activity.
Submit Submits all changes made since the last submission to the Security
Manager database.
(non-Workflow mode only)
To validate the current activity in Workflow mode, select Activities >
Submit Activity.
Submit and Deploy Submits all changes made since the last submission to the Security
Manager database and deploys all changes made since the last
(non-Workflow mode only)
deployment. See Understanding Deployment, page 8-1.
In Workflow mode, you must have your activity approved and then
create a deployment job to deploy changes to devices.
Deploy Deploys all changes made since the last deployment. See
(non-Workflow mode only) Understanding Deployment, page 8-1.
In Workflow mode, you must have your activity approved and then
create a deployment job to deploy changes to devices.
Discard Discards all configuration changes since the last submission.
(non-Workflow mode only) To validate the current activity in Workflow mode, select Activities >
Discard Activity.
Edit Device Groups Edits device groups. See Working with Device Groups, page 3-52.
New Device Group Adds a device group. See Creating Device Groups, page 3-55.
Add Devices to Group Adds a device to a group. See Adding Devices to or Removing Them
From Device Groups, page 3-56.
Command Description
Print Prints the active page.
Not all pages can be printed. If the Print command is not available, you
cannot print the active page.
Exit Exits Security Manager.
Edit Menu
The following table describes the commands on the Edit menu. You can typically use these commands
only when you are working with a table in a policy, and some work only for rules tables (see Using Rules
Tables, page 12-7).
Command Description
Cut Cuts the selected row in a rules table and saves it on the clipboard.
Copy Copies the selected row in a rules table and saves it on the clipboard.
Paste Pastes the rules table row from the clipboard to the into the rules table
after the selected row.
Add Row Adds a row into the active table.
Edit Row Edits the selected table row.
Delete Row Deletes the selected table row.
Move Row Up Moves the selected row up or down in the rules table. For more
information, see Moving Rules and the Importance of Rule Order,
Move Row Down
page 12-16.
View Menu
The View menu contains commands to navigate within the user interface.
Policy Menu
The Policy menu contains commands for managing policies.
Map Menu
The Map menu contains commands for using the Map view. The commands in this menu are available
only when the Map view is open. For more information, see Chapter 29, Using Map View.
Tools Menu
The Tools menu contains commands that start tools that run in a window separate from the Security
Manager main interface. This enables you to access features without closing the page from which you
are currently working.
Activities Menu
The Activities menu contains commands for managing activities. It appears only when Workflow mode
is enabled. For more detailed information about these commands, see Accessing Activity Functions in
Workflow Mode, page 4-7.
Help Menu
The Help menu contains commands for accessing product documentation and training. For more
information, see Accessing Online Help, page 1-36.
Toolbar Reference
The main toolbar (see the illustration Figure 1-1) contains buttons that perform actions in Security
Manager.
The buttons that appear on the main toolbar vary depending on whether Workflow mode is enabled. The
following table presents all buttons.
Button Description
Opens the Device view.
For more information, see Chapter 3, Managing the Device Inventory.
Opens the Map view.
For more information, see Chapter 29, Using Map View.
Opens the Policy view.
For more information, see Chapter 5, Managing Policies.
Opens the Policy Object Manager tool.
For more information, see Chapter 6, Managing Policy Objects.
Button Description
Opens the Site-to-Site VPN Manager tool.
For more information, see Chapter 21, Managing Site-to-Site VPNs: The Basics.
Opens the Deployment Manager tool.
For more information, see Chapter 8, Managing Deployment.
Opens the Audit Report tool.
For more information, see Understanding Audit Reports, page 10-11.
Opens the Event Viewer tool.
For more information, see Chapter 59, Viewing Events.
Submits and deploys changes.
For more information, see Chapter 8, Managing Deployment.
Opens online help for the current page.
For more information, see Help Menu, page 1-28.
Opens the Activity Manager window, where you can create and manage activities. For
more information on the following activity buttons, and the conditions under which
they are enabled, see Accessing Activity Functions in Workflow Mode, page 4-7.
(Workflow mode only.) Adds a new activity.
(Workflow mode only.) Opens an activity.
(Workflow mode only.) Saves all changes made while the activity was open and closes
it.
(Workflow mode only.) Submits the activity for approval when using Workflow mode
with an activity approver.
(Workflow mode only.) Approves the changes proposed in an activity.
(Workflow mode only.) Rejects the changes proposed in an activity.
(Workflow mode only.) Discards the selected activity.
(Workflow mode only.) Validates the integrity of changed policies within the current
activity.
Using Selectors
Selectors appear in several places in the user interface; for example, the Device selector in Device view
(see Figure 1-1). These tree structures enable you to select items (like devices) on which to perform
actions. Several types of items can appear in a selector, depending on the task you are performing.
Items in selectors are presented in a hierarchy of folders. You can browse for items in a selector by
expanding and collapsing folders, which can contain other folders, items, or a combination of folders
and items. To expand and collapse a folder, click the +/- next to it.
To select an item, click it. If it is possible to perform actions on multiple items (for example, in a device
selector), you can use Ctrl+click to select each item, or Shift+click on the first and last item to select all
items between them. Many selectors support auto select, that is, when you type a single letter, the next
folder or item in the selector that begins with that letter is selected.
You can right-click an item to see commands that you can use with the item. Some commands on the
right-click menus are unique and not repeated on the regular menus.
Many times a device selector appears in a dialog box divided into two panes, Available Devices and
Selected Devices. In these dialog boxes, you must select the devices in the available devices list and click
>> to move them to the selected list to actually select the devices. To deselect the devices, you select
them in the selected devices list and click <<.
If a selector contains a large number of items, you can filter it to view a subset of those items. For more
information, see Filtering Items in Selectors, page 1-30.
Tip When you filter a selector, that filter might remain applied to the selector when you open another
window that includes the selector. For example, when you apply a filter to the Device selector in Device
view, that filter is applied to the selector if you open the New Device wizard. If you have problems
finding an item in a selector, check the Filter field to see if a filter is being applied.
Step 1 Select Create Filter from the selector filter field to open the Create Filter dialog box.
Step 2 Select one of the radio buttons to determine the matching criteria. The choices are:
Match Any of the FollowingCreates an OR relationship among the filter criteria. Policies
matching any of your criteria are included in the filter.
Match All of the FollowingCreates an AND relationship among the filter criteria. Only those
policies matching all your criteria are included in the filter.
Step 3 Establish a filter rule by entering three criteria, as follows:
From the first list, select the type to be filtered; for example, Name.
From the next list, select the operating criteria for the filter; for example, contains.
In the final field, enter or select a value on which to filter; for example Cisco.
Step 4 Click Add.
Tip If you make a mistake in forming the filter rule, select the rule and click Remove to delete it.
Step 5 Add any additional filter rules that you require. Click OK when you are finished.
The selector is filtered according to the new filter criteria, and the new filter is added to the filter list.
Navigation Path
Do one of the following:
Select Create Filter from the Filter field in a selector tree.
Select Advanced Filter from the Filter field above a table.
Field Reference
Element Description
Match All of the Following When you select this option an AND relationship is created among the
filtering criteria you define. An item must satisfy every rule in the filter
to be displayed in the list.
For example, if you define the following criteria:
Name contains OSPF
Name contains West
When you click OK, the filter is defined as: Name contains OSPF and
Name contains West.
Match Any of the Following When you select this option an OR relationship is created among the
filtering criteria you define. An item must satisfy only one of the rules
in the filter to be displayed in the list.
For example, if you define the following criteria:
Name contains OSPF
Name contains RIP
When you click OK, the filter is defined as: Name contains OSPF or
Name contains RIP.
Element Description
Filter Type The type of property on which you are filtering. For tables, this is the
(First field.) column heading. You might have only one option for filtering certain
lists (for example, you might only be able to filter by the name of the
item).
Filter Operator The relationship between the filter type and the filter value. The
available options depend on the selected type.
(Second field.)
Filter Value The value on which you want to filter. Depending on the selected type,
you either enter a text string in this field, or you select a value from the
(Third field.)
list.
Filter Content Area The filter type, operator, and value that you have selected for each
criterion.
Add button
Remove button To add a criterion, create it in the fields above this area and click
Add.
To remove a criterion, select it and click Remove.
Using Wizards
Some tasks that you can perform with Security Manager are presented as wizards. A wizard is a series
of dialog boxes (or steps) that enables you to perform a task. The current step number and the total
number of steps in the wizard are displayed in the wizard title bar.
Wizards share the following buttons:
BackReturns to the previous dialog box. Enables you to review and modify settings that you
defined in previous wizard steps.
NextContinues to the next dialog box. If this button is unavailable, you must define some required
settings in the current dialog box before you can continue. Required settings are marked with an
asterisk (*).
FinishFinishes the wizard, saving the settings you defined. You can finish the wizard whenever
this button is available. If this button is not available, you must define more settings.
CancelCloses the wizard without saving any settings.
HelpOpens online help for the wizard.
Using Tables
Many policies in Security Manager use tables. A small number of policies use a specialized type of table
called a rules table. Rules tables have extra features compared to standard tables; for more information,
see Using Rules Tables, page 12-7.
Standard tables include these basic features:
Table filterYou can filter the rows displayed to help you find items in a large table. For more
information, see Filtering Tables, page 1-33.
Table column headingsYou can sort by column and move, show, and hide columns. For more
information, see Table Columns and Column Heading Features, page 1-34.
Filtering Tables
You can filter the items in a table to view a subset that satisfies specific criteria. Filtering a table does
not change the contents of the table, but allows you to focus on just those entries that currently interest
you. This is helpful for tables that have hundreds of entries.
To filter a table, use the Filter fields above the table. With these controls, you can do the following:
To do simple filtering, select the column name on which you want to filter, select the relationship
you are looking for (such as begins with), enter the desired text string (or in some cases, select
one of the pre-defined options), and click Apply.
You can filter the results by selecting another criteria and clicking Apply. Your filters are added
together, showing the results that satisfy all criteria. For example, you could first enter Service
begins with IP, click Apply, then enter Source contains 10.100.10.10, and click Apply. The result
would be a table that shows all rows where the service is IP AND the source includes 10.100.10.10
(it might include other IP addresses as well).
To do advanced filtering, select Advanced Filter from the left most menu (the one that contains the
column headings). This opens the Create Filter dialog box. Using this dialog box, you can create
multiple filter criteria just as you can with the regular filter controls. However, you also have the
option to create a list of disjoined, ORed criteria, by selecting Match Any of the Following, where
you can say show me all rows that have IP for service or 10.100.10.10 for source address.
To add criteria, enter the criteria and click Add.
To remove criteria, select the undesired criteria and click Remove.
If you filter a table using the simple method, you can select Advanced Filter to alter your existing
filter, adding or removing criteria as desired. The dialog box is filled with whatever filter criteria
are currently applied to the table.
The current filter is shown next to the Filter label in the filter control area. You can click Clear to
remove the filter and show all rows.
Any filter you apply is kept in the left most menu below the Advanced Filter entry. You can apply
the filter by selecting it from the list. However, this list can have at most 10 entries. When you create
your eleventh filter, your oldest filter is removed from the list. If you select a filter and add criteria,
you are modifying that filter rather than creating a new one. You cannot delete the listed filters.
Tip Your filter is maintained for a given type of table even if you select another device or log out and
subsequently log back in. For example, if you filter the Access Rules table for one device, it will be
filtered the same way for other devices. When you clear the filter, it is cleared for the same type of table
for all devices. Your filters do not affect what any other user sees.
until you find the right one (the icon might be a generic Java icon rather than the Security Manager
icon). You can also use your mouse to click the desired icon rather than using Tab to cycle through
them.
Text and list elements missing, Java errors when clicking buttonsIf you change your Windows
color scheme while running the Security Manager client, you must close and then restart the client.
Otherwise, the behavior of the client can be unpredictable.
If you are experiencing these problems and you did not change the color scheme, try closing and
restarting the application.
Dialog Box is too big for the screenThe minimum screen resolution for the Security Manager
client is actually bigger than the best screen resolution available on many laptops (for screen
resolution requirements, see the client system requirements in the Installation Guide for Cisco
Security Manager). Because some dialog boxes are quite large, if you run the client on a laptop, you
might find the occasional dialog box that is too big to fit on your screen.
Usually, you can reposition the dialog box to get access to the OK, Cancel, and Help buttons.
However, if you cannot get those buttons on the screen, you can use the following techniques to
perform the same actions:
OKPut your cursor in a field near the bottom of the dialog box, then press Tab to move from
field to field. Typically, the first off-screen field is the OK button. When the cursor highlight
moves off screen, press Enter.
You can also put the cursor in a field that does not allow carriage returns (for example, the
typical Name field) and press Enter. In many cases, this is the equivalent of clicking OK.
CancelClick the X on the right side of the windows title bar.
HelpPress F1.
Tip You must configure Internet Explorer to allow active content to run on your computer for the online help
to open unblocked. In Internet Explorer, select Tools > Internet Options and click the Advanced tab.
Scroll to the Security section, and select Allow active content to run in files on My Computer. Click
OK to save the change. For a complete list of configuration requirements for Internet Explorer and
Firefox browsers, see the Installation Guide for Cisco Security Manager.
Before you start to manage a device using Security Manager, you should prepare the device with at least
a minimal configuration. The following sections describe the basic device configurations needed for
various transport protocols or device types. Before configuring transport protocols, determine the
requirements for your devices by reading Understanding Device Communication Requirements,
page 2-1.
Understanding Device Communication Requirements, page 2-1
Setting Up SSL (HTTPS), page 2-3
Setting Up SSH, page 2-5
Setting Up AUS or Configuration Engine, page 2-7
Configuring Licenses on Cisco ASA Devices, page 2-11
Configuring Licenses on Cisco IOS Devices, page 2-12
Initializing IPS Devices, page 2-12
Note DES encryption is not supported on Common Services 3.0 and later. Ensure that all PIX
Firewalls and Adaptive Security Appliances that you intend to manage with Security
Manager have a 3DES/AES license. You will get SSL handshake failures otherwise.
For information on configuring SSL, see Setting Up SSL (HTTPS), page 2-3.
SSHSecure Shell is the default transport protocol for Catalyst switches and Catalyst 6500/7600
devices. You can also use it with Cisco IOS routers.
For information on configuring SSH, see Setting Up SSH, page 2-5.
TelnetTelnet is the default protocol for routers running Cisco IOS software releases 12.1 and 12.2.
You can also use it with Catalyst switches, Catalyst 6500/7600 devices, and routers running Cisco
IOS Software release 12.3 and higher. See the Cisco IOS software documentation for configuring
Telnet.
HTTPYou can use HTTP instead of HTTPS (SSL) with IPS devices. HTTP is not the default
protocol for any device type.
TMSToken Management Server is treated like a transport protocol in Security Manager, but it is
not a real transport protocol. Instead, by configuring TMS as the transport protocol of a router, you
are telling Security Manager to deploy configurations to a TMS. From the TMS, you can download
the configuration to an eToken, plug the eToken into the routers USB bus, and update the
configuration. TMS is available only for certain routers running Cisco IOS Software 12.3 or higher.
For information on deploying configurations to a TMS and downloading them to a router, see
Deploying Configurations to a Token Management Server, page 8-41.
Security Manager can also use indirect methods to deploy configurations to devices, staging the
configuration on a server that manages the deployment to the devices. These indirect methods also allow
you to use dynamic IP addresses on your devices. The methods are not treated as transport protocols, but
as adjuncts to the transport protocol for the device. You can use these indirect methods:
AUS (Auto Update Server)When you add a device to Security Manager, you can select the AUS
server that is managing it. You can use AUS with PIX Firewalls and ASA devices.
For information on configuring a device to use an AUS server, see Setting Up AUS or Configuration
Engine, page 2-7.
Configuration EngineWhen you add a router to Security Manager, you can select the
Configuration Engine that is managing it.
For more information on configuring a router to use a Configuration Engine server, see Setting Up
AUS or Configuration Engine, page 2-7.
For information on adding devices that use AUS or Configuration Engine servers to Security Manager,
and how to add the servers, see these topics:
Adding Devices to the Device Inventory, page 3-6
Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-29
Step 3 Specify the host or network authorized to initiate an HTTP connection to the device.
hostname(config)# http ip_address [netmask] [if_name]
Where:
ip_addressThe IP address of the Security Manager server.
netmaskThe network mask for the IP address.
if_nameThe device interface name (default is inside) from which Security Manager initiates the
HTTP connection.
Step 4 Save the current configuration in Flash memory.
hostname(config)# write memory
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Configure level 15 privilege. SSL requires that you must have level 15 privileges to log in to a Cisco
IOS router.
hostname(config)# username username privilege 15 password 0 password
If you do not enter the ip http authentication local command, the default enable password is used
for authentication.
AAA authorizationUse the following commands to enable AAA authentication and authorization.
The last two commands are necessary only if multiple AAA lists are defined; list-name is a character
string used to name the list of authorization methods. These commands authenticate the user that is
contacting the device using the HTTPS protocol.
hostname(config)#ip http authentication aaa
hostname(config)#ip http authentication aaa login-authentication list-name
hostname(config)# ip http authentication aaa exec-authorization list-name
hostname(config)# exit
Step 7 Verify that SSL is set up on the device. The Device should respond with an enabled status.
hostname# show ip http server secure status
Setting Up SSH
You can use the Secure Shell (SSH) protocol to communicate with Cisco IOS Routers, Catalyst switches,
and Catalyst 6500/7600 devices. This protocol provides strong authentication and secure
communications over insecure channels. Security Manager supports both SSH versions 1.5 and 2. Once
connected to the device, Security Manager determines which version to use and communicates using that
version.
The following topics describe how to set up SSH on the supported devices:
Critical Line-Ending Conventions for SSH, page 2-5
Testing Authentication, page 2-5
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices, page 2-6
Preventing Non-SSH Connections (Optional), page 2-7
Testing Authentication
Before you set up SSH, you must test authentication without SSH to make sure the device can be
authenticated. You can authenticate with a local username and password or with an authentication,
authorization, and accounting (AAA) server running TACACS+ or RADIUS.
This procedure describes how to test authentication without SSH using a local or AAA server username
and password.
Step 2 Specify that the local username and password should be used in the absence of AAA statements. On
Cisco IOS routers, you can use the login local command on VTY lines instead of the aaa new-model
command.
hostname(config)#aaa new-model
Step 3 (Optional) Configure a user account in the local database of the device.
hostname(config)# username name password 0 password
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600
devices
This procedure describes the tasks required to set up SSH on Cisco IOS routers, Catalyst switches, and
Catalyst 6500/7600 devices.
Tip You must configure SSH on Cisco IOS routers because Security Manager uses SSH connections to
handle interactive command deployments during SSL deployments.
Related Topics
Critical Line-Ending Conventions for SSH, page 2-5
Testing Authentication, page 2-5
Preventing Non-SSH Connections (Optional), page 2-7
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Generate the RSA key pair for the SSH session. When the device prompts you to enter the size of the
modulus, we recommend that you enter 1024.
hostname(config)# crypto key generate rsa
Step 4 (Optional) Set the timeout interval in minutes and the number of retries.
hostname(config)# ip ssh timeout time
hostname(config)# ip ssh authentication-retries n
Related Topics
Critical Line-Ending Conventions for SSH, page 2-5
Testing Authentication, page 2-5
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices, page 2-6
Step 2 Set up the router for Telnet access, specifying the first and last line numbers that can be used (numbers
range from 0 to 1180, and the last number must be greater than the first number).
hostname(config)# line vty first_line last_line
Step 2 Connect to the AUS. Specify a username and its password that can log into Security Manager. The port
number is typically 443.
hostname(config)# auto-update server https:// username:password@AUSserver_IP_address:port
/autoupdate/AutoUpdateServlet
Where:
poll_periodThe polling period interval between two updates. Default is 720 minutes (12 hours).
retry_count(Optional) The number of times to retry if the server connection attempt fails. Default
is 0.
retry_period(Optional) The number of minutes between retries. Default is 5.
Step 4 Configure the device to use the specified unique device ID to identify itself.
hostname(config)# auto-update device-id [ hardware-serial | hostname |
ipaddress [if_name ] | mac-address [if_name ] | string text ]
Where:
if_nameThe device interface name (the default is inside).
textA unique string name.
Step 5 Save the configuration changes.
hostname# write memory
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Specify the trusted server for the CNS agent. Enter the IP address of the trusted server.
hostname(config)# cns trusted-server all-agents ip_address
Step 4 Configure the CNS event gateway, which provides CNS event services to Cisco IOS clients. Enter the IP
address of the event gateway, and optionally the port. The default port is either 11011 (with no
encryption) or 11012 (with encryption). Include the encrypt keyword to use an SSL encrypted link to
the event gateway.
hostname(config)# cns event ip_address [encrypt] [port]
Step 5 Start the CNS configuration agent and accept a partial configuration. Include the encrypt keyword to
use an SSL encrypted link to the web server.
hostname(config)# cns config partial ip_address [encrypt]
Step 6 Set the CNS password, which must be the same password configured on the CNS gateway. For
information on how to authenticate a Cisco IOS router on a Configuration Engine, see Cisco
Configuration Engine Administrator Guide at
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/prod_maintenance_guides_list.html.
hostname(config)# cns password password
Step 7 Enable and configure the CNS execute agent. Include the encrypt keyword to use an SSL encrypted link
to the exec server. You can specify a port number for the encrypted exchange if you do not want to use
the default port 443.
hostname(config)# cns exec [encrypt [port]]
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Specify the IP address of the trusted server for the CNS agent.
hostname(config)# cns trusted-server all-agents ip_address
Step 4 Specify schedule parameters for a Command Scheduler occurrence and enter kron-occurrence
configuration mode.
hostname(config)# kron occurrence occurrence-name [user username ]
{in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}
Where:
occurrence-nameThe name of the occurrence. The name can be from 1 to 31 characters. If the
occurrence-name is new, an occurrence structure is created. If the occurrence-name is not new, the
existing occurrence is edited.
username(Optional) The name of the user.
in [[numdays:]numhours:]numminThe occurrence should run after waiting the specified time.
You can enter a number of days, hours, or minutes, or a combination of them. The timer starts when
the occurrence is configured.
athours:min [[month] day-of-month] [day-of-week]The occurrence should run at the specified
hour and minute on the specified month and day, or day of the week. Specify the hour using the
24-hour clock.
oneshotSpecifies that the occurrence is to run only once. After the occurrence runs, the
configuration is removed.
recurringSpecifies that the occurrence is to run on a recurring basis.
Step 5 Specify the policy list associated with a Command Scheduler occurrence. The name can be 1 to 31
characters. If the list-name is new, a policy list structure is created. If the list-name is not new, the
existing policy list is edited.
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same
time or interval.
hostname(config-kron-occurrence)# policy-list list-name
Step 7 Specify a name for a Command Scheduler policy and enter kron-policy configuration mode. The name
can be 1 to 31 characters. If the list-name is new, a policy list structure is created. If the list-name is not
new, the existing policy list is edited.
hostname(config)# kron policy-list list-name
Step 8 Retrieve the configuration from the staged CNS job. Specify the IP address of the CNS server. You must
use JobbedDynaConfig status so that the device retrieves the config from the staged CNS job;
otherwise, the device retrieves the template associated with the device.
hostname(config-kron-policy)# cli cns config retrieve ip_address
page /cns/JobbedDynaConfig status http:// ip_address /cns/PostStatus
Tip If you add the device using the New Device or Configuration File options, you can set the License
Supports Failover property while adding the device instead of waiting to set it in the device properties.
You configure these settings through the setup command in Intrusion Prevention System Device
Manager (IDM) or in a command-line session, depending upon which platform is used by your IPS
device. For a list of supported IPS platforms, see the supported devices and software versions
information at the following URL:
http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_list.html.
For detailed information on these settings, refer to the technical documentation for your IPS device.
Note For information on preparing an IOS IPS device for use, see Initial Preparation of a Cisco IOS IPS
Router, page 38-5.
Before you can manage devices in Security Manager, you must prepare the devices for management, then
add those devices to the Security Manager device inventory. After you add the devices, you can view and
edit device information, configure policies on devices, copy and share policies, clone devices, and so on.
The following topics describe how to manage the device inventory:
Understanding the Device Inventory, page 3-1
Adding Devices to the Device Inventory, page 3-6
Working with the Device Inventory, page 3-29
Working with Device Groups, page 3-52
Shortcut menu optionsWhen you right-click a device or device group, you get a menu of
commands related to that device or group. These commands are shortcuts to commands available in
the regular menus.
Policy selector (2)Contains the following:
Policy groupsLists the policy groups that are supported on the selected device type. The policy
groups that are displayed are dependent on four factors:
The type of device selected in the Device selector.
The operating system running on the device.
The target operating system version selected for determining which commands will be available
for generated configurations.
Whether the device contains supported service modules.
For more information about policies, see Understanding Policies, page 5-1.
Shortcut menu optionsWhen you right-click a policy, you get a menu of commands related to that
policy. These commands are shortcuts to commands available in the regular menus.
Contents pane (6)The main content area.
The information displayed in this area depends on the device you select from the Device selector and the
option you select from the Policy selector.
Tip You can control whether the display name is added to the context name using the Prepend Device Name
when Generating Security Context Names property on the Discovery settings page (see Discovery
Page, page 11-17). However, if you do not add the display name, it is very difficult to determine the
hosting device for a context, and the context names are not sorted with the host device (they do not
appear in a folder attached to the host device). If you do not add the display name, Security Manager
adds a numeric suffix to the context name if more than one context of the same name is added to the
inventory (for example, admin_01, admin_02), and these numbers are not related to the host device.
Virtual SensorsYou can define virtual sensors on IPS devices. Virtual sensors appear in device
selectors using the host-display-name_virtual-sensor-name naming convention, and there is not a
discovery setting to control this convention.
Tip You can always change the display name for a virtual sensor, security context, or other type of device in
the devices properties.
Besides the naming conventions for virtual devices, you also need to understand the relationship between
various types of device names:
Display nameThe display name is simply the name that appears within Security Manager in
device selectors. This name does not have to be related to any name actually defined on the device.
When you add devices to the inventory, a display name is suggested based on the DNS name or IP
address you enter, but you can use whatever naming convention you want to use.
DNS nameThe DNS name you define for a device must be resolvable by the DNS server
configured for the Security Manager server.
IP addressThe IP address you define for a device should be the management IP address for the
device.
HostnameWhen you discover a device, the hostname property that is shown in the device
properties is taken from the devices configuration. If you add devices using configuration files, and
a file does not contain a hostname command, the initial hostname is the name of the configuration
file.
However, the hostname device property is not updated if you change the hostname on the device.
There is a Hostname policy in the device platform policy area, and it is this Hostname policy that
determines the hostname that is defined on the device.
SNMP Credentials(Optional) The Simple Network Management Protocol (SNMP) facilitates the
exchange of management information between network devices. SNMP enables network
administrators to manage network performance, find and solve network problems, and plan for
network growth.
Note PIX/ASA/FWSM devices require that user names be at least four characters. Passwords can be three to
32 characters; we recommend that passwords be at least eight characters.
Rather than using device-based credentials, you can configure Security Manager to use the credentials
you use when you log into Security Manager. You can then use the AAA servers accounting facilities
to track configuration changes by user. Using user login credentials is suitable only if your environment
is configured according to these standards:
You use TACACS+ or RADIUS for change auditing. User-login credentials will be reflected in these
accounting records. If you use device credentials, all changes made through Security Manager will
come from the same account, regardless of which user made the change.
User accounts are configured in the AAA server, and they have appropriate device-level access to
perform configuration changes.
You configure Security Manager and the managed devices to use the AAA server for authorization.
For information on configuring Security Manager to use AAA, see the Installation Guide for Cisco
Security Manager.
You do not use one-time passwords.
If your network setup supports using user-login credentials, you can configure Security Manager to use
them by selecting Tools > Security Manager Administration. Select Device Communication from the
table of contents, and select Security Manager User Login Credentials in the Connect to Device
Using field. The default is to use device credentials for all device access.
Related Topics
Device Credentials Page, page 3-38
Adding Devices to the Device Inventory, page 3-6
Device Communication Page, page 11-12
The Device Properties dialog box has two panes. The left pane contains a table of contents with these
items:
GeneralContains general information about the device, such as device identity, the operating
system running on the device, and device communication settings.
CredentialsContains device primary credentials (username, password, and enable password),
SNMP credentials, Rx-Boot Mode credentials, and HTTP credentials.
Device GroupsContains the groups to which the device is assigned.
Policy Object OverridesContains global settings of certain types of reusable policy objects that
you can override for this device.
When you select an item in the table of contents, the corresponding information is displayed in the right
pane.
Notes
Security Manager does not assume that the DNS hostname that appears on the Device Properties
page is the same as the hostname that you configured on the device.
When you add a device to Security Manager, you must enter either the management IP address or
the DNS hostname. Because it is not possible to determine the management interface and, therefore,
the management IP address when you discover from a configuration file, the hostname in the
configuration file is used as the DNS hostname. If the hostname is missing in the CLI of the
configuration file, the configuration filename is used as the DNS hostname.
When you discover a device from the network, the DNS hostname in the Device Properties page is
not updated with the hostname configured on the device. Therefore, if you want to specify the DNS
hostname for the device, you must specify it manually when you add the device to Security Manager
or on the Device Properties page.
For more information about device properties, see Viewing or Changing Device Properties, page 3-34.
Service modules are treated as separate devices. For most modules, you must add the service module
separately from its host device. However, Security Manager can automatically discover FWSM or
IDSM modules in a Catalyst 6500 device, so you need only add the parent device. The only
exception is if you configure an FWSM or IDSM module to use a non-default port for HTTPS (SSL),
in which case you must add the module separately.
When adding FWSM that have multiple security contexts (they are running in multiple-context
mode), do not add the security contexts individually using their management IP addresses. Instead,
add the device using the admin context management address (this also adds the individual contexts).
Then, configure Security Manager to deploy configurations to FWSM multiple-context devices
serially as described in Changing How Security Manager Deploys Configurations to
Multiple-Context FWSM, page 9-16.
You cannot add devices beyond the device limits defined by your Security Manager license. For
example, if you have a license for 50 devices, and there are 45 devices in the inventory, if you try to
add a multiple-context ASA with 6 security contents, the device addition and discovery fails.
The following topics describe the various methods of adding devices:
Add Device from NetworkTo add devices that are currently active on the network, see Adding
Devices from the Network, page 3-8. Security Manager connects directly and securely to the device
and discovers its identifying information and properties.
ProsYou need to specify minimal information about a device, and Security Manager obtains
the detailed information directly from the device, ensuring accuracy.
ConsYou can add only one device at a time. You cannot add devices that have dynamic IP
addresses, unless you determine the devices current IP address, add it using that address, and
then update the device properties in Security Manager to identify the Configuration Engine that
is managing the device.
Add from Configuration FileTo add devices by using a copy of the device configuration files,
see Adding Devices from Configuration Files, page 3-16.
ProsYou can add more than one device at a time.
ConsYou cannot use this method to add Catalyst 6500/7600 or IPS devices. When adding
groups of configuration files, all files must be for the same device type.
Also, you cannot successfully discover policies that require a connection with the device. For
example, if a policy points to a file that resides on the device, adding the device using the
configuration file will result in a Security Manager configuration that includes the no form of
the command, because Security Manager cannot retrieve the referenced file from the device. For
example, the svc image command for web VPNs might be negated.
Add New DeviceTo add a device that does not yet exist in the network, so that you can
pre-provision it in Security Manager, see Adding Devices by Manual Definition, page 3-20. You can
create the device in the system, assign policies to the device, and generate configuration files before
installing the device hardware.
ProsYou can pre-provision devices that do not yet exist in the network.
ConsYou must specify more information than that required by any other method. If you create
a Catalyst 6500 device, or a router that contains an IPS module, you should discover its modules
by selecting Policy > Discover Policies on Device.
Add Device from FileTo add devices from an inventory file in comma-separated values (CSV)
format, see Adding Devices from an Inventory File, page 3-24.
ProsYou can add multiple devices of different types at one time. You can reuse the inventory
list from your other network management applications, including CiscoWorks Common
Services, Cisco Security Monitoring, Analysis and Response System (CS-MARS), and other
Security Manager servers. If you use a file exported from another Security Manager server, you
can optionally add the devices without discovering policies, which is convenient for adding
offline or standby devices.
ConsYou cannot use this method to update the properties of devices already defined in the
inventory. Also, policy discovery can fail if you attempt to import more than 100 devices at one
time, and might fail for even fewer devices. In the case of IPS devices, do not add more than
four IPS devices at a time to avoid policy discovery failures.
Related Topics
Understanding the Device View, page 3-1
Working with Device Groups, page 3-52
Viewing or Changing Device Properties, page 3-34
Step 1 In Device view, select File > New Device or click the New Device button in the Device selector. The
New Device wizard opens to the Choose Method page.
Step 2 On the Choose Method page, select Add Device from Network and click Next to open the Device
Information page.
Step 3 On the Device information page, at minimum fill in the following fields. For a detailed explanation of
all fields, see Device Information Page Add Device from Network, page 3-9.
Enter either a hostname and DNS name, or an IP address (or both).
Enter a display name, which is the name that will appear in the Security Manager Device selector.
Select the correct operating system and version. If you are configuring a Catalyst switch or a 7600
router, ensure that you select IOS - Catalyst Switch/7600 rather than one of the other IOS entries.
Select the transport protocol that should be used to log into the device, if the device is configured to
use a protocol that differs from the default defined in Security Manager. The default is set on the
Device Communication administration page (see Device Communication Page, page 11-12).
Click Next.
Step 4 On the Device Credentials page, enter the usernames and passwords required to log into the device. Enter
at least the primary device credentials, which are the traditional User EXEC mode and Privileged EXEC
mode passwords.
For information on the different types of credentials, see Device Credentials Page, page 3-38.
Tip When you click Next or Finished from the Device Credentials page, Security Manager tests
whether it can connect to the device. You cannot add the device unless the test succeeds. For
more information, see Testing Device Connectivity, page 9-1.
Step 5 (Optional) Click Next to open the Device Grouping page, and select the device group to which the
imported devices should be added (see Device Groups Page, page 3-41).
Step 6 Click Finish. Security Manager opens the Discovery Status dialog box where you can view the status of
the device discovery and policy analysis (see Discovery Status Dialog Box, page 5-21).
Tip If you are discovering policies while adding a device, carefully read any messages that are
presented to you. These messages can contain important recommendations on the next steps you
should take. For example, when you add Cisco IOS routers or Catalyst devices, we recommend
that you immediately deploy the discovered configuration to a file so that Security Manager can
take over ownership of the configuration. For more information about deployment methods, see
Understanding Deployment Methods, page 8-8.
Step 7 If you are adding a device that contains modules, you are notified when the discovery of the device
chassis is complete and you are asked if you want to discover the devices modules. When you click Yes,
you are prompted for this information:
Catalyst 6500 service modulesThe Service Module Credentials dialog box opens prompting for
the following information, based on the modules contained in the chassis. For more information, see
Service Module Credentials Dialog Box, page 3-14.
FWSMThe management IP address (recommended), the username and passwords, and the
type of discovery you want to perform. If the FWSM is the second device in a failover pair,
select Do Not Discover Module for the failover module. (Security Manager always manages
the active admin context, regardless of whether you added the primary or secondary failover
service module.)
IDSMThe username and password and the type of discovery you want to perform.
IPS Router ModuleThe type of discovery you want to perform, the management IP address, the
username and password, and other SSL connection information. For more information, see IPS
Module Discovery Dialog Box, page 3-15.
You can skip discovery for any module you do not want to manage in Security Manager.
Click OK. You are returned to the Discovery Status dialog box, where you can view the progress of
service module discovery. When finished, close the window and the device is added to the inventory list.
A message will explain if you need to submit the activity for all devices to appear in the list (for example,
individual security contexts defined on an ASA device).
Step 8 If you added a device that is managed by an Auto Update Server or Configuration engine, with the device
selected in the device selector, select Tools > Device Properties. Select the server used with the device
in the Auto Update or Configuration Engine settings. You can add the server if it is not listed. For more
information, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-29.
Navigation Path
To start the New Device wizard, from Device view, select File > New Device, or click the Add button
in the device selector.
Related Topics
Understanding the Device View, page 3-1
Adding Devices from the Network, page 3-8
Device Credentials Page, page 3-38
Device Groups Page, page 3-41
Discovering Policies, page 5-12
Device Communication Page, page 11-12
Field Reference
Table 3-1 New Device Wizard, Device Information Page When Adding Devices from the
Network
Element Description
Identity
IP Type You can add only devices that have static IP addresses.
If you want to add a device that uses dynamic addresses (supplied by a
DHCP server), determine the current IP address for the device, use that
address, and after adding the device, update its properties to change the
IP Type to Dynamic and to identify the AUS or Configuration Engine
that is managing the device.
Hostname The DNS hostname for the device. Enter the DNS hostname if the IP
address is not known.
Note You must enter either the DNS hostname or the IP address, or
both.
Domain Name The DNS domain name for the device.
IP Address The management IP address of the device. The IP address must be in
the dotted quad format, for example, 10.64.3.8.
Note You must enter either the IP address or the DNS hostname, or
both.
Display Name The name to display in the Security Manager Device selector. If you
enter a hostname or IP address, it is entered automatically in this field,
but you can change it.
The maximum length is 70 characters. Valid characters are: 0-9;
uppercase A-Z; lowercase a-z; and the following characters: _ -. : and
space.
Note Two devices cannot have the same display name.
Table 3-1 New Device Wizard, Device Information Page When Adding Devices from the
Network (Continued)
Element Description
OS Type The family of the operating system running on the device. You must be
careful to select the correct type, because your selection affects how
Security Manager tries to log into the device and obtain its
configuration. The options are:
IOS 12.3+For Cisco routers running Cisco IOS Software
Release 12.3 or higher. Do not select this for Catalyst 6500/7600
or other Catalyst devices.
Tip Select this option for Aggregation Services Routers (ASR) even
if they are running a version of 12.2. The ASR IOS releases are
treated as higher releases.
Table 3-1 New Device Wizard, Device Information Page When Adding Devices from the
Network (Continued)
Element Description
System Context Whether to discover the system execution space of a PIX Firewall 7,
ASA, or FWSM device that is running in multiple-context mode. If you
are discovering a device that hosts multiple security contexts, whether
you select this checkbox has important implications in how you can
configure the device in Security Manager. What gets discovered on the
device also depends on whether you select the Discover Policies for
Security Contexts checkbox.
Both System Context and Discover Policies for Security
Contexts selectedThis is the recommended selection. Security
Manager discovers the system execution space and all of the
security contexts defined on the device, and lists them in the device
selector. The base display name represents the system execution
space (for example, 10.10.11.24), whereas the security contexts are
represented by nodes with the context name appended to the device
name (for example, 10.10.11.24_admin), unless you changed the
default naming convention configured on the Discovery page (see
Discovery Page, page 11-17).
System Context selected, Discover Policies for Security
Contexts deselectedThe system execution space is discovered
and added to the device selector. You can then discover the policies
for the security contexts at a later time. This method might be
appropriate if you have one group of people who discover
inventory and another group that discovers policies.
Neither checkbox selectedOnly the Admin context gets
discovered and added to the device selector. You cannot discover
the other security contexts or manage them.
Table 3-1 New Device Wizard, Device Information Page When Adding Devices from the
Network (Continued)
Element Description
Discover Device Settings
Discover The type of elements that should be discovered and added to the
inventory. You have these options:
Policies and InventoryDiscover policies, interfaces, and service
modules (if applicable). This is the default and recommended
option.
When policy discovery is initiated, the system analyzes the
configuration on the device, then imports the configured service
and platform policies. When inventory discovery is initiated, the
system analyzes the interfaces on the device and then imports the
interface list. If the device is a composite device, all the service
modules in the device are discovered and imported.
If you select this option, the checkboxes below are activated and
you can use them to control the types of policies that are
discovered.
Note During discovery, if you import an ACL that is inactive, it is
shown as disabled in Security Manager. If you deploy the same
ACL, it will be removed by Security Manager.
Note Although Security Manager discovers VPN modules, the discovery is done through the chassis and no
credentials are required.
Navigation Path
After you discover policies on a Catalyst chassis that can contain service modules, you are asked if you
want to discover its service modules. If you click Yes, this dialog box appears. You can perform policy
discovery using any of these methods:
When adding a device from the network. See Adding Devices from the Network, page 3-8.
When adding devices from an export file. See Adding Devices from an Inventory File, page 3-24.
When performing policy discovery on a device that is already in the inventory. See Discovering
Policies on Devices Already in Security Manager, page 5-15.
Related Topics
Chapter 49, Configuring Security Contexts on Firewall Devices
Field Reference
Element Description
Discovery Mode The types of policies to discovery for this module:
Discover Inventory and PoliciesDiscover inventory and security
policies. This is the recommended option.
Discover Inventory OnlyDo not discover security policies, but
discover inventory, such as VLAN configuration, security contexts,
and interfaces. You can discover the policy configuration later by
right-clicking the service module and then selecting Discover
Policies on Device.
Do Not Discover ModuleSkip discovery on this module and do
not add it to the inventory.
Element Description
Connect to FWSM How Security Manager should access the FWSM:
DirectlyConnect to the FWSM using its management IP address.
This is the recommended approach. It is the required method if you
are connecting to a failover device; otherwise, Security Manager
might connect to a standby FWSM after a failover.
via ChassisConnect to the FWSM through the chassis. This
method has the restriction that there should be fewer than 20
security contexts defined on the FWSM. Security Manager
connects to the Catalyst device through SSH and then to the FWSM
through the session command. The number of concurrent SSH
sessions is limited on a Catalyst device, with a default of 5. Policy
discovery uses one SSH session for each security context, so a
large number of contexts might lead to connection failures. If you
select Directly, Security Manager connects to the FWSM through
SSL, which has a greater concurrent session limit.
Management IP The management IP address for the service module.
For FWSMs, this field is not available if you select via Chassis for the
connection method.
Username The user name for the service module.
For FWSMs running in multiple-context mode, a footnote explains
which contexts username and password to enter, either the system or
the admin context. If you are connecting to a multiple-context mode
device through the switch chassis, you must configure the same
username and password for both the system execution space and the
admin context, and specify those credentials in this dialog box.
Note User names be at least four characters. Passwords can be three
to 32 characters; we recommend that passwords be at least eight
characters.
Password The User EXEC mode password for the service module. In the Confirm
field, enter the password again.
Enable Password The Privileged EXEC mode password for the service module. In the
Confirm field, enter the password again.
(FWSM only)
Navigation Path
After you discover policies on a router chassis that contains an IPS module, you are asked if you want
to discover its modules. If you click Yes, this dialog box appears. You can perform policy discovery
using any of these methods:
When adding a device from the network. See Adding Devices from the Network, page 3-8.
When adding devices from an inventory file. See Adding Devices from an Inventory File, page 3-24.
When performing policy discovery on a device that is already in the network. See Discovering
Policies on Devices Already in Security Manager, page 5-15.
Field Reference
Element Description
Discovery The type of discovery for this module:
Discover Inventory and PoliciesDiscover inventory and security
policies. This is the recommended option.
Discover Inventory OnlyDo not discover security policies, but
discover inventory, such as virtual sensors and interfaces. You can
discover the policy configuration later by right-clicking the module
and selecting Discover Policies on Device.
Do Not Discover ModuleSkip discovery on this module and do
not add it to the inventory.
IP Address The management IP address for the module.
HTTP Credentials Group
The credentials required to log into the module.
Username The username for the module.
Password The password for the specified username. In the Confirm field, enter the
password again.
HTTP Port The port configured for HTTP access to the module. The default is 80.
HTTPS Port The port configured for SSL (HTTPS) access to the module. The
default is defined on the Device Communication page (Tools >
Security Manager Administration > Device Communication, for
more information, see Device Communication Page, page 11-12). The
port typically used is 443.
To override the default, deselect Use Default and enter the correct port
number.
IPS RDEP Mode The connection method to use for contacting IPS devices when making
RDEP or SDEE connections (for event monitoring).
Certificate Common Name The name assigned to the certificate. The common name can be the
name of a person, system, or other entity that was assigned to the
certificate. In the Confirm field, enter the common name again.
Related Topics
Understanding the Device View, page 3-1
Working with Device Groups, page 3-52
Viewing or Changing Device Properties, page 3-34
Step 1 In Device view, select File > New Device or click the New Device button in the Device selector. The
New Device wizard opens to the Choose Method page.
Step 2 On the Choose Method page, select Add from Configuration File and click Next to open the Device
Information page (see Device Information PageConfiguration File, page 3-18).
Step 3 Select the device type for the configuration files from the Device Type selector, and select the
appropriate system object ID. If you have configuration files for more than one device type, add them in
batches based on device type.
Step 4 Click Browse and select the configuration files that contain the devices (of the specified type) that you
want to add.
Step 5 Select the appropriate discovery options to indicate which types of policies you want to discover, if any.
Step 6 (Optional) Click Next and select the device groups to which the new devices should belong.
Step 7 Click Finish. Security Manager opens the Discovery Status dialog box where you can view the status of
the configuration file analysis (see Discovery Status Dialog Box, page 5-21). When finished, close the
window and the device is added to the inventory list.
Tip If you are discovering policies and get unexpected errors, it might be because the configuration
file includes only the major Cisco IOS software version and not the point release information.
Some policies defined on the device might use features that became available in a point release,
which means that Security Manager might not recognize them as being supported. To resolve the
problem, after adding the device, select it in the Device selector, right-click, and select Device
Properties. On the General page, update the Target OS Version field with the software version
closest to the one running on the device without being higher than it (you can get the version
number using the show version command on the devices CLI). You can then rediscover policies
by right-clicking and selecting Discover Policies on Device.
Step 8 If you added a device that is managed by an Auto Update Server or Configuration engine, with the device
selected in the device selector, select Tools > Device Properties. Select the server used with the device
in the Auto Update or Configuration Engine settings. You can add the server if it is not listed. For more
information, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-29.
Navigation Path
To start the New Device wizard, from Device view, select File > New Device, or click the Add button
in the device selector.
Related Topics
Understanding the Device View, page 3-1
Adding Devices from Configuration Files, page 3-16
Device Groups Page, page 3-41
Discovering Policies, page 5-12
Discovery Status Dialog Box, page 5-21
Field Reference
Table 3-4 New Device Wizard, Device Information Page When Adding Devices from
Configuration Files
Element Description
Device Type selector Organizes the devices by device-type and device-family. Select the
device type for the new device. You must select the correct device type
for the configuration file you are adding.
System Object ID The system object identifiers for the device type you selected from the
Device Type selector. Select the correct ID for your device.
Configuration Files The configuration files from the devices you are adding to the
inventory. You can specify more than one configuration file, but they
must all be for the same device type. Separate the file names with
commas.
Click Browse to select the files from the Security Manager server, or
manually type in the file names (including the full path). For
information on selecting files, see Selecting or Specifying a File or
Directory on the Server File System, page 1-35.
Options The additional options available on the device. Select IPS if the IPS
feature is available on the device.
Target OS Version The OS version on which you want to base the routers configuration.
(Routers only.) Select Default to read the OS version from the configuration file.
Select a specific release number if you want to ensure the desired
release is used. If the desired release is not listed, select the release
number that is closet but lower than the release running on the
device.
You might have to select a specific release when discovering
configuration files for Aggregation Services Routers (ASR) or for
configuration files that include zone-based firewall policies.
Table 3-4 New Device Wizard, Device Information Page When Adding Devices from
Configuration Files (Continued)
Element Description
License Supports Failover Whether an optional failover license is installed on the device. The
option is active for ASA 5505 and 5510 devices only. Security Manager
(ASA 5505, 5510 only.)
deploys failover policies to the device only if this option is selected.
Tip If you discover policies from the device, Security Manager
determines the license status and sets this option appropriately.
Discover Device Settings
Discover The type of elements that should be discovered and added to the
inventory. You have these options:
Policies and InventoryDiscover policies, interfaces, and service
modules (if applicable). This is the default and recommended
option.
When policy discovery is initiated, the system analyzes the
configuration file, then imports the configured service and
platform policies. When inventory discovery is initiated, the
system analyzes the interfaces defined in the file and then imports
the interface list.
If you select this option, the checkboxes below are activated and
you can use them to control the types of policies that are
discovered.
Note During discovery, if you import an ACL that is inactive, it is
shown as disabled in Security Manager. If you deploy the same
ACL, it will be removed by Security Manager.
Table 3-4 New Device Wizard, Device Information Page When Adding Devices from
Configuration Files (Continued)
Element Description
RA VPN Policies Whether to discover IPSec and SSL remote access VPN policies such
as IKE proposals and IPsec proposals. This option is disabled if the
device does not support remote access VPN configuration. For more
information, see Chapter 26, Managing Remote Access VPNs.
Related Topics
Understanding the Device View, page 3-1
Working with Device Groups, page 3-52
Viewing or Changing Device Properties, page 3-34
Step 1 In Device view, select File > New Device or click the New Device button in the Device selector. The
New Device wizard opens to the Choose Method page.
Step 2 On the Choose Method page, select Add New Device and click Next to open the Device Information
page.
Step 3 On the Device Information page, at minimum fill in the following fields. For a detailed explanation of
all fields, see Device Information PageNew Device, page 3-21.
Select the device type from the Device Type selector at the left of the page, and select the system
object ID at the bottom of the selector.
In the IP Type field, select whether the device uses a static address (the IP address is defined on the
device) or a dynamic one (the address is provided by a DHCP server).
For devices with static addresses, enter either a DNS hostname and domain name, or an IP address
(or both).
Enter a display name, which is the name that will appear in the Security Manager Device selector.
Ensure that the correct operating system and version are selected.
If you use a server to manage configurations for the device, which is required for dynamically
addressed devices, select the Auto Update Server or Configuration Engine that manages the device
and enter the device identity string the server uses for the device. If the server is not listed, select
Add Server and add it to the inventory. For information on adding servers, see Adding, Editing, or
Deleting Auto Update Servers or Configuration Engines, page 3-29
When you are finished filling in the device information, click Next to proceed to the Device Credentials
page.
Step 4 (Optional) On the Device Credentials page, enter the usernames and passwords required to log into the
device. Typically, you need to enter the primary device credentials, which are the traditional User EXEC
mode and Privileged EXEC mode passwords. If you do not enter credentials, you can add them later on
the Device Properties page.
For information on the different types of credentials, see Device Credentials Page, page 3-38.
Click Next.
Step 5 (Optional) On the Device Grouping page, select the group to which the device should belong, if any. See
Device Groups Page, page 3-41
Step 6 Click Finish. The device is added to the inventory.
Tip If you are adding a PIX, ASA, or FWSM device, you should discover the factory default settings
for the device and its security contexts. For more information, see Discovering Policies on
Devices Already in Security Manager, page 5-15.
Navigation Path
To start the New Device wizard, from Device view, select File > New Device, or click the Add button
in the device selector.
Related Topics
Understanding the Device View, page 3-1
Adding Devices by Manual Definition, page 3-20
Device Credentials Page, page 3-38
Device Groups Page, page 3-41
Field Reference
Table 3-5 New Device Wizard, Device Information Page When Adding New Devices
Element Description
Device Type
Device Type selector Organizes the devices by device-type and device-family. Select the
device type for the new device.
Table 3-5 New Device Wizard, Device Information Page When Adding New Devices (Continued)
Element Description
System Object ID The system object identifiers for the device type you selected from the
Device Type selector. Select the correct ID for your device.
Identity
IP Type Whether the IP address for the device is static (defined on the device)
or dynamic (supplied by a DHCP server). Depending on the IP type you
select, the displayed fields differ.
Hostname The DNS hostname for the device. Enter the DNS hostname if the IP
(Static IP only) address is not known.
The maximum length is 70 characters. Valid characters are: 0-9;
uppercase A-Z; lowercase a-z; and hyphen (-).
Note You must enter either the DNS hostname or the IP address, or
both.
Two devices cannot have the same DNS hostname and domain name
combination.
Domain Name The DNS domain name for the device.
(Static IP only) The maximum length is 70 characters. Valid characters are: 0-9;
uppercase A-Z; lowercase a-z; period (.) and hyphen (-).
IP Address The management IP address of the device. The IP address must be in
the dotted quad format, for example 10.64.3.8.
(Static IP only)
Note You must enter either the IP address or the DNS hostname, or
both.
Display Name The name to display in the Security Manager Device selector. If you
enter a hostname or IP address, it is entered automatically in this field,
but you can change it.
The maximum length is 70 characters. Valid characters are: 0-9;
uppercase A-Z; lowercase a-z; and the following characters: _ -. : and
space.
Note Two devices cannot have the same display name.
Operating System
OS Type The type of operating system. Based on the device type, the OS type is
selected automatically.
Image Name The name of the image that will run on the device.
Target OS Version The target OS version for which you want to apply the configuration.
This selection determines the type of commands used when Security
Manager generates configuration files.
Options The additional options available on the device. Select IPS if the IPS
feature is available on the device.
Contexts Whether the device hosts a single security context (Single) or multiple
security contexts (Multi). This field is displayed only if the OS type is
an FWSM, ASA, or PIX Firewall 7.0.
Table 3-5 New Device Wizard, Device Information Page When Adding New Devices (Continued)
Element Description
Operational Mode The mode in which the device is operating. This field is displayed only
if the OS type is FWSM, ASA, or PIX Firewall 7.0+. The options
available are: Transparent, Routed, or Mixed. Mixed applies only to
FWSM 3.1 and higher devices when you select Multi for Contexts.
Auto Update or Configuration Engine
This group is named differently depending on the device type you select:
Auto UpdateFor PIX Firewall and ASA devices.
Configuration EngineFor Cisco IOS Routers.
Use these fields to identify the server that manages the device, if any. A server is required for a device
with a dynamic IP address. You cannot define a server for Catalyst 6500/7600 or FWSM devices.
Server The Auto Update Server or Configuration Engine that manages the
device.
You can add servers to the list by selecting Add Servers, which opens
the Server Properties dialog box (see Server Properties Dialog Box,
page 3-31). You can also edit the properties of a server by selecting
Edit Server, which opens the Available Servers dialog box (see
Available Servers Dialog Box, page 3-32).
For more information on managing this list of servers, see Adding,
Editing, or Deleting Auto Update Servers or Configuration Engines,
page 3-29
Device Identity The string value that uniquely identifies the device in Auto Update
Server or the Configuration Engine.
Additional Fields
Manage in Cisco Security Whether Security Manager manages the device. This check box is
Manager selected by default.
If the only function of the device you are adding is to serve as a VPN
end point, deselect this check box. Security Manager will not manage
configurations nor will it upload or download configurations on this
device. For more information, see Including Unmanaged or Non-Cisco
Devices in a VPN, page 21-10.
Table 3-5 New Device Wizard, Device Information Page When Adding New Devices (Continued)
Element Description
Security Context of Whether to manage a security context whose parent (the PIX Firewall,
Unmanaged Device ASA, or FWSM device) is not managed by Security Manager.
This field is active only if the device you selected in the Device selector
is a firewall device, such as PIX Firewall, ASA, or FWSM and that
firewall device supports security contexts.
You can partition a PIX Firewall, ASA, or FWSM into multiple security
firewalls, also known as security contexts. Each context is an
independent system with its own configuration and policies. You can
manage these standalone contexts in Security Manager, even though the
parent device is not managed by Security Manager. For more
information, see Chapter 49, Configuring Security Contexts on
Firewall Devices.
Note If you select this check box, the available target OS version for
the security module is displayed in the Target OS Version field.
License Supports Failover Whether an optional failover license is installed on the device. The
option is active for ASA 5505 and 5510 devices only. Security Manager
(ASA 5505, 5510 only.)
deploys failover policies to the device only if this option is selected.
Tip If you discover policies from the device, Security Manager
determines the license status and sets this option appropriately.
Tip If you want to build an inventory file by hand, the easiest approach is to export the Security Manager
inventory in the desired format and use that file as the basis for your inventory file.
The devices you import cannot be duplicates of devices already in the device inventory. You cannot, for
example, update device information in the inventory by re-importing the device.
If you are using a non-standard communication protocol for a type of device, update the global
device communication properties to specify the correct protocol. For more information, see Device
Communication Page, page 11-12.
Related Topics
Understanding the Device View, page 3-1
Working with Device Groups, page 3-52
Viewing or Changing Device Properties, page 3-34
Step 1 In Device view, select File > New Device or click the New Device button in the Device selector. The
New Device wizard opens to the Choose Method page.
Step 2 On the Choose Method page, select Add Device from File and click Next to open the Device
Information page (see Device Information PageAdd Device from File, page 3-26).
Step 3 Click Browse and select the inventory file that contains the devices that you want to import. Make sure
that you select the correct file type to indicate how the file is formatted.
Security Manager evaluates the contents of the inventory file and displays the list of devices in the import
table. All devices that have the status Ready to Import are automatically selected. The list identifies the
reasons the unselected devices cannot be imported. You can deselect any devices that you do not want
to import.
To see detailed information on a device, select it in the import table. The details are displayed in the
bottom pane. You can select different discovery options or transport settings per device.
Tip If you selected an inventory file in the Security Manager format, you have the option to import
the devices without performing policy discovery. This makes it possible for you to add devices
that are not currently active in the network. If you want to perform policy discovery on a device,
select the device, select Perform Device Discovery in the bottom panel, and select your
discovery options. You can select policy discovery settings for all devices in a folder by selecting
the folder instead of individual devices. The other CSV formats require that you perform policy
discovery during import.
When you are finished analyzing the list and modifying discovery and transport settings, click Next to
continue to the optional step of selecting groups, or click Finish to complete the wizard. In either case,
Security Manager attempts to log into each device and perform the discovery you selected unless you
are using a CSV file in Security Manager format and elected not to perform discovery. For the other
formats, Security Manager must be able to log into the device to add it to the inventory. The status is
displayed in the Discovery Status dialog box (see Discovery Status Dialog Box, page 5-21).
Tip If you are discovering policies while adding a device, carefully read any messages that are
presented. These messages can contain important recommendations on the next steps you should
take. For example, when you add Cisco IOS routers or Catalyst devices, we recommend that you
immediately deploy the discovered configuration to a file so that Security Manager can take
ownership of the configuration. For more information about deployment methods, see
Understanding Deployment Methods, page 8-8.
Step 4 (Optional) On the Device Grouping page, select the device group to which the imported devices should
be added (see Device Groups Page, page 3-41).
Click Finish.
Step 5 If you are adding a device that contains modules and you are performing device discovery, you are
notified when the discovery of the device chassis is complete and you are asked if you want to discover
the devices modules. When you click Yes, you are prompted for this information:
Catalyst 6500 service modulesThe Service Module Credentials dialog box opens prompting for
the following information, based on the modules contained in the chassis. For more information, see
Service Module Credentials Dialog Box, page 3-14.
FWSMThe management IP address (recommended), the user name and passwords, and the
type of discovery you want to perform. If the FWSM is the second device in a failover pair,
select Do Not Discover Module for the failover module. (Security Manager always manages
the active admin context, regardless of whether you added the primary or secondary failover
service module.)
IDSMThe user name and password and the type of discovery you want to perform.
IPS Router ModuleThe type of discovery you want to perform, the management IP address, the
user name and password, and other SSL connection information. For more information, see IPS
Module Discovery Dialog Box, page 3-15.
You can skip discovery for any module you do not want to manage in Security Manager.
Click OK. You are returned to the Discovery Status dialog box, where you can view the progress of
service module discovery.
Tip If you are adding devices that contain modules, for example, a Catalyst switch with an FWSM, you are
prompted for module discovery information after you click Finish.
Navigation Path
To start the New Device wizard, from Device view, select File > New Device, or click the Add button
in the device selector.
Related Topics
Understanding the Device View, page 3-1
Adding Devices from an Inventory File, page 3-24
Device Groups Page, page 3-41
Discovering Policies, page 5-12
Device Communication Page, page 11-12
Discovery Status Dialog Box, page 5-21
Field Reference
Table 3-6 New Device Wizard, Device Information Page When Adding Devices from Inventory
Files
Element Description
Import Devices From The inventory file that contains the devices you want to import. Click
Browse to select the file on the Security Manager server.
When selecting the file, you must also select the correct file type so that
Security Manager can correctly evaluate the comma-separated values
(CSV) file.
Device Import Table
After you select a file, Security Manager evaluates its contents and displays the list of devices defined
in the file in the table in the upper pane of the page. Security Manager automatically selects all devices
whose status is Ready to Import. Typically, these are the devices that do not already exist in the device
inventory.
The table contains the following columns.
Import Select this checkbox to add the device to the inventory. You can select
or deselect a folder to select or deselect all devices within the folder.
Display Name The name that will be displayed in the Security Manager Device
selector.
Host Name The host name defined on the device.
Transport The transport protocol that should be used to connect to the device.
Status Whether Security Manager can import the device. Devices can be
imported only if they have the status Ready to Import. For detailed
information on a devices status, select it and read the expanded status
information in the Status text box in the lower right corner of the page.
Device Type The type of device.
Details Pane
Below the device import table is a pane that displays the details for the device selected in the table.
The Identity information repeats the table fields. The Status text box displays an extended explanation
of the import status.
The Discover Device Settings and Transport groups let you specify how Security Manager should
import the device. If you select a folder instead of a device, the settings you select apply to all devices
in the folder. The settings are explained below.
Discover Device Settings
Perform Device Discovery Whether to discover policies directly from the device:
If the inventory file is in Security Manager format, you must select
Perform Device Discovery to discovery inventory and policies
(otherwise, the device is added without being evaluated). If you are
adding offline or standby devices, you can leave this option
deselected to easily add the device to the inventory.
All other inventory file types require device discovery.
Table 3-6 New Device Wizard, Device Information Page When Adding Devices from Inventory
Files (Continued)
Element Description
System Context Whether the selected device is the system execution space on a device
running in multiple context mode (that is, more than one security
context is defined on the device). If the device is the system execution
space, you must select this option for discovery to complete correctly.
Discover The type of elements that should be discovered and added to the
inventory. You have these options:
Policies and InventoryDiscover policies, interfaces, and service
modules (if applicable). This is the default and recommended
option.
When policy discovery is initiated, the system analyzes the
configuration on the device, then imports the configured service
and platform policies. When inventory discovery is initiated, the
system analyzes the interfaces on the device and then imports the
interface list. If the device is a composite device, all the service
modules in the device are discovered and imported.
If you select this option, the checkboxes below are activated and
you can use them to control the types of policies that are
discovered.
Note During discovery, if you import an ACL that is inactive, it is
shown as disabled in Security Manager. If you deploy the same
ACL, it will be removed by Security Manager.
Table 3-6 New Device Wizard, Device Information Page When Adding Devices from Inventory
Files (Continued)
Element Description
Transport
The transport settings determine the method Security Manager will use to contact the device. Each
device type has a default method, but you can select your preferred transport method. The device must
be configured to respond to the method you select. If you are not performing device discovery, the
device is not contacted.
Protocol The protocol Security Manager should use when connecting to the
device.
Server For devices that use them, the name of the Auto Update Server (AUS)
or Configuration Engine server the device uses to obtain configuration
updates. The server must already be defined in Security Manager, or
you must select the server from the import list, to import devices that
use these servers.
Device Identity For devices that use servers, the string value that uniquely identifies the
device in the Auto Update Server or the Configuration Engine.
Security Manager cannot initiate direct communication with devices that acquire their interface
addresses using DHCP because their IP addresses are not known ahead of time. Furthermore, these
devices might not be running, or they might be behind firewalls and NAT boundaries when the
management system must make changes. These devices connect to an Auto Update Server or
Configuration Engine to get device information.
You can add AUS and Configuration Engine servers to the device inventory when you add devices
manually or when you view device properties. You do not have to be adding or viewing the properties of
a device that uses one of these servers, you just have to get to the appropriate field to access the controls
to add, edit, or delete these servers.
You can also add these servers if you import them from an inventory file exported from CiscoWorks
Common Services Device Credential Repository (DCR) or from another Security Manager server. If you
import the server, you bypass the procedure described in this section. For more information about
importing devices, see Adding Devices from an Inventory File, page 3-24.
Tip Security Manager cannot determine the software version running on a Configuration Engine when you
add it. However, Security Manager cannot deploy configurations correctly to all versions of
Configuration. Ensure that your Configuration Engines are running a supported release (see the release
notes for this version of the product to see which Configuration Engine versions are supported at
http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html).
Related Topics
Adding Devices from the Network, page 3-8
Adding Devices by Manual Definition, page 3-20
Viewing or Changing Device Properties, page 3-34
Step 1 Locate the field that allows you to identify and manage either AUS or Configuration Engine entries in
the device inventory:
a. Select File > New Device to open the New Device wizard, select Add New Device on the Choose
Method page, and click Next.
b. On the Device Information page, select an ASA device from the Device Type selector, for example,
Cisco ASA-5580 Adaptive Security Appliance. The Server field in the Auto Update group should
include Add Server in the drop-down list. It will also include Edit Server if there are servers
already defined. If these entries have specific server types (for example, Add Auto Update Server or
Add Configuration Engine), then you will be limited to adding, editing, or deleting that type of
server (in this case, select other types of devices to find the appropriate server type).
Step 2 To add a new AUS or Configuration Engine server, select Add Server from the Server drop-down list to
open the Server Properties dialog box (see Server Properties Dialog Box, page 3-31).
Step 3 To edit a server, select Edit Server from the Server drop-down list to open the Available Servers dialog
box (see Available Servers Dialog Box, page 3-32). You can then select the server and click Edit, which
opens the Server Properties dialog box where you can make your changes.
From the Available Servers dialog box, you can also:
Click Create to add a server.
Select a server and click Delete to remove it from the inventory. You are asked to confirm the
deletion. Make sure that the server is not being used by a device in the inventory.
Tip Security Manager cannot determine the software version running on a Configuration Engine when you
add it. However, Security Manager cannot deploy configurations correctly to all versions of
Configuration. Ensure that your Configuration Engines are running a supported release (see the release
notes for this version of the product to see which Configuration Engine versions are supported at
http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html).
Navigation Path
To open this dialog box, do one of the following:
Select Add Server... from the Server field in the Auto Update Server or Configuration Engine
groups on the Device Information page of the New Device wizard when adding a device manually.
The selection might also be named Add Auto Update Server or Add Configuration Engine.
Select Add Server... from the Server field in the Auto Update Server or Configuration Engine
groups on the Device PropertiesGeneral page. The selection might also be named Add Auto
Update Server or Add Configuration Engine.
Click Create, or select a server and click Edit, in the Available Servers dialog box (see Available
Servers Dialog Box, page 3-32).
Related Topics
Available Servers Dialog Box, page 3-32
Device Information PageNew Device, page 3-21
Device Information Page Add Device from Network, page 3-9
Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-29
Viewing or Changing Device Properties, page 3-34
Field Reference
Element Description
Type The type of server you are defining, either Auto Update Server or
Configuration Engine.
This field is displayed only if you are adding a server. You cannot
change the type of an existing server.
For new servers, this field is also not displayed if the title of the dialog
box specifies the type of server you are adding.
Server Name The DNS hostname of the server.
Domain Name The DNS domain name of the server.
IP Address The IP address of the server.
Display Name The name to display in Security Manager for the server.
Username The username for logging into the server.
Password The password for accessing the server. In the Confirm field, enter the
password again.
Port The port number that the device managed by the Auto Update Server or
Configuration Engine uses to communicate with the server. The port
number is typically 443.
URN This field is displayed only for Auto Update Servers.
The uniform resource name for the Auto Update Server. The URN is the
name that identifies the resource on the Internet. The URN is part of a
URL, for example, /autoupdate/AutoUpdateServlet. The full URL
could be: https://: server ip:443/autoupdate/AutoUpdateServlet
where:
server ip is the IP address of the Auto Update Server.
443 is the port number of the Auto Update Server.
/autoupdate/AutoUpdateServlet is the URN of the Auto Update
Server.
Each row represents a single server, and shows the display name for the server in Security Manager, its
IP address, and DNS hostname and domain name. If the dialog box title does not include the server type,
the Type field specifies AUS or CE (Configuration Engine).
To add a server, click the Create button and fill in the Server Properties dialog box (see Server
Properties Dialog Box, page 3-31).
To edit the properties of a server, select it and click the Edit button.
To delete a server, select it and click the Delete button. You are asked to confirm the deletion.
Navigation Path
To open this dialog box, do one of the following:
Select Edit Server... from the Server field in the Auto Update Server or Configuration Engine
groups on the Device Information page of the New Device wizard when adding a device manually.
The selection might also be named Edit Auto Update Server or Edit Configuration Engine.
Select Edit Server... from the Server field in the Auto Update Server or Configuration Engine
groups on the Device PropertiesGeneral page. The selection might also be named Edit Auto
Update Server or Edit Configuration Engine.
Related Topics
Device Information PageNew Device, page 3-21
Device Information Page Add Device from Network, page 3-9
Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-29
Viewing or Changing Device Properties, page 3-34
Note Inventory rediscovery is especially important for ASA 5580 devices in which you install a 4 GB Ethernet
Fiber interface card. For other types of devices, you can usually make manual changes to the Interfaces
policy, but rediscovering inventory is the easier and more reliable choice.
Related Topics
Understanding the Device View, page 3-1
Understanding Device Properties, page 3-5
Understanding Policies, page 5-1
Changing Critical Device Properties, page 3-42
Step 1 In Device view, do one of the following in the Device selector to open the Device Properties dialog box:
Double-click a device.
Right-click a device and select Device Properties.
Select a device and select Tools > Device Properties.
Step 2 In the Device Properties dialog box, click these entries in the table of contents in the left pane to view
or change the properties. You must click Save before moving from one page to another.
GeneralGeneral information about the device, such as the device identity, the operating system
running on the device, and transport settings. For information about the fields, see General Page,
page 3-34.
CredentialsThe device credentials required to log into the device. For information about the
fields, see Device Credentials Page, page 3-38.
GroupsThe groups to which the device belongs. For information about the fields, see Device
Groups Page, page 3-41.
Policy Object OverridesThe local overrides to policy objects for the device. Policy Object
Overrides is a folder that contains the various policy object types that are available for the device.
Click a specific policy object type to view the policy objects of that type used by the device and their
overrides, if any. For more information about the fields, see Policy Object Override Pages,
page 3-42.
General Page
Use the Device Properties General page to add or edit information about the basic properties of the
device.
Navigation Path
From the Device selector, right-click a device and select Device Properties, then click General.
From the Device selector, double-click a device, then click General.
Select a device and select Tools > Device Properties, then click General.
Related Topics
Understanding Device Properties, page 3-5
Device Credentials Page, page 3-38
Device Groups Page, page 3-41
Policy Object Override Pages, page 3-42
Field Reference
Element Description
Identity
Device Type The type of device.
IP Type Whether the IP address for the device is static (defined on the device)
or dynamic (supplied by a DHCP server). Depending on the IP type you
select, the displayed fields differ.
Hostname The DNS hostname for the device.
(Static IP only) This is not necessarily the same name that is configured as the
hostname on the device. This property is not updated with the hostname
specified in the Hostname device property. It is also not updated with
the name defined in the device configuration if you rediscover the
device.
If you added the device to Security Manager by adding its configuration
file, the hostname is initially set to the name specified in the
configuration file. If no hostname is specified in the configuration, the
name of the file is used as the DNS hostname.
Domain Name The DNS domain name for the device.
(Static IP only)
IP Address The management IP address of the device, for example 192.168.3.8.
(Static IP only)
Display Name The name to display in the Security Manager Device selector.
The maximum length is 70 characters. Valid characters are: 0-9;
uppercase A-Z; lowercase a-z; and the following characters: _ -. : and
space.
Operating System
OS Type The family of the operating system running on the device.
Image Name The name of the image running on the device. The image name is
updated whenever you deploy to the device or rediscover its policies.
Running OS Version The version of the operating system running on the device.
Element Description
Target OS Version The OS version on which you want to base the devices configuration.
When creating a configuration file using the rules you configure,
Security Manager uses commands available in the target OS version.
This field is read-only for IPS devices.
You cannot change the target OS version to a version that significantly
changes the feature set available for the device. For more information,
see Changes That Change the Feature Set in Security Manager,
page 3-44.
Options A read-only field whose values are NONE or IPS. The value IPS
indicates that the IPS feature is available on the device.
IPS Running OS Version A read-only field that displays the version of IOS IPS running on the
router. This field does not appear if the Options field has the value of
NONE.
IPS Target OS Version A read-only field that displays the target version of IOS IPS running on
the router. This field does not appear if the Options field has the value
of NONE.
Contexts Whether the device hosts a single security context (Single) or multiple
security contexts (Multi). This field is displayed only if the OS type is
an FWSM, ASA, or PIX Firewall 7.0.
Operational Mode The mode in which the device is operating. This field is displayed only
if the OS type is FWSM, ASA, or PIX Firewall 7.0. The options
available are: Transparent, Routed, or Mixed. Mixed applies only to
FWSM 3.1 and higher devices when you select Multi for Contexts.
Device Communication Settings
Transport Protocol The transport protocol that Security Manager should use when
accessing the device or deploying configurations to it. If you select Use
Default, the transport protocol set in the Device Communication page
(Tools > Security Manager Administration > Device Communication)
is used (see Device Communication Page, page 11-12). You can select
a different protocol if the device is not configured to use the default
protocol.
The available transport protocols differ depending on what the device
type supports. For some device types, such as ASA, there is only one
option, so the field is grayed out.
Element Description
CS-MARS Monitoring
Monitored By The CS-MARS server that monitors this device, if any.
Click Discover CS-MARS to have Security Manager determine which
CS-MARS server is monitoring the device. If only one CS-MARS
server is monitoring it, the field is updated with the server name. If
there is more than one, you are prompted to select the CS-MARS server
to use. Your selection determines which server is accessed when you try
to view CS-MARS collected syslogs or events when viewing firewall
access rules or IPS signatures in the policy rule tables for the device.
Before you can discover a CS-MARS server for the device, the server
must be register with Security Manager on the CS-MARS
administration page (Tools > Security Manager Administration >
CS-MARS). For more information, see CS-MARS Page, page 11-4.
Auto Update or Configuration Engine
This group is named differently depending on the device type:
Auto UpdateFor PIX Firewall and ASA devices.
Configuration EngineFor Cisco IOS routers.
Use these fields to identify the server that manages the device, if any. A server is required for a device
with a dynamic IP address.
Server The Auto Update Server or Configuration Engine that manages the
device. For AUS, this server should match the one defined in the AUS
policy (see AUS Page, page 43-1).
You can add servers to the list by selecting Add Servers, which opens
the Server Properties dialog box (see Server Properties Dialog Box,
page 3-31. You can also edit the properties of a server by selecting Edit
Server, which opens the Available Servers dialog box (see Available
Servers Dialog Box, page 3-32).
For more information on managing this list of servers, see Adding,
Editing, or Deleting Auto Update Servers or Configuration Engines,
page 3-29.
For information on how these servers are used during deployment, see
Deploying Configurations Using an Auto Update Server or CNS
Configuration Engine, page 8-39.
Device Identity The string value that uniquely identifies the device in Auto Update
Server or the Configuration Engine. For AUS, this ID should match the
one defined in the AUS policy (see AUS Page, page 43-1).
Manage in Cisco Security Whether Security Manager manages the device.
Manager If the only function of the device is to serve as a VPN end point,
deselect this check box. Security Manager will not manage
configurations nor will it upload or download configurations on this
device.
Element Description
License Supports Failover Whether an optional failover license is installed on the device. The
(ASA 5505, 5510 only.) option is active for ASA 5505 and 5510 devices only. Security Manager
deploys failover policies to the device only if this option is selected.
Tip If you discover policies from the device, Security Manager
determines the license status and sets this option appropriately.
Tip In the New Device wizard, when you click Next or Finish when adding a device from the network,
Security Manager tests whether it can connect to the device using these credentials. The Device
Connectivity Test dialog box stays open while the test is in progress (see Device Connectivity Test
Dialog Box, page 9-3). If the test fails, click Details to see detailed error information. If you are adding
devices that contain modules, for example, a Catalyst switch with an FWSM, you are then prompted for
module discovery information.
Navigation Path
For new devices, to start the New Device wizard, from Device view, select File > New Device, or
click the Add button in the device selector.
For existing devices, to open the device properties, double-click a device in the Device selector, then
click Credentials on the Device Properties Page.
Related Topics
Understanding Device Credentials, page 3-4
Adding Devices from the Network, page 3-8
Adding Devices by Manual Definition, page 3-20
Device Communication Page, page 11-12
Understanding Device Properties, page 3-5
Viewing or Changing Device Properties, page 3-34
Managing Device Communication Settings and Certificates, page 9-4
Discovery Status Dialog Box, page 5-21
Field Reference
Element Description
Primary Credentials
Required for all device types. These credentials are used for SSH and Telnet connections, and for
HTTP and HTTPS connections if you select Use Primary Credentials in the HTTP group.
Username The user name for logging into the device.
Note PIX/ASA/FWSM devices require that user names be at least
four characters. Passwords can be three to 32 characters; we
recommend that passwords be at least eight characters.
Password The password for logging into the device (User EXEC mode). In the
Confirm field, enter the password again.
Enable Password The password that activates enable mode (Privileged EXEC mode) on
the device if the mode is configured on that device. In the Confirm field,
enter the password again.
HTTP Credentials
Credentials for making HTTP or HTTPS connections to a device. Some devices support this type of
connection, and other devices (such as IPS devices) require it.
Use Primary Credentials Whether Security Manager should use the configured primary
Username credentials for HTTP and HTTPS connections. If the device uses
different credentials for HTTP/HTTPS connections, deselect Use
Password Primary Credentials and enter the username and password configured
for HTTP/HTTPS. Reenter the password in the Confirm field.
Note PIX/ASA/FWSM devices require that user names be at least
four characters. Passwords can be three to 32 characters; we
recommend that passwords be at least eight characters.
HTTP Port The port to use for HTTP connections. The default is port 80. Change
this setting only if the device is configured to accept HTTP connections
on a different port.
HTTPS Port The port to use for HTTPS connections. The default is port 443 (unless
a different default is configured in the Security Manager device
communication settings). To change the default, first deselect Use
Default. Change this setting only if the device is configured to accept
HTTPS connections on a different port.
Note If you configure the local HTTP policy to be a shared policy and
assign the HTTP policy to multiple devices, the HTTPS port
number setting in the shared policy overrides the port number
configured in the Device Credentials page for all devices to
which the policy is assigned.
IPS RDEP Mode The connection method to use for contacting IPS devices when making
RDEP or SDEE connections (for event monitoring).
Certificate Common Name The name assigned to the certificate. The common name can be the
name of a person, system, or other entity that was assigned to the
certificate. In the Confirm field, enter the common name again.
Element Description
Additional Fields and Buttons
Authentication Certificate The certificate thumbprint for the device that is available in the Security
Thumbprint Manager certificate data store. Click Retrieve From Device to obtain
(Device properties only.) the current certificate from the device and to replace the one stored in
Security Manager.
RX-Boot Mode button Opens the RX-Boot Mode Credentials Dialog Box, where you can enter
the credentials for booting the router from a reduced command-set
image (RX-Boot).
If these credentials are for a Cisco router that runs from flash memory
(where it boots only from the first file in flash), you must run an image
other than the one in flash to upgrade the flash image. The RX-Boot
credentials are for running this other image.
SNMP button Opens the SNMP Credentials Dialog Box, where you can specify the
SNMP community strings defined on the device.
Test Connectivity button Tests whether Security Manager can connect to the device using the
credentials you entered and the configured transport method. For more
(Device properties and
information about testing device connectivity, see Testing Device
manual device addition only.)
Connectivity, page 9-1.
Use the RX-Boot Mode Credentials dialog box to add RX-Boot mode credentials, which are used for
booting the router from a reduced command-set image (RX-Boot). Enter the RX-Boot Mode username
and password; in the Confirm field, enter the password again.
Navigation Path
To open the RX-Boot Mode Credentials dialog box, click RX-Boot Mode in the Device Credentials Page
in either the New Device wizard (when adding a device manually or from the network), or the Device
Properties page.
Navigation Path
To open the SNMP Credentials dialog box, click SNMP in the Device Credentials Page, page 3-38 in
either the New Device wizard (when adding a device manually or from the network), or the Device
Properties page.
Field Reference
Element Description
SNMP V2C
These are the credentials for devices running SNMP version 2.
Element Description
RO Community String The read-only community string. In the Confirm field, enter the
community string again.
RW Community String The read-write community string. In the Confirm field, enter the
community string again.
SNMP V3
These are the credentials for devices running SNMP version 3.
Username The SNMP version 3 username.
Password The SNMP version 3 password. In the Confirm field, enter the
password again.
Auth Algorithm The authorization algorithm for encrypting the password. You can
select MD5 or SHA-1.
Navigation Path
For new devices, to start the New Device wizard, from Device view, select File > New Device, or
click the Add button in the device selector.
For existing devices, to open the device properties, double-click a device in the Device selector, then
click Device Groups on the Device Properties Page.
Related Topics
Understanding Device Grouping, page 3-52
Adding Devices to the Device Inventory, page 3-6
Understanding Device Properties, page 3-5
Discovery Status Dialog Box, page 5-21
Field Reference
Element Description
Group Types, such as The group types defined in Security Manager, for example, Department
Department and Location or Location. Each field contains a list of the device groups defined
within that group type. Select the device groups to which the device
should belong.
If you want to create a new device group, or group type, select Edit
Groups from the drop-down list for any of the existing group types.
This opens the Edit Device Groups page, where you can create new
groups and group types or delete them (see Edit Device Groups Dialog
Box, page 3-54).
Element Description
Set values as default Whether to set the selected groups as the default groups. If you select
this option, other devices you add are automatically added to these
groups.
Navigation Path
Double-click a device in the Device selector, then click the desired policy object type in the Policy
Object Overrides folder in the table of contents in the left pane.
Related Topics
Policy Object Overrides Window, page 6-16
Allowing a Policy Object to Be Overridden, page 6-13
Creating or Editing Object Overrides for a Single Device, page 6-14
Deleting Device-Level Object Overrides, page 6-17
Filtering Tables, page 1-33
Image Version Changes That Do Not Change the Feature Set in Security Manager
The following image version changes do not affect the types of policies available for that device in
Security Manager:
Upgrading from any Cisco IOS version supported by Security Manager to any other Cisco IOS
version supported by Security Manager.
Upgrading from any PIX 6.x image to another PIX 6.x image.
Upgrading from any PIX 7.x image to another PIX 7.x image, retaining the same security context
and mode configuration.
Upgrading from any ASA 7.x image to another ASA 7.x image, retaining the same security context
and mode configuration.
Upgrading from any ASA 8.x image to another ASA 8.x image, retaining the same security context
and mode configuration.
Upgrading from any FWSM 2.x image to another 2.x FWSM image, retaining the same security
context and mode configuration.
Upgrading from any FWSM 3.x image to another 3.x FWSM image, retaining the same security
context and mode configuration.
Upgrading a Catalyst 6500/7600 chassis from any IOS 12.x image to another IOS 12.x image.
Note This list applies only to images that are supported by Security Manager. For a list of supported images,
see Supported Devices and Software Versions for Cisco Security Manager for this version of the product
at http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_list.html.
For these cases, use the following procedure to change the image version.
Related Topics
Understanding the Device View, page 3-1
Understanding Device Properties, page 3-5
Understanding Policies, page 5-1
Changes That Change the Feature Set in Security Manager, page 3-44
Related Topics
Understanding the Device View, page 3-1
Understanding Device Properties, page 3-5
Understanding Policies, page 5-1
Image Version Changes That Do Not Change the Feature Set in Security Manager, page 3-43
Step 1 Submit and deploy all the changes you configured for the device in Security Manager. This ensures that
the desired configuration is on the device before the image upgrade.
Step 2 Share the local policies defined on the device:
a. Right-click the device in the Device selector, then select Share Device Policies. By default, all
policies configured on the device (local and shared) are selected for sharing in the Share Policies
wizard.
b. Deselect the check box next to each existing shared policy, as indicated by the hand in the policy
icon. You should do this because there is no need to create a copy of the shared policies that already
exist; you will reassign the existing shared policies after the image version upgrade.
c. Enter a name for the shared policies. We recommend using the device name as a convenient means
of identification. For example, if the device name is MyRouter, each shared policy is given the name
MyRouter. Make a note of all the policies you are creating for this purpose.
d. Click Finish. The selected local policies become shared policies.
Step 3 Delete the device from Security Manager.
Step 4 Make the desired change to the device, for example, upgrade the image version, change the operational
mode, or replace the device.
Step 5 Add the device back to Security Manager and perform policy discovery.
Step 6 Reassign the policies to the device:
a. Right-click the first policy type displayed in the Device Policies selector, then select Assign Shared
Policy.
b. In the Assign Shared Policy dialog box, do one of the following:
If a local policy was previously defined on the device, select the shared policy you created for
this procedure and click OK.
If a shared policy of this type was previously assigned to the device, select it and click OK.
c. (Local policies only) Right-click the policy type again in the Device Policies selector, then select
Unshare Policy.
d. Repeat the process for each policy type that is relevant to the devices configuration. If a shared
policy is not available, this indicates that this is a policy type that was not available for the previous
image version.
Step 7 (Optional) Delete the shared policies created for this procedure from Policy view:
a. Select View > Policy View or click the Policy View icon on the toolbar.
b. Select one of the policies you want to delete and click the Assignments tab in the work area to verify
that the policy is not assigned to any devices.
c. Click the Delete Policy button beneath the Shared Policy selector to delete the policy.
d. Repeat the process for each policy type that you want to delete.
Cloning a Device
A cloned (duplicate) device shares the configurations and properties of the source device. Cloning a
device saves you time because you do not need to re-create configuration and properties on the new
device.
The cloned device shares the device operating system version, credentials and grouping attributes with
the source device, but it has its own unique identity, such as display name, IP address, hostname, and
domain name. You can clone only one device at a time.
Related Topics
Understanding the Device View, page 3-1
Copying Policies Between Devices, page 5-30
IP AddressThe management IP address of the cloned device, for example, 10.10.100.1. If you do
not know the IP address, enter the DNS hostname in the Hostname field. You must enter either the
IP address or the hostname for devices with static IP addresses.
Display NameThe name that appears in Security Manager device lists. The maximum length is
70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and the following characters:
_ -. : and space.
Device Identity(Dynamic IP only.) The string value that uniquely identifies the device in Auto
Update Server or Configuration Engine. This field appears only if the device is configured to use
one of these servers.
Clone VPN AssignmentsWhether to copy the VPN assignments defined for the device. This field
is displayed only if the device supports VPN assignments.
You can clone the VPN assignments of a device that is a spoke in a hub-and-spoke configuration,
or a device that participates in a full mesh topology. If you clone a spoke device, the new device is
added to the VPN as a new spoke with the same policies. If you clone a device in a full mesh VPN,
the new device is added to the full mesh VPN with the same policies. You cannot clone a device in
a point-to-point VPN topology.
Step 3 Click OK. A clone of the source device with its unique display name is created in the Device selector.
Tip If someone is configuring policies on the device, locks will prevent you from deleting the device.
Tip Device deletion requires the removal of a lot of information from the database. If you delete a lot of
devices at one time, it can take a while for the operation to complete. If you have a lot of devices to
delete, consider deleting them in smaller groups.
Tip When you select a device group, you are deleting only the devices in the group, you are not
deleting the group itself. For information on deleting device groups, see Deleting Device Groups
or Group Types, page 3-56.
Step 2 You are asked to confirm that you want to delete the devices.
Security Manager then validates whether the device can be deleted. If problems or potential problems
are identified, they are listed in the Device Delete Validation Dialog Box, page 3-48. This dialog box
shows errors (indicating devices that cannot be deleted) as well as warnings and informational messages.
You can elect to confirm the deletion of devices that have warnings or informational messages if you
accept the consequences described in the message. The dialog box has an OK button if you can continue
deleting all selected devices, or a Continue button if there are any error messages. If you click
Continue, you are deleting only those devices without error conditions. You are asked to confirm.
If all selected devices have errors, the button is greyed out and you must click Cancel. Resolve any errors
before attempting to delete the devices.
Navigation Path
This dialog box appears only if you try to delete devices and Security Manager determines that there are
problems with the deletion.
Note If the file does not specify os_type and os_version for a device, you must discover policies
directly from the device when adding it.
The additional fields, which appear at the end of each row, are:
os_type. The operating system type, which can be one of the following: PIX, ASA, IOS, FWSM,
IPS. This field is required for all device types.
os_version. The target operating system version, which can be any of the version numbers listed
in the New Device wizard when you select Add New Device. The acceptable version numbers
differ depending on the device model, so if you are creating a CSV file by hand, look over this
list carefully. For more information about adding devices using this method, see Adding
Devices by Manual Definition, page 3-20. This field is required for all device types.
fw_os_mode. The mode in which a firewall device is running, which can be one of the
following: TRANSPARENT, ROUTER, MIXED. This field is required for ASA, PIX, and
FWSM devices.
fw_os_context. The context in which a firewall device is running, which can be one of the
following: SINGLE, MULTI. This field is required for ASA, PIX, and FWSM devices.
anc_os_type. The ancillary operating system type for Cisco IOS-IPS devices. If present, it is
IPS. This field is required for IOS IPS devices.
anc_os_version. The ancillary target operating system version, which is the IPS target operating
system version. If present, it can be any of the supported IOS-IPS versions. This field is required
for IOS IPS devices.
You can select a subset of devices for export. The list from which you choose contains only those devices
to which you have Modify Device permissions.
Tip If you select a device that uses an AUS or Configuration Engine to manage its configuration, you must
also select the server in the list of devices to export. You can export AUS or Configuration Engine
information only in DCR or Security Manager format.
Related Topics
Filtering Items in Selectors, page 1-30
Selecting or Specifying a File or Directory on the Server File System, page 1-35
Step 1 In Device view, select Tools > Export Inventory to open the Export Inventory dialog box.
Step 2 Select the devices that you want to include in the export file and click >> to add them to the Selected
Devices list. You can select a folder to select all devices in the folder.
Step 3 Click Browse to select the folder on the Security Manager server in which to create the export file and
to enter a name for the file. For File Type, select the type of CSV file you want to create.
Click Save to return to the Export Inventory dialog box. The Export Inventory To field is updated with
the export file information.
Step 4 Click OK to create the export file.
If there are problems during the export, the Issues Encountered dialog box opens explaining the
problems for each device. For more detailed information for an issue, select a device and click Details.
The Perl command is located in $NMSROOT\bin, which is typically C:\Program Files\CSCSpx\bin. The
syntax of the command is:
Syntax
perl [path] CSMgrDeviceExport.pl The Perl script command. Include the path to the
CSMgrDeviceExport.pl file if the path is not defined in the
system path variable.
-u username A Security Manager username. The data exported is limited
by the permissions assigned to this user. The user must have
View Device permissions.
-p password (Optional.) The users password. If you do not include the
password on the command, you are prompted for it.
-s {Dhdoirtg} (Optional.) The fields you are selecting to include in the
output. If you do not specify the -s option, all fields are
included. You can specify one or more of the following:
DDisplay name.
hHost name.
dDomain name.
oOperating system (OS) type.
IImage name.
rRunning OS version.
tTarget OS version.
gDevice groups.
-h (Optional.) Display the command line help. If you include
this option, all other options are ignored.
>filename.csv (Optional.) Pipe the output to the specified file. If you do not
specify a file, the output is displayed on the screen.
Output Format
The output is in standard comma-separated values (CSV) format, which you can open in spreadsheet
programs or process with your own scripts. The first line has column headings. The columns, left to
right, are in the order of the fields described for the -s option above.
If there is no value for a particular field, that field is blank in the output.
The device group output field is enclosed in double-quotes and it can contain more than one group name.
The group names include the path structure for the group. For example, the following output indicates
the device is part of two groups, the East Coast group in the Department folder, and the NewGroup group
in the New folder. Groups are separated by a semicolon.
"/Department/East Coast; /New/NewGroup"
Any error messages generated during the script are written to the output file.
Tip If you have a large number of devices, grouping them can make it easier to select a subset of devices
when you deploy changes to them. For example, if there is a set of devices that you know you will want
to deploy changes to simultaneously, if you put them in a single device group, you just have to select the
group in the deployment job. For more information about policy deployment, see Chapter 8, Managing
Deployment.
Device grouping enables you to view a subset of devices in the inventory. The device group hierarchy
has two types of folders:
Device group typesGroup types are the highest level in the hierarchy. A group type can contain
specific device groups, but it cannot contain devices, except for the All group type, which includes
all devices in the inventory. Security Manager comes with the group types Department and Location
predefined, but you do not need to use them, and you can delete them. You can create a maximum
of 10 group types.
Device groupsDevice groups are subfolders within a group type folder. You can create multiple
levels of nested device groups. You can place devices within device groups. However, a device can
be in only one group within a group type. For example, in Figure 3-3 under the group type, Location,
you can assign routerx to San Jose, but you cannot assign routerx to San Jose and California.
Figure 3-3 shows an example of nested device groups with devices in some of the groups. Notice that an
individual device can reside in multiple groups. In this example, routerx is in the Finance group (under
the Department group type), and also in the Location > United States > California > San Jose nested
group. If you select routerx in any of these places, you are configuring a single device (the configurations
are not tied to the grouping).
Security Manager lets you create or delete group and group types, and put devices in groups, in many
locations in the interface:
When adding devices to the inventoryThe New Device wizard includes a Device Grouping page,
where you can create device group types and select a group for the newly-added device. You can
also select a default group to which all new devices are added.
When viewing the device inventory in Device viewThe File > Edit Device Groups command
opens a dialog box where you can create or delete groups and group types. If you select a group or
group type in the Device selector, the File menu and the right-click shortcut menu includes
commands for adding groups or adding devices to groups.
To add devices to a group, or remove them from a group, select the group and select File > Add
Devices to Group.
When viewing the properties for a deviceThe Device Grouping page allows you to select the
groups to which the device belongs, and to set defaults for devices added to the inventory. This is
the only place where you can remove a device from a device group. Double-click a device in the
Device selector to open the device properties.
When using the administration pagesSelect Tools > Security Manager Administration > Device
Groups to open the administration page for device groups, where you can create or delete groups
and group types, but you cannot add devices to groups here.
Related Topics
Creating Device Group Types, page 3-55
Creating Device Groups, page 3-55
Deleting Device Groups or Group Types, page 3-56
Adding Devices to or Removing Them From Device Groups, page 3-56
Navigation Path
Do one of the following:
Right-click a device group type or a device group in the Device selector and select Edit Device
Groups.
Select File > Edit Device Groups.
From the Device Grouping page in the New Device wizard or for existing devices, the device
properties, select Edit Groups from a group type list. See Device Groups Page.
Related Topics
Understanding Device Grouping, page 3-52
Working with Device Groups, page 3-52
Field Reference
Element Description
Groups Displays the device groups and group types.
To rename a group or type, select it and then click it again to make the
text editable. Type in the new name and press Enter.
Add Type button Click this button to create a new group type. The type is added with a
default name. Overtype the name and press Enter.
You can have a maximum of 10 group types.
Add Group to Type button Click this button to add a device group to the selected device group or
group type.
Element Description
Delete button (trash can) Click this button to delete the selected device group or group type and
all device groups that it contains. Deleting a device group or group type
does not delete any devices it contains.
Related Topics
Understanding Device Grouping, page 3-52
Deleting Device Groups or Group Types, page 3-56
Adding Devices to or Removing Them From Device Groups, page 3-56
Related Topics
Understanding Device Grouping, page 3-52
Adding Devices to or Removing Them From Device Groups, page 3-56
Deleting Device Groups or Group Types, page 3-56
Step 1 Select a device group or group type in the Device selector and select File > New Device Group, or
right-click and select New Device Group.
The Add Group dialog box appears.
Step 2 Enter a name for the device group and click OK. The new device group is added to the Device selector.
Step 1 In Device view, select File > Edit Device Groups. The Edit Device Groups page opens (see Edit Device
Groups Dialog Box, page 3-54).
Step 2 Select the group type or group you want to delete and click the Delete button. You are asked to confirm
the deletion.
Related Topics
Understanding Device Grouping, page 3-52
Filtering Items in Selectors, page 1-30
Step 1 Select the device group in the Device selector, right-click and select Add Devices to Group. The Add
Devices to Group dialog box appears.
Step 2 To add devices to the group, select the devices in the Available Devices selector and click >> to move
them to the Selected Devices list.
To remove devices, select them in the Selected Devices list and click <<.
Step 3 Click OK. The device group membership is adjusted to include the devices that were in the Selected
Devices list.
Whether you are using Workflow or non-Workflow mode, all policy configuration is done within an
activity, which is also called a configuration session in non-Workflow mode. In Workflow mode, you
must explicitly create and manage activities, whereas in non-Workflow mode much of the activity
creation and management is done automatically for you. However, in non-Workflow mode, you are in
fact working within an activity whenever you modify policies, and so you should understand the basic
activity concepts.
The following topics provide information about activities:
Understanding Activities, page 4-1
Working with Activities, page 4-6
Understanding Activities
An activity is a temporary context within which you define policies and assign them to devices. You do
not need to create an activity to import, create, or delete devices (unless you perform policy discovery
as part of the action), or to perform various system management tasks.
The requirements for creating or opening activities differ depending on your Workflow mode:
Non-Workflow modeAn activity is created automatically and transparently for you whenever you
define, modify, or assign policies to devices. The same activity is used until you submit your changes
to the database, and is automatically closed and reopened as needed. You cannot actively open or
manage activities in non-Workflow mode. These types of activities are also called configuration
sessions.
Workflow modeIf you do not explicitly open an activity, you are prompted to create a new activity
or open an existing one whenever you perform an action that requires an activity. You must actively
open and manage activities in Workflow mode.
When you create an activity, or one is created for you, you open a virtual copy of the Security Manager
policy database. You define and assign policies within this copy. Changes that you made within this copy
are only available within the copy. Other users in different activities cannot see these changes. After the
activity is submitted and, in Workflow mode, approved, the changes within this copy are committed to
the database so that all other users can view the changes. Then, you can create a deployment job to
generate the relevant CLI commands and deploy them to the devices.
How you submit your activity changes differs depending on Workflow mode:
Non-Workflow modeSelect File > Submit to submit your changes to the policy database.
Workflow modeSelect Activities > Submit Activity if you are working with an activity approver,
or Activities > Approve Activity if you do not have a separate activity approver.
The following topics describe why activities are important and how they operate in Workflow mode:
Benefits of Activities, page 4-2
Activity Approval, page 4-2
Activities and Locking, page 4-3
Activities and Multiple Users, page 4-4
Understanding Activity States, page 4-4
Benefits of Activities
You use activities to control changes made to policies and policy assignments. Although how activities
are implemented depends on the workflow settings you choose, all activities provide the following
benefits:
Audit trailActivities track changes that are made in Security Manager. In Workflow mode, you
can use this information to determine what changes were made and who made the changes as
described in Viewing Activity Status and History (Workflow Mode), page 4-18. For both Workflow
and non-Workflow mode, there is also an audit report that provides visibility into activities and other
actions, as described in Working with Audit Reports, page 10-11.
Safety mechanismActivities provide a means for experimenting with changes. Because you are
making the changes to a private database view, if you do not want to implement the changes, you
can easily discard the activity or configuration session. For more information, see Discarding an
Activity (All Modes), page 4-17.
Task isolationThe policies that are modified within an activity (or configuration session) are
locked from being modified within other activities. This prevents conflicting changes that could
make a policy unstable. For more information, see Activities and Locking, page 4-3.
In addition, the changes you make within an activity are visible only within the activity. Other users
see only the last approved committed configurations, unless they view your activity before you close
it (in Workflow mode).
Activity Approval
When you enable Workflow mode, you can choose to operate with or without an activity approver.
If your organization requires a different person with higher permissions to approve activities, you can
enable workflow with an approver. When using Workflow mode with an approver, the activity must be
approved by a person with the appropriate permissions so the policies can be committed to the database.
This approval process at the policy definition level helps to ensure that no inappropriate configurations
reach the network devices.
If you choose to operate without an approver, the person defining the policies has the permissions to
approve them.
For information about enabling or disabling activity approval and changing the default activity approver,
see Workflow Page, page 11-40.
Tip Activity locking is broader in scope than policy locking, which is described in Understanding Policy
Locking, page 5-7. Policy locking prevents two users from changing the same policy on the same device
simultaneously.
Related Topics
Approving or Rejecting an Activity (Workflow Mode), page 4-16
Deleting Devices from the Security Manager Inventory, page 3-47
Viewing or Changing Device Properties, page 3-34
Working with Deployment and the Configuration Archive, page 8-24
Validating an Activity (All Modes), page 4-14
State Description
Edit The activity was created, but the activity is not currently being edited.
The activity can be opened or discarded while it is in the Edit state.
Edit Open The activity is open for editing. Changes, such as defining and
assigning policies, can be made in the activity. The policies, policy
assignments (devices being assigned policies), and objects being
configured or modified in the activity are locked. That is, they cannot
be configured or modified within the context of another activity. The
activity can be closed, discarded, submitted, or approved while it is in
the Edit Open state.
The configuration changes can be seen only in the context of the
activity.
Submitted The activity was submitted for review and approval. (This state is
available only if you have Workflow mode enabled with activity
Submitted Open
approval required. For more information, see Workflow Page,
page 11-40.) No further changes can be made within the activity. The
policies, devices (through policy assignment), or objects affected by the
policy changes remain locked to other activities.
When an activity is submitted, an e-mail is sent to the approver. The
approver can open the activity (in read-only mode, moving to the
Submitted Open state) to review the changes within the activity, then
approve or reject it. An approved activity moves to the approved state.
A rejected activity returns to the Edit state.
Approved The activity was approved, and the corresponding configuration
elements are now committed policy configurations. The devices
affected by the policy changes are no longer locked to other activities.
The activity can be deployed or discarded while it is in the Approved
state.
Approve Failed The activity is placed in the Approve Failed state if errors occur during
approval (for example, due to a power failure). If this happens, try to
approve the activity again or reboot the server.
State Description
Discarded Changes made to the activity since the activity was created were
discarded and further changes to the activity are not allowed. Devices
associated with the activity are unlocked and can now be used in a new
activity. The activity remains in the Activity table showing a Discarded
state until it is purged from the system.
Figure 4-1 shows the stages in the activity workflow without an approver. Figure 4-2 shows the stages
in the activity workflow with an approver.
Create/open
activity
Editable
Define
Close activity configurations
Approve activity
Approved
COMMITTED
77254
Create/open
activity
Editable
Close Define
activity configurations
Submit
activity
Submitted
Open activity
(read-only)
Approve Reject
activity activity
Approved Editable
COMMITTED
73772
Table 4-2 Activities Tool Bar Buttons and Commands When Workflow Mode Is Enabled
Activities Menu
Button Command Description
New Activity Creates an activity.
Open Activity Opens an activity. You can open an activity when it is in the Edit
or the Submitted state.
To open a submitted activity, you must have user privileges to
approve or reject changes made in that activity. For more
information, see the Installation Guide for Cisco Security
Manager.
Close Activity Saves all changes made while the activity was open and closes it.
You can close an activity when it is in the Edit Open or the Submit
Open state.
View Changes Evaluates all changes made in the activity and produces an
Activity Change Report in PDF format in a separate window. For
more information, see Viewing Change Reports (All Modes),
page 4-12
Validate Activity Validates the integrity of changed policies within the current
activity. By validating an activity, you can check for configuration
errors that you might have introduced by your policy changes.
Submit Activity In Workflow mode with an activity approver, submits the activity
for approval. You can submit an activity when it is in the Edit or
the Edit Open state.
Table 4-2 Activities Tool Bar Buttons and Commands When Workflow Mode Is Enabled
Activities Menu
Button Command Description
Approve Activity Approves the changes proposed in an activity.
You can approve an activity when it is in the Submitted state when
using an activity approver, or the Edit or Edit Open state when not
using an approver. You must have user privileges to accept the
changes proposed in an activity. For more information, see the
Installation Guide for Cisco Security Manager.
Reject Activity In Workflow mode with an activity approver, rejects the changes
proposed in an activity.
You can reject an activity when it is in the Submitted or Submitted
Open state. You must have user privileges to deny changes
proposed in an activity. For more information, see the Installation
Guide for Cisco Security Manager.
Discard Activity Discards the selected activity. The activity is discarded and later
purged from the system after it exceeds the age for keeping
activities as set under Tools > Security Manager Administration >
Workflow. The activity state is shown as discarded until the
activity is actually purged from the system.
Navigation Path
Click the Activity Manager button on the Main toolbar, or select Tools > Activity Manager.
Field Reference
Element Description
Activity The name of the activity.
Last Modified The date and time of the most recent change to the activity.
State The state of the activity. For a list of states, see Understanding Activity
States, page 4-4.
User The username of the person who last changed the state of the activity.
Last Action The most recent action performed on the activity.
Create button Click this button to create new activity so that you can create or change
policies or assign policies to devices. For more information, see
Creating an Activity (Workflow Mode), page 4-10.
Element Description
Open button Click this button to open the selected activity so that changes, such as
defining and assigning policies, are captured within the activity. You
can open an activity when it is in the Edit or the Submitted state.
Submitted activities are opened read-only.
Validate button Click this button to validate changes that you have made to the selected
activity from the time you created the activity to the current time.
Validating an activity checks policy integrity and deployability, and
displays detailed error information if errors are detected. For more
information, see Validating an Activity (All Modes), page 4-14.
Submit button In Workflow mode with an activity approver, click this button to submit
the selected activity. Submitting the activity sends notification that the
activity is ready for review to the specified approver. You can submit an
activity when it is in the Edit or the Edit Open state.
You are prompted for a comment. For more information, see
Submitting an Activity for Approval (Workflow Mode with Activity
Approver), page 4-15.
Approve button Click this button to approve the selected activity, which saves the
proposed changes to the database. Devices associated with the activity
are unlocked, meaning they can be included in policy definitions and
changes in other activities. You must have appropriate user permissions
to approve the activity.
In Workflow mode without an approver, you can approve your own
activities when they are in the Edit state. In workflow mode with an
approver, you must submit your activity, and the approver can approve
an activity only when it is in the Submitted state.
You are prompted for an approval comment. For more information, see
Approving or Rejecting an Activity (Workflow Mode), page 4-16.
Reject button In Workflow mode with an activity approver, click this button to reject
the changes proposed in the selected activity. You must have
appropriate user permissions to reject an activity. If the activity is
rejected, the submitter can continue to make changes to the activity.
Devices associated with the activity are not unlocked, meaning that
they cannot be included in policy definitions or changes in another
activity. You can reject an activity only when it is in the Submitted or
the Submitted Open state.
You are prompted for a rejection comment. For more information, see
Approving or Rejecting an Activity (Workflow Mode), page 4-16.
Element Description
Discard button Click this button to discard the selected activity. Devices associated
with the activity are unlocked, meaning they can be used by other
activities.
You are prompted for a comment. For more information, see Discarding
an Activity (All Modes), page 4-17.
Discarded activities are removed from the system according to the
settings defined in the Security Manager settings for Workflow. The
activity state is shown as discarded until the activity is purged from the
system. For more information, see Workflow Page, page 11-40.
View Changes Click this button to generate a report in PDF format for the selected
activity. If activity is closed, this button is grayed out. For more
information, see Viewing Change Reports (All Modes), page 4-12.
Refresh button Click this button to refresh the information presented in the window.
Details tab Displays detailed information for the selected activity. Besides the
information repeated from the activities table, the details include this
information:
Activity IDThe identification number assigned by Security
Manager when you created the activity.
CreatedThe date and time the activity was created.
DescriptionThe description of the activity, which was entered
when the activity was created.
History tab Displays a log of the changes that have been made to the selected
activity. The information includes the state changes, the user who made
the change, the date and time of the change (based on the Security
Manager server time), and any comments the user entered to document
the change.
Related Topics
Understanding Activities, page 4-1
Opening an Activity (Workflow Mode), page 4-11
Related Topics
Creating an Activity (Workflow Mode), page 4-10
Understanding Activity States, page 4-4
Tip In non-Workflow mode, your previous configuration session is opened whenever needed until you
submit it. A new activity is then created the next time you perform an action that requires an activity.
Related Topics
Understanding Activities, page 4-1
Tip In non-Workflow mode, your configuration session is closed whenever you log out. The same session is
reopened the next time you log in.
Related Topics
Understanding Activities, page 4-1
Following are some of the ways you can view change reports:
Non-Workflow mode:
Select File > View Changes to view the changes made during the current configuration session.
Select Tools > Change Reports to view the changes made during previous sessions (which are
closed when you submit or discard your changes). Select a configuration session from the
Change Report window and click View Changes. (See Selecting a Change Report in
Non-Workflow Mode, page 4-14.)
Workflow mode:
Select Activities > View Changes, or click the View Changes button in the toolbar, to view the
changes made during the currently open activity.
Highlight an activity in the Activity Manager window and click View Changes to view the
changes made in that activity.
In both modes, you can view changes from various dialog boxes when creating deployment jobs.
Note You must disable any popup-blocker applications you have running to ensure the activity report will
open.
Devices
router2600
Policy Objects Override
InterfaceRole
Operation Category ID Name Patterns Comment Patterns Name
Add None Ethernet1 , Dialer0 , Serial0 , External interfaces Ethernet1 , Dialer0 , Serial0 , External
Async1 , Serial0/0 , Outside Async1 , Serial0/0 , Outside ,
Ethernet1 , Dialer0 , Serial0 ,
Async1 , Serial0/0 , Outside
Shared Policies
No changes
Policy Objects
Ike
191242
Tip To view the report for the current configuration session, close this dialog box and select File > View
Changes.
Related Topics
Submitting an Activity for Approval (Workflow Mode with Activity Approver), page 4-15
Deploying Configurations in Non-Workflow Mode, page 8-27
Note A validation warning (as opposed to an error) will not prevent activity approval or deployment.
When you submit an activity, Security Manager sends an e-mail to the relevant approvers to notify them
that an activity requires approval.
If you are working in Workflow mode without an activity approver, you do not need to submit activities
(in fact, you cannot submit them). You can approve the activity yourself. For more information about
changing activity approval settings, and configuring the e-mail addresses for notifications, see Workflow
Page, page 11-40.
Related Topics
Understanding Activities, page 4-1
Opening an Activity (Workflow Mode), page 4-11
Understanding Activity States, page 4-4
Configuring an SMTP Server and Default Addresses for E-Mail Notifications, page 1-19
Note Security Manager warns you if the e-mail cannot be sent and you must contact the approver
directly.
If you are operating in Workflow mode without an approver, you can approve your own activities. When
working without an approver, you cannot reject an activity, but you can discard it if you do not want to
save your changes. In non-Workflow mode, you use the Submit and Discard commands on the file menu
to submit (and automatically approve) or discard the configuration session.
In Workflow mode with an activity approver, the activity must be submitted before you can open it and
approve it. In this mode, you can also reject the activity.
If you approve an activity, policies and policy assignments are committed to the database and are ready
to be deployed to devices or files. Devices associated with the activity are unlocked, meaning they can
be included in policy definitions and changes in other activities.
If you reject the activity, it is returned to the Edit state and the submitter can reopen the activity to make
the necessary changes and resubmit it for approval. Devices associated with the activity are not
unlocked, meaning that they cannot be included in policy definitions or changes in another activity.
Note After an activity is approved, changes cannot be undone. You must create a new activity and manually
change policies and policy assignments to the desired state.
Related Topics
Understanding Activities, page 4-1
Opening an Activity (Workflow Mode), page 4-11
Understanding Activity States, page 4-4
To discard an activity:
Workflow ModeDo one of the following:
Open an activity, then click the Discard button on the activity toolbar or select Activities >
Discard Activity.
Select Tools > Activity Manager. From the Activity Manager window, select an activity, then
click Discard. Only an activity in the Edit or Edit Open state can be discarded.
Using either method, you are prompted with the Discard Activity dialog box, which allows you to
enter an optional comment to explain why you are discarding the activity. Enter a comment and click
OK to discard it.
Non-Workflow ModeSelect File > Discard to discard the changes in the current configuration
session.
Related Topics
Understanding Activities, page 4-1
Opening an Activity (Workflow Mode), page 4-11
Understanding Activity States, page 4-4
Related Topics
Understanding Activities, page 4-1
Activity Manager Window, page 4-8
The following topics describe the concept of policies in Cisco Security Manager and how to use and
manage them.
Understanding Policies, page 5-1
Discovering Policies, page 5-12
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Managing Shared Policies in Policy View, page 5-46
Understanding Policies
In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network
configuration. You configure your network by defining policies on devices (which includes individual
devices, service modules, security contexts, and virtual sensors) and VPN topologies (which are made
up of multiple devices), and then deploying the configurations defined by these policies to these devices.
Several types of policies might be required to configure a particular solution. For example, to configure
a site-to-site VPN, you might need to configure multiple policies, such as IPsec, IKE, GRE, and so forth.
Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the
policy definition change the behavior of the device.
The following topics describe policies in more detail:
Settings-Based Policies vs. Rule-Based Policies, page 5-2
Service Policies vs. Platform-Specific Policies, page 5-2
Local Policies vs. Shared Policies, page 5-3
Understanding Rule Inheritance, page 5-4
Policy Management and Objects, page 5-7
Understanding Policy Locking, page 5-7
Customizing Policy Management for Routers and Firewall Devices, page 5-10
Rule-Based Policies
Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such
as the access rules and inspection rules defined as part of a firewall service. Rule-based policies can
contain hundreds or even thousands of rules arranged in a table, each defining different values for the
same set of parameters. The ordering of the rules is very important, as traffic flows are assigned the first
rule whose definition matches the flow (known as first matching).
The structure of the rules table depends on whether you configure a local policy or a shared policy (see
Local Policies vs. Shared Policies, page 5-3). If you configure a local rule-based policy for a single
device, the policy contains a flat table of local rules. If you configure a shared rule-based policy (either
in Device view or Policy view), the table is divided into two sections, Mandatory and Default. Mandatory
rules always precede the default rules, and cannot be overridden by local or default rules. The Default
section contains rules that can be overridden by mandatory and local rules. You can define rules in either
the Mandatory or Default section and move rules between sections using cut-and-paste.
When you define certain types of rule-based policies, such as firewall service policies, you can create a
policy hierarchy in which rules located at lower levels in the hierarchy acquire properties from the rules
located above them. This is known as rule inheritance. For example, you can define a set of inspection
rules that apply globally to all firewalls, while supplementing these rules with additional rules that can
be applied to a subset of devices. By maintaining common rules in a parent policy, inheritance enables
you to reduce the chance of introducing configuration errors that will cause deployment to fail. For more
information, see Understanding Rule Inheritance, page 5-4.
Settings-Based Policies
Settings-based policies contain sets of related parameters that together define one aspect of security or
device operation. For example, when you configure a Cisco IOS router, you can define a quality of
service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on which
QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based
policies, which can contain hundreds of rules containing values for the same set of parameters, you can
define only one set of parameters for each settings-based policy defined on a device.
Related Topics
Understanding Policies, page 5-1
For example, the firewall policy domain contains policies for access rules, inspection rules, and
transparent rules, among others. The site-to-site VPN policy domain contains policies for IKE proposals,
IPsec proposals, and preshared keys, among others. Service policies can be applied to any kind of device,
regardless of platform, although there may be some variation in policy definition depending on the
device type.
Platform-specific policy domains contain policies that configure features that are specific to the selected
platform. Not all platform-specific policies are directly related to security. For example, the Router
policy domain contains routing policies, identity policies (Network Admission Control and 802.1x),
policies related to device administration (DHCP, SNMP, device access), and other policies such as QoS
and NAT.
For routers and firewalls (ASA, PIX, FWSM), you can choose which platform-specific policies to
manage. For more information, see Customizing Policy Management for Routers and Firewall Devices,
page 5-10.
Policy 1
Policy 2
Shared
policy 1
Policy 3
181944
For example, if you want all the Cisco IOS routers in your network to implement the same Network
Admission Control (NAC) policy, you need only define a single NAC policy and share it. You can then
assign the shared policy to all the routers in your network with a single action. For more information,
see Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager, page 5-45.
Any changes that you make to a shared policy are automatically applied to all the devices to which it is
assigned. As a result, shared policies both streamline the process of policy creation and help maintain
consistency and uniformity in your device configurations.
For more information about the actions you can perform on shared policies, see Working with Shared
Policies in Device View or the Site-to-Site VPN Manager, page 5-34.
Tip In addition to sharing policies, you can choose to inherit the rules of a rule-based policy when defining
another policy of the same type. This makes it possible, for example, to maintain a set of corporate access
rules that apply to all firewall devices while providing the flexibility to define additional rules on
individual devices as required. For more information, see Understanding Rule Inheritance, page 5-4.
Related Topics
Understanding Policies, page 5-1
Mandatory ACE-1
Mandatory ACE-2 Mandatory rules from
.... parent policy
Mandatory ACE-n
Local ACE-1
Local ACE-2 Local rules in
.... child policy
Local ACE-n
Default ACE-1
Default ACE-2
Default rules from
.... parent policy
Default ACE-n
182194
Deny any any
The policy defined on the branch device is a child of the regional policy and a grandchild of the corporate
policy. Structuring inheritance in this manner enables you to define mandatory rules at the corporate
level that apply to all devices and that cannot be overridden by rules at a lower level in the hierarchy. At
the same time, rule inheritance provides the flexibility to add local rules for specific devices where
needed.
Having default rules makes it possible to define a global default rule, such as deny any any, that
appears at the end of all access rule lists and provides a final measure of security should gaps exist in
the mandatory rules and default rules that appear above it in the rules table.
Inheritance Example
For example, you can define a mandatory worm mitigation rule in the corporate access rules policy that
mitigates or blocks the worm to all devices with a single entry. Devices configured with the regional
access rules policy can inherit the worm mitigation rule from the corporate policy while adding rules that
apply at the regional level. For example, you can create a rule that allows FTP traffic to all devices in
one region while blocking FTP to devices in all other regions. However, the mandatory rule at the
corporate level always appears at the top of the access rules list. Any mandatory rules that you define in
a child policy are placed after the mandatory rules defined in the parent policy.
With default rules, the order is reverseddefault rules defined in a child policy appear before default
rules inherited from the parent policy. Default rules appear after any local rules that are defined on the
device, which makes it possible to define a local rule that overrides a default rule. For example, if a
regional default rule denies FTP traffic to a list of destinations, you can define a local rule that permits
one of those destinations.
Related Topics
Settings-Based Policies vs. Rule-Based Policies, page 5-2
Understanding Access Rules, page 14-1
Understanding Global Access Rules, page 14-3
Inheritance vs. Assignment, page 5-6
Inheriting or Uninherting Rules, page 5-42
Note Inheritance works differently for IPS signature policies and signature event actions. For
more information, see Understanding Signature Inheritance, page 33-3.
AssignmentWhen you assign a shared policy to a device, you replace whatever was already
configured on the device with the selected policy. This holds true whether the device previously had
a local policy or a different shared policy of that type.
Therefore, when working with rule-based policies such as access rules, you must use discretion when
choosing these options. Use inheritance to supplement the local rules on the device with additional rules
from a parent policy. Use assignment to replace the policy on the device with a selected shared policy.
Tip To prevent overwriting your local rules by mistake, Security Manager displays a warning message when
you select the Assigned Shared Policy option for a rule-based policy. The message provides you the
option of inheriting the rules of the policy instead of assigning it. Choose the inheritance option if you
want to preserve your local rules.
Related Topics
Understanding Rule Inheritance, page 5-4
Inheriting or Uninherting Rules, page 5-42
Local Policies vs. Shared Policies, page 5-3
Settings-Based Policies vs. Rule-Based Policies, page 5-2
Related Topics
Understanding Policies, page 5-1
Tip Security Manager also obtains activity (or configuration session) locks, which are broader in scope than
policy locks, when users perform some actions. For more information, see Activities and Locking,
page 4-3.
Lock Types
Security Manager uses two different types of locks:
Policy content locksLocks the content of a particular policy. The banner displayed above the work
area reads:
This data for this policy is locked by activity/user: <name>.
The content lock prevents other users from making any changes to the configuration of the locked
policy.
Assignment locksLocks the assignment of a policy type to a particular device. The banner
displayed above the work area reads:
The assignment of this policy is locked by activity/user: <name>.
For a local policy, an assignment lock prevents other users from unassigning the policy or assigning
a shared policy of the same type in place of the local policy. For a shared policy, an assignment lock
prevents other users from assigning a different shared policy of the same type in place of one already
assigned.
These locks can either work together or independently of one another, depending on the actions being
performed by the user. If both locks are active at the same time, the banner displayed above the work
area reads:
This policy is locked by activity/user: <name>.
See Understanding Locking and Policies, page 5-8 for a summary of the effects locking has on the
actions you can perform.
Releasing Locks
After is locked is enabled, it remains in place until you either submit your changes (when working in
non-Workflow mode) or submit and approve the activity (when working in Workflow mode). If you
discard the activity, any locks generated by the activity are also discarded. For more information about
workflow modes, see Workflow and Activities Overview, page 1-11.
Keep in mind that:
Locks are based on the device name, not the IP address of the device. Therefore, we recommend that
you avoid defining two devices with different names but the same IP address in Security Manager.
Any attempt to deploy to both devices, especially at the same time, leads to unpredictable results.
In addition, locks do not extend across different operations. For example, locking does not prevent
one user from deploying to the same device that is being discovered by a different user.
Additional details about locking can be found in the following sections:
Understanding Locking and Policies, page 5-8
Understanding Locking and VPN Topologies, page 5-9
Understanding Locking and Objects, page 5-10
Note The ability to modify policies and policy assignments is dependent on the user permissions assigned to
the user. See the Installation Guide for Cisco Security Manager.
Related Topics
Understanding Policy Locking, page 5-7
Understanding Policies, page 5-1
Note Unassigning devices from a VPN topology also creates device locks in the VPN topology, which means
that these devices cannot be deleted from the inventory. Other users cannot edit the device assignments
for the topology until you deploy configurations to all affected devices, including those you remove. The
device is not actually removed from the topology until you deploy configurations.
Related Topics
Understanding Policy Locking, page 5-7
Chapter 21, Managing Site-to-Site VPNs: The Basics
Related Topics
Understanding Policy Locking, page 5-7
Chapter 6, Managing Policy Objects
Caution If you use AUS or CNS to deploy configurations to ASA or PIX devices, be aware that the device
downloads a full configuration from AUS or CNS. Thus, reducing the policies managed by Security
Manager actually removes the configurations from the device. If you intend to deselect some ASA/PIX
policies for management to use other applications along with Security Manager to configure devices, do
not use AUS or CNS.
The ability to customize policy management on routers and firewalls makes it possible, for example, to
use Security Manager to manage DHCP and NAT policies while leaving routing protocol policies, such
as EIGRP and RIP, unmanaged. These settings, which can be modified only by a user with administrative
permissions, affect all Security Manager users.
Unmanaged policies are removed from both Device view and Policy view. Any existing policies of that
type, local or shared, are removed from the Security Manager database.
To customize policy management for routers and firewalls, select Tools > Security Manager
Administration > Policy Management to open the Policy Management Page, page 11-31. The policy
types are organized in folders, with router and firewall (which includes all ASA, PIX, and FWSM
devices) handled separately. Select or deselect policy types as desired and click Save. Subsequent
processing depends on whether you are changing a policy type to be managed or unmanaged:
Unmanaging a policy typeIf you unmanage a policy type, and any device of that type has that
policy configured, you must unassign the policies before unmanaging them. Security Manager
displays a list of all devices that have assigned policies of that type, including the policy name,
device name, and the user or activity that has a lock on the policy. If you click Yes to continue
unmanaging the policy, Security Manager obtains the required locks, unassigns the policies, and
then unmanages the policy type.
If a lock could not be obtained for even one device, no policies are unassigned, the policy type is not
unmanaged, and you are told of the problem. You can then either manually unassign the policies
from the affected devices, or release the user or activity locks, and try again to unmanage the policy
type.
Note Unmanaging a policy has no effect on the active configuration running on the device;
Security Manager does not remove the configuration from the device. Instead, unmanaging
the policy removes it from the database, and Security Manager no longer considers that part
of the device configuration.
Managing a previously-unmanaged policy typeIf you start managing a policy type that you
previously did not manage using Security Manager, it is possible that the active configuration on the
device has commands controlled by the newly-managed policy type. It is therefore important that
you rediscover policies on all devices of that type (either all routers or all ASA, PIX, FWSM
devices). This ensures that Security Manager has the current configuration for these policies.
If you do not rediscover policies and leave the newly-managed policies unconfigured, on the next
deployment to the device, the existing settings configured on the device are removed. For more
information on discovering policies on devices already managed, see Discovering Policies on
Devices Already in Security Manager, page 5-15.
Note Features that are unmanaged by Security Manager can still be modified manually with CLI commands
or FlexConfigs. For more information about FlexConfigs, see Chapter 7, Managing FlexConfigs.
Discovering Policies
Policy discovery enables you to bring your existing network configuration into Security Manager to be
managed. Policy discovery can be performed by importing the configuration of a live device or by
importing a configuration file. If you import a configuration file, the file must have been generated by
the device (for example, by using the show run command on Cisco IOS Software devices); you cannot
discover configuration files in any other format.
You can initiate policy discovery when you add a device by selecting the relevant options in the New
Device wizard. For more information, see Adding Devices to the Device Inventory, page 3-6.
You can also initiate policy discovery on existing devices from Device view. For more information, see
Discovering Policies on Devices Already in Security Manager, page 5-15.
When you initiate policy discovery on a device, the system analyzes the configuration on the device and
then translates this configuration into Security Manager policies and policy objects so that the device
can be managed. Warnings are displayed if the imported configuration completes only a partial policy
definition. If additional settings are required, you must go to the relevant page in the Security Manager
interface to complete the policy definition. Warnings and errors are also displayed if the imported
configuration is invalid.
After performing policy discovery, you must submit your changes (or approve your activity when
working in Workflow mode) to have the information included in change reports and to make the
information available to other users. If you make any changes to the discovered policies, you must
deploy the changes to the device for them to take effect. For more information, see Chapter 8, Managing
Deployment.
Tip Use the Security Manager Administration window to configure discovery-related settings that apply to
all devices. For more information, see Discovery Page, page 11-17.
Tip We recommend that you deploy to a file immediately after discovering a Site-to-Site VPN. This enables
Security Manager to assume full management of the relevant CLI commands that are configured on the
device.
IPSec and SSL Remote Access VPNsYou can discover IPSec and SSL VPNs when you discover
policies on the device, either when you add the device to the inventory or if you discover policies
on a device already in the inventory. Policies related to these VPNs are treated as regular device
policies. However, when selecting discovery options, you must specifically select to discover RA
VPN policies. For more information, see Adding Devices to the Device Inventory, page 3-6 and
Discovering Policies on Devices Already in Security Manager, page 5-15.
Note If you add a device using a configuration file, and discover security policies while adding
the device, Security Manager cannot successfully discover policies that require that files be
downloaded from the discovered device. This especially affects devices that include the svc
image command in a web VPN configuration. Because Security Manager does not have the
referenced file in its database, the no form of the command is generated for the discovered
configuration.
Tip We recommend that you deploy to a file immediately after discovering a Cisco IOS router or Catalyst
device. This enables Security Manager to assume full management of the relevant CLI commands that
are configured on the device.
discover policies just for an individual virtual sensor; you can discover policies only on the parent
device. If policies are discovered on the parent device that are not assigned to any virtual sensors, those
policies are created as shared policies that are not assigned to any device or virtual sensor.
After discovering an IPS device that contains virtual sensors, you must submit your changes to the
database for the virtual sensors to appear in the device selector.
Note For IOS devices, any objects discovered that are used by access control lists that are discovered as ACL
objects are subsequently replaced during deployment by the contents of the object. Object groups used
with ACL objects are not preserved, although they are discovered as Security Manager policy objects.
Related Topics
Frequently Asked Questions about Policy Discovery, page 5-25
Viewing Policy Discovery Task Status, page 5-20
Understanding Policy Object Overrides for Individual Devices, page 6-13
Caution If you perform policy discovery on a device after configuring policies in Security Manager but before
you deploy your changes, the discovered policies overwrite the undeployed changes. For example, if you
select the option to discover platform-specific settings, the discovered configuration overwrites any
platform-specific undeployed policies you configured in Security Manager. This is true even if the
discovered configuration does not include the specific platform policy you configured. For example,
discovering platform-specific settings overwrites any routing policies that you have configured for the
device in Security Manager, even if the configuration you discover does not contain any routing
information. Another result of rediscovery is that any shared policies that were configured on the device
are replaced by the local policies that are discovered.
Deployment Manager). If you inadvertently rediscover policies during a deployment job, wait until the
deployment job is completed and then discover policies again to ensure that Security Manager is
synchronized with the device.
Related Topics
Viewing Policy Discovery Task Status, page 5-20
Discovering Policies, page 5-12
Frequently Asked Questions about Policy Discovery, page 5-25
Understanding Policies, page 5-1
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Managing Shared Policies in Policy View, page 5-46
Step 1 Decide whether you need to discover policies on a single device or if you want to discover policies on
more than one device at a time. Policy discovery options vary based on how you start the discovery
process.
Single device discoveryIf you need to discover policies related to any of the following, you can
do it using only single-device discovery. (Note that single-device discovery is the type of discovery
performed when you add a device to the inventory.)
Security context configurations for ASA, PIX, and FWSM devices running in multiple context
mode.
Virtual sensor configurations for IPS devices.
Service module information for Catalyst devices.
Policy discovery from a configuration file.
Policy discovery from the factory default configuration.
Bulk rediscoveryIf you need to discover policies for more than one device, you can perform bulk
rediscovery. However, bulk rediscovery can be performed only on live devices (that is, devices
currently running and accessible in your network), and you cannot discover security context, virtual
sensor, or Catalyst service module configurations. (You can discover service modules if you select
them directly instead of selecting the device that contains them.)
Step 2 If you want to perform single-device discovery, do the following:
a. In device view or map view, ensure that only one device is selected, then right-click and select
Discover Policies on Device. This opens the Create Discovery Task dialog box.
Tip: If the dialog box is called Bulk Rediscovery, you need to close the dialog box and try again.
Ensure that only a single device is selected and reissue the command. You must use the right-click
menu; it is the only way to perform single-device discovery.
b. Modify the discovery task name, if desired, and select the following discovery options. For detailed
information, see Create Discovery Task and Bulk Rediscovery Dialog Boxes, page 5-18.
Discover FromWhether you are discovering from a live device (which is active and
accessible in the network), a configuration file (click Browse to select the file on the Security
Manager server), or factory default configuration (for ASA, PIX, and FWSM devices running
an OS version for which a factory default configuration exists). You can discover the default
configuration only for devices that run in single-context mode or for individual security
contexts.
Tip: We recommend that you use the Factory Default Configuration settings when you add PIX,
ASA, and FWSM devices manually (as described in Adding Devices by Manual Definition,
page 3-20). You should discover the default configuration for single-context mode devices and for
each security context on a multiple-context mode device. For more information about
factory-default policies, see Default Firewall Configurations, page 39-1.
Discover Policies for Security ContextsSelect this option for firewall devices running in
multiple-context mode if you want to discover policies for the security contexts defined on
them.
c. Select the types of policies you want to discover. For more information about the difference between
different types of policies, see Service Policies vs. Platform-Specific Policies, page 5-2.
InventoryDiscovers basic device information (such as hostname and domain name),
interfaces, and security contexts on devices running in multiple-context mode. On Cisco IOS
routers, this option also discovers all interface-related policies, such as DSL, PPP, and PVC
policies.
Platform SettingsDiscovers platform-specific policies, such as routing policies.
Firewall ServicesDiscovers firewall services policies, such as access rules and inspection
rules, on all platforms.
RA VPNDiscovers IPSec and SSL remote access VPN policies, such as IKE proposals and
IPsec proposals.
IPSDiscovers IPS policies, such as signatures and virtual sensors.
d. Click OK. The discovery task is initiated and the Discovery Status dialog box opens so you can view
the task status (see Discovery Status Dialog Box, page 5-21). You cannot perform other tasks in
Security Manager while discovery is in progress.
Step 3 If you want to perform bulk rediscovery, do the following:
a. In device view, do one of the following:
Select a device group, or multiple devices, then right-click and select Discover Policies on
Device. Ensure that the Bulk Rediscovery dialog box opens.
Tip: If the dialog box is called Create Discovery Task, you need to close the dialog box and try
again. Ensure that a device group or more than one device is selected and reissue the command.
Select Policy > Discover Policies on Device. This opens the Device Selector dialog box. Select
the devices you want to discover from the Available Devices list and click >> to move them to
the Selected Devices list. Click Next.
Note If you use the right-click command, Security Manager assumes you have selected the desired
devices. You can always click the Back button to go to the Device Selector screen and
change the device list.
b. Modify the discovery task name, if desired, and select discovery options. For detailed information,
see Create Discovery Task and Bulk Rediscovery Dialog Boxes, page 5-18.
The devices are organized in groups according to device type, with your device groups (if any)
shown within each type:
To change options for all devices of a given type, select the device type folder and modify the
Discover Device Settings options. If the Discover drop-down list shows Multiple Values, then
there are different discovery options selected for devices of that type. If you change the value,
it changes for all devices. The check boxes for the policy types (explained above for
single-device discovery) are available only if you select Policies and Inventory. Only options
available for all devices in the selected group are shown, so you might need to select individual
devices separately to select the most appropriate set of options.
To change options for a single device, click the + icons next to folders to open them until you
find the device, select the device, and then select the discovery options.
c. Click Finish. The discovery task is initiated and the Discovery Status dialog box opens so you can
view the task status (see Discovery Status Dialog Box, page 5-21). You cannot perform other tasks
in Security Manager while discovery is in progress.
Navigation Path
In Device view, select a device from the Device selector and do one of the following:
Select Policy > Discover Policies on Device to perform bulk rediscovery.
Right-click the device in the Device selector and select Discover Policies on Device. If a single
device is selected, you get the Create Discovery Task dialog box. Otherwise, you are performing
bulk rediscovery.
Tip You can also right click a device in Map view and select Discover Policies on Device.
Related Topics
Discovering Policies, page 5-12
Viewing Policy Discovery Task Status, page 5-20
Selecting or Specifying a File or Directory on the Server File System, page 1-35
Discovery Status Dialog Box, page 5-21
Field Reference
Element Description
Discovery Task Name The name assigned to the discovery task. Security Manager
automatically generates a name for the task based on the current date
and time, but you can modify this name as desired.
Element Description
Selected Devices table The devices you selected for rediscovery. The devices are organized in
(Bulk rediscovery only.) groups according to device type, with your device groups (if any)
shown within each type:
To change options for all devices of a given type, select the device
type folder and modify the Discover Device Settings options. If the
Discover drop-down list shows Multiple Values, then there are
different discovery options selected for devices of that type. If you
change the value, it changes for all devices. The check boxes for
the policy types (explained above for single-device discovery) are
available only if you select Policies and Inventory. Only options
available for all devices in the selected group are shown, so you
might need to select individual devices separately to select the
most appropriate set of options.
To change options for a single device, click the + icons next to
folders to open them until you find the device, select the device,
and then select the discovery options.
Tip: To change which devices are selected for rediscovery, click Back
to go to the Device Selector dialog box.
Discover From The source of policy information to be discovered:
Config. File Live DeviceDiscover policies directly from the device.
(Not available for bulk Config FileDiscover policies from a configuration file. Specify
rediscovery.) the location of the file in the Config File field. Click Browse to
select the file on the Security Manager server.
You can discover policies only from configuration files that were
generated from the device (for example, with the show run
command). For more information, see Adding Devices from
Configuration Files, page 3-16.
Factory Default ConfigurationPerforms discovery on a firewall
device using a file containing the factory-default settings for that
device. Security Manager automatically chooses the appropriate
file for the selected device (shown in the Config File edit box). This
option is available only if Security Manager has a default
configuration for the OS version running on an ASA, PIX, or
FWSM device. You can discover the default configuration only for
devices that run in single-context mode or for individual security
contexts. For more information, see Default Firewall
Configurations, page 39-1.
Discover Policies for Whether to discover policies for each security context that is configured
Security Contexts on a firewall device running in multiple-context mode. This field
applies only to PIX, ASA, and FWSM devices.
(Not available for bulk
rediscovery.) When deselected, Security Manager treats the entire device as having a
single set of policies configured in single-context mode.
For more information about security contexts, see Chapter 49,
Configuring Security Contexts on Firewall Devices.
Element Description
Policies to Discover (for The policy types to discover on the selected device.
single-device discovery) Note For bulk rediscovery, select Policies and Inventory to enable
Discover Device Settings (for the options, and Inventory Only to discover the inventory
bulk rediscovery) without discovering other policy types. If the drop-down list
has Multiple Values selected, this means that the devices in the
selected group have different discovery options selected. If you
change the selection, your change applies to all the devices in
the group.
The Discovery Status dialog box also displays the appropriate warning and error messages if any
problems are encountered during the discovery process. For example, if the CLI commands in a
configuration file do not define a complete Security Manager policy, a warning message is displayed that
you must complete the policy definition in the relevant Security Manager policy page.
For more information, see Discovery Status Dialog Box, page 5-21.
To view information about previous discovery tasks, select Tools > Policy Discovery Status to open the
Policy Discovery Status window. Select the discovery task in the top pane of the window, and the results
of the task are displayed in the lower panes. For more information about using the Policy Discovery
Status window, see Policy Discovery Status Page, page 5-23.
Related Topics
Discovering Policies on Devices Already in Security Manager, page 5-15
Frequently Asked Questions about Policy Discovery, page 5-25
Discovering Policies, page 5-12
Related Topics
Viewing Policy Discovery Task Status, page 5-20
Discovering Policies, page 5-12
Adding Devices from the Network, page 3-8
Adding Devices from Configuration Files, page 3-16
Adding Devices from an Inventory File, page 3-24
Field Reference
Element Description
Progress bar Indicates what percentage of the discovery task on the current device
has been completed.
Status The current state of the discovery task.
Devices to be discovered The total number of devices being discovered during this task. The
number includes service modules, security contexts, and virtual
sensors.
Devices discovered The number of devices discovered without errors.
successfully
Element Description
Devices discovered with The number of devices that generated errors during discovery.
errors
Discovery Details table The devices that are being discovered. Select a device to see the
messages generated during the discovery of that device in the message
list below the summary list. Besides the device name, information in
the table includes:
SeverityThe overall severity level of the discovery task. For
example, if the discovery task completed successfully, an
Information icon is displayed. If the task failed, an Error icon is
displayed.
StateThe current state of the policy discovery task for the
selected device:
Device AddedThe device has been added to Security
Manager, but policy discovery has not yet started.
Discovery StartedPolicy discovery has started.
Reading and Parsing Device ConfigThe policy discovery
task is interpreting the device configuration.
Importing ObjectsThe policy discovery task is importing
objects from the configuration.
Importing PoliciesThe policy discovery task is importing
policies from the configuration.
Discovery CompletePolicy discovery has been completed
successfully.
Discovery FailedPolicy discovery failed due to errors.
Discovered FromThe source of policy information. For example,
when discovering from a configuration file, this field displays the
name and path of the file.
Messages list The messages generated during the discovery for the selected device.
Select a message to see detailed information in the fields to the right of
the list.
Description Additional information about the message selected in the message list.
Action The steps you should take to resolve the described problem.
Abort button Aborts the discovery task.
If you abort the task when performing policy discovery on a single
device, the result is partial discovery of that device. In such cases, we
recommend deleting the information (for example, by discarding the
activity) and starting again.
If you abort the task when performing policy discovery on multiple
devices, Security Manager automatically discards the information for
any partially discovered device. Devices for which discovery was
completed before you aborted the operation are fully discovered.
Navigation Path
Select Tools > Policy Discovery Status.
Related Topics
Viewing Policy Discovery Task Status, page 5-20
Field Reference
Element Description
Task Table
The upper portion of the window lists the previous policy discovery or device addition tasks. Select a
task to view detailed information about it in the lower portion of the window. The columns in the table
provide overall status information for the task.
When adding devices that contain security contexts, the context discovery appears as a separate Policy
Discovery task.
Name The name of the discovery or device addition task. This might be a
system generated name or a name you specified when rediscovering
device policies.
Type The type of task, either Policy Discovery (when you rediscover device
policies) or Add Device (when you add a device using the New Device
wizard and elect to discover policies).
Start Time The time the task started.
End Time The time the task stopped.
Status The overall status of the task. One of the following:
Completed successfullyThe task succeeded.
Completed with errorsThe task was partially successful. This
could occur if all policies were not discovered or if the device was
added but no policies were discovered.
Completed with warningsThe task was successful but a minor
problem occurred.
FailedThe task failed. No polices were discovered or no device
was added because of errors or because you stopped discovery.
Refresh button Click this button to refresh the task list to update the information if
there are tasks running in the background or if new tasks were created.
Delete button Click this button to delete the selected task from the database. Deleting
old tasks does not affect the related devices or discovered policies.
Element Description
Discovery Details or Import Details Tables
These tables display the devices included in the selected task. The name differs depending on the type
of task (Discovery Details for Policy Discovery tasks, Import Details for Add Device tasks).
Select a device to see the messages generated during the task for that device in the message list below
the table.
Device The name of the device. If the name is followed by (deleted), the device
is no longer in the Security Manager inventory.
Config File The location of the configuration file. This field is displayed only if you
(Import Details only) are importing from a configuration file.
Element Description
Description Additional information about the message selected in the message list.
Action The steps you should take to resolve the described problem.
Question: I am using Cisco Secure ACS to manage authentication and authorization to Security
Manager. How does this affect policy discovery?
Answer: You must add all managed devices to Cisco Secure ACS before you can perform policy
discovery and manage these devices in Security Manager. This includes security contexts on
PIX/ASA/FWSM devices. For more information, see the Installation Guide for Cisco Security Manager.
Question: What should I do after discovering VPN or router platform policies?
Answer: Due to the way these features are discovered, Security Manager does not assume management
of discovered VPN and router platform policies until after it deploys them. This means that if you
discover a router, unassign one of its policies and deploy, no commands are removed from the routers
configuration. We recommend, therefore, that you perform deployment to a file immediately after
discovering VPN or router platform policies, before you make any changes to those policies. After this
initial deployment, you can reconfigure these policies and deploy your changes as required.
Question: If I discover policies on a device and then deploy the policies from Security Manager without
changing them, what is the difference between the original configuration on the device and the one that
exists after the deployment?
Answer: Typically, there will be no differences between the new configuration and your original one,
assuming you set up FlexConfigs for any unsupported CLI commands. However, in certain cases minor
changes might occur in your ACL or object-group naming schemes. For more information, see How
Policy Objects are Provisioned as Object Groups, page 6-75. In addition, any discovered objects that are
not being used by a policy are removed from the configuration. There can also be instances where the
new configuration is functionally equivalent to the old one but does not use the same commands.
Question: How does Security Manager handle my current CLI naming schemes for ACLs and object
groups?
Answer: When you discover policies from a device, Security Manager tries to use the same names you
have used. However, depending on your naming scheme, some minor differences might occur between
what you defined on your device and the policies created through discovery. Additionally, there is a
possibility that a naming conflict can occur between an existing ACL or object on the device and the
name required for the new policy or object; in this case, Security Manager generates a different name so
as not to misconfigure the device. For example, if the name of a discovered object conflicts with an
object of the same type that already exists in Security Manager, a suffix is added to the name of the new
object to make it unique or a device-level override is created.
Question: Are all configuration commands discovered and brought into Security Manager?
Answer: No. Security Manager does not discover all device configuration commands. Instead, it
discovers security policies. For any configuration commands not discovered, use the FlexConfig feature
to include the commands that Security Manager does not support.
Question: If I rediscover policies on a device already in Security Manager, what happens to the policies
assigned to the device?
Answer: If you rediscover policies on a device that you are already managing with Security Manager,
the newly discovered policies replace the ones assigned to the device. All policies within the selected
policy domain (firewall services, platform settings, or both) are replaced, not just the ones that are
different on the device compared to the ones in the Security Manager database. If you assigned shared
policies to the device, the assignment is removed and the shared policy is left unchanged (so that other
devices that use the shared policy are not affected). After policy discovery, all policies assigned to the
device are specific to that device; none of them are shared with other devices. If you want to use shared
policies with the device, you must redo the assignments after policy discovery.
Question: Does Security Manager use existing policies and objects during policy discovery?
Answer: During policy discovery, Security Manager uses existing policy objects (ones that you already
defined in Security Manager) when creating policies for the device. However, Security Manager does
not reuse existing policies; all policies created during discovery are local to the device being discovered.
Thus, you might find it beneficial to define your policy objects (such as network objects) before adding
devices to Security Manager.
Question: After adding a device and discovering policies, I cannot submit my changes to the database;
instead I get warnings such as Connection Policies Not Set. What must I do to complete the device
addition?
Answer: When you add a device and discover policies (particularly when you add devices from
configuration files), Security Manager warns you if the resulting configuration is incomplete in ways
that will prevent it from successfully managing the device. Connection policies, for example, are simply
the device credentials (user names and passwords) required to log into the device, as well as other
connection-related configuration settings (such as HTTP settings). Because these missing settings result
in an invalid configuration or prevent Security Manager from contacting and managing the device later,
you are prevented from submitting the changes to the database. Ensure that you have complete and valid
configurations for these settings, then resubmit your changes to the database.
Question: Why does the AAA policy not show the AAA configuration that I discovered on the device?
Answer: The AAA policy contains the default configurations for authentication, authorization, and
accounting. Other AAA commands that specify a particular list name are mapped to the policies that
reference them. If the list name is not referenced by a policy, it is not discovered.
Question: Why are parts of the AAA method list definitions configured on my router not discovered?
Answer: Security Manager does not support certain keywords, such as if-needed. Method lists
containing these keywords are discovered without the keyword. If the default AAA definitions on the
device contain unsupported keywords, the entire command is not discovered.
Question: Can I discover AAA servers on devices running IOS software that were configured using the
server-private command?
Answer: Yes, you can discover these servers. However, Security Manager converts them into standard
AAA servers that can be used globally or in multiple AAA server groups. The server-private command
is not supported.
Question: What do I need to know about discovery and device hostnames?
Answer: When you discover a device, the hostname policy is populated with the hostname discovered
on the device. However, the hostname listed in Device Properties is not updated with this value. Ensure
that the hostname defined in the device properties is the correct DNS name for the device. For more
information, see Understanding Device Properties, page 3-5.
To access Device view, select View > Device View or click the Device View button on the toolbar. To
access the Site-to-Site VPN Manager, select Tools > Site-to-Site VPN Manager or click the Site-to-Site
VPN Manager button on the toolbar.
Related Topics
Understanding the Device View, page 3-1
Managing Shared Policies in Policy View, page 5-46
Understanding Policies, page 5-1
Icon Status
The policy is not configured. Upon deployment, any policy of this type already present
on the device is effectively removed.
A local policy is configured. The definition of this policy affects only the device or
VPN topology on which it is configured.
A shared policy is configured. Any changes to the definition of this policy affect all of
the devices or VPN topologies to which this policy is assigned.
Related Topics
Understanding Policies, page 5-1
Related Topics
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Managing Shared Policies in Policy View, page 5-46
Understanding Policies, page 5-1
Related Topics
Understanding the Device View, page 3-1
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Copying Policies Between Devices, page 5-30
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Step 1 In Device view, select a device from the Device selector, then select a policy for that device from the
Device Policies selector. The details of the policy appear in the work area.
Step 2 Modify the definition of the policy as required. Click the Help button to access information specific to
the selected policy. For more information, see:
Chapter 21, Managing Site-to-Site VPNs: The Basics
Chapter 26, Managing Remote Access VPNs
Chapter 12, Introduction to Firewall Services
Overview of IPS Configuration, page 30-5
Overview of Cisco IOS IPS Configuration, page 38-3
Chapter 51, Managing Routers
Chapter 39, Managing Firewall Devices
Chapter 58, Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
Step 3 Click Save to save your changes.
If this is the first time you are configuring this policy on this particular device, the icon next to the
selected policy changes to indicate that the policy is configured and assigned locally to the device. For
more information about policy status icons, see Policy Status Icons, page 5-28.
After you save the policy, the policy is configured but you are the only one who can view the changes.
There are additional steps to take to commit your changes and to deploy them to the device. The exact
changes depend on whether you are working in Workflow or non-Workflow mode. Before taking the
additional steps, configure all of the policies that you want to deploy; you are not required to deploy
policy changes one at a time.
Tips
If your intention is to assign a single shared policy to additional devices, we recommend that you
use the assignment feature, rather than copying the policies. For more information about sharing
policies in Device view, see Modifying Shared Policy Assignments in Device View or the
Site-to-Site VPN Manager, page 5-45.
To create a new device of the same type that shares the same configuration and properties (including
the operating system version, credentials, and grouping attributes) as the source device, use the
Clone Device feature. For more information, see Cloning a Device, page 3-46.
Related Topics
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Configuring Local Policies in Device View, page 5-29
Understanding the Device View, page 3-1
Policy Status Icons, page 5-28
Filtering Items in Selectors, page 1-30
Tip You can also right click a device in Map view and select Copy Policies Between Devices.
Step 2 Select the policies you want to copy on the Select Policies to Copy page. Initially, most policies from
the source device (both local and shared) that can be copied are selected. You can change the selection,
however, if you select a policy that depends on another policy, you must select the dependant policies.
Security Manager will prompt you if your selections are not valid.
Consider the following when selecting policies:
Selecting the check box for a policy group selects all of the policies in that group.
When you copy policies between firewall devices (ASA, PIX, FWSM), copying the failover policy
automatically copies the interface policy and vice-versa.
It is usually not a good idea to copy interface policies, because these policies can have specific IP
addresses. Other types of policies that you should carefully consider before copying them include
NAT, routing, or the IPS policy on IOS devices.
If you select the security contexts policy (for FWSM, PIX Firewall, or ASA devices), you must
submit your changes after copying the devices for the contexts to appear in the device selector. In
non-Workflow mode, select File > Submit. In Workflow mode, submit your activity.
Step 3 Use the policy object copy options to determine how policy objects are handled. These options are not
mutually exclusive, and the combination you select has important implications on how the policies are
defined on the target devices.
Tip After selecting devices, Click the Preview button to view a summary of the policies that will be
copied. The summary shows the selected devices, the policies that will be copied to them, and
any overrides that will be created, updated, or deleted due to the copied policies.
Step 5 Click Finish. You are asked to confirm that you want to copy policies.
The policies are copied to the target devices. If the copy operation fails for any target device, the copy
is undone for successful devices, and you are shown a list of reasons why the copy failed for each
problem device. Typically, copy failures are because someone else has a lock on a policy or device, or
you do not have the required permissions to a device.
Unassigning a Policy
If you unassign a policy that has already been deployed to a device, in most cases the values that are
defined for the policy are erased, effectively removing the policy from the devices planned
configuration. When you perform deployment, the configuration for this feature that already exists on
the device is removed.
The exact behavior depends on the type of policy that you unassign:
Firewall service policiesIf you unassign a policy, Security Manager erases the policy from the
device.
VPN policies:
Site-to-site VPN policiesYou cannot unassign mandatory site-to-site VPN policies from the
devices in the topology. If you unshare a mandatory policy, Security Manager assigns default
values to the affected device. If you unassign an optional policy, Security Manager erases the
configuration from the device. For more information, see Understanding Mandatory and
Optional Policies for Site-to-Site VPNs, page 21-6.
IPSec remote access VPN policiesIf you unassign a policy, Security Manager erases the
policy from the device, even if it is a mandatory policy. In most cases, deployment fails if you
do not create a new definition for the mandatory policy. In those cases where deployment does
not fail, the device will fail to establish VPN tunnels.
SSL VPN policiesIf you unassign a policy, Security Manager erases the policy from the
device.
Catalyst 6500/7600 or Catalyst switch policiesInterface and VLAN policies cannot be shared or
unassigned. If you unassign a platform policy (such as IDSM settings or VLAN access lists)
Security Manager removes the policy from the device.
IPS policiesFor all IPS device and service policies, a default policy is assigned to the device.
PIX/ASA/FWSM policiesPolicies that you cannot share with other devices cannot be unassigned
from the device on which they are created. This includes interface, failover, security context, and
resource policies. For other policy types (such as timeout policies), Security Manager makes a best
effort to restore the system default configuration on the device.
IOS router policiesCore connectivity policies, such as basic interface settings and accounts and
credentials policies cannot be unassigned from the device on which they are created. If you unassign
a device access policy that was used to define the password for configuring the device, you might
prevent Security Manager from configuring that device in the future. For more information, see User
Accounts and Device Credentials on Cisco IOS Routers, page 53-13.
If you unassign a VTY or console policy, Security Manager restores a default configuration to
ensure continued communication with the device. For all other policy types, if you unassign the
policy, Security Manager erases the configuration from the device.
Related Topics
Configuring Local Policies in Device View, page 5-29
Copying Policies Between Devices, page 5-30
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Working with Shared Policies in Device View or the Site-to-Site VPN Manager
Sharing policies makes it possible to configure multiple devices with common policies, which provides
greater consistency in your policy definitions and streamlines your management efforts. Any changes to
a shared policy affect all the devices and VPN topologies to which the policy is assigned. This makes it
easy, for example, to update all of your Cisco IOS routers with new quality of service policies by
updating the shared Quality of Service policy assigned to these devices.
When working in Device view or the Site-to-Site VPN Manager, you can take a local policy (such as a
policy created during device discovery) and share it. You can then assign the shared policy to as many
devices or VPN topologies as you want (provided they are not locked by another user; see Understanding
Policy Locking, page 5-7), and you can change these assignments at any time.
In addition, you can take a shared policy that is assigned to a device or VPN topology and turn it into a
local policy for that particular device or topology. This enables you to create a special configuration that
affects only that device or topology. Other devices or topologies assigned the shared policy continue to
use the shared policy as before.
As an alternative to sharing local policies, you can create new shared policies and manage them at the
network level using Policy view. For more information, see Managing Shared Policies in Policy View,
page 5-46. After creating the shared policy and assigning it to devices or VPN topologies in Policy view,
you can return to Device view or the Site-to-Site VPN Manager and perform additional operations on
the policy as described in the sections that follow. Note that all shared policies that you create in Device
view or the Site-to-Site VPN Manager automatically appear as shared policies in Policy view.
Tip In Device view or the Site-to-Site VPN Manager, if you edit a shared policy, your changes are applied
to all devices or VPN topologies that share the policy. Thus, you do not need to go to Policy view to edit
shared policies. You are warned when you try to edit a shared policy that this will happen, to ensure you
do not inadvertently make a change to more devices or topologies than what you intend. If you need to
change the policy for just one device or topology, you can unshare the policy before editing it, as
described in Unsharing a Policy, page 5-39.
The following topics describe how to share policies and the operations that can be performed on them
in Device view or the Site-to-Site VPN Manager:
Using the Policy Banner, page 5-35
Policy Shortcut Menu Commands in Device View and the Site-to-Site VPN Manager, page 5-36
Sharing a Local Policy, page 5-37
Sharing Multiple Policies of a Selected Device, page 5-38
Unsharing a Policy, page 5-39
Assigning a Shared Policy to a Device or VPN Topology, page 5-40
Adding Local Rules to a Shared Policy, page 5-41
Inheriting or Uninherting Rules, page 5-42
Copying a Shared Policy, page 5-43
Renaming a Shared Policy, page 5-44
Modifying Shared Policy Definitions in Device View or the Site-to-Site VPN Manager, page 5-44
Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager, page 5-45
Related Topics
Understanding Policies, page 5-1
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
The fields in the policy banner have the following meanings and uses:
Policy AssignedThe name of the policy assigned to this device or VPN. If the name has a link,
you can assign a shared policy to the element by clicking the link. If there is no link, a shared policy
cannot be assigned to this particular type of policy.
LocalThe policy is a local policy rather than a shared policy.
Specific policy nameThe shared policy is assigned to the policy.
Assigned ToIf a shared policy is assigned, the number of devices or VPNs to which the policy is
assigned. If no shared policy is assigned, local device or this VPN is indicated. If the name has a
link, you can do the following:
Local Device or This VPN linksClick the link to create a shared policy from this local policy.
You can then assign the shared policy to other devices or VPNs.
Number of Devices or VPNs linksClick the link to change the devices or VPNs assigned to
the shared policy.
Inherits FromThe name of the policy from which this policy inherits rules. This field appears only
for policies that allow inheritance. Click the link to specify a policy or set of policies from which
the policy will inherit rules. For more information about inheritance, see Understanding Rule
Inheritance, page 5-4.
The field can contain these entries:
NoneThe policy does not inherit rules from any other policy.
Single policy nameThe policy inherits rules from this policy.
Multiple policy names separated by > signsThe policy inherits rules from the indicated
hierarchy of policies.
Related Topics
Understanding Policies, page 5-1
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Policy Shortcut Menu Commands in Device View and the Site-to-Site VPN Manager
When you right-click a policy in Device view or the Site-to-Site VPN manager, you get a list of
commands that you can use on the policy. The shortcut command list includes only those commands
available for the selected policy, so the list differs according to your selection.
The available commands depend on whether the policy:
Is unassigned.
Contains a local policy for that specific device or VPN topology.
Contains a shared policy that might be assigned to multiple devices or VPN topologies.
Can be shared. There are no shortcut commands for policies that cannot be shared between devices
or topologies.
The current status of each policy type is indicated by the icon displayed next to the policy name. See
Policy Status Icons, page 5-28.
The following table provides a comprehensive list of the possible commands.
Related Topics
Understanding the Device View, page 3-1
Policy Status Icons, page 5-28
Using the Policy Banner, page 5-35
Assigning a Shared Policy to a Device or VPN Topology, page 5-40
Unsharing a Policy, page 5-39
Adding Local Rules to a Shared Policy, page 5-41
Sharing Multiple Policies of a Selected Device, page 5-38
Inheriting or Uninherting Rules, page 5-42
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Step 1 In Device view or the Site-to-Site VPN Manager, select a policy from the Policies selector, then do one
of the following:
(Device view only) Select Policy > Share Policy.
Right-click the policy and select Share Policy.
Click the local device/this VPN link in the Assigned To field in the policy banner. A warning dialog
box called Local Policies Cannot Be Assigned to Multiple Devices opens to inform you that you are
viewing a local policy. Click Share Policy to continue.
The Share Policy dialog box is displayed.
Step 2 Enter a name for the shared policy and click OK.
Policy names can contain up to 255 characters, including spaces and special characters.
Tip To create a new device of the same type that shares the same configuration and properties (including
device operating system version, credentials, and grouping attributes) as the source device, create a
clone of the device. For more information, see Cloning a Device, page 3-46.
Related Topics
Understanding the Device View, page 3-1
Copying Policies Between Devices, page 5-30
Sharing a Local Policy, page 5-37
Unsharing a Policy, page 5-39
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Filtering Items in Selectors, page 1-30
Tip You can also right click a device in Map view and select Share Device Policies.
Step 2 On the Select Policies to Share page, select all policies that you want to share. Initially, all shareable
policies configured on the device, whether local or shared, are selected. Deselect the check box next to
each policy that you do not want to share.
Following are some tips:
Local policies that are not checked remain local to the selected device.
If you select a policy that is already shared, Security Manager creates a copy of that policy using the
name that you define in the wizard.
Selecting the check box for a policy group selects all of the policies in that group.
If a policy is configured on the device, but you cannot select it (the check box is solid grey), it is an
unshareable policy.
Step 3 Enter a name for the shared policies. All policies are given the same name. You can later rename the
individual policies. For more information, see Renaming a Shared Policy, page 5-44.
If you select a policy that is already shared, Security Manager creates a copy of that policy using this
name.
Step 4 Click Finish. The selected policies become shared policies, which you can then assign to additional
devices as needed. For more information, see Modifying Shared Policy Assignments in Device View or
the Site-to-Site VPN Manager, page 5-45.
Unsharing a Policy
When you unshare a shared policy assigned to a particular device or VPN topology, you create a copy
that becomes a local policy for that device or topology. This means that any subsequent changes made
to the local policy affect only this particular device or topology. Other devices or topologies assigned
the original shared policy continue to use the shared policy as before.
For example, Security Manager might be managing a BGP routing policy called MyBGP, which is
assigned to 20 routers. If you decide that one of the routers (Router1) requires a variation of this policy,
you can select the device, unshare the policy, and make the changes you need for that router. From that
point on, Router1 has a local BGP policy while the other 19 routers continue to use the original shared
policy, MyBGP.
Related Topics
Understanding the Device View, page 3-1
Sharing a Local Policy, page 5-37
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Policy Status Icons, page 5-28
Step 1 In Device view or the Site-to-Site VPN Manager, select a policy from the Policies selector, then do one
of the following:
(Device view only) Select Policy > Unshare Policy.
Right-click the selected shared policy, then select Unshare Policy.
Step 2 Click OK. The shared policy is converted into a local policy for the selected device or VPN topology.
The shared policy icon in the Policies selector is replaced by the local policy icon.
Tip If you want to use the rules defined in the shared policy and still keep your local rules, we recommend
that you select the Inherit Rules option instead of assigning the policy. For more information, see
Inheriting or Uninherting Rules, page 5-42.
Note You can also inherit IPS signature policies and signature event actions, but inheritance works differently
than for rules-based policies. For more information, see Understanding Signature Inheritance,
page 33-3.
Related Topics
Understanding the Device View, page 3-1
Using the Policy Banner, page 5-35
Unassigning a Policy, page 5-32
Adding Local Rules to a Shared Policy, page 5-41
Copying Policies Between Devices, page 5-30
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Step 1 In Device view or the Site-to-Site VPN Manager, select a policy from the Policies selector, then do one
of the following:
(Device view only) Select Policy > Assign Shared Policy.
Right-click the policy in the Policies selector, then select Assign Shared Policy.
Click the link in the Policy Assigned field in the policy banner.
The Assign Shared Policy dialog box is displayed if there are any shared policies available for
assignment.
Step 2 Select a shared policy from the displayed list to assign to the device or VPN topology and click OK. If
the policy does not allow inheritance, the shared policy is assigned to the selected device and you are
finished.
Step 3 If the policy allows inheritance, you are warned that the shared policy will replace the current policy and
given the option to inherit the rules instead with the Local Policy Will Be Replaced dialog box.
Your options are:
Assign PolicyAssign the shared policy to replace the existing local policy. If you choose to assign,
all local rules are removed and they cannot be retrieved.
Inherit From PolicyInherit the rules of the shared policy. If you choose to inherit, the inherited
rules are added to the local rules that are already defined in the devices local policy. Use inheritance
instead of assignment when the device needs to maintain the set of local rules already defined for it.
Tip You can select Do not show this again to save your selection and have it applied to all future
times that you assign rule-based policies. Otherwise, you are prompted each time you assign
policies so that you can make different selections based on the circumstances. If you select this
option, you can turn it off by resetting it on the Customize Desktop administration settings page
(see Customize Desktop Page, page 11-5).
Related Topics
Understanding the Device View, page 3-1
Copying a Shared Policy, page 5-43
Assigning a Shared Policy to a Device or VPN Topology, page 5-40
Unsharing a Policy, page 5-39
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Step 1 In Device view, select a device from the Device selector, then select a shared policy assigned to that
device from the Device Policies selector. You must select a rule-based policy, such as access rules. The
details of the policy appear in the work area.
Step 2 Do one of the following:
Select Policy > Add Local Rules.
Right-click the policy, then select Add Local Rules.
A message is displayed indicating that the policy on this device is now defined as a child policy that
inherits rules from the shared policy. If the shared policy in turn inherits rules from a different shared
policy, those rules are automatically inherited as well.
Note To change the parent policy from which this policy inherits rules, see Inheriting or Uninherting
Rules, page 5-42.
Step 3 Click OK to confirm. In the work area, headings are added for local mandatory and default rules in
addition to the mandatory and default rules inherited from the shared policy.
In the Device Policies selector, the status icon changes to the icon for a local policy. For more
information, see Policy Status Icons, page 5-28.
Step 4 Define local rules as required.
Tip If you assign a shared policy after adding local rules, both the inherited rules and your local rules
are replaced with the selected shared policy.
Related Topics
Understanding the Device View, page 3-1
Managing Shared Policies in Policy View, page 5-46
Step 1 Select a shared rule-based policy in either Device view or Policy view, then do one of the following:
Select Policy > Inherit Rules.
Right-click the policy, then select Inherit Rules.
(Device view only) Click the link in the Inherits From field in the policy banner.
The Inherit Rules dialog box is displayed, containing a list of all shared policies of the selected type,
including any inheritance relationships among them.
Step 2 Select the policy from which to inherit rules, or select No Inheritance to remove any inheritance from
the child policy. The name of the parent policy is displayed below the selector.
For example, if you select an access rules policy called West Coast, your access policy inherits the rules
of the West Coast policy. If the West Coast policy is a child policy of another access rules policy called
US, your policy inherits the properties of the West Coast policy, which in turn inherits the properties of
the US policy.
Step 3 Click OK to save your definitions. The work area displays the inherited rules under the name of the
parent policy and any local rules, if defined, under the name of the original shared policy.
Tip If you copy a policy in Device view or the Site-to-Site VPN Manager, the new policy is assigned to the
selected device or VPN topology. If you want to copy a policy without changing policy assignments,
make the copy in Policy view.
Related Topics
Understanding the Device View, page 3-1
Managing Shared Policies in Policy View, page 5-46
Renaming a Shared Policy, page 5-44
Deleting a Shared Policy, page 5-52
Step 1 Select a shared policy in Device view, Policy view, or the Site-to-Site VPN Manager, then do one of the
following:
(Device or Policy view only) Select Policy > Save Policy As.
Right-click the shared policy, then select Save Policy As.
The Save Policy As dialog box is displayed.
Step 2 Enter a name for the new policy and click OK.
Names can contain up to 255 characters, including spaces and special characters.
Related Topics
Understanding the Device View, page 3-1
Managing Shared Policies in Policy View, page 5-46
Copying a Shared Policy, page 5-43
Deleting a Shared Policy, page 5-52
Step 1 Select a shared policy in Device view, Policy view, or the Site-to-Site VPN Manager, then do one of the
following:
(Device or Policy view) Select Policy > Rename Policy.
Right-click the policy, then select Rename Policy.
The Rename Policy dialog box is displayed.
Step 2 Enter a new name for the selected policy and click OK.
Names can contain up to 255 characters, including spaces and special characters.
Modifying Shared Policy Definitions in Device View or the Site-to-Site VPN Manager
You can modify any shared policy in Device view or the Site-to-Site VPN Manager by selecting one of
the devices or VPN topologies to which the policy is assigned, making the necessary changes, and then
saving these changes to the Security Manager server. Any changes made to a shared policy in Device
view or the Site-to-Site VPN Manager automatically affect all devices to which the shared policy is
assigned.
Tip To apply your changes only to the device or VPN topology that you are modifying, you must first
unshare the policy (see Unsharing a Policy, page 5-39). This action converts the policy to a local policy
and prevents your changes from affecting other devices or topologies.
Related Topics
Understanding the Device View, page 3-1
Using the Policy Banner, page 5-35
Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager, page 5-45
Configuring Local Policies in Device View, page 5-29
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager
You can modify the list of devices or VPN topologies assigned a particular shared policy as required. If
you remove a device or topology from a policy assignment, that policy is effectively removed from the
devices or topologys planned configuration. Upon deployment, any configuration of that type that
exists on the device or topology is removed. For more information about the implications of unassigning
a policy, see Unassigning a Policy, page 5-32.
Caution Use the policy assignment feature with care, as unassigning a policy removes that configuration from
the device or topology and can have unintended consequences. For example, if you unassign a device
access policy from a Cisco IOS router and then deploy that change, you might prevent Security Manager
from configuring that device in the future (see User Accounts and Device Credentials on Cisco IOS
Routers, page 53-13).
Policy assignment can also be modified from Policy view. For more information, see Modifying Policy
Assignments in Policy View, page 5-50.
Related Topics
Understanding the Device View, page 3-1
Using the Policy Banner, page 5-35
Assigning a Shared Policy to a Device or VPN Topology, page 5-40
Unassigning a Policy, page 5-32
Copying Policies Between Devices, page 5-30
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Inheriting or Uninherting Rules, page 5-42
Inheritance vs. Assignment, page 5-6
Step 1 In Device view or the Site-to-Site VPN Manager, select a shared policy from the Policies selector, then
do one of the following:
(Device view only) Select Policy > Edit Policy Assignments.
Right-click the policy and select Edit Policy Assignments.
Click the n device/VPN link in the Assigned To field in the policy banner.
Step 2 Modify the list of devices or VPN topologies to which the policy is assigned, as follows:
To assign the selected policy to additional devices or topologies, select them from the Available
Devices/VPNs list, then click >> to move them to the Assigned Devices list.
To unassign the selected policy from devices or topologies, select them from the Assigned
Devices/VPNs list, then click << to return them to the Available Devices/VPNs list. Devices or
topologies that are unassigned from the policy remove this policy from their running configuration
during deployment.
Tip To assign a policy to all the devices in a device group, select the name of the device group, then
click >>.
(7) Policy Type SelectorLists the policy types available in Security Manager, divided by category.
Clicking a policy type in the selector displays all the shared policies defined for that type in the
Shared Policy selector. To create a new policy, right click the policy type and select New [policy
type] Policy or click the Create a Policy button in the shared policy selector. For more information,
see Policy View Selectors, page 5-48.
(4, 5, 6) Shared Policy SelectorLists the shared policies that are defined for the selected type.
Clicking a policy in the selector displays the definition of the policy and its assignments in the work
area. For more information, see Policy View Selectors, page 5-48.
Right-click a policy in the selector to perform actions on the policy. For more information on the
available commands, see Policy ViewShared Policy Selector Options, page 5-49.
Use the Filter field to filter the list of policies displayed in the selector. For more information about
creating filters, see Filtering Items in Selectors, page 1-30.
Related Topics
Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-27
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
You can expand and collapse the selector as required to view all the available policy types and subtypes.
To create a new policy, right click the policy type and select New [policy type] Policy or click the Create
a Policy button in the shared policy selector.
Selecting a policy type from the Policy Type selector displays all the shared policies of that type in the
Shared Policy selector. Local policies configured in Device view are not displayed.
For example, when you select a configuration policy type, such as NAT translation rules, the Shared
Policy selector displays a flat list of each shared policy of that type. If you select a rule-based policy
type, such as firewall access rules, the Shared Policy selector displays a hierarchical tree of shared
policies. This enables you to view the inheritance relationships among the various policies. The Shared
Policy selector includes a shortcut menu with options for actions that can be performed on that policy,
such as renaming it.
Tip You can create and apply a filter to shorten the list of policies displayed in the Shared Policy selector.
For more information about filters, see Filtering Items in Selectors, page 1-30.
Related Topics
Policy View Selectors, page 5-48
Managing Shared Policies in Policy View, page 5-46
Field Reference
Tip You can also create shared policies by converting local policies in Device view. For more information,
see Sharing a Local Policy, page 5-37.
Related Topics
Managing Shared Policies in Policy View, page 5-46
Deleting a Shared Policy, page 5-52
Step 1 In Policy view, select a policy type in the Policy Type selector.
Step 2 Do one of the following:
Right-click the policy type in the Policy Type selector, then select New [policy type] Policy.
Right-click a policy in the Shared Policy selector, then select New [policy type] Policy.
Click the Create a Policy button beneath the Shared Policy selector.
The Create a Policy dialog box is displayed.
Step 3 Enter a name for the new policy. Policy names can contain up to 255 characters, including spaces and
special characters.
When creating a Translation Rules policy for NAT rules on security devices (PIX/ASA/FWSM), you
must also choose a device software Version: PIX/ASA 6.3-8.2 or ASA 8.3 & Later.
Step 4 Click OK. The new policy appears in the Shared Policy selector.
To configure a definition for the new shared policy, click the Help button in the toolbar with the Details
tab open to see information specific to the type of policy you are creating. To assign the new shared
policy, see .
Therefore, if your intention when performing unassign is to assign a different shared policy to a
particular device or VPN topology, it is important to select the replacement policy and perform the
assignment before performing deployment.
Tip Assigning a replacement policy is particularly important when you use a device access policy to
configure the enable password or enable secret password on a Cisco IOS router. If you unassign this
policy and fail to define a different password in its place before deployment, Security Manager might be
unable to configure this device in the future. For more information, see User Accounts and Device
Credentials on Cisco IOS Routers, page 53-13.
Alternatively, you can return to Device view and replace the shared policy assigned to the device with a
different shared policy. For more information, see Assigning a Shared Policy to a Device or VPN
Topology, page 5-40.
Note If you unassign a mandatory site-to-site VPN policy, such as an IKE proposal policy, Security Manager
automatically replaces it with a default policy. If you unassign a mandatory remote access VPN policy,
you must manually configure a new policy of that same type or deployment will fail.
Related Topics
Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager, page 5-45
Managing Shared Policies in Policy View, page 5-46
Step 1 In Policy view, select a policy type from the Policy Type selector, then select a policy from the Shared
Policy selector. For more information about using these selectors, see Policy View Selectors, page 5-48.
Step 2 Click the Assignments tab in the work area.
Step 3 Modify the list of devices or VPNs to which the policy is assigned, as follows:
To assign the selected policy to additional devices or VPNs, select one or more items from the
Available Devices/VPNs list, then click >> to move them to the Assigned Devices/VPNs list.
Tip To assign a policy to all the devices in a device group, select the name of the device group, then
click >>.
To unassign the selected policy from devices or VPNs, select one or more items from the Assigned
Devices/VPNs list, then click << to return them to the Available Devices/VPNs list.
Step 4 Click Save to save your assignment changes.
Related Topics
Creating a New Shared Policy, page 5-50
Copying a Shared Policy, page 5-43
Managing Shared Policies in Policy View, page 5-46
Step 1 In Policy view, select a policy type from the Policy Type selector, then select the policy to delete from
the Shared Policy selector. For more information about using these selectors, see Policy View Selectors,
page 5-48.
Step 2 Do one of the following:
Right-click the policy, then select Delete Policy.
Click the Delete a Policy button beneath the Shared Policy selector.
You are asked to confirm the deletion.
Policy objects enable you to define logical collections of elements. They are reusable, named
components that can be used by other objects and policies. Objects aid policy definition by eliminating
the need to define that component each time you define a policy. When used, an object becomes an
integral component of the object or policy. This means that if you change the definition of an object, this
change is reflected in all objects and policies that reference the object.
Objects facilitate network updates, because you can identify objects separately but maintain them in a
central location. For example, you can identify the servers in your network as a network/host object
called MyServers, and the protocols to allow on these servers in a service object. You can then create an
access rule that permits the MyServers network/host object to send and receive traffic for the services
defined in the service object. If a change is made to these servers, you need only update the network/host
or service object and redeploy, instead of trying to locate and edit each rule in which the servers are used.
Objects are defined globally. This means that the definition of an object is the same for every object and
policy that references it. However, many object types (for example, interface roles) can be overridden at
the device level. Thus, you can create an object that works for most of your devices, yet customize the
object to match the configuration of a particular device that has slightly different requirements. For more
information, see Understanding Policy Object Overrides for Individual Devices, page 6-13.
This chapter contains the following topics:
Selecting Objects for Policies, page 6-2
Policy Object Manager Window, page 6-3
Working with Policy ObjectsBasic Procedures, page 6-6
Understanding AAA Server and Server Group Objects, page 6-20
Creating Access Control List Objects, page 6-40
Configuring Time Range Objects, page 6-53
Understanding Interface Role Objects, page 6-55
Understanding Map Objects, page 6-60
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
How Policy Objects are Provisioned as Object Groups, page 6-75
Element Description
Type The type of object to display in the selector, if there is an option. For
example:
You can choose between network/host objects and interface roles
when configuring sources and destinations in some rule-based
policies.
You can choose between standard and extended ACL objects when
configuring some ACLs (for example, when configuring VLAN
ACLs on Catalyst 6500/7600 devices).
Tip In some policies, if you select more than one type of object,
they are displayed on different tabs within the field.
Available [object type] Displays all objects that are relevant to the policy or object you are
configuring.
When selecting interfaces, be aware that there can be interfaces and
interface roles with the same name. They can be distinguished by the
icon displayed next to the name. For more information, see Specifying
Interfaces During Policy Definition, page 6-58.
Tip You can quickly find an object inside a selector by clicking in
the list box and then starting to type the name of the object.
Element Description
Selected [object type] Displays the objects that you selected to apply to the policy or object
that you are editing.
Multi-Object Selector Buttons
>> button Moves the selected objects from one list to the other list in the direction
indicated. You can select multiple objects by using Ctrl+click.
<< button
You can also move objects between lists by double-clicking them or by
selecting them and pressing Enter.
Up/Down arrow buttons For a limited number of object types, order matters. If the selector
includes Move Up and Move Down buttons, arrange the objects in
priority order. For example, when defining a method list for AAA, use
the arrows to determine the order in which different types of AAA
server groups are used.
Common Buttons
Create button Click this button to create an object of this type.
Tip In a few cases, such as network/host and service objects,
clicking this button opens a list from which you need to select
a specific type for the object.
Edit button Click this button to edit the selected user-defined object. If you try to
edit a system-defined object, it is opened in read-only mode.
Related Topics
Allowing a Policy Object to Be Overridden, page 6-13
Filtering Items in Selectors, page 1-30
Navigation Path
Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.
Related Topics
Creating Policy Objects, page 6-6
Selecting Objects for Policies, page 6-2
Generating Object Usage Reports, page 6-11
Field Reference
Element Description
Object Type selector or table Lists the object types available in Security Manager. When you select
of contents an object type, all existing objects of that type are listed in the table in
(Left pane.) the right pane.
Element Description
Buttons Below Table
Click the New Object button to create a new object. The same icon is
used for any button that adds an item to a table.
Tip In a few cases, such as network/host and service objects,
clicking this button opens a list from which you need to select
a specific type for the object.
Clicking this button opens a dialog box to create the object. Click the
Help button in the dialog box for information on the selected object
type. Also, see Creating Policy Objects, page 6-6.
Click the Edit Object button to edit the selected object. The same icon
is used for editing any object in a table.
The dialog box used for editing the object is the same as the one used
for creating the object. If you try to edit a system-defined default
object, you are allowed only to view the object contents. Click the Help
button in the dialog box for information on the settings. For more
information, see Editing Objects, page 6-9.
Click the Delete Object button to delete the selected object. You can
delete only user-defined objects that are not currently being used in a
policy or another policy object. For more information, see Deleting
Objects, page 6-12.
Field Reference
Tip Your ability to create multiple objects with the same definition depends on a setting on the Policy Objects
page in the Security Manager Administration window (select Tools > Security Manager
Administration). By default, Security Manager warns you when you create an object whose definition
is identical to that of an existing object, but it does not prevent you from proceeding. For more
information, see Policy Objects Page, page 11-32.
Related Topics
Chapter 6, Managing Policy Objects
Working with Policy ObjectsBasic Procedures, page 6-6
Tip In a few cases, such as network/host and service objects, clicking these buttons opens a list from
which you need to select a specific type for the object.
The dialog box for adding the selected type of object opens. For more information about the individual
types of objects, see the following topics:
Understanding AAA Server and Server Group Objects, page 6-20
Creating Access Control List Objects, page 6-40
ASA Group Policies Dialog Box, page 28-1
Using Category Objects, page 6-9
Credentials Dialog Box, page 28-23
Add and Edit File Object Dialog Boxes, page 28-24
Understanding FlexConfig Policies and Policy Objects, page 7-1 and Creating FlexConfig Policy
Objects, page 7-25 (in Chapter 7, Managing FlexConfigs)
Add or Edit IKE Proposal Dialog Box, page 28-26
Understanding Interface Role Objects, page 6-55
Add or Edit IPSec Transform Set Dialog Box, page 28-28
Add and Edit LDAP Attribute Map Dialog Boxes, page 28-31
Understanding Map Objects, page 6-60
Understanding Network/Host Objects, page 6-62
PKI Enrollment Dialog Box, page 28-33
Add or Edit Port Forwarding List Dialog Boxes, page 28-42
Configuring Port List Objects, page 6-71
Creating Cisco Secure Desktop Configuration Objects, page 26-61
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Add or Edit Single Sign On Server Dialog Boxes, page 28-44
Monitoring Service Level Agreements (SLAs) To Maintain Connectivity, page 42-7
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 26-68
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Add or Edit SSL VPN Gateway Dialog Box, page 28-63
Configuring SSL VPN Smart Tunnels for ASA Devices, page 26-71
Add or Edit Text Object Dialog Box, page 7-29
Configuring Time Range Objects, page 6-53
Configuring Traffic Flow Objects, page 48-13
Add or Edit User Group Dialog Box, page 28-68
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL
VPNs, page 26-73
Step 2 Enter a name for the object and optionally a description of the object.
Object names are not case-sensitive and are limited to 128 characters. You can begin object names with
a letter, a number, or an underscore. You can use a mix of letters, numbers, special characters, and spaces
for the remainder of the object name. Supported special characters include hyphens (-), underscores (_),
periods (.), and plus signs (+).
Note Certain object types, such as AAA server groups, ASA user groups, maps, network/host objects,
service objects, and traffic flows, have different naming guidelines. For more details, refer to the
online help when you are creating each object type.
Step 3 Configure the settings specific to the type of object. Refer to the online help page for the dialog box.
Step 4 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 5 (Optional) If the object type provides the option, select Allow Value Override per Device to allow the
properties of this object to be redefined on individual devices. See Allowing a Policy Object to Be
Overridden, page 6-13.
Step 6 Click OK to save the object.
Editing Objects
You can edit any user-defined object as required. Changes that you make to the object are reflected in
all policies (and other objects) that use the object. However, if an override for the object is already
defined for a device, your edits are not reflected in the object used on those devices.
You cannot edit predefined objects, but you can copy them to create new objects. See Duplicating
Objects, page 6-10.
Tip You can also edit objects when you define policies or objects that use this object type. For more
information, see Selecting Objects for Policies, page 6-2.
Related Topics
Creating Policy Objects, page 6-6
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
Step 2 Select the object type from the table of contents.
Step 3 Right-click the object you want to edit and select Edit Object.
Step 4 Modify the fields in the Edit dialog box for that object type as required, then click OK to save your
changes. Click the Help button for information specific to the type of object.
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 Select Categories from the Object Type selector.
Step 3 Click Edit Object to open the Category Editor dialog box.
Step 4 Modify the names and descriptions of the predefined category objects as required:
LabelThe color associated with the category.
NameThe category name. Names can have a maximum of 128 characters, including special
characters and spaces.
DescriptionAdditional information about the object (up to 1024 characters).
Step 5 Click OK to save your changes.
Duplicating Objects
An alternative to creating a policy object from scratch is to duplicate an existing object. The new object
contains all the attributes of the copied object. You can then modify the name and all attributes as
required.
Duplicating is useful for creating objects that are based on predefined objects that cannot be edited.
Related Topics
Working with Policy ObjectsBasic Procedures, page 6-6
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
Step 2 Select the object type from the table of contents.
Step 3 Right-click the object you want to duplicate and select Create Duplicate.
The dialog box for that object type appears. The Name field contains the following default name for the
new object: Copy of name of copied object. The remaining fields contain the same values as the copied
object.
Step 4 Modify the name of the new object and its configuration, as required. Click the Help button for
information specific to that type of object.
Step 5 Click OK to save your changes.
Related Topics
Working with Policy ObjectsBasic Procedures, page 6-6
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
Step 2 Select the object type from the table of contents.
Step 3 Right-click the object and select View Object.
The dialog box for that object appears in read-only mode.
Element Description
Used By The name of the device, policy, VPN, or object that is referencing the
selected object.
Type The type of item that is referencing the selected object. This can be a
device, policy, or another object.
Usage Indicates how the object is being referenced. For example, if a device
is referencing the selected object, this column will indicate that it is a
policy assigned to the device that is referencing the object.
Proximity Indicates the relationship between the selected object and the item that
it using it. For example:
A policy that includes a network/host object in its definition has a
direct relationship with the object and an indirect relationship with
any other network/host objects contained within the object.
A device on which this policy is assigned references the
network/host object directly and any other network/host objects
contained within the object indirectly.
Devices The types of references you want to view. For example, you can
deselect Devices and Policies to view only references to the object from
Policies
other objects.
Other Objects
Deleting Objects
You can delete user-defined objects only when they are not being used by policies or other objects. You
cannot delete predefined objects. If you delete an object for which device-level overrides are defined,
all overrides are also deleted.
Tip You might be prevented from deleting an unused object from the database, if, for example, you replace
a local policy that used the object with a shared policy that does not. If object deletion fails, submit or
discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again
to delete the object. Alternatively, you can leave unused objects in the database, because they will not
affect your policies.
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
Step 2 Select the object type from the table of contents.
Step 3 Right-click the object you want to delete and select Delete Object, or select the object and click the
Delete Object button. You are asked to confirm the deletion.
Tip If you override any part of the object definition at the device level, any subsequent changes made to the
policy definition at the global level do not affect the device on which the object was overridden.
Related Topics
Allowing a Policy Object to Be Overridden, page 6-13
Creating or Editing Object Overrides for a Single Device, page 6-14
Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-15
Deleting Device-Level Object Overrides, page 6-17
is used but a device-level override is created to account for the difference. For example, if you run policy
discovery on a device that has an ACL with the same name as an ACL policy object in Security Manager,
the name of the discovered policy object is reused, but a device-level override is created for the object.
If you do not allow device-level overrides during discovery, a new policy object is created with a number
appended to the name; this is the default.
To configure Security Manager to allow device overrides during discovery, select Tools > Security
Manager Administration > Discovery and select Allow Device Override for Discovered Policy
Objects.
Related Topics
Understanding Policy Object Overrides for Individual Devices, page 6-13
Creating or Editing Object Overrides for a Single Device, page 6-14
Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-15
Deleting Device-Level Object Overrides, page 6-17
Related Topics
Understanding Policy Object Overrides for Individual Devices, page 6-13
Allowing a Policy Object to Be Overridden, page 6-13
Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-15
Deleting Device-Level Object Overrides, page 6-17
Step 1 (Device view) Right-click a device in the Device selector and select Device Properties.
Step 2 Select the object type you want to override from the Policy Object Overrides folder.
The table displays all objects of the selected type that can be overridden at the device level. If an object
has an override already defined for the device, the Value Overridden? column contains a check mark.
Step 3 Select the object whose override you want to change and do one of the following:
Click the Create Override button, or right-click and select Create Override.
Click the Edit Override button, or right-click and select Edit Override.
The dialog box for defining that type of object is displayed with the current properties (either the global
properties or the local override).
Step 4 Modify the definition of the object and click OK to save the device-level override. In the Device
Properties window, a green check mark appears in the Value Overridden? column.
Related Topics
Understanding Policy Object Overrides for Individual Devices, page 6-13
Allowing a Policy Object to Be Overridden, page 6-13
Creating or Editing Object Overrides for a Single Device, page 6-14
Deleting Device-Level Object Overrides, page 6-17
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
Step 2 Select the object type you want to override from the table of contents, and then select the object to
override.
Tip Not all types of object allow overrides, and not all objects are defined as overridable. Look for
a green check mark in the Overridable column. If the object type allows overrides, but this object
does not have a check mark, edit the object to enable object override (see Allowing a Policy
Object to Be Overridden, page 6-13).
Step 3 Double-click the checkmark, or right-click the object and select Edit Device Overrides, to open the
Policy Object Overrides Window, page 6-16. The window contains a table listing each device for which
an override is defined for the object.
Tip You can also edit the overridable object and click Edit next to the Overrides field.
Use the Policy Object Overrides window to view a list of all device-level overrides that are defined for
the selected object. The content displayed in the table differs depending on the type of object, but it
always includes the device name, object description, and category. Sometimes the content of the object
is shown, including the overrides.
To add an override, click the Create Override button. In the Create Overrides for Device window,
select the devices from the available list and click >> to move them to the selected list. When you
click OK, you are presented with the dialog box for defining your override, which applies to all
newly selected devices. (You are not changing the override of the greyed out devices)
Note The available devices list shows the devices that have not already had overrides defined for
the object. Devices with overrides are shown greyed out in the selected devices list.
The dialog boxes for creating and editing the override are the same ones used to create the object;
click the Help button for information specific to the type of object.
The override you create applies to all policies on the device that use the object; you cannot override
the object for one policy but not for another policy.
To edit an override, select it and click the Edit Override button.
To delete an override, select it and click the Delete Override button.
Deleting an override does not delete the object or remove the object from its device assignment.
When you delete the override, the policies on the device that use the object start using the global
definition for the object. This changes the meaning of the policies.
Tip You can also create and edit device-level overrides from the Device Properties window of a selected
device. Using the Device Properties windows makes it easy for you to manage the overrides for all
objects used by a single device. For more information, see Creating or Editing Object Overrides for a
Single Device, page 6-14.
Navigation Path
Open the Policy Object Manager Window, page 6-3. Select an object type that can be overridden (its
object page contains a column called Overridable), then do one of the following:
Double-click the green checkmark in the Overridable column.
Right-click the object and select Edit Device Overrides.
Edit the overridable object and click Edit next to the Overrides field.
Related Topics
Understanding Policy Object Overrides for Individual Devices, page 6-13
Allowing a Policy Object to Be Overridden, page 6-13
Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-15
Deleting Device-Level Object Overrides, page 6-17
Filtering Tables, page 1-33
Filtering Items in Selectors, page 1-30
Related Topics
Understanding Policy Object Overrides for Individual Devices, page 6-13
Allowing a Policy Object to Be Overridden, page 6-13
Policy Object Override Pages, page 3-42
Policy Object Overrides Window, page 6-16
Syntax
perl [path] The Perl script command. Include the path to the
PolicyObjectImportExport.pl PolicyObjectImportExport.pl file if the path is not
defined in the system path variable.
-u username A Security Manager username. The data exported
is limited by the permissions assigned to this user.
The user must have Modify Objects permission for
the import or export of policy objects, and
additionally the Modify Devices permission for
the import or export of device-level overrides.
If you are importing objects in non-Workflow
mode, you must also have Submit and Approve
privileges.
-p password The users password.
When you run the command, if there are any errors in the file, only the affected objects are not imported.
Error messages indicate these problems as they occur, and Security Manager continues evaluating all
records in the file. All correctly defined policy objects are imported, and the objects with errors are
skipped. The total count and the names of the policy objects that are not imported are shown in the output
screen.
After the import command completes, additional actions depend on the Workflow mode you are using:
Workflow modeYou must log into Security Manager using the same username and password and
submit the activity you specified during the import. The activity must be submitted and approved
for the changes to take effect.
Non-Workflow modeThe imported objects are automatically submitted and approved without
action on your part. However, you will receive an error if the username you supplied does not have
Submit and Approve privileges, and the import operation will fail.
Related Topics
Additional AAA Support on ASA, PIX, and FWSM Devices, page 6-21
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
5.0 of SDI introduced the concept of SDI master and slave servers that share a single-node secret
file (SECURID). As a result, when you configure an SDI server as a AAA server object, you must
specify whether the server is version 5.0 or an earlier version.
LDAPThese devices can use Lightweight Directory Access Protocol (LDAP) servers for VPN
authorization. These devices support LDAP version 3 and are compatible with any v3 or v2
directory server. However, password management is supported only on the Sun Microsystems
JAVA System Directory Server and the Microsoft Active Directory.
With any other type of LDAP server (such as Novell or OpenLDAP), all LDAP functions are
supported except for password management. Therefore, if someone tries to log in to one of these
devices using one of these other servers for authentication and their password has expired, the
device drops the connection and a manual password reset is required.
You can configure Simple Authentication and Security Layer (SASL) mechanisms to authenticate
an LDAP client (in this case, the ASA, PIX, or FWSM device) to an LDAP server. These devices
and LDAP servers can support multiple mechanisms. If both mechanisms (MD5 and Kerberos) are
available, the ASA, PIX, or FWSM device uses the stronger mechanism, Kerberos, for
authentication.
When user authentication for VPN access has succeeded and the applicable tunnel-group policy
specifies an LDAP authorization server group, the ASA, PIX, or FWSM device queries the LDAP
server and applies the authorizations it receives to the VPN session.
HTTP-FormThese devices can use the HTTP Form protocol for single sign-on (SSO)
authentication of WebVPN users only. Single sign-on support lets WebVPN users enter a username
and password only once to access multiple protected services and Web servers. The WebVPN server
running on the security appliance acts as a proxy for the user to the authenticating server. When a
user logs in, the WebVPN server sends an SSO authentication request, including username and
password, to the authenticating server using HTTPS. If the server approves the authentication
request, it returns an SSO authentication cookie to the WebVPN server. The security appliance keeps
this cookie on behalf of the user and uses it to authenticate the user to secure websites within the
domain protected by the SSO server.
Table 6-5 on page 6-22 describes the AAA services that are supported by each protocol:
Table 6-5 AAA Services Supported by ASA, PIX, and FWSM Devices
Database Type
AAA Service Local RADIUS TACACS+ SDI NT Kerberos LDAP HTTP Form
Authentication of...
VPN users Yes Yes Yes Yes Yes Yes Yes Yes1
Firewall sessions Yes Yes Yes Yes Yes Yes Yes No
2
Administrators Yes Yes Yes Yes Yes Yes Yes No
Authorization of...
VPN users Yes Yes No No No No Yes No
3
Firewall sessions No Yes Yes No No No No No
4
Administrators Yes No Yes No No No No No
Table 6-5 AAA Services Supported by ASA, PIX, and FWSM Devices (Continued)
Database Type
AAA Service Local RADIUS TACACS+ SDI NT Kerberos LDAP HTTP Form
Accounting of...
VPN connections No Yes Yes No No No No No
Firewall sessions No Yes Yes No No No No No
Administrators No Yes5 Yes No No No No No
1. HTTP Form protocol supports single sign-on (SSO) authentication for WebVPN users only.
2. SDI is not supported for HTTP administrative access.
3. For firewall sessions, RADIUS authorization is supported with user-specific ACLs only, which are received or specified in a RADIUS authentication response.
4. Local command authorization is supported by privilege level only.
5. Command accounting is available for TACACS+ only.
Related Topics
Supported AAA Server Types, page 6-21
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
Name Description
Enable Uses the enable password defined on the device for authentication.
KRB5 Uses Kerberos 5 for authentication. Use KRB5-Telnet when using Telnet to
KRB5-Telnet connect.
For Cisco IOS routers, you can use Kerberos 5 client configuration only on
selected platforms running IOS Software versions that support this protocol.
Server configuration is not supported. The device must include an Advanced
series feature set (k9 crypto image).
If-Authenticated Uses the if-authenticated method, which allows the user to access the
requested function if the user is authenticated.
Line Uses the line password defined on the device for authentication.
Local Uses the local username database (defined on the device) for authentication.
Local-case Use Local-case if you want the login to be case-sensitive.
Name Description
RADIUS Use RADIUS or TACACS+ authentication. (Does not apply to Cisco IOS
TACACS+ routers.)
These AAA server groups do not contain any AAA servers. To use one of
them when defining a policy, you must create a device-level override and
define the AAA servers to associate with the group. For more information,
see Creating or Editing Object Overrides for a Single Device, page 6-14.
Related Topics
Creating AAA Server Group Objects, page 6-37
Default AAA Server Groups and IOS Devices, page 6-24
Understanding AAA Server and Server Group Objects, page 6-20
Note If you use one of these default AAA server groups in a policy defined for a PIX/ASA/FWSM device, the
AAA servers are deployed as a group to that device, not as individual servers. This is because all AAA
servers on PIX/ASA/FWSM devices must belong to a AAA server group.
Caution We recommend that you use caution when using these default AAA server groups in a policy definition.
There are certain commands (for example, ip radius and ip tacacs, which are configured using the
Interface field in the AAA Server dialog box) that can be defined once for each AAA server group and
once for all individual AAA servers. Because the AAA servers in the default group are deployed to IOS
devices as individual servers, you might inadvertently change the ip radius or ip tacacs settings for all
the individual AAA severs configured on the device, including servers that are not being managed by
Security Manager (and whose configurations would otherwise be left undisturbed).
Related Topics
Predefined AAA Authentication Server Groups, page 6-23
Creating AAA Server Group Objects, page 6-37
Understanding AAA Server and Server Group Objects, page 6-20
Note On PIX/ASA/FWSM devices, AAA objects in a device configuration that are not referenced by any
policies are removed from the device during the next deployment. However, the predefined AAA objects
named RADIUS and TACACS+ are never removed from PIX 6.3 devices, even if they are not referenced
by any policies.
Related Topics
Creating Policy Objects, page 6-6
Supported AAA Server Types, page 6-21
Additional AAA Support on ASA, PIX, and FWSM Devices, page 6-21
Understanding AAA Server and Server Group Objects, page 6-20
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 Select AAA Servers from the Object Type selector.
Step 3 Right-click in the work area, then select New Object to open the Add or Edit AAA Server Dialog Box,
page 6-26.
Step 4 Enter a name for the object and optionally a description of the object.
Note You cannot edit the protocol if the object is already included in a AAA server group.
Navigation Path
Select Tools > Policy Object Manager, then select AAA Servers from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Host The address of the AAA server to which authentication requests will be
sent. Specify one of the following:
IP AddressThe IP address of the AAA server. You can also enter
the name of a network/host object that contains the host IP address,
or click Select to select the object.
DNS Name (for PIX/ASA 7.2+ devices only)The DNS hostname
of the AAA server, up to 128 characters. The hostname can contain
alphanumeric characters and hyphens, but each element of the
hostname must begin and end with an alphanumeric character.
Interface The interface whose IP address should be used for all outgoing
RADIUS or TACACS packets (known as the source interface). Enter
the name of an interface or interface role, or click Select to select it
from a list or to create a new interface role.
Tips
If you enter the name of an interface, make sure the policy that uses
this AAA object is assigned to a device containing an interface
with this name.
If you enter the name of an interface role, make sure the role
represents a single interface, not multiple interfaces.
Only one source interface can be defined for the AAA servers in a
AAA server group. An error is displayed when you submit your
changes if different AAA servers in the group use different source
interfaces. See Creating AAA Server Group Objects, page 6-37.
You cannot specify an interface name for a AAA server used on an
IPS device.
Element Description
Timeout The amount of time to wait until the AAA server is considered
unresponsive:
Cisco IOS routersThe range is 1-1000 seconds. The default is 5
seconds.
ASA/PIX 7.x+, FWSM 3.1+ devicesThe range is 1-300 seconds.
The default is 10 seconds.
PIX 6.3 firewallsThe range is 1-512 seconds. The default is 5
seconds.
IPS devicesThe range is 1-512 seconds. The default is 3 seconds.
Protocol The protocol used by the AAA server. The fields to the right of the
protocol list change depending on your selection.
For specific information about the fields, see the topics indicated.
The following protocols are the most common:
RADIUSAll device types. See AAA Server Dialog
BoxRADIUS Settings, page 6-28.
TACACS+All device types except IPS. See AAA Server
Dialog BoxTACACS+ Settings, page 6-30.
The following protocols are supported for ASA/PIX 7.x+ and
FWSM 3.1+ devices:
KerberosSee AAA Server Dialog BoxKerberos Settings,
page 6-31.
LDAPSee AAA Server Dialog BoxLDAP Settings,
page 6-32.
NTSee AAA Server Dialog BoxNT Settings, page 6-34.
SDISee AAA Server Dialog BoxSDI Settings, page 6-34.
HTTP-FORMSee AAA Server Dialog BoxHTTP-FORM
Settings, page 6-35.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-26 and select RADIUS in the Protocol field.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
AAA Server Group Dialog Box, page 6-38
Field Reference
Element Description
Key The shared secret that is used to encrypt data between the client and
Confirm AAA server. The key is a case-sensitive, alphanumeric string of up to
127 characters (U.S. English). Spaces and special characters are
permitted.
The key you define in this field must match the key on the RADIUS
server. Enter the key again in the Confirm field.
Note the following:
A key is required for AAA server objects used in an IPS AAA
policy. Otherwise, the key is optional.
Activity validation fails if you try defining a key with a space on a
PIX, ASA, or FWSM device.
If you do not define a key, all traffic between the AAA server and
its AAA clients is sent unencrypted.
Authentication/Authorizatio The port on which AAA authentication and authorization are
n Port performed. The default is 1645.
Tip The default port for IPS devices is 1812, so you need to change
this value if you are configuring the object for IPS and you want
to use the default port.
Accounting Port The port on which AAA accounting is performed. The default is 1646.
RADIUS Password The alphanumeric keyword that serves as the password to the RADIUS
server (maximum of 128 characters; spaces are not allowed). Enter the
Confirm
password again in the Confirm field.
(ASA, PIX 7.x+, and FWSM
3.x+ devices only.)
Retry Interval The interval between attempts to contact the AAA server. Values are:
(ASA, PIX 7.x+, and FWSM ASA/FWSM devices1 to 10 seconds.
3.x+ devices only.)
PIX devices1 to 5 seconds.
Element Description
ACL Netmask Convert The method for handling the netmask expressions that are contained in
(ASA, PIX 7.x+, and FWSM downloadable ACLs received from the RADIUS server:
3.x+ devices only.) StandardThe security appliance assumes that all downloadable
ACLs received from the RADIUS server contain only standard
netmask expressions. No translation from wildcard netmask
expressions is performed. This is the default.
Auto-DetectThe security appliance tries to determine the type of
netmask expression used in the downloadable ACL. If it detects a
wildcard netmask expression (used by Cisco IOS software), it
converts it to a standard netmask expression.
WildcardThe security appliance assumes that all downloadable
ACLs received from the RADIUS server contain only wildcard
netmask expressions, which it converts to standard netmask
expressions.
Some Cisco products, including Cisco IOS routers, require that
downloadable ACLs be configured with wildcards instead of network
masks. ASA devices, on the other hand, require that downloadable
ACLs be configured with network masks. This feature allows the ASA
device to internally convert a wildcard to a netmask. Translation of
wildcard netmask expressions means that downloadable ACLs written
for Cisco IOS routers can be used by ASA devices without altering the
configuration of the ACLs on the RADIUS server.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-26 and select TACACS+ in the Protocol field.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
AAA Server Group Dialog Box, page 6-38
Field Reference
Element Description
Key The shared secret that is used to encrypt data between the client and the
Confirm AAA server. The key is a case-sensitive, alphanumeric string of up to
127 characters (U.S. English). Spaces and special characters are
permitted.
The key you define in this field must match the key on the TACACS+
server. Enter the key again in the Confirm field.
Note the following:
Activity validation fails if you try defining a key with a space on a
PIX, ASA, or FWSM device.
If you do not define a key, all traffic between the AAA server and
its AAA clients is sent unencrypted.
Server Port The port used for communicating with the AAA server. The default is
49.
Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-26 and select Kerberos in the Protocol field.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
AAA Server Group Dialog Box, page 6-38
Field Reference
Element Description
Server Port The port used for communicating with the AAA server. The default is
88.
Kerberos Realm Name The name of the realm containing the Kerberos authentication server
and ticket granting server (maximum of 64 characters).
Retry Interval The interval between attempts to contact the AAA server. Values range
from 1 to 10 seconds.
Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-26 and select LDAP in the Protocol field.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
AAA Server Group Dialog Box, page 6-38
Field Reference
Element Description
Enable LDAP over SSL Whether to establish a secure SSL connection between the
ASA/PIX/FWSM device and the LDAP server.
Tip You must select this option when using a Microsoft Active
Directory LDAP server in order to enable password
management.
Server Port The port used for communicating with the AAA server. The default is
389.
LDAP Hierarchy Location The base distinguished name (DN), which is the location in the LDAP
hierarchy where the authentication server should being searching when
it receives an authorization request. For example, OU=Cisco. The
maximum length is 128 characters.
The string is case-sensitive. Spaces are not permitted, but other special
characters are allowed.
LDAP Scope The scope of LDAP searches:
onelevelSearches only one level beneath the base DN. This type
of search scope is faster than a subtree search, because it is less
comprehensive. This is the default.
subtreeSearches all levels beneath the base DN.
LDAP Distinguished Name The DN and password that uniquely identify the ASA/PIX/FWSM
device in the LDAP schema (maximum of 128 characters). The DN is
similar to a unique key in a database or a fully qualified path for a file.
These parameters are used only when the LDAP server requires them
for authentication.
Element Description
LDAP Login Directory The name of the directory object in the LDAP hierarchy used for
authenticated binding (maximum of 128 characters). Authenticated
binding is required by some LDAP servers (including the Microsoft
Active Directory server) before other LDAP operations can be
performed.
This string is case-sensitive. Spaces are not permitted in the string, but
other special characters are allowed.
LDAP Login Password The case-sensitive, alphanumeric password for accessing the LDAP
server (maximum of 64 characters). Spaces are not allowed.
SASL MD5 Authentication These options establish a Simple Authentication and Security Layer
(SASL) mechanism to authenticate an LDAP client (the
SASL Kerberos
ASA/PIX/FWSM device) with an LDAP server.
Authentication
You can define one or both SASL authentication mechanisms. When
Kerberos Server Group
negotiating SASL authentication, the ASA/PIX/FWSM device
retrieves the list of SASL mechanisms configured on the LDAP server
and selects the strongest mechanism configured on both devices.
SASL MD5 AuthenticationWhether to have the device send the
LDAP server an MD5 value computed from the username and
password.
SASL Kerberos AuthenticationWhether to have the device send
the LDAP server the username and realm using the GSSAPI
(Generic Security Services Application Programming Interface)
Kerberos mechanism. This mechanism is stronger than the MD5
mechanism.
If you select Kerberos, you must also enter the name of the
Kerberos AAA server group used for SASL authentication. The
maximum length is 16 characters.
LDAP Server Type The type of LDAP server used for AAA:
Auto-DetectThe ASA/PIX/FWSM device tries to determine the
server type automatically. This is the default.
MicrosoftThe LDAP server is a Microsoft Active Directory
server.
Note You must configure LDAP over SSL to enable password
management with Microsoft Active Directory.
Element Description
LDAP Attribute Map The LDAP attribute configuration to bind to the LDAP server. Enter the
name of an LDAP attribute map policy object or click Select to select
it from a list or to create a new object.
LDAP attribute maps take the attribute names that you define and map
them to Cisco-defined attributes. For more information, see Add and
Edit LDAP Attribute Map Dialog Boxes, page 28-31.
Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-26 and select NT in the Protocol field.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
AAA Server Group Dialog Box, page 6-38
Field Reference
Element Description
Server Port The port used for communicating with the AAA server. The default is
139.
NT Authentication Host The name of the authentication domain controller hostname (maximum
of 16 characters).
Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-26 and select SDI in the Protocol field.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
AAA Server Group Dialog Box, page 6-38
Field Reference
Element Description
Server Port The port used for communicating with the AAA server. The default is
5500.
Retry Interval The interval between attempts to contact the AAA server. Values range
from 1 to 10 seconds. The default is 10 seconds.
SDI Server Version The SDI server version:
SDI-pre-5All SDI versions before version 5.0
SDI-5SDI version 5.0 or later.
SDI pre-5 Slave Server (Optional) A secondary server to be used for authentication if the
primary server fails when using an SDI version prior to 5.0. Enter the
IP address or the name of a network/host object, or click Select to select
an object or create a new one.
Note This type of AAA server can be configured only on ASA, PIX 7.x+, and FWSM 3.1+ devices.
Navigation Path
Go to the Add or Edit AAA Server Dialog Box, page 6-26 and select HTTP-FORM in the Protocol field.
Related Topics
Creating AAA Server Objects, page 6-25
Understanding AAA Server and Server Group Objects, page 6-20
AAA Server Group Dialog Box, page 6-38
Field Reference
Element Description
Start URL The URL from which the WebVPN server of the security appliance
should retrieve an optional pre-login cookie. The maximum URL
length is 1024 characters.
The authenticating web server might execute a pre-login sequence by
sending a Set-Cookie header along with the login page content. The
URL in this field defines the location from which the cookie is
retrieved.
Note The actual login sequence starts after the pre-login cookie
sequence.
Action URI The Uniform Resource Identifier (URI) that defines the location and
name of the authentication program on the web server to which the
security appliance sends HTTP POST requests for single sign-on (SSO)
authentication.
The maximum length of the action URI is 2048 characters.
Tip You can discover the action URI on the authenticating web
server by connecting to the web servers login page directly
with a browser. The URL of the login web page displayed in
your browser is the action URI for the authenticating web
server.
Username Parameter The name of the username parameter included in HTTP POST requests
for SSO authentication. The maximum length is 128 characters.
At login, the user enters the actual name value, which is entered into the
HTTP POST request and passed on to the authenticating web server.
Password Parameter The name of the password parameter included in HTTP POST requests
for SSO authentication. The maximum length is 128 characters.
At login, the user enters the actual password value, which is entered
into the HTTP POST request and passed on to the authenticating web
server.
Hidden Values The hidden parameters included in HTTP POST requests for SSO
authentication. They are referred to as hidden parameters because,
unlike the username and password, they are not visible to the user.
The maximum length of the hidden parameters is 2048 characters.
Tip You can discover the hidden parameters that the authenticating
web server expects in POST requests by using an HTTP header
analyzer on a form received from the web server.
Authentication Cookie Name The name of the authentication cookie used for SSO by the security
appliance. The maximum length is 128 characters.
If SSO authentication succeeds, the authenticating web server passes
this authentication cookie to the client browser. The client browser then
authenticates to other web servers in the SSO domain by presenting this
cookie.
Note The error is triggered by the actual interface defined as the source, not the name of the interface role that
represents the interface. That is, two AAA servers can have different interface roles defined as the source
interface as long as they both resolve to the same device interface. An error is also displayed if the
interface role defined for the source interface matches more than one actual interface on the device.
The number of AAA server group objects that can be created and the number of AAA server objects that
can be included in each group object depend on the selected platform. For example, ASA devices support
up to 18 single-mode server groups (with up to 16 servers each) and 7 multi-mode server groups (with
up to 4 servers each). PIX firewalls support up to 14 server groups, each containing up to 14 servers.
Note Security Manager includes a predefined AAA server group object that you can use when you perform
authentication locally inside the Cisco IOS router.
Tip You can also create AAA server group objects when you define policies or objects that use this object
type. For more information, see Selecting Objects for Policies, page 6-2.
Related Topics
Creating Policy Objects, page 6-6
Predefined AAA Authentication Server Groups, page 6-23
Default AAA Server Groups and IOS Devices, page 6-24
Understanding AAA Server and Server Group Objects, page 6-20
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 Select AAA Server Groups from the Object Type selector.
Step 3 Right-click inside the work area, then select New Object to open the AAA Server Group Dialog Box,
page 6-38.
Step 4 Enter a name for the object. The maximum name length is 16 characters if you plan to use this object
with ASA, PIX, or FWSM devices and 128 characters for Cisco IOS routers. Spaces are not supported.
Note Cisco IOS routers do not support the following AAA server group names: RADIUS, TACACS,
TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such
as rad or tac.
Navigation Path
Select Tools > Policy Object Manager, then select AAA Server Groups from the Object Type
Selector. Right-click inside the work area and select New Object or right-click a row and select Edit
Object.
Related Topics
Creating AAA Server Group Objects, page 6-37
Understanding AAA Server and Server Group Objects, page 6-20
Creating Policy Objects, page 6-6
Add or Edit AAA Server Dialog Box, page 6-26
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name (up to 16 characters when using this object with
firewall devices; up to 128 characters for Cisco IOS routers). Object
names are not case-sensitive. Spaces are not supported.
Consider the following important points:
Cisco IOS routers do not support AAA server groups named
RADIUS, TACACS, or TACACS+. In addition, we do not
recommend using an abbreviation of one of these names, such as
rad or tac.
If you define this AAA server group as the RADIUS or TACACS+
default group, any name you define here is automatically replaced
in the device configuration by the default name (RADIUS or
TACACS+) upon deployment.
Description An optional description of the object.
Protocol The protocol used by the AAA servers in the group. For more
information about these options, see Supported AAA Server Types,
page 6-21 and Additional AAA Support on ASA, PIX, and FWSM
Devices, page 6-21.
AAA Servers The AAA server policy objects that comprise the server group. Enter
the names of the objects or click Select to select them from a list that is
filtered to show only those AAA server objects that use the selected
protocol. Separate multiple objects with commas. You can also create
new objects from the selection list.
Make this Group the Default Whether to designate this AAA server group as the default group for the
AAA Server Group (IOS) RADIUS or TACACS+ protocol. Select this option if you intend to use
a single global group for the selected protocol for all policies on a
(IOS devices only.)
specific device requiring AAA.
Do not select this option if you intend to create multiple RADIUS or
TACACS+ AAA server groups. Multiple groups can be used to separate
different AAA functions (for example, use one group for authentication
and a different group for authorization) or to separate different
customers in a VRF environment.
Note When you discover an IOS router, any AAA servers in the
device configuration that are not members of a AAA server
group are placed in special groups called CSM-rad-grp (for
RADIUS) and CSM-tac-grp (for TACACS+), both of which are
marked as default groups. These two groups are created solely
to enable Security Manager to manage these servers. During
deployment, the AAA servers in these special groups are
deployed back to the device as individual servers. For more
information, see Default AAA Server Groups and IOS Devices,
page 6-24.
Element Description
Max Failed Attempts The number of connection attempts that can fail before an unresponsive
(PIX, ASA, FWSM devices AAA server in the group is deactivated.
only.) Values range from 1 to 5.
Reactivation Mode The method to use when reactivating failed AAA servers in the group:
(PIX, ASA, FWSM devices DepletionReactivate failed servers only after all of the servers in
only.) the group fail. This is the default.
TimedReactivate failed servers after 30 seconds of downtime.
Note You must use the Timed option when using Simultaneous as the
Group Accounting Mode.
Reactivation Deadtime When you select Depletion as the reactivation mode, the number of
minutes that should elapse between the deactivation of the last server in
(PIX, ASA, FWSM devices
the group and the reactivation of all the servers in the group. Values
only.)
range from 0 to 1440 minutes (24 hours).
Group Accounting Mode When using the RADIUS or TACACS+ protocols, the method for
sending accounting messages to the AAA servers in the group:
(PIX, ASA, FWSM devices
only.) SimultaneousAccounting messages are sent to all servers in the
group simultaneously.
Note If you select this option, you must select Timed as the
Reactivation Mode.
ACL 110 permits traffic originating from any address on the 10.128.2.0 network. The any statement
means that the traffic is allowed to have any destination address with the limitation of going to port 80.
The value of 0.0.0.0/255.255.255.255 can be specified as any.
Uses:
Identifying addresses for NAT (policy NAT and NAT exemption)Policy NAT lets you identify
local traffic for address translation by specifying the source and destination addresses and ports in
an extended access list. Regular NAT can only consider local addresses. An access list that is used
with policy NAT cannot be configured to deny an access control entry (ACE).
Identifying addresses for IOS dynamic NATFor user-defined ACLs, the NAT plug-in generates
its own ACL CLIs when deducing NAT traffic from VPN traffic.
Filtering traffic that will be intercepted by Network Admission Control (NAC).
Identifying traffic in a traffic class-map for modular policyAccess lists can be used to identify
traffic in a class-map, which is used for features that support Modular Policy Framework such as
TCP and general connection settings, inspection, IPS, and QoS. You can use one or more access lists
to identify specific types of traffic.
For transparent mode, enabling protocols that are blocked by a routed mode security appliance,
including BGP, DHCP, and multicast streams. Because these protocols do not have sessions on the
security appliance to allow return traffic, these protocols also require access lists on both interfaces.
Establishing VPN accessYou can use an extended access list in VPN commands to identify the
traffic that should be tunneled on the device for an IPsec site-to-site tunnel or to identify the traffic
that should be tunneled on the device for a VPN client. Use in conjunction with the policy objects
and settings shown in Table 6-16 on page 6-42:
Related Topics
Creating Access Control List Objects, page 6-40
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Creating Policy Objects, page 6-6
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 From the Object Type selector, select Access Control Lists.
The Access Control List page appears. The Extended tab opens by default.
Step 3 Right-click inside the work area, then select New Object.
The Add Extended Access List dialog box appears (see Add or Edit Access List Dialog Boxes,
page 6-45).
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Right-click inside the table, then select Add.
The Add Extended Access Control Entry dialog box appears.
Step 6 Create the access control entry:
If you select Access Control Entry for Type, specify the characteristics of the traffic that you want
to match and whether you are permitting or denying the traffic. Enter the source addresses whence
the traffic originates, the destination addresses whither the traffic travels, and the services that
define the characteristics of the traffic. Click Advanced to define logging options. For detailed
information about the fields on the dialog box, see Add and Edit Extended Access Control Entry
Dialog Boxes, page 6-47.
If you select ACL Object, select the object in the available objects list and click >> to add it to the
list of selected objects.
Uses:
Identifying OSPF route redistribution.
Filtering users of a community string using SNMP.
Configuring VLAN ACLs for a Catalyst 6500/7600 device.
Related Topics
Creating Access Control List Objects, page 6-40
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Creating Policy Objects, page 6-6
Understanding Network/Host Objects, page 6-62
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 From the Object Type selector, select Access Control Lists.
The Access Control List page appears.
Step 3 Click the Standard tab.
Step 4 Right-click inside the work area, then select New Object.
The Add Standard Access List dialog box appears (see Add or Edit Access List Dialog Boxes,
page 6-45).
Step 5 Enter a name for the object and optionally a description of the object.
Step 6 Right-click inside the table, then select Add.
The Add Standard Access Control Entry dialog box appears.
Uses:
As a filter ACL in an ASA User Group policy object (under SSL VPN > Clientless).
Related Topics
Creating Access Control List Objects, page 6-40
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Creating Policy Objects, page 6-6
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 From the Object Type selector, select Access Control Lists.
The Access Control List page appears.
Step 3 Click the Web tab.
Step 4 Right-click inside the work area and select New Object.
The Add WebType Access List dialog box appears (see Add or Edit Access List Dialog Boxes,
page 6-45).
Step 5 Enter a name for the object and optionally a description of the object.
Step 6 Right-click inside the access control entry table and select Add.
The Add Web Access Control Entry dialog box appears.
Step 7 Create the access control entry:
If you select Access Control Entry for Type, specify the characteristics of the traffic that you want
to match and whether you are permitting or denying the traffic. You can filter based on the network
destination of the traffic (Network Filter) or the web address (URL Filter). For detailed information
about the fields on the dialog box, see Add and Edit Web Access Control Entry Dialog Boxes,
page 6-51.
If you select ACL Object, select the object in the available objects list and click >> to add it to the
list of selected objects.
Step 8 Click OK to save your changes.
The dialog box closes and you return to the Add WebType Access List page. The new entry is shown in
the table. If necessary, select it and click the up or down buttons to position it at the desired location.
Step 9 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 10 Click OK to save the object.
Navigation Path
Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector.
Select the tab for the type of ACL object you want to create, and then right-click inside the work area
and select New Object or right-click a row and select Edit Object.
Related Topics
Creating Access Control List Objects, page 6-40
Creating Extended Access Control List Objects, page 6-41
Creating Standard Access Control List Objects, page 6-43
Creating Web Access Control List Objects, page 6-44
Contiguous and Discontiguous Network Masks, page 6-63
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Table 6-18 Add and Edit Access List Dialog Boxes (Continued)
Element Description
Access Control Entry table The access control entries (ACEs) and ACL objects that are part of the
ACL. The table displays the name of the entry or object, description,
options, services, and other attributes of the entry.
In the Permit column, a green checkmark indicates that the entry
permits traffic (typically, the traffic is considered a match for the
service you are defining), whereas a red circle with a slash indicates
that traffic is denied (typically, the traffic is considered to not match,
and the service you are defining is not applied to the denied traffic).
The source and, if applicable, destination addresses can be host IP
addresses, network addresses, or network/host policy objects.
To add an ACE, click the Add button and fill in the dialog box for
the type of ACL you are creating:
Add and Edit Extended Access Control Entry Dialog Boxes,
page 6-47
Add and Edit Standard Access Control Entry Dialog Boxes,
page 6-49
Add and Edit Web Access Control Entry Dialog Boxes,
page 6-51
To edit an ACE, select it and click the Edit button.
To delete an ACE, select it and click the Delete button.
To change the position of an entry, select it and click the Up/Down
arrow buttons as required. Entries are evaluated top to bottom, so
correct positioning is crucial for you to get the results you intend.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override per Whether to allow the object definition to be changed at the device level.
Device For more information, see Allowing a Policy Object to Be Overridden,
Overrides page 6-13 and Understanding Policy Object Overrides for Individual
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
From the Add or Edit Access List Dialog Boxes, page 6-45 for Extended ACL objects, click the Add
button in the ACE table, or select a row and click the Edit button.
Related Topics
Creating Extended Access Control List Objects, page 6-41
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Filtering Items in Selectors, page 1-30
Field Reference
Table 6-19 Add and Edit Extended Access Control Entry Dialog Boxes
Element Description
Type The type of entry you are adding. The fields on the dialog box change
based on your selection.
Access Control EntryYou want to define an ACE.
ACL ObjectsYou want to include an existing ACL object. You
are presented with a list of available ACL objects. Select the
objects you want to include and click the >> button to move them
to the list of selected objects. You can remove an object by
selecting it and clicking <<. You can also edit objects in the
selected objects list.
Action The action to take on traffic defined in the entry:
PermitThe service associated with this ACL is applied to this
traffic. That is, the traffic is permitted to use the service.
DenyThe service associated with this ACL is not applied to this
traffic. If there are multiple ACLs configured for a service, denied
traffic is typically compared to the next ACL in the list; if it
matches no permit entry in any ACL for the service, the service is
not applied to the traffic. Whether the traffic is dropped from the
network depends on the service.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Table 6-19 Add and Edit Extended Access Control Entry Dialog Boxes (Continued)
Element Description
Source The source or destination of the traffic. You can enter more than one
Destination value by separating the items with commas.
You can enter any combination of the following address types. For more
information, see Specifying IP Addresses During Policy Definition,
page 6-68.
Network/host object. Enter the name of the object or click Select
to select it from a list. You can also create new network/host objects
from the selection list.
Host IP address, for example, 10.10.10.100.
Network address, including subnet mask, in either the format
10.10.10.0/24 or 10.10.10.0/255.255.255.0.
A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255,
where the mask is a discontiguous bit mask (see Contiguous and
Discontiguous Network Masks, page 6-63).
Services The services that define the type of traffic to act on. You can enter more
than one value by separating the items with commas.
You can enter any combination of service objects and service types
(which are typically a protocol and port combination). If you type in a
service, you are prompted as you type with valid values. You can select
a value from the list and press Enter or Tab.
For complete information on how to specify services, see
Understanding and Specifying Services and Service and Port List
Objects, page 6-69.
Description An optional description of the object.
Advanced button Click this button to define logging options for the entry:
For PIX, ASA, and FWSM devices, you can enable:
Default loggingIf a packet is denied, message 106023 is
generated. If a packet is permitted, no message is generated.
Per ACE loggingIf a packet is denied, message 106100 is
generated. You can select the logging severity level for the
messages, and the interval (in seconds from 1 to 600) for
generating messages.
For IOS devices, when you enable logging, informational messages
about packets that match the entry are sent to the console. You can
also elect to include the input interface and source MAC address or
VC in the logging output.
Navigation Path
From the Add or Edit Access List Dialog Boxes, page 6-45 for Standard ACL objects, click the Add
button in the ACE table, or select a row and click the Edit button.
Related Topics
Creating Standard Access Control List Objects, page 6-43
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Filtering Items in Selectors, page 1-30
Field Reference
Table 6-20 Add and Edit Standard Access Control Entry Dialog Boxes
Element Description
Type The type of entry you are adding. The fields on the dialog box change
based on your selection.
Access Control EntryYou want to define an ACE.
ACL ObjectsYou want to include an existing ACL object. You
are presented with a list of available ACL objects. Select the
objects you want to include and click the >> button to move them
to the list of selected objects. You can remove an object by
selecting it and clicking <<. You can also edit objects in the
selected objects list.
Action The action to take on traffic defined in the entry:
PermitThe service associated with this ACL is applied to this
traffic. That is, the traffic is permitted to use the service.
DenyThe service associated with this ACL is not applied to this
traffic. If there are multiple ACLs configured for a service, denied
traffic is typically compared to the next ACL in the list; if it
matches no permit entry in any ACL for the service, the service is
not applied to the traffic. Whether the traffic is dropped from the
network depends on the service.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Table 6-20 Add and Edit Standard Access Control Entry Dialog Boxes (Continued)
Element Description
Source The source of the traffic. You can enter more than one value by
separating the items with commas.
You can enter any combination of the following address types. For more
information, see Specifying IP Addresses During Policy Definition,
page 6-68.
Network/host object. Enter the name of the object or click Select
to select it from a list. You can also create new network/host objects
from the selection list.
Host IP address, for example, 10.10.10.100.
Network address, including subnet mask, in either the format
10.10.10.0/24 or 10.10.10.0/255.255.255.0.
A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255,
where the mask is a discontiguous bit mask (see Contiguous and
Discontiguous Network Masks, page 6-63).
Description An optional description of the object.
Log Option Whether to create log entries when traffic meets the entry criteria. ACL
logging generates syslog message 106023 for denied packets. Deny
packets must be present to log denied packets.
Navigation Path
From the Add or Edit Access List Dialog Boxes, page 6-45 for Web Type ACL objects, click the Add
button in the ACE table, or select a row and click the Edit button.
Related Topics
Creating Web Access Control List Objects, page 6-44
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Filtering Items in Selectors, page 1-30
Field Reference
Table 6-21 Add and Edit Web Access Control Entry Dialog Boxes
Element Description
Type The type of entry you are adding. The fields on the dialog box change
based on your selection.
Access Control EntryYou want to define an ACE.
ACL ObjectsYou want to include an existing ACL object. You
are presented with a list of available ACL objects. Select the
objects you want to include and click the >> button to move them
to the list of selected objects. You can remove an object by
selecting it and clicking <<. You can also edit objects in the
selected objects list.
Action The action to take on traffic defined in the entry:
PermitThe service associated with this ACL is applied to this
traffic. That is, the traffic is permitted to use the service.
DenyThe service associated with this ACL is not applied to this
traffic. If there are multiple ACLs configured for a service, denied
traffic is typically compared to the next ACL in the list; if it
matches no permit entry in any ACL for the service, the service is
not applied to the traffic. Whether the traffic is dropped from the
network depends on the service.
Filter Destination Whether the entry specifies a network filter (host or network address)
or a URL filter (web site address). Your selection changes the fields on
the dialog box. The fields are described below.
Destination The destination of the traffic. You can enter more than one value by
separating the items with commas.
(Network Filter only.)
You can enter any combination of the following address types. For more
information, see Specifying IP Addresses During Policy Definition,
page 6-68.
Network/host object. Enter the name of the object or click Select
to select it from a list. You can also create new network/host objects
from the selection list.
Host IP address, for example, 10.10.10.100.
Network address, including subnet mask, in either the format
10.10.10.0/24 or 10.10.10.0/255.255.255.0.
A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255,
where the mask is a discontiguous bit mask (see Contiguous and
Discontiguous Network Masks, page 6-63).
Table 6-21 Add and Edit Web Access Control Entry Dialog Boxes (Continued)
Element Description
Ports The port numbers or port list policy objects that define the port the
(Network Filter only.) traffic uses, if you want to use port identification. You can enter more
than one value by separating the items with commas.
You can enter any combination of the following types:
Port list object. Enter the name of the object or click Select to
select it from a list. You can also create new port list objects from
the selection list.
Port number, for example, 80.
A range of ports, for example, 80-90.
URL Filter The Universal Resource Locator (URL), or web address, of the traffic.
You can use an asterisk as a match-all wildcard. For example,
(URL Filter only.)
http://*.cisco.com matches all servers on the cisco.com network. You
can specify any valid URL.
Logging The type of logging to use for this entry:
Select Log Disabled to not create log entries.
Select Default to use the default settings on the device.
All other available options enable logging and identify the log level
that will be used.
Logging Interval The interval of time, in seconds, used to generate logging messages,
from 1 to 600. The default is 300. You can modify this field only if you
select a logging level in the Logging field.
Time Range The time range policy object that defines the time range associated with
the entry. The time range defines the access to the device and relies on
the devices system clock. For more information, see Configuring Time
Range Objects, page 6-53.
Enter the name of the object or click Select to select it from a list. You
can also create new time range objects from the selection list.
Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Description An optional description of the object.
You can also use time range objects when defining ASA user groups to restrict VPN access to specific
times during the week. For more information, see ASA Group Policies SSL VPN Settings, page 28-15.
Time range objects can rely on the devices system clock, but they work best when using Network Time
Protocol (NTP) synchronization.
Navigation Path
Select Tools > Policy Object Manager, then select Time Ranges from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object (up to 1024 characters).
Start Time The overall starting and ending time for the time range object:
End Time Start NowDefines the time of deployment as the start time.
Never EndDefines no end time for the range.
Start At, End AtDefines a specific start or end date and time.
Click the calendar icon to display a tool for selecting the date.
Enter the time in the Time field using the 24-hour clock format,
HH:MM.
Recurring Ranges Recurring time periods that happen within the overall start and end
times, if any. For example, if you want to create a time range object that
defines work hours, you could select Start Now and Never End for the
overall range, and enter a recurring range of weekdays from 08:00 to
18:00 hours.
To add a range, click the New Recurring Range button and fill in
the Recurring Ranges Dialog Box, page 6-54.
To edit a range, select it and click the Edit Recurring Range
button.
To delete a range, select it and click the Delete Recurring Range
button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Navigation Path
Go to the Add or Edit Time Range dialog box and click the New Recurring Range button under
Recurring Ranges, or select a range and click Edit Recurring Range. See Configuring Time Range
Objects, page 6-53.
Field Reference
Element Description
Specify days of the week and Defines a recurring range that is based on specific days and times of the
times during which this week. You can select from:
recurring range will be active
Every day
Weekdays
Weekends
On these days of the weekSelect the specific days to include in
the range.
Also select the starting and ending time during the day. The default is
all day.
Specify a weekly interval Defines a recurring range for every week. Select the starting and ending
during which this recurring day and time. For example, you can start the weekly period on Sunday
range will be active and end it on Thursday.
Tip You can also create interface role objects when you define policies or objects that use this object type.
For more information, see Selecting Objects for Policies, page 6-2.
Related Topics
Creating Policy Objects, page 6-6
Specifying Interfaces During Policy Definition, page 6-58
Understanding Interface Role Objects, page 6-55
Using Interface Roles When a Single Interface Specification is Allowed, page 6-59
Managing Object Overrides, page 6-12
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 Select Interface Roles from the Object Type selector.
Step 3 Right-click in the work area, then select New Object.
The Interface Role dialog box appears.
Step 4 Enter a name for the object and optionally a description of the object. Names can be up to 128 characters,
descriptions up to 1024.
Step 5 Enter one or more naming patterns for the interface role object. The names are the complete or partial
names of interfaces, subinterfaces, and other virtual interfaces. Separate multiple name patterns with
commas.
You can use these wildcards to create name patterns that apply to multiple interfaces:
Use a period (.) as a wildcard for a single character.
To use a period as part of the pattern itself (for example, when defining subinterfaces), enter a
backslash (\) before the period.
Use an asterisk (*) as a wildcard for one or more characters at the end of the interface pattern. For
example, FastEthernet* would include interfaces named FastEthernet0 and FastEthernet1.
If the pattern does not include a wildcard, it must match the exact name of the interface. For example,
the pattern FastEthernet will not match FastEthernet0/1 unless you include an asterisk at the end of
the pattern.
Step 6 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 7 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined
on individual devices. See Allowing a Policy Object to Be Overridden, page 6-13.
Step 8 Click OK to save the object.
Navigation Path
Select Tools > Policy Object Manager, then select Interface Roles from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
Creating Policy Objects, page 6-6
Creating Interface Role Objects, page 6-56
Using Interface Roles When a Single Interface Specification is Allowed, page 6-59
Specifying Interfaces During Policy Definition, page 6-58
Understanding Interface Role Objects, page 6-55
Understanding the Zone-based Firewall Rules, page 18-3
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The name of the policy object. A maximum of 128 characters is
allowed.
Description A description of the policy object. A maximum of 1024 characters is
allowed.
Interface Name Patterns The names to include in this interface role. The names are the complete
or partial names of interfaces, subinterfaces, and other virtual
interfaces. Separate multiple name patterns with commas.
You can use these wildcards to create name patterns that apply to
multiple interfaces:
Use a period (.) as a wildcard for a single character.
To use a period as part of the pattern itself (for example, when
defining subinterfaces), enter a backslash (\) before the period.
Use an asterisk (*) as a wildcard for one or more characters at the
end of the interface pattern. For example, FastEthernet* would
include interfaces named FastEthernet0 and FastEthernet1.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override per Whether to allow the object definition to be changed at the device level.
Device For more information, see Allowing a Policy Object to Be Overridden,
Overrides page 6-13 and Understanding Policy Object Overrides for Individual
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
By selecting from a list, you can ensure that your entry is valid. For more information, see Selecting
Objects for Policies, page 6-2.
When a policy allows multiple interfaces, separate entries with commas.
In policies and object selectors, icons distinguish between interfaces and interface roles. If you create
interface roles with the same name as interfaces, be careful to select exactly what you want. Table 6-25
explains the icons.
Type Icon
Interface
Interface role
If you can edit the role, a pencil image overlays the icon.
Global interface on ASA 8.3+ devices, used for rules created as global instead
of interface-specific.
Related Topics
Basic Interface Settings on Cisco IOS Routers, page 52-1
Configuring Firewall Device Interfaces, page 39-2
Understanding Interface Role Objects, page 6-55
Creating Interface Role Objects, page 6-56
Using Interface Roles When a Single Interface Specification is Allowed, page 6-59
Related Topics
Specifying Interfaces During Policy Definition, page 6-58
Understanding Interface Role Objects, page 6-55
Creating Interface Role Objects, page 6-56
Related Topics
Specifying Interfaces During Policy Definition, page 6-58
Understanding Interface Role Objects, page 6-55
Tip Devices enforce unique names for all configured maps. For example, you cannot use the same name for
an FTP and DNS class map on the same device. If you select maps with the same name for a device,
Security Manager automatically adds a numerical suffix to the duplicate names, for example, dnsmap_1.
The Maps folder contains the following folders. Subfolders organize the maps based on whether they are
used for inspection or web content filtering.
Class MapsLayer 7 class maps used for identifying traffic that you want to act on.
Parameter MapsParameter maps that configure settings used in zone-based firewall rules policies
or other maps.
Policy MapsLayer 7 policy maps used for identifying the action to take on selected traffic.
Also included in the Maps folder are entries for TCP Map objects (a Layer 4 object), Regular Expression
objects, and Regular Expression Group objects.
The following sections describe the different types of maps in more detail.
Class Maps
Class maps are subordinate to policy maps. You cannot specify a class map directly in a device policy.
Instead, you create a policy map to incorporate the class map. The class map itself defines the match
conditions for the traffic that you want to target in an inspection rule or zone-based firewall rule.
ASA/PIX 7.2 and higher, and FWSM devicesYou can create class maps for the inspection of
DNS, FTP, HTTP, IM, and SIP traffic. You also have the option of defining the traffic match
directly in the policy map object, but if you create separate class maps, you can reuse them in more
than one policy map.
IOS 12.4(6)T and higher devicesYou can create class maps for the inspection of IM applications
(AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger), P2P applications
(eDonkey, FastTrack, Gnutella, Kazaa2), H.323, HTTP, IMAP, POP3, SIP, SMTP, Sun RPC. You
can also create class maps for filtering web content using the Local, N2H2, Trend, and Websense
objects.
Unlike the class maps used for ASA/PIX/FWSM, you must create separate class maps and refer to
them from the related policy maps. You can use these policy maps in zone-based firewall inspection
or content filtering rules. For more information, see these topics:
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
To create class maps, see these topics:
Configuring Class Maps for Inspection Policies, page 15-22
Configuring Class Maps for Zone-Based Firewall Policies, page 18-17
To create the regular expressions and regular expression groups that you can use in class, parameter, and
policy maps, see these topics:
Configuring Regular Expressions for Inspection Maps, page 15-77
Configuring Regular Expression Groups, page 15-76
Parameter Maps
Parameter maps define settings that you can use in zone-based firewall inspection or content filtering
rules, or in other policy map objects.
InspectionYou can create Inspection Parameter maps for general zone-based firewall rule
parameters, or Protocol Info Parameter maps for use with IM application inspection.
Content FilteringYou can create the following parameter maps to define web content filtering:
Local, N2H2, Trend, URL Filter, URLF Glob, Websense.
Policy Maps
You can configure policy maps to alter the default actions of inspection or to configure web content
filtering in zone-based firewall settings policies. Policy maps typically apply to applications that require
special handling, perhaps due to embedded IP address information or the fact that the traffic opens
secondary channels on dynamically assigned ports.
The policy map identifies the action to take on traffic that matches the conditions identified in the map.
For most policy maps, you can specify traffic match conditions by referring to a class map. However,
some policy maps require that you specify the match criteria within the policy map.
You can configure these types of policy maps:
Inspection RulesWhen configuring inspection rules, you can use Security Manager to create
policy map objects for the following applications: DCE/RPC, DNS, ESMTP, FTP, GTP, H.323,
HTTP, IM, IP options, IPsec, NetBIOS, SIP, Skinny, and SNMP. for more information, see
Configuring Protocols and Maps for Inspection, page 15-19.
Zone-Based Firewall Inspection RulesWhen configuring zone-based firewall inspection rules,
you can use Security Manager to create policy map objects for the following applications: H.323,
HTTP, IM (includes AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger),
IMAP, P2P (includes eDonkey, FastTrack, Gnutella, Kazaa2), POP3, SIP, SMTP, Sun RPC. For
more information, see Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15.
Zone-Based Firewall Content Filtering RulesWhen configuring zone-based firewall content
filtering rules, you can use Security Manager to create Web Filter policy maps. You can also
configure HTTP policy maps to inspect HTTP traffic. For more information, see Configuring
Content Filtering Maps for Zone-based Firewall Policies, page 18-34.
IPS, QoS and Connection RulesWhen configuring this service policy, which is specific to PIX
7.x+ and ASA devices, you can customize TCP inspection using a TCP map. For more information,
see Configuring TCP Maps, page 48-17 and Chapter 48, Configuring Service Policy Rules on
Firewall Devices.
For example, 255.255.255.0 indicates that the first three octets of the IP address (24 bits or /24 in CIDR
notation) are made up of ones and identify the network; the last octet is made up of zeros and identifies
the host.
Discontiguous Network Masks
Nonstandard, or discontiguous, network masks are masks that do not conform to the contiguous format.
For example, 10.0.1.1/255.0.255.255 indicates that you want to match an address that matches octets 1,
3, and 4 exactly, but any value in octet 2 is accepted.
Although discontiguous network masks are not typically used for network configurations, they are
sometimes used for certain commands, such as filtering commands when defining access control lists
(ACLs). Security Manager supports the use of nonstandard network masks in the policies whose CLI
commands support them. An error is displayed if you try to define a discontiguous network mask in a
policy that does not support them.
Related Topics
Creating Network/Host Objects, page 6-64
Specifying IP Addresses During Policy Definition, page 6-68
Using Unspecified Network/Host Objects, page 6-67
Understanding Network/Host Objects, page 6-62
Tip You can create network/host objects when defining policies or objects that use this object type. For more
information, see Selecting Objects for Policies, page 6-2.
Related Topics
Understanding Network/Host Objects, page 6-62
Creating Policy Objects, page 6-6
Contiguous and Discontiguous Network Masks, page 6-63
Specifying IP Addresses During Policy Definition, page 6-68
Using Unspecified Network/Host Objects, page 6-67
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups,
page 6-75
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
Step 2 Select Networks/Hosts from the Object Type selector.
Step 3 Right-click in the work area, then select New Object, and select one of the following types of
network/host object, to open the Add or Edit Network/Host Dialog Box, page 6-65:
GroupTo create an object that has one or more entry. This is the type of network/host object that
was available in all Security Manager 3.x versions. You can include one or more IP addresses and
address ranges in IPv4 format. Additionally, you can include other network/host objects. For
example, you can create a network/host object that comprises two existing network/host objects, a
range of IP addresses, and two additional IP addresses.
HostTo create an object with a single host address, such as 10.100.10.10.
NetworkTo create an object with a single network address, such as 10.100.10.0/24.
Address RangeTo create an object with a single range of addresses, such as
10.100.10.1-10.100.10.255.
Tip Host, network, and address range objects also allow you to configure object NAT rules for ASA
8.3+ devices. Any NAT configuration is ignored for other devices.
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Depending on the object type you selected, enter the required address information.
GroupEnter the desired host or network addresses, address ranges, or other network/host objects.
For specific information on the address formats allowed, see Specifying IP Addresses During Policy
Definition, page 6-68.
HostEnter a single IP address.
NetworkEnter the network address and subnet mask. If the correct subnet mask is not included in
the Subnet Mask list, type it into the field.
Address RangeEnter the first and last address that define the range. You cannot enter the same
address in each field.
Tip You can leave these fields blank if you want to create an object that must be overridden for every
device that uses it. You must also select Allow Value Override per Device. For more
information, see Using Unspecified Network/Host Objects, page 6-67.
Step 6 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 7 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined
on individual devices. See Allowing a Policy Object to Be Overridden, page 6-13.
Tip If you configure a NAT rule on the NAT tab, you must select this option. All object NAT rules
are considered device overrides.
Navigation Path
Select Tools > Policy Object Manager, then select Networks/Hosts from the Object Type Selector.
Right-click inside the work area and select New Object (and select an object type) or right-click a row
and select Edit Object.
Related Topics
Creating Network/Host Objects, page 6-64
Understanding Network/Host Objects, page 6-62
Policy Object Manager Window, page 6-3
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups,
page 6-75
Field Reference
Element Description
Name The object name (up to 64 characters). Object names are not
case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Networks/Hosts The networks or hosts to include in the object. Separate multiple
addresses with commas.
(Group objects only.)
You can include host addresses, network addresses (with subnet masks
entered after a / character, such as 10.100.10.0/24), a range of addresses
(separate the starting and ending address with a hyphen, -, and
optionally include a subnet mask), or other network/host objects (click
Select to select other objects). For more specific information on
supported formats, see Specifying IP Addresses During Policy
Definition, page 6-68.
IP Address The IP address of the single host to include in the object.
(Host objects only.)
Start IP Address The first and last IP address that define a range of addresses. The start
End IP Address and end addresses must be different, with the start being lower than the
end.
(Address range objects only.)
IP Address The address that represents the network, for example, 10.100.10.0/24.
Subnet Mask The Subnet Mask field includes a list of common masks (in CIDR
format), but you can type in any mask in either CIDR (for example, /24)
(Network objects only.)
or dotted decimal (for example, 255.255.255.0) format.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Element Description
Allow Value Override per Whether to allow the object definition to be changed at the device level.
Device For more information, see Allowing a Policy Object to Be Overridden,
Overrides page 6-13 and Understanding Policy Object Overrides for Individual
Devices, page 6-13.
Edit button
Tip If you configure NAT for host, address range, or network
objects, you must select this option. The NAT configuration is
created as a device override and is not kept in the object.
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Related Topics
Creating Network/Host Objects, page 6-64
Understanding Policy Object Overrides for Individual Devices, page 6-13
Contiguous and Discontiguous Network Masks, page 6-63
Specifying IP Addresses During Policy Definition, page 6-68
Understanding Network/Host Objects, page 6-62
Step 2 Create overrides for each device that will use the object:
a. In the Overridable column for the object on the Networks/Hosts page, double-click the green
checkmark to open the Policy Object Overrides Window, page 6-16.
b. Click the Create Override button and select the devices on which you want to create overrides, then
define a value in the address field. At this point, this override value applies to all the selected
devices. For more information, see Creating or Editing Object Overrides for Multiple Devices At A
Time, page 6-15.
c. Double-click each device in the Policy Object Overrides dialog box, then modify the address field
for the value required by that device.
Step 3 Define the policy that requires the network/host object. You can use one of two methods:
Define the policy on a single device in Device view, share the policy, then assign the policy to the
other devices. See Sharing a Local Policy, page 5-37 and Modifying Shared Policy Assignments in
Device View or the Site-to-Site VPN Manager, page 5-45.
Create a shared policy in Policy view, then assign the policy to the other devices using the
Assignments tab. See Modifying Policy Assignments in Policy View, page 5-50.
Note You can create a network/host group object that refers to a network/host object with an
unspecified value. You do not have to create the device-level overrides before you assign the
policy containing the object to devices.
Interface role object (in rare cases). Enter the name of the object or click Select to select it from a
list (you must select Interface Role as the object type). When you use an interface role, the rule
behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that
get their address through DHCP, because you do not know what IP address will be assigned to the
device. For more information, see Understanding Interface Role Objects, page 6-55.
When you create a network/host object or define IP addresses as part of a policy, Security Manager
verifies that the syntax of the address is correct and that a mask was entered when required. For example,
when you define a policy that requires a host, you do not need to enter a mask. However, when you
define a policy that requires a subnet, you must enter the address with the mask or select a network/host
object that has a mask defined.
Related Topics
Creating Network/Host Objects, page 6-64
Contiguous and Discontiguous Network Masks, page 6-63
Using Unspecified Network/Host Objects, page 6-67
Policy Object Manager Window, page 6-3
Understanding Network/Host Objects, page 6-62
Whether you are creating a service object or specifying services directly in a policy, you can specify
services using the following formats. As you type, Security Manager might prompt you with
text-completion options related to your entry. You can select a value from the list and press Enter or Tab.
You can enter more than one service by separating services with commas.
protocol, where the protocol is 1-255 or a well known protocol name such as tcp, udp, gre, icmp,
and so forth. If you enter a number, Security Manager might convert it to the associated name.
icmp/message_type, where the message type is 1-255 or a well-known message type name such as
echo.
{tcp | udp | tcp&udp}/{destination_port_number | port_list_object} where the destination port
number is 1-65535 or the name of a port list object. You can enter a range of ports using a hyphen,
for example, 10-20. The source port number is the Default Range port list object. The Default Range
object includes either all ports (1-65535) or all secure ports (1024-65535), depending on the setting
you select in the Policy Objects Page, page 11-32 (select Tools > Security Manager
Administration > Policy Objects).
For example, defining a service as tcp/10 means that 10 is the destination port and no source port is
defined.
When you specify ports, you can also use the following special keywords: lt (less than), gt (greater
than), eq (equal to), and neq (not equal to), followed by a number. For example, lt 440 specifies all
ports less than 440.
Tip To create port list objects, select Services > Port Lists in the Policy Object Manager Window and click
the Add Object button. For more information, see Configuring Port List Objects, page 6-71.
Related Topics
Selecting Objects for Policies, page 6-2
Creating Policy Objects, page 6-6
Editing Objects, page 6-9
How Service Objects are Provisioned as Object Groups, page 6-76
Using Category Objects, page 6-9
Managing Object Overrides, page 6-12
Allowing a Policy Object to Be Overridden, page 6-13
Tip The predefined Default Range port list object includes either all ports (1-65535) or all secure ports
(1024-65535), depending on the setting you select in the Security Manager Administration window
(select Tools > Security Manager Administration > Policy Objects and see Policy Objects Page,
page 11-32).
Navigation Path
Select Tools > Policy Object Manager, then select Services > Port Lists from the Object Type
Selector. Right-click inside the work area and select New Object or right-click a row and select Edit
Object.
Related Topics
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Configuring Service Objects, page 6-72
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Element Description
Ports The ports or ranges included in the port list object, for example, 443, or
1-1000. You can define a single port, a range of ports, multiple port
ranges, or any combination of single ports and ranges. Separate
multiple entries with commas. Port values range from 1 to 65535.
You can use the following operators to identify ranges:
gtGreater than. For example, gt 1000.
ltLess than. For example, lt 1000.
eqEquals. For example, eq 1000. However, eq 1000 has the same
meaning as simply entering 1000.
neqDoes not equal. For example, neq 1000.
If you use this operator, you can include only the neq value in the
Ports field. However, you can include port ranges in the object.
Thus, if you want to create an object that specifies all ports from
1000-1200 except for 1150, create a port list object for the
1000-1200 range, and another object that specifies neq 1150 and
that includes the other port list object.
Port Lists The other port list objects included in the object, if any. Enter the name
of the port lists or click Select to select them from a list or to create new
objects. Separate multiple entries with commas.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override per Whether to allow the object definition to be changed at the device level.
Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Services > Services from the Object Type Selector.
Right-click inside the work area and select New Object (and select an object type) or right-click a row
and select Edit Object.
Related Topics
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name. If you are using the object for ASA or PIX devices running
software version 8.x, limit the length of the name to 64 characters. For other
devices the name can be up to 128 characters.
Object names are not case-sensitive. For more information, see Creating Policy
Objects, page 6-6.
Description An optional description of the object.
Element Description
Services (for The services to include in this policy object. When creating a Service Group, you
groups) can enter more than one service by separating services with commas. When
Service (for creating a Service Object, you can enter one service only.
objects) You can specify services using the following formats. As you type, Security
Manager may prompt you with text-completion options related to your entry. If
you enter a service that translates directly to a predefined service object, the
entry is converted to the predefined object name; for example, TCP/80 is
converted to HTTP.
protocol, where the protocol is 1 to 255 or a well known protocol name such
as tcp, udp, gre, icmp, and so forth. If you enter a number, Security Manager
might convert it to the associated name.
icmp/message_type, where the message type is 1 to 255 or a well-known
ICMP message type name such as echo.
{tcp | udp | tcp&udp}/{destination_port_number | port_list_object} where
the destination port number can be 1 to 65535, or the name of a port list
object. You can enter a range of ports using a hyphen, for example, 10-20.
In this instance, the source port number is the Default Range port list object,
which specifies the range 1-65535. (See Configuring Port List Objects,
page 6-71 for information about creating and editing port list objects.)
Whenever you specify ports, you can also use the following special
keywords: lt (less than), gt (greater than), eq (equal to), and neq (not equal
to), followed by a number. For example, lt 440 specifies all ports less than
440.
{tcp | udp | tcp&udp}/{source_port_number | port_list_object}/
{destination_port_number | port_list_object}, where the source and
destination port numbers can be 1 to 65535, or the name of a port list object.
You can enter a range of ports using a hyphen, for example, 10-20.
(Service groups only) service_object_name, which is the name of another
existing service object. Specifying other objects lets you nest object
definitions. Click Select to select a service object or to create a new object.
Category The category assigned to the object. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Allow Value Whether to allow the object definition to be changed at the device level. For more
Override per information, see Allowing a Policy Object to Be Overridden, page 6-13 and
Device Understanding Policy Object Overrides for Individual Devices, page 6-13.
Overrides If you allow device overrides, you can click the Edit button to create, edit, and
view the overrides. The Overrides field indicates the number of devices that
Edit button
have overrides for this object.
Note For information about the options available when deploying object groups, see Deployment Page,
page 11-7.
Similarly, when discovering policies on a device, it is not always possible to create policy objects that
are an exact copy of the object groups that are configured on the device. However, Security Manager
preserves as much of the original configuration as possible.
Note For IOS devices, any policy objects that are used by access control list objects are subsequently replaced
during deployment by the contents of the object. Object groups used with ACL objects are not preserved,
although they are discovered as Security Manager policy objects.
The following sections describe the changes that are made when provisioning policy objects to object
groups on the device, or when creating the policy objects when discovering policies on these devices:
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups,
page 6-75
How Service Objects are Provisioned as Object Groups, page 6-76
How Network/Host, Port List, and Service Objects are Named When
Provisioned As Object Groups
In most cases, network/host, port list, and service objects can be provisioned as object groups without
changing the object name. Table 6-30 on page 6-76 describes how object names are changed when the
names cannot be converted directly to object groups on supported devices.
Note The predefined network/host object any is not provisioned as an object group.
Table 6-30 How Network/Host, Port List, and Service Objects are Named as Object Groups
Related Topics
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
How Service Objects are Provisioned as Object Groups, page 6-76
How Policy Objects are Provisioned as Object Groups, page 6-75
Tip For ASA 8.3+ devices, service objects are provisioned using the object service command instead of the
object-group command.
Table 6-31 How Service Objects are Provisioned as Object Groups (Continued)
Related Topics
Understanding and Specifying Services and Service and Port List Objects, page 6-69
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups,
page 6-75
How Policy Objects are Provisioned as Object Groups, page 6-75
FlexConfig policies allow you to configure device commands that are not otherwise supported by
Security Manager. By using Flexconfigs, you can extend Security Managers control over a device
configuration and take advantage of new device features before upgrading the product.
FlexConfig policies are made up of FlexConfig objects. These objects are essentially subroutines that
can include scripting language commands, device commands, and variables. You can configure an object
to be processed prior to applying the Security Manager configuration to a device, or you can have it
processed after the configuration. Security Manager processes your objects in the order you specify so
that you can create objects whose processing depends on the processing of another object. A FlexConfig
policy objects contents can range from a single simple command string to elaborate CLI command
structures that incorporate scripting and variables.
Understanding policies and objects is central to understanding and using FlexConfig policy objects. For
more information on how Security Manager defines and uses polices, see Chapter 5, Managing
Policies and for information on how Security Manager defines and uses objects, see Chapter 6,
Managing Policy Objects.
The following topics describe FlexConfig policies and policy objects and how to use them:
Understanding FlexConfig Policies and Policy Objects, page 7-1
Configuring FlexConfig Policies and Policy Objects, page 7-22
FlexConfig Policy Page, page 7-33
The following topics help you understand FlexConfig policy objects and by extension, FlexConfig
policies. For more information about policy objects in general, see Chapter 6, Managing Policy
Objects.
Using CLI Commands in FlexConfig Policy Objects, page 7-2
Using Scripting Language Instructions, page 7-3
Understanding FlexConfig Object Variables, page 7-4
Predefined FlexConfig Policy Objects, page 7-17
Change the setting that controls the action that the device will take to warn. This is set under
Tools > Security Administration > Deployment.
The setting change will affect the behavior of devices for all commands being deployed, not just
those designated as appended commands.
Note If you are deploying to a device, you should remove most appended commands after the
initial deployment. This is especially true for object groups, where any unbound object
group is replaced in the Ending Command section during command generation, then re-sent
each time the configuration is deployed to a device. The device displays an error because the
firewall device shows that the object group already exists. If you are deploying to a file or
AUS, the appended commands should remain.
Object Body
#foreach ($peer_id in ["2", "3", "4"])
dial-peer voice $peer_id pots
caller-id
#end
CLI Output
dial-peer voice 2 pots
caller-id
Object Body
#foreach ($phone in [ [ "2000", "15105552000", "1/0/0" ], [ "2100",
"15105552100", "1/0/1" ], [ "2200", "15105552200", "1/0/2" ] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
port $phone.get(2)
#end
CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
Object Body
#foreach ( $phone in [ [ "2000", "15105552000", "1/0/0", "" ],
[ "2100", "15105552100", "1/0/1", "" ],
[ "2200", "15105552200", "", "ipv4:150.50.55.55"]
[ "2300", "15105552300", "", "ipv4:150.50.55.55"] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
#if ( $phone.get(2) == "" )
session target $phone.get(3)
#else
port $phone.get(2)
#end
#end
CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
There are three types of variables you can use in a FlexConfig policy object:
Policy object variablesStatic variables that reference a specific property. For example, Text
objects are a type of policy object variable. They are a name and value pair, and the value can be a
single string, a list of strings, or a table of strings. Their flexibility allows you to enter any type of
textual data to be referenced and acted upon by any policy object.
There are three ways to add policy object variables to a FlexConfig policy object. First, move the
cursor to the desired location, and then:
Right-click and select Create Text Object. This command opens a dialog box where you can
create a simple single-value text object and assign it a value. When you click OK, the variable
is added to the object, and it is added to the list of defined Text objects in the Policy Object
Manager window so that you can use it in other objects or edit its definition. For an example of
creating simple text variables, see Example of FlexConfig Policy Object Variables, page 7-6.
Right-click and select a policy object type from the Insert Policy Object sub-menu. These
commands open a selector dialog box where you can select the specific policy object that
contains the variable that you want to insert. After selecting the policy object, you are presented
with the Property Selector dialog box, where you choose the specific property of the object that
you want to use and optionally change the name of the variable associated with the property.
By using this technique, you can add a property from an existing policy object when you know
that the property has the value that you want to use. For example, if you want to insert a variable
that specifies the RADIUS protocol from the AAA Server Group policy object named RADIUS,
you would right-click, select Insert Policy Object > AAA Server Group, select RADIUS in
the AAA Server Group Selector dialog box, click OK, and then select Protocol in the Object
Property field on the AAA Server Group Property Selector dialog box and click OK. The
$protocol variable is inserted at the cursor, and the value for the property as defined in the
selected object is added to the variables list.
Type in a variable name. If you type in a variable, you cannot assign it a value until you click
OK on the Add or Edit FlexConfig dialog box. You will be prompted that a variable is
undefined, and given the opportunity to define its value. In the FlexConfig Undefined Variable
dialog box, you can select the object type of the policy object that contains the desired value,
which will prompt you to select the specific policy object and variable. This is essentially
identical to the process for inserting policy object variables described above. The technique you
use is a matter of personal preference; the end result is the same.
System variablesDynamic variables that reference a value during deployment when the
configuration is generated. The values are obtained from either the target device or policies
configured for the target device. You can declare system variables to be optional in FlexConfig
policy objects, which means that the variables do not need to be assigned a value for it to be deployed
to the device.
To insert a system variable into a FlexConfig policy object, move the cursor to the desired location,
right-click, and select the variable from the Insert System Variable sub-menus. For a description
of the available system variables, see FlexConfig System Variables, page 7-7.
Local VariablesVariables that are local in the looping and assignment derivatives (the for each
and set statements). Local variables get their values directly from the Velocity Template Engine.
There is no need to supply values for the local variables.
To insert a local variable, simply type it in. When you click OK on the Add or Edit FlexConfig dialog
box, you will be asked if you want to define the undefined variable. You can click No, or if you click
Yes to define other variables, you can leave the object type of the local variable as Undefined.
The following example shows how to create a FlexConfig policy object that adds these commands and
configures the value of $inside as serial0 and $mapname as my_crypto.
When you add the FlexConfig policy object to a device, and the configuration is generated, the following
output is created:
interface serial0
crypto map my_crypto
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 Select FlexConfigs from the table of contents. The table in the right pane lists the existing FlexConfig
objects.
Step 3 Right-click in the table and select New Object. The Add FlexConfig dialog box appears (see Add or Edit
FlexConfig Dialog Box, page 7-27).
Step 4 Enter a name and optionally a description for the object.
Tip You can also enter a group name. Groups help you find FlexConfig objects if you create a lot of
them. Either type in a group name, or select an existing one from the drop-down list.
Step 5 Keep Appended for Type so that the commands are added at the end of the device configuration.
Step 6 Create the content of the object:
a. Click in the FlexConfig edit box (the large white box) and type in interface followed by a space.
b. Right-click and select Create Text Object.
c. In the Create Text Object dialog box, enter inside as the name and serial0 as the value. Click OK
to add the variable.
d. Press Enter to move to the next line and type crypto map followed by a space.
e. Right-click and select Create Text Object.
f. In the Create Text Object dialog box, enter mapname as the name and my_crypto as the value.
Click OK to add the variable.
Step 7 Click the Validate FlexConfig icon button above the edit box to check the integrity and deployability
of the object. If any errors are identified, fix them.
Step 8 Click OK to save the policy object. You can now add the object to a devices local or shared FlexConfig
policy.
Table 7-1 Device System Variables (Applying to All Device Types) (Continued)
Predefined FlexConfig policy objects are read-only objects. To edit these predefined FlexConfig policy
objects, duplicate the desired object, make changes to the copy, and save it with a new name. This way,
the original predefined FlexConfigs remain unchanged. For lists of these predefined policy objects and
further information on each, see the following tables:
Predefined ASA FlexConfig Policy ObjectsTable 7-8 on page 7-20
Predefined Catalyst FlexConfig Policy ObjectsTable 7-7 on page 7-20
Predefined Cisco IOS FlexConfig Policy ObjectsTable 7-8 on page 7-20
Predefined PIX Firewall FlexConfig Policy ObjectsTable 7-9 on page 7-21
Predefined Router FlexConfig Policy ObjectsTable 7-10 on page 7-21
Name Description
ASA_add_ACEs Adds an access control entry (ACE) to all access control lists on the device.
ASA_add_EtherType_ACL_remark Loops through a list of ethertype access-list names and adds ACEs or remarks to
them. The ethertype access list is the same as Transparent Rules for Firewalls in
Security Manager. The remarks set by the CLI in this FlexConfig will be shown
in the description field of a transparent rule.
ASA_command_alias Creates a command alias named save for the copy running-config and copy
startup_config commands.
ASA_csd_image Provides an ASA Cisco Secure Desktop image. It copies the CSD image from
/CSCOpx/tftpboot/device-hostname on the CSM server to the device, then
configures the CSD image path. Make sure you fill out the devices hostname in
Device Properties. If the image name is different than the default, you can
override it in Device Properties > Policy Object Overrides > Text Objects >
AsaCsdImageName. Unassign this FlexConfig from the device after the image
has been copied and configured.
ASA_define_traffic_flow_tunnel _group Defines site-to-site VPN tunnel groups listed in the
SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME system
variable. This variable is populated with tunnel group names defined in Traffic
Flow objects.
ASA_established Permits return access for outbound connections through the security appliance.
This command works with an original connection that is outbound from a
network and protected by the security appliance and a return connection that is
inbound between the same two devices on an external host.
Uses the established command to specify the destination port that is used for
connection lookups, which gives you more control over the command and
supports protocols where the destination port is known, but the source port is
unknown. The permitto and permitfrom keywords define the return inbound
connection.
ASA_FTP_mode_passive Sets the FTP mode to passive.
ASA_generate_route_map Generates a route map to be used by the pim accept-register route-map
command configured under Platform > Multicast > PIM > Request Filter.
Security Manager exports the route-map name used in the pim command so that
you can configure it as desired.
Name Description
ASA_IP_audit Uses the ip-audit command to provide the following:
Sets the default actions (alarm, drop, reset) for packets that match an attack
signature.
Sets the default actions (alarm, drop, reset) for packets that match an
informational signature.
Creates a named audit policy that identifies the actions to take (alarm, drop,
reset) when a packet matches a defined attack signature or an informational
signature.
Disables a signature for an audit policy.
Assigns an audit policy to an interface.
ASA_MGCP Identifies a specific map for defining the parameters for Media Gateway Control
Protocol (MGCP) inspection.
ASA_no_router_Id Removes the router ID for each OSPF process.
ASA_no_shut_Intf Loops through and enables all interfaces on a device.
ASA_privilege Sets the privilege levels for the configuration, show and clear commands.
ASA_route_map Defines a route map for each OSPF process redistribution route map name.
ASA_RSA_KeyPair_generation Resets and generates RSA key pairs for certificates.
ASA_svc_image Provides an ASA SSL VPN Client image. It copies the SVC image from
/CSCOpx/tftpboot/device-hostname on the CSM server to the device, then
configures the SVC image path. Make sure you fill out the devices hostname in
Device Properties. If the image name is different than the default, you can
override it in Device Properties > Policy Object Overrides > Text Objects >
AsaSvcImageName. Unassign this FlexConfig from the device after the image
has been copied and configured.
ASA_sysopt Uses the sysopt command to provide the following examples:
Ensures that the maximum TCP segment size does not exceed the value you
set or that the minimum is not less than a specified size.
Forces each TCP connection to remain in a shortened TIME_WAIT state of
at least 15 seconds after the final normal TCP close-down sequence.
Disables DNS inspection that alters the DNS A record address.
Ignores the authentication key in RADIUS accounting responses.
Enables the web browser to supply a username and password from its cache
when it reauthenticates with the virtual HTTP server on the security
appliance.
ASA_virtual Configures virtual HTTP and Telnet servers.
Name Description
Cat6K_ECLB_algorithm Sets the Ether Channel load balance algorithm for modules.
Cat6K_ECLB_port_mode Applies an Ether Channel to the Catalyst trunk ports where IPS sensors
are plugged in. Make sure the ports are configure in trunk mode.
Cat6K_ECLB_portchannel Sets the port channel to trunk mode and add trunk-allowed VLANs.
Cat6K_firewall_multiple_vlan_interfaces Sets multiple VLAN interfaces mode if multiple SVIs need to be
provisioned.
Name Description
IOS_add_bridge_interface_desc Loops through a list of bridge interfaces and adds the description this is
a bridge interface.
IOS_CA_server Configures a certificate authority server.
IOS_compress_config Compresses large Cisco IOS configurations.
IOS_config_root_wireless_station Creates and configures the root radio station for a wireless LAN on Cisco
IOS routers such as the 851 and 871.
IOS_console_AAA_bypass Provides examples of the following scenarios:
Enables the authentication, authorization, and accounting (AAA)
access-control model.
Sets AAA at login.
Enables AAA authentication for logins.
IOS_Copy_Image Copies the an SVC image from the CSM server to the device, then
configures the SVC image path. Unassign this FlexConfig from the
device after the image has been copied and configured.
IOS_enable_SSL Enables SSL.
IOS_FPM Copies traffic class definition files to a router and applies policy-maps.
IOS_IPS_PUBLIC_KEY Defines public keys on an IOS IPS device. Public keys are required for
Security Manager to perform signature updates.
IOS_IPS_SIGNATURE_CATEGORY Retires all signatures except those in the ios_ips basic category.
IOS_PKI_with_AAA Configures a PKI AAA authorization using the entire subject name.
IOS_set_clock Sets the clock to the current time on the Security Manager server.
IOS_VOIP_advance Loops through and associates a POTS port number to a telephone number
and port or IP address number.
IOS_VOIP_simple Associates a POTS port number to a telephone number and port number.
IOS_VPN_config_gre_tunnel Uses VPN variables to configure the GRE tunnel for each VPN in which
the device participates.
IOS_VPN_set_interface_desc Using VPN variables, updates the description of the public interface for
each VPN in which the device participates.
Name Description
IOS_VPN_shutdown_inside_interface Using VPN variables, shuts down all inside interfaces for each VPN in
which the device participates.
IOS_VRF_on_vFW Configures virtual routing and forwarding (VRF) on virtual firewall
interfaces.
Name Description
PIX6.3_nat0_acl_compiled Generates a compiled access list for NAT 0 access-control lists.
PIX6.3_policy_nat_acl_compiled Generates a compiled access list for Policy NAT ACLs
PIX6.3_policy_static_acl_compiled Generates a compiled access list for Policy Static ACLs.
PIX_VPDN Configures a virtual private dialup network (VPDN).
Name Description
ROUTER_add_inspect_rules Loops through and appends inspect rules.
ROUTER_BGP_no_auto_summary Disables the auto route summary for each BGP process by using the no
auto-summary sub-command.
This FlexConfig policy object uses the list of border gateway protocol
(BGP) numbers from the SYS_ROUTER_BGP_AS_NUMBERS_LIST
system variable.
ROUTER_BGP_untrusted_info Uses the distance bgp 255 255 255 sub-command to make the border
gateway protocol (BGP) routing information untrusted for each BGP.
This FlexConfig policy object uses the list of BGP numbers from the
SYS_ROUTER_BGP_AS_NUMBERS_LIST system variable.
ROUTER_EIGRP_min_cost_routes Configures traffic to use minimum cost routes when multiple routes have
different cost routes to the same destination network. This is done using
multi-interface load splitting on different interfaces with equal cost
paths.
This FlexConfig policy object uses the list of router enhanced interior
gateway routing protocol (EIGRP) numbers from the
SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable.
Router_EIGRP_no_auto_summary Disables the auto route summary for each router enhanced interior
gateway routing protocol (EIGRP) processes by using the no
auto-summary sub-command. This FlexConfig policy object uses the
list of EIGRP numbers from the
SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable.
ROUTER_interface_prevent_dos _attacks Prevents denial-of-service (DOS) attacks on all device interfaces.
This FlexConfig policy object uses the list of interface names from the
SYS_INTERFACE_NAME_LIST system variable.
Name Description
ROUTER_OSPF_no_router_Id Removes the router OSPF ID for each OSPF process.
This FlexConfig policy uses the list of OSPF IDs from the
SYS_ROUTER_OSPF_PROCESS_IDS_LIST system variable.
ROUTER_QoS_Class_Map _description Sets QoS class map descriptions.
This FlexConfig policy object uses the list of router QoS class names
from the SYS_ROUTER_QOS_CLASS_MAP_LIST system variable.
ROUTER_QoS_Policy_Map _description Sets QoS policy descriptions.
This FlexConfig policy object uses the list of router QoS policy names
from the SYS_ROUTER_QOS_POLICY_MAP_LIST system variable.
Tip The group name and description are optional. We recommend you establish descriptions and
groups for objects you create.
The FlexConfig Undefined Variables dialog box appears with mycallAgentList listed in the
Variable Name column.
f. From the Object Type list, select Text Objects. The Text Objects window appears.
g. Select mycallAgentList from the Available Text Objects list and click OK.
h. In the FlexConfig Undefined Variables window, click OK.
The mycallAgentList variable appears in the Variables list of the Edit FlexConfig dialog box.
i. In the Edit FlexConfig dialog box, click OK.
j. Close the Policy Object Manager window.
Step 4 Assign the new FlexConfig policy object to a device by doing the following:
a. From the Device view, select the device for which you want to set up MGCP.
b. Select FlexConfigs from the Policy selector. The FlexConfigs Policy page appears.
c. Click the Add button. The FlexConfigs Selector dialog box appears.
d. Select the new MyASA_MGCP FlexConfig policy object and click >> to add the policy object to
the Selected FlexConfigs column.
You can select multiple policy objects at one time by holding either the Ctrl (for multiple selections)
or Shift (for multiple continuous selections) keys while selecting.
e. Click OK.
The MyASA_MGCP policy object is added to the Appended FlexConfigs table, because the object
is set to be appended to the configuration. You configure FlexConfig policy objects that you want
added to the beginning of the configuration as prepended policy objects.
f. Click Save.
Step 5 Preview the commands before they are generated and sent to the device by doing the following:
a. From the FlexConfigs Policy page, select the MyASA_MGCP policy object.
b. Click Preview.
The commands that are generated with this FlexConfig policy object and the values assigned to the
selected device appear. Note the changed values:
class-map sj_mgcp_class
match access-list mgcp_list
exit
mgcp-map inbound_mgcp
call-agent 10.10.10.10 105
call-agent 20.20.20.20 106
command-queue 150
exit
policy-map inbound_policy
class sj_mgcp_class
inspect mgcp inbound_mgcp
exit
exit
Step 6 If you have additional ASA devices that require MGCP, you can share this policy with them by doing
the following:
a. Right-click FlexConfigs in the Policy selector and select Share Policy.
The Share Policy dialog box appears.
b. Enter a name for the policy and click OK. For this example, enter MyShared_ASA_MGCP.
The banner above the FlexConfigs policy now shows that the device is using a shared policy and
displays the name of the policy.
c. In the FlexConfigs banner, click the link in the Assigned To field. In this example, the link should
be labeled 1 Device, which indicates that this shared policy is assigned to one device (the device
you are viewing).
Clicking the link opens the Shared Policy Assignments dialog box. Using this dialog box, you can
select the other devices that should use this policy in the Available Devices list, and click >> to add
them to the list of devices that are assigned the policy.
d. Click OK. The Shared Policy Assignments dialog box closes, and the additional devices you
selected are configured to use the shared policy. The link in the banner changes to indicate the
number of devices that now use this policy (in this example, 2 Devices).
Tip You can also share policies from Policy view. Select View > Policy View, select FlexConfigs
in the policy type selector, select the MyShared_ASA_MGCP policy, click the Assignments tab,
select the devices to which you want to assign the policy, click>>, and then Save.
Step 7 Submit your changes and deploy the configurations to the devices. For information about deploying
configurations, see Working with Deployment and the Configuration Archive, page 8-24.
Tip You can also create FlexConfig policy objects when defining policies or objects that use this object type.
For more information, see Selecting Objects for Policies, page 6-2.
When editing FlexConfig objects that involve route-maps (for example, OSPF or multicast
route-maps), you must define the corresponding access control lists (ACLs) before the route-maps.
This is a device requirement. If you do not define ACLs before route-maps, you will get a
deployment error.
Related Topics
A FlexConfig Creation Scenario, page 7-22
Working with Policy ObjectsBasic Procedures, page 6-6
Creating Policy Objects, page 6-6
Chapter 5, Managing Policies
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager window (see Policy Object
Manager Window, page 6-3).
Step 2 Select FlexConfigs from the Policy Object Type selector.
Step 3 Right-click inside the work area and select New Object.
The Add FlexConfig Object dialog box appears (see Add or Edit FlexConfig Dialog Box, page 7-27).
Step 4 Enter a name for the object and optionally a description. Other optional informational fields include:
GroupSelect an existing group name or type in a new one. These names can help you identify the
use of an object.
Negate ForIf this FlexConfig object is designed to negate another, enter the name of the
FlexConfig object whose commands are undone by this object.
Step 5 In the Type field, select whether commands in the object are to be prepended (put at the beginning) or
appended (put at the end) of the configurations generated from Security Manager policies.
Step 6 In the object body area, enter the commands and instructions to produce the desired configuration file
output. You can type in the following types of data:
Scripting commands to control processing. For more information, see Using Scripting Language
Instructions, page 7-3.
CLI commands that are supported by the operating system running on the devices to which you will
deploy the FlexConfig policy object. For more information, see Using CLI Commands in
FlexConfig Policy Objects, page 7-2.
Variables. You can insert variables using the right-click menu, which allows you to create simple
single-value text variables (Create Text Object), select variables from existing policy objects
(Insert Policy Object), or select system variables (Insert System Variable). For more information,
see Understanding FlexConfig Object Variables, page 7-4.
Tip If you want to remove a variable, select it in the object body and click the Cut button or press
the Backspace or Delete key. When you click OK to save your changes, the variable is removed
from the list of variables.
Step 7 Click the Validate FlexConfig icon button above the object body to check the integrity and
deployability of the object.
Step 8 Click OK to save the object.
Navigation Path
Select Tools > Policy Object Manager, then select FlexConfigs from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
Creating FlexConfig Policy Objects, page 7-25
Editing FlexConfig Policies, page 7-32
Chapter 7, Managing FlexConfigs
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Group The name of the group of FlexConfig objects to which this object
belongs, if any. You can type in a name, or select an existing name from
the list. This field is for informational purposes only, and can help you
find a FlexConfig object in the FlexConfig Objects page in the Policy
Object Manager.
Type Whether the commands in the object are prepended (put at the
beginning) or appended (put at the end) of configurations.
Negate For The name of the FlexConfig object whose commands are undone in this
FlexConfig object. This field is for informational purposes only and
does not affect the processing of the object.
For example, if FlexConfig A has the command banner login, and
FlexConfig B has the command no banner login, FlexConfig B negates
the configuration for FlexConfig A.
Element Description
FlexConfig Object Body
Object Body edit box The commands and instructions to produce the desired configuration
file output. You can type in the following types of data:
Scripting commands to control processing. For more information,
see Using Scripting Language Instructions, page 7-3.
CLI commands that are supported by the operating system running
on the devices to which you will deploy the FlexConfig policy
object. For more information, see Using CLI Commands in
FlexConfig Policy Objects, page 7-2.
Variables. You can insert variables using the right-click menu,
which allows you to create simple single-value text variables
(Create Text Object), select variables from existing policy objects
(Insert Policy Object), or select system variables (Insert System
Variable). For more information, see Understanding FlexConfig
Object Variables, page 7-4.
Undo button Deletes the previous action.
Redo button Performs the previously undone action.
Cut button Deletes the highlighted text and copies it to the clipboard.
Copy button Copies the highlighted text to the clipboard.
Paste button Pastes previously cut or copied text.
Find button Locates the specified text string in the object body.
Validate FlexConfig button Checks the integrity and deployability of the FlexConfig object.
FlexConfig Object Variables
This table lists the variables that are used in the FlexConfig object.
Name The name of the variable. Click the cell to edit the name, which also
changes the name in the FlexConfig object body.
Default Value The value to use when one is not provided. Click the cell to edit the
value for user-defined variables. You cannot edit system-defined
variables.
Note Except for optional variables, if a default value is not provided,
you must provide a value for the variable.
Object Property The property of the object. The object property name is in the following
format:
type.name.data.property
where
TypeThe type of object, for example Text, Network, AAA
Server, and so on.
NameThe name of the object.
DataIndicates that the property of the object is data.
PropertyThe property of the data.
Element Description
Dimension The structure of the data in the variable. Possible values are:
0scaler (a single string)
1one-dimensional array (a list of strings)
2two-dimensional table (a table of strings)
Optional Whether the variable is required to have a value.
Description A description of the contents of the object. Click the cell to edit the
description.
Navigation Path
In the Add or Edit FlexConfig Dialog Box, right-click in the object body field and select Create Text
Object.
Tip If you want to create a multiple-value text object, right-click and select Insert Policy Object > Text
Objects, and click the Add button under the available objects list. For more information, see Add or Edit
Text Object Dialog Box, page 7-29.
Navigation Path
Select Tools > Policy Object Manager, then select Text Objects from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object (up to 1024 characters).
Dimension The structure of the data in the variable:
0scalar (a single string)
1one-dimensional array (a list of strings)
2two-dimensional table (a table of strings)
Number of Rows The number of data rows in the variable if the dimension is 1 or 2.
Number of Columns The number of data columns in the variable if the dimension is 2.
[text field] The content of the text object. Click the cell and enter the data.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override per Whether to allow the object definition to be changed at the device level.
Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Tip You do not need to define local variables, those used by the scripting language for processing control.
For more information about variables, see Understanding FlexConfig Object Variables, page 7-4.
Navigation Path
In the Add or Edit FlexConfig Dialog Box, if you enter a variable name but do not define its values, when
you click OK, Security Manager displays a warning and asks if you want to define the variables. If you
click Yes, this dialog box is opened.
Field Reference
Element Description
Variable Name The name of the undefined variable that you used in the FlexConfig
object.
Object Type The type of policy object that contains the value you want to assign to
the variable. For local variables, use the Undefined object type.
For variables you want to define, you must select the specific policy
object and value within that object to assign to the selected variable.
You start by selecting the type of policy object from this list. You are
then prompted to select the specific policy object. When you click OK,
you are prompted to select the specific property within that object that
contains the desired value (see Property Selector Dialog Box,
page 7-31). When you select the value on the Property Selector dialog
box and click OK, the value is assigned to the variable.
Object Property The property of the object. For a detailed explanation, see Add or Edit
FlexConfig Dialog Box.
Optional Whether the variable is required to have a value.
Navigation Path
In the Add or Edit FlexConfig Dialog Box, right-click and select a specific policy object group type
from the Insert Policy Object menu, select a specific policy object when prompted, and click OK.
In the FlexConfig Undefined Variables Dialog Box, select a policy object type from the Object Type
field, select a specific policy object when prompted, and click OK.
Field Reference
Element Description
Object Property The property of the object that contains the value you want to assign to
the variable. For specific information on the properties, see topics
related to the configuration of those objects.
Name The name of variable. This field is not available when you are defining
undefined variables.
Description An optional description of the variable. This field is not available when
you are defining undefined variables.
Note During deployment, when the FlexConfig policy objects are compiled on the Security
Manager server, the correct system variable values and settings are used to generate
commands. However, because the Preview function does not have access to these values the
way it normally would during deployment, it might not display some CLI commands. In
addition, because the Preview function generates CLI commands on the client, some macros
used in FlexConfig policy objects reflect client settings instead of server settings.
Related Topics
Understanding FlexConfig Policies and Policy Objects, page 7-1
Creating FlexConfig Policy Objects, page 7-25
Chapter 5, Managing Policies
Chapter 8, Managing Deployment
Navigation Path
(Device view) Select FlexConfigs from the Policy selector.
(Policy view) Select FlexConfigs from the Policy Type selector and select an existing policy or
click the Create a Policy button to create a new one.
Related Topics
Creating FlexConfig Policy Objects, page 7-25
Chapter 7, Managing FlexConfigs
Field Reference
Element Description
Prepended FlexConfigs The FlexConfig policy objects that are added to the beginning of the
configuration. The objects are processed in the order shown.
Appended FlexConfigs The FlexConfig policy objects that are added to the end of the
configuration. The objects are processed in the order shown.
Values button Click this button to view, modify, or validate the values assigned to the
variables used in the selected FlexConfig policy object using the Values
Assignment Dialog Box, page 7-34.
Preview button Click this button to view the CLI commands that will be generated for
(Device view only.) the selected FlexConfig policy object.
In Policy view, you can preview CLI by first clicking Values, selecting
a device in the Values Assignment dialog box, and clicking Preview.
Up/Down arrow buttons Click these buttons to move the selected object up or down in the list.
The objects are processed in the displayed order, so it is important that
an object whose processing depends on the processing of another object
comes after the object it depends on.
Add button Click this button to add a FlexConfig policy object to the policy. The
object itself defines whether it will be added to the prepended or
appended list. You can create new FlexConfig objects or select existing
ones.
Edit button Click this button to edit the selected FlexConfig policy object. Your
changes affect all devices that use the edited object; your changes are
not local policy object overrides for the device.
Note If you selected a predefined FlexConfig policy object packaged
with Security Manager, or an object for which you do not have
edit permission, you are allowed only to view the object
definition.
Element Description
Remove button Click this button to remove the selected object from the policy The
object is not deleted from Security Manager; it is simply removed from
the FlexConfig policy.
Navigation Path
Select an object and click Values from the FlexConfig Policy Page, page 7-33.
Field Reference
Element Description
Assigned Devices The devices to which the shared FlexConfig policy has been assigned.
(Policy view only) Select the device for which you want to display variable values.
Element Description
Validate button Click this button to validate the Velocity Template Language syntax
and make sure that all required variables have values, that variables do
not start with SYS_, and that referenced policy objects exist.
Preview button Click this button to display the generated CLI commands for the
selected FlexConfig policy object.
Navigation Path
To open the FlexConfig Policy Preview dialog box, do one of the following:
In the Values Assignment Dialog Box, click Preview. In Policy view, you must first select a device.
(Device view) Select a device and click FlexConfig (see FlexConfig Policy Page, page 7-33). Select
an object in the FlexConfig policy and click Preview.
The settings and policies you define in Security Manager must be deployed to your devices so that you
can implement them in your network. The steps you take to deploy configurations to devices depend on
whether you are using Workflow mode or non-Workflow mode.
Although non-Workflow mode is the default mode of operation for Security Manager, you can use
Workflow mode if your company requires it. For more information, see Workflow and Activities
Overview, page 1-11.
The following topics provide information about deploying configurations to devices, in each workflow
mode:
Understanding Deployment, page 8-1
Working with Deployment and the Configuration Archive, page 8-24
Rolling Back Configurations, page 8-56
Understanding Deployment
A deployment job defines how configuration changes are sent to devices. In a deployment job, you can
define several parameters, such as the devices to which you want to deploy configurations and the
method used to deploy configurations to devices. You can also create deployment schedules to
automatically spawn deployment jobs at regular intervals.
The following topics will help you better understand and use deployment jobs:
Overview of the Deployment Process, page 8-1
Deployment in Non-Workflow Mode, page 8-3
Deployment in Workflow Mode, page 8-5
Including Devices in Deployment Jobs or Schedules, page 8-8
Understanding Deployment Methods, page 8-8
Handling Device OS Version Mismatches, page 8-13
During deployment, if Security Manager determines that the configuration on the device differs from the
last-deployed configuration, Security Manager overwrites the changes by default. You can control this
behavior using the deployment preferences; select Tools > Security Manager Administration, then
select Deployment, and look for the When Out of Band Changes Detected setting. You can also
control this for a specific deployment job by editing the deployment method for the job.
If you make changes to the device configuration outside of Security Manager, you have two choices for
bringing those changes into Security Manager:
1. You can rediscover policies on the device, in which case all policies for the device become local
policies, and any assignments of shared policies to the device are removed.
2. You can make the required changes in Security Manager and redeploy them to the device. During
deployment, do not select the option to force an error if out-of-band changes are found on the device.
This is the recommended approach.
For more information on how out-of-band changes affect deployment, see Understanding How
Out-of-Band Changes are Handled, page 8-12.
After configurations are deployed, you should make changes only through Security Manager for
configurations that Security Manager controls. This varies based on operating system. For IPS devices,
Security Manager controls the entire configuration. For IOS, ASA, PIX, and FWSM devices, you have
more control over which aspects of the device configuration Security Manager controls. If you do not
create policies for a feature in Security Manager, such as routing policies, Security Manager does not
control those features on the device. If you do create policies for these features, Security Manager
overwrites the settings on the device with the settings you defined in Security Manager. Through
administration settings, you can control the types of policies that will be available for these devices,
thereby preventing Security Manager from displaying or changing policies for these features. To see the
available features and control whether they are available for management in Security Manager, select
Tools > Security Manager Administration, then select Policy Management. Security Manager does
manage VPN-related policies.
Related Topics
Deployment in Non-Workflow Mode, page 8-3
Deployment in Workflow Mode, page 8-5
Deployment Page, page 11-7
Policy Management Page, page 11-31
Note Devices selected for one job cannot be included in any other job. This measure ensures that
the order in which policies are deployed is correct. However, you can include devices that
are specified in deployment schedules.
3. Deploy the job: Deploying the job sends the generated CLI to devices, either directly or through an
intermediary transport server (such as AUS, CNS, or TMS) or to output files. You select the
destination (device or file) when defining a job. The transport server is specified in the device
properties. For more details about defining deployment methods and transport servers, see
Understanding Deployment Methods, page 8-8.
State Description
Deployed Configurations for all the devices in the job were successfully deployed
to the devices or to configuration files. Devices in the job can now be
included in another job.
Deploying Configurations generated for the job are being deployed to the devices
or to a directory on the Security Manager server. You can monitor the
job progress in the Deployment Manager window if the Deployment
Status window is not already open.
Aborted The job was manually halted. Devices in the job can now be included
in another job.
Failed The deployment to one or more devices in the job failed. Devices in the
job can now be included in another job.
State Description
Rolling Back Security Manager is in the process of reverting to and deploying
previous configurations for the devices within the deployment job. You
can abort a job that is in the Rolling Back state.
Rolled Back Security Manager has successfully reverted to and deployed previous
configurations for the devices within the deployment job.
1. Create job
Edit
2. Define job
3. Submit job
Submitted
Approved Rejected
5. Deploy job
120464
Deployed
State Description
Edit The job was created, but it is not currently being edited. The job can be
opened, approved (in auto-approval mode), or discarded while it is in
the Edit state.
Edit-In Use The job is open for editing. The job can be closed, approved, discarded,
or submitted while it is in the Edit Open state.
Submitted The job was submitted for review. It can be viewed but not edited while
it is in the Submitted state. The job can be opened for viewing,
discarded, rejected, or approved while it is in the Submitted state. This
state occurs only when Workflow mode is enabled with deployment job
approval required.
State Description
Approved The job was approved and is ready to be deployed. The job can be
deployed or discarded while it is in the Approved state.
Rejected The job was rejected. You can open the job for editing or discard the
job while it is in the Rejected state. This state occurs only when
Workflow mode is enabled with deployment job approval required.
Discarded The job was discarded. No further changes to the job are not allowed.
The job remains in the Deployment table showing a Discarded state
until it is purged from the system. Devices in the job can be included in
another job.
Deployed Configurations for all the devices in the job were successfully deployed
to the devices or to configuration files. Devices in the job can now be
included in another job.
Deploying Configurations generated for the job are being deployed to the devices
or to a directory on the Security Manager server. You can monitor the
job progress in the Deployment Manager window.
Aborted The job was manually halted. Devices in the job can now be included
in another job.
Failed The deployment to one or more devices in the job failed. Devices in the
job can now be included in another job.
Scheduled to run at [date] The job is scheduled to be deployed at the date and time specified.
Rolling Back Security Manager is in the process of reverting to and deploying
previous configurations for the devices within the deployment job. You
can abort a job that is in the Rolling Back state.
Rolled Back Security Manager has successfully reverted to and deployed previous
configurations for the devices within the deployment job.
Note You enable and disable deployment job approval under Tools > Security Manager Administration >
Workflow. For more information, see Workflow Page, page 11-40.
The method you choose to use depends on the processes and procedures of your organization and the
transport protocols supported by a particular type of device. If you are using Configuration Engine
(CNS) or Auto Update Server (AUS), use those deployment methods. You must use one of these for
devices that use dynamic IP addresses. Otherwise, for devices with static IP addresses, use SSL (HTTPS)
for IOS, PIX, ASA, IPS, and standalone FWSM devices, and SSH for FWSM through the Catalyst
chassis. If you are using a Token Management Server (TMS) for some devices, you can also use that
method with Security Manager.
The following topics describe the deployment methods in more detail:
Deploying Directly to a Device, page 8-9
Deploying to a Device through an Intermediate Server, page 8-10
Deploying to a File, page 8-11
Understanding How Out-of-Band Changes are Handled, page 8-12
Caution You must configure at least one policy on a device before deploying to that device. If you deploy to a
device without assigning at least one policy, the devices current configuration is overwritten with a
blank configuration.
Related Topics
Managing Device Communication Settings and Certificates, page 9-4
Handling Device OS Version Mismatches, page 8-13
Related Topics
Managing Device Communication Settings and Certificates, page 9-4
Device Communication Page, page 11-12
Deploying to a File
If you choose to deploy configurations to configuration files, Security Manager creates two files:
device_name _delta.cfg for the delta configuration, and device_name _full.cfg for the full configuration.
If the files are created by a job that was generated from a deployment schedule, the name includes a time
stamp. Configuration files are in TFTP format so that you can upload them to your devices using TFTP.
If you deploy to file, you are responsible for transferring the configurations to your devices. Security
Manager assumes that you have done this, so the next time you deploy to the same devices, the generated
incremental commands are based on the configurations from the previous deployment. If for some reason
the last change was not applied to the device, the new delta configuration will not bring the device
configuration up to the one reflected in Security Manager.
To set a default directory for file deployments, select Tools > Security Manager Administration, then
select Deployment (see Deployment Page, page 11-7). If you select File for the default deployment
method, you also select the default directory. When you create a deployment job, you can change this
directory for that job.
Deploying configurations to a file is useful when the devices are not yet in place in your network (known
as green field deployment), if you have your own mechanisms in place to transfer configurations to your
devices, or if you want to delay deployment. When deploying to a file, the deployment job might fail if
you select a large number of devices or several devices that have large configuration files. If you
encounter deployment failures, resubmit the job with fewer devices selected.
Tip Do not use commands that require interaction with the device during deployment when deploying to file.
We recommend previewing your configuration before deployment to make sure there are no such
commands in the file. For more information, see Previewing Configurations, page 8-42.
Tip When the deployment method is configured to use the reference configuration in Configuration Archive,
out-of-band changes are always removed. This is equivalent to selecting Do not check for changes.
Related Topics
Deploying Directly to a Device, page 8-9
Deploying to a Device through an Intermediate Server, page 8-10
Deploying to a File, page 8-11
OS Version in
Security Manager OS Version On OS Version Used In
Scenario Database Device Deployment Action
Versions match ASA 8.2(1) ASA 8.2(1) ASA 8.2(1) Deployment proceeds with no warnings.
Device has newer ASA 8.1(1) ASA 8.1(2) ASA 8.1(2) Security Manager warns that it has
minor OS version. detected a different OS version on the
device than the one in the Security
Manager database.
Security Manager generates the CLI
based on the OS version running on the
device.
Device has newer ASA 8.0(2) ASA 8.0(4) ASA 8.0(3) Security Manager warns that it has
minor OS version, detected a different OS version on the
one that is not device than the one in the Security
directly supported Manager database.
by Security
Security Manager generates the CLI
Manager.
based on the OS version that it supports to
which the running OS version is
downward-compatible.
OS Version in
Security Manager OS Version On OS Version Used In
Scenario Database Device Deployment Action
Device has a new ASA 7.2(4) ASA 8.2(1) None. Deployment Security Manager reports an error
major OS version. fails. indicating that it has detected a different
OS version on the device than the one in
the Security Manager database.
Security Manager cannot proceed until
you correct this mismatch. Remove the
device from the inventory, add it again,
and discover the device policies.
Device has an ASA 8.1(2) ASA 8.1(1) ASA 8.1(1) Security Manager warns that it has
older minor OS detected a different OS version on the
version. device than the one in the Security
Manager database.
Security Manager generates the CLI
based on the OS version running on the
device.
Device has an ASA 8.2(1) ASA 7.2(4) None. Deployment Security Manager reports an error
older major OS fails. indicating that it has detected a different
version OS version on the device than the one in
the Security Manager database.
Security Manager cannot proceed until
you correct this mismatch. Remove the
device from the inventory, add it again,
and discover the device policies.
Note The buttons available in the Deployment Manager depend on the Workflow mode you are using.
Navigation Path
Click the Deployment Manager button on the Main toolbar or select Tools > Deployment Manager.
Related Topics
Overview of the Deployment Process, page 8-1
Viewing Deployment Status and History for Jobs and Schedules, page 8-24
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-39
Deploying Configurations to a Token Management Server, page 8-41
Managing Device Communication Settings and Certificates, page 9-4
Field Reference
Element Description
Deployment Job Tab
This tab shows individual deployment jobs. Select a job in the upper pane to view its details in the tabs
in the lower pane.
Name The name of the job.
Last Action The date and time that the job or status was changed based on the time
zone of the server, not the time zone of the client.
Status The state of each job. The possible states differ based on workflow
mode. For a description of the states, see the following topics: .
Job States in Non-Workflow Mode, page 8-4
Job States in Workflow Mode, page 8-6
Changed By The name of the user who modified the job.
Description The description of the job. Double-click the icon to see the description.
Job Type The type of job with respect to scheduling. A one time job was not
created from a regularly recurring job, whereas a recurring job was.
Create button In Workflow mode, click this button to create a new job. The Create a
Job dialog box opens. See Creating and Editing Deployment Jobs,
(Workflow mode only.)
page 8-33.
Open button In Workflow mode, click this button to open the selected job. The Edit
(Workflow mode only.) a Job dialog box opens. See Creating and Editing Deployment Jobs,
page 8-33.
Close button In Workflow mode, click this button to close and save all changes made
while the selected job was open. You can close a job when it is in the
(Workflow mode only.)
Edit Open or the Submit Open state. Normally, you do not need to close
a job, because you will typically submit, approve, deploy, or schedule
the job for deployment. However, if the Security Manager server is
suddenly unavailable or your login session times out, a job might be left
in the Edit Open state. If this happens, you can close it manually by
selecting it and clicking Close.
Element Description
Submit button In Workflow mode, click this button to submit the selected job for
(Workflow mode only.) approval. You can submit a job when it is in the Edit or the Edit Open
state. The Submit Deployment Job dialog box opens. See Submitting
Deployment Jobs, page 8-36.
This button is active only if you are using Workflow mode with a
deployment job approver.
Reject button In Workflow mode, click this button to reject the selected job if you are
(Workflow mode only.) not satisfied with the configurations generated for the devices. You can
reject jobs only in workflow mode with a deployment job approver.
After a job is rejected, it can be opened for editing or discarded. See
Approving and Rejecting Deployment Jobs, page 8-37.
You are prompted to enter an optional comment to explain why you are
rejecting the job.
Approve button In Workflow mode, click this button to approve the selected job. After
a job is approved, it can be deployed. See Approving and Rejecting
(Workflow mode only.)
Deployment Jobs, page 8-37.
You are prompted to enter an optional comment to explain why you are
approving the job.
Discard button In Workflow mode, click this button to discard the selected job. You can
discard a job when it is in any state except Deployed, Deployment
(Workflow mode only.)
Failed, or Aborted. Once discarded, the job cannot be edited, submitted,
approved, or deployed. The job state is shown as discarded until the job
is purged from the system either automatically as set on the Workflow
settings page or manually (for more information, see Workflow Page,
page 11-40).
You are prompted to enter an optional comment to explain why you are
discarding the job. See Discarding Deployment Jobs, page 8-39.
Deploy button Click this button to deploy generated CLI commands devices or files.
The behavior of this button differs depending on Workflow mode:
(All modes.)
(Non-Workflow mode.) Click this button to create a deployment
job. If you have unsubmitted changes, you are first prompted to
submit them. The Deploy Saved Changes dialog box opens, where
you can select which devices to include in the job. Note that this
button does not act on the deployment job selected in the table, if
any; instead, it creates a new deployment job. See Deploying
Configurations in Non-Workflow Mode, page 8-27.
(Workflow mode.) Click this button to deploy the selected job. If
the job is in the Approved state, the Deploy Job dialog box opens
(see Deploying a Deployment Job in Workflow Mode, page 8-37).
If the job is in the deployed, failed, or aborted state then the
Redeploy Job dialog box opens. See Redeploying Configurations
to Devices, page 8-46.
Element Description
Refresh button Click this button to reload job information from the Security Manager
(All modes.) server. If the message Auto Refresh is On is displayed beneath the table,
the job list is automatically refreshed periodically.
Note The auto refresh setting is configured in the administration
settings for deployment: select Tools > Security Manager
Administration > Deployment.
Redeploy button In Non-Workflow mode, click this button to redeploy the selected job,
(Non-Workflow mode only.) which deploys the same generated CLI commands to the same devices
or files selected in the original job. The Redeploy Job dialog box opens.
See Redeploying Configurations to Devices, page 8-46.
(In Workflow mode, click the Deploy button to redeploy configurations
for the selected job.)
Abort button Click this button to abort the selected job if it is in the Deploying,
Scheduled, or Rolling Back state. A warning asks you to confirm the
(All modes.)
action. See Aborting Deployment Jobs, page 8-48.
Rollback button Click this button to deploy the previously deployed configuration to the
(All modes.) devices in the selected job. The Deployment Rollback dialog box opens
(see Rolling Back Configurations to Devices Using the Deployment
Manager, page 8-62).
Summary tab Displays summary information about the status of the selected
deployment job, such as the status of the job, the name of the
deployment job, the number of devices included in the job, the number
of devices deployed successfully, and the number of devices deployed
with errors.
Details tab Displays detailed information for the selected job. The table lists each
device included in the job, whether deployment succeeded or failed,
and a summary of the number of warnings, errors, or failures for the
device. Select a device in the table to view the results for that device:
Double-click the icon in the Config column to view the
configuration (see Previewing Configurations, page 8-42). If you
deleted the device from the inventory, the configuration and
transcript might not be available.
If you were deploying to the device, double-click the icon in the
Transcripts column to view a transcript of the commands sent to the
device and the devices responses. See Viewing Deployment
Transcripts, page 8-55.
When you select a device, the Messages box in the lower left
contains a summary of the messages generated for the deployment.
Select an item to view its description to the right. You might have
to enlarge the window to make the Description box visible. If
applicable, there might also be information on the actions you can
take to resolve the problems.
Element Description
History tab Displays a log of the changes that have been made to the selected job.
(Workflow mode only.) The information includes the state changes, the user who made the
change, the date and time of the change (based on the Security Manager
server time), and any comments the user entered to document the
change.
Deployment Schedules Tab
Use this tab to schedule regular deployment jobs. For detailed information about this tab, see
Deployment Schedules Tab, Deployment Manager, page 8-19.
Navigation Path
In Workflow mode, select a job or schedule in the Deployment Manager and click the appropriate button
to perform the desired action.
Navigation Path
Click the Deployment Manager button on the Main toolbar or select Tools > Deployment Manager,
and then click the Deployment Schedules tab in the upper pane.
Related Topics
Overview of the Deployment Process, page 8-1
Creating or Editing Deployment Schedules, page 8-49
Suspending or Resuming Deployment Schedules, page 8-52
Field Reference
Element Description
Deployment Schedule Table
This table shows deployment job schedules. Select a schedule in the table to view its details in the tabs
in the lower pane.
Name Name of the job schedule. Jobs created from this schedule use this
name plus a time stamp.
Status The status of the schedule:
EditIn Workflow mode, the schedule is being created. You can
open it and change its settings. No jobs are created from schedules
that are being edited.
ActiveDeployment jobs will be created according to this
schedule.
SuspendedThe schedule was suspended and no jobs are being
created by it. You can restart the schedule by selecting it and
clicking Resume.
Recurrence How often deployment jobs will be created from this schedule.
Next Run The date and time a deployment job will next be created from this
schedule.
Last Run The date and time of the most recent deployment job created from this
schedule.
Schedule End The date and time the schedule is no longer active. If the schedule has
no end date, Active Indefinitely is indicated.
Description The description of the job schedule. Double-click the icon to see the
description.
Create button Click this button to create a deployment job schedule. The Schedule
dialog box opens where you can create the schedule (see Schedule
Dialog Box, page 8-50.
Open button Click this button to open the selected schedule. The Schedule dialog
box opens where you can view or modify the schedule (see Schedule
Dialog Box, page 8-50).
In non-Workflow mode, modifying the schedule does not change its
status. In Workflow mode, the status changes to Edit, and you must
resubmit it for approval.
Close button Click this button to close and save all changes made while the schedule
was open. You can close a schedule when it is in the Edit Open or the
(Workflow mode only)
Submit Open state. Typically, you will have to close schedules only if
the Security Manager server becomes unavailable while you have a
schedule open.
Submit button Click this button to submit the selected schedule for approval if you are
operating in Workflow mode with an approver. You can submit a
(Workflow mode only)
schedule when it is in the Edit or the Edit Open state. You are prompted
for an optional comment to explain the submission, and an e-mail is
generated to the approver in Workflow mode.
Element Description
Reject button Click this button to reject the selected schedule. You are prompted for
(Workflow mode only) an optional comment to explain the rejection, and an e-mail is
generated to the approver and submitter in Workflow mode.
Approve button Click this button to approve the selected schedule. You are prompted
for an optional comment to explain the approval, and an e-mail is
(Workflow mode only)
generated to the approver and submitter in Workflow mode.
Discard button Click this button to discard the selected schedule. You can discard a
schedule unless there is an active deployment job that was created from
the schedule. (You can wait for the job to finish, or abort the job and
then discard the schedule.)
You are prompted for an optional comment to explain the discard, and
an e-mail is generated to the approver and submitter in Workflow mode.
Tip Although the discarded schedule is removed from this list, it is
kept in the database until it is purged from the system either
automatically (at 2 AM every morning). You are prevented from
creating a new schedule with the same name until the purge
happens.
Refresh button Click this button to reload schedule information from the Security
Manager server. If the message Auto Refresh is On is displayed beneath
the table, the schedule list is automatically refreshed periodically.
Note The auto refresh setting is configured in the administration
settings for deployment: select Tools > Security Manager
Administration > Deployment.
Suspend button Click this button to suspend the selected schedule. Suspending the
schedule does not delete the schedule, but it prevents the creation of
deployment jobs based on it. You are prompted for a comment to
explain the suspension, and an e-mail is generated to the approver in
Workflow mode.
Resume button Click this button to reactivate a suspended schedule. You are prompted
for a comment to explain the suspension, and an e-mail is generated to
the approver in Workflow mode.
Summary tab Displays summary information about the selected schedule. Besides the
fields shown in the table, summary information includes the number of
devices included in the schedule and the user ID of the person who last
changed the schedule.
Devices tab Displays the devices that are included in the selected schedule. These
are the devices to which configurations are deployed when a
deployment job is created from the schedule. To change the device list,
click Open, then click Add Devices on the Schedule dialog box.
History tab Displays a log of the changes that have been made to the selected
schedule. The information includes the state changes, the user who
made the change, the date and time of the change (based on the Security
Manager server time), and any comments the user entered to document
the change.
Element Description
Jobs tab Displays a list of the deployment jobs that have been created based on
the selected schedule. Information includes the name of the job, the
date and time the job was created based on server time (not the client
time), and the job status. If you select a job, and click the Deployment
Job tab, the selected job is highlighted and you can view the job details.
For information on job status, see these topics:
Job States in Workflow Mode, page 8-6
Job States in Non-Workflow Mode, page 8-4
Navigation Path
Select Tools > Configuration Archive.
Related Topics
Configuration Archive Page, page 11-3
Viewing and Comparing Archived Configuration Versions, page 8-53
Understanding Configuration Rollback, page 8-57
Using Rollback to Deploy Archived Configurations, page 8-64
Understanding Rollback for Devices in Multiple Context Mode, page 8-58
Understanding Rollback for Failover Devices, page 8-58
Understanding Rollback for Catalyst 6500/7600 Devices, page 8-59
Field Reference
Element Description
Device Selector Lists the devices in the device inventory. Select a device to see the
configuration versions for the device that are available in the archive.
These are displayed in the right pane.
Version ID The version number of the configuration version. By default, this
column is not displayed. To display it, right click any column heading
and select Show Columns > Version ID.
Created On The date and time that the configuration version was archived.
Created By The user ID or system ID associated with adding the configuration
version to the archive.
If there are two names in the form username1(username2), the first
name is the user who initiated the request, and the name in parentheses
is the system identity user. For more information on the system identity
trust user, see the Installation Guide for Cisco Security Manager.
Archival Source The origin of the archiving event (for example, User Request,
Deployment or Provision, Discovery).
Creation Comment A description about how or why the configuration version was created.
Transcript Icon When double-clicked, displays a transcript of a configuration version
that was deployed to a device.
A transcript is the log file of transactions between Security Manager
and a device captured during a deployment or rollback operation. It
includes commands sent and received between server and device from
the time of the deployment or rollback request, but it does not include
communication that occurs during the initial discovery phase of
deployment, when Security Manager obtains the current configuration
from the device.
View button Click this button to display the selected configuration in the Config
Version Viewer window (see Configuration Version Viewer,
page 8-54), where you can also compare the configuration to other
configuration versions.
Rollback button Click this button to roll the device configuration back to the selected
configuration version, provided that the configuration originated from
the device. You should roll back configurations only under extreme
circumstances. For more information see these topics:
Understanding Configuration Rollback, page 8-57
Using Rollback to Deploy Archived Configurations, page 8-64
Element Description
Add from Device button Click this button to have Security Manager retrieve the current running
configuration from the device and add it as a configuration version to
the archive. This is useful for any device whose configuration might
have been changed directly in its CLI.
For more information on adding configuration versions, see Adding
Configuration Versions from a Device to the Configuration Archive,
page 8-52.
Jobs and schedules are displayed on separate tabs. However, as jobs are created based on a deployment
schedule, those jobs appear in the regular jobs list. Click the appropriate tab to view the list of jobs or
schedules, where you can see this information:
Deployment JobsThe top pane displays a list of the deployment jobs. If you select a job, more
detailed information appears in the lower pane:
Summary tabThe Summary tab shows information such as the job status, number of devices
deployed successfully, and number of devices deployed with errors.
Details tabThe Details tab shows the status details for each device in the deployment.
History tab (Workflow mode only)The History tab displays transactions that occurred to the
selected job since it was created. Each row in the table shows the action that occurred, the user
who performed the action, the date and time it occurred, and comments, if any, that the user
entered.
Deployment SchedulesThe top pane displays a list of the deployment schedules. If you select a
schedule, more detailed information appears in the lower pane:
Summary tabThe Summary tab shows information such as the schedule, the time of the next
job to be created from the schedule, the time a job was last run based on the schedule, the
number of devices included in the schedule and the user ID of the person who last changed the
schedule.
Devices tabThe Devices tab shows the list of devices that are included in the schedule.
History tabThe History tab shows the state changes and related comments of the schedule.
You can track which user performed each action.
Jobs tabThe Jobs tab shows a list of deployment jobs that were created from the schedule and
their statuses. You can also view these jobs on the Deployment Jobs tab.
The status information in the Deployment Manager window refreshes automatically unless you turned
off automatic refresh in the Security Manager Administration Deployment page (Tools > Security
Manager Administration > Deployment). A message below the job or schedule table indicates whether
automatic refresh is on. If it is off, refresh status information by clicking Refresh.
Related Topics
Overview of the Deployment Process, page 8-1
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-39
Deploying Configurations to a Token Management Server, page 8-41
Previewing Configurations, page 8-42
Redeploying Configurations to Devices, page 8-46
Aborting Deployment Jobs, page 8-48
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Creating or Editing Deployment Schedules, page 8-49
Suspending or Resuming Deployment Schedules, page 8-52
Related Topics
Overview of the Deployment Process, page 8-1
Deploying Configurations in Non-Workflow Mode, page 8-27
Creating and Editing Deployment Jobs, page 8-33
Managing Device Communication Settings and Certificates, page 9-4
Detecting and Analyzing Out of Band Changes, page 8-43
Tip Before creating the deployment job, read Tips for Successful Deployment Jobs, page 8-26. That topic
includes tips and cautions you should keep in mind when creating deployment jobs.
Caution You must configure at least one policy on a device before deploying to that device. If you deploy to a
device without assigning at least one policy, the devices current configuration is overwritten with a
blank configuration.
Note When using virtual sensors: An IPS device and all of the virtual sensors on it must be deployed as a
group. If you make changes to a virtual sensor and then deploy it, Security Manager deploys the parent
device and all virtual sensors associated with it.
Related Topics
Overview of the Deployment Process, page 8-1
Including Devices in Deployment Jobs or Schedules, page 8-8
Understanding Deployment Methods, page 8-8
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-39
Deploying Configurations to a Token Management Server, page 8-41
Managing Device Communication Settings and Certificates, page 9-4
Understanding How Out-of-Band Changes are Handled, page 8-12
Security Manager validates all of the policy changes that were made since the last deployment. If the
validation results in errors, resolve the errors before attempting to deploy again. If there are only
warnings or informational messages, click OK to proceed to the Deploy Saved Changes dialog box.
Step 2 In the Deploy Saved Changes dialog box, do the following:
Select the devices to which you want to deploy configurations. The device selector lists all devices
for which policy changes were made but not yet deployed, and initially all changed devices are
selected for deployment.
All device groups that contain changed devices are shown, and you can select or deselect the devices
using the device group folder. If you select or deselect a device that appears in more than one group,
it is selected or deselected in all groups; however, a device is deployed to only once in the job.
Right-click and select Expand All to open all of the folders.
If you detect out of band changes, when you close the OOB Changes dialog box, the device names
are color-coded based on the results: green indicates out of band change; red indicates an error
during the detection process; no color change indicates no out of band changes.
If you want to add devices that do not have policy changes to the deployment job, click Add other
devices to open the Add Other Devices dialog box (see Add Other Devices Dialog Box, page 8-51).
You might want to add unchanged devices if a device was manually modified and you want to return
the device to its previous configuration (the one stored in the Security Manager database).
(Optional) To change the method used to deploy configurations, click Edit Deploy Method to open
the Edit Deployment Method dialog box (see Edit Deploy Method Dialog Box, page 8-29). There is
a system default deployment method (which your organization chooses), so you might not need to
change the method. You can select these methods:
DeviceDeploys the configuration directly to the device or to the transport mechanism
specified for the device. For more information, see Deploying Directly to a Device, page 8-9 or
Deploying to a Device through an Intermediate Server, page 8-10.
FileDeploys the configuration file to a directory you select on the Security Manager server.
For more information, see Deploying to a File, page 8-11.
Before proceeding with the deployment, you can do the following:
Preview proposed configurations and compare them against last deployed configurations or current
running configurations. Right-click the device and select Preview Config. For more information,
see Previewing Configurations, page 8-42.
Analyze the devices for out of band changes by clicking the Detect OOB Changes button. For more
information, see Detecting and Analyzing Out of Band Changes, page 8-43 and OOB (Out of Band)
Changes Dialog Box, page 8-45.
Step 3 Click Deploy to start the deployment job for the selected devices, which generates the required
configuration files and applies them according to your selected deployment method.
The Deployment Status Details dialog box opens so that you can view the status of the deployment. It
displays summary information about the job, status about the deployment to each device, and messages
indicating why the deployment failed.
In the Deployment Details table, select a row corresponding to a device to display deployment status
messages specifically for that device. For more information, see Deployment Status Details Dialog Box,
page 8-30.
If deployment to any device failed, you can redeploy configurations to the failed devices. For more
information, see Redeploying Configurations to Devices, page 8-46.
Navigation Path
Click Edit Deploy Method in the DeploymentCreate or Edit a Job dialog box (Workflow mode) or
Deploy Saved Changes dialog box (non-Workflow mode). For the procedures, see:
Creating and Editing Deployment Jobs, page 8-33
Deploying Configurations in Non-Workflow Mode, page 8-27
Related Topics
Understanding Deployment Methods, page 8-8
Deploying Configurations in Workflow Mode, page 8-32
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-39
Deploying Configurations to a Token Management Server, page 8-41
Managing Device Communication Settings and Certificates, page 9-4
Field Reference
Element Description
Device The name of the device.
Method The deployment method to use:
DeviceDeploys the configuration directly to the device or to the
transport mechanism specified for the device. For more
information, see Deploying Directly to a Device, page 8-9 or
Deploying to a Device through an Intermediate Server, page 8-10.
FileDeploys the configuration file to a directory on the Security
Manager server. If you select File, specify the directory to which
you want to deploy the configuration file in the Destination
column. You cannot use file deployment with IPS devices. For
more information, see Deploying to a File, page 8-11.
Note To set the deployment method for more than one device at a
time, select the desired rows, right-click and select Edit
Selected Deploy Method. The Edit Selected Deploy Method
dialog box opens where you can make your selections.
Destination If you selected File in the Method field, enter the directory to which you
want to deploy the configuration file. Click Browse to select from a list
of available directories.
Preview Config button Click this button to display the proposed configuration changes for the
selected device. You can compare it to the last deployed configuration
or the current running configuration. For more information, see
Previewing Configurations, page 8-42.
Element Description
Out of Band Change Click the radio button corresponding to the action you want Security
Behavior Manager to take regarding changes made directly on the device using
the CLI. For a complete explanation of how to handle out-of-band
changes, including the meaning of the available options, see
Understanding How Out-of-Band Changes are Handled, page 8-12.
Navigation Path
Non-Workflow modeIf you select a subset of devices in a VPN in the Deploy Saved Changes
dialog box, this dialog box appears when you click Deploy.
Workflow modeIf you select a subset of devices in a VPN in the Create or Edit a Job dialog box,
this dialog box appears when you click OK.
Related Topics
Creating and Editing Deployment Jobs, page 8-33
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Field Reference
Element Description
VPN The name of the VPN.
Missing Devices All the devices in the VPN that were not selected for deployment.
Is Device in Other Job Whether the missing device is part of another deployment job.
Deploy to All Devices in Click this button to deploy to all devices in the VPN.
VPN button
You can deploy to all devices in the VPN only if the devices are not in
other deployment jobs.
Deploy to Selected Devices Click this button to deploy only to the devices selected in the Create or
button Edit a Job or Deploy Saved Changes dialog boxes.
In the Deployment Details table, select a row corresponding to a device to display deployment status
messages for that device.
Note You can click Close to close this dialog box and continue working in Security Manager while
deployment continues.
Navigation Path
From the Deploy Saved Changes dialog box, click Deploy.
Related Topics
Overview of the Deployment Process, page 8-1
Deploying Configurations in Non-Workflow Mode, page 8-27
Tips for Successful Deployment Jobs, page 8-26
Managing Device Communication Settings and Certificates, page 9-4
Device Communication Page, page 11-12
Field Reference
Element Description
Deployment Status Details
Progress Status Bar A visual representation and percentage of devices that were
successfully updated.
Status The status of the deployment. The possible states are Deploying,
Aborted, Successful, and Failed. For descriptions of these states, see
Job States in Non-Workflow Mode, page 8-4.
Deployment Job Name The name of the deployment job.
Devices To Be Deployed The total number of devices in the deployment job.
Devices Deployed The number of devices that were updated successfully.
Successfully
Devices Deployed With The number of devices that failed to be updated.
Errors
Deployment Details
This table lists the devices that are included in the deployment job.
Device The name of the device.
Status The status of the deployment to the device. For descriptions of these
states, see Job States in Non-Workflow Mode, page 8-4.
Summary The number of warnings, errors, and failures for the device.
Method The method of deployment to the device. Possible methods are File and
Device.
Config The device configuration file. Double click the icon to preview the
configuration for a device. For more information, see Previewing
Configurations, page 8-42.
Element Description
Transcript The commands Security Manager issued to the device and the
responses from the device during deployment if you are deploying to
the device (instead of deploying to a file). Double-click the icon to see
the transcript for a device.
Messages The warning, error, and failure messages, as indicated by the severity
icon.
When you select an item, the Description box to the right describes the
message in detail. The Action box to the right provides information on
how you can correct the problem.
Refresh button Click this button to update the status information.
Abort button Click this button to abort the deployment job. You can abort
deployment jobs only while they are in the Deploying, Scheduled, or
Rolling Back state. Aborting a job stops deployment of configuration
files to pending devices, but has no effect on devices to which
deployments are in progress (commands are being written to a device)
or to which deployment has already completed successfully.
Tip Before creating the deployment job, read Tips for Successful Deployment Jobs, page 8-26. That topic
includes tips and cautions you should keep in mind when creating deployment jobs.
Related Topics
Overview of the Deployment Process, page 8-1
Including Devices in Deployment Jobs or Schedules, page 8-8
Understanding Deployment Methods, page 8-8
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-39
Deploying Configurations to a Token Management Server, page 8-41
Note You can discard a deployment job at any time before you deploy it. For more information, see
Discarding Deployment Jobs, page 8-39.
Tip Before creating the deployment job, read Tips for Successful Deployment Jobs, page 8-26. That topic
includes tips and cautions you should keep in mind when creating deployment jobs.
Caution You must configure at least one policy on a device before deploying to that device. If you deploy to a
device without assigning at least one policy, the devices current configuration is overwritten with a
blank configuration.
Related Topics
Overview of the Deployment Process, page 8-1
Including Devices in Deployment Jobs or Schedules, page 8-8
Understanding Deployment Methods, page 8-8
Understanding How Out-of-Band Changes are Handled, page 8-12
Job States in Workflow Mode, page 8-6
(Optional) To change the method used to deploy configurations, click Edit Deploy Method to open
the Edit Deployment Method dialog box (see Edit Deploy Method Dialog Box, page 8-29). There is
a system default deployment method (which your organization chooses), so you might not need to
change the method. You can select these methods:
DeviceDeploys the configuration directly to the device or to the transport mechanism
specified for the device. For more information, see Deploying Directly to a Device, page 8-9 or
Deploying to a Device through an Intermediate Server, page 8-10.
FileDeploys the configuration file to a directory you select on the Security Manager server.
For more information, see Deploying to a File, page 8-11.
Before proceeding with the deployment, you can do the following:
Preview proposed configurations and compare them against last deployed configurations or current
running configurations. Right-click the device and select Preview Config. For more information,
see Previewing Configurations, page 8-42.
Analyze the devices for out of band changes by clicking the Detect OOB Changes button. For more
information, see Detecting and Analyzing Out of Band Changes, page 8-43 and OOB (Out of Band)
Changes Dialog Box, page 8-45.
Step 4 Select how you want the job handled when you close the dialog box. The options available to you depend
on whether you are using Workflow mode with a deployment job approver:
Without an approverIf you are not using a separate approver, you have these options:
Close the jobClose the job and leave it in the edit state. Select this option if you know you
want to make additional modifications to the job.
Approve the jobClose the job and approve it but do not deploy it. Configure the following:
Comments(Optional) Comments about the job approval.
SubmitterThe e-mail address of the person submitting the job for approval. Notifications of
job state changes are sent to this address, which is initially the e-mail address associated with
the user account you used to log into Security Manager. Ensure that the address is the correct
one so that you receive the notifications.
Deploy the jobClose the job, approve it, and deploy it. Configure the following:
OptionsWhether to Deploy Now or Schedule. If you select Schedule, additional fields appear
where you can specify the date and time when the job should be run. The time is in 24-hour
format and is based on the time zone of the Security Manager server, which is not necessarily
the same time zone that you are currently in. The target time must be at least five minutes in the
future.
Comments(Optional) Comments about the deployment job.
Send Deployment Status NotificationWhether Security Manager should send e-mail
notifications whenever the job status changes.
If you select this option, enter the e-mail addresses of the people who should receive
notifications in the Job Completion Recipients field. If you enter multiple addresses, separate
them with commas. The field initially contains the default approver and your e-mail addresses.
With an approverIf you are using a separate approver, you can configure the following options:
Submit the jobWhether to submit the job for approval. By default this check box is selected.
Approver E-mailThe e-mail address of the approver if you are submitting the job for
approval. The default approver e-mail address is entered in the field, but you can change it.
Note You enable and disable deployment job approval under Tools > Security Manager Administration >
Workflow. For more information, see Workflow Page, page 11-40.
This procedure assumes that you already created the job. You can also submit the job when you create
it by selecting the Submit the job checkbox in the Create a Job dialog box.
Related Topics
Deployment Manager Window, page 8-15
Job States in Workflow Mode, page 8-6
Note You enable and disable deployment job approval under Tools > Security Manager Administration >
Workflow. For more information, see Workflow Page, page 11-40
Related Topics
Deployment Manager Window, page 8-15
Job States in Workflow Mode, page 8-6
Note Deployment might take from a few minutes to an hour or more, depending on the number of devices in
the deployment job.
Related Topics
Overview of the Deployment Process, page 8-1
Deployment Manager Window, page 8-15
Including Devices in Deployment Jobs or Schedules, page 8-8
Understanding Deployment Methods, page 8-8
Managing Device Communication Settings and Certificates, page 9-4
Related Topics
Deployment Manager Window, page 8-15
Job States in Workflow Mode, page 8-6
Tip You cannot successfully deploy a configuration to AUS that requires Security Manager to download
other files to the device. For example, some remote access VPN policies allow you to configure plug-ins,
Anyconnect clients, and Cisco Secure Desktop configurations. These files are not sent to AUS. Do not
use AUS if you want to configure these types of policy.
Related Topics
Overview of the Deployment Process, page 8-1
Chapter 2, Preparing Devices for Management
Including Devices in Deployment Jobs or Schedules, page 8-8
Understanding Deployment Methods, page 8-8
Managing Device Communication Settings and Certificates, page 9-4
Step 1 Set up the AUS or Configuration Engine using the documentation for those products.
Step 2 Configure the devices to use the server. The following topics describe the configuration steps depending
on the type of server and the desired setup:
Setting Up AUS on PIX Firewall and ASA Devices, page 2-8
Setting Up CNS on Cisco IOS Routers in Event-Bus Mode, page 2-9
Setting Up CNS on Cisco IOS Routers in Call-Home Mode, page 2-10
Step 3 When you add the device to Security Manager, select the AUS or Configuration Engine for the device
if your chosen method allows it. If the AUS or Configuration Engine is not already defined in Security
Manager, you can identify it to Security Manager as you add the network device. For detailed
procedures, see these topics:
Adding Devices from the Network, page 3-8
Adding Devices from Configuration Files, page 3-16
Adding Devices by Manual Definition, page 3-20
Adding Devices from an Inventory File, page 3-24
Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 3-29
Tip After you add a device to the Security Manager inventory, you can change the assigned server
in the device properties. Right-click the device and select Device Properties. Configure the
server using the device properties if you could not identify it while adding the device.
Step 4 For devices that are using AUS, configure the AUS policy for the device in Security Manager. Do one
of the following:
Configure the policy for a single device. In Device view, select the device, and then select Platform
> Device Admin > Server Access > AUS from the Device Policy selector.
Configure a shared policy that you can assign to many devices that share the same AUS. In Policy
view, select PIX/ASA/FWSM Platform > Device Admin > Server Access > AUS from the Policy
Types selector. Right-click AUS and select New AUS Policy to create a policy, or select an existing
policy from the Policies selector to change the policy. Select the Assignments tab to assign the
policy to specific devices.
The server you identify in this policy must also be the server you identify in the device properties. The
device properties identify the server to which Security Manager will send the configuration, whereas the
AUS policy defines the server the device will contact.
Tip If you change AUS servers, keep in mind that the device will continue to use the AUS server
defined in its current configuration until it receives a new configuration. Thus, you should
change the AUS policy but deploy the configuration using the previous AUS server. After
deployment is successful, change the device properties to point to the new server.
Step 5 In Security Manager, deploy your configurations using the Deploy to Device deployment method.
Security Manager sends the configuration to the AUS or Configuration Engine, where the network
device retrieves it.
Depending on the Workflow mode you are using, follow these procedures:
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Related Topics
Overview of the Deployment Process, page 8-1
Chapter 2, Preparing Devices for Management
Including Devices in Deployment Jobs or Schedules, page 8-8
Understanding Deployment Methods, page 8-8
Managing Device Communication Settings and Certificates, page 9-4
Step 1 Set up the TMS as an FTP server. Security Manager uses FTP to deploy the configuration file to the
TMS, from which it can be downloaded and encrypted onto an eToken. The eToken can then be
connected to the USB port of a router and the configuration downloaded. See the TMS product
documentation for more information.
Step 2 In Security Manager, select Tools > Security Manager Administration > Token Management to
identify the TMS server to Security Manager.
By default, Security Manager uses the Security Manager server as the TMS, but you can specify a
different server. You must enter the hostname or IP address, a username and password for the TMS, the
directory to which configuration files should be copied, and the public key file location in Security
Manager. For more information, see Token Management Page, page 11-38.
Step 3 Specify TMS as the transport protocol to be used for Cisco IOS routers.
You can set this parameter globally for all Cisco IOS routers or for a specific device:
GloballySelect Tools > Security Manager Administration > Device Communication and
select TMS in Transport Protocol (IOS Routers 12.3 and above).
DeviceRight click the device in the Device selector and select Device Properties. On the General
tab, select TMS as the transport protocol in the Device Communications Group. Because not all
routers support TMS, you might not be able to configure TMS for specific devices.
Step 4 In Security Manager, deploy your configurations using the Deploy to Device deployment method.
Security Manager sends the delta configuration to the TMS server.
Depending on the Workflow mode you are using, follow these procedures:
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Step 5 Using the TMS, download the configuration to the eToken. See the TMS product documentation for
more information.
Step 6 Download the configuration from the eToken to the router and save the configuration to the device. Plug
the eToken into the router, then enter the following commands to download the configuration to the
router, where usb_token_id is either usbtoken0 or usbtoken1, depending on which USB port you used.
The default PIN is 1234567890.
Tip CCCD is the private sector on the eToken where the configuration file resides. When you enter
the crypto pki token default secondary config CCCD command, the CLI on the e-token
merges with the CLI on the router.
Previewing Configurations
There are many ways to preview a device configuration. You can select a device from the Device
selector and select Tools > Preview Configuration, or you can click the Preview Config button in
several dialog boxes.
Tip You can also right click a device in Map view and select Preview Configuration.
When you preview a configuration, the configuration is displayed in the Config Version Viewer dialog
box. The proposed configuration is on the left. You can select to view the delta configuration (which
shows the changes since the last deployment) or the full configuration. You can also compare the
configuration to the last one deployed to the device or the current running configuration in the right pane.
The contents of the proposed configuration can differ depending on where you view it from:
If you use Tools > Preview Configuration, or right click the device in the Device selector and
select Preview Configuration, the proposed configuration includes changes that you have not yet
submitted to the database.
If you preview the configuration while creating a deployment job, the proposed configuration
includes only those changes that you have submitted to the database. These are the changes that will
be deployed to the device if you start the deployment job.
The value of previewing configurations is that it lets you see the actual device commands that will be
used to configure the device. If you are a CLI expert, this can help you verify that you are getting the
configuration you expect. Even if you are not a CLI expert, you can use the information to look for more
information in the command reference for the operating system on Cisco.com.
Following are some tips for previewing configurations:
Many configuration options are specific to one or more interfaces. If you must specify an interface
name in a policy, the previewed configuration will include the commands for the policy only if the
Interfaces policy defines the interface that you specify. Ensure that you configure the Interfaces
policy before previewing configurations.
If you preview the configuration for a virtual sensor, the preview that you see is for the parent
device, not the virtual sensor, because the configuration for a virtual sensor is stored on the parent
device.
If you are just curious about what commands a policy will configure, consider adding a dummy
device and configure the policy for that device. This will help prevent unintended configuration
changes in your real devices. To add a dummy device, use the procedure described in Adding
Devices by Manual Definition, page 3-20.
Policies are validated before you can view the configuration. The validation happens for all devices,
not just the device you are previewing. Thus, you might see errors and warnings that apply to
different devices. If any errors or warnings occur, the Preview Messages dialog box appears. The
dialog box lists all of the messages, including their severity and possible solutions. Click OK to
continue to the Config Version Viewer dialog box. Click Details to see detailed information on the
problems.
The following table explains the fields in the Config Version Viewer window used for previewing
configurations.
Element Description
Proposed Config Type The type of configuration you want to view. For example, you can view
the full configuration or just the delta (the changes from the last
deployed configuration). The proposed configuration is displayed in
the left pane.
Compare to Version Choose a configuration to compare against the proposed configuration.
The selected configuration is displayed in the right pane.
NoneLeaves the reference configuration blank.
Last DeployedDisplays the last configuration that was deployed
to the device and compares it with the proposed configuration.
Running ConfigDisplays the current configuration running on
the device and compares it with the proposed configuration. The
device must be accessible to obtain the running configuration.
First Difference button Moves the cursor to the first difference noted between the proposed and
reference configurations.
Previous Difference button Moves the cursor to the previous difference noted between the proposed
and reference configurations.
Current Difference button Centers the currently selected difference on the page.
Next Difference button Moves the cursor to the next difference noted between the proposed and
reference configurations.
Last Difference button Moves the cursor to the last difference noted between the proposed and
reference configurations.
Print button Prints the configuration.
There are many ways to detect whether there have been out of band changes to a device configuration
since the last deployment to the device. If there have been changes (by another device management
application or by direct CLI updates), you can preview the changes and determine whether to update the
device policies before deployment, or to deploy and overwrite those out of band changes. (Out of band
changes are sometimes called OOB changes in Security Manager.)
Tip Out of band change detection is available only for IOS, ASA, PIX, FWSM devices, and security
contexts; it is not available for IPS devices. However, the settings for handling out of band changes
during deployment also apply to IPS devices; the difference is that you cannot proactively analyze these
changes in IPS devices prior to deployment.
To determine whether there have been out of band changes on one or more device, do any of the
following in Device view:
Select Tools > Detect Out of Band Changes. You are prompted to select the devices to evaluate
for out of band changes. Select the devices or device groups, click >> to move them to the selected
list, and click OK. For more information on selecting devices, see Using Selectors, page 1-29.
Select one or more devices or device groups, right-click and select Detect Out of Band Changes.
The selected devices are evaluated for changes.
During deployment, select the devices to include in deployment and click the Detect OOB Changes
button. (The button is available on the Deploy Saved Changes dialog box and the
DeploymentCreate or Edit a Job dialog box, depending on the workflow mode you are using.) The
selected devices are evaluated for changes.
For information on the deployment procedure, see:
Deploying Configurations in Non-Workflow Mode, page 8-27
Creating and Editing Deployment Jobs, page 8-33
When you start the detection process, the OOB (Out of Band) Changes Dialog Box is opened so that you
can view the results. Each selected device is evaluated by retrieving the current running configuration
and comparing it to the most recent configuration stored in Configuration Archive. Security Manager
does not consider any unmanaged policy types when evaluating differences between the configurations.
Tip Note that if you are in the process of deployment, the running configuration is not compared to the one
you are proposing to deploy, so if you detect out of band changes, you might also want to preview the
proposed configuration to see if you already implemented the same change in Security Manager policies.
Right-click the device in the deployment dialog box and select Preview Config. You can compare the
proposed configuration to the current running configuration. For more information, see Previewing
Configurations, page 8-42.
The OOB Changes dialog box shows the results of change detection. If a device has out of band changes,
the icon for the device in the device selector changes to green. Select a device in the left pane of the OOB
Detail tab to view the changes from the latest configuration in configuration archive. Use the buttons at
the bottom of the window to move from change to change. The legend at the bottom explains the color
coding used to describe the changes.
Tip If you are detecting changes during deployment, when you close the OOB Changes dialog box, the
device names in the deployment dialog box are color-coded based on the results: green indicates out of
band change; red indicates an error during the detection process; no color change indicates no out of
band changes.
Tip Configurations are compared for syntactic differences, not semantic differences. Thus, functionally
equivalent configurations might be identified as out of band changes.
Navigation Path
There are several ways to start the out of band change detection process. You can use the Tools > Detect
Out of Band Changes command, or select one or more devices right-click and select Detect Out of
Band Changes. You can also click the Detect OOB Changes button in Deploy Saved Changes dialog
box and DeploymentCreate or Edit a Job dialog box as explained in the following procedures:
Deploying Configurations in Non-Workflow Mode, page 8-27
Creating and Editing Deployment Jobs, page 8-33
Related Topics
Previewing Configurations, page 8-42
Filtering Items in Selectors, page 1-30
Field Reference
Element Description
Selected Devices list (left This list contains all devices you selected to evaluate for out of band
pane) changes, organized in device groups (if any).
Select a device to see the results in the right pane.
The icons for the devices change color based on the results of the
detection process:
GreenThere are out of band changes.
RedThe out of band detection process failed for some reason.
No color changeNo out of band changes.
Configuration Comparison The right pane shows the results of the change detection process for the
(right pane) selected device. Messages will indicate if OOB detection is still in
progress, if there are no changes, or if there was an error that prevented
change detection from completing.
If there are changes, the right pane shows both the running
configuration retrieved from the device and the latest configuration for
the device stored in Configuration Archive. The legend at the bottom of
the window describes the color coding used to indicate changes, and
you can use the following buttons to move from change to change.
First Difference button Moves the cursor to the first difference noted between the
configurations.
Previous Difference button Moves the cursor to the previous difference noted between the
configurations.
Current Difference button Centers the currently selected difference on the page.
Next Difference button Moves the cursor to the next difference noted between the
configurations.
Last Difference button Moves the cursor to the last difference noted between the
configurations.
Related Topics
Overview of the Deployment Process, page 8-1
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine, page 8-39
Deploying Configurations to a Token Management Server, page 8-41
Managing Device Communication Settings and Certificates, page 9-4
Understanding Deployment Methods, page 8-8
Job States in Non-Workflow Mode, page 8-4
Job States in Workflow Mode, page 8-6
Note To set the deployment method for more than one device at a time, select the devices,
right-click and select Edit Selected Deploy Method. The Edit Selected Deploy Method
dialog box opens where you can make your selections.
Out of Band Change Behavior(Optional) Select how you want Security Manager to respond if
it detects that changes were made on the device by someone other than Security Manager (these are
called out of band changes). For a complete explanation of how to handle out-of-band changes,
including the meaning of the available options, see Understanding How Out-of-Band Changes are
Handled, page 8-12.
Note Before proceeding with the deployment, you can preview proposed configurations and compare
them against last deployed configurations or current running configurations. Highlight the row
for a device and click Preview Config. For more information, see Previewing Configurations,
page 8-42.
Related Topics
Viewing Deployment Status and History for Jobs and Schedules, page 8-24
Job States in Non-Workflow Mode, page 8-4
Job States in Workflow Mode, page 8-6
Tip When you include a device in a schedule, the device is included in deployment jobs that are generated
from the schedule only if changes have been made to the device configuration and those changes were
committed to the database. Thus, you might see changes when previewing the device configuration even
though the device was not included in a scheduled deployment, if you have not submitted those changes
(or if they have been submitted by not yet approved, when using a separate approver in Workflow mode).
Related Topics
Overview of the Deployment Process, page 8-1
Viewing Deployment Status and History for Jobs and Schedules, page 8-24
Suspending or Resuming Deployment Schedules, page 8-52
Step 5 (Workflow mode only) If you are operating in Workflow mode, you must complete these additional
steps:
If you are using an approver for deployment jobs, select the schedule in the table and click Submit
to submit the schedule to the approver. You are prompted to verify the approvers e-mail address
and to enter comments to help the approver evaluate the schedule. The approver will have to approve
the schedule before it becomes active.
If you are not using an approver, select the schedule in the table and click Approve to approve it
yourself and to activate the schedule.
Navigation Path
Select Tools > Deployment Manager to open the Deployment Manager window, click the Deployment
Schedules tab in the upper pane, and do one of the following:
Click Create to create a new schedule.
Select a schedule and click Open to view or modify its properties.
Related Topics
Creating or Editing Deployment Schedules, page 8-49
Suspending or Resuming Deployment Schedules, page 8-52
Field Reference
Element Description
Schedule Name Group
This group defines the name of the job and the jobs notification requirements.
Name The name of the job. When individual deployment jobs are created from
this schedule, a time stamp is added to the job name.
Description The description of the purpose of the job.
Approver Email The e-mail address of the person who should approve the schedule.
(Workflow only)
Comments (Optional) Information to help the approver evaluate the schedule when
(Workflow only) you save this schedule.
Submitter Email The e-mail address of the person who is submitting this schedule for
approval. This field initially contains the e-mail address associated with
(Workflow only)
the user account you used to log into Security Manager, but you can
change it.
Require Deployment Status Whether to send e-mail messages for any change in the job status for
Notifications the job schedule or any job created from it. Messages are sent to the
approver and the submitter.
(Workflow only)
Element Description
Recurrence Pattern Group
The fields in this group define the job schedule.
Start Date The first day of the schedule. Click the calendar icon to select the date
from a calendar.
Time (Start) The time of day to run the schedule. The time is in 24-hour format and
is based on the server time zone, not the client time zone.
Recurrence How often to create a deployment job based on this schedule:
One timeRun this job once on the day specified as the start date
at the specified start time.
HourlyRun this job on an hourly schedule. Specify the number
of hours between deployment jobs.
DailyRun this job on a daily schedule. Specify the number of
days between deployment jobs.
WeeklyRun this job on the specified days of the week.
MonthlyRun this job on a monthly schedule. Select the day of
the month to run the job, and the number of months between
deployment jobs.
Run Indefinitely The expiration date and time for the schedule. Deployment jobs are not
created after this time. Select Run Indefinitely if you do not want the
End Date and Time
schedule to expire.
Devices To Deploy Group
This table lists the devices that are included in the deployment job. To add devices to the list, or to
remove them from it, click Add devices, which opens the Add Other Devices dialog box (see Add
Other Devices Dialog Box, page 8-51).
If Security Manager is configured to use user-login credentials for accessing devices, your username
and password are captured during schedule creation. If you change your password, you will need to
recreate the schedule.
Navigation Path
To open this dialog box, do one of the following:
(Non-Workflow mode) From the Deploy Saved Changes dialog box, click Add other devices. See
Deploying Configurations in Non-Workflow Mode, page 8-27.
(Workflow mode) From the DeploymentCreate or Edit a Job Dialog Box, click Add other
devices. See Creating and Editing Deployment Jobs, page 8-33.
(All modes) From the Schedule Dialog Box, click Add devices.
Related Topics
Including Devices in Deployment Jobs or Schedules, page 8-8
Creating or Editing Deployment Schedules, page 8-49
Filtering Items in Selectors, page 1-30
Related Topics
Viewing Deployment Status and History for Jobs and Schedules, page 8-24
Creating or Editing Deployment Schedules, page 8-49
Note You cannot retrieve configurations from devices that are managed by AUS and that have been configured
with dynamic IP addresses.
This procedure will help you retrieve a configuration from a device and add it to the archive.
Related Topics
Viewing and Comparing Archived Configuration Versions, page 8-53
Step 1 Select Tools > Configuration Archive to open the Configuration Archive (see Configuration Archive
Window, page 8-22).
Step 2 In the Device selector, select the device from which you want to retrieve the configuration. The archived
configurations appear in the right pane.
Step 3 Click Add from Device. Security Manager logs into the device, retrieves the running configuration, and
adds it to the archive.
Related Topics
Adding Configuration Versions from a Device to the Configuration Archive, page 8-52
Navigation Path
Select Tools > Configuration Archive, select a device whose configuration you want to view, select
the configuration, and click View.
Related Topics
Configuration Archive Window, page 8-22
Viewing Deployment Transcripts, page 8-55
Viewing and Comparing Archived Configuration Versions, page 8-53
Adding Configuration Versions from a Device to the Configuration Archive, page 8-52
Field Reference
Element Description
Version ID The configuration version to display in the left pane:
PreviousDisplay the version in the sequence before the one
currently selected.
NextDisplay the version in the sequence after the one currently
selected.
LastDisplay the last version in the list.
Specific Date and TimeDisplay the version created on that date
and time.
Compare with version The configuration version to compare to the version selected in the left
pane, if you want to compare versions. The configuration is displayed
in the right pane, with differences summarized and color coded as
explained by the caption below the pane.
Element Description
Config Type The types of configurations that are available for viewing. The types
differ based on the type of device. The types might indicate Full or
Delta, which have the following meaning:
Full ConfigurationThe full configuration for the selected device
as saved in the Configuration Archive. You can compare full
configurations for a device.
Delta ConfigurationThe file that is generated by Security
Manager during deployment and that represents policy changes
between the configuration selected in the Version ID field and the
most recently deployed version.
Note Configuration versions resulting from out-of-band changes (for
example, in the CLI) can be added to Configuration Archive
using Add from Device, but no delta configuration file is
generated.
First Difference button Moves the cursor to the first difference noted between the configuration
versions.
Previous Difference button Moves the cursor to the previous difference noted between the
configuration versions.
Current Difference button Using the cursor, focuses on the currently selected difference in the
window.
Next Difference button Moves the cursor to the next difference noted between the configuration
versions.
Last Difference button Moves the cursor to the last difference noted between the configuration
versions.
Transcript View button Click this button to open the transcript viewer window, which displays
the device communication transcript associated with this configuration.
Print button Click this button to print the configuration.
Navigation Path
Configuration ArchiveSelect Tools > Configuration Archive to open the Configuration Archive,
select the device for which you want to view a transcript and double-click the Transcript icon in
the row for the desired configuration version.
You can also click the Transcript View button from the Configuration Version Viewer window
when examining an archived configuration (see Configuration Version Viewer, page 8-54).
Deployment ManagerSelect Tools > Deployment Manager to open the Deployment Manager,
select the deployment job that includes the desired device deployment, select the Details tab in the
lower pane, and double-click the Transcript icon in the row for the desired device.
Related Topics
Configuration Archive Window, page 8-22
Deployment Manager Window, page 8-15
Field Reference
Element Description
Version ID The configuration version for which you are viewing transcripts:
PreviousDisplay the transcripts for the version in the sequence
before the one currently selected.
NextDisplay the transcripts for the version in the sequence after
the one currently selected.
LastDisplay the transcripts for the last version in the list.
Specific Date and TimeDisplay the transcripts for the version
created on that date and time.
Transcript Type The type of transcript that you want to view. Some configuration
versions have more than one transcript associated with them. Use this
field to select which transcript to view.
Transcript Window Displays the selected transcript. You can select text and copy it to the
clipboard (Ctrl+C) for pasting in a text editor.
View button Click this button to display the related configuration in the Config
Version Viewer window (see Configuration Version Viewer,
page 8-54).
Print button Click this button to print the transcript.
Caution It is usually a better idea to fix the configuration in Security Manager and deploy the fixed configuration,
because rolling back a configuration creates a situation where the configuration defined in Security
Manager is not the same one running on the device. After rollback, you should rediscover policies on
the device to make the device configuration and its configuration in Security Manager consistent. Roll
back configurations only in extreme circumstances.
Tip Configuration rollback does not include user account policies. When you roll back a configuration, the
existing state of user accounts is not changed. This helps ensure that users can continue to log into the
device.
Special considerations apply to the rollback of certain device types and configurations. See the following
sections for more information:
Understanding Rollback for Devices in Multiple Context Mode, page 8-58
Understanding Rollback for Failover Devices, page 8-58
Understanding Rollback for Catalyst 6500/7600 Devices, page 8-59
Understanding Rollback for IPS and IOS IPS, page 8-59
Commands that Can Cause Conflicts after Rollback, page 8-61
Commands to Recover from Failover Misconfiguration after Rollback, page 8-62
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Using Rollback to Deploy Archived Configurations, page 8-64
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Using Rollback to Deploy Archived Configurations, page 8-64
Commands that Can Cause Conflicts after Rollback, page 8-61
Commands to Recover from Failover Misconfiguration after Rollback, page 8-62
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Using Rollback to Deploy Archived Configurations, page 8-64
Commands that Can Cause Conflicts after Rollback, page 8-61
Commands to Recover from Failover Misconfiguration after Rollback, page 8-62
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Using Rollback to Deploy Archived Configurations, page 8-64
Commands that Can Cause Conflicts after Rollback, page 8-61
Commands to Recover from Failover Misconfiguration after Rollback, page 8-62
Caution Downgrading an IPS device removes certain capabilities of the IPS device. For example, downgrading
the engine prevents you from applying the latest signature updates. Operation of an IPS device without
the latest signature updates diminishes the effectiveness of the IPS device.
For rollback of a deployment job, the warning dialog box contains one or more of the following types
of warnings:
Security Manager warns you about IPS devices that need to have their sensor version downgraded
before a rollback can be performed.
Security Manager warns you about IOS IPS devices whose signature level has changed. For these
devices, only the non-IPS sections of the configuration can be rolled back.
Security Manager warns you about IPS devices that must be downgraded more than one level, and
as a result, Security Manager cannot do it. You must use the Cisco IPS CLI for such downgrades.
The warning dialog box displays the version to which the device must be reimaged or downgraded.
Note The option of downgrading an IOS IPS device during rollback is not available, because IOS IPS devices
do not support downgrade.
If the option of downgrading the sensor during rollback will not help accomplish the rollback, you
receive an error message stating that rollback cannot occur and that you need to manually reinstall the
image on the device to roll back. Only the update package most recently installed on a device can be
downgraded, so downgrade does not help in the following cases:
Rollback of a deployment (signature update) that involves downloading more than one update
package to the device.
Selection of an old deployment or configuration for rollback subsequent to which several upgrades
occurred.
Rollback of an upgrade that cannot be downgraded. Major, minor, and most service pack upgrades
cannot be downgraded, as shown in Table 8-17 on page 8-60
For rollback of a configuration that requires a downgrade to a version prior to Cisco IPS 5.1(4), Security
Manager does not support automatic downgrade. You must manually downgrade the device to the
specified version and then proceed with rollback.
Caution Outbreak Prevention updates on a particular device may be lost if that device is downgraded.
During rollback, if Security Manager discovers that there have been out-of-band changes to the device
that prevent rollback, you will receive an error message stating that rollback is prevented.
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Using Rollback to Deploy Archived Configurations, page 8-64
monitor-interface interface_name
Applicable only to security contexts and used to enable health monitoring of critical interfaces. If
this interface is bounced or fails, a switchover could occur.
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Using Rollback to Deploy Archived Configurations, page 8-64
Commands to Recover from Failover Misconfiguration after Rollback, page 8-62
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Using Rollback to Deploy Archived Configurations, page 8-64
Commands that Can Cause Conflicts after Rollback, page 8-61
Caution Roll back configurations only in extreme circumstances. It is usually a better idea to fix the configuration
in Security Manager and deploy the fixed configuration, because rolling back a configuration creates a
situation where the configuration defined in Security Manager is not the same one running on the device.
After rollback, you should rediscover policies on the device to make the device configuration and its
configuration in Security Manager consistent. Roll back configurations only in extreme circumstances.
Before proceeding, read the following topics.
Related Topics
Viewing Deployment Status and History for Jobs and Schedules, page 8-24
Job States in Non-Workflow Mode, page 8-4
Job States in Workflow Mode, page 8-6
Step 1 Click the Deployment Manager button in the Main toolbar. Click the Deployment Jobs tab if it is not
active.
Step 2 Select the deployment job (which must be in the Deployed or Failed states) and click Rollback.
The Rollback a Job dialog box opens. The dialog box lists all of the devices included in the job, including
the name of the device, the deployment method (file or device), the status of the previous deployment,
and the name of the deployment job that last updated the device.
Step 3 Select the devices for which you want to roll back configurations by checking the check box in the
Selection column. You can select only devices that used the deploy to device method. By default, all the
devices with the status Succeeded are selected.
You can view the configuration that will be deployed to a device by highlighting the row for a device
and clicking the Preview Config button. You can compare it to the last deployed configuration or the
current running configuration. For more information, see Previewing Configurations, page 8-42.
Step 4 Click OK. You are asked to confirm the action.
Step 5 (Optional) To make the configuration defined in Security Manager consistent with the one running on
the device, rediscover the device policies as described in Discovering Policies on Devices Already in
Security Manager, page 5-15.
Tip When you roll back a configuration, the action is not done as part of an activity or configuration session,
which means the device is not locked. Thus, it is possible that two users might roll back configurations
simultaneously on a device, which can generate unexpected problems. Before rolling back a
configuration, check the Deployment Manager to ensure that there are no active deployment jobs for the
device (select Tools > Deployment Manager).
Roll back configurations only in extreme circumstances. Before rolling back configurations, carefully
read these topics:
Understanding Configuration Rollback, page 8-57
Understanding Rollback for Devices in Multiple Context Mode, page 8-58
Understanding Rollback for Failover Devices, page 8-58
Understanding Rollback for Catalyst 6500/7600 Devices, page 8-59
Understanding Rollback for IPS and IOS IPS, page 8-59
Commands that Can Cause Conflicts after Rollback, page 8-61
Commands to Recover from Failover Misconfiguration after Rollback, page 8-62
Related Topics
Rolling Back Configurations to Devices Using the Deployment Manager, page 8-62
Adding Configuration Versions from a Device to the Configuration Archive, page 8-52
Chapter 8, Managing Deployment
Viewing and Comparing Archived Configuration Versions, page 8-53
Step 1 Select Tools > Configuration Archive to open the Configuration Archive (see Configuration Archive
Window, page 8-22).
Step 2 In the Device selector, select the device for which you want to roll back to a different configuration
version. The archived configurations appear in the right pane.
Step 3 Select the configuration version to which you want to roll back. You can roll back only to a configuration
that was deployed to the device or that originated from the device. You cannot roll back to a
configuration that was deployed to a file.
Step 4 Click Rollback to deploy the selected configuration version to the device. A progress box appears,
followed by a notification message when the configuration version is successfully deployed.
Step 5 (Optional) To make the configuration defined in Security Manager consistent with the one running on
the device, rediscover the device policies as described in Discovering Policies on Devices Already in
Security Manager, page 5-15.
However, it is usually better to correct the policies for the device and to then redeploy the updated
configuration. This preserves your changes and shared-policy configuration for the device, which would
otherwise be removed if you rediscover policies.
Related Topics
Understanding Configuration Rollback, page 8-57
Understanding Rollback for Devices in Multiple Context Mode, page 8-58
Understanding Rollback for Failover Devices, page 8-58
Understanding Rollback for Catalyst 6500/7600 Devices, page 8-59
Understanding Rollback for IPS and IOS IPS, page 8-59
Commands that Can Cause Conflicts after Rollback, page 8-61
Commands to Recover from Failover Misconfiguration after Rollback, page 8-62
Step 1 Select Tools > Configuration Archive to open the Configuration Archive (see Configuration Archive
Window, page 8-22).
Step 2 In the Device selector, select the device for which you want to roll back to a different configuration
version. The archived configurations appear in the right pane.
Step 3 Select the configuration version to which you want to roll back and click View.
Step 4 In the Configuration Version Viewer window, make sure the Config Type is set to Full.
Step 5 Click in the left-hand pane, then press Ctrl+A followed by Ctrl+C to copy the selected configuration to
the Windows clipboard.
Step 6 Open a text editor such as NotePad, then press Ctrl+V to paste the contents of the clipboard into the text
file.
Step 7 Save the file. You can use this file to perform manual rollback.
One of the more likely areas where you can run into problems is with actions where Security Manager
must log into a device. These types of actions include policy discovery and deployment using live
devices, or actions that involve retrieving information from a device.
The key point to remember is that the communication pathway is from the Security Manager server to
the device; the workstation on which you are running the Security Manager client is not involved in
device communication (unless the server is installed on the same machine, of course). The Security
Manager server must have a network pathway to the device as well as the correct credentials and
certificates to authenticate with the device for communication to be successful.
The following topics can help you troubleshoot general device communication and policy deployment
problems:
Testing Device Connectivity, page 9-1
Managing Device Communication Settings and Certificates, page 9-4
Resolving Red X Marks in the Device Selector, page 9-8
Troubleshooting Deployment, page 9-9
Related Topics
Understanding the Device View, page 3-1
Viewing or Changing Device Properties, page 3-34
Device Communication Page, page 11-12
Step 1 In Device view, do one of the following in the Device selector to open the Device Properties dialog box:
Double-click a device.
Right-click a device and select Device Properties.
Select a device and select Tools > Device Properties.
Step 2 Select Credentials from the table of contents.
Step 3 Click Test Connectivity.
The Device Connectivity Test dialog box opens and displays the progress of the test, including the
protocol being used (see Device Connectivity Test Dialog Box, page 9-3). You can abort the test while
it is running. When the test is finished, click Details to see:
For successful tests, the output of the show version command or the getVersion command (for IPS
Sensors and Cisco IOS IPS Sensors). You can select the text, press Ctrl+C to copy the text to the
clipboard, and then paste it into another file for later analysis.
For unsuccessful tests, the error information. Some common problems are:
The username or password is incorrect.
The wrong protocol is selected. For example, the device might not be configured to respond to
the selected protocol.
The device is not configured to accept connections correctly. Ensure that at least one supported
protocol is configured.
The wrong operating system is specified for the device (for example, you specified PIX for an
ASA device).
If you are using ACS authentication and the connection to the device is completed, you can get
errors when Security Manager tries to obtain version information if you do not have Control
authorization.
There might be general network configuration problems. Test connectivity to the device from
outside of Security Manager. Look for hardware, media, and booting errors, excessive traffic
causing queues to overflow, duplicate MAC or IP addresses on the device, physical
discrepancies, such as link, duplex, and speed mismatch, or logical discrepancies, such as
VLAN and VTP inconsistencies or ATM network misconfiguration.
Navigation Path
To start the device connectivity test, click Test Connectivity from the Credentials page in one of these
areas:
New Device wizard when adding a device manually. See Adding Devices by Manual Definition,
page 3-20.
Device Properties. To open the page, double-click a device in the Device selector or select Tools >
Device Properties.
The connectivity test is done automatically when you click Next or Finish on the Credentials page when
adding a device from the network.
Related Topics
Testing Device Connectivity, page 9-1
Device Credentials Page, page 3-38
Viewing or Changing Device Properties, page 3-34
Field Reference
Element Description
Connectivity Protocol The transport protocol being used to log into the device. Security
Manager uses the protocol specified in the device properties for the
device, which is usually the default protocol configured on the Device
Communications page (see Device Communication Page, page 11-12).
Connectivity Status Displays the status of the test and the time elapsed since the start of the
test.
Details button Click this button to display detailed information about the result of the
test.
Passed testsThe details display the output of the show version
command for PIX Firewall, Adaptive Security Appliances (ASA),
Firewall Service Modules (FWSM), Cisco IOS routers, and VPN
Services Modules (VPNSM), or the output of the getVersion
command for IPS Sensors and Cisco IOS IPS Sensors. You can
copy the command output and paste it into a file for analysis.
Failed testsThe detailed error message.
Abort button Stops the connectivity test before it is completed.
Tip Ensure that all PIX Firewalls and Adaptive Security Appliances that you intend to manage with Security
Manager have a 3DES/AES license. See Understanding Device Communication Requirements,
page 2-1.
SSH Public KeysBy default, Security Manager replaces public keys with the new ones obtained
during SSH connections. If you have problems with SSH communications, see Troubleshooting
SSH Connection Problems, page 9-6.
General Device Communication TroubleshootingFor other problems you might encounter, see
Troubleshooting Device Communication Failures, page 9-7.
Manually Adding SSL Certificates for Devices that Use HTTPS Communications
When you use SSL (HTTPS) as the transport protocol for communicating with IPS, PIX, ASA, or FWSM
devices, or Cisco IOS routers, you can configure Security Manager to automatically retrieve the device
authentication certificate when adding the device (see Device Communication Page, page 11-12).
Tip Having an accurate certificate is required for successful HTTPS communications; Security Manager
cannot communicate with the device without the correct certificate, which prevents configuration
deployment. When using self-signed certificates, the device might create a new certificate if Security
Manager attempts to access it using the wrong certificate. Thus, it is best to configure Security Manager
to always retrieve the certificate from the device.
Instead of having Security Manager automatically retrieve the certificates, you can manually add them
to increase the level of network security. On the Device Communication page, you would configure the
device authentication setting for the device type as Manually add certificates.
The easiest way to manually update the certificate for a device is to retrieve it from the device.
Right-click the device and select Device Properties. Click Credentials to open the Credentials page,
and then click Retrieve From Device to the right of the Authentication Certificate Thumbprint field.
Security Manager retrieves the certificate and prompts you to accept it. You might need to do this if you
encounter certificate problems during configuration deployment. (You can also type or paste the
certificate into this field.)
You can also manually type in, or copy and paste, the certificate thumbprint without having Security
Manager log into the device. Use the following procedure to manually enter the SSL certificate
thumbprint for a device if you configured that device type to require manually added certificates.
Tip If the thumbprint is not readily available, you can copy it from the error message that is displayed when
you add the device from the network or from an export file.
Step 1 Select Tools > Security Manager Administration and select Device Communication from the table of
contents to open the Device Communication page (see Device Communication Page, page 11-12).
Step 2 Click Add Certificate to open the Add Certificate dialog box (see Add Certificate Dialog Box,
page 11-15).
Step 3 Enter the DNS hostname or IP Address of the device, the certificate thumbprint in hexadecimal format,
and click OK. The thumbprint is added to the certificate store.
Tip To erase an existing thumbprint, leave the Certificate Thumbprint field empty.
Configure the SSL certificate settings to automatically retrieve the certificate when adding devices.
You can select different settings for IPS, router, and ASA/PIX/FWSM devices. To configure these
settings, select Tools > Security Manager Administration > Device Communication, and look at
the SSL Certificate Parameters group.
Related Topics
Manually Adding SSL Certificates for Devices that Use HTTPS Communications, page 9-4
Adding Devices to the Device Inventory, page 3-6
Chapter 2, Preparing Devices for Management
Device Communication Page, page 11-12
Device Credentials Page, page 3-38
Related Topics
Manually Adding SSL Certificates for Devices that Use HTTPS Communications, page 9-4
Adding Devices to the Device Inventory, page 3-6
Chapter 2, Preparing Devices for Management
Related Topics
Chapter 2, Preparing Devices for Management
Device Communication Page, page 11-12
Device Credentials Page, page 3-38
When adding new devices the credentials are defined within the New Device wizard if your method
of adding the device requires credentials. Keep the following in mind:
The primary credentials are used for SSH and Telnet connections.
The HTTP/HTTPS credentials are used for HTTP and SSL connections unless you select Use
Primary Credentials, in which case the primary credentials are also used for these
connections.
Related Topics
Adding Devices to the Device Inventory, page 3-6
Understanding Device Communication Requirements, page 2-1
Chapter 2, Preparing Devices for Management
Device Communication Page, page 11-12
Device Credentials Page, page 3-38
Troubleshooting Deployment
The deployment process is one of the most likely areas in which you will encounter problems when using
Security Manager. There are many different processes involved in deployment that influence whether the
deployment job is successfull:
Security Manager itself.
The stability and availability of your network, including links to remotely-managed devices.
Any bugs inherent in the versions of the operating systems that you are using on your network
devices that affect the commands Security Manager is trying to deploy (Security Manager is not
immune to these bugs).
The licenses you have enabled on the device, because many security commands require specific
device licenses.
The specific features supported by your devices, which Security Manager cannot always determine
ahead of time. For example, some platforms support features only if the device has a certain
minimum RAM, and some interface settings are available for specific interface cards only.
The correct functioning of interim applications such as AUS, Configuration Engine, or your TMS
server.
If you encounter deployment failures, examine the messages in the deployment status window carefully.
In addition, the following topics address some of the problems you might encounter:
Changing How Security Manager Responds to Device Messages, page 9-9
Memory Violation Deployment Errors for ASA 8.3+ Devices, page 9-11
Security Manager Unable to Communicate With Device After Deployment, page 9-11
Updating VPNs That Include Routing Processes, page 9-12
Mixing Deployment Methods with Router and VPN Policies, page 9-13
Deployment Failures for Routers, page 9-14
Deployment Failures for Catalyst Switches and Service Modules, page 9-15
Deployment Failures to Devices Managed by AUS, page 9-17
Troubleshooting the Setup of Configuration Engine-Managed Devices, page 9-18
Table 9-2 Deployment Device Error Handling for SSL and SSH on PIX Firewall, ASA, and Cisco IOS Routers
Note On Cisco IOS routers using the SSL protocol, deployment on devices stops on command syntax errors.
It does not stop when configuration-related errors occur.
To change how Security Manager treats a message, you need to update the DCS.properties file in
\CSCOpx\MDC\athena\config folder in the installation directory (usually c:\Program Files). Use a text
editor such as NotePad to update the file.
It is easiest to determine the message you want to ignore by looking at the transcript of a deployment job
that encountered the error using the following procedure.
Related Topics
Viewing Deployment Status and History for Jobs and Schedules, page 8-24
Tip Conversely, you can make device responses that are not tagged with the Error prefix to appear
as error messages. To do this, add the message to the Error Expressions list (for example,
dev.pix.ErrorExpressions).
Step 6 Add the error text to the warning expressions list. The warning message should be a generic regular
expression string. Except for the last expression, you must delimit all expressions with $\. For
example, if the message you want to ignore is Enter a public key as a hexadecimal number, enter the
following string:
.*Enter a public key as a hexadecimal number .*$
Step 7 Restart the CiscoWorks Daemon Manager.
NAT policiesMake sure that you are not using a local address on the device as the original address
to be translated. Translating this address might result in translating the management traffic sent
between Security Manager and the device, causing the interruption.
Device Access policies on routersSecurity Manager might loose contact with a device after you
unassign a device access policy from the device and redeploy it. Device access policies can be used
to define the enable password for accessing the device. If you unassign this policy and redeploy, the
password is removed from the device. In such cases, the device typically reverts to the default
password. However, in some cases, the device might contain an additional password that is unknown
to Security Manager, such as a line console password. If this additional password exists, the device
reverts to that password instead of the default password. If that happens, Security Manager cannot
configure this device. Therefore, if you use a device access policy to configure the enable password
or enable secret password on a device, make sure that you do not unassign the policy without
assigning a new policy before the next deployment.
Site-to-Site VPNsIf you lose communication with a spoke in a VPN, the problem can occur when
the Security Manager server communicates with an external interface on the spoke from within the
hubs protected network. We recommend that when you add the hub device to Security Manager that
you define a management IP address that is located outside of the hubs protected network.
Platform > Device Admin > Device Access > Allowed HostsFor IPS devices, the Allowed Hosts
policy identifies the hosts that can connect to the sensor. The Security Manager server must be
included in this policy.
Related Topics
Troubleshooting Device Communication Failures, page 9-7
Managing Device Communication Settings and Certificates, page 9-4
Understanding Device Communication Requirements, page 2-1
Related Topics
Chapter 21, Managing Site-to-Site VPNs: The Basics
Chapter 51, Managing Routers
Chapter 39, Managing Firewall Devices
Related Topics
Chapter 21, Managing Site-to-Site VPNs: The Basics
Chapter 51, Managing Routers
the posture credentials to the AAA server for validation. The default port used for EAP over UDP traffic
is 21862, but you can change this port as part of the NAC policy. If the default ACL blocks UDP traffic,
EAP over UDP traffic is likewise blocked, which prevents NAC from taking place.
Deployment Fails with Error Writing to Server or HTTP Response Code 500 Messages
Problem: Deployment to a Cisco IOS router fails and an Error Writing to Server or Http Response
Code 500 error message occurs.
Solution: When you use SSL as the transport protocol for deploying configurations to a Cisco IOS
router, the configuration is split into multiple configuration bulks. The size of this configuration bulk
varies from platform to platform. If Security Manager tries to deploy a configuration bulk that exceeds
the size of the SSL chunk configured on that device, the deployment fails and you get an Error Writing
to Server or Http Response Code 500 error message.
To resolve this, do the following:
1. On the Security Manager server, open the DCS.properties file in the \CSCOpx\MDC\athena\config
folder in the installation directory (usually C:\Program Files).
2. Locate DCS.IOS.ssl.maxChunkSize=<value of the configuration bulk>.
3. Reduce the value of the configuration bulk.
4. Restart the CiscoWorks Daemon Manager.
Related Topics
Chapter 51, Managing Routers
Solution: The problem is that Security Manager is trying to deploy configurations to more than one
security context on a device at the same time. Depending on the configuration changes, this can result
in errors on the device that prevent successful deployment. If you use FWSM in multiple-context mode,
configure Security Manager to deploy configurations serially to the device so that one context at a time
is configured, as described in Changing How Security Manager Deploys Configurations to
Multiple-Context FWSM, page 9-16.
Deployment Fails When Changing the Running Mode of an IDSM Data Port VLAN
Problem: Deployment fails when you attempt to change the running mode of the data port VLAN from
Trunk (IPS) to Capture (IDS) and the following error message is displayed:
Command Rejected: Remove trunk allowed vlan configuration from data port 2 before configuring
capture allowed-vlans
Solution: On some software releases such as 12.2(18)SFX4, there is a bug that prevents the change from
occurring correctly. Reload the device to overcome the problem.
Related Topics
Chapter 58, Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
To change how Security Manager deploys configurations to multiple-context FWSM, you need to update
the DCS.properties file. You also need to add the FWSM contexts to the inventory using the FWSM
admin context, rather than adding the individual security contexts.
The following procedure explains the end-to-end process for ensuring that FWSM deployments are done
serially.
Step 1 Make it a standard practice to add FWSM security contexts using the admin context management IP
address. Manage the contexts through the admin context.
Although it is possible to add security contexts for an FWSM individually, using each contexts
management IP address, Security Manager cannot recognize these individually-added contexts as being
hosted on the same physical device. This prevents Security Manager from doing serial deployments to
the contexts.
If you have any FWSM security contexts that you added using the security context management IP,
delete the contexts and FWSM from the inventory, then add them using the admin context (discover all
policies). See Adding Devices to the Device Inventory, page 3-6.
Tip If you have any undeployed changes to these contexts that you want to keep, first deploy the
changes to ensure that the configurations on the device are complete. Do the deployments one
context at a time.
Step 2 Log into Windows on the Security Manager server and edit the DCS.properties file in the
\CSCOpx\MDC\athena\config folder in the installation directory (usually c:\Program Files). Use a text
editor such as NotePad to update the file.
Step 3 Locate the DCS.doSerialAccessForFWSMVCs property in the DCS.properties file and set it to true:
DCS.doSerialAccessForFWSMVCs=true
Step 4 Restart the CiscoWorks Daemon Manager.
If none of the suggestions above solves the problem, turn on Configuration Engine debug mode on
the ASA/PIX device and check the log for errors after the next polling cycle.
Question: Why was I able to deploy successfully to a Configuration Engine-managed ASA/PIX device
the first time, but subsequent deployments were unsuccessful?
Answer: This can happen if the configuration pushed during the first deployment contains incorrect CLI
commands for the auto-update feature. Check the following:
Make sure the username and password of the Configuration Engine server is defined correctly in the
auto-update command.
If you used name commands when configuring the auto-update server using the device CLI, make
sure that you have defined a FlexConfig that contains the necessary name commands. A FlexConfig
is necessary because Security Manager does not support this command directly. As a result, even
though the command was discovered, it does not appear in the full configuration. If you use Security
Manager to configure the AUS policy, name commands are not necessary.
Question: How do I debug Configuration Engine on an ASA/PIX device?
Answer: Enter the following CLI commands:
logging monitor debug
terminal monitor
logging on
You can also find relevant information in the PIX log on the Configuration Engine server.
Question: How do I debug Configuration Engine on an IOS device?
Answer: Enter the following CLI commands:
debug cns all
debug kron exec-cli
terminal monitor
When working in event mode, you can also find relevant information in the event log on the
Configuration Engine server. When working in call home mode, check the config server log on the
Configuration Engine server.
Question: Why did I fail to discover an IOS device and acquire its configuration through Configuration
Engine?
Answer: If you see the following errors in debug mode:
*Feb 23 21:42:15.677: CNS exec decode: Unknown hostname cnsServer-lnx.cisco.com ... 474F6860:
72726F72 2D6D6573 73616765 3E584D4C error-message>XML 474F6870: 5F504152 53455F45
52524F52 3C2F6572 _PARSE_ERROR
Verify the following:
The CNS commands use a fully-qualified host name (host name and domain name).
The device contains the ip domain name command.
The device contains the ip host command with the fully qualified hostname of the Configuration
Engine with its IP address.
Question: Why does the event mode router not appear on the Configuration Engine Discover Device
page or appear in green on the Configuration Engine web page?
Answer: Check the following:
Make sure that the router and the Configuration Engine server can ping each other.
Make sure that the event gateway on the Configuration Engine server is up and running by using one
of the following commands:
The following topics describe some system management tasks related to the general operation of the
Security Manager product:
Overview of Security Manager Server Management and Administration, page 10-1
Managing Licenses, page 10-2
Managing IPS Updates, page 10-5
Working with Audit Reports, page 10-11
Taking Over Another Users Work, page 10-15
Changing Passwords for the Admin or Other Users, page 10-15
Backing up and Restoring the Security Manager Database, page 10-16
Creating a Diagnostics File for the Cisco Technical Assistance Center, page 10-19
Managing Licenses
The following topics explain how to install licenses for the Security Manager application and how to
manage licenses for IPS devices:
Installing Security Manager License Files, page 10-2
Updating IPS License Files, page 10-3
Redeploying IPS License Files, page 10-4
Automating IPS License File Updates, page 10-4
Tip The number of devices includes all discovered security contexts and virtual sensors, even if you have not
submitted the activity that discovered them and they do not currently appear in the device selector. If it
appears there are fewer devices in the inventory than your license allows, but you are getting device
count error messages, submit all activities to determine the number of discovered devices. Delete those
that you do not want to manage.
After registration, the base software license is sent to the e-mail address that you provided during
registration. In addition to receiving a PAK and license for Security Manager, you might receive one
additional PAK for each incremental device count pack you purchased.
Copy the license files to a folder on the Security Manager server. You must store your license files
on a disk that is local to your Security Manager server; you cannot use a drive that is mapped to the
server. Windows imposes this limitation, which serves to improve Security Manager performance
and security.
Tip Do not place the license file in the etc/licenses/CSM folder in the products installation folder, or you
will encounter an error when you try to add the license. Place the file in a folder outside the product
folders.
Step 1 Select Tools > Security Manager Administration and select Licensing from the table of contents.
Step 2 Click CSM if the tab is not active. For a description of the fields on this tab, see CSM Tab, Licensing
Page, page 11-27.
Step 3 Click Install a License to open the Install a License dialog box.
The Install a License dialog box includes links to Cisco.com for obtaining licenses if you have not
already done so. If you already have copied the licenses to the Security Manager server, click Browse to
select a license file, and then click OK on the Install a License dialog box to install the license.
Repeat the process until you have installed all of your licenses.
Related Topics
Redeploying IPS License Files, page 10-4
Step 1 Select Tools > Security Manager Administration and select Licensing from the table of contents.
Step 2 Click the IPS tab (see IPS Tab, Licensing Page, page 11-27).
The table lists all IPS devices in the device inventory and displays the status of their licenses. The status
can be valid, invalid, expired, no license, or trial license. The expiration date for the license is also
shown. Click Refresh to update the table with the latest license information from the devices.
To update licenses, do one of the following:
To update devices with licenses obtained directly from Cisco.comSelect the devices you want to
update and click Update Selected via CCO. A dialog box opens that lists the devices that can be
updated from Cisco.com, which might not be all of the devices you selected. Review the list and
click OK. The status of the update task is shown in the License Update Status Details dialog box
(see License Update Status Details Dialog Box, page 11-30).
Tip To successfully update the license using this method, you must have a Cisco.com support
contract that includes the serial numbers of the selected devices. You can also select Download
and apply licenses automatically to have the process done on a regular schedule.
To update devices with licenses that you have copied to the Security Manager serverClick Update
from License File. A dialog box opens where you can select the license files. Click Browse to select
them from the Security Manager local file system. You can select more than one license file. When
you have selected the desired files, click OK to have them applied to the devices.
Related Topics
Updating IPS License Files, page 10-3
Automating IPS License File Updates, page 10-4
Step 1 Select Tools > Security Manager Administration and select Licensing from the table of contents.
Step 2 Click the IPS tab (see IPS Tab, Licensing Page, page 11-27).
Step 3 Select the devices to which you want to redeploy licenses and click Redeploy Selected Licenses. A
dialog box opens listing devices whose licenses you are redeploying. Click OK to perform the update.
The status of the update task is shown in the License Update Status Details dialog box (see License
Update Status Details Dialog Box, page 11-30).
Related Topics
Updating IPS License Files, page 10-3
Redeploying IPS License Files, page 10-4
Step 1 Select Tools > Security Manager Administration and select Licensing from the table of contents.
Step 2 Click the IPS tab (see IPS Tab, Licensing Page, page 11-27).
Step 3 Select Download and Apply Licenses Automatically.
Step 4 In the Check field, select how often Security Manager should check Cisco.com for new licenses:
DailyOnce a day at midnight
WeeklyOnce a week at midnight on Sunday
MonthlyOnce a month at midnight on the first day of the month.
Tip If you have problems applying patches, service packs, or signature updates, check the time on your IPS
sensor. If the time on the sensor is ahead of the time on the associated certificate, the certificate is
rejected and the update may fail. Use the Network Time Protocol (NTP) to maintain accurate time on an
IPS sensor. For information on configuring NTP on the sensor, see Identifying an NTP Server,
page 30-21.
The following topics describe how to use Security Manager to manage IPS updates:
Configuring the IPS Update Server, page 10-5
Checking for IPS Updates and Downloading Them, page 10-6
Automating IPS Updates, page 10-7
Manually Applying IPS Updates, page 10-9
You can use Cisco.com as the IPS Update server. Using Cisco.com ensures that the latest updates are
available to you at their earliest availability. However, if you cannot use Cisco.com for some reason, you
can set up your own local IPS Update web server, manually download updates to it, and configure
Security Manager to obtain the updates from your local server.
Tip If you are using a device that requires a Cisco.com login for updating licenses, such as an IPS 4270 or
an AIP SSM-40 in an ASA device, you must configure the IPS Update server as Cisco.com. You cannot
use a local server.
Related Topics
Automating IPS Updates, page 10-7
Manually Applying IPS Updates, page 10-9
Step 1 Select Tools > Security Manager Administration and select IPS Updates from the table of contents
to open the IPS Updates page (see IPS Updates Page, page 11-20).
Step 2 In the Update Server area, click Edit Settings to open the Edit Update Server Settings dialog box (see
Edit Update Server Settings Dialog Box, page 11-24).
Step 3 Enter the identifying information for your server. Based on the server type selected in the Update From
field:
Cisco.comEnter a Cisco.com username and password. The user account you specify must have
applied for eligibility to download strong encryption software. To verify the account has the
appropriate permissions, go to Cisco.com and try to download an IPS update package. You will be
prompted to accept the appropriate agreements if the account is not already qualified.
Local serverEnter the IP address or DNS host name of your server, a username and password if
you require a log in before allowing access, and the path to the folder that contains the files. For the
path, do not enter the entire URL; enter only the path portion of the URL (for example, the path in
http://servername/IPSpath is IPSpath). Also add IIS configuration settings:
Home Directory should have listing enabled.
Documents should have Default Content Page disabled.
If your network requires a proxy server to get from the Security Manager server to the IPS Update server,
select Enable Proxy Server and enter the information for the proxy server.
Click OK to save your changes.
Step 4 Click Save on the IPS Updates page. Your changes are not completely saved unless you click Save.
Step 5 Test the connectivity to the IPS Update server by clicking Download Latest Updates. A dialog box
opens. Click Start to have Security Manager log into the update server, check for new updates, and
download them. The dialog box displays the results of the operation.
If you are using Cisco.com and experience a download failure, double-check the user account to ensure
it has the required permissions for downloading strong encryption software.
You can manually download IPS updates, automate IPS update downloads, or download them when you
try to manually apply them to a device. The following procedure explains how to manually check for
updates and download them. For information on configuring automatic downloads, see Automating IPS
Updates, page 10-7. For information on downloading updates while manually applying them to devices
or policies, see Manually Applying IPS Updates, page 10-9.
Related Topics
Automating IPS Updates, page 10-7
Manually Applying IPS Updates, page 10-9
Step 1 Select Tools > Security Manager Administration and select IPS Updates from the table of contents
to open the IPS Updates page (see IPS Updates Page, page 11-20).
Step 2 Review the status information in the Update Status group, and do any of the following:
Click Check for Updates. A dialog box opens to display the results of the operation. Click Start to
have Security Manager log into the IPS Update server and check for updates.
Click Download Latest Updates. A dialog box opens to display the results of the operation. Click
Start to have Security Manager log into the IPS Update server, check for updates, and download
them to the Security Manager server.
Tip If a Cisco.com download fails, ensure that the account you are using has applied for eligibility
to download strong encryption software. For details, see the description of User Name in Edit
Update Server Settings Dialog Box, page 11-24.
Tip If you later decide that you did not want to apply a signature update, you can revert to the previous update
level by selecting the Signatures policy on the device, clicking the View Update Level button, and
clicking Revert.
Tip If you do not manage IPS devices, consider taking the following performance tuning step. In
$NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from
its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking
this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common
Services installation directory (the default is C:\Program Files\CSCOpx).]
Related Topics
Checking for IPS Updates and Downloading Them, page 10-6
Manually Applying IPS Updates, page 10-9
Understanding IPS Network Sensing, page 30-1
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Step 1 Select Tools > Security Manager Administration and select IPS Updates from the table of contents
to open the IPS Updates page (see IPS Updates Page, page 11-20).
Step 2 In the Auto Update Settings group in the lower portion of the page, select an auto update mode to
establish the extent of automation. Choices include:
Download, Apply, and Deploy UpdatesSecurity Manager checks for updates according to your
schedule, downloads them to the Security Manager server, applies them to the selected devices and
policies, and starts a deployment job to update the affected devices. This choice ensures that your
devices are running the latest updates with minimal effort for your operations staff.
Disable Auto UpdateSecurity Manager does not perform any automatic actions for IPS updates.
Check for UpdatesSecurity Manager checks for updates according to your schedule and updates
the information in the Update Status group. No devices or policies are updated.
Download UpdatesSecurity Manager checks for updates according to your schedule and
downloads any new updates to the Security Manager server.
Download and Apply UpdatesSecurity Manager checks for updates according to your schedule,
downloads them, and applies them to the selected devices and policies. You must separately create
a deployment job to deploy the changes to the affected devices.
Step 3 Click Edit Update Schedule to open a dialog box where you can specify the schedule for the operation.
Select the starting date, enter the starting time in 24-hour format (hh:mm), and select whether the
schedule should be by the hour, day, week, month, or a one-time event. Click OK to save the schedule.
Step 4 (Optional) Enter an e-mail address in the Notify Email field. Security Manager will notify this user when
a package is available for download or has been downloaded, applied, or deployed. You can enter more
than one address by separating the addresses with commas.
Step 5 Select the devices and shared policies you want to automatically update in the Apply Update To selector.
Use the Type field to toggle between local policies (for devices) and shared policies.
To select a device or policy, click it in the selector and click the Edit Row button (the pencil icon below
the selector). This action opens the Edit Auto Update Settings dialog box. Select the types of updates
you want to apply: minor sensor updates and service packs or service packs only, and the signature
update level. Click OK to save your changes. The devices to which the policy apply are added to the
Devices to be Auto Updated list. A message will indicate if you need to submit your changes for the
change to take effect.
Step 6 Click Save.
Tip If you later decide that you did not want to apply a signature update, you can revert to the previous update
level by selecting the Signatures policy on the device, clicking the View Update Level button, and
clicking Revert.
Related Topics
Checking for IPS Updates and Downloading Them, page 10-6
Selecting a Signature Category for Cisco IOS IPS, page 38-6
Step 1 Select Tools > Apply IPS Update to open the Apply IPS Update wizard.
Step 2 On the first page of the wizard, select the update that you want to apply. This page lists the sensor and
signature updates that are available. Do the following on this page:
To update the list of packages, click Download Latest Updates. Security Manager logs into the IPS
Update server and downloads the updates that have become available since the last download. This
works only if you have configured an update server as described in Configuring the IPS Update
Server, page 10-5. You can also update the list of packages by doing the following::
Configure automatic downloads on the IPS Updates page (select Tools > Security Manager
Administration > IPS Updates). For more information, see IPS Updates Page, page 11-20.
Manually download the updates to the CSCOpx\MDC\ips\updates folder in the product
installation folder (typically Program Files) on the Security Manager server.
You can also check for updates without downloading them by clicking Check for Updates. The
Update Status information is the same as described in IPS Updates Page, page 11-20.
Select the signature or sensor update you want to apply to your IPS devices in the Updates
Downloaded table. Use the Type field to toggle between the types of updates (you can select only
one update to apply):
Sensor UpdatesDisplays the filename, the major, minor, service pack, and patch versions, as
well as the supported engine release. You must apply all major sensor updates, however, minor
updates are cumulative.
Signature UpdatesDisplays the filename, the signature number, and the supported engine
release. Signature updates are cumulative; however, applying them as separate packages allows
you to separate your work into more manageable units if you intend to tune the updates to match
the specific needs of your network.
Note The engine package is not listed on the update page, but Security Manager implicitly pushes the
engine package automatically in the case of a signature update that requires a higher engine
version. (This occurs only when updating a device with the particular version that the engine
package requires.)
Tip The engine release controls which devices you can select for sensor updates; you can apply the
update only to devices that use the same engine version, regardless of the release version. For
example, if your device is running 6.0(5) E3, you can update to 6.1(1) E3 but not to 6.1(1) E2.
You also cannot apply a 6.1(1) E3 update to a device running 6.1(1) E2. If you want to update
the engine version, select a signature update with the higher engine version, and Security
Manager will update the engine level automatically while updating the signatures. For example,
if the device has the 6.1(1) E2 version and needs to have the E3 engine package applied, choose
the signature package that requires the E3 engine and apply it to the device; doing so applies the
engine package automatically to the device while updating the signatures. Thus, if the device
you want to update is grayed out, click Back and change your update selection.
If you are applying a signature update, and you want to edit the signatures before applying them, click
Next to continue. Otherwise, click Finish to apply your update to the policies.
Step 4 (Optional) On the third page of the wizard, modify the signatures as desired.
The signatures list displays the new and modified signatures between the signature level of the selected
update and the lowest signature level among the selected devices. If the selected devices include both
IPS sensors and Cisco IOS IPS devices, the signatures for these devices appear on separate tabs.
Click the link in the ID number to read the description for the signature on Cisco.com. The Status column
indicates whether the signature is new or modified (see the visual description of the icons on the wizard
page).
To edit a signature, select it in the table and click the Edit button below the table (the pencil icon). For
help in understanding the signature, click Help in the dialog box that the Edit button opens.
For details on available signature information, see Signatures Page, page 33-4. In the Signature
Summary Table, you can also add custom signatures and delete signatures, but you cannot do that on this
page of the Apply IPS Update Wizard.
Click Finish to apply your update to the policies and to save your edits.
Step 5 Submit your changes and deploy them to the devices. For information on creating deployment jobs, see
these topics:
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Related Topics
Generating the Audit Report, page 10-12
Purging Audit Log Entries, page 10-14
Tip You can also view the audit logs through CiscoWorks Common Services. From the Common Services
Server Administration page, select Server > Reports, and select Audit Log from the table of contents.
Click Generate Report and you are presented with a list of logs, one for each day. Click the link for the
desired log to open it. These logs are stored in the Program Files/CSCOpx/MDC/Logs/audit/ directory.
For information about logging into Common Services, see Logging In to the Cisco Security Management
Suite Server, page 1-15.
Related Topics
Understanding Audit Reports, page 10-11
Step 1 Select Tools > Audit Report to open the Audit Report window.
Step 2 To reduce the report to a specific set of records that relate to an area of interest, enter the appropriate
search criteria in the left pane and click Search. For detailed information about the search fields, see
Using the Audit Report Window, page 10-12.
The following examples describe sample search criteria:
To find out when the device router1 was removed from Security Manager managementSelect
Devices > Delete from the Search by action selector. In the Search by all or part of the object
name field, enter the display name of the device (router1).
To find out if a failed login attempt occurred in the systemSelect System > Authorization >
Login > Failed from the Search by action selector.
Step 3 To view the contents of an entry in the report, double click the entry. This action opens a dialog box
where you can read the message related to the entry. You can scroll through the report in this dialog box
by using the up and down arrow buttons.
Navigation Path
Select Tools > Audit Report.
Related Topics
Understanding Audit Reports, page 10-11
Generating the Audit Report, page 10-12
Field Reference
Element Description
Search Criteria (Left Pane)
The left side of the Audit Report window contains the search criteria for the report. The default report
lists all state changes from yesterday and today, sorted with the most recent changes at the top.
Search by action One or more sources of actions to include in the audit report. If you do
not make a selection, the report is not filtered based on action. You can
select All to include all action sources.
Search by date The time period to include in the report. Actions that occur between the
from and to dates are displayed. Click the calendar icon to select the
dates.
This filters default (reset position) is to include actions from yesterday
to today.
Search for activity by state This field works differently from the other search fields, and is
primarily of use in Workflow mode. You can use this field to select one
or more activities to include in the report. The activities are listed in the
display box below the drop-down list. The drop-down list helps you
find the activities on which you want to report.
To use this search mechanism, select the activity state of the activities
on which you want to report, and then select the activities. Use
Ctrl+click to select multiple activities.
Select No Activity to not filter by activity.
Search by message warning The message warning level. The report is limited to messages of the
level selected severity. Use Ctrl+click to select multiple levels.
Search by user name The username of the person who performed the actions to include in the
report. To see Security Manager system-generated actions, enter the
username System.
Search by a phrase in the A string of text that should occur in the message of the audit report
message body entries. You can enter a maximum of 1025 characters.
The message is not visible in the report table. To see the messages
related to an entry, double-click the entry.
Search by all or part of the A string of text that should occur in the name of the object for which
object name the audit entries were generated. You can enter a maximum of 1025
characters.
Search button Click this button to generate the report in the right pane.
Reset button Click this button to reset the search criteria and delete any values or
selections you made.
Element Description
Audit Report (Right Pane)
The right side of the Audit Report window contains the audit report. Each row represents one audit
entry. Double-click a row to open the Audit Message Details dialog box, where you can view a more
readable layout of the information and to see the specific messages associated with the entry. You can
scroll through the entries in the report from within the Audit Message Details dialog box.
Message Level The message warning level: Information, Warning, Success, Failure
and Internal System Error.
Date The date and time the action occurred.
Source The origin of the audit entry: Objects, License, Admin, Firewall, Policy
Manager, Devices, Topology, VPN, Config Archive, Deployment,
System, and Activity.
Action The action performed: Add, Assign, Create, Delete, Open, Purge,
Unassign, and Update.
Object The identifier of the object of the action. For example, if the category
is device, then the object identifier could be the device name or IP
address. If the category is deployment, then the object identifier could
be job name, job ID, and so on. There frequently is no specific object
name.
User Name The username of the person performing the action.
Activity The name of the activity in which the action occurred, if any.
# of rows per page The number of rows to display on each page.
< arrow Click this button to return to the previous page of the audit report.
> arrow Click this button to advance to the next page of the audit report.
Related Topics
Understanding Audit Reports, page 10-11
Generating the Audit Report, page 10-12
Using the Audit Report Window, page 10-12
Step 1 Select Tools > Security Manager Administration and select Take Over User Session from the table
of contents to open the Take Over User Session page (see Take Over User Session Page, page 11-37).
Step 2 Select the user session you want to take over.
Step 3 Click Take over session. The changes made by the selected user are transferred to you. Any changes
that have not already been committed are discarded.
If the selected user is logged in at the time changes are taken over, the user receives a warning message,
loses the changes in progress, and then is logged out.
Step 1 Log into Windows on the Security Manager server and open a Windows command line window.
Step 2 Stop the daemon manager services by using this command:
net stop crmdmgtd
Tip You can also stop and start the daemon manager using the Services control panel.
Step 3 Run the resetpasswd.exe command specifying admin as the user name. This example assumes you
installed the product in the default directory; change the directory path if you used a different directory:
C:\Program Files\CSCOpx\bin\resetpasswd.exe admin
You are prompted for a new password.
Tip If you want to change the password for a different user, replace admin with the desired user
name.
Tip The Security Manager database backup does not include the event data store used by the Event Manager
service. If you want to back up event management data, see Archiving or Backing Up and Restoring the
Event Data Store, page 59-24.
The following topics describe how to back up and recover the Security Manager database:
Backing up the Server Database, page 10-16
Restoring the Server Database, page 10-18
If there are multiple users with pending data, the changes for those users must also be committed or
discarded. If you need to commit or discard changes for another user, you can take over that users
session. To take over a session, select Tools > Security Manager Administration > Take Over
User Session, select the session, and click Take Over Session.
In Workflow mode:
To commit and approve changes, select Tools > Activity Manager. From the Activity Manager
window, select an activity and click Approve. If you are using an activity approver, click
Submit and have the approver approve the activity.
To discard uncommitted changes, select Tools > Activity Manager. From the Activity Manager
window, select an activity and click Discard. Only an activity in the Edit or Edit Open state can
be discarded.
You can also back up the database from a Windows command prompt using the following command:
Syntax Description
[path]perl [path]backup.pl The Perl script command. Include the path to the perl command and the
backup.pl file if the path is not defined in the system path variable. The
typical path for both is C:\Progra~1\CSCOpx\bin\.
backup_directory The directory where you want to create the backup. For example,
C:\Backups.
log_filename (Optional.) The log file for messages generated during backup. Include
the path if you want it created somewhere other than the current
directory. For example, C:\BackupLogs.
If you do not specify a name, the log is
%NMSROOT%\log\dbbackup.log.
email=email_address (Optional.) The email address where you want notifications sent. If you
do not want to specify an email address, but you need to specify a
subsequent parameter, enter email without the equal size or address.
You must configure SMTP settings in CiscoWorks Common Services to
enable notifications. For more information, see Configuring an SMTP
Server and Default Addresses for E-Mail Notifications, page 1-19.
compress (Optional.) Whether you want the backup file to be compressed. If you
do not enter this keyword, the backup is not compressed if
VMS_FILEBACKUP_COMPRESS=NO is specified in the
backup.properties file. Otherwise, the backup is still compressed. We
recommend compressing backups.
Example
The following command assumes that you are in the directory containing the perl and backup.pl
commands. It creates a compressed backup and log file in the backups directory and sends notifications
to admin@domain.com. Note that you must specify a backup generation to include the compress
parameter; if you specify any parameter after the log file parameter, you must include values for all
preceding parameters.
perl backup.pl C:\backups C:\backups\backup.log email=admin@domain.com 0 compress
Tip You can restore backups taken from previous releases of the application if the backup is from a version
supported for direct local inline upgrade to this version of the application. For information on which
versions are supported for upgrade, see the Installation Guide for Cisco Security Manager for this
release of the product.
Syntax
Step 1 Stop all processes by entering the following at the command line:
net stop crmdmgtd
Step 2 Restore the database by entering:
$NMSROOT\bin\perl$NMSROOT\bin\restorebackup.pl[-t temporary_directory]
[-gen generationNumber] -d backup_directory [-h]
where:
$NMSROOTThe full pathname of the Common Services installation directory (the default is
C:\Program Files\CSCOpx).
-t temporary_directory(Optional) This is the directory or folder used by the restore program to
store its temporary files. By default this directory is $NMSROOT\tempBackupData.
-gen generationNumber(Optional.) The backup generation number you want to recover. By
default, it is the latest generation. If generations 1 through 5 exist, then 5 will be the latest.
-d backup_directoryThe backup directory that contains the backup to restore.
-h(Optional) Provides help. When used with -d BackupDirectory, help shows the correct syntax
along with available suites and generations.
For example, to restore the most recent version from the c:\var\backup directory, enter the following
command:
C:\Progra~1\CSCOpx\bin\perl C:\Progra~1\CSCOpx\bin\restorebackup.pl -d C:\var\backup
Tip If you are restoring a database that contains RME data, you might be asked if you want to collect
inventory data. Collecting this data can take a long time. You might want to respond No and then
configure RME to schedule an inventory. In RME, select Devices > Inventory.
Step 3 Examine the log file, NMSROOT\log\restorebackup.log, to verify that the database was restored.
Step 4 Restart the system by entering:
net start crmdmgtd
Step 5 If you restore a database that was backed up prior to installing a Security Manager service pack, you
must reapply the service pack after restoring the database.
Tip When creating the diagnostics file from the command line, you must allow the command to complete
before closing the window or subsequent attempts to run the CSMDiagnostics command will not work
properly. If you mistakenly close the window, delete the C:\Program
Files\CSCOpx\MDC\etc\mdcsupporttemp folder before attempting to use the command again.
Unless you specify an alternate folder, the CSMDiagnostics.zip file is placed in the
<installation_location>/CSCOpx/MDC/etc folder, where <installation_location> is the drive and
directory in which you installed CiscoWorks Common Services (for example, c:\Program Files). You
should move or rename the diagnostics file after you create it because the file is overwritten each time
you generate it.
The CSMDiagnostics.zip file contains:
Configuration files.
Apache configuration and log files.
Security Manager has default settings for many system functions that you can change if they do not fit
the needs of your organization. To view and change these settings, select Tools > Security Manager
Administration. You can then select items from the table of contents on the left of the window to view
the default settings related to that item.
On most pages, when you change a setting, you must click Save to save your changes. If you make a
mistake, you can click Reset to return the values to the previously saved values. You can also click
Restore Defaults to return the settings to the Security Manager defaults.
Besides the pages that contain system defaults, the Security Manager Administration window includes
items that relate to system administration activities, such as taking over another users work or obtaining
access to pages in Common Services to perform server security tasks.
The following topics describe the settings and actions available on each of the pages available in the
Security Manager Administration window:
AutoLink Settings Page, page 11-2
Configuration Archive Page, page 11-3
CS-MARS Page, page 11-4
Customize Desktop Page, page 11-5
Debug Options Page, page 11-6
Deployment Page, page 11-7
Device Communication Page, page 11-12
Device Groups Page, page 11-16
Device OS Management Page, page 11-17
Discovery Page, page 11-17
Event Management Page, page 11-19
IPS Updates Page, page 11-20
Licensing Page, page 11-26
Logs Page, page 11-31
Policy Management Page, page 11-31
Policy Objects Page, page 11-32
Rule Expiration Page, page 11-33
Navigation Path
Click Tools > Security Manager Administration and select AutoLink from the table of contents.
Related Topics
Creating and Managing Layer 3 Links on the Map, page 29-19
Displaying Your Network on the Map, page 29-13
Field Reference
Element Description
Enable AutoLink for Whether to automatically include or omit (deselected) these private
10.0.0.0/8 networks from the maps you create.
Enable AutoLink for
172.16.0.0/12
Enable AutoLink for
192.168.0.0/16
Enable AutoLink for Whether to automatically include or omit (deselected) the loopback
127.0.0.0/8 network from the maps you create.
Enable AutoLink for Whether to automatically include or omit (deselected) the multicast
224.0.0.0/4 networks from the maps you create.
Save button Saves and applies changes.
Reset button Resets changes to the last saved values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Click Tools > Security Manager Administration and select Configuration Archive from the table of
contents.
Related Topics
Configuration Archive Window, page 8-22
Rolling Back Configurations, page 8-56
Field Reference
Element Description
Max. Versions per Device The number of configuration versions you want to retain for each
Purge Now button managed device, from 1 to 100. If you reduce the number, you can click
Purge Now to immediately delete extra versions.
Enable Configuration
Security Manager automatically deletes extra versions during its
Archive Versions Auto Purge
normal cleanup cycle if you select the Enable Configuration Archive
Versions Auto Purge option.
TFTP Server for Rollback The fully-qualified DNS hostname or IP address of the server to use for
TFTP file transfers. TFTP is used during rollback for IOS devices when
the configuration cannot be updated using the configure replace
command, which does not force a system reload. Enter localhost to use
the Security Manager server.
By default, a TFTP server is enabled on the Security Manager server. If
you specify a remote TFTP server, you must configure that server
appropriately to provide TFTP services.
TFTP Root Directory The root directory for configuration file transfers if you are using the
Security Manager server as the TFTP server. Click Browse to select a
directory on the Security Manager server.
If you specify a server other than the Security Manager server as the
TFTP host, Security Manager always uses the root directory of that
TFTP server. You cannot specify a non-root directory for remote TFTP
servers.
Save button Saves and applies changes.
Reset button Resets changes to the last saved values.
Restore Defaults button Resets values to Security Manager defaults.
CS-MARS Page
Use the CS-MARS page to register the Cisco Security Monitoring, Analysis and Response System
servers that are monitoring your devices with Security Manager. By registering your CS-MARS servers,
you can view messages and events captured in CS-MARS based on a devices firewall access rules or
IPS signature rules configured in Security Manager. You must register a CS-MARS server before users
can see events collected from it.
Tip If you are using CS-MARS global controllers, add them instead of the individual local controllers. By
adding global controllers, Security Manager can identify the correct local controller for a device
automatically, without you having to add each of the local controllers. This simplifies your CS-MARS
configuration in Security Manager.
Navigation Path
Select Tools > Security Manager Administration and select CS-MARS from the table of contents.
Related Topics
Registering CS-MARS Servers in Security Manager, page 60-16
Field Reference
Element Description
CS-MARS Devices The CS-MARS servers that are registered with Security Manager.
To add a server, click the Add (+) button and fill in the New or Edit
CS-MARS Device Dialog Box, page 11-5.
To edit a server, select it and click the Edit (pencil) button.
To delete a server, select it and click the Delete (trash can) button.
When you delete a server, the device properties for all devices that
use the server are updated to remove the server connection. If a
device is also monitored by another CS-MARS server on the list,
its properties are updated to point to the other server.
When Launching CS-MARS The type of credentials Security Manager should use to log into
CS-MARS when obtaining event information:
Allow User to Save
Credentials Prompt usersWhen the user tries to get event information from
CS-MARS, prompt the user to log into CS-MARS. If you select
this option, you can also select Allow User to Save Credentials,
which gives users the option to save their credentials so they do not
have to log into CS-MARS again the next time they request event
status.
Use CS-Manager CredentialsWhen the user tries to get event
information from CS-MARS, log into CS-MARS using the same
username and password the user used to log into Security Manager.
Save button Saves and applies changes.
Reset button Resets changes to the last saved values.
Navigation Path
From the CS-MARS Page, page 11-4, click the Add button to add a new server, or select a server and
click the Edit button.
Field Reference
Element Description
CS-MARS Hostname/IP The IP address or fully-qualified DNS host name of the CS-MARS
server.
Tip If you add a CS-MARS global controller, do not add any of the
local controllers that the global controller monitors. Security
Manager will automatically determine the local controller that
is monitoring a specific device. Adding global controllers
simplifies your CS-MARS configuration.
Username The username and password for logging into the server to validate that
the CS-MARS server is running the appropriate software version and to
Password
obtain other basic information. Security Manager also uses this account
User Type to determine which CS-MARS server is monitoring a particular device.
For CS-MARS local controllers, you can enter either a global or local
user account. For global controllers, you must enter a global account.
Identify the type of account in the User Type field.
Certificate Thumbprint The CS-MARS server certificate, a hexadecimal string that is unique to
the device. Click Retrieve From Device to have Security Manager
Retrieve From Device button
retrieve the certificate from the CS-MARS server.
If the certificate is retrieved successfully, it is displayed. After
verifying the certificate, click Accept to save it on the Security
Manager server. You must have a correct certificate to use the
CS-MARS server from Security Manager.
Navigation Path
Select Tools > Security Manager Administration and select Customize Desktop from the table of
contents.
Field Reference
Element Description
Reset Do Not Ask on Click this button to reestablish Are you sure...? pop-up warnings.
Warnings button When you perform some actions, you are warned about the
consequences and you are given the option to not be warned again. If
you selected Do Not Ask Me Again for any of these warnings, clicking
this button reenables the warning.
Enable Idle Timeout Whether to have the Security Manager client close automatically if you
do not use it for the specified period of time. If you select this option,
Idle Timeout (minutes)
enter the number of minutes that must elapse before closing the client
in the Idle Timeout field.
The default is to close the client after 120 minutes of inactivity.
Save button Saves and applies changes.
Reset button Resets changes to the last saved values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Select Tools > Security Manager Administration, then select Debug Options from the table of
contents.
Field Reference
Element Description
Capture Whether Security Manager generates data files about configuration
Discovery/Deployment generation, deployment, and discovery as these functions are
Debugging Snapshots to File performed. The temporary data files are stored in the MDC\temp
directory in the Security Manager installation folder on the server, and
you can use these files for debugging purposes.
Enable this setting if you encounter problems with deployment or
discovery.
If you need to send these files to Cisco TAC for debugging, encrypt the
files, because they can contain sensitive data such as passwords.
Note Selecting this check box slows down Security Manager
response time. Enable this option only in limited
circumstances.
Deployment Debug Level The message severity level for deployment-related actions such as
device communication.
Event Manager Debug Level The message severity level for the Event Manager subsystem.
Firewall Services Debug The message severity level for firewall-related policies.
Level
IOS Platform Debug Level The message severity level for Cisco IOS Software platform policies.
PIX Platform Debug Level The message severity level for PIX platform policies.
VPN Services Debug Level The message severity level for VPN services policies.
Save button Saves your changes.
Reset button Restores all fields to their previous values.
Restore Defaults button Resets values to Security Manager defaults.
Deployment Page
Use the Deployment page to define the default methods by which Security Manager deploys
configurations to devices. You can override some of these settings when you create deployment jobs.
Navigation Path
Select Tools > Security Manager Administration and select Deployment from the table of contents.
Related Topics
Chapter 8, Managing Deployment
Chapter 6, Managing Policy Objects
Field Reference
Element Description
Purge Debugging Files Older The maximum number of days the system should keep debugging files.
Than (days) Debug files are automatically deleted. If you decrease the number of
days, you can click Purge Now to immediately delete all debugging
files older than the number of days specified.
Default Deployment Method The method to use as the default method for deploying configurations
to devices:
Directory
DeviceDeploys the configuration directly to the device or to the
transport mechanism specified for the device. For more
information, see Deploying Directly to a Device, page 8-9.
FileDeploys the configuration file to a directory on the Security
Manager server. If you select File, specify the directory to which
you want to deploy the configuration file in the Destination
column. Even if you select file as the default, the setting does not
apply to IPS devices; you can use device deployment only for IPS
devices. For more information, see Deploying to a File, page 8-11.
You can override this method when you create deployment jobs.
When Out of Band Changes How Security Manager should respond when it detects that changes
Detected were made directly on the device CLI since a configuration was last
deployed to the device. This setting applies only for deployment
methods that are configured to obtain the reference configuration from
the device (see below for a description of the Reference Configuration
settings).
This setting specifies the default action, which you can override when
you create deployment jobs. You can choose one of the following:
Overwrite changes and show warning (default)If changes
were made to the device manually, Security Manager continues
with the deployment, overwrites the changes, and displays a
warning notifying you of this action.
Cancel deploymentIf changes were made to the device
manually, Security Manager cancels the deployment and displays a
warning notifying you of this action.
Do not check for changesSecurity Manager does not check for
changes and deploys the changes to the device, overwriting any
local modifications.
For a more complete discussion of out-of-band change handling, see
Understanding How Out-of-Band Changes are Handled, page 8-12.
Element Description
Deploy to File Reference The configuration that Security Manager uses to compare new policies
Configuration against the previous configuration for the device, if you are deploying
the configuration to a file on the Security Manager server.
Archive (default)The most recently archived configuration.
DeviceThe current running device configuration, which is
obtained from the device.
After comparing the configurations, Security Manager generates the
correct CLI for deployment.
Deploy to Device Reference The configuration that Security Manager uses to compare new policies
Configuration against the previous configuration for the device, if you are deploying
the configuration directly to the device (or to a transport server).
ArchiveThe most recently archived configuration.
Device (default)The current running device configuration,
which is obtained from the device.
After comparing the configurations, Security Manager generates the
correct CLI for deployment.
Optimize the Deployment of How firewall rules are deployed. You can choose one of the following:
Access Rules For Speed (default)Increases deployment speed by sending only the
delta (difference) between the new and old ACLs. This is the
recommended option. By making use of ACL line numbers, this
approach selectively adds, updates, or deletes ACEs at specific
positions and avoids resending the entire ACL. Because the ACL
being edited is still in use, there is a small chance that some traffic
might be handled incorrectly between the time an ACE is removed
and the time that it is added to a new position. The ACL line
number feature is supported by most Cisco IOS, PIX and ASA
versions, and became available in FWSM from FWSM 3.1(1).
TrafficThis approach switches ACLs seamlessly and avoids
traffic interruption. However, deployment takes longer and uses
more device memory before the temporary ACLs are deleted. First,
a temporary copy is made of the ACL that is intended for
deployment. This temporary ACL binds to the target interface.
Then the old ACL is recreated with its original name but with the
content of the new ACL. It also binds to the target interface. At this
point, the temporary ACL is deleted.
Note For FWSM devices, this option affects processing only if you
also select the Let FWSM Decide When to Compile Access
Lists option.
Firewall Access-List Names How ACL names are deployed to devices if the access rule does not
have a name in Security Manager.
Reuse existing namesReuse the ACL name that is configured in
the reference configuration (which is usually from the device).
Reset to CS-Manager generated namesReset the name to a
Security Manager auto-generated ACL name.
Element Description
Enable ACL Sharing for Whether Security Manager should share a single access control list
Firewall Rules (ACL) for an access rule policy with more than one interface. If you do
not select this option, Security Manager creates unique ACLs for every
interface to which you apply an access rule policy. The sharing of ACLs
is done only for ACLs created by access rule policies.
If you select this option, Security Manager evaluates the access rules
policy for each interface and deploys the minimum number required to
implement your policy while preserving your ACL naming
requirements. For example, if you use an interface role to assign the
same rules to four interfaces, you specify Reset to CS-Manager
generated names for the Firewall Access-List Names property, and
you do not specify ACL names for the interfaces in the access control
settings policy, only a single ACL is deployed, and each interface uses
that ACL.
If you select this option, keep the following in mind:
An interface might use an ACL that is named for a different
interface.
If you specify a name for the ACL in the access control settings
policy, an ACL by that name is created even if it is otherwise
identical to one used by another interface. Names specified in this
policy have precedence over any other settings.
If you select Reuse existing names for the Firewall Access-List
Names property, the existing names are preserved (unless you
override them in the access control settings policy). This means
that you might end up with duplicate ACLs under different names
if duplicate ACLs already exist on the device.
Hit count statistics are based on ACL, not on interface, so a shared
ACL provides statistics that are combined from all interfaces that
share the ACL.
Sharing ACLs is primarily beneficial for memory-constrained
devices such as the FWSM.
Let FWSM Decide When to Whether to have the Firewall Services Module (FWSM) automatically
Compile Access Lists determine when to compile access lists. Selecting this option might
increase deployment speed but traffic might be disrupted and the
system might become incapable of reporting ACL compilation error
messages. If you select this option, you can use the Optimize the
Deployment of Access Rules For Traffic setting to mitigate potential
traffic disruptions.
When deselected, Security Manager controls ACL compilation to avoid
traffic interruption and to minimize peak memory usage on the device.
Caution You should not select this option unless you are experiencing
deployment problems and you are an advanced user.
Element Description
Allow Download on Error Whether deployments to devices should continue even if there are
minor device configuration errors.
Remove Unreferenced Whether Security Manager should remove object groups that are not
Object Groups from Device being used by other CLI commands from devices during deployment.
(PIX, ASA, FWSM, IOS
Tip Network/host objects that include object NAT configurations
12.4(20)T+)
on ASA 8.3+ devices are never considered unreferenced.
Create Object Groups for Whether Security Manager should create object groups, such as
Policy Objects (PIX, ASA, network objects and service group objects, to replace comma-separated
FWSM, IOS 12.4(20)T+) values in a rule table cell for the indicated devices. When deselected,
Security Manager flattens the object groups to display the IP addresses,
Create Object Groups for
sources and destinations, ports, and protocols for these devices.
Multiple Sources,
Destinations or Services in a Tip These options do not apply to host, network, or address range
Rule (PIX, ASA, FWSM, network/host objects, or to service objects (as opposed to
IOS 12.4(20)T+) service group objects), which are always created as objects.
Optimize Network Object If you select this option, you can also select these options:
Groups During Deployment
(PIX, ASA, FWSM, IOS Create Object Groups for Multiple Sources, Destinations or
12.4(20)T+) Services in a RuleWhether to automatically create network
objects and service objects to replace comma-separated values in a
rule table cell that resulted when multiple rules were combined.
The objects are created during deployment. For more information,
see Combining Rules, page 12-19.
Optimize Network Object Groups During DeploymentWhether
to optimize network object groups by making them more succinct.
For more information on optimizing policy objects, see Optimizing
Network Object Groups When Deploying Firewall Rules,
page 12-30.
Remove Unreferenced Whether to delete any access lists that are not being used by other CLI
Access-lists on Device commands from devices during deployment.
Save Changes Permanently Whether to save the running configuration to the startup configuration
on Device (using the write memory command) after deploying a configuration to
a device. This applies to PIX, FWSM, ASA, or Cisco IOS devices. If
you deselect this check box, the startup configuration is not changed,
which means your configuration changes will be lost if the device
reloads for any reason.
Generate ACL Remarks Whether to display ACL warning messages and remarks during
During Deployment deployment.
Preselect Devices with Whether the list of changed devices you see when you create a
Undeployed Changes deployment job has all changed devices preselected. If you deselect this
option, users must manually select the devices to include in the
deployment job.
Enable Auto Refresh in Whether the deployment job and schedule status information should be
Deployment Main Panel automatically refreshed in the Deployment Manager window. If you
deselect this option, you must click the Refresh button to refresh the
information manually.
Element Description
Remove Unreferenced SSL Whether to have Security Manager delete files related to the SSL VPN
VPN Files on Device configuration from the device if the files are no longer referred to by the
devices SSL VPN configuration. If you deselect this option, unused
files remain on the device after deployment.
Mask Passwords and Keys The conditions, if any, under which Security Manager will mask the
When Viewing Configs and following items so that they cannot be read: passwords for users, enable
Transcripts mode, Telnet, and console; SNMP community strings; keys, including
those for TACACS+, Preshared Key, RADIUS server, ISAKMP,
Mask Passwords and Keys
failover, web VPN attributes, logging policy attributes, AAA, AUS,
When Deploying to File
OSPF, RIP, NTP, logging FTP server, point-to-point protocol, Storage
Key, single sign-on server, load balancing, HTTP/HTTPS proxy, and
the IPSEC shared key.
Mask Passwords and Keys When Viewing Configs and
TranscriptsThis option affects only the screen display of the
credentials, which guards against unauthorized personnel viewing
them. If you do not select this option, credentials in full transcripts
might still be masked depending on how the device handles them.
Mask Passwords and Keys When Deploying to FileThis option
affects the contents of configuration files that are deployed to file,
making them undeployable to actual devices. Select this option
only if you will never need to actually deploy these configurations
to real devices. Selecting this option has no effect on whether
credentials are masked when viewed.
Save button Saves and applies changes.
Reset button Resets changes to the last saved values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Select Tools > Security Manager Administration and select Device Communication from the table of
contents.
Related Topics
Adding Devices to the Device Inventory, page 3-6
Chapter 3, Managing the Device Inventory
Field Reference
Element Description
Device Connection Parameters
Device Connection Timeout The number of seconds that Security Manager has to establish a
connection with a device before timing out.
Retry Count The number of times that Security Manager should try to establish a
connection to a device before concluding that the connection cannot be
completed. The default value is 3.
Socket Read Timeout For SSH and Telnet sessions, the maximum number of seconds Security
Manager can wait for incoming data before concluding that the
connection is lost.
Transport Protocol (IPS) The default transport protocol for IPS sensors and routers that include
the IPS feature. The default is HTTPS.
Transport Protocol (IOS The default transport protocol for routers that run Cisco IOS software
Routers 12.3 and above) release 12.3 and above. The default is HTTPS.
Transport Protocol (Catalyst The default transport protocol for Catalyst 6500/7600 devices and all
Switch/7600) other Catalyst switches, regardless of the Cisco IOS software version
running on the devices. The default is SSH.
Transport Protocol (IOS The default transport protocol for routers that run Cisco IOS software
Routers 12.2, 12.1) releases 12.1 and 12.2. The default is Telnet.
Connect to Device Using The type of credentials Security Manager should use when accessing
devices. For more information, see Understanding Device Credentials,
page 3-4.
Security Manager User Login CredentialsSecurity Manager
contacts the device using the credentials that you entered while
logging in to Security Manager. The same set of credentials are
used for all devices regardless of the credentials configured for
each device on the Device Credentials page.
Security Manager Device CredentialsSecurity Manager
contacts the device using the credentials specified in the Device
Properties Credentials page. This is the default.
Element Description
SSL Certificate Parameters
Device Authentication How to handle device authentication certificates for SSL (HTTPS)
Certificates (IPS) communications. You can configure different behaviors for different
Device Authentication types of devices, but the settings have the same meaning:
Certificates (Router) Retrieve while adding devicesSecurity Manager automatically
obtains certificates from the devices while you add devices from
PIX/ ASA/ FWSM Device
the network or from an export file.
Authentication Certificates
Manually add certificatesSecurity Manager does not
Add Certificate button
automatically accept certificates from the device. Click Add
Certificate to open the Add Certificate dialog box (see Add
Certificate Dialog Box, page 11-15) where you can manually add
the thumbprint before you try to add the device from the network
or from an export file. You can also add certificates for devices that
you create manually from the Device Properties Credentials page
to be successful. For more information, see Manually Adding SSL
Certificates for Devices that Use HTTPS Communications,
page 9-4.
Do not use certificate authenticationSecurity Manager ignores
device authentication certificates. This option leaves your system
vulnerable to third-party interference with device validation. We
recommend that you do not use this option.
Accept Device SSL For devices that use SSL, whether to obtain the certificate installed on
Certificate after Rollback an IPS device, firewall device, FWSM, ASA, or Cisco IOS router from
the device when you roll back the configuration on the device.
Element Description
HTTPS Port Number The default port number that the device uses for secure communication
with Security Manager (as well as other management applications that
use these protocols). This value overrides the HTTPS port number that
you configure in the HTTP policy for a device.
Note If you configure the local HTTP policy to be a shared policy and
assign the HTTP policy to multiple devices, the HTTPS port
number setting in the shared policy overrides the port number
configured in the Device Properties Credentials page for all
devices to which the policy is assigned.
Navigation Path
Select Tools > Security Manager Administration, select Device Communication from the table of
content, and click Add Certificate.
Field Reference
Element Description
Host Name or IP Address The hostname or IP address of the device for which you are adding the
certificate.
Certificate Thumbprint The certificate thumbprint, which is a string of hexadecimal digits that
is unique to the device.
Navigation Path
Select Tools > Security Manager Administration, then select Device Groups from the table of
contents.
Related Topics
Understanding Device Grouping, page 3-52
Working with Device Groups, page 3-52
Field Reference
Element Description
Groups Displays the device groups and group types.
To rename a group or type, select it and then click it again to make the
text editable. Type in the new name and press Enter.
Add Type button Click this button to create a new group type. The type is added with a
default name. Overtype the name and press Enter.
Add Group to Type button Click this button to add a device group to the selected device group or
group type.
Delete button (trash can) Click this button to delete the selected device group or group type and
all device groups that it contains. Deleting a device group or group type
does not delete any devices it contains.
Save button Saves your changes.
Reset button Restores all fields to their previous values.
Navigation Path
Select Tools > Security Manager Administration and select Device OS Management from the table
of contents.
Related Topics
Resource Manager Essentials Documentation
Managing the Device Operating System, page 3-52
Field Reference
Element Description
RME server address The IP address or fully-qualified hostname of the RME server.
For information on the RME version supported for use with Security
Manager, see the Release Notes for Cisco Security Manager for this
version of the product.
Connect using https Whether to connect to the RME server using SSL.
Save button Saves your changes.
Reset button Restores all fields to their previous values.
Restore Defaults button Resets values to Security Manager defaults.
Discovery Page
Use the Discovery page to define how Security Manager should handle certain types of objects or events
during inventory and policy discovery. You can also control how long Security Manager keeps discovery
tasks.
Navigation Path
Select Tools > Security Manager Administration and select Discovery from the table of contents.
Field Reference
Element Description
Prepend Device Name when Whether the name of the device that contains the security context
Generating Security Context should be added to the front of the security contexts name. For
Names example, if a security context is named admin, and it is contained in the
device with the display name 10.100.15.16, the name that will appear
in the Device selector is 10.100.15.16_admin.
If you do not prepend the device name, the security context name
appears in the inventory by itself. Because Security Manager does not
place security contexts in a folder related to the parent device, the only
way to easily see contexts that are related to a device is to prepend the
device name.
If you do not prepend device names, Security Manager adds a
numbered suffix to distinguish identically named devices. For example,
if the admin context exists in more than one firewall, you will see
admin_01, admin_02, and so on, in the Device selector.
Purge Discovery Tasks Older The number of days to save discovery and device-import tasks. Tasks
Than older than the number of days you enter are deleted.
Reuse Policy Objects for Whether to substitute any named policy objects, such as network/host
Inline Values objects already defined in Security Manager, for inline values in the
CLI. For more information on policy objects, see Chapter 6, Managing
Policy Objects.
Allow Device Override for For certain types of objects, whether to allow users to override the
Discovered Policy Objects parent object values at the device level for policy objects that are
discovered. If you select this option, if you run policy discovery on a
device that has an ACL with the same name as an ACL policy object in
Security Manager, the name of the discovered policy object is reused,
but a device-level override is created for the object. If you deselect this
option, a new policy object is created with a number appended to the
name.
Tip For objects that have subtypes, such as network/host and
service, overrides are limited to within a type. For example, an
override can be created for a network/host group when
discovering a same-named network/host group, but no override
would be created when discovering a same-named network/host
address range. Instead, the newly-discovered object will have a
number appended to the name.
Element Description
Auto-Expand Object Groups Expands object groups with the listed prefixes during the device import
with Prefixes process. Separate the prefixes with a comma. This expansion causes the
elements of the object group to display as separate items in the
discovered policies. For more information, see Expanding Object
Groups During Discovery, page 12-31.
Tip This option does not apply to policy objects created from the
object network or object service commands from ASA 8.3+
devices. These commands create host, network, or address
range network/host objects or service objects.
Save button Saves your changes.
Reset button Resets changes to the previously applied values.
Restore Defaults button Resets values to Security Manager defaults.
Tip If you get a message that Event Viewer is unavailable when you select Tools > Event Viewer, but the
Enable Event Management option is selected on this page, try restarting the Event Manager Service.
First, deselect the Enable option and click Save. Wait for the service to stop. Then, select the Enable
option, click Save, and wait for the service to finish restarting. You can then try opening Event Viewer
again.
Navigation Path
Click Tools > Security Manager Administration and select Event Management from the table of
contents.
Field Reference
Element Description
Enable Event Management Whether to enable the Event Manager Service, which allows Security
Manager to collect ASA and IPS event information. If you disable this
feature, you cannot use the Event Viewer application.
Tip If you change this setting and click Save, you are prompted to
confirm that you want to start or stop the Event Manager
Service. If you click Yes, the service is started or stopped
immediately, and you are shown a progress indicator and told
when the change is completed. Wait until the status change is
completed before continuing.
Element Description
Event Data Store Location The directory to use for collecting event information. Click Browse to
select a directory on the Security Manager server.
If the directory does not yet exist, create it in Windows Explorer. You
cannot create the directory from within Security Manager.
Tip If you change the location after you have started using the Event
Manager service, you cannot query old events.
Event Data Store Disk Size The amount of disk space you want to allocate for storing event data, in
gigabytes (GB). Before changing this setting, consider the following:
If you reduce the size below the amount of disk space already used
by event data, the oldest events are deleted until your new size limit
is reached.
You can see a visual representation of the amount of space
currently used for event data. Open the Event Viewer (Tools >
Event Viewer), then from Event Viewer, select Views > Show
Event Store Disk Usage.
Event Syslog Capture Port The port on which you want to enable syslog event capture. The default
is 514.
You must ensure that the Security Manager server, and intervening
firewalls, allow incoming traffic on this port for Security Manager to
collect the events. Managed devices must be configured to send syslog
information to this port on the Security Manager server.
Tip If you change this port, you must also change the Syslog
Servers policies for all ASA devices that send events to
Security Manager. For more information, see Syslog Servers
Page, page 44-20.
Event Data Pagination Size The maximum number of events each query response can contain. The
default is 20000, but you can select a different size from the list of
supported values.
Save button Saves and applies changes.
Most changes require that the Event Manager service briefly stop and
then restart. If you change whether the service is enabled, it stops or
starts, as appropriate. You are shown a progress indicator.
Reset button Resets changes to the last saved values.
Restore Defaults button Resets values to Security Manager defaults.
Tips
To apply IPS updates manually, select Tools > Apply IPS Update. For more information, see
Manually Applying IPS Updates, page 10-9.
If you later decide that you did not want to apply a signature update, you can revert to the previous
update level by selecting the Signatures policy on the device, clicking the View Update Level
button, and clicking Revert.
Navigation Path
Select Tools > Security Manager Administration and select IPS Updates from the table of contents.
Related Topics
Configuring the IPS Update Server, page 10-5
Checking for IPS Updates and Downloading Them, page 10-6
Automating IPS Updates, page 10-7
Selecting a Signature Category for Cisco IOS IPS, page 38-6
Field Reference
Element Description
Update Status group Displays the following items. Click Refresh to update the information.
Refresh button Latest AvailableThe most recent signature and sensor update
available on Cisco.com or the local HTTP server when you last
checked for updates.
Latest DownloadedThe most recent signature and sensor update
downloaded to Security Manager.
Latest AppliedThe most recent signature and sensor update
applied to any device in Security Manager.
Latest DeployedThe most recent signature and sensor update
deployed to any device in Security Manager.
Last Check OnThe time that the last check of Cisco.com was
performed.
Last Download OnThe time that the last update was downloaded
to Security Manager.
Last Deployed OnThe time that the last update was deployed to
any of the devices.
Element Description
Check for Updates button These buttons check for updates, or download signature and sensor
Download Latest Updates updates that have not already been downloaded to the Security Manager
button server, from the IPS Update server. You must configure an IPS Update
server before checking for updates or downloading them (click Edit
Settings in the Update Server group).
When you click one of these buttons, a dialog box opens to display the
results of the operation. Security Manager logs into the IPS Update
server, checks for updates, and downloads them if you clicked the
Download button. If a Cisco.com download fails, ensure that the
account you are using has applied for eligibility to download strong
encryption software. For details, see the description of User Name in
Edit Update Server Settings Dialog Box, page 11-24.
Tip If you configure a server, and then try to check for updates, and
you are told you did not configure a server, click Save at the
bottom of the page and try again.
Update Server group Displays the settings used to access Cisco.com or the local server that
contains the IPS update packages. The fields indicate whether the
update server is Cisco.com or a locally-configured HTTP server, the
name of the local server if you are using one, the user account for
logging into the server, and the name of the proxy server, if any. To
configure or change the IPS Update server, click Edit Settings to open
the Edit Update Server Settings dialog box (see Edit Update Server
Settings Dialog Box, page 11-24).
For more information, see Configuring the IPS Update Server,
page 10-5
Auto Update Settings group Contains the settings specific to automatic updates. For more
information, see Automating IPS Updates, page 10-7.
Element Description
Auto Update Mode Establishes whether, and to what extent, automatic updates are
performed. Contains the following options:
Download, Apply, and Deploy Updates
Disable Auto Update
Check for Updates
Download Updates
Download and Apply Updates
By default, auto update is disabled. The other options are a combination
of one or more of the following options:
Check for UpdatesSecurity Manager contacts the IPS Update
server to check if an update is available and sends e-mail if e-mail
notification is configured. No files are downloaded.
Download UpdatesSecurity Manager downloads the latest
updates from the IPS Update server, and sends e-mail notification
if e-mail notification is configured.
Apply UpdatesSecurity Manager modifies the configuration of
the devices selected in the Apply Update To list based on the
downloaded update packages. You have to separately deploy these
updates unless you also select Deploy Updates.
Deploy UpdatesSecurity Manager starts a deployment job to
send the applicable update packages to the devices selected in the
Apply Update To list. The device must have the required license for
a signature update to be successful.
Check for Updates The schedule for the actions selected in the Auto Update Mode field.
To change the schedule, click Edit Update Schedule and define the
Edit Update Schedule button
schedule in the Edit IPS Updates Schedule dialog box. You can specify
that Security Manager perform the updates based on hourly, daily,
weekly, or monthly schedules, or specify a one-time event. When
entering the start time, use the 24-hour clock and the hh:mm format.
Notify Email The e-mail address to which notifications of automatic updates are sent.
If you enter more than one address, separate the addresses with
commas. A notification is sent when an update:
Is available for download.
Has been downloaded.
Has been downloaded and applied.
Has been downloaded, applied, and deployed.
Element Description
Apply Update To The selector includes the IPS devices that have local signature policies
Type and the shared signature policies that are defined in Security Manager.
The columns in the selector indicate whether a local device policy or a
Edit Row button shared policy is selected for these types of updates:
Devices to be Auto Updated SignatureFor auto updating the signature update level.
MinorFor minor updates and service packs.
S.P.For service pack updates.
For shared policies, a partial grey checked box indicates that some, but
not all, of the devices that use the policy are selected. If you change the
devices assigned to the shared policy between automatic update events,
the shared policy is grayed out, and only the old assignments are shown
on this page. After the update runs, the assignment list will be
synchronized with the shared policy device assignments. To update the
device list proactively prior to the next auto update run, select the
policy and edit it (to select auto update settings), and the device
assignment list will be corrected.
Use the Type field to toggle between viewing local and shared policies.
Changing the view does not change your auto update selections.
To select a local or shared policy for auto update, select it in the selector
and click the Edit Row button below the selector. This opens the Edit
Auto Update Settings dialog box, where you can select the types of
updates for the policy. When you select any type of auto update for a
policy, the affected devices are listed in the Devices to be Auto
Updated list to the right of the selector.
Save button Saves your changes.
Reset button Resets changes to the last saved values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Select Tools > Security Manager Administration > IPS Updates and click Edit Settings in the Update
Server group.
Field Reference
Element Description
Update From Whether to get IPS updates from Cisco.com or from a local
HTTP/HTTPS server. Your selection changes the fields on the dialog
box.
If you select local, you must configure an HTTP or HTTPS server to
use as the IPS update server.
IP Address/ Host Name The hostname or IP address of the local IPS update web server.
(Local server only.)
Web Server Port The port number that your local server listens to for connection
requests. The default is 80.
(Local server only.)
User Name The username to log into the IPS update server. If you are configuring
a local server that does not require a user login, leave this field blank.
If you are specifying a Cisco.com username, the user account on
Cisco.com must be eligible for downloading strong encryption
software. If you are not certain that the account has the required
permissions, use the account to log into Cisco.com and try to download
an IPS update file
(http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system). If the
account does not have the appropriate permissions, you are prompted
to read and accept the required conditions. If you meet the eligibility
requirements, you can accept them. Otherwise, talk to your Cisco sales
representative for help.
Password The password for the specified username, entered in both fields. If you
Confirm are configuring a local server that does not require a password, leave
these fields blank.
Path to Update Files The path to the IPS update files location on your local server. For
example, if update files can be accessed at
(Local server only.)
http://local-server-ip:port/update_files_path/, then enter
update_files_path in this field.
Connect Using HTTPS Whether to use SSL when connecting to the local IPS Update server.
(Local server only.)
Certificate Thumbprint Displays the certificate thumbprint after it is calculated from the
certificate on the local server.
Retrieve From Server Used to connect to the local server specified in this dialog box, retrieve
the certificate from the local server given, and calculate the certificate
thumbprint, which is displayed in the Certificate Thumbprint field.
Proxy Server Group
Enable Proxy Server Whether a proxy server is needed to connect to Cisco.com or to your
local server.
Element Description
IP Address/ Host Name The hostname or IP address of the proxy server.
You can configure the proxy server to use basic, digest, NT LAN
Manager (NTLM) V1, or NTLM V2 authentication. NTLM V2 is the
most secure scheme.
Web Server Port The port number that the proxy server listens to for connection
requests. The default is 80.
User Name The username to log into the proxy server. If the proxy server does not
require a user login, leave this field blank.
Password The password for the specified username, entered in both fields. If the
proxy server does not require a password, leave these fields blank.
Confirm
Navigation Path
Select a device or policy on in the Apply Update To table on the IPS Updates page (see IPS Updates
Page, page 11-20) and click the Edit Row button.
Field Reference
Element Description
Auto Update The type of sensor updates to apply to the selected devices or shared
(IPS sensors and shared policies. You can apply both minor updates and service packs, service
policies only) packs only, or select None to apply no sensor updates automatically.
Auto Update Signature Whether to select the device or policy for automatic signature updates.
Update Level
Licensing Page
Use the Licensing page to manage licenses for the Security Manager application and for IPS devices.
For more information, see Managing Licenses, page 10-2.
Navigation Path
Select Tools > Security Manager Administration and select Licensing from the table of contents.
Field Reference
Element Description
CSM tab The license settings for the Security Manager application. For a
description of the fields on this tab, see CSM Tab, Licensing Page,
page 11-27.
IPS tab The license settings for IPS devices managed by Security Manager. For
a description of the fields on this tab, see IPS Tab, Licensing Page,
page 11-27.
Navigation Path
Select Tools > Security Manager Administration, select Licensing from the table of contents, and
click CSM.
Field Reference
Element Description
License Information Displays information about the license registered with the product: the
edition, license type, expiration date, the number of licensed devices,
the number of devices in use, and the percentage of the device count
used.
Install License The list of installed licenses with their installation dates.
Install a License button Click this button to install a license file. The dialog box that is opened
includes links to Cisco.com, where you can obtain licenses if you have
not already obtained them. You must copy license files to a local drive
on the Security Manager server before you can install them.
Navigation Path
Select Tools > Security Manager Administration, select Licensing from the table of contents, and
click IPS.
Related Topics
Updating IPS License Files, page 10-3
Redeploying IPS License Files, page 10-4
Automating IPS License File Updates, page 10-4
License Update Status Details Dialog Box, page 11-30
Filtering Tables, page 1-33
Field Reference
Element Description
IPS License Table Displays all the IPS devices in the device inventory and their license
status as of the last time you refreshed the information. Click the
Refresh button to obtain the latest information from the devices.
Information includes the serial number for the device, which is used to
register for licenses, the license status, and the expiration date of the
license. The list shows not only current licenses, but also unlicensed
devices, devices with expired licenses, and devices with invalid
licenses.
Tip The list does not include Cisco IOS IPS devices. You cannot use
Security Manager to manage licenses for routers running IPS.
Update Selected via CCO Click this button to update the license file for the selected devices by
button connecting to Cisco.com and retrieving a new license. When you click
this button, a dialog box opens listing devices that can be updated from
Cisco.com, which might not be all the devices you selected. Click OK
to perform the update. For successful updates, the updated file is
automatically applied to the device.
To successfully update the license using this method, you must have a
Cisco.com support contract that includes the serial numbers of the
selected devices.
Redeploy Selected Licenses Click this button to redeploy licenses to the selected devices.
button Redeploying licenses might be necessary when you have obtained an
updated license file and it was not applied to the device successfully
during an automatic update.
When you click this button, a dialog box opens listing devices whose
licenses you are redeploying. Click OK to perform the update. For
successful updates, the updated file is automatically applied to the
device.
Update from License File Click this button to update licenses by selecting a license file from the
button Security Manager server. When you click this button, a dialog box
opens where you can specify the license files. Click Browse to select
the files, which must be on a local drive on the Security Manager server.
When you click OK, the updated files are automatically applied to the
devices.
Export button Click this button to export the license list to a comma-separated values
(CSV) file. You are prompted to select the folder on the Security
Manager server and to specify a file name.
Element Description
Refresh button Click this button to refresh the data in the IPS license table.
Download and apply licenses Whether to automatically download IPS licenses from Cisco.com and
automatically apply them to the devices. Specify how frequently Security Manager
should check for new licenses in the Check field:
Check
DailyOnce a day at midnight
WeeklyOnce a week at midnight on Sunday
MonthlyOnce a month at midnight on the first day of the month.
To successfully configure automatic updates, you must have a
Cisco.com support contract that includes the serial numbers of your IPS
devices.
The results of automatic updates are sent by e-mail to the user
configured for IPS Update notifications on the administration settings
IPS Update page. For information on setting the e-mail address, see IPS
Updates Page, page 11-20.
Navigation Path
To open these dialog boxes, select one or more device on the Tools > Security Manager
Administration > Licensing > IPS tab and click Update Selected via CCO or Redeploy Selected
Licenses.
Field Reference
Element Description
Progress bar Indicates what percentage of the license update task on the current
device has been completed.
Status The current state of the update task.
Devices to be updated The total number of devices being updated during this task.
Devices updated successfully The number of devices updated without errors.
Devices updated with errors The number of devices that generated errors during the update.
Device list The devices that are being updated, including the device name, the
status of the update, and summary information about the update. Select
a device to see the messages generated during the update for that device
in the message list below the summary list.
Messages list The messages generated during the license update for the selected
device. Select a message to see detailed information in the fields to the
right of the list.
Description Additional information about the message selected in the message list.
Action The steps you should take to resolve the described problem.
Abort button Aborts the license update task.
Logs Page
Use the Logs page to configure the default settings for the audit and operations logs. The audit log keeps
a record of all state changes that occur in Security Manager.
Navigation Path
Select Tools > Security Manager Administration and select Logs from the table of contents.
Related Topics
Using the Audit Report Window, page 10-12
Understanding Audit Reports, page 10-11
Generating the Audit Report, page 10-12
Field Reference
Element Description
Keep Audit Log For The maximum number of days to save audit report entries before
deleting them. If the number of entries in the log exceeds the number
Purge Now button
entered in the Purge Audit Log After field, old log entries might be
deleted before they reach this age.
If you reduce the number of days, you can click Purge Now to
immediately delete the older entries.
Purge Audit Log After The maximum number of audit report entries to save. If an entry
(entries) becomes older than the number of days specified in the Keep Audit Log
For field, it is deleted even if the log has fewer than the maximum
number of entries.
Keep Operation Log For The number of days that Security Manager keeps operation logs before
deleting them. These logs are used for debugging purposes.
Log Level The level of information, according to severity, that you would like
collected in the operation logs. Each level collects different amounts of
data. For example, the Info level yields the most data, and the Severe
level collects the least.
Save button Saves your changes.
Reset button Resets changes to the previously applied values.
Restore Defaults button Resets values to Security Manager defaults.
Unmanaged policies are removed from both Device view and Policy view. Any unmanaged policies,
local or shared, are removed from the Security Manager database. The only exception is interface
policies, which continue to appear in Security Manager but are marked as read-only policies. For firewall
devices, interface and failover settings are considered a unit and are managed or unmanaged together.
For detailed information on managing and unmanaging policy types, including what you should do
before and after changing these settings, see Customizing Policy Management for Routers and Firewall
Devices, page 5-10.
Caution If you use AUS or CNS to deploy configurations to ASA or PIX devices, be aware that the device
downloads a full configuration from AUS or CNS. Thus, reducing the policies managed by Security
Manager actually removes the configurations from the device. If you intend to deselect some ASA/PIX
policies for management to use other applications along with Security Manager to configure devices, do
not use AUS or CNS.
Navigation Path
Select Tools > Security Manager Administration and select Policy Management from the table of
contents.
Field Reference
Element Description
Policies to Manage The policy types are organized in folders, with router and firewall
(which includes all ASA, PIX, and FWSM devices) handled separately,
and then by category (NAT, Interfaces, and Platform). Select or deselect
policy types as desired and click Save. Deselecting the check box for a
group of policies deselects all policies in that group. By default, all
policies are selected.
Save button Saves your changes.
If you are unmanaging a policy, you are shown a list of devices that
have the policy assigned to them. Security Manager must be able to
obtain the required locks to unassign the policy from all devices, or you
must manually unassign the policies (or remove the locks) before
unmanaging the policy.
If you are managing a previously unmanaged policy, be sure to
rediscover all affected devices to bring the existing configurations into
Security Manager.
Reset button Resets changes to the previously applied values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Select Tools > Security Manager Administration and select Policy Objects from the table of contents.
Related Topics
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Chapter 6, Managing Policy Objects
Field Reference
Element Description
When Redundant Objects The action you want Security Manager to take when you try to create a
Detected policy object that has the same definition as an existing object:
IgnoreYou can freely create objects with identical definitions.
Any conflicts are ignored by Security Manager.
WarnSecurity Manager displays a warning if you attempt to
create an object that is identical to an existing object. You may
proceed to create the object, if you wish.
EnforceSecurity Manager prevents you from creating an object
that is identical to an existing object. An error message is
displayed.
Default Source Ports The port range value that is used as the default source port range for
service objects. You can choose one of the following:
Use all portsIncludes all ports from 1 to 65535.
Use secure portsIncludes all ports from 1024 to 65535.
If you change the default source ports, you must manually redeploy any
previously deployed devices that might be affected. These changes
might not be reflected in any open activities until you refresh the data.
For more information on port list objects, see Configuring Port List
Objects, page 6-71.
Enable AutoComplete Whether to have Security Manager list matching service and port list
Dropdown Box names as you type them when you create a service. You can then easily
select from names you have already defined. If you deselect
AutoComplete, you have to remember the complete service and port list
names and type them in yourself.
Save button Saves your changes.
Reset button Resets changes to the previously applied values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Select Tools > Security Manager Administration and select Rule Expiration from the table of
contents.
Field Reference
Element Description
Notify Email The default e-mail address that should receive notifications of rule
expiration. Users can override this address when configuring individual
rules.
Notify Before Expiration The default number of days before a rule expires that Security Manager
should send the e-mail message. Users can override this value when
configuring individual rules.
Sender The e-mail address that Security Manager will use for sending e-mail
notifications.
Email Format The format of the e-mail message:
TextThe e-mail is sent in HTML and plain text formats.
XMLThe e-mail is sent using an XML markup. This option
might be appropriate if you decide to write a program to
automatically process and respond to notifications.
Save button Saves your changes.
Reset button Restores all fields to their previous values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Select Tools > Security Manager Administration and select Server Security from the table of
contents.
Field Reference
Element Description
AAA Setup button Opens Common Services and displays the AAA Mode Setup page.
From this page, you can set AAA as your fallback sign-on method. For
more information about AAA, click Help from the AAA Mode Setup
page.
Certificate Setup button Opens Common Services and displays the Self-Signed Certificate
Setup page. CiscoWorks enables you to create self-signed security
certificates, which you can use to enable SSL connections between
your client browser and management server. For more information
about self-signed certificates, click Help from the Certificate Setup
page.
Single Sign On button Opens Common Services and displays the Single Sign-On Setup page.
With Single Sign On (SSO), you can use your browser session to
transparently navigate to multiple CiscoWorks servers without having
to authenticate to each of them. Communication between multiple
CiscoWorks servers is enabled by a trust mode addressed by certificates
and shared secrets. For more information about setting up SSO, click
Help from the Single Sign-On page.
Local User Setup Opens Common Services and displays the Local User Setup page, from
which you can add and delete users, edit user settings, and assign roles
or permissions. For more information, click Help from the Local User
Setup page and see the Installation Guide for Cisco Security Manager.
System Identity Setup Opens Common Services and displays the System Identity Setup page.
Communication between multiple CiscoWorks servers is enabled by a
trust mode addressed by certificates and shared secrets. System Identity
setup helps you to create a trust user on servers that are part of a multi-
server setup. For more information about system identity setup, click
Help from the System Identity Setup page.
Status Page
Use the Status page to select the providers that will provide status to users when they view their
inventory status by selecting Tools > Inventory Status. The status is displayed on the Status tab in the
Inventory Status window.
By default, Security Manager provides status on deployment to the devices, but you can add
Performance Monitor servers if you use them to monitor your network.
Navigation Path
Select Tools > Security Manager Administration and select Status from the table of contents.
Related Topics
Configuring Status Providers, page 60-9
Inventory Status Window, page 60-11
Viewing Inventory Status, page 60-9
Field Reference
Element Description
Display Deployment Status Whether to include the status of deployment jobs that include the
device.
Providers table The Performance Monitor servers that are registered with Security
Manager. You can add up to five servers.
The provider name appears in the Inventory Status window on the
Status tab for individual devices, indicating the server that provided the
status. The short name is a nickname.
To add a Performance Monitor server to the list, click the Add (+)
button and fill in the Add or Edit Status Provider Dialog Box,
page 11-36.
To edit a servers properties, select it and click the Edit (pencil)
button.
To delete a server, select it and click the Delete (trash can) button.
Use the Status cell to change whether Security Manager actively
polls the server for status. Select Enabled to actively poll the
server, or Disabled to suspend polling the server without having to
delete the provider entry.
Save button Saves your changes.
Reset button Resets changes to the last saved values.
Navigation Path
From the Tools > Security Manager AdministrationStatus Page, page 11-35, click the Add (+) button
beneath the providers table, or select a provider and click the Edit (pencil) button.
Field Reference
Element Description
Provider name The name of the service provider, for example, Performance Monitor.
You can enter up to 128 characters. Valid characters are: 0-9; uppercase
A-Z; lowercase a-z; and the following characters: - _ :. and space.
Server The IP address or fully-qualified host name of the Performance Monitor
server. The host name can be up to 128 characters.
Short Name The short name for the provider name.
Element Description
Port The port number that Security Manager should use to communicate
with the Performance Monitor server. The default is 443.
Poll Cycle The number of minutes the firewall device will wait between polling
Performance Monitor for new information. The default is 600 seconds
(10 minutes). The minimum time is 60 seconds.
Username The username for logging in to Performance Monitor.
Password The password for logging in to Performance Monitor. In the Confirm
field, enter the password again.
URN The uniform resource name for Performance Monitor. URN is the name
that identifies the resource on the Internet. URN is part of a URL, for
example, /mcp/StatusServlet. The full URL could be:
https://:<server ip> :443/mcp/StatusServlet
where:
<server ip> is the IP address of Performance Monitor.
443 is the port number Performance Monitor listens to.
/mcp/StatusServlet is the URN of the Performance Monitor.
Status Whether the server is enabled for providing status to Security Manager.
If you select Disabled, the server is added to the status providers list,
but Security Manager does not poll it for status.
Navigation Path
Select Tools > Security Manager Administration and select Take Over User Session from the table
of contents.
Navigation Path
Select Tools > Security Manager Administration and select Token Management from the table of
contents.
Related Topics
Deploying Configurations to a Token Management Server, page 8-41
Understanding Deployment Methods, page 8-8
Field Reference
Element Description
Server Name or IP Address The DNS hostname or IP address of the TMS server.
Username The username Security Manager should use to log on to the TMS
server.
Password The password for the username. Enter the password in both fields.
Confirm Password
Directory in the TMS Server The directory on the TMS server where deployed configuration files
for Config Files will be downloaded. The root FTP directory (.) is the default FTP
location on the TMS server.
Public Key File Location The location of the public and private key files on the Security Manager
server, as copied from the TMS server. Security Manager uses the
public key to encrypt data sent to the TMS server. Then the server uses
its private key to decrypt the data. Security Manager comes with a
default public key that matches the default private key on the server.
Note If needed, you can generate a new pair of public and private
keys using the TMS server. If you do this, you need to copy the
new public key to the Security Manager server.
Save button Saves your changes.
Reset button Resets changes to the last saved values.
Restore Defaults button Resets values to Security Manager defaults.
Navigation Path
Select Tools > Security Manager Administration and select VPN Policy Defaults from the table of
contents.
Related Topics
Assigning Initial Policies (Defaults) to a New VPN Topology, page 21-55
Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices),
page 26-14
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-11
Field Reference
Element Description
DMVPN tab Lists the policy types for which you can configure default policies for
the Dynamic Multipoint VPN technology.
Large Scale DMVPN tab Lists the policy types for which you can configure default policies for
the Large Scale Dynamic Multipoint VPN technology.
Easy VPN tab Lists the policy types for which you can configure default policies for
the Easy VPN technology.
IPsec/GRE tab Lists the policy types for which you can configure default policies for
the IPsec/GRE VPN technology.
GRE Dynamic IP tab Lists the policy types for which you can configure default policies for
the GRE Dynamic IP VPN technology.
Regular IPsec tab Lists the policy types for which you can configure default policies for
regular IPsec VPN technology.
Element Description
GET VPN Lists the policy types for which you can configure default policies for
the Group Encrypted Transport (GET) VPN technology.
Remote Access VPN Lists the policy types for which you can configure default policies for
IPsec remote access VPNs.
S2S Endpoints tab The interface roles that define the default endpoints for internal and
external interfaces in site-to-site VPNs.
Workflow Page
Use the Workflow page to select the workflow mode that Security Manager enforces and to define the
default settings for activity and deployment job notifications and logging.
Before changing the workflow mode, read the following topics to understand how the modes differ and
the effects of changing the modes:
Working in Workflow Mode, page 1-12
Working in Non-Workflow Mode, page 1-13
Comparing the Two Workflow Modes, page 1-13
Changing Workflow Modes, page 1-20
Navigation Path
Click Tools > Security Manager Administration and select Workflow from the table of contents.
Related Topics
Chapter 4, Managing Activities
Chapter 8, Managing Deployment
Field Reference
Element Description
Workflow Control
Enable Workflow Whether to enable Workflow mode. When Workflow mode is enabled,
you can select whether to have an approver for activities and
deployment jobs.
Require Activity Approval Whether to require that activities be approved explicitly by an assigned
approver. For more information about the differences between working
with and without an approver, see Activity Approval, page 4-2.
Require Deployment Whether to require that deployment jobs be approved explicitly by an
Approval assigned approver. For more information about the differences between
working with and without an approver, see Understanding Deployment,
page 8-1.
Element Description
Email Notifications
Sender The e-mail address that Security Manager will use for sending e-mail
notifications.
Activity Approver The default e-mail address for the person responsible for approving
activities. Users can override this address when submitting an activity
for approval. For more information, see Submitting an Activity for
Approval (Workflow Mode with Activity Approver), page 4-15.
Job/Schedule Approver The default e-mail address of the person responsible for approving
deployment jobs or schedules. Users can override this address when
submitting a job or schedule for approval. For more information, see
Submitting Deployment Jobs, page 8-36.
Job Completion Notification The e-mail address of the person who should receive notification when
deployment jobs are completed. Users can override this address when
creating a deployment job.
Require Deployment Status Whether to have e-mail notifications sent whenever the status of a
Notification deployment job changes. If you select this option, enter the e-mail
addresses that should receive notification in the Job Completion
Include Job Deployer
Notification field. Separate multiple addresses with commas.
Job Completion Notification
You can also select Include Job Deployer to include the e-mail address
of the person who deployed the job on the notification e-mail message.
Workflow History
Keep Activity for The number of days that activity information should be kept in the
Activity table. The default is 30. You can specify from 1 to 180 days.
Click Purge Now to delete all activities older than the number of days
specified.
Keep Job for The number of days that deployment job information should be kept in
the Deployment Job table. The default is 30. You can specify from 1 to
180 days.
Click Purge Now to delete all jobs older than the number of days
specified.
Keep job per schedule for The number of days that deployment job information should be kept in
the Deployment Job table for each job schedule. This setting applies
only to jobs that were initiated by a schedule. The default is 30. You can
specify from 1 to 180 days.
Click Purge Now to delete all jobs older than the number of days
specified.
Save button Saves your changes.
Reset button Resets changes to the previously applied values.
Restore Defaults button Resets values to Security Manager defaults.
The Firewall policy folder (in either Device or Policy view) includes firewall-related policies that you
can deploy to the Adaptive Security Appliance (ASA), PIX Firewall (PIX), Catalyst Firewall Services
Module (FWSM), and security routers running Cisco IOS Software. These policies allow you to control
network access through a device.
This chapter contains the following topics:
Overview of Firewall Services, page 12-1
Managing Your Rules Tables, page 12-6
Zone-based firewall rulesThese rules replace access rules, inspection rules, and web filter rules
on IOS devices if you want to configure your rules based on zones instead of interfaces. A zone is
a defined group of interfaces that perform the same security role (such as Inside or Outside). By
using zone rules, you can create more compact device configurations than you can by using the other
types of rules. For more information, see Understanding the Zone-based Firewall Rules, page 18-3.
Botnet Traffic Filter RulesThese rules help you to spot botnet traffic when it is sent to known bad
addresses. Botnets install malware on unsuspecting computers and use those computers as proxies
to perform malicious actions. For more information, see Chapter 17, Managing Firewall Botnet
Traffic Filter Rules.
Transparent rulesThese are Ethertype access control rules that apply to non-IP layer-2 traffic on
transparent or bridged interfaces. For more information, see Configuring Transparent Firewall
Rules, page 19-1.
Most firewall rules policies are configured in rules tables. These tables allow in-line editing for most
cells, rule organization using sections, and the ability to change the order of rules. If you create shared
rules policies, you can apply them to a number of devices, even to devices running different operating
systems, and Security Manager automatically creates the appropriate device commands to configure the
policies based on the characteristics of each individual device, filtering out settings that do not apply to
a device. For more information on using rule tables, see Managing Your Rules Tables, page 12-6.
Another powerful feature used by most firewall rules policies is the idea of inheritance. When you create
shared policies, one of your options is to have a device inherit the policy rather than be assigned the
policy. This allows you to have a set of shared rules that apply to all devices, while having unique rules
that apply to only those devices that require them. For more information about inheritance, see the
following topics:
Understanding Rule Inheritance, page 5-4
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34.
The following topics provide additional overview information about firewall services policies:
Understanding the Processing Order of Firewall Rules, page 12-2
Understanding How NAT Affects Firewall Rules, page 12-3
ACL Names Preserved by Security Manager, page 12-4
Related Topics
Understanding AAA Rules, page 13-1
Understanding Access Rules, page 14-1
Understanding Inspection Rules, page 15-2
Understanding Web Filter Rules, page 16-1
Understanding the Zone-based Firewall Rules, page 18-3
Chapter 17, Managing Firewall Botnet Traffic Filter Rules
Configuring Transparent Firewall Rules, page 19-1
Note On ASA devices and on PIX devices not running version 6.3(x), Security Manager does not reuse the
ACL name if it is used by a NAT policy static rule and contains an object-group. The ACL is deployed
with the contents of the object-group defined as the source. This is because the device requires that all
ACEs in the ACL have the same source.
Tips
If you use an ACL policy object that uses a name also used by an ACL already defined on the device,
and the existing ACL is for a command that Security Manager does not support, you will get a
deployment error asking you to choose a different name. If this happens, rename the policy object.
ACLs named <number>_<number> are not valid on IOS devices. Security Manager strips off the
suffix prior to deployment. This also means that you cannot assign an IOS device more than one
ACL object with the same numbered prefix. However, named ACLs that have a numbered suffix are
allowed, for example, ACLname_1.
Numbered ACLs must use the correct number ranges for IOS devices. Standard ACLs must be in the
range 1-99 or 1300-1999. Extended ACLs must be in the range 100-199 or 2000-2699.
ACL names for IOS devices cannot begin with an underscore (_).
Policies that do not preserve user-defined names include SSL VPN policies, transparent firewall
rules, AAA rules (for IOS devices), and service policy rules (for ASA/PIX devices).
Tip During deployment, sometimes a suffix .n (where n is an integer) might get added to an ACL name if the
existing ACL cannot be edited in place. For example, if an ACL named acl_mdc_outside_10 already
exists on the device, a new ACL with the name acl_mdc_outside_10.1 is created if you do not remove
the old ACL before you deploy the new ACL.
User-defined sections (5)You can group rules into sections for your convenience. For more
information, see Using Sections to Organize Rules Tables, page 12-17.
Tools menu (7)Most rules table includes a Tools button that includes a list of additional tools you
can use when working with the policy.
Table buttons (8)Use the buttons below the table to do the following:
Find and replace items within rules (button with the binoculars icon)For more information,
see Finding and Replacing Items in Rules Tables, page 12-13.
Move and rearrange rules (up and down arrows)For more information, see Moving Rules and
the Importance of Rule Order, page 12-16.
Add rules to the table (+ icon)For more information, see Adding and Removing Rules,
page 12-8.
Edit the selected rule (pencil icon)For more information, see Editing Rules, page 12-9.
Delete the selected rule (trash can icon)For more information, see Adding and Removing
Rules, page 12-8.
Tip Rather than deleting a rule, consider first disabling the rule. By disabling a rule, you remove it from the
device (when you redeploy the configuration) without removing it from Security Manager. Then, if you
discover that you really needed that rule after all, you can simply enable it and redeploy the
configuration. If you delete the rule, you would have to recreate it (there is no undo function). Thus, you
might want to develop a policy of deleting rules only after they have been disabled for a certain amount
of time. For more information, see Enabling and Disabling Rules, page 12-17.
Related Topics
Using Rules Tables, page 12-7
Using Sections to Organize Rules Tables, page 12-17
Editing Rules
To edit an existing rule in any of the rules policies that use rules tables, select the rule and click the Edit
Row button, or right-click and select Edit Row. This allows you to edit all aspects of the selected rule.
Tip You cannot edit any aspect of an inherited rule from a local device rule policy. Edit inherited rules in
Policy view.
For most rule tables, you can also edit specific attributes, or table cells, instead of editing the entire rule,
using commands in the right-click menu.
The ability to edit a cell is limited by whether it makes sense to edit the content. For example, Inspection
Rules have many limitations based on how the rule is configured:
If you applied the rule to All Interfaces, you cannot edit source or destination addresses, the
interface, or the direction of the rule.
If you selected Default Inspection Traffic for the traffic match criteria (without selecting the option
to limit inspection between source and destination), or Custom Destination Ports, you cannot edit
source or destination addresses.
If you selected Destination Address and Port (IOS), you cannot edit source addresses.
The following cell-level commands are available, although the ability to edit multiple rows is not
supported in all policies that use rule tables:
Add <Attribute Type>When you select multiple rows and right-click a Source, Destination,
Services, or Interface cell, you can select the Add command to append entries to the data currently
in the selected cells. The Add commands full name includes the name of the attribute, for example,
Add Source.
Edit <Attribute Type>Most attributes allow you to edit the content. Editing replaces the content
of the cell. You can edit a single cell, or select multiple rows and edit the contents of the same type
of cell in all rows at once. The Edit commands full name includes the name of the attribute, for
example, Edit Interfaces.
Edit <Entry>In some cases, when you edit Source, Destination, Services, or Interfaces, you can
select an entry in the cell and edit just that entry. For example, if the Sources cell contains three
network/host objects and an IP address, you can select any of them and edit the entry. The edit
command includes the name of the entry, for example, Edit HostObject.
Remove <Entry>In some cases, when you edit Source, Destination, Services, or Interfaces, you
can select an entry in the cell and remove the entry. You cannot remove the last entry in the cell,
because the rule would become invalid. The remove command includes the name of the entry, for
example, Remove IP.
Create <Object Type> Object from Cell ContentsIn the Sources, Destinations, and Services
cells, you can select the Create command to create a policy object of the appropriate type. You can
also select an entry in the cell and create a policy object from just the selected item. The create
command includes the policy object type you can create, and the name of the item that is the source
for the object, either cell contents for everything in the cell, or the name of an entry if you selected
one. When creating network/host objects, you are always creating network/host group objects.
Show <Attribute Type> Contents; Show <Entry> ContentsThe show commands let you view
the actual data defined in the cell. The results depend on the view you are in:
Device View, Map View, or Import RulesYou are shown the actual IP addresses, services, or
interfaces to which the rule will apply for the specific device. For example, if the rule uses
network/host objects, you will see the specific IP addresses defined by the objects. If the rule
uses interface objects, you will see the specific interfaces defined on the device that the object
identifies, if any.
The IP addresses for network/host objects are sorted in ascending order on the IP address, and
then descending order on the subnet mask.
Service objects are sorted on protocol, source port, and destination port.
Interface objects are listed in alphabetical order. If the interface is selected because it matches
a pattern in an interface object, the pattern is listed first, and the matching interface is shown in
parentheses. For example, * (Ethernet1) indicates that the Ethernet1 interface on the device
is selected because it matches the * pattern (which matches all interfaces).
Policy ViewYou are shown the patterns defined in the policy objects and entries defined for the
policy. Entries are sorted alphabetically, with numbers and special characters coming first.
Related Topics
Using Rules Tables, page 12-7
Adding and Removing Rules, page 12-8
Moving Rules and the Importance of Rule Order, page 12-16
Enabling and Disabling Rules, page 12-17
Using Sections to Organize Rules Tables, page 12-17
Navigation Path
Do any of the following in a rules policy that includes sources, destinations, or other address cells:
Right-click an address cell in a rules table and select Edit Sources or Edit Destinations or a similar
command. The data replaces the content of the selected cells.
Select an entry in an address cell and select Edit <Entry>. The data replaces the selected entry.
Select multiple rules, right-click a Sources or Destination cell, and select Add Sources or Add
Destinations. The data is appended to the data already in the cell.
Navigation Path
Do any of the following in a rules policy that includes services:
Right-click a Services cell in a rules table and select Edit Services. The data replaces the content of
the selected cells.
Select an entry in a Services cell and select Edit <Entry>. The data replaces the selected entry.
Select multiple rules, right-click a Services cell, and select Add Services. The data is appended to
the data already in the cell.
Tip For inspection rules, services appear in the Traffic Match column and only for rules where the traffic
matches source, destination, and port.
For more information about interface roles and selecting interfaces, see the following topics:
Understanding Interface Role Objects, page 6-55
Specifying Interfaces During Policy Definition, page 6-58
Navigation Path
Do any of the following in a rules policy that includes interfaces or zones:
Right-click an Interfaces or Zones cell in a rules table and select Edit Interfaces, Edit Zones, or
similar command. The data replaces the content of the selected cells.
Select an entry in an Interfaces cell and select Edit <Entry>. The data replaces the selected entry.
You cannot edit an entry in a zone.
Select multiple rules, right-click an Interfaces cell, and select Add Interfaces. The data is appended
to the data already in the cell. You cannot add entries to a zone.
Navigation Path
Right-click a Category cell in a rules policy that includes categories and select Edit Category.
Navigation Path
Right-click a Description cell in a rules policy that includes descriptions and select Edit Description.
Interface objects are listed in alphabetical order. If the interface is selected because it matches
a pattern in an interface object, the pattern is listed first, and the matching interface is shown in
parentheses. For example, * (Ethernet1) indicates that the Ethernet1 interface on the device
is selected because it matches the * pattern (which matches all interfaces).
Policy ViewYou are shown the patterns defined in the policy objects and entries defined for the
policy. Entries are sorted alphabetically, with numbers and special characters coming first.
Navigation Path
Do any of the following in a rules policy that includes sources, destinations, services, interfaces, zones,
or other fields that specify networks, interfaces, or services. You can also show contents when using tools
that work with rules, such as importing rules.
Right-click one of those cells and select Show <Attribute Type> Contents, where the attribute type
is the name of the cell. The data includes all entries defined in the cell.
Right-click an entry in one of those cells and select Show <Entry> Contents, where the name of the
selected entry is included in the command name. The data displayed is only for the selected entry.
Tip For inspection rules, services appear in the Traffic Match column and only for rules where the traffic
matches source, destination, and port.
Note In access rules, you can search for global rules by using the Global interface name. However,
there is no way to convert between global and interface-specific rules. Although you can find
global rules using the Global interface name, if you try to replace an interface name with the
name Global, you are actually creating an interface-specific access rule that uses a policy
object named Global.
Related Topics
Editing Rules, page 12-9
Navigation Path
Click the Find and Replace (binoculars icon) button at the bottom of any policy that uses rules tables.
In the Firewall folder, this includes AAA rules, access rules, inspection rules, zone based firewall rules,
and web filter rules (for ASA/PIX/FWSM devices only). For ASA/PIX/FWSM devices, it also includes
the NAT translation rules policy (but not for every combination of context and operational mode) and
the IOS, QoS, and connection rules platform service policy.
Related Topics
Finding and Replacing Items in Rules Tables, page 12-13
Editing Rules, page 12-9
Field Reference
Element Description
Type The type of item you are trying to find. Select the type, then select which
columns you want to search. If you select All Columns, the columns searched
are those also listed with the All Columns item (the search does not consider
every column in the table).
NetworkA network/host object name or the IP address of a host or network.
ServiceA service object name or protocol and port, for example TCP/80.
The search is syntactic, not semantic, that is, if you are searching for
TCP/80 and a rule uses HTTP, the search results will not find it.
Interface RoleAn interface name or interface role object name.
Note In access rules, you can search for global rules by using the Global
interface name. However, there is no way to convert between global and
interface-specific rules. Although you can find global rules using the
Global interface name, if you try to replace an interface name with the
name Global, you are actually creating an interface-specific access
rule that uses a policy object named Global.
Element Description
Find Whole Whether the search should find and select only whole words, which are strings
Words Only delimited by spaces or punctuation. For example, a whole word search for
SanJose will find SanJose but not SanJose1.
If you use this option with the Allow Wildcard option, you can search for partial
strings but if you replace the located string, you replace the whole word and not
the partial string. For example, you can search for ^10.100* to find all addresses
like 10.100.10.0/24, and replace with them with the network10.100 policy
object. By selecting Whole Words, the network/host object replaces the entire
address, not just the portion you searched for.
For text searches, this option and the Allow Wildcards option are
mutually exclusive.
Allow Wildcards Whether the search or replacement strings use wildcard characters. If you do not
select this option, all characters are treated literally.
You can use the Java regular expression syntax to create your expression with
the following exceptions:
Period (.)The period is a literal period and it is implicitly escaped.
Question mark (?)The question mark indicates a single character.
Asterisk (*)The asterisk matches one or more characters. It does not
match zero characters.
Plus sign (+)The plus sign means the same as the asterisk; it matches one
or more characters.
Find Next button Click this button to find the next occurrence of the search string.
Replace button Click this button to replace the found string with the replacement string.
Replace All button Click this button to automatically find the search string and replace it throughout
the table.
If you use sections to organize your rules, you can move rules only within the section. When you move
rules that are outside the sections, you can move them above or below the section. For more information
about working with sections, see Using Sections to Organize Rules Tables, page 12-17.
Tip Special rules apply to moving access rules when you mix interface-specific and global rules in a policy.
For more information, see Understanding Global Access Rules, page 14-3.
Related Topics
Using Rules Tables, page 12-7
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Using Sections to Organize Rules Tables, page 12-17
Related Topics
Using Rules Tables, page 12-7
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Moving Rules and the Importance of Rule Order, page 12-16
Using Sections to Organize Rules Tables, page 12-17
User-defined sections are set off visually from the other rules in the table by an indented section heading.
The heading contains, left to right, a +/- icon for opening and closing the section, a band of color
identifying the category you assigned the section (if any), the section name, the first and last rule number
contained in the section (for example, 4-8), and the description, if any, you gave the section.
Whether you create user-defined sections is completely up to you. If you decide creating these types of
sections is worthwhile, the following information explains how to create and use them:
To create a new section, right-click a row that you want to place the section and select Include in
New Section. (You can also use Shift+click to select a block of rules.) You are prompted for a name,
description, and category for the section (the name is the only required element).
To move existing rules into a section, select one or more contiguous rules, right-click and select
Include in Section <name of section>. This command appears only if the selected rows are next to
an existing section. If the rows you want to add to a section are not currently next to the section, you
can do one of two things: move the rules until they are next to the section; cut the rules and paste
them into the section.
You cannot move a section. Instead, you need to move the rules that are outside of the section around
it. When you move a rule that is next to, but not within, a section, the rule jumps over the section.
You cannot move a rule outside of or through a section. A section defines the borders within which
you can move rules. If you want to move rules out of a section and back into the Local scope section,
select one or more contiguous rules, right-click and select Remove from Section <name of
section>. The rules must be at the beginning or end of the section to use this command. If they are
not, you can either move the rules until they are, or use cut and paste to move them out of the section.
To add a new rule to a section, select the rule after which you want to create the rule before clicking
the Add Row button. To place it at the beginning of the section, select the section heading.
If you want to create a rule after, but outside of, a section, you can either create it as the last rule in
the section and then remove it from the section, or create it just above the section and click the down
arrow button.
You can change the name, description, or category of a section by right-clicking the section heading
and selecting Edit Section.
When you delete a section, all rules contained in the section are retained and moved back into the
Local scope section. No rules are deleted. To delete a section, right-click the section heading and
select Delete Section.
If you use the Combine Rules tool, the resulting combined rules respect your sections. Rules that
are in a section can be combined only with other rules in that section.
Related Topics
Using Rules Tables, page 12-7
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Moving Rules and the Importance of Rule Order, page 12-16
Enabling and Disabling Rules, page 12-17
Navigation Path
Do one of the following:
Select one or more rules in a rules table, right-click and select Include in New Section.
Right-click a section heading and select Edit Section.
Field Reference
Element Description
Name The name of the section.
Description A description for the section, up to 1024 characters.
Category The category assigned to the section. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Combining Rules
Access rules and AAA rules policies can grow over time to include a large number of rules. The size of
these policies can make it difficult to manage them. To alleviate this problem, you can use the rule
combiner tool to reduce the number of rules in a policy without changing how the policy handles traffic.
Tip Combining rules can dramatically compress the number of access rules required to implement a
particular security policy. For example, a policy that required 3,300 access rules might only require 40
rules after hosts and services are efficiently grouped.
You might have several rules that allow a specific range of services to various trusted hosts (as sources)
to various public servers (as destinations). If you have 10 rules applying to this situation, it is possible
that those 10 rules can be combined into a single rule. You could then create new policy objects for the
collection of services (for example, AllowedServices), hosts (for example, TrustedHosts), and servers
(for example, PublicServers). To create the new objects during rule combination, you can right-click the
newly-combined cells and select Create Network (or Service) Object from Cell Contents.
For example, you might have two rules for interface FastEthernet0:
Permit TCP for source 10.100.10.1 to destination 10.100.12.1
Permit TCP for source 10.100.10.1 to destination 10.100.13.1
These can be combined into a single rule: permit TCP for source 10.100.10.1 to destination 10.100.12.1,
10.100.13.1.
Multidimensional sorting is used to combine rules. For example, for access rules:
1. Rules are sorted by their sources, so rules with the same source are placed together.
2. Same-source rules are sorted by destination, so rules with the same source and destination are
placed together.
3. Same-source and same-destination rules are combined into a single rule, and the services
are concatenated.
4. Adjacent rules are checked to see if they have the same source and service. If so, they are combined
into a single rule, and the destinations are concatenated.
5. Adjacent rules are checked to see if they have the same destination and service. If so, they are
combined into a single rule, and the sources are concatenated.
Sorting is repeated based on destination and service in place of source.
Tip Rules from different sections are never combined. Any sections you create to organize rules limit the
scope of the possible combinations. Also, interface-specific and global access rules are never combined.
For more information about global rules, see Understanding Global Access Rules, page 14-3.
Related Topics
Chapter 13, Managing Firewall AAA Rules
Chapter 14, Managing Firewall Access Rules
Step 1 Select the policy whose rules you want to combine from the Firewall folder. You can combine rules for
the following types of policy:
AAA rules
Access rules
Step 2 If you want the tool to limit possible combinations to a specific group of rules, select them. You can
select rules using Shift+click and Ctrl+click, select all rules in a section by selecting the section heading,
or all rules within a scope by selecting the scope heading (for example, Local). To not limit the tool, do
not select anything in the table. Keep the following in mind:
In Device view, you can save combinations only for local rules. The tool will allow you to run it on
shared and inherited rules, but you cannot save the results. If you do not select any rules, the default
is to consider all local scope rules.
To combine rules in shared policies, you must run the tool in Policy view. If you do not select any
rules, the default is to consider all mandatory rules.
You are warned if you try to run the tool when you cannot save the results.
Step 3 Click the Tools button located below the table, then select Combine Rules to open the Combine Rules
Selection Summary Dialog Box, page 12-21.
Step 4 Select the columns you want the rule to consider combining. If you do not select certain columns, the
combined rules must have the identical settings in those columns to be combined.
You can also elect to consider combining the rules you selected or all rules within the policy.
Tip If a column type is not listed, then combined rules must have the identical content in those cells
except for the Description cell. Rules that have different content for the cells are not combined.
Step 5 Click OK to generate the combination and display the results in the Rule Combiner Results Dialog Box.
Analyze the results and evaluate whether you want to save the combinations. You must save all or none,
you cannot pick and choose which combinations to save.
For more information on evaluating the results, see Interpreting Rule Combiner Results, page 12-21. For
an example, see Example Rule Combiner Results, page 12-23.
Step 6 Click OK to replace the original rules in the rules tables with the combined rules.
Navigation Path
You can combine rules from the AAA Rules Page, page 13-9 and the Access Rules Page, page 14-8.
Click Tools located at the bottom of the tables and select Combine Rules.
Field Reference
Element Description
Policy Selected Shows the policy selected and the scope. Local indicates the local
device rules. Otherwise, the field indicates the name of the shared
policy and the scope selected within the policy, if any.
Rules to be combined The rules you want the tool to consider combining:
All RulesConsider combining all rules within the selected
policy.
Selected RulesConsider combining only those rules you selected
in the policy before starting the tool.
For detailed information on selecting rules before running the tool, see
Combining Rules, page 12-19.
Choose which columns The columns in the rules table that can be combined. Any columns that
to combine you do not select must have the identical content for two rules to be
combined (even those not listed as combinable, except for the
Description column). The columns you can combine are:
Source
Destination
Service
Interface
For AAA rules, these additional columns:
Action
Auth Proxy
Tips
The combined results are not applied to the policy until you click OK. If you do not like the results
of the combination, click Cancel and consider selecting smaller groups of rules to limit the scope
of the Combine Rules tool.
If you click OK but then decide you do not want to accept the changes, you have two options. First,
make sure you do not click Save on the policy page, select a different policy, and click No when
prompted to save your changes to the policy. If you already clicked Save, you can still back out the
changes by discarding your activity or configuration session (for example, File > Discard in
non-Workflow mode), but this also discards any other changes you have made to other policies.
Once you submit your changes or your activity is approved, you cannot undo your changes.
You are allowed to run the Combine Rules tool even if you are combining rules for a policy that you
are not allowed to save. For example, you cannot save combined rules for a shared or inherited policy
in Device view. You are warned before running the tool if you will not be allowed to save the results.
Rules from different sections are never combined. Any sections you create to organize rules limit
the scope of the possible combinations. Also, interface-specific and global access rules are never
combined. For more information about global rules, see Understanding Global Access Rules,
page 14-3.
Navigation Path
You can combine rules from the AAA Rules Page and the Access Rules Page. Click Tools located at the
bottom of the tables and select Combine Rules, fill in the Combine Rules Selection Summary Dialog
Box and click OK.
Field Reference
Element Description
Result Summary Provides a summary of the results of the combination and indicates the
number of original rules, the number of rules remaining after the
combination, and the number of changed and unchanged rules, if any
combinations could be made.
Resulting Rules table The rules that will replace the rules currently in the policy. If you
click OK, these rules become part of your policy. The columns are
the same as those in the associated policy (see AAA Rules Page,
page 13-9 or Access Rules Page, page 14-8), with the addition of the
Rule State column.
The Rule State column shows the status of the rule:
Modified, CombinedThe new rule is the result of combining one
or more rules or modifying an existing rule. A red box around a cell
indicates cells that have combined contents.
UnchangedThe rule remains unchanged, as it could not be
combined with any other rule.
Not SelectedYou did not select the rule for possible combination.
If there are a large number of rules, you can use the buttons beneath the
table to scroll through the rules that have changes. Unchanged and
unselected rules are skipped.
Original rules table (lower The table in the lower half of the dialog box shows the original rules
table) that were combined to create the rule you select in the upper table.
Detail Report button Click this button to create an HTML report of the results. The report
summarizes the results and also provides the details about the resulting
rules and the rules that were combined to create the new rule.
For combined rules that have a lot of entries in cells, this report
makes it easier to read the results. You can also print or save the report
for later use.
1 Combined cell
2 Newly combined rule
3 Original rules
Related Topics
Chapter 13, Managing Firewall AAA Rules
Chapter 14, Managing Firewall Access Rules
The possible extent of a query depends on the view you are in:
Device or Map viewThe query is limited to the selected device. However, you can query
across all supported rule types. This allows you to compare different types of rules that apply to
the same traffic.
Policy viewThe query is limited to the selected policy. You see only rules that are defined in that
policy, and you cannot query other types of policies. If you want to query a shared policy while
examining other policies, select a device that is assigned to the shared policy, and query the policy
from the device in Device view.
Related Topics
AAA Rules Page, page 13-9
Access Rules Page, page 14-8
Inspection Rules Page, page 15-7
Web Filter Rules Page (ASA/PIX/FWSM), page 16-3
Zone-based Firewall Rules Page, page 18-56
Step 1 Select the policy that you want to query from the Firewall folder. You can query any of the following
types of policy:
AAA Rules
Access Rules
Inspection Rules
Web Filter Rules (PIX/ASA/FWSM)
Zone Based Rules
Step 2 Click the Tools button located below the table, then select Query to open the Querying Device or Policy
dialog box.
Step 3 Enter the parameters that define the rules you want to query. When setting up your query, you must select
at least one rule type; enabled, disabled or both; permitted, denied, or both; and mandatory, default, or
both. For detailed information about the query parameters, see Querying Device or Policy Dialog Box,
page 12-25.
In Policy view, you cannot change the type of rule you are querying. In Device view, you can query any
combination of rule types.
Step 4 Click OK to view the rules that match the criteria in the Policy Query Results dialog box. For
information on reading the report, see Interpreting Policy Query Results, page 12-28.
For an example of a policy query report, see Example Policy Query Result, page 12-29.
You can query rules from these types of policies: AAA rules, access rules, inspection rules, web filter
rules for ASA/PIX/FWSM, and zone based firewall rules.
When setting up your query, you must select at least one rule type; enabled, disabled or both; permitted,
denied, or both; and mandatory, default, or both.
Note For inspection rules, if you enter Global as the interface value, the match status results will be shown as
a partial match even if the match is complete.
Results are displayed in the Policy Query Results dialog box (see Interpreting Policy Query Results,
page 12-28).
Navigation Path
To generate Policy Query reports, do one of the following:
(Device view) Select a device, then select one of the supported firewall rules policies from the
Firewall folder. Click the Tools button and select Query.
(Policy view) Select any of the supported firewall rules policies from the Firewall folder and select
a specific policy from the Shared Policy selector. Click the Tools button and select Query.
(Map view) Right-click a device and select a supported firewall rules policy from the Edit Firewall
Policies menu. Click the Tools button and select Query.
Related Topics
Generating Policy Query Reports, page 12-24
Example Policy Query Result, page 12-29
Field Reference
Element Description
Rule Types The type of rules you want to query. When querying in Policy view, you
cannot change the selection. When querying in Device view, you can
select any of the following types of rules; the scope of the query is
limited to the selected device:
AAA Rules
Access Rules
Inspection Rules
Web Filter Rules
Zone Based Rules
Enabled and/or Whether you want to query enabled or disabled rules, or both.
Disabled Rules
Mandatory and/or Whether you want to query rules that are in the mandatory or default
Default Rules sections, or both.
Match Whether you want to query rules that permit or deny traffic, or both.
Element Description
Sources The source or destination of the traffic. You can enter more than one
Destinations value by separating the items with commas.
Note If you leave a field blank, the query matches any address for
that field.
You can enter any combination of the following address types to define
the source or destination of the traffic. For more information, see
Specifying IP Addresses During Policy Definition, page 6-68.
Network/host object. Enter the name of the object or click Select
to select it from a list. You can also create new network/host objects
from the selection list.
Host IP address, for example, 10.10.10.100.
Network address, including subnet mask, in either the format
10.10.10.0/24 or 10.10.10.0/255.255.255.0.
A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255,
where the mask is a discontiguous bit mask (see Contiguous and
Discontiguous Network Masks, page 6-63).
Tip You can create an object with a list of the IP addresses to
facilitate future policy query requests.
Services The services that define the type of traffic that is acted on. You can enter
more than one value by separating the items with commas.
Note If you leave the field blank, the query matches any service.
You can enter any combination of service objects and service types
(which are typically a protocol and port combination). If you type in a
service, you are prompted as you type with valid values. You can select
a value from the list and press Enter or Tab.
For complete information on how to specify services, see
Understanding and Specifying Services and Service and Port List
Objects, page 6-69.
Tip You can create an object with a list of the services to facilitate
future policy query requests.
Interfaces The interfaces for which the rule is defined. You can enter any
combination of interface or interface role names, separated by commas.
Enter the name or click Select to select the interface or interface role.
Note If you leave the field blank, the query matches any interface or
interface role.
Query for Global Rules Whether the query should also consider global rules when querying
access rules or inspection rules.
From Zone For zone based firewall rules, the zones defined for the rule. Enter the
To Zone zone names (which are interface roles), or click Select to select them
from a list.
Element Description
Actions For zone based firewall rules, the actions defined for the rule.
Check if Matching Rules Are Whether to have the policy query results include rule conflict detection
Shadowed by Rules Above information. Selecting this option might have an impact on
performance and cost results.
Tip In the query results table, you can double-click a row, or right-click and select Go to Rule, to select the
rule in the rules policy page, where you can edit the rule. If the appropriate rules policy is not already
selected in the policy selector, you might have to do this twice to actually select the rule.
The details show the query value, which is the parameter you defined, and the item in the rule that
matches the parameter. The matching relationship is one of the following:
IdenticalThe parameter is identical to the value in the rule.
ContainsThe parameter is a superset that contains the value in the rule. For example, the
query parameter might have been a network/host object, and the rule used an IP address that was
part of the object definition.
Is contained byThe parameter is a subset nested within the value of the rule.
OverlapsThe query parameter shows results that overlap between more than one policy object
used in the rule. For example, the service query parameter was tcp/70-90 and the results show
a service defined as tcp/80-100.
Related Topics
AAA Rules Page, page 13-9
Access Rules Page, page 14-8
Inspection Rules Page, page 15-7
Web Filter Rules Page (ASA/PIX/FWSM), page 16-3
Zone-based Firewall Rules Page, page 18-56
Related Topics
Generating Policy Query Reports, page 12-24
AAA Rules Page, page 13-9
Access Rules Page, page 14-8
Inspection Rules Page, page 15-7
Web Filter Rules Page (ASA/PIX/FWSM), page 16-3
Zone-based Firewall Rules Page, page 18-56
If you enable optimization, when you deploy the policy, the resulting object group configuration is
generated. Note that the description indicates the group was optimized:
object-group network test
description (Optimized by CS-Manager)
network-object 10.1.1.0 255.255.255.252
network-object 192.168.1.0 255.255.255.0
This optimization does not change the definition of the network/host object, nor does it create a new
network/host policy object. If you rediscover policies on the device, the existing unchanged policy object
is used.
Note If a network/host object contains another network/host object, the objects are not combined. Instead,
each network/host object is optimized separately. Also, Security Manager cannot optimize network/host
objects that use discontiguous subnet masks.
To configure optimization, select the Optimize Network Object-Groups During Deployment option
on the Deployment Page, page 11-7 (select Tools > Security Manager Administration and select
Deployment from the table of contents). The default is to not optimize network object groups during
deployment.
You can use Authentication, Authorization, and Accounting (AAA) rules to control access to network
resources based on user privileges rather than by IP addresses. If you configure authentication rules,
users must enter a user name and password whenever they attempt to access a network behind the
protected device. Once authenticated, you can further require that the user account be checked to ensure
the user is authorized for network access. Finally, you can use accounting rules to track access for
billing, security, or resource allocation purposes.
AAA rule configuration is complex and requires that you configure more than just the AAA rules policy.
The following topics explain AAA rules in greater detail and include procedures that explain not only
the AAA rules policy configuration but also what you must configure in related policies:
Understanding AAA Rules, page 13-1
Understanding How Users Authenticate, page 13-2
Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 13-4
Configuring AAA Rules for IOS Devices, page 13-7
AAA Rules Page, page 13-9
AAA Firewall Settings Policies, page 13-16
The following topics can help you with general rule table usage:
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Moving Rules and the Importance of Rule Order, page 12-16
segment that is high security, where you want to carefully control access. AAA rules are also useful for
circumstances where you need to maintain per-user accounting records for billing, security, or resource
allocation purposes.
The AAA rules policy actually configures three separate types of rule, and the configuration of these
rules differs significantly between IOS devices on the one hand and ASA, PIX, and FWSM devices on
the other hand. For IOS devices, these policies define what is called authentication proxy admission
control. When creating shared AAA rules, create separate rules for these types of devices. Following are
the types of rules you can configure with AAA rules:
Authentication rulesAuthentication rules control basic user access. If you configure an
authentication rule, users must log in if their connection request goes through the device on which
the rule is defined. You can force users to log in for HTTP, HTTPS, FTP, or Telnet connections. For
ASA, PIX, and FWSM devices, you can control other types of services, but users must first
authenticate using one of the supported protocols before other types of traffic are allowed.
The device recognizes these traffic types only on the default ports: FTP (21), Telnet (23), HTTP
(80), HTTPS (443). If you map these types of traffic to other ports, the user will not be prompted,
and access will fail.
Authorization rulesYou can define an additional level of control over and above authentication.
Authentication simply requires that users identify themselves. After authentication is successful, an
authorization rule can query the AAA server to determine if the user has sufficient privileges to
complete the attempted connection. If authorization fails, the connection is dropped.
For ASA, PIX, and FWSM devices, you define authorization rules directly in the AAA rules
policy; if you require authorization for traffic that does not also require authentication, the
unauthenticated traffic is always dropped. If you use RADIUS servers for authentication,
authorization is automatically performed and authorization rules are not necessary. If you
configure authorization rules, you must use a TACACS+ server.
For IOS devices, to configure authorization, you must configure an authorization server group
in the Firewall > Settings > AuthProxy policy; authorization is done for any traffic that is
subject to authentication. You can use TACACS+ or RADIUS servers.
AccountingYou can define accounting rules even if you do not configure authentication or
authorization. If you do configure authentication, accounting records are created for each user, so that
you can identify the specific user who made the connection. Without user authentication, accounting
records are based on IP address. You can use TACACS+ or RADIUS servers for accounting.
For ASA, PIX, and FWSM devices, you define accounting rules directly in the AAA rules
policy. You can perform accounting for any TCP or UDP protocol.
For IOS devices, to configure accounting, you must configure an accounting server group in
the Firewall > Settings > AuthProxy policy; accounting is done for any traffic that is subject
to authentication.
attempt one of the four supported protocols and successfully authenticate before completing connections
of any other protocol that requires authentication.
Tip For ASA, PIX, and FWSM devices, if you do not want to allow HTTP, HTTPS, Telnet, or FTP through
the security appliance but want to authenticate other types of traffic, you can require that the user
authenticate with the security appliance directly using HTTP or HTTPS by configuring the interface to
use interactive authentication (using the Firewall > Settings > AAA Firewall policy). The user would
then authenticate with the appliance before trying other connections, using one of the following URLs,
where interface_ip is the IP address of the interface and port is optionally the port number, if you specify
a non-default port for the protocol in the interactive authentication table:
http://interface_ip[:port]/netaccess/connstatus.html or
https://interface_ip[:port]/netaccess/connstatus.html
When attempting a connection through the device, the user is prompted based on the protocol:
HTTPThe device prompts the user with a web page to provide user name and password. The user
is prompted repeatedly until successfully authorized. After the user authenticates correctly, the
device redirects the user to the original destination. If the destination server also has its own
authentication, the user enters another user name and password.
For ASA, PIX, and FWSM devices, the security appliance uses basic HTTP authentication by
default, and provides an authentication prompt. You can improve the user experience by configuring
the interface for interactive authentication and specifying redirect for HTTP traffic. This redirects
the user to a web page hosted on the appliance for authentication. To configure an interface to use
interactive authentication, add the interface to the Interactive Authentication table on the Firewall
> Settings > AAA Firewall policy (see AAA Firewall Settings Page, Advanced Setting Tab,
page 13-16). Ensure that you select the HTTP and Redirect options when adding the interface.
You might want to continue to use basic HTTP authentication if: you do not want the security
appliance to open listening ports; if you use NAT on a router and you do not want to create a
translation rule for the web page served by the security appliance; basic HTTP authentication might
work better with your network. For example non-browser applications, like when a URL is
embedded in email, might be more compatible with basic authentication.
However, when using basic HTTP authentication, if the user is going to an HTTP server that requires
authentication, the same user name and password used to authenticate with the appliance is sent to
the HTTP server. Thus, login to the HTTP server fails unless the same user name and password are
used by the ASA and HTTP server. To avoid this problem, you must configure a virtual HTTP server
on the ASA using the virtual http command on the ASA. You can create a FlexConfig policy to do
this; the ASA_virtual pre-defined FlexConfig object provides an example that you can copy.
Tip In HTTP authentication, the username and password are transmitted in clear text. You can prevent this
by selecting the Use Secure HTTP Authentication option on the Firewall > Settings > AAA Firewall
policy. This option ensures that credentials are encrypted.
HTTPSThe user experience for HTTPS is the same as for HTTP; the user is prompted until
successfully authorized, and then redirected to the original destination.
For ASA, PIX, and FWSM devices, the security appliance uses a custom login screen. Like with
HTTP, you can configure the interface to use interactive authentication, in which case HTTPS
connections use the same authentication page as HTTP connections. You must configure the
interface separately for HTTPS redirection; use the Firewall > Settings > AAA Firewall policy.
For IOS devices, HTTPS connections are authenticated only if you enable SSL on the device and
your AAA rules require HTTP authentication proxy. This configuration is explained in Configuring
AAA Rules for IOS Devices, page 13-7.
FTPThe device prompts once for authentication. If authentication fails, the user must retry
the connection.
When prompted, the user can enter the username required for device authentication followed by an
at sign (@) and then the FTP username (name1@name2). For the password, the user would then
enter the device authentication password followed by an at sign (@) and then the FTP password
(password1@password2). For example, enter the following text.
name> asa1@partreq
password> letmein@he110
For IOS devices, this method of entering both the device and FTP credentials is required. For ASA,
PIX, and FWSM devices, this feature is useful when you have cascaded firewalls that require
multiple logins. You can separate several names and passwords by multiple at signs (@).
TelnetThe device prompts several times for authentication. After a number of failed attempts,
the user must retry the connection. After authentication, the Telnet server prompts for its user
name/password.
Related Topics
Understanding AAA Rules, page 13-1
Understanding How Users Authenticate, page 13-2
Creating a New Shared Policy, page 5-50
Modifying Policy Assignments in Policy View, page 5-50
Understanding Network/Host Objects, page 6-62
Understanding Interface Role Objects, page 6-55
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Understanding AAA Server and Server Group Objects, page 6-20
Understanding Interface Role Objects, page 6-55
Step 1 Do one of the following to open the AAA Rules Page, page 13-9:
(Device view) Select Firewall > AAA Rules from the Policy selector.
(Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy
or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and
select Add Row. This opens the Add and Edit AAA Rule Dialog Boxes, page 13-11.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific
information on configuring the fields, see Add and Edit AAA Rule Dialog Boxes, page 13-11.
Authentication, Authorization, or Accounting ActionSelect the options applicable for this rule.
Authentication prompts the user for a username and password when attempting HTTP, HTTPS, FTP,
or Telnet access. Authorization is an additional level, where after the user authenticates, the AAA
server is checked to ensure that the user is authorized for that type of access. Accounting generates
usage records in the AAA server and can be used for billing, security, or resource allocation
purposes. You can generate accounting information for any TCP or UDP traffic.
Permit or DenyWhether you are subjecting the identified traffic to AAA control (permit) or you
are exempting it from AAA control (deny). Any denied traffic is not prompted for authentication
and is allowed to pass unauthenticated, although your access rules might drop the traffic.
Source and Destination addressesIf the rule should apply no matter which addresses generated the
traffic or their destinations, use any as the source or destination. If the rule is specific to a host or
network, enter the addresses or network/host objects. For information on the accepted address
formats, see Specifying IP Addresses During Policy Definition, page 6-68.
ServiceYou can specify any type of service for authentication and authorization rules; however,
the user is prompted to authenticate only for HTTP, HTTPS, FTP, and Telnet connections. Thus, if
you specify something other than these services, the user must first attempt one of these connections
and successfully authenticate (and be authorized, if you include that action) before any other types
of connections are allowed. For accounting rules, you can specify any TCP or UDP service (or
simply TCP and UDP themselves), if you want to account for all types of traffic.
AAA Server GroupThe AAA server group policy object to be used for authentication,
authorization, or accounting. If the rule applies more than one of these actions, the server group must
support all selected actions. For example, only TACACS+ servers can provide services for
authorization rules (although using RADIUS for authentication rules automatically includes
RADIUS authorization), and only TACACS+ and RADIUS servers can provide accounting services.
If you want to use different server groups for particular actions, define separate rules for each type
of action that requires different groups.
InterfacesThe interface or interface role for which you are configuring the rule.
Click OK when you are finished defining your rule.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-16.
Step 5 Select Firewall > Settings > AAA Firewall (in Device or Policy view) to open the AAA Firewall
Settings Page, Advanced Setting Tab, page 13-16. Configure the AAA firewall settings:
If you configured rules for HTTP authentication, you should select Use Secure HTTP
Authentication. This ensures that the username and password entered for HTTP authentication are
encrypted. If you do not select this option, the credentials are sent in clear text, which is insecure.
Tip If you select this option, ensure that you do not configure 0 for the user authentication time-out
(timeout uauth 0, configured in the Platform > Security > Timeouts policy), or users might
be repeatedly prompted for authentication, making the feature disruptive to your network.
If you configured authentication for HTTP or HTTPS traffic on an interface, you should consider
adding the interface to the Interactive Authentication table. When you enable an interface for
interactive authentication, users get an improved authorization web page, one that is the same for
both HTTP and HTTPS.
Click Add Row to add the interface to the table. Select whether the interface should listen for HTTP
or HTTPS traffic (add the interface twice to listen for both protocols), and the port to listen on if not
the default port for the protocol (80 and 443, respectively). Select Redirect network users for
authentication request so that network access traffic gets the improved authentication prompt; if
you do not select the option, only users trying to log into the device get the prompt.
Note You might want to continue to use basic HTTP authentication if: you do not want the
security appliance to open listening ports; if you use NAT on a router and you do not
want to create a translation rule for the web page served by the security appliance; basic
HTTP authentication might work better with your network. For example non-browser
applications, like when a URL is embedded in email, might be more compatible with
basic authentication.
For FWSM devices, you can also disable the authentication challenge for protocols you have
otherwise configured to require authentication. You can also add interfaces to the Clear Connections
table to ensure that active connections for users whose authentication has timed out are cleared.
If you want to exempt some devices from your AAA rules based on their media access control
(MAC) address, click the MAC Exempt List tab to open the AAA Firewall Page, MAC-Exempt List
Tab, page 13-20. Enter a name for the exemption list, and then click the Add Row button and fill in
the Firewall AAA MAC Exempt Setting Dialog Box, page 13-21 to add the MAC address to the table
with a permit rule. You might want to do this for secure, trusted devices.
The order of entries matters, so ensure that any specific entries that are covered by broader entries
come before the broad entries in the table. The device processes the list in order and the first match
is applied to the host. For more detailed information about how the entries on the MAC exempt list
are processed, see AAA Firewall Page, MAC-Exempt List Tab, page 13-20.
Step 6 If you are configuring authentication rules using a RADIUS server, and you include per-user ACL
configurations in the user profiles, enable per-user downloadable ACLs on the interface. (RADIUS
authentication automatically includes authorization checking.) For information on configuring per-user
ACLs, see the information on configuring RADIUS authorization in the Cisco ASA 5500 Series
Configuration Guide Using the CLI at
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html.
a. Select Firewall > Settings > Access Control (in Device or Policy view) to open the Access Control
Settings Page, page 14-17.
b. Click the Add Row button beneath the interface table and fill in the Firewall ACL Setting Dialog
Box, page 14-19 with at least these options:
Enter the interface or interface role on which you are performing authorization.
Select Per User Downloadable ACLs.
c. Click OK to save your changes.
Related Topics
Understanding AAA Rules, page 13-1
Understanding How Users Authenticate, page 13-2
Creating a New Shared Policy, page 5-50
Modifying Policy Assignments in Policy View, page 5-50
Understanding Network/Host Objects, page 6-62
Understanding Interface Role Objects, page 6-55
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Understanding AAA Server and Server Group Objects, page 6-20
Understanding Interface Role Objects, page 6-55
Step 1 Do one of the following to open the AAA Rules Page, page 13-9:
(Device view) Select Firewall > AAA Rules from the Policy selector.
(Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy
or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and
select Add Row. This opens the Add and Edit AAA Rule Dialog Boxes, page 13-11.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific
information on configuring the fields, see Add and Edit AAA Rule Dialog Boxes, page 13-11.
Authentication ActionSelect this option. Authentication rules are the only type of rule you can
configure in the AAA rules policy for IOS devices.
Permit or DenyWhether you are subjecting the identified traffic to AAA control (permit) or you
are exempting it from AAA control (deny). Any denied traffic is not prompted for authentication
and is allowed to pass unauthenticated, although your access rules might drop the traffic.
Source and Destination addressesIf the rule should apply no matter which addresses generated the
traffic or their destinations, use any as the source or destination. If the rule is specific to a host or
network, enter the addresses or network/host objects. For information on the accepted address
formats, see Specifying IP Addresses During Policy Definition, page 6-68.
ServiceOnly HTTP, HTTPS, FTP, and Telnet traffic cause the authentication proxy to prompt for
authentication. You can either specify these services, or simply use the IP service.
InterfacesThe interface or interface role for which you are configuring the rule.
Service triggering the authentication proxySelect the checkboxes for the type of traffic you want
to trigger user authentication: HTTP, FTP, or Telnet. You can select any combination. If you want to
trigger the proxy for HTTPS support, select HTTP and perform the HTTPS configuration that is
explained in a subsequent step in this procedure.
Click OK when you are finished defining your rule.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-16.
Step 5 Select Firewall > Settings > AuthProxy (in Device or Policy view) to open the AuthProxy Page,
page 13-22. Configure the authentication proxy settings:
Authorization server groupsIf you want all of your authentication rules to also perform user
authorization, specify the list of AAA server group policy objects that identify the TACACS+ or
RADIUS servers that control authorization. You can also specify LOCAL to use the user database
defined on the device. If you do not specify a server group, authorization is not performed.
Tip You must configure per-user ACLs in your AAA server to define the privileges you want to apply
to each user. When configuring authorization, specify auth-proxy as the service (e.g. service =
auth-proxy), with a privilege level of 15. For more information on configuring the AAA server,
including information on configuring authentication proxy in general, see the Configuring the
Authentication Proxy section in the Cisco IOS Security Configuration Guide: Securing User
Services, Release 12.4T at
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authen_
prxy_ps6441_TSD_Products_Configuration_Guide_Chapter.html.
Accounting server groupsIf you want to perform accounting for all of your authentication rules,
specify the list of AAA server group policy objects that identify the TACACS+ or RADIUS servers
that perform accounting. If you do not specify a server group, no accounting is performed. When
performing accounting, also configure the following options as appropriate:
If you specify more than one server group, consider selecting Use Broadcast for Accounting.
This option sends accounting records to the primary server in each server group.
The Accounting Notice option defines when the server is notified. The default is to notify
the server at the start and stop of a connection, but you can select to only send stop notices (or
none at all).
You can also customize authentication banners for each service, and on the Timeout tab, you can
change the default idle and absolute session timeouts globally or for each interface.
Step 6 Select Platform > Device Admin > AAA (in policy view, this is in the Router Platform folder) to open
the AAA Policy Page, page 53-6. Configure these options on the Authentication tab:
Select Enable Device Login Authentication.
Enter the list of server groups that will control authentication in priority order. Typically, you will
use at least some of the same TACACS+ or RADIUS server groups used in the AuthProxy policy.
However, this policy also defines device login control, so you might want to include some other
server groups. For more information, see AAA PageAuthentication Tab, page 53-6.
Step 7 If you are using the authentication proxy with HTTP connections, and you also want to use the proxy with
HTTPS connections, select Platform > Device Admin > Device Access > HTTP (in policy view, this is
in the Router Platform folder) to open the HTTP Policy Page, page 53-31. Configure these options:
Select Enable HTTP and Enable SSL if they are not already selected.
On the AAA tab, ensure that the configuration for login access to the device is appropriate. If you
are using AAA to control access through the device, you might want to use it for access to the device.
Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration,
disabled rules are removed from the device. For more information, see Enabling and Disabling Rules,
page 12-17.
Navigation Path
To access the AAA Rules page, do one of the following:
(Device view) Select a device, then select Firewall > AAA Rules from the Policy selector.
(Policy view) Select Firewall > AAA Rules from the Policy Type selector. Create a new policy or
select an existing one.
(Map view) Right-click a device and select Edit Firewall Policies > AAA Rules.
Related Topics.
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Moving Rules and the Importance of Rule Order, page 12-16
Using Sections to Organize Rules Tables, page 12-17
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Field Reference
Element Description
No. The ordered rule number.
Permit Whether the defined traffic will be subject to the rule (Permit) or
exempted from the rule (Deny):
PermitShown as a green check mark.
DenyShown as a red circle with slash.
Source The source and destination addresses for the rule. The any address
does not restrict the rule to specific hosts, networks, or interfaces.
Destination
These addresses are IP addresses for hosts or networks, network/host
objects, interfaces, or interface roles. Multiple entries are displayed as
separate subfields within the table cell. See:
Understanding Network/Host Objects, page 6-62
Understanding Interface Role Objects, page 6-55
Service The services or service objects that specify the protocol and port of the
traffic to which the rule applies. Multiple entries are displayed as
separate subfields within the table cell. See Understanding and
Specifying Services and Service and Port List Objects, page 6-69.
Interface The interfaces or interface roles to which the rule is assigned. Interface
role objects are replaced with the actual interface names when the
configuration is generated for each device. Multiple entries are
displayed as separate subfields within the table cell. See Understanding
Interface Role Objects, page 6-55.
Action The type of AAA control defined by this rule:
AuthenticateUsers making connections through the device must
authenticate with their username and password. Protocols requiring
authentication are defined by the Service field (for ASA/PIX/FWSM
devices) or the AuthProxy methods (for IOS devices).
AuthorizeAuthenticated users are also checked with the AAA
server to ensure that they are authorized to make the connection
(ASA/PIX/FWSM only).
AccountAccounting records for the identified traffic are sent to
the AAA server (ASA/PIX/FWSM only).
AuthProxy The protocols that require authentication using the authentication
proxy method. This applies only to IOS devices.
Server Group The AAA server group that provides the authentication, authorization,
or accounting support defined in the rule. This group is used for
ASA/PIX/FWSM devices only. For information on configuring AAA
servers for IOS devices for use with these rules, see Configuring AAA
Rules for IOS Devices, page 13-7.
Category The category assigned to the rule. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Description The description of the rule, if any.
Element Description
Tools button Click this button to select tools that you can use with this type of policy.
You can select from the following tools:
Combine RulesTo improve performance and memory usage by
combining similar rules. This reduces the number of rules in the
policy. See Combining Rules, page 12-19.
QueryTo run policy queries, which can help you evaluate your
rules and identify ineffective rules that you can delete. See
Generating Policy Query Reports, page 12-24
Find and Replace button Click this button to search for various types of items within the table
(binoculars icon) and to optionally replace them. See Finding and Replacing Items in
Rules Tables, page 12-13.
Up Row and Down Row Click these buttons to move the selected rules up or down within a
buttons (arrow icons) scope or section. For more information, see Moving Rules and the
Importance of Rule Order, page 12-16.
Add Row button Click this button to add a rule to the table after the selected row using
the Add and Edit AAA Rule Dialog Boxes, page 13-11. If you do not
select a row, the rule is added at the end of the local scope. For more
information about adding rules, see Adding and Removing Rules,
page 12-8.
Edit Row button Click this button to edit the selected rule. You can also edit individual
cells. For more information, see Editing Rules, page 12-9.
Delete Row button Click this button to delete the selected rule.
Navigation Path
From the AAA Rules Page, page 13-9, click the Add Row button or select a row and click the Edit
Row button.
Related Topics
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Field Reference
Element Description
Enable Rule Whether to enable the rule, which means the rule becomes active when
you deploy the configuration to the device. Disabled rules are shown
overlain with hash marks in the rule table. For more information, see
Enabling and Disabling Rules, page 12-17.
Authentication Action The authentication, authorization, and accounting check boxes define
the types of rules that will be generated on the device. Each type
Authorization Action
generates a separate set of commands, but if you select more than one
(PIX/ASA/FWSM)
option, your other selections on this dialog box are limited to those
Accounting Action supported by all selected actions.
(PIX/ASA/FWSM)
AuthenticationUsers must supply a username and password to
make a connection through the device. For ASA, PIX, and FWSM
devices, what you enter in the Services field determines which
protocols require authentication, although the device will prompt
only for HTTP, HTTPS, FTP, and Telnet connections. For IOS
devices, the protocols that require authentication are based on the
authorization proxy check boxes you select at the bottom of the
dialog box.
AuthorizationAfter successful authentication, the AAA server is
also checked to determine if the user is authorized to make the
requested connection. If you specify a RADIUS server for
authentication rules, authorization happens without you having to
configure authorization rules. If you are using a TACACS+ server,
you must create separate authorization rules. For IOS devices,
authorization is configured in the Firewall > Settings >
AuthProxy policy, not in AAA rules.
AccountingAccounting records will be sent to the TACACS+ or
RADIUS server for the TCP and UDP protocols specified in the
Services field. If you also configure authentication, these records
are per-user; otherwise, they are based on IP address. For IOS
devices, accounting is configured in the Firewall > Settings >
AuthProxy policy, not in AAA rules, and applies only to the
protocols you select for authentication proxy.
Action (Permit/Deny) Whether the defined traffic will be subject to the rule (Permit) or
exempted from the rule (Deny).
For example, if you create an authentication deny rule for the
10.100.10.0/24 network to any destination using the HTTP service,
users on this network are not prompted to authenticate with the device
when making HTTP requests.
Table 13-2 Add and Edit AAA Rules Dialog Boxes (Continued)
Element Description
Sources The source or destination of the traffic. You can enter more than one
Destinations value by separating the items with commas.
You can enter any combination of the following address types to define
the source or destination of the traffic. For more information, see
Specifying IP Addresses During Policy Definition, page 6-68.
Network/host object. Enter the name of the object or click Select
to select it from a list. You can also create new network/host objects
from the selection list.
Host IP address, for example, 10.10.10.100.
Network address, including subnet mask, in either the format
10.10.10.0/24 or 10.10.10.0/255.255.255.0.
A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255,
where the mask is a discontiguous bit mask (see Contiguous and
Discontiguous Network Masks, page 6-63).
Interface role object. Enter the name of the object or click Select to
select it from a list (you must select Interface Role as the object
type). When you use an interface role, the rule behaves as if you
supplied the IP address of the selected interface. This is useful for
interfaces that get their address through DHCP, because you do not
know what IP address will be assigned to the device. For more
information, see Understanding Interface Role Objects, page 6-55.
If you select an interface role as a source, the dialog box displays
tabs to differentiate between hosts or networks and interface roles.
Table 13-2 Add and Edit AAA Rules Dialog Boxes (Continued)
Element Description
Services The services that define the type of traffic to act on. You can enter more
than one value by separating the items with commas.
You can enter any combination of service objects and service types
(which are typically a protocol and port combination). If you type in a
service, you are prompted as you type with valid values. You can select
a value from the list and press Enter or Tab.
It is important that you select the service type carefully based on the
device type:
For IOS devices, only the protocols you select with the
authorization proxy check boxes at the bottom of the dialog box are
used for AAA control, so you can use IP as the protocol.
For ASA, PIX, and FWSM devices, although you can force
authentication for any type of traffic, the security appliance
prompts only for HTTP/HTTPS, FTP, and Telnet traffic. If you
specify a service other than one of these, users are prevented from
making any connection through the appliance until they try one of
these services and successfully authenticate.
If the rule is only for accounting, you can specify any TCP or UDP
protocols for which you want to create records.
For complete information on how to specify services, see
Understanding and Specifying Services and Service and Port List
Objects, page 6-69.
Note Due to an issue in PIX 6.3 and FWSM devices, if you specify a
service with a source port, no traffic is authenticated.
Therefore, source ports are ignored when the CLI is generated
from your rule for these device types.
AAA Server Group (PIX, The AAA server group policy object that defines the AAA server that
ASA, FWSM) should provide authentication, authorization, or accounting for the
traffic defined in the rule. Enter the name of the policy object or click
Select to select it from a list or to create a new object.
You must select a type of server that can perform all actions defined in
the rule. For example, the local database (defined on the device) cannot
provide authorization services. If you use a RADIUS server for
authentication, it automatically provides authorization services, but
you cannot define an authorization rule that uses a RADIUS server.
You can use a mix of server groups for different actions for the same
source/destination pair by creating separate rules for the desired
combination of authentication, authorization, and accounting actions.
For more information on AAA server group objects, see Understanding
AAA Server and Server Group Objects, page 6-20.
Note AAA server groups for IOS devices are defined in other
policies. For a complete explanation of the configuration, see
Configuring AAA Rules for IOS Devices, page 13-7.
Table 13-2 Add and Edit AAA Rules Dialog Boxes (Continued)
Element Description
Interface The interface or interface role object that identifies the interface from
which to authenticate, authorize, or account users. Enter the name of
the interface or interface role, or click Select to select it from a list or
to create a new interface role object.
For authentication rules on ASA and PIX devices, you can modify how
this interface authenticates HTTP/HTTPS traffic by using the Firewall
> Settings > AAA Firewall policy. Configuring the interface as an
HTTP/HTTPS listening port can improve the authentication experience
for users. For more information, see Understanding How Users
Authenticate, page 13-2 and AAA Firewall Settings Page, Advanced
Setting Tab, page 13-16.
Category The category assigned to the rule. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Description An optional description of the rule (up to 1024 characters).
HTTP Traffic Type Applies to For IOS devices, select the protocols for which you want to enforce
Authentication Proxy (IOS) authentication using the authentication proxy. If you select HTTP, you
can also configure HTTPS authentication proxy by enabling SSL on the
FTP Traffic Type Applies to
device. For specific information, see Configuring AAA Rules for IOS
Authentication Proxy (IOS)
Devices, page 13-7.
Telnet Traffic Type Applies to
Authentication Proxy (IOS)
Navigation Path
Right-click the Action cell in a AAA rule (on the AAA Rules Page, page 13-9) and select Edit AAA.
Navigation Path
Right-click the AuthProxy cell in a AAA rule (on the AAA Rules Page, page 13-9) and select Edit
AuthProxy.
Note This setting applies only to ASA, PIX, and FWSM devices. AAA server groups for IOS devices are
defined in other policies. For a complete explanation of the configuration, see Configuring AAA Rules
for IOS Devices, page 13-7.
Navigation Path
Right-click the Server Group cell in a AAA rule (on the AAA Rules Page, page 13-9) and select Edit
Server Group.
Navigation Path
To access the AAA Firewall settings page, do one of the following:
(Device view) Select an ASA, PIX, or FWSM device, select Firewall > Settings > AAA Firewall;
select the Advanced Setting tab if necessary.
(Policy view) Select Firewall > Settings > AAA Firewall from the Policy Type selector. Create a
new policy or select and existing one, then select the Advanced Setting tab if necessary.
(Map view) Right-click an ASA, PIX, or FWSM device and select Edit Firewall Settings > AAA
Firewall, then select the Advanced Setting tab if necessary.
Related Topics
Understanding AAA Rules, page 13-1
Understanding How Users Authenticate, page 13-2
Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 13-4
Field Reference
Element Description
Use Secure HTTP Whether to require users making HTTP requests that traverse the
Authentication security appliance to first authenticate with the security appliance using
SSL (HTTPS). The user is prompted for username and password.
Secure HTTP authentication offers a secure method for user
authentication to the security appliance prior to allowing HTTP-based
web requests to traverse the security appliance. This is also called
HTTP cut-through proxy authentication.
If you select this option, ensure that your access rules do not block
HTTPS traffic (port 443), and that any PAT configuration also includes
port 443. Also, be aware that a maximum of 16 concurrent
authentications are allowed, and that if you configure 0 for the user
authentication timeout (timeout uauth 0, configured in the Platform >
Security > Timeouts policy) users might be repeatedly prompted for
authentication, making the feature disruptive to your network.
Tip If you do not select this option, HTTP authentication sends the
username and password in clear text.
Enable Proxy Limit Whether to allow proxy connections. If you enable proxies, you must
set a limit on the number of proxy connections allowed for each user,
Maximum Concurrent Proxy
from 1 to 128. The device default is 16, but you must specify a number.
Limit per User
Interactive Authentication Use this table to identify the interfaces that should listen for HTTP or
table (ASA/PIX 7.2.2+) HTTPS traffic for authentication. If your AAA rules require
authentication for these protocols on interfaces designated in this table,
the user is presented with an improved authentication web page as
opposed to the default authentication pages used by the appliance.
These pages are also used for authenticating direct connections to the
device.
To add an interface to the table, click the Add Row button and fill
in the Interactive Authentication Configuration Dialog Box,
page 13-18.
To edit a setting, select it and click the Edit Row button.
To delete a setting, select it and click the Delete Row button.
Table 13-3 Advanced Setting Tab, AAA Firewall Settings Page (Continued)
Element Description
Disable FTP Whether to disable authentication challenges for the indicated
Authentication Challenge protocols. By default, the FWSM prompts the user for a username and
Disable HTTP password when a AAA rule enforces authentication for traffic in a new
Authentication Challenge session and the protocol of the traffic is FTP, Telnet, HTTP, or HTTPS.
In some cases, you might want to disable the authentication challenge for
Disable HTTPS
one or more of these protocols. If you disable challenge authentication
Authentication Challenge
for a particular protocol, traffic using that protocol is allowed only if the
Disable Telnet traffic belongs to a session previously authenticated. This authentication
Authentication Challenge can be accomplished by traffic using a protocol whose authentication
(All options challenge remains enabled. For example, if you disable challenge
FWSM 3.x+ only.) authentication for FTP, the FWSM denies a new session using FTP if the
traffic is included in an authentication AAA rule. If the user establishes
the session with a protocol whose authentication challenge is enabled
(such as HTTP), FTP traffic is allowed.
Clear Connections When Use this table to identify the interfaces and source addresses where you
Uauth Timer Expires table want to force any active connections to close immediately after the user
authentication times out or when you clear the authentication session
(FWSM 3.2+ only.)
with the clear uauth command. (User authentication timeouts are
defined in the Platform > Security > Timeouts policy.) For any
interface/source address pairs not listed in this table, active connections
are not terminated even though the user authentication session expired.
To add any interface and source address pair, click the Add Row
button and fill in the Clear Connection Configuration Dialog Box,
page 13-19.
To edit a setting, select it and click the Edit Row button.
To delete a setting, select it and click the Delete Row button.
Navigation Path
Go to the AAA Firewall Settings Page, Advanced Setting Tab, page 13-16 and click the Add Row button
beneath the Interactive Authentication table, or select an item in the table and click the Edit Row button.
Related Topics
Understanding AAA Rules, page 13-1
Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 13-4
Field Reference
Element Description
Protocol The protocol that you want to listen for, either HTTP or HTTPS. If you
want to listen for both protocols on an interface, add the interface to the
table twice.
Interface The interface or interface role on which to enable listeners. Enter the
name of the interface or interface role, or click Select to select it from
a list or to create a new interface role.
Port The port number that the security appliance listens on for this protocol
if other than the default, which is 80 (HTTP) and 443 (HTTPS).
Redirect network users for Whether to redirect users who are making requests through the device
authentication request to the authentication web page served by the security appliance. If you
do not select this option, only traffic directed to the interface is
prompted with the improved authentication web page.
Navigation Path
Go to the AAA Firewall Settings Page, Advanced Setting Tab, page 13-16 and click the Add Row button
beneath the Clear Connections When Uauth Timer Expires table, or select an item in the table and click
the Edit Row button.
Field Reference
Element Description
Interface The interfaces or interface roles for which you are configuring settings.
Enter the name or click Select to select the interface or interface role or
to create a new role. Separate multiple entries with commas.
Source IP Address/Netmask The host or network addresses for which you want to clear connections
immediately when the user authentication timer expires. The list can
include host IP addresses, network addresses, address ranges, or
network/host objects Separate multiple addresses with commas. For
more information on entering addresses, see Specifying IP Addresses
During Policy Definition, page 6-68.
Tip The MAC exempt list is processed on a first match basis. Thus, the order of entries matters. If you want
to permit a group of MAC addresses, but deny a subset of them, the deny rule must come before the
permit rule. However, Security Manager does not allow you to order MAC exempt rules: they are
implemented in the order shown. If you sort the table, your policy changes. If your entries do not depend
on each other, this does not matter. Otherwise, ensure that you enter rows in the proper order.
Navigation Path
To access the MAC Exempt List tab, do one of the following:
(Device view) Select an ASA, PIX, or FWSM device, then select Firewall > Settings > AAA
Firewall. Select the MAC-Exempt List tab.
(Policy view) Select Firewall > Settings > AAA Firewall from the Policy Type selector. Create a
new policy or select an existing one, then select the MAC-Exempt List tab.
(Map view) Right-click an ASA, PIX, or FWSM device and select Edit Firewall Settings > AAA
Firewall, then select the MAC-Exempt List tab.
Related Topics
Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 13-4
Filtering Tables, page 1-33
Field Reference
Element Description
MAC-Exempt List Name The name of the MAC exempt list.
MAC Exempt List table The MAC exempt rules that you want to implement. The table shows the
MAC addresses and masks (in hexadecimal) and whether you are
permitting them (exempting them from authentication and authorization)
or denying them (making them go through standard authentication and
authorization). The device processes the entries in order and uses the first
match (not the best match).
To add an exemption rule, click the Add Row button and fill in the
Firewall AAA MAC Exempt Setting Dialog Box, page 13-21.
To edit an exemption rule, select it and click the Edit Row button.
To delete an exemption rule, select it and click the Delete Row button.
Navigation Path
Go to the AAA Firewall Page, MAC-Exempt List Tab, page 13-20 and click the Add Row button beneath
the MAC Exempt List table, or select an item in the table and click the Edit Row button.
Field Reference
Element Description
Action The action you want to take for the hosts that use the specified MAC addresses:
PermitExempts the host from authentication and authorization.
DenyForces the host to go through authentication and authorization.
MAC Address The MAC address of the hosts in standard 12-digit hexadecimal format, such as
00a0.cp5d.0282. You can enter complete MAC addresses or partial addresses.
For partial addresses, you can enter 0 for digits you are not matching.
MAC Mask The mask to apply to the MAC address. Use f to match a digit exactly, 0 to
match any digit at that place:
To specify an exact match of the address, enter ffff.ffff.ffff.
To match an address pattern, enter 0 for any digit for which you want to
match any character. For example, ffff.ffff.0000 matches all addresses
that have the same first 8 digits.
AuthProxy Page
Use the AuthProxy firewall settings policy to identify the servers and banners to use for the
authentication proxy and to configure non-default timeout values. The authentication proxy for IOS
devices is a service that forces users to log in and authenticate when trying to make HTTP, Telnet, or
FTP connections through an IOS device. The settings you configure here work in conjunction with your
AAA rules; only if a AAA rule requires user authentication for one of these services does your
AuthProxy settings come into play.
Ensure that your configuration of this policy is consistent with your Firewall > AAA Rules policy.
Additionally, you must use the Platform > Device Admin > AAA policy to define the AAA server
groups to use for authenticating user access; this policy defines only the authorization and accounting
server groups. If you also want to use authorization proxy for HTTPS access, you must enable SSL and
configure AAA in the Platform > Device Admin > Device Access > HTTP policy in addition to
enabling HTTP authorization proxy in your AAA rules policy.
Tip You must configure per-user ACLs in your AAA server to define the privileges you want to apply to each
user. When configuring authorization, specify auth-proxy as the service (e.g. service = auth-proxy),
with a privilege level of 15. For more information on configuring the AAA server, including information
on configuring authentication proxy in general, see the Configuring the Authentication Proxy section
in the Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T at
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authen_prxy_ps
6441_TSD_Products_Configuration_Guide_Chapter.html.
Navigation Path
To access the AuthProxy page, do one of the following:
(Device view) Select a device, then select Firewall > Settings > AuthProxy from the Policy selector.
(Policy view) Select Firewall > Settings > AuthProxy from the Policy Type selector. Create a new
policy or select an existing one.
(Map view) Right-click a device and select Edit Firewall Settings > AuthProxy.
Related Topics
Understanding AAA Rules, page 13-1
Understanding How Users Authenticate, page 13-2
Configuring AAA Rules for IOS Devices, page 13-7
Field Reference
Element Description
General Tab
Authorization Server Groups The AAA server group policy objects that identify the TACACS+ or
RADIUS servers that will provide per-user authorization control. You
can also use the LOCAL user database defined on the device.
Enter the names of the server group objects, or click Select to select
them from a list or to create new objects. Ensure that you put the groups
in priority order; authorization is attempted with the first group and if
that group is not available, with subsequent groups.
Accounting Server Groups The AAA server group policy objects that identify the TACACS+ or
RADIUS servers that will provide accounting services. Accounting
Use Broadcast
collects per-user usage information for billing, security, or resource
for Accounting
allocation purposes. Enter the names of the server group objects, or
click Select to select them from a list or to create new objects.
Ensure that you put the groups in priority order; if you do not select the
broadcast option, accounting is attempted with the first group and if
that group is not available, with subsequent groups.
If you select Use Broadcast for Accounting, accounting records are
sent simultaneously to the first server in each group. If the first server
is unavailable, failover occurs using the backup servers defined within
that group.
Accounting Notice The types of accounting notices to be sent to the accounting
server groups:
Start-stopSends a start accounting notice at the beginning of a
user process and a stop accounting notice at the end of the process.
The start accounting record is sent in the background. The
requested user process begins regardless of whether the start
accounting notice was received by the accounting server.
Stop-onlySends a stop accounting notice at the end of the
requested user process.
NoneNo accounting records are sent.
HTTP Banner The banner you want to present on the authentication proxy page to the
FTP Banner user when the user is prompted to authenticate for the specified service:
Disable Banner TextNo banner is displayed.
Telnet Banner
Use Default Banner TextDisplays the default banner Cisco
Systems, router hostname Authentication.
Use Custom Banner TextEnter the text you want to present to
the user.
Use HTTP banner from File Whether you want to use your own web page to authenticate HTTP
connections. Enter the URL for your HTTP banner.
URL
If you configure both HTTP banner text and a URL, the URL
banner take precedence; however, the banner text is also configured
on the device.
Element Description
Timeout Tab
Global Inactivity Time The length of time, in minutes, that the authentication proxy for a user
is maintained when there is no user activity in the session. If this timer
expires, the user session is cleared along with its dynamic user access
control list (ACL), and the user must re-authenticate. The range is 1 to
2,147,483,647. The default is 60 minutes.
Ensure that this timeout value is greater than or equal to the idle timeout
values configured in the Firewall > Settings > Inspection policy;
otherwise, timed-out user sessions might continue to be monitored and
eventually hang.
Global Absolute Time The length of time, in minutes, that an authentication proxy user
session can remain active. After this timer expires, the user session
must go through the entire process of establishing its connection as if it
were a new request. The range is 0 to 35,791. The default is 0, which
means that there is no global absolute timeout; user sessions are
maintained as long as they are active.
Interface Timeout Table This table contains the interfaces for which you want to configure
timeout values that differ from the global timeout values. If you want
to use the global values for all interfaces, you do not need to configure
anything in this table.
To add an interface with customized timeout values, click the Add
Row button and fill in the Firewall AAA IOS Timeout Value
Setting Dialog Box, page 13-24.
To edit a setting, select it and click the Edit Row button.
To delete a setting, select it and click the Delete Row button.
Navigation Path
From the Timeout tab of the AuthProxy Page, page 13-22, click the Add Row button beneath the table
of interfaces, or select a row and click the Edit Row button.
Field Reference
Table 13-9 Firewall AAA IOS Timeout Value Setting Dialog Box
Element Description
Interfaces The interfaces or interface roles for which you are configuring timeout
values. Enter the names of the interfaces or roles, or click Select to
select them from a list or to create new interface roles. Separate
multiple entries with commas.
Inactivity/Cache Time The length of time, in minutes, that the authentication proxy for a user
is maintained when there is no user activity in the session on the
interface. If this timer expires, the user session is cleared along with its
dynamic user access control list (ACL), and the user must
re-authenticate. The range is 1 to 2,147,483,647. The default is the
global inactivity timeout value (whose default is 60 minutes).
Absolute Time The length of time, in minutes, that an authentication proxy user
session can remain active on the interface. After this timer expires, the
user session must go through the entire process of establishing its
connection as if it were a new request. The range is 1 to 35,791. The
default is 0, which means that there is no absolute timeout; user
sessions are maintained as long as they are active.
Authentication Proxy The protocols to which these timeout values should apply. You can
Method (IOS) select any combination of HTTP, FTP, or Telnet.
Access rules define the rules that traffic must meet to pass through an interface. When you define rules
for incoming traffic, they are applied to the traffic before any other policies are applied (with the
exception of less common AAA rules). In that sense, they are your first line of defense.
The following topics help you understand and work with access rules:
Understanding Access Rules, page 14-1
Understanding Global Access Rules, page 14-3
Understanding Device Specific Access Rule Behavior, page 14-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Configuring Access Rules, page 14-7
Configuring Expiration Dates for Access Rules, page 14-16
Configuring Settings for Access Control, page 14-16
Generating Analysis Reports, page 14-21
Generating Hit Count Reports, page 14-23
Importing Rules, page 14-28
Optimizing Access Rules Automatically During Deployment, page 14-34
The following topics can help you with general rule table usage:
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Moving Rules and the Importance of Rule Order, page 12-16
or denying (dropping) it. Each packet that arrives at an interface is examined to determine whether to
forward or drop the packet based on criteria you specify. If you define access rules in the out direction,
packets are also analyzed before they are allowed to leave an interface.
Tip For ASA 8.3+ devices, you can augment interface-specific access rules with global access rules. For
more information, see Understanding Global Access Rules, page 14-3.
When you permit traffic in an access rule, subsequent policies might end up dropping it. For example,
inspection rules, web filter rules, and zone-based firewall rules are applied after a packet makes it
through the interfaces access rules. These subsequent rules might then drop the traffic based on a deeper
analysis of the traffic; for example, the packet header might not meet your inspection requirements, or
the URL for a web request might be for an undesired web site.
Thus, you should carefully consider the other types of firewall rules you intend to create when you define
access rules. Do not create a blanket denial in an access rule for traffic that you really want to inspect.
On the other hand, if you know that you will never allow a service from or to a specific host or network,
use an access rule to deny the traffic.
Keep in mind that access rules are ordered. That is, when the device compares a packet against the
rules, it searches from top to bottom and applies the policy for the first rule that matches it, and ignores
all subsequent rules (even if a later rule is a better match). Thus, you should place specific rules above
more general rules to ensure those rules are not ignored. To help you identify cases where rules will never
be matched, and to identify redundant rules, you can use the analysis and policy query tools. For more
information, see Generating Analysis Reports, page 14-21 and Generating Policy Query Reports,
page 12-24.
The following are additional ways in which you can evaluate your access rules:
Combine rulesYou can use a tool to evaluate your rules and combine them into a smaller number
of rules that perform the same functions. This can leave you with a smaller, easier to manage list of
rules. For more information, see Combining Rules, page 12-19.
Generate hit countsYou can use a tool to view the hit count statistics maintained by the device.
This can tell you how often a rule has permitted or denied traffic. For more information, see
Generating Hit Count Reports, page 14-23.
View events collected by CS-MARSYou can analyze real time or historical events related to a rule
using the Cisco Security Monitoring, Analysis and Response System application if you configured
it to monitor the device and you configure the rule to generate syslog messages. For more
information, see Viewing CS-MARS Events for an Access Rule, page 60-20.
For more conceptual information on access rules, see the following topics:
Understanding Global Access Rules, page 14-3
Understanding Device Specific Access Rule Behavior, page 14-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Related Topics
Configuring Access Rules, page 14-7
Configuring Expiration Dates for Access Rules, page 14-16
Configuring Settings for Access Control, page 14-16
Expanding Object Groups During Discovery, page 12-31
Importing Rules, page 14-28
Tip If you want to configure the same set of global rules for more than one device, create a shared policy and
inherit it in the access rules policy for each device. Ensure that all global rules are in the Default section
of the shared policy. If you put any global rules in the Mandatory section, you will not be able to inherit
it on devices that have local interface-specific access rules defined. For more information on shared and
inherited policies, see Local Policies vs. Shared Policies, page 5-3 and Understanding Rule Inheritance,
page 5-4.
When you configure access rules for an ASA 8.3+ device in Security Manager, interface-specific
and global rules are configured in the same policy. However, because the device always processes
interface-specific rules first, Security Manager prevents you from intermixing these different types
of rules. Therefore, if you configure both interface-specific and global rules on a device, keep the
following in mind:
Global rules always come last in the access rules policy. All interface-specific rules come before
global rules.
You cannot move rules in a way that violates the required order. For example, you cannot move an
interface-specific rule below a global rule, or a global rule above an interface-specific rule.
You cannot create rules in a location that violates the required order. For example, if you select an
interface-specific rule, and another interface-specific rule follows it in the table, you cannot create
a global rule. If you try to create the wrong kind of rule, when you save the rule, Security Manager
will ask you if the rule can be created at the nearest valid location. You must accept the suggestion
or the rule will not be added to the table. You can always move the rule after creating it if the
suggested location is not ideal (but without violating the rules on order).
You cannot inherit a policy if the rules in the inherited policy will violate the required order. For
example, if you create global rules in the device policy, and try to inherit a shared policy that
contains interface-specific rules in the Default section, Security Manager will prevent you from
inheriting the policy.
After assigning or inheriting a shared policy, you cannot edit the policy in a way that will violate
rule order on any device that uses the policy.
If you assign or inherit a policy that contains global rules on a device that does not support them, all
global rules are ignored and not configured on the device. For example, if you permit all traffic from
host 10.100.10.10 in a global rule in a shared policy, and assign that policy to an IOS device, the
rule permitting 10.100.10.10 access is not configured on the IOS device, and traffic from that host
is handled either by another interface-specific policy, or the default deny all policy. As a good
practice, you should not assign shared policies that contain global rules to devices that do not
support them, to ensure that you do not mistakenly believe the policy defined in a global rule is being
configured on the unsupported device.
There are also some changes in how certain tools work with global rules:
Find/ReplaceYou can search for global rules by using the Global interface name. However, there
is no way to convert between global and interface-specific rules. Although you can find global rules
using the Global interface name, if you try to replace an interface name with the name Global, you
are actually creating an interface-specific access rule that uses a policy object named Global.
Rule CombinerInterface-specific and global rules are never combined.
Related Topics
Understanding Access Rules, page 14-1
Understanding Device Specific Access Rule Behavior, page 14-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Configuring Access Rules, page 14-7
Moving Rules and the Importance of Rule Order, page 12-16
FWSM devicesDeny all traffic entering an interface, permit all traffic leaving an interface.
You must configure access rules to allow any traffic to enter the device.
If you create any rules for an interface for any type of device, the device adds an implicit deny any rule
at the end of the policy. It is a good practice for you to add this rule yourself so that you remember it is
there. Adding the rule also allows you to get hit count information for the rule. For more information,
see Generating Hit Count Reports, page 14-23.
Tip When you create the access rule policy, ensure that you include a rule that will permit access to the
device from the Security Manager server, or you will not be able to manage the device using the product.
Related Topics
Understanding Access Rules, page 14-1
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Tips
Because you can use network/host objects to identify a source or destination, and you can configure
deployment optimization for rules, there is not always a one-to-one relationship between an access
rule and ACEs in the CLI definition of an ACL.
All access lists created from firewall rules are extended access lists (rather than standard). Security
Manager applies a system-generated name to the ACL unless you specify a name for the ACL on the
Access Control Settings Page, page 14-17. The name applies to the ACL that includes all of the rules
related to the interface and direction for which the name is defined.
There are several deployment options that control how object groups are deployed. This topic
describes the default behavior. On the Deployment Page, page 11-7 (select Tools > Security Manager
Administration > Deployment), you can deselect the option to create object groups from
network/host objects. You can also optimize object groups during deployment (see Optimizing
Network Object Groups When Deploying Firewall Rules, page 12-30), create new object groups from
rules with multiple services or source and destination addresses, or remove unused object groups.
The deployment options also include settings that control the names of ACLs generated from access
rules and how many ACLs are created. By default, Security Manager creates a unique ACL for each
interface, even if this means that several duplicate ACLs are created.
If you select Enable ACL Sharing for Firewall Rules, Security Manager can create a single
ACL and apply it to multiple interfaces, thus avoiding the creation of unnecessary duplicate ACLs.
However, ACL sharing occurs only if it can be done while preserving your ACL naming requirements:
If you specify an ACL name for an interface and direction, that name is always used, even if it
means a duplicate ACL must be created. For more information, see Configuring Settings for
Access Control, page 14-16.
If you select Reuse existing names for the Firewall Access-List Names property, the existing
names are preserved (unless you override them in the access control settings policy). This means
that you might end up with duplicate ACLs under different names if duplicate ACLs already
exist on the device.
Tip: To maximize ACL sharing, ensure that you select Reset to CS-Manager Generated Names for
the Firewall Access-List Names property, select Speed for the Optimize the Deployment of Access
Rules For property, and that you do not configure ACL names in the access control settings policy.
For more detailed information about the Enable ACL Sharing for Firewall Rules property, see
Deployment Page, page 11-7.
Related Topics
Understanding Access Rules, page 14-1
Configuring Access Rules, page 14-7
Configuring Settings for Access Control, page 14-16
Expanding Object Groups During Discovery, page 12-31
Related Topics
Using Sections to Organize Rules Tables, page 12-17
Copying Policies Between Devices, page 5-30
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34
Understanding Network/Host Objects, page 6-62
Understanding Interface Role Objects, page 6-55
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Step 1 Do one of the following to open the Access Rules Page, page 14-8:
(Device view) Select Firewall > Access Rules from the Policy selector.
(Policy view) Select Firewall > Access Rules from the Policy Type selector. Select an existing
policy or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and
select Add Row. This opens the Add and Edit Access Rule Dialog Boxes, page 14-11.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9. Special rules apply if you mix interface-specific and global rules in a policy;
for more information, see Understanding Global Access Rules, page 14-3.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific
information on configuring the fields, see Add and Edit Access Rule Dialog Boxes, page 14-11.
Permit or DenyWhether you are allowing traffic that matches the rule or dropping it.
Source and Destination addressesIf the rule should apply no matter which addresses generated the
traffic or their destinations, use any as the source or destination. If the rule is specific to a host or
network, enter the addresses or network/host objects. For information on the accepted address
formats, see Specifying IP Addresses During Policy Definition, page 6-68.
ServiceUse the IP service to apply to any traffic (for example, if you want to deny all traffic from
a specific source). Otherwise, select the more specific service, which is a protocol and port
combination, that you are targeting.
Interfaces or GlobalThe interface or interface role for which you are configuring the rule, or
Global to create global access rules on ASA 8.3+ devices (see Understanding Global Access Rules,
page 14-3).
Advanced settingsClick Advanced to open the Advanced dialog box for configuring additional
settings. You can configure the following options; for detailed information, see Advanced and Edit
Options Dialog Boxes, page 14-13.
Logging options. If you are using Security Manager or CS-MARS to monitor the device, ensure
that you enable logging.
The direction of traffic to which this rule should apply (in or out). The default is in. You cannot
change this setting for global rules.
The time range for the rule, which allows you to configure rules that work only for specific
periods of time, such as during working hours. For more information, see Configuring Time
Range Objects, page 6-53.
IOS device options for fragmentation and allowing the return of traffic for established
outbound sessions.
Rule expiration dates and notification settings. For more information, see Configuring
Expiration Dates for Access Rules, page 14-16.
Click OK when you are finished defining your rule.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-16. There are special restrictions for moving rules when you mix
interface-specific and global rules; see Understanding Global Access Rules, page 14-3.
Step 5 If you already have a large number of rules, consider analyzing and combining them before deploying
the new rules:
Click the Tools button and select Analysis to analyze whether you have redundant rules or rules that
will not be used. Fix problem areas. For more information, see Generating Analysis Reports,
page 14-21.
If analysis shows that you have a lot of redundant rules, click the Tools button and select Combine
Rules to combine them. You can either allow Security Manager to evaluate all rules for combination,
or just the rules you select before starting the rule combiner tool. For more information, see
Combining Rules, page 12-19.
Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration,
disabled rules are removed from the device. For more information, see Enabling and Disabling Rules,
page 12-17.
Navigation Path
To open the Access Rules page, do one of the following:
(Device view) Select a device, then select Firewall > Access Rules from the Policy selector.
(Policy view) Select Firewall > Access Rules from the Policy Type selector. Create a new policy or
select an existing one.
(Map view) Right-click a device and select Edit Firewall Policies > Access Rules.
Related Topics
Configuring Expiration Dates for Access Rules, page 14-16
Configuring Settings for Access Control, page 14-16
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Moving Rules and the Importance of Rule Order, page 12-16
Using Sections to Organize Rules Tables, page 12-17
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Field Reference
Element Description
No. The ordered rule number.
Permit Whether a rule permits or denies traffic based on the conditions set:
PermitShown as a green check mark.
DenyShown as a red circle with slash.
Source The source and destination addresses for the rule. The any address does
not restrict the rule to specific hosts, networks, or interfaces. These
Destination
addresses are IP addresses for hosts or networks, network/host objects,
interfaces, or interface roles. Multiple entries are displayed as separate
subfields within the table cell. See:
Understanding Network/Host Objects, page 6-62
Understanding Interface Role Objects, page 6-55
Element Description
Service The services or service objects that specify the protocol and port of the
traffic to which the rule applies. Multiple entries are displayed as separate
subfields within the table cell. See Understanding and Specifying Services
and Service and Port List Objects, page 6-69.
Interface The interfaces or interface roles to which the rule is assigned. Interface role
objects are replaced with the actual interface names when the configuration
is generated for each device. Multiple entries are displayed as separate
subfields within the table cell. See Understanding Interface Role Objects,
page 6-55.
For ASA 8.3+ devices, global rules are indicated with the name Global and
a special icon to distinguish them from rules that use interface or interface
role names (for an explanation of the icons, see Specifying Interfaces During
Policy Definition, page 6-58).
Dir. The direction of the traffic to which this rule applies:
InPackets entering the interface.
OutPackets exiting the interface.
Options The additional options configured for the rule. These include logging, time
range, and some additional IOS rule options. See Advanced and Edit Options
Dialog Boxes, page 14-13.
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description The description of the rule, if any.
Expiration Date The date that the rule expires. Expired rules show Expired in bold text.
Expired rules are not automatically deleted.
Tools button Click this button to select tools that you can use with this type of policy. You
can select from the following tools:
AnalysisTo identify rules that overlap or conflict with other rules. See
Generating Analysis Reports, page 14-21.
Combine RulesTo improve performance and memory usage by
combining similar rules. This reduces the number of rules in the policy.
See Combining Rules, page 12-19.
Hit CountTo identify the number of times that traffic for a device is
permitted or denied based on an access rule. This information is useful
in debugging the deployed policies. See Generating Hit Count Reports,
page 14-23.
Import RulesTo import rules from an ACL defined using device
commands. See Importing Rules, page 14-28.
QueryTo run policy queries, which can help you evaluate your rules
and identify ineffective rules that you can delete. See Generating Policy
Query Reports, page 12-24
Find and Replace button Click this button to search for various types of items within the table and to
(binoculars icon) optionally replace them. See Finding and Replacing Items in Rules Tables,
page 12-13.
Element Description
Up Row and Down Row Click these buttons to move the selected rules up or down within a scope or
buttons (arrow icons) section. For more information, see Moving Rules and the Importance of Rule
Order, page 12-16.
Add Row button Click this button to add a rule to the table after the selected row using the
Add and Edit Access Rule Dialog Boxes, page 14-11. If you do not select a
row, the rule is added at the end of the local scope. For more information
about adding rules, see Adding and Removing Rules, page 12-8.
Edit Row button Click this button to edit the selected rule. You can also edit individual cells.
For more information, see Editing Rules, page 12-9.
Delete Row button Click this button to delete the selected rule.
Navigation Path
From the Access Rules Page, page 14-8, click the Add Row button or select a row and click the Edit
Row button.
Related Topics
Configuring Expiration Dates for Access Rules, page 14-16
Editing Rules, page 12-9
Adding and Removing Rules, page 12-8
Importing Rules, page 14-28
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Field Reference
Element Description
Enable Rule Whether to enable the rule, which means the rule becomes active when you
deploy the configuration to the device. Disabled rules are shown overlain
with hash marks in the rule table. For more information, see Enabling and
Disabling Rules, page 12-17.
Action Whether the rule permits or denies traffic based on the conditions you define.
Sources The source or destination of the traffic. You can enter more than one value
Destinations by separating the items with commas.
You can enter any combination of the following address types to define the
source or destination of the traffic. For more information, see Specifying IP
Addresses During Policy Definition, page 6-68.
Network/host object. Enter the name of the object or click Select to
select it from a list. You can also create new network/host objects from
the selection list.
Host IP address, for example, 10.10.10.100.
Network address, including subnet mask, in either the format
10.10.10.0/24 or 10.10.10.0/255.255.255.0.
A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255, where the
mask is a discontiguous bit mask (see Contiguous and Discontiguous
Network Masks, page 6-63).
Interface role object. Enter the name of the object or click Select to
select it from a list (you must select Interface Role as the object type).
When you use an interface role, the rule behaves as if you supplied the
IP address of the selected interface. This is useful for interfaces that get
their address through DHCP, because you do not know what IP address
will be assigned to the device. For more information, see Understanding
Interface Role Objects, page 6-55.
If you select an interface role as a source, the dialog box displays tabs
to differentiate between hosts or networks and interface roles.
Service The services that define the type of traffic to act on. You can enter more than
one value by separating the items with commas.
You can enter any combination of service objects and service types (which
are typically a protocol and port combination). If you type in a service, you
are prompted as you type with valid values. You can select a value from the
list and press Enter or Tab.
For complete information on how to specify services, see Understanding and
Specifying Services and Service and Port List Objects, page 6-69.
Table 14-2 Add and Edit Access Rule Dialog Boxes (Continued)
Element Description
Interfaces Select whether you are creating an interface-specific or global rule. Global
Global (ASA 8.3+) rules are available only for ASA 8.3+ devices, and are handled according to
special rules (for detailed information, see Understanding Global Access
Rules, page 14-3).
If you select Interfaces, enter the name of the interface or the interface role
to which the rule is assigned, or click Select to select the interface or role
from a list, or to create a new role. An interface must already be defined to
appear on the list.
Interface role objects are replaced with the actual interface names when the
configuration is generated for each device. See Understanding Interface Role
Objects, page 6-55. Global rules are created as a special global ACL that is
not attached to specific interfaces, but is processed for all interfaces in the In
direction after interface-specific rules.
Description An optional description of the rule (up to 1024 characters).
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Advanced button Click this button to configure other settings for the rule, including logging
configuration, traffic direction, time ranges, and rule expiration dates. For
more information, see Advanced and Edit Options Dialog Boxes,
page 14-13.
Navigation Path
To access the Advanced dialog box, do one of the following:
Go to the Add and Edit Access Rule Dialog Boxes, page 14-11 and click Advanced.
Right-click the Options cell in an access rule (on the Access Rules Page, page 14-8) and select Edit
Options. If you select multiple rows, your changes replace the options defined for all selected rules.
Related Topics
Configuring Access Rules, page 14-7
Editing Rules, page 12-9
Understanding Access Rules, page 14-1
Chapter 14, Managing Firewall Access Rules
Configuring Time Range Objects, page 6-53
Field Reference
Element Description
Enable Logging (PIX, Whether to generate syslog messages for the rule entries, or ACEs, for PIX,
ASA, FWSM) ASA, and FWSM devices. You can select these additional options:
Default LoggingUse the default logging behavior. If a packet is
denied, message 106023 is generated. If a packet is permitted, no syslog
message is generated. The default logging interval is 300 seconds.
Per ACE LoggingConfigure logging specific to this entry. Select the
logging level you want to use to log events for the ACE, and the logging
interval, which can be from 1-600 seconds. Syslog message 106100 is
generated for the ACE.
Following are the possible logging levels:
Emergency(0) System is unstable
Alert(1) Immediate action is needed
Critical(2) Critical conditions
Error(3) Error conditions
Warning(4) Warning conditions
Notification(5) Normal but significant condition
Informational(6) Informational messages only
Debugging(7) Debugging messages
Enable Logging (IOS) Whether to generate an informational logging message about the packet that
Log Input matches the entry to be sent to the console for IOS devices.
Select Log Input to include the input interface and source MAC address or
virtual circuit in the logging output.
Traffic Direction For interface-specific access rules, the direction of the traffic to which this
rule applies:
(Advanced dialog
box only) InPackets entering an interface.
OutPackets exiting an interface.
Global rules are always applied in the In direction, so you cannot change this
setting when configuring a global rule.
Time Range The name of a time range policy object that defines the times when this rule
applies. The time is based on the system clock of the device. The feature
works best if you use NTP to configure the system clock.
Enter the name or click Select to select the object. If the object that you want
is not listed, click the Create button to create it.
Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.
Element Description
Options (IOS) Additional options for IOS devices:
FragmentAllow fragmentation, which provides additional management
of packet fragmentation and improves compatibility with NFS.
By default, a maximum of 24 fragments is accepted to reconstruct a full
IP packet; however, based on your network security policy, you might
want to consider configuring the device to prevent fragmented packets
from traversing the firewall.
EstablishedAllow outbound TCP connections to return access through
the device. This option works with two connections: an original
connection outbound from a network protected by the device, and a return
connection inbound between the same two devices on an external host.
Rule Expiration Whether to configure an expiration date for the rule. Click the calendar icon
to select a date. For more information, see Configuring Expiration Dates for
(Advanced dialog
Access Rules, page 14-16.
box only)
If you configure an expiration date, you can also configure the number of
days before which the rule expires to send out a notification of the pending
expiration, and e-mail addresses to which to send the notifications. These
fields are initially filled with the information configured on the Rule
Expiration administrative settings page (select Tools > Security Manager
Administration > Rule Expiration).
Expired rules are not automatically deleted. You must delete them yourself
and redeploy the configuration to the device.
Navigation Path
Right-click the Expiration Date cell in an access rule (on the Access Rules Page, page 14-8) and select
Edit Rule Expiration. If you select multiple rows, your changes replace the options defined for all
selected rules.
Related Topics
Rule Expiration Page, page 11-33
Contiguous and Discontiguous Network Masks, page 6-63
There are other settings available, but they pertain to older devices and software releases and are of
limited use.
Related Topics
Configuring Access Rules, page 14-7
Step 1 Do one of the following to open the Access Control Settings Page, page 14-17:
(Device view) Select Firewall > Settings > Access Control from the Policy selector.
(Policy view) Select Firewall > Settings > Access Control from the Policy Type selector. Select an
existing policy or create a new one.
Step 2 Configure the global settings in the top part of the page. For PIX, ASA, and FWSM devices, you can
define the maximum number of concurrent deny flows and the related syslog interval. For ASA 8.3+
devices, you can enable object group search to optimize ACL performance when converting from
Checkpoint, but this setting is not recommended unless you have a memory-constrained device.
For specific information about these settings, and the platforms that support ACL compilation, see
Access Control Settings Page, page 14-17.
Step 3 For each interface on which you want to configure an ACL name, or enable per-user ACLs, add the
interface to the interfaces table by clicking the Add Row button beneath the table and filling in the
Firewall ACL Setting Dialog Box, page 14-19.
If you configure an ACL name, the name is applied to the specific interface and direction. Security
Manager creates system-generated names for any interface/direction combinations you do not
specifically name.
You can also specify the name of the global ACL for ASA 8.3+ devices.
You can edit existing entries in the list by selecting them and clicking Edit Row, or delete them by
clicking Delete Row.
Tip Many of these settings apply only to specific device types or software versions. If you configure an option
and apply the policy to unsupported device types, the option is ignored for those unsupported devices.
Navigation Path
To access the Access Control Page, do one of the following:
(Device view) Select a device, then select Firewall > Settings > Access Control from the
Policy selector.
(Policy view) Select Firewall > Settings > Access Control from the Policy Type selector. Create a
new policy or select an existing policy.
(Map view) Right-click a device and select Edit Firewall Settings > Access Control.
Related Topics
Configuring Settings for Access Control, page 14-16
Understanding Access Rules, page 14-1
Understanding Device Specific Access Rule Behavior, page 14-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Understanding Access Rules, page 14-1
Understanding Interface Role Objects, page 6-55
Field Reference
Element Description
Maximum number of The maximum number of concurrent deny flows that the device is
concurrent flows (PIX, allowed to create. Syslog message 106101 is generated when the device
ASA, FWSM) reaches the number. The range you should use depends on the amount
of flash memory available in the device:
More than 64 MBValues are 1-4096. The default is 4096.
More than 16 MBValues are 1-1024. The default is 1024.
Less than or equal to 16 MBValues are 1-256. The default is 256.
Syslog interval (PIX, The interval of time for generating syslog message 106101, which
ASA, FWSM) alerts you that the security appliance has reached a deny flow
maximum. When the deny flow maximum is reached, another 106101
message is generated if the specified number of seconds has passed
since the last 106101 message. Values are 1-3600 milliseconds. The
default is 300.
Enable Access List Whether to compile access lists, which speeds up the processing of
Compilation (Global) large rules tables. Compilation optimizes your policy rules and
performance for all ACLs, but is supported on a limited number of
older platforms:
Routers (global configuration only): 7120, 7140, 7200, 7304,
and 7500.
PIX 6.3 firewalls, in global mode or per interface.
An ACL is compiled only if the number of access list elements is
greater than or equal to 19. The maximum recommended number of
entries is 16,000.
To compile access lists, the device must have a minimum of 2.1 MB of
memory. Access list compilation is also known as Turbo ACL.
Element Description
Enable Object Group Search Whether to enable object group search on ASA 8.3+ devices, which
(ASA 8.3+) optimizes ACL performance without expanding object groups. Object
group search is mainly for use when migrating from Checkpoint to
ASA, which can result in a large increase in the number of access rules,
when you have a memory-constrained device (that is, you find during
operations that memory runs low).
If you enable object group search, you cannot use the Hit Count tool to
analyze your rules. In most cases, you should not enable this feature.
Instead, use the rule combiner tool to simplify your access rules, and
consider using global rules for rules you want to enforce on all interfaces.
Interfaces table The table lists the interfaces for which you want to configure special
processing. The interface name can be a specific interface or an
interface role (which can apply settings to more than one interface at a
time), or Global for global ACL settings on ASA 8.3+ devices.
The main use of this table is to configure names for ACLs if you do not
want Security Manager to configure system-generated names. The name
applies to the ACL generated for an interface in a specific direction.
You can also configure interface-level settings for object group search,
per user downloadable ACLs, and ACL compilation.
To add an interface setting, click the Add Row button and fill in the
Firewall ACL Setting Dialog Box, page 14-19.
To edit an interface setting, select it and click the Edit Row button.
To delete an interface setting, select it and click the Delete Row
button.
Navigation Path
Go to the Access Control Settings Page, page 14-17 and click the Add Row button below the interface
table, or select a row in the table and click the Edit Row button.
Related Topics
Configuring Settings for Access Control, page 14-16
Understanding Access Rules, page 14-1
Understanding Global Access Rules, page 14-3
Understanding Device Specific Access Rule Behavior, page 14-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Understanding Interface Role Objects, page 6-55
Field Reference
Element Description
Interface Select whether you are configuring settings for specific interfaces (or
Global (ASA 8.3+) interface roles), or for global rules on ASA 8.3+ devices.
If you select Interface, specify the name of the interface or interface
role for which you are configuring settings. Enter the name or click
Select to select it from a list or to create a new object.
If you select Global, your only option is to specify the name of the
global ACL.
Traffic Direction The direction of the traffic through the interface, in or out. The settings
you configure apply only to this direction, if direction matters.
For global ACLs on ASA 8.3+ devices, the direction is always in.
User Defined ACL Name Whether you want to supply the name for the ACL. If you select this
option, enter the name you want to use, which is applied to the ACL
generated for the interface and direction combination. The name must
be unique on the device.
If you are configuring the name for the global ACL on ASA 8.3+
devices, the option is automatically selected; simply enter the
desired name.
If you do not configure a name, Security Manager generates a name
for you.
Enable Per User Whether to enable the download of per-user ACLs to override the ACLs
Downloadable ACLs (PIX, on the interface. User ACLs are configured in a AAA server; they are
ASA, FWSM) not configured in Security Manager. If there are no per-user ACLs, the
access rules configured for the interface are applied to the traffic.
Enable Object Group Search Whether to enable object group search on a PIX 6.3 interface, which
(PIX 6.x) reduces the memory requirement on the device to hold large ACLs.
However, object group search impacts performance by making ACL
processing slower for each packet.
Object group search is recommended when you have huge object groups.
Tip If you are trying to configure object group search on ASA 8.3+
devices, the setting is on the Access Control Settings Page,
page 14-17.
Enable Access List Whether to compile access lists on this interface for PIX 6.x devices.
Compilation (PIX 6.x) This setting overrides the equivalent global setting that you configure
on the Access Control Settings page.
ACL compilation speeds up the processing of large rules tables and
optimizes your policy rules and performance for the interface. An ACL
is compiled only if the number of access list elements is greater than or
equal to 19. The maximum recommended number of entries is 16,000.
To compile access lists, the device must have a minimum of 2.1 MB
of memory.
Tip In addition to analysis, you can use the Combine Rules tool to have Security Manager evaluate your rules
and find ways to combine them into more efficient rules. For more information, see Combining Rules,
page 12-19.
Related Topics
Understanding Access Rules, page 14-1
Understanding Device Specific Access Rule Behavior, page 14-4
Understanding Access Rule Address Requirements and How Rules Are Deployed, page 14-5
Configuring Access Rules, page 14-7
Left pane (Base Rules)Lists conflicting groups of rules identified by the base rule, which is the
rule with the lowest rule number.
Top right pane (Conflict Overview)Shows the base rule selected in the left pane and all of the rules
that overlap, or conflict, with it. The scope indicates whether the rule is local to a device or inherited
from a shared rule (mandatory or default). The other columns are the same as the regular access rule
attributes (see Access Rules Page, page 14-8).
Select an overlapping rule in this pane to view a detailed comparison in the lower right pane.
Bottom right pane (Overlap Details)Shows a detailed comparison between the base rule and the
overlapping rule selected in the top right pane for easier direct comparison. Conflicting elements are
shown in bold text. The types of overlap are explained above.
Use the previous and next buttons to page through the details if necessary.
Tip If you enable object group search on an ASA 8.3+ device, you cannot use the Hit Count tool. Object
group search is configured on the Access Control Settings Page, page 14-17.
Related Topics
Understanding Access Rules, page 14-1
Configuring Access Rules, page 14-7
Step 1 (Device view only.) Select Firewall > Access Rules to open the Access Rules Page, page 14-8.
Step 2 If you want to get the hit count for specific rules, select them in the table. Use Shift+click to select a
group of rules, or Ctrl+click to select multiple individual rules.
You can also select rules by selecting a section heading, a scope heading, or by creating a filter to display
only those rules that interest you.
Step 3 Click the Tools button located below the table, then select Hit Count to open the Hit Count Selection
Summary Dialog Box, page 14-25.
Step 4 Select the rules to include in the report. Select All Rules to include all local, shared, and inherited rules.
If you selected rules before initiating the report, select that option.
Step 5 Click OK.
The tool obtains the ACL and hit count information from the device. You can abort the operation if you
want. When the information is obtained, it is displayed in the Hit Count Summary Results Page. For
information on reading the report, see Analyzing Hit Count Query Results, page 14-26.
You can click Refresh Hit Count while the report is open to obtain the latest information. The Delta
column displays the difference in hit count since the last refresh.
Navigation Path
(Device view only) From the Access Rules Page, page 14-8, click the Tools button and select Hit Count.
Related Topics
Generating Hit Count Reports, page 14-23
Understanding Access Rules, page 14-1
Field Reference
Element Description
Policy Selected Identifies the selected policy. If you do not select any policy, this is typically
Local, which means the rules defined specifically for the device. The policy
might also be a scope within a shared or inherited policy.
The indication in this field does not actually limit the scope of your hit
count report.
Rules Selected The rules for which you want to obtain hit counts.
Select All Rules to get hit counts for all inherited, shared, and local
rules. The option is not restricted to the scope indicated in the Policy
Selected field.
This is the only available option if you do not select any rules before
initiating the hit count report.
Select the option for your selected rules to obtain information for only
those rules. You can select the rows related to the name of a scope, a
section name, multiple individual rules, or create a filter and select all
filtered rules. This is the default if any row is selected when you initiate
the hit count report.
Navigation Path
(Device view only) From the Access Rules Page, page 14-8, click the Tools button, select Hit Count,
and then click OK in the Hit Count Selection Summary Dialog Box, page 14-25.
Related Topics
Generating Hit Count Reports, page 14-23
Understanding Access Rules, page 14-1
Table Columns and Column Heading Features, page 1-34
Using Category Objects, page 6-9
Field Reference
Element Description
Select Device The device for which you are displaying hit count information.
Refresh Hit Click this button to update the hit count information. The difference between
Count button the last hit count and the updated hit count is listed in the Delta column in
the expanded table (in the lower pane).The amount of time since the last
refresh is shown next to the button to help you evaluate the delta count.
Obtaining refreshed information can take some time, so you are given the
opportunity to abort the refresh.
Selected Access The rules you selected for obtaining hit count information. The hit count is
Rules table the sum of the hit counts for all ACEs created by the rule. The other
information is the same as in the Access Rules Page, page 14-8.
Select one or more rules in this table to see detailed information for the
access control entries (ACEs) associated with the rule in the tables in the
lower half of the window.
Choose Select whether you want to see the expanded table or the raw ACE table
(both explained below).
Expanded table Lists the devices access control list entries (ACEs) for the rule selected in
the upper table (Selected Access Rules table). The list contains more than
one ACE if the access rule generated more than one ACE when you deployed
the policy to the device.
The columns in the table match those of the upper table, except they contain
the specific data configured in the ACE in place of any network/host, service,
or interface role objects contained in the rule, with the exception of IOS
12.4(20)T+ devices, which show data only at the object level. Also, the name
of the ACL that contains the ACE is listed.
The additional Delta column contains the number of hits for the ACE since
the last time you clicked the Refresh Hit Count button. The Hit Count
column shows the hits for the specific ACE rather than the overall rule.
Tip You can sort on multiple columns at the same time by pressing and
holding the Ctrl key while you click the column headings. You can
sort on all columns except Interface, Direction, and ACL Name.
Raw ACE table Shows the actual CLI for the access control entry, along with the hit count. Use
this information if you are more comfortable evaluating device commands.
Importing Rules
Typically, when you add a device to Security Manager, you discover policies from the device. This
action populates your access rules policy with the access control entries (ACEs) from all active ACLs
on the device.
If you find there are other ACLs that have ACEs you want included in your policy, you can define them
directly in Security Manager.
Another alternative, however, is to import them by copying and pasting the CLI from a device
running-configuration or by typing in the desired commands. By using the Import Rules wizard, you can
quickly create all of the ACEs and associated policy objects from ACLs that you know already work.
You might also want to use this method if you are more comfortable using CLI to define your rules.
Step 1 (Device view only) Select Firewall > Access Rules to open the Access Rules Page, page 14-8.
Step 2 Select the row after which you want to add the rules. The row must be within the Local scope. If you do
not select a row, the rules are added at the end of the Local scope.
Step 3 Click the Tools button and select Import Rules to start the wizard (see Import Rules WizardEnter
Parameters Page, page 14-29).
Step 4 Enter the CLI in running-configuration format appropriate for the type of device. Select whether you are
creating an interface-specific rule (and enter the interface or interface role to which you want the rules
to apply), or for ASA 8.3+ devices, a global rule (see Understanding Global Access Rules, page 14-3).
Also, select the traffic direction with respect to the interface (the direction is always In for global rules).
For examples of importable CLI, see Examples of Imported Rules, page 14-32.
Beside access control rules, you should also include the CLI for the following items if they are referred
to by the rules:
Time range objects (the time-range command with its subcommands), which can create time range
policy objects.
Object groups for PIX, ASA, FWSM, and IOS 12.4(20)T+ devices (the object-group command
with its subcommands), which can create network/host policy objects.
For ASA 8.3+ devices, you can also include object network and object service commands.
However, any object NAT configuration is not imported.
You are prompted if your CLI contains errors when you click the Next button. For some detailed tips
about what you can enter, see Import Rules WizardEnter Parameters Page, page 14-29.
Step 5 Click Next to process the rules and open the Import Rules WizardStatus Page, page 14-30.
The CLI is evaluated and if importable, you are told the types of objects that were created from the CLI.
Step 6 Click Finish to import the rules, or click Next to view the rules and objects on the Import Rules
WizardPreview Page, page 14-31.
The information on the Preview page is read-only. If the rules are acceptable, click Finish. If you want
to make changes, you can edit them in the access rules policy.
Navigation Path
(Device view only) Click the Tools button and select Import Rules from the Access Rules Page,
page 14-8.
Related Topics
Importing Rules, page 14-28
Understanding Interface Role Objects, page 6-55
Field Reference
Element Description
CLI The OS commands that define the rules and related objects that you want
to import. These rules must be in running-configuration format, so they are
best copied and pasted from a configuration (use Ctrl+V to paste into the
field). You can also type in the commands; you will be prompted if they
cannot be interpreted.
You can import only one ACL at a time.
To see some examples of the CLI you can import, see Examples of Imported
Rules, page 14-32.
Tips
If you refer to an object but do not include the CLI, the rule might be
created but it will not use the object.
For PIX, FWSM, ASA, and IOS 12.4(20)T+, you can include object
group and name commands.
If you import an ACL that is inactive, it is shown as disabled in Security
Manager. If you deploy the configuration, it is removed from the device.
You can import extended ACLs for all device types, and standard
ACLs for IOS devices. However, standard ACLs are converted to
extended ACLs.
Element Description
Interface Select whether you are importing an interface-specific or global rule. Global
Global (ASA 8.3+) rules are available only for ASA 8.3+ devices, and are handled according to
special rules (for detailed information, see Understanding Global Access
Rules, page 14-3).
If you select Interfaces, enter the name of the interface or the interface role
for which you are defining this rule, or click Select to select the interface or
role from a list, or to create a new role. An interface must already be defined
to appear on the list. You can enter any combination of interface or interface
role names, separated by commas.
Traffic Direction The direction of the traffic with respect to the interface, in or out.
Category The category assigned to the rules. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Navigation Path
For information on starting the Import Rules wizard, see Import Rules WizardEnter Parameters Page,
page 14-29
Related Topics
Importing Rules, page 14-28
Field Reference
Element Description
Progress bar Shows the status of the import process.
Status The status of the imported configuration.
Rules Imported The number of rules that will be imported.
Policy Objects Created The number of policy objects that will be created.
Messages The warning, error, and informational messages, as indicated by the
severity icon. Typical informational messages describe the policy
objects created during the operation or the existing policy objects that
were re-used.
When you select an item, the Description box to the right describes the
message in detail. The Action box to the right provides information on
how you can correct the problem.
Abort button Click this button to stop the import operation.
Tip If your CLI refers to an object that does not exist, such as a time range, the object is not included in the
rule. You can either go back and add the CLI for the object, or you can click Finish, create the object
yourself, and edit the rule.
Navigation Path
For information on starting the Import Rules wizard, see Import Rules WizardEnter Parameters Page,
page 14-29.
Related Topics
Importing Rules, page 14-28
Access Rules Page, page 14-8
Understanding Network/Host Objects, page 6-62
Understanding Interface Role Objects, page 6-55
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Filtering Tables, page 1-33
Field Reference
Element Description
Rules tab The rules that were created from your CLI and that will be imported to the access
rules policy. All rules are converted to extended format, even if your CLI was for a
standard ACL.
Icons indicate the permit and deny status:
PermitShown as a green check mark.
DenyShown as a red circle with slash.
You can right-click the source, destination, services, and interfaces cells and select
Show Contents to see the detailed information in the cell.
You can also right-click and select Copy to copy a rule to the clipboard in HTML
format, which you can paste into a text editor.
Objects tab The policy objects created from your CLI, if any. Depending on the CLI, Security
Manager might create time range, network/host, service, or port list objects.
Right-click an object and select View Object to see the object definition in
read-only format.
This example creates a network/host object named ftp_servers and two access rules.
This example creates a time range object named no-http and one access rule.
Example 3: Filtering on TCP and ICMP using port numbers (IOS devices)
In the following example, the first line of the extended access list named goodports permits any incoming
TCP connections with destination ports greater than 1023. The second line permits incoming TCP
connections to the Simple Mail Transfer Protocol (SMTP) port of host 172.28.1.2. The last line permits
incoming ICMP messages for error feedback.
ip access-list extended goodports
permit tcp any 172.28.0.0 0.0.255.255 gt 1023
permit tcp any host 172.28.1.2 eq 25
permit icmp any 172.28.0.0 255.255.255.255
This example creates three access rules. Notice that the wildcard masks used in the IOS ACL syntax are
converted to regular subnet masks. Security Manager automatically converts between standard
network/host subnet mask designations and the wildcard masks required in IOS ACLs. Because
ASA/PIX/FWSM requires the use of subnet masks in ACL commands, this makes it possible for you to
create rules that can apply to all devices; Security Manager takes care of converting your rules to the
correct syntax.
This example creates two rules, converting the standard rules to extended rules (to any destination). The
remarks are saved in the description field.
For more examples of ACLs in command language format, see the following:
IOS
Deviceshttp://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_create_I
P_apply.html#wp1027258.
ASA
Deviceshttp://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_extended.
html.
The first ACE is actually a subset of the second ACE. ACL optimization will deploy only the
second entry.
Superset ACEWhere one entry is a superset of another and the order of the rules does not matter,
the redundant rule is removed. Consider the following example:
access-list acl_mdc_inside_access permit tcp any any range 110 120
access-list acl_mdc_inside_access deny tcp any any range 115
The second ACE will never be hit. ACL optimization will remove the second ACE and deploy only
the first one.
Adjacent ACEsWhere two entries are similar enough that a single entry can do the same job.
There can be no intervening rules that change which packets will hit each rule. Consider the
following example:
access-list myacl permit ip 1.1.1.0 255.255.255.128 any
access-list myacl permit ip 1.1.1.128 255.255.255.128 any
The two ACEs are merged into one: access-list myacl permit ip 1.1.1.0 255.255.255.0 any.
By configuring ACL deployment optimization, you can create smaller ACLs that are more efficient,
which can improve performance on devices with limited, non-expandable memory, such as the FWSM,
which can be shared among multiple virtual contexts.
However, there are down sides to configuring ACL deployment optimization:
Because optimization changes what would normally be deployed for your access rules, it is hard to
correlate those rules to the actual deployed ACEs. This can make the results of the hit count tool
unusable, and make it very difficult to correlate events in the Cisco Security Monitoring, Analysis
and Response System application. If it is important to you that you can monitor your access rules
using these tools, do not enable optimization. For more information, see Generating Hit Count
Reports, page 14-23 and Viewing CS-MARS Events for an Access Rule, page 60-20.
Optimization does not address inherent problems in your access rules policy. It is typically better to
address redundancies and conflicts proactively by using the rule analysis tool (see Generating
Analysis Reports, page 14-21). You can also use the combine rules tool to optimize your rules in the
access rules policy before you deploy them (see Combining Rules, page 12-19).
If you decide to configure ACL deployment optimization, consider enabling it only for those devices that
are memory constrained.
Inspection rules configure protocol inspection on a device. Inspection opens temporary holes in your
access rules to allow return traffic for connections initiated within your trusted network. When traffic is
inspected, the device also implements additional controls to eliminate mal-formed packets based on the
inspected protocols.
The device commands generated for inspection rules vary based on device type. For devices running
ASA, PIX 7.0+, and FWSM 3.x+, access-list, policy-map, and class-map commands are used. For older
FWSM and PIX 6.3 devices, fix-up commands are used. For IOS devices, ip-inspect commands are used.
The following topics will help you work with inspection rules:
Understanding Inspection Rules, page 15-2
Choosing the Interfaces for Inspection Rules, page 15-3
Selecting Which Protocols To Inspect, page 15-3
Understanding Access Rule Requirements for Inspection Rules, page 15-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 15-5
Configuring Inspection Rules, page 15-5
Inspection Rules Page, page 15-7
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Settings for Inspection Rules for IOS Devices, page 15-80
The following topics can help you with general rule table usage:
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Moving Rules and the Importance of Rule Order, page 12-16
Tip For IOS devices, you need to configure inspection explicitly, and you can identify the direction of traffic
to be inspected. For ASA, PIX, and FWSM devices, you cannot identify the direction, and you need to
configure inspection only if you do not want the inspection defaults. In the remaining discussion,
statements concerning direction apply only to IOS devices. For ASA, PIX, and FWSM, simply configure
inspection on the identified interface.
In many cases, you will configure inspection in one direction only at a single interface, which causes
traffic to be permitted back into the internal network only if the traffic is part of a permissible (valid,
existing) session. This is a typical configuration for protecting your internal networks from traffic that
originates on the Internet.
You can also configure inspection in two directions at one or more interfaces. Configure inspection in
two directions when the networks on both sides of the firewall should be protected, such as with extranet
or intranet configurations, and to protect against DoS attacks. For example, if the device is situated
between two partner companies networks, you might want to restrict traffic in one direction for certain
applications, and restrict traffic in the opposite direction for other applications. If you are protecting a
web server in the DMZ zone, you might want to configure deep inspection on HTTP traffic to identify
and reset connections that have undesirable characteristics.
You might want to configure your inspection rules on the outbound interfaces of your network, those that
connect to the Internet or another uncontrolled network, while allowing unfiltered connections within
the trusted network. Thus, your devices use resources for inspection only on sessions that travel over
unsecured and therefore potentially dangerous networks.
Related Topics
Selecting Which Protocols To Inspect, page 15-3
Understanding Access Rule Requirements for Inspection Rules, page 15-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 15-5
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Inspection Rules, page 15-5
Protocols that negotiate return channels, such as FTP, should be specifically inspected. If you use
simple generic TCP inspection of FTP traffic, the negotiated channels are not opened, and the
connection will fail. If you want to allow FTP, ensure that you create a specific inspection rule for it.
Multimedia protocols also negotiate return channels and should be specifically inspected. These
include H.323, RTSP (Real Time Streaming Protocol), and other application-specific protocols.
Some applications also use a generic TCP channel, so you might also need to configure generic
TCP inspection. Any generic TCP inspection rule should appear below a more specific inspection
rule in the table (that is, any rule that specifies TCP or UDP should appear at the end of the
inspection rule table).
Related Topics
Choosing the Interfaces for Inspection Rules, page 15-3
Understanding Access Rule Requirements for Inspection Rules, page 15-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 15-5
Configuring Inspection Rules, page 15-5
Related Topics
Understanding Access Rules, page 14-1
Choosing the Interfaces for Inspection Rules, page 15-3
Selecting Which Protocols To Inspect, page 15-3
Configuring Inspection Rules, page 15-5
Related Topics
Understanding Inspection Rules, page 15-2
Selecting Which Protocols To Inspect, page 15-3
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Inspection Rules, page 15-5
Step 1 Do one of the following to open the Inspection Rules Page, page 15-7:
(Device view) Select Firewall > Inspection Rules from the Policy selector.
(Policy view) Select Firewall > Inspection Rules from the Policy Type selector. Select an existing
policy or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and
select Add Row. This opens the Add or Edit Inspect/Application FW Rule Wizard, page 15-10.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9.
Step 3 Select whether to apply the rule to all interfaces on the device or to only the interfaces you specify.
If you elect to specify interfaces, enter the interface name or interface role, or click Select to select it
from a list. For IOS devices, you also can select whether the rule applies in the Out direction (traffic
leaving the interface). Use the In direction for all other device types.
Step 4 Select the criteria you want to use for matching traffic. This determines what gets inspected based on
this rule.
Default Protocol PortsSelect this option if the protocol you are inspecting uses the default ports
on your network.
If you want to constrain the inspection based on the source or destination address, also select Limit
inspection between source and destination IP addresses (available only for ASA, PIX 7.x+, and
FWSM 3.x+ devices). When you click Next, you are prompted for the source and destination
addresses. You can specify any for source or destination if you are interested only in configuring
the other value.
Custom Destination PortsSelect this option if you want to associate additional non-default TCP
or UDP ports with a given protocol, for example, treating TCP traffic on destination port 8080 as
HTTP traffic. When you click Next, you are prompted for the port or port range.
Destination Address and Port (IOS devices only)Select this option if you want to associate
additional non-default TCP or UDP ports with a given protocol only when the traffic is going to
certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP
only when the traffic is going to server 192.168.1.10. When you click Next, you are prompted for
the destination address and the port information.
Source and Destination Address and Port (PIX 7.x+, ASA, FWSM 3.x+)Select this option for
the same reason you would select Destination Address and Port for IOS devices, although you have
the additional option of identifying the source of the traffic. When you click Next, you are prompted
for the source and destination addresses and the service port information.
Note For FWSM 2.x and PIX 6.3(x), you can select either Default Inspection Traffic or Custom
Destination Ports only.
Step 5 Click Next. If you selected anything other than Default Protocol Ports, fill in the required addressing and
port information explained above and click Next. See Add or Edit Inspect/Application FW Rule Wizard
Specify Address and Port Page, page 15-11.
Step 6 On the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select the protocol you want to inspect from the list. Ensure that the
Device Type field indicates that inspection is supported for that protocol on the devices to which you are
assigning the rule. (If you assign a rule to an unsupported device type, the rule is ignored but you will
get a validation warning).
If the protocol you select allows additional configuration, the Configure button becomes active. Click
it to view and select your options. For more information, see Configuring Protocols and Maps for
Inspection, page 15-19.
For IOS devices only:
If you selected Custom Destination Ports or Destination Address and Port as the traffic
match, you can select custom protocol as the protocol name and click Configure to assign a
name to the configuration.
You can configure additional alert, audit, and time-out settings that override those set in the
inspection settings policy. You can also specify whether to inspect router generated traffic for a
limited number of protocols. For more information about inspection settings, see Configuring
Settings for Inspection Rules for IOS Devices, page 15-80.
Step 7 Click Finish to save the rule.
Step 8 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-16.
Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration,
disabled rules are removed from the device. For more information, see Enabling and Disabling Rules,
page 12-17.
Navigation Path
To access the Inspection Rules page, do one of the following:
(Device view) Select a device, then select Firewall > Inspection Rules from the Policy selector.
(Policy view) Select Firewall > Inspection Rules from the Policy Type selector. Create a new policy
or select an existing one.
(Map view) Right-click a device and select Edit Firewall Policies > Inspection Rules.
Related Topics
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Moving Rules and the Importance of Rule Order, page 12-16
Using Sections to Organize Rules Tables, page 12-17
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Field Reference
Element Description
No. The ordered rule number.
Permit Whether a rule identifies traffic that should be inspected based on the
conditions set:
PermitIdentifies traffic that will be inspected. Shown as a green
check mark.
DenyExempts the traffic from inspection. Your access rules will
determine if the traffic is allowed or blocked. Shown as a red circle
with slash.
Source The source and destination addresses for the rule. The any address does
not restrict the rule to specific hosts, networks, or interfaces. These
Destination
addresses are IP addresses for hosts or networks, network/host objects,
interfaces, or interface roles. Multiple entries are displayed as separate
subfields within the table cell. See:
Understanding Network/Host Objects, page 6-62
Understanding Interface Role Objects, page 6-55
Element Description
Traffic Match The type of matching used in the rule:
default-inspectionThe rule inspects traffic based on the default port.
TCP,UDP/port numberThe rule inspects traffic based on a custom
port number.
ServiceThe rule inspects traffic based on a service specification or
service object. Multiple entries are displayed as separate subfields
within the table cell. See Understanding and Specifying Services and
Service and Port List Objects, page 6-69.
Interface The interfaces or interface roles to which the rule is assigned. Global
indicates that the rule is assigned to all interfaces. Interface role objects are
replaced with the actual interface names when the configuration is generated
for each device. Multiple entries are displayed as separate subfields within
the table cell. See Understanding Interface Role Objects, page 6-55.
Dir. The direction of the traffic to which this rule applies:
(IOS devices only) InPackets entering the interface.
OutPackets exiting the interface.
Inspected Protocol The protocol to be inspected and possibly some configuration settings for
the protocol.
Time Range The time range policy object assigned to the rule. This object defines the
time window within which inspection occurs.
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description The description of the rule, if any.
Tools button Click this button to select tools that you can use with this type of policy. You
can select from the following tools:
QueryTo run policy queries, which can help you evaluate your rules
and identify ineffective rules that you can delete. See Generating Policy
Query Reports, page 12-24
Find and Replace button Click this button to search for various types of items within the table and to
(binoculars icon) optionally replace them. See Finding and Replacing Items in Rules Tables,
page 12-13.
Up Row and Down Row Click these buttons to move the selected rules up or down within a scope or
buttons (arrow icons) section. For more information, see Moving Rules and the Importance of Rule
Order, page 12-16.
Add Row button Click this button to add a rule to the table after the selected row using the
Add or Edit Inspect/Application FW Rule Wizard, page 15-10. If you do not
select a row, the rule is added at the end of the local scope. For more
information about adding rules, see Adding and Removing Rules, page 12-8.
Edit Row button Click this button to edit the selected rule. You can also edit individual cells.
For more information, see Editing Rules, page 12-9.
Delete Row button Click this button to delete the selected rule.
Navigation Path
From the Inspection Rules Page, page 15-7, click the Add Row button or select a row and click the Edit
Row button.
Related Topics
Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page, page 15-11
Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14
Understanding Interface Role Objects, page 6-55
Editing Rules, page 12-9
Field Reference
Table 15-2 Add and Edit Inspect/Application FW Rule Wizard Step 1, Choose Traffic Match
Method
Element Description
Enable Rule Whether to enable the rule, which means the rule becomes active when you
deploy the configuration to the device. Disabled rules are shown overlain
with hash marks in the rule table. For more information, see Enabling and
Disabling Rules, page 12-17.
Apply the Rule to The interface to which the rule applies:
All InterfacesApply the rule to all interfaces. The rule becomes a
global rule on ASA, PIX, and FWSM devices. For IOS devices, the rule
is configured for each interface in the In direction.
Interface (PIX 7.x+, ASA, FWSM 3.x+, IOS)Apply the rule only to
those interfaces identified in the Interfaces field. Enter the name of the
interface or the interface role, or click Select to select the interface or
role from a list, or to create a new role. An interface must already be
defined to appear on the list.
For IOS devices only, you can select the direction of the traffic to which
this rule applies, either traffic entering an interface (In) or exiting it
(Out). For other devices, leave In as the direction.
Table 15-2 Add and Edit Inspect/Application FW Rule Wizard Step 1, Choose Traffic Match
Method (Continued)
Element Description
Match Traffic By
How you want to identify the traffic to inspect. If you select something other than Default Protocol
Ports (by itself), you are prompted for the other port or address information when you click Next.
Default Protocol Ports Inspect traffic based on the default ports assigned to a protocol.
Limit inspection You can also select Limit inspection between source and destination IP
between source and addresses to configure the inspection to occur only between a specified
destination IP addresses source and destination. Do not select this option if you want to inspect a
(PIX 7.x+, ASA, protocol without applying any constraints to the inspected traffic.
FWSM 3.x+)
Custom Inspect traffic based on specified non-default TCP or UDP destination ports.
Destination Ports Select this option if you want to associate additional TCP or UDP traffic with
a given protocol, for example, treating TCP traffic on destination port 8080
as HTTP traffic.
Destination Address Inspect traffic on IOS devices based on destination IP address and port.
and Port (IOS) Select this option if you want to associate additional non-default TCP or
UDP ports with a given protocol only when the traffic is going to certain
destinations, for example, if you want to treat TCP traffic on destination port
8080 as HTTP only when the traffic is going to server 192.168.1.10.
Source and Destination Inspect traffic on PIX 7.x+, ASA, and FWSM 3.x+ devices based on source
Address and Port (PIX and destination IP addresses and services. Select this option for the same
7.x, ASA, FWSM 3.x) reason you would select Destination Address and Port for IOS devices,
although you have the additional option of identifying the source of the traffic.
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description An optional description of the rule (up to 1024 characters).
Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page
Use the Add or Edit Inspect/Application FW Rule wizards address or port specification page to identify
the IP addresses, ports, or services required by your inspection rule. The content of this page differs
depending on your selection in the Match Traffic By group on the first page of the wizard (see Add or
Edit Inspect/Application FW Rule Wizard, page 15-10). This page does not appear if you select Default
Protocol Ports only.
The reference table below indicates the match criteria to which each field applies.
You select the protocol to inspect when you click Next from this page (see Add or Edit
Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog
Boxes, page 15-14).
Navigation Path
From the Add or Edit Inspect/Application FW Rule Wizard, page 15-10, select something other than
Default Protocol Ports in the Match Traffic By group and click Next.
Related Topics
Understanding Inspection Rules, page 15-2
Choosing the Interfaces for Inspection Rules, page 15-3
Selecting Which Protocols To Inspect, page 15-3
Understanding Access Rule Requirements for Inspection Rules, page 15-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 15-5
Configuring Inspection Rules, page 15-5
Understanding Interface Role Objects, page 6-55
Editing Rules, page 12-9
Field Reference
Table 15-3 Add and Edit Inspect/Application FW Rule Wizard Step 2, Specify Address and Port
Page
Element Description
Action Whether you are identifying traffic that should be inspected based on the
conditions set. Typically, you want to create Permit rules.
(Available for Limit
inspection between PermitIdentifies traffic that will be inspected.
source and destination
DenyExempts the traffic from inspection. Your access rules will
IP addresses and
determine if the traffic is allowed or blocked.
Source and
Destination Address
and Port matching.)
Sources The source or destination of the traffic. You can enter more than one value
Destinations by separating the items with commas.
You can enter any combination of the following address types to define the
(Available for Limit
source or destination of the traffic. For more information, see Specifying IP
inspection between
Addresses During Policy Definition, page 6-68.
source and destination
IP addresses and Network/host object. Enter the name of the object or click Select to
Source and select it from a list. You can also create new network/host objects from
Destination Address the selection list.
and Port matching.
Host IP address, for example, 10.10.10.100.
For Destination
Address and Port, Network address, including subnet mask, in either the format
only the Destinations 10.10.10.0/24 or 10.10.10.0/255.255.255.0.
field is available.) A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255, where the
mask is a discontiguous bit mask (see Contiguous and Discontiguous
Network Masks, page 6-63).
Interface role object, except when configuring Destination Address and
Port matching. Click Select to select it from a list (you must select
Interface Role as the object type). When you use an interface role, the rule
behaves as if you supplied the IP address of the selected interface. This is
useful for interfaces that get their address through DHCP, because you do
not know what IP address will be assigned to the device. For more
information, see Understanding Interface Role Objects, page 6-55.
If you select an interface role as a source, the dialog box displays tabs
to differentiate between hosts or networks and interface roles.
Service The services that define the type of traffic to act on. You can enter more than
(Available for Source one value by separating the items with commas.
and Destination You can enter any combination of service objects and service types (which
Address and Port are typically a protocol and port combination). If you type in a service, you
matching.) are prompted as you type with valid values. You can select a value from the
list and press Enter or Tab.
For complete information on how to specify services, see Understanding and
Specifying Services and Service and Port List Objects, page 6-69.
Table 15-3 Add and Edit Inspect/Application FW Rule Wizard Step 2, Specify Address and Port
Page (Continued)
Element Description
Time Range The name of a time range policy object that defines the times when this rule
applies. The time is based on the system clock of the device. The feature
(Available for Limit
works best if you use NTP to configure the system clock.
inspection between
source and destination Enter the name or click Select to select the object. If the object that you want
IP addresses and is not listed, click the Create button to create it.
Source and
Destination Address
and Port matching.)
Protocol The protocol for the ports you are specifying, either TCP, UDP, or both
(Available for Custom TCP/UDP.
Destination Ports and When configuring Custom Destination Ports for an IOS device, you must
Destination Address select TCP/UDP.
and Port matching.)
Ports The port used by the traffic you want to inspect. Values are 1-65535.
(Available for Custom SingleSpecify one port number only.
Destination Ports and
RangeSpecify a range of ports, for example, 10000-11000.
Destination Address
and Port matching.) When configuring custom ports, be aware that port ranges might not be
supported on all platforms or OS versions. Any conflicts are identified
during policy validation, not while you are editing this rule.
Tip If you specify a port or port range that conflicts with a pre-defined
port mapping, the device does not allow the port to be remapped.
Navigation Path
Do one of the following:
From the Add or Edit Inspect/Application FW Rule Wizard, page 15-10, click Next until you reach
this page.
To access the Edit Inspected Protocols dialog box, right-click the Inspected Protocol cell in an
inspection rule and select Edit Inspected Protocol. If you select multiple rows, your changes
replace the inspected protocol defined for all selected rules.
Related Topics
Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page, page 15-11
Understanding Inspection Rules, page 15-2
Choosing the Interfaces for Inspection Rules, page 15-3
Selecting Which Protocols To Inspect, page 15-3
Field Reference
Element Description
Protocols table Lists the protocols that you can inspect. You can select one protocol per rule.
The list includes information on the device operating systems that allow
inspection of the protocol: do not select protocols that are not supported by
the device type on which you will use the inspection rule policy.
Tip For IOS devices, if you selected Custom Destination Ports or
Destination Address and Port for the match type on the first page of
the wizard, you can select custom protocol and click Configure to
give your protocol a name. For other device types, select the protocol
that you associate with the ports previously specified.
The group column provides additional information on the use of some of the
protocols.
The option column displays configured options for the selected protocol,
if any.
Selected Protocol Displays the protocol you selected. If the protocol allows additional
configuration, the Configure button becomes active; click it to see your
Configure button
options, and click the Help button in the dialog box that is opened for
information about the options. For more information about protocols that
allow configuration, see Configuring Protocols and Maps for Inspection,
page 15-19.
Rule Settings (IOS) Additional settings for the rule if it is used on devices running Cisco IOS
software. If you select Use Default Inspection settings, the IOS defaults, or
the settings defined in the inspection settings policy (see Configuring
Settings for Inspection Rules for IOS Devices, page 15-80), are used. These
are the settings you can enable or disable:
AlertWhether to generate stateful packet inspection alert messages on
the console.
AuditWhether audit trail messages are logged to the syslog server
or router.
TimeoutWhether to configure the length of time, in seconds, for
which a session is managed while there is no activity. If you select
Specify Timeout, enter the timeout value; the range is 5-43200 seconds.
Inspect Router Generated TrafficWhether to inspect traffic that is
generated by the device itself. This option is available for a limited
number of the protocols.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select DNS in the protocols table, and click Configure.
Field Reference
Element Description
Maximum DNS The maximum DNS packet length. Values are 512 to 65535.
Packet Length
DNS Map The DNS policy map object that defines traffic match conditions and actions,
protocol conformance policies, and filter settings. Enter the object name, or
click Select to select it. If the object that you want is not listed, click the
Create button to create it.
Enable Dynamic Whether to allow the security appliance to snoop DNS packets in order to
Filter Snooping build a database of DNS lookup information. This information is used by
botnet traffic filtering to match DNS names to IP addresses.
If you configure a botnet traffic filtering rules policy, select this option.
Otherwise, do not select the option. For more information, see Botnet Traffic
Filter Rules Page, page 17-9.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select SMTP in the protocols table, and click Configure.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select ESMTP in the protocols table, and click Configure.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select fragment in the protocols table, and click Configure.
Field Reference
Element Description
Maximum Fragments The maximum number of unassembled packets for which state information
(structures) is allocated by Cisco IOS software. Unassembled packets are
packets that arrive at the router interface before the initial packet for a
session. Values are 0-10000 state entries. The default is 256.
Note Memory is allocated for the state structures, and setting this value to
a larger number may cause memory resources to be exhausted.
Timeout (sec) The number of seconds that a packet state structure remains active. When the
timeout value expires, the router drops the unassembled packet, freeing that
structure for use by another packet. Values are 1-1000. The default timeout
value is one second.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select IMAP or POP3, and click Configure.
Field Reference
Table 15-7 Configure IMAP or POP3 Dialog Boxes
Element Description
Reset Connection on Invalid Whether to reset, or drop, the connection between the client and server
IMAP/POP3 packet if an invalid packet is encountered. The client will have to repeat the
validation process to reconnect to the server.
Enforce Secure Whether to require that the client use a secure login to the server, that
Authentication is, so that passwords are not sent in clear text.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select RPC in the protocols table, and click Configure.
Field Reference
Element Description
Program Number The program number to permit. Values are 1-4294967295.
Wait Time The number of minutes to keep a hole in the firewall open to allow
subsequent connections from the same source address to the same
destination address and port. Values are 0-35791 minutes. The default
is 0.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select custom protocol in the protocols table, and click Configure.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected
Protocol Dialog Boxes, page 15-14, select HTTP or IM in the protocols table, and click Configure.
Class Map
Device (ASA, PIX,
Protocol Types Policy Map FWSM only) Description and Match Criteria Reference
DNS ASA, PIX, DNS DNS Inspect traffic based on a wide variety of criteria using the class and
FWSM, IOS policy map, which allow extensive control over DNS packets. In
addition, you can configure a maximum length in the inspection
rule, and enable dynamic DNS snooping for use with Botnet rules
(on ASA devices). See the following topics:
Configuring DNS Maps, page 15-24
DNS Class and Policy Maps Add or Edit Match Condition (and
Action) Dialog Boxes, page 15-27
Configure DNS Dialog Box, page 15-16
FTP Strict ASA, PIX, FTP FTP Inspect traffic based on file name, type, server, user, or FTP
FWSM, IOS command. See Configuring FTP Maps, page 15-33 and FTP Class
and Policy Maps Add or Edit Match Condition (and Action) Dialog
Boxes, page 15-34.
GTP ASA, PIX, GTP GTP Inspect traffic based on timeout values, message sizes, tunnel
FWSM, IOS counts, and GTP versions traversing the security appliance. See
Configuring GTP Maps, page 15-36 and GTP Policy Maps Add or
Edit Match Condition and Action Dialog Boxes, page 15-39.
Table 15-9 Configuring Protocols for Deep Inspection in Inspection Rules (Continued)
Class Map
Device (ASA, PIX,
Protocol Types Policy Map FWSM only) Description and Match Criteria Reference
H.323 ASA, PIX, H.323 H.323 Inspect traffic based on a wide variety of criteria, including the
H.325 FWSM (ASA, PIX, (ASA, PIX, H.323 message type, calling party, and called party. See
H.323 RAS FWSM) FWSM) Configuring H.323 Maps, page 15-41 and H.323 Class and Policy
Maps Add or Edit Match Condition (and Action) Dialog Boxes,
page 15-44.
HTTP ASA, PIX, HTTP HTTP Inspect traffic based on a wide variety of criteria including the
FWSM, IOS (ASA 7.1.x, (ASA, PIX, content of the header or body, port misuse, and whether the traffic
PIX 7.1.x, FWSM) includes a Java applet. The maps used differ based on the operating
FWSM 3.x, system and version.
IOS)
For ASA/PIX 7.2+, see Configuring HTTP Maps for ASA 7.2+ and
HTTP PIX 7.2+ Devices, page 15-53 and HTTP Class and Policy Map
(ASA 7.2+, (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action)
PIX 7.2+) Dialog Boxes, page 15-55.
For ASA/PIX 7.1.x, FWSM 3.x+, and IOS, see Configuring HTTP
Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices,
page 15-45.
SIP ASA, PIX, SIP (ASA, SIP (ASA, Inspect traffic based on a wide variety of criteria. See Configuring
FWSM PIX, PIX, SIP Maps, page 15-67 and SIP Class and Policy Maps Add or Edit
FWSM) FWSM) Match Condition (and Action) Dialog Boxes, page 15-69.
Skinny ASA, PIX, Skinny (none) Inspect traffic based on a wide variety of criteria. See Configuring
FWSM, IOS Skinny Maps, page 15-73 and Skinny Policy Maps Add or Edit
Match Condition and Action Dialog Boxes, page 15-74.
SMTP ASA, PIX (none) (none) Inspect Simple Mail Transfer Protocol (SMTP) traffic and drop any
7.x+, FWSM that use illegal commands. You can configure a maximum data
3.x+, IOS length for packets. See Configure SMTP Dialog Box, page 15-16.
SNMP ASA, PIX, SNMP (none) Inspect SNMP traffic based on SNMP version. See Configuring
FWSM 3.x+, SNMP Maps, page 15-75.
IOS
NetBIOS ASA, PIX NetBIOS (none) Inspect NetBIOS traffic to translate IP addresses in the NetBIOS
7.x+, FWSM name service (NBNS) packets according to the security appliance
NAT configuration. You can drop packets that violate the protocol.
See Configuring NetBIOS Maps, page 15-66.
IPSec Pass ASA, PIX IPsec Pass (none) Inspect IPSec traffic and control whether ESP or AH traffic is
Through 7.x+ Through allowed. See Configuring IPsec Pass Through Maps, page 15-65.
DCE/RPC ASA 7.2+, DCE/RPC (none) Inspect traffic based on time-outs and enforcing the mapper service.
PIX 7.2+, See Configuring DCE/RPC Maps, page 15-23.
FWSM 3.2+
Table 15-9 Configuring Protocols for Deep Inspection in Inspection Rules (Continued)
Class Map
Device (ASA, PIX,
Protocol Types Policy Map FWSM only) Description and Match Criteria Reference
IP options ASA 8.2(2)+ IP Options (none) Allow IP packets that have certain options configured in the Options
section of the IP header. In routed mode, packets that contain the
router-alert option are allowed. Otherwise, if any option is set,
packets are dropped. IP options are unnecessary for most
communication, but the NOP (no operation) option might be used
for padding, so you might want to allow it. See Configuring IP
Options Maps, page 15-64.
ESMTP ASA, ESMTP (none) Inspect ESMTP traffic. For IOS, you can configure only maximum
PIX 7.x+, data length. For ASA, PIX, FWSM, you can inspect traffic based on
FWSM 3.x+, a wide variety of criteria. See Configuring ESMTP Maps,
IOS page 15-30.
Fragment IOS (none) (none) Inspect traffic based on a maximum allowed number of
unassembled packet fragments. See Configure Fragments Dialog
Box, page 15-17.
IMAP IOS (none) (none) Inspect traffic based on invalid commands or clear text logins. See
(Internet Configure IMAP or POP3 Dialog Boxes, page 15-17.
Message
Access
Protocol)
POP3
(Post Office
Protocol 3)
RPC (Sun FWSM 2.x, (none) (none) Inspect traffic based on the RPC protocol number. See Configure
Remote IOS RPC Dialog Box, page 15-18.
Procedure
Call)
IM ASA, IM IM (only for Inspect traffic based on a wide variety of criteria. The allowed maps
PIX 7.x+, (ASA 7.2+, ASA, PIX) differ based on operating system version.
IOS PIX 7.2+)
For ASA, PIX, see Configuring IM Maps for ASA 7.2+, PIX 7.2+
IM (IOS) Devices, page 15-59 and IM Class and Policy Map (ASA 7.2+/PIX
7.2+) Add or Edit Match Condition (and Action) Dialog Boxes,
page 15-60.
For IOS, see Configuring IM Maps for IOS Devices, page 15-62.
Related Topics
Selecting Which Protocols To Inspect, page 15-3
Understanding Inspection Rules, page 15-2
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 15-5
Configuring Inspection Rules, page 15-5
Creating Policy Objects, page 6-6
Navigation Path
Select Tools > Policy Object Manager, then select DNS, FTP, H.323 (ASA/PIX/FWSM), HTTP
(ASA/PIX/FWSM), IM, or SIP (ASA/PIX/FWSM) in the Maps > Class Maps > Inspect folder in the
table of contents. Right-click inside the work area, then select New Object, or right-click a row, then
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Understanding Inspection Rules, page 15-2
Field Reference
Table 15-10 Add or Edit Class Maps Dialog Boxes for Inspection Rules
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Table 15-10 Add or Edit Class Maps Dialog Boxes for Inspection Rules (Continued)
Element Description
Match table The Match table lists the criteria included in the class map. Each row
Match Type indicates whether the inspection is looking for traffic that matches or does
not match each criterion and the criterion and value that is inspected.
To add a criterion, click the Add button and fill in the Match Criterion
dialog box. For more information, see the topics referenced above.
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
Overrides and Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DCE/RPC from
the Object Type selector. Right-click inside the work area, then select New Object or right-click a row
and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Pinhole Timeout The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00).
Valid values are between 00:00:01 and 1193:00:00.
Enforce Endpoint Whether to enforce the endpoint mapper service during binding. Using this
Mapper Service service, a client queries a server, called the Endpoint Mapper, for the
dynamically allocated network information of a required service.
Enable Endpoint Whether to enable the lookup operation of the endpoint mapper service. If
Mapper Service Lookup you select this option, you can enter the time out for the lookup operation. If
you do not specify a timeout, the pinhole timeout or default pinhole timeout
Service Lookup
value is used. Valid values are between 00:00:01 and 1193:00:00.
Timeout
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
Overrides and Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DNS from the
Object Type selector. Right-click inside the work area, then select New Object or right-click a row and
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Class Maps for Inspection Policies, page 15-22
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Protocol Conformance Tab
Defines DNS security settings and actions. For a description of the options on this tab, see DNS Map
Protocol Conformance Tab, page 15-26.
Filtering Tab
Defines the filtering settings for DNS. For a description of the options on this tab, see DNS Map
Filtering Tab, page 15-26.
Mismatch Rate Tab
The Log When DNS ID Mismatch Rate Exceeds option determines whether you want to report
excessive instances of DNS identifier mismatches based on the following criteria:
ThresholdThe maximum number of mismatch instances before a system message log is sent.
Values are 0 to 4294967295.
Time IntervalThe time period to monitor (in seconds). Values are 1 to 31536000.
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes,
page 15-27).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Click the Protocol Conformance tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS
Maps, page 15-24.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Enable DNS Guard Function Whether to perform a DNS query and response mismatch check using
the identification field in the DNS header. One response per query is
allowed to go through the security appliance.
Generate Syslog for ID Whether to create syslog entries for excessive instances of DNS
Mismatch identifier mismatches.
Randomize the DNS Whether to randomize the DNS identifier in the DNS query message.
Identifier for DNS Query
Enable NAT Rewrite Whether to enable IP address translation in the A record of the
Function DNS response.
Enable Protocol Enforcement Whether to enable DNS message format check, including domain
name, label length, compression, and looped pointer check.
Require Authentication Whether to require authentication between DNS servers as defined in
Between DNS Server RFC 2845. If you select this option, select the action to take when there
(RFC2845) is no authentication.
Action
Navigation Path
Click the Filtering tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS Maps,
page 15-24.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Drop Packets that Exceed Whether to drop packets that exceed the maximum length in bytes that
Specified Length you specify. This is a global setting.
Maximum Packet Length
Drop Packets Sent to Server Whether to drop packets sent to the server that exceed the maximum
that Exceed Specified length in bytes that you specify.
Maximum Length
Maximum Length
Drop Packets Sent to Server Whether to drop packets sent to the server that exceed the length
that Exceed Length Indicated indicated by the resource record.
by Resource Record
Drop Packets Sent to Client Whether to drop packets sent to a client that exceed the maximum
that Exceed Specified Length length in bytes that you specify.
Maximum Length
Drop Packets Sent to Client Whether to drop packets sent to the client that exceed the length
that Exceed Length Indicated indicated by the resource record.
by Resource Record
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit DNS Match Criterion (for DNS class maps) or Match Condition and Action (for
DNS policy maps) dialog boxes to do the following:
Define the match criterion and value for a DNS class map.
Select a DNS class map when creating a DNS policy map.
Define the match criterion, value, and action directly in a DNS policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a
class map or policy map.
Navigation Path
When creating a DNS class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog
boxes for DNS, right-click inside the table, then select Add Row or right-click a row, then select Edit
Row. See Configuring Class Maps for Inspection Policies, page 15-22.
When creating a DNS policy map, in the Policy Object Manager, from the Match Condition and Action
tab on the Add and Edit DNS Map dialog boxes, right-click inside the table, then select Add Row or
right-click a row, then select Edit Row. See Configuring DNS Maps, page 15-24.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-15 DNS Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Match Type Enables you to use an existing DNS class map or define a new DNS
Class Name class map.
Use Specified ValuesYou want to define the class map on this
(Policy Map only)
dialog box.
Use Values in Class MapYou want to select an existing DNS class map
policy object. Enter the name of the DNS class map in the Class Name
field. Click Select to select the map from a list or to create a new class
map object.
Criterion Specifies which criterion of traffic to match:
DNS ClassMatches a DNS query or resource record class.
DNS TypeMatches a DNS query or resource record type.
Domain NameMatches a domain name from a DNS query or
resource record.
Header FlagMatches a DNS flag in the header.
QuestionMatches a DNS question.
Resource RecordMatches a DNS resource record.
Type Specifies whether the map includes traffic that matches or does not match
the criterion. For example, if Doesnt Match is selected on the string
example.com, then any traffic that contains example.com is excluded
from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the
defined criteria.
(Policy Map only)
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Value The DNS class you want to inspect:
(for DNS InternetMatches the Internet DNS class.
Class criterion)
DNS Class Field ValueMatches the specified number.
DNS Class Field RangeMatches the specified range of numbers.
Table 15-15 DNS Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Value The DNS type you want to inspect:
(for DNS DNS Type Field NameMatches the name of a DNS type:
Type criterion)
AIPv4 address.
AXFRFull (zone) transfer.
CNAMECanonical name.
IXFRIncremental (zone) transfer.
NSAuthoritative name server.
SOAStart of a zone of authority.
TSIGTransaction signature.
DNS Type Field ValueMatches the specified number.
DNS Type Field RangeMatches the specified range of numbers.
Value The regular expression you want to evaluate. You can select one of
the following:
(for Domain
Name criterion) Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Regular Expression GroupThe regular expression group object that
defines the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular expression
group object.
Options The header flag you want to inspect. Use the Options field to indicate
Value whether you want an exact match (Equals) or a partial match (Contains).
Header Flag NameMatches the selected header flag names:
(for Header
Flag criterion) AA (authoritative answer)
QR (query)
RA (recursion available)
RD (recursion denied)
TC (truncation) flag bits
Header Flag ValueMatches the specified 16-bit hexadecimal value.
Resource Record Lists the sections to match:
AdditionalDNS additional resource record.
AnswerDNS answer resource record.
AuthorityDNS authority resource record.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > ESMTP from the
Object Type selector. Right-click inside the table, then select New Object or right-click a row and select
Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters
is allowed.
Parameters tab
Mask Server Banner Whether to mask the server banner to prevent the client from
discovering server information.
Configure Mail Relay Whether to have ESMTP inspection detect mail relay. When you select
this option, enter the domain name you are inspecting and select the
Domain Name
action you want to take when mail relay is detected.
Action
Special Character Whether you want to detect special characters in sender or receiver
(ASA7.2.3+/PIX7.2.3+) email addresses. If you select this option, select the action you want to
take when special characters are detected.
Action
Allow TLS (ASA7.2.3+, Whether to allow a TLS proxy on the security appliance. If you select
8.0.3+/PIX7.2.3) this option, you can also select Action Log to create a log entry when
TLS is detected.
Action Log
Table 15-16 Add and Edit ESMTP Map Dialog Boxes (Continued)
Element Description
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes, page 15-31).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and
action for an ESMTP policy map.
The fields on this dialog box change based on the criterion you select. You can use the following criteria:
Body LengthMatches the message body length.
Body Line LengthMatches the length of a line in the message body.
CommandsMatches ESMTP commands.
Command Recipient CountMatches the number of recipient email addresses.
Command Line LengthMatches the number of characters of a command line.
EHLO Reply ParametersMatches the ESMTP EHLO reply parameters.
Header LengthMatches the number of characters of the header.
Header Line LengthMatches the number of characters of a line in the message header.
To Recipients CountMatches the number of recipients in the To field of the header.
Invalid Recipients CountMatches the number of invalid recipients in the header.
MIME File TypeMatches the MIME file type.
MIME Filename LengthMatches the number of characters of the filename.
MIME EncodingMatches the MIME encoding scheme.
Sender AddressMatches the address of the sender.
Sender Address LengthMatches the number of characters of the senders address.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit ESMTP
Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit
Row. See Configuring ESMTP Maps, page 15-30.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-17 ESMTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Criterion Specifies which criterion of ESMTP traffic to match. The criteria are
described above.
Type Specifies whether the map includes traffic that matches or does not match the
criterion. For example, if Doesnt Match is selected on the string
example.com, then any traffic that contains example.com is excluded
from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the
defined criteria.
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Greater Than Length The length in bytes of the evaluated field. The criterion matches if the length
is greater than the specified number, and does not match if the field is less
than the specified number.
The dialog box indicates the valid range for the length, except for Body
Length and Header length, which can be 1 to 4294967295.
Commands The ESMTP command verbs you want to inspect.
Greater Than Count The number of evaluated items. The criterion matches if the count is greater
than the specified number, and does not match if the count is less than the
specified number.
Parameters The ESMTP EHLO reply parameters you want to inspect.
Table 15-17 ESMTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Value The regular expression you want to evaluate. You can select one of
the following:
Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Regular Expression GroupThe regular expression group object that
defines the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular expression
group object.
MIME Encoding The type of MIME encoding schemes you want to inspect.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > FTP from the
Object Type selector. Right-click inside the table, then select New Object or right-click a row, then
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Class Maps for Inspection Policies, page 15-22
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Mask Greeting Banner Whether to mask the greeting banner from the FTP server to prevent the
from Server client from discovering server information.
Mask Reply to Whether to mask the reply to the syst command to prevent the client from
SYST Command discovering server information.
Table 15-18 Add and Edit FTP Map Dialog Boxes (Continued)
Element Description
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page 15-34).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Validate For The device platforms for which to validate the object. Select the platform for
Validate button which you intend to use this object and click Validate to determine if the
object is configured in a way that will prevent policy deployment.
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit FTP Match Criterion (for FTP class maps) or Match Condition and Action (for FTP
policy maps) dialog boxes to do the following:
Define the match criterion and value for an FTP class map.
Select an FTP class map when creating an FTP policy map.
Define the match criterion, value, and action directly in an FTP policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a
class map or policy map.
Navigation Path
When creating an FTP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog
boxes for FTP, right-click inside the table, then select Add Row or right-click a row, then select Edit
Row. See Configuring Class Maps for Inspection Policies, page 15-22.
When creating an FTP policy map, in the Policy Object Manager, from the Match Condition and Action
tab on the Add and Edit FTP Map dialog boxes, right-click inside the table, then select Add Row or
right-click a row, then select Edit Row. See Configuring FTP Maps, page 15-33.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-19 FTP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Match Type Enables you to use an existing FTP class map or define a new FTP class map.
Class Name Use Specified ValuesYou want to define the class map on this
dialog box.
(Policy Map only)
Use Values in Class MapYou want to select an existing FTP class map
policy object. Enter the name of the FTP class map in the Class Name
field. Click Select to select the map from a list or to create a new class
map object.
Criterion Specifies which criterion of FTP traffic to match:
Request CommandMatches an FTP request command.
FilenameMatches a filename for FTP transfer.
File TypeMatches a file type for FTP transfer.
ServerMatches an FTP server name.
UsernameMatches an FTP username.
Type Specifies whether the map includes traffic that matches or does not match the
criterion. For example, if Doesnt Match is selected on the string
example.com, then any traffic that contains example.com is excluded
from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the
defined criteria.
(Policy Map only)
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Table 15-19 FTP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Request Commands The FTP commands you want to inspect:
Append (APPE)Appends to a file.
Delete (DELE)Deletes a file at the server site.
Help (HELP)Provides help information from the server.
Put (PUT)FTP client command for the stor (store a file) command.
Rename From (RNFR)Specifies rename-from filename.
Server Specific Command (SITE)Specifies commands that are server
specific. Usually used for remote administration.
Change to Parent (CDUP)Changes to the parent directory of the
current working directory.
Get (GET)FTP client command for the retr (retrieve a file) command.
Create Directory (MKD)Creates a directory.
Remove Directory (RMD)Removes a directory.
Rename To (RNTO)Specifies rename-to filename.
Store File with Unique Name (STOU)Stores a file with a
unique filename.
Value The regular expression you want to evaluate. You can select one of
the following:
Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Regular Expression GroupThe regular expression group object that
defines the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular expression
group object.
Tip GTP inspection requires a special license. If you do not have the required license, you will see device
errors if you try to deploy a GTP map.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > GTP from the
Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Country and Network The three-digit Mobile Country Code (mcc) and Mobile Network Code
Codes Table (mnc) to include in the map. The codes are 000 to 999.
To add codes, click the Add button and fill in the dialog box.
To edit a row, select it and click the Edit button.
To delete a row, select it and click the Delete button.
Permit Response Table The Network/Host policy objects for which you will allow GTP responses
from a GSN that is different from the one to which the response was sent.
To add objects, click the Add button and fill in the dialog box. For more
information, see Add and Edit Permit Response Dialog Boxes,
page 15-38.
To edit a row, select it and click the Edit button.
To delete a row, select it and click the Delete button.
Request Queue The maximum requests allowed in the queue. When the limit has been
reached and a new request arrives, the request that has been in the queue for
the longest time is removed. Values are 1-9999999. The default is 200.
Tunnel Limit The maximum number of tunnels allowed.
Permit Errors Whether to permit packets with errors or different GTP versions. By default,
all invalid packets or packets that failed during parsing are dropped.
Edit Timeouts button Click this button to configure time out values for various operations. For
more information about the options, see GTP Map Timeouts Dialog Box,
page 15-39.
Table 15-20 Add and Edit GTP Map Dialog Boxes (Continued)
Element Description
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes, page 15-39).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Validate For The device platforms for which to validate the object. Select the platform for
Validate button which you intend to use this object and click Validate to determine if the
object is configured in a way that will prevent policy deployment.
Navigation Path
From the Add and Edit GTP Map dialog boxes, click the Add button in the Country and Network codes
table, or select a row and click the Edit button. See Configuring GTP Maps, page 15-36.
Navigation Path
From the Add and Edit GTP Map dialog boxes, click the Add button in the Permit Response table, or
select a row and click the Edit button. See Configuring GTP Maps, page 15-36.
Navigation Path
From the Add and Edit GTP Map dialog boxes, click the Edit Timeouts button on the Parameters tab.
See Configuring GTP Maps, page 15-36.
Field Reference
Element Description
GSN Timeout The period of inactivity (hh:mm:ss) after which a GSN is removed. The
default is 30 minutes. Enter 0 to never tear down immediately.
PDP Context Timeout The maximum period of time allowed (hh:mm:ss) before beginning to
receive the PDP context. The default is 30 minutes. Enter 0 to specify
no limit.
Request Queue Timeout The maximum period of time allowed (hh:mm:ss) before beginning to
receive the GTP message. The default is 60 seconds. Enter 0 to specify
no limit.
Signaling Connections The period of inactivity (hh:mm:ss) after which the GTP signaling is
Timeout removed. The default is 30 minutes. Enter 0 to not remove the signal.
Tunnel Timeout The period of inactivity (hh:mm:ss) after which the GTP tunnel is torn
down. The default is 60 seconds (when a Delete PDP Context Request
is not received). Enter 0 to never tear down immediately.
T3 Response Timeout The maximum wait time for a response before removing the connection.
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and
action for a GTP policy map.
The fields on this dialog box change based on the criterion you select.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit GTP Map
dialog box, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
See Configuring GTP Maps, page 15-36.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-22 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Criterion Specifies which criterion of GTP traffic to match:
Access Point NameMatches the access point name so you can define
the access points to drop when GTP application inspection is enabled.
Message IDMatches the numeric identifier for the message that you
want to drop. By default, all valid message IDs are allowed.
Message LengthMatches the length of the UDP packet. Use this
criterion to change the default for the maximum allowed message length
for the UDP payload.
VersionMatches the GTP version.
Type Specifies whether the map includes traffic that matches or does not match the
criterion. For example, if Doesnt Match is selected on the string
example.com, then any traffic that contains example.com is excluded
from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the
defined criteria.
Drop PacketBy default, all invalid packets or packets that failed
during parsing are dropped.
Drop Packet and Log
Rate Limit
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Access Point Name The access points to act on when GTP application inspection is enabled.
Specified ByAn access point name to be dropped. By default, all
messages with valid APNs are inspected, and any APN is allowed.
Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Regular Expression GroupThe regular expression group object that
defines the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular expression
group object.
ID Type The numeric identifier of the message that you want to act on.
ValueA single message ID.
RangeA range of message IDs.
Table 15-22 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes (Continued)
Element Description
Minimum Length The minimum number of bytes in the UDP payload.
Maximum Length The maximum number of bytes in the UDP payload.
Version Type The GTP version as a single value or range of values.
Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP
uses port 2123, while Version 1 uses port 3386. By default all GTP versions
are allowed.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > H.323
(ASA/PIX/FWSM) from the Object Type selector. Right-click inside the work area, then select New
Object, or right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Class Maps for Inspection Policies, page 15-22
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Table 15-23 Add and Edit H.323 Map Dialog Boxes (Continued)
Element Description
Parameters tab
HSI Group table The HSI groups to include in the map. The group number, IP address of the
HSI host, and IP addresses and interface names of the clients connected to
the security appliance are shown in the table. Up to five HSI hosts per group,
and up to ten end points per HSI group, are allowed.
To add a group, click the Add button and fill in the dialog box (see Add
or Edit HSI Group Dialog Boxes, page 15-43).
To edit a group, select it and click the Edit button.
To delete a group, select it and click the Delete button.
Call Duration Limit The call duration limit in seconds. The range is from 0:0:0 to 1163:0:0. A
value of 0 means never timeout.
Enforce Presence of Whether to enforce calling and called party numbers used in call setup.
Calling and Called
Party Numbers
Check State Transition Whether to enable state checking validation on H.225 messages.
on H.225 Messages
Check State Transition Whether to enable state checking validation on RAS messages.
on RAS Messages
Create Pinholes on Whether to enable call setup between H.323 endpoints when the Gatekeeper
Seeing RCF Packets is inside the network. The device opens pinholes for calls based on
Registration Request/Registration Confirm (RRQ/RCF) messages. Because
these RRQ/RCF messages are sent to and from the Gatekeeper, the calling
endpoints IP address is unknown and the device opens a pinhole through
source IP address/port 0/0.
This option is available for ASA 8.0(5)+ devices.
Check for Whether to enforce H.245 tunnel blocking and perform the action you select
H.245 Tunneling in the Action list box.
Action
Check RTP Packets for Whether to check RTP packets flowing through the pinholes for protocol
Protocol Conformance conformance.
Payload Type must be Whether to enforce the payload type to be audio or video based on the
Audio or Video based signaling exchange.
on Signaling Exchange
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes,
page 15-44).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Table 15-23 Add and Edit H.323 Map Dialog Boxes (Continued)
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
From the Parameters tab on the Add and Edit H.323 Map dialog boxes, click the Add Row button in the
HSI group table, or select a row and click the Edit Row button. See Configuring H.323 Maps,
page 15-41.
Field Reference
Element Description
Group ID The HSI group ID number (0 to 2147483647).
IP Address The IP address of the HSI host.
Endpoint table The end points associated with HSI group. You can add up to 10 end points
per group. For each end point, you specify the IP address and interface
policy group.
To add an end point, click the Add button and fill in the dialog box (see
Add or Edit HSI Endpoint IP Address Dialog Boxes, page 15-43).
To edit an end point, select it and click the Edit button.
To delete an end point, select it and click the Delete button.
Navigation Path
From the Add and Edit HSI Group dialog boxes, click the Add Row button in the end point table, or
select a row and click the Edit Row button. See Configuring H.323 Maps, page 15-41.
Field Reference
Table 15-25 Add and Edit HSI Endpoint IP Address Dialog Boxes
Element Description
Network/Host The IP address of the end point host or network.
Interface The Interface policy group that identifies the interface connected to the
security appliance. Enter the name of a policy group, or click Select to select
it from a list, where you can also create new policy groups.
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit H.323 Match Criterion (for H.323 class maps) or Match Condition and Action (for
H.323 policy maps) dialog boxes to do the following:
Define the match criterion and value for an H.323 class map.
Select an H.323 class map when creating an H.323 policy map.
Define the match criterion, value, and action directly in an H.323 policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a
class map or policy map.
Navigation Path
When creating an H.323 class map, in the Policy Object Manager, from the Add or Edit Class Maps
dialog boxes for H.323, right-click inside the table, then select Add Row or right-click a row, then select
Edit Row. See Configuring Class Maps for Inspection Policies, page 15-22.
When creating an H.323 policy map, in the Policy Object Manager, from the Match Condition and
Action tab on the Add and Edit H.323 Map dialog boxes, right-click inside the table, then select Add
Row or right-click a row, then select Edit Row. See Configuring H.323 Maps, page 15-41.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-26 H.323 Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Match Type Enables you to use an existing H.323 class map or define a new H.323
Class Name class map.
Use Specified ValuesYou want to define the class map on this
(Policy Map only)
dialog box.
Use Values in Class MapYou want to select an existing H.323
class map policy object. Enter the name of the H.323 class map in
the Class Name field. Click Select to select the map from a list or
to create a new class map object.
Table 15-26 H.323 Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Criterion Specifies which criterion of H.323 traffic to match:
Called PartyMatches the called party address.
Calling PartyMatches the calling party address.
Media TypeMatches the media type.
Type Specifies whether the map includes traffic that matches or does not
match the criterion. For example, if Doesnt Match is selected on the
string example.com, then any traffic that contains example.com is
excluded from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the
defined criteria.
(Policy Map only)
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Value The regular expression you want to evaluate. You can select one of
the following:
Regular ExpressionThe regular expression object that defines
the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular
expression object.
Regular Expression GroupThe regular expression group object
that defines the regular expression you want to use for pattern
matching. Enter the name of the object. You can click Select to
choose the object from a list of existing ones or to create a new
regular expression group object.
Media Type The type of media you want to inspect, audio, video, or data.
Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices
Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM
3.x, and IOS devices.
The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that
HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other
criteria. This can help prevent attackers from using HTTP messages for circumventing network
security policy.
When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and
log is enabled by default. You can change the actions performed in response to inspection failure, but
you cannot disable strict inspection as long as the HTTP map remains enabled. Security Manager uses
the http-map command to configure the map on the device.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > HTTP (ASA
7.1.x/PIX 7.1.x/FWSM3.x/IOS) from the Object Type selector. Right-click inside the work area, then
select New Object or right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-27 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
General tab Defines the action taken when non-compliant HTTP requests are received
and to enable verification of content type. For a description of the options,
see HTTP Map General Tab, page 15-47.
Entity Length tab Defines the action taken if the length of the HTTP content falls outside of
configured targets. For a description of the options, see HTTP Map Entity
Length Tab, page 15-48.
RFC Request Defines the action that the security appliance should take when specific RFC
Method tab request methods are used in the HTTP request. For a description of the
options, see HTTP Map RFC Request Method Tab, page 15-49.
Extension Request Defines the action taken when specific extension request methods are used
Method tab in the HTTP request. For a description of the options, see HTTP Map
Extension Request Method Tab, page 15-50.
Port Misuse tab Defines the action taken when specific undesirable applications are
encountered. For a description of the options, see HTTP Map Port Misuse
Tab, page 15-51.
Transfer Encoding tab Defines the action taken when specific transfer encoding types are used in
the HTTP request. For a description of the options, see HTTP Map Transfer
Encoding Tab, page 15-52.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Click the General tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM
3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices,
page 15-45.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Take action for non-RFC Whether you want to configure the action to be taken for traffic that
2616 compliant traffic does not comply with RFC 2616. Possible actions are:
Allow PacketAllow the message.
Drop PacketClose the connection.
Reset Connection (default)Send a TCP reset message to client
and server.
You can also select Generate Syslog to write a message to the syslog
if non-compliant traffic is encountered.
Verify Content-type field Whether you want to configure the action to be taken for traffic whose
belongs to the supported content type does not belong to the supported internal content-type list.
internal content-type list. Possible actions are:
Allow PacketAllow the message.
Drop PacketClose the connection.
Reset Connection (default)Send a TCP reset message to client
and server.
You can also select these options:
Verify Content-type field for response matches the ACCEPT
field of requestTo also verify that the content type of the
response matches the request.
Generate SyslogTo write a message to the syslog if
non-compliant traffic is encountered.
Element Description
Override Global TCP Idle Whether to change the TCP idle timeout default setting. An IOS device
Timeout (IOS only) terminates a connection if there is no communication activity after this
length of time. If you select this option, specify the desired timeout
value in seconds.
Override Global Audit Trail Whether to change the audit trail setting for IOS devices. If you
Setting (IOS only) select this option, you can select Enable Audit Trail to generate audit
trail messages.
Enable Audit Trail
Navigation Path
Click the Entity Length tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX
7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and
IOS Devices, page 15-45.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Inspect URI Length Whether to enable inspection based on the length of the URI. If you select
this option, configure the following:
MaximumThe desired maximum length, in bytes, of the URI, from 1
to 65535.
Excessive URI Length ActionThe action to take when the length
is exceeded:
Allow PacketAllow the message.
Drop PacketClose the connection.
Reset ConnectionSend a TCP reset message to client and server.
Generate SyslogWhether to generate a syslog message when a
violation occurs.
Element Description
Inspect Maximum Whether to enable inspection based on the length of the HTTP header. If you
Header Length select this option, configure the following:
RequestThe desired maximum length, in bytes, of the request header,
from 1 to 65535.
ResponseThe desired maximum length, in bytes, of the response
header, from 1 to 65535.
Excessive Header Length ActionThe action to take when the length
is exceeded:
Allow PacketAllow the message.
Drop PacketClose the connection.
Reset ConnectionSend a TCP reset message to client and server.
Generate SyslogWhether to generate a syslog message when a
violation occurs.
Inspect Body Length Whether to enable inspection based on the length of the message body. If you
select this option, configure the following:
Minimum ThresholdThe desired minimum length, in bytes, of the
message body, from 1 to 65535.
Maximum ThresholdThe desired maximum length, in bytes, of the
message body, from 1 to 65535.
Body Length Threshold ActionThe action to take when the message
body falls outside of the configured boundaries:
Allow PacketAllow the message.
Drop PacketClose the connection.
Reset ConnectionSend a TCP reset message to client and server.
Generate SyslogWhether to generate a syslog message when a
violation occurs.
Navigation Path
Click the RFC Request Method tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX
7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and
IOS Devices, page 15-45.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Available and The Available Methods list contains the request methods defined in
Selected Methods RFC 2616.
Action To configure an action for a method, select it, then select an action
and optionally select Generate Syslog if you want a message added
Generate Syslog
to the syslog when an HTTP request containing the selected method
is encountered. Click the >> button to add it to the Selected Methods
list. (To remove a method from the selected list, select it and click
the << button.)
Tip You can select multiple methods at a time using Ctrl+click if
the action and syslog requests are the same for each.
Navigation Path
Click the Extension Request Method tab on the Add and Edit HTTP Map dialog boxes for ASA
7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM
3.x and IOS Devices, page 15-45.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Available and The Available Methods list contains the extension request methods defined
Selected Methods in RFC 2616.
Action To configure an action for a method, select it, then select an action and
optionally select Generate Syslog if you want a message added to the syslog
Generate Syslog
when an HTTP request containing the selected method is encountered. Click
the >> button to add it to the Selected Methods list. (To remove a method
from the selected list, select it and click the << button.)
Tip You can select multiple methods at a time using Ctrl+click if the
action and syslog requests are the same for each.
Navigation Path
Click the Port Misuse tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM
3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices,
page 15-45.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Available and Selected The Available Application Categories list contains the categories for
Application Categories which you can define firewall inspection settings.
Action To configure an action for a category, select it, then select an action and
optionally select Generate Syslog if you want a message added to the
Generate Syslog
syslog when an HTTP request containing the selected application is
encountered. Click the >> button to add it to the Selected Categories
list. (To remove a category from the selected list, select it and click the
<< button.)
Tip You can select multiple categories at a time using Ctrl+click if
the action and syslog requests are the same for each.
Navigation Path
Click the Transfer Encoding tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX
7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and
IOS Devices, page 15-45.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Available and Selected The Available Encoding Types list contains the types of transfer
Encoding Types encoding for which you can define firewall inspection settings.
Action To configure an action for a type, select it, then select an action and
optionally select Generate Syslog if you want a message added to the
Generate Syslog
syslog when an HTTP request containing the selected type is
encountered. Click the >> button to add it to the Selected Encoding
Types list. (To remove a type from the selected list, select it and click
the << button.)
Tip You can select multiple types at a time using Ctrl+click if the
action and syslog requests are the same for each.
Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices
Use the Add and Edit HTTP Map dialog boxes to define the match criterion and values for the HTTP
inspect map for ASA and PIX software releases 7.2 and higher.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > HTTP (ASA
7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object
or right-click a row, then select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Class Maps for Inspection Policies, page 15-22
Field Reference
Table 15-34 Add and Edit HTTP Map Dialog Boxes (ASA 7.2+/PIX 7.2+)
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters
is allowed.
Parameters tab
Body Match Maximum The maximum number of characters in the body of an HTTP message
that should be searched in a body match.
Tip A high value can have a significant impact on performance.
Check for protocol violations Whether to check for protocol violations.
Action The action to take based on the defined settings. You can drop, reset, or
log the connection.
Spoof Server Enables you to replace the server HTTP header value with the
specified string.
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action)
Dialog Boxes, page 15-55).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Overrides: None Shows that no overrides exist on the device. You must manually set
overrides in order to change the display. For more information, see
Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Note Selecting Allow Value Override per Device does not
automatically set overrides.
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action)
Dialog Boxes
Use the Add or Edit HTTP Match Criterion (for HTTP class maps) or Match Condition and Action (for
HTTP policy maps) dialog boxes to do the following:
Define the match criterion and value for an HTTP class map.
Select an HTTP class map when creating an HTTP policy map.
Define the match criterion, value, and action directly in an HTTP policy map.
These types of maps are used only for devices running ASA 7.2 or higher, or PIX 7.2 or higher,
operating systems.
The fields on this dialog box change based on the criterion you select and whether you are creating a
class map or policy map. You can use the following criteria:
Request/Response Content Type MismatchSpecifies that the content type in the response must
match one of the MIME types in the accept field of the request.
Request ArgumentsApplies the regular expression match to the arguments of the request.
Request BodyApplies the regular expression match to the body of the request.
Request Body LengthSpecifies that the body length of the request be matched as greater than or
less than the specified number of bytes.
Request Header CountSpecifies that the number of headers in the request be matched as greater
than or less than the specified number.
Request Header LengthSpecifies that the header length of the request be matched as greater than
or less than the specified number of bytes.
Request Header FieldApplies the regular expression match to the header of the request.
Request Header Field CountApplies the regular expression match to the header of the request
based on a specified number of header fields.
Request Header Field LengthApplies the regular expression match to the header of the request
based on a specified field length.
Request Header Content TypeSpecifies the content type to evaluate in the content-type header
field of the request.
Request Header Transfer EncodingSpecifies the transfer encoding to evaluate in the
transfer-encoding header field of the request.
Request Header Non-ASCIISpecifies whether there are non-ASCII characters in the header of
the request.
Request MethodSpecifies the method of the request to match.
Request URIApplies the regular expression match to the URI of the request.
Request URI LengthSpecifies that the URI length of the request be matched as greater than or less
than the specified number of bytes.
Response Body ActiveXSpecifies whether there is ActiveX content in the body of the request.
Response Body Java AppletSpecifies whether there is a Java applet in the body of the request.
Response BodyApplies the regular expression match to the body of the response.
Response Body LengthSpecifies that the body length of the response be matched as greater than
or less than the specified number of bytes.
Response Header CountSpecifies that the number of headers in the response be matched as greater
than or less than the specified number.
Response Header LengthSpecifies that the header length of the response be matched as greater
than or less than the specified number of bytes.
Response Header FieldApplies the regular expression match to the header of the response.
Response Header Field CountApplies the regular expression match to the header of the response
based on a specified number of header fields.
Response Header Field LengthApplies the regular expression match to the header of the response
based on a specified field length.
Response Header Content TypeSpecifies the content type to evaluate in the content-type header
field of the response.
Response Header Transfer EncodingSpecifies the transfer encoding to evaluate in the
transfer-encoding header field of the response.
Response Header Non-ASCIISpecifies whether there are non-ASCII characters in the header of
the response.
Response Status LineApplies the regular expression match to the status line of the response.
Navigation Path
When creating an HTTP class map, in the Policy Object Manager, from the Add or Edit Class Maps
dialog boxes for HTTP, right-click inside the table, then select Add Row or right-click a row, then select
Edit Row. See Configuring Class Maps for Inspection Policies, page 15-22.
When creating an HTTP policy map, in the Policy Object Manager, from the Match Condition and
Action tab on the Add and Edit HTTP Map dialog boxes for ASA/PIX 7.2+ devices, right-click inside
the table, then select Add Row or right-click a row, then select Edit Row. See Configuring HTTP Maps
for ASA 7.2+ and PIX 7.2+ Devices, page 15-53.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-35 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and
Action Dialog Boxes
Element Description
Match Type Enables you to use an existing HTTP class map or define a new HTTP class
map.
Class Name
(Policy Map only) Use Specified ValuesYou want to define the class map on this dialog
box.
Use Values in Class MapYou want to select an existing HTTP class
map policy object. Enter the name of the HTTP class map in the Class
Name field. Click Select to select the map from a list or to create a new
class map object.
Criterion Specifies which criterion of HTTP traffic to match. The criteria are described
above.
Table 15-35 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and
Action Dialog Boxes (Continued)
Element Description
Type Specifies whether the map includes traffic that matches or does not match the
criterion. For example, if Doesnt Match is selected on the string
example.com, then any traffic that contains example.com is excluded
from the map.
MatchesMatches the criterion. For some criteria, this is the only
available option.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the defined
criteria. The types of action depend on the criterion you select.
(Policy Map only)
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Field Name The name of the header field to evaluate. You can select one of the following:
PredefinedThe predefined HTTP header fields.
Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Table 15-35 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and
Action Dialog Boxes (Continued)
Element Description
Value The regular expression you want to evaluate. You can select one of
the following:
Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Regular Expression GroupThe regular expression group object that
defines the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular expression
group object.
When you are evaluating the Request Header Transfer Encoding or Response
Header Transfer Encoding criteria, you can also select these options:
Specified ByOne of the following predefined types of
transfer encoding:
ChunkedThe message body is transferred as a series of chunks.
CompressedThe message body is transferred using UNIX
file compression.
DeflateThe message body is transferred using zlib format
(RFC 1950) and deflate compression (RFC 1951).
GZIPThe message body is transferred using GNU zip
(RFC 1952).
IdentityNo transfer encoding is performed.
EmptyThe transfer-encoding field in request header is empty.
Greater Than Length The length in bytes of the evaluated field. The criterion matches if the length
is greater than the specified number, and does not match if the field is less
than the specified number.
Greater Than Count The number of evaluated items. The criterion matches if the count is greater
than the specified number, and does not match if the count is less than the
specified number.
Table 15-35 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and
Action Dialog Boxes (Continued)
Element Description
Content Type The content type to evaluate as specified in the content-type header field.
You can select one of the following:
Specified ByA predefined MIME type.
UnknownThe MIME type is not known. Select Unknown when you
want to evaluate the item against all known MIME types.
ViolationThe magic number in the body must correspond to the
MIME type in the content-type header field.
Regular Expression, Regular Expression GroupThe regular
expression or regular expression group to evaluate. See the explanation
for the Value field for an explanation of these options.
Request Method The specified request method to match. You can select one of the following:
Specified ByThe predefined request method.
Regular Expression, Regular Expression GroupThe regular
expression or regular expression group to evaluate. See the explanation
for the Value field for an explanation of these options.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IM (ASA
7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object
or right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog
Boxes, page 15-60).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
Overrides and Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit IM Match Criterion (for IM class maps) or Match Condition and Action (for IM
policy maps) dialog boxes to do the following:
Define the match criterion and value for an IM class map.
Select an IM class map when creating an IM policy map.
Define the match criterion, value, and action directly in an IM policy map.
These types of maps are used only for devices running ASA 7.2 or higher, or PIX 7.2 or higher,
operating systems.
The fields on this dialog box change based on the criterion you select and whether you are creating a
class map or policy map.
Navigation Path
When creating an IM class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog
boxes for IM, right-click inside the table, then select Add Row or right-click a row, then select Edit
Row. See Configuring Class Maps for Inspection Policies, page 15-22.
When creating an IM policy map, in the Policy Object Manager, from the Match Condition and Action
tab on the Add and Edit IM Map dialog boxes for ASA 7.2/PIX 7.2, right-click inside the table, then
select Add Row or right-click a row, then select Edit Row. See Configuring IM Maps for ASA 7.2+,
PIX 7.2+ Devices, page 15-59.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-37 IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action)
Dialog Boxes
Element Description
Match Type Enables you to use an existing IM class map or define a new IM class map.
Class Name Use Specified ValuesYou want to define the class map on this
dialog box.
(Policy Map only)
Use Values in Class MapYou want to select an existing IM class map
policy object. Enter the name of the IM class map in the Class Name
field. Click Select to select the map from a list or to create a new class
map object.
Criterion Specifies which criterion of IM traffic to match. The criteria are:
FilenameMatches the filename from IM file transfer service.
Client IP AddressMatches the source client IP address.
Client Login NameMatches the client login name from IM service.
Peer IP AddressMatches the peer, or destination, IP address.
Peer Login NameMatches the peer, or destination, login name from
IM service.
ProtocolMatches IM protocols.
ServiceMatches IM services.
File Transfer Service VersionMatches the IM file transfer
service version.
Type Specifies whether the map includes traffic that matches or does not match the
criterion. For example, if Doesnt Match is selected on the string
example.com, then any traffic that contains example.com is excluded
from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the
defined criteria.
(Policy Map only)
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Table 15-37 IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action)
Dialog Boxes (Continued)
Element Description
Value The regular expression you want to evaluate. You can select one of
the following:
Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Regular Expression GroupThe regular expression group object that
defines the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular expression
group object.
IP Address The IP address you want to match.
Protocol The IM protocol, either MSN Messenger or Yahoo! Messenger.
Services The IM services you want to inspect. Select one or more of the listed services.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IM (IOS) from
the Object Type selector. Right-click inside the work area, then select New Object or right-click a row,
then select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Service Tabs
The tabs represent different IM service providers. The settings available on each tab are identical. You
must configure the settings separately for each service provider. The descriptions of the following
fields apply to each of the services: Yahoo!, MSN, and AOL.
Text Chat How you want the text chat service to be handled, for example, allowed,
denied, logged, or some combination.
Other Services How you want services other than text chat to be handled, for example,
allowed, denied, logged, or some combination. IOS software recognizes all
services other than text chat, such as voice-chat, video-chat, file sharing and
transferring, and gaming as a single group.
Permit Servers The servers from which to permit traffic. Accepted formats are IP addresses,
IP ranges, and hostnames separated by commas.
Deny Servers The servers from which to deny traffic. Accepted formats are IP addresses,
IP ranges, and hostnames separated by commas.
Alert Whether you want to enable or disable alerts. The default is to use the default
inspection settings.
Audit Whether you want to enable or disable an audit trail. The default is to use the
default inspection settings.
Timeout A timeout for the service. You can use the default inspection settings, or you
can elect to specify a timeout. If you select Specify Timeout, enter the
timeout value in seconds.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Tip Because the no operation (NOP) option might be used as padding to ensure proper packet-header size
and alignment, you might want to allow NOP.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IP Options from
the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row
and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 128 characters is allowed.
Description A description of the policy object.
End of Options List End of Options List (EOOL), or IP Option 0, contains just a single zero byte
and appears at the end of all options to mark the end of a list of options. This
might not coincide with the end of the header according to the header length.
No operation No Operation (NOP), or IP Option 1, is used for padding. The Options field
in the IP header can contain zero, one, or more options, which makes the
total length of the field variable. However, the IP header must be a multiple
of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the
NOP option is used as to align the options on a 32-bit boundary.
Table 15-39 Add and Edit IP Options Map Dialog Boxes (Continued)
Element Description
Router alert Router Alert (RTRALT), or IP Option 20, notifies transit routers to inspect
the contents of the packet even when the packet is not destined for that
router. This inspection is valuable when implementing RSVP and similar
protocols require relatively complex processing from the routers along the
packets delivery path.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
Overrides and Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IPsec Pass
Through from the Object Type selector. Right-click inside the work area, then select New Object or
right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-40 Add and Edit IPsec Pass Through Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Allow ESP Whether to allow ESP traffic. If you select this option, you can configure the
Maximum ESP Tunnels maximum number of ESP tunnels that each client can have and the amount
per Client of time that an ESP tunnel can be idle before it is closed (in
hours:minutes:seconds format). The default timeout is 10 minutes
ESP Idle Timeout (00:10:00).
Allow AH Whether to allow AH traffic. If you select this option, you can configure the
maximum number of AH tunnels that each client can have and the amount of
Maximum AH Tunnels
time that an AH tunnel can be idle before it is closed (in
per Client
hours:minutes:seconds format). The default timeout is 10 minutes
AH Idle Timeout (00:10:00).
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > NetBIOS from
the Object Type selector. Right-click inside the work area, then select New Object or right-click a row
and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters
is allowed.
Check for Protocol Violation Whether to check for NETBIOS protocol violations. If you select this
Action option, select the action you want to take when violations occur.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
Overrides page 6-13 and Understanding Policy Object Overrides for Individual
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > SIP
(ASA/PIX/FWSM) from the Object Type selector. Right-click inside the work area, then select New
Object or right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Configuring Class Maps for Inspection Policies, page 15-22
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Enable SIP Instant Whether to enable Instant Messaging extensions.
Messaging Extensions
Permit Non-SIP Traffic Whether to permit non-SIP traffic on the SIP port.
on SIP Port
Hide Servers and Whether to hide the IP addresses, which enables IP address privacy.
Endpoints IP Address
Check RTP Packets for Whether to check RTP/RTCP packets flowing on the pinholes for protocol
Protocol Conformance conformance. If you select this option, you can also elect to enforce the
Limit Payload to Audio payload type to be audio/video based on the signaling exchange.
or Video based on the
Signaling Exchange
If Number of Hops to Whether to check if the value of Max-Forwards header is zero. When it is
Destination is Greater greater than zero, the action you select in the Action field is implemented.
Than 0 The default is to drop the packet.
If State Transition is Whether to check SIP state transitions. When a transition is detected, the
Detected action you select in the Action field is implemented. The default is to drop
the packet.
If Header Fields Fail Whether to take the action specified in the Action field if the SIP header
Strict Validation fields are invalid. The default is to drop the packet.
Inspect Servers Whether to inspect the SIP endpoint software version in User-Agent and
and Endpoints Server headers. The default is to mask the information.
Software Version
If Non-SIP URI Whether to take the action specified in the Action field if a non-SIP URI
is Detected is detected in the Alert-Info and Call-Info headers. The default is to mask
the information.
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes, page 15-69).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Table 15-42 Add and Edit SIP Map Dialog Box (Continued)
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit SIP Match Criterion (for SIP class maps) or Match Condition and Action (for SIP
policy maps) dialog boxes to do the following:
Define the match criterion and value for a SIP class map.
Select a SIP class map when creating a SIP policy map.
Define the match criterion, value, and action directly in a SIP policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a
class map or policy map.
Navigation Path
When creating a SIP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog
boxes for SIP, right-click inside the table, then select Add Row or right-click a row, then select Edit
Row. See Configuring Class Maps for Inspection Policies, page 15-22.
When creating a SIP policy map, in the Policy Object Manager, from the Match Condition and Action
tab on the Add and Edit SIP Map dialog boxes, right-click inside the table, then select Add Row or
right-click a row, then select Edit Row. See Configuring SIP Maps, page 15-67.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-43 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Match Type Enables you to use an existing SIP class map or define a new SIP class map.
Class Name Use Specified ValuesYou want to define the class map on this
dialog box.
(Policy Map only)
Use Values in Class MapYou want to select an existing SIP class map
policy object. Enter the name of the SIP class map in the Class Name
field. Click Select to select the map from a list or to create a new class
map object.
Criterion Specifies which criterion of SIP traffic to match.
Called PartyMatches the called party as specified in the To header.
Calling PartyMatches the calling party as specified in the From header.
Content LengthMatches the Content Length header.
Content TypeMatches the Content Type header.
IM SubscriberMatches the SIP Instant Messenger subscriber.
Message PathMatches the SIP Via header.
Third Party RegistrationMatches the requester of a
third-party registration.
URI LengthMatches a URI in the SIP headers.
Request MethodMatches the SIP request method.
Type Specifies whether the map includes traffic that matches or does not match the
criterion. For example, if Doesnt Match is selected on the string
example.com, then any traffic that contains example.com is excluded
from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
Action The action you want the device to take for traffic that matches the
defined criteria.
(Policy Map only)
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Table 15-43 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Value The regular expression you want to evaluate. You can select one of
the following:
Regular ExpressionThe regular expression object that defines the
regular expression you want to use for pattern matching. Enter the name
of the object. You can click Select to choose the object from a list of
existing ones or to create a new regular expression object.
Regular Expression GroupThe regular expression group object that
defines the regular expression you want to use for pattern matching.
Enter the name of the object. You can click Select to choose the
object from a list of existing ones or to create a new regular expression
group object.
URI Type The type of URI to match, either SIP or TEL.
Greater Than Length The length in bytes of the evaluated field. The criterion matches if the length
is greater than the specified number, and does not match if the field is less
than the specified number.
Table 15-43 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Content Type The content type to evaluate as specified in the content-type header field.
You can select one of the following:
SDPMatches an SDP SIP content header type.
Regular Expression, Regular Expression GroupThe regular
expression or regular expression group to evaluate. See the explanation
for the Value field for an explanation of these options.
Resource Method The request method you want to inspect:
ackConfirms that the client has received a final response to an
INVITE request.
byeTerminates a call and can be sent by either the caller or the
called party.
cancelCancels any pending searches but does not terminate a call that
has already been accepted.
infoCommunicates mid-session signaling information along the
signaling path for the call.
inviteIndicates a user or service is being invited to participate in a
call session.
messageSends instant messages where each message is independent
of any other message.
notifyNotifies a SIP node that an event which has been requested by
an earlier SUBSCRIBE method has occurred.
optionsQueries the capabilities of servers.
prackProvisional response acknowledgment.
referRequests that the recipient REFER to a resource provided in
the request.
registerRegisters the address listed in the To header field with a
SIP server.
subscribeRequests notification of an event or set of events at a
later time.
unknownUses a nonstandard extension that could have unknown
security impacts on the network.
updatePermits a client to update parameters of a session but has no
impact on the state of a dialog.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > Skinny from the
Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the Skinny map. A maximum of 40 characters is allowed.
Description A description of the Skinny map, up to 200 characters.
Parameters Tab
Enforce Endpoint Whether to enforce registration before calls can be placed.
Registration
Maximum SCCP Station The maximum SCCP station message ID allowed, in hexadecimal.
Message ID 0x
Check RTP Packets for Whether to check RTP packets flowing through the pinholes for
Protocol Conformance protocol conformance. If you select this option, you can also select
whether to enforce the payload type.
Enforce Payload Type to be
Audio or Video based on
Signaling Exchange
Minimum SCCP The minimum SCCP length allowed.
Prefix Length
Table 15-44 Add and Edit Skinny Map Dialog Boxes (Continued)
Element Description
Maximum SCCP The maximum SCCP length allowed.
Prefix Length
Media Timeout The timeout value for media connections.
Signaling Timeout The timeout value for signaling connections.
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the
inspection is looking for traffic that matches or does not match each criterion, the criterion and value
that is inspected, and the action to be taken for traffic that satisfies the conditions.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes, page 15-74).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and
action for a Skinny policy map.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit Skinny Map
dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
See Configuring SIP Maps, page 15-67.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Table 15-45 Skinny Policy Maps Add and Edit Match Condition and Action Dialog Boxes
Element Description
Criterion Specifies which criterion of Skinny traffic to match.
Type Specifies whether the map includes traffic that matches or does not
match the criterion. For example, if Doesnt Match is selected on
0xFFFF, then any traffic that has the message ID 0xFFFF is excluded
from the map.
MatchesMatches the criterion.
Doesnt MatchDoes not match the criterion.
ID Type The hexadecimal value for the message ID to inspect:
ValueMatches a single hexadecimal value.
RangeMatches a range of values.
Action The action you want the device to take for traffic that matches the
defined criteria.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > SNMP from the
Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Table 15-46 Add and Edit SNNP Map Dialog Boxes (Continued)
Element Description
Disallowed SNMP The versions of SNMP you want to prohibit.
Versions SNMP Version 1
SNMP Version 2c (Community Based)
SNMP Version 2 (Party Based)
SNMP Version 3
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Regular Expressions Groups from the
Object Type selector. Right-click inside the work area, then select New Object or right-click a row and
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Creating Policy Objects, page 6-6
Field Reference
Table 15-47 Add and Edit Regular Expression Class Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Regular Expressions The Regular Expression policy objects that include the expressions you want
to include in the group. Enter the name of the objects or click Select to select
them from a list or to create a new object.
Table 15-47 Add and Edit Regular Expression Class Map Dialog Boxes (Continued)
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Regular Expressions from the Object
Type selector. Right-click inside the work area, then select New Object or right-click a row and select
Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Protocols and Maps for Inspection, page 15-19
Creating Policy Objects, page 6-6
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Value The regular expression, up to 100 characters in length. For information on
the metacharacters you can use to build regular expressions, see
Metacharacters Used to Build Regular Expressions, page 15-78.
Table 15-48 Add and Edit Regular Expression Dialog Boxes (Continued)
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Element Description
Global Timeout Values
TCP Establish How long to wait for a TCP session to reach the established state before
Timeout (seconds) dropping the session, in seconds, from 1-2147483. The default is 30.
FIN Wait Time (seconds) How long to maintain TCP session state information after the firewall
detects a FIN-exchange, in seconds, from 1-2147483. The
FIN-exchange occurs when the TCP session is ready to close. The
default is 5.
TCP Idle Time (seconds) How long to maintain a TCP session while there is no activity in the
session, in seconds, from 1-2147483. The default is 3600 (one hour).
UDP Idle Time (seconds) How long to maintain a UDP session while there is no activity in the
session, in seconds, from 1-2147483. The default is 30.
When the software detects a valid UDP packet, the software establishes
state information for a new UDP session. Because UDP is a
connectionless service, there are no actual sessions, so the software
approximates sessions by examining the information in the packet and
determining if the packet is similar to other UDP packets (for example,
it has similar source or destination addresses) and if the packet was
detected soon after another similar UDP packet.
If the software detects no UDP packets for the UDP session for the
period of time defined by the UDP idle timeout, the software will not
continue to manage state information for the session.
DNS Timeout (seconds) The length of time for which a DNS lookup session is managed while
there is no activity, in seconds, from 1-2147483. The default is 5.
SYN Flooding DoS Attack Thresholds
Maximum 1 Minute The number of new unestablished sessions that causes the system to
Connection Rate - low start and stop deleting half-open sessions. Ensure that you enter a lower
Maximum 1 Minute number in the Low field than you enter in the High field. Possible
Connection Rate - high values are from 1-2147483647 per minute. The default is 400 for low
and 500 for high.
Element Description
Maximum Incomplete The number of existing half-open sessions that will cause the software
Sessions Stop Threshold to start and stop deleting half-open sessions. Ensure that you enter a
Maximum Incomplete lower number in the stop field than you enter in the start field. Possible
Sessions Start Threshold values are from 1-2147483647. The default is 400 for low and 500
for high.
Thresholds per Host
Max Sessions Per Host The number of half-open TCP sessions with the same host destination
address that can exist at a time before the software starts deleting
half-open sessions to the host. Possible values are 1-4294967295. The
default is 50.
A large number of half-open sessions can indicate there is a Denial of
Service attack against the host.
Max Sessions Blocking If the maximum sessions per host threshold is reached, the blocking
Interval (min) time to apply to help mitigate the potential TCP host-specific
denial-of-service (DoS) attack. Possible values are 0-35791 minutes.
The default is 0.
If the blocking time value is 0, the software deletes the oldest
existing half-open session for the host for every new connection
request to the host above the maximum session limit. This ensures
that the number of half-open sessions to a given host will never
exceed the threshold.
If the blocking time value is greater than 0, the software deletes all
existing half-open sessions for the host, then blocks all new
connection requests to the host. The software will continue to block
all new connection requests until the block-time expires.
Other
Session Hash Table The size of the hash table in terms of buckets. Possible values for the
Size (buckets) hash table are 1024, 2048, 4096, and 8192. The default is 1024.
You should increase the hash table size when the total number of
sessions running through the device is approximately twice the current
hash size; decrease the hash table size when the total number of
sessions is reduced to approximately half the current hash size.
Essentially, try to maintain a 1:1 ratio between the number of sessions
and the size of the hash table.
Enable Alert Messages Whether to generate stateful packet inspection alert messages on
the console.
Enable Audit Trail Messages Whether audit trail messages are logged to the syslog server or router.
Permit DHCP Passthrough Whether to permit a transparent firewall to forward DHCP packets
(Transparent Firewall) across the bridge without inspection.
Permitting DHCP passthrough overrides an ACL for DHCP packets, so
DHCP packets are forwarded even if the ACL is configured to deny all
IP packets. Thus, clients on one side of the bridge can get an IP address
from a DHCP server on the opposite side of the bridge.
Element Description
Block Non-SYN Packets Whether to drop TCP packets that do not belong to an established
session. These are TCP packets that do not initiate sessions, that is, the
SYN bit is not set in them.
Log Dropped Packets Whether to create log messages for dropped packets to specify the
reason for dropping them.
Related Topics
Understanding Inspection Rules, page 15-2
Configuring Inspection Rules, page 15-5
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 15-5
Web filter rules policies define policies for allowing or preventing web traffic based on the requested
URL or the applet content of the traffic. For ASA, PIX, and FWSM devices, you can also filter FTP and
HTTPS traffic.
How you configure web filter rules is different depending on whether the device uses ASA, PIX or
FWSM software as opposed to Cisco IOS Software.
The following topics help you work with web filter rules:
Understanding Web Filter Rules, page 16-1
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices, page 16-2
Configuring Web Filter Rules for IOS Devices, page 16-9
Configuring Settings for Web Filter Servers, page 16-14
Tip For IOS devices, you have the option of configuring web filtering using zone-based firewall rules instead
of web filter rules, which allows you the additional option of using Trend Micro web filtering servers.
For more information, see Chapter 18, Managing Zone-based Firewall Rules.
Beside filtering requests based on URL, you can do some applet filtering, stripping out ActiveX or Java
applets. You might want to do this to prevent applet downloads from sites you otherwise want to allow
if you do not fully trust the site. You can configure your rules to block these applets from specific sites
while allowing them from trusted sites.
The policies and procedures for configuring web filter rules differs based on the device type. See the
following topics for more information:
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices, page 16-2
Configuring Web Filter Rules for IOS Devices, page 16-9
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices
Web filter rules policies for ASA, PIX, and FWSM devices define how you want to handle HTTP, FTP,
and HTTPS traffic. You can also filter ActiveX and Java applets. Web filter rules permit or deny traffic
based on the Universal Resource Locator (URL) address in the web request. If you allow HTTP traffic
in your access rules, you can subsequently deny (or drop) traffic if it is directed at an objectionable web
or FTP site, or you can strip out ActiveX or Java applets from untrusted sources.
To configure web filtering rules for ASA, PIX, and FWSM devices:
1. Configure the rules that identify traffic that should be subject to filtering, and the traffic that should
be exempt from filtering rules (see below for the procedure).
2. Configure web filter settings to identify the URL filtering server and other settings. For more
information, see Configuring Settings for Web Filter Servers, page 16-14.
Related Topics
Understanding Web Filter Rules, page 16-1
Using Sections to Organize Rules Tables, page 12-17
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Moving Rules and the Importance of Rule Order, page 12-16
Understanding Network/Host Objects, page 6-62
Understanding and Specifying Services and Service and Port List Objects, page 6-69
Step 1 Do one of the following to open the Web Filter Rules Page (ASA/PIX/FWSM), page 16-3:
Device viewSelect Firewall > Web Filter Rules from the Policy selector.
Policy viewSelect Firewall > Web Filter Rules (PIX/FWSM/ASA) from the Policy Type select.
Select an existing policy or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and
select Add Row. This opens the Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes,
page 16-5.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific
information on configuring the fields, see Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes,
page 16-5.
Filtering and TypeWhether you are creating a rule that identifies traffic to be filtered (Filter) or
exempted from an existing filter rule (Filter Except), and the type of filtering to be done:
URLTo filter traffic based on web address.
HTTPSTo filter web traffic to secure sites. This does not include SSL VPN traffic.
FTPTo filter FTP traffic.
ActiveX or JavaTo remove ActiveX or Java applets. These options delete all entities within
applet or object tags, so you might remove more than just ActiveX or Java applets.
Source and Destination addressesIf the rule should apply no matter which addresses generated the
traffic or their destinations, use any as the source or destination. If the rule is specific to a host or
network, enter the addresses or network/host objects. For information on the accepted address
formats, see Specifying IP Addresses During Policy Definition, page 6-68.
ServicePrimarily defines the port that should be monitored. You must specify some type of TCP
service. Typically, you would use the pre-defined services HTTP, HTTPS, or FTP, which should be
the same as the type of filtering you are performing, but you can specify any TCP port on your
network that might contain the traffic to be filtered.
OptionsThe options you want to include, if any. The main options of interest are whether you want
to allow traffic if the filtering servers are unavailable, and whether you want to truncate long URLs
or URLs that have parameters. Truncating URLs that have parameters is typically a good idea,
because if you are going to drop a URL, it is not normally because of a parameter value.
Click OK when you are finished defining your rule.
Step 4 If you did not select the desired row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. Order is not as important for web filtering rules,
however, because filter except rules always create exceptions to the related filter rule, whether they come
before or after the filter rule. For more information, see Moving Rules and the Importance of Rule Order,
page 12-16.
Tip Rules cannot overlap. For example, if you create two rules with the same, or overlapping, source,
destination, and service, you cannot deploy them. Also, you should order any filter-except rules below
the filter rule to which they are creating an exemption.
Navigation Path
To access the Web Filter Rules page for ASA, PIX, and FWSM devices, do one of the following:
(Device view) Select an ASA, PIX, or FWSM device, then select Firewall > Web Filter Rules from
the Policy selector.
(Policy view) Select Firewall > Web Filter Rules (PIX/FWSM/ASA) from the Policy Type
selector. Create a new policy or select an existing one.
(Map view) Right-click an ASA, PIX, or FWSM device and select Edit Firewall Policies > Web
Filter Rules.
Related Topics
Understanding Web Filter Rules, page 16-1
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices, page 16-2
Configuring Settings for Web Filter Servers, page 16-14
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Using Sections to Organize Rules Tables, page 12-17
Enabling and Disabling Rules, page 12-17
Moving Rules and the Importance of Rule Order, page 12-16
Filtering Tables, page 1-33
Field Reference
Element Description
No. The ordered rule number.
Source The source and destination addresses for the rule. The any address does
not restrict the rule to specific hosts, networks, or interfaces. These
Destination
addresses are IP addresses for hosts or networks, network/host objects,
interfaces, or interface roles. Multiple entries are displayed as separate
subfields within the table cell. See Understanding Network/Host Objects,
page 6-62.
Service The services or service objects that specify the protocol and port of the
traffic to which the rule applies. Multiple entries are displayed as separate
subfields within the table cell. See Understanding and Specifying Services
and Service and Port List Objects, page 6-69.
Type The type of filtering action for the rule, either filtering the identified traffic,
or exempting the identified traffic from filtering (Filter Except). For a full
explanation, see Edit Web Filter Type Dialog Box, page 16-8.
Table 16-1 Web Filter Rules Page (ASA, PIX, FWSM) (Continued)
Element Description
Options Additional configuration options for the selected protocol, if any. For
detailed descriptions, see Edit Web Filter Options Dialog Box, page 16-8.
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description The description of the rule, if any.
Tools button Click this button to select tools that you can use with this type of policy. You
can select from the following tools:
QueryTo run policy queries, which can help you evaluate your rules
and identify ineffective rules that you can delete. See Generating Policy
Query Reports, page 12-24
Find and Replace button Click this button to search for various types of items within the table and to
(binoculars icon) optionally replace them. See Finding and Replacing Items in Rules Tables,
page 12-13.
Up Row and Down Row Click these buttons to move the selected rules up or down within a scope or
buttons (arrow icons) section. For more information, see Moving Rules and the Importance of Rule
Order, page 12-16.
Add Row button Click this button to add a rule to the table after the selected row using the
Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes, page 16-5. If
you do not select a row, the rule is added at the end of the local scope. For
more information about adding rules, see Adding and Removing Rules,
page 12-8.
Edit Row button Click this button to edit the selected rule. You can also edit individual cells.
For more information, see Editing Rules, page 12-9.
Delete Row button Click this button to delete the selected rule.
Navigation Path
From the Web Filter Rules Page (ASA/PIX/FWSM), page 16-3, click the Add Row button or select a
row and click the Edit Row button.
Related Topics
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices, page 16-2
Understanding Web Filter Rules, page 16-1
Configuring Settings for Web Filter Servers, page 16-14
Field Reference
Table 16-2 Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes
Element Description
Enable Rule Whether to enable the rule, which means the rule becomes active when you
deploy the configuration to the device. Disabled rules are shown overlain
with hash marks in the rule table. For more information, see Enabling and
Disabling Rules, page 12-17.
Filtering The type of rule you are defining:
FilterThe rule filters the identified type of traffic between source
and destination.
Filter ExceptThe rule creates an exemption to a filter rule. The
identified traffic between the source and destination is not filtered.
Type The type of traffic that should be filtered (or exempted from filtering) for this
rule. For filtering that uses an external server, consult the documentation for
your version of the server to determine if it supports that type of filtering.
Configure the filtering server on the Web Filter Settings Page, page 16-15.
URLHTTP traffic. Filtering is done using an external filtering server.
HTTPSHTTPS traffic. This does not include traffic associated with an
SSL VPN. Filtering is done using an external filtering server.
JavaRemove Java applets from HTTP traffic if they are identified on
applet tags. The rule does not remove Java applets from SSL VPN
traffic. If the applet tag spans packets, or the code in the tags is larger
than the MTU, the Java applet is not removed.
ActiveXRemove ActiveX or Java applets from HTTP traffic. The rule
removes any item within object or applet tags, which might also remove
images and multimedia objects. The rule might not remove applets from
SSL VPN traffic. If the object tag spans packets, or the code in the tags
is larger than the MTU, the object is not removed.
FTPFTP traffic. Filtering is done using an external filtering server.
Sources The source or destination of the traffic. You can enter more than one value
by separating the items with commas.
Destinations
You can enter any combination of the following address types to define the
source or destination of the traffic. For more information, see Specifying IP
Addresses During Policy Definition, page 6-68.
Network/host object. Enter the name of the object or click Select to
select it from a list. You can also create new network/host objects from
the selection list.
Host IP address, for example, 10.10.10.100.
Network address, including subnet mask, in either the format
10.10.10.0/24 or 10.10.10.0/255.255.255.0.
A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255, where the
mask is a discontiguous bit mask (see Contiguous and Discontiguous
Network Masks, page 6-63).
Table 16-2 Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes (Continued)
Element Description
Services The services that define the port number of the traffic to act on. You can enter
more than one value by separating the items with commas.
The service must use TCP. Your specification defines the port that you want
filtered (the service name has no meaning). For example, if you want to filter
port 80, use the HTTP service object. If HTTP traffic on your network uses
a different port, specify TCP/port number (for example, TCP/8080). You can
enter TCP by itself to filter all ports.
You can enter any combination of service objects and service types (which
are typically a protocol and port combination). If you type in a service, you
are prompted as you type with valid values. You can select a value from the
list and press Enter or Tab.
For complete information on how to specify services, see Understanding and
Specifying Services and Service and Port List Objects, page 6-69.
Allow traffic if URL Whether to permit unfiltered traffic on outbound connections if all of the
Filter Server unavailable URL filtering servers are unavailable. If you do not select this option, all
affected outbound traffic (HTTP, FTP, or HTTPS) is blocked until at least
(URL, FTP,
one filtering server becomes available.
HTTPS only)
Block connection to Whether to prevent users from connecting to an HTTP proxy server.
HTTP Proxy Server
(URL only)
Truncate CGI When a URL has a parameter list starting with a question mark (?), such as
request by removing a CGI script, whether to truncate the URL sent to the filtering server by
CGI parameters removing all characters after and including the question mark.
(URL only)
Block outbound Whether to prevent interactive FTP sessions that do not provide the entire
requests if absolute FTP directory path when the user tries to change directories.
path is not provided
(FTP only)
Long URL How to handle URLs that are longer than the maximum allowed by the
filtering server: 4 KB for Websense, 3 KB for Smartfilter (N2H2). Many
(URL only)
times, long URLs are due to parameter lists, and you can use the Truncate
CGI request by removing CGI parameters option to handle those URLs.
For other long URLs, select from the following options:
DropDrop the long URL request.
TruncateTruncate the URL request to only the hostname or IP address
portion of the URL.
DenyDeny the URL request.
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description An optional description of the rule (up to 1024 characters).
Navigation Path
Right-click the Type cell in a web filter rule for ASA/PIX/FWSM (on the Web Filter Rules Page
(ASA/PIX/FWSM), page 16-3) and select Edit Web Filter Type. You can edit the type for one row
at a time.
Field Reference
Element Description
Filtering The type of rule you are defining:
FilterThe rule filters the identified type of traffic between source
and destination.
Filter ExceptThe rule creates an exemption to a filter rule. The
identified traffic between the source and destination is not filtered.
Type The type of traffic that should be filtered (or exempted from filtering) for this
rule. For filtering that uses an external server, consult the documentation for
your version of the server to determine if it supports that type of filtering.
Configure the filtering server on the Web Filter Settings Page, page 16-15.
URLHTTP traffic. Filtering is done using an external filtering server.
HTTPSHTTPS traffic. This does not include traffic associated with an
SSL VPN. Filtering is done using an external filtering server.
JavaRemove Java applets from HTTP traffic if they are identified on
applet tags. The rule does not remove Java applets from SSL VPN
traffic. If the applet tag spans packets, or the code in the tags is larger
than the MTU, the Java applet is not removed.
ActiveXRemove ActiveX or Java applets from HTTP traffic. The rule
removes any item within object or applet tags, which might also remove
images and multimedia objects. The rule might not remove applets from
SSL VPN traffic. If the object tag spans packets, or the code in the tags
is larger than the MTU, the object is not removed.
FTPFTP traffic. Filtering is done using an external filtering server.
Navigation Path
Right-click the Options cell in a web filter rule for ASA/PIX/FWSM (on the Web Filter Rules Page
(ASA/PIX/FWSM), page 16-3) and select Edit Web Filter Type. You can edit the type for one row
at a time.
Field Reference
Element Description
Allow traffic if URL Filter Whether to permit unfiltered traffic on outbound connections if all of
Server unavailable the URL filtering servers are unavailable. If you do not select this
option, all affected outbound traffic (HTTP, FTP, or HTTPS) is blocked
(URL, FTP, HTTPS only)
until at least one filtering server becomes available.
Block connection to HTTP Whether to prevent users from connecting to an HTTP proxy server.
Proxy Server
(URL only)
Truncate CGI request by When a URL has a parameter list starting with a question mark (?), such
removing CGI parameters as a CGI script, whether to truncate the URL sent to the filtering server
(URL only) by removing all characters after and including the question mark.
Block outbound requests Whether to prevent interactive FTP sessions that do not provide the
if absolute FTP path is entire directory path when the user tries to change directories.
not provided
(FTP only)
Long URL How to handle URLs that are longer than the maximum allowed by the
filtering server: 4 KB for Websense, 3 KB for Smartfilter (N2H2). Many
(URL only)
times, long URLs are due to parameter lists, and you can use the
Truncate CGI request by removing CGI parameters option to handle
those URLs. For other long URLs, select from the following options:
DropDrop the long URL request.
TruncateTruncate the URL request to only the hostname or IP
address portion of the URL.
DenyDeny the URL request.
Tip You can also configure web filtering as a zone based firewall rule. For more information, see Adding
Zone-Based Firewall Rules, page 18-12.
Related Topics
Understanding Web Filter Rules, page 16-1
Understanding Interface Role Objects, page 6-55
Understanding Network/Host Objects, page 6-62
Step 1 Do one of the following to open the Web Filter Rules Page (IOS), page 16-11:
Device viewSelect Firewall > Web Filter Rules from the Policy selector.
Policy viewSelect Firewall > Web Filter Rules (IOS) from the Policy Type select. Select an
existing policy or create a new one.
Step 2 Configure the interfaces on which you will filter HTTP traffic. Create rules for each interface on which
you will enable filtering:
a. Select the Web Filter Rules tab if it is not already selected and do one of the following to open the
IOS Web Filter Rule and Applet Scanner Dialog Box, page 16-12:
To create a new rule, right-click inside the work area and select Add Row.
To edit an existing rule, right-click the rule and select Edit Row.
b. Identify the interface for which this rule applies. You can either enter the interface name or click
Select to select it or an interface role from the list. Also configure the following:
Traffic direction with respect to the interfaceTypically, you want to select In so that undesired
traffic is dropped before the device spends more time processing the packet.
Java applet scanningIf you enable web filtering on an interface, Java applets are inspected,
which can affect performance. Typically, you want to enable Java applet scanning so that you
can identify permitted and denied sources and avoid the scanning of denied applets. If you want
to configure both permitted and denied sources for an interface, you must configure two rules
for the interface.
c. Click OK to add the rule to the web filtering rules table.
Step 3 (Optional) Configure the list of exclusive domains, which define the local filtering list. This list is
applied before web requests are sent to the external web filtering server (defined on the Web Filter
Settings Page, page 16-15). If you know there are web sites that you will always permit (such as your
organizations web site) or deny, configure them in the local list. Configure as many rules as needed to
define the complete list.
a. Click the Exclusive Domains tab and do one of the following to open the IOS Web Filter Exclusive
Domain Name Dialog Box, page 16-13.
To create a new rule, right-click inside the work area and select Add Row.
To edit an existing rule, right-click the rule and select Edit Row.
b. Select whether you are permitting or denying the specified domains, and enter the domain names or
host IP addresses. You can enter either full domain names (the names of specific web sites) or partial
names (for entire domains you want to treat the same way).
c. Click OK to add your exclusive domain rule to the policy.
Tip You can also configure web filtering as a zone based firewall rule. For more information, see Zone-based
Firewall Rules Page, page 18-56.
Navigation Path
To access the Web Filter Rules page for IOS devices, do one of the following:
(Device view) Select an IOS device and select Firewall > Web Filter Rules from the Policy selector.
(Policy view) Select Firewall > Web Filter Rules (IOS) from the Policy Type selector. Create a
new policy or select an existing one.
(Map view) Right-click an IOS device and select Edit Firewall Policies > Web Filter Rules.
Related Topics
Understanding Web Filter Rules, page 16-1
Configuring Web Filter Rules for IOS Devices, page 16-9
Chapter 16, Managing Firewall Web Filter Rules
Field Reference
Element Description
Web Filter Rules tab The URL filtering rules defined for the policy. Each rule shows the interface
on which it is defined, whether the rule is applied to incoming or outgoing
traffic, and the permitted or denied Java applet sources if Java applet
scanning is enabled. You might have more than one rule for an interface if
you configure both a permit and deny list for Java applet scanning.
To add a rule, click the Add Row button and fill in the IOS Web Filter
Rule and Applet Scanner Dialog Box, page 16-12.
To edit a rule, select it and click the Edit Row button.
To delete a rule, select it and click the Delete Row button.
Exclusive Domains tab The local web filter list. This list is checked before web requests are sent
to the filtering server and applies to all interfaces on which you configure
web filtering.
If you know there are specific domains that you will always allow (such as
your organizations own domain name), or disallow, you can list them here.
By configuring a local filter list, you can improve performance because the
device does not need to wait for a response from the filtering server.
To add a domain, click the Add Row button and fill in the IOS Web Filter
Exclusive Domain Name Dialog Box, page 16-13.
To edit a domain, select it and click the Edit Row button.
To delete a domain, select it and click the Delete Row button.
Navigation Path
To open this dialog box, select the Web Filter Rules tab on the Web Filter Rules Page (IOS), page 16-11,
click Add Row to create a new rule, or select a row and click Edit Row to edit an existing rule.
Related Topics
Configuring Web Filter Rules for IOS Devices, page 16-9
Understanding Web Filter Rules, page 16-1
Chapter 16, Managing Firewall Web Filter Rules
Configuring Settings for Web Filter Servers, page 16-14
Field Reference
Table 16-6 IOS Web Filter Rule and Applet Scanner Dialog Box
Element Description
Enable Web Filtering Whether to enable the web filtering rule.
Interface The interface or interface role to which the rule is assigned. Enter the
name of the interface or the interface role, or click Select to select the
interface or role from a list, or to create a new role. An interface must
already be defined to appear on the list.
Interface role objects are replaced with the actual interface names when
the configuration is generated for each device. See Understanding
Interface Role Objects, page 6-55.
Traffic Direction The direction of the traffic to which this rule applies:
InPackets entering an interface.
OutPackets exiting an interface.
Java Applet Scanning If you select Enable Java Applet Scanning, the device checks for the
presence of Java applets in HTTP traffic coming from web servers to
Enable Java Applet Scanner
internal hosts. If a Java applet is present and the web server (applet
source) is in the list of permitted sources, the Java applet is left
unmodified in the HTTP traffic. Otherwise, the Java applets are
removed from HTTP pages.
Tip When you enable web filtering, Java applets are inspected,
which can affect performance. By enabling the Java applet
scanner, you can identify a list of permitted or denied sources
and avoid inspection for those applets. Even if you do not want
to deny any sources, enable scanning and permit the any source.
Permit Traffic The list of permitted or denied source addresses for Java applets. To
Applet Sources configure a list of permitted or denied sources:
Select either Permit from Specified Sources or Deny from
Specified Sources. If you want to create both a permit and deny
list, create two separate web filter rules. If you do not configure a
permit list, all sources are denied.
Enter the list of permitted or denied addresses in the Applet
Sources field. The list can include host IP addresses, network
addresses, address ranges, or network/host objects, but cannot
include domain names. Separate multiple addresses with commas.
For more information on entering addresses, see Specifying IP
Addresses During Policy Definition, page 6-68.
Navigation Path
To open this dialog box, select the Exclusive Domains tab on the Web Filter Rules Page (IOS),
page 16-11, click Add Row to create a new rule, or select a row and click Edit Row to edit an
existing rule.
Related Topics
Configuring Web Filter Rules for IOS Devices, page 16-9
Understanding Web Filter Rules, page 16-1
Chapter 16, Managing Firewall Web Filter Rules
Field Reference
Table 16-7 IOS Web Filter Exclusive Domain Name Dialog Box
Element Description
Traffic Whether you want to permit access to the listed web sites or deny
access to them.
Domain Name The domain names or host IP addresses of web sites that you are
permitting or denying. Separate multiple entries with commas.
For domain names, you can enter a full or partial name. For example,
cisco.com covers all web servers on the cisco.com domain, whereas
www.cisco.com specifies only the www web server.
Tip These settings work only with the web filter rules policy. The web servers you configure here are not
used with zone based firewall rules policies that configure web content filtering.
Related Topics
Understanding Web Filter Rules, page 16-1
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices, page 16-2
Configuring Web Filter Rules for IOS Devices, page 16-9
Step 1 Do one of the following to open the Web Filter Settings Page, page 16-15:
(Device view) Select Firewall > Settings > Web Filter from the Policy selector.
(Policy view) Select Firewall > Settings > Web Filter from the Policy Type selector. Select an
existing policy or create a new one.
Step 2 Select the type of web filtering server you use in the Web Filter Server Type field, and then add the
servers to the table of web filtering servers. If you have more than one server, add them in priority order;
the first server in the list is the primary server.
To add a server, click the Add Row button and fill in the Web Filter Server Configuration Dialog
Box, page 16-18.
To edit a server, select it and click the Edit Row button.
To delete a server, select it and click the Delete Row button.
Step 3 The bottom half of the settings policy includes device-specific options that you can also configure. For
specific information on each setting, see Web Filter Settings Page, page 16-15. The following is an
overview of the settings:
IOS devicesThe most interesting setting is Allow Traffic when Servers Unreachable, which
determines whether you allow any web connections if the filtering servers are unavailable. If you do
not select this option, all web traffic is cut off if the servers go offline for any reason.
The remaining settings configure logging and cache size options.
ASA, PIX, FWSM devicesThese options configure the cache size and buffer limits used with the
filtering servers. You can also control whether the cached responses include both source and
destination (if you have different filtering policies per user) or destination only (one policy for all),
as configured in the filtering server.
Tip These settings work only with the web filter rules policy. The web servers you configure here are not
used with zone based firewall rules policies that configure web content filtering.
Navigation Path
To access the Web Filter settings page, do one of the following:
(Device view) Select a device, then select Firewall > Settings > Web Filter from the Policy selector.
(Policy view) Select Firewall > Settings > Web Filter from the Policy Type selector. Create a new
policy or select an existing one.
(Map view) Right-click a device and select Edit Firewall Settings > Web Filter.
Related Topics
Understanding Web Filter Rules, page 16-1
Configuring Settings for Web Filter Servers, page 16-14
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices, page 16-2
Configuring Web Filter Rules for IOS Devices, page 16-9
Field Reference
Element Description
Web Filter Server Type The type of web filter server you are using:
NoneYou are not using web filter servers.
WebsenseYou use Websense servers.
Secure Computing SmartFilter/N2H2You use Smartfilter
servers. If you select this option, you can specify the server port to
use for communication in the Port field.
Tip If you change this setting, you are prompted to remove the
existing list of servers from the table. Clicking Yes does not
clear the table. The prompt is to remind you that the list might
contain the wrong type of servers.
Web Filter Servers table The servers that the device should use for web filtering. Enter the
servers in priority order; the device uses the first one in the list until
it fails to respond, and moves to the next server in the list until it gets
a response.
If you select None for filter type, this list is ignored.
To add a server, click the Add Row button and fill in the Web Filter
Server Configuration Dialog Box, page 16-18.
To edit a server, select it and click the Edit Row button.
To delete a server, select it and click the Delete Row button.
IOS Specific Settings
Allow Traffic when Whether the device should allow web traffic if the web filter servers are
Servers Unreachable not responding. If you do not select this option, all web access is
prevented until the servers come back online.
If you allow web traffic when the servers are down, the web requests
are not filtered and access to all web servers is allowed.
Enable Alerts Whether to generate stateful packet inspection alert messages on
the console.
Enable Audit Trail Whether audit trail messages are logged to the syslog server or router.
Enable Web Filter Whether to send system messages to the URL filtering server for logging.
Server Logging The device sends a log request immediately after the URL lookup
request. The log request contains the URL, hostname, source IP address,
and the destination IP address. The server records the log request into its
own log server so you can view this information as necessary.
Cache Size The maximum number of destination IP addresses (and their
authorization status) that can be cached in the device. The default value
is 5000.
When the cache reaches 80% full, the device starts removing older
inactive entries.
Maximum Requests The maximum number of outstanding requests that can exist at any
given time. If the specified number is exceeded, new requests are
dropped. The default is 1000.
Element Description
Packet Buffer The maximum number of HTTP responses that can be stored in the
packet buffer of the device while it waits for the web filter server to
allow or deny the request. The device drops responses when the
maximum is reached. The default (and maximum) value is 200.
When users make web requests, the device simultaneously sends the
request to the web site and to the web filtering server. If the response
from the web site is received before the server provides a permit or deny
response, the device keeps the request in the packet buffer until it gets
a response from the server.
The response is removed from the buffer when the server responds or if
the device determines that the server is unavailable and you also
selected Allow Traffic when Servers Unreachable.
PIX/ASA/FWSM Specific Settings
Cache Match Criteria How to cache web requests:
Source and DestinationCache entries are based on both the
address initiating the request and the destination web address.
Select this mode if users do not share the same filtering policy on
the filtering server.
DestinationCache entries are based on the destination web
address. Select this mode if all users share the same filtering policy
on the filtering server.
URL Buffer Memory The size of the URL buffer memory pool in KB. Values are 2 to 10240.
(ASA 7.2+, PIX 7.2+ only.)
Maximum Allowed The maximum allowed URL size in KB for each URL being buffered.
URL Size The possible values differ depending on server type:
(ASA 7.2+, PIX 7.2+ only.) WebsenseFrom 2 to 4.
Smartfilter (N2H2)2 or 3.
Cache Size The size of the cache, in KB, for storing responses from the filtering
server. Values are 1 to 128.
Caching stores URL access privileges in memory on the security
appliance. When a host requests a connection, the security appliance
first looks in the URL cache for matching access privileges instead of
forwarding the request to the Websense server.
URL Block Buffer Limit The size of the buffer for storing web server responses while waiting
for a filtering decision from the filtering server. The values are 1 to 128,
which specifies the number of 1550-byte blocks.
Navigation Path
From the Web Filter Settings Page, page 16-15, click Add Row beneath the Web Filter Servers table, or
select a row and click Edit Row.
Related Topics
Configuring Settings for Web Filter Servers, page 16-14
Understanding Web Filter Rules, page 16-1
Chapter 16, Managing Firewall Web Filter Rules
Field Reference
Element Description
Common
IP Address The IP address of the web filter server.
Timeout The length of time, in seconds, that the device will wait for a response
from the web filter server. The default is 5 seconds.
If the request times out, the device tries the next server, if you configure
more than one.
PIX/ASA/FWSM Specific Settings
Interface The network interface where the authentication server resides, for
example, FastEthernet0. If not specified, the default is inside.
Enter the name of the interface or the interface role that identifies it, or
click Select to select the interface or role from a list, or to create a new
role. An interface must already be defined to appear on the list.
Protocol The protocol to use when communicating with the web filtering server.
Select the option for which the server is configured:
TCP (version 1)
TCP version 4
UDP version 4
Connection Number (Optional) The maximum number of TCP connections allowed between
the device and the server.
IOS Specific Settings
Retransmit The number of times the device will retransmit a request when the
server does not respond. The default value is two times.
Port The port number that the server listens on. The default port is 15868.
Malware is malicious software that is installed on an unknowing host. Malware that attempts network
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP
address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic
database of known bad domain names and IP addresses, and then logs any suspicious activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by
adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think
should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses
still generate syslog messages, but because you are only targeting blacklist syslog messages, they are
informational. If you do not want to use the Cisco dynamic database at all, because of internal
requirements, you can use the static blacklist alone if you can identify all the malware sites that you
want to target.
Related Topics
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Botnet Traffic Filter Rules Page, page 17-9
Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and
graylist generate syslog messages differentiated by type.
Note To use the database, be sure to configure a domain name server for the security appliance so that it can
access the URL.
To use the domain names in the dynamic database, you need to enable DNS packet inspection with
Botnet Traffic Filter snooping; the security appliance looks inside the DNS packets for the domain name
and associated IP address.
Related Topics
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Botnet Traffic Filter Rules Page, page 17-9
Related Topics
Dynamic Blacklist Configuration Tab, page 17-10
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Adding Entries to the Static Database, page 17-5
Enabling DNS Snooping, page 17-6
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 17-7
Botnet Traffic Filter Rules Page, page 17-9
Note For devices in multiple context mode, you enable downloading of the dynamic database on the
System context and enable use of the dynamic database on each security context, as needed.
This opens the Botnet Traffic Filter Rules Page, page 17-9.
Step 2 On the Dynamic Blacklist Configuration tab, select Enable Dynamic Blacklist From Server to enable
downloading of the dynamic database.
Note In multiple context mode, you enable downloading of the dynamic database on the System context.
This setting enables downloading of the dynamic database from the Cisco update server. If you do not
have a database already installed on the security appliance, it downloads the database after
approximately 2 minutes. The update server determines how often the security appliance polls the server
for future updates, typically every hour.
Step 3 (Multiple context mode only) Click Save to save the changes to the System context. Then change to the
context where you want to configure the Botnet Traffic Filter, select Firewall > Botnet Traffic Filter
Rules for that context, and then proceed to Step 4.
Step 4 On the Dynamic Blacklist Configuration tab, select Use Dynamic Blacklist to enable use of the
dynamic database.
Note In multiple context mode, these settings are disabled on the System context.
Related Topics
Whitelist/Blacklist Tab, page 17-15
Device Whitelist or Device Blacklist Dialog Box, page 17-15
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Configuring the Dynamic Database, page 17-4
Enabling DNS Snooping, page 17-6
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 17-7
Botnet Traffic Filter Rules Page, page 17-9
Note For devices in multiple context mode, you configure the static database on the security context.
This opens the Botnet Traffic Filter Rules Page, page 17-9.
Step 2 On the Whitelist / Blacklist tab, click the Add Rows button that corresponds with the type of entry you
are adding (Whitelist or Blacklist).
This opens the Device Whitelist or Device Blacklist Dialog Box, page 17-15.
Step 3 In the Domain or IP Address field, enter one or more domain names, IP addresses, and IP
address/netmasks. Enter multiple entries separated by commas or on separate lines. You can enter up to
1000 entries for each type.
Step 4 Click OK.
Related Topics
Configure DNS Dialog Box, page 15-16
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Configuring the Dynamic Database, page 17-4
Adding Entries to the Static Database, page 17-5
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 17-7
Botnet Traffic Filter Rules Page, page 17-9
Step 1 You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic Filter.
See Chapter 15, Managing Firewall Inspection Rules.
Step 2 While defining a new inspection rule or editing an existing inspection rule, select DNS as the protocol
you want to inspect.
The Configure button to the right of the Selected Protocol field becomes active.
Step 3 Click Configure.
This opens the Configure DNS Dialog Box, page 15-16.
Step 4 To enable DNS snooping, select Enable Dynamic Filter Snooping.
Step 5 Click OK.
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address
in each initial connection packet to the IP addresses in the dynamic database, static database, DNS
reverse lookup cache, and DNS host cache, and sends a syslog message for any matching traffic. The
Botnet Traffic Filter can also drop the connection when matching traffic is encountered. For a particular
interface, you can specify only one enable rule that identifies the traffic that is subject to Botnet Traffic
Filtering; however, you can specify multiple drop rules to identify traffic that should be dropped by the
Botnet Traffic Filter.
The DNS snooping is enabled separately (see Enabling DNS Snooping, page 17-6). Typically, for
maximum use of the Botnet Traffic Filter, you need to enable DNS snooping, but you can use Botnet
Traffic Filter logging independently if desired. Without DNS snooping for the dynamic database, the
Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database;
domain names in the dynamic database are not used.
Related Topics
Traffic Classification Tab, page 17-11
BTF Enable Rules Editor, page 17-12
BTF Drop Rules Editor, page 17-13
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Configuring the Dynamic Database, page 17-4
Adding Entries to the Static Database, page 17-5
Enabling DNS Snooping, page 17-6
Botnet Traffic Filter Rules Page, page 17-9
Note For devices in multiple context mode, you configure traffic classification on the security context.
This opens the Botnet Traffic Filter Rules Page, page 17-9.
Step 2 To enable the Botnet Traffic Filter on specified traffic, follow these steps:
a. On the Traffic Classification tab, click Add Row under the Enable Rules table.
This opens the BTF Enable Rules Editor, page 17-12.
b. In the Interfaces field, specify the interface or interfaces on which you want to enable the Botnet
Traffic Filter. Normally, you want to enable the Internet-facing interface only. To select the
interfaces or interface role objects using the Interfaces Selector, click Select (see Understanding
Interface Role Objects, page 6-55).
You can configure a global classification that applies to all interfaces by selecting the All Interfaces
role object (selected by default). If you configure an interface-specific classification, the settings for
that interface overrides the global setting.
c. Do one of the following to identify the traffic that you want to monitor:
To monitor all traffic, leave the ACL field blank.
To specify the traffic that you want to monitor, click Select to the right of the ACL field to select
an Access Control List object that identifies the traffic that you want to monitor. For example,
you might want to monitor all port 80 traffic on the outside interface. For more information
about Access Control List objects, see Creating Access Control List Objects, page 6-40.
Note You can specify only one enable rule per interface.
d. Click OK.
The BTF Enable Rules Editor closes and the rule is added to the Enable Rules table.
Step 3 To automatically drop malware traffic, follow these steps:
Note You must enable the Botnet Traffic Filter for the traffic you want to automatically drop before
creating a drop rule for that traffic.
a. On the Traffic Classification tab, click Add Row under the Drop Rules table.
This opens the BTF Drop Rules Editor, page 17-13.
b. In the Interfaces field, specify the interface or interfaces on which you want to drop traffic. There
must be a corresponding enable rule for the interface. To select the interfaces or interface role
objects using the Interfaces Selector, click Select (see Understanding Interface Role Objects,
page 6-55).
You can configure a global classification that applies to all interfaces by selecting the All Interfaces
role object (selected by default). If you configure an interface-specific classification, the settings for
that interface overrides the global setting.
c. Do one of the following to identify the traffic that you want to drop:
To monitor all traffic, leave the ACL field blank.
To specify the traffic that you want to monitor, click Select to the right of the ACL field to select
an Access Control List object that identifies the traffic that you want to monitor. For example,
you might want to monitor all port 80 traffic on the outside interface. For more information
about Access Control List objects, see Creating Access Control List Objects, page 6-40.
d. In the Threat Level area, choose one of the following options to drop traffic specific threat levels.
The default level is a range between Moderate and Very High.
Note We highly recommend using the default setting unless you have strong reasons for changing
the setting.
Note Static blacklist entries are always designated with a Very High threat level.
e. Click OK.
The BTF Drop Rules Editor closes and the rule is added to the Drop Rules table.
Step 4 To add more rules, repeat steps 2 and 3, as required. When finished adding rules, click Save to save
your changes.
Step 5 To treat graylisted traffic as blacklisted traffic for action purposes, on the Dynamic Blacklist
Configuration tab, check the Treat Ambiguous traffic as Blacklist check box.
If you do not enable this option, graylisted traffic will not be dropped if you configure a drop rule for
that traffic.
Navigation Path
To access the Botnet Traffic Filter Rules page, do one of the following:
(Device view) Select a device, then select Firewall > Botnet Traffic Filter Rules from the
Policy selector.
(Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select
an existing policy or create a new one.
(Map view) Right-click a device and select Edit Firewall Policies > Botnet Traffic Filter Rules.
Related Topics
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Dynamic Blacklist Configuration Tab, page 17-10
Traffic Classification Tab, page 17-11
BTF Enable Rules Editor, page 17-12
BTF Drop Rules Editor, page 17-13
Whitelist/Blacklist Tab, page 17-15
Device Whitelist or Device Blacklist Dialog Box, page 17-15
Configure DNS Dialog Box, page 15-16
Navigation Path
From the Botnet Traffic Filter Rules Page, page 17-9, click the Dynamic Blacklist Configuration tab.
Related Topics
Configuring the Dynamic Database, page 17-4
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Botnet Traffic Filter Rules Page, page 17-9
Traffic Classification Tab, page 17-11
BTF Enable Rules Editor, page 17-12
BTF Drop Rules Editor, page 17-13
Whitelist/Blacklist Tab, page 17-15
Device Whitelist or Device Blacklist Dialog Box, page 17-15
Configure DNS Dialog Box, page 15-16
Field Reference
Element Description
Enable Dynamic Enables downloading of the dynamic database from the Cisco update server.
Blacklist From Server If you do not have a database already installed on the security appliance, it
downloads the database after approximately 2 minutes. The update server
determines how often the security appliance polls the server for future
updates, typically every hour.
Note If the device is in multiple context mode, configure this option on the
System context for that device.
Use Dynamic Blacklist Enables use of the dynamic database for the Botnet Traffic Filter.
Note In multiple context mode, you configure use of the database on a
per-context basis.
Treat Ambiguous traffic When selected, graylisted traffic will be treated as blacklisted traffic for
as Blacklist action purposes.
If you do not enable this option, graylisted traffic will not be dropped if you
configure a drop rule for that traffic.
Note We highly recommend configuring Dynamic Filter Snooping for proper functioning of the Botnet Traffic
Filter. When in Device view, Cisco Security Manager provides a link at the bottom of the Traffic
Classification tab that will take you directly to the Inspection Rules page so that you can enable Dynamic
Filter Snooping. For more information, see Enabling DNS Snooping, page 17-6.
The columns in the tables summarize the settings for an entry and are explained in BTF Enable Rules
Editor, page 17-12 and BTF Drop Rules Editor, page 17-13.
To configure traffic classification and actions:
Click the Add Row button to add an interface or interface role to the table, and fill in the BTF Enable
Rules Editor, page 17-12 or BTF Drop Rules Editor, page 17-13.
Select an entry and click the Edit Row button to edit an existing entry.
Select an entry and click the Delete Row button to delete it.
Navigation Path
From the Botnet Traffic Filter Rules Page, page 17-9, click the Traffic Classification tab.
Related Topics
BTF Enable Rules Editor, page 17-12
BTF Drop Rules Editor, page 17-13
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 17-7
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Botnet Traffic Filter Rules Page, page 17-9
Dynamic Blacklist Configuration Tab, page 17-10
Whitelist/Blacklist Tab, page 17-15
Device Whitelist or Device Blacklist Dialog Box, page 17-15
Configure DNS Dialog Box, page 15-16
Navigation Path
To access the BTF Enable Rules Editor, right-click inside the work area of the Enable Rules table on the
Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.
Related Topics
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 17-7
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Botnet Traffic Filter Rules Page, page 17-9
Dynamic Blacklist Configuration Tab, page 17-10
Traffic Classification Tab, page 17-11
BTF Drop Rules Editor, page 17-13
Whitelist/Blacklist Tab, page 17-15
Device Whitelist or Device Blacklist Dialog Box, page 17-15
Configure DNS Dialog Box, page 15-16
Field Reference
Element Description
Interfaces The interfaces or interface roles on which you want to enable the Botnet Traffic Filter.
Enter the name of the interface or the interface role, or click Select to select the
interface or role from a list, or to create a new role. An interface must already be
defined to appear on the list.
You can use the All Interfaces role object to enable botnet filtering globally (selected
by default). If you configure an interface-specific classification, the settings for that
interface override the global settings.
Interface role objects are replaced with the actual interface names when the
configuration is generated for each device. See Understanding Interface Role
Objects, page 6-55.
ACL Specifies the access-list to use for identifying the traffic that you want to monitor. If
you do not specify an access list, by default you monitor all traffic.
To specify the traffic that you want to monitor, click Select to the right of the ACL
field to select an Access Control List object that identifies the traffic that you want to
monitor. For example, you might want to monitor all port 80 traffic on the outside
interface. For more information about Access Control List objects, see Creating
Access Control List Objects, page 6-40.
Navigation Path
To access the BTF Drop Rules Editor, right-click inside the work area of the Drop Rules table on the
Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.
Related Topics
Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 17-7
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Botnet Traffic Filter Rules Page, page 17-9
Dynamic Blacklist Configuration Tab, page 17-10
Traffic Classification Tab, page 17-11
BTF Enable Rules Editor, page 17-12
Whitelist/Blacklist Tab, page 17-15
Device Whitelist or Device Blacklist Dialog Box, page 17-15
Configure DNS Dialog Box, page 15-16
Field Reference
Element Description
Interfaces The interfaces or interface roles on which you want to enable the Botnet Traffic Filter.
Enter the name of the interface or the interface role, or click Select to select the
interface or role from a list, or to create a new role. An interface must already be
defined to appear on the list.
You can use the All Interfaces role object to enable botnet filtering globally (selected
by default). If you configure an interface-specific classification, the settings for that
interface override the global settings.
Interface role objects are replaced with the actual interface names when the
configuration is generated for each device. See Understanding Interface Role
Objects, page 6-55.
ACL Specifies the access-list to use for identifying the traffic that you want to monitor. If
you do not specify an access list, by default you monitor all traffic.
To specify the traffic that you want to monitor, click Select to the right of the ACL
field to select an Access Control List object that identifies the traffic that you want to
monitor. For example, you might want to monitor all port 80 traffic on the outside
interface. For more information about Access Control List objects, see Creating
Access Control List Objects, page 6-40.
Threat Level The Threat Level fields identify the threat level of malicious traffic that you want
dropped. The default level is a range between Moderate and Very High.
Note We highly recommend using the default setting unless you have strong
reasons for changing the setting.
Whitelist/Blacklist Tab
Use the Whitelist/Blacklist tab to view or to configure the static database entries for a device or shared
policy. The Device Blacklist contains domain names or IP addresses of malicious or undesirable sites.
You can use the static blacklist to supplement the Cisco dynamic database or you can use the static
blacklist alone if you can identify all the malware sites that you want to target.
The Device Whitelist contains domain names or IP addresses of sites that are deemed to be acceptable.
If the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can
manually enter them into a static whitelist. Static whitelist entries take precedence over entries in the
static blacklist and the Cisco dynamic database. Whitelisted addresses still generate syslog messages,
but because you are only targeting blacklist syslog messages, they are informational.
To configure the static database:
Click the Add Row button to define static database entries using the Device Whitelist or Device
Blacklist Dialog Box, page 17-15.
Select an entry and click the Edit Row button to edit an existing entry.
Timesaver Select an entry and press F2 or double-click on an entry in the Device Whitelist or Device Blacklist to
edit that entry in place.
Select an entry and click the Delete Row button to delete it.
Navigation Path
From the Botnet Traffic Filter Rules Page, page 17-9, click the Whitelist/Blacklist tab.
Related Topics
Adding Entries to the Static Database, page 17-5
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Device Whitelist or Device Blacklist Dialog Box, page 17-15
Botnet Traffic Filter Rules Page, page 17-9
Dynamic Blacklist Configuration Tab, page 17-10
Traffic Classification Tab, page 17-11
Navigation Path
From the Whitelist/Blacklist Tab, page 17-15, click the Add Rows button beneath the Device Whitelist
or Device Blacklist tables, or select an entry and click the Edit Row button.
Related Topics
Adding Entries to the Static Database, page 17-5
Understanding Botnet Traffic Filtering, page 17-1
Task Flow for Configuring the Botnet Traffic Filter, page 17-3
Botnet Traffic Filter Rules Page, page 17-9
Dynamic Blacklist Configuration Tab, page 17-10
Traffic Classification Tab, page 17-11
BTF Enable Rules Editor, page 17-12
BTF Drop Rules Editor, page 17-13
Whitelist/Blacklist Tab, page 17-15
Configure DNS Dialog Box, page 15-16
The Zone-based Firewall feature (also known as Zone-based Policy Firewall) allows unidirectional
application of IOS firewall policies between groups of interfaces known as zones. That is, interfaces
are assigned to zones, and firewall rules are applied to specific types of traffic moving in one direction
between the zones. Zone-based firewalls enforce a secure inter-zone policy by default, meaning traffic
cannot pass between security zones until an explicit policy allowing that traffic is defined.
The zone itself is an abstractionmultiple interfaces with the same or similar security requirements
that can be logically grouped together. For example, router interfaces Ethernet 0/0 and Ethernet 0/1
might be connected to the local LAN. When viewed from a firewall perspective, these two interfaces are
similar in that they represent the internal network, and they can be grouped into a single zone for the
purposes of firewall configuration. Then you can specify firewall policies between that and other zones.
These inter-zone policies offer considerable flexibility and granularity, so different inspection policies
can be applied to multiple host groups connected to the same router interface.
Note The zone-based firewall feature is supported on IOS devices running 12.4(6)T or later, and ASR devices
running 12.2(33) or later.
A Simple Example
A security zone should be configured for each region of similar security within the network, so that all
interfaces assigned to the same zone are protected with a similar level of security. For example, consider
an access router with three interfaces:
One interface is connected to the public Internet
One interface is connected to a private LAN that must not be accessible from the public Internet
One interface is connected to an Internet-service demilitarized zone (DMZ), where a Web server,
Domain Name System (DNS) server, and e-mail server must have access to the public Internet
Each interface in this network would be assigned to its own zone, as shown in the following figure.
DMZ
Private Internet
193017
This example configuration typically would have three main policies (sets of rules) defining:
Private zone connectivity to the Internet
Private zone connectivity to DMZ hosts
Internet zone connectivity to DMZ hosts
Zone-based firewalls impose a prohibitive default security posture. In other words, for example, unless
the DMZ hosts are specifically allowed access to other networks, those networks are protected against
any undesired connections from the DMZ hosts. Similarly, unless access is specifically provided for
Internet hosts to access the Private zone directly, the Private zone hosts are safe from unwanted access
by Internet hosts.
In this simple example, each zone has only one member interface. If an additional interface is added to
the Private zone, for example, the hosts connected to that new interface can immediately pass traffic to
all hosts connected to the existing interface in the zone. Additionally, traffic to hosts in other zones is
immediately controlled by existing Private zone policies.
In a more realistic example, you might allow varied access from the public Internet to specific hosts in
the DMZ, and varied application-use policies for hosts in the protected LAN.
This chapter contains the following topics:
Understanding the Zone-based Firewall Rules, page 18-3
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules,
page 18-7
Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules,
page 18-10
General Recommendations for Zone-based Firewall Rules, page 18-11
Developing and Applying Zone-based Firewall Rules, page 18-12
Adding Zone-Based Firewall Rules, page 18-12
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Changing the Default Drop Behavior, page 18-46
Configuring Settings for Zone-based Firewall Rules, page 18-47
Troubleshooting Zone-based Rules and Configurations, page 18-52
Zone-based Firewall Rules Page, page 18-56
Logging
Zone-based firewall rules offer syslog, alert, and audit-trail logging options. Most messages are logged
to the router console unless a syslog server is configured. See Logging on Cisco IOS Routers, page 55-1
for information about configuring syslog logging.
Important Points
Please note the following points regarding zones and zone-based firewall rules:
Zone-based firewall rules are supported only for IOS versions 12.4(6)T or later.
If a zone-based firewall rule and an IOS Inspection rule use the same interface, an error results.
The zone-based firewall model and the earlier interface-based inspection rules model are not
mutually exclusive on the router, but they cannot be combined on any given interface. That is, an
interface cannot be configured as a member of a security zone if it is configured with Inspection
rules. Further, configuring a router to use both models at the same time is not recommended.
An interface can be assigned to only one security zone, but zones can include multiple interfaces. If
an interface is assigned to more than one zone, an error results.
All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone
(except traffic to and from other interfaces in the same zone, and traffic to any interface on the
router). Thus, to permit traffic to and from a zone-member interface, one or more rules allowing or
inspecting traffic must be configured between that zone and any other zone.
Traffic is implicitly allowed to flow between interfaces that are members of the same zone. However,
you can define rules that require inspection of traffic between same-zone members.
The Self zone is a default zone that defines the router itself as a separate security zone, which you
can specify as either the source or destination zone. The Self zone is the only exception to the default
deny all policy. All traffic to any router interface is allowed until explicitly denied.
A zone-based firewall rule that includes the Self zone applies to local trafficthat is, traffic directed
to the router, or to traffic generated by the router; it does not apply to traffic through the router. See
The Self Zone, page 18-5 for more information.
The Inspect action is not allowed in rules that apply to the Self zone.
The Pass action permits traffic in one direction only. You must explicitly define rules for
return traffic. However, with the Inspect action, return traffic is automatically allowed for
established connections.
Traffic cannot flow between a zone-member interface and any interface that is not a zone member.
Interfaces that have not been assigned to a zone can still function as classical router ports and might
still have other types of firewall rules configured on them.
However, if an interface is not part of your zone-based firewall policy, it might still be necessary to
add that interface to a zone and configure a pass all policy (sort of a dummy policy) between
that zone and any other zone to which inter-zone traffic flow is desired.
Access-control list (ACL) rules applied on interfaces that are also zone members are processed
before the zone rules are applied. Therefore, to continue using both rule types, it may be necessary
to relax the interface ACLs to ensure certain traffic flows are processed by the zone-based rules.
All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance.
Zone-based rules can be configured between zones whose member interfaces are in separate VRFs.
However, if traffic cannot flow between these VRFs, these rules will never be executed. See Zones
and VRF-aware Firewalls, page 18-6 for more information.
Zones are defined using Interface Role objects. If you change the definition of an interface role that
you are using for a zone, you are changing the zone, which can affect existing traffic flows. In
addition, if you use wildcards in the interface role to specify an interface name pattern, be aware that
interfaces may automatically be added to the zone when you create new interfaces on the router.
If zone-based firewall rules contain conflicting zone information, the first rule defined in the table
takes precedence. Rules that do not reference valid zones are not deployed and an activity validation
warning is shown.
Empty zones result in activity validation errors for certain devices; refer to the following
restriction lists.
Source and destination zones cannot be the same for certain devices; refer to the following
restriction lists.
ASR Restrictions
The following are restrictions specific to ASR devices:
Deep Packet Inspection (DPI) is not allowed.
Source and destination zones can be the same. This is possible because intra-zone traffic inspection
is allowed.
Content (URL) Filtering is not allowed.
Only certain protocols are supported, such as DNS, FTP, H.323, ICMP, RTSP, SIP, Skinny, TCP,
TFTP, and UDP.
ISR Restrictions
The following are restrictions specific to ISR devices:
Empty zones cannot exist.
Source and destination zones cannot be the same.
Related Topics
The Self Zone, page 18-5
Using VPNs with Zone-based Firewall Policies, page 18-6
Zones and VRF-aware Firewalls, page 18-6
Configuring Settings for Zone-based Firewall Rules, page 18-47
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules,
page 18-7
Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules,
page 18-10
General Recommendations for Zone-based Firewall Rules, page 18-11
Developing and Applying Zone-based Firewall Rules, page 18-12
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Zone vrf_A
Firewall
Router
Zone vrf_B_1 Zone common
Zone vrf_B_2
146618
Zone Z1
In this illustration:
The interface providing common services is a member of the zone common.
All of VRF A is in a single zone, vrf_A.
VRF B, which has multiple interfaces, is partitioned into two zones vrf_B_1 and vrf_B_2.
Zone Z1 does not have VRF interfaces.
Based on this configuration:
You can specify policies between each of these zones and the common zone. Additionally, you can
specify polices between each of the zones vrf_A, vrf_B_n and Z1 if VRF route export is configured
and the traffic patterns make sense.
You can configure a policy between zones vrf_A and vrf_B_1, but be sure that traffic can flow
between them.
You do not need to specify the global thresholds and timers on a per-VRF basis. Instead, parameters
are supplied to the Inspect action through a parameter map.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Tip: Essentially all of your zone-based rules should be Permit rules. This is the easiest
configuration to understandit means you are identifying the traffic to which you want the
chosen Action applied.
Deny Exempts the traffic defined by the Source, Destination, and Services fields. (If protocols
are listed in the Protocols table, the exemption is further limited to those protocols.) In other
words, treat the traffic as not matching the rule. Instead, evaluate subsequent class maps (which
are not the same as zone rules) for the zone pair and look for a subsequent map that matches the
traffic. If no subsequent map matches the traffic, apply the default rule to the traffic (see
Changing the Default Drop Behavior, page 18-46).
It is important to understand that there is not a one-to-one relationship between zone rules and
class maps. Therefore, you cannot determine just by looking at the rules table how the rules will
be converted to class maps. You must preview the configuration to see which subsequent rules
might be applied to traffic that matches your Deny rule. (To preview the configuration, save your
changes and select Tools > Preview Configuration. For more information, see Previewing
Configurations, page 8-42.)
In general, you might use a Deny rule to exempt a specific IP address within a subnet from a
Permit rule you want to apply to the subnet in general; for example, exempting 10.100.10.1 from
a rule applying to 10.100.10.0/24. However, it is much easier to create a Permit rule for the
specific IP address and apply a desired Action, and ensure that the rule is listed above the
general rule in the zone-based rules table.
If you decide to use Deny rules, be sure to also read Troubleshooting Zone-based Rules and
Configurations, page 18-52.
ActionThe Action parameters define what happens to traffic that matches a Permit rule. These
parameters are ignored for Deny rules, except to determine to which class map the rule is added.
When you create a Permit rule, traffic that matches the Source, Destination, Services, and Protocol
fields is processed according to the Action you choose: drop the traffic (and optionally log it), pass
the traffic (and optionally log it), inspect the traffic, or apply content filtering (for Web traffic only).
When you inspect traffic for some protocols, or perform content filtering, you have the option of
specifying a policy map to use for deep inspection. The deep inspection policy map also specifies
actions based on the deeper characteristics of the traffic. This additional inspection applies to
packets that meet the requirements of the class map to which the assigned policy map refers. Packets
that do not match the deep inspection class map are allowed. Thus, deep inspection might reset TCP
connections if the policy map specifies that action.
The following table illustrates the relationship between Permit/Deny and the chosen Action in a
zone-based firewall rule. The table uses the TCP service as an example, but the general explanation
applies to the IP service as well. The result applies only to the From and To zones specified in the rule.
Permit /
Deny Service Rule Action Protocol Result
Permit TCP Pass (None) Pass all TCP traffic.
Deny TCP Pass (None) Skip the rule and evaluate the next class map.
Either a subsequent class map with a Permit rule
is applied, or the class default rule is applied.
The Pass action is ignored.
Permit TCP Drop (None) Drop all TCP traffic.
Table 18-1 Relationship Between Permit/Deny and Action in Zone-based Rules (Continued)
Permit /
Deny Service Rule Action Protocol Result
Deny TCP Drop (None) Skip the rule and evaluate the next class map.
Either a subsequent class map with a Permit rule
is applied, or the class default rule is applied.
The Drop action is ignored.
Permit TCP Pass DNS Only DNS traffic passes. Other TCP traffic is
handled by subsequent rules.
Permit TCP Drop DNS DNS traffic is dropped. Other TCP traffic is
handled by subsequent rules.
Deny TCP Pass DNS Skip the rule for DNS traffic and evaluate the
next class map. Either a subsequent class map
with a Permit rule is applied, or the class
default rule is applied.
The Pass action is ignored.
Deny TCP Drop DNS Skip the rule for DNS traffic and evaluate the
next class map. Either a subsequent class map
with a Permit rule is applied, or the class
default rule is applied.
The Drop action is ignored.
Permit TCP Inspect HTTP Allow and inspect HTTP traffic. If you
specify a policy map for deep inspection,
the action from the policy map is applied to
any packets that match deep inspection
parameters (for example, reset the connection
for protocol violations).
Deny TCP Inspect HTTP Skip the rule for HTTP traffic and evaluate the
next class map. Either a subsequent class map
with a Permit rule is applied, or the class
default rule is applied.
The Inspect action is ignored.
Tip If subsequent rules, or the class
default, pass the traffic without
inspection, you need to create a
Permit/Pass rule in the other direction
(or an access rule) to allow return
traffic for the HTTP connection. If
your intention is to prohibit HTTP
connections, create a Permit/Drop rule
instead of a Deny/Inspect rule.
Table 18-1 Relationship Between Permit/Deny and Action in Zone-based Rules (Continued)
Permit /
Deny Service Rule Action Protocol Result
Permit TCP Content HTTP Allow and inspect HTTP traffic, and apply
Filter URL filtering maps to selectively permit or
deny Web connections based on the Web
sites requested.
If you specify a policy map for deep
inspection, the action from the policy map is
applied to any packets that match deep
inspection parameters (for example, reset the
connection for protocol violations).
Thus, traffic can be dropped either because the
Web site is blacklisted, or because the HTTP
packets violate your deep inspection rules.
Deny TCP Content HTTP Skip the rule for HTTP traffic and evaluate the
Filter next class map. Either a subsequent class map
with a Permit rule is applied, or the class
default rule is applied.
The Content Filter action is ignored.
Tip This type of rule can exempt the
specified source/destination from
content filtering if no subsequent class
maps drop the traffic or apply content
filtering. However, if you want to allow
HTTP connections for this traffic, you
must create a Permit/Inspect rule for
the traffic.
Protocol The Protocol table, in the Action area of the Add and Edit Zone Based Rule dialog boxes,
is used to select one or more protocols, add custom port application mappings (if you specify
non-default ports), and apply deep inspection policy maps. You can specify very specific protocols,
such as DNS, general protocols such as TCP and UDP, and even custom protocols that identify ports
you use for special applications.
As a general rule, leave Services set to IP and use the Protocol table to identify the protocols (which are
also services) for all of your zone-based rules for the Drop, Pass, and Inspect actions. (The Content Filter
action automatically uses the HTTP protocol, which you can configure but not change.) Following this
approach will create a configuration that is as clean and easy to interpret (and troubleshoot) as possible.
For more detailed information on how these fields are used when generating device configurations, see
Troubleshooting Zone-based Rules and Configurations, page 18-52.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Configuring Settings for Zone-based Firewall Rules, page 18-47
Understanding Map Objects, page 6-60
Enabling and Disabling Rules, page 12-17
Adding and Removing Rules, page 12-8
Moving Rules and the Importance of Rule Order, page 12-16
Step 1 Access the Zone-based Firewall Rules Page, page 18-56 as follows:
(Device view) Select an IOS router and then select Firewall > Zone Based Firewall Rules from the
Policy selector.
(Policy view) Select Firewall > Zone Based Firewall Rules from the Policy Type selector. Select
an existing policy or create a new one.
Step 2 Click the Add Row button below the rules table, or right-click anywhere inside the table, and choose
Add Row to open the Add Zone Based Firewall Rule dialog box.
Refer to Adding and Editing Zone-based Firewall Rules, page 18-58 for a complete description of this
dialog box.
Step 3 Define the base Traffic flow for this rule.
Note Together, the Permit/Deny, Sources, Destinations, and Services options can be thought of as
defining a simple access rule that can be enhanced by the application of in-depth Action-related
policies, and restricted to a specific direction between a specific pair of zones.
a. Choose whether to Permit or Deny further processing of traffic that matches this rule. See
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules,
page 18-7 for more information.
b. Optionally, provide Source and Destination hosts/networks.
By default, the traffic definition encompasses packets from any source, to any destination.
You can use these fields to refine this base traffic definition by providing one or more source
and destination hosts/networks. (Refer Understanding Network/Host Objects, page 6-62 to for
more information.)
c. Specify one or more Services (protocols) that indicate the type of traffic; for example, IP, TCP, etc.
You can provide more than one Service; however, IP generally stands alone. (See Understanding and
Specifying Services and Service and Port List Objects, page 6-69.)
d. Provide the From Zone; that is, the only zone from which matched traffic can originate.
e. Provide the To Zone; that is, the only zone to which matched traffic can flow.
Refer to Understanding Interface Role Objects, page 6-55 for more information about
zone/interface objects.
Note Together, the From Zone and the To Zone constitute what is sometimes referred to as a
zone-pair.
Drop and Log Matching traffic is dropped and a syslog message generated; no notification of
the drop is sent to the originating host.
Pass Traffic is forwarded. This action is unidirectional; Pass allows traffic in only the
specified direction.
Pass and Log Traffic is forwarded and a syslog message generated.
Note The Pass actions do not track the state of connections or sessions within the traffic. Pass
only allows the traffic in one direction. A corresponding rule must be defined to allow
return traffic. The Pass actions are useful for protocols such as IPSec ESP, IPSec AH,
ISAKMP, and other inherently secure protocols with predictable behavior. However,
most application traffic is better handled in the zone-based firewall rules with the
Inspect action.
Inspect This option offers state-based traffic controlthe device maintains connection or
session information for TCP and UDP traffic, meaning return traffic in reply to connection
requests is permitted.
Choose this option to apply packet inspection based on your selected Layer 4 (TCP, UDP) and Layer
7 (HTTP, IMAP, instant messaging, and peer-to-peer) protocols. You also can edit the Port
Application Mapping (PAM) settings for the selected protocols, and you can set up deep packet
inspection (DPI) and provide additional protocol-related information for the Layer 7 protocols.
Content Filter Lets you configure HTTP content inspection (URL filtering) based on a
WebFilter parameter map, or a WebFilter policy map. This action is generally equivalent to a
Web Filter rule; however, zone-based firewall rules support additional advanced options, such
as HTTP deep packet inspection (DPI).
The router intercepts HTTP requests, performs protocol-related inspection, and optionally contacts
a third-party server to determine whether the requests should be allowed or blocked. You can provide
a WebFilter parameter map, which defines filtering based on local URL lists, as well as information
from an external SmartFilter (previously N2H2) or Websense server. Alternately, you can provide a
WebFilter policy map that accesses Local, N2H2, Websense, or Trend Micro filtering data.
b. For any Action except Content Filter, you can select and edit the specific traffic Protocol(s) to
be considered:
Click Select next to the Protocol table to open the Protocol Selector Dialog Box, page 18-62. Select
one or more protocols and click >> to move them to the Selected Protocol list. You can edit the Port
Application Mapping (PAM) settings for the selected protocols; see Configure Protocol Dialog Box,
page 18-63 for more information.
The Instant Messaging and Stun-ice protocols also allow selection of Protocol Info parameter maps.
Further, when Inspect is the chosen Action, some protocols allow selection of deep-inspection
policy maps.
See Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15, and Configuring
Protocol Info Parameter Maps, page 18-31 for more information.
Note It is not necessary to specify protocols for the Drop, Drop and Log, Pass, and Pass and Log
actions. You can leave the Protocol table empty and pass or drop traffic based on the Sources,
Destinations, and Services parameters.
c. When the chosen Action is Content Filter, configure the URL filtering:
1. Click Configure next to the Protocol field to customize the HTTP PAM settings, and to apply
an HTTP deep-inspection policy map. See the Configure Protocol Dialog Box, page 18-63 for
more information
2. Select either WebFilter Parameter Map, or WebFilter Policy Map, and enter or Select the name of
the appropriate WebFilter map. See Configuring Content Filtering Maps for Zone-based
Firewall Policies, page 18-34 for more information.
d. When the chosen Action is Inspect or Content Filter, you can enter or Select the name of an Inspect
Parameter map to apply a customized set of connection, timeout, and other settings. See Configuring
Inspect Parameter Maps, page 18-28 for more information.
Step 5 (Optional) Enter a description to help you identify the rule.
Step 6 (Optional) Under Category, select a category to help you identify this rule in the rules table. See Using
Category Objects, page 6-9.
Step 7 Click OK to close the Add Zone Based Firewall Rule dialog box and return to the Zone Based Firewall
Rules table.
The new rule is listed in the table.
Minimum
IOS
Software Policy Parameter
Protocol Version Map Class Map Map Description and Match Criteria Reference
Instant Messaging: 12.4(9)T IM (Zone AOL Protocol Inspect traffic based on the type of service
AOL, ICQ, based Info (text-chat or any other). See Zone-based Firewall
ICQ
MSN Messenger, IOS) IM Application Class Maps: Add or Edit Match
Windows MSN Condition Dialog Boxes, page 18-19.
Messenger, Messenger
You must also select a Protocol Info parameter map
Yahoo Messenger Windows to define the DNS servers used by the traffic you
Messenger are inspecting. See Configuring Protocol Info
Yahoo Parameter Maps, page 18-31.
Messenger
Peer-to-peer (P2P): 12.4(9)T P2P eDonkey None Inspect traffic based on file name. See Zone-based
eDonkey, FastTrack, Firewall P2P Application Class Maps: Add or Edit
FastTrack
Gnutella, Kazaa2 Match Condition Dialog Boxes, page 18-19.
Gnutella
Kazaa2
H.323 12.4(6)T H.323 H.323 None Inspect traffic based on the H.323 message type.
(IOS) (IOS) See H.323 (IOS) Class Maps Add or Edit Match
Criterion Dialog Boxes, page 18-20.
HTTP 12.4(6)T HTTP HTTP None Inspect traffic based on a wide variety of criteria
(Zone (IOS) including the content of the header or body, port
based misuse, and whether the traffic includes a Java
IOS) applet. See HTTP (IOS) Class Add or Edit Match
Criterion Dialog Boxes, page 18-20.
IMAP (Internet 12.4(6)T IMAP IMAP None Inspect traffic based on invalid commands or
Message Access POP3 POP3 clear-text logins. See IMAP and POP3 Class Maps
Protocol) Add or Edit Match Criterion Dialog Boxes,
POP3 (Post Office page 18-22.
Protocol 3)
SIP (Session 12.4(6)T SIP (IOS) SIP (IOS) None Inspect traffic based on a wide variety of criteria.
Initiation Protocol) See SIP (IOS) Class Add or Edit Match Criterion
Dialog Boxes, page 18-23.
SMTP (Simple Mail 12.4(6)T SMTP SMTP None Inspect traffic based on data length. See SMTP
Transfer Protocol) Class Maps Add or Edit Match Criterion Dialog
Boxes, page 18-24.
Stun-ice 12.4(9)T None None Protocol You must select a Protocol Info parameter map to
Info define the DNS servers used by the traffic you are
inspecting. See Configuring Protocol Info
Parameter Maps, page 18-31.
Sun RPC (Remote 12.4(6)T Sun RPC Sun RPC None Inspect traffic based on the RPC protocol number.
Procedure Call) See Sun RPC Class Maps Add or Edit Match
Criterion Dialog Boxes, page 18-27.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Zone-based Firewall Rules Page, page 18-56
Creating Policy Objects, page 6-6
Understanding Map Objects, page 6-60
Navigation Path
Select Tools > Policy Object Manager, then select any zone-based class map object in the folders in the
Maps > Class Maps folder in the table of contents. Right-click inside the work area, then select New
Object, or right-click a row, then select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-3 Add or Edit Class Maps Dialog Boxes for Zone-Based Firewall Policies
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Match table The Match table lists the criteria included in the class map. Each row
indicates whether the inspection is looking for traffic that matches or does
Match Type
not match each criterion and the criterion and value that is inspected.
(Except for Trend
Content Filter The name of the table indicates whether every one of the criteria must be met
class maps.) for the traffic to match the class (Match All), or whether matching any of the
listed criteria is sufficient (Match Any). For the HTTP (IOS) and SMTP
classes, you can choose whether to match all or any. When using a Match All
table, if you add more than one criteria, ensure that you are not defining a set
of characteristics that no traffic can match.
Tip Match All works for devices running Cisco IOS Software version
12.4(20)T or higher only.
To add a criterion, click the Add button and fill in the Match Criterion
dialog box. For more information, see the topics referenced above.
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Trend Content Filter The match criteria for Trend Content Filter class maps differs from that of
Match Criteria all other class maps. Instead of adding items to a table, you simply select the
items you want from a list. Select the Enable checkbox for any of the
Trend-Micro classifications on the following tabs. Traffic matches the class
if it matches any of your selections.
Productivity CategoriesMatches the traffic to the category to which
the URL belongs. For example, you can target traffic associated with
gambling or pornography.
Security RatingsMatches the traffic to the security rating assigned to
it by Trend-Micro. For example, you can target adware, which is traffic
associated with advertising.
See the Trend-Micro documentation for specific information on these
categories or security classifications.
Table 18-3 Add or Edit Class Maps Dialog Boxes for Zone-Based Firewall Policies (Continued)
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Zone-based Firewall IM Application Class Maps: Add or Edit Match Condition Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the various instant messenger (IM) application
classes used with zone-based firewall policies to define a match criterion and value for the class map.
You can define a match for the following types of traffic:
AnyAny type of traffic from the application except text chat traffic.
Text-chatText chat traffic.
Navigation Path
From the Add or Edit Class Maps dialog boxes for AOL, ICQ, MSN Messenger, Windows Messenger,
or Yahoo Messenger classes, right-click inside the table and select Add Row or right-click a row and
select Edit Row. See Configuring Class Maps for Zone-Based Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Zone-based Firewall P2P Application Class Maps: Add or Edit Match Condition Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the various peer-to-peer (P2P) application classes
used with zone-based firewall policies to define a match criterion and value for the class map.
Navigation Path
From the Add or Edit Class Maps dialog boxes for eDonkey, FastTrack, Gnutella, or Kazaa2 classes,
right-click inside the table and select Add Row, or right-click a row and select Edit Row. See
Configuring Class Maps for Zone-Based Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-4 Zone-based Firewall P2P Application Class Maps Add or Edit Match Condition Dialog
Boxes
Element Description
Criterion Choose which criterion to match:
File Transfer Matches file-transfer traffic.
Search Filename Matches the names of files for which the user is
searching. You can use this criterion to block users from searching for
particular files using eDonkey.
Text Chat Matches eDonkey text chat traffic.
Type Specifies that the map includes traffic that matches the criterion.
File Name The name of the file associated with the traffic. You can use regular
expressions to specify a name pattern. For information on the metacharacters
you can use to build regular expressions, see Metacharacters Used to Build
Regular Expressions, page 15-78.
Tip eDonkey does not require a file name.
H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the H.323 (IOS) class used with zone-based
firewall policies to define a match criterion and value for the class map. You can match traffic based on
the H.323 protocol message type. Select the message that you want to match.
Navigation Path
From the Add or Edit Class Maps dialog boxes for the H.323 (IOS) class, right-click inside the table and
select Add Row or right-click a row and select Edit Row. See Configuring Class Maps for Zone-Based
Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Request/Response Header, Request Header, Response HeaderYou can match a regular expression
against the header, test for repeated fields, check the content type, or check the total length or
number of records in the header.
Request/Response Protocol ViolationMatches non-compliant HTTP traffic.
Request Argument, Request URIMatches the length or content (with a regular expression) of the
argument (parameters) or uniform resource identifier (URI) in a request message.
Request Port MisuseMatches the misuse of ports by certain types of applications.
Response Body Java AppletMatches Java applets in an HTTP connection.
Response Header Status LineApplies a regular expression to match the content of the status line
in the header.
Navigation Path
From the Add or Edit Class Maps dialog boxes for the HTTP (IOS) class, right-click inside the table and
select Add Row or right-click a row and select Edit Row. See Configuring Class Maps for Zone-Based
Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-5 HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes
Element Description
Criterion Specifies which criterion of HTTP traffic to match. The criteria are
described above.
Type Specifies that the map includes traffic that matches the criterion.
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Less Than Length The minimum length in bytes of the evaluated field. The criterion matches if
the length is less than the specified number.
Greater Than Length The maximum length in bytes of the evaluated field. The criterion matches
if the length is greater than the specified number.
Header Option The type of header record. If you do not select a record type, the count or
expression is applied to all records in the header. If you select a record type,
those selections are applied only to the records of the selected type. If you
select content type or transfer encoding, you can make additional selections
related to those types.
Request Method The request method you want to match.
Table 18-5 HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes (Continued)
Element Description
Value (Content Type) If you select content-type in the Header Option field, you can select
these types:
MismatchVerifies the content-type of the response message against
the accept field value of the request message.
UnknownThe content type is not known. Select Unknown when you
want to evaluate the item against all known MIME types.
ViolationThe content-type definition and the content type of the
actual body do not match.
Encoding Type If you select transfer encoding in the Header Option field, you can select
these types:
AllAll of the transfer encoding types.
ChunkedThe message body is transferred as a series of chunks; each
chunk contains its own size indicator.
CompressThe message body is transferred using UNIX file compression.
DeflateThe message body is transferred using zlib format (RFC 1950)
and deflate compression (RFC 1951).
GZIPThe message body is transferred using GNU zip (RFC 1952).
IdentityNo transfer encoding is performed.
Greater Than Count The maximum number of records allowed in the header. If you select a
specific header option, the count applies to those types of records. If you do
not select a specific header option, the count applies to the total number of
records in the header without regard to type.
Regular Expression The regular expression object that defines the regular expression you want to
use for pattern matching. Enter the name of the object. You can click Select
to choose the object from a list of existing ones or to create a new regular
expression object.
Port Misuse The type of request port misuse you want to match. Your options are:
AnyAny of the listed types of misuse.
IMInstant messaging protocol applications subject to inspection.
P2PPeer-to-peer protocol applications subject to inspection.
TunnelingTunneling applications subject to inspection:
HTTPPort/HTTPHost.
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the Internet Message Access Protocol (IMAP) and
Post Office Protocol 3 (POP3) classes used with zone-based firewall policies to define a match criterion
and value for the class map.
You can select the following criteria to identify matching traffic:
Invalid CommandMatches commands that are not valid on a POP3 server or IMAP connection.
Login Clear TextMatches non-secure logins, where the password is being provided in clear text.
Navigation Path
From the Add or Edit Class Maps dialog boxes for the IMAP or POP3 classes, right-click inside the table
and select Add Row or right-click a row and select Edit Row. See Configuring Class Maps for
Zone-Based Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Navigation Path
From the Add or Edit Class Maps dialog boxes for the SIP (IOS) class, right-click inside the table and
select Add Row or right-click a row and select Edit Row. See Configuring Class Maps for Zone-Based
Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-6 SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes
Element Description
Criterion Specifies which criterion of traffic to match. You can select from
the following:
Protocol ViolationMatches traffic that violates the protocol.
Request/Response Header OptionsMatches a regular expression
against the selected request or response header field.
Request OptionsMatches the request method or matches a regular
expression against the selected request header field.
Response OptionsMatches a regular expression against the selected
response header field or status message.
Type Specifies that the map includes traffic that matches the criterion.
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Header The type of header in the request or response message. The regular
expression is matched against the content of headers of the selected type.
Table 18-6 SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes (Continued)
Element Description
Method The request method you want to inspect:
ackAcknowledges that the previous message is valid and accepted.
byeSignifies the intention to terminate a call.
cancelTerminates any pending request.
infoCommunicates mid-session signaling information along the
signaling path for the call.
inviteSets up a call.
messageSends an instant message.
notifyInforms subscribers of state changes.
optionsQueries the capabilities of another user agent or a proxy server.
prackProvides reliable transfer of provisional response messages.
referIndicates that the recipient should contact a third party using the
contact information provided in the request.
registerIncludes a contact address to which SIP requests for the
address-of-record should be forwarded.
subscribeRequests notification of an event or set of events at a
later time.
updatePermits a client to update parameters of a session but has no
impact on the state of a dialog.
Status The regular expression is matched against the status line in the response.
Regular Expression The regular expression object that defines the regular expression you want to
use for pattern matching. Enter the name of the object. You can click Select
to choose the object from a list of existing ones or to create a new regular
expression object.
Tip Only the Data Length criterion is available for routers running Cisco IOS Software lower than 12.4(20)T.
The fields on this dialog box change based on the criterion you select. You can use the following criteria:
Data LengthSpecifies that the data length of the traffic is greater than the specified number. You
can match the data length of the traffic to determine if the data transferred in an SMTP connection
exceeds the specified length in bytes. By default, inspection keeps data length below 20.
Body Regular ExpressionApplies a regular expression to match the content types and content
encoding types for text and HTML in the body of an e-mail message. Only text or HTML that uses
7-bit or 8-bit encoding is checked. The regular expression cannot be scanned in messages that use
another encoding type (such as base64 or zip files).
Command Line LengthSpecifies that the length of the ESMTP command line not be greater than
the specified number. Use this to thwart Denial of Service (DoS) attacks.
Command VerbLimits inspection to the selected SMTP or ESMTP command. If you configure
inspection for SMTP, all commands are inspected unless you limit them.
Header LengthSpecifies that the length of the SMTP header is greater than the specified number.
Use this to thwart DoS attacks by limiting the possible size of the header.
Header Regular ExpressionApplies a regular expression to match the content of the header of an
e-mail message. For example, you can use this to test for particular patterns in the subject, from, or
to fields.
Mime Content-Type Regular ExpressionApplies a regular expression to match the Multipurpose
Internet Message Exchange (MIME) content type of an e-mail attachment. Use this to prevent the
transmission of undesired types of attachments.
Mime EncodingSpecifies the MIME encoding type for e-mail attachments that you want to inspect.
You can use this to identify unknown or non-standard encodings to restrict their transmission.
Recipient AddressApplies a regular expression to match the recipient of an e-mail message in the
SMTP RCPT command. Use this to search for a non-existent recipient, which might help you
identify the source of spam.
Recipient CountSpecifies that the number of recipients for an e-mail message cannot be greater
than the specified number. Use this to prevent spammers from sending e-mails to a large number
of users.
Recipient Invalid CountSpecifies that the number of invalid recipients for an e-mail message
cannot be greater than the specified number. Use this prevent spammers from sending e-mails to a
large number common names, where they are fishing for real addresses. SMTP typically replies with
a no such address message when an address is invalid; by putting a limit on the number of invalid
addresses, you can prevent these replies to spammers.
Reply EHLOSpecifies the service extension parameter in an EHLO server reply. Use this to
prevent a client from using a particular service extension.
Sender AddressApplies a regular expression to match the sender of an e-mail message. Use this to
block specific senders, such as known spammers, from sending e-mail messages through the device.
Navigation Path
From the Add or Edit Class Maps dialog boxes for SMTP classes, right-click inside the table and select
Add Row or right-click a row and select Edit Row. See Configuring Class Maps for Zone-Based
Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-7 SMTP Class Add or Edit Match Criterion Dialog Boxes
Element Description
Criterion Specifies which criterion of SMTP traffic to match. The criteria are
described above.
Type Specifies that the map includes traffic that matches the criterion.
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the
fields you might see.
Greater Than Length The maximum length in bytes of the evaluated field. The criterion
matches if the length is greater than the specified number.
Greater Than Count The maximum number of recipients or invalid recipients allowed in the
e-mail message. The criterion matches if the number is greater than the
specified number.
Verb Option The SMTP or ESMTP command that you want to inspect. If you select
User Defined, you must enter the text string that corresponds to a word
User Defined Format
in the body of the e-mail message. The word cannot include spaces or
(For the Command special characters; only alphanumeric characters.
Verb criterion.)
Service Extension Parameter The service extension parameter of an EHLO server reply that you want
to inspect. Select one of the well-known parameters, or select User
User Defined Format
Defined to specify a private extension in the User Defined Format field.
(For the Reply
EHLO criterion.
Encoding Format The MIME encoding format for which you want to test. Encoding
User Defined Format types are:
7-bitASCII encoding.
8-bitUsed for the exchange of e-mail messages containing octets
outside the 7-bit ASCII range.
base64Encodes binary data by treating it numerically and
translating it into a base 64 representation.
quoted-printable-Encoding that uses printable characters to
transmit 8-bit data over a 7-bit data path.
binaryEncodes using only 0 and 1.
unknownEncoding type is not known.
x-uuencode-Nonstandard encoding.
user definedAn encoding type you define. If you select User
Defined, you must enter the text string that defines the encoding
type you are looking for.
Regular Expression The regular expression object that defines the regular expression you
want to use for pattern matching. Enter the name of the object. You can
click Select to choose the object from a list of existing ones or to create
a new regular expression object.
Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the Sun Remote Procedure Call (RPC) classes used
with zone-based firewall policies to define a match criterion and value for the class map. You can enter
the RPC protocol number that you want to match. See the Sun RPC documentation for information about
protocol numbers.
Navigation Path
From the Add or Edit Class Maps dialog boxes for Sun RPC classes, right-click inside the table and
select Add Row or right-click a row and select Edit Row. See Configuring Class Maps for Zone-Based
Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the Local web filter class to define a match
criterion and value for the class map.
Navigation Path
From the Add or Edit Class Maps dialog boxes for the Local web filter class, right-click inside the table
and select Add Row or right-click a row and select Edit Row. See Configuring Class Maps for
Zone-Based Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-8 Local Web Filter Class Add or Edit Match Criterion Dialog Boxes
Element Description
Criterion Specifies which criterion of traffic to match. You can select from the following:
Server DomainMatches traffic based on the name of the server. The
URLF Glob parameter map you select should specify server domain names
such as *.cisco.com or www.cisco.com.
URL KeywordMatches traffic based on keywords in the URLs. A key
word is any complete string that occurs between / characters in a URL. For
example, in the URL segment www.cisco.com/en/US, en and US are
examples of keywords.
Type Specifies that the map includes traffic that matches the criterion.
Table 18-8 Local Web Filter Class Add or Edit Match Criterion Dialog Boxes (Continued)
Element Description
URLF Glob The URLF Glob parameter map object that defines the URL patterns that you
Parameter Map want to match. Ensure that the object you select has the appropriate content for
the type of matching you selected.
Enter the name of the object. You can click Select to choose the object from a
list of existing ones or to create a new object.
N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes
Use the Add or Edit Match Criterion dialog boxes for the N2H2 (SmartFilter) and Websense web filter
classes to define a match criterion and value for the class map. The only match criterion available is to
match any response from the SmartFilter or Websense server.
Navigation Path
From the Add or Edit Class Maps dialog boxes for the N2H2 or Websense web filter class, right-click
inside the table and select Add Row or right-click a row and select Edit Row. See Configuring Class
Maps for Zone-Based Firewall Policies, page 18-17.
Related Topics
Understanding Map Objects, page 6-60
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Inspect > Inspect
Parameters in the table of contents. Right-click inside the work area and select New Object, or
right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
DNS Timeout The length of time, in seconds, for which a DNS lookup session is managed
while there is no activity.
ICMP Timeout The length of time, in seconds, for which an inactive ICMP (Internet
Control Message Protocol) session is maintained.
Max Incomplete Low The number of existing half-open sessions that will cause the software to
start (at the high threshold) and stop (at the low threshold) deleting
Max Incomplete High
half-open sessions.
Ensure that you enter a lower number in the Low field than you enter in
the High field, for example, 400 and 500. The default is unlimited
half-open sessions.
One Minute Low The number of new unestablished sessions that causes the system to start
and stop deleting half-open sessions. Ensure that you enter a lower number
One Minute High
in the Low field than you enter in the High field. The default is unlimited.
Max Sessions The maximum number of inspection sessions on a zone pair, for example,
200. The default is unlimited.
TCP FINWAIT Timeout How long to maintain TCP session state information after the firewall
detects a FIN-exchange, in seconds. The FIN-exchange occurs when the
TCP session is ready to close.
TCP SYNWAIT Timeout How long to wait for a TCP session to reach the established state before
dropping the session, in seconds.
TCP Idle Timeout How long to maintain a TCP session while there is no activity in the
session, in seconds.
Table 18-9 Add or Edit Inspect Parameter Map Dialog Boxes (Continued)
Element Description
TCP Max The threshold and blocking time (in minutes) for TCP host-specific
Incomplete Hosts denial-of-service (DoS) detection and prevention.
TCP Max Incomplete The maximum incomplete hosts is the number of half-open TCP sessions
Block Time with the same host destination address that can simultaneously exist before
the software starts deleting half-open sessions to that host. An unusually
high number of half-open sessions with the same destination host address
could indicate that a DoS attack is being launched against the host.
When the threshold is exceeded, half-open sessions are dropped based on
the maximum incomplete block time:
If the block time is 0, the software deletes the oldest existing half-open
session for the host for every new connection request to the host. This
ensures that the number of half-open sessions to a given host never
exceeds the threshold.
If the block time is greater than 0, the software deletes all existing
half-open sessions for the host and then blocks all new connection
requests to the host. The software continues to block all new
connection requests until the block time expires.
The software sends syslog messages whenever the specified threshold
is exceeded and when blocking of connection initiations to a host starts
or ends.
UDP Idle Timeout How long to maintain a UDP session while there is no activity in the
session, in seconds.
When the software detects a valid UDP packet, the software establishes
state information for a new UDP session. Because UDP is a connectionless
service, there are no actual sessions, so the software approximates sessions
by examining the information in the packet and determining if the packet
is similar to other UDP packets (for example, it has similar source or
destination addresses) and if the packet was detected soon after another
similar UDP packet.
If the software detects no UDP packets for the UDP session for the period
of time defined by the UDP idle timeout, the software will not continue to
manage state information for the session.
Enable Alert Whether to generate stateful packet inspection alert messages on
the console.
Enable Audit Trail Whether audit trail messages are logged to the syslog server or router.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of
devices that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Inspect > Protocol Info
Parameters in the table of contents. Right-click inside the work area and select New Object, or
right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-10 Add or Edit Protocol Info Parameter Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
DNS Server Table The DNS servers for which traffic will be permitted (and inspected) or denied.
To add servers, click the Add button and fill in the Add Server dialog box
(see Add or Edit DNS Server for Protocol Info Parameters Dialog Box,
page 18-32).
To edit a server, select it and click the Edit button.
To delete a server, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
Overrides and Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Add or Edit DNS Server for Protocol Info Parameters Dialog Box
Use the Add or Edit DNS Server dialog box to identify DNS servers for which traffic will be permitted
(and inspected) or denied. These servers are defined in a Protocol Info parameter map for use with the
inspection of protocols that require them in a zone-based firewall policy.
You can identify a server using any of these types:
Server NameThe name of the DNS server. You can use an asterisk (*) as a wildcard character to
match one or more characters. For example, if you want to identify all DNS servers on the cisco.com
domain, you can specify *.cisco.com.
IP AddressThe IP address of a single DNS server.
IP Address RangeA range of IP addresses identifying any DNS server within the start and
end addresses.
Navigation Path
From the Add or Edit Protocol Info Parameter Map dialog boxes, click the Add button beneath the server
table, or select a server and click the Edit button. See Configuring Protocol Info Parameter Maps,
page 18-31.
Navigation Path
Select Tools > Policy Object Manager, then any of the following items in the Maps > Policy Maps >
Inspect folder in the table of contents: H.323 (IOS), HTTP (Zone based IOS), IM (Zone based IOS),
IMAP, P2P, POP3, SIP (IOS), SMTP, and Sun RPC. Right-click inside the work area and select New
Object, or right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-11 Add or Edit Policy Maps Dialog Boxes for Zone-Based Firewall Policies
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Match All table The Match All table lists class maps included in the policy map, and the
action to take for traffic that matches the class. For traffic to match this class,
all criteria defined in the selected class maps must be met.
To add a criterion, click the Add button and fill in the Match Condition
and Action dialog box (see Add or Edit Match Condition and Action
Dialog Boxes for Zone-Based Firewall and Web Filter Policies,
page 18-33).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web
Filter Policies
Use the Add or Edit Match Condition and Action dialog boxes for zone-based firewall and web filter
policies to select the class maps for inspection and to define the action to take for traffic that matches
the class. This dialog box is used for the following types of policy maps: H.323 (IOS), HTTP (Zone
based IOS), IM (Zone based IOS), IMAP, P2P, POP3, SIP (IOS), SMTP, Sun RPC, Web Filter.
The fields on this dialog box differ slightly depending on the type of policy map you are defining.
Navigation Path
From the Add or Edit Policy Maps dialog boxes for Zone-Based Firewall Policies, right-click inside the
match table and select Add Row or right-click a row and select Edit Row. See Configuring Policy Maps
for Zone-Based Firewall Policies, page 18-32.
Related Topics
Understanding Map Objects, page 6-60
Configuring Inspection Maps for Zone-based Firewall Policies, page 18-15
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-12 Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall
Policies
Element Description
Match Type Indicates that you are selecting a class map. You must define class maps
when creating policy maps for zone-based firewall policies.
Class Map The name of the class map for the type of policy map you are creating. Click
Select to select the map from a list or to create a new class map object.
P2P, IM, and Web Filter
class map types. For P2P, IM, and Web Filter policy maps, you must also select the type of
policy map you are creating. For example, in a P2P map you must select
between eDonkey, FastTrack, Gnutella, and Kazaa2. In an IM (Zone Based
IOS) map, you must select between AOL, MSN Messenger, Yahoo
Messenger, Windows Messenger, and ICQ. In a Web Filter map, you must
select between Local, N2H2, WebSense, and Trend.
Action The action you want the device to take for traffic that matches the
selected class.
Tip If you use an external server, you must have set up and configured the server appropriately based on the
documentation for the type of server you select. If you use Trend Micro servers, you must specify the
server details, and register the product and download certificates, on the Content Filtering tab of the Zone
Based Firewall page (select Firewall > Settings > Zone Based Firewall). See Zone Based Firewall Page,
page 18-48.
The following are requirements for the map objects used with zone-based content filtering:
For devices running releases below 12.4(20)T, you must create a URL Filter parameter map. In the
Policy Object Manager, select Maps > Parameter Maps > Web Filter > URL Filter, and review
the detailed usage information in Configuring URL Filter Parameter Maps, page 18-41.
To perform local filtering on the router using lists of allowed (whitelisted) and denied
(blacklisted) hosts, create the lists on the Local Filtering tab. Any Web access request is first
compared to these lists before the request is sent on to an external filtering server (if you have
configured one). These lists contain either complete domain names (such as www.cisco.com),
or partial names (such as cisco.com), but they do not include paths or page names, and you
cannot use wildcards.
To use a SmartFilter (N2H2) or Websense server, configure the type of server you are using and
its address information on the External Filter tab. You can also configure other settings that
control communication with the server. You cannot configure a Trend Micro server using the
URL Filter parameter map.
For devices running release 12.4(20)T and higher, the preferred approach is to use a Web Filter
policy map. Although Web Filter policy maps are more complex, they provide added flexibility, and
they let you access Trend Micro filtering servers. In the Policy Object Manager, select Maps >
Policy Maps > Web Filter > Web Filter, and review the detailed usage information in Configuring
Web Filter Maps, page 18-45.
A Web Filter policy map incorporates other types of maps. To create the policy map, you will need
one or more of these other types of maps:
Parameter maps On the Parameters tab of the Add and Edit Web Filter Map dialog boxes, you
can select parameter maps for the various types of Web filtering if you do not want to use the
default settings. If you are using SmartFilter (N2H2) or Websense, you need to select a
parameter map because the map identifies those servers. For Local and Trend Micro filtering,
parameter maps configure some general settings, the most interesting of which is whether to
display a message or Web page when a URL is blocked. In the Policy Object Manager, you can
find parameter maps for Local, N2H2, Trend, and Websense in the Maps > Parameter Maps
> Web Filter folder. For detailed usage information, see Configuring Local Web Filter
Parameter Maps, page 18-36, Configuring N2H2 or WebSense Parameter Maps, page 18-37, or
Configuring Trend Parameter Maps, page 18-40.
Note You configure Trend Micro server information on the Content Filtering tab of the Zone
Based Firewall page (select Firewall > Settings > Zone Based Firewall). See Zone Based
Firewall Page, page 18-48.
Class maps for match conditions These class maps define the type of traffic you want to target
and specify the action to be taken. You select a type of filtering (Local, SmartFilter/N2H2,
Websense, or Trend Micro), specify the class map that identifies the targeted traffic, and choose
an action (such as Allow, Reset, etc.) to be taken for that traffic. In the Policy Object Manager,
you can find class maps for Local, N2H2, Trend, and Websense in the Maps > Class Maps >
Web Filter folder.
These class-map configurations depend on the type of filtering:
Local Filtering The Local WebFilter class map is a list of one or more URLF Glob parameter
maps that specify either domain names or URL keywords that you want to target. A URL
keyword is any text string delineated by forward-slash (/) characters in a URL. These class maps
help you define allowed (whitelisted) and denied (blacklisted) URL lists for a WebFilter
policycreate separate maps for each list. For detailed usage information, see Configuring
Class Maps for Zone-Based Firewall Policies, page 18-17, Local Web Filter Class Add or Edit
Match Criterion Dialog Boxes, page 18-27, and Configuring URLF Glob Parameter Maps,
page 18-43.
SmartFilter (N2H2) or Websense FilteringThe class maps for N2H2 and Websense define
any server response as the matching criterion. For detailed usage information, see Configuring
Class Maps for Zone-Based Firewall Policies, page 18-17.
Trend Micro Filtering The Trend class map lets you select various Productivity Categories
and Security Ratings, as defined by Trend Micro, that you want to target. For detailed usage
information, see Configuring Class Maps for Zone-Based Firewall Policies, page 18-17.
Besides the maps used to define content filtering, you can also configure the following maps for content
filter rules:
Inspect Parameters maps Zone-based firewall inspection includes several general settings, all of
which have default values that are appropriate for most networks. If you want to adjust any of these
settings, you can create an Inspect Parameters map. In the Policy Object Manager, select Maps >
Parameter Maps > Inspect > Inspect Parameters, and review the detailed usage information in
Configuring Inspect Parameter Maps, page 18-28.
HTTP policy map If you want to use deep inspection on the individual HTTP packets in addition
to Web filtering, you can configure an HTTP policy map by clicking Configure next to the Protocol
field in the Action section of the Adding and Editing Zone-based Firewall Rules, page 18-58. The
HTTP policy map incorporates HTTP class maps that define the type of traffic you want to match
and then defines the action to take. For example, you can target traffic that includes Java applets. In
the Policy Object Manager, select Maps > Policy Maps > Inspect > HTTP (Zone Based IOS), and
review the detailed usage information in Configuring Policy Maps for Zone-Based Firewall Policies,
page 18-32, HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes, page 18-20, and
Configuring Class Maps for Zone-Based Firewall Policies, page 18-17.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Zone-based Firewall Rules Page, page 18-56
Creating Policy Objects, page 6-6
Understanding Map Objects, page 6-60
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > Local in
the table of contents. Right-click inside the work area and select New Object, or right-click a row and
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-13 Add or Edit Local Web Filter Parameter Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Enable Alert Whether to generate stateful packet inspection alert messages on the console.
Enable Allow Mode Whether to allow or block URL requests when the URL filtering process
does not have connectivity to a URL filtering database. When allow-mode is
on, all unmatched URL requests are allowed; when off, all unmatched URL
requests are blocked.
Block Page The web page you want to present to the user if the user attempts to access a
page that you block. You can select from the following:
NoneThe user is not presented with any information.
MessageThe user is presented with the text message you enter in the
edit box.
Redirect URLThe user is redirected to the URL you enter in the
edit box.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select N2H2 or WebSense from the Maps > Parameter
Maps > Web Filter folder in the table of contents. Right-click inside the work area and select New
Object, or right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-14 Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters
is allowed.
URL Filtering Server Table The list of URL filtering servers and their attributes.
To add servers, click the Add button and fill in the Add External
Filter dialog box (see Add or Edit External Filter Dialog Box,
page 18-39).
To edit a server, select it and click the Edit button.
To delete a server, select it and click the Delete button.
Enable Alert Whether to generate stateful packet inspection alert messages on
the console.
Enable Allow Mode Whether to allow or block URL requests when the URL filtering
process does not have connectivity to a URL filtering database. When
allow-mode is on, all unmatched URL requests are allowed; when off,
all unmatched URL requests are blocked.
Block Page The web page you want to present to the user if the user attempts to
access a page that you block. You can select from the following:
NoneThe user is not presented with any information.
MessageThe user is presented with the text message you enter in
the edit box.
Redirect URLThe user is redirected to the URL you enter in the
edit box.
Source Interface The interface whose IP address should be used as the source IP address
when a TCP connection is established between the system and the URL
filtering server.
Maximum Cache Entries The maximum number of entries to store in the categorization cache.
The default is 5000.
Cache Life Time How long, in hours, an entry remains in the cache table. The default
is 24.
Maximum Requests The maximum number of pending requests. The range is from 1 to
2147483647. The default is 1000.
Maximum Responses The maximum number of HTTP responses that can be buffered. The
range is from 0 and 20000. The default is 200.
Table 18-14 Add or Edit N2H2 or WebSense Parameter Map Dialog Boxes (Continued)
Element Description
Truncate Hostname Whether to truncate the URLs:
Truncate Script Parameters If you do not select an option, URLs are not truncated.
If you select Hostname, URLs are truncated at the end of the
domain name.
If you select Script Parameters, URLs are truncated at the left-most
question mark in the URL.
Tip Although you can select both options, it is illogical to do so.
Enable Server Log Whether to send information about HTTP requests to the URL filtering
servers log server. The information includes the URL, the hostname,
the source IP address, and the destination IP address.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
Click the Add button beneath the server table, or select a server and click the Edit button, from any of
the following dialog boxes:
Add or Edit N2H2 or WebSense Parameter Map dialog boxes. See Configuring N2H2 or WebSense
Parameter Maps, page 18-37.
Add or Edit URL Filter Parameter Map dialog boxes. See Configuring URL Filter Parameter Maps,
page 18-41.
Field Reference
Element Description
Server The fully-qualified domain name or IP address of the URL filtering server.
Port The port that is listening for requests.
Retransmission Count The number of times the router retransmits the lookup request when a
response is not received from the server. The range is from 1 to 10.
Element Description
Timeout The number of seconds that the router waits for a response from the server.
The range is from 1 to 300.
Outside Whether the server is outside the network.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > Trend in
the table of contents. Right-click inside the work area and select New Object, or right-click a row and
select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Enable Allow Mode Whether to allow or block URL requests when the URL filtering process
does not have connectivity to a URL filtering database. When allow-mode is
on, all unmatched URL requests are allowed; when off, all unmatched URL
requests are blocked.
Block Page The web page you want to present to the user if the user attempts to access a
page that you block. You can select from the following:
NoneThe user is not presented with any information.
MessageThe user is presented with the text message you enter in the
edit box.
Redirect URLThe user is redirected to the URL you enter in the
edit box.
Maximum Requests The maximum number of pending requests. The range is from 1 to
2147483647. The default is 1000.
Table 18-16 Add or Edit Trend Parameter Map Dialog Boxes (Continued)
Element Description
Maximum Responses The maximum number of HTTP responses that can be buffered. The range is
from 0 and 20000. The default is 200.
Truncate Hostname Whether to truncate URLs at the end of the domain name.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > URL
Filter in the table of contents. Right-click inside the work area and select New Object, or right-click a
row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-17 Add or Edit URL Filter Parameter Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Local Filtering Tab
The fields on this tab define the properties for local URL filtering.
Table 18-17 Add or Edit URL Filter Parameter Map Dialog Boxes (Continued)
Element Description
Whitelisted and These tables define the domain names for which the software will not contact
Blacklisted Domains the external URL filtering server. Domain names on the whitelist are always
tables allowed. Domain names on the blacklist are always blocked. Use these lists
to identify entire domains that you want to allow without restriction (such as
your companys web site) or block completely (such as pornography sites).
Domain names can be complete (including the host name, such as
www.cisco.com), or partial (such as cisco.com). For partial names, all web
site hosts on that domain are either permitted or denied. You can also enter
host IP addresses.
To add a domain name, click the Add button and fill in the Add Server
dialog box (see Add or Edit URL Domain Name Dialog Box for URL
Filter Parameters, page 18-43).
To edit a domain name, select it and click the Edit button.
To delete a domain name, select it and click the Delete button.
Enable Alert Whether to generate stateful packet inspection alert messages on the console.
Enable Audit Trail Whether to log URL information to the syslog server or router.
Enable Allow Mode Whether to allow or block URL requests when the URL filtering process
does not have connectivity to a URL filtering database. When allow-mode is
on, all unmatched URL requests are allowed; when off, all unmatched URL
requests are blocked.
External Filtering Tab
The fields on this tab define the properties for an external URL filtering server.
Server Type The type of external URL filtering server you are configuring, either
Server Table SmartFilter (N2H2) or Websense.
To add servers, click the Add button and fill in the Add External Filter
dialog box (see Add or Edit External Filter Dialog Box, page 18-39).
To edit a server, select it and click the Edit button.
To delete a server, select it and click the Delete button.
Source Interface The interface whose IP address should be used as the source IP address
when a TCP connection is established between the system and the URL
filtering server.
Maximum The maximum number of entries to store in the categorization cache. The
Cache Entries default is 5000.
Maximum Requests The maximum number of pending requests. The range is from 1 to
2147483647. The default is 1000.
Maximum Responses The maximum number of HTTP responses that can be buffered. The range is
from 0 and 20000. The default is 200.
Table 18-17 Add or Edit URL Filter Parameter Map Dialog Boxes (Continued)
Element Description
Truncate Hostname Whether to truncate the URLs:
Truncate If you do not select an option, URLs are not truncated.
Script Parameters
If you select Hostname, URLs are truncated at the end of the
domain name.
If you select Script Parameters, URLs are truncated at the left-most
question mark in the URL.
Do not select any truncate options for devices running software releases
lower than 12.4(15)T or you will receive a validation error.
Tip Although you can select both options, it is illogical to do so.
Enable Server Log Whether to send information about HTTP requests to the URL filtering
servers log server. The information includes the URL, the hostname, the
source IP address, and the destination IP address.
Additional Fields
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
Overrides and Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Add or Edit URL Domain Name Dialog Box for URL Filter Parameters
Use the Add URL Domain Name dialog box to add web site domain names to the whitelisted (allowed)
or blacklisted (not allowed) lists.
Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as
cisco.com). For partial names, all web site hosts on that domain are either permitted or denied. You can
also enter host IP addresses.
Navigation Path
From the Add or Edit URL Filter Parameter Map dialog boxes, click the Add button beneath the whitelist
or blacklist tables, or select a name and click the Edit button. See Configuring URL Filter Parameter
Maps, page 18-41.
A single URLF Glob must also be limited to one of these types of URL segments:
Strings that appear in the server name of a URL, which includes the name of the server and the
domain name of the network. For example, www.cisco.com.
Strings that appear in URL keywords, which are the strings that appear between / characters in a
URL, or which are the file names. For example, in the URL segment www.cisco.com/en/US/, both
en and US are keywords. The file name in a URL, such as index.html, is also considered a keyword.
You cannot use the characters /, {, }, and ? in a URLF glob.
To match a server name or URL keyword, the string in the URL must match exactly the string included
in the URLF glob unless you use wildcard metacharacters to specify a variable string pattern. You can
use the following metacharacters for pattern matching for either server names or URL keywords:
* (Asterisk). Matches any sequence of zero or more characters. For example, *.edu matches all
servers in the education domain, and you could use hack* to block
www.example.com/hacksite/123.html.
[abc] (Character class). Matches any character in the brackets. The character matching is case
sensitive. For example, [abc] matches a, b, or c, but not A, B, or C. Thus, you could use
www.[ey]xample.com to block both www.example.com and www.yxample.com.
[a-c] (Character range class). Matches any character in the range. The character matching is case
sensitive. [a-z] matches any lowercase letter. You can mix characters and ranges; for example,
[abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z].The dash (-) character is literal
only if it is the last or the first character within the brackets, [abc-] or [-abc].
[0-9] (Numerical range class). Matches any number in the brackets. For example [0-9] matches 0,
1, 2, 3, 4, 5, 6, 7, 8, or 9. Thus, you can use www.example[0-9][0-9].com to block
www.example01.com, www.example33.com, and www.example99.com (and so forth).
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Parameter Maps > Web Filter > URLF
Glob Parameters in the table of contents. Right-click inside the work area and select New Object, or
right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes, page 18-27
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Table 18-18 Add or Edit URLF Glob Parameter Map Dialog Boxes
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Table 18-18 Add or Edit URLF Glob Parameter Map Dialog Boxes (Continued)
Element Description
Value The server domains or keywords for the URLs you are targeting. Enter only
one type of glob: either all server domains, or all URL keywords, but not a
mixture of both.
If you include more than one entry, separate the entries with new lines.
For example, the following entries identify all government or education
web servers:
*.gov
*.edu
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
Overrides and Understanding Policy Object Overrides for Individual Devices,
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select Maps > Policy Maps > Web Filter > Web Filter
from the Object Type selector. Right-click inside the table and select New Object or right-click a row
and select Edit Object.
Related Topics
Understanding Map Objects, page 6-60
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Element Description
Name The name of the policy object. A maximum of 40 characters is allowed.
Description A description of the policy object. A maximum of 200 characters is allowed.
Parameters tab
Parameter Type The type of parameter map to include in the Web Filter policy map. Select
None if you do not want to select a parameter map.
Parameter Map
If you select a specific parameter type, enter the name of the parameter map
in the Parameter Map field. Click Select to select the map from a list or to
create a new parameter map object.
Match Condition and Action Tab
The Match All table lists class maps included in the policy map, and the action to take for traffic that
matches the class. For traffic to match this class, all criteria defined in the selected class maps must
be met.
To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see
Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web
Filter Policies, page 18-33).
To edit a criterion, select it and click the Edit button.
To delete a criterion, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
For the purposes of this discussion, the most interesting of these commands is policy-map, which is used
to apply your zone policy for each pair of zones. That is, for any given zone-pair, all rules defining traffic
(classes) and actions are applied within one policy-map. Further, Security Manager appends the current
class-default class to the end of each policy-maps class list to capture any packets not processed by a
zone rule.
The default class-default is dropappending this class to each policy-map is how the implicit dropping
of traffic between zones is accomplished. However, as mentioned, you can change this default behavior
for any zone-pair. For example, you might elect to pass all unmatched traffic, or you might change the
default to drop and log so you can determine what traffic is not being matched by your existing rules.
Note The only options for the default behavior are Drop, Drop and Log, Pass, and Pass and Log.
If you want the default policy to continue to drop packets, you do not have to do anything in Security
Manager. This rule is generated automatically. If you do want to change the default behavior for a
zone-pair, you must provide a Permit any any IP rule (that is, Match: Permit; Sources: any;
Destinations: any; Services: IP in the Adding and Editing Zone-based Firewall Rules, page 18-58), with
Drop and Log, Pass, or Pass and Log as the chosen Action. You must also ensure that this rule appears
last in the list of rules for a zone pair. Security Manager interprets this as the intended class-default rule.
If your zone-based rules table includes a large number of rules, it might be difficult to ensure that this
rule comes after all other rules for a zone pair. Here are a couple of techniques you can use to
alleviate this:
Use sections to organize the table, with one section per zone-pair. This will make it easier for you
to order the rules for a zone-pair, as well as ensuring that the class-default rule comes last. For more
information on working with sections, see Using Sections to Organize Rules Tables, page 12-17.
Create a shared zone-based rules policy that includes the class-default rule in the Default scope, and
inherit this rule in the devices local zone-based rule policy. For more information on inheritance
and creating shared policies, see Inheriting or Uninherting Rules, page 5-42 and Creating a New
Shared Policy, page 5-50.
Related Topics
Zone Based Firewall Page, page 18-48
Understanding the Zone-based Firewall Rules, page 18-3
Step 1 Access the Zone Based Firewall Page, page 18-48 as follows:
(Device view) Select an IOS device and then select Firewall > Settings > Zone Based Firewall
from the Policy selector.
(Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy Type selector.
Select an existing policy or create a new one.
Step 2 (Optional) On the Zones tab: add, edit and delete unreferenced zones.
The Zones tab lists all unreferenced zones defined on the device; that is, zones without any associated
interfaces, rules or policies. Unreferenced zones are usually found and listed during device discovery,
but you also can create named, empty zones here.
Step 3 (Optional) On the VPN tab, supply the name of the zone specifically set up for VPN traffic.
This zone ensures that dynamic VPN traffic can be processed by the zone-based firewall rules on this
router. See Using VPNs with Zone-based Firewall Policies, page 18-6 for more information.
Step 4 (Optional) On the WAAS tab, select Enable WAAS to enable Wide Area Application
Services interoperability.
If this option is not enabled, packets being optimized by a WAAS device may be dropped because WAAS
increases the TCP packet sequence number during the TCP handshake. This behavior may be viewed as
a possible attack by the IOS device.
Step 5 (Optional) On the Content Filter Settings tab, provide server settings for Trend Micro-based
content filtering.
To use Trend Micro-based content filtering, you must configure contact information for the Trend Micro
server on this tab of the Zone Based Firewall page. This tab also provides links to Trend Micro
registration and certificate download. You must have an active subscription with Trend Micro to utilize
this form of content filtering, and you must download and install a valid subscription certificate on this
IOS device.
For more information, see Zone Based Firewall Page - Content Filter Tab, page 18-50.
Step 6 (Optional) On the Global Parameters (ASR) tab, you can configure global, logging-related settings
specific to ASR devices:
Log Dropped Packets Select this option to log all packets dropped by the device; syslog logging
must be enabled to view the information.
Log Flow export timeout rate NetFlow logs are created after a flow either expires or is timed out,
and it is important to put a time limit on how long a flow can be active before expiring. This value
is maximum number of minutes a flow can remain active before it is expired. The value can be any
integer from 1 to 3600; the default is 30.
Log Flow export destination IP The IP address or host name of the NetFlow collector to which
flow data is to be sent.
Log Flow export destination port The UDP port monitored by the NetFlow collector for flow data.
Navigation Path
To access the Zone Based Firewall page, do one of the following:
(Device view) Select a device, then select Firewall > Settings > Zone Based Firewall from the
Policy selector.
(Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy Type selector.
Create a new policy or select an existing one.
(Map view) Right-click a device and choose Edit Firewall Settings > Zone Based Firewall.
Related Topics
Configuring Settings for Zone-based Firewall Rules, page 18-47
Understanding the Zone-based Firewall Rules, page 18-3
Adding Zone-Based Firewall Rules, page 18-12
Field Reference
Element Description
Zones tab This tab displays the Zones table, which lists unreferenced zones; that is
zones without any associated interfaces, rules or policies. Unreferenced
zones are usually found and listed during device discovery, but you also can
create named, empty zones here.
The Zones table lists the following information for each unreferenced zone:
Zone The name of the Zone/Interface Role.
Content Any interfaces assigned to the zone.
Description Any user-provided comments about the zone.
To add a zone to this table, click the Add Row button and provide a Zone
name in the Zone dialog box.
VPN tab This tab presents the VPN Zone field; a zone entry in this field ensures that
dynamic VPN traffic can be processed by the zone-based firewall rules on
this router. See Using VPNs with Zone-based Firewall Policies, page 18-6
for more information about this zone.
Enter or Select the zone through which VPN traffic will pass.
WAAS tab This tab presents the Enable WAAS check box. Select this option to enable
Wide Area Application Services interoperability.
If this option is not enabled, packets being optimized by a WAAS device may
be dropped because WAAS increases the TCP packet sequence number
during the TCP handshake. This behavior may be viewed as a possible attack
by the IOS device.
Content Filtering tab This tab displays server settings and certificate links for Trend Micro-based
content filtering. For more information, see Zone Based Firewall Page -
Content Filter Tab, page 18-50.
Element Description
Global Parameters This tab displays global, logging-related settings specific to ASR devices.
(ASR) tab Configure these settings as follows:
Log Dropped Packets Select this option to log all packets dropped by
the device; syslog logging must be enabled to view the information.
Log Flow export timeout rate NetFlow logs are created after a flow
either expires or is timed out, and it is important to put a time limit on
how long a flow can be active before expiring. This value is maximum
number of minutes a flow can remain active before it is expired. The
value can be any integer from 1 to 3600; the default is 30.
Log Flow export destination IP The IP address or host name of the
NetFlow collector to which flow data is to be sent.
Log Flow export destination port The UDP port monitored by the
NetFlow collector for flow data.
Navigation Path
To access the Zone Based Firewall page, do one of the following:
(Device view) Select a device, then select Firewall > Settings > Zone Based Firewall from the
Device selector.
(Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy selector.
(Map view) Right-click a device and choose Edit Firewall Settings > Zone Based Firewall.
Related Topics
Zone-based Firewall Rules Page, page 18-56
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 18-34
Understanding the Zone-based Firewall Rules, page 18-3
Adding Zone-Based Firewall Rules, page 18-12
Field Reference
Element Description
Trend Micro Server Settings
Cache-entry-lifetime (hrs) How long, in hours, a look-up request to the Trend Micro server
remains in the routers local URL cache table. The allowed range is 0
to 120; the default value is 24.
Cache-size (KBytes) The maximum amount of memory to be used by the routers local URL
cache. The allowed range is 0 to 120,000 KB; the default value is 250.
Server The fully-qualified domain name or IP address of the Trend Micro URL
filtering server.
HTTP Port The port the Trend Micro server is listening to for HTTP requests. The
default is 80.
HTTPS Port The port the Trend Micro server is listening to for HTTPS requests. The
default is 443.
Retransmission Count The number of times the router retransmits a look-up request when a
response is not received from the server. The range is 1 to 10.
Retransmission Timeout The number of seconds that the router waits for a response from the
server. The range is 1 to 300.
Alert Whether stateful packet inspection messages are copied to the syslog.
Trend Micro Server Certificate Download Links
Link to download certificates Opens the page for installing Trusted Authority Certificates on Cisco
IOS Routers for Trend URL Filtering Support.
Link for product registration Opens the page for Product License Registration. You must enter the
Product Authorization Key and register the router.
Navigation Path
To access the Add and Edit Zone dialog boxes, do one of the following:
(Device view) Select a device, then select Firewall > Settings > Zone Based Firewall from the
Device selector. Right-click inside the Zones table, then select Add Row, or right-click a line item,
then select Edit Row.
(Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy selector.
Right-click inside the table, then select Add Row, or right-click a line item, then select Edit Row.
(Map view) Right-click a device and select Edit Firewall Policies > Settings > Zone Based
Firewall Rules.
Enter a zone name in the Zone field, or click Select to choose one from the Interfaces Selector dialog box.
Related Topics
Zone Based Firewall Page, page 18-48
Understanding the Zone-based Firewall Rules, page 18-3
Configuring Settings for Zone-based Firewall Rules, page 18-47
When you deploy these rules, Security Manager generates the following configuration. The bold letters
are added for reference in the explanation that follows the configuration.
A.
class-map type inspect http match-any HTTPcmap
match req-resp protocol-violation
match request port-misuse any
!
B.
policy-map type inspect http HTTPpmap
class type inspect http HTTPcmap
reset
log
!
C.
class-map type inspect CSM_ZBF_CLASS_MAP_1
match access-group name CSM_ZBF_CMAP_ACL_1
!
D.
class-map type inspect match-any CSM_ZBF_CMAP_PLMAP_1
match protocol ftp
match protocol ftps
!
E.
class-map type inspect CSM_ZBF_CLASS_MAP_2
match access-group name CSM_ZBF_CMAP_ACL_2
match class-map CSM_ZBF_CMAP_PLMAP_1
!
F.
class-map type inspect match-any CSM_ZBF_CLASS_MAP_3
match protocol bittorrent
match protocol edonkey
match protocol fasttrack
match protocol icq
match protocol kazaa2
!
G.
class-map type inspect CSM_ZBF_CLASS_MAP_4
match protocol http
!
H.
class-map type inspect match-any CSM_ZBF_CLASS_MAP_5
match protocol tcp
match protocol udp
!
I.
policy-map type inspect CSM_ZBF_POLICY_MAP_1
class type inspect CSM_ZBF_CLASS_MAP_1
drop
class type inspect CSM_ZBF_CLASS_MAP_2
drop
class type inspect CSM_ZBF_CLASS_MAP_3
drop
class type inspect CSM_ZBF_CMAP_PLMAP_1
inspect
class type inspect CSM_ZBF_CLASS_MAP_4
inspect
service-policy http HTTPpmap
class type inspect CSM_ZBF_CLASS_MAP_5
inspect
class class-default
drop
!
J.
zone security Inside
zone security Outside
zone-pair security CSM_Inside-Outside_1 source Inside destination Outside
service-policy type inspect CSM_ZBF_POLICY_MAP_1
!
interface GigabitEthernet0/1
ip address dhcp
zone-member security Inside
!
interface GigabitEthernet0/2
ip address dhcp
zone-member security Outside
!
K.
ip access-list extended CSM_ZBF_CMAP_ACL_1
permit ip 10.100.10.0 0.0.0.255 any
permit ip 10.100.11.0 0.0.0.255 any
!
L.
ip access-list extended CSM_ZBF_CMAP_ACL_2
permit ip 10.100.12.0 0.0.0.255 any
!
The following list explains how the rules in Security Manager are converted to device-configuration
commands, to aid your understanding of the relationship between the two. The list numbering
corresponds to the rule numbers from the rules table in Security Manager (see the previous illustration):
1. This rule drops all traffic from the 10.100.10.0/24 network. The Permit, Source, Destination, and
Service fields are used to create the first access control entry (ACE) in the ACL named
CSM_ZBF_CMAP_ACL_1 defined in (K). This ACL is referenced from the class map
CSM_ZBF_CLASS_MAP_1 defined in (C), which then defines the first drop rule in the policy map
CSM_ZBF_POLICY_MAP_1, defined in (I).
The policy map (I) is used to define the zone service policy in (J). Because this policy map is how
all of the rules are assigned to the zone pair, (J) is not mentioned again.
2. This rule drops all traffic from the 10.100.11.0/24 network. This rule is combined with rule 1 by
adding an ACE to the ACL defined in (K). The rest of the configuration is identical to rule 1. Thus,
rules 1 and 2 essentially become a single rule in the device configuration.
3. This rule drops all FTP/FTPS traffic from the 10.100.10.12/24 network. The Permit, Source,
Destination, and Service fields are used to create the ACL named CSM_ZBF_CMAP_ACL_2
defined in (L). The Protocol table generates the class map CSM_ZBF_CMAP_PLMAP_1 defined
in (D), which specifies the FTP and FTPS protocols. The ACL and FTP/FTPS class map are then
used in a new class map, CSM_ZBF_CLASS_MAP_2 defined in (E), which completes the
characterization of the traffic based on the combination of source and protocol. Finally, (E) is
referenced in the policy map (I) as the second rule.
4. This rule drops peer-to-peer traffic from any source that uses any of these protocols: Bittorrent,
eDonkey, FastTrack, ICQ, or Kazaa2. This rule prevents any of your internal servers from being used
as a file-sharing source for these services. Because the rule applies to all sources and destinations
for the default IP service, no ACL is required. Instead, the configuration starts with the class map
CSM_ZBF_CLASS_MAP_3 defined in (F). This class map is referenced by the third drop rule in
the policy map (I).
5. This rule inspects FTP/FTPS traffic from any source to any destination, which means these services
are allowed. Note that rule 3, because it comes above rule 5, already drops FTP/FTPS traffic from
the 10.100.12.0/24 network, so the combination of these rules means that FTP/FTPS traffic is
inspected for all sources except 10.100.12.0/24. Because the Protocol table specifies the same
protocols as it does for rule 3, no new class map is needed. Instead, the policy map (I) simply refers
to the class map (D) as the fourth class type, but this time with the Inspect action.
6. This rule inspects HTTP traffic and applies a deep-inspection policy map named HTTPpmap. The
HTTPpmap policy map (B) defines the action to take when traffic matches the criteria defined in the
class map HTTPcmap (A). These maps specify that any HTTP connection that violates the HTTP
protocol, or that misuses ports, should be reset (dropped) and a syslog entry generated. (Protocol
violation and port misuse can characterize Denial of Service attacks.) The combination of (A) and
(B) define the deep-inspection rules for this policy.
An additional class map, CSM_ZBF_CLASS_MAP_4, is needed to specify the HTTP protocol (G).
Then, the fifth class type rule in the policy map (I) refers to class map (G) for inspection, and the
service-policy command refers to the policy map (B) for deep inspection.
7. This rule provides generic inspection on TCP/UDP traffic, allowing and inspecting the remaining
TCP/UDP traffic from the internal network to the Internet and back. The class map
CSM_ZBF_CLASS_MAP_5 defined in (H) is generated from the Protocols table. This class map
then becomes the next-to-last rule in the policy map (I).
8. Finally, there is an automatic rule, which appears as the final class-default rule in the policy map (I).
This rule drops any traffic that does not match one of the class maps referenced in the policy map
(I). For example, ICMP traffic from the internal network to the Internet will not be allowed. For
information on configuring a different class-default rule, see Changing the Default Drop Behavior,
page 18-46.
Note Zone-based firewall policies can be configured only on Cisco IOS and ASR devices.
The Zone Based Firewall Rules page displays a list of currently configured zone-based firewall rules,
and lets you add, edit and delete rules.
Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration,
disabled rules are removed from the device. For more information, see Enabling and Disabling Rules,
page 12-17.
Navigation Path
To access the Zone Based Firewall Rules page, do one of the following:
(Device view) Select a device, then select Firewall > Zone Based Firewall Rules from the
Policy selector.
(Policy view) Select Firewall > Zone Based Firewall Rules from the Policy Type selector. Create
a new policy or select an existing one.
(Map view) Right-click a device and select Edit Firewall Policies > Zone Based Firewall Rules.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Adding Zone-Based Firewall Rules, page 18-12
Filtering Tables, page 1-33
Field Reference
Element Description
No. This number indicates the rules position in the ordering of the list. You
can use the Up Row and Down Row buttons to change the position of the
selected rule.
Permit Indicates whether the rule permits or denies traffic.
Permit Shown as a green check mark.
Deny Shown as a red circle with a slash.
Source Identifies source networks and hosts for this rule. Networks/hosts can be
provided as named objects, or as IP addresses. See Understanding
Network/Host Objects, page 6-62 for more information.
Element Description
Destination Identifies destination networks and hosts for this rule. Networks and hosts
can be provided as named objects, or as IP addresses. See Understanding
Network/Host Objects, page 6-62 for more information.
Service The services that define the types of traffic matched by this rule. Services are
defined by objects that specify protocol and port information. See
Understanding and Specifying Services and Service and Port List Objects,
page 6-69 for more information.
From Zone This rule applies only to traffic originating from this zone.
To Zone This rule applies only to traffic destined for this zone.
Inspected Protocol The protocol(s) on which the rule performs the chosen Action.
Action Identifies how matched protocols are processed:
Drop Matched traffic is silently dropped. The default action for
all traffic.
Drop and Log Matched traffic is logged and dropped.
Pass The router forwards matched traffic from the source zone to the
destination zone.
Pass and Log Traffic is logged and forwarded.
Inspect State-based traffic control; Inspect can provide application
inspection and control for certain protocols, based on Port to
Application Mapping (PAM).
Content Filter HTTP content inspection based on a WebFilter
parameter map, or a WebFilter policy map.
Note The Log options generate system-log messages; you must ensure that
syslog logging is configured to capture these messages.
Options The Inspect Parameter map assigned to this rule; available only with Inspect
and Content Filter actions.
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description The description of this rule, if provided. A maximum of 1024 characters
is allowed.
Tools button Click this button to select tools that you can use with this type of policy. You
can select the following tool:
Query To run policy queries, which can help you evaluate your rules
and identify ineffective rules that you can delete. See Generating Policy
Query Reports, page 12-24
Find and Replace button Searches for values in rules tables, such as IP addresses and policy object
(binoculars icon) names, to facilitate locating and making changes to rules in tables. See
Finding and Replacing Items in Rules Tables, page 12-13.
Up button Moves the selected rule up one row in the table.
Down button Moves the selected rule down one row in the table.
Element Description
Add button Opens the Add Zone-based Firewall Rule dialog box, where you can create
a new rule.
Edit button Used to edit the selected rule in the table; opens the Edit Zone-based Firewall
Rule dialog box.
Delete button Deletes the selected rule from the table.
Navigation Path
From the Zone-based Firewall Rules Page, page 18-56, click the Add Row button, or select a row and
click the Edit Row button.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Configuring Settings for Zone-based Firewall Rules, page 18-47
Adding Zone-Based Firewall Rules, page 18-12
Field Reference
Table 18-23 Add and Edit Zone based Firewall Rule Dialog Boxes
Element Description
Enable Rule When selected, the rule is enabled on the device after the configuration is
generated and deployed. Deselect this option to disable the rule without deleting it.
Traffic Define the traffic flow to which this rule is applied.
Match Choose whether to Permit or Deny matched traffic. See Understanding the
Relationship Between Permit/Deny and Action in Zone-based Firewall Rules,
page 18-7 for additional information about this option.
Table 18-23 Add and Edit Zone based Firewall Rule Dialog Boxes (Continued)
Element Description
Sources Provide the source networks/hosts and destination networks/hosts for matching
Destinations traffic. Each field allows multiple entries separated by commas.
You can enter any combination of the following address types to define the source
or destination of the traffic. For more information, see Specifying IP Addresses
During Policy Definition, page 6-68.
Network/host object. Enter the name of the object, or click Select to select it
from a list. You can also create new network/host objects in the selection
dialog box.
Host IP address; for example, 10.10.10.100.
Network address, including subnet mask, in either 10.10.10.0/24 or
10.10.10.0/255.255.255.0 formats.
A range of IP addresses; for example, 10.10.10.100-10.10.10.200.
An IP address pattern in the format 10.10.0.10/255.255.0.255, where the
mask is a discontiguous bit mask (see Contiguous and Discontiguous
Network Masks, page 6-63).
Services Specify the services that define the type of traffic to matched by this rule. You can
enter any combination of service objects and service types (which are typically a
protocol and port combination), separated by commas. See Understanding the
Relationship Between Services and Protocols in Zone-based Firewall Rules,
page 18-10 for additional information about this option.
If you type in a service, you are prompted as you type with valid values. You also
can click Select to select services from a list. For complete information on how to
specify services, see Understanding and Specifying Services and Service and Port
List Objects, page 6-69.
From Zone Basic zone-based firewall rules are unidirectional; that is, they define a traffic
flow that moves in only one direction between two zones.
To Zone
Enter or Select the zone from which traffic flows can originate for this rule, and
enter or Select the zone to which traffic can flow.
Advanced button Opens the Advanced Options dialog box where you can select time-range options.
See Zone-based Firewall Rule: Advanced Options Dialog Box, page 18-61.
Table 18-23 Add and Edit Zone based Firewall Rule Dialog Boxes (Continued)
Element Description
Action The action applied to traffic that matches this rule. Choose the desired Action:
Action: Drop, Drop Silently drops all packets for the specified Services. The default
Drop and Log, action for all traffic.
Pass, Pass and Log
Drop and Log Matched traffic is logged and dropped.
Pass The router forwards matched packets from the From Zone to the To
Zone. Return traffic is not recognized, so you have to specify additional rules
for return traffic. This option is useful only for protocols such as
IPsec-encrypted traffic.
Pass and Log Traffic is logged and forwarded.
For any of these Actions, you can select one or more protocols to be matched by
clicking the Select button next to the Protocol table to open the Protocol Selector
Dialog Box, page 18-62. However, this is not necessary; you can leave the
Protocol table empty and pass or drop traffic based on the Sources, Destinations,
and Services parameters; in effect, these are standard access rules.
The Protocol Selector dialog box also provides access to the Configure Protocol
Dialog Box, page 18-63, where you can edit the Port Application Mapping (PAM)
parameters for the selected protocol.
Note The Log options generate system-log messages; you must ensure that
syslog logging is configured to capture these messages.
Action: Inspect Inspect provides state-based traffic controlthe device maintains connection or
session information for TCP and UDP traffic, meaning return traffic in reply to
connection requests is permitted.
Choose this option to apply packet inspection based on your selected Layer 4
(TCP, UDP) and Layer 7 (HTTP, IMAP, instant messaging, and peer-to-peer)
protocols. You also can edit PAM settings for the selected protocols, and you can
set up deep packet inspection (DPI) and provide additional protocol-related
information for the Layer 7 protocols. See Configuring Inspection Maps for
Zone-based Firewall Policies, page 18-15 for more information.
1. You can select one or more protocols for inspection by clicking the Select
button next to the Protocol table to open the Protocol Selector Dialog Box,
page 18-62.
2. The Protocol Selector dialog box also provides access to the Configure
Protocol Dialog Box, page 18-63, where you can create custom protocols,
and edit the PAM and DPI parameters for the selected protocol.
3. Inspect Parameters You can apply a customized set of connection,
timeout, and other settings by entering the name of an Inspect Parameter map
in this field, or you can click Select to select one from a list. You also can
create new Inspect Parameter maps from the selection-list dialog box; see
Configuring Inspect Parameter Maps, page 18-28 for more information.
If you do not specify an Inspect Parameters map, the default settings are used.
Table 18-23 Add and Edit Zone based Firewall Rule Dialog Boxes (Continued)
Element Description
Action: Content Filter provides URL filtering based on a supplied parameter or policy
Content Filter map. The router intercepts HTTP requests, performs protocol-related inspection,
and optionally contacts a third-party server to determine whether the requests
should be allowed or blocked. You can provide a WebFilter parameter map, which
defines filtering based on local URL lists, as well as information from an external
SmartFilter (previously N2H2) or Websense server. Alternately, you can provide
a WebFilter policy map that accesses Local, N2H2, Websense, or Trend Micro
filtering data.
1. When Content Filter is the chosen Action, HTTP is the specified Protocol.
You can click Configure to open the Configure Protocol Dialog Box,
page 18-63, where you can edit the HTTP PAM settings, and apply an HTTP
DPI map.
2. Select WebFilter Parameter Map, or WebFilter Policy Map, and supply
the name of an appropriate map. You can click the appropriate Select button
to select the map from a list; you also can create new maps from the
selection-list dialog box. See Configuring Content Filtering Maps for
Zone-based Firewall Policies, page 18-34 for information about configuring
these maps.
3. Inspect Parameters You can apply a customized set of connection,
timeout, and other settings by entering the name of an Inspect Parameter map
in this field, or you can click Select to select one from a list. You also can
create new Inspect Parameter maps from the selection-list dialog box; see
Configuring Inspect Parameter Maps, page 18-28 for more information.
If you do not specify an Inspect Parameters map, the default settings are used.
Description (Optional) You can enter a description of up to 1024 characters to help you
identify the rule when viewing the rules table.
Category (Optional) You can assign a category to the rule, to help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Navigation Path
In the Traffic section of the Add or Edit Zone based Firewall Rule dialog box, click the
Advanced button.
Related Topics
Adding and Editing Zone-based Firewall Rules, page 18-58
Understanding the Zone-based Firewall Rules, page 18-3
Field Reference
Element Description
Time Range This feature lets you define time periods during which this zone-based firewall
rule is active. If you do not specify a time range, the rule is immediately and
always active.
Enter the name of a time-range object, or click Select to choose one from a list
in the Time Ranges Selector dialog box. You can create and edit time-range
objects from this dialog box. For more information, see Configuring Time
Range Objects, page 6-53.
Options This feature lets you apply an initial-packet-fragment or an
established-connection restriction to this zone-based firewall rule. Choose one
of the following options:
NoneNo packet-fragment or established-connection restrictions
are applied.
Fragment If chosen, the rule is applied to non-initial packet fragments;
the fragment is either permitted or denied accordingly. The white paper,
Access Control Lists and IP Fragments, provides additional information
that is also relevant to zone-based firewall rules.
Established For the TCP protocol only; requires an established
connection. A match occurs if the TCP datagram has the ACK or RST
control bits set. The non-matching case is that of the initial TCP datagram
to form a connection.
Navigation Path
The Protocol Selector dialog box can be accessed from the Add and Edit Zone based Firewall Rule dialog
boxes (described in Adding and Editing Zone-based Firewall Rules, page 18-58). In either dialog box,
choose any Action except Content Filter and then click the Select button next to the Protocol table.
You can also open the Protocol Selector dialog box by right-clicking the Inspected Protocol column for
any entry in the Zone Based Firewall Rules table, and then choosing Edit Protocols.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Adding and Editing Zone-based Firewall Rules, page 18-58
Selecting Objects for Policies, page 6-2
Configure Protocol Dialog Box, page 18-63
Element Description
Available Protocols A list of protocols that can be selected for a zone-based firewall rule.
Tip You can create a custom protocol by clicking the Create button below
the Selected Protocols column, opening the Configure Protocol
Dialog Box, page 18-63.
Selected Protocols The list of protocols you have selected for this zone-based firewall rule.
Tip You can edit Port Application Mapping (PAM) settings for the
protocol highlighted in the Selected Protocols column: click the Edit
button below the Selected Protocols column to open the Configure
Protocol Dialog Box, page 18-63.
>> button Moves the highlighted protocols from the Available Protocols column to the
Selected Protocols column. You can select multiple protocols using the
standard Shift-click and Ctrl+click functions.
<< button Moves the highlighted protocols from the Selected Protocols column back to
the Available Protocols column. You can select multiple protocols using the
standard Shift-click and Ctrl+click functions.
Navigation Path
The Configure Protocol dialog box is accessed from the Protocol Selector Dialog Box, page 18-62,
as follows:
Click the Create (+) button below the Selected Protocols list to create a new protocol.
Select a protocol in the Selected Protocols list, and click the Edit (pencil) button to edit that protocol.
Related Topics
Understanding the Zone-based Firewall Rules, page 18-3
Adding Zone-Based Firewall Rules, page 18-12
Protocol Selector Dialog Box, page 18-62
Element Description
Protocol Name The name of the selected protocol. If you are creating a custom protocol, you
can enter a name of up to 19 characters. Custom protocol names must begin
with user-.
Enable Signature This option is available only when editing the peer-to-peer (eDonkey,
FastTrack, Gnutella, Kazaa2) protocols.
Enabling this option means Network-based Application Recognition (NBAR)
heuristics will be applied to the traffic to detect telltales that signify
specific P2P application activity. These telltales includes port-hopping and
other changes in application behavior to avoid traffic detection.
Note This level of traffic inspection comes at the price of increased CPU
utilization and reduced network throughput capability.
Deep Inspection This option is available only when editing the H.323, HTTP, IM (AOL, ICQ,
MSN Messenger, Windows Messenger, and Yahoo Messenger), IMAP, P2P
(eDonkey, FastTrack, Gnutella, Kazaa2), POP3, SIP, SMTP, Sun RPC
protocols, and Inspect is the chosen Action for the zone-based firewall rule.
Enter or Select the name of the Inspect policy map to be used with the
selected protocol. See Configuring Inspection Maps for Zone-based Firewall
Policies, page 18-15 for more information about these policy maps.
Protocol Info This option is available only when editing the Instant Messaging (AOL,
ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger) and
Stun-ice protocols.
Enter or Select the name of the Protocol Info parameter map to be used with
the selected protocol. These parameter maps define the DNS servers that
interact with these applications, which helps the Instant Messaging (IM)
application engine recognize the IM traffic and enforce the configured policy
for that IM application.
See Configuring Protocol Info Parameter Maps, page 18-31 for more
information about these parameter maps.
Port Application Mapping These options let you customize the Port Application Mapping (PAM)
parameters for the selected protocol.
Protocol Select the transport protocol(s) for this mapping:
TCP/UDP
TCP
UDP
Ports Enter any combination of a single port number, multiple port numbers, or a
range of ports (for example, 60000-60005). Separate multiple entries with
commas. Do not specify a range that overlaps already mapped ports.
Networks If this protocol/port mapping is only for specific networks or hosts, enter the
names or IP addresses of the networks or hosts, or the names of the
network/host objects. You can click Select to open the Networks/Hosts
Selector. Separate multiple entries with commas.
Transparent firewall rules are access control rules for non-IP layer 2 traffic. You can use these rules to
permit or drop traffic based on the Ethertype value in the layer-2 packet.
This chapter contains the following topics:
Configuring Transparent Firewall Rules, page 19-1
Transparent Rules Page, page 19-3
Tip On ASA, PIX, and FWSM in transparent mode, you must configure access rules to allow any IP traffic
to pass through the device. Transparent rules control layer 2 non-IP traffic only.
Also, see NAT in Transparent Mode, page 20-15 for information about using network address
translation on security devices.
You can also configure other types of firewall rules on these interfaces. The other types of rules apply to
layer-3 and higher traffic.
Tip If you configure any transparent rule, an implicit deny all rule is added at the end of the rule list for each
interface. You must ensure that you permit all desired traffic. You might want to include a permit any
(for ASA/PIX/FWSM devices) or permit 0x0000 0xFFFF (for IOS devices) rule as the final rule in the
table if your desire is simply to deny specific types of traffic, rather than permitting only specific types
of traffic.
Related Topics
Adding and Removing Rules, page 12-8
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-17
Step 1 Do one of the following to open the Transparent Rules Page, page 19-3:
(Device view) Select Firewall > Transparent Rules from the Policy selector for a supported
device type.
(Policy view) Select Firewall > Transparent Rules from the Policy Type selector. Select an
existing policy or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and
select Add Row. This opens the Add and Edit Transparent Firewall Rule Dialog Boxes, page 19-5.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific
information on configuring the fields, see Add and Edit Transparent Firewall Rule Dialog Boxes,
page 19-5.
Permit or DenyWhether you are allowing traffic that matches the rule or dropping it.
InterfacesThe interface or interface role for which you are configuring the rule.
The direction of traffic to which this rule should apply (in or out). The default is in.
EtherTypeThe hexadecimal code or keyword (for ASA/PIX/FWSM only) that identifies the
traffic. For a list of codes, see RFC 1700 at http://www.ietf.org/rfc/rfc1700.txt and search for Ether
Type. For ASA/PIX/FWSM, you can select a keyword to identify some EtherTypes. For
ASA/PIX/FWSM, the code must be 0x0600 at minimum.
MaskFor rules applied to IOS devices, you must also specify a mask to apply to the EtherType.
Use 0xFFFF to have the EtherType interpreted literally.
If you want to create a single rule to apply to a group of EtherTypes, convert the EtherTypes to binary
and calculate an appropriate mask where 1 means to interpret the EtherType literally, and 0 means
that any value should be allowed in the position. You must then convert your mask into hexadecimal.
Click OK when you are finished defining your rule.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-16.
Step 5 (IOS devices only) If you are configuring transparent rules on an IOS device, you can forward DHCP
traffic across the bridge without inspection. To configure this, select the Firewall > Settings >
Inspection policy and select the Permit DHCP Passthrough (Transparent Firewall) option. This
setting is not supported on all IOS versions, so carefully inspect validation results to see if it will be
configured on your device.
Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration,
disabled rules are removed from the device. For more information, see Enabling and Disabling Rules,
page 12-17.
Navigation Path
To access Transparent Rules, do one of the following:
(Device view) Select Firewall > Transparent Rules from the Policy selector for a supported
device type.
(Policy view) Select Firewall > Transparent Rules from the Policy Type selector. Select an
existing policy or create a new one.
(Map view) Right-click a device and select Edit Firewall Policies > Transparent Rules.
Related Topics
Interfaces in Routed and Transparent Modes, page 39-4.
Configuring Bridging Policies on Firewall Devices, page 39-17
Bridging on Cisco IOS Routers, page 53-18
Field Reference
Element Description
No. The ordered rule number.
Permit Whether a rule permits or denies traffic based on the conditions set:
PermitShown as a green check mark.
DenyShown as a red circle with slash.
EtherType The Ethernet packet type, which is the EtherType value in the packet. This
can be a hexadecimal code or a keyword.
Mask The 16-bit hexadecimal mask for the EtherType (for IOS devices only). A
mask of 0xFFFF indicates the EtherType is literal. Any other mask indicates
the corresponding bits in the EtherType to ignore. You must convert the
hexadecimal number to binary to fully interpret the mask (binary 1 means
interpret the corresponding EtherType value literally, 0 means allow any
value at that position).
Interface The interfaces or interface roles to which the rule is assigned. Interface role
objects are replaced with the actual interface names when the configuration
is generated for each device. Multiple entries are displayed as separate
subfields within the table cell. See Understanding Interface Role Objects,
page 6-55.
Dir. The direction of the traffic to which this rule applies:
InPackets entering the interface.
OutPackets exiting the interface.
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description The description of the rule, if any.
Up Row and Down Row Click these buttons to move the selected rules up or down within a scope or
buttons (arrow icons) section. For more information, see Moving Rules and the Importance of Rule
Order, page 12-16.
Add Row button Click this button to add a rule to the table after the selected row using the
Add and Edit Transparent Firewall Rule Dialog Boxes, page 19-5. If you do
not select a row, the rule is added at the end of the local scope. For more
information about adding rules, see Adding and Removing Rules, page 12-8.
Edit Row button Click this button to edit the selected rule. You can also edit individual cells.
For more information, see Editing Rules, page 12-9.
Delete Row button Click this button to delete the selected rule.
Navigation Path
From the Transparent Rules Page, page 19-3, click the Add Row button or select a row and click the
Edit Row button.
Related Topics
Interfaces in Routed and Transparent Modes, page 39-4.
Configuring Bridging Policies on Firewall Devices, page 39-17
Bridging on Cisco IOS Routers, page 53-18
Defining Bridge Groups, page 53-19
Bridge-Group Virtual Interfaces, page 53-18
Editing Rules, page 12-9
Adding and Removing Rules, page 12-8
Field Reference
Table 19-2 Add and Edit Transparent Firewall Rule Dialog Boxes
Element Description
Enable Rule Whether to enable the rule, which means the rule becomes active when you
deploy the configuration to the device. Disabled rules are shown overlain
with hash marks in the rule table. For more information, see Enabling and
Disabling Rules, page 12-17.
Action Whether the rule permits or denies traffic based on the conditions you define.
Interfaces The interfaces or interface roles to which the rule is assigned. You must
select only bridged, transparent interfaces (for more specific information,
see Configuring Transparent Firewall Rules, page 19-1).
Enter the name of the interface or the interface role, or click Select to select
the interface or role from a list, or to create a new role. An interface must
already be defined to appear on the list.
Interface role objects are replaced with the actual interface names when the
configuration is generated for each device. See Understanding Interface Role
Objects, page 6-55.
Traffic Direction The direction of the traffic to which this rule applies:
InPackets entering an interface.
OutPackets exiting an interface.
Table 19-2 Add and Edit Transparent Firewall Rule Dialog Boxes (Continued)
Element Description
EtherType The hexadecimal code or keyword (for ASA/PIX/FWSM only) that
identifies the traffic based on the EtherType value in the packet. Enter or
select the following:
The hexadecimal EtherType value. For a list of codes, see RFC 1700 at
http://www.ietf.org/rfc/rfc1700.txt and search for Ether Type.
IOS devicesYou can enter any value from 0x0000 to 0xFFFF.
ASA/PIX/FWSM devicesThe value must be 0x0600 or higher.
For ASA/PIX/FWSM devices, you can also select these keywords:
bpduSpanning Tree Bridge Protocol Data Units
ipxInternet Packet Exchange
mpls-unicastMulti-Protocol Label Switching, unicast.
mpls-multicastMPLS multicast.
anyAny packet regardless of EtherType.
Wildcard Mask (IOS) The mask is a 16-bit hexadecimal number that determines how the EtherType
code is interpreted.
A mask of 0xFFFF indicates the EtherType is literal. Any other mask
indicates the corresponding bits in the EtherType to ignore. You must convert
the hexadecimal number to binary to fully interpret the mask (binary 1 means
interpret the corresponding EtherType value literally, 0 means allow any
value at that position).
Category The category assigned to the rule. Categories help you organize and identify
rules and objects. See Using Category Objects, page 6-9.
Description An optional description of the rule (up to 1024 characters).
Navigation Path
Right-click the EtherType cell in a transparent rule (on the Transparent Rules Page, page 19-3) and select
Edit EtherType. You can edit the EtherType for one row at a time.
Navigation Path
Right-click the Mask cell in a transparent rule (on the Transparent Rules Page, page 19-3) and select
Edit Mask. You can edit the mask for one row at a time.
These topics provide conceptual information about network address translation (NAT) in general, and
about translation types and various implementations:
Understanding Network Address Translation, page 20-2
Types of Address Translation, page 20-3
About Simplified NAT on ASA 8.3+ Devices, page 20-4
The following topics describe configuration and management of NAT rules on various Cisco devices:
Note In this document, all types of translation are generally referred to as NAT; see Types of Address
Translation, page 20-3 for descriptions of the various types. When describing NAT, the terms inside and
outside represent the security relationship between any two interfaces. The higher security level is inside
and the lower security level is outside.
The release of ASA version 8.3 provides a simplified, interface-independent approach to configuring
network address translation, as compared to earlier ASA versions and other devices. See About
Simplified NAT on ASA 8.3+ Devices, page 20-4 for more information.
Related Topics
Types of Address Translation, page 20-3
About Simplified NAT on ASA 8.3+ Devices, page 20-4
Note While certain of these types do not apply to ASA 8.3 and later devices, the ASA 8.3+ devices do provide
a Dynamic NAT and PAT option, which is Dynamic NAT with Dynamic PAT back-up feature.
Destination Translation
With manual static rules, in addition to source address translation, you also can configure destination
address translation. Source and destination translation are defined at the same time, in the same dialog
box. Again, while source translation can be static or dynamic, destination translation is always static,
and is only available with manual rules.
Many-to-one Addressing
Generally, static NAT rules are configured with one-to-one address mapping. However, you can now
define static NAT rules in which many IP addresses map to a few or one IP address. Functionally,
many-to-few is the same as many-to-one, but because the configuration is more complicated, we
recommend creating a many-to-one rule for each address as needed.
Many-to-one addressing might be useful, for example, in a situation where a range of public IP addresses
is used to reach a load balancer which redirects requests to an internal network.
Related Topics
Configuring NAT on ASA 8.3+ Devices, page 20-32
Add and Edit NAT Rule Dialog Boxes, page 20-35
Add or Edit Network/Host Dialog Box: NAT Tab, page 20-38
Navigation Path
(Device view) Select NAT from the Policy selector.
(Policy view) Select NAT (Router) from the Policy Type selector. Select an existing policy from the
Shared Policy selector, or create a new one.
Navigation Path
(Device view) Select NAT from the Policy selector, then click the Interface Specification tab.
(Policy view) Select NAT (Router) > Translation Rules from the Policy Type selector. Select an
existing policy or create a new one, and then click the Interface Specification tab.
Related Topics
NAT Policies on Cisco IOS Routers, page 20-5
NAT Page: Static Rules, page 20-6
NAT Page: Dynamic Rules, page 20-10
NAT Page: Timeouts, page 20-13
NAT Page: Timeouts, page 20-13
Note We strongly recommend that you do not perform NAT on traffic that will be transmitted over a VPN.
Translating addresses on this traffic causes it to be sent out unencrypted instead of encrypted over
the VPN.
The procedure for creating a static rule depends on whether the address being translated represents a
port, a single host, or an entire subnet:
You define a static NAT rule for a single host by entering the original address to translate and
the global address to which it is translated. The global address may be taken from an interface on
the device.
You define a static NAT rule for a subnet by entering one of the addresses in the subnet
(including the subnet mask) as the original address, and one of the global addresses that you want
to use as the translated address. The router configures the remaining addresses based on the subnet
mask you provide.
You define a static NAT rule for a port by entering the original IP address and the global address to
which it should be translated. The global address may be taken from an interface on the device. In
addition, you must select the protocol used by the port, as well as the local and global port numbers.
The Add Static NAT Rule and Edit Static NAT Rule dialog boxes are used to add and edit these rules.
Refer to NAT Static Rule Dialog Boxes, page 20-7 for descriptions of the fields displayed in the table
on this page.
Navigation Path
(Device view) Select NAT from the Policy selector, then click the Static Rules tab.
(Policy view) Select NAT (Router) > Translation Rules from the Policy Type selector. Select an
existing policy or create a new one, and then click the Static Rules tab.
Related Topics
NAT Policies on Cisco IOS Routers, page 20-5
NAT Page: Dynamic Rules, page 20-10
NAT Page: Timeouts, page 20-13
Standard Security Manager rules table topics:
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Table Columns and Column Heading Features, page 1-34
Navigation Path
Go to the NAT Page: Static Rules, page 20-6 tab; click the Add button beneath the table to add a new
rule, or select a rule in the table and click Edit to update that rule.
Related Topics
Understanding Interface Role Objects, page 6-55
Field Reference
Element Description
Static Rule Type The type of local address to be translated by this static rule:
Static Host A single host requiring static address translation.
Static Network A subnet requiring static address translation.
Static Port A single port requiring static address translation. If you
select this option, you must define the Port Redirection parameters.
Original Address An IP address, or the name of a network/host object representing the
address(es) to be translated. You can enter or Select the object name.
Network/host objects are logical collections of IP addresses that represent
networks, hosts, or both. See Understanding Network/Host Objects,
page 6-62 for more information.
Note Do not enter a local address belonging to this router, as it could cause
Security Manager management traffic to be translated. Translating
this traffic will cause a loss of communication between the router and
Security Manager.
Translated Address Use the options in this section of the dialog box to specify the address(es) to
which the Original Address(es) are translated:
Specify IP Select this option to specify an IP address, or the name of
a network/host object that provides the translated address(es). Add an IP
address, or the name of a network/host object, in the Translated
IP/Network field. You can enter or Select the object name.
Use Interface IP Select this option to specify that the IP address
assigned to a particular interface be used as the translated address. Enter
or Select the name of the desired Interface. (This is typically the
interface from which translated packets leave the router.)
Note This option is not available when Static Network is the chosen rule
type. Only one static rule may be defined per interface.
Port Redirection These parameters specify port information for the address translations. Port
address translation lets you to use the same public IP address for multiple
devices as long as the port specified for each device is different.
Note These parameters are available only when Static Port is the chosen
rule type.
Redirect Port When Static Port is chosen as the rule type, this box is
automatically checked; it cannot be changed. Enter the appropriate
information in the following fields:
Protocol The communications protocol used for these ports: TCP
or UDP.
Local Port The port number on the source network. Valid values range
from 1 to 65535.
Global Port The port number on the destination network that the
router is to use for this translation. Valid values range from 1 to 65535.
Element Description
Advanced This section contains optional, advanced translation options.
Note The Advanced options are available only when the Specify IP option
is the selected method for defining the translated address(es).
Overlapping networks result when you assign an IP address to a device on your network that is already
legally owned and assigned to a different device on the Internet or outside network. Overlapping
networks can also result after the merger of two companies using RFC 1918 IP addresses in their
networks. These two networks need to communicate, preferably without your having to re-address all
their devices.
This communication is achieved as follows. The outside device cannot use the IP address of the inside
device because it is the same as the address assigned to itself (the outside device). Instead, the outside
device sends a Domain Name System (DNS) query for the inside devices domain name. The source of
this query is the IP address of the outside device, which is translated to an address from a designated
address pool. The DNS server located on the inside network replies with the IP address associated with
the inside devices domain name in the data portion of the packet. The destination address of the reply
packet is translated back to the outside devices address, and the address in the data portion of the reply
packet is translated to an address from a different address pool. In this way, the outside device learns that
the IP address for the inside device is one of the addresses from that second address pool, and it uses this
address when it communicates with the inside device. The router running NAT takes care of the
translations at this point.
To disable the translation of the address inside the payload, check the No Payload option when you
create a static NAT rule based on a global IP translation.
Note By default, Security Manager does not perform NAT on traffic that is meant to be transmitted over a
VPN. Otherwise, any traffic appearing in both the NAT ACL and the crypto ACL defined on an interface
would be sent out unencrypted because NAT is always performed before encryption. However, you can
change this default setting.
Tip You can perform PAT on split-tunneled traffic on the spokes of your VPN topology directly from the
Global VPN Settings page. There is no need to create a dynamic NAT rule for each spoke. Any NAT
rules that you define on an individual device override the VPN setting. For more information, see NAT
Settings Tab, page 22-19.
The Add Dynamic NAT Rule and Edit Static NAT Rule dialog boxes are used to add and edit these rules.
Refer to NAT Dynamic Rule Dialog Box, page 20-11 for descriptions of the fields displayed in the table
on this page.
Navigation Path
(Device view) Select NAT from the Policy selector, then click the Dynamic Rules tab.
(Policy view) Select NAT (Router) > Translation Rules from the Policy Type selector. Select an
existing policy or create a new one, and then click the Dynamic Rules tab.
Related Topics
NAT Policies on Cisco IOS Routers, page 20-5
NAT Page: Static Rules, page 20-6
NAT Page: Timeouts, page 20-13
Standard Security Manager rules table topics:
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Table Columns and Column Heading Features, page 1-34
Navigation Path
Go to the NAT Page: Dynamic Rules, page 20-10 tab; click the Add button beneath the table to add a
new rule, or select a rule in the table and click Edit to update that rule.
Related Topics
Creating Access Control List Objects, page 6-40
Understanding Interface Role Objects, page 6-55
Field Reference
Element Description
Traffic Flow In the Access List field, enter or Select the name of the access control list
(ACL) object whose entries define the addresses requiring dynamic
translation.
Note Make sure that the specified ACL does not permit the translation of
Security Manager management traffic over any device address on
this router. Translating this traffic will cause a loss of
communication between the router and Security Manager.
Element Description
Translated Address Use the options in this section of the dialog box to specify the method and
address(es) used for dynamic translation:
Use Interface IP Select this option to specify that the globally
registered IP address assigned to a particular interface be used as the
translated address; port addressing ensures each translation is unique.
(The Enable Port Translation (Overload) option is checked
automatically when you select Use Interface IP.)
Enter or Select the name of the desired Interface. This is typically the
interface from which translated packets leave the router, meaning the
interface or interface role must represent an outside interface on the
router (see NAT Page: Interface Specification, page 20-6).
Address Pool Select this option to base address translation on the
addresses you specify in the Network Ranges pool.
Enter one or more address ranges, including the prefix, using the format
min1-max1/prefix (in CIDR notation), where prefix represents a
valid netmask. For example, 172.16.0.0-172.31.0.223/12.
You can add as many address ranges to the address pool as required,
but all ranges must share the same prefix. Separate multiple entries
with commas.
Settings This section contains two options
Enable Port Translation (Overload) When selected, the router uses
port addressing (PAT) if supply of global addresses in the address pool
is depleted; when deselected, PAT is not used.
Note When you use select Use Interface IP in the Translated Address
section, this box is checked automatically; it cannot be changed.
This setting applies only in situations where the NAT ACL overlaps the
crypto ACL used by the site-to-site VPN. Because the interface
performs NAT first, any traffic arriving from an address within this
overlap would get translated, causing the traffic to be sent unencrypted.
Leaving this box checked prevents that from happening.
Note This option does not apply to remote access VPNs.
Note If you disable the Port Translation (Overload) feature for all dynamic rules, you need not enter any
PAT-related timeout values. However, you can still modify the default timeout value for non-PAT
dynamic translations. (By default, all dynamic translations expire after 24 hours.) For more information
about the Overload feature, see NAT Dynamic Rule Dialog Box, page 20-11.
Navigation Path
(Device view) Select NAT from the Policy selector, then click the Timeouts tab.
(Policy view) Select NAT (Router) > Translation Rules from the Policy Type selector. Select an
existing policy or create a new one, and then click the Timeouts tab.
Related Topics
NAT Page: Interface Specification, page 20-6
NAT Page: Static Rules, page 20-6
NAT Page: Dynamic Rules, page 20-10
Field Reference
Element Description
Max Entries The maximum number of entries allowed in the dynamic NAT table.
You can enter a value between 1 and 2147483647, or you can leave the
field blank (the default), which means that the number of entries in the
table is unlimited.
Timeout (sec.) The number of seconds after which dynamic translations expire; this
does not apply to PAT (overload) translations. The default is 86400
seconds (24 hours).
Element Description
UDP Timeout (sec.) The timeout value applied to User Datagram Protocol (UDP) ports. The
default is 300 seconds (5 minutes).
Note This value applies only when Port Translation (Overload) is
enabled for a dynamic NAT rule; see NAT Dynamic Rule
Dialog Box, page 20-11.
DNS Timeout (sec.) The timeout value applied to Domain Naming System (DNS) server
connections. The default is 60 seconds.
Note This value applies only when Port Translation (Overload) is
enabled for a dynamic NAT rule; see NAT Dynamic Rule
Dialog Box, page 20-11.
TCP Timeout (sec.) The timeout value applied to Transmission Control Protocol (TCP)
ports. The default is 86400 seconds (24 hours).
Note This value applies only when Port Translation (Overload) is
enabled for a dynamic NAT rule; see NAT Dynamic Rule
Dialog Box, page 20-11.
FINRST Timeout (sec.) The timeout value applied when a Finish (FIN) packet or Reset (RST)
packet (both of which terminate connections) is found in the TCP
stream. The default is 60 seconds.
Note This value applies only when Port Translation (Overload) is
enabled for a dynamic NAT rule; see NAT Dynamic Rule
Dialog Box, page 20-11.
ICMP Timeout (sec.) The timeout value applied to Internet Control Message Protocol
(ICMP) flows. The default is 60 seconds.
Note This value applies only when Port Translation (Overload) is
enabled for a dynamic NAT rule; see NAT Dynamic Rule
Dialog Box, page 20-11.
PPTP Timeout (sec.) The timeout value applied to NAT Point-to-Point Tunneling Protocol
(PPTP) flows. The default is 86400 seconds (24 hours).
Note This value applies only when Port Translation (Overload) is
enabled for a dynamic NAT rule; see NAT Dynamic Rule
Dialog Box, page 20-11.
SYN Timeout (sec.) The timeout value applied to TCP flows after a synchronous
transmission (SYN) message (used for precise clocking) is
encountered. The default is 60 seconds.
Note This value applies only when Port Translation (Overload) is
enabled for a dynamic NAT rule; see NAT Dynamic Rule
Dialog Box, page 20-11.
Navigation Path
(Device view) Select NAT > Translation Options from the Device Policy selector.
(Policy view) Select NAT (PIX/ASA/FWSM) > Translation Options from the Policy Type
selector. Select an existing policy from the Shared Policy selector, or right-click Translation
Options to create a new policy.
Related Topics
NAT Policies on Security Devices, page 20-15
Field Reference
Element Description
Enable traffic through When selected, lets traffic pass through the security appliance without
the firewall without address translation. If this option is not selected, any traffic that does
address translation not match a translation rule will be dropped.
Note This option is available only on PIX 7.x, FWSM 3.x, and
ASA devices.
Enable xlate bypass When selected, establishment of NAT sessions for untranslated traffic
is disabled (this feature is called xlate bypass).
Note This option is available only on FWSM 3.2 and higher.
By default, the FWSM creates NAT sessions for all connections even if
NAT is not used. For example, a session is created for each untranslated
connection even if NAT control is not enabled, if NAT exemption or
identity NAT is used, or if you use same-security interfaces and do not
configure NAT. Because there is a maximum number of NAT sessions
(266,144 concurrent), these kinds of NAT sessions might cause you to
run into the limit. To avoid reaching the limit, enable xlate bypass.
If you disable NAT control and have untranslated traffic or use NAT
exemption, or if you enable NAT control and use NAT exemption, then
with xlate bypass, the FWSM does not create a session for those types
of untranslated traffic. However, NAT sessions are still created in the
following instances:
You configure identity NAT (with or without NAT
control)identity NAT is considered to be a translation.
You use same-security interfaces with NAT control. Traffic
between same-security interfaces create NAT sessions even when
you do not configure NAT for the traffic. To avoid NAT sessions in
this case, disable NAT control, or use NAT exemption as well as
xlate bypass.
Element Description
Do not translate VPN traffic When selected, VPN traffic passes through the security appliance
without address translation.
Clear translates for When selected, the translation slots assigned to dynamic translations
existing connections and any associated connections are cleared following each session.
Each session connecting through the security appliance, and
undergoing some form of NAT or PAT, is assigned a translation slot
known as an xlate. These translation slots can persist after the session
is complete, which can lead to a depletion of translation slots,
unexpected traffic behavior, or both.
Address Pools
Use the Address Pools page to view and manage the global address pools used in dynamic NAT rules.
The Address Pool dialog box is used to add and edit these address pools. Refer to Address Pool Dialog
Box, page 20-18 for descriptions of the fields displayed in the Global Address Pools table on this page.
Navigation Path
(Device view) Select NAT > Address Pools from the Device Policy selector.
(Policy view) Select NAT (PIX/ASA/FWSM) > Address Pools from the Policy Type selector.
Select an existing policy from the Shared Policy selector, or right-click Address Pools to create a
new policy.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Use the Address Pool dialog box to add or edit a global address pool for use in dynamic NAT rules.
Navigation Path
You open the Address Pool dialog box by clicking the Add Row or Edit Row buttons on the Address
Pools, page 20-17.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Field Reference
Element Description
Interface Name Enter or Select the name of the device interface on which the mapped IP
addresses will be used.
Pool ID Enter a unique identification number for this address pool, an integer
between 1 and 2147483647. When configuring a dynamic NAT rule, you
select a Pool ID to specify the pool of addresses to be used for translation.
IP address ranges Enter or Select the addresses to be assigned to this address pool. You can
specify these addresses as follows:
Address range for dynamic NAT (e.g., 192.168.1.1-192.168.1.15)
Subnetwork (e.g., 192.168.1.0/24)
List of addresses separated by commas (e.g., 192.168.1.1, 192.168.1.2,
192.168.1.3)
Single address to use for PAT (e.g., 192.168.1.1)
Combinations of the above (e.g., 192.168.1.1-192.168.1.15,
192.168.1.25)
Names of hosts on the connected network; these will be resolved to IP
addresses.
Description Enter a description for the address pool.
Enable Interface PAT When checked, port address translation is enabled on the specified interface.
Note Translation exemptions are only supported by PIX, ASA and FWSM devices in router mode,
and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only
static translation rules.
Dynamic Rules Tab, page 20-21 Use this tab to configure dynamic NAT and PAT rules.
Note Dynamic translation rules are only supported by PIX, ASA and FWSM devices in router
mode, and FWSM 3.2 devices in transparent mode. Other devices in transparent mode
support only static translation rules.
Policy Dynamic Rules Tab, page 20-23 Use this tab to configure dynamic translation rules based
on source and destination addresses and services.
Note Policy dynamic rules are only supported by PIX, ASA and FWSM devices in router mode,
and FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only
static translation rules.
Static Rules Tab, page 20-25 Use this tab to configure static translation rules for a security
appliance or shared policy.
General Tab, page 20-30 Use this tab to view all current translation rules, listed in the order that
they will be evaluated on the device.
Note The General tab is visible only for PIX, ASA and FWSM devices in router mode, and FWSM
3.2 devices in transparent mode. Other devices in transparent mode support only static
translation rules and do not need to display summary information.
Navigation Path
To access the Translation Rules page, do one of the following:
(Device view) Select NAT > Translation Rules from the Device Policy selector.
(Policy view) Select NAT (PIX/ASA/FWSM) > Translation Rules from the Policy Type selector.
Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create
a new policy.
Note Translation exemptions are only supported by PIX, ASA and FWSM devices in router mode, and FWSM
3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Translation Exemptions (NAT 0 ACL) tab from the Translation Rules: PIX, FWSM,
and pre-8.3 ASA, page 20-18 page.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Advanced NAT Options Dialog Box, page 20-28
General Tab, page 20-30
Standard Security Manager rules table topics:
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Table Columns and Column Heading Features, page 1-34
Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to define and edit translation
exemption rules on PIX, FWSM and pre-8.3 ASA devices in router mode, and FWSM 3.2 devices in
transparent mode.
Navigation Path
You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box from the Translation
Exemptions (NAT 0 ACL) tab. See Translation Exemptions (NAT 0 ACL), page 20-19 for more information.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 20-18
Advanced NAT Options Dialog Box, page 20-28
Field Reference
Table 20-7 Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Element Description
Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule
without deleting it.
Action Select the action for this rule:
exempt The rule identifies traffic that is exempt from NAT.
do not exempt The rule identifies traffic that is not exempt from NAT.
Original: Interface Enter the name of (or Select) the device interface to which the rule applies.
Original: Sources Enter IP addresses for (or Select) the source hosts and network objects to
which the rule applies. Multiple entries must be separated by commas.
Note that this parameter is displayed in the Translation Exemptions (NAT 0
ACL) table under the column heading Original Address.
Translated: Direction The rule can be applied to Inbound or Outbound traffic, as specified with
this option.
Traffic flow: Enter IP addresses for (or Select) the destination hosts and network objects
Destinations to which the rule applies. Multiple entries must be separated by commas.
Table 20-7 Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box (Continued)
Element Description
Category To assign the rule to a category, choose the category from this list. Categories
can help identify rules and objects using labels and color-coding.
To define categories, select Tools > Policy Object Manager > Category.
See Using Category Objects, page 6-9 for more information.
Note No commands are generated for the Category attribute.
Description Enter a description of the rule.
Advanced button Click to open the Advanced NAT Options Dialog Box, page 20-28 to
(FWSM only) configure advanced settings for this rule.
Note Dynamic translation rules are only supported by PIX, ASA and FWSM devices in router mode, and
FWSM 3.2 devices in transparent mode. Other devices in transparent mode support only static
translation rules.
Navigation Path
You can access the Dynamic Rules tab from the Translation Rules page. For more information about the
Translation Rules page, see Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 20-18.
Note By default, only standard Dynamic Rule elements are displayed in this table. Additional columns for
elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any
column heading. (All columns are displayed by default on the General Tab, page 20-30.)
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Advanced NAT Options Dialog Box, page 20-28
Select Address Pool Dialog Box, page 20-22
General Tab, page 20-30
Use the Add/Edit Dynamic Translation Rule dialog box to define and edit dynamic NAT and PAT rules.
Navigation Path
You can access the Add/Edit Dynamic Translation Rule dialog box from the Dynamic Rules tab. See
Dynamic Rules Tab, page 20-21 for more information.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 20-18
Advanced NAT Options Dialog Box, page 20-28
Select Address Pool Dialog Box, page 20-22
Field Reference
Element Description
Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule
without deleting it.
Original: Interface Enter the name or Select the device interface to which the rule applies.
Original: Address Enter IP addresses for (or Select) the source hosts and network objects to
which the rule applies. Multiple entries must be separated by commas.
Translated: Pool Enter (or Select) the ID number of the pool of addresses used for translation;
clicking Select opens the Select Address Pool Dialog Box, page 20-22.
Enter a value of zero to specify this as an identity NAT rule.
Translated: Direction The rule can be applied to Inbound or Outbound traffic, as specified with
this option.
Advanced button Click to open the Advanced NAT Options Dialog Box, page 20-28 to
configure advanced settings for this rule.
The Select Address Pool dialog box presents a list of global address pools; these pools are defined and
managed via the Address Pools, page 20-17. Use this dialog box to select an address pool for use by a
dynamic translation rule, or a policy dynamic translation rule.
Navigation Path
You can access the Select Address Pool dialog box from the Add/Edit Dynamic Translation Rule Dialog
Box, page 20-22 when adding or editing a dynamic translation rule, or from the Add/Edit Policy
Dynamic Rules Dialog Box, page 20-24 when adding or editing a policy dynamic translation rule.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 20-18
Address Pools, page 20-17
Field Reference
Element Description
Pool ID The identification number of the address pool.
Interface The name of the device interface to which the address pool applies.
IP Address Ranges The IP addresses assigned to the pool; interface in this list indicates PAT
is enabled on the specified Interface.
Description The description provided for the address pool.
Selected Row This field identifies the pool currently selected in the list. When you click
OK to close the dialog box, this pool is assigned to the translation rule.
Note Policy dynamic rules are only supported by PIX, ASA and FWSM devices in router mode, and FWSM
3.2 devices in transparent mode. Other devices in transparent mode support only static translation rules.
Navigation Path
You can access the Policy Dynamic Rules tab from the Translation Rules page. See Translation Rules:
PIX, FWSM, and pre-8.3 ASA, page 20-18 for more information.
Note By default, only standard Policy Dynamic Rule elements are displayed in this table. Additional columns
for elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any
column heading. (All columns are displayed by default on the General Tab, page 20-30.)
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Add/Edit Policy Dynamic Rules Dialog Box, page 20-24
Advanced NAT Options Dialog Box, page 20-28
Select Address Pool Dialog Box, page 20-22
General Tab, page 20-30
Use the Add/Edit Policy Dynamic Rules dialog box to define and edit dynamic translation rules based
on source and destination addresses and services.
Navigation Path
You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy Dynamic Rules tab. See
Policy Dynamic Rules Tab, page 20-23 for more information.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 20-18
Policy Dynamic Rules Tab, page 20-23
Advanced NAT Options Dialog Box, page 20-28
Select Address Pool Dialog Box, page 20-22
Field Reference
Element Description
Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule
without deleting it.
Original: Interface Enter the name of (or Select) the device interface to which the rule applies.
Original: Sources Enter IP addresses for (or Select) the source hosts and network objects to
which the rule applies. Multiple entries must be separated by commas.
Note that this parameter is displayed in the Policy Dynamic Rules table
under the column heading Original Address.
Translated: Pool Enter (or Select) the ID number of the pool of addresses used for translation;
clicking Select opens the Select Address Pool Dialog Box, page 20-22.
Enter a value of zero to specify this as an identity NAT rule.
Translated: Direction The rule can be applied to Inbound or Outbound traffic, as specified with
this option.
Traffic flow: Enter IP addresses for (or Select) the destination hosts and network objects
Destinations to which the rule applies. Multiple entries must be separated by commas.
Traffic flow: Services Enter (or Select) the services to which the rule applies. Multiple entries must
be separated by commas.
Element Description
Category To assign the rule to a category, choose the category from this list. Categories
can help identify rules and objects using labels and color-coding.
To define categories, select Tools > Policy Object Manager > Category.
See Using Category Objects, page 6-9 for more information.
Note No commands are generated for the Category attribute.
Description Enter a description of the rule.
Advanced button Click to open the Advanced NAT Options Dialog Box, page 20-28 to
configure advanced settings for this rule.
Caution The order of Static NAT rules on a security device is important, and Security Manager preserves this
ordering during deployment. However, security appliances do not support in-line editing of Static NAT
rules. This means that if you move, edit, or insert a rule anywhere above the end of the list, Security
Manager will remove from the device all Static NAT rules that follow the new or modified rule, and then
re-send the updated list from that point. Depending on the length of the list, this can require substantial
overhead, and may result in traffic interruption. Whenever possible, add any new Static NAT rules to the
end of the list.
The Add/Edit Static Rule dialog box is used to add and edit these rules. Refer to Add/Edit Static Rule
Dialog Box, page 20-26 for descriptions of the fields displayed in the table on this page.
Navigation Path
You can access the Static Rules tab from the Translation Rules page. See Translation Rules: PIX, FWSM,
and pre-8.3 ASA, page 20-18 for more information.
Note By default, only standard Static Rules elements are displayed in this table. Additional columns for
elements defined in the Advanced NAT Options dialog box can be displayed by right-clicking any
column heading. (All columns are displayed by default on the General Tab, page 20-30.)
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Add/Edit Static Rule Dialog Box, page 20-26
Advanced NAT Options Dialog Box, page 20-28
General Tab, page 20-30
Standard rules table topics:
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Table Columns and Column Heading Features, page 1-34
Use the Add/Edit Static Rule dialog box to add or edit static translation rules for a firewall device or
shared policy.
Navigation Path
You can access the Add/Edit Static Rule dialog box from the Static Rules Tab, page 20-25.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 20-18
Advanced NAT Options Dialog Box, page 20-28
Field Reference
Element Description
Enable Rule If checked, the rule is enabled. Deselect this option to disable the rule
without deleting it.
Translation Type Select the type of translation for this rule: NAT or PAT.
Original Interface Enter (or Select) the device interface connected to the host or network with
original addresses to be translated.
Original Address Enter (or Select) the source address to be translated.
Translated Interface Enter (or Select) the interface on which the translated addresses are to
be used.
To specify this as an identity NAT rule, enter the same interface in both this
and the Original Interface fields.
Element Description
Use Interface IP/Use Specify the address used for the Translated Interface: select Use Interface IP
Selected Address (address), or select Use Selected Address and enter an address, or Select a
network/host object.
Enable Policy NAT Select this option to enable Policy NAT for this translation rule.
Dest Address If Policy NAT is enabled, specify the destination addresses of the hosts or
networks to which the rule applies.
Services If Policy NAT is enabled, enter or Select the Services to which the rule applies.
Note For Static Policy NAT, IP is the only Service that can be specified.
Use the Edit Translated Address dialog box to change just the translated address assigned to a static
translation rule. The translated address is the address to which the original address is changed. The
interfaces IP address can be used, or you can enter a specific IP address. See Static Rules Tab,
page 20-25 for more information about static rules and translated addresses.
For detailed information on editing firewall rules cells, see Editing Rules, page 12-9.
Navigation Path
Right-click the Translated Address cell in the Static Rules table (on the NAT > Translation Rules page)
and choose Edit Translated Address.
Use the Advanced NAT Options dialog box to configure the advanced connection settingsDNS
Rewrite, Maximum TCP and Maximum UDP Connections, Embryonic Limit, Timeout (PIX 6.x), and
Randomize Sequence Numberfor NAT and Policy NAT. You can also configure these options for
Translation Exemption (NAT 0 ACL) rules on an FWSM.
Navigation Path
You can access the Advanced NAT Options dialog box by clicking the Advanced button when adding or
editing a translation rule. See the following topics for more information:
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page 20-20
Add/Edit Dynamic Translation Rule Dialog Box, page 20-22
Add/Edit Policy Dynamic Rules Dialog Box, page 20-24
Add/Edit Static Rule Dialog Box, page 20-26
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Translation Rules: PIX, FWSM, and pre-8.3 ASA, page 20-18
Field Reference
Element Description
Translate the DNS If checked, the security appliance rewrites DNS replies so an outside client
replies that match the can resolve the name of an inside host using an inside DNS server, and vice
translation rule versa. For instance, if your NAT rule includes the real address of a host with
an entry in a DNS server, and the DNS server is on a different interface from
a client, then the client and the DNS server need different addresses for the
host: one needs the mapped address and one needs the real address. This
option rewrites the address in the DNS reply to the client.
As an example, assume an inside web server, www.example.com, has the IP
address 192.168.1.1, which is translated to 10.1.1.1 on the outside interface
of the appliance. An outside client sends a DNS request to an inside DNS
server, which will resolve www.example.com to 192.168.1.1. When the
reply comes to the security appliance with DNS Rewrite enabled, the
security appliance will translate the IP address in the payload to 10.1.1.1, so
that the outside client will get the correct IP address.
Note that the mapped host needs to be on the same interface as either the
client or the DNS server. Typically, hosts that need to allow access from
other interfaces use a static translation, so this option is more likely to be
used with a static rule.
Max TCP Connections Enter the maximum number of TCP connections allowed; valid values are
per Rule 0 through 65,535. If this value is set to zero, the number of connections
is unlimited.
Max UDP Connections Enter the maximum number of UDP connections allowed; valid values are
per Rule 0 through 65,535. If this value is set to zero, the number of connections
is unlimited.
Max Embryonic Enter the number of embryonic connections allowed to form before the
Connections security appliance begins to deny these connections. An embryonic
connection is a connection request that has not finished the necessary
handshake between source and destination. Set this limit to prevent attack by
a flood of embryonic connections. Valid values are 0 through 65,535. If this
value is set to zero, the number of connections is unlimited.
Any positive value enables the TCP Intercept feature. TCP Intercept protects
inside systems from a DoS attack perpetrated by flooding an interface with
TCP SYN packets. When the embryonic limit has been surpassed, the TCP
Intercept feature intercepts TCP SYN packets from clients to servers on a
higher security level. SYN cookies are used during the validation process
and help to minimize the amount of valid traffic being dropped. Thus,
connection attempts from unreachable hosts will never reach the server.
Element Description
Timeout For PIX 6.x devices, enter a timeout value for this translation rule, in the
format hh:mm:ss. This value overrides the default translation timeout
specified in Platform > Security > Timeouts, unless this value is 00:00:00, in
which case translations matching this rule use the default translation timeout
(specified in Platform > Security > Timeouts).
Randomize If checked, the security appliance randomizes the sequence numbers of TCP
Sequence Number packets. Each TCP connection has two Initial Sequence Numbers (ISNs):
one generated by the client and one generated by the server. The security
appliance randomizes the ISN of the TCP SYN in both the inbound and
outbound directions. Randomizing the ISN of the protected host prevents an
attacker from predicting the next ISN for a new connection and potentially
hijacking the new session.
Disable this feature only if:
Another in-line security appliance is also randomizing initial sequence
numbers and data is being scrambled.
You are using eBGP multi-hop through the security appliance, and the
eBGP peers are using MD5. Randomization breaks the MD5 checksum.
You are using a WAAS device which requires that the security appliance
not randomize the sequence numbers of connections.
Disabling this option opens a security hole in the security appliance.
General Tab
Use the General tab of the Translation Rules page to view a summary of all translation rules defined for
the current device or shared policy. The translation rules are listed in the order that they will be evaluated
on the device.
Note The General tab is only visible for PIX, ASA and FWSM devices in router mode, and FWSM 3.2 devices
in transparent mode. Other devices in transparent mode support only static translation rules and do not
need to display summary information.
Navigation Path
You can access the General tab from the Translation Rules page. See Translation Rules: PIX, FWSM,
and pre-8.3 ASA, page 20-18 for more information.
Related Topics
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices, page 20-17
Translation Exemptions (NAT 0 ACL), page 20-19
Dynamic Rules Tab, page 20-21
Policy Dynamic Rules Tab, page 20-23
Static Rules Tab, page 20-25
Field Reference
Element Description
Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently
disabled. (See Enable Rule in Add/Edit Dynamic Translation Rule Dialog Box, page 20-22 for
information about enabling and disabling these rules.)
No. Rules are evaluated sequentially in the order listed. This number indicates
the rules position in the ordering of the list.
Type The type of translation rule; for example, Static, Dynamic, Exemption, etc.
Action Displays exempt if the rule is exempt from NAT.
Original Interface The ID of the device interface to which the rule is applied.
Original Address The object names or IP addresses of the source hosts and networks to which
the rule applies.
Local Port The port number supplied by the host or network (for static PAT).
Translated Pool The ID number of the address pool used for translation.
Translated Interface The interface on which the translated addresses are to be used.
Translated Address The translated addresses.
Global Port The port number to which the original port number will be translated (for
static PAT).
Destination The object names and IP addresses of the destination hosts or networks to
which the rule applies.
Protocol The protocol to which the rule applies.
Service The services to which the rule applies.
Direction The traffic direction (Inbound or Outbound) on which the rule is applied.
DNS Rewrite Whether the DNS Rewrite option is enabled: Yes or No. This option is set in
the Advanced NAT Options Dialog Box, page 20-28.
Maximum TCP The maximum number of TCP connections allowed to connect to the
Connections statically translated IP address. If zero, the number of connections is
unlimited. This option is set in the Advanced NAT Options Dialog Box,
page 20-28.
Embryonic Limit The number of embryonic connections allowed to form before the security
appliance begins to deny these connections. If zero, the number of connections
is unlimited. A positive number enables the TCP Intercept feature.
This option is set in the Advanced NAT Options Dialog Box, page 20-28.
Element Description
Maximum The maximum number of UDP connections allowed to connect to the
UDP Connections statically translated IP address. If zero, the number of connections is
unlimited. This option is set in the Advanced NAT Options Dialog Box,
page 20-28.
Timeout For PIX 6.x devices, this is the timeout value for a static translation rule. This
value overrides the default translation timeout specified in Platform >
Security > Timeouts. A Timeout value of 00:00:00 here means that
translations matching this rule should use the default translation timeout
specified in Platform > Security > Timeouts.
Randomize Whether the security appliance will randomize the sequence number of TCP
Sequence Number packets: Yes or No. This option is set in the Advanced NAT Options Dialog
Box, page 20-28, and is enabled by default.
Category The category to which the rule is assigned. Categories use labels and
color-coding to help identify rules and objects.
To define and edit categories, select Tools > Policy Object Manager >
Category. Refer to Using Category Objects, page 6-9 for more information.
Note No commands are generated for the Category attribute.
Description The description of the rule, if provided.
Note This section is not displayed in the Translation Rules table in Policy View because these
rules are device-specific.
NAT Rules After These also are rules you or another user have manually defined on the
device. You can specify that a rule is added to this section by clicking the section heading before
adding the rule.
The NAT rules listed in this table are processed on a first-match basis; therefore, order is important.
Providing a manual section both before and after the automatic rules lets you ensure all your rules
are in the appropriate order, since you can re-order rules only within their section. The rules in each
section take precedence over the rules in the section below it. For example, the rules in the top,
Before section take precedence over the rules in the Network Object NAT section, and so on.
The type of each ruleStatic, Dynamic PAT, or Dynamic NAT and PAT is indicated visually in
the table by presenting (S), (DP), or (DNP) in blue following the Source parameter in the
Translated column.
A Bi-directional rule is a static rule that actually consists of two paired rules, one each for outgoing
and incoming translation of the specified source and destination values. Each Bi-directional rule
entry in the rules table is presented as two lines.
For example, if Bi-directional is chosen when you create a static rule with Host1 in the Source field
and Host2 in the Translated field, two lines are added to the rules table: one with Host1 being
translated to Host2, and one with Host2 being translated to Host1.
Related Topics
NAT Policies on Security Devices, page 20-15
About Simplified NAT on ASA 8.3+ Devices, page 20-4
Standard rules table topics:
Using Rules Tables, page 12-7
Filtering Tables, page 1-33
Table Columns and Column Heading Features, page 1-34
Navigation Path
(Device view) Select NAT > Translation Rules from the Device Policy selector.
(Policy view) Select NAT (PIX/ASA/FWSM) > Translation Rules from the Policy Type selector.
Select an existing policy from the Shared Policy selector, or right-click Translation Rules to create
a new policy.
The Translation Rules page is displayed. Note that in Policy View, the Network Object NAT Rules
section is not displayed because those rules are device-specific.
Note To remove a Network Object NAT rule from this table, you must uncheck the Add Automatic Address
Translation NAT Rule option, or change the device to which the rule is assigned, in the related Edit
Network Host dialog box. See Add or Edit Network/Host Dialog Box: NAT Tab, page 20-38 for
additional information.
Use the Add NAT Rule dialog box to add a NAT rule to the selected ASA 8.3+ device; this dialog box is
not available on earlier-version ASAs, nor on PIX or FWSM devices. Refer to Configuring NAT on PIX,
FWSM, and pre-8.3 ASA Devices, page 20-17 for information about adding and editing NAT rules on
those devices.
Note Except for their titles, the Add NAT Rule and Edit NAT Rule dialog boxes are identical, and the
following descriptions apply to both.
Navigation Path
To add a rule, select the section to which you want the rule added (NAT Rules Before, Network Object
NAT Rules, or NAT Rules After), and then click the Add Row button below the rules table, or right-click
anywhere inside the table and choose Add Row to open the Add NAT Rule dialog box. Note that if you
do not select a section, the new rule is added to the NAT Rules Before section.
To edit a rule, select the rule and click the Edit Row button, or simply right-click the rule and choose the
Edit Row command, to open the Edit NAT Rule dialog box for that rule.
Related Topics
Chapter 20, Configuring Network Address Translation
Translation Rules: ASA 8.3+, page 20-32
Add or Edit Network/Host Dialog Box: NAT Tab, page 20-38
Field Reference
Element Description
Type The type of translation rule you are creating:
Static Provides static assignment of real addresses to mapped addresses.
Dynamic PAT (Hide) Provides dynamic assignment of multiple local
addresses to a single global IP address and a unique port number, in effect
hiding the local addresses behind the one global address.
Dynamic NAT and PAT Provides dynamic assignment of real addresses
to mapped addresses, and real ports to mapped ports.
On devices operating in router mode, this option also provide the
fallthrough option described below.
Note This selection applies only to the specified source translation;
destination translation is always static.
Original Source The source address the NAT rule will translate. If this is a range or network, all
addresses in the range or network are translated.
Table 20-14 Add and Edit NAT Rule Dialog Boxes (Continued)
Element Description
Address Whether the translation is based on an address or an interface on the device.
Interface (available Select either:
for Static and Address Translate the original address using the network/host object
Dynamic PAT specified in the Translated Source field.
rules only)
Interface Translate the original address based on the interface specified
in the Translated Source field.
The Interface option is are available only when either Static or Dynamic
PAT (Hide) is chosen as the Type.
Note These options are not available on devices operating in transparent mode.
Translated Source If Address is selected above, this entry represents the pool of translation
addresses: enter or Select the desired Networks/Hosts; defaults to the Original
Source (which will produce an Identity NAT rule).
If Interface is selected above, enter or Select the desired interface. The Interface
Selector list contains all interfaces currently defined on the device. For port
address translation based on this interface, be sure to configure the options in
the Service Translation section (in the Advanced panel of this dialog box).
If you leave the Interface field blank, the Address/Interface selection reverts to
Address and the Original Source is inserted into the Address field. This
produces an Identity NAT rule, meaning the specified address(es) are translated
to themselves (effectively not translated); Identity NAT applies to outbound
connections only.
Advanced Click the Advanced header to expand the dialog box and display the following
Advanced options. Click the header again to hide the Advanced panel.
Destination Use the options in this section of the Advanced panel to configure optional static
Translation translation of destination addresses:
Original Destination Translate the original destination addresses defined
by the Networks/Hosts object specified in this field.
Address or Interface Select Address to translate the original destination
using the Networks/Hosts object specified in the Translated Destination
field. Select Interface to translate the original destination using the interface
specified in the Translated Destination field.
Note These options are not available on devices operating in transparent mode.
Table 20-14 Add and Edit NAT Rule Dialog Boxes (Continued)
Element Description
Service Translation Use the options in this section of the Advanced panel to configure port
address translation:
Original Service Enter or Select the Service object that defines the
service(s) to be translated.
Translated Service Enter or Select the Service object that provides the
service(s) to be used for translation.
Leave the Original Service field blank to configure translation of any
service to the specified Translated Service.
Note The protocol specified in both Service objects must be the same.
These service objects represent a service protocol (TCP or UDP), and one or
more ports. The mapping of original ports to translated port is circular. That is,
the first original value is mapped to the first translated value, and the second
original value is mapped to the second translated value, and so on until all
original values are translated. If the pool of translated port is exhausted before
that point, mapping continues using the first translated value again. See
Understanding and Specifying Services and Service and Port List Objects,
page 6-69 for information about configuring service objects.
Note Service Translation and the following Translate DNS replies that
match this rule option cannot be used together.
Interface Use the options in this section of the Advanced panel to configure interface
Translation translation options:
Translate DNS replies that match this rule When checked, addresses
embedded in DNS replies that match this rule are rewritten.
For DNS replies traversing from a mapped interface to a real interface, the
Address (or A) record is rewritten from the mapped value to the real value.
Conversely, for DNS replies traversing from a real interface to a mapped
interface, the A record is rewritten from the real value to the mapped value.
Note that DNS inspection must be enabled to support this functionality.
Source Interface The name of the interface on which a packet may
originate; this is the real interface. Defaults to any, which represents all
interfaces. Enter or Select the desired interface.
Destination Interface The name of the interface on which a packet may
terminate; this is the mapped interface. Defaults to any, which
represents all interfaces. Enter or Select the desired interface.
Fallthrough to Interface PAT (Destination Interface) When checked,
dynamic PAT back-up is enabled. When the pool of dynamic NAT addresses is
depleted, port address translation is performed, using the address pool specified
in the Use Address field. This option is available only when Dynamic NAT and
PAT is the chosen Type on devices operating in router mode.
Table 20-14 Add and Edit NAT Rule Dialog Boxes (Continued)
Element Description
Others Use the options in this section of the Advanced panel to configure other NAT
rule options:
Direction This feature lets you configure a static NAT rule in a single
direction only; or dual rules, one each for both directions (forward and
reverse). Choose either:
Uni-directional A single static NAT is created, as specified by the
other options in this dialog box. Dynamic rules are uni-directional
by default.
Bi-directional Two linked static NAT rules are created,
encompassing both directions of the translation, as specified by the
other options in this dialog box. Note that each bi-directional rule entry
in the rules table consists of two lines.
This option is available for Static rules only.
Description (Optional) Provide a description of the rule.
Category (Optional) Choose a category to assign to the rule. Categories
can help you organize and identify rules and objects; see Using Category
Objects, page 6-9 for more information.
Use the NAT tab in any of the dialog boxes used to add or edit host, network, or address range objects
to create or update object NAT rules. This NAT configuration is used only for ASA 8.3+ devices; if you
use the object on any other type of device, the NAT configuration is ignored.
The NAT configuration is created as a device override and is not kept in the global object. Therefore,
you must select the Allow Value Override per Device option if you configure these NAT options. (This
option is selected automatically when you close the dialog box.)
This topic describes the fields on the NAT tab. For information about the fields on the General tab, see
Add or Edit Network/Host Dialog Box, page 6-65.
Navigation Path
Select the NAT tab on the Add or Edit Network/Host Dialog Box when creating or editing a host,
network, or address range object.
Related Topics
Chapter 20, Configuring Network Address Translation
Creating Network/Host Objects, page 6-64
Understanding Network/Host Objects, page 6-62
Specifying IP Addresses During Policy Definition, page 6-68
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Add Automatic Address If checked, a network address translation (NAT) rule, as defined here, will be
Translation NAT Rule applied to the device specified in the Translated By field. The rule will
appear in the Network Object NAT Rule section of the Translation Rules
table for that device (see Translation Rules: ASA 8.3+, page 20-32).
Translated By The device on which you are configuring the NAT rule. Click Select to select
the device from a list. The list is filtered to show only ASA 8.3+ devices.
Original value Shows the address configured on the General tab of this dialog box. This is
the source address the NAT rule will translate. If it is a range or network, all
addresses in the range or network will be translated.
Type The type of translation rule you are creating:
Static Enables static assignment of real addresses to mapped addresses.
PAT (Hide) Enables dynamic assignment of multiple local addresses
to a single global IP address and a unique port number.
Dynamic NAT and PAT Enables dynamic assignment of real
addresses to mapped addresses, and real ports to mapped ports.
Use Address Whether the translation is based on an address or an interface on the device:
Use Interface (available Use AddressTranslate the original address using the specified address
only for Static and PAT) or network/host object. Enter the address or object name in the Address
field, or click Select to select the object from a list.
Use InterfaceTranslate the original address based on the specified
interface. The Interface list contains all interfaces currently defined on
the selected device; chose the desired interface.
If you leave the Interface field blank, this object will be inserted,
producing an Identity NAT rule, meaning the specified address(es) are
translated to themselves (effectively not translated); Identity NAT
applies to outbound connections only.
Note The Use Interface options are available only when either Static or
PAT (Hide) is chosen as the Type.
Advanced Click the Advanced header to expand the dialog box and display the following
Advanced options. Click the header again to hide the Advanced panel.
Translate DNS replies When checked, the Address (or A) record is rewritten in DNS replies that
for rule match this rule.
For DNS replies traversing from a mapped interface to a real interface, the
A record is rewritten from the mapped value to the real value. Conversely,
for DNS replies traversing from a real interface to a mapped interface, the A
record is rewritten from the real value to the mapped value. Note that DNS
inspection must be enabled to support this functionality.
Note This option and Service Translation (below) cannot be used together.
Element Description
Interfaces Use the options in this section of the Advanced panel to configure interface
translation options:
Source InterfaceThe name of the interface on which a packet may
originate; this is the real interface. Defaults to any, which represents
all interfaces.
Destination InterfaceThe name of the interface on which a packet
may terminate; this is the mapped interface. Defaults to any, which
represents all interfaces.
Fallthrough to Interface (Destination Interface)When checked,
dynamic PAT back-up is enabled. When the pool of dynamic NAT
addresses is depleted, port address translation is performed, using the
address pool specified in the Use Address field. This option is available
only when Dynamic NAT is the chosen Type.
Service Translation Use the options in this section of the Advanced panel to configure static port
address translation:
(Available for Static
rules only.) Protocol Whether a TCP or UDP port.
Original Port The port on which the traffic enters the device.
Translated Port The port number which is to replace the original
port number.
Note Service Translation and the Translate DNS replies that match this
rule option cannot be used together.
VPN Configuration
CH A P T E R 21
Managing Site-to-Site VPNs: The Basics
A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to
one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels to
encapsulate data packets within normal IP packets for forwarding over IP-based networks, using
encryption to ensure privacy and authentication to ensure integrity of data.
In Cisco Security Manager, site-to-site VPNs are implemented based on IPsec policies that are assigned
to VPN topologies. An IPsec policy is a set of parameters that define the characteristics of the site-to-site
VPN, such as the security protocols and algorithms that will be used to secure traffic in an IPsec tunnel.
Security Manager translates IPsec policies into CLI commands that can be deployed to the devices in the
VPN topology. Several policy types might be required to define a full configuration image that can be
assigned to a VPN topology, depending on the IPsec technology type.
The Site-to-Site VPN Manager defines and configures site-to-site VPN topologies and policies on Cisco
IOS security routers, PIX Firewalls, Catalyst VPN Service Modules, and Adaptive Security Appliance
(ASA) firewall devices.
You can access the Site-to-Site VPN Manager by selecting Tools > Site-To-Site VPN Manager or
clicking the Site-To-Site VPN Manager button on the toolbar.
You can also configure shared policies in Policy view and view and configure topologies in Device view.
In Policy View, you can assign IPsec policies to VPN topologies.
This chapter contains the following topics:
Understanding VPN Topologies, page 21-2
Understanding IPsec Technologies and Policies, page 21-5
Accessing Site-to-Site VPN Topologies and Policies, page 21-16
Site-To-Site VPN Discovery, page 21-18
Creating or Editing VPN Topologies, page 21-26
Deleting a VPN Topology, page 21-59
Spoke
Branch Se
office cu
re Main
tun
ne office
Sec l Internet
Spoke u re
tunn
el Hub
el
Spoke tunn
u re
Sec l
ne
e tun
Branch c ur
office Se Optional
secondary hubs
for resilience
130052
Spoke
This topology usually represents an intranet VPN that connects an enterprises main office with branch
offices using persistent connections to a third-party network or the Internet. VPNs in a hub-and-spoke
topology provide all employees with full access to the enterprise network, regardless of the size, number,
or location of its remote operations.
A hub is generally located at an enterprises main office. Spoke devices are generally located at an
enterprises branch offices. In a hub-and-spoke topology, most traffic is initiated by hosts at the spoke
site, but some traffic might be initiated from the central site to the spokes.
If the hub in a hub-and-spoke configuration becomes unavailable for any reason, IPsec failover transfers
tunnel connections seamlessly to a failover (backup) hub, which is used by all spokes. You can configure
multiple failover hubs for a single primary hub.
In a hub-and-spoke VPN topology, all IPsec technology types can be assigned except GET VPN.
Related Topics
Understanding IPsec Technologies and Policies, page 21-5
Understanding VPN Topologies, page 21-2
Implicitly Supported Topologies, page 21-5
Chapter 22, Configuring Common Site-to-Site VPN Policies
Site 1 Site 2
Internet
Secure tunnel
130053
Related Topics
Understanding IPsec Technologies and Policies, page 21-5
Understanding VPN Topologies, page 21-2
Implicitly Supported Topologies, page 21-5
Chapter 22, Configuring Common Site-to-Site VPN Policies
Site 2
Site 1 Internet
n nel
Secure tu
el
nn
tu
e
Se
Se c
ure c ur
cur
tu n n
el Se
e tu
Se
cur
n ne
e tu
l
n ne
l
nnel
Secure tu
130054
Site 4
Site 3
A full mesh network is reliable and offers redundancy. When the assigned technology is GRE and one
device (or node) can no longer operate, all the rest can still communicate with one another, directly or
through one or more intermediate nodes. With regular IPsec, if one device can no longer operate, a crypto
access control list (ACL) that specifies the protected networks, is created per two peers.
GET VPN is based on the group trust model. In this model, group members register with a key server.
The key server uses the Group Domain of Interpretation (GDOI) protocol for distributing the security
policy and keys for encrypting traffic between the group members. Because you can configure a primary
key server and secondary key servers that synchronize their policies with the primary one, if the primary
key server becomes unavailable, a secondary key server can take over.
Note When the number of nodes in a full mesh topology increases, scalability may become an issuethe
limiting factor being the number of tunnels that the devices can support at a reasonable CPU utilization.
Related Topics
Understanding IPsec Technologies and Policies, page 21-5
Understanding VPN Topologies, page 21-2
Implicitly Supported Topologies, page 21-5
Chapter 22, Configuring Common Site-to-Site VPN Policies
Related Topics
Understanding VPN Topologies, page 21-2
Hub-and-Spoke VPN Topologies, page 21-2
Point-to-Point VPN Topologies, page 21-3
Full Mesh VPN Topologies, page 21-4
Tip You can configure your own mandatory policy defaults by creating shared policies that specify the
desired settings, and then selecting these shared policies when creating a VPN. You can even make the
shared policies the defaults for the Create VPN wizard. For more information, see Understanding and
Configuring VPN Default Policies, page 21-11.
Some mandatory policies are mandatory only under certain conditions. For example, a preshared key
policy is mandatory only if the default (mandatory) IKE proposal uses preshared key authentication. If
the selected IKE authentication method is RSA Signature, a Public Key Infrastructure policy is
mandatory (see Deciding Which Authentication Method to Use, page 22-3).
The following table lists the mandatory and optional policies for each predefined technology that you
can assign to the devices in your site-to-site VPN topology.
2. A public key infrastructure policy is mandatory if the IKE authentication method is RSA Signature.
Related Topics
Creating or Editing VPN Topologies, page 21-26
Understanding Devices Supported by Each IPsec Technology, page 21-8
Understanding and Configuring VPN Default Policies, page 21-11
Understanding VPN Topologies, page 21-2
Chapter 22, Configuring Common Site-to-Site VPN Policies
Understanding Policies, page 5-1
Tip Some device models have NO-VPN versions that do not support VPN configuration. Thus, although the
3845 model might be supported for a type of VPN, the 3845 NOVPN model is not supported.
Related Topics
Creating or Editing VPN Topologies, page 21-26
Understanding Mandatory and Optional Policies for Site-to-Site VPNs, page 21-6
Including Unmanaged or Non-Cisco Devices in a VPN, page 21-10
Understanding and Configuring VPN Default Policies, page 21-11
Understanding VPN Topologies, page 21-2
Chapter 22, Configuring Common Site-to-Site VPN Policies
Understanding Policies, page 5-1
Related Topics
Understanding Devices Supported by Each IPsec Technology, page 21-8
Selecting Devices for Your VPN Topology, page 21-29
Creating or Editing VPN Topologies, page 21-26
Tips
When you configure VPN default policies, you are selecting shared policies. Although you can
configure only one default per policy per IPsec technology, users can select different shared policies
when configuring VPNs. Thus, you might want to configure more than one shared policy that users
can select, and configure the most commonly-used policy as the default policy. For more
information about how users can select different policies when configuring a VPN, see Assigning
Initial Policies (Defaults) to a New VPN Topology, page 21-55.
Keep in mind that any change to a shared policy affects all VPNs that are using the policy. This can
make it easy to implement across-the-board changes that are required for every VPN. However, after
creating the VPN, the user can switch from a shared policy to a local policy, so that any changes to
the configuration must be done specifically for the VPN topology. For more information about
shared policies, see Managing Shared Policies in Policy View, page 5-46.
The following procedure explains how to create and use VPN policy defaults.
Step 1 Create the default policies. All default policies are shared policies.
a. In Policy view (select View > Policy View), select the policy for which you want to configure
defaults. The policies are in the Site-to-Site VPN or Remote Access VPN folders.
b. Click the Create a Policy (+) button at the bottom of the shared policy selector, enter a name for the
policy, and click OK.
c. Configure the desired settings. Click the Help (?) button in the toolbar to get reference information
about the settings available in the selected policy.
d. Repeat the process until you have created at least one shared policy for each policy for which you
want to define a default policy.
Step 2 If desired, create defaults for the VPN endpoints. These defaults are interface role objects, which identify
the interface names used for VPN connections (for example, GigabitEthernet0/1). Create separate roles
for internal and external VPN interfaces.
a. Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
b. Select Interface Roles from the table of contents.
c. Click the New Object (+) button, enter the interface name patterns that identify the most commonly
used interfaces for VPN internal or external interfaces in your network, and click OK.
For more information about interface roles and the wildcards you can use to configure them, see
Understanding Interface Role Objects, page 6-55 and Creating Interface Role Objects, page 6-56.
Step 3 Submit the policies and policy objects to the database. You will have to resolve any validation errors.
In non-Workflow mode, select File > Submit.
In Workflow mode without an activity approver, select Activities > Approve Activity.
In Workflow mode with an activity approver, select Activities > Submit Activity. You will have to
wait for the activity to be approved before you can select the policies and objects as defaults.
Step 4 Select your newly-configured policies and policy objects as VPN policy defaults.
a. Select Tools > Security Manager Administration, and then select VPN Policy Defaults from the
table of contents (see VPN Policy Defaults Page, page 11-39).
b. Select the desired tabs, then select the policies you configured from the drop-down lists for each of
the mandatory or optional policies for which you configured defaults.
On the S2S Endpoints tab, select the appropriate interface role objects.
c. Click Save to save your defaults.
The next time a user runs the Create VPN wizard, the defaults you selected will be used as the
wizards defaults. Users can select any other shared policy or interface role to override the default.
Note VRF-Aware IPsec can also be configured on devices in a remote access VPN. For more information, see
Understanding IPsec Proposals in Remote Access VPNs, page 26-38.
In Security Manager, you can configure VRF-Aware IPsec in your hub-and spoke VPN topology, with
either a single device providing all functionality (one-box solution) or with multiple devices, each
providing a part of the functionality (two-box solution). The solution of one device providing all the
functionality can affect performance by overloading the system, whereas separating the functionality in
a two-box solution provides better scaling for each function.
The following topics describe:
VRF-Aware IPsec One-Box Solution, page 21-13
VRF-Aware IPsec Two-Box Solution, page 21-14
Enabling and Disabling VRF on Catalyst Switches and 7600 Devices, page 21-16
For information on configuring VRF-aware IPsec, see Configuring VRF Aware IPsec Settings,
page 21-44.
Note The configuration of routing between the PE device and the MPLS cloud is done by Cisco IP Solution
Center. See the Cisco IP Solution Center MPLS VPN User Guide.
Related Topics
Understanding VRF-Aware IPsec, page 21-13
Configuring VRF Aware IPsec Settings, page 21-44
Defining the Endpoints and Protected Networks, page 21-31
Note Security Manager fully manages the IPsec Aggregator, including routing to the PE device. The PE device
is fully managed by Cisco IP Solution Center. This includes routing between the PE device and the
MPLS cloud, and routing from the PE to the IPsec Aggregator. For more information, see the Cisco IP
Solution Center MPLS VPN User Guide.
Using the two-box solution, you configure VRF-Aware IPsec on devices in your VPN topology,
as follows:
1. Configure the connection between the IPsec Aggregator and the PE device.
Create a hub-and-spoke VPN topology and assign an IPsec technology to it. In this topology, the hub
is the IPsec Aggregator, and the spokes may be Cisco IOS routers, PIX Firewalls, Catalyst VPN
service modules, or Adaptive Security Appliance (ASA) devices. The IPsec Aggregator may be a
security router or a Catalyst VPN service module. You then define the VRF parameters (VRF name
and unique routing identifier) on the hub.
Note VRF-Aware IPsec supports the configuration of IPsec, GRE, or Easy VPN technologies on
Cisco IOS routers and Catalyst VPN service modules. DMVPN is also supported, but only
on Cisco IOS routers.
2. Specify the VRF forwarding interface (or VLAN for a Catalyst VPN service module) between the
IPsec Aggregator and the PE device.
3. Define the routing protocol and autonomous system (AS) number to be used between the IPsec
Aggregator and the PE. Available routing protocols include BGP, EIGRP, OSPF, RIPv2, and
Static Route.
If the routing protocol defined between the IPsec Aggregator and the PE differs from the routing
protocol used for the secured IGP, routing is redistributed to the secured IGP, using this routing
protocol and AS number. Routing is also redistributed from the secured IGP to the PE.
Note Redistributing the routing is only relevant when IPsec/GRE or DMVPN is the
selected technology.
Related Topics
Understanding VRF-Aware IPsec, page 21-13
Configuring VRF Aware IPsec Settings, page 21-44
Defining the Endpoints and Protected Networks, page 21-31
Related topics
Understanding VRF-Aware IPsec, page 21-13
VRF-Aware IPsec One-Box Solution, page 21-13
VRF-Aware IPsec Two-Box Solution, page 21-14
Site-to-Site VPN policy in Device viewWhen you select a device in device view, you can select
the Site-to-Site VPN policy in the Policies selector to see a list of all site-to-site VPNs in which the
device participates and edit those topologies. You can also create new VPNs, or select a VPN and
open the Site-to-Site VPN Manager to edit the policies for the selected VPN. This device view
policy is essentially a short-cut into the Site-to-Site VPN Manager. For more information about
using this policy, see Configuring VPN Topologies in Device View, page 21-18.
Site-to-Site VPN folder in Policy viewPolicy view is used to create shared policies. Many of the
site-to-site VPN policies are shareable. Thus, you can configure shared policies that you can assign
to more than one VPN topology while configuring the topology in the Site-to-Site VPN Manager.
You can configure shared policies as defaults for the Create VPN wizard, as described in
Understanding and Configuring VPN Default Policies, page 21-11.
You can also create shared policies from the Site-to-Site VPN Manager window in much the same
way you can create them from local policies in Device view, although all sharing commands in the
Site-to-Site VPN Manager window are available only on the right-click context menu (when
right-clicking a shareable policy).
For more information on creating shared policies in Policy view, see Managing Shared Policies in
Policy View, page 5-46.
View and edit the policies assigned to a VPN topology, assign shared policies, or create shared
policies from existing policies. For information on individual policies, see Overview of Site-to-Site
VPN Policies, page 21-8.
The options and methods for configuring shared policies from the Site-to-Site VPN Manager are the
same as those from Device view, as explained in the sections under Working with Shared Policies
in Device View or the Site-to-Site VPN Manager, page 5-34 and Using the Policy Banner, page 5-35.
You can share, assign, unassign, edit assignments, and rename policies, but no VPN policies allow
inheritance. To perform these tasks, select the VPN topology, then right-click the desired policy and
select the desired command.
You can also use Policy view to configure shared VPN policies.
Note You can also discover configurations on devices in remote access VPNs that are already deployed in your
network. See Discovering Remote Access VPN Policies, page 26-8.
VPN Features Provisioned by Security Manager but Unsupported for VPN Discovery
Large Scale DMVPN with IPsec Terminator (high-concentration hub)
VRF-Aware IPsec
Dial backup
IPsec and ISAKMP profiles for Easy VPN
Easy VPN with High Availability
If you define and deploy policies of these types using Security Manager, your policies overwrite the
device configurations that were not discovered. Therefore, if you want Security Manager to manage
existing configurations, you should define policies that match the existing configurations as closely as
possible. (Use Tools > Preview Configuration to examine the results before deploying.) The VPN
provisioning mechanism leverages the content of the existing configuration as much as possible
(assuming the content matches the policies configured in Security Manager), but does not retain the
naming conventions used in the CLI commands.
Related Topics
Prerequisites for VPN Discovery, page 21-20
VPN Discovery Rules, page 21-21
Discovering Site-to-Site VPNs, page 21-22
Related Topics
Supported and Unsupported Technologies and Topologies for VPN Discovery, page 21-19
VPN Discovery Rules, page 21-21
Discovering Site-to-Site VPNs, page 21-22
Related Topics
Supported and Unsupported Technologies and Topologies for VPN Discovery, page 21-19
Prerequisites for VPN Discovery, page 21-20
Discovering Site-to-Site VPNs, page 21-22
Rediscovering Site-to-Site VPNs, page 21-25
Related Topics
Discovering Site-to-Site VPNs, page 21-22
Discovering Policies, page 5-12
Supported and Unsupported Technologies and Topologies for VPN Discovery, page 21-19
Prerequisites for VPN Discovery, page 21-20
Step 1 Select Policy > Discover VPN Polices to open the Discover VPN Policies WizardName and
Technology page.
Step 2 Specify the following information:
VPN NameThe name of the VPN being discovered.
DescriptionAn optional description of the VPN.
TopologyThe type of VPN that you are discoveringHub and Spoke, Point to Point, or Full Mesh.
IPsec TechnologyThe IPsec technology assigned to the VPNRegular IPsec, IPsec/GRE, GRE
Dynamic IP (sub-technology), DMVPN, Easy VPN, or GET VPN. The topology you select controls
what is available in this list.
If you selected IPsec/GRE, you must also specify the type which may be Standard (for IPsec/GRE)
or Spokes with Dynamic IP (to configure GRE Dynamic IP).
Discover FromYou can either discover the VPN directly from the network or from
Configuration Archive.
NetworkSecurity Manager connects to all live devices to obtain the device configuration.
Config ArchiveDiscovery from Config Archive is recommended if you deploy to
configuration files instead of live devices. The most recent version of the device configuration
in Configuration Archive is used for all devices.
Step 3 Click Next to open the Discover VPN Policies WizardDevice Selection Page.
Step 4 Select the devices participating in the VPN and their role in the VPN (hub, spoke, peer one, peer two,
key server, group member, or simply selected devices for full-mesh VPNs) depending on the topology
type. For Easy VPN topologies, servers are hubs and clients are spokes.
If there are two or more IPsec terminators in a hub-and-spoke VPN, use the Up and Down arrow
buttons to ensure the primary hub is listed first. When there is only one IPsec terminator, regardless
of how many hubs are connected to the same IPsec terminator, it is not possible to designate one hub
as the primary hub.
For more detailed information on selecting devices for a VPN, see Selecting Devices for Your VPN
Topology, page 21-29.
Step 5 Click Finish to close the wizard and start the discovery process. The Discovery Status window opens
and displays the status of the discovery and indicates whether the discovery of each device has been
successful or has failed (see Viewing Policy Discovery Task Status, page 5-20). Error or warning
messages are provided to indicate the source of any problems, which may be VPN specific or
device specific.
When the discovery process completes successfully, and you close the Discovery Status dialog box,
the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that
was discovered.
Step 6 Verify that the VPN polices are as required. Edit the policies as necessary.
Related Topics
Creating a New Shared Policy, page 5-50
Creating FlexConfig Policy Objects, page 7-25
Modifying Policy Assignments in Policy View, page 5-50
Site-To-Site VPN Discovery, page 21-18
Discovering Site-to-Site VPNs, page 21-22
VPN Discovery Rules, page 21-21
Related Topics
Discovering Site-to-Site VPNs, page 21-22
Discovering Policies, page 5-12
Prerequisites for VPN Discovery, page 21-20
VPN Discovery Rules, page 21-21
Understanding Devices Supported by Each IPsec Technology, page 21-8
Including Unmanaged or Non-Cisco Devices in a VPN, page 21-10
Step 1 In the Site-to-Site VPN Manager window, right-click the VPN topology whose configurations you want
to rediscover and select Rediscover Peers. This opens the Rediscover VPN Policies WizardName and
Technology page.
This page displays the type of topology and IPsec technology used in the VPN, which you cannot change.
Step 2 Specify the following information:
VPN Discovery NameThe name of the rediscover VPN job.
DescriptionAn optional description of the VPN.
Discover FromYou can either rediscover the VPN directly from the network or from
Configuration Archive.
NetworkSecurity Manager connects to all live devices to obtain the device configuration.
Config ArchiveRediscovery from Config Archive is recommended if you deploy to
configuration files instead of live devices. The most recent version of the device configuration
in Configuration Archive is used for all devices.
Step 3 Click Next to open the Rediscover VPN Policies WizardDevice Selection page.
Step 4 Select the devices whose peer level policies need to be rediscovered and their role in the VPN (hub,
spoke, peer one, peer two, key server, group member, or simply selected devices for full-mesh VPNs)
depending on the topology type. For Easy VPN topologies, servers are hubs and clients are spokes.
If there are two or more IPsec terminators in a hub-and-spoke VPN, use the Up and Down arrow
buttons to ensure the primary hub is listed first. When there is only one IPsec terminator, regardless of
how many hubs are connected to the same IPsec terminator, it is not possible to designate one hub as
the primary hub.
For more detailed information on selecting devices for a VPN, see Selecting Devices for Your VPN
Topology, page 21-29.
Step 5 Click Finish to close the wizard and start the rediscovery process. The Discovery Status window opens
and displays the status of the rediscovery and indicates whether the rediscovery of each device has been
successful or has failed (see Viewing Policy Discovery Task Status, page 5-20). Error or warning messages
are provided to indicate the source of any problems, which may be VPN specific or device specific.
When the rediscovery process completes successfully, and you close the Discovery Status dialog
box, the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that
was rediscovered.
Note When you complete the Create VPN wizard, your topology might be immediately deployable, because
Security Manager provides defaults for mandatory policies. However, if you use Security Manager
defaults, be sure to verify that the settings will work properly in your network. For more information,
see Understanding and Configuring VPN Default Policies, page 21-11.
When you edit a VPN topology, the Edit VPN dialog box contains the same pages as the Create VPN
wizard (except for the VPN defaults page), but the pages are laid out in a tabbed format rather than being
presented as a wizard. The only exception is for GET VPN topologies, where you can edit only the name
and description of the topology (you must edit GET VPN policies to change topology attributes, see
Configuring GET VPN, page 25-12). Clicking OK on any tab in the dialog box saves your definitions
on all the tabs. For all topologies, you must edit mandatory and optional policies originally presented on
the VPN defaults page directly.
By editing a VPN topology, you can change its device structure (adding or removing devices), change
the VPN interfaces and protected networks defined for a device, or modify the policies that are assigned
to the VPN. For example, if your organization frequently opens new sites, you might need to add spokes
to an existing hub-and-spoke VPN while applying all policies of the VPN to the new spokes. Or, you
might want to increase resiliency by adding a secondary hub to a VPN that has only one hub. While
editing a VPN topology, you might also need to modify the policies assigned to it, for example, to change
an IKE algorithm to a more secured one, or to change the DES encryption algorithm for a VPN to make
it more secure.
Tip After you create a topology, you cannot change the technology used in the VPN. Instead, you must delete
the old VPN and create a new one using the desired technology.
Either during or after you create a VPN topology, you can also create the following advanced
configurations when editing endpoints:
VRF-Aware IPsec on a hub in a hub-and-spoke topology (see Configuring VRF Aware IPsec
Settings, page 21-44).
A VPNSM or VPNSPA/VSPA on a Catalyst 6500/7600 in a hub-and-spoke, point-to-point, or full
mesh VPN topology (see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38).
A Firewall Services Module together with a VPN Services Module or VPN SPA on a Catalyst
6500/7600 device in a hub-and-spoke, point-to-point, or full mesh VPN topology (see Configuring
a Firewall Services Module (FWSM) Interface with VPNSM or VPNSPA/VSPA, page 21-43).
Note You can create a visual representation of your VPN topology with all its elements in the Map view. For
more information, see Creating VPN Topologies in Map View, page 29-21.
Related Topics
Configuring VPN Topologies in Device View, page 21-18
Understanding IPsec Technologies and Policies, page 21-5
Using Wizards, page 1-32
Note If you are editing an existing VPN, the assigned IPsec technology and type is displayed, but you cannot
change them. To change the technology or type, you must delete the topology and create a new one.
The following table describes the options you can configure when defining the name and technology.
Element Description
Name A unique name that identifies the VPN topology.
Description Information about the VPN topology.
IPsec Technology The IPsec technology used in the VPN topology:
Regular IPsec
IPsec/GRE
DMVPN (Hub and Spoke VPN only)
Easy VPN (Hub and Spoke VPN only)
GET VPN (Full Mesh VPN only)
Element Description
Type The technology type if the selected IPsec technology is IPsec/GRE or
DMVPN for a hub-and-spoke topology:
IPsec/GRESelect either Standard (for IPsec/GRE) or Spokes with
Dynamic IP (for GRE Dynamic IP). For more information, see
Understanding GRE Configuration for Dynamically Addressed Spokes,
page 23-5.
DMVPNSelect either Standard (for regular DMVPN) or Large Scale
with IPsec Terminator (for a large scale DMVPN). For more
information, see Configuring Large Scale DMVPNs, page 23-16.
Related Topics
Understanding IPsec Technologies and Policies, page 21-5
Tip When selecting devices, you can select a device group to select all of the eligible devices in the group.
The following list explains how to add or remove devices based on the type of topology:
To select devices for a full mesh VPN topology with Regular IPSec or IPSec/GRE technology,
select them in the Available Devices list and click >>.
To select devices for a full mesh VPN topology that uses the GET VPN technology:
Select the devices that you want to define as key servers and click >> next to the Key
Servers field.
If you have more than one key server, use the Up and Down arrow buttons to ensure the primary
key server is listed first. Group members register with the first key server in the list. If the first
key server cannot be reached, they try to register with the second key server, and so on.
Select the devices that you want to define as group members and click >> next to the Group
Members field.
Note You need to select the primary hub only when there are two or more IPsec terminators.
When there is only one IPsec terminator, regardless of how many hubs are connected to
the same IPsec terminator, it is not possible to designate one hub as the primary hub.
Select the devices that you want to define as spokes (or clients in an Easy VPN configuration)
and click >> next to the Spokes list.
If you are configuring a Large Scale DMVPN with IPsec Terminator topology, you must also
select the Catalyst 6500/7600 devices you want to be IPsec Terminators in your Large Scale
DMVPN configuration. If you select more than one IPsec Terminator, use the Up and Down
arrow buttons to put them in priority order. For more information, see Configuring Large Scale
DMVPNs, page 23-16.
To select devices for a point-to-point VPN topology:
From the Devices list, select a device to be Peer One and click >>.
Select another device to be Peer Two and click >>.
To remove devices (any topology or technology combination), select them from one of the
selected devices lists and click << to move them back to the Available Devices list.
If you are editing an existing VPN topology, you can remove devices from the VPN topology, but
you cannot save your changes if your device selections result in an invalid VPN configuration. When
removing devices, you should be aware of the following:
You cannot remove a device if it is the only hub in a hub-and-spoke VPN topology, unless you
replace it with a different hub.
You cannot remove a device that is one of the two devices in a point-to-point VPN topology,
unless you replace it with a different device.
In a VPN topology with multiple hub devices, deleting a hub causes the appropriate tunnels to
be removed.
If some, but not all, spokes in a VPN topology are deleted, the hub side crypto statements
change to reflect the removal.
GET VPNs must have at least one key server and one group member.
Related Topics
Including Unmanaged or Non-Cisco Devices in a VPN, page 21-10
Tips:
This configuration applies to all IPsec technology types except GET VPN. To configure GET VPN
endpoints when creating the VPN, see Defining GET VPN Peers, page 21-54. For existing GET
VPNs, configure endpoints using the Key Servers and Group Members policies; see Configuring
GET VPN Key Servers, page 25-18 and Configuring GET VPN Group Members, page 25-20.
The devices listed on this page are selected in the Device Selection Page (see Selecting Devices for
Your VPN Topology, page 21-29). You can change the list only when editing the Peers policy, where
you can select a device and click the Delete (trash can) button to remove it. To add devices, you
must edit the VPN topology itself.
The table shows the role each device plays in the VPN (hub, spoke, peer, or IPsec Terminator), the device
name, and the VPN interface and protected networks. Initially, the VPN interface and protected network
is set to the default interface roles defined in the Security Manager Administrative settings for external
and internal interfaces (see VPN Policy Defaults Page, page 11-39). The endpoint configuration might
include configurations not shown in this table, but the VPN interface and protected network are the only
required settings.
To change the endpoint configuration for a device, select it and click the Edit Row button beneath
the table. You can select more than one device to edit at a time, but the devices must serve the same
role, and you cannot include Catalyst 6500/7600 devices or VPN service modules when selecting
multiple devices. You perform endpoint editing in the Edit Endpoints Dialog Box, whose content
differs depending on the selected device type and IPsec technology.
See the following topics for detailed information about the options you can configure in the Edit
Endpoints dialog box:
VPN Interface tabTo configure the VPN interface and other required interface settings (see
Configuring VPN Interface Endpoint Settings, page 21-32). In some cases, you can also
configure dial backup (for more information about dial backup, see Configuring Dial Backup,
page 21-36).
For Catalyst 6500/7600 devices, the VPN Interface tab provides settings that enable you to
configure a VPN Services Module (VPNSM) or a VPNSPA/VSPA blade on the device (which
might be an IPsec Terminator in a large scale DMVPN), and are described in Configuring
VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.
Hub Interface tabIf the selected device is a hub in a large scale DMVPN, specify the
interface that is connected to the IPsec Terminator. See Configuring Large Scale DMVPNs,
page 23-16.
Protected Networks tabTo define the networks that are encrypted (see Identifying the
Protected Networks for Endpoints, page 21-42). The protected network can be an interface role,
network/host object, or in the case of regular IPsec, an ACL policy object.
FWSM tabTo define the settings that enable you to connect between a Firewall Services
Module (FWSM) and an IPsec VPN Services Module (VPNSM) or VPNSPA/VSPA that is
already configured on a Catalyst 6500/7600 device. This is possible only in a hub-and-spoke
topology where the hub is a Catalyst 6500/7600 device that has these modules installed. For
more information, see Configuring a Firewall Services Module (FWSM) Interface with VPNSM
or VPNSPA/VSPA, page 21-43.
VRF Aware IPsec tabTo configure a VRF-Aware IPsec policy on a hub (IPsec Aggregator)
in a hub-and-spoke VPN topology. For more information, see Configuring VRF Aware IPsec
Settings, page 21-44 and Understanding VRF-Aware IPsec, page 21-13.
To view the actual interfaces associated with an interface role for each device, select Matching
Interfaces in the Show list beneath the table. If there are no matching interfaces, No Match is
displayed. The default is to show the interface role policy object names. To create a valid VPN, these
roles must match to actual interfaces defined on the device.
Related Topics
Table Columns and Column Heading Features, page 1-34
Filtering Tables, page 1-33
Tips
If the device is a hub in a large scale DMVPN, this tab is called Hub Interface. Specify the interface
that is connected to the IPsec Terminator in the Hub Interface Toward the IPsec Terminator field.
Enter the name of the interface or interface role, or click Select to select it from a list. For more
information, see Configuring Large Scale DMVPNs, page 23-16.
If the device is a Catalyst 6500/7600 device, the VPN Interface tab provides settings that enable you
to configure a VPN Services Module (VPNSM) or a VPNSPA/VSPA blade on the device. For a
description of the elements that appear on the VPN Interface tab for a Catalyst 6500/7600 device,
see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38. The table below
assumes the device is not a Catalyst 6500/7600 device.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a device and click Edit to open the Edit Endpoints Dialog Box. Select the VPN Interfaces tab in
the Edit Endpoints dialog box. For information on how to access these pages and dialog boxes, see
Defining the Endpoints and Protected Networks, page 21-31.
Field Reference
Element Description
Enable the VPN Interface Available if you selected more than one device on the Endpoints
Changes on All Selected Peers page for editing.
When selected, applies any changes you make in the VPN interface
tab to all the selected devices.
VPN Interface The VPN interface defined for the selected device. Enter the name
of the interface role policy object that defines identifies the
interface, or click Select to select it from a list or to create a new
interface role object. (See Creating Interface Role Objects,
page 6-56.)
If the device is an ASA 5505 version 7.2(1) or later, it must have two
interfaces defined with different security levels. For more
information, see Managing Device Interfaces, page 39-6.
Connection Type Only available in a hub-and-spoke VPN topology, if the selected
device is an ASA or PIX 7.0+ hub, and the selected technology is
Regular IPsec.
Select the type of connection that the hub will use during an
SA negotiation:
Answer OnlyTo configure the hub to only respond to an SA
negotiation, but not initiate it.
Originate OnlyTo configure the hub to only initiate an SA
negotiation, but not respond to one.
BidirectionalTo configure the hub to both initiate and
respond to an SA negotiation.
Table 21-6 Edit Endpoints Dialog Box, VPN Interface Tab (Continued)
Element Description
Local Peer IPSec Termination Unavailable if the selected technology is Easy VPN.
Specifies the IP address of the VPN interface of the local router. You
can select one of the following options:
Tunnel Source IP AddressUse the IP address of the
tunnel source.
VPN Interface IP AddressUses the configured IP address
on the selected VPN interface. Only one VPN interface can
match the interface role. This option is available only if you
select Configure Unique Tunnel Source for each Tunnel in
the GRE Modes policy.
IP AddressExplicitly specify the IP address of the VPN
interface of the local router. Use this option when the device is
behind a NAT boundary to specify the NAT IP Address.
Note If you select a tunnel source as the VPN interface, it is likely
that the VPN interface has a dynamically assigned IP address.
Table 21-6 Edit Endpoints Dialog Box, VPN Interface Tab (Continued)
Element Description
Dial Backup Settings
Enable Backup Available if the selected device is an IOS router that is in a
point-to-point or full mesh topology, or that is a spoke in a
hub-and-spoke topology, or that is a remote client in an Easy
VPN topology.
Whether to configure a backup interface to use as a fallback
link for the primary route VPN interface, if its connection link
becomes unavailable.
Tip Before configuring a backup interface, you must first
configure the dialer interface settings on the device. For
more information, see Dialer Interfaces on Cisco IOS
Routers, page 52-27.
Dialer Interface The logical interface through which the secondary route traffic is
directed when the dialer interface is activated. This can be a Serial,
Async, or BRI interface.
Enter the name of the interface or interface role object, or click
Select to select it from a list.
Primary Next Hop IP Address Available only if the selected technology is Regular IPsec,
IPsec/GRE, GRE Dynamic IP, or Easy VPN.
The IP address to which the primary interface connects when it is
active. This is known as the next hop IP address.
If you do not specify the next hop IP address, Security Manager
configures a static route using the VPN interface name. The VPN
interface must be point-to-point or deployment fails.
You can choose the required IP address by clicking Select. The
Network/Hosts selector opens, in which you can select a network
from which the IP address will be allocated.
Tracking IP Address The IP address of the destination device to which connectivity must
be maintained from the primary VPN interface connection. This is
the device that is pinged by the Service Assurance agent through the
primary route to track connectivity. The backup connection is
triggered if connectivity to this device is lost.
If you do not specify an IP address, the primary hub VPN interface
is used in a hub-and-spoke or Easy VPN topology. In a point-to-point
or full mesh VPN topology, the peer VPN interface is used.
You can choose the required IP address by clicking Select. The
Network/Hosts selector opens, in which you can select a network
from which the IP address will be allocated.
Advanced button Available if the selected technology is Regular IPsec, IPsec/GRE,
GRE Dynamic IP, or Easy VPN.
Click this button to configure additional optional settings using the
Dial Backup Settings Dialog Box, page 21-37.
Step 1 You configure dial backup when creating or editing a site-to-site VPN; for information on starting the
Create VPN wizard, or opening the Edit VPN dialog box, see Creating or Editing VPN Topologies,
page 21-26.
In the Create VPN wizard, proceed to the Endpoints page.
In the Edit VPN dialog box, click the Endpoints tab.
For general information on editing endpoints, see Defining the Endpoints and Protected Networks,
page 21-31.
Step 2 Select the router on which you want to configure dial backup and click the Edit (pencil) button. If
there is more than one router that will have the same dialer configuration, you can select and edit them
all at once.
This action opens the Edit Endpoints dialog box. Select the VPN Interface tab if it is not already selected.
Step 3 On the VPN Interface tab, configure the following options related to dial backup. If you are creating a
new VPN, you need to configure the other settings (such as VPN interface) as well. For detailed
reference information for these options, see Configuring VPN Interface Endpoint Settings, page 21-32.
Enable BackupSelect this option.
Dialer InterfaceSpecify the physical interface through which the secondary route traffic will be
directed when the logical dialer interface is activated.
Primary Next Hop IP AddressIf the selected IPsec technology is Regular IPsec, IPsec/GRE,
GRE Dynamic IP, or Easy VPN, enter the next hop IP address. If you do not enter the next hop IP
address, Security Manager configures a static route using the interface name.
Tracking IP AddressSpecify the IP address of the destination device to which connectivity must
be maintained from the primary VPN interface connection. This is the device that is pinged through
the primary route to track connectivity. The backup connection is triggered if connectivity to this
device is lost.
If you do not specify an IP address, the primary hub VPN interface is used in a hub-and-spoke or
Easy VPN topology. In a point-to-point or full mesh VPN topology, the peer VPN interface is used.
Step 4 If the selected IPsec technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN, click
Advanced to configure additional (optional) settings in the Dial Backup Settings dialog box. These
settings are explained in Dial Backup Settings Dialog Box, page 21-37. Click OK to save your changes.
Step 5 Click OK in the Edit Endpoints dialog box.
Note You must configure the dialer interface settings before dial backup can work properly. For more
information, see Dialer Interfaces on Cisco IOS Routers, page 52-27.
Navigation Path
To open the Dial Backup Settings dialog box, enable dial backup and click Advanced on the VPN
Interface tab of the Edit Endpoints dialog box. For information on opening the Edit Endpoints dialog
box, see Defining the Endpoints and Protected Networks, page 21-31.
Related Topics
Configuring Dial Backup, page 21-36
Understanding Easy VPN, page 24-1
Field Reference
Element Description
Next Hop Forwarding If required, enter the next hop IP address of the ISDN BRI or analog
Backup Next Hop IP Address modem backup interface (that is, the IP address to which the backup
interface will connect when it is active). You can enter an IP address or
the name of a network/host object, or click Select to select a
network/host object that specifies the IP address.
If you do not enter the next hop IP address, Security Manager
configures a static route using the interface name.
Tracking Object Settings
Timeout The number of milliseconds the Service Assurance Agent operation
waits to receive a response from the destination device. The default is
5000 ms.
Frequency How often Response Time Reporter (RTR) should be used to detect loss
of performance on the primary route. The default is every 60 seconds.
Threshold The rising threshold in milliseconds that generates a reaction event
and stores history information for the RTR operation. The default is
5000 ms.
General Notes
A Catalyst 6500/7600 device can contain from 3 to 13 chassis slots. Due to the design of the blades,
you can install one VPNSM or two VPNSPA/VSPA per slot. The location of a VPNSPA/VSPA is
identified with a slot and subslot number. Security Manager stores this information in its inventory,
so that Security Manager can manage the VPN topologies.
If you are configuring intra-chassis high availability, you cannot use a VPNSM blade and a
VPNSPA/VSPA blade on the same device as primary and failover blades.
In a remote access VPN, you can configure only one failover unit for each IPsec proposal. See
VPNSM/VPN SPA Settings Dialog Box, page 27-80.
If the Catalyst 6500/7600 has a Firewall Services Module (FWSM), you can configure it to work
with these modules. For more information, see Configuring a Firewall Services Module (FWSM)
Interface with VPNSM or VPNSPA/VSPA, page 21-43.
If you are configuring a VPNSM or VPNSPA/VSPA with VRF-Aware IPsec on a device, the device
cannot belong to a different VPN topology in which VRF-Aware IPsec is not configured. For more
information, see Configuring VRF Aware IPsec Settings, page 21-44.
Create an inside VLAN on the Catalyst 6500/7600 device, or edit an existing port or VLAN
configuration. If the device is configured with VRF-Aware IPsec, you must create a
forwarding VLAN.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a Catalyst 6500/7600 device, then click Edit to open the Edit Endpoints Dialog Box. Select the
FWSM tab in the Edit Endpoints dialog box. For information on how to access these pages and dialog
boxes, see Defining the Endpoints and Protected Networks, page 21-31.
Field Reference
Table 21-8 Edit Endpoints Dialog Box, VPN Interface Tabs VPNSM/VPN SPA/VSPA Settings
Element Description
Enable the VPN Note Available if you selected more than one Catalyst 6500/7600
Interface Changes on All device for editing in the Endpoints page.
Selected Peers
When selected, applies any changes you make in the VPN interface tab
to all the selected devices.
VPNSM/VPN SPA/VSPA Use Crypto Connect AlternateWhen selected, only encrypted
Settings traffic entering the VPNSM/VPN SPA on the Catalyst 6500/7600
is passed through. Clear text traffic does not go through (bypasses)
the adapters. To use this option, the Catalyst 6500 must be running
version 12.2(33)SXH or later, and the 7600 router must be running
12.2(33)SRA or later.
This mode is recommended as an alternate to Crypto connect mode
for enterprise customers who have a need to support large VPN
topologies (financial institutions, for example) or need to pass
large amounts of data over an encrypted channel (remote disaster
recovery or backup over the Internet).
Inside VLANThe VLAN that serves as the inside interface to
the service module or adapter. It is also the hub endpoint of the
VPN tunnel (unless VRF-Aware IPsec is configured on the device).
Enter the name of the VLAN or interface role object, or click
Select to select it from a list.
Slot and SubslotThe number designating the slot location of the
VPNSM or VPNSPA/VSPA. If you are configuring a
VPNSPA/VSPA, the subslot number is also required.
Outside VLAN/External portThe external port or VLAN that
connects to the inside VLAN. Enter the name of the VLAN or
interface role object, or click Select to select it from a list. You
must select an interface or interface role that differs from the one
selected for the inside VLAN.
Note If VRF-Aware IPsec is configured on the device, the external
port or VLAN must have an IP address.
Table 21-8 Edit Endpoints Dialog Box, VPN Interface Tabs VPNSM/VPN SPA/VSPA Settings
Element Description
Tunnel Source Note Available only for a hub when the selected technology is
IPsec/GRE or DMVPN.
Note In a hub-and-spoke VPN topology in which Regular IPsec is the assigned technology, when
an ACL object is used to define the protected network on a spoke, Security Manager mirrors
the spokes ACL object on the hub to the matching crypto map entry.
To remove a selected protected network, select it and click the << button.
If the order of the objects matters, you can adjust the priority order of the selected objects using the
Move Up, Move Down buttons to position the objects in the selected list as desired. These buttons
are not available if order does not matter.
If an object that you need to define the protected network is not listed, click the Create (+) button
to add the object; you are prompted to select the type of object you want to add. You can also modify
the definition of an existing object by selecting it and clicking the Edit (pencil) button. For more
information, see the following topics:
Understanding Interface Role Objects, page 6-55 and Creating Interface Role Objects,
page 6-56.
Understanding Network/Host Objects, page 6-62 and Creating Network/Host Objects,
page 6-64.
Creating Access Control List Objects, page 6-40.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a device and click Edit to open the Edit Endpoints Dialog Box. Select the Protected Networks
tab in the Edit Endpoints dialog box. For information on how to access these pages and dialog boxes, see
Defining the Endpoints and Protected Networks, page 21-31.
Tips
Before you can define the FWSM settings, you must add the hosting Catalyst 6500/7600 device to
the Security Manager inventory and discover its FWSM and its policies and security contexts. See
Adding Devices from the Network, page 3-8 and Managing Security Contexts, page 49-4.
If an inside interface is not already created on the Catalyst 6500/7600 device, you must create it (see
Creating or Editing VLANs, page 58-26). Then, you must assign the FWSM inside interface
(VLAN) to the appropriate security context, or directly to the FWSM blade.
You also must configure the settings on the VPN Interfaces tab related to IPsec VPN Services
Module (VPNSM) or VPNSPA/VSPA. For more information, see Configuring VPNSM or VPN
SPA/VSPA Endpoint Settings, page 21-38.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a Catalyst 6500/7600 device that contains an FWSM, then click Edit to open the Edit Endpoints
Dialog Box. Select the FWSM tab in the Edit Endpoints dialog box. For information on how to access
these pages and dialog boxes, see Defining the Endpoints and Protected Networks, page 21-31.
Field Reference
Element Description
Enable FWSM Settings Whether you want to configure the connection between the Firewall Services
Module (FWSM) and the VPN Services Module (VPNSM) or VPN SPA on
the Catalyst 6500/7600 device.
FWSM Inside VLAN The VLAN that serves as the inside interface to the Firewall Services
Module (FWSM). Enter the name of the interface or interface role, or click
Select to select it from a list or to create a new interface role object.
FWSM Blade From the list of available blades, select the blade number to which the
selected FWSM inside VLAN interface is connected.
Security Context If the FWSM inside VLAN is part of a security context (that is, the FWSM
is running in multiple-context mode), specify the security context name in
this field. The name is case-sensitive.
Tips
VRF-Aware IPsec can be configured only on hubs in a hub-and-spoke VPN topology.
In a VPN topology with two hubs, you must configure VRF-Aware IPsec on both devices.
You cannot configure VRF-Aware IPsec on a device that belongs to another VPN topology in which
VRF-Aware IPsec is not configured.
You cannot configure VRF-Aware IPsec on hubs that have been configured with high availability.
See Configuring High Availability in Your VPN Topology, page 21-46.
Deployment might fail if the IPsec Aggregator is configured with the same keyring CLI command
as the existing preshared key (keyring) command, and is not referenced by any other command. In
this case, Security Manager does not use the VRF keyring CLI, but generates the keyring with a
different name, causing deployment to fail. You must manually remove the preshared key keyring
command through the CLI before you can deploy the configuration.
Navigation Path
On the Endpoints Page of the Create VPN wizard or Edit VPN dialog box, or on the VPN Peers policy,
select a device that supports VRF-Aware IPsec configuration in a hub-and-spoke topology, and click
Edit to open the Edit Endpoints Dialog Box. Select the VRF-Aware IPsec tab in the Edit Endpoints
dialog box. For information on how to access these pages and dialog boxes, see Defining the Endpoints
and Protected Networks, page 21-31 and Creating or Editing VPN Topologies, page 21-26.
Field Reference
Table 21-10 Edit Endpoints Dialog Box, VRF Aware IPsec Tab
Element Description
Enable the VRF Available if you selected more than one device for editing in the
Settings Changes on Endpoints page.
All Selected Peers
When selected, applies any changes you make in the VRF Settings tab to all
the selected devices.
Enable VRF Settings Whether to enable the configuration of VRF settings on the device.
Note You can remove VRF settings that were defined for the VPN
topology by deselect this check box. However, if VRF-Aware IPsec
is configured on a Catalyst 6500/7600 device, disabling it requires
additional steps, as explained in Enabling and Disabling VRF on
Catalyst Switches and 7600 Devices, page 21-16.
Table 21-10 Edit Endpoints Dialog Box, VRF Aware IPsec Tab (Continued)
Element Description
VRF Solution The type of VRF solution you want to configure:
1-Box (IPsec Aggregator + MPLS PE)In the one-box solution, one
device serves as the Provider Edge (PE) router that does the MPLS
tagging of the packets in addition to IPsec encryption and decryption
from the Customer Edge (CE) devices. For more information, see
VRF-Aware IPsec One-Box Solution, page 21-13.
2-Box (IPsec Aggregator Only)In the two-box solution, the PE device
does just the MPLS tagging, while the IPsec Aggregator device does the
IPsec encryption and decryption from the CEs. For more information,
see VRF-Aware IPsec Two-Box Solution, page 21-14.
VRF Name The name of the VRF routing table on the IPsec Aggregator. The VRF name
is case-sensitive.
Route Distinguisher The unique identifier of the VRF routing table on the IPsec Aggregator. This
unique route distinguisher maintains the routing separation for each VPN
across the MPLS core to the other PE routers.
The identifier can be in either of the following formats:
IP address:X (where X is in the range 0- 2147483647).
N:X (where N is in the range 0-65535, and X is in the range 0-
2147483647).
Note You cannot override the RD identifier after deploying the VRF
configuration to your device. To modify the RD identifier after
deployment, you must manually remove it using the device CLI, and
then deploy again.
Interface Towards The VRF forwarding interface on the IPsec Aggregator towards the PE
Provider Edge device. If the IPsec Aggregator (hub) is a Catalyst VPN service module, you
must specify a VLAN.
(2-Box solution only.)
Enter the name of the interface or interface role object, or click Select to
select it from a list or to create a new interface role object.
Routing Protocol The routing protocol to be used between the IPsec Aggregator and the
PE. The options are BGP, EIGRP, OSPF, RIPv2, or Static route. The default
(2-Box solution only.)
is BGP.
If the routing protocol used for the secured IGP differs from the routing
protocol between the IPsec Aggregator and the PE, select the routing
protocol to use for redistributing the routing to the secured IGP.
For information about protocols, see Chapter 51, Managing Routers.
Note In a one-box solution, these fields are unavailable as you do not need
to specify the routing protocol and AS number. In the one-box
solution, only the BGP protocol is supported.
Table 21-10 Edit Endpoints Dialog Box, VRF Aware IPsec Tab (Continued)
Element Description
AS Number The number that will be used to identify the autonomous system (AS) area
(2-Box solution, BGP or between the IPsec Aggregator and the PE. The AS number must be within
EIGRP routing only.) the range 1-65535.
If the routing protocol used for the secured IGP differs from the routing
protocol between the IPsec Aggregator and the PE, enter an AS number that
will be used to identify the secured IGP into which the routing will be
redistributed from the IPsec Aggregator and the PE. This is relevant only
when IPsec/GRE or DMVPN are applied.
Process Number The routing process ID number that will be used to identify the secured IGP
if you are using OSPF routing.
(2-Box solution, OSPF
routing only.) The range is 1-65535.
OSPF Area ID The ID number of the area in which the packet belongs. You can enter any
number from 0-4294967295.
(2-Box solution, OSPF
routing only.) Note All OSPF packets are associated with a single area, so all devices
must have the same area ID number.
Next Hop IP Address The IP address of the Provider Edge (PE) or the interface that is connected
to the IPsec Aggregator, if you are using static routing.
(2-Box solution, static
routing only.)
Redistribute Whether to have static routes advertised in the routing protocol configured
Static Route on the IPsec Aggregator towards the PE device.
(2-Box solution,
non-static routing only.)
Element Description
Enable Whether to enable high availability configuration on a group of hubs. If you
already configured high availability, you can remove the configuration by
deselecting this option.
Inside Virtual IP The IP address that is shared by the hubs in the HA group and that represents
the inside interface of the HA group. The virtual IP address must be on the
same subnet as the inside interfaces of the hubs in the HA group, but must
not be identical to the IP address of any of these interfaces.
Note If there is an existing standby group on the device, make sure that the
IP address you provide is different from the virtual IP address
already configured on the device.
Inside Mask The subnet mask for the inside virtual IP address.
VPN Virtual IP The IP address that is shared by the hubs in the HA group and represents the
VPN interface of the HA group. This IP address serves as the hub endpoint
of the VPN tunnel.
Note If there is an existing standby group on the device, make sure that the
IP address you provide is different from the virtual IP address
already configured on the device.
VPN Mask The subnet mask for the VPN virtual IP address.
Element Description
Hello Interval The duration in seconds (within the range of 1-254) between each hello
message sent by a hub to the other hubs in the group to indicate status and
priority. The default is 5 seconds.
Hold Time The duration in seconds (within the range of 2-255) that a standby hub will
wait to receive a hello message from the active hub before concluding that
the hub is down. The default is 15 seconds.
Standby Group Number The standby number of the inside hub interface that matches the internal
(Inside) virtual IP subnet for the hubs in the HA group. The number must be within
the range of 0-255. The default is 1.
Standby Group Number The standby number of the outside hub interface that matches the external
(Outside) virtual IP subnet for the hubs in the HA group. The number must be within
the range of 0-255. The default is 2.
Note The outside standby group number must be different from the inside
standby group number.
Enable Stateful Failover Whether to enable stateful failover, which uses Stateful SwitchOver (SSO)
to ensure that state information is shared between the HSRP devices in the
HA group. If a device fails, the shared state information enables the standby
device to maintain IPsec sessions without having to re-establish the tunnel
or renegotiate the security associations.
You can configure stateful failover only on an HA group that contains two
hubs that are Cisco IOS routers. This check box is disabled if the HA group
contains more than two hubs.
In an Easy VPN topology, this check box appears selected and disabled, as
stateful failover must always be configured.
Tips:
When deselected in a Regular IPsec topology, stateless failover is
configured on the HA group. Stateless failover will also be configured if
the HA group contains more than two hubs. You can configure stateless
failover on Cisco IOS routers or Catalyst 6500/7600 devices.
Stateful failover cannot be used when RSA Signature is the IKE
authentication method.
Stateful failover can be configured together with PKI configuration, but
only on devices with Cisco IOS version 12.3(14)T and later.
Related Topics
Hub-and-Spoke VPN Topologies, page 21-2
Understanding Easy VPN, page 24-1
Element Description
Group Settings Tab
Group Name The name of the Group Name of Interpretation (GDOI) group. This name is
the same as a VPN name.
Group Identity A parameter that is used to identify the group. All key servers and group
members use this parameter to identify with the group.
The identity can be either a number (such as 3333) or any IP address (such
as the multicast address used for rekey).
Receive Only If enabled, group members decrypt traffic and forward it in clear text. This
feature is useful for testing the VPN. In normal operation, ensure that this
option is not selected. For detailed information, see Using Passive Mode to
Migrate to GET VPN, page 25-23.
Security Policy An ACL policy object to be used as the security policy. For a detailed
(Create VPN explanation of the contents of this object and how it relates to the group
wizard only.) member security policy, see Understanding the GET VPN Security Policy
and Security Associations, page 25-10.
This field appears only if you are using the Create VPN wizard. In the Group
Encryption Policy, you configure the security policy on the Security
Associations tab (described below).
Note If you are using multicast as the method to distribute the keys, then
the ACL policy object must contain a deny rule (ACE) for the
multicast address. In this way, the rekey packets sent using multicast
will not be encrypted by the TEK. This statement allows the group
members to receive rekey packets sent using the multicast protocol.
Element Description
Authorization Type The type of authorization mechanism used by the group: None, Certificates,
or Preshared Key. Selecting Certificates or Preshared Key provides
additional security in allowing only authorized group members to register
with the key server. This type of additional security is required when a key
server serves multiple GDOI groups.
If you select Certificates, you must create a list of certificate filters (using
some combination of distinguished name or full-qualified domain name
attributes). This filter, located on the key server, specifies the attributes and
values used to validate whether the group member is authorized to join the
GDOI group. Enter a name for the certificate filter, click the Add Row (+)
button, and fill in the Add Certificate Filter Dialog Box, page 21-52.
Note To configure certificate authorization, you must also configure a
Public Key Infrastructure (PKI) policy for the GET VPN. The
PKI enrollment object that you use should define the same
distinguished names, or include the devices fully-qualified
domain name, as appropriate.
If you select Preshared Key, also select an ACL policy object to identify the
authorized group members. Use permit rules to identify the host or network
addresses of group members.
Key Distribution The transport method to be used to distribute keys to each group member,
either unicast or multicast. For help deciding which to use, see Choosing the
Rekey Transport Mechanism, page 25-6.
If you select unicast, the key server sends a rekey message to each registered
group member and waits for an acknowledgment. If you select multicast, the
key server sends a rekey message to all group members at once and does not
wait for acknowledgment. Rekey messages are retransmitted after the
retransmit interval configured in this policy.
If you select multicast, make sure that the router used as the key server is
multicast enabled, and also configure the following options:
Group IP AddressThe IP address of the multicast group to be used
for key distribution.
Use Static IGMP Joins on Group MembersIf you select this option,
the static Source Specific Multicast (SSM) mappings are enabled, which
reveal the source of multicast traffic to the group member. In the case of
GET VPN, the group member learns the key server address.
Element Description
RSA Key Label The label for the RSA key, which is used to encrypt a variety of messages.
This key can either already exist on the device, or it can be an unused
new label.
If you are creating a new VPN, you are asked at the end of the Create VPN
wizard whether you want this key synchronized among the key servers; if
you click Yes, Security Manager generates the key if it does not already
exist. If you change this value for an existing GET VPN, you need to
synchronize keys from the Key Servers policy. For more detailed
information about how this key is used, and the key generation and
synchronization process, see Generating and Synchronizing RSA Keys,
page 25-13.
Lifetime (KEK) The number of seconds that the key encryption key (KEK) is valid. This key
is used for encrypting rekey messages. Before the end of this lifetime, the key
server sends rekey messages to the group, which includes a new KEK
encryption key and transforms and new TEK encryption keys and transforms.
The KEK lifetime value should be greater than the TEK lifetime value (it is
recommended that the KEK lifetime value be at least three times greater than
the TEK lifetime value). The default value of 86,400 seconds is usually
appropriate. The TEK lifetime value is configured for each security
association (see Add New or Edit Security Association Dialog Box,
page 21-52).
Encryption Algorithm The algorithm used to encrypt the rekey message from the key server to the
group member.
Retransmits The number of times the rekey message can be sent if one or more group
members do not receive it.
Interval The number of seconds between retries.
Security Associations Tab
Security Associations Use the Security Associations table to define security associations for the
table VPN. The columns in the table summarize the settings for an entry and are
explained in Add New or Edit Security Association Dialog Box, page 21-52.
When creating a new VPN, the Security Policy field (explained above) is
used instead of this tab, which does not appear in the wizard.
To configure security associations:
Click the Add button to add an entry to the table, and fill in the Add New
Security Association dialog box.
Select an entry and click the Edit button to edit an existing entry.
Select an entry and click the Delete button to delete it.
Related Topics
Understanding the GET VPN Registration Process, page 25-4
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Tip To configure certificate authorization, you must also configure a Public Key Infrastructure (PKI) policy
for the GET VPN. The PKI policy is configured on all devices in the VPN.
Navigation Path
From the Group Settings tab on the GET VPN Group Encryption page, select Certificates as the
authorization type and click the Add Row button under the Authorization Filter table, or select a filter
and click the Edit Row button. For information on opening the Group Encryption page, see Defining
GET VPN Group Encryption, page 21-49.
Related Topics
Understanding the GET VPN Registration Process, page 25-4
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Navigation Path
To open the Add New Security Association dialog box, from the Security Associations tab on the GET
VPN Group Encryption page, click the Add Row (+) button or select an existing association and click
the Edit Row (pencil) button. For information on opening the Group Encryption page, see Defining GET
VPN Group Encryption, page 21-49.
Related Topics
Understanding the GET VPN Registration Process, page 25-4
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Field Reference
Element Description
ID The sequence number of the profile. This number defines the relative priority
of the security association (1 being the highest). If you have more than one
security association, the ACLs for each are concatenated (and merged) in the
order represented by this number, and the group members process the
collected ACL as a single ACL.
Keep the default number or enter a new one.
IPSec Profile Name The name of the IPSec profile.
Transform Sets The transform set policy objects (security protocols, algorithms, and other
settings) defined for the IPSec profile. Separate multiple entries with
commas, and place them in priority order. Click Select to choose from a list
of predefined transform sets or to create a new one.
Security Policy The access control list policy object defined for the security association.
Click Select to choose from a list of predefined ACL objects or to create a
new one. For a detailed explanation of the contents of this object and how it
relates to the group member security policy, see Understanding the GET
VPN Security Policy and Security Associations, page 25-10.
Note If you are using multicast as the method to distribute the keys, then
the ACL policy object must contain a deny rule (ACE) for the
multicast address. In this way, the rekey packets sent using multicast
will not be encrypted by the TEK. This statement allows the group
members to receive rekey packets sent using the multicast protocol.
Enable Anti-Replay Whether to enable the anti-replay feature, which helps prevent
eavesdroppers from inserting packets into the data stream. You can configure
anti-replay based on traffic counters or time:
Counter Window SizeAlthough this is the default, it is not
recommended. Counter-based anti-replay is useful only if there are two
group members (essentially a point-to-point VPN). Select a window size.
Time Window SizeThis is the preferred method, but it requires that
there are more than two group members. Enter the number of seconds of
the interval duration of the Synchronous Anti-Replay (SAR) clock. The
value range is 1 through 100. The default value is 100. For more
information on time-based anti-replay, see Understanding Time-Based
Anti-Replay, page 25-12.
Note If you are encrypting high packet rates for count-based anti-replay,
ensure that you do not make the KEK or TEK lifetime too long or it
can take several hours for the sequence number to wrap. For
example, if the packet rate is 100 kilopackets per second, the lifetime
should be configured as less than 11.93 hours so that the SA is used
before the sequence number wraps.
Element Description
Enable IPSec Lifetime Whether to configure an IPsec security association lifetime that overrides the
global setting, which is configured in the Global Settings for GET VPN
policy (see Configuring Global Settings for GET VPN, page 25-16). This
lifetime value controls how long the traffic encryption key (TEK) can be
used before a rekey is required.
Configure a value based on the volume of traffic (in kilobytes) between
group members, seconds, or both. The key expires when either of the values
is reached. Use the following recommendations:
The lifetime should be significantly shorter than the one used for the key
encryption key (KEK) (see Defining GET VPN Group Encryption,
page 21-49), perhaps a third of the length.
The timed lifetime is the recommended approach, because high traffic
volumes can cause excessive rekeys (with potential data loss).
Leave a field blank to not override that global setting.
Tip The list of key servers and group members includes those devices you selected on the Device Selection
page of the wizard (see Selecting Devices for Your VPN Topology, page 21-29), however, you can use
the Add (+) and Delete (trash can) buttons to add or remove devices from this page.
Examine the list of key servers and group members to determine if the default settings are appropriate
for your VPN. You can select Matching Interfaces from the Show field below each table to display the
actual interfaces that will be selected by the default interface roles. The interface roles must resolve to
actual interfaces on the device for the GET VPN configuration to be valid.
Related Topics
Configuring Fail-Close to Protect Registration Failures, page 25-8
Using Passive Mode to Migrate to GET VPN, page 25-23
Configuring GET VPN Key Servers, page 25-18
Configuring GET VPN Group Members, page 25-20
Step 1 Configure the key servers if the default settings are not appropriate.
For each key server you want to modify, select it, click the Edit (pencil) button beneath the table, and
configure at least following settings. For information on all available settings, see Edit Key Server
Dialog Box, page 25-19.
Identity InterfaceSelect the interface that group members use to identify the key server and
register with it. The default is the Loopback interface role, which identifies all Loopback interfaces
defined on the key server.
PriorityDefine the role of the key server as primary or secondary by entering a priority value
between 1-100. The key server with the highest priority becomes the primary key server. If two or
more key servers are assigned the same priority value, the device with the highest IP address is used.
The default priority is 100 for the first key server, 95 for the second, and so on.
Note There can be more than one primary key server if the network is partitioned.
Step 2 Move key servers up or down in the table to specify the order that group members use to register with
key servers. Group members register with the first key server in the list. If the first key server cannot be
reached, they will register with the second key server, and so on. Note that this order does not define the
overall key server priority, which is used to determine which key server is the primary key server.
Step 3 Configure the group members if the default settings are not appropriate.
For each group member you want to modify, select it, click the Edit (pencil) button beneath the table,
and configure at least the following settings:
GET-Enabled InterfaceThis is the VPN-enabled outside interface to the provider edge (PE).
Traffic originating or terminating on this interface is evaluated for encryption or decryption, as
appropriate. You can configure multiple interfaces by selecting an interface role object that resolves
to more than one interface. Click Select to select an interface role object or to create a new object.
Interface To Be Used As Local AddressThe interface whose IP address is used to identify the
group member to the key server for sending data, such as rekey information. If GET is enabled on
only one interface, you do not need to specify the interface to be used as the local address. If GET
is enabled on more than one interface, you must specify the interface to be used as the local address.
Enter the name of the interface or interface role, or click Select to select an interface role.
For information on the other available settings, see Edit Group Member Dialog Box, page 25-21.
The initial defaults listed in this page are configured in the Security Manager Administration VPN
Policy Defaults Page, page 11-39. If no specific default was configured for a mandatory policy, the
Factory Default policy is selected. For more information about configuring default policies, see
Understanding and Configuring VPN Default Policies, page 21-11.
If a policy is mandatory, you must make a selection. If there are no shared policies, Factory Default
is your only option. You can always edit the policy after you create the topology.
Note If you try to select a shared policy that is currently locked by another user, a message is
displayed warning you of a lock problem. To bypass the lock, select a different policy or
cancel the VPN topology creation until the lock is removed. For more information, see
Understanding Policy Locking, page 5-7.
If a policy is optional, and there are no shared policies, you cannot select anything. If you want the
features provided by that policy, configure it after you finish creating the topology.
To view the contents of the policy in a read-only dialog box, select the policy and click the View
Contents button beside the policy list.
When you are done, click Finish to create the new VPN topology. The new VPN topology appears in the
VPNs selector in the Site-to-Site VPN window, with the VPN Summary page displayed. See Viewing a
Summary of a VPN Topologys Configuration, page 21-56.
Element Description
Name The name of the VPN topology.
Technology The IPsec technology assigned to the VPN topology. See Understanding
IPsec Technologies and Policies, page 21-5.
Type The VPN topology type: Hub-and-Spoke, Point-to-Point, or Full Mesh.
Description A description of the VPN topology.
Element Description
IPsec Terminator Available if the VPN topology is large scale DMVPN.
The name of the IPsec Terminator(s) used to load balance GRE traffic to the
hubs in the large scale DMVPN.
Primary Hub Available if the VPN topology type is hub-and-spoke.
The name of the primary hub in the hub-and-spoke topology.
Failover Hubs Available if the VPN topology type is hub-and-spoke.
The name of any secondary backup hubs that are configured in the
hub-and-spoke topology.
Number of Spokes Available if the VPN topology type is hub-and-spoke.
The number of spokes that are included in the hub-and-spoke topology.
Peer 1 Available if the VPN topology type is point-to-point.
The name of the device that is defined as Peer One in the point-to-point
VPN topology.
Peer 2 Available if the VPN topology type is point-to-point.
The name of the device that is defined as Peer Two in the point-to-point
VPN topology.
Number of Peers Available if the VPN topology type is full mesh.
The number of devices included in the full mesh VPN topology.
IKE Proposal The security parameters of the IKE proposal configured in the VPN
topology. See IKE Proposal Page, page 22-4.
Dynamic VTI Available in an Easy VPN topology.
Displays if a dynamic virtual template interface is configured on a device in
an Easy VPN topology. See Dynamic VTI Tab, page 24-9.
Transform Sets The transform sets that specify the authentication and encryption algorithms
that will be used to secure the traffic in the VPN tunnel. See IPsec Proposal
Page, page 22-9.
Preshared Key Unavailable if the selected technology is Easy VPN.
Specifies whether the shared key to use in the preshared key policy is user
defined or auto-generated. See Preshared Key Page, page 22-24.
Public Key If a Public Key Infrastructure policy is configured in the VPN topology,
Infrastructure specifies the CA server. See Public Key Infrastructure Page, page 22-32.
Element Description
Routing Protocol Available only if the selected technology is IPsec/GRE, GRE Dynamic IP, or
DMVPN.
The routing protocol and autonomous system (or process ID) number used
in the secured IGP for configuring a GRE, GRE Dynamic IP, or DMVPN
routing policy.
Note Security Manager adds a routing protocol to all the devices in the
secured IGP on deployment. If you want to maintain this secured
IGP, you must create a router platform policy using this routing
protocol and autonomous system (or process ID) number.
Related Topics
Configuring an IKE Proposal, page 22-4
Configuring IPsec Proposals, page 22-9
Configuring Preshared Key Policies, page 22-23
Configuring Public Key Infrastructure Policies, page 22-31
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs, page 23-6
Configuring GRE Modes for DMVPN, page 23-12
Configuring Large Scale DMVPNs, page 23-16
Some site-to-site VPN policies are used in many different VPN technologies, and even in remote-access
VPN configurations. The following topics explain these common policies and how to configure them.
Understanding IKE, page 22-1
Understanding IPsec Tunnel Policies, page 22-5
Understanding VPN Global Settings, page 22-12
Understanding Preshared Key Policies, page 22-22
Understanding Public Key Infrastructure Policies, page 22-26
Understanding IKE
Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers,
negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security
associations (SAs).
The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE
peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE
establishes SAs for other applications, such as IPsec. Both phases use proposals when they negotiate
a connection.
An IKE proposal is a set of algorithms that two peers use to secure the IKE negotiation between them.
IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which
security parameters will be used to protect subsequent IKE negotiations. You can create multiple,
prioritized policies at each peer to ensure that at least one policy matches a remote peers policy. You
can define several IKE proposals per VPN.
To define an IKE proposal, you must specify:
Which encryption algorithm to use for the IKE negotiation. See Deciding Which Encryption
Algorithm to Use, page 22-2.
Which hash algorithm to use for integrity checking. See Deciding Which Hash Algorithm to Use,
page 22-2.
Which Diffie-Hellman group to use to operate the encryption algorithm. See Deciding Which
Diffie-Hellman Group to Use, page 22-3.
Which device authentication method to use. See Deciding Which Authentication Method to Use,
page 22-3.
For how long the IKE SA will be valid.
Related Topics
Configuring an IKE Proposal, page 22-4
IKE Proposal Page, page 22-4
Related Topics
Understanding IKE, page 22-1
Configuring an IKE Proposal, page 22-4
Related Topics
Understanding IKE, page 22-1
Configuring an IKE Proposal, page 22-4
Related Topics
Understanding IKE, page 22-1
Configuring an IKE Proposal, page 22-4
Related Topics
Understanding IKE, page 22-1
Configuring an IKE Proposal, page 22-4
Note For more information about the IKE (Internet Key Exchange) key management protocol, see
Understanding IKE, page 22-1.
This procedure describes how to view the parameters of the selected IKE proposal, select a different one
from a list of predefined IKE proposals, or create one.
Related Topics
Understanding IKE, page 22-1
Understanding Preshared Key Policies, page 22-22
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.
Step 2 In the VPNs selector, select the desired VPN topology.
Step 3 Select IKE Proposal Policy in the Policies selector.
The IKE Proposal page appears, displaying the assigned IKE proposal with its default values. For a
description of the elements on this page, see IKE Proposal Page, page 22-4.
Step 4 To assign a different IKE proposal, click Select. The Select IKE Policy Object dialog box opens. Select
the desired IKE proposal from list and click OK. If the required IKE proposal is not included in the list,
click Add to create an IKE proposal object. For more information, see Add or Edit IKE Proposal Dialog
Box, page 28-26.
Navigation Path
(Site-to-Site VPN Manager Window, page 21-17) Select a topology in the VPNs selector, then select
IKE Proposal in the Policies selector.
(Policy view) Select Site-to-Site VPN > IKE Proposal from the Policy Types selector. Select an
existing shared policy or create a new one.
Related Topics
Understanding IKE, page 22-1
Configuring an IKE Proposal, page 22-4
Understanding Preshared Key Policies, page 22-22
Preshared Key Page, page 22-24
Configuring VPN Topologies in Device View, page 21-18
Field Reference
Element Description
Available IKE Proposals Lists the predefined IKE proposals available for selection.
Select the required IKE proposal in the list. The IKE proposal replaces the
one in the Selected IKE Proposal field.
IKE proposals are predefined objects. If the required IKE proposal is not
included in the list, click Add to open the IKE Editor dialog box that enables
you to create or edit an IKE proposal object. For more information, see Add
or Edit IKE Proposal Dialog Box, page 28-26.
Selected The selected IKE proposal with its predefined default values. The default is
preshared_sha_3des_dh5_5.
Note You cannot edit the selected IKE proposal because it is a predefined
object. You can only edit the properties of an IKE proposal object
you create.
To remove the IKE proposal from this field, select a different one.
Create button Opens the IKE Editor dialog box for creating an IKE proposal object. For
more information, see Add or Edit IKE Proposal Dialog Box, page 28-26.
Edit button Opens the IKE Editor dialog box for editing the selected IKE proposal. For
more information, see Add or Edit IKE Proposal Dialog Box, page 28-26.
Related Topics
Configuring IPsec Proposals, page 22-9
Note Security Manager can manage an existing VPN tunnel, only if the tunnels peers are managed by
Security Manager. In such a case, Security Manager uses the same crypto map name for the tunnel on
the peers. On subsequent deployments, only Security Manager tunnels are managed (Security Manager
maintains a log of all tunnels that were configured).
Related Topics
Understanding IPsec Tunnel Policies, page 22-5
About Transform Sets, page 22-7
Configuring IPsec Proposals, page 22-9
Note You cannot use transport mode when IPsec or Easy VPN are the assigned technologies.
Security Manager provides predefined transform sets that you can use in your tunnel policies. You can
also create your own transform sets. For more information, see Add or Edit IPSec Transform Set Dialog
Box, page 28-28.
Related Topics
Understanding IPsec Tunnel Policies, page 22-5
About Crypto Maps, page 22-6
Configuring IPsec Proposals, page 22-9
Note Security Manager automatically configures RRI on devices with High Availability (HA) or on the IPsec
Aggregator when VRF-Aware IPsec is configured. You can also configure RRI on a devices crypto map
in a remote access VPN. See Configuring an IPsec Proposal on a Remote Access VPN Server,
page 26-39.
In Security Manager, the following options are available for configuring Reverse Route Injection:
For dynamic crypto maps, routes are created upon the successful establishment of IPsec SAs for
those remote proxies. The next hop back to those remote proxies is via the remote VPN router whose
address is learned and applied during the creation of the dynamic crypto map template. The routes
are deleted after the SAs are deleted.
The Remote Peer option (available for IOS devices only) enables you to specify an interface or
address as the explicit next hop to the remote VPN device. Two routes are created. One route is the
standard remote proxy ID and the next hop is the remote VPN client tunnel address. The second
route is the actual route to the remote tunnel endpoint, when a recursive lookup is forced to impose
that the remote endpoint is reachable via next-hop. Creation of the second route for the actual next
hop is very important for VRF-Aware IPsec when a default route must be overridden by a more
explicit route.
Note For devices using a VPN Services Module (VPNSM), the next hop is the interface or
subinterface/VLAN on which the crypto map is applied.
In the case of Remote Peer IP (available for IOS devices only), one route is created to a remote proxy
by way of a user-defined next hop. The next hop can be used to override a default route, to properly
direct outgoing encrypted packets. This option reduces the number of routes created and supports
those platforms that do not readily facilitate route recursion.
Related Topics
Understanding IPsec Tunnel Policies, page 22-5
About Crypto Maps, page 22-6
Configuring IPsec Proposals, page 22-9
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
Related Topics
Understanding IPsec Tunnel Policies, page 22-5
About Reverse Route Injection, page 22-8
IPsec Proposal Page, page 22-9
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.
Step 2 In the VPNs selector, select the required VPN topology.
Step 3 Select IPsec Proposal in the Policies selector.
The IPsec Proposal page appears, displaying the defined parameters for the selected IPsec proposal. For
a description of the elements on this page, see Table 22-2 on page 22-10.
Step 4 Click the Static or Dynamic radio button, depending on the crypto map type.
Step 5 Select the required transform sets for your tunnel policy.
Step 6 To generate and use a unique session key for each encrypted exchange, select the Enable Perfect
Forward Secrecy check box. Then, select the required Diffie-Hellman key derivation algorithm from
the Modulus Group list.
Step 7 In the Lifetime fields, specify the lifetime settings for the crypto IPsec security association (SA) in
seconds, in kilobytes, or both.
Step 8 To enable Cisco IOS Quality of Service services to operate in conjunction with tunneling and encryption
on an interface, select the QoS Preclassify check box.
Step 9 Select the required option to configure Reverse Route Injection (RRI) on the crypto map (on a PIX 7.0+,
ASA, or IOS router except 7600 device).
Note When configuring IPsec policy definitions on an Easy VPN server, the IPsec Proposal page contains
different elements. See Easy VPN IPsec Proposal Page, page 24-6.
Navigation Path
(Site-to-Site VPN Manager Window, page 21-17) Select a topology in the VPNs selector, then select
IPsec Proposal in the Policies selector.
(Policy view) Select Site-to-Site VPN > IPsec Proposal from the Policy Types selector. Select an
existing shared policy or create a new one.
Related Topics
Understanding IPsec Tunnel Policies, page 22-5
Configuring IPsec Proposals, page 22-9
Field Reference
Element Description
Crypto Map Type A crypto map combines all the components required to set up IPsec security
associations. When two peers try to establish an SA, they must each have at
least one compatible crypto map entry.
Select the type of crypto map you want to generate:
StaticUse a static crypto map in a point-to-point or full mesh
VPN topology.
DynamicDynamic crypto maps can only be used in a hub-and-spoke
VPN topology. Dynamic crypto map policies allow remote peers to
exchange IPsec traffic with a local hub, even if the hub does not know
the remote peers identity.
For more information, see About Crypto Maps, page 22-6.
Transform Sets The transform sets to use for your tunnel policy. Transform sets specify
which authentication and encryption algorithms will be used to secure the
traffic in the tunnel. You can select up to six transform sets.
Note Transform sets may use tunnel mode or transport mode of IPsec
operation. When IPsec or Easy VPN is the assigned technology, you
cannot use transport mode.
Element Description
Modulus Group Available if Enable Perfect Forward Secrecy is selected.
Select the required Diffie-Hellman key derivation algorithm from the
Modulus Group list box.
Security Manager supports Diffie-Hellman group 1, group 2, group 5, and
group 7 key derivation algorithms. Each group has a different size modulus:
Group 1 (the default): 768-bit modulus.
Group 2: 1024-bit modulus.
Group 5: 1536-bit modulus.
Group 7: Use when the elliptical curve field size is 163 characters.
For more information, see Deciding Which Diffie-Hellman Group to Use,
page 22-3.
Lifetime (sec) The number of seconds an SA will exist before expiring. The default is 3600
seconds (one hour).
Lifetime refers to the global lifetime settings for the crypto IPsec security
association (SA). The IPsec lifetime can be specified in seconds, in
kilobytes, or both.
Lifetime (kbytes) The volume of traffic (in kilobytes) that can pass between IPsec peers using
a given SA before it expires.
Valid values depend on the device type. Enter a value within the range
10-2147483647 for an IOS router, and 2560-536870912 for a
PIX7.0/ASA device.
The default value is 4,608,000 kilobytes.
QoS Preclassify Supported on Cisco IOS routers, except 7600 devices.
When selected, enables the classification of packets before tunneling and
encryption occur.
The Quality of Service (QoS) for VPNs feature enables Cisco IOS QoS
services to operate with tunneling and encryption on an interface.
The QoS features on the output interface classify packets and apply the
appropriate QoS service before the data is encrypted and tunneled, enabling
traffic flows to be adjusted in congested environments, and resulting in more
effective packet tunneling.
Element Description
Reverse Route Supported on ASA devices, PIX 7.0+ devices, and Cisco IOS routers except
7600 devices.
Reverse Route Injection (RRI) enables static routes to be automatically
inserted into the routing process for those networks and hosts protected by a
remote tunnel endpoint. For more information, see About Reverse Route
Injection, page 22-8.
Select one of the following options to configure RRI on the crypto map:
NoneDisables the configuration of RRI on the crypto map.
Standard(ASA, PIX 7.0+, IOS devices) Creates routes based on the
destination information defined in the crypto map access control list
(ACL). This is the default option.
Remote Peer(IOS devices only) Creates two routes, one for the
remote endpoint and one for route recursion to the remote endpoint via
the interface to which the crypto map is applied.
Remote Peer IP(IOS devices only) Specifies an address as the
explicit next hop to the remote VPN device. Enter the IP address or a
network/host object that specifies the address, or click Select to select
the network/host object from a list or to create a new object.
Note If you use network/host objects, you can select the Allow Value
Override per Device check box to override the IP address, if
required, for specific devices that use this object.
Related Topics
Configuring VPN Global Settings, page 22-15
Related Topics
Configuring VPN Global Settings, page 22-15
ISAKMP/IPsec Settings Tab, page 22-16
Understanding NAT
Network Address Translation (NAT) enables devices that use internal IP addresses to send and receive
data through the Internet. It converts private, internal LAN addresses into globally routable IP addresses
when they try to access data on the Internet. In this way, NAT enables a small number of public IP
addresses to provide global connectivity for a large number of hosts.
NAT enhances the stability of your hub-and-spoke VPN tunnels because resources required for VPN
connections are not used for other purposes, and the VPN tunnel is kept available for traffic requiring
complete security. Sites inside the VPN can use NAT through a split tunnel to exchange non secure traffic
with outside devices, and they do not squander VPN bandwidth or overwhelm the hub at the tunnel
head-end by directing nonessential traffic through it.
Security Manager supports only NAT with dynamic IP addressing, and applies to it an overload
feature that permits what is known as port-level NAT or Port Address Translation (PAT). PAT uses port
addressing to associate thousands of private NAT addresses with a small group of public IP address. PAT
is used if the addressing requirements of your network exceed the available addresses in your dynamic
NAT pool.
Note When you enable PAT on Cisco IOS routers, an additional NAT rule is implicitly created for
split-tunneled traffic, on deployment. This NAT rule, which denies VPN-tunneled traffic and permits all
other traffic (using the external interface as the IP address pool), is not reflected as a router platform
policy. You can remove the NAT rule by disabling this feature. For more information, see NAT Page:
Dynamic Rules, page 20-10.
Note You can configure traffic to bypass NAT configuration on site-to-site VPN traffic. To bypass NAT
configuration on Cisco IOS routers, make sure the Do Not Translate VPN Traffic check box is enabled
in the NAT Dynamic Rule platform policy (see NAT Dynamic Rule Dialog Box, page 20-11). To exclude
NAT on PIX Firewalls or ASA devices, make sure this check box is selected in the NAT Translation
Options platform policy (see Translation Options Page, page 20-16).
Note NAT traversal is enabled by default on routers running IOS version 12.3T and later. If you want to disable
the NAT traversal feature, you must do this manually on the device or using a FlexConfig (see Chapter 7,
Managing FlexConfigs).
You can define global NAT settings on the NAT Settings tab of the Global VPN Settings page.
Related Topics
Configuring VPN Global Settings, page 22-15
NAT Settings Tab, page 22-19
Understanding Fragmentation
Fragmentation breaks a packet into smaller units when it is transmitted over a physical interface that cannot
support the original size of the packet. Fragmentation minimizes packet loss in a VPN tunnel, because it
enables transmission of secured packets that might otherwise be too large to transmit. This is particularly
relevant when using GRE, because any packet of more than 1420 bytes will not have enough room in its
header for the additional 80 bytes that the combined use of IPsec and GRE adds to the packet payload.
The maximum transmission unit (MTU) specifies the maximum packet size, in bytes, that an interface
can handle. If a packet exceeds the MTU, it is fragmented, typically after encryption. If the DF (Dont
Fragment) bit is set, the packet is dropped. A DF bit is a bit within the IP header that indicates if a device
can fragment a packet. If you enable the DF feature, you must specify whether the device can clear, set,
or copy the DF bit from the encapsulated header.
Because reassembly of an encrypted packet is difficult, fragmentation can degrade network performance.
To prevent network performance problems, fragmentation settings configure the device so that
fragmentation occurs before encryption.
Security Manager instructs a device to handle packets that are larger than the MTU, either with
end-to-end MTU discovery or by setting the MTU on the device.
MTU Discovery: End-to-end MTU discovery uses Internet Control Message Protocol (ICMP)
messages to determine the maximum MTU that a host can use to send a packet through the VPN
tunnel without causing fragmentation. The MTU setting for each link in a transmission path is
checked to ensure that no transmitted packet exceeds the smallest MTU in that path. The discovered
MTU is used to decide whether fragmentation is necessary.
Local MTU handling: Typically used when ICMP is blocked. You can define an MTU size between
68 and 65535 bytes, depending on the VPN interface.
By default, Security Manager uses end-to-end MTU discovery using ICMP messages. If ICMP is
blocked, MTU discovery fails and packets are either lost (if the DF bit is set) or fragmented after
encryption (if the DF bit is not set).
On the General Settings tab of the VPN Global Settings page, you can define fragmentation settings and
enable the DF bit feature on the devices in your VPN topology. For more information, see Table 22-5 on
page 22-21.
Related Topics
Configuring VPN Global Settings, page 22-15
General Settings Tab, page 22-20
Note For more information about global VPN settings, see Understanding VPN Global Settings, page 22-12.
Related Topics
Understanding ISAKMP/IPsec Settings, page 22-13
Understanding NAT, page 22-13
Understanding Fragmentation, page 22-15
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.
Step 2 In the VPNs selector, select the required VPN topology.
Step 3 Select VPN Global Settings in the Policies selector. The VPN Global Settings dialog box opens,
displaying the ISAKMP/IPsec Settings tab.
Step 4 In the ISAKMP/IPsec Settings tab, specify global settings for IKE and IPsec. For a description of the
elements on this tab, see ISAKMP/IPsec Settings Tab, page 22-16.
Step 5 Click the NAT Settings tab to define global NAT settings that apply to devices that use internal IP
addresses to send and receive data through the Internet. For a description of the elements on this tab, see
NAT Settings Tab, page 22-19.
Step 6 Click the General Settings tab to define fragmentation settings on the devices in your VPN topology.
For a description of the elements on this tab, see General Settings Tab, page 22-20.
Navigation Path
Open the Site-to-Site VPN Manager Window, page 21-17, select a topology in the VPNs selector,
then select VPN Global Settings in the Policies selector.
(Policy view) Select Site-to-Site VPN > VPN Global Settings from the Policy Types selector.
Select an existing shared policy or create a new one.
Navigation Path
The ISAKMP/IPsec Settings tab appears when you open the VPN Global Settings Page, page 22-16. You
can also open it by clicking the ISAKMP/IPsec Settings tab from any other tab in the VPN Global
Settings page.
Related Topics
VPN Global Settings Page, page 22-16
Understanding IKE, page 22-1
Understanding IPsec Tunnel Policies, page 22-5
Understanding ISAKMP/IPsec Settings, page 22-13
Configuring VPN Global Settings, page 22-15
Field Reference
Table 22-3 VPN Global Settings Page > ISAKMP/IPsec Settings Tab
Element Description
ISAKMP Settings
Enable Keepalive When selected, enables you to configure IKE keepalive as the default
failover and routing mechanism.
IKE keepalive is defined on the spokes in a hub-and-spoke VPN topology, or
on both devices in a point-to-point VPN topology.
Interval The number of seconds that a device waits between sending IKE keepalive
packets. The default is 10 seconds.
Retry The number of seconds a device waits between attempts to establish an IKE
connection with the remote peer. The default is 2 seconds.
Periodic Available only if Enable Keepalive is selected, and supported on routers
running IOS version 12.3(7)T and later, except 7600 devices.
When selected, enables you to send dead-peer detection (DPD) keepalive
messages even if there is no outbound traffic to be sent. Usually, DPD
keepalive messages are sent between peer devices only when no incoming
traffic is received but outbound traffic needs to be sent.
For more information, see Understanding ISAKMP/IPsec Settings,
page 22-13.
Identity During Phase I IKE negotiations, peers must identify themselves to
each other.
When selected, enables you to use the (IP) address or the hostname of the
device that it will use to identify itself in IKE negotiations. You can also
select to use a Distinguished Name (DN) to identify a user group name. The
default is Address.
SA Requests Supported on routers running IOS version 12.3(8)T and later, except
System Limit 7600 routers.
The maximum number of SA requests allowed before IKE starts rejecting
them. The specified value must equal or exceed the number of peers, or the
VPN tunnels may be disconnected.
You can enter a value in the range of 0-99999.
Table 22-3 VPN Global Settings Page > ISAKMP/IPsec Settings Tab (Continued)
Element Description
SA Requests Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
System Threshold The percentage of system resources that can be used before IKE starts
rejecting new SA requests. The default is 75 percent.
Enable Supported on ASA devices and PIX 7.0 devices.
Aggressive Mode When selected, enables you to use aggressive mode in ISAKMP
negotiations, for an ASA device. Aggressive mode is enabled by default.
Deselect this check box to disable the use of aggressive mode in ISAKMP
negotiations, for an ASA device.
See Understanding IKE, page 22-1.
IPsec Settings
Enable Lifetime When selected, enables you to configure the global lifetime settings for the
crypto IPsec security associations (SAs) on the devices in your VPN topology.
Lifetime (secs) The number of seconds a security association will exist before expiring. The
default is 3,600 seconds (one hour).
Lifetime (kbytes) The volume of traffic (in kilobytes) that can pass between IPsec peers using a
given security association before it expires. The default is 4,608,000 kilobytes.
Xauth Timeout Available when Easy VPN is the selected technology, and the selected device
is a Cisco IOS router or Catalyst 6500 /7600 device.
The number of seconds the device waits for a response from the end user
after an IKE SA has been established.
When negotiating tunnel parameters for establishing IPsec tunnels in an Easy
VPN configuration, Xauth adds another level of authentication that identifies
the user who requests the IPsec connection. Using the Xauth feature, the
client waits for a username/password challenge after the IKE SA has been
established. When the end user responds to the challenge, the response is
forwarded to the IPsec peers for an additional level of authentication.
Max Sessions Supported on ASA devices and PIX 7.0 devices.
The maximum number of SAs that can be enabled simultaneously on
the device.
Table 22-3 VPN Global Settings Page > ISAKMP/IPsec Settings Tab (Continued)
Element Description
Enable IPsec via Sysopt Supported on ASA devices and PIX Firewalls versions 6.3 or 7.0.
When selected (the default), specifies that any packet that comes from an
IPsec tunnel is implicitly trusted (permitted).
Enable SPI Recovery Supported on routers running IOS version 12.3(2)T and later, in addition to
Catalyst 6500/7600 devices running version 12.2(18)SXE and later.
When selected, enables the SPI recovery feature to configure your device
so that if an invalid SPI (Security Parameter Index) occurs, an IKE SA will
be initiated.
SPI (Security Parameter Index) is a number which, together with a
destination IP address and security protocol, uniquely identifies a particular
security association. When using IKE to establish security associations, the
SPI for each security association is a pseudo-randomly derived number.
Without IKE, the SPI is manually specified for each security association.
When an invalid SPI occurs during IPsec packet processing, the SPI recovery
feature enables an IKE SA to be established.
Note If you want to bypass NAT configuration on IOS routers, make sure the Do Not Translate VPN Traffic
check box is selected in the NAT Dynamic Rule platform policy (see NAT Dynamic Rule Dialog Box,
page 20-11). To exclude NAT on PIX Firewalls or ASA devices, make sure this check box is selected in
the NAT Translation Options platform policy (see Translation Options Page, page 20-16).
Navigation Path
Open the VPN Global Settings Page, page 22-16, then click the NAT Settings tab.
Related Topics
Understanding NAT, page 22-13
VPN Global Settings Page, page 22-16
Field Reference
Table 22-4 VPN Global Settings Page > NAT Settings Tab
Element Description
Enable When selected, enables you to configure NAT traversal keepalive on a device.
Traversal Keepalive NAT traversal keepalive is used for the transmission of keepalive messages
when there is a device (middle device) located between a VPN-connected
hub and spoke, and that device performs NAT on the IPsec flow.
Note On Cisco IOS routers, NAT traversal is enabled by default. If you
want to disable the NAT traversal feature, you must do this manually
on the device or using a FlexConfig (see Chapter 7, Managing
FlexConfigs).
Navigation Path
Open the VPN Global Settings Page, page 22-16, then click the General Settings tab.
Related Topics
VPN Global Settings Page, page 22-16
Understanding Fragmentation, page 22-15
Field Reference
Table 22-5 VPN Global Settings Page > General Settings Tab
Element Description
Fragmentation Settings
Fragmentation Mode Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
Fragmentation minimizes packet loss in a VPN tunnel when transmitted over
a physical interface that cannot support the original size of the packet.
Select the required fragmentation mode option from the list:
No FragmentationSelect if you do not want to fragment before
IPsec encapsulation. After encapsulation, the device fragments
packets that exceed the MTU setting before transmitting them through
the public interface.
End to End MTU DiscoverySelect to use ICMP messages for
the discovery of MTU. Use this option when the selected technology
is IPsec.
End-to-end MTU discovery uses Internet Control Message Protocol
(ICMP) messages to determine the maximum MTU that a host can use
to send a packet through the VPN tunnel without causing fragmentation.
Note For Catalyst 6500 /7600 devices, end-to-end path MTU discovery is
supported only on images 12.2(33)SRA, 12.2(33)SRB,
12.2(33)SXH, 12.2(33)SXI or above.
Table 22-5 VPN Global Settings Page > General Settings Tab (Continued)
Element Description
Enable Fragmentation Supported on Cisco IOS routers, Catalyst 6500 /7600 devices, PIX 7.0 and
Before Encryption ASA devices.
When selected, enables fragmentation to occur before encryption, if the
expected packet size exceeds the MTU.
Lookahead Fragmentation (LAF) is used before encryption takes place to
calculate the packet size that would result after encryption, depending on the
transform sets configured on the IPsec SA. If the packet size exceeds the
specified MTU, the packet will be fragmented before encryption.
Enable Notification Supported on PIX 7.0 and ASA devices.
on Disconnection When selected, enables the device to notify qualified peers of sessions that
are about to be disconnected. The peer receiving the alert decodes the reason
and displays it in the event log or in a pop-up panel. This feature is disabled
by default.
Enable Split Tunneling When selected (the default), enables you to configure split tunneling in your
VPN topology.
Split tunneling enables you to transmit both secured and unsecured traffic on
the same interface. Split tunneling requires that you specify exactly which
traffic will be secured and what the destination of that traffic is, so that only
the specified traffic enters the IPsec tunnel, while the rest is transmitted
unencrypted across the public network.
Enable Spoke-to-Spoke Supported on PIX 7.0 and ASA devices.
Connectivity through
When selected, enables direct communication between spokes in a
the Hub
hub-and-spoke VPN topology, in which the hub is an ASA/PIX 7.0 device.
Enable Default Route Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
When selected, the device uses the configured external interface as the
default outbound route for all incoming traffic.
There are three methods for negotiating key information and setting up IKE SAs:
Main mode addressNegotiation is based on IP address. Main mode provides the highest security
because it has three two-way exchanges between the initiator and receiver. This is the default
negotiation method.
This method has three options for creating keys:
You can create a key for each peer, based on the unique IP address of each peer, providing
high security.
You can create a group preshared key on a hub in a hub-and-spoke VPN topology, to be used
for communication with any device in a specified subnet. Each peer is identified by its subnet,
even if the IP address of the device is unknown. In a point-to-point or full mesh VPN topology,
a group preshared key is created on the peers.
You can create a wildcard key on a hub in a hub-and-spoke VPN topology, or on a group
containing hubs, to be used for dynamic crypto where a spoke does not have a fixed IP address
or belong to a specific subnet. All spokes connecting to the hub have the same preshared key,
which could compromise security. In a point-to-point or full mesh VPN topology, a wildcard
key is created on the peers.
Note If you are configuring DMVPN with direct spoke-to-spoke connectivity, you create a
wildcard key on the spokes.
Main mode fully qualified domain name (FQDN)Negotiation is based on DNS resolution, with
no reliance on IP address. This option can only be used if the DNS resolution service is available
for the host. It is useful when managing devices with dynamic IP addresses that have DNS
resolution capabilities.
Aggressive modeNegotiation is based on hostname (without DNS resolution) and domain name.
Aggressive mode is less secure than main mode. However, it provides more security than using
group preshared keys if the IP address of the VPN interface on the host is unknown, and the FQDN
of the dynamic IP peer is not DNS resolvable. This negotiation method is recommended for use with
a GRE Dynamic IP or DMVPN failover and routing policy.
Related Topics
Deciding Which Authentication Method to Use, page 22-3
Configuring Preshared Key Policies, page 22-23
Preshared Key Page, page 22-24
Related Topics
Understanding Preshared Key Policies, page 22-22
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.
Step 2 In the VPNs selector, select the desired VPN topology.
Note The preshared key policy does not apply to Easy VPN topologies.
Navigation Path
(Site-to-Site VPN Manager Window, page 21-17) Select a topology in the VPNs selector, then select
Preshared Key in the Policies selector.
(Policy view) Select Site-to-Site VPN > Preshared Key from the Policy Types selector. Select an
existing shared policy or create a new one.
Related Topics
Understanding Preshared Key Policies, page 22-22
Configuring Preshared Key Policies, page 22-23
Field Reference
Element Description
Key Specification
User Defined When selected, enables you to use a manually defined preshared key.
Enter the required preshared key in the Key field, then enter it again in the
Confirm field.
Auto Generated When selected, allocates a random key to the participating peers. This
ensures security because a different key is generated for every hub-spoke
connection. Auto Generated is the default selection.
Note The key is allocated during the first deployment to the devices and is
used in all subsequent deployments to the same devices, until you
select the Regenerate Key (Only in Next Deployment) check box.
Key Length The required length of the preshared key to be automatically generated
(maximum 127 characters). The default is 24.
Element Description
Same Key for Unavailable in a point-to-point VPN topology.
All Tunnels When selected, enables you to use the same auto-generated key for all tunnels.
Note If you do not select this check box, different keys are used for the
tunnels, except in cases, such as DMVPN configuration, when
different multipoint GRE interfaces in the same network must use the
same preshared key.
Regenerate Key (Only Only available if Auto Generate is selected.
in Next Deployment)
When selected, enables Security Manager to generate a new key for the next
deployment to the devices. This is useful if it is possible that the secrecy of
the keys might be compromised.
Note When you submit the job for deployment, this check box is cleared.
It does not remain selected because the new key will only be
generated for the upcoming deployment, and not for subsequent
deployments (unless you select it again).
Negotiation Method
Main Mode Address This is the default negotiation method.
Use this negotiation method for exchanging key information, if the IP
address of the devices is known. Negotiation is based on IP address. Main
mode provides the highest security because it has three two-way exchanges
between the initiator and receiver. Main mode address is the default
negotiation method.
Then click one of the following three radio buttons to define the negotiation
address type:
Peer AddressNegotiation is based on the unique IP address of each
peer. A key is created for each peer, providing high security. This is
the default.
SubnetCreates a group preshared key on a hub in a hub-and-spoke
topology to use for communication with any device in a specified
subnet, even if the IP address of the device is unknown. Each peer is
identified by its subnet. After selecting this option, enter the subnet in
the field provided.
In a point-to-point or full mesh VPN topology, a group preshared key is
created on the peers.
(continued)
Element Description
Main Mode Address WildcardCreates a wildcard key on a hub or on a group of hubs in a
(continued) hub-and-spoke topology to use when a spoke does not have a fixed IP
address or belong to a specific subnet. In this case, all spokes connecting
to the hub have the same preshared key, which could compromise
security. Use this option if a spoke in your hub-and-spoke VPN topology
has a dynamic IP address.
In a point-to-point or full mesh VPN topology, a wildcard key is created
on the peers.
Note When configuring DMVPN with direct spoke-to-spoke connectivity,
you create a wildcard key on the spokes.
Main Mode FQDN Select this negotiation method for exchanging key information, if the IP
address is not known and DNS resolution is available for the device(s).
Negotiation is based on DNS resolution, with no reliance on IP address.
Aggressive Mode Available only in a hub-and-spoke VPN topology.
Select this negotiation method for exchanging key information, if the IP
address is not known and DNS resolution might not be available on the
devices. Negotiation is based on hostname and domain name.
Note If direct spoke to spoke tunneling is enabled, you cannot use
aggressive mode.
Note When using SCEP, you must enter the fingerprint for the CA server. If the value you enter
does not match the fingerprint on the certificate, the certificate is rejected. You can obtain
the CAs fingerprint by contacting the server directly, or by entering the following address
in a web browser: http://URLHostName/certsrv/mscep/mscep.dll
Manually creating an enrollment request that you can submit to a CA server offline, by copying the
CA servers certificates from another device.
Use this method if your device cannot establish a direct connection to the CA server or if you want
to generate an enrollment request and send it to the server at a later time.
Note This method enables you to deploy the PKI policy either to devices or to files.
Note You can also use Cisco Secure Device Provisioning (SDP) to enroll for a certificate. For more
information about using SDP for certificate enrollment, see Secure Device Provisioning on Cisco IOS
Routers, page 53-82.
Related Topics
Prerequisites for Successful PKI Enrollment, page 22-28
Configuring Public Key Infrastructure Policies, page 22-31
Defining Multiple CA Servers for Site-to-Site VPNs, page 22-30
Public Key Infrastructure Page, page 22-32
Note You do not need to configure the name of the user group on the hub (Easy VPN Server).
For more information, see PKI Enrollment Dialog BoxCertificate Subject Name Tab, page 28-40.
To deploy PKI policies to files (not to live devices), the following prerequisites must be met:
Devices must have IOS 12.3(7)T or later (trustpoint PKI devices).
CA authentication certificates must be cut and pasted into the Security Manager user
interface (so that CA authentication is not interactive and does not require communication
with the live device).
If you are deploying to live devices, the PKI server must be online.
Security Manager supports the Microsoft, Verisign, and Entrust PKIs.
Security Manager supports Cisco IOS Certificate Servers. The Cisco IOS Certificate Server feature
embeds a simple certificate server, with limited CA functionality, into the Cisco IOS software. An
IOS Certificate Server can be configured as a FlexConfig policy. For more information, see
Chapter 7, Managing FlexConfigs.
To configure PKI with AAA authorization that uses the entire subject name on an IOS router, use
the predefined FlexConfig object named IOS_PKI_WITH_AAA.
Transferring the Certificate Request from the TFTP Server to the CA Server
Security Manager creates a PKCS#10 formatted enrollment request (.req) on the TFTP server. You must
transfer it to the PKI server using this procedure:
1. Connect to http://servername/certsrv, where servername is the name of the Windows 2000 Web
server where the CA you want to access is located.
2. Select Request a certificate, then click Next.
3. Select Advanced request, then click Next.
4. Select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request
using a base64 encoded PKCS #7 file, then click Next.
5. Either select browse for a file (and browse to the TFTP server and select the .req file) or open the just
received by TFTP .req file with WordPad/Notepad and copy/paste the contents in the first window.
6. Export the .crt file from the CA and put it on the TFTP server.
7. Configure the crypto ca import <label> certificate to import the devices certificates from the
tftp server.
Related Topics
Configuring Public Key Infrastructure Policies, page 22-31
PKI Enrollment Dialog Box, page 28-33
Public Key Infrastructure Page, page 22-32
Configuring a User Group Policy for Easy VPN, page 24-10
Note You can also use device-level overrides when the CA servers are arranged in a PKI hierarchy beneath a
common, trusted CA server. To do this, you must ensure that both the global definition of the object and
the device-level override specify the trusted CA server in the Trusted CA Hierarchy tab of the PKI
Enrollment dialog box. See PKI Enrollment Dialog BoxTrusted CA Hierarchy Tab, page 28-42.
Related Topics
Understanding Public Key Infrastructure Policies, page 22-26
Understanding Public Key Infrastructure Policies, page 22-26
Deciding Which Authentication Method to Use, page 22-3
Step 1 To create the PKI enrollment object, open the PKI Enrollment dialog box. You can access this dialog box
in two ways:
From the Public Key Infrastructure policyClick the Add button beneath the Selected field. See
Configuring Public Key Infrastructure Policies, page 22-31.
From the Policy Object Manager (select Tools > Policy Object Manager)Select PKI Enrollments
from the Object Type selector, then click the New Object button.
Step 2 Define the global definition of the PKI enrollment object, including the CA server to which the object
refers. Be sure to select Allow Value Override per Device. This option makes the object overridable on
individual devices. See PKI Enrollment Dialog Box, page 28-33.
Base the global definition of the object on the CA server that is used by the most devices in the VPN.
Doing this reduces the number of device-level overrides that are required.
Step 3 When you finish defining the PKI enrollment object, click OK. As a result:
If you accessed the dialog box via the PKI policy, the new object appears in the Selected field of the
policy page.
If you accessed the dialog box using the Policy Object Manager, the new object appears in the work
area of the Policy Object Manager window. A green check mark in the Overridable column indicates
that device-level overrides can be created for this object. (The check mark does not indicate whether
any overrides actually exist.)
Step 4 Create the device-level overrides for the PKI enrollment object. You can do this in one of two ways:
From Device Properties (with the device selected in Device view, select Tools > Device
Properties)This option is recommended when you want to create a device-level override for a
single device. In the device properties, select Policy Object Overrides > PKI Enrollments, select
the PKI enrollment object that you want to override, then click the Create Override button. You can
then define the content of the override, including the CA server defined by the object.
For more information, see Creating or Editing Object Overrides for a Single Device, page 6-14.
From the Policy Object ManagerThis option is recommended when you want to create a
device-level override for multiple devices at the same time. Double-click the green check mark in
the Overridable column, select the devices to which the override should apply, then define the
content of the override, including the CA server defined by the object.
For more information, see Creating or Editing Object Overrides for Multiple Devices At A Time,
page 6-15.
Note To save the RSA key pairs and the CA certificates permanently to flash memory on a PIX Firewall
version 6.3 between reloads, you must configure the ca save all command. You can do this manually on
the device or using a FlexConfig (see Chapter 7, Managing FlexConfigs).
Related Topics
Defining Multiple CA Servers for Site-to-Site VPNs, page 22-30
Deciding Which Authentication Method to Use, page 22-3
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.
Step 2 In the VPNs selector, select the required VPN topology.
Step 3 Select Public Key Infrastructure in the Policies selector. The Public Key Infrastructure page opens,
displaying the currently selected CA server. For a description of the elements on this page, see Public
Key Infrastructure Page, page 22-32.
Step 4 If you want to assign a different CA server, select it in the Available CA Servers list. The CA server
replaces the one in the Selected field.
CA servers are predefined as PKI enrollments objects. If the required CA server is not included in the
list, click Create to open a dialog box that enables you to create a PKI enrollment object. For more
information, see PKI Enrollment Dialog Box, page 28-33.
Note To save the RSA key pairs and the CA certificates permanently to flash memory on a PIX Firewall
version 6.3 between reloads, you must configure the ca save all command. You can do this manually on
the device or using a FlexConfig (see Chapter 7, Managing FlexConfigs).
Navigation Path
(Site-to-Site VPN Manager Window, page 21-17) Select a topology in the VPNs selector, then select
Public Key Infrastructure in the Policies selector.
(Policy view) Select Site-to-Site VPN > Public Key Infrastructure from the Policy Types selector.
Select an existing shared policy or create a new one.
Related Topics
Understanding Public Key Infrastructure Policies, page 22-26
Configuring Public Key Infrastructure Policies, page 22-31
Field Reference
Table 22-7 Public Key Infrastructure (PKI) Page
Element Description
Available CA Servers Lists the predefined CA servers available for selection.
CA servers are predefined PKI enrollment objects that contain server
information and enrollment parameters that are required for creating
enrollment requests for CA certificates.
Select the required CA server if you want to replace the default one in the
Selected field.
If the required CA server is not included in the list, click Create to open a
dialog box that enables you to create or edit a PKI enrollment object. For
more information, see PKI Enrollment Dialog Box, page 28-33.
Note If you are making a PKI enrollment request on an Easy VPN remote
access system, you must configure each remote component (spoke)
with the name of the user group to which it connects. You specify this
information in the Organization Unit (OU) field in the Certificate
Subject Name tab of the PKI Enrollment dialog box. You do not need
to configure the name of the user group on the hub (Easy VPN
Server). For more information, see PKI Enrollment Dialog
BoxCertificate Subject Name Tab, page 28-40.
Selected The selected CA server.
To remove the selected CA server, select a different one.
You can configure Generic Routing Encapsulation (GRE) and Dynamic Multipoint (DM) VPNs that
include GRE mode configurations. You can configure IPsec GRE VPNs for hub-and-spoke,
point-to-point, and full mesh VPN topologies. DMVPN is available for hub-and-spoke topologies only.
This chapter contains the following topics:
Understanding the GRE Modes Page, page 23-1
GRE and Dynamic GRE VPNs, page 23-2
Dynamic Multipoint VPNs (DMVPN), page 23-9
Note When configuring an IPsec/GRE, GRE Dynamic IP, or DMVPN routing policy, Security Manager adds
a routing protocol to all the devices in the secured IGP, on deployment. If you want to maintain this
secured IGP, you must create a router platform policy (on each member device) using the same routing
protocol and autonomous system (or process ID) number as defined in the GRE Modes policy.
Related Topics
Understanding GRE, page 23-2
Understanding GRE Configuration for Dynamically Addressed Spokes, page 23-5
Understanding DMVPN, page 23-9
Understanding IPsec Technologies and Policies, page 21-5
Understanding GRE
Generic Routing Encapsulation (GRE) is a tunneling protocol that encapsulates a variety of protocol
packet types inside IP tunnels, creating a virtual point-to-point connection to devices at remote points
over an IP network. With this technology, GRE encapsulates the entire original packet with a standard
IP header and GRE header before the IPsec process. Then, IPsec views the GRE packet as an
unremarkable IP packet and performs encryption and authentication services, as dictated by the IKE
negotiated parameters. Because GRE can carry multicast and broadcast traffic, it is possible to configure
a routing protocol for virtual GRE tunnels. The routing protocol detects loss of connectivity and reroutes
packets to the backup GRE tunnel, thus providing high resiliency.
For VPN resilience, a spoke must be configured with two GRE tunnels, one to the primary hub and the
other to the backup hub. Both GRE tunnels are secured with IPsec: each one has its own IKE security
association (SA) and a pair of IPsec SAs. An associated routing protocol automates the failover
mechanism, transferring to the backup tunnel if virtual link loss is detected.
Note GRE can be configured on Cisco IOS security routers and Catalyst 6500/7600 devices in hub-and-spoke,
point-to-point, and full mesh VPN topologies.
Note GRE does not support the use of dynamic cryptographic tunnels.
OSPFOpen Shortest Path First is a link-state, hierarchical protocol that features least-cost
routing, multipath routing, and load balancing.
Using OSPF, a host that obtains a change to a routing table or detects a change in the network
immediately multicasts the information to all other hosts in the network, so that all will have
the same routing table information. For more information, see OSPF Routing on Cisco IOS
Routers, page 57-19.
RIPv2Routing Information Protocol is a distance-vector protocol that sends routing-update
messages at regular intervals and whenever the network topology changes.
Using RIPv2, a gateway host (with a router) sends its entire routing table to its closest neighbor
host every 30 seconds, which in turn passes the information on to its next neighbor, and so on,
until all hosts within the network have the same knowledge of routing paths. RIPv2 uses a hop
count to determine network distance. Each host with a router in the network uses the routing
table information to determine the next host to route a packet to for a specified destination.
RIP is considered an effective solution for small homogeneous networks. For larger, more
complicated networks, RIPs transmission of the entire routing table every 30 seconds may put
a heavy amount of extra traffic in the network. For more information, see RIP Routing on Cisco
IOS Routers, page 57-42.
Static routeUse a static routing policy to provide a robust, stable IPsec-protected GRE tunnel
if there is a fixed, unchanging route between two devices. For each device subnet, a static route
is created on the device pointing to the corresponding tunnel interface. For more information,
see Static Routing on Cisco IOS Routers, page 57-50.
You must specify an IGP process number. The IGP process number identifies the IGP process to
which the inside interface on the device belongs. When GRE is implemented, this will be the secured
IGP. For secure communication, the inside interfaces on the devices in your VPN must use the same
IGP process. The IGP process number must be within a specified range. If you have an existing IGP
process on the device that is within this range, but is different from the IGP process number specified
in your GRE settings, Security Manager removes the existing IGP process. If the existing IGP
process matches the one specified in your GRE settings, any networks included in the existing IGP
process that do not match the specified inside interfaces are removed.
If the inside interfaces on your devices are configured to use an IGP process other than the IGP
process specified in your GRE settings (meaning that the interfaces belong to an unsecured IGP):
For spokes: Manually remove the inside interfaces from the unsecured IGP through the device
CLI before configuring GRE.
For hubs: If the hub inside interface is used as a network access point for Security Manager, then
on deployment, the interface is advertised in both secured and unsecured IGPs. To ensure that
the spoke peers use only the secured IGP, manually add the auto-summary command for the
unsecured IGP or remove the unsecured IGP for that inside interface.
You must provide a subnet that is unique yet it can be non-globally-routable for loopback. This
subnet must only be used to support the implementation of loopback for GRE. The loopback
interfaces are created, maintained, and used only by Security Manager. You should not use them for
any other purpose.
If you are using static routes, not unsecured IGP, make sure you configure static routes on the spokes
through to the hub inside interfaces.
Note You can configure the above settings in the GRE Modes page when IPsec/GRE is the selected
IPsec technology.
Note GRE Dynamic IP can only be configured on Cisco IOS routers and Catalyst 6500/7600 devices in
hub-and-spoke VPN topologies.
Security Manager uses the Cisco Configuration Engine to retrieve device IP addresses and other
information from dynamically addressed devices. Devices that have dynamic IP addresses connect to the
Configuration Engine manager at periodic intervals to upgrade device configuration files and to pass
device and status information.
For more information, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines,
page 3-29.
Note You can configure the GRE Dynamic IP settings in the GRE Modes page when GRE Dynamic IP is the
selected IPsec technology.
Related Topics
Understanding GRE, page 23-2
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs, page 23-6
Related Topics
Understanding GRE, page 23-2
Prerequisites for Successful Configuration of GRE, page 23-3
Advantages of IPsec Tunneling with GRE, page 23-3
Note When configuring a GRE routing policy, Security Manager adds a routing protocol to all the devices in
the secured IGP, on deployment. If you want to maintain this secured IGP, you must create a router
platform policy (on each member device) using the same routing protocol and autonomous system (or
process ID) number as defined in the GRE Modes policy.
Table 23-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs
Element Description
Routing Parameters Tab
Routing Protocol Select the required dynamic routing protocol (EIGRP, OSPF, or RIPv2,) or
static route to be used for GRE or GRE Dynamic IP.
The default routing protocol is EIGRP.
For more information about configuring these protocols, see Prerequisites
for Successful Configuration of GRE, page 23-3.
AS Number The number that is used to identify the autonomous system (AS) area to
which the EIGRP packet belongs. The range is 1-65535. The default is 110.
(EIGRP only.)
An autonomous system (AS) is a collection of networks that share a common
routing strategy. An AS can be divided into a number of areas, which are
groups of contiguous networks and attached hosts. Routers with multiple
interfaces can participate in multiple areas. An AS ID identifies the area to
which the packet belongs. All EIGRP packets are associated with a single
area, so all devices must have the same AS number.
Hello Interval The interval between hello packets sent on the interface, between 1 and
65535 seconds. The default is 5 seconds.
(EIGRP only.)
Hold Time The number of seconds the router will wait to receive a hello message before
(EIGRP only.) invalidating the connection. The range is between 1 and 65535. The default
hold time is 15 seconds (three times the hello interval).
Table 23-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs (Continued)
Element Description
Delay The throughput delay for the primary route interface, in microseconds. The
(EIGRP only.) range of the tunnel delay time is 1-16777215. The default is 1000.
Failover Delay The throughput delay for the failover route interface, in microseconds. The
(EIGRP only.) range of the tunnel delay time is 1-16777215. The default is 1500.
Bandwidth The amount of bandwidth available to the primary route interface for the
EIGRP packets. You should enter a value that gives priority to the primary
(EIGRP only.)
route over other routes.
You can enter a value in the range 1 to 10000000 kb. The default is 1000 kb.
Note By default, the cost of sending a packet on an interface is calculated
based on the bandwidththe higher the bandwidth, the lower the cost.
Failover Bandwidth The amount of bandwidth available to the failover route interface for the
EIGRP packets.
(EIGRP only.)
Enter a value in the range 1 to 10000000 kb. The default is 1000 kb.
Process Number The routing process ID number that will be used to identify the secured IGP
that Security Manager adds when configuring GRE.
(OSPF only.)
The range is between 1 and 65535. The default is 110.
Security Manager adds an additional Interior Gateway Protocol (IGP) that is
dedicated for IPsec and GRE secured communication. An IGP refers to a
group of devices that receive routing updates from one another by means of
a routing protocol. Each routing group is identified by the process number.
For more information, see Understanding GRE, page 23-2.
Hub Network Area ID The ID number of the area in which the hubs protected networks will be
(OSPF only.) advertised, including the tunnel subnet. You can specify any number. The
default is 0.
Spoke Protected The ID number of the area in which the remote protected networks will be
Network Area ID advertised, including the tunnel subnet. You can specify any number. The
default is 1.
(OSPF only.)
Authentication A string that specifies the OSPF or RIPv2 authentication key. The string can
be up to eight characters long.
(OSPF or RIPv2 only.)
Cost The cost of sending a packet on the primary route interface.
(OSPF or RIPv2 only.) If the selected protocol is OSPF, enter a value in the range 1-65535; the
default is 100.
If the selected protocol is RIPv2, enter a value in the range 1-15; the default
is 1.
Failover Cost The cost of sending a packet on the secondary (failover) route interface.
(OSPF or RIPv2 only.) You can enter a value in the range 1-65535 for OSPF (the default is 125), or
in the range 1-15 for RIPv2 (the default is 2).
Table 23-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs (Continued)
Element Description
Filter Dynamic Updates When selected, enables the creation of a redistribution list that filters all
on Spokes dynamic routing updates on the spokes. This forces the spoke devices to
advertise (populate on the hub device) only their own protected subnets and
not other IP addresses.
Tunnel Parameters Tab
Tunnel IP Select the required option to specify the GRE or GRE Dynamic IP tunnel
interface IP address.
Use Physical InterfaceWhen selected, uses the private IP address of
the tunnel taken from the protected network.
Use SubnetWhen selected, uses the tunnel IP address taken from an
IP range. This is the default.
In the Subnet field, enter the private IP address including the unique
subnet mask (default is 1.1.1.0/24).
If you are also configuring a dial backup interface, enter its subnet in the
Dial Backup Subnet field provided (default is 1.1.2.0/24).
Note In most cases, when you use a subnet to specify a GRE tunnel
interface IP address, Security Manager creates a loopback interface
on the device which is used for the tunnel IP address. If the device
belongs to a VPN topology whose configurations were discovered by
Security Manager, and you configure an IP address directly on the
devices GRE tunnel, Security Manager keeps that configuration and
does not create a loopback interface on the device. However, a
loopback is always configured on a hub in a VPN topology; in a
hub-and-spoke VPN topology with multiple hubs, a loopback
interface is also configured on the spokes.
Table 23-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs (Continued)
Element Description
Tunnel Source IP Range The private IP address including the unique subnet mask that supports the
(GRE Dynamic IP only.) loopback for GRE. The GRE tunnel interface has an IP address (inside tunnel
IP address) which is taken from a loopback interface that Security Manager
creates specifically for this purpose.
When a spoke has a dynamic IP address, there is no fixed GRE tunnel source
address (to be used by the GRE tunnel on the spoke side) or destination
address (to be used by the GRE tunnel on the hub side). Therefore, Security
Manager creates additional loopback interfaces on the hub and the spoke to
use as the GRE tunnel endpoints. You must specify a subnet from which
Security Manager can allocate an IP address for the loopback interfaces.
Enable IP Multicast When selected, enables multicast transmissions across your GRE tunnels.
IP multicast delivers application source traffic to multiple receivers
without burdening the source or the receivers, while using a minimum of
network bandwidth.
Rendezvous Point Only available if you selected the Enable IP Multicast check box.
If required, you can enter the IP address of the interface that will serve as the
rendezvous point (RP) for multicast transmission. Sources send their traffic
to the RP. This traffic is then forwarded to receivers down a shared
distribution tree.
Understanding DMVPN
Dynamic Multipoint VPN (DMVPN) enables better scaling of large and small IPsec VPNs by combining
generic routing encapsulation (GRE) tunnels, IP Security (IPsec) encryption, and Next Hop Resolution
Protocol (NHRP) routing. (For information about large scale DMVPNs, see Configuring Large Scale
DMVPNs, page 23-16.)
Security Manager supports DMVPN using the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and
GRE static routes. In addition, On-Demand Routing (ODR) is supported. ODR is not a routing protocol.
It may be used in a hub-and-spoke VPN topology when the spoke routers do not connect to any router other
than the hub. If you are running dynamic protocols, ODR is not suitable for your network environment.
You can use DMVPN on a hub-and-spoke VPN topology only with devices running Cisco IOS Software
release 12.3T devices and later, or ASRs running Cisco IOS XE Software 2.x or later (known as
12.2(33)XNA+ in Security Manager). DMVPN is not supported on Catalyst VPN Services Module
devices or on High Availability (HA) groups. If your device does not support DMVPN, use GRE
dynamic IP to configure GRE for dynamically addressed spokes. See Understanding GRE Configuration
for Dynamically Addressed Spokes, page 23-5.
The following topics provide more overview information on DMVPN:
Enabling Spoke-to-Spoke Connections in DMVPN Topologies, page 23-10
Advantages of DMVPN with GRE, page 23-11
The following documents on Cisco.com explain DMVPN in further detail:
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch CommunicationsExplains
DMVPN technology and where and why you would use it. This data sheet explains the technologies
used with DMVPN and the benefits derived from those technologies.
Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3Explains the difference between
phase 2 and phase 3 spoke-to-spoke connections. Creating spoke-to-spoke connections is a
configuration option with DMVPN. Phase 3 uses shortcut switching enhancements to increase
network performance and scalability.
Additional white papers and presentations are available at
http://www.cisco.com/en/US/products/ps6658/prod_literature.html.
Related Topics
Understanding DMVPN, page 23-9
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications
Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3
Configuring DMVPN
To configure a hub-and-spoke Dynamic Multipoint VPN, use the Create VPN wizard as described in
Creating or Editing VPN Topologies, page 21-26. You can also edit the membership of the VPN, or some
of its policies, using the described procedures. If you are creating a Large Scale DMVPN, also see
Configuring Large Scale DMVPNs, page 23-16.
If you need to make changes to other policies and settings, open the policies from the Site-to-Site
Manager page, as follows:
For ISAKMP and IPSec settings, select VPN Global Settings. See VPN Global Settings Page,
page 22-16.
For IKE proposal policies, select IKE Proposal. See Understanding IKE, page 22-1.
For IPSec proposals, select IPsec Proposal. See IPsec Proposal Page, page 22-9.
For preshared key policies, select Preshared Key. See Preshared Key Page, page 22-24.
For public key (PKI) policies, select Public Key Infrastructure. See Public Key Infrastructure
Page, page 22-32.
Related Topics
Understanding DMVPN, page 23-9
Enabling Spoke-to-Spoke Connections in DMVPN Topologies, page 23-10
Advantages of DMVPN with GRE, page 23-11
Note When configuring a DMVPN routing policy, Security Manager adds a routing protocol to all the devices
in the secured IGP, on deployment. If you want to maintain this secured IGP, you must create a router
platform policy (on each member device) using the same routing protocol and autonomous system (or
process ID) number as defined in the GRE Modes policy.
Element Description
Routing Parameters Tab
Routing Protocol Select the required dynamic routing protocol, or static route, to be used in
the DMVPN tunnel.
Options include the EIGRP, OSPF, and RIPv2 dynamic routing protocols,
and GRE static routes. On-Demand Routing (ODR) is also supported.
On-Demand Routing is not a routing protocol. It can be used in a
hub-and-spoke VPN topology when the spoke routers connect to no other
router other than the hub. If you are running dynamic protocols, On-Demand
Routing is not suitable for your network environment.
For more information, see Understanding GRE, page 23-2.
AS Number The number that is used to identify the autonomous system (AS) area to
which the EIGRP packet belongs. The range is 1-65535. The default is 110.
(EIGRP only.)
An autonomous system (AS) is a collection of networks that share a common
routing strategy. An AS can be divided into a number of areas, which are
groups of contiguous networks and attached hosts. Routers with multiple
interfaces can participate in multiple areas. An AS ID identifies the area to
which the packet belongs. All EIGRP packets are associated with a single
area, so all devices must have the same AS number.
Hello Interval The interval between hello packets sent on the interface, from 1 to 65535
seconds. The default is 5 seconds.
(EIGRP only.)
Hold Time The number of seconds the router will wait to receive a hello message before
invalidating the connection. The range is 1-65535. The default hold time is
(EIGRP only.)
15 seconds (three times the hello interval)
Delay The throughput delay for the primary route interface, in microseconds. The
range of the tunnel delay time is 1-16777215. The default is 1000.
(EIGRP only.)
Bandwidth The bandwidth for the primary route interface, in kilobits. The range of
bandwidth is 1 to 10000000. The default is 1000.
(EIGRP only.)
Bandwidth The amount of bandwidth available to the primary route interface for the
EIGRP packets. You should enter a value that gives priority to the primary
(EIGRP only.)
route over other routes.
You can enter a value in the range 1 to 10000000 kb. The default is 1000 kb.
Note By default, the cost of sending a packet on an interface is calculated
based on the bandwidththe higher the bandwidth, the lower the cost.
Process Number The routing process ID number that will be used to identify the secured IGP
that Security Manager adds when configuring DMVPN.
(OSPF only.)
The valid range for either protocol is 1-65535. The default is 110.
Hub Network Area ID The ID number of the area in which the hubs protected networks will be
advertised, including the tunnel subnet. You can enter any number. The
(OSPF only.)
default is 0.
Element Description
Spoke Protected The ID number of the area in which the remote protected networks will be
Network Area ID advertised, including the tunnel subnet. You can enter any number. The
(OSPF only.) default is 1.
Authentication Key A string that indicates the OSPF or RIPv2 authentication key. The string can
(OSPF and RIPv2.) be up to eight characters long.
Element Description
Server Load Balance When selected, enables the configuration of load balancing on a Cisco IOS
router that serves as a hub in a multiple hubs configuration.
Server load balancing optimizes performance in a multiple hubs
configuration, by sharing the workload. In this configuration, the DMVPN
server hubs share the same tunnel IP and source IP addresses, presenting the
appearance of a single device to the spokes in a VPN topology.
Enable IP Multicast When selected, enables multicast transmissions across your GRE tunnels.
IP multicast delivers application source traffic to multiple receivers
without burdening the source or the receivers, while using a minimum of
network bandwidth.
Rendezvous Point Only available if you selected the Enable IP Multicast check box.
If required, you can enter the IP address of the interface that will serve as the
rendezvous point (RP) for multicast transmission. Sources send their traffic
to the RP. This traffic is then forwarded to receivers down a shared
distribution tree.
Tunnel Key A number that identifies the tunnel key. The default is 1.
The tunnel key differentiates between different multipoint GRE (mGRE)
tunnel Non Broadcast Multiple Access (NBMA) networks. All mGRE
interfaces in the same NBMA network must use the same tunnel key value.
If there are two mGRE interfaces on the same router, they must have
different tunnel key values.
Note To view the newly created tunnel interfaces in the Router Interfaces
page for routers that are members of the VPN, you must rediscover
the device inventory details after successfully deploying the VPN to
the device.
NHRP Parameters
Network ID All Next Hop Resolution Protocol (NHRP) stations within one logical
Non-Broadcast Multi-Access (NBMA) network must be configured with the
same network identifier. Enter a globally unique, 32-bit network identifier
within the range of 1 to 4294967295.
Hold time The time, in seconds, that routers will keep information provided in
authoritative NHRP responses. The cached IP-to-NBMA address mapping
entries are discarded after the hold time expires.
The default is 300 seconds.
Authentication An authentication string that controls whether the source and destination
NHRP stations allow intercommunication. All routers within the same
network using NHRP must share the same authentication string. The string
can be up to eight characters long.
Related Topics
Understanding DMVPN, page 23-9
Configuring DMVPN, page 23-11
Related Topics
Configuring Large Scale DMVPNs, page 23-16
Filtering Tables, page 1-33
Navigation Path
From the Server Load Balance policy, select a hub and click the Edit (pencil) button below the table.
For information on opening the Server Load Balance policy, see Configuring Server Load Balancing in
Large Scale DMVPN, page 23-17.
Related Topics
Configuring Large Scale DMVPNs, page 23-16
Field Reference
Element Description
Weight The capacity of the hub relative to other hubs connected to the IPsec
Terminator, based on the weighted round robin (WRR) scheduling algorithm.
You can enter a value between 1 and 255. The default is 1.
Max Connections The maximum number of active connections to the IPsec Terminator that are
permitted to the hub.
You can enter a value between 1 and 65535. The default is 500.
Easy VPN is a hub-and-spoke VPN topology that can be used with a variety of routers, PIX, and ASA
devices. Policies are defined mostly on the hub and pushed to remote spoke VPN devices, ensuring that
clients have up-to-date policies in place before establishing a secure connection.
This chapter contains the following topics:
Understanding Easy VPN, page 24-1
Configuring an IPsec Proposal for Easy VPN, page 24-5
Configuring a User Group Policy for Easy VPN, page 24-10
Configuring a Connection Profile Policy for Easy VPN, page 24-11
Configuring Client Connection Characteristics for Easy VPN, page 24-12
Note You can also configure remote access policies in remote access VPNs. In remote access VPNs, policies
are configured between servers and mobile remote PCs running Cisco VPN client software, whereas, in
site-to-site Easy VPN topologies, the clients are hardware devices. For information about configuring
remote access VPNs, see Chapter 26, Managing Remote Access VPNs.
Note Easy VPN dial backup can be configured only on remote clients that are routers running IOS version
12.3(14)T or later.
In an Easy VPN configuration, when a remote device attempts to connect to the server and the tracked IP
is no longer accessible, the primary connection is torn down and a new connection is established over the
Easy VPN backup tunnel to the server. If the primary hub cannot be reached, the primary configuration
switches to the failover hub with the same primary configuration and not to the backup configuration.
Only one backup configuration is supported for each primary Easy VPN configuration. Each inside
interface must specify the primary and backup Easy VPN configuration. IP static route tracking must be
configured for dial backup to work on an Easy VPN remote device. The object tracking configuration is
independent of the Easy VPN remote dial backup configuration. The object tracking details are specified
in the spokes Edit EndPoints dialog box.
For more information about dial backup, see Configuring Dial Backup, page 21-36.
traffic to the virtual interface. Using IP routing to forward traffic to the tunnel interface simplifies IPsec
VPN configuration compared to the more complex process of using access control lists (ACLs) with a
crypto map. Dynamic VTIs function like any other real interface so that you can apply quality of service
(QoS), firewall, and other security services as soon as the tunnel is active.
Dynamic VTIs use a virtual template infrastructure for dynamic instantiation and management of IPsec
interfaces. In an Easy VPN topology, Security Manager implicitly creates the virtual template interface
for the device. If the device is a hub, the user must provide the IP address on the hub that will be used
as the virtual template interfacethis can be a subnet (pool of addresses) or an existing loopback or
physical interface. On a spoke, the virtual template interface is created without an IP address.
Notes
Dynamic VTI can be configured only in a hub-and-spoke Easy VPN topology on routers running
IOS version 12.4(2)T and later, except 7600 devices. It is not supported on PIX Firewalls, ASA
devices, or Catalyst 6000 series switches.
Not all the hubs/spokes require Dynamic VTI configuration during discovery or provision. You can
extend the existing EzVPN topology (including routers not supporting DVTI) to add routers which
support DVTI.
Dynamic VTI is supported on only servers, only clients (if server does not support DVTI), or both
clients and servers.
Dynamic VTI can be configured with or without VRF-Aware IPsec.
You cannot configure High Availability on hubs/servers that have been configured with DVTI.
You can also configure Dynamic VTI in remote access VPNs. For more information, see PVC
Dialog BoxQoS Tab, page 52-60.
In Security Manager, you configure Dynamic VTI in the Easy VPN IPsec Proposal page. See
Configuring an IPsec Proposal for Easy VPN, page 24-5.
Note Because the client may be configured for preshared key authentication, which initiates IKE
aggressive mode, the administrator should change the identity of the VPN device via the
crypto isakmp identity hostname command. This will not affect certificate authentication via
IKE main mode.
2. The client attempts to establish an IKE SA between its public IP address and the public IP address
of the VPN server. To reduce the amount of manual configuration on the client, every combination
of encryption and hash algorithms, in addition to authentication methods and D-H group sizes,
is proposed.
3. Depending on its IKE policy configuration, the VPN server determines which proposal is acceptable
to continue negotiating Phase 1.
Note Device authentication ends and user authentication begins at this point.
4. After the IKE SA is successfully established, and if the VPN server is configured for Xauth, the
client waits for a username/password challenge and then responds to the challenge of the peer. The
information that is entered is checked against authentication entities using authentication,
authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may
also be used via AAA proxy. During Xauth, a user-specific attribute can be retrieved if the
credentials of that user are validated via RADIUS.
Note VPN servers that are configured to handle remote clients should always be configured to
enforce user authentication.
5. If the server indicates that authentication was successful, the client requests further configuration
parameters from the peer. The remaining system parameters (for example, IP address, DNS, and
split tunnel attributes) are pushed to the client using client or network extension mode configuration.
Note The IP address pool and group preshared key (if Rivest, Shamir, and Adelman [RSA]
signatures are not being used) are the only required parameter in a group profile. All other
parameters are optional.
6. After each client is assigned an internal IP address via mode configuration, Reverse Route
Injection (RRI), if configured, ensures that a static route is created on the device for each client
internal IP address.
7. IKE quick mode is initiated to negotiate and create IPsec SAs.
The connection is complete.
VPN interface must be the devices FastEthernet0 interface. On a Cisco 800 series router the VPN
interface could be either the devices Ethernet0 or Dialer1 interface, depending on the configuration.
On a Cisco uBR905/uBR925 cable access router, the VPN interface must be the Ethernet0 interface.
Related Topics
Understanding Easy VPN, page 24-1
Easy VPN IPsec Proposal Page, page 24-6
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager
window opens.
Step 2 In the VPNs selector, select the required VPN topology.
Step 3 Select Easy VPN IPsec Proposal in the Policies selector.
The Easy VPN IPsec Proposal page appears, displaying the IPsec Proposal tab with the defined
parameters for configuring an IPsec proposal on an Easy VPN server device. For a description of the
elements on this tab, see Table 24-1 on page 24-8.
Step 4 Specify the transform sets to be used for your tunnel policy. If you want to use a different transform set
to the displayed default one, or select additional transform sets, click Select to open a dialog box that
lists all available transform sets, and in which you can create your own transform set object. For more
information, see Add or Edit IPSec Transform Set Dialog Box, page 28-28.
Step 5 Select an option to configure a Reverse Route on the crypto map (on a PIX 7.0, ASA, or IOS router
except 7600 device).
Step 6 If required, select the Enable Network Address Translation check box to configure NAT, if the selected
device is a PIX 7.0 or ASA device.
Step 7 Specify an AAA authorization (Group Policy Lookup) method list that defines the order in which the
group policies are searched on the local server or on external AAA servers.
Step 8 Specify the AAA or Xauth user authentication method used to define the order in which user accounts
are searched.
Step 9 If you are configuring Dynamic VTI on a hub in the topology, specify either the subnet address or
interface role:
Subnet To use the IP address taken from a pool of addresses. Then, in the Subnet field, enter the
private IP address including the unique subnet mask, for example 10.1.1.0/24.
Interface RoleIf required, click Select to open the Interface selector in which you can select or
add an interface.
If you are configuring Dynamic VTI on a spoke in the topology, select None.
For a description of the elements on this tab, see Table 24-2 on page 24-10.
Note This topic describes the IPsec Proposal page when the assigned technology is Easy VPN. For a
description of the IPsec Proposal page when the assigned technology is Regular IPsec, IPsec/GRE, GRE
Dynamic IP, or DMVPN, see IPsec Proposal Page, page 22-9.
The following tabs are available on the Easy VPN IPsec Proposal page:
Easy VPN IPsec Proposal Tab, page 24-7
Dynamic VTI Tab, page 24-9
Navigation Path
(Site-to-Site VPN Manager Window, page 21-17) Select an EasyVPN topology in the VPNs
selector, then select Easy VPN IPsec Proposal in the Policies selector.
(Policy view) Select Site-to-Site VPN > Easy VPN IPsec Proposal from the Policy Types selector.
Select an existing shared policy or create a new one.
Navigation Path
The Easy VPN IPsec Proposal tab appears when you open the Easy VPN IPsec Proposal Page, page 24-6.
Related Topics
Understanding Easy VPN, page 24-1
Configuring an IPsec Proposal for Easy VPN, page 24-5
Understanding AAA Server and Server Group Objects, page 6-20
Field Reference
Element Description
Transform Sets The transform sets to be used for your tunnel policy. Transform sets specify
which authentication and encryption algorithms will be used to secure the
traffic in the tunnel. You can select up to six transform sets.
Transform sets may use only tunnel mode IPsec operation.
Note If more than one of your selected transform sets is supported by both
peers, the transform set that provides the highest security will be used.
Element Description
Group Policy Supported on Cisco IOS routers only.
Lookup/AAA The AAA authorization method list that will be used to define the order in
Authorization Method which the group policies are searched. Group policies can be configured on
both the local server or on an external AAA server.
You can click Select to open a dialog box that lists all available AAA group
servers, and in which you can create AAA group server objects.
User Authentication Supported on Cisco IOS routers only.
(Xauth)/AAA
The AAA or Xauth user authentication method used to define the order in
Authentication Method
which user accounts are searched.
Xauth allows all Cisco IOS software AAA authentication methods to
perform user authentication in a separate phase after the IKE authentication
phase 1 exchange. The AAA configuration list-name must match the Xauth
configuration list-name for user authentication to occur.
For more information about defining user accounts, see Defining Accounts
and Credential Policies, page 53-14.
You can click Select to open a dialog box that lists all available AAA group
servers from which you can make your selection, and in which you can create
additional AAA group server objects.
Note Dynamic VTI can be configured only on IOS routers running IOS version 12.4(2)T and later, except
7600 devices.
Navigation Path
Open the Easy VPN IPsec Proposal Page, page 24-6, then click the Dynamic VTI tab.
Related Topics
Understanding Easy VPN, page 24-1
Configuring an IPsec Proposal for Easy VPN, page 24-5
Field Reference
Element Description
Enable Dynamic VTI When selected, enables Security Manager to implicitly create a dynamic
virtual template interface on the device.
Note If the device is a hub server that does not support Dynamic VTI, a
warning message is displayed, and a crypto map is deployed without
dynamic VTI. In the case of a client device, an error message is
displayed.
Virtual Template IP If you are configuring Dynamic VTI on a hub in the topology, specify either
the subnet address or interface role:
SubnetTo use the IP address taken from a pool of addresses. Then, in
the Subnet field, enter the private IP address including the unique
subnet mask, for example 10.1.1.0/24.
Interface RoleTo use a physical or loopback interface on the device.
If required, click Select to open the Interface selector in which you can
select or add an interface.
If you are configuring Dynamic VTI on a spoke in the topology, select None.
Note An Easy VPN user group policy can be configured on a Cisco IOS security router, PIX 6.3 Firewall, or
Catalyst 6500 /7600 device.
This procedure describes how to specify the user group you want to assign to your Easy VPN server.
Related Topics
Understanding Easy VPN, page 24-1
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager
window opens.
Step 2 In the VPNs selector, select the required VPN topology.
Step 3 Select User Group Policy in the Policies selector.
The User Group Policy page appears, displaying the currently selected user group. For a description of
the elements on this page, see User Group Policy Page, page 24-11.
Step 4 If you want to select a different user group, select it in the Available User Groups list. The user group
replaces the selected one.
User groups are predefined objects. If the required user group is not included in the list, click Create to
open a dialog box that displays all the user group objects, and enables you to create a user group. For
more information, see Add or Edit User Group Dialog Box, page 28-68.
Note You can modify an existing user groups properties by selecting it and clicking Edit.
Note You can also configure user group policies in remote access VPNs.
Navigation Path
(Site-to-Site VPN Manager Window, page 21-17) Select an Easy VPN topology in the VPNs
selector, then select User Group Policy in the Policies selector.
(Policy view) Select Site-to-Site VPN > User Group Policy from the Policy Types selector. Select
an existing shared policy or create a new one.
Related Topics
Understanding Easy VPN, page 24-1
Configuring a User Group Policy for Easy VPN, page 24-10
Note In remote access VPNs, you can configure tunnel group policies on a remote access VPN server.
Related Topics
Creating or Editing VPN Topologies, page 21-26
Understanding IPsec Technologies and Policies, page 21-5
Understanding Easy VPN, page 24-1
Step 1 Click the Site-To-Site VPN Manager button on the toolbar to open the Site-to-Site VPN Manager
Window, page 21-17.
Note To edit a shared policy, in Policy view, select Site-to-Site VPN > Connection Profiles (PIX
7.0/ASA) from the Policy Type selector. Select an existing policy or create a new one.
Step 2 In the VPNs selector, select the Easy VPN topology you want to change.
Step 3 Select Connection Profiles (PIX 7.0/ASA) in the Policies selector to open the Connection Profiles Page,
page 27-18.
Step 4 On the General tab, specify the connection profile name and group policies and select which method (or
methods) of address assignment to use. For a description of the available properties, see General Tab
(Connection Profiles), page 27-19.
Step 5 Click the AAA tab and specify the AAA authentication parameters for an the connection profile. For a
description of the elements on the tab, see AAA Tab (Connection Profiles), page 27-21.
Step 6 Click the IPsec tab and specify IPsec and IKE parameters for the connection profile. For a description
of the elements on the tab, see IPSec Tab (Connection Profiles), page 27-27.
Note All modes of operation can also support split tunneling, which allows secure access to corporate
resources through the VPN tunnel while also allowing Internet access through a connection to an ISP or
other service (thereby eliminating the corporate network from the path for web access).
Note VPN servers that are configured to handle remote clients should always be configured to enforce
user authentication.
Security Manager allows you to save the Xauth username and password on the device itself so you do
not need to enter these credentials manually each time the Easy VPN tunnel is established. The
information is saved in the devices configuration file and used each time the tunnel is established.
Saving the credentials in the devices configuration file is typically used if the device is shared between
several PCs and you want to keep the VPN tunnel up all the time, or if you want the device to
automatically bring up the tunnel whenever there is traffic to be sent.
Saving the credentials in the devices configuration file, however, could create a security risk, because
anyone who has access to the device configuration can obtain this information. An alternative method
for Xauth authentication is to manually enter the username and password each time Xauth is requested.
Security Manager enables you to do this interactively in a web browser window or from the command
line interface. Using web-based interaction, a login page is returned, in which you can enter the
credentials to authenticate the VPN tunnel. After the VPN tunnel comes up, all users behind this remote
site can access the corporate LAN without being prompted again for the username and password.
Alternatively, you can choose to bypass the VPN tunnel and connect only to the Internet, in which case
a password is not required.
Easy VPN Tunnel Activation
If the device credentials (Xauth username and password) are stored on the device itself, you must select
a tunnel activation method. Two options are available:
AutoThe Easy VPN tunnel is established automatically when the Easy VPN configuration is
delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically
reconnects and retries indefinitely. This is the default option.
Traffic Triggered ActivationThe Easy VPN tunnel is established whenever outbound local (LAN
side) traffic is detected. Traffic Triggered Activation is recommended for use with the Easy VPN
dial backup configuration so that backup is activated only when there is traffic to send across the
tunnel. When using this option, you must specify the Access Control List (ACL) that defines the
interesting traffic.
Note Manual tunnel activation is configured implicitly if you select to configure the Xauth password
interactively. In this case, the device waits for a command before attempting to establish the Easy VPN
remote connection. When the tunnel times out or fails, subsequent connections will also have to wait for
the command.
This procedure describes how to configure the client connection characteristics for Easy VPN.
Related Topics
Important Notes About Easy VPN Configuration, page 24-4
Understanding Easy VPN, page 24-1
Client Connection Characteristics Page, page 24-15
Step 1 Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site VPN Manager window opens.
Step 2 In the VPNs selector, select the Easy VPN topology you want to modify.
Step 3 Select Client Connection Characteristics in the Policies selector. The Client Connection
Characteristics page opens. For a description of the elements on this page, see Table 24-3 on page 24-16.
Step 4 Select Client, Network Extension, or Network Extension Plus from the Mode list.
Note Network Extension Plus mode can be configured only on IOS routers.
Step 5 Select Device Stored Credentials or Interactive Entered Credentials depending on how you want to
enter the Xauth credentials for user authentication when you establish a VPN connection with the server.
Step 6 If you selected Device Stored Credentials, select the Xauth credentials.
Step 7 If the device is an IOS router, and if you selected Interactive Entered Credentials for the Xauth
credentials source, select Web Browser or Router Console depending on how you want to enter the
Xauth credentials interactively.
Step 8 If the device is an IOS router, and if you selected Device Stored Credentials for the Xauth password
source, select the Auto or Traffic Triggered Activation tunnel activation method.
Step 9 If you selected the Traffic Triggered Activation option for Tunnel Activation, specify the Access
Control List (ACL) that defines the interesting traffic.
Navigation Path
(Site-to-Site VPN Manager Window, page 21-17) Select an Easy VPN topology in the VPNs
selector, then select Client Connection Characteristics in the Policies selector.
(Policy view) Select Site-to-Site VPN > Client Connection Characteristics and create a new
policy or edit an existing policy.
Related Topics
Understanding Easy VPN, page 24-1
Configuring Client Connection Characteristics for Easy VPN, page 24-12
Creating Access Control List Objects, page 6-40
Field Reference
Element Description
Mode Select the required configuration mode for your remote device, as follows:
ClientSpecifies that all traffic from the remote clients inside network
will undergo Port Address Translation (PAT) to a single IP address which
was assigned for the device by the head end server at connect time.
Network ExtensionSpecifies that PCs and other hosts at the client
end of the VPN tunnel should be given IP addresses that are fully
routable and reachable by destination network. PAT is not used, allowing
the client PCs and hosts to have direct access to the PCs and hosts at the
destination network.
Network Extension PlusAn enhancement to Network Extension
mode, that enables an IP address that is received via mode configuration
to be automatically assigned to an available loopback interface. The
IPsec SAs for this IP address are automatically created by the Easy VPN
client. The IP address is typically used for troubleshooting (using ping,
Telnet, and Secure Shell).
Note Network Extension Plus mode can be configured only on IOS routers.
If the selected client device is a PIX 6.3 or ASA 5505 running OS
version 7.2(1), Network Extension mode will be configured.
Element Description
User Authentication Available only if the remote device is an IOS router, and if you selected the
Method (IOS) Interactive Entered Credentials option for the Xauth credentials source.
Select one of these ways to enter the Xauth username and password
interactively each time Xauth authentication is requested:
Web Browser (default)Manually in a web browser window (http page).
Router ConsoleManually from the command line interface (CLI).
Tunnel Activation (IOS) If the remote device is an IOS router, and if you selected the Device Stored
Credentials option for the Xauth password source, you must select a tunnel
activation method, as follows:
Auto (default)The Easy VPN tunnel is established automatically
when the Easy VPN configuration is delivered to the device
configuration file. If the tunnel times out or fails, the tunnel
automatically reconnects and retries indefinitely.
Traffic Triggered ActivationThe Easy VPN tunnel is established
whenever outbound local (LAN side) traffic is detected. When using this
option, you must specify the Access Control List (ACL) that defines the
interesting traffic.
Traffic Triggered Activation is recommended for use when Easy VPN dial
backup is configured so that backup is activated only when there is traffic to
send across the tunnel.
Note Manual tunnel activation is configured implicitly when you select to
configure the Xauth password interactively.
ACL (IOS) If you selected the Traffic Triggered Activation option for Tunnel
Activation, you must configure an ACL-triggered tunnel by specifying the
Access Control List (ACL) that defines the interesting traffic.
Click Select to open the Access Control Lists Selector from which you can
select the required ACL, or create or edit an ACL object.
Cisco Group Encrypted Transport virtual private network (GET VPN) is a full-mesh VPN technology
that can be used in a variety of WAN environments, including IP and Multiprotocol Label Switching
(MPLS). GET VPN comprises a set of features that are necessary to secure IP multicast group traffic or
unicast traffic over a private WAN that originates on or flows through a Cisco IOS device. GET VPN
combines the keying protocol Group Domain of Interpretation (GDOI) with IP security (IPsec)
encryption to provide users with an efficient method to secure IP multicast or unicast traffic. GET VPN
enables the router to apply encryption to nontunneled (that is, native) IP multicast and unicast packets
and eliminates the requirement to configure tunnels to protect multicast and unicast traffic.
Cisco Group Encrypted Transport VPN provides the following benefits:
Provides data security and transport authentication, helping to meet security compliance and
internal regulation by encrypting all WAN traffic.
Enables high-scale network meshes and eliminates complex peer-to-peer key management with
group encryption keys.
For Multiprotocol Label Switching (MPLS) networks, maintains network intelligence such as
full-mesh connectivity, natural routing path, and Quality of Service (QoS).
Grants easy membership control with a centralized key server.
Helps ensure low latency and jitter by enabling full-time, direct communications between sites,
without requiring transport through a central hub.
Reduces traffic loads on customer premises equipment (CPE) and provider-edge (PE) encryption
devices by using the core network for replication of multicast traffic, avoiding packet replication at
each individual peer site.
Tip For information about the CLI configuration of GET VPN, see Cisco Group Encrypted Transport VPN
on Cisco.com.
Key serversThe routers that act as key servers are the gatekeepers to the topology. The group
member must successfully register with a key server before becoming an active member of the VPN.
The key servers control the shared service policy, and generate and transmit keys to group members.
Key servers cannot be group members themselves, but a single key server can service more than one
topology. For more information, see Understanding the GET VPN Registration Process, page 25-4.
The Group Domain of Interpretation (GDOI) group key management protocol is used to provide a
set of cryptographic keys and policies to a group of devices. In a GET VPN network, GDOI is used
to distribute common IPsec keys to a group of enterprise VPN gateways (group members) that must
communicate securely. Devices designated as key servers periodically refresh and send out the
updated keys to the group members using a process called rekeying.
The GDOI protocol uses the Phase 1 Internet Key Exchange (IKE) SA. All participating VPN
gateways authenticate themselves to the device providing keys using IKE. All IKE authentication
methods, for example, pre-shared keys (PSKs) and public key infrastructure (PKI), are supported
for initial authentication. After the VPN gateways are authenticated and provided with the
appropriate security keys using the IKE SA, the IKE SA expires and GDOI is used to update the
group members in a more scalable and efficient manner. For more information about GDOI, refer
to RFC 3547.
Address preservationIPsec-protected data packets carry the original source and destination in the
outer IP header rather than replacing them with tunnel endpoint addresses. Address preservation
allows GET VPN to use the routing functionality present within the core network. Address
preservation allows routing to deliver the packets to any customer-edge (CE) device in the network
that advertises a route to the destination address. Any source and destination matching the policy for
the group will be treated in a similar manner. In the situation where a link between IPsec peers is
not available, address preservation also helps combat traffic black-hole situations.
Header preservation also maintains routing continuity throughout the enterprise address space and
in the WAN. As a result, end host addresses of the campus are exposed in the WAN (for MPLS, this
applies to the edge of the WAN). For this reason, GET VPN is applicable only when the WAN
network acts as a private network (for example, in an MPLS network).
The following figure shows the general operation of a GET VPN topology.
1. Group members register with the key server using the Group Domain of Interpretation (GDOI)
protocol. The key server authenticates and authorizes the group members and downloads the IPsec
policy and keys that are necessary for them to encrypt and decrypt IP multicast and unicast packets.
The registration process can use unicast or multicast communications.
2. Group members exchange IP packets that are encrypted using IPsec. Only the group members are
an active part of the VPN.
3. As needed, the key server pushes a rekey message to the group members. The rekey message
contains new IPsec policy and keys to use when old IPsec security associations (SAs) expire.
Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are
always available.
GET VPN is provisioned using Security Manager with the following caveats:
GET VPN-aware VRF is not supported.
DMVPN with GET is not supported, because there is no way to define DMVPN without tunnel
protection in Security Manager.
Manual configuration of a group member to join a multicast group (ip igmp join-group) is not
supported. Security Manager only provisions static source-specific multicast (SSM) mappings.
Related Topics
Understanding the GET VPN Registration Process, page 25-4
Understanding the GET VPN Security Policy and Security Associations, page 25-10
Configuring GET VPN, page 25-12
The key server generates the group policy and IPsec security associations (SAs) for the GDOI group.
The information generated by the key server includes multiple TEK attributes, traffic encryption policy,
lifetime, source and destination, a Security Parameter Index (SPI) ID that is associated with each TEK,
and the rekey policy (one KEK). Note that the group member might also have a local security policy
configured that is merged with the one downloaded; for complete information see Understanding the
GET VPN Security Policy and Security Associations, page 25-10.
The following figure illustrates the communication flow between group members and the key server. The
key server, after receiving registration messages from a group member, generates the information that
contains the group policy and new IPsec SAs. The new IPsec SA is then downloaded to the group
member. The key server maintains a table that contains the IP address of each group member per group.
When a group member registers, the key server adds its IP address in its associated group table, thus
allowing the key server to monitor an active group member. A key server can support multiple groups.
A group member can be part of multiple groups.
Figure 25-2 Communication Flow Between Group Members and the Key Server
Subnet 1 Subnet 3
IPsec IPsec
Rekey SAs Rekey SAs
Private Network
SA SA
IPsec
Rekey SAs
Group Member 2 SA
Subnet 2 Subnet 4
170833
Rekey Policy Key Server 1
Keys and
Policy
Registration
When you configure the GET VPN topology, you can configure the following registration-related features:
Decide whether to use unicast or multicast for group registration and rekeying. For more
information, see Choosing the Rekey Transport Mechanism, page 25-6.
Note If you use multicast, you need to enable multicast on the key servers and group members
manually. Security Manager does not provision multicast commands.
Decide whether to configure more than one key server to provide redundancy and load balancing.
For more information, see Configuring Redundancy Using Cooperative Key Servers, page 25-7.
Decide whether to configure fail-close mode on group members to protect their traffic prior to
successful registration with the key server. For more information, see Configuring Fail-Close to
Protect Registration Failures, page 25-8.
Decide whether to require authorization for group members to join the group. You can use certificate
authorization (which requires that you also configure the Public Key Infrastructure policy) or
preshared keys. Configuring authorization is required if the key server serves more than one group.
For information about the configuration options, see the Authorization Type setting described in
Defining GET VPN Group Encryption, page 21-49.
Related Topics
Generating and Synchronizing RSA Keys, page 25-13
Configuring GET VPN, page 25-12
Tip To use multicast, you must enable multicast on the key servers and group members. Security Manager
does not provision these commands; it only enables multicast rekey, it does not enable the router to send
and receive multicast traffic. Therefore, you must manually enable multicast on the device, or use the
FlexConfig policy to provision the commands (see Creating FlexConfig Policy Objects, page 7-25).
Fortunately, it is possible to mix multicast and unicast in a single GET VPN topology so long as all
key servers support multicast. When deciding which transport mechanism to use, consider the
following recommendations:
If all key servers and group members, and the network, support multicast, use multicast.
If all of the key servers and most of the group members support multicast, but a small number of
group members do not support multicast, use multicast. Group members that do not support
multicast will not receive rekey and IPsec SA updates. However, when the lifetime settings for these
items are about to expire, unicast group members will reregister with the key server and obtain the
new keys and IPsec SAs.
If no group members, or only a few, support multicast, use unicast. The group members will then
receive rekeys and IPsec SA updates from the key server and not need to reregister to get them.
Related Topics
Understanding the GET VPN Registration Process, page 25-4
Generating and Synchronizing RSA Keys, page 25-13
Configuring GET VPN, page 25-12
Tips
The RSA key must be the same on all cooperative key servers. For information on synchronizing the
RSA key, see Generating and Synchronizing RSA Keys, page 25-13.
It is a best practice to enable periodic ISAKMP keepalives between key servers so that the primary
key server can track and display the state of the other secondary key servers. IKE Keepalives
between group members and the key server is not required and is not supported. For information on
configuring keepalives, see Configuring Global Settings for GET VPN, page 25-16.
The COOP protocol is configured on a per GDOI group basis. A key server that is configured with
multiple GDOI groups can maintain multiple unique COOP relationships with disparate key servers.
The reason deny works this way in fail-close mode is because fail-close includes an implicit
ACL statement that gets added at the bottom of the list of crypto map ACLs. This statement is
permit ip any any, which matches all traffic. Because there is no IPsec security association due
to the fact that registration has yet to occur, there is no way to encrypt the remaining traffic and
it is dropped.
Note that because of this final permit ip any any statement, you might be able to limit yourself
to deny statements in your fail-close ACL.
The fail-close ACL is processed sequentially after the optional group member security policy ACL.
However, all statements in the group member security policy ACL must be deny statements, which
indicate that matching traffic should be sent in clear text. Because the security policy is processed
according to normal crypto map rules, traffic that matches deny statements is subsequently
compared to the fail-close ACL. If the fail-close ACL does not have matching deny statements, the
traffic will subsequently be dropped by the implicit final fail-close permit ip any any statement.
Therefore, if you use a group member security policy ACL, and you want the identified traffic to be
sent in clear text regardless of the registration status of the group member, your fail-close ACL
should contain all of the same statements contained in the security policy ACL at the least. It might
even be possible to use the same ACL object for both ACLs.
For more information about group member security policies, see Understanding the GET VPN
Security Policy and Security Associations, page 25-10.
The fail-close ACL is inserted as the final crypto map ACL. Thus, if you configure other features on
the GET VPN interface that use crypto maps, any traffic identified on deny statements in those other
ACLs will also get trapped (and dropped) by the fail-close ACL and the implicit final permit ip any
any statement. Thus, configuring fail-close mode for GET VPN can influence the non-GET VPN
services you configure on the interface.
Upon successful registration, the fail-close ACL and the implicit final permit ip any any statement
are removed from the crypto maps. These policies are not persistent.
You should consider including the following rules in the fail-close ACL policy object. Remember
that these rules are from the perspective of the group member:
SSH, SSL (HTTPS) trafficYou, and Security Manager, need to be able to access the device to
configure it. To ensure that you do not lock down the device, include deny statements for SSH
and SSL. For SSH, deny tcp any eq 22 <host or network address>. For SSL, deny tcp any
eq 443 <host or network address>. If you specify host addresses, ensure that the Security
Manager server is one of the hosts.
Routing trafficTo enable routing, allow the traffic for your routing process. For example, if
you are using OSPF, deny ospf any any.
GDOI trafficRegardless of the contents of the fail-close ACL, the device looks for GDOI
registration messages, so you do not need to explicitly allow them to enable successful
registration. However, if a group member (1) is in the path between the key server and another
group member (2), a registration failure by group member (1) will prevent successful
registration by the blocked group member (2). For registration on group member (2) to succeed,
the fail-close ACL on group member (1) would have to allow GDOI traffic to pass. Thus, you
might want to make it a general practice to allow GDOI traffic in the fail-close ACL: deny udp
any eq 848 any eq 848.
Related Topics
Configuring GET VPN, page 25-12
Creating Access Control List Objects, page 6-40
Creating Extended Access Control List Objects, page 6-41
Tip If a group member leaves the GET VPN, the ACLs downloaded from the key server are removed, but the
group member security policy ACL is retained and remains configured on the device.
In GET VPN security policy ACLs (and crypto map ACLs in general), the permit and deny keywords
have special meaning:
PermitMeans encrypt this traffic. Permit entries are allowed only in the security policy ACLs
defined on the key server (in the Group Encryption Policy), because encrypted traffic needs to have
a full IPsec security association, which includes the transform set used for encrypting traffic, and
anti-replay and IPsec lifetime configurations. If a packet matches a permit entry, but no IPsec SA
exists for that packet, the packet is dropped.
Normally, your permit rules should be symmetric, that is, the source and destination addresses
should be the same. If you need to specify different source and destination addresses, you must
create two rules; the second rule should be a mirror image of the first rule, with the source and
destination address switched.
DenyMeans do not encrypt this traffic. In practice, this typically means that the traffic that
matches the deny statement is sent in the clear. However, if you configure other features that use
crypto maps, denied traffic is actually compared to subsequent (lower priority) crypto map ACLs
to see if there is a match. IPsec security associations (SAs) are not generated for deny rules.
Following is a summary of the security policies that you can configure, in priority order:
Group member security policyWhen you configure the group member, as described in
Configuring GET VPN Group Members, page 25-20, you can optionally select an ACL policy object
that defines the local group member security policy.
This group member ACL policy object is allowed to have deny statements only. You use this ACL to
identify any traffic that you want to exclude from encryption and send in the clear. For example, if a
handful of group members in the group are running a different routing protocol than the usual one,
you can configure a local entry to these group members security policy ACL to bypass encryption
of the routing protocol traffic instead of defining the policy globally at the key server level.
Key server security policies and security associationsWhen you configure the Group
Encryption Policy for the GET VPN, as described in Defining GET VPN Group Encryption,
page 21-49, you configure ACLs that identify the traffic that should be encrypted and protected in
the VPN.
The security policies on the key server are coupled with transform sets and other settings to define
security associations; two IPsec security associations (SAs) are actually configured for every rule
within the ACL, and these SAs define how the selected traffic should be encrypted. Thus, all group
members use the same group SAs and they do not need to negotiate them with each other.
Because the key server policy is appended to the group member policy, the policy might be as
simple as permit ip any any, that is, encrypt all traffic that has not been excluded by the group
member policy.
However, you can create more complex sets of security policies and associations, setting up
several separate ACL policy objects that are coupled to different transform sets to define different
types of encryption.
If you create more than one security association, you must identify their order, and they are
appended to the group policy in that order. Remember, the end result is a single ACL, so if you
include a deny statement in the first ACL, any permit rules for the same traffic in subsequent security
associations are ignored, and the traffic is sent in clear text rather than being encrypted.
Note When you consider the security associations defined in the Group Encryption Policy as a
whole, you can define up to 100 ACL permit entries. Each permit entry results in a pair of
IPsec SAs; the maximum number of IPsec SAs in a group can not exceed 200. It is a best
practice to summarize interesting traffic to as few permit entries as possible, and to build
symmetric policies, where the source and destination addresses are the same. Unlike
traditional IPSec policies, where source and destination address ranges must be uniquely
defined, GET VPN is optimized when the source and destination address range are the same.
If you configure a rule that has different source and destination addresses, you must also
configure the mirrored rule (where the source and destination address are flipped), meaning
that four SAs are consumed.
In addition to these security policies, there is an additional fail-close ACL that influences traffic patterns
if you configure fail-close mode on a group member. For a complete discussion, see Configuring
Fail-Close to Protect Registration Failures, page 25-8.
Related Topics
Configuring GET VPN, page 25-12
Creating Access Control List Objects, page 6-40
Creating Extended Access Control List Objects, page 6-41
Anti-replay window
You can change only the name and description of a GET VPN using the Edit VPN wizard. If you need
to make changes to other policies and settings, open the policies from the Site-to-Site Manager page,
as follows:
For ISAKMP and IPSec settings, select Global Settings for GET VPN. See Configuring Global
Settings for GET VPN, page 25-16.
For IKE proposal policies, select IKE Proposal Policy for GET VPN. See Configuring the IKE
Proposal for GET VPN, page 25-15.
For security associations (ACL rules) and IPSec policies, select Group Encryption Policy >
Security Associations. See Defining GET VPN Group Encryption, page 21-49.
For preshared key policies, select Preshared Key. See Preshared Key Page, page 22-24.
For public key (PKI) policies, select Public Key Infrastructure. See Public Key Infrastructure
Page, page 22-32.
For rekey settings, select Group Encryption Policy > Group Settings. See Defining GET VPN
Group Encryption, page 21-49 and Generating and Synchronizing RSA Keys, page 25-13.
For key server configuration, including RSA key synchronization, select Key Servers. See
Configuring GET VPN Key Servers, page 25-18 and Generating and Synchronizing RSA Keys,
page 25-13.
For group membership and endpoint settings, select Group Members. See Configuring GET VPN
Group Members, page 25-20.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Understanding the GET VPN Registration Process, page 25-4
Understanding the GET VPN Security Policy and Security Associations, page 25-10
Troubleshooting GET VPN Configurations, page 25-25
Understanding Preshared Key Policies, page 22-22
Tip For existing GET VPN topologies, if you want to generate a new RSA key, it might be easiest to update
the Group Encryption Policy to specify a new, unused RSA key label, then click the Synchronize Keys
button in the Key Servers policy. Because the key will not exist on any key server, Security Manager will
generate the new key and import it into all key servers. You can then manually delete the old key from
each key server.
Tip For the synchronization process to succeed, the devices must be online and reachable and you must have
Deploy authorization. If the device connection fails or times out, ensure that you can ping the key server
from the Security Manager server. If it is your practice to deploy to file instead of to live devices, you
might need to manually generate and synchronize the keys as described below. If you do not have
sufficient authorization, you are prevented from initiating the process; someone else must do it.
2. Create an exportable copy of the key using the following command, where passphrase is a string
used to encrypt the key for import (you can specify your own pass phrase):
crypto key export rsa rekeyrsa pem terminal 3des passphrase
This command prints out the public and private keys to the terminal, where you can copy them to the
clipboard for import into the other key servers. The keys are demarcated by ----BEGIN/END
PUBLIC KEY---- and ----BEGIN/END RSA PRIVATE KEY----.Note that you can also export to
a URL; see the Cisco IOS Security Command Reference on Cisco.com for detailed usage information.
3. Import the key into each of the other key servers using the following command:
crypto key import rsa rekeyrsa pem exportable terminal passphrase
When copying and pasting the keys, include the begin/end lines.
Element Description
IKE Proposal The IKE proposal policy object that defines the settings you want to use.
There are several predefined objects that you might be able to use as is.
Click Select to open the list of existing IKE proposal objects. The object you
select needs to use the same authorization method you are configuring for the
group (for example, an object name with the prefix preshared when using
preshared keys, or with the prefix cert when using Public Key Infrastructure
(PKI) certificates).
When you select an object and click OK, the settings defined in the object
are displayed in the IKE Proposal Settings display fields. You can also see
the settings by editing them in the selection list. If you do not find an
appropriate pre-existing object, click the Add (+) button in the selection list
and create a new object (see Add or Edit IKE Proposal Dialog Box,
page 28-26 for more information and detailed descriptions of the options).
IKE Proposal Overrides The number of seconds that the ISAKMP SA for key servers and group
members is valid. When the lifetime is exceeded, the SA expires and must
be renegotiated between the peers. Values can be 1 to 86400.
If you are using cooperative key servers (more than one key server), set
the key server lifetime high. The default 86400 is appropriate.
If you are using a single key server, you can set the lifetime low (but not
less than 60 seconds) so that the ISAKMP SA is not retained
unnecessarily. It is not used after a group member registers.
We recommend that you set the group member lifetime low as
compared to the key server lifetime, especially when cooperative key
servers are configured.
Related Topics
Understanding IKE, page 22-1
Understanding Preshared Key Policies, page 22-22
Defining GET VPN Group Encryption, page 21-49
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Note The lifetime settings in this policy do not apply to the ISAKMP security association lifetime for the key
server and group members. Those lifetime values are configured in the IKE Proposal for GET VPN
policy. For more information, see Configuring the IKE Proposal for GET VPN, page 25-15.
Element Description
Enable Keepalive (Key Whether to enable dead peer detection (DPD) keepalive messages between
Servers Only) key servers. If there is more than one key server (cooperative key servers),
you should enable periodic keepalive so the servers know each others
status and can elect a new primary server when necessary. Configure the
following settings:
IntervalWhen you also select Periodic, the number of seconds
between DPD messages. If you do not select Periodic, it is the number
of seconds during which traffic is not received from the peer before DPD
retry messages are sent. The range is from 10 to 3600 seconds.
RetryThe number of seconds between DPD retry messages if the
DPD retry message is missed by the peer; the range is from 2 to 60
seconds. The default DPD retry message is sent every 2 seconds. Five
aggressive DPD retry messages can be missed before the key server is
marked as down.
PeriodicWhether to send DPD messages at regular intervals
(regardless of traffic received from the other key servers). For GET
VPN, you should select Periodic.
Identity During Phase I IKE negotiations, peers must identify themselves to each
other. Select the ISAKMP identity to use:
Address(Default) The IP address of the interface that participates in
IKE negotiations. Use the address if only one interface participates in
negotiations, and its IP address is known (static).
HostnameThe fully-qualified host name (for example,
router1.example.com).
Distinguished Name
SA Requests The maximum number of SA requests allowed before IKE starts rejecting
System Limit them. The specified value must equal or exceed the number of peers, or the
VPN tunnels might be disconnected.
You can enter a value in the range of 0-99999.
Element Description
SA Requests The percentage of system resources that can be used before IKE starts
System Threshold rejecting new SA requests. The default is 75 percent.
IPsec Settings Select Enable Lifetime if you want to change the default lifetime settings
for IPsec SAs. You can configure a lifetime based on the volume of traffic
(in kilobytes) between group members, seconds, or both. The key expires
when either of the values is reached. The defaults (which are configured even
if you do not select this option) are:
Lifetime (secs)3600 seconds (one hour).
Lifetime (kbytes)4,608,000 kilobytes.
Tip You can override these values for the traffic encryption key when
configuring a security association. See Defining GET VPN Group
Encryption, page 21-49 and Add New or Edit Security Association
Dialog Box, page 21-52.
Related Topics
Understanding IKE, page 22-1
Understanding IPsec Tunnel Policies, page 22-5
Understanding ISAKMP/IPsec Settings, page 22-13
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Instead, the order determines the default order in which group members will try to register with a
key server. Group members register with the first key server in the list. If the first key server cannot
be reached, group members register with the second key server, and so on. For more information
about key server redundancy, see Configuring Redundancy Using Cooperative Key Servers,
page 25-7. Note that you can override this order for individual group members; see Configuring
GET VPN Group Members, page 25-20 and Edit Group Member Dialog Box, page 25-21.
Tip You can toggle between showing the interface roles or the actual interfaces defined by those roles in the
Identity and interfaces columns using the Show field below the table.
Related Topics
Understanding the GET VPN Registration Process, page 25-4
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Configuring VPN Topologies in Device View, page 21-18
Filtering Tables, page 1-33
Navigation Path
To add key servers or group members to a GET VPN topology, click the Add Row (+) button beneath
the Key Server or Group Member table in the GET VPN Peers page of the Create VPN wizard, or for
existing topologies, the Key Servers or Group Members policies. For detailed information, see the
following topics:
Defining GET VPN Peers, page 21-54
Configuring GET VPN Key Servers, page 25-18
Configuring GET VPN Group Members, page 25-20
Navigation Path
(Create VPN Wizard) Go to the GET VPN Peers Page, select a key server and click the Edit Row
button. See Defining GET VPN Peers, page 21-54.
(Site-to-Site VPN Manager Window, page 21-17) Select the Key Servers policy, select a key server
and click the Edit Row button. See Configuring GET VPN Key Servers, page 25-18.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Field Reference
Element Description
Identity Interface The interface that group members use to identify the key server and register
with it. The default is the Loopback interface role, which identifies all
Loopback interfaces.
Priority A number between 1-100 that designates the role of the key server, either
primary or secondary. The key server with the highest number becomes the
primary key server. If two or more key servers are assigned the same priority,
the device with the highest IP address is used. The default priority is 100 for
the first key server, 95 for the second, and so on.
Note There can be more than one primary key server if the network
is partitioned.
Registration Interface The interface on which group domain of interpretation (GDOI) registrations
can be accepted. If you do not specify a registration interface, GDOI
registrations can occur on any interface.
Tip You can toggle between showing the interface roles or the actual interfaces defined by those roles in the
interfaces columns using the Show field below the table.
Related Topics
Configuring Fail-Close to Protect Registration Failures, page 25-8
Using Passive Mode to Migrate to GET VPN, page 25-23
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Tip If you selected multiple devices and chose an edit command from the right-click menu, this dialog box
shows only those options related to the edit command you chose.
Navigation Path
(Create VPN Wizard) Go to the GET VPN Peers page, select a group member and click the Edit
Row button. See Defining GET VPN Peers, page 21-54.
(Site-to-Site VPN Manager Window, page 21-17) Select a GET VPN topology, then select the
Group Members policy. Select a group member and click the Edit Row button. See Configuring
GET VPN Group Members, page 25-20.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Field Reference
Element Description
GET-Enabled Interface The VPN-enabled outside interface to the provider edge (PE). Traffic
originating or terminating on this interface is evaluated for encryption or
decryption, as appropriate. You can configure multiple interfaces.
Enter the name of the interface or interface role, or click Select to select it
from a list or to create a new interface role.
Interface to be used as The interface whose IP address is used to identify the group member to the
local address key server for sending data, such as rekey information. If GET is enabled on
only one interface, you do not need to specify the interface to be used as the
local address. If GET is enabled on more than one interface, you must
specify the interface to be used as the local address.
Enter the name of the interface or interface role, or click Select to select it
from a list or to create a new interface role.
Element Description
Security Policy The local group member security ACL used to deny some group
member-specific traffic over and above the security ACL downloaded from
the key server. Denied traffic is sent in clear text rather than encrypted. For
detailed information, see Understanding the GET VPN Security Policy and
Security Associations, page 25-10.
Enter the name of the ACL object or click Select to select it from a list or to
create a new object.
Enable Fail Close Whether to enable fail-close mode on the device, which prevents the device
Fail Close ACL from transmitting clear text traffic before the device successfully registers
with the key server. Fail-close mode requires as a minimum Cisco IOS
Software release 12.4(22)T or 15.0; you can also configure it on all
supported ASRs.
Tip Fail-close mode is a complex feature, and you must carefully
construct the fail-close ACL or you might lock yourself out of the
device. Before enabling fail-close mode, read Configuring
Fail-Close to Protect Registration Failures, page 25-8.
You must select an ACL policy object that identifies allowable clear text
traffic (using deny statements), such as SSH and SSL communications with
the Security Manager server to allow for configuration updates. Enter then
name of the object or click Select to select it or to create a new object.
Override Key Servers Whether to override the key server list configured for the GET VPN topology
as a whole for this particular group member.
If you select this option, you can choose a subset of the key servers
configured for the topology to be used by the selected group member, and
change their priority order. This can help you load-balance registration
activity among a group of cooperative key servers. For more information, see
Configuring Redundancy Using Cooperative Key Servers, page 25-7.
Click Select to change the key server list and priority order of the key servers
using the Key Servers Selection dialog box. A key server must be defined for
the GET VPN topology before you can modify its use for a group member.
Enable Passive Whether to put the group member into passive security association (SA)
SA Mode mode, which means the group member installs the SA in the inbound
direction only. This means the group member can receive encrypted data, but
it sends clear text data only. This mode is useful for testing the VPN only,
primarily when you are migrating from an existing VPN to a GET VPN. (The
group member must be running Cisco IOS Software version 12.4(22)T or
15.0 at minimum, or be a supported ASR, to use this mode.)
This setting is similar to the Receive Only setting in the Group Encryption
Policy, which applies to the topology as a whole. This group member option
overrides the setting in the Group Encryption Policy.
For detailed information on how you can use these passive mode features to
migrate or test a GET VPN, see Using Passive Mode to Migrate to GET
VPN, page 25-23.
Tip Passive SA mode on group members requires Cisco IOS Software release 12.4(22)T+ or 15.0+, or
Release 2.3 (12.2(33)XNC)+ on ASRs.
The following procedure shows an example of the end-to-end migration process you might follow to
convert to GET VPN using these passive mode features.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Step 1 Create the new GET VPN topology in Security Manager using the Create VPN wizard. When you are in
the wizard, ensure that you make these selections:
When selecting devices, choose the key servers for the topology, but for group members, select the
first set of group members that will be migrated. For more information, see Selecting Devices for
Your VPN Topology, page 21-29.
When configuring the group encryption settings, select Receive Only. This enables the SA
receive-only feature for the entire topology. For more information, see Defining GET VPN Group
Encryption, page 21-49.
For information about creating VPNs, see Creating or Editing VPN Topologies, page 21-26.
Step 2 Deploy the configurations to all devices in the VPN. The group members should now be able to receive
encrypted traffic but not send it. For information on the deployment process, see the following topics
based on the Workflow mode you are using:
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Step 3 Outside of Security Manager, verify that all of the group members are functioning properly.
For example, you can test whether the group members are able to send and receive encrypted packets
using some CLI commands on the group member devices:
On group member 1, configure the following command, where groupexample is the name of the
GDOI group for the VPN. This command sets the device to accept encrypted or clear text, but to
send only clear text.
crypto gdoi gm group groupexample ipsec direction inbound only
On group member 2, configure the following command. This command sets the device to accept
encrypted or clear text, but to send encrypted text.
crypto gdoi gm group groupexample ipsec direction inbound optional
Ping group member 1 from group member 2. Group member 2 should encrypt the packet before
sending it, and group member 1 should accept it and decrypt it. If you ping member 2 from member
1, the ping should be sent in clear text and accepted by member 2. Ensure that your ACLs allow pings.
Step 4 In Security Manager, select Tools > Site-to-Site VPN Manager (see Site-to-Site VPN Manager
Window, page 21-17).
Select the GET VPN topology, then select Group Members.
Add the remaining group members that you want to add to the topology (click the Add Group Member
(+) button, select the devices, and click OK).
If you want to use passive mode to test the new group members before enabling full encryption, ensure
that you select Enable Passive SA Mode when configuring the group members:
To configure an individual group member, select it and click the Edit Group Member
(pencil) button.
To enable passive mode on more than one device at a time, use Shift+click or Ctrl+click to select
multiple devices, then right-click and select Edit Passive SA Mode. You can then select the option
and click OK.
For more information on configuring group members, see Configuring GET VPN Group Members,
page 25-20.
Step 5 Deploy the configuration changes to all devices in the VPN. All devices should be operating in passive
mode at this point.
Step 6 In the Site-to-Site VPN Manager, select the GET VPN topology, then select Group Encryption Policy.
Deselect Receive Only. This turns off SA receive-only mode at the topology level.
Step 7 Deploy the configuration changes to all devices in the VPN. Now the GET VPN should be operating in
fully encrypted mode for the original group members that you tested. Any new members that you added
with passive SA mode enabled should be receiving encrypted traffic and sending clear text traffic.
Step 8 Use the following process to verify the new devices and to turn off passive mode. You can follow this
process for all new devices at once, or you can do smaller groups of them at a time. You can also use this
process for new group members as you extend your network. Iterate the following steps as appropriate:
a. Verify that the new group members are functioning properly using the same techniques that you used
to verify the original group members.
b. When you are ready to move a set of group members to fully-encrypted mode, in the Site-to-Site
VPN Manager, select the GET VPN topology and select Group Members.
c. Select all passive mode group members that should use full encryption, right-click and select Edit
Passive SA Mode. Deselect the Enable Passive SA Mode option and click OK.
d. Deploy configurations to all devices in the VPN, not just the ones whose passive mode you changed.
Normally, you should not deploy to less than all devices in a VPN.
Tip For additional troubleshooting tips from the CLI configuration perspective, including information about
valuable show commands, see Cisco Group Encrypted Transport VPN on Cisco.com.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 25-2
Configuring GET VPN, page 25-12
Cisco Security Manager lets you configure both remote access IPSec VPNs and remote access SSL
VPNs. Security Manager provides flexible configuration and management of remote access VPNs:
You can discover existing remote access VPN configuration policies from existing live devices or
from configuration files. Then, you can change and deploy new or updated policies, as necessary.
You can use the configuration wizard to help you quickly and easily set up these two types of remote
access VPNs with basic functionality.
If you know the functions and feature your network requires, you can configure remote access VPNs
independently. You can also use the wizard to create a basic remote access VPN and then configure
additional features that are not included in the wizard separately.
In addition, Cisco Security Manager provides flexibility in how remote access VPN configuration
policies are assigned: Device view or Policy view.
For some policies, you can also assign either the factory default policy (a private policy), or a shared
policy that you created using Security Manager.
Note As of version 3.2.1, Security Manager supports configuration of SSL VPN policies on ASA devices
running software version 8.0 and later. Make sure that you upgrade your ASA devices to a supported
version before configuring SSL VPNs.
Note You can also use the Easy VPN technology to configure remote access IPSec VPN policies in site-to-site
VPN topologies. Security policies are configured on hardware clients, such as routers, whereas in remote
access IPSec VPNs, policies are configured on PCs running Cisco VPN client software. For more
information, see Understanding Easy VPN, page 24-1.
Related Topics
Working with IPSec VPN Policies, page 26-34
Working with Policies Pertaining to Both IPSec and SSL VPNs, page 26-15
Discovering Remote Access VPN Policies, page 26-8
Note SSL VPN is supported on ASA 5500 devices running software version 8.0 and later, running in
single-context and router modes, on Cisco 870, 880, 890, 1800, 2800, 3700, 3800, 7200, and 7301 Series
routers running software version 12.4(6)T and later, and on Cisco 1900, 2900, and 3900 Series routers
running software version 15.0(1)M and later. For the 880 Series routers, the minimum software version
is 12.4(15)XZ, which is mapped to 12.4(20)T in Security Manager.
On IOS devices, remote access is provided through an SSL-enabled VPN gateway. Using an
SSL-enabled Web browser, the remote user establishes a connection to the SSL VPN gateway. After the
remote user is authenticated to the secure gateway via the Web browser, an SSL VPN session is
established and the user can access the internal corporate network. A portal page lets users access all the
resources available on the SSL VPN networks.
On ASA devices, remote users establish a secure, remote access VPN tunnel to the security appliance
using the Web browser. The SSL protocol provides the secure connection between remote users and
specific, supported internal resources that you configure at a central site. The security appliance
recognizes connections that need to be proxied, and the HTTP server interacts with the authentication
subsystem to authenticate users.
User authentication can be done using usernames and passwords, certificates, or both.
Note Network administrators provide user access to SSL VPN resources on a group basis instead of on an
individual user basis.
The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway. The
name and port number of the internal email server is included in the HTTP request. The SSL VPN
gateway creates a TCP connection to that internal email server and port.
Thin Client mode extends the capability of the cryptographic functions of the Web browser to enable
remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail
Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).
Note The TCP port-forwarding proxy works only with Suns Java Runtime Environment (JRE) version 1.4 or
later. A Java applet is loaded through the browser that verifies the JRE version. The Java applet refuses
to run if a compatible JRE version is not detected.
When using Thin Client mode, you should be aware of the following:
The remote user must allow the Java applet to download and install.
For TCP port-forwarding applications to work seamlessly, administrative privileges must be enabled
for remote users.
You cannot use Thin Client mode for applications such as FTP, where the ports are negotiated
dynamically. That is, you can use TCP port forwarding only with static ports.
Full Tunnel Client Access Mode
Full Tunnel Client mode enables access to the corporate network completely over an SSL VPN tunnel,
which is used to move data at the network (IP) layer. This mode supports most IP-based applications,
such as Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet. Being part of the SSL
VPN is completely transparent to the applications run on the client. A Java applet is downloaded to
handle the tunneling between the client host and the SSL VPN gateway. The user can use any application
as if the client host was in the internal network.
The tunnel connection is determined by the group policy configuration. The SSL VPN Client (SVC) is
downloaded and installed to the remote client, and the tunnel connection is established when the remote
user logs in to the SSL VPN gateway. By default, the SVC is removed from the remote client after the
connection is closed, but you can keep it installed, if required.
Note Full Tunnel SSL VPN access requires administrative privileges on the remote client.
Related Topics
Chapter 26, Managing Remote Access VPNs
When you deploy policies to the devices, any supporting files referenced in your policies are copied to
the device and placed in flash memory in the \csm folder. For the most part, you do not have to do any
manual work to make this happen. The following are some situations where you might need to do some
manual work:
If you are trying to discover existing SSL VPN policies, or rediscover them, file references from the
SSL VPN policies must be correct. For detailed information on how supporting files are handled
during policy discovery, see Discovering Remote Access VPN Policies, page 26-8.
If you have configured the ASA device in an Active/Failover configuration, you must get the
supporting files onto the failover device. The supporting files are not copied over to the failover
device during a failover. You have these choices for getting the files onto the failover device:
Manually copy the files from the \csm folder on the active unit to the failover unit.
After deploying the policies to the active unit, force a failover and redeploy the policies to the
now-active unit.
If you are using a VPN cluster for load balancing, the same supporting files must be deployed to all
devices in the cluster.
Plug-in Files
These files are used as browser plug-ins. You can find plug-in files in Program
Files\CSCOpx\objects\sslvpn\plugin. For complete information on the available files, see Understanding
Plug-ins, page 26-53.
Related Topics
SSL VPN Access Modes, page 26-4
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices),
page 26-12
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-10
If the device configuration contains an address pool for SSL VPN with a name that begins CSM_
(the naming convention used by Security Manager), Security Manager cannot detect whether the
addresses in that pool overlap with the pool configured in your SSL VPN policy. (This can occur,
for example, when the pool was configured by a user on a different installation of Security Manager.)
This can lead to errors during deployment. Therefore, we recommend that you configure the same
IP address pool as a network/host object in Security Manager and define it as part of the SSL VPN
policy. This enables the proper validation to take place.
The same IP address and port number cannot be shared by multiple SSL VPN gateways on the same
IOS device. As a result, deployment errors can occur if a duplicate gateway exists in the device
configuration but was not redefined using the Security Manager interface. If such an error occurs,
you must choose a different IP address and port number and redeploy.
If you define AAA authentication or accounting as part of an SSL VPN policy, the aaa new-model
command is deployed to enable AAA services. Bear in mind that this command is not removed if
you later delete the SSL VPN policy, as there might be other parts of the device configuration that
require the aaa new-model command for AAA services.
Note In addition, we recommend that you define at least one local user on the device with a
privilege level of 15. This ensures that you will not be locked out of the device if the aaa
new-model command is configured without an associated AAA server.
Related Topics
SSL VPN Access Modes, page 26-4
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices),
page 26-12
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-10
use, but they are not referenced by an SSL VPN policy, either configure commands that refer to them or
manually copy them to the Security Manager server. Policy discovery fails if an SSL VPN policy on the
device refers to a file that has been deleted from flash; in this case, either fix the configuration directly
before discovering the device, or deselect the RA VPN Policies option when adding the device and
create the desired SSL VPN configuration in Security Manager.
Note You should perform deployment immediately after you discover the policies on a device before you
make any changes to policies or unassign policies from the device; otherwise, the changes that you
configure in Security Manager might not be deployed to the device.
To perform discovery of all remote access VPN policies that are configured on a selected device in a
remote access VPN, select the RA VPN Policies check box in the Discover Policies on Device dialog
box. For more information, see Create Discovery Task and Bulk Rediscovery Dialog Boxes, page 5-18.
Related Topics
Discovering Policies, page 5-12
Discovering Policies on Devices Already in Security Manager, page 5-15
VPN Discovery Rules, page 21-21
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard
(IOS Devices)
This procedure describes how to create or edit SSL VPNs on IOS devices using the Remote Access VPN
Configuration Wizard.
Related Topics
Understanding Remote Access SSL VPNs, page 26-3
Step 14 Enter the logo to be displayed on the title bar of the SSL VPN login and portal page. Options are:
NoneNo logo is displayed.
DefaultUse the default logo.
CustomWhen selected, you can specify your own logo. Specify the source image file for the logo
in the Logo File field, or click Select to select an image file.
The source image file for the logo can be a GIF, JPG, or PNG file, with a file name of up to 255
characters, and up to 100 kilobytes in size.
Step 15 Enter a message that will be displayed to the user upon login.
Step 16 Enter the color of the primary and secondary title bars on the login and portal pages of the SSL VPN.
Step 17 Enter the color of the text on the primary and secondary title bars of the login and portal pages. Options
are white or black (the default).
Note The color of the text must be aligned with the color of the text on the title bar.
Step 18 If you want to preview how the portal page will appear, click Preview.
Step 19 Click Finish to save your definitions locally on the Security Manager client and close the dialog box.
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard
(IOS Devices)
This procedure describes how to create or edit IPSec VPNs on IOS devices using the Remote Access
VPN Configuration Wizard.
Related Topics
Understanding Remote Access IPSec VPNs, page 26-2
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard
(ASA Devices)
This procedure describes how to create or edit SSL VPNs on ASA devices using the Remote Access VPN
Configuration Wizard.
Related Topics
Understanding Remote Access SSL VPNs, page 26-3
Note If HTTP port redirection is enabled, the default HTTP port number is 80.
You can click Select to open the Port List Selector dialog box from which you can make your selection,
or create a new port list.
Step 7 To allow users to select a tunnel group from a list of tunnel group connection profiles configured on the
device at login, select the Allow Users to Select Connection Profile in Portal Page check box.
Step 8 To enable the AnyConnect functionality on the ASA device, select the Enable AnyConnect
Access checkbox.
Step 9 Click Next. The Connection Profile page opens. For a description of the elements on this page, see
Connection Profile Page (ASA), page 27-3.
Step 10 Enter a name for this Connection Profile.
Step 11 Enter or Select the name of the tunnel group that contains the policies for this SSL VPN
connection profile.
Step 12 Specify the default Group Policy associated with the device. You can click Edit to open the Group Policy
Selector. If the required Group Policy is not included in the list, click the Create button to open the Create
User Group Wizard in which you can create a Group Policy. See Create User Group Wizard, page 27-6.
If you want to modify the properties of a Group Policy in the list, select it and click Edit. The Edit User
Groups dialog box opens, enabling you to edit the Group Policy object.
Step 13 Specify the customization profile that defines the appearance of the portal page that allows the remote
user access to all the resources available on the SSL VPN networks.
You can click Select to open the SSL VPN Customization Selector dialog box that lists all available
customization objects, from which you can make your selection.
Note You can set up different login windows for different groups by using a combination of
customization profiles and tunnel groups. For example, assuming that you had created a
customization profile called salesgui, you can create an SSL VPN tunnel group called sales that
uses that customization profile.
Step 14 Select a protocol (http or https) from the list, and specify the URL including the name of the connection
profile, in the field provided.
Specify the URL that is associated with the connection profile. This URL provides users with direct
access to the portal page of the connection profile. The URL is made up of the host name or IP address
of the ASA device and port number, and the alias used to identify the SSL VPN connection profile.
Note If you do not specify a URL, you can access the portal page by entering the portal page URL,
and then selecting the connection profile alias from a list of configured connection profile aliases
configured on the device. See Access Page (ASA), page 27-2.
Step 15 Specify the address pools from which IP addresses will be assigned. The server uses these pools in the
order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You
can specify up to six pools.
If you want to use a different address pool, or select additional address pools, click Select to open the
Network/Hosts selector from which you can make your selection(s).
Step 16 Enter the name of the authentication server group (LOCAL if the tunnel group is configured on the local
device). You can click Select to open a dialog box that lists all available AAA server groups, and in
which you can create AAA server group objects.
Step 17 If an external AAA server group is selected, you can enable fallback to the local database for
authentication if the selected authentication server group fails.
Step 18 Enter the name of the authorization server group (LOCAL if the tunnel group is configured on the local
device). You can click Select to open a dialog box that lists all available AAA server groups, and in
which you can create AAA server group objects.
Step 19 Enter the name of the accounting server group. You can click Select to open a dialog box that lists all
available AAA server groups, and in which you can create AAA server group objects.
Step 20 Click Finish to save your definitions locally on the Security Manager client and close the dialog box.
Creating IPSec VPNs Using the Remote Access VPN Configuration wizard
(ASA Devices)
This procedure describes how to create or edit IPSec VPNs on ASA devices using the Remote Access
VPN Configuration Wizard.
Related Topics
Understanding Remote Access IPSec VPNs, page 26-2
Step 14 Enter the trustpoint name if any trustpoints are configured. A trustpoint represents a CA/identity pair and
contains the identity of the CA, CA-specific configuration parameters, and an association with one
enrolled identity certificate.
Step 15 Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.
During IKE negotiations, peers must identify themselves to one another.
Step 16 To enable the sending of the certificate chain for authorization, select the Enable Sending Certificate
Chain check box. A certificate chain includes the root CA certificate, identity certificate, and key pair.
Step 17 To enable passwords to be updated with the RADIUS authentication protocol, select the Enable
Password Update with RADIUS Authentication check box. For more information, see Supported
AAA Server Types, page 6-21.
Step 18 Specify the following ISAKMP Keepalive settings:
To configure IKE keepalive as the default failover and routing mechanism, select the Monitor
Keepalive check box. For more information, see Understanding ISAKMP/IPsec Settings,
page 22-13.
Enter the number of seconds that a device waits between sending IKE keepalive packets.
Enter the number of seconds a device waits between attempts to establish an IKE connection with
the remote peer. The default is 2 seconds.
Step 19 Configure the specific revision level and image URL of the VPN clients.
Step 20 Click Next. The Defaults page opens. For a description of the elements on this page, see Defaults Page,
page 27-16.
Step 21 Enter the defaults to be used for this IPSec VPN.
Step 22 Click Finish to save your definitions locally on the Security Manager client and close the dialog box.
Related Topics
Understanding and Managing SSL VPN Support Files, page 26-5
Configuring Cluster Load Balance Policies (ASA), page 26-17
ASA Cluster Load Balance Page, page 27-17
Related Topics
Understanding Cluster Load Balancing (ASA), page 26-16
Note Interfaces are objects. You can click Select to open a dialog box that lists all available interface
roles and interfaces and in which you can create interface role objects. For more information,
see Understanding Interface Role Objects, page 6-55.
Step 9 If required, select the Send FQDN to client instead of an IP address when redirecting check box to
enable redirection using FQDNs. This check box is available only for ASA devices running 8.0.2 or later.
For more information, see Understanding Cluster Load Balancing (ASA), page 26-16.
Note To use VPN load balancing, you must have an ASA Model 5510 with a Plus license or an ASA
Model 5520 or higher. VPN load balancing also requires an active 3DES/AES license. The
security appliance checks for the existence of this crypto license before enabling load balancing.
If it does not detect an active 3DES or AES license, the security appliance prevents the enabling
of load balancing and also prevents internal configuration of 3DES by the load balancing system
unless the license permits this usage.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
Connection Profiles Page, page 27-18
Note You can also create or edit connection profiles from the Remote Access VPN Configuration wizard. For
more information, see Using the Remote Access VPN Configuration Wizard, page 26-9.
Related Topics
Understanding Connection Profiles (ASA), page 26-18
Remote Access VPN Configuration Wizard, page 27-1
data format. DAP selection configuration files include all of the attributes that you configure. These
can include AAA attributes, endpoint attributes, and access policies as configured in network and
web-type ACL filter, port forwarding, and URL lists.
DfltAccess PolicyAlways the last entry in the DAP summary table, always with a priority of 0.
You can configure Access Policy attributes for the default access policy, but it does not containand
you cannot configureAAA or endpoint attributes. You cannot delete the DfltAccessPolicy, and it
must be the last entry in the summary table.
Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Related Topics
Configuring Dynamic Access Policies, page 26-20
Configuring DAP Attributes, page 26-25
Related Topics
Understanding Dynamic Access Policies, page 26-19
Understanding DAP Attributes, page 26-22
Configuring Cisco Secure Desktop Policies on ASA Devices, page 26-26
Step 3 Enter the name of the DAP record (up to 128 characters).
Step 4 Specify a priority for the DAP record. The security appliance applies access policies in the order you set
here, highest number having the highest priority.
Step 5 Enter a description for the DAP record.
Step 6 In the Main tab, configure the DAP attributes and the type of remote access method supported by the
DAP system on your security appliance. For a detailed description of the elements on this tab, see
Table 27-27 on page 27-36.
a. Click Create below the table, or select a DAP entry in the table and click Edit. The Add/Edit DAP
Entry dialog box opens. For a description of the elements on this dialog box, see Table 27-28 on
page 27-41.
For a full description of the procedure to define the DAP attributes, see Configuring DAP Attributes,
page 26-25.
b. Select the type of remote access permitted by the DAP system.
c. Select the Network ACL tab to select and configure network ACLs to apply to this DAP record.
This tab is available only if you selected an access method other than Web Portal.
d. Select the WebType ACL tab to select and configure Web-type ACLs to apply to this DAP record.
This tab is available only if you selected an access method other than AnyConnect Client.
e. Select the Functions tab to configure file server entry and browsing, HTTP proxy, and URL entry
for the DAP record.
This tab is available only if you selected an access method other than AnyConnect Client.
f. Select the Port Forwarding tab to select and configure port forwarding lists for user sessions.
This tab is available only if you selected an access method other than AnyConnect Client.
g. Select the URL List tab to select and configure URL lists for user sessions.
This tab is available only if you selected an access method other than AnyConnect Client.
h. Select the Action tab to configure the type of remote access permitted.
This tab is available for all types of access methods.
Step 7 Select the Logical Operators tab to create multiple instances of each type of endpoint attribute. For a
description of the elements on this tab, see Table 27-43 on page 27-56.
Step 8 Select the Advanced Expressions tab to set additional attributes for the DAP using free-form LUA. For
a description of the elements on this tab, see Table 27-44 on page 27-59.
Step 9 Click OK.
Max String
Attribute Type Attribute Name Source Value Length Description
Cisco aaa.cisco.memberof AAA string 128 memberof value
aaa.cisco.username AAA string 64 username value
aaa.cisco.class AAA string 64 class attribute value
aaa.cisco.ipaddress AAA number framed-ip address value
aaa.cisco.tunnelgroup AAA string 64 tunnel-group name
LDAP aaa.ldap.<label> LDAP string 128 LDAP attribute
value pair
RADIUS aaa.radius.<number> RADIUS string 128 Radius attribute
value pair
This endpoint expression tests for a match on CLIENTLESS OR CVC client types:
endpoint.application.clienttype=="CLIENTLESS" or endpoint.application.clienttype=="CVC"
This endpoint expression tests for Norton Antivirus versions 10.x but excludes 10.5.x:
(endpoint.av.NortonAV.version > "10" and endpoint.av.NortonAV.version < "10.5") or endpoint.av.NortonAV.version > "10.6"
Related Topics
Configuring Dynamic Access Policies, page 26-20
Understanding Dynamic Access Policies, page 26-19
Configuring DAP Attributes, page 26-25
Related Topics
Understanding DAP Attributes, page 26-22
Understanding Dynamic Access Policies, page 26-19
Configuring Dynamic Access Policies, page 26-20
Step 2 Click Create on the Dynamic Access policy page, or select the row of a policy in the table on the page,
and click Edit.
The Add/Edit Dynamic Access Policy dialog box opens, displaying the Main tab. For a description of
the elements on the Main tab, see Table 27-27 on page 27-36.
Step 3 Click Create below the table, or select a DAP entry in the table and click Edit. The Add/Edit DAP Entry
dialog box opens. For a description of the elements on this dialog box, see Table 27-28 on page 27-41.
Step 4 Select the attribute type from the Criterion list, then enter the appropriate values. The dialog box values
vary based on your selection. Options are:
AAA Attributes Cisco; see Table 27-29 on page 27-43.
AAA Attributes LDAP; see Table 27-30 on page 27-44.
AAA Attributes RADIUS; see Table 27-31 on page 27-45.
Anti-Spyware; see Table 27-32 on page 27-46.
Anti-Virus; see Table 27-33 on page 27-47.
Application; see Table 27-34 on page 27-48.
File; see Table 27-36 on page 27-49.
NAC; see Table 27-37 on page 27-50.
Operating System; see Table 27-38 on page 27-51.
Personal Firewall; see Table 27-39 on page 27-52.
Policy; see Table 27-40 on page 27-53.
Process; see Table 27-41 on page 27-54.
Registry; see Table 27-42 on page 27-55.
Step 5 Click OK.
Note A complete explanation of the capabilities and configuration of the Cisco Secure Desktop program is
beyond the scope of this document. For information about configuring CSD, and what CSD can do for
you, see the materials available online at
http://www.cisco.com/en/US/products/ps6742/tsd_products_support_configure.html. Select the
configuration guide for the CSD version you are configuring.
This procedure describes how to configure the Cisco Secure Desktop feature on an ASA device.
Related Topics
Understanding and Managing SSL VPN Support Files, page 26-5
Note The package version must be compatible with the ASA operating system version. When you
create a local policy in Device view, the Version field indicates the CSD package version you
should select. (The version is included in the package file name. For example,
securedesktop-asa_k9-3.3.0.118.pkg is CSD version 3.3.0.118.) When you create a shared
policy in Policy view, the Version field indicates the version of the CSD file you selected. For
more information on version compatibility, see Understanding and Managing SSL VPN Support
Files, page 26-5.
Step 4 Click Configure to open the Cisco Secure Desktop Manager (CSDM) Policy Editor that lets you
configure CSD on the security appliance. This application is independent of Security Manager; read the
CSD documentation cited above for an explanation of how to use the policy editor.
The editor contains these main items (select them in the table of contents):
Prelogin PoliciesThis is a decision tree. When a user attempts a connection, the users system is
evaluated against your rules and the first rule that matches is applied. Typically, you create policies
for secure locations, home locations, and insecure public locations. You can make your checks based
on registry information, the presence of specific files or certificates, the workstations operating
system, or IP address.
All editing is done through the right-click menu. Right click on boxes or + signs to activate related
settings, if any.
For end nodes, you can select these options:
Access DeniedWorkstations that match your criteria are prevented from accessing the network.
PolicyYou want to define a specific admission policy at this point. After naming the policy,
it is added to the table of contents. Select each item in the policy and configure its settings.
SubsequenceYou want to perform additional checks. Enter the name of the next decision tree
that you want to evaluate for this workstation.
Host scanYou can specify a set of registry entries, file names, and process names, which form a
part of the basic host scan. The host scan occurs after the prelogin assessment but before the
assignment of a dynamic access policy. Following the basic host scan, the security appliance uses
the login credentials, the host scan results, prelogin policy, and other criteria you configure to assign
a dynamic access policy. You can also enable:
Endpoint AssessmentThe remote workstation scans for a large collection of antivirus,
antispyware, and personal firewall applications, and associated updates.
Advanced Endpoint AssessmentIncludes all of the Endpoint Assessment features, and lets
you configure an attempt to update noncompliant workstations to meet the version requirements
you specify. You must purchase and install a license for this feature before you can configure it.
Related Topics
Configuring Remote Access VPN Global Settings, page 26-28
Global Settings Page, page 27-60
Related Topics
Understanding Remote Access VPN Global Settings, page 26-28
Step 2 In the ISAKMP/IPsec Settings tab (see ISAKMP/IPsec Settings Tab, page 27-60), specify global
settings for IKE and IPsec, as follows:
a. Select Enable Keepalive to configure IKE keepalive as the default failover and routing mechanism
for your devices. (Applies to Cisco IOS routers, Catalyst 6500 /7600 devices, and PIX Firewalls
version 6.3.)
b. Enter the number of seconds a device must wait between sending IKE keepalive packets.
c. Enter the number of seconds a device must wait between attempts to establish an IKE connection
with the remote peer.
d. Select Periodic if you want to send dead-peer detection (DPD) keepalive messages, even if there is
no outbound traffic to be sent (for routers except 7600).
e. Specify whether the device uses an IP address or hostname to identify itself in IKE negotiations. You
can also specify to use a distinguished name (DN) to identify a user group name.
f. Specify the maximum number of SA requests allowed before IKE starts rejecting them (for routers
except 7600).
g. Specify the percentage of system resources that can be used before IKE starts rejecting new SA
requests (for Cisco IOS routers and Catalyst 6500 /7600 devices).
h. Select Enable Lifetime to configure the global lifetime settings for the crypto IPsec SAs on the
devices in your remote access VPN.
i. Specify the number of seconds an SA will exist before expiring.
j. Specify the volume of traffic (in kilobytes) that can pass between IPsec peers using a given SA
before it expires.
k. Specify the Xauth timeout, that is, the number of seconds the device will wait for a system response
to the Xauth challenge (Cisco IOS routers and Catalyst 6500 /7600 devices).
l. Specify the maximum number of SAs that can be enabled simultaneously on the device (ASA or PIX
7.0 devices only).
m. Select Enable IPsec via Sysopt to specify that any packet that comes from an IPsec tunnel be
implicitly trusted (PIX 6.3, PIX 7.0, and ASA devices only).
Step 3 Click the NAT Settings tab to define global NAT settings that apply to devices that use internal IP
addresses to send and receive data through the public Internet. For a description of the elements on the
NAT Settings tab, see NAT Settings Tab, page 27-63.
a. Select Enable Traversal Keepalive for the transmission of keepalive messages when a device
(referred to as the middle device) located between a VPN-connected hub and spoke performs NAT
on the IPsec flow.
b. Specify the interval (between 5 and 3600 seconds) between the keepalive signals sent between the
spoke and the middle device to indicate that the session is active.
c. Select Enable Traversal over TCP (for ASA or PIX 7.0 devices only) to encapsulate both the IKE
and IPsec protocols within a TCP packet, and enable secure tunneling through both NAT and PAT
devices and firewalls.
d. Enter the TCP ports for which you want to enable NAT traversal (ASA or PIX 7.0 devices only).
Step 4 Click the General Settings tab to define fragmentation and other global settings on the devices in your
remote access VPN. For a description of the elements on the General Settings tab, see General Settings
Tab, page 27-64.
a. Select the fragmentation mode from the following options:
No FragmentationSelect if you do not want to fragment before IPsec encapsulation.
End to End MTU DiscoverySelect to use ICMP messages for the discovery of MTU.
Local MTU HandlingSelect to set the MTU locally on the devices. This option is typically
used when ICMP is blocked.
See Understanding Fragmentation, page 22-15.
b. Specify the MTU size (between 68 and 65535 bytes depending on the VPN interface).
c. Select the required setting for the DF bit (for Cisco IOS routers, ASA, or PIX 7.0 devices)Copy,
Set, or Clear.
d. Select Enable Fragmentation Before Encryption (for Cisco IOS routers, ASA, or PIX 7.0 devices)
to fragment before encryption, if the expected packet size exceeds the MTU (Cisco IOS routers
only).
e. Select Enable Notification on Disconnection (for ASA or PIX 7.0 devices only) to notify qualified
peers of sessions that are about to be disconnected.
f. Select Enable Spoke-to-Spoke Connectivity through the Hub (for ASA, or PIX 7.0 devices only)
to enable direct communication between spokes in a hub-and-spoke VPN topology, in which the hub
is an ASA device or a PIX Firewall version 7.0.
g. Select Enable Default Route (for Cisco IOS routers only) to use the devices configured external
interface as the default outbound route for all incoming traffic.
Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Client Firewall Attributes, which configure the firewall settings for VPN clients in an Easy VPN or
remote access VPN. For more information, see ASA Group Policies Client Firewall Attributes,
page 28-5.
Hardware Client Attributes, which configure the VPN 3002 Hardware Client settings in an Easy
VPN or remote access VPN. For more information, see ASA Group Policies Hardware Client
Attributes, page 28-7.
IPsec settings, which specify tunneling protocols, filters, connection settings, and servers for the
user group in an Easy VPN or remote access VPN. For more information, see ASA Group Policies
IPSec Settings, page 28-9.
Clientless settings, which configure the Clientless mode of access to the corporate network in an
SSL VPN, for the ASA user group. For more information, see ASA Group Policies SSL VPN
Clientless Settings, page 28-11.
Full Client settings, which configure the Full Client mode of access to the corporate network in an
SSL VPN, for the ASA user group. For more information, see ASA Group Policies SSL VPN Full
Client Settings, page 28-13.
General settings that are required for Clientless/Port Forwarding in an SSL VPN. For more
information, see ASA Group Policies SSL VPN Settings, page 28-15.
DNS/WINS settings that define the DNS and WINS servers and the domain name that should be
pushed to remote clients associated with the ASA user group. For more information, see ASA Group
Policies DNS/WINS Settings, page 28-18.
Split tunneling that lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel
in encrypted form or to a network interface in clear text form. For more information, see ASA Group
Policies Split Tunneling Settings, page 28-19.
Remote access or SSL VPN session connection settings for the ASA user group. For more
information, see ASA Group Policies Connection Settings, page 28-20.
Related Topics
Creating Group Policies (ASA), page 26-31
Group Policies Page, page 27-66
Step 3 Select the required ASA user group from the list and click OK, or if the required ASA user group does
not exist, create it by clicking Create.
The Add ASA User Group dialog box appears, displaying a list of settings that you can configure for the
ASA user group object. For a description of the elements on this dialog box, see ASA Group Policies
Dialog Box, page 28-1.
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Select whether to store the ASA user groups attributes and values locally on the device, or on an
external server.
Note If you selected to store the ASA user groups attributes on an external server, you do not need to
configure any Technology settings. After you specify the AAA server group that will be used for
authentication and a password to the AAA server, click OK and then select the group in the
object selector and click OK to add it to the policy.
Step 6 If you selected to store the ASA user groups attributes locally on the device, select the type of VPN for
which you are creating the ASA user group from the Technology list.
Step 7 To configure the user group for an Easy VPN/IPSec VPN, from the Easy VPN/IPSec VPN folder in the
Settings pane:
a. Select Client Configuration to configure the Cisco client parameters. For a description of these
settings, see ASA Group Policies Client Configuration Settings, page 28-4.
b. Select Client Firewall Attributes to configure the firewall settings for VPN clients. For a
description of these settings, see ASA Group Policies Client Firewall Attributes, page 28-5.
c. Select Hardware Client Attributes to configure the VPN 3002 Hardware Client settings. For a
description of these settings, see ASA Group Policies Hardware Client Attributes, page 28-7.
d. Select IPsec to specify tunneling protocols, filters, connection settings, and servers. For a
description of these settings, see ASA Group Policies IPSec Settings, page 28-9.
Step 8 To configure the user group for an SSL VPN, from the SSL VPN folder in the Settings pane:
a. Select Clientless to configure the Clientless mode of access to the corporate network in an SSL
VPN. For a description of these settings, see ASA Group Policies SSL VPN Clientless Settings,
page 28-11.
b. Select Full Client to configure the Full Client mode of access to the corporate network in an SSL
VPN. For a description of these settings, see ASA Group Policies SSL VPN Full Client Settings,
page 28-13.
c. Select Settings to configure the general settings that are required for clientless and thin client (port
forwarding) access modes in an SSL VPN. For a description of these settings, see ASA Group
Policies SSL VPN Settings, page 28-15.
Step 9 Specify the following settings for an ASA user group in an Easy VPN/IPSec VPN and SSL VPN
configuration, in the Settings pane:
a. Select DNS/WINS to define the DNS and WINS servers and the domain name that should be pushed
to clients associated with the ASA user group. For a description of these settings, see ASA Group
Policies DNS/WINS Settings, page 28-18.
b. Select Split Tunneling to allow a remote client to conditionally direct encrypted packets through a
secure tunnel to the central site and simultaneously allow clear text tunnels to the Internet through
a network interface. For a description of these settings, see ASA Group Policies Split Tunneling
Settings, page 28-19.
c. Select Connection Settings to configure the SSL VPN connection settings for the ASA user group,
such as the session and idle timeouts, including the banner text. For a description of these settings,
see ASA Group Policies Connection Settings, page 28-20.
Step 10 Click OK.
Step 11 Select the ASA user group from the list and click OK.
Note In remote access VPNs, digital certificates are used for user authentication. When creating or editing a
PKI enrollment object, you must configure each remote component (spoke) with the name of the user
group to which it connects.
Related Topics
Understanding Public Key Infrastructure Policies, page 22-26
Prerequisites for Successful PKI Enrollment, page 22-28
Public Key Infrastructure Page, page 27-66
Remote clients should also be configured to use digital certificates for user authentication during
IKE negotiations, by specifying the user group name when configuring ISAKMP settings (see
Configuring Remote Access VPN Global Settings, page 26-28).
To save the RSA key pairs and the CA certificates permanently between reloads to flash memory on
a PIX version 6.3, you must configure the ca save all command. You can do this manually on the
device or by using a FlexConfig (see Chapter 7, Managing FlexConfigs).
Related Topics
Configuring Certificate to Connection Profile Map Policies (ASA), page 26-35
Certificate to Connection Profile Maps > Policies Page, page 27-67
Related Topics
Understanding Certificate to Connection Profile Map Policies (ASA), page 26-34
Note A connection profile must already exist in the configuration before you can create and map a certificate
to connection profile map rule to it. If you unassign a connection profile after creating a certificate to
connection profile map rule, the rules that are mapped to the connection profile are unassigned. See
Configuring Connection Profiles (ASA), page 26-18.
Related Topics
Configuring Certificate to Connection Profile Map Rules (ASA), page 26-36
Certificate to Connection Profile Maps > Rules Page, page 27-68
Related Topics
Understanding Certificate to Connection Profile Map Rules (ASA), page 26-35
Connection Profiles Page, page 27-18
Step 1 (Device view only) With an ASA device selected, select Remote Access VPN > IPSec VPN >
Certificate to Connection Profile Maps > Rules from the Policy selector. The Certificate to Connection
Profile Map Rules page is displayed. For a description of the elements on this page, see Certificate to
Connection Profile Maps > Rules Page, page 27-68.
Step 2 Click Add Row beneath the maps table in the upper pane to configure the priority and connection profile
mapping for your matching rules. The Map Rule dialog box opens. For a description of the elements on
this page, see Map Rule Dialog Box (Upper Table), page 27-69.
Step 3 Select a connection profile from the list.
Step 4 Enter the priority number for the matching rule. A lower number has higher priority.
Step 5 Enter a name for the map.
Step 6 Click OK. The map is displayed in the upper table of the page.
Step 7 Select the map created in the upper table to display the details in the table in the lower pane.
Step 8 Click Add Row beneath the table in the lower pane to configure the certificate to connection profile
matching rule that must be satisfied in order for a remote client to connect to the device using the profile
in this map. The Map Rule dialog box opens. For a description of the elements on this page, see Map
Rule Dialog Box (Lower Table), page 27-70.
Step 9 Select the certificate field from the list.
Step 10 Select the component of the certificate that you wish to configure.
Related Topics
Configuring IKE Proposals on a Remote Access VPN Server, page 26-37
IKE Proposal Page, page 27-73
Related Topics
Understanding IKE Proposals in Remote Access VPNs, page 26-37
Note You can configure dynamic VTI only on routers running Cisco IOS Release 12.4(2)T and later, except
7600 devices.
You can also configure dynamic VTI in a site-to-site Easy VPN topology. For more information, see
Understanding Easy VPN, page 24-1.
Related Topics
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
IPsec Proposal Page, page 27-74
Related Topics
PVC Dialog BoxQoS Tab, page 52-60
Understanding VRF-Aware IPsec, page 21-13
Understanding IPsec Proposals in Remote Access VPNs, page 26-38
IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75
IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77
VPNSM/VPN SPA Settings Dialog Box, page 27-80
Understanding IPsec Tunnel Policies, page 22-5
Note The elements in IPsec Proposal Editor dialog box differ depending on the selected device.
Note The IPsec Proposal Editor dialog box displays two tabsGeneral and Dynamic VTI/VRF Aware
IPsec. If the selected device is a Catalyst 6500/7600, the FWSM Settings tab is also displayed.
a. In the General tab (for a description of the elements in the General tab, see Table 27-58 on
page 27-78):
Specify the external interface through which remote access clients will connect to the server.
Note Important: If the selected device is a Catalyst 6500/7600, specify the inside VLAN that
serves as the inside interface to the VPN Services Module (VPNSM) or VPN SPA. Click
Select to open a dialog box in which you define the settings that enable you to configure
a VPNSM or VPN SPA. For a description of the elements in the VPNSM/VPN SPA
Settings dialog box, see Table 27-59 on page 27-80
For information about configuring a VPNSM, see Configuring VPNSM or VPN SPA/VSPA
Endpoint Settings, page 21-38.
For information about configuring a VPN SPA, see Configuring VPNSM or VPN SPA/VSPA
Endpoint Settings, page 21-38.
Select the transform sets to be used for your tunnel policy.
If required, enable reverse route injection (RRI) to ensure that a static route is created on the
device for each assigned address to the client.
To configure reverse route injection (RRI) on the devices crypto map, select the required option
from the Reverse Route Injection list. For more information, see About Reverse Route Injection,
page 22-8.
Select an AAA authorization method list to use for defining the order in which the group
policies are searched. Group policies can be configured on the local server or on an external
AAA server.
Select the AAA or Xauth user authentication method to use for defining the order in which user
accounts are searched.
b. Click the Dynamic VTI/VRF Aware IPsec tab to configure a dynamic virtual interface,
VRF-Aware IPsec settings, or both on the device. For a description of the elements on this tab, see
Table 27-60 on page 27-82.
Step 5 After you finish creating or editing your IPsec proposal, click OK to save your changes and close the
IPsec Proposal Editor dialog box.
Note When configuring an HA group, you must provide an inside virtual IP that matches the subnet of one of
the interfaces on the device, in addition to a VPN virtual IP that matches the subnet of one of the devices
interfaces and is configured with an IPsec proposal. See Configuring an IPsec Proposal on a Remote
Access VPN Server, page 26-39.
A remote access VPN server device on which HA is configured cannot be configured as a hub in a
site-to-site VPN topology on which HA is configured, using the same outside interface that was used for
the remote access VPN server.
For a description of the High Availability page, on which you can provide information for configuring
an HA group, see Table 27-54 on page 27-72.
Related Topics
Configuring a High Availability Policy, page 26-41
High Availability Page, page 27-71
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
Related Topics
Understanding High Availability in Remote Access VPNs (IOS), page 26-41
Note You must provide an inside virtual IP that matches the subnet of one of the interfaces on the
device, in addition to a VPN virtual IP that matches the subnet of one of the devices interfaces
and is configured with an IPsec proposal; otherwise an error is displayed.
Step 5 Specify the IP address of the inside interface of the remote peer device which acts as the failover server.
Note The remote access VPN server on which you define a user group policy can be a Cisco IOS router, PIX
6.3 Firewall, or 6500 /7600 device.
On the User Group Policy page, you can specify the user groups you want to assign to your remote access
VPN server. You can create and edit user group policies. You can open the User Group Policy page from
the Remote Access Configuration wizard or from the Remote Access VPN Policies folder.
Related Topics
Configuring User Group Policies, page 26-43
Add or Edit User Group Dialog Box, page 28-68
Note You can also specify user groups using the Remote Access VPN Configuration Wizard. For more
information, see Using the Remote Access VPN Configuration Wizard, page 26-9.
Related Topics
Understanding User Group Policies (IOS), page 26-42
Note In order for DTLS to fall back to a TLS connection, you must specify a fallback trustpoint. If you do not
specify a fallback trustpoint and the DTLS connection experiences a problem, the connection terminates
instead of falling back to the specified trustpoint.
The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista,
Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a
Cisco SSL VPN client. If this feature is disabled, the full AnyConnect VPN client is used. This feature
is disabled by default.
Note This license cannot be used at the same time as the shared license for SSL VPN.
Related Topics
Understanding SSL VPN Client Settings, page 26-56
Step 4 Specify a separate UDP port for DTLS connections with the AnyConnect client. You can click Select to
open the Port List Selector dialog box from which you can make your selection.
Step 5 Specify a Fallback Trustpoint to use for interfaces that do not have a trustpoint assigned.
Step 6 Specify the amount of time, in seconds, that an SSL VPN session can be idle before the security
appliance terminates the session.
Step 7 Specify the maximum number of SSL VPN sessions you want to allow.
Step 8 Select Allow Users to Select Connection Profile in Portal Page to include a list of the configured
tunnel groups on the SSL VPN end-user interface, from which users can select a connection profile when
they log in.
Step 9 Select Enable AnyConnect Access to enable either the Cisco AnyConnect VPN Client or the legacy
Cisco SSL VPN Client (SVC) on the interfaces defined on the security appliance for SSL VPN
connections. For details, see Understanding SSL VPN Client Settings, page 26-56.
Step 10 Select Enable AnyConnect Essentials to enable the AnyConnect Essentials SSL VPN Client. For
details, see Understanding SSL VPN Client Settings, page 26-56.
Related Topics
Defining Performance Settings, page 26-47
Performance Tab, page 27-88
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Performance Tab, page 27-88
Note The maximum object size must be greater than the minimum object size.
Step 4 Specify the maximum size document that the security appliance can cache. The range is 0 to 10000 Kb.
The default is 1000 Kb.
Step 5 Specify an integer to set a revalidation policy for caching objects that have only the last-modified
timestamp, and no other server-set expiration values. The range is 1-100. The default is 20.
Step 6 Enter an integer to set the number of minutes to cache objects without revalidating them. Valid values
range from 0 to 900. The default is one minute.
Step 7 Select the Cache Compressed Content check box to cache compressed content.
Step 8 Select the Cache Static Content check box to cache static content.
Note The security appliance searches rewrite rules by order number, starting with the lowest, and applies the
first rule that matches.
Related Topics
Defining Content Rewrite Rules, page 26-48
Content Rewrite Tab, page 27-90
Add/Edit Content Rewrite Dialog Box, page 27-91
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Content Rewrite Tab, page 27-90
Add/Edit Content Rewrite Dialog Box, page 27-91
Step 2 On the Other Settings page, click the Content Rewrite tab. The Content Rewrite tab opens, displaying
all applications for which content rewrite is enabled or disabled. For a description of the elements on this
tab, see Table 27-65 on page 27-90.
Step 3 On the Content Rewrite tab, click Create, or select a rewrite rule in the table and click Edit.
The Add/Edit Content Rewrite dialog box opens. For a description of the elements in this dialog box,
see Table 27-66 on page 27-91.
Step 4 Select the Enable check box to enable content rewrite for this rewrite rule.
Step 5 Enter a number for this rule. This number specifies the position of the rule in the list. Rules without a
number are at the end of the list. The range is 1 to 65534.
Step 6 Enter the name of the application or resource to which the rule applies (up to 300 characters).
Step 7 Enter the application or resource for the rule.
Step 8 Click OK. The Add Content Rewrite Rule dialog box closes, and the content rewrite rule is added to
the table.
Understanding Encoding
Character encoding is the pairing of raw data (such as 0s and 1s) with characters to represent the data.
The language determines the character encoding method to use. Some languages use the same method,
while others do not. Usually, the geographic region determines the default encoding method used by the
browser, but the remote user can change this. The browser can also detect the encoding specified on the
page, and render the document accordingly.
The encoding attribute lets you specify the value of the character encoding method in the SSL VPN
portal page to ensure that the browser renders it properly, regardless of the region in which the user is
using the browser, or any changes made to the browser.
The character encoding attribute is a global setting that, by default, all SSL VPN portal pages inherit.
However, you can override the file-encoding attribute for Common Internet File System (CIFS) servers
that use character encoding that differs from the value of the character-encoding attribute. You can use
different file-encoding values for CIFS servers that require different character encodings.
The SSL VPN portal pages downloaded from the CIFS server to the SSL VPN user encode the value of
the SSL VPN file-encoding attribute identifying the server, or if one does not, they inherit the value of
the character encoding attribute. The remote users browser maps this value to an entry in its character
encoding set to determine the proper character set to use. The SSL VPN portal pages do not specify a
value if SSL VPN configuration does not specify a file encoding entry for the CIFS server and the
character encoding attribute is not set. The remote browser uses its own default encoding if the SSL VPN
portal page does not specify the character encoding, or if it specifies a character encoding value that the
browser does not support.
In the Encoding tab of the SSL VPN Global Settings page, you can view the currently configured
character sets associated with the CIFS server to be encoded in the portal pages. From this tab, you can
create or edit the character sets, as described in the following procedure.
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Encoding Tab, page 27-91
Add/Edit File Encoding Dialog Box, page 27-93
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Encoding Tab, page 27-91
Add/Edit File Encoding Dialog Box, page 27-93
Note If you choose none or specify a value that the browser on the SSL VPN client does not support,
it uses its own default encoding.
Step 4 Click Create, or select a character set in the table and click Edit.
The Add/Edit File Encoding dialog box opens. For a description of the elements in this dialog box, see
Table 27-68 on page 27-93.
Step 5 Enter the IP address or host name of each CIFS server for which the encoding requirement differs from
the Global SSL VPN Encoding Type attribute setting.
CIFS servers are predefined network objects. You can click Select to open the Network/Hosts Selector
dialog box that lists all available network hosts, and in which you can create network host objects.
Step 6 From the Encoding Type list, select the character encoding that the CIFS server should provide for SSL
VPN portal pages.
Step 7 Click OK.
Note The HTTP/HTTPS proxy does not support connections to personal digital assistants.
You can specify a proxy autoconfiguration (PAC) file to download from an HTTP proxy server; however,
you may not use proxy authentication when specifying the PAC file.
You can configure the security appliance to use proxy bypass when applications and web resources work
better with the content rewriting this feature provides. Proxy bypass is an alternative method of content
rewriting that makes minimal changes to the original content. It is useful with custom web applications.
You can configure multiple proxy bypass entries. The order in which you configure them is unimportant.
The interface and path mask or interface and port uniquely identify a proxy bypass rule.
If you configure proxy bypass using ports rather than path masks, depending on your network
configuration, you might need to change your firewall configuration to allow these ports access to the
security appliance. Use path masks to avoid this restriction. Be aware, however, that path masks can
change, so you might need to use multiple path mask statements to exhaust the possibilities.
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Defining Proxies and Proxy Bypass Rules, page 26-51
Proxy Tab, page 27-94
Add/Edit Proxy Bypass Dialog Box, page 27-97
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Understanding Proxies and Proxy Bypass Rules, page 26-51
Proxy Tab, page 27-94
Add/Edit Proxy Bypass Dialog Box, page 27-97
Step 6 If you selected Proxy Auto-Configuration File as the type of proxy server, select the Specify PAC file
URL option and specify a PAC file to download to the browser. Once downloaded, the PAC file uses a
JavaScript function to identify a proxy for each URL.
Step 7 Under the Proxy Bypass table, click Create, or select a rule in the table and click Edit.
The Add/Edit Proxy Bypass dialog box opens. For a description of the elements in this dialog box, see
Table 27-70 on page 27-97.
Step 8 Specify the name of the interface on the security appliance for proxy bypass. You can click Select to
make your selection from a list of interface and interface role objects.
Step 9 Select the required Bypass Traffic option, as follows:
On PortTo specify a port number to be used for proxy bypass. Valid port numbers are
20000-21000. You can click Select to open the Port List Selector dialog box from which you can
make your selection.
Match Specifying PatternTo specify a URL path to match for proxy bypass.
Step 10 In the URL field, select the http or https protocol, and enter the URL to which you want to apply
proxy bypass.
Step 11 Select the Rewrite XML check box to rewrite XML sites and applications to be bypassed by the
security appliance.
Step 12 Select the Rewrite Hostname check box to rewrite absolute external links.
Note You can configure the security appliance to perform no content rewriting, or rewrite XML links,
or a combination of XML and links.
Understanding Plug-ins
A browser plug-in is a separate program that a web browser invokes to perform a dedicated function,
such as connect a client to a server within the browser window. The security appliance lets you import
plug-ins for download to remote browsers in clientless SSL VPN sessions. Of course, Cisco tests the
plug-ins it redistributes, and in some cases, tests the connectivity of plug-ins we cannot redistribute.
However, we do not recommend importing plug-ins that support streaming media at this time.
Note Per the GNU General Public License (GPL), Cisco redistributes plug-ins without having made any
changes to them. Per the GPL, Cisco cannot directly enhance these plug-ins.
The security appliance does the following when you install a plug-in onto the flash device:
(Cisco-distributed plug-ins only) Unpacks the jar file specified in the URL.
Writes the file to the csco-config/97/plugin directory on the security appliance file system.
Enables the plug-in for all future clientless SSL VPN sessions, and adds a main menu option and an
option to the drop-down menu next to the Address field of the portal page.
When the user in a clientless SSL VPN session clicks the associated menu option on the portal page, the
portal page displays a window to the interface and displays a help pane. The user can select the protocol
displayed in the drop-down menu and enter the URL in the Address field to establish a connection.
Note Some Java plug-ins may report a status of connected or online even when a session to the destination
service is not set up. The open-source plug-in reports the status, not the security appliance.
Note Do not specify an IP address as the common name (CN) for the SSL certificate. The
remote user attempts to use the FQDN to communicate with the security appliance. The
remote PC must be able to use DNS or an entry in the System32\drivers\etc\hosts file to
resolve the FQDN.
In the Plug-in tab of the SSL VPN Global Settings page, you can view the currently configured browser
plug-ins for clientless SSL VPN browser access. From this tab, you can create or edit the plug-in files,
as described in the following procedure.
Note The ssh-plugin.jar provides support for both SSH and Telnet protocols. The SSH client
supports SSH Version 1.0.
vnc-plugin.jarThe Virtual Network Computing plug-in lets the remote user use a monitor,
keyboard, and mouse to view and control a computer with remote desktop sharing turned on. Cisco
redistributes this plug-in without any changes to it per the GNU General Public License. The web
site containing the source of the redistributed plug-in is http://www.tightvnc.com.
Related Topics
Understanding and Managing SSL VPN Support Files, page 26-5
Configuring Other SSL VPN Settings, page 26-46
Defining Browser Plug-ins, page 26-55
Plug-in Tab, page 27-98
Add/Edit Plug-in Entry Dialog Box, page 27-99
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Related Topics
Understanding and Managing SSL VPN Support Files, page 26-5
Configuring SSL VPN Client Settings, page 26-57
SSL VPN Client Settings Tab, page 27-99
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Understanding SSL VPN Client Settings, page 26-56
Related Topics
Configuring Other SSL VPN Settings, page 26-46
Advanced Tab, page 27-102
Note When you change the memory size, the new setting takes effect only after the system reboots.
Step 4 In the Enable On-Screen Keyboard field, choose On All Pages or On Logon Page Only to enable the
on-screen keyboard feature, as desired. Otherwise, leave it set to Disabled.
Step 5 Click the Allow Users to Enter Internal Password check box to require an additional password when
accessing internal sites. This feature is useful if you require that the internal password be different from
the SSL VPN password. For example, you can use a one-time password for authentication to ASA and
another password for internal sites.
Note The shared license cannot be used at the same time as the AnyConnect Essentials license.
Step 5 In the License Server Port field, enter the number of the TCP port on which the license
server communicates.
Step 6 In the Refresh Interval field, enter a value between 10-300 seconds to be used as the refresh interval.
Default is 30 seconds.
Step 7 In the Interfaces field, enter or select the interfaces to be used for communicating with clients.
Step 8 Click the Configure Backup shared SSL VPN License Server check box to configure a backup server for
the shared license server, then configure the following:
Backup License ServerServer to act as a backup license server if the current one is unavailable.
Backup Server Serial NumberSerial number of the backup license server.
HA Peer Serial Number(Optional) Serial number of the backup server of a failover pair.
Step 4 Click the Portal Page tab and customize the design of the login page. You can customize the title, the
logo graphic, the message that appears above the login prompt, and the background and text colors.
If you want to select a different graphic, you must first copy the graphic onto the Security Manager
server. You cannot select it from your workstations hard drive.
Step 5 Click the Secure Desktop tab to configure Cisco Secure Desktop (CSD) software. CSD policies define
entry requirements for client systems and provide a single, secure location for session activity and
removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL
VPN session.
If you want to use CSD, select Enable Cisco Secure Desktop and click Select to select a Secure Desktop
Configuration policy object, which defines the rules you want to use to control VPN access and host
scanning. You can create a new object from the selection list. For information about configuring these
objects, see Creating Cisco Secure Desktop Configuration Objects, page 26-61.
Note You must install and activate the Secure Desktop Client software on a device for your
configuration to work.
Step 6 Click the Advanced tab to configure a maximum number of simultaneous users for the context or if you
are using VRF, the name of the VRF instance that is associated with the SSL VPN context.
Step 7 Click OK to save your changes.
Alternatively, for untrusted locations such as Internet cafes, you might set up a location named
Insecure that has no matching criteria (thus making it the default for clients that do not match other
locations). This location would require full Secure Desktop functions, and include a short timeout period
to prevent access by unauthorized users. If you create a location and do not specify criteria, make sure
it is the last entry in the Locations list.
Related Topics
Cisco Secure Desktop on IOS Configuration Example Using SDM,
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7
b.shtml
Setting Up CSD for Microsoft Windows Clients,
http://www.cisco.com/en/US/docs/security/csd/csd311/csd_for_vpn3k_cat6k/configuration/guide/
CSDwin.html
Creating Policy Objects, page 6-6
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Step 2 Select Cisco Secure Desktop Configuration from the Object Type selector.
Step 3 Right-click in the work area and select New Object to open the Add or Edit Secure Desktop
Configuration Dialog Box, page 28-21.
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Select Windows Location Settings to create locations (such as Work, Home, or Insecure), and define
the location-based settings (also called adaptive policies) for CSD.
a. For each location you want to configure, enter its name in the Location to Add field and click Add
to move it to the Locations field. You can reorder the locations using the Move Up and Move Down
buttons. When users connect, these locations are evaluated in order and the first one that matches is
used to define the policies for the user.
When you add a location, a folder for the location is added to the table of contents. The folder and
its subfolders define the policies for the location.
b. If you want all the open browser windows to close after the Secure Desktop installation, make sure
to select the corresponding check box.
c. Select the required check boxes to configure a VPN Feature policy that enables web browsing, file
access, port forwarding, and full tunneling, if installation or location matching fails.
Step 6 Select the folders and subfolders for the Windows locations you added and configure their settings. For
detailed information about these settings, see Setting Up CSD for Microsoft Windows Clients at
http://www.cisco.com/en/US/docs/security/csd/csd311/csd_for_vpn3k_cat6k/configuration/guide/CSD
win.html.
Step 7 Select Windows CE to configure a VPN feature policy to enable or restrict web browsing and remote
server file access for remote clients running Microsoft Windows CE.
Step 8 Select Mac and Linux Cache Cleaner to configure the Cache Cleaner and a VPN Feature Policy for
these clients, such as enabling or restricting web browsing, remote server file access, and port
forwarding.
Step 9 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 10 Click OK to save the object.
Related Topics
Localizing SSL VPN Web Pages for ASA Devices, page 26-66
Creating Policy Objects, page 6-6
Add and Edit SSL VPN Customization Dialog Boxes, page 28-49
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Tip You can also create SSL VPN Customization objects when defining policies or objects that use
this object type. For more information, see Selecting Objects for Policies, page 6-2.
Step 2 Select SSL VPN Customization from the Object Type selector. The SSL VPN Customization page
opens, displaying a list of the existing SSL VPN Customization objects.
Step 3 Right-click in the work area and select New Object.
The Add SSL VPN Customization dialog box appears (see Add and Edit SSL VPN Customization
Dialog Boxes, page 28-49).
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Before you configure settings for the various pages, use the Preview button to view the default settings.
Clicking Preview opens a browser window to display the current settings for the Logon page, Portal
page, or Logout page, whichever one is selected in the table of contents (selecting a page within one of
these folders is the same as selecting the parent folder).
Tip Click Preview after making any changes to settings to verify that the changes are what
you desire.
Step 6 Configure the settings for the Logon page. This web page is the one users see first when connecting to
the SSL VPN portal. It is used for logging into the VPN. Select the following items in the Logon Page
folder in the table of contents on the left of the dialog box to view and change the settings:
Logon PageSpecify the title of the web page, which is displayed in the browsers title bar.
Title PanelDetermine whether the Logon page will have a title displayed in the web page itself.
If you enable the title panel, you can specify the title, font, font size and weight, styles, and colors
used. You can also select a File object that identifies a logo graphic. For more information about the
settings, see SSL VPN Customization Dialog BoxTitle Panel, page 28-52.
LanguageIf you want to configure translation tables for other languages on the ASA device and
use them, you can configure the supported languages and allow users to choose their language. For
information about translation tables and localization support, see Localizing SSL VPN Web Pages
for ASA Devices, page 26-66. For more information about the settings, see SSL VPN Customization
Dialog BoxLanguage, page 28-53.
Logon FormConfigure the labels and colors used in the form that accepts user logon information.
For more information about the settings, see SSL VPN Customization Dialog BoxLogon Form,
page 28-55.
Informational PanelIf you want to provide extra information to the user, you can enable an
informational panel and add text and a logo graphic. For more information about the settings, see
SSL VPN Customization Dialog BoxInformational Panel, page 28-56.
Copyright PanelIf you want to include copyright information on the logon page, you can enable
the copyright panel and enter your copyright statement. For more information about the settings, see
SSL VPN Customization Dialog BoxCopyright Panel, page 28-56.
Full CustomizationIf you do not want to use the security appliances built-in logon page, even
customized, you can instead enable full customization and supply your own web page. For
information on creating the required file, see Creating Your Own SSL VPN Logon Page for ASA
Devices, page 26-67. For more information about the settings, see SSL VPN Customization Dialog
BoxFull Customization, page 28-57.
Step 7 Configure the settings for the Portal page. This is the home page for the SSL VPN portal, and is
displayed after the users log in. Select the following items in the Portal Page folder in the table of
contents on the left of the dialog box to view and change the settings:
Portal PageSpecify the title of the web page, which is displayed in the browsers title bar.
Title PanelDetermine whether the Portal page will have a title displayed in the web page itself.
If you enable the title panel, you can specify the title, font, font size and weight, styles, and colors
used. You can also select a File object that identifies a logo graphic. For more information about the
settings, see SSL VPN Customization Dialog BoxTitle Panel, page 28-52.
ToolbarDetermine whether the Portal page will have a toolbar, which contains a field for entering
a URL to browse. For more information about the settings, see SSL VPN Customization Dialog
BoxToolbar, page 28-58.
ApplicationsDetermine which application buttons will appear on the page. For more information
about the settings, see SSL VPN Customization Dialog BoxApplications, page 28-58.
Custom PanesDetermine how you want to organize the body of the Portal page. The default is a
single column with no internal panes. You can create a multiple-column layout, create internal panes
that display text or references to URLs, and determine in which column and row to place the panes.
For more information about the settings, see SSL VPN Customization Dialog BoxCustom Panes,
page 28-59.
Home PageDetermine how and whether to display URL lists on the home page, and whether to
use your own web page for the main body of the Portal page. For more information about the
settings, see SSL VPN Customization Dialog BoxHome Page, page 28-61.
Step 8 Select Logout Page to configure the settings of the page displayed when a user logs out of the SSL VPN.
You can configure the title, message text, fonts, and colors. For more information about the settings, see
SSL VPN Customization Dialog BoxLogout Page, page 28-62.
Step 9 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 10 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined
on individual devices. See Allowing a Policy Object to Be Overridden, page 6-13.
Step 11 Click OK to save the object.
The languages on the security appliance are labels for the translation tables. The languages must
mirror those of the browser, and can consist of groups of up to 8 alphanumeric characters
(starting from alpha characters), separated by hyphens. For example, fr-FR-paris-univ8.
However, when you add a language to the list in Security Manager, only the first two characters
are available.
When looking for a match, the security appliance starts with the longest language name, and if
it does not match, it discards the rightmost group of the name. For example, if the preferred
language on the browser is fr-FR-paris-univ8, and the security appliance supports
fr-FR-paris-univ8, fr-FR-paris, fr-FR, and fr, it matches fr-FR-paris-univ8 and uses the
translated strings from that translation table. If fr is the only language on the security appliance,
the security appliance considers it a match also, and uses that translation table.
For more information about setting up translation tables, see the user documentation for the
ASA device and operating system or the ASDM online help.
Language SelectorBy enabling the language selector, you provide the user with the ability
to actively select the desired language from a list of languages that you support. This technique
does not rely on the browser language settings being configured correctly. The language selector
is displayed on the logon page.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Creating Policy Objects, page 6-6
Add and Edit SSL VPN Customization Dialog Boxes, page 28-49
Creating Your Own SSL VPN Logon Page for ASA Devices
You can create your own custom SSL VPN Logon page rather than use the page provided by the security
appliance for browser-based clientless SSL VPNs. This is called full customization, and replaces the
settings you can configure in the SSL VPN Customization policy object.
To provide your own Logon page, you must create the page, copy it to the Security Manager server, and
identify the page on the Full Customization page of the SSL VPN Customization object dialog box. For
information on creating SSL VPN Customization objects, see Configuring ASA Portal Appearance
Using SSL VPN Customization Objects, page 26-63.
When you enable full customization, all other settings for the Logon page configured in the policy object
are ignored. When you deploy your configuration to the ASA device, Security Manager copies your
custom page to the device.
The Logon page you create must include all of the HTML code required to present the page correctly,
and include special Cisco HTML code that provides the functions for the login form and the Language
Selector drop-down list. Keep the following in mind when you create the HTML file:
The file extension must be .inc.
All images in the custom Logon page must be present on the security appliance. Replace the file
path with the keyword /+CSCOU+/, which is an internal directory on the ASA device. When you
upload an image to the device, it is saved in this directory.
Use the csco_ShowLoginForm(lform) Javascript function to add the login form to the page. This
form prompts for the username, passwords, and group information. You must include this function
somewhere on the page.
Use the csco_ShowLanguageSelector(selector) Javascript function to add the Language Selector
drop-down list to the page. You do not have to use this function if you are not supporting the use of
more than one language.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Add and Edit SSL VPN Customization Dialog Boxes, page 28-49
SSL VPN Customization Dialog BoxFull Customization, page 28-57
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices
When you configure a browser-based clientless SSL VPN, you can define a list of bookmarks, or
URLS, to include on the SSL VPN portal page. Use SSL VPN bookmarks policy objects to define
bookmark lists.
You can create SSL VPN bookmark objects for SSL VPNs hosted on IOS devices or ASA devices.
However, these device types allow different bookmark configurations, the ASA device allowing more
configuration options than IOS devices. Besides allowing more configuration options, you can also
create bookmarks for ASA devices in non-English, non-ASCII languages. For more information on
localizing the bookmarks and portal for ASA devices, see Localizing SSL VPN Web Pages for ASA
Devices, page 26-66.
After you create the SSL VPN bookmark object as described in this procedure, you can use the object
to specify the bookmark object in the Portal Web Pages or Bookmarks fields in these policies:
ASA devicesOn the SSL VPN > Clientless page in an ASA group policy object (see ASA Group
Policies SSL VPN Clientless Settings, page 28-11), which you then select in one of these policies:
Remote Access VPN > Group Policies
Remote Access VPN > Connection Profiles on the General tab
ASA devicesIn the Remote Access VPN > Dynamic Access policy, you can specify the SSL VPN
bookmark object on the Main > Bookmarks tab (see Main Tab, page 27-36).
IOS devicesOn the Clientless page in a user group policy object configured for SSL VPN (see
User Group Dialog BoxClientless Settings, page 28-78), which you then select in the Remote
Access VPN > SSL VPN policy on the General tab.
Related Topics
Creating Group Policies (ASA), page 26-31
Configuring Dynamic Access Policies, page 26-20
Understanding Connection Profiles (ASA), page 26-18
Configuring an SSL VPN Policy (IOS), page 26-60
Creating Policy Objects, page 6-6
Policy Object Manager Window, page 6-3
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager
Window, page 6-3).
Tip You can also create SSL VPN bookmark objects when you define policies or objects that use this
object type. For more information, see Selecting Objects for Policies, page 6-2.
Step 2 Select SSL VPN Bookmarks from the Object Type selector. The SSL VPN Bookmarks page opens,
displaying a list of the existing SSL VPN bookmark objects.
Tip If you choose the protocols RDP, SSH, Telnet, VNC, or ICA, you must configure the plug-in for
the protocol in the Remote Access VPN > SSL VPN > Other Settings policy (see SSL VPN
Other Settings Page, page 27-88).
You can also configure the bookmark to use the Post method rather than the Get method. If you use
Post, you must configure the post parameters by clicking Add Row beneath the Post Parameters
table. For more information on Post parameters, see these topics:
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 26-70
Add and Edit Post Parameter Dialog Boxes, page 28-49
Click OK to add the bookmark to the table of bookmarks.
Step 7 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 8 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined
on individual devices. See Allowing a Policy Object to Be Overridden, page 6-13.
Step 9 Click OK to save the object.
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks
One of the options you have for configuring bookmarks on an SSL VPN hosted on an ASA device is the
method used by a URL, either Get or Post. The Get method is the standard method; a user clicks the URL
and is taken to the web page. The Post method is useful when processing the data might involve changes
to it, for example, storing or updating data, ordering a product, or sending e-mail.
If you choose the Post URL method, you must configure Post parameters for bookmark entries. Because
these are often personalized resources that contain the user ID and password or other input parameters,
you might need to define clientless SSL VPN macro substitutions.
Clientless SSL VPN macro substitutions let you configure users for access to personalized resources that
contain the user ID and password or other input parameters. Examples of such resources include
bookmark entries, URL lists, and file shares.
Note For security reasons, password substitutions are disabled for file access URLs (cifs://). Also for
security reasons, use caution when introducing password substitutions for web links, especially for
non-SSL instances.
Tip A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.
You configure smart tunnel access for an application by creating an SSL VPN smart tunnel list policy
object and including that object in an ASA group policy object. You then assign the ASA group policy
object to a device in the Remote Access VPN > Group Policies policy.
Related Topics
Understanding Group Policies (ASA), page 26-30
Creating Policy Objects, page 6-6
Policy Object Manager Window, page 6-3
Tip You can also create SSL VPN smart tunnel list objects when you create or edit the ASA group
policy object. For more information, see Selecting Objects for Policies, page 6-2.
b. Click the Add Object button to open the Add and Edit Smart Tunnel List Dialog Boxes, page 28-65.
c. Enter a name for the object, up to 64 characters.
d. Add the applications to which you are granting smart tunnel access to the table of applications (click
the Add Row button to open the Add and Edit A Smart Tunnel Entry Dialog Boxes, page 28-66).
Consider the following:
Enter an application name that is easy to understand and include version numbers if you support
more than one version. For example, Microsoft Outlook.
For the application path, the simplest and easiest to maintain option is to enter only the filename,
for example, outlook.exe. This allows the user to install the application in any folder. Enter the
full path if you want to enforce a specific installation structure.
Hash values are optional, but you can use them to prevent spoofing. Without hash values, a user
can rename an application to a supported filename; the security appliance checks only the
filename and path (if specified). However, if you enter hash values, you must maintain them as
users apply patches or application upgrades. For specific information on determining hash
values, see Add and Edit A Smart Tunnel Entry Dialog Boxes, page 28-66.
Click OK to save the entry.
e. You can also incorporate other SSL VPN smart list objects into the object. This allows you to create
a core set of smart list objects that you can use repeatedly in other objects.
f. Click OK to save the object.
Step 2 Configure the ASA group policy object to use the SSL VPN smart tunnel list object:
a. Edit (or create) the ASA group policy object either from the Policy Object Manager Window, page 6-3
or the Remote Access VPN > Group Policies policy. The object must be configured to support SSL
VPNs. (You can also edit these objects from the Remote Access VPN > Connection Profiles policy
from an individual profile, or the Connection Profiles policy for an EasyVPN topology.)
b. Select the SSL VPN > Clientless folder from the table of contents to open ASA Group Policies SSL
VPN Clientless Settings, page 28-11.
c. Enter the name of the SSL VPN smart tunnel list object in the Smart Tunnel field.
d. Select Auto Start Smart Tunnel to automatically start smart tunnels for the applications when the
user connects to the SSL VPN portal.
If you do not select this option, users must start smart tunnel access using the Application Access
> Start Smart Tunnels button on the clientless SSL VPN portal page.
Related Topics
Creating Policy Objects, page 6-6
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager Window, page 6-3.
Tip You can also create WINS server list objects when defining policies or objects that use this
object type. For more information, see Selecting Objects for Policies, page 6-2.
Step 2 Select WINS Server Lists from the Object Type selector.
The WINS Server List page opens, displaying the currently defined WINS server list objects.
Step 3 Right-click in the work area and select New Object to open the Add or Edit WINS Server List Dialog
Box, page 28-84.
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Click the Add Row button below the table, or select a server in the table and click Edit Row, to configure
the WINS servers defined in the object. Configure these settings:
ServerThe IP address of the WINS server. You can select a network/host object or enter the
address directly.
Set as Master BrowserSelect this option if the server is a master browser, which maintains the
list of computers and shared resources.
Other fields are optional; change them if you want non-default values. For more information, see Add
or Edit WINS Server Dialog Box, page 28-85.
Click OK to save your changes.
Step 6 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-9.
Step 7 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined
on individual devices. See Allowing a Policy Object to Be Overridden, page 6-13.
Step 8 Click OK to save the object.
The Remote Access VPN policy pages are used to configure remote access VPNs on Cisco IOS security
routers, PIX Firewalls, Catalyst 6500 /7600 devices, and Adaptive Security Appliance (ASA) devices.
This chapter contains the following topics:
Remote Access VPN Configuration Wizard, page 27-1
ASA Cluster Load Balance Page, page 27-17
Connection Profiles Page, page 27-18
Dynamic Access Page (ASA), page 27-33
Global Settings Page, page 27-60
Group Policies Page, page 27-66
Public Key Infrastructure Page, page 27-66
Certificate to Connection Profile Maps > Policies Page, page 27-67
Certificate to Connection Profile Maps > Rules Page, page 27-68
High Availability Page, page 27-71
IKE Proposal Page, page 27-73
IPsec Proposal Page, page 27-74
User Group Policy Page, page 27-84
SSL VPN Access Policy Page, page 27-85
SSL VPN Other Settings Page, page 27-88
SSL VPN Shared License (ASA 8.2) Page, page 27-103
SSL VPN Policy Page (IOS), page 27-105
Navigation Path
(Device view only) Select the desired device, and then select Remote Access VPN > Configuration
Wizard from the Policy selector.
Related Topics
Using the Remote Access VPN Configuration Wizard, page 26-9
Field Reference
Element Description
Remote Access SSL VPN Click this radio button to choose SSL as the type of remote access VPN
to create. The wizard takes you through appropriate steps depending on
the type of device selected:
ASA device
a. Access Page (ASA), page 27-2
b. Connection Profile Page (ASA), page 27-3
IOS device
a. Gateway and Context Page (IOS), page 27-10
b. Portal Page Customization Page, page 27-11
Remote Access IPSec VPN Click this radio button to choose IPSec as the type of remote access
VPN to create. The wizard takes you through appropriate steps
depending on the type of device selected:
ASA device
a. IPSec VPN Connection Profile Page (ASA), page 27-13
b. IPSec Settings Page (ASA), page 27-14
c. Defaults Page, page 27-16
IOS device
a. User Group Policy Page, page 27-84
b. Defaults Page, page 27-16
Remote Access Click this button to start the configuration wizard.
Configuration Wizard button
Navigation Path
(Device View Only) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a
remote access SSL VPN on an ASA device. The Access page is the first page that appears.
Related Topics
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices),
page 26-12
Understanding Interface Role Objects, page 6-55
Field Reference
Element Description
Interfaces to Enable SSL Interfaces on which you want to enable the SSL VPN connection
VPN Service profiles. Enter an interface or click Select to select an interface role
from a list.
Port Number Port number to use for the SSL VPN sessions. Enter a port number or
click Select to select a port list object that defines the port.
The default port is 443, for HTTPS traffic. The port number can be
443, or within the range of 1024-65535. If you change the port
number, all current SSL VPN connections terminate, and current users
must reconnect.
Note If HTTP port redirection is enabled, the default HTTP port
number is 80.
Portal Page URLs URLs that will be displayed on the Portal page to access the SSL VPN
connection profile.
Allow Users to Select When selected, enables the user to select a tunnel group at login from
Connection Profile in a list of tunnel group connection profiles configured on the device. This
Portal Page is the default setting.
Enable AnyConnect Access When selected, enables the AnyConnect functionality on the
ASA device.
Note To enable AnyConnect Essentials, go to Remote Access VPN >
SSL VPN > Access. For details, see Configuring an Access
Policy, page 26-45.
Navigation Path
(Device view only) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a
remote access SSL VPN on an ASA device; then click Next until you reach this page.
Related Topics
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices),
page 26-12
ASA Group Policies Dialog Box, page 28-1
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Understanding Network/Host Objects, page 6-62
Understanding AAA Server and Server Group Objects, page 6-20
Field Reference
Element Description
Connection Profile Name Name of the tunnel group that contains the policies for this SSL VPN
connection profile. Enter a descriptive name.
Group Policy Default ASA user group associated with the device. Enter an ASA
user group policy or click Select to select one from a list or to create a
new one.
Full Tunnel Read-only field that indicates whether full tunnel access mode is
configured for the user group.
Group Policies Names of the ASA user group policies that will be used in your SSL
VPN connection profile and whether Full Tunnel access mode is
enabled or disabled for them.
Click Edit to select ASA user group policy objects from a list or to
create new objects.
Note All SSL VPN connection profiles on an ASA device share one
group policy. Each time you create a connection profile using
the wizard, the Group Policies list may be populated with data
from the previous connection profile defined on the device.
Portal Page Customization Customization profile that defines the appearance of portal pages and
resources available to remote access users on the SSL VPN network.
Enter the name of a profile or click Select to select one from a list or to
create a new one.
Note You can set up different login windows for different groups by
using a combination of customization profiles and tunnel groups.
For example, assuming that you had created a customization
profile called salesgui, you can create an SSL VPN tunnel group
called sales that uses that customization profile.
Connection URL URL of the connection profile. This URL provides users with direct
access to the customized portal page.
Select a protocol (http or https) from the list and specify the URL,
including host name or IP address of the ASA device and port number
and the alias used to identify the SSL VPN connection profile.
Note If you do not specify a URL, you can access the portal page by
entering the portal page URL, and then selecting the connection
profile alias from a list of configured connection profile aliases
configured on the device. See Access Page (ASA), page 27-2.
Global IP Address Pool Address pools from which IP addresses will be assigned. Enter the
name of an address pool or click Select to select a network/host object
that defines the pool.
The server uses these pools in the order listed. If all addresses in the
first pool have been assigned, it uses the next pool, and so on. You can
specify up to 6 pools.
Authentication Server Group Name of the authentication server group (LOCAL if the tunnel group is
configured on the local device). Enter the name or click Select to select
the server group object or to create a new object.
Element Description
Use LOCAL if Server Whether to fall back to the local database for authentication if the
Group Fails selected authentication server group fails.
Authorization Server Group Name of the authorization server group (LOCAL if the tunnel group is
configured on the local device). Enter the name or click Select to select
the server group object or to create a new object.
Accounting Server Group Name of the accounting server group. Enter the name or click Select to
select the server group object or to create a new object.
Navigation Path
Depends on the type of device selected:
(IOS device) From the Gateway and Context Page (IOS), page 27-10, click Edit in the Group
Policies field.
(ASA device) From the Connection Profile Page (ASA), page 27-3, click Edit in the Group
Policies field.
Related Topics
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-10
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices),
page 26-12
Field Reference
Element Description
Available User Groups Lists predefined user groups available for selection. Select the required
user groups and click >>.
If the required user group is not listed, click Create to create a user
group. See Create User Group Wizard, page 27-6.
To modify the properties of a user group, select it and click Edit.
Selected User Groups Lists the selected user groups.
To remove user groups from this list, select them and click <<.
To modify the properties of a user group, select it and click Edit.
Note To specify a user group as the default user group, select it
and click Set As Default. This option is only available for
IOS routers.
Navigation Path
From the User Groups Selector Page, page 27-5, click Create or select an item from one of the lists and
click Edit.
This section contains the following topics:
Name and Access Method Page, page 27-6
Full Tunnel Dialog Box, page 27-7
Clientless and Thin Client Access Modes Page, page 27-8
Use this step of the Create User Group wizard to define a name for your user group, and optionally, select
the remote access method(s) that will be used to access the SSL-enabled gateway (IOS router) or ASA
security appliance.
Navigation Path
In the User Groups Selector Page, page 27-5, click Create.
Related Topics
Create User Group Wizard, page 27-6
SSL VPN Access Modes, page 26-4
Full Tunnel Dialog Box, page 27-7
Clientless and Thin Client Access Modes Page, page 27-8
Field Reference
Table 27-5 Create User Group WizardName and Access Method Page
Element Description
Name Name of the user group. Enter up to 128 characters, including
uppercase and lowercase characters and most alphanumeric or
symbol characters.
Access Method Select the required remote access mode option(s), as follows:
Full TunnelTo access to the corporate network completely over
an SSL VPN tunnel. This is the recommended option.
ClientlessTo access the internal or corporate network using a
web browser on the client machine.
Thin ClientTo download a Java applet that acts as a TCP proxy
on the client machine.
Note This dialog box is only available if you selected the Full Client option in the Name and Access Method
Page, page 27-6 of the Create User Group wizard.
In this dialog box, you can configure the mode used to access the corporate network.
Navigation Path
Open the Create User Group Wizard, page 27-6, select the Full Client access method option, and then
click Next.
Related Topics
Create User Group Wizard, page 27-6
SSL VPN Access Modes, page 26-4
Field Reference
Element Description
Use Other Access Modes When selected, enables the remote client to use clientless or thin client
if SSL VPN Client access modes if the SVC download fails.
Download Fails
Full Tunnel When selected, enables the Full Tunnel access mode to be configured.
Note For the Full Tunnel access mode to work properly, the SSL
VPN Client (SVC) software must be installed on the device.
The SVC is managed using a FlexConfig policy. For more
information, see Predefined FlexConfig Policy Objects,
page 7-17.
Client IP Address Pools Note Available only if the selected device is an IOS router.
IP address pools that clients draw from when they log on. Enter the IP
address pools or click Select select the network/host object from a list
or to create a new object.
Primary DNS Server IP address of the primary DNS server to be used for Full Client SSL
VPN connections. Enter the IP address or click Select to select a
network/host object from a list or to create a new object.
Secondary DNS Server IP address of a secondary DNS server to be used for Full Client SSL
VPN connections. Enter the IP address or click Select to select a
network/host object from a list or to create a new object.
Default DNS Domain Domain name of the DNS server to be used for Full Client SSL
VPN connections.
Primary WINS Server IP address of the primary WINS server to be used for Full Client SSL
VPN connections. Enter the IP address or click Select to select a
network/host object from a list or to create a new object.
Table 27-6 Create User Group WizardFull Tunnel Dialog Box (Continued)
Element Description
Secondary WINS Server IP address of a secondary WINS server to be used for Full Client SSL
VPN connections. Enter the IP address or click Select to select a
network/host object from a list or to create a new object.
Split Tunnel Option Specifies the traffic that will be transmitted secured or unsecured across
the public network:
DisabledSplit tunneling is disabled and no traffic will
be secured.
Exclude Specified NetworksSplit tunneling is enabled, and
traffic to or from networks specified in the Networks field is
transmitted unsecured.
Tunnel Specified NetworksSplit tunneling is enabled, and
traffic to or from networks specified in the Networks field is
transmitted secured.
Destinations Available if the selected device is an IOS router and split tunneling
is enabled.
The specified networks to which traffic is transmitted secured or
unencrypted, depending on the selected Split Tunneling option.
Multiple entries are separated by commas. You can enter host IP
addresses, network addresses (for example, 10.100.10.0/24 or
10.100.10.0/255.255.255.0), or the names of network/host objects.
You can click Select to select network/host objects or to create
new objects.
Networks Note Available if the selected device is an ASA security appliance
and split tunneling is enabled.
In the Clientless and Thin Client page of the Create User group wizard, you can configure the Clientless
and Thin Client modes to be used for accessing the corporate network in your SSL VPN.
Note This page is only available if you selected the Clientless or Thin Client options in step 1 of the Create
User Group wizard (Name and Access Method Page, page 27-6).
Navigation Path
Open the Create User Group Wizard, page 27-6, select the Clientless or Thin Client access method
options, and then click Next.
Related Topics
Create User Group Wizard, page 27-6
SSL VPN Access Modes, page 26-4
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 26-68
Add or Edit Port Forwarding List Dialog Boxes, page 28-42
Field Reference
Table 27-7 Create User Group WizardClientless and Thin Client Page
Element Description
ClientlessAppears only if you selected Clientless in step 1 of the wizard.
Portal Page Websites List of websites that are displayed on the portal page as a bookmark to
enable users to access the resources available on the SSL VPN websites.
You can click Select to open the URL List Selector from which you can
select the required URL List from a list of URL List objects.
Allow Users to When selected, enables remote users to input the website URLs directly.
Enter Websites
Thin ClientAppears only if you selected Thin Client in step 1 of the wizard.
Port Forwarding List Port Forwarding List that defines the mapping of the port number on the
client machine to the applications IP address and port behind the SSL
VPN gateway.
You can click Select to open the Port Forwarding List Selector from
which you can select the required Port Forwarding List from a list of
Port Forwarding List objects.
Port Forwarding Available only if the selected device is an ASA security appliance.
Applet Name
Java applet that will be used as a TCP proxy on the client machine. The
Java applet starts a new SSL connection for every client connection.
The Java applet initiates an HTTP request from the remote user client
to the ASA device. The name and port number of the internal email
server is included in the HTTP request. A TCP connection is created to
that internal email server and port.
Download Port Forwarding When selected, enables a port-forwarding Java applet to be
Applet on Client Login automatically downloaded when the remote client logs in.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a remote
access SSL VPN on an IOS device. The Gateway and Context page is the first page that appears.
Related Topics
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-10
Add or Edit SSL VPN Gateway Dialog Box, page 28-63
Understanding AAA Server and Server Group Objects, page 6-20
Field Reference
Element Description
Gateway Gateway to be used as a proxy for connections to the protected resources in
your SSL VPN.
Options are:
Use Existing GatewayWhen selected, enables you to use an existing
gateway for your SSL VPN.
Create Using IP AddressWhen selected, enables you to configure a
new gateway using a reachable (public static) IP address on the router.
Create Using InterfaceWhen selected, enables you to configure a
new gateway using the public static IP address of the router interface.
Gateway Name Name of the SSL VPN gateway policy object. Enter the name of the gateway
object or click Select to select it from a list or to create a new object.
Note After selecting the gateway, the port number and digital certificate
required to establish a secure connection are displayed in the
relevant fields.
Port Note Available only if you selected to create a gateway using the routers
IP address or interface.
Number of the port that will carry the HTTPS traffic (between 1024 and
65535). The default is 443, unless HTTP port redirection is enabled, in
which case the default HTTP port number is 80.
Specify the port number or click Select to select a port list object from a list
or to create a new object.
Element Description
Trustpoint Note Available only if you selected to create a new gateway using the
routers IP address or interface.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a remote
access SSL VPN on an IOS device; then click Next until you reach this page.
Related Topics
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-10
Field Reference
Element Description
Title Title that is displayed in the title bar of the portal page.
The default title is SSL VPN Service.
Logo Logo to be displayed on the title bar of the SSL VPN login and
portal page.
Options are:
NoneNo logo is displayed.
DefaultTo use the default logo.
CustomWhen selected, enables you to specify your own logo.
Specify the source image file for the logo in the Logo File field, or
click Select to select an image file.
The source image file for the logo can be a gif, jpg, or png file, with a
filename of up to 255 characters, and up to 100 kilobytes in size.
Login Message Message that will be displayed to the user upon login.
Primary Title Color Color of the title bars on the login and portal pages of the SSL VPN.
Click Select to open a dialog box in which you can choose the required
color for the title bars.
Secondary Title Color Color of the secondary title bars on the login and portal pages of the
SSL VPN.
Click Select to open a dialog box in which you can choose the required
color for the secondary title bars.
Primary Text Color Color of the text on the title bars of the login and portal pages.
Options are white or black (the default).
Note The color of the text must be aligned with the color of the text
on the title bar.
Secondary Text Color Color of the text on the secondary title bars of the login and portal pages.
Options are white or black (the default).
Note The color of the text must be aligned with the color of the text
on the secondary title bar.
Preview A preview of how the portal page will appear.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a remote
access IPsec VPN on an ASA device. The IPSec Connection Profile page is the first page that appears.
Related Topics
Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices),
page 26-14
Field Reference
Element Description
Connection Profile Name Name of the connection profile that contains the policies for this IPSec
VPN connection profile.
Group Policy Default group policy associated with the device. Enter a name or click
Select to select the object from a list or to create a new object.
Global IP Address Pool Address pools from which IP addresses are assigned. The server uses
these address pools in the order listed. If all addresses in the first pool
have been assigned, it uses the next pool, and so on. You can specify up
to 6 pools.
Enter the name of a network/host object or click Select to select the
object from a list or to create a new object.
Authentication Server Group Name of the authentication server group (LOCAL if the tunnel group is
configured on the local device). Enter a name or click Select to select
the server group from a list or to create a new object.
Use LOCAL if Server Whether to fall back to the local database for authentication if the
Group Fails selected authentication server group fails.
Authorization Server Group Name of the authorization server group (LOCAL if the tunnel group is
configured on the local device). Enter a name or click Select to select
the server group from a list or to create a new object.
Accounting Server Group Name of the accounting server group. Enter a name or click Select to
select the server group from a list or to create a new object.
Navigation Path
(Device View) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a remote
access IPsec VPN on an ASA device; then click Next until you reach this page.
Related Topics
Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices),
page 26-14
Field Reference
Element Description
Preshared Key The value of the preshared key for the tunnel group. The maximum
length of a preshared key is 127 characters.
Note You must retype this value in the Confirm field.
Trustpoint Name The trustpoint name if any trustpoints are configured. A trustpoint
represents a CA/identity pair and contains the identity of the CA,
CA-specific configuration parameters, and an association with one
enrolled identity certificate.
IKE Peer ID Validation Select whether IKE peer ID validation is ignored, required, or checked
only if supported by a certificate. During IKE negotiations, peers must
identify themselves to one another.
Enable Sending When selected, enables the sending of the certificate chain for
Certificate Chain authorization. A certificate chain includes the root CA certificate,
identity certificate, and key pair.
Enable Password Update with When selected, enables passwords to be updated with the RADIUS
RADIUS Authentication authentication protocol.
For more information, see Supported AAA Server Types, page 6-21.
ISAKMP Keepalive
Monitor Keepalive When selected, enables you to configure IKE keepalive as the default
failover and routing mechanism.
For more information, see Understanding ISAKMP/IPsec Settings,
page 22-13.
Confidence Interval The number of seconds that a device waits between sending IKE
keepalive packets.
Retry Interval The number of seconds a device waits between attempts to establish an
IKE connection with the remote peer. The default is 2 seconds.
Client Software Update
All Windows Platforms When selected, enables you to configure the specific revision level and
image URL of the VPN client on all Windows platforms.
Element Description
Windows 95/98/ME When selected, enables you to configure the specific revision level and
image URL of the VPN client on Windows 95/98/ME platforms.
Windows NT4.0/2000/XP When selected, enables you to configure the specific revision level and
image URL of the VPN client on NT4.0/2000/XP platforms.
VPN3002 Hardware Client When selected, enables you to configure the specific revision level and
image URL of the VPN3002 hardware client.
Navigation Path
(Device View) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a remote
access IPSec VPN on an IOS device; then click Next until you reach this page.
Related Topics
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-11
Field Reference
Element Description
Available User Groups Lists the predefined user groups available for selection.
Select the required user groups and click >>.
In Security Manager, user groups are objects. If the required user group
is not in the list, click Create to open the User Groups Editor dialog
box, which enables you to create or edit a user group object. See Add
or Edit User Group Dialog Box, page 28-68.
Selected User Groups Displays the selected user groups.
To remove a user group from this list, select it and click <<.
To modify the properties of a user group, select it and click Edit.
Defaults Page
Use the VPN Defaults page of the Remote Access IPSec Configuration Wizard to view and select the
default site-to-site VPN policies that will be assigned to the VPN topology you are creating. For each
policy type, you can assign either the factory default policy (a private policy) or a shared policy. When
you click Finish, the selected policies are assigned to your device.
The drop-down lists for each policy type list the existing shared policies that you can select. You can select
a policy and click the View Content button to see the definition of that policy. In some cases, you are
allowed to make changes, but you cannot save them. The policy types listed differ based on device type.
Note If you try to select a default policy that is currently locked by another user, a message is displayed
warning you of a lock problem. To bypass the lock, select a different policy or cancel the VPN topology
creation until the lock is removed. For more information, see Understanding Policy Locking, page 5-7.
Navigation Path
(Device View) Open the Remote Access VPN Configuration Wizard, page 27-1for configuring a remote
access IPSec VPN and click Next until you reach this page.
Related Topics
Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices),
page 26-14
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-11
Field Reference
Element Description
ASA Cluster Load Balance Defines load balancing for an ASA device in your remote access VPN.
High Availability Defines a High Availability (HA) policy on a Cisco IOS router in a
remote access VPN.
Certificate to Connection Defines the connection profile for your remote access VPN.
Profile Map Policy
IKE Proposal Defines the set of algorithms that two peers use to secure the IKE
negotiation between them.
IPSec Proposal Defines the crypto maps required to set up IPsec security associations
(SAs), including IPsec rules, transform sets, remote peers, and other
parameters that might be necessary to define an IPsec SA.
Public Key Infrastructure Defines the Public Key Infrastructure (PKI) policy used to generate PKI
enrollment requests for PKI certificates and RSA keys.
VPN Global Settings Defines global settings for IKE, IPsec, NAT, and fragmentation that
apply to devices in your remote access VPN.
Note Load balancing requires an active 3DES/AES license. The ASA device checks for the existence of this
crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the
device prevents load balancing, and also prevents internal configuration of 3DES by the load balancing
system.
Navigation Path
(Device View) Select an ASA device; then select Remote Access VPN > ASA Cluster Load
Balance from the Policy selector.
(Policy View) Select Remote Access VPN > ASA Cluster Load Balance from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
Understanding Cluster Load Balancing (ASA), page 26-16
Configuring Cluster Load Balance Policies (ASA), page 26-17
Creating Interface Role Objects, page 6-56
Field Reference
Element Description
VPN Load Balancing
Participate in Load Select to specify that the device belongs to the load-balancing cluster.
Balancing Cluster
VPN Cluster Configuration
Cluster IP Address The single IP address that represents the entire virtual cluster. The IP
address should be in the same subnet as the external interface.
UDP Port The UDP port for the virtual cluster in which the device is participating.
If another application is using this port, enter the UDP destination port
number that you want to use for load balancing.
The default is 9023.
Enable IPsec Encryption Select this check box to ensure that all load-balancing information
communicated between the devices is encrypted.
When the check box is selected, you must also specify and verify a
shared secret. The security appliances in the virtual cluster
communicate via LAN-to-LAN tunnels using IPsec.
IPsec Shared Secret The shared secret to be communicated between IPsec peers if you
enabled IPsec encryption. This can be a case-sensitive value between 4
and 16 characters, without spaces.
Element Description
Priority
Accept default device value When selected (the default), accepts the default priority value assigned
to the device.
Configure same priority on When selected, enables you to configure the same priority value to all
all devices in the cluster the devices in the cluster. The priority indicates the likelihood of this
device becoming the virtual cluster master, either at startup or when the
existing master fails.
Enter a value between 1 and 10.
VPN Server Configuration
Public interfaces The public interfaces to be used on the server.
Interfaces are predefined objects. You can click Select to open a dialog
box that lists all available interfaces, and sets of interfaces defined by
interface roles, in which you can make your selection, or create
interface role objects.
Private Interfaces The private interfaces to be used on the server.
Interfaces are predefined objects. You can click Select to open a dialog
box that lists all available interfaces, and sets of interfaces defined by
interface roles, in which you can make your selection, or create
interface role objects.
Send FQDN to client When selected, enables redirection using a FQDN on an ASA device
instead of an IP address configured with load balancing. For more information, see
when redirecting Understanding Cluster Load Balancing (ASA), page 26-16.
This check box is available only for ASA devices running 8.0.2 or later.
The connection profile consists of the following tabs. Configure them as appropriate for the type of VPN
you are configuring.
General Tab (Connection Profiles), page 27-19
AAA Tab (Connection Profiles), page 27-21
Secondary AAA Tab (Connection Profiles), page 27-25 (SSL VPN only)
IPSec Tab (Connection Profiles), page 27-27
SSL Tab (Connection Profiles), page 27-29 (SSL VPN only)
Navigation Path
Remote access VPNs:
(Device View) Select a ASA or PIX 7+ device and select Remote Access VPN > Connection
Profiles from the Policy selector.
(Policy View) Select Remote Access VPN > Connection Profiles (ASA) from the Policy Type
selector. Select an existing policy or create a new one.
Easy VPN:
From the Site-to-Site VPN Manager Window, page 21-17, select the Easy VPN topology and then
select Connection Profiles (PIX7.0/ASA).
(Device view) Select a device that participates in the Easy VPN topology and select Site to Site VPN
from the Policy selector. Select the Easy VPN topology and click Edit VPN Policies to open the
Site-to-Site VPN Manager Window, page 21-17, where you can select the policy.
(Policy view) Select Site-to-Site VPN > Connection Profiles (PIX7.0/ASA). Select an existing
policy or create a new one.
This section contains the following topics:
General Tab (Connection Profiles), page 27-19
AAA Tab (Connection Profiles), page 27-21
Secondary AAA Tab (Connection Profiles), page 27-25
IPSec Tab (Connection Profiles), page 27-27
SSL Tab (Connection Profiles), page 27-29
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button. For Easy VPN topologies, simply select the policy. Click the General tab if necessary.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
ASA Group Policies Dialog Box, page 28-1
Understanding Network/Host Objects, page 6-62
Field Reference
Element Description
Connection Profile Name The name of the tunnel group that contains the policies for this
connection profile.
Group Policy If required, the name of the ASA group policy object that defines the
default user group associated with the connection profile. A group
policy is a collection of user-oriented attribute/value pairs stored either
internally on the device or externally on a RADIUS/LDAP server.
Click Select to select an existing object or to create a new one.
Client Address Assignment
DHCP Servers The DHCP servers to be used for client address assignments. The
servers are used in the order listed.
Enter the IP addresses of the DHCP servers or the names of
network/host policy objects that define the DHCP server addresses.
Click Select to select existing network/host objects or to create new
ones. Separate multiple entries with commas.
Global IP Address Pool The address pools from which IP addresses will be assigned to clients
if no pool is specified for the interface to which the client connects.
Address pools are typically entered as a range of addresses, such as
10.100.12.2-10.100.12.254. The server uses these pools in the order
listed. If all addresses in the first pool have been assigned, it uses the
next pool, and so on. You can specify up to 6 pools.
Enter the address pool ranges or the names of network/host objects that
define these pools. Click Select to select existing network/host objects
or to create new ones. Separate multiple entries with commas. Separate
multiple entries with commas.
Interface-Specific Address If you want to configure separate IP address pools for specific
Pools table interfaces, so that clients connecting through that interface use a pool
different from the global pool, add the interface to this table and
configure the separate pool. Any interface not listed here uses the
global pool.
To add an interface-specific address pool, click the Add Row
button and fill in the Add/Edit Interface Specific Client Address
Pools Dialog Box, page 27-21
To edit an interface pool, select it and click the Edit Row button.
To delete an interface, select it and click the Delete Row button.
Navigation Path
Open the General Tab (Connection Profiles), page 27-19, then click Add Row below the
Interface-Specific Address Pools table, or select a row in the table and click Edit Row.
Related Topics
Creating Interface Role Objects, page 6-56
Creating Network/Host Objects, page 6-64
Field Reference
Table 27-16 Add/Edit Interface Specific Client Address Pools Dialog Box
Element Description
Interface The interface to assign a client address to.
You can click Select to open a dialog box that lists all available interfaces
and interface roles, from which you can make your selection or create
interface role objects.
Address Pool The address pool to be used to assign a client address to the selected interface.
Address pools are predefined network objects. You can click Select to open
a dialog box that lists all available network hosts, and in which you can
create or edit network host objects.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button; then select the AAA tab. For Easy VPN topologies, simply click the AAA tab.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
Understanding AAA Server and Server Group Objects, page 6-20
Configuring a Connection Profile Policy for Easy VPN, page 24-11
Understanding Easy VPN, page 24-1
Field Reference
Element Description
Authentication Method Whether to authenticate connections using AAA, certificates, or both.
If you select Certificate, many of the options on the dialog box are
greyed out and do not apply.
Authentication Server Group The name of the authentication server group (LOCAL if the tunnel
group is configured on the local device). Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
If you want to use different authentication server groups based on the
interface to which the client connects, configure the server groups in
the Interface-Specific Authentication Server Groups table at the bottom
of this tab (described below).
Use LOCAL if Server Whether to fall back to the local database for authentication if the
Group Fails selected authentication server group fails.
Authorization Server Group The name of the authorization server group (LOCAL if the tunnel
group is configured on the local device). Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
Users must exist in the Whether to require that the username of the client must exist in the
authorization database authorization database to allow a successful connection. If the
to connect username does not exist in the authorization database, then the
connection is denied.
Accounting Server Group Name of the accounting server group. Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
Strip Realm from Username Whether to remove the realm or group name from the username before
Strip Group from Username passing the username on to the AAA server. A realm is an
administrative domain. Enabling these options allows the
authentication to be based on the username alone.
You can enable any combination of these options. However, you must
select both check boxes if your server cannot parse delimiters.
Element Description
Override Account-Disabled Whether to override the account-disabled indicator from a AAA
Indication from AAA Server server. This configuration is valid for servers, such as RADIUS with
NT LDAP, and Kerberos, that return an account-disabled indication.
If you are using an LDAP directory server for authentication, password
management is supported with the Sun Microsystems JAVA System
Directory Server (formerly named the Sun ONE Directory Server) and
the Microsoft Active Directory.
SunThe DN configured on the security appliance to access a Sun
directory server must be able to access the default password policy
on that server. We recommend using the directory administrator, or
a user with directory administrator privileges, as the DN.
Alternatively, you can place an ACI on the default password policy.
MicrosoftYou must configure LDAP over SSL to enable
password management with Microsoft Active Directory.
Enable Notification Whether to have the security appliance notify the remote user at login
Upon Password Expiration that the current password is about to expire or has expired, and to then
to Allow User to offer the user the opportunity to change the password.
Change Password
If you want to give the user prior warning of an impending password
Enable Notification Prior expiration, select Enable Notification Prior to Expiration and specify
to Expiration the number of days prior to expiration that you want to start notifications
(1 to 180 days). You can use this option with AAA servers that support
Notify Prior to Expiration
such notificationRADIUS, RADIUS with an NT server, and LDAP
servers. There is no prior notification for other types of servers.
Distinguished Name (DN) How you want to use the distinguished name for authorization. A
Authorization Setting distinguished name (DN) is a unique identification, made up of
individual fields, that can be used as the identifier when matching users
to a tunnel group. DN rules are used for enhanced certificate
authentication. Select from the following options to determine how the
DN is used during authorization:
Use Entire DN as the UsernameUse the entire DN; do not focus
on any one field.
Specify Individual DN fields as the UsernameFocus on
specific fields. Select a primary field, and optionally, a secondary
field. The default is to use only the user identification (UID) field.
Element Description
Interface-Specific If you want to configure separate authentication server groups for
Authentication Server specific interfaces, so that clients connecting through that interface use
Groups table a server group different from the global group, add the interface to this
table and configure the separate group. Any interface not listed here
uses the global authentication server group. The table shows the server
group and whether you are falling back to local authentication if the
server group is not available.
To add an interface-specific authentication group to the list, click
the Add Row button and fill in the Add/Edit Interface Specific
Authentication Server Groups Dialog Box, page 27-24.
To edit an interface setting, select it and click the Edit Row button.
To delete an interface setting, select it and click the Delete
Row button.
Navigation Path
Open the AAA Tab (Connection Profiles), page 27-21 or the Secondary AAA Tab (Connection Profiles),
page 27-25, then click Add Row below the (Secondary) Interface Specific Authentication Server Groups
table, or select a row in the table and click Edit Row.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
Understanding Interface Role Objects, page 6-55
Understanding AAA Server and Server Group Objects, page 6-20
Field Reference
Element Description
Interface The name of the interface or interface role (that identifies the
interfaces) for which you are configuring an authentication server
group. Click Select to select an interface or interface role or to create a
new interface role.
Server Group The name of the authentication server group (LOCAL if the tunnel
group is configured on the local device). Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
When you are configuring secondary AAA, this group is used
specifically for the second credentials. You can specify different server
groups for primary and secondary credentials.
Use LOCAL if Server Whether to fall back to the local database for authentication if the
Group Fails selected authentication server group fails.
Use Primary Username Whether to use the same username for the secondary credentials that
was used for the primary credentials. If you select this option, after
(Secondary authentication
users authenticate with their primary credentials, they are prompted for
only; SSL VPN on
the secondary password only. If you do not select this option, the
ASA 8.2+ only.)
secondary prompt requires both a username and password.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button; then select the Secondary AAA tab.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
Field Reference
Element Description
Enable Double Whether to enable double authentication, which prompts the user for
Authentication two sets of credentials (username and password) before completing the
SSL VPN connection.
Secondary Authentication The name of the authentication server group (LOCAL if the tunnel
Server Group group is configured on the local device) to be used with the second set
of credentials. Enter the name of a AAA server group object or click
Select to select it from a list or to create a new object.
If you want to use different authentication server groups based on the
interface to which the client connects, configure the server groups in
the Secondary Interface-Specific Authentication Server Groups table at
the bottom of this tab (described below).
Use LOCAL if Server Group Whether to fall back to the local database for authentication if the
Fails selected authentication server group fails.
Use Primary Username for Whether to use the same username for the secondary credentials that
Secondary Authentication was used for the primary credentials. If you select this option, after
users authenticate with their primary credentials, they are prompted for
the secondary password only. If you do not select this option, the
secondary prompt requires both a username and password.
Username for Session The username that the software will use for the user session, either the
primary or secondary name. If you prompt for the primary name only,
select primary.
Note By default, if there is more than one username, AnyConnect
remembers both usernames between sessions. In addition, the
head-end device might offer a feature to allow for
administrative control over whether the client remembers both
or neither usernames.
Authorization The server to use for authorization, either the primary authentication
Authentication Server server (defined on the AAA tab) or the secondary authentication server
configured on this tab.
Element Description
Distinguished Name How you want to use the distinguished name for authorization. A
(DN) Secondary distinguished name (DN) is a unique identification, made up of
Authorization Setting individual fields, that can be used as the identifier when matching users
to a tunnel group. DN rules are used for enhanced certificate
authentication. Select from the following options to determine how the
DN is used during authorization:
Use Entire DN as the UsernameUse the entire DN; do not focus
on any one field.
Specify Individual DN fields as the UsernameFocus on
specific fields. Select a primary field, and optionally, a secondary
field. The default is to use only the user identification (UID) field.
Secondary Interface-Specific If you want to configure separate secondary authentication server
Authentication Server groups for specific interfaces, so that clients connecting through that
Groups table interface use a server group different from the global group, add the
interface to this table and configure the separate group. Any interface
not listed here uses the global authentication server group. The table
shows the server group and whether you are falling back to local
authentication if the server group is not available.
To add a secondary interface-specific authentication group to the
list, click the Add Row button and fill in the Add/Edit Interface
Specific Authentication Server Groups Dialog Box, page 27-24.
To edit an interface setting, select it and click the Edit Row button.
To delete an interface setting, select it and click the Delete
Row button.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add Row button or select an entry and click
the Edit Row button; then select the IPSec tab. For Easy VPN topologies, simply click the IPSec tab.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
Configuring a Connection Profile Policy for Easy VPN, page 24-11
Understanding Easy VPN, page 24-1
Field Reference
Element Description
Preshared Key The value of the preshared key for the connection profile. The
maximum length of a preshared key is 127 characters. Enter the key
again in the Confirm field.
Trustpoint Name The name of the PKI enrollment policy object that defines the trustpoint
name if any trustpoints are configured. A trustpoint represents a
Certificate Authority (CA)/identity pair and contains the identity of the
CA, CA-specific configuration parameters, and an association with one
enrolled identity certificate.
Click Select to select the object from a list or to create a new object.
IKE Peer ID Validation Select whether IKE peer ID validation is ignored (Do not check),
required, or checked only if supported by a certificate. During IKE
negotiations, peers must identify themselves to one another.
Enable Sending Whether to enable the sending of the certificate chain for authorization.
Certificate Chain A certificate chain includes the root CA certificate, identity certificate,
and key pair.
Enable Password Update with Whether to enable passwords to be updated with the RADIUS
RADIUS Authentication authentication protocol. For more information, see Supported AAA
Server Types, page 6-21.
ISAKMP Keepalive Whether to monitor ISAKMP keepalive. If you select the Monitor
Keepalive option, you can configure IKE keepalive as the default
failover and routing mechanism. Enter the following parameters:
Confidence IntervalThe number of seconds that a device waits
between sending IKE keepalive packets.
Retry IntervalThe number of seconds a device waits between
attempts to establish an IKE connection with the remote peer. The
default is 2 seconds.
For more information, see Understanding ISAKMP/IPsec Settings,
page 22-13.
Client Software Update table The VPN client revision level and URLs for client platforms. You can
configure different revision levels for All Windows Platforms,
Windows 95/98/ME, Windows NT4.0/2000/XP, or the VPN3002
Hardware Client.
To configure the client for a platform, select it, click the Edit Row
button, and fill in the IPSec Client Software Update Dialog Box,
page 27-29.
Navigation Path
From the IPSec Tab (Connection Profiles), page 27-27, select a client type in the Client Software Update
table and click Edit.
Related Topics
Connection Profiles Page, page 27-18
Configuring Connection Profiles (ASA), page 26-18
Field Reference
Element Description
Client Type Type of client being modified.
Client Revisions Revision level of the client.
Image URL URL of the client software image.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button; then select the SSL tab.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL
VPNs, page 26-73
Understanding Network/Host Objects, page 6-62
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
WINS Servers List The name of the WINS (Windows Internet Naming Server) servers list
to use for CIFS name resolution.
SSL VPN uses the CIFS protocol to access or share files on remote
systems. When you attempt a file-sharing connection to a Windows
computer by using its computer name, the file server you specify
corresponds to a specific WINS server name that identifies a resource
on the network.
A WINS servers list defines a list of WINS servers, which are used to
translate Windows file server names to IP addresses. The security
appliance queries the WINS servers to map WINS names to IP
addresses. You must configure at least one, and up to three WINS
servers for redundancy. The security appliance uses the first server on
the list for WINS/CIFS name resolution. If the query fails, it uses the
next server.
WINS server lists are predefined objects. If you want to use a different
WINS servers list, click Select to open the WINS Server List Selector
dialog box that lists all available WINS Servers list objects, and in
which you can create WINS Servers list objects.
DNS Group The DNS group to use for the SSL VPN tunnel group. The DNS
group resolves the hostname to the appropriate DNS server for the
tunnel group.
Portal Page Customization Specify the default SSL VPN customization profile in the field
provided. This profile defines the appearance of the portal page that
allows the remote user access to all resources available on the SSL
VPN networks.
Note You can set up different login windows for different groups by
using a combination of customization profiles and groups. For
example, assuming that you had created a customization profile
called salesgui, you can create an SSL VPN group called sales
that uses that customization profile. You specify the group in
the General tab on the Customization Profiles dialog box.
Element Description
Connection Aliases
Alias The alternate name by which the tunnel group is referred to.
A group alias creates one or more alternate names by which a user can
refer to a tunnel group. This feature is useful when the same group is
known by several common names (such as Devtest and QA). If you
want the actual name of the tunnel group to appear on this list, you must
specify it as an alias. The group alias that you specify here appears on
the login page. Each tunnel group can have multiple aliases or no alias.
For more information, see Understanding Connection Profiles (ASA),
page 26-18.
Status Specifies whether a group alias is enabled or not.
If enabled, the group alias appears in a list during login.
Create button Opens the Add/Edit Connection Alias Dialog Box, page 27-32 for
creating a group alias.
Edit button Opens the Add/Edit Connection Alias Dialog Box, page 27-32 for
editing the settings of a selected group alias in the table.
Delete button Deleted one or more group aliases that are selected in the table.
Group URLs
URL The URL associated with the tunnel group connection profile.
You can configure multiple URLs (or no URLs) for a tunnel group.
Each URL can be enabled or disabled individually. You must use a
separate specification for each URL, specifying the entire URL using
either the HTTP or HTTPS protocol.
For more information, see Understanding Connection Profiles (ASA),
page 26-18.
Status Specifies whether a group URL is enabled or not. If enabled, it
eliminates the need to select a group during login.
Create button Click to open the Add Group URL dialog box for creating a group URL.
See Add/Edit Connection URL Dialog Box, page 27-32.
Edit button Select a group URL in the table, then click to open the Edit Group URL
dialog box to edit its settings. See Add/Edit Connection URL Dialog
Box, page 27-32.
Delete button Select the rows of one or more group URLs, then click to remove from
the list.
Navigation Path
Open the SSL Tab (Connection Profiles), page 27-29, then click Create below the Connection Aliases
table, or select a row in the table and click Edit.
Related Topics
Connection Profiles Page, page 27-18
Configuring Connection Profiles (ASA), page 26-18
Field Reference
Table 27-23 Add/Edit Connection Profile > Add/Edit Connection Alias Dialog Box
Element Description
Enabled Indicates whether the connection alias is enabled or not.
Connection Alias An alternative name for the connection profile.
The connection alias that you specify here appears in a list on the users
login page. Each group can have multiple aliases or no alias, each
specified in separate commands.
Note You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be
enabled or disabled individually.
You cannot associate the same URL or address with multiple groups. The security appliance verifies the
uniqueness of the URL or address before accepting the URL or address for a tunnel group.
Navigation Path
Open the SSL Tab (Connection Profiles), page 27-29, then click Create below the Group URLs table,
or select a row in the table and click Edit.
Related Topics
Connection Profiles Page, page 27-18
Configuring Connection Profiles (ASA), page 26-18
Field Reference
Element Description
Enabled Indicates whether the connection URL is enabled or not.
Connection URL Select a protocol (http or https) from the list, and specify the incoming
URL for the connection in the field provided.
Note The CSD client software must be installed and activated on a device in order for an SSL VPN policy to
work properly.
Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Navigation Path
(Device View) Select an ASA device; then select Remote Access VPN > Dynamic Access (ASA)
from the Policy selector.
(Policy View) Select Remote Access VPN > Dynamic Access (ASA) from the Policy Type selector.
Select an existing policy or create a new one.
Related Topics
Understanding Dynamic Access Policies, page 26-19
Configuring Dynamic Access Policies, page 26-20
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Cisco Secure Desktop Policies on ASA Devices, page 26-26
Field Reference
Element Description
Priority Priority of the configured dynamic access policy record.
Name Name of the configured dynamic access policy record.
Network ACL Name of the firewall ACL that applies to the session.
WebType ACL Name of the WebType VPN ACL that applies to the session.
Port Forwarding Name of the port forwarding list that applies to the session.
Bookmark Name of the SSL VPN Bookmark object that applies to the session.
Terminate Indicates whether the session is terminated or not.
Description Additional information about the configured dynamic access policy.
Create button Click this button to create a dynamic access policy. See Add/Edit
Dynamic Access Policy Dialog Box, page 27-35.
Edit button Click this button to edit the selected dynamic access policy. See
Add/Edit Dynamic Access Policy Dialog Box, page 27-35.
Delete button Click this button to delete the selected dynamic access policies.
Cisco Secure Desktop
For the procedure to configure CSD on an ASA device, see Configuring Cisco Secure Desktop Policies
on ASA Devices, page 26-26.
Enable When selected, enables the CSD on the device. Enabling CSD loads the
specified Cisco Secure Desktop package. If you transfer or replace the
CSD package file, disable and then enable CSD to load the file.
Package Specify the name of the File Object that identifies the Cisco Secure
Desktop package you want to upload to the device.
Version
Click Select to select an existing File Object or to create a new one. For
more information, see Add and Edit File Object Dialog Boxes,
page 28-24.
Note The package version must be compatible with the ASA
operating system version. When you create a local policy in
Device view, the Version field indicates the CSD package
version you should select. (The version is included in the
package file name. For example,
securedesktop-asa_k9-3.3.0.118.pkg is CSD version
3.3.0.118.) When you create a shared policy in Policy view, the
Version field indicates the version of the CSD file you selected.
For more information on version compatibility, see
Understanding and Managing SSL VPN Support Files,
page 26-5.
Configure Click Configure to open the Cisco Secure Desktop Manager (CSDM)
Policy Editor that lets you configure CSD on the security appliance. For
a description of the elements in this dialog box, see Cisco Secure
Desktop Manager Policy Editor Dialog Box, page 27-59.
Note For detailed information about dynamic access policy attributes, see Understanding DAP Attributes,
page 26-22
These tabs are available in the Add/Edit Dynamic Access Policy dialog box:
Main Tab, page 27-36
Logical Operators Tab, page 27-55
Advanced Expressions Tab, page 27-58
Navigation Path
Open the Dynamic Access Page (ASA), page 27-33, then click Create, or select a dynamic access policy
in the table and click Edit. The Add/Edit Dynamic Access Policy dialog box is displayed.
Related Topics
Understanding Dynamic Access Policies, page 26-19
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Name The name of the dynamic access policy record (up to 128 characters).
Priority A priority for the dynamic access policy record. The security appliance
applies access policies in the order you set here, highest number having the
highest priority. In the case of dynamic access policy records with the same
priority setting and conflicting ACL rules, the most restrictive rule applies.
Description Additional information about the dynamic access policy record (up to
1024 characters).
Main tab Enables you to add a dynamic access policy entry and set attributes for the
access policy depending on the type of remote access that you configure.
For a description of the elements on this tab, see Main Tab, page 27-36.
Logical Operators tab Enables you to create multiple instances of each type of endpoint attribute.
For a description of the elements on this tab, see Logical Operators Tab,
page 27-55.
Advanced Enables you to configure one or more logical expressions to set AAA
Expressions tab or endpoint attributes other than what is possible in the AAA and
Endpoint areas.
For a description of the elements on this tab, see Advanced Expressions Tab,
page 27-58.
Main Tab
Use the Main tab of the Add/Edit Dynamic Access Policy dialog box to configure the dynamic access
policy attributes and the type of remote access method supported your security appliance. You can set
attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port
forwarding, and clientless SSL VPN access methods.
Navigation Path
The Main tab appears when you open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35.
Related Topics
Configuring Dynamic Access Policies, page 26-20
Configuring DAP Attributes, page 26-25
Field Reference
Table 27-27 Add/Edit Dynamic Access Policy Dialog Box > Main Tab
Element Description
Criteria ID The AAA and endpoint selection attribute names that are available for
dynamic access policy use.
Content Values of the AAA and endpoint attributes criteria that the security appliance
uses for selecting and applying a dynamic access policy record during
session establishment. Attribute values that you configure here override
authorization values in the AAA system, including those in existing group
policy, tunnel group, and default group records.
Create button Click this button to configure AAA and endpoint attributes as selection
criteria for the DAP record. See Add/Edit DAP Entry Dialog Box,
page 27-40.
Edit button Click this button to edit the selected dynamic access policy. See Add/Edit
DAP Entry Dialog Box, page 27-40.
Delete button Click this button to delete the selected dynamic access policies.
Access Method Specify the type of remote access permitted:
UnchangedContinue with the current remote access method.
AnyConnect ClientConnect using the Cisco AnyConnect VPN Client.
Web PortalConnect with clientless VPN.
Both default Web PortalConnect via either clientless or the
AnyConnect client, with a default of clientless.
Both default AnyConnect ClientConnect via either clientless or the
AnyConnect client, with a default of AnyConnect.
Network ACL tabLets you select and configure network ACLs to apply to this dynamic access
policy. An ACL for a dynamic access policy can contain permit or deny rules, but not both. If an ACL
contains both permit and deny rules, the security appliance rejects it.
Table 27-27 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued)
Element Description
Network ACL Lists the Access Control Lists (ACLs) that will be used to restrict user access
to the SSLVPN.
Click the Select button to open the Access Control Lists Selector from which
you can make your selection. The ACL contains conditions that describe a
traffic stream of packets, and actions that describe what should occur based on
those conditions. Only ACLs having all permit or all deny rules are eligible.
WebType ACL tabLets you select and configure web-type ACLs to apply to this dynamic access
policy. An ACL for a dynamic access policy can contain only permit or deny rules. If an ACL contains
both permit and deny rules, the security appliance rejects it.
Web Type ACL Specifies the WebType access control list that will be used to restrict user
access to the SSLVPN.
Click the Select button to open the Access Control Lists Selector from which
you can make your selection. Only ACLs having all permit or all deny rules
are eligible.
Functions tabLets you configure file server entry and browsing, HTTP proxy, and URL entry for the
dynamic access policy.
File Server Browser Specify the file server browsing setting to be configured on the portal page:
UnchangedUses values from the group policy that applies to
this session.
EnableEnables CIFS browsing for file servers or shared features.
DisableDisables CIFS browsing for file servers or shared features.
Note Browsing requires NBNS (Master Browser or WINS). If that fails or
is not configured, we use DNS.
Table 27-27 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued)
Element Description
HTTP Proxy Specify how you want to configure the security appliance to terminate
HTTPS connections and forward HTTP/HTTPS requests to HTTP and
HTTPS proxy servers:
UnchangedUses values from the group policy that applies to
this session.
EnableAllows the forwarding of an HTTP applet proxy to the client.
The proxy is useful for technologies that interfere with proper content
transformation, such as Java, ActiveX, and Flash. It bypasses mangling
while ensuring the continued use of the security appliance. The
forwarded proxy modifies the browsers old proxy configuration and
redirects all HTTP and HTTPS requests to the new proxy configuration.
It supports virtually all client side technologies, including HTML, CSS,
JavaScript, VBScript, ActiveX, and Java. The only browser it supports
is Microsoft Internet Explorer.
DisableDisables the forwarding of an HTTP applet proxy to the client.
Auto-startEnables HTTP proxy and to have the DAP record
automatically start the applets associated with these features.
URL Entry Using SSL VPN does not ensure that communication with every site is
secure. SSL VPN ensures the security of data transmission between the
remote users PC or workstation and the security appliance on the corporate
network. If a user then accesses a non-HTTPS web resource (located on the
Internet or on the internal network), the communication from the corporate
security appliance to the destination web server is not secured.
In a clientless VPN connection, the security appliance acts as a proxy
between the end user web browser and target web servers. When a user
connects to an SSL-enabled web server, the security appliance establishes a
secure connection and validates the server SSL certificate. The end user
browser never receives the presented certificate, so therefore cannot examine
and validate the certificate. The current implementation of SSL VPN does
not permit communication with sites that present expired certificates.
Neither does the security appliance perform trusted CA certificate
validation. Therefore, users cannot analyze the certificate an SSL-enabled
web-server presents before communicating with it.
Specify how the URL entry setting must be configured on the portal page:
UnchangedUses values from the group policy that applies to
this session.
EnableAllows a user from entering HTTP/HTTPS URLs on the portal
page. If this feature is enabled, users can enter web addresses in the URL
entry box, and use clientless SSL VPN to access those websites.
DisableDisables a user from entering HTTP/HTTPS URLs on the
portal page.
Note To limit Internet access for users, select Disable for the URL Entry
field. This prevents SSL VPN users from surfing the Web during a
clientless VPN connection.
Table 27-27 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued)
Element Description
Port Forwarding tabLets you select and configure port forwarding lists for user sessions.
Note Port Forwarding does not work with some SSL/TLS versions.
Caution Make sure Sun Microsystems Java Runtime Environment (JRE) 1.4+ is installed on the
remote computers to support port forwarding (application access) and digital certificates.
Port Forwarding Select an option for the port forwarding lists that apply to this DAP record:
UnchangedRemoves the attributes from the running configuration.
EnableEnables port forwarding on the device.
DisableDisables port forwarding on the device.
Auto-startEnables port forwarding, and to have the DAP record
automatically start the port forwarding applets associated with its port
forwarding lists.
Port Forwarding List The Port Forwarding List, that defines the mapping of the port number on
the client machine to the applications IP address and port behind the SSL
VPN gateway.
You can click Select to open the Port Forwarding List Selector from which
you can select the required Port Forwarding List from a list of Port
Forwarding List objects. A Port Forwarding List object defines the mappings
of port numbers on the remote client to the applications IP address and port
behind the SSL VPN gateway.
Bookmark tabLets you enable and configure SSL VPN bookmarks. When enabled, users who
successfully log into the SSL VPN are presented with the portal page containing the list of defined
bookmarks. These bookmarks enable users to access resources available on SSL VPN websites in
Clientless access mode.
Enable Bookmarks When selected, enables bookmarks on the SSL VPN portal page.
Bookmarks A list of websites that will be displayed on the portal page as a bookmark to
enable users to access the resources available on the SSL VPN websites.
You can click Select to open the Bookmarks Selector from which you can
select the required bookmark from a list or create a new bookmark, as desired.
Action tabSpecifies special processing to apply to a specific connection or session.
Table 27-27 Add/Edit Dynamic Access Policy Dialog Box > Main Tab (Continued)
Element Description
Terminate When selected, terminates the session. By default, the access policy
attributes are applied to the session and it is running.
User Message Enter a text message to display on the portal page when this DAP record is
selected. Maximum 128 characters. A user message displays as a yellow orb.
When a user logs on it blinks three times to attract attention, and then it is
still. If several DAP records are selected, and each of them has a user
message, all user messages display.
Note You can include in such messages URLs or other embedded text,
which require that you use the correct HTML tags.
Use the Add/Edit DAP Entry dialog box to specify the authorization attributes and endpoint attributes
for a dynamic access policy. The security appliance selects the dynamic access policy based on the
endpoint security information of the remote device and the AAA authorization information for the
authenticated user. It then applies the dynamic access policy to the user tunnel or session.
Note For detailed information about dynamic access policy attributes, see Understanding DAP Attributes,
page 26-22
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Select the authorization or endpoint attribute from the list. It serves as the
selection criterion that the security appliance uses for selecting and applying
dynamic access policies during session establishment.
AAA Attributes CiscoRefers to user authorization attributes that are
stored in the AAA hierarchical model. See Add/Edit DAP Entry Dialog
Box > AAA Attributes Cisco, page 27-42
AAA Attributes LDAPSets the LDAP client stores all native LDAP
response attribute value pairs in a database associated with the AAA
session for the user. See Add/Edit DAP Entry Dialog Box > AAA
Attributes LDAP, page 27-43.
AAA Attributes RADIUSSets the RADIUS client stores all native
RADIUS response attribute value pairs in a database associated with the
AAA session for the user. See Add/Edit DAP Entry Dialog Box > AAA
Attributes RADIUS, page 27-44.
Anti-SpywareCreates an endpoint attribute of type Anti-Spyware. You
can use the Host Scan modules of Cisco Secure Desktop to scan for
antispyware applications and updates that are running on the remote
computer. See Add/Edit DAP Entry Dialog Box > Anti-Spyware,
page 27-45.
Anti-VirusCreates an endpoint attribute of type Anti-Virus. You can use
the Host Scan modules of Cisco Secure Desktop to scan for antivirus
applications and updates that are running on the remote computer. See
Add/Edit DAP Entry Dialog Box > Anti-Virus, page 27-46.
ApplicationIndicates the type of remote access connection. See
Add/Edit DAP Entry Dialog Box > Application, page 27-47.
FileCreates an endpoint attribute of type File. Filename checking to be
performed by Basic Host Scan must be explicitly configured using Cisco
Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > File,
page 27-49.
NACCreates an endpoint attribute of type NAC. NAC protects the
enterprise network from intrusion and infection from worms, viruses, and
rogue applications by performing endpoint compliancy. We refer to these
checks as posturevalidation. See Add/Edit DAP Entry Dialog Box >
NAC, page 27-50.
Operating SystemCreates an endpoint attribute of type Operating
System. The prelogin assessment module of the CSD can check the
remote device for the OS version, IP address, and Microsoft Windows
registry keys. See Add/Edit DAP Entry Dialog Box > Operating System,
page 27-51.
Element Description
Criterion (cont.) Personal FirewallCreates an endpoint attribute of type Personal
Firewall. You can use the Host Scan modules of Cisco Secure Desktop to
scan for personal firewall applications and updates that are running on the
remote computer. For a description of the elements in the dialog box, see
Add/Edit DAP Entry Dialog Box > Personal Firewall, page 27-51.
PolicyCreates an endpoint attribute of type Policy. See Add/Edit DAP
Entry Dialog Box > Policy, page 27-52.
ProcessProcess name checking to be performed by Basic Host Scan
must be explicitly configured using Cisco Secure Desktop Manager. See
Add/Edit DAP Entry Dialog Box > Process, page 27-53.
RegistryCreates an endpoint attribute of type Registry. Registry key
scans apply only to computers running Windows Microsoft Windows
operating systems. See Add/Edit DAP Entry Dialog Box > Registry,
page 27-54.
Description Additional information about the dynamic access policy (up to 1024 characters).
Main tab Enables you to add a dynamic access policy entry and set attributes for the
access policy depending on the type of remote access that you configure.
For a description of the elements on this tab, see Main Tab, page 27-36.
Logical Operators tab Enables you to create multiple instances of each type of endpoint attribute.
For a description of the elements on this tab, see Logical Operators Tab,
page 27-55.
Advanced Enables you to configure multiple instances of each type of endpoint attribute.
Expressions tab
For a description of the elements on this tab, see Advanced Expressions Tab,
page 27-58.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select AAA Attributes Cisco as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-29 Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco
Element Description
Criterion Shows AAA Attributes Cisco as the selection criterion.
Class Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the name of the AAA server group associated
with the user. The maximum length is 64 characters.
AAA server groups represent collections of authentication servers focused
on enforcing specific aspects of your overall network security policy.
IP Address Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the assigned IP address.
Addresses are predefined network objects. You can also click Select to open
a dialog box that lists all available network hosts, and in which you can
create or edit network host objects.
Member-of Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter a comma-separated string of group policy
names that apply to the user. This attribute lets you indicate multiple group
membership. The maximum length is 128 characters.
Username Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the username of the authenticated user. A
maximum of 64 characters is allowed.
Connection Profiles Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and select the connection profile from a list of all the SSL
VPN Connection Profile policies defined on the security appliance.
An SSL VPN connection profile comprises a set of records that contain VPN
tunnel connection profile policies, including the attributes that pertain to
creating the tunnel itself.
Note For a description of the procedure to configure an SSL VPN
Connection Profiles policy, see Configuring Connection Profiles
(ASA), page 26-18.
The LDAP client stores all native LDAP response attribute value pairs in a database associated with the
AAA session for the user. The LDAP client writes the response attributes to the database in the order in
which it receives them. It discards all subsequent attributes with that name. This scenario might occur
when a user record and a group record are both read from the LDAP server. The user record attributes
are read first, and always have priority over group record attributes.
To support Active Directory group membership, the AAA LDAP client provides special handling of the
LDAP memberOf response attribute. The AD memberOf attribute specifies the DN string of a group
record in AD. The name of the group is the first CN value in the DN string. The LDAP client extracts
the group name from the DN string and stores it as the AAA memberOf attribute, and in the response
attribute database as the LDAP memberOf attribute. If there are additional memberOf attributes in the
LDAP response message, then the group name is extracted from those attributes and is combined with
the earlier AAA memberOf attribute to form a comma separated string of group names, also updated in
the response attribute database.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select AAA Attributes LDAP as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-30 Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP
Element Description
Criterion Shows AAA Attributes LDAP as the selection criterion.
Attribute ID Specify the name of the LDAP attribute map in the dynamic access policy.
LDAP attribute maps take the attribute names that you define and map them
to Cisco-defined attributes. A maximum of 64 characters is allowed.
Value Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the custom map value that maps to a Cisco Map
Value or enter the Cisco map value that maps to the Custom Map Value.
The attribute map is populated with value mappings that apply customer,
user-defined attribute values to the customer attribute name and to the
matching Cisco attribute name and value.
The RADIUS client stores all native RADIUS response attribute value pairs in a database associated with
the AAA session for the user. The RADIUS client writes the response attributes to the database in the
order in which it receives them. It discards all subsequent attributes with that name. This scenario might
occur when a user record and a group record are both read from the RADIUS server. The user record
attributes are read first, and always have priority over group record attributes.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select AAA Attributes RADIUS as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-31 Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS
Element Description
Criterion Shows AAA Attributes RADIUS as the selection criterion.
Attribute ID Specify the name of the RADIUS attribute name or number in the dynamic
access policy. A maximum of 64 characters is allowed.
RADIUS attribute names do not contain the cVPN3000 prefix to better
reflect support for all three security appliances (VPN 3000, PIX, and the
ASA). The appliances enforce the RADIUS attributes based on attribute
numeric ID, not attribute name. LDAP attributes are enforced by their name,
not by the ID.
Value Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the attribute value.
You can use the Host Scan feature of the Cisco Secure Desktop feature to enable Endpoint Assessment,
a scan for antivirus, personal firewall, and antispyware applications and updates that are running on the
remote computer. Following the configuration of the prelogin policies and host scan options, you can
configure a match of any one or any combination of the Host Scan results to assign a dynamic access
policy following the user login.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Anti-Spyware as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows Anti-Spyware as the selection criterion.
Type Select the matching criteria to indicate whether the selected endpoint
attribute and its accompanying qualifiers (fields below the Product ID field)
should be present or not.
Vendor Name Select the text that describes the application vendor from the list.
Product ID Select a unique identifier for the product that is supported by the selected
vendor from the list.
Product Description Available only if you selected Matches as the Type.
Select the check box, then select the description of the product from the list.
Version Available only if you selected Matches as the Type.
Identify the version of the application, and specify whether you want the
endpoint attribute to be equal to/not equal to that version.
Last Update Available only if you selected Matches as the Type.
Specify the number of days since the last update. You might want to indicate
that an update should occur in less than or greater than the number of days
you enter here.
You can configure a scan for antivirus applications and updates as a condition for the completion of a
Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, Cisco Secure
Desktop loads Endpoint Assessment checks and reports the results back to the security appliance for use
in assigning a dynamic access policy.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Anti-Virus as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows Anti-Virus as the selection criterion.
Type Select the matching criteria to indicate whether the selected endpoint
attribute and its accompanying qualifiers (fields below the Product ID field)
should be present or not.
Vendor Name Select the text that describes the application vendor from the list.
Product ID Select a unique identifier for the product that is supported by the selected
vendor from the list.
Product Description Available only if you selected the criteria to match the endpoint attribute for
the dynamic access policy.
Select the check box, then select the description of the product from the list.
Version Available only if you selected the criteria to match the endpoint attribute for
the dynamic access policy.
Identify the version of the application, and specify whether you want the
endpoint attribute to be equal to/not equal to that version.
Last Update Available only if you selected the criteria to match the endpoint attribute for
the dynamic access policy.
Specify the number of days since the last update. You might want to indicate
that an update should occur in less than or greater than the number of days
you enter here.
Use this dialog box to indicate the type of remote access connection as the endpoint attribute for the
dynamic access policy.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Application as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows Application as the selection criterion.
Client Type Select the check box, then select the matching criteria (for example, isor
isnt) from the drop-down list, and specify the type of remote access
connection from the list: AnyConnect, Clientless, Cut-through Proxy,
IPsec, or L2TP.
Note If you select AnyConnect as the client type, make sure to enable
Cisco Secure Desktop. If it is not enabled, Security Manager
generates an error.
The DAP Device Criterion lets you provide specific device information for use during the associated
prelogin policy checking. You can provide one or more of the following attributes for a devicehost
name, MAC address, port number, Privacy Protection selectionand indicate whether each is or isnt to
be matched.
Note that isnt is exclusionary. For example, if you specify the criterion Host Name isnt zulu_2 , all
devices not named zulu_2 will match.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Choose Device as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows Device as the selected Criterion.
Host Name Select this option, choose a match criterion (is or isnt) from the related
drop-down list, and then enter the device host name to be matched.
MAC Address Select this option, choose a match criterion (is or isnt) from the related
drop-down list, and then enter the devices MAC address to be matched.
Port Number Select this option, choose a match criterion (is or isnt), and then enter or
Select the device port to be matched.
Privacy Protection Select this option, choose a match criterion (is or isnt), and then choose the
Privacy Protection option defined on the device: none, cache cleaner, or
secure desktop.
The file criterion prelogin check lets you specify that a certain file must or must not exist to be eligible
for the associated prelogin policy. For example, you might want to use a file prelogin check to ensure a
corporate file is present or one or more peer-to-peer file-sharing programs containing malware are not
present before assigning a prelogin policy.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select File as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows File as the selection criterion.
Type Specify whether this endpoint attribute must match or not match the
criteria configured for selecting and applying dynamic access policies
during session establishment.
Endpoint ID Select a string that identifies an endpoint for files. Dynamic access
policies use this ID to match Cisco Secure Desktop host scan attributes
for dynamic access policy selection. You must configure Host Scan
before you configure this attribute. When you configure Host Scan, the
configuration displays in this pane, so you can select it, reducing the
possibility of errors in typing or syntax.
Filename Specify the filename.
Last Update Available only if you selected the criteria to match the endpoint
attribute for the dynamic access policy.
Specify the number of days since the last update. You might want to
indicate that an update should occur in less than (<) or more than (>)
the number of days you enter here.
Checksum Available only if you selected the criteria to match the endpoint
attribute for the DAP record.
Select the check box to specify a checksum to authenticate the file, then
enter a checksum in hexadecimal format, beginning with 0x.
NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue
applications by performing endpoint compliancy and vulnerability checks as a condition for production
access to the network. We refer to these checks as posturevalidation. You can configure posture
validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on
a host with an AnyConnect or Clientless SSL VPN session are up-to-date before providing access to
vulnerable hosts on the intranet. Posture validation can include the verification that the applications
running on the remote hosts are updated with the latest patches. NAC occurs only after user
authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network
from hosts that are not subject to automatic network policy enforcement, such as home PCs. The security
appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate
the posture of remote hosts.
The establishment of a tunnel between the endpoint and the security appliance triggers posture
validation. You can configure the security appliance to pass the IP address of the client to an optional
audit server if the client does not respond to a posture validation request. The audit server, such as a
Trend server, uses the host IP address to challenge the host directly to assess its health. For example, it
may challenge the host to determine whether its virus checking software is active and up-to-date. After
the audit server completes its interaction with the remote host, it passes a token to the posture validation
server, indicating the health of the remote host.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select NAC as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows NAC as the selection criterion.
Posture Status Select the matching criteria (for example, is) from the drop-down list,
then enter the posture token string received from ACS.
The prelogin assessment includes a check for the OS attempting to establish a VPN connection. When
the user attempts to connect, however, Cisco Secure Desktop checks for the OS, regardless of whether
you insert an OS prelogin check.
If the prelogin policy assigned to the connection has Secure Desktop (Secure Session) enabled and if the
remote PC is running Microsoft Windows XP or Windows 2000, it installs Secure Session, regardless of
whether you insert an OS prelogin check. If the prelogin policy has Secure Desktop enabled and the
operating system is Microsoft Windows Vista, Mac OS X 10.4, or Linux, Cache Cleaner runs instead.
Therefore, you should make sure the Cache Cleaner settings are appropriate for a prelogin policy on
which you have configured Secure Desktop or Cache Cleaner to install. Although Cisco Secure Desktop
checks for the OS, you may want to insert an OS prelogin check as a condition for applying a prelogin
policy to isolate subsequent checks for each OS.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Operating System as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-38 Add/Edit DAP Entry Dialog Box > Operating System
Element Description
Criterion Shows Operating System as the selection criterion.
OS Version Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and select the OS version from the list: Windows
(various), MAC, Linux, Pocket PC.
Service Pack Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and select the service pack for the operating system.
You can click Host Scan in the Cisco Secure Desktop interface to enable Endpoint Assessment, a scan for
personal firewalls that are running on the remote computer. Most, but not all, personal firewall programs
support active scan, which means that the programs are memory-resident, and therefore always running.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select AAA Attributes Cisco as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-39 Add/Edit DAP Entry Dialog Box > Personal Firewall
Element Description
Criterion Shows Personal Firewall as the selection criterion.
Type Select one of the following options and assign the associated values:
MatchesSelect if the mere presence of the named personal firewall
on the remote PC is sufficient to match the prelogin policy you
are configuring.
Doesnt MatchSelect if the absence of the named personal firewall
from the remote PC is sufficient to match the prelogin policy you
are configuring.
Vendor Name Select the text that describes the application vendor from the list.
Product ID Select a unique identifier for the product that is supported by the selected
vendor from the list.
Product Description Available only if you selected that this endpoint attribute and all its settings
must be available on the remote PC.
Select the check box, then select the description of the product from the list.
Version Available only if you selected that this endpoint attribute and all its settings
must be available on the remote PC.
Identify the version of the application, and specify whether you want the
endpoint attribute to be equal to/not equal to that version.
Windows locations let you determine how clients connect to your virtual private network, and protect it
accordingly. For example, clients connecting from within a workplace LAN on a 10.x.x.x network
behind a NAT device are an unlikely risk for exposing confidential information. For these clients, you
might set up a Cisco Secure Desktop Windows Location named Work that is specified by IP addresses
on the 10.x.x.x network, and disable both the Cache Cleaner and the Secure Desktop function for this
location. Cisco Secure Desktop checks locations in the order listed on the Windows Location Settings
window, and grants privileges to client PCs based on the first location definition they match.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Policy as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows Policy as the selection criterion.
Location Select the matching criteria (for example, is) from the drop-down list,
and select the Cisco Secure Desktop Microsoft Windows location
profile from the list. All the locations configured in the Cisco Secure
Desktop Manager are displayed in this list.
You can specify a set of process names, which form a part of Basic Host Scan. The host scan, which
includes Basic Host Scan and Endpoint Assessment, or Advanced Endpoint Assessment; occurs after the
prelogin assessment but before the assignment of a dynamic access policy. Following the Basic Host
Scan, the security appliance uses the login credentials, the host scan results, prelogin policy, and other
criteria you configure to assign a DAP.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Process as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows Process as the selection criterion.
Type Select one of the following options and assign the associated values:
MatchesSelect if the mere presence of the named process on the
remote PC is sufficient to match the prelogin policy you are configuring.
Doesnt MatchSelect if the absence of the named process from the
remote PC is sufficient to match the prelogin policy you are configuring.
Endpoint ID A string that identifies an endpoint for files, processes or registry entries.
Dynamic access policies use this ID to match Cisco Secure Desktop host
scan attributes for dynamic access policy selection. You must configure Host
Scan before you configure this attribute. When you configure Host Scan, the
configuration displays in this pane, so you can select it, reducing the
possibility of errors in typing or syntax.
Path Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the name of the process. You can display it in
Microsoft Windows by opening the Windows Task Manager window and
clicking the Processes tab.
Configure Host Scan before you configure this attribute. When you
configure Host Scan, the configuration displays in this pane, so you can
select it and specify the same index when you assign this entry as an endpoint
attribute when configuring a DAP, reducing the possibility of errors in typing
or syntax.
Registry key scans apply only to computers running Windows Microsoft Windows operating systems.
Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Registry as the Criterion.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Element Description
Criterion Shows Registry as the selection criterion.
Type Select one of the following options and assign the associated values:
MatchesSelect if the mere presence of the named registry key on the
remote PC is sufficient to match the prelogin policy you are configuring.
For example, select this option if you want to require the following
registry key to be present to match a criterion for assigning a prelogin
policy:
HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>
Doesnt MatchSelect if the absence of the named registry key from
the remote PC is sufficient to match the prelogin policy you are
configuring. For example, select this option if you want to require the
following registry key to be absent to match a criterion for assigning a
prelogin policy:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVer
sion\Run\<Evil_SpyWare>
Registry Name Select the text that describes the registry name from the list.
Endpoint ID A string that identifies an endpoint for files, processes or registry entries.
Dynamic access policies use this ID to match Cisco Secure Desktop host
scan attributes for dynamic access policy selection. You must configure Host
Scan before you configure this attribute. When you configure Host Scan, the
configuration displays in this pane, so you can select it, reducing the
possibility of errors in typing or syntax.
Value Select the value, dword or string, from the list, then select the matching
criteria (whether it equals or does not equal), and enter a decimal or a
string to compare with the dword or string value of the registry key on the
remote PC.
Note DWORD refers to the attribute in the Add/Edit Registry Criterion
dialog box. Dword refers to the attribute as it appears in the
registry key. Use the regedit application, accessed on the Windows
command line, to view the Dword value of a registry key, or use it to
add a Dword value to the registry key to satisfy the requirement you
are configuring.
Ignore Case When selected, ignores the case in the registry entry if it includes a string.
You are configuring the Match Any/Match All operation within each endpoint type. The security
appliance evaluates each type of endpoint attribute, and then performs a logical AND operation on
all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the
endpoints you configure, as well as the AAA attributes.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35, then click the Logical Operators tab.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-43 Add/Edit Dynamic Access Policy Dialog Box > Logical Operators Tab
Element Description
AAA Select one of the following options if you defined the AAA attribute in the
dynamic access policy:
Match AnyCreates an OR relationship among the attributes.
Attributes matching any of your criteria are included in the filter. The
security appliance grants access to a particular user for a particular
session even if any one of the attributes is matching all your criteria.
Match AllCreates an AND relationship among the attributes. The
security appliance grants access to a particular user for a particular
session only if the attributes are matching all your criteria.
Match NoneCreates a NOT relationship among the attributes. The
dynamic access policy specifies that none of the attributes of the user
need to match to be granted access to a session.
Anti-Spyware Select one of the following options if you defined Anti-Spyware as an
endpoint attribute:
Match AnyCreates an OR relationship among the attributes. Policies
matching any instance of your criteria are used to authorize users.
Match AllCreates an AND relationship among the attributes. Only
those attributes matching all your criteria are used to authorize users.
Anti-Virus Select one of the following options if you defined Anti-Virus as an
endpoint attribute:
Match AnySet to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
Match AllSet to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Table 27-43 Add/Edit Dynamic Access Policy Dialog Box > Logical Operators Tab (Continued)
Element Description
Application Select one of the following options if you defined Application as an
endpoint attribute:
Match AnySet to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
Match AllSet to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
File Select one of the following options if you defined File as an
endpoint attribute:
Match AnySet to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
Match AllSet to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Policy Select one of the following options if you defined Policy as an
endpoint attribute:
Match AnySet to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
Match AllSet to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Personal Firewall Personal firewall rules let you specify applications and ports for the firewall
to allow or block. Select one of the following options if you defined Personal
Firewall as an endpoint attribute:
Match AnySet to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
Match AllSet to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Table 27-43 Add/Edit Dynamic Access Policy Dialog Box > Logical Operators Tab (Continued)
Element Description
Process Select one of the following options if you defined Process as an
endpoint attribute:
Match AnySet to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
Match AllSet to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Registry Registry key scans apply only to computers running Windows Microsoft
Windows operating systems. Basic Host Scan ignores registry key scans if
the computer is running Mac OS or Linux.
Select one of the following options if you defined Registry as an
endpoint attribute:
Match AnySet to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
Match AllSet to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Note For detailed information about advanced expressions, see About Advanced Expressions for AAA or
Endpoint Attributes and Examples of DAP Logical Expressions.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35, then click the Advanced
Expressions tab.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-44 Add/Edit Dynamic Access Policy Dialog Box > Advanced Expressions Tab
Element Description
Basic Expressions This text box is populated with basic expressions based on the endpoint
and AAA attributes that you configured in the dynamic access policy.
Relationship Drop-down List Specify the relationship between the basic selection rules and the
logical expressions you enter on this tab, that is, whether the new
attributes add to or substitute for the AAA and endpoint attributes
already set. Select one of the following options:
Basic AND AdvancedCreates an AND relationship between the
basic and advanced expressions. Both the basic and advanced
expressions defined in the dynamic access policy are considered
while authenticating users.
By default, this option is selected.
Basic OR AdvancedCreates an OR relationship between the
basic and advanced expressions. Users are granted access to a
session if either the basic or advanced expressions in the dynamic
access policy are matched with the user policy.
Basic OnlyOnly the basic expressions defined in the DAP entry
are used to determine whether the security appliance grants users
access to a particular session.
Advanced OnlyOnly the advanced expressions defined in the
DAP entry are used to authorize users for an SSL VPN session.
Advanced Expressions Enter one or more logical expressions to set AAA or endpoint attributes
other than what is possible in the AAA and Endpoint areas above.
Enter free-form LUA text that defines new AAA and/or endpoint
selection attributes. Security Manager does not validate text that you
enter here; it just copies this text to the dynamic access policy XML
file, and the security appliance processes it, discarding any expressions
it cannot parse.
Note The Cisco Secure Desktop Manager Policy Editor is an independent program. For information about
configuring CSD, and what CSD can do for you, see the materials available online at
http://www.cisco.com/en/US/products/ps6742/tsd_products_support_configure.html. Look specifically
for information on configuring prelogin policies and host scan. Select the configuration guide for the
CSD version you are configuring.
Navigation Path
Open the Dynamic Access Page (ASA), page 27-33, then click Configure from the Cisco Secure
Desktop section (you must first specify a CSD package). The CSDM Policy Editor dialog box
is displayed.
Related Topics
Understanding DAP Attributes, page 26-22
Configuring DAP Attributes, page 26-25
Configuring Dynamic Access Policies, page 26-20
Navigation Path
(Device View) Select Remote Access VPN > Global Settings from the Policy selector.
(Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select
an existing policy or create a new one.
Element Description
ISAKMP/IPsec Settings tab Enables you to specify global settings for IKE and IPsec.
For a description of the elements on this tab, see ISAKMP/IPsec
Settings Tab, page 27-60.
NAT Settings tab Enables you to specify global Network Address Translation (NAT)
settings to enable devices that use internal IP addresses to send and
receive data through the Internet.
For a description of the elements on this tab, see NAT Settings Tab,
page 27-63.
General Settings tab Enables you to define fragmentation settings and other global settings
on devices in your remote access VPN.
For a description of the elements on this tab, see General Settings Tab,
page 27-64.
Navigation Path
Open the Global Settings Page, page 27-60, or click the ISAKMP/IPsec Settings tab from any other tab
in the VPN Global Settings page.
Related Topics
Global Settings Page, page 27-60
Understanding Remote Access VPN Global Settings, page 26-28
Configuring Remote Access VPN Global Settings, page 26-28
Understanding IKE, page 22-1
Understanding IPsec Tunnel Policies, page 22-5
Understanding ISAKMP/IPsec Settings, page 22-13
Field Reference
Element Description
ISAKMP Settings
Enable Keepalive When selected, enables you to configure IKE keepalive as the default
failover and routing mechanism for your devices.
Interval (seconds) The number of seconds that a device waits between sending IKE
keepalive packets. The default is 10 seconds.
Retry (seconds) The number of seconds a device waits between attempts to establish an
IKE connection with the remote peer. The default is 2 seconds.
Periodic Available only if Enable Keepalive is selected and supported on routers
running IOS version 12.3(7)T and later, except 7600 devices.
When selected, enables you to send dead-peer detection (DPD) keepalive
messages even if there is no outbound traffic to be sent. Usually, DPD
keepalive messages are sent between peer devices only when no
incoming traffic is received but outbound traffic needs to be sent.
For more information, see Understanding ISAKMP/IPsec Settings,
page 22-13.
Identity During Phase I IKE negotiations, peers must identify themselves to
each other. Select one of the following:
AddressUse the IP address of the host exchanging ISAKMP
identity information.
HostnameUse the fully-qualified domain name of the host
exchanging ISAKMP identity information.
Distinguished Name (IOS devices only)Use a distinguished
name (DN) to identify a user group name.
Auto (ASA devices only)Determine ISAKMP negotiation by
connection type; IP address for preshared key or certificate
distinguished name for certificate authentication.
Element Description
SA Requests System Limit Supported on routers running Cisco IOS Release 12.3(8)T and later,
except 7600 routers.
The maximum number of SA requests allowed before IKE starts
rejecting them.
You can enter a value in the range of 0-99999.
Note Make sure the value you enter equals or exceeds the number of
peers connected to the device.
SA Requests Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
System Threshold
The percentage of system resources that can be used before IKE starts
rejecting new SA requests.
IPsec Settings
Enable Lifetime Select to enable you to configure the global lifetime settings for the
crypto IPsec SAs on the devices in your remote access VPN.
Lifetime (secs) The number of seconds a security association will exist before expiring.
The default is 3,600 seconds (1 hour).
Lifetime (kbytes) The volume of traffic (in kilobytes) that can pass between IPsec peers
using a given security association before it expires. The default is
4,608,000 kilobytes.
Xauth Timeout (seconds) Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
The number of seconds the device will wait for a system response to the
Xauth challenge.
When negotiating tunnel parameters for establishing IPsec tunnels in a
remote access configuration, Xauth adds another level of authentication
that identifies the user who requests the IPsec connection. Using the
Xauth feature, the client waits for a username/password challenge
after the IKE SA was established. When the end user responds to the
challenge, the response is forwarded to the IPsec peers for an additional
level of authentication.
Max Sessions The maximum number of Security Associations (SAs) that can be
enabled simultaneously on the device. The maximum number differs
(ASA and PIX 7.0+ only.)
based on device model. For ASA devices, the limits are:
550510 sessions.
5510250 sessions.
5520750 sessions.
5540, 5550, 55805000 sessions.
558510000 sessions.
Enable IPsec via Sysopt (PIX Supported on ASA devices, and PIX Firewalls versions 6.3 or 7.0.
and ASA only)
When selected (the default), specifies that any packet that comes from
an IPsec tunnel is implicitly trusted (permitted).
Navigation Path
Open the Global Settings Page, page 27-60, then click the NAT Settings tab.
Related Topics
Understanding NAT, page 22-13
Global Settings Page, page 27-60
Understanding Remote Access VPN Global Settings, page 26-28
Configuring Remote Access VPN Global Settings, page 26-28
Field Reference
Element Description
Enable Traversal Keepalive When selected, enables you to configure NAT traversal keepalive on
a device.
NAT traversal keepalive is used for the transmission of keepalive
messages when there is a device (middle device) located between a
VPN-connected hub and spoke, and that device performs NAT on the
IPsec flow.
Note On Cisco IOS routers, NAT traversal is enabled by default. If
you want to disable the NAT traversal feature, you must do this
manually on the device or using a FlexConfig (see Chapter 7,
Managing FlexConfigs).
Navigation Path
Open the Global Settings Page, page 27-60, then click the General Settings tab.
Related Topics
Understanding Fragmentation, page 22-15
Understanding Remote Access VPN Global Settings, page 26-28
Configuring Remote Access VPN Global Settings, page 26-28
Global Settings Page, page 27-60
Field Reference
Element Description
Fragmentation Settings
Fragmentation mode Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
Fragmentation minimizes packet loss in a VPN tunnel when packets are
transmitted over a physical interface that cannot support the original
size of the packet.
Select the required fragmentation mode option from the list:
No FragmentationSelect if you do not want to fragment prior to
IPsec encapsulation.
End to End MTU DiscoverySelect to use ICMP messages for
the discovery of MTU.
End-to-end MTU discovery uses Internet Control Message
Protocol (ICMP) messages to determine the maximum MTU that a
host can use to send a packet through the VPN tunnel without
causing fragmentation.
Local MTU HandlingSelect to set the MTU locally on the
devices. This option is typically used when ICMP is blocked.
Local MTU Size Supported on Cisco IOS routers and Catalyst 6500 /7600 devices, when
Local MTU Handling is the selected fragmentation mode option.
Note The permitted MTU size is between 68 and 65535 bytes
depending on the VPN interface.
Element Description
DF Bit Supported on Cisco IOS routers, Catalyst 6500 /7600 devices, PIX 7.0
and ASA devices.
A Dont Fragment (DF) bit is a bit in an IP header that determines
whether a device is allowed to fragment a packet.
Select the required setting for the DF bit:
CopyTo copy the DF bit from the encapsulated header in the
current packet to all the devices packets. If the packets DF bit is
set to fragment, all packets will be fragmented.
SetTo set the DF bit in the packet you are sending. A packet that
exceeds the MTU will be dropped and an ICMP message sent to the
packets initiator.
ClearTo cause the device to fragment packets regardless of the
original DF bit setting. If ICMP is blocked, MTU discovery fails
and packets are fragmented only after encryption.
Enable Fragmentation Supported on Cisco IOS routers, Catalyst 6500 /7600 devices, PIX 7.0
Before Encryption and ASA devices.
When selected, enables fragmentation before encryption, if the
expected packet size exceeds the MTU.
Lookahead Fragmentation (LAF) is used before encryption takes place
to calculate the packet size that would result after encryption,
depending on the transform sets configured on the IPsec SA. If the
packet size exceeds the specified MTU, the packet will be fragmented
before encryption.
Enable Notification Supported on PIX 7.0 and ASA devices.
on Disconnection
When selected, enables the device to notify qualified peers of sessions
that are about to be disconnected. The peer receiving the alert decodes
the reason and displays it in the event log or in a pop-up window. This
feature is disabled by default.
IPsec sessions may be dropped for several reasons, such as, a security
appliance shutdown or reboot, session idle timeout, maximum
connection time exceeded, or administrator cut-off.
Enable Spoke-to-Spoke Supported on PIX 7.0 and ASA devices.
Connectivity through
When selected, enables direct communication between spokes in
the Hub
a hub-and-spoke VPN topology, in which the hub is an ASA or
PIX 7.0 device.
Enable Default Route Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
When selected, the device uses the configured external interface as the
default outbound route for all incoming traffic.
Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Each row in the table represents an ASA group policy object, displaying the name of the policy object
assigned to the SSL VPN connection profile, whether it is stored on the ASA device itself (Internal) or
on a AAA server (External), and whether the group is for IPSec, SSL, or both types of VPN. For external
groups, the protocol is unknown and listed as N/A.
To add an ASA group policy object, click the Add Row button. This opens an object selector, from
which you can select an existing policy object or click the Create button to create a new object.
To edit an object, select it and click the Edit Row button to open the ASA Group Policies Dialog
Box, page 28-1.
To delete an object from the policy, select it and click the Delete Row button. The associated policy
objects are not deleted, they are only removed from this policy.
Navigation Path
(Device view) Select an ASA device, then select Remote Access VPN > Group Policies from the
Policy selector.
(Policy view) Select Remote Access VPN > Group Policies (ASA) from the Policy selector. Select
an existing policy or create a new one.
Related Topics
Creating Group Policies (ASA), page 26-31
Note To save the RSA key pairs and the CA certificates permanently to flash memory on a PIX Firewall
version 6.3 between reloads, you must configure the ca save all command. You can do this manually on
the device or by using a FlexConfig (see Chapter 7, Managing FlexConfigs).
Navigation Path
(Device View) Select Remote Access VPN > Public Key Infrastructure from the Policy selector.
(Policy View) Select Remote Access VPN > Public Key Infrastructure from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
Understanding Public Key Infrastructure Policies, page 22-26
Configuring Public Key Infrastructure Policies, page 26-33
Configuring Public Key Infrastructure Policies, page 22-31
Field Reference
Element Description
Available CA Servers Lists the CA servers available for selection.
Select the required CA servers and click >>.
CA servers are defined as PKI enrollments objects that contain server
information and enrollment parameters required for creating enrollment
requests for CA certificates.
If the required CA server is not included in the list, click Create to open the
PKI Enrollment Dialog Box, page 28-33 that enables you to create a PKI
enrollment object. You can also edit the properties of a CA server by
selecting it and clicking Edit.
Note When creating or editing a PKI enrollment object, you must
configure each remote component (spoke) with the name of the user
group to which it connects. You specify this information in the
Organization Unit (OU) field in the Certificate Subject Name tab of
the PKI Enrollment Editor dialog box. In addition, the certificate
issued to the client should have OU as the name of the user group.
For more information, see PKI Enrollment Dialog BoxCertificate
Subject Name Tab, page 28-40.
Selected CA Servers The selected CA servers.
To remove a CA server from this list, select it and click <<. You can select
more than one CA server at a time.
Navigation Path
(Device View) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate
to Connection Profile Maps > Policies from the Policy selector.
(Policy View) Select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps
> Policies from the Policy Type selector. Select an existing policy or create a new one.
Related Topics
Understanding Certificate to Connection Profile Map Policies (ASA), page 26-34
Configuring Certificate to Connection Profile Map Policies (ASA), page 26-35
Field Reference
Element Description
Use Configured Rules to Match a When selected, the server uses the configured rules to establish
Certificate to a Group authentication and determine which tunnel group to map the client to.
Use Certificate Organization When selected (default), the server uses the organizational unit
Unit field to Determine (OU) field to establish authentication and determine which tunnel
the Group group to map the client to.
Use IKE Identity to Determine When selected (default), the server uses the IKE identity to establish
the Group authentication and determine which tunnel group to map the client to.
User Peer IP Address to When selected (the default), the server uses the peer IP address to
Determine the Group establish authentication and determine which tunnel group to map
the client to.
Note A connection profile must exist in the configuration before you can create and map a matching rule to
it. If you unassign a connection profile after creating a matching rule, the rules that are mapped to the
connection profile are unassigned. See Configuring Connection Profiles (ASA), page 26-18.
Navigation Path
(Device View only) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate
to Connection Profile Maps > Policies from the Policy selector.
Related Topics
Understanding Certificate to Connection Profile Map Rules (ASA), page 26-35
Configuring Certificate to Connection Profile Map Rules (ASA), page 26-36
Field Reference
Element Description
Maps table The connection profile maps for which connection rules are defined. Each
row is a profile map, which includes a map name, the name of the connection
profile that is being mapped, and the priority of the map (lower numbers have
higher priority).
To configure rules for this map, select it and then use the rules table to
create, edit, and delete the rules.
To add a map, click the Add Row button and fill in the Map Rule Dialog
Box (Upper Table), page 27-69.
To edit map properties (not rules), select it and click the Edit Row button.
To delete an entire map, select it and click the Delete Row button.
Rules table The rules for the map selected in the upper table. You must ensure that the
map is actually selected in the upper table: the group title above the rules
table should say Details for (Connection Profile Name).
When you select a map, the table shows all rules configured for the map,
including the field (subject or issuer), certificate component, matching
operator, and the value that the rule is looking for. The remote user must match
all configured rules a map for the device to use the mapped connection profile.
To add a rule, click the Add Row button and fill in the Map Rule Dialog
Box (Lower Table), page 27-70.
To edit a rule, select it and click the Edit Row button.
To delete a rule, select it and click the Delete Row button.
Default Select the default connection profile to be used if no matching rules are found.
Connection Profile
Navigation Path
On the Certificate to Connection Profile Maps > Rules Page, page 27-68, click Add Row in the upper
pane or select a row in the upper table and click Edit Row.
Related Topics
Certificate to Connection Profile Maps > Rules Page, page 27-68
Map Rule Dialog Box (Lower Table), page 27-70
Field Reference
Element Description
Connection Profile Select the connection profile for which you are creating matching rules.
Clients attempting to connect to this connection profile must satisfy the
associated matching rule conditions to connect to the device.
Priority The priority number of the matching rule. A lower number has a higher
priority. For example, a matching rule with a priority number of 2, has a
higher priority than a matching rule with a priority number of 5.
If you create multiple maps, they are processed in priority order, and the first
matching rule determines to which profile the user is mapped.
Map Name The name of the connection profile map.
Navigation Path
On the Certificate to Connection Profile Maps > Rules Page, page 27-68, click Add Row in the lower
pane or select a row in the lower table and click Edit Row.
Related Topics
Certificate to Connection Profile Maps > Rules Page, page 27-68
Map Rule Dialog Box (Upper Table), page 27-69
Field Reference
Element Description
Field Select the field for the matching rule according to the Subject or the Issuer
of the client certificate.
Component Select the component of the client certificate to use for the matching rule.
Element Description
Operator Select the operator for the matching rule as follows:
EqualsThe certificate component must match the entered value. If
they do not match exactly, the connection is denied.
ContainsThe certificate component must contain the entered value. If
the component does not contain the value, the connection is denied.
Does Not EqualThe certificate component cannot equal the entered
value. For example, for a selected certificate component of Country, and
an entered value of USA, if the client county value equals USA, then the
connection is denied.
Does Not ContainThe certificate component cannot contain the
entered value. For example, for a selected certificate component of
Country, and an entered value of USA, if the client county value
contains USA, the connection is denied.
Value The value of the matching rule. The value entered is associated with the
selected component and operator.
Navigation Path
(Device View) Select an IOS or Catalyst device; then select Remote Access VPN > IPSec VPN >
High Availability from the Policy selector.
(Policy View) Select Remote Access VPN > IPSec VPN > High Availability from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
Understanding High Availability in Remote Access VPNs (IOS), page 26-41
Configuring a High Availability Policy, page 26-41
Field Reference
Element Description
Inside Virtual IP The IP address that will be shared by the hubs in the HA group and will
represent the inside interface of the HA group. The virtual IP address must
be on the same subnet as the inside interfaces of the hubs in the HA group.
Note You must provide an inside virtual IP that matches the subnet of one
of the interfaces on the device, in addition to a VPN virtual IP that
matches the subnet of one of the devices interfaces and is configured
with an IPsec proposal; otherwise an error is displayed.
Note If there is an existing standby group on the device, make sure that the
IP address you provide is different from the virtual IP address
already configured on the device.
Element Description
Failover Server The IP address of the inside interface of the remote peer device.
You can click Select to open the Network/Hosts Selector, from which you can
select a host from which the IP address of the remote peer will be allocated.
Enable Stateful Failover When selected, enables SSO for stateful failover.
Note In an Easy VPN topology, this check box appears selected and
disabled, as stateful failover must always be configured.
You can only configure stateful failover on an HA group that contains two
hubs that are Cisco IOS routers. This check box is disabled if the HA group
contains more than two hubs.
Note When deselected in a Regular IPsec topology, stateless failover is
configured on the HA group. Stateless failover will also be
configured if the HA group contains more than two hubs. Stateless
failover can be configured on Cisco IOS routers or Catalyst
6500/7600 devices.
Navigation Path
(Device view) Select Remote Access VPN > IKE Proposal from the Policy selector.
(Policy view) Select Remote Access VPN > IKE Proposal from the Policy type selector and select
an existing policy or create a new one.
Related Topics
Remote Access VPN Configuration Wizard, page 27-1
Understanding IKE, page 22-1
Understanding IKE Proposals in Remote Access VPNs, page 26-37
Configuring IKE Proposals on a Remote Access VPN Server, page 26-37
Deciding Which Encryption Algorithm to Use, page 22-2
Deciding Which Hash Algorithm to Use, page 22-2
Deciding Which Diffie-Hellman Group to Use, page 22-3
Deciding Which Authentication Method to Use, page 22-3
Field Reference
Element Description
Available IKE Proposals Lists the predefined IKE proposals available for selection.
Select the required IKE proposals and click >>.
IKE proposals are predefined objects. If the required IKE proposal is
not included in the list, click Create to open the Add or Edit IKE
Proposal Dialog Box, page 28-26 that enables you to create or edit an
IKE proposal object.
Selected IKE Proposals Lists the selected IKE proposals.
To remove an IKE proposal from this list, select it and click <<.
To modify the properties of an IKE proposal, select it and click Edit.
Navigation Path
(Device View) Select Remote Access VPN > IPSec VPN > IPsec Proposal from the Policy selector.
(Policy View) Select Remote Access VPN > IPSec VPN > IPsec Proposal from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
Understanding IPsec Proposals in Remote Access VPNs, page 26-38
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
Defining Accounts and Credential Policies, page 53-14
Remote Access VPN Configuration Wizard, page 27-1
IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75
IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77
Field Reference
Element Description
Endpoint The external interface (or inside VLAN for a Catalyst 6500/7600 device)
through which remote access clients will connect to the server.
Transform Sets The transform set(s) selected for the policy (the default is tunnel_3des_sha).
Transform sets specify which authentication and encryption algorithms will
be used to secure the traffic in the tunnel.
RRI Shows whether Reverse Route Injection (RRI) is enabled or disabled on the
crypto map for the support of VPN clients.
For more information, see About Reverse Route Injection, page 22-8.
AAA Authorization If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the
name of the server groups selected to perform AAA authorization.
AAA Authentication If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the
name of the server groups selected to perform AAA authentication.
VRF If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows
whether VRF is enabled or disabled.
DVTI If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows
whether DVTI is enabled or disabled.
Create button Click to open the IPsec Proposal Editor dialog box to create an IPsec proposal.
If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor
Dialog Box (for PIX and ASA Devices), page 27-75.
If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal
Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices),
page 27-77.
Edit button Select the row of a proposal from the table, then click to open the IPsec
Proposal Editor dialog box to edit the selected proposal.
If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor
Dialog Box (for PIX and ASA Devices), page 27-75.
If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal
Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices),
page 27-77.
Delete button Select the rows of one or more proposals, then click to delete.
IPsec Proposal Editor Dialog Box (for PIX and ASA Devices)
Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.
The elements in this dialog box differ according to the selected device. Table 27-57 on page 27-76
describes the elements in the IPsec Proposal Editor dialog box when a PIX 7.0 or ASA device is selected.
Note For a description of the elements in the dialog box when a Cisco IOS router or Catalyst 6500/7600 is
selected, see Table 27-58 on page 27-78.
Navigation Path
Open the IPsec Proposal Page, page 27-74, then click Create, or select a proposal from the list and
click Edit.
Related Topics
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
Understanding IPsec Tunnel Policies, page 22-5
Creating Interface Role Objects, page 6-56
Creating AAA Server Group Objects, page 6-37
Field Reference
Table 27-57 IPsec Proposal Editor (for PIX and ASA Devices)
Element Description
External Interface The external interface (endpoint) through which remote access clients
connect to the server.
An endpoint can be an interface or a set of interfaces that are defined by a
particular interface role. Click Select to open a dialog box that lists all
available interfaces and sets of interfaces defined by interface roles, and
enables you to create interface role objects.
Transform Sets The transform set or sets to use for your tunnel policy (the default is
tunnel_3des_sha).
Transform sets specify which authentication and encryption algorithms will
be used to secure the traffic in the tunnel.
A default transform set is displayed. If you want to use a different transform
set or select additional transform sets, click Select to open a dialog box that
lists all available transform sets and enables you to create transform set
objects. For more information, see Add or Edit IPSec Transform Set Dialog
Box, page 28-28.
If more than one of your selected transform sets is supported by both peers,
the transform set that provides the highest security will be used.
Note You can select up to six transform sets.
Table 27-57 IPsec Proposal Editor (for PIX and ASA Devices) (Continued)
Element Description
Reverse Route Injection Note Available only for ASA devices.
Select the required option to configure Reverse Route Injection (RRI) on the
crypto map in your tunnel policy:
NoneTo disable the RRI configuration on the crypto map.
StandardThis is the default. It creates routes based on the destination
information defined in the crypto map access control list (ACL).
For more information, see About Reverse Route Injection, page 22-8.
Enable Network Note Available only for ASA devices.
Address Translation
Traversal When selected (the default), enables you to configure NAT traversal on the
device.
You use NAT traversal when a device (referred to as the middle device) is
located between a VPN-connected hub and spoke, that performs NAT on the
IPsec flow.
For more information, see Understanding NAT, page 22-13.
Note For a description of the elements in the dialog box when a PIX 7.0+ or ASA device is selected is selected,
see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75.
Navigation Path
Open the IPsec Proposal Page, page 27-74, then click Create, or select a proposal from the list and click
Edit. The IPsec Proposal Editor dialog box opens, displaying the General tab.
Related Topics
VPNSM/VPN SPA Settings Dialog Box, page 27-80
Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor), page 27-81
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
Creating Interface Role Objects, page 6-56
Creating AAA Server Group Objects, page 6-37
Field Reference
Element Description
External Interface Note Available only if the selected device is an IOS router.
The external interface through which remote access clients will connect to
the server.
An external interface can be defined by a specific interface role. Interface
roles are predefined objects. Click Select to open a dialog box that lists all
available interfaces and sets of interfaces defined by interface roles, and
enables you to create interface role objects.
Inside VLAN Note Available only if the selected device is a Catalyst 6500/7600.
The inside VLAN that serves as the inside interface to the VPN Services
Module (VPNSM) or VPN SPA. Click Select to open a dialog box in which
you define the settings that enable you to configure a VPN Services Module
(VPNSM) external interface or a VPN SPA blade on the Catalyst 6500/7600
device. See VPNSM/VPN SPA Settings Dialog Box, page 27-80.
For information about configuring a VPNSM, see Configuring VPNSM or
VPN SPA/VSPA Endpoint Settings, page 21-38.
For information about configuring a VPN SPA, see Configuring VPNSM or
VPN SPA/VSPA Endpoint Settings, page 21-38.
Transform Sets The transform set or sets to use for your tunnel policy. Transform sets specify
which authentication and encryption algorithms are used to secure the traffic
in the tunnel.
A default transform set is displayed. If you want to use a different transform
set or select additional transform sets, click Select to open a dialog box that
lists all available transform sets and enables you to create transform set
objects. For more information, see Add or Edit IPSec Transform Set Dialog
Box, page 28-28.
If more than one of your selected transform sets is supported by both peers,
the transform set that provides the highest security is used.
Note You can select up to six transform sets.
Element Description
Reverse Route Injection Select one of the following options to configure Reverse Route Injection
(RRI) on the crypto map:
NoneTo disable the configuration of RRI on the crypto map.
StandardThe default. It creates routes according to the destination
information defined in the crypto map access control list (ACL).
Remote PeerTo create two routes, one for the remote endpoint and
one for route recursion to the remote endpoint through the interface to
which the crypto map is applied.
Remote Peer IPTo specify an interface or address as the explicit next
hop to the remote VPN device. Then click Select to open the
Network/Hosts Selector, from which you can select the IP address of the
remote peer to use as the next hop.
Note You can select the Allow Value Override per Device check box to
override the default route, if required.
For more information, see About Reverse Route Injection, page 22-8.
Group Policy The AAA authorization method list that defines the order in which the group
Lookup/AAA policies are searched. Group policies can be configured on the local server
Authorization Method or on an external AAA server.
Note The default is LOCAL.
Click Select to open a dialog box that lists all available AAA server groups
and enables you to create AAA server group objects.
User Authentication The AAA or Xauth user authentication method that defines the order in
(Xauth)/AAA which user accounts are searched.
Authentication Method
Note The default authentication method is LOCAL.
Note This dialog box is available only if the selected device is a Catalyst 6500/7600.
Use the VPNSM/VPN SPA Settings dialog box to specify the settings for configuring a VPN Services
Module (VPNSM) or a VPN Shared Port Adapter (VPN SPA) on a Catalyst 6500/7600 device.
Note Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device
to the Security Manager inventory and discover its interfaces. For more information, see Configuring
VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.
Before you configure VPNSM or VPN SPA with VRF-Aware IPsec on a device, verify that an IPsec
proposal with VRF-Aware IPsec and an IPsec proposal without VRF-Aware IPsec were not configured
on the device.
For more information about VPNSM or VPNSPA/VSPA, see Configuring VPNSM or VPN SPA/VSPA
Endpoint Settings, page 21-38.
Navigation Path
In the General tab of the IPsec Proposal Editor Dialog Box (for IOS Routers and
Catalyst 6500/7600 Devices), page 27-77, click Select next to the Inside VLAN field.
Related Topics
IPsec Proposal Page, page 27-74
IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77
Creating Interface Role Objects, page 6-56
Field Reference
Element Description
Inside VLAN The inside VLAN that serves as the inside interface to the VPNSM or VPN
SPA, and to which the required crypto maps will be applied.
If required, click Select to open a dialog box that lists all available interfaces
and sets of interfaces defined by interface roles, from which you can make
your selection, or create interface role objects.
Slot From the list of available slots, select the VPNSM blade slot number to
which the inside VLAN interface is connected or the number of the slot in
which the VPN SPA blade is inserted.
Subslot The number of the subslot (0 or 1) on which the VPN SPA blade is installed.
Note If you are configuring a VPNSM, select the blank option.
Element Description
External Port The external port or VLAN that connects to the inside VLAN.
Note If VRF-Aware IPsec is configured on the device, the external port or
VLAN must have an IP address. If VRF-Aware IPsec is not
configured, the external port or VLAN must not have an IP address.
Click Select to open a dialog box that lists all available interfaces and sets of
interfaces defined by interface roles, from which you can make your
selection, or create interface role objects.
Note You must specify an interface or interface role that differs from the
one specified for the inside VLAN.
Enable Failover Blade When selected, enables you to configure a failover VPNSM or VPN SPA
blade for intrachassis high availability.
Note A VPNSM blade and VPN SPA blade cannot be used on the same
device as primary and failover blades.
Failover Slot From the list of available slots, select the VPNSM blade slot number that
serves as the failover blade, or the number of the slot in which the failover
VPN SPA blade is inserted.
Failover Subslot Select the number of the subslot (0 or 1) on which the failover VPN SPA
blade is actually installed.
Note If you are configuring a VPNSM, select the blank option.
Note The Dynamic VTI/VRF Aware IPsec tab is available only when the selected device is a Cisco IOS router
or Catalyst 6500/7600.
Use the Dynamic VTI/VRF Aware IPsec tab of the IPsec Proposal Editor to configure VRF Aware IPsec
settings (on a Cisco IOS router or Catalyst 6500/7600 device), configure a dynamic virtual interface on
a Cisco IOS router, or do both, in your remote access VPN.
For more information, see:
Understanding VRF-Aware IPsec, page 21-13
Understanding IPsec Proposals in Remote Access VPNs, page 26-38
Navigation Path
In the IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77,
click the Dynamic VTI/VRF Aware IPsec tab.
Related Topics
IPsec Proposal Page, page 27-74
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
Understanding IPsec Tunnel Policies, page 22-5
Creating Interface Role Objects, page 6-56
Field Reference
Table 27-60 IPsec Proposal Editor > Dynamic VTI/VRF Aware IPsec Tab
Element Description
Enable Dynamic VTI When selected, enables Security Manager to implicitly create a dynamic
virtual template interface on an IOS router.
Note Dynamic VTI can be configured only on IOS routers running Cisco
IOS Release 12.4(2)T and later, except 7600 devices. If the device
does not support Dynamic VTI, an error message is displayed.
For more information, see PVC Dialog BoxQoS Tab, page 52-60.
Enable VRF Settings When selected, enables you to configure VRF settings on the device for the
selected hub-and-spoke topology.
Note To remove VRF settings that were defined for the VPN topology,
deselect this check box.
User Group When you configure a remote access VPN server, remote clients must have
the same group name as the user group object configured on the VPN server
so that they can connect to the device.
Enter the name of the user group policy object associated with the device, or
click Select to select it from a list. You can also create new objects or edit
existing ones from the selection list.
CA Server Select the Certification Authority (CA) server to use for managing certificate
requests for the device.
If the required CA server is not included in the list, click Select to open a
dialog box that lists all available CA servers and enables you to create a PKI
enrollment object. For more information, see PKI Enrollment Dialog Box,
page 28-33.
For more information about IPsec configuration with CA servers, see
Understanding Public Key Infrastructure Policies, page 22-26.
Virtual Template IP Available if you selected the Enable Dynamic VTI check box.
Type Specify the virtual template interface to use by clicking one of the following
radio buttons:
IPTo use an IP address as the virtual template interface. Then specify
the private IP address in the IP field.
If required, click Select to open the Network/Hosts selector in which
you can select a host to be used as the IP address.
Use Loopback InterfaceTo use the IP address taken from an existing
loopback interface as the virtual template interface. Then, in the Role
field, enter the interface or click Select to select it from the list of
interface roles.
Note A virtual template IP address is configured only on a server in a
remote access VPN.
Table 27-60 IPsec Proposal Editor > Dynamic VTI/VRF Aware IPsec Tab (Continued)
Element Description
VRF Solution Available if you selected the Enable VRF Settings check box.
Click one of the following radio buttons to configure the required
VRF solution:
1-Box (IPsec Aggregator + MPLS PE)One device serves as the
Provider Edge (PE) router that does the MPLS tagging of the packets in
addition to IPsec encryption and decryption from the Customer Edge
(CE) devices. For more information, see VRF-Aware IPsec One-Box
Solution, page 21-13.
2-Box (IPsec Aggregator Only)The PE device does only the MPLS
tagging, while the IPsec Aggregator device does the IPsec encryption
and decryption from the CEs. For more information, see VRF-Aware
IPsec Two-Box Solution, page 21-14.
VRF Name The name of the VRF routing table on the IPsec Aggregator. The VRF name
is case-sensitive.
Route Distinguisher The unique identifier of the VRF routing table on the IPsec Aggregator.
This unique route distinguisher maintains routing separation for each VPN
across the MPLS core to the other PE routers.
The identifier can be in either of the following formats:
IP address:X (where X is in the range of 0-999999999).
N:X (where N is in the range of 0-65535, and X is in the range of
0-999999999).
Note You cannot override the RD identifier after deploying the VRF
configuration to your device. To modify the RD identifier after
deployment, you must manually remove it through the device CLI
and then deploy again.
Interface Towards Available only if the 2-Box radio button is selected.
Provider Edge The VRF forwarding interface on the IPsec Aggregator towards the
PE device.
Note If the IPsec Aggregator (hub) is a Catalyst VPN service module,
you must specify a VLAN.
Table 27-60 IPsec Proposal Editor > Dynamic VTI/VRF Aware IPsec Tab (Continued)
Element Description
AS Number Available only if the 2-Box radio button is selected.
The number to use to identify the autonomous system (AS) area between the
IPsec Aggregator and the PE.
If the routing protocol for the secured IGP differs from the routing protocol
between the IPsec Aggregator and the PE, enter an AS number that identifies
the secured IGP into which the routing will be redistributed from the IPsec
Aggregator and the PE. This is relevant only if GRE or DMVPN are applied.
The AS number must be between 1 and 65535.
Process Number Available only if the 2-Box radio button is selected, and if the selected
routing protocol is OSPF.
The routing process ID number to use to configure the routing between the
IPsec Aggregator and the PE.
The process number must be between 1 and 65535.
OSPF Area ID Available only if the 2-Box radio button is selected, and if the selected
routing protocol is OSPF.
The ID number of the area in which the packet belongs. You can enter any
number from 0 to 4294967295.
Note All OSPF packets are associated with a single area, so all devices
must have the same area ID number.
Redistribute Available only if the 2-Box radio button is selected, and for any selected
Static Route routing protocol other than Static route.
When selected, enables static routes to be advertised in the routing protocol
configured on the IPsec Aggregator towards the PE device.
Note If this check box is deselected and Enable Reverse Route Injection is
enabled (default) for the IPsec proposal, static routes are still
advertised in the routing protocol on the IPsec Aggregator.
Next Hop IP Address Available only if the 2-Box radio button is selected and if the selected
routing protocol is Static.
The IP address of the provider edge device (or the interface that is connected
to the IPSec aggregator).
Navigation Path
(Device view) Select Remote Access VPN > IPSec VPN > User Groups from the Policy selector.
(Policy view) Select Remote Access VPN > IPSec VPN > User Groups (IOS/PIX 6.x) from the
Policy Type selector and select an existing policy or create a new one.
Related Topics
Remote Access VPN Configuration Wizard, page 27-1
Understanding User Group Policies (IOS), page 26-42
Configuring User Group Policies, page 26-43
Field Reference
Element Description
Available User Groups Lists the predefined user groups available for selection.
Select the required user groups and click >>.
In Security Manager, user groups are objects. If the required user group
is not in the list, click Create to open the User Groups Editor dialog
box, which enables you to create or edit a user group object. See Add
or Edit User Group Dialog Box, page 28-68.
Selected User Groups Displays the selected user groups.
To remove a user group from this list, select it and click <<.
To modify the properties of a user group, select it and click Edit.
Navigation Path
(Device View) Select Remote Access VPN > SSL VPN > Access from the Policy selector.
(Policy View) Select Remote Access VPN > SSL VPN > Access (ASA) from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
Access Interface Configuration Dialog Box, page 27-87
Understanding Interface Role Objects, page 6-55
Field Reference
Element Description
Access Interface Table The Access Interface table displays the access settings for each interface.
To configure access on an interface, click the Add button (see Access
Interface Configuration Dialog Box, page 27-87).
To edit access settings for an interface, select the interface and click the
Edit button (see Access Interface Configuration Dialog Box,
page 27-87).
To delete access settings for an interface, select the interface and click
the Delete button.
Port Number The port to use for SSL VPN sessions. The default port is 443, for HTTPS
traffic; the range is 1024 through 65535. If you change the port number, all
current SSL VPN connections terminate, and current users must reconnect.
Note If HTTP port redirection is enabled, the default HTTP port number
is 80.
Enter the name of a port list, or click Select to open the Port List Selector
from which you can make your selection, or create a port list object. A port
list object is a named definition of one or more port ranges that you use when
defining service objects.
DTLS Port Number Specify a separate UDP port for DTLS connections. The default port is 443.
Enter the name of a port list, or click Select to open the Port List Selector
from which you can make your selection, or create a port list object. A port
list object is a named definition of one or more port ranges that you use when
defining service objects.
For details about DTLS, see Understanding SSL VPN Client Settings,
page 26-56.
Fallback Trustpoint Enter or select a trustpoint to use for interfaces that do not have a
trustpoint assigned.
Default Idle Timeout Amount of time, in seconds, that an SSL VPN session can be idle before the
security appliance terminates it.
This value applies only if the Idle Timeout value in the group policy for the
user is set to zero (0), which means there is no timeout value; otherwise the
group policy Idle Timeout value takes precedence over the timeout you
configure here. The minimum value you can enter is 60 seconds (1 minute).
The default is 30 minutes (1800 seconds). Maximum is 24 hours (86400
seconds).
We recommend that you set this attribute to a short time period. This is
because a browser set to disable cookies (or one that prompts for cookies and
then denies them) can result in a user not connecting but nevertheless
appearing in the sessions database. If the Simultaneous Logins attribute for
the group policy is set to one, the user cannot log back in because the
database indicates that the maximum number of connections already exists.
Setting a low idle timeout removes such phantom sessions quickly, and lets
a user log in again.
Element Description
Max Session Limit The maximum number of SSL VPN sessions allowed.
Be aware that the different ASA models support SSL VPN sessions as
follows: ASA 5510 supports a maximum of 150; ASA 5520 maximum is
750; ASA 5540 maximum is 2500.
Allow Users to Select When selected, includes a list of configured Connection Profiles (tunnel
Connection Profile in groups) on the SSL VPN end-user interface, from which users can select a
Portal Page profile when they log in.
When deselected, the user cannot select a profile on login.
Enable AnyConnect When selected, allows SSL VPN client connections. For details about
Access AnyConnect SSL VPN clients, see Understanding SSL VPN Client Settings,
page 26-56.
Enable AnyConnect When selected, enables the AnyConnect Essentials feature. For details about
Essentials AnyConnect Essentials SSL VPN clients, see Understanding SSL VPN
Client Settings, page 26-56.
Navigation Path
Open the SSL VPN Access Policy Page, page 27-85, then click Add Row below the table, or select a
row in the table and click Edit Row.
Related Topics
Configuring an Access Policy, page 26-45
Understanding Interface Role Objects, page 6-55
Field Reference
Table 27-63 SSL VPN Access Policy Page > Access Interface Configuration Dialog Box
Element Description
Access Interface Enter the interface on which you want to configure SSL VPN access.
You can click Select to open a dialog box from which you can select an
interface from a list of interface or interface role objects.
Trustpoint Enter or Select the previously defined trustpoint to be assigned to
this interface.
Load Balancing Trustpoint If load balancing is configured, you can enter or Select a secondary
trustpoint to be assigned to this interface.
Allow Access Select this option to enable VPN access via this interface. If the option
is not selected, access is configured on the interface, but it is disabled.
Table 27-63 SSL VPN Access Policy Page > Access Interface Configuration Dialog Box (Continued)
Element Description
Enable DTLS When selected, enables Datagram Transport Layer Security (DTLS) on
the interface and allows an AnyConnect VPN Client to establish an SSL
VPN connection using two simultaneous tunnelsan SSL tunnel and a
DTLS tunnel.
Check Client Certificate When selected, a valid digital certificate is required from the client
for connection.
Navigation Path
(Device View) Select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
(Policy View) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy
Type selector. Select an existing policy or create a new one.
Performance Tab
Use the Performance tab of the SSL VPN Other Settings page to specify caching properties that enhance
SSL VPN performance.
Navigation Path
The Performance tab appears when you open the SSL VPN Other Settings Page, page 27-88. You can
also open it by clicking the Performance tab from any other tab on the SSL VPN Global Settings page.
Related Topics
Defining Performance Settings, page 26-47
SSL VPN Other Settings Page, page 27-88
Field Reference
Element Description
Enable When selected, enables the use of cache settings for the security
appliance. This check box is selected by default.
When deselected, the cache settings configured on the security
appliance do not take effect and all the fields under the Performance tab
are grayed out.
Minimum Object Size The minimum size of an HTTP object that can be stored in the cache
(in kilobytes) on the security appliance.
The minimum size range is 0-10,000 Kb. The default is 0 Kb.
Maximum Object Size The maximum size (in kilobytes) of an HTTP object that can be stored
in the cache on the security appliance.
The maximum size limit for an HTTP object is 10,000 kilobytes. The
default is 1000 Kb.
Last Modified Factor Specifies an integer to set a revalidation policy for caching objects that
have only the last-modified timestamp, and no other server-set
expiration values. The range is 1-100. The default is 20.
The Expires response from the origin web server to the security
appliance request, which indicates the time that the response expires,
also affects caching. This response header indicates the time that the
response becomes stale and should not be sent to the client without an
up-to-date check (using a conditional GET operation).
The security appliance can also calculate an expiration time for each
web object before it is written to disk. The algorithm to calculate an
objects cache expiration date is as follows:
Expiration date = (Todays date - Objects last modified date) *
Freshness factor
After the expiration date has passed, the object is considered stale and
subsequent requests causes a fresh retrieval of the content by the
security appliance. Setting the last modified factor to zero is equivalent
to forcing an immediate revalidation, while setting it to 100 results in
the longest allowable time until revalidation.
Expiration Time The amount of time (in minutes) that the security appliance caches
objects without revalidating them. The range is 0-900 minutes. The
default is one minute.
Revalidation consists of rejecting the objects from the origin server
before serving the requested content to the client browser when the age
of the cached object has exceeded its freshness lifetime. The age of a
cached object is the time that the object has been stored in the security
appliances cache without the security appliance explicitly contacting
the origin server to check if the object is still fresh.
Table 27-64 SSL VPN Other Settings > Performance Tab (Continued)
Element Description
Cache Compressed Content When selected, enables compressed objects (zip, gz, and tar files) for
SSL VPN sessions to be cached on the security appliance.
When you deselect this check box, the security appliance stores objects
before it compresses them.
Cache Static Content When selected, enables static content to be cached on the
security appliance.
Each web page comprises static and dynamic objects. The security
appliance caches individual static objects, such as image files (*.gif,
*.jpeg), java applets (.js), and cascading style sheets (*.css), etc.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Content Rewrite tab.
Related Topics
Defining Content Rewrite Rules, page 26-48
SSL VPN Other Settings Page, page 27-88
Field Reference
Table 27-65 SSL VPN Global Settings > Content Rewrite Tab
Element Description
Rule Number An integer that indicates the position of the rule in the list.
The security appliance searches rewrite rules by order number, starting
with the lowest, and applies the first rule that matches.
Rule Name The name of the application for which the rule applies.
Resource Mask The application or resource for the rule.
Enable Indicates whether the content rewrite rule is enabled or not on the
security appliance.
Create button Opens a dialog box that lets you add a content rewrite rule to the list.
See Add/Edit Content Rewrite Dialog Box, page 27-91.
Edit button Opens a dialog box that lets you edit a selected content rewrite rule in
the table. See Add/Edit Content Rewrite Dialog Box, page 27-91.
Delete button Deletes one or more selected content rewrite rules from the table.
Navigation Path
Open the Content Rewrite Tab, page 27-90, then click Create below the table, or select a row in the table
and click Edit.
Related Topics
Defining Content Rewrite Rules, page 26-48
SSL VPN Other Settings Page, page 27-88
Content Rewrite Tab, page 27-90
Field Reference
Table 27-66 SSL VPN Other Settings > Content Rewrite Tab >Add/Edit Content Rewrite Dialog
Box
Element Description
Enable When selected, enables content rewriting on the security appliance for the
rewrite rule.
Some applications do not require this processing, such as external
public websites. For these applications, you might choose to turn off
content rewriting.
Rule Number Specifies a number for this rule. This number specifies the position of the
rule in the list. Rules without a number are at the end of the list. The range
is from 1 to 65534.
Rule Name Specifies an alphanumeric string that describes the content rewrite rule. The
maximum is 128 bytes.
Resource Mask Specifies the name of the application or resource to which the rule applies.
You can use the following wildcards:
*Matches everything. You cannot use this wildcard by itself. It must
accompany an alphanumeric string.
?Matches any single character.
[!seq]Matches any character not in sequence.
[seq]Matches any character in sequence.
The maximum is 300 bytes.
Encoding Tab
Use the Encoding tab of the SSL VPN Other Settings page to specify the character set to encode in SSL
VPN portal pages to be delivered to remote users. By default, the encoding type set on the remote
browser determines the character set for SSL VPN portal pages, so you need to set the character
encoding only if it is necessary to ensure proper encoding on the browser.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Encoding tab.
Related Topics
Defining Encoding Rules, page 26-50
SSL VPN Other Settings Page, page 27-88
Field Reference
Element Description
Global SSL VPN Select the attribute that determines the character encoding that all SSL
Encoding Type VPN portal pages inherit, except for those portal pages delivered from
the CIFS servers listed in the table.
By default, the security appliance applies the Global SSL VPN
Encoding Type to pages from Common Internet File System servers.
You can select one of the following values:
big5
gb2312
ibm-850
iso-8859-1
shift_jis
Note If you are using Japanese Shift_jis Character encoding, click
Do not specify in the Font Family area of the associated Select
Page Font pane to remove the font family.
unicode
windows-1252
none
If you choose None or specify a value that the browser on the SSL VPN
client does not support, it uses its own default encoding.
You can enter a string of up to 40 characters, and equal to one of the
valid character sets identified in
http://www.iana.org/assignments/character-sets. You can use either the
name or the alias of a character set listed on that page. The string is
case-insensitive. The command interpreter converts upper-case to
lower-case when you save the security appliance configuration.
Common Internet File The name or IP address of each CIFS server for which the encoding
System Server requirement differs from the Global SSL VPN Encoding Type
attribute setting.
Encoding Type The character encoding override for the associated CIFS server.
Create button Opens a dialog box that lets you add a CIFS server for which the
encoding requirement differs from the Global SSL VPN Encoding
Type attribute setting. See Add/Edit File Encoding Dialog Box,
page 27-93.
Table 27-67 SSL VPN Other Settings > Encoding Tab (Continued)
Element Description
Edit button Opens a dialog box that lets you edit the settings of a selected CIFS
server in the table. See Add/Edit File Encoding Dialog Box,
page 27-93.
Delete button Select the rows of one or more exceptions to the global encoding type
attribute setting, then click to remove from the list.
Navigation Path
Open the Encoding Tab, page 27-91, then click Create below the table, or select a row in the table and
click Edit.
Related Topics
Defining Encoding Rules, page 26-50
Field Reference
Table 27-68 SSL VPN Other Settings > Encoding Tab >Add/Edit File Encoding Dialog Box
Element Description
CIFS Server IP When selected, indicates the IP address of a CIFS server for which the
encoding requirement differs from the Global SSL VPN Encoding
Type attribute setting.
CIFS servers are predefined objects. You can click Select to open the
Network/Hosts Selector dialog box that lists all available network
hosts, and in which you can create network host objects.
CIFS Server Host When selected, indicates the host name of a CIFS server for which the
encoding requirement differs from the Global SSL VPN Encoding
Type attribute setting. The security appliance retains the case you
specify, although it ignores the case when matching the name to a server.
Encoding Type Select the character encoding that the CIFS server should provide for
SSL VPN portal pages. This selection overrides the Global SSL VPN
Encoding Type attribute setting.
If you choose None or specify a value that the browser on the SSL VPN
client does not support, it uses its own default encoding.
Proxy Tab
Use the Proxy tab of the SSL VPN Other Settings page to configure the security appliance to terminate
HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. On this
tab, you can also configure the security appliance to perform minimal content rewriting, and to specify
the types of content to rewriteexternal links or XML.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Proxy tab.
Related Topics
Defining Proxies and Proxy Bypass Rules, page 26-51
Understanding Network/Host Objects, page 6-62
Field Reference
Element Description
Proxy Type Select the type of external proxy server to use for SSL VPN
connections as follows:
HTTP/HTTPS ProxyEnables you to use an external proxy
server to handle HTTP or HTTPS requests and activates all the
fields beneath it that specify HTTP or HTTPS server properties.
Proxy using PACEnables you to specify a proxy
autoconfiguration (PAC) file to download from an HTTP proxy
server to a browser.
HTTP/HTTPS Proxy Servers
Enable HTTP Proxy Server Click this check box to enable the HTTP proxy server.
HTTP Proxy Server Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
The IP address of the external HTTP proxy server to which the security
appliance forwards HTTP connections.
HTTP proxy servers are predefined network objects. You can click Select
to open the Networks/Hosts Selector dialog box from which you can
make your selections, and in which you can create network host objects.
HTTP Proxy Port Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
The port of the external HTTP proxy server to which the security
appliance forwards HTTP connections.
You can click Select to open the Port List Selector dialog box from
which you can make your selection, or create a port list object. A port
list object is a named definition of one or more port ranges that you use
when defining service objects.
Table 27-69 SSL VPN Other Settings > Proxy Tab (Continued)
Element Description
Exception Address List Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
A URL or a comma-delimited list of several URLs to exclude from those
that can be sent to the HTTP proxy server. The string does not have a
character limit, but the entire command cannot exceed 512 characters.
You can specify literal URLs or use the following wildcards:
* to match any string, including slashes (/) and periods (.). You
must accompany this wildcard with an alphanumeric string.
? to match any single character, including slashes and periods.
[x-y] to match any single character in the range of x and y, where
x represents one character and y represents another character in the
ANSI character set.
[!x-y] to match any single character that is not in the range.
Authentication User Name Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
The username that is used as the keyword to accompany each HTTP
proxy request to provide basic, proxy authentication.
Authentication Password The password to send to the proxy server with each HTTP request.
Confirm Confirms the password entered in the Authentication Password field.
The values in the Authentication Password and Confirm fields must
match before you can save these settings.
Enable HTTPS Proxy Server Click this check box to enable the HTTPS proxy server.
HTTPS Proxy Server Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
The IP address of the external HTTPS proxy server to which the
security appliance forwards HTTP connections.
HTTPS proxy servers are predefined network objects. You can click
Select to open the Networks/Hosts Selector dialog box from which you
can make your selections, and in which you can create network host
objects.
HTTPS Proxy Port Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
The port of the external HTTPS proxy server to which the security
appliance forwards HTTPS connections.
You can click Select to open the Port List Selector dialog box from
which you can make your selection, or create a port list object.
Table 27-69 SSL VPN Other Settings > Proxy Tab (Continued)
Element Description
Exception Address List Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
A URL or a comma-delimited list of several URLs to exclude from those
that can be sent to the HTTPS proxy server. The string does not have a
character limit, but the entire command cannot exceed 512 characters.
You can specify literal URLs or use the following wildcards:
* to match any string, including slashes (/) and periods (.). You
must accompany this wildcard with an alphanumeric string.
? to match any single character, including slashes and periods.
[x-y] to match any single character in the range of x and y, where
x represents one character and y represents another character in the
ANSI character set.
[!x-y] to match any single character that is not in the range.
Authentication User Name Available only if you selected HTTP/HTTPS Proxy from the Proxy
Server list.
The username that is used as the keyword to accompany each HTTPS
proxy request to provide basic, proxy authentication.
Authentication Password The password to send to the proxy server with each HTTPS request.
Confirm Confirms the password entered in the Authentication Password field.
The values in the Authentication Password and Confirm fields must
match before you can save these settings.
Proxy using PAC
Available only if you selected Proxy using PAC from the Proxy Server list.
Specify Proxy Auto Config When selected, enables you to specify a proxy autoconfiguration (PAC)
file URL file to download to the browser. Once downloaded, the PAC file uses a
JavaScript function to identify a proxy for each URL. Enter http:// and
type the URL of the proxy autoconfiguration file into the adjacent field.
If you omit the http:// portion, the security appliance ignores it.
This option is an alternative to specifying the IP address of the HTTP
proxy server
Proxy Bypass Specifies the ASA interface, port, and target URL configured for
proxy bypass. Use the following buttons to create, edit, or delete proxy
bypass settings:
Create buttonOpens a dialog box that lets you add a proxy
bypass rule to the table. See Add/Edit Proxy Bypass Dialog Box,
page 27-97.
Edit buttonOpens a dialog box that lets you edit the settings of a
selected proxy bypass rule in the table. See Add/Edit Proxy Bypass
Dialog Box, page 27-97.
Delete buttonDeletes one or more proxy bypass rules selected in
the table.
Navigation Path
Open the Proxy Tab, page 27-94, then click Create below the table, or select a row in the table and
click Edit.
Related Topics
Defining Proxies and Proxy Bypass Rules, page 26-51
Understanding Interface Role Objects, page 6-55
Field Reference
Table 27-70 SSL VPN Global Settings > Proxy Tab >Add/Edit Proxy Bypass Dialog Box
Element Description
Interface The interface on the security appliance that is used for proxy bypass.
You can click Select to open a dialog box from which you can select an
interface from a list of interface or interface role objects.
Bypass On Port When selected, enables you specify a port number to be used for proxy
bypass. Valid port numbers are 20000-21000.
You can click Select to open the Port List Selector dialog box from which
you can make your selection, or create a port list object. A port list object is
a named definition of one or more port ranges that you use when defining
service objects.
Note If you configure proxy bypass using ports rather than path masks,
depending on your network configuration, you might need to change
your firewall configuration to allow these ports access to the security
appliance. Use path masks to avoid this restriction.
Bypass Matching When selected, enables you to specify a URL path to match for proxy bypass.
Specify Pattern
A path is the text in a URL that follows the domain name. For example, in
the URL www.mycompany.com/hrbenefits, hrbenefits is the path.
You can use the following wildcards:
*Matches everything. You cannot use this wildcard by itself. It must
accompany an alphanumeric string.
?Matches any single character.
[!seq]Matches any character not in sequence.
[seq]Matches any character in sequence.
The maximum is 128 bytes.
Note Path masks can change, so you might need to use multiple path mask
statements to exhaust the possibilities.
Table 27-70 SSL VPN Global Settings > Proxy Tab >Add/Edit Proxy Bypass Dialog Box (Continued)
Element Description
URL Select the http or https protocol, then enter a URL to which you want to
apply proxy bypass, in the field provided.
URLs used for proxy bypass allow a maximum of 128 bytes. The port for
HTTP is 80 and for HTTPS it is 443, unless you specify another port.
Rewrite XML When selected, rewrites XML sites and applications to be bypassed by the
security appliance.
Rewrite Hostname When selected, rewrites external links to be bypassed by the
security appliance.
Plug-in Tab
Clientless SSL VPN must be enabled on the security appliance to provide remote access to the plug-ins.
Use the Plug-in tab of the SSL VPN Other Settings page to view the currently configured browser
plug-ins, and create new plug-ins or edit the existing ones,.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Plug-in tab. You can also open it by
clicking the Plug-in tab from any other tab on the SSL VPN Other Settings page.
Related Topics
Understanding Plug-ins, page 26-53
Defining Browser Plug-ins, page 26-55
Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Element Description
Plug-in The type of plug-in based on the protocol service that the plug-in provides
to the user. The plug-in is used in remote browsers in Clientless SSL
VPN sessions.
Plug-in File The name of the File Object that identifies the plug-in file.
Create button Opens a dialog box that lets you add a browser plug-in. See Add/Edit Plug-in
Entry Dialog Box, page 27-99.
Edit button Opens a dialog box that lets you edit the settings of the selected plug-in. See
Add/Edit Plug-in Entry Dialog Box, page 27-99.
Delete button Select the rows of one or more browser plug-ins, then click to remove from
the list.
Navigation Path
Open the Plug-in Tab, page 27-98, then click Create below the table, or select a row in the table and
click Edit.
Related Topics
Understanding Plug-ins, page 26-53
Defining Browser Plug-ins, page 26-55
Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-72 SSL VPN Other Settings > Plug-in Tab > Add/Edit Plug-in Entry Dialog Box
Element Description
Plug-in The type of plug-in file based on the protocol to be used for the imported
plug-in in URLs launched from the SSL VPN portal. Select one of the
following options from the list:
Remote Desktop (RDP)Provides access to Remote Desktop Protocol
services using the rdp-plugin.jar plug-in file.
Secure Shell (SSH), TelnetProvides access to Secure Shell and
Telnet services using the ssh-plugin.jar plug-in file.
VNCProvides access to Virtual Network Computing services using
the vnc-plugin.jar plug-in file.
Citrix (ICA)Provides access to Citrix MetaFrame services using the
ica-plugin.jar plug-in file.
Plug-in File The File Object that identifies the plug-in file. Enter the name of the File
Object or click Select to select an object. You can also create the File Object
from the object selector. For more information on creating File Objects, see
Add and Edit File Object Dialog Boxes, page 28-24.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Client Settings tab. You can also
open it by clicking the Client Settings tab from any other tab on the SSL VPN Other Settings page.
Related Topics
Understanding SSL VPN Client Settings, page 26-56
Configuring SSL VPN Client Settings, page 26-57
Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-73 SSL VPN Other Settings > Client Settings Tab
Element Description
AnyConnect Client Image
AnyConnect Client Image Displays the name of the File Object that identifies the package file for
an Anyconnect client image. These are images that the security
appliance downloads to the remote PC.
Order Indicates the order in the table. The security appliance downloads the
image at the top of the table first. Therefore, you should move the image
used by the most commonly-encountered operating system to the top.
Create button Click to open the object selector so that you can select a package to add
to the list. You can select an existing File Object or create a new one.
Edit button Select a row of an SSL VPN client image in the table, then click to
change the File Object selection or the order of the client image.
Delete button Select the rows of one or more Anyconnect client images, then click to
remove from the list.
AnyConnect Client Profile
Profile Name Displays the name of the client profile to be downloaded to the
security appliance.
AnyConnect Client Profile Displays the name of the File Object that identifies the client profile for
an Anyconnect client, which is downloaded to the security appliance.
The client profile is an XML file that the security appliance downloads
to the remote PC. These profiles display host information in the
AnyConnect VPN Client user interface.
Create button Click to open the object selector so that you can select a profile to add
to the list. You can select an existing File Object or create a new one.
Edit button Select a row of an SSL VPN client profile in the table, then click to
change the File Object selection or the name of the client profile.
Delete button Select the rows of one or more Anyconnect client profiles, then click to
remove from the list.
Cache File System (to hold CSD and SVC images)
Maximum Cache File The maximum size (in MB) of the cache on the security appliance to
System Object Size store SSL VPN client and CSD images.
Note The security appliance expands SSL VPN client and the CSD
images in cache memory. If you receive the error message
ERROR: Unable to load SVC image - increase disk space via
the cache-fs command, increase the size of cache memory.
Navigation Path
Open the SSL VPN Client Settings Tab, page 27-99, then click Create below the AnyConnect Client
Image table, or select a row in the table and click Edit.
Related Topics
Understanding SSL VPN Client Settings, page 26-56
Configuring SSL VPN Client Settings, page 26-57
Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-74 SSL VPN Other Settings > Client Settings Tab > Add/Edit AnyConnect Client Image
Dialog Box
Element Description
AnyConnect Client Image The name of the File Object that identifies the Anyconnect client. Click
Select to select an object.
You can also create the File Object from the object selector. For more
information, see Add and Edit File Object Dialog Boxes, page 28-24.
Image Order The order in which the security appliance downloads the client images
to the remote PC. It downloads the image at the top of the table first.
Therefore, you should enter a lower value for the image used by the
most commonly-encountered operating system.
Regular Expression Regular expression for the AnyConnect image. Enter a name of an
existing regular expression or click Select to select or create a new one.
Navigation Path
Open the SSL VPN Client Settings Tab, page 27-99, then click Create below the AnyConnect Client
Profile table, or select a row in the table and click Edit.
Related Topics
Understanding SSL VPN Client Settings, page 26-56
Configuring SSL VPN Client Settings, page 26-57
Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-75 SSL VPN Other Settings > Client Settings Tab > Add/Edit AnyConnect Client Profile
Dialog Box
Element Description
AnyConnect Profile Name The name of the Anyconnect client profile to be downloaded to the
security appliance.
AnyConnect Client Profile The name of the File Object that identifies the Anyconnect client
profile XML file. Click Select to select an object.
You can also create the File Object from the object selector. For more
information, see Add and Edit File Object Dialog Boxes, page 28-24.
Advanced Tab
The Advanced tab lets you configure the memory, on-screen keyboard, and internal password features
on ASA devices.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Advanced tab.
Related Topics
Defining Advanced Settings, page 26-58
Field Reference
Element Description
Memory Size Specify the amount of memory you want to allocate to SSL VPN
sessions as follows:
% of Total Physical MemoryAs a percentage of total memory.
Default is 50%.
KilobytesIn kilobytes. 20KB is the minimum setting allowed.
Cisco recommends that you do not specify memory in terms of KB
because different ASA models have different total amounts of
memory, for example:
ASA 5510 has 256 MB
ASA5520 has 512 MB
ASA 5540 has 1GB
Note When you change the memory size, the new setting takes effect
only after the system reboots.
Enable On-screen Keyboard Select one of the following options:
DisabledThe on-screen keyboard is not displayed. Users must
input their credentials using the standard keyboard.
On All PagesAllows a user to input credentials using an
on-screen keyboard, which is displayed whenever logon
credentials are required.
On Logon Page OnlyAllows a user to input credentials using an
on-screen keyboard, which is displayed on the logon page.
Allow Users to Enter Click the checkbox to enable the feature. When enabled, an additional
Internal Password password is required when accessing internal sites. This feature is
useful if you require that the internal password be different from the
SSL VPN password. For example, you can use a one-time password for
authentication to ASA and another password for internal sites.
Navigation Path
(Device View) Select an ASA device using version 8.2 or higher, and select Remote Access VPN >
SSL VPN > Shared License from the Policy selector.
(Policy View) Select Remote Access VPN > SSL VPN > Shared License (ASA 8.2+) from the
Policy Type selector. Select an existing policy or create a new one.
Related Topics
Understanding SSL VPN Shared Licenses (ASA), page 26-58
Configuring an ASA Device as a Shared License Client, page 26-59
Configuring an ASA Device as a Shared License Server, page 26-59
Field Reference
Element Description
Select Role Role you are configuring, either Shared License Client or Shared
License Server. Depending on your choice, different fields appear.
Shared License Client
Shared Secret Case-sensitive string (4-128 characters) used for communicating with
the shared license server.
License Server Hostname of the ASA device configured as the license server.
License Server Port Number of the TCP port on which the license server communicates.
Select Backup Role of Client Role of the client:
Client OnlyWhen selected, the client acts only as the client. In
this case, you must specify another device as a backup server.
Backup ServerWhen selected, the client also acts as the backup
server. In this case, you must also specify the interfaces to be used
for this purpose.
Shared License Server
Shared Secret Case-sensitive string (4-128 characters) used for communicating with
the shared license server.
License Server Hostname of the ASA device configured as the license server.
License Server Port Number of the TCP port on which the license server communicates.
Refresh Interval Value between 10-300 seconds. Default is 30 seconds.
Interfaces Interfaces used for communicating shared licenses to clients.
Configure Backup shared Click this check box to configure a backup server for the shared license
SSL VPN License Server server, then configure the following:
Backup License ServerServer to act as a backup license server if
the current one is unavailable.
Backup Server Serial NumberSerial number of the backup
license server.
HA Peer Serial Number(Optional) Serial number of the backup
server of a failover pair.
Navigation Path
(Device View) Select an IOS device and select Remote Access VPN > SSL VPN from the
Policy selector.
(Policy View) Select Remote Access VPN > SSL VPN > SSL VPN Policy (IOS) from the Policy
Type selector. Select an existing policy or create a new one.
Related Topics
Configuring an SSL VPN Policy (IOS), page 26-60
Filtering Tables, page 1-33
Navigation Path
Open the SSL VPN Policy Page (IOS), page 27-105, then click Create, or select a policy in the table and
click Edit.
Field Reference
Element Description
General tab Defines the general settings required for an SSL VPN policy. General
settings include specifying the gateway, domain, AAA servers for
accounting and authentication, and user groups. For a description of the
fields on this tab, see General Tab, page 27-107.
Portal Page tab Defines the design of the login page for the SSL VPN policy. The display
box at the bottom of the tab changes to show you how your selections will
look. You can configure:
TitleThe text displayed at the top of the page. Control the color using
the Primary settings in the Title Color and Text Color fields.
LogoThe graphic displayed next to the title. Select None, Default, or
Custom. To configure a custom graphic, you must copy the desired
graphic to the Security Manager server, then click Browse to select the
file. Supported graphic types are GIF, JPG, and PNG, with a maximum
size of 100 KB.
Login MessageThe text displayed immediately above the login
prompt. Control the color using the Secondary settings in the Title Color
and Text Color fields.
Secure Desktop tab Configures the Cisco Secure Desktop (CSD) software on the router. CSD
policies define entry requirements for client systems and provide a single,
secure location for session activity and removal on the client system,
ensuring that sensitive data is shared only for the duration of an SSL VPN
session.
Note You must install and activate the Secure Desktop Client software on
a device for your configuration to work.
If you want to use CSD, select Enable Cisco Secure Desktop and click
Select to select a Secure Desktop Configuration policy object, which defines
the rules you want to use to control VPN access and host scanning. You can
create a new object from the selection list. For information about configuring
these objects, see Creating Cisco Secure Desktop Configuration Objects,
page 26-61.
Advanced tab Configures these additional settings:
Maximum Number of UsersThe maximum number of SSL VPN user
sessions allowed at one time, from 1-1000.
VRF NameIf Virtual Routing Forwarding (VRF) is configured on the
device, the name of the VRF instance that is associated with the SSL
VPN context. For information about VRF, see Understanding
VRF-Aware IPsec, page 21-13.
General Tab
Use the General tab of the SSL VPN Context Editor dialog box to define or edit the general settings
required for an SSL VPN policy. General settings include specifying the gateway, domain, AAA servers
for accounting and authentication, and user groups.
Navigation Path
Open the SSL VPN Context Editor Dialog Box (IOS), page 27-105, then click the General tab.
Related Topics
Configuring an SSL VPN Policy (IOS), page 26-60
Add or Edit SSL VPN Gateway Dialog Box, page 28-63
Understanding AAA Server and Server Group Objects, page 6-20
Field Reference
Element Description
Enable SSL VPN Whether to activate the SSL VPN connection, putting it In Service.
Name The name of the context that defines the virtual configuration of the
SSL VPN.
Note To simplify the management of multiple context
configurations, make the context name the same as the domain
or virtual hostname.
Gateway The name of the SSL VPN gateway policy object that defines the
characteristics of the gateway to which users connect when entering the
VPN. A gateway object provides the interface and port configuration
for an SSL VPN connection.
Enter the name of the object or click Select to select it from a list or to
create a new object.
Domain The domain or virtual hostname of the SSL VPN connection.
Portal Page URL The URL for the SSL VPN, which is filled in when you select a gateway
object. Users connect to this URL to enter the VPN.
Authentication Server Group The authentication server groups. The list is in prioritized order.
Authentication is attempted using the first group and proceeds through
the list until the user is successfully authenticated or denied. Use the
LOCAL group if the users are defined on the gateway itself.
Enter the names of the AAA server groups; separate multiple entries
with commas. You can click Select to select the groups or to create
new ones.
Authentication Domain A list or method for SSL VPN remote user authentication. If you do not
specify a list or method, the gateway uses global AAA parameters for
remote-user authentication.
Table 27-79 SSL VPN Context Editor General Tab (IOS) (Continued)
Element Description
Accounting Server Group The accounting server group. Enter the name of the AAA server
group policy object, or click Select to select it from a list or to create
a new object.
User Groups The user groups that will be used in your SSL VPN policy. User groups
define the resources available to users when connecting to an SSL VPN
gateway. The table shows whether full client, CIFS file access, and thin
client is enabled for the group.
To add a user group, click Add Row to open a list of existing user
group policy objects from which you can select the group. If the
desired group does not already exist, click the Create button below
the available groups list and create it. For more information about
user group objects, see Add or Edit User Group Dialog Box,
page 28-68.
To edit a user group, select it and click the Edit Row button.
To delete a user group, select it and click the Delete Row button.
This deletes the group only from the policy, it does not delete the
user group policy object.
There are several policy objects that you use exclusively with VPN-related policies. This reference
explains the configuration of these policy objects.
This chapter contains the following topics:
ASA Group Policies Dialog Box, page 28-1
Add or Edit Secure Desktop Configuration Dialog Box, page 28-21
Credentials Dialog Box, page 28-23
Add and Edit File Object Dialog Boxes, page 28-24
Add or Edit IKE Proposal Dialog Box, page 28-26
Add or Edit IPSec Transform Set Dialog Box, page 28-28
Add and Edit LDAP Attribute Map Dialog Boxes, page 28-31
PKI Enrollment Dialog Box, page 28-33
Add or Edit Port Forwarding List Dialog Boxes, page 28-42
Add or Edit Single Sign On Server Dialog Boxes, page 28-44
Add or Edit Bookmarks Dialog Boxes, page 28-46
Add and Edit SSL VPN Customization Dialog Boxes, page 28-49
Add or Edit SSL VPN Gateway Dialog Box, page 28-63
Add and Edit Smart Tunnel List Dialog Boxes, page 28-65
Add or Edit User Group Dialog Box, page 28-68
Add or Edit WINS Server List Dialog Box, page 28-84
externally on a AAA server. The tunnel group uses a user group policy that sets terms for user
connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user
or a group of users rather than having to specify each attribute individually for each user.
Note You must select the technology (Easy VPN/IPSec VPN, SSL VPN, or Easy VPN/IPSec VPN and SSL
VPN) for which you are creating the object. If you are editing an existing ASA group policies object,
the technology is already selected, and you cannot change it. Depending on the selected technology, the
appropriate settings are available for configuration.
Navigation Path
Select ASA Group Policies in the Policy Object Manager Window, page 6-3. Right-click inside the work
area and select New Object or right-click a row and select Edit Object.
Tip You can also access this dialog box from the Remote Access VPN > Group Policies policy.
Related Topics
Configuring Connection Profiles (ASA), page 26-18
Creating Group Policies (ASA), page 26-31
Field Reference
Table 28-1 Add or Edit ASA Group Policies Dialog Box, including Technology Settings
Element Description
Name The object name, which can be up to 128 characters. Object names are not
case-sensitive. For more information, see Creating Policy Objects, page 6-6.
Description An optional description of the object.
Settings Pane
The body of the dialog box is a pane with a table of contents on the left and settings related to the item
selected in the table of contents on the right.
You must first configure technology settings, then you can select items from the table of contents on
the left and configure the options you require. Your selections on the Technology page control which
options are available on these pages and in the table of contents.
The top folders in the table of contents represent the VPN technologies or other settings that you can
configure, and are explained next.
Table 28-1 Add or Edit ASA Group Policies Dialog Box, including Technology Settings
Element Description
Technology settings These settings control what you can define in the group policy:
Group Policy TypeWhether you are storing the group policy on the
ASA device itself (Internal) or on a AAA server (External). You cannot
change this option when editing an object.
If you select External, the only attributes you can configure are the
name of the AAA server group object that identifies the AAA server and
its password.
TechnologyThe types of VPN for which this object defines group
policies. You cannot change this option when editing an object. You can
configure settings for Easy VPN/IPSec VPN, SSL VPN, or both. The
default is both.
External Server GroupIf you are storing the group policy attributes
on an external AAA server, specify the AAA server group that will be
used for authentication. Click Select to select the object from a list or to
create a new object.
After you select an external server group, the Password and Confirm
fields become active. Enter the alphanumeric password to use for
authenticating with the server in both fields. The password can be a
maximum of 128 characters; spaces are not allowed.
DNS/WINS The DNS and WINS servers and the domain name that should be pushed to
clients associated with the group. See ASA Group Policies DNS/WINS
Settings, page 28-18.
Split Tunneling Settings to allow a remote client to conditionally direct encrypted packets
through a secure tunnel to the central site and simultaneously allow clear text
tunnels to the Internet through a network interface. See ASA Group Policies
Split Tunneling Settings, page 28-19.
Easy VPN/IPSec VPN Settings for Easy VPN and remote access IPSec VPNs:
Client ConfigurationThe Cisco client parameters for the group. See
ASA Group Policies Client Configuration Settings, page 28-4.
Client Firewall AttributesThe firewall settings for VPN clients for the
group. See ASA Group Policies Client Firewall Attributes, page 28-5.
Hardware Client AttributesThe VPN 3002 Hardware Client settings
for the group. See ASA Group Policies Hardware Client Attributes,
page 28-7.
IPSecThe tunneling protocols, filters, connection settings, and servers
for the group. See ASA Group Policies IPSec Settings, page 28-9.
Table 28-1 Add or Edit ASA Group Policies Dialog Box, including Technology Settings
Element Description
SSL VPN Settings for SSL VPN:
ClientlessSettings for the clientless mode of access to the corporate
network in an SSL VPN. See ASA Group Policies SSL VPN Clientless
Settings, page 28-11.
Full ClientSettings for the full client mode of access to the corporate
network in an SSL VPN. See ASA Group Policies SSL VPN Full Client
Settings, page 28-13.
SettingsThe general settings that are required for clientless/port
forwarding in an SSL VPN. See ASA Group Policies SSL VPN Settings,
page 28-15.
Connection Settings The connection settings for the group, such as the session and idle timeouts,
including the banner text. See ASA Group Policies Connection Settings,
page 28-20.
Navigation Path
Select Easy VPN/IPSec VPN > Client Configuration from the table of contents in the ASA Group
Policies Dialog Box, page 28-1.
Field Reference
Element Description
Store Password on Whether to allow users to store a password on their local systems. Enable this
Client System feature only if you are certain that the local systems will be in secure sites.
Enable IPsec over UDP Whether to allow a Cisco VPN client or hardware client to connect using
UDP Port UDP to a security appliance that is running NAT.
If you select this option, specify the UDP port number within the range of
4001-49151. In IPsec negotiations, the security appliance listens on the
configured port and forwards UDP traffic for that port even if other filter
rules drop UDP traffic.
Note The Cisco VPN client must also be configured to use IPsec over
UDP, which is configured by default on certain devices.
Element Description
IPsec Backup Servers Specify the backup server configuration:
Servers List Keep Client ConfigurationThe security appliance sends no backup
server information to the client. The client uses its own backup server
list, if configured. This is the default.
Clear Client ConfigurationThe client uses no backup servers. The
security appliance pushes a null server list.
Use Specified Backup ServersUse the backup servers you specify in
the servers list. Enter the IP addresses of the servers, or the name of a
network/host object. Click Select to select the object from a list or to
create a new object.
You can configure backup servers either on the client or on the primary
security appliance. If you configure backup servers on the security
appliance, it pushes the backup server policy to the clients in the group,
replacing the backup server list on the client if one is configured.
Navigation Path
Select Easy VPN/IPSec VPN > Client Firewall Attributes from the table of contents in the ASA Group
Policies Dialog Box, page 28-1.
Field Reference
Element Description
Firewall Mode The firewall requirements for client systems for the group:
No FirewallDo not use a firewall. You cannot configure any other
options on the page.
Firewall RequiredAll users in this group must use the designated
firewall. The security appliance drops any session that attempts to
connect without the designated firewall installed and running. In this
case, the security appliance notifies the VPN client that its firewall
configuration does not match.
Note Make sure the group does not include any clients other than
Windows VPN Clients. Any other clients in the group (including
VPN 3002 Hardware Clients) are unable to connect if you require a
client firewall.
Element Description
Policy Source Some types of firewall allow you to configure where the client firewall
should obtain its policies:
Get Policy From Remote FirewallThe policy is configured in the
client firewall application. This is how most client firewalls work.
Use Specified PolicyThe policy you specify should be pushed to the
client firewall application, which should use your policy.
You must enter the name of an extended access control list policy object,
or click Select to select one from a list or to create a new one, in both in
the Inbound Traffic Policy and Outbound Traffic Policy fields.
Custom Firewall The attributes that define the required or optional firewall if you select
custom firewall as the firewall type:
Vendor IDThe number that identifies the vendor of the custom
firewall. Values are 1-255.
Product IDThe number that identifies the product or model of the
custom firewall. Values are 1-32 or 255. Multiple ranges are allowed, for
example, 4-12, 24-32. Use 255 for all supported products.
DescriptionAn optional description of the custom firewall, for
example, the name of the vendor and product.
Navigation Path
Select Easy VPN/IPSec VPN > Hardware Client Attributes from the table of contents in the ASA
Group Policies Dialog Box, page 28-1.
Field Reference
Element Description
Require Interactive Whether to enable secure unit authentication, which provides additional
Client Authentication security by requiring VPN hardware clients to authenticate with a username
and password each time that the client initiates a tunnel. The hardware client
does not have a saved username and password.
Note Secure unit authentication requires that you have an authentication
server group configured for the tunnel group the hardware clients
use. If you require secure unit authentication on the primary security
appliance, be sure to configure it on any backup servers as well.
Require Individual Whether to require that individual users behind a hardware client authenticate
User Authentication to gain access to the network across the tunnel. Individual users authenticate
according to the order of authentication servers that you configure.
If you do not select this option, the security appliance allows inheritance of
a value for user authentication from another group policy.
Enable Cisco IP Whether to allow IP phones behind hardware clients to connect without
Phone Bypass undergoing a user authentication processes. Secure unit authentication
remains in effect for other users.
Enable LEAP Bypass Whether to enable Lightweight Extensible Authentication Protocol (LEAP)
packets from wireless devices behind a VPN hardware client to travel across
a VPN tunnel prior to user authentication. This action lets workstations using
Cisco wireless access point devices establish LEAP authentication and then
authenticate again per user authentication.
Note LEAP is an 802.1X wireless authentication method that implements
mutual authentication between a wireless client on one side of a
connection and a RADIUS server on the other side. The credentials
used for authentication, including a password, are always encrypted
before they are transmitted over the wireless medium.
Allow Network Whether to enable network extension mode for hardware clients.
Extension Mode
Network extension mode lets hardware clients present a single, routable
network to the remote private network over the VPN tunnel. IPsec
encapsulates all traffic from the private network behind the hardware client
to networks behind the security appliance. PAT does not apply. Devices
behind the security appliance have direct access to devices on the private
network behind the hardware client over the tunnel, and only over the tunnel,
and vice versa. The hardware client must initiate the tunnel, but after the
tunnel is up, either side can initiate data exchange.
Idle Timeout Mode How to handle periods of inactivity from individual clients:
Specified TimeoutIf there is no communication activity by a user
behind a hardware client for the number of minutes you specify,
the security appliance terminates the clients access. Values are
1-35791394 minutes.
Unlimited TimeoutUser sessions are not terminated due to inactivity.
Navigation Path
Select Easy VPN/IPSec VPN > IPsec from the table of contents in the ASA Group Policies Dialog Box,
page 28-1.
Field Reference
Element Description
Enable Re-Authentication on Whether the security appliance should prompt the user to enter a
IKE Re-Key username and password during initial Phase 1 IKE negotiation and also
prompt for user authentication whenever an IKE rekey occurs,
providing additional security. Reauthentication fails if no user is at the
other end of the connection.
Enable IPsec Compression Whether to enable data compression, which speeds up transmission
rates for remote dial-in users connecting with modems.
Enable Perfect Forward Whether to enable the use of Perfect Forward Secrecy (PFS) to generate
Secrecy (PFS) and use a unique session key for each encrypted exchange. In IPsec
negotiations, PFS ensures that each new cryptographic key is unrelated
to any previous key.
Tunnel Group Lock Tunnel group lock restricts users by checking if the group configured
in the VPN client is the same as the tunnel group to which the user
is assigned. If it is not, the security appliance prevents the user
from connecting.
If you do not specify a tunnel name, the security appliance
authenticates users without regard to the assigned group. Group locking
is disabled by default.
Element Description
Client Access Rules table The access rules for clients. These rules control which types of clients
are denied access, if any. You can have up to 25 rules, and combined
they are limited to 255 characters.
Tip If you define any rule, an implicit deny all rule is added. Thus, if
a client matches no permit rule, the client is denied access. If you
create rules, ensure that you have permit rules for all allowed
clients. You can use * as a wildcard to match partial strings.
The rule with the lowest integer has the highest priority. Therefore, the
rule with the lowest integer that matches a client type or version is the
rule that applies. If a lower priority rule contradicts, the security
appliance ignores it.
To add a rule, click the Add Row button to open the Add or Edit
Client Access Rules Dialog Box, page 28-10.
To edit a rule, select it and click the Edit Row button.
To delete a rule, select it and click the Delete button.
Navigation Path
From ASA Group Policies IPSec Settings, page 28-9, click the Add Row button beneath the Client
Access Rules table, or select a rule and click the Edit Row button.
Field Reference
Element Description
Priority The relative priority of the rule.
The rule with the lowest integer has the highest priority. Therefore, the
rule with the lowest integer that matches a client type or version is the
rule that applies. If a lower priority rule contradicts, the security
appliance ignores it. Values are 1-65535.
Action Whether this rule permits or denies traffic access to the client.
Table 28-6 Add or Edit Client Access Rules Dialog Box (Continued)
Element Description
VPN Client Type The type or version of VPN client to which this rule applies. Spaces
VPN Client Version are allowed.
You can use * as a wildcard to match zero or more characters. You can
use n/a for clients that do not send their type or version. The strings you
enter in these fields must match the strings displayed using the show
vpn-sessiondb remote command on the ASA device.
Following are some examples, where priority, permit/deny, type, and
version are shown in order:
3 Deny * version 3.* is a priority 3 rule that denies all client types
with software version 3.x.
5 Permit VPN3002 * is a priority 5 rule that allows VPN3002
clients of all software versions.
255 Permit * * is a priority 255 rule that allows all types and
versions of clients. This is useful if you are only trying to deny
specific types of clients without wanting to create permit rules for
all the other types.
Navigation Path
Select SSL VPN > Clientless from the table of contents in the ASA Group Policies Dialog Box,
page 28-1.
Field Reference
Element Description
Portal Page Websites The name of the SSL VPN bookmarks policy object that includes the
web site URLs to display on the portal page. These web sites help users
access desired resources. Enter the name of the object or click Select to
select it from a list or to create a new object.
Allow Users to Whether to allow the remote user to enter web site URLs directly into
Enter Websites the browser. If you do not select this option, the user can access only
those URLs included on the portal.
Enable File Server Browsing Whether to allow the remote user to browse for file shares on the CIFS
file servers.
Table 28-7 ASA Group Policies SSL VPN Clientless Settings (Continued)
Element Description
Enable File Server Entry Whether to allow the remote user to locate file shares on the CIFS file
servers by entering the names of the file shares.
Enable Hidden Shares Whether to make hidden CIFS shares visible, and thus accessible,
to users.
HTTP Proxy The type of access you want to allow to the external HTTP proxy server
to which the security appliance forwards HTTP connections. You can
enable access, disable access, or select Auto Start, which starts the
proxy automatically upon user login.
Filter ACL The name of the web type access control list policy object to use to
restrict user access to the SSL VPN. Enter the name of the object or
click Select to select it from a list or to create a new object.
Enable ActiveX Relay Whether to enable ActiveX relay, which allows users to start ActiveX
programs from the portal page. This allows users to start Microsoft
Office applications from the web browser and upload and download
Office documents.
UNIX Authentication The UNIX authentication group ID.
Group ID
UNIX Authentication The UNIX authentication user ID.
User ID
Smart Tunnel The name of the smart tunnel list policy object assigned to this group.
Click Select to select it from a list or to create a new object.
A smart tunnel is a connection between a Winsock 2, TCP-based
application and a private site. The connection uses a clientless
(browser-based) SSL VPN session with the security appliance as the
pathway, and the security appliance as a proxy server. Thus, smart
tunnels do not require users to have administrator privileges. For more
information, see Configuring SSL VPN Smart Tunnels for ASA
Devices, page 26-71.
Auto Start Smart Tunnel Whether to start smart tunnel access automatically upon user login. If
you do not select this option, the user must start the tunnel manually
through the Application Access tools on the portal page.
Auto sign-on supports only applications that use HTTP and HTTPS
using the Microsoft WININET library on a Microsoft Windows
operating system. For example, Microsoft Internet Explorer uses the
WININET dynamic linked library to communicate with web servers.
Port Forwarding List The name of the port forwarding list policy object assigned to this
group. Port forwarding lists contain the set of applications that users of
clientless SSL VPN sessions can access over forwarded TCP ports.
Enter the name of the object or click Select to select it from a list or to
create a new object.
Table 28-7 ASA Group Policies SSL VPN Clientless Settings (Continued)
Element Description
Auto Start Port Forwarding Whether to start port forwarding automatically upon user login.
Port Forwarding The application name or short description to display on the Port
Applet Name Forwarding Java applet screen on the portal, up to 64 characters. This is
the name of the applet users will download to act as a TCP proxy on the
client machine for the services configured on the SSL VPN gateway.
Tip To enable full client access, you must configure the Remote Access VPN > SSL VPN > Other Settings
policy on the device to identify AnyConnect image packages to install on the device. The images must
be on the device so that users can download them. For more information, see Understanding SSL VPN
Client Settings, page 26-56 and Add and Edit File Object Dialog Boxes, page 28-24.
Navigation Path
Select SSL VPN > Full Client from the table of contents in the ASA Group Policies Dialog Box,
page 28-1.
Field Reference
Table 28-8 ASA Group Policies SSL VPN Full Client Settings
Element Description
Enable Full Client Whether to enable full client mode.
Mode The mode in which to operate the SSL VPN:
Use Other Access Modes if AnyConnect Client Download
FailsIf the full client fails to download to the remote user, allow
the user to make clientless or thin client access to the VPN.
Full Client OnlyProhibit clientless or thin client access. The
user must have the full client installed and functional to connect to
the VPN.
Keep AnyConnect Client on Whether to leave the AnyConnect client installed on the client system
Client System after the client disconnects. If you do not leave the client installed, it
must be download each time the user connects to the gateway.
Table 28-8 ASA Group Policies SSL VPN Full Client Settings (Continued)
Element Description
Enable Compression Whether to enable data compression, which speeds up transmission
rates for remote dial-in users connecting with modems.
Enable Keepalive Messages Whether to exchange keepalive messages between peers to demonstrate
that they are available to send and receive data in the tunnel. Keepalive
messages transmit at set intervals, and any disruption in that interval
results in the creation of a new tunnel using a backup device.
If you select this option, enter the time interval (in seconds) that the
remote client waits between sending IKE keepalive packets in the
Interval field.
Client Dead Peer Detection The time interval, in seconds, that the Dead Peer Detection (DPD) timer
Timeout (sec) is reset each time a packet is received over the SSL VPN tunnel from
the remote user.
DPD is used to send keepalive messages between peer devices only when
no incoming traffic is received and outbound traffic needs to be sent.
Gateway Dead Peer The time interval, in seconds, that the Dead Peer Detection (DPD) timer
Detection Timeout (sec) is reset each time a packet is received over the SSL VPN tunnel from
the gateway.
Key Renegotiation Method The method by which the tunnel key is refreshed for the remote user
group client:
DisabledDisables the tunnel key refresh.
Use Existing TunnelRenegotiates the SSL tunnel connection.
Create New TunnelInitiates a new tunnel connection.
Enter the time interval (in minutes) between the tunnel refresh cycles
in the Interval field.
Enable Datagram Transport Whether to enable Datagram Transport Layer Security (DTLS)
Layer Security connections for the group.
Enabling DTLS allows the AnyConnect client establishing an SSL
VPN connection to use two simultaneous tunnels, an SSL tunnel and a
DTLS tunnel. Using DTLS avoids latency and bandwidth problems
associated with some SSL connections and improves the performance
of real-time applications that are sensitive to packet delays.
Table 28-8 ASA Group Policies SSL VPN Full Client Settings (Continued)
Element Description
AnyConnect Module The module that the AnyConnect client needs to enable optional features.
vpnginaSelect this module to enable the Start Before Logon
(SBL) feature, which is a graphical identification and authentication
(GINA) module for the AnyConnect client VPN connection.
If other options are listed, see the release notes for the Cisco
AnyConnect VPN Client for an explanation of the feature.
AnyConnect MTU The maximum transmission unit (MTU) size for SSL VPN connections
established by the Cisco AnyConnect VPN Client.
AnyConnect Profile Name The name of the AnyConnect profile to use for the group. You must
configure this name and relate it to a profile in the Remote Access VPN
> SSL VPN > Other Settings policy.
Prompt User to Whether to ask the user to download the client. Enter the number of
Choose Client seconds the user has to make a selection in the Time User Has to
Time User Has to Choose Choose field. The default is 120 seconds.
If you do not select this option, the user is immediately taken to the
Default Location
default location. The user is also taken to the default location after the
time to choose expires.
Web PortalThe portal page is loaded in the web browser.
AnyConnect ClientThe AnyConnect client is downloaded.
Navigation Path
Select SSL VPN > Settings from the table of contents in the ASA Group Policies Dialog Box, page 28-1.
Field Reference
Element Description
Home Page The URL of the SSL VPN home page. The page is displayed when users
log into the VPN. If you do not enter a URL, no home page is displayed.
Authentication Failure The message to deliver to a remote user who successfully logs into the
Message VPN but has no VPN privileges, and so can do nothing. The default
message is:
Login was successful, but because certain criteria have not been met
or due to some specific group policy, you do not have permission to use
any of the VPN features. Contact your IT administrator for more
information.
Element Description
Minimum Keepalive Object The minimum size (in kilobytes) of an IKE keepalive packet that can be
Size (kilobytes) stored in the cache on the security appliance.
Single Sign On Server The name of the single sign on (SSO) server policy object that identifies
the server to use for this group, if any. An SSO server allows users to
enter their username and password once and be able to access other
server in the network without logging into each of them. If configure an
SSO server, also configure the auto signon rules table.
Enter the name of the object or click Select to select it from a list or to
create a new object. For more information, see Add or Edit Single Sign
On Server Dialog Boxes, page 28-44.
Enable HTTP Compression Whether to allow an HTTP compressed object to be cached on the
security appliance.
Auto Signon Rules table If you configure a single sign on server, the auto signon rules table
contains the rules that determine which internal servers are provided
the users credentials. Thus, you can provide single sign on for some
servers in your network but not others.
Each rule is an allow rule, and indicates the IP address, subnet, or
Universal Resource Identifier (URI) that identifies the server, and the
type of authentication that will be sent to the server when the user tries
to access it (either basic HTML, NTLM, FTP, or all of these). The rules
are processed in order, top to bottom, and the first match is applied.
Therefore, be sure to order the rules correctly using the up and down
arrow buttons.
If the user accesses a server that is not identified in one of these rules,
the user must log into the server to gain access.
To add a rule, click the Add Row button to open the Add or Edit
Auto Signon Rules Dialog Box, page 28-17.
To edit a rule, select it and click the Edit Row button.
To delete a rule, select it and click the Delete Row button.
Portal Page Customization The name of the SSL VPN customization policy object that defines the
appearance of the portal web page. The portal page allows the remote
user access to all the resources available on the SSL VPN network. If
you do not specify an object, the default page appearance is used.
Enter the name of the object or click Select to select it from a list or to
create a new object. For more information, see Configuring ASA Portal
Appearance Using SSL VPN Customization Objects, page 26-63.
Element Description
User Storage Location The location where personalized user information is stored between
clientless SSL VPN sessions. If you do not specify a location,
information is not stored between sessions. Stored information is
encrypted.
Enter a file system designation in the following format:
protocol://username:password@host:port/path
Where protocol is the protocol of the server, username and password
are a valid user account on the server, and host is the name of the server.
Also indicate the port number (if you do not use the default for the
protocol) and directory path of the location on the server to use. For
example:
cifs://newuser:12345678@anyfiler02a/new_share
Storage Key The storage key used to protect data stored between sessions. Spaces
are not supported.
Post Max Size The maximum size allowed for a posted object. The range is 0 through
2147483647 (which is the default). Specify 0 to prevent posting.
Upload Max Size The maximum size allowed for a uploaded object. The range is 0
through 2147483647 (which is the default). Specify 0 to prevent
uploading.
Download Max Size The maximum size allowed for a downloaded object. The range is 0
through 2147483647 (which is the default). Specify 0 to prevent
downloads.
Navigation Path
Open the ASA Group Policies SSL VPN Settings, page 28-15, then click Create, or select an item in the
table and click Edit.
Field Reference
Element Description
Allow IP Select this option to configure an IP address or subnet for the rule. Any
server within this subnet is supplied the specified login credentials.
To enter the IP address of a single server, enter the full IP address
and use 255.255.255.255 as the subnet mask.
To specify a subnet, enter the network address and subnet mask, for
example, IP address 10.100.10.0 mask 255.255.255.0.
If you want the appliance to send credentials to any internal server
the user tries to access, create rules for all of your internal
networks. You might be able to do this with a single rule.
Allow URI Select this option to configure a Universal Resource Identifier (URI)
for the rule. This identifies the internal server based on URI rather than
IP address. For example, https://*.example.com/* creates a rule for all
web pages on any server in the example.com domain. Use the asterisk
as a wildcard to apply to zero or more characters.
Authentication Type The type of credentials that the security appliance will pass on to the
servers covered by this rule: Basic HTML, NTLM (NT LAN Manager)
authentication, FTP, or all of these methods.
The default option is All. Use the default unless you want to limit logins
to a certain type.
Navigation Path
Select DNS/WINS from the table of contents in the ASA Group Policies Dialog Box, page 28-1.
Field Reference
Element Description
Primary DNS Server The IP address of the primary DNS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Secondary DNS Server The IP address of the secondary DNS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Primary WINS Server The IP address of the primary WINS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Element Description
Secondary WINS Server The IP address of the primary WINS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
DHCP Network Scope The scope of the DHCP network for the group. Enter the IP network
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Default Domain The default domain name for the group. The default, blank, is none.
Tip For optimum security, we recommend that you not enable split tunneling.
Navigation Path
Select Split Tunneling from the table of contents in the ASA Group Policies Dialog Box, page 28-1.
Field Reference
Element Description
DNS Names A list of domain names to be resolved through the split tunnel. All other
names are resolved using the public DNS server. If you do not enter a
list, the list is inherited from the default group policy.
Separate multiple entries with spaces or commas. The entire string can
be a maximum of 255 characters.
Tunnel Option The policy you want to enable for split tunneling:
Disabled(Default) No traffic goes in the clear or to any other
destination than the security appliance. Remote users reach
networks through the corporate network and do not have access to
local networks.
Tunnel Specified TrafficTunnel all traffic from or to the
networks permitted in the network ACL. Traffic to all other
addresses travels in the clear and is routed by the remote users
Internet service provider.
Exclude Specified TrafficTraffic goes in the clear from and to the
networks permitted in the network ACL. This is useful for remote
users who want to access devices on their local network, such as
printers, while they are connected to the corporate network through
a tunnel. This option applies only to the Cisco VPN Client.
Networks The name of a standard access control list policy object that identifies
the networks that require traffic to travel across the tunnel and those
that do not require tunneling. How permit and deny are interpreted
depends on your selection for Tunnel Option.
Enter the name of the object, or click Select to select it from a list or to
create a new object. If you do not specify an ACL, the network list is
inherited from the default group policy.
Navigation Path
Select Connection Settings from the table of contents in the ASA Group Policies Dialog Box,
page 28-1.
Field Reference
Element Description
Filter ACL The name of the extended access control list (ACL) policy object to use
to restrict user access to the VPN. Enter the name of the object or click
Select to select it from a list or to create a new object.
Banner Text The banner, or welcome text, to display on remote clients when they
connect to the VPN. You can enter up to 500 characters.
Access hours The name of a time range policy object that specifies the times that
users are allowed to access the VPN. If you do not specify a time range,
users can access the VPN at all times. Specify a time range if you want
to limit access to the network to certain hours, such as the typical work
days and work hours for your organization.
Enter the name of the object or click Select to select it from a list or to
create a new object. For more information, see Configuring Time Range
Objects, page 6-53.
Max Simultaneous Logins The number of simultaneous logins a single user is allowed. Values are
0-2147483647. The default is 3. Specify 0 to disable logins and prevent
user access.
Max Connection Time The maximum amount of time a user is allowed to be connected to the
VPN. Select one of the following:
Specified Connection timeUse the maximum time value that you
enter. Values are 1-35791394 minutes. After the time is exceeded,
the security appliance closes the connection.
Unlimited Connection timeThe security appliance does not close
connections based on connection time.
Idle Timeout The amount of time a user is allowed to be connected to the VPN while
the connection is idle, that is, there is no communication activity. Select
one of the following:
Specified TimeoutUse the time out value you enter. Values are
1-4473924 minutes. When the idle time is exceeded, the security
appliance closes the connection. The default is 30 minutes.
Unlimited TimeoutThe security appliance does not close idle
connections.
This policy object uses the Secure Desktop Manager application to configure the settings. For an example
of configuring settings, see Cisco Secure Desktop on IOS Configuration Example Using SDM at
http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7b.sht
ml. The first part of the configuration example explains setting up SDM, which you can ignore. Instead,
look for the sections that describe setting up Windows locations midway through the example. The
screen shots will help you identify when you are looking at CSD configuration.
Navigation Path
Select Tools > Policy Object Manager, then select Cisco Secure Desktop (Router) from the Object
Type Selector. Right-click inside the work area and select New Object, or right-click a row and select
Edit Object.
Related Topics
Creating Cisco Secure Desktop Configuration Objects, page 26-61
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are not
case-sensitive. For more information, see Creating Policy Objects, page 6-6.
Description An optional description of the object (up to 1024 characters).
Windows Location Settings
Windows Locations The names of the locations that you want to configure for Windows clients
connecting from specific locations, such as Work, Home, or Insecure.
When you create a location, an item for the location is added to the table of
contents, where you can select the settings folders related to the location and
configure its properties. The settings include a definition of how to
determine if a client is connecting from that particular location.
For each location you want to configure, enter its name in the Location to
Add field and click Add to move it to the Locations list.
You can reorder the locations using the Move Up/Move Down buttons. CSD
checks locations in the order listed in this dialog box, and grants privileges
to client PCs based on the first location definition they match. You can create
a default location, such as Insecure, as the final location and configure the
strictest security for it. For more information, see Creating Cisco Secure
Desktop Configuration Objects, page 26-61.
Close all open Whether to close all the open browser windows after installing the Secure
browser windows Desktop application.
after installation
Table 28-14 Add or Edit Secure Desktop Configuration Dialog Box (Continued)
Element Description
VPN Feature Policy Select the check boxes to enable these features if installation or location
matching fails:
Web Browsing
File Access
Port Forwarding
Full Tunneling
Windows CE
VPN Feature Policy The Windows CE options enable you to configure a VPN feature policy to
enable or restrict web browsing and remote server file access for remote
clients running Microsoft Windows CE. You cannot configure locations for
these clients.
Mac and Linux Cache Cleaner
Launch Cleanup Upon Whether to set a global timeout after which CSD launches the cache cleaner.
Global Timeout Select a timeout (the default is 30 minutes), and select whether to allow the
user to reset the timeout value.
Launch Cleanup Upon Whether to start the cache cleaner when the user closes all web
Exiting of Browser browser windows.
Enable Canceling Whether to allow the remote user to cancel the cleaning of the cache.
of Cleaning
Secure Delete The number of passes for CSD to perform a secure cleanup. The default is 1
pass.
CSD encrypts and writes the cache to the remote clients disk. Upon
termination of the Secure Desktop, CSD converts all bits occupied by the
cache to all 0s, then to all 1s, and then to randomized 0s and 1s.
Enable Web Browsing Whether to allow web browsing (but not other remote access features) if the
if Mac or Linux cache cleaner installation fails.
Installation Fails
VPN Feature Policy Whether to allow web browsing, remote server file access, and port
forwarding for Macintosh and Linux clients. Port forwarding permits the use
of the Secure Desktop to connect a client application installed on the local
PC to the TCP/IP port of a peer application on a remote server.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
the challenge, the response is forwarded to the IPsec peers for an additional level of authentication. You
can save the Xauth credentials (username and password) on the device itself so you do not need to enter
them manually each time the Easy VPN tunnel is established.
Navigation Path
Select Tools > Policy Object Manager, then select Credentials from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
Easy VPN and IKE Extended Authentication (Xauth)
Client Connection Characteristics Page, page 24-15
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are not
case-sensitive. For more information, see Creating Policy Objects, page 6-6.
Description An optional description of the object (up to 1024 characters).
Username The name that will be used to identify the user during Xauth authentication.
Password The password for the user, entered in both fields. The password must be
alphanumeric and a maximum of 128 characters. Spaces are not allowed.
Confirm
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Tip Before you can add a file to a file object, you must copy the file to the Security Manager server.
You cannot select files from a network server or your workstation. Do not copy the file directly to the
file repository.
When you create a file object, Security Manager makes a copy of the file in its storage system. These
files are backed up whenever you create a backup of the Security Manager database, and they are restored
if you restore the database. When you deploy configurations that specify a file object, the associated file
is download to the device in the appropriate directory.
After you create a file object, you typically should not edit it. If you need to replace the file, edit the file
object to select the new file, or create a new file object. If the file is editable, you can edit the file object
to identify the files location in the file repository, and use the desired editor to open and edit the file
outside of Security Manager. The file repository is the CSCOpx\MDC\FileRepository folder in the
installation directory (typically, C:\Program Files). The files are organized in subfolders named for the
file type.
When you delete a file object, the associated file is not deleted from the file repository.
Navigation Path
Select Tools > Policy Object Manager, then select File Objects from the Object Type Selector.
Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Related Topics
Understanding and Managing SSL VPN Support Files, page 26-5
Configuring SSL VPN Client Settings, page 26-57
Defining Browser Plug-ins, page 26-55
Configuring Cisco Secure Desktop Policies on ASA Devices, page 26-26
SSL VPN Customization Dialog BoxInformational Panel, page 28-56
SSL VPN Customization Dialog BoxTitle Panel, page 28-52
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are not
case-sensitive. For more information, see Creating Policy Objects, page 6-6.
If you do not enter a name, the name of the file is used for the object name.
Description An optional description of the object.
File Type The type of file. If you create the object while configuring a policy, the
correct file type is pre-selected. Options are:
ImageFor graphic files.
Cisco Secure Desktop Package
Plug-InFor browser plug-in files.
AnyConnect Profile
AnyConnect Image
Table 28-16 Add and Edit File Object Dialog Boxes (Continued)
Element Description
File The name and full path of the file. The file must be on the Security Manager
server. Click Browse to select the file.
For file objects that you are editing, the path indicates the location in the
Security Manager file repository.
Tip Security Manager comes with a number of files that you can use with
SSL VPN configurations. If you are creating a file object for
Anyconnect images or profiles, Cisco Secure Desktop clients, or
plug-ins, you can find some files in the C:\Program
Files\CSCOpx\objects\sslvpn folder.
File Name on Device The file name you want to use when the file is downloaded to the device
when you deploy policies. The default is to use the same file name as the
original file.
If the object was created by discovering policies from the device, this field
uses the original name of the file as it existed on the device. This might not
be the same name as it exists on the Security Manager server if the original
name duplicated existing file names on the server.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Navigation Path
Select Tools > Policy Object Manager, then select IKE Proposals from the Object Type Selector.
Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Tip You can also access this dialog box by selecting a device, selecting Remote Access VPN > IPSec VPN
> IKE Proposal, and clicking the Add or Edit button.
Related Topics
Creating Policy Objects, page 6-6
Policy Object Manager Window, page 6-3
Add or Edit IPSec Transform Set Dialog Box, page 28-28
Field Reference
Element Description
Name The name of the policy object. A maximum of 128 characters is allowed.
Description A description of the policy object. A maximum of 1024 characters is allowed.
Priority The priority value of the IKE proposal. The priority value determines the
order of the IKE proposals compared by the two negotiating peers when
attempting to find a common security association (SA). If the remote IPsec
peer does not support the parameters selected in your first priority policy, the
device tries to use the parameters defined in the policy with the next lowest
priority number.
Valid values range from 1 to 10000. The lower the number, the higher the
priority. If you leave this field blank, Security Manager assigns the lowest
unassigned value starting with 1, then 5, then continuing in increments of 5.
Encryption Algorithm The encryption algorithm used to establish the Phase 1 SA for protecting
Phase 2 negotiations:
AES-128Encrypts according to the Advanced Encryption Standard
using 128-bit keys.
AES-192Encrypts according to the Advanced Encryption Standard
using 192-bit keys.
AES-256Encrypts according to the Advanced Encryption Standard
using 256-bit keys.
DESEncrypts according to the Data Encryption Standard using
56-bit keys.
3DESEncrypts three times using 56-bit keys. 3DES is more secure
than DES, but requires more processing for encryption and decryption.
It is less secure than AES. A 3DES license is required to use this option.
Hash Algorithm The hash algorithm used in the IKE proposal. The hash algorithm creates a
message digest, which is used to ensure message integrity. Options are:
SHA (Secure Hash Algorithm)Produces a 160-bit digest. SHA is
more resistant to brute-force attacks than MD5.
MD5 (Message Digest 5)Produces a 128-bit digest. MD5 uses less
processing time than SHA.
Element Description
Modulus Group The Diffie-Hellman group to use for deriving a shared secret between the
two IPsec peers without transmitting it to each other. A larger modulus
provides higher security but requires more processing time. The two peers
must have a matching modulus group. Options are:
1Diffie-Hellman Group 1 (768-bit modulus).
2Diffie-Hellman Group 2 (1024-bit modulus).
5Diffie-Hellman Group 5 (1536-bit modulus, considered good
protection for 128-bit keys, but group 14 is better).
7Diffie-Hellman Group 7 (163-bit elliptical curve field size).
14Diffie-Hellman Group 14 (2048-bit modulus, considered good
protection for 128-bit keys).
15Diffie-Hellman Group 15 (3072-bit modulus, considered good
protection for 192-bit keys).
16Diffie-Hellman Group 16 (4096-bit modulus, considered good
protection for 256-bit keys).
Lifetime The lifetime of the security association (SA), in seconds. When the lifetime
is exceeded, the SA expires and must be renegotiated between the two peers.
As a general rule, the shorter the lifetime (up to a point), the more secure
your IKE negotiations will be. However, with longer lifetimes, future IPsec
security associations can be set up more quickly than with shorter lifetimes.
You can specify a value from 60 to 86400 seconds.
Authentication Method The method of authentication to use between the two peers:
Preshared KeyPreshared keys allow for a secret key to be shared
between two peers and used by IKE during the authentication phase. If
one of the participating peers is not configured with the same preshared
key, the IKE SA cannot be established.
CertificateAn authentication method in which RSA key pairs are used
to sign and encrypt IKE key management messages. This method
provides non-repudiation of communication between two peers, meaning
that it can be proved that the communication actually took place. When
you use this authentication method, the peers are configured to obtain
digital certificates from a Certification Authority (CA).
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
types. Additionally, you can select whether to include compression in the transform set. During IPSec
security association negotiation, the peers agree to use a particular transform set when protecting a
particular data flow.
Two different security protocols are included within the IPSec standard:
Encapsulating Security Protocol (ESP)Provides authentication, encryption, and anti-replay
services. ESP is IP protocol type 50.
Authentication Header (AH)Provides authentication and anti-replay services. AH does not
provide encryption and has largely been superseded by ESP. AH is IP protocol type 51.
Navigation Path
Select Tools > Policy Object Manager, then select IPSec Transform Sets from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
About Transform Sets, page 22-7
IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75
IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77
Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
Configuring IPsec Proposals, page 22-9
Configuring an IPsec Proposal for Easy VPN, page 24-5
Policy Object Manager Window, page 6-3
Add or Edit IKE Proposal Dialog Box, page 28-26
Creating Policy Objects, page 6-6
Field Reference
Element Description
Name The name of the policy object. A maximum of 128 characters is allowed.
Description A description of the policy object. A maximum of 1024 characters is allowed.
Element Description
Mode The mode in which the IPSec tunnel operates:
TunnelTunnel mode encapsulates the entire IP packet. The IPSec
header is added between the original IP header and a new IP header. This
is the default.
Use tunnel mode when the firewall is protecting traffic to and from hosts
positioned behind the firewall. Tunnel mode is the normal way regular
IPSec is implemented between two firewalls (or other security gateways)
that are connected over an untrusted network, such as the Internet.
TransportTransport mode encapsulates only the upper-layer protocols
of an IP packet. The IPSec header is inserted between the IP header and
the upper-layer protocol header (such as TCP).
Transport mode requires that both the source and destination hosts
support IPSec, and can only be used when the destination peer of the
tunnel is the final destination of the IP packet. Transport mode is
generally used only when protecting a Layer 2 or Layer 3 tunneling
protocol such as GRE, L2TP, and DLSW.
ESP Encryption The Encapsulating Security Protocol (ESP) encryption algorithm that the
transform set should use:
(Blank)Do not use ESP encryption.
DESEncrypts according to the Data Encryption Standard using
56-bit keys.
3DESEncrypts three times using 56-bit keys. 3DES is more secure
than DES, but requires more processing for encryption and decryption.
A 3DES license is required to use this option.
AES-128Encrypts according to the Advanced Encryption Standard
using 128-bit keys.
AES-192Encrypts according to the Advanced Encryption Standard
using 192-bit keys.
AES-256Encrypts according to the Advanced Encryption Standard
using 256-bit keys.
ESP-NullA null encryption algorithm. Transform sets defined with
ESP-Null provide authentication without encryption; this is typically
used for testing purposes only.
Element Description
ESP Hash Algorithm The ESP or AH hash algorithm to use in the transform set for
AH Hash Algorithm authentication. The default is to use SHA for ESP authentication and to
not use AH authentication.
NoneDoes not perform ESP or AH authentication.
SHA (Secure Hash Algorithm)Produces a 160-bit digest. SHA is
more resistant to brute-force attacks than MD5, but requires more
processing time.
MD5 (Message Digest 5)Produces a 128-bit digest. MD5 uses less
processing time than SHA, but is less secure.
Note We recommend using both encryption and authentication on
IPSec tunnels.
Compression Whether to compress the data in the IPSec tunnel using the Lempel-Ziv-Stac
(LZS) algorithm.
(IOS devices only.)
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Navigation Path
Select Tools > Policy Object Manager, then select LDAP Attribute Map from the Object Type
selector. Right-click inside the table and select New Object, or right-click a row and select Edit Object.
Related Topics
Creating AAA Server Objects, page 6-25
AAA Server Dialog BoxLDAP Settings, page 6-32
Field Reference
Table 28-19 Add and Edit LDAP Attribute Map Dialog Boxes
Element Description
Name The object name, which can be up to 128 characters. Object names are not
case-sensitive. For more information, see Creating Policy Objects, page 6-6.
Description An optional description of the object.
Attribute Map table The table shows the mapped values. Each entry shows the customer map
name, Cisco map name, and the attribute mapping of customer name to
Cisco name.
To add a mapping, click the Add Row button to open the Add and Edit
LDAP Attribute Map Value Dialog Boxes, page 28-32.
To edit a mapping, select it and click the Edit Row button.
To delete a mapping, select it and click the Delete Row button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
From the Add and Edit LDAP Attribute Map Dialog Boxes, page 28-31, click the Add Row button to
add a new mapping, or select a row and click the Edit Row button.
Field Reference
Table 28-20 Add and Edit LDAP Attribute Map Value Dialog Boxes
Element Description
Customer Map Name The name of your attribute map that relates to the Cisco map.
Cisco Map Name The Cisco attribute map name you want to map to the customer map name.
Customer to Cisco Map The mappings of customer names to Cisco names.
Value table To add a mapping, click the Add Row button to open the Add and Edit
Map Value Dialog Boxes, page 28-33.
To edit a mapping, select it and click the Edit Row button.
To delete a mapping, select it and click the Delete Row button.
Navigation Path
From the Add and Edit LDAP Attribute Map Value Dialog Boxes, page 28-32, click the Add Row button
to add a new mapping, or select a row and click the Edit Row button.
Note You do not have to define enrollment parameters in order to create or import a trustpoint in
Security Manager.
Navigation Path
Select Tools > Policy Object Manager, then select PKI Enrollments from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Tip You can also open this dialog box from the Remote Access VPN > Public Key Infrastructure policy.
Related Topics
Understanding Public Key Infrastructure Policies, page 22-26
Prerequisites for Successful PKI Enrollment, page 22-28
Configuring Public Key Infrastructure Policies, page 26-33
Configuring Public Key Infrastructure Policies, page 22-31 (site-to-site VPN)
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
CA Information tab Use this tab to enter settings related to the Certificate Authority server,
its certificate, and its level of revocation checking support. For
information on the specific settings, see PKI Enrollment Dialog
BoxCA Information Tab, page 28-35.
Enrollment Parameters tab Use this tab to enter settings related to PKI enrollment. For information
on the specific settings, see PKI Enrollment Dialog BoxEnrollment
Parameters Tab, page 28-39.
Note You do not have to define enrollment parameters in order to
create or import a trustpoint in Security Manager.
Certificate Subject Name tab Use this tab to enter optional information to be included in the
certificate, including subject attributes. For information on the specific
settings, see PKI Enrollment Dialog BoxCertificate Subject Name
Tab, page 28-40.
Trusted CA Hierarchy tab Use this tab to define trusted CA servers that are arranged in a
hierarchical framework. For information on the specific settings, see
PKI Enrollment Dialog BoxTrusted CA Hierarchy Tab, page 28-42.
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
Go to the PKI Enrollment Dialog Box, page 28-33 and click the CA Information tab.
Related Topics
PKI Enrollment Dialog BoxEnrollment Parameters Tab, page 28-39
PKI Enrollment Dialog BoxCertificate Subject Name Tab, page 28-40
PKI Enrollment Dialog BoxTrusted CA Hierarchy Tab, page 28-42
Field Reference
Element Description
CA Server Nickname The name used to identify the CA server in the certificate request. If you
leave this field blank, the domain name is used. You must leave this field
blank for Verisign CAs. Also, keep the following in mind:
You cannot configure two CA servers with the same name but different
URLs on the same device.
The CA name cannot match the name of a trusted CA configured as part
of the same PKI enrollment object (as defined on the PKI Enrollment
Dialog BoxTrusted CA Hierarchy Tab, page 28-42).
When the device is configured as part of a VPN, do not configure a
device-level override that uses the same CA name as that of the CA
server used by any of the peers. (This is not a problem when the device
and its peers use a tiered PKI hierarchy.)
Element Description
Enrollment Type The type of enrollment you want to perform. Security Manager completes the
enrollment only if you configure URL enrollment. If you select another type,
you must complete the enrollment using your own methods.
Self-Signed Certificate (ASA only)To configure the enrollment
self command.
Terminal (ASA only)To configure the enrollment terminal command.
URLTo configure the URL for the CA server so that you can complete
automatic enrollment.
NoneDo not configure any enrollment command.
Enrollment URL The URL of the CA server to which devices should attempt to enroll. The
URL can be in the following formats:
SCEPUses an HTTP URL in the form of http://CA_name:port,
where CA_name is the host DNS name or IP address of the CA server.
The port number is mandatory.
TFTPUses the format tftp://certserver/file_specification. Use this
option when you do not have direct access to the CA server. The TFTP
server transfers certificate requests and certificates.
Other supported formats include: bootflash, cns, flash, ftp, null, nvram,
rcp, scp, system.
Note If the CA cgi-bin script location at the CA is not the default
(/cgi-bin/pkiclient.exe), you must also include the nonstandard script
location in the URL, in the form of
http://CA_name:port/script_location, where script_location is the
full path to the CA scripts.
Element Description
CA Certificate Source How to obtain the certificate:
Fingerprint Retrieve CA Certificate Using SCEP (the default)Have the router
retrieve the certificate from the CA server using the Simple Certificate
Certificate
Enrollment Process (SCEP). Enter the fingerprint for the CA server in
(URL enrollment only.) hexadecimal format. If the value you enter does not match the
fingerprint on the certificate, the certificate is rejected.
Using the fingerprint to verify the authenticity of the CAs certificate
helps prevent an unauthorized party from substituting a fake certificate
in place of the real one.
Tip You can obtain the CAs fingerprint by contacting the server directly,
or by entering the following address in a web browser:
http://URLHostName/certsrv/mscep/mscep.dll. Using the
fingerprint is supported only on Cisco IOS software releases
12.3(12) or higher, 12.3(14)T or higher, 12.4 or higher,
12.2(33)XNA or higher.
Element Description
Revocation The type of certificate revocation checking to be performed:
Check Support Checking Not PerformedThis is the default. The device does not
perform any revocation checking, even if a CRL is on the device.
CRL Check RequiredThe device must check a CRL. If no CRL exists
on the device and the device cannot obtain one, certificates are rejected
and a tunnel cannot be established. This is the default.
OCSP Check RequiredThe device must check revocation status from
an OCSP server. If this check fails, certificates are rejected.
CRL Check AttemptedThe device tries to download the latest CRL
from the specified LDAP server. If the download fails, however,
certificates are accepted.
OCSP Check AttemptedThe device tries to check revocation status
from an OCSP server. If this fails, however, certificates are accepted.
CRL or OCSP Check RequiredThe device first checks for a CRL. If a
CRL does not exist or cannot be obtained, the device tries to check
revocation status from an OCSP server. If both options fail, certificates
are rejected.
OCSP or CRL Check RequiredThe device first tries to check
revocation status from an OCSP server. If this fails, the device checks
for a CRL. If both options fail, certificates are rejected.
CRL and OCSP Checks AttemptedThe device first checks for a CRL.
If a CRL does not exist or cannot be obtained, the device tries to check
revocation status from an OCSP server. If both options fail, however,
certificates are accepted.
OCSP and CRL Checks AttemptedThe device first tries to check
revocation status from an OCSP server. If this fails, the device tries
to download the latest CRL. If both options fail, however, certificates
are accepted.
OCSP Server URL The URL of the OCSP server checking for revocation if you require OCSP
checks. This URL must start with http://
CRL Server URL The URL of the LDAP server from which the CRL can be downloaded if you
require CRL checks. This URL must start with ldap://
Note You must include a port number in the URL when using this AAA
server on ASA devices, otherwise LDAP will fail.
Enable Registration For PIX 6.3 devices, whether the CA server operates in RA (Registration
Authority Mode Authority) mode. A Registration Authority is a server that acts as a proxy for
(PIX 6.3) the actual CA so that CA operations can continue when the CA server is offline.
Note Cisco IOS routers configure RA mode automatically, if required.
Note You do not have to define enrollment parameters in order to create or import a trustpoint in
Security Manager.
Navigation Path
Go to the PKI Enrollment Dialog Box, page 28-33 and click the Enrollment Parameters tab.
Related Topics
PKI Enrollment Dialog BoxCA Information Tab, page 28-35
PKI Enrollment Dialog BoxCertificate Subject Name Tab, page 28-40
PKI Enrollment Dialog BoxTrusted CA Hierarchy Tab, page 28-42
Field Reference
Element Description
Challenge Password The password used by the CA server to validate the identity of the device.
This password is mandatory for PIX 6.3 devices, but optional for PIX/ASA
7.0+ devices and Cisco IOS routers.
You can obtain the password by contacting the CA server directly or by
entering the following address in a web browser:
http://URLHostName/certsrv/mscep/mscep.dll. The password is good for
60 minutes from the time you obtain it from the CA server. Therefore, it is
important that you deploy the password as soon as possible after you create it.
Note Each password is valid for a single enrollment by a single device.
Therefore, we do not recommend that you assign a PKI enrollment
object where this field is defined to a VPN, unless you first configure
a device-level override for each device in the VPN. For more
information, see Understanding Policy Object Overrides for
Individual Devices, page 6-13.
Retry Period The interval between certificate request attempts, in minutes. Values can be
1 to 60 minutes. The default is 1 minute.
Retry Count The number of retries that should be made if no certificate is issued upon the
first request. Values can be 1 to 100. The default is 10.
Element Description
Certificate The percentage of the current certificates lifetime after which the router
Auto-Enrollment requests a new certificate. For example, if you enter 70, the router requests
(IOS devices only.) a new certificate after 70% of the lifetime of the current certificate has been
reached. Values range from 10% to 100%.
If you do not specify a value, the router requests a new certificate after the
old certificate expires.
Include Devices Whether to include the serial number of the device in the certificate.
Serial Number Tip The CA uses the serial number to either authenticate certificates or to
later associate a certificate with a particular device. If you are in doubt,
include the serial number, as it is useful for debugging purposes.
RSA Key Pair Name If the key pair you want to associate with the certificate already exists, this
field specifies the name of that key pair.
(PIX 7.0+, ASA, IOS
devices only.) If the key pair does not exist, this field specifies the name to assign to the key
pair that will be generated during enrollment.
Note If you do not specify an RSA key pair, the fully qualified domain
name (FQDN) key pair is used instead. On PIX and ASA devices, the
key pair must exist on the device before deployment.
RSA Key Size If the key pair does not exist, defines the desired key size (modulus), in bits.
If you want a modulus between 512 and 1024, enter an integer that is a
(IOS devices only.)
multiple of 64. If you want a value higher than 1024, enter 1536 or 2048. The
recommended size is 1024.
Note The larger the modulus size, the more secure the key. However, keys
with larger modulus sizes take longer to generate (a minute or more
when larger than 512 bits) and longer to process when exchanged.
RSA Encryption The size of the second key, which is used to request separate encryption,
Key Size signature keys, and certificates.
(IOS devices only.)
Source Interface The source address for all outgoing connections sent to a CA or LDAP server
during authentication, enrollment, and when obtaining a revocation list. This
(IOS devices only.)
parameter may be necessary when the CA server or LDAP server cannot
respond to the address from which the connection originated (for example,
due to a firewall).
If you do not define a value in this field, the address of the outgoing interface
is used.
Enter the name of an interface or interface role, or click Select to select it. If
the object that you want is not listed, click the Create button to create it.
Navigation Path
Go to the PKI Enrollment Dialog Box, page 28-33 and click the Certificate Subject Name tab.
Related Topics
PKI Enrollment Dialog BoxCA Information Tab, page 28-35
PKI Enrollment Dialog BoxEnrollment Parameters Tab, page 28-39
PKI Enrollment Dialog BoxTrusted CA Hierarchy Tab, page 28-42
Field Reference
Element Description
Include Devices FQDN Whether to include the devices fully qualified domain name (FQDN)
in the certificate request.
The name is taken from the Hostname policy (ensure that you specify
both the hostname and domain name in the policy to get a valid
full-qualified domain name). If you do not configure the Hostname
policy, the name is derived from the display name for the device in
Security Manager, display_name.null, which is unlikely to give you the
desired results.
Include Devices IP Address The interface whose IP address is included in the certificate request.
Enter the name of the interface or interface role, or click Select to select
it. If the object that you want is not listed, click the Create button to
create it.
Common Name (CN) The X.500 common name to include in the certificate.
Organization Unit (OU) The name of the organization unit (for example, a department name) to
include in the certificate.
Note When you configure PKI server objects for Cisco EzVPN
Remote components, this field must contain the name of the
client group to which the component connects. Otherwise, the
component will not be able to connect. Although this
information is not required for the EzVPN Server, including it
does not create configuration problems. For more information
about EzVPN, see Understanding Easy VPN, page 24-1.
Organization (O) The organization or company name to include in the certificate.
Locality (L) The locality to include in the certificate.
State (ST) The state or province to include in the certificate.
Country (C) The country to include in the certificate.
Email (E) The email address to include in the certificate.
Navigation Path
Go to the PKI Enrollment Dialog Box, page 28-33 and click the Trusted CA Hierarchy tab.
Related Topics
PKI Enrollment Dialog BoxCA Information Tab, page 28-35
PKI Enrollment Dialog BoxEnrollment Parameters Tab, page 28-39
PKI Enrollment Dialog BoxCertificate Subject Name Tab, page 28-40
Navigation Path
Select Tools > Policy Object Manager, then select Port Forwarding List from the Object Type
Selector. Right-click inside the work area and select New Object or right-click a row and select
Edit Object.
Related Topics
SSL VPN Access Modes, page 26-4
ASA Group Policies SSL VPN Clientless Settings, page 28-11
User Group Dialog BoxThin Client Settings, page 28-79
Clientless and Thin Client Access Modes Page, page 27-8
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Port Forwarding List table The port forwarding entries that are defined in the object. The entries
show the mapping of the local port to the remote server and port.
To add a mapping, click the Add Row button to open the Add or
Edit A Port Forwarding Entry Dialog Box, page 28-43.
To edit a mapping, select it and click the Edit Row button.
To delete a mapping, select it and click the Delete Row button.
Include Port The names of other port forwarding list objects to include in the object.
Forwarding Lists Enter the name of the object or click Select to select it from a list or to
create a new object. Separate multiple entries with commas.
When you add other port forwarding lists, the entries from those lists
are treated as if they were directly entered into this object, and the
names of the included objects are not reflected in the device
configuration commands during deployment.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
Go to the Add or Edit Port Forwarding List Dialog Boxes, page 28-42 and click the Add Row button or
select an entry and click the Edit Row button beneath the Port Forwarding List table.
Field Reference
Element Description
Local TCP Port The port number to which the local application is mapped (between 1
and 65535).
Remote Server The IP address or fully qualified domain name of the remote server.
Select the type of entry and enter the IP address or name.
IP Address
For the IP address, you can enter the name of a network/host object that
Name
specifies the remote servers IP address, or click Select to select it from
a list or to create a new object.
Remote TCP Port The port number of the application for which port forwarding is
configured (between 1 and 65535).
Description A description of the port forwarding entry. This information is
mandatory on Cisco IOS devices.
Note The SAML Browser Artifact profile method of exchanging assertions is not supported.
Navigation Path
Select Single Sign On Servers in the Policy Object Manager Window, page 6-3. Right-click inside the
work area and select New Object or right-click a row and select Edit Object.
You can also create the object when configuring an ASA user group object for SSL VPN (see ASA Group
Policies SSL VPN Settings, page 28-15).
Field Reference
Element Description
Name The object name, which must be 4 to 31 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Authentication Type The type of SSO server to use with clientless SSL VPN connections.
The other attributes on the page change based on your selection.
SiteMinderComputer Associates SiteMinder SSO server.
SAML POSTSecurity Assertion Markup Language (SAML)
Browser Post Profile server.
URL The URL of the SiteMinder SSO server to which the security appliance
(SiteMinder only.) makes authentication requests. Select whether to use HTTP or HTTPS
and enter the URL.
Tip For HTTPS communication, make sure that the SSL encryption
settings match on both the security appliance and the
SiteMinder server. On the security appliance, you can verify
this with the ssl encryption command.
Secret Key The key used to encrypt authentication communications with the
SiteMinder server, if any. The key can contain any alphanumeric
Confirm
characters. There is no minimum or maximum number of characters.
(SiteMinder only.) Enter the same key in both fields.
Tip If you enter a secret key, you must configure the same key in
the SiteMinder server using the Cisco Java plug-in
authentication scheme.
Assertion URL The URL for the SAML-type SSO assertion consumer service. Select
whether to use HTTP or HTTPS and enter the URL, which must be
(SAML POST only.)
fewer than 255 characters.
Assertion Issuer The name of the security device that is sending assertions to a
(SAML POST only.) SAML-type SSO server. This is usually the name of the security
appliance, for example, asa.example.com. The name must be fewer
than 65 characters.
Trustpoint The name of the PKI enrollment policy object that identifies the
certificate authority (CA) server that acts as the trustpoint that contains
(SAML POST only.)
the certificate to use to sign the SAML-type browser assertion. Enter
the name or click Select to select it from a list or to create a new object.
Max Retries The number of times the security appliance retries a failed SSO
authentication attempt before the authentication times out. The range is
1 to 5 retries, and the default is 3 retries.
Request Timeout The number of seconds before a failed SSO authentication attempt
times out. The range is 1 to 30 seconds, and the default is 5 seconds.
Table 28-27 Add or Edit Single Sign-On Server Dialog Box (Continued)
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override per Whether to allow the object definition to be changed at the device level.
Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select SSL VPN Bookmarks from the Object Type
Selector. Right-click inside the work area, then select New Object or right-click a row, then select
Edit Object.
Related Topics
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 26-68
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 26-70
Localizing SSL VPN Web Pages for ASA Devices, page 26-66
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Bookmarks Heading (IOS) The heading that is displayed above the URLs listed on the portal page
(IOS devices only) of an SSLVPN hosted on an IOS device.
Element Description
Bookmarks The list of bookmark entries for the object.
To change the order of an entry, select it and click the Move Up or
Move Down arrow buttons. The order of entries in the table defines
the order in which the bookmarks are presented to the user.
To add an entry, click the Add button and fill in the Add Bookmark
Entry dialog box (see Add and Edit Bookmark Entry Dialog Boxes,
page 28-47).
To edit an entry, select it and click the Edit button.
To delete an entry, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
In the Policy Object Manager, from the Add or Edit Bookmarks Dialog Boxes, right-click inside the
Bookmarks table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 26-68
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 26-70
Field Reference
Element Description
Bookmark Option Select whether you want to define a new SSL VPN Bookmark entry or
use the entries from an existing object:
Enter BookmarkYou want to define a bookmark entry.
Include Existing BookmarksYou want to include bookmark
entries defined in an existing SSL VPN Bookmark object. Enter the
name of the object or click Select to select it from a list or to create
a new object.
Title The text label that the user sees for the bookmark.
URL The Universal Resource Locator address for the bookmark. Select the
protocol for the bookmark and enter the rest of the URL in the edit box.
Advanced Group
The settings in the Advanced group are applicable only to SSL VPN portals hosted on ASA devices
running software version 8.x. Do not configure these settings for SSL VPN Bookmark objects that you
will use on other devices.
Subtitle An additional user-visible title that describes the bookmark entry.
Thumbnail The File object that represents an icon you want to associate with the
bookmark on the Portal. Enter the name of the File object or click
Select to select it from a list or to create a new object.
Authentication Access Whether to display the thumbnail only on the Portal page. If you
deselect this option, the thumbnail is also displayed on the Logon page.
Enable Favorite URL Option Whether to display the bookmark entry on the portal home page.
Deselect the check box if you want the bookmark entry to appear on the
application page only.
Enable Smart Tunnel Option Whether to open the bookmark in a new window that uses the smart
tunnel functionality to pass data to and from the security appliance.
URL Method Select the required URL method from the list:
GetSelect this option if you want simple data retrieval.
PostSelect this option when processing the data might involve
changes to it, for example, storing or updating data, ordering a
product, or sending e-mail. If you select this option, you must
configure the Post parameters in the Post Parameters table.
Post Parameters The list of the names and values of the Post parameters for the
bookmark entry.
To add a parameter, click the Add button and fill in the Add Post
Parameter dialog box (see Add and Edit Post Parameter Dialog
Boxes, page 28-49).
To edit a parameter, select it and click the Edit button.
To delete a parameter, select it and click the Delete button.
Navigation Path
In the Policy Object Manager, from the Add and Edit Bookmark Entry Dialog Boxes, right-click inside
the Post Parameters table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 26-68
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks, page 26-70
Field Reference
Element Description
Name The name of the post parameter exactly as defined in the corresponding
HTML form. For example, param_name in <input
name=param_name value=param_value>.
Value The value of the post parameter exactly as defined in the corresponding
HTML form. For example, param_value in <input
name=param_name value=param_value>.
Navigation Path
Select Tools > Policy Object Manager, then select SSL VPN Customization from the Object Type
Selector. Right-click inside the work area, then select New Object or right-click a row, then select
Edit Object.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Localizing SSL VPN Web Pages for ASA Devices, page 26-66
Creating Your Own SSL VPN Logon Page for ASA Devices, page 26-67
Field Reference
Table 28-31 Add and Edit SSL VPN Customization Dialog Boxes
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Settings Pane
The body of the dialog box is a pane with a table of contents on the left and settings related to the item
selected in the table of contents on the right. Before configuring settings, click the Preview button to
see the default settings to help you determine what, if anything, you want to change.
The top folders in the table of contents represent the SSL VPN web pages that you can customize, and
are explained next.
Logon Page The Logon web page is the one users see first when connecting to the
SSL VPN portal. It is used for logging into the VPN. Select the
following items in the Logon Page folder in the table of contents to
view and change the settings:
Logon PageThe Browser Window Title field defines the title of
the web page, which is displayed in the browsers title bar.
Title PanelThe title displayed in the web page itself. For more
information about the settings, see SSL VPN Customization
Dialog BoxTitle Panel, page 28-52.
LanguageThe languages you will support for the Logon, Portal,
and Logout pages. For more information about the settings, see
SSL VPN Customization Dialog BoxLanguage, page 28-53.
Logon FormThe labels and colors used in the form that accepts
user logon information. For more information about the settings,
see SSL VPN Customization Dialog BoxLogon Form,
page 28-55.
Informational PanelAn extra informational panel for
conveying information to users. For more information about the
settings, see SSL VPN Customization Dialog BoxInformational
Panel, page 28-56.
Copyright PanelThe copyright information on the logon page.
For more information about the settings, see SSL VPN
Customization Dialog BoxCopyright Panel, page 28-56.
Full CustomizationIf you do not want to use the security
appliances built-in logon page, even customized, you can instead
enable full customization and supply your own web page. For more
information about creating a custom Logon page and the settings,
see Creating Your Own SSL VPN Logon Page for ASA Devices,
page 26-67 and SSL VPN Customization Dialog BoxFull
Customization, page 28-57.
Table 28-31 Add and Edit SSL VPN Customization Dialog Boxes (Continued)
Element Description
Portal Page The Portal web page is the one users see after logging into the SSL
VPN; it is the home page. Select the following items in the Portal Page
folder in the table of contents to view and change the settings:
Portal PageThe Browser Window Title field defines the title of
the web page, which is displayed in the browsers title bar.
Title PanelThe title displayed in the web page itself. For more
information about the settings, see SSL VPN Customization
Dialog BoxTitle Panel, page 28-52.
ToolbarThe toolbar displayed above the main part of the Portal
page. For more information about the settings, see SSL VPN
Customization Dialog BoxToolbar, page 28-58.
ApplicationsThe application buttons that will appear on the
page. For more information about the settings, see SSL VPN
Customization Dialog BoxApplications, page 28-58.
Custom PanesThe layout of the main part of the Portal page.
The default is a single column with no internal panes. For more
information about the settings, see SSL VPN Customization
Dialog BoxCustom Panes, page 28-59.
Home PageHow and whether to display URL lists on the home
page. For more information about the settings, see SSL VPN
Customization Dialog BoxHome Page, page 28-61.
Logout Page The Logout web page is the one users see after logging out of the SSL
VPN. For more information about the settings, see SSL VPN
Customization Dialog BoxLogout Page, page 28-62.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Title Panel in the
table of contents to configure the title of the Logon page, or Portal Page > Title Panel to configure the
title of the Portal page.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Localizing SSL VPN Web Pages for ASA Devices, page 26-66
Field Reference
Element Description
Display Title Panel Whether to display a title panel within the web page. The default is to
not display a title. If you select this option, you can configure the title
using the other fields on this page.
Gradient Whether to have the background color change in a gradual progression.
Title Text The text to display in the title panel.
Font Weight The characteristics of the font used for the title text. You can select a
weight, font size, and color. Click Select to choose a font color.
Font Size
Font Color
Background Color The color of the background of the title panel. Click Select to choose
a color.
Style (CSS) Cascading Style Sheet (CSS) parameters that define the style
characteristics of the title panel. You can include a maximum of
256 characters.
Tip For more information about CSS, visit the World Wide Web
Consortium (W3C) website at www.w3.org.
Logo Image The File policy object that identifies the logo image you want to include
in the title panel, if any. Enter the name of the File object or click Select
to select it from a list or to create a new object.
Tip The image file can be a GIF, JPG, or PNG file, and it can be up
to 100 kilobytes in size.
For more information about File objects, see Add and Edit File Object
Dialog Boxes, page 28-24.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Language in the
table of contents.
Related Topics
Localizing SSL VPN Web Pages for ASA Devices, page 26-66
Add and Edit SSL VPN Customization Dialog Boxes, page 28-49
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Automatic Browser This table lists the languages you will support on the web pages for
Language Selection automatic browser language selection. Automatic browser language
select allows the ASA device to negotiate with the users web browser
to determine the language in which to present the web pages. You must
configure a translation table on the ASA device for any language you
list here. For more detailed information about automatic browser
language selection, see Localizing SSL VPN Web Pages for ASA
Devices, page 26-66.
Languages are listed by their abbreviation in the table. The languages
are evaluated top to bottom until a match is found. The language that is
indicated as the default language (indicated as True in the table) is used
if the device is unable to negotiate a different language with the
browser. If you do not specify a default, English is the default.
To add a language, click the Add Row button below the table.
To edit a language, select it and click the Edit Row button.
To delete a language, select it and click the Delete Row button.
Enable Language Selector Whether to display the Language Selector on the Logon page. The
Language Selector allows users to select their preferred language. The
Language Selector is complementary to the automatic browser
language selection capability.
Element Description
Language Selector Prompt The text label for the Language Selector prompt.
Language Table The list of languages included in the Language Selector drop-down list.
You must configure a translation table on the ASA device for any
language you list here. For more detailed information, see Localizing
SSL VPN Web Pages for ASA Devices, page 26-66.
The table lists the languages by abbreviation and title, or the common
name of the language. The title is the text displayed in the drop-down
list. You can change the language title but not the abbreviation.
To add a language, click the Add Row button below the table.
To edit a language, select it and click the Edit Row button.
To delete a language, select it and click the Delete Row button.
Navigation Path
From the SSL VPN Customization Dialog BoxLanguage page, click the Add Row button for either
the Automatic Browser Language Selection table or the Language Selector table, or select a row and
click the Edit Row button.
Related Topics
Localizing SSL VPN Web Pages for ASA Devices, page 26-66
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Language The list of languages that you can support on the browser-based
clientless SSL VPN web pages, listed by their abbreviation.
Default Whether the language should be defined as the default language for the
portal. The default language is used if the ASA device cannot negotiate
(Automatic Browser
a language with the clients browser.
Language Selection only)
Title The name of the language that should appear in the Language Selector
(Language Selector only) on the Logon page.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Logon Form in
the table of contents.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Title The text displayed as the title of the login box.
Message The message that appears in the login box above the username and
password fields. You can enter a maximum of 256 characters.
Username Prompt The text of the prompt for the username entry field.
Password Prompt The text of the prompt for the password entry field.
Secondary Username Prompt The prompts for a second username and password if you require two
login credentials. You can enable secondary authentication only if the
Secondary Password Prompt
Connection Profile policy is configured to require it.
The secondary username and password prompt are displayed only if
you configure them. If you leave the username prompt blank, the
primary username is used and the secondary password must be
associated with the primary username.
Internal Password Prompt The text of the prompt for the internal password entry field.
Show Internal Password First Whether the prompt for the internal password should be placed above
the password prompt. The internal password is required when using a
clientless SSL VPN to access an internal protected website.
Group Selector Prompt The text of the prompt for the Group Selector drop-down list.
Button Text The name of the button the user clicks to log onto the SSL VPN.
Border Color The color of the border of the login box. Click Select to choose a color.
Title Font Color The color of the font for the login box title. Click Select to choose
a color.
Title Background Color The background color for the Title area of the login box. Click Select
to choose a color.
Font Color The color of the font of the login form. Click Select to choose a color.
Background Color The background color for the login form. Click Select to choose a color.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Informational
Panel in the table of contents.
Related Topics
Add and Edit SSL VPN Customization Dialog Boxes, page 28-49
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Display Informational Panel Whether to display the Informational panel. The default is to not
display the panel. If you select this option, you can configure the panel
using the other fields on this page.
Panel Position The location of the Informational panel, either to the left of the Logon
box or to the right of it.
Text The text that appears in the Informational panel. You can enter a
maximum of 256 characters.
Logo Image The File policy object that identifies the logo image you want to include
in the Informational panel, if any. Enter the name of the File object or
click Select to select it from a list or to create a new object.
Tip The image file can be a GIF, JPG, or PNG file, and it can be up
to 100 kilobytes in size.
For more information about File objects, see Add and Edit File Object
Dialog Boxes, page 28-24.
Image Position The position of the logo image in the panel, either above the text or
below it.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Copyright Panel
in the table of contents.
Related Topics
Add and Edit SSL VPN Customization Dialog Boxes, page 28-49
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Display Copyright Panel Whether to display the Copyright panel. The default is to not display
the panel. If you select this option, you can configure the panel using
the other fields on this page.
Text The text that appears in the copyright panel. You can enter a maximum
of 256 characters.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Full
Customization in the table of contents.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Enable Full Customization Whether you want to use your own custom Logon page. If you enable
full customization, all of the other Logon page configuration settings
are ignored.
Custom Page The custom Logon page. You must copy the file to the Security
Manager server before specifying it here. Click Browse to select the
file. For information on selecting files, see Selecting or Specifying a
File or Directory on the Server File System, page 1-35.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Toolbar in the table
of contents.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Display Toolbar Whether to display the toolbar. The default is to not display the
toolbar. If you select this option, you can configure the toolbar using
the other fields on this page.
Prompt Box Title The text of the prompt for the field where users select the protocol of
the target web page and enter the URL.
Browse Button Text The name of the button the user clicks to go to the target URL.
Logout Prompt The text of the prompt for logging out of the SSL VPN.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Applications in
the table of contents.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
No. The sequential number of the application in the table. To change the
Move Up and Move Down order of an application, select it and click the Move Up or Move down
buttons (below the table) buttons to the desired position. The applications appear on the Portal
page in the order represented here.
Applications The graphic associated with an application.
Title The name of the application. Standard applications include Home, Web
Applications, Browse Networks, Application Access, and AnyConnect
Client. Also listed are the browser plug-ins that you create when you
configure the SSL VPN global settings are also available for selection
from this page.
Double-click a title to make it editable so that you can change the name.
Enable Whether the application is included on the Portal page.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Custom Panes in
the table of contents.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Columns table The list of columns that the main body of the Portal page should be
divided into. You define the column based on a percentage of the width
of the page. The percentages should add up to 100. If they do not add
up to 100, the device will adjust the column widths.
Create the columns as you want them to appear, left to right, on the
Portal page.
To add a column, click the Add Row button below the table.
To edit a column, select it and click the Edit Row button.
To delete a column, select it and click the Delete Row button.
Custom Panes table The custom panes that should appear in the main body of the Portal
page. The table shows whether a pane is enabled to appear, the type of
pane, its characteristics, and the column and row in which it will appear
on the page. The panes can display plain text or include a URL for
HTML, image, or RSS links.
For more detailed information about the settings, see Add or Edit
Custom Pane Dialog Boxes, page 28-60.
To add a custom pane, click the Add Row button below the table.
To edit a custom pane, select it and click the Edit Row button.
To delete a custom pane, select it and click the Delete Row button.
Navigation Path
From the SSL VPN Customization Dialog BoxCustom Panes page, click the Add Row button in the
Column table, or select a column and click the Edit Row button.
Navigation Path
From the SSL VPN Customization Dialog BoxCustom Panes page, click the Add Row button in the
Custom Pane table, or select a pane and click the Edit Row button.
Field Reference
Element Description
Enable Whether to display the custom pane on the Portal page.
Type The type of content to show in the pane, one of:
TextPlain text. You can include HTML mark up.
HTMLHTML content provided by a URL.
ImageAn Image provided by a URL.
RSSAn RSS feed provided by a URL.
Show Title Whether to display a title in the pane. If you select this option, enter the
Title title in the Title field.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Home Page in the
table of contents.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Enable Custom Intranet Web Whether to display a custom Intranet web page, which also enables
Page URL bookmarks to be displayed on the Portal page. If you select this
option, you can configure the panel using the other fields on this page.
URL List Mode How you want to display URL lists on the home page. If you display
URL lists, they are displayed in the column cells that are not occupied
by custom panes (as configured on Portal Page > Custom Panes). The
options are:
Group By ApplicationBookmarks are grouped by application
type. For example, Web Bookmarks, File Bookmarks.
No GroupURL lists are shown as separate panes.
Do Not DisplayURL lists are not shown.
Custom Intranet Web The URL of the custom web page that you want to be loaded as the
Page URL home page. This page is displayed in the main body of the Portal page.
If you specify a custom page, the settings on the Custom Panes page are
ignored, and bookmark lists appear on the application pages that are
accessed through the navigation panel on the left of the Portal page.
Navigation Path
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logout Page in the table of
contents.
Related Topics
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Element Description
Title The text to display in the title panel.
Text The message to display on the Logout page. Click Preview to see the
default logout message. You can enter a maximum of 256 characters.
Show Login Button Whether to display the Login button on the page. Displaying the button
Login Button Text makes it easier for the user to log back into the portal.
If you enable the button, you can specify the name of the button in the
Login Button Text field.
Element Description
Border Color The color of the border around the logout box. Click Select to choose
a color.
Title Font Color The color of the font and background for the title area of the page. Click
Select to choose a color.
Title Background Color
Font Color The font and background color of the message that appears in the logout
box. Click Select to choose a color.
Background Color
Navigation Path
Select Tools > Policy Object Manager, then select SSL VPN Gateway from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
Gateway and Context Page (IOS), page 27-10
General Tab, page 27-107
Policy Object Manager Window, page 6-3
Field Reference
Table 28-45 Add and Edit SSL VPN Gateway Dialog Boxes
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object (up to 1024 characters).
Table 28-45 Add and Edit SSL VPN Gateway Dialog Boxes (Continued)
Element Description
IP Address The IP address for the gateway, which is the address to which remote
users connect:
Use Static IP AddressSpecify the address that you want to use.
You must also configure this address on an interface on the router.
Obtained from InterfaceSpecify the interface role that resolves
to a single interface on the device. The IP address configured for
the interface is used. This option allows you to identify the external
interface you want to use for connections without having to
explicitly enter the IP address. If you have to change the address on
the interface, you do not have to also reconfigure this object.
Port The number of the port that will carry the HTTPS traffic. You can also
enter the name of a port list object that specifies the single port number,
or click Select to select the object from a list. The default is the HTTPS
object, which specifies port 443. If you do not use port 443, you can
enter another port number between 1025 and 65535.
Trustpoint The digital certificate required to establish the secure connection. A
self-signed certificate is generated when an SSL VPN gateway
is activated.
Enable Gateway Whether to activate the SSL VPN gateway.
Specify SSL Whether to restrict the encryption algorithms used for the connection,
Encryption Algorithms or to specify a different order of use. The default is to make all
algorithms available in this order of preference: 3DES and SHA1, AES
and SHA1, RC4 and MD5.
Select the priority order for the algorithms. Select None to eliminate
one or two algorithms.
Redirect HTTP Traffic Whether to have the gateway redirect HTTP traffic over secure HTTP
(HTTPS). Traffic that comes to this port is redirected to the port you
HTTP Port
specify in the Port field.
Enter the port number for HTTP traffic in the HTTP Port field. You can
enter a number or the name of a port list object, or click Select to select
an object from a list or to create a new object.
The HTTP port is normally 80. However, you can enter any other
number that is used in your network between 1025-65535.
Hostname The hostname for the gateway.
Do Not SpecifyNo hostname is assigned; the IP address to the
gateway is used.
Use the host and domain names of the deviceThese are defined
in the Platform > Device Admin > Hostname policy.
Use the ObjectThe hostname is the value defined in a text policy
object. Enter the name of the object or click Select to select it from
a list or to create a new object.
Table 28-45 Add and Edit SSL VPN Gateway Dialog Boxes (Continued)
Element Description
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override per Whether to allow the object definition to be changed at the device level.
Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
Select Tools > Policy Object Manager, then select SSL VPN Smart Tunnel Lists from the Object Type
selector. Right-click inside the work area and select New Object, or right-click a row and select Edit
Object.
Related Topics
ASA Group Policies SSL VPN Clientless Settings, page 28-11
Configuring SSL VPN Smart Tunnels for ASA Devices, page 26-71
Policy Object Manager Window, page 6-3
Field Reference
Table 28-46 Add and Edit Smart Tunnel Lists Dialog Boxes
Element Description
Name The object name, which can be up to 64 characters. Spaces are not
allowed. Object names are not case-sensitive. For more information,
see Creating Policy Objects, page 6-6.
Description An optional description of the object.
Smart Tunnel Entries table The applications to which users will be allowed smart tunnel access
through the SSL VPN, including the name of the application and its
location on client workstations.
To add an application, click the Add Row button to open the Add
and Edit A Smart Tunnel Entry Dialog Boxes, page 28-66.
To edit an application, select it and click the Edit Row button.
To delete an application, select it and click the Delete Row button.
Include Smart Tunnel Lists The other SSL VPN smart tunnel list objects that you want to include
in this object, if any. Enter the names of the objects or click Select to
select them from a list or to create new objects. Separate multiple
entries with commas.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level.
per Device For more information, see Allowing a Policy Object to Be Overridden,
page 6-13 and Understanding Policy Object Overrides for Individual
Overrides
Devices, page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.
Navigation Path
From Add and Edit Smart Tunnel List Dialog Boxes, page 28-65, click the Add Row button beneath the
Smart Tunnel Entries table, or select an entry and click the Edit Row button.
Related Topics
Configuring SSL VPN Smart Tunnels for ASA Devices, page 26-71
Policy Object Manager Window, page 6-3
Field Reference
Table 28-47 Add and Edit Smart Tunnel Entry Dialog Boxes
Element Description
App Name The name of the application to which you are allowing smart tunnel
access. The name can be up to 64 characters. Consider including the
version number of the application if you are allowing more than one
version smart tunnel access.
App Path The filename and optionally, the path, of the application. This entry can
be up to 128 characters. Use one of the following:
FilenameFor example, outlook.exe. By only specifying the file
name, it does not matter where users install the application on their
workstations. However, the file name must match exactly.
Full path and filenameFor example, C:\Program
Files\Microsoft Office\OFFICE11\OUTLOOK.EXE. This
allows the application smart tunnel access only if it is installed
in the specified directory, which you can use to enforce
organizational standards.
Tips
If you specify the full path, and the smart tunnel application stops
working after it had been working for a while, it is likely that a
product upgrade changed the installation path. Add a new entry
that accounts for the new path.
If you are granting smart tunnel access to an application that is
started from the command line, create one entry for cmd.exe (the
Windows command line), and another entry for the application.
Table 28-47 Add and Edit Smart Tunnel Entry Dialog Boxes (Continued)
Element Description
Hash Value (Optional) The hash value for the application. By specifying a hash
value, you can ensure that the user does not rename another application
to use a supported filename and thus start an unsupported and undesired
application over the smart tunnel.
To obtain the hash value, enter the checksum of the application (that is,
the checksum of the executable file) into a utility that calculates a hash
using the SHA-1 algorithm. One example of such a utility is the
Microsoft File Checksum Integrity Verifier (FCIV), which is available
at http://support.microsoft.com/kb/841290/. Place a temporary copy of
the application to be hashed on a path that contains no spaces (for
example, c:\temp) and then enter fciv.exe -sha1 application at the
command line (for example, fciv.exe -sha1 c:\msimn.exe) to display
the SHA-1 hash. Copy and paste the value into this field.
The SHA-1 hash is always 40 hexadecimal characters. Before
authorizing an application for smart tunnel access, clientless SSL VPN
calculates the hash of the application matching the App Name. It
qualifies the application for smart tunnel access if the result matches
the value of hash.
Because the checksum varies with each version or patch of an
application, the hash you enter can match only one version or patch on
the remote host. To specify a hash for more than one version of an
application, create a unique smart tunnel entry for each hash value.
Tip Hash values require maintenance. You must update the smart
tunnel list if you want to support future versions or patches of
an application for which you supply a hash value. A sudden
problem with smart tunnel access might be an indication that
the application list containing hash values is not up-to-date with
an application upgrade. You can avoid this problem by not
entering a hash.
Note You must select the technology (Easy VPN/Remote Access VPN, or SSL VPN) for which you are
creating the user group object. If you are editing an existing user group object, the technology is already
selected and you cannot change it. Depending on the selected technology, the appropriate settings are
available for configuration.
Navigation Path
Select Tools > Policy Object Manager, then select User Groups from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Tip You can also access this dialog box from the Remote Access VPN > IPSec VPN > User Groups or the
Remote Access VPN > SSL VPN policies.
Related Topics
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are
not case-sensitive. For more information, see Creating Policy Objects,
page 6-6.
Description An optional description of the object.
Settings Pane
The body of the dialog box is a pane with a table of contents on the left and settings related to the item
selected in the table of contents on the right.
You must first configure technology settings, then you can select items from the table of contents on
the left and configure the options you require. Your selections on the Technology page control which
options are available on these pages and in the table of contents.
The top folders in the table of contents represent the VPN technologies or other settings that you can
configure, and are explained next.
Technology settings These settings control what you can define in the group policy:
Group NameThe name for the user group (up to 128 characters).
Configure the same user group name within the remote client or
device to ensure that the appropriate group attributes are downloaded.
TechnologyThe types of VPN for which this object defines
group policies. You cannot change this option when editing an
object, or if you are creating the user group object while editing a
VPN policy. You can configure settings for Easy VPN/Remote
Access IPSec VPN or SSL VPN, but not both.
Element Description
Easy VPN/Remote Access When you select Easy VPN/Remote Access IPSec VPN as the
IPSec VPN pages technology, you can configure settings on the following pages:
User Group Dialog BoxGeneral Settings, page 28-70
User Group Dialog BoxDNS/WINS Settings, page 28-72
User Group Dialog BoxSplit Tunneling, page 28-72
User Group Dialog BoxIOS Client Settings, page 28-73
User Group Dialog BoxIOS Xauth Options, page 28-75
User Group Dialog BoxIOS Client VPN Software Update,
page 28-76
User Group Dialog BoxAdvanced PIX Options, page 28-77
SSL VPN pages When you select SSL VPN as the technology, you can configure
settings on the following pages:
User Group Dialog BoxClientless Settings, page 28-78
User Group Dialog BoxThin Client Settings, page 28-79
User Group Dialog BoxSSL VPN Full Tunnel Settings,
page 28-79
User Group Dialog BoxDNS/WINS Settings, page 28-72
User Group Dialog BoxSSL VPN Split Tunneling, page 28-81
User Group Dialog BoxBrowser Proxy Settings, page 28-83
User Group Dialog BoxSSL VPN Connection Settings,
page 28-84
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Note These settings apply in Easy VPN and remote access IPSec VPN configurations.
Navigation Path
Select General from the table of contents in the Add or Edit User Group Dialog Box, page 28-68.
Related Topics
Configuring Preshared Key Policies, page 22-23
Field Reference
Element Description
Preshared Key The preshared key that will be used to authenticate the clients
associated to the user group.
Note You do not have to enter a preshared key if you are using digital
certificates for group authentication.
In regular IPsec VPNs, preshared keys allow for one or more peers to
use individual shared secrets to authenticate encrypted tunnels. A
preshared key must be configured on each participating peer. If one of
the participating peers is not configured with the same preshared key,
the IKE SA cannot be established.
In Easy VPN authentication, the same Easy VPN server key is used for
the spoke configuration to ensure that the server/client keys match.
In remote access IPSec VPN authentication, the same key is used to
negotiate a VPN connection between the remote access VPN server and
the remote clients.
IP Address Pool The IP address ranges for a local pool that will be used to allocate an
Subnet/Ranges internal IP address to a client. Remote clients are assigned IP addresses
from this pool. Separate multiple entries with commas. The default is
172.16.0.1-172.16.4.254.
Backup Servers IP Address The IP address of the servers to be used as backups for the Easy VPN
or remote access IPSec VPN server. The router tries to connect to these
servers if the primary connection to the Easy VPN or remote access
VPN server fails. Separate multiple entries with commas.
PIX Only Attributes These attributes apply only to PIX 6.3 devices.
Idle TimeThe timeout period for VPN connections, in seconds.
If no communication occurs on the connection during this period,
the device terminates the connection. The minimum is 60 seconds,
and the maximum time is 35791394 minutes. The default is 30
minutes.
Max TimeThe maximum amount of time for VPN connections,
in seconds. At the end of the time, the device terminates the
connection. The minimum is 60 seconds, and the maximum is
35791394 minutes. There is no default.
Note The DNS/WINS settings you configure for a user group apply in Easy VPN, remote access VPN, and
SSL VPN configurations.
Navigation Path
Select DNS/WINS from the table of contents in the Add or Edit User Group Dialog Box, page 28-68.
Field Reference
Element Description
Primary DNS Server The IP address of the primary DNS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Secondary DNS Server The IP address of the secondary DNS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Domain Name The domain name of the DNS server you want to configure on the
user group.
Primary WINS Server The IP address of the primary WINS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Secondary WINS Server The IP address of the primary WINS server for the group. Enter the IP
address or the name of a network/host object, or click Select to select
an object from a list or to create a new object.
Tip For optimum security, we recommend that you not enable split tunneling.
Note Split tunneling can be applied in Easy VPN, remote access VPN, and SSL VPN configurations. For
information about configuring split tunneling for SSL VPN, see User Group Dialog BoxSSL VPN
Split Tunneling, page 28-81.
Navigation Path
Select Split Tunneling from the table of contents in the Add or Edit User Group Dialog Box, page 28-68
when configuring Easy VPN/Remote Access IPSec VPN.
Field Reference
Element Description
Split Tunneling The networks for which you want to tunnel traffic. Traffic to all other
addresses travels in the clear and is routed by the remote users Internet
service provider. You can identify the networks using one of these options:
Protected NetworksSpecify the networks by network addresses.
Enter the addresses or network/host objects, or click Select to select the
objects from a list or to create new objects. For information on
specifying addresses, see Specifying IP Addresses During Policy
Definition, page 6-68.
ACLSpecify the networks using an extended access control list policy
object. Enter the name of the object or click Select to select the object
from a list or to create a new object.
Split DNS A list of domain names that must be tunneled or resolved to the private
network. All other names will be resolved through the public DNS server.
You can enter multiple domain names separated by commas.
Note These settings apply in Easy VPN and remote access IPSec VPN configurations.
Navigation Path
Select Client Settings (IOS) from the table of contents in the Add or Edit User Group Dialog Box,
page 28-68.
Field Reference
Element Description
Enable Firewall This feature may be used if a VPN client is running the Black Ice or Zone
Are-You-There Alarm personal firewall.
(Not available on 7600 When selected, it ensures that the personal firewall is running at connection
series or ASR routers.) time and throughout the connection. The Firewall-Are-U-There attribute is
sent by the Black Ice and Zone Alarm personal firewalls if the server prompts
them to do so. If the personal firewall stops running, the connection is
terminated. If this feature is enabled and there is no personal firewall running
on the server, the connection is never established.
Mode A Central Policy Push (CPP) firewall policy on a server allows or denies a
tunnel on the basis of whether the remote device has a required firewall for
a local AAA server.
The Mode option specifies whether the Central Policy Push (CPP) policy is
optional or mandatory, as follows:
OptionalIf the CPP policy is defined as optional, and is included in
the Easy VPN server configuration, the tunnel setup is continued even if
the client does not confirm the defined policy.
RequiredIf the CPP policy is defined as mandatory and is included in
the Easy VPN server configuration, the tunnel setup is allowed only if
the client confirms this policy. Otherwise, the tunnel is terminated.
Firewall Type The type of firewall that you are making required or optional. The list shows
all of the supported firewall software, which includes software from Cisco
and Zone Labs.
Policy Type Specifies the CPP firewall policy type:
Check PresenceInstructs the server to check for the presence of the
specified firewall type.
Central Policy PushThe actual policy, such as the input and output
access lists, that must be applied by the specified client firewall type.
Specify the following:
The access control list to be used. Enter the name of the extended
ACL object or click Select to select it from a list or to create a
new object.
The direction of the access control listInbound or Outbound.
Include Local LAN Whether to allow a non split-tunneling connection to access the local LAN
at the same time as the client.
Perfect Forward Secrecy Whether to enable Perfect Forward Secrecy (PFS). If PFS is enabled, the
server is configured to notify the client of the central-site policy about
whether PFS is required for any IPsec SA. The Diffie-Hellman (D-H)
group that is proposed for PFS is the same that was negotiated in Phase 1
of the IKE negotiation.
Note These settings apply in Easy VPN and remote access VPN configurations.
Navigation Path
Select Xauth Options (IOS) from the table of contents in the Add or Edit User Group Dialog Box,
page 28-68.
Field Reference
Element Description
Banner The banner text that is displayed to Easy VPN remote clients during
Xauth and web-based activation the first time the Easy VPN tunnel is
brought up. A maximum of 1024 characters is allowed.
Maximum Logins Per User The maximum number of connections a user can establish
simultaneously. The maximum is 10.
Maximum Connections The maximum number of client connections to the Easy VPN Server
from this group. The maximum is 5000 per group.
Enable Group-Lock Whether to enable group lock, which requires that the user enter the
extended Xauth username in one of the following formats:
username/groupname
username\groupname
username@groupname
username%groupname
The group that is specified after the delimiter is then compared to the
group identifier that is sent during IKE aggressive mode. The groups
must match or the connection is rejected.
Note Do not select this option if you are using RSA signature
authentication mechanisms such as certificates.
Enable Save Password Whether to allow users to save their Xauth password locally on the
client. On subsequent authentications, users can activate the password
by using the check box on the software client or by adding the username
and password to the Cisco IOS hardware client profile. After users
activate the password, their username and password are sent to the
server automatically during Xauth.
This option is useful only if users have static passwords, that is, they
are not one-time passwords such as those that are generated by a token.
Note These settings apply in Easy VPN and remote access VPN configurations.
Navigation Path
Select Client VPN Software Update (IOS) from the table of contents in the Add or Edit User Group
Dialog Box, page 28-68.
Navigation Path
Open the User Group Dialog BoxIOS Client VPN Software Update, page 28-76, then click Add Row,
or select an item in the table and click Edit Row.
Related Topics
Add or Edit User Group Dialog Box, page 28-68
Field Reference
Element Description
System Type The platform on which the IOS VPN client operates.
All Windows (Default)This option includes any Windows
platform for which a VPN client is available.
Macintosh OS X
IOS Image URL Enter the URL from where the client can be downloaded. The URL
must start with http:// or https://.
IOS VPN Client Revisions Enter the revision level of the VPN client. You can specify more than
one client revision separated by commas.
Note These settings apply in Easy VPN and remote access VPN configurations.
Navigation Path
Select Advanced Options (PIX) from the table of contents in the Add or Edit User Group Dialog Box,
page 28-68.
Field Reference
Element Description
User Idle Timeout (sec) The length of time that a VPN tunnel can remain open without user
activity, in seconds. Values range from 60-86400 seconds.
User Authentication Server The AAA server to which remote devices send user authentication
requests. Enter the name of the server group or click Select to select it
from a list or to create a new group. See Understanding AAA Server
and Server Group Objects, page 6-20.
Enable Device Pass-Through Whether to use Media Access Control (MAC) addresses to bypass
authentication for devices, such as Cisco IP phones, that do not support
AAA authentication.
When MAC-based AAA exemption is enabled, the device bypasses the
AAA server for traffic that matches both the MAC address of the device
and the IP address that was dynamically assigned by a DHCP server.
Authorization services are disabled automatically when you bypass
authentication. Accounting records continue to be generated (if
enabled), but the username is not displayed.
Enable Secure Unit Whether to provide increased security when allowing access to the
Authentication device from a remote client.
With Secure Unit Authentication (SUA), you can use one-time
passwords, two-factor authentication, and similar authentication
schemes to authenticate the remote device during Extended
Authentication (Xauth).
SUA is specified in the VPN policy on the device and is downloaded to
the remote client. This enables SUA and determines the connection
behavior of the remote client.
Enable User Authentication Whether to enable Individual User Authentication (IUA), which
supports individually authenticating clients on the inside network of the
remote access VPN, based on the IP address of each inside client. IUA
supports both static and OTP authentication mechanisms.
Navigation Path
Select Clientless from the table of contents in the Add or Edit User Group Dialog Box, page 28-68.
Related Topics
Clientless and Thin Client Access Modes Page, page 27-8
Field Reference
Element Description
Portal Page Websites The name of the SSL VPN bookmarks policy object that includes the
web site URLs to display on the portal page. These web sites help users
access desired resources. Enter the name of the object or click Select to
select it from a list or to create a new object.
Allow Users to Whether to allow the remote user to enter web site URLs directly into
Enter Websites the browser. If you do not select this option, the user can access only
those URLs included on the portal.
Enable Common Internet File In Clientless mode, files and directories created on Microsoft Windows
System (CIFS) servers can be accessed by the remote client through the web browser.
When you enable the Common Internet File System (CIFS), a list of file
server and directory links are displayed on the portal page after login.
The CIFS protocol lets you customize permissions on the SSL VPN
gateway to allow shared files to be accessed or modified by the remote
client, as follows:
Enable File BrowsingWhether to allow the remote user to
browse for file shares on the CIFS file servers.
Enable File EntryWhether to allow the remote user to locate
file shares on the CIFS file servers by entering the names of the
file shares.
WINS Server List The name of the WINS server list policy object that identifies the
WINS/NetBIOS servers to use for resolving file server names. You
should supply an object if you enable CIFS. Enter the name of the
object or click Select to select if from a list or to create a new object.
Enable Citrix Whether to enable remote clients to run Citrix-enabled applications,
such as Microsoft Word or Excel, through the SSL VPN as if the
application were locally installed, without the need for client software.
The Citrix software must be installed on one or more servers on a
network that the router can reach.
Navigation Path
Select Thin Client from the table of contents in the Add or Edit User Group Dialog Box, page 28-68.
Related Topics
Clientless and Thin Client Access Modes Page, page 27-8
Field Reference
Element Description
Enable Thin Client Whether to allow thin client access to the SSL VPN.
Port Forward List The name of the port forwarding list policy object assigned to this
group. Port forwarding lists contain the set of applications that users of
clientless SSL VPN sessions can access over forwarded TCP ports.
Enter the name of the object or click Select to select it from a list or to
create a new object.
Download Port Forwarding Whether the port forwarding Java applet should be automatically
Applet on Client Login downloaded to the client when a user logs into the SSL VPN. If you do
not automatically download the applet, users must download it
manually after login.
Tip For full tunnel client access to work, you must install the client software on the gateway. The user
downloads the client when connecting to the gateway.
Navigation Path
Select Full Tunnel > Settings from the table of contents in the Add or Edit User Group Dialog Box,
page 28-68.
Related Topics
Full Tunnel Dialog Box, page 27-7
Field Reference
Element Description
Enable Full Tunnel Whether to enable full tunnel client access to the SSL VPN.
Use Other Access Modes Whether to allow users to connect to the SSL VPN even if a problem
if SSL VPN Client prevents the client from downloading, installing, and starting correctly
Download Fails on the users system.
Full Tunnel Only If you select Full Tunnel Only, a user cannot connect to the SSL VPN
if the download fails, which locks the user out of the network. Select
Use Other Access Modes to allow clientless or thin client access if
there is a download problem.
Client IP Address Pool The IP address ranges of the address pool that full tunnel clients will
draw from when they log on. The address pool must be in the same
subnet as one of the devices interface IP addresses.
Enter the address range separating the first and last IP address with a
hyphen, for example, 10.100.10.2-10.100.10.255. If you enter a single
address, the pool has just one address. Do not enter subnet designations.
You can also enter the name of a network/host policy object that defines
the range, or click Select to select the object from a list or to create a
new object. Separate multiple ranges with commas.
Filter ACL The name of an extended access control list (ACL) object that restricts
access to the SSL VPN. Enter the name of the object or click Select to
select it from a list or to create a new object.
Keep SSL VPN Client on Whether to leave the full client installed on the users workstation after
Client Computer the user disconnects. If you do not allow the client to remain on the
users system, the client must be downloaded each time the user
establishes a connection to the SSL VPN gateway.
Home Page URL The web address of the login home page for the full client.
Client Dead Peer The time interval that the Dead Peer Detection (DPD) timer is reset
Detection Timeout each time a packet is received over the SSL VPN tunnel from the
remote user. Enter a value in the range 1-3600 seconds.
Element Description
Gateway Dead Peer The time interval that the Dead Peer Detection (DPD) timer is reset
Detection Timeout each time a packet is received over the SSL VPN tunnel from the
gateway. Enter a value in the range 1-3600 seconds.
Key Renegotiation Method The method by which the tunnel key is refreshed for the remote user
group client:
DisabledDisables the tunnel key refresh.
Create New TunnelInitiates a new tunnel connection. Enter the
time interval (in seconds) between the tunnel refresh cycles in the
Interval field.
Tip For optimum security, we recommend that you not enable split tunneling.
Navigation Path
Select Full Tunnel > Split Tunneling from the table of contents in the Add or Edit User Group Dialog
Box, page 28-68.
Field Reference
Element Description
Tunnel Option Whether to allow split tunneling and if so, which traffic should be
secured or transmitted unencrypted across the public network:
Disabled(Default) No traffic goes in the clear or to any other
destination than the gateway. Remote users reach networks through
the corporate network and do not have access to local networks.
Tunnel Specified TrafficTunnel all traffic from or to the
addresses listed in the Destinations field. Traffic to all other
addresses travels in the clear and is routed by the remote users
Internet service provider.
Exclude Specified TrafficTraffic goes in the clear from and to the
addresses listed in the Destinations field. This is useful for remote
users who want to access devices on their local network, such as
printers, while they are connected to the corporate network through
a tunnel.
Destinations The IP addresses for hosts or networks that identify the networks that
require traffic to travel across the tunnel and those that do not require
tunneling. Whether traffic to these addresses is encrypted and tunneled
to the gateway, or sent in the clear, is determined by your selection for
Tunnel Option.
Enter network addresses such as 10.100.10.0/24 or host addresses such
as 10.100.10.12. You can also enter the name of a network/host policy
object, or click Select to select the object from a list or to create a new
object. Separate multiple addresses with commas.
Exclude Local LANs Whether to exclude local LANs from the encrypted tunnel. This option
is available only if you selected the Exclude Specified Traffic tunnel
option. By selecting this option, you do not have to enter local LAN
addresses into the destinations field to allow users to communicate with
systems (such as printers) that are attached to their LAN.
When selected, this attribute disallows a non split-tunneling connection
to access the local subnetwork at the same time as the client.
Split DNS Names A list of domain names to be resolved through the split tunnel to
the private network. All other names are resolved using the public
DNS server.
Enter up to 10 entries in the list of domains, separated by commas. The
entire string can be no longer than 255 characters.
Tip The browser proxy settings work only for Microsoft Internet Explorer; they do not work for other types
of browsers.
Navigation Path
Select Full Tunnel > Browser Proxy Settings from the table of contents in the Add or Edit User Group
Dialog Box, page 28-68.
Related Topics
Defining Proxies and Proxy Bypass Rules, page 26-51
Field Reference
Element Description
Browser Proxy Option Whether and how to configure proxy settings on the remote clients browser:
BlankDo not configure proxy settings.
Do Not Use Proxy ServerConfigure the browser to not use a proxy.
Automatically Detect SettingsConfigure the browser to automatically
detect proxy settings.
Bypass Proxy Server for Local AddressesConfigure the browser to
bypass proxy settings configured by the user.
Proxy Server The address of the proxy server:
IP addressThe IP address or the name of a network/host object that
specifies the address. Click Select to select the object from a list.
NameThe fully qualified domain name, for example,
proxy.example.com.
Proxy Server Port The port number on the server that is used for proxy traffic, for example, 80.
Enter a value in the range 1-65535.
Do Not Use Proxy If you configured a proxy, you can identify specific hosts for which the proxy
Server for Addresses should be bypassed. If the user opens these hosts in the browser, the proxy is
Beginning With not used in the connection.
Enter full IP addresses or fully qualified domain names. For example,
10.100.10.14 or www.cisco.com.
Navigation Path
Select Connection Settings from the table of contents in the Add or Edit User Group Dialog Box,
page 28-68.
Field Reference
Element Description
Idle Timeout The idle timeout period for the SSL VPN session. The session is
disconnected if the client is idle longer than the specified idle timeout.
Values range from 0-3600 seconds.
Session Timeout The timeout period for the SSL VPN session. The session is
disconnected when this timeout is reached even if the user is still active.
Values range from 1-1209600 seconds.
Banner Text The banner, for example, a welcome message, that is displayed to
remote users when they connect to the SSL VPN.
You cannot use double quotes or new lines (carriage returns) in the
banner text. However, you can include HTML tags to create the
desired layout.
Navigation Path
Select Tools > Policy Object Manager, then select WINS Server Lists from the Object Type Selector.
Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL
VPNs, page 26-73
Policy Object Manager Window, page 6-3
Field Reference
Element Description
Name The object name, which can be up to 128 characters. Object names are not
case-sensitive. For more information, see Creating Policy Objects, page 6-6.
Description An optional description of the object.
WINS Server List The WINS servers that are defined for the object.
To add a server, click the Add button and fill in the Add WINS Server
dialog box (see Add or Edit WINS Server Dialog Box, page 28-85).
To edit a server, select it and click the Edit button.
To delete a server, select it and click the Delete button.
Category The category assigned to the object. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-9.
Allow Value Override Whether to allow the object definition to be changed at the device level. For
per Device more information, see Allowing a Policy Object to Be Overridden, page 6-13
and Understanding Policy Object Overrides for Individual Devices,
Overrides
page 6-13.
Edit button
If you allow device overrides, you can click the Edit button to create, edit,
and view the overrides. The Overrides field indicates the number of devices
that have overrides for this object.
Navigation Path
From the Add or Edit WINS Server List Dialog Box, click the Add button beneath the WINS Server List
table, or select a server in the table and click the Edit button.
Related Topics
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL
VPNs, page 26-73
Field Reference
Element Description
Server The IP address of the WINS server used to translate Windows file
server names to IP addresses. You can also enter the name of a
network/host policy object that identifies the server. Click Select to
choose a network/hosts object or to create a new object.
Set as Master Browser Whether to server is a master browser. The master browser maintains
the list of computers and shared resources.
Element Description
Timeout The period of time the security appliance waits for a response to a
WINS query before sending the query again to the same server (if it is
the only one), or to the next server (if there is more than one).
The default timeout is 2 seconds. The range is between 1 and 30 seconds.
Retries The number of times to retry sending WINS queries to the configured
servers. The security appliance recycles through the list of servers this
number of times before sending an error message.
The default is 2. The range is between 0 and 10.
Tip The network data that is displayed on maps is typically updated as this data changes. However, to be
certain that a map displays current network data, you can refresh it manually by selecting Map >
Refresh Map.
1 Menu bar (see Map Menu, page 1-24) 2 Navigation window (see Using the
Navigation Window, page 29-4)
3 Map toolbar (see Map Toolbar, 4 Map (see Understanding Map Elements,
page 29-3) page 29-14)
Related Topics
Understanding Maps and Map View, page 29-1
Working With Maps, page 29-8
Displaying Your Network on the Map, page 29-13
Managing VPNs in Map View, page 29-20
Managing Device Policies in Map View, page 29-21
Map Toolbar
The following table describes the buttons on the map toolbar.
Pans the map. Click the button, click and hold on the map, then drag the cursor.
Creates a new Security Manager-managed node. After you create the new device in
the inventory, it is added to the active map as a device node.
Tips
If you refresh the map (select Map > Refresh Map), items that you added to the inventory after
generating the default map are not added to the map. You must reopen the default map to see new
devices.
Note If you have do not have sufficient access rights to all devices in the inventory, the default map
that opens shows only the subset of devices for which you do have access rights. For more
information, see Access Permissions for Maps, page 29-8.
Step 3 To save the default map as a standard map, select Map > Save Map or Map > Save Map As, enter a
name for the map and click OK.
Opening Maps
To open an existing map, select Map > Open Map, select the desired map from the list of available
maps, and click OK. You must already be in Map view (select View > Map View). If you currently have
a map open with unsaved changes, you are asked if you want to save it.
The list of available maps includes a special map called the Default Map. This map contains all of the
managed devices and VPNs in the inventory. You are essentially creating a new map each time you open
it. For more information about the default map, see Creating New or Default Maps, page 29-9.
Tip You can open any map that you have created or the default map. You can also open any map that another
user has created provided you have the requisite permission settings with regard to the devices shown on
that map (see Access Permissions for Maps, page 29-8).
Related Topics
Working With Maps, page 29-8
Understanding Map Elements, page 29-14
Saving Maps
To save the active map, select Map > Save Map. Any changes that you made since you last saved it are
saved. If you did not save the map previously, the Save Map As dialog box opens, enabling you to assign
a name to the map and save it.
To save a map under a new name, select Map > Save Map As. The map name can be as long as 256
characters, but cannot be the reserved names Default Map or New Map.
If you close a map that contains unsaved changes, you are prompted to save the changes.
If your Security Manager session closes automatically because of inactivity when a map is open with
unsaved changes, the current version of the map is saved if it has a name. If you have not yet saved the
map, the map is discarded. For example, if you generate the default map, or create a new map, and do
not save it before your session times out, you cannot retrieve that map.
Deleting Maps
If you no longer need a map, you can delete it (presuming that you have edit permission). Deleting a map
does not delete any devices or VPNs shown on the map, nor does it delete or modify their configurations;
only the map is deleted.
When you delete a map, it is permanently deleted from the server. Other users cannot use the deleted
map.
To delete a map, select Map > Delete Map, select the map you want to delete from the available maps
list and click OK. You are asked to confirm the deletion.
You must already be in Map view (select View > Map View) to delete a map.
Exporting Maps
When viewing a map, you can export the map to a scalable vector graphics (SVG) image file for use
outside of Security Manager.
Related Topics
Working With Maps, page 29-8
Understanding Map Elements, page 29-14
Step 1 Select Map > Export Map. The Export Topology Map to SVG dialog box opens.
Step 2 Browse to the location in which to save the file.
Step 3 Enter a filename in the File name field. The correct file extension will be added for you.
Step 4 Click Save.
Related Topics
Using the Navigation Window, page 29-4
Step 1 Right-click the map element to which to link a map, then select Set Linked Map. The Set Linked Map
dialog box opens.
Step 2 Select a map to associate with the selected map element, then click OK.
Step 3 To open the linked map, right-click the linked node, then select Open Linked Map. The current map
closes and the linked map opens.
Tip You can control the position and scale of the image using the X and Y coordinates and scale settings.
The X,Y source point is the upper left corner of the image. You can use positive or negative numbers.
You must experiment to get the results you desire. The scale setting is in percentage.
To change the background color, click Select next to the background color field and choose the
desired color.
Firewall security context When you select a security context, the parent device
is highlighted. The dotted outline distinguishes the
icon as a security context.
Adaptive Security Appliance When you select a device, its security contexts are
highlighted.
Adaptive Security Appliance When you select a security context, the parent device
security context is highlighted. The dotted outline distinguishes the
icon as a security context.
Router Router or VPN concentrator.
Catalyst 6500/7600 or Catalyst When you select a Catalyst device node, any Firewall
switch Service Modules contained in it are highlighted.
Firewall Services Module When you select a Firewall Services Module, the
(FWSM) security contexts it contains are highlighted on the
map.
FWSM security context When you select a security context, the parent device
is highlighted. The dotted outline distinguishes the
icon as a security context.
IPS Sensor or Security Service An IPS sensor.
Module
VPN connection Any type of VPN connection.
For GET VPNs, a dashed line indicates the
connection between group members and key servers.
Related Topics
Using Map Objects To Represent Network Topology, page 29-16
Creating and Managing Layer 3 Links on the Map, page 29-19
To remove a managed nodeRight-click the node and select Remove from Map.
To locate a device on the open map when in Device viewRight-click the device in the device
selector and select Show in Map view. If the device is shown on the active map, it is shown centered
and highlighted on the undocked map. You are told that the device cannot be found if the device is
not shown on the active map.
To locate a device in Device view from the mapRight-click the device and select Show in
Device View. Device view is opened with the device selected so that you can edit its policies.
Related Topics
Understanding Map Elements, page 29-14
Showing Containment of Catalyst Switches, Firewalls, and Adaptive Security Appliances,
page 29-16
Tip To delete a map object, right-click the object and select Delete Map Object.
Step 1 Select Map > Add Map Object. The Add Map Object dialog box appears (see Add Map Object and
Node Properties Dialog Boxes, page 29-17).
Step 2 Do one of the following:
If you are adding a map object based on the definition of an Security Manager policy object, click
Copy Policy Object to open the Select Policy Object Dialog Box, page 29-18. Then, select the type
of object (AAA server, network/host, PKI enrollment), click Select to choose the object, then click
OK in the Select Policy Object dialog box. Information from the policy object is entered in the Add
Map Object dialog box.
The name of the object is used as the map object name, but you can edit this if desired.
If you are adding a map object that is not based on a policy object, enter a name for the map object
in the Name field.
Step 3 Select the type of object that the node represents from the Type list. If you selected a policy object, the
type is pre-selected, but you can change the selection.
Step 4 (Optional) Add interfaces to the node by doing the following for each interface:
a. Click Add to open the Interface Properties Dialog Box, page 29-18. If items already appear in the
list, you can select them and click Edit to change them.
b. Enter an interface name, IP address, and network mask, then click OK.
Step 5 Click OK. The map object is added to the center of the map. Move it to the desired location.
Navigation Path
To open the Add Map Object dialog box, select Map > Add Map Object.
To open the Node Properties dialog box, right-click a map object or managed device and select Node
Properties.
Field Reference
Table 29-12 Add Map Object and Node Properties Dialog Boxes for Unmanaged Nodes
Element Description
Name The name of the map object. If you select a policy object, the name of
the object is automatically used, but you can change it.
Copy Policy Object button Click to browse for a policy object to use as the basis for the map object
using the Select Policy Object Dialog Box, page 29-18.
Table 29-12 Add Map Object and Node Properties Dialog Boxes for Unmanaged Nodes
Element Description
Type list The type of object you are creating. If you select a policy object, a type
is selected for you, but you can change it if necessary.
Interfaces table The interfaces on the node. If you select a policy object, information
might have been added to this table.
To add an interface, click the Add (+) button and fill in the
Interface Properties Dialog Box, page 29-18.
To edit an interface, select it and click the Edit (pencil) button.
To delete an interface, select it and click the Delete (trash can)
button.
Navigation Path
To open this dialog box, click Copy Policy Object in the Add Map Object dialog box (see Add Map
Object and Node Properties Dialog Boxes, page 29-17).
Navigation Path
To open this dialog box, click the Add or Edit button in the Add Map Object and Node Properties Dialog
Boxes, page 29-17.
Field Reference
Element Description
Interface Name The interface name.
Interface IP Addr/Mask The interface IP address and network mask, for example,
10.100.10.0/24 or 10.100.10.0/255.255.255.0.
Tips
The automatic addition of network objects and links is called Autolink. You can configure Autolink
to not automatically add private or certain reserved network addresses. To configure these settings,
select Tools > Security Manager Administration, then click Autolink.
To view the properties of a link, right-click the layer 3 link and select Link Properties.
To delete a layer 3 link, right-click the layer 3 link to be removed and select Delete Link. Deleting
a layer 3 link does not delete any intermediary network or network clouds between map elements.
Step 1 In Map view, click Map > Add Link or the Add Link button in the toolbar.
Step 2 Click one of the map elements to connect, then click the other map element to connect.
Step 3 If the map elements contain interfaces, select the source and destination interfaces for the link in the
Select Interfaces and Link Properties Dialog Boxes, then click OK.
The Add Link dialog box might open, depending on which interfaces you select.
Step 4 If the Add Link Dialog Box opens, select which intermediary objects and network clouds to insert, then
click OK.
Tip When creating a link, if there are no interfaces defined for either device, the Interface lists are greyed
out. If one device has interfaces defined, both fields are active, but empty for the device that does not
have interfaces defined for it. You cannot change the interface when viewing link properties.
Navigation Path
For information on how to create layer 3 links or view their properties, see Creating and Managing Layer
3 Links on the Map, page 29-19.
Navigation Path
This dialog box might open when you add a link between nodes, depending on which interfaces you
select to connect. For the procedure, see Creating and Managing Layer 3 Links on the Map, page 29-19.
Tip You can also remove a VPN using this command. Select the VPNs you want to remove from the selected
VPNs list and click <<. When you remove a VPN, only the VPN tunnels are removed. The device nodes
remain on the map.
When you display a VPN, all of the its member devices are added to the map as device nodes, and all of
its tunnels are highlighted. However, devices that you removed from the map previously are not added,
even if they are members of a VPN that you display. You can add such devices to the map manually, and
their VPN connectivity is displayed.
A VPN tunnel is a line on the map that represents a VPN connection between two devices. VPN tunnels
are not added to the map automatically when you add a device node that is a member of a VPN. However,
if the VPN was already selected to be shown on the map, adding a device in the VPN to the map will
also display the tunnel.
For an explanation of the icons used in the map, see Understanding Map Elements, page 29-14.
Related Topics
Selecting Map Elements, page 29-12
Related Topics
Chapter 8, Managing Deployment
Chapter 3, Managing the Device Inventory
Chapter 5, Managing Policies
Tip If you want to assign a shared policy to a device, see Performing Basic Policy Management in Map View,
page 29-22.
To configure local firewall policies on a device in Map view, right click the device and select one of the
following commands:
Edit Firewall Policies > AAA RulesTo configure AAA policies, which control who is allowed
access to the device and what services they are allowed to use once they have access. For more
information on configuring AAA rules, see AAA Rules Page, page 13-9.
Edit Firewall Policies > Access RulesTo configure Access Rules policies, which control the
traffic that flows through a device. For more information on configuring access rules, see Access
Rules Page, page 14-8.
Edit Firewall Policies > Inspection RulesTo configure Inspection Rules policies, which analyze
traffic at the application layer and track TCP and UDP sessions to perform refined access control.
For more information on configuring inspection rules, see Inspection Rules Page, page 15-7.
Edit Firewall Policies > Botnet Traffic Filter Rules(ASA 8.2 and higher only) To configure
Botnet Traffic Filter Rules policies, which monitor web traffic. For more information on configuring
botnet traffic filter rules, see Botnet Traffic Filter Rules Page, page 17-9.
Edit Firewall Policies > Transparent RulesTo configure Transparent Rules policies, which
define EtherType rules for transparent firewalls. For more information on configuring inspection
rules, see Transparent Rules Page, page 19-3.
Edit Firewall Policies > Web Filter RulesTo configure Web Filter Rules policies, which define
rules for web access. For more information on configuring web filter rules, see Web Filter Rules
Page (ASA/PIX/FWSM), page 16-3 or Web Filter Rules Page (IOS), page 16-11.
Edit Firewall Policies > Zone Based Firewall Rules(IOS 12.4(6)T and higher only) To
configure Zone Based Firewall Rules policies, which configure inspection and web filtering using
security zones. For more information on configuring zone based firewall rules, see Zone-based
Firewall Rules Page, page 18-56.
Related Topics
Chapter 12, Introduction to Firewall Services
Chapter 5, Managing Policies
Tip If you want to assign a shared policy to a device, see Performing Basic Policy Management in Map View,
page 29-22.
To configure local firewall settings policies on a device in Map view, right click the device and select
one of the following commands:
Edit Firewall Settings > AAA Firewall(ASA/PIX/FWSM only) To configure AAA Firewall
settings policies, which configures proxy, authentication challenge, MAC exempt lists, and other
general AAA settings. For more information on configuring AAA firewall settings, see AAA
Firewall Settings Page, Advanced Setting Tab, page 13-16 and AAA Firewall Page, MAC-Exempt
List Tab, page 13-20.
Edit Firewall Settings > Access ControlTo configure Access Control settings policies, which
configures optimization and other general access control settings. For more information on
configuring access control settings, see Access Control Settings Page, page 14-17.
Edit Firewall Settings > AuthProxy(IOS devices only) To configure AuthProxy settings
policies, which configure general settings for authorization proxies. For more information on
configuring authorization proxies, see AuthProxy Page, page 13-22.
Edit Firewall Settings > Inspection(IOS devices only) To configure Inspection settings policies,
which configure timeout and session settings for inspection rules. For more information on
configuring inspection settings, see Configuring Settings for Inspection Rules for IOS Devices,
page 15-80.
Edit Firewall Settings > Web FilterTo configure Web Filter settings policies, which configure
the server used for web filtering. For more information on configuring web filter settings, see Web
Filter Settings Page, page 16-15.
Edit Firewall Settings > Zone Based Firewall(IOS 12.4(6)T and higher devices) To configure
Zone Based Firewall settings policies, which configure zones and Trend web filter server settings.
IPS Configuration
CH A P T E R 30
Getting Started with IPS Configuration
Cisco Intrusion Prevention System (IPS) Sensors are network devices that perform real-time monitoring
of network traffic for suspicious activities and active network attacks. The IPS sensor analyzes network
packets and flows to determine whether their contents appear to indicate an attack against your network.
Using Cisco Security Manager, you can configure and manage sensors, which can be dedicated
stand-alone network appliances, Catalyst 6500 switch modules, service modules running in supported
ASA devices or routers, and IPS-enabled Cisco IOS Software images running on integrated services
routers. For a full list of supported IPS devices and software versions, see the Supported Devices and
Software Versions for Cisco Security Manager document for this version of the product.
This chapter contains the following topics:
Understanding IPS Network Sensing, page 30-1
Overview of IPS Configuration, page 30-5
Identifying Allowed Hosts, page 30-7
Configuring SNMP, page 30-8
Managing User Accounts and Password Requirements, page 30-13
Identifying an NTP Server, page 30-21
Identifying DNS Servers, page 30-22
Identifying an HTTP Proxy Server, page 30-22
Configuring the External Product Interface, page 30-23
Configuring IPS Logging Policies, page 30-26
Tip Cisco IPS sensors and Cisco IOS IPS devices are often referred to collectively as IPS devices or simply
sensors. However, Cisco IOS IPS does not run the full dedicated IPS software, and its configuration does
not include IPS device-specific policies. Additionally, the amount of sensing that you can perform with
Cisco IOS IPS is more limited. The following sections focus on using dedicated IPS devices, including
service modules installed in IOS routers, rather than Cisco IOS IPS. For a discussion focused on Cisco
IOS IPS, see Intrusion Prevention System (IPS) Cisco IOS Intrusion Prevention System Deployment
Guide on Cisco.com and Chapter 38, Configuring IOS IPS Routers. Also, see
http://www.cisco.com/go/iosips.
When an IPS device detects unauthorized network activity, it can terminate the connection, permanently
block the associated host, and take other actions.
Note For more overview information on IPS sensors, including a comparison of the available appliances and
service modules and details about device interfaces, see Introducing the Sensor in Installing Cisco
Intrusion Prevention System Appliances and Modules. A list of these documents for each IPS release is
available at
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_installation_guides_list.html.
Attacker
Sensor deployed Sensor deployed
in IDS mode in IPS mode
Main campus
Internet
Campus core
Sensor deployed in hybrid
mode to deliver IDS services
Service provider, outside router and IPS
partner, or branch services inside the firewall
148416
office network
The command and control interface is always Ethernet. This interface has an assigned IP address, which
allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and
firewalls). Because this interface is visible on the network, you should use encryption to maintain data
privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH
and TLS/SSL are enabled by default on the manager workstations.
When responding to attacks, the sensor can do the following:
Insert TCP resets via the sensing interface.
Note You should select the TCP reset action only on signatures associated with a TCP-based
service. If selected as an action on non-TCP-based services, no action is taken. Additionally,
TCP resets are not guaranteed to tear down an offending session because of limitations in
the TCP protocol.
Make ACL changes on switches, routers, and firewalls that the sensor manages.
Note ACLs may block only future traffic, not current traffic.
Filter out known false positives caused by specialized software, such as vulnerability scanner and
load balancers by one of the following methods:
You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load
balancer.
You can configure the sensor to allow these alerts and then use Event Viewer to filter out the
false positives.
Filter the Informational alerts.
These low priority events notifications could indicate that another device is doing reconnaissance
on a device protected by the IPS. Research the source IP addresses from these Informational alerts
to determine what the source is.
Analyze the remaining actionable alerts:
Research the alert.
Fix the attack source.
Fix the destination host.
Modify the IPS policy to provide more information.
Step 1 Install and connect the device to your network. Install the device software and perform basic device
configuration. Install the licenses required for all of the services running on the device. The amount of
initial configuration that you perform influences what you will need to configure in Security Manager.
Follow the instructions in the Installing Cisco Intrusion Prevention System Appliances and Modules
document for the IPS version you are using.
Step 2 Add the device to the Security Manager device inventory (see Adding Devices to the Device Inventory,
page 3-6).
Tip You can discover router and Catalyst switch modules when adding the device in which the
module is installed. For ASA devices, you must add the service module separately.
Step 3 Configure the interfaces as described in Configuring Interfaces, page 31-6. You must enable the
interfaces connected to your network for the device to function.
For certain types of service module, there are additional policies to configure:
Router-hosted service modulesConfigure the IPS Module interface settings policy on the router.
For more information, see IPS Module Interface Settings on Cisco IOS Routers, page 52-22.
IDSMConfigure the IDSM Settings Catalyst platform policy. For more information, see IDSM
Settings, page 58-44.
IPS modules on ASA devicesConfigure the Platform > Service Policy Rules > IPS, QoS, and
Connection Rules policy on the host ASA to specify the traffic that should be inspected. For more
information, see About IPS Modules on ASA Devices, page 48-12 and IPS, QoS, and Connection
Rules Page, page 48-5.
Step 4 Use the Virtual Sensors policy to assign interfaces to the virtual sensors, including the base vs0 virtual
sensor that exists for all IPS devices. For information about virtual sensor settings and assigning
interfaces to a virtual sensor, see Defining A Virtual Sensor, page 32-5.
If the device supports it, and you have a need for it, you can also create user-defined virtual sensors so
that a single device acts like multiple sensors. Most of the IPS configuration is done on the parent device,
but you can configure unique settings per virtual sensor for signatures, anomaly detection, and event
actions. For more information, see Chapter 32, Configuring Virtual Sensors.
Step 5 Configure basic device access platform policies. These policies determine who can log into the device:
AAAConfigure this policy if you want to use a RADIUS server to control access to the device.
You can use AAA control in conjunction with local user accounts defined in the User Accounts
policy. See Configuring AAA Access Control for IPS Devices, page 30-19.
Allowed HostsThe addresses of hosts who are allowed access. Ensure that the Security Manager
server is included as an allowed host, or you cannot configure the device using Security Manager.
See Identifying Allowed Hosts, page 30-7.
SNMPConfigure this policy if you want to use an SNMP application to manage the device. See
Configuring SNMP, page 30-8.
Password RequirementsYou can define the acceptable characteristics of a user password. See
Configuring User Password Requirements, page 30-18.
User AccountsThe user accounts defined on the device. See Configuring IPS User Accounts,
page 30-16.
Step 6 Configure basic server access platform policies. These policies identify the servers to which the device
can connect:
External Product InterfaceIf you use Management Center for Cisco Security Agents, configure
this policy to allow the sensor to download host postures from the application. See Configuring the
External Product Interface, page 30-23.
NTPConfigure this policy if you want to use a Network Time Protocol server to control the device
time. See Identifying an NTP Server, page 30-21.
DNS, HTTP ProxyThe DNS and HTTP Proxy policies are required only if you configure global
correlation. They identify a server that can resolve DNS names to IP addresses. Use the HTTP Proxy
policy if your network requires the use of a proxy to make Internet connections; otherwise, use the
DNS policy. See Identifying DNS Servers, page 30-22 or Identifying an HTTP Proxy Server,
page 30-22.
Step 7 Configure the Logging policy if you want non-default logging. See Configuring IPS Logging Policies,
page 30-26.
Step 8 Configure IPS signatures and event actions. Event action policies are easier to configure than creating
custom signatures, so try to use event action filters and overrides to modify signature behavior before
trying to edit specific signatures. For more information, see the following topics:
Chapter 34, Configuring Event Action Rules
Configuring Signatures, page 33-3
Step 9 If you use any of the Request Block or Request Rate Limit event actions, configure blocking or rate
limiting hosts. See Configuring IPS Blocking and Rate Limiting, page 37-7.
Step 10 Configure other desired advanced IPS services. See the following topics:
Chapter 36, Configuring Global Correlation
Configuring Anomaly Detection, page 35-6
Step 11 Maintain the device:
Update and redeploy configurations as necessary.
Apply updated signature and engine packages. For information about checking for updates, applying
them, and setting up regular automated updates, see Managing IPS Updates, page 10-5.
Manage the device licenses. You can update and redeploy licenses, or automate license updates. For
more information, see the following topics:
Updating IPS License Files, page 10-3
Redeploying IPS License Files, page 10-4
Automating IPS License File Updates, page 10-4
Tip If you add host addresses only, you will be limited to using those workstations to access the device.
Instead, you can specify network addresses to allow all hosts connected to specific safe networks
access.
Configuring SNMP
SNMP is an application layer protocol that facilitates the exchange of management information between
network devices. SNMP enables network administrators to manage network performance, find and solve
network problems, and plan for network growth.
SNMP is a simple request/response protocol. The network-management system issues a request, and
managed devices return responses. This behavior is implemented by using one of four protocol
operations: Get, GetNext, Set, and Trap.
You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for network
management stations to monitor the health and status of many types of devices, including switches,
routers, and sensors.
You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the management
station of significant events by way of an unsolicited SNMP message.
Trap-directed notification has the following advantageif a manager is responsible for a large number
of devices, and each device has a large number of objects, it is impractical to poll or request information
from every object on every device. The solution is for each agent on the managed device to notify the
manager without solicitation. It does this by sending a message known as a trap of the event.
After receiving the event, the manager displays it and can take an action based on the event. For example,
the manager can poll the agent directly, or poll other associated device agents to get a better
understanding of the event.
Tip Trap-directed notification results in substantial savings of network and agent resources by eliminating
frivolous SNMP requests. However, it is not possible to totally eliminate SNMP polling. SNMP requests
are required for discovery and topology changes. In addition, a managed device agent cannot send a trap
if the device has had a catastrophic outage.
This procedure describes how to configure SNMP on an IPS sensor so that you can manage the sensor
with an SNMP management station, including the configuration of traps.
Enable SNMP Gets/SetsSelect this option to enable the SNMP management workstation to
obtain (get) information, and to modify (set) values on the IPS sensor. If you do not enable this
option, the management workstation cannot manage this sensor.
Read-Only Community StringThe community string required for read-only access to the sensor.
SNMP get requests from the management station must supply this string to get responses from the
sensor. This string gives access to all SNMP get requests.
Read-Write Community StringThe community string required for read-write access to the
sensor. SNMP set requests from the management station must supply this string to get responses
from the sensor; it can also be used on get requests. This string gives access to all SNMP get and set
requests.
Step 3 If you want to configure SNMP traps, click the SNMP Trap Configuration tab and configure at least
the following options. For a complete description of all available options, see SNMP Trap Configuration
Tab, page 30-11.
Enable NotificationsSelect this option to allow the sensor to send SNMP traps.
Trap DestinationsAdd the SNMP management stations that should be trap destinations. Click the
Add Row (+) button to add a new destination, or select a destination and click the Edit Row (pencil)
button to change its configuration.
When adding or editing a trap destination, the trap community string that you enter overrides the
default community string entered on the SNMP Trap Configuration tab. The community string
appears in the traps sent to this destination and is useful if you are receiving multiple types of traps
from multiple agents. For example, a router or sensor could be sending the traps, and if you put
something that identifies the router or sensor specifically in your community string, you can filter
the traps based on the community string.
To remove a destination, select it and click the Delete Row (trash can) button.
Step 4 If you configure trap destinations, you must also ensure that the desired alerts include the Request
SNMP Trap action. You have the following options for adding this action:
(Easy way.) Create an event action override to add the Request SNMP Trap action to all alerts of a
specified risk rating (IPS > Event Actions > Event Action Overrides policy). For example, you
could generate traps for all alerts with a risk rating between 85-100. Event action overrides let you
add an action without individually editing each signature. For more information, see Configuring
Event Action Overrides, page 34-12.
(Precise way.) Edit the Signatures policy (IPS > Signatures > Signatures) to add the Request
SNMP Trap action to the signatures for which you want to send trap notifications. Traps are sent
only for signatures that you configure to send traps.
Note If the signature has Default for the source, you have to change the source to the Local
source before you can change the action. However, if you right-click the Action cell in
the signatures table and select Edit Actions, then select Request SNMP Trap (along
with any other desired action) and click OK, the source is automatically changed to
Local.
Step 5 Add the SNMP management stations to the Allowed Hosts policy. The management stations must be
allowed hosts to access the sensor. See Identifying Allowed Hosts, page 30-7.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector.
Select the General Configuration tab.
(Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the General Configuration tab.
Field Reference
Table 30-1 General Configuration Tab, SNMP Policy for IPS Sensors
Element Description
Enable SNMP Gets/Sets Whether to enable the SNMP management workstation to obtain (get)
information, and modify (set) values on the IPS sensor. If you do not
enable this option, the management workstation cannot manage this
sensor; the sensor will not respond to SNMP requests.
Read-Only Community The community string required for read-only access to the sensor.
String SNMP get requests from the management station must supply this
string to get responses from the sensor. This string gives access to all
SNMP get requests. Use the string to help identify the sensor.
Read-Write Community The community string required for read-write access to the sensor.
String SNMP set requests from the management station must supply this
string to get responses from the sensor; it can also be used on get
requests. This string gives access to all SNMP get and set requests. Use
the string to help identify the sensor.
Sensor Contact The network administrator or contact point who is responsible for this
sensor.
Sensor Location The physical location of the sensor, such as building address, name, and
room number.
Sensor Agent Port The port to use for SNMP get/set communication with the sensor. The
default is 161. The valid range is 1 to 65535.
Enter a port number or the name of a port list object, or click Select to
select a port list object from a list or to create a new object. The port list
object must identify a single port.
SNMP Agent Protocol The protocol you are using for SNMP, either UDP (the default) or TCP.
Select the protocol used by your SNMP management station.
Navigation Path
(Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector.
Select the SNMP Trap Configuration tab.
(Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an
existing policy or create a new one. Select the SNMP Trap Configuration tab.
Field Reference
Table 30-2 SNMP Trap Configuration Tab, SNMP Policy for IPS Sensors
Element Description
Enable Notifications Whether to enable the sensor to send trap notifications to the trap
destinations whenever a specific type of event occurs in a sensor. If you
do not select this option, the sensor does not send traps.
Tip To have the sensor send SNMP traps, you must also select
Request SNMP Trap as the event action when you configure
signatures. Traps are sent only for signatures that you configure
to send traps.
Error Filter The type of events that will generate SNMP traps based on the severity
of the event: fatal, error, or warning. Select all severities that you want;
use Ctrl+click to select multiple values.
The sensor sends notifications of events of the selected severities only.
Enable Detail Traps Whether to include the full text of the alert in the trap. If you do not
select this option, sparse mode is used. Sparse mode includes less than
484 bytes of text for the alert.
Default Trap Community The community string used for the traps if no specific string has been
String set for the trap destination in the Trap Destinations table.
Tip All traps carry a community string. By default, all traps that
have a community string identical to that of the destination are
taken by the destination. All other traps are discarded by the
destination. However, you can configure the destination to
determine which trap strings to accept.
Table 30-2 SNMP Trap Configuration Tab, SNMP Policy for IPS Sensors (Continued)
Element Description
Trap Destinations table The SNMP management stations that will be sent trap notifications.
The table shows the IP address of the management station, the
community string added to traps from this sensor, and the port to which
traps are sent.
To add a destination, click the Add Row button and fill in the Add
SNMP Trap Communication dialog box (see SNMP Trap
Communication Dialog Box, page 30-12).
To edit a destination, select it, click the Edit Row button and make
your changes.
To delete a destination, select it and click the Delete Row button.
Navigation Path
Go to the IPS Platform > Device Admin > Device Access > SNMP policy, select the SNMP Trap
Configuration tab, and click the Add Row button beneath the Trap Destinations table, or select a
destination in the table and click the Edit Row button. For more information, see SNMP Trap
Configuration Tab, page 30-11.
Field Reference
Element Description
IP Address The IP address of the SNMP management station that should receive
trap notifications. Enter the IP address or the name of a network/host
object, or click Select to select the object from a list or to create a new
object. The network/host object must specify a single host IP address.
Trap Community String The community string of the trap. If you do not enter a trap string, the
default trap string defined on the SNMP Trap Communication tab is
used for traps sent to this destination.
Trap Port The port used by the SNMP management station to receive traps. Enter
the port number or the name of a port list object, or click Select to select
the object from a list or to create a new one. The port list object must
identify a single port.
Tip If you change the password requirements, and then make changes to any local user account, the new
requirements must be met by all user accounts that have passwords managed by Security Manager. This
is because Security Manager reconfigures the passwords for all managed accounts if any single account
needs to be reconfigured.
The User Accounts policy allows you to centrally manage the local user accounts for your IPS devices.
Using a shared policy can help you ensure that all IPS devices contain the same accounts with the same
passwords. However, it is important to understand that passwords are encrypted, so Security Manager
cannot discover the actual passwords defined on the device. Security Manager manages the passwords
for an account only if you define that password in Security Manager. Security Manager does not manage
any user accounts defined in a RADIUS AAA server.
The following topics describe IPS user accounts, and Security Manager discovery and deployment
considerations, in more detail:
Understanding IPS User Roles, page 30-13
Understanding Managed and Unmanaged IPS Passwords, page 30-14
Understanding How IPS Passwords are Discovered and Deployed, page 30-15
Configuring IPS User Accounts, page 30-16
Configuring User Password Requirements, page 30-18
Configuring AAA Access Control for IPS Devices, page 30-19
Note The purpose of the Service account is to provide Cisco Technical Support access to
troubleshoot unique and unusual problems. It is not needed for normal system configuration
and troubleshooting. You should carefully consider whether you want to create a service
account. The service account provides shell access to the system, which makes the system
vulnerable. However, you can use the service account to create a password if the
administrator password is lost. Analyze your situation to decide if you want a service
account existing on the system.
Tip If you do not want to manage any user accounts in Security Manager, ensure that the User Accounts
policy is empty, or simply unassign the policy (right-click the policy and select Unassign Policy).
Security Manager will not modify user account configurations.
Tip The IPS sensor can accept public keys for RSA authentication when logging into the device through an
SSH client. Each user has an associated list of authorized keys. Users can use these keys instead of
passwords. Security Manager ignores these keys during discovery and deployment. Thus, if keys are
configured, Security Manager does not remove the configuration.
Related Topics
Discovering Policies, page 5-12
Deploying Configurations in Non-Workflow Mode, page 8-27
Deploying Configurations in Workflow Mode, page 8-32
Understanding Configuration Rollback, page 8-57
Understanding Rollback for IPS and IOS IPS, page 8-59
Tip Cisco IOS IPS devices use the same user accounts that are defined for the router. This procedure does
not apply to Cisco IOS IPS configurations.
Related Topics
Filtering Tables, page 1-33
Table Columns and Column Heading Features, page 1-34
The policy shows existing user accounts, including the username, role, and whether the password is
managed by Security Manager (as explained in Understanding Managed and Unmanaged IPS Passwords,
page 30-14).
Step 2 Do one of the following:
To add a user account, click the Add Row (+) button. This opens the Add User dialog box. Enter the
information required to define the account. For detailed information on the settings, see Add User
and Edit User Credentials Dialog Boxes, page 30-17.
To edit a user account, select it and click the Edit Row (pencil) button and make the required
changes in the Edit User dialog box.
You cannot change a user role to or from the Service role.
To delete a user account, select it and click the Delete Row (trash can) button. You cannot delete
the account named cisco.
Tip All password changes must meet the requirements of the Password Requirements policy. If you
change the requirements policy, all new user accounts, or edited accounts, are tested against the
new requirements. Although the passwords for existing unedited user accounts are not tested,
they too must meet the password requirements if you change any user account defined in this
policy, because Security Manager will deploy all of the accounts during the next configuration
deployment. Passwords are checked for conformity when you validate policies, which typically
happens when you submit changes to the database. For more information, see Understanding
How IPS Passwords are Discovered and Deployed, page 30-15.
Navigation Path
From the IPS platform User Accounts policy, click the Add Row (+) button to create a new account, or
select an existing account and click the Edit Row (pencil) button. For information on accessing the User
Accounts policy, see Configuring IPS User Accounts, page 30-16.
Field Reference
Element Description
User Name The username for the account. The name can be 1 to 64 characters,
including uppercase and lowercase letters and numbers, plus the special
characters ( ) + : , _ / - ] + $.
You cannot change the username when editing an account.
Password The password for this user account. Enter the password in both fields.
Confirm The password must conform to the Password Requirements policy for
IPS devices; see Configuring User Password Requirements,
page 30-18.
Element Description
Role The role for this user. For an explanation of these roles, see
Understanding IPS User Roles, page 30-13.
Tip When editing a user account, you cannot select the Service role.
When editing an account assigned to the Service role, you
cannot change the role.
Tip The requirements you define here determine what is considered an acceptable password in the User
Accounts policy (see Configuring IPS User Accounts, page 30-16). If you change this policy, it can be
applied even to unchanged user accounts. For more information about the implications of deploying
changes to this policy, see Understanding How IPS Passwords are Discovered and Deployed,
page 30-15.
Element Description
Attempt Limit How many times a user is allowed to try to log into the device before
you lock the user account due to excessive failed attempts.
The default is 0, which indicates unlimited authentication attempts. For
security purposes, you should change this number.
Size Range The minimum and maximum size allowed for user passwords; separate
the minimum and maximum with a hyphen. The range is 6 to 64
characters; the default is 8-64.
Tip If you configure non-zero values for any of the minimum
characters options, the minimum size you enter in the Size
Range field must be equal to or greater than the sum of those
values. For example, you cannot set a minimum password size
of eight and also require that passwords must contain at least
five lowercase and five uppercase characters.
Minimum Digit Characters The minimum number of numeric digits that must be in a password.
Element Description
Minimum Uppercase The minimum number of uppercase alphabet characters that must be in
Characters a password.
Minimum Lowercase The minimum number of lowercase alphabet characters that must be in
Characters a password.
Minimum Other Characters The minimum number of non-alphanumeric printable characters that
must be in a password.
Number of Historical The number of historical passwords that you want the sensor to
Passwords remember for each account. Any attempt to change the password of an
account fails if the new password matches any of the remembered
passwords. If you specify 0, no previous passwords are remembered.
Tip You must ensure that the user account configured in the device properties exists in the RADIUS server
or as a local user account, depending on the authorization method that you use. If you switch between
local and AAA modes, or change AAA servers, you must ensure that the account is defined in whatever
user account database you are using. If you are using AAA with local fallback, the account should be
defined in all databases. This account must exist, with the same password defined in the Security
Manager device properties for the device, or deployment to the device will fail. The user account used
for discovery and deployment must have administrator privileges.
Related Topics
Managing User Accounts and Password Requirements, page 30-13
Configuring IPS User Accounts, page 30-16
Note User role configuration is very important. If you do not assign a role to the user, either
through the default user role or in the RADIUS server, the sensor prevents user login
even if the RADIUS server accepted the username and password.
To assign roles specifically to users on the RADIUS server, you configure the Accept Message for
those accounts as either ips-role=administrator, ips-role=operator, ips-role=viewer, or
ips-role=service. You configure the Accept Message individually for each user account. An example
of a Reply attribute for a given user could be configured to return Hello <user> your
ips-role=operator.
If you configure a service account in the RADIUS server, you must also configure an identical
service account locally on the device. For service accounts, both the RADIUS and Local accounts
are checked during login.
Tip Check the time on your IPS sensor if you are having trouble updating your IPS software. If the time on
the sensor is ahead of the time on the associated certificate, the certificate is rejected, and the sensor
software update fails.
Tip The key and key ID are configured on the NTP server; you must obtain them from the NTP server
configuration.
Tip If your network requires HTTP proxies when making Internet connections, configure the HTTP Proxy
policy instead of the DNS policy. See Identifying an HTTP Proxy Server, page 30-22.
Note The AIP-SSC-5 service module does not support DNS servers.
Tip If you do not use HTTP proxies, configure DNS servers so that the IPS sensor can resolve the address
of the update server. See Identifying DNS Servers, page 30-22.
Note The AIP-SSC-5 service module does not support HTTP proxy servers.
Tip Management Center for Cisco Security Agents is no longer an active product. Configure this policy only
if you are still using that application. For more information, see About CSA MC in Installing and Using
Cisco Intrusion Prevention System Device Manager 6.0 and
http://www.cisco.com/en/US/products/sw/cscowork/ps5212/index.html.
Management Center for Cisco Security Agents enforces a security policy on network hosts. It has two
components:
Agents that reside on and protect network hosts.
A management console, which is an application that manages agents. It downloads security policy
updates to agents and uploads operational information from agents.
Step 1 Do one of the following to open the External Product Interface policy:
(Device view) Select Platform > Device Admin > Server Access > External Product Interface
from the Policy selector.
(Policy view) Select IPS > Platform > Device Admin > Server Access > External Product
Interface, then select an existing policy or create a new one.
The Management Center for Cisco Security Agents tab shows any existing definitions, including the
IP address (or network/host object), URL, and port of the external application, the username and
password used to log into it, and whether the connection is enabled. The interface type is always
Extended SDEE.
Navigation Path
From the External Product Interface IPS platform policy, click Add Row or select an entry and click
Edit Row. For information on opening the External Product Interface policy, see Configuring the
External Product Interface, page 30-23.
Field Reference
Element Description
External Products IP The IP address, or the network/host policy object that contains the
Address address, of the external product. Enter the IP address or object name, or
click Select to select an object from a list or to create a new one.
Interface Type Identifies the physical interface type, which is always Extended SDEE.
Enable receipt of information Whether information is allowed to be passed from the external product
to the sensor.
SDEE URL The URL on the CSA MC the IPS uses to retrieve information using
SDEE communication. You must configure the URL based on the
software version of the CSA MC that the IPS is communicating with as
follows:
For CSA MC version 5.0/csamc50/sdee-server.
For CSA MC version 5.1/csamc51/sdee-server.
For CSA MC version 5.2 and higher/csamc/sdee-server (the
default value).
Port The port, or the port list object that identifies the port, being used for
communications. Enter the port or port list name, or click Select to
select the object from a list or to create a new object.
User name A username and password that can log into the external product.
Password
Element Description
Enable receipt of host Whether to allow the receipt of host posture information from CSA
postures MC. The host posture information received from a CSA MC is deleted
if you disable this option.
Allow unreachable hosts Whether to allow the receipt of host posture information for hosts that
postures are not reachable by the CSA MC.
A host is not reachable if the CSA MC cannot establish a connection
with the host on any IP addresses in the hosts posture. This option is
useful in filtering the postures whose IP addresses may not be visible
to the IPS sensor or that might be duplicated across the network. This
filter is most applicable in network topologies where hosts that are not
reachable by the CSA MC are also not reachable by the IPS, for
example if the IPS and CSA MC are on the same network segment.
Posture ACL table Posture ACLs are network addresses for which host postures are
allowed or denied. Use posture ACLs to filter postures that have IP
addresses that might not be visible to the IPS or that might be
duplicated across the network.
To add a posture ACL, click the Add Row (+) button. This opens
the Add Posture ACL dialog box. For information on configuring
the Posture ACL, see Posture ACL Dialog Box, page 30-25.
To edit a posture ACL, select it and click the Edit Row (pencil)
button.
To delete a posture ACL, select it and click the Delete Row (trash
can) button.
To change the priority of an ACL, select it and click the Up or
Down button. ACLs are processed in order, and the action
associated with the first match is applied.
Enable receipt of watch listed Whether to allow the receipt of the watch list information from CSA
addresses MC. The watch list information received from a CSA MC is deleted if
you disable this option.
Manual Watch List RR The percentage of the manual watch list risk rating (RR). The default is
increase 25, and the valid range is 0 to 35.
Session-based Watch List RR The percentage of the session-based watch list risk rating. The default
Increase is 25, and the valid range is 0 to 35.
Packed-based Watch List RR The percentage of the packet-based watch list risk rating. The default is
Increase 10, and the valid range is 0 to 35.