
User Guide for Cisco Security Manager 3.1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-11501-03

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the
Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar,
Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration
Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient,
IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone,
MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect,
ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and
the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0807R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
User Guide for Cisco Security Manager 3.1
© 2002-2007 Cisco Systems, Inc. All rights reserved.

CONTENTS
Preface 81
Audience 1-81
Conventions 1-81
Product Documentation 1-82
Obtaining Documentation, Obtaining Support, and Security Guidelines 1-83

CHAPTER 1 Getting to Know Security Manager 1-1


What's New in Cisco Security Manager 3.1 1-1
Product Overview 1-4
Primary Benefits of Cisco Security Manager 3.1 1-5
Security Manager Feature Sets 1-7
Using Security Manager - Overview 1-10
Configuration Views 1-10
User Taskflow 1-11
Policy Overview 1-13
Workflow Overview 1-14
Getting Started Checklist 1-15
Using the JumpStart 1-16

CHAPTER 2 Performing Administrative Tasks 2-1


Define These Settings First 2-2
Setting Up User Permissions 2-3
Security Manager Permissions 2-4
View Permissions 2-5


Modify Permissions 2-14
Assign Permissions 2-23
Approve Permissions 2-26
Understanding CiscoWorks Roles 2-27
CiscoWorks Common Services Default Roles 2-27
Assigning Roles to Users in CiscoWorks Common Services 2-28
Understanding Cisco Secure ACS Roles 2-29
Cisco Secure ACS Default Roles 2-30
Customizing Cisco Secure ACS Roles 2-31
Default Associations Between Permissions and Roles in Security Manager 2-32
Integrating Security Manager with Cisco Secure ACS 2-34
ACS Integration Requirements 2-35
Checklist for Initial Cisco Secure ACS Setup 2-37
Integration Procedures Performed in Cisco Secure ACS 2-38
Defining Users and User Groups in Cisco Secure ACS 2-39
Adding Managed Devices as AAA Clients in Cisco Secure ACS 2-41
Creating an Administration Control User in Cisco Secure ACS 2-47
Integration Procedures Performed in CiscoWorks 2-47
Creating a Local User in CiscoWorks 2-48
Defining the System Identity User 2-49
Configuring the AAA Setup Mode in CiscoWorks 2-50
Restarting the Daemon Manager 2-51
Assigning Roles to User Groups in Cisco Secure ACS 2-52
Assigning Roles to User Groups Without NDGs 2-53
Associating NDGs and Roles with User Groups 2-54
Selecting a Workflow Mode 2-56
Working in Workflow Mode 2-56
Working in Non-Workflow Mode 2-57

Comparing the Two Workflow Modes 2-58


Enabling and Disabling Workflow Modes 2-59
Working with AutoLink 2-61
Defining Configuration Archive Settings 2-62
Customizing Your Desktop 2-64
Defining Deployment Settings 2-65
Defining Device Communication Settings 2-68
About Security Manager and Device Authentication 2-70
Defining Connection and Transport Protocol Settings in the UI 2-71
Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices 2-73
Defining SSH by Editing the DCS Properties File 2-74
Working with Device Groups 2-75
Defining Discovery Settings 2-76
Administering IPS Update Settings 2-77
Establishing the IPS Update Server 2-78
Administering IPS Updates 2-79
Automating IPS Updates 2-80
Administering Licenses 2-82
Installing Security Manager License Files 2-82
Updating IPS License Files 2-85
Redeploying IPS License Files 2-86
Automating IPS License File Updates 2-87
Getting Help with Licensing 2-87
Archiving Log Files 2-88
Defining Policy Management Settings 2-89
Defining Policy Object Settings 2-91
Working with Server Security 2-92
Working with Status Providers 2-94
Taking Over Another User's Work 2-96


Defining TMS (Token Management System) Settings 2-97
Configuring VPN Policy Defaults 2-98

CHAPTER 3 Working with the Security Manager User Interface 3-1


Logging In to and Exiting Security Manager 3-2
Logging In to the Cisco Security Management Suite Server 3-2
Logging In to and Exiting the Security Manager Client 3-3
Server Connection Status and the Idle Timeout 3-4
Security Manager User Interface Overview 3-4
Security Manager Views 3-5
Device View Interface Overview 3-6
Map View Interface Overview 3-7
Policy View Interface Overview 3-9
Menu Bar Reference 3-10
File Menu 3-10
Edit Menu 3-11
View Menu 3-12
Policy Menu 3-13
Map Menu 3-14
Tools Menu 3-15
Activities Menu 3-17
Help Menu 3-18
Toolbar Reference 3-19
Using Selectors 3-20
Selecting Items from Selectors 3-21
Managing Items in Selectors 3-21
Filtering Items in Selectors 3-21
Using Wizards 3-22
Using Rules Tables 3-22


Filtering Tables 3-24
Table Columns and Column Heading Features 3-26
Understanding Rules Table Sections 3-27
Working with Rules Table Data 3-27
Using Main Menu Table Commands 3-29
Using Rules Table Buttons 3-30
Using Text Boxes 3-30
Finding Text in Text Boxes 3-30
Navigating Within Text Boxes 3-31
Selecting a File or Directory on the Server File System 3-31
Accessing Online Help 3-32

CHAPTER 4 Using Map View 4-1


Understanding Maps 4-1
Working With Maps 4-2
Access Permissions for Maps 4-3
Creating Maps 4-3
Saving Maps 4-4
Opening Maps 4-4
Deleting Maps 4-5
Exporting Maps 4-6
Navigating Maps 4-7
Using the Navigation Window 4-7
Panning Maps 4-8
Changing the Zoom Level of Maps 4-8
Selecting Map Elements 4-9
Centering Map Elements 4-9
Using Map Layouts 4-9

Undocking the Map Window 4-9


Searching for Map Elements 4-10
Refreshing Maps 4-10
Using Linked Maps 4-11
Using the Default Map 4-11
Changing the Map Background Color 4-12
Working With Map Background Images 4-13
Importing Map Background Images 4-13
Setting Map Background Images 4-14
Deleting Map Background Images 4-14
Using Background Image Coordinates and Scale 4-15
Displaying Your Network on the Map 4-16
Understanding Map Elements 4-16
Displaying Managed Devices on the Map 4-17
Adding a New Managed Device to the Map 4-17
Displaying an Existing Managed Device on the Map 4-18
Showing Containment of Catalyst Switches, Firewalls, and Adaptive Security Appliances 4-19
Displaying Devices on the Map from the Device View 4-19
Using Map Objects To Represent Network Topology 4-20
Adding Map Objects 4-20
Deleting Map Objects 4-21
Displaying Layer 3 Links on the Map 4-21
Creating Layer 3 Links 4-22
Deleting Layer 3 Links 4-23
Understanding Automatic Layer 3 Connectivity Display 4-23
Managing Firewall Services in Map View 4-24
Managing Firewall Policies (Map View) 4-24
Managing Firewall Access Rules (Map View) 4-24
Managing Firewall Inspection Rules (Map View) 4-25

Managing Firewall AAA Rules (Map View) 4-25


Managing Web Filter Rules (Map View) 4-26
Managing Firewall Transparent Rules (Map View) 4-26
Managing Firewall Settings (Map View) 4-27
Managing Firewall Access Control Settings (Map View) 4-27
Managing Firewall Inspection Settings (Map View) 4-27
Managing AuthProxy Firewall Settings (Map View) 4-28
Managing Web Filter Settings (Map View) 4-28
Managing VPNs in Map View 4-29
Creating VPN Topologies (Map View) 4-29
Creating a Point-to-Point VPN Connection 4-30
Creating Full Mesh or Hub and Spoke VPNs (Map View) 4-30
Editing VPN Policies From the Map 4-31
Editing VPN Peers From the Map 4-32
Displaying Existing VPNs on the Map 4-33
Adding and Removing VPN Tunnels on the Map 4-33
Listing VPN Peers on the Map 4-34
Managing Device Policies in Map View 4-34
Copying Policies Between Devices (Map View) 4-35
Sharing Device Policies (Map View) 4-35
Cloning Devices (Map View) 4-36
Previewing Device Configuration 4-36
Discovering Device Configurations 4-36

CHAPTER 5 Managing Devices 5-1


Preparing the Devices for Security Manager to Manage 5-2
Setting Up SSL 5-4
Setting Up SSL on PIX Firewall, ASA, and FWSM Devices 5-5
Setting Up SSL on Cisco IOS Routers 5-6
Setting Up SSH 5-9
Critical Line-ending Conventions for SSH 5-9


Testing Authentication 5-9
Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices 5-10
Preventing Non-SSH Connections - Optional 5-11
Setting Up AUS 5-13
Setting Up AUS on PIX Firewall and ASA Devices 5-13
Setting Up CNS Gateway on an Auto Update Server 5-14
Setting Up CNS 5-15
Setting Up CNS on PIX Firewall and ASA Devices 5-15
Setting Up CNS on Cisco IOS Routers 5-15
Setting Up TMS 5-21
Changing the Device Transport Protocol on Cisco IOS Routers 5-22
Initializing IPS Devices 5-23
Understanding the Device View 5-24
Filtering the Device Selector 5-28
Adding Devices to the Security Manager Inventory 5-30
Adding Catalyst 6500/7600 Devices from the Network 5-33
Adding VPN SPA Slot Locations 5-35
Working with Devices with Dynamically Assigned IP Addresses 5-36
Understanding Auto Update Server and Configuration Engine 5-36
Adding an Auto Update Server or Configuration Engine 5-37
Adding an Auto Update Server or Configuration Engine When Adding a New Device 5-38
Adding an Auto Update Server When Adding a Device from Network 5-39
Editing the Auto Update Server or Configuration Engine Information 5-40
Editing an Auto Update Server or Configuration Engine When Adding a New Device 5-41
Editing the Auto Update Server Information when Adding Device from Network 5-42
Understanding Device Credentials 5-43


Working with Device Connectivity Test 5-45
Understanding Device Connectivity Test 5-45
Verifying Device Connectivity from Security Manager 5-47
Testing Device Connectivity While Adding a Device from the Network 5-47
Testing Device Connectivity While Adding a New Device 5-49
Testing Device Connectivity After Adding a Device to Security Manager 5-50
Understanding Device Properties 5-51
Defining Device Properties 5-53
Working with Device Policies 5-54
Cloning a Device 5-55
Deleting Devices from the Security Manager Inventory 5-56
Understanding Device Grouping 5-57
Working With Device Groups 5-59
Creating Device Group Types 5-59
Creating Device Groups 5-60
Deleting Device Group Types, Device Groups, or Subgroups 5-61
Adding Devices to Device Groups 5-62

CHAPTER 6 Managing Policies 6-1


Understanding Policies 6-1
Settings-Based Policies vs. Rule-Based Policies 6-2
Service Policies vs. Platform-Specific Policies 6-3
Local Policies vs. Shared Policies 6-4
Policy Management and Objects 6-6
Discovering Policies 6-7
Discovering Policies on Devices Already in Security Manager 6-10

Viewing Policy Discovery Task Status 6-12


Frequently Asked Questions about Policy Discovery 6-13
Managing Policies in Device View 6-20
Performing Basic Policy Management 6-20
Configuring Local Policies in Device View 6-21
Policy Status Icons 6-22
Copying Policies Between Devices 6-23
Unassigning a Policy 6-25
Working with Shared Policies in Device View 6-27
Sharing a Local Policy 6-28
Sharing Multiple Policies of a Selected Device 6-30
Unsharing a Policy 6-32
Assigning a Shared Policy to a Selected Device 6-33
Adding Local Rules to a Shared Policy 6-34
Copying a Shared Policy 6-36
Renaming a Shared Policy 6-37
Modifying Shared Policy Definitions in Device View 6-38
Modifying Shared Policy Assignments in Device View 6-39
Managing Shared Policies in Policy View 6-40
Policy View Selectors 6-42
Filtering the Shared Policy Selector 6-43
Policy View Work Area 6-44
Creating a New Shared Policy 6-45
Modifying Policy Assignments in Policy View 6-46
Deleting a Shared Policy 6-48
Advanced Policy Features 6-49
Customizing Policy Management 6-49
Understanding Rule Inheritance 6-50
Inheritance vs. Assignment 6-53
Inheriting Rules 6-54
Understanding Locking 6-55


Understanding Locking and Policies 6-57
Understanding Locking and VPN Topologies 6-58
Understanding Locking and Objects 6-59

CHAPTER 7 Managing Activities 7-1


Understanding Activities 7-2
Benefits of Activities 7-3
Activity Approval 7-3
Activities and Locking 7-4
Activities and Multiple Users 7-5
Understanding Activity States 7-5
Working with Activities 7-9
Accessing Activity Functions 7-9
Creating an Activity 7-11
Opening an Activity 7-12
Closing an Activity 7-12
Validating an Activity 7-13
Submitting an Activity for Approval 7-14
Approving or Rejecting an Activity 7-16
Understanding Activity Change Reports 7-17
Discarding an Activity 7-19
Displaying Activity Details 7-19
Displaying Activity History 7-20

CHAPTER 8 Managing Objects 8-1


Introduction to Objects 8-1
Creating Objects 8-2
Guidelines for Managing Objects 8-4

Understanding the Policy Object Manager Window 8-5


Object Type Selector 8-7
Policy Object Manager - Filtering Bar 8-7
Policy Object Manager - Work Area 8-8
Managing Existing Objects 8-9
Editing Objects 8-10
Deleting Objects 8-11
Managing Object Overrides 8-12
Duplicating Objects 8-13
Generating Object Usage Reports 8-14
Viewing Object Details 8-15
Understanding AAA Server Group Objects 8-16
Predefined AAA Authentication Server Groups 8-17
Default AAA Server Groups and IOS Devices 8-18
Creating AAA Server Group Objects 8-19
Understanding AAA Server Objects 8-23
Supported AAA Server Types 8-25
AAA Support on ASA Devices 8-26
Creating AAA Server Objects 8-29
Understanding Access Control List Objects 8-31
Understanding the GUI 8-35
Creating Access Control List Objects 8-36
Creating Extended Access Control List Objects 8-36
Creating Standard Access Control List Objects 8-39
Creating Web Access Control List Objects 8-41
Understanding ASA User Group Objects 8-43
Creating ASA User Group Objects 8-45
Understanding Category Objects 8-48
Editing Category Objects 8-49

Understanding Credential Objects 8-50


Creating Credential Objects 8-50
Understanding FlexConfig Objects 8-52
Creating FlexConfig Objects 8-53
Understanding IKE Proposal Objects 8-54
Creating IKE Proposal Objects 8-55
Understanding Inspection Map Objects 8-57
Creating DNS Class Map Objects 8-59
Creating FTP Class Map Objects 8-61
Creating HTTP Class Map Objects 8-63
Creating IM Class Map Objects 8-67
Creating SIP Class Map Objects 8-70
Understanding DNS Policy Maps 8-72
Creating DNS Map Objects 8-73
Understanding FTP Policy Maps 8-76
Creating FTP Map Objects 8-76
Understanding GTP Policy Maps 8-79
Creating GTP Map Objects 8-80
Understanding HTTP Policy Map Objects 8-83
Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) 8-84
Configuring the General Tab 8-85
Configuring the Entity Length Tab 8-87
Configuring the RFC Request Method Tab 8-88
Configuring the Extension Request Method Tab 8-90
Configuring the Port Misuse Tab 8-91
Configuring the Transfer Encoding Tab 8-93
Creating HTTP Map Objects (ASA 7.2/PIX 7.2) 8-94
Understanding IM Map Objects 8-99
Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices 8-99
Creating IM Map Objects for IOS Devices 8-102
Understanding SIP Map Objects 8-104


Creating SIP Map Objects 8-104
Creating Regular Expression Group Objects 8-107
Creating Regular Expression Objects 8-109
Metacharacters Used to Build Regular Expressions 8-111
Notes 8-113
Creating TCP Map Objects 8-113
Understanding Interface Role Objects 8-115
Creating Interface Role Objects 8-116
Specifying Interfaces During Policy Definition 8-118
Exceptional Cases When Using Interface Roles 8-119
Understanding IPsec Transform Set Objects 8-120
IPsec Protocols 8-121
IPsec Modes 8-122
Creating IPsec Transform Set Objects 8-122
Understanding LDAP Attribute Map Objects 8-124
Creating LDAP Attribute Map Objects 8-125
Understanding Network/Host Objects 8-127
Supported IP Address Formats 8-128
Contiguous and Discontiguous Network Masks 8-129
Creating Network/Host Objects 8-131
Using Unspecified Network/Host Objects 8-134
Specifying IP Addresses During Policy Definition 8-135
Understanding PKI Enrollment Objects 8-136
Creating PKI Enrollment Objects 8-138
Defining CA Server Properties 8-140
Defining PKI Enrollment Parameters 8-142
Defining Additional PKI Attributes 8-145
Defining the Trusted CA Hierarchy 8-146

Understanding Port Forwarding List Objects 8-147


Creating Port Forwarding List Objects 8-148
Understanding Port List Objects 8-150
Creating Port List Objects 8-151
Understanding Secure Desktop Configuration Objects 8-153
Creating Secure Desktop Configuration Objects 8-154
Understanding Service Group Objects 8-157
Creating Service Group Objects 8-157
Understanding Service Objects 8-159
Creating Service Objects 8-160
Understanding Single Sign-On Server Objects 8-162
Creating Single Sign-On Server Objects 8-164
Understanding SLA Monitor Objects 8-166
Creating SLA Monitor Objects 8-167
Understanding Style Objects 8-169
Creating Style Objects 8-170
Understanding Text Objects 8-171
Creating Text Objects 8-172
Understanding Time Range Objects 8-173
Creating Time Range Objects 8-174
Creating Traffic Flow Objects 8-176
Understanding IP Precedence Bits 8-178
Understanding URL List Objects 8-179
Creating URL List Objects 8-179
Understanding User Group Objects 8-181
Creating User Group Objects 8-182
Understanding SSL VPN Customization Objects 8-186
Creating SSL VPN Customization Objects 8-187

Understanding SSL VPN Gateway Objects 8-191


Creating SSL VPN Gateway Objects 8-192
Understanding WINS Server List Objects 8-194
Creating WINS Server List Objects 8-195
Overriding Global Objects for Individual Devices 8-197
Allowing a Global Object to Be Overridden 8-198
Creating Device-Level Object Overrides 8-199
Creating Object Overrides for a Single Device 8-199
Creating Object Overrides for Multiple Devices 8-200
Deleting Device-Level Object Overrides 8-202
Deleting Overrides from the Device Properties Window 8-202
Deleting Overrides from the Policy Object Manager window 8-202
Selecting Objects for Policies 8-203
Filtering Object Selectors 8-207
Object Filtering Options 8-209
How Policy Objects are Provisioned as PIX/ASA Object Groups 8-211
How Network/Host Objects are Provisioned as PIX/ASA Object Groups 8-212
How Port List Objects are Provisioned as PIX/ASA Object Groups 8-214
How Service Objects are Provisioned as PIX/ASA Object Groups 8-215
How Service Group Objects are Provisioned as PIX/ASA Object Groups 8-218

CHAPTER 9 Managing Site-to-Site VPNs 9-1


Understanding VPN Topologies 9-2
Hub-and-Spoke VPN Topologies 9-3
Point-to-Point VPN Topologies 9-5
Full Mesh VPN Topologies 9-6
Implicitly Supported Topologies 9-8
Understanding IPsec Technologies and Policies 9-8
Understanding VPN Default Policies 9-12

Site-To-Site VPN Discovery 9-13


Supported Technologies and Topologies for VPN Discovery 9-13
Prerequisites for VPN Discovery 9-14
VPN Discovery Rules 9-16
Discovering Site-to-Site VPNs 9-17
Rediscovering Site-to-Site VPNs 9-18
Working with VPN Topologies 9-20
Creating a VPN Topology 9-20
Defining a Name and IPsec Technology 9-22
About Selecting Devices in a VPN Topology 9-23
Selecting Devices for Your VPN Topology 9-25
About Defining and Editing the Endpoints and Protected Networks 9-26
Defining the Endpoints and Protected Networks 9-28
Assigning Default Policies to Your VPN Topology 9-31
About Editing a VPN Topology 9-33
Editing a VPN Topology 9-35
Deleting a VPN Topology 9-37
Understanding Dial Backup 9-37
Configuring Dial Backup 9-39
Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface 9-40
Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade 9-42
Procedure for Configuring a VPNSM or VPN SPA Blade 9-44
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA 9-48
Understanding VRF-Aware IPsec 9-51
VRF-Aware IPsec One-Box Solution 9-52
VRF-Aware IPsec Two-Box Solution 9-53
Configuring VRF-Aware IPsec Settings 9-55
Understanding High Availability 9-58
Configuring High Availability in Your VPN Topology 9-60

Managing VPN Devices in Device View 9-62


Working with Site-to-Site VPN Policies 9-64
Managing Shared Site-to-Site VPN Policies in Policy View 9-65
Understanding IKE 9-67
Deciding Which Encryption Algorithm to Use 9-68
Deciding Which Hash Algorithm to Use 9-69
Deciding Which Diffie-Hellman Group to Use 9-69
Deciding Which Authentication Method to Use 9-70
Configuring an IKE Proposal 9-71
Understanding IPsec Tunnel Policies 9-72
About Crypto Maps 9-73
About Transform Sets 9-74
About Reverse Route Injection 9-76
Configuring IPsec Proposals 9-77
Understanding VPN Global Settings 9-78
Understanding ISAKMP/IPsec Settings 9-79
Understanding NAT 9-80
Understanding Fragmentation 9-82
Configuring VPN Global Settings 9-83
Understanding Preshared Key Policies 9-84
Configuring Preshared Key Policies 9-86
Understanding Public Key Infrastructure Policies 9-87
Prerequisites for Successful PKI Enrollment 9-89
Configuring Public Key Infrastructure Policies 9-92
Understanding GRE 9-94
Understanding GRE Configuration for Dynamically Addressed Spokes 9-98
Configuring GRE or GRE Dynamic IP Policies 9-99
Understanding DMVPN 9-101
Configuring DMVPN Policies 9-104

Configuring Large Scale DMVPNs 9-107


Understanding Easy VPN 9-109
Configuring an IPsec Proposal for Easy VPN 9-115
Configuring a User Group Policy for Easy VPN 9-117
Configuring a Tunnel Group Policy for Easy VPN 9-119
Configuring Client Connection Characteristics for Easy VPN 9-121

CHAPTER 10 Managing Remote Access VPNs 10-1


Discovering Remote Access VPN Policies 10-2
Working with Policies in Remote Access VPNs 10-3
Using the Remote Access Configuration Wizard 10-4
User Group Policies in Remote Access VPNs 10-6
Configuring User Group Policies 10-7
Tunnel Group Policies in Remote Access VPNs 10-8
Configuring Tunnel Group Policies 10-9
Assigning the Default Remote Access VPN Policies 10-11
IPsec Proposals in Remote Access VPNs 10-12
Configuring an IPsec Proposal on a Remote Access VPN Server 10-14
IKE Proposals in Remote Access VPNs 10-18
Configuring IKE Proposals on a Remote Access VPN Server 10-18
High Availability in Remote Access VPNs 10-19
Configuring a High Availability Policy 10-20
Cluster Load Balancing 10-22
Configuring a Cluster Load Balance Policy 10-23
Public Key Infrastructure Policies in Remote Access VPNs 10-24
Configuring a PKI Policy in a Remote Access VPN 10-25
VPN Global Settings in Remote Access VPNs 10-27
Configuring Global Settings in a Remote Access VPN 10-27
DN Matching Policies 10-30
Configuring a DN Matching Policy 10-31
DN Matching Rules 10-32


Configuring a DN Matching Rules Policy 10-33
Managing Shared Remote Access VPN Policies in Policy View 10-35

CHAPTER 11 Managing SSL VPNs 11-1


SSL VPN Access Modes 11-3
Working with SSL VPN Policies 11-5
Configuring SSL VPN on an IOS Device 11-6
Using the Wizard to Create an IOS SSL VPN Connection 11-7
Configuring an SSL VPN Gateway and Context 11-7
Customizing the SSL VPN Portal Page 11-10
Configuring an SSL VPN Policy (IOS) 11-11
Configuring General Settings for an IOS SSL VPN Policy 11-12
Configuring the Portal Page for an IOS SSL VPN Policy 11-14
Configuring the Secure Desktop Software for an IOS SSL VPN Policy 11-15
Configuring Advanced Settings for an IOS SSL VPN Policy 11-16
Understanding User Groups in SSL VPN 11-17
Configuring User Groups on an IOS Device 11-19
Configuring User Groups on an ASA Device 11-20
Creating a New User Group 11-22
Defining the User Group Name and Access Methods 11-22
Configuring the Full Tunnel Access Mode 11-24
Configuring the Clientless and Thin Client Access Modes 11-26
Configuring SSL VPN on an ASA Device 11-28
Using the Wizard to Create an ASA SSL VPN Connection Profile 11-28
Defining the ASA SSL VPN Access Parameters 11-29
Defining the ASA SSL VPN Connection Profile Parameters 11-30
Configuring SSL VPN Policies on an ASA Device 11-33
Configuring an Access Policy 11-33

Understanding SSL VPN Connection Profile Policies 11-35


Configuring an SSL VPN Connection Profile Policy 11-36
Configuring ASA User Groups Policy in Your SSL VPN 11-43
Configuring the Cisco Secure Desktop Software 11-45
Configuring Global Settings 11-47

CHAPTER 12 Managing Firewall Services 12-1


Managing Your Rules Tables 12-5
Using Analysis 12-6
Generating Analysis Reports 12-8
Combining Rules 12-11
Combined Rules Criteria Notes 12-13
Defining Combined Rules Criteria 12-15
Understanding Combined Rules Summary Results 12-16
Using Find and Replace 12-18
Find and Replace Notes 12-19
How Regular Expressions are Supported in Find and Replace 12-20
Defining Find and Replace Criteria 12-22
Using Hit Count 12-24
Generating Hit Count Reports 12-25
Understanding Hit Count Results 12-26
Changing How Hit Count Results Are Displayed 12-27
Importing Rules 12-32
Notes 12-33
Extended Access List: Example 1 12-34
Extended Access List: Example 2 12-34
Standard Access List: Example 12-35
How to Import Rules 12-36
Using Policy Query 12-37
Generating Policy Query Reports 12-39
Understanding Policy Query Results 12-40


Understanding Rule Table Sections 12-44
Notes About Rule Table Sections 12-44
Adding Rule Table Sections 12-45
Adding Rules to an Existing Table Section 12-46
Removing Rules from an Existing Table Section 12-46
Editing a Rule Table Section 12-46
Removing a Rule Table Section 12-47
Optimizing Policy Objects in Rules 12-47
Notes about Policy Object Optimization 12-48
Expanding Object Groups During Discovery 12-49
Understanding Access Rules 12-49
How Access Rules Are Recognized on Devices 12-51
Notes About Access Rules 12-52
How ACL Names Are Generated 12-53
Preserving User-Defined ACL Names 12-56
Naming Conflicts and Resolutions 12-57
Identifying Original ACL Names 12-58
Notes 12-59
Working with Access Rules 12-59
Logging Events for an ACE 12-60
Adding Access Rules 12-61
Editing Access Rules 12-65
Enabling and Disabling Access Rules 12-68
Cutting, Copying, and Pasting Access Rules 12-69
Moving Access Rules Up and Down 12-70
Deleting Access Rules 12-71
Understanding Inspection Rules 12-72
Working with Inspection Rules 12-73
Adding Inspection Rules 12-74
Configuring Default Protocol Ports 12-77


Configuring Custom Destination Ports 12-78
Configuring Destination Address and Port (IOS) 12-79
Configuring Source and Destination Address and Port (ASA, FWSM 3.x) 12-81
Editing Inspection Rules 12-83
Enabling and Disabling Inspection Rules 12-86
Cutting, Copying, and Pasting Inspection Rules 12-86
Moving Inspection Rules Up and Down 12-87
Deleting Inspection Rules 12-88
Working with AAA Rules 12-89
Adding AAA Rules 12-91
Editing AAA Rules 12-94
Enabling and Disabling AAA Rules 12-96
Cutting, Copying, and Pasting AAA Rules 12-97
Moving AAA Rules Up and Down 12-99
Deleting AAA Rules 12-100
Understanding Web Filter Rules 12-101
Working with Web Filter Rules 12-101
Adding Web Filter Rules (PIX/ASA) 12-103
Editing Web Filter Rules (PIX/ASA) 12-106
Enabling and Disabling Web Filter Rules (PIX/ASA) 12-108
Cutting, Copying, and Pasting Web Filter Rules (PIX/ASA) 12-109
Moving Web Filter Rules Up and Down (PIX/ASA) 12-110
Deleting Web Filter Rules (PIX/ASA) 12-111
Adding Web Filter Rules (IOS) 12-112
Editing Web Filter Rules (IOS) 12-115
Deleting Web Filter Rules (IOS) 12-116
Adding Exclusive Domains (IOS) 12-117
Editing Exclusive Domains (IOS) 12-119
Deleting Exclusive Domains (IOS) 12-120


Working with Transparent Firewall Rules 12-122
Adding Transparent Rules 12-123
Editing Transparent Rules 12-125
Enabling and Disabling Transparent Rules 12-127
Cutting, Copying, and Pasting Transparent Rules 12-128
Moving Transparent Rules Up and Down 12-129
Deleting Transparent Rules 12-130
Understanding Firewall Settings 12-131
Understanding Settings for Access Controls 12-132
Object Group Search (PIX/ASA/FWSM) 12-133
Per User Downloadable ACLs (PIX/ASA/FWSM) 12-135
Access List Compilation (PIX) 12-138
Configuring Settings for Access Control 12-140
Configuring Firewall ACL Settings 12-142
Configuring Settings for Inspection Rules 12-143
Supported Features for Inspection 12-145
Configuring Settings for AAA 12-146
Configuring Settings for AAA Firewall (PIX/ASA/FWSM) 12-147
Understanding MAC Exempt Address Lists 12-149
Configuring Settings for AAA (IOS) 12-152
Configuring Settings for Web Filter Servers 12-156
Adding Settings for Web Filter Server Configuration 12-158
Editing Settings for Web Filter Server Configuration 12-160
Deleting Settings for Web Filter Server Configuration 12-161

CHAPTER 13 Managing IPS Services 13-1


Understanding Network Sensing 13-2
Configuring Interfaces 13-2
Understanding Interfaces 13-3


Configuring Physical Interfaces 13-4


Configuring Bypass Mode 13-4
Configuring Inline Pairs 13-5
Configuring VLAN Pairs 13-6
Configuring VLAN Groups 13-7
Interface Summary 13-9
Configuring Signatures 13-9
Understanding Signatures 13-9
Accessing the Cisco NSDB 13-10
Understanding Signature Inheritance 13-11
Editing Signatures - Severity, Fidelity Rating, and Action 13-12
Enabling and Disabling Signatures 13-14
Cloning Signatures 13-14
Adding Custom Signatures 13-15
Editing Signature Parameters (Tuning Signatures) 13-16
Configuring Signature Settings 13-17
Configuring Anomaly Detection 13-18
Explaining Anomaly Detection 13-18
Worm Viruses 13-19
Learning Mode 13-20
Anomaly Detection Zones 13-20
Configuring Event Actions 13-21
Configuring Event Action Filters 13-22
Configuring Event Action Overrides 13-22
Configuring Network Information 13-22
Understanding Target Value Ratings 13-23
Configuring Target Value Ratings 13-23
Configuring OS Identification (Cisco IPS 6.x Sensors Only) 13-23
Configuring Settings for Event Actions 13-24
Configuring Policies Specific to IOS IPS Devices 13-24

Understanding Cisco IOS IPS 13-25


Limitations and Restrictions 13-25
Preparation for Use 13-26
Signatures 13-26
Signature Sets in Previous Versions of IOS IPS 13-26
General Settings 13-27
Interface Rules 13-27

CHAPTER 14 Managing Routers 14-1


Configuring Routers Running IOS Software Releases 12.1 and 12.2 14-3
Discovering Router Policies 14-4
NAT on Cisco IOS Routers 14-5
Designating Inside and Outside Interfaces 14-6
Defining Static NAT Rules 14-8
Defining a Static NAT Rule for a Host 14-8
Defining a Static NAT Rule for a Subnet 14-11
Defining a Static NAT Rule for a Port 14-13
Disabling the Alias Option for Attached Subnets 14-15
Disabling the Payload Option for Overlapping Networks 14-16
Defining Dynamic NAT Rules 14-16
Specifying NAT Timeouts 14-20
Basic Interface Settings on Cisco IOS Routers 14-21
Available Interface Types 14-22
Defining Basic Router Interface Settings 14-24
Generating an Interface Name 14-27
Deleting a Cisco IOS Router Interface 14-28
Advanced Interface Settings on Cisco IOS Routers 14-29
Understanding Helper Addresses 14-30
Defining Advanced Interface Settings 14-32


Dialer Interfaces on Cisco IOS Routers 14-34


Defining Dialer Profiles 14-35
Defining BRI Interface Properties 14-37
ADSL on Cisco IOS Routers 14-39
Supported ADSL Operating Modes 14-41
Defining ADSL Settings 14-42
SHDSL on Cisco IOS Routers 14-44
Defining SHDSL Controllers 14-46
PVCs on Cisco IOS Routers 14-47
Understanding Virtual Paths and Virtual Channels 14-48
Understanding ATM Service Classes 14-50
Understanding ATM Management Protocols 14-52
Understanding ILMI 14-52
Understanding OAM 14-53
Defining ATM PVCs 14-55
Defining OAM Management on ATM PVCs 14-59
PPP on Cisco IOS Routers 14-61
Understanding Multilink PPP (MLP) 14-62
Defining PPP Connections 14-63
Defining Multilink PPP Bundles 14-66
AAA on Cisco IOS Routers 14-68
Supported Authorization Types 14-69
Supported Accounting Types 14-70
Understanding Method Lists 14-71
Defining AAA Services 14-72
User Accounts and Device Credentials on Cisco IOS Routers 14-75
Defining Accounts and Credential Policies 14-75
Bridging on Cisco IOS Routers 14-77
Bridge-Group Virtual Interfaces 14-78


Defining Bridge Groups 14-80


Time Zone Settings on Cisco IOS Routers 14-81
Defining Time Zone and DST Settings 14-82
CPU Utilization Settings on Cisco IOS Routers 14-83
Defining CPU Utilization Settings 14-84
HTTP and HTTPS on Cisco IOS Routers 14-85
Defining HTTP Policies 14-86
Line Access on Cisco IOS Routers 14-89
Defining Console Port Setup Parameters 14-90
Defining Console Port AAA Settings 14-92
Defining VTY Line Setup Parameters 14-94
Defining VTY Line AAA Settings 14-98
Optional SSH Settings on Cisco IOS Routers 14-100
Defining Optional SSH Settings 14-100
SNMP on Cisco IOS Routers 14-103
Defining SNMP Agent Properties 14-104
Enabling SNMP Traps 14-106
DNS on Cisco IOS Routers 14-107
Defining DNS Policies 14-108
Hostnames and Domain Names on Cisco IOS Routers 14-109
Defining Hostname Policies 14-110
Memory Settings on Cisco IOS Routers 14-111
Defining Router Memory Settings 14-111
Secure Device Provisioning on Cisco IOS Routers 14-112
Contents of Bootstrap Configuration 14-114
Secure Device Provisioning Workflow 14-114
Defining Secure Device Provisioning Policies 14-115
Configuring a AAA Server Group for Administrative Introducers 14-119
DHCP on Cisco IOS Routers 14-119

Understanding DHCP Database Agents 14-120


Understanding DHCP Relay Agents 14-121
Understanding DHCP Option 82 14-122
Understanding Secured ARP 14-122
Defining DHCP Policies 14-123
Defining DHCP Address Pools 14-125
NTP on Cisco IOS Routers 14-126
Defining NTP Servers 14-127
802.1x on Cisco IOS Routers 14-129
Understanding 802.1x Device Roles 14-130
802.1x Interface Authorization States 14-131
Topologies Supported by 802.1x 14-132
Defining 802.1x Policies 14-133
Network Admission Control on Cisco IOS Routers 14-136
Router Platforms Supporting NAC 14-137
Understanding NAC Components 14-138
Understanding NAC System Flow 14-139
Defining NAC Setup Parameters 14-140
Defining NAC Interface Parameters 14-142
Defining NAC Identity Parameters 14-145
Logging on Cisco IOS Routers 14-146
Understanding Log Message Severity Levels 14-147
Defining Logging Setup Parameters 14-148
Defining Syslog Servers 14-151
Quality of Service on Cisco IOS Routers 14-153
Quality of Service and CEF 14-154
Understanding Matching Parameters 14-154
Understanding Marking Parameters 14-155
Understanding Queuing Parameters 14-157
Tail Drop vs. WRED 14-158

Low-Latency Queuing 14-160


Default Class Queuing 14-160
Understanding Policing and Shaping Parameters 14-161
Understanding the Token-Bucket Mechanism 14-163
Understanding Control Plane Policing 14-166
Defining QoS Policies 14-167
Defining QoS on Interfaces 14-167
Defining QoS on the Control Plane 14-171
Defining QoS Class Matching Parameters 14-172
Defining QoS Class Marking Parameters 14-175
Defining QoS Class Queuing Parameters 14-176
Defining QoS Class Policing Parameters 14-178
Defining QoS Class Shaping Parameters 14-180
BGP Routing on Cisco IOS Routers 14-181
Defining BGP Routes 14-183
Redistributing Routes into BGP 14-185
EIGRP Routing on Cisco IOS Routers 14-187
Defining EIGRP Routes 14-188
Defining EIGRP Interface Properties 14-190
Redistributing Routes into EIGRP 14-193
OSPF Routing on Cisco IOS Routers 14-195
Defining OSPF Process Settings 14-196
Defining OSPF Area Settings 14-197
Redistributing Routes into OSPF 14-199
Defining OSPF Redistribution Mappings 14-200
Defining OSPF Maximum Prefix Values 14-202
Defining OSPF Interface Settings 14-204
Understanding Interface Cost 14-206
Understanding Interface Priority 14-207
Disabling MTU Mismatch Detection 14-207

Blocking LSA Flooding 14-208


Understanding OSPF Timer Settings 14-209
Understanding the OSPF Network Type 14-210
Understanding OSPF Interface Authentication 14-211
RIP Routing on Cisco IOS Routers 14-212
Defining RIP Setup Parameters 14-213
Defining RIP Interface Authentication Settings 14-214
Redistributing Routes into RIP 14-216
Static Routing on Cisco IOS Routers 14-217
Defining Static Routes 14-218

CHAPTER 15 Managing Firewall Devices 15-1


Understanding Factory-Default Configurations 15-2
Configuring Firewall Device Interfaces 15-3
Understanding ASA 5505 Ports and Interfaces 15-4
Enabling Traffic between Interfaces with the Same Security Level 15-5
Configuring PIX 7.0/ASA Interfaces in Single Context Mode 15-6
Checklist for Configuring PIX 7.0/ASA Interfaces in Multi Context Mode 15-10
Configuring Physical Interfaces of a PIX 7.0/ASA Security Appliance in Multi Context Mode 15-13
Configuring PIX 6.3 Interfaces 15-16
Configuring FWSM Interfaces 15-18
Troubleshooting Interfaces 15-20
Configuring NAT Policies on Firewall Devices 15-20
Understanding NAT 15-21
Defining Address Pools 15-21
Configuring Translation Options 15-22
Defining Translation Exemptions (NAT 0 ACL) 15-23
Defining Simple Dynamic Rules 15-24

Defining Policy Dynamic Rules 15-25


Defining Static Rules 15-26
Viewing Translation Summary 15-27
Configuring Bridging Policies on Firewall Devices 15-28
Bridging Support for FWSM 3.1 15-29
Configuring Device Administration Policies on Firewall Devices 15-30
Configuring AAA 15-31
Understanding AAA 15-31
Defining AAA Policies 15-35
Configuring Banners 15-37
Configuring Boot Image and Configuration Settings 15-39
Configuring Clock Settings 15-40
Configuring Contact Credentials 15-42
Configuring Device Access Settings on Firewall Devices 15-43
Configuring Console Timeout 15-44
Configuring HTTP 15-45
Configuring ICMP 15-46
Configuring Management Access 15-48
Configuring Secure Shell 15-49
Configuring SNMP 15-50
Configuring Telnet 15-54
Configuring Failover 15-55
Understanding Failover 15-56
Additional Steps for an Active/Standby Failover Configuration 15-61
Configuring Hostname Settings 15-62
Configuring Resources on Firewall Services Modules 15-63
Configuring Server Access Settings on Firewall Devices 15-64
Configuring AUS Settings 15-64
Configuring DHCP Relay 15-66
Configuring DHCP Servers 15-68

Configuring DNS 15-70


Configuring NTP Settings 15-72
Configuring SMTP Servers 15-73
Configuring TFTP Servers 15-74
Configuring User Accounts 15-75
Configuring Logging Policies on Firewall Devices 15-77
Configuring E-Mail Setup 15-78
Configuring Event Lists 15-79
Configuring Logging Filters 15-81
Configuring Logging Setup 15-82
Configuring Rate Limit Levels 15-84
Configuring Server Setup 15-85
Defining Syslog Servers 15-87
Configuring Multicast Policies on Firewall Devices 15-88
Enabling Multicast Routing 15-88
Configuring IGMP 15-89
Protocol 15-90
Access Group 15-90
Static Group 15-90
Join Group 15-90
Configuring Multicast Routes 15-91
Configuring PIM 15-92
Protocol 15-92
Rendezvous Points 15-92
Route Tree 15-93
Request Filter 15-93
Configuring Routing Policies on Firewall Devices 15-93
Configuring No Proxy ARP 15-94
Configuring OSPF 15-95
Configuring RIP 15-96

Configuring Static Routes 15-98


Configuring Security Policies on Firewall Devices 15-98
Configuring Floodguard, Anti-Spoofing, and Fragment Settings 15-99
Configuring Timeouts 15-102
Configuring Service Policy Rules on Firewall Devices 15-103
Configuring User Preferences on Firewall Devices 15-104
Configuring Security Contexts on Firewall Devices 15-105
Add/Edit a Security Context for PIX or ASA 15-106
Add/Edit a Security Context for FWSM 15-108
Delete a Security Context 15-109
Enabling Multi-Context Mode 15-110
Restoring Single Context Mode 15-111
View the Contexts Defined for a Device 15-111

CHAPTER 16 Managing Catalyst Devices 16-1


Migrating Inventory From an Earlier Security Manager Release 16-2
Migrating Unmanaged Service Modules 16-5
Discovering Policies on 6500 Series and 7600 Series Devices 16-6
Interfaces 16-8
Creating or Editing Ports on Catalyst 6500/7600 Devices 16-9
Generating an Interface Name for Catalyst Devices 16-11
Deleting Ports on Catalyst 6500/7600 Devices 16-12
VLANs 16-12
Creating or Editing VLANs 16-13
Deleting VLANs 16-15
VLAN Groups 16-16
Creating or Editing VLAN Groups 16-16
Deleting VLAN Groups 16-18
VLAN ACLs (VACLs) 16-19


Creating or Editing VACLs 16-20


Deleting VACLs 16-23
IDSM Settings 16-24
Creating or Editing EtherChannel VLAN Definitions 16-25
Deleting EtherChannel VLAN Definitions 16-27
Creating or Editing Data Port VLAN Definitions 16-28
Deleting Data Port VLAN Definitions 16-30
Viewing Configuration Summaries 16-31

CHAPTER 17 Managing IPS Devices 17-1


Identifying Allowed Hosts 17-2
Configuring SNMP 17-2
Configuring the External Product Interface 17-5
Identifying an NTP Server 17-9
Configuring Logging 17-10
Configuring Analysis Engine Global Variables 17-11
Configuring Blocking 17-11
Configuring Virtual Sensors 17-12
Advantages of Virtualization 17-14
Understanding the Virtual Sensor 17-15
Assigning Interfaces to Virtual Sensors 17-15
Viewing Your Virtual Sensors 17-16
Defining A Virtual Sensor 17-16
Editing A Virtual Sensor 17-17
Deleting A Virtual Sensor 17-18

CHAPTER 18 Managing Deployment 18-1


Understanding Deployment 18-1
Benefits of Deployment Jobs 18-2

Deployment in Non-Workflow Mode 18-3


Deployment Task Flow in Non-Workflow Mode 18-3
Job States in Non-Workflow Mode 18-4
Deployment in Workflow Mode 18-5
Deployment Task Flow in Workflow Mode 18-5
Job States in Workflow Mode 18-8
Deployment Job Approval 18-9
Deployment Job Changes 18-10
Deployment Jobs and Multiple Users 18-10
Including Devices in Deployment Jobs 18-10
Understanding Deployment Methods 18-11
Deploying to a Device 18-11
Deploying to a File 18-13
Handling Device OS Version Mismatches 18-14
Frequently Asked Questions about Deployment 18-17
Working with Deployment 18-35
Using the Main Toolbar 18-36
Viewing Deployment Status Information 18-36
Deploying Configurations in Non-Workflow Mode 18-37
Deploying Configurations in Workflow Mode 18-40
Previewing Configurations 18-42
Changing Deployment Methods 18-43
Refreshing Deployment Status Information 18-44
Redeploying Configurations to Devices 18-44
Aborting Deployment Jobs 18-46
Rolling Back Configurations to Devices 18-47
Viewing Deployment Summary Information 18-48
Viewing Deployment Device Details 18-49
Performing Additional Workflow-Mode Tasks 18-50
Creating Deployment Jobs 18-50


Opening and Closing Deployment Jobs 18-53


Submitting Deployment Jobs 18-54
Approving and Rejecting Deployment Jobs 18-55
Discarding Deployment Jobs 18-56
Viewing Deployment Job History 18-56

CHAPTER 19 Managing FlexConfigs 19-1


Understanding FlexConfig Policy Objects 19-2
CLI Commands 19-2
Scripting Language Instructions 19-3
Example 1: Looping 19-4
Example 2: Looping with Two-Dimensional Arrays 19-4
Example 3: Looping with If/Else Statements 19-5
Object Variables 19-6
FlexConfig Policy Object Example 19-7
Predefined FlexConfig Policy Objects 19-7
FlexConfig System Variables 19-13
Understanding FlexConfig Policies 19-36
A FlexConfig Creation Scenario 19-36
Configuring FlexConfig Policy Objects 19-41
Creating FlexConfig Policy Objects 19-42
Duplicating FlexConfig Policy Objects 19-43
Editing FlexConfig Policy Objects 19-45
Viewing FlexConfig Policy Objects 19-47
Generating Usage Reports for FlexConfig Policy Objects 19-47
Deleting FlexConfig Policy Objects 19-49
Adding FlexConfig Policy Objects to a Device 19-50
Removing FlexConfig Policy Objects from a Device 19-51
Reordering FlexConfig Policy Objects 19-52
Previewing FlexConfig Policy Objects 19-52

Deleting FlexConfig Object Variables 19-53

CHAPTER 20 Using Tools 20-1


Understanding Policy Discovery Status 20-3
Viewing Policy Discovery Status Information 20-4
Understanding Show Containment 20-5
Understanding Inventory Status 20-6
Working With Device OS Management 20-6
Understanding Audit Reports 20-7
Guidelines for Defining the Audit Report Parameters 20-9
Generating the Audit Report 20-9
Viewing Audit Logs 20-10
Purging Audit Log Entries 20-11
Using the Configuration Archive Tool 20-11
Customizing the Configuration Archive Toolbar 20-12
Viewing Transcripts 20-13
Viewing and Comparing Configurations 20-14
Using Rollback to Deploy Archived Configurations 20-15
Understanding Rollback for Devices in Multiple Context Mode 20-18
Understanding Rollback for Failover Devices 20-18
Understanding Rollback for Catalyst 6500/7600 20-19
Understanding Rollback for IPS and IOS IPS 20-19
Commands that Can Cause Conflicts after Rollback 20-22
Commands to Recover from Failover Misconfiguration after Rollback 20-23
Adding Configuration Versions from a Device to the Archive 20-23
Apply IPS Update 20-25
Backup and Restore 20-25
Security Manager Diagnostics 20-26


Diagnostic Utility Executable Menu Item 20-27


Generating a Diagnostic File from a Security Manager Client 20-28
Generating a Diagnostic File from a Security Manager Server 20-29
Obtaining Documentation, Obtaining Support, and Security Guidelines 20-29

CHAPTER 21 Using Monitoring, Troubleshooting, and Diagnostic Tools 21-1


Device Managers 21-2
IDM 21-3
PDM 21-4
ASDM 21-5
SDM 21-6
Understanding Communication 21-7
Starting Device Managers 21-7
Device OS Version Interoperability with Device Managers 21-13
Device Connectivity Test 21-15
Performance Monitor (Status Provider) 21-15
Understanding Performance Monitor as a Status Provider 21-16
Configuring Performance Monitor as a Status Provider 21-17
Understanding the Events to be Monitored 21-18
Device Reachability 21-19
VPN Tunnel Status 21-22
CPU Usage Threshold 21-23
Supported Services and Platforms for Monitoring and Reports 21-25
Supported Event Types for Each Service Type 21-27
Working with Event Thresholds 21-28
IPS Event Viewer 21-31
Understanding Communication 21-34
Guidelines for Working with IEV from Security Manager 21-35
Starting IEV Client 21-37


Navigating to IPS Signature Policy in Security Manager from IEV 21-37


IPS Signature Policy Lookup from the Realtime Dashboard 21-38
IPS Signature Policy Lookup from the Views Tab 21-39
Security Manager Access Rule Lookup from Device Manager Syslog 21-42
Navigating to ACL in Security Manager from ASDM Syslog 21-43
Navigating to ACL in Security Manager from SDM Syslog 21-46

APPENDIX A Administrative Settings User Interface Reference A-1


AutoLink Settings Page A-2
Configuration Archive Settings Page A-3
Customize Desktop Page A-4
Deployment Page A-5
Device Communication Page A-10
Add Certificate Dialog Box A-14
Device Groups Page A-15
Device OS Management Page A-16
Discovery Page A-17
IPS Updates Page A-19
Edit Update Server Settings Dialog Box A-23
Modify Signature Update Policies Dialog Box A-25
Licensing Page A-26
CSM Tab A-26
IPS Tab A-27
Updating Licenses via CCO Dialog Box A-28
Redeploying Licenses Dialog Box A-29
Updating Licenses from File Dialog Box A-30
Logs Page A-30
Policy Management Page A-32


Policy Objects Page A-33


Server Security Page A-35
Status Page A-36
Add Status Provider Dialog Box A-38
Edit Status Provider Dialog Box A-39
Take Over User Session Page A-41
Token Management Page A-42
VPN Policy Defaults Page A-44
Workflow Page A-48

APPENDIX B Map View User Interface Reference B-1


Map View Main Page B-1
Map Elements B-3
Map Toolbar B-5
Navigation Window B-6
Maps Menus B-7
Managed Device Node Context Menu B-7
Multiple Selected Nodes Context Menu B-9
VPN Connection Context Menu B-10
Layer 3 Link Context Menu B-10
Map Object Context Menu B-11
Map Background Context Menu B-11
Dialog Boxes B-12
Open Map Dialog Box B-13
Save Map As Dialog Box B-13
Delete Map Dialog Box B-14
Find Node Dialog Box B-15
Map Settings Dialog Box B-16
Select Color Dialog Box B-17

Import Background Image Dialog Box B-18


Set Linked Map Dialog Box B-19
Link Properties Dialog Box B-19
Select Interfaces Dialog Box B-20
Add Link Dialog Box B-21
Node Properties Dialog Box B-22
Add Map Object and Node Properties Dialog Boxes B-22
Interface Properties Dialog Box B-23
Select Policy Object Dialog Box B-24
Show Devices on Map Dialog Box B-25
Show VPNs on Map Dialog Box B-26
Show VPN Peers Dialog Box B-26
VPN Peers Dialog Box B-27
Select VPN to Configure Dialog Box B-28

APPENDIX C Devices User Interface Reference C-1


Devices Page C-2
Device Selector C-2
Create Filter Dialog Box C-3
Policy Selector C-7
Work Area C-7
Add Device from Network Wizard C-7
Device Information Page - Network C-8
Auto Update Server Properties Dialog Box C-13
Available Auto Update Servers Dialog Box C-14
Device Credentials Page C-15
Rx-Boot Mode Credentials Dialog Box C-17
SNMP Credentials Dialog Box C-18
HTTP Credentials Dialog Box C-19
Device Connectivity Test Dialog Box C-20


FWSM Credentials and VPN SPA Slot Location Dialog Box C-22
VPN SPA Slots Dialog Box C-24
VPN SPA Slot Selector C-25
Device Validation Error Messages C-27
Device Grouping Page C-28
Add Device(s) from Config File Wizard C-29
Device Information Page - Config File C-30
Choose Files Dialog Box C-33
Device Grouping Page C-34
Add New Device Wizard C-34
Device Information Page - New Device C-35
Server Properties Dialog Box C-40
Available Servers Dialog Box C-41
CNS-Configuration Engine Properties Dialog Box C-42
Available Configuration Engines Dialog Box C-43
Device Credentials Page C-44
Device Grouping Page C-44
Add Device(s) from DCR Wizard C-45
Device Information Page - DCR C-45
Device Grouping Page C-49
Device Delete Validation Page C-49
Device Delete Validation Details Dialog Box C-51
Create a Clone of <device name> Page C-52
Device Properties Page C-53
General Page C-54
Credentials Page C-57
Device Groups Page C-59
Policy Object Override Pages C-60
Device Shortcut Menu Options C-62


Policy Selector Shortcut Menu Options C-63


Device Group Shortcut Menu Options C-65
Edit Device Groups Page C-66
Add Devices to Group Page C-67
Add Group Dialog Box C-68

APPENDIX D Policy User Interface Reference D-1


Policy Menu General Reference D-1
Share Policy Dialog Box D-2
Assign Shared Policy Dialog Box D-3
Local Policy Will Be Replaced Dialog Box D-4
Copy Policies Wizard D-6
Copy Policies Wizard - Copy Policies from this Device Page D-6
Copy Policies Wizard - Copy Policies to these Devices Page D-7
Copy Policies Wizard - Select Policies to Copy Page D-8
Share Policies Wizard D-9
Share Policies Wizard - Share Policies from this Device Page D-10
Share Policies Wizard - Select Policies to Share Page D-11
Shared Policy Assignments Dialog Box D-11
Save Policy As Dialog Box D-13
Rename Policy Dialog Box D-14
Inherit Rules Dialog Box D-15
Create Discovery Task Dialog Box D-16
Discovery Status Dialog Box D-19
Policy View General Reference D-21
Policy View - Policy Type Selector D-23
Policy View - Policy Type Selector Options D-24
Policy View - Shared Policy Selector Options D-25
Create Filter Dialog Box - Policy View D-26


Policy View - Assignments Tab D-28


Create a Policy Dialog Box D-29

APPENDIX E Activities User Interface Reference E-1


Activity Manager Window E-1
Activity States E-4
Details Tab E-5
History Tab E-6
Create Activity Dialog Box E-7
Submit Activity Dialog Box E-8
Approve Activity Dialog Box E-9
Reject Activity Dialog Box E-10
Discard Activity Dialog Box E-11
Validation Dialog Box E-12
Errors Tab E-12
Devices Tab E-14
View Changes (Activity Change Report) E-15
Activity Required (Create Activity) Dialog Box E-17
Activity Required (Create or Open Activity) Dialog Box E-18
Openable Activities Dialog Box E-19

APPENDIX F Policy Object Manager User Interface Reference F-1


Policy Object Manager Window F-3
Object Type Selector F-4
Policy Object Manager Window - Work Area Buttons F-8
Policy Object Manager Window - Shortcut Menu F-9
Create Filter Dialog Box - Policy Object Manager F-10
AAA Server Groups Page F-12
AAA Server Group Dialog Box F-14


AAA Servers Page F-18


AAA Server Dialog Box F-20
AAA Server Dialog Box - RADIUS Settings F-22
AAA Server Dialog Box - TACACS+ Settings F-25
AAA Server Dialog Box - Kerberos Settings F-26
AAA Server Dialog Box - LDAP Settings F-26
AAA Server Dialog Box - NT Settings F-29
AAA Server Dialog Box - SDI Settings F-30
AAA Server Dialog Box - HTTP-FORM Settings F-31
Access Control Lists Page F-33
Extended Tab F-34
Add and Edit Extended Access List Pages F-36
Add and Edit Extended Access Control Entry Dialog Boxes F-39
Standard Tab F-43
Add and Edit Standard Access List Pages F-45
Add and Edit Standard Access Control Entry Dialog Boxes F-47
Web Tab F-50
Add and Edit WebType Access List Dialog Boxes F-52
Add and Edit Web Access Control Entry Dialog Boxes F-54
ASA User Groups Page F-58
ASA User Group Dialog Box F-60
ASA User Group Dialog Box - Client Configuration Settings F-62
ASA User Group Dialog Box - Client Firewall Attributes F-64
ASA User Group Dialog Box - Hardware Client Attributes F-67
ASA User Group Dialog Box - IPsec Settings F-69
ASA User Group Dialog Box - SSL VPN Clientless Settings F-72
ASA User Group Dialog Box - SSL VPN Thin Client Settings F-74
ASA User Group Dialog Box - SSL VPN Full Tunnel Settings F-75
ASA User Group Dialog Box - SSL VPN General Settings F-77
ASA User Group Dialog Box - DNS/WINS Settings F-80

ASA User Group Dialog Box - Split Tunneling F-81


ASA User Group Dialog Box - General Settings F-85
Categories Page F-87
Category Editor Dialog Box F-88
Credentials Page F-88
Credentials Dialog Box F-90
IKE Proposals Page F-92
IKE Proposal Dialog Box F-93
DNS Class Maps Page F-96
Add and Edit DNS Class Maps Dialog Boxes F-98
Add and Edit Match Criterion Dialog Boxes F-100
Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Class F-102
Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Type F-103
Add and Edit DNS Class Map > Add and Edit Match Criterion > Domain Name F-104
Add and Edit DNS Class Map > Add and Edit Match Criterion > Header Flag F-106
Add and Edit DNS Class Map > Add and Edit Match Criterion > Question F-107
Add and Edit DNS Class Map > Add and Edit Match Criterion > Resource Record F-108
FTP Class Maps Page F-109
Add and Edit FTP Class Map Dialog Boxes F-111
Add and Edit FTP Class Map > Add and Edit Match Criterion Dialog Boxes F-113
Add and Edit FTP Class Map > Add and Edit Match Criterion > Request Command F-115
Add and Edit FTP Class Map > Add and Edit Match Criterion > Filename F-116


Add and Edit FTP Class Map > Add and Edit Match Criterion > File Type F-117
Add and Edit FTP Class Map > Add and Edit Match Criterion > Server F-119
Add and Edit FTP Class Map > Add and Edit Match Criterion > Username F-120
HTTP Class Maps Page F-121
Add and Edit HTTP Class Map Dialog Boxes F-123
Add and Edit HTTP Class Map > Add and Edit Match Criterion Dialog Boxes F-125
IM Class Maps Page F-168
Add and Edit IM Class Map Dialog Boxes F-170
Add and Edit IM Class Map > Add and Edit Match Criterion Dialog Boxes F-172
Add and Edit IM Class Map > Add and Edit Match Criterion > Filename F-174
Add and Edit IM Class Map > Add and Edit Match Criterion > Client IP Address F-175
Add and Edit IM Class Map > Add and Edit Match Criterion > Client Login Name F-176
Add and Edit IM Class Map > Add and Edit Match Criterion > Peer IP Address F-178
Add and Edit IM Class Map > Add and Edit Match Criterion > Peer Login Name F-179
Add and Edit IM Class Map > Add and Edit Match Criterion > Protocol F-180
Add and Edit IM Class Map > Add and Edit Match Criterion > Service F-181
Add and Edit IM Class Map > Add and Edit Match Criterion > File Transfer Service Version F-182
SIP Class Maps Page F-184
Add and Edit SIP Class Map Dialog Boxes F-186


Add and Edit Match Criterion Dialog Boxes F-188


Add and Edit SIP Class Map > Add and Edit Match Criterion > Called Party F-190
Add and Edit SIP Class Map > Add and Edit Match Criterion > Calling Party F-191
Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Length F-192
Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Type F-193
Add and Edit SIP Class Map > Add and Edit Match Criterion > IM Subscriber F-195
Add and Edit SIP Class Map > Add and Edit Match Criterion > Message Path F-196
Add and Edit SIP Class Map > Add and Edit Match Criterion > Third Party Registration F-197
Add and Edit SIP Class Map > Add and Edit Match Criterion > URI Length F-199
Add and Edit SIP Class Map > Add and Edit Match Criterion > Request Method F-200
DNS Maps Page F-203
Add and Edit DNS Map Dialog Boxes F-204
Add and Edit DNS Map > Protocol Conformance F-206
Add and Edit DNS Map > Filtering F-208
Add and Edit DNS Map > Mismatch Rate F-210
Add and Edit DNS Map > Match Condition and Action F-212
Add and Edit DNS Map > Add and Edit Match Condition and Action Dialog Boxes F-214
FTP Maps Page F-228
Add and Edit FTP Map Dialog Boxes F-230
Add and Edit FTP Map > Parameters F-231
Add and Edit FTP Map > Match Conditions and Actions F-232


Add and Edit FTP Map > Add and Edit Match Condition and Action Dialog Boxes F-233
GTP Maps Page F-243
Add and Edit GTP Map Dialog Boxes F-245
Add and Edit GTP Map Dialog Boxes > Parameters F-247
Add and Edit GTP Map > Match Condition and Action Tab F-254
HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page F-261
Add and Edit HTTP Map Dialog Boxes F-264
Add and Edit HTTP Map > General Tab F-266
Add and Edit HTTP Map > Entity Length Tab F-269
Add and Edit HTTP Map > RFC Request Method Tab F-271
Add and Edit HTTP Map > Extension Request Method Tab F-274
Add and Edit HTTP Map > Port Misuse Tab F-277
Add and Edit HTTP Map > Transfer Encoding Tab F-280
HTTP Maps (ASA 7.2/PIX 7.2) Page F-283
Add and Edit HTTP Map Dialog Boxes F-285
Add and Edit HTTP Map > Parameters Tab F-287
Add and Edit HTTP Map > Match Condition and Action Tab F-289
Add and Edit HTTP Map > Add and Edit Match Condition and Action Dialog Boxes F-291
IM Maps (ASA 7.2/PIX 7.2) Page F-345
Add and Edit IM Map Dialog Boxes (for ASA 7.2/PIX 7.2) F-347
Add and Edit IM Map > Add and Edit Match Condition and Action Dialog Boxes F-349
IM Maps (IOS) Page F-365
Add and Edit IM Map (IOS) Dialog Boxes F-367
Add and Edit IM Map (IOS) > Yahoo! Tab F-368
Add and Edit IM Map (IOS) > MSN Tab F-371
Add and Edit IM Map (IOS) > AOL Tab F-374
SIP Maps Page F-377

Add and Edit SIP Map Dialog Boxes F-379


Add and Edit SIP Map > Parameters Tab F-381
Add and Edit SIP Map > Match Condition and Action Tab F-384
Regular Expression Groups Page F-405
Add and Edit Regular Expression Group Dialog Boxes F-407
Regular Expressions Page F-409
Add and Edit Regular Expression Dialog Boxes F-411
TCP Maps Page F-413
Add and Edit TCP Map Dialog Boxes F-414
Interface Roles Page F-416
Interface Role Dialog Box F-419
Interface Name Conflict Dialog Box F-421
IPsec Transform Sets Page F-422
IPsec Transform Set Dialog Box F-424
LDAP Attribute Maps Page F-426
Add and Edit LDAP Attribute Map Dialog Boxes F-428
Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value F-429
Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value > Add and Edit Map Value F-430
Networks/Hosts Page F-431
Network/Host Dialog Box F-433
PKI Enrollments Page F-435
PKI Enrollment Dialog Box F-437
PKI Enrollment Dialog Box - CA Information Tab F-438
PKI Enrollment Dialog Box - Enrollment Parameters Tab F-442
PKI Enrollment Dialog Box - Certificate Subject Name Tab F-445
PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab F-447
Port Forwarding List Page F-448
Port Forwarding List Dialog Box F-450
Add/Edit Port Forwarding Entry Dialog Box F-452
Secure Desktop Configuration Page F-453
Secure Desktop Configuration Dialog Box F-455
Port Lists Page F-459
Port List Dialog Box F-461
Service Groups Page F-463
Service Group Dialog Box F-464
Services Page F-465
Service Dialog Box F-467
Single Sign On Server (SSO) Page F-471
Single Sign On Server (SSO) Dialog Box F-473
SLA Monitors Page F-475
SLA Monitor Dialog Box F-477
Style Objects Page F-479
Style Objects Dialog Box F-481
Text Objects Page F-482
Text Object Dialog Box F-484
Time Ranges Page F-485
Time Range Dialog Box F-487
Recurring Ranges Dialog Box F-488
Traffic Flows Page F-489
Add and Edit Traffic Flow Dialog Boxes F-491
Add and Edit Traffic Flow > Source and Destination IP Address (access-list) F-493
Default Inspection Traffic F-494
Add and Edit Traffic Flow > Default Inspection Traffic with Access Lists F-496
Add and Edit Traffic Flow > TCP or UDP Destination Port F-497
Add and Edit Traffic Flow > RTP Range F-498
Add and Edit Traffic Flow > Tunnel Group F-499
Add and Edit Traffic Flow > IP Precedence Bits F-501
Add and Edit Traffic Flow > IP DiffServe CodePoints (DSCP) Values F-502
URL Lists Page F-504
URL Lists Dialog Box F-506
Add URL Entry Dialog Box F-507
User Groups Objects Page F-508
User Group Dialog Box F-510
User Group Dialog Box - General Settings F-512
User Group Dialog Box - DNS/WINS Settings F-514
User Group Dialog Box - Split Tunneling F-515
User Group Dialog Box - IOS Client Settings F-517
User Group Dialog Box - IOS Xauth Options F-519
User Group Dialog Box - IOS Client VPN Software Update F-522
User Group Dialog Box - Advanced PIX Options F-524
User Group Dialog Box - Clientless Settings F-525
User Group Dialog Box - Thin Client Settings F-527
User Group Dialog Box - SSL VPN Full Tunnel Settings F-528
User Group Dialog Box - SSL VPN Split Tunneling F-530
User Group Dialog Box - Browser Proxy Settings F-532
User Group Dialog Box - SSL VPN Connection Settings F-533
SSL VPN Customization Page F-534
SSL VPN Customization Dialog Box F-536
SSL VPN Customization Dialog Box - Page Title Tab F-538
SSL VPN Customization Dialog Box - Login/out Pages Tab F-539
SSL VPN Customization Dialog Box - Home Page Tab F-543
SSL VPN Customization Dialog Box - Application-Access/Prompt Tab F-548
SSL VPN Gateway Page F-550
SSL VPN Gateway Dialog Box F-552
WINS Server Lists Page F-554
WINS Server Lists Dialog Box F-556
Add/Edit WINS Server Dialog Box F-557
Object Selectors F-558
Create Filter Dialog Box - Object Selectors F-561
Object Usage Window F-563
Policy Object Overrides Window F-565
Create Overrides for Device Dialog Box F-567

APPENDIX G    Site-to-Site VPN User Interface Reference G-1

Site-to-Site VPN Manager Window G-2
VPN Summary Page G-3
Peers Page G-7
Create VPN Wizard G-9
Name and Technology Page G-10
Device Selection Page G-12
Endpoints Page G-14
Edit Endpoints Dialog Box G-18
VPN Interface Tab G-19
Protected Networks Tab G-27
FWSM Tab G-29
VRF Aware IPsec Tab G-31
Dial Backup Settings Dialog Box G-36
High Availability Page G-37
VPN Defaults Page G-41
Site to Site VPN Policies G-42
IKE Proposal Page G-43
IPsec Proposal Page G-45
VPN Global Settings Page G-49
ISAKMP/IPsec Settings Tab G-50
NAT Settings Tab G-54
General Settings Tab G-56
Preshared Key Page G-59
Public Key Infrastructure Page G-63
GRE Modes Page G-66
Server Load Balance Page G-76
Edit Load Balancing Parameters Dialog Box G-77
Easy VPN IPsec Proposal Page G-78
Easy VPN IPsec Proposal Tab G-79
Dynamic VTI Tab G-84
User Group Policy Page G-87
Tunnel Group Policy (PIX 7.0/ASA) Page G-88
Tunnel Group Policy > General Tab G-89
Tunnel Group Policy > IPsec Tab G-92
Tunnel Group Policy > Advanced Tab G-94
Tunnel Group Policy > Client VPN Software Update Tab G-96
Client Connection Characteristics Page G-97
VPN Topologies Device View Page G-104
Discover VPN Policies Wizard G-106
Discover VPN Policies Wizard - Name and Technology Page G-107
Discover VPN Policies Wizard - Device Selection Page G-108
Rediscover VPN Policies Wizard G-110
Rediscover VPN Policies Wizard - Name and Technology Page G-111
Rediscover VPN Policies Wizard - Device Selection Page G-112

APPENDIX H    Remote Access VPN User Interface Reference H-1

Remote Access Configuration Wizard H-2
User Group Policy Page H-3
Tunnel Group Policy Page H-4
Tunnel Group Editor Dialog Box H-6
Tunnel Group Editor > General Tab H-7
Tunnel Group Editor > IPsec Tab H-10
Tunnel Group Editor > Advanced Tab H-12
Tunnel Group Editor > Client VPN Software Update Tab H-14
Remote Access VPN Defaults Page H-15
IPsec Proposal Page H-16
IPsec Proposal Editor Dialog Box (for PIX and ASA Devices) H-19
IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices) H-22
VPNSM/VPN SPA Settings Dialog Box H-26
FWSM Settings Tab (IPsec Proposal Editor) H-29
Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor) H-31
IKE Proposal Page H-36
High Availability Page H-37
Public Key Infrastructure Page H-39
VPN Global Settings Page H-42
ISAKMP/IPsec Settings Tab H-43
NAT Settings Tab H-46
General Settings Tab H-47
ASA Cluster Load Balance Page H-50
DN Matching Policy Page H-52
DN Matching Rules Page H-54
DN Rule Dialog Box (Upper Pane) H-56
DN Rule Dialog Box (Lower Pane) H-57

APPENDIX I    SSL VPN User Interface Reference I-1

SSL VPN Server Wizard (IOS) I-2
Gateway and Context Page (IOS) I-2
Portal Page Customization Page I-5
User Groups Selector Page I-7
Create User Group Wizard I-9
Name and Access Method Page I-10
Full Tunnel Access Mode Page I-11
Clientless and Thin Client Access Modes Page I-15
SSL VPN Policy Page (IOS) I-16
SSL VPN Context Editor Dialog Box (IOS) I-18
General Tab I-18
Portal Page Tab I-21
Secure Desktop Tab I-22
Advanced Tab I-24
SSL VPN Wizard for ASA Device I-25
Access Page (ASA) I-26
Connection Profile Page (ASA) I-27
SSL VPN Access Policy Page I-32
SSL VPN Connection Profiles Policy Page I-34
Add/Edit SSL VPN Connection Profile Dialog Box I-36
Basic Tab (ASA) I-36
AAA Tab (ASA) I-41
Settings Tab (ASA) I-47
ASA User Groups Policy Page I-51
Add User Group Selector Dialog Box (ASA) I-53
Cisco Secure Desktop Page (ASA) I-54
SSL VPN Global Settings Page I-55
Performance Tab I-56
Content Rewrite Tab I-58
Add/Edit Content Rewrite Dialog Box I-59
Encoding Tab I-61
Add/Edit File Encoding Dialog Box I-63
Proxy Tab I-64
Add/Edit Proxy Bypass Dialog Box I-66
Advanced Tab I-69

APPENDIX J    Firewall Services User Interface Reference J-1

Access Rules Page J-2
Add and Edit Access Rule Dialog Boxes J-6
Advanced Dialog Box J-12
Edit Sources Dialog Box J-15
Show Source Contents Dialog Box J-17
Edit Destinations Dialog Box J-18
Show Destination Contents Dialog Box J-20
Edit Service Dialog Box J-21
Show Service Contents Dialog Box J-23
Edit Firewall Option Dialog Box J-23
Edit Interfaces Dialog Box J-25
Show Interface Contents Dialog Box J-26
Edit Category Dialog Box J-27
Edit Description Dialog Box J-28
Inspection Rules Page J-29
Add and Edit Inspection Rule Dialog Boxes J-33
Add Inspect/Application FW Rule > Match Traffic to Protocol Page J-37
Limit Inspection Between Source and Destination IP Addresses (ASA, FWSM 3.x) Page J-40
Match Traffic by Custom Destination Ports Page J-44
Match Traffic by Destination Address and Port (IOS) Page J-46
Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page J-48
Edit Sources Dialog Box J-53
Show Source Contents Dialog Box J-55
Edit Destinations Dialog Box J-56
Show Destination Contents Dialog Box J-58
Edit Service Dialog Box J-59
Show Service Contents Dialog Box J-61
Edit Interfaces Dialog Box J-61
Show Interface Contents Dialog Box J-63
Edit Inspected Protocol Dialog Box J-65
Configure DNS Dialog Box J-67
Configure SMTP Dialog Box J-68
Custom Protocol Dialog Box J-69
Configure ESMTP Dialog Box J-70
Configure Fragments Dialog Box J-71
Configure IMAP Dialog Box J-72
Configure POP3 Dialog Box J-73
Configure RPC Dialog Box J-74
Configuring Protocol Platform Dialog Box J-75
Edit Category Dialog Box J-76
Edit Description Dialog Box J-77
AAA Rules Page J-78
Add and Edit AAA Rules Dialog Boxes J-82
Edit Sources Dialog Box J-88
Show Source Contents Dialog Box J-90
Edit Destinations Dialog Box J-91
Show Destination Contents Dialog Box J-93
Edit Service Dialog Box J-94
Show Service Contents Dialog Box J-96
Edit Interfaces Dialog Box J-97
Show Interface Contents Dialog Box J-98
Edit AAA Option Dialog Box J-99
AuthProxy Dialog Box J-100
Edit AAA Server Group Dialog Box J-101
Edit Category Dialog Box J-102
Edit Description Dialog Box J-103
Web Filter Rules Page (PIX/ASA) J-104
Add and Edit PIX/FWSM/ASA Rules Dialog Boxes J-107
Edit Sources Dialog Box J-113
Show Source Contents Dialog Box J-115
Edit Destinations Dialog Box J-116
Show Destination Contents Dialog Box J-118
Edit Service Dialog Box J-119
Show Service Contents Dialog Box J-121
Edit Web Filter Type Dialog Box J-122
Edit Web Filter Options Dialog Box J-123
Edit Category Dialog Box J-124
Edit Description Dialog Box J-125
Web Filter Rules Page (IOS) J-126
Web Filter Rules Tab J-127
Exclusive Domains Tab J-130
IOS Web Filter Rule and Applet Scanner Dialog Box J-131
Exclusive Domain Name Dialog Box J-134
Transparent Rules Page J-135
Add and Edit Transparent Firewall Rule Dialog Boxes J-139
Edit Transparent EtherType Dialog Box J-143
Edit Transparent Mask Dialog Box J-144
Edit Interfaces Dialog Box J-144
Edit Description Dialog Box J-146
Edit Category Dialog Box J-146
Firewall Settings J-147
Access Control Page J-147
Firewall ACL Setting Dialog Box J-151
Inspection Page J-154
AAA Firewall > Advanced Setting Page J-157
AAA Firewall > Advanced Setting > Clear Connection Configuration
Dialog Box J-158
AAA Firewall > MAC-Exempt List Page J-161
AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting
Dialog Box J-163
AuthProxy Page J-164
AuthProxy General Tab (IOS) J-165
AuthProxy Timeout Tab (IOS) J-167
Web Filter Page J-170
Web Filter Server Configuration Dialog Box J-174
Add and Edit Rule Section Dialog Boxes J-176
Find and Replace Page J-177
Analysis Reports Page J-179
Import Rules - Enter Parameters Dialog Box J-183
Import Rules - Status Page J-185
Import Rules - Preview Page J-186
Import Rules - Preview Page (Rules Tab) J-187
Importing Rules - Preview Page (Objects Tab) J-190
Policy Query Page J-195
Policy Query Results Page J-200
Hit Count Selection Summary Dialog Box J-209
Hit Count Summary Results Page J-209
Combine Rules Selection Summary Dialog Box J-214
Combined Rules Results Summary J-215
Rule Combiner Detail Report J-219

APPENDIX K    Router Platform User Interface Reference K-1

NAT Policy Page K-3
NAT Page - Interface Specification Tab K-3
Edit Interfaces Dialog Box - NAT Inside Interfaces K-4
Edit Interfaces Dialog Box - NAT Outside Interfaces K-5
NAT Page - Static Rules Tab K-6
NAT Static Rule Dialog Box K-7
NAT Page - Dynamic Rules Tab K-13
NAT Dynamic Rule Dialog Box K-14
NAT Page - Timeouts Tab K-16
Router Interfaces Page K-18
Create Router Interface Dialog Box K-20
Interface Auto Name Generator Dialog Box K-27
Advanced Interface Settings Page K-28
Advanced Interface Settings Dialog Box K-30
Dialer Policy Page K-38
Dialer Profile Dialog Box K-40
Dialer Physical Interface Dialog Box K-42
ADSL Policy Page K-44
ADSL Settings Dialog Box K-46
SHDSL Policy Page K-50
SHDSL Controller Dialog Box K-52
Controller Auto Name Generator Dialog Box K-56
PVC Policy Page K-57
PVC Dialog Box K-59
PVC Dialog Box - Settings Tab K-63
PVC Dialog Box - QoS Tab K-67
PVC Dialog Box - Protocol Tab K-71
Define Mapping Dialog Box K-72
PVC Advanced Settings Dialog Box K-74
PVC Advanced Settings Dialog Box - OAM Tab K-75
PVC Advanced Settings Dialog Box - OAM-PVC Tab K-78
PPP/MLP Policy Page K-81
PPP Dialog Box K-82
PPP Dialog Box - PPP Tab K-84
PPP Dialog Box - MLP Tab K-88
AAA Policy Page K-91
AAA Page - Authentication Tab K-93
AAA Page - Authorization Tab K-94
Command Authorization Dialog Box K-97
AAA Page - Accounting Tab K-98
Command Accounting Dialog Box K-101
Accounts and Credentials Policy Page K-104
User Account Dialog Box K-107
Bridging Policy Page K-108
Bridge Group Dialog Box K-110
Clock Policy Page K-111
CPU Policy Page K-114
HTTP Policy Page K-118
HTTP Page - Setup Tab K-119
HTTP Page - AAA Tab K-121
Command Authorization Override Dialog Box K-124
Console Policy Page K-125
Console Page - Setup Tab K-126
Console Page - Authentication Tab K-129
Console Page - Authorization Tab K-131
Console Page - Accounting Tab K-133
VTY Policy Page K-137
VTY Line Dialog Box K-139
VTY Line Dialog Box - Setup Tab K-140
VTY Line Dialog Box - Authentication Tab K-145
VTY Line Dialog Box - Authorization Tab K-146
VTY Line Dialog Box - Accounting Tab K-149
Command Authorization Dialog Box - Line Access K-153
Command Accounting Dialog Box - Line Access K-155
Secure Shell Policy Page K-157
SNMP Policy Page K-160
Permission Dialog Box K-162
Trap Receiver Dialog Box K-163
SNMP Traps Dialog Box K-165
DNS Policy Page K-168
IP Host Dialog Box K-169
Hostname Policy Page K-170
Memory Policy Page K-171
Secure Device Provisioning Policy Page K-174
DHCP Policy Page K-179
DHCP Database Dialog Box K-182
IP Pool Dialog Box K-183
NTP Policy Page K-187
NTP Server Dialog Box K-189
802.1x Policy Page K-192
Network Admission Control Policy Page K-197
Network Admission Control Page - Setup Tab K-198
Network Admission Control Page - Interfaces Tab K-201
NAC Interface Configuration Dialog Box K-202
Network Admission Control Page - Identities Tab K-204
NAC Identity Profile Dialog Box K-205
NAC Identity Action Dialog Box K-206
Logging Setup Policy Page K-207
Syslog Servers Policy Page K-212
Syslog Server Dialog Box K-214
Quality of Service Policy Page K-215
QoS Policy Dialog Box K-219
QoS Class Dialog Box K-222
QoS Class Dialog Box - Matching Tab K-224
Edit ACLs Dialog Box - QoS Classes K-226
QoS Class Dialog Box - Marking Tab K-227
QoS Class Dialog Box - Queuing and Congestion Avoidance Tab K-229
QoS Class Dialog Box - Policing Tab K-231
QoS Class Dialog Box - Shaping Tab K-234
BGP Routing Policy Page K-236
BGP Page - Setup Tab K-237
Neighbors Dialog Box K-239
BGP Page - Redistribution Tab K-240
BGP Redistribution Mapping Dialog Box K-242
EIGRP Routing Policy Page K-244
EIGRP Page - Setup Tab K-245
EIGRP Setup Dialog Box K-246
Edit Interfaces Dialog Box - EIGRP Passive Interfaces K-247
EIGRP Page - Interfaces Tab K-248
EIGRP Interface Dialog Box K-249
EIGRP Page - Redistribution Tab K-251
EIGRP Redistribution Mapping Dialog Box K-253
OSPF Interface Policy Page K-256
OSPF Interface Dialog Box K-258
OSPF Process Policy Page K-264
OSPF Process Page - Setup Tab K-265
OSPF Setup Dialog Box K-266
Edit Interfaces Dialog Box - OSPF Passive Interfaces K-267
OSPF Process Page - Area Tab K-268
OSPF Area Dialog Box K-269
OSPF Process Page - Redistribution Tab K-270
OSPF Redistribution Mapping Dialog Box K-273
OSPF Max Prefix Mapping Dialog Box K-275
RIP Routing Policy Page K-276
RIP Page - Setup Tab K-277
Edit Interfaces Dialog Box - RIP Passive Interfaces K-278
RIP Page - Authentication Tab K-279
RIP Authentication Dialog Box K-280
RIP Page - Redistribution Tab K-282
RIP Redistribution Mapping Dialog Box K-283
Static Routing Policy Page K-285
Static Routing Dialog Box K-287

APPENDIX L    PIX/ASA/FWSM Platform User Interface Reference L-1

NAT Policies L-5
Address Pools Page L-5
Address Pool Dialog Box L-6
Translation Options Page L-7
Translation Rules Page L-8
Translation Exemptions (NAT 0 ACL) Tab L-9
Dynamic Rules Tab L-11
Policy Dynamic Rules Tab L-13
Static Rules Tab L-16
General Tab L-19
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box L-22
Add/Edit Dynamic Translation Rule Dialog Box L-24
Add/Edit Policy Dynamic Rules Dialog Box L-25
Add/Edit Static Rule Dialog Box L-26
Advanced NAT Options Dialog Box L-28
Select Address Pool Dialog Box L-30
Interfaces Page L-31
Add/Edit Interface Dialog Box L-34
Advanced Interface Settings Dialog Box L-45
Add VPND Group Dialog Box L-47
PPPoE Users Dialog Box L-48
FWSM Interfaces Page L-50
FWSM Add/Edit Interface Dialog Box L-54
Add/Edit Bridge Group Dialog Box L-57
ASA 5505 Ports and Interfaces Page L-59
Configure Hardware Ports Dialog Box L-63
Bridging L-65
ARP Table Page L-66
Add/Edit ARP Table Entry Dialog Box L-68
ARP Inspection Page L-69
Add/Edit ARP Inspection Dialog Box L-70
MAC Address Table Page L-71
Add/Edit MAC Table Entry Dialog Box L-72
MAC Learning Page L-73
Add/Edit MAC Learning Dialog Box L-74
Management IP Page L-75
AAA Page L-75
Authentication Tab L-76
Authorization Tab L-78
Accounting Tab L-79
Banner Page L-81
Boot Image/Configuration Page L-83
Images Dialog Box L-85
Clock Page L-86
Credentials Page L-88
CPU Threshold Page L-89
Device Access L-90
Console Page L-91
HTTP Page L-92
HTTP Configuration Dialog Box L-93
ICMP Page L-94
ICMP Configuration Dialog Box L-95
Management Access Page L-96
Secure Shell Page L-97
SSH Configuration Dialog Box L-98
SNMP Page L-99
SNMP Trap Configuration Dialog Box L-101
Add SNMP Host Access Entry Dialog Box L-103
Telnet Page L-104
Telnet Configuration Dialog Box L-105
Failover Policies L-106
Failover Page (PIX 6.x) L-107
Edit Failover Interface Configuration Dialog Box (PIX 6.x) L-109
Failover Page (FWSM) L-110
Advanced Settings Dialog Box L-114
Edit Failover Interface Configuration Dialog Box (FWSM) L-116
Failover Page (ASA/PIX 7.x) L-117
Settings Dialog Box L-120
Add Failover Group Dialog Box L-124
Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x) L-125
Add Interface MAC Address Dialog Box L-127
Bootstrap Configuration for LAN Failover Dialog Box L-127
Hostname Page L-128
Resources Page L-129
Add/Edit Resource Dialog Box L-131
Server Access L-134
AUS Page L-135
DHCP Relay Page L-137
Configure DHCP Relay Agent Parameters Dialog Box L-138
Configure DHCP Server Parameters Dialog Box L-139
DHCP Server Page L-140
Edit DHCP Server Dialog Box L-142
DHCP Server - Advanced Dialog Box L-143
DNS Page L-144
Add DNS Server Group Dialog Box L-146
Add DNS Server Dialog Box L-147
Edit Interfaces Dialog Box L-148
DDNS Page L-148
NTP Page L-149
NTP Server Configuration Dialog Box L-151
SMTP Server Page L-152
TFTP Server Page L-153
User Accounts Page L-154
Add/Edit User Account Dialog Box L-155
Logging Policies L-156
E-Mail Setup Page L-157
Add/Edit Email Recipient Dialog Box L-158
Event Lists Page L-158
Add/Edit Event List Dialog Box L-160
Add/Edit Syslog Class Dialog Box L-161
Add/Edit Syslog Message ID Filter Dialog Box L-162
Logging Filters Page L-163
Edit Logging Filters Dialog Box L-164
Logging Setup Page L-166
Rate Limit Page L-168
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box L-169
Add/Edit Rate Limited Syslog Message Dialog Box L-170
Server Setup Page L-171
Add/Edit Syslog Message Dialog Box L-174
Syslog Servers Page L-175
Add/Edit Syslog Server Dialog Box L-176
Multicast Policies L-178
Enable Multicast Routing Page L-178
IGMP Page L-179
Protocol Tab L-180
Configure IGMP Parameters Dialog Box L-181
Access Group Tab L-183
Configure IGMP Access Group Parameters Dialog Box L-184
Static Group Tab L-184
Configure IGMP Static Group Parameters Dialog Box L-185
Join Group Tab L-186
Configure IGMP Join Group Parameters Dialog Box L-187
Multicast Routing Page L-187
Add/Edit MRoute Configuration Dialog Box L-188
PIM Page L-189
Protocol Tab L-190
Add/Edit PIM Protocol Dialog Box L-191
Rendezvous Points Tab L-192
Add/Edit Rendezvous Point Dialog Box L-193
Add/Edit Multicast Groups Dialog Box L-195
Route Tree Tab L-196
Multicast Group Dialog Box L-197
Request Filter Tab L-198
Multicast Group Dialog Box L-200
Routing Policies L-200
No Proxy ARP Page L-201
Edit Interfaces Dialog Box L-202
OSPF Page L-203
General Tab L-203
OSPF Advanced Dialog Box L-205
Area Tab L-208
Add/Edit Area/Area Networks Dialog Box L-210
Range Tab L-212
Add/Edit Area Range Network Dialog Box L-213
Neighbors Tab L-215
Add/Edit Static Neighbor Dialog Box L-216
Redistribution Tab L-217
Redistribution Dialog Box L-218
Virtual Link Tab L-220
Add/Edit OSPF Virtual Link Configuration Dialog Box L-221
Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box L-224
Filtering Tab L-225
Add/Edit Filtering Dialog Box L-226
Summary Address Tab L-228
Add/Edit Summary Address Dialog Box L-229
Interface Tab L-231
Add/Edit Interface Dialog Box L-234
RIP Page L-237
Add/Edit RIP Configuration Dialog Box L-238
Static Route Page L-240
Add/Edit Static Route Dialog Box L-243
Security Policies L-244
General Page L-245
Add/Edit General Security Configuration Dialog Box L-247
Timeouts Page L-248
Service Policy Rules L-250
Priority Queues Page L-250
Priority Queue Configuration Dialog Box L-252
IPS, QoS, and Connection Rules Page L-253
Insert/Edit Service Policy (MPC) Rule Wizard L-254
Interfaces Selector Dialog Boxes L-262
User Preferences L-264
Deployment Page L-264
Security Contexts Page L-265
Add/Edit Security Context Dialog Box (FWSM) L-266
Add/Edit Security Context Dialog Box (PIX/ASA) L-267
Allocate Interfaces Dialog Box L-270
View Interface Allocation Dialog Box L-271

APPENDIX M    Catalyst Platform User Interface Reference M-1

Catalyst Summary Info Page M-1
Interfaces/VLANs Page M-3
Interfaces/VLANs Page - VLANs Tab M-4
Create and Edit VLAN Dialog Boxes M-6
Access Port Selector Dialog Box M-8
Trunk Port Selector Dialog Box M-9
Interfaces/VLANs Page - VLAN Groups Tab M-10
Create and Edit VLAN Group Dialog Boxes M-11
Service Module Slot Selector Dialog Box M-12
VLAN Selector Dialog Box M-13
Interfaces/VLANs Page - Interfaces Tab M-14
Create and Edit Interface Dialog Boxes - Access Port Mode M-17
Create and Edit Interface Dialog Boxes - Routed Port Mode M-22
Create and Edit Interface Dialog Boxes - Trunk Port Mode M-25
Create and Edit Interface Dialog Boxes - Dynamic Mode M-31
Create and Edit Interface Dialog Boxes - Subinterfaces M-37
Create and Edit Interface Dialog Boxes - Unsupported Mode M-39
Interfaces/VLANs Page - Summary Tab M-42
IDSM Settings Page M-44
Create and Edit IDSM EtherChannel VLANs Dialog Boxes M-46
Create and Edit IDSM Data Port VLANs Dialog Boxes M-47
IDSM Slot-Port Selector Dialog Box M-49
VLAN Access Lists Page M-50
Create and Edit VLAN ACL Dialog Boxes M-52
Create and Edit VLAN ACL Content Dialog Boxes M-54
Interface Selector Dialog Box - VLAN ACL Content M-55

APPENDIX N    IPS User Interface Reference N-1

Signature Policies N-1
Signatures Page N-2
Edit Signature Dialog Box N-4
Row Shortcut Menu N-6
Add Custom Signature Dialog Box N-7
Update Level Dialog Box N-9
Actions Shortcut Menu N-10
Edit Actions Dialog Box N-10
Edit Fidelity Dialog Box N-12
Accessing the Cisco NSDB N-12
Edit Signature Parameters Dialog Box N-13
Engine Options N-17
Edit Signature Parameter - Component List Dialog Box N-31
Add Signature Parameter - List Entry Dialog Box N-32
Edit Signature Parameter - List Entry Dialog Box N-32
Obsoletes Dialog Box N-32
Add an Entry Dialog Box N-32
Settings Page N-32
Anomaly Detection Page N-34
Anomaly Detection Page > Operation Settings Tab N-35
Anomaly Detection Page > Learning Accept Mode Tab N-36
Times Of Day Dialog Box N-38
Days Of Week Dialog Box N-38
Anomaly Detection Page > Internal Zone, External Zone, and Illegal Zone Tabs N-39
General Sub-Tab N-40
TCP Protocol Sub-Tab N-40
UDP Protocol Sub-Tab N-44
Other Protocols Sub-Tab N-45
Event Action Policies N-46
Event Action Filters Page N-47
Filter Item Dialog Box N-48
Event Action Overrides Page N-52
Event Action Override Dialog Box N-53
Network Information Page N-54
Target Value Ratings Tab N-54
OS Identification Tab N-56
Event Actions > Settings Page N-60
Interfaces Page N-61
Physical Interfaces Tab N-62
Modify Physical Interface Map Dialog Box N-64
Inline Pairs Tab N-65
Interface Pair Dialog Box N-66
VLAN Pairs Tab N-67
VLAN Pair Dialog Box N-68
VLAN Groups Tab N-70
VLAN Group Map Dialog Box N-71
Summary Tab N-72
Platform Policies N-74
Device Admin Policies N-74
Device Access Policies N-74
Server Access Policies N-79
Logging Page N-83
Interface Notifications Tab N-84
Analysis Engine Tab N-84
Security Policies N-85
Blocking Page N-85
IPS Updates Page N-100
Virtual Sensors Page N-100
Add Virtual Sensor Dialog Box N-102
Edit Virtual Sensor Dialog Box N-103
General Settings Page N-104
Interface Rules Page N-106
Add IPS Rule Dialog Box N-107
Adding Pair Dialog Box N-108

APPENDIX O    Deployment User Interface Reference O-1

Deployment - Non-Workflow Mode O-1
Deployment Manager Window (Non-Workflow Mode) O-2
Deploy Saved Changes Dialog Box O-3
Deployment Status Details Dialog Box O-6
Preview Config Dialog Box O-8
Deployment - Workflow Mode O-9
Deployment Manager Window (Workflow Mode) O-10
Create a Job Dialog Box O-12
Submit Deployment Job Dialog Box O-23
Reject Deployment Job Dialog Box O-24
Approve Deployment Job Dialog Box O-25
Discard Deployment Job Dialog Box O-26
Deploy Job Dialog Box O-27
Abort Deployment Job Dialog Box O-28
Deployment Rollback Dialog Box O-29
Rollback Confirmation Dialog Box O-31
Redeploy a Job Dialog Box O-32
Summary Tab (Deployment Manager Window) O-34
Details Tab (Deployment Manager Window) O-35
History Tab (Deployment Manager Window) O-36

APPENDIX P    FlexConfig User Interface Reference P-1

FlexConfig Policy Page P-1
FlexConfigs Selector Dialog Box P-6
Values Assignment Dialog Box P-7
FlexConfig Policy Preview Dialog Box P-9
FlexConfigs Objects Page P-10
FlexConfig Editor Dialog Box P-11
Create Text Object Dialog Box P-15
FlexConfig Undefined Variables Dialog Box P-16

Property Selector Dialog Box P-17

APPENDIX Q    Tools User Interface Reference Q-1

Policy Discovery Status Page Q-2
Discovery Details Pane Q-4
Import Details Pane Q-5
Inventory Status Window Q-6
Catalyst Summary Information Window Q-8
Audit Report Page Q-8
Audit Message Details Dialog Box Q-11
Configuration Archive Window Q-12
Configuration Version Viewer Q-15
Transcript Viewer Window Q-17
Apply IPS Update Q-18

INDEX


Preface
This document describes how to use Cisco Security Manager.

Audience
This document is for the network administrator with expertise in network security, including the use and configuration of firewalls, VPNs, and IPS sensors.

Conventions
This document uses the following conventions:

Item                                        Convention
Commands and keywords                       boldface font
Variables for which you supply values       italic font
Displayed session and system information    screen font
Information you enter                       boldface screen font
Variables you enter                         italic screen font
Menu items and button names                 boldface font
Selecting a menu item                       Option > Network Preferences

Product Documentation
Table 1 describes the product documentation that is available. For information on ordering printed documents, see Obtaining Documentation, Obtaining Support, and Security Guidelines, page 83.

Table 1    Product Documentation

Document Title                                   Available Formats
Release Notes for                                PDF on the product DVD.
Cisco Security Manager 3.1                       On Cisco.com at this URL:
                                                 http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html
Installation Guide for                           On Cisco.com at this URL:
Cisco Security Manager 3.1                       http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html
User Guide for                                   PDF on the product DVD.
Cisco Security Manager 3.1                       On Cisco.com at this URL:
                                                 http://www.cisco.com/en/US/products/ps6498/products_user_guide_list.html
Supported Devices and Software Versions for      PDF on the product DVD.
Cisco Security Manager 3.1                       On Cisco.com at this URL:
                                                 http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_list.html
User Guide for                                   On Cisco.com at this URL:
Auto Update Server 3.1                           http://www.cisco.com/en/US/products/ps6498/products_user_guide_list.html
User Guide for                                   PDF on the product DVD.
Cisco Performance Monitor 3.0                    On Cisco.com at this URL:
                                                 http://www.cisco.com/en/US/products/ps6498/products_user_guide_list.html
Context-sensitive online help                    Click the Help button in a window or dialog box.

Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

CHAPTER 1

Getting to Know Security Manager

The following topics describe Cisco Security Manager and best practices for getting started quickly and efficiently:

- What's New in Cisco Security Manager 3.1, page 1-1
- Product Overview, page 1-4
- Using Security Manager - Overview, page 1-10
- Getting Started Checklist, page 1-15
- Using the JumpStart, page 1-16

What's New in Cisco Security Manager 3.1

- Upgrade from Security Manager 3.0 and 3.0.1.
- Integrated IPS features. While Security Manager 3.0 allowed you to cross-launch the IPS Management Center to access IPS functionality, Security Manager 3.1 provides fully integrated IPS features.
- Native, integrated Catalyst 6500/7600 and VACL management.
- Ability to discover site-to-site and remote access VPNs.
- Ability to discover IOS router configurations.
- High availability.
- Embedded, read-only access to SDM, ASDM, IDM, and IEV for monitoring of individual devices.
Enhanced reporting features, including device-centric policy report and
inventory report.

Device, interface, and VPN up/down status reported in inventory report.

Detailed activity report for firewall and IDS devices.

Ability to configure SSL VPN on IOS and ASA 7.1/7.2 devices.

Cross-launch of RME SWIM for OS management.

Ability to use Security Manager user login credentials to connect to devices.

Ability to use Telnet as a transport protocol to communicate with IOS and
Catalyst 6500/7600 devices.

Enhanced device certificate retrieval support including bulk retrieval through
CLIs.

Support for the following additional features on IOS devices:


SSL VPN
Additional Easy VPN features
Line access
SSH configuration
Local time
Comprehensive AAA support
HTTP server
PPP
DSL/ATM
DNS
NFP
Bridging (wireless)
QoS TAC enhancements
Authentication proxy enhancements
Additional interface settings, such as IP redirect, IP reply, virtual
reassembly, and others.

Additional firewall features, such as support for IM blocking, java list,
DOS settings, and voice service inspection.


Additional IPsec VPN features, such as large-scale DMVPN, AIM III

Support for the following additional features on FWSM 3.1:


More than one pair of layer 2 interfaces
SNMPv2c
Skinny video
Asymmetric routing
FTP authentication challenge
Destination NAT for multicast
4K global statements

Support for the following features on ASA 7.2 devices:


Easy VPN HW client parity with PIX 501/506/VPN3002
Dual ISP support
PPPoE
Home/Business VLAN support
Enhanced auto-update support
Dynamic DNS
HA - sub-second failover
Virtualization - resource manager
Extended usage of DNS domain names
Generic input rate limiting
MPF-based regular expression classification map
N2H2 HTTPS/FTP filtering support

Support for the following features on FWSM 3.2:


L2 NAT/PAT
TACACS+ command enhancements
Xlate table bypass
H323 GUP support
Cut through proxy enhancements
RTSP PAT

Support for AIM III (IPsec/SSL VPN)

Support for IPS 5.1/6.0 and IOS IPS in IOS 12.4(11)Tx

Support for the following features on IPS 6.0 devices:


Virtual sensors
Anomaly detection
Passive OS fingerprinting
Simplified custom signature creation
Signature update wizard, preview and tuning of new signatures
IPS signature update license management
External product interface (linkage of IPS sensor with CSA MC)

Product Overview
Cisco Security Manager (Security Manager) version 3.1 enables you to manage
security policies on Cisco security devices. Security Manager supports integrated
provisioning of firewall, IPS, and VPN (site-to-site, remote access, and SSL)
services across:

IOS routers.

PIX and ASA security appliances.

Catalyst 6500/7600 services modules:


FWSM
VPNSM
VPN SPA
IDSM

IPS appliances.

IPS modules:
AIP-SSM for ASA security appliances
NM-CIDS for IOS routers


Note: For a complete list of devices and OS versions supported by Security
Manager, please refer to Supported Devices and Software Versions for Cisco
Security Manager 3.1 on Cisco.com.

Security Manager also supports provisioning of many platform-specific settings,
for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small
networks consisting of a few devices through to large networks with thousands of
devices. Scalability is achieved through a rich feature set of shareable objects and
policies and device grouping capabilities.
Security Manager supports multiple configuration views optimized around
different task flows and use cases.
The following topics provide an overview of Security Manager:

Primary Benefits of Cisco Security Manager 3.1, page 1-5

Security Manager Feature Sets, page 1-7

Primary Benefits of Cisco Security Manager 3.1


Table 1-1 lists the primary benefits of working with Security Manager.

Table 1-1 Primary Benefits of Security Manager 3.1

Benefit: Description

Scalable network management: Centrally administer security policies and
device settings for either small networks or large scale networks consisting
of thousands of devices. Define policies and settings once and then optionally
assign them to individual devices, groups of devices or all the devices in the
enterprise.

Provisioning of multiple security technologies across different platforms:
Manage VPN, firewall, and IPS technologies on routers, security appliances,
Catalyst devices and service modules, and IPS devices.

Provisioning of platform-specific settings and policies: Manage
platform-specific settings on specific device types. For example: routing,
802.1x, EzSDD, and Network Admission Control on routers, and device access
security, DHCP, AAA, and multicast on firewall devices.

VPN wizard: Quickly and easily configure site-to-site, hub-and-spoke and
full-mesh VPNs across different VPN device types.

Multiple management views: Device, policy, and map views enable you to manage
your security in the environment that best suits your needs.

Reusable policy objects: Create reusable objects to represent network
addresses, device settings, VPN parameters, and so on, then use them instead
of manually entering values.

Device grouping capabilities: Create device groups to represent your
organizational structure. Manage all devices in the groups concurrently.

Policy inheritance: Centrally specify which policies are mandatory and
enforced lower in the organization. New devices automatically acquire
mandatory policies.

Role-based administration: Enable appropriate access controls for different
operators.

Workflow: Optionally allow division of responsibility and workload between
network operators and security operators and provide a change management
approval and tracking mechanism.

Single, consistent user interface for managing common firewall features:
Single rule table for all platforms (router, PIX, ASA, and FWSM).

Intelligent analysis of firewall policies: The conflict detection feature
analyzes and reports rules that overlap or conflict with other rules. The ACL
hit count feature checks in real-time whether specific rules are being hit or
triggered by packets.

Sophisticated rule table editing: In-line editing, ability to cut, copy, and
paste rules and to change their order in the rule table.

Discover firewall policies from device: Policies that exist on the device can
be imported into Security Manager for future management.

Flexible deployment options: Support for deployment of configurations directly
to a device or to configuration file. Can also use Auto-Update Server (AUS),
CNS Configuration Engine, or Token Management Server (TMS) for deployment.

Rollback: Ability to roll back to a previous configuration if necessary.

FlexConfig (template manager): Intelligent CLI configlet editor to manage
features available on a device but not natively supported by Security Manager.

Security Manager Feature Sets


Security Manager provides the following primary feature sets:

Firewall Services
Configuration and management of firewall policies across multiple platforms,
including IOS routers, PIX/ASA devices, and Catalyst Firewall Service
Modules (FWSM). Features include:
Access control rules - Permit or deny traffic on interfaces through the
use of Access Control Lists.


Inspection rules - Filter TCP and UDP packets based on application-layer
protocol session information.

AAA/Authentication Proxy rules - Filter traffic based on authentication
and authorization for users who log into the network or access the
Internet through HTTP, HTTPS, FTP, or Telnet sessions.

Web filtering rules - Use URL filtering software, such as Websense, to
deny access to specific websites.

Transparent firewall rules - Enable you to add a transparent firewall
device or security appliance to an existing network without having to
reconfigure statically defined devices.
For more information, see Managing Firewall Services, page 12-1.

Site-to-Site VPN
Setup and configuration of IPsec site-to-site VPNs. Multiple device types can
participate in a single VPN, including IOS routers, PIX/ASA devices, and
Catalyst VPN Service Modules. Supported VPN topologies are:
Point to point
Hub and spoke
Full mesh

Supported IPsec technologies are:


Pure IPsec
GRE
GRE Dynamic IP
DMVPN
EzVPN

For more information, see Managing Site-to-Site VPNs, page 9-1.

Remote Access VPN


Setup and configuration of IPsec VPNs between servers and mobile remote
PCs running Cisco VPN client software. Security Manager supports the
EzVPN server feature, which allows IOS routers, firewall devices, and
Catalyst 6500/7600 devices to act as VPN head-end devices. Security policies
defined at the head-end are pushed to the remote VPN device so that minimal
configuration is required by the end user.


See Managing Remote Access VPNs, page 10-1 for more information.

Intrusion Prevention System (IPS) Management


Management and configuration of Cisco IPS sensors (appliances, switch
modules, and network modules) and IOS IPS devices (Cisco IOS routers with
IPS-enabled images and Cisco Integrated Services Routers).
For more information, see Managing IPS Devices and Managing IPS
Services.

Features Specific to Firewall Devices (PIX/ASA/FWSM)


Configuration of advanced platform-specific features and settings on PIX/
ASA devices and Catalyst Firewall Service Modules. These features provide
added value when managing security profiles and include:
Device administration settings
Security
Routing
Multicast
Logging
NAT
Bridging
Failover
Security contexts

See Managing Firewall Devices, page 15-1 for more information.

Features Specific to IOS Routers


Configuration of advanced platform-specific features and settings on IOS
routers. These features provide added value when managing security profiles
and include:
Routing
NAT
802.1x
NAC
QoS
Dialer interfaces

Secure device provisioning

See Managing Routers, page 14-1 for more information.

Features Specific to Catalyst 6500/7600 Devices


The embedded CiscoView Device Manager (CVDM) for Catalyst 6500/7600
devices enables the configuration of basic VLAN and network connectivity
from within the Security Manager user interface and infrastructure.
See Chapter 16, Managing Catalyst Devices for more information.

FlexConfig Template Manager


An intelligent CLI configlet editor that enables you to provision features that
are available on the device but not natively supported by Security Manager. It
enables you to manually specify a set of CLI commands and to deploy them
to devices, using Security Manager's provisioning mechanisms. These
commands can be either prepended or appended to the commands generated
by Security Manager to provision security policies.
See Managing FlexConfigs, page 19-1 for more information.

Using Security Manager - Overview


These topics provide an overview of the different views in which you can work in
Security Manager, the basic taskflow for defining and deploying policies to
devices, and some basic concepts:

Configuration Views, page 1-10

Getting Started Checklist, page 1-15

Policy Overview, page 1-13

Workflow Overview, page 1-14

Configuration Views
Security Manager provides three views in which you can manage devices and
policies: Device view, Map view, and Policy view. You can switch between these
views according to your needs.


Device View

Device view enables you to add devices to the Security Manager inventory and to
centrally manage device policies, properties, interfaces, and so on.
This is a device-centric view in which you can see all devices that you are
managing and you can select specific devices to view their properties and define
their settings and policies.
In Device View, you can define security policies locally on specific devices. You
can then share these policies to make them globally available to be assigned to
other devices.
For more information, see Understanding the Device View, page 5-24.
Policy View

Policy view enables you to create and manage reusable policies that can be shared
among multiple devices.
This is a policy-centric view in which you can see all the policy types supported
by Security Manager. You can select a specific policy type and create, view,
or modify shared policies of that type. You can also see the devices to which each
shared policy is assigned and change the assignments as required.
For more information, see Managing Shared Policies in Policy View, page 6-40.
Map View

Map view enables you to create customized, visual topology maps of your
network, within which you can view connections between your devices and easily
configure VPNs and access control settings.
For more information, see Using Map View, page 4-1.

User Taskflow
The basic user taskflow for configuring security policies on devices involves
adding devices to the Security Manager inventory, defining the policies, and then
deploying them to the devices. The following briefly describes the steps in a
typical user taskflow:
Step 1

Add devices to the Security Manager device inventory.


To manage a device with Security Manager, you must first add it to the Security
Manager inventory. Security Manager provides multiple methods to quickly and
easily add devices: from the network (live devices), from the device credential
repository (DCR), or from a device configuration file. You can also add a device
that does not yet exist in the network but will be deployed in the future, by
creating it in Security Manager.
When you add a device, you can also discover its interfaces and certain policies
that were already configured on the device. Discovery brings the information into
the Security Manager database for continued management with Security Manager
in the future.
For more information, see Managing Devices, page 5-1.
Step 2

Define security policies.


After you have added your devices, you can define the security policies you
require. You can use Device view to define policies on specific devices. You can
use Policy view to create and manage reusable policies that can be shared by any
number of devices. When you make a change to a shared policy, the change is
applied to all devices to which that policy is assigned.
To simplify and speed up policy definition, you can use policy objects, which are
named, reusable representations of specific values. You can define an object once
and then reference it in multiple policies instead of having to define the values
individually in each policy.

Note: If you are using the Workflow mode, you must create an activity before
you start defining policies. For more information, see Workflow Overview,
page 1-14.

For more information, see Managing Policies, page 6-1 and Managing Objects,
page 8-1.

Step 3

Submit and deploy your policy definitions.


Policy definition is done within your private view. Your definitions are not
committed to the database and cannot be seen by other Security Manager users
until you submit them. When you submit your policy definitions, the system
validates their integrity. Errors or warnings are displayed to inform you of any
problems that need to be addressed before the policies can be deployed to the
devices.


Security Manager generates CLI commands according to your policy definitions
and enables you to quickly and easily deploy them to your devices. You can
deploy directly to live devices in the network (including dynamically addressed
devices) via a secure connection, or to files that can be transferred to your devices
at any time.
In non-Workflow mode, submitting and deploying your changes is done in a
single action. In Workflow mode, you first submit your activity and then you
create a deployment job to deploy your changes.
For more information, see Managing Deployment, page 18-1.

Policy Overview
A policy is a set of rules or parameters that define a particular aspect of network
configuration. In Security Manager, you define policies that specify the security
functionality you want on your devices. Security Manager translates your policies
into CLI commands that can be deployed to the relevant devices.
Security Manager enables you to configure local policies and shared policies.
Local policies are confined to the device on which they are configured. Shared
policies are named, reusable policies that can be assigned to multiple devices at
once. Any changes you make to a shared policy are reflected on all devices to
which that policy is assigned, so you do not have to make the change on each
device.
For more detailed information, see Understanding Policies, page 6-1.
Policy Assignment

In Security Manager, the application of a policy to a device is called assignment.


A local policy is automatically assigned to the device on which it is configured.
A shared policy can be assigned to multiple devices.
Policy Discovery

Policy discovery enables you to bring policies and settings that already exist on
your devices into Security Manager. Policy discovery can be done when you add
your device to the Security Manager inventory, or you can initiate policy
discovery manually at any time.


Policy Objects

Objects are reusable components that can be referenced by name by multiple
policies. An object is a named representation of a set of values. For example, you
can define a network object called MyNetwork that contains a set of IP addresses
in your network. Whenever you configure a policy requiring these addresses, you
can simply refer to the MyNetwork network object rather than manually entering
the addresses each time. Furthermore, you can make changes to policy objects in
a central location and these changes will be reflected in all the policies that
reference those objects.
For more information, see Managing Objects, page 8-1.

Workflow Overview
Security Manager provides two modes of operation that scale to different
organizational working environments: Workflow mode and non-Workflow mode.
Workflow Mode

Workflow mode is for organizations that have division of responsibility between
users who define security policies and those who administer security policies. It
imposes a formal change-tracking and management system by requiring all policy
configuration to be done within the context of an activity. An activity is essentially
a private view of the Security Manager database. Changes made within the
activity are only committed to the database and made public after the activity has
been submitted and then approved by a user with the appropriate permissions. At
this stage, the changes can be deployed to the network by creating a deployment
job to define the devices to which configurations will be deployed and the
deployment method to be used.
Non-Workflow Mode (Default)

This is the default mode of operation in which there is no need to create activities
and jobs. When you log in, Security Manager creates an activity for you. You can
define and save your policies, and then submit and deploy them in one step.
For more information, see Selecting a Workflow Mode, page 2-56.


Getting Started Checklist


The Checklist for Getting Started with Cisco Security Manager lists the tasks that
typically need to be performed to get up and running with Security Manager. It
assumes that you have already installed Security Manager on your server. If you
have not yet installed the product, please refer to the Installation Guide of Cisco
Security Manager 3.1 for detailed information.

Note: While we recommend performing the steps in the checklist sequentially,
some steps might not be relevant to you, depending on your role in the
organization.

Table 1-2 Checklist for Getting Started with Cisco Security Manager

Task

Step 1: Install the client application on your workstation.

Use the Cisco Security Manager Suite homepage to install the Security Manager
client and to manage the server. You can also access other CiscoWorks
applications you installed, such as RME.
See Logging In to and Exiting the Security Manager Client, page 3-3.

Step 2: Define application-wide settings that will determine the behavior of
certain aspects of the application.

There are a few application-wide settings we recommend defining before you
begin working with Security Manager, such as the default deployment method (to
device or file), the workflow mode, and so on. These settings are located in
Tools > Security Manager Administration.
See Define These Settings First, page 2-2.

Step 3: Understand how to get to context-sensitive help.

Context-sensitive help is available throughout the product. Click the help
button on any page or access the entire help system from the Help menu.

Step 4: Familiarize yourself with the basics of Security Manager.


Understanding the concepts upon which Security Manager is based will help you to get up and
running quickly with the product. We recommend you read the section that provides an
overview of using Security Manager and that you take a look at the JumpStart that opens when
you first open the application.
See Using Security Manager - Overview, page 1-10 and Using the JumpStart, page 1-16.

Step 5: Bootstrap your devices so that they can be managed by Security Manager.


Before you can manage devices in Security Manager, you must prepare the devices by making
sure they are configured with the protocols Security Manager needs to communicate with them,
for example, SSH and SSL.
See Preparing the Devices for Security Manager to Manage, page 5-2.

Step 6: Add devices to the Security Manager inventory.


Before you can configure devices, you must add them to the inventory.
See Adding Catalyst 6500/7600 Devices from the Network, page 5-33.
After adding the devices, you can define your security policies and deploy them to the devices.

Using the JumpStart


The JumpStart is an interactive introduction to Security Manager. It describes and
illustrates the major concepts of using the product.
The JumpStart opens automatically when you first launch Security Manager. To
get to the JumpStart while you are working with the Security Manager, select
Help > JumpStart from the main menu.
The JumpStart contains the following navigation features:

A table of contents, which is always visible in the upper right corner. Click
an entry to open its page.

Links in the page enable you to drill down to more detailed information in the
JumpStart or to relevant information in the online help.

CHAPTER 2

Performing Administrative Tasks


The following topics describe application settings and preferences:

Define These Settings First, page 2-2

Setting Up User Permissions, page 2-3

Integrating Security Manager with Cisco Secure ACS, page 2-34

Selecting a Workflow Mode, page 2-56

Working with AutoLink, page 2-61

Defining Configuration Archive Settings, page 2-62

Customizing Your Desktop, page 2-64

Defining Deployment Settings, page 2-65

Defining Device Communication Settings, page 2-68

Working with Device Groups, page 2-75

Working With Device OS Management, page 20-6

Defining Discovery Settings, page 2-76

Administering IPS Update Settings, page 2-77

Administering Licenses, page 2-82

Archiving Log Files, page 2-88

Defining Policy Management Settings, page 2-89

Defining Policy Object Settings, page 2-91

Working with Server Security, page 2-92


Working with Status Providers, page 2-94

Taking Over Another User's Work, page 2-96

Defining TMS (Token Management System) Settings, page 2-97

Configuring VPN Policy Defaults, page 2-98

Define These Settings First


Use Security Manager to define many application-wide settings that customize
your working environment for your needs. This section highlights settings that we
recommend you define first to help your organization get up and running with the
application. All application settings are located in the Security Administration
page. To access application settings, select Tools > Security Administration.
We recommend you perform these actions first:

Verify you have completed all relevant steps in the Getting Started Checklist,
page 1-15.

Create individual user IDs - Enables each user to log in with a distinct user
ID. This enables management of several devices without disrupting your or
another user's work. Go to Tools > Security Administration > Application
Security and click Local User Setup. See Working with Server Security,
page 2-92.

Select your default deployment method (device or file) - Enables you to set
configurations to deploy directly to the device in your network, or to a file in
a directory of your choosing. Go to Tools > Security Administration >
Deployment. See Defining Deployment Settings, page 2-65.

Decide whether to allow deployment to device to proceed if there are minor
errors on the device - Go to Tools > Security Administration >
Deployment. See Defining Deployment Settings, page 2-65.

Decide how Security Manager will respond when out-of-band changes are
made to devices - You can determine whether to issue a warning, cancel
deployment, or ignore any out-of-band configuration changes. Go to Tools >
Security Administration > Deployment. See Defining Deployment
Settings, page 2-65.


Setting Up User Permissions


Cisco Security Manager authenticates your username and password before you
can log in. After they are authenticated, Security Manager establishes your role
within the application. This role defines your permissions (also called privileges),
which are the set of tasks or operations that you are authorized to perform. If you
are not authorized for certain tasks or devices, the related menu items, TOC items,
and buttons are hidden or disabled. In addition, a message tells you that you do
not have permission to view the selected information or perform the selected
operation.
Authentication and authorization for Security Manager is managed either by the
CiscoWorks server or the Cisco Secure Access Control Server (ACS). By default,
CiscoWorks manages authentication and authorization, but you can change to
Cisco Secure ACS by using the AAA Mode Setup page in CiscoWorks Common
Services.
The major advantages of using Cisco Secure ACS are the ability to create highly
granular user roles with specialized permissions sets (for example, allowing the
user to configure certain policy types but not others) and the ability to restrict
users to certain devices by configuring network device groups (NDGs).
The following topics describe user permissions:

Security Manager Permissions, page 2-4

Understanding CiscoWorks Roles, page 2-27

Understanding Cisco Secure ACS Roles, page 2-29

Default Associations Between Permissions and Roles in Security Manager,
page 2-32

For more information about ACS integration, see Integrating Security Manager
with Cisco Secure ACS, page 2-34.
Related Topics

Understanding Locking, page 6-55


Security Manager Permissions


Security Manager classifies permissions into the following categories:

View - Allows you to view the current settings. For more information, see
View Permissions, page 2-5.

Modify - Allows you to change the current settings. For more information,
see Modify Permissions, page 2-14.

Assign - Allows you to assign policies to devices and VPN topologies. For
more information, see Assign Permissions, page 2-23.

Approve - Allows you to approve policy changes and deployment jobs. For
more information, see Approve Permissions, page 2-26.

Import - Allows you to import the configurations that are already deployed
on devices into Security Manager.

Deploy - Allows you to deploy configuration changes to the devices in your
network and perform rollback to return to a previously deployed
configuration.

Control - Allows you to issue commands to devices, such as ping.

Submit - Allows you to submit your configuration changes for approval.

Tip: To view the complete Security Manager permissions tree, log in to Cisco
Secure ACS, then click Share Profile Components on the navigation bar. For
more information, see Customizing Cisco Secure ACS Roles, page 2-31.

Note: When you select modify, assign, approve, import, control or deploy
permissions, you must also select the corresponding view permissions;
otherwise, Security Manager will not function properly.

When you select modify policy permissions, you must also select the
corresponding assign and view policy permissions.

When you permit a policy that uses policy objects as part of its definition, you
must also grant view permissions to these object types. For example, if you
select the permission for modifying routing policies, you must also select the
permissions for viewing network objects and interface roles, which are the
object types required by routing policies.

The same holds true when permitting an object that uses other objects as part
of its definition. For example, if you select the permission for modifying user
groups, you must also select the permissions for viewing network objects,
ACL objects, and AAA server groups.
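The dependency rules in the Note can be checked mechanically before a role is saved in ACS. The following is an added example, not code from the guide or the product: it encodes the three rules and reports which permissions a selection still lacks. The dependency table covers only the two examples the guide gives (routing policies, user groups), the "Category > Group > Item" labels are assumed, and the object-type rule is applied to every permission on a type, not only modify.

```python
"""Dependency check for a Security Manager permission selection.

Added example; not code from the Cisco guide or the product. It encodes the
rules in the Note above:
  1. modify/assign/approve/import/control/deploy need the matching view
     permission;
  2. a modify policy permission also needs the matching assign policy permission;
  3. a policy or object that uses policy objects needs view permission on those
     object types (the guide's examples: routing policies and user groups).
Permission labels follow the guide's "Category > Group > Item" style; the exact
labels used in the Cisco Secure ACS permissions tree are assumed.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Set, Tuple

Perm = Tuple[str, str, str]  # (category, group, item)

# Categories that require the corresponding View permission (rule 1).
NEEDS_VIEW = {"Modify", "Assign", "Approve", "Import", "Control", "Deploy"}

# Object types referenced by a policy or object type (rule 3). Constructed from
# the two examples in the guide; a full table would cover every policy type.
REFERENCED_OBJECTS: Dict[Tuple[str, str], Tuple[str, ...]] = {
    ("Policies", "Routing"): ("Network Objects", "Interface Roles"),
    ("Objects", "User Groups"): ("Network Objects", "ACL Objects", "AAA Server Groups"),
}


def parse(label: str) -> Perm:
    """Turn 'Modify > Policies > Routing' into ('Modify', 'Policies', 'Routing')."""
    parts = [p.strip() for p in label.split(">")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected 'Category > Group > Item', got {label!r}")
    return parts[0], parts[1], parts[2]


def fmt(perm: Perm) -> str:
    return " > ".join(perm)


def direct_requirements(perm: Perm) -> Set[Perm]:
    """Permissions that must accompany `perm` according to the three rules."""
    category, group, item = perm
    required: Set[Perm] = set()
    if category in NEEDS_VIEW:                        # rule 1
        required.add(("View", group, item))
    if category == "Modify" and group == "Policies":  # rule 2
        required.add(("Assign", group, item))
    # Rule 3. The guide's examples grant modify; this check applies the rule to
    # any permission on the policy/object type (an assumption of this example).
    for object_type in REFERENCED_OBJECTS.get((group, item), ()):
        required.add(("View", "Objects", object_type))
    return required


def required_permissions(selected: Iterable[str]) -> Set[Perm]:
    """Transitive closure: everything the selection implies, itself included."""
    todo = [parse(label) for label in selected]
    closure: Set[Perm] = set()
    while todo:
        perm = todo.pop()
        if perm in closure:
            continue
        closure.add(perm)
        todo.extend(direct_requirements(perm))
    return closure


def missing_permissions(selected: Iterable[str]) -> List[str]:
    """Implied permissions the selection lacks, as sorted labels ([] if consistent)."""
    labels = list(selected)
    chosen = {parse(label) for label in labels}
    return sorted(fmt(p) for p in required_permissions(labels) - chosen)


def check_role(role: str, selected: Iterable[str]) -> bool:
    """Print what a role is missing; True when the selection is consistent."""
    missing = missing_permissions(list(selected))
    if missing:
        print(f"Role {role!r} will not function properly. Also select:")
        for label in missing:
            print("  ", label)
    else:
        print(f"Role {role!r}: permission selection is consistent.")
    return not missing


if __name__ == "__main__":
    # Constructed roles: each was granted only a modify permission.
    check_role("routing-operator", ["Modify > Policies > Routing"])
    check_role("user-group-editor", ["Modify > Objects > User Groups"])
```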

Related Topics

Customizing Cisco Secure ACS Roles, page 2-31

Default Associations Between Permissions and Roles in Security Manager,


page 2-32

Setting Up User Permissions, page 2-3

View Permissions
View (read-only) permissions in Security Manager are divided into the following
categories:

View Policies Permissions, page 2-5

View Objects Permissions, page 2-8

Additional View Permissions, page 2-13

Related Topics

Customizing Cisco Secure ACS Roles, page 2-31

Default Associations Between Permissions and Roles in Security Manager,
page 2-32

Security Manager Permissions, page 2-4

View Policies Permissions


Security Manager includes the following view permissions for policies:

View > Policies > Firewall. Allows you to view firewall service policies
(located in the Policy selector under Firewall) on PIX/ASA/FWSM devices,
IOS routers, and Catalyst 6500/7600 devices. Examples of firewall service
policies include access rules, AAA rules, and inspection rules.

View > Policies > Intrusion Prevention System. Allows you to view IPS
policies (located in the Policy selector under IPS), including policies for IPS
running on IOS routers.

View > Policies > Image. Allows you to select a signature update package in
the Apply IPS Updates wizard (located under Tools > Apply IPS Update), but
does not allow you to assign the package to specific devices, unless you also
have the Modify > Policies > Image permission.

View > Policies > NAT. Allows you to view network address translation
policies on PIX/ASA/FWSM devices and IOS routers. Examples of NAT
policies include static rules and dynamic rules.

View > Policies > Site-to-Site VPN. Allows you to view site-to-site VPN
policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600
devices. Examples of site-to-site VPN policies include IKE proposals, IPsec
proposals, and preshared keys.

View > Policies > Remote Access VPN. Allows you to view remote access
VPN policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst
6500/7600 devices. Examples of remote access VPN policies include IKE
proposals, IPsec proposals, and PKI policies.

View > Policies > SSL VPN. Allows you to view SSL VPN policies on
PIX/ASA/FWSM devices and IOS routers, such as the SSL VPN wizard.

View > Policies > Interfaces. Allows you to view interface policies (located
in the Policy selector under Interfaces) on PIX/ASA/FWSM devices, IOS
routers, IPS sensors, and Catalyst 6500/7600 devices:
On PIX/ASA/FWSM devices, this permission covers hardware ports and
interface settings.
On IOS routers, this permission covers basic and advanced interface
settings, as well as other interface-related policies, such as DSL, PVC,
PPP, and dialer policies.
On IPS sensors, this permission covers physical interfaces and summary
maps.
On Catalyst 6500/7600 devices, this permission covers interfaces and
VLAN settings.

View > Policies > Bridging. Allows you to view ARP table policies (located
in the Policy selector under Platform > Bridging) on PIX/ASA/FWSM
devices.

View > Policies > Device Administration. Allows you to view device
administration policies (located in the Policy selector under Platform >
Device Admin) on PIX/ASA/FWSM devices, IOS routers, and
Catalyst 6500/7600 devices:
On PIX/ASA/FWSM devices, examples include device access policies,
server access policies, and failover policies.
On IOS routers, examples include device access (including line access)
policies, server access policies, AAA, and Secure Device Provisioning.
On IPS sensors, this permission covers device access policies and server
access policies.
On Catalyst 6500/7600 devices, this permission covers IDSM settings
and VLAN access lists.

View > Policies > Identity. Allows you to view identity policies (located in
the Policy selector under Platform > Identity) on Cisco IOS routers, including
802.1x and Network Admission Control (NAC) policies.

View > Policies > Logging. Allows you to view logging policies (located in
the Policy selector under Platform > Logging) on PIX/ASA/FWSM devices,
IOS routers, and IPS sensors. Examples of logging policies include logging
setup, server setup, and syslog server policies.

View > Policies > Multicast. Allows you to view multicast policies (located
in the Policy selector under Platform > Multicast) on PIX/ASA/FWSM
devices. Examples of multicast policies include multicast routing and IGMP
policies.

View > Policies > QoS. Allows you to view QoS policies (located in the
Policy selector under Platform > Quality of Service) on Cisco IOS routers.

View > Policies > Routing. Allows you to view routing policies (located in
the Policy selector under Platform > Routing) on PIX/ASA/FWSM devices
and IOS routers. Examples of routing policies include OSPF, RIP, and static
routing policies.

View > Policies > Security. Allows you to view security policies (located in
the Policy selector under Platform > Security) on PIX/ASA/FWSM devices
and IPS sensors:
On PIX/ASA/FWSM devices, security policies include anti-spoofing,
fragment, and timeout settings.
On IPS sensors, security policies include blocking settings.

View > Policies > Service Policy Rules. Allows you to view service policy
rule policies (located in the Policy selector under Platform > Service Policy
Rules) on PIX 7.x/ASA devices. Examples include priority queues and IPS,
QoS, and connection rules.

View > Policies > User Preferences. Allows you to view the Deployment
policy (located in the Policy selector under Platform > User Preferences) on
PIX/ASA/FWSM devices. This policy contains an option for clearing all NAT
translations on deployment.

View > Policies > Virtual Device. Allows you to view virtual sensor policies
on IPS devices. This policy is used to create virtual sensors.

View > Policies > FlexConfig. Allows you to view FlexConfigs, which are
additional CLI commands and instructions that can be deployed to
PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices.

Note: Policy permissions are affected when authentication is performed by a
Cisco Secure ACS on which network device groups (NDGs) are defined. See
NDGs and User Permissions, page 2-44.

Related Topics

View Permissions, page 2-5

View Objects Permissions


Security Manager includes the following view permissions for objects:

View > Objects > AAA Server Groups. Allows you to view AAA server
group objects. These objects are used in policies that require AAA services
(authentication, authorization, and accounting).

View > Objects > AAA Servers. Allows you to view AAA server objects.
These objects represent individual AAA servers that are defined as part of a
AAA server group.

View > Objects > Access Control Lists - Standard/Extended. Allows you
to view standard and extended ACL objects. Extended ACL objects are used
for a variety of policies, such as NAT and NAC, and for establishing VPN
access. Standard ACL objects are used for such policies as OSPF and SNMP,
as well as for establishing VPN access.

View > Objects > Access Control Lists - Web. Allows you to view web ACL
objects. Web ACL objects are used to perform content filtering in SSL VPN
policies.

View > Objects > ASA User Groups. Allows you to view ASA user group
objects. These objects are configured on ASA security appliances in
Easy VPN, remote access VPN, and SSL VPN configurations.

View > Objects > Categories. Allows you to view category objects. These
objects help you easily identify rules and objects in rules tables through the
use of color.

View > Objects > Credentials. Allows you to view credential objects. These
objects are used in Easy VPN configuration during IKE Extended
Authentication (Xauth).

View > Objects > FlexConfigs. Allows you to view FlexConfig objects.
These objects, which contain configuration commands with additional
scripting language instructions, can be used to configure commands that are
not supported by the Security Manager user interface.

View > Objects > IKE Proposals. Allows you to view IKE proposal objects.
These objects contain the parameters required for IKE proposals in remote
access VPN policies.

View > Objects > Inspect - Class Maps - DNS. Allows you to view DNS
class map objects. These objects match DNS traffic with specific criteria so
that actions can be performed on that traffic.

View > Objects > Inspect - Class Maps - FTP. Allows you to view FTP class
map objects. These objects match FTP traffic with specific criteria so that
actions can be performed on that traffic.

View > Objects > Inspect - Class Maps - HTTP. Allows you to view HTTP
class map objects. These objects match HTTP traffic with specific criteria so
that actions can be performed on that traffic.

View > Objects > Inspect - Class Maps - IM. Allows you to view IM class
map objects. These objects match IM traffic with specific criteria so that
actions can be performed on that traffic.

View > Objects > Inspect - Class Maps - SIP. Allows you to view SIP class
map objects. These objects match SIP traffic with specific criteria so that
actions can be performed on that traffic.

View > Objects > Inspect - Policy Maps - DNS. Allows you to view DNS
policy map objects. These objects are used to create inspection maps for DNS
traffic.

View > Objects > Inspect - Policy Maps - FTP. Allows you to view FTP
policy map objects. These objects are used to create inspection maps for FTP
traffic.

View > Objects > Inspect - Policy Maps - GTP. Allows you to view GTP
policy map objects. These objects are used to create inspection maps for GTP
traffic.

View > Objects > Inspect - Policy Maps - HTTP (ASA7.1.x/PIX7.1.x/IOS).
Allows you to view HTTP policy map objects created for ASA/PIX 7.1.x
devices and IOS routers. These objects are used to create inspection maps
for HTTP traffic.

View > Objects > Inspect - Policy Maps - HTTP (ASA7.2/PIX7.2). Allows
you to view HTTP policy map objects created for ASA 7.2/PIX 7.2 devices.
These objects are used to create inspection maps for HTTP traffic.

View > Objects > Inspect - Policy Maps - IM (ASA7.2/PIX7.2). Allows you
to view IM policy map objects created for ASA 7.2/PIX 7.2 devices. These
objects are used to create inspection maps for IM traffic.

View > Objects > Inspect - Policy Maps - IM (IOS). Allows you to view IM
policy map objects created for IOS devices. These objects are used to create
inspection maps for IM traffic.

View > Objects > Inspect - Policy Maps - SIP. Allows you to view SIP
policy map objects. These objects are used to create inspection maps for SIP
traffic.

View > Objects > Inspect - Regular Expressions. Allows you to view
regular expression objects. These objects represent individual regular
expressions that are defined as part of a regular expression group.

View > Objects > Inspect - Regular Expressions Groups. Allows you to
view regular expression group objects. These objects are used by certain class
maps and inspect maps to match text inside a packet.

View > Objects > Inspect - TCP Maps. Allows you to view TCP map
objects. These objects customize inspection on TCP flow in both directions.

View > Objects > Interface Roles. Allows you to view interface role objects.
These objects define naming patterns that can represent multiple interfaces on
different types of devices. Interface roles enable you to apply policies to
specific interfaces on multiple devices without having to manually define the
name of each interface.

View > Objects > IPsec Transform Sets. Allows you to view IPsec
transform set objects. These objects comprise a combination of security
protocols, algorithms and other settings that specify exactly how the data in
the IPsec tunnel will be encrypted and authenticated.

View > Objects > LDAP Attribute Maps. Allows you to view LDAP
attribute map objects. These objects are used to map custom (user-defined)
attribute names to Cisco LDAP attribute names.

View > Objects > Networks/Hosts. Allows you to view network/host
objects. These objects are logical collections of IP addresses that represent
networks, hosts, or both. Network/host objects enable you to define policies
without specifying each network or host individually.

View > Objects > PKI Enrollments. Allows you to view PKI enrollment
objects. These objects define the Certification Authority (CA) servers that
operate within a public key infrastructure.

View > Objects > Port Forwarding Lists. Allows you to view port
forwarding list objects. These objects define the mappings of port numbers
on a remote client to the application's IP address and port behind an SSL VPN
gateway.

View > Objects > Secure Desktop Configurations. Allows you to view
secure desktop configuration objects. These objects are reusable, named
components that can be referenced by SSL VPN policies to provide a reliable
means of eliminating all traces of sensitive data that is shared for the duration
of an SSL VPN session.

View > Objects > Services - Port Lists. Allows you to view port list objects.
These objects, which contain one or more ranges of port numbers, are used to
streamline the process of creating service objects.

View > Objects > Services/Service Groups. Allows you to view service and
service group objects. These objects are defined mappings of protocol and
port definitions that describe network services used by policies, such as
Kerberos, SSH, and POP3.

View > Objects > Single Sign On Servers. Allows you to view single sign
on server objects. Single Sign-On (SSO) lets SSL VPN users enter a
username and password once and be able to access multiple protected
services and web servers.

View > Objects > SLA Monitors. Allows you to view SLA monitor objects.
These objects are used by PIX/ASA security appliances running version 7.2
or later to perform route tracking. This feature provides a method to track the
availability of a primary route and install a backup route if the primary route
fails.

View > Objects > SSL VPN Customizations. Allows you to view SSL VPN
customization objects. These objects define how to change the appearance of
SSL VPN pages that are displayed to users, such as Login/Logout and Home
pages.

View > Objects > SSL VPN Gateways. Allows you to view SSL VPN
gateway objects. These objects define parameters that enable the gateway to
be used as a proxy for connections to the protected resources in your
SSL VPN.

View > Objects > Style Objects. Allows you to view style objects. These
objects let you configure style elements, such as font characteristics and
colors, to customize the appearance of the SSL VPN page that appears to SSL
VPN users when they connect to the security appliance.

View > Objects > Text Objects. Allows you to view free-form text objects.
These objects comprise a name and value pair, where the value can be a single
string, a list of strings, or a table of strings.

View > Objects > Time Ranges. Allows you to view time range objects.
These objects are used when creating time-based ACLs and inspection rules.
They are also used when defining ASA user groups to restrict VPN access to
specific times during the week.

View > Objects > Traffic Flows. Allows you to view traffic flow objects.
These objects define specific traffic flows for use by PIX 7.x/ASA 7.x
devices.

View > Objects > URL Lists. Allows you to view URL list objects. These
objects define the URLs that are displayed on the portal page after a
successful login. This enables users to access the resources available on
SSL VPN websites when operating in Clientless access mode.

View > Objects > User Groups. Allows you to view user group objects.
These objects define groups of remote clients that are used in Easy VPN
topologies, remote access VPNs, and SSL VPNs.

View > Objects > WINS Server Lists. Allows you to view WINS server list
objects. These objects represent WINS servers, which are used by SSL VPN
to access or share files on remote systems.

View > Objects > Internal - DN Rules. Allows you to view the DN rules
used by DN policies. This is an internal object used by Security Manager that
does not appear in the Policy Object Manager.

View > Objects > Internal - Client Updates. This is an internal object
required by user group objects that does not appear in the Policy Object
Manager.

View > Objects > Internal - Standard ACEs. This is an internal object for
standard access control entries, which are used by ACL objects.

View > Objects > Internal - Extended ACEs. This is an internal object for
extended access control entries, which are used by ACL objects.

Related Topics

View Permissions, page 2-5

Additional View Permissions


Security Manager includes the following additional view permissions:

View > Admin. Allows you to view Security Manager administrative
settings.

View > CLI. Allows you to view the CLI commands configured on a device
and preview the commands that are about to be deployed.

View > Config Archive. Allows you to view the list of configurations
contained in the configuration archive. You cannot view the device
configuration or any CLI commands.

View > Devices. Allows you to view devices in Device view and all related
information, including their device settings, properties, assignments, and so
on.

Note: You can limit device permissions to particular sets of devices by
configuring network device groups (NDGs) on a Cisco Secure ACS. See
Configuring Network Device Groups for Use in Security Manager,
page 2-43.

View > Device Managers. Allows you to launch read-only versions of the
device managers for individual devices, such as the Cisco Router and Security
Device Manager (SDM) for Cisco IOS routers.

View > Topology. Allows you to view maps configured in Map view.

Related Topics

View Permissions, page 2-5

Modify Permissions
Modify (read-write) permissions in Security Manager are divided into the
following categories:

Modify Policies Permissions, page 2-14

Modify Objects Permissions, page 2-18

Additional Modify Permissions, page 2-23

Related Topics

Customizing Cisco Secure ACS Roles, page 2-31

Default Associations Between Permissions and Roles in Security Manager,
page 2-32

Security Manager Permissions, page 2-4

Modify Policies Permissions

Note: When you specify modify policy permissions, make sure that you have
selected the corresponding assign and view policy permissions as well.

Security Manager includes the following modify permissions for policies:

Modify > Policies > Firewall. Allows you to modify firewall service policies
(located in the Policy selector under Firewall) on PIX/ASA/FWSM devices,
IOS routers, and Catalyst 6500/7600 devices. Examples of firewall service
policies include access rules, AAA rules, and inspection rules.

Modify > Policies > Intrusion Prevention System. Allows you to modify
IPS policies (located in the Policy selector under IPS), including policies for
IPS running on IOS routers. This permission also allows you to tune
signatures in the Signature Update wizard (located under Tools > Apply IPS
Update).

Modify > Policies > Image. Allows you to assign a signature update package
to devices in the Apply IPS Updates wizard (located under Tools > Apply IPS
Update). This permission also allows you to assign auto update settings to
specific devices (located under Tools > Security Manager Administration >
IPS Updates).

Modify > Policies > NAT. Allows you to modify network address translation
policies on PIX/ASA/FWSM devices and IOS routers. Examples of NAT
policies include static rules and dynamic rules.

Modify > Policies > Site-to-Site VPN. Allows you to modify site-to-site
VPN policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst
6500/7600 devices. Examples of site-to-site VPN policies include IKE
proposals, IPsec proposals, and preshared keys.

Modify > Policies > Remote Access VPN. Allows you to modify remote
access VPN policies on PIX/ASA/FWSM devices, IOS routers, and Catalyst
6500/7600 devices. Examples of remote access VPN policies include IKE
proposals, IPsec proposals, and PKI policies.

Modify > Policies > SSL VPN. Allows you to modify SSL VPN policies on
PIX/ASA/FWSM devices and IOS routers, such as the SSL VPN wizard.

Modify > Policies > Interfaces. Allows you to modify interface policies
(located in the Policy selector under Interfaces) on PIX/ASA/FWSM devices,
IOS routers, IPS sensors, and Catalyst 6500/7600 devices:
On PIX/ASA/FWSM devices, this permission covers hardware ports and
interface settings.
On IOS routers, this permission covers basic and advanced interface
settings, as well as other interface-related policies, such as DSL, PVC,
PPP, and dialer policies.
On IPS sensors, this permission covers physical interfaces and summary
maps.
On Catalyst 6500/7600 devices, this permission covers interfaces and
VLAN settings.

Modify > Policies > Bridging. Allows you to modify ARP table policies
(located in the Policy selector under Platform > Bridging) on
PIX/ASA/FWSM devices.

Modify > Policies > Device Administration. Allows you to modify device
administration policies (located in the Policy selector under Platform >
Device Admin) on PIX/ASA/FWSM devices, IOS routers, and
Catalyst 6500/7600 devices:
On PIX/ASA/FWSM devices, examples include device access policies,
server access policies, and failover policies.
On IOS routers, examples include device access (including line access)
policies, server access policies, AAA, and Secure Device Provisioning.
On IPS sensors, this permission covers device access policies and server
access policies.
On Catalyst 6500/7600 devices, this permission covers IDSM settings
and VLAN access lists.

Modify > Policies > Identity. Allows you to modify identity policies (located
in the Policy selector under Platform > Identity) on Cisco IOS routers,
including 802.1x and Network Admission Control (NAC) policies.

Modify > Policies > Logging. Allows you to modify logging policies
(located in the Policy selector under Platform > Logging) on
PIX/ASA/FWSM devices, IOS routers, and IPS sensors. Examples of logging
policies include logging setup, server setup, and syslog server policies.

Modify > Policies > Multicast. Allows you to modify multicast policies
(located in the Policy selector under Platform > Multicast) on
PIX/ASA/FWSM devices. Examples of multicast policies include multicast
routing and IGMP policies.

Modify > Policies > QoS. Allows you to modify QoS policies (located in the
Policy selector under Platform > Quality of Service) on Cisco IOS routers.

Modify > Policies > Routing. Allows you to modify routing policies (located
in the Policy selector under Platform > Routing) on PIX/ASA/FWSM devices
and IOS routers. Examples of routing policies include OSPF, RIP, and static
routing policies.

Modify > Policies > Security. Allows you to modify security policies
(located in the Policy selector under Platform > Security) on
PIX/ASA/FWSM devices and IPS sensors:
On PIX/ASA/FWSM devices, security policies include anti-spoofing,
fragment, and timeout settings.
On IPS sensors, security policies include blocking settings.

Modify > Policies > Service Policy Rules. Allows you to modify service
policy rule policies (located in the Policy selector under Platform > Service
Policy Rules) on PIX 7.x/ASA devices. Examples include priority queues and
IPS, QoS, and connection rules.

Modify > Policies > User Preferences. Allows you to modify the
Deployment policy (located in the Policy selector under Platform > User
Preferences) on PIX/ASA/FWSM devices. This policy contains an option for
clearing all NAT translations on deployment.

Modify > Policies > Virtual Device. Allows you to modify virtual sensor
policies on IPS devices. Use this policy to create virtual sensors.

Modify > Policies > FlexConfig. Allows you to modify FlexConfigs, which
are additional CLI commands and instructions that can be deployed to
PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices.

Note: Policy permissions are affected when authentication is performed by a
Cisco Secure ACS on which network device groups (NDGs) are defined. See
NDGs and User Permissions, page 2-44.

Related Topics

Modify Permissions, page 2-14

Modify Objects Permissions


Security Manager includes the following modify permissions for objects:

Modify > Objects > AAA Server Groups. Allows you to modify AAA server
group objects. These objects are used in policies that require AAA services
(authentication, authorization, and accounting).

Modify > Objects > AAA Servers. Allows you to modify AAA server objects.
These objects represent individual AAA servers that are defined as part of a
AAA server group.

Modify > Objects > Access Control Lists - Standard/Extended. Allows
you to modify standard and extended ACL objects. Extended ACL objects are
used for a variety of policies, such as NAT and NAC, and for establishing
VPN access. Standard ACL objects are used for such policies as OSPF and
SNMP, as well as for establishing VPN access.

Modify > Objects > Access Control Lists - Web. Allows you to modify web
ACL objects. Web ACL objects are used to perform content filtering in SSL
VPN policies.

Modify > Objects > ASA User Groups. Allows you to modify ASA user group
objects. These objects are configured on ASA security appliances in
Easy VPN, remote access VPN, and SSL VPN configurations.

Modify > Objects > Categories. Allows you to modify category objects. These
objects help you easily identify rules and objects in rules tables through the
use of color.

Modify > Objects > Credentials. Allows you to modify credential objects.
These objects are used in Easy VPN configuration during IKE Extended
Authentication (Xauth).

Modify > Objects > FlexConfigs. Allows you to modify FlexConfig objects.
These objects, which contain configuration commands with additional
scripting language instructions, can be used to configure commands that are
not supported by the Security Manager user interface.

Modify > Objects > IKE Proposals. Allows you to modify IKE proposal
objects. These objects contain the parameters required for IKE proposals in
remote access VPN policies.

Modify > Objects > Inspect - Class Maps - DNS. Allows you to modify DNS
class map objects. These objects match DNS traffic with specific criteria so
that actions can be performed on that traffic.
Modify > Objects > Inspect - Class Maps - FTP. Allows you to modify FTP
class map objects. These objects match FTP traffic with specific criteria so
that actions can be performed on that traffic.

Modify > Objects > Inspect - Class Maps - HTTP. Allows you to modify
HTTP class map objects. These objects match HTTP traffic with specific
criteria so that actions can be performed on that traffic.

Modify > Objects > Inspect - Class Maps - IM. Allows you to modify IM class
map objects. These objects match IM traffic with specific criteria so that
actions can be performed on that traffic.

Modify > Objects > Inspect - Class Maps - SIP. Allows you to modify SIP
class map objects. These objects match SIP traffic with specific criteria so
that actions can be performed on that traffic.

Modify > Objects > Inspect - Policy Maps - DNS. Allows you to modify DNS
policy map objects. These objects are used to create inspection maps for DNS
traffic.

Modify > Objects > Inspect - Policy Maps - FTP. Allows you to modify FTP
policy map objects. These objects are used to create inspection maps for FTP
traffic.

Modify > Objects > Inspect - Policy Maps - GTP. Allows you to modify GTP
policy map objects. These objects are used to create inspection maps for GTP
traffic.

Modify > Objects > Inspect - Policy Maps - HTTP (ASA7.1.x/PIX7.1.x/IOS).
Allows you to modify HTTP policy map objects created for ASA/PIX 7.x
devices and IOS routers. These objects are used to create inspection maps
for HTTP traffic.

Modify > Objects > Inspect - Policy Maps - HTTP (ASA7.2/PIX7.2).
Allows you to modify HTTP policy map objects created for ASA 7.2/PIX 7.2
devices. These objects are used to create inspection maps for HTTP traffic.

Modify > Objects > Inspect - Policy Maps - IM (ASA7.2/PIX7.2). Allows
you to modify IM policy map objects created for ASA 7.2/PIX 7.2 devices.
These objects are used to create inspection maps for IM traffic.

Modify > Objects > Inspect - Policy Maps - IM (IOS). Allows you to modify
IM policy map objects created for IOS devices. These objects are used to
create inspection maps for IM traffic.

Modify > Objects > Inspect - Policy Maps - SIP. Allows you to modify SIP
policy map objects. These objects are used to create inspection maps for SIP
traffic.

Modify > Objects > Inspect - Regular Expressions. Allows you to modify
regular expression objects. These objects represent individual regular
expressions that are defined as part of a regular expression group.

Modify > Objects > Inspect - Regular Expressions Groups. Allows you to
modify regular expression group objects. These objects are used by certain
class maps and inspect maps to match text inside a packet.

Modify > Objects > Inspect - TCP Maps. Allows you to modify TCP map
objects. These objects customize inspection on TCP flow in both directions.

Modify > Objects > Interface Roles. Allows you to modify interface role
objects. These objects define naming patterns that can represent multiple
interfaces on different types of devices. Interface roles enable you to apply
policies to specific interfaces on multiple devices without having to manually
define the name of each interface.

Modify > Objects > IPsec Transform Sets. Allows you to modify IPsec
transform set objects. These objects comprise a combination of security
protocols, algorithms and other settings that specify exactly how the data in
the IPsec tunnel will be encrypted and authenticated.

Modify > Objects > LDAP Attribute Maps. Allows you to modify LDAP
attribute map objects. These objects are used to map custom (user-defined)
attribute names to Cisco LDAP attribute names.

Modify > Objects > Networks/Hosts. Allows you to modify network/host
objects. These objects are logical collections of IP addresses that represent
networks, hosts, or both. Network/host objects enable you to define policies
without specifying each network or host individually.

Modify > Objects > PKI Enrollments. Allows you to modify PKI enrollment
objects. These objects define the Certification Authority (CA) servers that
operate within a public key infrastructure.

Modify > Objects > Port Forwarding Lists. Allows you to modify port
forwarding list objects. These objects define the mappings of port numbers
on a remote client to the application's IP address and port behind an SSL VPN
gateway.

User Guide for Cisco Security Manager 3.1

2-20

OL-11501-03

Chapter 2

Performing Administrative Tasks


Setting Up User Permissions

Modify > Objects > Secure Desktop Configurations. Allows you to view
secure desktop configuration objects. These objects are reusable, named
components that can be referenced by SSL VPN policies to provide a reliable
means of eliminating all traces of sensitive data that is shared for the duration
of an SSL VPN session.

Modify > Objects > Services - Port Lists. Allows you to view port list
objects. These objects, which contain one or more ranges of port numbers, are
used to streamline the process of creating service objects.

Modify > Objects > Services/Service Groups. Allows you to view service
and service group objects. These objects are defined mappings of protocol
and port definitions that describe network services used by policies, such as
Kerberos, SSH, and POP3.

Modify > Objects > Single Sign On Servers. Allows you to view single sign
on server objects. Single Sign-On (SSO) lets SSL VPN users enter a
username and password once and be able to access multiple protected
services and web servers.

Modify > Objects > SLA Monitors. Allows you to view SLA monitor
objects. These objects are used by PIX/ASA security appliances running
version 7.2 or later to perform route tracking. This feature provides a method
to track the availability of a primary route and install a backup route if the
primary route fails.

Modify > Objects > SSL VPN Customizations. Allows you to view SSL
VPN customization objects. These objects define how to change the
appearance of SSL VPN pages that are displayed to users, such as
Login/Logout and Home pages.

Modify > Objects > SSL VPN Gateways. Allows you to view SSL VPN
gateway objects. These objects define parameters that enable the gateway to
be used as a proxy for connections to the protected resources in your
SSL VPN.

Modify > Objects > Style Objects. Allows you to view style objects. These
objects let you configure style elements, such as font characteristics and
colors, to customize the appearance of the SSL VPN page that appears to SSL
VPN users when they connect to the security appliance.

Modify > Objects > Text Objects. Allows you to view free-form text objects.
These objects comprise a name and value pair, where the value can be a single
string, a list of strings, or a table of strings.


Modify > Objects > Time Ranges. Allows you to view time range objects.
These objects are used when creating time-based ACLs and inspection rules.
They are also used when defining ASA user groups to restrict VPN access to
specific times during the week.

Modify > Objects > Traffic Flows. Allows you to view traffic flow objects.
These objects define specific traffic flows for use by PIX 7.x/ASA 7.x
devices.

Modify > Objects > URL Lists. Allows you to view URL list objects. These
objects define the URLs that are displayed on the portal page after a
successful login. This enables users to access the resources available on
SSL VPN websites when operating in Clientless access mode.

Modify > Objects > User Groups. Allows you to view user group objects.
These objects define groups of remote clients that are used in Easy VPN
topologies, remote access VPNs, and SSL VPNs.

Modify > Objects > WINS Server Lists. Allows you to view WINS server
list objects. These objects represent WINS servers, which are used by
SSL VPN to access or share files on remote systems.

Modify > Objects > Internal - DN Rules. Allows you to view the DN rules
used by DN policies. This is an internal object used by Security Manager that
does not appear in the Policy Object Manager.

Modify > Objects > Internal - Client Updates. This is an internal object
required by user group objects that does not appear in the Policy Object
Manager.

Modify > Objects > Internal - Standard ACE. This is an internal object for
standard access control entries, which are used by ACL objects.

Modify > Objects > Internal - Extended ACE. This is an internal object for
extended access control entries, which are used by ACL objects.

Note: Users can modify an object even if they do not have modify permissions for all
the devices that use the object. Because a shared object is referenced by the
policies of every device that uses it, a change to the object affects those devices
as well. See NDGs and User Permissions, page 2-44.

Related Topics

Modify Permissions, page 2-14


Additional Modify Permissions


Security Manager includes the following additional modify permissions:

Modify > Admin. Allows you to modify Security Manager administrative
settings.

Modify > Config Archive. Allows you to modify the device configuration in
the Configuration Archive. In addition, it allows you to add configurations to
the archive and customize the Configuration Archive tool.

Modify > Devices. Allows you to add and delete devices, as well as modify
device properties and attributes. To discover the policies on the device being
added, you must also enable the Import permission. In addition, if you enable
the Modify > Devices permission, make sure that you also enable the Assign
> Policies > Interfaces permission.

Note: You can limit device permissions to particular sets of devices by
configuring network device groups (NDGs) on a Cisco Secure ACS. See
Configuring Network Device Groups for Use in Security Manager,
page 2-43.

Modify > Hierarchy. Allows you to modify device groups.

Modify > Topology. Allows you to modify maps in Map view.

Related Topics

Modify Permissions, page 2-14

Assign Permissions
Security Manager includes the following policy assignment permissions:

Assign > Policies > Firewall. Allows you to assign firewall service policies
(located in the Policy selector under Firewall) to PIX/ASA/FWSM devices,
IOS routers, and Catalyst 6500/7600 devices. Examples of firewall service
policies include access rules, AAA rules, and inspection rules.

Assign > Policies > Intrusion Prevention System. Allows you to assign IPS
policies (located in the Policy selector under IPS), including policies for IPS
running on IOS routers.


Assign > Policies > Image. This permission is currently not used by Security
Manager.

Assign > Policies > NAT. Allows you to assign network address translation
policies to PIX/ASA/FWSM devices and IOS routers. Examples of NAT
policies include static rules and dynamic rules.

Assign > Policies > Site-to-Site VPN. Allows you to assign site-to-site VPN
policies to PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600
devices. Examples of site-to-site VPN policies include IKE proposals, IPsec
proposals, and preshared keys.

Assign > Policies > Remote Access VPN. Allows you to assign remote
access VPN policies to PIX/ASA/FWSM devices, IOS routers, and
Catalyst 6500/7600 devices. Examples of remote access VPN policies
include IKE proposals, IPsec proposals, and PKI policies.

Assign > Policies > SSL VPN. Allows you to assign SSL VPN policies to
PIX/ASA/FWSM devices and IOS routers, such as the SSL VPN wizard.

Assign > Policies > Interfaces. Allows you to assign interface policies
(located in the Policy selector under Interfaces) to PIX/ASA/FWSM devices,
IOS routers, and Catalyst 6500/7600 devices:
On PIX/ASA/FWSM devices, this permission covers hardware ports and
interface settings.
On IOS routers, this permission covers basic and advanced interface
settings, as well as other interface-related policies, such as DSL, PVC,
PPP, and dialer policies.
On Catalyst 6500/7600 devices, this permission covers interfaces and
VLAN settings.

Assign > Policies > Bridging. Allows you to assign ARP table policies
(located in the Policy selector under Platform > Bridging) to
PIX/ASA/FWSM devices.

Assign > Policies > Device Administration. Allows you to assign device
administration policies (located in the Policy selector under Platform >
Device Admin) to PIX/ASA/FWSM devices, IOS routers, and
Catalyst 6500/7600 devices:
On PIX/ASA/FWSM devices, examples include device access policies,
server access policies, and failover policies.
On IOS routers, examples include device access (including line access)
policies, server access policies, AAA, and Secure Device Provisioning.
On IPS sensors, this permission covers device access policies and server
access policies.
On Catalyst 6500/7600 devices, this permission covers IDSM settings
and VLAN access lists.

Assign > Policies > Identity. Allows you to assign identity policies (located
in the Policy selector under Platform > Identity) to Cisco IOS routers,
including 802.1x and Network Admission Control (NAC) policies.

Assign > Policies > Logging. Allows you to assign logging policies (located
in the Policy selector under Platform > Logging) to PIX/ASA/FWSM devices
and IOS routers. Examples of logging policies include logging setup, server
setup, and syslog server policies.

Assign > Policies > Multicast. Allows you to assign multicast policies
(located in the Policy selector under Platform > Multicast) to
PIX/ASA/FWSM devices. Examples of multicast policies include multicast
routing and IGMP policies.

Assign > Policies > QoS. Allows you to assign QoS policies (located in the
Policy selector under Platform > Quality of Service) to Cisco IOS routers.

Assign > Policies > Routing. Allows you to assign routing policies (located
in the Policy selector under Platform > Routing) to PIX/ASA/FWSM devices
and IOS routers. Examples of routing policies include OSPF, RIP, and static
routing policies.

Assign > Policies > Security. Allows you to assign security policies (located
in the Policy selector under Platform > Security) to PIX/ASA/FWSM
devices. Security policies include anti-spoofing, fragment, and timeout
settings.

Assign > Policies > Service Policy Rules. Allows you to assign service
policy rule policies (located in the Policy selector under Platform > Service
Policy Rules) to PIX 7.x/ASA devices. Examples include priority queues and
IPS, QoS, and connection rules.

Assign > Policies > User Preferences. Allows you to assign the Deployment
policy (located in the Policy selector under Platform > User Preferences) to
PIX/ASA/FWSM devices. This policy contains an option for clearing all NAT
translations on deployment.


Assign > Policies > Virtual Device. Allows you to assign virtual sensor
policies to IPS devices. Use this policy to create virtual sensors.

Assign > Policies > FlexConfig. Allows you to assign FlexConfigs, which
are additional CLI commands and instructions that can be deployed to
PIX/ASA/FWSM devices, IOS routers, and Catalyst 6500/7600 devices.

Note: When you specify assign permissions, make sure that you have selected the
corresponding view permissions as well.

Note: Policy permissions are affected when authentication is performed by a
Cisco Secure ACS on which network device groups (NDGs) are defined. See
NDGs and User Permissions, page 2-44.

Related Topics

Customizing Cisco Secure ACS Roles, page 2-31

Default Associations Between Permissions and Roles in Security Manager,


page 2-32

Security Manager Permissions, page 2-4

Approve Permissions
Security Manager provides the following approve permissions:

Approve > CLI. Allows you to approve the CLI command changes contained
in a deployment job.

Approve > Policy. Allows you to approve the configuration changes
contained in the policies that were configured in a workflow activity.

Related Topics

Customizing Cisco Secure ACS Roles, page 2-31

Default Associations Between Permissions and Roles in Security Manager,


page 2-32

Security Manager Permissions, page 2-4


Understanding CiscoWorks Roles


When users are created in CiscoWorks Common Services, they are assigned one
or more roles. The permissions associated with each role determine the operations
that each user is authorized to perform in Security Manager.
The following topics describe CiscoWorks roles:

CiscoWorks Common Services Default Roles, page 2-27

Assigning Roles to Users in CiscoWorks Common Services, page 2-28

Related Topics

Understanding Cisco Secure ACS Roles, page 2-29

Setting Up User Permissions, page 2-3

CiscoWorks Common Services Default Roles


CiscoWorks Common Services contains the following default roles:

Help Desk: Help desk users can view (but not modify) devices, policies,
objects, and topology maps.

Network Operator: In addition to view permissions, network operators can
view CLI commands and Security Manager administrative settings. Network
operators can also modify the configuration archive and issue commands
(such as ping) to devices.

Approver: In addition to view permissions, approvers can approve or reject
deployment jobs. They cannot perform deployment.

Network Administrator: Network administrators have complete view and
modify permissions, except for modifying administrative settings. They can
discover devices and the policies configured on these devices, assign policies
to devices, and issue commands to devices. Network administrators cannot
approve activities or deployment jobs; however, they can deploy jobs that
were approved by others.

Note: Cisco Secure ACS features a default role called Network Administrator
that contains a different set of permissions. For more information, see
Understanding Cisco Secure ACS Roles, page 2-29.


System Administrator: System administrators have complete access to all
Security Manager permissions, including modification, policy assignment,
activity and job approval, discovery, deployment, and issuing commands to
devices.

See Table 2-1 on page 2-33 for details about which Security Manager permissions
are associated with each CiscoWorks role.

Note: Additional roles, such as export data, might be displayed in Common Services if
additional applications are installed on the server. The export data role is for
third-party developers and is not used by Security Manager.

Although you cannot change the definition of CiscoWorks roles, you can
define which roles are assigned to each user. For more information, see
Assigning Roles to Users in CiscoWorks Common Services, page 2-28.

Tip: You can generate a permissions table in CiscoWorks by selecting Server >
Reports > Permission Report, then clicking Generate Report.

Related Topics

Understanding CiscoWorks Roles, page 2-27

Assigning Roles to Users in CiscoWorks Common Services


CiscoWorks Common Services enables you to define which roles are assigned to
each user. By changing the roles assigned to a user, you change the types of
operations this user is authorized to perform in Security Manager. For example, if
you assign the Help Desk role, the user is limited to view operations and cannot
modify any data. However, if you assign the Network Operator role, the user is
also able to modify the configuration archive. You can assign multiple roles to
each user.

Note

You must restart Security Manager after making changes to user permissions.


Procedure

Step 1  In Common Services, select Server > Security, then select Single-Server Trust
Management > Local User Setup from the TOC.

Tip: To reach the Local User Setup page from within Security Manager, select
Tools > Security Manager Administration > Server Security, then
click Local User Setup.

Step 2  Select the check box next to an existing user, then click Edit.

Step 3  On the User Information page, select the roles to assign to this user by clicking
the check boxes.

Note: For more information about each role, see CiscoWorks Common Services
Default Roles, page 2-27.

Step 4  Click OK to save your changes.

Step 5  Restart Security Manager.

Related Topics

Security Manager Permissions, page 2-4

Default Permission to Role Associations in Security Manager, page 2-33

Understanding CiscoWorks Roles, page 2-27

Understanding Cisco Secure ACS Roles


Cisco Secure ACS provides greater flexibility for managing Security Manager
permissions than does CiscoWorks because it supports application-specific roles
that you can configure. Each role is made up of a set of permissions that determine
the level of authorization to Security Manager tasks. In Cisco Secure ACS, you
assign a role to each user group (and optionally, to individual users as well), which
enables each user in that group to perform the operations authorized by the
permissions defined for that role.
In addition, you can assign these roles to Cisco Secure ACS device groups,
allowing permissions to be differentiated on different sets of devices.

Note: Cisco Secure ACS device groups are independent of Security Manager device
groups.

The following topics describe Cisco Secure ACS roles:

Cisco Secure ACS Default Roles, page 2-30

Customizing Cisco Secure ACS Roles, page 2-31

Related Topics

Understanding CiscoWorks Roles, page 2-27

Cisco Secure ACS Default Roles


Cisco Secure ACS includes the same roles as CiscoWorks (see Understanding
CiscoWorks Roles, page 2-27), plus these additional roles:

Security Approver: Security approvers can view (but not modify) devices,
policies, objects, maps, CLI commands, and administrative settings. In
addition, security approvers can approve or reject the configuration changes
contained in an activity. They cannot approve or reject the deployment job,
nor can they perform deployment.

Security Administrator: In addition to having view permissions, security
administrators can modify devices, device groups, policies, objects, and
topology maps. They can also assign policies to devices and VPN topologies,
and perform discovery to import new devices into the system.

Network Administrator: In addition to view permissions, network
administrators can modify the configuration archive, perform deployment,
and issue commands to devices.


Note: The permissions contained in the Cisco Secure ACS network
administrator role are different from those contained in the CiscoWorks
network administrator role. For more information, see Understanding
CiscoWorks Roles, page 2-27.

Unlike CiscoWorks, Cisco Secure ACS enables you to customize the permissions
associated with each Security Manager role. For more information about
modifying the default roles, see Customizing Cisco Secure ACS Roles,
page 2-31.
See Table 2-1 on page 2-33 for details about which Security Manager permissions
are associated with each Cisco Secure ACS role.

Note: Cisco Secure ACS 3.3 or later must be installed for Security Manager
authorization.

Related Topics

Integrating Security Manager with Cisco Secure ACS, page 2-34

Default Associations Between Permissions and Roles in Security Manager,


page 2-32

Setting Up User Permissions, page 2-3

Customizing Cisco Secure ACS Roles


Cisco Secure ACS enables you to modify the permissions associated with each
Security Manager role. You can also customize Cisco Secure ACS by creating
specialized user roles with permissions that are targeted to particular Security
Manager tasks.

Note: You must restart Security Manager after making changes to user permissions.

Procedure

Step 1  In Cisco Secure ACS, click Shared Profile Components on the navigation bar.

Step 2  Click Cisco Security Manager on the Shared Components page. The roles that
are configured for Security Manager are displayed.

Step 3  Do one of the following:
To create a role, click Add. Go to Step 4.
To modify an existing role, click the role. Go to Step 5.

Step 4  Enter a name for the role and, optionally, a description.

Step 5  Select and deselect the check boxes in the permissions tree to define the
permissions for this role.
Selecting the check box for a branch of the tree selects all permissions in that
branch. For example, selecting Assign selects all the assign permissions.
For a complete list of Security Manager permissions, see Security Manager
Permissions, page 2-4.

Note: When you select modify, approve, assign, import, control or deploy
permissions, you must also select the corresponding view permissions;
otherwise, Security Manager will not function properly.

Step 6  Click Submit to save your changes.

Step 7  Restart Security Manager.

Related Topics

Security Manager Permissions, page 2-4

Default Permission to Role Associations in Security Manager, page 2-33

Understanding Cisco Secure ACS Roles, page 2-29

Default Associations Between Permissions and Roles in Security Manager
Table 2-1 shows how Security Manager permissions are associated with
CiscoWorks Common Services roles and the default roles in Cisco Secure ACS.


Table 2-1   Default Permission to Role Associations in Security Manager

Permissions             SysAdm  SecAdm  SecApp  NetAdm  NetAdm  Apprvr  NetOp   HelpDsk
                                (ACS)   (ACS)   (CW)    (ACS)

View Permissions
View Device             Yes     Yes     Yes     Yes     Yes     Yes     Yes     Yes
View Policy             Yes     Yes     Yes     Yes     Yes     Yes     Yes     Yes
View Objects            Yes     Yes     Yes     Yes     Yes     Yes     Yes     Yes
View Topology           Yes     Yes     Yes     Yes     Yes     Yes     Yes     Yes
View CLI                Yes     Yes     Yes     Yes     Yes     Yes     Yes     No
View Admin              Yes     Yes     Yes     Yes     Yes     Yes     Yes     No
View Config Archive     Yes     Yes     Yes     Yes     Yes     Yes     Yes     Yes
View Device Managers    Yes     Yes     Yes     Yes     Yes     Yes     Yes     No

Modify Permissions
Modify Device           Yes     Yes     No      Yes     No      No      No      No
Modify Hierarchy        Yes     Yes     No      Yes     No      No      No      No
Modify Policy           Yes     Yes     No      Yes     No      No      No      No
Modify Image            Yes     Yes     No      Yes     No      No      No      No
Modify Objects          Yes     Yes     No      Yes     No      No      No      No
Modify Topology         Yes     Yes     No      Yes     No      No      No      No
Modify Admin            Yes     No      No      No      No      No      No      No
Modify Config Archive   Yes     Yes     No      Yes     Yes     No      Yes     No

Additional Permissions
Assign Policy           Yes     Yes     No      Yes     No      No      No      No
Approve Policy          Yes     No      Yes     No      No      No      No      No
Approve CLI             Yes     No      No      No      No      Yes     No      No
Discover (Import)       Yes     Yes     No      Yes     No      No      No      No
Deploy                  Yes     No      No      Yes     Yes     No      No      No
Control                 Yes     No      No      Yes     Yes     No      Yes     No
Submit                  Yes     Yes     No      Yes     No      No      No      No

Column key: SysAdm = System Administrator; SecAdm (ACS) = Security Administrator
(Cisco Secure ACS only); SecApp (ACS) = Security Approver (Cisco Secure ACS only);
NetAdm (CW) = Network Administrator (CiscoWorks); NetAdm (ACS) = Network
Administrator (Cisco Secure ACS); Apprvr = Approver; NetOp = Network Operator;
HelpDsk = Help Desk.
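Two dependency rules in this chapter are easy to violate when building a custom role in Cisco Secure ACS: modify, approve, assign, import, control and deploy permissions need their corresponding view permissions (see Customizing Cisco Secure ACS Roles), and Modify > Devices should be paired with Assign > Policies > Interfaces and, if added devices are to be discovered, with Import. The following Python is an added example, not Cisco code: it transcribes the Table 2-1 defaults, checks a proposed role against those rules, and picks the least-privileged default role that covers a given task. The exact view permission each non-view permission depends on (REQUIRED_VIEW) is not listed on this page and is an assumption here.

```python
"""Check Security Manager role definitions against the dependency rules in this
chapter.  Added example, not Cisco code: Table 2-1 is transcribed, REQUIRED_VIEW
and the Modify > Device checks are our reading of the text."""

VIEW_PERMS = [
    "View > Device", "View > Policy", "View > Objects", "View > Topology",
    "View > CLI", "View > Admin", "View > Config Archive",
    "View > Device Managers",
]
OTHER_PERMS = [
    "Modify > Device", "Modify > Hierarchy", "Modify > Policy", "Modify > Image",
    "Modify > Objects", "Modify > Topology", "Modify > Admin",
    "Modify > Config Archive", "Assign > Policy", "Approve > Policy",
    "Approve > CLI", "Discover", "Deploy", "Control", "Submit",
]
ALL_PERMS = frozenset(VIEW_PERMS + OTHER_PERMS)

# Table 2-1 columns, left to right.  Each row below is one Y/N flag per column.
ROLE_NAMES = ["System Admin", "Security Admin (ACS)", "Security Approver (ACS)",
              "Network Admin (CW)", "Network Admin (ACS)", "Approver",
              "Network Operator", "Help Desk"]
_TABLE = {
    "View > Device": "YYYYYYYY", "View > Policy": "YYYYYYYY",
    "View > Objects": "YYYYYYYY", "View > Topology": "YYYYYYYY",
    "View > CLI": "YYYYYYYN", "View > Admin": "YYYYYYYN",
    "View > Config Archive": "YYYYYYYY", "View > Device Managers": "YYYYYYYN",
    "Modify > Device": "YYNYNNNN", "Modify > Hierarchy": "YYNYNNNN",
    "Modify > Policy": "YYNYNNNN", "Modify > Image": "YYNYNNNN",
    "Modify > Objects": "YYNYNNNN", "Modify > Topology": "YYNYNNNN",
    "Modify > Admin": "YNNNNNNN", "Modify > Config Archive": "YYNYYNYN",
    "Assign > Policy": "YYNYNNNN", "Approve > Policy": "YNYNNNNN",
    "Approve > CLI": "YNNNNYNN", "Discover": "YYNYNNNN",
    "Deploy": "YNNYYNNN", "Control": "YNNYYNYN", "Submit": "YYNYNNNN",
}
DEFAULT_ROLES = {
    name: frozenset(p for p, flags in _TABLE.items() if flags[i] == "Y")
    for i, name in enumerate(ROLE_NAMES)
}

# View permission(s) each non-view permission depends on.  The chapter only says
# "the corresponding view permissions"; this pairing is an assumption.
REQUIRED_VIEW = {
    "Modify > Device": {"View > Device"}, "Modify > Hierarchy": {"View > Device"},
    "Modify > Policy": {"View > Policy"}, "Modify > Image": {"View > Policy"},
    "Modify > Objects": {"View > Objects"}, "Modify > Topology": {"View > Topology"},
    "Modify > Admin": {"View > Admin"},
    "Modify > Config Archive": {"View > Config Archive"},
    "Assign > Policy": {"View > Device", "View > Policy"},
    "Approve > Policy": {"View > Policy"}, "Approve > CLI": {"View > CLI"},
    "Discover": {"View > Device", "View > Policy"},
    "Deploy": {"View > Device"}, "Control": {"View > Device"},
    "Submit": {"View > Policy"},
}


def validate_role(perms):
    """Return (errors, warnings) for a role given as a set of permission names."""
    errors, warnings = [], []
    for p in sorted(perms):
        if p not in ALL_PERMS:
            errors.append(f"unknown permission {p!r}")
            continue
        for v in sorted(REQUIRED_VIEW.get(p, ())):
            if v not in perms:  # missing view permission: Security Manager misbehaves
                errors.append(f"{p} requires {v}")
    if "Modify > Device" in perms:
        # Modify > Devices must be paired with Assign > Policies > Interfaces;
        # in the coarser Table 2-1 model that is Assign > Policy.
        if "Assign > Policy" not in perms:
            errors.append("Modify > Device requires Assign > Policy (interfaces)")
        if "Discover" not in perms:  # only needed if added devices are to be discovered
            warnings.append("Modify > Device without Discover: added devices "
                            "cannot have their policies discovered")
    return errors, warnings


def least_privileged_roles(needed, roles=DEFAULT_ROLES):
    """Default roles that cover every permission in `needed`, fewest permissions first."""
    needed = set(needed)
    fitting = [name for name, perms in roles.items() if needed <= perms]
    return sorted(fitting, key=lambda name: (len(roles[name]), name))


if __name__ == "__main__":
    for name, perms in DEFAULT_ROLES.items():
        ok = validate_role(perms) == ([], [])
        print(f"{name:25s} {len(perms):2d} permissions, valid={ok}")
    # A custom "deployer" role a practitioner might build in ACS (hypothetical):
    deployer = set(VIEW_PERMS) | {"Deploy", "Modify > Device"}
    print("deployer:", validate_role(deployer))
    print("least privilege for Approve > CLI:", least_privileged_roles({"Approve > CLI"}))
```

Every default role in Table 2-1 passes the check, which is a useful sanity test of the transcription; the hypothetical deployer role fails because it adds Modify > Device without Assign > Policy. The least-privilege lookup returns Approver, not System Admin, for a user whose only job is CLI approval.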

Related Topics

Security Manager Permissions, page 2-4

Setting Up User Permissions, page 2-3

Integrating Security Manager with Cisco Secure ACS
This section describes how to integrate your Cisco Secure ACS with Cisco
Security Manager.
Cisco Secure ACS provides command authorization for users who are using
management applications, such as Security Manager, to configure managed
network devices. Support for command authorization is provided by unique
command authorization set types (called roles in Security Manager) that contain
a set of permissions. These permissions (also called privileges) determine the
actions that users with particular roles can perform within Security Manager.
Cisco Secure ACS uses TACACS+ to communicate with management
applications. For Security Manager to communicate with Cisco Secure ACS, you
must configure the CiscoWorks server in Cisco Secure ACS as a AAA client that
uses TACACS+. In addition, you must provide the CiscoWorks server with the
administrator name and password that you use to log in to the Cisco Secure ACS.
Fulfilling these requirements ensures the validity of communications between
Security Manager and Cisco Secure ACS.

Note: For an understanding of TACACS+ security advantages, see User Guide for
Cisco Secure ACS.

When Security Manager first communicates with Cisco Secure ACS, it instructs
Cisco Secure ACS to create the default roles, which appear in the Shared
Profile Components section of the Cisco Secure ACS HTML interface. It also
registers a custom service to be authorized by TACACS+. This custom service
appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section
of the HTML interface. You can then modify the permissions included in each
Security Manager role and apply these roles to users and user groups.
Related Topics

ACS Integration Requirements, page 2-35

Checklist for Initial Cisco Secure ACS Setup, page 2-37

ACS Integration Requirements

To use Cisco Secure ACS, make sure that:

You defined roles that include the commands required to perform necessary
functions in Security Manager.

The Network Access Restriction (NAR) includes the device group (or the
devices) that you want to administer, if you apply a NAR to the profile.

Managed device names are spelled and capitalized identically in
Cisco Secure ACS and in Security Manager.

Tip: We highly recommend that you create a fault-tolerant infrastructure that utilizes
multiple Cisco Secure ACS servers. Having multiple servers helps to ensure your
ability to continue work in Security Manager even if connectivity is lost to one of
the ACS servers.


Note: You can integrate only one version of Security Manager with a Cisco Secure
ACS. Therefore, if your organization is using two different versions of
Security Manager at the same time, you must perform integration with two
different Cisco Secure ACS servers. You can, however, upgrade to a new
version of Security Manager without having to use a different ACS.

Note: Even when Cisco Secure ACS authentication is used, CiscoWorks Common
Services software uses local authorization for CiscoWorks Common
Services-specific utilities, such as Compact Database and Database
Checkpoint. To use these utilities, you must be defined locally and be
assigned the appropriate permissions.
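The requirement above that managed device names be spelled and capitalized identically in Cisco Secure ACS and in Security Manager is easy to break during bulk entry, and a mismatch means ACS treats the device as unknown and authorization for it fails. The following Python is an added example, not Cisco code: it compares a list of ACS AAA-client names with the Security Manager inventory and reports names that differ only by case or surrounding whitespace separately from names missing on one side. The two inventories in it are constructed sample data, not exports from either product.

```python
"""Compare managed device names between the Cisco Secure ACS AAA-client list
and the Security Manager inventory.  Added example, not Cisco code; the two
lists are constructed sample data, not exports from either product."""

from collections import defaultdict

# Constructed sample inventories (assumption: names as typed into each
# product's UI).  Two entries differ only in letter case or trailing space.
SAMPLE_ACS_CLIENTS = ["fw-dc1-asa", "RTR-Branch-01", "fwsm-core", "ips-edge"]
SAMPLE_CSM_DEVICES = ["fw-dc1-asa", "rtr-branch-01", "fwsm-core ", "ips-edge",
                      "vpn-hub"]


def _key(name):
    """Normalization used only to *find* near misses; the products compare exactly."""
    return name.strip().casefold()


def _index(names):
    """Group the distinct names on one side by their normalized form."""
    by_key = defaultdict(list)
    for n in set(names):
        by_key[_key(n)].append(n)
    return by_key


def compare_device_names(acs_names, csm_names):
    """Classify every device name as an exact match, a near miss (same name apart
    from case or surrounding whitespace, which ACS still treats as a different
    device), or present on one side only."""
    acs_idx, csm_idx = _index(acs_names), _index(csm_names)
    report = {"exact": [], "near_miss": [], "only_acs": [], "only_csm": []}
    for k in sorted(acs_idx.keys() | csm_idx.keys()):
        a, c = sorted(acs_idx.get(k, [])), sorted(csm_idx.get(k, []))
        if not c:
            report["only_acs"].extend(a)
        elif not a:
            report["only_csm"].extend(c)
        elif a == c and len(a) == 1:
            report["exact"].append(a[0])
        else:
            # Same name after normalization but not byte-identical on both
            # sides (or ambiguous duplicates on one side): fix before relying
            # on ACS authorization for this device.
            report["near_miss"].append((a, c))
    return report


def is_consistent(report):
    """True only when every name exists, spelled identically, on both sides."""
    return not (report["near_miss"] or report["only_acs"] or report["only_csm"])


if __name__ == "__main__":
    r = compare_device_names(SAMPLE_ACS_CLIENTS, SAMPLE_CSM_DEVICES)
    for kind, items in r.items():
        print(f"{kind:10s} {items}")
    print("consistent:", is_consistent(r))
```

Run against the sample data, the report lists two near misses (a router whose name differs only in case and a FWSM with a trailing space on the Security Manager side) and one device that exists only in Security Manager, and is_consistent returns False until all three are corrected.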

Related Topics

Checklist for Initial Cisco Secure ACS Setup, page 2-37

Integrating Security Manager with Cisco Secure ACS, page 2-34


Checklist for Initial Cisco Secure ACS Setup


This checklist describes the steps required to integrate Security Manager with
Cisco Secure ACS. Each step might contain several substeps; steps and substeps
should be performed in order. The checklist contains references to specific
procedures used to perform each step.

Integration Task

Step 1  Plan your administrative authentication and authorization model.
You should decide on your administrative model before using Security Manager. This
includes defining the administrative roles and accounts that you plan to use.

Tip: When defining the roles and permissions of potential administrators, you should also
consider whether or not to enable Workflow. This selection affects how you can
restrict access.

For more information, see:
Understanding Cisco Secure ACS Roles, page 2-29
Selecting a Workflow Mode, page 2-56
User Guide for Cisco Secure ACS for Windows Server

Step 2  Install Cisco Secure ACS, Cisco Security Manager, and CiscoWorks Common Services.
Install Cisco Secure ACS version 3.3 or later on a Windows 2000/2003 server. Install
CiscoWorks Common Services and Cisco Security Manager on a different
Windows 2000/Windows 2003 server.
For more information, see:
Installation Guide for Cisco Security Manager 3.0.1
Installation Guide for Cisco Secure ACS for Windows Server

Step 3  Perform integration procedures in Cisco Secure ACS.
Define Security Manager users as ACS users and assign them to user groups based on their
planned role, add all your managed devices (as well as the CiscoWorks/Security Manager
server) as AAA clients, and create an administration control user.
For more information, see Integration Procedures Performed in Cisco Secure ACS, page 2-38.

Step 4  Perform integration procedures in CiscoWorks Common Services.
Configure a local user that matches the administrator defined in Cisco Secure ACS, define
that same user for the system identity setup, and configure ACS as the AAA setup mode.
For more information, see Integration Procedures Performed in CiscoWorks, page 2-47.

Step 5  Restart the Daemon Manager.
You must restart the Security Manager server Daemon Manager for the AAA settings you
configured to take effect.
For more information, see Restarting the Daemon Manager, page 2-51.

Step 6  Assign roles to user groups in Cisco Secure ACS.
Assign roles to each user group configured in Cisco Secure ACS. The procedure you should
use depends on whether you have configured network device groups (NDGs).
For more information, see Assigning Roles to User Groups in Cisco Secure ACS, page 2-52.

Related Topics

ACS Integration Requirements, page 2-35

Integrating Security Manager with Cisco Secure ACS, page 2-34

Integration Procedures Performed in Cisco Secure ACS


The following topics describe the procedures to perform in Cisco Secure ACS in
order when integrating it with Cisco Security Manager:

Defining Users and User Groups in Cisco Secure ACS, page 2-39

Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 2-41

Creating an Administration Control User in Cisco Secure ACS, page 2-47

For more information about the procedures described in these sections, see User
Guide for Cisco Secure ACS for Windows Server.
Related Topics

ACS Integration Requirements, page 2-35

Integration Procedures Performed in CiscoWorks, page 2-47

Integrating Security Manager with Cisco Secure ACS, page 2-34


Defining Users and User Groups in Cisco Secure ACS


All users of Security Manager must be defined in Cisco Secure ACS and assigned
a role appropriate to their job function. The easiest way to do this is to divide the
users into different groups based on each default role available in ACS, for
example, assigning all the system administrators to one group, all the network
operators to another group, and so on. For more information about the default
roles in ACS, see Cisco Secure ACS Default Roles, page 2-30.
In addition, you must create an additional user that is assigned the system
administrator role with full permissions. The credentials established for this user
are later used on the System Identity Setup page in CiscoWorks. See Defining the
System Identity User, page 2-49.
Please note that at this stage you are merely assigning users to different groups.
The actual assignment of roles to these groups is performed later, after
CiscoWorks, Security Manager, and any other applications have been registered
to Cisco Secure ACS.
Before You Begin

Install CiscoWorks Common Services and Cisco Security Manager on one
Windows 2000/2003 server. Install Cisco Secure ACS on a different
Windows 2000/2003 server.

Procedure
Step 1

Log in to Cisco Secure ACS.

Step 2

Configure a user with full permissions:


a.

Click User Setup on the navigation bar.

b.

On the User Setup page, enter a name for the new user, then click Add/Edit.

c.

Select an authentication method from the Password Authentication list under
User Setup.

d.

Enter and confirm the password for the new user.

e.

Select Group 1 as the group to which the user should be assigned.

f.

Click Submit to create the user account.


Note

For more information about the options available when configuring users
and user groups, see User Guide for Cisco Secure ACS.

Step 3

Repeat step 2 for each Security Manager user. We recommend dividing the users
into groups based on the role each user will be assigned:

Group 1: System Administrators

Group 2: Security Administrators

Group 3: Security Approvers

Group 4: Network Administrators

Group 5: Approvers

Group 6: Network Operators

Group 7: Help Desk

For more information about the default permissions associated with each role, see
Table 2-1 on page 2-33. For more information about customizing user roles, see
Customizing Cisco Secure ACS Roles, page 2-31.

Note

At this stage, the groups themselves are collections of users without any
role definitions. You will assign roles to each group after completing the
integration process. See Assigning Roles to User Groups in Cisco Secure
ACS, page 2-52.

Step 4

Create an additional user and assign this user to the system administrators group.
The credentials established for this user are later used on the System Identity
Setup page in CiscoWorks. See Defining the System Identity User, page 2-49.

Step 5

Continue with Adding Managed Devices as AAA Clients in Cisco Secure ACS,
page 2-41.

Related Topics

Integration Procedures Performed in Cisco Secure ACS, page 2-38

Checklist for Initial Cisco Secure ACS Setup, page 2-37


Adding Managed Devices as AAA Clients in Cisco Secure ACS


Before you can begin importing devices into Security Manager, you must first
configure each device as a AAA client in your Cisco Secure ACS. In addition, you
must configure the CiscoWorks/Security Manager server as a AAA client.
If Security Manager is managing security contexts configured on firewall devices,
including security contexts configured on FWSMs for Catalyst 6500/7600
devices, each context must be added individually to Cisco Secure ACS.
The method for adding managed devices depends on whether you want to restrict
users to managing a particular set of devices by creating network device groups
(NDGs). Proceed as follows:

If you want users to have access to all devices, add the devices as described
in Adding Devices as AAA Clients Without NDGs, page 2-41.

If you want users to have access only to certain NDGs, add the devices as
described in Configuring Network Device Groups for Use in Security
Manager, page 2-43.

Adding Devices as AAA Clients Without NDGs


This procedure describes how to add devices as AAA clients of a Cisco Secure
ACS. For complete information about all available options, see User Guide for
Cisco Secure ACS.

Note

Remember to add the CiscoWorks/Security Manager server as a AAA client.


Procedure

Step 1

Click Network Configuration on the Cisco Secure ACS navigation bar.

Step 2

Click Add Entry beneath the AAA Clients table.

Step 3

Enter the AAA client hostname (up to 32 characters) on the Add AAA Client
page. The hostname of the AAA client must match the display name you plan to
use for the device in Security Manager.
For example, if you intend to append a domain name to the device name in
Security Manager, the AAA client hostname in ACS must be
<device_name>.<domain_name>.


When naming the CiscoWorks server, we recommend using the fully-qualified
hostname. Be sure to spell the hostname correctly (it is not case-sensitive).
Additional naming conventions include:

PIX/ASA 7.0 security context: <parent_display_name>_<context_name>

FWSM blade: <chassis_name>_FW_<slot_number>

FWSM security context:
<chassis_name>_FW_<slot_number>_<context_name>

IPS sensor: <IPSParentName>_<virtualSensorName>

Step 4

Enter the IP address of the network device in the AAA Client IP Address field. If
the device does not have an IP address (for example, a virtual sensor or a virtual
context), enter the word dynamic instead of an address.

Note

If you are adding a multihomed device (a device with multiple NICs),
enter the IP address of each NIC. Press Enter between each address. In
addition, you must modify the gatekeeper.cfg file on the Security
Manager server. For more information, see the chapter on
post-installation server tasks in the Installation Guide for Cisco Security
Manager.

Step 5

Enter the shared secret in the Key field.

Step 6

Select TACACS+ (Cisco IOS) from the Authenticate Using list.

Step 7

Click Submit to save your changes. The device you added is displayed in the
AAA Clients table.

Step 8

Repeat Steps 1 through 7 to add additional devices.

Step 9

To save the devices you have added, click Submit + Restart.

Step 10

Continue with Creating an Administration Control User in Cisco Secure ACS,
page 2-47.

Related Topics

Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 2-41

Integration Procedures Performed in Cisco Secure ACS, page 2-38

Checklist for Initial Cisco Secure ACS Setup, page 2-37


Configuring Network Device Groups for Use in Security Manager


Cisco Secure ACS enables you to configure network device groups (NDGs) that
contain specific devices to be managed. For example, you can create NDGs for
each geographic region or NDGs that match your organizational structure. When
used with Security Manager, NDGs enable you to provide users with different
levels of permissions, depending on the devices they need to manage. For
example, by using NDGs you can assign User A system administrator permissions
to the devices located in Europe and Help Desk permissions to the devices located
in Asia. You can then assign the opposite permissions to User B.
NDGs are not assigned directly to users. Rather, NDGs are assigned to the roles
that you define for each user group. Each NDG can be assigned to a single role
only, but each role can include multiple NDGs. These definitions are saved as part
of the configuration for the selected user group.
The following topics outline the basic steps for configuring NDGs:

Activating the NDG Feature, page 2-44

Creating NDGs, page 2-45

Associating NDGs and Roles with User Groups, page 2-54

Note

Each device can be a member of only one NDG.

NDGs are not related to the device groups that you can configure in Security
Manager. See Understanding Device Grouping, page 5-57.

For complete details about managing NDGs, see User Guide for Cisco Secure
ACS.

Related Topics

NDGs and User Permissions, page 2-44

Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 2-41

Integration Procedures Performed in Cisco Secure ACS, page 2-38

Checklist for Initial Cisco Secure ACS Setup, page 2-37


NDGs and User Permissions


Because NDGs limit users to particular sets of devices, they affect policy
permissions, as follows:

To view a policy, you must have permissions for at least one device to which
the policy is assigned.

To modify a policy, you must have permissions for all of the devices to which
the policy is assigned.

To view, modify, or assign a VPN policy, you must have permissions for all
of the devices in the VPN topology.

To assign a policy to a device, you need permissions only for that device,
regardless of whether you have permissions for any other devices to which the
policy is assigned. (VPN policies are an exception, as noted above.) However,
if a user assigns a policy to a device for which you do not have permissions,
you will not be able to modify that policy. See Modify Policies Permissions,
page 2-14.

Note

To modify an object, a user does not need modify permissions for all the devices
that are using the object. However, a user must have modify permissions for a
particular device in order to modify a device-level object override defined on that
device.
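The policy-permission rules above, worked through as an added example that is not part of this guide or of Cisco's software: a small Python model that maps devices to NDGs, NDGs to a role per user (as associated on the Group Setup page), and then evaluates the view, modify, assign and object-override rules. The device names, NDG names, users and policies are constructed; which default roles carry modify permission (here only System Administrator and Security Administrator) is a simplifying assumption rather than Table 2-1, and "permissions only for that device" when assigning a policy is read as modify permission on that device. The scenario follows the guide's own User A / User B example: User A is System Administrator for Europe and Help Desk for Asia, User B the opposite.

```python
"""Model of how NDG-scoped roles gate policy permissions in Security Manager.

Added illustration, not Cisco code. MODIFY_ROLES is a simplifying
assumption, not the guide's Table 2-1.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# ASSUMPTION: roles that carry "modify policy" permission. Any role
# associated with an NDG is taken to grant view permission on its devices.
MODIFY_ROLES = frozenset({"System Administrator", "Security Administrator"})


@dataclass(frozen=True)
class Policy:
    name: str
    devices: FrozenSet[str]                     # devices the policy is assigned to
    is_vpn: bool = False
    vpn_topology: FrozenSet[str] = frozenset()  # every device in the VPN topology


@dataclass
class User:
    name: str
    ndg_roles: Dict[str, str]  # NDG name -> role, as associated on Group Setup


class NdgPermissions:
    """Evaluates the rules listed under 'NDGs and User Permissions'."""

    def __init__(self, device_ndg: Dict[str, str]):
        # Each device belongs to at most one NDG. Devices left under
        # "Not Assigned" have no NDG and therefore grant no permissions.
        self.device_ndg = dict(device_ndg)

    def role_for(self, user: User, device: str) -> Optional[str]:
        ndg = self.device_ndg.get(device)
        return user.ndg_roles.get(ndg) if ndg is not None else None

    def can_view_device(self, user: User, device: str) -> bool:
        return self.role_for(user, device) is not None

    def can_modify_device(self, user: User, device: str) -> bool:
        return self.role_for(user, device) in MODIFY_ROLES

    def can_view_policy(self, user: User, policy: Policy) -> bool:
        if policy.is_vpn:  # VPN: permissions on every device in the topology
            return all(self.can_view_device(user, d) for d in policy.vpn_topology)
        # Non-VPN: permission on at least one device the policy is assigned to
        return any(self.can_view_device(user, d) for d in policy.devices)

    def can_modify_policy(self, user: User, policy: Policy) -> bool:
        scope = policy.vpn_topology if policy.is_vpn else policy.devices
        # Modify needs modify permission on ALL devices in scope
        return all(self.can_modify_device(user, d) for d in scope)

    def can_assign_policy(self, user: User, policy: Policy, device: str) -> bool:
        if policy.is_vpn:
            return all(self.can_modify_device(user, d) for d in policy.vpn_topology)
        # ASSUMPTION: "permissions only for that device" = modify permission there
        return self.can_modify_device(user, device)

    def can_modify_override(self, user: User, device: str) -> bool:
        # A device-level object override needs modify permission on that device
        return self.can_modify_device(user, device)


def assign(policy: Policy, device: str) -> Policy:
    """Return the policy additionally assigned to device (e.g. by another user)."""
    return Policy(policy.name, policy.devices | {device}, policy.is_vpn, policy.vpn_topology)


# Constructed sample data: device -> NDG (one NDG per device)
DEVICE_NDG = {
    "eu-fw1": "Europe", "eu-fw2": "Europe",
    "as-fw1": "Asia",
    "na-fw1": "North America",
}
PERMS = NdgPermissions(DEVICE_NDG)
USER_A = User("user_a", {"Europe": "System Administrator", "Asia": "Help Desk"})
USER_B = User("user_b", {"Europe": "Help Desk", "Asia": "System Administrator"})
CORP_ACL = Policy("corp-acl", frozenset({"eu-fw1", "as-fw1"}))
EU_ACL = Policy("eu-acl", frozenset({"eu-fw1", "eu-fw2"}))
SITE_VPN = Policy("site-vpn", frozenset(), is_vpn=True,
                  vpn_topology=frozenset({"eu-fw1", "as-fw1"}))

if __name__ == "__main__":
    for user in (USER_A, USER_B):
        for pol in (CORP_ACL, EU_ACL, SITE_VPN, assign(EU_ACL, "na-fw1")):
            print(user.name, pol.name, sorted(pol.devices or pol.vpn_topology),
                  "view=%s modify=%s" % (PERMS.can_view_policy(user, pol),
                                          PERMS.can_modify_policy(user, pol)))
```

The last case in the demo loop is the caveat from the text: once someone else assigns eu-acl to a North America device, User A keeps view access through the Europe devices but loses the ability to modify the policy, because modify now requires permission on every device it is assigned to.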
Related Topics

Configuring Network Device Groups for Use in Security Manager, page 2-43

View Policies Permissions, page 2-5

Modify Policies Permissions, page 2-14

Setting Up User Permissions, page 2-3

Activating the NDG Feature


You must activate the NDG feature before you can create NDGs and populate
them with devices.


Procedure
Step 1

Click Interface Configuration on the Cisco Secure ACS navigation bar.

Step 2

Click Advanced Options.

Step 3

Scroll down, then select the Network Device Groups check box.

Step 4

Click Submit.

Step 5

Continue with Creating NDGs, page 2-45.

Related Topics

Creating NDGs, page 2-45

Associating NDGs and Roles with User Groups, page 2-54

NDGs and User Permissions, page 2-44

Configuring Network Device Groups for Use in Security Manager, page 2-43

Creating NDGs
This procedure describes how to create NDGs and populate them with devices.
Each device can belong to only one NDG.

Note

We highly recommend creating a special NDG that contains the
CiscoWorks/Security Manager server.
Before You Begin

Activate the NDG feature. See Activating the NDG Feature, page 2-44.

Procedure
Step 1

Click Network Configuration on the navigation bar.


All devices are initially placed under Not Assigned, which holds all devices that
were not placed in an NDG. Please note that Not Assigned is not an NDG.

Step 2

Create NDGs:
a.

Click Add Entry.



b.

Enter a name for the NDG on the New Network Device Group page. The
maximum length is 24 characters. Spaces are permitted.

c.

(Optional when using version 4.0 or later) Enter a key to be used by all
devices in the NDG. If you define a key for the NDG, it overrides any keys
defined for the individual devices in the NDG.

d.

Click Submit to save the NDG.

e.

Repeat Steps a through d to create more NDGs.

Step 3

Populate the NDGs with devices:


a.

Click the name of the NDG in the Network Device Groups area.

b.

Click Add Entry in the AAA Clients area.

c.

Define the particulars of the device to add to the NDG, then click Submit. For
more information, see Adding Devices as AAA Clients Without NDGs,
page 2-41.

d.

Repeat Steps b and c to add remaining devices to NDGs. The only device to
consider leaving in the Not Assigned category is the default AAA server.

e.

After you configure the last device, click Submit + Restart.

Note

Each device can be a member of only one NDG.

Step 4

Continue with Creating an Administration Control User in Cisco Secure ACS,
page 2-47.

Note

You can associate roles with each NDG only after completing the
integration procedures in Cisco Secure ACS and CiscoWorks Common
Services. See Associating NDGs and Roles with User Groups, page 2-54.

Related Topics

Activating the NDG Feature, page 2-44

Associating NDGs and Roles with User Groups, page 2-54

NDGs and User Permissions, page 2-44

Configuring Network Device Groups for Use in Security Manager, page 2-43


Creating an Administration Control User in Cisco Secure ACS


Use the Administration Control page in Cisco Secure ACS to define the
administrator account that is used when defining the AAA setup mode in
CiscoWorks Common Services. For more information, see Configuring the AAA
Setup Mode in CiscoWorks, page 2-50.
Procedure
Step 1

Click Administration Control on the Cisco Secure ACS navigation bar.

Step 2

Click Add Administrator.

Step 3

On the Add Administrator page, enter a name and password for the administrator.

Step 4

Click Grant All in the Administrator Privileges area to provide full administrative
permissions to this administrator.

Step 5

Click Submit to create the administrator.

Note

For more information about the options available when configuring an
administrator, see User Guide for Cisco Secure ACS.

Related Topics

Integration Procedures Performed in Cisco Secure ACS, page 2-38

Checklist for Initial Cisco Secure ACS Setup, page 2-37

Integration Procedures Performed in CiscoWorks


The following topics describe the procedures to perform in CiscoWorks Common
Services when integrating it with Cisco Security Manager:

Creating a Local User in CiscoWorks, page 2-48

Defining the System Identity User, page 2-49

Configuring the AAA Setup Mode in CiscoWorks, page 2-50


Perform these procedures after completing the integration procedures performed
in Cisco Secure ACS. Common Services performs the actual registration of
CiscoWorks and any installed applications, such as Cisco Security Manager and
Auto-Update Server, into Cisco Secure ACS.
Related Topics

ACS Integration Requirements, page 2-35

Integration Procedures Performed in Cisco Secure ACS, page 2-38

Integrating Security Manager with Cisco Secure ACS, page 2-34

Creating a Local User in CiscoWorks


Use the Local User Setup page in CiscoWorks Common Services to create a local
user account that duplicates the administrator you previously created in
Cisco Secure ACS. This local user account is later used for the system identity
setup. For more information, see Defining the System Identity User, page 2-49.
Before You Begin

Create an administrator in Cisco Secure ACS. See Defining Users and User
Groups in Cisco Secure ACS, page 2-39.

Procedure
Step 1

Log in to CiscoWorks using the default admin user account.

Step 2

Select Server > Security from Common Services, then select Local User Setup
from the TOC.

Step 3

Click Add.

Step 4

Enter the same name and password that you entered when creating the
administrator in Cisco Secure ACS. See Step 4 in Defining Users and User
Groups in Cisco Secure ACS, page 2-39.

Step 5

Select all check boxes under Roles except Export Data.

Step 6

Click OK to create the user.


Related Topics

Integration Procedures Performed in CiscoWorks, page 2-47

Checklist for Initial Cisco Secure ACS Setup, page 2-37

Defining the System Identity User


Use the System Identity Setup page in CiscoWorks Common Services to create a
trust user (called the System Identity user) that enables communication between
servers that are part of the same domain and application processes that are located
on the same server. Applications use the System Identity user to authenticate
processes on local or remote CiscoWorks servers. This is especially useful when
the applications must synchronize before any users have logged in.
In addition, the System Identity user is often used to perform a subtask when the
primary task has already been authorized for the logged in user. For example,
editing a device in Security Manager requires interapplication communication
between Security Manager and the Common Services DCR. After the user has
been authorized to perform the editing task, the System Identity user is used to
invoke the DCR.
The System Identity user you configure here must be identical to the administrator
with full permissions that you configured in ACS. Failure to do so could result in
your being unable to view all the devices and policies configured in Security
Manager.
Before You Begin

Create a local user with the same name and password as this administrator in
CiscoWorks Common Services. See Creating a Local User in CiscoWorks,
page 2-48.

Procedure
Step 1

Select Server > Security, then select Multi-Server Trust Management >
System Identity Setup from the TOC.

Step 2

Enter the name of the administrator that you created for Cisco Secure ACS. See
Step 4 in Defining Users and User Groups in Cisco Secure ACS, page 2-39.

Step 3

Enter and verify the password for this user.


Step 4

Click Apply.

Related Topics

Integration Procedures Performed in CiscoWorks, page 2-47

Checklist for Initial Cisco Secure ACS Setup, page 2-37

Configuring the AAA Setup Mode in CiscoWorks


Use the AAA Setup Mode page in CiscoWorks Common Services to define your
Cisco Secure ACS as the AAA server, including the required port and shared
secret key. In addition, you can define up to two backup servers.
This procedure performs the actual registration of CiscoWorks and Security
Manager (and optionally, Auto-Update Server) into Cisco Secure ACS.
Procedure
Step 1

Select Server > Security, then select AAA Mode Setup from the TOC.

Step 2

Select the TACACS+ check box under Available Login Modules.

Step 3

Select ACS as the AAA type.

Step 4

Enter the IP addresses of up to three Cisco Secure ACS servers in the Server
Details area. The secondary and tertiary servers act as backups in case the primary
server fails.

Note

If all the configured TACACS+ servers fail to respond, you must log in
using the admin CiscoWorks Local account, then change the AAA mode
back to Non-ACS/CiscoWorks Local. After the TACACS+ servers are
restored to service, you must change the AAA mode back to ACS.

Step 5

In the Login area, enter the name of the administrator that you defined on the
Administration Control page of Cisco Secure ACS. For more information, see
Creating an Administration Control User in Cisco Secure ACS, page 2-47.

Step 6

Enter and verify the password for this administrator.


Step 7

Enter and verify the shared secret key that you entered when you added the
Security Manager server as a AAA client of Cisco Secure ACS. See Step 5 in
Adding Devices as AAA Clients Without NDGs, page 2-41.

Step 8

Select the Register all installed applications with ACS check box to register
Security Manager and any other installed applications with Cisco Secure ACS.

Step 9

Click Apply to save your settings. A progress bar displays the progress of the
registration. A message is displayed when registration is complete.

Step 10

Restart the Cisco Security Manager Daemon Manager service. See Restarting the
Daemon Manager, page 2-51.

Step 11

Log back in to Cisco Secure ACS to assign roles to each user group. See
Assigning Roles to User Groups in Cisco Secure ACS, page 2-52.

Note

The AAA setup configured here is not retained if you uninstall CiscoWorks
Common Services or Cisco Security Manager. In addition, this configuration
cannot be backed up and restored after reinstallation. Therefore, if you upgrade to
a new version of either application, you must reconfigure the AAA setup mode
and reregister Security Manager with ACS. This process is not required for
incremental updates. If you install additional applications, such as AUS, on top of
CiscoWorks, you must reregister the new applications and Cisco Security
Manager.
Related Topics

Integration Procedures Performed in CiscoWorks, page 2-47

Checklist for Initial Cisco Secure ACS Setup, page 2-37

Restarting the Daemon Manager


This procedure describes how to restart the Daemon Manager of the Security
Manager server. You must do this so the AAA settings that you configured take
effect. You can then log back in to CiscoWorks using the credentials defined in
Cisco Secure ACS.


Procedure
Step 1

Log in to the machine on which the Security Manager server is installed.

Step 2

Select Start > Programs > Administrative Tools > Services to open the
Services window.

Step 3

From the list of services displayed in the right pane, select Cisco Security
Manager Daemon Manager.

Step 4

Click the Restart Service button on the toolbar.

Step 5

Continue with Assigning Roles to User Groups in Cisco Secure ACS, page 2-52.

Related Topics

Checklist for Initial Cisco Secure ACS Setup, page 2-37

Integrating Security Manager with Cisco Secure ACS, page 2-34

Assigning Roles to User Groups in Cisco Secure ACS


After you have registered CiscoWorks, Security Manager and other installed
applications to Cisco Secure ACS, you can assign roles to each of the user groups
that you previously configured in Cisco Secure ACS. These roles determine the
actions that the users in each group are permitted to perform in Security Manager.
The procedure for assigning roles to user groups depends on whether NDGs are
being used:

Assigning Roles to User Groups Without NDGs, page 2-53

Associating NDGs and Roles with User Groups, page 2-54

Related Topics

Checklist for Initial Cisco Secure ACS Setup, page 2-37

Integrating Security Manager with Cisco Secure ACS, page 2-34


Assigning Roles to User Groups Without NDGs


This procedure describes how to assign the default roles to user groups when
NDGs have not been defined. For more information, see Cisco Secure ACS
Default Roles, page 2-30.
Before You Begin

Create a user group for each default role. See Defining Users and User
Groups in Cisco Secure ACS, page 2-39.

Complete the procedures described in Integration Procedures Performed in
Cisco Secure ACS, page 2-38, and Integration Procedures Performed in
CiscoWorks, page 2-47.

Procedure
Step 1

Log in to Cisco Secure ACS.

Step 2

Click Group Setup on the navigation bar.

Step 3

Select the user group for system administrators from the list (see Step 2 of
Defining Users and User Groups in Cisco Secure ACS, page 2-39), then click
Edit Settings.

Step 4

Assign the system administrator role to this group:

a.

Scroll down to the CiscoWorks area under TACACS+ Settings.

b.

Select the first Assign option, then select System Administrator from the
list of CiscoWorks roles.

c.

Scroll down to the Cisco Security Manager Shared Services area.

d.

Select the first Assign option, then select System Administrator from the
list of Cisco Secure ACS roles.

e.

Click Submit to save the group settings.

Step 5

Repeat Steps 3 and 4 for the remaining roles, assigning each role to the
appropriate user group.

Note

When selecting the Security Approver or Security Administrator roles in
Cisco Secure ACS, we recommend selecting Network Administrator as
the closest equivalent CiscoWorks role.


Note

For more information about customizing the default roles in ACS, see
Customizing Cisco Secure ACS Roles, page 2-31.

Related Topics

Understanding CiscoWorks Roles, page 2-27

Understanding Cisco Secure ACS Roles, page 2-29

Integrating Security Manager with Cisco Secure ACS, page 2-34

Associating NDGs and Roles with User Groups


When you associate NDGs with roles for use in Security Manager, you must
create definitions in two places on the Group Setup page:

CiscoWorks area

Cisco Security Manager area

The definitions in each area should match as closely as possible. When
associating custom roles or ACS roles that do not exist in CiscoWorks Common
Services, try to define as close an equivalent as possible based on the permissions
assigned to that role.
You must create associations for each user group that will be used with Security
Manager. For example, if you have a user group containing support personnel for
the Western region, you can select that user group, then associate the NDG
containing the devices in that region with the Help Desk role.
Before You Begin

Activate the NDG feature and create NDGs. See Configuring Network Device
Groups for Use in Security Manager, page 2-43.

Procedure
Step 1

Click Group Setup on the navigation bar.

Step 2

Select a user group from the Group list, then click Edit Settings.


Step 3

Map NDGs and roles for use in CiscoWorks:


a.

On the Group Setup page, scroll down to the CiscoWorks area under
TACACS+ Settings.

b.

Select Assign a Ciscoworks on a per Network Device Group Basis.

c.

Select an NDG from the Device Group list.

d.

Select the role to which this NDG should be associated from the second list.

e.

Click Add Association. The association appears in the Device Group box.

f.

Repeat Steps c through e to create additional associations.

Note

To remove an association, select it from the Device Group box, then click
Remove Association.

Step 4

Scroll down to the Cisco Security Manager area and create associations that match
as closely as possible the associations defined in Step 3.

Note

When selecting the Security Approver or Security Administrator roles in
Cisco Secure ACS, we recommend selecting Network Administrator as
the closest equivalent CiscoWorks role.

Step 5

Click Submit to save your settings.

Step 6

Repeat Steps 2 through 5 to define NDGs for the remaining user groups.

Step 7

To save the associations that you have created, click Submit + Restart.

Note

For more information about customizing the default roles in ACS, see
Customizing Cisco Secure ACS Roles, page 2-31.

Related Topics

Integrating Security Manager with Cisco Secure ACS, page 2-34

Checklist for Initial Cisco Secure ACS Setup, page 2-37


Selecting a Workflow Mode


Security Manager workflow has two main modes:

Workflow mode (with or without approvers).

Non-Workflow mode (default).

The workflow mode you choose depends on your organizational structure and the
level of control you wish to have over changes to the network. The following
topics help you understand the different workflow modes so that you can make an
informed decision as to which mode you prefer:

Working in Workflow Mode, page 2-56

Working in Non-Workflow Mode, page 2-57

Comparing the Two Workflow Modes, page 2-58

Enabling and Disabling Workflow Modes, page 2-59

Working in Workflow Mode


Workflow mode is an advanced mode of operation that imposes a formal
change-tracking and change-management system. Workflow mode is suitable for
organizations in which there is division of responsibility among security and
network operators for defining policies and deploying those policies to devices.
For example, a security operator might be responsible for defining security
policies on devices, another security operator might be responsible for approving
the policy definitions, and a network operator for deploying the resulting
configurations to a device. This separation of responsibility helps maintain the
integrity of deployed device configurations.
You can use Workflow mode with or without an approver. When using Workflow
mode with an approver, device management and policy configuration changes
performed by one user are reviewed and approved by another user before being
deployed to the relevant devices. When using Workflow mode without an
approver, device and policy configuration changes can be created and approved
by a single user, thus simplifying the change process.


In Workflow mode:

A user must create an activity before defining or changing policy
configurations. An activity is essentially a proposal to make configuration
changes. The changes made within the activity are applied only after the
activity is approved by a user with the appropriate permissions. An activity
can either be submitted to another user for review and approval (Workflow
mode with an activity approver), or it can be approved by the current user
(Workflow mode without an activity approver). For detailed information
about the process of creating, submitting, and approving activities, see
Chapter 7, Managing Activities.

After the activity is approved, the configuration changes need to be deployed
to the relevant devices. To do this, a user must create a deployment job. A
deployment job defines the devices to which configurations will be deployed,
and the deployment method to be used. A deployment job can either be
submitted to another user for review and approval (Workflow mode with a job
approver), or it can be approved by the current user (Workflow mode without
a job approver). Deployment preferences can be configured with or without
job approval. For more information, see Chapter 18, Managing
Deployment.

Working in Non-Workflow Mode


Some organizations have no division of responsibility between users when
defining and administering their VPN and firewall policies. These organizations
can work in non-Workflow mode, which is the default mode of operation. When
using non-Workflow mode, there is no need to create activities and jobs. When
you log in, Security Manager creates an activity for you. This activity is
transparent to the user and does not need to be managed in any way. In addition,
when you save and deploy configuration changes, Security Manager creates a job
for you as well. Like activities, jobs are transparent and do not need to be
managed.
When using non-Workflow mode, multiple users with the same username and
password cannot be logged into Security Manager at the same time. If another
user logs in with the same username and password while you are working, your
session will be terminated and you will have to log in again.


Comparing the Two Workflow Modes


Table 2-2 highlights the differences between the two workflow modes.

Table 2-2 Comparison Between Workflow Mode and Non-Workflow Mode

FAQ: What is the default mode for Security Manager?
Non-Workflow Mode: Default.
Workflow Mode: Not default.

FAQ: How do I know which mode is currently selected?
Non-Workflow Mode: In Tools > Security Manager Administration > Workflow, the Enable Workflow check box is not selected.
Workflow Mode: In Tools > Security Manager Administration > Workflow, the Enable Workflow check box is selected.

FAQ: Must I create activities to make configuration changes?
Non-Workflow Mode: No. Security Manager automatically creates an activity when you log in.
Workflow Mode: Yes.

FAQ: Must I create jobs to deploy configurations to devices?
Non-Workflow Mode: No.
Workflow Mode: Yes.

FAQ: How do I deploy my configuration changes to the devices?
Non-Workflow Mode: Do one of the following: click Submit and Deploy Changes in the Main toolbar; select File > Submit and Deploy; or select Tools > Deployment Manager and click Deploy.
Workflow Mode: Select Tools > Deployment Manager and create a deployment job.

FAQ: At what stage are the CLI commands for my configuration changes generated?
Non-Workflow Mode: When initiating deployment.
Workflow Mode: When creating a deployment job.

FAQ: How do I delete my current changes?
Non-Workflow Mode: Select File > Discard, or, if you have already started deploying devices, abort the deployment by selecting Tools > Deployment Manager > Abort.
Workflow Mode: Select Tools > Deployment Manager > Discard. If the job has already been deployed, you can abort the job by selecting Tools > Deployment Manager > Abort.

FAQ: Can multiple users log into Security Manager at the same time?
Non-Workflow Mode: Yes, but only if each one has a different username and password. Access to Security Manager is discontinued if a user with the same username logs into Security Manager.
Workflow Mode: Yes. Each user can open a different activity and make configuration changes.

FAQ: What if another user is configuring the devices I want to configure?
Non-Workflow Mode: You will receive a message indicating that the devices are locked. See Activities and Locking, page 7-4.
Workflow Mode: Same as non-Workflow mode. You will receive a message indicating that the devices are locked. See Activities and Locking, page 7-4.

Enabling and Disabling Workflow Modes


The default mode in Security Manager is non-Workflow mode. If you have Administrator permissions, you can change the workflow mode in Tools > Security Manager Administration. Before doing so, be sure to understand the following notes:

When you change the workflow mode, the change takes effect for all Security Manager users working from the same server.

Before you can change to non-Workflow mode, all activities in editable states (Edit, Edit Open, Submit, or Submit Open) must be approved or discarded, and all generated jobs must be deployed, failed, rejected, discarded, or aborted so that the locks on the devices can be released.

If you change to non-Workflow mode and then restore an earlier version of the database, Security Manager automatically changes to Workflow mode if the restored database has any activities in an editable state (Edit, Edit Open, Submit, or Submit Open). Approve or delete the editable activities, and then turn workflow off again.

Both Workflow and non-Workflow modes use activities. However, Security Manager hides and automatically manages activities when in non-Workflow mode. Therefore, when changing from non-Workflow mode to Workflow mode, the current hidden activity is exposed and placed in the Edit Open state.

This procedure will help you establish Workflow mode settings.

Procedure

Step 1 Click Tools > Security Manager Administration.

Step 2 Click Workflow. The Workflow page appears in the right-hand pane. For a description of the fields on this page, see Table A-28 on page A-48.

Step 3 To disable Workflow mode, deselect the Enable Workflow check box, and then click Save.

Step 4 To enable Workflow mode, select the Enable Workflow check box.

Step 5 To eliminate the requirement that activities be approved before they are committed to the database, deselect the Require Activity Approval check box. (The check box is selected by default.)

Step 6 To eliminate the requirement that deployment jobs be approved before deployment to devices, deselect the Require Deployment Approval check box. (The check box is selected by default.)

Step 7 Enter the email address for the default Sender. (This is the address that appears on every deployment job submitted.)

Step 8 Enter the email address for the default Activity Approver.

Step 9 Enter the email address for the default Deployment Job Approver.

Step 10 To change the number of days you keep the activity logs, enter a new value in the Keep Activity for field.

Step 11 Click Purge Now to delete activity logs older than the number of days you specify.

Step 12 To change the number of days you keep the deployment job logs, enter a new value in the Keep Job for text box.

Step 13 Click Purge Now to delete deployment logs older than the number of days you specify.

Step 14 Click Save to apply and save changes. A confirmation dialog box states that changes were saved.

Note You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.

Step 15 Click Yes in the confirmation dialog box to confirm your choice. A message states that this action was successful.

Related Topics

Managing Activities, page 7-1

Managing Deployment, page 18-1

Working with AutoLink


The Security Manager Map view provides a graphical view of your VPN and Layer 3 network topology. Using device nodes to represent managed devices and map objects to represent unmanaged objects such as devices, clouds, and networks, you can create topology maps with which to study your network. AutoLink settings enable you to exclude any of five private or reserved networks from Map view. For example, you might want to exclude networks that are not relevant to the management tasks you are using Security Manager to perform, such as test networks. This prevents them from appearing on your topology map.

This procedure will help you define AutoLink settings.

Procedure

Step 1 Select Tools > Security Manager Administration.

Step 2 Click AutoLink. The AutoLink settings page appears. For a description of the fields on this page, see Table A-1 on page A-3.

Step 3 Deselect the check box for each network (IP address range) you want to omit from any topology maps you create.

Step 4 Click Save to apply and save changes. A confirmation dialog box states that changes were saved.

Note You can restore all values to their previous settings by clicking Reset, or you can restore the system defaults by clicking Restore Defaults.

Step 5 Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.

Related Topics

Displaying Layer 3 Links on the Map, page 4-21

Displaying Your Network on the Map, page 4-16

Understanding Maps, page 4-1

Working With Maps, page 4-2

Defining Configuration Archive Settings


From the Configuration Archive preferences window, you can purge configuration file versions maintained for devices managed by Security Manager. Here you can also enter the Trivial File Transfer Protocol (TFTP) server and directory information for Cisco IOS devices used during configuration rollback. TFTP is unauthenticated and unencrypted, and the configuration files it carries during a rollback can contain credentials and keys, so place the TFTP server on the management network and restrict access to its directory.

This procedure will help you define Configuration Archive settings.

Procedure

Step 1 Select Tools > Security Manager Administration.

Step 2 Click Configuration Archive. The Configuration Archive Purge dialog box is on the top half of the window, and the TFTP for Configuration Version Rollback server settings are below. For a description of the fields on this page, see Table A-2 on page A-4.

Step 3 To specify how many configuration versions to retain for each device, enter a value in the Max. Versions Per Device field.

Step 4 Click Purge Now to delete older configurations in excess of the number of configurations you specified in Step 3.

Step 5 To change the default TFTP server for IOS devices, enter the server name or IP address for TFTP file transfers.

Step 6 To change the default directory for TFTP file transfers, enter the root directory for configuration file transfers on your TFTP server.

Step 7 Click Save to apply and save changes. A confirmation dialog box states that changes were saved.

Note To return to the values that were present when you first opened the settings page, click Reset at any time before you click Save. If you clicked Save in error and do not remember what was there before, click Restore Defaults to reestablish Security Manager defaults.

Step 8 Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.

Related Topics

Configuration Archive Window, page Q-12

Using the Configuration Archive Tool, page 20-11


Customizing Your Desktop


Adjust your GUI timeout and Do Not Ask settings from the Customize Desktop page.

This procedure will help you adjust your GUI timeout and Do Not Ask settings.

Procedure

Step 1 Select Tools > Security Manager Administration.

Step 2 Click Customize Desktop. For a description of the fields on this page, see Table A-3 on page A-4.

Step 3 To reestablish the appearance of "Are you sure . . .?" reminders anywhere in the application, click Reset Do Not Ask on Warnings, and then click Yes in the confirmation dialog box to confirm your choice.

Step 4 To log users out after the number of idle minutes specified in the Idle Timeout text field, select the Enable Idle Timeout check box.

Step 5 In the Idle Timeout text field, enter the number of minutes of idleness after which you want Security Manager to log a user out. The idle timeout also bounds how long cached user login credentials remain available for device access; see About Security Manager and Device Authentication, page 2-70.

Step 6 Do one of the following:

  Click Save to save and apply changes. A message confirms that your changes were saved successfully.

  Click Reset to restore all fields and check boxes to their previous values.

  Click Restore Defaults to restore Security Manager defaults.

Step 7 Click Yes in the confirmation dialog box to confirm your choice. A message indicates that this action was successful.

Related Topics

Working with the Security Manager User Interface, page 3-1


Defining Deployment Settings


Use the Deployment settings page to define the following:

Number of days to archive debugging files.

Whether configuration changes are deployed to a file or to a device.

Whether to warn, cancel, or skip deployment when out-of-band changes are detected.

Whether reference configurations for deployments should be taken from an archive or a device.

How to optimize the deployment of firewall access lists (optimized to reduce deployment time or to minimize traffic disruption).

Whether to allow FWSM to compile access lists automatically instead of using Security Manager to control the ACL compilation.

Whether to enable advanced debugging.

Whether deployments will proceed with errors.

Whether to delete unreferenced object groups from devices.

Whether to automatically create object groups for policy objects and for multiple sources, destinations, or services (for PIX, FWSM, and ASA devices).

Whether to remove unreferenced access lists from devices.

Whether any changes to the device configuration for Cisco IOS, PIX, FWSM, and ASA devices are copied to the startup configuration for those device types.

Whether ACL remarks should be generated during deployment.

Whether to optimize network object groups during deployment.

This procedure will help you define deployment settings.

Procedure

Step 1 Select Tools > Security Manager Administration.

Step 2 Click Deployment. The Deployment window appears. For a description of the fields on this page, see Table A-4 on page A-5.

Step 3 To specify how long to keep debugging files, enter the number of days in the Purge Debugging Files Older Than field.

Step 4 To specify how configurations should be deployed to devices, select the Default Deployment Method: either Device or File.

Step 5 If you selected File as the default deployment method in the previous step, enter a directory path to which the file should be saved, or click Browse to select the directory to which to save the file.

Step 6 Select the desired system response when Security Manager detects changes made directly to the device (Out of Band Changes).

Step 7 Choose the File Reference Configuration object (the configuration against which file changes are to be compared if you are deploying to a reference file). You can choose one of the following:

  Archive (default): Uses the most recently archived configuration against which to compare changes; then generates the CLI to be deployed.

  Device: Uses the current device configuration against which to compare changes; then generates the CLI to be deployed.

Step 8 Choose the Device Reference Configuration object (the configuration against which device changes are to be compared if you are deploying to a device). You can choose one of the following:

  Archive: Uses the most recently archived configuration against which to compare changes; then generates the CLI to be deployed.

  Device (default): Uses the current device configuration against which to compare changes; then generates the CLI to be deployed.

Step 9 Select how firewall rules are to be deployed from the Optimize Firewall Deployment for list. Choose one of the following two criteria:

  Speed: Increases deployment speed, thereby using less system memory, but increases the risk of traffic interruption.

  Traffic: Inhibits traffic interruption during deployment, but increases system memory usage, and deployments take longer.

See Table A-4 on page A-5 for more information.


Step 10 Determine whether existing Firewall Access Names should be reused, or whether the name values should be reset to names generated by Security Manager, by selecting one of the two options from the list. For more information, see Preserving User-Defined ACL Names, page 12-56, and How ACL Names Are Generated, page 12-53.

Step 11 Determine how firewall rules should be deployed to devices in the Firewall Rule Deployment Preference list. Select the Disable Access-list Compilation During Deployment (FWSM) check box to specify that FWSM should automatically compile access lists. If you do not select this check box, Security Manager controls ACL compilation (to avoid traffic interruption and to minimize peak memory usage on the device). For more information, see Understanding Access Rules, page 12-49.

Caution Do not select this check box unless you are experiencing deployment problems and are an advanced user.

Step 12 To generate data files about configuration generation, deployment, and discovery as these functions are performed, select Enable Advanced Debugging.

Step 13 To allow deployment to devices to continue even if there are minor device configuration errors, select Allow Download On Error. Commands that fail are not applied, so a device can be left running a policy that differs from the one Security Manager displays; review the deployment status of every job that completed with errors.

Step 14 To delete from devices during deployment any object groups that are not being used by other CLI commands, select Remove Unreferenced ObjectGroups from Device (PIX, ASA, FWSM).

Step 15 (Optional) To have Security Manager create object groups on the device for the policy objects referenced in a rule, ensure that Create Object Groups for Policy Objects (PIX, ASA, FWSM) is selected. When deselected, Security Manager flattens the object groups for PIX/ASA/FWSM devices to IP addresses and disables the following check box: Create Object Groups for Multiple Sources, Destinations or Services in a Rule (PIX, ASA, FWSM). The objects are created during deployment.

Step 16 (Optional) To automatically create network objects and service objects that replace comma-separated values in a rule table cell, select Create Object Groups for Multiple Sources, Destinations or Services in a Rule (PIX, ASA, FWSM). The objects are created during deployment.

Step 17 To delete from devices during deployment any access lists that are not being used by other CLI commands, select Remove Unreferenced Access-lists on Device.

Step 18 To ensure that any changes to device configurations for PIX, FWSM, ASA, or Cisco IOS devices are copied to the startup configuration for that device, select Save Changes Permanently on Device.

Step 19 To display ACL warning messages and remarks during deployment, select Generate ACL Remarks During Deployment.

Step 20 To optimize network object groups during deployment, select Optimize Network Object Groups During Deployment (PIX, ASA, FWSM). For more information on optimizing policy objects, see Optimizing Policy Objects in Rules, page 12-47.

Step 21 Click Save. Certain options display a confirmation dialog box and ask if you want to continue. To continue, click Yes.

Note

To return to values that were present when you first opened a settings
page, click Reset at any time before you click Save. If you clicked Save
in error and do not remember what was there before, you can click
Restore Defaults to reestablish Security Manager defaults.

Related Topics

Managing Deployment, page 18-1

Defining Device Communication Settings


Use the Device Communication settings page to define these settings for all devices managed by Security Manager:

The number of seconds that Security Manager has to establish a connection with a device before timing out.

The number of seconds Security Manager can spend blocked waiting for incoming data.

The default transport protocol for contacting all Cisco IOS devices running IOS versions 12.3 and later, Cisco IOS IPS routers, IPS sensors, Catalyst 6500 Series switches, Cisco 7600 Series routers, and routers running Cisco IOS software release 12.1 and 12.2.

The credentials that Security Manager uses to contact the device for various operations, such as deployment, discovery, and rollback of configurations. For more information, see About Security Manager and Device Authentication, page 2-70.

The certificate authentication mechanism to be used for IPS devices, IOS devices, firewall devices, FWSMs, and ASAs.

The default HTTPS port number to be used for secure communication between Security Manager (as well as management and monitoring tools that use HTTPS) and a device.

Whether Security Manager will apply changes to SSH keys made directly on the device.

When you add routers running Cisco IOS software versions 12.1, 12.2, and associated releases from the CiscoWorks DCR into the Security Manager inventory, Security Manager uses the option you selected from the Transport Protocol (IOS Routers 12.3 and above) list of the Device Communications page to communicate with these devices, regardless of the option you selected from the Transport Protocol (IOS Routers 12.2, 12.1) list. This is a limitation of Security Manager: it uses the transport protocol configured for routers running Cisco IOS version 12.3 and later to communicate with routers running Cisco IOS versions 12.1, 12.2, and associated releases as well.

The protocol used to contact Cisco IOS routers running versions 12.3 and later might be incompatible with Cisco IOS routers running versions 12.1, 12.2, and associated releases, so adding those devices from DCR to Security Manager might fail. To work around this problem, first select a protocol that is supported on Cisco IOS version 12.1 and 12.2 routers, such as Telnet or SSH, from the Transport Protocol (IOS Routers 12.3 and above) list, and add the routers running 12.1 or 12.2 from DCR. Then select a protocol that is compatible with Cisco IOS 12.3 routers, such as SSL, from the same list, and add the routers running Cisco IOS software versions 12.3 or higher. Prefer SSH or SSL over Telnet wherever the device supports them; Telnet carries the device credentials in cleartext.

To make changes for only a single device, see Working with Device Policies, page 5-54.

The following topics describe device communication settings:

Defining Connection and Transport Protocol Settings in the UI, page 2-71

Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices, page 2-73

About Security Manager and Device Authentication


In Security Manager 3.0.1 and earlier, Security Manager used the credentials that you entered on the Device Credentials page or on the Device Properties page to log in to a device. These credentials must also be configured on the device if local authentication is used, or on an external AAA server, such as Cisco Secure Access Control Server (ACS), if the device is configured to authenticate with that server. They are called Security Manager device credentials: a set of user credentials specified on each device and also stored in the Security Manager inventory or in the Device and Credential Admin (DCA) in DCR. To connect to the device, Security Manager uses these credentials regardless of the credentials that were entered to log in to Security Manager.

Using Security Manager device credentials has a drawback in environments where per-user accounts with suitable privileges for device-level access have already been configured, typically on an external AAA server such as ACS, with AAA or TACACS+ accounting used for auditing. TACACS+ accounting records identify the user who configured CLI commands on a device. If every Security Manager operator reaches the device through the shared Security Manager device credentials, the accounting records show that shared account rather than the user who originated the request, so the audit trail for a particular CLI configuration change no longer identifies the person responsible. Maintaining a separate account in the Security Manager database and on every device solely for Security Manager to contact the device is also additional overhead.

In Security Manager 3.1, you can configure Security Manager to contact the device using the credentials that were used to log in to Security Manager, instead of the credentials defined on the Device Credentials page or Device Properties page. These credentials are called Security Manager user login credentials. This option is useful when you use TACACS+ or RADIUS accounting for auditing purposes, when you have already configured user accounts in an external AAA server with suitable permissions for device-level access, or when Security Manager and the device are configured to authenticate users using an external AAA server, such as ACS.

Login credentials are cached by Security Manager when you successfully log in to the CiscoWorks and Cisco Security Management Suite home pages. These credentials are discarded when you exit the Security Manager client or the idle session timeout period is exceeded. For any Security Manager operation that requires access to the device, such as discovery, deployment, rollback, and preview, the cached user credentials are retrieved and added to the authentication request sent to the device. With this option, each operator's own account must therefore exist on the device or its AAA server with privileges sufficient for those operations.

Defining Connection and Transport Protocol Settings in the UI


This procedure will help you define device communication settings.

Procedure

Step 1 Select Tools > Security Manager Administration.

Step 2 Click Device Communication. The Device Communication settings window opens. For a description of the fields on this page, see Table A-5 on page A-11.

Step 3 Under Device Connection Parameters, perform the following:

  a. Enter the number of seconds for Device Connection timeout.

  b. Enter a value for Retry Count.

  c. Enter the number of seconds for Socket Read timeout for SSH and telnet sessions.

  d. Select a default transport protocol for contacting all Cisco IOS IPS devices and IPS sensors from the list if needed.

  e. Select a default transport protocol for contacting all Cisco IOS devices running IOS versions 12.3 and later from the list if needed.

  f. Select a default transport protocol for contacting all Catalyst 6500 Series switches and Cisco 7600 Series routers from the list if needed.

  g. Select a default transport protocol for contacting all routers running Cisco IOS software version 12.1 or 12.2 from the list if needed.

  Note The selection does not apply to Catalyst 6500/6000 series switches running Cisco IOS software 12.2 or earlier.

  h. Select the authentication mechanism to use when Security Manager contacts the device from the following options. For more information, see About Security Manager and Device Authentication, page 2-70.

Step 4 Under SSL Certificate Parameters, perform the following:

  a. Select a certificate authentication method for devices using SSL:

    Retrieve while adding devices enables Security Manager to automatically obtain certificates from devices while you add one or more devices from the network or DCR. Security Manager calculates the device certificate thumbprints and stores them in the certificate data store. For information and procedures, see Adding Devices to the Security Manager Inventory, page 5-30. This is trust on first use: whatever certificate is presented at add time becomes the pinned one, so add devices only over a network path you trust.

    Manually add certificates prevents Security Manager from automatically accepting certificates using the Add Device From Network or the Add Device From DCR wizards (see Adding Devices to the Security Manager Inventory, page 5-30). You must add the device thumbprint manually before you add the devices. See Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices, page 2-73.

    Do not use certificate authentication prevents automatic certificate validation for devices using SSL.

  Caution This option leaves your system vulnerable to third-party interference with device validation. Without certificate validation, Security Manager cannot distinguish a genuine device from an impostor or a man-in-the-middle, and the device credentials it sends over that SSL session can be captured. We recommend that you use only the Retrieve while adding devices or Manually add certificates options.

  b. Select the Accept Device SSL Certificate after Rollback check box if you want Security Manager to obtain the certificate installed on a firewall device, FWSM, ASA, or Cisco IOS router after you perform a configuration rollback.

  Note This applies only for devices that use SSL as their transport protocol.

  Note To add the device certificate thumbprint immediately, see Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices, page 2-73.


Step 5 Enter the default HTTPS port number to be used for secure communication between a device and Security Manager if needed. This port number is used by HTTPS for all devices managed by Security Manager. The HTTPS port number you specify here overrides the port number that you configured for the device in the HTTP policy in the Device Access section.

Note If you configure the local HTTP policy to be a shared policy and assign the HTTP policy to multiple devices, the HTTPS port number setting in the shared policy overrides the port number configured in the Device Credentials page for all devices to which the policy is assigned.

Step 6 To allow Security Manager to apply changes to a device's SSH keys when they are updated directly on the device, select Overwrite SSH Keys. An unexpected host key change is also exactly what a host impersonation or man-in-the-middle attempt looks like, so leave this unselected unless device keys are legitimately regenerated, and verify a changed key out of band before accepting it.

Step 7 Click Save to apply and save changes. A confirmation dialog box states that changes were saved.

Step 8 Click Yes in the confirmation dialog box to confirm your choice. A message states that this action was successful.

Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices

Security Manager enables you to authenticate an IPS device, a Cisco IOS device, or a PIX/ASA/FWSM device by validating the certificate installed on the device. Note that this is true only for devices that use SSL as their transport protocol.

This procedure will help you manually add device certificates.

Before You Begin

Make sure that the certificate thumbprint (hexadecimal string) is available.

Tip If the thumbprint is not readily available, you can copy it from the error message that is displayed when you add a live device, a device from the network, or a device from the DCR. The error message reports whatever certificate was presented on the wire, so confirm the value against the thumbprint shown on the device itself, or obtained from the device administrator, before entering it.

Procedure

Step 1 Select Tools > Security Manager Administration.

Step 2 Click Device Communication. The Device Communication settings window opens.

Step 3 Ensure that the device type for which you are entering a certificate is set to Manually add certificates, then click Add Certificate. The Add Certificate dialog box appears. For a description of the fields in this dialog box, see Table A-6 on page A-15.

Step 4 Enter the Host Name or IP Address of the device.

Step 5 Enter the Certificate Thumbprint in its hexadecimal form.

Step 6 To initiate device contact, apply, and save changes, click OK. A confirmation dialog box states that changes were saved.

Note The OK button becomes active only when at least 32 hexadecimal characters (the length of an MD5 hash) of the thumbprint have been entered.

Step 7 Click OK in the message that indicates that the action was successful.

Step 8 From the Device Communication page, click Save.
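The three certificate authentication options on the Device Communication page (Step 4 of Defining Connection and Transport Protocol Settings in the UI) and the manual thumbprint entry in the procedure above together amount to a small pinning policy: Retrieve while adding devices pins whatever the device presents on first contact, Manually add certificates trusts only thumbprints an administrator entered, and Do not use certificate authentication checks nothing. The following Python model of that policy is an added example written for this page; it is not Security Manager code and assumes nothing about Security Manager's internal certificate data store. It hashes with MD5 because the guide describes a 32-character MD5 thumbprint; MD5 is collision-weak and newer tools pin SHA-256 digests, but the pin-and-compare logic is the same. The "certificates" are constructed byte strings standing in for DER-encoded device certificates, and the host names are made up.

```python
import hashlib
import logging
from enum import Enum

log = logging.getLogger("cert-store")


class CertMode(Enum):
    """The three certificate authentication settings on the Device Communication page."""
    RETRIEVE_WHILE_ADDING = "retrieve"   # pin whatever the device presents on first contact
    MANUALLY_ADD = "manual"              # trust only thumbprints an administrator entered
    NO_CERT_AUTH = "none"                # no validation: any certificate is accepted


def thumbprint(der_cert: bytes) -> str:
    """MD5 of the DER-encoded certificate as 32 lowercase hex characters.

    MD5 is what the 3.1 guide describes; it is collision-weak and a SHA-256
    digest would be the modern choice, but the pin-and-compare logic is identical.
    """
    return hashlib.md5(der_cert).hexdigest()


def normalize_thumbprint(text: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return canonical lowercase hex, or raise."""
    t = text.lower().replace(":", "").replace(" ", "")
    if len(t) != 32 or any(c not in "0123456789abcdef" for c in t):
        raise ValueError("thumbprint must be 32 hexadecimal characters")
    return t


class CertificateDataStore:
    """Per-host pinned thumbprints plus the validation policy selected in the UI."""

    def __init__(self, mode: CertMode):
        self.mode = mode
        self.pins = {}   # host -> thumbprint (hypothetical in-memory store)

    def add_manually(self, host: str, thumb: str) -> None:
        """Models the Add Certificate dialog: operator-supplied host and thumbprint."""
        self.pins[host] = normalize_thumbprint(thumb)

    def validate(self, host: str, presented_der: bytes) -> bool:
        """Return True if the SSL session to host may proceed."""
        presented = thumbprint(presented_der)
        if self.mode is CertMode.NO_CERT_AUTH:
            # Nothing is checked: an impostor or a man-in-the-middle passes here.
            log.warning("%s: accepting %s without validation", host, presented)
            return True
        pinned = self.pins.get(host)
        if pinned is None:
            if self.mode is CertMode.RETRIEVE_WHILE_ADDING:
                self.pins[host] = presented   # trust on first use
                log.info("%s: pinned %s on first contact", host, presented)
                return True
            log.error("%s: no thumbprint on file; add %s manually if it is correct",
                      host, presented)
            return False
        if pinned != presented:
            # A legitimate certificate renewal looks exactly like interception;
            # verify the new thumbprint out of band before re-pinning.
            log.error("%s: thumbprint mismatch, pinned %s presented %s",
                      host, pinned, presented)
            return False
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed stand-ins for DER certificates (real ones would be the device's bytes).
    genuine = b"constructed-der-certificate-for-fw1"
    impostor = b"constructed-der-certificate-from-somewhere-else"
    store = CertificateDataStore(CertMode.RETRIEVE_WHILE_ADDING)
    print("first contact:", store.validate("fw1.example.net", genuine))
    print("same cert:    ", store.validate("fw1.example.net", genuine))
    print("other cert:   ", store.validate("fw1.example.net", impostor))
```

The only mode in which a changed certificate is ever accepted silently is NO_CERT_AUTH, which is why the guide's Caution recommends against it; in the other two modes a mismatch is an error that an operator has to resolve, either by confirming a renewal and re-adding the thumbprint or by treating the device as compromised.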

Defining SSH by Editing the DCS Properties File

Security Manager works with both SSH transport protocol versions, SSH1 and SSH2.
SSH2 encryption algorithms (ciphers) are negotiated between the device and
Security Manager. Security Manager stores the device public keys in a
known_hosts file, found in the .../CSCOpx/MDC/be/tmp/.ssh directory. The
protocol version in use on a particular device is detected automatically and
used by Security Manager to deploy to that device. For managed devices that
support SSH1, the default encryption algorithm (cipher) is DES (Data Encryption
Standard). Both SSH1 and single DES are obsolete and give no meaningful
protection against an attacker on the management path, so prefer SSH2 on every
device that supports it and keep SSH1 only for devices that offer nothing else.
You make the following global changes to devices by editing the DCS properties
file:

Change the encryption algorithm for devices using SSH1.

Choose whether Security Manager applies changes in the SSH keys for a
device when these are updated directly on the device. A changed host key is
the only signal that distinguishes a reinstalled device from an impersonated
one, so if you let Security Manager accept changed keys automatically, make
sure you have another way of verifying key changes.

Edit a list of warning expressions generated during deployment for all
devices.

Note

You must restart the daemon manager for changes to take effect after you edit
the DCS.properties file.
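As an added example that is not Security Manager's own code, the following Python parses a known_hosts file of the kind described above, fingerprints the stored device keys, and classifies the key a device presents as matching, unknown, or changed, which is the decision the setting about applying changed SSH keys governs. It assumes the file uses the OpenSSH known_hosts line format (host names, key type, base64 key blob); whether Security Manager's file matches that format exactly is an assumption. The key blobs are built from small dummy numbers so the block runs offline and are not real device keys.

```python
"""Fingerprinting and change detection for stored SSH device host keys.

Added example, not Cisco Security Manager code.  Assumes the known_hosts
file uses the OpenSSH line format (host[,host...] key-type base64-blob);
whether Security Manager's file matches that format exactly is an assumption.
The key blobs are constructed from dummy numbers and are not real device keys.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': two's-complement big-endian, so a leading 0x00 is
    added whenever the top bit of the first byte would read as negative."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def rsa_key_blob(e: int, n: int) -> bytes:
    """Public key blob for an ssh-rsa key: the 'ssh-rsa' tag, then e, then n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_known_hosts(text: str) -> dict:
    """Map each plain host name or address to (key type, decoded key blob).

    Comment lines, hashed hosts ('|1|...') and '@marker' lines are skipped,
    and a malformed line is ignored rather than trusted.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "|", "@")):
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for host in hosts.split(","):
            entries[host] = (keytype, blob)
    return entries


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known: dict, host: str, keytype: str, blob: bytes) -> str:
    """Classify the key a device presents against the stored entry.

    'changed' is the result that matters: a reinstalled device and a
    man-in-the-middle look identical here, so accepting it automatically
    (as an "apply changed keys" setting would) discards the only signal
    that separates them.  Verify the new fingerprint on the device console
    before replacing the stored entry.
    """
    stored = known.get(host)
    if stored is None:
        return "unknown"
    return "match" if stored == (keytype, blob) else "changed"


# Constructed sample: dummy moduli, not real device keys.
DEVICE_KEY = rsa_key_blob(65537, 0xC0FFEE1234567890ABCDEF)
ROGUE_KEY = rsa_key_blob(65537, 0xDEADBEEF0123456789)
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample, not a capture of a Security Manager server\n"
    f"10.0.0.1 ssh-rsa {base64.b64encode(DEVICE_KEY).decode()}\n"
    f"fw-edge,10.0.0.2 ssh-rsa {base64.b64encode(DEVICE_KEY).decode()}\n"
    "|1|hashedhost|notparsedhere ssh-rsa AAAA\n"
)


if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, (ktype, blob) in known.items():
        print(f"{host:10} {ktype} {fingerprint_sha256(blob)}")
    print(check_host_key(known, "10.0.0.1", "ssh-rsa", DEVICE_KEY))  # match
    print(check_host_key(known, "10.0.0.2", "ssh-rsa", ROGUE_KEY))   # changed
    print(check_host_key(known, "10.0.0.9", "ssh-rsa", DEVICE_KEY))  # unknown
```

Point parse_known_hosts() at the contents of the known_hosts file in the .ssh directory named above to list what Security Manager currently trusts; the MD5 form is included because older device software and older ssh-keygen versions print that format, the SHA-256 form because current OpenSSH does.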
Related Topics

Managing Devices, page 5-1

Preparing the Devices for Security Manager to Manage, page 5-2

Working with Device Groups

Grouping devices enables you to view a subset of devices that share group
attributes.
You can create groups and assign devices to them when you add devices, or you
can create the groups later, using the Device Groups page under the Tools menu.
From the Device Groups page, you can create group types and groups, delete
groups, and modify group names. To access this page, select Tools > Security
Manager Administration > Device Groups. For the procedure, see Working With
Device Groups, page 5-59.

Note

Device groups and subgroups are simple, arbitrary, organizational collections of
devices that you create for more effective network visualization. They are not
policy-sharing entities, and they are distinct from the various policy object
groups (for example, AAA server group objects, service group objects, and user
group objects).
Related Topics

Understanding Device Grouping, page 5-57

Working With Device Groups, page 5-59


Adding Devices to Device Groups, page 5-62

Edit Device Groups Page, page C-66

Defining Discovery Settings


From the Discovery page you can define how long to keep a record of discovery
and device-import tasks. Any tasks older than the number of days you specify are
deleted. You can also determine whether to substitute matching named objects
that are already defined in Security Manager for inline values found in the
CLI, and whether to roll back all policies if an error is encountered during
policy discovery.
This procedure will help you define settings for policy and device discovery.
Procedure
Step 1

Click Tools > Security Manager Administration.

Step 2

Click Discovery. The Discovery page appears in the right-hand pane. For a
description of the fields on this page, see Table A-9 on page A-18.

Step 3

To prepend device names when generating security context names, select the
Prepend Device Names when Generating Security Context Names check box.

Note

By selecting this option, you disable Security Manager's method for ensuring
unique names. Instead, Security Manager appends a number to any duplicate
name it encounters (so, for example, the name mydevice, when encountered a
second time, is rendered as mydevice_01).

Step 4

To change the number of days you keep discovery and device import tasks, enter
a new value in the Purge discovery tasks older than (days) text field.

Step 5

To substitute any named policy objects already defined in Security Manager for
inline values in the CLI, select the Reuse policy objects for inline values check
box. For more information, see Preserving User-Defined ACL Names,
page 12-56.

Step 6

To override the parent object values at the device level for certain devices, select
the Allow Device Override for Discovered Policy Objects check box. For more
information see, Overriding Global Objects for Individual Devices, page 8-197.


Step 7

To roll back all discovered policies if even one error is encountered for a single
policy, select the On error, rollback discovery for entire device check box.

Step 8

To auto-expand object groups that have particular prefixes, type those prefixes in
the Auto-Expand object-groups with prefixes box. Separate the prefixes you type
with a comma. This expansion causes the specified items to display as separate
CLI during discovery. For more information see, Expanding Object Groups
During Discovery, page 12-49.

Step 9

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.

Step 10

Click Yes in the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.

Related Topics

Frequently Asked Questions about Policy Discovery, page 6-13

Understanding the Policy Object Manager Window, page 8-5

Administering IPS Update Settings


The administrative settings for IPS updates in Security Manager are contained on
the IPS Updates page. This section contains the following procedures for
establishing IPS update settings:
Establishing the IPS Update Server, page 2-78
Administering IPS Updates, page 2-79
Automating IPS Updates, page 2-80


Establishing the IPS Update Server


To obtain the latest IPS sensor update packages, you must first establish the
settings for the IPS update server that provides that update information.
This procedure will help you define settings for update server and update policy.
Procedure
Step 1

Click Tools > Security Manager Administration.

Step 2

Click IPS Updates. The IPS Updates page appears in the right-hand pane. For a
description of the fields on this page, see Table A-10 on page A-20.

Step 3

In the Update Server area, click Edit Settings.
The Edit Update Server Settings dialog box appears.

Step 4

Add (or modify) the following:

IP Address or Host Name

Web Server Port

Username

Password and confirmation (two fields)

Path to Update files

Step 5

To connect using SSL, select the Connect Using HTTPS check box.

Step 6

To enable a proxy server, select the Enable Proxy Server check box.

Step 7

In the proxy server area, add (or modify) the following:

IP Address or Host Name

Web Server Port

User Name

Password and confirmation (two fields)

Step 8

Click OK.


Tip

To test connectivity to the IPS server or proxy server, you can perform the IPS
update procedure. For information, see Administering IPS Updates, page 2-79.

Administering IPS Updates


From the Update Status section of the IPS Updates page you can view IPS update
status, check the availability of IPS updates, and download the latest IPS updates.
Before you can administer IPS updates you must establish the IPS update server.
For the procedure to establish the server, see Establishing the IPS Update Server,
page 2-78.
For more information on IPS in Security Manager, see Chapter 13, Managing
IPS Services.
This procedure will help you monitor and update IPS updates.
Procedure
Step 1

Click Tools > Security Manager Administration.

Step 2

Click IPS Updates. The IPS Updates page appears in the right-hand pane. For a
description of the fields on this page, see Table A-10 on page A-20.

Step 3

Review the status listing of IPS update information, as required.

Step 4

To determine whether new IPS updates are available, click Check for Updates.
The Checking Sensor Updates dialog box appears.

Step 5

Click Start.
Security Manager contacts the IPS update server for the information. When
finished, the results are listed in the Update Status section.

Step 6

To download the latest updates, click Download Latest Updates.
The Downloading Sensor Updates dialog box appears.

Step 7

Click Start.


Automating IPS Updates


Security Manager provides administrators with a variety of options for
automating the IPS updates. Checking for, downloading, applying, and deploying
IPS updates can be separately selected for automation. For more information
about using IPS for network sensing, see Understanding Network Sensing,
page 13-2.
From the Auto Update Settings section of the IPS Updates page you can:

Set the auto update mode

Specify the source of updates

Specify the notification email address for updates

Determine how to deploy updates

Specify the scope to which to apply automatic updates

This procedure will help you administer automatic IPS updates.


Procedure
Step 1

Click Tools > Security Manager Administration.

Step 2

Click IPS Updates. The IPS Updates page appears in the right-hand pane. For a
description of the fields on this page, see Table A-10 on page A-20.

Tip

If you have not done so already, establish an IPS update server. For
details, see Establishing the IPS Update Server, page 2-78.

Step 3

In the Auto Update Settings area in the lower portion of the IPS Updates page,
select an Auto Update Mode to establish the extent of automation. Choices
include:

Download, Apply, and Deploy Updates

Disable Auto Update (the default)

Check for Updates

Download Updates

Download and Apply Updates


Step 4

To specify the time to check for updates, enter the time (in hh:mm:ss format) in
the Check for Updates At field. Once enabled, the check runs daily at that time.

Step 5

To specify an email address to which update notification is sent, enter the address
in the Notify Email field.

Step 6

From the Deploy Updates list, select whether updates are to be deployed when
applied, or at a given time. If you select timed deployment, specify the
deployment time (in hh:mm:ss format) in the Time field. In non-Workflow mode,
when applied is the only choice.

Step 7

In the Apply Update To box, specify whether to apply updates to local or shared
Update Levels policies. If you select local policy update application, further
specify the extent of the policy update in the device selector that appears.

Step 8

Use the Devices Assigned to Selected Policies window to monitor which devices
are assigned to which policies.

Step 9

To modify existing signature update policies, perform the following steps:

a.

Select a device row and click Edit Row (pencil icon).

The Modify Signature Update Policies dialog box appears.

b.

From the Auto Update list, select the level of updates you want to apply to the
selected row. Choices include the following:

None (default)

Minor Updates and Service Packs

Service Packs

c.

To enable signatures to be automatically updated, select the Auto Update
Signature Update Level.

d.

Click OK.

Step 10

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults. Reset
and Restore Defaults do not apply to the settings in the Apply Update To
Table or to the setting in the Update Status area.


Administering Licenses
This section details license administration information and procedures. The
following topics cover both Security Manager licenses and IPS licenses:

Installing Security Manager License Files, page 2-82

Updating IPS License Files, page 2-85

Redeploying IPS License Files, page 2-86

Automating IPS License File Updates, page 2-87

Getting Help with Licensing, page 2-87

Installing Security Manager License Files


The terms of your Security Manager software license determine many things,
including the features that are available to you and the number of devices that you
can manage. For licensing purposes, the device count includes any physical
device, security context, or Catalyst security services module that uses an
IP address. Failover pairs count as one device.
When you upgrade from an earlier release, Security Manager does not prompt you
for a license; instead, it retains your license and continues to enforce its terms. If
you upgrade during a free evaluation, the remaining time in your evaluation
period does not change.

Note

For a complete list of Cisco part numbers for the Security Manager kits and
licenses that you can purchase, as well as information about the Cisco Software
Application Support service agreement contracts that you can purchase, see
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/prod_bulletin0900aecd8062bd79.html.
Two license types, Standard and Professional, are available, in addition to a free
90-day evaluation period, restricted to 50 devices.

Security Manager and IPS Manager share one base license file and share as
many other, additional licenses as you might purchase. To obtain the base
license, you must have (or obtain) a Cisco.com user ID, and you must register
your copy of the software on Cisco.com. When registering, you must provide
the Product Authorization Key (PAK) that is attached to the Software License
Claim Certificate inside the shipped software package.
If you are a registered Cisco.com user, start here:

http://www.cisco.com/go/license
If you are not a registered Cisco.com user, start here:

http://tools.cisco.com/RPF/register/register.do
After registration, the base software license is sent to the email address that
you provided during registration. Keep the license in a secure location.

Common Services does not require a license file.

Auto Update Server does not require a license file.

Your license files for Resource Manager Essentials (RME.lic) and
Performance Monitor (mcpULperm.lic) are in the \license_files folder on
your Security Manager installation DVD.

Standard Edition

If you purchase the Standard Edition, your license supports:

One installation of Security Manager on one Windows-based server.

The configuration or management of 5 devices (in the Standard-5 option) or
25 devices (in the Standard-25 option), excluding Catalyst 6500 and 7600
Series devices and their associated service modules.

If you purchase either the Standard-5 or Standard-25 license, you cannot purchase
an incremental device license. Your license is fixed at either 5 or 25 devices.
Professional Edition

If you purchase the Professional Edition, your license supports:

One installation of Security Manager on one Windows-based server.

The configuration and management of 50 devices of all kinds (including
Catalyst 6500 and 7600 Series devices and their associated service modules),
with an option to purchase additional device license increments of 50, 100,
500, or 1,000 devices.

License limits are imposed when you exceed the allotted time (in the case of the
evaluation license), or the number of devices that your license allows you to
manage. The evaluation license provides the same privileges as the Professional
Edition license. It is important that you register Security Manager as soon as you
can within the first 90 days, and for the number of devices that you need, to ensure
uninterrupted use of the product. Each time you start the application you are
reminded of how many days remain on your evaluation license, and you are
prompted to upgrade during the evaluation period. At the end of the evaluation
period, you are prevented from logging in until you upgrade your license.

Note

You must store your license files on a disk that is local to your Security Manager
server. Security Manager does not see mapped drives when you use it to browse
directories on your server. Windows imposes this limitation, which serves to
improve Security Manager performance and security. For more information,
log in to your Cisco.com account, then use the Bug Toolkit to look up
bug CSCsb43414.
Procedure

Step 1

Select Tools > Security Manager Administration.

Step 2

Click Licensing.

Step 3

Select the CSM tab. For a description of the fields on this page, see Table A-12
on page A-26.

Step 4

Click Install a License to begin product registration or to install a license
file you already have. If you already have the license file, go to Step 8.

Step 5

Perform either of the following steps to complete product registration and to
obtain a new production license from Cisco.com:
a.

Go to http://www.cisco.com/go/license (login required).

or

b.

Go to http://tools.cisco.com/RPF/register/register.do.

After you register, a Product Authorization Key (PAK) is sent to the e-mail
address you provided during registration. In addition to receiving a PAK and
license for Security Manager, you might receive one additional PAK for each
incremental device count pack you purchased. Retain these with your Cisco
Security Manager software records.


Step 6

Repeat Step 5 for each solution product you are licensing until all PAKs and
licenses have been sent. You must transfer the license files onto the Security
Manager server if they are not already there, using FTP or some other means. The
license file must be on a local drive like C: or D:, not on a mapped drive like O:,
or CSM cannot use it.

Step 7

Click Upgrade License again if the Upgrade License dialog box with the Browse
button is no longer visible.

Step 8

Click Browse to navigate to the folder containing the license file.

Step 9

Select the file.

Step 10

Click OK.

Updating IPS License Files


The following procedure details how to obtain and apply IPS license updates. For
information on how to configure Security Manager to automatically download
and apply IPS licenses on a regular schedule, see Automating IPS License File
Updates, page 2-87. For information on
Procedure
Step 1

Select Tools > Security Manager Administration.

Step 2

Click Licensing.

Step 3

Click on the IPS tab in the upper left of the page. For a description of the fields
on this page, see Table A-13 on page A-27.
The main window displays the current IPS license details, including the following
parameters:

Type

Device

Serial Number

Status (valid, invalid, expired, no license, or trial license)

Expiration date


Step 4

To update from a stored license file, click Update from License File. The
Updating Licenses from File dialog box appears.

Step 5

Click Browse.

Step 6

In the Choose the License Files window, navigate to the location of the license file
update, select it, and click OK. The license file is obtained and applied.

Step 7

To update licenses via CCO, select the device license to update and then click
Update Selected via CCO. Review the list of devices in the dialog box that
appears, and click OK.

Step 8

In the warning box, confirm the update by clicking OK. The license file is
obtained and applied.

Redeploying IPS License Files


The following procedure details how to redeploy IPS licenses in the event that the
update fails to apply the new license file. Redeployment requires that you first
perform an update.
Procedure
Step 1

Select Tools > Security Manager Administration.

Step 2

Click Licensing.

Step 3

Click on the IPS tab in the upper left of the page. For a description of the fields
on this page, see Table A-13 on page A-27.

Step 4

Select the IPS device or IPS devices to update.

Step 5

Click Redeploy Selected License.

Step 6

Review the list of devices in the dialog box that appears, and click OK.

Step 7

The License Update Status Details page appears and displays all relevant details
about the status of the license update for the IPS device(s) that was (were) selected
for update.


Automating IPS License File Updates


The following procedure details how to configure automatic IPS license
downloading and application. This sets Security Manager to download and apply
all license files on a regular basis with a frequency that you can determine.
Procedure
Step 1

Select Tools > Security Manager Administration.

Step 2

Click Licensing.

Step 3

Click on the IPS tab in the upper left of the page. For a description of the fields
on this page, see Table A-13 on page A-27.

Step 4

To set the system to automatically download and apply IPS licenses, select
Download and Apply Licenses Automatically.

Step 5

Select from the Check list how often Security Manager should check for new
licenses. You can specify the frequency of the checking as:

Daily: Once a day at midnight

Weekly: Once a week at midnight on Sunday

Monthly: Once a month at midnight on the first day of the month.

Getting Help with Licensing


If you have trouble using the registration website, contact the Licensing
Department in the Cisco Technical Assistance Center (TAC):

Phone: +1 (800) 553-2447

E-Mail: licensing@cisco.com

http://www.cisco.com/tac


Archiving Log Files


When state changes occur in Security Manager, an event is generated and an audit
entry is created in the audit log. You can display the aggregated results of the audit
entries by defining the parameters in the audit report page. The System
Administration Logs page enables you to determine how long to keep log files
archived.
This procedure will help you define the detail level and the purge settings for log
files.
Procedure
Step 1

Click Tools > Security Manager Administration.

Step 2

Click Logs. The Logs page appears in the right-hand pane. For a description of
the fields on this page, see Table A-18 on page A-31.

Step 3

To specify how many days to keep the logs, enter a new value in the Keep Audit
Log For text box.

Step 4

Click Purge Now to delete logs older than the number of days you specify.

Step 5

To specify the maximum number of audit log entries to keep, enter a new value in
the Purge Audit Log after text box.

Note

Logs are purged according to whichever maximum, days or entries, is
reached first.

Step 6

To specify how many days you keep the operation logs, enter a new value in the
Keep Operation Log For text box.

Step 7

Adjust the Log Level according to the amount of data you wish to capture.

Step 8

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.


Step 9

Click Yes to the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.

Related Topics

Audit Report Page, page Q-8

Understanding Audit Reports, page 20-7

Defining Policy Management Settings


Customizing policy management settings makes it possible, for example, to use
Security Manager to manage DHCP and NAT policies on Cisco IOS routers while
leaving routing protocol policies, such as EIGRP and RIP, unmanaged. These
settings, which can be modified only by a user with administrative permissions,
apply globally in Security Manager.
Unmanaged policies are removed from both Device view and Policy view. Any
unmanaged policies, local or shared, are removed from the Security Manager
database.
You cannot unmanage a policy type while policies of that type are configured and
assigned in Security Manager. You must first remove the assignments and then
unmanage the policy type. If the configurations defined by those policies have
already been deployed, they are left in place on the devices, but the policies
are no longer stored in the database or accessible from the Security Manager
interface.

Tip

You can make changes to unmanaged policies using FlexConfigs (see
Understanding FlexConfig Objects, page 8-52) or the CLI.
This procedure will help you define Cisco IOS router policy settings.
Procedure

Step 1

Click Tools > Security Manager Administration.


Step 2

Click Policy Management. The Policy Management page appears in the
right-hand pane. For a description of the fields on this page, see Table A-19 on
page A-33.

Step 3

Expand NAT and Router Platform folders to see a complete list of those policy
types.

Step 4

Deselect the check boxes for each policy type that you do not want to manage
using Security Manager.

Step 5

Click Save to apply and save changes. You receive a warning message that
unmanaged policies will be removed from Device view and Policy view.
If policies of a type you deselected are assigned to even one device, an error is
displayed. The error message lists the names of the policies that are assigned,
the devices to which they are assigned, and the name of the user or activity
associated with this action.

Note

If you get this error message, click Cancel and manually remove the
assignments in Policy view or Device view, after which you can repeat
this procedure from Step 1. If the activities of other users are involved,
you need to have these users remove the assignments in question. For
detailed procedures, see Working with Activities, page 7-9.

Step 6

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.

Step 7

Click Yes in the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.

Related Topics

Advanced Policy Features, page 6-49

Managing Policies, page 6-1

Managing Routers, page 14-1

Managing Shared Policies in Policy View, page 6-40

Understanding Policies, page 6-1

Defining Policy Object Settings


Two different types of settings can be defined from the Policy Objects settings
page. When you are about to create an object whose definition conflicts with, or
matches identically, the definition of another object, you can have
Security Manager warn you, prevent the action, or, if appropriate, ignore the
event completely. You can also define port list ranges for service ports from
this page.
This procedure will help you define policy object settings.
Procedure
Step 1

Click Tools > Security Manager Administration.

Step 2

Click Policy Objects. The Policy Objects page appears in the right-hand pane.
For a description of the fields on this page, see Table A-20 on page A-34.

Step 3

Select the action you want Security Manager to take when you try to create a
policy object that is identical to an existing object.

Step 4

To change Default Source Ports used in the creation of Port List Objects, use the
list to the right of the Default Source Ports field.

Note

If you change the default source port, you must manually redeploy any
deployed devices that might be affected. These redeployments might not
be reflected in any open activities until you refresh the data.

Step 5

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.

Step 6

Click Yes in the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.

Related Topics

Managing Objects, page 8-1

Working with Server Security


Common Services provides the administrative functions that control a user's
access in Security Manager. Security Manager provides access to these functions
through the Application Security page. The buttons found on the Application
Security page are a series of buttons that open Common Services functions.
When you log in to Security Manager, your username and password are compared
with the account information stored in the CiscoWorks or Cisco Secure Access
Control Server (ACS) database, depending on which you established at
installation as your AAA provider. After your credentials are authenticated,
you have access according to the role you have been assigned.
For more information on Security Manager roles and privileges, including
descriptions of how Common Services roles translate to user functions in Security
Manager, see Setting Up User Permissions, page 2-3.
This procedure will help you modify Common Services security settings in
Security Manager. Further details on each function are available from the
Common Services Help system.
Procedure


Step 1

Click Tools > Security Manager Administration.

Step 2

Click Server Security. The Server Security page appears in the right-hand pane.
For a description of the fields on this page, see Table A-21 on page A-35.

Step 3

To adjust AAA mode setup, including login modules, click AAA Setup. The
Common Services AAA Mode Setup page appears. Make changes as necessary;
for details, click Help from the Common Services window or refer to the Common
Services user documentation.

Step 4

To create or change the details of the self-signed certificate setup, click
Certificate Setup. The Common Services Certificate Setup page appears. Make
changes as necessary; for details, click Help from the Common Services window
or refer to the Common Services user documentation.

Step 5

To create or change the details of the single sign-on setup, click Single Sign On.
The Common Services Single Sign-On Setup page appears. Make changes as
necessary; for details, click Help from the Common Services window or refer to
the Common Services user documentation.

Step 6

To add or delete users or change the details of user permissions, click Local User
Setup. The Common Services Local User Setup page appears. Make changes as
necessary; for details, click Help from the Common Services window or refer to
the Common Services user documentation.

Step 7

To create or change the details of the system identity setup, click System Identity
Setup. The Common Services System Identity Setup page appears. Make
changes as necessary; for details, click Help from the Common Services window
or refer to the Common Services user documentation.

Step 8

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.

Step 9

Click Yes to the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.


Related Topics

Default Associations Between Permissions and Roles in Security Manager, page 2-32

Understanding Cisco Secure ACS Roles, page 2-29

Understanding CiscoWorks Roles, page 2-27

Working with Status Providers


Deployment and Monitoring Center for Performance (Performance Monitor) are
the two status providers you can enable in this release. As a status provider,
Performance Monitor collects the status of events, such as VPN tunnels, device
connectivity, and CPU usage thresholds, and reports them to Security Manager.
Enabling Deployment as a status provider allows Security Manager to report
whether deployment succeeded or failed. Deployment is enabled by default on
the Status page.
Performance Monitor, which is an external status provider, must be registered
with Security Manager and must be authenticated by Security Manager before it
can send status on the events it is monitoring. Once its credentials are
authenticated, Security Manager begins to receive the status of events. This
procedure will help you add and enable status providers.
Procedure
Step 1

Click Tools > Security Manager Administration.

Step 2

Click Status. The Status page appears. For a description of the fields on this page,
see Table A-22 on page A-37.

Note

Click the Provider column header to sort the Providers table according to
the contents of that column. Click the column header again to sort the
table in reverse order.

Step 3

Details about deployment to specific devices on the Status tab of the Inventory
Status window are enabled by default. To turn these off, deselect the
Deployment check box.


Step 4

To enable Performance Monitor, select Enabled from the list in the Status column
to have Security Manager poll this provider for event status. If you do not select
Enabled, the status provider definition is retained, but Security Manager will not
poll the provider for updates.

Step 5

Click the Add button. The Add Status Provider dialog box opens. After you
complete the definition, the new provider is listed in the Providers table. You can
add up to five status providers. For more information, see Add Status Provider
Dialog Box, page A-38.

Step 6

To edit a status provider, select a row in the Providers table, then click the Edit
button. The Edit Status Provider dialog box opens. For more information, see Add
Status Provider Dialog Box, page A-38.

Step 7

To delete a status provider, select a row in the Providers table, then click the
Delete button. You are prompted to confirm the deletion. Click Yes to confirm the
deletion.

Step 8

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.

Step 9

Click Yes to the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.

Related Topics

Add Status Provider Dialog Box, page A-38

Edit Status Provider Dialog Box, page A-39

Inventory Status Window, page Q-6

Understanding Inventory Status, page 20-6


Taking Over Another User's Work


A user with administrative privileges can take over the work of another user from
the Take Over User session page in non-Workflow mode. This feature is useful
when a user is working on devices and policies, causing the devices and policies
to be locked, and another user needs access to the same devices and policies.

Note

You can take over another user session only if you have administrator privileges
and are working in non-Workflow mode.

This procedure will help you take over the user session of another user.
Procedure

Step 1

Click Tools > Security Manager Administration.

Step 2

Click Take Over User Session. The Take Over User Session page appears in the
right-hand pane. For a description of the fields on this page, see Table A-25 on
page A-42.

Step 3

Click to highlight the user session you want to take over.

Step 4

Click Take over session.

Step 5

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.

Step 6

Click Yes to the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.

Related Topics

Activities and Multiple Users, page 7-5

Understanding Activities, page 7-2


Defining TMS (Token Management System) Settings


Security Manager uses FTP to deploy the configuration file to the TMS server,
from which it can be downloaded and encrypted onto an eToken. Security
Manager uses the server settings and passwords you provide to connect to the
TMS server.

Note

To use TMS with Cisco IOS routers, you must specify TMS as the transport
protocol in the device properties. (This is set by going to Device properties > DCS
settings > Transport protocols. See Working with Device Policies, page 5-54.)
You must also configure the TMS server as an FTP server; otherwise deployment
will fail.

This procedure will help you configure TMS server settings.
Procedure

Step 1

Select Tools > Security Manager Administration.

Step 2

Click Token Management. The Token Management settings window opens. For
a description of the fields on this page, see Table A-26 on page A-43.
The TMS server name, password information, directory where configuration files
are to be copied, and public key file information fields all display defaults.

Step 3

Add or modify any of the following:

Server Name or IP Address

Username

Password and confirmation (two fields)

Directory on the TMS server onto which configuration files are to be copied

Public key full path location on the TMS server

Step 4

Click Save to apply and save changes. A confirmation dialog box states that
changes were saved.

Note

You can restore all values to their previous settings by clicking Reset, or
you can restore the system defaults by clicking Restore Defaults.


Step 5

Click Yes to the confirmation dialog box to confirm your choice. A message
indicates that this action was successful.

Related Topics

Understanding Deployment, page 18-1

Understanding Device Properties, page 5-51

Configuring VPN Policy Defaults


You use the VPN Policy Defaults page to view or assign the default VPN policies
that Security Manager uses for each IPsec technology.
Security Manager uses VPN policy defaults to simplify VPN configuration while
ensuring that policy consistency is maintained. Security Manager provides
mandatory policies as factory defaults, which means they are configured on the
devices in your VPN topology with predefined values, depending on the assigned
IPsec technology. Factory default policies with their default configurations enable
you to deploy to your devices immediately after creating the VPN topology.
Factory default policies are private policies and are not viewable. Optional
policies are not provided as factory defaults.
When you create a new VPN topology using the Create VPN wizard, you can
configure new policies and, if you want, configure those policies as shared
policies. You can assign an approved shared policy as a default policy. For more
information, see Understanding VPN Default Policies, page 9-12.
The VPN Policy Defaults page in the Security Manager Administration section
presents eight tabbed areas. Six of these tabs are for the following VPN
technologies:

DMVPN

Large Scale DMVPN

Easy VPN

IPsec/GRE

GRE Dynamic IP

Regular IPsec


The other two tabs on this page cover default settings for S2S (site-to-site)
Endpoints and Remote Access.
This procedure will help you view and configure VPN policy defaults. For
information on assigning default VPN policies, see Assigning Default Policies to
Your VPN Topology, page 9-31.
Procedure
Step 1

Select Tools > Security Manager Administration.

Step 2

Click VPN Policy Defaults. For a description of the fields on this page, see VPN
Policy Defaults Page, page A-44.

Step 3

Click on the tab for the VPN technology for which you want to view or configure
the defaults.
The names of the VPN policy defaults for the technology you selected are
displayed.

Step 4

To change a policy's default assignment, select the new policy from the
drop-down list and then click Save.

Note

In the drop-down list, Security Manager displays all assignable shared
policies.

Step 5

To view the setting details of a particular default policy, click View Content.

Note

Some policy types have empty factory defaults. When you try to view the
content of an empty policy type, you receive the following message:
Info- There are no policy defaults for this policy type.

Step 6

Click Save to save and apply changes. A message confirms that your changes
were saved successfully.

Note

Click Reset to restore all fields and check boxes to their previous values.
Click Restore Defaults to restore Security Manager defaults.


Related Topics

VPN Policy Defaults Page, page A-44

Understanding VPN Default Policies, page 9-12

Assigning Default Policies to Your VPN Topology, page 9-31

Assigning the Default Remote Access VPN Policies, page 10-11


Chapter 3

Working with the Security Manager User Interface

The following topics describe how to use the Security Manager user interface:

Logging In to and Exiting Security Manager, page 3-2

Security Manager User Interface Overview, page 3-4

Security Manager Views, page 3-5

Menu Bar Reference, page 3-10

Toolbar Reference, page 3-19

Using Selectors, page 3-20

Using Wizards, page 3-22

Using Rules Tables, page 3-22

Using Text Boxes, page 3-30

Selecting a File or Directory on the Server File System, page 3-31

Accessing Online Help, page 3-32


Logging In to and Exiting Security Manager


Security Manager has two interfaces:

Cisco Security Management Suite home page: Use this interface to install
the Security Manager client and to manage the server. You can also access
other CiscoWorks applications you installed, such as Resource Manager
Essentials (RME).

Security Manager client: Use this interface to perform most Security
Manager tasks.

These topics describe logging in to, maintaining, and exiting these interfaces:

Logging In to the Cisco Security Management Suite Server, page 3-2

Logging In to and Exiting the Security Manager Client, page 3-3

Server Connection Status and the Idle Timeout, page 3-4

Logging In to the Cisco Security Management Suite Server


Use Cisco Security Management Suite, and CiscoWorks Common Services, to
install the Security Manager client and to manage the server. You can also access
other CiscoWorks applications you installed, such as RME.
Procedure
Step 1

In your web browser, open http://SecManServer:1741, where SecManServer is
the name of the computer where Security Manager is installed.

Note

If you are using SSL, the default URL is https://SecManServer:443.

The CiscoWorks login screen is displayed. Verify on the page that JavaScript and
cookies are enabled and that you are running a supported version of the web
browser. For information on configuring the browser to run Security Manager, see
the Security Manager Installation Guide on Cisco.com.


Step 2

Log in to the Cisco Security Management Suite server with your username and
password. When you initially install the server, you can log in using the username
admin and the password defined during product installation. Click Yes on any
Security Alert windows.

Tip

From the Cisco Security Management Suite page, you can manage the
server, install the client, and access other applications installed on the
server.

Step 3

To go to the regular CiscoWorks home page click CiscoWorks.

Step 4

To exit the application, click Logout in the upper right corner of the screen.

Logging In to and Exiting the Security Manager Client


Use the Security Manager client to perform most Security Manager tasks.
Before You Begin

Install the client on your computer. To install the client, log into the Security
Manager server as described in Logging In to the Cisco Security Management
Suite Server, page 3-2. Then, click Cisco Security Manager Client Installer and
follow the instructions in the installation wizard.
Procedure
Step 1

Select Start > Programs > Cisco Security Manager > Cisco Security Manager
Client to start the client.

Step 2

In the Security Manager login window, select the server to which you want to log
in, and enter your Security Manager username and password. Click Login.
The client logs in to the server and opens the client interface.

Step 3

To exit Security Manager, select File > Exit.


Server Connection Status and the Idle Timeout


Security Manager maintains the connection between your client system and the
Security Manager server.
If the client detects that it has lost the connection to the server, you are
notified by an error popup suggesting that you investigate the connection and
restart the session.
If you do not use Security Manager for a period of time, your connection to the
server closes. The default timeout period is 120 minutes. You can change or
disable the idle timeout.
Related Topics

Customizing Your Desktop, page 2-64

Security Manager User Interface Overview


The interface you employ to use Security Manager consists of a series of dynamic
parts. Foremost among the interface parts are the three views:

Device view

Policy view

Map view

Each view presents a different way to access Security Manager functionality.
What you can do, and how you do it, are determined by the view you select. In the
Device and Policy views you see two selectors on the left and a work area on the
right. In each of these, your selection in the upper selector determines what you
can select in the lower selector. Your selection in the lower selector determines
what you view in the work area. This design enables you to quickly and easily drill
down to the network details that you want to view or edit.
Map view presents your network in a topographical manner. A small navigation
window enables you to determine the portion and scale of the displayed map.
For more information on the three views, see Security Manager Views, page 3-5.
The View menu contains navigation commands that change the contents of the
work area in the main window. For more information about the View menu, see
View Menu, page 3-12.


Typically, you perform most functions in Security Manager from the work area.
Alternatively, you can open work areas in separate windows, called tools. This
design enables you to maintain your location in the current work area while you
do related work using tools. For example, the Policy Object Manager tool appears
in a separate window, allowing you to create policy objects while maintaining
your location in the work area.
The Tools menu contains commands that open a tool in a separate window. For
more information about the Tools menu, see Tools Menu, page 3-15.
The main toolbar contains navigation buttons that open functional areas of the
user interface. For more information about these navigation buttons, see Toolbar
Reference, page 3-19.
Comprehensive details on other interface elements, including the menu bar, online
help, selectors, wizards, tables, and text boxes are presented in the following
sections:

Menu Bar Reference, page 3-10

Toolbar Reference, page 3-19

Using Selectors, page 3-20

Using Wizards, page 3-22

Using Rules Tables, page 3-22

Using Text Boxes, page 3-30

Accessing Online Help, page 3-32

Security Manager Views


This section provides an illustrated interface overview of each Security Manager
view:

Device View Interface Overview, page 3-6

Policy View Interface Overview, page 3-9

Map View Interface Overview, page 3-7

You can find details on using each Security Manager view in the following
chapters:

Chapter 5, Managing Devices


Chapter 6, Managing Policies

Chapter 4, Using Map View

Device View Interface Overview


Figure 3-1 identifies the functional areas of the Device view.

Figure 3-1 Device View Interface

(Figure not reproduced; its numbered callouts are listed below.)

Title bar

Menu bar

Toolbar

Work area

Policy selector

Device selector

The title bar displays the following information about Security Manager:

Your login name.

The name of the Security Manager server to which you are connected.

If Workflow mode is enabled, the name of the open activity.

Related Topics

Chapter 5, Managing Devices

Menu Bar Reference, page 3-10

Toolbar Reference, page 3-19

Using Selectors, page 3-20

Map View Interface Overview


Figure 3-2 identifies the functional areas of the Map view.

Figure 3-2 Map View Interface

(Figure not reproduced; its callouts are listed below.)

menu bar

navigation window

map toolbar

map

Related Topics

Appendix B, Map View User Interface Reference

Chapter 4, Using Map View

Toolbar Reference, page 3-19

Using Selectors, page 3-20

Policy View Interface Overview


Figure 3-3 identifies the functional areas of the Policy view.

Figure 3-3 Policy View Interface

(Figure not reproduced; its numbered callouts are listed below.)

Title bar

Menu bar

Toolbar

Policy type selector

Policy filter

Shared policy selector

Work area

Related Topics

Appendix D, Policy User Interface Reference

Chapter 6, Managing Policies

Menu Bar Reference, page 3-10

Toolbar Reference, page 3-19


Using Selectors, page 3-20

Menu Bar Reference


The menu bar contains menus with commands for using Security Manager.
Commands may become unavailable depending on the task you are performing.
The menus in the menu bar are described in the following topics:

File Menu, page 3-10

Edit Menu, page 3-11

View Menu, page 3-12

Policy Menu, page 3-13

Map Menu, page 3-14

Tools Menu, page 3-15

Activities Menu, page 3-17

Help Menu, page 3-18

File Menu
Table 3-1 describes the commands on the File menu. The menu items differ
depending on the workflow mode.

Table 3-1 File Menu

Command | Description
New Device | Initiates the wizard to add a new device.
Clone Device | Creates a device by duplicating an existing device. See Cloning a Device, page 5-55.
Delete Device | Deletes a device. See Deleting Devices from the Security Manager Inventory, page 5-56.
Save | Saves any changes made on the active page, but does not submit them to the Security Manager database.


Table 3-1 File Menu (continued)

Command | Description
View Changes | Opens the Activity Change Report (PDF) for the current activity (or configuration session in non-Workflow mode).
Validate | Validates the changes you have saved. See Validating an Activity, page 7-13.
Submit | Submits all changes made since the last submission to the Security Manager database.
Submit Deploy | Submits all changes made since the last submission to the Security Manager database and deploys all changes made since the last deployment. See Understanding Deployment, page 18-1.
Deploy | Deploys all changes made since the last deployment. See Understanding Deployment, page 18-1.
Discard | Discards changes.
Edit Device Groups | Edits device groups. See Working With Device Groups, page 5-59.
New Device Group | Adds a device group. See Creating Device Groups, page 5-60.
Add Devices to Group | Adds a device to a group. See Adding Devices to Device Groups, page 5-62.
Print | Prints the active page. Not all pages can be printed. If the Print command is not available, you cannot print the active page.
Exit | Exits Security Manager.



Related Topics

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Understanding Activities, page 7-2

Understanding Deployment, page 18-1

Edit Menu
Table 3-2 describes the commands on the Edit menu.


Table 3-2 Edit Menu

Command | Description
Cut | Cuts the selected text and saves it on the clipboard.
Copy | Copies the selected text and saves it on the clipboard.
Paste | Pastes the text from the clipboard to the cursor's location.
Add Row | Adds a row into the active table.
Edit Row | Edits a table row.
Delete Row | Deletes a table row.
Move Row Up | Moves a table row up in the table.
Move Row Down | Moves a table row down in the table.



Related Topics

Using Rules Tables, page 3-22

View Menu
The View menu contains commands to navigate within the user interface.
Table 3-3 describes the commands on the View menu.
Table 3-3 View Menu

Menu Command | Description
Device View | Opens Device view. See Device View Interface Overview, page 3-6.
Map View | Opens Map view. See Map View Interface Overview, page 3-7.
Policy View | Opens Policy view. See Policy View Interface Overview, page 3-9.

Related Topics

Menu Bar Reference, page 3-10


Policy Menu
The Policy menu contains commands for managing policies.
Table 3-4 describes the commands on the Policy menu.
Table 3-4 Policy Menu

Menu Command | Description
Share Policy | Saves the active local policy as a shared policy. See Sharing a Local Policy, page 6-28.
Unshare Policy | Saves the active shared policy as a local policy. See Unsharing a Policy, page 6-32.
Assign Shared Policy | Assigns shared policies to devices. See Assigning a Shared Policy to a Selected Device, page 6-33.
Unassign Policy | Unassigns the current policy from the selected device. See Unassigning a Policy, page 6-25.
Copy Policies Between Devices | Copies policies between devices. See Copying Policies Between Devices, page 6-23.
Share Device Policies | Enables you to share local device policies. See Sharing a Local Policy, page 6-28.
Edit Policy Assignments | Edits assignment of shared policies to devices. See Modifying Policy Assignments in Policy View, page 6-46.
Save Policy As | Saves a copy of a policy with a new name.
Rename Policy | Renames a policy.
Add Local Rules | Adds local rules to a shared policy on a device. You must select a rule-based shared policy to use this command.
Inherit Rules | Edits policy inheritance. See Inheriting Rules, page 6-54.
Discover Policies on Device | Discovers policies on a device. See Discovering Policies, page 6-7.
Discover VPN Policies | Opens the Discover VPN Policies wizard. See Site-To-Site VPN Discovery, page 9-13.

Related Topics

Chapter 6, Managing Policies


Appendix D, Policy User Interface Reference

Map Menu
The Map menu contains commands for using the Map view. The commands in this
menu are available only when the Map view is open.
Table 3-5 describes the commands on the Map menu.
Table 3-5 Map Menu

Menu Command | Description
New Map | Creates a map.
Open Map | Opens a saved map or the default map.
Show Devices On Map | Selects the managed devices to show on the active map.
Show VPNs On Map | Selects the VPNs to show on the active map.
Add Map Object | Creates a map object on the open map.
Add Link | Creates a Layer 3 link on the open map.
Find Map Node | Finds nodes on the open map.
Save Map | Saves the open map.
Save Map As | Saves the open map with a new name.
Zoom In | Zooms in on the map.
Zoom Out | Zooms out from the map.
Fit to Window | Zooms the open map to display the entire map.
Display Actual Size | Zooms the open map to display at actual size.
Refresh Map | Refreshes the open map with updated network data.
Export Map | Exports the open map to a file.
Delete Map | Deletes the map you select from a list.
Map Properties | Displays or edits properties for the open map.


Table 3-5 Map Menu (continued)

Menu Command | Description
Show/Hide Navigation Window | Displays or hides the navigation window on the open map.
Undock/Dock Map View | Undocks the map's window, allowing you to use other features while keeping the map open. If the window is already undocked, the Dock Map View command reattaches the window to the primary Security Manager window.

Related Topics

Appendix B, Map View User Interface Reference

Chapter 4, Using Map View

Tools Menu
The Tools menu contains commands that start tools, which run in a window
separate from the Security Manager main interface. This enables you to access
features without closing the page from which you are currently working.
Table 3-6 describes the commands in the Tools menu. For more information on
using tools, see Chapter 20, Using Tools.
Table 3-6 Tools Menu

Menu Command | Description
Device Properties | Provides general information about the device, credentials, the group the device is assigned to, and policy overrides. For more information, see Understanding Device Properties, page 5-51.
Policy Object Manager | Allows you to view all available objects grouped according to object type; access all object dialog boxes to create, copy, edit, and delete objects; and generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies. For information see Policy Object Manager Window, page F-3.
Site-to-Site VPN Manager | Enables you to configure site-to-site VPNs. See Chapter 9, Managing Site-to-Site VPNs.


Table 3-6 Tools Menu (continued)

Menu Command | Description
Deployment Manager | Enables you to deploy configurations and manage deployment jobs. See Chapter 18, Managing Deployment.
Activity Manager | Allows you to create and manage activities. See Activity Manager Window, page E-1.
Policy Discovery Status | Allows you to see the status of policy discovery and device import from the Policy Discovery Status page. See Viewing Policy Discovery Task Status, page 6-12.
Show Containment | Shows security contexts or service modules for a device. See Understanding Show Containment, page 20-5.
Inventory Status | Allows you to view and export device summary information for all devices. See Understanding Inventory Status, page 20-6.
Catalyst Summary Info | Allows you to view high-level system information, including any service modules, ports, and VLANs that Security Manager has discovered. See Catalyst Summary Info Page, page M-1.
Device Manager | Allows you to view several monitoring and diagnostic features that enable you to get information regarding the services running on the device and a snapshot of the overall health of the system. See Device Managers, page 21-2.
IPS Event Viewer | Allows you to view IPS events. See Managing IPS Services.
Apply IPS Update | Allows you to check for, download, view, and apply IPS signature and sensor updates. See Managing IPS Services.
Preview Configuration | Displays the proposed changes, last deployed configuration, or current running configuration for specific devices. See Preview Config Dialog Box, page O-8.
Device OS Management | Provides access to Resource Manager Essentials (RME) Software Image Manager (SWIM) and Inventory Reporting, according to access settings in the Security Manager administration pages. See Working With Device OS Management, page 20-6.
Audit Report | Allows you to generate audit report data according to parameters set in the audit report page. See Audit Report Page, page Q-8.


Table 3-6 Tools Menu (continued)

Menu Command | Description
Change Reports | Allows you to generate a table of changes to devices, shared policies, and building blocks within a given activity (Workflow mode) or configuration session (non-Workflow mode).
Configuration Archive | Stores archived device configuration versions and allows you to view, compare, and roll back from one configuration to another. See Configuration Archive Window, page Q-12.
Backup | Allows backing up of the Security Manager database using Common Services. See Backup and Restore, page 20-25.
Security Manager Diagnostics | Details administrative settings, recommends which settings to define first, and explains user permissions and access modalities. See Security Manager Diagnostics, page 20-26.
Security Manager Administration | Describes how to gather troubleshooting information and contact the Technical Assistance Center (TAC) for help.

Related Topics

Chapter 20, Using Tools

Appendix Q, Tools User Interface Reference

Activities Menu
The Activities menu contains commands for managing activities. It appears only
when Workflow mode is enabled.
Table 3-7 describes the commands in the Activities menu.

Table 3-7 Activities Menu

Menu Command | Description
New Activity | Creates an activity. See Creating an Activity, page 7-11.
Open Activity | Opens an activity. See Opening an Activity, page 7-12.
Close Activity | Closes an activity. See Closing an Activity, page 7-12.


Table 3-7

Activities Menu (continued)

Menu Command

Description

View Changes: Opens the Activity Change Report (PDF). See Understanding Activity Change Reports, page 7-17.

Validate Activity: Validates an activity. See Validation Dialog Box, page E-12.

Submit Activity: Submits an activity. See Submit Activity Dialog Box, page E-8.

Approve Activity: Approves an activity. See Approve Activity Dialog Box, page E-9.

Reject Activity: Rejects an activity. See Reject Activity Dialog Box, page E-10.

Discard Activity: Discards an activity. See Discard Activity Dialog Box, page E-11.

Related Topics

• Chapter 7, Managing Activities
• Appendix E, Activities User Interface Reference

Help Menu

The Help menu contains commands for accessing product documentation and training.

Table 3-8 describes the commands on the Help menu.

Table 3-8 Help Menu

Menu Command: Description

Help Topics: Opens the online help system.

Help About This Page: Opens online help for the active page.

JumpStart: Opens the JumpStart.

Security Manager Online: Opens the Security Manager web page on Cisco.com.

About Security Manager: Displays information about Security Manager.

Related Topics

• Accessing Online Help, page 3-32

Toolbar Reference

The main toolbar (see Figure 3-1) contains buttons that perform actions in Security Manager.

The buttons that appear on the main toolbar vary depending on whether Workflow mode is enabled. Table 3-9 lists all buttons.

Table 3-9 Security Manager Toolbar (the button icons of the original table are not reproduced; each entry describes one button)

• Opens the Device view. For more information, see Chapter 5, Managing Devices.
• Opens the Map view. For more information, see Chapter 4, Using Map View.
• Opens the Policy view. For more information, see Chapter 6, Managing Policies.
• Opens the Policy Object Manager tool. For more information, see Chapter 8, Managing Objects.
• Opens the Site-to-Site VPN Manager tool. For more information, see Chapter 9, Managing Site-to-Site VPNs.
• Opens the Deployment Manager tool. For more information, see Chapter 18, Managing Deployment.
• Opens the Audit Report tool. For more information, see Understanding Audit Reports, page 20-7.
• Submits and deploys changes. For more information, see Chapter 18, Managing Deployment.
• Opens online help for the current page. For more information, see Help Menu, page 3-18.
• Opens the Activity Manager window, where you can create and manage activities. For more information on the following activity buttons, and the conditions under which they are enabled, see Accessing Activity Functions, page 7-9.
• Adds a new activity.
• Opens an activity.
• Saves all changes made while the activity was open and closes it.
• Submits the activity for approval.
• Approves the changes proposed in an activity. Active when Workflow mode is enabled with an approver.
• Rejects the changes proposed in an activity. Active when Workflow mode is enabled with an approver.
• Discards the selected activity.
• Validates the integrity of changed policies within the current activity.

Using Selectors
Selectors appear in several places in the user interface; for example, the Device
selector in Device view (see Figure 3-1). These tree structures enable you to select
items (like devices) on which to perform actions. Several types of items can
appear in a selector, depending on the task you are performing.
The following topics describe how to use the standard features of the selector:

• Selecting Items from Selectors, page 3-21
• Managing Items in Selectors, page 3-21
• Filtering Items in Selectors, page 3-21

Selecting Items from Selectors

Items in selectors are presented in a hierarchy of folders according to their organization in Security Manager.

You can browse for items in a selector by expanding and collapsing folders, which can contain other folders, items, or a combination of folders and items. To expand and collapse a folder, click the arrow next to it. Select an item by clicking it.

The selectors support auto select. That is, when you type a single letter, the next folder or item in the selector that begins with that letter is selected.

Managing Items in Selectors

To manage an item in a selector, right-click the item to open its context menu. The commands in the context menu vary according to the item type.

For more information about the management options that appear in selectors, see the following topics:

• Chapter 5, Managing Devices
• Chapter 6, Managing Policies

Filtering Items in Selectors

To view a subset of the items in a selector, you can create filters to display only those items that match the criteria you specify. You can have a maximum of 10 filters per user for each selector. After that, when you create another filter, that new filter replaces the oldest filter. There is no duplication check for filters that are created. You cannot delete filters manually.

A filter list appears above all selectors that can be filtered. From this list, you can do the following:

• Select a filter that you created previously.
• Select None to see the tree without any filters applied to it.
• Select Create Filter to create a filter.

Each filter can contain several filter rules. Each filter rule specifies a rule type,
criteria, and values. You select whether items must match any or all filter rules
before they can be displayed in the selector.
The process for creating filters depends on the type of item that appears in the
selector. For more information about filtering specific types of selectors, see
Understanding Device Properties, page 5-51. For information on filtering tables,
see Filtering Tables, page 3-24.

Using Wizards

Some tasks that you can perform with Security Manager are presented as wizards. A wizard is a series of dialog boxes (or steps) that enables you to perform a task. The current step number and the total number of steps in the wizard are displayed in the wizard title bar.

Wizards share the following buttons:

• Back: Returns to the previous dialog box. Enables you to review and modify settings that you defined in previous wizard steps.
• Next: Continues to the next dialog box. If this button is unavailable, you must define some required settings in the current dialog box before you can continue. Required settings are marked with an asterisk (*).
• Finish: Finishes the wizard, saving the settings you defined. You can finish the wizard whenever this button is available. If this button is not available, you must define more settings.
• Cancel: Closes the wizard without saving any settings.
• Help: Opens online help for the wizard.

Using Rules Tables

Rules tables in Security Manager display the sets of rules (for example, access rules) that make up a policy.

Figure 3-4 shows the elements of a rules table.

Figure 3-4 Rules Table Example (callouts: Device and Policy Identification; Table filter; Table column headings; Inherited or local rules; New section heading; Work area with rules listed; Table tools menu; Table buttons)

The following topics describe standard features of rules tables:

• Filtering Tables, page 3-24
• Table Columns and Column Heading Features, page 3-26
• Understanding Rules Table Sections, page 3-27
• Working with Rules Table Data, page 3-27


• Using Main Menu Table Commands, page 3-29
• Using Rules Table Buttons, page 3-30

Filtering Tables

To view a subset of the items in a table, you can create filters to display only those rows that match the criteria you specify. You can have a maximum of 10 filters per user for each table. After that, when you create another filter, that new filter replaces the oldest filter. There is no duplication check for filters that are created. You cannot delete filters manually.

From the filter list, you can do the following:

• Select a filter that you created previously.
• Select Advanced Filter to create a filter.
• Select a type (column heading) from which to define a filter, for example, Service.
• Modify an existing filter.

Each filter can contain several filter rules. Each filter rule specifies a rule type, criteria, and values. You select whether rows must match any or all filter rules before they can be displayed in the table.
Procedure

Step 1 To filter a table, select a filter from the Filter list.

The table display is filtered according to the filter selected.

Step 2 To create a new filter, select Advanced Filter from the table filter list on the left. The Create Filter dialog box appears.

a. Select one of the radio buttons to determine the matching criteria. The choices are:
   Match Any of the Following (OR)
   Match All of the Following (AND)

b. Establish a filter rule by entering three criteria, as follows:

   • From the first list, select the type (column) to be filtered, for example, Name.
   • From the next list, select the operating criteria for the filter, for example, contains.
   • In the text box, type a value on which to filter, for example, Cisco.

c. Click Add.

Tip: If you make a mistake in forming the filter rule, select the rule and click Remove to delete it.

d. To add additional filtering rules, repeat steps b. and c.

e. Click OK.

The table display is filtered according to the new filter criteria, and the new filter is added to the filter list.

Step 3 To create a new filter by type, follow these steps:

Note: This method uses only AND logic. To use OR logic you must create the filter using Advanced Filter.

a. Select the type (for example, Destination) from the table filter list on the left. The selection appears in the filter list.

b. Next, select a matching criterion (for example, Contains) from the middle list.

c. In the third field, enter the value on which to filter.

d. Click Apply.

The table display is filtered according to the new filter criteria, and the new filter is added to the filter list.

e. To add an additional rule to the filter, repeat steps a. through d.

Note: You can continue to add rules to the current filter, and view the results, until you click Clear.

Step 4 To modify a filter, follow these steps:


Note: Modifications use only AND logic. To use OR logic you must create a new filter using Advanced Filter.

a. Select the filter from the table filter list on the left. The filter appears in the filter list and the table is filtered.

b. Select the type (for example, Destination) from the table filter list on the left. The selection appears in the filter list.

c. Next, select a matching criterion (for example, Contains) from the middle list.

d. In the third field, enter the value on which to filter.

e. Click Apply.

The table display is filtered according to the new filter criteria, and the new filter is added to the filter list.

Step 5 To remove an applied filter, click the Clear button on the top right portion of the filter page. All filtering is removed from the table.
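The filter semantics described for selectors (Filtering Items in Selectors) and for rules tables above, as an added Python model that is not Security Manager code: rules of column, criteria and value, Match Any (OR) versus Match All (AND), the AND-only filter-by-type path, and the 10-filters-per-user list that replaces the oldest filter without a duplicate check. The "equals" operator, the class and function names, and the access-rule rows are assumptions made for the example.

```python
"""Added example (not Security Manager code): a model of the filter semantics the
guide gives for selectors and rules tables: rules of (column, criteria, value),
matched with any (OR) or all (AND) logic, at most 10 filters per user with the
oldest replaced and no duplicate check. The "equals" operator is assumed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, List

MAX_FILTERS_PER_USER = 10  # per-user limit for each table or selector
Row = Dict[str, str]  # one table row: column heading -> cell text


@dataclass(frozen=True)
class FilterRule:
    column: str    # the type chosen from the first list, e.g. "Destination"
    criteria: str  # "contains" is the operator the guide names; "equals" is assumed
    value: str

    def matches(self, row: Row) -> bool:
        cell = row.get(self.column, "")
        if self.criteria == "contains":
            return self.value.lower() in cell.lower()
        if self.criteria == "equals":
            return cell.lower() == self.value.lower()
        raise ValueError(f"unknown criteria: {self.criteria}")


@dataclass
class TableFilter:
    name: str
    match_all: bool  # True: Match All of the Following (AND); False: Match Any (OR)
    rules: List[FilterRule] = field(default_factory=list)

    def add_rule(self, column: str, criteria: str, value: str) -> "TableFilter":
        self.rules.append(FilterRule(column, criteria, value))
        return self

    def accepts(self, row: Row) -> bool:
        if not self.rules:  # a filter with no rules hides nothing
            return True
        hits = [rule.matches(row) for rule in self.rules]
        return all(hits) if self.match_all else any(hits)

    def apply(self, rows: Iterable[Row]) -> List[Row]:
        return [row for row in rows if self.accepts(row)]


class FilterList:
    """The per-user filter list shown above a table or selector."""

    def __init__(self) -> None:
        # deque(maxlen=10) drops the oldest entry when an 11th is appended,
        # which is the replacement behaviour the guide describes.
        self._filters: Deque[TableFilter] = deque(maxlen=MAX_FILTERS_PER_USER)

    def advanced_filter(self, name: str, match_all: bool,
                        rules: List[FilterRule]) -> TableFilter:
        """Create Filter dialog box: AND or OR over several rules, no duplicate check."""
        flt = TableFilter(name, match_all, list(rules))
        self._filters.append(flt)
        return flt

    def filter_by_type(self, name: str, column: str, criteria: str,
                       value: str) -> TableFilter:
        """Filter by type (column heading): this path supports AND logic only."""
        flt = TableFilter(name, match_all=True).add_rule(column, criteria, value)
        self._filters.append(flt)
        return flt

    def names(self) -> List[str]:
        return [flt.name for flt in self._filters]


# Constructed sample rows, shaped like an access rules table.
ACCESS_RULES: List[Row] = [
    {"No.": "1", "Name": "dmz-web", "Source": "any", "Destination": "10.1.1.10", "Service": "tcp/443"},
    {"No.": "2", "Name": "mgmt-ssh", "Source": "10.0.0.0/24", "Destination": "10.1.1.10", "Service": "tcp/22"},
    {"No.": "3", "Name": "dmz-dns", "Source": "any", "Destination": "10.1.2.53", "Service": "udp/53"},
    {"No.": "4", "Name": "deny-all", "Source": "any", "Destination": "any", "Service": "ip"},
]


def demo() -> Dict[str, object]:
    """Exercise the creation paths and the 10-filter replacement rule."""
    user_filters = FilterList()
    or_filter = user_filters.advanced_filter("dmz-or-ssh", match_all=False, rules=[
        FilterRule("Name", "contains", "dmz"), FilterRule("Service", "contains", "22")])
    and_filter = user_filters.advanced_filter("dmz-https", match_all=True, rules=[
        FilterRule("Destination", "contains", "10.1.1"), FilterRule("Service", "equals", "tcp/443")])
    by_type = user_filters.filter_by_type("dst-10.1", "Destination", "contains", "10.1")
    by_type.add_rule("Service", "contains", "udp")  # repeating steps a. through d. adds an AND rule
    for i in range(9):  # 12 filters in total, so the two oldest are replaced
        user_filters.filter_by_type(f"extra-{i}", "Source", "contains", "any")
    return {
        "or_rows": [r["No."] for r in or_filter.apply(ACCESS_RULES)],
        "and_rows": [r["No."] for r in and_filter.apply(ACCESS_RULES)],
        "by_type_rows": [r["No."] for r in by_type.apply(ACCESS_RULES)],
        "filter_names": user_filters.names(),
    }
```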

Table Columns and Column Heading Features

Rules tables (and certain other types of tables) contain columns, each of which has a column heading in the heading row. These columns and their headings include the following features:

• Show/hide columns: Right-click the table heading row to open the context menu and then select Show Columns. This menu enables you to select which columns appear.

Note: The table for some policies does not display all available columns by default. You must right-click and use the Show Columns feature of the context menu to ensure that information from all columns can be viewed.

• Show Details/Show Summary: Right-click the table heading row to open the context menu and then select either Show Details or Show Summary. This toggling menu enables you to select whether to view detailed or summarized information in the table.
• Move columns: Click and drag a column heading to move the column to a new position.
• Resize columns: Click a column heading divider (when the cursor turns into an arrow) and drag it to resize the column.
• Sort by column headings: Click a column heading to sort the table by that column's contents. Click the same column heading again to reverse the sort order. The sorted column has an arrow next to its heading.

Understanding Rules Table Sections


Rules tables can contain sections, which contain groups of rules. Expand and
collapse these sections by clicking the arrow next to the section title.
The grouping of rules into sections is determined by policy inheritance. For more
information about policy inheritance, see Understanding Rule Inheritance,
page 6-50.

Working with Rules Table Data

To work with table data, you must select the data first. You can select rules table data at the following levels of granularity:

• Row
• Cell value
• Subcell value

When you open a table, the first row is selected by default. You can then select other data to work with. The selected data is highlighted.

Click the first cell in a row to select the row. Double-click the No. cell in a row to edit the row (or view its properties, if you do not have privileges to edit it). Right-click the first cell in a row to open the row context menu.

Click a cell or cell value (also referred to as a subcell) to select it. Double-click a cell or cell value to edit it (or view its properties, if you do not have privileges to edit it). Right-click a cell or cell value to open its context menu.

To select multiple contiguous rows, press the Shift key while clicking the first cell of the first and last rows. To select multiple non-contiguous rows, press the Ctrl key while clicking the first cell in each desired row. You can select only one cell or cell value at a time.

Table 3-10 describes the commands that appear in the rules table context menus. Other commands that are specific to the type of data you select can also appear in the context menus.
Table 3-10 Rules Table Context Menu Commands

Menu Command (1): Description

Edit Subcell Value: Edits the selected subcell value.

Remove Subcell Value: Removes the selected subcell value.

Show Subcell Value Contents: Displays the properties of the selected subcell value.

Edit Subcell Value Contents: Enables inline editing of the selected subcell value.

Create Object from Subcell Value: Creates a policy object from the selected subcell contents.

Find Usage: Identifies devices, policies, and other objects that use the value.

Edit Value: Enables inline editing of the cell value.

Show Value Contents: Flattens the value to display all of its components.

Create Object from Cell Contents: Creates a policy object from the selected cell content.

Remove Value: Deletes the selected cell value.

Add Row: Adds a row below the selected row.

Edit Row: Edits the selected row.

Delete Row: Deletes the selected row.

View Row: Displays the properties of the selected row.

Cut: Cuts the selected data.

Copy: Copies the selected data.

Paste: Pastes data in the current location. If the pasted data is a row, a new row is created below the selected row.

Move Row Up: Moves the row up one position in the table.

Move Row Down: Moves the row down one position in the table.

Include in New Section: Opens a dialog box for creating a new section in the table.

Enable/Disable: Enables or disables the rule in the table. A disabled rule is shown with hash marks.

1. Menu commands might vary depending on the value selected and user permissions.

Using Main Menu Table Commands

The Edit menu in the main menu contains commands for using rules tables, as detailed in Table 3-11.

Table 3-11 Edit Menu Rules Table Commands

Menu Command: Description

Insert Row: Inserts a row below the selected row.
Edit Row: Edits the selected row.
Delete Row: Deletes the selected row.
View Row: Displays the properties of the selected row.
Move Row Up: Moves the row up.
Move Row Down: Moves the row down.

Using Rules Table Buttons

Rules tables include the buttons described in Table 3-12. A rules table can also include other buttons that are specific to the policy type.

Table 3-12 Rules Table Buttons

Button: Description

Add Row: Adds a row.
Edit Row: Edits the selected row.
Delete Row: Deletes the selected row.
Up Row: Moves the selected row up in the table.
Down Row: Moves the selected row down in the table.

Using Text Boxes

Text boxes that can contain multiple text lines include several features to make them easier to use. These features are described in the following topics:

• Finding Text in Text Boxes, page 3-30
• Navigating Within Text Boxes, page 3-31

Finding Text in Text Boxes

Use the Find dialog box to find text within a multiple-line text field.

Procedure

Step 1 Click in a multiple-line text field.

Step 2 Press Ctrl+F. The Find dialog box opens.

Step 3 Enter the text to search for in the Find what field.

Step 4 To specify the direction of the search, select either Up or Down in the Direction field.

Step 5 To match the case of the text you entered, select the Match Case check box.

Step 6 Click Find. The next occurrence of your search text is highlighted in the text field.

Navigating Within Text Boxes

Use the Goto line dialog box to navigate to a specific line in a multiple-line text field.

Procedure

Step 1 Click in a multiple-line text field.

Step 2 Press Ctrl+G. The Goto line dialog box opens.

Step 3 Enter a line number in the Line number field.

Step 4 Click OK. The text field scrolls to the line number you entered.

Selecting a File or Directory on the Server File System

Catalyst 6500/7600 Device Manager (DM-6500/7600) uses a standard file system browser to enable you to select a directory or file from it.

Procedure

Step 1 Click Browse.

Step 2 In the Select a File dialog box, navigate to the directory or file.

Step 3 Select a file from the right pane.

Step 4 Click OK.

Accessing Online Help

To access online help for Security Manager, do one of the following:

• To open the main Security Manager online help page, select Help > Help Topics.
• To open context-sensitive online help for the active page, select Help > Help About This Page or click the Help button in the toolbar.
• To open context-sensitive online help for the active dialog box, click Help in the dialog box.

Related Topics

• Help Menu, page 3-18

CHAPTER 4

Using Map View

The following topics describe how to use the Map view:

• Understanding Maps, page 4-1
• Working With Maps, page 4-2
• Displaying Your Network on the Map, page 4-16
• Managing Firewall Services in Map View, page 4-24
• Managing VPNs in Map View, page 4-29
• Managing Device Policies in Map View, page 4-34

Understanding Maps
The Security Manager Map view provides a graphical view of your VPN and
Layer 3 network topology.
Using the map view, you can investigate details of your VPN configuration
graphically. Topological display of tunnels enables you to easily derive the
relationship among multiple VPN configurations (for example, a hierarchical
VPN). You can group devices to achieve a more complete picture of your VPN
configuration. This is useful in situations where a hub failover pair is a peer with
hundreds of spokes.
You can represent your Layer 3 network topology graphically, populating it with
managed devices (called device nodes). You can make the picture of the topology
more complete by adding unmanaged objects (called map objects) such as

devices, clouds, and networks. For large networks, you can choose to simplify the
topology graph by incorporating only a portion of the overall topology. You can
save the topology maps for future use.
You can save multiple topology maps to reflect your network's geographical or functional organization. You can link a saved map to a node on a parent map, so that from the parent map you can drill down to the linked map with more detailed information (for more information, see Using Linked Maps, page 4-11). Saved maps are shared among all users who have the necessary access privileges.
You can launch other Security Manager features from the map view. In some
cases, you can simplify the use of features by selecting nodes from the map before
you start another feature. For example, you can select multiple nodes, then create
a VPN that includes those nodes as members.

Working With Maps

A map is a representation of a portion of your network. You can create and save multiple maps to address your network management needs. To work with any map, you must be in Map view (select View > Map View).

After you create and save a map, the map is available to all users on the system who have at least read privileges to all the devices on the map. Users who do not have read privileges to a device on a map do not see the map in the list of existing maps when they try to open a map. For more information, see Access Permissions for Maps, page 4-3.

You can have only one map open at a time. If a map is open and you create a new map or open an existing map, you are prompted to save or discard any unsaved changes that you made to the current map.

Multiple users can open and modify a map at the same time. When a user saves changes to a map, any other users who are using the map are notified and have the option to do one of the following:

• Update their map to the version saved by the other user, losing any changes they have made.
• Save their version of the map as a new map, preserving any changes they made.

The following topics describe how to manage maps:

• Access Permissions for Maps, page 4-3
• Creating Maps, page 4-3
• Saving Maps, page 4-4
• Opening Maps, page 4-4
• Deleting Maps, page 4-5
• Exporting Maps, page 4-6

Access Permissions for Maps

Access to maps is controlled based on two systems of user privileges:

• Device privileges: You must have at least read privileges to all the devices in a map to open the map.
• Map privileges: Access to maps is based on your Security Manager user role. There are two levels of map access:
   Read-only: You can open maps, but you cannot modify them. If you have this map privilege level, the features for modifying maps are not available.
   Read-write: You can modify maps. All map modification features are available.
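The two privilege checks described above (read privileges on every device a map shows, plus the role-based read-only or read-write map privilege), as an added Python model that is not Security Manager code; the role names, the device sets, the user records and the function names are constructed for this example.

```python
"""Added example (not Security Manager code): a model of the two privilege
checks the guide applies to maps. A user can open a map only with at least read
privileges on every device the map shows, and whether the map can be modified
depends on the map privilege (read-only or read-write) that the user's role
carries. The role names and the privilege store are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List


class MapPrivilege(Enum):
    NONE = "none"
    READ_ONLY = "read-only"
    READ_WRITE = "read-write"


# Hypothetical role names; only the two privilege levels come from the guide.
ROLE_MAP_PRIVILEGE: Dict[str, MapPrivilege] = {
    "map-viewer": MapPrivilege.READ_ONLY,
    "map-editor": MapPrivilege.READ_WRITE,
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    readable_devices: FrozenSet[str]  # devices with at least read privileges


@dataclass(frozen=True)
class NetworkMap:
    name: str
    devices: FrozenSet[str]  # managed device nodes shown on the map


def map_privilege(user: User) -> MapPrivilege:
    """Map privilege level derived from the user's Security Manager role."""
    return ROLE_MAP_PRIVILEGE.get(user.role, MapPrivilege.NONE)


def missing_device_access(user: User, net_map: NetworkMap) -> List[str]:
    """Devices on the map the user cannot read; any entry blocks opening it."""
    return sorted(net_map.devices - user.readable_devices)


def can_open(user: User, net_map: NetworkMap) -> bool:
    # Both systems of privileges must allow it: the role must grant some map
    # access, and every device on the map must be readable by the user.
    return (map_privilege(user) is not MapPrivilege.NONE
            and not missing_device_access(user, net_map))


def can_modify(user: User, net_map: NetworkMap) -> bool:
    """Read-write map privilege is needed on top of being able to open the map."""
    return can_open(user, net_map) and map_privilege(user) is MapPrivilege.READ_WRITE


def available_maps(user: User, maps: Iterable[NetworkMap]) -> List[str]:
    """What the Open Map dialog box lists: maps whose devices are all readable."""
    return [m.name for m in maps if can_open(user, m)]


# Constructed sample data: two maps sharing one device, and three users.
HQ_DEVICES = frozenset({"hq-asa-1", "hq-asa-2", "hq-rtr-1"})
BRANCH_DEVICES = frozenset({"hq-asa-1", "br-rtr-1", "br-rtr-2"})
MAPS = [NetworkMap("hq-core", HQ_DEVICES), NetworkMap("branch-vpn", BRANCH_DEVICES)]
USERS = {
    "alice": User("alice", "map-editor", HQ_DEVICES | BRANCH_DEVICES),
    "bob": User("bob", "map-viewer", HQ_DEVICES),
    "carol": User("carol", "no-map-role", HQ_DEVICES | BRANCH_DEVICES),
}
```

A user who can read every device on a map but whose role carries no map privilege (carol) sees no maps at all, and a read-only user (bob) sees only the maps whose devices are all readable and cannot modify them.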
Related Topics

• Working With Maps, page 4-2
• Understanding Map Elements, page 4-16

Creating Maps

To create a new map, select Map > New Map. You must already be in Map view (select View > Map View).

New maps do not contain any elements. For information about adding elements to a map, see Displaying Your Network on the Map, page 4-16.

Related Topics

• Working With Maps, page 4-2
• Understanding Map Elements, page 4-16

Saving Maps
To save the active map, select Map > Save Map.
Any changes that you made since you last saved it are saved. If you did not save
the map previously, the Save Map As dialog box opens, enabling you to assign a
name to the map and save it.
If you close a map that contains unsaved changes, you are prompted to save the
changes.
If your Security Manager session closes automatically because of inactivity when
a map is open with unsaved changes, the current version of the map is saved if it
has a name. If you have not yet saved the map, the map is discarded. For example,
if you generate the default map, or create a new map, and do not save it before
your session times out, you cannot retrieve that map.
Related Topics

• Save Map As Dialog Box, page B-13
• Working With Maps, page 4-2
• Understanding Map Elements, page 4-16

Opening Maps
You can open any map that you have created. You can also open any map that
another user has created, provided you have the requisite permission settings with
regard to the devices shown on that map.
Before You Begin

You must be in Map view to open a map. Select View > Map View.

Procedure

Step 1 Select Map > Open Map. The Open Map dialog box opens.

Step 2 Select a map from the Available Maps list and click OK.

Related Topics

• Open Map Dialog Box, page B-13
• Working With Maps, page 4-2
• Understanding Map Elements, page 4-16

Deleting Maps

If you no longer need a map, you can delete it (presuming that you have edit permission). Deleting a map does not delete any devices or VPNs shown on the map, nor does it delete or modify their configurations; only the map is deleted.

Caution: When you delete a map, it is permanently deleted from the server. Other users cannot use the deleted map.

Before You Begin

You must be in Map view to delete a map. Select View > Map View.

Procedure

Step 1 Select Map > Delete Map. The Delete Map dialog box appears.

Step 2 Select the map to delete from the Available Maps list.

Step 3 Click OK.

Step 4 In the confirmation dialog box, click Yes.

The map is deleted.

Related Topics

• Working With Maps, page 4-2
• Understanding Map Elements, page 4-16

Exporting Maps

You can export a map to a scalable vector graphics (SVG) image file for use outside of Security Manager.

Note: You can import the SVG image file into Microsoft Visio Professional 2003, where you can modify and print the file.

Before You Begin

You must be in Map view to export a map. Select View > Map View.

Procedure

Step 1 Select Map > Export Map. The Export Topology Map to SVG dialog box opens.

Step 2 Browse to the location in which to save the file.

Step 3 Enter a filename in the File name field.

Note: As SVG is the only file type currently supported, you can ignore the Save as type field.

Step 4 Click Save.

The map file is saved, in SVG format, to the location you indicated.

Related Topics

• Working With Maps, page 4-2
• Understanding Map Elements, page 4-16

Navigating Maps

Several methods of navigating within a map enable you to see the portion of the map that you want, at the level of detail that you want.

The following topics describe how to navigate within a map:

• Using the Navigation Window, page 4-7
• Panning Maps, page 4-8
• Changing the Zoom Level of Maps, page 4-8
• Selecting Map Elements, page 4-9
• Centering Map Elements, page 4-9
• Using Map Layouts, page 4-9

Using the Navigation Window

The navigation window displays a smaller version of the entire active map. The shaded rectangle defines the area of the map that is currently displayed.

Use the navigation window to select the portion of the map to view and to change the map zoom level.

• To toggle the display of the navigation window on and off, select Map > Show/Hide Navigation Window.
• To pan the navigation control to select which portion of the map to display, click within the shaded rectangle and drag it to a new location.
• To change the zoom level, click and drag one of the resizing handles in the corners of the shaded rectangle to increase or decrease the area of the map displayed.

The title bar in the navigation window displays the name of the map. If the map has unsaved changes, an asterisk (*) appears next to the map name.

Related Topics

• Navigating Maps, page 4-7

Panning Maps

You can pan the map to select the portion of the map to display, using any of the following methods:

• Click the Pan Map toolbar button, then click and hold anywhere on the map and drag the cursor.
• Use the vertical and horizontal scroll bars that are available if the entire map does not fit in the visible page.
• Click and drag the shaded rectangle in the navigation window.

Related Topics

• Navigating Maps, page 4-7
• Using the Navigation Window, page 4-7

Changing the Zoom Level of Maps

You can change the zoom level of the map to select how much of the open map to display.

• To change the zoom level of the map in predefined increments:
   To zoom in on the map, select Map > Zoom In, or click the Zoom In toolbar button.
   To zoom out from the map, select Map > Zoom Out, or click the Zoom Out toolbar button.
• To zoom into a specific area of the map, click Zoom Rectangle in the map toolbar, then click the map and drag a rectangle around the area. When you release the mouse button, the map zooms to display the area defined by the rectangle.
• Alternatively, to zoom in to or out of a specific area of the map, click and drag the corner of the shaded rectangle in the navigation window.
• To display the entire map, select Map > Fit to Window.
• To display the map at actual size, select Map > Display Actual Size.

Related Topics

• Navigating Maps, page 4-7

Selecting Map Elements

Table 4-1 describes how to select map elements.

Table 4-1 Selecting Network Elements

To select...: Do the following

A single map element: Click the element.

Multiple noncontiguous map elements: Ctrl+click each element.

Multiple contiguous map elements: Click the map and drag a rectangle that includes the elements.

Centering Map Elements

To center the display of the map on a particular map element, right-click the element, then select Move to Center.

Using Map Layouts

You can automatically arrange the network nodes on the active map in several predefined layouts. Only nodes that are already displayed on the map are arranged. Any nodes that you later add do not follow the layout.

To select a map layout, right-click the map background, then select one of the following layouts from the map context menu:

• Hierarchical Layout: Arranges the nodes in a hierarchical layout.
• Radial Layout: Arranges the nodes in a radial layout.
• Circular Layout: Arranges the nodes in a circular layout.

Undocking the Map Window

You can undock the map window, which enables you to use other product features while keeping the map open.


Procedure
Step 1

To undock the map, select Map > Undock Map View.

Step 2

To dock the map window, select Map > Dock Map View.

Searching for Map Elements


This procedure describes how to find a node that is displayed on the active map.
Procedure
Step 1

Select Map > Find Map Node. The Find Node dialog box appears.

Step 2

Enter search criteria in the dialog box.


You can search for a node based on its name, interface IP addresses, and device
type. As you enter criteria, the list of nodes is updated to include only the devices
that match all of the entered criteria.

Step 3

Select the node to find from the node list, then click OK.
The selected node is highlighted and appears in the center of the map.

Related Topics

Find Node Dialog Box, page B-15

Refreshing Maps
The network data that is displayed on maps is typically updated as this data
changes. However, to be certain that a map displays current network data, you can
refresh it manually by selecting Map > Refresh Map.


Using Linked Maps


A linked map is a map that you associate with a map element on another map.
Because it is not practical to include all the nodes of a large network in a single
map, you can use linked maps to create a hierarchical topology of your network.
You cannot link a node to the open map.
Before You Begin

You must create the map to link to before you can link to it.
Procedure
Step 1

Right-click the map element to which to link a map, then select Set Linked Map.
The Set Linked Map dialog box opens.

Step 2

Select a map to associate with the selected map element, then click OK.

Step 3

To open the linked map, right-click the linked node, then select Open Linked
Map.

Related Topics

Set Linked Map Dialog Box, page B-19

Using the Default Map


You can create a default map that contains all of the managed devices and VPNs
in the Security Manager inventory.
Generating the default map is a good way to create a map. After generating the
map, save it with a unique name to make it a standard map, and modify it as
desired.
You can generate the default map whenever you want to, and it contains the
inventory as it exists at the time you generate it. You cannot specifically save the
default map as the default map; it is regenerated every time you select it.
To create the default map, you must have sufficient access rights to the devices in
the inventory. For more information, see Access Permissions for Maps, page 4-3.


Before You Begin

You must be in Map view to create the default map. Select View > Map View.
Procedure
Step 1

Select Map > Open Map.

Step 2

Select Default Map from the Available Maps list, then click OK.

Note

If you do not have sufficient access rights to all devices in the inventory, the
default map that opens shows only the subset of devices for which you do have
access rights.

Step 3

To save the default map as a standard map, select Map > Save Map, then enter a
name for the map and click OK.

Tips

If you refresh the map (select Map > Refresh Map), items that you added to
the inventory after generating the default map are not added to the map. You
must regenerate the default map to see new devices.

Changing the Map Background Color


The default map background color is white. You can set a different color.
Procedure
Step 1

Select Map > Map Properties.


The Map Settings dialog box opens.

Step 2

Click Select. The Select Color dialog box opens.

Step 3

Select a color from the Select Color dialog box, then click OK.

Step 4

Click OK in the Map Settings dialog box.


Related Topics

Map Settings Dialog Box, page B-16

Select Color Dialog Box, page B-17

Working With Map Background Images


A background image is an image that appears in the background of a map, behind
the map elements.
A suggested use for a background image is to use an image that represents a
geographic area. Then you can position map elements according to their
geographic locations.
Some background images are installed on the Security Manager server. You can
also transfer images to the server to use as background images. You can use
background images of the following file formats: JPEG, GIF, PNG, IVL, and
SVG. You must transfer images to the Security Manager server file system by
accessing the server directly. For security reasons, Security Manager does not
provide a way to transfer files to the server.
To use an image on the server as a background image, you must first import it into
Security Manager.
The following topics describe how to use map background images:

Importing Map Background Images, page 4-13

Setting Map Background Images, page 4-14

Deleting Map Background Images, page 4-14

Using Background Image Coordinates and Scale, page 4-15

Importing Map Background Images


To use a new image as a background image, you must first import it into Security
Manager.
Before You Begin

Transfer the image file to import onto the Security Manager server file system by
connecting directly to the server. For security reasons, Security Manager does not
provide a method of transferring files to the server.


Procedure
Step 1

Select Map > Map Properties. The Map Settings dialog box opens.

Step 2

Click the Add button. The Import Background Image dialog box opens.

Step 3

Click Browse. A file browser dialog box opens.

Step 4

Browse to the image file to import, then click OK.

Related Topics

Import Background Image Dialog Box, page B-18

Working With Map Background Images, page 4-13

Setting Map Background Images


To select a background image for a map, you must modify the map properties.
Procedure
Step 1

Select Map > Map Properties. The Map Settings dialog box opens.

Step 2

Set a background image by selecting an image from the Available Background
Images list, then click OK.

Related Topics

Map Settings Dialog Box, page B-16

Working With Map Background Images, page 4-13

Deleting Map Background Images


Deleting a map background image only removes it from the list of available
background images. It does not remove the image file from the Security Manager
server. For security reasons, you must connect to the server directly to delete a
file.


Procedure
Step 1

Select Map > Map Properties. The Map Settings dialog box opens.

Step 2

Select the image to delete in the Available Background Images list, then click the
Remove button.

Step 3

Select the image to delete, then click OK.

Related Topics

Working With Map Background Images, page 4-13

Using Background Image Coordinates and Scale


You can adjust the default position and scale of a background image.
Procedure
Step 1

Select Map > Map Properties. The Map Settings dialog box opens.

Step 2

Adjust the background image position by entering coordinate values in the Map
X and Map Y fields.

Tip

Because the effect of the X,Y values depends on the image, the most effective
approach is to enter a pair of X,Y coordinate values, check the resulting image
position, and then adjust the values until you achieve the desired result. You
can enter negative values.

Step 3

Set the background image scale by entering a percentage in the Scale (%) field.


Displaying Your Network on the Map


You use the map view to represent your network topology by creating maps. A
map is a visual representation of your network, or of a portion of it if the whole
network is too large to fit on a single map. Maps consist of map elements that
represent devices, links, and other objects in your network. For more information
about maps, see Working With Maps, page 4-2.
The following topics describe how to create maps:

Understanding Map Elements, page 4-16

Displaying Managed Devices on the Map, page 4-17

Using Map Objects To Represent Network Topology, page 4-20

Displaying Layer 3 Links on the Map, page 4-21

Understanding Map Elements


All objects that can appear on a map are map elements. You display map elements
on a map to create a representation of a portion of your network.
The following types of map elements are available:

Device nodes: Elements that represent managed devices. Examples:

Router
Firewall device
Adaptive Security Appliance (ASA)
Catalyst 6500 switch or 7600 router
Firewall Services Module (FWSM)

Map objects: Elements that are not managed. Examples:

Unmanaged device
Network
Network cloud
Host

Links: Elements that represent network connections. Examples:


Layer 3 link
VPN tunnels

Related Topics

Using Map Objects To Represent Network Topology, page 4-20

Understanding Automatic Layer 3 Connectivity Display, page 4-23

Displaying Layer 3 Links on the Map, page 4-21

Displaying Managed Devices on the Map


A device node represents a device that is managed by Security Manager. You add
a device node to a map by selecting the device from the Security Manager
inventory.
When you add a device node to a map, its Layer 3 connectivity to other nodes on
the map is created automatically. For more information, see Understanding
Automatic Layer 3 Connectivity Display, page 4-23.
The following sections describe how to use device nodes:

Adding a New Managed Device to the Map, page 4-17

Displaying an Existing Managed Device on the Map, page 4-18

Showing Containment of Catalyst Switches, Firewalls, and Adaptive Security
Appliances, page 4-19

Displaying Devices on the Map from the Device View, page 4-19

Adding a New Managed Device to the Map


You can create a new device node by adding a new device to the Security Manager
inventory from the Map view. After you create the new device in the inventory
from the Map view, it is added to the active map as a device node.
If you add a device using the Device view, you must manually add the device to
the map (see Displaying an Existing Managed Device on the Map, page 4-18).


Procedure
Step 1

Click the New Device button in the map toolbar. The New Device dialog box
opens.

Step 2

Add a new device.


For more information about this dialog box, click its Help button.

Step 3

The new device is added to the center of the map. Move the device icon to the
desired position on the map.

Related Topics

Understanding Map Elements, page 4-16

Displaying an Existing Managed Device on the Map


This procedure describes how to add a device node to a map.
Before You Begin

The device that you want to add must be in the Security Manager inventory.
Procedure
Step 1

Right-click the map, then select Show Devices on Map. The Show Devices on
Map dialog box appears.

Step 2

Select the device nodes to display by doing the following:

a. To add a device node, select a device from the Available Devices list, then
click >>. The device is added to the Selected Devices list.

b. To remove a device node, select it from the Selected Devices list, then click
<<. The device is removed from the Selected Devices list.

Step 3

When the Selected Devices list contains only the nodes that you want to display,
click OK.
The dialog box closes, and the map is updated to display only the device nodes
you selected.


Step 4

To remove a managed node, select Remove from Map from the node context
menu.

Related Topics

Understanding Map Elements, page 4-16

Showing Containment of Catalyst Switches, Firewalls, and Adaptive Security
Appliances

The containment relationship between Catalyst 6500/7600 and Adaptive Security
Appliance (ASA) devices and their service modules and security contexts, or
between PIX 7.x devices and their security contexts, is displayed in maps as
follows:

When you select a Catalyst 6500/7600 device, nodes that represent its
Firewall Services Modules (FWSM) are highlighted.

When you select an ASA, nodes that represent its Security Service Modules
are highlighted.

When you select a service module, the device that contains it is highlighted.

You can view a list of the security contexts contained in an ASA, firewall, or
FWSM device by right-clicking the node and selecting Show Containment.
This command also shows the service modules in a device that has them.

When you select a security context node, all its ancestor device nodes are
highlighted.

Displaying Devices on the Map from the Device View


From the device selector in the Device view, you can locate a device node on the
active map. The device node is centered on the map and highlighted. The device
must be displayed on the active map. Otherwise, you are notified that it cannot be
found.
Procedure
Step 1

Right-click a device in the device tree.


Step 2

Select Show in Map view from the context menu.


If the device is shown on the active map, it is shown centered and highlighted on
the undocked map. You are notified if the device is not shown on the active map.

Using Map Objects To Represent Network Topology


You can add map elements to a map that represent objects (such as devices and
links) that Security Manager does not manage. These nodes are called map
objects. You can use map objects to create a more useful representation of your
network topology.
You can add Layer 3 links between any map elements, whether they are device
nodes, map nodes, or a combination of both types.
The following topics describe using map objects:

Adding Map Objects, page 4-20

Deleting Map Objects, page 4-21

Adding Map Objects


Use this procedure to add a map object to the map.
Procedure
Step 1

Select Map > Add Map Object. The Add Map Object dialog box appears.

Step 2

Enter a name for the node in the Device Name field.

Step 3

Select the type of device that the node represents from the Type list.

Step 4

(Optional) Add interfaces to the node by doing the following:

a. Click Add. The Interface Properties dialog box opens.

b. Enter an interface name, IP address, and network mask, then click OK.

c. Repeat this procedure to add additional interfaces.

Step 5

(Optional) Select a policy object as the basis for the map object:

a. Click Copy Policy Object. The Select Policy Object dialog box opens.


b. Select a policy object type from the Select a policy object list.

c. Click Select. The Single Selection Objects Selector dialog box opens.

d. Select a policy object, then click OK.

e. Click OK in the Select Policy Object dialog box. Information from the policy
object is entered in the Add Map Object dialog box.

Step 6

Click OK. The map object is added to the center of the map. Move it to the desired
location.

Related Topics

Select Policy Object Dialog Box, page B-24

Using Map Objects To Represent Network Topology, page 4-20

Displaying an Existing Managed Device on the Map, page 4-18

Deleting Map Objects


To delete a map object, right-click the object, then select Delete Map Object.

Displaying Layer 3 Links on the Map


A Layer 3 link is a line on the map that represents a network connection between
two device interfaces.
Layer 3 links are added to the map automatically when you add a new map
element that contains interface information. Network nodes are added as needed
to represent Layer 3 connectivity when you add a new element. When you delete
an interface that is a Layer 3 link endpoint, the link is removed.
You can add additional Layer 3 links between device nodes and map objects to
illustrate your network's connectivity. Adding Layer 3 links to a map does not
configure any network devices. Layer 3 links are just visual elements on the map.
You can use Layer 3 links to connect any two interfaces on a map. Depending on
the interfaces that you choose, the Layer 3 link might include intermediary
networks or network clouds. In some cases, you have the option to select which
intermediary networks and network clouds are inserted between the connected
interfaces.

The following topics describe how to use Layer 3 links:

Creating Layer 3 Links, page 4-22

Deleting Layer 3 Links, page 4-23

Understanding Automatic Layer 3 Connectivity Display, page 4-23

Creating Layer 3 Links


Use this procedure to add a Layer 3 link between two map elements.
When you add a Layer 3 link, intermediary networks and network clouds are
automatically inserted, depending on the node interfaces that you select to
connect. In some cases, you have the option to select which intermediary
networks and network clouds are inserted between the connected interfaces.
Procedure
Step 1

Click Map > Add Link.

Step 2

Click one of the map elements to connect, then click the other map element to
connect.

Step 3

If the map elements contain interfaces, select the source and destination interfaces
for the link in the Select Interfaces dialog box, then click OK.
The Add Link dialog box might open, depending on which interfaces you select.

Step 4

If the Add Link dialog box opens, select which intermediary objects and network
clouds to insert, then click OK.

Related Topics

Select Interfaces Dialog Box, page B-20

Add Link Dialog Box, page B-21


Deleting Layer 3 Links


Use this procedure to delete a Layer 3 link between two map elements.
Deleting a Layer 3 link does not delete any intermediary network or network
clouds between map elements.
Procedure
Step 1

Right-click the Layer 3 link to be removed.

Step 2

Select Delete Link.

Related Topics

Creating Layer 3 Links, page 4-22

Displaying Layer 3 Links on the Map, page 4-21

Understanding Automatic Layer 3 Connectivity Display


Layer 3 connectivity information is automatically added to the map when you add
map elements that have interface information. When you add a map element that
has interface information, one of the following happens:

If the interface is on a network that is not represented on the map as a network
map object, a network map object is added to the map, with a Layer 3 link to
the new map element.

If the interface is on a network that is represented on the map as a network
map object, a Layer 3 link is added between the new map element and the
network map object.

When you remove a node interface that is a Layer 3 link endpoint, the link is also
removed.
The automatic addition of network objects and links is called Autolink. You can
configure Autolink to not automatically add private or certain reserved network
addresses. To configure these settings, select Tools > Security Manager
Administration, then click Autolink.
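The Autolink behaviour described above, as an added illustration that is not code from Security Manager or from Cisco: a small Python model of a map in which adding an element with interface information creates network map objects and Layer 3 links as needed, removing an interface that is a link endpoint removes the link, and an Autolink setting excludes private (RFC 1918) or reserved networks from automatic linking. The AutolinkConfig, TopologyMap and build_sample_map names, the address ranges treated as private or reserved, and the sample devices and addresses are all constructed for this example; the product itself exposes these settings only through Tools > Security Manager Administration > Autolink.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_interface, ip_network

# Hypothetical Autolink policy (assumption: models the "do not add private or
# certain reserved network addresses" settings described in the guide).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                     "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class AutolinkConfig:
    skip_private: bool = False   # do not autolink RFC 1918 networks
    skip_reserved: bool = False  # do not autolink reserved networks

    def allows(self, net: IPv4Network) -> bool:
        """True if Autolink may create a network object and link for `net`."""
        if self.skip_private and any(net.subnet_of(p) for p in RFC1918):
            return False
        if self.skip_reserved and any(net.subnet_of(r) for r in RESERVED):
            return False
        return True


@dataclass
class TopologyMap:
    """Constructed model of a map: elements, network map objects, Layer 3 links."""
    config: AutolinkConfig = field(default_factory=AutolinkConfig)
    elements: dict = field(default_factory=dict)  # name -> {iface: IPv4Interface}
    networks: set = field(default_factory=set)    # network map objects
    links: set = field(default_factory=set)       # (element, iface, network)

    def add_element(self, name: str, interfaces: dict) -> None:
        """Add a device node or map object and autolink each of its interfaces."""
        self.elements[name] = {}
        for iface_name, addr in interfaces.items():
            self.add_interface(name, iface_name, addr)

    def add_interface(self, element: str, iface_name: str, addr: str):
        """Autolink one interface: create the network object if absent, then link."""
        iface = ip_interface(addr)
        self.elements[element][iface_name] = iface
        net = iface.network
        if not self.config.allows(net):
            return None  # excluded by the Autolink settings: no object, no link
        self.networks.add(net)  # no-op if the network object already exists
        link = (element, iface_name, net)
        self.links.add(link)
        return link

    def remove_interface(self, element: str, iface_name: str) -> None:
        """Removing a link-endpoint interface removes the link; the network stays."""
        iface = self.elements[element].pop(iface_name)
        self.links.discard((element, iface_name, iface.network))

    def neighbours(self, element: str) -> list:
        """Elements that share a network object with `element` (Layer 3 adjacency)."""
        my_nets = {n for (e, _, n) in self.links if e == element}
        return sorted({e for (e, _, n) in self.links if n in my_nets and e != element})


def build_sample_map(config: AutolinkConfig = None) -> TopologyMap:
    """Constructed sample: a router and a firewall sharing one public and one
    private segment (addresses are documentation ranges, not real hosts)."""
    topo = TopologyMap(config or AutolinkConfig())
    topo.add_element("r1", {"Gi0/0": "203.0.113.1/24", "Gi0/1": "10.1.1.1/24"})
    topo.add_element("fw1", {"outside": "203.0.113.2/24", "inside": "10.1.1.2/24"})
    return topo


if __name__ == "__main__":
    topo = build_sample_map(AutolinkConfig(skip_private=True))
    print(sorted(str(n) for n in topo.networks))  # only the public segment
    print(topo.neighbours("r1"))                  # ['fw1']
    topo.remove_interface("r1", "Gi0/0")
    print(topo.neighbours("r1"))                  # []
```

With skip_private set, only the 203.0.113.0/24 network object and its two links appear; the 10.1.1.0/24 interfaces are recorded on the elements but are not autolinked, which is the effect a practitioner should expect when internal address space is excluded from the map. With the default configuration both networks and all four links are created.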

Managing Firewall Services in Map View


The following topics describe how to manage firewall services from the map
view:

Managing Firewall Policies (Map View), page 4-24

Managing Firewall Settings (Map View), page 4-27

Managing Firewall Policies (Map View)


The following topics describe how to manage firewall policies from the map view:

Managing Firewall Access Rules (Map View), page 4-24

Managing Firewall Inspection Rules (Map View), page 4-25

Managing Firewall AAA Rules (Map View), page 4-25

Managing Web Filter Rules (Map View), page 4-26

Managing Firewall Transparent Rules (Map View), page 4-26

Managing Firewall Access Rules (Map View)


The following procedure describes how to manage access rules from a map device
node.
Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Policies > Access Rules from the context menu.
The Rules dialog box opens.

Step 3

Use the Access Rules dialog box to manage access rules on the device.
This dialog box has the same contents as the Access Rules page in the Device
view. For information about this dialog box, see Access Rules Page, page J-2.

Step 4

Click Save to save your changes and close the dialog box.


Managing Firewall Inspection Rules (Map View)


The following procedure describes how to manage inspection rules from a map
device node.
Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Policies > Inspection Rules from the context menu.
The Inspection Rules dialog box opens.

Step 3

Use the Inspection Rules dialog box to manage inspection rules on the device.
This dialog box has the same contents as the Inspection Rules page in the Device
view. For information about this dialog box, see Inspection Rules Page, page J-29.

Step 4

Click Save to save your changes and close the dialog box.

Managing Firewall AAA Rules (Map View)


The following procedure describes how to manage AAA rules from a map device
node.
Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Policies > AAA Rules from the context menu.
The AAA Rules dialog box opens.

Step 3

Use the AAA Rules dialog box to manage AAA rules on the device.
This dialog box has the same contents as the AAA Rules page in the Device view.
For information about this dialog box, see AAA Rules Page, page J-78.

Step 4

Click Save to save your changes and close the dialog box.


Managing Web Filter Rules (Map View)


The following procedure describes how to manage web filter rules from a map
device node.
Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Policies > Web Filter Rules from the context menu.
The Web Filter Rules dialog box opens.

Step 3

Use the Web Filter Rules dialog box to manage web filter rules on the device.
This dialog box has the same contents as the Web Filter Rules page in the Device
view. For information about this dialog box, see Web Filter Rules Page
(PIX/ASA), page J-104.

Step 4

Click Save to save your changes and close the dialog box.

Managing Firewall Transparent Rules (Map View)


The following procedure describes how to manage transparent firewall rules from
a map device node.
Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Policies > Transparent Rules from the context menu.
The Transparent Rules dialog box opens.

Step 3

Use the Transparent Rules dialog box to manage transparent rules on the device.
This dialog box has the same contents as the Transparent Rules page in the Device
view. For information about this dialog box, see Transparent Rules Page,
page J-135.

Step 4

Click Save to save your changes and close the dialog box.


Managing Firewall Settings (Map View)


The following topics describe how to manage firewall settings from the Map view:

Managing Firewall Access Control Settings (Map View), page 4-27

Managing Firewall Inspection Settings (Map View), page 4-27

Managing AuthProxy Firewall Settings (Map View), page 4-28

Managing Web Filter Settings (Map View), page 4-28

Managing Firewall Access Control Settings (Map View)


The following procedure describes how to manage firewall access control settings
from a map device node.
Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Settings > Access Control from the context menu. The
Access Control dialog box opens.

Step 3

Use the Access Control dialog box to manage access control settings on the
device.
This dialog box has the same contents as the Access Control page in the Device
view. For information about this dialog box, see Access Control Page, page J-147.

Step 4

Click Save to save your changes and close the dialog box.

Managing Firewall Inspection Settings (Map View)


The following procedure describes how to manage firewall inspection settings
from a map device node.


Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Settings > Inspection from the context menu. The
Inspection dialog box opens.

Step 3

Use the Inspection dialog box to manage inspection settings on the device.
This dialog box has the same contents as the Inspection page in the Device view.
For information about this dialog box, see Inspection Page, page J-154.

Step 4

Click Save to save your changes and close the dialog box.

Managing AuthProxy Firewall Settings (Map View)


The following procedure describes how to manage AuthProxy firewall settings
from a map device node.
Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Settings > AuthProxy from the context menu. The
AuthProxy dialog box opens.

Step 3

Use the AuthProxy dialog box to manage AuthProxy settings on the device.
This dialog box has the same contents as the AuthProxy page in the Device view.
For information about this dialog box, see AuthProxy Page, page J-164.

Step 4

Click Save to save your changes and close the dialog box.

Managing Web Filter Settings (Map View)


The following procedure describes how to manage web filter settings from a map
device node.


Procedure
Step 1

Right-click the device node to manage.

Step 2

Select Edit Firewall Settings > Web Filter from the context menu.

Step 3

Use the Web Filter dialog box to manage web filter settings on the device.
This dialog box has the same contents as the Web Filter page in the Device view.
For information about this dialog box, see Web Filter Page, page J-170.

Step 4

Click Save to save your changes and close the dialog box.

Managing VPNs in Map View


The following topics describe how to manage VPNs in the Map view:

Creating VPN Topologies (Map View), page 4-29

Editing VPN Policies From the Map, page 4-31

Editing VPN Peers From the Map, page 4-32

Displaying Existing VPNs on the Map, page 4-33

Adding and Removing VPN Tunnels on the Map, page 4-33

Listing VPN Peers on the Map, page 4-34

Creating VPN Topologies (Map View)


You can create VPN connections between VPN-capable device nodes that are
displayed on the open map.
The following topics describe the methods for creating VPN connections:

Creating a Point-to-Point VPN Connection, page 4-30

Creating Full Mesh or Hub and Spoke VPNs (Map View), page 4-30


Creating a Point-to-Point VPN Connection


Use this procedure to create a point-to-point VPN connection between two
VPN-capable device nodes. Creating a VPN connection changes the device
configuration of the connected devices.
Before You Begin

This procedure describes how to create a VPN by first selecting the devices you
want to configure. Alternatively, you can create a VPN by clicking the New VPN
button in the toolbar and selecting the type of VPN you want to configure. This
will open the wizard for creating VPNs, and you have to select the devices within
the wizard.
Procedure
Step 1

Select the devices between which you want to create a VPN. Click the first device,
then Ctrl+click the second device.

Step 2

Click the New VPN button in the maps toolbar and select Create Point to Point
VPN. The Point to Point VPN wizard opens.
If workflow is enabled, you are prompted to open an activity if one is not open.

Step 3

Configure the point-to-point VPN connection. For more information about this
wizard, click its Help button. The VPN connection is displayed on the map when
you finish the wizard.

Related Topics

Selecting Map Elements, page 4-9

Creating Full Mesh or Hub and Spoke VPNs (Map View)


Use this procedure to create a full mesh or hub and spoke VPN that includes two
or more VPN-capable device nodes. Creating a VPN connection between device
nodes changes the device configuration of the connected devices.


Before You Begin

This procedure describes how to create a VPN by first selecting the devices you
want to configure. Alternatively, you can create a VPN by clicking the New VPN
button in the toolbar and selecting the type of VPN you want to configure. This
will open the wizard for creating VPNs, and you have to select the devices within
the wizard.
Procedure
Step 1

Select multiple VPN-capable device nodes on the map.


For more information, see Selecting Map Elements, page 4-9.

Step 2

Right-click one of the selected nodes.


If you are creating a hub-and-spoke VPN, the node that you right-click becomes
the hub.

Step 3

Select one of the following commands:

Create Full Meshed VPN: To create a meshed VPN that includes the
selected nodes.

Create Hub & Spoke VPN: To create a hub-and-spoke VPN that includes
the selected nodes.

If workflow is enabled, you are prompted to open an activity if one is not open.
The Create VPN wizard opens to the tab for configuring the VPN type that you
selected.
Step 4

Configure the VPN connection. For information about this dialog box, click its
Help button. The VPN is displayed on the map when you are finished with the
wizard.

Editing VPN Policies From the Map


The following procedure describes how to edit VPN policies from the Map view.


Procedure
Step 1

Select a VPN to edit by doing one of the following:

Right-click a VPN tunnel, then select Edit VPN Policies.

Right-click a device node, then select Edit VPN Policies.

The Select VPN to Configure dialog box appears if there are multiple VPNs.
Step 2

If necessary, select the VPN to configure from the Select VPN to Configure dialog
box, then click OK.
The Site-To-Site VPN Manager window opens.

Step 3

Use the Site-To-Site VPN Manager window to edit the VPN.


For information about this window, see Site-to-Site VPN Manager Window,
page G-2.

Step 4

Click Close to return to the Map view.

Editing VPN Peers From the Map


The following procedure describes how to edit VPN peers from the Map view.
Procedure
Step 1

Select a VPN to edit by doing one of the following:

Right-click a VPN tunnel, then select Edit VPN Peers.

Right-click a device node, then select Edit VPN Peers.

The Select VPN to Configure dialog box appears if there are multiple VPNs.
Step 2

If necessary, select the VPN to configure from the Select VPN to Configure dialog
box, then click OK.
A dialog box opens for editing the type of VPN you selected. For information on
using the dialog box, click its Help button.


Displaying Existing VPNs on the Map


When you display a VPN, all of its member devices are added to the map as
device nodes, and all of its tunnels are highlighted. However, devices that you
removed from the map previously are not added, even if they are members of a
VPN that you display. You can add such devices to the map manually, and their
VPN connectivity is then displayed.
When you remove a VPN from the map, only the VPN tunnels are removed. The
device nodes remain on the map.

Adding and Removing VPN Tunnels on the Map


A VPN tunnel is a line on the map that represents a VPN connection between two
devices. VPN tunnels are not added to the map automatically when you add a
device node that is a member of a VPN. However, if the VPN was already selected
to be shown on the map, adding a device in that VPN to the map also displays
the VPN.
When you display a VPN on a map, all of its member devices are added to the
map as device nodes and are highlighted, and all of its tunnels are added to
the map and highlighted.
Removing a VPN from the map removes only the VPN tunnels. No device nodes are
removed.

Note

You cannot delete VPNs from the map view.


Procedure

Step 1

Select Map > Show VPNs on Map.


The Show VPNs on Map dialog box opens.

Step 2

Select the VPNs to display by doing the following:


a.

To add a VPN, select it from the Available VPNs list, then click >>.

b.

To remove a VPN, select it from the Selected VPNs list, then click <<.


Step 3

When the Selected VPNs list contains only the VPNs that you want to display,
click OK.

Listing VPN Peers on the Map


You can list the peers that participate in a VPN that is displayed on the map.
Procedure
Step 1

Right-click a node that participates in a VPN.

Step 2

Select Show VPN Peers.

If the selected device participates in more than one VPN, the Show VPN
Peers dialog box opens. Select the VPN whose peers you want to list, then
click OK. The VPN Peers dialog box opens, listing the peers in the selected
VPN.

If the selected device participates in only one VPN, the VPN Peers dialog box
opens, listing the peers in the selected VPN.

Managing Device Policies in Map View


The following topics describe how to manage policies from the Map view:

Copying Policies Between Devices (Map View), page 4-35

Sharing Device Policies (Map View), page 4-35

Cloning Devices (Map View), page 4-36

Previewing Device Configuration, page 4-36

Discovering Device Configurations, page 4-36


Copying Policies Between Devices (Map View)


You can copy policies from a map device node to other devices. You can also
begin this task from the Device view.
Procedure
Step 1

Right-click a device node, then select Copy Policies Between Devices. The Copy
Policies wizard opens so you can select the devices to which you want to copy
policies.

Step 2

Use the Copy Policies wizard to copy policies from the selected device to other
devices.
For more information, see Copy Policies Wizard - Copy Policies to these Devices
Page, page D-7.

Sharing Device Policies (Map View)


You can share a device node's local policies from the map. You can also begin
this task from the Device view.
Procedure
Step 1

Right-click a device node, then select Share Device Policies. The Share Policies
wizard opens to the Select Policies page.

Step 2

Use the Share Policies wizard to share local policies.


For more information, see Share Policies Wizard - Select Policies to Share Page,
page D-11.


Cloning Devices (Map View)


You can clone a device from a device node on the map. You can also begin this
task from the Device view.
The cloned device automatically appears on the map.
Procedure
Step 1

Right-click a device node, then select Clone Device. The Create a Clone of
<device> dialog box opens.

Step 2

Use the Create a Clone of <device> dialog box to clone the device.
For more information, see Create a Clone of <device name> Page, page C-52.

Previewing Device Configuration


You can preview a device node's configuration from the map. You can also begin
this task from the Device view.
Procedure
Step 1

Right-click a device node, then select Preview Configuration.


A preview configuration is generated for the device and is displayed in the
Configuration Preview dialog box.

Step 2

Use the Configuration Preview dialog box to preview the configuration.


For more information, see Preview Config Dialog Box, page O-8.

Discovering Device Configurations


You can discover a device node's configuration from the map. You can also begin
this task from the Device view.


Procedure
Step 1

Right-click a device node, then select Discover Policies on Device. The Create
Discovery Task dialog box opens.

Step 2

Use the Create Discovery Task dialog box to discover policies on the device.
For more information, see Create Discovery Task Dialog Box, page D-16.


Chapter 5

Managing Devices
Before you can manage devices in Security Manager, you must prepare the
devices for management, then add those devices to the Security Manager device
inventory. After you add the devices, you can view and edit device information,
configure policies on devices, copy and share policies, clone devices, and so on.
The following topics describe how to manage devices:

Preparing the Devices for Security Manager to Manage, page 5-2

Understanding the Device View, page 5-24

Adding Devices to the Security Manager Inventory, page 5-30

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Working with Devices with Dynamically Assigned IP Addresses, page 5-36

Understanding Device Credentials, page 5-43

Working with Device Connectivity Test, page 5-45

Understanding Device Properties, page 5-51

Working with Device Policies, page 5-54

Cloning a Device, page 5-55

Deleting Devices from the Security Manager Inventory, page 5-56

Understanding Device Grouping, page 5-57


Preparing the Devices for Security Manager to Manage

To enable communication between Security Manager and devices, you must
configure transport settings on the devices before you add them to the
inventory.
Security Manager uses Secure Sockets Layer (SSL) as the default transport
protocol for PIX Firewall, Adaptive Security Appliances (ASA), Firewall
Services Modules (FWSM), and Cisco IOS routers. Therefore, you must configure
SSL on these devices. For SSL configuration details, see Setting Up SSL,
page 5-4.

Note

DES encryption is not supported on Common Services 3.0 and later. Please make
sure that all PIX Firewalls and Adaptive Security Appliances that you intend to
manage with Cisco Security Manager have a 3DES/AES license.
Security Manager uses Secure Shell (SSH) as the default transport protocol for
Catalyst 6500/7600 devices. Therefore, you must configure SSH on these devices.
For configuration details see, Setting Up SSH, page 5-9.
You must configure both SSH and SSL transport protocols on Cisco IOS routers.
Security Manager uses SSH connections to handle interactive command
deployments during SSL deployments. Although SSL is the default, you can
change the default to SSH. To change the default protocol from SSL to SSH, see
Changing the Device Transport Protocol on Cisco IOS Routers, page 5-22. For
SSH configuration details, see Setting Up SSH, page 5-9.
In addition to SSL and SSH, Security Manager supports staged delivery of
configurations using AUS, CNS, and TMS transport protocols. Instead of sending
configurations directly to devices, Security Manager sends them to another
location, such as an Auto Update Server, Configuration Engine, or Token
Management Server; then the device communicates with the appropriate server
and downloads the configuration files.
If you are using an IPS device, you must initialize it; see Initializing IPS Devices,
page 5-23. If you are using an IOS IPS device, you must prepare it for use; see
Preparation for Use, page 13-26.
If the device has a static IP address, you must configure the default transport
protocols (SSL or SSH) for discovering and deploying the configurations on the
device (Table 5-1).


If the device has a dynamic IP address, and it is managed by an Auto Update
Server or a CNS-Configuration Engine, you can configure AUS or CNS on that
device (Table 5-1).
If a Cisco IOS router has a dynamic IP address and is configured to use an Auto
Update Server/CNS Gateway, Security Manager communicates with the Auto
Update Server that is running the CNS Gateway protocol to determine the IP
address of the router. For such routers, you must configure SSL and SSH in
addition to the CNS transport protocol.
Table 5-1 summarizes the types of devices and the transport settings they
support.

Table 5-1  Devices and Transport Settings

Devices                                                    Transport Settings
PIX Firewall, ASA, FWSM, and Cisco IOS routers (default)   SSL
Cisco IOS routers                                          SSH
Catalyst 6500/7600 devices (default)                       SSH
PIX and ASA devices managed by an Auto Update Server       AUS
Cisco IOS routers managed by a CNS-Configuration Engine    CNS
Cisco IOS routers managed by a Token Management Server     TMS

For details about device types and associated server fields, see Table 5-12 on
page 5-37.
Related Topics

Setting Up SSL, page 5-4

Setting Up SSH, page 5-9

Setting Up AUS, page 5-13

Setting Up CNS, page 5-15

Setting Up TMS, page 5-21

Changing the Device Transport Protocol on Cisco IOS Routers, page 5-22


Setting Up SSL
Security Manager deploys the configuration to the device using the Secure
Sockets Layer (SSL) protocol. With this protocol, Security Manager encrypts the
configuration file and sends it to the device over HTTPS.
The following topics describe how to set up SSL on devices:

Setting Up SSL on PIX Firewall, ASA, and FWSM Devices, page 5-5

Setting Up SSL on Cisco IOS Routers, page 5-6


Setting Up SSL on PIX Firewall, ASA, and FWSM Devices


Table 5-2 describes the tasks to complete before you use SSL as the transport
protocol for device management on PIX Firewall, ASA, and FWSM devices.

Table 5-2  Setting Up SSL on PIX Firewall, ASA, and FWSM Devices

Step 1
  Enter:  hostname# config terminal
  Result: Enters configuration mode from the terminal. On a device that has
          no configuration yet, the interactive setup prompts start; respond
          to them appropriately. Here are some tips:
          1. Enter y when the prompt asks if you want to preconfigure using
             interactive prompts.
          2. Enter the current enable password.
          3. Specify the time zone, year, month, day, and time.
          4. If the device is new, specify the network interface IP address
             of the device and the network mask that applies to the inside IP
             address. If the device already exists, verify that the interface
             IP address and mask are correct.
          5. If the device is new, specify the hostname and the domain name.
             If the device already exists, verify that the hostname and
             domain name are correct.
          6. When prompted for the IP address of the host that runs the PIX
             Device Manager, specify the IP address of the Security Manager
             server.
          7. Enter yes when the prompt asks if you want to write the above
             changes to Flash.

Step 2
  Enter:  hostname(config)# http server enable
  Result: Enables the HTTP server. Connections to it are made over SSL.

Step 3
  Enter:  hostname(config)# http ip_address [netmask] [if_name]
  Result: Specifies the host or network authorized to initiate an HTTP
          connection to the device.
          ip_address - IP address of the Security Manager server.
          netmask - Network mask for the http ip_address. Use a host mask
          (255.255.255.255) so that only the Security Manager server, and not
          its whole subnet, is allowed to connect.
          if_name - Device interface name (default is inside) on which the
          connection from Security Manager arrives.

Step 4
  Enter:  hostname(config)# write memory
  Result: Stores the current configuration in Flash memory.

Setting Up SSL on Cisco IOS Routers


Table 5-3 describes the tasks to complete before you use SSL as the transport
protocol for device management on Cisco IOS routers.

Table 5-3  Setting Up SSL on Cisco IOS Routers

Step 1
  Enter:  router# config terminal
  Result: Enters configuration mode from the terminal.

Step 2
  Enter:  router(config)# hostname <name>
  Result: Configures the hostname. If the device is new, you must configure
          its hostname. After you configure the hostname, the device prompt
          changes to hostname(config)#. For example, if the hostname is
          router1, the device prompt changes to router1(config)# (see step 3).

Step 3
  Enter:  router1(config)# ip domain-name <your_domain>
  Result: Specifies the IP domain name of the router. If the device is new
          and is not configured with a domain name, you must specify the IP
          domain name of the router.

Step 4
  Enter:  router1(config)# username <username> privilege 15 password 0 <password>
  Result: Configures a local user with level 15 privilege. SSL requires
          level 15 privileges to log in to a Cisco IOS router.
  Note:   The password 0 keyword stores the password in clear text in the
          configuration. On IOS releases that support it, username <username>
          privilege 15 secret <password> stores a hash instead and is the
          better choice.

Step 5
  Enter:  router1(config)# no aaa authorization network <list-name>
  Result: (Optional) Disables AAA authorization. If you are using AAA for
          authorization but would like to use local authorization, use this
          command to disable the AAA authorization.
          list-name - Character string used to name the list of
          authorization methods.

Step 6
  Enter:  router1(config)# no aaa authentication login <list-name>
  Result: (Optional) Disables AAA authentication at login. If you are using
          AAA for authentication but would like to use local authentication,
          use this command to disable the AAA authentication.
          list-name - Character string used to name the list of
          authentication methods activated when a user logs in.

Step 7
  Enter:  router1(config)# ip http authentication local
  Result: (Optional) Enables local authentication for SSL, so that Security
          Manager authenticates with the local username you created in
          step 4.
  Note:   If you do not enter this command, the default enable password is
          used for authentication.
  Note:   You can enable either AAA authentication or local authentication.
          To enable AAA authentication, enter the commands in step 8 and
          step 9. To enable local authentication, enter the command in this
          step.

Step 8
  Enter:  router1(config)# ip http authentication aaa
  Result: (Optional) Enables AAA authentication/authorization for SSL (see
          the Note in step 7).

Step 9
  Enter:  router1(config)# ip http authentication aaa login-authentication <list-name>
          router1(config)# ip http authentication aaa exec-authorization <list-name>
  Result: (Optional) If multiple AAA lists are defined, you must enter these
          commands. They authenticate and authorize the user that contacts
          the device over HTTPS, using AAA (see the Note in step 7).
          list-name - Name of the AAA method list to use (the list defined
          with aaa authentication login or aaa authorization exec).

Step 10
  Enter:  router1(config)# ip http secure-server
  Result: Enables the HTTPS server.
  Note:   This command enables HTTPS only. If the clear-text HTTP server
          (ip http server) is also enabled on the router, disable it with
          no ip http server unless something else requires it, so that the
          level 15 credentials never cross the network unencrypted.

Step 11
  Enter:  router1(config)# exit
  Result: Exits configuration mode and returns to Exec mode.

Step 12
  Enter:  router1# show ip http server secure status
  Result: Verifies that SSL is set up on the device. The device responds with
          an enabled status.


Setting Up SSH
Security Manager deploys the configuration to Cisco IOS routers and Catalyst
6500/7600 devices using Secure Shell (SSH), which provides strong
authentication and secure communications over insecure channels. Security
Manager supports both SSHv1.5 and SSHv2. Once connected to the device,
Security Manager determines which version to use and downloads using that
version.
The following topics describe the tasks required to set up SSH on Cisco IOS
routers and Catalyst 6500/7600 devices:

Testing Authentication, page 5-9

Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices,
page 5-10

Preventing Non-SSH Connections (Optional), page 5-11

Note

Security Manager supports Catalyst 6500/7600 devices running the Cisco IOS
software only.

Critical Line-ending Conventions for SSH

Security Manager relies on the trailing > or # to recognize the device prompt,
so the following line-ending conventions must be observed to avoid system
failure:
1. Do not end banner message lines with # or >, with or without a single
   trailing space. If your system requires a pound sign or greater-than sign
   at the end of a banner message line, follow it with two spaces.
2. Do not use banner message lines that contain only Username: or Password:
3. Do not customize the device prompt so that it no longer ends with > (user
   mode) or # (privileged mode).

Testing Authentication
Before you set up SSH, you must test authentication without SSH to make sure
that you can authenticate to the device. You can authenticate with a local
username and password or with an authentication, authorization, and accounting
(AAA) server running TACACS+ or RADIUS.

To test authentication without SSH using a local or AAA server username and
password, enter the commands described in Table 5-4.

Table 5-4  Testing Authentication Without SSH

Step 1
  Enter:  hostname# config terminal
  Result: Enters configuration mode from the terminal.

Step 2
  Enter:  hostname(config)# aaa new-model
  Result: Enables AAA. With no aaa authentication statements configured, the
          device uses the local username and password.
  Note:   On Cisco IOS routers, you can use the login local command on the
          vty lines instead of the aaa new-model command.

Step 3
  Enter:  hostname(config)# username <name> password 0 <password>
  Result: Configures the user in the local database of the device. This
          command is optional if the device authenticates against a AAA
          server. Where the IOS release supports it, username <name> secret
          <password> stores a hash instead of the clear-text password that
          password 0 stores.

Step 4
  Enter:  hostname(config)# exit
  Result: Exits configuration mode.

Step 5
  Enter:  hostname# write memory
  Result: Saves the configuration changes.

Related Topics

Setting Up SSH, page 5-9

Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices,
page 5-10

Preventing Non-SSH Connections (Optional), page 5-11

Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices


Table 5-5 describes the tasks required to set up SSH on Cisco IOS routers and
Catalyst 6500/7600 devices.

Note

You must configure SSH on Cisco IOS routers because Security Manager uses
SSH connections to handle interactive command deployments during SSL
deployments.


Table 5-5  Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices

Step 1
  Enter:  router# config terminal
  Result: Enters configuration mode from the terminal.

Step 2
  Enter:  router(config)# hostname <name>
  Result: Configures the hostname. If the device is new, you must configure
          its hostname. After you configure the hostname, the device prompt
          changes to hostname(config)#. For example, if the hostname is
          router1, the device prompt changes to router1(config)# (see step 3).

Step 3
  Enter:  router1(config)# ip domain-name <your_domain>
  Result: Specifies the IP domain name of the router. If the device is new
          and is not configured with a domain name, you must specify it. The
          RSA key pair generated in step 4 is named after the hostname and
          domain name, so both must be set first.

Step 4
  Enter:  router1(config)# crypto key generate rsa
  Result: Generates the RSA key pair for the SSH session. When the device
          prompts you to enter the size of the modulus, this guide recommends
          1024. Prefer 2048 bits or more where the IOS release supports it
          (for example, crypto key generate rsa modulus 2048); a 1024-bit RSA
          key is below current practice.

Step 5
  Enter:  router1(config)# ip ssh time-out <seconds>
  Result: (Optional) Sets the SSH negotiation timeout in seconds (1 to 120).

Step 6
  Enter:  router1(config)# ip ssh authentication-retries <n>
  Result: (Optional) Sets the number of authentication retries (0 to 5).
  Note:   Security Manager negotiates SSHv1.5 or SSHv2 with the device. To
          refuse SSHv1 clients altogether, also enter ip ssh version 2; this
          requires an RSA key of at least 768 bits.

Step 7
  Enter:  router1(config)# exit
  Result: Exits configuration mode and returns to Exec mode.

Step 8
  Enter:  router1# write memory
  Result: Saves the configuration changes.

Related Topics

Setting Up SSH, page 5-9

Testing Authentication, page 5-9

Preventing Non-SSH Connections (Optional), page 5-11

Preventing Non-SSH Connections (Optional)

After configuring SSH, you can configure the Cisco IOS routers and Catalyst
6500/7600 devices to accept SSH connections only. To prevent non-SSH
connections, enter the commands described in Table 5-6.


Table 5-6  Preventing Non-SSH Connections (Optional)

Step 1
  Enter:  hostname# config terminal
  Result: Enters configuration mode from the terminal.

Step 2
  Enter:  hostname(config)# line vty <first line number> <last line number>
  Result: Enters line configuration mode for the range of vty lines, which
          carry Telnet and SSH sessions.
          first line number - valid values are 0-1180.
          last line number - valid values are 1-1180.
          Include every vty line the device has (show line lists them); a
          vty line left outside the range still accepts Telnet.

Step 3
  Enter:  hostname(config-line)# transport input ssh
  Result: Prevents non-SSH connections, such as Telnet, on those lines.

Step 4
  Enter:  hostname(config-line)# end
  Result: Exits configuration mode.

Step 5
  Enter:  hostname# write memory
  Result: Saves the configuration changes.

Related Topics

Setting Up SSH, page 5-9

Testing Authentication, page 5-9

Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices,
page 5-10
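The SSL, SSH, and SSH-only vty procedures above, together with the banner
line-ending conventions, describe what a Cisco IOS router must look like
before Security Manager can manage it. The following script is an added
example, not part of this guide and not Security Manager code, that audits a
saved show running-config for those prerequisites: the HTTPS server enabled
with a named authentication method and the clear-text HTTP server off, a
privilege-15 user whose password is not stored reversibly, every configured
line vty block restricted to SSH, banner lines that Security Manager could
mistake for a prompt, and no customized prompt. The SSHv2 and password-storage
checks go beyond the tables, which only require SSH and a privilege-15 user.
The two embedded configurations are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the Security Manager transport
prerequisites: HTTPS with a privilege-15 login, SSH-only vty lines and
banner lines that cannot be mistaken for a prompt. Added example, not Cisco code."""
import re
from typing import Dict, List, Tuple

PROMPT_LIKE_END = re.compile(r"[#>] ?$")   # "#", "# ", ">" or "> " endings look like a prompt
BANNER_START = re.compile(r"^banner\s+\w+\s+(\^C|\S)(.*)$")   # IOS prints the delimiter, usually ^C


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]], List[str]]:
    """Split a running-config into global commands, each `line vty` block and banner text."""
    global_cmds: List[str] = []
    vty_blocks: Dict[str, List[str]] = {}
    banner_text: List[str] = []
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        m = BANNER_START.match(line)
        if m:
            delim, rest = m.groups()
            tail = "\n".join([rest] + lines[i + 1:])   # everything after the banner keyword
            body = tail.partition(delim)[0]            # up to the closing delimiter
            banner_text.extend(l for l in body.split("\n") if l)
            i += body.count("\n") + 1                  # skip the lines the banner consumed
        elif line.startswith("line vty"):
            j = i + 1
            while j < len(lines) and lines[j].startswith(" "):   # indented sub-commands
                j += 1
            vty_blocks[line.strip()] = [l.strip() for l in lines[i + 1:j]]
            i = j
        else:
            global_cmds.append(line.rstrip())
            i += 1
    return global_cmds, vty_blocks, banner_text


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (category, description) for every deviation; an empty list means ready."""
    cmds, vtys, banner = parse_config(text)
    present = set(cmds)
    findings: List[Tuple[str, str]] = []
    if "ip http secure-server" not in present:
        findings.append(("HTTPS", "ip http secure-server is not enabled"))
    if "ip http server" in present:
        findings.append(("HTTPS", "clear-text ip http server is enabled; use no ip http server"))
    if not any(c.startswith("ip http authentication ") for c in cmds):
        findings.append(("HTTPS", "no ip http authentication; the enable password would be used"))
    if "ip ssh version 2" not in present:
        findings.append(("SSH", "ip ssh version 2 is not set; SSHv1 may be negotiated"))
    users = [c for c in cmds if c.startswith("username ")]
    if not any(" privilege 15 " in u for u in users):
        findings.append(("LOGIN", "no local username with privilege 15"))
    for u in users:
        if " password " in u:   # type 0 or 7, both reversible; `secret` stores a hash
            findings.append(("LOGIN", f"{u.split()[1]}: password stored reversibly; use secret"))
    for name, block in vtys.items():
        if "transport input ssh" not in block:   # "ssh telnet" or "all" still admit Telnet
            findings.append(("VTY", f"{name} accepts non-SSH transport"))
    for line in banner:
        if PROMPT_LIKE_END.search(line):
            findings.append(("BANNER", f"line ends like a prompt: {line!r}"))
        if line.strip() in ("Username:", "Password:"):
            findings.append(("BANNER", f"bare credential prompt in banner: {line!r}"))
    if any(c.startswith("prompt ") for c in cmds):
        findings.append(("PROMPT", "custom prompt configured; it must still end with > or #"))
    return findings


# Constructed sample configurations, not captured from real devices.
WEAK_CONFIG = """\
username csm privilege 15 password 0 Secret123
ip http server
ip http secure-server
banner motd ^C
Property of example.net #
Username:
^C
line vty 0 4
 transport input ssh telnet
line vty 5 15
 transport input all
"""

HARDENED_CONFIG = """\
username csm privilege 15 secret 5 $1$salt$constructedhashvalue
ip http authentication local
ip http secure-server
ip ssh version 2
banner motd ^C
Property of example.net. Unauthorized access is prohibited.
^C
line vty 0 15
 transport input ssh
"""

if __name__ == "__main__":
    for category, detail in audit(WEAK_CONFIG):
        print(f"[{category}] {detail}")
```

Run it against the text of show running-config saved from the router; every
finding names the table step that covers it. The vty check is deliberately
per block, because transport input ssh telnet and transport input all both
leave Telnet open, and a block that was never configured is not seen at all,
which is why the table tells you to cover every vty line.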


Setting Up AUS
Security Manager deploys configuration files to the Auto Update Server, where
they are stored for later retrieval by the device.
The following topics provide more information:

Setting Up AUS on PIX Firewall and ASA Devices, page 5-13

Setting Up CNS Gateway on an Auto Update Server, page 5-14

Setting Up AUS on PIX Firewall and ASA Devices


Devices, such as PIX Firewall and ASA, use the AUS protocol to contact the Auto
Update Server for configuration (and image) updates. See the Auto Update Server
product documentation for more information.
Table 5-7 describes the tasks to complete before you use AUS as the transport
protocol for device management on PIX Firewall and ASA devices.
Table 5-7  Setting Up AUS on PIX Firewall and ASA Devices

Step 1
  Enter:  hostname# config terminal
  Result: Enters configuration mode from the terminal.

Step 2
  Enter:  hostname(config)# auto-update server
          https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet
  Result: Connects to the AUS.
          username - The username that you enter for this device when you
          use Security Manager.
          password - The password that you enter for this device when you
          use Security Manager.
          The port number is typically 443.
  Note:   Keep the https scheme. The credentials travel in the URL, so over
          plain http they, and the configuration the device downloads, would
          cross the network in clear text.

Step 3
  Enter:  hostname(config)# auto-update poll-period poll_period [retry_count]
          [retry_period]
  Result: Specifies the polling period for AUS.
          poll_period - Polling period interval between two updates. Default
          is 720 minutes (12 hours).
          retry_count - (Optional) Number of times to retry if the server
          connection attempt fails. Default is 0.
          retry_period - (Optional) Number of minutes between retries.
          Default is 5.

Step 4
  Enter:  hostname(config)# auto-update device-id hardware-serial | hostname |
          ipaddress [<if_name>] | mac-address [<if_name>] | string <text>
  Result: Configures the device to use the specified unique device ID to
          identify itself.
          if_name - Device interface name (default is inside).
          text - A unique string name.

Step 5
  Enter:  hostname(config)# write memory
  Result: Saves the configuration changes.
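Table 5-7 hands the device a URL that embeds its AUS credentials and a polling
schedule. The following script is an added example, not part of this guide and
not Security Manager or AUS code, that reads the auto-update lines out of a
saved PIX/ASA configuration, checks the URL for the points made above (https
scheme, embedded username and password, the AutoUpdateServlet path, the usual
port 443) and for a configured device-id, and computes from the poll-period
arguments and their documented defaults how long a staged configuration can
wait before the device fetches it. The two configuration fragments are
constructed for the example.

```python
"""Check the auto-update settings a PIX/ASA uses to reach an Auto Update
Server (Table 5-7). Added example, not Cisco code; the sample
configurations below are constructed, not captured from a device."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SERVLET_PATH = "/autoupdate/AutoUpdateServlet"


def parse_auto_update(config: str) -> Dict[str, Optional[str]]:
    """Collect the auto-update server, poll-period and device-id arguments."""
    found: Dict[str, Optional[str]] = {"server": None, "poll-period": None, "device-id": None}
    for line in config.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "auto-update" and parts[1] in found:
            found[parts[1]] = parts[2]
    return found


def poll_settings(value: Optional[str]) -> Tuple[int, int, int]:
    """Expand `poll_period [retry_count] [retry_period]` with the documented
    defaults: 720 minutes, 0 retries, 5 minutes between retries."""
    nums = [int(x) for x in value.split()] if value else [720]
    return nums[0], (nums[1] if len(nums) > 1 else 0), (nums[2] if len(nums) > 2 else 5)


def worst_case_pickup_minutes(value: Optional[str]) -> int:
    """Longest a newly staged configuration can sit on the AUS before the
    device fetches it: a full poll interval plus every retry interval."""
    period, retries, gap = poll_settings(value)
    return period + retries * gap


def check_auto_update(config: str) -> List[str]:
    """Return the problems that would stop the device from fetching
    configurations safely; an empty list means the settings look right."""
    s = parse_auto_update(config)
    if s["server"] is None:
        return ["no auto-update server configured"]
    url = urlsplit(s["server"])
    problems: List[str] = []
    if url.scheme != "https":   # the URL carries the credentials
        problems.append(f"scheme {url.scheme!r}: credentials and configuration would cross the network in clear text")
    if not (url.username and url.password):
        problems.append("URL carries no username:password, so the AUS cannot authenticate the device")
    if url.path != SERVLET_PATH:
        problems.append(f"path {url.path!r} is not {SERVLET_PATH}")
    if url.port not in (None, 443):
        problems.append(f"port {url.port} is not the usual 443; confirm the AUS listens there")
    if s["device-id"] is None:
        problems.append("auto-update device-id is not set; the AUS needs a unique device identity")
    return problems


# Constructed sample configurations, not captured from a real device.
WEAK_AUS = """\
auto-update server http://csm:csmpass@10.1.1.5/autoupdate/AutoUpdateServlet
auto-update poll-period 720
"""

GOOD_AUS = """\
auto-update server https://csm:csmpass@10.1.1.5:443/autoupdate/AutoUpdateServlet
auto-update poll-period 60 3 5
auto-update device-id hostname
"""

if __name__ == "__main__":
    for problem in check_auto_update(WEAK_AUS):
        print("weak:", problem)
    print("good: worst-case pickup", worst_case_pickup_minutes("60 3 5"), "minutes")
```

The pickup figure is worth knowing when you deploy through AUS: with the
720-minute default, a configuration fix you deploy from Security Manager can
take half a day to reach the firewall, and every failed retry adds
retry_period minutes on top of that.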

Setting Up CNS Gateway on an Auto Update Server


An Auto Update Server can provide the CNS event-bus feature to Cisco IOS
routers that have dynamic IP addresses obtained from a DHCP server. Security
Manager communicates with the Auto Update Server that is running the CNS
Gateway protocol to determine the IP address of the device. To configure CNS on
a Cisco IOS router in event-bus mode, see Table 5-8.
If you changed the CNS password on a Cisco IOS router, you must change the
password in the Auto Update Server also. See Changing the Default CNS
Bootstrap Password in the Auto Update Server, page 5-14.
Changing the Default CNS Bootstrap Password in the Auto Update Server

The default CNS bootstrap password configured in an Auto Update Server is
callhome. If you changed the CNS password on the router (step 7, Table 5-8),
you must change the default CNS bootstrap password in the Auto Update Server
also. This procedure describes how to change the default CNS bootstrap
password in an Auto Update Server.
Procedure
Step 1

Open the Windows command prompt on the machine where you installed AUS.

Step 2

Enter set NMSROOT=<dir>.


where <dir> is the directory where you installed AUS. For example, set
NMSROOT=C:\Progra~1\CSCOpx.


Step 3

Enter cd %NMSROOT%\MDC\autoupdate\bin\eventgateway.

Step 4

Enter cnspassword <password>.


where <password> is the password you set on the device.

Step 5

Restart the Daemon Manager if it is running.

Related Topics

Setting Up CNS on Cisco IOS Routers, page 5-15

Setting Up CNS
Security Manager deploys the configuration file to the Cisco Configuration
Engine, where it is stored for later retrieval by the device. Devices that
obtain their addresses from a Dynamic Host Configuration Protocol (DHCP)
server, such as Cisco IOS routers, PIX Firewalls, and ASAs, contact the Cisco
Configuration Engine for configuration (and image) updates. See the Cisco
Configuration Engine product documentation for more information.
The following topics describe how to set up CNS on devices:

Setting Up CNS on PIX Firewall and ASA Devices, page 5-15

Setting Up CNS on Cisco IOS Routers in Event-Bus Mode

Setting Up CNS on PIX Firewall and ASA Devices


If PIX Firewall and ASA devices are configured for CNS, they use the AUS
protocol. The required steps are identical to the steps that you follow when you
configure PIX Firewall and ASA for AUS. See Setting Up AUS, page 5-13.

Setting Up CNS on Cisco IOS Routers


The following tables describe the tasks to complete before you use CNS as the
transport protocol for device management on Cisco IOS routers. You can
configure CNS in event-bus mode or in call-home mode.

To configure CNS in event-bus mode, see Table 5-8.

To configure CNS in call-home mode, see Table 5-9.



Table 5-8  Setting Up CNS on Cisco IOS Routers in Event-Bus Mode

Step 1
  Enter:  router# config terminal
  Result: Enters configuration mode from the terminal.

Step 2
  Enter:  router(config)# hostname <name>
  Result: Configures the hostname. If the device is new, you must configure
          its hostname. After you configure the hostname, the device prompt
          changes to hostname(config)#. For example, if the hostname is
          router1, the device prompt changes to router1(config)# (see step 3).

Step 3
  Enter:  router1(config)# ip domain-name <your_domain>
  Result: Specifies the IP domain name of the router. If the device is new
          and is not configured with a domain name, you must specify the IP
          domain name of the router.

Step 4
  Enter:  router1(config)# cns trusted-server all-agents <ip_address>
  Result: Specifies the trusted server for the CNS agent.
          ip_address - The IP address of the trusted server.

Step 5
  Enter:  router1(config)# cns event <ip_address> [port]
  Result: Configures the CNS event gateway, which provides CNS event services
          to Cisco IOS clients.
          ip_address - IP address of the event gateway.
          port - (Optional) By default it is either 11011 (with no
          encryption) or 11012 (with encryption). Use the encrypted gateway
          port where the Configuration Engine supports it, so that
          configurations pushed over the event bus are not sent in clear
          text.

Step 6
  Enter:  router1(config)# cns config partial <ip_address>
  Result: Starts the CNS configuration agent and accepts a partial
          configuration.

Step 7
  Enter:  router1(config)# cns password <password>
  Result: Sets the CNS password.
          <password> - The password you want to set on the router.
          You can set the CNS password to callhome (which is the default
          bootstrap password in AUS) or you can set a different password. If
          you set a different password on the router, you must change the
          default CNS bootstrap password in the Auto Update Server. For
          instructions, see Changing the Default CNS Bootstrap Password in
          the Auto Update Server, page 5-14. Because callhome is a published
          default, set a different password on production devices.
  Note:   For information on how to authenticate a Cisco IOS router on a
          Configuration Engine, see the Cisco CNS Configuration Engine
          Administrator Guide.

Step 8
  Enter:  router1(config)# cns exec
  Result: Enables and configures the CNS execute agent.

Step 9
  Enter:  router1(config)# exit
  Result: Exits configuration mode and returns to Exec mode.

Step 10
  Enter:  router1# copy running startup
  Result: Saves the configuration changes to NVRAM.


Table 5-9

Setting Up CNS on Cisco IOS Routers in Call-Home Mode

Enter

Result

Step 1

router# config terminal

Enters configuration mode from the terminal.

Step 2

router(config)# hostname<name>

Configures the hostname.


If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt
changes to hostname(config)#. For example, if the
hostname is router1, the device prompt changes to
router1(config)# (see step 3).

Step 3

Step 4

router1(config)# ip domain-name
<your_domain>

Specifies the IP domain name of the router.

router1(config)# cns trusted-server


all-agents <ip_address>

Specifies the trusted server for the CNS agent.

If the device is new and is not configured with a


domain name, you must specify the IP domain name
of the router.

ip_address - IP address of the trusted server.

Step 5

router1(config)# kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}

Specifies schedule parameters for a Command Scheduler occurrence and enters kron-occurrence configuration mode.

occurrence-name - Name of occurrence. Length of occurrence-name is from 1 to 31 characters. If the occurrence-name is new, an occurrence structure will be created. If the occurrence-name is not new, the existing occurrence will be edited.

username - (Optional) Name of user.

numdays: - (Optional) Number of days. Identifies that the occurrence is to run after a specified time interval. The timer starts when the occurrence is configured. If used, add a colon after the number.

numhours: - (Optional) Number of hours. If used, add a colon after the number.

nummin - Number of minutes.

hours: - Hour as a number using the 24-hour clock. Identifies that the occurrence is to run at a specified calendar date and time. Add a colon after the number.

min - Minute as a number.

month - (Optional) Month name. If used, you must also specify day-of-month.

day-of-month - (Optional) Day of month as a number.

day-of-week - (Optional) Name of the day of the week.

oneshot - Identifies that the occurrence is to run only once. After the occurrence runs, the configuration is removed.

recurring - Identifies that the occurrence is to run on a recurring basis.
Step 6

router1(config-kron-occurrence)# policy-list <list-name>

Specifies the policy list associated with a Command Scheduler occurrence. Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.

list-name - Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.

Step 7

router1(config-kron-occurrence)# exit

Exits kron-occurrence and returns to configuration mode.

Step 8

router1(config)# kron policy-list <list-name>

Specifies a name for a Command Scheduler policy and enters kron-policy configuration mode.

list-name - Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.

Step 9

router1(config-kron-policy)# cli cns config retrieve <ip_address> page /cns/JobbedDynaConfig status http://<ip_address>/cns/PostStatus

Retrieves the config from the staged CNS job.

ip_address - IP address of the CNS server.

JobbedDynaConfig status - You must use JobbedDynaConfig status so that the device retrieves the config from the staged CNS job; otherwise, the device retrieves the template associated with the device.

Step 10

router1(config-kron-policy)# exit

Exits kron-policy configuration mode and returns to


configuration mode.

Step 11

router1(config)# cns exec

Enables and configures the CNS execute agent.

Step 12

router1(config)# exit

Exits configuration mode and returns to Exec mode.

Step 13

router1# copy running startup

Saves the configuration changes to NVRAM.
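Table 5-9 spreads one command sequence over 13 steps, and the kron occurrence syntax in step 5 is easy to get wrong. The following Python script is an added example, not Cisco code and not part of this guide: it assembles the 13 command lines from parameters and rejects the mistakes the table warns about (occurrence-name or list-name outside 1 to 31 characters, numdays without numhours, month without day-of-month, both or neither of the in/at forms). The rule that names contain no whitespace, and the hostname and 192.0.2.10 addresses in the usage block, are assumptions added for the example.

```python
"""Build the Table 5-9 command sequence (CNS call-home mode) from parameters.

Added example code for this guide; it is not Cisco code and not part of the
original document. It encodes the constraints the table states (occurrence
and policy-list names of 1 to 31 characters, a colon after numdays and
numhours, month only together with day-of-month) so that a malformed schedule
is rejected before anything is pasted into a router. The no-whitespace rule on
names and the addresses in the usage block are assumptions.
"""


def _check_name(value, what):
    """Names in the table are 1 to 31 characters; whitespace would split the CLI token (assumed)."""
    if not 1 <= len(value) <= 31 or any(ch.isspace() for ch in value):
        raise ValueError(f"{what} must be 1 to 31 characters with no whitespace: {value!r}")
    return value


def kron_occurrence(name, interval=None, at=None, user=None, recurring=True):
    """Return the 'kron occurrence' command of step 5.

    interval: (numdays, numhours, nummin) for the 'in' form; numdays and numhours
              may be None, but numdays needs numhours because the syntax is
              [[numdays:]numhours:]nummin.
    at:       dict with hour and minute plus optional month, day_of_month and
              day_of_week for the 'at' form; month requires day_of_month.
    Exactly one of interval or at must be given.
    """
    _check_name(name, "occurrence-name")
    if (interval is None) == (at is None):
        raise ValueError("give exactly one of interval= (in ...) or at= (at ...)")
    parts = ["kron occurrence", name]
    if user is not None:
        parts += ["user", user]
    if interval is not None:
        numdays, numhours, nummin = interval
        if numdays is not None and numhours is None:
            raise ValueError("numhours is required when numdays is given")
        spec = str(nummin)
        if numhours is not None:
            spec = f"{numhours}:{spec}"      # colon after the number, as the table says
        if numdays is not None:
            spec = f"{numdays}:{spec}"
        parts += ["in", spec]
    else:
        if at.get("month") is not None and at.get("day_of_month") is None:
            raise ValueError("month requires day-of-month")
        spec = [f"{at['hour']}:{at['minute']:02d}"]
        for key in ("month", "day_of_month", "day_of_week"):   # order fixed by the syntax
            if at.get(key) is not None:
                spec.append(str(at[key]))
        parts += ["at", *spec]
    parts.append("recurring" if recurring else "oneshot")
    return " ".join(parts)


def rejects(**kwargs):
    """True when kron_occurrence() refuses these arguments (lets a caller probe the validation)."""
    try:
        kron_occurrence(**kwargs)
    except ValueError:
        return True
    return False


def cns_callhome_config(hostname, domain, trusted_server, cns_server, occurrence, list_name):
    """Return the 13 command lines of Table 5-9 in order, one per step.

    occurrence is the string from kron_occurrence(); trusted_server is the
    address for 'cns trusted-server' (step 4) and cns_server the one used in
    the 'cli cns config retrieve' command (step 9). The retrieve command keeps
    the 'JobbedDynaConfig status' page the table requires, so the device pulls
    the staged CNS job instead of its template.
    """
    _check_name(list_name, "list-name")
    return [
        "config terminal",                                        # step 1
        f"hostname {hostname}",                                   # step 2
        f"ip domain-name {domain}",                               # step 3
        f"cns trusted-server all-agents {trusted_server}",        # step 4
        occurrence,                                               # step 5
        f"policy-list {list_name}",                               # step 6 (kron-occurrence mode)
        "exit",                                                   # step 7
        f"kron policy-list {list_name}",                          # step 8
        f"cli cns config retrieve {cns_server} page "
        f"/cns/JobbedDynaConfig status http://{cns_server}/cns/PostStatus",  # step 9
        "exit",                                                   # step 10
        "cns exec",                                               # step 11
        "exit",                                                   # step 12
        "copy running startup",                                   # step 13
    ]


if __name__ == "__main__":
    # Constructed usage: pull the staged job every 30 minutes; 192.0.2.10 is a documentation address.
    occ = kron_occurrence("cns-pull", interval=(None, None, 30))
    for line in cns_callhome_config("router1", "example.com", "192.0.2.10", "192.0.2.10", occ, "cns-policy"):
        print(line)
```

Running the script prints the 13 lines in the order of the table; swapping the `interval=` argument for `at={"hour": 2, "minute": 0, "day_of_week": "sunday"}` and `recurring=False` produces the oneshot calendar form instead.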


Related Topics

Setting Up CNS Gateway on an Auto Update Server, page 5-14

Changing the Default CNS Bootstrap Password in the Auto Update Server,
page 5-14

Setting Up TMS
Security Manager uses FTP to deploy the configuration file to the Token
Management Server (TMS), from which it can be downloaded and encrypted onto
an eToken. The eToken can then be connected to the USB port of a router and the
configuration downloaded. See TMS product documentation for more
information.
To download the configuration from the eToken to the router, plug the eToken into
the router, then enter the commands as described in Table 5-10.
Table 5-10

Setting Up TMS on Cisco IOS Routers

Step 1

router# crypto pki token <usb_token_id> login <PIN>

Logs into the eToken.

usb_token_id - Depending on the port in which the eToken is inserted, usb_token_id could either be usbtoken0 or usbtoken1.

PIN - By default is 1234567890.

Step 2

router# config terminal

Enters configuration mode from the terminal.

Step 3

router(config)# crypto pki token default secondary config CCCD

Enables configuration provisioning with eToken. CCCD is the private sector on the eToken where the configuration file resides. When you enter this command, the CLI on the eToken merges with the CLI on the router.

Step 4

router(config)# exit

Exits configuration mode and returns to Exec mode.

Step 5

router# write memory

Keeps the CLI on the router after you disconnect the eToken.


Changing the Device Transport Protocol on Cisco IOS Routers


Security Manager uses Secure Socket Layer (SSL) as the default transport
protocol on Cisco IOS routers. Although SSL is the default, you can change the
default to SSH.

You can change the default protocol from SSL to SSH on all Cisco IOS
routers from the Device Communication page. For the procedure, see
Defining Connection and Transport Protocol Settings in the UI, page 2-71.

You can change the default protocol from SSL to SSH on a single Cisco IOS
router from the General page.

This procedure describes how to change the default protocol from SSL to SSH on
a selected Cisco IOS router.
Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Do one of the following:

In the Device selector, double-click the Cisco IOS router. The Device
Properties page appears.

In the Device selector, right-click the Cisco IOS router to display menu
options, then select Device Properties. The Device Properties page appears.

Step 3

Click General. The General page appears.

Step 4

From the Transport Settings field, select SSH.

Step 5

Click Save.

Note

If you select the Use Default option, the transport protocol set in the
Device Communications page (Tools > Security Manager Administration
> Device Communication) is used.


Related Topics

General Page, page C-54

Preparing the Devices for Security Manager to Manage, page 5-2

Initializing IPS Devices


To initialize an IPS device, you must configure the following settings. These are
network settings, and only a user with administrator privileges on the IPS device
can configure them:

Sensor name

IP address

Netmask

Default route

Enable TLS/SSL (to enable TLS/SSL in the web server on the device)

Web server port

Use default ports

You configure these settings through the setup command in Intrusion Prevention
System Device Manager (IDM) or in a command-line session, depending upon
which platform is used by your IPS device. The platform is one of the following:

Sensor appliance

IDSM-2

AIP-SSM

NM-CIDS

For detailed information on these settings, refer to the technical documentation for your IPS device.

Note

For information on preparing an IOS IPS device for use, see Preparation for Use,
page 13-26.


Understanding the Device View


The Device View button opens the Devices page, from which you can add and
delete devices from the Security Manager inventory and manage device policies,
properties, and interfaces centrally.
This is a device-centric view in which you can see all devices that you are
managing and you can select specific devices to view their properties and define
their settings and policies. You can define security policies locally on specific
devices. You can then share those policies to make them globally available to be
assigned to other devices.


The Devices page contains two panes. The left pane contains two elements: the
Device selector, located in the top left pane, and the Policy selector, located in the
bottom left pane. The right pane is the main content area. Figure 5-1 shows the
Devices page.
Figure 5-1

Devices Page


Device selector - Contains the following:

Add and Delete buttons - Enables you to add and delete devices from the Security Manager inventory.

Filter field - Enables you to display a subset of devices based on the filtering criteria you define. For details, see Filtering the Device Selector, page 5-28.

Device tree - Lists the device groups and devices that exist in the system. Each device type is represented by an icon. For information about the icons, see Figure 5-2.

Figure 5-2

Device Icons

Adaptive Security Appliances (ASA)
Catalyst 6500 Series Switch
PIX Firewall
Catalyst 7600 Series Router
Firewall Services Module (FWSM)
Cisco IOS Router
VPN 3000 Concentrator
Intrusion Prevention System (IPS)

Device shortcut menu options - Provides easy access to several tasks, such as device properties, containment, cloning device, showing devices in a map, discovering policies on a device, and so on. You can access these options by right-clicking a device in the Device selector. For a complete list of menu options, see Device Shortcut Menu Options, page C-62.


Device Grouping shortcut menu options - Provides access to several grouping tasks, such as add group, edit group information, add devices to group, and add a device to Security Manager. For details, see Device Group Shortcut Menu Options, page C-65.

Policy selector - Contains the following:

Policy groups - Lists the policy groups that are supported on the selected device type. The policy groups that are displayed are dependent on four factors:
Type of device selected in the Device selector.
Operating system supported on the device.
Target operating system version running on the device.
Containment of the device. For details, see Show Containment, page C-62.
For details, see Working with Device Policies, page 5-54.

Device policy shortcut menu options - Provides easy access to several tasks, such as assign shared policy, share policy, unassign policy, rename policy, and so on. You can access these options by right-clicking a policy in the Policy selector. For a complete list of menu options, see Policy Selector Shortcut Menu Options, page C-63.

Contents pane - The main content area.

The information displayed in this area depends on the device you select from the Device selector and the option you select from the Policy selector.
Related Topics

Devices Page, page C-2

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Deleting Devices from the Security Manager Inventory, page 5-56

Filtering the Device Selector, page 5-28

Device Shortcut Menu Options, page C-62

Policy Selector Shortcut Menu Options, page C-63

Device Group Shortcut Menu Options, page C-65


Filtering the Device Selector


You can view a subset of devices in the Device selector by defining the filtering
criteria in the Create a Filter dialog box.

Note

For each device tree, you can have a maximum of 10 filters for each user.
After that, a newly created filter replaces the older one: The 11th filter
replaces the first filter.

After you create the filters, you cannot delete them.

A filter that you created in the Devices page, window, or wizard is added to
the filter list.
When you create a filter in the Devices page, it becomes the last-applied
topmost active filter in the Device selector. This filter is carried forward from
the Devices page to other windows and wizards as the first active filter.
However, if you apply a new filter to a window or a wizard, this filter is not
carried backwards to the Devices page as the topmost active filter. The
Devices page retains its original last-applied filter.

This procedure describes how to filter devices in the Device selector.


Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Click the arrow in the Filter field in the Device selector pane, then select Create
Filter. The Create Filter dialog box appears.

Step 3

Select one of the following from the Filter Type field (first field):

Name - Select this option to filter the devices by device name.

Type - Select this option to filter the devices by device type.

Step 4

Select an option in the Filter Relation field (second field) to narrow down the filter
results.

Step 5

Do one of the following:

If you selected Name in the Filter Type field, enter a string value in the Filter
Value field (third field): either the device name or part of the device name.


If you selected Type in the Filter Type field, select the appropriate option in the Filter Value field (third field): ASA, ASA IPS, PIX Firewall, Catalyst 6500/7600 devices, FWSM, IPSSM, Router, Cisco IDS Network Module, or Sensor.

Step 6

Click Add. Based on the filter name, filter relation, and filter value that you selected, a row of filter controls is displayed in the filter control content area. To delete the selected row of filter controls from the filter control content area, click Remove.

Step 7

Click one of the following radio buttons:

Match Any of the Following - Clicking this radio button creates an OR relationship between all of the filter controls that you created in the filter control area.

Match All of the Following - Clicking this radio button creates an AND relationship between all of the filter controls that you created in the filter control area.
See Filter Control Relationship Example, page 5-29.

Step 8

Click OK. The filter is available from the filter field arrow in the Device selector
pane.

Filter Control Relationship Example

To understand the OR and AND filter control relationship, see Table 5-11.

Table 5-11

Filter Control Relationship Example

The first two columns list the device types and device names that exist in Security Manager. The OR result column shows the devices displayed if you select Name contains a or Type is ASA (an OR relationship is created). The AND result column shows the devices displayed if you select Name contains a and Type is ASA (an AND relationship is created). A dash means the device is not displayed.

Device type                 Device name               OR result                 AND result
PIX Firewall                pix_506                   -                         -
PIX Firewall                pix_520                   -                         -
ASA                         asa_5510                  asa_5510                  asa_5510
Router                      router_1601               -                         -
Router                      ISDN_access_router_761    ISDN_access_router_761    -
Catalyst 6500/7600 devices  catalyst_6506             catalyst_6506             -
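The OR and AND results in Table 5-11 follow from evaluating each row of filter controls against every device and combining the rows with either any-of or all-of. The Python below is an added example, not Security Manager code, that models exactly that over the six devices the table lists (constructed here as an inline inventory). It supports only the two relations the table uses, contains and is, and matches case-sensitively; the guide does not say whether Security Manager ignores case.

```python
"""OR versus AND across Device selector filter controls, as in Table 5-11.

Added example code for this guide; it is not Security Manager code. The six
devices are the ones the table lists, constructed here as an inline inventory.
Only the two relations the table uses (contains, is) are modelled, and matching
is case-sensitive; the guide does not say whether Security Manager ignores case.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    type: str


# Constructed inventory: the device types and names from Table 5-11.
INVENTORY = [
    Device("pix_506", "PIX Firewall"),
    Device("pix_520", "PIX Firewall"),
    Device("asa_5510", "ASA"),
    Device("router_1601", "Router"),
    Device("ISDN_access_router_761", "Router"),
    Device("catalyst_6506", "Catalyst 6500/7600 devices"),
]

# (Filter Type, Filter Relation) -> predicate over a device and the Filter Value.
RELATIONS = {
    ("Name", "contains"): lambda dev, value: value in dev.name,
    ("Name", "is"): lambda dev, value: dev.name == value,
    ("Type", "is"): lambda dev, value: dev.type == value,
}


def matches(dev, control):
    """Evaluate one row of filter controls (type, relation, value) against a device."""
    ftype, relation, value = control
    try:
        predicate = RELATIONS[(ftype, relation)]
    except KeyError:
        raise ValueError(f"unsupported filter control: {ftype} {relation}") from None
    return predicate(dev, value)


def apply_filter(devices, controls, match_all):
    """Return the names displayed for the given controls.

    match_all=False is 'Match Any of the Following' (an OR relationship between
    the controls); match_all=True is 'Match All of the Following' (an AND).
    """
    combine = all if match_all else any
    return [dev.name for dev in devices if combine(matches(dev, c) for c in controls)]


# The two controls from the table: Name contains a, Type is ASA.
TABLE_CONTROLS = [("Name", "contains", "a"), ("Type", "is", "ASA")]


if __name__ == "__main__":
    print("Match Any:", apply_filter(INVENTORY, TABLE_CONTROLS, match_all=False))
    print("Match All:", apply_filter(INVENTORY, TABLE_CONTROLS, match_all=True))
```

With the table's two controls, Match Any returns asa_5510, ISDN_access_router_761 and catalyst_6506, and Match All returns asa_5510 alone, which is the table's OR and AND columns.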

Related Topics

Create Filter Dialog Box, page C-3

Understanding the Device View, page 5-24

Adding Devices to the Security Manager Inventory


When you add a device to Security Manager, you bring in a range of identifying
information for the device, such as its DNS name and IP address. This information
is added during device discovery. You can also bring existing network
configurations associated with a device by initiating policy discovery. For
complete information on discovery, see Discovering Policies, page 6-7. Once you
add the device, it appears in the Security Manager device inventory.
You can add the following types of devices to Security Manager:

Live devices already on the network.

New devices not yet on the network.

One or more devices from the Device Credentials Repository (DCR).

Devices whose identifying information is stored in a configuration file.

Security Manager provides a wizard to help you add a device.


Note

You must use device discovery to add Catalyst 6500/7600 devices with VPN Services Module and devices with dynamic IP addresses.

Caution

Cisco Security Manager 3.1 does not support IOS version 12.4(11)T and later routers that use the Cisco CNS Configuration Engine to manage and deploy configurations.
Before You Begin

Prepare the devices to be managed by Security Manager. For more information, see Preparing the Devices for Security Manager to Manage, page 5-2.

If you are using ACS for authentication, define the devices in ACS. See
Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 2-41.

Procedure
Step 1

Click the Device View button on the toolbar.

Step 2

Select File > New Device or click the New Device button in the Device selector.
The Choose Method page of the New Device wizard appears with four options.

Step 3

Select the method by which you want to add the device:

Add device from network - Add a live device from the network. Security Manager connects directly and securely to the device and discovers its identifying information and properties.

Add device(s) from config file - Add devices from a configuration file.

Add new device - Add a single device before it is live on your network. You can create the device in the system, assign policies to the device, and generate configuration files before receiving the device hardware.

Add device from DCR - Add devices from the Device Credentials Repository (DCR). The DCR resides on the CiscoWorks Server and is a common database of device attributes and device credential information for use by CiscoWorks component applications.


Note

By default, Security Manager uses Telnet as the transport protocol for communicating with routers running IOS 12.1 or 12.2 and uses SSL and SSH as the transport protocol for routers running IOS 12.3 and later.
When you add a live device using the Add Device From Network option,
you can specify that the device is running IOS 12.1 or 12.2, which enables
Security Manager to select the appropriate transport protocol (Telnet).
However, when you add a router running IOS 12.1 or 12.2 from the DCR,
Security Manager automatically selects the default transport protocol for
routers running IOS 12.3 or later. As a result, Security Manager cannot
communicate with the device and the operation fails.
To import a router running IOS 12.1 or 12.2 from the DCR, you must
temporarily change the default transport protocol for routers running
IOS 12.3 or later to Telnet. For a detailed procedure, please see the FAQ
and Troubleshooting Guide for Cisco Security Manager 3.x.

Step 4

Enter the device information, such as IP type, IP address, hostname, and so on,
and set discovery options.

If adding from network, see Device Information Page - Network, page C-8.

If adding from a configuration file, see Device Information Page - Config File, page C-30.

If adding a new device, see Device Information Page - New Device, page C-35.

If adding from DCR, see Device Information Page - DCR, page C-45.

Step 5

If you are adding a device from the network or adding a new device, enter primary
device credentials and enter SDEE, HTTP, RX-Boot Mode, and SNMP, as
required. See Device Credentials Page, page C-15.

Step 6

(Optional.) Add the device to a group. See Device Grouping Page, page C-28.

Step 7

Click Finish.
The Task Status page displays the status of the device import and discovery. If the
data you entered is incorrect, the system generates the appropriate number of error
messages and displays a table showing the pages on which the error or errors
occur with a red error icon corresponding to it.


Note

You can end device import and discovery by clicking Abort on the Task Status page. This button is enabled during device import and discovery.

Step 8

Click Close to close this page. This button is enabled after device import and discovery are completed.

If you are adding a Catalyst 6500/7600 device and want to proceed with FWSM inventory and policy discovery, click Yes to go to the Firewall Service Module Credentials page. See Adding Catalyst 6500/7600 Devices from the Network, page 5-33.

Adding Catalyst 6500/7600 Devices from the Network


If you are adding a Catalyst 6500/7600 device and you have completed all the
steps in the Adding Devices from the Network topic, you are asked if you want to
proceed with FWSM inventory and policy discovery. Click Yes to display the
Firewall Service Module Credentials and VPN SPA Slot Location page. If you
click No, the VPN SPA Slots window appears giving you the opportunity to
manually enter the locations of any Catalyst VPN Shared Port Adapter
(VPN SPA) service modules (VPN SPAs) installed on Catalyst 6500/7600
devices.
Each device can have from 3 to 13 slots, and each of these slots divides into
subslots that can hold one or two VPN SPAs. Security Manager allows you to
enter the subslot location to help you manage the device. The dialog box appears
when you initiate discovery for Catalyst 6500/7600 devices. For elements in the
Firewall Service Module Credentials page, see FWSM Credentials and VPN SPA
Slot Location Dialog Box, page C-22.
This procedure describes how to enter the information on the Firewall Service
Module Credentials and VPN SPA Slot Location page.
Procedure
Step 1

(Optional) Enter the management IP address for each slot.


The slots represent FWSMs on the Catalyst 6500/7600 devices. Although this step
is optional, we recommend that you enter the management IP address. For details,
see FWSM Credentials and VPN SPA Slot Location Dialog Box, page C-22.
Step 2

Enter the username, password, and enable password for each slot.
If the device you are adding is a multi-mode FWSM, note the following:

Multi-mode FWSMs contain System Space and Admin Context. If you entered the management IP address in step 1, Security Manager uses the credentials you entered in this step to access the FWSM System Space (through the session command from the Catalyst 6500/7600 devices) and the Admin Context (through SSL). Therefore, in the Catalyst 6500/7600 devices, you must configure the same username, password, and enable password for both System Space and Admin Context and enter them in this dialog box.

If you did not enter the management IP address in step 1, Security Manager uses the credentials you entered in this step to access the FWSM System Space (through the session command from the Catalyst 6500/7600 devices) and the Admin Context (through the changeto context command from the System Space). Therefore, you must enter the System Space credentials in this dialog box.

Step 3

If you do not want to discover policies for a particular slot, deselect the Discover Policies check box for that slot. The Discover Policies check box is selected by default.
If you deselect the check box, only inventory data, such as VLAN configuration, security contexts, and interfaces, is discovered. You can discover the policy configuration later by right-clicking an FWSM and selecting Discover Policies on Device.

Step 4

Click OK. The Task Status page appears. After inventory and policy discovery for
all of the security contexts is completed, the Task Completed dialog box appears.

Step 5

Select Yes to submit the activity. The Validation Result dialog box appears.
We recommend that you submit the activity, otherwise the FWSMs and the
security contexts will not appear in the Device selector.

Step 6

Do one of the following:

Click OK to submit the activity.


The activity is submitted and the FWSM and security context appears in the
Device selector.

Click Details... to view the results of the validation.


Click Cancel to cancel the operation.

Related Topics

FWSM Credentials and VPN SPA Slot Location Dialog Box, page C-22

Adding VPN SPA Slot Locations


Use the VPN SPA Slots dialog box to add the locations of any Cisco Shared Port Adapters (VPN SPAs) installed on Catalyst 6500/7600 devices. Each of two slots on these devices can hold one or two VPN SPAs, and Security Manager allows you to enter this information to help you manage the device. FWSMs occupy a whole slot in the Catalyst 6500/7600 devices, and each VPN SPA occupies half a slot. Each slot can therefore hold two VPN SPAs, one in each of two subslots, numbered 0 and 1. For a description of the fields on this page, see VPN SPA Slots Dialog Box, page C-24.
This procedure describes how to add VPN SPA slot locations to Catalyst 6500/7600 device information.
Procedure
Step 1

Do one of the following:

Enter the slot number on the left of the / and the subslot (numbered 0 or 1) to the right of the /.

Click Select to select slot and subslot locations from a list of available slots and subslots.

Step 2

Do one of the following:

Click OK to confirm.

Click Cancel to cancel the operation.


Working with Devices with Dynamically Assigned IP Addresses
You can add devices that have dynamic IP addresses to the Security Manager
inventory. From the Add Device from Network or Add New Device wizards,
select the dynamic IP type, then select Auto Update Server or Configuration
Engine. Security Manager uses the device identity information to retrieve the
device IP address from an Auto Update Server or Configuration Engine that can
be reached.
You can add these devices one at a time. You cannot add dynamic IP devices from
a file.
Related Topics

Understanding Auto Update Server and Configuration Engine, page 5-36

Adding an Auto Update Server or Configuration Engine, page 5-37

Editing the Auto Update Server or Configuration Engine Information, page 5-40

Understanding Auto Update Server and Configuration Engine


Auto Update Server (AUS) is a tool for upgrading device configuration files on
PIX Firewall and ASA devices that use the auto update feature.
Cisco Configuration Engine is a tool for upgrading device configuration files on
Cisco IOS routers and PIX Firewalls that use the configuration engine feature.
Security Manager cannot initiate direct communication with devices that acquire
their interface addresses using DHCP because their IP addresses are not known
ahead of time. Furthermore, these devices might not be running, or they might be
behind firewalls and NAT boundaries when the management system must make
changes. These devices connect to an Auto Update Server or Configuration
Engine to get device information.
For a summary of the device types and associated servers, see Table 5-12.


Table 5-12

Device Types and Associated Servers

Device Types with Dynamic IP Addresses                                          Servers
PIX Firewall and ASA (that use the auto update feature)                         Auto Update Server
Cisco IOS routers and PIX Firewall (that use the configuration engine feature)  Configuration Engine
Cisco IOS routers                                                               Auto Update Server (running the CNS Gateway protocol)
Related Topics

Adding an Auto Update Server or Configuration Engine, page 5-37

Editing the Auto Update Server or Configuration Engine Information, page 5-40

Adding Devices to the Security Manager Inventory, page 5-30

Adding an Auto Update Server or Configuration Engine


If you want to use an Auto Update Server or Configuration Engine as the
management server, you can add it to Security Manager. After you add the server,
it appears in the Available AUS Managers or Available CE Managers list.
If the Auto Update Server or Configuration Engine that is managing the selected
device does not appear in the Available AUS Managers or Available CE Managers
list, you can add the Auto Update Server or Configuration Engine in the following
ways:

From the Add New Device page. See Adding an Auto Update Server or
Configuration Engine When Adding a New Device, page 5-38.

From the Add Device from Network page. See Adding an Auto Update Server
When Adding a Device from Network, page 5-39.

From the device properties page, select the General option. See Defining
Device Properties, page 5-53.


Adding an Auto Update Server or Configuration Engine When Adding a New Device
If the Auto Update Server or Configuration Engine that is managing the selected
device does not appear in the Available AUS Managers or Available CE Managers
list, you can add the Auto Update Server or Configuration Engine.
This procedure describes how to add an Auto Update Server or Configuration
Engine when you add a new device.
Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Select File > New Device or click the New Device button in the Device selector.
The Choose Method page of the New Device wizard appears with four options.

Step 3

Select Add New Device, then click Next. The Add New Device page appears.

Step 4

From the IP Type field, select Dynamic.

Step 5

Enter the hostname, domain name, IP address, and display name. For more
information, see Identity, page C-36.

Step 6

Enter the device operating system information, such as OS type, image name,
target OS version, contexts, and operational mode. For more information, see
Operating System, page C-37.

Step 7

Depending on the device type you select, the Auto Update or CNS-Configuration
Engine field appears:

Auto Update - Displayed for PIX Firewall and ASA devices.

CNS-Configuration Engine - Displayed for Cisco IOS routers.

Note

This field is not active for Catalyst 6500/7600 devices and FWSM
devices.

Click the arrow to display a list of servers. Select the server that is managing the device. If the server does not appear in the list, do the following:

a. Click the arrow, then select + Add Server... The Server Properties dialog box appears.

b. Enter the information in the required fields. For a description of the fields on the page, see Server Properties Dialog Box, page C-40.

c. Click OK. The new server is added to the list of available servers.

For a summary of the device types and the server fields associated with them, see Device Types and Associated Servers, page 5-37.
Related Topics

Understanding Auto Update Server and Configuration Engine, page 5-36

Editing the Auto Update Server or Configuration Engine Information,
page 5-40

Adding Devices to the Security Manager Inventory, page 5-30

Adding an Auto Update Server When Adding a Device from Network


If the Auto Update Server that is managing the selected device does not appear in
the Available AUS Managers list, you can add the Auto Update Server.
This procedure describes how to add an Auto Update Server when you add a
device from the network.
Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Select File > New Device or click the New Device button in the Device selector.
The Choose Method page of the New Device wizard appears with four options.

Step 3

Select Add Device from Network, then click Next. The Add Device from
Network page appears.

Step 4

From the Device IP Type field, select Dynamic.

Step 5

Enter the string value that uniquely identifies the device in Auto Update Server in
the Device Identity field.

Step 6

From the CNS Gateway field, click the arrow to display a list of available Auto
Update Servers. Select the Auto Update Server that is running the CNS Gateway
protocol.


Security Manager communicates with the Auto Update Server running the CNS
Gateway protocol to retrieve the IP address of an IOS device, then performs
discovery directly from the device.
Step 7

If the Auto Update Server does not appear in the list, do the following:
a.

Click the arrow, then select + Add Auto Update Server... The Auto Update
Server Properties dialog box appears.

b.

Enter the information in the required fields. For a description of the fields on
the page, see Auto Update Server Properties Dialog Box, page C-13.

c.

After you click OK in the Auto Update Server Properties dialog box, the new
Auto Update Server is added to the list of Available Servers.

Step 8

Enter the display name. For more information, see Device Information
Page - Network, page C-8.

Note

Only Cisco IOS routers with a dynamic IP address can be associated with an Auto
Update Server running the CNS Gateway protocol.

Related Topics

Understanding Auto Update Server and Configuration Engine, page 5-36

Editing the Auto Update Server or Configuration Engine Information,
page 5-40

Adding Devices to the Security Manager Inventory, page 5-30

Editing the Auto Update Server or Configuration Engine Information
You can edit the Auto Update Server or Configuration Engine information in three
ways:

From the device properties page, select the General option. For the
procedure, see Working with Device Policies, page 5-54.


From the Add New Device page. For the procedure, see Editing an Auto
Update Server or Configuration Engine When Adding a New Device,
page 5-41.

From the Add device from Network page. For the procedure, see Editing the
Auto Update Server Information when Adding Device from Network,
page 5-42.

Editing an Auto Update Server or Configuration Engine When Adding a New Device
This procedure describes how to edit the Auto Update Server or Configuration
Engine information when you add a new device to Security Manager.
Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Select File > New Device or click the New Device button in the Device selector.
The Choose Method page of the New Device wizard appears with four options.

Step 3

Select Add New Device, then click Next. The Add New Device page appears.

Step 4

From the IP Type field, select Dynamic.

Step 5

Enter the hostname, domain name, IP address, and display name. For more
information, see Identity, page C-36.

Step 6

Enter the device operating system information, such as OS type, image name,
target OS version, contexts, and operational mode. For more information, see
Operating System, page C-37.

Step 7

Depending on the device type you select, the Auto Update or CNS-Configuration
Engine field appears:

Auto Update - Displayed for PIX Firewall and ASA devices.

CNS-Configuration Engine - Displayed for Cisco IOS routers.

Note

This field is not active for Catalyst 6500/7600 devices and FWSM
devices.


Step 8

Click the arrow in the Auto Update or the CNS-Configuration Engine field, then
select Edit Servers.
The Available Servers dialog box appears. For a description of the fields on the
page, see Available Servers Dialog Box, page C-41.

Step 9

Select the server then click Edit.


The Auto Update Server Properties page or the CNS-Configuration Engine
Properties page appears. For a description of the fields on the page, see Auto
Update Server Properties Dialog Box, page C-13 or CNS-Configuration Engine
Properties Dialog Box, page C-42.

Step 10

Select the field to edit, then enter the changed information.

Step 11

Click OK. The Available Servers dialog box appears.

Step 12

Click OK.

Related Topics

Understanding Auto Update Server and Configuration Engine, page 5-36

Adding an Auto Update Server or Configuration Engine, page 5-37

Adding Devices to the Security Manager Inventory, page 5-30

Editing the Auto Update Server Information when Adding Device from Network
This procedure describes how to edit the Auto Update Server information when
you add a device that is already in the network.
Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Select File > New Device or click the New Device button in the Device selector.
The Choose Method page of the New Device wizard appears with four options.

Step 3

Select Add Device from Network, then click Next. The Add Device from
Network page appears.

Step 4

From the Device IP Type field, select Dynamic.


Step 5

Enter the string value that uniquely identifies the device in Auto Update Server in
the Device Identity field.

Step 6

Click the arrow in the CNS Gateway field, then select Edit Auto Update Server.
The Available Auto Update Server dialog box appears. For a description of the
fields on the page, see Available Auto Update Servers Dialog Box, page C-14.

Step 7

Select the Auto Update Server, then click Edit.


The Auto Update Server Properties appears. For a description of the fields on the
page, see Auto Update Server Properties Dialog Box, page C-13.

Step 8

Select the field to edit, then replace it with the desired information.

Step 9

Click OK.

Related Topics

Understanding Auto Update Server and Configuration Engine, page 5-36

Adding an Auto Update Server or Configuration Engine, page 5-37

Adding Devices to the Security Manager Inventory, page 5-30

Understanding Device Credentials


Security Manager requires certain device credentials for logging in to the device.
When adding a device to the Security Manager database, you are also adding it to
the DCR, which makes the credentials available to all Ciscoworks applications
such as Resource Manager Essentials (RME) or Monitoring Center for
Performance (Performance Monitor). For this reason, the Device Credentials page
includes a wider range of optional fields for credentials that you might want to
store for possible use by these other applications, or ignore if not required for your
purposes.
You can provide device credentials in two ways:

When you add a device into Security Manager.

From the Device Properties page.

For information about the elements in the device credentials page, see Device
Credentials Page, page C-15.


You can provide the following device credentials:

Primary Credentials - Username and password for logging into the device.
This information is required for device communication.

SDEE Credentials - Security Device Event Exchange (SDEE) is a standard
that specifies the format of messages and protocol used to communicate
events generated by security devices. SDEE uses a pull mechanism: requests
come from the network management application and the Intrusion Detection
System/Intrusion Prevention System (IDS/IPS) router responds. SDEE uses
HTTP and XML to provide a standardized interface.
SDEE is used for event management on IPS-supported devices. Security
Manager uses SDEE to query the IPS-supported devices after deployment to
verify that the deployment was successful.

HTTP Credentials - Web browsers and Web servers use HTTP to transfer
files, such as text and graphic files. HTTP credentials are required for devices
that support SDEE. SDEE uses HTTP and XML to provide a standardized
interface. HTTP credentials are optional for other types of devices.

Rx-Boot Mode - (Optional) Some Cisco routers are designed to run from
flash memory where they boot only from the first file in flash. This means that
you must run an image other than that in flash to upgrade the flash image.
That image is a reduced command-set image referred to as Rx-Boot (a
ROM-based image).

SNMP Credentials - (Optional) The Simple Network Management Protocol
(SNMP) is an application-layer protocol that facilitates the exchange of
management information between network devices. It is part of the TCP/IP
suite. SNMP enables network administrators to manage network
performance, find and solve network problems, and plan for network growth.

Note

You can use a maximum of 70 characters to define device credentials. Security
Manager does not restrict the characters you can use to define them. However, you
may not add spaces in passwords.
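The credential rules above (primary credentials required, HTTP credentials required only where SDEE is supported, 70-character limit, no spaces in passwords) can be checked before a record reaches the DCR. The following is an added example, not Security Manager code: the DeviceCredentials field names, the SDEE_CAPABLE set and the required_only helper are assumptions made for illustration. Because the DCR shares stored credentials with other CiscoWorks applications, the helper also shows how to store only the credentials a device type actually needs.

```python
"""Device credential validation, added as an example; not Security Manager code.
The field names and the set of SDEE-capable device types are assumptions."""
from dataclasses import dataclass, replace
from typing import List, Optional

MAX_CREDENTIAL_LEN = 70              # limit stated in the guide
SDEE_CAPABLE = {"IPS", "IOS IPS"}    # assumed: device types that support SDEE
OPTIONAL_FIELDS = ("http_username", "http_password", "snmp_ro_community",
                   "snmp_rw_community", "rxboot_password")


@dataclass
class DeviceCredentials:
    os_type: str
    username: str = ""                        # primary credentials: required
    password: str = ""
    enable_password: Optional[str] = None
    http_username: Optional[str] = None       # required only for SDEE devices
    http_password: Optional[str] = None
    snmp_ro_community: Optional[str] = None   # optional, kept for other CiscoWorks apps
    snmp_rw_community: Optional[str] = None
    rxboot_password: Optional[str] = None


def validate(creds: DeviceCredentials) -> List[str]:
    """Return the rule violations the guide describes; an empty list means valid."""
    problems: List[str] = []
    if not creds.username or not creds.password:
        problems.append("primary username and password are required for device communication")
    if creds.os_type in SDEE_CAPABLE and not (creds.http_username and creds.http_password):
        problems.append("HTTP credentials are required for devices that support SDEE")
    for name, value in vars(creds).items():
        if name == "os_type" or value is None:
            continue
        if len(value) > MAX_CREDENTIAL_LEN:
            problems.append(f"{name}: longer than {MAX_CREDENTIAL_LEN} characters")
        if "password" in name and " " in value:
            problems.append(f"{name}: spaces are not allowed in passwords")
    return problems


def required_only(creds: DeviceCredentials) -> DeviceCredentials:
    """Copy of the record with every optional credential cleared unless the
    device type needs it. The DCR makes stored credentials visible to other
    CiscoWorks applications, so storing only what is required limits exposure."""
    keep = {"http_username", "http_password"} if creds.os_type in SDEE_CAPABLE else set()
    cleared = {name: None for name in OPTIONAL_FIELDS if name not in keep}
    return replace(creds, **cleared)
```

validate() reports every violation at once rather than stopping at the first, which is what an operator correcting a Device Credentials page wants to see.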
Related Topics

Device Credentials Page, page C-15

Adding Devices to the Security Manager Inventory, page 5-30


Working with Device Connectivity Test


In Cisco Security Manager 3.0.1 and earlier, you cannot validate whether a device
that is added to the Security Manager inventory can be reached. Although Security
Manager validates the data you entered, it does not validate whether the data you
entered allows you to contact the device.
In Security Manager 3.1, you can verify, when you are adding the device, whether
Security Manager can contact the device. Security Manager displays the root
cause for any device connectivity failure, such as the transport protocol not being
configured on the device, or invalid or null authentication credentials. If the
connection-related configuration settings result in an invalid configuration, or
prevent Security Manager from contacting and managing the device, you are
prevented from submitting the changes to the database. You need to ensure that
you have complete and valid configurations for these settings, then resubmit your
changes to the database. In addition, you can test device connectivity from the
Device Properties page for devices that have been added previously to the
Security Manager inventory.

Understanding Device Connectivity Test


When you test the communication between Security Manager and devices that
have been, or are being, added to the inventory, Security Manager uses the device
connection timeout and retry count values specified in the Device Communication
page. By default, the device connection timeout is 180 seconds. The timeout is how
long Security Manager attempts to establish a connection with a device before
timing out; the total time spent on the test is this timeout multiplied by the
number of times Security Manager re-attempts establishing a device connection
after timing out. If the device can be reached, Security Manager runs the show
version command on PIX Firewall, Adaptive Security Appliances (ASA), Firewall
Service Modules (FWSM), and Cisco IOS routers, or it executes the getVersion
command on IPS Sensors and Cisco IOS IPS Sensors. You can view the output of
the command to read information about the hardware, software version running
on the device, license agreement, and other system-related parameters. If the
device connectivity test fails, an error message is displayed.
After you enter the device contact information and device credentials in the Add
Device from Network Wizard and close the wizard, or advance to the next step of
the wizard, Security Manager checks whether the device is already running in the
network and is reachable. If device connectivity fails, the device cannot be added

and an error message states that Security Manager cannot communicate with the
device. To correct the connectivity error between Security Manager and the device
you are trying to add, look for common network problems, such as hardware,
media, and booting errors, excessive traffic causing queues to overflow, duplicate
MAC or IP addresses on the device, physical discrepancies, such as link, duplex,
and speed mismatch, or logical discrepancies, such as VLAN and VTP
inconsistencies or ATM network misconfiguration.
Keep the following points in mind while testing whether a device can be reached
from Security Manager:

You can test device connectivity when you add devices (both static and
dynamic IP addresses) using only the Add Device from Network or Add New
Device wizards.

The device connectivity test uses the transport mechanism or protocol
configured for the device. If you configured a default transport protocol for
contacting all Catalyst 6500 Series switches and Cisco 7600 Series routers
from the Device Communication settings page, the same protocol is used to
test whether the device can be reached.

The device connectivity test can be performed for all devices and OS versions
supported by Security Manager. However, if the device is managed by an
Auto Update Server, Token Management Server (TMS) or a
CNS-Configuration Engine, you cannot test connectivity between Security
Manager and the device.

If you chose to connect to the device from Security Manager using device
credentials (on the Device Communication settings page) and did not specify
the username and password for logging in to the device or you entered
incorrect credentials while adding the device, the device connectivity test
fails and an error message is displayed. Make sure that you have valid and
complete configurations by editing the device credentials information.

If you did not configure the transport protocol on the device, the device
connectivity test fails and an error message is displayed. Make sure that you
configure the transport settings on each device that has not been added to the
inventory, or configure the transport protocol from the Device Properties page
of the Security Manager GUI for devices that have been added to the
inventory.


If you configure the device to perform authentication with an external AAA
server, such as Cisco Secure Access Control Server (ACS), and do not enable
command authorization, an error message is displayed when Security
Manager attempts to run the show version command on the device that can
be reached.

While you add a device from the network, the operating system you specify
must be correct for the IP address you enter for the device on the Device
Information page. Otherwise, after you enter the device credentials and click
Next or Finish from the Device Credentials page, an error message is
displayed when device connectivity test is performed. For example, while
adding the device to Security Manager, if you enter the IP address of a
connected live ASA device from the network and choose the OS type as PIX,
an error message states that the OS type you chose is not supported for the
device. To correct the error, make sure that you choose the correct OS type of
the device.
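The test mechanics described under Understanding Device Connectivity Test (timeout multiplied by retries, show version or getVersion by device family) and the failure classes in the list above (server-managed device, transport not configured, null or invalid credentials, command authorization missing, wrong OS type) can be modelled as one reachability check. The following is an added example, not Security Manager code: DeviceRecord, run_connectivity_test, fake_connect, the exception classes, the LAB inventory and the banner strings standing in for real command output are all constructed for illustration. The platform keywords used to recognise the answering device are an assumption.

```python
"""Device connectivity test model, added here as an example. It is not Security
Manager's own code: device records, fake transport and banners are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Version command per device family, as described in the guide.
VERSION_COMMAND = {
    "PIX": "show version", "ASA": "show version", "FWSM": "show version",
    "IOS": "show version", "IPS": "getVersion", "IOS IPS": "getVersion",
}

# Assumed: a keyword in the version output identifies the platform that answered.
PLATFORM_PATTERNS = [
    ("ASA", re.compile(r"Adaptive Security Appliance")),
    ("FWSM", re.compile(r"\bFWSM\b")),
    ("PIX", re.compile(r"\bPIX\b")),
    ("IOS", re.compile(r"Cisco IOS Software")),
]

@dataclass
class DeviceRecord:                   # what the Add Device wizard knows (constructed)
    name: str
    os_type: str                      # OS type chosen by the operator
    transport: Optional[str]          # None models "transport not configured"
    username: str = ""
    password: str = ""
    managed_by: Optional[str] = None  # "AUS", "TMS" or "CE": no test possible

@dataclass
class TestResult:
    ok: bool
    reason: str
    attempts: int = 0
    output: str = ""

class AuthError(Exception): """The device rejected the supplied credentials."""
class CommandAuthzError(Exception): """AAA login succeeded, command not authorized."""

def connection_budget_seconds(timeout_s: int = 180, retries: int = 0) -> int:
    """Worst-case wall-clock time for one test: the 180 s default timeout times the
    retry count; this model counts the first attempt as well as each retry."""
    return timeout_s * (1 + retries)

def detect_platform(version_output: str) -> Optional[str]:
    """Map version-command output to one of the OS types above, or None."""
    for os_type, pattern in PLATFORM_PATTERNS:
        if pattern.search(version_output):
            return os_type
    return None

def run_connectivity_test(device, connect, timeout_s=180, retries=0) -> TestResult:
    """Apply the pre-checks and failure classes the guide lists, then try the
    version command. connect(device, command, timeout_s) is the assumed transport
    hook: it returns output or raises TimeoutError (retried), AuthError or
    CommandAuthzError (reported as the root cause)."""
    if device.managed_by:
        return TestResult(False, f"device is managed by {device.managed_by}; test not available")
    if device.transport is None:
        return TestResult(False, "transport protocol not configured on the device")
    if not device.username or not device.password:
        return TestResult(False, "null primary credentials")
    command = VERSION_COMMAND.get(device.os_type)
    if command is None:
        return TestResult(False, f"unsupported OS type {device.os_type!r}")
    attempts = 0
    for attempts in range(1, 2 + retries):
        try:
            output = connect(device, command, timeout_s)
        except TimeoutError:
            continue                     # retry until the retry count is exhausted
        except AuthError:
            return TestResult(False, "invalid credentials", attempts)
        except CommandAuthzError:
            return TestResult(False, f"'{command}' not authorized by the AAA server", attempts)
        found = detect_platform(output)
        if found is not None and found != device.os_type:
            return TestResult(False, f"OS type {device.os_type} not supported for this "
                                     f"device; it reports {found}", attempts, output)
        return TestResult(True, "reachable", attempts, output)
    return TestResult(False, f"connection timed out after {attempts} attempt(s)", attempts)

# Constructed lab inventory: hostname -> (behaviour, banner the device would print).
LAB = {
    "asa-edge": ("ok", "Cisco Adaptive Security Appliance Software (constructed banner)"),
    "ios-branch": ("ok", "Cisco IOS Software, constructed lab banner"),
    "ios-flaky": ("timeout", ""),      # never answers within the timeout
    "ios-aaa": ("authz", "Cisco IOS Software, constructed lab banner"),
}

def fake_connect(device: DeviceRecord, command: str, timeout_s: int) -> str:
    """Assumed transport hook; real code would open SSH, Telnet or HTTPS here."""
    behaviour, banner = LAB[device.name]
    if behaviour == "timeout":
        raise TimeoutError
    if (device.username, device.password) != ("admin", "lab-password"):
        raise AuthError
    if behaviour == "authz":
        raise CommandAuthzError
    return banner
```

The OS-type check reproduces the guide's own example: a live ASA added with OS type PIX is reported as a mismatch from the version output rather than silently accepted, and the reason string carries the root cause the operator has to fix.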

Verifying Device Connectivity from Security Manager


The following topics describe how to verify connectivity between Security
Manager and the device, depending on how you are adding the device.

Testing Device Connectivity While Adding a Device from the Network,
page 5-47

Testing Device Connectivity While Adding a New Device, page 5-49

Testing Device Connectivity After Adding a Device to Security Manager,
page 5-50

Testing Device Connectivity While Adding a Device from the Network


Security Manager tests whether a device can be reached when you add the device
from the network. The addition of the device to Security Manager inventory is
successful only if device connectivity succeeds. This procedure describes how to
test connectivity when you add a device from the network.


Before You Begin

Prepare the devices to be managed by Security Manager. For more
information, see Preparing the Devices for Security Manager to Manage,
page 5-2.

If you are using ACS for authentication, define the devices in ACS. See
Associating NDGs and Roles with User Groups, page 2-54.

Procedure
Step 1

Click the Device View button on the toolbar.

Step 2

In the Device selector, click the Add button. The New Device wizard opens.

Step 3

Select Add Device(s) from Network, then click Next. The New Device - Device
Information page appears.

Step 4

Enter the device information, such as IP type, IP address, hostname, and so on,
and set discovery options. For more information, see Device Information
Page - Network, page C-8.

Step 5

Click Next to continue. The Device Credentials page appears.

Step 6

Enter primary device credentials, as required. See Device Credentials Page,
page C-15.

Step 7

Do one of the following:

Click Finish.

Click Next to continue.

Security Manager tests device connectivity and displays the progress of the test.
If the device cannot be reached, an error message is displayed; use the error
messages to determine why the device does not respond as expected. Security
Manager prevents you from adding the device to the inventory until you correct
the error.


Testing Device Connectivity While Adding a New Device


When you add a single device to the Security Manager inventory for
preprovisioning, you can test the communication between Security Manager and
the device and correct any connectivity errors before you assign policies to the
device and generate configuration files. This procedure describes how to test
connectivity when you add a new device.
Before You Begin

Prepare the devices to be managed by Security Manager. For more
information, see Preparing the Devices for Security Manager to Manage,
page 5-2.

Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Click the Add button in the Device selector. The New Device - Choose Method
page appears.

Step 3

Select Add New Device, then click Next. The New Device - Device Information
page appears.

Step 4

Enter the device information. For details, see Device Information Page - New
Device, page C-35.

Step 5

Click Next to continue. The Device Credentials page appears.

Step 6

Enter the username and password under Primary Credentials. See Device
Credentials Page, page C-15.

Step 7

Click the Test Connectivity button at the bottom of the page.


The Device Connectivity Test dialog box appears. You cannot perform other tasks
while the device connectivity test is in progress. A test-in-progress indication bar
appears when the connectivity test is running and a counter timer displays the
number of seconds elapsed since the start of the test. The transport protocol used
to test device connectivity, the status of connectivity test, and the time elapsed are
displayed.
For more information, see Device Connectivity Test Dialog Box, page C-20.

Step 8

Do one of the following in the Device Connectivity Test dialog box.

Click Details to display information about the hardware, software version
running on the device, license agreement, and other system-related
parameters.

Tip

You can copy and paste the command output into a file for later analysis.

Click Abort to end the device connectivity test. This button is enabled while
the device connectivity test is in progress.

Click Close to close this dialog box. This button is enabled after the device
connectivity test is completed.

Step 9

Do one of the following:

Click Finish.

Click Next to continue.

Testing Device Connectivity After Adding a Device to Security Manager


If you want to test device connectivity after you add devices to Security Manager,
use the Device Properties page. This procedure describes how to test connectivity
for devices that have been previously added to the inventory.
Procedure
Step 1

Click the Device View button on the toolbar. The Devices page appears.

Step 2

Double-click a device in the Device selector. The Device Properties page appears.

Step 3

Click Credentials from the left pane. The Credentials page appears.

Step 4

Click the Test Connectivity button at the bottom of the page.


The Device Connectivity Test dialog box appears. You cannot perform other tasks
while the device connectivity test is in progress. A test-in-progress indication bar
appears when the connectivity test is running and a counter timer displays the
number of seconds elapsed since the start of the test. The transport protocol used
to test device connectivity, the status of connectivity test, and the time elapsed are
displayed.
For more information, see Device Connectivity Test Dialog Box, page C-20.


Step 5

Do one of the following in the Device Connectivity Test dialog box.

Click Details to open the Details dialog box that displays information about
the hardware, software version running on the device, license agreement, and
other system-related parameters.

Tip

You can copy and paste the command output from the Details dialog box
into a file for later analysis.

Click Abort to end device connectivity test. This button is enabled while
device connectivity is in progress.

Click Close to close this dialog box. This button is enabled after device
connectivity test is completed.

Understanding Device Properties


You define device properties when you add devices to Security Manager. Device
properties are general information about the device, credentials, the group the
device is assigned to, and policy overrides. You must provide some of device
property information, such as device identity and primary credentials, when you
add the device, but you can add other information later from the Device Properties
page.
To open this page, do one of the following:

In the Device selector, double-click a device.

In the Device selector, right-click the device, then select Device Properties.

The Device Properties page has two panes. The left pane contains the General,
Credentials, Device Groups, and Policy Object Overrides options.

General - Contains general information about the device, such as device
identity, the operating system running on the device, and DCS settings.

Credentials - Contains device primary credentials (username, password, and
enable password), SNMP credentials, Rx-Boot Mode credentials, and HTTP
credentials.

Device Groups - Contains the groups to which the device is assigned.



Policy Object Overrides - Contains global settings of certain types of
reusable policy objects, which you can override.

If you click a device property option, the corresponding information is displayed
in the right pane. For information about the elements in this page, see Device
Properties Page, page C-53.
From the Device Properties page you can:

View device properties.

Define device properties. If you did not define the device properties when you
added the device to the Security Manager inventory, you can define them in
this page.

Edit device properties.

Note

Security Manager does not assume that the DNS hostname that appears on the
Device Properties page is the same as the hostname that you configured on
the device.

When you add a device to Security Manager, you must enter either the
management IP address or the DNS hostname. Because it is not possible to
determine the management interface and, therefore, the management IP
address when you discover from a configuration file, the hostname in the
configuration file is used as the DNS hostname. If the hostname is missing in
the CLI of the configuration file, the configuration filename is used as the
DNS hostname.

During live device discovery, the DNS hostname in the Device Properties
page is not updated with the hostname configured on the device. Therefore,
if you want to specify the DNS hostname for the device, you must specify it
manually when you add the device to Security Manager or on the Device
Properties page.

If the DNS hostname or display name of the security context you are
discovering exists in DCR, Security Manager appends it with a _01, _02, and
so on to give it a unique name.
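The hostname rules in the note above (hostname command from the configuration file, the file name as fallback, _01/_02 suffixes for names already in DCR, and no refresh of the DNS hostname during live discovery) are small enough to implement and check directly. The following is an added example, not Security Manager code: the sample configuration, file names and DCR name set are constructed, and stripping the file extension from the fallback name is an assumption. The hostname_drift helper is a defender-side check the guide's note motivates but does not itself describe: it compares the inventory entry against the hostname the device actually reports.

```python
"""DNS hostname derivation and uniqueness rules from the guide, as an added
example (not Security Manager code). Config text, file names and the DCR name
set are constructed; stripping the file extension is an assumption."""
import os
import re
from typing import Optional, Set

HOSTNAME_CMD = re.compile(r"^\s*hostname\s+(\S+)\s*$", re.MULTILINE)


def hostname_from_config(config_text: str, config_filename: str) -> str:
    """Use the hostname command in the configuration; if it is missing, fall back
    to the configuration file name (base name without extension, assumed)."""
    match = HOSTNAME_CMD.search(config_text)
    if match:
        return match.group(1)
    return os.path.splitext(os.path.basename(config_filename))[0]


def unique_name(candidate: str, dcr_names: Set[str]) -> str:
    """Append _01, _02, ... until the name does not collide with one in DCR."""
    if candidate not in dcr_names:
        return candidate
    suffix = 1
    while f"{candidate}_{suffix:02d}" in dcr_names:
        suffix += 1
    return f"{candidate}_{suffix:02d}"


def register(candidate: str, dcr_names: Set[str]) -> str:
    """Reserve a unique DNS hostname in the (constructed) DCR name set."""
    name = unique_name(candidate, dcr_names)
    dcr_names.add(name)
    return name


def hostname_drift(dcr_hostname: str, running_hostname: str) -> Optional[str]:
    """Live discovery does not refresh the DNS hostname, so compare the inventory
    entry against the hostname the device reports; None means no drift."""
    if dcr_hostname.lower() == running_hostname.lower():
        return None
    return f"inventory says {dcr_hostname!r} but device reports {running_hostname!r}"


# Constructed sample configuration (addresses from the documentation range).
SAMPLE_CONFIG = """!
hostname branch-rtr
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""
```

register() mutates the name set so that repeated discoveries of the same context get _02, _03 and so on, matching the behaviour the note describes for security contexts whose names already exist in DCR.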

The following topics describe how to use the Device Properties page:

Defining Device Properties, page 5-53

Working with Device Policies, page 5-54


Defining Device Properties


You can define device properties when you add a device or you can use the Device
Properties page to define them later.
This procedure describes how to define device properties in the Device Properties
page.
Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Do one of the following:

In the Device selector, double-click a device. The Device Properties page
appears.

In the Device selector, right-click the device to display menu options, then
select Device Properties. The Device Properties page appears.

Step 3

Define general information about the device, such as device identity, the operating
system running on the device, and DCS settings:
a.

Click General. The General page appears.

b.

Enter the information in the appropriate fields. For more information, see
General Page, page C-54.

c.

Click Save.

Step 4

Define device credentials, such as username and password:
a.

Click Credentials. The Credentials page appears.

b.

Enter the information in the appropriate fields. For more information, see
Credentials Page, page C-57.

c.

Click Save.

Step 5

Assign groups to a device:
a.

Click Device Groups. The Device Groups page appears.

b.

Enter the device grouping information. For more information, see Device
Groups Page, page C-59.


c.

Click Save.

Step 6

Define policy object overrides:


a.

Click Policy Object Overrides. The Policy Object Overrides folder expands.

b.

Click a policy object. The corresponding page appears in the right pane.

c.

Enter the information in the appropriate fields. For more information, see
Policy Object Override Pages, page C-60.

d.

Click Save.

Related Topics

Understanding Device Properties, page 5-51

General Page, page C-54

Credentials Page, page C-57

Policy Object Override Pages, page C-60

Device Groups Page, page C-59

Working with Device Policies, page 5-54

Working with Device Policies


In Security Manager, a policy is a set of rules or parameters that define a particular
aspect of network configuration. You configure your network by defining policies
on devices (which includes individual devices, service modules, and security
contexts) and VPN topologies (which are made up of multiple devices), and then
deploying the configurations defined by these policies to these devices.
Several policy types might be required to configure a particular solution. For
example, to configure a site-to-site VPN, you might need to configure multiple
policies, such as IPSec, IKE, GRE, and so forth.
Policies are assigned to one or more devices. After a policy is assigned to a device,
any changes to the policy definition change the behavior of the device.
You can use Device view to manage both local policies and shared policies.
For details, see Managing Policies in Device View, page 6-20.


Cloning a Device
A cloned (duplicate) device shares the configurations and properties of the source
device. Cloning a device saves you time because you do not need to re-create
configuration and properties on the new device.
The cloned device shares the device operating system version, credentials, and
grouping attributes with the source device, but it has its own unique identity, such
as display name, IP address, hostname, and domain name. You can clone only one
device at a time.

Note

You cannot clone a Catalyst 6500/7600 device.


This procedure describes how to clone a device.
Procedure

Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Right-click the device in the Device selector to clone, then select Clone. The
Create a Clone of <device name> page appears.

Step 3

Enter the information in the appropriate fields. See Create a Clone of <device
name> Page, page C-52.

Step 4

Click OK. A clone of the source device with its unique display name is created in
the Device selector.

Related Topics

Create a Clone of <device name> Page, page C-52

Copying Policies Between Devices, page 6-23

Deleting Devices from the Security Manager Inventory

Deleting Devices from the Security Manager Inventory
This procedure describes how to delete devices from the Security Manager
inventory.
Procedure
Step 1

Click the Device View button in the toolbar. The Devices page appears.

Step 2

Select the device to delete from the Device selector.

Step 3

Click the Delete button.


A Warning dialog box appears asking if you want to delete the selected nodes and
presents the following two options:

The Delete from DCR check box is selected by default. If you delete a device
with this check box selected, the device is deleted from Security Manager and
from DCR. If you do not want to delete the device from DCR, deselect this
check box.

Click Details to launch the Device Delete Validation Details dialog box to
view details about the device deletion. For more information, see Device
Delete Validation Details Dialog Box, page C-51.

Step 4

Click OK to continue. If validation finds no errors or warnings, the device is
deleted.
If there are errors or warnings, the Device Delete Validation page appears
displaying the status of the deletion.
For more information, see Device Delete Validation Page, page C-49.

Step 5

Look for any warnings listed in the Severity column to determine if you want to
continue.

To see more information on the deletion details, click Details.

To continue with the deletion, click OK to confirm. Otherwise, click Cancel.


Related Topics

Device Delete Validation Page, page C-49

Device Delete Validation Details Dialog Box, page C-51

Understanding Device Grouping


Device grouping enables you to view a subset of devices that you define. By
default, Security Manager provides two Group Types: Department and Location,
and one folder called ALL. The ALL folder contains all of the devices that are
added to Security Manager.

Note

Device groups and subgroups are simple, arbitrary, organizational collections of
devices that you create for more effective network visualization. They are not
policy-sharing entities. They are distinct from the various policy object groups
(for example AAA server group objects, service group objects, and user group
objects). For information on policy objects, see Introduction to Objects, page 8-1.

You can create groups under the default group types, Department and Location,
and assign devices to them or you can create new group types. You can create a
maximum of 10 group types.
You cannot assign a device directly to a group type. You must create a group under
a group type, and then assign a device to that group. For example, under
Department (group type), you can create a group called Finance, and assign
routerx to it (Figure 5-3).

Figure 5-3 Device Groups

You can create subgroups and assign a device to it. For example, under Location,
you can create a group called United States; under United States, you can create
a subgroup called California; and under California, you can create a subgroup
called San Jose and assign routerx to it (Figure 5-3).
You can assign a device to multiple groups. When you do so, that device shows
up in multiple groups in the Device selector. If you assign a device, for example,
routerx, to the San Jose location and to the Finance department (Figure 5-3), that
device, routerx, appears in both of these groups.

Note

The device can be in only one group in a group type. For example, under the group
type, Location, you can assign routerx to San Jose, but you cannot assign routerx
to San Jose and California.
After you assign the device to groups, that device appears in the appropriate
groups and in the ALL folder in the Device selector.
You can assign devices to groups in four ways:

From the Device Grouping page in any of the add device wizards.


From the device group shortcut menu options. See Device Group Shortcut
Menu Options, page C-65.

From the Device Properties page. For more information, see Working with
Device Policies, page 5-54.

From the Tools menu options. Select Tools > Security Manager
Administration > Device Groups.

Related Topics

Working With Device Groups, page 5-59

Adding Devices to Device Groups, page 5-62

Edit Device Groups Page, page C-66

Working With Device Groups


You can create device group types and device groups, delete device groups, and
modify device group names. The following topics describe how to perform these
tasks:

Creating Device Group Types, page 5-59

Creating Device Groups, page 5-60

Deleting Device Group Types, Device Groups, or Subgroups, page 5-61

Creating Device Group Types


Security Manager has two predefined device group types: Location and
Department. You can create device groups under these device group types and
assign a device to them or you can create new group types.

Note

Remember that device group types are the top-level categories in your device
group hierarchy. If you would rather add a device group (lower-level), see
Creating Device Groups, page 5-60
This procedure describes how to create device group types.


Procedure
Step 1

Select File > Edit Device Groups... The Edit Device Groups page opens.

Step 2

Click the Add Type button in the Device Groups page. A new device group type
field is created.

Step 3

Enter a name for this group type, then press Enter.

Step 4

Click OK.

Related Topics

Understanding Device Grouping, page 5-57

Edit Device Groups Page, page C-66

Creating Device Groups


This procedure describes the most direct method to create device groups.

Note

Device groups are the lower-level categories in your device group hierarchy, and
are added either beneath a device group type (top-level) or beneath another device
group. If you would rather add a device type group (top-level), see Creating
Device Group Types, page 5-59.
Procedure

Step 1

In the Device selector, right-click the device group type or a device group under
which you want to create the group, then select New Device Group. The Add
Group dialog box appears. See Add Group Dialog Box, page C-68.

Step 2

Enter a name for this device group, then press Enter.

Step 3

Click OK. The new device group is created beneath the device group type or
device group that you initially right-clicked (Figure 5-3).


Related Topics

Understanding Device Grouping, page 5-57

Add Group Dialog Box, page C-68

Adding Devices to Device Groups, page 5-62

Edit Device Groups Page, page C-66

Deleting Device Group Types, Device Groups, or Subgroups


This procedure describes how to delete device groups, subgroups, or device group
types.
Procedure
Step 1

Do one of the following:

Right-click a device group type or a device group in the Device selector, then
select Edit Device Groups... to display the Edit Device Groups page.

Select File > Edit Device Groups... to display the Edit Device Groups page.

Select Tools > Security Manager Administration > Device Groups to
display the Device Groups page.

Step 2

Click a device group type or device group to delete.

Step 3

Click the Delete button.

Step 4

Click OK.

Note

All device groups and device subgroups beneath the item you delete are also
deleted.

When you delete a device group, or a device subgroup, all devices contained
beneath that group or subgroup are no longer associated with that group type.

You can choose to delete the predefined group types, Location and
Department.


Related Topics

Understanding Device Grouping, page 5-57

Edit Device Groups Page, page C-66

Adding Devices to Device Groups


You must create a device group before you add devices to it. To create groups, see
Creating Device Groups, page 5-60.
This procedure describes how to add devices to a group:
Procedure
Step 1

From the Device selector, right-click the device group to which you want to add
devices, then select Add Devices to Group. The Add Devices to Group page
appears.

Step 2

From the Device Groups pane, select a device, or devices from different device
groups, or select an entire group, then click >>. The individual device or devices
in the selected device group move to the Selected Devices pane.

Step 3

Click OK. The devices in the Selected Devices pane are added to the device group
you initially selected in the Device selector.

Note

A device can be in only one device group in a device group type. If you assign a
device to two groups that belong to one group type, you will get a warning
message.
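The grouping rules in Understanding Device Grouping (at most 10 group types, one group per group type per device, every device listed in ALL), the cascading deletion described in Deleting Device Group Types, Device Groups, or Subgroups, and the one-group-per-type warning in the note above can be checked against a small model. The following is an added example written for this guide, not Cisco Security Manager code; the class and method names (DeviceInventory, add_group, assign, delete_group) are assumptions, and the walkthrough data is constructed from Figure 5-3:

```python
# Added example, not Cisco code: a model of the device grouping rules in this
# chapter (10 group types at most, one group per type per device, cascading
# deletes, ALL folder).  Class and method names are assumptions.
from dataclasses import dataclass, field
from typing import Optional

MAX_GROUP_TYPES = 10  # limit stated in the guide


@dataclass
class Group:
    name: str
    group_type: str
    parent: Optional["Group"] = None
    children: dict = field(default_factory=dict)  # subgroup name -> Group
    devices: set = field(default_factory=set)

    def path(self):
        """Type/Group/Subgroup..., as shown in the Device selector."""
        names, g = [], self
        while g is not None:
            names.append(g.name)
            g = g.parent
        return "/".join([self.group_type] + names[::-1])


class DeviceInventory:
    def __init__(self):
        self.all_devices = set()  # the ALL folder
        self.group_types = {}     # type name -> {top-level group name -> Group}
        self.assignments = {}     # (device, group type) -> Group
        for predefined in ("Department", "Location"):
            self.add_group_type(predefined)

    def add_group_type(self, name):
        if name in self.group_types or len(self.group_types) >= MAX_GROUP_TYPES:
            raise ValueError("cannot add group type %r" % name)
        self.group_types[name] = {}

    def add_group(self, group_type, name, parent=None):
        """A group goes under a group type, a subgroup under another group."""
        container = self.group_types[group_type] if parent is None else parent.children
        if name in container:
            raise ValueError("group %r already exists here" % name)
        container[name] = Group(name, group_type, parent)
        return container[name]

    def assign(self, device, group):
        """A device may be in only one group per group type."""
        key = (device, group.group_type)
        if key in self.assignments:
            raise ValueError("%r is already in %s" % (device, self.assignments[key].path()))
        self.all_devices.add(device)  # every managed device is also in ALL
        group.devices.add(device)
        self.assignments[key] = group

    def delete_group(self, group):
        """Delete a group and all subgroups beneath it; devices under them lose
        the association for this group type but remain in ALL."""
        subtree, stack = [], [group]
        while stack:
            g = stack.pop()
            subtree.append(g)
            stack.extend(g.children.values())
        for g in subtree:
            for device in g.devices:
                del self.assignments[(device, g.group_type)]
        container = self.group_types[group.group_type] if group.parent is None else group.parent.children
        del container[group.name]
        return len(subtree)

    def groups_of(self, device):
        return sorted(g.path() for (d, _t), g in self.assignments.items() if d == device)


def demo():
    """Constructed walkthrough of Figure 5-3: routerx in Department/Finance and in
    Location/United States/California/San Jose."""
    inv = DeviceInventory()
    finance = inv.add_group("Department", "Finance")
    us = inv.add_group("Location", "United States")
    california = inv.add_group("Location", "California", parent=us)
    inv.assign("routerx", finance)
    inv.assign("routerx", inv.add_group("Location", "San Jose", parent=california))
    try:                               # a second Location group is rejected
        inv.assign("routerx", california)
        conflict = None
    except ValueError as err:
        conflict = str(err)
    before = inv.groups_of("routerx")
    removed = inv.delete_group(us)     # cascades to California and San Jose
    extra = 0                          # how many more types fit beside the two predefined ones
    try:
        while True:
            inv.add_group_type("Type%d" % extra)
            extra += 1
    except ValueError:
        pass
    return {"before": before, "conflict": conflict, "removed": removed,
            "after": inv.groups_of("routerx"),
            "in_all": "routerx" in inv.all_devices, "extra_types": extra}
```

Running demo() reproduces the behaviour the text describes: routerx appears under both Department/Finance and Location/United States/California/San Jose, a second Location assignment is refused, deleting United States removes three groups and leaves routerx only in Finance (and in ALL), and only eight further group types fit beside the two predefined ones.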

Related Topics

Understanding Device Grouping, page 5-57

Device Group Shortcut Menu Options, page C-65


Chapter 6

Managing Policies
The following topics describe the concept of policies in Cisco Security Manager
and how to use and manage them.

Understanding Policies, page 6-1

Discovering Policies, page 6-7

Managing Policies in Device View, page 6-20

Working with Shared Policies in Device View, page 6-27

Managing Shared Policies in Policy View, page 6-40

Advanced Policy Features, page 6-49

Understanding Policies
In Security Manager, a policy is a set of rules or parameters that define a particular
aspect of network configuration. You configure your network by defining policies
on devices (which includes individual devices, service modules, and security
contexts) and VPN topologies (which are made up of multiple devices), and then
deploying the configurations defined by these policies to these devices.
Several types of policies might be required to configure a particular solution. For
example, to configure a site-to-site VPN, you might need to configure multiple
policies, such as IPsec, IKE, GRE, and so forth.
Policies are assigned to one or more devices. After a policy is assigned to a device,
any changes to the policy definition change the behavior of the device.


The following topics describe policies in more detail:

Settings-Based Policies vs. Rule-Based Policies, page 6-2

Service Policies vs. Platform-Specific Policies, page 6-3

Local Policies vs. Shared Policies, page 6-4

Policy Management and Objects, page 6-6

Performing Basic Policy Management, page 6-20

Settings-Based Policies vs. Rule-Based Policies


Security Manager policies are structured as either rule-based policies or
settings-based policies.
Rule-Based Policies

Rule-based policies contain one or more rules that govern how to handle traffic on
a selected device, such as the access rules and inspection rules defined as part of
a firewall service. Rule-based policies can contain hundreds or even thousands of
rules arranged in a table, each defining different values for the same set of
parameters. The ordering of the rules is very important, as traffic flows are
assigned the first rule whose definition matches the flow (known as first
matching).
The structure of the rules table depends on whether you configure a local policy
or a shared policy (see Local Policies vs. Shared Policies, page 6-4). If you
configure a local rule-based policy for a single device, the policy contains a flat
table of local rules. If you configure a shared rule-based policy (either in Device
view or Policy view), the table is divided into two sections, Mandatory and
Default. Mandatory rules always precede the default rules. You can define rules
in either section and move rules between sections using cut-and-paste.
When you define certain types of rule-based policies, such as firewall service
policies, you can create a policy hierarchy in which rules located at lower levels
in the hierarchy acquire properties from the rules located above them. This is
known as rule inheritance. For example, you can define a set of inspection rules
that apply globally to all firewalls, while supplementing these rules with
additional rules that can be applied to a subset of devices. By maintaining
common rules in a parent policy, inheritance enables you to reduce the chance of
introducing configuration errors that will cause deployment to fail. For more
information, see Understanding Rule Inheritance, page 6-50.
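To make first matching and the Mandatory/Default ordering concrete, the following added example (not code from Cisco Security Manager) evaluates a flow against a shared rule-based policy that inherits from a parent policy. The rule fields and the order in which an inherited table is flattened (the parent's mandatory rules first, then the child's mandatory and default rules, then the parent's default rules as the fallback) are assumptions made for this illustration, and the corporate and branch rule sets are constructed:

```python
# Added example (not Cisco code): a first-match evaluator that shows how the
# Mandatory and Default sections of a shared rule-based policy, combined with
# rule inheritance, decide which rule a flow is assigned.  The rule fields and
# the merge order used for inherited policies are simplified assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # CIDR network or "any"
    dst: str
    proto: str               # "tcp", "udp" or "ip" (ip matches every protocol)
    dport: Optional[int]     # None matches any destination port
    label: str

    def matches(self, flow):
        proto, src, dst, dport = flow
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return _in_net(src, self.src) and _in_net(dst, self.dst)


def _in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass
class Policy:
    name: str
    mandatory: list
    default: list
    parent: Optional["Policy"] = None

    def effective_rules(self):
        """Flatten the inheritance chain into one ordered table.  Assumed order:
        mandatory rules from the root policy down to this one, then default
        rules from this policy back up to the root, so a parent's mandatory
        rules can never be bypassed by a child and a parent's default rules act
        as the fallback."""
        chain, p = [], self
        while p is not None:
            chain.append(p)
            p = p.parent
        chain.reverse()                      # root policy first
        table = [(p.name, "mandatory", r) for p in chain for r in p.mandatory]
        table += [(p.name, "default", r) for p in reversed(chain) for r in p.default]
        return table


def first_match(policy, flow):
    """Return (action, 'policy/section/label') of the first rule the flow matches."""
    for owner, section, rule in policy.effective_rules():
        if rule.matches(flow):
            return rule.action, "%s/%s/%s" % (owner, section, rule.label)
    return "deny", "implicit-deny"


def demo():
    """Constructed corporate parent policy with a branch child policy."""
    corporate = Policy(
        "corporate",
        mandatory=[Rule("deny", "any", "any", "tcp", 23, "block-telnet")],
        default=[Rule("deny", "any", "any", "ip", None, "corp-deny-all")])
    branch = Policy(
        "branch", parent=corporate,
        mandatory=[Rule("permit", "10.1.0.0/16", "10.2.0.0/16", "tcp", 443, "branch-https")],
        default=[Rule("permit", "any", "10.2.0.0/16", "tcp", 23, "branch-telnet"),   # shadowed
                 Rule("permit", "any", "10.2.0.53/32", "udp", 53, "branch-dns")])
    flows = {  # (protocol, source, destination, destination port)
        "telnet": ("tcp", "10.1.5.5", "10.2.0.10", 23),
        "https": ("tcp", "10.1.5.5", "10.2.0.10", 443),
        "dns": ("udp", "10.1.5.5", "10.2.0.53", 53),
        "smtp": ("tcp", "10.1.5.5", "10.2.0.10", 25),
    }
    return {name: first_match(branch, flow) for name, flow in flows.items()}
```

The telnet flow illustrates the point of the Mandatory section: the branch's own default rule would permit it, but the corporate mandatory rule is evaluated first, so the branch rule is never reached. Moving common rules into the parent in this way is what keeps individual device policies from silently drifting.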

Settings-Based Policies

Settings-based policies contain sets of related parameters that together define one
aspect of security or device operation. For example, when you configure a Cisco
IOS router, you can define a quality of service (QoS) policy that defines which
interfaces are included in the policy, the type of traffic on which QoS is applied,
and the definition of how this traffic should be queued and shaped. Unlike
rule-based policies, which can contain hundreds of rules containing values for the
same set of parameters, you can define only one set of parameters for each
settings-based policy defined on a device.
Related Topics

Understanding Policies, page 6-1

Service Policies vs. Platform-Specific Policies


Security Manager policies are divided into several domains, each of which
represents a major policy category. These domains can be divided into two
categories: service policies and platform-specific policies.
Service policies are divided into the following policy domains:

Firewall.

Site-to-site VPN.

Remote Access VPN.

SSL VPN.

IPS service policies.

For example, the firewall policy domain contains policies for access rules,
inspection rules, and transparent rules, among others. The site-to-site VPN policy
domain contains policies for IKE proposals, IPsec proposals, and preshared keys,
among others. Service policies can be applied to any kind of device, regardless of
platform, although there may be some variation in policy definition depending on
the device type.
Platform-specific policy domains exist for firewall devices (PIX/ASA/FWSM)
and Cisco IOS routers. These two domains contain policies that configure features
that are specific to the selected platform. Not all platform-specific policies are
directly related to security. For example, the Router policy domain contains
routing policies, identity policies (Network Admission Control and 802.1x),
policies related to device administration (DHCP, SNMP, device access), and other
policies such as QoS and NAT.
In the case of Cisco IOS routers, you can choose whether Security Manager
should manage all platform-specific policies. For more information, see Defining
Policy Management Settings, page 2-89.
Related Topics

Understanding Policies, page 6-1

Local Policies vs. Shared Policies


The policies that you configure on devices can either be local or shared. Local
policies refer to policies that are defined for a single device. Any changes that you
make to a local policy affect only that device. Local policies are well-suited to
smaller networks and to devices requiring nonstandard configurations. For
example, you might configure a local policy on a router that requires a different
OSPF routing policy than the one used by the other routers in your network. For
more information about the actions you can perform on local policies, see
Performing Basic Policy Management, page 6-20.
As your network grows, maintaining local policies on each device greatly
increases the effort required to manage these policies in a comprehensive and
efficient manner. To meet this challenge, Security Manager features policy
sharing. With policy sharing, you can create a single policy and assign it to
multiple devices. For more information, see Sharing a Local Policy, page 6-28.

Figure 6-1 Local vs. Shared Policies

For example, if you want all the Cisco IOS routers in your network to implement
the same Network Admission Control (NAC) policy, you need only define a single
NAC policy and share it. You can then assign the shared policy to all the routers
in your network with a single action. For more information, see Modifying Shared
Policy Assignments in Device View, page 6-39.
Any changes that you make to a shared policy are automatically applied to all the
devices to which it is assigned. As a result, shared policies both streamline the
process of policy creation and help maintain consistency and uniformity in your
device configurations.
For more information about the actions you can perform on shared policies, see
Working with Shared Policies in Device View, page 6-27.

Tip

In addition to sharing policies, you can choose to inherit the rules of a rule-based
policy when defining another policy of the same type. This makes it possible, for
example, to maintain a set of corporate access rules that apply to all firewall
devices while providing the flexibility to define additional rules on individual
devices as required. For more information, see Understanding Rule Inheritance,
page 6-50.


Shared Policies and VPNs

In the same way that shared policies facilitate device configuration, they also
facilitate the configuration of VPNs. For example, you can create a shared IPsec
proposal policy and assign it to multiple site-to-site VPNs. Any changes that you
make to the shared policy affect all the VPNs to which the policy is assigned. For
more information, see Managing Shared Site-to-Site VPN Policies in Policy View,
page 9-65.
Related Topics

Understanding Policies, page 6-1

Policy Management and Objects


Objects make it easier to configure policies in Security Manager by providing a
set of values with a logical, easy-to-remember name that can be applied wherever
it is needed. For example, you can define a network/host object called MyNetwork
that contains a set of IP addresses in your network. Whenever you configure a
policy requiring these addresses, you can simply refer to the MyNetwork object
instead of manually entering the addresses each time.
When you define a policy, you can create objects on the fly by clicking the Select
button next to any field that accepts an object as a value. For more information, see
Selecting Objects for Policies, page 8-203. You can also create and manage
objects system-wide from the Policy Object Manager Window, page F-3.
Certain types of objects enable you to override their predefined values at the
device level, which enables you to use an object in a policy while retaining the
ability to customize particular values. For more information, see Overriding
Global Objects for Individual Devices, page 8-197.
For more information about objects and how to use them when defining policies,
see Managing Objects, page 8-1.
Related Topics

Understanding Policies, page 6-1


Discovering Policies
Policy discovery enables you to bring your existing network configuration into
Security Manager to be managed. Policy discovery can be performed by
importing the configuration of a live device or by importing a configuration file.

Note

Security Manager supports only device-generated configuration files for
discovery.
You can initiate policy discovery when you add a device by selecting the relevant
options in the New Device wizard. For more information, see Adding Devices to
the Security Manager Inventory, page 5-30.
You can also initiate policy discovery on existing devices from Device view. For
more information, see Discovering Policies on Devices Already in Security
Manager, page 6-10.
When you initiate policy discovery on a device, the system analyzes the
configuration on the device and then translates this configuration into Security
Manager policies and policy objects so that the device can be managed. Warnings
are displayed if the imported configuration completes only a partial policy
definition. If additional settings are required, you must go to the relevant page in
the Security Manager interface to complete the policy definition. Warnings and
errors are also displayed if the imported configuration is invalid.
After performing policy discovery, you must submit your changes (or approve
your activity when working in Workflow mode) to have the information included
in change reports and to make the information available to other users. For more
information, see Chapter 7, Managing Activities. If you make any changes to
the discovered policies, you must deploy the changes to the device. For more
information, see Chapter 18, Managing Deployment.

Note

Use the Security Manager Administration window to configure discovery-related
settings that apply to all devices. See Defining Discovery Settings, page 2-76.


Policy Discovery and VPNs

In addition to performing discovery on individual devices, Security Manager
allows you to discover the VPNs that are already deployed in your network. A
wizard walks you through the procedure step by step. For more information, see
Site-To-Site VPN Discovery, page 9-13.

Tip

We recommend that you deploy to a file immediately after discovering a VPN.
This enables Security Manager to assume full management of the relevant CLI
commands that are configured on the device.

Note

Discovery cannot be performed on SSL VPNs. Security Manager leaves existing
SSL VPN configurations intact on the device until you deploy SSL VPN policies
configured with Security Manager.
Policy Discovery and Cisco IOS Routers and Catalyst 6500/7600 Devices

Security Manager supports a subset of the complete list of commands available in
the Cisco IOS software, mostly centered on security-related commands. You can
discover all supported Cisco IOS commands. Commands that are not supported
are left in place unless they conflict directly with a policy configured in Security
Manager. For more information about performing policy discovery on Cisco IOS
routers, see Discovering Router Policies, page 14-4. For more information about
performing policy discovery on Catalyst 6500/7600 devices, see Discovering
Policies on 6500 Series and 7600 Series Devices, page 16-6.

Tip

We recommend that you deploy to a file immediately after discovering a Cisco
IOS router. This enables Security Manager to assume full management of the
relevant CLI commands that are configured on the device.
Policy Discovery and Object Groups

When you perform policy discovery, any object groups already configured on
firewall devices (PIX, ASA, and FWSM) are brought into Security Manager as
policy objects. For more information about how Security Manager policy objects
are translated into object groups and vice-versa, see How Policy Objects are
Provisioned as PIX/ASA Object Groups, page 8-211.


Note

A setting in the Security Manager Administration window enables you to
create device-level overrides on all discovered policy objects. This makes it
possible to define a customized version of the policy object on other devices.
For more information, see Defining Discovery Settings, page 2-76.

You can discover objects that have the same definition as existing objects,
regardless of the setting you have defined for detecting redundant objects. For
more information about this setting, see Defining Policy Object Settings,
page 2-91.

Policy Discovery and Access Control Lists

Certain policies in Security Manager support only standard or only extended
ACLs, even if both types are supported by the CLI. In such cases, policy discovery
works as follows:

If the Security Manager policy supports only extended ACLs (for example,
firewall service policies), any standard ACLs configured on the device for
that policy are imported as extended ACLs.

If the Security Manager policy supports only standard ACLs (for example,
SNMP traps on IOS routers), any extended ACLs configured on the device for
that policy are imported as standard ACLs.

During the discovery process, Security Manager will show any inactive ACLs that
are imported as disabled. If you later deploy these disabled ACLs, they are
removed from the device configuration.
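The following added example (not Cisco code) shows what importing a standard ACL as an extended ACL amounts to: a standard IOS entry tests only the source address, so each line maps to an extended entry with protocol ip, the same source, and destination any. The function names and the sample ACL are constructed for this example. The reverse direction (extended to standard) is not shown because a standard ACL cannot express the destination, protocol and port tests an extended entry carries.

```python
# Added example (not Cisco code): what "imported as an extended ACL" means for
# a standard IOS ACL.  A standard entry tests only the source address, so it
# has an exact extended equivalent: protocol ip, the same source, destination
# any.  Function names and the sample lines are constructed for this example.
import re

# access-list <1-99|1300-1999> permit|deny  any | host A.B.C.D | A.B.C.D [wildcard]  [log]
_STANDARD = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?(?:\s+(log))?$")


def parse_standard_entry(line):
    """Return (number, action, source-spec, log) for one standard ACL line."""
    m = _STANDARD.match(line.strip())
    if not m:
        raise ValueError("not a standard ACL entry: %r" % line)
    number, action, addr, second, log = m.groups()
    number = int(number)
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError("%d is not a standard ACL number" % number)
    if second == "log":                 # "A.B.C.D log": no wildcard given
        second, log = None, "log"
    if addr == "any":
        source = "any"
    elif addr == "host":
        source = "host %s" % second
    elif second is None or second == "0.0.0.0":
        source = "host %s" % addr       # a bare address means an exact host
    else:
        source = "%s %s" % (addr, second)
    return number, action, source, log is not None


def standard_to_extended(lines, extended_number):
    """Rewrite standard entries as the equivalent extended entries."""
    if not (100 <= extended_number <= 199 or 2000 <= extended_number <= 2699):
        raise ValueError("%d is not an extended ACL number" % extended_number)
    out = []
    for line in lines:
        if not line.strip() or line.strip().startswith("!"):
            continue                    # blank lines and comments
        _, action, source, log = parse_standard_entry(line)
        out.append("access-list %d %s ip %s any%s"
                   % (extended_number, action, source, " log" if log else ""))
    return out


# Constructed sample of a standard ACL as it might appear in a running-config.
SAMPLE_STANDARD_ACL = """\
! management stations allowed to poll SNMP
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny host 192.0.2.7 log
access-list 10 permit any
"""


def demo():
    return standard_to_extended(SAMPLE_STANDARD_ACL.splitlines(), 110)
```

The rewritten entries match exactly the packets the standard entries matched, which is why the import is lossless in this direction; the number change (10 to 110 here) only reflects the numbered-ACL ranges IOS reserves for each type.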
Related Topics

Frequently Asked Questions about Policy Discovery, page 6-13

Viewing Policy Discovery Task Status, page 6-12

Overriding Global Objects for Individual Devices, page 8-197


Discovering Policies on Devices Already in Security Manager


This procedure describes how to discover policies on devices that were already
added to Security Manager.
You might initiate policy discovery on existing devices when:

You discover out-of-band changes in the network, for example, changes to
device configurations using CLI commands. In such a situation, you can
rediscover existing policies on the device to make sure that the Security
Manager database has the most current information. We recommend entering
out-of-band changes in Security Manager rather than performing rediscovery.

You want to discover a subset of policies (for example, platform-specific
settings) that was not discovered when you first added the device to Security
Manager.

You want to import the factory-default configuration of a firewall device. For
more information, see Understanding Factory-Default Configurations,
page 15-2.

Caution

If you perform policy discovery on a device after configuring policies in Security
Manager, the discovered policies overwrite the information you previously
configured.
For example, if you select the option to discover platform-specific settings, the
resulting configuration overwrites any platform-specific policies you configured
in Security Manager. This is true even if the discovered configuration does not
include the specific platform-specific policy you configured. To take one possible
case, discovering platform-specific settings overwrites any routing policies you
have configured for the device in Security Manager, even if the configuration you
discover does not contain any routing information.
Another result of rediscovery is that any shared policies that were configured on
the device are replaced by the local policies that are discovered.
Procedure

Step 1

In Device view, select a device from the Device selector.

Step 2

Do one of the following:


Select Policy > Discover Policies on Device.

Right-click a device in the Device selector, then select Discover Policies on
Device.

The Create Discovery Task dialog box is displayed. See Table D-13 on page D-17
for a description of the fields in this dialog box.
Step 3

(Optional) Modify the default name assigned to the discovery task. The default
name is based on the date and time the task is initiated.

Step 4

Select the type of policy discovery to perform:

Live Device: Discovery is performed on the live device.

Config File: Discovery is performed using a configuration file. Enter the
path to the file, or click Browse to navigate to the file.

Factory Default Configuration: Discovery is performed using a file
containing the factory-default configuration for the selected device.

Tip

We recommend that you use the Factory Default Configuration settings
when performing policy discovery on firewall devices (PIX, ASA, and
FWSM) added manually or from the DCR. For more information about
factory-default policies, see Understanding Factory-Default
Configurations, page 15-2.

Step 5

(Optional) Under Policies to Discover, refine the scope of the discovery task by
selecting or deselecting the following check boxes:

Inventory: Discovers basic device information (such as hostname and
domain name), interfaces, and security contexts on devices running in
multiple mode. On Cisco IOS routers, this option also discovers all
interface-related policies, such as DSL, PPP, and PVC policies.

Platform Settings: Discovers platform-specific policies, such as routing
policies.

Firewall Services: Discovers firewall service policies, such as access rules
and inspection rules, on all platforms.

RA VPN: Discovers remote access VPN policies, such as IKE proposals and
IPsec proposals.

IPS: Discovers IPS policies, such as signatures and virtual sensors.


Note

For more information about the difference between different types of
policies, see Service Policies vs. Platform-Specific Policies, page 6-3.

By default, all options relevant to the device type are selected.


Step 6

Click OK. The discovery task is initiated. You cannot perform other tasks in
Security Manager while discovery is in progress.

Note

If you are discovering policies on a Catalyst 6500/7600 device, you must
proceed as described in Adding Catalyst 6500/7600 Devices from the
Network, page 5-33.

When the task is complete, a message box is displayed. Click OK to close this
message box or click Status Detail to view the Discovery Status window. For
more information, see Viewing Policy Discovery Task Status, page 6-12.

Related Topics

Discovering Policies, page 6-7

Frequently Asked Questions about Policy Discovery, page 6-13

Understanding Policies, page 6-1

Managing Policies in Device View, page 6-20

Managing Shared Policies in Policy View, page 6-40

Viewing Policy Discovery Task Status


When you initiate policy discovery a discovery task is created. For each policy
discovery initiation, only one task is created regardless of the number of devices
being discovered.
You can view the status of the current policy discovery task in the Discovery
Status dialog box, which opens automatically when the task is initiated. This
dialog box provides updated status information about the discovery task,
including summary information about the task and details about each device being
discovered.

You can abort a discovery task, if required. When you perform policy discovery
on a single device, aborting the task results in partial discovery. In such cases, we
recommend deleting the information and starting again. When you perform policy
discovery on multiple devices, any devices for which discovery was completed
before you aborted the operation are fully discovered. Security Manager
automatically discards the information for any partially discovered device.
The Discovery Status dialog box also displays the appropriate warning and error
messages if any problems are encountered during the discovery process. For
example, if the CLI commands in a configuration file do not define a complete
Security Manager policy, a warning message is displayed that you must complete
the policy definition in the relevant Security Manager policy page.
For more information, see Discovery Status Dialog Box, page D-19.
To view information about previous discovery tasks, open the Policy Discovery
Status dialog box. For more information, see Policy Discovery Status Page,
page Q-2.
Related Topics

Discovering Policies on Devices Already in Security Manager, page 6-10

Frequently Asked Questions about Policy Discovery, page 6-13

Discovering Policies, page 6-7

Frequently Asked Questions about Policy Discovery


These questions and answers describe how policy discovery processes your device
configurations into Security Manager policies:

How does policy discovery work?

When should I discover policies?

How can I determine the results of the discovery?

Does Security Manager show which commands are not discovered, and what
can I do about them?

How are discovered policies reflected in the user interface?

I am using Auto Update Server for my PIX or ASA devices. How do I
discover policies?

I am using Cisco Secure ACS to manage authentication and authorization to
Security Manager. How does this affect policy discovery?

What should I do after discovering VPN or router platform policies?

If I discover policies on a device and then deploy the policies from Security
Manager without changing them, what is the difference between the original
configuration on the device and the one that exists after the deployment?

How does Security Manager handle my current CLI naming schemes for
ACLs and object groups?

Are all configuration commands discovered and brought into Security
Manager?

If I rediscover policies on a device already in Security Manager, what
happens to the policies assigned to the device?

Does Security Manager use existing policies and objects during policy
discovery?

What do I need to know about security contexts on PIX 7.0 and ASA devices
in terms of policy discovery?

What do I need to know about security contexts for Firewall Services
Modules (FWSMs) on Catalyst 6500 switches and 7600 routers when I add
them and discover policies?

After adding a device and discovering policies, I cannot submit my changes
to the database; instead I get warnings such as Connection Policies Not Set.
What must I do to complete the device addition?

Can I import policies from my existing VPN/Security Management Suite
(VMS) 2.x products into Security Manager?

Why does the AAA policy not show the AAA configuration that I discovered
on the device?

Can I discover AAA servers on devices running IOS software that were
configured using the server-private command?

What do I need to know about discovery and device hostnames?

Q. How does policy discovery work?

A. After you select the device whose policies, settings, and interfaces
(inventory) you want to discover, Security Manager obtains the running
configuration (from live devices) or the supplied configuration (when
discovering from configuration files) and translates the CLI into Security
Manager policies and objects. The imported configuration is added to the
Configuration Archive as the initial configuration for the device. After
discovery, you can review the discovered policies and objects and decide
whether to commit them to the database. If you dislike them, you can discard
them instead. Please note that commit and discard affect all discovered
devices as a group and cannot be implemented on a per-device basis.
Q. When should I discover policies?

A. Typically, you should discover policies when you add devices to Security
Manager. However, if you are creating devices in Security Manager (instead
of importing live devices or configuration files), you must perform policy
discovery after adding the device. You should also perform policy discovery
in order to synchronize Security Manager with any out-of-band changes that
have been made to the device, for example via the CLI.

Q. How can I determine the results of the discovery?

A. When you initiate a discovery task, a window opens that shows you the
discovery status and results. You can also view a history of discovery task
results on the Policy Discovery Status page (select Tools > Policy Discovery
Status).

Q. Does Security Manager show which commands are not discovered, and what
can I do about them?

A. In the task status window, go to the Message Summary section, then select
Commands Not Discovered. Any undiscovered commands are listed in the
Description field.

Q. How are discovered policies reflected in the user interface?

A. Security Manager converts the device commands into policies. There is no
difference in appearance between a policy discovered from a device
configuration and one defined directly in Security Manager.
Q. I am using Auto Update Server for my PIX or ASA devices. How do I
discover policies?

A. If a device has a static IP address, you can discover policies from the device.
If it has a dynamic IP address, you must discover policies from the device's
configuration file (offline).

Q. I am using Cisco Secure ACS to manage authentication and authorization to
Security Manager. How does this affect policy discovery?

A. You must add all managed devices to Cisco Secure ACS before you can
perform policy discovery and manage these devices in Security Manager.
This includes security contexts on PIX/ASA/FWSM devices. For more
information, see Adding Managed Devices as AAA Clients in Cisco Secure
ACS, page 2-41.
Q. What should I do after discovering VPN or router platform policies?

A. Due to the way these features are discovered, Security Manager does not
assume management of discovered VPN and router platform policies until
after it deploys them. This means that if you discover a router, unassign one
of its policies, and deploy, no commands are removed from the router's
configuration. We recommend, therefore, that you perform deployment to a
file immediately after discovering VPN or router platform policies, before
you make any changes to those policies. After this initial deployment, you can
reconfigure these policies and deploy your changes as required.

Q. If I discover policies on a device and then deploy the policies from Security
Manager without changing them, what is the difference between the original
configuration on the device and the one that exists after the deployment?

A. Typically, there will be no differences between the new configuration and
your original one, assuming you set up FlexConfigs for any unsupported CLI
commands (since they are not displayed in Security Manager). However, in
certain cases minor changes might occur in your ACL or object-group naming
schemes. For more information, see How Policy Objects are Provisioned as
PIX/ASA Object Groups, page 8-211. In addition, any discovered objects that
are not being used by a policy are removed from the configuration. There can
also be instances where the new configuration is functionally equivalent to
the old one but does not use the same commands.
Q. How does Security Manager handle my current CLI naming schemes for
ACLs and object groups?

A. When you discover policies from a device, Security Manager tries to use the
same names you have used. However, depending on your naming scheme,
some minor differences might occur between what you defined on your
device and the policies created through discovery. Additionally, there is a
possibility that a naming conflict can occur between an existing ACL or
object on the device and the name required for the new policy or object; in
this case, Security Manager generates a different name so as not to
misconfigure the device. For example, if the name of a discovered object
conflicts with an object of the same type that already exists in Security
Manager, a suffix is added to the name of the new object to make it unique or
a device-level override is created.

Q. Are all configuration commands discovered and brought into Security
Manager?

A. No. Security Manager does not discover all device configuration commands.
Instead, it discovers security policies. For any configuration commands not
discovered, use the FlexConfig feature to include the commands that Security
Manager does not support.
Q. If I rediscover policies on a device already in Security Manager, what
happens to the policies assigned to the device?

A. If you rediscover policies on a device that you are already managing with
Security Manager, the newly discovered policies replace the ones assigned to
the device. All policies within the selected policy domain (firewall services,
platform settings, or both) are replaced, not just the ones that are different on
the device compared to the ones in the Security Manager database. If you
assigned shared policies to the device, the assignment is removed and the
shared policy is left unchanged (so that other devices that use the shared
policy are not affected). After policy discovery, all policies assigned to the
device are specific to that device; none of them are shared with other devices.
If you want to use shared policies with the device, you must redo the
assignments after policy discovery.

Q. Does Security Manager use existing policies and objects during policy
discovery?

A. During policy discovery, Security Manager uses existing policy objects (ones
that you already defined in Security Manager) when creating policies for the
device. However, Security Manager does not reuse existing policies; all
policies created during discovery are local to the device being discovered.
Thus, you might find it beneficial to define your policy objects (such as
network objects) before adding devices to Security Manager.
Q. What do I need to know about security contexts on PIX 7.0 and ASA devices
in terms of policy discovery?

A. On devices running PIX 7.0 or ASA software, you can create security
contexts, which act like independent firewalls. When you add a device that
has security contexts, you should discover all contexts and policies at the
same time; otherwise, you will have to discover policies for each context
separately. When you add the device, select MULTI for Context and do not
select Security Context of Unmanaged Device. (If you select this option, only
the admin context is imported, and it has no relationship to other security
contexts on the device; select this option only if you want to manage the
security context independently from the parent device.) Depending on how
you add the device, you might need to select the option to discover security
contexts. During discovery, Security Manager identifies each security context
and adds it as a separate device to the device list, appending the security
context name to the end of the parent's name; for example, if the parent is
pix_141, the admin context would be pix_141_admin. When managing
PIX 7.0 and ASA devices in Security Manager, you can create new security
contexts, or delete existing contexts, as well as creating and deleting policies
for those contexts.
Q. What do I need to know about security contexts for Firewall Services
Modules (FWSMs) on Catalyst 6500 switches and 7600 routers when I add
them and discover policies?

A. On FWSMs, you can create security contexts, which act like independent
firewalls. If you use this feature and are running IOS software on the chassis,
add the chassis device using the SSH credentials for the chassis. Then
Security Manager can identify each FWSM on the chassis, and give you the
option to add each of them. During FWSM discovery, Security Manager
discovers the security contexts for each FWSM, including the policies for the
FWSM and for each context. In the device list, each security context is listed
separately and the name of the context is appended to the name of the FWSM
on which it is defined. (For example, Cat6K_FW_4 might be the FWSM, and
Cat6K_FW_4_context1 would be the context1 security context.) You should
always perform policy discovery on the chassis, not on the individual FWSM,
so that Security Manager can discover the inventory. However, if you are
running the Catalyst OS on the device, you must add the FWSM as a
standalone device instead of adding the chassis, since Security Manager does
not support the Catalyst OS.
Q. After adding a device and discovering policies, I cannot submit my changes
to the database; instead I get warnings such as Connection Policies Not Set.
What must I do to complete the device addition?

A. When you add a device and discover policies (particularly when you add
devices from configuration files), Security Manager warns you if the resulting
configuration is incomplete in ways that will prevent it from successfully
managing the device. Connection policies, for example, are simply the device
credentials (user names and passwords) required to log into the device, as
well as other connection-related configuration settings (such as HTTP
settings). Because these missing settings result in an invalid configuration or
prevent Security Manager from contacting and managing the device later, you
are prevented from submitting the changes to the database. Ensure that you
have complete and valid configurations for these settings, then resubmit your
changes to the database.
Q. Can I import policies from my existing VPN/Security Management Suite
(VMS) 2.x products into Security Manager?

A. No, you cannot. Instead, add the devices that you were managing with VMS
into Security Manager and run policy discovery on them to add their policies
to Security Manager.

Q. Why does the AAA policy not show the AAA configuration that I discovered
on the device?

A. The AAA policy contains the default configurations for authentication,
authorization, and accounting. Other AAA commands that specify a
particular list name are mapped to the policies that reference them. If the list
name is not referenced by a policy, it is not discovered.

Q. Can I discover AAA servers on devices running IOS software that were
configured using the server-private command?

A. Yes, you can discover these servers. However, Security Manager converts
them into standard AAA servers that can be used globally or in multiple AAA
server groups. The server-private command is not supported.

Q. What do I need to know about discovery and device hostnames?

A. When you discover a device, the hostname policy is populated with the
hostname discovered on the device. However, the hostname listed in Device
Properties is not updated with this value. For more information, see
Understanding Device Properties, page 5-51.


Managing Policies in Device View


You can use Device view to manage both local policies and shared policies, as
described in the following sections:

Performing Basic Policy Management, page 6-20

Working with Shared Policies in Device View, page 6-27

To access Device view, select View > Device View or click the Device View
button on the toolbar.
Related Topics

Understanding the Device View, page 5-24

Managing Shared Policies in Policy View, page 6-40

Advanced Policy Features, page 6-49

Understanding Policies, page 6-1

Performing Basic Policy Management


The following topics describe the operations you can perform on local policies in
Device view:

Configuring Local Policies in Device View, page 6-21

Copying Policies Between Devices, page 6-23

Unassigning a Policy, page 6-25

Local policies are policies that are specific to the device or VPN topology on
which they are configured. They are not shared by other network elements.
Related Topics

Working with Shared Policies in Device View, page 6-27

Managing Shared Policies in Policy View, page 6-40

Understanding Policies, page 6-1


Configuring Local Policies in Device View


Use Device view to configure local platform and service policies on individual
firewall devices and Cisco IOS routers. Each policy defines a particular
configuration or security task that the device can perform, such as NAT, OSPF
routing or inspection rules. Local policies are unnamed and are particular to the
individual device on which they have been defined. Any changes that you make
to a local policy do not affect other devices that Security Manager is managing.
When you configure a policy, a lock is placed on that policy to prevent other users
from making changes to the same policy at the same time. See Understanding
Locking, page 6-55.
You can modify any local policy assigned to a particular device, provided you
have permissions to modify policies and to access that device. For more
information about permissions, see Setting Up User Permissions, page 2-3.
After configuring a policy, you must deploy the changes to the device in order to
make them active on that device. For more information, see Chapter 18,
Managing Deployment.
Procedure

Step 1 In Device view, select a device from the Device selector, then select a
policy for that device from the Device Policies selector. The details of the
policy appear in the work area.

Note For more information about Device view, see Understanding the Device
View, page 5-24.

Step 2 Modify the definition of the policy as required. For more information,
see:

Chapter 9, Managing Site-to-Site VPNs.

Chapter 10, Managing Remote Access VPNs.

Chapter 11, Managing SSL VPNs.

Chapter 12, Managing Firewall Services.

Chapter 13, Managing IPS Services.

Chapter 14, Managing Routers.

Chapter 15, Managing Firewall Devices.

Chapter 16, Managing Catalyst Devices.

Chapter 17, Managing IPS Devices.

Step 3 Click Save to save your changes to the server.

If this is the first time you are configuring this policy on this particular
device, the icon next to the selected policy changes to indicate that the policy
is configured and assigned locally to the device. For more information about
policy status icons, see Table 6-1 on page 6-22.

Note To deploy the configured policy to the device, see Working with
Deployment, page 18-35.

Related Topics

Managing Policies in Device View, page 6-20

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Policy Status Icons


You can learn the status of any policy in Security Manager at a glance by viewing
the icon displayed next to the policy name, as shown in Table 6-1.
Table 6-1 Policy Status Icons

Icon (empty): The policy is not configured. Upon deployment, any policy of
this type already present on the device is effectively removed.

Icon (local policy): A local policy is configured. The definition of this policy
affects only the device/VPN topology on which it is configured.

Icon (shared policy): A shared policy is configured. Any changes to the
definition of this policy affect all of the devices/VPN topologies to which this
policy is assigned.

Related Topics

Understanding Policies, page 6-1

Copying Policies Between Devices


Security Manager enables you to streamline device configuration by copying
multiple policies, or even a complete set of policies, from one device to others of
the same type. This makes it easy, for example, to quickly configure a new firewall
device with the same policies configured on an existing firewall device.
When you copy policies between devices, those policies that are local on the
source device are copied locally to the target device. Shared policies assigned to
the source device are copied as shared policies to the target device as well.

Tip If your intention is to assign a single shared policy to additional devices, we
recommend that you use the assignment feature, rather than copying. For
more information about sharing policies in Device view, see Modifying
Shared Policy Assignments in Device View, page 6-39.

To create a new device of the same type that shares the same configuration
and properties (including device operating system version, credentials, and
grouping attributes) as the source device, use the Clone Device feature. For
more information, see Cloning a Device, page 5-55.


Procedure

Step 1 In Device view, select a device from the Device selector.

Step 2 Do one of the following:

Select Policy > Copy Policies Between Devices.

Right-click a device in the Device selector, then select Copy Policies
Between Devices.

The Copy Policies wizard is displayed.

Step 3 On the Copy Policies from this Device page (Table D-4 on page D-7),
select the source device from which to copy policies, then click Next. The
Copy Policies to these Devices page (Table D-5 on page D-8) is displayed.

Note If you selected a device before selecting the Copy Policies Between
Devices command, you are automatically brought to the second page of the
wizard. You can click Back to return to the first page to select a different
device.

Step 4 Select the target devices to which you want to copy policies from the
source device, then click Next. The Select Policies to Copy page (Table D-6 on
page D-9) is displayed.

Step 5 (Optional) If you do not want to copy certain policies, deselect the check
box next to those policies. By default, all policy types that are configured on
the source device (local and shared) are selected for copying.

Note When you copy policies between firewall devices, copying the interfaces
policy automatically copies the failover policy and vice-versa.

Step 6 Click Finish. A warning message is displayed, asking you to confirm the
operation.

Step 7 Click Yes. The selected policies are copied from the source device to the
target device.

Note An error message is displayed if the target devices are locked by another
user or activity, or if you lack the required permissions.

Related Topics

Managing Policies in Device View, page 6-20

Configuring Local Policies in Device View, page 6-21

Unassigning a Policy

If you unassign a policy that has already been deployed to a device, in most cases
the values that are defined for the policy are erased, effectively removing the
policy from the device's planned configuration. When you perform deployment,
the configuration for this feature that already exists on the device is removed.
The exact behavior depends on the type of policy that you unassign:

Firewall service policies: If you unassign a policy, Security Manager erases
the policy from the device.

VPN policies:

  Site-to-site VPN policies: You cannot unassign mandatory site-to-site
  VPN policies from the devices in the topology. If you unshare a
  mandatory policy, Security Manager assigns default values to the
  affected device. If you unassign an optional policy, Security Manager
  erases the configuration from the device. For more information, see
  About Mandatory and Optional Policies, page 9-9.

  Remote access VPN policies: If you unassign a policy, Security
  Manager erases the policy from the device, even if it is a mandatory
  policy. In most cases, deployment fails if you do not create a new
  definition for the mandatory policy. In those cases where deployment
  does not fail, the device will fail to establish VPN tunnels.

  SSL VPN policies: If you unassign a policy, Security Manager erases
  the policy from the device.

Catalyst 6500/7600 policies: Interface and VLAN policies cannot be shared
or unassigned. If you unassign a platform policy (such as IDSM settings or
VLAN access lists), Security Manager removes the policy from the device.

IPS policies: For all IPS device and service policies, a default policy is
assigned to the device.

PIX/ASA/FWSM policies: Policies that you cannot share with other devices
cannot be unassigned from the device on which they are created. This
includes interface, failover, security context, and resource policies. For other
policy types (such as timeout policies), Security Manager makes a best effort
to restore the system default configuration on the device.

IOS router policies: Core connectivity policies, such as basic interface
settings and accounts and credentials policies, cannot be unassigned from the
device on which they are created. If you unassign a VTY or console policy,
Security Manager restores a default configuration to ensure continued
communication with the device. For all other policy types, if you unassign the
policy, Security Manager erases the configuration from the device.

Procedure

Step 1 Select a device from the Device selector.

Step 2 Right-click a local policy assigned to the device from the Device Policies
selector, then select Unassign Policy.

Note You cannot use this command to unassign a device access policy on a
Cisco IOS router. If you unassign a device access policy that was used to
define the password for configuring the device, you might prevent
Security Manager from configuring that device in the future. For more
information, see User Accounts and Device Credentials on Cisco IOS
Routers, page 14-75.

A message is displayed, warning that you are about to unassign the current policy.

Step 3 Click OK. The icon next to the selected policy reverts to an empty icon to
show that the policy was removed from the device's planned configuration. For
more information about policy status icons, see Table 6-1 on page 6-22.


Related Topics

Configuring Local Policies in Device View, page 6-21

Copying Policies Between Devices, page 6-23

Managing Policies in Device View, page 6-20

Working with Shared Policies in Device View


Sharing policies makes it possible to configure multiple devices with common
policies, which provides greater consistency in your policy definitions and
streamlines your management efforts. Any changes to a shared policy affect all
the devices and VPN topologies to which the policy is assigned. This makes it
easy, for example, to update all of your Cisco IOS routers with new quality of
service policies by updating the shared Quality of Service policy assigned to these
devices.
When working in Device view, you can take a local policy (such as a policy
created during device discovery) and share it. You can then assign the shared
policy to as many devices as you want (provided they are not locked by another
user; see Understanding Locking, page 6-55), and you can change these
assignments at any time.
In addition, you can take a shared policy that is assigned to a device and turn it
into a local policy for that particular device. This enables you to create a special
configuration that affects only that device. Other devices assigned the shared
policy continue to use the shared policy as before.

Note As an alternative to sharing local policies, you can create new shared
policies in Policy view. For more information, see Creating a New Shared
Policy, page 6-45. After creating the shared policy and assigning it to devices
in Policy view, you can return to Device view and perform additional
operations on the policy, as described in the sections that follow.

The following topics describe how to share policies and the operations that can be
performed on them:

Sharing a Local Policy, page 6-28

Sharing Multiple Policies of a Selected Device, page 6-30

Unsharing a Policy, page 6-32

Assigning a Shared Policy to a Selected Device, page 6-33

Adding Local Rules to a Shared Policy, page 6-34

Copying a Shared Policy, page 6-36

Renaming a Shared Policy, page 6-37

Modifying Shared Policy Definitions in Device View, page 6-38

Modifying Shared Policy Assignments in Device View, page 6-39

Shared policies can also be created and managed at the network level using Policy
view. For more information, see Managing Shared Policies in Policy View,
page 6-40.
Related Topics

Understanding Policies, page 6-1

Managing Policies in Device View, page 6-20

Sharing a Local Policy


As your network grows, you might decide to convert a local policy into a shared
policy that you can assign to multiple devices. Sharing a policy provides a
streamlined management approach that ensures that all devices assigned to the
policy are configured in a consistent manner. For example, if you configure a set
of firewall inspection rules on a particular device, sharing that device's inspection
rules policy makes it possible to assign that policy to other devices, eliminating
the need to configure each device individually. See Assigning a Shared Policy to
a Selected Device, page 6-33.
In addition, having a shared policy enables you to update the configurations of
each assigned device at one time, saving time and promoting greater consistency
across your set of managed devices.
When you share a policy, you must name the policy. (Local policies do not have
names, because they are associated with only a single device.) This enables you
to identify this policy when managing shared policies in Policy view.


Procedure

Step 1 In Device view, select a device from the Device selector, then select a
local policy for that device from the Device Policies selector. The details of
the policy appear in the work area.

Step 2 Do one of the following:

Select Policy > Share Policy.

Right-click the local policy, then select Share Policy.

The Share Policy dialog box is displayed. See Table D-1 on page D-2 for a
description of the fields in this dialog box.

Step 3 Enter a name for the shared policy. Policy names can contain up to 255
characters, including spaces and special characters.

Step 4 Click OK to save the policy as a shared policy.

In the Device Policies selector, the icon next to the selected policy type changes
to show that the policy is now a shared policy. For more information about policy
status icons, see Table 6-1 on page 6-22.
Additionally, a header is added to the work area above the policy definition
details. This header contains several important pieces of information: the name of
the policy (and its inheritance, if applicable) and the number of devices to which
the policy is assigned (including the selected device), as well as user privilege and
lock indicators (see Understanding Locking, page 6-55), where applicable. You
can use the links contained in the header as follows:

Click the link in the policy name to select a different shared policy to assign
to the selected device. See Assigning a Shared Policy to a Selected Device,
page 6-33.

Click the link in the number of assigned devices to edit the list of devices to
which the policy is assigned. See Modifying Shared Policy Assignments in
Device View, page 6-39.

Related Topics

Assigning a Shared Policy to a Selected Device, page 6-33

Unsharing a Policy, page 6-32

Adding Local Rules to a Shared Policy, page 6-34



Sharing Multiple Policies of a Selected Device, page 6-30

Working with Shared Policies in Device View, page 6-27

Sharing Multiple Policies of a Selected Device


With one procedure, you can share multiple policies configured on a particular
device. When you perform this procedure, you can choose to share all the policies
configured on the device or only some of them. For example, you can take all the
firewall service policies defined on an ASA device and share them.
Initially, the resulting shared policies are assigned only to the device from which
the procedure was performed. You can then, however, assign these shared policies
to additional devices, as required. See Modifying Shared Policy Assignments in
Device View, page 6-39.
This feature provides a convenient way to take the policies configured on a single
device and use them as a template for configuring similar devices. For example,
after you discover the devices at your branch offices, you can take all the local
access rules that you have configured on a similar device and share them with a
single procedure so that you can assign them to the branch office devices.

Tip

To create a new device of the same type that shares the same configuration and
properties (including device operating system version, credentials, and grouping
attributes) as the source device, use the Clone Device feature. For more
information, see Cloning a Device, page 5-55.
Procedure

Step 1

(Optional) In Device view, select a device from the Device selector.

Step 2

Do one of the following:

Select Policy > Share Device Policies.

Right-click the device, then select Share Device Policies.

The Select Policies from this Device page of the Share Policies wizard is
displayed. See Table D-7 on page D-10 for a description of the fields in this page.


Note

If you selected a device before selecting the Share Device Policies
command, you go automatically to the second page of the wizard. You can
click Back to return to the first page to select a different device.

Step 3

Select the device from the tree whose policies you want to share, then click Next.
The Select Policies to Share page of the Share Policies wizard (Table D-8 on
page D-11) is displayed. By default, all policies configured on the device (local
and shared) are selected for sharing.

Note

If you select a policy that is already shared, Security Manager creates a
copy of that policy using the name that you define in Step 5.

Step 4

(Optional) Deselect the check box next to each policy that you do not want to
share. For example, local policies that are not checked remain local to the selected
device.

Step 5

Enter a name for the shared policies. This name will be used by all the policies
you are sharing.

Step 6

Click Finish. The selected policies become shared policies, which you can then
assign to additional devices as needed. For more information, see Modifying
Shared Policy Assignments in Device View, page 6-39.

Related Topics

Copying Policies Between Devices, page 6-23

Sharing a Local Policy, page 6-28

Unsharing a Policy, page 6-32

Working with Shared Policies in Device View, page 6-27


Unsharing a Policy
When you unshare a shared policy assigned to a particular device, you create a
copy that becomes a local policy for that device. This means that any subsequent
changes made to the local policy affect only this particular device. Other devices
assigned the original shared policy continue to use the shared policy as before.
For example, Security Manager might be managing a BGP routing policy called
MyBGP, which is assigned to 20 routers. If you decide that one of the routers
(Router1) requires a variation of this policy, you can select the device, unshare the
policy, and make the changes you need for that router. From that point on, Router1
has a local BGP policy while the other 19 routers continue to use the original
shared policy, MyBGP.
Procedure
Step 1

In Device view, select a device from the Device selector, then select a shared
policy for that device (as shown by the share icon) from the Device Policies
selector. The details of the policy appear in the work area.

Note

For more information about policy status icons, see Table 6-1 on
page 6-22.

Step 2

Do one of the following:

Select Policy > Unshare Policy.

Right-click the selected shared policy, then select Unshare Policy.

Step 3

Click OK. The shared policy is converted into a local policy for the selected
device. The share icon in the Device Policies selector is replaced by the local
policy icon.

Related Topics

Sharing a Local Policy, page 6-28

Managing Policies in Device View, page 6-20

Working with Shared Policies in Device View, page 6-27


Assigning a Shared Policy to a Selected Device


You can replace any policy (local or shared) assigned in Device view with a shared
policy of the same type. For example, if you have a local NAT policy assigned to
a Cisco IOS router, you can assign a shared NAT policy in its place. Similarly, if
a shared NAT policy was assigned to the router, you can replace it with a different
shared NAT policy.
If you use the Assign Shared Policy option to replace a local, rule-based policy
(for example, an inspection rules policy), any local rules that you configured are
replaced by the rules defined in the shared policy. A warning message gives you
the opportunity to preserve the local rules by inheriting the rules of the shared
policy instead of assigning the shared policy in place of the local policy. For more
information, see Inheritance vs. Assignment, page 6-53.

Tip

If you want to use the rules defined in the shared policy and still keep your local
rules, we recommend that you select the Inherit Rules option instead. For more
information, see Inheriting Rules, page 6-54.
Procedure

Step 1

In Device view, select a device from the Device selector, then select a policy for
that device from the Device Policies selector. The details of the policy appear in
the work area.

Step 2

Do one of the following:

Select Policy > Assign Shared Policy.

Right-click the policy, then select Policy > Assign Shared Policy.

The current policy is unassigned from the device and the Assign Shared Policy
dialog box is displayed. See Table D-2 on page D-4 for a description of the fields
in this dialog box.
Step 3

Select a shared policy from the displayed list to assign to the device.

Step 4

Click OK. The shared policy is assigned to the selected device.


Note

If you are assigning a rule-based policy in place of a local policy, a
message is displayed warning that the shared policy will replace the local
policy. If you want to preserve the local rules, select the option to inherit
the rules of the selected policy instead of the assignment option.

Related Topics

Unassigning a Policy, page 6-25

Adding Local Rules to a Shared Policy, page 6-34

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Adding Local Rules to a Shared Policy


After you assign a shared rule-based policy, such as access rules, to a device, you
can define additional rules in the policy that are local to that device. Selecting this
option creates an inheritance relationship, where the policy defined on the device
inherits rules from the shared policy while adding rules that affect only this
particular device. For more information about inheritance, see Understanding
Rule Inheritance, page 6-50.
Local rules that you add to a device do not affect the shared policy from which the
device inherits its remaining rules. For example, if the shared policy
Access_Rules_South is assigned to five devices and you define local rules on one
of those devices, the access rules policy on that device consists of the rules
defined in Access_Rules_South plus the local rules; the other four devices
continue to use only the rules defined in Access_Rules_South.
Before You Begin

Assign a shared, rule-based policy to the device. See Assigning a Shared
Policy to a Selected Device, page 6-33.


Procedure
Step 1

In Device view, select a device from the Device selector, then select a shared
policy assigned to that device from the Device Policies selector. You must select
a rule-based policy, such as access rules. The details of the policy appear in the
work area.

Step 2

Do one of the following:

Select Policy > Add Local Rules.

Right-click the policy, then select Add Local Rules.

A message is displayed indicating that the policy on this device is now defined as
a child policy that inherits rules from the shared policy. If the shared policy in turn
inherits rules from a different shared policy, those rules are automatically
inherited as well.

Note

To change the parent policy from which this policy inherits rules, see
Inheriting Rules, page 6-54.

Step 3

Click OK to confirm. In the work area, headings are added for local mandatory
and default rules in addition to the mandatory and default rules inherited from the
shared policy.
In the Device Policies selector, the status icon changes to the icon for a local
policy. For more information, see Policy Status Icons, page 6-22.

Step 4

Define local rules as required.

Note

If you use the Assign Shared Policy option after adding local rules, both
the inherited rules and your local rules are replaced with the selected
shared policy.

Related Topics

Copying a Shared Policy, page 6-36

Assigning a Shared Policy to a Selected Device, page 6-33

Unsharing a Policy, page 6-32



Working with Shared Policies in Device View, page 6-27

Copying a Shared Policy


You can save an existing shared policy under a new name. This provides a useful
shortcut for creating a new policy that contains the same definitions as an existing
one. You can then change the policy definition, as required.
If you save a rule-based policy with inheritance under a new name, the new policy
contains the same inheritance properties as the policy from which it was created.
For more information, see Understanding Rule Inheritance, page 6-50.
Procedure
Step 1

In Device view, select a device from the Device selector, then select a shared
policy assigned to that device from the Device Policies selector. The details of the
policy appear in the work area.

Step 2

Do one of the following:

Select Policy > Save Policy As.

Right-click the policy, then select Save Policy As.

The Save Policy As dialog box is displayed. See Table D-10 on page D-14 for a
description of the fields in this dialog box.

Note

You can also rename a policy from Policy view by selecting a policy type
from the Policy Type selector, then right-clicking a policy in the Shared
Policy selector. For more information, see Policy View Selectors,
page 6-42.

Step 3

Enter a name for the new policy.

Step 4

Click OK. The new policy is saved and appears in the selector next to the policy
from which it was created. You can then modify the definition of the policy, as
required.

Related Topics

Managing Shared Policies in Policy View, page 6-40


Renaming a Shared Policy, page 6-37

Deleting a Shared Policy, page 6-48

Renaming a Shared Policy


You can rename a shared policy. The new name is immediately reflected in all
devices and VPN topologies to which the policy is assigned.
Procedure
Step 1

In Device view, select a device from the Device selector, then select a shared
policy assigned to that device from the Device Policies selector. The details of the
policy appear in the work area.

Step 2

Do one of the following:

Select Policy > Rename Policy.

Right-click the policy, then select Rename Policy.

The Rename Policy dialog box is displayed. See Table D-11 on page D-15 for a
description of the fields in this dialog box.

Note

You can also rename a policy from Policy view by selecting a policy type
from the Policy Type selector, then right-clicking a policy in the Shared
Policy selector. For more information, see Policy View Selectors,
page 6-42.

Step 3

Enter a new name for the selected policy. Policy names can contain up to
255 characters, including spaces and special characters.

Step 4

Click OK. The selected policy is renamed.

Related Topics

Managing Shared Policies in Policy View, page 6-40

Copying a Shared Policy, page 6-36

Deleting a Shared Policy, page 6-48


Modifying Shared Policy Definitions in Device View


You can modify any shared policy in Device view by selecting one of the devices
to which the policy is assigned, making the necessary changes, and then saving
these changes to the Security Manager server. By default, any changes made to a
shared policy in Device view automatically affect all devices to which the shared
policy is assigned.

Note

To apply your changes only to the device that you are modifying, you must first
unshare the policy (see Unsharing a Policy, page 6-32). This action converts the
policy to a local policy and prevents your changes from affecting other devices in
the network.
Procedure

Step 1

In Device view, select a device from the Device selector, then select a shared
policy for that device from the Device Policies selector. The details of the policy
appear in the work area.

Step 2

Redefine the policy, as required.

Step 3

Click Save. A message is displayed, reminding you that the changes you made
will be applied to all devices to which the policy is assigned.

Tip

To prevent this warning message from appearing in the future, select the
Do not show in the future check box before confirming the save.

Step 4

Click OK to confirm the save, or click Cancel to cancel the operation.

Related Topics

Modifying Shared Policy Assignments in Device View, page 6-39

Configuring Local Policies in Device View, page 6-21

Managing Policies in Device View, page 6-20


Modifying Shared Policy Assignments in Device View


You can modify the list of devices assigned a particular shared policy as required.
If you remove a device from a policy assignment, that policy is effectively
removed from the device's planned configuration. Upon deployment, any
configuration of that type that exists on the device is removed. For more
information, see Unassigning a Policy, page 6-25.

Caution

Use the policy assignment feature with care, as unassigning a policy removes that
configuration from the device and can have unintended consequences. For
example, if you unassign a device access policy from a Cisco IOS router and then
deploy that change, you might prevent Security Manager from configuring that
device in the future. For more information, see User Accounts and Device
Credentials on Cisco IOS Routers, page 14-75.
Policy assignment can also be modified from Policy view. For more information,
see Modifying Policy Assignments in Policy View, page 6-46.
Procedure

Step 1

In Device view, select a device from the Device selector, then select a shared
policy for that device from the Device Policies selector. The details of the policy
appear in the work area.

Step 2

Do one of the following:

Select Policy > Edit Policy Assignments.

Right-click the policy, then select Edit Policy Assignments.

Tip

You can also edit policy assignments by clicking the assignment link
located in the header above the work area.

Step 3

Modify the list of devices to which the policy is assigned, as follows:

To assign the selected policy to additional devices, select one or more devices
from the Available Devices list, then click >> to move them to the Assigned
Devices list.


To unassign the selected policy from devices, select one or more devices from
the Assigned Devices list, then click << to return them to the Available
Devices list. Devices that are unassigned from the policy remove this policy
from their running configuration during deployment.

Tip

To assign a policy to all the devices in a device group, select the name of
the device group, then click >>.

Step 4

Click OK to save your definitions.

Related Topics

Modifying Shared Policy Definitions in Device View, page 6-38

Unassigning a Policy, page 6-25

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Managing Shared Policies in Policy View


Policy view enables you to manage shared policies in Security Manager at the
system level. With Policy view you can quickly view all the shared policies that
are defined for a particular policy type, edit their definitions, and modify their
device assignments. Additionally, you can create a new shared policy for later
assignment to devices.
To access Policy view, select View > Policy View or click the Policy View button
on the toolbar.
Policy view is divided into the following sections:

Policy Type selector.

Shared Policy selector.

Work area.


Figure 6-2 Policy View (screen capture not reproduced; callouts: Policy Type selector, Shared Policy selector, Shared Policy filter, Create a policy button, Work area, Assignments tab, Save button)

Related Topics

Policy View Selectors, page 6-42

Policy View Work Area, page 6-44

Managing Policies in Device View, page 6-20


Working with Shared Policies in Device View, page 6-27

Policy View Selectors


Policy view contains two selectors. The upper selector displays all the policy
types available for a selected policy domain. The root of the policy type selector
is the policy domain name. To display the policy types for a different policy
domain, click the root of the tree and select a different domain from the list.
Policy domains include:

Firewall services.

NAT (PIX/ASA platform).

NAT (router platform).

Site-to-Site VPN.

Remote Access VPN.

SSL VPN.

Catalyst platform.

IPS platform.

IPS on IOS routers.

PIX/ASA/FWSM platform.

Router interfaces.

Router platform.

FlexConfigs.

You can expand and collapse the selector as required to view all the available
policy types and subtypes. The Policy Type selector also includes a shortcut menu
for creating a new shared policy of a selected type.
Selecting a policy type from the Policy Type selector displays all the shared
policies of that type in the Shared Policy selector. Local policies configured in
Device view are not displayed.
For example, when you select a configuration policy type, such as NAT translation
rules, the Shared Policy selector displays a flat list of each shared policy of that
type. If you select a rule-based policy type, such as firewall access rules, the
Shared Policy selector displays a hierarchical tree of shared policies. This enables
you to view the inheritance relationships among the various policies. The Shared
Policy selector includes a shortcut menu with options for actions that can be
performed on that policy, such as renaming it.

Tip

You can create and apply a filter to shorten the list of policies displayed in the
Shared Policy selector. For more information about filters, see Filtering the
Shared Policy Selector, page 6-43.
Related Topics

Policy View Work Area, page 6-44

Managing Shared Policies in Policy View, page 6-40

Filtering the Shared Policy Selector


You can filter the list of policies displayed in the Shared Policy selector according
to the policy name. For example, if you have dozens of access rule policies, you
can create and apply a filter so that only those access rule policies having a certain
name are displayed in the selector.
Each user can define a maximum of 10 filters for the Shared Policy selector. After
that, creating an additional filter replaces the oldest one in the list. In other words,
the 11th filter replaces the first filter.
Filters are created and applied from the Filter list displayed above the Shared
Policy selector.
Procedure
Step 1

In Policy view, select Create Filter from the Filter list displayed above the Shared
Policy selector. The Create Filter dialog box is displayed. See Table D-19 on
page D-27 for a description of the fields in this dialog box.

Step 2

Define filter criteria:


a.

Name is automatically selected from the Filter Type list on the left. Policies
can be filtered by name only.

b.

Select an operator from the list in the center. The operator defines how the
filter relates to the policy name. Options are: contains, doesn't contain, is,
isn't, begins with, and ends with.

c.

Enter a string representing the policy name or partial policy name in the field
on the right.
For example, if you define the criteria as Name begins with HQ, the filter will
include only those shared policies whose names begin with HQ.

d.

Click Add. The defined criteria are displayed in the content area of the dialog
box.

Note

To remove criteria from the filter definition, select it in the content
area, then click Remove.

e.

Repeat steps b through d to add criteria to the filter.

Step 3

Select one of the following options:

Match Any of the Following: Creates an OR relationship among the filter
criteria. Policies matching any of your criteria are included in the filter.

Match All of the Following: Creates an AND relationship among the filter
criteria. Only those policies matching all your criteria are included in the
filter.

Step 4

Click OK. The filter is saved and added to the Filter list.

Step 5

To apply the filter, select it from the Filter list. To display policies without a filter,
select None from the Filter list.
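The filter semantics described in this procedure (the six name operators, the Match Any/Match All combination, and the per-user limit of 10 filters with the 11th replacing the oldest), modeled in Python. This is an added example, not Security Manager code; the class names, the sample policy names other than Access_Rules_South, and the behaviour of a filter with no criteria are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The six operators offered for the Name criterion (the only filter type).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda name, s: s in name,
    "doesn't contain": lambda name, s: s not in name,
    "is": lambda name, s: name == s,
    "isn't": lambda name, s: name != s,
    "begins with": lambda name, s: name.startswith(s),
    "ends with": lambda name, s: name.endswith(s),
}


@dataclass(frozen=True)
class Criterion:
    """One row added with Add in the Create Filter dialog box."""
    operator: str
    value: str

    def matches(self, policy_name: str) -> bool:
        return OPERATORS[self.operator](policy_name, self.value)


@dataclass
class PolicyFilter:
    """A saved filter: its criteria and the Match Any / Match All choice."""
    name: str
    criteria: List[Criterion] = field(default_factory=list)
    match_all: bool = False   # False: Match Any (OR); True: Match All (AND)

    def matches(self, policy_name: str) -> bool:
        results = [c.matches(policy_name) for c in self.criteria]
        if not results:       # assumption: a filter with no criteria hides nothing
            return True
        return all(results) if self.match_all else any(results)

    def apply(self, policy_names: List[str]) -> List[str]:
        """Names that remain visible in the Shared Policy selector."""
        return [n for n in policy_names if self.matches(n)]


class FilterList:
    """Per-user Filter list above the Shared Policy selector: at most 10
    filters; creating an 11th replaces the oldest one."""
    MAX_FILTERS = 10

    def __init__(self) -> None:
        self.filters: List[PolicyFilter] = []

    def create(self, pf: PolicyFilter) -> PolicyFilter:
        if len(self.filters) >= self.MAX_FILTERS:
            self.filters.pop(0)           # drop the oldest filter
        self.filters.append(pf)
        return pf

    def names(self) -> List[str]:
        return [f.name for f in self.filters]


# Constructed shared policy names (only Access_Rules_South appears on the page).
SAMPLE_POLICIES = ["HQ_Access_Rules", "HQ_Inspection", "Branch_Access_Rules",
                   "Access_Rules_South", "South_Legacy"]

# "Name begins with HQ", the example given in step c.
HQ_FILTER = PolicyFilter("HQ only", [Criterion("begins with", "HQ")])
# Match Any: begins with HQ OR ends with South.
ANY_FILTER = PolicyFilter("HQ or South", [Criterion("begins with", "HQ"),
                                          Criterion("ends with", "South")])
# Match All: contains Access_Rules AND doesn't contain HQ.
ALL_FILTER = PolicyFilter("non-HQ access rules",
                          [Criterion("contains", "Access_Rules"),
                           Criterion("doesn't contain", "HQ")], match_all=True)


def fill_filter_list(count: int) -> FilterList:
    """Create `count` filters named f1..fN and return the resulting list,
    so the rotation after the 10th filter can be observed."""
    fl = FilterList()
    for i in range(1, count + 1):
        fl.create(PolicyFilter(f"f{i}", [Criterion("is", f"policy{i}")]))
    return fl


if __name__ == "__main__":
    print(HQ_FILTER.apply(SAMPLE_POLICIES))
    print(ANY_FILTER.apply(SAMPLE_POLICIES))
    print(ALL_FILTER.apply(SAMPLE_POLICIES))
    print(fill_filter_list(11).names())   # f1 has been replaced
```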

Related Topics

Policy View Selectors, page 6-42

Managing Shared Policies in Policy View, page 6-40

Policy View Work Area


The work area in Policy view contains the following tabs:

Details: Contains the definition of the selected policy. The information
displayed on the Details tab is identical to the information displayed in
Device view and can be modified in exactly the same way. For more
information about configuring policies, see:


Chapter 9, Managing Site-to-Site VPNs.


Chapter 10, Managing Remote Access VPNs.
Chapter 11, Managing SSL VPNs.
Chapter 12, Managing Firewall Services.
Chapter 14, Managing Routers.
Chapter 15, Managing Firewall Devices.
Chapter 16, Managing Catalyst Devices.
Chapter 13, Managing IPS Services.
Chapter 17, Managing IPS Devices.

Assignments: Contains the device assignments for the selected policy,
enabling you to add and remove devices as required. For more information,
see Modifying Policy Assignments in Policy View, page 6-46.

Related Topics

Policy View Selectors, page 6-42

Managing Shared Policies in Policy View, page 6-40

Creating a New Shared Policy


Use Policy view to create a new shared policy. In most cases, the new policy starts
out undefined, but in certain cases (for example, many site-to-site VPN policies,
such as IPsec proposals and GRE modes) default values are supplied. In all cases,
the new policy is not initially assigned to any devices. If the new policy is a
rule-based policy that supports inheritance, it can be created as a child of an
existing shared policy of the same type. For more information, see Understanding
Rule Inheritance, page 6-50.

Tip

You can also create shared policies by converting local policies in Device view.
For more information, see Sharing a Local Policy, page 6-28.
Procedure

Step 1

In Policy view, select a policy type in the Policy Type selector.



Step 2

Do one of the following:

Right-click the policy type in the Policy Type selector, then select New
[policy type] Policy.

Right-click a policy in the Shared Policy selector, then select New [policy
type] Policy.

Click the Create a Policy button beneath the Shared Policy selector.

The Create a Policy dialog box is displayed. See Table D-21 on page D-30 for a
description of the fields in this dialog box.
Step 3

Enter a name for the new policy. Policy names can contain up to 255 characters,
including spaces and special characters.

Step 4

Click OK to save your definitions. The new policy appears in the Shared Policy
selector.
To configure a definition for the new shared policy, see Policy View Work Area,
page 6-44. To assign the new shared policy, see Modifying Policy Assignments in
Policy View, page 6-46.

Related Topics

Managing Shared Policies in Policy View, page 6-40

Modifying Policy Assignments in Policy View


Use the Assignments tab in Policy view to modify the list of devices or VPN
topologies to which you assigned a selected shared policy. Assigning a policy to
a device or VPN overwrites any policy of the same type (local or shared) that was
previously assigned to the device in Security Manager. When deployed, the newly
assigned policy overrides any policy of the same type that is already configured
on the device, whether it was configured using Security Manager or using another
method, such as the CLI.
When you unassign a shared policy from a device or VPN topology, Security
Manager removes the policy from the planned configuration of that device or VPN
topology. When the configuration defined by the policy is deployed, any
configuration of the same type that is already configured on the device (including
the devices in the VPN topology) is removed. For more information, see
Unassigning a Policy, page 6-25.

Therefore, if your intention when performing unassign is to assign a different
shared policy to a particular device or VPN topology, it is important to select the
replacement policy and perform the assignment before performing deployment.

Note

Assigning a replacement policy is particularly important when you use a device
access policy to configure the enable password or enable secret password on a
Cisco IOS router. If you unassign this policy and fail to define a different
password in its place before deployment, Security Manager might be unable to
configure this device in the future. For more information, see User Accounts and
Device Credentials on Cisco IOS Routers, page 14-75.
Alternatively, you can return to Device view and replace the shared policy
assigned to the device with a different shared policy. For more information, see
Assigning a Shared Policy to a Selected Device, page 6-33.

Note

If you unassign a mandatory site-to-site VPN policy, such as an IKE proposal
policy, Security Manager automatically replaces it with a default policy. If you
unassign a mandatory remote access VPN policy, you must manually configure a
new policy of that same type or deployment will fail.
Procedure

Step 1

In Policy view, select a policy type from the Policy Type selector, then select a
policy from the Shared Policy selector. See Policy View Selectors, page 6-42.

Step 2

Click the Assignments tab in the work area. See Table D-20 on page D-29 for a
description of the fields on this tab.

Step 3

Modify the list of devices or VPNs to which the policy is assigned, as follows:

To assign the selected policy to additional devices or VPNs, select one or
more items from the Available Devices/VPNs list, then click << to move them
to the Assigned Devices/VPNs list.

To unassign the selected policy from devices or VPNs, select one or more
items from the Assigned Devices/VPNs list, then click << to return them to
the Available Devices/VPNs list.

Tip

To assign a policy to all the devices in a device group, select the name of
the device group, then click >>.

Step 4

Click Save to save your definitions.

Related Topics

Modifying Shared Policy Assignments in Device View, page 6-39

Managing Shared Policies in Policy View, page 6-40

Deleting a Shared Policy


Use Policy view to delete a shared policy from Security Manager. You can delete
a policy only if it is not assigned to any devices or VPN topologies. For more
information, see Modifying Policy Assignments in Policy View, page 6-46.
Procedure
Step 1

In Policy view, select a policy type from the Policy Type selector, then select a
policy from the Shared Policy selector. See Policy View Selectors, page 6-42.

Step 2

(Optional) Click the Assignment tab to verify that the selected policy is not
assigned to any devices or VPN topologies. If any assignments still exist, you
must remove them before continuing.

Step 3

Do one of the following:

Right-click the policy, then select Delete Policy.

Click the Delete a Policy button beneath the Shared Policy selector.

A confirmation message is displayed.


Step 4

Click OK. The selected policy is deleted.

Related Topics

Creating a New Shared Policy, page 6-45

Copying a Shared Policy, page 6-36

Managing Shared Policies in Policy View, page 6-40

Advanced Policy Features


The following sections describe advanced policy features available in Security
Manager:

Customizing Policy Management, page 6-49

Understanding Rule Inheritance, page 6-50

Understanding Locking, page 6-55

Customizing Policy Management


When you manage Cisco IOS routers, you have the option of selecting which
policy types to manage with Security Manager and which policy types to leave
unmanaged. Managing a policy type means that Security Manager controls the
configuration of the policy and considers the information that it stores in its
database about that policy to be the desired configuration. Security Manager does
not configure unmanaged policy types, nor does it track configurations of these
types that were configured using other methods. For example, if you decide not to
manage SNMP policies, any SNMP configurations that you configured using CLI
commands are unknown to Security Manager.
The ability to customize policy management on a Cisco IOS router makes it
possible, for example, to use Security Manager to manage DHCP and NAT
policies on Cisco IOS routers while leaving routing protocol policies, such as
EIGRP and RIP, unmanaged. These settings, which can be modified only by a user
with administrative permissions, affect all Security Manager users.
Unmanaged policies are removed from both Device view and Policy view. Any
existing policies of that type, local or shared, are removed from the Security
Manager database.
You cannot unmanage a policy type if you have configured and assigned policies
of that type in Security Manager. You must first remove the assignments and then
unmanage the policy type. If the configurations defined by those policies have
already been deployed, these configurations are left in place on the devices, but
the policies will no longer be stored in the database or accessible from the
Security Manager interface. Configurations that were defined using CLI
commands or FlexConfigs are left in place.
If you change a particular policy from unmanaged to managed, you can again
modify the configuration of that policy using Security Manager.

Note

Features that are unmanaged by Security Manager can still be modified manually
with CLI commands or FlexConfigs. For more information about FlexConfigs,
see Chapter 19, Managing FlexConfigs.
To customize policy management of Cisco IOS routers, see Defining Policy
Management Settings, page 2-89.
Related Topics

Understanding Policies, page 6-1

Advanced Policy Features, page 6-49

Understanding Rule Inheritance


As described in Local Policies vs. Shared Policies, page 6-4, shared policies
enable you to configure and assign a common policy definition to multiple
devices. Rule inheritance takes this feature one step further by enabling a device
to contain the rules defined in a shared policy in addition to local rules that are
specific to that particular device. Using inheritance, Security Manager can
enforce a hierarchy where policies at a lower level (called child policies) inherit
the rules of policies defined above them in the hierarchy (called parent policies).
Rule Order When Using Inheritance

As described in Understanding Access Rules, page 12-49, an access list (ACL)
consists of rules (also called access control entries or ACEs) arranged in a table.
An incoming packet is compared against the first rule in the ACL. If the packet
matches the rule, the packet is permitted or denied, depending on the rule. If the
packet does not match, the packet is compared against the next rule in the table
and so forth, until a matching rule is found and executed.

This first-match system means that the order of rules in the table is of critical
importance. When you create a shared access rule policy, Security Manager
divides the rules table into multiple sections, Mandatory and Default. The
Mandatory section contains rules that cannot be overridden by the local rules
defined in a child policy. The Default section contains rules that can be overridden
by local rules.
Figure 6-3 describes how rules are ordered in the rules table when using
inheritance.
Figure 6-3 Order of Rules When Using Inheritance

[Diagram. The rules table it shows, from top to bottom:]
Mandatory ACE-1, Mandatory ACE-2, ..., Mandatory ACE-n (mandatory rules from parent policy)
Local ACE-1, Local ACE-2, ..., Local ACE-n (local rules in child policy)
Default ACE-1, Default ACE-2, ..., Default ACE-n, Deny any any (default rules from parent policy)

Benefits of Using Inheritance

The ability to define rule-based policies in a hierarchical manner gives you great
flexibility when defining your rule sets, and the hierarchy can extend as many
levels as required. For example, you can define an access rule policy for the device
at a branch office that inherits rules from a parent policy that determines access at
the regional level. This policy, in turn, can inherit rules from a global access rules
policy at the top of the hierarchy that sets rules at the corporate level.

In this example, the rules are ordered in the rules table as follows:

Mandatory corporate access rules
Mandatory regional access rules
Local rules on branch device
Default regional access rules
Default corporate access rules

The policy defined on the branch device is a child of the regional policy and a
grandchild of the corporate policy. Structuring inheritance in this manner enables
you to define mandatory rules at the corporate level that apply to all devices and
that cannot be overridden by rules at a lower level in the hierarchy. At the same
time, rule inheritance provides the flexibility to add local rules for specific
devices where needed.
Having default rules makes it possible to define a global default rule, such as
deny any any, that appears at the end of all access rule lists and provides a final
measure of security should gaps exist in the mandatory rules and default rules that
appear above it in the rules table.
Inheritance Example

For example, you can define a mandatory worm mitigation rule in the corporate
access rules policy that mitigates or blocks the worm to all devices with a single
entry. Devices configured with the regional access rules policy can inherit the
worm mitigation rule from the corporate policy while adding rules that apply at
the regional level. For example, you can create a rule that allows FTP traffic to all
devices in one region while blocking FTP to devices in all other regions. However,
the mandatory rule at the corporate level always appears at the top of the access
rules list. Any mandatory rules that you define in a child policy are placed after
the mandatory rules defined in the parent policy.
With default rules, the order is reversed: default rules defined in a child policy
appear before default rules inherited from the parent policy. Default rules appear
after any local rules that are defined on the device, which makes it possible to
define a local rule that overrides a default rule. For example, if a regional default
rule denies FTP traffic to a list of destinations, you can define a local rule that
permits one of those destinations.
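The ordering described above (Figure 6-3 and the corporate/regional/branch example, including the local rule that overrides a regional default but cannot override a corporate mandatory rule), as an added Python model that is not Security Manager code; the policy names, networks, ports and rule labels are constructed sample values:

```python
"""Effective access-rule order under rule inheritance (constructed model,
not Security Manager code): mandatory rules root-first, then the device's
local rules, then default rules child-first, evaluated first-match."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    dport: Optional[int]   # destination port; None matches any port
    name: str              # label reported when the rule matches

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Policy:
    name: str
    mandatory: List[Rule] = field(default_factory=list)
    default: List[Rule] = field(default_factory=list)
    local: List[Rule] = field(default_factory=list)   # device policy only
    parent: Optional["Policy"] = None

def _net_match(net: str, addr: str) -> bool:
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def effective_rules(policy: Policy) -> List[Tuple[str, str, Rule]]:
    """Return (section, owning policy, rule) in the order deployed to the device."""
    chain = []
    p = policy
    while p is not None:
        chain.append(p)
        p = p.parent
    chain.reverse()                       # root (corporate) first
    table = []
    for p in chain:                       # mandatory: parent before child
        table.extend(("mandatory", p.name, r) for r in p.mandatory)
    table.extend(("local", policy.name, r) for r in policy.local)
    for p in reversed(chain):             # default: child before parent
        table.extend(("default", p.name, r) for r in p.default)
    return table

def evaluate(policy: Policy, pkt: Packet) -> Tuple[str, str]:
    """First match wins; a device ACL ends in an implicit deny if nothing matches."""
    for _section, _owner, rule in effective_rules(policy):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"

def rule_order(policy: Policy) -> List[str]:
    """Names of the effective rules in deployment order."""
    return [r.name for _s, _o, r in effective_rules(policy)]

# Constructed hierarchy mirroring the corporate / regional / branch example.
FTP = 21
WORM_PORT = 4444   # constructed stand-in for the worm's port; not from the page
corporate = Policy(
    "Corporate",
    mandatory=[Rule("deny", "tcp", "any", "any", WORM_PORT, "corp-worm-block")],
    default=[Rule("deny", "ip", "any", "any", None, "corp-deny-any-any")],
)
west_coast = Policy(
    "West Coast",
    mandatory=[Rule("permit", "tcp", "any", "10.10.0.0/16", FTP, "west-allow-ftp")],
    default=[Rule("deny", "tcp", "any", "10.20.0.0/16", FTP, "west-deny-ftp")],
    parent=corporate,
)
branch = Policy(
    "Branch-Device",
    local=[
        # overrides the regional default that denies FTP to 10.20.0.0/16
        Rule("permit", "tcp", "any", "10.20.5.0/24", FTP, "local-allow-ftp-10.20.5"),
        # cannot override the corporate mandatory worm block placed above it
        Rule("permit", "tcp", "any", "any", WORM_PORT, "local-try-allow-worm-port"),
    ],
    parent=west_coast,
)

if __name__ == "__main__":
    print(rule_order(branch))
    print(evaluate(branch, Packet("tcp", "192.0.2.10", "10.20.5.7", FTP)))
```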

IPS Policy Inheritance

Event action filter policies for IPS devices can also use inheritance to add rules
defined in a parent policy to the local rules defined on a particular device. The
only difference is that although active and inactive rules are displayed together in
the Security Manager interface, all inactive rules are deployed last, after the
inherited default rules.
Signature policies for IPS devices use a different type of inheritance that can be
applied on a per-signature basis. See Configuring Signatures, page 13-9.
Related Topics

Settings-Based Policies vs. Rule-Based Policies, page 6-2

Understanding Access Rules, page 12-49

Inheritance vs. Assignment, page 6-53

Inheriting Rules, page 6-54

Advanced Policy Features, page 6-49

Inheritance vs. Assignment


It is important to understand the difference between rule inheritance and policy
assignment:

Inheritance: When you inherit the rules from a selected policy, you do not
overwrite the local rules that are already configured on the device. Instead,
the inherited rules are added to the local rules. If the inherited rules are
mandatory rules, they are added before the local rules. If the inherited rules
are default rules, they are added after the local rules. Any changes that you
make to the inherited rules in the parent policy are reflected in the policy that
inherits those rules.

Assignment: When you assign a shared policy to a device, you replace
whatever was already configured on the device with the selected policy. This
holds true whether the device previously had a local policy or a different
shared policy of that type.

Therefore, when working with rule-based policies such as access rules, you must
use discretion when choosing these options. Use inheritance to supplement the
local rules on the device with additional rules from a parent policy. Use
assignment to replace the policy on the device with a selected shared policy.

Tip

To prevent overwriting your local rules by mistake, Security Manager displays a
warning message when you select the Assigned Shared Policy option for a
rule-based policy. The message provides you the option of inheriting the rules of
the policy instead of assigning it. Choose the inheritance option if you want to
preserve your local rules. See Local Policy Will Be Replaced Dialog Box,
page D-4.
Related Topics

Understanding Rule Inheritance, page 6-50

Inheriting Rules, page 6-54

Advanced Policy Features, page 6-49

Inheriting Rules
This procedure describes how certain types of rule-based policies, such as access
rules, can inherit rules from shared policies of the same type. Child policies
inherit both the mandatory rules and default rules that are defined in the parent
policy.

Note

When working in Device view, you can then define additional rules that are local
to the selected device. For more information, see Adding Local Rules to a Shared
Policy, page 6-34.
You can edit rule inheritance from either Device view or Policy view.
Procedure

Step 1

Do one of the following:

From Device view, select a device from the Device selector, then a rule-based
policy from the Device Policies selector.

From Policy view, select a rule-based policy type from the Policy Type
selector, then a policy from the Shared Policy selector.

Step 2

Do one of the following:

Select Policy > Inherit Rules.

Right-click the policy, then select Inherit Rules.

Step 3

The Inherit Rules dialog box is displayed, containing a list of all shared policies
of the selected type, including any inheritance relationships among them. See
Table D-12 on page D-16 for a description of the fields in this dialog box.

Step 4

Click the policy from which to inherit rules, or select the root of the list (marked
No Inheritance) to remove any inheritance from the child policy. The name of the
parent policy is displayed below the selector.
For example, if you select an access rules policy called West Coast, your access
policy inherits the rules of the West Coast policy. If the West Coast policy is a
child policy of another access rules policy called US, your policy inherits the
properties of the West Coast policy, which in turn inherits the properties of the US
policy.

Step 5

Click OK to save your definitions. The work area displays the inherited rules
under the name of the parent policy and any local rules, if defined, under the name
of the original shared policy.

Related Topics

Understanding Rule Inheritance, page 6-50

Inheritance vs. Assignment, page 6-53

Advanced Policy Features, page 6-49

Understanding Policies, page 6-1

Understanding Locking
Security Manager has a locking mechanism that is useful in organizations where
several people have the authority to make configuration changes. It prevents a
potential situation in which two or more people are making changes to the same
device, policy, policy assignment, or object at the same time. When a lock is
applied, a message is displayed across the top of the work area to other users who
access that device or policy.

Lock Types

Security Manager uses two different types of locks:

Policy content locks: Locks the content of a particular policy. The banner
displayed above the work area reads:
This data for this policy is locked by activity/user: <name>.
The content lock prevents other users from making any changes to the
configuration of the locked policy.

Assignment locks: Locks the assignment of a policy type to a particular
device. The banner displayed above the work area reads:
The assignment of this policy is locked by activity/user: <name>.
For a local policy, an assignment lock prevents other users from unassigning
the policy or assigning a shared policy of the same type in place of the local
policy. For a shared policy, an assignment lock prevents other users from
assigning a different shared policy of the same type in place of one already
assigned.

These locks can either work together or independently of one another, depending
on the actions being performed by the user. If both locks are active at the same
time, the banner displayed above the work area reads:
This policy is locked by activity/user: <name>.
See Table 6-2 on page 6-57 for a summary of the effects locking has on the actions
you can perform.
Releasing Locks

After a lock is applied, it remains in place until you either submit your changes
(when working in non-Workflow mode) or submit and approve the activity (when
working in Workflow mode). If you discard the activity, any locks generated by
the activity are also discarded. For more information about workflow modes, see
Selecting a Workflow Mode, page 2-56.

Note

Locks are based on the device name, not the IP address of the device.
Therefore, we recommend that you avoid defining two devices with different
names but the same IP address in Security Manager. Any attempt to deploy to
both devices, especially at the same time, leads to unpredictable results.

In addition, locks do not extend across different operations. For example,
locking does not prevent one user from deploying to the same device that is
being discovered by a different user.

Additional details about locking can be found in the following sections:

Understanding Locking and Policies, page 6-57

Understanding Locking and VPN Topologies, page 6-58

Understanding Locking and Objects, page 6-59

Related Topics

Understanding Policies, page 6-1

Advanced Policy Features, page 6-49

Setting Up User Permissions, page 2-3

Understanding Locking and Policies


Table 6-2 summarizes the effects of policy locks in Security Manager.
Table 6-2 Locking Summary

If another user/activity changes a policy definition:
You cannot: Modify the policy or assign it to other devices.
You can: Unassign the policy (if it's a local policy). Unassign the policy from
any device (if it's shared).

If another user/activity changes the definition of a rule-based policy with
descendants:
You cannot: Modify the parent policy or any of the descendants. Assign the
parent policy or any of its descendants to additional devices. Change the rule
inheritance of the parent policy or any of the descendants.
You can: Unassign the policy from any device.

If another user/activity changes a policy assignment without changing its
definition:
You cannot: Modify the policy.
You can: Assign and unassign the policy from other devices.

If another user/activity changes a policy definition and changes its
assignment:
You cannot: Modify the policy or assign it to other devices.
You can: Unassign the policy from any device.
Note: In Policy view, a content lock is placed on the policy. In Device view,
an assignment lock is placed on those devices whose assignment is being
changed by the other user.

The ability to modify policies and policy assignments is dependent on the user
permissions assigned to the user. See Setting Up User Permissions, page 2-3.
Related Topics

Understanding Locking, page 6-55

Understanding Policies, page 6-1

Understanding Locking and VPN Topologies


When you change the device assignment for a VPN topology, or make changes to
a specific VPN policy, a lock is placed on the complete topology. This means that
other users cannot make changes to the device assignment, nor can they make
changes to any of the VPN policies defined for that topology.
In order to view and modify VPN policies, you must have the required
permissions for each of the devices that make up the VPN topology. Permissions
are also required to add a device to a VPN topology. If you have different levels
of permissions to the devices that make up the VPN topology, the lowest
permission level is applied to the entire topology.

For example, if you have read/write permissions to the devices that comprise the
spokes in a hub-and-spoke VPN, but read-only permissions to the device serving
as the hub, you are granted read-only permission to the policies and composition
of the hub-and-spoke topology. For more information about permissions, see
Setting Up User Permissions, page 2-3.
Related Topics

Understanding Locking, page 6-55

Managing Site-to-Site VPNs, page 9-1

Understanding Locking and Objects


When you create or modify a reusable object, that object is locked to prevent other
users from modifying or deleting the same object. Additional rules for object
locking include:

An object lock does not prevent you from modifying the definition or
assignment of a policy that uses that object.

The lock placed on a policy does not prevent you from making changes to an
object that is included in the policy definition.

You can change the definition of any object even if it is part of a policy
assigned to a device to which you do not have permissions.

When an object makes use of other objects (such as network/host objects,
service group objects, and AAA server group objects), the lock on the object
does not prevent another user from modifying those other objects. For
example, when you modify a AAA server group object, the lock on that object
does not prevent another user from modifying any of the AAA servers that
make up the AAA server group.

When an object is locked, users who try to modify that object see a read-only
version of the relevant dialog box. When you are working in Workflow mode, a
message indicates which activity has locked the object.
Related Topics

Understanding Locking, page 6-55

Introduction to Objects, page 8-1

Chapter 7

Managing Activities
When using Workflow mode, all policy definition and assignment tasks must be
done within the context of an activity. If you are using non-Workflow mode (the
default mode of operation in Security Manager), you do not need to create and
manage activities. For more information, see Working in Non-Workflow Mode,
page 2-57.
The following topics provide information about activities:

Understanding Activities, page 7-2


Benefits of Activities, page 7-3
Activity Approval, page 7-3
Activities and Locking, page 7-4
Activities and Multiple Users, page 7-5
Understanding Activity States, page 7-5
Accessing Activity Functions, page 7-9

Working with Activities, page 7-9


Creating an Activity, page 7-11
Opening an Activity, page 7-12
Closing an Activity, page 7-12
Validating an Activity, page 7-13
Submitting an Activity for Approval, page 7-14
Approving or Rejecting an Activity, page 7-16
Understanding Activity Change Reports, page 7-17
Discarding an Activity, page 7-19

Understanding Activities
An activity is a temporary context within which you define policies and assign
them to devices. You need not create an activity to import, create, or delete
devices. However, you do need to create an activity or open an existing activity
before you define policies or assign them to devices.

Note

If you discover policies as part of a device import, a message prompts you to
either create a new activity or open an existing activity.
When you create an activity, you open a virtual copy of the Security Manager
policy database. You define and assign policies within this copy. Changes that you
made within this copy are only available within the copy. Other users in different
activities cannot see these changes. After the activity is submitted and approved,
the changes within this copy are committed to the database so that all other users
can view the changes.
Then, you can create a deployment job to generate the relevant CLI commands
and deploy them to the devices.

Note

If you try to define or assign policies before you open an activity, a message
prompts you to either create a new activity or open an existing activity.
The following topics describe why activities are important and how they operate
in Workflow mode:

Benefits of Activities, page 7-3

Activity Approval, page 7-3

Activities and Locking, page 7-4

Activities and Multiple Users, page 7-5

Understanding Activity States, page 7-5

User Guide for Cisco Security Manager 3.1

7-2

OL-11501-03

Chapter 7

Managing Activities
Understanding Activities

Benefits of Activities
You use activities to control changes made to policies and policy assignments.
Although how activities are implemented depends on the workflow settings you
choose, all activities provide the following benefits:

Audit trail: Activities track changes that are made in Security Manager. You
can use this information to determine what changes were made and who made
the changes. For more information, see Displaying Activity History,
page 7-20.

Safety mechanism: Activities provide a means for experimenting with
changes. You can make changes using an activity, then view the configuration
that results from those changes. If you do not want to implement the changes,
you can discard the activity. For more information, see Discarding an
Activity, page 7-19.

Task isolation: When you create an activity, the policies that are modified
within that activity are locked from being modified within other activities.
This prevents conflicting changes that could make a policy unstable. For more
information, see Activities and Locking, page 7-4.
In addition, the changes you make within an activity are visible only within
the activity. Other users will see only the last approved committed
configurations, unless they view your activity before you close it.

Activity Approval
When you enable Workflow mode, you can choose to operate with or without an
activity approver.
If your organization requires a different person with higher permissions to
approve activities, you can enable workflow with an approver. When using
Workflow mode with an approver, the activity must be approved by a person with
the appropriate permissions so the policies can be committed to the database. This
approval process at the policy definition level helps to ensure that no
inappropriate configurations reach the network devices.
If you choose to operate without an approver, the person defining the policies has
the permissions to approve them.

User Guide for Cisco Security Manager 3.1


OL-11501-03

7-3

Chapter 7

Managing Activities

Understanding Activities

Note

For information about enabling or disabling activity approval and changing the
default activity approver, see Chapter 2, Performing Administrative Tasks.

Activities and Locking


Activities introduce a locking model. This is useful in large networks where
several people have the authority to make configuration changes. It prevents two
or more people from making changes to the same feature policy, policy
assignment, or object at the same time.
In addition, Security Manager uses locking to ensure that operations related to the
committed configuration always run exclusive of one another. These operations
can be divided into two categories:
Operations that change the committed configuration:

Activity approval

Device deletion

Editing device properties

Operations that read the committed configuration:

Configuration preview

Deployment (in non-Workflow mode)

Creation of deployment job (in Workflow mode)

Activity validation

If you are performing an operation that changes the committed configuration, you
cannot perform any of the operations in either list until this operation is complete.
An error message is displayed if you try. For example, if you are approving an
activity (which occurs automatically when an activity is submitted in
non-Workflow mode), you cannot delete a device or validate a different activity
until the approval is complete. This type of locking is particularly important in
multi-user settings as it prevents multiple users from simultaneously making
changes to the committed configuration.
If you are performing an operation that reads the committed configuration, you
cannot perform an operation that changes the committed configuration. For
example, if you are validating an activity, another user cannot approve an activity.

User Guide for Cisco Security Manager 3.1

7-4

OL-11501-03

Chapter 7

Managing Activities
Understanding Activities

However, you may perform another operation that reads the configuration. For
example, if you are validating an activity, another user can create a deployment
job. Similarly, if you are previewing the configuration before deployment, another
user is permitted to do the same. This is because these two operations are limited
to reading the committed configuration; they do not make any changes to it.
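The two operation categories and the exclusion rules just described (a change operation blocks everything, read operations share with each other but block changes), as an added Python model that is not Security Manager code; the CommittedConfigLock class, the user names and the replayed scenario are assumptions made for the example:

```python
"""Admission model for operations on the committed configuration
(constructed, not Security Manager code): a change operation excludes every
other listed operation; read operations may overlap but exclude changes."""
import threading
from typing import Dict, List, Tuple

# Operations that change the committed configuration (run exclusively).
CHANGE_OPS = {"activity approval", "device deletion", "editing device properties"}
# Operations that only read the committed configuration (may overlap).
READ_OPS = {"configuration preview", "deployment",
            "creation of deployment job", "activity validation"}

def category(op: str) -> str:
    if op in CHANGE_OPS:
        return "change"
    if op in READ_OPS:
        return "read"
    raise ValueError(f"operation not covered by this lock: {op}")

class CommittedConfigLock:
    """Readers-writer style admission: one change excludes all, reads share."""

    def __init__(self) -> None:
        self._guard = threading.Lock()                 # protects the registry
        self._active: Dict[str, Tuple[str, str]] = {}  # token -> (user, op)
        self._counter = 0

    def try_start(self, user: str, op: str) -> Tuple[bool, str]:
        """Return (True, token) if the operation may begin, else (False, reason)."""
        cat = category(op)
        with self._guard:
            for other_user, other_op in self._active.values():
                if category(other_op) == "change":
                    return (False, f"{other_user} is performing '{other_op}', which "
                                   "changes the committed configuration; retry later")
                if cat == "change":
                    return (False, f"{other_user} is performing '{other_op}', which "
                                   f"reads the committed configuration; '{op}' must wait")
            self._counter += 1
            token = f"op-{self._counter}"
            self._active[token] = (user, op)
            return True, token

    def finish(self, token: str) -> None:
        """Release the slot held by an admitted operation."""
        with self._guard:
            self._active.pop(token)

    def active_operations(self) -> Dict[str, Tuple[str, str]]:
        with self._guard:
            return dict(self._active)

def walkthrough() -> List[Tuple[str, str, bool]]:
    """Replay the scenarios from the text; returns (user, op, admitted) per attempt."""
    lock = CommittedConfigLock()
    log: List[Tuple[str, str, bool]] = []
    tokens: Dict[str, str] = {}

    def attempt(user: str, op: str) -> None:
        ok, result = lock.try_start(user, op)
        log.append((user, op, ok))
        if ok:
            tokens[user] = result

    attempt("alice", "activity validation")        # read: admitted
    attempt("bob", "creation of deployment job")   # second read overlaps: admitted
    attempt("carol", "activity approval")          # change while reads run: refused
    lock.finish(tokens.pop("alice"))
    lock.finish(tokens.pop("bob"))
    attempt("carol", "activity approval")          # nothing active: admitted
    attempt("alice", "device deletion")            # change during a change: refused
    attempt("bob", "activity validation")          # read during a change: refused
    lock.finish(tokens.pop("carol"))
    attempt("bob", "activity validation")          # approval complete: admitted
    return log

if __name__ == "__main__":
    for user, op, ok in walkthrough():
        print(f"{user:6} {op:28} {'admitted' if ok else 'refused'}")
```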
Related Topics

Understanding Locking, page 6-55

Approving or Rejecting an Activity, page 7-16

Deleting Devices from the Security Manager Inventory, page 5-56

Defining Device Properties, page 5-53

Working with Deployment, page 18-35

Validating an Activity, page 7-13

Activities and Multiple Users


Only one user can define or change policies within an individual activity at one
time. However, when Workflow mode is enabled, multiple users can work in the
activity in sequence. That is, if an activity is closed (but not yet approved or
submitted for approval), another user can open it and make changes to it. Multiple
users can work in parallel in different activities.

Understanding Activity States


An activity has four primary states:

Edit Open: Policy changes can be made within the selected activity. The
activity remains in this state until it is submitted for approval, approved, or
deleted. The activity can be opened, closed, and edited any number of times
while it is in this state. The policies, policy assignments (devices being
assigned policies), and objects being configured or modified in the activity
are locked. That is, they cannot be configured or modified within the context
of another activity. The configuration changes can be seen only in the context
of the current activity.

User Guide for Cisco Security Manager 3.1


OL-11501-03

7-5

Chapter 7

Managing Activities

Understanding Activities

If the browser session terminates while you are editing an activity, Security
Manager prompts you to save your changes, then closes the activity.

Submitted: The activity was submitted for approval. (This state is available
only if you have Workflow mode enabled with activity approval required. For
more information, see Chapter 2, Performing Administrative Tasks.) No
further changes can be made within the activity. The policies, devices
(through policy assignment), or objects affected by the policy changes remain
locked to other activities.
When an activity is submitted, an email is sent to the approver. The approver
can open the activity (in read-only mode) to review the changes within the
activity, then approve or reject it. An approved activity moves to the approved
state. A rejected activity returns to the Edit state.

Approved: The activity was approved by a person with activity approval
permissions. The policies defined within the activity are committed and ready
to be deployed to devices or to a file. The devices affected by the policy
changes are no longer locked to other activities.

Rejected: The activity was reviewed and rejected by a person with activity
approval permissions. The policies defined within the activity are not
committed. The activity returns to the Edit state and the devices affected by
the policy changes remain locked to other activities.

Figure 7-1 shows the stages in the activity workflow without an approver
(default). Figure 7-2 shows the stages in the activity workflow with an approver.
For a complete list and descriptions of activity states, see Activity States,
page E-4.

User Guide for Cisco Security Manager 3.1

7-6

OL-11501-03

Chapter 7

Managing Activities
Understanding Activities

Figure 7-1 Activity Workflow without an Approver

[Diagram. Actions shown: Create/open activity; Define configurations; Close
activity; Approve activity. States shown: Editable; Approved; COMMITTED.]
User Guide for Cisco Security Manager 3.1


OL-11501-03

7-7

Chapter 7

Managing Activities

Understanding Activities

Figure 7-2 Activity Workflow with an Approver

[Diagram. Actions shown: Create/open activity; Define configurations; Close
activity; Submit activity; Open activity (read-only); Approve activity; Reject
activity (returns the activity to Editable). States shown: Editable; Submitted;
Approved; COMMITTED.]
User Guide for Cisco Security Manager 3.1

7-8

OL-11501-03

Chapter 7

Managing Activities
Working with Activities

Working with Activities


The following topics provide information to help you use activities:

Accessing Activity Functions, page 7-9

Creating an Activity, page 7-11

Opening an Activity, page 7-12

Closing an Activity, page 7-12

Validating an Activity, page 7-13

Submitting an Activity for Approval, page 7-14

Approving or Rejecting an Activity, page 7-16

Discarding an Activity, page 7-19

Accessing Activity Functions


You can access activity management functions in the following ways:

Select Tools > Activity Manager. The Activity Manager window contains a
list of existing activities and their states. From this window, you can create
new activities, and open, close, submit, approve, reject, or discard existing
activities. For more information, see Activity Manager Window, page E-1.

Note

The Activity Manager option from the Tools menu is only visible when
Workflow mode is enabled.

Click a button in the main toolbar. The activity management buttons that are
active in the main toolbar vary according to three factors:

Whether workflow is turned on with or without an approver. In Workflow
mode with an approver, the main toolbar buttons allow you to create,
open, close, submit, approve, reject, and discard activities. In Workflow
mode without an approver, the main toolbar buttons allow you to create,
open, close, submit, and discard activities.

The state of the activity. For example, if no activity is open, the Open An
Activity button is provided, while the Close Activity button is not
provided.

User permissions. If the user who is logged in does not have activity
approval permissions, the Approve button is not visible.

For descriptions of the buttons on the main toolbar, see Table 7-1.
Table 7-1 Main Toolbar Buttons: Workflow Mode Enabled

Button / Description (the button icons are not reproduced here):

Creates an activity.

Opens an activity. You can open an activity when it is in the Edit or the Submitted
state. To open a submitted activity, you must have user privileges to approve or
reject changes made in that activity. For more information, see Setting Up User
Permissions, page 2-3.

Saves all changes made while the activity was open and closes it. You can close an
activity when it is in the Edit Open or the Submit Open state.

Generates change data and produces an Activity Change Report in PDF format in a
separate window. For more information, see Understanding Activity Change Reports,
page 7-17.

Submits the activity for approval. You can submit an activity when it is in the Edit
or the Edit Open state.

Approves the changes proposed in an activity. You can approve an activity when it is
in the Submitted state. You must have user privileges to accept the changes proposed
in an activity. For more information, see Setting Up User Permissions, page 2-3.
This action is not available in Workflow mode without an approver.

Rejects the changes proposed in an activity. You can reject an activity when it is in
the Submitted or Submitted Open state. You must have user privileges to deny changes
proposed in an activity. For more information, see Setting Up User Permissions,
page 2-3. This action is not available in Workflow mode without an approver.

Discards the selected activity. The activity is discarded and later purged from the
system when you perform the purge action, either automatically as set in the
Workflow Management page or manually. The activity state is shown as discarded
until the activity is actually purged from the system.

Validates the integrity of changed policies within the current activity.

Creating an Activity
This procedure describes how to create an activity.
Before you create or change policies or assign policies to devices, you must create
an activity.
Procedure
Step 1

Click Create in the main toolbar.


The Create Activity dialog box appears.

Step 2

In the Activity Name field, keep the default name (username, date, and time the
activity was created) or enter a logical, unique name that reflects the contents of
the activity.

Step 3

In the Comment field, enter a brief description of the activity or other pertinent
information.

Step 4

Click OK.
The activity is listed by name in the Activity Manager window. For more
information, see Activity Manager Window, page E-1.

Related Topics

Understanding Activities, page 7-2

Create Activity Dialog Box, page E-7



Opening an Activity
This topic describes how to open an activity.
You can open an existing activity if no one else has it opened. You might open an
existing activity in the Edit state to make further policy changes, or you might
open an existing activity in the Submitted state to review proposed policy changes
before approving or rejecting it (if you have the appropriate permissions and you
are working in Workflow mode with an approver). For more information, see
Chapter 2, Performing Administrative Tasks.

Note

A submitted activity opens in read-only mode.


To open an activity, do one of the following:

Click the Open button in the main toolbar. From the Openable activities
dialog box, select the activity you want to open, then click OK.

Select Tools > Activity Manager. From the Activity Manager window, select
the activity you want to open, then click Open.

Related Topics

Understanding Activities, page 7-2

Closing an Activity
You can close an activity without approving it (or submitting it for approval) if
you or others want to continue configuring policies at a later time.

Note

A person with administrator privileges can close an activity opened by another
user.
To close an open activity, do one of the following:

Click the Close button in the main toolbar.

Select Tools > Activity Manager. From the Activity Manager window, click
Close.


Related Topics

Understanding Activities, page 7-2

Validating an Activity
Security Manager validates activities when you submit them for approval, or you
can validate an activity at any time while you are creating and changing policies
in an activity. After an activity is submitted, the validation report remains static.
The validation process checks the following and displays a report of the results:

Policy integrity: There are no unresolvable references (for example, missing
objects, unresolved Interface Roles, overrides of Mandatory settings, and so
on).

Policy deployability: The platform, OS, and configured features are
supported by the target devices so that policies can be correctly translated into
CLI commands.

FlexConfig integrity: Makes sure there are no corrupted FlexConfig objects.
If corrupted objects are found, a warning with a list of the corrupted
FlexConfig objects results.

FlexConfig syntax: If syntax errors are found, a warning with a list of
affected FlexConfigs and their syntax errors results.

FlexConfig object references: Makes sure object references are resolvable.
If FlexConfig objects reference non-existent objects, a warning with a list of
the missing objects results.

If you finish working on an activity, you can submit it, and the validation process
runs. For more information, see Submitting an Activity for Approval, page 7-14.


This procedure describes how to validate an activity.


Procedure
Step 1

Do one of the following:

Open an activity, then click the Validate button on the main toolbar.

Select Tools > Activity Manager. From the Activity Manager window, select
an activity, then click Validate.

Security Manager performs the validation. If no errors are found, an informational
message shows that the validation passed. If errors are found, the Validation
dialog box appears. The Validation dialog box contains detailed error information
organized in two tabs. You must correct these errors before submitting the activity.
Security Manager does not allow an activity to be submitted with validation
errors.

Note

A validation warning (as opposed to an error) will not prevent activity
approval or deployment.

Step 2

Click the desired tab to display its contents. The following topics contain
information about these tabs:

Errors Tab, page E-12

Devices Tab, page E-14

Related Topics

Validation Dialog Box, page E-12

Submitting an Activity for Approval


This procedure describes how to submit an activity for approval.
After you finish creating, changing, or assigning policies within the activity, you
must submit the activity for approval. When you submit it, the integrity and
deployability of the activity is validated. For details about the validation process
and report, see Validating an Activity, page 7-13.

The activity is also closed so that it can be opened by the user who has the
permissions to approve it. When the activity is approved, its configurations are
committed to the Security Manager database, and they can be deployed to the
devices.
When you submit an activity, you can send email to the relevant approvers to
notify them that an activity requires approval.

Note

By default, submission of activities for approval is disabled in the Workflow
dialog box (Tools > Security Manager Administration > Preferences > Workflow).
This means that the submission step is not required and you can approve the
activity yourself (if you have the appropriate permissions). An administrator can
change activity approval settings in the Workflow dialog box if the organization
requires one set of users to define configurations and another set to approve and
commit them. For more information about changing activity approval settings, see
Chapter 2, Performing Administrative Tasks.
Procedure

Step 1

Do one of the following:

Open an activity and click the Submit button on the main toolbar.

Select Tools > Activity Manager. From the Activity Manager window, select
an activity, then click Submit.

The Submit Activity dialog box appears.


Step 2

In the Approver field, keep the default email address of the person assigned
activity approval permissions or enter the email address of another person. This
person receives notification of your submission.

Note

The default email address is set in Tools > Security Manager
Administration > Preferences > Workflow.

Step 3

In the Comment field, enter a brief description of the changes included in the
activity or other pertinent information.

Step 4

Click OK. The activity status changes to Submitted in the Activity Manager
window.


Note

If the email does not reach the recipient, Security Manager displays a
message indicating that the email server is unreachable, and you must
contact the approver directly.

Related Topics

Understanding Activities, page 7-2

Submit Activity Dialog Box, page E-8

Approving or Rejecting an Activity


This procedure describes how to approve or reject an activity.
If you have activity approval permissions, you can open a submitted activity,
review the policies and policy assignments, and then either approve or reject the
activity.
If you approve the activity, policies and policy assignments are committed to the
database and are ready to be deployed to devices or files. Devices associated with
the activity are unlocked, meaning they can be included in policy definitions and
changes in other activities.
If you reject the activity, the submitter can reopen the activity to make the
necessary changes and resubmit it for approval. Devices associated with the
activity are not unlocked, meaning that they cannot be included in policy
definitions or changes in another activity.

Note

After an activity is approved, changes cannot be undone. You must create a new
activity and manually change policies and policy assignments to the desired state.
Before You Begin

Open the activity and review its policies and policy assignments.


Procedure
Step 1

Do one of the following:

Open an activity and click the Approve or Reject button, as appropriate, on
the main toolbar.

Select Tools > Activity Manager. From the Activity Manager window, select
an activity and click Approve or Reject.

The Approve Activity or Reject Activity dialog box appears.


Step 2

In the Comment field, enter a brief explanation of why you are approving or
rejecting the activity. If you are rejecting the activity, you might want to include
suggested revisions.

Step 3

Click OK. The activity status changes to Approved or Edit (if rejected) in the
Activity Manager window. For a description of the elements in the window, see
Activity Manager Window, page E-1.

Related Topics

Understanding Activities, page 7-2

Approve Activity Dialog Box, page E-9

Reject Activity Dialog Box, page E-10

Understanding Activity Change Reports


From the Tools > Change Reports menu (non-Workflow mode), or the Activities
menu (Workflow mode), you can select View Changes to view reports about
actions that users have taken within an activity. You can see which actions were
taken and what devices and groups were acted upon within an activity or
configuration session (non-Workflow mode). A report generated in PDF format
identifies the policy and building block changes made as part of that
activity.


Note

If you discover a device or rediscover policies on a device, then subsequent policy
changes in the same activity performed on that device are not listed in the activity
change report. This is also true on a device that you clone from another device.
A three-level menu structure view shows which actions were taken and what
devices and groups were acted upon. It also identifies the policy changes made as
part of that activity, including changes to policy objects. You can use the PDF
bookmark feature to navigate the report.

Note

You must disable any popup-blocker applications you have running to ensure the
activity report will launch.
Figure 7-3 shows a sample activity report.

Figure 7-3    Activity Report

[Sample Activity Change Report (image not reproduced). Header: User celia; Session
started on 26-Oct-2006 00:49:16; Current state Edit Open; Report created on
26-Oct-2006 18:14:22. Contents: Devices: router2600. Policy Objects Override:
InterfaceRole, operation Add, category None, name External, comment "External
interfaces", patterns Ethernet1, Dialer0, Serial0, Async1, Serial0/0, Outside.
Shared Policies: No changes. Policy Objects: Ike, operation Add, name New IKE
Proposal, DH group 1, lifetime 86400, priority -1, hash SHA, encryption aes-128,
authentication Preshared Key.]

Use File > View Changes to obtain an Activity Change Report that only reports
changes on the current activity (or configuration session in non-Workflow mode).


Discarding an Activity
This topic describes how to discard an activity.
You can discard an activity if it is no longer required. When you discard an
activity, you delete all the policies and policy assignments that were defined
within the activity. Those policies and policy assignments are not in the database;
therefore, they cannot be deployed.
Discarded activities are removed from the system according to the settings
defined in CSM Settings and devices associated with the activity are unlocked,
meaning they can be used by other activities. For more information, see
Chapter 2, Performing Administrative Tasks.
To discard an activity, do one of the following:

Open an activity, then click the Discard button on the main toolbar.

Select Tools > Activity Manager. From the Activity Manager window, select
an activity, then click Discard. Only an activity in the Edit or Edit Open state
can be discarded.

Related Topics

Understanding Activities, page 7-2
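The Python model below is an added example, not Security Manager code. It puts the activity life cycle described in Table 7-1 and in the Creating, Opening, Validating, Submitting, Approving or Rejecting and Discarding sections into one runnable state machine, so that the controls those sections describe can be exercised together: the validation gate on Submit, the approver permission required to open, approve or reject a submitted activity, and the device locks that only Approve or Discard release (a rejection keeps them held for the rework). The approvers set, the lock table, the validate callback and the user and device names in the scenario are assumptions made for the model; the Close button and the activity history are left out.

```python
"""Added model (not Security Manager code) of the activity workflow in this chapter: Table 7-1
states, the validation gate on Submit, approver checks on Open/Approve/Reject, and device locks
released only by Approve or Discard. Approvers set, lock table and validate callback are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

EDIT, EDIT_OPEN, SUBMITTED, SUBMITTED_OPEN = "Edit", "Edit Open", "Submitted", "Submitted Open"
APPROVED, DISCARDED = "Approved", "Discarded"


class WorkflowError(Exception):
    """Action not permitted in the current state or for the current user."""


@dataclass
class Activity:
    name: str
    state: str = EDIT                               # a new activity starts in Edit
    opened_by: str = ""                             # empty while closed
    devices: Set[str] = field(default_factory=set)  # devices whose policies it changes


class ActivityWorkflow:
    def __init__(self, validate: Callable[[Activity], List[str]], approvers: Set[str]) -> None:
        self.validate = validate          # returns errors only; warnings never block
        self.approvers = approvers        # users holding activity approval permissions
        self.locked: Dict[str, str] = {}  # device -> activity holding its lock

    def _require(self, act: Activity, *states: str) -> None:
        if act.state not in states:
            raise WorkflowError(f"{act.name}: not allowed in state {act.state!r}")

    def _require_approver(self, user: str) -> None:
        if user not in self.approvers:
            raise WorkflowError(f"{user} lacks activity approval permissions")

    def assign_device(self, act: Activity, device: str) -> None:
        self._require(act, EDIT, EDIT_OPEN)
        holder = self.locked.get(device)
        if holder not in (None, act.name):  # held until that activity is approved or discarded
            raise WorkflowError(f"{device} is locked by activity {holder!r}")
        self.locked[device] = act.name
        act.devices.add(device)

    def open(self, act: Activity, user: str) -> None:
        if act.opened_by:
            raise WorkflowError(f"{act.name} is already open (by {act.opened_by})")
        self._require(act, EDIT, SUBMITTED)
        if act.state == SUBMITTED:
            self._require_approver(user)  # a submitted activity opens read-only, for review
        act.state, act.opened_by = (EDIT_OPEN if act.state == EDIT else SUBMITTED_OPEN), user

    def submit(self, act: Activity) -> None:
        self._require(act, EDIT, EDIT_OPEN)
        errors = self.validate(act)
        if errors:  # an activity with validation errors cannot be submitted
            raise WorkflowError("validation failed: " + "; ".join(errors))
        act.state, act.opened_by = SUBMITTED, ""  # submitting also closes it

    def approve(self, act: Activity, user: str) -> None:
        self._require_approver(user)
        self._require(act, SUBMITTED, SUBMITTED_OPEN)
        act.state, act.opened_by = APPROVED, ""
        for dev in act.devices:  # changes committed: devices usable by other activities
            self.locked.pop(dev, None)

    def reject(self, act: Activity, user: str) -> None:
        self._require_approver(user)
        self._require(act, SUBMITTED, SUBMITTED_OPEN)
        act.state, act.opened_by = EDIT, ""  # devices stay locked for the rework

    def discard(self, act: Activity) -> None:
        self._require(act, EDIT, EDIT_OPEN)
        act.state, act.opened_by = DISCARDED, ""
        for dev in act.devices:  # discarded changes never reach the database
            self.locked.pop(dev, None)


def demo() -> dict:
    """Constructed scenario; returns which checks fired and the final state."""
    errors = ["unresolved reference: InterfaceRole Outside"]  # stands in for the validation report
    wf = ActivityWorkflow(lambda a: list(errors), {"approver"})
    act, other = Activity("celia_2006-10-26"), Activity("other")
    wf.assign_device(act, "router2600")
    fired = []
    for label, action in (("submit_with_errors", lambda: wf.submit(act)),
                          ("device_locked", lambda: wf.assign_device(other, "router2600")),
                          ("approve_without_permission", lambda: wf.approve(act, "celia"))):
        try:
            action()
        except WorkflowError:
            fired.append(label)
    errors.clear()  # the dangling reference has been fixed
    wf.submit(act)
    wf.open(act, "approver")    # Submitted Open: read-only review
    wf.reject(act, "approver")  # back to Edit; router2600 is still locked
    wf.open(act, "celia")
    wf.submit(act)
    wf.approve(act, "approver")
    wf.assign_device(other, "router2600")  # lock released by the approval
    return {"fired": fired, "final_state": act.state, "other_devices": sorted(other.devices)}
```

Running demo() walks one activity from Edit through a blocked submission, a lock conflict with a second activity, a rejected review and a final approval; the same object can be driven through Discard to confirm that it, too, releases the device locks.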

Displaying Activity Details


This procedure describes how to display activity details.
For a specific activity, you can view details, such as the activity ID and name, the
date and time that an activity was created and last modified, and any comments
that the user entered when changing the activity state.
Procedure
Step 1

Select Tools > Activity Manager.

Step 2

Select the activity about which you want to see detailed information.

Step 3

Click the Activity Details tab. For details about the information displayed, see
Details Tab, page E-5.


Related Topics

Understanding Activities, page 7-2

Displaying Activity History


This procedure describes how to display historical information about an activity.
The Activity History tab displays actions that occurred to the selected activity
since it was created. Each row in the table shows the action that occurred, the user
who performed the action, the date and time it occurred, and comments, if any,
that the user entered.
Procedure
Step 1

Select Tools > Activity Manager.

Step 2

Select the activity about which you want to see information.

Step 3

Click the Activity History tab. For details about the information displayed, see
History Tab, page E-6.

Related Topics

Understanding Activities, page 7-2

CHAPTER 8

Managing Objects
Introduction to Objects
Objects enable you to define logical collections of elements. They are reusable,
named components that can be used by other objects and policies. Objects aid
policy definition by eliminating the need to define that component each time you
define a policy. When used, an object becomes an integral component of the
object or policy. This means that if you change the definition of an object, this
change is reflected in all objects and policies that reference the object.
Objects facilitate network updates, because you can identify objects separately
but maintain them in a central location. For example, you can identify the servers
in your network as a network/host object called MyServers, and the protocols to
allow on these servers in a service group object. You can then create an access rule
that permits the service group to access the MyServers network/host object. If a
change is made to these servers, you need only update the network/host object and
redeploy, instead of trying to locate and edit each rule in which the servers are
used.
By default, objects are defined globally. This means that the definition of an
object is the same for every object and policy that references it. However, many
object types (for example, interface roles) can be overridden at the device level.
This enables you to customize an object to match the configuration of a particular
device in your network. For more information, see Overriding Global Objects for
Individual Devices, page 8-197.

Note

Objects were known as building blocks in the VPN/Security Management
Solution (VMS) bundle, which predated the Cisco Security Manager.

Related Topics

Creating Objects, page 8-2

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

Managing Existing Objects, page 8-9

Creating Objects
Security Manager provides predefined objects of various types that you can use to
define policies. Additionally, you can create your own objects, as required.
You can access the dialog boxes for creating objects in one of two ways:

Using the Policy Object Manager window. This option is best suited for
situations where you are defining one or more objects outside of the context
of defining a particular policy. See Understanding the Policy Object Manager
Window, page 8-5.

Using object selectors. When you define a policy that uses objects, object
selectors include buttons for creating and editing objects without your having
to first leave the policy that you are defining. See Selecting Objects for
Policies, page 8-203.

The following topics describe the types of objects that are available in
Security Manager and how to create them:

Understanding AAA Server Group Objects, page 8-16

Understanding AAA Server Objects, page 8-23

Understanding Access Control List Objects, page 8-31

Understanding ASA User Group Objects, page 8-43

Understanding Category Objects, page 8-48

Understanding Credential Objects, page 8-50

Understanding FlexConfig Objects, page 8-52

Understanding IKE Proposal Objects, page 8-54

Understanding Inspection Map Objects, page 8-57

Understanding Interface Role Objects, page 8-115


Understanding IPsec Transform Set Objects, page 8-120

Understanding LDAP Attribute Map Objects, page 8-124

Understanding Network/Host Objects, page 8-127

Understanding PKI Enrollment Objects, page 8-136

Understanding Port Forwarding List Objects, page 8-147

Understanding Port List Objects, page 8-150

Understanding Secure Desktop Configuration Objects, page 8-153

Understanding Service Group Objects, page 8-157

Understanding Service Objects, page 8-159

Understanding Single Sign-On Server Objects, page 8-162

Understanding SLA Monitor Objects, page 8-166

Understanding Style Objects, page 8-169

Understanding Text Objects, page 8-171

Understanding Time Range Objects, page 8-173

Understanding URL List Objects, page 8-179

Understanding User Group Objects, page 8-181

Understanding SSL VPN Customization Objects, page 8-186

Understanding SSL VPN Gateway Objects, page 8-191

Understanding WINS Server List Objects, page 8-194

Note

For information about FlexConfig objects, see Understanding FlexConfig Policy
Objects, page 19-2.
Related Topics

Introduction to Objects, page 8-1

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

Managing Existing Objects, page 8-9


Guidelines for Managing Objects


You should keep in mind the following guidelines when working with objects:

Object names are not case-sensitive and are limited to 128 characters. You
must begin object names with a letter or an underscore. You can use a mix of
letters, numbers, special characters, and spaces for the remainder of the
object name. Supported special characters include hyphens (-),
underscores (_), periods (.), and plus signs (+).

Note

Certain object types, such as AAA Server Groups, ASA User Groups,
Inspect Maps, and Traffic Flows, have different naming guidelines. For
more details, refer to the online help when you are creating each object
type.

You can rename an object that is referenced by policies or other objects.
Security Manager synchronizes the references with the new object name.

Objects are defined on the global level and are available for use with all
relevant policies and other objects. To override the definitions of certain types
of objects for specific devices, see Overriding Global Objects for Individual
Devices, page 8-197.

If you change the definition of an object, this change is reflected in all
policies that reference that object.

Your ability to create multiple objects with the same definition depends on a
setting on the Policy page located in the Preferences section of the
Cisco Security Manager Administration window. By default,
Security Manager warns you when you create an object whose definition is
identical to that of an existing object, but it does not prevent you from
proceeding. For more information, see Defining Policy Object Settings,
page 2-91.

You cannot delete an object that is referenced by policies or other objects.

In certain situations, you might not be allowed to delete an object, even
though the usage report indicates that it is not being used by any other objects
or policies. For example, if you configured a device with a local policy that
uses network/host object A and later replace that local policy with a shared
policy that does not use that object, you will still be prevented from deleting
object A. This can also happen when Security Manager creates an internal


object from the configuration of a discovered device, and the device is later
deleted. If you are prevented from deleting an object and you do not find any
policies or objects that use that object, we recommend that you submit or
discard all pending changes, then try again.
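As an added example (not Security Manager code), the Python registry below applies the guidelines listed above together with the rules in Deleting Objects and the Is Referenced filter tip under the Policy Object Manager filtering bar: the naming rule (letter or underscore first, then letters, digits, spaces, hyphens, underscores, periods and plus signs, at most 128 characters, compared case-insensitively), the warning (not a refusal) on an object whose definition duplicates an existing one, renaming that keeps existing references attached, a definition change that reaches every referrer, deletion that is refused while the object is referenced and that otherwise removes the object's device-level overrides with it, and a listing of unreferenced objects. The regular expression, the registry API, the warn_on_duplicate flag and the sample objects are assumptions made for the illustration.

```python
"""Added example (not Security Manager code): a small policy-object registry applying
the guidelines above and the rules in Deleting Objects: name validation, case-insensitive
uniqueness, the duplicate-definition warning, rename propagation, refusal to delete a
referenced object, cascade deletion of device overrides, and the Is Referenced filter."""
import re
from typing import Dict, List, Set

# Assumed regex for the stated rule: letter or underscore first, then letters, digits,
# spaces, hyphens, underscores, periods and plus signs; length is checked separately.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9 _.+-]*")


def valid_object_name(name: str) -> bool:
    return 0 < len(name) <= 128 and NAME_RE.fullmatch(name) is not None


class ObjectError(Exception):
    """Raised when an object operation violates one of the guidelines."""


class ObjectRegistry:
    def __init__(self, warn_on_duplicate: bool = True) -> None:  # the Policy page setting (assumed)
        self.warn_on_duplicate = warn_on_duplicate
        self.objects: Dict[str, dict] = {}  # lowercase key -> name, definition, referrers, overrides
        self.warnings: List[str] = []

    def _get(self, name: str) -> dict:
        try:
            return self.objects[name.lower()]  # object names are not case-sensitive
        except KeyError:
            raise ObjectError(f"no object named {name!r}") from None

    def create(self, name: str, definition: dict) -> None:
        if not valid_object_name(name):
            raise ObjectError(f"invalid object name {name!r}")
        if name.lower() in self.objects:
            raise ObjectError(f"an object named {name!r} already exists")
        twins = [o["name"] for o in self.objects.values() if o["definition"] == definition]
        if twins and self.warn_on_duplicate:  # warned, but not prevented
            self.warnings.append(f"{name!r} has the same definition as {twins}")
        self.objects[name.lower()] = {"name": name, "definition": dict(definition),
                                      "referrers": set(), "overrides": {}}

    def add_reference(self, referrer: str, name: str) -> None:
        """Record that a policy or another object uses this object."""
        self._get(name)["referrers"].add(referrer)

    def set_override(self, name: str, device: str, definition: dict) -> None:
        self._get(name)["overrides"][device] = dict(definition)

    def update(self, name: str, definition: dict) -> Set[str]:
        """Change the global definition; returns every referrer the change reaches."""
        obj = self._get(name)
        obj["definition"] = dict(definition)
        return set(obj["referrers"])

    def rename(self, old: str, new: str) -> None:
        """Allowed even when referenced; references follow the object, not the name."""
        obj = self._get(old)
        if not valid_object_name(new):
            raise ObjectError(f"invalid object name {new!r}")
        if new.lower() != old.lower() and new.lower() in self.objects:
            raise ObjectError(f"an object named {new!r} already exists")
        del self.objects[old.lower()]
        obj["name"] = new
        self.objects[new.lower()] = obj

    def delete(self, name: str) -> int:
        """Refused while referenced; otherwise removes the object and its overrides."""
        obj = self._get(name)
        if obj["referrers"]:
            raise ObjectError(f"{name!r} is used by {sorted(obj['referrers'])}")
        del self.objects[name.lower()]
        return len(obj["overrides"])  # device-level overrides go with the object

    def unreferenced(self) -> List[str]:
        """What the Is Referenced filter would list as deletion candidates."""
        return sorted(o["name"] for o in self.objects.values() if not o["referrers"])


def demo() -> dict:
    """Constructed sample objects (not from the page); returns the observable outcomes."""
    reg = ObjectRegistry()
    reg.create("MyServers", {"hosts": ["10.0.0.10", "10.0.0.11"]})
    reg.create("WebServers", {"hosts": ["10.0.0.10", "10.0.0.11"]})  # identical definition
    reg.add_reference("policy:AllowWeb", "MyServers")
    reg.set_override("WebServers", "router2600", {"hosts": ["192.168.1.10"]})
    reg.rename("MyServers", "App Servers")
    touched = reg.update("App Servers", {"hosts": ["10.0.0.10", "10.0.0.12"]})
    try:
        reg.delete("app servers")  # case-insensitive lookup; refused while referenced
        blocked = False
    except ObjectError:
        blocked = True
    candidates = reg.unreferenced()
    return {"warnings": len(reg.warnings), "touched": sorted(touched), "delete_blocked": blocked,
            "candidates": candidates, "overrides_removed": reg.delete("WebServers"),
            "remaining": sorted(reg.objects)}
```

The registry keeps references on the object record rather than on its name, which is what makes a rename safe while policies still point at the object; the refusal in delete() is the same reference check the usage report is meant to surface before you try.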
Related Topics

Introduction to Objects, page 8-1

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Understanding Locking and Objects, page 6-59

Understanding the Policy Object Manager Window


You manage objects in Security Manager using the Policy Object Manager
window. This window enables you to view, create, edit, copy, and delete objects
of each type. Additionally, the Policy Object Manager window enables you to run
a usage report that details how each object is being used by Security Manager.


To open the Policy Object Manager window, click the Policy Object Manager
button on the toolbar, or select Tools > Policy Object Manager.
Figure 8-1    Policy Object Manager Window

[Screenshot of the Policy Object Manager window (image not reproduced) with callouts
for the Object Type selector, the Filtering bar, and the Work area.]

The Policy Object Manager window is divided into the following sections:

Object Type Selector, page 8-7

Policy Object Manager: Filtering Bar, page 8-7

Policy Object Manager: Work Area, page 8-8


Related Topics

Introduction to Objects, page 8-1

Managing Existing Objects, page 8-9

Object Type Selector


The Object Type selector, which is located on the left side of the Policy Object
Manager window, contains a list of each available object type. A unique icon is
displayed next to the name of each object type. This icon identifies objects of that
type whenever they appear, such as in rules tables.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Policy Object Manager: Filtering Bar


Use the filtering bar displayed above the work area to display only those objects
that match your defined criteria. Filter criteria are preconfigured, and vary
according to the type of object selected from the Object Type selector.
This procedure describes how to filter the objects table.
Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select an object type from Object Type selector. The objects that are defined for
that type appear in the work area.

Step 3

Click the blue arrow next to the word Filter in the upper-left corner of the work
area. The filter area expands to show the fields and buttons for defining filters.

Step 4

Filter the information displayed in the objects table by doing one of the following:

To create a filter, enter or select criteria in the three fields, then click Apply.

To create a filter that includes multiple criteria linked by OR statements, click
the arrow in the field on the left, then select Advanced Filter.


To reuse an existing filter, click the arrow in the field on the left, then select
a filter from the list displayed below the words Advanced Filter.

For details about creating filters, see Filtering Tables, page 3-24.

Note

Up to 10 filters may be defined at a time.

Step 5

To restore the complete contents of the objects table, click Clear.

Tip

Use the filter criterion Is Referenced to generate a list of objects that are not being
referenced by any policies or devices. You can then select the objects listed in the
table and delete them. In certain cases, you may not be allowed to delete
unreferenced objects. See Guidelines for Managing Objects, page 8-4.

Related Topics

Filtering Tables, page 3-24

Understanding the Policy Object Manager Window, page 8-5

Policy Object Manager: Work Area


Select an object type in the Object Type selector to display a table of existing
objects of that type in the work area, which is located on the right side of the
Policy Object Manager window. The icons of user-defined objects include a
special badge that distinguishes them from the predefined objects that are provided
with Security Manager.
The table displays key information about each object, including:

Object type icon.

Object name.

Defined category.

Object description.


Additional information in the table differs for each object type. For example, the
table for service objects includes the protocol, the source and destination ports,
the ICMP message type (if applicable), and whether the global settings for this
object can be overridden for individual devices.
To learn how to filter the information displayed in the work area, see Policy
Object Manager: Filtering Bar, page 8-7.
To sort the information in the work area, click a column header. Click the header
again to sort the information in reverse order.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Managing Existing Objects


The following topics describe the actions that you can perform on the objects
defined in the Policy Object Manager:

Editing Objects, page 8-10

Deleting Objects, page 8-11

Managing Object Overrides, page 8-12

Duplicating Objects, page 8-13

Generating Object Usage Reports, page 8-14

Viewing Object Details, page 8-15

You can access the options for performing all these actions by right-clicking an
object in the Policy Object Manager and selecting from the displayed shortcut
menu. Not all options are available for all objects. For example, predefined
objects cannot be edited, and certain object types cannot be overridden for
individual devices.
Related Topics

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

Managing Objects, page 8-1


Editing Objects
You can edit any user-defined object as required. Changes that you make to the
object are reflected in all policies (and other objects) that use the object. This
procedure describes how to edit an object.

Note

Predefined objects cannot be edited, but they can be copied. See Duplicating
Objects, page 8-13.

Tip

You can also edit objects when you define policies or objects that use this object
type. For more information, see Selecting Objects for Policies, page 8-203.
Before You Begin

Determine if the object is being used, and which policies, objects, and devices
would be affected by the changes. You can generate a usage report for this
purpose. See Generating Object Usage Reports, page 8-14.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select an object type from the Object Type selector.

Step 3

In the work area, right-click the object you want to edit, then select Edit Object.

Step 4

Modify the fields in the Edit dialog box for that object type as required, then click
OK to save your changes.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.


Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding AAA Server Group Objects, page 8-16

Deleting Objects
You can delete user-defined objects only when they are not being used by policies
or other objects. Predefined objects cannot be deleted. If you delete an object for
which device-level overrides are defined, all overrides are also deleted.
This procedure describes how to delete user-defined objects.

Note

You might be prevented from deleting an unreferenced object from the database,
if, for example, you replace a local policy that used the object with a shared policy
that does not. If object deletion fails, submit or discard all pending changes (in
Workflow mode, submit or discard all pending activities), then try again to delete
the object. Alternatively, you can leave unreferenced objects in the database,
because they will not affect Security Manager operation.
Before You Begin

Determine if the object is currently being used and which policies, objects,
and devices would be affected by the deletion. You can generate a usage
report for this purpose. See Generating Object Usage Reports, page 8-14.

Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select an object type from the Object Type selector.

Step 3

In the work area, right-click a user-defined object, then select Delete Object.

Tip

You can select multiple objects by pressing Ctrl and clicking on the
desired objects.

Step 4

When prompted, click Yes to confirm the deletion.


Note

To verify that the object was deleted, select Tools > Audit Report and
view the generated report.

Related Topics

Managing Existing Objects, page 8-9

Managing Object Overrides


From the Policy Object Manager window, you can select a global object that can
be overridden and generate a table of device-level overrides that are defined for
that global object. For example, you can select a global AAA server group object
and view a table of all devices for which you defined a local variation of the global
object.
For more information, see Overriding Global Objects for Individual Devices,
page 8-197.
Object override definitions are displayed in the Policy Object Override window.
This procedure describes how to create, edit, and delete object overrides from this
window.
Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select an object type from the Object Type selector to display the table of existing
objects of that type.

Step 3

In the work area, select a global object for which device-level overrides have been
permitted. These objects are indicated by a green checkmark in the Overridable
column. See Allowing a Global Object to Be Overridden, page 8-198.

Step 4

Double-click the checkmark, or right-click the object and select Edit Device
Overrides. The Policy Object Overrides window is displayed.


Each device-level override defined for the selected object is displayed in a table
containing the name of the device to which the override applies, the category
assigned to the object, and the object definition. See Table F-315 on page F-565
for a description of the fields in this window.
Step 5

(Optional) Do one of the following:

To create a device-level override, click the New Object button. For more
information, see Creating Device-Level Object Overrides, page 8-199.

To edit a device-level override, select the object from the table, then click the
Edit Object button.

To delete a device-level override, select the object from the table, then click
the Delete Object button. For more information, see Deleting Device-Level
Object Overrides, page 8-202.

Step 6

Click Close to return to the Policy Object Manager window.

Related Topics

Managing Existing Objects, page 8-9

Creating Object Overrides for a Single Device, page 8-199

Creating Object Overrides for Multiple Devices, page 8-200

Understanding the Policy Object Manager Window, page 8-5

Duplicating Objects
An alternative to creating a policy object from scratch is to duplicate an existing
object. The new object contains all the attributes of the copied object and a default
name. You can then modify the name and all attributes as required.
Duplicating is useful for creating objects that are based on predefined objects that
cannot be edited.
This procedure describes how to duplicate an object.


Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window is
displayed.

Step 2

Select an object type from the Object Type selector.

Step 3

In the work area, right-click the object you want to duplicate, then select Create
Duplicate.
The dialog box for that object type appears. The Name field contains the
following default name for the new object: Copy of name of copied object. The
remaining fields contain the same values as the copied object.

Step 4

Modify the name of the new object and its configuration, as required.

Step 5

Click OK to save your changes.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Managing Existing Objects, page 8-9

Understanding the Policy Object Manager Window, page 8-5

Generating Object Usage Reports


Before you make any changes to a user-defined object, you should determine if
the object is being used. You can do this by generating usage reports that show
which policies, objects, and devices are using the selected object and would
therefore be affected by changes to that object. Usage reports contain any
references to the selected object in your current activity as well as references
found in the data committed to the Security Manager database.
This procedure describes how to generate a usage report.


Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select an object type from the Object Type selector.

Step 3

In the work area, right-click the object for which you want to generate a report,
then select Find Usage.
The Usage Reports window appears, displaying all references to the selected
object. See Table F-315 on page F-564 for a description of the fields in this
window.

Tip

Click a column header to sort the table according to the contents of that
column. Click the column header again to sort the table in reverse order.

Step 4

(Optional) Filter the information displayed in the usage report by deselecting one
or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the report.

Related Topics

Managing Existing Objects, page 8-9

Understanding the Policy Object Manager Window, page 8-5

Viewing Object Details


You can view detailed object information in read-only mode, even when the object
is locked by another activity. This is useful when you need to view complete
configuration details for complex objects whose definitions cannot be fully
displayed in the Policy Object Manager window or when your user privileges
allow you only to view object information.


Note

You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a
selected object in read-only mode.
Procedure

Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window is
displayed.

Step 2

Select an object type from the Object Type selector.

Step 3

In the work area, right-click the object that you want to view configuration details
for, then select View Object.
The dialog box for that object appears in read-only mode.

Related Topics

Managing Existing Objects, page 8-9

Understanding the Policy Object Manager Window, page 8-5

Understanding AAA Server Group Objects


In Security Manager, policies requiring AAA (such as Easy VPN, Remote Access
VPNs, and router platform policies such as Secured Device Provisioning and
802.1x) refer to AAA server group objects. These objects contain multiple AAA
servers that use the same protocol, such as RADIUS or TACACS+. In essence,
AAA server groups represent collections of authentication servers focused on
enforcing specific aspects of your overall network security policy. For example,
you can group those servers dedicated to authenticating internal traffic, external
traffic, or remote dial-in users, as well as servers that authorize the administration
of your firewall devices.


AAA server groups objects are typically made up of individual AAA server
objects. For more information, see Understanding AAA Server Objects,
page 8-23. Security Manager policies always refer to the AAA server group,
rather than individual AAA servers.
The following topics describe how to work with AAA server group objects:

Predefined AAA Authentication Server Groups, page 8-17

Default AAA Server Groups and IOS Devices, page 8-18

Creating AAA Server Group Objects, page 8-19

Related Topics

Creating Objects, page 8-2

Predefined AAA Authentication Server Groups


Security Manager contains several predefined AAA server groups that define an
authentication method without specifying particular AAA servers. In policies
such as IPsec proposals, you can use these predefined server groups to define the
types of AAA authentication to perform and the order in which to perform them.
Table 8-1 lists the predefined AAA authentication server groups.
Table 8-1  Predefined AAA Authentication Server Groups

Name      Description

Enable    Uses the enable password for authentication.

KRB5      Uses Kerberos 5 for authentication.
          Note: For Cisco IOS routers, Security Manager supports
          Kerberos 5 client configuration only on selected platforms
          running IOS Software versions that support this protocol.
          Server configuration is not supported. The device must
          include an Advanced series feature set (k9 crypto image).

Line      Uses the line password for authentication.

Local     Uses the local username database for authentication.

None      Uses no authentication.

RADIUS    Uses RADIUS authentication. Does not apply to Cisco IOS routers.
          Note: This AAA server group does not contain any AAA servers
          at the global level. To use this AAA server group when
          defining a policy, you must create a device-level override
          and define the AAA servers to associate with the group. For
          more information, see Creating Device-Level Object
          Overrides, page 8-199.

TACACS+   Uses TACACS+ authentication. Does not apply to Cisco IOS routers.
          Note: This AAA server group does not contain any AAA servers
          at the global level. To use this AAA server group when
          defining a policy, you must create a device-level override
          and define the AAA servers to associate with the group. For
          more information, see Creating Device-Level Object
          Overrides, page 8-199.

Related Topics

Creating AAA Server Group Objects, page 8-19

Default AAA Server Groups and IOS Devices, page 8-18

Understanding AAA Server Group Objects, page 8-16

Default AAA Server Groups and IOS Devices


IOS software enables you to define AAA servers either as members of AAA
server groups or as individual servers. Security Manager, however, requires all
AAA servers to belong to a AAA server group.
Therefore, when you discover an IOS device whose device configuration contains
individual AAA servers that do not belong to a AAA server group, Security
Manager creates the following server groups to contain these servers:

For RADIUS: CSM-rad-grp


For TACACS+: CSM-tac-grp

Both of these special AAA server groups are marked in the Policy Object Manager
as the default groups for their protocol. This is indicated by the Make this Group
the Default AAA Server Group check box.
These groups are created solely for the purpose of management by Security
Manager. During deployment, the AAA servers in these special groups are
deployed back to the IOS device as individual servers, not as part of the group.

Note

If you use one of these default AAA server groups in a policy defined for a
PIX/ASA/FWSM device, the AAA servers are deployed as a group to that
device, not as individual servers. This is because all AAA servers on
PIX/ASA/FWSM devices must belong to a AAA server group.

We recommend that you use caution when using these default AAA server
groups in a policy definition. There are certain commands (for example,
ip radius and ip tacacs, which are configured using the Interface field in the
AAA Server dialog box) that can be defined once for each AAA server group
and once for all individual AAA servers. Because the AAA servers in the
default group are deployed to IOS devices as individual servers, you might
inadvertently change the ip radius or ip tacacs settings for all the individual
AAA servers configured on the device, including servers that are not being
managed by Security Manager (and whose configurations would otherwise be
left undisturbed).
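The discovery behaviour described above, as an added example that is not Security Manager's own code: a small parser over a constructed IOS configuration fragment places ungrouped radius-server and tacacs-server hosts into the CSM-rad-grp and CSM-tac-grp default groups, and a helper shows which individual servers a globally deployed ip radius source-interface or ip tacacs source-interface command would also touch. The configuration lines, IP addresses, key placeholders and the "managed" set are constructed assumptions for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed running-config fragment (not from a real device). 10.0.0.11 belongs
# to a named group; the remaining hosts are individual, ungrouped servers.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius CORP-RAD
 server 10.0.0.11 auth-port 1812 acct-port 1813
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key 7 <placeholder>
radius-server host 10.0.0.12 auth-port 1812 acct-port 1813 key 7 <placeholder>
radius-server host 10.0.0.13 auth-port 1812 acct-port 1813 key 7 <placeholder>
tacacs-server host 10.0.0.21 key 7 <placeholder>
tacacs-server host 10.0.0.22 key 7 <placeholder>
ip radius source-interface Loopback0
"""

# Names of the special groups Security Manager creates, as stated in the text.
DEFAULT_GROUPS = {"radius": "CSM-rad-grp", "tacacs+": "CSM-tac-grp"}
# Global IOS commands that apply to every individual server of the protocol.
SOURCE_INTERFACE_CMD = {"radius": "ip radius source-interface",
                        "tacacs+": "ip tacacs source-interface"}


@dataclass
class Discovery:
    groups: Dict[str, List[str]] = field(default_factory=dict)      # group -> server IPs
    individual: Dict[str, List[str]] = field(default_factory=dict)  # protocol -> ungrouped IPs
    default_group: Dict[str, str] = field(default_factory=dict)     # protocol -> default group


def discover(config: str) -> Discovery:
    """Collect named groups and put ungrouped servers into the default groups."""
    d = Discovery()
    hosts: Dict[str, List[str]] = {"radius": [], "tacacs+": []}
    grouped: Set[str] = set()
    current = None  # name of the 'aaa group server' block being read
    for line in config.splitlines():
        m = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if m:
            current = m.group(2)
            d.groups[current] = []
            continue
        m = re.match(r" server (\S+)", line)  # indented member line of a group
        if m and current is not None:
            d.groups[current].append(m.group(1))
            grouped.add(m.group(1))
            continue
        current = None  # any other top-level line ends the group block
        m = re.match(r"(radius|tacacs)-server host (\S+)", line)
        if m:
            proto = "radius" if m.group(1) == "radius" else "tacacs+"
            hosts[proto].append(m.group(2))
    for proto, ips in hosts.items():
        ungrouped = [ip for ip in ips if ip not in grouped]
        d.individual[proto] = ungrouped
        if ungrouped:
            name = DEFAULT_GROUPS[proto]
            d.groups[name] = ungrouped
            d.default_group[proto] = name
    return d


def source_interface_side_effects(d: Discovery, proto: str, interface: str,
                                  managed: Set[str]) -> Tuple[str, List[str]]:
    """Return the global command deployed for the default group's Interface field
    and the individual servers it also changes that are outside the managed set
    (the side effect the caution above warns about). 'managed' is an assumption:
    the servers the policy's default group actually contains."""
    cmd = f"{SOURCE_INTERFACE_CMD[proto]} {interface}"
    affected = [ip for ip in d.individual.get(proto, []) if ip not in managed]
    return cmd, affected


if __name__ == "__main__":
    found = discover(SAMPLE_CONFIG)
    for name, members in found.groups.items():
        print(f"{name}: {members}")
    print(source_interface_side_effects(found, "radius", "Loopback0", {"10.0.0.12"}))
```

The parser keys only on the group header, its indented server lines and the two host commands; it ignores everything else in the fragment, which is enough to show why a source-interface change on the default group reaches servers the policy never named.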

Related Topics

Predefined AAA Authentication Server Groups, page 8-17

Creating AAA Server Group Objects, page 8-19

Understanding AAA Server Group Objects, page 8-16

Understanding AAA Server Objects, page 8-23

Creating AAA Server Group Objects


You can create AAA server group objects for Security Manager policies requiring
AAA services, such as authentication and authorization. Each AAA server group
object can contain multiple AAA servers, all of which use the same protocol, such
as RADIUS or TACACS+. For example, if you want to use RADIUS to
authenticate network access and TACACS+ to authenticate CLI access, you must
create at least two AAA server group objects, one for RADIUS servers and one
for TACACS+ servers.
In addition, only one source interface can be defined for the AAA servers in the
group. An error is displayed when you submit your changes if different AAA
servers in the group use different source interfaces.

Note

The error is triggered by the actual interface defined as the source, not the name
of the interface role that represents the interface. That is, two AAA servers can
have different interface roles defined as the source interface as long as they both
resolve to the same device interface. An error is also displayed if the interface role
defined for the source interface matches more than one actual interface on the
device.
The number of AAA server group objects that can be created and the number of
AAA server objects that can be included in each group object depend on the
selected platform. For example, ASA devices support up to 18 single-mode server
groups (with up to 16 servers each) and 7 multi-mode server groups (with up to 4
servers each). PIX firewalls support up to 14 server groups, each containing up to
14 servers.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override AAA server group object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.
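The constraints just described (one protocol per group, one resolved source interface, platform limits on group and server counts), as an added example that is not Security Manager's code: a validator for a candidate server group. Interface roles are modelled as glob patterns over device interface names, which is an assumption for this illustration; the device interfaces, server names and platform labels are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AAAServer:
    name: str
    protocol: str                      # "RADIUS" or "TACACS+"
    source_role: Optional[str] = None  # interface role, modelled as a glob (assumption)


# Limits quoted in the text above: (max server groups, max servers per group).
PLATFORM_LIMITS = {
    "ASA single-mode": (18, 16),
    "ASA multi-mode": (7, 4),
    "PIX": (14, 14),
}


def resolve_role(role: str, device_interfaces: List[str]) -> str:
    """An interface role must map to exactly one interface on the target device."""
    matches = fnmatch.filter(device_interfaces, role)
    if len(matches) != 1:
        raise ValueError(f"interface role {role!r} matches {len(matches)} interfaces "
                         f"on the device; expected exactly 1")
    return matches[0]


def validate_group(servers: List[AAAServer], device_interfaces: List[str],
                   platform: str, existing_groups: int) -> List[str]:
    """Return the list of errors a submit of this group would raise (empty if valid)."""
    errors: List[str] = []

    # Rule 1: every server in the group uses the same protocol.
    protocols = {s.protocol for s in servers}
    if len(protocols) > 1:
        errors.append(f"mixed protocols in one group: {sorted(protocols)}")

    # Rule 2: compare the resolved device interface, not the role name, and
    # reject roles that are ambiguous on this device.
    resolved: Dict[str, str] = {}
    for s in servers:
        if s.source_role is None:
            continue
        try:
            resolved[s.name] = resolve_role(s.source_role, device_interfaces)
        except ValueError as exc:
            errors.append(f"{s.name}: {exc}")
    if len(set(resolved.values())) > 1:
        errors.append(f"servers use different source interfaces: {resolved}")

    # Rule 3: platform limits on the number of groups and servers per group.
    max_groups, max_servers = PLATFORM_LIMITS[platform]
    if existing_groups >= max_groups:
        errors.append(f"{platform} allows at most {max_groups} server groups; "
                      f"{existing_groups} already defined")
    if len(servers) > max_servers:
        errors.append(f"{platform} allows at most {max_servers} servers per group; "
                      f"got {len(servers)}")
    return errors


if __name__ == "__main__":
    ifaces = ["GigabitEthernet0/0", "GigabitEthernet0/1", "Loopback0"]
    group = [AAAServer("rad1", "RADIUS", "Loopback0"), AAAServer("rad2", "RADIUS", "Loop*")]
    print(validate_group(group, ifaces, "ASA single-mode", 0))
```

The two roles "Loopback0" and "Loop*" are accepted together because both resolve to the same device interface, which is exactly the distinction the Note above draws; a role such as "GigabitEthernet*" is rejected on a device with more than one matching interface.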
This procedure describes how to create AAA server group objects.

Note

Security Manager includes a predefined AAA server group object that you can use
when you perform authentication locally inside the Cisco IOS router.

Tip

You can also create AAA server group objects when you define policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select AAA Server Groups from the Object Type selector.

Step 3

Right-click inside the work area, then select New Object.


The AAA Server Group dialog box appears. For a description of the fields in this
dialog box, see Table F-7 on page F-15.

Step 4

Enter a name for the object. The maximum name length is 16 characters if you
plan to use this object with firewall devices and 128 characters for Cisco IOS
routers. Spaces are not supported.

Note

Cisco IOS routers do not support the following AAA server group names:
RADIUS, TACACS, TACACS+. In addition, we do not recommend using
an abbreviation of one of these names, such as rad or tac.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Select the protocol to be used by the servers in the group.

Step 7

Enter the names of the AAA servers to include in the group, or click Select to
display a selector (see Selecting Objects for Policies, page 8-203). Only those
servers corresponding to the selected protocol are displayed.

Tip

If the required AAA server is not listed, click the Create button or the
Edit button in the selector to open the AAA Server Dialog Box,
page F-20. From here you can define a AAA server to include in the
server group.

When you finish, click OK to return to the AAA Server Group dialog box. Your
selections are displayed in the AAA Servers field.


Step 8

(IOS devices only) Select the check box if this group is to be the default group in
the network for RADIUS or TACACS+. Use this option if you intend to have a
single global server group for this protocol for all policies requiring AAA.
The default group can be used in most cases, except when you need to configure
multiple AAA server groups that use the same protocol. For example, you might
want to define multiple RADIUS groups so that one group can be used for
authentication and another group for authorization. Service providers may want
to define multiple groups with the same protocol in order to provide customer
separation when using VRF.

Note

Default groups are created automatically when you discover individual
AAA servers configured on an IOS router. These server groups are
created solely for the purpose of management by Security Manager. For
more information, see Default AAA Server Groups and IOS Devices,
page 8-18.

Step 9

(PIX/ASA/FWSM devices only) Configure the following settings:


a.

Specify the number of connection attempts that can fail before a server is
considered inactive.

b.

Select the method for reactivating failed servers in the group:

Depletion: All servers in the group are permitted to fail before all the
servers are reactivated (known as depletion). This is the default.

Timed: Causes failed servers to be reactivated after 30 seconds of
downtime. This option is useful when customers use the first server in a
server list as the primary server and prefer that it is online whenever
possible.

Note

The Timed option must be used when simultaneous accounting has
been enabled, as described in Step d below.

c.

(When Depletion is selected) You can configure the deadtime, which
determines how long (in minutes) the system waits after the last server in the
group has become inactive before beginning reactivation.

d.

Select the method to use for sending accounting messages (single or
simultaneous). This setting applies only to RADIUS or TACACS+.


Step 10

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 11

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 12

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.
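The PIX/ASA/FWSM failover settings from Step 9 (failed-attempt threshold, Depletion versus Timed reactivation, deadtime, and the rule that simultaneous accounting requires Timed), as an added example that is not Security Manager's or the appliance's code: a simulation of a server group's active list over time. Timestamps are plain seconds, the 10-minute deadtime default and the server addresses are constructed assumptions; the 30-second Timed interval is the value stated in the step.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

TIMED_REACTIVATION_SECONDS = 30  # stated for the Timed option in Step 9b


@dataclass
class GroupSettings:
    max_failed_attempts: int            # Step 9a
    reactivation: str = "depletion"     # Step 9b: "depletion" (default) or "timed"
    deadtime_minutes: int = 10          # Step 9c, depletion only (assumed default value)
    accounting_mode: str = "single"     # Step 9d: "single" or "simultaneous"

    def __post_init__(self) -> None:
        if self.reactivation not in ("depletion", "timed"):
            raise ValueError(f"unknown reactivation mode {self.reactivation!r}")
        if self.accounting_mode == "simultaneous" and self.reactivation != "timed":
            raise ValueError("simultaneous accounting requires the Timed reactivation mode")


class AAAServerGroup:
    """Tracks which servers in a group are active under the configured policy."""

    def __init__(self, servers: List[str], settings: GroupSettings) -> None:
        self.servers = list(servers)
        self.settings = settings
        self.failures: Dict[str, int] = {s: 0 for s in servers}
        self.down_since: Dict[str, Optional[float]] = {s: None for s in servers}
        self.depleted_at: Optional[float] = None  # when the last server went down

    def record_success(self, server: str) -> None:
        self.failures[server] = 0

    def record_failure(self, server: str, now: float) -> None:
        if self.down_since[server] is not None:
            return  # already inactive; nothing changes until reactivation
        self.failures[server] += 1
        if self.failures[server] >= self.settings.max_failed_attempts:
            self.down_since[server] = now
            if (self.settings.reactivation == "depletion"
                    and all(t is not None for t in self.down_since.values())):
                self.depleted_at = now  # deadtime clock starts here

    def active_servers(self, now: float) -> List[str]:
        self._reactivate(now)
        return [s for s in self.servers if self.down_since[s] is None]

    def _reactivate(self, now: float) -> None:
        s = self.settings
        if s.reactivation == "timed":
            # Each failed server comes back on its own after 30 s of downtime.
            for srv, since in self.down_since.items():
                if since is not None and now - since >= TIMED_REACTIVATION_SECONDS:
                    self._restore(srv)
        elif self.depleted_at is not None and now - self.depleted_at >= s.deadtime_minutes * 60:
            # Depletion: nothing is restored until every server has failed and
            # the deadtime has elapsed; then the whole group comes back.
            for srv in self.servers:
                self._restore(srv)
            self.depleted_at = None

    def _restore(self, srv: str) -> None:
        self.down_since[srv] = None
        self.failures[srv] = 0


def simultaneous_requires_timed(reactivation: str) -> bool:
    """True if the combination is rejected, mirroring the Note under Step 9b."""
    try:
        GroupSettings(max_failed_attempts=3, reactivation=reactivation,
                      accounting_mode="simultaneous")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    g = AAAServerGroup(["10.0.0.1", "10.0.0.2"], GroupSettings(3, deadtime_minutes=1))
    for _ in range(3):
        g.record_failure("10.0.0.1", 0)
    print(g.active_servers(0))   # primary down, secondary still active
```

The practical difference the simulation makes visible: under Depletion a preferred primary stays out of rotation until every server has failed and the deadtime has passed, whereas under Timed it returns 30 seconds after it was marked inactive, which is why the step recommends Timed when the first server in the list should be preferred.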

Related Topics

Predefined AAA Authentication Server Groups, page 8-17

Default AAA Server Groups and IOS Devices, page 8-18

Understanding AAA Server Group Objects, page 8-16

Understanding the Policy Object Manager Window, page 8-5

Understanding AAA Server Objects


You can create AAA server objects in Security Manager. AAA enables devices to
determine who the user is (authentication), what the user is permitted to do
(authorization), and what the user actually did (accounting), as described below:

Authentication: Authentication is the way a user is identified before being
allowed access to the network and network services. It controls access by
requiring valid user credentials, which are typically a username and
password. All authentication methods, except for local, line password, and
enable authentication, must be defined through AAA. You can use
authentication alone or with authorization and accounting.

Authorization: After authentication is complete, authorization controls the
services and commands available to each authenticated user. Authorization
works by assembling a set of attributes that describe what the user is
authorized to perform. These attributes are compared to the information
contained in a database for a given user and the result is returned to AAA to
determine the user's actual capabilities and restrictions. The database can be
located locally on the access server or router or it can be hosted remotely on
a RADIUS or TACACS+ security server. If you do not use authorization,
authentication alone provides the same access to services to all
authenticated users. You must use authorization together with authentication.

Accounting: Accounting is used to track the services users are accessing, as
well as the amount of network resources they are consuming. When AAA
accounting is activated, the network access server reports user activity to the
RADIUS or TACACS+ security server (depending on which security method
you have implemented) in the form of accounting records. Accounting
information includes when sessions start and stop, usernames, the number of
bytes that pass through the device for each session, the service used, and the
duration of each session. This data can then be analyzed for network
management, client billing, and/or auditing. You can use accounting alone or
together with authentication and authorization.

AAA provides an extra level of protection and control for user access over using
ACLs alone. For example, you can create an ACL allowing all outside users to
access Telnet on a server on the DMZ network. If you want only some users to
access the server (and you might not always know the IP addresses of these users),
you can enable AAA to allow only authenticated and/or authorized users to make
it through the device.
AAA server objects are collected into AAA server group objects. In Security
Manager, all policies requiring AAA (such as EzVPN, Remote Access VPNs, and
router platform policies such as Secured Device Provisioning and 802.1x) use
AAA server group objects. See Understanding AAA Server Group Objects,
page 8-16.
The following topics describe how to work with AAA server objects:

Supported AAA Server Types, page 8-25

AAA Support on ASA Devices, page 8-26


Creating AAA Server Objects, page 8-29

Related Topics

Creating Objects, page 8-2

Supported AAA Server Types


Security Manager supports AAA servers using one of the following protocols:
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed
client/server system that secures networks against unauthorized access. In the
Cisco implementation, RADIUS clients run on Cisco devices and send
authentication requests to a central RADIUS server that contains all user
authentication and network service access information. RADIUS is a fully open
protocol, distributed in source code format, that can be modified to work with any
security system currently available on the market.

Cisco supports RADIUS under its AAA security model. RADIUS can be used
with other AAA security protocols, such as TACACS+, Kerberos, and local
username lookup. RADIUS is supported on all Cisco platforms, but some
RADIUS-supported features run only on specified platforms.

TACACS+

Terminal Access Controller Access Control System (TACACS+) is a security
application that provides centralized validation of users attempting to gain access
to a router or network access server. The goal of TACACS+ is to provide a
methodology for managing multiple network access points from a single
management service.

TACACS+ provides for separate and modular authentication, authorization, and
accounting facilities. TACACS+ allows for a single access control server (the
TACACS+ daemon) to provide each service (authentication, authorization, and
accounting) independently.

Related Topics

AAA Support on ASA Devices, page 8-26

Creating AAA Server Objects, page 8-29


Understanding AAA Server Objects, page 8-23

AAA Support on ASA Devices


In addition to supporting RADIUS and TACACS+, ASA devices can support
AAA servers running the following protocols:

Kerberos, page 8-26

NT, page 8-26

SDI Servers, page 8-26

LDAP, page 8-27

HTTP-Form, page 8-27

Note

For more information, see Configuring AAA Servers and the Local Database at
this URL:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/aaa.html

Kerberos

ASA devices can use Kerberos servers for VPN authentication. When a user
attempts to establish VPN access through the ASA device, and the traffic matches
an authentication statement, the device consults the Kerberos server for user
authentication and grants or denies user access based on the response from the
server. 3DES, DES, and RC4 encryption types are supported.
NT

ASA devices can use NT servers for VPN authentication. When a user attempts to
establish VPN access and the applicable tunnel-group policy specifies an NT
authentication server group, the ASA device consults the Microsoft Windows
domain server for user authentication and grants or denies user access based on
the response from the domain server.
SDI Servers

SecurID servers from RSA Security, Inc. are known as SDI servers. When a user
attempts to establish VPN access and the applicable tunnel-group policy specifies
an SDI authentication server group, the ASA device sends the username and

one-time password to the SDI server. The device then grants or denies user access
based on the response from the server. Version 5.0 of SDI introduced the concept
of SDI master and slave servers that share a single-node secret file (SECURID).
As a result, when you configure an SDI server as a AAA server object in Security
Manager, you must specify whether the server is version 5.0 or an earlier version.
LDAP

ASA devices can use Lightweight Directory Access Protocol (LDAP) servers for
VPN authorization. ASA devices support LDAP version 3 and are compatible
with any v3 or v2 directory server. However, password management is supported
only on the Sun Microsystems JAVA System Directory Server and the Microsoft
Active Directory.
With any other type of LDAP server (such as Novell or OpenLDAP), all LDAP
functions are supported except for password management. Therefore, if someone
tries to log in to an ASA device using one of these other servers for authentication
and their password has expired, the ASA device drops the connection and a
manual password reset is required.
You can configure Simple Authentication and Security Layer (SASL)
mechanisms to authenticate an LDAP client (in this case, the ASA device) to an
LDAP server. Both ASA devices and LDAP servers can support multiple
mechanisms. If both mechanisms (MD5 and Kerberos) are available, the ASA
device uses the stronger mechanism, Kerberos, for authentication.
When user authentication for VPN access has succeeded and the applicable
tunnel-group policy specifies an LDAP authorization server group, the ASA
device queries the LDAP server and applies the authorizations it receives to the
VPN session.
HTTP-Form

The security appliance can use the HTTP Form protocol for single sign-on (SSO)
authentication of WebVPN users only. Single sign-on support lets WebVPN users
enter a username and password only once to access multiple protected services
and Web servers. The WebVPN server running on the security appliance acts as a
proxy for the user to the authenticating server. When a user logs in, the WebVPN
server sends an SSO authentication request, including username and password, to
the authenticating server using HTTPS. If the server approves the authentication
request, it returns an SSO authentication cookie to the WebVPN server. The


security appliance keeps this cookie on behalf of the user and uses it to
authenticate the user to secure websites within the domain protected by the SSO
server.
Table 8-2 describes the AAA services that are supported by each protocol:
Table 8-2  AAA Services Supported by ASA Devices

AAA Service          Local    RADIUS   TACACS+  SDI      NT   Kerberos  LDAP  HTTP Form

Authentication of...
  VPN users          Yes      Yes      Yes      Yes      Yes  Yes       Yes   Yes (1)
  Firewall sessions  Yes      Yes      Yes      Yes      Yes  Yes       Yes   No
  Administrators     Yes      Yes      Yes      Yes (2)  Yes  Yes       Yes   No

Authorization of...
  VPN users          Yes      Yes      No       No       No   No        Yes   No
  Firewall sessions  No       Yes (3)  Yes      No       No   No        No    No
  Administrators     Yes (4)  No       Yes      No       No   No        No    No

Accounting of...
  VPN connections    No       Yes      Yes      No       No   No        No    No
  Firewall sessions  No       Yes      Yes      No       No   No        No    No
  Administrators     No       Yes (5)  Yes (5)  No       No   No        No    No

1. HTTP Form protocol supports single sign-on (SSO) authentication for WebVPN users only.
2. SDI is not supported for HTTP administrative access.
3. For firewall sessions, RADIUS authorization is supported with user-specific ACLs only, which are received or specified in a
RADIUS authentication response.
4. Local command authorization is supported by privilege level only.
5. Command accounting is available for TACACS+ only.

Related Topics

Supported AAA Server Types, page 8-25

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23


Creating AAA Server Objects


You can create AAA server objects to populate the AAA server group objects that
are referenced by Security Manager policies, such as Easy VPN and 802.1x.
When creating a AAA server object, you must specify the IP address of the
external AAA server, the key used for data encryption, the protocol used by the
server, and the timeout interval.
This procedure describes how to create AAA server objects.

Note

On PIX/ASA/FWSM devices, AAA objects in a device configuration that are not
referenced by any policies are removed from the device during the next
deployment. However, the predefined AAA objects named RADIUS and
TACACS+ are never removed from PIX 6.3 devices, even if they are unreferenced
by any policies.

Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Configure the external AAA server that will be referenced by the AAA server
object.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select AAA Servers from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The AAA Server dialog box appears. For a description of the fields in this dialog
box, see Table F-9 on page F-20.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is


1024 characters (special characters are permitted).

Step 6

In the Connect to Host Using field, do one of the following:

Enter the IP address of the AAA server in the IP Address field, or click Select
to display a selector. See Selecting Objects for Policies, page 8-203.
(ASA 7.2 devices only) Enter the DNS name of the AAA server.

Step 7

(Optional) In the Interface field, enter the interface or interface role whose IP
address should be used for all outgoing RADIUS or TACACS packets, or
click Select to display a selector. See Selecting Objects for Policies, page 8-203.
When you enter the name of an interface, make sure the policy that uses this AAA
object is assigned to a device containing an interface with this name. Otherwise,
deployment will fail.
When you enter the name of an interface role, make sure the role represents a
single interface, not multiple interfaces. Otherwise, an error message is displayed.

Tip

If the required interface role is not listed, click the Create button or the
Edit button to open the Interface Role Dialog Box, page F-419. From
here, you can define an interface role to use in the object. The interface
role you define must correspond to a single interface on the device.

Step 8

Enter the amount of time to wait until a AAA server is considered unresponsive.

Step 9

Select the protocol used by the AAA server and configure protocol-specific
properties. For details about these properties, see Table F-9 on page F-22.

Note

The Kerberos, LDAP, NT, SDI, and HTTP-FORM protocols can be used
only with ASA, PIX 7.x, and FWSM 3.1 and above devices.

Step 10

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 11

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.


Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Supported AAA Server Types, page 8-25

AAA Support on ASA Devices, page 8-26

Understanding the Policy Object Manager Window, page 8-5

Understanding AAA Server Objects, page 8-23

Understanding Access Control List Objects


An Access Control List (ACL) object is a reusable component that encapsulates
one or more Access Control Entries (ACEs) or ACL objects. Each ACE is an
individual permit or deny statement within an ACL. The component (also referred
to as a policy object) is platform independent and can be referenced by a host of
Security Manager policies.
Although there are several types of ACLs, three types are supported by the policy
object tool for this release.

• Extended: Defines an extended type access list that can be used by various
policies within Security Manager. Each ACE of extended type includes an
action element (permit or deny) and filter criteria such as source address,
destination address, protocol, and protocol-specific parameters. For use
cases, see Extended ACL, page 8-32.

• Standard: Defines a standard type access list that can be used by various
policies within Security Manager. Each ACE of standard type includes an
action element (permit or deny) and filter criteria based on source address.
For use cases, see Standard ACL, page 8-33.


• Web: Defines a web type access list that can be used by various policies
within Security Manager. Each ACE of web type includes an action element
(permit or deny) and filter criteria such as source address, destination address,
protocol, and protocol-specific parameters. For use cases, see Web ACL,
page 8-34.

Extended ACL

Extended IP ACLs allow you to permit or deny traffic from specific IP addresses
to a specific destination IP address and port. They also give you granular
control by specifying controls for different types of protocols, such as ICMP, TCP,
and UDP, within the ACL statements. Extended IP ACLs range from 100 to 199.
In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional
numbers (2000 to 2699).
Extended ACL example (access-list 110 is applied to traffic leaving the office,
that is, outgoing traffic):

access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80

ACL 110 permits traffic originating from any address on the 92.128.2.0 network.
The any keyword means that the traffic is allowed to have any destination
address, with the limitation that it must be going to port 80. The value of
0.0.0.0/255.255.255.255 can be specified as any.
Uses:

• Identifying addresses for NAT (policy NAT and NAT exemption): Policy
NAT lets you identify local traffic for address translation by specifying the
source and destination addresses in an extended access list. You can also
specify the source and destination ports. Regular NAT can only consider local
addresses. An access list that is used with policy NAT cannot be configured
to deny an ACE.

• Identifying addresses for IOS dynamic NAT: For user-defined ACLs, the
NAT plug-in generates its own ACL CLIs when deducing NAT traffic from
VPN traffic.

• Filtering traffic that will be intercepted by Network Admission Control
(NAC).

• Identifying traffic in a traffic class-map for modular policy: Access lists can
be used to identify traffic in a class-map, which is used for features that
support Modular Policy Framework. Features that support Modular Policy


Framework include TCP and general connection settings, inspection, IPS,
and QoS. You can use one or more access lists to identify specific types of
traffic.

• For transparent mode, enabling protocols that are blocked by a routed mode
security appliance, including BGP, DHCP, and multicast streams. Because
these protocols do not have sessions on the security appliance to allow return
traffic, these protocols also require access lists on both interfaces.

• Establishing VPN access: You can use an extended access list in VPN
commands to identify the traffic that should be tunneled on the device for an
IPsec site-to-site tunnel or to identify the traffic that should be tunneled on
the device for a VPN client. Use in conjunction with the policy objects and
settings shown in Table 8-3:

Table 8-3    Policy Objects and Settings

Policy Object (1) | Device                                    | Purpose
VPN Topology      | Any                                       | Selecting Protected Networks.
ASA User Group    | Any                                       | Filter ACL.
ASA User Group    | ASA                                       | Inbound Firewall Policy; Filter ACL.
ASA User Group    | ASA                                       | Outbound Firewall Policy.
Traffic Flow      | ASA 7.x, PIX 7.x, IOS, Catalyst 6500/7600 | Service Policy Rules (MPC). The traffic flow BB (class-map) uses Extended ACL as one of its traffic match types.
User Group        | PIX 6.3                                   | Selecting Protected Networks. Enables you to specify an ACL that represents protected subnets for the purpose of split tunneling.

1. To access the policy objects listed, select Tools > Policy Object Manager > <policy_object>.

Standard ACL

A Standard Access List allows you to permit or deny traffic FROM specific
IP addresses. The destination of the packet and the ports involved can be anything.
Standard IP ACLs range from 1 to 99.


Standard ACL example:

access-list 10 permit 192.168.2.0 0.0.0.255

Uses:

• Identifying OSPF route redistribution. Standard access lists include only the
destination address (Single Context Mode only).

• Filtering users of a community string using SNMP.

• Establishing VPN access: You can use a standard access list in VPN
commands to identify a network list for split-tunneling. Use in conjunction
with the following policy objects and settings:

Policy Object (1) | Device                                | Purpose
User Group        | PIX 6.3 and later; IOS 12.3 and later | Split Tunnel ACL

1. To access the policy object, select Tools > Policy Object Manager > User Group.
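The wildcard-mask rule behind the two statements quoted above (a set bit in the mask means "do not care", which is why 0.0.0.0 with mask 255.255.255.255 is the same as any), the first-match evaluation of an ACL, and the implicit deny at its end are easiest to see in code. The following Python evaluator is an added example, not part of this guide or of Security Manager: it parses the extended statement from the Extended ACL section and the standard statement from the Standard ACL section, classifies each by its number into the ranges the text gives (1 to 99 standard, 100 to 199 and 2000 to 2699 extended), and decides constructed packets against them. The sample configuration and packet values are constructed for illustration, and only the numeric `eq <port>` operator is supported.

```python
"""Cisco-style numbered IP ACL evaluator: wildcard masks, first match, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration: the two statements quoted in the text.
# Lines beginning with "!" are IOS comments and are skipped.
SAMPLE_CONFIG = """
! access-list 110 is applied to traffic leaving the office (outgoing)
access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80
access-list 10 permit 192.168.2.0 0.0.0.255
"""

def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: int, network: int, wildcard: int) -> bool:
    """A set bit in the wildcard mask means 'do not care', so network 0.0.0.0
    with wildcard 255.255.255.255 (the 'any' keyword) matches every address."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (network & care)

@dataclass
class ACE:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp", "icmp"; standard ACEs use "ip"
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]  # from "eq <port>" on tcp/udp; None means any port

def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | bare 'A.B.C.D' at
    tokens[i]; returns (network, wildcard, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return to_int(tokens[i + 1]), 0, i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return to_int(tok), to_int(tokens[i + 1]), i + 2
    return to_int(tok), 0, i + 1  # a bare address is a host match

def parse_ace(line: str) -> Tuple[int, ACE]:
    """Parse one 'access-list <number> permit|deny ...' statement. The number
    selects the syntax: 1-99 standard (source only); 100-199 and 2000-2699
    extended (protocol, source, destination, optional 'eq <port>')."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny access-list statement: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99:
        src, src_wild, i = _parse_addr(tokens, 3)
        if i != len(tokens):
            raise ValueError(f"unexpected tokens in standard ACE: {line!r}")
        return number, ACE(action, "ip", src, src_wild, 0, 0xFFFFFFFF, None)
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        proto = tokens[3]
        src, src_wild, i = _parse_addr(tokens, 4)
        dst, dst_wild, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens):  # only a numeric "eq <port>" operator is supported here
            if tokens[i] != "eq" or proto not in ("tcp", "udp") or i + 2 != len(tokens):
                raise ValueError(f"unsupported operator in {line!r}")
            dport = int(tokens[i + 1])
        return number, ACE(action, proto, src, src_wild, dst, dst_wild, dport)
    raise ValueError(f"ACL {number} is outside the standard and extended number ranges")

def parse_config(text: str) -> Dict[int, List[ACE]]:
    """Group ACEs by ACL number, preserving statement order."""
    acls: Dict[int, List[ACE]] = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("!"):
            number, ace = parse_ace(line)
            acls.setdefault(number, []).append(ace)
    return acls

def evaluate(acl: List[ACE], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE wins; a packet that matches nothing hits the implicit deny."""
    saddr, daddr = to_int(src), to_int(dst)
    for ace in acl:
        if (ace.proto in ("ip", proto)
                and wildcard_match(saddr, ace.src, ace.src_wild)
                and wildcard_match(daddr, ace.dst, ace.dst_wild)
                and (ace.dport is None or ace.dport == dport)):
            return ace.action
    return "deny"

# Parsed sample, keyed by ACL number: ACLS[110] is the extended list, ACLS[10] the standard one.
ACLS = parse_config(SAMPLE_CONFIG)
```

With this, `evaluate(ACLS[110], "tcp", "92.128.2.10", "203.0.113.5", 80)` returns `"permit"`, while the same source to port 443, a UDP packet to port 80, or a source on 92.128.3.0 all fall through to the implicit `"deny"`; `evaluate(ACLS[10], "tcp", "192.168.2.77", "10.0.0.1", 22)` returns `"permit"` because a standard ACE ignores protocol, destination and port.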

Web ACL

Web ACLs are used with WebVPN, which lets you establish a secure,
remote-access VPN tunnel to the security appliance using a web browser. There
is no need for either a software or hardware client. WebVPN provides easy access
to a broad range of web resources and both web-enabled and legacy applications
from almost any computer that can reach HTTPS Internet sites. WebVPN uses
Secure Socket Layer Protocol and its successor, Transport Layer Security
(SSL/TLS1), to provide a secure connection between remote users and specific,
supported internal resources that you configure at a central site.
Table 8-4 shows examples of Web VPN ACLs.
Table 8-4    Examples of Web VPN ACLs

Action | Filter                                          | Effect
Deny   | url http://*.yahoo.com/                         | Denies access to all of Yahoo!
Deny   | url cifs://fileserver/share/directory           | Denies access to all files in the specified location.
Deny   | url https://www.company.com/directory/file.html | Denies access to the specified file.
Permit | url https://www.company.com/directory           | Permits access to the specified location.
Deny   | url http://*:8080/                              | Denies HTTPS access to anywhere via port 8080.
Deny   | url http://10.10.10.10                          | Denies HTTP access to 10.10.10.10.
Permit | url any                                         | Permits access to any URL. Usually used after an ACL that denies url access.
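Order matters in a web-type ACL: the last row of Table 8-4 notes that permit url any is normally placed after the deny entries, and the table also shows a specific deny (a single file) that must precede the broader permit for its directory. The following Python snippet is an added example, not code from this guide or from the security appliance: it evaluates a constructed ACL built from the rows of Table 8-4 with first-match semantics and the implicit deny, and it reports entries that can never be reached because an earlier url any precedes them. The matching rules it applies (* as a wildcard, prefix matching, and a required boundary after a pattern that does not end in /) are this example's own assumptions, since the guide does not define how the appliance matches URLs.

```python
"""Evaluate an ordered web-type (WebVPN) ACL of 'url' filters, first match wins."""
import re
from typing import List, Tuple

Entry = Tuple[str, str]  # (action, filter), e.g. ("deny", "url http://*.yahoo.com/")

# Constructed sample built from the rows of Table 8-4, ordered so that the
# specific deny entries come before the broader permit entries.
WEB_ACL: List[Entry] = [
    ("deny", "url http://*.yahoo.com/"),
    ("deny", "url cifs://fileserver/share/directory"),
    ("deny", "url https://www.company.com/directory/file.html"),
    ("permit", "url https://www.company.com/directory"),
    ("deny", "url http://*:8080/"),
    ("deny", "url http://10.10.10.10"),
    ("permit", "url any"),
]

def filter_to_regex(filt: str) -> "re.Pattern[str]":
    """Compile a 'url <pattern>' filter.

    Assumed matching rules (the guide does not spell them out): '*' matches any
    run of characters, the pattern is matched as a prefix of the requested URL,
    and a pattern that does not end in '/' must be followed by a path, port,
    query or the end of the URL, so that http://10.10.10.10 covers
    http://10.10.10.10/index.html but not http://10.10.10.100/."""
    if not filt.startswith("url "):
        raise ValueError(f"only 'url' filters are supported: {filt!r}")
    pattern = filt[4:].strip()
    if pattern == "any":
        return re.compile(r".*")
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*"))
    if not pattern.endswith("/"):
        regex += r"(?=[/:?#]|$)"
    return re.compile(regex, re.IGNORECASE)

def evaluate_url(acl: List[Entry], url: str) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for action, filt in acl:
        if filter_to_regex(filt).match(url):
            return action
    return "deny"

def unreachable_entries(acl: List[Entry]) -> List[int]:
    """Indices of entries that can never match because an earlier 'url any'
    entry already matches every URL; 'permit url any' belongs last."""
    unreachable, seen_any = [], False
    for i, (_, filt) in enumerate(acl):
        if seen_any:
            unreachable.append(i)
        elif filt.split()[-1] == "any":
            seen_any = True
    return unreachable
```

Running `evaluate_url(WEB_ACL, "https://www.company.com/directory/file.html")` returns `"deny"` while any other file in that directory returns `"permit"`, which is exactly the ordering the table relies on; dropping the final url any entry makes every URL that matches nothing return `"deny"`, and `unreachable_entries` flags everything after a url any that was placed too early.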
The following topics will help you work with ACL objects:

Understanding the GUI, page 8-35

Creating Access Control List Objects, page 8-36

Understanding the GUI


The ACL Object GUI structure differs slightly from that of other policy objects.

1. First, you define the ACL object. After the object is defined, it is listed in the
Extended ACL object table or Standard ACL object table.
From this table, you can request to add a new object, edit an existing object,
or delete an object. These functions are performed using either the shortcut
menus or the buttons located below the tables. You can also create a duplicate
object, copy an ACL or ACE entry contained within that object and paste it
in another table, or generate a report that indicates whether the objects are in
use by another object, policy, or device. These functions are performed using
the shortcut menu.

Note

You cannot directly add or edit an ACL or ACE entry from this table.


2. Next, you define the ACL entry associated with the object. After the entry is
defined, it is listed in the Add Extended Access List or Add Standard Access
List table.
From this table, you can request to add a new ACE or ACL entry, edit an
existing entry, or delete an entry. These functions are performed using either
the shortcut menus or the buttons located below the tables. You can also move
an entry up or down in the table, and copy and paste an entry within the table.

After you define an ACL object and associated ACE and ACL entries, the
information is displayed in the Extended ACL or Standard ACL tables. You can
click the arrows to expand or compress the listed information.

Creating Access Control List Objects


An Access Control List (ACL) object is made up of one or more ACEs, one or
more ACL objects, or a combination of both.

Note

Extended type ACEs let you specify source and destination addresses and a
protocol; depending on the protocol, you can also specify the ports (for TCP or
UDP) or the ICMP type (for ICMP).

Standard type ACEs use the source IP address for matching operations.

Web type ACEs use destination service and port or URL filter.

You can define an ACL object from the Policy Object Manager and use it from
multiple policies belonging to multiple devices.
Related Topics

Creating Extended Access Control List Objects, page 8-36

Creating Standard Access Control List Objects, page 8-39

Creating Web Access Control List Objects, page 8-41

Creating Extended Access Control List Objects


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.


Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Access Control Lists.


The Access Control List page appears. The Extended tab opens by default. For a
description of the GUI elements, see Table F-18.

Step 3

Right-click inside the work area, then select New Object.


The Add Extended Access List dialog box appears. For a description of the GUI
elements, see Table F-19.

Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the Access Control Lists table.

Step 6

Right-click inside the table, then select Add.


The Add Extended Access Control Entry dialog box appears. For a description of
the GUI elements, see Table F-20.

Step 7

Select Type.

• Access Control Entry: Identifies the entry as an ACE.

• Access Control Lists: Identifies the entry as an ACL object. This allows
ACL objects that have already been defined to be used in the newly created
object.

Step 8

Select whether to permit or deny the traffic.

Step 9

(Optional) Select a color from the Category list to help you readily identify the
object. For more information, see Understanding Category Objects, page 8-48.

Step 10

Enter the source addresses or click Select to display a list of defined network/host
objects. If the latter, do either of the following, then click OK:

• Select from the list of available objects, then click >>. The objects are moved
to the selected column.

• Click Create to create a new object to use as a source address. A popup
window helps you define the object. When you complete the definition, the
new object is listed in the selected column.


For more information, see Understanding Network/Host Objects, page 8-127.


Step 11

Enter the destination addresses or click Select to display a list of defined
network/host objects. If the latter, do either of the following, then click OK:

• Select from the list of available objects, then click >>. The objects are moved
to the selected column.

• Click Create to create a new object to use as a destination address. A popup
window helps you define the object. When you complete the definition, the
new object is listed in the selected column.

For more information, see Understanding Network/Host Objects, page 8-127.


Step 12

Enter the services or click Select to display a list of services. If the latter, do either
of the following, then click OK:

• Select from the list of available objects, then click >>. The objects are moved
to the selected column.

• Click Create to create a new service object. A popup window helps you define
the object. When you complete the definition, the new object is listed in the
selected column.

For more information, see Understanding Service Objects, page 8-159.


Step 13

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the Add Extended Access List table.

Step 14

Click OK to save your changes.


The dialog box closes and you return to the Add Extended Access List page. The
new entry is shown in the table.

Step 15

(Optional) Select a color from the Category list to help you readily identify the
object. For more information, see Understanding Category Objects, page 8-48.

Step 16

Click OK to save your changes.


The Add Extended Access List page closes and you return to the Access Control
Lists page. The new ACL is shown in the table.


Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.
Related Topics

Understanding Access Control List Objects, page 8-31

Access Control Lists Page, page F-33

Creating Standard Access Control List Objects


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Access Control Lists.


The Access Control List page appears. For a description of the GUI elements, see
Table F-17.

Step 3

Click the Standard tab. For a description of the GUI elements, see Table F-21.

Step 4

Right-click inside the work area, then select New Object.


The Add Standard Access List dialog box appears. For a description of the GUI
elements, see Table F-22.

Step 5

Enter the name of the object.

Step 6

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the Access Control List table.

Step 7

Right-click inside the table, then select Add.


The Add Standard Access Control Entry dialog box appears. For a description of
the GUI elements, see Table F-23.


Step 8

Select Type.

• Access Control Entry: Identifies the entry as an ACE.

• Access Control Lists: Identifies the entry as an ACL object. This allows
ACL objects that have already been defined to be used in the newly created
object.

Step 9

Select whether to permit or deny the traffic.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object. For more information, see Understanding Category Objects, page 8-48.

Step 11

Enter the source addresses or click Select to display a list of defined network/host
objects. If the latter, do either of the following, then click OK:

• Select from the list of available objects, then click >>. The objects are moved
to the selected column.

• Click Create to create a new object to use as a source address. A popup
window helps you define the object. When you complete the definition, the
new object is listed in the selected column.

For more information, see Understanding Network/Host Objects, page 8-127.


Step 12

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the Add Standard Access List table.

Step 13

Select whether you want logging turned on or off.

Step 14

Click OK to save your changes.


The dialog box closes and you return to the Add Standard Access List dialog box.
The new entry is shown in the table.

Step 15

(Optional) Select a color from the Category list to help you readily identify the
object. For more information, see Understanding Category Objects, page 8-48.

Step 16

Click OK to save your changes.


The Add Standard Access List page closes and you return to the Access Control
Lists page. The new ACL is shown in the table.


Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.
Related Topics

Understanding Access Control List Objects, page 8-31

Access Control Lists Page, page F-33

Creating Web Access Control List Objects


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Access Control Lists.


The Access Control List page appears. For a description of the GUI elements, see
Table F-17.

Step 3

Click the Web tab. For a description of the GUI elements, see Table F-24.

Step 4

Right-click inside the work area, then select New Object.


The Add WebType Access List dialog box appears. For a description of the GUI
elements, see Table F-25.

Step 5

Enter the name of the object.

Step 6

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the Access Control Lists table.

Step 7

Right-click inside the table, then select Add.


The Add WebType Access Control Entry dialog box appears. For a description of
the GUI elements, see Table F-26.


Step 8

Select Type.

• Access Control Entry: Identifies the entry as an ACE.

• Access Control Lists: Identifies the entry as an ACL object. This allows
ACL objects that have already been defined to be used in the newly created
object.

Step 9

Select whether to permit or deny the traffic.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object. For more information, see Understanding Category Objects, page 8-48.

Step 11

Enter the source addresses or click Select to display a list of defined network/host
objects. If the latter, do either of the following, then click OK:

• Select from the list of available objects, then click >>. The objects are moved
to the selected column.

• Click Create to create a new object to use as a source address. A popup
window helps you define the object. When you complete the definition, the
new object is listed in the selected column.

Step 12

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the table.

Step 13

Select whether you want logging turned on or off.

Step 14

Click OK to save your changes.


The dialog box closes and you return to the Add WebType Access List page. The
new entry is shown in the table.

Step 15

(Optional) Select a color from the Category list to help you readily identify the
object. For more information, see Understanding Category Objects, page 8-48.

Step 16

Click OK to save your changes.


The Add WebType Access List page closes and you return to the Access Control
Lists page. The new ACL is shown in the table.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.


Related Topics

Understanding Access Control List Objects, page 8-31

Access Control Lists Page, page F-33

Understanding ASA User Group Objects


ASA User Groups objects are group policies that you use to manage Virtual
Private Networks (VPN) group policies.
ASA user groups are configured on ASA security appliances in Easy VPN
topologies, remote access VPNs, and SSL VPNs. When you configure an
Easy VPN, remote access VPN or SSL VPN connection, you must create user
groups to which remote clients will belong. A user group policy is a set of
user-oriented attribute/value pairs for SSL VPN connections that are stored either
internally (locally) on the device or externally on an AAA server. The tunnel
group uses a user group policy that sets terms for user connections after the tunnel
is established. Group policies let you apply whole sets of attributes to a user or a
group of users, rather than having to specify each attribute individually for each
user.
An ASA user group object comprises the following attributes:

• Group policy source: Identifies whether the user group's attributes and
values are stored internally (locally) on the security appliance or externally
on an AAA server. If the user group is an external type, no other settings need
to be configured for it. For more information, see ASA User Group Dialog
Box, page F-60.

Client Configuration settings, which specify the Cisco client parameters for
the user group in an Easy VPN or remote access VPN. For more information,
see ASA User Group Dialog BoxClient Configuration Settings, page F-62.

Client Firewall Attributes, which configure the firewall settings for VPN
clients in an Easy VPN or remote access VPN. For more information, see
ASA User Group Dialog BoxClient Firewall Attributes, page F-64.

Hardware Client Attributes, which configure the VPN 3002 Hardware Client
settings in an Easy VPN or remote access VPN. For more information, see
ASA User Group Dialog BoxHardware Client Attributes, page F-67.


IPsec settings, which specify tunneling protocols, filters, connection settings,
and servers for the user group in an Easy VPN or remote access VPN. For
more information, see ASA User Group Dialog BoxIPsec Settings,
page F-69.

Clientless settings, which configure the Clientless mode of access to the
corporate network in an SSL VPN, for the ASA user group. For more
information, see ASA User Group Dialog BoxSSL VPN Clientless
Settings, page F-72.

Thin Client settings, which configure the Thin Client mode of access to the
corporate network in an SSL VPN, for the ASA user group. For more
information, see ASA User Group Dialog BoxSSL VPN Thin Client
Settings, page F-74.

Full Tunnel settings, which configure the Full Tunnel mode of access to the
corporate network in an SSL VPN, for the ASA user group. For more
information, see ASA User Group Dialog BoxSSL VPN Full Tunnel
Settings, page F-75.

General settings that are required for Clientless and Thin Client access modes
in an SSL VPN. For more information, see ASA User Group Dialog
BoxSSL VPN General Settings, page F-77.

DNS/WINS settings that define the DNS and WINS servers and the domain
name that should be pushed to remote clients associated with the ASA user
group. For more information, see ASA User Group Dialog BoxDNS/WINS
Settings, page F-80.

Split tunneling that lets a remote client conditionally direct packets over an
IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear
text form. For more information, see ASA User Group Dialog BoxSplit
Tunneling, page F-81.

Remote access or SSL VPN session connection settings for the ASA user
group. For more information, see ASA User Group Dialog BoxGeneral
Settings, page F-85.

To create ASA user group objects, see Creating ASA User Group Objects,
page 8-45.
Related Topics

Configuring a Tunnel Group Policy for Easy VPN, page 9-119

Tunnel Group Policies in Remote Access VPNs, page 10-8


Configuring ASA User Groups Policy in Your SSL VPN, page 11-43

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

Creating ASA User Group Objects


Use the ASA User Groups Objects page to create ASA user group objects for use
in an Easy VPN or remote access VPN, or SSL VPN, or shared between a remote
access VPN and SSL VPN.

Note

You must select the technology (Easy VPN/Remote Access VPN, or SSL VPN, or
both) for which you are creating the ASA user group object. If you are editing an
existing ASA user group object, the technology is already selected, and you
cannot change it. Depending on the selected technology, the appropriate settings
are available for configuration.

Tip

You can also create ASA User Group objects when defining policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
This procedure describes how to create ASA User Group objects.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select ASA User Groups.


The ASA User Groups page appears. For a description of the elements on this
page, see Table F-27 on page F-59.

Step 3

From the work area, right-click inside the table, then select New Object.

The Add ASA User Group dialog box appears, displaying a list of settings that
you can configure for the ASA user group object. For a description of the elements
on this dialog box, see Table F-28 on page F-61.
Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description to help you identify the object. A maximum of
1024 characters is allowed and special characters are permitted. If a description is
entered, an icon is displayed when you view the ASA User Groups table.

Step 6

Select whether to store the ASA user group's attributes and values locally on the
device, or on an external server.

Note

If you selected to store the ASA user group's attributes on an external
server, you do not need to configure any Technology settings. After you
specify the AAA server group that will be used for authentication and a
password to the AAA server, click OK to save your definitions and close
the ASA User Group dialog box.

Step 7

If you selected to store the ASA user group's attributes locally on the device,
select the type of VPN for which you are creating the ASA user group from the
Technology list.

Step 8

To configure the user group for an Easy VPN or remote access VPN, from the
Easy VPN/Remote Access VPN folder in the Settings pane:
a.

Select Client Configuration to configure the Cisco client parameters for the
ASA user group. For a description of the elements required to configure these
parameters, see Table F-29 on page F-63.

b.

Select Client Firewall Attributes to configure the firewall settings for VPN
clients for the ASA user group. For a description of the elements required to
configure these settings, see Table F-30 on page F-65.

c.

Select Hardware Client Attributes to configure the VPN 3002 Hardware
Client settings for the ASA user group. For a description of the elements
required to configure these settings, see Table F-31 on page F-68.

d.

Select IPsec to specify tunneling protocols, filters, connection settings, and
servers for the ASA user group. For a description of the elements required to
configure these settings, see Table F-32 on page F-70.


Step 9

To configure the user group for an SSL VPN, from the SSL VPN folder in the
Settings pane:
a.

Select Clientless to configure the Clientless mode of access to the corporate
network in an SSL VPN, for the ASA user group object. For a description of
the elements required to configure the Clientless mode settings, see
Table F-34 on page F-73.

b.

Select Thin Client to configure the Thin Client mode of access to the
corporate network in an SSL VPN, for the ASA user group object. For a
description of the elements required to configure the Thin Client mode
settings, see Table F-35 on page F-75.

c.

Select Full Tunnel to configure the Full Tunnel mode of access to the
corporate network in an SSL VPN, for the ASA user group object. For a
description of the elements required to configure the Full Tunnel mode
settings, see Table F-36 on page F-76.

d.

Select Settings to configure the general settings that are required for
Clientless and Thin Client access modes in an SSL VPN, for the ASA user
group object. For a description of the elements required to configure these
settings, see Table F-37 on page F-78.

Step 10

Specify the following settings for an ASA user group in an Easy VPN, remote
access VPN or SSL VPN configuration, in the Settings pane:
a.

Select DNS/WINS to define the DNS and WINS servers and the domain
name that should be pushed to clients associated with the ASA user group.
For a description of the elements required to configure the DNS and WINS
servers, see Table F-39 on page F-81.

b.

Select Split Tunneling to specify a secure tunnel to the central site and
simultaneous clear text tunnels to the Internet. For a description of the
elements required to configure split tunneling, see Table F-40 on page F-83.

c.

Select General Settings to configure the SSL VPN connection settings for
the ASA user group, such as the session and idle timeouts, including the
banner text. For a description of the elements required to configure these
settings, see Table F-41 on page F-85.

Step 11

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

User Guide for Cisco Security Manager 3.1


OL-11501-03

8-47

Chapter 8

Managing Objects

Understanding Category Objects

Step 12
Click OK to save your definitions and close the ASA User Group dialog box. The
new ASA user group object appears in the table on the ASA User Groups page in
the Policy Object Manager window.

Tip
To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note
By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding ASA User Group Objects, page 8-43

ASA User Groups Page, page F-58

ASA User Group Dialog Box, page F-60

Understanding Category Objects


The categories feature provides an intermediate level of detail to objects, which
helps you easily identify rules and objects in rules tables through the use of color.
You can assign a category to a rule or object when you create the rule, or you can
edit the rule or object to include category information later.
Default categories and color combinations are provided; however, you can edit
these predefined categories, if required.
The benefits of using category objects are:

Visibility is improved when you view rules tables using objects that are
color-coded.

Objects can be filtered in the rules tables, facilitating rule maintenance.


For example, you might want to create a network/host object and keep track of its
use for administrative purposes. When you define this network/host object, you
associate it with a category. When you view the access rules table, you can easily
identify those rules that use your network/host object. You can also filter the table
to display only those items associated with the category.
The following topic describes how to work with category objects:

Editing Category Objects, page 8-49

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

Editing Category Objects


You can edit the name and description of each predefined category object. These
names and descriptions make it easier to identify the purpose of the category when
it appears in various rules tables.
This procedure describes how to edit a category object.
Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Categories from the Object Type selector.

Step 3
In the work area, right-click an object, then select Edit Object.
The Category Editor dialog box appears. For a description of the fields in this
dialog box, see Table F-43 on page F-88.

Step 4
Modify the names and descriptions of the predefined category objects, as
required. Names can have a maximum of 128 characters, including special
characters and spaces. Descriptions can have a maximum of 1024 characters.

Step 5

Click OK to save your changes.


Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Category Objects, page 8-48

Understanding Credential Objects


Credential objects are used when authenticating user access to the network and
network services. A credential object comprises user credentials, typically a
username and password that identify the user during authentication.
In Security Manager, credential objects are used in Easy VPN configuration
during IKE Extended Authentication (Xauth). When negotiating tunnel parameters
for establishing IPsec tunnels in an Easy VPN configuration, Xauth identifies the
user who requests the IPsec connection. If the VPN server is configured for Xauth,
the client waits for a username/password challenge after the IKE SA has been
established. When the end user responds to the challenge, the response is
forwarded to the IPsec peers for an additional level of authentication. You can
save the Xauth credentials (username and password) on the device itself so you
do not need to enter them manually each time the Easy VPN tunnel is established.
To create Credential objects, see Creating Credential Objects, page 8-50.
Related Topics

Easy VPN and IKE Extended Authentication (Xauth), page 9-122

Credentials Page, page F-88

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

Creating Credential Objects


You can create credential objects to use for IKE Extended Authentication (Xauth)
in Easy VPN configurations. For more information, see Understanding Credential
Objects, page 8-50.


Credential objects are defined at the global level, which means that they are
applied identically to every object and policy that references them. However, you
can override credential object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.
This procedure describes how to create a credential object.

Tip

You can also create credential objects when defining policies or objects that use
this object type. For more information, see Selecting Objects for Policies,
page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.

Step 2
From the Object Type selector, select Credentials. The Credentials page opens,
displaying the currently defined credential objects. For a description of the
elements on this page, see Table F-44 on page F-89.

Step 3
Right-click in the work area, then select New Object.
The Credentials dialog box appears. For a description of the elements in this
dialog box, see Table F-45 on page F-91.

Step 4
Enter a name for the Credentials object.

Step 5
(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Specify a name that will be used to identify the user during Xauth authentication.

Step 7

Enter a password that will be used to identify the user during Xauth
authentication.

Step 8

Enter the password again to confirm it.

Step 9

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.


Step 10

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 11

Click OK to save your definitions. The new object appears in the table in the
Credentials page.

Tip
To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note
By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Credential Objects, page 8-50

Credentials Dialog Box, page F-90

Understanding FlexConfig Objects


FlexConfig objects are reusable, named components that can be referenced by
other objects and policies. You create FlexConfig objects by entering
configuration commands, either with or without additional scripting language
instructions, in the FlexConfig Editor.
Because of their complexity and interdependency, FlexConfig objects are
described with FlexConfig policies. For more information, see Chapter 19,
Managing FlexConfigs.
These topics help you create, duplicate, edit, view, generate usage reports for, and
delete FlexConfig objects:
Creating FlexConfig Objects, page 8-53


Creating FlexConfig Objects


You can create FlexConfig objects to configure features on devices that are not
directly supported by Security Manager. For more information about FlexConfigs,
see Chapter 19, Managing FlexConfigs.

Tip

You can also create FlexConfig objects when defining policies or objects that use
this object type. For more information, see Selecting Objects for Policies,
page 8-203.
This procedure describes how to create FlexConfig objects.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Security Manager does not manipulate or validate your commands; it simply
deploys them to the devices. Therefore, ensure that your commands do not
conflict in any way with the VPN or firewall configuration on the devices.

If there is more than one set of commands for an interface, only the last set of
commands is deployed. Therefore, it is not recommended to use beginning
and ending commands to configure interfaces.

Procedure
Step 1
Select Tools > Policy Object Manager.

Step 2
Select FlexConfigs from the Object Type selector.
The Policy Object Manager window appears.

Step 3
Right-click inside the work area, then click New Object.
The Add FlexConfig Object dialog box appears. See Table P-6 on page P-12 for
a description of the fields in this dialog box.

Step 4

Click OK to save your changes.


Note
By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

FlexConfig Editor Dialog Box, page P-11

Understanding the Policy Object Manager Window, page 8-5

Understanding FlexConfig Objects, page 8-52

Understanding IKE Proposal Objects


Internet Key Exchange (IKE) proposal objects contain the parameters required for
IKE proposals when defining remote access VPN policies. IKE is a key
management protocol that facilitates the management of IPsec-based
communications. It is used to authenticate IPsec peers, negotiate and distribute
IPsec encryption keys, and automatically establish IPsec security associations
(SAs).
The IKE negotiation comprises two phases. Phase 1 negotiates a security
association between two IKE peers, which enables the peers to communicate
securely in Phase 2. During Phase 2 negotiation, IKE establishes security
associations (SAs) for other applications, such as IPsec. Both phases use
proposals when they negotiate a connection.
For more information about IKE proposals, see Understanding IKE, page 9-67. To
create an IKE proposal object, see Creating IKE Proposal Objects, page 8-55.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2


Creating IKE Proposal Objects


You can create IKE proposal objects to use when you define IKE proposals for
remote access VPN policies. When you create an IKE proposal object, you must
enter the priority of the proposal and define the encryption and authentication
methods to use. Additionally, you can modify the default lifetime of the SA, if
required.
This procedure describes how to create IKE proposal objects.

Tip

You can also create IKE proposal objects when defining policies that use this
object type. For more information, see Selecting Objects for Policies, page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select IKE Proposals from the Object Type selector.

Step 3
Right-click in the work area, then select New Object.
The IKE Proposal dialog box appears. For a description of the fields in this dialog
box, see Table F-47 on page F-94.

Step 4
Enter a name for the object.

Step 5
(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

(Optional) Enter a priority value for the IKE proposal. Lower values indicate
higher priorities. If the remote IPsec peer does not support the parameters selected
in your first priority policy, the device tries to use the parameters defined in the
policy with the next lowest priority number.


Note

If you leave this field blank, Security Manager assigns the lowest
unassigned value starting with 1, then 5, then continuing in increments
of 5.

Step 7

Select the encryption algorithm to use to establish the Phase 1 SA for protecting
Phase 2 negotiations. See Deciding Which Encryption Algorithm to Use,
page 9-68.

Step 8

Select the hash algorithm to use for authentication and ensuring data integrity. See
Deciding Which Hash Algorithm to Use, page 9-69.

Step 9

In the Modulus Group field, select the Diffie-Hellman group to use for deriving a
shared secret between two IPsec peers without transmitting it to each other. See
Deciding Which Diffie-Hellman Group to Use, page 9-69.

Step 10

Enter the SA lifetime, in seconds. As a general rule, the shorter the lifetime (up
to a point), the more secure your IKE negotiations will be. However, with longer
lifetimes, future IPsec security associations can be set up more quickly than with
shorter lifetimes.

Step 11

Select the method of authentication to use to establish the identity of each IPsec
peer. See Deciding Which Authentication Method to Use, page 9-70.

Step 12

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 13

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip
To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note
By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.
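As an added illustration (example code, not part of this guide or of Security Manager), the following Python models the priority handling described in Step 6 and its Note: blank priorities are filled from the sequence 1, 5, 10, 15, ..., and negotiation walks the proposals from the lowest priority number upward until it reaches parameters the remote peer also supports. The sample proposals, their algorithm names and the peer parameter sets are constructed for this example.

```python
"""Added example (not Cisco code): how IKE proposal objects are ordered by
priority during Phase 1 negotiation, including the rule Security Manager uses
to fill in a blank priority (1, then 5, then increments of 5)."""
from dataclasses import dataclass, replace
from typing import Iterable, Iterator, List, Optional


@dataclass(frozen=True)
class IkeProposal:
    """Phase 1 parameters of one IKE proposal object."""
    name: str
    encryption: str            # encryption algorithm, e.g. "aes-256" or "3des"
    hash_alg: str              # hash algorithm used for integrity
    dh_group: int              # Diffie-Hellman modulus group
    auth: str                  # authentication method, e.g. "pre-share"
    lifetime: int = 86400      # Phase 1 SA lifetime in seconds
    priority: Optional[int] = None   # None models a priority field left blank

    def parameters(self) -> tuple:
        """The tuple the peer must also support for this proposal to be usable."""
        return (self.encryption, self.hash_alg, self.dh_group, self.auth)


def candidate_priorities() -> Iterator[int]:
    """Yield 1, 5, 10, 15, ...: the order in which blank priorities are filled."""
    yield 1
    value = 5
    while True:
        yield value
        value += 5


def assign_priorities(proposals: Iterable[IkeProposal]) -> List[IkeProposal]:
    """Give every proposal with a blank priority the lowest unassigned value."""
    proposals = list(proposals)
    taken = {p.priority for p in proposals if p.priority is not None}
    filled = []
    for p in proposals:
        if p.priority is None:
            value = next(v for v in candidate_priorities() if v not in taken)
            taken.add(value)
            p = replace(p, priority=value)
        filled.append(p)
    return filled


def negotiate(local: Iterable[IkeProposal],
              peer_supported: Iterable[tuple]) -> Optional[IkeProposal]:
    """Try local proposals from the lowest priority number upward and return the
    first whose parameters the peer supports, or None when nothing matches."""
    supported = set(peer_supported)
    for p in sorted(assign_priorities(local), key=lambda x: x.priority):
        if p.parameters() in supported:
            return p
    return None


# Constructed sample: two proposals left blank, one given priority 5 explicitly.
SAMPLE_PROPOSALS = [
    IkeProposal("strong", "aes-256", "sha", 14, "rsa-sig"),
    IkeProposal("medium", "aes-128", "sha", 5, "pre-share", priority=5),
    IkeProposal("legacy", "3des", "md5", 2, "pre-share"),
]


def assigned_priorities() -> dict:
    """Proposal name -> priority after the blank-field rule is applied."""
    return {p.name: p.priority for p in assign_priorities(SAMPLE_PROPOSALS)}


def chosen_for(peer_supported: Iterable[tuple]) -> Optional[str]:
    """Name of the proposal a peer with the given parameter sets would end up with."""
    chosen = negotiate(SAMPLE_PROPOSALS, peer_supported)
    return chosen.name if chosen else None
```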


Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding IKE Proposal Objects, page 8-54

Understanding Inspection Map Objects


Inspection map objects comprise class maps and policy maps. The Inspection
Maps policy object is subdivided into several entries. The Class Maps folder
contains all Layer 7 class maps that are supported on ASA 7.2 and PIX 7.2 devices.
The Policy Maps folder contains all Layer 7 policies that are supported. Also
included in the Inspect Maps folder are entries for TCP Map objects, Regular
Expression objects, and Regular Expression Group objects.
Class Maps

An inspection class map matches application traffic with criteria specific to the
application, such as a URL string. You then identify the class map in the inspect
map and enable actions. The difference between creating a class map and defining
the traffic match directly in the inspect map is that you can create more complex
match criteria and you can reuse class maps. Security Manager currently supports
the following applications that support inspection class maps: DNS, FTP, HTTP,
IM, and SIP.
To create class maps, refer to the following:

Creating DNS Class Map Objects, page 8-59

Creating FTP Class Map Objects, page 8-61

Creating HTTP Class Map Objects, page 8-63

Creating IM Class Map Objects, page 8-67

Creating SIP Class Map Objects, page 8-70

Policy Maps

The algorithm the security appliance uses for stateful application inspection
ensures the security of applications and services. Some applications require
special handling, and specific application inspection engines are provided for this
purpose. Applications that require special application inspection engines are
those that embed IP addressing information in the user data packet or open
secondary channels on dynamically assigned ports.

Application inspection engines work with NAT to help identify the location of
embedded addressing information. This allows NAT to translate these embedded
addresses and to update any checksum or other fields that are affected by the
translation.
Each application inspection engine also monitors sessions to determine the port
numbers for secondary channels. Many protocols open secondary TCP or UDP
ports to improve performance. The initial session on a well-known port is used to
negotiate dynamically assigned port numbers. The application inspection engine
monitors these sessions, identifies the dynamic port assignments, and permits data
exchange on these ports for the duration of the specific session.
In addition, stateful application inspection audits the validity of the commands
and responses within the protocol being inspected. The security appliance helps
to prevent attacks by verifying that traffic conforms to the RFC specifications for
each protocol that is inspected.
You can create inspect maps for specific protocol inspection engines. You use an
inspect map to store the configuration for a protocol inspection engine. You then
enable the configuration settings in the inspect map by associating the map with
a specific type of traffic using a global security policy or a security policy for a
specific interface.
Security Manager currently supports the following applications that support
inspect maps: DNS, FTP, GTP, HTTP, IM, and SIP.
To create policy inspection maps, refer to the following:

Creating DNS Map Objects, page 8-73

Creating FTP Map Objects, page 8-76

Creating GTP Map Objects, page 8-80

Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS),
page 8-84

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Creating IM Map Objects for IOS Devices, page 8-102

Creating SIP Map Objects, page 8-104


To create inspection maps that are not associated with Layer 7 class maps or
policy maps, refer to the following:

Creating Regular Expression Group Objects, page 8-107

Creating Regular Expression Objects, page 8-109

Creating TCP Map Objects, page 8-113
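The following Python is an added example, not code from this guide or from the security appliance, that models the two jobs the Policy Maps discussion above gives an application inspection engine: auditing FTP control-channel commands against the protocol (RFC 959), and learning the dynamically assigned data-channel endpoints embedded in PORT commands and 227 replies so that a pinhole exists only for that session. The control-channel exchange it inspects is constructed.

```python
"""Added example (not Cisco code): a minimal stateful inspector for an FTP
control channel, showing how an application inspection engine audits commands
against RFC 959 and learns the embedded address/port of each data channel."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Commands defined by RFC 959; anything else is treated as non-conforming.
RFC959_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV",
    "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST",
    "STAT", "HELP", "NOOP",
}
# h1,h2,h3,h4,p1,p2: the address/port encoding shared by PORT and the 227 reply.
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 form, or None if malformed."""
    m = _HOST_PORT.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpSession:
    """State the inspector keeps for one control connection."""
    user: Optional[str] = None
    pinholes: List[Tuple[str, int]] = field(default_factory=list)  # permitted data endpoints
    violations: List[str] = field(default_factory=list)            # lines that broke the protocol

    def client_line(self, line: str) -> None:
        """Audit one client command and learn active-mode (PORT) data endpoints."""
        line = line.strip()
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd not in RFC959_COMMANDS:
            self.violations.append(line)
            return
        if cmd == "USER":
            self.user = arg
        elif cmd == "PORT":
            endpoint = decode_host_port(arg)
            if endpoint is None:
                self.violations.append(line)  # malformed PORT argument
            else:
                self.pinholes.append(endpoint)

    def server_line(self, line: str) -> None:
        """Learn passive-mode data endpoints from the 227 reply."""
        line = line.strip()
        if line.startswith("227"):
            endpoint = decode_host_port(line)
            if endpoint is None:
                self.violations.append(line)
            else:
                self.pinholes.append(endpoint)

    def permits(self, ip: str, port: int) -> bool:
        """Would a data connection to this endpoint be allowed right now?"""
        return (ip, port) in self.pinholes

    def close(self) -> None:
        """Pinholes exist only for the duration of the session."""
        self.pinholes.clear()


def inspect_sample() -> FtpSession:
    """Run a constructed control-channel exchange through the inspector."""
    session = FtpSession()
    exchange = [  # (side, line); addresses come from the 192.0.2.0/24 documentation range
        ("server", "220 ftp ready"),
        ("client", "USER anonymous"),
        ("server", "331 Password required"),
        ("client", "PASS guest@example.test"),
        ("client", "PORT 192,0,2,10,4,1"),           # client data endpoint 192.0.2.10:1025
        ("client", "RETR report.txt"),
        ("client", "XFOO bar"),                       # not an RFC 959 command
        ("client", "PORT 192,0,2,10,999,1"),          # octet out of range
        ("client", "PASV"),
        ("server", "227 Entering Passive Mode (192,0,2,20,195,80)"),  # 192.0.2.20:50000
    ]
    for side, line in exchange:
        (session.client_line if side == "client" else session.server_line)(line)
    return session
```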

Creating DNS Class Map Objects


The DNS Class Map panel lets you configure DNS class maps for DNS
inspection.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.

Step 2
From the Object Type selector, select Inspect Maps > Class Maps >
DNS Class Maps.
The DNS Class Maps page appears. For a description of the GUI elements, see
Table F-48.

Step 3
Right-click inside the work area, then select New Object.
The Add DNS Class Map dialog box appears. For a description of the GUI
elements, see Table F-49.

Step 4

Enter the name of the DNS Class Map.

Step 5

(Optional) Enter a description to help you identify the class map. If a description
is entered, an icon is displayed when you view the DNS Class Maps table.

Step 6

Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI
elements, see Table F-50.

Step 7

Select the criterion from the list. For more information regarding criterion, see
Step 9.

Step 8

Select the match type from the list.

Step 9
Complete the dialog box with appropriate values. The dialog box values vary
based on your selection in the Criterion list. See the following tables for
descriptions of the criterion elements.

DNS Class: Matches a DNS query or resource record class. For a description
of the GUI elements, see Table F-51.

DNS Type: Matches a DNS query or resource record type. For a description
of the GUI elements, see Table F-52.

Domain Name: Matches a domain name from a DNS query or resource record.
For a description of the GUI elements, see Table F-53.

Header Flag: Matches a DNS flag in the header. Header Flag criterion values
specify the value details for the DNS header flag match. For a description of
the GUI elements, see Table F-54.

Question: Matches a DNS question. For a description of the GUI elements, see
Table F-55.

Resource Record: Matches a DNS resource record. For a description of the
GUI elements, see Table F-56.

Step 10
Click OK.
The Add Match Criterion dialog box closes and you return to the Add DNS Class
Map dialog box.

Step 11

(Optional) Select a category from the list to help you readily identify the object
when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 12

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note
Selecting this check box does not by itself set the override values to use; before
you can set them, you must first save the policy object. Go to Step 13.


Step 13
Click OK to save your changes.
The Add DNS Class Map dialog box closes and you return to the DNS Class Maps
page. The new class map is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note
By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.
Related Topics

Understanding Inspection Map Objects, page 8-57

DNS Class Maps Page, page F-96

Creating FTP Class Map Objects


An FTP class map object lets you configure FTP class maps for FTP inspection.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Class Maps >
FTP Class Maps.
The FTP Class Maps page appears. For a description of the GUI elements, see
Table F-57.


Step 3
Right-click inside the work area, then select New Object.
The Add FTP Class Map dialog box appears. For a description of the GUI
elements, see Table F-58.

Step 4

Enter the name of the FTP Class Map.

Step 5

(Optional) Enter a description to help you identify the class map. If a description
is entered, an icon is displayed when you view the FTP Class Maps table.

Step 6

Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI
elements, see Table F-59.

Step 7

Select the criterion from the list. For more information regarding criterion, see
Step 9.

Step 8

Select the match type from the list.

Step 9
Complete the dialog box with appropriate values. The dialog box values vary
based on your selection in the Criterion list. See the following tables for
descriptions of the criterion elements.

Request Command: Matches an FTP request command. For a description of
the GUI elements, see Table F-60.

File Name: Matches a filename for FTP transfer. For a description of the
GUI elements, see Table F-61.

File Type: Matches a file type for FTP transfer. For a description of the GUI
elements, see Table F-62.

Server: Matches an FTP server. For a description of the GUI elements, see
Table F-63.

User Name: Matches an FTP user. For a description of the GUI elements, see
Table F-64.

Step 10
Click OK to save your changes.
The Add Match Criterion dialog box closes and you return to the Add FTP Class
Map dialog box.

Step 11

(Optional) Select a category from the list to help you readily identify the object
when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.


Step 12
(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note
Selecting this check box does not by itself set the override values to use; before
you can set them, you must first save the policy object. Go to Step 13.

Step 13
Click OK to save your changes.
The Add FTP Class Map dialog box closes and you return to the FTP Class Maps
page. The new class map is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note
By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.
Related Topics

Understanding Inspection Map Objects, page 8-57

FTP Class Maps Page, page F-109

Creating HTTP Class Map Objects


An HTTP class map object lets you configure HTTP class maps for HTTP
inspection.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.


Procedure
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.

Step 2
From the Object Type selector, select Inspect Maps > Class Maps >
HTTP Class Maps.
The HTTP Class Maps page appears. For a description of the GUI elements, see
Table F-65. The page lists system-generated HTTP class maps that cannot be
edited.

Step 3
Right-click inside the work area, then select New Object.
The Add HTTP Class Map dialog box appears. For a description of the GUI
elements, see Table F-66.

Step 4

Enter the name of the HTTP Class Map.

Step 5

(Optional) Enter a description to help you identify the class map. If a description
is entered, an icon is displayed when you view the HTTP Class Maps table.

Step 6

Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI
elements, see Table F-67.

Step 7

Select the criterion from the list. For more information on criterion, see Step 9.

Step 8

Select the match preference from the list.

Step 9
Complete the dialog box with appropriate values. The dialog box values vary
based on your selection in the Criterion list. See the following tables for
descriptions of the criterion elements.

Request/Response Content Type Mismatch: Specifies that the content type
in the response must match one of the MIME types in the accept field of the
request. For a description of the GUI elements, see Table F-68.

Request Arguments: Applies the regular expression match to the arguments
of the request. For a description of the GUI elements, see Table F-69.

Request Body: Applies the regular expression match to the body of the
request. For a description of the GUI elements, see Table F-70.

Request Body Length: Applies the regular expression match to the body of
the request with field length greater than the bytes specified. For a description
of the GUI elements, see Table F-71.

Request Header Count: Applies the regular expression match to the header
of the request with a maximum number of headers. For a description of the
GUI elements, see Table F-72.

Request Header Length: Applies the regular expression match to the header
of the request with length greater than the bytes specified. For a description
of the GUI elements, see Table F-73.

Request Header Field: Applies the regular expression match to the header of
the request. For a description of the GUI elements, see Table F-74.

Request Header Field Count: Applies the regular expression match to the
header of the request with a maximum number of header fields. For a
description of the GUI elements, see Table F-75.

Request Header Field Length: Applies the regular expression match to the
header of the request with field length greater than the bytes specified. For a
description of the GUI elements, see Table F-76.

Request Header Content Type: For a description of the GUI elements, see
Table F-77.

Request Header Transfer Encoding: For a description of the GUI elements,
see Table F-78.

Request Header Non-ASCII: Matches non-ASCII characters in the header of
the request. See Table F-79.

Request Method: Applies the regular expression match to the method of the
request. For a description of the GUI elements, see Table F-80.

Request URI: Applies the regular expression match to the URI of the
request. For a description of the GUI elements, see Table F-81.

Request URI Length: Applies the regular expression match to the URI of the
request with length greater than the bytes specified. For a description of the
GUI elements, see Table F-82.

Response Body ActiveX: Specifies to match on ActiveX. For a description
of the GUI elements, see Table F-83.

Response Body Java Applet: Specifies to match on a Java applet. For a
description of the GUI elements, see Table F-84.


Response Body: Applies the regular expression match to the body of the
response. For a description of the GUI elements, see Table F-85.

Response Body Length: Applies the regular expression match to the body of
the response with field length greater than the bytes specified. For a
description of the GUI elements, see Table F-86.

Response Header Count: Applies the regular expression match to the header
of the response with a maximum number of headers. For a description of the
GUI elements, see Table F-87.

Response Header Length: Applies the regular expression match to the
header of the response with length greater than the bytes specified. For a
description of the GUI elements, see Table F-88.

Response Header Field: Applies the regular expression match to the header
of the response. For a description of the GUI elements, see Table F-89.

Response Header Field Count: Applies the regular expression match to the
header of the response with a maximum number of header fields. For a
description of the GUI elements, see Table F-90.

Response Header Field Length: Applies the regular expression match to the
header of the response with field length greater than the bytes specified. For
a description of the GUI elements, see Table F-91.

Response Header Content Type: For a description of the GUI elements, see
Table F-92.

Response Header Transfer Encoding: For a description of the GUI elements,
see Table F-93.

Response Header Non-ASCII: Matches non-ASCII characters in the header
of the response. For a description of the GUI elements, see Table F-94.

Response Status Line: Applies the regular expression match to the status
line. For a description of the GUI elements, see Table F-95.

Step 10
Click OK to save your changes.
The Add Match Criterion dialog box closes and you return to the Add HTTP Class
Map dialog box.

Step 11

(Optional) Select a category from the list to help you readily identify the object
when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.


Step 12

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 13.

Step 13

Click OK to save your changes.


The Add HTTP Class Map dialog box closes and you return to the HTTP Class
Maps page. The new class map is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding Inspection Map Objects, page 8-57

HTTP Class Maps Page, page F-121

Creating IM Class Map Objects


An IM Class Map object lets you configure IM class maps for IM inspection.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.


Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Class Maps >
IM Class Maps.
The IM Class Maps page appears. For a description of the GUI elements, see
Table F-96.

Step 3

Right-click inside the work area, then select New Object.


The Add IM Class Map dialog box appears. For a description of the GUI elements,
see Table F-97.

Step 4

Enter the name of the IM Class Map.

Step 5

(Optional) Enter a description to help you identify the class map. If a description
is entered, an icon is displayed when you view the IM Class Maps table.

Step 6

Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI
elements, see Table F-98.

Step 7

Select the criterion from the list. For more information on criterion, see Step 9.

Step 8

Select the match type from the list.

Step 9

Complete the dialog box with appropriate values. The dialog box values vary
based on your selection in the Criterion list. See the following tables for
descriptions of the criterion elements.

Filename: Matches the filename from the IM file transfer service. For a
description of the GUI elements, see Table F-99.

Client IP Address: Matches a source IP address. For a description of the GUI
elements, see Table F-100.

Client Login Name: Matches the client login name from the IM service. For
a description of the GUI elements, see Table F-101.

Peer IP Address: Matches a destination IP address. For a description of the
GUI elements, see Table F-102.

Peer Login Name: Matches the client peer login name from the IM service.
For a description of the GUI elements, see Table F-103.


Protocol: Matches IM protocols. For a description of the GUI elements, see
Table F-104.

Service: Matches IM services. For a description of the GUI elements, see
Table F-105.

File Transfer Service Version: Matches the IM file transfer service version.
For a description of the GUI elements, see Table F-106.

Step 10

Click OK to save your changes.

The Add Match Criterion dialog box closes and you return to the Add IM Class
Map dialog box.

Step 11

(Optional) Select a category from the list to help you readily identify the object
when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 12

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 13.

Step 13

Click OK to save your changes.

Step 14

The Add IM Class Map dialog box closes and you return to the IM Class Maps
page. The new class map is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.


Related Topics

Understanding Inspection Map Objects, page 8-57

IM Class Maps Page, page F-168

Creating SIP Class Map Objects


A SIP class map object lets you configure SIP class maps for SIP inspection.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Class Maps >
SIP Class Maps.
The SIP Class Maps page appears. For a description of the GUI elements, see
Table F-107.

Step 3

Right-click inside the work area, then select New Object.


The Add SIP Class Map dialog box appears. For a description of the GUI
elements, see Table F-108.

Step 4

Enter the name of the SIP Class Map.

Step 5

(Optional) Enter a description to help you identify the class map. If a description
is entered, an icon is displayed when you view the SIP Class Maps table.

Step 6

Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI
elements, see Table F-109.

Step 7

Select the criterion from the list. For more information regarding criterion, see
Step 9.

Step 8

Select the match type from the list.


Step 9

Complete the dialog box with appropriate values. The dialog box values vary
based on your selection in the Criterion list. See the following tables for
descriptions of the criterion elements.

Called Party: Matches the called party as specified in the To header. For a
description of the GUI elements, see Table F-110.

Calling Party: Matches the calling party as specified in the From header. For
a description of the GUI elements, see Table F-111.

Content Length: Matches the Content Length header. For a description of
the GUI elements, see Table F-112.

Content Type: Matches the Content Type header. For a description of the
GUI elements, see Table F-113.

IM Subscriber: Matches the SIP IM subscriber. For a description of the GUI
elements, see Table F-114.

Message Path: Matches the SIP Via header. For a description of the GUI
elements, see Table F-115.

Third Party Registration: Matches the requester of a third-party registration.
For a description of the GUI elements, see Table F-116.

URI Length: Matches a URI in the SIP headers. For a description of the GUI
elements, see Table F-117.

Request Method: Matches the SIP request method. For a description of the
GUI elements, see Table F-118.

Step 10

Click OK to save your changes.

The dialog box closes and you return to the Add SIP Class Map dialog box.

Step 11

(Optional) Select a category from the list to help you readily identify the object
when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 12

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 13.


Step 13

Click OK to save your changes.


The Add SIP Class Map dialog box closes and you return to the SIP Class Maps
page. The new class map is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding Inspection Map Objects, page 8-57

SIP Class Maps Page, page F-184

Understanding DNS Policy Maps


A DNS class map lets you view previously configured DNS application
inspection maps. A DNS map lets you change the default configuration values
used for DNS application inspection.

DNS application inspection supports DNS message controls that provide
protection against DNS spoofing and cache poisoning. User-configurable rules
allow certain DNS types to be allowed, dropped, and/or logged, while others are
blocked. For example, zone transfers between servers can be restricted with
this function.

The Recursion Desired and Recursion Available flags in the DNS header can be
masked to protect a public server from attack if that server only supports a
particular internal zone. In addition, DNS randomization can be enabled to avoid
spoofing and cache poisoning of servers that either do not support randomization
or use a weak pseudo-random number generator. Limiting the domain names that
can be queried protects the public server further.


A configurable DNS mismatch alert can be used as notification if an excessive
number of mismatching DNS responses is received, which could indicate a
cache poisoning attack. In addition, a configurable check that requires a
Transaction Signature to be attached to all DNS messages is also supported.

From the DNS Maps page, you can create, view, and manage DNS inspect maps.
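The header flag masking and the mismatch alert described above, shown as an added Python example; this is not code from this guide, from Security Manager, or from the security appliance. It decodes the fixed DNS header, clears the Recursion Desired and Recursion Available bits, and counts responses whose transaction ID matches no outstanding query, alerting when the count within a time window reaches a threshold. The threshold, the window, the classification labels and the sample messages are constructed for the example; the appliance's own counters, defaults and command syntax are not represented.

```python
"""Added illustration (not Security Manager or appliance code) of two DNS
inspection checks: masking RD/RA flags and alerting on ID mismatches."""
import struct
from collections import deque

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000   # set on responses
FLAG_RD = 0x0100   # Recursion Desired
FLAG_RA = 0x0080   # Recursion Available


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; ValueError on a truncated message."""
    if len(msg) < DNS_HDR.size:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = DNS_HDR.unpack_from(msg)
    return {"id": txid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def mask_recursion_flags(msg: bytes) -> bytes:
    """Return a copy of the message with RD and RA cleared, so a public
    authoritative server neither advertises nor is asked for recursion."""
    h = parse_header(msg)
    flags = h["flags"] & ~(FLAG_RD | FLAG_RA) & 0xFFFF
    return DNS_HDR.pack(h["id"], flags, h["qdcount"], h["ancount"],
                        h["nscount"], h["arcount"]) + msg[DNS_HDR.size:]


class MismatchMonitor:
    """Track outstanding query IDs and alert when `threshold` responses with
    an ID that matches no pending query arrive within `window` seconds,
    a pattern consistent with a cache poisoning attempt."""

    def __init__(self, threshold: int, window: float):
        self.threshold = threshold
        self.window = window
        self.pending = set()           # IDs of queries not yet answered
        self.mismatch_times = deque()  # timestamps of recent mismatches

    def observe(self, msg: bytes, now: float) -> str:
        """Classify one message seen on the wire (constructed label set):
        'malformed', 'query', 'match', 'mismatch' or 'alert'."""
        try:
            h = parse_header(msg)
        except ValueError:
            return "malformed"
        if not h["flags"] & FLAG_QR:
            self.pending.add(h["id"])
            return "query"
        if h["id"] in self.pending:
            self.pending.discard(h["id"])
            return "match"
        self.mismatch_times.append(now)
        while self.mismatch_times and now - self.mismatch_times[0] > self.window:
            self.mismatch_times.popleft()
        return "alert" if len(self.mismatch_times) >= self.threshold else "mismatch"


def build_message(txid: int, response: bool) -> bytes:
    """Constructed sample: a header plus one question for example.com A IN."""
    flags = (FLAG_QR | FLAG_RD | FLAG_RA) if response else FLAG_RD
    question = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    return DNS_HDR.pack(txid, flags, 1, 0, 0, 0) + question


if __name__ == "__main__":
    mon = MismatchMonitor(threshold=3, window=10.0)
    print(mon.observe(build_message(0x1234, False), 0.0))   # query
    print(mon.observe(build_message(0x1234, True), 0.1))    # match
    for t in (0.2, 0.3, 0.4):
        print(mon.observe(build_message(0x9999, True), t))  # mismatch, mismatch, alert
    print(hex(parse_header(mask_recursion_flags(build_message(0x1234, True)))["flags"]))
```

The pending-ID set is unbounded here; a production monitor would expire entries after the query timeout, which also bounds the state an attacker can make it hold.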
Related Topics

Creating DNS Map Objects, page 8-73

Understanding Inspection Map Objects, page 8-57

DNS Maps Page, page F-203

Creating DNS Map Objects


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps >
DNS Maps.
The DNS Maps page appears. For a description of the GUI elements, see
Table F-119.

Step 3

Right-click inside the work area, then select New Object.


The Add DNS Map dialog box appears. For a description of the GUI elements, see
Table F-120.

Step 4

Enter the name of the DNS Map object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the DNS Maps table.

Step 6

Configure values for protocol conformance. For a description of the GUI
elements, see Table F-121.


Note

The Protocol Conformance tab opens by default the first time the dialog
box is accessed.

Step 7

Click the Filtering tab to configure the values for filtering. For a description of
the GUI elements, see Table F-122.

Step 8

Click the Mismatch Rate tab to configure the values for mismatch rate. For a
description of the GUI elements, see Table F-123.

Step 9

Click the Match Condition and Action tab to configure the values for match
criterion. For a description of the GUI elements, see Table F-124.
a. Right-click inside the table, then select Add Row.

The Add Match Condition and Action dialog box appears. For a description
of the GUI elements, see Table F-125.

b. Select the match type from the list.

If you select Use Specified Values as your match type, you can select a
criterion from the list. The dialog box values vary based on your criterion
selection. Go to Step 10.

If you select Use Values in Class Map as your match type, you can enter
a class map name. Go to Step 11.


Step 10

If you select Use Specified Values as your match type, select the criterion.
Options are:

DNS Class: Matches a DNS query or resource record class. For a description
of the GUI elements, see Table F-126.

DNS Type: Matches a DNS query or resource record type. For a description
of the GUI elements, see Table F-127.

Domain Name: Matches a domain name from a DNS query or resource
record. For a description of the GUI elements, see Table F-128.

Header Flag: Matches a DNS flag in the header. For a description of the GUI
elements, see Table F-129.

Question: Matches a DNS question. For a description of the GUI elements,
see Table F-130.

Resource Record: Matches a DNS resource record. For a description of the
GUI elements, see Table F-131.


When completed, go to Step 12.

Step 11

If you select Use Values in Class Map as your match type:

a. Enter the name of the class map or click Select, which opens the DNS Class
Map Selector from which to make your selection.

b. Select the action to be performed when the criteria are met.

Step 12

Click OK to save your changes.

The Add Match Condition and Action dialog box closes and you return to the Add
DNS Map dialog box.

Step 13

(Optional) Select a category from the list to help you readily identify the object
when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 14

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 15.

Step 15

Click OK to save your changes.


The Add DNS Map dialog box closes and you return to the DNS Maps page. The
new map is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.


Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding DNS Policy Maps, page 8-72

Understanding FTP Policy Maps


An FTP class map lets you view previously configured FTP application inspection
maps. An FTP policy map object lets you change the default configuration values
used for FTP application inspection.
FTP is a common protocol used for transferring files over a TCP/IP network, such
as the Internet. You can use an FTP map to block specific FTP protocol methods,
such as an FTP PUT, from passing through the security appliance and reaching
your FTP server.
From the FTP Maps page, you can create, view, and manage FTP inspect maps.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Map Objects, page 8-76

FTP Maps Page, page F-228

Creating FTP Map Objects


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps >
FTP Maps.
The FTP Maps page appears. For a description of the GUI elements, see
Table F-133.


Step 3

Right-click inside the work area, then select New Object.


The Add FTP Map dialog box appears. For a description of the GUI elements, see
Table F-134.

Step 4

Enter the name of the FTP Map object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the FTP Maps table.

Step 6

Configure values for parameters. For a description of the GUI elements, see
Table F-135.

Note

The Parameters tab opens by default the first time the dialog box is
accessed.

Step 7

Click the Match Condition and Action tab to configure the values for match
criterion.

a. Right-click inside the table, then select Add Row.

The Add Match Condition and Action dialog box appears. For a description
of the GUI elements, see Table F-137.

b. Select the match type from the list.

If you select Use Specified Values as your match type, you can select a
criterion from the list. The dialog box values vary based on your criterion
selection. Go to Step 8.

If you select Use Values in Class Map as your match type, you can enter
a class map name. Go to Step 9.


Step 8

If you select Use Specified Values as your match type, select the criterion.
Options are:

Request Command: Matches an FTP request command. For a description of
the GUI elements, see Table F-138.

File Name: Matches a filename for FTP transfer. For a description of the
GUI elements, see Table F-139.

File Type: Matches a file type for FTP transfer. For a description of the GUI
elements, see Table F-140.


Server: Matches an FTP server. For a description of the GUI elements, see
Table F-141.

Username: Matches an FTP user. For a description of the GUI elements, see
Table F-142.

When completed, go to Step 10.

Step 9

If you select Use Values in Class Map as your match type:

a. Enter the class map name or click Select, which opens the class map selector
from which to make your selection.

b. Select the action to be performed when the criteria are met.

Step 10

Click OK to save your changes and close the dialog box.

Step 11

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 12

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 14.

Step 13

(Optional) Select platform information for which to perform validation, then click
Validate to initialize the validation process.

Step 14

Click OK to save your changes.

Step 15

The dialog box closes and you return to the FTP Maps page. The new object is
shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.


Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding Inspection Map Objects, page 8-57

FTP Maps Page, page F-228

Understanding GTP Policy Maps


The GPRS Tunnel Protocol (GTP) provides uninterrupted connectivity for mobile
subscribers between GSM networks and corporate networks or the Internet. GTP
uses a tunneling mechanism to provide a service for carrying user data packets.
A GTP map object lets you change the default configuration values used for GTP
application inspection. The GTP Map object page lets you create, view, and
manage GTP inspect maps. GTP is a relatively new protocol designed to provide
security for wireless connections to TCP/IP networks, such as the Internet. You
can use a GTP map to control timeout values, message sizes, tunnel counts, and
GTP versions traversing the security appliance.
After a configuration is generated for the device, the gtp-map command is shown.

Note

GTP inspection requires a special license. If the gtp-map command is entered on
a security appliance without the required license, the security appliance displays
an error message.

From the GTP Maps page, you can create, view, and manage GTP inspect maps.
Related Topics

Creating GTP Map Objects, page 8-80

Understanding Inspection Map Objects, page 8-57

GTP Maps Page, page F-243


Creating GTP Map Objects


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps >
GTP Maps.
The GTP Maps page appears. For a description of the GUI elements, see
Table F-144.

Step 3

Right-click inside the work area, then select New Object.


The Add GTP Map dialog box appears. For a description of the GUI elements, see
Table F-145.

Note

The Parameters tab opens by default the first time the dialog box is
accessed.

Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the GTP Maps table.

Step 6

(Optional) Configure Country and Network Code settings.


a. Right-click inside the table, then click Add Row.

b. Enter the Mobile Country Code and Mobile Network Code. For a description
of the GUI elements, see Table F-147.

c. Click OK.

The Add Country and Network Codes dialog box closes and you return to the
Add GTP Map dialog box.


Step 7

(Optional) To permit GTP responses from a GSN that is different from the one to
which the response was sent, complete the Permit Response table.
a. Right-click inside the table, then click Add Row.

The Add Permit Response dialog box appears. For a description of the GUI
elements, see Table F-148.

b. Enter the To Object Group name and From Object Group name.

c. Click OK.

The Add Permit Response dialog box closes and you return to the Add GTP
Map dialog box.

Step 8

Enter the request queue, which specifies the maximum requests allowed in the
queue.

Step 9

Enter the tunnel limit, which specifies the maximum number of tunnels allowed.

Step 10

(Optional) Select Permit Errors, which permits packets with errors or different
GTP versions that are invalid or that encountered an error during inspection to be
sent through the security appliance instead of being dropped.

Step 11

Click Edit Timeouts.


The GTP Timeouts dialog box appears. For a description of the GUI elements, see
Table F-149.

Step 12

Enter the appropriate values.

Step 13

Click OK.
The GTP Timeouts dialog box closes and you return to the Add GTP Map dialog
box.

Step 14

Click the Match Conditions and Actions tab to configure the values for match
criterion.
a. Right-click inside the table, then select Add Row.

The Add Match Condition and Action dialog box appears. For a description
of the GUI elements, see Table F-150.

b. Configure values for match criterion. Options are:

Access Point Name: Defines the access points to drop when GTP
application inspection is enabled. For a description of the GUI elements,
see Table F-151.


Message ID: Specifies the numeric identifier for the message that you
want to drop. For a description of the GUI elements, see Table F-152.

Message Length: Changes the default for the maximum message length
for the UDP payload that is allowed. For a description of the GUI
elements, see Table F-153.

Version: Specifies the GTP version for messages that you want to drop.
For a description of the GUI elements, see Table F-154.

c. Click OK to save your changes.

The Match Condition and Action dialog box closes and you return to the Add
GTP Map dialog box.

Step 15

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 16

(Optional) Select Allow Value Override per Device to allow the global properties
of this object to be redefined on individual devices. For more information, see
Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 18.

Step 17

(Optional) Select platform information for which to perform validation, then click
Validate to initialize the validation process.

Step 18

Click OK to save your changes.

Step 19

The Add GTP Map dialog box closes and you return to the GTP Maps page. The
new object is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.


Related Topics

GTP Maps Page, page F-243

Understanding GTP Policy Maps, page 8-79

Understanding HTTP Policy Map Objects


An HTTP map object lets you change the default configuration values used for
HTTP application inspection. An HTTP Map object defines different HTTP
packet criteria to be inspected, as well as the action to be taken when the criteria
are met. The HTTP Map object only defines general HTTP protocol-related
parameters; it is not specific to any particular traffic flow. This ensures that the
same HTTP Map object can be reused for different devices or different traffic flow
within a single device.
The enhanced HTTP inspection feature, also known as an application firewall,
verifies that HTTP messages conform to RFC 2616, use RFC-defined and
supported extension methods, and comply with various other criteria. This can
help prevent attackers from using HTTP messages for circumventing network
security policy.

Note

When you enable HTTP inspection with an HTTP map, strict HTTP inspection
with the action reset and log is enabled by default. You can change the actions
performed in response to inspection failure, but you cannot disable strict
inspection as long as the HTTP map remains enabled.
In many cases, you can configure the criteria and how the security appliance
responds when the criteria are not met. The criteria that you can apply to HTTP
messages include the following:

Does not include any method on a configurable list.

Message body size is within configurable limits.

Request and response message header size is within a configurable limit.

URI length is within a configurable limit.

Content-type in the message body matches the header.

Content-type in the response message matches the accept-type field in the
request message.


Content-type in the message is included in a predefined internal list.

Message meets HTTP RFC format criteria.

Presence or absence of selected supported applications.

Presence or absence of selected encoding types.

The actions you can specify for messages that fail the criteria set using the
different configuration commands include allow, reset, or drop. In addition to
these actions, you can specify to log the event or not.
From the HTTP Maps page, you can create, view, and manage HTTP inspect
maps.
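The HTTP class map match criteria listed earlier in this section (Request URI Length, Response Body Length, Response Header Count, Response Header Non-ASCII, Response Status Line) and the HTTP policy map criteria listed above are the same kind of per-message checks. The following Python is an added example, not code from this guide, from Security Manager, or from the security appliance: it parses a constructed request/response pair, applies each check against constructed limits, and returns the configured action together with the reasons for any failure. The policy fields, the limits, the action names and the sample messages are assumptions made for the example; the appliance's actual defaults and configuration syntax are not shown.

```python
"""Added illustration (not Security Manager or appliance code) of HTTP inspection
checks: permitted methods, URI/header/body limits, non-ASCII headers, status line
format, and Content-Type against a supported list and the request's Accept."""
import re
from dataclasses import dataclass

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3}(?: .*)?$")


@dataclass
class HttpMessage:
    start_line: str
    headers: list   # (name, value) pairs in wire order
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    """Split an HTTP/1.x message; ValueError when the basic RFC 2616 framing fails."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.strip(), value.strip()))
    return HttpMessage(lines[0], headers, body)


def header(msg: HttpMessage, name: str):
    """Case-insensitive lookup of the first header called `name` (None if absent)."""
    return next((v for n, v in msg.headers if n.lower() == name.lower()), None)


def media_type(value: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    return value.split(";", 1)[0].strip().lower()


def accept_allows(accept: str, ctype: str) -> bool:
    """True if an Accept header value admits the response media type."""
    for item in accept.split(","):
        pattern = media_type(item)
        if pattern in ("*/*", ctype):
            return True
        if pattern.endswith("/*") and ctype.startswith(pattern[:-1]):
            return True
    return False


@dataclass
class HttpMapPolicy:
    # Constructed limits and action names; not the appliance's defaults.
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_uri_len: int = 256
    max_header_count: int = 20
    max_header_field_len: int = 1024
    max_body_len: int = 65536
    supported_content_types: frozenset = frozenset({"text/html", "application/json"})
    action: str = "reset"   # applied on any failed check: allow, reset or drop


def inspect_exchange(req_raw: bytes, resp_raw: bytes, policy: HttpMapPolicy):
    """Check one request/response pair. Returns (action, violations): 'allow' and
    an empty list when every check passes, else the policy action and the reasons."""
    try:
        req, resp = parse_http(req_raw), parse_http(resp_raw)
    except ValueError as exc:
        return policy.action, [f"non-RFC framing: {exc}"]
    violations = []
    m = REQUEST_LINE.match(req.start_line)
    if not m:
        violations.append("non-RFC request line")
    else:
        method, uri = m.group(1), m.group(2)
        if method not in policy.allowed_methods:
            violations.append(f"method {method} not permitted")
        if len(uri) > policy.max_uri_len:
            violations.append("request URI length exceeded")
    if not STATUS_LINE.match(resp.start_line):
        violations.append("non-RFC status line")
    for label, msg in (("request", req), ("response", resp)):
        if len(msg.headers) > policy.max_header_count:
            violations.append(f"{label} header count exceeded")
        for name, value in msg.headers:
            if len(name) + len(value) > policy.max_header_field_len:
                violations.append(f"{label} header field {name} too long")
            if any(ord(ch) > 127 for ch in name + value):
                violations.append(f"{label} header {name} contains non-ASCII")
        if len(msg.body) > policy.max_body_len:
            violations.append(f"{label} body length exceeded")
    ctype = header(resp, "Content-Type")
    if ctype is not None:
        mt = media_type(ctype)
        if mt not in policy.supported_content_types:
            violations.append(f"response Content-Type {mt} not in supported list")
        accept = header(req, "Accept")
        if accept is not None and not accept_allows(accept, mt):
            violations.append(f"response Content-Type {mt} does not match request Accept")
    return ("allow" if not violations else policy.action), violations


# Constructed sample exchanges (not captured traffic).
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Accept: text/html, application/xhtml+xml\r\n\r\n")
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
BAD_REQUEST = b"TRACE /" + b"a" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + b"\x00" * 4
```

Running `inspect_exchange(BAD_REQUEST, BAD_RESPONSE, HttpMapPolicy())` returns the policy action with three reasons (the TRACE method, the over-long URI and the unsupported Content-Type), while the good pair returns `("allow", [])`. Whether a failed check is logged is a separate policy choice in the map; this example only decides the action.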
Related Topics

Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS),
page 8-84

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS)


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps >
HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS).
The HTTP Maps page appears. For a description of the GUI elements, see
Table F-155.

Step 3

Right-click inside the work area, then select New Object.


The Add HTTP Map dialog box appears. For a description of the GUI elements,
see Table F-156.


Step 4

Configure settings for any of the following:

General tab: For a description of the GUI elements, see Table F-157.

Entity Length tab: For a description of the GUI elements, see Table F-158.

RFC Request Method tab: For a description of the GUI elements, see
Table F-159.

Extension Request Method tab: For a description of the GUI elements, see
Table F-160.

Port Misuse tab: For a description of the GUI elements, see Table F-161.

Transfer Encoding tab: For a description of the GUI elements, see
Table F-162.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page, page F-261

Understanding HTTP Policy Map Objects, page 8-83

Configuring the General Tab, page 8-85

Configuring the Entity Length Tab, page 8-87

Configuring the RFC Request Method Tab, page 8-88

Configuring the Extension Request Method Tab, page 8-90

Configuring the Port Misuse Tab, page 8-91

Configuring the Transfer Encoding Tab, page 8-93

Configuring the General Tab


The General tab lets you define the action taken when non-compliant HTTP
requests are received and to enable verification of content type. For a description
of the GUI elements, see Table F-157.


Procedure
Step 1

Enter the name of the object.

Step 2

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the HTTP Maps table.

Step 3

(Optional) Select Take action for non-RFC 2616 compliant traffic, which
specifies the action taken by the security appliance when it receives traffic that
fails to comply with RFC 2616.

Step 4

Select the action taken when a message fails the inspection.

Step 5

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message when it receives a packet that uses a non-compliant
method.

Step 6

(Optional) Select Verify Content-type field belongs to the supported internal
content-type list, which enables content verification based on comparing the
content type field in the HTTP response to the preconfigured list of supported
content types.

Step 7

(Optional) Select Verify Content-type field for response matches the ACCEPT
field of request, which enables content verification based on comparing the
content type field in the HTTP response to the type specified in the Accept field
in the HTTP request.

Step 8

Select the action taken when a message fails the inspection.

Step 9

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message when it receives a packet that uses a non-compliant
method.

Step 10

(Optional) Select Override Global TCP Idle Timeout (IOS only) to change the
TCP idle timeout setting, then enter the new timeout value in the field provided.

Step 11

(Optional) Select Override Global Audit Trail Setting (IOS only) to change the
audit trail setting.

Step 12

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 13

Click OK to save your changes and close the dialog box, or select another tab.

Note

Settings are not saved to the database until you click OK.

Related Topics

Add and Edit HTTP Map > General Tab, page F-266

Understanding HTTP Policy Map Objects, page 8-83

Configuring the Entity Length Tab


The Entity Length tab lets you define the permitted lengths for the URI, HTTP
header, and HTTP body. For a description of the GUI elements, see Table F-156.
Procedure
Step 1

Enter the name of the object.

Step 2

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the HTTP Maps table.

Step 3

(Optional) Select Inspect URI Length, which causes the security appliance to
inspect the length of the URI in each HTTP request.

Step 4

Enter the maximum number of bytes allowed for the length of the HTTP request
URI.

Step 5

Select the action that the security appliance should take when inspection for the
URI length fails.

Step 6

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message when it receives the HTTP request with a URI that
exceeds the permitted maximum length.

Step 7

(Optional) Select Inspect Maximum Header Length, which causes the security
appliance to inspect the length of the header in each HTTP request or response.

Step 8

Enter the request bytes, which specifies the maximum number of bytes allowed
for the length of the header in the HTTP request.

Step 9

Enter the response bytes, which specifies the maximum number of bytes allowed
for the length of the header in the HTTP response.

Step 10

Select the action that the security appliance should take when inspection for the
HTTP header length fails.

Step 11

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message when it receives the HTTP request with a header that
exceeds the permitted maximum length.

Step 12

(Optional) Select Inspect Body Length, which causes the security appliance to
inspect the length of the body in each HTTP request and verify that it falls
within the configured limits.

Step 13

Enter the minimum and maximum threshold values in bytes.

Step 14

Select the action that the security appliance should take when inspection for the
body length fails.

Step 15

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message when it receives the HTTP request with a body length
that exceeds the permitted threshold values.

Step 16

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 17

Click OK to save your changes and close the dialog box, or select another tab.

Note

Settings are not saved to the database until you click OK.

Related Topics

Add and Edit HTTP Map > Entity Length Tab, page F-269

Understanding HTTP Policy Map Objects, page 8-83

Configuring the RFC Request Method Tab


The RFC Request Method tab lets you define the action that the security appliance
should take when specific request methods are used in the HTTP request. For a
description of the GUI elements, see Table F-157.

Procedure
Step 1

Enter the name of the object.

Step 2

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the HTTP Maps table.

Step 3

Select from the list of available methods to specify when you want the security
appliance to take different actions in response to HTTP requests using different
methods.

Step 4

Select the action that the security appliance should take when it receives an HTTP
message containing the selected method. Each of the selected methods can have
a separate action.

Step 5

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message. You can specify a different option for each selected
method.

Step 6

Click >>. The method selected, along with action and syslog information, is
displayed in the table.

Timesaver

You can select multiple methods at a time if the action and syslog requests are the
same for each.

Step 7

Select Specify the action to be applied for the remaining available methods
above to inspect packets for all other methods by using a default action.

Note

If you do not set a default action, packet inspection is performed only for
the specific methods selected in Step 3.

Step 8

Select the action that the security appliance should take when it receives the
HTTP request containing any method that is not included in the method table.

Step 9

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message. You can specify a different option for each selected
method. To generate a syslog message, select the check box.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 11

Click OK to save your changes and close the dialog box, or select another tab.

Note

Settings are not saved to the database until you click OK.

Related Topics

Add and Edit HTTP Map > RFC Request Method Tab, page F-271

Understanding HTTP Policy Map Objects, page 8-83

Configuring the Extension Request Method Tab


The Extension Request Method tab lets you define the action taken when specific
extension request methods are used in the HTTP request. For a description of the
GUI elements, see Table F-158.
Procedure
Step 1

Enter the name of the object.

Step 2

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the HTTP Maps table.

Step 3

Select from the list of available methods to specify when you want the security
appliance to inspect packets for specific methods only.

Step 4

Select the action that the security appliance should take when it receives an HTTP
message containing the selected method. Each selected method can have a
separate action.

Step 5

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message. You can specify a different option for each selected
method.

Step 6

Click >>. The method selected, along with action and syslog information, is
displayed in the table.

Timesaver

You can select multiple methods at a time if the action and syslog requests are the
same for each.

Step 7

Select Specify the action to be applied for the remaining available methods
above to inspect packets for all other methods by using a default action.

Note

If you do not set a default action, packet inspection is performed only for
the specific methods selected in Step 3.

Step 8

Select the action taken by the security appliance when it receives the HTTP
request containing any method that is not included in the method table.

Step 9

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message. You can specify a different option for each selected
method.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 11

Click OK to save your changes and close the dialog box, or select another tab.

Note

Settings are not saved to the database until you click OK.

Related Topics

Add and Edit HTTP Map > Extension Request Method Tab, page F-274

Understanding HTTP Policy Map Objects, page 8-83

Configuring the Port Misuse Tab


The Port Misuse tab lets you enable application firewall inspection. For a
description of the GUI elements, see Table F-159.
Procedure
Step 1

Enter the name of the object.

Step 2

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the HTTP Maps table.

Step 3

Select from the list of available categories that you can specify when you want the
security appliance to take different actions in response to HTTP requests using
different categories.

Step 4

Select the action taken by the security appliance when it receives the HTTP
request containing one of the categories in the category table.

Step 5

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message if the HTTP message includes any category in the
category table.

Step 6

Click >>. The category is moved to the table and the action and syslog
information is displayed.

Timesaver

You can select multiple categories at a time if the action and syslog requests are
the same for each.

Step 7

Select Specify the action to be applied for the remaining available categories
above to inspect packets for all other categories by using a default action.

Note

If you do not set a default action, packet inspection is performed only for
the specific categories selected in Step 3.

Step 8

Select the action taken by the security appliance when it receives the HTTP
request containing any category that is not in the category table.

Step 9

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message. You can specify a different option for each of the
selected categories.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 11

Click OK to save your changes and close the dialog box, or select another tab.

Note

Settings are not saved to the database until you click OK.

Related Topics

Add and Edit HTTP Map > Port Misuse Tab, page F-277

Understanding HTTP Policy Map Objects, page 8-83

Configuring the Transfer Encoding Tab


The Transfer Encoding tab lets you define the action that the security appliance
should take when specific transfer encoding types are used in the HTTP request.
For a description of the GUI elements, see Table F-160.
Procedure
Step 1

Enter the name of the object.

Step 2

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the HTTP Maps table.

Step 3

Select from the list of available transfer encoding types that you can specify when
you want the security appliance to take different actions in response to HTTP
requests using different transfer encoding types.

Step 4

Select the action taken by the security appliance when it receives the HTTP
request containing one of the transfer encoding types in the transfer encoding type
table.

Step 5

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message if the HTTP message includes any transfer encoding
type in the transfer encoding type table.

Step 6

Click >>. The encoding type is moved to the table and the action and syslog
information is displayed.

Timesaver

You can select multiple encoding types at a time if the action and syslog
requests are the same for each.

Step 7

Select Specify the action to be applied for the remaining available encoding
types above to inspect packets for all other encoding types by using a default
action.

Note

If you do not set a default action, packet inspection is performed only for
the specific encoding types selected in Step 3.

Step 8

Select the action taken by the security appliance when it receives the HTTP
request containing any transfer encoding type that is not included in the
transfer encoding type table.

Step 9

(Optional) Select Generate Syslog, which causes the security appliance to
generate a syslog message. You can specify a different option for each selected
encoding type.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 11

Click OK to save your changes and close the dialog box, or select another tab.

Note

Settings are not saved to the database until you click OK.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83
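
The checks configured on the General, Entity Length, RFC Request Method, Extension Request Method and Transfer Encoding tabs above can be modelled in a few dozen lines; the following Python is an added illustration and is not Security Manager or Cisco appliance code (the Port Misuse tab is not modelled). The HttpMap field names, the action names, the order in which the checks run and the sample requests are this example's assumptions; in particular it reproduces the rule from the Notes above that methods and encoding types not listed in a table are inspected only when a default action is set.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Methods defined by RFC 2616; anything else goes through the Extension Request
# Method table. Field names, action names and check order are this example's own.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


@dataclass
class HttpMap:
    """Subset of an HTTP map object; a limit of None means 'not inspected'."""
    non_rfc_action: str = "drop"            # General tab
    max_uri_len: Optional[int] = None       # Entity Length tab
    max_header_len: Optional[int] = None
    body_len_range: Optional[Tuple[int, int]] = None   # (min, max) bytes
    length_action: str = "reset"
    # Method and Transfer Encoding tables: per-entry action plus a default for
    # unlisted entries; with no default, only the listed entries are inspected
    method_actions: Dict[str, str] = field(default_factory=dict)
    default_method_action: Optional[str] = None
    extension_actions: Dict[str, str] = field(default_factory=dict)
    default_extension_action: Optional[str] = None
    encoding_actions: Dict[str, str] = field(default_factory=dict)
    default_encoding_action: Optional[str] = None
    generate_syslog: bool = True


@dataclass
class Verdict:
    action: str                        # "allow", "drop" or "reset"
    syslog: List[str] = field(default_factory=list)


def parse_request(raw: bytes) -> Optional[dict]:
    """Minimal HTTP/1.x request parser; None signals an RFC 2616 violation."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0].decode("ascii", "replace"))
    if match is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("ascii", "replace").partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": match.group(1), "uri": match.group(2), "headers": headers,
            "body": body, "header_bytes": len(head) - len(lines[0])}


def inspect_http(raw: bytes, policy: HttpMap) -> Verdict:
    """Apply the map to one request, stopping at the first failing check."""
    verdict = Verdict("allow")

    def fail(action: str, message: str) -> Verdict:
        verdict.action = action
        if policy.generate_syslog:
            verdict.syslog.append(message)
        return verdict

    req = parse_request(raw)
    if req is None:
        return fail(policy.non_rfc_action, "request is not RFC 2616 compliant")
    # Entity Length tab: URI, header and body limits
    if policy.max_uri_len is not None and len(req["uri"]) > policy.max_uri_len:
        return fail(policy.length_action, f"URI length {len(req['uri'])} exceeds max")
    if policy.max_header_len is not None and req["header_bytes"] > policy.max_header_len:
        return fail(policy.length_action, "request header length exceeds max")
    if policy.body_len_range is not None:
        low, high = policy.body_len_range
        if not low <= len(req["body"]) <= high:
            return fail(policy.length_action, f"body length outside {low}-{high}")
    # RFC / Extension Request Method tabs: choose the table by method kind
    if req["method"] in RFC2616_METHODS:
        table, default = policy.method_actions, policy.default_method_action
    else:
        table, default = policy.extension_actions, policy.default_extension_action
    action = table.get(req["method"], default)
    if action not in (None, "allow"):
        return fail(action, f"request method {req['method']} not permitted")
    # Transfer Encoding tab
    encoding = req["headers"].get("transfer-encoding", "").lower()
    if encoding:
        action = policy.encoding_actions.get(encoding, policy.default_encoding_action)
        if action not in (None, "allow"):
            return fail(action, f"transfer-encoding {encoding} not permitted")
    return verdict


# Constructed sample map: short URIs only, TRACE dropped, unlisted extension
# methods reset, DELETE uninspected (no RFC default), only chunked encoding kept.
SAMPLE_MAP = HttpMap(max_uri_len=32, body_len_range=(0, 64),
                     method_actions={"TRACE": "drop"}, default_extension_action="reset",
                     encoding_actions={"chunked": "allow"}, default_encoding_action="drop")
```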

Creating HTTP Map Objects (ASA 7.2/PIX 7.2)


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps >
HTTP Maps (ASA 7.2/PIX 7.2).
The HTTP Maps page appears. For a description of the GUI elements, see
Table F-163.

Step 3

Right-click inside the work area, then select New Object.


The Add HTTP Map dialog box appears. For a description of the GUI elements,
see Table F-164.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the HTTP Maps table.

Step 6

Complete the information in the Parameters tab. For a description of the GUI
elements, see Table F-165.

Note

The Parameters tab opens by default the first time the dialog box is
accessed.

Step 7

Click the Match Condition and Action tab to configure the values for match
criterion. For a description of the GUI elements, see Table F-166.
a. Right-click inside the table, then select Add Row.

The Add Match Condition and Action dialog box appears. For a description
of the GUI elements, see Table F-167.

b. Select the match type from the list.

If you select Use Specified Values as your match type, you can select a
criterion from the list. The dialog box values vary based on your criterion
selection. Go to Step 8.

If you select Use Values in Class Map as your match type, you can enter
a class map name. Go to Step 9.


Step 8

If you select Use Specified Values as your match type, select the criterion.
Options are:

Request/Response Content Type Mismatch: Specifies that the content type
in the response must match one of the MIME types in the accept field of the
request. For a description of the GUI elements, see Table F-168.

Request Arguments: Applies the regular expression match to the arguments
of the request. For a description of the GUI elements, see Table F-169.

Request Body: Applies the regular expression match to the body of the
request. For a description of the GUI elements, see Table F-170.

Request Body Length: Applies the regular expression match to the body of
the request with field length greater than the bytes specified. For a description
of the GUI elements, see Table F-171.

Request Header Count: Applies the regular expression match to the header
of the request with a maximum number of headers. For a description of the
GUI elements, see Table F-172.

Request Header Length: Applies the regular expression match to the header
of the request with length greater than the bytes specified. For a description
of the GUI elements, see Table F-173.

Request Header Field: Applies the regular expression match to the header of
the request. For a description of the GUI elements, see Table F-174.

Request Header Field Count: Applies the regular expression match to the
header of the request with a maximum number of header fields. For a
description of the GUI elements, see Table F-175.

Request Header Field Length: Applies the regular expression match to the
header of the request with field length greater than the bytes specified. For a
description of the GUI elements, see Table F-176.

Request Header Content Type: For a description of the GUI elements, see
Table F-177.

Request Header Transfer Encoding: For a description of the GUI elements,
see Table F-178.

Request Header Non-ASCII: Matches non-ASCII characters in the header of
the request. See Table F-179.

Request Method: Applies the regular expression match to the method of the
request. For a description of the GUI elements, see Table F-180.

Request URI: Applies the regular expression match to the URI of the
request. For a description of the GUI elements, see Table F-181.

Request URI Length: Applies the regular expression match to the URI of the
request with length greater than the bytes specified. For a description of the
GUI elements, see Table F-182.

Response Body ActiveX: Specifies to match on ActiveX. For a description
of the GUI elements, see Table F-183.

Response Body Java Applet: Specifies to match on a Java Applet. For a
description of the GUI elements, see Table F-184.

Response Body: Applies the regular expression match to the body of the
response. For a description of the GUI elements, see Table F-185.

Response Body Length: Applies the regular expression match to the body of
the response with field length greater than the bytes specified. For a
description of the GUI elements, see Table F-186.

Response Header Count: Applies the regular expression match to the header
of the response with a maximum number of headers. For a description of the
GUI elements, see Table F-187.

Response Header Length: Applies the regular expression match to the
header of the response with length greater than the bytes specified. For a
description of the GUI elements, see Table F-188.

Response Header Field: Applies the regular expression match to the header
of the response. For a description of the GUI elements, see Table F-189.

Response Header Field Count: Applies the regular expression match to the
header of the response with a maximum number of header fields. For a
description of the GUI elements, see Table F-190.

Response Header Field Length: Applies the regular expression match to the
header of the response with field length greater than the bytes specified. For
a description of the GUI elements, see Table F-191.

Response Header Content Type: For a description of the GUI elements, see
Table F-192.

Response Header Transfer Encoding: For a description of the GUI elements,
see Table F-193.

Response Header Non-ASCII: Matches non-ASCII characters in the header
of the response. For a description of the GUI elements, see Table F-194.

Response Status Line: Applies the regular expression match to the status
line. For a description of the GUI elements, see Table F-195.

When completed, go to Step 10.

Step 9

If you select Use Values in Class Map as your match type:

a. Enter the name of the class map or click Select, which opens the class map
selector from which to make your selection.

b. Select the action to be performed when the criteria are met.

Step 10

Click OK to save your changes.

The Add Match Condition and Action dialog box closes and you return to the Add
HTTP Map dialog box. The new information is shown in the table.

Step 11

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 12

(Optional) Select Allow Value Override per Device to allow the global properties
of this object to be redefined on individual devices. For more information, see
Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 13.

Step 13

Click OK to save your changes.

The Add HTTP Map dialog box closes and you return to the HTTP Maps
(ASA 7.2/PIX 7.2) page. The new information is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83
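
The Match Condition and Action table described in Steps 7 through 10 holds rows that carry either specified values or a class map reference, each paired with an action. The following Python is an added model of how such a table is evaluated against one HTTP exchange; it is not Security Manager or ASA code. The criterion names, the Message structure, the rule that a log row records a hit and continues while any other action ends evaluation, and the sample rows and class map are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# Structures and criterion names are this example's own (a subset of Step 8).


@dataclass
class Message:
    method: str
    uri: str
    req_headers: Dict[str, str]
    resp_headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Condition:
    criterion: str
    value: Any = None            # regex, byte/count threshold or header name
    regex: Optional[str] = None  # pattern for the header-field criterion


@dataclass
class Row:
    action: str                            # "drop-connection", "reset" or "log"
    condition: Optional[Condition] = None  # Use Specified Values
    class_map: Optional[str] = None        # Use Values in Class Map


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def type_accepted(accept_entry: str, content_type: str) -> bool:
    """True when a MIME type satisfies one Accept entry such as image/*."""
    want_major, _, want_minor = accept_entry.partition("/")
    got_major, _, got_minor = content_type.partition("/")
    return want_major in ("*", got_major) and want_minor in ("*", got_minor)


def matches(cond: Condition, msg: Message) -> bool:
    c = cond.criterion
    if c == "request_method":
        return re.search(cond.value, msg.method) is not None
    if c == "request_uri":
        return re.search(cond.value, msg.uri) is not None
    if c == "request_uri_length":
        return len(msg.uri.encode("utf-8")) > cond.value
    if c == "request_header_count":
        return len(msg.req_headers) > cond.value
    if c == "request_header_field":
        return re.search(cond.regex, header(msg.req_headers, cond.value)) is not None
    if c == "request_header_non_ascii":
        return any(ord(ch) > 127 for k, v in msg.req_headers.items() for ch in k + v)
    if c == "content_type_mismatch":
        accept = header(msg.req_headers, "accept")
        ctype = header(msg.resp_headers, "content-type").split(";")[0].strip()
        if not accept or not ctype:
            return False
        wanted = [entry.split(";")[0].strip() for entry in accept.split(",")]
        return not any(type_accepted(w, ctype) for w in wanted)
    raise ValueError(f"unknown criterion {c}")


def evaluate(msg: Message, rows: List[Row],
             class_maps: Dict[str, List[Condition]]) -> Tuple[str, List[int]]:
    """Walk the table in order; return the final action and the matched row indices.
    A class map matches when any of its conditions does; "log" rows do not stop."""
    hits: List[int] = []
    for index, row in enumerate(rows):
        if row.class_map is not None:
            hit = any(matches(c, msg) for c in class_maps[row.class_map])
        else:
            hit = matches(row.condition, msg)
        if not hit:
            continue
        hits.append(index)
        if row.action != "log":
            return row.action, hits
    return "allow", hits


# Constructed sample table: one class map plus five rows.
CLASS_MAPS = {"unwanted-agents": [Condition("request_header_field", "user-agent",
                                            regex=r"(?i)^badbot/")]}
ROWS = [
    Row("drop-connection", Condition("request_method", r"^(TRACE|CONNECT)$")),
    Row("reset", Condition("request_uri_length", 256)),
    Row("log", Condition("request_header_non_ascii")),
    Row("drop-connection", class_map="unwanted-agents"),
    Row("reset", Condition("content_type_mismatch")),
]
```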


Understanding IM Map Objects


Instant Messaging, although a great tool, causes concern due to its use of clear text
when conducting business and the potential for network attacks and the spreading
of viruses. As a result, network administrators can block certain types of instant
messages from occurring, while allowing others.

The IM map object lets you view previously configured Instant Messaging (IM)
application inspection maps. An IM map lets you change the default configuration
values used for IM application inspection.

IM application inspection provides detailed access control to control network
usage. It also helps stop leakage of confidential data and the propagation of
network threats. A regular expression database search representing various
patterns for IM protocols to be filtered is applied. A syslog is generated if the
flow is not recognized.

The scope can be limited by using an access list to specify any traffic streams to
be inspected. For UDP messages, a corresponding UDP port number is also
configurable. Inspection of Yahoo! Messenger, MSN Messenger, and AOL instant
messages is supported.

Related Topics

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Creating IM Map Objects for IOS Devices, page 8-102

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps >
IM Maps (ASA 7.2/PIX 7.2).
The IM Maps (ASA 7.2/PIX 7.2) page appears. For a description of the GUI
elements, see Table F-197.

Step 3

Right-click inside the work area, then select New Object.


The Add IM Map dialog box appears. For a description of the GUI elements, see
Table F-198.

Step 4

Enter the name of the map.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the IM Maps table.

Step 6

Right-click inside the table, then select Add Row.


The Add Match Condition and Action dialog box appears. For a description of the
GUI elements, see Table F-199.

Step 7

Select the match type from the list.

If you select Use Specified Values as your match type, you can select a
criterion from the list. The dialog box values vary based on your criterion
selection. Go to Step 8.

If you select Use Values in Class Map as your match type, you can enter a
class map name. Go to Step 9.

Step 8

If you select Use Specified Values as your match type, select the criterion from
the list, then complete the dialog box accordingly. Options are:

Filename: Matches the filename from the IM file transfer service. For a
description of the GUI elements, see Table F-200.

Client IP Address: Matches a source IP address. For a description of the GUI
elements, see Table F-201.

Client Login Name: Matches the client login name from the IM service. For
a description of the GUI elements, see Table F-202.

Peer IP Address: Matches a destination IP address. For a description of the
GUI elements, see Table F-203.

Peer Login Name: Matches the client peer login name from the IM service.
For a description of the GUI elements, see Table F-204.

Protocol: Matches IM protocols. For a description of the GUI elements, see
Table F-205.

Service: Matches IM services. For a description of the GUI elements, see
Table F-206.

File Transfer Service Version: Matches the IM file transfer service version.
For a description of the GUI elements, see Table F-207.

When completed, go to Step 10.


Step 9

If you select Use Values in Class Map as your match type:

a. Enter the name of the class map or click Select, which opens the IM Class
Map selector from which to make your selection.

b. Select the action to be performed when the criteria are met.

Step 10

Click OK to save your changes.

The Add Match Condition and Action dialog box closes and you return to the Add
IM Map dialog box. The new information is shown in the table.

Step 11

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 12

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 13.

Step 13

Click OK to save your changes.

The Add IM Map (ASA 7.2/PIX 7.2) dialog box closes and you return to the
IM Maps (ASA 7.2/PIX 7.2) page. The new object is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67

Creating IM Map Objects for IOS Devices


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps >
IM Maps (IOS).
The IM Maps (IOS) page appears. For a description of the GUI elements, see
Table F-209.

Step 3

Right-click inside the work area, then select New Object.


The Add IM Map (IOS) dialog box appears. For a description of the GUI
elements, see Table F-210.

Note

The Yahoo tab opens by default the first time the dialog box is accessed.

Step 4

Enter the name of the map.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the IM Maps table.

Step 6

Complete the Add IM Map (IOS) dialog box. Options are:

Yahoo!: Matches Yahoo! Messenger instant messages. For a description of
the GUI elements, see Table F-211.

MSN: Matches MSN Messenger instant messages. For a description of the
GUI elements, see Table F-212.

AOL: Matches AOL instant messages. For a description of the GUI
elements, see Table F-213.

Step 7

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 8

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 9.

Step 9

Click OK to save your changes.

The Add IM Map (IOS) dialog box closes and you return to the IM Maps page. The
new object is shown in the table.

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding SIP Map Objects


A SIP map object lets you view previously configured SIP application inspection
maps. A SIP map lets you change the default configuration values used for SIP
application inspection.
SIP is a widely used protocol for Internet conferencing, telephony, presence,
events notification, and instant messaging. Partially because of its text-based
nature and partially because of its flexibility, SIP networks are subject to a large
number of security threats.
SIP application inspection provides address translation in message header and
body, dynamic opening of ports and basic sanity checks. It also supports
application security and protocol conformance, which enforce the sanity of the
SIP messages, as well as detect SIP-based attacks.
Related Topics

• Understanding Inspection Map Objects, page 8-57

• Creating SIP Map Objects, page 8-104

Creating SIP Map Objects


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure

Step 1

Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Policy Maps > SIP Maps.

The SIP Maps page appears. For a description of the GUI elements, see Table F-214.

Step 3

Right-click inside the work area, then click New Object.

The Add SIP Map dialog box appears. For a description of the GUI elements, see Table F-215.


Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the SIP Maps table.

Step 6

Complete the information in the Parameters tab. For a description of the GUI elements, see Table F-216.

Note

The Parameters tab opens by default the first time the dialog box is accessed.

Step 7

Click the Match Condition and Action tab to configure the values for match criterion.

a. Right-click inside the table, then select Add Row.

The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-217.

b. Select the match type from the list.

• If you select Use Specified Values as your match type, you can select a criterion from the list. The dialog box values vary based on your criterion selection. Go to Step 8.

• If you select Use Values in Class Map as your match type, you can enter a class map name. Go to Step 9.


Step 8

If you select Use Specified Values as your match type, select the criterion from the list, then complete the dialog box accordingly. Options are:

• Called Party: matches the called party as specified in the To header. For a description of the GUI elements, see Table F-218.

• Calling Party: matches the calling party as specified in the From header. For a description of the GUI elements, see Table F-219.

• Content Length: matches the Content Length header. For a description of the GUI elements, see Table F-220.

• Content Type: matches the Content Type header. For a description of the GUI elements, see Table F-221.

• IM Subscriber: matches the SIP IM subscriber. For a description of the GUI elements, see Table F-222.


• Message Path: matches the SIP Via header. For a description of the GUI elements, see Table F-223.

• Third Party Registration: matches the requester of a third-party registration. For a description of the GUI elements, see Table F-224.

• URI Length: matches a URI in the SIP headers. For a description of the GUI elements, see Table F-225.

• Request Method: matches the SIP request method. For a description of the GUI elements, see Table F-226.

When completed, go to Step 10.


Step 9

If you select Use Values in Class Map as your match type:

a. Enter the name of the class map or click Select, which opens the IM Class Map selector from which to make your selection.

b. Select the action to be performed when the criteria are met.

Step 10

Click OK to save your changes.

The Add Match Condition and Action dialog box closes and you return to the SIP Maps page. The new object is shown in the table.

Step 11

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 12

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 13.

Step 13

Click OK to save your changes.

The Add SIP Map dialog box closes and you return to the SIP Maps page. The new object is shown in the table.

Step 14

You can now select override values for the policy object. For more information, see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.

Related Topics

• Understanding Inspection Map Objects, page 8-57

• Creating SIP Class Map Objects, page 8-70

Creating Regular Expression Group Objects


A Regular Expression Group object groups regular expressions together. The
objects can be used by inspection class maps and inspection policy maps.

Note

Some inspection maps can specify regular expressions to match text inside a
packet. Be sure to create the regular expressions before you configure the class
map or policy maps.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure

Step 1

Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Regular Expression Groups.

The Regular Expression Groups page appears. For a description of the GUI elements, see Table F-228.

Step 3

Right-click inside the work area, then select New Object.

The Add Regular Expression Class Map dialog box appears. For a description of the GUI elements, see Table F-229.

Step 4

Enter the name of the object.



Step 5

(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the Regular Expressions Groups table.

Step 6

Enter the regular expression(s) in the field provided or click Select, which opens
the Regular Expressions selector from which to make your selection.

Step 7

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 8

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 9.

Step 9

Click OK to save your changes.

The Add Regular Expression Class Map dialog box closes and you return to the Regular Expression Groups page. The new object is shown in the table.

Step 10

You can now select override values for the policy object. For more information, see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.

Related Topics

• Creating Regular Expression Objects, page 8-109

• Add and Edit Regular Expression Group Dialog Boxes, page F-407


Creating Regular Expression Objects


A regular expression matches text strings either literally as an exact string, or by
using metacharacters so you can match multiple variants of a text string. You can
use a regular expression to match the content of certain application traffic; for
example, you can match body text inside an HTTP packet.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure

Step 1

Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Inspect Maps > Regular Expressions.

The Regular Expressions page appears. For a description of the GUI elements, see Table F-230.

Step 3

Right-click inside the work area, then select New Object.

The Add Regular Expression dialog box appears. For a description of the GUI elements, see Table F-231.

Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the Regular Expressions table.

Step 6

Enter the regular expression(s) in the field provided. See Table 8-5 for the
metacharacters used to build regular expressions.

Step 7

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 8

(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden, page 8-198.


Note

Selecting this check box does not automatically recognize override values
to use; however, before you can set the override values, you must first save
the policy object. Go to Step 9.

Step 9

Click OK to save your changes.

The Add Regular Expression dialog box closes and you return to the Regular Expressions page. The new object is shown in the table.

Step 10

You can now select override values for the policy object. For more information, see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.

Related Topics

• Metacharacters Used to Build Regular Expressions, page 8-111

• Add and Edit Regular Expression Dialog Boxes, page F-412


Metacharacters Used to Build Regular Expressions


Table 8-5 identifies the metacharacters used to build regular expressions.

Table 8-5    Metacharacters Used to Build Regular Expressions

Character  Description          Notes

.          Dot                  Matches any single character. For example, d.g matches dog, dag,
                                dtg, and any word that contains those characters, such as
                                doggonnit.

(exp)      Subexpression        A subexpression segregates characters from surrounding
                                characters, so that you can use other metacharacters on the
                                subexpression. For example, d(o|a)g matches dog and dag, but
                                do|ag matches do and ag. A subexpression can also be used with
                                repeat quantifiers to differentiate the characters meant for
                                repetition. For example, ab(xy){3}z matches abxyxyxyz.

|          Alternation          Matches either expression it separates. For example, dog|cat
                                matches dog or cat.

?          Question mark        A quantifier that indicates that there are 0 or 1 of the
                                previous expression. For example, lo?se matches lse or lose.
                                Note: You must enter Ctrl+V and then the question mark or else
                                the help function is invoked.

*          Asterisk             A quantifier that indicates that there are 0, 1 or any number
                                of the previous expression. For example, lo*se matches lse,
                                lose, loose, etc.

+          Plus                 A quantifier that indicates that there is at least 1 of the
                                previous expression. For example, lo+se matches lose and loose,
                                but not lse.

{x}        Repeat quantifier    Repeat exactly x times. For example, ab(xy){3}z matches
                                abxyxyxyz.

{x,}       Minimum repeat       Repeat at least x times. For example, ab(xy){2,}z matches
           quantifier           abxyxyz, abxyxyxyz, etc.


Table 8-5    Metacharacters Used to Build Regular Expressions (continued)

Character  Description              Notes

[abc]      Character class          Matches any character in the brackets. For example, [abc]
                                    matches a, b, or c.

[^abc]     Negated character class  Matches a single character that is not contained within the
                                    brackets. For example, [^abc] matches any character other
                                    than a, b, or c. [^A-Z] matches any single character that is
                                    not an uppercase letter.

[a-c]      Character range class    Matches any character in the range. [a-z] matches any
                                    lowercase letter. You can mix characters and ranges:
                                    [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and
                                    so does [a-cq-z]. The dash (-) character is literal only if
                                    it is the last or the first character within the brackets:
                                    [abc-] or [-abc].

""         Quotation marks          Preserves trailing or leading spaces in the string. For
                                    example, " test" preserves the leading space when it looks
                                    for a match.

^          Caret                    Specifies the beginning of a line.

\          Escape character         When used with a metacharacter, matches a literal character.
                                    For example, \[ matches the left square bracket.

char       Character                When character is not a metacharacter, matches the literal
                                    character.

\r         Carriage return          Matches a carriage return 0x0d.

\n         Newline                  Matches a new line 0x0a.

\t         Tab                      Matches a tab 0x09.

\f         Formfeed                 Matches a form feed 0x0c.

\xNN       Escaped hexadecimal      Matches an ASCII character using hexadecimal (exactly two
           number                   digits).

\NNN       Escaped octal number     Matches an ASCII character as octal (exactly three digits).
                                    For example, the character 040 represents a space.


Related Topics

• Creating Regular Expression Objects, page 8-109

• Notes, page 8-113

• Add and Edit Regular Expression Dialog Boxes, page F-412

Notes

• If you entered any metacharacters in your text string that you want to be used literally, add the backslash (\) escape character before them. For example, example\.com.

• If you want to match upper and lower case characters, enter text in both upper- and lowercase. For example, cats is entered as [cC][aA][tT][sS].

Related Topics

• Creating Regular Expression Objects, page 8-109

• Add and Edit Regular Expression Dialog Boxes, page F-412
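The following Python example, added here and not part of the Security Manager guide or its code, exercises the Table 8-5 metacharacters and the two Notes above (escaping a metacharacter that must match literally, and matching both cases with character classes). It assumes that Python's re module agrees with the inspection-map engine for the subset listed in Table 8-5; the quotation-mark rule for leading and trailing spaces is not reproduced, and all test strings are constructed.

```python
import re
from typing import List, Tuple

# Metacharacters listed in Table 8-5 (assumed to be the complete set here).
METACHARACTERS = set('.()|?*+{}[]^"\\')


def escape_literal(text: str) -> str:
    """Escape every Table 8-5 metacharacter so the string is matched literally.

    This is the first rule in the Notes: put a backslash before any
    metacharacter that should be taken literally, e.g. example.com -> example\\.com
    """
    return "".join("\\" + ch if ch in METACHARACTERS else ch for ch in text)


def case_insensitive_literal(text: str) -> str:
    """Build a pattern that matches the text in either case.

    The map syntax has no case-insensitive flag, so each letter becomes a
    character class holding both cases, as the Notes show for cats ->
    [cC][aA][tT][sS]. Non-letters go through escape_literal().
    """
    parts = []
    for ch in text:
        if ch.isalpha() and ch.lower() != ch.upper():
            parts.append("[%s%s]" % (ch.lower(), ch.upper()))
        else:
            parts.append(escape_literal(ch))
    return "".join(parts)


def matches(pattern: str, text: str) -> bool:
    """Inspection regexes match anywhere in the inspected text (d.g matches
    doggonnit), so this uses re.search rather than re.match."""
    return re.search(pattern, text) is not None


# (pattern, strings that must match, strings that must not match). The
# patterns and matching strings come from Table 8-5; the non-matching
# strings are constructed for this example.
TABLE_EXAMPLES: List[Tuple[str, List[str], List[str]]] = [
    ("d.g", ["dog", "dag", "dtg", "doggonnit"], ["dg"]),
    ("d(o|a)g", ["dog", "dag"], ["dtg"]),
    ("do|ag", ["do", "ag"], ["dg"]),
    ("ab(xy){3}z", ["abxyxyxyz"], ["abxyxyz"]),
    ("dog|cat", ["dog", "cat"], ["cow"]),
    ("lo?se", ["lse", "lose"], ["loose"]),
    ("lo*se", ["lse", "lose", "loose"], ["lase"]),
    ("lo+se", ["lose", "loose"], ["lse"]),
    ("ab(xy){2,}z", ["abxyxyz", "abxyxyxyz"], ["abxyz"]),
    ("[abc]", ["a", "b", "c"], ["d"]),
    ("[^abc]", ["d"], ["a"]),
    ("[^A-Z]", ["a"], ["Q"]),
    ("[abcq-z]", ["a", "b", "c", "q", "z"], ["d", "p"]),
    ("[abc-]", ["-"], ["d"]),
    ("\\[", ["["], ["]"]),        # escaped metacharacter
    ("\\040", [" "], ["0"]),      # escaped octal: space
    ("\\x41", ["A"], ["a"]),      # escaped hexadecimal: A
]


def check_table_examples() -> List[str]:
    """Return a description of every Table 8-5 example that does not behave
    as the table says; an empty list means all examples hold."""
    failures = []
    for pattern, must_match, must_not in TABLE_EXAMPLES:
        for s in must_match:
            if not matches(pattern, s):
                failures.append("%r should match %r" % (pattern, s))
        for s in must_not:
            if matches(pattern, s):
                failures.append("%r should not match %r" % (pattern, s))
    return failures


if __name__ == "__main__":
    print("table examples failing:", check_table_examples())   # []
    print(escape_literal("example.com"))                        # example\.com
    print(case_insensitive_literal("cats"))                     # [cC][aA][tT][sS]
    # Unescaped, the dot is a wildcard and also matches examplexcom.
    print(matches("example.com", "examplexcom"),
          matches(escape_literal("example.com"), "examplexcom"))  # True False
```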

Creating TCP Map Objects


The TCP Maps object lets you customize inspection on TCP flow for both through
and to box traffic. The TCP Map objects page lets you create, view, and manage
TCP inspect maps.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure

Step 1

Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2

From the Object Type selector, select TCP Maps.

The TCP Maps page appears. For a description of the GUI elements, see Table F-232.


Step 3

Right-click inside the work area, then select New Object.

The Add TCP Map dialog box appears. For a description of the GUI elements, see Table F-233.

Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the TCP Maps table.

Step 6

Select from the list of settings.

Step 7

Select how to handle reserved bits.

Step 8

Enter values for TCP options. Do the following:

a. Enter the lower- and upper-bound values.

b. Select the action for handling the reserved bits.

c. Click Add.

Step 9

(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects, page 8-48.

Step 10

Click OK to save your changes.

The dialog box closes and you return to the TCP Map Objects page. The new object is shown in the table.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.

Related Topics

• TCP Maps Page, page F-413


Understanding Interface Role Objects


Interface role objects enable you to apply policies to specific interfaces on
multiple devices without having to manually define the name of each interface.
Because most devices follow a standard naming convention for their interfaces,
you can define a naming pattern that describes a particular interface type and then
assign a policy to all interfaces matching that pattern.
For example, you might define an interface role with a naming pattern of DMZ*.
When you include this interface role in a policy, the policy is applied to all
interfaces whose name begins with DMZ on the selected devices. As a result,
you can, for example, assign a policy that enables anti-spoof checking on all DMZ
interfaces to all relevant device interfaces with a single action. Interface roles can
refer to any of the actual interfaces on the device, including physical interfaces,
subinterfaces, and virtual interfaces, such as loopback interfaces.
Interface roles serve as an indirection entity between interfaces on the one hand
and policies on the other. This enables you to apply policies to particular device
interfaces based on the assigned role. Additionally, if you change the naming
convention used for a particular interface type, you do not need to determine
which policies are affected by the change. All you do is edit the interface role.
Interface roles are especially useful when applying policies to new devices. As
long as the devices you are adding share the same interface naming scheme as
existing devices, the relevant policies can be extended to them without the need
to make additional assignments.
Security Manager includes the following predefined interface roles:

• All-Interfaces

• Internal

• External

The following topics describe how to work with interface role objects:

• Creating Interface Role Objects, page 8-116

• Specifying Interfaces During Policy Definition, page 8-118

• Exceptional Cases When Using Interface Roles, page 8-119

Related Topics

• Understanding the Policy Object Manager Window, page 8-5

• Creating Objects, page 8-2



Creating Interface Role Objects


You can create interface role objects that represent one or more interfaces on
devices. These interface roles can then be used when you define policies that
require interfaces. When you create an interface role object, you must define the
naming pattern of the device interfaces to include in the object. Interface roles can
refer to any of the actual interfaces on the device, including physical interfaces,
subinterfaces, and virtual interfaces.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override interface role object definitions at the device level, which enables you to
associate the role with specific interfaces on a particular device. For more
information, see Managing Object Overrides, page 8-12.
This procedure describes how to create interface role objects.

Tip

You can also create interface role objects when you define policies or objects that
use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Interface Roles from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The Interface Role dialog box appears. For a description of the fields in this dialog
box, see Table F-235 on page F-420.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).


Step 6

Enter one or more naming patterns for the interface role object. This pattern
defines the device interfaces to include in the definition of the interface role.
Separate multiple patterns with commas.
Two wildcards are available:

• You can use a period (.) as a wildcard to represent a single character.

• You can use an asterisk (*) as a wildcard at the end of a pattern to represent multiple interfaces with similar names. (An asterisk can also be used on its own to indicate all interfaces.)

If the pattern does not include a wildcard, it must match the exact name of the
interface. For example, the pattern FastEthernet will not match FastEthernet0/1
unless you include an asterisk at the end of the pattern.

Note

When the pattern defines a subinterface, enter a backslash (\) before the
period. Otherwise, Security Manager treats the period as a wildcard.

Step 7

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 8

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. By default, all
interface role objects can be overridden. See Allowing a Global Object to Be
Overridden, page 8-198.

Step 9

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.


Related Topics

• Specifying Interfaces During Policy Definition, page 8-118

• Understanding the Policy Object Manager Window, page 8-5

• Understanding Interface Role Objects, page 8-115

• Exceptional Cases When Using Interface Roles, page 8-119

Specifying Interfaces During Policy Definition


Security Manager provides you with several options for specifying an interface when defining a policy:

• Entering the name of an interface manually. (To manually enter a subinterface, see Defining Subinterfaces, page 8-118.)

• Entering the name of an interface role manually. See Understanding Interface Role Objects, page 8-115.

• Selecting an interface or interface role from a list. For more information, see Selecting Objects for Policies, page 8-203.

When the policy allows multiple interfaces, each entry must be separated by a comma.
Defining Subinterfaces

If you manually define a subinterface as part of a policy definition, be sure to enter a backslash (\) before the period. If you enter the period without the backslash, Security Manager treats the period as a wildcard for a single character.

For example, if you want to define Ethernet1/1.0 as part of an access rule, you need to enter Ethernet1/1\.0 in the Interfaces field. If you enter Ethernet1/1.0 instead, the interface role will match interfaces named Ethernet1/1.0 and Ethernet1/1/0, since the period on its own is treated as a wildcard.

Note

Subinterfaces always appear with a backslash in object selectors.
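The pattern rules from Step 6 of Creating Interface Role Objects and from Defining Subinterfaces, worked through in Python so the subinterface pitfall above is visible on a list of names. This is an added example, not Security Manager code: the device interface list is constructed, and rejecting an asterisk anywhere but the end of a pattern is an assumption, since the guide only documents it there.

```python
import re
from typing import List, Optional


def pattern_to_regex(pattern: str) -> str:
    """Translate one interface role naming pattern into a regex fragment.

    Rules from Step 6 and Defining Subinterfaces:
      .    matches exactly one character
      \\.   matches a literal period (the subinterface separator)
      *    at the end of the pattern matches any suffix; on its own, all interfaces
    Anything else must match literally. An asterisk elsewhere is rejected here
    because the guide only documents it at the end (assumption).
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] == ".":
            out.append(r"\.")            # escaped period: literal
            i += 2
            continue
        if ch == ".":
            out.append(".")              # single-character wildcard
        elif ch == "*":
            if i != len(pattern) - 1:
                raise ValueError("asterisk is only supported at the end: %r" % pattern)
            out.append(".*")             # trailing wildcard
        else:
            out.append(re.escape(ch))    # literal character
        i += 1
    return "".join(out)


def compile_role(patterns: str) -> "re.Pattern[str]":
    """Compile a comma-separated list of naming patterns (one interface role).
    Whitespace around each pattern is ignored (assumption)."""
    alternatives = [pattern_to_regex(p.strip()) for p in patterns.split(",") if p.strip()]
    if not alternatives:
        raise ValueError("an interface role needs at least one pattern")
    return re.compile("(?:" + "|".join(alternatives) + ")")


def interfaces_for_role(patterns: str, interface_names: List[str]) -> List[str]:
    """Return every interface whose whole name the role matches, in device order."""
    role = compile_role(patterns)
    return [name for name in interface_names if role.fullmatch(name)]


def first_interface_for_role(patterns: str, interface_names: List[str]) -> Optional[str]:
    """A policy that accepts a single interface uses the first interface found
    with the role and ignores the rest (see Exceptional Cases When Using
    Interface Roles); None means the role matches nothing on this device."""
    found = interfaces_for_role(patterns, interface_names)
    return found[0] if found else None


# Constructed interface list for a hypothetical device.
DEVICE_INTERFACES = [
    "Ethernet1/1", "Ethernet1/1.0", "Ethernet1/1/0",
    "FastEthernet0/1", "FastEthernet0/2",
    "DMZ1", "DMZ-outside", "Loopback0",
]

if __name__ == "__main__":
    for role in ["Ethernet1/1.0", "Ethernet1/1\\.0", "FastEthernet",
                 "FastEthernet*", "DMZ*, Loopback0", "*"]:
        print("%-18s -> %s" % (role, interfaces_for_role(role, DEVICE_INTERFACES)))
    # Ethernet1/1.0 also picks up Ethernet1/1/0; Ethernet1/1\.0 does not.
```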


Distinguishing Interfaces from Interface Roles

When using the selector, be aware that there may be interfaces and interface roles
with the same name. They can be distinguished by the icon displayed next to the
name, as shown in Table 8-6.

Table 8-6    Icons for Interfaces and Interface Roles

Type            Icon

Interface       [image]

Interface role  [image]

Related Topics

• Basic Interface Settings on Cisco IOS Routers, page 14-21

• Configuring Firewall Device Interfaces, page 15-3

• Understanding Interface Role Objects, page 8-115

• Creating Interface Role Objects, page 8-116

• Exceptional Cases When Using Interface Roles, page 8-119

Exceptional Cases When Using Interface Roles


This section describes exceptional cases that can occur when defining interface roles in policies.
One Interface Role Assigned to Multiple Interfaces

When using interface roles, you might define a role that applies to more than one
interface on a device. For example, the All-Ethernets interface role might be
assigned to two different Ethernet interfaces on the device. If you then define a
policy requiring a single interface definition that includes the All-Ethernets
interface role, a warning message tells you that Security Manager will use the first
interface on the device it finds with that role. Any other interfaces assigned the
same role are ignored.


Interfaces and Interface Roles with the Same Name

Under normal circumstances, you can configure an interface role that has the same
name as an actual interface on the device. If you use object selectors when
defining policies (see Selecting Objects for Policies, page 8-203), both the
interface and the interface role are listed as available choices, enabling you to
select either option. If you type in this common name when you define a policy,
Security Manager automatically associates the interface role with the policy, not
the interface.
However, a naming conflict can occur under the following circumstances:

1. You type the name of an interface when defining a policy.

2. You later create an interface role that has the same name.

3. You type this name again when defining a policy.

4. You click Select to display the object selector, or Save to save the policy.

When this sequence of events occurs, the Interface Name Conflict Dialog Box,
page F-421 is displayed. From here, you can select whether to include the
interface or the interface role in the policy.
Related Topics

• Specifying Interfaces During Policy Definition, page 8-118

• Understanding Interface Role Objects, page 8-115

• Creating Interface Role Objects, page 8-116

Understanding IPsec Transform Set Objects


A transform set comprises a combination of security protocols, algorithms and
other settings that specify exactly how the data in the IPsec tunnel will be
encrypted and authenticated. During IPsec security association negotiation, the
peers agree to use a particular transform set when protecting a particular data
flow. When defining a transform set, you can make use of the AH (authentication
header) protocol, the ESP (encapsulation security protocol) protocol, or both.
When using ESP, you can specify whether to use ESP encryption only, or ESP
encryption together with ESP authentication. Additionally, you can use the
transform set to specify whether to compress the traffic being carried over the
IPsec tunnel.


Note

We recommend using both encryption and authentication on IPsec tunnels.

IPsec transform set objects are used when defining IPsec proposal policies for VPNs. For more information, see Configuring IPsec Proposals, page 9-77.

To create an IPsec transform set object, see Creating IPsec Transform Set Objects, page 8-122.

Related Topics

• IPsec Protocols, page 8-121

• IPsec Modes, page 8-122

• Understanding the Policy Object Manager Window, page 8-5

• Creating Objects, page 8-2

IPsec Protocols

Two different security protocols are included within the IPsec standard:

• Encapsulating Security Protocol (ESP): provides authentication, encryption, and anti-replay services. ESP is IP protocol type 50.

• Authentication Header (AH): provides authentication and anti-replay services. AH does not provide encryption and has largely been superseded by ESP. AH is IP protocol type 51.

When using ESP, you can choose from several encryption options, including:

• Data Encryption Standard (DES)

• 3DES (requires 3DES license)

• Advanced Encryption Standard (AES 128-bit, 192-bit, and 256-bit)

ESP and AH perform authentication through the use of a hash algorithm, which creates a message digest to ensure message integrity. Both ESP and AH offer the following authentication options:

• Message Digest 5 (MD5): produces a 128-bit digest. MD5 uses less processing time than SHA, but is less secure.

• Secure Hash Algorithm (SHA): produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5, but requires more processing time.

Related Topics

• IPsec Modes, page 8-122

• Creating IPsec Transform Set Objects, page 8-122

• Understanding IPsec Transform Set Objects, page 8-120

IPsec Modes

IPsec can operate in the following modes:

• Tunnel Mode: tunnel mode encapsulates the entire IP packet. The IPsec header is added between the original IP header and a new IP header. Tunnel mode is used when the firewall is protecting traffic to and from hosts positioned behind the firewall. Tunnel mode is the normal way regular IPsec is implemented between two firewalls (or other security gateways) that are connected over an untrusted network, such as the Internet.

• Transport Mode: transport mode encapsulates only the upper-layer protocols of an IP packet. The IPsec header is inserted between the IP header and the upper-layer protocol header (such as TCP). Transport mode requires that both the source and destination hosts support IPsec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet. Transport mode is generally used only when protecting a Layer 2 or Layer 3 tunneling protocol such as GRE, L2TP, and DLSW.

Related Topics

• IPsec Protocols, page 8-121

• Creating IPsec Transform Set Objects, page 8-122

• Understanding IPsec Transform Set Objects, page 8-120

Creating IPsec Transform Set Objects


You can create IPsec transform set objects for use in IPsec proposals when
defining site-to-site and remote access VPNs. When you create an IPsec transform
set object, you must select the mode in which IPsec should operate, as well as
define the required encryption and authentication types. Additionally, you can
select whether to include compression in the transform set.


This procedure describes how to create IPsec transform set objects.

Tip

You can also create IPsec transform set objects when defining policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select IPsec Transform Sets from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The IPsec Transform Set dialog box appears. For a description of the fields in this
dialog box, see Table F-238 on page F-424.

Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Select the required IPsec mode, tunnel or transport. For more information, see
IPsec Modes, page 8-122.

Step 7

(Optional) Select the type of ESP encryption and authentication to use in the
transform set. If the AH protocol is being used instead of ESP, leave this field
blank, then select the type of AH authentication to use. For more information, see
IPsec Protocols, page 8-121.

Step 8

(Optional) Select the Compression check box to compress the data in the IPsec
tunnel.

Step 9

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 10

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.


Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding IPsec Transform Set Objects, page 8-120

Understanding LDAP Attribute Map Objects


Use the LDAP Attribute Map page to create and name an attribute map for
mapping custom (user-defined) attribute names to Cisco LDAP attribute names.
If you are introducing a security appliance to an existing LDAP directory, your
existing custom LDAP attribute names and values are probably different from the
Cisco attribute names and values. Rather than renaming your existing attributes,
you can create LDAP attribute maps that map your custom attribute names and
values to Cisco attribute names and values. By using simple string substitution,
the security appliance then presents you with only your own custom names and
values. You can then bind these attribute maps to LDAP servers or remove them
as needed. You can also delete entire attribute maps or remove individual name
and value entries.
For more information regarding AAA Support on ASA devices, see LDAP,
page 8-27.
Related Topics

Creating LDAP Attribute Map Objects, page 8-125

LDAP Attribute Maps Page, page F-426


Creating LDAP Attribute Map Objects


Use the Add and Edit LDAP Attribute Map dialog boxes to add or edit an existing
LDAP attribute map.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select LDAP Attribute Maps from the Object Type selector.

Step 3

Right-click inside the work area, then select New Object.


The Add LDAP Attribute Map dialog box appears. For a description of the GUI
elements, see Table F-240.

Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the LDAP Attribute Maps table.

Step 6

Right-click inside the table, then select Add Row.


The Add LDAP Attribute Map Value dialog box appears. For a description of the
GUI elements, see Table F-241.

Step 7

Enter the name of the custom map.

Step 8

Select the Cisco map name from the list.

Step 9

Right-click inside the table, then select Add Row.


The Add Map Value dialog box appears. For a description of the GUI elements,
see Table F-242.

Step 10

Enter the Custom Map Value.

Step 11

Enter the Cisco Map Value.

Step 12

Click OK to save your changes.


The Add Map Value dialog box closes and you return to the Add LDAP Attribute
Map Value dialog box. The new values are displayed in the table.


Step 13

Click OK to save your changes.


The Add LDAP Attribute Map Value dialog box closes and you return to the
LDAP Attribute Maps page. The new object is shown in the table.

Step 14

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 15

(Optional) Select Allow Value Override per Device to allow the global
properties of this object to be redefined on individual devices. For more
information, see Allowing a Global Object to Be Overridden, page 8-198.

Note

Selecting this check box does not by itself define any override values.
Before you can set the override values, you must first save the policy
object. Go to Step 16.

Step 16

Click OK to save your changes.

The Add LDAP Attribute Map dialog box closes and you return to the LDAP
Attribute Maps page. The new object is shown in the table.

Step 17

You can now select override values for the policy object. For more information,
see Managing Object Overrides, page 8-12.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.
Related Topics

Understanding LDAP Attribute Map Objects, page 8-124

Overriding Global Objects for Individual Devices, page 8-197


Understanding Network/Host Objects


Network/host objects are logical collections of IP addresses that represent
networks, hosts, or both. They can contain one or more network or host IP
addresses, as well as other network/host objects. You can reference network/host
objects when defining a variety of policies, instead of specifying each network or
host individually. By collecting multiple objects in a network/host object, you can
refer to all objects in the group as a single item.
Network/host objects can contain the following:

Networks or subnets, specified by IP addresses and subnet masks.

Individual hosts, specified by IP addresses.

Other network/host objects, specified by selecting from a list of existing
objects.

Network/host objects make it easier to manage scalable policies. By using the
associative capabilities of network/host objects, you can expand your policies
along with your network. For example, when you make changes to the list of
addresses contained in a network/host object, the changes propagate to all other
network/host objects and to policies that refer to that network/host object.
The following topics describe how to work with network/host objects:

Creating Network/Host Objects, page 8-131

Using Unspecified Network/Host Objects, page 8-134

Supported IP Address Formats, page 8-128

Contiguous and Discontiguous Network Masks, page 8-129

Specifying IP Addresses During Policy Definition, page 8-135

Related Topics

How Network/Host Objects are Provisioned as PIX/ASA Object Groups,
page 8-212

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2


Supported IP Address Formats


When defining network/host objects, you can use any of the following formats:

Host address: x.x.x.x (where x is a value between 0-255)
Example: 192.0.2.252

Network IP address: x.x.x.x/y (where x is a value between 0-255, and y is a
value between 1-32)
Example: 192.0.2.0/24

Network IP address: x.x.x.x/x.x.x.x (where x is a value between 0-255)
Example: 192.0.2.0/255.255.255.0

IP address range: x.x.x.x-x.x.x.x
Example: 192.0.2.14-192.0.2.112

Note

IP address ranges can span more than one subnet.

You cannot define an IP address range with a network mask when defining a
network/host object. You can, however, add the network mask when entering
the address range directly in a policy. See Specifying IP Addresses During
Policy Definition, page 8-135.

For more information about how Security Manager works with network
masks, see Contiguous and Discontiguous Network Masks, page 8-129.
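As an added illustration (not code from the Cisco guide), the following Python function checks a single Networks/Hosts entry against the four formats listed above and rejects a range that carries a mask, which is allowed only when an address is typed directly into a policy. The function name parse_entry and the returned tuples are my own choices.

```python
import re
from ipaddress import IPv4Address

# One decimal octet in the range 0-255, written without leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_DOTTED = rf"{_OCTET}(?:\.{_OCTET}){{3}}"

# The four formats accepted in a network/host object (listed above).
_HOST = re.compile(rf"^({_DOTTED})$")                 # x.x.x.x
_CIDR = re.compile(rf"^({_DOTTED})/(\d{{1,2}})$")     # x.x.x.x/y
_MASK = re.compile(rf"^({_DOTTED})/({_DOTTED})$")     # x.x.x.x/x.x.x.x
_RANGE = re.compile(rf"^({_DOTTED})-({_DOTTED})$")    # x.x.x.x-x.x.x.x


def parse_entry(text):
    """Classify one Networks/Hosts entry.

    Returns ("host" | "network" | "range", normalized_value) and raises
    ValueError for anything outside the documented formats, including a
    range with a mask (allowed only when typing an address into a policy,
    not when defining a network/host object).
    """
    entry = text.strip()

    m = _HOST.match(entry)
    if m:
        # A bare host is a /32; the guide says the /32 mask need not be typed.
        return "host", m.group(1)

    m = _CIDR.match(entry)
    if m:
        prefix = int(m.group(2))
        if not 1 <= prefix <= 32:                      # y must be 1-32
            raise ValueError(f"prefix length must be 1-32: {entry}")
        return "network", f"{m.group(1)}/{prefix}"

    m = _MASK.match(entry)
    if m:
        # Dotted masks are kept as typed here; whether the mask is contiguous
        # is the concern of Contiguous and Discontiguous Network Masks.
        return "network", entry

    m = _RANGE.match(entry)
    if m:
        first, last = IPv4Address(m.group(1)), IPv4Address(m.group(2))
        if first > last:
            raise ValueError(f"range start is after range end: {entry}")
        # Ranges may span more than one subnet, so no boundary check is made.
        return "range", f"{first}-{last}"

    if "-" in entry and "/" in entry:
        raise ValueError(
            f"a range cannot carry a mask in a network/host object: {entry}")
    raise ValueError(f"unsupported address format: {entry}")
```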

Network/Host Object Optimization

Security Manager optimizes the addresses that you define in network/host objects
by removing redundant entries and combining adjacent entries. For example,
192.168.1.0 and 192.168.1.1 are combined as 192.168.1.0/31. Optimization
reduces the size of your configuration and provides better performance and
memory usage.
To perform optimization, the adjacent addresses must be located on the same
subnet boundary (as defined by the CIDR notation). For example, take the
following addresses:

10.1.1.228 (00001010 00000001 00000001 11100100 in binary)

10.1.1.229 (00001010 00000001 00000001 11100101)

These two addresses can be optimized as 10.1.1.228/31. However, in the case of
these two addresses:

10.1.1.227 (00001010 00000001 00000001 11100011)

10.1.1.228 (00001010 00000001 00000001 11100100)

Security Manager cannot optimize these addresses because there is no way to
define a subnet boundary without including additional addresses.
In addition, optimization cannot be performed in the following circumstances:

On ACLs.

On nested network/host objects, which are objects that refer to other objects
as part of their definition.

Note

IP addresses that you enter directly when you define a policy (for example, in the
Source and Destination fields of an access rule) are not optimized.
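The optimization rule above can be stated precisely: two entries combine only when they are the two halves of one larger block. The following Python code, added here and not taken from Security Manager, implements that rule and exercises it on the 10.1.1.228/229 and 10.1.1.227/228 examples; the names can_merge and optimize are my own, and the standard library's collapse_addresses is used only as a cross-check.

```python
from ipaddress import IPv4Network, collapse_addresses


def can_merge(a, b):
    """True when a and b are the two halves of one larger block.

    Both must have the same prefix length and agree on every bit above the
    last network bit, i.e. sit on a common subnet boundary. 10.1.1.228/32 and
    10.1.1.229/32 differ only in the last bit and merge into 10.1.1.228/31;
    10.1.1.227/32 and 10.1.1.228/32 differ in the low three bits, so no
    boundary covers them without pulling in additional addresses.
    """
    a, b = IPv4Network(str(a)), IPv4Network(str(b))   # accept str or network
    if a.prefixlen != b.prefixlen or a.prefixlen == 0 or a == b:
        return False
    shift = 32 - a.prefixlen + 1        # drop the one bit that tells them apart
    return (int(a.network_address) >> shift) == (int(b.network_address) >> shift)


def _sort_key(net):
    return (int(net.network_address), net.prefixlen)


def optimize(entries):
    """Remove redundant entries and combine adjacent ones; returns CIDR strings.

    This is the behaviour the guide describes for the contents of a
    network/host object. It is not applied to nested objects or to addresses
    typed directly into a policy, so callers must not use it there.
    """
    nets = sorted({IPv4Network(e) for e in entries}, key=_sort_key)

    # 1. Drop entries already covered by a larger entry (redundant entries).
    #    Sorting puts every supernet before the subnets it contains.
    kept = []
    for net in nets:
        if not any(net.subnet_of(big) for big in kept):
            kept.append(net)

    # 2. Merge neighbouring halves, repeating until nothing more combines
    #    (two /32s become a /31, two aligned /31s become a /30, and so on).
    changed = True
    while changed:
        changed = False
        merged = []
        i = 0
        while i < len(kept):
            if i + 1 < len(kept) and can_merge(kept[i], kept[i + 1]):
                merged.append(kept[i].supernet())   # one prefix bit shorter
                i += 2
                changed = True
            else:
                merged.append(kept[i])
                i += 1
        kept = merged
    return [str(n) for n in kept]


def optimize_reference(entries):
    """Standard-library result, used only to cross-check optimize()."""
    nets = [IPv4Network(e) for e in entries]
    return [str(n) for n in collapse_addresses(nets)]
```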
Related Topics

Specifying IP Addresses During Policy Definition, page 8-135

Creating Network/Host Objects, page 8-131

Using Unspecified Network/Host Objects, page 8-134

Understanding the Policy Object Manager Window, page 8-5

Understanding Network/Host Objects, page 8-127

Contiguous and Discontiguous Network Masks


A network mask determines which portion of an IP address identifies the network
and which portion identifies the host. Like the IP address, the mask is represented
by four octets. (An octet is an 8-bit binary number equivalent to a decimal number
in the range 0-255.) If a given bit of the mask is 1, the corresponding bit of the IP
address is in the network portion of the address, and if a given bit of the mask is 0,
the corresponding bit of the IP address is in the host portion.
Standard, or contiguous, network masks start with zero or more 1s followed by
zero or more 0s, as described by the regular expression 1^x 0^(32-x). This kind of
network mask is considered contiguous because it represents a network that
consists of a contiguous IP address range. For example, the network
192.168.1.0/255.255.255.0 contains all the IP addresses ranging from
192.168.1.0 to 192.168.1.255.
Table 8-7 shows different methods of representing commonly used standard
network masks:
Table 8-7    Standard Network Masks

Dotted Decimal Notation    Classless Inter-Domain Routing (CIDR) Notation
255.0.0.0                  /8
255.255.0.0                /16
255.255.255.0              /24
255.255.255.255            /32

For example, 255.255.255.0 indicates that the first three octets of the IP address
(24 bits or /24 in CIDR notation) are made up of ones and identify the network;
the last octet is made up of zeros and identifies the host.
Discontiguous Network Masks

Nonstandard, or discontiguous, network masks are masks that do not conform to
the format 1^x 0^(32-x). Although discontiguous network masks are not typically
used for network configurations, they are sometimes used for certain commands,
such as filtering commands when defining access control lists (ACLs). Security
Manager supports the use of nonstandard network masks in the policies whose
CLI commands support them. An error is displayed if you try to define a
discontiguous network mask in a policy that does not support them.
Network Masks and Discovery

During discovery, Security Manager attempts to match network/host objects with
existing equivalent objects defined in the Policy Object Manager:

For contiguous network masks: Two network/host objects containing only
standard networks are considered equivalent if they consist of the same set of
IP addresses.

For discontiguous network masks: Two network/host objects are considered
equivalent only if the standard networks consist of the same set of IP
addresses and the nonstandard networks are syntactically equivalent.


How Network Masks are Displayed

Although you can enter both contiguous and discontiguous network masks using
dotted decimal notation, all contiguous network masks are converted to CIDR
notation. This makes it easier to distinguish them from discontiguous network
masks, which are displayed in dotted decimal notation only.
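Added Python example, not from the Cisco guide, covering the three rules in this section: testing a mask against 1^x 0^(32-x), showing contiguous masks in CIDR notation while leaving discontiguous masks in dotted decimal, and the discovery matching rule for standard versus nonstandard networks. The function names are my own, and object contents are assumed to be host or network entries (address ranges are left out).

```python
from ipaddress import IPv4Address, IPv4Network, collapse_addresses


def mask_prefix_length(mask):
    """Return x if the dotted mask has the form 1^x 0^(32-x), else None."""
    value = int(IPv4Address(mask))
    inverted = ~value & 0xFFFFFFFF
    # Inverting a contiguous mask gives 0...01...1, one less than a power of
    # two; any other pattern leaves a bit set in inverted & (inverted + 1).
    if inverted & (inverted + 1):
        return None
    return 32 - inverted.bit_length()


def display_form(entry):
    """Show an entry the way the guide describes: contiguous masks are
    converted to CIDR notation, discontiguous masks stay in dotted decimal."""
    addr, sep, mask = entry.partition("/")
    if not sep or "." not in mask:
        return entry                      # bare host or already CIDR
    prefix = mask_prefix_length(mask)
    return f"{addr}/{prefix}" if prefix is not None else entry


def is_discontiguous(entry):
    """True when the entry still shows a dotted mask after display conversion."""
    return "." in display_form(entry).partition("/")[2]


def check_for_policy(entry, policy_allows_discontiguous):
    """Mirror the error Security Manager raises for a discontiguous mask in a
    policy whose CLI commands do not support one."""
    if is_discontiguous(entry) and not policy_allows_discontiguous:
        raise ValueError(f"discontiguous network mask not supported here: {entry}")
    return display_form(entry)


def _split(entries):
    """Separate an object's entries into standard networks and nonstandard
    (discontiguous) ones, the two parts discovery compares differently."""
    standard, nonstandard = [], []
    for entry in entries:
        if is_discontiguous(entry):
            nonstandard.append(display_form(entry))   # compared syntactically
        else:
            standard.append(IPv4Network(display_form(entry)))
    return standard, nonstandard


def discovered_equivalent(obj_a, obj_b):
    """Discovery matching rule: standard networks must cover the same set of
    IP addresses, nonstandard networks must be syntactically equivalent."""
    std_a, non_a = _split(obj_a)
    std_b, non_b = _split(obj_b)
    # collapse_addresses yields the unique minimal CIDR list for a set of
    # addresses, so equal lists mean equal address sets.
    same_addresses = list(collapse_addresses(std_a)) == list(collapse_addresses(std_b))
    return same_addresses and sorted(non_a) == sorted(non_b)
```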
Related Topics

Supported IP Address Formats, page 8-128

Creating Network/Host Objects, page 8-131

Specifying IP Addresses During Policy Definition, page 8-135

Using Unspecified Network/Host Objects, page 8-134

Understanding Network/Host Objects, page 8-127

Creating Network/Host Objects


You can create network/host objects to represent networks or individual hosts.
When you create a network/host object, you can include one or more IP addresses
and address ranges in IPv4 format. Additionally, you can include existing
network/host objects in a new network/host object. For example, you can create a
network/host object that comprises two existing network/host objects, a range of
IP addresses, and two additional IP addresses.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override network/host object definitions at the device level, which enables you to
associate the object with a specific IP address used by a particular device. For
more information, see Overriding Global Objects for Individual Devices,
page 8-197.
This procedure describes how to create network/host objects.


Tip

You can create network/host objects when defining policies or objects that
use this object type. For more information, see Selecting Objects for Policies,
page 8-203.

In addition, you can right-click the source or destination defined in an access
rule or AAA rule and create a network/host object directly from the contents
of the cell. For more information, see Editing Access Rules, page 12-65 and
Editing AAA Rules, page 12-94.

Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Networks/Hosts from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The Network/Host dialog box appears. For a description of the fields in this dialog
box, see Table F-244 on page F-433.

Step 4

Enter a name for the object. The name must begin with a letter.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Under Networks/Hosts, enter the addresses (including network masks; the /32
host mask is not required) and/or address ranges to include in the object, or click
Select to display a selector (see Selecting Objects for Policies, page 8-203). Use
a - to separate the first and last IP address in an address range.
If the network you want is not listed, click the Create button or the Edit button to
display the Network/Host Dialog Box, page F-433. From here you can define a
network/host object.

Note

See Supported IP Address Formats, page 8-128 for a complete list of
supported formats.


Tip

You can leave this field blank when creating a global object that will be
overridden on all devices that use the object. See Using Unspecified
Network/Host Objects, page 8-134.

Step 7

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 8

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Note

You must select this option when creating a network/host object with an
unspecified value.

Step 9

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Supported IP Address Formats, page 8-128

Contiguous and Discontiguous Network Masks, page 8-129

Specifying IP Addresses During Policy Definition, page 8-135

Using Unspecified Network/Host Objects, page 8-134

Understanding Network/Host Objects, page 8-127

How Network/Host Objects are Provisioned as PIX/ASA Object Groups,
page 8-212


Using Unspecified Network/Host Objects


When you define network/host objects, you can leave the Networks/Hosts field
blank, thereby creating a network/host object with an unspecified value. Use this
feature to create global network/host objects that are overridden on every device
that uses them.
The advantage of using a network/host object with an unspecified value is that
Security Manager displays an error if you submit your changes without creating
a device-level override on every device using the object; by contrast, when you
define the global object with a placeholder value (such as, 10.10.10.10), that
global value could be deployed by mistake if you fail to define an override.
The following procedure describes how to create and implement network/host
objects with unspecified values.
Procedure
Step 1

Create a network/host object, making sure to:

Leave the Networks/Hosts field blank.

Select the Allow Value Override per Device check box.

For more information, see Creating Network/Host Objects, page 8-131.


Step 2

Create overrides for each device that will use the object:

a. In the Overridable column for the object on the Networks/Hosts page,
double-click the green checkmark. The Policy Object Overrides window is
displayed. See Table F-315 on page F-565.

b. Select the devices on which you want to create overrides, then define a value
in the Networks/Hosts field. At this point, this override value applies to all
the selected devices. For more information, see Creating Object Overrides for
Multiple Devices, page 8-200.

c. Double-click each device in the Policy Object Overrides dialog box, then
modify the Networks/Hosts field for the value required by that device.

Step 3

Define the policy that requires the network/host object. You can use one of two
methods:

Define the policy on a single device in Device view, share the policy, then
assign the policy to the other devices. See Sharing a Local Policy, page 6-28
and Modifying Shared Policy Assignments in Device View, page 6-39.

Create a shared policy in Policy view, then assign the policy to the other
devices using the Assignments tab. See Modifying Policy Assignments in
Policy View, page 6-46.

Note

You can create a network/host object that refers to a network/host object with
an unspecified value.

You do not have to create the device-level overrides before you assign the
policy containing the object to devices.

Related Topics

Creating Network/Host Objects, page 8-131

Overriding Global Objects for Individual Devices, page 8-197

Supported IP Address Formats, page 8-128

Contiguous and Discontiguous Network Masks, page 8-129

Specifying IP Addresses During Policy Definition, page 8-135

Understanding Network/Host Objects, page 8-127

Specifying IP Addresses During Policy Definition


Security Manager provides you with several options for specifying an IP address
when defining a policy:

Entering the IP address manually.

Entering an IP address range manually. You can add a network mask in CIDR
or dotted decimal format, if required (for example, when defining tunnel
groups or dynamic NAT policies).

Note

Adding network masks to an IP address range is not supported when
defining a network/host object. See Supported IP Address Formats,
page 8-128.

Entering the name of a network/host object that represents one or more IP
addresses. See Understanding Network/Host Objects, page 8-127.

Selecting a network/host object from a list. For more information, see
Selecting Objects for Policies, page 8-203.

When you create a network/host object or define IP addresses as part of a policy,
Security Manager verifies that the syntax of the address is correct and that a mask
was entered where required. For example, when you define a policy that requires
a host, you do not need to enter a mask. However, when you define a policy that
requires a subnet, you must enter the address with the mask or select a
network/host object that has a mask defined.

Note

For more information about the types of addresses you can enter, see
Supported IP Address Formats, page 8-128.

If the policy requires a specific type of IP address, such as a subnet, other
types of IP addresses are not accepted.

When the policy allows multiple addresses, you must separate each entry with
a comma.

IP addresses that you enter directly when defining a policy (for example, in
the Source and Destination fields of an access rule) are not optimized. For
more information, see Network/Host Object Optimization, page 8-128.

Related Topics

Creating Network/Host Objects, page 8-131

Contiguous and Discontiguous Network Masks, page 8-129

Using Unspecified Network/Host Objects, page 8-134

Understanding the Policy Object Manager Window, page 8-5

Understanding Network/Host Objects, page 8-127

Understanding PKI Enrollment Objects


PKI (public key infrastructure) enrollment objects define the Certification
Authority (CA) servers that operate within a public key infrastructure. CA
servers, also known as trustpoints, manage public PKI certificate requests and
issue certificates to participating IPsec network devices. CA servers provide
centralized key management for the participating devices, eliminating the need
for you to configure keys on each device. Instead, you enroll each participating
device with a CA server, which is explicitly trusted to validate identities and
create a digital certificate for that device. When peers must negotiate a secured
communication session, they validate the identity of the other peer and establish
an encrypted session with the public keys contained in the certificates.
CAs can also revoke certificates for devices that will no longer participate in
IPsec. Revoked certificates are either managed by an Online Certificate Status
Protocol (OCSP) server or are listed in a certificate revocation list (CRL) stored
on an LDAP server, which each peer can check before accepting a certificate from
another peer.
PKI can be set up in a hierarchical framework consisting of multiple CAs. At the
top of the hierarchy is a root CA, which holds a self-signed certificate. The trust
within the entire hierarchy is derived from the RSA key pair of the root CA.
Subordinate CAs within the hierarchy can enroll with either the root CA or
another subordinate CA. Within a hierarchical PKI, all enrolled peers can validate
each other's certificates if the peers share a trusted root CA certificate or a
common subordinate CA.
A PKI enrollment object identifies the name and URL of a particular CA server,
specifies the revocation-checking method that server uses, and defines the
parameters that devices require to enroll with that server. In addition, a PKI
enrollment object can define additional information for inclusion in certificate
requests. When using a hierarchical PKI framework, the PKI enrollment object
specifies the trusted servers located above this server in the established hierarchy.
PKI enrollment objects are used in PKI policies. For more information, see
Understanding Public Key Infrastructure Policies, page 9-87.
To create a PKI enrollment object, see Creating PKI Enrollment Objects,
page 8-138.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2


Creating PKI Enrollment Objects


You can create PKI enrollment objects to define the properties of a CA server used
when devices exchange certificates as part of an IPsec network. When you create
a PKI enrollment object, you define a name for the server and the URL for
enrollment. You must specify whether the devices you wish to enroll with this
server should retrieve the CA server's own certificate using the Simple Certificate
Enrollment Process (SCEP) or use a certificate that you have entered manually
into the device configuration. You must also select the method of support used by
the CA server for revocation checking.
In addition, you can optionally define the following:

Whether the CA server is acting as a Registration Authority (RA) server.

Enrollment parameters, including retry settings and RSA key pair settings.

Additional attributes to include in the certificate request.

The list of trusted CA servers located above this server in the PKI hierarchy.

Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override PKI enrollment object definitions at the device level, which enables you
to associate a specific CA server with a particular device. For more information,
see Managing Object Overrides, page 8-12.
This procedure describes how to create a PKI enrollment object.

Tip

You can also create PKI enrollment objects when defining policies or objects that
use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select PKI Enrollments from the Object Type selector.


Step 3

Right-click in the work area, then select New Object.


The PKI Enrollment dialog box appears. For a description of the fields in this
dialog box, see Table F-246 on page F-437.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Define the properties of the PKI enrollment object, as described in the following
topics:

Defining CA Server Properties, page 8-140

Defining PKI Enrollment Parameters, page 8-142

Defining Additional PKI Attributes, page 8-145

Defining the Trusted CA Hierarchy, page 8-146

Step 7

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 8

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 9

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding PKI Enrollment Objects, page 8-136



Defining CA Server Properties


Use the CA Information tab of the PKI Enrollment dialog box to define the basic
properties of the PKI enrollment object, including the name and URL of the CA
server, the source for obtaining the CA server's certificate, and the type of
revocation checking support.
This procedure describes how to define the properties of the CA server in a PKI
enrollment object.
Naming the CA Server

When you enter a name for the CA server, bear in mind the following:

You cannot configure two CA servers with the same name but different URLs
on the same device.

The CA name cannot match the name of a trusted CA configured as part of
the same PKI enrollment object. For more information about trusted CAs, see
Defining the Trusted CA Hierarchy, page 8-146.

When the device is configured as part of a VPN, do not configure a
device-level override that uses the same CA name as that of the CA server
used by any of the peers. (This is not a problem when the device and its peers
use a tiered PKI hierarchy.)

In all of these cases, deployment will succeed, but one CA definition will
overwrite the other.
Procedure
Step 1

In the PKI Enrollment dialog box, click the CA Information tab. See Table F-247
on page F-439 for a description of the fields on this tab.

Step 2

(Optional) Enter the name used to identify the CA server in the certification
request.

Note

If you leave this field blank, the domain name is used. You must leave this
field blank for Verisign CAs, because they require the domain name.

Step 3

Enter the URL of the CA server. The following formats are supported:

http://CA_name:port, where CA_name is the host DNS name or IP address
of the CA. The port number is mandatory.

Note

If the CA cgi-bin script location at the CA is not the default
(/cgi-bin/pkiclient.exe), you must also include the nonstandard script
location in the URL, in the form of
http://CA_name:port/script_location, where script_location is the
full path to the CA scripts.

tftp://certserver/file_specification, when you enroll with the CA server by
means of a TFTP server. This option can be used if you do not have direct
access to the CA server.

Any of the following formats: bootflash, cns, flash, ftp, null, nvram, rcp, scp,
system.

Step 4

Select one of the following options for obtaining the CA server's certificate:

Tip

Select Retrieve CA Certificate Using SCEP to have the router retrieve the
certificate from the CA server. When using SCEP, you must enter the
fingerprint for the CA server in hexadecimal format. If the value you enter
does not match the fingerprint on the certificate, the certificate is rejected.

You can obtain the CAs fingerprint by contacting the server directly, or
by entering the following address in a web browser:
http://URLHostName/certsrv/mscep/mscep.dll
Select Enter Manually and then copy up to three certificates from another
device and paste them into the text field (using your browsers Paste function
or the Ctrl-V keyboard shortcut). Each certificate must begin with the word
certificate and end with the word quit. Use this option when you want the
PKI enrollment object to represent predefined certificates.

Step 5

Select the level of revocation checking support provided by the PKI enrollment
object. For more information, see Table F-247 on page F-439.

Step 6

(If you selected OCSP checking in Step 5) Enter the URL for the OCSP server that
is providing real-time certificate status checking. This URL must start with
http://.


Step 7

(If you selected CRL checking in Step 5) Enter the URL for the LDAP server
containing the CRL that the device downloads and checks. This URL must start
with ldap://.

Note

You must include a port number in the URL when using this LDAP server with
ASA devices, otherwise the LDAP lookup will fail.

Step 8

(Optional) Select the Enable Registration Authority Mode check box if the CA
server represented by the enrollment object is operating in Registration
Authority (RA) mode. In RA mode the server acts as a proxy for the actual CA,
which means that CA operations can continue even when the CA itself is offline.

Note

This option does not apply to PIX/ASA 7.0+ devices. In addition, you do not
need to configure this option if the PKI enrollment object is being used by
Cisco IOS routers. Cisco IOS routers configure RA mode automatically, if
required.
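The URL rules in Steps 3, 6 and 7 and the SCEP fingerprint comparison in
Step 4 can be checked before anything is deployed. The following Python script
is an added example, not part of Security Manager or of any Cisco product. Its
function names, sample URLs and the placeholder certificate bytes are
constructed for illustration, and its use of an MD5 digest for the SCEP
fingerprint is an assumption that you should confirm against your platform and
release.

```python
"""Pre-deployment checks for the CA Information tab (added example)."""
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Schemes the procedure lists as acceptable besides http:// and tftp://.
LOCAL_SCHEMES = {"bootflash", "cns", "flash", "ftp", "null",
                 "nvram", "rcp", "scp", "system"}


def _port_of(parts):
    """Port from a urlsplit result, or None when missing or not numeric."""
    try:
        return parts.port
    except ValueError:
        return None


def check_ca_url(url):
    """Return the rule violations for a CA server URL (empty list = ok)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    problems = []
    if scheme == "http":
        if not parts.hostname:
            problems.append("http URL needs the CA host name or IP address")
        if _port_of(parts) is None:
            problems.append("http URL must include the port number")
        # A path is only needed when the enrollment script is not at the
        # default /cgi-bin/pkiclient.exe; host:port alone implies the default.
    elif scheme == "tftp":
        if not parts.hostname or parts.path in ("", "/"):
            problems.append("tftp URL needs tftp://server/file_specification")
    elif scheme in LOCAL_SCHEMES:
        pass  # resolved on the device itself; nothing to validate here
    else:
        problems.append(f"unsupported scheme {scheme!r}")
    return problems


def check_ocsp_url(url):
    """Step 6: the OCSP responder URL must start with http://."""
    return [] if url.startswith("http://") else ["OCSP URL must start with http://"]


def check_crl_url(url, asa=False):
    """Step 7: ldap:// is required, and ASA devices also need the port."""
    if not url.startswith("ldap://"):
        return ["CRL URL must start with ldap://"]
    if asa and _port_of(urlsplit(url)) is None:
        return ["ASA devices need an explicit port in the LDAP URL"]
    return []


def ca_fingerprint(cert_der, algorithm="md5"):
    """Hex digest of the DER-encoded CA certificate. Assumption: the device
    compares an MD5 digest; confirm this for your platform and release."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def format_fingerprint(hexdigest):
    """Render a digest the way it is usually displayed: 'AB:CD:...'."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def fingerprint_matches(cert_der, entered, algorithm="md5"):
    """True only when the typed fingerprint equals the certificate's digest.
    Separators and case are ignored, but the length must match exactly, so a
    truncated or padded value is rejected rather than partially matched."""
    given = re.sub(r"[^0-9a-fA-F]", "", entered).lower()
    expected = ca_fingerprint(cert_der, algorithm)
    return len(given) == len(expected) and hmac.compare_digest(given, expected)


# Constructed placeholder bytes standing in for a real DER certificate.
SAMPLE_CA_DER = bytes.fromhex("308201a23082010ba003020102020101")

if __name__ == "__main__":
    for url in ("http://ca.example.com:80", "http://ca.example.com",
                "tftp://certserver/ca.cer", "flash:ca.cer",
                "https://ca.example.com:443"):
        print(f"{url:32} {check_ca_url(url) or 'ok'}")
    print(check_crl_url("ldap://10.1.1.5/cn=crl", asa=True))
    print(format_fingerprint(ca_fingerprint(SAMPLE_CA_DER)))
```

The fingerprint comparison deliberately refuses a value of the wrong length:
a fingerprint typed with a few pairs missing would otherwise be silently
accepted by a prefix comparison, which defeats the purpose of the check.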

Related Topics

Defining PKI Enrollment Parameters, page 8-142

Defining Additional PKI Attributes, page 8-145

Defining the Trusted CA Hierarchy, page 8-146

Creating PKI Enrollment Objects, page 8-138

Understanding PKI Enrollment Objects, page 8-136

Defining PKI Enrollment Parameters


Use the Enrollment Parameters tab of the PKI Enrollment dialog box to define the
retry settings to use when the device contacts the CA server as well as the settings
for generating the RSA key pair to associate with the certificate.
If the PKI enrollment object represents a Microsoft CA, you can define the
challenge password required to validate the router's identity.


This procedure describes how to define enrollment parameters for a PKI
enrollment object.

Procedure

Step 1

In the PKI Enrollment dialog box, click the Enrollment Parameters tab. See
Table F-248 on page F-443 for a description of the fields on this tab.

Step 2

(Mandatory for PIX 6.3 devices; optional for PIX/ASA 7.0 devices and Cisco IOS
routers) Enter the password used by the CA server to validate the device's
identity.

Tip

You can obtain the password by entering the following address in a web
browser: http://URLHostName/certsrv/mscep/mscep.dll. The password is good for
60 minutes from the time you obtain it from the CA server. Therefore, it is
important that you deploy the password as soon as possible after you create it.

Note

Each password is valid for a single enrollment by a single device, and it is
what ties that enrollment request to the device, so treat it as a secret until
the device has used it. Therefore, we do not recommend that you assign a PKI
enrollment object where this field is defined to a VPN, unless you first
configure a device-level override for each device in the VPN. For more
information, see Overriding Global Objects for Individual Devices, page 8-197.

Step 3

(Optional) Modify the default retry values, as follows:

a.

In the Retry Period field, specify the interval between certificate request
attempts, in minutes.

b.

In the Retry Count field, specify the number of times the device should resend
the certificate request, if no response is received from the CA server to the
first request.

Step 4

(Optional) To have the router request new certificates automatically (known as
autoenrollment), enter the percentage of the current certificate's lifetime
that triggers the request. For example, if you enter 70, the router requests a
new certificate after 70% of the lifetime of the current certificate has been
reached.

Step 5

(Optional) Select the Include Device's Serial Number check box if you want to
include the serial number of the device in the certificate request.


Note

The CA uses the serial number to either authenticate certificates or to later
associate a certificate with a particular router. If you are in doubt, include
the serial number, as it is useful for debugging purposes.

Step 6

(Optional) Define the RSA key pair to associate with the certificate:

a.

In the RSA Key Pair Name field, enter the name of the key pair. If you are
associating an existing key pair, enter its name. If you are generating a new
key pair, it will be given the name you enter here.

Note

If you do not specify an RSA key pair, the fully qualified domain name (FQDN)
key pair is used instead. On PIX and ASA devices, the key pair must exist on
the device before it is deployed.

b.

(Cisco IOS routers only) In the Key Size field, enter the size of the key pair
(modulus) in bits. Valid values range from 512 to 1024 (in multiples of 64),
1536 and 2048.

Note

Keys with larger modulus values are more secure, but take longer to generate
and process. For example, keys larger than 512 bits may take a minute or longer
to generate. Prefer 2048 bits where the platform supports it; 512-bit and
1024-bit RSA keys are no longer considered adequate protection.

c.

(Cisco IOS routers only) In the Encryption Key Size field, define the size of
the second key, which is used when you request separate encryption and
signature keys and certificates.

Step 7

(Optional, for Cisco IOS routers only) In the Source Interface field, enter the
name of the interface or interface role whose address should be used as the
source interface for all outgoing connections to the CA or LDAP server, or
click Select to display a selector (see Selecting Objects for Policies,
page 8-203).

This option is useful when the CA or LDAP server cannot reach the address from
which the connection originated (for example, due to a firewall). If you do not
enter a value in this field, the address of the outgoing interface is used.


Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here, you can define an interface role to use in the
object.
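The Key Size values accepted in Step 6 and the interplay between the retry
settings (Step 3) and the autoenrollment percentage (Step 4) can be checked
offline. The following Python script is an added example rather than Security
Manager code; the certificate dates, retry values and the 2048-bit
recommendation threshold are constructed assumptions for illustration.

```python
"""Checks for the Enrollment Parameters tab values (added example)."""
from datetime import datetime, timedelta

# Modulus sizes the Key Size field accepts: 512-1024 in steps of 64, 1536, 2048.
VALID_KEY_SIZES = set(range(512, 1025, 64)) | {1536, 2048}
RECOMMENDED_MIN_BITS = 2048   # assumption: local policy may demand more


def check_key_size(bits):
    """Return problems for a Key Size value. Sizes outside the accepted set
    are errors; accepted-but-weak sizes get the warning the dialog omits."""
    if bits not in VALID_KEY_SIZES:
        return [f"{bits} is not a valid modulus (512-1024 step 64, 1536, 2048)"]
    if bits < RECOMMENDED_MIN_BITS:
        return [f"{bits}-bit RSA is accepted by the device but weak; use 2048"]
    return []


def plan_autoenrollment(not_before, not_after, renew_percent,
                        retry_period_min, retry_count):
    """Work out when the router will request a new certificate (Step 4
    percentage) and whether the Step 3 retry budget fits before the current
    certificate expires. The initial request plus retry_count resends,
    retry_period_min apart, must all happen before not_after; otherwise a
    CA that is slow to answer leaves the device with an expired certificate."""
    if not 0 < renew_percent <= 100:
        raise ValueError("renew_percent must be between 1 and 100")
    lifetime = not_after - not_before
    first_request = not_before + lifetime * (renew_percent / 100)
    last_retry = first_request + timedelta(minutes=retry_period_min) * retry_count
    return {
        "first_request_at": first_request,
        "last_retry_at": last_retry,
        "retries_fit_in_lifetime": last_retry < not_after,
        "slack": not_after - last_retry,
    }


def sample_plan():
    """One-year certificate, renew at 70%, retry every 5 minutes up to 10
    times (constructed values for illustration)."""
    return plan_autoenrollment(datetime(2023, 1, 1), datetime(2024, 1, 1),
                               renew_percent=70, retry_period_min=5,
                               retry_count=10)


def sample_tight_plan():
    """One-day certificate renewed at 99% with a single 30-minute retry: the
    retry lands after expiry, which the check flags."""
    return plan_autoenrollment(datetime(2023, 1, 1), datetime(2023, 1, 2),
                               renew_percent=99, retry_period_min=30,
                               retry_count=1)


if __name__ == "__main__":
    for size in (512, 1000, 1536, 2048):
        print(size, check_key_size(size) or "ok")
    for plan in (sample_plan(), sample_tight_plan()):
        print(plan["first_request_at"], plan["last_retry_at"],
              "fits" if plan["retries_fit_in_lifetime"] else "EXPIRES FIRST")
```

The slack value is the useful number: it is how long the CA may be unreachable
before the device runs out of retries, and it shrinks as the percentage in
Step 4 rises or the retry period in Step 3 grows.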

Related Topics

Defining CA Server Properties, page 8-140

Defining Additional PKI Attributes, page 8-145

Defining the Trusted CA Hierarchy, page 8-146

Creating PKI Enrollment Objects, page 8-138

Understanding PKI Enrollment Objects, page 8-136

Defining Additional PKI Attributes


Use the Certificate Subject Name tab of the PKI Enrollment dialog box to
optionally define additional attributes to include in the certificate request. This
information is placed in the certificate and can be viewed by any party who
receives the certificate from the router.
This procedure describes how to define additional attributes for a PKI enrollment
object.

Note

You must enter all information in the LDAP X.500 format.

Procedure

Step 1

In the PKI Enrollment dialog box, click the Certificate Subject Name tab. See
Table F-249 on page F-446 for a description of the fields on this tab.

Step 2

(Optional) Select the Include Device's FQDN check box to include the router's
fully qualified domain name in the certificate.


Step 3

(Optional) Select the device interface whose IP address should be included in
the certificate. Enter the name of an interface or interface role, or click
Select to display a selector (see Selecting Objects for Policies, page 8-203).

Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box, page F-419.
From here, you can define an interface role to include in the object.

Step 4

(Optional) Specify one or more X.500 attributes.

Note

If you are using digital certificates for user authentication on a Cisco EzVPN
IPsec remote-access system, each EzVPN Remote component must be configured
with the name of the client group to which it connects. Enter this information
in the Organization Unit (OU) field. Although this information is not required
for the EzVPN Server, including it does not create configuration problems. For
more information about EzVPN, see Understanding Easy VPN, page 9-109.

Related Topics

Defining CA Server Properties, page 8-140

Defining PKI Enrollment Parameters, page 8-142

Defining the Trusted CA Hierarchy, page 8-146

Creating PKI Enrollment Objects, page 8-138

Understanding PKI Enrollment Objects, page 8-136

Defining the Trusted CA Hierarchy


Use the Trusted CA Hierarchy tab of the PKI Enrollment dialog box to optionally
define the CA servers that reside at a higher level in a PKI hierarchy. Within a
hierarchical PKI, all enrolled peers can validate each other's certificates if
the peers share a trusted root CA certificate or a common subordinate CA.


This procedure describes how to define a trusted CA hierarchy for a PKI
enrollment object.
Procedure
Step 1

In the PKI Enrollment dialog box, click the Trusted CA Hierarchy tab. See
Table F-250 on page F-447 for a description of the fields on this tab.

Step 2

Define the trusted servers by selecting one or more PKI enrollment objects from
the Available CA Servers list, then clicking >> to add them to the Selected CA
Servers list.

Related Topics

Defining CA Server Properties, page 8-140

Defining PKI Enrollment Parameters, page 8-142

Defining Additional PKI Attributes, page 8-145

Creating PKI Enrollment Objects, page 8-138

Understanding PKI Enrollment Objects, page 8-136

Understanding Port Forwarding List Objects


Application port forwarding is configured for thin client access mode in
SSL VPN. Port forwarding allows users to access applications (such as telnet,
email, VNC, SSH, and Terminal Services) inside the enterprise via an SSL VPN
session. When port forwarding is enabled, the hosts file on the SSL VPN client is
modified so that the application's host name resolves to the local client,
which listens on the port number configured in the forwarding list. A Port
Forwarding List object defines the mappings of port numbers on the remote
client to the application's IP address and port behind the SSL VPN gateway.
To create Port Forwarding List objects, see Creating Port Forwarding List
Objects, page 8-148.


Related Topics

Configuring the Clientless and Thin Client Access Modes, page 11-26

Thin Client Access Mode, page 11-3

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

Creating Port Forwarding List Objects


You can create port forwarding list objects to use when you are configuring the
Thin Client access mode for SSL VPN. A port forwarding list object defines the
mappings of port numbers on the remote client to the application's IP address
and port behind the SSL VPN gateway.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override Port Forwarding List object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.

Tip

You can also create port forwarding list objects when defining policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
This procedure describes how to create port forwarding list objects.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Port Forwarding List. The Port Forwarding
List page opens, displaying the defined port forwarding list objects. For a
description of the elements on this page, see Table F-251 on page F-449.


Step 3

Right-click in the work area, then select New Object. The Port Forwarding List
dialog box opens, displaying a table of any port forwarding entries that are
defined for the object. For a description of the elements in this dialog box,
see Table F-252 on page F-450.

Step 4

Enter a name for the port forwarding list object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

To create a new port forwarding entry or modify the properties of an existing one,
click Create below the Port Forwarding List table, or select an entry in the table
and click Edit. The Add/Edit Port Forwarding Entry dialog box opens. For a
description of the elements on this dialog box, see Table F-253 on page F-453.
a.

Specify the port number to which the local application is mapped.

b.

Specify the IP address or fully qualified domain name of the remote server.

c.

Specify the port number of the application for which port forwarding is
configured.

d.

Enter any additional information about the port forwarding entry (mandatory
on IOS routers).

e.

Click OK to save the changes, and close the Add/Edit Port Forwarding Entry
dialog box. The entry appears in the table in the Port Forwarding List dialog
box.

Step 7

In the Include Port Forwarding Lists field, specify the names of other Port
Forwarding List objects that you want to include in this Port Forwarding List
object. You can click Select to open the Port Forwarding List selector from which
you can make your selection.

Step 8

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 9

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 10

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.


Tip

To perform additional actions on the object, see Managing Existing Objects,
page 8-9.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Port Forwarding List Objects, page 8-147

Configuring the Clientless and Thin Client Access Modes, page 11-26

Understanding Port List Objects


Port list objects contain one or more ranges of port numbers. These objects are
used to streamline the process of creating service objects (see Creating Service
Objects, page 8-160).
Security Manager contains a predefined port list object that includes either all
ports (1-65535) or all secure ports (1024-65535), depending on the setting you
select in the Cisco Security Manager Administration window. For more
information, see Defining Policy Object Settings, page 2-91.
To create a port list object, see Creating Port List Objects, page 8-151.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

How Port List Objects are Provisioned as PIX/ASA Object Groups, page 8-214


Creating Port List Objects


You can create port list objects for use in defining service objects. Each port list
object can contain one or more port ranges (for example, 1-1000 and 2000-2500).
Additionally, a port list object can include other port list objects.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override port list object definitions at the device level. For more information, see
Managing Object Overrides, page 8-12.
This procedure describes how to define port list objects.

Tip

You can also create port list objects when defining service objects. For more
information, see Selecting Objects for Policies, page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Port Lists from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The Port List dialog box appears. For a description of the fields in this dialog box,
see Table F-257 on page F-461.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Define the contents of the port list object by doing one or both of the
following:

• In the Ports field, enter one or more ports and port ranges. Use hyphens to
  separate the first and last port number in the range, for example, 100-999.
  Separate multiple entries with commas. You can also use the following
  operators:


  gt (greater than)
  lt (less than)
  eq (equals)
  neq (does not equal)

  Note

  You cannot combine a port range containing the neq operator with additional
  ranges.

• Enter the names of existing port list objects, or click Select to display a
  selector (see Selecting Objects for Policies, page 8-203).

Step 7

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 8

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 9

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects,
page 8-9.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.
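The Ports field syntax used in Step 6, the restriction on neq, and the inclusion
of other port list objects can be exercised in code, with the result rendered in
the form described in How Port List Objects are Provisioned as PIX/ASA Object
Groups. The following Python script is an added example, not Security Manager
code. The sample port list objects are constructed, and the rendering uses only
the port-object eq and port-object range forms because an ASA service
object-group has no port-object neq, so a neq entry becomes the two ranges on
either side of the excluded port.

```python
"""Port list parsing and ASA object-group rendering (added example)."""
import re

MAX_PORT = 65535
OPERATOR_RE = re.compile(r"(gt|lt|eq|neq)\s+(\d+)")
RANGE_RE = re.compile(r"(\d+)(?:-(\d+))?")


def _check_port(port):
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port {port} is outside 1-{MAX_PORT}")


def parse_port_spec(spec):
    """Turn the Ports field text ('100-999, gt 1024, eq 22') into a list of
    inclusive (low, high) tuples. neq is expressed as the two ranges around
    the excluded port, which is what a firewall can actually match, and the
    tab's rule that neq cannot be combined with other entries is enforced."""
    items = [p.strip() for p in spec.split(",") if p.strip()]
    ranges = []
    for item in items:
        m = OPERATOR_RE.fullmatch(item)
        if m:
            op, port = m.group(1), int(m.group(2))
            _check_port(port)
            if op == "gt":
                ranges.append((port + 1, MAX_PORT))
            elif op == "lt":
                ranges.append((1, port - 1))
            elif op == "eq":
                ranges.append((port, port))
            else:
                if len(items) > 1:
                    raise ValueError("neq cannot be combined with other ranges")
                ranges += [(1, port - 1), (port + 1, MAX_PORT)]
            continue
        m = RANGE_RE.fullmatch(item)
        if not m:
            raise ValueError(f"unrecognized port entry {item!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        _check_port(low)
        _check_port(high)
        if low > high:
            raise ValueError(f"range {item!r} runs backwards")
        ranges.append((low, high))
    return ranges


def merge_ranges(ranges):
    """Sort, drop empty ranges (e.g. gt 65535) and coalesce overlaps/adjacents."""
    merged = []
    for low, high in sorted(r for r in ranges if r[0] <= r[1]):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def resolve_port_list(name, objects, _stack=()):
    """Flatten a port list object and the objects it includes (Step 6, second
    option) into merged ranges, refusing include cycles."""
    if name in _stack:
        raise ValueError(f"port list {name!r} includes itself via {list(_stack)}")
    obj = objects[name]
    ranges = parse_port_spec(obj.get("ports", ""))
    for included in obj.get("includes", ()):
        ranges += resolve_port_list(included, objects, _stack + (name,))
    return merge_ranges(ranges)


def port_list_error(name, objects):
    """Validation message for a port list object and its includes, or None."""
    try:
        resolve_port_list(name, objects)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return None


def asa_object_group(name, ranges, protocol="tcp"):
    """Render merged ranges as the PIX/ASA service object-group lines."""
    lines = [f"object-group service {name} {protocol}"]
    for low, high in ranges:
        lines.append(f" port-object eq {low}" if low == high
                     else f" port-object range {low} {high}")
    return "\n".join(lines)


# Constructed sample objects in the shape of the Port List dialog fields.
PORT_LISTS = {
    "mgmt": {"ports": "eq 22, 443, 8443-8445"},
    "ephemeral": {"ports": "gt 49151"},
    "all-mgmt": {"ports": "", "includes": ["mgmt", "ephemeral"]},
}

if __name__ == "__main__":
    print(asa_object_group("all-mgmt", resolve_port_list("all-mgmt", PORT_LISTS)))
    print(port_list_error("x", {"x": {"ports": "neq 80, 100-200"}}))
```

Note that gt and lt are exclusive, as on the ASA, and that merging is done
after includes are resolved, so two objects that overlap produce a single
range in the object-group rather than duplicate port-object lines.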

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Port List Objects, page 8-150

How Port List Objects are Provisioned as PIX/ASA Object Groups, page 8-214


Understanding Secure Desktop Configuration Objects


Secure Desktop Configuration objects are reusable, named components that can
be referenced by SSL VPN policies for Cisco IOS routers and ASA devices. Cisco
Secure Desktop (CSD) provides a reliable means of eliminating all traces of
sensitive data by providing a single, secure location for session activity and
removal on the client system. CSD provides a session-based interface where
sensitive data is shared only for the duration of a SSL VPN session. All session
information is encrypted, and all traces of the session data are removed from the
remote client when the session is terminated, even if the connection terminates
abruptly.
To create a Secure Desktop Configuration object, see Creating Secure Desktop
Configuration Objects, page 8-154.
About Windows Locations

Windows locations let you determine how clients connect to your virtual private
network, and protect it accordingly. For example, clients connecting from within
a workplace LAN on a 10.x.x.x network behind a NAT device are an unlikely risk
for exposing confidential information. For these clients, you might set up a CSD
Windows Location named Work that is specified by IP addresses on the 10.x.x.x
network, and disable both the Cache Cleaner and the Secure Desktop function for
this location.
In contrast, users' home PCs might be considered more at risk to viruses due to
their mixed use. For these clients, you might set up a location named Home that
is specified by a corporate-supplied certificate that employees install on their
home PCs. This location would require the presence of antivirus software and
specific, supported operating systems to grant full access to the network.
Alternatively, for untrusted locations such as Internet cafes, you might set up a
location named Insecure that has no matching criteria (thus making it the
default for clients that do not match other locations). This location would require
full Secure Desktop functions, and include a short timeout period to prevent
access by unauthorized users.

Caution

If you create a location and do not specify criteria, make sure it is the last entry in
the Locations in priority order list described in the next section.


Note

For more information about configuring the Secure Desktop, see Cisco Secure
Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release
3.1.1 (from Chapter 3 onwards), at this URL:
http://www.cisco.com/en/US/docs/security/csd/csd311/csd_for_asa/configuration/311j.html
Related Topics

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

Secure Desktop Configuration Page, page F-453

Secure Desktop Configuration Dialog Box, page F-455

Creating Secure Desktop Configuration Objects


Secure Desktop Configuration objects are referenced by SSL VPN policies.
Creating a Secure Desktop Configuration object involves first creating a location
(such as Work, Home, or Insecure) that you can assign to Microsoft Windows
clients as they connect to the corporate network. Then you can configure a group
of settings for the location, enable or restrict web browsing and file access for
Windows CE clients, and configure the Cache Cleaner and a VPN Feature Policy
for Macintosh and Linux clients.
This procedure describes how to create Secure Desktop Configuration objects.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Secure Desktop Configuration from the Object Type selector. The Secure
Desktop Configuration page opens, displaying the defined Secure Desktop
Configuration objects. For a description of the elements on this page, see
Table F-254 on page F-454.


Step 3

Right-click in the work area, then select New Object.


The Secure Desktop Configuration dialog box appears, displaying a list of
settings in the Secure Desktop Manager pane that you can configure for the Secure
Desktop Configuration object. For a description of the elements in this dialog box,
see Table F-255 on page F-455.

Note

For a detailed description of how to configure these settings, see Cisco
Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators,
Release 3.1.1 from Chapter 3 onwards.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object.

Step 6

From the Secure Desktop Manager pane, select Windows Location Settings to
create a location (such as Work, Home, or Insecure), and define the location-based
settings (also called adaptive policies) for CSD.
For each location, the Secure Desktop Manager pane displays the name of the
location and the options for configuring privileges and restrictions for it.

Step 7

If you want all the open browser windows to close after the Secure Desktop
installation, make sure this option is selected.

Step 8

Select the required check boxes to configure a VPN Feature policy that enables
web browsing, file access, port forwarding, and full tunneling, if installation or
location matching fails.

Step 9

For each location in the Secure Desktop Manager pane:

a.

Select VPN Feature Policy to configure a group-based policy, web browsing,
remote server file access, port forwarding, and full tunneling settings for
SSL VPN.

b.

Select Keystroke Logger to scan the client PC for a keystroke logging
application.

c.

Select Cache Cleaner to disable or erase data that a user downloaded, inserted,
or created in the browser, including cached files, configuration changes,
cached browser information, passwords entered, and auto-completed information.

d.

Select Secure Desktop General to enable or disable the Secure Desktop features
and customize the user experience.


e.

Select Secure Desktop Settings to configure restrictions on the Secure Desktop.

f.

Select Secure Desktop Browser to specify the home page to which the
browser connects when the remote user establishes a CSD session. This
option also lets you specify the folders and bookmarks (or favorites) to
insert into the respective browser menu during a CSD session.

Step 10

Select Windows CE to configure a VPN feature policy for the location, to enable
or restrict both web browsing and remote server file access for remote clients
running Microsoft Windows CE.

Step 11

Select Mac and Linux Cache Cleaner to configure the Cache Cleaner and a VPN
Feature Policy for the location that enables or restricts web browsing, remote
server file access, and port forwarding for Macintosh and Linux clients.

Step 12

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 13

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects,
page 8-9.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Secure Desktop Configuration Objects, page 8-153

Secure Desktop Configuration Dialog Box, page F-455


Understanding Service Group Objects


Service group objects are collections of service objects (see Understanding
Service Objects, page 8-159). Service groups are convenient because they reflect
the nature of most applications (such as a web browser) that require several
network services to function. You can create service groups to represent the
composition of a particular application, or you can model them after the logical
organizations that exist on your network, such as a development team or corporate
department. With service groups you do not have to reference service definitions
individually within your policies.
Security Manager includes many predefined service group objects. For example,
there are service groups for services that can use either TCP or UDP, such as
Network Time Protocol (NTP), Layer 2 Tunneling Protocol (L2TP), and
Microsoft SQL Server. There is also a predefined service group object for all
ICMP message types.
To create a service group object, see Creating Service Group Objects, page 8-157.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

How Service Group Objects are Provisioned as PIX/ASA Object Groups, page 8-218

Creating Service Group Objects


You can create service group objects that contain a collection of related services.
To create a service group object, you merely select the service objects the group
should contain. If the required service objects do not yet exist, you can create
them.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override service group object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.
This procedure describes how to define a service group object.


Tip

You can create service group objects when defining policies or objects that
use this object type. For more information, see Selecting Objects for Policies,
page 8-203.

In addition, you can right-click the service defined in an access rule or AAA
rule and create a service group object directly from the contents of the cell.
For more information, see Editing Access Rules, page 12-65 and Editing
AAA Rules, page 12-94.

Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Create the required service objects. See Creating Service Objects, page 8-160.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Service Groups from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The Service Group dialog box appears. For a description of the fields in this
dialog box, see Table F-259 on page F-465.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Define the content of the service group by entering the names of one or more
services or service groups, or click Select to display a selector (see Selecting
Objects for Policies, page 8-203).

Tip

If the service you want is not listed, click the Create button or the Edit
button in the selector to display the Service Dialog Box, page F-467.
From here, you can define a service to include in the service group.


Step 7

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 8

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 9

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Service Group Objects, page 8-157

Creating Service Objects, page 8-160

How Service Group Objects are Provisioned as PIX/ASA Object Groups, page 8-218

Understanding Service Objects


Service objects are defined mappings of protocol and port definitions that
describe network services used by policies, such as Kerberos, SSH, and POP3.
You can reference service objects directly within your policies. You can also
create larger collections of service definitions, called service groups, that you can
reference within your policies. See Understanding Service Group Objects,
page 8-157.

Security Manager includes a comprehensive collection of predefined service
objects, including ICMP messages, as well as objects for commonly used services
such as HTTP, Syslog, POP3, Telnet, and SNMP.
To create a service object, see Creating Service Objects, page 8-160.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

How Service Objects are Provisioned as PIX/ASA Object Groups, page 8-215

Creating Service Objects


You can create service objects to describe a type of traffic carried by the devices
in your network. When creating a service object, you must select the protocol used
by the service. If this protocol is either TCP or UDP, you must also select the
source and destination ports. When creating an Internet Control Message Protocol
(ICMP) service object, you must define the message type.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override service object definitions at the device level. For more information, see
Managing Object Overrides, page 8-12.
This procedure describes how to create service objects.

Tip

You can also create service objects when defining policies or objects that use this
object type. For more information, see Selecting Objects for Policies, page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Services from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The Service dialog box appears. For a description of the fields in this dialog box,
see Table F-261 on page F-468.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Select the protocol used by the service. If the protocol you require does not appear
in the list, leave the field blank, then enter one or more IP protocol numbers in the
field provided. Separate multiple entries with commas.

Step 7

(Optional) If either TCP, UDP, or TCP & UDP is the selected protocol, enter the
destination and source ports contained in the service, as follows:

a. By default, the destination port range is defined by entering port numbers in
the field provided. Separate multiple entries with commas. You can enter a
range of ports, if required. (Ranges cannot contain spaces.) You can also use
the following operators:
gt: greater than
lt: less than
eq: equals
neq: does not equal

Alternatively, you can select Select Port List object, then enter the name of
a port list object, or click Select to display a selector. See Understanding Port
List Objects, page 8-150.

b. By default, the source port range is the system default range (1-65535).
Alternatively, you can click Select to display a selector for choosing a defined
port list object, or select Enter ranges to enter port numbers directly.

Step 8

(Optional) If ICMP is the selected protocol, select the ICMP message type to be
defined by the service object. If the required message type does not appear in the
list, enter one or more ICMP message numbers in the field provided. Separate
multiple entries with commas.

Step 9

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 10

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 11

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Service Objects, page 8-159

Creating Service Group Objects, page 8-157

How Service Objects are Provisioned as PIX/ASA Object Groups, page 8-215
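As an added example (not code from the guide or from Cisco), the following parser compiles the port syntax described in Step 7 into a matcher. It assumes the operators are written as a keyword followed by a space and one port ("gt 1023"), that a range is written with a hyphen and no spaces, and that the comma-separated entries of one service are OR-ed together.

```python
"""Parse and evaluate the port syntax used in Security Manager service objects.

Added example, not Cisco code. Assumed grammar (the guide lists the operators
but not their exact field spelling): comma-separated entries, each one of
    80            single port
    1024-65535    range (no spaces inside the range)
    gt 1023       greater than
    lt 1024       less than
    eq 443        equals
    neq 53        does not equal
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List

PORT_MIN, PORT_MAX = 1, 65535

# Operators the guide lists for the destination port field.
OPERATORS: Dict[str, Callable[[int, int], bool]] = {
    "gt": lambda port, ref: port > ref,
    "lt": lambda port, ref: port < ref,
    "eq": lambda port, ref: port == ref,
    "neq": lambda port, ref: port != ref,
}


def _parse_port(text: str) -> int:
    """Validate a single port number (1-65535)."""
    if not text.isdigit():
        raise ValueError(f"not a port number: {text!r}")
    port = int(text)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port out of range: {port}")
    return port


@dataclass(frozen=True)
class PortEntry:
    """One comma-separated entry, compiled to a predicate on a port number."""
    text: str
    matches: Callable[[int], bool]


def parse_port_spec(spec: str) -> List[PortEntry]:
    """Compile a port specification into a list of predicates, rejecting bad input."""
    entries: List[PortEntry] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in port specification")
        parts = item.split()
        if len(parts) == 2 and parts[0].lower() in OPERATORS:
            op, ref = OPERATORS[parts[0].lower()], _parse_port(parts[1])
            entries.append(PortEntry(item, lambda p, op=op, ref=ref: op(p, ref)))
        elif len(parts) == 1 and "-" in item:
            # "1024 - 2048" has spaces, so it never reaches this branch and is rejected.
            low_text, high_text = item.split("-", 1)
            low, high = _parse_port(low_text), _parse_port(high_text)
            if low > high:
                raise ValueError(f"inverted range: {item}")
            entries.append(PortEntry(item, lambda p, lo=low, hi=high: lo <= p <= hi))
        elif len(parts) == 1:
            port = _parse_port(item)
            entries.append(PortEntry(item, lambda p, ref=port: p == ref))
        else:
            raise ValueError(f"cannot parse entry: {item!r}")
    return entries


def port_matches(spec: str, port: int) -> bool:
    """True if the port satisfies any entry of the specification (assumed OR semantics)."""
    return any(entry.matches(port) for entry in parse_port_spec(spec))


def is_valid_spec(spec: str) -> bool:
    """True if the whole specification parses; use before saving an object."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed example: a service covering HTTP, HTTPS and the ephemeral range.
    spec = "80,443,gt 49151"
    for p in (80, 443, 8080, 50000):
        print(f"{spec!r} matches port {p}: {port_matches(spec, p)}")
```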

Understanding Single Sign-On Server Objects


Single Sign-On (SSO) lets SSL VPN users enter a username and password once
and be able to access multiple protected services and web servers.
The SSO mechanism starts as part of the AAA process or just after successful user
authentication to an AAA server. The SSL VPN server running on the security
appliance acts as a proxy for the user to the authenticating server. When a user
logs in, the SSL VPN server sends an SSO authentication request, including
username and password, to the authenticating server using HTTPS. If the server
approves the authentication request, it returns an SSO authentication cookie to the
SSL VPN server. The security appliance keeps this cookie on behalf of the user
and uses it to authenticate the user to secure websites within the domain protected
by the SSO server.
Security Manager supports authentication for SSL VPN users using Computer
Associates SiteMinder SSO server.
SSO Authentication with SiteMinder

SSO authentication using SiteMinder is separate from AAA authentication, and
begins after the AAA process is completed. If you want to configure SSO for an
SSL VPN user or group, you must first configure a AAA server, such as a
RADIUS or LDAP server. You can then set up SSO support for SSL VPN.
To configure SSO with SiteMinder, you need to:
1. Specify the SSO server.

2. Specify the URL of the SSO server to which the security appliance makes
SSO authentication requests.

3. Specify a secret key to secure the communication between the security
appliance and the SSO server. This key is similar to a password. You create
it, save it, and enter it on both the security appliance and the SiteMinder
Policy Server using the Cisco Java plug-in authentication scheme.

4. Optionally, you can also configure the authentication request timeout, and the
number of authentication request retries.

After you have completed the configuration tasks, you assign an SSO server to an
ASA user group.

Note

Besides configuring the security appliance for SSO with SiteMinder, you must
also configure your CA SiteMinder Policy Server with the Cisco authentication
scheme, provided as a Java plug-in. For the complete procedure to configure a
custom authentication scheme on your SiteMinder Policy Server, please refer to
the CA SiteMinder documentation.
For the procedure to create a Single Sign-On Server object, see Creating Single
Sign-On Server Objects, page 8-164.
Related Topics

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

Single Sign On Server (SSO) Page, page F-471

Single Sign On Server (SSO) Dialog Box, page F-473

Creating Single Sign-On Server Objects


You can create Single Sign On (SSO) Server objects to enable you to configure or
delete SSO for SSL VPN users using Computer Associates' SiteMinder SSO
server. SSO support, available only for SSL VPN, lets users access different
secure services on different servers after entering a username and password just
once.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override Single Sign On Server object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.
This procedure describes how to create an SSO Server object.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Single Sign On Servers from the Object Type selector. The Single Sign On
Servers page opens, displaying the defined SSO Server objects. For a description
of the elements on this page, see Table F-262 on page F-472.

Step 3

Right-click in the work area, then select New Object.


The SSO Server dialog box appears. For a description of the elements in this
dialog box, see Table F-263 on page F-474.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object.

Note

The Authentication Type field displays the type of SSO server. The
security appliance currently supports the SiteMinder type configured
using Security Manager.

Step 6

In the URL field, select a protocol (http or https) from the list, and specify the
SSO server URL to which the security appliance makes SSO authentication
requests in the field provided.

Step 7

Enter and confirm the secret key used to encrypt authentication communications
with the SSO Server in the fields provided.

Step 8

Enter the number of times the security appliance retries a failed SSO
authentication attempt before the authentication times out.

Step 9

Enter the number of seconds before a failed SSO authentication attempt times out.
The range is from 1 to 30 seconds, and the default is 5 seconds.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 11

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 12

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5


Understanding Single Sign-On Server Objects, page 8-162

Single Sign On Server (SSO) Dialog Box, page F-473

Understanding SLA Monitor Objects


Service level agreement (SLA) monitor objects are used by PIX/ASA security
appliances running version 7.2 or later to perform route tracking. This feature
provides a method to track the availability of a primary route and install a backup
route if the primary route fails. For example, you can define a default route to an
Internet service provider (ISP) gateway and a backup default route to a secondary
ISP in case the primary ISP becomes unavailable. This feature, called Dual ISP,
provides security appliances with a form of high availability, which is a vital part
of providing customers with the services to which they are entitled.
Without route tracking, there is no inherent mechanism for determining if the
route is up or down. A static route remains in the routing table even if the next hop
gateway becomes unavailable, and is removed only if the associated interface on
the security appliance goes down.
The security appliance performs route tracking by associating a route with a
monitoring target that you define in the SLA monitor object. It monitors the target
using ICMP echo requests, according to the parameters configured in the object.
If an echo reply is not received within a specified time period, the object is
considered down and the associated route is removed from the routing table. A
previously configured backup route is used in place of the removed route.
To create an SLA monitor object, see Creating SLA Monitor Objects, page 8-167.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

Configuring Firewall Device Interfaces, page 15-3

Configuring Static Routes, page 15-98

Creating SLA Monitor Objects


When you define an SLA monitor object, you must define:

The address to be monitored for reachability.

The interface on the security appliance that sends out the ICMP echo
requests.

An ID number for the SLA operation.

You can optionally modify the default values that define the ICMP echo requests,
such as the frequency of the request transmissions and the timeout that triggers
the removal of the nonresponsive static route from the routing table and its
replacement by the backup route.

Note

SLA monitoring jobs start immediately after deployment and continue to run until
you unassign the policy from the device (that is, they do not age out).
Selecting a Monitoring Target

When you select a monitoring target, make sure that it can respond to ICMP echo
requests. The target can be any network address that you choose, but consider the
use of:

The ISP gateway address.

The next hop gateway address (if you are concerned about the availability of
the ISP gateway).

A server on the target network, such as an AAA server, with which the
security appliance needs to communicate.

A persistent network object on the destination network. (A desktop or
notebook computer that you can shut down at night is not a good choice.)

This procedure describes how to create SLA monitor objects.

Tip

You can also create SLA monitor objects when defining policies or objects that
use this object type. For more information, see Selecting Objects for Policies,
page 8-203.

Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select SLA Monitors from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The SLA Monitor dialog box appears. For a description of the fields in this dialog
box, see Table F-265 on page F-477.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object.

Step 6

Enter the ID number that identifies the SLA operation.

Step 7

Enter the IP address to be monitored.

Step 8

In the Interface field, enter the name of the interface or interface role whose
address should be used as the source interface for all ICMP echo requests sent to
the monitored address, or click Select to display a selector (see Selecting Objects
for Policies, page 8-203).

Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here, you can define an interface role to use in the
object.

Step 9

(Optional) Modify the default values that determine how the monitored address is
checked for reachability. See Table F-265 on page F-477.

Step 10

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 11

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding SLA Monitor Objects, page 8-166
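The route-tracking behaviour described under Understanding SLA Monitor Objects, and the fields entered in the procedure above, modelled as an added example (not Cisco code). The ICMP probe is replaced by a constructed list of reply times so it runs offline; the frequency and timeout defaults, and the use of a higher administrative distance for the backup route, are assumptions.

```python
"""Simulate SLA-monitor route tracking (Dual ISP failover).

Added example, not Cisco code. An SLA monitor object probes a target with
ICMP echo requests; if no reply arrives within the timeout, the tracked
static route is withdrawn and the backup route carries traffic. Probe
results are constructed here instead of being sent on the wire.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SlaMonitor:
    sla_id: int             # ID number of the SLA operation (Step 6)
    target: str             # address monitored for reachability (Step 7)
    interface: str          # source interface for the echo requests (Step 8)
    frequency_s: int = 60   # seconds between echo requests (assumed default)
    timeout_ms: int = 5000  # no reply within this window => target down (assumed default)
    up: bool = True         # tracked state; monitoring starts at deployment


@dataclass
class StaticRoute:
    prefix: str
    gateway: str
    interface: str
    distance: int                    # lower wins; the backup route gets a higher value (assumed)
    track_sla: Optional[int] = None  # SLA ID this route depends on, if any


@dataclass
class RoutingTable:
    candidates: List[StaticRoute] = field(default_factory=list)

    def installed(self, monitors: Dict[int, SlaMonitor]) -> List[StaticRoute]:
        """Untracked routes plus tracked routes whose monitor is currently up."""
        return [r for r in self.candidates
                if r.track_sla is None or monitors[r.track_sla].up]

    def best(self, prefix: str, monitors: Dict[int, SlaMonitor]) -> Optional[StaticRoute]:
        """Preferred installed route for a prefix, or None if no route remains."""
        matching = [r for r in self.installed(monitors) if r.prefix == prefix]
        return min(matching, key=lambda r: r.distance) if matching else None


def process_probe(monitor: SlaMonitor, reply_ms: Optional[float]) -> bool:
    """Apply one echo-request result (None = no reply); return True if the state changed."""
    reachable = reply_ms is not None and reply_ms <= monitor.timeout_ms
    changed = reachable != monitor.up
    monitor.up = reachable
    return changed


def run_failover(reply_times: List[Optional[float]]) -> List[str]:
    """Replay constructed probe results; record the gateway serving 0.0.0.0/0 after each."""
    monitor = SlaMonitor(sla_id=10, target="203.0.113.1", interface="outside")
    table = RoutingTable([
        # Primary default route to ISP 1, tracked by SLA 10.
        StaticRoute("0.0.0.0/0", "203.0.113.1", "outside", distance=1, track_sla=10),
        # Backup default route to ISP 2, used only while the primary is withdrawn.
        StaticRoute("0.0.0.0/0", "198.51.100.1", "backup", distance=254),
    ])
    monitors = {monitor.sla_id: monitor}
    history: List[str] = []
    for reply in reply_times:
        process_probe(monitor, reply)
        route = table.best("0.0.0.0/0", monitors)
        history.append(route.gateway if route else "no route")
    return history


if __name__ == "__main__":
    # Constructed probe sequence: two replies, two timeouts, then recovery.
    for step, gateway in enumerate(run_failover([2.0, 3.0, None, None, 4.0]), 1):
        print(f"probe {step}: default route via {gateway}")
```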

Understanding Style Objects


Style objects are reusable, named components that can be referenced by other
objects and policies. A style object lets you configure style elements, including
color swatches and preview capabilities, to customize the appearance of the SSL
VPN page that appears to SSL VPN users when they connect to the security
appliance. Style objects enable you to configure font characteristics and colors
without requiring any Cascading Style Sheet (CSS) parameters to define the style.
To create a style object, see Creating Style Objects, page 8-170.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

Style Objects Page, page F-479

Creating Style Objects


You can create style objects to populate the SSL VPN Customization objects that
are referenced by SSL VPN policies. When you create a style object, you can
configure style elements, including font family, style, weight, and size, color
swatches, and preview capabilities.
This procedure describes how to create a style object.

Tip

You can also create style objects when defining policies or objects that use this
object type. For more information, see Selecting Objects for Policies, page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Style Objects from the Object Type selector.


The Style Objects page opens, displaying the currently defined style objects. For
a description of the elements on this page, see Table F-266 on page F-480.

Step 3

Right-click in the work area, then select New Object.


The Style Objects dialog box appears. For a description of the fields in this dialog
box, see Table F-267 on page F-481.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object.

Step 6

Specify a font family, style, weight, and size.

Step 7

Click Select next to the Foreground and Background fields to open the Select
Color dialog box from which you can select a foreground and background color
for the font. For more information, see Select Color Dialog Box, page B-17.
A preview of the font style is displayed.

Step 8

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 9

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Style Objects, page 8-169

Style Objects Dialog Box, page F-481

Understanding Text Objects


Text objects are a type of policy object variable. They are a name and value pair,
where the value can be a single string, a list of strings, or a table of strings. Their
flexibility allows you to enter any type of textual data to be referenced and acted
upon by FlexConfigs.
For information about creating text objects, see Creating Text Objects,
page 8-172.

Creating Text Objects


You can create a text object if you need textual data to be referenced and acted
upon by another policy object.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override object definitions at the device level. To override object definitions at the
device level, see Managing Object Overrides, page 8-12.

Tip

You can also create text objects when defining policies or objects that use this
object type. For more information, see Selecting Objects for Policies, page 8-203.
This procedure describes how to create text objects.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select Text Objects from the Object Type selector.


The Policy Object Manager dialog box appears.

Step 3

Right-click inside the work area, then click New Object.


The Add Text Object dialog box appears. For a description of the fields in this
dialog box, see Table F-269 on page F-484.

Step 4

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Text Object Dialog Box, page F-484

Understanding the Policy Object Manager Window, page 8-5

Understanding Text Objects, page 8-171

Understanding Time Range Objects


Time range objects are used when creating time-based ACLs and inspection rules.
While similar to extended ACLs in function, time-based ACLs allow for access
control based on time considerations. Each time range, which defines specific
times of the day and/or week, is referenced in the ACL or inspection rule by a
function. This enables you to place time restrictions on that function. For more
information, see Adding Access Rules, page 12-61 and Adding Inspection Rules,
page 12-74.
Time range objects can also be used when defining ASA user groups to restrict
VPN access to specific times during the week. For more information, see Creating
ASA User Group Objects, page 8-45.
Time range objects can rely on the device's system clock, but using Network Time
Protocol (NTP) synchronization is recommended.
To create a time range object, see Creating Time Range Objects, page 8-174.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

Creating Time Range Objects


You can create time range objects for use when creating time-based ACLs and
inspection rules. When you create a time range object, you can optionally define
specific periods within the defined start and end time.
This procedure describes how to create a time range object.

Tip

You can also create time range objects when defining policies or objects that use
this object type. For more information, see Selecting Objects for Policies,
page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select Time Ranges from the Object Type selector.

Step 3

Right-click in the work area, then select New Object.


The Time Range dialog box appears. For a description of the fields in this dialog
box, see Table F-271 on page F-487.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Define a start time for the time range object. You can either have the time range
take effect immediately upon deployment or define a specific date and time as the
start time.

Step 7

Define an end time for the time range object. You can either define a specific date
and time or specify that the time range continues indefinitely.

Step 8

(Optional) Define one or more recurring ranges for the time range object. These
ranges, which are recurring time intervals that fall within the start and end times
defined for the object, are defined as follows:
a. In the Recurring Ranges field, click the Add button. The Recurring Ranges
dialog box is displayed. See Table F-272 on page F-489 for a description of
the fields in this dialog box.

b. Select one of the following options:
Specify days of the week and time during which this recurring range will
be active
Specify a weekly interval during which this recurring range will be active

c. If you are basing the recurring range on days of the week, select which days
to include. Additionally, you can select a start time and end time, if required.
(By default, the start time and end time are both midnight.)

d. If you are basing the recurring range on a weekly interval, select the start
day/time and the end day/time.

e. Click OK. The Recurring Range dialog box closes and your definitions
appear in the Recurring Ranges field of the Time Range dialog box.

f. Repeat Step a through Step e to add additional recurring ranges to the time
range object, if required.

Note

To edit a recurring range, select it in the Recurring Ranges field, then
click the Edit button. To remove a recurring range, select it, then click
the Delete button.

Step 9

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 10

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding Time Range Objects, page 8-173
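An added example (not code from the guide or from Cisco) that evaluates a time range object as defined in Steps 6 through 8: an absolute start (or "immediately"), an absolute end (or "indefinitely"), and recurring ranges of either kind. Assumptions: recurring ranges are OR-ed together, the object is active only while both the absolute window and some recurring range (if any) match, and an end time of midnight means the end of the day.

```python
"""Evaluate whether a time range object is active at a given moment.

Added example, not Cisco code. Models the fields the guide describes for a
time range object and its recurring ranges; the semantics noted in the
comments are assumptions where the guide does not spell them out.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Union

MINUTES_PER_DAY = 24 * 60
MIDNIGHT = time(0, 0)


def _minute_of_day(t: time, is_end: bool = False) -> int:
    minutes = t.hour * 60 + t.minute
    # Assumption: an end time of midnight means the end of the day (24:00).
    return MINUTES_PER_DAY if is_end and minutes == 0 else minutes


@dataclass
class DaysOfWeekRange:
    """Recurring range: selected weekdays (0 = Monday) between two times of day."""
    days: Set[int]
    start: time = MIDNIGHT
    end: time = MIDNIGHT  # default start and end of midnight => the whole day

    def active(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        now = _minute_of_day(when.time())
        return _minute_of_day(self.start) <= now < _minute_of_day(self.end, is_end=True)


@dataclass
class WeeklyIntervalRange:
    """Recurring range: from a start day/time to an end day/time, may wrap past Sunday."""
    start_day: int
    start: time
    end_day: int
    end: time

    def active(self, when: datetime) -> bool:
        now = when.weekday() * MINUTES_PER_DAY + _minute_of_day(when.time())
        begin = self.start_day * MINUTES_PER_DAY + _minute_of_day(self.start)
        finish = self.end_day * MINUTES_PER_DAY + _minute_of_day(self.end, is_end=True)
        if begin <= finish:
            return begin <= now < finish
        # Interval wraps around the end of the week (e.g. Fri 22:00 -> Mon 06:00).
        return now >= begin or now < finish


RecurringRange = Union[DaysOfWeekRange, WeeklyIntervalRange]


@dataclass
class TimeRange:
    name: str
    start: Optional[datetime] = None  # None = takes effect immediately upon deployment
    end: Optional[datetime] = None    # None = continues indefinitely
    recurring: List[RecurringRange] = field(default_factory=list)

    def active(self, when: datetime) -> bool:
        if self.start is not None and when < self.start:
            return False
        if self.end is not None and when >= self.end:
            return False
        if not self.recurring:
            return True
        # Assumption: any matching recurring range makes the object active.
        return any(r.active(when) for r in self.recurring)


def active_at(time_range: TimeRange, iso_timestamp: str) -> bool:
    """Convenience wrapper: evaluate the object at an ISO 8601 timestamp such as 2024-06-12T10:30."""
    return time_range.active(datetime.fromisoformat(iso_timestamp))


# Constructed example: access on working days 08:00-18:00 plus a maintenance
# window from Friday 22:00 to Monday 06:00, valid until the end of 2024.
BUSINESS_HOURS = TimeRange(
    "business-hours",
    end=datetime(2025, 1, 1, 0, 0),
    recurring=[
        DaysOfWeekRange(days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0)),
        WeeklyIntervalRange(start_day=4, start=time(22, 0), end_day=0, end=time(6, 0)),
    ],
)

if __name__ == "__main__":
    for stamp in ("2024-06-12T10:30", "2024-06-12T19:00", "2024-06-15T03:00"):
        print(f"{stamp}: active={active_at(BUSINESS_HOURS, stamp)}")
```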

Creating Traffic Flow Objects


Traffic Flow objects are used to support PIX Firewall 7.0 and ASA 7.0 platforms.
This object supports the class-map command.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select Traffic Flow.


The Traffic Flow page appears. For a description of the GUI elements, see
Table F-273.

Step 3

Right-click inside the work area, then select New Object.


The Add Traffic Flow dialog box appears. For a description of the GUI elements,
see Table F-274.

Step 4

Enter the name of the object.

Step 5

(Optional) Enter a description to help you identify the object. If a description is
entered, an icon is displayed when you view the Traffic Flows table.

Step 6

Select the traffic match type from the list, then enter the appropriate values. The
dialog box values vary based on your selection. Options are:

Any traffic. For a description of the GUI elements, see Table F-274.

Source and destination IP address (uses access lists). For a description of the
GUI elements, see Table F-275.

Default inspection traffic. You can also choose to limit inspection between
source and destination IP addresses. For a description of the GUI elements,
see Table F-276.

Default inspection traffic with access list. For a description of the GUI
elements, see Table F-277.

TCP or UDP destination port. For a description of the GUI elements, see
Table F-278.

RTP range. For a description of the GUI elements, see Table F-279.

Tunnel group. For a description of the GUI elements, see Table F-280.

IP precedence bits. For more information, see Understanding IP Precedence
Bits, page 8-178. For a description of the GUI elements, see Table F-281.

IP DiffServ Code Point (DSCP) values. For a description of the GUI
elements, see Table F-282.

Step 7

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 8

Click OK to save your changes.


The Add Traffic Flow dialog box closes and you return to the Traffic Flows page.
The new object is shown in the table.

Note

By default, Security Manager displays a warning if you define an object that
matches an existing object. For more information, see Defining Policy Object
Settings, page 2-91.

Related Topics

Understanding IP Precedence Bits, page 8-178

Traffic Flows Page, page F-489

Understanding IP Precedence Bits


IP precedence bits are standard Type of Service (ToS) bits in an IP packet. They
are used for QoS packet classification. Using packet classification, you can
partition network traffic into multiple priority levels or classes of service.

By setting precedence levels on incoming traffic and using them in combination
with the Cisco IOS QoS queueing features, you can create differentiated service.
You can use features such as policy-based routing (PBR) and committed access
rate (CAR) to set precedence based on extended access list classification. These
features afford considerable flexibility for precedence assignment. For example,
you can assign precedence based on application or user, or by destination and
source subnetwork.

For historical reasons, each precedence corresponds to a name. These names,
which continue to evolve, are defined in the RFC 791 document. Table 8-8 lists
the numbers and their corresponding names, from least to most important.

You can partition traffic into up to six classes (the remaining two are reserved for
internal network use) and then use policy maps and extended ACLs to define
network policies in terms of congestion handling and bandwidth allocation for
each class.
Table 8-8 IP Precedence Pre-Defined Objects

Number  Name
0       Routine
1       Priority
2       Immediate
3       Flash
4       Flash-override
5       Critical
6       Internet
7       Network
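To make the relationship between the ToS byte, the precedence bits, and the DSCP values used by traffic flow objects concrete, here is an added Python example (not code from this guide or from Security Manager) that decodes the ToS byte of an IPv4 header, names the precedence using the Table 8-8 names, and flags the two classes the guide says are reserved for internal network use. The packet headers it parses are constructed inline.

```python
"""Decode the IPv4 ToS byte into IP precedence and DSCP (added example)."""
import struct

# IP precedence names from Table 8-8 / RFC 791, least to most important.
PRECEDENCE_NAMES = {
    0: "Routine",
    1: "Priority",
    2: "Immediate",
    3: "Flash",
    4: "Flash-override",
    5: "Critical",
    6: "Internet",
    7: "Network",
}

# Precedence 6 and 7 are reserved for internal network (control) traffic,
# which is why only six classes remain for partitioning user traffic.
RESERVED_PRECEDENCE = frozenset({6, 7})


def dscp_name(dscp: int) -> str:
    """Standard DSCP per-hop-behaviour name (RFC 2474, 2597, 3246)."""
    if dscp == 46:
        return "EF"                      # expedited forwarding
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"          # class selector, aligned with precedence
    cls, drop = divmod(dscp, 8)
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return f"AF{cls}{drop // 2}"     # assured forwarding AFxy
    return f"DSCP{dscp}"


def parse_tos(tos: int) -> dict:
    """Split a ToS byte into precedence (top 3 bits), DSCP (top 6 bits)
    and ECN (low 2 bits). DSCP is backward compatible with precedence:
    its top three bits are exactly the old precedence field."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS must be a single byte")
    precedence = tos >> 5
    dscp = tos >> 2
    return {
        "precedence": precedence,
        "name": PRECEDENCE_NAMES[precedence],
        "dscp": dscp,
        "dscp_name": dscp_name(dscp),
        "ecn": tos & 0x3,
        "user_assignable": precedence not in RESERVED_PRECEDENCE,
    }


def tos_from_ipv4_header(packet: bytes) -> int:
    """Return the ToS byte (offset 1) of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]


def build_ipv4_header(tos: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options, checksum left 0)."""
    version_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s", version_ihl, tos, 20, 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )


def classify(packets):
    """Count packets per precedence class (the partition a policy map acts on)
    and report any packet carrying a reserved precedence value."""
    counts = {}
    reserved = []
    for pkt in packets:
        info = parse_tos(tos_from_ipv4_header(pkt))
        counts[info["name"]] = counts.get(info["name"], 0) + 1
        if not info["user_assignable"]:
            reserved.append(info["name"])
    return counts, reserved


if __name__ == "__main__":
    # Constructed sample traffic; addresses are placeholders.
    sample = [
        build_ipv4_header(0xB8, "10.0.0.1", "10.0.1.5"),   # EF, precedence 5
        build_ipv4_header(0x28, "10.0.0.2", "10.0.1.5"),   # AF11, precedence 1
        build_ipv4_header(0x00, "10.0.0.3", "10.0.1.5"),   # best effort
        build_ipv4_header(0xE0, "10.0.0.4", "10.0.1.5"),   # CS7, reserved
    ]
    for pkt in sample:
        print(parse_tos(tos_from_ipv4_header(pkt)))
    print(classify(sample))
```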

Related Topics

Creating Traffic Flow Objects, page 8-176

Understanding URL List Objects


URL List objects are used in SSL VPNs. They define the URLs that are displayed
on the portal page after a successful login, to enable users to access the resources
available on SSL VPN websites, in Clientless access mode.
To create URL List objects, see Creating URL List Objects, page 8-179.
Related Topics

Configuring the Clientless and Thin Client Access Modes, page 11-26

Clientless and Thin Client Access Modes Page, page I-15

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

Creating URL List Objects


You can create URL List objects to use when you are configuring the Clientless
access mode for SSL VPN. They define lists of websites that can be displayed on
an SSL VPN portal page as bookmarks enabling users to access resources
available on SSL VPN websites.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override URL List object definitions at the device level. For more information, see
Managing Object Overrides, page 8-12.


Tip

You can also create URL list objects when defining policies or objects that use this
object type. For more information, see Selecting Objects for Policies, page 8-203.
This procedure describes how to create URL list objects.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select URL Lists.


The URL Lists page opens, displaying the currently defined URL list objects. For
a description of the elements on the URL Lists page, see Table F-283 on
page F-505.

Step 3

Right-click in the work area, then select New Object.


The URL List dialog box appears. For a description of the elements in this dialog
box, see Table F-284 on page F-506.

Step 4

Enter a name for the URL list object.

Step 5

(Optional) Enter a description for the object.

Step 6

Enter a heading that will be displayed above the URLs listed on the portal page of
the SSL VPN (only available for an IOS router).

Step 7

The URL List table displays any URLs that are defined for the object. To create
or edit a URL list entry to be included in the URL List table, click Create below
the table, or select a URL in the table and click Edit.
The Add/Edit URL Entry dialog box opens. For a description of the elements on
this dialog box, see Table F-285 on page F-508.

To define a URL for the URL List object, select the Enter URL option, then
specify a text label and http value for the URL.


To include an existing URL List in the URL List object, select the Include
Existing URL List option, then specify the required URL List in the URL
Lists field. You can click Select to open the URL Lists Selector from which
you can make your selection.

Click OK to save the changes, and close the Add/Edit URL Entry dialog box.
The entry appears in the URL List table in the URL List dialog box.

Step 8

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 9

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 10

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding URL List Objects, page 8-179

Configuring the Clientless and Thin Client Access Modes, page 11-26

Understanding User Group Objects


User group objects are used in Easy VPN topologies, remote access VPNs, and
SSL VPNs.


When you configure a remote access VPN, SSL VPN, or Easy VPN server, you
can create user groups to which remote clients belong. The remote clients must be
configured with the same group name as the user group on the VPN server, in
order to connect to the server; otherwise, no connection is established. When the
remote client connects to the VPN server successfully, the group policies for that
particular user group are pushed to all remote clients belonging to the user group.
For more information about user groups, see:

Configuring a User Group Policy for Easy VPN, page 9-117

User Group Policies in Remote Access VPNs, page 10-6

Configuring an SSL VPN Policy (IOS), page 11-11

Configuring ASA User Groups Policy in Your SSL VPN, page 11-43

To create user group objects, see Creating User Group Objects, page 8-182.
Related Topics

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

User Group Dialog Box, page F-510

Creating User Group Objects


Use the User Groups Objects page to create user group objects for use in your
remote access VPN, SSL VPN, or configured on your Easy VPN server.

Note

You must select the technology (Easy VPN/Remote Access VPN, or SSL VPN)
for which you are creating the user group object. If you are editing an existing user
group object, the technology is already selected, and you cannot change it.
Depending on the selected technology, the appropriate settings are available for
configuration.

Tip

You can also create User Group objects when defining policies or objects that use
this object type. For more information, see Selecting Objects for Policies,
page 8-203.


This procedure describes how to create User Group objects.


Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select User Groups.


The User Groups page opens, displaying the currently defined user group objects.
For a description of the elements on this page, see Table F-286 on page F-509.

Step 3

From the work area, right-click inside the table, then select New Object.
The User Group dialog box opens, displaying a list of settings that you can
configure for the user group. For a description of the elements on this dialog box,
see Table F-287 on page F-511.

Step 4

Enter the name of the user group object.

Step 5

(Optional) Enter a description to help you identify the object. A maximum of
1024 characters is allowed and special characters are permitted. If a description is
entered, an icon is displayed when you view the User Groups table.

Step 6

Specify a name for the user group. You should configure the same user group
name within the remote client or device to ensure that the appropriate group
attributes are downloaded.

Step 7

If you opened the User Group dialog box from the Policy Object Manager
window, select the type of technology for which you are creating the user group
object: Easy VPN/Remote Access VPN or SSL VPN.

Note

If you opened the dialog box from the Site-to-site VPN Manager, or the
Remote Access VPN or SSL VPN folder in the Device View, the
technology is already selected, and you cannot edit it.

Depending on the selected technology, the appropriate settings are displayed in
the Settings pane for configuration, as described in the following steps.


Step 8

To configure the user group for an Easy VPN or remote access VPN, from the
Settings pane:
a.

Select General to configure general settings for your user group policy,
including the authentication method, IP address pool information, and
connection attributes for PIX Firewalls. For a description of the elements
required to configure these settings, see Table F-288 on page F-513.

b.

Select DNS/WINS to define the DNS and WINS servers and the domain
name that should be pushed to clients associated with the user group. For a
description of the elements required to configure these settings, see
Table F-289 on page F-515.

c.

Select Split Tunneling to configure split tunneling for your user group. For
a description of the elements required to configure split tunneling, see
Table F-290 on page F-516.

d.

Select Client Settings (IOS) to define Cisco IOS specific options for your
user group, including firewall settings for VPN clients. For a description of
the elements required to configure these settings, see Table F-291 on
page F-518.

e.

Select Xauth Options (IOS) to configure IKE Extended Authentication
(Xauth) user authentication and connection parameters for the user group,
including the banner text. For a description of the elements required to
configure these settings, see Table F-292 on page F-520.

f.

Select Client VPN Software Update (IOS) to configure, for an IOS VPN
client, the platform type, VPN Client revisions, and image URL for each
client VPN software package installed, for your user group. For a description
of the elements required to configure these settings, see Table F-293 on
page F-522.

g.

Select Advanced Options (PIX) to configure options specifically for PIX
Firewalls in your user group. For a description of the elements required to
configure these options, see Table F-295 on page F-524.

Step 9

To configure the user group for an SSL VPN, from the Settings pane:
a.

Select Clientless to configure the Clientless mode of access to the corporate
network in an SSL VPN, for your user group. For a description of the
elements required to configure the Clientless mode, see Table F-296 on
page F-526.


b.

Select Thin Client to configure the Thin Client settings that enable the Thin
Client mode of access to the corporate network in an SSL VPN, for your user
group. For a description of the elements required to configure the Thin Client
mode, see Table F-297 on page F-528.

c.

Select Settings from the Full Tunnel folder to configure Full Tunnel settings
that enable the Full Tunnel mode of access to the corporate network in an
SSL VPN, for your user group. For a description of the elements required to
configure the Full Tunnel settings, see Table F-298 on page F-529.

d.

Select DNS/WINS from the Full Tunnel folder to define the DNS and WINS
servers for the user group in an SSL VPN. For a description of the elements
required to configure these settings, see Table F-289 on page F-515.

e.

Select Split Tunneling from the Full Tunnel folder to configure split
tunneling for your user group in an SSL VPN. For a description of the
elements required to configure split tunneling, see Table F-299 on
page F-531.

f.

Select Browser Proxy Settings from the Full Tunnel folder to configure the
browser proxy settings for your user group in an SSL VPN. For a description
of the elements required to configure these settings, see Table F-300 on
page F-533.

g.

Select Connection Settings to configure the SSL VPN connection settings
for the user group. For a description of the elements required to configure the
connection settings, see Table F-301 on page F-534.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
object when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 11

Click OK to save your definitions and close the User Group dialog box. The new
user group object appears in the table on the User Groups page in the Policy
Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.


Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding User Group Objects, page 8-181

User Groups Objects Page, page F-508

User Group Dialog Box, page F-510

User Group Dialog Box—General Settings, page F-512

User Group Dialog Box—DNS/WINS Settings, page F-514

User Group Dialog Box—Split Tunneling, page F-515

User Group Dialog Box—IOS Client Settings, page F-517

User Group Dialog Box—IOS Xauth Options, page F-519

User Group Dialog Box—IOS Client VPN Software Update, page F-522

User Group Dialog Box—Advanced PIX Options, page F-524

User Group Dialog Box—Clientless Settings, page F-525

User Group Dialog Box—Thin Client Settings, page F-527

User Group Dialog Box—SSL VPN Full Tunnel Settings, page F-528

User Group Dialog Box—SSL VPN Split Tunneling, page F-530

User Group Dialog Box—Browser Proxy Settings, page F-532

User Group Dialog Box—SSL VPN Connection Settings, page F-533

Understanding SSL VPN Customization Objects


A Customization object describes how to change the appearance of SSL VPN
pages displayed to SSL VPN users. This includes the Login page displayed to
users when they connect to the gateway or security appliance, the Home page


displayed to users after authentication, the Application Access window displayed
when users launch an application, and the Logout page displayed when users log
out of SSL VPN service.
After you customize the SSL VPN pages, you can save your customization and
apply it to a specific tunnel group, user group, or user. You can create and save
many customizations, enabling the gateway device or security appliance to
change the appearance of SSL VPN pages for individual users, or group of users.
For more information, see:

Customizing the SSL VPN Portal Page, page 11-10

Configuring the Portal Page for an IOS SSL VPN Policy, page 11-14

Portal Page Tab, page I-21

To create customization objects, see Creating SSL VPN Customization Objects,
page 8-187.
Related Topics

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5

SSL VPN Customization Dialog Box, page F-536

Creating SSL VPN Customization Objects


An SSL VPN Customization object lets you customize pages that are displayed to
SSL VPN users when they connect to the security appliance and after the security
appliance authenticates them, including the SSL VPN Home page and the
Application Access page.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override SSL VPN Customization object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.
This procedure describes how to create an SSL VPN Customization object.


Tip

You can also create SSL VPN Customization objects when defining policies or
objects that use this object type. For more information, see Selecting Objects for
Policies, page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select SSL VPN Customization from the Object Type selector. The SSL VPN
Customization page opens, displaying the defined SSL VPN Customization
objects. For a description of the elements on this page, see Table F-302 on
page F-535.

Step 3

Right-click in the work area, then select New Object.


The SSL VPN Customization dialog box appears. For a description of the fields
in this dialog box, see Table F-303 on page F-536.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object. The maximum length is
1024 characters (special characters are permitted).

Step 6

Select the Page Title tab to customize the SSL VPN page that appears to
SSL VPN users when they initially connect to the security appliance, as follows:
a.

Specify the text that you want to be displayed in the title bar of the SSL VPN
page.

b.

Enter the style of the title text to be displayed in the title bar of the SSL VPN
page. You can click Select to make your selection from a list of available
Style objects.

c.

Specify the style parameters for the SSL VPN page that is displayed when
users connect to the security appliance. You can click Select to make your
selection from a list of available Style objects.

d.

Select the logo to be displayed on the title bar of the SSL VPN login and
portal pages.


e.

Review the preview of the uploaded logo using your current title and logo
settings.

For a detailed description of the elements on the Page Title tab, see Table F-304
on page F-538.
Step 7

Select the Login/out Pages tab to customize the login box, login prompts, and
login buttons that appear to SSL VPN users when they initially connect to the
security appliance.
a.

In the Login Window area, enter the following information that appears in
the SSL VPN page login box displayed to SSL VPN users when they connect
to the security appliance:
Title text
Message
Text of the username prompt
Text of the password prompt
Text of the group prompt
Text of the Login button
Text of the Clear button

b.

In the Logout Window area, enter the title text and logout message to appear
in the logout box of the SSL VPN page when users log out of the SSL VPN
service.

For a detailed description of the elements on the Login/out Pages tab, see
Table F-305 on page F-540.
Step 8

Select the Home Page tab to customize the appearance of the SSL VPN home
page that the security appliance displays to authenticated SSL VPN users.
a.

In the Overall and Bookmarks area, specify the overall style and bookmarks
of the SSL VPN home page.

b.

In the Web Applications area, specify the types of text to appear in the Web
Applications box in the SSL VPN home page.

c.

In the Application Access area, specify the title text and message text to be
displayed in the Applications Access box of the SSL VPN home page.

d.

In the Network Browse area, specify the title text, message text, and
drop-down list text, that is displayed in the Browse Networks box of the
SSL VPN Home page.


For a detailed description of the elements on the Home Page tab, see Table F-306
on page F-544.
Step 9

Select the Application-Access/Prompt tab to customize the SSL VPN
Application Access window that appears to authenticated SSL VPN users that
select Application Access on the SSL VPN Home page.
a.

In the Application Access area, specify the window style, warning message
style, and warning message text of the Application Access window. You can
also select whether or not to display the application details in the Application
Access Window.

b.

In the Prompt Dialog area, specify the title style and message style of the
dialog messages that appear to authenticated SSL VPN users, and the border
width of the various prompt dialog messages as notices or warnings. You can
also select the Collapse option if you want to wrap these messages around the
lines of text.

For a detailed description of the elements on the Application-Access/Prompt tab,
see Table F-307 on page F-548.
Step 10

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 11

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 12

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.


Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding SSL VPN Customization Objects, page 8-186

SSL VPN Customization Dialog Box, page F-536

SSL VPN Customization Dialog Box—Page Title Tab, page F-538

SSL VPN Customization Dialog Box—Login/out Pages Tab, page F-539

SSL VPN Customization Dialog Box—Home Page Tab, page F-543

SSL VPN Customization Dialog Box—Application-Access/Prompt Tab,
page F-548

Understanding SSL VPN Gateway Objects


An SSL VPN gateway acts as a proxy for connections to protected resources,
which are accessed through an SSL-encrypted connection between the gateway
and a web-enabled browser on a remote device.
An SSL VPN gateway object includes parameters that enable the gateway to be
used as a proxy for connections to the protected resources in your SSL VPN.
These parameters include the gateway's IP address, the port that will carry HTTPS
traffic, and the digital certificate required to establish a secure connection.
To create SSL VPN gateway objects, see Creating SSL VPN Gateway Objects,
page 8-192.
Related Topics

Configuring an SSL VPN Gateway and Context, page 11-7

SSL VPN Gateway Page, page F-550

Creating Objects, page 8-2

Understanding the Policy Object Manager Window, page 8-5


Creating SSL VPN Gateway Objects


You can create an SSL VPN Gateway object to use when you are configuring an
SSL VPN connection on your VPN gateway (server) device. For more
information, see Configuring an SSL VPN Gateway and Context, page 11-7.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override SSL VPN Gateway object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.

Tip

You can also create SSL VPN Gateway objects when defining policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
This procedure describes how to create an SSL VPN Gateway object.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager.


The Policy Object Manager window appears.

Step 2

From the Object Type selector, select SSL VPN Gateways.


The SSL VPN Gateways page opens, displaying the currently defined SSL VPN
Gateway objects. For a description of the elements on this page, see Table F-308
on page F-550.

Step 3

Right-click in the work area, then select New Object.


The SSL VPN Gateway dialog box appears. For a description of the elements in
this dialog box, see Table F-309 on page F-552.

Step 4

Enter a name for the SSL VPN Gateway object.

Step 5

(Optional) Enter a description for the object.

Step 6

Specify the IP address used to configure the gateway object: either the public
static IP address of the router interface, or the router's public static IP address.


Step 7

Specify the number of the port that will carry the HTTPS traffic.

Step 8

Specify the trustpoint (digital certificate) required to establish the secure
connection.

Note

A self-signed certificate is generated when an SSL VPN gateway is
activated.

Step 9

Select Enable Gateway to activate the SSL VPN gateway.

Step 10

Select Specify SSL Encryption Algorithms to specify the encryption
algorithm(s) that the SSL protocol uses for the SSL VPN connections. Then select
up to three algorithms, in order of preference, from the lists provided.

Step 11

Select Redirect HTTP Traffic to configure the gateway to redirect HTTP traffic
over secure HTTP (HTTPS), then specify the port number over which the HTTP
traffic will be redirected in the field provided.

Step 12

(Optional) Under Category, select a color to help you identify this object in the
Objects table and in rule tables. See Understanding Category Objects, page 8-48.

Step 13

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. See Allowing a
Global Object to Be Overridden, page 8-198.

Step 14

Click OK to save your definitions. The new object appears in the table in the
SSL VPN Gateways page.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.

Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5


Understanding SSL VPN Gateway Objects, page 8-191

SSL VPN Gateway Dialog Box, page F-552

Understanding WINS Server List Objects


SSL VPN uses WINS and the Common Internet File System (CIFS) protocol to
access or share files on remote systems. When you attempt a file-sharing
connection to a Windows computer by using its computer name, the file server
you specify corresponds to a specific WINS name that identifies a resource on the
network.
The security appliance queries WINS or NetBIOS name servers to map WINS
names to IP addresses. SSL VPN requires NetBIOS to access or share files on
remote systems.
The Common Internet File System (CIFS) protocol provides users with network
access to files, printers, and other machine resources. SSL VPN serves remote
users with HTTPS portal pages that interface with a proxy CIFS client running on
the security appliance. Using this client, SSL VPN provides users with network
access to the files on the network, provided that the users meet user authentication
requirements and the file properties do not restrict access. The client is
transparent: the portal pages delivered by SSL VPN provide the appearance of
direct access to the file systems.
When a user requests a list of files, SSL VPN queries the server designated as the
master browser for the IP address of the server containing the list. The security
appliance gets the list and delivers it to the remote user on the SSL VPN portal
page.
To create WINS Server List objects, see Creating WINS Server List Objects,
page 8-195.
Related Topics

Understanding the Policy Object Manager Window, page 8-5

Creating Objects, page 8-2

Creating WINS Server List Objects, page 8-195

WINS Server Lists Page, page F-554


Creating WINS Server List Objects


The WINS Server List object lets you configure the Windows Internet Naming
Server (WINS) or NetBIOS attributes for the tunnel group. To make the WINS
function operational, you must configure at least one WINS server (host). For
more information about WINS Servers, see Understanding WINS Server List
Objects, page 8-194.
Objects are defined at the global level, which means that they are applied
identically to every object and policy that references them. However, you can
override WINS Server List object definitions at the device level. For more
information, see Managing Object Overrides, page 8-12.
This procedure describes how to create a WINS Server List object.

Tip

You can also create WINS Server List objects when defining policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
Before You Begin

Read and understand Guidelines for Managing Objects, page 8-4.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears.

Step 2

Select WINS Server Lists from the Object Type selector.


The WINS Server List page opens, displaying the currently defined WINS server
list objects. For a description of the elements on this page, see Table F-310 on
page F-555.

Step 3

Right-click in the work area, then select New Object.


The WINS Server List dialog box appears. For a description of the fields in this
dialog box, see Table F-311 on page F-556.

Step 4

Enter a name for the object.

Step 5

(Optional) Enter a description for the object.


Step 6

From the WINS Server List table, you can create a new WINS server or modify
the properties of an existing one, as follows:
a.

Click Create below the table, or select a WINS server in the table and click
Edit. The Add/Edit WINS Server dialog box opens. For a description of the
elements on this dialog box, see Table F-311 on page F-557.

b.

In the Server field, enter the IP address for the WINS server to translate
Windows file server names to IP addresses. You can click Select to open the
Network/Hosts Selector from which you can make your selection.

c.

Select the Set as Master Browser check box (by default it is deselected), to
enable the WINS server to function as a CIFS server. The master browser
maintains the list of computers and shared resources.

d.

In the Timeout field, specify the initial time in seconds that the server waits
for a response to a WINS query before sending the query to the next server.

e.

In the Retries field, specify the number of times to retry sending a WINS
query to the configured servers, in order.

f.

Click OK to save the changes and close the dialog box. The new or modified
WINS Server entry appears in the table in the WINS Server List dialog box.

Step 7

(Optional) Select a color from the Category list to help you identify the object
when it appears in the object or rules tables. For more information, see
Understanding Category Objects, page 8-48.

Step 8

(Optional) Select the Allow Value Override per Device check box to allow the
properties of this object to be redefined on individual devices. By default, all
interface role objects can be overridden. See Allowing a Global Object to Be
Overridden, page 8-198.

Step 9

Click OK to save your definitions. The new object appears in the table in the
Policy Object Manager window.

Tip

To perform additional actions on the object, see Managing Existing
Objects, page 8-9.


Note

By default, Security Manager displays a warning if you define an object
that matches an existing object. For more information, see Defining
Policy Object Settings, page 2-91.

Related Topics

Understanding the Policy Object Manager Window, page 8-5

Understanding WINS Server List Objects, page 8-194

WINS Server Lists Dialog Box, page F-556

Overriding Global Objects for Individual Devices


By default, objects are defined at the global level, which means that they are
applied identically to every object and policy that references them. However, there
are many object types whose definition can be overridden at the device level. To
identify those object types, look for the Overridable column in the objects table.
You can define overridable object types globally, then use device-level overrides
to specify the exact definition required on each device. One example might be a
case where you want to deny ICMP traffic to the different departments in your
company, each of which is connected to a different network. You can do this by
defining a policy with an access rule that includes a global network/host object
called Departmental Network. By allowing device override for this object, you
can then create overrides on each relevant device that specify the actual network
to which that device is connected.
Device-level object overrides are especially important when the global object is
included in the definition of a VPN policy, which applies to every device in the
VPN topology. For example, you select a PKI enrollment object when defining a
PKI policy on a site-to-site VPN. If the hub of your VPN uses a different CA
server than the spokes, you must use device-level overrides to specify the CA
server used by the hub. Although the PKI policy references a single PKI
enrollment object, the actual CA server represented by this object will differ for
the hub, based on the device-level override you define.


Related Topics

Allowing a Global Object to Be Overridden, page 8-198

Creating Device-Level Object Overrides, page 8-199

Deleting Device-Level Object Overrides, page 8-202

Allowing a Global Object to Be Overridden


You can designate discovered objects as well as objects created in Security
Manager as overridable.

Note

To identify the object types that can be overridden, select the object type in the
Policy Object Manager, then look for the Overridable column in the objects table.

Designating Discovered Objects as Overridable

To allow device-level overrides for policy objects that are discovered on devices,
perform the following procedure.
Procedure
Step 1

Select Tools > Security Manager Administration > Discovery.

Step 2

Select the Allow Device Override for Discovered Policy Objects check box.

Step 3

Click Save.

Designating Global Objects Defined in Security Manager as Overridable

To allow device-level overrides when defining a global object in
Security Manager, select the Allow Value Override per Device check box when
defining the object.
When you finish creating the object, a green checkmark appears in the
Overridable column in the Policy Object Manager window table entry for that
object. This checkmark indicates that you can create device-level overrides for the
object.


Related Topics

Overriding Global Objects for Individual Devices, page 8-197

Creating Device-Level Object Overrides, page 8-199

Deleting Device-Level Object Overrides, page 8-202

Creating Device-Level Object Overrides


After enabling the Allow Value Override per Device attribute in the relevant
object dialog box (see Allowing a Global Object to Be Overridden, page 8-198),
you can create device-level overrides in two places in Security Manager:

In the Device Property window of a selected device.

In the Policy Object Manager window.

Creating device-level overrides from the Policy Object Manager window makes
it easier to define overrides on multiple devices at one time. The procedure for
creating overrides is dependent on which method you use, as described in the
following sections:

Creating Object Overrides for a Single Device, page 8-199

Creating Object Overrides for Multiple Devices, page 8-200

If you override any part of the object definition at the device level, any subsequent
changes made to the policy definition at the global level do not affect the device
on which the object was overridden.
Related Topics

Deleting Device-Level Object Overrides, page 8-202

Creating Object Overrides for a Single Device


You can create device-level object overrides from the Device Properties window.
An override specifies a definition for a global object that affects only the selected
device. For example, you can override the definition of an AAA server group object
so that the object represents a different group of AAA servers for one device than
the group it represents for other devices.


Before You Begin

Define the global object, making sure to select the option that allows
device-level overrides. See Allowing a Global Object to Be Overridden,
page 8-198.

Procedure
Step 1

Select View > Device View or click the Devices button on the toolbar.

Step 2

Right-click a device in the Device selector, then select Device Properties.

Step 3

Select Policy Object Overrides from the Device Properties selector, then select
an overridable object type.
The work area of the Device Properties window displays all objects of the selected
type that may be overridden at the device level.

Step 4

Click the Create Override button, or right-click an object in the table, then select
Create Override. The dialog box for defining that object type is displayed. The
fields in the dialog box contain the global definition for the selected object.

Step 5

Modify the definition of the object, as required.

Step 6

Click OK to save the device-level override. In the Device Properties window, the
check box in the Value Overridden column of the table appears selected.

Related Topics

Creating Object Overrides for Multiple Devices, page 8-200

Deleting Device-Level Object Overrides, page 8-202

Creating Object Overrides for Multiple Devices


In addition to the Device Properties window of a particular device, you can create
device-level object overrides from the Policy Object Manager window. This
method enables you to create overrides on multiple devices at the same time,
which is especially useful when creating overrides for several devices that
participate in the same VPN topology. For example, if the spokes located in one
part of the VPN use a different CA server than the spokes located in a different
part of the VPN, you can override the PKI enrollment object that defines the
server for these devices. This is a more convenient method than selecting each
device individually from Device view and defining the override from the Device
Properties window.
Before You Begin

Define the global object, making sure to select the option that allows
device-level overrides. See Allowing a Global Object to Be Overridden,
page 8-198.

Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select an overridable object type from the Object Type selector.

Step 3

In the work area, select a user-defined object that can be overridden, as indicated
by the green checkmark in the Value Override column.

Step 4

Double-click the checkmark, or right-click the object and select Edit Device
Overrides. The Policy Object Overrides window is displayed.

Step 5

Click the Create button. The Create Overrides for Device dialog box is displayed.
See Table F-317 on page F-567 for a description of the elements in this dialog
box.

Step 6

Select one or more devices from the Available Devices list, click >> to add them
to the Selected Devices list, then click OK.

Step 7

In the dialog box that appears, define the properties of the device-level override,
then click OK.
The device-level overrides are created for each selected device and are displayed
in the Policy Object Overrides window.

Step 8

Click the Close button to return to the Policy Object Manager window.

Related Topics

Creating Object Overrides for a Single Device, page 8-199

Deleting Device-Level Object Overrides, page 8-202


Deleting Device-Level Object Overrides


Deleting a device-level override restores the global definition of the object to the
selected device. You can delete overrides from the Device Properties window or
from the Policy Object Manager window, as described in the following sections:

Deleting Overrides from the Device Properties Window, page 8-202

Deleting Overrides from the Policy Object Manager window, page 8-202

Deleting Overrides from the Device Properties Window


This procedure describes how to delete overrides from the Device Properties
window of a selected device.
Procedure
Step 1

Select View > Device View or click the Devices button on the toolbar.

Step 2

Right-click a device in the Device selector, then select Device Properties.

Step 3

Select Policy Objects from the Device Properties selector, then select one of the
available object types.

Step 4

In the work area, right-click the override you want to delete, then select Delete
Override. A confirmation message is displayed.

Step 5

Click Yes to delete the override and restore the global object definition.

Related Topics

Overriding Global Objects for Individual Devices, page 8-197

Allowing a Global Object to Be Overridden, page 8-198

Deleting Overrides from the Policy Object Manager window


This procedure describes how to delete device-level object overrides when
working in the Policy Object Manager window. When you delete an override, the
global definition of the object is restored to the selected device.


Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select one of the overridable object types from the Object Type selector. See
Creating Object Overrides for Multiple Devices, page 8-200.

Step 3

In the work area, select a user-defined object that can be overridden, as indicated
by the green checkmark in the Value Override column.

Step 4

Double-click the checkmark, or right-click the object and select Edit Device
Overrides. The Policy Object Overrides window is displayed.

Step 5

Select the override to delete and click the Delete button. A confirmation message
is displayed.

Step 6

Click Yes to delete the override and restore the global object definition.

Related Topics

Overriding Global Objects for Individual Devices, page 8-197

Allowing a Global Object to Be Overridden, page 8-198

Selecting Objects for Policies


When creating a policy, you often need to select one or more objects to include in
the policy definition. For example, firewall policies make use of network/host
objects, interface role objects, and service objects.
To include objects in policies, you can manually enter the object name or click a
button to display a popup object selector. Object selectors make it easy for you to
select which objects to include in a particular policy.
Additionally, object selectors enable you to create and edit objects of that type on
the fly. This makes it easy to work with objects without leaving the policy you are
defining to launch the Policy Object Manager. For example, if when creating a
dynamic NAT rule you discover that the ACL object you require does not exist,
you can click a button to launch the dialog box for creating an ACL object. When
you finish creating the object, you are returned to the object selector with the new
object selected and ready for inclusion in the policy.


When you create an object by launching the object editor from within a selector,
the new object must conform to the requirements of the field from which the
selector was launched. For example, if you launch a selector from a field requiring
a host and then decide to create a network/host object for that field, you must
define the network/host object as a host.
Security Manager includes two types of object selectors: a simple list selector
for policies that require you to select a single object, and a dual selector for
policies that allow you to select multiple objects of a certain type.
Object selectors for service objects include a third button for grouping. This
enables you to create a service group object without first closing the policy dialog
box.

Note

When using an object selector to select interfaces, be aware that there may be
interfaces and interface roles with the same name. They can be distinguished by
the icon displayed next to the name. For more information, see Specifying
Interfaces During Policy Definition, page 8-118.
Procedure

Step 1

From the page or dialog box of the policy you are configuring, go to a field
requiring an object, then click Select.
An object selector for the required object type is displayed. See Table F-313 on
page F-559 for a description of object selectors.
In certain cases, the object selector is prefiltered to display only the objects that
are applicable to the policy you are configuring. For example, when configuring
a policy that requires a subnet, the object selector displays only those
network/host objects that represent subnets, not network/host objects that
represent single hosts.

Tip

You can also create your own filters to apply to object selectors. For more
information, see Filtering Object Selectors, page 8-207.

Step 2

(When configuring sources and destinations) Select the type of object to
display: network/host objects or interface roles. You can include both types in
the same set of selections. When you click OK, your selections are displayed in
separate tabs in the page or dialog box in which they are defined.


Note

This option is available in the following policies: AAA Rules, Access
Rules, Inspection Rules, and NAT (PIX/ASA devices only).

Step 3

(When selecting ACL objects) Select the type of ACLs to display, standard or
extended. You can include both types in the same set of selections. When you
click OK, your selections are displayed in separate tabs in the page or dialog box
in which they are defined.

Step 4

Select the objects to include in the policy definition by doing one of the following:

In single-object selectors: Click the object you want to select from the
displayed list. The name of the object appears in the field at the bottom of the
selector.

In multiple-object selectors: Click the objects you want to select from the
Available list (standard multiple-selection shortcuts are supported), then
click >> to move your selections to the Selected list on the right. You can
return objects from the Selected list to the Available list by selecting them,
then clicking <<.

Tip

You can also move objects between lists by double-clicking them or by
selecting them and pressing Enter.

Tip

To quickly find a particular object, start typing its name. The selector
jumps to the nearest match.

Use the Move Up and Move Down buttons to change the order of the selected
objects. The order of the selected objects affects how they are used within a
particular policy.

Note

The up and down arrows appear only in those selectors where the order in
which the objects appear affects the policy definition. For example, when
defining a method list for AAA, use the arrows to determine the order in
which different types of AAA server groups are used.


Step 5

(Optional) If the object you need does not appear in the Available list, do one of
the following:

Right-click inside the list and select Create.

Click the Create button.

The dialog box for creating an object of that type is displayed. For example, if you
click the Create button from an interface role selector, the Interface Role dialog
box is displayed. When you finish creating the object, click OK to return to the
object selector. The new object is displayed in the Selected list.

Note

Object creation is limited to objects that can be successfully applied to the
current policy. For example, if the policy requires a network/host object
that represents a subnet, the new network/host object that you create from
the selector must represent a subnet.

Step 6

(Optional) If you wish to modify the properties of a user-defined object, select it,
then do one of the following:

Right-click the object, then select Edit.

Click the Edit button.

The dialog box for editing that object is displayed. Modify the properties of the
object as required, then click OK to return to the object selector.

Note

Predefined objects cannot be edited.

Step 7

(Optional) If you want to group services into a service group, select the relevant
objects in the Available list, then click the Group button to display the Service
Group Dialog Box, page F-464. For more information, see Creating Service
Group Objects, page 8-157.

Step 8

Click OK to save your definitions. The objects you selected are added to the
policy definition.

Related Topics

Policy Object Manager Filtering Bar, page 8-7

Guidelines for Managing Objects, page 8-4


Understanding the Policy Object Manager Window, page 8-5

Filtering Object Selectors


You can filter the list of objects displayed in an object selector according to the
policy name. For example, if you have dozens of service objects, you can create
and apply a filter so that only those services having a certain name are displayed
in the selector.
You can also create more sophisticated filters. For example, you can create a filter
for network/host objects by selecting Type Isn't Host. When applied, this filter
displays only those network/host objects that are defined as networks, not objects
representing individual hosts. For services, you can select Service Includes
port plus the port number to display only those services that use that specific port.
Each user can define a maximum of 10 filters for each object type. After that,
creating an additional filter replaces the oldest one in the list. In other words, the
11th filter replaces the first filter.
Filters are created and applied from the Filter list displayed above the list of
available objects.
Procedure
Step 1

From the page or dialog box of the policy you are configuring, go to a field
requiring an object, then click Select.
An object selector for the required object type is displayed. See Table F-313 on
page F-559 for a description of object selectors.

Step 2

Select Create Filter from the Filter list displayed above the list of available
objects. The Create Filter dialog box is displayed. See Table F-314 on page F-562
for a description of the fields in this dialog box.

Step 3

Define a filter criterion:


a.

Select a filter type from the list on the left. Different filter types are available,
depending on the object type. The default type is Name.

b.

Select an operator from the list in the center. The operator defines how the
filter relates to the object name. For example, when the selected filter type is
Name, the available operators are: contains, doesn't contain, is, isn't, begins
with, and ends with.


c.

Enter a string representing the object name or partial object name in the field
on the right.
For example, if you define the criterion as Name begins with Branch, the filter
will include only those objects whose names begin with Branch.

d.

Click Add. The defined criterion is displayed in the content area of the Create
Filter dialog box.

Note

To remove a criterion from the filter definition, select it in the content
area and click Remove.

e.

Repeat steps b through d to add criteria to the filter.

For a complete list of filtering options per object type, see Object Filtering
Options, page 8-209.
Step 4

Select one of the following options:

Match Any of the Following: Creates an OR relationship among the filter
criteria. Objects matching any of your criteria are included in the filter.

Match All of the Following: Creates an AND relationship among the filter
criteria. Only those objects matching all your criteria are included in the filter.

Step 5

Click OK. The filter is saved and added to the Filter list in the selector.

Step 6

To apply the filter, select it from the Filter list. To display objects without a filter,
select None from the Filter list.

Related Topics

Object Filtering Options, page 8-209

Selecting Objects for Policies, page 8-203


Object Filtering Options


Table 8-9 shows the filtering options that are available for each object type in
Security Manager.
Table 8-9

Object Filtering Options

Object Type | Types | Operators | Values
All | Name | contains, doesn't contain, is, isn't, begins with, ends with | text field
All | Category | is, isn't | list of categories
AAA Server Group | Predefined | Is true, Is false | (disabled)
FlexConfig | Type | is, isn't | Append, Prepend
FlexConfig | Group | is, isn't | list of FlexConfig groups
FlexConfig | Predefined | Is true, Is false | (disabled)
IKE Proposals | Predefined | Is true, Is false | (disabled)
Interface Role | Predefined | Is true, Is false | (disabled)
Interface Role | Physical | Is true, Is false | (disabled)
IPsec Transform Set | Predefined | Is true, Is false | (disabled)
Network/Host | Content | contains text, doesn't contain text, includes address, doesn't include address | text or address
Network/Host | Predefined | Is true, Is false | (disabled)
Network/Host | Type | is Network, is Host | (disabled)
Port List | Predefined | Is true, Is false | (disabled)
Port List | Content | includes port, doesn't include port | port number (text field)
Service/Service Group | Content | contains, doesn't contain | text field
Service/Service Group | Destination | includes port, doesn't include port | port number (text field)
Service/Service Group | Group | Is true, Is false | (disabled)
Service/Service Group | Predefined | Is true, Is false | (disabled)
Service/Service Group | Protocol | is, isn't | list of protocols
Service/Service Group | Source | includes port, doesn't include port | port number (text field)
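The filter behaviour described in Filtering Object Selectors (criteria combined with Match Any or Match All, at most 10 saved filters per object type) and the operators of Table 8-9, worked through as an added Python example. This is not Security Manager code; the object fields, sample objects and filter names are constructed for the example.

```python
"""Object-selector filters (Create Filter dialog, Table 8-9): a filter is a list
of (filter type, operator, value) criteria combined with Match Any or Match All;
each object type keeps at most 10 saved filters.  Added example, not Security
Manager code; object fields, sample objects and filter names are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Tuple

@dataclass
class PolicyObject:
    name: str
    obj_type: str                                        # e.g. "Network/Host"
    predefined: bool = False
    networks: List[str] = field(default_factory=list)   # Network/Host content
    is_host: Optional[bool] = None                      # Network/Host "Type"
    src_ports: List[int] = field(default_factory=list)  # service "Source" ports
    dst_ports: List[int] = field(default_factory=list)  # service "Destination" ports

# Operators of the Name filter type, the default type in the Create Filter dialog.
NAME_OPS = {
    "contains": lambda n, v: v in n,
    "doesn't contain": lambda n, v: v not in n,
    "is": lambda n, v: n == v,
    "isn't": lambda n, v: n != v,
    "begins with": lambda n, v: n.startswith(v),
    "ends with": lambda n, v: n.endswith(v),
}

def matches(obj: PolicyObject, crit: Tuple[str, str, str]) -> bool:
    """Evaluate one (filter type, operator, value) criterion (subset of Table 8-9)."""
    ftype, op, value = crit
    if ftype == "Name":
        return NAME_OPS[op](obj.name, value)
    if ftype == "Predefined":                            # Is true / Is false
        return obj.predefined == (op == "Is true")
    if ftype == "Type":                                  # is Network / is Host
        return obj.is_host == (op == "is Host")
    if ftype == "Content" and obj.obj_type == "Network/Host":
        addr = ip_network(value, strict=False)           # includes address / doesn't include address
        hit = any(addr.subnet_of(ip_network(n, strict=False)) for n in obj.networks)
        return hit if op == "includes address" else not hit
    if ftype in ("Source", "Destination"):               # includes port / doesn't include port
        ports = obj.src_ports if ftype == "Source" else obj.dst_ports
        return (int(value) in ports) == (op == "includes port")
    raise ValueError(f"filter type {ftype!r} is not modelled in this example")

@dataclass
class ObjectFilter:
    name: str
    criteria: List[Tuple[str, str, str]]
    match_all: bool = False      # False = Match Any (OR), True = Match All (AND)

    def apply(self, objects: List[PolicyObject]) -> List[PolicyObject]:
        combine = all if self.match_all else any
        return [o for o in objects if combine(matches(o, c) for c in self.criteria)]

MAX_FILTERS_PER_TYPE = 10

class FilterList:
    """Saved filters per object type; saving an 11th replaces the oldest one."""
    def __init__(self) -> None:
        self._saved = {}                 # object type -> filters, oldest first

    def save(self, obj_type: str, flt: ObjectFilter) -> None:
        lst = self._saved.setdefault(obj_type, [])
        if len(lst) >= MAX_FILTERS_PER_TYPE:
            lst.pop(0)                   # drop the oldest filter
        lst.append(flt)

    def names(self, obj_type: str) -> List[str]:
        return [f.name for f in self._saved.get(obj_type, [])]

# Constructed sample objects for the demo.
NETWORKS = [
    PolicyObject("any", "Network/Host", predefined=True, networks=["0.0.0.0/0"], is_host=False),
    PolicyObject("Branch-NY", "Network/Host", networks=["10.1.0.0/16"], is_host=False),
    PolicyObject("Branch-LA", "Network/Host", networks=["10.2.0.0/16"], is_host=False),
    PolicyObject("HQ-Proxy", "Network/Host", networks=["10.2.5.9/32"], is_host=True),
]
SERVICES = [
    PolicyObject("HTTPS", "Service/Service Group", predefined=True, dst_ports=[443]),
    PolicyObject("Intranet-Web", "Service/Service Group", dst_ports=[80, 8080]),
]

def demo() -> dict:
    """Apply four filters, including the guide's own "Name begins with Branch"."""
    branch = ObjectFilter("branch-sites", [("Name", "begins with", "Branch")])
    nets = ObjectFilter("networks-only", [("Type", "is Network", "")])
    la = ObjectFilter("la-user-defined", [("Content", "includes address", "10.2.5.9"),
                                          ("Predefined", "Is false", "")], match_all=True)
    web = ObjectFilter("web-ports", [("Destination", "includes port", "80"),
                                     ("Destination", "includes port", "443")])
    return {"branch": [o.name for o in branch.apply(NETWORKS)],
            "networks": [o.name for o in nets.apply(NETWORKS)],
            "la": [o.name for o in la.apply(NETWORKS)],
            "web": [o.name for o in web.apply(SERVICES)]}
```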


Related Topics

Filtering Object Selectors, page 8-207

Selecting Objects for Policies, page 8-203

How Policy Objects are Provisioned as PIX/ASA Object Groups


Object groups are a feature of PIX and ASA devices that enable you to reduce the
size of access rules by grouping objects such as IP hosts, networks, protocols,
ports, and ICMP message types. Although the functionality of object groups is
similar to the functionality of policy objects in Security Manager, there are several
important differences in implementation.
As a result, when deploying policies to a device, it is not always possible to create
object groups that are an exact copy of the policy objects that you configured in
Security Manager. To take one example, policy object names are unique per object
type in Security Manager (that is, you can define a network/host object and a
service object with the same name); PIX object groups of all types, however, share
a single naming scheme. Therefore, if you deploy a network/host object whose
name matches an existing service object group on the device, a suffix is added to
the name of the network/host object to distinguish it from the service object
group.

Note

For more information about the options available when deploying object groups,
see Defining Deployment Settings, page 2-65.
Similarly, when discovering policies on a device, it is not always possible to
create policy objects that are an exact copy of the object groups that are
configured on the device. However, Security Manager preserves as much of the
original configuration as possible.
The following sections describe the changes that are made when provisioning
policy objects to PIX object groups:

How Network/Host Objects are Provisioned as PIX/ASA Object Groups,
page 8-212

How Port List Objects are Provisioned as PIX/ASA Object Groups,
page 8-214

How Service Objects are Provisioned as PIX/ASA Object Groups,
page 8-215

How Service Group Objects are Provisioned as PIX/ASA Object Groups,
page 8-218

The information contained in these sections can also be used to understand how
object groups are converted into policy objects when imported into Security
Manager. For more information, see Discovering Policies, page 6-7.
Related Topics

Guidelines for Managing Objects, page 8-4

Managing Objects, page 8-1

Working with Deployment, page 18-35

How Network/Host Objects are Provisioned as PIX/ASA Object Groups


In most cases, network/host objects can be provisioned as object groups without
changing the object name. Table 8-10 describes how Security Manager changes
the names of network/host objects whose names cannot be converted directly to
object groups on PIX/ASA devices.

Note

The predefined network/host object any cannot be provisioned as an object group.


Table 8-10

How Network/Host Objects are Named as Object Groups

Condition | New Name | Examples
Object name includes a space. | Space is replaced with an underscore. | A network/host object named my network is changed to an object group named my_network when deployed.
Object name is longer than 64 characters (maximum supported by object groups). | Name is truncated so that any suffixes required by the object group (such as _TCP or _UDP, or unique numbers, such as _1) can be added while remaining within the 64-character limit. |
Device already has an object group (Protocol/ICMP/Service) with the same name. | A numeric suffix is added to the name, starting from 1. | If you provision a network/host object named West and the device already has a TCP service object group named West, the name of the object group is changed to West_1 when deployed.

Related Topics

Understanding Network/Host Objects, page 8-127

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211


How Port List Objects are Provisioned as PIX/ASA Object Groups


In most cases, port list objects can be provisioned as object groups without
changing the object name. Table 8-11 describes how Security Manager changes
the names of port list objects whose names cannot be converted directly to object
groups on PIX/ASA devices.
Table 8-11

How Port List Objects are Named as Object Groups

Condition | New Name | Examples
Object name includes a space. | Space is replaced with an underscore. | A port list object named my portlist is changed to an object group named my_portlist when deployed.
Object name is longer than 64 characters (maximum supported by object groups). | Name is truncated so that any suffixes required by the object group (such as _TCP or _UDP, or unique numbers, such as _1) can be added while remaining within the 64-character limit. |
Device already has an object group (Protocol/ICMP/Service) with the same name. | A numeric suffix is added to the name, starting from 1. | If you provision a port list object named West and the device already has a TCP service object group named West, the name of the object group is changed to West_1 when deployed.
You have already created a network/host object group with the same name. | A numeric suffix is added to the name, starting from 1. | If you have a network/host object and a port list object that are both named West, the network/host object is deployed as West and the port list is deployed as West_1.

Related Topics

Understanding Port List Objects, page 8-150

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211


How Service Objects are Provisioned as PIX/ASA Object Groups


Table 8-12 describes how Security Manager changes the names of service objects
whose names cannot be converted directly to object groups on PIX/ASA devices.
Table 8-12

How Service Objects are Named as Object Groups

Condition | New Name | Examples
Object name includes a space. | Space is replaced with an underscore. | A service object named my service is changed to an object group named my_service when deployed.
Object name is longer than 64 characters (maximum supported by object groups). | Name is truncated so that any suffixes required by the object group (such as _TCP or _UDP, or unique numbers, such as _1) can be added while remaining within the 64-character limit. |
Device already has an object group (Protocol/ICMP/Service) with the same name. | A numeric suffix is added to the name, starting from 1. | If you provision a service object named West and the device already has a TCP service object group named West, the name of the object group is changed to West_1 when deployed.
You have already created a network/host object group with the same name. | A numeric suffix is added to the name, starting from 1. | If you have a network/host object and a service object that are both named West, the network/host object is deployed as West and the service is deployed as West_1.
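The naming rules shared by Tables 8-10, 8-11 and 8-12 (space to underscore, truncation that leaves room for suffixes within 64 characters, numeric suffix on a name clash across all object-group types), as an added Python example that is not Security Manager code. The number of characters reserved for suffixes, the deployment order of object types (chosen so that the West/West_1 examples come out as the tables state) and the sample names are assumptions.

```python
"""Object-group naming for network/host, port list and service objects
(Tables 8-10 to 8-12).  Added example, not Security Manager code: the number of
characters reserved for suffixes, the order in which object types are deployed
and the sample names are assumptions."""

OBJECT_GROUP_NAME_MAX = 64   # maximum name length supported by object groups
SUFFIX_RESERVE = 4           # assumed room kept for suffixes such as _TCP or _1

# Assumed deployment order, chosen so that a network/host object and a port
# list (or service) object that share a name come out as West and West_1.
DEPLOY_ORDER = ("network/host", "port list", "service")


def object_group_name(object_name: str, taken) -> str:
    """Name the object group for object_name, given the names already taken.
    Object groups of every type share one namespace on the device."""
    base = object_name.replace(" ", "_")                 # space -> underscore
    if len(base) > OBJECT_GROUP_NAME_MAX:                # leave room for suffixes
        base = base[:OBJECT_GROUP_NAME_MAX - SUFFIX_RESERVE]
    candidate, n = base, 1
    while candidate in taken:                            # numeric suffix from 1
        candidate = f"{base}_{n}"
        n += 1
    return candidate


def provision_names(objects, device_groups):
    """objects: iterable of (object type, object name) pairs to deploy.
    device_groups: names of object groups already present on the device.
    Returns {(object type, object name): object group name}."""
    taken = set(device_groups)
    assigned = {}
    for obj_type in DEPLOY_ORDER:
        for otype, name in objects:
            if otype != obj_type:
                continue
            group = object_group_name(name, taken)
            taken.add(group)                             # later objects must avoid it
            assigned[(otype, name)] = group
    return assigned
```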


Table 8-13 describes how Security Manager creates object groups when
deploying service objects to PIX/ASA devices.

Table 8-13    How Service Objects are Provisioned as Object Groups

Condition: Service object contains ICMP protocol and ICMP message types.
Generated Object Group: Generates an ICMP-type object group with the same
name as the service object.
Examples:
Service object service1:
icmp/icmp-echo, 23
Object group:
object-group icmp-type service1
icmp-object icmp-echo
icmp-object 23

Condition: Service object contains only protocols.
Generated Object Group: Generates a protocol object group with the same name
as the service object.
Examples:
Service object service1:
tcp, gre, 34
Object group:
object-group protocol service1
protocol-object tcp
protocol-object gre
protocol-object 34

Condition: Service object uses port list objects for both source and
destination ports.
Generated Object Group: Generates service object groups that match the port
list objects.
Examples: For more information, see Table 8-11 on page 8-214.

Condition: Service object contains multiple ports or port ranges, but does not
use port list object for the source ports.
Generated Object Group: Generates service object group with the name
<ObjectName>.src for the source ports.
Examples:
Service object serv1:
tcp/400,600/23-80
Object group:
object-group service serv1.src tcp
port-object eq 400
port-object eq 600

Condition: Service object contains multiple ports or port ranges, but does not
use port list object for the destination ports.
Generated Object Group: Generates service object group for the destination
ports with the same name as the service object.
Examples:
Service object serv1:
tcp/400,600/23-80, 566
Object group:
object-group service serv1 tcp
port-object range 23 80
port-object eq 566
object-group service serv1.src tcp
port-object eq 400
port-object eq 600

Condition: Service object contains the TCP&UDP protocol and includes defined
ports.
Examples:
Service object serv1:
tcp&udp/400,600/23-80, 566
Object group:
object-group service serv1 tcp
port-object range 23 80
port-object eq 566
object-group service serv1.src tcp
port-object eq 400
port-object eq 600
object-group protocol tcp-udp
protocol-object tcp
protocol-object udp
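How the service-object notation used in Table 8-13 (protocol/source ports/destination ports) maps to the object-group lines the table prints, as an added worked example that is not Security Manager's code. It reproduces the table's examples as printed (including the `tcp` keyword on the service groups of a TCP&UDP object and the extra `tcp-udp` protocol group); using the `udp` keyword for a UDP-only object is an assumption by analogy with the TCP rows, and the port-list-object row of the table is not covered.

```python
from typing import Dict, List


def parse_service(spec: str) -> Dict:
    """Parse 'tcp, gre, 34', 'icmp/icmp-echo, 23', 'tcp/80',
    'tcp/400,600/23-80, 566' or 'tcp&udp/400,600/23-80, 566'."""
    parts = spec.replace(" ", "").split("/")
    if len(parts) == 1:                              # protocols only
        return {"kind": "protocol", "protocols": parts[0].split(",")}
    proto = parts[0]
    if proto == "icmp":                              # ICMP message types
        return {"kind": "icmp", "types": parts[1].split(",")}
    if len(parts) == 2:                              # destination ports only
        src, dst = [], parts[1].split(",")
    else:                                            # source and destination ports
        src, dst = parts[1].split(","), parts[2].split(",")
    return {"kind": "ports", "proto": proto, "src": src, "dst": dst}


def port_lines(ports: List[str]) -> List[str]:
    """'23-80' -> 'port-object range 23 80'; '566' -> 'port-object eq 566'."""
    lines = []
    for p in ports:
        if "-" in p:
            lo, hi = p.split("-")
            lines.append(f"port-object range {lo} {hi}")
        else:
            lines.append(f"port-object eq {p}")
    return lines


def object_groups(name: str, spec: str) -> List[str]:
    """Return the object-group CLI lines Table 8-13 shows for one service object."""
    svc = parse_service(spec)
    out: List[str] = []
    if svc["kind"] == "icmp":
        out.append(f"object-group icmp-type {name}")
        out += [f"icmp-object {t}" for t in svc["types"]]
    elif svc["kind"] == "protocol":
        out.append(f"object-group protocol {name}")
        out += [f"protocol-object {p}" for p in svc["protocols"]]
    else:
        # The table prints the service groups with the 'tcp' keyword for both TCP
        # and TCP&UDP objects; 'udp' for UDP-only objects is an assumption.
        keyword = "tcp" if svc["proto"] in ("tcp", "tcp&udp") else svc["proto"]
        if svc["dst"]:                               # destination ports keep the object's name
            out.append(f"object-group service {name} {keyword}")
            out += port_lines(svc["dst"])
        if svc["src"]:                               # source ports go to <ObjectName>.src
            out.append(f"object-group service {name}.src {keyword}")
            out += port_lines(svc["src"])
        if svc["proto"] == "tcp&udp":                # TCP&UDP also gets a protocol group
            out += ["object-group protocol tcp-udp",
                    "protocol-object tcp",
                    "protocol-object udp"]
    return out


if __name__ == "__main__":
    # Constructed inputs taken from the table's example column.
    for name, spec in [("service1", "icmp/icmp-echo, 23"),
                       ("service1", "tcp, gre, 34"),
                       ("serv1", "tcp&udp/400,600/23-80, 566")]:
        print("\n".join(object_groups(name, spec)), "\n")
```

The destination-port group is emitted whenever destination ports are present, so a spec such as the table's `tcp/400,600/23-80` yields both the plain-named destination group and the `.src` group; the table's fourth row shows only the `.src` part because that row is about source ports.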

Related Topics

Understanding Service Objects, page 8-159

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211


How Service Group Objects are Provisioned as PIX/ASA Object Groups

Table 8-14 describes how Security Manager creates object groups when
deploying service group objects to PIX/ASA devices.


Table 8-14    How Service Group Objects are Provisioned as Object Groups

Condition: Service group object contains only ICMP-based service objects.
Generated Object Group: Generates an ICMP-type object group with the same
name as the service group object.
Examples:
Service object service1:
icmp/icmp-echo, 23
Service object service2:
icmp/icmp-echo-reply, 29
Service group object servgrp1:
service1, service2
Object group:
object-group icmp-type service1
icmp-object icmp-echo
icmp-object 23
object-group icmp-type service2
icmp-object icmp-echo-reply
icmp-object 29
object-group icmp-type servgrp1
group-object service1
group-object service2

Condition: Service group object contains only protocol-based service objects.
Generated Object Group: Generates a protocol object group with the same name
as the service group object.
Examples:
Service object service1:
tcp
Service object service2:
gre
Service group object servgrp1:
service1, service2
Object group:
object-group protocol servgrp1
protocol-object tcp
protocol-object gre

Condition: Service group object contains multiple ICMP-based service objects
and other types of service objects.
Generated Object Group: Generates ICMP-type object groups with the name
<ObjectName>.icmp.
Examples:
Service object icmp1:
icmp/icmp-echo, 23
Service object icmp2:
icmp/1, 3
Service object http:
tcp/80
Service group object grp1:
icmp1, icmp2, http
Object group:
object-group icmp-type icmp1
icmp-object icmp-echo
icmp-object 23
object-group icmp-type icmp2
icmp-object 1
icmp-object 3
object-group icmp-type grp1.icmp
(contains icmp1 and icmp2)

Condition: Service group object contains multiple protocol-based service
objects and other types of service objects.
Generated Object Group: Generates a protocol object group with the name
<ObjectName>.prot.
Examples:
Service object prot1:
tcp, udp, 45
Service object prot2:
65, gre
Service object http:
tcp/80
Service group object grp1:
prot1, prot2, http
Object group:
object-group protocol prot1
protocol-object tcp
protocol-object udp
protocol-object 45
object-group protocol prot2
protocol-object 65
protocol-object gre
object-group protocol grp1.prot
group-object prot1
group-object prot2

Condition: Service group object contains multiple TCP service objects with
identical source ports.
Generated Object Group: Generates a service object group for the destination
ports in the various service objects with the same name as the service group
object. If the service group object contains other types of service objects
(protocol, ICMP, UDP with ports, TCP&UDP with ports), the object group is
named <ObjectName>.tcp.
Note: For UDP service objects, the object group suffix is udp; for TCP&UDP
service objects, the object group suffix is tcpudp.
Examples:
Service object icmp1:
icmp/icmp-echo, 23
Service object https:
tcp/80
Service object ftp:
tcp/23
Service group object grp1:
icmp1, https, ftp
Object group:
object-group icmp-type icmp1
icmp-object icmp-echo
icmp-object 23
object-group service grp1.tcp tcp
(contains ports 80 and 23)

Condition: Service group object contains multiple TCP service objects with
identical destination ports.
Generated Object Group: Generates a service object group for the source ports
in the various service objects with the name <ObjectName>.src. If the service
group object contains other types of service objects (protocol, ICMP, UDP with
ports, TCP&UDP with ports), the object group is named <ObjectName>.tcp.src.
Note: For UDP service objects, the object group suffix is udp; for TCP&UDP
service objects, the object group suffix is tcpudp.
Examples:
Service object icmp1:
icmp/icmp-echo, 23
Service object service1:
tcp/34/80
Service object service2:
tcp/35/80
Service group object grp1:
icmp1, service1, service2
Object group:
object-group icmp-type icmp1
icmp-object icmp-echo
icmp-object 23
object-group service grp1.tcp.src tcp
(contains ports 34 and 35)

Related Topics

Understanding Service Group Objects, page 8-157

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211


Chapter 9

Managing Site-to-Site VPNs


A virtual private network (VPN) consists of multiple remote peers transmitting
private data securely to one another over an unsecured network, such as the
Internet. Site-to-site VPNs use tunnels to encapsulate data packets within normal
IP packets for forwarding over IP-based networks, using encryption to ensure
privacy and authentication to ensure integrity of data.
In Cisco Security Manager, site-to-site VPNs are implemented based on IPsec
policies that are assigned to VPN topologies. An IPsec policy is a set of
parameters that define the characteristics of the site-to-site VPN, such as the
security protocols and algorithms that will be used to secure traffic in an IPsec
tunnel. Security Manager translates IPsec policies into CLI commands that can be
deployed to the devices in the VPN topology. Several policy types may be
required to define a full configuration image that can be assigned to a VPN
topology, depending on the IPsec technology type.
The Site-to-Site VPN Manager defines and configures site-to-site VPN topologies
and policies on Cisco IOS security routers, PIX Firewalls, Catalyst VPN Service
Modules, and Adaptive Security Appliance (ASA) firewall devices.
You can access the Site-to-Site VPN Manager by selecting
Tools > Site-To-Site VPN Manager or clicking the Site-To-Site VPN Manager
button on the toolbar.


Note

You can also view site-to-site VPN topologies and configure policies in Policy
view and Device view. In the Policy View you can assign IPsec policies to VPN
topologies. For more information, see:

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Managing VPN Devices in Device View, page 9-62

Modifying Policy Assignments in Policy View, page 6-46

The following topics describe:

Understanding VPN Topologies, page 9-2

Understanding IPsec Technologies and Policies, page 9-8

Site-To-Site VPN Discovery, page 9-13

Working with VPN Topologies, page 9-20

Managing VPN Devices in Device View, page 9-62

Working with Site-to-Site VPN Policies, page 9-64

Understanding VPN Topologies


A VPN topology specifies the peers and the networks that are part of the VPN and
how they connect to one another. After you create a VPN topology, the policies
that can be applied to your VPN topology become available for configuration,
depending on the assigned IPsec technology.
Security Manager supports three main types of topologies with which you can
create a site-to-site VPN: hub and spoke, point to point, and full mesh. Not all
policies can be applied to all VPN topologies. The policies that can be applied
depend on the IPsec technology that is assigned to the VPN topology. In addition,
the IPsec technology that is assigned to a VPN depends on the topology type. For
example, the DMVPN and Easy VPN technologies can only be applied in a
hub-and-spoke topology.
For more information, see Understanding IPsec Technologies and Policies,
page 9-8.


Note

Security Manager provides default configurations for all site-to-site VPN
policies, enabling you to deploy to your devices immediately after creating a VPN
topology.
The following topics describe:

Hub-and-Spoke VPN Topologies, page 9-3

Point-to-Point VPN Topologies, page 9-5

Full Mesh VPN Topologies, page 9-6

Implicitly Supported Topologies, page 9-8

Hub-and-Spoke VPN Topologies


In a hub-and-spoke VPN topology, multiple remote devices (spokes)
communicate securely with a central device (hub). A separate, secured tunnel
extends between the hub and each individual spoke.
Figure 9-1 shows a typical hub-and-spoke VPN topology.


Figure 9-1    Hub-and-Spoke VPN Topology

[Figure: a hub at the main office connects across the Internet to spokes at the
branch offices, with a separate secure tunnel from the hub to each spoke and
optional secondary hubs for resilience.]

This topology usually represents an intranet VPN that connects an enterprise's
main and branch office locations using persistent connections to a third-party
network or the Internet. VPNs in a hub-and-spoke topology provide all employees
with full access to the enterprise network, regardless of the size, number, or
location of its remote operations.
A hub is a Cisco IOS VPN-enabled device, generally located at an enterprise's
main office. Spoke devices are generally located at an enterprise's branch
offices. In a hub-and-spoke topology, most traffic is initiated by hosts at the
spoke site, but some traffic might be initiated from the central site to the
spokes.
If the hub in a hub-and-spoke configuration becomes unavailable for any reason,
IPsec failover transfers tunnel connections seamlessly to a failover (backup) hub,
which is used by all spokes. You can configure multiple failover hubs for a single
primary hub.
In a hub-and-spoke VPN topology, all IPsec technology types can be assigned. For
more information, see Understanding IPsec Technologies and Policies, page 9-8.


Related Topics

Understanding VPN Topologies, page 9-2

Implicitly Supported Topologies, page 9-8

Working with Site-to-Site VPN Policies, page 9-64

Point-to-Point VPN Topologies


In a point-to-point VPN topology, two devices communicate directly with each
other, without the option of IPsec failover as in a hub-and-spoke configuration. To
establish a point-to-point VPN topology, you specify two endpoints as peer
devices. Since either of the two devices can initiate the connection, the assigned
IPsec technology type can be only Regular IPsec or IPsec/GRE. For more
information, see Understanding IPsec Technologies and Policies, page 9-8.
Figure 9-2 shows a typical point-to-point VPN topology.
Figure 9-2    Point-to-Point VPN Topology

[Figure: Site 1 and Site 2 connected by a single secure tunnel across the
Internet.]

Related Topics

Understanding VPN Topologies, page 9-2

Implicitly Supported Topologies, page 9-8

Working with Site-to-Site VPN Policies, page 9-64


Full Mesh VPN Topologies


A full mesh topology works well in a complicated network where all peers need
to communicate with each other. In this topology type, every device in the
network communicates with every other device via a unique IPsec tunnel. All
devices have direct peer relationships with one another, preventing a bottleneck at
the VPN gateway device, and saving the overhead of encryption and decryption
on the device.

Note

You can assign only Regular IPsec and IPsec/GRE technologies to a full mesh
VPN topology. See Understanding IPsec Technologies and Policies, page 9-8.
Figure 9-3 shows a typical full mesh VPN topology.


Figure 9-3    Full Mesh VPN Topology

[Figure: Site 1, Site 2, Site 3, and Site 4, each connected to every other site
by a secure tunnel across the Internet.]

A full mesh network is reliable and offers redundancy. When the assigned
technology is GRE and one device (or node) can no longer operate, all the rest can
still communicate with one another, directly or through one or more intermediate
nodes. With regular IPsec, if one device can no longer operate, a crypto access
control list (ACL) that specifies the protected networks is created per pair of
peers.

Note

When the number of nodes in a full mesh topology increases, scalability may
become an issue: the limiting factor is the number of tunnels that the devices
can support at a reasonable CPU utilization.
Related Topics

Understanding VPN Topologies, page 9-2

Implicitly Supported Topologies, page 9-8

Working with Site-to-Site VPN Policies, page 9-64



Implicitly Supported Topologies


In addition to the three main VPN topologies, other more complex topologies may
be created as combinations of these topologies. They include:

Partial mesh: A network in which some devices are organized in a full mesh
topology, and other devices form either a hub-and-spoke or a point-to-point
connection to some of the fully meshed devices. A partial mesh does not
provide the level of redundancy of a full mesh topology, but it is less
expensive to implement. Partial mesh topologies are generally used in
peripheral networks that connect to a fully meshed backbone.

Tiered hub-and-spoke: A network of hub-and-spoke topologies in which a
device can behave as a hub in one or more topologies and a spoke in other
topologies. Traffic is permitted from spoke groups to their most immediate
hub.

Joined hub-and-spoke: A combination of two topologies (hub-and-spoke,
point-to-point, or full mesh) that connect to form a point-to-point tunnel. For
example, a joined hub-and-spoke topology could comprise two
hub-and-spoke topologies, with the hubs acting as peer devices in a
point-to-point topology.

Related Topics

Understanding VPN Topologies, page 9-2

Hub-and-Spoke VPN Topologies, page 9-3

Point-to-Point VPN Topologies, page 9-5

Full Mesh VPN Topologies, page 9-6

Understanding IPsec Technologies and Policies


Site-to-site VPN policies are grouped according to their IPsec technology type.
Security Manager provides six types of IPsec technologies that you can configure
on the devices in your site-to-site VPN topology: Regular IPsec, IPsec/GRE,
GRE Dynamic IP, standard and large scale DMVPN, and Easy VPN. When you
assign a technology to a VPN topology, all policies that can be applied to your
VPN topology using the assigned technology become available.


Note

You assign an IPsec technology to a VPN topology during its creation. After an
IPsec technology is assigned to a VPN topology, you cannot change the
technology, other than by deleting the VPN topology and creating a new one. See
Defining a Name and IPsec Technology, page 9-22.
About Mandatory and Optional Policies

Some site-to-site VPN policies are mandatory, which means they are configured
on your devices with predefined defaults, upon definition of the IPsec technology.
You can edit these policies, if required. The policies that are not predefined are
optional and available for your configuration, as required.

Note

You can deploy mandatory policies with their default configurations to your
devices immediately after creating the VPN topology. All you need to do is
complete the steps of the Create VPN wizard. See Creating a VPN Topology,
page 9-20.
Some mandatory policies are mandatory only under certain conditions. For
example, a preshared key policy is mandatory only if the default (mandatory) IKE
proposal uses preshared key authentication. If the selected IKE authentication
method is RSA Signature, a Public Key Infrastructure policy is mandatory (see
Deciding Which Authentication Method to Use, page 9-70). In addition, a tunnel
group policy for an ASA device is mandatory only if the ASA is a hub device in
a hub-and-spoke VPN topology.
Table 9-1 lists the mandatory and optional policies, for each predefined
technology that you can assign to the devices in your site-to-site VPN topology.

Note

In point-to-point and full mesh VPN topologies, you can assign only Regular
IPsec and GRE technologies.


Table 9-1    Site-to-Site VPN IPsec Technologies and Policies

Technology: Regular IPsec
(See Understanding IPsec Tunnel Policies, page 9-72.)
Mandatory Policies: IKE Proposal; IPsec Proposal
Optional Policies: Public Key Infrastructure (2); Preshared Key (1); VPN
Global Settings
Supported Platforms: Regular IPsec policies can be configured on Cisco IOS
security routers, PIX Firewalls, Catalyst VPN service modules, and ASA
devices.

Technology: IPsec/GRE (Generic Routing Encapsulation)
(See Understanding GRE, page 9-94.)
Mandatory Policies: IKE Proposal; IPsec Proposal; GRE Modes
Optional Policies: Public Key Infrastructure (2); Preshared Key (1); VPN
Global Settings
Supported Platforms: GRE policies can be configured on Cisco IOS security
routers and Catalyst 6500/7600 devices.

Technology: GRE Dynamic IP
(See Understanding GRE Configuration for Dynamically Addressed Spokes,
page 9-98.)
Mandatory Policies: IKE Proposal; IPsec Proposal; GRE Modes
Optional Policies: Public Key Infrastructure (2); Preshared Key (1); VPN
Global Settings
Supported Platforms: GRE Dynamic IP can be configured on Cisco IOS security
routers and Catalyst 6500/7600 devices.

Technology: Dynamic Multipoint VPN (DMVPN)
(See Understanding DMVPN, page 9-101.)
Mandatory Policies: IKE Proposal; IPsec Proposal; GRE Modes
Optional Policies: Public Key Infrastructure (2); Preshared Key (1); VPN
Global Settings
Supported Platforms: DMVPN configuration is supported on Cisco IOS 12.3T
devices and later.

Technology: Large Scale DMVPN
(See Configuring Large Scale DMVPNs, page 9-107.)
Mandatory Policies: IKE Proposal; IPsec Proposal; Preshared Key (1); GRE
Modes; Server Load Balance
Optional Policies: Public Key Infrastructure (2); VPN Global Settings
Supported Platforms: Large Scale DMVPN configuration is supported on Catalyst
6500/7600 devices (IPsec Terminators), and Cisco IOS 12.3T devices and later.

Technology: Easy VPN
(See Understanding Easy VPN, page 9-109.)
Mandatory Policies: IKE Proposal; IPsec Proposal; Client Connection
Characteristics
Optional Policies: User Group (mandatory on an IOS router or PIX 6.3 hub in
VPN topology); Tunnel Group (mandatory on an ASA hub device in VPN topology);
Public Key Infrastructure (2); VPN Global Settings
Supported Platforms: Easy VPN configuration is supported on Cisco IOS security
routers, PIX Firewalls, Catalyst VPN service modules, and ASA devices.

1. A preshared key policy is mandatory only if the IKE authentication method is Preshared Key.
2. A public key infrastructure policy is mandatory if the IKE authentication method is RSA Signature.

Related Topics

Understanding VPN Default Policies, page 9-12

Understanding VPN Topologies, page 9-2

Working with Site-to-Site VPN Policies, page 9-64

Understanding Policies, page 6-1


Understanding VPN Default Policies


Security Manager provides mandatory policies as factory defaults, which means
they are configured on the devices in your VPN topology with predefined values,
depending on the assigned IPsec technology. Factory default policies enable you
to deploy to your devices immediately after creating the VPN topology. Factory
default policies are private policies, which can be assigned only to the VPN
topology in which they are configured. Any changes you make to these policies
affect only this VPN topology.
Optional policies are not provided as factory defaults. These policies are not
assigned by default to your devices. They can be configured. If required, you can
define an optional policy as a shared policy, which means you can assign it as a
default policy to any VPN topologies that are newly created.
Any changes that you make to a shared policy affect all VPN topologies to which
the policy is assigned. In Policy view, you can view all shared policies that have
been defined for each policy type in a site-to-site VPN, edit individual policies,
and modify their assignments to VPN topologies. For more information, see
Managing Shared Policies in Policy View, page 6-40.
On the VPN Policy Defaults page of the Administration tool (Tools > Security
Manager Administration > VPN Policy Defaults) you can view the default
policies for each IPsec technology that can be assigned to a VPN topology. These
include the factory defaults that are provided by Security Manager, in addition to
any shared VPN policies that were created, and submitted or approved (depending
on the workflow mode), using Security Manager. Selecting a VPN shared policy
assigns this shared policy as the default policy to all VPN topologies that are
created after the selection is made.
In the last step of the Create VPN wizard, you can view all the available policy
types (both mandatory and optional) that can be assigned to your VPN topology,
according to the selected IPsec technology. For each policy type, you can select
the policies to assign to your VPN topology.
Related Topics

Configuring VPN Policy Defaults, page 2-98

Assigning Default Policies to Your VPN Topology, page 9-31

VPN Defaults Page, page G-41


Site-To-Site VPN Discovery


Security Manager allows you to discover the VPN topologies that are already
deployed in your network so that you can use Security Manager to manage them.
Your VPN configurations are brought into Security Manager and displayed as
site-to-site VPN policies.
Security Manager also allows you to rediscover the configurations of existing
VPN topologies that are already managed with Security Manager. For information
about Site-to-Site VPN rediscovery, see Rediscovering Site-to-Site VPNs,
page 9-18.

Note

You can also discover configurations on devices in remote access VPNs that are
already deployed in your network. See Discovering Remote Access VPN Policies,
page 10-2.
These topics provide information about Site-to-Site VPN discovery:

Supported Technologies and Topologies for VPN Discovery, page 9-13

Prerequisites for VPN Discovery, page 9-14

VPN Discovery Rules, page 9-16

Discovering Site-to-Site VPNs, page 9-17

Rediscovering Site-to-Site VPNs, page 9-18

Discover VPN Policies Wizard, page G-106

Supported Technologies and Topologies for VPN Discovery


This topic lists the technologies and topologies that Security Manager can
discover, as well as the VPN features that are provisioned by Security Manager
but cannot be discovered.
Supported Technologies for VPN Discovery

IPsec

IPsec + GRE

IPsec + GRE dynamic IP


DMVPN

Easy VPN

Supported Topologies for VPN Discovery

Point to point

Hub and spoke

Full mesh

VPN Features Provisioned by Security Manager but Unsupported for VPN Discovery

SSL VPN

Large Scale DMVPN with IPsec Terminator

VRF-Aware IPsec

Dial backup

IPsec and ISAKMP profiles for Easy VPN

Easy VPN with High Availability

Easy VPN with Dynamic Virtual Tunnel Interfaces

Related Topics

Prerequisites for VPN Discovery, page 9-14

VPN Discovery Rules, page 9-16

Discovering Site-to-Site VPNs, page 9-17

Discover VPN Policies Wizard, page G-106

Prerequisites for VPN Discovery


For successful VPN discovery, the following prerequisites must be met:

All devices participating in the VPN must be added to the Security Manager
inventory.

You must provide Security Manager with some basic information about the
VPN. The VPN discovery wizard prompts you for the following information:
VPN topology (hub and spoke, point to point, full mesh)


VPN technology (Regular IPsec, IPsec/GRE, GRE dynamic IP, DMVPN,
Easy VPN)
Devices in the VPN and their roles (hub/spoke)
Source of the VPN configuration. The VPN can be discovered directly
from the live network or from Security Manager's Configuration
Archive.

Each device in the VPN must have a crypto map associated with a physical
interface.

Each PIX 6.3 or ASA 5505 client device in an Easy VPN topology must have
a vpnclient configuration.

Related Topics

Supported Technologies and Topologies for VPN Discovery, page 9-13

VPN Discovery Rules, page 9-16

Discovering Site-to-Site VPNs, page 9-17

Discover VPN Policies Wizard, page G-106


VPN Discovery Rules


Table 9-2 describes the rules by which Security Manager translates and discovers
your VPN configurations, and how it handles instances where your configuration
on the device does not match what is supported by Security Manager.

Table 9-2    VPN Discovery Rules

If this condition exists: Security Manager cannot contact a device in the VPN
for live device discovery.
The VPN discovery will be handled as follows:
- If the device is the only hub or spoke in the VPN, discovery fails.
- If there are other hubs or spokes in the VPN, discovery proceeds but the
  unavailable device is not discovered.
- If the device is a peer in a point to point topology, discovery fails.
- If the device is a peer in a full mesh topology and there are only two
  devices, including the unavailable one, in the topology, discovery fails. If
  there are more than two devices, discovery proceeds but the unavailable
  device is not discovered.

If this condition exists: There are inconsistencies in the policies/values in
the VPN configurations across the devices in the VPN.
The VPN discovery will be handled as follows:
- If the values on the hub and the spokes differ, preference is given to the
  values on the hub.
- If a simple selection of one policy or value from several eligible policies
  or values is required and does not put functionality at risk, Security
  Manager selects a single policy/value that is common to all devices. For
  example, a VPN can have a single IKE policy only, whereas there can be more
  than one IKE policy on the devices.
- If selecting one value puts the functionality at risk, no value is
  discovered for the policy and a validation message is received upon
  deployment.
- If numeric values differ, a message is generated during discovery, and the
  lower value is discovered. For example, the lowest SA lifetime value in an
  IPsec policy.
- If none of the above options are possible, VPN discovery fails.

If this condition exists: Preshared key configuration: there is a different
key per set of peers.
The VPN discovery will be handled as follows: The preshared key policy is not
discovered.

If this condition exists: There is more than one eligible crypto map on the
device.
The VPN discovery will be handled as follows: The crypto map that is
associated with all or the majority of the devices selected for VPN discovery
is used.

If this condition exists: A spoke does not have a crypto map associated with
the hub.
The VPN discovery will be handled as follows: The VPN discovery proceeds but
the spoke is not discovered and an error message is generated.

If this condition exists: A device does not have the selected transform set
value.
The VPN discovery will be handled as follows: The VPN discovery proceeds but
the device may be removed from the VPN topology.

If this condition exists: A device does not have the selected IKE proposal.
The VPN discovery will be handled as follows: The VPN discovery proceeds but
the device may be removed from the VPN topology.
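The reachability and value-reconciliation rules of Table 9-2, as an added worked example that is not Security Manager's code. Device names, roles, and policy values are constructed inputs; where the table says a policy "common to all devices" is selected without saying which one, the example takes the first in sorted order, and the hub-preference rule is applied before the lowest-numeric-value rule because that is the order in which the table lists them.

```python
from typing import Dict, List, Optional, Set, Tuple


class DiscoveryError(Exception):
    """Raised where Table 9-2 says VPN discovery fails."""


def devices_to_discover(topology: str, roles: Dict[str, str], unreachable: Set[str]) -> Set[str]:
    """Apply the 'cannot contact a device' rules.

    roles maps device name -> 'hub', 'spoke' or 'peer'. Returns the devices
    that will be discovered; raises DiscoveryError when discovery fails.
    """
    for dev in unreachable:
        role = roles[dev]
        if topology == "point to point":
            raise DiscoveryError(f"{dev}: unreachable peer in a point to point VPN")
        if topology == "full mesh" and len(roles) == 2:
            raise DiscoveryError(f"{dev}: unreachable peer in a two-device full mesh")
        if topology == "hub and spoke":
            same_role = [d for d, r in roles.items() if r == role]
            if same_role == [dev]:
                raise DiscoveryError(f"{dev}: the only {role} in the VPN is unreachable")
    # Otherwise discovery proceeds without the unavailable devices.
    return set(roles) - unreachable


def select_common(policy: str, candidates: Dict[str, List[str]]) -> str:
    """Several eligible policies per device (for example several IKE policies):
    pick one that is common to all devices, or fail when there is none."""
    common = set.intersection(*(set(c) for c in candidates.values()))
    if not common:
        raise DiscoveryError(f"{policy}: no policy is common to all devices")
    return sorted(common)[0]  # the table does not say which; sorted for determinism


def reconcile_value(policy: str, values: Dict[str, int], hub: Optional[str] = None) -> Tuple[int, List[str]]:
    """Reconcile one numeric value (for example an SA lifetime) across devices.

    The hub value wins when the hub and spokes differ; with no hub, the lowest
    value is discovered and a message is generated.
    """
    messages: List[str] = []
    if len(set(values.values())) == 1:
        return next(iter(values.values())), messages
    if hub is not None and hub in values:
        messages.append(f"{policy}: values differ; hub {hub} value {values[hub]} preferred")
        return values[hub], messages
    lowest = min(values.values())
    messages.append(f"{policy}: numeric values differ; lowest value {lowest} discovered")
    return lowest, messages


if __name__ == "__main__":
    roles = {"hub1": "hub", "spoke1": "spoke", "spoke2": "spoke"}   # constructed
    print(devices_to_discover("hub and spoke", roles, {"spoke2"}))
    print(select_common("IKE policy", {"hub1": ["ike10", "ike20"], "spoke1": ["ike20"]}))
    print(reconcile_value("IPsec SA lifetime", {"peer1": 3600, "peer2": 1800}))
```

The messages list returned by reconcile_value stands in for the discovery-time message the table mentions; in practice that is what tells an operator that the discovered policy no longer matches the stricter device.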

Related Topics

Supported Technologies and Topologies for VPN Discovery, page 9-13

Prerequisites for VPN Discovery, page 9-14

Discovering Site-to-Site VPNs, page 9-17

Rediscovering Site-to-Site VPNs, page 9-18

Discover VPN Policies Wizard, page G-106

Rediscover VPN Policies Wizard, page G-110

Discovering Site-to-Site VPNs


This procedure describes how to discover a Site-to-Site VPN that is already
working in your network, but that has not yet been defined in Security Manager.
Procedure
Step 1

Select Policy > Discover VPN Polices. The Discover VPN Policies wizard opens,
displaying the Name and Technology page. For a description of the elements on
the Name and Technology page, see Table G-35 on page G-107.

Step 2

Specify a name for the VPN, topology type, and IPsec technology of the VPN to
be discovered, and whether you want to discover the VPN directly from the live
devices in your network or from the Config Archive.


Step 3

Click Next to open the Device Selection page of the wizard.

Step 4

Select the devices participating in the VPN, and their role in the VPN (hub, spoke,
peer one, or peer two) depending on the topology type. For a description of the
elements on the Device Selection page, see Table G-36 on page G-109.

Step 5

Click Finish to close the wizard and start the discovery process. The Discovery
Status window displays the status of the discovery and indicates whether the
discovery of each device has been successful or has failed. Error or warning
messages are provided to indicate the source of any problems, which may be VPN
specific or device specific.
When the discovery process is complete, the Site-to-Site VPN Manager opens and
displays the summary information for the VPN that was discovered.

Step 6

Verify that the VPN policies are as required. Edit the policies as necessary.

Related Topics

Discovering Policies, page 6-7

Viewing Policy Discovery Task Status, page 6-12

Supported Technologies and Topologies for VPN Discovery, page 9-13

Prerequisites for VPN Discovery, page 9-14

VPN Discovery Rules, page 9-16

Discover VPN Policies Wizard, page G-106

Rediscovering Site-to-Site VPNs


You can also rediscover the configurations of existing VPN topologies that are
already managed with Security Manager.
The same rules by which Security Manager translates and discovers VPN
configurations also apply to rediscovery. However, you can perform rediscovery
only on devices that participate in a VPN topology, and you cannot make any
changes to the IPsec technology or topology type. In addition, only the
configurations of device-specific policies, such as VPN interfaces and protected
networks, and any High Availability (HA) policies that are configured on hubs,
can be rediscovered. VPN global policies, such as IKE proposals or PKI
enrollments, cannot be rediscovered.


This procedure describes how to rediscover the configurations of a Site-to-Site
VPN topology that already exists in Security Manager.
Procedure
Step 1

In the Site-to-Site VPN Manager window, right-click the VPN topology whose
configurations you want to rediscover, and click Rediscover Peers.
The Rediscover VPN Policies wizard opens, displaying the Name and Technology
page. For a description of the elements on the Name and Technology page, see
Table G-37 on page G-112.

Step 2

Specify whether you want to rediscover the VPN directly from the live devices in
your network or from the Config Archive.

Note

You cannot make any changes to the VPN's topology type or IPsec
technology.

Step 3

Click Next to open the Device Selection page.

Step 4

Select the devices whose peer-level policies need to be rediscovered, and their role
in the VPN (hub, spoke, peer one, or peer two) depending on the topology type.
For a description of the elements on the Device Selection page, see Table G-38 on
page G-113.

Step 5

Click Finish to close the wizard and start the rediscovery process. The Discovery
Status window displays the status of the rediscovery and indicates whether the
rediscovery of each device has been successful or has failed. Error or warning
messages are provided to indicate the source of any problems.
When the rediscovery process is complete, the Site-to-Site VPN Manager opens
and displays the summary information for the VPN that was rediscovered.

Related Topics

Rediscover VPN Policies Wizard, page G-110

Site-To-Site VPN Discovery, page 9-13

Discovering Site-to-Site VPNs, page 9-17

VPN Discovery Rules, page 9-16


Working with VPN Topologies


Security Manager provides the Site-to-Site VPN Manager that you can use to
view, create, edit, and delete VPN topologies. You can also view the policies that
are assigned to each VPN topology, create policies, and edit them.

Note

You can also view a list of VPN topologies in Device view. For more information,
see Managing VPN Devices in Device View, page 9-62.
The following topics describe:

Creating a VPN Topology, page 9-20

Editing a VPN Topology, page 9-35

Deleting a VPN Topology, page 9-37

Managing VPN Devices in Device View, page 9-62

Working with Site-to-Site VPN Policies, page 9-64

Related Topics

Understanding VPN Topologies, page 9-2

Working with Site-to-Site VPN Policies, page 9-64

Site-to-Site VPN Manager Window, page G-2

Creating a VPN Topology


Creating a VPN topology involves specifying the devices and the networks that
make up the site-to-site VPN. You define the devices and their roles (such as hub,
spoke, peer), the VPN interfaces that are the source and destination endpoints of
the VPN tunnel, and the protected networks that will be secured by the tunnel. You
can create hub-and-spoke, point-to-point, or full mesh topologies. When you
create a VPN topology, you assign to it the IPsec technology with which a
predefined set of policies is associated. See Understanding IPsec Technologies
and Policies, page 9-8.


Note

You can create a visual representation of your VPN topology with all its elements
in the Map view. For more information, see Creating VPN Topologies (Map
View), page 4-29.
While creating a VPN topology, you can also configure:

High Availability on a group of hubs in a hub-and-spoke topology (see
Configuring High Availability in Your VPN Topology, page 9-60).

VRF-Aware IPsec on a hub in a hub-and-spoke topology (see Configuring
VRF-Aware IPsec Settings, page 9-55).

A VPN Services Module (VPNSM blade) on a Catalyst 6500/7600 in a
hub-and-spoke, point-to-point, or full mesh VPN topology (see Configuring
a Catalyst VPN Services Module (VPNSM) VPN Interface, page 9-40).

A VPN SPA blade on a Catalyst 6500/7600 in a hub-and-spoke,
point-to-point, or full mesh VPN topology (see Configuring a Catalyst VPN
Shared Port Adapter (VPN SPA) Blade, page 9-42).

A Firewall Services Module together with a VPN Services Module or VPN
SPA on a Catalyst 6500/7600 device in a hub-and-spoke, point-to-point, or
full mesh VPN topology (see Configuring a Firewall Services Module
(FWSM) Interface with VPNSM or VPN SPA, page 9-48).

You can use the Create VPN wizard to create hub-and-spoke, point-to-point, and
full mesh VPN topologies across multiple device types.

Note

After creating the VPN topology, you can deploy the default policy configurations
provided by Security Manager immediately to your devices. All you need to do is
complete the steps of the Create VPN wizard.
The following topics describe how to create a VPN topology:

Defining a Name and IPsec Technology, page 9-22

Selecting Devices for Your VPN Topology, page 9-25

Defining the Endpoints and Protected Networks, page 9-28

Configuring High Availability in Your VPN Topology, page 9-60

Assigning Default Policies to Your VPN Topology, page 9-31


Defining a Name and IPsec Technology


On the Name and Technology page of the Create VPN wizard, you define a name
and description for the VPN topology, and select the IPsec technology that will be
assigned to it.
Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

To add a VPN topology, click the Create VPN Topology button above the VPNs
selector and select Hub and Spoke, Point to Point, or Full Mesh from the shortcut
menu.

Note

To edit a VPN topology, right-click it in the VPNs selector, and select
Edit.

The Create VPN wizard opens, displaying the Name and Technology page. For a
description of the elements on this page, see Table G-4 on page G-11.
Step 3

Enter a unique name and description for the VPN topology in the relevant fields.

Step 4

From the IPsec Technology list, select the IPsec technology that you want to
assign to the VPN topology. Options are:

Regular IPsec

IPsec/GRE

DMVPN (Hub and Spoke VPN only)

Easy VPN (Hub and Spoke VPN only)

Note

If you are editing a VPN topology, the assigned IPsec technology is
displayed, but unavailable for editing. To edit the technology, you must
delete the VPN topology and create a new one.

Step 5

If you selected the IPsec/GRE technology, select either Standard (for IPsec/GRE)
or Spokes with Dynamic IP (to configure GRE Dynamic IP), from the Type list.


Step 6

If you selected the DMVPN technology, select either Standard (for regular
DMVPN) or Large Scale with IPsec Terminator (to configure a large scale
DMVPN), from the Type list.

Step 7

Click Next (or the Device Selection tab if you are editing a VPN topology) to
select the devices for your VPN topology.
For more information about selecting devices, see About Selecting Devices in a
VPN Topology, page 9-23. For the procedure to select devices, see Selecting
Devices for Your VPN Topology, page 9-25.

Related Topics

Understanding IPsec Technologies and Policies, page 9-8

Working with VPN Topologies, page 9-20

Name and Technology Page, page G-10

About Selecting Devices in a VPN Topology


Note

For the procedure to select devices for your VPN topology, see Selecting Devices
for Your VPN Topology, page 9-25.
On the Device Selection page of the Create VPN wizard, you select the devices to
include in the VPN topology. The contents of this page differ depending on
whether you are creating or editing a hub-and-spoke, large scale DMVPN,
point-to-point, or full mesh VPN topology.
Only the devices that can be used for the selected VPN topology, and which you
are authorized to view, are available for selection. In addition, the available
devices depend on the selected IPsec technology. For example, if the IPsec
technology is IPsec/GRE, GRE Dynamic IP, or DMVPN, PIX Firewalls and ASA
devices are not displayed. For more information, see the supported platforms
described in Table 9-1 on page 9-10.

Note

You can also edit the devices included in your VPN topology from Device view.
For more information, see Managing VPN Devices in Device View, page 9-62.


Adding Unmanaged Devices to Your VPN Topology

You can include unmanaged devices in your VPN topology. These devices may
serve as endpoints in a VPN topology, but Security Manager neither uploads nor
downloads their configurations, and does not deploy to them.
An unmanaged device can be a non-Cisco device, or a Cisco device that you do
not want Security Manager to manage. An unmanaged device can also be a Cisco
device that is not managed by Security Manager but can still serve as a VPN
endpoint, such as a VPN concentrator.

Note

You can specify that a device is unmanaged when you add it to your device
inventory, by deselecting the Manage in Security Manager check box in the
Device Information wizard. For more information, see Adding Devices to the
Security Manager Inventory, page 5-30.
Cloning a Device in a VPN Topology

Cloning (duplicating) a device enables you to share the configurations and
properties of one device on another, without having to recreate the configuration
and properties.
In a VPN topology, you can clone a device that is a spoke in a hub-and-spoke
configuration, or a device that participates in a full mesh topology. If you clone a
spoke device in a hub-and-spoke VPN topology, the new device is added to the
VPN as a new spoke with the same policies. If you clone a device in a full mesh
VPN, the new device is added to the full mesh VPN with the same policies.

Note

You cannot clone a device in a point-to-point VPN topology.


You can clone a VPN device in Device view, by selecting the Clone VPN
Assignments check box in the Create a Clone Device page. For more information,
see Cloning a Device, page 5-55.
Related Topics

View Permissions, page 2-5

Selecting Devices for Your VPN Topology, page 9-25

Removing Devices from a VPN Topology, page 9-34

Device Selection Page, page G-12

Working with VPN Topologies, page 9-20


Selecting Devices for Your VPN Topology


This procedure describes how to select devices to include in your VPN topology.
For more information about selecting devices in a VPN topology, see About
Selecting Devices in a VPN Topology, page 9-23.
Procedure
Step 1

Open the Create VPN wizard, then click Next (or the Device Selection tab if you
are editing a VPN topology) on the Name and Technology page.
The Device Selection page opens. For a description of the elements on this page,
see Table G-5 on page G-13.

Step 2

To select devices for a hub-and-spoke VPN topology:

From the Devices list, select the device(s) that you want to define as hubs (or
servers in an Easy VPN configuration) in your VPN topology, then click >>.
The selected devices appear in the Hubs List.

Note

Click the Up and Down buttons to change the order of the devices in
the Hubs list, so that the primary hub appears first.

Select the device(s) that you want to define as spokes (or clients in an
Easy VPN configuration) in your VPN topology, then click >>. The selected
devices appear in the Spokes List.

Note

If you selected Large Scale with IPsec Terminator as the DMVPN
technology type in the Name and Technology page, you must also
select the Catalyst 6500/7600 devices you want to be IPsec
Terminators in your Large Scale DMVPN configuration.

Step 3

To select devices for a point-to-point VPN topology:

From the Devices list, select a device to be Peer One in your VPN topology,
then click >>.

Select another device to be Peer Two in the topology, and click >>.

Step 4

To select devices for a full mesh VPN topology, select them in the Available
Devices list, then click >>. The devices appear in the Selected Devices list.

Step 5

Click Next (or the Endpoints tab if you are editing a VPN) to define the VPN
interfaces and the protected networks for the devices in your VPN topology.
For the procedure to define the endpoints and protected networks, see Defining
the Endpoints and Protected Networks, page 9-28.

Related Topics

About Selecting Devices in a VPN Topology, page 9-23

Adding Unmanaged Devices to Your VPN Topology, page 9-24

Device Selection Page, page G-12

Working with VPN Topologies, page 9-20

About Defining and Editing the Endpoints and Protected Networks


On the Endpoints page of the Create VPN wizard, you define the external or
internal VPN interfaces and the protected networks for the devices in your VPN
topology. The VPN interfaces are the interfaces that encrypt the data. The
protected networks are the networks that are encrypted.
The table on the Endpoints page lists the VPN interfaces and protected networks
defined for all selected devices in the VPN topology, including the interface roles,
or the interfaces that match each interface role.

Note

The internal and external interfaces that appear on the Endpoints page are the
default interfaces that are defined on the Administration tool's VPN Defaults
page. For more information, see Configuring VPN Policy Defaults, page 2-98.
VPN interfaces are predefined interface role objects. Interface role objects enable
you to apply policies to specific interfaces on multiple devices without having to
manually define the names of each interface. For more information about
interface roles, see Understanding Interface Role Objects, page 8-115.
When selecting or editing the protected networks in your VPN, you can use
interface roles whose naming patterns match the internal VPN interface type of
the device, or network objects to refer to multiple networks. For more information
about network objects, see Understanding Network/Host Objects, page 8-127.


If the assigned technology is IPsec, you can also use access control lists (ACLs)
to specify the protected networks. For more information, see Understanding
Access Control List Objects, page 8-31.

Note

In a hub-and-spoke VPN topology in which IPsec is the assigned technology,
when an ACL object is used to define the protected network on a spoke, Security
Manager mirrors the spoke's ACL object on the hub to the matching crypto map
entry.
Editing the VPN interfaces and protected networks for the devices in your VPN
topology can include the following:

Editing the VPN interfaces defined for devices.

Editing a hub interface that is connected to an IPsec Terminator in a large
scale DMVPN.

Configuring a VPN Services Module (VPNSM) interface or VPN SPA for a
Catalyst 6500/7600 device.

Configuring a dial backup interface to be used as a fallback link for the
primary VPN interface.

Editing the protected networks defined for devices.

Configuring a Firewall Services Module together with a VPN Services
Module on a Catalyst 6500/7600 device.

Configuring a VRF-Aware-IPsec policy on a hub in a hub-and-spoke
topology.

Related Topics

Defining the Endpoints and Protected Networks, page 9-28

Understanding VPN Topologies, page 9-2

Endpoints Page, page G-14

Configuring Dial Backup, page 9-39

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-40

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade,
page 9-42


Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-48

Configuring VRF-Aware IPsec Settings, page 9-55

Configuring Large Scale DMVPNs, page 9-107

Defining the Endpoints and Protected Networks


Using the Edit Endpoints dialog box, you can define or edit the external or internal
interfaces and protected networks in your VPN topology. The Edit Endpoints
dialog box may display four tabs. Click the appropriate tab to edit the VPN
interface or protected networks of the selected device, configure FWSM on a
Catalyst 6500/7600 device, or configure a VRF Aware IPsec policy on a hub
device.
For more information, see About Defining and Editing the Endpoints and
Protected Networks, page 9-26.
This procedure describes how to edit the VPN interface and protected networks
defined for a device, and configure a dial backup interface to be used as a fallback
link for a primary VPN interface.
Please be aware of the following notes before you attempt to use this procedure.

Note

If you are configuring a VPN interface for a Catalyst 6500/7600 device
(which may be an IPsec Terminator in a large scale DMVPN), see
Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-40.

To configure a Firewall Services Module together with a VPN Services
Module on a Catalyst 6500/7600 device (which may be an IPsec Terminator
in a large scale DMVPN), see Configuring a Firewall Services Module
(FWSM) Interface with VPNSM or VPN SPA, page 9-48.

If the selected device is a hub (IPsec Aggregator) on which you want to
configure VRF-Aware IPsec, see Configuring VRF-Aware IPsec Settings,
page 9-55.


Procedure
Step 1

Open the Create VPN wizard, then click Next (or the Endpoints tab if you are
editing a VPN topology) on the Device Selection page. The Endpoints page opens.
For a description of the elements on this page, see Table G-6 on page G-15.

Step 2

To edit the VPN interface or protected networks for a device, select the row in the
table that contains the device and click Edit. The Edit Endpoints dialog box
opens. For a description of the tabs on the Edit Endpoints dialog box, see Edit
Endpoints Dialog Box, page G-18.

Note

You can select more than one device at a time for editing. The changes
you make on the VPN Interface or Protected Networks tab are applied to
all selected devices. When selecting multiple devices, you cannot include
Catalyst 6500/7600 devices in your selection.

Step 3

To edit the primary VPN interface for the selected device, click the
VPN Interface tab (for a description of the elements on this tab, see Table G-7 on
page G-20):
a.

Specify the VPN interface defined for the selected device.

Note

If the selected device is a hub in a large scale DMVPN, specify the
interface that is connected to the IPsec Terminator in the Hub
Interface tab. See Configuring Large Scale DMVPNs, page 9-107.

b.

If the selected device is an ASA or PIX 7.0 hub in a hub-and-spoke VPN
topology, and if the selected technology is regular IPsec, select the type of
connection from the Connection Type list.

c.

Specify the IP address of the VPN interface of the peer device under Peer IP
Address.

d.

If the device is a hub and the selected technology is IPsec/GRE or DMVPN,
specify the tunnel source address to be used by the GRE or DMVPN tunnel
on the spoke side, under Tunnel Source.

e.

To enable the configuration of a backup interface to be used as a fallback link
for the primary route VPN interface, select the Enable check box under
Backup, then complete the fields provided. For the procedure to configure
dial backup, see Configuring Dial Backup, page 9-39.

Step 4

To edit the protected networks for the selected device:


a.

Click the Protected Networks tab on the Edit Endpoints dialog box. For a
description of the elements on the Protected Networks tab, see Table G-9 on
page G-28.

b.

From the Available Protected Networks list, select the interface role(s),
protected networks, and/or access control lists (ACLs) that you want to define
for the selected device, then click >>.
If the required interface roles, protected networks, or ACLs do not appear in
the Available Protected Networks list, click Create and select the required
option to create an interface role, protected network, or ACL. The Access
Control List option is available only when IPsec is the assigned technology.

Note

In a hub-and-spoke VPN topology in which IPsec is the assigned
technology, when an ACL object is used to define the protected
network on a spoke, Security Manager mirrors the spoke's ACL
object on the hub to the matching crypto map entry.

The protected networks, interface roles, and access control lists you selected
for the device are displayed in the Selected Protected Networks list.
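What "mirrors the spoke's ACL object on the hub" means in practice, as an added Python example serving both this note and the matching note under About Defining and Editing the Endpoints and Protected Networks; this is not Security Manager code. The IOS-style extended ACL entries are constructed, and only the permit/deny ip, tcp and udp forms shown (with wildcard masks, host and any) are parsed.

```python
"""Mirror a spoke's crypto ACL for the hub's crypto map entry and check that
an existing hub ACL is the exact mirror. Added example, not Security Manager
code; the ACL entries below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str               # permit | deny
    proto: str                # ip | tcp | udp
    src: str                  # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    src_port: Optional[str]   # e.g. "eq 443", None when absent
    dst: str
    dst_port: Optional[str]

    def mirrored(self) -> "AclEntry":
        """The hub side of a crypto ACL is the spoke's entry with source and
        destination (and their port qualifiers) swapped."""
        return AclEntry(self.action, self.proto, self.dst, self.dst_port,
                        self.src, self.src_port)

    def __str__(self) -> str:
        parts = [self.action, self.proto, self.src]
        if self.src_port:
            parts.append(self.src_port)
        parts.append(self.dst)
        if self.dst_port:
            parts.append(self.dst_port)
        return " ".join(parts)


_ADDR = r"(?:any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_PORT = r"(?:(?:eq|gt|lt|neq) \S+|range \S+ \S+)"
_ACE = re.compile(
    rf"^(permit|deny) (ip|tcp|udp) ({_ADDR})(?: ({_PORT}))? ({_ADDR})(?: ({_PORT}))?$"
)


def parse_ace(line: str) -> AclEntry:
    """Parse one access control entry; raise on forms this model does not cover."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, src, sp, dst, dp = m.groups()
    return AclEntry(action, proto, src, sp, dst, dp)


def mirror_acl(spoke_acl: List[str]) -> List[str]:
    """Entries to place in the hub's matching crypto map entry."""
    return [str(parse_ace(line).mirrored()) for line in spoke_acl]


def hub_matches_spoke(hub_acl: List[str], spoke_acl: List[str]) -> bool:
    """True when the hub ACL is exactly the mirror of the spoke ACL, so the
    proxy identities both peers propose for the SA agree."""
    hub = {parse_ace(line) for line in hub_acl}
    spoke_mirror = {parse_ace(line).mirrored() for line in spoke_acl}
    return hub == spoke_mirror


# Constructed sample: a spoke protecting 10.1.1.0/24 towards the hub's 10.0.0.0/24.
SPOKE_ACL = [
    "permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "permit tcp host 10.1.1.10 10.0.0.0 0.0.0.255 eq 443",
]

if __name__ == "__main__":
    for ace in mirror_acl(SPOKE_ACL):
        print(ace)
```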
Step 5

You can now do one of the following:

To go back and change the devices selected in your VPN topology, click Back
(or the Device Selection tab). See Selecting Devices for Your VPN Topology,
page 9-25.

To configure high availability on a group of hubs, click Next (or the High
Availability tab if you are editing a VPN). See Configuring High Availability
in Your VPN Topology, page 9-60.

If you are creating a point-to-point or full mesh VPN topology, click Next to
view or modify the default VPN policies available for assignment to your
VPN topology. See Assigning Default Policies to Your VPN Topology,
page 9-31.

Click Finish to complete the VPN topology creation or modification process
and exit the wizard, or OK to save your changes and close the Edit VPN
dialog box.


The new or edited VPN topology appears in the VPNs selector in the Site-to-Site
VPN window, with the VPN Summary page displayed. See VPN Summary Page,
page G-3.

Related Topics

Working with VPN Topologies, page 9-20

About Defining and Editing the Endpoints and Protected Networks,
page 9-26

Endpoints Page, page G-14

Edit Endpoints Dialog Box, page G-18

Configuring Dial Backup, page 9-39

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-40

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-48

Configuring VRF-Aware IPsec Settings, page 9-55

Assigning Default Policies to Your VPN Topology


The VPN Defaults page of the Create VPN wizard displays all available
mandatory and optional policies that can be assigned to your VPN topology,
according to the selected IPsec technology. For each policy type, you can select
the policies to assign to your VPN topology. These can be factory default policies
(for mandatory policy types only) or shared VPN policies that were created (and
submitted or approved, depending on the workflow mode) using Security
Manager.

Note

The policies you select are applied only to the specific VPN topology you are
creating. If you want the selected policies to be applied to all future VPN
topologies when they are created, you must change the policy defaults
selection on the Administration tool's VPN Policy Defaults page. For more
information, see Configuring VPN Policy Defaults, page 2-98.


You cannot view or assign VPN policy defaults when editing a VPN topology.
For more information, see Understanding VPN Default Policies, page 9-12.
Before You Begin

Make sure that the default VPN policies you want to assign are selected on
the Administration tool's VPN Policy Defaults page.

Procedure
Step 1

Open the VPN Defaults page by clicking Next on the Endpoints page or the High
Availability page (if you are configuring a hub-and-spoke VPN topology) of the
wizard. For a description of the elements on the VPN Defaults page, see
Table G-14 on page G-42.

Step 2

For each policy type, select the VPN policy you want to assign to your VPN
topology.
You can select the Factory Default policy (available for a mandatory policy only)
or select a shared VPN policy that appears in the list. If a shared policy was not
already selected on the Administration tool's VPN Policy Defaults page for an
optional policy, none will be assigned.

Note

If you try to select a default policy that is currently locked by another user,
a message is displayed warning you of a lock problem. To bypass the lock,
select a different policy or cancel the VPN topology creation until the lock
is approved. For more information, see Understanding Locking,
page 6-55.

Step 3

To view the contents of a selected VPN policy, click the View Content button.

Step 4

Click Finish to save all your wizard definitions and assign the VPN default
policies to the new VPN topology. The wizard closes.
The new VPN topology appears in the VPNs selector in the Site-to-Site VPN
window, with the VPN Summary page displayed. See VPN Summary Page,
page G-3.


Related Topics

VPN Defaults Page, page G-41

About Mandatory and Optional Policies, page 9-9

Understanding VPN Default Policies, page 9-12

About Editing a VPN Topology


You can edit a VPN topology by changing its device structure (adding or removing
devices), changing the VPN interfaces and protected networks defined for a
device, or modifying the policies that are assigned to the VPN. For example, if
your organization frequently opens new sites, you may need to add spokes to an
existing hub-and-spoke VPN, while applying all policies of the VPN to the new
spokes. Or, you may want to increase resiliency by adding a secondary hub to a
VPN that has only one hub. You can also designate a hub to act as an IPsec
Aggregator in a VRF-Aware IPsec configuration, or to be included in a High
Availability (HA) group. While editing a VPN topology, you may also need to
modify the policies assigned to it, for example, change an IKE algorithm that was
originally defined to a more secure one, or change the DES encryption algorithm
for a VPN to make it more secure.
For the procedure to edit a VPN topology, see Editing a VPN Topology,
page 9-35.
When you edit a VPN topology, you can also configure a VPN Services Module
(VPNSM) or VPN SPA blade, with or without a Firewall Services Module
(FWSM blade) on a Catalyst 6500/7600 device, in a hub-and-spoke,
point-to-point, or full mesh VPN topology.

Note

You can also edit a VPN topology at the device level from Device view, which
displays a list of VPN topologies to which a selected device belongs. From this
view, you can view and edit the structure of your VPN topologies, and edit the
policies defined for them. See Managing VPN Devices in Device View, page 9-62.
About Locking in Site-to-Site VPN Topologies

Security Manager has a locking mechanism that prevents more than one user from
making changes to the same policy or policy assignment at the same time. When
a policy is locked, a message is displayed to other users who access that policy.
For more information, see Understanding Locking, page 6-55.

If you change the device assignment for a VPN topology, or make changes to a
specific VPN policy, a lock is placed on the whole VPN topology, and any other
topologies in which the policy is shared. This means that other users cannot make
changes to the device assignment, nor can they make changes to any of the
policies defined for the VPN topologies.
In order to view and modify site-to-site VPN policies, you must have the required
permissions for each device in the VPN topology. You also need permissions to
add a device to a VPN topology. If you have different levels of permissions to the
devices in the VPN topology, the lowest permission level is applied to the whole
topology. For example, if you have read/write permissions to the spokes in a
hub-and-spoke topology, but read-only permissions to the device serving as the
hub, you are granted read-only permission to the policies and devices in the
hub-and-spoke topology. For more information about permissions, see Security
Manager Permissions, page 2-4.

Note

The information displayed on the VPN Peers page can be locked but not shared
between VPN topologies. Locking this information prevents all associated peers
in the VPN topology from being edited by other users. Unassigning devices from
a VPN topology maintains the device locking in this VPN topology, which means
that these devices cannot be deleted from the inventory. See Peers Page, page G-7.
Removing Devices from a VPN Topology

On the Device Selection page, you can also remove devices from your VPN
topology. When doing this, you should be aware of the following:

You cannot remove a device if it is the only hub in a hub-and-spoke VPN
topology, unless you replace it with a different hub.

You cannot remove a device that is one of the two devices in a point-to-point
VPN topology, unless you replace it with a different device.

In a VPN topology with multiple hub devices, deleting a hub causes the
appropriate tunnels to be removed.

If some, but not all, spokes in a VPN topology are deleted, the hub side crypto
statements change to reflect the removal.

Related Topics

Editing a VPN Topology, page 9-35

Device Selection Page, page G-12

User Guide for Cisco Security Manager 3.1

9-34

OL-11501-03

Chapter 9

Managing Site-to-Site VPNs


Working with VPN Topologies

Editing a VPN Topology


You can edit a VPN topology using the Edit VPN dialog box. The tabs in the Edit
VPN dialog box display the same contents that appear in the pages of the Create
VPN wizard. You can click a tab to go directly to the page that contains the
parameters you want to edit.
This procedure describes how to edit a VPN topology from the Site-to-Site VPN
Manager. You can also edit a VPN topology from Device view. For more
information, see Managing VPN Devices in Device View, page 9-62.
Before You Begin

Make sure the VPN topology you want to edit appears in the VPNs selector
in the Site-to-Site VPN window.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the VPN topology you want to edit, and click Edit.
The Edit VPN dialog box opens, displaying the Name and Technology tab. For a
description of the elements on this tab, see Table G-4 on page G-11.

Step 3

If required, edit the name and description of the VPN topology.

Note

You cannot edit the assigned IPsec technology. To edit the technology,
you must delete the VPN topology and create a new one.

Step 4

Click the Device Selection tab to change the device structure of your VPN
topology. For a description of how to change the device selection on this tab, see
Selecting Devices for Your VPN Topology, page 9-25.

Note

To remove devices from your VPN topology, select them on the Device
Selection tab, and click <<.

Step 5

Click the Endpoints tab to do any of the following:

• View or edit the external or internal interfaces or protected networks in your
  VPN topology.

• Configure a VRF-Aware IPsec policy on a hub device.

• Define FWSM settings for a Catalyst 6500/7600 device.

Then, select the device(s) you want to edit in the Endpoints table, and click Edit
to open the Edit Endpoints dialog box. For a description of how to use the Edit
Endpoints dialog box, see Edit Endpoints Dialog Box, page G-18.

Note

You can also use the Edit Endpoints dialog box to define the VPN
Services Module (VPNSM) or VPN SPA settings for a Catalyst
6500/7600 device.

Step 6

If you are editing a hub-and-spoke VPN topology, and you want to configure high
availability on a group of hubs, or remove a high availability group that was
defined for the topology, click the High Availability tab. For a description of the
elements on this tab, see Table G-13 on page G-39.

Step 7

Click OK to save your changes locally on the client.

Related Topics

Managing VPN Devices in Device View, page 9-62

Removing Devices from a VPN Topology, page 9-34

Working with VPN Topologies, page 9-20

Defining a Name and IPsec Technology, page 9-22

About Selecting Devices in a VPN Topology, page 9-23

Defining the Endpoints and Protected Networks, page 9-28

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-40

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-48

Configuring VRF-Aware IPsec Settings, page 9-55


Configuring High Availability in Your VPN Topology, page 9-60

Working with Site-to-Site VPN Policies, page 9-64

Deleting a VPN Topology


Deleting a VPN topology removes IPsec tunnels between peers and all
configurations associated with the VPN topology from the devices and networks
assigned to the site-to-site VPN.
This procedure describes how to delete a VPN topology.
Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens, displaying all defined VPN topologies.

Step 2

In the VPNs selector, select the VPN topology you want to delete and click
Delete.
A confirmation dialog box opens asking you to confirm the deletion.

Step 3

Click Yes to confirm the deletion.

Related Topics

Site-to-Site VPN Manager Window, page G-2

Working with VPN Topologies, page 9-20

Understanding Dial Backup


Dial backup can be used to provide a fallback link for a primary, direct connection
when the primary link becomes unavailable. Implementation of the dial backup
feature is based on the assumption that two static routes exist:

• A primary route through a primary gateway, which has highest priority.

• A secondary route through a secondary gateway, which has lower priority and
  only appears in the routing table when the primary gateway is down.


Security Manager configures a logical dialer interface on the spoke. The dialer
interface is associated with a physical backup interface. When the primary route
is down, the dialer interface is activated and traffic is redirected through this
backup interface, along the secondary route. To ensure that the spoke-hub traffic
is encrypted, Security Manager applies a crypto map to the dialer interface. This
crypto map is identical to the crypto map on the VPN interface (the primary route
interface). In Easy VPN, the backup configuration is attached to the dialer
interface.
Depending on the IOS version, Response Time Reporter (RTR) or Service Level
Agreement (SLA) IOS technology is used to detect loss of network performance
on the primary route. If the assigned IPsec technology is DMVPN, Dialer
Watch-List (DWL) is used.
ISDN Basic Rate Interface (BRI) and analog modem interfaces can be configured
as backup interfaces to other primary interfaces. In such a case, an ISDN or analog
modem connection is made if the primary interface goes down. Should the
primary interface and connection go down, the ISDN or analog modem interface
immediately dials out to establish a connection so that network services are not
lost.
Before you configure a dial backup policy for your site-to-site VPN, you must
configure the dialer interface settings on the appropriate Cisco IOS router. This
requires defining the relationship between the physical BRI and Async interfaces,
and the virtual dialer interfaces used when configuring dial backup.

Note

Dial backup can be configured on Cisco IOS security routers which are spokes in
a hub-and-spoke, point-to-point, or full mesh VPN topology. Dial backup can also
be configured on a remote client router running IOS version 12.3(14)T in an
Easy VPN topology. For more information, see Easy VPN with Dial Backup,
page 9-110.
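As an added illustration (not from this guide and not configuration generated by Security Manager), the following spoke-side Cisco IOS configuration shows the design described above: a tracked primary static route, a floating secondary route through a logical dialer interface bound to an ISDN BRI backup interface, and the same crypto map applied to both the VPN interface and the dialer. Interface names, addresses, the dial string and the pre-shared key are constructed placeholders; the ip sla and track syntax assumes a 12.4T-era IOS (older releases use the rtr form mentioned above).

```ios
! Added example (constructed; not generated by Security Manager): spoke-side
! dial backup for a Regular IPsec hub-and-spoke topology.
!
! --- IKE/IPsec policy shared by the primary and backup paths ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! PLACEHOLDER-PSK is a placeholder; hub public address 203.0.113.1 is constructed
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set HUB-TS esp-aes esp-sha-hmac
ip access-list extended HUB-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HUB-TS
 match address HUB-TRAFFIC
!
! --- Primary VPN interface (the VPN interface in the Edit Endpoints dialog) ---
interface FastEthernet0/0
 description Primary WAN link, next hop 198.51.100.1 (constructed)
 ip address 198.51.100.2 255.255.255.0
 crypto map HUB-MAP
!
! --- Physical backup interface, placed in dialer pool 1 ---
interface BRI0/0
 description ISDN BRI used only when the primary route is down
 no ip address
 encapsulation ppp
 isdn switch-type basic-ni
 dialer pool-member 1
!
! --- Logical dialer interface; the secondary route points here ---
! The same crypto map is applied, so spoke-to-hub traffic that fails over
! to the backup path stays encrypted.
interface Dialer1
 description Dial backup to the hub (dial string is constructed)
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string 5551234
 dialer-group 1
 crypto map HUB-MAP
!
! Traffic that is allowed to bring the dialer up
dialer-list 1 protocol ip permit
!
! --- Tracking (Step 6 and the Dial Backup Settings dialog) ---
! The probe targets the tracking IP address; with none specified, the hub VPN
! interface is used. Timeout (ms), Frequency (s) and Threshold (ms) map to
! the dialog fields of the same names.
ip sla 10
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 timeout 1000
 frequency 10
 threshold 500
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! --- The two static routes the feature assumes ---
! The primary route (administrative distance 1) is removed from the routing
! table as soon as track 10 goes down.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 10
! The secondary route through the dialer has administrative distance 250, so
! it is used only while the primary route is absent. No next hop is given, so
! the route is defined by interface name (Step 5 of the procedure).
ip route 0.0.0.0 0.0.0.0 Dialer1 250
```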
Related Topics

Configuring Dial Backup, page 9-39

Dialer Interfaces on Cisco IOS Routers, page 14-34

VPN Interface Tab, page G-19

Dial Backup Settings Dialog Box, page G-36


Configuring Dial Backup


This procedure describes how to configure dial backup on a router that is in a
point-to-point or full mesh VPN topology, or that is a spoke in a hub-and-spoke
topology, or is a remote client in an Easy VPN topology.
Before You Begin

• Create your VPN topology. See Creating a VPN Topology, page 9-20.

• Make sure the selected device is a Cisco IOS security router.

• Make sure you have configured the dialer interface settings on the device. For
  more information, see Dialer Interfaces on Cisco IOS Routers, page 14-34.

• Make sure that the primary route is functioning.

Procedure
Step 1

Open the Edit Endpoints dialog box of the Create VPN wizard, as follows:

a. Right-click the required VPN topology in the VPNs selector, and select Edit.

b. Click the Endpoints tab on the Create VPN wizard.

c. Select the row in the Endpoints table that contains the device (router) on
   which you want to configure dial backup, and click Edit.
   The Edit Endpoints dialog box opens, displaying the VPN Interface tab. For
   a description of the elements in the VPN Interface tab, see Table G-7 on
   page G-20.

Step 2

If required, edit the primary VPN interface for the selected device.

Step 3

To enable the configuration of a backup interface, select the Enable Backup
check box.

Step 4

Specify the physical interface through which the secondary route traffic will be
directed when the logical dialer interface is activated.

Step 5

If the selected IPsec technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP,
or Easy VPN, enter the next hop IP address. If you do not enter the next hop IP
address, Security Manager configures a static route using the interface name.

Step 6

Specify the tracking IP address.

Note

If you do not specify an IP address, the primary hub VPN interface is used
for a hub-and-spoke VPN topology or Easy VPN topology. In a
point-to-point or full mesh VPN topology, the peer VPN interface is used.

Step 7

If the selected IPsec technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP,
or Easy VPN, click Advanced to configure additional (optional) settings.
The Dial Backup Settings dialog box opens. For a description of the elements in
this dialog box, see Table G-12 on page G-37.

a. Enter the next hop IP address of the ISDN BRI or analog modem to which the
   backup interface will connect when it is active.

b. Specify the tracking object settings by entering the required values in the
   Timeout, Frequency, and Threshold fields.

c. Click OK to save your definitions and close the Dial Backup Settings dialog
   box.

Step 8

Click OK in the Edit Endpoints dialog box to save your changes locally on the
client and close the dialog box.

Related Topics

Understanding Dial Backup, page 9-37

Defining the Endpoints and Protected Networks, page 9-28

Easy VPN with Dial Backup, page 9-110

Edit Endpoints Dialog Box, page G-18

VPN Interface Tab, page G-19

Dial Backup Settings Dialog Box, page G-36

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface

Security Manager supports Catalyst 6500/7600 devices and Cisco IOS 7600
routers fitted with an IPsec VPN Services Module (VPNSM blade). This module
uses virtual LANs (VLANs) to connect to platform LAN and WAN interfaces.

The device can be in a point-to-point or full mesh VPN topology, or a hub or spoke
in a hub-and-spoke VPN topology managed by Security Manager (except in an
Easy VPN configuration, where the device cannot be a spoke).
Security Manager also supports the configuration of a Firewall Services Module
(FWSM blade) with a VPN Services Module (VPNSM blade) on a Catalyst
6500/7600 device. For a description of this feature, see Configuring a Firewall
Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-48.

Note

• Security Manager supports the configuration of multiple VPNSM blades on
  a Catalyst 6500/7600 device, but only one blade (or two if you are configuring
  intra chassis high availability) can be configured per VPN topology.

• In a remote access VPN, you can configure only one VPNSM failover blade
  for each IPsec proposal. See VPNSM/VPN SPA Settings Dialog Box,
  page H-26.

• VPNSM configuration requires that its parent Catalyst 6500/7600 device is
  running Catalyst OS release 12.2(18)SXD1 or later.

To configure a VPNSM on a Catalyst 6500/7600 device, you must first import the
device to your Security Manager inventory and discover its interfaces. For more
information, see Adding Catalyst 6500/7600 Devices from the Network,
page 5-33.
The next step in configuring VPNSM is to create an inside VLAN on the Catalyst
6500/7600 device, or edit an existing port or VLAN configuration. If the device
is configured with VRF-Aware IPsec, you must create a forwarding VLAN.
You do this device configuration using Cisco Catalyst Device Manager
(Cisco CDM), an embedded device manager for single chassis setup, switch and
services configuration, and monitoring of the Cisco Catalyst 6500/7600 family of
products. Cisco CDM enables the management of Catalyst 6500/7600 devices,
and specifically the creation of VLANs.

Note

You can use only Layer 3 VLANs for VPNSM configuration. For more
information, see Creating or Editing VLANs, page 16-13.


After creating or editing the VLANs or ports for your device using Cisco CDM,
you must configure VPNSM on the device using the Site-to-Site VPN Manager.
You configure the following VPNSM parameters when specifying the VPN
interfaces for your VPN topology:

• The inside VLAN on the inside trunk interface of the VPNSM to which the
  crypto map will be attached. This VLAN serves as the inside interface to the
  VPNSM, and is also the hub or spoke endpoint of the VPN tunnel (unless
  VRF-Aware IPsec is configured on the device).

• The VPNSM blade to which the inside VLAN will be connected.

• The external port or VLAN that connects to the inside VLAN. Security
  Manager connects the inside VLAN with the Catalyst's external port
  according to the external port configuration.

• If you are configuring high availability between blades, you must specify a
  failover VPNSM blade.

For more information, see Defining VPN Services Module (VPNSM) or VPN
SPA Settings, page G-24.
Related Topics

Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-44

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-48

Defining VPN Services Module (VPNSM) or VPN SPA Settings, page G-24

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade


In addition to supporting Catalyst 6500/7600 devices and Cisco IOS 7600 routers
fitted with a VPN Services Module (VPNSM blade), Security Manager supports
the configuration of Cisco IPsec VPN Shared Port Adapter (VPN SPA) blades on
these devices.
The device can be in a point-to-point or full mesh VPN topology, or a hub or spoke
in a hub-and-spoke VPN topology managed by Security Manager (except in an
Easy VPN configuration, where the device cannot be a spoke).
A Catalyst 6500/7600 device can contain from 3 to 13 chassis slots. The main
difference between a VPNSM and a VPN SPA is that two VPN SPA blades can be
inserted in a single Catalyst 6500/7600 chassis slot, whereas only one VPNSM
blade can be inserted per slot. The location of a VPN SPA blade is identified with
a slot and subslot number. Security Manager stores VPN SPA blade information
(slot and subslot location and interfaces) in its inventory, so that Security Manager
can manage the blades in VPN topologies.
For information on how to configure a VPN SPA blade on a Catalyst 6500/7600
device, see Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-44.

Note

The VPN SPA supports the AES encryption algorithm for all key sizes (128-,
192-, and 256-bit), as well as the DES and 3DES encryption algorithms. For more
information, see Deciding Which Encryption Algorithm to Use, page 9-68.
The following outlines the steps you must do to configure a VPN SPA blade on a
Catalyst 6500/7600 device:

1. Import the device to your Security Manager inventory and discover its
   interfaces.

Note

During the Catalyst 6500/7600 device discovery, you must enter the
VPN SPA card slot locations. Since a slot in a Catalyst 6500/7600
chassis can hold two VPN SPA cards, you must enter a subslot
number (0 or 1). For more information, see Adding VPN SPA Slot
Locations, page 5-35.

2. If you need to create an inside VLAN on the device or edit an existing port or
   VLAN configuration, you can use Cisco Catalyst Device Manager (Cisco
   CDM). If the device is configured with VRF-Aware IPsec, you must create a
   forwarding VLAN.

3. In Security Manager, you must create the interface roles for the VLANs or
   ports that will be used for configuring the VPN SPA on the device. You
   configure the following VPN SPA parameters when specifying the VPN
   interfaces for your VPN topology:

   • The inside VLAN that serves as the inside interface to the VPN SPA, and
     is also the endpoint of the VPN tunnel (unless VRF-Aware IPsec is
     configured on the device).

   • The number of the VPN SPA blade slot to which the inside VLAN is
     connected.

   • The number of the subslot on which the blade is installed.

   • The external port or VLAN that connects to the inside VLAN. Security
     Manager connects the inside VLAN with the Catalyst's external port
     according to the external port configuration.

   • If you are configuring high availability between blades, you must specify
     a failover VPN SPA blade.

For more information, see Defining VPN Services Module (VPNSM) or VPN
SPA Settings, page G-24.
Important Notes About Configuring a VPN SPA

Before you configure a VPN SPA blade on a Catalyst 6500/7600 in your VPN
topology, you should be aware of the following:

• If you are configuring intra chassis high availability, you cannot use a
  VPNSM blade and a SPA blade on the same device, as primary and failover
  blades.

• In the case of a DMVPN topology in which multiple hubs participate, if one
  of the hubs is configured with a VPN SPA blade, a tunnel key must not be
  configured on any of the devices, whether they are spokes or hubs. Devices
  that participate in such a topology must be running IOS version 12.3T or
  later, in order to support tunnels without keys.

• In a remote access VPN, you can configure only one VPN SPA failover blade
  per IPsec proposal. See VPNSM/VPN SPA Settings Dialog Box, page H-26.

Related Topics

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-40

Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-44

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or
VPN SPA, page 9-48

Defining VPN Services Module (VPNSM) or VPN SPA Settings, page G-24

Procedure for Configuring a VPNSM or VPN SPA Blade


This procedure describes how to configure a VPN Services Module (VPNSM) or
VPN SPA blade on a Catalyst 6500/7600 device.


Note

This procedure also applies if you are configuring an IPsec Terminator in a large
scale DMVPN configuration. For more information, see Configuring Large Scale
DMVPNs, page 9-107.
Before You Begin:

• Import the required Catalyst 6500/7600 device into the Security Manager
  inventory and discover its interfaces. For a description of this procedure, see
  Adding Catalyst 6500/7600 Devices from the Network, page 5-33.

Note

If you are configuring a VPN SPA blade, you must enter the VPN SPA
card slot locations during device discovery. Because a slot in a Catalyst
6500/7600 chassis can hold two VPN SPA cards, you must enter a subslot
number (0 or 1). For more information, see Adding VPN SPA Slot
Locations, page 5-35.

• For VPN SPA configuration, make sure that the Catalyst 6500/7600 device is
  running Catalyst OS release 12.2(18)SXE2 or later.

• If you are configuring a VPNSM or VPN SPA with VRF-Aware IPsec on a
  device, verify that the device does not belong to a different VPN topology in
  which VRF-Aware IPsec is not configured. Similarly, if you are configuring
  a VPNSM or VPN SPA without VRF-Aware IPsec, make sure that the device
  does not belong to a different VPN topology in which VRF-Aware IPsec is
  configured.

• For VPN SPA configuration, read Important Notes About Configuring
  a VPN SPA, page 9-44.

Procedure
Step 1

Click the Device View button on the toolbar.

Step 2

Select your Catalyst 6500/7600 device from the Device selector.

Step 3

Right-click the device and select Catalyst Manager. Cisco CDM opens.

Step 4

In Cisco CDM, create the VLANs you require for the device or edit any existing
ports or VLANs. For more information, see Creating or Editing VLANs,
page 16-13.


Step 5

Click Save to save the configuration changes and close Cisco CDM. VPN
Manager can now use the new VLANs.

Step 6

In Security Manager, click the Site-To-Site VPN Manager button on the toolbar.
The Site-to-Site VPN Manager window opens.

Step 7

Open the Endpoints page to define or edit the VPNSM/VPN SPA settings for the
Catalyst 6500/7600 device:

• To create a VPN topology:

  - Click Create VPN Topology above the VPNs selector, and select the
    type of VPN topology to create.
    The Create VPN wizard displays the Name and Technology page. For a
    description of the elements on this page, see Table G-4 on page G-11.

  - Enter a name and description for the VPN topology, and select the IPsec
    technology to assign to it, then click Next.

  - On the Device Selection page, select the devices for your VPN topology,
    including the required Catalyst 6500/7600 device. For a description of
    the elements on the Device Selection page, see Table G-5 on page G-13.

  - Click Next. The Endpoints page opens. For a description of the elements
    on the Endpoints page, see Table G-6 on page G-15.

• To edit a VPN topology:

  - In the VPNs selector, right-click the VPN topology that contains your
    Catalyst 6500/7600 device, and select Edit. The Edit VPN page opens.

  - Click the Endpoints tab.

Step 8

Select the row in the table that contains the required Catalyst 6500/7600 device,
and click Edit. The Edit Endpoints dialog box displays the VPN Interface tab.

Note

You can select more than one Catalyst 6500/7600 device at the same time.
Your changes are applied to all selected devices.

For a description of the elements on the VPN Interface tab, see Table G-8 on
page G-25.
Step 9

Configure the VPNSM or VPN SPA settings, as follows:

• To configure a VPNSM:

  - In the VPN Interface field, select the inside VLAN you created or edited.

  - Select the VPNSM blade slot to which the inside VLAN interface will be
    connected.

  - Select the external port or VLAN to connect to the inside VLAN.

  - If required, select a VPNSM blade to serve as a failover blade.

• To configure a VPN SPA:

  - In the VPN Interface field, select the inside VLAN you created or edited.

  - Select the VPN SPA blade slot number to which the inside VLAN is
    connected.

  - Select the number of the subslot (0 or 1) on which the blade is installed.

  - Select the external port or VLAN that will connect to the inside VLAN.

  - (Optional) To configure high availability between blades, select the
    Enable Failover Blade check box. Then select the VPN SPA failover
    blade slot number, and the number of the subslot (0 or 1) on which the
    failover blade is installed.

Step 10

In the Peer IP Address area, click one of the radio buttons to define the
IP address of the VPN interface of the peer device.

Step 11

Click OK to save your changes locally on the client.


The inside VLAN is shown next to the Catalyst 6500/7600 device in the Endpoints
table for the selected topology in the Site-to-Site VPN Manager window.

Related Topics

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-40

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42

Defining VPN Services Module (VPNSM) or VPN SPA Settings, page G-24


Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA

Security Manager supports the configuration of a Firewall Services Module with
a VPN Services Module or VPN SPA on a Catalyst 6500/7600 device. This feature
enables a Cisco Catalyst 6500/7600 Series Firewall Services Module (FWSM) to
apply firewall policies to untrusted clients, while the Cisco Catalyst 6500/7600
IPsec VPN Services Module or VPN SPA provides secure access to the internal
network.
For information about configuring a VPN Services Module on a Catalyst
6500/7600 device, see Configuring a Catalyst VPN Services Module (VPNSM)
VPN Interface, page 9-40. For information about configuring a VPN SPA blade
on a Catalyst 6500/7600 device, see Configuring a Catalyst VPN Shared Port
Adapter (VPN SPA) Blade, page 9-42.
To configure FWSM on a Catalyst 6500/7600 device, you must first import the
device to your inventory and discover its policies. For more information, see
Discovering Policies, page 6-7.
After importing the Catalyst 6500/7600 device, you can create security contexts
for it. A security context is an independent virtual firewall that has its own
security policies, interfaces, and administrators. A single physical Firewall
Services Module can contain multiple security contexts. In Security Manager, you
can configure up to three security contexts. For more information, see Security
Contexts Page, page L-265.
The next step in configuring FWSM with VPNSM or VPN SPA, is to open Cisco
Catalyst Device Manager (Cisco CDM) and discover the Firewall Services
Module (FWSM) configurations on the device. If an inside interface is not already
created on the Catalyst 6500/7600 device, you must create it using Cisco CDM
(see Creating or Editing VLANs, page 16-13). Then, you must assign the FWSM
inside interface (VLAN) to the appropriate security context, or directly to the
FWSM blade.
After creating the FWSM inside interface for your device, you must specify
FWSM settings on the device, using the Site-to-Site VPN Manager. You configure
the following settings when creating or editing your VPN topology:

• The VLAN which serves as the inside interface to the FWSM.

• The FWSM blade to which the Firewall inside VLAN is connected.

• If defined, the security context to which the inside VLAN is connected.


This procedure describes how to configure a Firewall Services Module on a
Catalyst 6500/7600 device.
Before You Begin:

• If the required Catalyst 6500/7600 device is not already in the Security
  Manager inventory, import it into the inventory and define (or discover) its
  security contexts. See Adding Catalyst 6500/7600 Devices from the Network,
  page 5-33 and Security Contexts Page, page L-265.

Procedure
Step 1

Click the Device View button on the toolbar.

Step 2

Select your Catalyst 6500/7600 device from the Device selector.

Step 3

Right-click the device and select Catalyst Device Manager. Cisco CDM opens
in a new window.

Step 4

In Cisco CDM:

a. Run a discovery for FWSM configurations on the device. See Discovering
   Policies, page 6-7.

b. Select or create the VLAN that will serve as the inside interface to the FWSM,
   and assign it to the appropriate security context, or directly to the FWSM
   blade.

c. Click Save to save the configuration changes and close Cisco CDM. The
   VLAN configuration can now be used by the VPN Manager.

Step 5

In Security Manager, click the Site-To-Site VPN Manager button on the toolbar.
The Site-to-Site VPN Manager window opens.

Step 6

Open the Endpoints page, as follows:

• If you are creating a VPN topology:

  - Click Create VPN Topology above the VPNs selector and select the type
    of VPN topology you want to create: Hub and Spoke, Point to Point, or
    Full Mesh.
    The Create VPN wizard opens, displaying the Name and Technology
    page. For a description of the elements on this page, see Table G-4 on
    page G-11.

  - Enter a name and description for the VPN topology, and select the IPsec
    technology that will be assigned to it, then click Next.

  - On the Device Selection page, select the devices that will be included in
    your VPN topology, including the required Catalyst 6500/7600 device.
    For a description of the elements on the Device Selection page, see
    Table G-5 on page G-13.

  - Click Next. The Endpoints page opens.

• If you are editing a VPN topology:

  - In the VPNs selector, right-click the VPN topology which contains your
    Catalyst 6500/7600 device, and select Edit. The Edit VPN page opens.

  - Click the Endpoints tab.

For a description of the elements on the Endpoints page, see Table G-6 on
page G-15.
Step 7

Select the row in the table that contains the required Catalyst 6500/7600 device,
and click Edit. The Edit Endpoints dialog box opens.

Note

You can select more than one Catalyst 6500/7600 device at a time for
editing. The changes you make can be applied to all the selected devices.

Step 8

In the VPN Interface tab, configure the VPNSM or VPN SPA settings. For a
description of the elements on this tab, see Table G-8 on page G-25.

Step 9

Click the FWSM tab, and configure the FWSM settings, as follows. For a
description of the elements on this tab, see Table G-10 on page G-31.

a. Select the Enable FWSM Settings check box.

b. Specify the Firewall inside VLAN you created or edited in Cisco CDM.

c. Select the FWSM blade number to which the inside VLAN interface is
   connected.

d. If the inside VLAN is part of a security context, specify its name in the
   Security Context field. The name is case-sensitive.

Step 10

Click OK to save your changes locally on the client.


Related Topics

FWSM Tab, page G-29

Defining the Endpoints and Protected Networks, page 9-28

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface,
page 9-40

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Creating or Editing VLANs, page 16-13

Understanding VRF-Aware IPsec


One obstacle to successfully deploying peer-to-peer VPNs is the separation of routing tables, combined with the use of overlapping addresses, which usually results from using private IP addresses in customer networks. The VRF-Aware IPsec feature, which introduces IPsec tunnel mapping to Multiprotocol Label Switching (MPLS) VPNs, solves this problem.

The VRF-Aware IPsec feature enables you to map IPsec tunnels to Virtual Routing and Forwarding (VRF) instances, using a single public-facing address. A VRF instance defines the VPN membership of a customer site attached to the Provider Edge (PE) router. A VRF comprises an IP routing table, a derived Cisco Express Forwarding (CEF) table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table. A separate set of routing and CEF tables is maintained for each VPN customer across the MPLS/VPN network.

Since each VPN has its own routing and forwarding table in the router, any customer or site that belongs to a VPN is provided access only to the set of routes contained within that table. Each PE router maintains one routing table per VPN, plus a global routing table that is used to reach other routers in the provider network. Effectively, a number of virtual routers are created in a single physical router. Across the MPLS core to the other PE routers, this routing separation is maintained by adding unique VPN identifiers, such as the route distinguisher (RD), to the routes.
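The per-VRF routing separation described above, as an added Python model that is not part of this guide or of Security Manager: two customer VRFs carry the same overlapping private prefix, each VRF answers lookups only from its own table, the global table serves the provider core, and the route distinguisher keeps the two VPNv4 routes distinct when they are exported across the MPLS core. VRF names, RDs, prefixes and interface names are constructed sample values.

```python
"""Per-VRF routing separation on a PE router (added model, not Security Manager code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str  # tunnel or interface the packet leaves on


@dataclass
class Vrf:
    name: str
    rd: str  # route distinguisher, "ASN:nn" or "IP:nn", unique per VRF
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match against this VRF's table only."""
        addr = ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


class PeRouter:
    """One routing table per VRF plus a global table for the provider core."""

    def __init__(self) -> None:
        self.vrfs: Dict[str, Vrf] = {}
        self.global_table = Vrf("global", rd="")  # no RD on the global table
        self.interface_vrf: Dict[str, str] = {}  # customer-facing interface/tunnel -> VRF name

    def add_vrf(self, name: str, rd: str) -> Vrf:
        if any(v.rd == rd for v in self.vrfs.values()):
            raise ValueError(f"RD {rd} already in use; each VRF needs a unique RD")
        self.vrfs[name] = Vrf(name, rd)
        return self.vrfs[name]

    def bind_interface(self, ifname: str, vrf_name: str) -> None:
        self.interface_vrf[ifname] = vrf_name

    def forward(self, in_if: str, dst: str) -> Optional[str]:
        """The VRF bound to the ingress interface decides; unbound interfaces use the global table."""
        table = self.vrfs.get(self.interface_vrf.get(in_if, ""), self.global_table)
        route = table.lookup(dst)
        return route.next_hop if route else None

    def vpnv4_routes(self) -> List[Tuple[str, str]]:
        """Routes as exported across the MPLS core: the RD prefix keeps overlapping prefixes distinct."""
        return [(f"{v.rd}:{r.prefix}", r.next_hop)
                for v in self.vrfs.values() for r in v.routes]


def build_sample_pe() -> PeRouter:
    """Constructed sample: two customers both using 10.1.0.0/16 behind IPsec tunnels."""
    pe = PeRouter()
    cust_a = pe.add_vrf("CUST_A", "65000:101")
    cust_b = pe.add_vrf("CUST_B", "65000:102")
    cust_a.routes.append(Route(ip_network("10.1.0.0/16"), "Tunnel-CE-A"))
    cust_b.routes.append(Route(ip_network("10.1.0.0/16"), "Tunnel-CE-B"))
    cust_b.routes.append(Route(ip_network("10.1.5.0/24"), "Tunnel-CE-B2"))
    pe.global_table.routes.append(Route(ip_network("192.0.2.0/24"), "MPLS-core"))
    pe.bind_interface("ipsec-A", "CUST_A")
    pe.bind_interface("ipsec-B", "CUST_B")
    return pe


if __name__ == "__main__":
    pe = build_sample_pe()
    for in_if in ("ipsec-A", "ipsec-B"):
        print(in_if, "10.1.5.9 ->", pe.forward(in_if, "10.1.5.9"))
    print(pe.vpnv4_routes())
```

The same destination address is forwarded to a different customer tunnel depending on which VRF the ingress tunnel is bound to, and a lookup from inside a VRF never sees the provider core routes in the global table.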


Note

VRF-Aware IPsec can also be configured on devices in a remote access VPN. For more information, see IPsec Proposals in Remote Access VPNs, page 10-12.

In Security Manager, you can configure VRF-Aware IPsec in your hub-and-spoke VPN topology, with either a single device providing all functionality (one-box solution) or with multiple devices, each providing a part of the functionality (two-box solution). Having one device provide all the functionality can affect performance by overloading that device, whereas separating the functionality in a two-box solution provides better scaling for each function.

The following topics describe:

• VRF-Aware IPsec One-Box Solution, page 9-52
• VRF-Aware IPsec Two-Box Solution, page 9-53

Related Topics

• Configuring VRF-Aware IPsec Settings, page 9-55

VRF-Aware IPsec One-Box Solution


In the one-box solution, IPsec tunnels terminate on a Cisco IOS router, which serves as the Provider Edge (PE) device. The PE device maps these tunnels to the appropriate MPLS/VPN network and also serves as the IPsec Aggregator, performing IPsec encryption and decryption for the tunnels from the Customer Edge (CE) devices.

Note

The configuration of routing between the PE device and the MPLS cloud is done by Cisco IP Solution Center. See the Cisco IP Solution Center MPLS VPN User Guide at this URL: http://www.cisco.com/en/US/docs/net_mgmt/ip_solution_center/3.0/mpls/user/guide/4_iscqsg.html


Figure 9-4 shows the topology of a one-box solution.

Figure 9-4 VRF-Aware IPsec One-Box Solution

Related Topics

• Understanding VRF-Aware IPsec, page 9-51
• Configuring VRF-Aware IPsec Settings, page 9-55
• Defining the Endpoints and Protected Networks, page 9-28

VRF-Aware IPsec Two-Box Solution


In the two-box solution, the PE device does just the MPLS mapping, while a
separate IPsec Aggregator device does the IPsec encryption and decryption from
the CEs.

Note

Security Manager fully manages the IPsec Aggregator, including routing to the PE device. The PE device is fully managed by Cisco IP Solution Center. This includes routing between the PE device and the MPLS cloud, and routing from the PE to the IPsec Aggregator. For more information, see the Cisco IP Solution Center MPLS VPN User Guide at this URL: http://www.cisco.com/en/US/docs/net_mgmt/ip_solution_center/3.0/mpls/user/guide/4_iscqsg.html

Figure 9-5 shows the topology of a two-box solution.

Figure 9-5 VRF-Aware IPsec Two-Box Solution

Using the two-box solution, you configure VRF-Aware IPsec on devices in your VPN topology, as follows:
1. Configure the connection between the IPsec Aggregator and the PE device. Create a hub-and-spoke VPN topology and assign an IPsec technology to it. In this topology, the hub is the IPsec Aggregator, and the spokes may be Cisco IOS routers, PIX Firewalls, Catalyst VPN service modules, or Adaptive Security Appliance (ASA) devices. The IPsec Aggregator may be a security router or a Catalyst VPN service module. You then define the VRF parameters (VRF name and unique routing identifier) on the hub.

Note

VRF-Aware IPsec supports the configuration of IPsec, GRE, or Easy VPN technologies on Cisco IOS routers and Catalyst VPN service modules. DMVPN is also supported, but only on Cisco IOS routers.

2. Specify the VRF forwarding interface (or VLAN for a Catalyst VPN service module) between the IPsec Aggregator and the PE device.

3. Define the routing protocol and autonomous system (AS) number to be used between the IPsec Aggregator and the PE. Available routing protocols include BGP, EIGRP, OSPF, RIPv2, and Static Route. If the routing protocol defined between the IPsec Aggregator and the PE differs from the routing protocol used for the secured IGP, routing is redistributed to the secured IGP, using this routing protocol and AS number. Routing is also redistributed from the secured IGP to the PE.

Note

Redistributing the routing is only relevant when IPsec/GRE or DMVPN is the selected technology.

Related Topics

• Understanding VRF-Aware IPsec, page 9-51
• Configuring VRF-Aware IPsec Settings, page 9-55
• Defining the Endpoints and Protected Networks, page 9-28

Configuring VRF-Aware IPsec Settings


The following procedure describes how to configure VRF-Aware IPsec on a hub
in a hub-and-spoke topology.
Before You Begin

• Create your hub-and-spoke VPN topology. See Creating a VPN Topology, page 9-20.

• Before you configure VRF-Aware IPsec on your devices, you should know the following:

  – VRF-Aware IPsec may be configured only on hubs in a hub-and-spoke VPN topology.

  – You cannot configure VRF-Aware IPsec on a device that belongs to another VPN topology in which VRF-Aware IPsec is not configured.

  – You cannot configure VRF-Aware IPsec on hubs that have been configured with high availability. See Understanding High Availability, page 9-58.

  – Deployment may fail if the IPsec Aggregator is configured with a keyring CLI command that is the same as the existing preshared key (keyring) command, and is not referenced by any other command. In this case, Security Manager does not use the VRF keyring CLI, but generates the keyring with a different name, causing deployment to fail. You must manually remove the preshared key keyring command through the CLI before you can deploy the configuration.
Procedure
Step 1

In the Site-to-Site VPN Manager window, right-click the hub-and-spoke VPN topology on which you want to configure VRF-Aware IPsec, and click Edit. The Edit VPN dialog box opens.

Step 2

Click the Endpoints tab. For a description of the elements on the Endpoints tab,
see Table G-6 on page G-15.

Step 3

Select the row in the Endpoints table that contains the required hub device (the
IPsec Aggregator) and click Edit. The Edit Endpoints dialog box opens.

Note

You can select more than one hub for editing. The configuration changes
can be applied to all selected devices.

Step 4

Click the VRF Aware IPsec tab in the Edit Endpoints dialog box. For a
description of the elements on the VRF Aware IPsec tab, see Table G-11 on
page G-33.

Step 5

Select the Enable VRF Settings check box to enable the configuration of VRF
settings on the hub(s) for the selected hub-and-spoke topology.


Note

To remove previously defined VRF settings, deselect the Enable VRF Settings check box.

Step 6

Select the 1-Box or 2-Box radio button, depending on the solution you want to
configure.

Step 7

Enter the name of the VRF routing table and its unique route distinguisher in the
appropriate fields.

Step 8

To configure a two-box solution, select the VRF forwarding interface (or VLAN)
between the IPsec Aggregator (hub) and the PE device.

Note

If the IPsec Aggregator is a Catalyst VPN service module (VPNSM) or VPN SPA, you select a VLAN.

Step 9

Select the routing protocol and specify the AS number to be used between the IPsec Aggregator and the PE. In the one-box solution, only the BGP protocol is supported.

Note

In a one-box solution, these fields are unavailable, as you do not need to specify the routing protocol and AS number.

Step 10

To configure a two-box solution with the OSPF routing protocol, specify the ID
number of the area in which the packet belongs.

Step 11

To configure a two-box solution with static routing, you must specify the next hop
IP address. This is the IP address of the PE (or the interface that is connected to
the IPsec Aggregator).

Step 12

To configure a two-box solution with any routing protocol other than Static route,
you can enable static routes to be advertised in the routing protocol configured on
the IPsec Aggregator towards the PE device.

Step 13

Click OK to save your changes locally on the client.


Note

When you select the new or edited hub-and-spoke topology in the Site-to-Site
VPN Manager window, the configuration of a VRF-Aware IPsec policy is
displayed in the VPN Summary page. See VPN Summary Page, page G-3.

Related Topics

• Understanding VRF-Aware IPsec, page 9-51
• VRF-Aware IPsec One-Box Solution, page 9-52
• VRF-Aware IPsec Two-Box Solution, page 9-53
• VRF Aware IPsec Tab, page G-31
• Defining the Endpoints and Protected Networks, page 9-28

Understanding High Availability


High Availability (HA) policies provide automatic device backup when configured on Cisco IOS routers or Catalyst 6500/7600 devices running IP over LANs. High Availability can be configured in a hub-and-spoke VPN topology when Regular IPsec is the assigned technology, or in an Easy VPN topology.

In Security Manager, HA is supported by an HA group made up of two or more hub devices that use Hot Standby Router Protocol (HSRP) to provide transparent, automatic device failover. By sharing a virtual IP address, the hubs in the HA group present the appearance of a single virtual device or default gateway to the hosts on a LAN. One hub in the HA group is always active and assumes the virtual IP address, while the others are standby hubs. The hubs in the group watch for hello packets from the active and standby devices. If the active device becomes unavailable for any reason, a standby hub takes ownership of the virtual IP address and takes over the hub functionality. This transfer is seamless and transparent to the hosts on the LAN and to the peering devices.


Enabling Stateful Failover

You can enable stateful failover for your HA groups. With stateful failover, Stateful SwitchOver (SSO) ensures that state information is shared between the HSRP devices in the HA group. If a device fails, the shared state information enables the standby device to maintain IPsec sessions without having to re-establish the tunnel or renegotiate the security associations.

Note

• Stateful failover is supported on Cisco IOS routers only.

• Stateful failover must be configured in an Easy VPN topology.

• Stateful failover cannot be used when RSA Signature is the IKE authentication method.

• An HA group configured with stateful failover cannot contain more than two hubs.

• Stateful failover can be configured together with PKI configuration, but only on devices with Cisco IOS version 12.3(14)T and later.

If you do not enable stateful failover, stateless failover (HSRP without SSO) is configured on the HA group. Stateless failover is also configured if the HA group contains more than two hubs.

Prerequisites for Successful High Availability Configuration

Keep the following points in mind when working with HA groups:

• High Availability may be configured only on hubs in a hub-and-spoke VPN topology when the assigned technology is Regular IPsec, or in an Easy VPN topology.

• You can configure high availability only on Cisco IOS routers or Catalyst 6500/7600 devices.

• You cannot configure High Availability on hubs that have been configured with VRF-Aware IPsec. See Understanding VRF-Aware IPsec, page 9-51.

• You cannot configure GRE on an HA group.

• A device in an HA group can belong to more than one hub-and-spoke topology.


• A device configured as a hub in a site-to-site VPN with an HA configuration cannot be configured as a hub in a different site-to-site VPN with an HA configuration using the same outside interface. Similarly, such a device cannot be configured as a remote access VPN server on which HA is configured, using the same outside interface.

• An HA group cannot contain both Cisco IOS routers and Catalyst 6500/7600 devices.

• If you want to configure stateful failover, the High Availability (HA) group may contain only two hubs, which must be Cisco IOS routers. See Enabling Stateful Failover, page 9-59.

• The same auto-generated preshared key must be used for authentication on all peers. If you specified not to use this option when configuring a preshared key policy, this is overridden during configuration of High Availability. For more information, see Configuring Preshared Key Policies, page 9-86.

• During generation of configurations, all hubs in the HA group receive the same commands, which must be deployed to the HA group as a unit. You cannot deploy to individual hubs in the group.

Related Topics

• High Availability Page, page G-37
• Configuring High Availability in Your VPN Topology, page 9-60
• Easy VPN with High Availability, page 9-110
• Creating a VPN Topology, page 9-20

Configuring High Availability in Your VPN Topology


The configuration of High Availability is an optional step of the Create VPN
wizard. You can configure High Availability in a hub-and-spoke VPN topology
when Regular IPsec is the assigned technology, or in an Easy VPN topology.
For a description of the high availability feature, see Understanding High
Availability, page 9-58.
You can configure High Availability in the fourth step of the Create VPN wizard.
This procedure describes how to define a group of hubs as a High Availability
(HA) group.


Before You Begin

• Read Prerequisites for Successful High Availability Configuration, page 9-59.

• Create your hub-and-spoke VPN topology with Regular IPsec or Easy VPN as the selected technology. See Creating a VPN Topology, page 9-20.

• Make sure your device selection includes the appropriate devices.

Procedure
Step 1

In the Site-to-Site VPN Manager window, right-click the VPN topology on which
you want to configure High Availability, and click Edit. The Edit VPN dialog box
opens.

Step 2

Click the High Availability tab on the Edit VPN page. For a description of the
elements on the High Availability tab, see Table G-13 on page G-39.

Step 3

Select the Enable check box.

Note

If you want to remove a previously defined HA group, deselect this check box, then click OK.

Step 4

Enter the virtual IP address, including subnet mask, that will be shared by the hubs
in the HA group and will represent the inside interface of the HA group.

Step 5

Enter the virtual IP address, including subnet mask, that will be shared by the hubs
in the HA group and will represent the VPN interface of the HA group.

Step 6

Specify the interval between each hello message sent by a hub to the other hubs
in the group to indicate status and priority.

Step 7

Specify the duration (in seconds) that a standby hub will wait to receive a hello
message from the active hub before concluding that the hub is down.

Step 8

Enter the standby number of the inside hub interface that matches the internal
virtual IP subnet, and the outside hub interface that matches the external virtual
IP subnet, for the hubs in the HA group. The numbers must be within the range of
0-255.

Note

Inside and outside standby group numbers must be different.


Step 9

If required, select the Stateful Failover check box to enable the use of SSO for
stateful failover on the HA group. When this check box is deselected, stateless
failover is configured on the HA group.

Note

In an Easy VPN topology, this check box appears selected and disabled,
as stateful failover must always be configured.

For more information, see Enabling Stateful Failover, page 9-59.


Step 10

Click OK to save your changes locally on the client.


When you select the new or edited hub-and-spoke VPN topology in the
Site-to-Site VPN Manager window, the VPN Summary page displays the details
of the High Availability policy configured. For more information, see VPN
Summary Page, page G-3.
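The HSRP behaviour described in Understanding High Availability, with the parameters that Steps 4 to 8 of the procedure above ask for, as an added Python model that is not part of this guide or of Security Manager: it validates the constraints the guide states (distinct inside and outside standby group numbers in the range 0-255, at most two hubs when stateful failover is enabled) and simulates a standby hub taking over the virtual IP once the active hub's hello messages have been missing for longer than the hold time. Hub names, addresses, priorities and timer values are constructed sample values, and HSRP election is reduced to "highest priority wins".

```python
"""HSRP-style HA hub group (added model, not Security Manager code)."""
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import Dict, List, Optional


@dataclass
class HaGroupConfig:
    inside_vip: str           # virtual IP + mask shared on the inside interface
    outside_vip: str          # virtual IP + mask shared on the VPN interface
    hello_interval: int = 3   # seconds between hello messages
    hold_time: int = 10       # seconds without a hello before the active is declared down
    inside_group: int = 1     # standby group number, inside interface (0-255)
    outside_group: int = 2    # standby group number, outside interface (0-255)
    stateful: bool = False    # SSO: IPsec state shared, tunnels survive failover

    def validate(self, hub_count: int) -> List[str]:
        """Return the constraints from the guide that this configuration violates."""
        problems = []
        for vip in (self.inside_vip, self.outside_vip):
            ip_interface(vip)  # ValueError if not "address/mask"
        for g in (self.inside_group, self.outside_group):
            if not 0 <= g <= 255:
                problems.append(f"standby group {g} is outside 0-255")
        if self.inside_group == self.outside_group:
            problems.append("inside and outside standby group numbers must differ")
        if self.hold_time <= self.hello_interval:
            problems.append("hold time must be longer than the hello interval")
        if hub_count < 2:
            problems.append("an HA group needs at least two hubs")
        if self.stateful and hub_count > 2:
            problems.append("stateful failover allows at most two hubs")
        return problems


@dataclass
class Hub:
    name: str
    priority: int
    last_hello: float = 0.0


class HaGroup:
    def __init__(self, cfg: HaGroupConfig, hubs: List[Hub]) -> None:
        problems = cfg.validate(len(hubs))
        if problems:
            raise ValueError("; ".join(problems))
        self.cfg = cfg
        self.hubs = {h.name: h for h in hubs}
        # the highest-priority hub becomes active and alone answers for the virtual IPs
        self.active = max(hubs, key=lambda h: h.priority).name

    def hello(self, name: str, now: float) -> None:
        """Record a hello message seen from hub `name` at time `now` (seconds)."""
        self.hubs[name].last_hello = now

    def tick(self, now: float) -> Optional[str]:
        """Standby hubs check the active's hellos; return the new active's name on failover."""
        if now - self.hubs[self.active].last_hello <= self.cfg.hold_time:
            return None  # active still heard within the hold time
        alive = [h for n, h in self.hubs.items()
                 if n != self.active and now - h.last_hello <= self.cfg.hold_time]
        if not alive:
            return None  # nobody left to take over
        self.active = max(alive, key=lambda h: h.priority).name
        return self.active

    def tunnels_survive_failover(self) -> bool:
        """With SSO the new active keeps the IPsec SAs; without it the peers must renegotiate."""
        return self.cfg.stateful


def simulate_failover() -> Dict[str, object]:
    """Constructed scenario: hub1 (active) falls silent after t=12 s, hub2 keeps sending hellos."""
    cfg = HaGroupConfig("192.168.10.1/24", "203.0.113.1/24", hello_interval=3,
                        hold_time=10, inside_group=1, outside_group=2, stateful=True)
    group = HaGroup(cfg, [Hub("hub1", priority=110), Hub("hub2", priority=100)])
    result: Dict[str, object] = {"initial_active": group.active, "new_active": None}
    for t in range(0, 13, 3):              # both hubs healthy for the first 12 s
        group.hello("hub1", t)
        group.hello("hub2", t)
    for t in range(15, 31, 3):             # hub1 silent; hub2 still sends a hello every 3 s
        group.hello("hub2", t)
        new_active = group.tick(t)
        if new_active:
            result.update(new_active=new_active, failover_at=t,
                          tunnels_kept=group.tunnels_survive_failover())
            break
    return result


if __name__ == "__main__":
    print(simulate_failover())
```

With a 10 second hold time and the last hello from hub1 at t=12, hub2 takes over at the first check after t=22; because the group was built with stateful failover, the model reports that the IPsec sessions are kept rather than renegotiated.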

Related Topics

• High Availability Page, page G-37
• Understanding High Availability, page 9-58
• Hub-and-Spoke VPN Topologies, page 9-3
• Understanding Easy VPN, page 9-109

Managing VPN Devices in Device View


Device view provides an easy way to view and edit your VPN topologies at the
device level. You can create and delete VPN topologies, edit the properties of a
VPN topology, including its device selection, and edit the policies defined for it.
You can also view the VPN topology or topologies to which each device in the
CSM inventory belongs, and if necessary, change its assignment to or from a VPN
topology.
In Security Manager, global objects are used in the definition of some VPN
policies. By default, objects are applied identically to every object and policy that
references them. However, the definition of certain object types can be overridden
at the device level, so that any subsequent changes made to the policy definition
at the global level will not affect the device where the object was overridden.

Since a VPN policy applies to every device in a VPN topology, you may need to
override the object definitions at the device level. For example, when defining a
PKI policy, you need to select a PKI enrollment object. If the hub of your VPN
uses a different CA server than the spokes, you must use device-level overrides to
specify the CA server used by the hub. Although the PKI policy references a
single PKI enrollment object, the actual CA server represented by this object
differs for the hub, based on the device-level override you define. For more
information about overriding a VPN policy object at the device level, see
Overriding Global Objects for Individual Devices, page 8-197.
This procedure describes how to create or edit a VPN topology from Device view.
Procedure
Step 1

Click the Device View button on the toolbar.

Step 2

Select the required device from the Device selector.

Step 3

Select Site to Site VPN from the Policy selector. The Site to Site VPN page
opens, displaying a list of VPN topologies to which the selected device belongs.
If the device does not belong to a VPN topology, none is displayed. For a
description of the elements on this page, see Table G-34 on page G-105.

Step 4

To create a VPN topology to which the selected device will belong:

a. Click Create VPN Topology, and select the type of VPN topology you want to create: Hub and Spoke, Point to Point, or Full Mesh. The first step of the Create VPN wizard opens.

b. Follow the procedure in Creating a VPN Topology, page 9-20. For a description of the elements in the pages of the wizard, see Create VPN Wizard, page G-9.

Step 5

To add or remove the selected device from an existing VPN topology, or edit any other properties:

a. Select the VPN topology in the table, and click Edit VPN Topology. The Edit VPN dialog box opens, displaying the Device Selection tab. For a description of the elements on the Device Selection tab, see Device Selection Page, page G-12.

b. Edit the device structure or any other properties of the VPN topology, as required.

c. Click OK to save your changes locally on the client.


Step 6

To edit the policies defined for a VPN topology:

a. Select the VPN topology in the table, and click Edit VPN Policies. The VPN Summary page opens, displaying information about the VPN topology, including its policies.

b. To edit a policy, select it in the Policy selector. A page opens, on which you can view or edit the parameters for the selected policy.

c. Edit the selected policy, as required. For more information, see Site to Site VPN Policies, page G-42.

Related Topics

• About Editing a VPN Topology, page 9-33
• About Selecting Devices in a VPN Topology, page 9-23
• Managing VPN Devices in Device View, page 9-62
• Working with Site-to-Site VPN Policies, page 9-64
• Create VPN Wizard, page G-9

Working with Site-to-Site VPN Policies


Security Manager supports many policies that are available for site-to-site VPN configuration. Policies are grouped according to their IPsec technology type. When you assign a technology to a VPN topology, all policies that can be applied to your VPN topology using the assigned technology become available.

You can view the policies that can be assigned to a VPN topology in the Site-to-Site VPN Manager window. To open this window, select Tools > Site-To-Site VPN Manager or click the Site-To-Site VPN Manager button on the toolbar. To view the policies, select a VPN topology from the VPNs selector. The policies associated with the selected topology are listed in the lower left pane of the page. Select a policy from the list to view or edit its parameters. For a description of the Site-to-Site VPN Manager window, see Table G-1 on page G-2.


Note

When you define policies, your definitions are not committed to the database and cannot be seen by other Security Manager users until you submit them.

Working with Site-to-Site VPN Policies in Policy View

You can use Policy view to view all shared policies that have been defined for each policy type in a site-to-site VPN, edit individual policies, and modify their assignments to VPN topologies. See Managing Shared Policies in Policy View, page 6-40.

Working with Site-to-Site VPN Policies in Device View

In Device view, you can view and edit your VPN topologies at the device level. You can view any VPN topologies to which each device in the CSM inventory belongs, and if necessary, change its assignment to or from a VPN topology. You can right-click a policy in the Policy selector to display menu options that enable you to share the policy, assign the shared policy to, or unassign it from the selected device or VPN topology.

For more information, see Managing VPN Devices in Device View, page 9-62.

Related Topics

• Understanding Policies, page 6-1
• Understanding IPsec Technologies and Policies, page 9-8
• Working with VPN Topologies, page 9-20
• About Locking in Site-to-Site VPN Topologies, page 9-33
• Site to Site VPN Policies, page G-42

Managing Shared Site-to-Site VPN Policies in Policy View


In Policy view, you can view all shared policies that have been defined for each
policy type in a site-to-site VPN, edit their definitions, modify their assignments
to VPN topologies, or apply them globally to multiple VPN topologies. You can
also create shared policies to assign to VPN topologies later.
This procedure describes how to create or edit site-to-site VPN policies, and
modify their assignments to VPN topologies, from Policy view.


Procedure
Step 1

Click the Policy View button on the toolbar.

Step 2

Select the Site-to-Site VPN folder from the Policy Type selector in the upper
pane. The folder opens, listing the IPsec policy types that can be defined for a
site-to-site VPN topology. For more information, see Policy View Selectors,
page 6-42.

Step 3

To view the shared policies defined for a policy type, select the policy type in the
selector. If any policies are defined for the selected policy type, they are displayed
in the Shared Policy selector in the lower pane.

Step 4

To create a shared policy for a policy type:

a. Click Create. The Create a Policy dialog box opens.

b. Enter a name for the new policy and click OK. The new policy appears in the Shared Policy selector for the selected policy type, displaying predefined definitions, which you can edit, if required.

Step 5

To view or edit the policy definition:

a. Select the policy in the Shared Policy selector. The Details tab in the work area of Policy view opens, displaying the policy definitions.

b. If required, modify the definitions for the policy. See Working with Site-to-Site VPN Policies, page 9-64.

Step 6

To view or edit the policy assignment:

a. Select the policy in the Shared Policy selector, and click the Assignments tab in the work area. For a description of the elements on this tab, see Policy View Assignments Tab, page D-28.

b. If required, modify the list of VPN topologies to which the policy is assigned. See Modifying Policy Assignments in Policy View, page 6-46.

Step 7

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.


Related Topics

• Working with VPN Topologies, page 9-20
• Working with Site-to-Site VPN Policies, page 9-64
• Working with Site-to-Site VPN Policies in Policy View, page 9-65
• Managing Shared Policies in Policy View, page 6-40

Understanding IKE

Internet Key Exchange (IKE) is a key management protocol that facilitates the management of IPsec-based communications. It is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security associations (SAs).

The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes SAs for other applications, such as IPsec. Both phases use proposals when they negotiate a connection.

Phase 1 negotiation can occur using one of two modes: main mode or aggressive mode.

• Main mode tries to protect all information during the negotiation from potential attackers. In main mode, the identities of the two sides are hidden. While this mode of operation provides the highest security, it takes a long time to complete the negotiation.

• Aggressive mode takes less time to negotiate keys between peers, but is less secure than main mode negotiation. For example, the identities of the two parties trying to establish a security association can be exposed to an eavesdropper.

An IKE proposal is a set of algorithms that two peers use to secure the IKE negotiation between them. IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. You can create multiple, prioritized policies at each peer to ensure that at least one policy matches a remote peer's policy. You can define several IKE proposals per VPN.


To define an IKE proposal, you must specify:

• Which encryption algorithm to use for the IKE negotiation. See Deciding Which Encryption Algorithm to Use, page 9-68.

• Which hash algorithm to use for integrity checking. See Deciding Which Hash Algorithm to Use, page 9-69.

• Which Diffie-Hellman group to use to operate the encryption algorithm. See Deciding Which Diffie-Hellman Group to Use, page 9-69.

• Which device authentication method to use. See Deciding Which Authentication Method to Use, page 9-70.

• For how long the IKE SA will be valid.

Related Topics

• Configuring an IKE Proposal, page 9-71
• IKE Proposal Page, page G-43

Deciding Which Encryption Algorithm to Use


When deciding which encryption and hash algorithms to use for the IKE proposal, your choice is limited to algorithms that are supported by the devices in the VPN. You can choose from the following encryption algorithms:

• DES (Data Encryption Standard) is a symmetric secret-key block algorithm. It is faster than 3DES and uses fewer system resources, but it is also less secure. If you do not need strong data confidentiality, and if system resources or speed is a concern, you should choose DES.

• 3DES (Triple DES) is more secure because it processes each block of data three times, each time with a different key. However, it uses more system resources and is slower than DES. 3DES is the recommended encryption algorithm, assuming that the devices support it.

• AES (Advanced Encryption Standard) provides greater security than DES and is computationally more efficient than 3DES. AES offers three different key strengths: 128-, 192- and 256-bit keys. A longer key provides higher security but a reduction in performance. AES is supported only on routers running IOS version 12.3T and later.


Note

AES cannot be used in conjunction with a hardware encryption card.

Related Topics

• Understanding IKE, page 9-67
• Configuring an IKE Proposal, page 9-71

Deciding Which Hash Algorithm to Use


You can choose from the following hash algorithms:

• SHA produces a 160-bit digest, and is more resistant to brute-force attacks than MD5. However, it is also more resource intensive than MD5. For implementations that require the highest level of security, use the SHA hash algorithm.

• MD5 produces a 128-bit digest, and uses less processing time for an overall faster performance than SHA, but it is considered to be weaker than SHA.

Related Topics

• Understanding IKE, page 9-67
• Configuring an IKE Proposal, page 9-71

Deciding Which Diffie-Hellman Group to Use


Security Manager supports Diffie-Hellman group 1, group 2, group 5, and group 7 key derivation algorithms to generate IPsec SA keys. Each group has a different size modulus. A larger modulus provides higher security, but requires more processing time. You must have a matching modulus group on both peers.

• Diffie-Hellman Group 1: 768-bit modulus. Use to generate IPsec SA keys, where the prime and generator numbers are 768 bits.

• Diffie-Hellman Group 2: 1024-bit modulus. Use to generate IPsec SA keys, where the prime and generator numbers are 1024 bits.

• Diffie-Hellman Group 5: 1536-bit modulus. Use to generate IPsec SA keys, where the prime and generator numbers are 2048 bits.


• Diffie-Hellman Group 7: Use to generate IPsec SA keys, when the elliptical curve field size is 163 characters. Group 7 is not supported on a Catalyst 6500/7600 device with VPNSM or VPN SPA configuration.

Related Topics

• Understanding IKE, page 9-67
• Configuring an IKE Proposal, page 9-71

Deciding Which Authentication Method to Use


Security Manager supports two methods for peer device authentication in a VPN communication:

• Preshared Key: Preshared keys allow for a secret key to be shared between two peers and used by IKE during the authentication phase. The same shared key must be configured at each peer or the IKE SA cannot be established. To use IKE successfully with this device authentication method, you must define various preshared key parameters. For more information, see Understanding Preshared Key Policies, page 9-84.

• RSA Signature: An authentication method in which RSA key pairs are used to sign and encrypt IKE key management messages. RSA Signature provides non-repudiation of communication between two peers, meaning that it can be proved that the communication actually took place. When using this authentication method, peers are configured to obtain digital certificates from a Certification Authority (CA). CAs manage certificate requests and issue certificates to participating IPsec network devices. These services provide centralized key management for the participating devices.

  While the use of preshared keys does not scale well, using a CA does improve the manageability and scalability of your IPsec network. With a CA, you do not need to configure keys between all encrypting devices. Instead, each participating device is registered with the CA, and requests a certificate from the CA. Each device that has its own certificate and the public key of the CA can authenticate every other device within a given CA's domain.

  To use IKE successfully with the RSA Signature device authentication method, you must define parameters for CA authentication and enrollment. For more information, see Understanding Public Key Infrastructure Policies, page 9-87.


Related Topics

Understanding IKE, page 9-67

Configuring an IKE Proposal, page 9-71

Configuring an IKE Proposal


In Security Manager, an IKE proposal is a mandatory policy, with predefined
security parameters, that is automatically assigned to a VPN topology. On the IKE
Proposal page, you can view the parameters of the selected IKE proposal, select
a different one from a list of predefined IKE proposals, or create one.

Note

For more information about the IKE (Internet Key Exchange) key management
protocol, see Understanding IKE, page 9-67.
This procedure describes how to view the parameters of the selected IKE
proposal, select a different one from a list of predefined IKE proposals, or create
one.
Before You Begin

Create your VPN topology. See Creating a VPN Topology, page 9-20.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select IKE Proposal in the Policies selector.


The IKE Proposal page appears, displaying the assigned IKE proposal with its
default values. For a description of the elements on this page, see Table G-15 on
page G-44.

Step 4

To assign a different IKE proposal, select it in the Available IKE Proposals list.
The IKE proposal replaces the one in the Selected IKE Proposal list.


If the required IKE proposal is not included in the list, click Add to open the IKE
Editor dialog box that enables you to create an IKE proposal object. For more
information, see IKE Proposal Dialog Box, page F-93.

Note

After creating an IKE proposal object, you can modify its properties by
selecting it, and clicking Edit.

Step 5

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Understanding IKE, page 9-67

Understanding Preshared Key Policies, page 9-84

IKE Proposal Page, page G-43

Understanding IPsec Tunnel Policies


IPsec is one of the most secure methods for setting up a VPN. IPsec provides data
encryption at the IP packet level, offering a robust security solution that is
standards-based. Pure IPsec configurations cannot use routing protocols; the
policy created is used for pure IPsec provisioning. You can configure pure IPsec
on Cisco IOS routers, PIX Firewalls, Catalyst VPN Service Modules, and
Adaptive Security Appliance (ASA) devices.
With IPsec, data is transmitted over a public network through tunnels. A tunnel is
a secure, logical communication path between two peers. Traffic that enters an
IPsec tunnel is secured by a combination of security protocols and algorithms,
called a transform set.


In Security Manager, you configure IPsec proposals on devices in your VPN
topology. An IPsec proposal is a collection of one or more crypto maps that are
applied to the VPN interfaces on the devices. A crypto map combines all the
components required to set up IPsec security associations, including transform
sets. A crypto map may also be configured with Reverse Route Injection (RRI).
The following topics provide more information:

About Crypto Maps, page 9-73

About Transform Sets, page 9-74

About Reverse Route Injection, page 9-76

Related Topics

Configuring IPsec Proposals, page 9-77

About Crypto Maps


A crypto map combines all components required to set up IPsec security
associations, including IPsec rules, transform sets, remote peer(s), and other
parameters that might be necessary to define an IPsec SA. A crypto map entry is
a named series of CLI commands. Crypto map entries with the same crypto map
name (but different map sequence numbers) are grouped into a crypto map set,
which is applied to the VPN interfaces on relevant devices. All IP traffic passing
through the interface is evaluated against the applied crypto map set.
When two peers try to establish an SA, they must each have at least one
compatible crypto map entry. The transform set defined in the crypto map entry
is used in the IPsec security negotiation to protect the data flows specified by that
crypto map's IPsec rules.
Dynamic crypto map policies are used when an unknown remote peer tries to
initiate an IPsec security association with the local hub. The hub cannot be the
initiator of the security association negotiation. Dynamic crypto policies allow
remote peers to exchange IPsec traffic with a local hub, even if the hub does not
know the remote peer's identity. You can create a dynamic crypto policy on
individual hubs or on a device group that contains hubs. The policy is written only
to the hubs, not to any spokes that might be contained in the group. A dynamic
crypto map policy essentially creates a crypto map entry without all the
parameters configured. The missing parameters are later dynamically configured
(as the result of an IPsec negotiation) to match a remote peer's requirements. The
peer addresses for dynamic or static crypto maps are deduced from the VPN
topology.
Dynamic crypto map policies apply only in a hub-and-spoke VPN
configuration; in a point-to-point or full mesh VPN topology, you can apply only
static crypto map policies.

Note

Security Manager can manage an existing VPN tunnel only if the tunnel's peers
are managed by Security Manager. In such a case, Security Manager uses the same
crypto map name for the tunnel on the peers. On subsequent deployments, only
Security Manager tunnels are managed (Security Manager maintains a log of all
tunnels that were configured).
Related Topics

Understanding IPsec Tunnel Policies, page 9-72

About Transform Sets, page 9-74

Configuring IPsec Proposals, page 9-77

About Transform Sets


A transform set is a combination of security protocols and algorithms that secure
traffic in an IPsec tunnel. During the IPsec security association negotiation, peers
search for a transform set that is the same at both peers. When such a transform
set is found, it is applied to the traffic as part of both peers' IPsec security
associations.
You can specify a number of transform sets per tunnel policy. If you are defining
the policy on a spoke or a group of spokes, you don't usually have to specify more
than one transform set. This is because the spoke's assigned hub would typically
be a higher performance router capable of supporting any transform set that the
spoke supports. However, if you are defining the policy on a hub for dynamic
crypto, you should specify more than one transform set to ensure that there will
be a transform set match between the hub and the unknown spoke. You can specify
up to six transform sets in a crypto map entry. If more than one of your selected
transform sets is supported by both peers, the transform set that provides the
highest security is used.


When defining a transform set, you must specify which IPsec mode of operation
to use: tunnel mode or transport mode. You can use the AH and ESP protocols to
protect an entire IP payload (Tunnel mode) or just the upper-layer protocols of an
IP payload (Transport mode).
In tunnel mode (the default), the entire original IP datagram is encrypted, and it
becomes the payload in a new IP packet. This mode allows a router to act as an
IPsec proxy. That is, the router performs encryption on behalf of the hosts. The
source's router encrypts packets and forwards them along the IPsec tunnel. The
destination's router decrypts the original IP datagram and forwards it on to the
destination system. The major advantage of tunnel mode is that the end systems
do not need to be modified to enjoy the benefits of IPsec. Tunnel mode also
protects against traffic analysis. With tunnel mode, an attacker can only determine
the tunnel endpoints and not the true source and destination of the tunneled
packets, even if they are the same as the tunnel endpoints.
In transport mode, only the IP payload is encrypted, and the original IP headers
are left intact. This mode has the advantage of adding only a few bytes to each
packet. It also allows devices on the public network to see the final source and
destination of the packet. However, by passing the IP header in the clear, transport
mode allows an attacker to perform some traffic analysis. For example, an attacker
could see when a company's CEO sent many packets to another senior executive.
However, the attacker would only know that IP packets were sent; the attacker
would not be able to decipher the contents of the packets. With transport mode,
the destination of the flow must be an IPsec termination device.

Note

You cannot use transport mode when IPsec or Easy VPN is the assigned
technology.
Security Manager provides predefined transform sets that you can use in your
tunnel policies. You can also create your own transform sets. For more
information, see Understanding IPsec Transform Set Objects, page 8-120.
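As an added example (not Security Manager or IOS code), the following Python models the two behaviours described in About Crypto Maps and About Transform Sets: a flow is evaluated against the entries of a crypto map set in sequence-number order, and the two peers then settle on a transform set that both list, in the same mode. The STRENGTH ranking, the entry fields and the addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed ranking used to pick the "highest security" transform set that
# both peers support. Names follow IOS transform-set syntax; the numbers are an
# assumption for this example, not a Cisco definition.
STRENGTH = {
    "esp-aes-256 esp-sha-hmac": 4,
    "esp-aes esp-sha-hmac": 3,
    "esp-3des esp-sha-hmac": 2,
    "esp-des esp-md5-hmac": 1,
}
MAX_TRANSFORM_SETS = 6  # per crypto map entry, as stated in the guide


@dataclass
class CryptoMapEntry:
    name: str                     # crypto map name; entries sharing it form one set
    seq: int                      # map sequence number within the set
    rules: List[Tuple[str, str]]  # IPsec rules as (source network, destination network)
    transform_sets: List[str]     # candidate transform sets for this entry
    peer: Optional[str] = None    # None marks a dynamic entry (peer learned at negotiation)
    mode: str = "tunnel"          # "tunnel" or "transport"

    def __post_init__(self) -> None:
        if len(self.transform_sets) > MAX_TRANSFORM_SETS:
            raise ValueError("at most six transform sets per crypto map entry")
        if self.mode not in ("tunnel", "transport"):
            raise ValueError("mode must be 'tunnel' or 'transport'")

    @property
    def dynamic(self) -> bool:
        return self.peer is None


def crypto_map_set(entries: List[CryptoMapEntry]) -> List[CryptoMapEntry]:
    """Group entries with one crypto map name into a set ordered by sequence number."""
    names = {e.name for e in entries}
    if len(names) != 1:
        raise ValueError(f"entries belong to different crypto maps: {sorted(names)}")
    if len({e.seq for e in entries}) != len(entries):
        raise ValueError("duplicate sequence numbers in crypto map set")
    return sorted(entries, key=lambda e: e.seq)


def match_entry(cmap: List[CryptoMapEntry], src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Evaluate one flow against the set: the lowest-sequence entry whose rules cover it wins."""
    s, d = ip_address(src), ip_address(dst)
    for entry in cmap:
        if any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in entry.rules):
            return entry
    return None  # no crypto map entry: traffic leaves the interface unprotected


def negotiate_transform_set(local: CryptoMapEntry, remote: CryptoMapEntry) -> Optional[str]:
    """Transform set applied to the SA: the strongest one both entries list, same mode."""
    if local.mode != remote.mode:
        return None
    common = [ts for ts in local.transform_sets if ts in remote.transform_sets]
    if not common:
        return None  # no match: the IPsec SA negotiation fails
    return max(common, key=lambda ts: STRENGTH.get(ts, 0))


def can_initiate(entry: CryptoMapEntry) -> bool:
    """A hub holding only a dynamic entry must wait for the unknown spoke to initiate."""
    return not entry.dynamic


if __name__ == "__main__":
    # Constructed hub crypto map set: one static entry to a known spoke and one
    # dynamic entry that catches spokes whose address is unknown in advance.
    hub = crypto_map_set([
        CryptoMapEntry("VPN", 20, [("10.1.0.0/16", "0.0.0.0/0")],
                       ["esp-aes-256 esp-sha-hmac", "esp-aes esp-sha-hmac", "esp-3des esp-sha-hmac"]),
        CryptoMapEntry("VPN", 10, [("10.1.0.0/16", "10.2.0.0/16")],
                       ["esp-aes-256 esp-sha-hmac", "esp-3des esp-sha-hmac"], peer="203.0.113.2"),
    ])
    spoke = CryptoMapEntry("SPOKE", 10, [("10.2.0.0/16", "10.1.0.0/16")],
                           ["esp-3des esp-sha-hmac", "esp-des esp-md5-hmac"], peer="198.51.100.1")
    hit = match_entry(hub, "10.1.5.5", "10.2.1.1")
    print("flow matched seq", hit.seq, "dynamic" if hit.dynamic else "static")
    print("negotiated:", negotiate_transform_set(hit, spoke))
```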
Related Topics

Understanding IPsec Tunnel Policies, page 9-72

About Crypto Maps, page 9-73

Configuring IPsec Proposals, page 9-77


About Reverse Route Injection


Reverse Route Injection (RRI) enables static routes to be automatically inserted
into the routing process for those networks and hosts protected by a remote tunnel
endpoint. These protected hosts and networks are known as remote proxy
identities. Each route is created on the basis of the remote proxy network and
mask, with the next hop to this network being the remote tunnel endpoint. By
using the remote VPN router as the next hop, the traffic is forced through the
crypto process to be encrypted.
After the static route is created on the VPN router, this information is propagated
to upstream devices, allowing them to determine the appropriate VPN router to
which to send returning traffic in order to maintain IPsec state flows. This is
particularly useful if multiple VPN routers are used at a site to provide load
balancing or failover, or if the remote VPN devices are not accessible via a default
route. Routes are created in either the global routing table or the appropriate
virtual route forwarding (VRF) table.

Note

Security Manager automatically configures RRI on devices with High
Availability (HA), or on the IPsec Aggregator when VRF-Aware IPsec is
configured.

You can configure RRI on a device's crypto map in a remote access VPN. See
Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14.

In Security Manager, the following options are available for configuring Reverse
Route Injection:

• For dynamic crypto maps, routes are created upon the successful
establishment of IPsec SAs for those remote proxies. The next hop back to
those remote proxies is via the remote VPN router whose address is learned
and applied during the creation of the dynamic crypto map template. The
routes are deleted after the SAs are deleted.

• The Remote Peer option enables you to specify an interface or address as the
explicit next hop to the remote VPN device. Two routes are created. One route
is the standard remote proxy ID and the next hop is the remote VPN client
tunnel address. The second route is the actual route to the remote tunnel
endpoint, when a recursive lookup is forced to impose that the remote
endpoint is reachable via next-hop. Creation of the second route for the
actual next hop is very important for VRF-Aware IPsec when a default route
must be overridden by a more explicit route.

Note

For devices using a VPN Services Module (VPNSM), the next hop is the
interface or subinterface/VLAN on which the crypto map is applied.

• In the case of Remote Peer IP, one route is created to a remote proxy by way
of a user-defined next hop. The next hop can be used to override a default
route, to properly direct outgoing encrypted packets. This option reduces the
number of routes created and supports those platforms that do not readily
facilitate route recursion.
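As an added example (not Security Manager or IOS code), this Python computes the routes that each RRI option above would inject for one tunnel, and shows dynamic-crypto-map routes being added when the IPsec SA comes up and withdrawn when it is deleted. The Route fields, the option names and the addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str       # destination network in CIDR form (the remote proxy identity)
    next_hop: str     # IP address, or an interface name on a VPNSM
    vrf: str = "global"


def rri_routes(remote_proxies: List[str], remote_endpoint: str, option: str = "standard",
               explicit_next_hop: Optional[str] = None, vrf: str = "global") -> List[Route]:
    """Static routes RRI injects for one tunnel, for each option described in the guide."""
    proxies = [str(ip_network(p)) for p in remote_proxies]
    if option == "standard":
        # One route per remote proxy; the remote tunnel endpoint is the next hop, which
        # forces return traffic through the crypto process.
        return [Route(p, remote_endpoint, vrf) for p in proxies]
    if explicit_next_hop is None:
        raise ValueError(f"RRI option {option!r} requires an explicit next hop")
    if option == "remote-peer":
        # The standard routes plus a host route to the endpoint itself via the explicit
        # next hop, so the recursive lookup resolves through that hop even when it
        # has to beat a default route (the VRF-Aware IPsec case).
        routes = [Route(p, remote_endpoint, vrf) for p in proxies]
        routes.append(Route(f"{remote_endpoint}/32", explicit_next_hop, vrf))
        return routes
    if option == "remote-peer-ip":
        # One route per proxy straight to the user-defined next hop: fewer routes and
        # no recursion, for platforms that do not resolve recursive routes well.
        return [Route(p, explicit_next_hop, vrf) for p in proxies]
    raise ValueError(f"unknown RRI option {option!r}")


class RoutingTable:
    """Routing table that ties dynamic-crypto-map routes to the SA that created them."""

    def __init__(self) -> None:
        self.routes: Set[Route] = set()
        self._by_sa: Dict[str, Set[Route]] = {}

    def add_static(self, route: Route) -> None:
        self.routes.add(route)

    def sa_established(self, sa_id: str, routes: List[Route]) -> None:
        """Dynamic crypto map: routes appear when the IPsec SA comes up."""
        self._by_sa[sa_id] = set(routes)
        self.routes |= self._by_sa[sa_id]

    def sa_deleted(self, sa_id: str) -> None:
        """Routes are withdrawn when the SA is deleted, unless another live SA still needs them."""
        gone = self._by_sa.pop(sa_id, set())
        still_needed = set().union(*self._by_sa.values())
        self.routes -= gone - still_needed

    def lookup(self, dst: str, vrf: str = "global") -> Optional[str]:
        """Longest-prefix match within one VRF: an RRI route beats a default route."""
        d = ip_address(dst)
        best: Optional[Route] = None
        best_len = -1
        for r in self.routes:
            net = ip_network(r.prefix)
            if r.vrf == vrf and d in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best.next_hop if best else None


if __name__ == "__main__":
    table = RoutingTable()
    table.add_static(Route("0.0.0.0/0", "192.0.2.1"))          # constructed default route
    injected = rri_routes(["10.2.0.0/16"], "203.0.113.2",      # constructed spoke tunnel
                          option="remote-peer", explicit_next_hop="198.51.100.1")
    table.sa_established("spoke1-sa", injected)
    print("to 10.2.3.4 via", table.lookup("10.2.3.4"))        # 203.0.113.2
    print("to endpoint via", table.lookup("203.0.113.2"))     # 198.51.100.1, not the default
    table.sa_deleted("spoke1-sa")
    print("after SA delete via", table.lookup("10.2.3.4"))    # back to 192.0.2.1
```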

Related Topics

Understanding IPsec Tunnel Policies, page 9-72

About Crypto Maps, page 9-73

Configuring IPsec Proposals, page 9-77

Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14

Configuring IPsec Proposals


In Security Manager, an IPsec proposal is a policy that you can assign to a VPN
topology. In the Site-to-Site VPN Manager window, you can view the predefined
IPsec proposal that you can assign to a selected VPN topology. From this page,
you can edit the IPsec proposal, if required.
This procedure describes how to edit the parameters of an IPsec proposal.
Before You Begin

Create your VPN topology. See Creating a VPN Topology, page 9-20.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.



Step 3

Select IPsec Proposal in the Policies selector.


The IPsec Proposal page appears, displaying the defined parameters for the
selected IPsec proposal. For a description of the elements on this page, see
Table G-16 on page G-46.

Step 4

Click the Static or Dynamic radio button, depending on the crypto map type.

Step 5

Select the required transform set(s) for your tunnel policy.

Step 6

To generate and use a unique session key for each encrypted exchange, select the
Enable Perfect Forward Secrecy check box. Then, select the required
Diffie-Hellman key derivation algorithm from the Modulus Group list.

Step 7

In the Lifetime fields, specify the lifetime settings for the crypto IPsec security
association (SA) in seconds, in kilobytes, or both.

Step 8

To enable Cisco IOS Quality of Service services to operate in conjunction with
tunneling and encryption on an interface, select the QoS Preclassify check box.

Step 9

Select the required option to configure Reverse Route Injection (RRI) on the
crypto map (on a PIX 7.0, ASA, or IOS router except 7600 device).

Step 10

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Understanding IPsec Tunnel Policies, page 9-72

About Reverse Route Injection, page 9-76

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

IPsec Proposal Page, page G-45

Understanding VPN Global Settings


In Security Manager, you can define VPN global settings that apply to all devices
in your VPN topology. These settings include Internet Key Exchange (IKE),
IPsec, NAT, and fragmentation definitions.


The following topics describe these global VPN settings:

Understanding ISAKMP/IPsec Settings, page 9-79

Understanding NAT, page 9-80

Understanding Fragmentation, page 9-82

Related Topics

Configuring VPN Global Settings, page 9-83

Understanding ISAKMP/IPsec Settings


The Internet Key Exchange (IKE) protocol, also called the Internet Security
Association and Key Management Protocol (ISAKMP) is the negotiation protocol
that lets two hosts agree on how to build an IPsec security association. Each
ISAKMP negotiation is divided into a Phase 1 and Phase 2. Phase 1 creates the
first tunnel, which protects ISAKMP negotiation messages. Phase 2 creates the
tunnel that protects data.
To set terms for ISAKMP negotiations, you create an IKE proposal. For more
information, see Configuring an IKE Proposal, page 9-71.
About IKE Keepalive

With IKE keepalive, tunnel peers exchange messages that demonstrate they are
available to send and receive data in the tunnel. Keepalive messages transmit at
set intervals, and any disruption in that interval results in the creation of a new
tunnel, using a backup device.
Devices that rely on IKE keepalive for resiliency transmit their keepalive
messages regardless of whether they are exchanging other information. These
keepalive messages can therefore create a small but additional demand on your
network.
A variation on IKE keepalive called keepalive dead-peer detection (DPD) sends
keepalive messages between peer devices only when no incoming traffic is
received and outbound traffic needs to be sent. If you want to send DPD keepalive
messages when no incoming traffic is received regardless of whether there is any
outbound traffic, you can specify this using the Periodic option. See
ISAKMP/IPsec Settings Tab, page G-50.


Related Topics

Configuring VPN Global Settings, page 9-83

ISAKMP/IPsec Settings Tab, page G-50

Understanding NAT
Network Address Translation (NAT) enables devices that use internal IP
addresses to send and receive data through the Internet. It converts private,
internal LAN addresses into globally routable IP addresses when they try to
access data on the Internet. In this way, NAT enables a small number of public IP
addresses to provide global connectivity for a large number of hosts.
NAT enhances the stability of your hub-and-spoke VPN tunnels because resources
required for VPN connections are not used for other purposes, and the VPN tunnel
is kept available for traffic requiring complete security. Sites inside the VPN can
use NAT through a split tunnel to exchange non secure traffic with outside
devices, and they do not squander VPN bandwidth or overwhelm the hub at the
tunnel head-end by directing nonessential traffic through it.
Security Manager supports only NAT with dynamic IP addressing, and applies to
it an overload feature that permits what is known as port-level NAT or Port
Address Translation (PAT). PAT uses port addressing to associate thousands of
private NAT addresses with a small group of public IP addresses. PAT is used if the
addressing requirements of your network exceed the available addresses in your
dynamic NAT pool.

Note

When you enable PAT on Cisco IOS routers, an additional NAT rule is
implicitly created for split-tunneled traffic, on deployment. This NAT rule,
which denies VPN-tunneled traffic and permits all other traffic (using the
external interface as the IP address pool), is not reflected as a router platform
policy. You can remove the NAT rule by disabling this feature. For more
information, see Defining Dynamic NAT Rules, page 14-16.

You can configure traffic to bypass NAT configuration on site-to-site VPN
traffic. To bypass NAT configuration on Cisco IOS routers, make sure the
Do Not Translate VPN Traffic check box is enabled in the NAT Dynamic
Rule platform policy (see NAT Dynamic Rule Dialog Box, page K-14). To
exclude NAT on PIX Firewalls or ASA devices, make sure this check box is
selected in the NAT Translation Options platform policy (see Translation
Options Page, page L-7).

About NAT Traversal

NAT traversal is used for the transmission of keepalive messages when there is a
device (middle device) located between a VPN-connected hub and spoke, and that
device performs NAT on the IPsec flow.
If the IP address of the VPN interface on the spoke is not globally routable, the
NAT on the middle device replaces it with a new globally routable IP address. This
change is made in the IPsec header, and violates the checksum of the spoke
causing a mismatch with the hub's checksum calculation. This results in loss of
connectivity between the hub and the spoke.
With NAT traversal, the spoke adds a UDP header to the payload. The NAT on the
middle device changes the IP address in the UDP header, leaving the IPsec header
and checksum intact. On a middle device that uses static NAT, you must provide
the static NAT IP address (globally routable) on the inside interface. The static
NAT IP address is provided for all traffic through that interface that requires NAT.
However, if the middle device uses dynamic NAT where the NAT IP address is
unknown, you must define dynamic crypto on the hub to serve any connection
request from the spoke. Security Manager generates the required tunnel
configuration for the spoke.

Note

NAT traversal is enabled by default on routers running IOS version 12.3T and
later. If you want to disable the NAT traversal feature, you must do this manually
on the device or using a FlexConfig (see Chapter 19, Managing FlexConfigs).
You can define global NAT settings on the NAT Settings tab of the Global VPN
Settings page.
Related Topics

Configuring VPN Global Settings, page 9-83

NAT Settings Tab, page G-54


Understanding Fragmentation
Fragmentation breaks a packet into smaller units when it is transmitted over a
physical interface that cannot support the original size of the packet.
Fragmentation minimizes packet loss in a VPN tunnel, because it enables
transmission of secured packets that might otherwise be too large to transmit. This
is particularly relevant when using GRE, because any packet of more than 1420
bytes will not have enough room in its header for the additional 80 bytes that the
combined use of IPsec and GRE adds to the packet payload.
The maximum transmission unit (MTU) specifies the maximum packet size, in
bytes, that an interface can handle. If a packet exceeds the MTU, it is fragmented,
typically after encryption. If the DF (Don't Fragment) bit is set, the packet is
dropped. A DF bit is a bit within the IP header that indicates if a device can
fragment a packet. If you enable the DF feature, you must specify whether the
device can clear, set, or copy the DF bit from the encapsulated header.
Because reassembly of an encrypted packet is difficult, fragmentation can degrade
network performance. To prevent network performance problems, fragmentation
settings configure the device so that fragmentation occurs before encryption.
Security Manager instructs a device to handle packets that are larger than the
MTU, either with end-to-end MTU discovery or by setting the MTU on the device.

• MTU Discovery: End-to-end MTU discovery uses Internet Control Message
Protocol (ICMP) messages to determine the maximum MTU that a host can
use to send a packet through the VPN tunnel without causing fragmentation.
The MTU setting for each link in a transmission path is checked to ensure that
no transmitted packet exceeds the smallest MTU in that path. The discovered
MTU is used to decide whether fragmentation is necessary.

• Local MTU handling: Typically used when ICMP is blocked. You can define
an MTU size between 68 and 65535 bytes, depending on the VPN interface.

By default, Security Manager uses end-to-end MTU discovery using ICMP
messages. If ICMP is blocked, MTU discovery fails and packets are either lost (if
the DF bit is set) or fragmented after encryption (if the DF bit is not set).
On the General Settings tab of the VPN Global Settings page, you can define
fragmentation settings and enable the DF bit feature on the devices in your VPN
topology. For more information, see Table G-19 on page G-57.
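As an added example (not Security Manager or IOS code), this Python works through the decisions this section describes: the path MTU from per-link MTUs, the 1420-byte limit that the 80-byte GRE + IPsec overhead leaves on a 1500-byte MTU, and whether an oversized packet is fragmented before encryption, fragmented after encryption, or dropped, depending on the DF bit and the clear/set/copy setting. The 20-byte IP header, the policy names and the packet sizes used are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List

GRE_IPSEC_OVERHEAD = 80   # bytes that combined GRE + IPsec add to a packet (figure from the guide)
IP_HEADER = 20            # assumption: IPv4 header without options
ETHERNET_MTU = 1500       # 1500 - 80 = 1420, the threshold the guide cites


def path_mtu(link_mtus: List[int]) -> int:
    """End-to-end MTU discovery result: the smallest MTU on any link in the path."""
    if not link_mtus:
        raise ValueError("path must contain at least one link")
    return min(link_mtus)


def largest_clear_packet(mtu: int, overhead: int = GRE_IPSEC_OVERHEAD) -> int:
    """Largest cleartext packet that still fits the MTU after GRE + IPsec encapsulation."""
    return mtu - overhead


def fragment_sizes(total: int, limit: int) -> List[int]:
    """Split an IP packet of `total` bytes into fragments no larger than `limit`.

    Every fragment repeats the IP header, and all but the last carry a payload that
    is a multiple of 8 bytes because IP fragment offsets count in 8-byte units.
    """
    per_fragment = ((limit - IP_HEADER) // 8) * 8
    if per_fragment <= 0:
        raise ValueError("limit too small to carry any payload")
    payload = total - IP_HEADER
    sizes = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(IP_HEADER + chunk)
        payload -= chunk
    return sizes


@dataclass
class Verdict:
    action: str             # "send", "fragment-before-encrypt", "fragment-after-encrypt", "drop"
    wire_sizes: List[int]   # sizes of the encrypted packets that leave the interface
    outer_df: bool          # DF bit carried by the encapsulating (outer) header


def handle_packet(size: int, df_set: bool, mtu: int, df_policy: str = "copy",
                  prefragment: bool = True, overhead: int = GRE_IPSEC_OVERHEAD) -> Verdict:
    """Decide what happens to a cleartext packet of `size` bytes entering the tunnel.

    df_policy:   "clear", "set" or "copy" the inner DF bit into the outer header.
    prefragment: the device is set to fragment before encryption.
    """
    outer_df = {"clear": False, "set": True, "copy": df_set}[df_policy]
    encrypted = size + overhead
    if encrypted <= mtu:
        return Verdict("send", [encrypted], outer_df)
    # Too large once encapsulated. Preferred path: fragment the cleartext packet so
    # that each piece still fits after encryption; the peer then reassembles
    # cleartext rather than ciphertext. Not allowed when the sender set DF.
    if prefragment and not df_set:
        frags = fragment_sizes(size, mtu - overhead)
        return Verdict("fragment-before-encrypt", [f + overhead for f in frags], outer_df)
    # Otherwise the outer header decides: DF set means the packet is dropped, DF
    # clear means the encrypted packet is fragmented and the peer must reassemble
    # ciphertext, which is the costly case the guide warns about.
    if outer_df:
        return Verdict("drop", [], outer_df)
    return Verdict("fragment-after-encrypt", fragment_sizes(encrypted, mtu), outer_df)


if __name__ == "__main__":
    mtu = path_mtu([1500, 1500, 1500])          # constructed path, all Ethernet links
    print("largest cleartext packet:", largest_clear_packet(mtu))   # 1420
    for size, df, policy in [(1400, False, "copy"), (1500, False, "copy"),
                             (1500, True, "copy"), (1500, True, "clear")]:
        v = handle_packet(size, df, mtu, policy)
        print(f"{size}B DF={df} policy={policy}: {v.action} {v.wire_sizes}")
```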


Related Topics

Configuring VPN Global Settings, page 9-83

General Settings Tab, page G-56

Configuring VPN Global Settings


On the VPN Global Settings page, you can define global settings for IKE, IPsec,
NAT, and fragmentation, to apply to devices in your VPN topology. A VPN
Global Settings policy applies to any IPsec technology assigned to your VPN
topology.
The following procedure describes how to define global settings in your VPN
topology.

Note

For more information about global VPN settings, see Understanding VPN Global
Settings, page 9-78.
Before You Begin

Create your VPN topology. See Creating a VPN Topology, page 9-20.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select VPN Global Settings in the Policies selector. The VPN Global Settings
dialog box opens, displaying the ISAKMP/IPsec Settings tab.

Step 4

In the ISAKMP/IPsec Settings tab, specify global settings for IKE and IPsec. For
a description of the elements on this tab, see Table G-17 on page G-51.

Step 5

Click the NAT Settings tab to define global NAT settings that apply to devices
that use internal IP addresses to send and receive data through the Internet. For a
description of the elements on this tab, see Table G-18 on page G-55.

Step 6

Click the General Settings tab to define fragmentation settings on the devices in
your VPN topology. For a description of the elements on this tab, see Table G-19
on page G-57.

Step 7

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Understanding ISAKMP/IPsec Settings, page 9-79

Understanding NAT, page 9-80

Understanding Fragmentation, page 9-82

ISAKMP/IPsec Settings Tab, page G-50

NAT Settings Tab, page G-54

General Settings Tab, page G-56

Understanding Preshared Key Policies


If you want to use preshared key as your authentication method, you must define
a shared key for each tunnel between two peers, that will be their shared secret for
authenticating the connection. The key will be configured on each peer. If the key
is not the same on both peers of the tunnel, the connection cannot be established.
The peer addresses that are required for configuring the preshared key are
deduced from the VPN topology.
Preshared keys are configured on spokes. In a hub-and-spoke VPN topology,
Security Manager mirrors the spoke's preshared key and configures it on its
assigned hub, so that the key on the spoke and hub are the same. In a
point-to-point VPN topology, you must configure the same preshared key on both
peers. In a full mesh VPN topology, any two devices that are connected must have
the same preshared key.
In a preshared key policy, you can manually specify to use a specific key, or you
can use automatically generated keys for peers participating in each
communication session. Using automatically generated keys (the default method)
is preferred, because security can be compromised if all connections in a VPN use
the same preshared key.

There are three methods for negotiating key information and setting up IKE SAs:

• Main mode address: Negotiation is based on IP address. Main mode
provides the highest security because it has three two-way exchanges
between the initiator and receiver. This is the default negotiation method.
This method has three options for creating keys:

  • You can create a key for each peer, based on the unique IP address of each
  peer, providing high security.

  • You can create a group preshared key on a hub in a hub-and-spoke VPN
  topology, to be used for communication with any device in a specified
  subnet. Each peer is identified by its subnet, even if the IP address of the
  device is unknown. In a point-to-point or full mesh VPN topology, a
  group preshared key is created on the peers.

  • You can create a wildcard key on a hub in a hub-and-spoke VPN
  topology, or on a group containing hubs, to be used for dynamic crypto
  where a spoke does not have a fixed IP address or belong to a specific
  subnet. All spokes connecting to the hub have the same preshared key,
  which could compromise security. In a point-to-point or full mesh VPN
  topology, a wildcard key is created on the peers.

  Note

  If you are configuring DMVPN with direct spoke-to-spoke
  connectivity, you create a wildcard key on the spokes.

• Main mode fully qualified domain name (FQDN): Negotiation is based on
DNS resolution, with no reliance on IP address. This option can only be used
if the DNS resolution service is available for the host. It is useful when
managing devices with dynamic IP addresses that have DNS resolution
capabilities.

• Aggressive mode: Negotiation is based on hostname (without DNS
resolution) and domain name. Aggressive mode is less secure than main
mode. However, it provides more security than using group preshared keys if
the IP address of the VPN interface on the host is unknown, and the FQDN of
the dynamic IP peer is not DNS resolvable. This negotiation method is
recommended for use with a GRE Dynamic IP or DMVPN failover and
routing policy.


Related Topics

Deciding Which Authentication Method to Use, page 9-70

Configuring Preshared Key Policies, page 9-86

Preshared Key Page, page G-59

Configuring Preshared Key Policies


The following procedure describes how to edit the parameters of a preshared key
policy defined for a VPN topology:
Before You Begin

Create your VPN topology. See Creating a VPN Topology, page 9-20.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select Preshared Key in the Policies selector.


The Preshared Key page appears, displaying the defined parameters for the
selected preshared key policy. For a description of the elements on this page, see
Table G-20 on page G-60.

Step 4

Select whether to use a specific preshared key, or to automatically generate a
random key for the participating peers.

Step 5

Select the negotiation method required for exchanging key information, from the
available options.

Step 6

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.


Related Topics

• Understanding Preshared Key Policies, page 9-84

• Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

• Preshared Key Page, page G-59

Understanding Public Key Infrastructure Policies

Security Manager supports IPsec configuration with Certification Authority (CA)
servers that manage certificate requests and issue certificates to devices in your
VPN topology. You can create a Public Key Infrastructure (PKI) policy to
generate enrollment requests for CA certificates and RSA keys, and manage keys
and certificates, providing centralized key management for the participating
devices.
CA servers, also known as trustpoints, manage public CA certificate requests and
issue certificates to participating IPsec network devices. When you use RSA
Signature as the device authentication method for IKE and IPsec proposal
policies, peers are configured to obtain digital certificates from a CA server. With
a CA server, you do not have to configure keys between all the encrypting devices.
Instead, you individually enroll each participating device with the CA server,
which is explicitly trusted to validate identities and create a digital certificate for
the device. When this has been accomplished, each participating peer can validate
the identities of the other participating peers and establish encrypted sessions with
the public keys contained in the certificates.
CAs can also revoke certificates for peers that no longer participate in an IPsec
VPN topology. Revoked certificates are either managed by an Online Certificate
Status Protocol (OCSP) server or are listed in a certificate revocation list (CRL)
stored on an LDAP server, which each peer can check before accepting a
certificate from another peer.
PKI enrollment can be set up in a hierarchical framework consisting of multiple
CAs. At the top of the hierarchy is a root CA, which holds a self-signed certificate.
The trust within the entire hierarchy is derived from the RSA key pair of the root
CA. Subordinate CAs within the hierarchy can enroll with either the root CA or
with another subordinate CA. Within a hierarchical PKI, all enrolled peers can
validate each other's certificates if the peers share a trusted root CA certificate or
a common subordinate CA.


Note

PKI policies may be configured on Cisco IOS routers, PIX Firewalls, and
Adaptive Security Appliance (ASA) devices.

Security Manager only supports PKI configuration on devices with Cisco IOS
version 12.3(7)T and later.

To save the RSA key pairs and the CA certificates between reloads
permanently to Flash memory on a PIX Firewall version 6.3, you must
configure the "ca save all" command. You can do this manually on the device
or using a FlexConfig (see Chapter 19, Managing FlexConfigs).

PKI policies may also be configured on devices in a remote access VPN. For
more information, see Public Key Infrastructure Policies in Remote Access
VPNs, page 10-24.

CA Server Authentication Methods

You can authenticate the CA server using one of the following methods:

• Using the Simple Certificate Enrollment Protocol (SCEP) to retrieve the CA's
certificates from the CA server. Using SCEP, you establish a direct
connection between your device and the CA server. Be sure your device is
connected to the CA server before beginning the enrollment process. Since
this method of retrieving CA certificates for routers is interactive, you can
deploy your PKI policy to live devices only, not to files.

Note

When using SCEP, you must enter the fingerprint for the CA server.
If the value you enter does not match the fingerprint on the certificate,
the certificate is rejected. You can obtain the CA's fingerprint by
contacting the server directly, or by entering the following address in
a web browser: http://URLHostName/certsrv/mscep/mscep.dll.

• Manually creating an enrollment request that you can submit to a CA server
offline, by copying the CA server's certificates from another device.
Use this method if your device cannot establish a direct connection to the CA
server or if you want to generate an enrollment request and send it to the
server at a later time.


Note

This method enables you to deploy the PKI policy either to devices or
to files.

For more information, see PKI Enrollment Dialog Box, page F-437.
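As an added example (not part of this guide and not Security Manager code), the following Python performs the two checks a CA certificate file should pass before it is trusted: that the file really is a base64 (PEM) certificate, as required for a .ca file copied to a TFTP server, and that its fingerprint matches the value obtained from the CA out of band, which is the comparison the SCEP note above describes. The certificate bytes, file and fingerprint below are constructed placeholders, not values from any real CA.

```python
import base64
import hashlib
import hmac
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
BASE64_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of a base64-encoded (.ca/.crt) certificate file.

    Raises ValueError for anything that is not a base64 certificate, such as a
    binary DER file saved without choosing "Base64 encoded" at the CA web page.
    """
    body = text.strip()
    if body.startswith(PEM_HEADER):
        if not body.endswith(PEM_FOOTER):
            raise ValueError("PEM footer missing")
        body = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    body = "".join(body.split())          # drop line breaks and spaces
    if not body or not BASE64_BODY.fullmatch(body):
        raise ValueError("not a base64-encoded certificate")
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the 64-column base64 layout a CA web page downloads."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def is_base64_certificate_file(text: str) -> bool:
    """True if the file can be placed on the TFTP server as a .ca file."""
    try:
        pem_to_der(text)
        return True
    except ValueError:
        return False


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER certificate and show it in 8-hex-digit groups, the way a
    router displays a CA fingerprint during trustpoint authentication."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def _normalize(fp: str) -> str:
    # Accept "AB CD", "ab:cd" or "abcd" spellings of the same fingerprint.
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_ca_fingerprint(pem_text: str, expected: str,
                          algorithm: str = "sha1") -> bool:
    """Compare the file's fingerprint with the value the CA administrator
    supplied. A mismatch means the certificate must be rejected."""
    actual = _normalize(fingerprint(pem_to_der(pem_text), algorithm))
    return hmac.compare_digest(actual, _normalize(expected))


# Constructed placeholder: NOT a real certificate, just bytes to hash.
SAMPLE_DER = b"\x30\x82\x01\x22" + bytes(range(64))
SAMPLE_CA_FILE = der_to_pem(SAMPLE_DER)
# The fingerprint an administrator would report out of band. Here it is derived
# from the placeholder; in practice it must come from the CA, never from the file.
TRUSTED_FINGERPRINT = fingerprint(SAMPLE_DER, "sha1")

if __name__ == "__main__":
    print("base64 .ca file:", is_base64_certificate_file(SAMPLE_CA_FILE))
    print("fingerprint matches:",
          verify_ca_fingerprint(SAMPLE_CA_FILE, TRUSTED_FINGERPRINT))
    tampered = der_to_pem(SAMPLE_DER + b"\x00")
    print("tampered file matches:",
          verify_ca_fingerprint(tampered, TRUSTED_FINGERPRINT))
```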

Note

You can also use Cisco Secure Device Provisioning (SDP) to enroll for a
certificate. For more information about using SDP for certificate enrollment, see
Secure Device Provisioning on Cisco IOS Routers, page 14-112.

Related Topics

• Prerequisites for Successful PKI Enrollment, page 9-89

• Configuring Public Key Infrastructure Policies, page 9-92

• Understanding PKI Enrollment Objects, page 8-136

• Public Key Infrastructure Page, page G-63

Prerequisites for Successful PKI Enrollment

The following are prerequisites for configuring a PKI policy in your network:

• The IKE authentication method used with CA can only be RSA Signature.

• The domain name must be defined on the devices for PKI enrollment to be
successful (unless you specify the CA server nickname).

• To enroll with the CA server directly, you must specify the server's
enrollment URL.

• To enroll with the CA server by means of a TFTP server, you must ensure that
the CA certificates file is saved to the TFTP server. After deployment of the
PKI policy, you must copy the certificate request from your TFTP server to
the CA server. For more information, see Prerequisites for PKI Enrollment
Using TFTP, page 9-91.

• When configuring a trustpoint, you must specify one of the Certificate
Revocation List (CRL) checking options. For more information, see Defining
CA Server Properties, page 8-140.


• You may specify an RSA public key to use in the enrollment request. If you
do not specify an RSA key pair, the Fully Qualified Domain Name (FQDN)
key will be used.
If using RSA keys, once the certificate has been granted, the public key is
included in the certificate so that peers can use it to encrypt data sent to the
device. The private key is kept on the device and used to decrypt data sent by
peers, and to digitally sign transactions when negotiating with peers. You can
use an existing key pair or generate a new one. If you want to generate a new
key pair to use in the certificate for router devices, you must also specify the
modulus to determine the size of the key.
For more information, see Defining PKI Enrollment Parameters, page 8-142.

• If you are making a PKI enrollment request on a Cisco Easy VPN IPsec
remote access system, you must configure each remote component (spoke)
with the name of the user group to which it connects. You specify this
information in the Organization Unit (OU) field in the Certificate Subject
Name tab of the PKI Enrollment Editor dialog box.

Note

You do not need to configure the name of the user group on the hub
(Easy VPN Server).

For more information, see Defining Additional PKI Attributes, page 8-145.

• To deploy PKI policies to files (not to live devices), the following
prerequisites must be met:
– Devices must have IOS 12.3(7)T or later (trustpoint PKI devices).
– CA authentication certificates must be cut and pasted into the Security
Manager user interface (so that CA authentication is not interactive and
does not require communication with the live device).

• If you are deploying to live devices, the PKI server must be online.

• Security Manager supports the Microsoft, Verisign, and Entrust PKIs.

• Security Manager supports Cisco IOS Certificate Servers. The Cisco IOS
Certificate Server feature embeds a simple certificate server, with limited CA
functionality, into the Cisco IOS software. An IOS Certificate Server can be
configured as a FlexConfig policy. For more information, see Chapter 19,
Managing FlexConfigs.


Prerequisites for PKI Enrollment Using TFTP

If you do not have constant direct access to the CA server, you can enroll using
TFTP, if your devices are routers running IOS 12.3(7)T or later.
On deployment, Security Manager generates the corresponding CA trustpoint
command and authenticate command. The trustpoint command is configured with
the enrollment URL tftp://<certserver> <file_specification> entry to retrieve the
CA certificate using TFTP. If the file_specification is not specified, the FQDN of
the router is used.
Before using this option, you must make sure that the CA certificates file (.ca) is
saved on the TFTP server. To do this, use this procedure:
1. Connect to http://servername/certsrv, where servername is the name of the
Windows 2000 web server on which the CA you want to access is located.

2. Select Retrieve the CA certificate or certificate revocation list, then click
Next.

3. Select Base64 encoded, then click Download CA certificate.

4. Save the .crt file as a .ca file on the TFTP server using your browser's Save
As function.

After deployment, you must transfer the certificate request generated by Security
Manager on the TFTP server to the CA, and then transfer the device's certificates
from the CA to the device.

Transferring the Certificate Request from the TFTP Server to the CA Server

Security Manager creates a PKCS#10 formatted enrollment request (.req) on the
TFTP server. You must transfer it to the PKI server using this procedure:

1. Connect to http://servername/certsrv, where servername is the name of the
Windows 2000 Web server where the CA you want to access is located.

2. Select Request a certificate, then click Next.

3. Select Advanced request, then click Next.

4. Select Submit a certificate request using a base64 encoded PKCS #10 file
or a renewal request using a base64 encoded PKCS #7 file, then click
Next.

5. Either select browse for a file (and browse to the TFTP server and select the
.req file), or open the .req file just received by TFTP with WordPad/Notepad
and copy/paste its contents into the first window.


6. Export the .crt file from the CA and put it on the TFTP server.

7. Configure the 'crypto ca import <label> certificate' command to import the
device's certificates from the TFTP server.

Related Topics

• Configuring Public Key Infrastructure Policies, page 9-92

• Understanding PKI Enrollment Objects, page 8-136

• Public Key Infrastructure Page, page G-63

• Configuring a User Group Policy for Easy VPN, page 9-117

Configuring Public Key Infrastructure Policies

You can create a Public Key Infrastructure (PKI) policy to generate enrollment
requests for CA certificates and RSA keys, and to manage keys and certificates.
Certification Authority (CA) servers are used to manage these certificate requests
and issue certificates to the participating devices in your VPN topology.
In Security Manager, CA servers are predefined as PKI enrollment objects that
you can use in your PKI policies. A PKI enrollment object contains the server
information and enrollment parameters that are required for creating enrollment
requests for CA certificates.

Note

For more information about Public Key Infrastructure policies, see Understanding
Public Key Infrastructure Policies, page 9-87.

This procedure describes how to specify the CA server that will be used to create
a Public Key Infrastructure (PKI) policy, in your VPN topology.

Before You Begin

• Create your VPN topology. See Creating a VPN Topology, page 9-20.

• Make sure the devices on which you are configuring PKI have IOS version
12.3(7)T or later.

• Please read Prerequisites for Successful PKI Enrollment, page 9-89.


Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select Public Key Infrastructure in the Policies selector. The
Public Key Infrastructure page opens, displaying the currently selected CA
server. For a description of the elements on this page, see Table G-21 on
page G-65.

Step 4

If you want to assign a different CA server, select it in the Available CA Servers
list. The CA server replaces the one in the Selected field.
CA servers are predefined as PKI enrollment objects. If the required CA server
is not included in the list, click Create to open a dialog box that enables you to
create a PKI enrollment object. For more information, see PKI Enrollment Dialog
Box, page F-437.

Note

After creating a PKI enrollment object, you can modify its properties by
selecting it, and clicking Edit.

Step 5

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Note

To save the RSA key pairs and the CA certificates between reloads permanently
to Flash memory on a PIX Firewall version 6.3, you must configure the
"ca save all" command. You can do this manually on the device or using a
FlexConfig (see Chapter 19, Managing FlexConfigs).

Related Topics

• Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

• Understanding Public Key Infrastructure Policies, page 9-87


• Understanding PKI Enrollment Objects, page 8-136

• Deciding Which Authentication Method to Use, page 9-70

• Public Key Infrastructure Page, page G-63

Understanding GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol that encapsulates a
variety of protocol packet types inside IP tunnels, creating a virtual point-to-point
connection to devices at remote points over an IP network. With this technology,
GRE encapsulates the entire original packet with a standard IP header and GRE
header before the IPsec process. Then, IPsec views the GRE packet as an
unremarkable IP packet and performs encryption and authentication services, as
dictated by the IKE negotiated parameters. Because GRE can carry multicast and
broadcast traffic, it is possible to configure a routing protocol for virtual GRE
tunnels. The routing protocol detects loss of connectivity and reroutes packets to
the backup GRE tunnel, thus providing high resiliency.
For VPN resilience, a spoke must be configured with two GRE tunnels, one to the
primary hub and the other to the backup hub. Both GRE tunnels are secured with
IPsec: each one has its own IKE SA and a pair of IPsec SAs. An associated routing
protocol automates the failover mechanism, transferring to the backup tunnel if
virtual link loss is detected.

Note

GRE can be configured on Cisco IOS security routers and Catalyst 6500/7600
devices in hub-and-spoke, point-to-point, and full mesh VPN topologies.

Advantages of IPsec Tunneling with GRE

The main advantages of IPsec tunneling with GRE are:

• GRE uses a routing protocol by which every IPsec peer knows the status of
every other peer at all times.

• GRE provides higher resiliency than IKE keepalive (see About IKE
Keepalive, page 9-79).

• Spoke-to-spoke connectivity is supported when you use GRE.

• GRE supports multicast and broadcast transmissions.


Note

GRE does not support the use of dynamic cryptographic tunnels.


How Does Security Manager Implement GRE?

Security Manager implements a double Interior Gateway Protocol (IGP) solution
for GRE. An IGP refers to a group of devices that receive routing updates from
one another by a routing protocol, EIGRP, OSPF, or RIP. Each routing group is
identified by a logical number. For general routing purposes, the interfaces on the
routers in your networks belong to an IGP. Security Manager adds an additional
IGP that is dedicated for IPsec and GRE-secured communication. This additional
IGP is the secured IGP. The existing IGP (unsecured IGP) is used for routing
traffic that does not require encryption.
When a GRE tunnel is established, a virtual interface is configured on each
device. These virtual interfaces are the endpoints of the GRE tunnel. Each virtual
interface is unique and is assigned with its own crypto map. The GRE tunnel
interface has an IP address (inside tunnel IP address) which is taken from a
loopback interface that Security Manager creates. The GRE tunnel points to the
source and destination IP addresses of the physical VPN interfaces on the hub and
spoke. The GRE virtual interfaces on the hub and its assigned spokes belong to
the secured IGP, as do the inside interfaces you defined for the hub and spoke.
Routing updates within the secured IGP are GRE encapsulated and IPsec is
applied. A flow whose destination is a secured interface (according to the routing
updates of the secured IGP) is directed through the GRE interface where it is GRE
encapsulated and then evaluated against the crypto ACL. If it matches the crypto
ACL, it is routed through the GRE and VPN tunnels.
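As an added example (not from this guide and not Security Manager code), the following Python builds the packet the paragraph describes: the entire original IP packet is wrapped in a GRE header and an outer IP header addressed between the physical VPN interfaces of hub and spoke, and only that outer packet is evaluated against the crypto ACL, which is why a crypto ACL that permits just GRE between the two endpoints covers all inside traffic. The endpoint addresses, the crypto ACL entry and the inner packet are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

GRE_PROTOCOL = 47        # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 passenger packet
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(int.from_bytes(header[i:i + 2], "big")
                for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, protocol: int, payload: bytes,
                ttl: int = 255) -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    header = IPV4_HEADER.pack(0x45, 0, 20 + len(payload), 0, 0, ttl, protocol,
                              0, IPv4Address(src).packed, IPv4Address(dst).packed)
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 packet into addressing fields and payload; a corrupted
    header is rejected instead of being matched against the ACL."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _, total_len, _, _, _, protocol, _,
     src, dst) = IPV4_HEADER.unpack(packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "protocol": protocol, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap the whole original packet in a GRE header (RFC 2784, no optional
    fields) and an outer IP header addressed between the tunnel endpoints."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Reverse of gre_encapsulate: return the original passenger packet."""
    fields = parse_ipv4(outer)
    if fields["protocol"] != GRE_PROTOCOL:
        raise ValueError("not a GRE packet")
    flags_version, proto_type = struct.unpack("!HH", fields["payload"][:4])
    if flags_version & 0x0007 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return fields["payload"][4:]


def matches_crypto_acl(packet: bytes, acl) -> bool:
    """Crypto ACL evaluation: each entry is (ip protocol, source network,
    destination network); the packet is encrypted only if an entry permits it."""
    fields = parse_ipv4(packet)
    src, dst = IPv4Address(fields["src"]), IPv4Address(fields["dst"])
    return any(fields["protocol"] == proto
               and src in IPv4Network(src_net) and dst in IPv4Network(dst_net)
               for proto, src_net, dst_net in acl)


# Constructed placeholders: physical VPN interface addresses of the hub and a
# spoke, and a crypto ACL permitting only GRE between those two endpoints.
HUB_VPN_IF, SPOKE_VPN_IF = "192.0.2.1", "198.51.100.1"
CRYPTO_ACL = [(GRE_PROTOCOL, "192.0.2.1/32", "198.51.100.1/32")]
# A passenger packet between inside networks (the payload is a placeholder).
INNER = ipv4_packet("10.1.1.5", "10.2.2.7", 6, b"placeholder segment")
OUTER = gre_encapsulate(INNER, HUB_VPN_IF, SPOKE_VPN_IF)

if __name__ == "__main__":
    print("inner packet matches crypto ACL:", matches_crypto_acl(INNER, CRYPTO_ACL))
    print("GRE packet matches crypto ACL:  ", matches_crypto_acl(OUTER, CRYPTO_ACL))
    print("decapsulated == original:       ", gre_decapsulate(OUTER) == INNER)
```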

Note

In most cases, when you use a subnet to specify a GRE tunnel interface IP address,
Security Manager creates a loopback interface on the device which is used for the
tunnel IP address. If the device belongs to a VPN topology whose configurations
were discovered by Security Manager, and you configure an IP address directly
on the device's GRE tunnel, Security Manager keeps that configuration and does
not create a loopback interface on the device. However, a loopback is always
configured on a hub in a VPN topology; in a hub-and-spoke VPN topology with
multiple hubs, a loopback interface is also configured on the spokes.


Prerequisites for Successful Configuration of GRE

Consider the following prerequisites before using GRE in your network:

• You must identify the inside interfaces on your devices: the physical
interfaces on the device that connect the device with its internal subnets and
networks.

• You must select a routing protocol (known as an Interior Gateway Protocol
(IGP)) or a static route, whenever you enable GRE.
Security Manager supports the EIGRP, OSPF, and RIPv2 dynamic routing
protocols, and GRE static routes.
– EIGRP: Enhanced Interior Gateway Routing Protocol enables the
exchange of routing information within an autonomous system and
addresses some of the more difficult issues associated with routing in
large, heterogeneous networks. Compared to other protocols, EIGRP
provides superior convergence properties and operating efficiency, and
combines the advantages of several different protocols.
– OSPF: Open Shortest Path First is a link-state, hierarchical protocol that
features least-cost routing, multipath routing, and load balancing.
Using OSPF, a host that obtains a change to a routing table or detects a
change in the network immediately multicasts the information to all other
hosts in the network, so that all will have the same routing table
information.
– RIPv2: Routing Information Protocol is a distance-vector protocol that
sends routing-update messages at regular intervals and whenever the
network topology changes.
Using RIPv2, a gateway host (with a router) sends its entire routing table
to its closest neighbor host every 30 seconds, which in turn passes the
information on to its next neighbor, and so on, until all hosts within the
network have the same knowledge of routing paths. RIPv2 uses a hop
count to determine network distance. Each host with a router in the
network uses the routing table information to determine the next host to
route a packet to for a specified destination.
RIP is considered an effective solution for small homogeneous networks.
For larger, more complicated networks, RIP's transmission of the entire
routing table every 30 seconds may put a heavy amount of extra traffic in
the network.


– Static route: Use a static routing policy to provide a robust, stable
IPsec-protected GRE tunnel if there is a fixed, unchanging route between
two devices. For each of the device subnets, a static route is created on
the device pointing to the corresponding tunnel interface.
For more information about routing protocols, see Chapter 14, Managing
Routers.

• You must specify an IGP process number. The IGP process number identifies
the IGP process to which the inside interface on the device belongs. When
GRE is implemented, this will be the secured IGP. For secure communication,
the inside interfaces on the devices in your VPN must use the same IGP
process. The IGP process number must be within a specified range. If you
have an existing IGP process on the device that is within this range, but is
different from the IGP process number specified in your GRE settings,
Security Manager removes the existing IGP process. If the existing IGP
process matches the one specified in your GRE settings, any networks
included in the existing IGP process that do not match the specified inside
interfaces are removed.

• If the inside interfaces on your devices are configured to use an IGP process
other than the IGP process specified in your GRE settings (meaning that the
interfaces belong to an unsecured IGP):
– For spokes: Manually remove the inside interfaces from the unsecured
IGP through the device CLI before configuring GRE.
– For hubs: If the hub inside interface is used as a network access point for
Security Manager, then on deployment, the interface is advertised in both
secured and unsecured IGPs. To ensure that the spoke peers use only the
secured IGP, manually add the auto-summary command for the
unsecured IGP or remove the unsecured IGP for that inside interface.

• You must provide a subnet for loopback that is unique, although it need not
be globally routable. This subnet must only be used to support the
implementation of loopback for GRE. The loopback interfaces are created,
maintained, and used only by Security Manager. You should not use them for
any other purpose.

• If you are using static routes, not an unsecured IGP, make sure you configure
static routes on the spokes through to the hub inside interfaces.


Note

You can configure the above settings in the GRE Modes page when IPsec/GRE is
the selected IPsec technology. See Understanding IPsec Technologies and
Policies, page 9-8.

Related Topics

• GRE Modes Page, page G-66

• Understanding GRE Configuration for Dynamically Addressed Spokes,
page 9-98

• Configuring GRE or GRE Dynamic IP Policies, page 9-99

Understanding GRE Configuration for Dynamically Addressed Spokes

When a spoke has a dynamic IP address, there is no fixed GRE tunnel source
address (to be used by the GRE tunnel on the spoke side) or destination address
(to be used by the GRE tunnel on the hub side). Therefore, Security Manager
creates additional loopback interfaces on the hub and the spoke, to be used as the
GRE tunnel endpoints. You must specify a subnet from which Security Manager
can allocate an IP address for the loopback interfaces.

Note

GRE Dynamic IP can only be configured on Cisco IOS routers and Catalyst
6500/7600 devices in hub-and-spoke VPN topologies.

Security Manager uses the Cisco Configuration Engine (Cisco CE) to retrieve
device IP addresses and other information from dynamically addressed devices.
Cisco IOS routers and PIX Firewalls that have dynamic IP addresses connect to
the Cisco CE manager at periodic intervals to upgrade device configuration files
and to pass device and status information.
For more information, see Understanding Auto Update Server and Configuration
Engine, page 5-36.

Note

You can configure the GRE Dynamic IP settings in the GRE Modes page when
GRE Dynamic IP is the selected IPsec technology. See Understanding IPsec
Technologies and Policies, page 9-8.


Related Topics

• Understanding GRE, page 9-94

• Configuring GRE or GRE Dynamic IP Policies, page 9-99

• GRE Modes Page, page G-66

Configuring GRE or GRE Dynamic IP Policies

The following procedure describes how to configure IPsec tunneling with GRE or
GRE Dynamic IP in your site-to-site VPN.

Before You Begin

• Create your VPN topology. See Creating a VPN Topology, page 9-20.

• Make sure that the selected IPsec technology is IPsec/GRE or GRE Dynamic
IP. For more information, see Understanding IPsec Technologies and
Policies, page 9-8.

• Please read Prerequisites for Successful Configuration of GRE, page 9-96.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select GRE Modes in the Policies selector.
The GRE Modes page opens to display the fields that are relevant for the selected
IPsec technology: IPsec/GRE or GRE Dynamic IP.
For a description of the elements on the GRE Modes page for a GRE or GRE
Dynamic IP policy, see Table G-22 on page G-67.

Step 4

On the Routing Parameters tab, select the required dynamic routing protocol
(EIGRP, OSPF, or RIPv2), or static route to be used for your GRE or GRE
Dynamic IP tunnel.
a. If you selected the EIGRP routing protocol:
– Enter or edit the number that will be used to identify the autonomous
system (AS) area to which the EIGRP packet belongs.


– Specify the interval between hello packets sent on the interface, and the
number of seconds the router will wait to receive a hello message before
invalidating the connection.
– Specify the throughput delay for the primary route interface and the
failover route interface, in microseconds.
b. If you selected the OSPF routing protocol:
– Enter the routing process ID number that will be used to identify the
secured IGP that Security Manager adds when configuring GRE or GRE
Dynamic IP.
– Enter the ID number of the area in which the hub's protected networks
will be advertised, including the tunnel subnet.
– Enter the ID number of the area in which the remote protected networks
will be advertised, including the tunnel subnet.
– Enter a string that specifies the OSPF authentication key.
– Specify the cost of sending a packet on the primary route interface and
the secondary (failover) route interface.
c. If you selected the RIPv2 routing protocol:
– Enter a string that specifies the RIPv2 authentication key.
– Specify the cost of sending a packet on the primary route interface and
the secondary (failover) route interface.

Note

Security Manager adds a routing protocol to all the devices in the secured
IGP, on deployment. If you want to maintain this secured IGP, you must
create a router platform policy using the same routing protocol, and
autonomous system (or process ID) number defined here. For instructions
on how to define routing policies for the different protocols, see
Chapter 14, Managing Routers.

Step 5

If required, select the Filter Dynamic Updates on Spokes check box to enable
the creation of a redistribution list that filters all dynamic routing updates on
spokes.

Step 6

Select the Tunnel Parameters tab, then do the following:
a. Click one of the radio buttons to specify the GRE or GRE Dynamic IP tunnel
interface IP address. For more information, see Table G-22 on page G-67.


b. If the assigned IPsec technology is GRE Dynamic IP, enter the private IP
address including the unique subnet mask that supports the loopback for
GRE.
c. Select the Enable IP Multicast check box to enable multicast transmissions
across your GRE tunnels. You can enter the IP address of the interface that
will serve as the rendezvous point (RP) for the multicast transmissions.

Note

To view the new GRE tunnel and/or loopback interfaces in the Router
Interfaces page, you must rediscover the device inventory details after
successfully deploying the VPN to the device. For more information, see
Basic Interface Settings on Cisco IOS Routers, page 14-21.

Step 7

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

• Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

• Understanding GRE, page 9-94

• Understanding GRE Configuration for Dynamically Addressed Spokes,
page 9-98

• GRE Modes Page, page G-66

Understanding DMVPN

Note

For information about large scale DMVPNs, see Configuring Large Scale
DMVPNs, page 9-107.

Dynamic Multipoint VPN (DMVPN) enables better scaling of large and small
IPsec VPNs by combining generic routing encapsulation (GRE) tunnels, IP
Security (IPsec) encryption, and Next Hop Resolution Protocol (NHRP) routing.


Security Manager supports DMVPN using the EIGRP, OSPF, and RIPv2 dynamic
routing protocols, and GRE static routes. In addition, On-Demand Routing (ODR)
is supported. ODR is not a routing protocol. It may be used in a hub-and-spoke
VPN topology when the spoke routers do not connect to any router other than the
hub. If you are running dynamic protocols, ODR is not suitable for your network
environment. For more information about routing protocols, see Chapter 14,
Managing Routers.

How Does Security Manager Implement GRE with DMVPN?

In a hub-and-spoke VPN topology, each spoke has a permanent IPsec tunnel to the
hub, but not to the other spokes within the topology. Using NHRP, the hub
maintains an NHRP database of the public interface addresses of all the spokes
(the clients). Each spoke registers its real address with the hub when it boots.
When a spoke needs to send a packet to a destination (private) subnet on another
spoke, it queries the NHRP server for the VPN address of the destination spoke.
After the source spoke learns the peer address of the target spoke, it initiates a
dynamic IPsec tunnel to the target spoke. The spoke-to-spoke tunnel is built over
the multipoint GRE interface. The spoke-to-spoke links are established on
demand whenever there is traffic between the spokes. Thereafter, packets can
bypass the hub and use the spoke-to-spoke tunnel.
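As an added example (not from this guide and not Security Manager or Cisco IOS code), the following Python simulates the NHRP exchange just described: spokes register their public address with the hub at boot, a spoke resolves the public address of the spoke behind a destination subnet through the hub, builds a dynamic spoke-to-spoke tunnel, and from then on bypasses the hub for that subnet, while a destination no spoke advertises stays on the permanent hub tunnel. The topology and addresses are constructed placeholders, and the spoke's NHRP cache is simplified (no hold time or purge).

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


class NhrpHub:
    """The hub as NHRP server: a database mapping each spoke's tunnel (VPN)
    address to the public (NBMA) address it registered, plus the protected
    subnets reachable behind each tunnel address."""

    def __init__(self) -> None:
        self.nbma_by_tunnel: Dict[str, str] = {}
        self.tunnel_by_subnet: Dict[IPv4Network, str] = {}
        self.resolutions = 0   # resolution requests the hub has answered

    def register(self, tunnel_addr: str, public_addr: str,
                 protected: List[str]) -> None:
        """Registration a spoke sends when it boots. A spoke whose dynamic
        public address changed simply re-registers; nothing is redeployed."""
        self.nbma_by_tunnel[tunnel_addr] = public_addr
        for subnet in protected:
            self.tunnel_by_subnet[IPv4Network(subnet)] = tunnel_addr

    def resolve(self, dst_ip: str) -> Optional[Tuple[IPv4Network, str, str]]:
        """Answer a resolution request with (subnet, tunnel address, public
        address) of the spoke behind dst_ip, or None if no spoke advertises it."""
        self.resolutions += 1
        ip = IPv4Address(dst_ip)
        for subnet, tunnel_addr in self.tunnel_by_subnet.items():
            if ip in subnet:
                return subnet, tunnel_addr, self.nbma_by_tunnel[tunnel_addr]
        return None


class Spoke:
    """A spoke with a permanent tunnel to the hub and dynamic spoke-to-spoke
    tunnels built on demand over its multipoint GRE interface."""

    def __init__(self, name: str, tunnel_addr: str, public_addr: str,
                 protected: List[str], hub: NhrpHub) -> None:
        self.name = name
        self.tunnel_addr = tunnel_addr
        self.public_addr = public_addr
        self.protected = [IPv4Network(p) for p in protected]
        self.hub = hub
        self.nhrp_cache: Dict[IPv4Network, str] = {}   # subnet -> peer public
        self.dynamic_tunnels: Dict[str, str] = {}      # peer tunnel -> public

    def boot(self) -> None:
        self.hub.register(self.tunnel_addr, self.public_addr,
                          [str(p) for p in self.protected])

    def next_hop(self, dst_ip: str) -> str:
        """Where a packet to dst_ip goes: "local", "hub" (permanent tunnel)
        or "spoke:<public address>" (direct spoke-to-spoke tunnel)."""
        ip = IPv4Address(dst_ip)
        if any(ip in p for p in self.protected):
            return "local"
        for subnet, public in self.nhrp_cache.items():
            if ip in subnet:                 # cached: the hub is bypassed
                return f"spoke:{public}"
        answer = self.hub.resolve(dst_ip)
        if answer is None:
            return "hub"        # unknown destination stays on the hub tunnel
        subnet, peer_tunnel, peer_public = answer
        self.dynamic_tunnels[peer_tunnel] = peer_public   # IPsec+GRE on demand
        self.nhrp_cache[subnet] = peer_public
        return f"spoke:{peer_public}"


def demo() -> dict:
    """Constructed topology: one hub and two spokes with placeholder addresses."""
    hub = NhrpHub()
    a = Spoke("spoke-a", "10.0.0.2", "203.0.113.10", ["10.1.0.0/24"], hub)
    b = Spoke("spoke-b", "10.0.0.3", "198.51.100.20", ["10.2.0.0/24"], hub)
    a.boot()
    b.boot()
    first = a.next_hop("10.2.0.9")       # resolved via hub, tunnel built
    second = a.next_hop("10.2.0.10")     # same subnet: answered from cache
    unknown = a.next_hop("172.16.5.5")   # nobody advertises it: stays on hub
    resolutions = hub.resolutions
    b.public_addr = "198.51.100.21"      # spoke-b's dynamic address changed
    b.boot()                             # re-registration updates the hub
    return {"first": first, "second": second, "unknown": unknown,
            "hub_resolutions": resolutions,
            "b_now": hub.resolve("10.2.0.9")[2],
            "a_tunnels": a.dynamic_tunnels}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```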

Advantages of DMVPN with GRE

Using DMVPN with GRE provides the following advantages:

• Simplified GRE configuration on the hub
With GRE, a tunnel is configured on the hub for each connected spoke. With
GRE + DMVPN, only one tunnel is configured for all the connected spokes.

• Support for dynamically addressed spokes
When using GRE, the physical interface IP address of the spoke routers must
be configured as the GRE tunnel destination address, when configuring the
hub router. DMVPN enables spoke routers to have dynamic external interface
IP addresses, and provides robust configuration that does not have to be
redeployed to the device even if the external interface IP address changes.
When the spoke comes online, it sends to the hub registration packets that
contain the physical interface IP address of the spoke.


• Dynamic tunnel creation for direct spoke-to-spoke communication

  NHRP enables spoke routers to dynamically learn the external interface IP
  address of the routers in the VPN network. When a spoke wants to transmit a
  packet to another spoke, it can use NHRP to dynamically determine the
  required destination address of the destination spoke. The hub acts as the
  NHRP server, handling the request for the source spoke. This enables the
  dynamic creation of an IPsec+GRE tunnel directly between spoke routers,
  without having to go through a hub router, thus reducing the delay of multiple
  encryption and decryption actions on the hub.

Note

• DMVPN can only be configured on a hub-and-spoke VPN topology.

• DMVPN configuration is supported on Cisco IOS 12.3T devices and later. If
  your device does not support DMVPN, use GRE dynamic IP to configure
  GRE for dynamically addressed spokes. See Understanding GRE
  Configuration for Dynamically Addressed Spokes, page 9-98.

• DMVPN is not supported on Catalyst VPN Services Module devices or on
  High Availability (HA) groups.

• An advanced phase of DMVPN enables the use of shortcut switching
  enhancements to increase network performance and scalability. For
  information about migrating to the next phase of DMVPN, see the following
  paper on Cisco.com: Migrating from Dynamic Multipoint VPN Phase 2 to
  Phase 3.

You can configure the DMVPN settings in the GRE Modes page when DMVPN
is the selected IPsec technology. See Understanding IPsec Technologies and
Policies, page 9-8.
Related Topics

Configuring DMVPN Policies, page 9-104

Configuring Large Scale DMVPNs, page 9-107

GRE Modes Page, page G-66


Configuring DMVPN Policies

The following procedure describes how to configure DMVPN with GRE in your
site-to-site VPN.

Before You Begin

• Create your hub-and-spoke VPN topology. See Creating a VPN Topology,
  page 9-20.

• Make sure that the selected IPsec technology is DMVPN. For more
  information, see Understanding IPsec Technologies and Policies, page 9-8.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select GRE Modes in the Policies selector.

The GRE Modes page opens to display the fields that are relevant for the selected
IPsec technology, DMVPN. For a description of the elements on the GRE Modes
page for a DMVPN policy, see Table G-23 on page G-72.

Step 4

In the Routing Parameters tab, select the required dynamic routing protocol
(EIGRP, OSPF, or RIP), static route, or On-Demand Routing, to be used for your
DMVPN tunnel.

a. If you selected the EIGRP routing protocol:

   • Enter or edit the number that will be used to identify the autonomous
     system (AS) area to which the EIGRP packet belongs.

   • Specify the interval between hello packets sent on the interface, and the
     number of seconds the router will wait to receive a hello message before
     invalidating the connection.

   • Specify the throughput delay for the primary route interface, in
     microseconds.

b. If you selected the OSPF routing protocol:

   • Enter the routing process ID number that will be used to identify the
     secured IGP that Security Manager adds when configuring DMVPN.


   • Enter the ID number of the area in which the hub's protected networks
     will be advertised, including the tunnel subnet.

   • Enter the ID number of the area in which the remote protected networks
     will be advertised, including the tunnel subnet.

   • Enter a string that specifies the OSPF authentication key.

   • Specify the cost of sending a packet on the primary route interface.

c. If you selected the RIPv2 routing protocol:

   • Enter a string that specifies the RIPv2 authentication key.

   • Specify the cost of sending a packet on the primary route interface.

Note

Security Manager adds a routing protocol to all devices in the secured IGP
on deployment. If you want to maintain this secured IGP, you must create
a router platform policy that uses the same routing protocol, and
autonomous system (or process ID) number defined here. See Chapter 14,
Managing Routers for how to define routing policies for the different
protocols.

Step 5

Select the Allow Direct Spoke-to-Spoke Connectivity check box if you want to
enable direct communication between spokes, without going through the hub.

Step 6

Select the Filter Dynamic Updates on Spokes check box to enable the creation
of a redistribution list that filters all dynamic routing updates on spokes
(unavailable if you are using On-Demand Routing or a static route for your
DMVPN tunnel).

Step 7

Select the Tunnel Parameters tab, then do the following:

a. In the Tunnel IP Range field, enter the inside tunnel interface IP address,
   including the subnet mask.

   Note

   If CSM detects that a tunnel interface IP address already exists on the
   device, and its IP address matches the tunnel's IP subnet field, it will
   use that interface as the GRE tunnel.

b. If you are configuring a dial backup interface, enter its inside tunnel interface
   IP address, including the unique subnet mask in the Dial Backup Tunnel IP
   Range field.


c. Select the Server Load Balance check box to enable load balancing on a
   Cisco IOS router hub in a multiple hubs configuration.

d. Select the Enable IP Multicast check box to enable multicast transmissions
   across your DMVPN tunnels. Then, if required, enter the IP address of the
   interface that will serve as the rendezvous point (RP) for the multicast
   transmissions.

e. Enter a number that identifies the tunnel key.

Note

To view the newly created tunnel interfaces in the Router Interfaces page,
you must rediscover the device inventory details after successfully
deploying the VPN to the device. For more information, see Basic
Interface Settings on Cisco IOS Routers, page 14-21.

Step 8

In the NHRP Parameters area:

a. Enter a globally unique, 32-bit network identifier for the NHRP stations.

b. Enter the time that routers will keep information provided in authoritative
   NHRP responses.

c. Enter an authentication string that controls whether the source and
   destination NHRP stations allow intercommunication. All routers within the
   same network using NHRP must share the same authentication string.

Step 9

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Understanding DMVPN, page 9-101

GRE Modes Page, page G-66


Configuring Large Scale DMVPNs

Security Manager supports DMVPN in large scale deployments that may
comprise thousands of spokes. In large scale DMVPN topologies, IPsec
Terminators, also referred to as Server Load Balance (SLB) devices, reside
between the spokes and the hubs. The hubs are directly connected to the IPsec
Terminator; there is no other device between them.
The IPsec Terminator, which is a Catalyst 6500/7600 device, performs encryption
and decryption while the hubs handle all tasks related to Next Hop Resolution
Protocol (NHRP) and multipoint generic routing encapsulation (mGRE). The
IPsec Terminator is configured to specifically load balance GRE traffic to the
hubs, and is configured with dynamic crypto to accept any spokes with any
proxies. When using tunnel protection on spokes, these proxies are automatically
set to match GRE traffic. One GRE tunnel is configured on the spokes. All hubs
connecting to the same IPsec Terminator will use the same Tunnel IP, and the
tunnel source is the Virtual IP address of the IPsec Terminator.
In Security Manager, you configure a Large Scale DMVPN during the creation of
a hub-and-spoke VPN topology. You must select the IPsec Terminators in addition
to the hubs and spokes.
Each hub in the DMVPN must identify itself and its protected networks, and must
have an interface that is connected to at least one IPsec Terminator. For each IPsec
Terminator in the DMVPN, you must specify a VPN external interface, the crypto
engine slot and the Inside VLAN. The configuration of an IPsec Terminator is
similar to that of a VPN SPA device. No protected networks are configured on an
IPsec Terminator. After you create the DMVPN topology, a Server Load Balance
policy is configured on the IPsec Terminators with all the required parameters,
which you can edit, if required.

Note

VRF-Aware IPsec cannot be configured in a large scale DMVPN.


This procedure describes how to configure a large scale DMVPN topology with a
Server Load Balance policy.

Before You Begin

Create your hub-and-spoke VPN topology, making sure that:

• The selected IPsec technology is DMVPN of type Large Scale with
  IPsec Terminator.


• The IPsec Terminators are Catalyst 6500/7600 devices.

• There is direct connectivity between the IPsec Terminators and the hubs.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

If you haven't already done so, create your hub-and-spoke VPN topology, using
the Create VPN wizard, making sure you do the following:

a. Select the DMVPN IPsec technology of type Large Scale with IPsec
   Terminator. See Defining a Name and IPsec Technology, page 9-22.

b. Select the required IPsec Terminators (Catalyst 6500/7600 devices), the hubs
   and all the spokes, in the Device Selection page. See Selecting Devices for
   Your VPN Topology, page 9-25.

c. In the Edit Endpoints dialog box:

   • For each hub device, in the Hub Interface tab, select the interface that is
     connected to the IPsec Terminator. Each hub can be connected to only
     one IPsec Terminator.

   • For each IPsec Terminator, specify a VPN external interface, the crypto
     engine slot and the Inside VLAN.

   See Defining the Endpoints and Protected Networks, page 9-28.

A Server Load Balance policy is automatically configured on the IPsec
Terminators with all the required parameters.

Step 3

In the VPNs selector, select the required hub-and-spoke large scale DMVPN
topology.

Step 4

Select Server Load Balance in the Policies selector. The Server Load Balance
page opens, displaying a table listing the server load balance parameters for each
hub in the large scale DMVPN. For a description of the elements on this page, see
Table G-24 on page G-77.

Step 5

If you want to modify the parameters of an entry in the table, select it and click
Edit. The Edit Load Balancing Parameters dialog box opens. For a description of
the elements on this dialog box, see Table G-25 on page G-78.


Step 6

Modify the Weight or Max Connections values, as required, and click OK. The
dialog box closes and the modified entry is displayed in the table on the Server
Load Balance page.

Step 7

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Server Load Balance Page, page G-76

Creating a VPN Topology, page 9-20

Understanding Easy VPN

Easy VPN simplifies VPN deployment for remote offices. Using Easy VPN,
security policies defined at the head end are pushed to remote VPN devices,
ensuring that clients have up-to-date policies in place before establishing a secure
connection.
Security Manager supports the configuration of Easy VPN policies on
hub-and-spoke VPN topologies. In such a configuration, most VPN parameters
are defined on the Easy VPN server, which acts as the hub device. The centrally
managed IPsec policies are pushed to the Easy VPN client devices by the server,
minimizing the remote (spoke) devices' configuration.
Easy VPN is supported on Cisco IOS routers, PIX Firewalls, Catalyst VPN
Service Modules, and ASA devices. The Easy VPN Server can be a Cisco IOS
router, a PIX Firewall, or an ASA device. The Easy VPN client is supported on
PIX Firewalls, Cisco 800-3800 Series routers, and ASA 5505 devices running OS
version 7.2 or later.

Note

You can also configure remote access policies in remote access VPNs. In remote
access VPNs, policies are configured between servers and mobile remote PCs
running Cisco VPN client software, whereas, in site-to-site Easy VPN topologies,
the clients are hardware devices. For information about configuring remote access
VPNs, see Chapter 10, Managing Remote Access VPNs.


The following sections describe:

Easy VPN with Dial Backup, page 9-110

Easy VPN with High Availability, page 9-110

Easy VPN with Dynamic Virtual Tunnel Interfaces, page 9-111

Easy VPN with Dial Backup

Dial backup for Easy VPN allows you to configure a dial backup tunnel
connection on your remote client device. The backup feature is activated only
when real traffic is ready to be sent, eliminating the need for expensive dialup or
ISDN links that must be created and maintained even when there is no traffic.

Note

Easy VPN dial backup can be configured only on remote clients that are routers
running IOS version 12.3(14)T or later.

In an Easy VPN configuration, when a remote device attempts to connect to the
server and the tracked IP is no longer accessible, the primary connection is torn
down and a new connection is established over the Easy VPN backup tunnel to the
server. If the primary hub isn't reachable, the primary configuration will switch to
the failover hub with the same primary configuration and not to the backup
configuration.
Only one backup configuration is supported for each primary Easy VPN
configuration. Each inside interface must specify the primary and backup
Easy VPN configuration. IP static route tracking must be configured for dial
backup to work on an Easy VPN remote device. The object tracking configuration
is independent of the Easy VPN remote dial backup configuration. The object
tracking details are specified in the spoke's Edit EndPoints dialog box.
For more information about dial backup, see Understanding Dial Backup,
page 9-37. The procedure for configuring dial backup in an Easy VPN topology
is described in Configuring Dial Backup, page 9-39.
Easy VPN with High Availability

You can also configure High Availability (HA) on devices in an Easy VPN
topology. High Availability (HA) provides automatic device backup when
configured on Cisco IOS routers or Catalyst 6500/7600 devices, running IP over
LANs. Using Security Manager, you can create an HA group made up of two or
more hub devices in your Easy VPN that use Hot Standby Routing Protocol
(HSRP) to provide transparent, automatic device failover. For more information,
see Understanding High Availability, page 9-58.

Easy VPN with Dynamic Virtual Tunnel Interfaces


The IPsec virtual tunnel interface (VTI) feature simplifies the configuration of
GRE tunnels that need to be protected by IPsec for remote access links. A VTI is
an interface that supports IPsec tunneling, and allows you to apply interface
commands directly to the IPsec tunnels. The configuration of a virtual tunnel
interface reduces overhead as it does not require a static mapping of IPsec
sessions to a particular physical interface, where the crypto map is applied.
IPsec VTIs support both unicast and multicast encrypted traffic on any physical
interface, such as in the case of multiple paths. Traffic is encrypted or decrypted
when it is forwarded from or to the tunnel interface and is managed by the IP
routing table. Dynamic or static IP routing can be used to route the traffic to the
virtual interface. Using IP routing to forward traffic to the tunnel interface
simplifies IPsec VPN configuration compared to the more complex process of
using access control lists (ACLs) with a crypto map. Dynamic VTIs function like
any other real interface so that you can apply quality of service (QoS), firewall,
and other security services as soon as the tunnel is active.
Dynamic VTIs use a virtual template infrastructure for dynamic instantiation and
management of IPsec interfaces. In an Easy VPN topology, Security Manager
implicitly creates the virtual template interface for the device. If the device is a
hub, the user must provide the IP address on the hub that will be used as the virtual
template interface; this can be a subnet (pool of addresses) or an existing
loopback interface. On a spoke, the virtual template interface is created without
an IP address.

Note

• Dynamic VTI can be configured only in a hub-and-spoke Easy VPN topology
  on routers running IOS version 12.4(2)T and later, except 7600 devices.

• Dynamic VTI must be configured on all client devices in an Easy VPN
  topology. Not all the hubs require Dynamic VTI configuration.

• Dynamic VTI can be configured with or without VRF-Aware IPsec.


• You can also configure Dynamic VTI in remote access VPNs. For more
  information, see Using Dynamic Virtual Template Interfaces in Remote
  Access VPNs, page 10-13.

• In Security Manager, you can configure Dynamic VTI in the Easy VPN
  IPsec Proposal page. See Configuring an IPsec Proposal for Easy VPN,
  page 9-115.

Overview of Configuring Easy VPN

When a remote client initiates a connection to a VPN server, device authentication
between the peers occurs via IKE, followed by user authentication using IKE
Extended Authentication (Xauth), VPN policy push (in Client, Network
Extension, or Network Extension Plus mode), and IPsec security association (SA)
creation.
The following provides an overview of this process:

1. The client initiates IKE Phase 1 via aggressive mode if a preshared key is to
   be used for authentication, or main mode if digital certificates are used. If the
   client identifies itself with a preshared key, the accompanying user group
   name (defined during configuration) is used to identify the group profile
   associated with this client. If digital certificates are used, the organizational
   unit (OU) field of a distinguished name (DN) is used to identify the user
   group name. See Defining Additional PKI Attributes, page 8-145.

   Note

   Because the client may be configured for preshared key
   authentication, which initiates IKE aggressive mode, the
   administrator should change the identity of the VPN device via the
   crypto isakmp identity hostname command. This will not affect
   certificate authentication via IKE main mode.

2. The client attempts to establish an IKE SA between its public IP address and
   the public IP address of the VPN server. To reduce the amount of manual
   configuration on the client, every combination of encryption and hash
   algorithms, in addition to authentication methods and D-H group sizes, is
   proposed.

3. Depending on its IKE policy configuration, the VPN server determines which
   proposal is acceptable to continue negotiating Phase 1.


4. After the IKE SA is successfully established, and if the VPN server is
   configured for Xauth, the client waits for a username/password challenge
   and then responds to the challenge of the peer. The information that is entered
   is checked against authentication entities using authentication, authorization,
   and accounting (AAA) protocols such as RADIUS and TACACS+. Token
   cards may also be used via AAA proxy. During Xauth, a user-specific
   attribute can be retrieved if the credentials of that user are validated via
   RADIUS.

   Note

   Device authentication ends and user authentication begins at this
   point.

   Note

   VPN servers that are configured to handle remote clients should
   always be configured to enforce user authentication.

5. If the server indicates that authentication was successful, the client requests
   further configuration parameters from the peer. The remaining system
   parameters (for example, IP address, DNS, and split tunnel attributes) are
   pushed to the client using client or network extension mode configuration.

   Note

   The IP address pool and group preshared key (if Rivest, Shamir, and
   Adleman [RSA] signatures are not being used) are the only required
   parameters in a group profile. All other parameters are optional.

6. After each client is assigned an internal IP address via mode configuration,
   Reverse Route Injection (RRI), if configured, ensures that a static route is
   created on the device for each client internal IP address.

7. IKE quick mode is initiated to negotiate and create IPsec SAs.

The connection is complete.


Important Notes About Site-to-Site Easy VPN Configuration

Before you configure an Easy VPN policy in your topology, you should know the
following:

• In an Easy VPN topology configuration, deployment fails if a 72xx series
  router is used as a remote client device. The Easy VPN client is supported on
  PIX Firewalls, Cisco 800-3800 Series routers, and ASA 5505 devices running
  OS version 7.2 or later.

• If you try to configure a Public Key Infrastructure (PKI) policy on a PIX 6.3
  remote client in an Easy VPN topology configuration, deployment fails. For
  successful deployment on this device, you must first issue the PKI certificate
  on the CA server, and then try again to deploy the device. For more
  information about PKI policies, see Understanding Public Key Infrastructure
  Policies, page 9-87.

• In some cases, deployment fails on a device that serves as an Easy VPN client
  if the crypto map is configured on the NAT (or PAT) internal interface instead
  of the external interface. On some platforms, the inside and outside interfaces
  are fixed. For example, on a Cisco 1700 series router the VPN interface must
  be the device's FastEthernet0 interface. On a Cisco 800 series router the VPN
  interface could be either the device's Ethernet0 or Dialer1 interface,
  depending on the configuration. On a Cisco uBR905/uBR925 cable access
  router, the VPN interface must be the Ethernet0 interface.

These procedures describe how to configure Easy VPN policies in your VPN
topology:

Configuring an IPsec Proposal for Easy VPN, page 9-115

Configuring a User Group Policy for Easy VPN, page 9-117

Configuring a Tunnel Group Policy for Easy VPN, page 9-119

Configuring Client Connection Characteristics for Easy VPN, page 9-121

Related Topics

Easy VPN IPsec Proposal Page, page G-78

User Group Policy Page, page G-87

Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88

Client Connection Characteristics Page, page G-97


Configuring an IPsec Proposal for Easy VPN

Configuring an IPsec proposal on an Easy VPN server device enables you to:

• Select the transform set(s) to use to secure the traffic that enters your VPN
  tunnel. For more information, see About Transform Sets, page 9-74.

• Configure a dynamic virtual interface on a device in your Easy VPN
  topology. For more information, see Easy VPN with Dynamic Virtual Tunnel
  Interfaces, page 9-111.

• Configure Reverse Route Injection (RRI) on the crypto map (on a PIX 7.0,
  ASA, or IOS router except 7600 device). For more information, see About
  Reverse Route Injection, page 9-76.

• Configure NAT traversal on an ASA device. Use NAT traversal when there is
  a device between a VPN-connected hub and spoke that performs
  Network Address Translation (NAT) on the IPsec traffic.

• Specify a group authorization (Group Policy Lookup) method that defines the
  order in which the group policies are searched on the local server or on
  external AAA servers. Remote users are grouped, so that when the remote
  client establishes a successful connection to the VPN server, the group
  policies for that particular user group are pushed to all clients belonging to
  the user group.

• Specify a user authentication (Xauth) method list that defines the order in
  which user accounts are searched. After the IKE SA is successfully
  established, and if the device is configured for Xauth, the client waits for a
  username/password challenge and then responds to the challenge of the
  peer. The information that is entered is checked against authentication entities
  using authentication, authorization, and accounting (AAA) protocols such as
  RADIUS and TACACS+.

In Security Manager, an IPsec proposal is a mandatory policy that is already
configured on the Easy VPN server with predefined default values.
This procedure describes how to edit these IPsec policy definitions, if required.
Before You Begin

• Please read Important Notes About Site-to-Site Easy VPN Configuration,
  page 9-114.

• Create your VPN topology. See Creating a VPN Topology, page 9-20.



• Make sure that the selected IPsec technology is Easy VPN. For more
  information, see Understanding IPsec Technologies and Policies, page 9-8.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select Easy VPN IPsec Proposal in the Policies selector.

The Easy VPN IPsec Proposal page appears, displaying the IPsec Proposal tab
with the defined parameters for configuring an IPsec proposal on an Easy VPN
server device. For a description of the elements on this tab, see Table G-26 on
page G-82.

Step 4

Specify the transform set(s) to be used for your tunnel policy. If you want to use
a different transform set than the displayed default one, or select additional
transform sets, click Select to open a dialog box that lists all available transform
sets, and in which you can create your own transform set object. For more
information, see IPsec Transform Sets Page, page F-422.

Step 5

Select an option to configure a Reverse Route on the crypto map (on a PIX 7.0,
ASA, or IOS router except 7600 device).

Step 6

If required, select the Enable Network Address Translation check box to
configure NAT, if the selected device is a PIX 7.0 or ASA device.

Step 7

Specify an AAA authorization (Group Policy Lookup) method list that defines the
order in which the group policies are searched on the local server or on external
AAA servers.

Step 8

Specify the AAA or Xauth user authentication method used to define the order in
which user accounts are searched.

Step 9

To configure a dynamic virtual template interface on the device:

a. Select the Dynamic VTI tab in the IPsec Proposal page.

b. Select the Enable Dynamic VTI check box.

c. Click the Use Subnet or Use Loopback Interface radio button to specify the
   IP address that will be used as the virtual template interface.

For a description of the elements on this tab, see Table G-27 on page G-86.


Step 10

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.
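The following is an added example, not configuration generated by Security Manager and not taken from this guide: a hand-written Cisco IOS Easy VPN server using a crypto map, showing which commands carry the pieces of the connection process in Overview of Configuring Easy VPN (IKE identity, Xauth, group lookup, mode configuration, RRI) and which correspond to Steps 4 through 8 of this procedure. The AAA method list names, group name, pool, addresses and interface are assumed placeholders.

```cisco
! Added example (not Security Manager output). Addresses are constructed
! documentation values; replace the <...> placeholders before use.
!
aaa new-model
! User authentication (Xauth) method list (Step 8; overview step 4): where
! user accounts are searched. "local" here; RADIUS or TACACS+ in production.
aaa authentication login EZ-XAUTH local
! Group authorization (Group Policy Lookup) method list (Step 7): where the
! group profile matching the client's group name is looked up
aaa authorization network EZ-GROUPS local
username alice secret <USER-PASSWORD>
!
! Pre-shared-key clients use IKE aggressive mode, so identify this server by
! hostname, as the note under overview step 1 recommends; certificate clients
! (main mode) are unaffected
crypto isakmp identity hostname
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group profile: the remote client's configured group name must match this
! name or no connection is established (see Configuring a User Group Policy).
! Key and pool are the only required attributes; dns and acl are optional
! parameters pushed to the client during mode configuration (overview step 5).
crypto isakmp client configuration group REMOTE-OFFICES
 key <GROUP-PSK>
 pool EZ-POOL
 dns 10.1.1.53
 acl 110
ip local pool EZ-POOL 10.200.0.1 10.200.0.254
! Split-tunnel list: only traffic to the protected 10.1.0.0/16 network is
! sent through the tunnel; everything else leaves the client directly
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
!
! Transform set (Step 4)
crypto ipsec transform-set EZ-TS esp-aes 256 esp-sha-hmac
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 ! Reverse Route Injection (Step 5; overview step 6): one static route per
 ! assigned client address, so return traffic is routed into the tunnel
 reverse-route
!
! Enforce user authentication on every remote client: a server that handles
! remote clients should always require Xauth, not device authentication alone
crypto map EZ-MAP client authentication list EZ-XAUTH
crypto map EZ-MAP isakmp authorization list EZ-GROUPS
! Mode configuration: answer the client's request for an address and policy
crypto map EZ-MAP client configuration address respond
crypto map EZ-MAP 10 ipsec-isakmp dynamic EZ-DYN
!
interface GigabitEthernet0/0
 description VPN external interface
 ip address 203.0.113.10 255.255.255.0
 ! The crypto map belongs on the external (VPN) interface, not on an
 ! inside interface where NAT or PAT is applied
 crypto map EZ-MAP
```

With this configuration the sequence in the overview runs as: aggressive-mode IKE with the group key, Xauth against EZ-XAUTH, group attributes from EZ-GROUPS pushed by mode configuration, a reverse route injected for the assigned 10.200.0.x address, then quick mode for the IPsec SAs.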

Related Topics

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Understanding Easy VPN, page 9-109

Easy VPN IPsec Proposal Page, page G-78

Configuring a User Group Policy for Easy VPN


When you configure an Easy VPN server, you can create user groups for remote
clients to belong to. As you add remote clients, you can specify that they inherit
parameters from the user group policy. Thus you can quickly configure VPN
access for large numbers of users.
Remote clients must have the same group name as the user group configured on
the server in order to connect to the device, otherwise no connection is
established. When the remote client establishes a successful connection to the
VPN server, the group policies for that particular user group are pushed to all
clients belonging to the user group.

Note

An Easy VPN user group policy can be configured on a Cisco IOS security router,
PIX 6.3 Firewall, or Catalyst 6500/7600 device.

This procedure describes how to specify the user group you want to assign to your
Easy VPN server.
Before You Begin

• Create your VPN topology. See Creating a VPN Topology, page 9-20.

• Make sure that the selected device is an IOS router or PIX 6.3 device.

• Make sure that the selected IPsec technology is Easy VPN. For more
  information, see Understanding IPsec Technologies and Policies, page 9-8.

• Please read Important Notes About Site-to-Site Easy VPN Configuration,
  page 9-114.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select User Group Policy in the Policies selector.

The User Group Policy page appears, displaying the currently selected user group.
For a description of the elements on this page, see Table G-28 on page G-88.

Step 4

If you want to select a different user group, select it in the Available User Groups
list. The user group replaces the selected one.
User groups are predefined objects. If the required user group is not included in
the list, click Add to open a dialog box that displays all the user group objects,
and enables you to create a user group. For more information, see Creating User
Group Objects, page 8-182.

Note

After creating a user group, you can modify its properties by selecting it,
and clicking Edit.

Step 5

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Understanding User Group Objects, page 8-181

Understanding Easy VPN, page 9-109

User Group Policy Page, page G-87


Configuring a Tunnel Group Policy for Easy VPN


A tunnel group consists of a set of records that contain IPsec tunnel connection
policies. Tunnel groups identify the group policy for a specific connection, and
include user-oriented attributes. If you do not assign a particular group policy to
a user, the default group policy for the connection applies. For a successful
connection, the username of the remote client must exist in the database;
otherwise, the connection is denied.
In site-to-site VPNs, you configure tunnel group policies on an Easy VPN server,
which can be a PIX Firewall version 7.0 or an ASA device.

Note

In remote access VPNs, you can configure tunnel group policies on a remote
access VPN server. For more information, see Tunnel Group Policies in Remote
Access VPNs, page 10-8.
Creating a tunnel group policy involves specifying:

The group policy: A collection of user-oriented attributes stored either
internally on the device or externally on a RADIUS/LDAP server.

Global AAA settings: Authentication, Authorization, and Accounting servers.

The DHCP servers to be used for client address assignment, and the address
pools from which the IP addresses will be assigned.

Settings for Internet Key Exchange (IKE) and IPsec (such as the preshared key).

(Optional) Interface-specific information (for authentication server groups
and client address pools).

Client VPN software information.

On the PIX 7.0/ASA Tunnel Group Policy page, you can create tunnel group
policies or edit the parameters defined for existing tunnel group policies on your
Easy VPN server.
This procedure describes how to configure a tunnel group policy on your
Easy VPN server.
Before You Begin

Create your VPN topology. See Creating a VPN Topology, page 9-20.


Make sure that the selected IPsec technology is Easy VPN. For more
information, see Understanding IPsec Technologies and Policies, page 9-8.

Please read Important Notes About Site-to-Site Easy VPN Configuration,
page 9-114.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required VPN topology.

Step 3

Select Tunnel Group Policy (PIX 7.0/ASA) in the Policies selector. The Tunnel
Group Policy page opens, displaying the General tab.

Step 4

On the General tab, specify the global AAA settings for your tunnel group and
select the method (or methods) of address assignment to use. For a description of
the elements on the General tab of the Tunnel Group Policy page, see Table G-29
on page G-90.

Step 5

Click the IPsec tab to specify IPsec and IKE parameters for the tunnel group
policy. For a description of the elements on the IPsec tab of the Tunnel Group
Policy page, see Table G-30 on page G-93.

Step 6

Click the Advanced tab to specify interface-specific information for your tunnel
group policy. For a description of the elements on the Advanced tab of the Tunnel
Group Policy page, see Table G-31 on page G-95.

Step 7

Click the Client VPN Software Update tab to view and edit the client type, VPN
Client revisions, and image URL for each client VPN software package installed.
For a description of the elements on the Client VPN Software Update tab of the
Tunnel Group Policy page, see Table G-32 on page G-97.

Step 8

When you have finished configuring your tunnel group parameters, click Save to
save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.


Related Topics

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Understanding Easy VPN, page 9-109

Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88

Configuring Client Connection Characteristics for Easy VPN


Easy VPN connection characteristics specify how traffic will be routed in the
VPN and how the VPN tunnel will be established, as described in these sections:

Easy VPN Configuration Modes, page 9-121

Easy VPN and IKE Extended Authentication (Xauth), page 9-122

Easy VPN Tunnel Activation, page 9-123

Easy VPN Configuration Modes

Easy VPN can be configured in three modes: Client, Network Extension, and
Network Extension Plus.

Client mode: The default configuration that allows devices at the client site
to access resources at the central site, but disallows access to the central site
for resources at the client site. In client mode, a single IP address is pushed
to the remote client from the server when the VPN connection is established.
This address is typically a routable address in the private address space of the
customer network. All traffic passing across the Easy VPN tunnel undergoes
Port Address Translation (PAT) to that single pushed IP address.

Network Extension mode: Allows users at the central site to access the
network resources at the client site, and allows the client PCs and hosts direct
access to the PCs and hosts at the central site. Network Extension mode
specifies that the hosts at the client end of the VPN tunnel should be given IP
addresses that are fully routable and reachable by the destination network.
The devices at both ends of the connection will form one logical network.
PAT is not used, so the hosts at the client end have direct access to the hosts
at the destination network. In other words, the Easy VPN server (the hub)
gives routable addresses to the Easy VPN client (the spoke), while the whole
LAN behind the client will not undergo PAT.


Network Extension Plus mode: An enhancement to Network Extension
mode, which can be configured only on IOS routers. It enables an IP address
that is received via mode configuration to be automatically assigned to an
available loopback interface. This IP address can be used for connecting to
your router for remote management and troubleshooting (ping, Telnet, and
Secure Shell).

Note

All modes of operation can also support split tunneling, which allows secure
access to corporate resources through the VPN tunnel while also allowing Internet
access through a connection to an ISP or other service (thereby eliminating the
corporate network from the path for web access).
Easy VPN and IKE Extended Authentication (Xauth)

When negotiating tunnel parameters for establishing IPsec tunnels in an
Easy VPN configuration, IKE Extended Authentication (Xauth) adds another level
of authentication that identifies the user who requests the IPsec connection. If the
VPN server is configured for Xauth, the client waits for a "username/password"
challenge after the IKE SA has been established. When the end user responds to
the challenge, the response is forwarded to the IPsec peers for an additional level
of authentication.
The information that is entered is checked against authentication entities using
authentication, authorization, and accounting (AAA) protocols such as RADIUS
and TACACS+. Token cards may also be used via AAA proxy. During Xauth, a
user-specific attribute can be retrieved if the credentials of that user are validated
via RADIUS.

Note

VPN servers that are configured to handle remote clients should always
be configured to enforce user authentication.

Security Manager allows you to save the Xauth username and password on the
device itself so you do not need to enter these credentials manually each time the
Easy VPN tunnel is established. The information is saved in the device's
configuration file and used each time the tunnel is established. Saving the
credentials in the device's configuration file is typically used if the device is
shared between several PCs and you want to keep the VPN tunnel up all the time,
or if you want the device to automatically bring up the tunnel whenever there is
traffic to be sent (see Easy VPN Tunnel Activation, page 9-123).


Saving the credentials in the device's configuration file, however, could create a
security risk, because anyone who has access to the device configuration can
obtain this information. An alternative method for Xauth authentication is to
manually enter the username and password each time Xauth is requested. Security
Manager enables you to do this interactively in a web browser window or from the
command line interface. Using web-based interaction, a login page is returned, in
which you can enter the credentials to authenticate the VPN tunnel. After the VPN
tunnel comes up, all users behind this remote site can access the corporate LAN
without being prompted again for the username and password. Alternatively, you
can choose to bypass the VPN tunnel and connect only to the Internet, in which
case a password is not required.
Easy VPN Tunnel Activation

If the device credentials (Xauth username and password) are stored on the device
itself, you must select a tunnel activation method. Two options are available:

Auto: The Easy VPN tunnel is established automatically when the
Easy VPN configuration is delivered to the device configuration file. If the
tunnel times out or fails, the tunnel automatically reconnects and retries
indefinitely. This is the default option.

Traffic Triggered Activation: The Easy VPN tunnel is established whenever
outbound local (LAN side) traffic is detected. Traffic Triggered Activation is
recommended for use with the Easy VPN dial backup configuration so that
backup is activated only when there is traffic to send across the tunnel. When
using this option, you must specify the Access Control List (ACL) that
defines the interesting traffic.

Note

Manual tunnel activation is configured implicitly if you select to configure the
Xauth password interactively. In this case, the device waits for a command before
attempting to establish the Easy VPN remote connection. When the tunnel times
out or fails, subsequent connections will also have to wait for the command.
This procedure describes how to configure the client connection characteristics
for Easy VPN.
Before You Begin

Create your VPN topology. See Creating a VPN Topology, page 9-20.


Make sure that the selected IPsec technology is Easy VPN. For more
information, see Understanding IPsec Technologies and Policies, page 9-8.

Please read Important Notes About Site-to-Site Easy VPN Configuration,
page 9-114.

Procedure
Step 1

Click the Site-To-Site VPN Manager button on the toolbar. The Site-to-Site
VPN Manager window opens.

Step 2

In the VPNs selector, select the required Easy VPN topology.

Step 3

Select Client Connection Characteristics in the Policies selector. The Client
Connection Characteristics page opens. For a description of the elements on this
page, see Table G-33 on page G-101.

Step 4

Select Client, Network Extension, or Network Extension Plus from the Mode
list.

Note

Network Extension Plus mode can be configured only on IOS routers.

Step 5

Select Device Stored Credentials or Interactive Entered Credentials
depending on how you want to enter the Xauth credentials for user authentication
when you establish a VPN connection with the server.

Step 6

If you selected Device Stored Credentials, select the Xauth credentials.

Step 7

If the device is an IOS router, and if you selected Interactive Entered
Credentials for the Xauth credentials source, select Web Browser or
Router Console depending on how you want to enter the Xauth credentials
interactively.

Step 8

If the device is an IOS router, and if you selected Device Stored Credentials for
the Xauth password source, select the Auto or Traffic Triggered Activation
tunnel activation method.

Step 9

If you selected the Traffic Triggered Activation option for Tunnel Activation,
specify the Access Control List (ACL) that defines the interesting traffic.

Step 10

Click Save to save your changes to the server.


Note

To publish your changes, click the Submit button on the toolbar.
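How the Client Connection Characteristics choices (mode, credential source, and tunnel activation) appear in the Easy VPN remote configuration delivered to an IOS router spoke. This is an added example, not configuration from the guide; the profile name EZVPN_SPOKE, group VPNGROUP, ACL name INTERESTING, interface names, addresses, and keys are placeholders.

```cisco
! Added example (not from the guide): Easy VPN remote profile on an IOS router spoke.
! EZVPN_SPOKE, VPNGROUP, INTERESTING, interface names, addresses and keys are placeholders.
!
! Interesting traffic for Traffic Triggered Activation: LAN traffic destined for the
! corporate network behind the Easy VPN server. Internet-bound traffic does not match,
! so it does not bring the tunnel up (it can be split-tunneled instead).
ip access-list extended INTERESTING
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto ipsec client ezvpn EZVPN_SPOKE
 ! Easy VPN server (hub) and the group name/key that select the server-side policy
 peer 203.0.113.1
 group VPNGROUP key <group-preshared-key>
 !
 ! Mode list: client | network-extension | network-plus (network-plus is IOS only)
 mode network-extension
 !
 ! Device Stored Credentials: the Xauth username/password live in the running
 ! configuration, so anyone who can read the configuration (show run, backups,
 ! configuration archives) can read them. The Interactive Entered Credentials
 ! option instead maps to "xauth userid mode http-intercept" (Web Browser) or
 ! "xauth userid mode interactive" (Router Console), and the username line is omitted.
 username spoke01 password <xauth-password>
 xauth userid mode local
 !
 ! Tunnel Activation (only meaningful with device-stored credentials):
 !   connect auto        = Auto (default; reconnects and retries indefinitely)
 !   connect acl <name>  = Traffic Triggered Activation, using the interesting-traffic ACL
 !   connect manual      = implied when the credentials are entered interactively
 connect acl INTERESTING
!
! Bind the profile: "inside" marks the LAN interface whose hosts use the tunnel;
! the outside interface is where the IPsec tunnel to the server terminates.
interface FastEthernet0/0
 description LAN side (inside)
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN_SPOKE inside
!
interface FastEthernet0/1
 description WAN side (outside)
 ip address dhcp
 crypto ipsec client ezvpn EZVPN_SPOKE
```

Once applied, show crypto ipsec client ezvpn reports the profile state, and with interactive credentials the tunnel stays down until crypto ipsec client ezvpn xauth (or the web login page) supplies the username and password.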

Related Topics

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Understanding Easy VPN, page 9-109

Client Connection Characteristics Page, page G-97


CHAPTER 10

Managing Remote Access VPNs


A virtual private network (VPN) consists of multiple remote peers securely
transmitting private data to one another over an unsecured network, such as the
Internet. Remote access VPNs use tunnels to encapsulate data packets within
normal IP packets for forwarding over IP-based networks, using encryption to
ensure privacy and authentication to ensure integrity of data.
Remote access VPNs permit secure, encrypted connections between a company's
private network and remote users, by establishing an encrypted IPsec tunnel
across the Internet using broadband cable, DSL, or Internet service provider (ISP)
dial connection.
A remote access VPN comprises a VPN client and a VPN headend device, or VPN
gateway. The VPN client software resides on a user's workstation and initiates the
VPN tunnel access to the corporate network. At the other end of the VPN tunnel
is the VPN gateway at the edge of the corporate site.
When a VPN client initiates a connection to the VPN gateway device, negotiation
consists of authenticating the device through Internet Key Exchange (IKE),
followed by user authentication using IKE Extended Authentication (Xauth).
Next, the group profile is pushed to the VPN client using mode configuration, and
an IPsec security association (SA) is created to complete the VPN connection.
For remote access VPNs, AAA (authentication, authorization, and accounting) is
used for secure access. With user authentication, a valid username and password
must be entered before the connection is completed. Usernames and passwords
can be stored on the VPN device itself or on an external AAA server, which can
provide authentication to numerous other databases. For more information on
using AAA servers, see Understanding AAA Server Objects, page 8-23.


Note

You can also use the Easy VPN technology to configure remote access VPN
policies in site-to-site VPN topologies. Security policies are configured on
hardware clients, such as routers, whereas in remote access VPNs, policies are
configured on PCs running Cisco VPN client software. For more information, see
Overview of Configuring Easy VPN, page 9-112.
Related Topics

Working with Policies in Remote Access VPNs, page 10-3

Discovering Remote Access VPN Policies, page 10-2

Discovering Remote Access VPN Policies


Security Manager allows you to import the configurations of remote access VPN
policies during policy discovery. You can discover configurations on devices that
are already deployed in your remote access VPN network, so that Security
Manager can manage them. These configurations are imported into Security
Manager as remote access VPN policies. Remote access VPN policy discovery
can be performed by importing the configuration of a live device or by importing
a configuration file.
When you initiate policy discovery on a device in a remote access VPN, the
system analyzes the configuration on the device and then translates this
configuration into Security Manager policies so that the device can be managed.
Warnings are displayed if the imported configuration completes only a partial
policy definition. If additional settings are required, you must go to the relevant
page in the Security Manager interface to complete the policy definition. You can
also rediscover the configurations of devices that are already managed with
Security Manager.


Note

You should perform deployment immediately after you discover the policies
on a device before you make any changes to policies or unassign policies from
the device; otherwise, the changes that you configure in Security Manager
might not be deployed to the device.

Be aware that after rediscovery on a device any shared policies that were
configured on the device are replaced by the local policies that are discovered.

To perform discovery of all remote access VPN policies that are configured on a
selected device in a remote access VPN, select the RA VPN Policies check box
in the Create Discovery Task dialog box. Remote access VPN policies are not
selected by default for discovery in the Create Discovery Task dialog box. For
more information, see Create Discovery Task Dialog Box, page D-16.
Related Topics

Discovering Policies, page 6-7

Discovering Policies on Devices Already in Security Manager, page 6-10

Understanding Policies, page 6-1

Working with Policies in Remote Access VPNs, page 10-3

Working with Policies in Remote Access VPNs


A remote access VPN policy defines the IPsec parameters that the VPN client and
VPN gateway use to create the VPN tunnel. In some cases, several types of
policies might be required to define a full configuration image that can be
assigned to devices. Other remote access VPN policies can be assigned
individually to devices.
You can set up and configure a remote access VPN on Cisco IOS routers,
PIX Firewalls, Catalyst 6500/7600 devices, and Adaptive Security Appliance
(ASA) devices.
In Device view, you can view and configure remote access VPN policies for
devices. To access Device view, select View > Device View or click the Device
View button on the toolbar. You can right-click a policy in the Policy selector to


display menu options that enable you to share the policy and assign the shared
policy to or unassign it from the selected device. For more information, see
Performing Basic Policy Management, page 6-20.
In Policy View, you can also view all shared policies for each policy type in a
remote access VPN, edit policies, and modify their assignments to devices. See
Managing Shared Remote Access VPN Policies in Policy View, page 10-35.

Note

You must have read-write permissions to modify a remote access VPN policy. For
more information, see Modify Policies Permissions, page 2-14.
The following topics provide information about the policies you can configure on
a remote access VPN from the Device view:

User Group Policies in Remote Access VPNs, page 10-6

Tunnel Group Policies in Remote Access VPNs, page 10-8

IPsec Proposals in Remote Access VPNs, page 10-12

IKE Proposals in Remote Access VPNs, page 10-18

Cluster Load Balancing, page 10-22

Public Key Infrastructure Policies in Remote Access VPNs, page 10-24

VPN Global Settings in Remote Access VPNs, page 10-27

DN Matching Policies, page 10-30

DN Matching Rules, page 10-32

Related Topics

Appendix H, Remote Access VPN User Interface Reference

Using the Remote Access Configuration Wizard, page 10-4

Discovering Remote Access VPN Policies, page 10-2

Using the Remote Access Configuration Wizard


The Remote Access Configuration wizard enables you to configure your device
as a remote access VPN server, quickly and easily. After the policies are
configured, specific security parameters defined in these policies are pushed to
the client by the server, minimizing configuration on the client.

Depending on the device type, the first step of the wizard requires you to
configure a user group or tunnel group policy. A user group policy must be
configured on an IOS security router, PIX Firewall, or Catalyst 6500/7600 device.
Tunnel group policies must be configured on ASA devices or PIX Firewalls
version 7.0.
The wizard then assigns other policies that are required to complete the
configuration to the device. These policies can be the default policies predefined
by Security Manager, or shared policies that you created using Security Manager.
For more information, see Assigning the Default Remote Access VPN Policies,
page 10-11.

Note

You cannot use the Remote Access Configuration wizard to edit a remote access
VPN. Each time you launch the wizard, any existing user group (or tunnel group)
policy assignment is removed from the device, so you must create it again.
The following policies can be assigned to a device to configure it as a remote
access VPN server:

User Group (IOS router, PIX Firewall, or Catalyst 6500/7600 device only)

Tunnel Group (ASA device or PIX Firewall version 7.0 only)

IPsec Proposal

High Availability

IKE Proposals

Public Key Infrastructure (PKI)

VPN Global Settings

Cluster Load Balance (ASA device or PIX Firewall version 7.0 only)

DN Matching (ASA device or PIX Firewall version 7.0 only)

DN Matching Rules (ASA device or PIX Firewall version 7.0 only)

Note

You can also configure these policies on your device individually from the
Remote Access VPN Policies folder.
To access the Remote Access Configuration wizard:

1. Select View > Device View or click the Device View button on the toolbar.

2. From the Device selector, select the device to configure as your remote access
server.

3. Select Remote Access VPN > Configuration Wizard from the Policy
selector.

4. Click Remote Access Configuration Wizard.

Related Topics

Working with Policies in Remote Access VPNs, page 10-3

Configuring User Group Policies, page 10-7

Configuring Tunnel Group Policies, page 10-9

Assigning the Default Remote Access VPN Policies, page 10-11

User Group Policies in Remote Access VPNs


When you configure a remote access VPN server, you must create user groups to
which remote clients will belong. A user group policy specifies the attributes that
determine user access to and use of the VPN. User groups simplify system
management, enabling you to quickly configure VPN access for large numbers of
users.
For example, in a typical remote access VPN, you might allow a finance group to
access one part of a private network, a customer support group to access another
part, and an MIS group to access other parts. In addition, you might allow specific
users within MIS to access systems that other MIS users cannot access. User
group policies provide the flexibility to do so securely.
Remote clients must have the same group name as the user group configured on
the VPN server so that they can connect to the device; otherwise, a connection
cannot be established. When a remote client establishes a connection to the VPN
server, the group policies for that user group are pushed to all clients belonging to
the same user group. You can configure user groups on the local remote access
VPN server and external AAA servers.

Note

The remote access VPN server on which you define a user group policy can be a
Cisco IOS router, PIX 6.3 Firewall, or 6500/7600 device.


On the User Group Policy page, you can specify the user groups you want to
assign to your remote access VPN server. You can create and edit user group
policies. You can open the User Group Policy page from the Remote Access
Configuration wizard or from the Remote Access VPN Policies folder.
Related Topics

Configuring User Group Policies, page 10-7

User Groups Objects Page, page F-508

Configuring User Group Policies


This procedure describes how to specify the user groups to assign to your remote
access VPN server.
Before You Begin

In Device view (View > Device View), select the required device (Cisco IOS
router, PIX Firewall, or Catalyst 6500/7600).
Procedure
Step 1

Open the User Group Policy page.

a. From the wizard: Select View > Device View > Remote Access VPN >
Configuration Wizard, then click Remote Access Configuration Wizard.

b. From the Remote Access VPN Policies folder: Select View > Device View >
Remote Access VPN > RA VPN Policies > User Group Policy from the Policy
selector.
Step 2

From the User Group Policy page, select the required user groups from the
Available User Groups list, and click >>. For a description of the elements on
this page, see Table H-1 on page H-4.
User groups are objects. If the required user group is not in the list, click Create
to open the User Groups Editor dialog box that enables you to create or edit a user
group object.


Step 3

If you opened the User Group Policy page from the wizard, click Next to advance
to the next step of the wizard. See Assigning the Default Remote Access VPN
Policies, page 10-11.
If you opened the User Group Policy page from the Remote Access VPN Policies
folder, click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

User Group Policy Page, page H-3

Using the Remote Access Configuration Wizard, page 10-4

User Group Policies in Remote Access VPNs, page 10-6

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

Understanding User Group Objects, page 8-181

Tunnel Group Policies in Remote Access VPNs


A tunnel group is a set of records that contain VPN tunnel connection policies,
including the attributes that pertain to creating the tunnel itself.
Tunnel groups identify the group policy for a specific connection, which includes
user-oriented attributes. If you do not assign a tunnel group policy to a user, the
default group policy for the connection applies.
You can create one or more tunnel groups specific to your environment. Tunnel
groups can be configured on the local remote access VPN server or on external
AAA servers.
On the Tunnel Group Policy page, you can view the tunnel group policies defined
on your remote access VPN server. You can create and edit tunnel group policies.
You can open the Tunnel Group Policy page from the Remote Access
Configuration wizard or from the Remote Access VPN Policies folder.


Note

You can configure tunnel group policies only on PIX Firewalls version 7.0, or
ASA devices.
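The tunnel group components listed under Configuring a Tunnel Group Policy for Easy VPN (group policy, global AAA, address assignment, IKE/IPsec preshared key, interface-specific overrides) as they appear in the ASA 7.x configuration of a remote access or Easy VPN server; the same example serves this section. This is an added example, not configuration from the guide; RA_GROUP, RA_GP, RA_POOL, RADIUS_SRV, SPLIT_NETS, interface names, addresses, and keys are placeholders.

```cisco
! Added example (not from the guide): tunnel group on an ASA 7.x remote access / Easy VPN server.
! RA_GROUP, RA_GP, RA_POOL, RADIUS_SRV, SPLIT_NETS, interface names, addresses and keys are placeholders.
! The ISAKMP policy and dynamic crypto map (the IKE and IPsec proposals) are configured separately.
!
! Address assignment (General tab): a local pool; a DHCP server could be used instead.
ip local pool RA_POOL 10.10.10.10-10.10.10.250 mask 255.255.255.0
!
! Global AAA (General tab): external RADIUS server group used for Xauth user authentication.
! Authenticating against a central directory keeps user credentials off the device itself.
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Group policy: user-oriented attributes stored internally on the device.
! (An external group policy would point at a RADIUS/LDAP server instead.)
access-list SPLIT_NETS standard permit 10.0.0.0 255.0.0.0
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol IPSec
 vpn-idle-timeout 30
 ! Split tunneling: only the corporate networks in SPLIT_NETS are sent through the tunnel.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS
!
! Tunnel group: the connection profile that ties AAA, address pool and group policy together.
! A client must present this group name (and its key) to be matched to the profile.
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 authentication-server-group RADIUS_SRV
 default-group-policy RA_GP
 ! Interface-specific override (Advanced tab): clients arriving on "outside" can be
 ! sent to a different server group or pool than the global setting.
 authentication-server-group (outside) RADIUS_SRV
!
! IKE/IPsec settings (IPsec tab): the group preshared key used in IKE phase 1.
! Xauth remains enabled by default, so every user is still authenticated individually
! after the group key is accepted.
tunnel-group RA_GROUP ipsec-attributes
 pre-shared-key <group-preshared-key>
```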
Related Topics

Configuring Tunnel Group Policies, page 10-9

Tunnel Group Policy Page, page H-4

Configuring Tunnel Group Policies


This procedure describes how to create or edit tunnel group policies on your
remote access VPN server.
Before You Begin

In Device view (View > Device View), select the required device (PIX 7.0 or
ASA device).
Procedure
Step 1

Open the Tunnel Group Policy page.

a. From the wizard: Select View > Device View > Remote Access VPN >
Configuration Wizard, then click Remote Access Configuration Wizard.

b. From the Remote Access VPN Policies folder: Select View > Device View >
Remote Access VPN > RA VPN Policies > Tunnel Group Policy (PIX 7.0/ASA)
from the Policy selector.
Step 2

Click Create in the Tunnel Group Policy page, or select a device from the table
on the Tunnel Group Policy page and click Edit. The Tunnel Group Editor dialog
box opens, displaying the General tab. For a description of the elements on the
Tunnel Group Policy page, see Table H-2 on page H-5.


Step 3

On the General tab, specify the global AAA settings for your tunnel group and
select which method (or methods) of address assignment to use. For a description
of the elements on the General tab, see Table H-3 on page H-7.

Step 4

Click the IPsec tab to specify IPsec and IKE parameters for the tunnel group
policy. For a description of the elements on the IPsec tab, see Table H-4 on
page H-10.

Step 5

Click the Advanced tab to specify interface-specific information for your tunnel
group policy. For a description of the elements on the Advanced tab, see
Table H-5 on page H-13.

Step 6

Click the Client VPN Software Update tab to view and edit the client type, VPN
Client revisions, and image URL for each client VPN software package installed.
For a description of the elements on the Client VPN Software Update tab, see
Table H-6 on page H-15.

Step 7

After you finish creating or editing your tunnel group policy, click OK to save
your changes locally on the client and close the Tunnel Group Policy Editor dialog
box.

Step 8

If you opened the Tunnel Group Policy page from the wizard, click Next to
advance to the next step of the wizard. See Assigning the Default Remote Access
VPN Policies, page 10-11.
If you opened the Tunnel Group Policy page from the Remote Access VPN
Policies folder, click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Tunnel Group Policy Page, page H-4

Tunnel Group Policies in Remote Access VPNs, page 10-8

Managing Shared Remote Access VPN Policies in Policy View, page 10-35


Assigning the Default Remote Access VPN Policies


The VPN Defaults page of the Remote Access Configuration Wizard displays all
the available policy types that can be assigned to your device. For each policy
type, you can assign either the factory default policy (a private policy), or a shared
policy that you created using Security Manager. When you click Finish, the
selected policies are assigned to your device.
To assign a policy that is not listed, you can change the policy defaults selection
in the Administration tools VPN Policy Defaults page (Tools > Security
Manager Administration > VPN Policy Defaults). On this page, you can view
the default policies available for assignment to remote access VPN devices. These
include the factory defaults, in addition to any shared VPN policies that you
created and submitted or approved (depending on the workflow mode), with
Security Manager.

In Policy view, you can view all shared policies that were defined for each policy
type in a remote access VPN, edit individual policies, and modify their device
assignments. For more information, see Managing Shared Policies in Policy View,
page 6-40.

Note

Default policies are not available for User Group and Tunnel Group policies.
You must define a user group policy (or tunnel group policy for ASA devices
and PIX Firewalls version 7.0) each time you configure your remote access
VPN server.

Note

If you try to select a default policy that is locked by another user, a warning
is displayed. You can change the default in the VPN Defaults page of the
wizard in order to bypass the lock, or you can just cancel the configuration of
your device until the lock is approved. For more information, see
Understanding Locking, page 6-55.

Before You Begin

• In Device view (View > Device View), select the required device.

• Make sure that the default policies you want to assign to this device are
selected from the Administration tools VPN Policy Defaults page (Tools >
Security Manager Administration > VPN Policy Defaults).

Procedure
Step 1

Open the VPN Defaults page by clicking Next on the User Group Policy page of
the Remote Access Configuration wizard. If the device is an ASA or PIX Firewall
version 7.0, click Next on the Tunnel Group Policy page. For a description of the
elements on the VPN Defaults page, see Table H-7 on page H-16.

Step 2

For each policy type, select the policy to assign to your device.
You can select the Factory Default policy or select a shared VPN policy that
appears in the list. If a shared policy was not already selected in the
Administration tools VPN Policy Defaults page, none will be assigned.

Step 3

To view the contents of a selected VPN policy, click the View Content button.

Step 4

Click Finish to save your wizard definitions and assign the remote access VPN
policies to your device. The wizard closes.

Related Topics

Remote Access VPN Defaults Page, page H-15

Configuring VPN Policy Defaults, page 2-98

Using the Remote Access Configuration Wizard, page 10-4

IPsec Proposals in Remote Access VPNs


An IPsec proposal is a collection of one or more crypto maps. A crypto map
combines all the components required to set up IPsec security associations (SAs),
including IPsec rules, transform sets, remote peer(s), and other parameters that
might be necessary to define an IPsec SA.
When configuring an IPsec proposal, you must define the external interface
through which the remote access clients connect to the server, and the encryption
and authentication algorithms that protect the data in the VPN tunnel. You can
also select a group authorization (Group Policy Lookup) method that defines the
order in which group policies are searched (on the local server or on external AAA
servers) and a user authentication (Xauth) method that defines the order in which
user accounts are searched.


For more information on IPsec tunnel concepts, see Understanding IPsec Tunnel
Policies, page 9-72. For information about user accounts, see Defining Accounts
and Credential Policies, page 14-75.
On the IPsec Proposal page, you can view the default IPsec proposal that is
available for assignment to your remote access VPN. From this page, you can
create a new IPsec proposal or edit the default one.
When you create or edit an IPsec proposal, you may also configure:

• A VPN Services Module (VPNSM) interface or VPN SPA on a Catalyst
6500/7600 device (see Configuring a Catalyst VPN Services Module
(VPNSM) VPN Interface, page 9-40).

• A Cisco IPsec VPN Shared Port Adapter (VPN SPA) blade on a Catalyst
6500/7600 device (see Configuring a Catalyst VPN Shared Port Adapter
(VPN SPA) Blade, page 9-42).

• A Firewall Services Module and a VPN Services Module on a Catalyst
6500/7600 device (see Configuring a Firewall Services Module (FWSM)
Interface with VPNSM or VPN SPA, page 9-48).

• VRF-Aware IPsec on a Catalyst 6500/7600 device (see Configuring
VRF-Aware IPsec Settings, page 9-55).

• A dynamic virtual interface on an IOS router (see Using Dynamic Virtual
Template Interfaces in Remote Access VPNs, page 10-13).

Using Dynamic Virtual Template Interfaces in Remote Access VPNs

Dynamic virtual template interfaces (VTIs) provide highly secure and scalable
connectivity for remote-access VPNs, replacing dynamic crypto maps and the
dynamic hub-and-spoke method for establishing tunnels. You can use dynamic
VTIs for both the server and remote configuration. The tunnels provide an
on-demand separate virtual access interface for each VPN session. The
configuration of the virtual access interfaces is duplicated from a virtual template
configuration, which includes the IPsec configuration and any features configured
on the virtual template interface. Dynamic VTIs provide efficiency in the use of
IP addresses and provide secure connectivity. They enable dynamically
downloadable per-group and per-user policies to be configured on a RADIUS
server. Dynamic VTI simplifies VRF-Aware IPsec deployment, as the VRF is
configured on the interface.


When this feature is enabled, Security Manager implicitly creates the virtual
template interface for the selected device in a remote access VPN. All you must
do is provide the IP address on the server that will be used as the virtual template
interface, or use an existing loopback interface. The virtual template interface is
created on the remote client without an IP address.
You can configure dynamic VTI when configuring an IPsec proposal on your
remote access VPN server.

Note

• You can configure dynamic VTI only on routers running Cisco IOS Release
12.4(2)T and later, except 7600 devices.

• You can configure dynamic VTI with or without VRF-Aware IPsec.

• You can also configure dynamic VTI in a site-to-site Easy VPN topology. For
more information, see Easy VPN with Dynamic Virtual Tunnel Interfaces,
page 9-111.

Related Topics

Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14

IPsec Proposal Page, page H-16

Configuring an IPsec Proposal on a Remote Access VPN Server


This procedure describes how to create or edit an IPsec proposal for your remote
access VPN server.

Note

• On a Catalyst 6500/7600, you can also configure a VPN Services Module
(VPNSM) interface or VPN SPA, a Firewall Services Module with a VPN
Services Module, and/or VRF-Aware IPsec.

• If the device is an IOS router running version 12.4(2)T or later, except a 7600
device, you can configure a dynamic virtual interface on it.

• If the device is a PIX 7.0, ASA, or IOS router except 7600, you can also
configure reverse route injection on the crypto map.


Before You Begin

In Device view (View > Device View), select the device on which you want
to configure the IPsec proposal.

Procedure
Step 1

In Device view, select Remote Access VPN > RA VPN Policies > IPsec Proposal
from the Policy selector. The IPsec Proposal page opens.
For a description of the elements on the IPsec Proposal page, see Table H-8 on
page H-17.

Step 2

Click Create on the IPsec Proposal page, or select a row in the table on the IPsec
Proposal page, and click Edit. The IPsec Proposal Editor dialog box opens.

Note

The elements in the IPsec Proposal Editor dialog box differ depending on the
selected device.

Step 3

If the selected device is a PIX 7.0 or an ASA device:


a.

Select the external interface through which remote access clients will connect
to the server.

b.

Select the transform set or sets to be used for your tunnel policy.

c.

If you do not want to configure Reverse Route Injection (RRI) on the device's
crypto map, select the None option from the list.
The default option, Standard, creates routes based on the destination
information defined in the crypto map access control list (ACL). For more
information, see About Reverse Route Injection, page 9-76.

d.

If required, enable the configuration of Network Address Translation
Traversal (NAT-T) on an ASA device. See About NAT Traversal, page 9-81.

e.

For a PIX device, specify the AAA or Xauth user authentication method to
define the order in which user accounts are searched.

f.

Click OK to save your changes locally on the client and close the dialog box.
The changes appear in the table of the IPsec Proposal page.

For a description of the elements on the IPsec Proposal Editor dialog box, see
Table H-9 on page H-20.


Step 4

If the selected device is a Cisco IOS router or Catalyst 6500/7600, the IPsec
Proposal Editor dialog box opens displaying the General tab.

Note

The IPsec Proposal Editor dialog box displays two tabs: General and
Dynamic VTI/VRF Aware IPsec. If the selected device is a Catalyst
6500/7600, the FWSM Settings tab is also displayed.

a.

In the General tab (for a description of the elements in the General tab, see
Table H-10 on page H-23):

• Specify the external interface through which remote access clients will
connect to the server.

Note

Important: If the selected device is a Catalyst 6500/7600,
specify the inside VLAN that serves as the inside interface to the
VPN Services Module (VPNSM) or VPN SPA. Click Select to
open a dialog box in which you define the settings that enable you
to configure a VPNSM or VPN SPA. For a description of the
elements in the VPNSM/VPN SPA Settings dialog box, see
Table H-11 on page H-27.

For information about configuring a VPNSM, see Configuring a Catalyst
VPN Services Module (VPNSM) VPN Interface, page 9-40.
For information about configuring a VPN SPA, see Configuring a
Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42.

• Select the transform set(s) to be used for your tunnel policy.

• If required, enable reverse route injection (RRI) to ensure that a static
route is created on the device for each address assigned to a client.
To configure reverse route injection (RRI) on the device's crypto map,
select the required option from the Reverse Route Injection list. For more
information, see About Reverse Route Injection, page 9-76.

• Select an AAA authorization method list to use for defining the order in
which the group policies are searched. Group policies can be configured
on the local server or on an external AAA server.

• Select the AAA or Xauth user authentication method to use for defining
the order in which user accounts are searched.


b.

If the selected device is a Catalyst 6500/7600, click the FWSM tab and define
the settings that enable you to connect between a Firewall Services Module
(FWSM) and an IPsec VPNSM blade or VPN SPA blade that is already
configured on a Catalyst 6500/7600 device. For a description of the elements
in the FWSM Settings tab, see Table H-12 on page H-30.
For more information, see Configuring a Firewall Services Module (FWSM)
Interface with VPNSM or VPN SPA, page 9-48.

c.

Click the Dynamic VTI/VRF Aware IPsec tab to configure a dynamic
virtual interface, VRF-Aware IPsec settings, or both on the device.
For a description of the elements on this tab, see Table H-13 on page H-32.

Step 5

After you finish creating or editing your IPsec proposal, click OK to save your
changes locally on the client, and close the IPsec Proposal Editor dialog box.
The changes appear in the table of the IPsec Proposal page.

Step 6

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Using Dynamic Virtual Template Interfaces in Remote Access VPNs,
page 10-13

Understanding VRF-Aware IPsec, page 9-51

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

IPsec Proposals in Remote Access VPNs, page 10-12

IPsec Proposal Page, page H-16

IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page H-19

IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600
Devices), page H-22

VPNSM/VPN SPA Settings Dialog Box, page H-26

FWSM Settings Tab (IPsec Proposal Editor), page H-29

Understanding IPsec Tunnel Policies, page 9-72


IKE Proposals in Remote Access VPNs


Internet Key Exchange (IKE), also called ISAKMP, is the negotiation protocol
that enables two hosts to agree on how to build an IPsec security association. To
configure your device for remote access VPNs, you must specify the encryption
algorithm, authentication algorithm, and key exchange method that the device
should use when negotiating a VPN connection with the remote clients.
An IKE proposal is a set of algorithms that two peers use to secure the IKE
negotiation between them. IKE negotiation begins by each peer agreeing on a
common (shared) IKE policy. This policy states which security parameters will be
used to protect subsequent IKE negotiations. You can create multiple, prioritized
policies at each peer to ensure that at least one policy will match a remote peer's
policy.
For more information on IKE concepts, see Understanding IKE, page 9-67.
On the IKE Proposal page, you can select the IKE proposals to assign to your
remote access VPN server. You can create and edit IKE proposals.
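The following is an added example, not code from this guide or from Security Manager, that models the policy agreement described above: each peer holds a prioritized list of IKE proposals, and the first local proposal (lowest priority number first) that matches one of the remote peer's proposals is the policy used. The `IkeProposal` fields and the sample server and client proposal lists are constructed for the example; the lifetime rule (the remote lifetime must not exceed the local one, and the shorter value is used) follows Cisco IOS behaviour and should be treated as an assumption for other platforms. The example also shows the failure case the text warns about: when no proposal matches, negotiation returns nothing and the tunnel cannot be built.

```python
"""Added example: how two IKE peers settle on a shared IKE (ISAKMP) policy.

Not Security Manager code. Models prioritized proposal matching; the
lifetime rule mirrors Cisco IOS and is an assumption elsewhere.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    priority: int        # lower number = evaluated first
    encryption: str      # e.g. "aes-128", "3des"
    hash_alg: str        # e.g. "sha", "md5"
    authentication: str  # e.g. "pre-share", "rsa-sig"
    dh_group: int        # Diffie-Hellman group number
    lifetime: int        # IKE SA lifetime in seconds


def matches(local: IkeProposal, remote: IkeProposal) -> bool:
    """Encryption, hash, authentication and DH group must be identical;
    the remote lifetime must be less than or equal to the local lifetime."""
    return (
        local.encryption == remote.encryption
        and local.hash_alg == remote.hash_alg
        and local.authentication == remote.authentication
        and local.dh_group == remote.dh_group
        and remote.lifetime <= local.lifetime
    )


def negotiate(local_policies: Iterable[IkeProposal],
              remote_policies: Iterable[IkeProposal]
              ) -> Optional[Tuple[IkeProposal, IkeProposal, int]]:
    """Return (local, remote, agreed_lifetime) for the highest-priority local
    proposal that matches any remote proposal, or None when no common policy
    exists (IKE negotiation fails and no tunnel is built)."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        for remote in sorted(remote_policies, key=lambda p: p.priority):
            if matches(local, remote):
                return local, remote, min(local.lifetime, remote.lifetime)
    return None


# Constructed sample data: a server with three prioritized proposals and a
# remote client offering two.
SERVER_POLICIES = [
    IkeProposal(10, "aes-256", "sha", "rsa-sig", 14, 86400),
    IkeProposal(20, "aes-128", "sha", "pre-share", 5, 86400),
    IkeProposal(30, "3des", "md5", "pre-share", 2, 86400),
]
CLIENT_POLICIES = [
    IkeProposal(1, "aes-128", "sha", "pre-share", 5, 28800),
    IkeProposal(2, "3des", "md5", "pre-share", 2, 86400),
]

if __name__ == "__main__":
    result = negotiate(SERVER_POLICIES, CLIENT_POLICIES)
    if result is None:
        print("no common IKE policy: negotiation would fail")
    else:
        local, remote, lifetime = result
        print(f"server policy {local.priority} <-> client policy "
              f"{remote.priority}, lifetime {lifetime}s")
```

With the sample lists, the server's policy 10 (RSA signatures, group 14) matches nothing the client offers, so policy 20 is chosen with the client's shorter 28800-second lifetime; a client that only offered a DH group or lifetime the server does not accept would get no match at all.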
Related Topics

Configuring IKE Proposals on a Remote Access VPN Server, page 10-18

IKE Proposal Page, page H-36

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

Configuring IKE Proposals on a Remote Access VPN Server


This procedure describes how to specify the IKE proposals you want to assign to
your remote access VPN server.
Before You Begin

In Device view (View > Device View), select the required device.
Procedure
Step 1

In Device view, select Remote Access VPN > RA VPN Policies > IKE Proposal
from the Policy selector. The IKE Proposal page opens.


Step 2

On the IKE Proposal page, select the required IKE proposals from the Available
IKE Proposals list, and click >>. For a description of the elements on this page,
see Table H-14 on page H-36.
IKE proposals are objects. If the required IKE proposal is not included in the list,
click Create to open the IKE Editor dialog box that enables you to create or edit
an IKE proposal object. For more information, see IKE Proposal Dialog Box,
page F-93.

Step 3

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

IKE Proposal Page, page H-36

IKE Proposals in Remote Access VPNs, page 10-18

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

High Availability in Remote Access VPNs


In Security Manager, High Availability (HA) is supported by the creation of an
HA group made up of two or more hub devices that use Hot Standby Routing
Protocol (HSRP) to provide transparent, automatic device failover. By sharing a
virtual IP address, the hubs in the HA group present the appearance of a single
virtual device or default gateway to the hosts on a LAN. One hub in the HA group
is always active and assumes the virtual IP address, while the others are standby
hubs. The hubs in the group watch for hello packets from active and standby
devices. If the active device becomes unavailable for any reason, a standby hub
takes ownership of the virtual IP address and takes over the hub functionality. This
transfer is seamless and transparent to hosts on the LAN, and to the peering
devices.
In remote access VPNs, High Availability (HA) is supported on Cisco IOS routers
running IP over LANs.


Stateful SwitchOver (SSO) is used to ensure that state information is shared
between the HSRP devices in the HA group. If a device fails, the shared state
information enables the standby device to maintain IPsec sessions without having
to re-establish the tunnel or renegotiate the security associations.

Note

• When configuring an HA group, you must provide an inside virtual IP that
matches the subnet of one of the interfaces on the device, in addition to a VPN
virtual IP that matches the subnet of one of the device's interfaces and is
configured with an IPsec proposal. See Configuring an IPsec Proposal on a
Remote Access VPN Server, page 10-14.

• A remote access VPN server device on which HA is configured cannot be
configured as a hub in a site-to-site VPN topology on which HA is
configured, using the same outside interface that was used for the remote
access VPN server.

For a description of the High Availability page, on which you can provide
information for configuring an HA group, see Table H-15 on page H-38.
Related Topics

Configuring a High Availability Policy, page 10-20

High Availability Page, page H-37

Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14

Configuring a High Availability Policy


This procedure describes the steps required to configure a high availability policy
on an IOS router in your remote access VPN.
Before You Begin

• In Device view (View > Device View), select the required IOS router.

• Make sure an IPsec proposal is configured on the device.


Procedure
Step 1

In Device view, select Remote Access VPN > High Availability from the Policy
selector. The High Availability page opens. For a description of the elements on
this page, see Table H-15 on page H-38.

Step 2

Specify the virtual IP addresses (and subnet masks) that represent the inside
interface and the VPN interface of the HA group, in the relevant fields.

Note

You must provide an inside virtual IP that matches the subnet of one of
the interfaces on the device, in addition to a VPN virtual IP that matches
the subnet of one of the device's interfaces and is configured with an IPsec
proposal; otherwise an error is displayed.

Step 3

Specify the hello interval and hold time, in seconds.

Step 4

Specify the standby number of the inside hub interface that matches the internal
virtual IP subnet, and the outside hub interface that matches the external virtual
IP subnet, for the hubs in the HA group. The numbers must be within the range of
0-255.

Note

Inside and outside standby group numbers must be different.

Step 5

Specify the IP address of the inside interface of the remote peer device which acts
as the failover server.

Step 6

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.
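The following is an added example, not code from this guide or from Security Manager, that checks the values entered in Steps 2 through 5 before they are saved. It encodes the constraints the procedure states: the inside virtual IP must share a subnet with one of the device's interfaces, the VPN virtual IP must share a subnet with an interface that carries an IPsec proposal, and the inside and outside standby group numbers must lie within 0-255 and differ. The rule that the hold time must exceed the hello interval is HSRP's own requirement; the check that the failover peer's inside address lies in the inside subnet is an added assumption. The `Interface` and `HaPolicy` types and the sample router are constructed for the example.

```python
"""Added example: pre-flight validation of a High Availability policy.

Not Security Manager code. Interface/HaPolicy types and the sample router
are constructed; see the comments for which checks are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Interface:
    name: str
    address: str                      # CIDR notation, e.g. "10.1.1.1/24"
    has_ipsec_proposal: bool = False  # True for the outside (VPN) interface


@dataclass(frozen=True)
class HaPolicy:
    inside_virtual_ip: str            # CIDR, e.g. "10.1.1.100/24"
    vpn_virtual_ip: str               # CIDR, must sit on an IPsec interface
    hello_interval: int               # seconds
    hold_time: int                    # seconds
    inside_standby_group: int         # 0-255
    outside_standby_group: int        # 0-255, must differ from inside
    failover_peer_inside_ip: str      # inside address of the peer hub


def same_subnet(virtual_ip: str, iface: Interface) -> bool:
    return (ipaddress.ip_interface(virtual_ip).network
            == ipaddress.ip_interface(iface.address).network)


def validate_ha_policy(policy: HaPolicy, interfaces: List[Interface]) -> List[str]:
    """Return a list of problems; an empty list means the policy is consistent."""
    errors = []
    if not any(same_subnet(policy.inside_virtual_ip, i) for i in interfaces):
        errors.append("inside virtual IP does not match the subnet of any interface")
    vpn_ifaces = [i for i in interfaces if i.has_ipsec_proposal]
    if not any(same_subnet(policy.vpn_virtual_ip, i) for i in vpn_ifaces):
        errors.append("VPN virtual IP does not match the subnet of an interface "
                      "that has an IPsec proposal")
    for label, group in (("inside", policy.inside_standby_group),
                         ("outside", policy.outside_standby_group)):
        if not 0 <= group <= 255:
            errors.append(f"{label} standby group {group} is outside 0-255")
    if policy.inside_standby_group == policy.outside_standby_group:
        errors.append("inside and outside standby group numbers must be different")
    # HSRP itself requires the hold time to exceed the hello interval.
    if policy.hello_interval <= 0 or policy.hold_time <= policy.hello_interval:
        errors.append("hold time must be greater than the hello interval")
    # Assumption: the failover peer's inside address belongs to the inside subnet.
    peer = ipaddress.ip_address(policy.failover_peer_inside_ip)
    if peer not in ipaddress.ip_interface(policy.inside_virtual_ip).network:
        errors.append("failover peer inside IP is not in the inside virtual IP subnet")
    return errors


# Constructed sample: an IOS router with an inside LAN and an outside
# interface that already carries the IPsec proposal.
ROUTER_INTERFACES = [
    Interface("FastEthernet0/0", "10.1.1.1/24"),
    Interface("FastEthernet0/1", "203.0.113.1/24", has_ipsec_proposal=True),
]
GOOD_POLICY = HaPolicy("10.1.1.100/24", "203.0.113.100/24", 3, 10, 1, 2, "10.1.1.2")
BAD_POLICY = HaPolicy("10.1.1.100/24", "192.0.2.100/24", 3, 10, 1, 1, "10.1.1.2")

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, validate_ha_policy(pol, ROUTER_INTERFACES) or ["ok"])
```

The bad policy fails on two counts: its VPN virtual IP sits on a subnet that no interface with an IPsec proposal belongs to, and it reuses the same standby group number for the inside and outside interfaces.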

Related Topics

High Availability in Remote Access VPNs, page 10-19

High Availability Page, page H-37


Cluster Load Balancing


In a remote client configuration in which you are using two or more devices
connected to the same network to handle remote sessions, you can configure these
devices to share their session load. This feature is called load balancing. Load
balancing directs session traffic to the least loaded device, thus distributing the
load among all devices. Load balancing is effective only on remote sessions
initiated with an ASA device.
To implement load balancing, you must group two or more devices on the same
private LAN-to-LAN network into a virtual cluster. All devices in the virtual
cluster carry session loads. One device in the virtual cluster, called the virtual
cluster master, directs incoming calls to the other devices, called secondary
devices. The virtual cluster master monitors all devices in the cluster, keeps track
of how busy each is, and distributes the session load accordingly.
The virtual cluster appears to outside clients as a single virtual cluster IP address.
This IP address is not tied to a specific physical device; it belongs to the current
virtual cluster master. A VPN client trying to establish a connection connects first
to this virtual cluster IP address. The virtual cluster master then sends back to the
client the public IP address of the least-loaded available host in the cluster. In a
second transaction (transparent to the user), the client connects directly to that
host. In this way, the virtual cluster master directs traffic evenly and efficiently
across resources.
The role of virtual cluster master is not tied to a physical device; it can shift
among devices. If a machine in the cluster fails, the terminated sessions can
immediately reconnect to the virtual cluster IP address. The virtual cluster master
then directs these connections to another active device in the cluster. Should the
virtual cluster master itself fail, a secondary device in the cluster immediately
takes over as the new virtual session master. Even if several devices in the cluster
fail, users can continue to connect to the cluster as long as any one device in the
cluster is available.
The Cluster Load Balance page enables you to configure load balancing on your
VPN device. You must explicitly enable load balancing, as it is disabled by
default. All devices that participate in a cluster must share the same
cluster-specific values: IP address, encryption settings, encryption key, and port.
Related Topics

Configuring a Cluster Load Balance Policy, page 10-23


ASA Cluster Load Balance Page, page H-50

Configuring a Cluster Load Balance Policy


Note

You can configure a Cluster Load Balance policy only on an ASA device.
Before You Begin

In Device view (View > Device View), select the required ASA device.
Procedure
Step 1

In Device view, select Remote Access VPN > RA VPN Policies > ASA Cluster
Load Balance from the Policy selector. The ASA Cluster Load Balance page
opens. For a description of the elements on this page, see Table H-20 on
page H-51.

Step 2

Select the Participating in Load Balancing Cluster check box to specify the
device belongs to the load-balancing cluster.

Step 3

Specify the single IP address that represents the entire virtual cluster. Choose an
IP address that is in the same subnet as the external interface.

Step 4

Specify the UDP port for the virtual cluster to which the device belongs. If another
application is using this port, enter the UDP destination port number to use for
load balancing. The default is 9023.

Step 5

If required, select Enable IPsec Encryption to ensure that all load-balancing
information communicated between the devices is encrypted.

Step 6

If you selected the Enable IPsec Encryption check box, you must specify an
IPsec Shared Secret password. The security appliances in the virtual cluster
communicate via LAN-to-LAN tunnels using IPsec. This password must match
the passwords passed on by the client.

Step 7

In the Priority area, select one of the following options:

• Accept default device value: To accept the default priority value assigned
to the device.

• Configure same priority on all devices in the cluster: To configure the
same priority value to all the devices in the cluster. Then enter the priority
number (between 1-10) to indicate the likelihood of the device becoming the
virtual cluster master, either at startup or when the existing master fails.

Step 8

Specify the public and private interfaces to be used on the server.

Note

Interfaces are objects. You can click Select to open a dialog box that lists
all available interface roles and interfaces and in which you can create
interface role objects. For more information, see Understanding Interface
Role Objects, page 8-115.

Step 9

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.
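The following is an added example, not code from this guide or from Security Manager or the ASA, that models the virtual cluster described in Cluster Load Balancing, page 10-22, using the values entered in the procedure above. It checks that every member agrees on the cluster-specific values (virtual cluster IP, UDP port, IPsec shared secret) and that priorities lie in 1-10, elects the virtual cluster master from the highest priority, answers a client's first connection with the public IP of the least-loaded available member, and re-elects when the master fails. The `ClusterMember` type and the three-member sample are constructed; the tie-breaking rules (lowest public IP wins among equal priorities or equal loads) are an assumption of this model, not documented ASA behaviour.

```python
"""Added example: a model of an ASA VPN load-balancing virtual cluster.

Not Security Manager or ASA code. Member fields and the sample cluster are
constructed; tie-breaking by lowest public IP is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClusterMember:
    public_ip: str
    cluster_ip: str        # virtual cluster IP, identical on every member
    cluster_port: int      # UDP port, default 9023
    ipsec_secret: str      # IPsec shared secret, identical on every member
    priority: int          # 1-10, likelihood of becoming master
    sessions: int = 0      # current remote-access sessions (load)
    available: bool = True


def config_errors(members: List[ClusterMember]) -> List[str]:
    """Report priorities outside 1-10 and any cluster-wide value that differs
    from the first member's; all must match for the cluster to form."""
    errors = []
    ref = members[0]
    for m in members:
        if not 1 <= m.priority <= 10:
            errors.append(f"{m.public_ip}: priority {m.priority} is outside 1-10")
        for attr in ("cluster_ip", "cluster_port", "ipsec_secret"):
            if getattr(m, attr) != getattr(ref, attr):
                errors.append(f"{m.public_ip}: {attr} differs from {ref.public_ip}")
    return errors


def elect_master(members: List[ClusterMember]) -> Optional[ClusterMember]:
    """Highest priority among available members wins; on a tie the lowest
    public IP is chosen (assumption of this model)."""
    live = [m for m in members if m.available]
    if not live:
        return None
    return min(live, key=lambda m: (-m.priority, ipaddress.ip_address(m.public_ip)))


def direct_client(members: List[ClusterMember]) -> Optional[str]:
    """First transaction: the master hands the client the public IP of the
    least-loaded available member; the client then connects there directly."""
    if elect_master(members) is None:
        return None  # no device left to answer the virtual cluster IP
    target = min((m for m in members if m.available),
                 key=lambda m: (m.sessions, ipaddress.ip_address(m.public_ip)))
    target.sessions += 1
    return target.public_ip


def sample_cluster() -> List[ClusterMember]:
    """Constructed sample: three ASAs sharing virtual cluster IP 203.0.113.10."""
    return [
        ClusterMember("203.0.113.11", "203.0.113.10", 9023, "s3cret", priority=5, sessions=40),
        ClusterMember("203.0.113.12", "203.0.113.10", 9023, "s3cret", priority=10, sessions=70),
        ClusterMember("203.0.113.13", "203.0.113.10", 9023, "s3cret", priority=5, sessions=10),
    ]


if __name__ == "__main__":
    cluster = sample_cluster()
    print("config problems:", config_errors(cluster) or "none")
    print("master:", elect_master(cluster).public_ip)
    print("client sent to:", direct_client(cluster))
    cluster[1].available = False   # the master fails
    print("new master:", elect_master(cluster).public_ip)
```

Note that the master is not the device a client ends up on: in the sample the master (priority 10) carries the heaviest load, so the client is sent to the member with ten sessions, and when the master fails the two remaining members tie on priority and the model falls back to the lowest public IP.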

Related Topics

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

Cluster Load Balancing, page 10-22

ASA Cluster Load Balance Page, page H-50

Public Key Infrastructure Policies in Remote Access VPNs


Security Manager supports IPsec configuration with Certification Authority (CA)
servers, also known as trustpoints, that manage Public Key Infrastructure (PKI)
certificate requests and issue certificates to the devices in a remote access VPN.
You can create a Public Key Infrastructure (PKI) policy to generate PKI
enrollment requests for PKI certificates and RSA keys, and manage keys and
certificates. These services provide centralized key management for the
participating devices.
For more information, see Understanding Public Key Infrastructure Policies,
page 9-87.


In Security Manager, CA servers are defined as PKI enrollment objects that you
can use in your PKI policies. A PKI enrollment object contains the server
information and enrollment parameters that are required for creating enrollment
requests for CA certificates. For more information, see Understanding PKI
Enrollment Objects, page 8-136.

Note

In remote access VPNs, digital certificates are used for user authentication. When
creating or editing a PKI enrollment object, you must configure each remote
component (spoke) with the name of the user group to which it connects. Remote
clients should also be configured to use digital certificates for user authentication
during IKE negotiations, by specifying the user group name when configuring
ISAKMP settings (see Configuring Global Settings in a Remote Access VPN,
page 10-27).
Related Topics

Configuring a PKI Policy in a Remote Access VPN, page 10-25

Public Key Infrastructure Page, page H-39

Configuring a PKI Policy in a Remote Access VPN


This procedure describes how to specify the CA server(s) that will be used to
create a Public Key Infrastructure (PKI) policy in your remote access VPN.
Before You Begin

In Device view (View > Device View), select the device on which you are
configuring PKI.

Make sure the selected device has Cisco IOS Release 12.3(7)T or later.

Please read Prerequisites for Successful PKI Enrollment, page 9-89.

Procedure
Step 1

In Device view, select Remote Access VPN > RA VPN Policies > Public Key
Infrastructure from the Policy selector. The Public Key Infrastructure page
opens. For a description of the elements on this page, see Table H-16 on
page H-41.

Step 2

Select the required CA server(s) from the Available CA Servers list and click >>.
If the required CA server is not included in the list, click Create to open the PKI
Enrollment dialog box which enables you to create or edit a PKI enrollment
object. For more information, see PKI Enrollment Dialog Box, page F-437.

Note

When creating or editing a PKI enrollment object, make sure you
configure each remote component (spoke) with the name of the user group
to which it connects. You specify this information in the Organization
Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment
Editor dialog box. In addition, the certificate issued to the client should
have OU as the name of the user group. For more information, see
Defining Additional PKI Attributes, page 8-145.

Step 3

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Note

To save the RSA key pairs and the CA certificates permanently between reloads
to flash memory on a PIX firewall version 6.3, you must configure the "ca save
all" command. You can do this manually on the device or by using a FlexConfig
(see Chapter 19, Managing FlexConfigs).

Related Topics

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

Public Key Infrastructure Policies in Remote Access VPNs, page 10-24

Understanding Public Key Infrastructure Policies, page 9-87

Prerequisites for Successful PKI Enrollment, page 9-89

Public Key Infrastructure Page, page H-39

Understanding PKI Enrollment Objects, page 8-136


VPN Global Settings in Remote Access VPNs


On the VPN Global Settings page, you can define global settings for IKE, IPsec,
NAT, and fragmentation, that apply to devices in your remote access VPN.
A full description of VPN global settings is provided in Understanding VPN
Global Settings, page 9-78.
Global VPN settings comprise:

• ISAKMP/IPsec settings that enable you to configure ISAKMP (IKE) and
IPsec parameters that allow peers to negotiate in establishing a VPN tunnel
in a remote access VPN. For more information, see Understanding
ISAKMP/IPsec Settings, page 9-79.

• Network Address Translation (NAT) settings to enable devices that use
internal IP addresses to send and receive data through the Internet. For more
information, see Understanding NAT, page 9-80.

• General Settings, including fragmentation settings and the maximum
transmission unit (MTU) handling parameters that you can configure on the
devices in your remote access VPN. For more information, see Understanding
Fragmentation, page 9-82.

Related Topics

Configuring Global Settings in a Remote Access VPN, page 10-27

VPN Global Settings Page, page H-42

Configuring Global Settings in a Remote Access VPN


Follow the procedure below to define global settings in your remote access VPN.
Before You Begin

In Device view (View > Device View), select the required device.
Procedure
Step 1

In Device view, select Remote Access VPN > RA VPN Policies >
VPN Global Settings from the Policy selector.


The VPN Global Settings page opens, displaying the ISAKMP/IPsec Settings tab.
For a description of the elements on the ISAKMP/IPsec Settings tab, see
Table H-17 on page H-43.
Step 2

In the ISAKMP/IPsec Settings tab, specify global settings for IKE and IPsec, as
follows:
a.

Select Enable Keepalive to configure IKE keepalive as the default failover
and routing mechanism for your devices. (Applies to Cisco IOS routers,
Catalyst 6500/7600 devices, and PIX Firewalls version 6.3.)

b.

Enter the number of seconds a device must wait between sending IKE
keepalive packets.

c.

Enter the number of seconds a device must wait between attempts to establish
an IKE connection with the remote peer.

d.

Select Periodic if you want to send dead-peer detection (DPD) keepalive
messages, even if there is no outbound traffic to be sent (for routers except
7600).

e.

Specify whether the device uses an IP address or hostname to identify itself
in IKE negotiations. You can also specify to use a distinguished name (DN)
to identify a user group name.

f.

Specify the maximum number of SA requests allowed before IKE starts
rejecting them (for routers except 7600).

g.

Specify the percentage of system resources that can be used before IKE starts
rejecting new SA requests (for Cisco IOS routers and Catalyst 6500/7600
devices).

h.

Select Enable Lifetime to configure the global lifetime settings for the
crypto IPsec SAs on the devices in your remote access VPN.

i.

Specify the number of seconds an SA will exist before expiring.

j.

Specify the volume of traffic (in kilobytes) that can pass between IPsec peers
using a given SA before it expires.

k.

Specify the Xauth timeout, that is, the number of seconds the device will wait
for a system response to the Xauth challenge (Cisco IOS routers and Catalyst
6500/7600 devices).

l.

Specify the maximum number of SAs that can be enabled simultaneously on


the device (ASA or PIX 7.0 devices only).

m. Select Enable IPsec via Sysopt to specify that any packet that comes from
an IPsec tunnel be implicitly trusted (PIX 6.3, PIX 7.0, and ASA devices
only).
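Items b, c, d, i and j above set timers whose interaction is easier to see in code than in the field descriptions. The following Python model is an added example and is not part of this guide or of Security Manager. Its simplifications are assumptions made for the illustration: the number of unanswered probes before a peer is declared dead is a fixed max_retries value, on-demand DPD (Periodic not selected) probes only while outbound traffic is queued, and an IPsec SA expires on whichever of the time or kilobyte lifetime is reached first.

```python
"""Simplified model of the IKE keepalive (DPD) and IPsec SA lifetime settings.

Added example, not Security Manager code: the decision rules are an assumed,
simplified reading of items b, c, d, i and j of the ISAKMP/IPsec Settings tab.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IsakmpGlobals:
    keepalive_enabled: bool = True   # item a: Enable Keepalive
    keepalive_interval_s: int = 10   # item b: seconds between keepalive (DPD) probes
    retry_interval_s: int = 3        # item c: seconds between retries when no reply arrives
    periodic: bool = False           # item d: probe even when no outbound traffic is waiting
    sa_lifetime_s: int = 3600        # item i: SA time lifetime
    sa_lifetime_kb: int = 4_608_000  # item j: SA volume lifetime in kilobytes
    max_retries: int = 5             # assumed: unanswered probes before the peer is declared dead


@dataclass
class PeerState:
    last_inbound_s: float            # last time any traffic arrived from the peer
    last_probe_s: Optional[float] = None
    unanswered_probes: int = 0


def dpd_decision(cfg: IsakmpGlobals, peer: PeerState, now: float,
                 outbound_pending: bool) -> str:
    """Return 'idle', 'probe' or 'dead' for one scheduling tick.

    On-demand DPD (periodic=False) only probes when local traffic is waiting to
    be sent and the peer has been silent for the keepalive interval; periodic
    DPD probes on the interval regardless of outbound traffic.
    """
    if not cfg.keepalive_enabled:
        return "idle"
    if peer.unanswered_probes >= cfg.max_retries:
        return "dead"
    silent_for = now - peer.last_inbound_s
    if silent_for < cfg.keepalive_interval_s:
        peer.unanswered_probes = 0           # the peer proved liveness; reset the retry count
        return "idle"
    if not cfg.periodic and not outbound_pending:
        return "idle"                        # nothing to send, so no reason to probe
    # The first probe is spaced by the keepalive interval, retries by the retry interval.
    spacing = cfg.retry_interval_s if peer.unanswered_probes else cfg.keepalive_interval_s
    if peer.last_probe_s is not None and now - peer.last_probe_s < spacing:
        return "idle"
    peer.last_probe_s = now
    peer.unanswered_probes += 1
    return "probe"


def sa_expired(cfg: IsakmpGlobals, age_s: float, kbytes_passed: float) -> bool:
    """An IPsec SA expires on whichever lifetime, time or volume, is reached first."""
    return age_s >= cfg.sa_lifetime_s or kbytes_passed >= cfg.sa_lifetime_kb


def simulate_silent_peer(cfg: IsakmpGlobals, outbound_pending: bool,
                         horizon_s: int = 120) -> Tuple[int, Optional[int]]:
    """Tick once per second against a peer that stopped answering at t=0.

    Returns (probes_sent, second_at_which_the_peer_was_declared_dead_or_None).
    """
    peer = PeerState(last_inbound_s=0.0)
    probes, dead_at = 0, None
    for t in range(1, horizon_s + 1):
        verdict = dpd_decision(cfg, peer, float(t), outbound_pending)
        if verdict == "probe":
            probes += 1
        elif verdict == "dead":
            dead_at = t
            break
    return probes, dead_at


if __name__ == "__main__":
    print("periodic:", simulate_silent_peer(IsakmpGlobals(periodic=True), outbound_pending=False))
    print("on-demand, no traffic:", simulate_silent_peer(IsakmpGlobals(), outbound_pending=False))
    print("on-demand, traffic queued:", simulate_silent_peer(IsakmpGlobals(), outbound_pending=True))
```

With the defaults above, a silent peer is probed five times and declared dead 23 seconds after its last traffic when DPD is periodic or when traffic is queued; with on-demand DPD and nothing to send, it is never probed, which is the behaviour item d is there to change.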

Step 3
Click the NAT Settings tab to define global NAT settings that apply to devices
that use internal IP addresses to send and receive data through the public Internet.
For a description of the elements on the NAT Settings tab, see Table H-18 on
page H-46.

a. Select Enable Traversal Keepalive for the transmission of keepalive
messages when a device (referred to as the middle device) located between a
VPN-connected hub and spoke performs NAT on the IPsec flow.

b. Specify the interval (between 5 and 3600 seconds) between the keepalive
signals sent between the spoke and the middle device to indicate that the
session is active.

c. Select Enable Traversal over TCP (for ASA or PIX 7.0 devices only) to
encapsulate both the IKE and IPsec protocols within a TCP packet, and
enable secure tunneling through both NAT and PAT devices and firewalls.

d. Enter the TCP ports for which you want to enable NAT traversal (ASA or
PIX 7.0 devices only).

Step 4
Click the General Settings tab to define fragmentation and other global settings
on the devices in your remote access VPN. For a description of the elements on
the General Settings tab, see Table H-19 on page H-48.

a. Select the fragmentation mode from the following options:

No Fragmentation: Select if you do not want to fragment before IPsec
encapsulation.

End to End MTU Discovery: Select to use ICMP messages for the
discovery of MTU.

Local MTU Handling: Select to set the MTU locally on the devices.
This option is typically used when ICMP is blocked.

See Understanding Fragmentation, page 9-82.

b. Specify the MTU size (between 68 and 65535 bytes depending on the VPN
interface).

c. Select the required setting for the DF bit (for Cisco IOS routers, ASA, or
PIX 7.0 devices): Copy, Set, or Clear.
d. Select Enable Fragmentation Before Encryption (for Cisco IOS routers,
ASA, or PIX 7.0 devices) to fragment before encryption if the expected
packet size exceeds the MTU (Cisco IOS routers only).

e. Select Enable Notification on Disconnection (for ASA or PIX 7.0 devices
only) to notify qualified peers of sessions that are about to be disconnected.

f. Select Enable Spoke-to-Spoke Connectivity through the Hub (for ASA or
PIX 7.0 devices only) to enable direct communication between spokes in a
hub-and-spoke VPN topology in which the hub is an ASA device or a
PIX Firewall version 7.0.

g. Select Enable Default Route (for Cisco IOS routers only) to use the device's
configured external interface as the default outbound route for all incoming
traffic.

Step 5
Click Save to save your changes to the server.

Note
To publish your changes, click the Submit button on the toolbar.
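To show what the fragmentation mode, MTU, DF bit and Enable Fragmentation Before Encryption settings in Step 4 change about an oversized packet, here is an added Python example; it is not code from this guide, from Security Manager or from the devices. It assumes ESP tunnel mode with a 16-byte block cipher and IV and a 12-byte integrity check value for the size arithmetic, and its drop-versus-fragment rules are a simplified model of the Copy/Set/Clear DF-bit semantics.

```python
"""Where an IPsec packet gets fragmented, and what the DF-bit setting does to it.

Added example, not Security Manager or device code. Size constants assume
ESP tunnel mode with AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte
ICV); the drop/fragment rules are a simplified model of the Step 4 settings.
"""
from dataclasses import dataclass
from enum import Enum
from math import ceil


class DfPolicy(Enum):
    COPY = "copy"    # outer DF bit copied from the inner (cleartext) header
    SET = "set"      # outer DF bit always set
    CLEAR = "clear"  # outer DF bit always cleared


OUTER_IP_HDR = 20
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 16          # assumed AES-CBC IV length
ESP_ICV = 12         # assumed HMAC-SHA1-96 ICV length
ESP_BLOCK = 16       # assumed cipher block size used for padding
ESP_TRAILER = 2      # pad length + next header


def esp_tunnel_size(inner_len: int) -> int:
    """Size on the wire of an inner IP packet after ESP tunnel-mode encapsulation."""
    payload = inner_len + ESP_TRAILER
    padding = (-payload) % ESP_BLOCK
    return OUTER_IP_HDR + ESP_HDR + ESP_IV + payload + padding + ESP_ICV


def largest_inner_for_mtu(mtu: int) -> int:
    """Largest cleartext packet whose encapsulated form still fits the MTU."""
    for n in range(mtu, 0, -1):
        if esp_tunnel_size(n) <= mtu:
            return n
    raise ValueError("MTU too small for any ESP packet")


def ip_fragment_count(total_len: int, limit: int) -> int:
    """Fragments needed to carry an IP packet of total_len bytes under limit.

    IP fragment data lengths (everything after the 20-byte header) must be
    multiples of 8 bytes.
    """
    data_per_fragment = (limit - 20) // 8 * 8
    return ceil((total_len - 20) / data_per_fragment)


@dataclass(frozen=True)
class Plan:
    action: str          # encrypt | fragment-before-encryption | fragment-after-encryption | drop-icmp-frag-needed
    wire_packets: int    # packets that leave the tunnel interface
    encapsulated_size: int


def plan_packet(inner_len: int, inner_df: bool, mtu: int,
                df_policy: DfPolicy, fragment_before_encryption: bool) -> Plan:
    """Decide what happens to one cleartext packet entering the IPsec tunnel."""
    size = esp_tunnel_size(inner_len)
    if size <= mtu:
        return Plan("encrypt", 1, size)

    outer_df = {DfPolicy.COPY: inner_df, DfPolicy.SET: True, DfPolicy.CLEAR: False}[df_policy]

    if fragment_before_encryption:
        # Look-ahead fragmentation: split the cleartext so that every fragment,
        # once encrypted, fits the MTU; the receiver decrypts each fragment on
        # its own. The sender's DF bit is honoured unless the policy clears it.
        if inner_df and df_policy is not DfPolicy.CLEAR:
            return Plan("drop-icmp-frag-needed", 0, size)
        count = ip_fragment_count(inner_len, largest_inner_for_mtu(mtu))
        return Plan("fragment-before-encryption", count, size)

    # Post-encryption fragmentation: the ESP packet itself is split, and the
    # receiving peer must reassemble it before it can decrypt anything.
    if outer_df:
        return Plan("drop-icmp-frag-needed", 0, size)
    return Plan("fragment-after-encryption", ip_fragment_count(size, mtu), size)


if __name__ == "__main__":
    for before in (False, True):
        print(before, plan_packet(1500, False, 1500, DfPolicy.COPY, before))
```

Running it for a 1500-byte packet on a 1500-byte MTU shows the practical difference: with pre-encryption fragmentation the peer receives two independently decryptable packets, without it the peer must hold ESP fragments for reassembly before decryption, and with DF Set (or Copy on a DF-marked packet) the packet is dropped and path MTU discovery has to do the work, which is why the Local MTU Handling option exists for networks that block ICMP.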

Related Topics

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

VPN Global Settings in Remote Access VPNs, page 10-27

VPN Global Settings Page, page H-42

ISAKMP/IPsec Settings Tab, page H-43

NAT Settings Tab, page H-46

General Settings Tab, page H-47

DN Matching Policies
Distinguished name (DN) rules are used for enhanced certificate authentication
on PIX 7.0 and ASA devices.
A DN is a unique identification, made up of individual fields, that can be used as
the identifier when matching users to a tunnel group.


Certificate group matching lets you define rules to match a user's certificate to a
permission group based on fields in the DN. To establish authentication, you can
use any field of the certificate, or you can have all certificate users share a
permission group.
To match user permission groups based on fields of the certificate, you define
rules that specify the fields to match for a group and then enable each rule for that
selected group. A tunnel group must already exist in the configuration before you
can create a rule for it.
After you define rules, you must configure a certificate group matching policy to
define the method for identifying the permission groups of certificate users. You
can match the group from the DN rules, the Organization Unit (OU) field, the IKE
identity, or the peer IP address. You can use any or all of these methods.
Related Topics

Configuring a DN Matching Policy, page 10-31

DN Matching Policy Page, page H-52

Configuring a DN Matching Policy

This procedure describes how to configure a DN Matching policy for a remote
client trying to connect to a PIX 7.0 or an ASA server device.

Before You Begin

In Device view (View > Device View), select the required device (PIX 7.0 or
ASA device).

Make sure a tunnel group has been configured on the device. See Configuring
Tunnel Group Policies, page 10-9.

Procedure

Step 1
In Device view, select Remote Access VPN > RA VPN Policies > DN
Matching Policy from the Policy selector. The DN Matching Policy page is
displayed.

Step 2
Select any, or all, of the following check boxes:

a. Use Configured Rules to Match a Certificate to a Group to configure the
server to use the configured DN rules to establish authentication.
b. Use Certificate Organization Unit (OU) Field to Determine the Group to
configure the server to use the OU field of the DN to establish authentication.

c. Use IKE Identity to Determine the Group to configure the server to use the
IKE identity of the DN to establish authentication.

d. Use Peer IP address to Determine the Group to configure the server to use
the peer IP address of the DN to establish authentication.

For a description of the elements on the DN Matching Policy page, see Table H-21
on page H-53.
Step 3

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

DN Matching Policies, page 10-30

Configuring a DN Matching Rules Policy, page 10-33

DN Matching Policy Page, page H-52

DN Matching Rules
Note

DN Matching rules can be configured only on PIX Firewalls version 7.0, or ASA
devices.
When configuring certificate group matching, you must define DN rules to match
a remote client's certificate to a permission group, based on fields in the DN.
To match user permission groups based on fields of the certificate, you define
rules that specify the fields to match for a group and then enable each rule for that
selected group. A tunnel group must already exist in the configuration before you
can create and map a rule to it.

After defining the DN rules, you must configure a certificate group matching
policy to define the method for identifying the permission groups of certificate
users. For more information, see DN Matching Policies, page 10-30.

Note

A tunnel group must already exist in the configuration before you can create and
map a DN Matching rule to it. If you unassign a tunnel group after creating a DN
Matching rule, the DN rules that are mapped to the tunnel group are unassigned.
See Configuring Tunnel Group Policies, page 10-9.
Related Topics

Configuring Tunnel Group Policies, page 10-9

Configuring a DN Matching Rules Policy, page 10-33

DN Matching Rules Page, page H-54

Configuring a DN Matching Rules Policy


This procedure describes how to configure the DN Matching rules and parameters
for any remote client trying to connect to a PIX Firewall version 7.0 or an ASA
server device.
Before You Begin

In Device view (View > Device View), select the required device (PIX 7.0 or
ASA device).

Make sure a tunnel group is configured on the device. See Configuring Tunnel
Group Policies, page 10-9.

Procedure
Step 1

In Device view, select Remote Access VPN > RA VPN Policies > DN
Matching Rules from the Policy selector. The DN Matching Rules page is
displayed. For a description of the elements on this page, see Table H-22 on
page H-55.

Step 2

Click Create in the upper pane to configure the priority and tunnel group mapping
for your matching rules. The DN Rule page is displayed. For a description of the
elements on this page, see Table H-23 on page H-56.

Step 3

Select a tunnel group from the list.

Step 4

Enter the priority number for the matching rule. A lower number has higher
priority.

Step 5

Click OK. The DN Matching rule is displayed in the upper pane of the page.

Step 6

Select the tunnel group mapping created in the upper pane to display the details
in the lower pane.

Step 7

Click Create in the lower pane to configure the DN Matching rule that must be
satisfied in order for a remote client to connect to the device. The DN Rule page
is displayed. For a description of the elements on this page, see Table H-24 on
page H-57.

Step 8

Select the certificate field from the list.

Step 9

Select the component of the rule you wish to configure.

Step 10

Select the operator of the rule.

Step 11

Enter the value for the matching rule.

Step 12

Click OK. The DN Matching rule parameters are displayed in the lower pane of
the page.

Step 13

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

Tunnel Group Policies in Remote Access VPNs, page 10-8

DN Matching Policies, page 10-30

DN Matching Rules, page 10-32

DN Matching Rules Page, page H-54

Managing Shared Remote Access VPN Policies in Policy View


In Policy view, you can view all shared policies for each policy type in a remote
access VPN, modify individual policies, and apply the policies globally to
multiple devices. You can also create shared policies that you can assign later to
devices.
This procedure describes how to create or edit remote access VPN policies, and
modify their assignments to devices, from Policy view.
Procedure
Step 1

Click the Policy View button on the toolbar.

Step 2

Select the Remote Access VPN folder from the Policy selector. The folder opens,
listing the types of IPsec policies that you can define for a remote access VPN.
For more information, see Policy View Selectors, page 6-42.

Step 3

To view the shared policies defined for a policy type, select the policy type from
the Policy Type selector. Any policies that are defined for the selected policy type
are displayed in the Shared Policy selector in the lower pane.

Step 4
To create a shared policy for a policy type:

a. Right-click the policy type and select New [policy type] Policy from the
shortcut menu. The Create a Policy dialog box opens.

b. Enter a name for the new policy and click OK. The new policy will appear in
the Shared Policy selector for the selected policy type, displaying predefined
definitions, which you can edit, if required.

Step 5
To view or edit a policy's definitions, or do both:

a. Select the policy in the Shared Policy selector. The Details tab in the work
area of Policy view opens, displaying the definitions for the policy.

b. If required, modify the definitions for the policy. See Working with Policies
in Remote Access VPNs, page 10-3.

Step 6
To view or edit a policy's assignments, or do both:

a. Select the policy in the Shared Policy selector, and click the Assignments tab
in the work area. For a description of the elements on this tab, see Policy
View - Assignments Tab, page D-28.
b. If required, modify the list of devices to which the policy is assigned. See
Modifying Policy Assignments in Policy View, page 6-46.

Step 7
Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Working with Policies in Remote Access VPNs, page 10-3

Managing Shared Policies in Policy View, page 6-40


CHAPTER 11

Managing SSL VPNs


The SSL VPN feature enables users to access enterprise networks from any
Internet-enabled location using only a web browser that natively supports Secure
Socket Layer (SSL) encryption, without the need for a software or hardware
client.

Note

SSL VPN is supported on ASA 5500 devices running software version 7.1 and
later, and IOS routers running software version 12.4(6)T and later.
On IOS devices, remote access is provided through an SSL-enabled VPN gateway.
Using an SSL-enabled web browser, the remote user establishes a connection to
the SSL VPN gateway. After the remote user is authenticated to the secure
gateway via the web browser, an SSL VPN session is established and the user can
access the internal corporate network. A portal page enables users to access all the
resources available on the SSL VPN networks.
On ASA devices, remote users establish a secure, remote access VPN tunnel to
the security appliance using the web browser. The SSL protocol provides the
secure connection between remote users and specific, supported internal
resources that you configure at a central site. The security appliance recognizes
connections that need to be proxied, and the HTTP server interacts with the
authentication subsystem to authenticate users.

Note
Network administrators provide user access to SSL VPN resources on a group
basis. Users have no direct access to resources on the internal network.

Figure 11-1 shows how a mobile worker can access protected resources from the
main office and branch offices. Site-to-site IPsec connectivity between the main
and remote sites is unaltered. The mobile worker needs only Internet access and
supported software (web browser and operating system) to securely access the
corporate network.
Figure 11-1

Secure SSL VPN Access Example

Prerequisites for Configuring SSL VPN

For a remote user to securely access resources on a private network behind an
SSL VPN gateway, the following prerequisites must be met:

A user account (login name and password).

An SSL-enabled browser (such as Internet Explorer, Netscape, Mozilla, or
Firefox).

An Email client (such as Eudora, Microsoft Outlook, or Netscape Mail).

One of the following operating systems:

Microsoft Windows 2000 or Windows XP with either the Sun
Microsystems Java Runtime Environment (JRE) for Windows version
1.4 or later, or a browser that supports ActiveX control.

Linux with Sun Microsystems JRE for Linux version 1.4 or later. To
access Microsoft file shares from Linux in clientless remote access mode,
Samba must also be installed.
Related Topics

SSL VPN Access Modes, page 11-3

Configuring SSL VPN on an IOS Device, page 11-6

Configuring SSL VPN on an ASA Device, page 11-28

SSL VPN Access Modes


SSL VPN provides three modes of remote access that are supported on IOS
routers and ASA devices: Clientless, Thin Client, and Full Tunnel client.
Clientless Access Mode

In Clientless mode, the remote user accesses the internal or corporate network
using a web browser on the client machine. No applet downloading is required.
Clientless mode is useful for accessing most content that you would expect in a
web browser, such as Internet access, databases, and online tools that employ a
web interface. It supports web browsing (using HTTP and HTTPS), file sharing
using Common Internet File System (CIFS), and Outlook Web Access (OWA)
email. For Clientless mode to work successfully, the PC of the remote user must
run Windows 2000, Windows XP, or Linux operating systems.
Thin Client Access Mode

Thin Client mode, also called TCP port forwarding, assumes that the client
application uses TCP to connect to a well-known server and port. In this mode,
the remote user downloads a Java applet by clicking the link provided on the
portal page. The Java applet acts as a TCP proxy on the client machine for the
services configured on the SSL VPN gateway. The Java applet starts a new SSL
connection for every client connection.
The Java applet initiates an HTTP request from the remote user client to the
SSL VPN gateway. The name and port number of the internal email server is
included in the HTTP request. The SSL VPN gateway creates a TCP connection
to that internal email server and port.

Thin Client mode extends the capability of the cryptographic functions of the Web
browser to enable remote access to TCP-based applications such as Post Office
Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet
Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).

Note
The TCP port-forwarding proxy works only with the Sun Microsystems JRE
version 1.4 or later. A Java applet is loaded through the browser that
verifies the JRE version. The Java applet refuses to run if a compatible JRE
version is not detected.

When using Thin Client mode, you should be aware of the following:

The remote user must allow the Java applet to download and install.

For TCP port-forwarding applications to work seamlessly, administrative
privileges must be enabled for remote users.

You cannot use Thin Client mode for applications such as FTP, where the
ports are negotiated dynamically. You can use TCP port forwarding only with
static ports.

Full Tunnel Client Access Mode

Full Tunnel Client mode enables access to the corporate network completely over
an SSL VPN tunnel, which is used to move data at the network (IP) layer. This
mode supports most IP-based applications, such as Microsoft Outlook, Microsoft
Exchange, Lotus Notes E-mail, and Telnet. Being part of the SSL VPN is
completely transparent to the applications run on the client. A Java applet is
downloaded to handle the tunneling between the client host and the SSL VPN
gateway. The user can use any application as if the client host were in the internal
network.
The tunnel connection is determined by the group policy configuration. The SSL
VPN Client (SVC) is downloaded and installed to the remote client, and the tunnel
connection is established when the remote user logs in to the SSL VPN gateway.
By default, the SVC is removed from the remote client after the connection is
closed, but you can keep it installed, if required.

Note

In Security Manager, the SVC is managed using a FlexConfig policy. For more
information, see Predefined FlexConfig Policy Objects, page 19-7.

Note

Full Tunnel SSL VPN access requires administrative privileges on the remote
client.
Related Topics

Managing SSL VPNs, page 11-1

Configuring the Full Tunnel Access Mode, page 11-24

Configuring the Clientless and Thin Client Access Modes, page 11-26

Full Tunnel Access Mode Page, page I-11

Clientless and Thin Client Access Modes Page, page I-15

Working with SSL VPN Policies


SSL VPN policies define the configuration that is required for remote users to
establish a secure remote access VPN tunnel between an Internet-enabled location
and a private network behind an SSL VPN, using an SSL-enabled web browser.

Note
You can set up and configure SSL VPNs on Cisco IOS routers and Adaptive
Security Appliance (ASA) devices.

You cannot discover the configurations on a device that is already deployed
in an SSL VPN network. Security Manager leaves any existing SSL VPN
configurations intact on the device until you deploy SSL VPN policies that
were configured with Security Manager.

In Device view, you can view and configure SSL VPN policies for devices. To
access Device view, select View > Device View or click the Device View button
in the toolbar. You can right-click a policy in the Policy selector to display menu
options that enable you to share the policy, assign the shared policy to, or unassign
it from the selected device. For more information, see Performing Basic Policy
Management, page 6-20.
You can also view all shared policies for each policy type in an SSL VPN, edit
policies, and modify their assignments to devices, in Policy view. See Managing
Shared Policies in Policy View, page 6-40.
Note

You must have read-write permissions to modify an SSL VPN policy. For more
information, see Modify Policies Permissions, page 2-14.
These topics provide information about configuring an SSL VPN from the
Security Manager Device view:

Using the Wizard to Create an IOS SSL VPN Connection, page 11-7

Configuring an SSL VPN Policy (IOS), page 11-11

Using the Wizard to Create an ASA SSL VPN Connection Profile, page 11-28

Configuring SSL VPN Policies on an ASA Device, page 11-33

Configuring SSL VPN on an IOS Device


On Cisco IOS routers, remote access is provided through an SSL-enabled VPN
gateway. Using an SSL-enabled web browser, the remote user establishes a
connection to the SSL VPN gateway. After the remote user is authenticated to the
secure gateway via the web browser, an SSL VPN session is established and the
user can access the internal corporate network. A portal page enables users to
access all the resources available on the SSL VPN networks.
SSL VPN configuration on Cisco IOS routers is usually deployed in small
office/home office (SOHO) networks, remote branch offices, and main corporate
sites.
Using Security Manager, you can create a basic connection with a limited set of
features that enable an SSL VPN to function, and then configure additional
policies and features for your SSL VPN.
These topics describe how to configure an SSL VPN connection and the policies
required for it to function:

Using the Wizard to Create an IOS SSL VPN Connection, page 11-7

Configuring an SSL VPN Policy (IOS), page 11-11

Using the Wizard to Create an IOS SSL VPN Connection


The SSL VPN wizard enables you to configure SSL VPN on your VPN gateway
(server) device.
The wizard creates an SSL VPN connection with a limited set of features that
enable a basic SSL VPN to function. After you complete the wizard, you can
configure additional policies and features for the SSL VPN, or modify the
existing ones. If required, you can return to the wizard to create additional
SSL VPN configurations.
To access the SSL VPN wizard:

1. Click the Device View button in the toolbar.

2. From the Device Selector, select the IOS device you want to configure as your
VPN gateway (server).

3. Select SSL VPN > SSL VPN Wizard from the Policy selector.

4. Click SSL VPN Server Wizard.

These topics describe the steps in the SSL VPN wizard:

Configuring an SSL VPN Gateway and Context, page 11-7

Customizing the SSL VPN Portal Page, page 11-10

Related Topics

Configuring SSL VPN on an IOS Device, page 11-6

Configuring an SSL VPN Gateway and Context


The SSL VPN gateway acts as a proxy for connections to protected resources,
which are accessed through an SSL-encrypted connection between the gateway
and a web-enabled browser on a remote device.
An SSL VPN gateway provides a reachable IP address and certificate for one or
more SSL VPN contexts. Each gateway configured on a router must be configured
with its own IP address; IP addresses cannot be shared among gateways. You can
use the IP address of a router interface, or another reachable IP address if one is
available. Either a digital certificate or a self-signed certificate must be configured
for a gateway to establish a secure connection. All gateways on the router can use
the same certificate.

An SSL VPN context defines the virtual configuration of the SSL VPN. It must
be configured before an SSL VPN gateway can be used. An SSL VPN context can
be associated with only one gateway. It supports one or more user group policies.
Although one gateway can serve multiple SSL VPN contexts, resource constraints
and IP address reachability must be taken into account.
The SSL VPN gateway and context configuration must be completed before a
remote user can access resources on a private network behind the SSL VPN. In
the first step of the SSL VPN wizard, you create an SSL VPN context, configure
a gateway, and specify information that permits users to access a portal page, as
described in the following procedure.
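As an added example (not Security Manager code), the following Python check applies the gateway and context constraints just described to a set of proposed definitions before they are deployed: every gateway needs its own IP address and a certificate (trustpoint), gateways may share a certificate, each context is associated with exactly one existing gateway, and a gateway may serve several contexts within resource limits. The Gateway and Context data model, the max_contexts_per_gateway threshold and the sample values in the usage below are assumptions made for the illustration.

```python
"""Consistency checks for SSL VPN gateway and context definitions on an IOS router.

Added example, not Security Manager code. The data model and the
max_contexts_per_gateway threshold are assumptions; the checks encode the
constraints stated in the text above.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str
    ip: str                 # public static IP of the router or of a router interface
    port: int = 443         # port carrying the HTTPS traffic
    trustpoint: str = ""    # self-signed or CA-issued certificate; required


@dataclass(frozen=True)
class Context:
    name: str                           # recommended: the domain or virtual hostname
    gateway: str                        # name of the single gateway this context uses
    user_groups: Tuple[str, ...] = ()   # one or more user group policies


def validate(gateways: List[Gateway], contexts: List[Context],
             max_contexts_per_gateway: int = 4) -> List[str]:
    """Return a list of problems; an empty list means the definitions are consistent."""
    problems: List[str] = []
    by_name = {g.name: g for g in gateways}
    if len(by_name) != len(gateways):
        problems.append("duplicate gateway names")

    # IP addresses cannot be shared among gateways.
    for ip, n in Counter(g.ip for g in gateways).items():
        if n > 1:
            problems.append(f"IP address {ip} is used by {n} gateways")

    for g in gateways:
        try:
            ip_address(g.ip)
        except ValueError:
            problems.append(f"gateway {g.name}: {g.ip!r} is not a valid IP address")
        if not 1 <= g.port <= 65535:
            problems.append(f"gateway {g.name}: invalid port {g.port}")
        if not g.trustpoint:
            problems.append(f"gateway {g.name}: no certificate/trustpoint configured")

    for name, n in Counter(c.name for c in contexts).items():
        if n > 1:
            problems.append(f"context name {name} is defined {n} times")

    load: Counter = Counter()
    for c in contexts:
        if c.gateway not in by_name:
            problems.append(f"context {c.name}: gateway {c.gateway!r} does not exist")
        else:
            load[c.gateway] += 1
        if not c.user_groups:
            problems.append(f"context {c.name}: no user group policy attached")

    # One gateway may serve several contexts, but resource constraints apply
    # (the threshold is an assumed planning limit, not a platform figure).
    for gw, n in load.items():
        if n > max_contexts_per_gateway:
            problems.append(f"gateway {gw} serves {n} contexts (limit {max_contexts_per_gateway})")
    return problems


if __name__ == "__main__":
    # Constructed sample definitions using documentation address space.
    gws = [Gateway("gw1", "203.0.113.10", 443, "TP-self-signed"),
           Gateway("gw2", "203.0.113.10", 443, "")]
    ctxs = [Context("vpn.example.com", "gw1", ("sales",)),
            Context("partners.example.com", "gw-missing", ("partners",))]
    for p in validate(gws, ctxs):
        print("-", p)
```

Run against the constructed sample, the check reports the shared IP address, the gateway without a trustpoint and the context that points at a gateway which does not exist; a clean set returns an empty list.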
Before You Begin

In Device view (View > Device View), select the required Cisco IOS router.

Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Wizard, then click
SSL VPN Server Wizard.
The wizard opens, displaying the Gateway and Context page. For a description of
the elements on this page, see Table I-1 on page I-3.

Step 2
Select an option to specify the gateway to be used as a proxy for connections to
the protected resources in your SSL VPN. You can select to use an existing
gateway, or create a new gateway using the router's public static IP address or the
public static IP address of the router interface.

Note
The Portal Page URL field displays the URL that will appear on the Portal
page to access the SSL VPN gateway.

Step 3
If you selected to create a new gateway using the router's public static IP address
or the public static IP address of the router interface, specify the number of the
port that will carry the HTTPS traffic, and the trustpoint (self-signed certificate)
required to establish the secure connection.

Step 4

Enter a name for the context that defines the virtual configuration of the
SSL VPN.

Note
To simplify the management of multiple context configurations, you
should use the domain or virtual hostname for the context name.

Step 5

Specify the user group(s) that will be used in your SSL VPN connection. You can
click Edit to open the User Groups selector from which you can select the user
group(s), or open the User Group wizard in which you can create a user group.
For more information, see Configuring User Groups on an IOS Device,
page 11-19.

Step 6

Specify the name of the server group (LOCAL if the users are defined on the local
device) to be used for user authentication.

Step 7

Specify a list or method for SSL VPN remote user authentication.

Note

If you do not specify a list or method, the gateway uses global AAA
parameters for remote user authentication.

Step 8

Specify the name of the accounting server group to be used for authentication.

Step 9

Click Next to advance to the next step of the wizard.

Note

When you click Finish in the wizard, the new gateway and context are displayed
in the SSL VPN Policy page.

Related Topics

Using the Wizard to Create an IOS SSL VPN Connection, page 11-7

Gateway and Context Page (IOS), page I-2

Understanding User Groups in SSL VPN, page 11-17

Customizing the SSL VPN Portal Page


The portal page enables the remote user access to all resources available on the
SSL VPN networks. For example, the portal page could provide a link to allow the
remote user to download and install a thin-client Java applet (for TCP port
forwarding) or a tunneling client. Only the websites that appear as links on the
portal page are available to users.
This procedure describes how to define the appearance of the portal page. You can
select among the predefined themes listed, and obtain a preview of the portal page
as it would appear if that theme were used.
Before You Begin

In Device view (View > Device View), make sure the selected device is a Cisco
IOS router.

Procedure

Step 1
Open the Portal Page Customization page by clicking Next on the Gateway and
Context page of the SSL VPN wizard. For a description of the elements on the
Portal Page Customization page, see Table I-1 on page I-5.

Step 2

Customize the appearance of the portal page, by specifying:

The title and logo to be displayed in the title bar of the login and portal page.

A message that will be displayed to the user upon login.

The colors of the primary and secondary title bars on the login and portal
pages of the SSL VPN.

The colors of the text on the primary and secondary title bars of the login and
portal pages.

A preview of the portal page is displayed.


Step 3

When you have completed customizing the portal page, click Finish to close the
wizard.
The SSL VPN connection you have defined in the wizard is displayed in the
SSL VPN Policy page. If required, you can modify this connection from the
SSL VPN folder. See Configuring an SSL VPN Policy (IOS), page 11-11.

Related Topics

Portal Page Customization Page, page I-5

Using the Wizard to Create an IOS SSL VPN Connection, page 11-7

Configuring an SSL VPN Policy (IOS)


After you create a basic SSL VPN connection on your server device using the
SSL VPN wizard, you can modify the connection, if required, and configure
additional policies and features from the SSL VPN folder in the Device view.
The SSL VPN Policy page displays a list of all the currently defined SSL VPN
policies, including any policies that were created using the wizard. From this
page, you can create, modify, or delete SSL VPN policies.
These topics enable you to configure SSL VPN policies on an IOS router:

Configuring General Settings for an IOS SSL VPN Policy, page 11-12

Configuring the Portal Page for an IOS SSL VPN Policy, page 11-14

Configuring the Secure Desktop Software for an IOS SSL VPN Policy,
page 11-15

Configuring Advanced Settings for an IOS SSL VPN Policy, page 11-16

Related Topics

Configuring SSL VPN on an IOS Device, page 11-6

Using the Wizard to Create an IOS SSL VPN Connection, page 11-7

SSL VPN Policy Page (IOS), page I-16

Configuring General Settings for an IOS SSL VPN Policy


This procedure describes how to create or edit the general settings required for an
SSL VPN policy, such as specifying the gateway, domain, AAA servers for
accounting and authentication, and user groups.
Before You Begin

In Device view (View > Device View), select the required IOS router.
Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Policy.
The SSL VPN Policy page opens. For a description of the elements on the
SSL VPN Policy page, see Table I-7 on page I-17.

Step 2

Click Create on the SSL VPN Policy page, or select a row in the table on the page
and click Edit.
The SSL VPN Context Editor dialog box opens, displaying the General tab. For a
description of the elements on the General tab, see Table I-8 on page I-19.

Step 3

If you are creating a policy, specify the name of the context that defines the virtual
configuration of the SSL VPN.

Note

To simplify the management of multiple context configurations, the
context name is the same as the domain or virtual hostname.

Step 4

Enter or edit the gateway to be used in the SSL VPN policy. You can click Select
to open a dialog box from which you can select the gateway from a list of
SSL VPN gateway objects.

Note

The Portal Page URL field displays the URL that will appear on the Portal
page to access the SSL VPN gateway.

Step 5

Select or deselect Enable SSL VPN depending on whether you want this
SSL VPN connection to be active.


Step 6

Enter or edit the name of the server group (LOCAL if the users are defined on the
local device) to be used for user authentication. You can click Select to select an
authentication server group from a list of AAA server group objects.

Step 7

Enter or edit a method for SSL VPN remote user authentication.

Note

If you do not specify a method, the gateway uses global AAA parameters
for remote user authentication.

Step 8

If the selected device is running IOS version 12.4(9)T or later, enter or edit the
name of the accounting server group to be used for authentication. You can click
Select to select an accounting server group from a list of AAA server group
objects.

Step 9

Specify the user group(s) that will be used in your SSL VPN policy.

To add user group(s) to the User Groups table, click Create. The User
Groups Selector opens, from which you can select the required user group(s).
If the required user group is not included in the Selector, click Create to open
the Add User Group dialog box in which you can create a new user group
object. For a description of the User Groups Selector, see Table I-3 on
page I-8.

To modify the properties of a user group, select it and click Edit. The Edit
User Group dialog box opens, enabling you to edit the user group object.

For more information about user group objects, see Creating User Group Objects,
page 8-182.
Step 10

Click OK to save your settings locally on the client and close the SSL VPN
Context Editor, or click another tab in the dialog box.

Related Topics

General Tab, page I-18

Configuring an SSL VPN Policy (IOS), page 11-11


Configuring the Portal Page for an IOS SSL VPN Policy


The portal page enables the remote user to access all resources available on the
SSL VPN networks. Only the websites that appear as links on the portal page are
available to users.
You can configure the appearance of the portal page when you create an SSL VPN
connection, using the wizard (see Customizing the SSL VPN Portal Page,
page 11-10). In the Portal Page tab of the SSL VPN Context Editor, you can
redefine the themes for a selected SSL VPN policy, or customize the portal page
for a new SSL VPN policy.
This procedure describes how to define the appearance of the portal page for an
SSL VPN policy. You can select among the predefined themes listed, and obtain
a preview of the portal page as it would appear if that theme were used.
Before You Begin

In Device view (View > Device View), select the required IOS router.
Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Policy.
The SSL VPN Policy page opens. For a description of the elements on the
SSL VPN Policy page, see Table I-7 on page I-17.

Step 2

Click Create on the SSL VPN Policy page, or select a row in the table on the page
and click Edit. The SSL VPN Context Editor dialog box opens.

Step 3

Click the Portal Page tab. For a description of the elements on the Portal Page
tab, see Table I-9 on page I-21.

Step 4

Customize the appearance of the portal page for the SSL VPN policy, by
specifying:

The title and logo to be displayed in the title bar of the login and portal page.

A message that will be displayed to the user upon login.

The colors of the primary and secondary title bars on the login and portal
pages of the SSL VPN.

The colors of the text on the primary and secondary title bars of the login and
portal pages.

A preview of the portal page is displayed.



Step 5

When you have finished customizing the portal page, click OK to save your
settings locally on the client and close the SSL VPN Context Editor, or click
another tab in the dialog box.

Related Topics

Portal Page Tab, page I-21

Configuring an SSL VPN Policy (IOS), page 11-11

Configuring the Secure Desktop Software for an IOS SSL VPN Policy
Cisco Secure Desktop (CSD) enables you to eliminate all traces of sensitive data
by providing a single, secure location for session activity and removal on the
client system. CSD provides a session-based interface where sensitive data is
shared only for the duration of an SSL VPN session. All session information is
encrypted, and all traces of the session data are removed from the remote client
when the session is terminated, even if the connection terminates abruptly.

Note

In Security Manager, the CSD is managed using a FlexConfig policy. For more
information, see Predefined FlexConfig Policy Objects, page 19-7.
This procedure describes how to configure CSD on an IOS router.
Before You Begin

In Device view (View > Device View), select the required IOS router.

Make sure the Secure Desktop Client software is installed and activated on
the device. For more information, see Configuring the Cisco Secure Desktop
Software, page 11-45.

Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Policy.
The SSL VPN Policy page opens. For a description of the elements on the
SSL VPN Policy page, see Table I-7 on page I-17.


Step 2

Click Create on the SSL VPN Policy page, or select a row in the table on the page
and click Edit. The SSL VPN Context Editor dialog box opens.

Step 3

Click the Secure Desktop tab. For a description of the elements on the Secure
Desktop tab, see Table I-10 on page I-23.

Step 4

Select the Enable check box to enable CSD on the device.

Step 5

In the Configuration field, specify the filename of the CSD distribution package
to install into the running configuration (the securedesktop_asa_<n>_<n>*.pkg
file to be uploaded from your local computer to the flash device).
You can click Select to open the Secure Desktops Selector from which you can
select a CSD distribution package file from a list of CSD distribution package
objects. For more information, see Understanding Secure Desktop Configuration
Objects, page 8-153.

Step 6

Click OK to save your settings locally on the client, and close the SSL VPN
Context Editor, or click another tab in the dialog box.

Related Topics

Configuring the Cisco Secure Desktop Software, page 11-45

Secure Desktop Tab, page I-22

Configuring an SSL VPN Policy (IOS), page 11-11

Configuring Advanced Settings for an IOS SSL VPN Policy


This procedure describes how to specify or edit the advanced settings required for
an SSL VPN policy, including the maximum number of SSL VPN user sessions
that can be configured, and Virtual Routing Forwarding (VRF) related
information.


Before You Begin

In Device view (View > Device View), select the required IOS router.
Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Policy.
The SSL VPN Policy page opens. For a description of the elements on the
SSL VPN Policy page, see Table I-7 on page I-17.

Step 2

Click Create on the SSL VPN Policy page, or select a row in the table on the page
and click Edit. The SSL VPN Context Editor dialog box opens.

Step 3

Click the Advanced tab. For a description of the elements on the Advanced tab,
see Table I-11 on page I-24.

Step 4

Specify the maximum number of SSL VPN user sessions that can be configured
(within the range of 1-1000).

Step 5

If Virtual Routing Forwarding (VRF) is configured on the device, specify the
name of the VRF instance that is associated with the SSL VPN context.

Step 6

Click OK to save your settings locally on the client, and close the SSL VPN
Context Editor, or click another tab in the dialog box.

Related Topics

Advanced Tab, page I-24

Configuring an SSL VPN Policy (IOS), page 11-11

Understanding User Groups in SSL VPN


SSL VPN user group policies allow you to accommodate the needs of different
groups of users. For example, a group of engineers working remotely needs access
to network resources different from the network resources to which sales
personnel working in the field need access. Business partners and outside vendors
must be able to access the information that they need to work with your
organization, but you must ensure that they do not have access to confidential
information or other resources they do not need. Creating a different policy for
each group provides remote users with the resources they need, and prevents them
from accessing other resources.
In Security Manager, user parameters are captured by user groups which define
the resources accessible to the user when connecting to an SSL VPN gateway or
ASA security appliance.
On an IOS router, a user group is defined within a context. Each context has a
domain name. When a user types a URL to access the SSL VPN gateway, that
domain name is used to associate the user with the user group defined in the
context. You can have more than one user group in a context. Each SSL VPN
context has its own user groups list.

Note

If more than one user group policy is configured on a device, you must configure
the device to use an AAA server to authenticate users and to determine which user
group a particular user belongs to.
An ASA security appliance has a built-in user group that is shared by all
connections to the device. During SSL VPN user authentication, the AAA server
returns a user group name that the user belongs to. The device first tries to match
the name to the names in the User Groups list. If a match is found, the definition
in the matching user group will be used. Otherwise, the default user group is used.
If no default user group is defined, the device's built-in user group is used.
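The lookup just described, written out as an added Python model (constructed for this page; it is not Security Manager or Cisco code). It maps the hostname of the URL the user typed to an SSL VPN context by domain name, then applies the matching order given for the ASA (AAA-returned group name, then the default user group, then the built-in group) to that context's User Groups list, and flags contexts with more than one user group as needing an AAA server. The context names, group names and the "builtin" label are constructed sample values; applying the ASA matching order to an IOS context is this example's own generalization.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class SslVpnContext:
    """One SSL VPN context. Its name doubles as the domain (virtual hostname)
    that users type in the URL, as the general-settings procedure recommends."""
    name: str
    user_groups: List[str] = field(default_factory=list)
    default_group: Optional[str] = None

    def requires_aaa(self) -> bool:
        """More than one user group means an AAA server must pick the group."""
        return len(self.user_groups) > 1


def context_for_url(url: str, contexts: Dict[str, SslVpnContext]) -> Optional[SslVpnContext]:
    """Associate a login URL with a context by its domain name (case-insensitive)."""
    host = urlsplit(url).hostname
    return contexts.get(host.lower()) if host else None


def resolve_user_group(context: SslVpnContext, aaa_group: Optional[str],
                       builtin_group: str = "builtin") -> str:
    """Matching order applied at user authentication:
    1. the AAA-returned name, if it is in the context's User Groups list;
    2. otherwise the default user group, if one is defined;
    3. otherwise the device's built-in group ("builtin" is a constructed label)."""
    if aaa_group is not None and aaa_group in context.user_groups:
        return aaa_group
    if context.default_group is not None:
        return context.default_group
    return builtin_group


# Constructed sample configuration: two contexts on one gateway.
CONTEXTS = {
    "vpn.example.com": SslVpnContext("vpn.example.com",
                                     ["engineering", "sales"], default_group="sales"),
    "partners.example.com": SslVpnContext("partners.example.com", ["partners"]),
}


def login_group(url: str, aaa_group: Optional[str]) -> Optional[str]:
    """End to end: URL -> context -> effective user group (None if no context matches)."""
    ctx = context_for_url(url, CONTEXTS)
    return resolve_user_group(ctx, aaa_group) if ctx else None


if __name__ == "__main__":
    print(login_group("https://VPN.example.com/", "engineering"))   # engineering
    print(login_group("https://vpn.example.com/", "contractors"))   # sales (default)
    print(login_group("https://partners.example.com/", "guest"))    # builtin
```

The second call shows the case worth checking in a real deployment: a user whose AAA group name matches nothing in the context silently lands in the default group, so the default group's resources should be the most restrictive set, not a catch-all.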
Related Topics

Configuring User Groups on an IOS Device, page 11-19

Configuring SSL VPN Policies on an ASA Device, page 11-33

Creating a New User Group, page 11-22

Configuring an SSL VPN Gateway and Context, page 11-7

Defining the ASA SSL VPN Connection Profile Parameters, page 11-30


Configuring User Groups on an IOS Device


When you are configuring SSL VPN, you must specify the user group(s) that will
be used in your SSL VPN connection. You can use predefined user group(s), edit
them if required, and create user groups.
This procedure describes how to specify the user group(s) to use in your SSL VPN
connection on an IOS router.
Before You Begin

In Device view (View > Device View), select the required IOS device.
Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Wizard, then click
SSL VPN Server Wizard.
The Gateway and Context page of the SSL VPN wizard opens. For a description
of the elements on the Gateway and Context page, see Table I-1 on page I-3.
The User Groups table displays the currently defined user groups that will be used
in your SSL VPN connection.

Step 2

To select additional user group(s), or modify the properties of a selected user
group in the table, click Edit.

Note

You can select more than one user group for editing.

The User Groups Selector opens displaying a list of predefined user groups
available for selection. For a description of the elements on the User Groups
Selector page, see Table I-3 on page I-8.
Step 3

Select the required user group(s) and click >>.

If the required user group is not included in the Available User Groups list,
click Create below the list to create one. See Creating a New User Group,
page 11-22.

To specify a user group as the default, select it in the Selected User Groups
list, and click Set As Default.


To modify the properties of a user group in the Selector, select it and click
Edit. User groups are objects. The Edit User Group dialog box opens,
enabling you to edit the user group object. See User Group Dialog Box,
page F-510.

Step 4

Click OK to save your changes and close the User Groups Selector.
The newly defined, selected or edited user group(s) appears in the User Groups
table on the Gateway and Context page.

Related Topics

Understanding User Groups in SSL VPN, page 11-17

Creating a New User Group, page 11-22

Configuring an SSL VPN Gateway and Context, page 11-7

User Groups Selector Page, page I-7

Gateway and Context Page (IOS), page I-2

Creating User Group Objects, page 8-182

Configuring User Groups on an ASA Device


When you are configuring SSL VPN on an ASA device, you must specify the user
group(s) that will be used in your SSL VPN connection profile. You can select
predefined user group(s), edit them if required, and create user groups.
This procedure describes how to specify the user group(s) to use in your SSL VPN
connection profile on an ASA device.
Before You Begin

In Device view (View > Device View), select the required ASA device.
Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Wizard, then click
SSL VPN Server Wizard.


Step 2

Click Next in the Access page of the SSL VPN Configuration Wizard. The
Connection Profile page of the SSL VPN wizard opens. For a description of the
elements on the Connection Profile page, see Table I-13 on page I-28.
The User Groups table on the Connection Profile page displays the currently
defined ASA user groups that will be used in your SSL VPN connection profile.

Note

ASA user groups are shared by all connection profiles on the selected
device.

Step 3

To select additional user group(s), or modify the properties of a selected user
group in the table, click Edit. You can select more than one user group for editing.
The User Groups Selector opens displaying a list of predefined ASA user groups
available for selection. For a description of the elements on the User Groups
Selector page, see Table I-3 on page I-8.

Step 4

Select the required ASA user group(s) and click >>.

If the required user group is not included in the Available User Groups list,
click Create below the list to create one. See Creating a New User Group,
page 11-22.

To modify the properties of an ASA user group in the Selector, select it and
click Edit. ASA user groups are objects. The Edit ASA User Group dialog
box opens, enabling you to edit the user group object. See ASA User Group
Dialog Box, page F-60.

Step 5

Click OK to save your changes and close the User Groups Selector.
The newly defined, selected or edited ASA user group(s) appears in the User
Groups table on the Connection Profile page.

Related Topics

Understanding User Groups in SSL VPN, page 11-17

Creating a New User Group, page 11-22

User Groups Selector Page, page I-7

Connection Profile Page (ASA), page I-27

Defining the ASA SSL VPN Connection Profile Parameters, page 11-30


Creating ASA User Group Objects, page 8-45

Creating a New User Group


User groups define the resources accessible to the user when connecting to an IOS
SSL VPN gateway, or an ASA security appliance. In Security Manager, you can
create a new user group that will be used in your SSL VPN connection on an IOS
router or ASA device, using the Policy Object Manager or from within the
SSL VPN wizard.
These topics describe the steps for creating a user group from within the
SSL VPN wizard:

Defining the User Group Name and Access Methods, page 11-22

Configuring the Full Tunnel Access Mode, page 11-24

Configuring the Clientless and Thin Client Access Modes, page 11-26

For information about creating user groups from the Policy Object Manager, see:

Creating ASA User Group Objects, page 8-45

Creating User Group Objects, page 8-182

Related Topics

Understanding User Groups in SSL VPN, page 11-17

Configuring User Groups on an IOS Device, page 11-19

Configuring User Groups on an ASA Device, page 11-20

Create User Group Wizard, page I-9

Defining the User Group Name and Access Methods


This procedure describes how to define a name for your user group, and
optionally, select and configure the remote access method(s) that will be used to
access the SSL-enabled gateway (IOS router) or ASA security appliance.
Before You Begin

In Device view (View > Device View), select the required device (Cisco IOS
router or ASA device).


Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Wizard, then click
SSL VPN Server Wizard.

Step 2

Open the User Groups Selector page as follows:

If you selected an IOS router, click Edit alongside the User Groups table in
the Gateway and Context Page (IOS).

If you selected an ASA device, click Next in the Access Page (ASA), then
click Edit alongside the User Groups table in the Connection Profile Page
(ASA).

Step 3

Click Create in the User Groups Selector page. The Create User Group wizard
opens, displaying the Name and Access Method page. For a description of the
elements on this page, see Table I-4 on page I-11.

Step 4

Specify a name for the user group.

Step 5

Select the access mode(s) you want to configure for the user group:

Full Tunnel: Select to enable access to the corporate network completely
over the SSL VPN tunnel. The SSL VPN Client (SVC) is downloaded and
installed to the remote client, and the tunnel connection is established when
the remote user logs in to the SSL VPN gateway. For more information, see
Full Tunnel Client Access Mode, page 11-4.

Clientless: Select to enable remote user access to the internal or corporate
network using a web browser on the client machine. For more information,
see Clientless Access Mode, page 11-3.

Thin Client: Select to enable the client application to use TCP to connect to
a well-known server and port. The remote user downloads a Java applet that
acts as a TCP proxy on the client machine for the services that you configure
on the SSL VPN gateway. For more information, see Thin Client Access
Mode, page 11-3.

Step 6

Click Next to configure the Full Tunnel, Clientless and/or Thin Client access
modes, or click Finish to complete the user group configuration.

Related Topics

Name and Access Method Page, page I-10


Creating a New User Group, page 11-22

Configuring the Full Tunnel Access Mode, page 11-24

Configuring the Clientless and Thin Client Access Modes, page 11-26

Configuring the Full Tunnel Access Mode


Full Tunnel Client mode enables access to the corporate network completely over
an SSL VPN tunnel. In Full Tunnel Client access mode, the tunnel connection is
determined by the group policy configuration. The full tunnel client software,
SSL VPN Client (SVC), is downloaded to the remote client, so that a tunnel
connection is established when the remote user logs in to the SSL VPN gateway,
or connects to the ASA security appliance.
For more information, see Full Tunnel Client Access Mode, page 11-4.
This procedure describes how to configure the Full Tunnel access mode to be used
in your user group configuration.

Note

You can configure the Full Tunnel client access mode only if you selected the Full
Tunnel option in Step 1 of the Create User Group wizard. See Defining the User
Group Name and Access Methods, page 11-22.
Before You Begin

In Device view (View > Device View), select the required device (Cisco IOS
router or ASA device).

Procedure
Step 1

Open the Full Tunnel page by clicking Next on the Name and Access Method
Page of the Create User Group wizard. For a description of the elements on the
Full Tunnel page, see Table I-5 on page I-12.

Note

This page is only available if you selected to configure the Full Tunnel
access mode, in step 1 of the wizard.


Step 2

Select Use Other Access Modes if SSL VPN Client Download Fails if you want
to enable the remote client to use clientless or thin client access modes if the
SSL VPN Client (SVC) software download fails.

Step 3

Select Full Tunnel Only to enable the configuration of the Full Tunnel access
mode.

Step 4

If the device is an IOS router, specify the IP address ranges of the address pool
that full tunnel clients will draw from, when they log on. You can click Select to
open the Networks/Hosts Selector from which you can make your selection(s).

Step 5

Specify the IP addresses of the primary and secondary (optional) DNS servers to
be used for the Full Tunnel SSL VPN connection. You can click Select to open
the Networks/Hosts Selector from which you can make your selections.

Step 6

Specify the domain name of the DNS server to be used for the Full Tunnel SSL
VPN connection.

Step 7

Specify the IP addresses of the primary and secondary (optional) WINS servers
to be used for the Full Tunnel SSL VPN connection. You can click Select to open
the Networks/Hosts Selector from which you can make your selections.

Step 8

Specify the traffic that will be secured or transmitted unencrypted across the
public network, from these options:

Disable: Split tunneling is disabled and no traffic will be secured.

Exclude Specified Networks: Split tunneling is enabled. You can specify
the networks to which traffic is transmitted in the clear (unencrypted).

Tunnel Specified Networks: Split tunneling is enabled. All traffic from or
to the specified networks will be secured.

Step 9

If the device is an IOS router, specify the networks to which traffic will be
transmitted secured or unencrypted, depending on the selected Split Tunneling
option.

Step 10

If the device is an IOS router, and if you selected the Exclude Tunneling
Specified Traffic option, you can select Exclude Local LAN if you want to
disallow a non split-tunneling connection to access the local subnetwork at the
same time as the client.

Step 11

If the device is an ASA security appliance, specify the access control lists (ACLs)
to be used for split tunneling. You can click Select to open the Access Control
Lists selector, from which you can select the required access control list.

Step 12

Specify a list of domain names that must be tunneled or resolved to the private
network. All other names will be resolved via the public DNS server.

Step 13

Click Next to configure the Clientless and/or Thin Client access modes, or click
Finish to complete the user group configuration.

Related Topics

Full Tunnel Access Mode Page, page I-11

Creating a New User Group, page 11-22

Configuring the Clientless and Thin Client Access Modes, page 11-26

Configuring the Clientless and Thin Client Access Modes


In Clientless access mode, the remote user accesses the internal or corporate
network using a web browser on the client machine. No applet downloading is
required. In Thin Client access mode, the client application uses TCP to connect
to a well-known server and port. The remote user downloads a Java applet that
acts as a TCP proxy on the client machine for the services that you configure on
the SSL VPN gateway.
This procedure describes how to configure the Clientless and/or Thin Client
access modes to be used in your SSL VPN user group configuration.

Note

You can configure these access modes only if you selected the Clientless and/or
Thin Client options in Step 1 of the wizard. See Defining the User Group Name
and Access Methods, page 11-22.
Before You Begin

In Device view (View > Device View), select the required device (Cisco IOS
router or ASA device).

Procedure
Step 1

Open the Clientless and Thin Client page by clicking Next on the Full Tunnel
Access Mode Page of the Create User Group wizard. For a description of the
elements on the Clientless and Thin Client page, see Table I-6 on page I-16.


Note

The elements displayed on this page depend on whether you selected to
configure both Clientless and Thin Client access modes, or either one of
them, in Step 1 of the wizard.

Step 2

If you are configuring Clientless access mode, specify a list of websites that will
be displayed on the portal page as a bookmark to enable users to access the
resources available on the SSL VPN websites.
You can click Select to open the URL List Selector from which you can make your
selection from a list of URL List objects. For more information, see
Understanding URL List Objects, page 8-179.

Step 3

If you are configuring Thin Client access mode, specify a Port Forwarding List
that defines the mapping of the port number on the client machine to the
application's IP address and port behind the SSL VPN gateway.
You can click Select to open the Port Forwarding List Selector from which you
can make your selection from a list of Port Forwarding List objects. For more
information, see Understanding Port Forwarding List Objects, page 8-147.

Step 4

If the device is an ASA security appliance, specify the Java applet that will be
used as a TCP proxy on the client machine, and if required, select to download it.

Step 5

If required, select the check box to enable a port-forwarding Java applet to be
automatically downloaded when the remote client logs in.

Step 6

Click Finish to complete the user group configuration and close the wizard.
The new user group is displayed in the User Groups Selector page, from where
you can select it for use in your SSL VPN. See Creating a New User Group,
page 11-22.

Related Topics

Clientless and Thin Client Access Modes Page, page I-15

Creating a New User Group, page 11-22

Defining the User Group Name and Access Methods, page 11-22

Configuring the Full Tunnel Access Mode, page 11-24

Clientless Access Mode, page 11-3

Thin Client Access Mode, page 11-3



Configuring SSL VPN on an ASA Device


SSL VPN configuration is supported on Cisco ASA 5500 Series Security
Appliances, software version 7.1 and later.
In an SSL VPN connection, the security appliance acts as a proxy between the end
user web browser and target web servers. When an SSL VPN user connects to an
SSL-enabled web server, the security appliance recognizes connections that need
to be proxied, and the HTTP server interacts with the authentication subsystem to
authenticate users. The security appliance establishes a secure connection and
validates the server SSL certificate.
Digital certificates are used for authentication. The security appliance creates a
self-signed SSL server certificate when it boots, or you can install on the security
appliance an SSL certificate that has been issued in a PKI context (see Public Key
Infrastructure Policies in Remote Access VPNs, page 10-24). For HTTPS, this
certificate must then be installed on the client. You only need to install the
certificate from a given security appliance once.
Using Security Manager, you can create a basic connection profile with a limited
set of features that enable an SSL VPN to function, and then configure additional
policies and features for your SSL VPN.
These topics describe how to configure an SSL VPN connection profile on an
ASA device, and the policies required for it to function:

Using the Wizard to Create an ASA SSL VPN Connection Profile, page 11-28

Configuring SSL VPN Policies on an ASA Device, page 11-33

Using the Wizard to Create an ASA SSL VPN Connection Profile


The SSL VPN wizard provides a quick and convenient way to configure and
enable SSL VPN on your ASA security appliance.
The wizard creates an SSL VPN connection profile with a limited set of features
that enable a basic SSL VPN to function. After you complete the wizard, you can
configure additional policies and features for the SSL VPN, or modify the
existing ones. If required, you can return to the wizard to create additional
SSL VPN configurations.


To access the ASA SSL VPN wizard:

1. Click the Device View button in the toolbar.

2. From the Device Selector, select the ASA device on which you want to
configure SSL VPN.

3. Select SSL VPN > SSL VPN Wizard from the Policy selector.

4. Click SSL VPN Server Wizard.

These topics describe the steps for defining a basic SSL VPN connection profile
using the ASA SSL VPN wizard:

Defining the ASA SSL VPN Access Parameters, page 11-29

Defining the ASA SSL VPN Connection Profile Parameters, page 11-30

Related Topics

Configuring SSL VPN on an ASA Device, page 11-28

Defining the ASA SSL VPN Access Parameters


The Access page of the SSL VPN Configuration Wizard enables you to configure
the security appliance interfaces for SSL VPN sessions and select a port for your
SSL VPN connection profiles.
This procedure describes how to configure the access parameters on an ASA
device.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Procedure
Step 1

Select View > Device View > SSL VPN > SSL VPN Wizard, then click
SSL VPN Server Wizard.
The wizard opens, displaying the Access page. For a description of the elements
on this page, see Table I-12 on page I-26.

Step 2

Specify the interfaces on which you want to enable the SSL VPN connection
profiles. You can click Select to open a dialog box from which you can select an
interface from a list of interface or interface role objects.


Step 3

Specify the port number that you want to use for SSL VPN sessions. You can click
Select to open the Port List Selector dialog box from which you can make your
selection.

Note

The Portal Page URL field displays the URL that will appear on the Portal
page to access the security appliance.

Step 4

Select Allow Users to Select Connection Profile in Portal Page to include a list
of configured tunnel groups on the SSL VPN end-user interface from which the
user can select a tunnel group at login.

Step 5

Select Enable SSL VPN Access to enable the SSL VPN functionality on the
device.

Step 6

Click Next to advance to the next step of the wizard.

Note

When you click Finish in the wizard, these parameters are displayed in the Access
Policy page.

Related Topics

Access Page (ASA), page I-26

Configuring SSL VPN on an ASA Device, page 11-28

Using the Wizard to Create an ASA SSL VPN Connection Profile, page 11-28

Defining the ASA SSL VPN Connection Profile Parameters


An SSL VPN connection profile comprises a set of records that contain VPN
tunnel connection profile policies, including the attributes that pertain to creating
the tunnel itself. When you define the parameters for your ASA SSL VPN
connection profile, you configure a tunnel group policy. Tunnel groups identify
the group policy for a specific connection profile, which includes user-oriented
attributes. In Security Manager, user parameters are captured by user groups
which define the resources accessible to the user when connecting to the ASA
security appliance.


For more information, see Understanding SSL VPN Connection Profile Policies,
page 11-35.
In the Connection Profile page of the SSL VPN wizard you configure the tunnel
group policies on your security appliance.
This procedure describes how to configure a tunnel group policy, which includes
specifying the associated user groups, address pools, and authentication server
group settings.
Before You Begin

In Device view (View > Device View), make sure the selected device is an
ASA device.

Procedure
Step 1

Open the Connection Profile page by clicking Next on the Access page of the
SSL VPN wizard. For a description of the elements on the Connection Profile
page, see Table I-13 on page I-28.

Step 2

In the Connection Profile field, specify the name of the tunnel group that
contains the policies for this SSL VPN connection profile.

Step 3

In the Default User Group field, specify the default user group policy associated
with the device. The Full Tunnel field indicates whether full tunnel access mode
was configured for the user group.
The default user group is used if no match is found when the AAA server tries to
match the user group name to the names in the User Groups list on the ASA
device. You can click Select to open a dialog box that lists all available ASA user
groups, and from which you can create an ASA user group object. For more
information, see Understanding ASA User Group Objects, page 8-43.

Note

If no default user group is defined, the device's built-in user group is used.

Step 4

Specify the user group(s) that will be used in your SSL VPN connection profile.


Note

All SSL VPN connection profiles on an ASA device share one built-in
user group. Each time you create a connection profile using the wizard,
the User Groups list may be populated with data from the previous
connection profile defined on the device.

You can click Edit to open the User Groups Selector, in which you can select the
required ASA user groups, and from which you can create and edit ASA user
groups. See Configuring User Groups on an ASA Device, page 11-20.
Step 5

In the Portal Page Customization field, specify the customization profile that
defines the appearance of the portal page. You can click Select to make your
selection from a list of SSL VPN customization objects. See Understanding SSL
VPN Customization Objects, page 8-186.

Step 6

Specify the group URL that is associated with the tunnel group connection profile.

Step 7

Specify up to 6 address pools from which IP addresses will be assigned. The
server uses these pools in the order listed.

Step 8

From the Authentication Method list, select the type of authentication to
perform: AAA (the default), Certificate, or Both (AAA and Certificate
authentication).

Step 9

Specify the name of the server group to be used for user authentication (LOCAL
if the tunnel group is configured on the local device). You can click Select to make
your selection from a list of AAA Server Group objects.

Step 10

If you selected LOCAL for the authentication server group, select the check box
to enable fallback to the local database for authentication if the selected
authentication server group fails.

Step 11

Specify the name of the authorization server group (LOCAL if the tunnel group
is configured on the local device). You can click Select to make your selection
from a list of AAA Server Group objects.

Step 12

Specify the name of the accounting server group. You can click Select to make
your selection from a list of AAA Server Group objects.

Step 13

When you have completed configuring the connection profile policy, click Finish
to close the SSL VPN Configuration wizard.


The SSL VPN connection profile you have defined in the wizard is displayed in
the SSL VPN Connection Profile Policy page. You can modify this connection
profile, if required. See Configuring SSL VPN Policies on an ASA Device,
page 11-33.

Related Topics

Connection Profile Page (ASA), page I-27

Understanding User Groups in SSL VPN, page 11-17

Configuring User Groups on an ASA Device, page 11-20

Configuring SSL VPN on an ASA Device, page 11-28

Using the Wizard to Create an ASA SSL VPN Connection Profile, page 11-28

Configuring SSL VPN Policies on an ASA Device


After you create a basic SSL VPN connection profile on your server device using
the SSL VPN wizard, you can modify the connection profile, if required, and
configure additional policies and features.
These topics describe the SSL VPN policies you can configure on an ASA device:

Configuring an Access Policy, page 11-33

Configuring an SSL VPN Connection Profile Policy, page 11-36

Configuring ASA User Groups Policy in Your SSL VPN, page 11-43

Configuring the Cisco Secure Desktop Software, page 11-45

Configuring Global Settings, page 11-47

Related Topics

Using the Wizard to Create an ASA SSL VPN Connection Profile, page 11-28

Configuring an Access Policy


An Access policy specifies the security appliance interfaces on which an
SSL VPN connection profile can be enabled, the port to be used for the connection
profile, the SSL VPN session idle timeout, and the maximum number of sessions.

This procedure describes how to configure an Access policy on an ASA device.


Before You Begin

In Device view (View > Device View), select the required ASA device.

Procedure
Step 1

Select View > Device View > SSL VPN > Access from the Policy selector. The
Access page appears. For a description of the elements on this page, see
Table I-14 on page I-32.

Step 2

Specify the interfaces on which you want to enable SSL VPN connection profiles.
You can click Select to open a dialog box from which you can select an interface
from a list of interface or interface role objects.

Step 3

Specify the port number that you want to use for SSL VPN sessions. You can click
Select to open the Port List Selector dialog box from which you can make your
selection.

Step 4

Specify the amount of time, in seconds, that an SSL VPN session can be idle
before the security appliance terminates the session.

Step 5

Specify the maximum number of SSL VPN sessions you want to allow.

Step 6

Select the Allow Users to Select Connection Profile in Portal Page check box
to include a list of the configured tunnel groups on the SSL VPN end-user
interface, from which users can select a tunnel group when they log on.

Step 7

Select the Enable SSL VPN Access check box to enable the SSL VPN
functionality on the device.

Step 8

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.
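Steps 4 and 5 above set two capacity controls whose interaction is easy to get wrong: idle sessions must be reaped before the session count is compared against the maximum, otherwise stale sessions block new logins. The following added example (not part of the Cisco guide or of Security Manager; a simplified model with constructed event data) replays a login trace against an idle timeout and a session cap the way the Access policy describes them.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AccessLimits:
    """The two Access policy values modelled here (values are constructed)."""
    idle_timeout: int   # seconds a session may stay idle before it is terminated
    max_sessions: int   # maximum number of concurrent SSL VPN sessions


class SessionTable:
    """Hypothetical session table: tracks last activity per session id."""

    def __init__(self, limits: AccessLimits) -> None:
        self.limits = limits
        self._last_seen: Dict[str, int] = {}

    def reap_idle(self, now: int) -> List[str]:
        """Terminate every session idle longer than the timeout; return the ids removed."""
        expired = [sid for sid, seen in self._last_seen.items()
                   if now - seen > self.limits.idle_timeout]
        for sid in expired:
            del self._last_seen[sid]
        return expired

    def admit(self, sid: str, now: int) -> bool:
        """Admit a new session only if, after reaping idle ones, the cap is not reached."""
        self.reap_idle(now)
        if len(self._last_seen) >= self.limits.max_sessions:
            return False
        self._last_seen[sid] = now
        return True

    def touch(self, sid: str, now: int) -> bool:
        """Record activity on an existing session (keeps it from idling out)."""
        if sid not in self._last_seen:
            return False
        self._last_seen[sid] = now
        return True

    def active(self) -> List[str]:
        return sorted(self._last_seen)


def replay(limits: AccessLimits, events: List[Tuple[int, str, str]]):
    """Replay (time, action, session id) events; return (active ids, rejected (time, id))."""
    table = SessionTable(limits)
    rejected: List[Tuple[int, str]] = []
    for now, action, sid in events:
        if action == "connect":
            if not table.admit(sid, now):
                rejected.append((now, sid))
        elif action == "activity":
            table.touch(sid, now)
    return table.active(), rejected


# Constructed trace: 300 s idle timeout, at most 2 sessions.
SAMPLE_LIMITS = AccessLimits(idle_timeout=300, max_sessions=2)
SAMPLE_EVENTS = [
    (0, "connect", "s1"),
    (10, "connect", "s2"),
    (20, "connect", "s3"),      # rejected: two sessions already active
    (200, "activity", "s1"),    # s1 stays fresh, s2 goes idle
    (320, "connect", "s3"),     # s2 has idled out (310 s), so s3 is admitted
]

if __name__ == "__main__":
    print(replay(SAMPLE_LIMITS, SAMPLE_EVENTS))
```

The point of the model is the ordering inside `admit`: the cap is evaluated against live sessions only. A session table that counted idle sessions toward the maximum would turn a small idle timeout into a self-inflicted denial of service.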

Related Topics

SSL VPN Access Policy Page, page I-32

Configuring SSL VPN Policies on an ASA Device, page 11-33


Understanding SSL VPN Connection Profile Policies


Note

For a description of the procedure to configure an SSL VPN Connection Profiles
policy, see Configuring SSL VPN on an ASA Device, page 11-28.

An SSL VPN connection profile comprises a set of records that contain VPN
tunnel connection profile policies, including the attributes that pertain to creating
the tunnel itself. When you define the parameters for your ASA SSL VPN
connection profile, you configure a tunnel group policy. Tunnel groups identify
the group policy for a specific connection profile, which includes user-oriented
attributes. User parameters are captured by user groups which define the resources
accessible to the user when connecting to the ASA security appliance.
You can create one or more tunnel groups specific to your environment. Tunnel
groups may be configured on the local remote access VPN server or on external
AAA servers. Configuring a tunnel group policy includes specifying the
associated user groups, address pools, servers, and authentication server group
settings.
About Group Aliases

When configuring an SSL VPN Connection Profile policy, you may specify group
aliases for your tunnel group. Specifying a group alias creates one or more
alternate names by which a user can refer to a tunnel group. This feature is useful
when the same group is known by several common names (such as Devtest and
QA). The group alias appears on the login page. If you want the actual name of
the tunnel group to appear on the list, you must specify it as an alias. Each tunnel
group can have multiple aliases or no alias.
About Group URLs

Specifying a group URL eliminates the need for the user to select a tunnel group
at login. When a user logs in, the security appliance looks for the user's incoming
URL in the tunnel group policy table. If it finds the URL and if this feature is
enabled, the security appliance selects the appropriate server and presents the user
with only the username and password fields in the login window. This simplifies
the user interface and has the added advantage of never exposing the list of groups
to the user. The login window that the user sees uses the customizations
configured for that tunnel group. You can configure multiple URLs (or no URLs)
for a tunnel group. Each URL can be enabled or disabled individually. You must
use a separate specification for each URL, specifying the entire URL using either
the HTTP or HTTPS protocol.
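The two sections above describe what decides which tunnel group a login lands in: an enabled group URL that matches the incoming URL, or otherwise a choice among enabled aliases on the portal page. The following added example (not Cisco's code and not how the ASA implements the lookup internally; tunnel group names, aliases and URLs are constructed) models that decision so the consequences of the "enabled" flags and of the "Allow Users to Select Connection Profile" setting can be checked.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class TunnelGroup:
    """One connection profile as modelled here: aliases and group URLs carry an enabled flag."""
    name: str
    aliases: List[Tuple[str, bool]] = field(default_factory=list)     # (alias, enabled)
    group_urls: List[Tuple[str, bool]] = field(default_factory=list)  # (url, enabled)


def normalize_url(url: str) -> str:
    """Canonical form for matching: http/https only, lowercase host, default port and trailing slash dropped."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError("group URL must use http or https: %r" % url)
    host = (parts.hostname or "").lower()
    default_port = 443 if parts.scheme == "https" else 80
    netloc = host if parts.port in (None, default_port) else "%s:%d" % (host, parts.port)
    path = parts.path.rstrip("/") or "/"
    return "%s://%s%s" % (parts.scheme, netloc, path)


def select_by_group_url(groups: List[TunnelGroup], incoming_url: str,
                        feature_enabled: bool = True) -> Optional[TunnelGroup]:
    """Return the tunnel group owning an enabled group URL equal to the incoming URL."""
    if not feature_enabled:
        return None
    wanted = normalize_url(incoming_url)
    for group in groups:
        for url, enabled in group.group_urls:
            if enabled and normalize_url(url) == wanted:
                return group
    return None


def login_page_choices(groups: List[TunnelGroup], allow_user_select: bool) -> List[str]:
    """Names shown on the portal login list: enabled aliases only, never the bare group name."""
    if not allow_user_select:
        return []
    choices: List[str] = []
    for group in groups:
        for alias, enabled in group.aliases:
            if enabled and alias not in choices:
                choices.append(alias)
    return choices


def build_login_view(groups: List[TunnelGroup], incoming_url: str,
                     allow_user_select: bool) -> Dict[str, object]:
    """Decide what the login window shows for this incoming URL."""
    group = select_by_group_url(groups, incoming_url)
    if group is not None:
        # URL hit: group fixed, only username/password fields, group list never exposed.
        return {"group": group.name, "show_group_list": False, "choices": []}
    return {"group": None, "show_group_list": allow_user_select,
            "choices": login_page_choices(groups, allow_user_select)}


# Constructed sample: the "engineering" group is listed under two aliases, its own name is a disabled alias.
SAMPLE_GROUPS = [
    TunnelGroup("engineering",
                aliases=[("Devtest", True), ("QA", True), ("engineering", False)],
                group_urls=[("https://vpn.example.com/eng", True)]),
    TunnelGroup("sales",
                aliases=[("Sales", True)],
                group_urls=[("https://vpn.example.com/sales", False)]),
]

if __name__ == "__main__":
    print(build_login_view(SAMPLE_GROUPS, "https://vpn.example.com:443/eng/", True))
    print(build_login_view(SAMPLE_GROUPS, "https://vpn.example.com/sales", True))
```

Note how a disabled group URL falls through to the alias list rather than to the group it belongs to, and how the group's real name only appears if it was added as an alias, which is exactly the behaviour the two sections state.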
Related Topics

Configuring an SSL VPN Connection Profile Policy, page 11-36

Configuring SSL VPN Policies on an ASA Device, page 11-33

SSL VPN Connection Profiles Policy Page, page I-34

Configuring an SSL VPN Connection Profile Policy


The SSL VPN Connection Profiles Policy page displays a list of all the SSL VPN
Connection Profile policies currently defined on the security appliance, including
any policies that were created using the wizard. From this page, you can create,
edit, or delete the policies.
These topics describe how to configure SSL VPN Connection Profile policies on an
ASA device:

Defining Basic Parameters, page 11-36

Defining AAA Parameters, page 11-39

Defining Servers and Address Pools, page 11-42

Related Topics

SSL VPN Connection Profiles Policy Page, page I-34

Understanding SSL VPN Connection Profile Policies, page 11-35

Defining Basic Parameters


The Basic settings you must define for an SSL VPN Connection Profile policy
include a name for the tunnel group, the user group policy, the address pools
available for assignment throughout the policy, the DNS server to be used for the
tunnel group, group aliases, and incoming group URLs.
For more information about these settings, see:

Understanding SSL VPN Connection Profile Policies, page 11-35

About Group Aliases, page 11-35

About Group URLs, page 11-35


This procedure describes how to create or edit the basic settings required for an
SSL VPN Connection Profile policy.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Procedure
Step 1

Select View > Device View > SSL VPN > Connection Profiles.
The SSL VPN Connection Profiles policy page opens. For a description of the
elements on this page, see Table I-15 on page I-35.

Step 2

Click Create on the SSL VPN Connection Profiles policy page, or select the row
of a policy in the table on the page, and click Edit.
The Add/Edit SSL VPN Connection Profile dialog box opens, displaying the
Basic tab. For a description of the elements on the Basic tab, see Table I-16 on
page I-37.

Step 3

In the Connection Profile Name field, specify the name or IP address of the
tunnel group that contains the policies for this SSL VPN connection profile.

Step 4

If required, specify the default user group to be associated with the device.
You can click Select to open a dialog box from which you can select a user group
from a list of ASA user group objects. For more information, see Understanding
ASA User Group Objects, page 8-43.

Step 5

If required, specify an alternate user group to be applied to the tunnel group.
You can click Select to open a dialog box from which you can select a user group
from a list of ASA user group objects. For more information, see Understanding
ASA User Group Objects, page 8-43.

Step 6

Specify the DNS group to use for the tunnel group. The DNS group resolves the
hostname to the appropriate DNS server for the tunnel group.

Step 7

Specify up to 6 address pools from which the client IP addresses will be assigned.
Address pools are predefined network objects. You can click Select to open the
Network/Hosts selector from which you can make your selection(s). For more
information, see Understanding Network/Host Objects, page 8-127.


Step 8

From the Group Aliases table, you can create a new group alias or edit an existing
one, as follows:

Click Create below the table, or select a group alias in the table and click
Edit. The Add/Edit Group Alias dialog box opens. For a description of the
elements on this dialog box, see Table I-17 on page I-40.

Select the Enabled check box (by default it is selected).

In the Group Alias field, specify an alternative name for the tunnel group.

Click OK to save the changes, or Cancel to cancel the operation.

Step 9

From the Group URLs table, you can create a new group URL or edit an existing
one, as follows:

Click Create below the table, or select a group URL in the table and click
Edit. The Add/Edit Group URL dialog box opens. For a description of the
elements on this dialog box, see Table I-18 on page I-41.

Select the Enabled check box (by default it is selected).

In the Group URL field, select a protocol (http or https) from the list, and
specify the incoming URL for the group.

Click OK to save the changes, or Cancel to cancel the operation.

Note

If you want to delete a group alias or group URL from a table, select it
and click Delete.

Step 10

When you have finished configuring the basic settings of your SSL VPN
Connection Profile policy, click OK to save your changes locally on the client and
close the Add/Edit SSL VPN Connection Profile dialog box. Alternatively, you
can click the AAA or Settings tabs to continue the Connection Profile policy
configuration.

Related Topics

Understanding SSL VPN Connection Profile Policies, page 11-35

Configuring an SSL VPN Connection Profile Policy, page 11-36

Basic Tab (ASA), page I-36


Defining AAA Parameters


When you define the AAA authentication parameters for your SSL VPN
Connection Profile policy, you specify the type of authentication; the
authentication, authorization, and accounting server groups; the parameters
relevant to password management; the values for usernames that the security
appliance recognizes for authorization; and the interface-specific server groups
for authentication.
This procedure describes how to create or edit the AAA authentication parameters
required for an SSL VPN Connection Profile policy.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Procedure
Step 1

Select View > Device View > SSL VPN > Connection Profiles.
The SSL VPN Connection Profiles policy page opens. For a description of the
elements on this page, see Table I-15 on page I-35.

Step 2

Click Create on the SSL VPN Connection Profiles policy page, or select the row
of a policy in the table on the page, and click Edit.
The Add/Edit SSL VPN Connection Profile dialog box opens.

Step 3

Click the AAA tab. For a description of the elements on the AAA tab of the
Add/Edit SSL VPN Connection Profile dialog box, see Table I-19 on page I-42.

Step 4

From the Authentication list, select the type of authentication to perform: AAA
(the default), Certificate, or Both (AAA and Certificate authentication).

Step 5

Specify the name of the server group to be used for user authentication (LOCAL
if the tunnel group is configured on the local device). You can click Select to make
your selection from a list of AAA Server Group objects.

Step 6

If you selected LOCAL for the authentication server group, select the check box
to enable fallback to the local database for authentication if the selected
authentication server group fails.

Step 7

Specify the name of the authorization server group (LOCAL if the tunnel group
is configured on the local device). You can click Select to make your selection
from a list of AAA Server Group objects.


Step 8

To enable authorization on the local device, select the LOCAL Authorization
check box.

Step 9

Select the Users Must Exist in the Authorization Database to Connect check
box, if you want the security appliance to allow only users in the authorization
database to connect.

Step 10

Specify the name of the accounting server group. You can click Select to make
your selection from a list of AAA Server Group objects.

Step 11

For users that authenticate with digital certificates and require LDAP or RADIUS
authorization, you can set values for the usernames that the security appliance
recognizes for authorization, as follows:

Use the Entire DN as the Username: Select to allow the use of the entire
Distinguished Name (DN) as the identifier for the username.

Specify Individual DN Fields as the Username: Select to enable the use of
individual DN fields as the username when matching users to the tunnel
group. Then select one of the following options:

Primary DN Field: Select the primary DN field identifier to be used for
identification.

Secondary DN Field: Select the secondary DN field identifier to be used
for identification.

Note

Select None if no secondary field identifier is required.

Step 12

Select the Override Account-Disabled Indication from AAA Server check box
to override the account-disabled indicator from a AAA server. This
configuration is valid for servers, such as RADIUS with NT, LDAP, and Kerberos,
that return an account-disabled indication.

Note

Allowing override account-disabled is a potential security risk.

Step 13

Select the Enable Notification Upon Password Expiration to Allow User to
Change Password check box to enable the security appliance to notify the
remote user at login that the current password is about to expire or has expired.
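Step 11 above leaves it to the administrator to pick which part of a certificate's Distinguished Name becomes the username that LDAP or RADIUS authorization is matched against. The following added example (not Cisco's code and not the appliance's implementation; the sample DN is constructed) parses a DN, including the escaped comma case that breaks naive `split(",")` parsing, and derives the identifier under each of the two options, returning `None` when the certificate lacks the selected field so that authorization cannot silently match the wrong account.

```python
from typing import Dict, List, Optional, Tuple


def _split_pair(text: str) -> Tuple[str, str]:
    """Split one 'ATTR=value' RDN; attribute names are compared case-insensitively."""
    attr, sep, value = text.partition("=")
    if not sep:
        raise ValueError("malformed RDN: %r" % text)
    return attr.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN into (attribute, value) pairs, honouring backslash escapes."""
    pairs: List[Tuple[str, str]] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:                 # character after a backslash is literal (e.g. "\," inside a CN)
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            pairs.append(_split_pair(buf))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        pairs.append(_split_pair(buf))
    return pairs


def username_from_dn(dn: str, use_entire_dn: bool, primary: Optional[str] = None,
                     secondary: Optional[str] = None) -> Optional[Dict[str, Optional[str]]]:
    """Derive the authorization identifier the way the two Step 11 options describe it.

    use_entire_dn=True  -> the whole DN string is the username.
    use_entire_dn=False -> the value of the primary DN field, plus the secondary field
                           (None means "no secondary field", as in the dialog).
    Returns None if a selected field is absent from the certificate.
    """
    if use_entire_dn:
        return {"mode": "entire_dn", "username": dn.strip()}
    if primary is None:
        return None
    values: Dict[str, str] = {}
    for attr, value in parse_dn(dn):
        values.setdefault(attr, value)          # leftmost (most specific) occurrence wins
    if primary.upper() not in values:
        return None
    result: Dict[str, Optional[str]] = {"mode": "dn_fields",
                                        "primary": values[primary.upper()],
                                        "secondary": None}
    if secondary is not None:
        if secondary.upper() not in values:
            return None
        result["secondary"] = values[secondary.upper()]
    return result


# Constructed certificate subject; the CN contains an escaped comma.
SAMPLE_DN = "CN=Doe\\, Jane,OU=Eng,O=Example,C=US"

if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
    print(username_from_dn(SAMPLE_DN, use_entire_dn=True))
    print(username_from_dn(SAMPLE_DN, use_entire_dn=False, primary="CN", secondary="OU"))
```

The design choice worth noting is the explicit `None` on a missing field: CN is not guaranteed to be present in every certificate a CA issues, and an empty-string username is the kind of value that an authorization lookup may match to an unintended entry.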


Step 14

Select the Enable Notification Prior to Expiration check box, to warn the user
about the pending expiration, and specify the number of days (1-180) before the
current password expires in the Notify Prior to Expiration field.

Step 15

From the Interface-Specific Authentication Server Groups table, you can
configure interface-specific authentication for your SSL VPN connection profile
policy, as follows:

Click Create below the table, or select a row in the table and click Edit. The
Add/Edit SSL VPN Interface Specific Authentication Server Groups dialog
box opens. For a description of the elements on this dialog box, see Table I-20
on page I-47.

Specify the interface to be associated with the authentication server group.

Specify the server group to be associated with the selected interface.

Select Use LOCAL if Server Group Fails to enable fallback to the LOCAL
database if the selected server group fails.

Click OK to save the changes, or Cancel to cancel the operation.

Note

If you want to delete an interface-specific authentication server group
from the table, select it and click Delete.

Step 16

When you have finished configuring the AAA parameters for your SSL VPN
Connection Profile policy, click OK to save your changes locally on the client and
close the Add/Edit SSL VPN Connection Profile dialog box. Alternatively, you
can click the Basic or Settings tabs to continue the Connection Profile policy
configuration.

Related Topics

Understanding SSL VPN Connection Profile Policies, page 11-35

Configuring an SSL VPN Connection Profile Policy, page 11-36

AAA Tab (ASA), page I-41


Defining Servers and Address Pools


The Settings tab lets you configure the WINS servers for the connection profile
policy, select a customized look and feel for the SSL VPN end-user logon web
page, specify the DHCP servers to be used for client address assignment, and
establish an association between an interface and client IP address pools.
This procedure describes how to create or edit these settings for an SSL VPN
Connection Profile policy.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Procedure
Step 1

Select View > Device View > SSL VPN > Connection Profiles.
The SSL VPN Connection Profiles policy page opens. For a description of the
elements on this page, see Table I-15 on page I-35.

Step 2

Click Create on the SSL VPN Connection Profiles policy page, or select the row
of a policy in the table on the page, and click Edit.
The Add/Edit SSL VPN Connection Profile dialog box opens.

Step 3

Click the Settings tab. For a description of the elements on the Settings tab of the
Add/Edit SSL VPN Connection Profile dialog box, see Table I-21 on page I-48.

Step 4

Specify the name of the WINS servers list to use for CIFS name resolution.

Step 5

Specify the SSL VPN customization profile that defines the appearance of the
portal page.

Step 6

Specify the IP addresses of up to 10 DHCP servers to be used for client address
assignments.

Step 7

From the Client IP Address Pool table, you can specify client IP address pools
on an interface-specific basis, which override the global IP address pools
(configured on the Basic tab), as follows:

Click Create below the table, or select a row in the table and click Edit. The
Add/Edit SSL VPN Interface Specific Client Address Pools dialog box opens.
For a description of the elements on this dialog box, see Table I-22 on
page I-51.


Specify the interface to be associated with the client address pool.

Specify the address pool to be used to assign a client address to the selected
interface.

Click OK to save the changes, or Cancel to cancel the operation.

Note

If you want to delete a client IP address pool from the table, select it and
click Delete.

Step 8

When you have finished configuring these settings for your SSL VPN Connection
Profile policy, click OK to save your changes locally on the client and close the
Add/Edit SSL VPN Connection Profile dialog box. Alternatively, you can click
the Basic or AAA tabs to continue the Connection Profile policy configuration.
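Step 7 of the Basic tab (up to 6 global address pools, used in the order listed) and Step 7 of this Settings tab (interface-specific pools that override the global ones) together define where a client address comes from. The following added example (not Cisco's code and not how the ASA allocates addresses internally; pool networks and interface names are constructed) implements that precedence and ordering with the standard `ipaddress` module and reports exhaustion explicitly instead of handing out a duplicate.

```python
import ipaddress
from typing import Dict, List, Optional

MAX_GLOBAL_POOLS = 6   # limit stated for the Basic tab


class ClientAddressAllocator:
    """Hypothetical allocator: interface-specific pools override the ordered global pools."""

    def __init__(self, global_pools: List[str],
                 interface_pools: Optional[Dict[str, List[str]]] = None) -> None:
        if len(global_pools) > MAX_GLOBAL_POOLS:
            raise ValueError("at most %d global address pools" % MAX_GLOBAL_POOLS)
        self.global_pools = [ipaddress.ip_network(p, strict=True) for p in global_pools]
        self.interface_pools = {
            iface: [ipaddress.ip_network(p, strict=True) for p in pools]
            for iface, pools in (interface_pools or {}).items()
        }
        self.in_use: Dict[ipaddress._BaseAddress, str] = {}   # address -> session id

    def pools_for(self, interface: str):
        """Interface-specific pools, if configured, otherwise the global list."""
        return self.interface_pools.get(interface, self.global_pools)

    def allocate(self, interface: str, session_id: str) -> Optional[str]:
        """Hand out the first free host address, walking the pools in their listed order."""
        for net in self.pools_for(interface):
            for host in net.hosts():
                if host not in self.in_use:
                    self.in_use[host] = session_id
                    return str(host)
        return None   # every pool for this interface is exhausted

    def release(self, session_id: str) -> int:
        """Return addresses held by a closed session to the pool; returns how many were freed."""
        freed = [addr for addr, sid in self.in_use.items() if sid == session_id]
        for addr in freed:
            del self.in_use[addr]
        return len(freed)


# Constructed configuration: two tiny global pools, one interface-specific override for "dmz".
SAMPLE_ALLOCATOR_ARGS = (
    ["10.10.1.0/30", "10.10.2.0/30"],
    {"dmz": ["192.0.2.0/30"]},
)

if __name__ == "__main__":
    alloc = ClientAddressAllocator(*SAMPLE_ALLOCATOR_ARGS)
    for sid in ("s1", "s2", "s3"):
        print(sid, alloc.allocate("outside", sid))
    print("s4", alloc.allocate("dmz", "s4"))
```

Two things the run makes visible: a session on `outside` only moves to the second global pool once the first is full, and a session on `dmz` never touches the global pools at all, so sizing the override pool is the administrator's responsibility for that interface.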

Related Topics

Understanding SSL VPN Connection Profile Policies, page 11-35

Configuring an SSL VPN Connection Profile Policy, page 11-36

Settings Tab (ASA), page I-47

Configuring ASA User Groups Policy in Your SSL VPN


When you configure an SSL VPN connection profile, you must create user groups
to which remote clients will belong. A user group policy specifies the attributes
that determine user access to, and use of, the SSL VPN. User groups simplify
system management, enabling you to quickly configure SSL VPN access for large
numbers of users.
A user group policy is a set of user-oriented attribute/value pairs for SSL VPN
connection profiles that are stored either internally (locally) on the device or
externally on an AAA server. The tunnel group uses a user group policy that sets
terms for user connection profiles after the tunnel is established. Group policies
let you apply whole sets of attributes to a user or a group of users, rather than
having to specify each attribute individually for each user.


Note

If more than one user group policy is configured on a device, you must configure
the device to use an AAA server to authenticate users and to determine which user
group a particular user belongs to.
An ASA security appliance has a built-in user group. During SSL VPN user
authentication, the AAA server returns a user group name that the user belongs to.
The device first tries to match the name to the names in the User Groups list. If a
match is found, the definition in the matching user group is used. Otherwise, the
default user group is used. If no default user group is defined, the device's built-in
user group is used.
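The matching order just described (User Groups list, then default user group, then built-in group) is the last stage of a login whose earlier stages are the AAA tab settings: the interface-specific authentication server group, if any, the "Use LOCAL if server group fails" fallback, and the "Users Must Exist in the Authorization Database to Connect" check. The following added example (not Cisco's code and not the appliance's implementation; server group names, users and group attributes are constructed) chains those stages so that the effective user group for a given login can be predicted and checked.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LOCAL = "LOCAL"


@dataclass
class AaaServerGroup:
    """A AAA server group as modelled here (constructed, not an ASA API)."""
    name: str
    reachable: bool                            # False simulates the server group failing
    users: Dict[str, str]                      # username -> password
    user_group_of: Dict[str, str] = field(default_factory=dict)   # username -> user group name returned


@dataclass
class ProfileAaa:
    """AAA tab settings of one connection profile."""
    auth_group: str                            # profile-wide authentication server group
    fallback_to_local: bool                    # fall back to LOCAL if that group fails
    interface_auth_groups: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # iface -> (group, fallback)
    users_must_exist_in_authz_db: bool = False
    authz_group: str = LOCAL


@dataclass
class UserGroupPolicy:
    """User Groups policy: the list, the optional default group, and the built-in group."""
    user_groups: Dict[str, dict]
    default_group: Optional[dict]
    builtin: dict


def pick_auth_group(profile: ProfileAaa, interface: str) -> Tuple[str, bool]:
    """Interface-specific server group wins over the profile-wide one."""
    return profile.interface_auth_groups.get(interface, (profile.auth_group, profile.fallback_to_local))


def authenticate(profile, servers, interface, username, password):
    """Return (ok, server group that answered, user group name it returned)."""
    name, use_local = pick_auth_group(profile, interface)
    group = servers[name]
    if name != LOCAL and not group.reachable:
        if not use_local:
            return False, name, None           # group failed and no fallback: login fails
        group = servers[LOCAL]
    if group.users.get(username) != password:
        return False, group.name, None
    return True, group.name, group.user_group_of.get(username)


def resolve_user_group(policy: UserGroupPolicy, returned_name: Optional[str]) -> dict:
    """User Groups list first, then the default user group, then the built-in group."""
    if returned_name is not None and returned_name in policy.user_groups:
        return policy.user_groups[returned_name]
    if policy.default_group is not None:
        return policy.default_group
    return policy.builtin


def login(profile, policy, servers, interface, username, password) -> dict:
    ok, used, group_name = authenticate(profile, servers, interface, username, password)
    if ok and profile.users_must_exist_in_authz_db:
        ok = username in servers[profile.authz_group].users
    if not ok:
        return {"ok": False, "auth_group": used, "user_group": None}
    return {"ok": True, "auth_group": used, "user_group": resolve_user_group(policy, group_name)["name"]}


# Constructed sample: the RADIUS group is down, LOCAL is the fallback on "outside" but not on "dmz".
SERVERS = {
    LOCAL: AaaServerGroup(LOCAL, True, {"alice": "pw-a", "bob": "pw-b"}, {"alice": "eng"}),
    "RADIUS-CORP": AaaServerGroup("RADIUS-CORP", False, {"alice": "pw-a"}, {"alice": "eng"}),
    "LDAP-DMZ": AaaServerGroup("LDAP-DMZ", False, {"carol": "pw-c"}, {"carol": "ops"}),
    "LDAP-AUTHZ": AaaServerGroup("LDAP-AUTHZ", True, {"alice": ""}),
}
PROFILE = ProfileAaa(auth_group="RADIUS-CORP", fallback_to_local=True,
                     interface_auth_groups={"dmz": ("LDAP-DMZ", False)})
POLICY = UserGroupPolicy(
    user_groups={"eng": {"name": "eng", "full_tunnel": True}},
    default_group={"name": "default-clientless", "full_tunnel": False},
    builtin={"name": "built-in", "full_tunnel": False},
)

if __name__ == "__main__":
    print(login(PROFILE, POLICY, SERVERS, "outside", "alice", "pw-a"))
    print(login(PROFILE, POLICY, SERVERS, "dmz", "carol", "pw-c"))
```

The run shows why the fallback flag deserves attention: with the RADIUS group down, logins on `outside` quietly succeed against the LOCAL database and take whatever user group LOCAL returns, while the same outage on `dmz` (no fallback) is a hard failure.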
The ASA User Groups Policy page displays the ASA user groups currently
defined for your SSL VPN connection profile. From this page you can create new
user group policies and edit existing ones. In Security Manager, ASA user groups
are predefined objects. When creating an ASA User Groups policy, you may need
to select one or more objects to include in the policy definition.
This procedure describes how to specify the user groups you want to assign to
your SSL VPN connection profile on an ASA device.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Procedure
Step 1

Select View > Device View > SSL VPN > User Groups from the Policy selector.
The ASA User Groups Policy page opens, displaying a table listing the ASA user
groups defined for your SSL VPN. For a description of the elements on this page,
see Table I-23 on page I-52.

Step 2

To add an ASA user group to the list:

a. Click Create below the table.

ASA user groups are predefined objects. The Add User Group Selector opens,
displaying a list of available ASA user group objects. For a description of the
elements in this selector, see Table I-24 on page I-53.

b. Select the required ASA user group in the list. The selected user group is
displayed in the Selected field.


c. If the required user group is not included in the Add User Group Selector list,
click Create to open a dialog box that enables you to create or edit an ASA
user group object.

Note

You can also edit the properties of an ASA user group from the Add
User Group Selector, by selecting it and clicking the Edit button.

For information on how to create or edit an ASA user group object, see
Creating ASA User Group Objects, page 8-45.

d. Click OK to close the Add User Group Selector. The newly selected ASA
user group is displayed in the table on the ASA User Groups Policy page.

Step 3

To modify the properties of an ASA user group displayed in the ASA User Groups
Policy page, select the ASA user group in the table, and click Edit.
The Edit ASA User Group dialog box opens, enabling you to edit the selected
ASA user group object. For more information, see Creating ASA User Group
Objects, page 8-45.

Step 4

When you have finished configuring the ASA user groups for your SSL VPN
connection profile, click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

ASA User Groups Policy Page, page I-51

Configuring SSL VPN Policies on an ASA Device, page 11-33

Understanding ASA User Group Objects, page 8-43

Configuring the Cisco Secure Desktop Software


Cisco Secure Desktop (CSD) enables you to eliminate all traces of sensitive data
by providing a single, secure location for session activity and removal on the
client system. This ensures that cookies, browser history, temporary files, and
downloaded content do not remain on a system after a remote user logs out or an
SSL VPN session times out. CSD increases protection against data theft and client
system malware (malicious software) by encrypting all data and files associated
with or downloaded during the SSL VPN session.
CSD encrypts all information in the session. This protection is valuable in case of
an abrupt session termination, or if a session times out due to inactivity.
Furthermore, CSD stores all session information in the secure vault desktop
partition. When the session closes, CSD overwrites and removes all data using a
U.S. Department of Defense (DoD) sanitation algorithm to provide endpoint
security protection.
This procedure describes how to configure the CSD on an ASA device. For the
procedure to configure CSD on an IOS router, see Configuring the Secure
Desktop Software for an IOS SSL VPN Policy, page 11-15.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Make sure the Secure Desktop Client software is installed and activated on
the device.

Make sure a connection profile policy has been configured on the device. See
Configuring an SSL VPN Connection Profile Policy, page 11-36.

Procedure
Step 1

In Device view, select SSL VPN > Cisco Secure Desktop from the Policy
selector. The Cisco Secure Desktop policy page opens.

Step 2

Select the Enable check box to enable CSD on the ASA device.

Step 3

In the Configuration field, specify the filename of the CSD distribution package
to install into the running configuration (the securedesktop_asa_<n>_<n>*.pkg
file to be uploaded from your local computer to the flash device).
You can click Select to open the Secure Desktop Selector, from which you can
select a CSD distribution package file from a list of available CSD distribution
package objects. See Understanding Secure Desktop Configuration Objects,
page 8-153.

Step 4

Click Save to save your changes to the server.


Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Understanding Secure Desktop Configuration Objects, page 8-153.

Configuring the Secure Desktop Software for an IOS SSL VPN Policy,
page 11-15

Cisco Secure Desktop Page (ASA), page I-54

Configuring Global Settings


In Security Manager, you can define SSL VPN global settings that apply to all
devices in your SSL VPN topology. These settings include caching, content
rewriting, character encoding, proxy, and proxy bypass definitions.
These topics describe how to configure these global VPN settings:

Defining Performance Settings, page 11-47

Defining Content Rewrite Rules, page 11-49

Defining Encoding Rules, page 11-50

Defining Proxies and Proxy Bypass Rules, page 11-53

Defining Advanced Settings, page 11-55

Defining Performance Settings


Caching enhances SSL VPN performance. It stores frequently reused objects in
the system cache, which reduces the need to perform repeated rewriting and
compressing of content. It reduces traffic between SSL VPN and both the remote
servers and end-user browsers, with the result that many applications run much
more efficiently.
This procedure describes how to enable caching on your ASA security appliance.
Before You Begin

In Device view (View > Device View), select the required ASA device.


Make sure a connection profile policy has been configured on the device. See
Configuring an SSL VPN Connection Profile Policy, page 11-36.

Procedure
Step 1

Select View > Device View > SSL VPN > Global Settings from the Policy
selector.
The Global Settings page opens, displaying the Performance tab. For a description
of the elements on this tab, see Table I-26 on page I-56.

Step 2

Select the Enable check box to enable caching on the security appliance.

Step 3

Specify the minimum size document that the security appliance can cache. The
range is 0 to 10000 KB. The default is 0 KB.

Note

The maximum object size must be greater than the minimum object size.

Step 4

Specify the maximum size document that the security appliance can cache. The
range is 0 to 10000 KB. The default is 1000 KB.

Step 5

Specify an integer to set a revalidation policy for caching objects that have only
the last-modified timestamp, and no other server-set expiration values. The range
is 1 to 100. The default is 20.

Step 6

Enter an integer to set the number of minutes to cache objects without revalidating
them. Valid values range from 0 to 900. The default is one minute.

Step 7

Select the Cache Compressed Content check box to cache compressed content.

Step 8

Select the Cache Static Content check box to cache static content.

Step 9

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Configuring Global Settings, page 11-47

Performance Tab, page I-56


Defining Content Rewrite Rules


SSL VPN processes application traffic through a content transformation and
rewriting engine that handles advanced elements (such as JavaScript, VBScript,
Java, and multi-byte characters) to proxy HTTP traffic, depending on whether the
user is using an application within or independently of an SSL VPN device.
If you do not want some applications and web resources, such as public websites,
to go through the security appliance, you can create rewrite rules that permit
users to browse certain sites and applications without going through the security
appliance itself. This is similar to split tunneling in an IPsec VPN connection:
traffic to those resources is no longer inspected or logged by the appliance.
In the Content Rewrite tab of the SSL VPN Global Settings page, you can
configure multiple content rewrite rules. The Content Rewrite tab lists all
applications for which content rewrite is enabled or disabled.

Note

The security appliance searches rewrite rules by order number, starting with the
lowest, and applies the first rule that matches.
From this tab, you can create or edit content rewrite rules, as described in the
following procedure.
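The ordering rule in the Note above, as an added worked example (not Security Manager or ASA code): a small Python model of a rewrite-rule list that applies the first matching rule and reports which URLs the user's browser would fetch directly, outside the appliance. It assumes that a resource mask is a glob pattern compared against the full URL and against the host name, that unnumbered rules are evaluated after all numbered ones in creation order, and that a URL matching no rule is rewritten; the rule set and URLs are constructed. Verify those assumptions against your appliance before relying on them.

```python
"""Ordered, first-match evaluation of SSL VPN content-rewrite rules.

Added example, not Security Manager or ASA code. Assumptions: a resource mask
is a glob (fnmatch) pattern tested against the full URL and the host name,
rules without an order number run after every numbered rule in creation order,
and a URL that matches no rule is rewritten (proxied through the appliance).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RewriteRule:
    resource_mask: str            # e.g. "*.example.com" or "https://intranet/*"
    enable: bool                  # True: rewrite (proxy) content; False: browser goes direct
    order: Optional[int] = None   # 1..65534; None = after every numbered rule
    name: str = ""


def ordered(rules: List[RewriteRule]) -> List[RewriteRule]:
    """Numbered rules ascending by order, then unnumbered rules in creation order."""
    numbered = sorted((r for r in rules if r.order is not None), key=lambda r: r.order)
    return numbered + [r for r in rules if r.order is None]


def matches(rule: RewriteRule, url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return fnmatchcase(url, rule.resource_mask) or fnmatchcase(host, rule.resource_mask)


def rewrite_decision(rules, url) -> Tuple[bool, Optional[RewriteRule]]:
    """Apply the first matching rule; (True, None) when nothing matches."""
    for rule in ordered(rules):
        if matches(rule, url):
            return rule.enable, rule
    return True, None


def direct_hosts(rules, urls):
    """URLs the browser would fetch outside the appliance: the split-tunnel-like exposure."""
    return [u for u in urls if not rewrite_decision(rules, u)[0]]


# Constructed sample rule set: the narrow intranet rule must carry a lower order
# number than the broad "*.example.com" bypass, or it is never reached.
SAMPLE_RULES = [
    RewriteRule("*.example.com", enable=False, order=10, name="public-sites-direct"),
    RewriteRule("intranet.example.com", enable=True, order=5, name="intranet-proxied"),
    RewriteRule("*", enable=True, name="catch-all"),          # unnumbered: last
]

SAMPLE_URLS = [
    "https://intranet.example.com/timesheets",
    "https://www.example.com/",
    "https://partner.net/portal",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        rewrite, rule = rewrite_decision(SAMPLE_RULES, u)
        print(f"{u:45} rewrite={rewrite} rule={rule.name if rule else '-'}")
    print("fetched directly:", direct_hosts(SAMPLE_RULES, SAMPLE_URLS))
```

The check worth making before you save a rule set is the one `direct_hosts` performs: a broad disable mask with a low order number shadows every narrower enable rule below it, and the shadowed resources silently stop being proxied.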
Before You Begin

In Device view (View > Device View), select the required ASA device.

Make sure a connection profile policy has been configured on the device. See
Configuring an SSL VPN Connection Profile Policy, page 11-36.

Procedure
Step 1

Select View > Device View > SSL VPN > Global Settings from the Policy
selector.

Step 2

On the Global Settings page, click the Content Rewrite tab. The Content Rewrite
tab opens, displaying all applications for which content rewrite is enabled or
disabled. For a description of the elements on this tab, see Table I-27 on
page I-58.

Step 3

On the Content Rewrite tab, click Create, or select a rewrite rule in the table and
click Edit.


The Add/Edit Content Rewrite dialog box opens. For a description of the elements
in this dialog box, see Table I-28 on page I-60.
Step 4

Select the Enable check box to enable content rewrite for this rewrite rule.

Step 5

Enter a number for this rule. This number specifies the position of the rule in the
list. Rules without a number are at the end of the list. The range is 1 to 65534.

Step 6

Enter an alphanumeric string that describes the rule, maximum 128 characters.

Step 7

Enter the name of the application or resource mask to which the rule applies (up
to 300 characters).

Step 8

Click OK. The Add Content Rewrite Rule dialog box closes, and the content
rewrite rule is added to the table.

Note

If you want to delete a content rewrite rule from the table, select it and click
Delete.

Step 9

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Configuring Global Settings, page 11-47

Content Rewrite Tab, page I-58

Add/Edit Content Rewrite Dialog Box, page I-59

Defining Encoding Rules


Character encoding is the pairing of raw data (such as 0s and 1s) with characters
to represent the data. The language determines the character encoding method to
use. Some languages use the same method, while others do not. Usually, the
geographic region determines the default encoding method used by the browser,
but the remote user can change this. The browser can also detect the encoding
specified on the page, and render the document accordingly.


The encoding attribute lets you specify the value of the character encoding
method in the SSL VPN portal page to ensure that the browser renders it properly,
regardless of the region in which the user is using the browser, or any changes
made to the browser.
The character encoding attribute is a global setting that, by default, all SSL VPN
portal pages inherit. However, you can override the file-encoding attribute for
Common Internet File System (CIFS) servers that use character encoding that
differs from the value of the character-encoding attribute. You can use different
file-encoding values for CIFS servers that require different character encodings.
Portal pages that the SSL VPN serves from a CIFS server carry the file-encoding
value configured for that server or, if none is configured, the global character
encoding value.
The remote user's browser maps this value to an entry in its character encoding set
to determine the proper character set to use. The SSL VPN portal pages do not
specify a value if SSL VPN configuration does not specify a file encoding entry
for the CIFS server and the character encoding attribute is not set. The remote
browser uses its own default encoding if the SSL VPN portal page does not
specify the character encoding, or if it specifies a character encoding value that
the browser does not support.
In the Encoding tab of the SSL VPN Global Settings page, you can view the
currently configured character sets associated with the CIFS server to be encoded
in the portal pages. From this tab, you can create or edit the character sets, as
described in the following procedure.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Make sure a connection profile policy has been configured on the device. See
Understanding SSL VPN Connection Profile Policies, page 11-35.

Procedure
Step 1

Select View > Device View > SSL VPN > Global Settings from the Policy
selector.

Step 2

On the Global Settings page, click the Encoding Tab. For a description of the
elements on this tab, see Table I-29 on page I-61.


Step 3

From the Global SSL VPN Encoding Type list, select the attribute that
determines the character encoding that all SSL VPN portal pages inherit, except
for those from the CIFS servers listed in the table.

Note

If you choose none or specify a value that the browser on the SSL VPN
client does not support, it uses its own default encoding.

Step 4

Click Create, or select a character set in the table and click Edit.
The Add/Edit File Encoding dialog box opens. For a description of the elements
in this dialog box, see Table I-30 on page I-64.

Step 5

In the CIFS Server field, enter the name or IP address of each CIFS server for
which the encoding requirement differs from the Global SSL VPN Encoding
Type attribute setting.
CIFS servers are predefined network objects. You can click Select to open the
Network/Hosts Selector dialog box that lists all available network hosts, and in
which you can create network host objects.

Step 6

From the Encoding Type list, select the character encoding that the CIFS server
should provide for SSL VPN portal pages.

Step 7

Click OK. The Add/Edit File Encoding dialog box closes, and the newly created
or edited character set is added to the table.

Note

If you want to delete a character set from the table, select it and click
Delete.

Step 8

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Configuring Global Settings, page 11-47

Encoding Tab, page I-61

Add/Edit File Encoding Dialog Box, page I-63


Defining Proxies and Proxy Bypass Rules


The security appliance can terminate HTTPS connections and forward
HTTP/HTTPS requests to HTTP and HTTPS proxy servers. These servers act as
intermediaries between users and the Internet. Requiring all Internet access to
pass through a server you control provides another opportunity for filtering, to
assure secure Internet access and administrative control.

Note

The HTTP/HTTPS proxy does not support connections to personal digital
assistants.

You can configure the security appliance to use proxy bypass when applications
and web resources work better with the minimal content rewriting this feature
provides. Proxy bypass is an alternative method of content rewriting that makes
minimal changes to the original content. It is useful with custom web applications.
You can configure multiple proxy bypass entries. The order in which you
configure them is unimportant. The interface and path mask or interface and port
uniquely identify a proxy bypass rule.
If you configure proxy bypass using ports rather than path masks, depending on
your network configuration, you might need to change your firewall configuration
to allow these ports access to the security appliance. Use path masks to avoid this
restriction. Be aware, however, that path masks can change, so you might need to
use multiple path mask statements to exhaust the possibilities.
In the Proxy tab of the SSL VPN Global Settings page, you can view the currently
configured proxy bypass rules, create new rules or edit the existing ones, as
described in the following procedure.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Make sure a connection profile policy has been configured on the device. See
Understanding SSL VPN Connection Profile Policies, page 11-35.

Procedure
Step 1

Select View > Device View > SSL VPN > Global Settings from the Device
Policies selector.


Step 2

On the Global Settings page, click the Proxy Tab. For a description of the
elements on this tab, see Table I-31 on page I-65.

Step 3

Specify the IP address of the external HTTP proxy server to which the security
appliance forwards HTTP connections. You can click Select to make your
selection from a list of network host objects.

Step 4

Specify the port that listens for HTTP requests. The default port is 80. You can
click Select to make your selection from the Port List Selector dialog box.

Step 5

Specify the IP address of the external HTTPS proxy server to which the security
appliance forwards HTTPS connections. You can click Select to make your
selection from a list of network host objects.

Step 6

Specify the port that listens for HTTPS requests. The default port is 443. You can
click Select to make your selection from the Port List Selector dialog box.

Step 7

Under the Proxy Bypass table, click Create, or select a rule in the table and click
Edit.
The Add/Edit Proxy Bypass dialog box opens. For a description of the elements
in this dialog box, see Table I-32 on page I-67.

Step 8

Specify the name of the interface on the security appliance for proxy bypass. You
can click Select to make your selection from a list of interface and interface role
objects.

Step 9

Select the required Bypass Traffic option, as follows:

On Port: Specify a port number to be used for proxy bypass. Valid port
numbers are 20000 to 21000. You can click Select to open the Port List Selector
dialog box from which you can make your selection.

Match Specifying Pattern: Specify a URL path to match for proxy bypass.

Step 10

In the URL field, select the http or https protocol, and enter the URL to which
you want to apply proxy bypass.

Step 11

Select the Rewrite XML check box to rewrite XML sites and applications to be
bypassed by the security appliance.

Step 12

Select the Rewrite Hostname check box to rewrite absolute external links.

Note

You can configure the security appliance to perform no content rewriting, to
rewrite XML only, to rewrite hostnames (absolute links) only, or both.


Step 13

Click OK. The Add Proxy Bypass Rule dialog box closes, and the proxy bypass
rule is added to the table.

Note

If you want to delete a proxy bypass rule from the table, select it and click
Delete.

Step 14

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Configuring Global Settings, page 11-47

Defining Content Rewrite Rules, page 11-49

Proxy Tab, page I-64

Add/Edit Proxy Bypass Dialog Box, page I-66

Defining Advanced Settings


The Advanced tab lets you configure the amount of security appliance memory
that SSL VPN can use for its sessions.
Before You Begin

In Device view (View > Device View), select the required ASA device.

Make sure a connection profile policy has been configured on the device. See
Understanding SSL VPN Connection Profile Policies, page 11-35.

Procedure
Step 1

Select View > Device View > SSL VPN > Global Settings from the Device
Policies selector.

Step 2

On the Global Settings page, click the Advanced Tab. For a description of the
elements on this tab, see Table I-33 on page I-69.


Step 3

Specify the amount of memory that you want to allocate to the SSL VPN
processes, either as a percentage of total memory or in kilobytes. The default
percentage is 50%. Different ASA models have different total amounts of
memory.

Note

When you change the memory size, the new setting takes effect only after
the system reboots.

Step 4

Click Save to save your changes to the server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Configuring Global Settings, page 11-47

Advanced Tab, page I-69


Chapter 12

Managing Firewall Services


Firewall Services manages firewall-related policies in Security Manager that
apply to the adaptive security appliance (ASA), PIX Firewall (PIX), Firewall
Services Module (FWSM) installed in a Catalyst 6500 Series switch or Cisco 7600
Series router, and security routers running Cisco IOS (IOS).
Each firewall policy comprises a collection of rules. The rules are loaded into
rules tables incrementally, allowing you to scroll and view a partial rule set before
the entire rule set is in memory. After rules are loaded the first time, they are
retained in cache memory, so subsequent viewing of the rules tables is
instantaneous. Cache memory is automatically cleared after an activity is
approved or discarded, if a device is rediscovered, or when a policy is copied from
another device. While rules are being loaded into tables, the action buttons on the
page are grayed out until loading is complete; however, you can still make
changes to the rules in the table during this process.
You can define firewall policies from Device view, which enables you to
configure local service policies on individual firewall devices and security
appliances. You can then share these local policies with other devices. You can
also define firewall policies from Policy view, which enables you to define a
general policy to assign to a set of devices or all devices. Policy view enables you
to manage shared policies at the system level. For more information, see
Chapter 6, Managing Policies.
Firewall Services provides a uniform design for displaying firewall policy
information for all supported platforms. This design is represented in the form of
rules tables that are shown in the main work area. The options listed in the
Firewall selector are based on the type of device for which rules are being created.


Security Manager manages the following types of policies under Firewall Services:

Firewall rules: Permit or deny a packet based on source address, destination
address, source interface, and service. For more information, see Working
with Access Rules, page 12-59.

Inspection rules: Support routers running IOS, PIX Firewalls 7.x, and fixup
commands on adaptive security appliances (ASAs) and Firewall Services
Modules (FWSMs) 3.x. For more information, see Working with Inspection
Rules, page 12-73.

AAA rules: Control authentication, authorization, or accounting for traffic.
For more information, see Working with AAA Rules, page 12-89.

Web filter rules: Filter URLs using a filtering server such as Websense. For
more information, see Working with Web Filter Rules, page 12-101.

Transparent rules: EtherType rules used to configure policies for non-IP traffic
through the firewall appliance when it operates in transparent mode. In
transparent mode, you can apply extended and EtherType access rules to an
interface. For more information, see Working with Transparent Firewall
Rules, page 12-122.

In addition to understanding the types of firewall policies that Security Manager
supports, you need to understand the concept of policy inheritance. Inheritance
refers to the capability of Security Manager to enforce hierarchical lists of
first-match, rule-based policies such as access rules. Within the hierarchy,
policies at a lower level (called child policies) extend or override the
properties of the policies directly above them (called parent policies). A
firewall policy can inherit from a parent policy. Settings-based policies do not
recognize inheritance, but they can be shared and assigned to other devices. For
more information, see the following:

Understanding Rule Inheritance, page 6-50

Working with Shared Policies in Device View, page 6-27.

To better understand the difference between policy inheritance and policy
assignment, see Inheritance vs. Assignment, page 6-53.


It is important to understand how Security Manager recognizes names for access
control lists. During deployment, the ACL names can be automatically generated
by Security Manager or preserved as defined by users. For more information, see:

How ACL Names Are Generated, page 12-53

Preserving User-Defined ACL Names, page 12-56

Firewall policies have the following properties:

A policy assigned to a device corresponds to a set of commands (CLI) on
that device.

Only one policy of a particular type can be assigned to a device; however, a
policy can be assigned to multiple devices. If a new policy of the same
type is assigned to a device, the new policy overrides the previous
assignment. For more information, see Assigning a Shared Policy to a
Selected Device, page 6-33.

A policy can be shared or local. A local policy applies to only one device and
is removed when the device is removed from Security Manager. A shared
policy can be assigned to multiple devices and remains in the system even if
all of its associated devices are removed from Security Manager. For more
information, see Local Policies vs. Shared Policies, page 6-4.

Note

Shared policies are listed when you are working at the global policy
level. You must assign a name to the policy when it is created. For
more information, see Creating a New Shared Policy, page 6-45.

You can define a policy at the global level, which can be inherited at the
device level.

The ACEs from the mandatory rules are ordered from the highest group down
to the device. Mandatory rules cannot be overridden. The ACEs from the
Default rules are ordered in the opposite direction and can be overridden. For
more information, see Understanding Rule Inheritance, page 6-50.

You can edit firewall policy inheritance from either Device view or Policy
view.

You can copy or clone firewall policies between devices.
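A worked model of the ordering described above, added here as an example and not Security Manager code: the mandatory sections of each policy in the inheritance chain are laid out parent-first and the default sections device-first, and a packet is then evaluated first-match against the result. The policy names, addresses and services are constructed, and the implicit deny at the end of the list is an assumption about ACL semantics rather than something this chapter states.

```python
"""Effective first-match order of access rules under policy inheritance:
mandatory sections top-down, default sections bottom-up.

Added example, not Security Manager code. The policy chain, addresses and
services are constructed; the implicit deny at the end of the list is an
assumed ACL property, not a statement from the user guide.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    src: str       # CIDR, host address, or "any"
    dst: str
    service: str   # e.g. "tcp/23", or "any"
    action: str    # "permit" | "deny"


@dataclass
class Policy:
    name: str
    mandatory: List[Ace] = field(default_factory=list)
    default: List[Ace] = field(default_factory=list)


def _contains(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def ace_matches(ace: Ace, src: str, dst: str, service: str) -> bool:
    return (_contains(ace.src, src) and _contains(ace.dst, dst)
            and ace.service in ("any", service))


def effective_order(chain: List[Policy]) -> List[Tuple[str, str, Ace]]:
    """`chain` runs from the top-most parent policy down to the device's own policy.

    Mandatory ACEs are emitted parent-first, so nothing below a parent can match
    ahead of its mandatory rules (they cannot be overridden). Default ACEs are
    emitted device-first, so a child's default matches before an ancestor's and
    thereby overrides it."""
    out = []
    for policy in chain:
        out.extend((policy.name, "mandatory", ace) for ace in policy.mandatory)
    for policy in reversed(chain):
        out.extend((policy.name, "default", ace) for ace in policy.default)
    return out


def evaluate(chain, src, dst, service) -> Tuple[str, Optional[str], str]:
    """First match wins; returns (action, policy that supplied the ACE, section)."""
    for policy_name, section, ace in effective_order(chain):
        if ace_matches(ace, src, dst, service):
            return ace.action, policy_name, section
    return "deny", None, "implicit"   # assumed implicit deny at the end of the ACL


# Constructed three-level hierarchy: global shared policy -> branch policy -> device.
CORPORATE = Policy(
    "Corporate",
    mandatory=[Ace("any", "any", "tcp/23", "deny")],      # telnet banned everywhere
    default=[Ace("any", "any", "any", "deny")],           # catch-all default
)
BRANCH_EAST = Policy(
    "Branch-East",
    default=[Ace("10.20.0.0/16", "any", "tcp/80", "permit")],
)
ASA_EAST_1 = Policy(
    "asa-east-1",
    mandatory=[Ace("10.20.5.0/24", "any", "tcp/23", "permit")],   # cannot beat Corporate
    default=[Ace("10.20.5.0/24", "10.1.1.53/32", "udp/53", "permit")],
)
CHAIN = [CORPORATE, BRANCH_EAST, ASA_EAST_1]

if __name__ == "__main__":
    for name, section, ace in effective_order(CHAIN):
        print(f"{name:12} {section:9} {ace.action:6} {ace.src} -> {ace.dst} {ace.service}")
    print(evaluate(CHAIN, "10.20.5.7", "10.9.9.9", "tcp/23"))
    print(evaluate(CHAIN, "10.20.5.7", "10.1.1.53", "udp/53"))
```

The two printed evaluations show both directions of the rule: the device's mandatory permit for telnet never wins because the corporate mandatory deny sits above it, while the device's default DNS permit does win because default sections are searched device-first.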

Security Manager does not recognize out-of-band changes (rules and other
changes entered directly on the device). If the device has several changes that you
want recognized by Security Manager, you can right-click the device, then click
Discover Policies on Device. Security Manager contacts the device and
rediscovers the policies on it. If you are requesting to discover policies for the first
time, you are prompted with a warning that all policies on the device will be
overridden if you continue.
If permanent changes are entered directly on the device, you can be made aware
of such changes by requesting that an error or warning is generated before you
deploy updated configurations to the device.

A warning permits the deployment to continue and a message appears in the
deployment status window.

An error denies the deployment.

For more information, see Deploying to a Device, page 18-11.

Note

Out-of-band changes do not appear in rules tables managed by Security Manager.
Only policies defined in Security Manager are shown in rules tables.
Related Topics

Understanding Settings for Access Controls, page 12-132

Managing Your Rules Tables, page 12-5

How ACL Names Are Generated, page 12-53

Preserving User-Defined ACL Names, page 12-56

Working with Access Rules, page 12-59

Working with Inspection Rules, page 12-73

Working with AAA Rules, page 12-89

Working with Web Filter Rules, page 12-101

Working with Transparent Firewall Rules, page 12-122


Managing Your Rules Tables


To help you administer your rules tables, Security Manager provides you with the
ability to perform a variety of functions. You can:

Analyze whether rules overlap or conflict with other rules. See Using
Analysis, page 12-6.

Combine rules to improve performance and memory usage. See Combining
Rules, page 12-11.

Search for a particular object or text string and replace it globally or
selectively. See Using Find and Replace, page 12-18.

Collect data identifying the number of times that traffic for a device is
permitted or denied based on an access rule. See Using Hit Count,
page 12-24.

Import rules by pasting them from an external application to the access rule
table in Security Manager, or by importing them from a file. See Importing
Rules, page 12-32.

Compose a query that describes a set of packets. The results of the query
identify all rules that could affect the defined packets. See Using Policy
Query, page 12-37.

Divide your rules tables into sections to help you manage large rules tables.
See Understanding Rule Table Sections, page 12-44.

Optimize network policy objects that are used in rules tables when deploying
generated configurations to PIX, ASA, and FWSM devices. See Optimizing
Policy Objects in Rules, page 12-47.

Expand object groups to display separate CLI during discovery. See
Expanding Object Groups During Discovery, page 12-49.

Create network/host policy objects from cell contents in Access Rules and
AAA Rules tables. See Editing Access Rules, page 12-65 and Editing AAA
Rules, page 12-94 respectively.


Using Analysis
The Analysis feature analyzes and reports rules that overlap or conflict with other
rules. The analysis is performed using the rules defined for a selected device.
Reports are provided for access rules only. For more information, see Generating
Analysis Reports, page 12-8.
Certain conflicting rules might have no effect on a device after they are deployed,
but they clutter the rules table. By detecting these rules, you can clean up the rule
set and optimize performance.
Other conflicting rules, such as opposite rules, can produce unwanted results on
your network. By detecting these conflicting rules, you can implement your
security requirements as intended.
The Analysis feature supports discontiguous masks. For more information, see
Contiguous and Discontiguous Network Masks, page 8-129.
The types of conflicts shown in the analysis report include:

Duplicate rules: rules that are identical.

Conflicting rules:
Opposite rules (Table 12-1).
Opposite rules (Table 12-2).
A lower rule that will never be used (Table 12-3).
The first rule contained in a second rule (Table 12-4).

Table 12-1    Opposite Rules

Source     Destination    Service    Action
my-PC      Mail-Servers   smtp-25    Permit
my-PC      Mail-Servers   smtp-25    Deny

Table 12-2    Opposite Rules

Source     Destination    Service    Action
my-PC      any            smtp-25    Permit
my-PC      1.2.3.4        smtp-25    Deny

Table 12-3    Lower Rule Never Used

Source                          Destination    Service    Action
PC-subnet (192.168.101.0/24)    Print-Server   lpr-515    Permit
my-PC (192.168.101.50)          Print-Server   lpr-515    Deny

Table 12-4    First Rule Contained In Second Rule

Source                          Destination    Service    Action
PC-subnet (192.168.101.0/24)    Web-Proxy1     80         Permit
Trusted-Nets (192.168.0.0/16)   Web-Proxy1     80         Permit

The analysis report is displayed in three window panes (Figure 12-1).

Left pane: Lists conflicting groups. Conflicts are grouped into conflicting
groups based on base rules.

Top right pane: Identifies a base rule and one or more conflicting rules for
this conflicting group.

Bottom right pane: Identifies one or more conflicts at the tuple level for
the base rule and conflicting rule. A tuple consists of the sub-elements of a
rule on which rule analysis is conducted, for example, source, destination,
service, and interface. The specific conflicting relationship and details can be
navigated using the Previous and Next buttons.
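The four table patterns above as a pairwise check you can run over an ordered rule list, added here as an example and not Security Manager's Analysis engine. The rows are those of Tables 12-1 to 12-4; the addresses behind Mail-Servers, Print-Server and Web-Proxy1 are constructed, the rest are the ones the tables give. Going slightly beyond the tables, it also flags partial overlaps with opposite actions, which are the pairs whose outcome depends on rule order.

```python
"""Pairwise conflict analysis of an ordered, first-match access rule list:
duplicate, opposite, shadowed ("lower rule never used") and contained rules.

Added example, not Security Manager's Analysis engine. The rules are the rows
of Tables 12-1 to 12-4; the addresses for Mail-Servers, Print-Server and
Web-Proxy1 are assumed, the others are the ones the tables show.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple

OBJECTS = {
    "my-PC": "192.168.101.50",
    "PC-subnet": "192.168.101.0/24",
    "Trusted-Nets": "192.168.0.0/16",
    "Mail-Servers": "10.0.0.16/28",   # assumed
    "Print-Server": "10.0.1.15",      # assumed
    "Web-Proxy1": "10.0.2.8",         # assumed
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # object name, CIDR, host address, or "any"
    dst: str
    service: str   # service object name such as "smtp-25", or "any"
    action: str    # "permit" | "deny"


def _net(value: str) -> ipaddress.IPv4Network:
    value = OBJECTS.get(value, value)
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` can match is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.service in ("any", inner.service))


def overlaps(a: Rule, b: Rule) -> bool:
    return (_net(a.src).overlaps(_net(b.src)) and _net(a.dst).overlaps(_net(b.dst))
            and (a.service == b.service or "any" in (a.service, b.service)))


def analyze(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (finding, upper rule name, lower rule name) for each conflicting pair.

    `upper` precedes `lower` in the table, so with first-match semantics a lower
    rule that `upper` covers can never fire, whichever action it carries."""
    findings = []
    for upper, lower in combinations(rules, 2):
        if covers(upper, lower) and covers(lower, upper):
            kind = "duplicate" if upper.action == lower.action else "opposite"
        elif covers(upper, lower):
            kind = "lower rule never used"
            if upper.action != lower.action:
                kind += " (opposite)"
        elif covers(lower, upper) and upper.action == lower.action:
            kind = "first rule contained in second rule"
        elif overlaps(upper, lower) and upper.action != lower.action:
            kind = "partial overlap with opposite actions"
        else:
            continue
        findings.append((kind, upper.name, lower.name))
    return findings


TABLE_12_1 = [Rule("1", "my-PC", "Mail-Servers", "smtp-25", "permit"),
              Rule("2", "my-PC", "Mail-Servers", "smtp-25", "deny")]
TABLE_12_2 = [Rule("1", "my-PC", "any", "smtp-25", "permit"),
              Rule("2", "my-PC", "1.2.3.4", "smtp-25", "deny")]
TABLE_12_3 = [Rule("1", "PC-subnet", "Print-Server", "lpr-515", "permit"),
              Rule("2", "my-PC", "Print-Server", "lpr-515", "deny")]
TABLE_12_4 = [Rule("1", "PC-subnet", "Web-Proxy1", "80", "permit"),
              Rule("2", "Trusted-Nets", "Web-Proxy1", "80", "permit")]

if __name__ == "__main__":
    for label, table in (("12-1", TABLE_12_1), ("12-2", TABLE_12_2),
                         ("12-3", TABLE_12_3), ("12-4", TABLE_12_4)):
        print(label, analyze(table))
```

Table 12-2 comes out as both opposite and shadowed: the deny for 1.2.3.4 is entirely inside the permit above it, so the deny is dead code and the traffic it was meant to block is permitted.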


Figure 12-1    Example of Analysis Report Layout

Related Topics

Generating Analysis Reports, page 12-8

Contiguous and Discontiguous Network Masks, page 8-129

Generating Analysis Reports

The Analysis feature analyzes and reports rules that overlap or conflict with other
rules. The analysis is performed using the rules defined for a selected device.
For more information, see Example of Analysis Report Layout, page 12-8.


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

Click the Tools button located below the table, then select Analysis.

Note

Depending on how many rules are present, a progress bar may or may not
be displayed.

The Analysis Report appears. For a description of the GUI elements, see
Table J-96.
Step 4

Based on the report, make any corrections to the rules tables as needed.

Step 5

Click OK to close the report.


Figure 12-2 shows an Analysis Report query from the Access Rules page.
Figure 12-2    Analysis Report Query

Figure 12-3 shows the results of that query. The report in this example shows that
the rules conflict.


Figure 12-3    Analysis Report Results

Related Topics

Analysis Reports Page, page J-179

Example of Analysis Report Layout, page 12-8

Contiguous and Discontiguous Network Masks, page 8-129

Combining Rules
Your organization might dictate the need for using a large number of ACLs. A
large number of ACLs can affect performance and memory usage in
Security Manager and on the device. To help you manage your ACLs, you can
combine rules, thus facilitating your ability to maintain them.


Combining rules provides a way to group objects of a similar type so that a single
access rule can apply to all objects in the group. For example, consider the
following three object groups:

• My Services: Includes the TCP/UDP port numbers of the service requests
  that are allowed access to the internal network.

• Trusted Hosts: Includes the host and network addresses allowed access to
  the greatest range of services and servers.

• Public Servers: Includes the host addresses of servers to which the greatest
  access is provided.

After combining these objects, you can use a single access rule to allow trusted
hosts to make specific service requests to a group of public servers.

Note

Combining objects does not automatically create an object group. To create an
object group, you can right-click a cell in the table, then choose to create a
network object or service object from the cell contents using the shortcut menu.

Combining rules dramatically compresses the number of access rules required to
implement a particular security policy. For example, a customer policy that
required 3,300 access rules might only require 40 rules after hosts and services
are properly grouped.
To achieve this, multidimensional sorting is performed. For example:

1. Policies are sorted by their sources, so policies with the same source are
   placed together.

2. Same-source policies are sorted by destination, so policies with the same
   source and destination are placed together.

3. Same-source and same-destination policies are combined into a single policy,
   and the services are combined into an object group.

4. Adjacent policies are checked to see if they have the same source and service.
   If so, they are combined into a single policy, and the destinations are
   combined into an object group.

5. Adjacent policies are checked to see if they have the same destination and
   service. If so, they are combined into a single policy, and the sources are
   combined into an object group.

Sorting is repeated based on destination and service in place of source.


For example, you might have two rules:


Rule 1: Src:1.1.1.1 Dst:2.2.2.2 Svc:CMD Interface:inside Action:Permit
Rule 2: Src:1.1.1.1 Dst:3.3.3.3 Svc:CMD Interface:inside Action:Permit

The two rules can be combined to form a new rule:


New Rule: Src:1.1.1.1 Dst:2.2.2.2, 3.3.3.3 Svc:CMD Interface:inside
Action:Permit

Tip

You can right-click the Destination cell to create a network object from
the combined cell contents.

You can elect to automatically create network objects to replace the
comma-separated values in a rule table cell that resulted when multiple rules were
combined. The network objects are created during deployment. To set this feature,
select Tools > Security Manager Administration > Deployment. From the
Deployment page, select Create Object Groups for Multiple Sources,
Destinations, or Services in a Rule.
Each object in the source domain must have a unique name so that policies can be
sorted alphabetically. The same requirement is true for destinations and services.
Sorting can also be based on IP addresses or port numbers.
Related Topics

Combined Rules Criteria Notes, page 12-13

Defining Combined Rules Criteria, page 12-15

Combine Rules Selection Summary Dialog Box, page J-214

Combined Rules Criteria Notes


When combining rules, note the following:

• For access rules to be combined, they must share the same values for:
  - Enabled/disabled flag
  - Category
  - Permit/deny flag
  - Traffic direction
  - Logging options
  - Time range
  - IOS options

• For AAA rules to be combined, they must share the same values for:
  - Enabled/disabled flag
  - Category
  - Permit/deny flag
  - Server group
  - Authentication, authorization, and accounting options
  - AuthProxy options (Applicable to IOS devices only)

• All rules have the option to include a description and category field. Although
  the category field does not affect the CLI generated, rules with different
  categories cannot be combined. Rules with different descriptions, however,
  can be combined and the new rule will contain a concatenation of the
  descriptions separated by a new line.

• Rules belonging to different sections cannot be combined.

• Rules with different actions (permit/deny) cannot be combined.

• If the currently selected folder is a parent policy when viewed from Policy
  View or Map View, the Combined Rules button is enabled, but the summary
  results are read-only.

• If you do not have the correct privileges to modify a rules table, the Combined
  Rules button is enabled, but the summary results are read-only.
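To make the sorting passes in Combining Rules and the criteria in these notes concrete, here is an added Python model of the combining pass (example code, not Security Manager's own implementation). The Rule fields, the helper names and the sample rules are assumptions; the sample is constructed from Rule 1 and Rule 2 above plus a deny rule that the criteria keep separate.

```python
"""Rule-combining pass modelled on the multidimensional sort described in
Combining Rules (added example; not Security Manager code). Two rules are
merged only when every attribute listed in Combined Rules Criteria Notes
matches; descriptions are concatenated with a newline, as the notes state."""
from dataclasses import dataclass, replace
from itertools import groupby


@dataclass(frozen=True)
class Rule:                      # assumed field set for this example
    src: frozenset               # addresses or network object names
    dst: frozenset
    svc: frozenset               # services, e.g. "tcp/80" or "CMD"
    action: str = "permit"       # permit/deny flag
    interface: str = "inside"
    direction: str = "in"        # traffic direction
    enabled: bool = True         # enabled/disabled flag
    category: str = ""
    logging: str = ""
    time_range: str = ""
    description: str = ""


def criteria_key(r):
    """Everything that must be equal before two rules may be combined."""
    return (r.enabled, r.category, r.action, r.interface, r.direction,
            r.logging, r.time_range)


def _merge(a, b, field):
    """Union one column of b into a; keep distinct descriptions, newline-joined."""
    descs = [d for d in (a.description, b.description) if d]
    joined = "\n".join(dict.fromkeys(descs))       # de-duplicate, keep order
    return replace(a, **{field: getattr(a, field) | getattr(b, field)},
                   description=joined)


def _combine_on(rules, key_fields, merge_field):
    """Sort so rules sharing criteria_key and key_fields become adjacent,
    then fold each run of adjacent matches into one rule (steps 1-5)."""
    def key(r):
        return (criteria_key(r),) + tuple(sorted(getattr(r, f)) for f in key_fields)
    combined = []
    for _, run in groupby(sorted(rules, key=key), key=key):
        acc = None
        for r in run:
            acc = r if acc is None else _merge(acc, r, merge_field)
        combined.append(acc)
    return combined


def combine_rules(rules):
    """Repeat the three passes (same src+dst -> merge svc; same src+svc ->
    merge dst; same dst+svc -> merge src) until no further reduction.
    Caveat of this example: the passes reorder rules, so they are only safe
    where permit and deny rules do not overlap in the traffic they match."""
    current = list(rules)
    while True:
        nxt = _combine_on(current, ("src", "dst"), "svc")
        nxt = _combine_on(nxt, ("src", "svc"), "dst")
        nxt = _combine_on(nxt, ("dst", "svc"), "src")
        if len(nxt) == len(current):
            return nxt
        current = nxt


# Constructed sample: Rule 1 and Rule 2 from the text, plus a deny rule that
# shares source and service but must stay separate (different action).
SAMPLE = [
    Rule(frozenset({"1.1.1.1"}), frozenset({"2.2.2.2"}), frozenset({"CMD"}),
         description="Rule 1"),
    Rule(frozenset({"1.1.1.1"}), frozenset({"3.3.3.3"}), frozenset({"CMD"}),
         description="Rule 2"),
    Rule(frozenset({"1.1.1.1"}), frozenset({"4.4.4.4"}), frozenset({"CMD"}),
         action="deny"),
]


def combine_sample():
    """Returns two rules: one permit with both destinations, one deny."""
    return combine_rules(SAMPLE)


if __name__ == "__main__":
    for r in combine_sample():
        print(r.action, sorted(r.src), sorted(r.dst), sorted(r.svc), repr(r.description))
```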

Related Topics

Combining Rules, page 12-11

Defining Combined Rules Criteria, page 12-15

Combine Rules Selection Summary Dialog Box, page J-214


Defining Combined Rules Criteria


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > [Access Rules | AAA Rules].


The appropriate table appears based on your selection.

Step 3

(Optional) Select specific rules in the table for the purpose of combining. To
consider all rules in the table, do nothing.

Step 4

Click the Tools button located below the table, then select Combine Rules.
The Combine Rules Selection Summary dialog box appears.

Step 5

Select the columns used for combining rules.

Step 6

Click OK.
The Results Summary is displayed after the rules table has been analyzed. For
more information, see Understanding Combined Rules Summary Results,
page 12-16.

Step 7

(Optional) Click Detail Report, which displays a text description of combined rule
information and shows table cell contents in their entirety. Close the window after
you view its contents.

Step 8

Click OK to replace the original rules in the rules tables with the combined rules.
You return to the main table with the new combined rules shown.

Step 9

Click Save, which saves your changes to the server but keeps them private.

Related Topics

Combining Rules, page 12-11

Combined Rules Criteria Notes, page 12-13

Combine Rules Selection Summary Dialog Box, page J-214


Understanding Combined Rules Summary Results


The combined rules summary is divided into two tables (Figure 12-4). The top
table shows the new rules that have been generated. A table cell with a red border
identifies the changes that were made to the cell content, enabling the rules to be
combined. The bottom table shows the original rules in the table before they were
combined and indicates the rules' original row numbers.

Tip

Selecting a combined rule in the top table shows the rules in the lower
table that were combined.

You can make changes directly to the results shown in the Description column.
You can also create a network or service object from the Source, Destination, or
Service columns.
Clicking OK updates the rules table with the combined rules; however, you must
click Save to save your changes to the server.

Note

If you decide not to combine rules after you click Save, you can cancel the
activity; however, after the activity is approved, you cannot revert back to
uncombined rules.
From this report, you can click Detailed Report, which opens a text description
of combined rule information and displays table cell contents in its entirety. The
report is in HTML, which you can print and save using Internet Explorer toolbar
options.


Figure 12-4 Combined Rule Summary (callouts: Combined cell, Newly combined rule, Original rules)

Related Topics

Combining Rules, page 12-11

Combined Rules Criteria Notes, page 12-13

Combine Rules Selection Summary Dialog Box, page J-214


Using Find and Replace


The Find and Replace feature is a convenient method by which you can search for
values in rules tables, such as IP addresses and policy object names, to facilitate
locating and making changes to rules in tables. The feature is similar to the find
and replace feature in Microsoft Windows applications. You access this feature by
clicking the Find and Replace icon (shown as a binoculars icon), which is located
below the rules tables.

Note

The Find and Replace feature is not supported from the Transparent Rules tables
or Web Filter Rules tables for IOS devices.
Currently you can search for data in Source, Destination, Service, Interface, and
Description table columns. When you begin to identify your search operation, you
choose a data type on which to search using a list box. The available values used
in the search will vary based on your selection. Find and Replace works on a
table-by-table basis.
Table 12-5 identifies the data on which a search can be performed. For other
values listed in tables, you can perform similar functionality using a combination
of filtering and multiple rule editing features.

Table 12-5 Find and Replace Values

Column               Searched Values
Source/Destination   IP address or network object name. The search feature is not
                     case-sensitive.
Service              Raw service string, for example TCP/80, or service object name.
                     The search feature is not case-sensitive.
                     Note: The Find and Replace feature uses a syntactic search and not
                     a semantic search. For example, if you search on TCP/80 and a
                     rule has HTTP service defined, search results will not find it.


Interface            Interface role pattern used in raw interface string, such as Ethernet0,
                     or interface role object, such as External. The search feature is not
                     case-sensitive.
Description          Enables you to enter a string of text that is used to define a policy
                     rule.

Related Topics

Find and Replace Notes, page 12-19

How Regular Expressions are Supported in Find and Replace, page 12-20

Defining Find and Replace Criteria, page 12-22

Find and Replace Page, page J-177

Find and Replace Notes


When defining your find and replace criteria, be aware of the following:

• Find using partial data is supported only for named policy objects, not
  IP addresses, nameless services, or service strings. For example, if you search
  for network 10.10 and deselect Find whole words only, search results will
  find all named objects that include 10.10, but no IP addresses that contain the
  string, for example, 110.10.23.34, or 23.10.10.45.

  Note

  Search results can highlight complete subcell information only. For
  example, if you search on External for Interface Role, and the
  results display External7202, the entire interface name is highlighted.

• Although a rule can contain multiple sources, destinations, services, and
  interfaces, you cannot search on multiple items; the search feature supports
  only single items. For example, to find search results for rules containing FTP
  and HTTP services, two searches are needed, one for FTP and one for HTTP.

• Only text strings used as search criterion for Descriptions can be partially
  replaced.


• Searches on patterns are supported. For example, you can select your search
  criterion for Interface Roles by typing a text string in the field provided or
  clicking Select, which opens the Interface Selector from which to make your
  selection. Searches on patterns are supported only when the Allow Wildcards
  check box is selected.

  Note

  Only * and ? regular expressions are supported with text strings.

• Searches on IP addresses and services using wildcards are not supported.

• Although you cannot search for multiple items, you can identify multiple
  items as a replacement value. Enter multiple networks, services, or interface
  roles in the Replace field using comma-separated values.

• If no value is entered in the Replace field, the resulting found items are
  deleted from the rules.

• Rules with read-only values cannot be replaced.

• Regular Expression constructs are based on Java 1.4.2 pattern matching;
  however, certain exceptions apply, which are described in How Regular
  Expressions are Supported in Find and Replace, page 12-20. For more
  information on regular expression constructs, refer to http://java.sun.com.

Related Topics

Using Find and Replace, page 12-18

How Regular Expressions are Supported in Find and Replace, page 12-20

Defining Find and Replace Criteria, page 12-22

Find and Replace Page, page J-177

How Regular Expressions are Supported in Find and Replace


When the Allow Wildcards check box is selected, the Find and Replace fields use
a proprietary regular expression syntax (in essence, Sun's Java RegEx syntax)
with the exceptions that are shown in Table 12-6.


Table 12-6 Regular Expression Exceptions

Character                                   Match
.                                           Indicates a literal '.' (It is implicitly escaped.)
?                                           Indicates any character 1 time.
*                                           Indicates any character 1-n times. For example, \d*
                                            will not match 0-n digits; it will match 1 digit and
                                            0-n of any characters.
[character not recoverable from source]     Indicates any character 1-n times.

Examples of wildcard-enabled searches:

• Find string '*' matches everything.

• Find string for Network '*.*.*.*' matches all IP addresses.

• Find string for Network '1.*.*.*' matches all IP addresses with '1' as the final
  digit in the first octet, for example, 1.2.3.4 and 91.2.3.4.

• Find string for Network '^1.*.*.*' matches all IP addresses with '1' as the first
  octet exactly. For example, 1.2.3.4 is a match, but 91.2.3.4 is not.

• Find string for Description 'Blogg$' only matches text ending with 'Blogg'.
  For example, Joe Blogg is a match, but Joe Bloggs is not.

Examples of wildcard-enabled replacements:

• Find string for Interface Role '*side' and Replace string 'External' replaces all
  Interface Roles ending with 'side'. For example, both 'inside' and 'outside'
  become 'External'.

• Find string for Network '*.(*.*.*)' and Replace string '10.$1' sets the first
  octet of all IP Addresses to '10'. For example, '1.2.3.4' is replaced by '10.2.3.4'.

• Find string for Service 'tcp/([6-7]000)-*' and Replace string 'tcp/$1-8000'
  finds every port with a starting range between 6000 and 7000 and sets the end
  to '8000'.

• Find string for Description 'c(?)t' and Replace string 'b$1r' replaces three
  letter words starting with 'c' and ending with 't', with three letter words
  starting with 'b' and ending with 'r'. For example, 'cat' becomes 'bar' and 'cut'
  becomes 'bur'.
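The following added Python model (not Security Manager code) implements Table 12-6 and replays the examples above by translating the wildcard syntax to a Python regex. The function names are this example's own, and the whole-cell versus partial replacement behaviour and the case-sensitivity rule are assumptions drawn from the Find and Replace Notes and Step 6 of Defining Find and Replace Criteria.

```python
r"""Translate the Find field's wildcard syntax (Allow Wildcards enabled) to a
Python regex: '.' is literal, '?' is exactly one character, '*' is one or more
characters, and Java constructs such as '^', '$', groups, character classes
and '\d' pass through unchanged. Added example, not Security Manager code."""
import re


def wildcard_to_regex(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # Java escape such as \d, passed through
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if ch == "[":                              # character class copied verbatim
            end = pattern.find("]", i)
            if end == -1:
                raise ValueError("unterminated character class in %r" % pattern)
            out.append(pattern[i:end + 1])
            i = end + 1
            continue
        if ch == ".":
            out.append(r"\.")                      # literal dot (implicitly escaped)
        elif ch == "?":
            out.append(".")                        # any character exactly once
        elif ch == "*":
            out.append(".+")                       # any character 1-n times, not 0-n
        elif ch in "^$()":
            out.append(ch)                         # anchors and groups unchanged
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def _java_refs_to_python(template: str) -> str:
    """Rewrite Java-style '$1' group references to Python's backslash-1 form."""
    return re.sub(r"\$(\d+)", r"\\\1", template)


def matches(find: str, value: str, column: str = "Source") -> bool:
    """True when the Find string hits `value` with Allow Wildcards enabled.
    Assumption from Step 6: only Description searches are case-sensitive."""
    flags = 0 if column == "Description" else re.IGNORECASE
    return re.search(wildcard_to_regex(find), value, flags) is not None


def find_replace(value: str, find: str, replacement: str, column: str) -> str:
    """Apply one Replace. Assumption drawn from the notes above: only the
    Description column is replaced partially; for every other column a hit
    replaces the whole cell value with the expanded replacement."""
    flags = 0 if column == "Description" else re.IGNORECASE
    m = re.search(wildcard_to_regex(find), value, flags)
    if m is None:
        return value
    expanded = m.expand(_java_refs_to_python(replacement))
    if column == "Description":
        return value[:m.start()] + expanded + value[m.end():]
    return expanded


if __name__ == "__main__":
    print(wildcard_to_regex("^1.*.*.*"), matches("^1.*.*.*", "91.2.3.4"))
    print(find_replace("1.2.3.4", "*.(*.*.*)", "10.$1", "Source"))
```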


Related Topics

Using Find and Replace, page 12-18

Find and Replace Notes, page 12-19

Defining Find and Replace Criteria, page 12-22

Find and Replace Page, page J-177

Defining Find and Replace Criteria


Procedure
Step 1

From any Firewall rules table, click Find and Replace, which is located at the
bottom of each rules table. The Find and Replace button is represented as
binoculars. You can also use the shortcut keys (Ctrl+F).
The Find and Replace dialog box appears. For a description of the GUI elements,
see Table J-95.

Note

The Find and Replace feature is not supported from the Transparent Rules
tables or Web Filter Rules tables for IOS devices.

Step 2

Select the type of item on which to base your search using the first list box. Then,
identify the column(s) to search using the adjacent list box.

Step 3

Enter the search information in the Find field or click Select, which opens a
selector dialog box from which to make your selection.

Step 4

Enter the replace information in the Replace field or click Select, which opens a
selector dialog box from which to make your selection.

Step 5

Identify the search direction used in the table. Each search always starts from
the selected rule and the selected cell or subcell, if one is selected. The starting
point itself is not included. If no rule is selected, the search begins from the first
rule in the table. If no cell or subcell is selected, the search begins from the
selected rule's left-most column if Search Down is selected, or from the selected
rule's right-most column if Search Up is selected.


Note

If no direction is selected, the search behaves similarly to Search Down.
When the end of the rules table is reached, the search continues at the
beginning of the rules table until the start point is reached.

Step 6

(Optional) If you are searching for a text-string, choose whether to match the case.
Only Descriptions are case-sensitive.

Step 7

(Optional) Choose whether to search for whole words only. This function can be
helpful when you are searching for policy objects.

Step 8

(Optional) Choose whether to allow wildcards.

Note

You cannot define your search to allow wildcards and search for whole
words. These options are mutually exclusive.

Step 9

Do any of the following:

• Click Find Next to locate the next reference identified in the Find field.

• Click Replace to replace the reference identified in the Find field.

• Click Replace All to replace all references identified in the Find field.

Step 10

Click Save, which saves your changes to the server, but keeps them private.

Related Topics

Using Find and Replace, page 12-18

Find and Replace Notes, page 12-19

How Regular Expressions are Supported in Find and Replace, page 12-20

Find and Replace Page, page J-177


Using Hit Count


The Hit Count feature collects the number of times that traffic for a device is
permitted or denied based on an access rule. Report results are displayed in two
forms:

• ACEs (Default): Shown in the Expanded table, which opens automatically
  after the report is generated.

• Corresponding CLI for each ACE: Shown in the Raw ACE table.

From Hit Count reports, you can:

• Update report results by clicking the refresh button. Changes to hit count
  information are displayed in the Delta column of the Expanded results table.
  No Delta column is displayed when the report is generated for the first time.

• Sort columns in Expanded tables. You can sort on certain columns in the
  results table. Information is sorted in ascending or descending order.
  Sortable columns are: Rule, Delta, Hit Count, Permit, Service, Source Address,
  and Destination Address.

• View column results from the Expanded table in complete or partial detail.

ACL hit count information is a critical component for debugging your security
system. You can display this information directly from the Access Rules tables.
Hit count information is provided for all device platforms supported by
Firewall Services.

Note

If the Hit Count report generates no information for the selected rule in the Access
Rules table, it is possible that the policies in the Security Manager repository and
the ACLs on device are out of sync. Make sure that the ACLs in Security Manager
match those on the device.


Note

Before hit count information can be accurately generated in a report, the policies
selected must be assigned and successfully deployed to devices.

Note

Currently, if the network object-group optimization feature is enabled, hit count
might not work properly if optimization has occurred. This issue is being tracked
under defect identifier CSCsi00849.

Related Topics

Generating Hit Count Reports, page 12-25

Understanding Hit Count Results, page 12-26

Changing How Hit Count Results Are Displayed, page 12-27

Generating Hit Count Reports


You can generate a Hit Count report from Device view only. Select the rules from
the table to include in the report.

Note

You can only generate Hit Count reports for one device at a time.
Before You Begin

Make sure that the device configuration has been successfully deployed to the
device.

Make sure that the device is reachable.

Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

Select a rule or multiple rules from the table.


Step 4

Click the Tools button located below the table, then select Hit Count.

Note

If no rules are selected, the report displays hit count information for all
rules on the device.

The Hit Count report appears. For a description of the GUI elements, see
Table J-109.
Step 5

(Optional) Click Refresh Hit Count to calculate the hit count changes since the
report was last generated.
After the refresh, the Expanded table adds a Delta column that displays the new
data retrieved.

Step 6

Close the page after you view the contents.

Related Topics

Hit Count Selection Summary Dialog Box, page J-209

Understanding Hit Count Results, page 12-26

Changing How Hit Count Results Are Displayed, page 12-27

Understanding Hit Count Results


The Hit Count report displays ACL hit count information for the rules selected
from the Access Rules tables. If no rules are selected, the Hit Count report
includes information for all access rules on the device. The report includes policy
objects that are used to define the rules selected. If object grouping is enabled, the
report displays the hit count for all ACEs in the object group. (See Figure 12-5.)

Note

A single policy defined in Security Manager might map to more than one ACL on
a device.


Report results are displayed in two forms:

• ACEs (See Figure 12-6.) Default. Shown in the Expanded table, which opens
  automatically after the report is generated.

• Corresponding CLI for each ACE (See Figure 12-7.) Shown in the Raw ACE
  table.

For a description of the report GUI elements, see Table J-109.


If you inadvertently define a duplicate rule in a table, for example, access rule 1
in the mandatory table is the same as rule 5, the report displays the hit count for
the first rule (mandatory_1 hit count = 1000) and the duplicate rule displays the
hit count as zero (mandatory_5 hit count = 0).

Tip

To determine whether a rule with zero hit counts is a duplicate rule or simply a
rule that has not been applied to traffic, run an analysis report. See Example of
Analysis Report Layout, page 12-8.

Note

If the Hit Count report generates no information for the selected rule in the Access
Rules table, it is possible that the policies in the Security Manager repository and
the ACLs on the device are out of sync. Make sure that the ACLs in
Security Manager match those on the device.
Related Topics

Hit Count Selection Summary Dialog Box, page J-209

Changing How Hit Count Results Are Displayed, page 12-27

Generating Hit Count Reports, page 12-25

Changing How Hit Count Results Are Displayed


In addition to viewing Hit Count report information from the Expanded table and
the Raw ACE table, you can customize report results based on more specific
needs.


To change how report information is displayed, see:

Filtering Columns, page 12-28

Sorting Columns, page 12-28

Viewing Complete or Partial Details, page 12-29

Filtering Columns

This procedure describes how to filter hit count result information.
Procedure
Step 1

From the Hit Count Query Results, right-click the Rule column heading in the
Selected Access Rules table, then click Show Columns.

Step 2

Select or deselect from the list of entries as appropriate.


You can only select one heading at a time.

Step 3

Repeat the steps as needed.


The report results are displayed based on your selections.

Step 4

Click OK to close the report.

Related Topics

Hit Count Selection Summary Dialog Box, page J-209

Generating Hit Count Reports, page 12-25

Sorting Columns, page 12-28

Viewing Complete or Partial Details, page 12-29

Sorting Columns
From the Expanded table, you can sort column information in ascending or
descending order.
This procedure describes how to sort columns in the Expanded table.


Note

You can sort settings only on the following columns: Rule, Delta, Hit Count,
Permit, Service, Source Address, and Destination Address.

Tip

You can sort on multiple columns at the same time using the Ctrl key.
Procedure

Step 1

Determine which column in the Expanded table to sort.

Step 2

Click once on the column heading.

The information is sorted in ascending or descending order.

Step 3

Click again to reverse the order.

Step 4

Click OK to close the report.

Related Topics

Hit Count Selection Summary Dialog Box, page J-209

Generating Hit Count Reports, page 12-25

Filtering Columns, page 12-28

Viewing Complete or Partial Details, page 12-29

Viewing Complete or Partial Details


From the Expanded table, you can view partial rule information (default). You can
also view detailed results that expand the columns to display complete rule
information.
This procedure describes how to change views from the Expanded table.
Procedure
Step 1

Select a rule from the Expanded table.


Step 2

Right-click the Rule column heading, then click Show Detail.


The table expands to display all information for the selected rule.

Step 3

To condense the information displayed, select the rule, then click
Show Summary.

Step 4

Click OK to close the report.

Related Topics

Hit Count Selection Summary Dialog Box, page J-209

Generating Hit Count Reports, page 12-25

Filtering Columns, page 12-28

Sorting Columns, page 12-28

Figure 12-5 Hit Count Results Table

Figure 12-6 Expanded Table

Figure 12-7 Raw ACE Table

Related Topics

Hit Count Selection Summary Dialog Box, page J-209

Generating Hit Count Reports, page 12-25

Example of Analysis Report Layout, page 12-8

Importing Rules
The Import Rules feature acts as an accelerator for adding rules to rules tables.
You can import rules (ACEs) by pasting them from an external application to the
access rule table in Security Manager. You can import rules from Device view and
only to Local rules.


Related Topics

Notes, page 12-33

Extended Access List: Example 1, page 12-34

Extended Access List: Example 2, page 12-34

Standard Access List: Example, page 12-35

How to Import Rules, page 12-36

Import Rules - Enter Parameters Dialog Box, page J-183

Notes

• You cannot import rules in Policy view.

• The ability to import ACL policy objects is not supported.

• Only CLI in the device running-configuration format is supported.

• Only one ACL can be imported at a time.

• If you import an ACL that is inactive, it is shown as disabled in
  Security Manager. If you deploy the same ACL, it will be removed by
  Security Manager.

• Time range definitions and their references in ACEs are supported as long as
  they are consistent. ACEs referring to nonexisting time ranges result in an
  error.

• For PIX/ASA/FWSM:
  - One or more ACEs in named/numbered format. Only extended is
    supported.
  - Object group and name commands are supported as long as they are
    consistent. ACEs referring to nonexisting object groups and names result
    in an error.

• For IOS: One or more ACEs in named/numbered format. Both standard and
  extended are supported.

Related Topics

Extended Access List: Example 1, page 12-34

Extended Access List: Example 2, page 12-34


Standard Access List: Example, page 12-35

How to Import Rules, page 12-36

Extended Access List: Example 1


In the following example, the first line permits any incoming TCP connections
with destination ports greater than 1023. The second line permits incoming TCP
connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2.
The last line permits incoming ICMP messages for error feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255

Related Topics

Importing Rules, page 12-32

Notes, page 12-33

How to Import Rules, page 12-36

Extended Access List: Example 2


Suppose you have a network connected to the Internet, and you want any host on
an Ethernet to be able to form TCP connections to any host on the Internet.
However, you do not want IP hosts to be able to form TCP connections to hosts
on the Ethernet except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number
on the other end. The same two port numbers are used throughout the life of the
connection. Mail packets coming in from the Internet will have a destination port
of 25. Outbound packets will have the port numbers reversed. The fact that the
secure system behind the router always will be accepting mail connections on
port 25 is what makes possible separate control of incoming and outgoing
services. The access list can be configured on either the outbound or inbound
interface.


In the following example, the Ethernet network is a Class B network with the
address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established
keyword is used only for the TCP protocol to indicate an established connection.
A match occurs if the TCP datagram has the ACK or RST bits set, which indicate
that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25

Related Topics

Importing Rules, page 12-32

Notes, page 12-33

How to Import Rules, page 12-36

Standard Access List: Example


The following configuration creates a standard access list named Internet_filter
and an extended access list named marketing_group:
ip access-list standard Internet_filter
 permit 1.2.3.4
 deny any
ip access-list extended marketing_group
 permit tcp any 171.69.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any 171.69.0.0 0.0.255.255 lt 1024
 deny ip any any log


Related Topics

Importing Rules, page 12-32

Notes, page 12-33

How to Import Rules, page 12-36

How to Import Rules


Procedure
Step 1

Select Firewall > Access Rules.


The Access Rules table appears.

Step 2

Click the Tools button located below the table, then select Import Rules.

Step 3

Do one of the following (See Notes, page 12-33):

• Manually enter CLI configurations to the text area.

• Copy and paste the CLI configurations from an external application to the text
  area.

Step 4

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If you are using the Object Selector dialog box, do one of the following,
then click OK:

• Select the available interface roles, then click >>.

  The objects are moved to the selected column.

• Click the Add button to create an interface role object.

  A popup window helps you define the interface role object. After you
  complete the definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 8-115.
Step 5

Select the traffic direction.

Step 6

(Optional) Select a color from the Category list to help you readily identify the
rule when it appears in a rules table. For more information, see Understanding
Category Objects, page 8-48.


Step 7

Click Next, which performs a validation check in search of errors.


Errors are shown in red. You must correct any errors before you may continue.
Errors include:

Invalid device data, for example, a PIX configuration pasted for an IOS device.

Syntax errors.

No ACL definition present.

An ACE that refers to non-existent object groups or time ranges.

More than one ACL.

If there are no errors, the Import Rules - Status page appears.


Step 8

(Optional) Review the status page, then click Next.


The Import Rules - Preview page appears.

Step 9

Click Finish.
The status page closes and you return to the Access Rules table. The imported
rules are displayed in the table.

Related Topics

Importing Rules, page 12-32

Notes, page 12-33

Import Rules - Enter Parameters Dialog Box, page J-183

Using Policy Query


You might want to know how many rules contain a particular network object or
service before you create a new rule, or perhaps you want to clean up redundant
rules, or identify and delete rules that have no effect on your network. You can
compose a query that describes a set of packets. The results of the query identify
all rules that could affect the defined packets. Based on the results, you can add
or delete rules as needed.


Policy Query operates on the values of the conditions, for example, to show all
rules that will affect a packet with a source in network 192.168.1.0/24. The query
will return rules that have any as the source as well as rules that use a policy
object (assuming the policy object contains some part of the 192.168.1.0/24
network).
The elements on which a query is based are:

Source and destination: You can specify a set of network objects or IP
networks. For example, you can request a query to show all rules with the
source 192.168.8.*. Discontiguous masks are supported. For more information,
see Contiguous and Discontiguous Network Masks, page 8-129.

Service: You can specify a set of services, service groups, or protocols and
associated port or message types.

Interface: Default is any interface, which is represented as All-Interfaces in
the GUI. You can specify incoming interfaces.

Rule type: Some combination of firewall access, AAA, inspection, web
filter, and transparent rules.

Actions: Depending on the rule type, you can specify different actions (for
example, firewall rules have permit and deny actions).

Based on the device hierarchy, you have two approaches for determining how to
base your query:

Consider only rules at the local level and above. A single ordered list of rules
results. Only a partial set of rules for the devices within the group is
displayed. In this instance, you request a policy query from Device view. The
query results display all policies that affect that device.

Consider rules for all devices that are descendents of the current group.
Multiple ordered lists result, one for each subgroup or device. In this instance,
you request a policy query from Policy view. The query results display all
devices affected by that policy.

For a given table, the query is compared to each rule in the table. If an intersection
between the query packet and the rule exists, the rule is added to the query results.
Calculations are based on a tuple space (source, destination, and service).
The query mechanism helps to debug how traffic is being processed by the rules.
By doing a content match, you can see all rules that could have some effect on
traffic. The query results are labeled by how the rule interacts with the query
space.


Related Topics

Generating Policy Query Reports, page 12-39

Understanding Policy Query Results, page 12-40

Contiguous and Discontiguous Network Masks, page 8-129

Generating Policy Query Reports


You can generate a Policy Query report by clicking the Tools button located below
any of the main firewall rules tables, then selecting Query. The Query Report can
be generated from either Device view or Policy view. This procedure assumes you
are requesting a query from Device view.
Procedure
Step 1

From any firewall rules table, click the Tools button located below the table, then
select Query.
The Querying <Policy | Device> dialog box appears. For a description of the GUI
elements, see Table J-106.

Step 2

Complete the dialog box as needed.

Step 3

Click OK, which initializes the query report.


The policy query results are displayed. For more information, see Understanding
Policy Query Results, page 12-40.

Related Topics

Using Policy Query, page 12-37

Understanding Policy Query Results, page 12-40

Policy Query Page, page J-195


Understanding Policy Query Results


Policy query results are based on the criteria of the initial query. The results are
divided into sections. See Figure 12-8.
Figure 12-8

Policy Query Results

Query Parameters

The top portion of the report shows the query parameters. The left column lists
the available options. The right column lists the selected options. You can edit
your query by clicking Edit Query. Follow the procedure for Generating Policy
Query Reports, page 12-39.


Results Table

The middle portion of the report shows a results table that displays query results
based on the rule type selected from the list box. The results table displays the
results for the rule type selected, for example, access rules. The results identify
the following:

Match Status
Complete Match: All elements expressed in the query report match the
query results.
Partial Match: Some of the elements expressed in the query report
match the query results.
No Effect: Rules are blocked by other matching rules, or a conflict
exists that has no effect. Some examples are:

You might have two matching rules, A and B. Rule A appears in an ACL
Details Table list before Rule B. Both rules have the same interface. Rule
A's source address, destination address, and services are equivalent to, or
contain, those of Rule B. Rule B is blocked by Rule A. Rule B has no
effect.
You might have a global mandatory rule that permits a service, but the
rule at the device level denies the service. Since rules are recognized on
a first-match order, after discovering a match at the mandatory global
scope, no other rules are checked. The conflict has no effect.

Scope: Identifies whether a rule is shared or local, mandatory or default.

Rule: Identifies the rule number when you are viewing the actual Mandatory
and Default or Local rules tables.

Permit: Shows whether a rule permits or denies traffic based on the
conditions set.
Permit: Shown as a green check mark.
Deny: Shown as a red circle with a slash.

Source: Identifies the source object names or addresses of hosts. Multiple
entries are separated by commas.

Destination: Identifies the destination object names or addresses of hosts.
Multiple entries are separated by commas.

Service: Identifies service objects that specify the service type of traffic.
Multiple entries are separated by commas.


Interface: Identifies the logical name of the interface (interface role) or
physical interface to which a rule is assigned.

Direction: Identifies whether traffic is entering or exiting a network.

Category: Provides an intermediate level of detail to objects and helps you
readily identify rules and objects by use of color-coding.

The bottom portion of the report shows a details table. The details table shows
greater detail for the parameters that matched the highlighted rule in the results
table. If no match exists for a parameter, details remain blank. You select a folder
to display details specific to a parameter.

Details: Provides greater detail for query parameters, for example, when
policy objects are used or parameters are nested. Select from the following
folders:
Sources: Provides greater detail pertaining to the source parameter.
Destinations: Provides greater detail pertaining to the destination
parameter.
Services: Provides greater detail pertaining to the services parameter.
Interfaces: Provides greater detail pertaining to the interfaces
parameter.

Note

Interface details do not apply to Web filter rules.

Query Value: Shows the parameter used in the query request.

Relationship: Identifies the relationship between the query value and the rule
value for the detailed parameter.
Identical: The rule value is identical to the query value. For
example, the query source was any and the query results show source
as any.
Contains: The query value contains the rule value. For example,
the query requested a network object as the source and the rule uses
an IP address that is a member of that object.


Is contained by: The query value is nested within the rule value. For
example, the query requested ACL object A, which is nested within ACL
object B.
Overlaps: The query value and the rule value share some members, but
neither contains the other. For example, the query parameter
was tcp/70-90 and the results show a service defined as tcp/80-100. Or
Network A includes IP addresses 1.2.3.4 and 2.3.4.5. Network B includes
IP addresses 2.3.4.5 and 3.4.5.6. Network A and Network B overlap, as
they both include IP address 2.3.4.5, but no other parameters match the
query.

Rule Value: Provides a more granular description of a parameter result for
the highlighted rule in the results table.

Example of Details Table Results

Consider the following:

Two Network Objects are defined in Security Manager:

Network Object A includes IP addresses 1.2.3.4, 2.3.4.5, and 3.4.5.6.

Network Object B includes IP addresses 3.4.5.6 and 4.5.6.7.

You request a policy query using Network Object A as the source parameter. The
results table shows rules that include Network Object A as the source. The details
table, however, displays the following (the bracketed address is the member of
Network Object B that matches the query value):

Details   Query Value        Relationship   Rule Value
Sources   Network Object A   contains       Network Object B [3.4.5.6]

Close the page after you view the contents.
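The relationships and the No Effect status described above, worked through as an added Python example that is not Security Manager code: it compares a query's source, destination and service space against each rule of a constructed rules table, labels each dimension identical, contains, is contained by or overlaps, and flags rules that an earlier rule on the same interface fully covers. The rule names, interfaces, addresses and port ranges are constructed for the example; treating Complete Match as all three dimensions intersecting and Partial Match as only some of them is this example's reading of the report, not a documented algorithm.

```python
"""Policy-query relationships and shadowed rules (added example, not Security Manager code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

Service = Tuple[str, int, int]        # (protocol, low port, high port); ("ip", 0, 65535) means any

def nets(*specs) -> List[IPv4Network]:
    """Network list from strings such as '10.0.0.0/8' or a bare host '1.2.3.4'."""
    return [ip_network(s) for s in specs]

@dataclass
class Rule:
    name: str
    interface: str
    action: str
    src: List[IPv4Network]
    dst: List[IPv4Network]
    svc: Service

@dataclass
class Query:
    src: List[IPv4Network]
    dst: List[IPv4Network]
    svc: Service

def _covers(outer: List[IPv4Network], inner: List[IPv4Network]) -> bool:
    """Every network in inner lies inside some network in outer."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)

def _svc_covers(outer: Service, inner: Service) -> bool:
    return outer[0] in ("ip", inner[0]) and outer[1] <= inner[1] and inner[2] <= outer[2]

def _relation(q, r, covers, touches) -> str:
    """The four relationships the details table uses, or 'none' when the spaces are disjoint."""
    if covers(q, r) and covers(r, q):
        return "identical"
    if covers(q, r):
        return "contains"
    if covers(r, q):
        return "is contained by"
    return "overlaps" if touches(q, r) else "none"

def net_relation(query: List[IPv4Network], rule: List[IPv4Network]) -> str:
    return _relation(query, rule, _covers,
                     lambda a, b: any(x.overlaps(y) for x in a for y in b))

def svc_relation(query: Service, rule: Service) -> str:
    same_proto = query[0] == rule[0] or "ip" in (query[0], rule[0])
    return _relation(query, rule, _svc_covers,
                     lambda a, b: same_proto and a[1] <= b[2] and b[1] <= a[2])

def no_effect(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, shadowing) pairs: a rule whose whole source/destination/service space
    is covered by an earlier rule on the same interface can never be the first match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.interface == later.interface and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst) and _svc_covers(earlier.svc, later.svc)):
                found.append((later.name, earlier.name))
                break
    return found

def query_rules(query: Query, rules: List[Rule]) -> List[Tuple[str, str, Dict[str, str]]]:
    """Rules whose space intersects the query, labelled as the results table does. Complete
    Match here means all three dimensions intersect and Partial Match only some; that is
    this example's reading of the report, not a documented algorithm."""
    shadowed = dict(no_effect(rules))
    results = []
    for r in rules:
        rel = {"source": net_relation(query.src, r.src),
               "destination": net_relation(query.dst, r.dst),
               "service": svc_relation(query.svc, r.svc)}
        hits = sum(v != "none" for v in rel.values())
        if hits == 0:
            continue
        if r.name in shadowed:
            status = "No Effect"
        else:
            status = "Complete Match" if hits == 3 else "Partial Match"
        results.append((r.name, status, rel))
    return results

ANY = nets("0.0.0.0/0")
# Constructed rules table in first-match order; names, interfaces and addresses are made up.
RULES = [
    Rule("A", "inside", "permit", nets("192.168.1.0/24"), ANY, ("tcp", 80, 100)),
    Rule("B", "inside", "permit", nets("192.168.1.10"), nets("10.0.0.0/8"), ("tcp", 80, 80)),
    Rule("C", "outside", "deny", nets("192.168.1.10"), nets("10.0.0.0/8"), ("tcp", 80, 80)),
    Rule("D", "inside", "deny", nets("192.168.2.0/24"), ANY, ("udp", 53, 53)),
]
QUERY = Query(nets("192.168.1.0/25"), ANY, ("tcp", 70, 90))
```

Running query_rules(QUERY, RULES) reports rule A as a Complete Match whose service only overlaps the query (tcp/70-90 against tcp/80-100, the page's own example), rule B as No Effect because rule A on the same interface covers its source, destination and service, rule C as a Complete Match because it sits on a different interface, and rule D as a Partial Match on the destination dimension alone.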


Related Topics

Generating Policy Query Reports, page 12-39

Policy Query Page, page J-195


Understanding Rule Table Sections


Rule table sections provide a convenient way to group multiple contiguous rules
into sections. This can be particularly helpful when your rules tables contain large
rule sets. You can collapse or expand a section to hide or view rules contained
within it. Sections can be moved up or down within a rules table. Sections can also
be deleted to ungroup the rules.
Related Topics

Notes About Rule Table Sections, page 12-44

Adding Rule Table Sections, page 12-45

Adding Rules to an Existing Table Section, page 12-46

Removing Rules from an Existing Table Section, page 12-46

Removing a Rule Table Section, page 12-47

Notes About Rule Table Sections

Sections are managed using the shortcut (right-click) menu.

Sections cannot be contained (nested) within other sections.

Sections can be added to the following rules tables: Access Rules,
AAA Rules, Inspection Rules, Web Filter Rules, Translation Rules, and
MPC Rules; however, sections are not supported in Web Filter Rules tables
for IOS devices.

Sections are retained when you perform policy queries, combine rules, import
rules, and find and replace searches.

Each section can include a section name, number of rules contained within
the section, category, and description. An arrow is used to expand and
collapse the section.

When a section is expanded, it displays a visual boundary to identify rules in
the section.

The use of sections has no performance impact.

The Move Up and Move Down arrows can be used within each section.


The Move Up and Move Down arrows jump over sections when used on rules
that are not included in sections (Local scope). The section is treated as a
single rule.

Sections can be moved up or down within a table.

Related Topics

Adding Rule Table Sections, page 12-45

Adding Rules to an Existing Table Section, page 12-46

Removing Rules from an Existing Table Section, page 12-46

Removing a Rule Table Section, page 12-47

Adding Rule Table Sections


Before You Begin

Make sure you have at least one rule defined in the rules table.

Procedure

This procedure assumes you have added a rule to the Local scope.
Step 1

Right-click a rule in the table, then select Include in New Section.

Note

You can select multiple rules at a time using the Ctrl key.

The Add Rule Section dialog box appears. For a description of the GUI elements,
see Table J-94.
Step 2

Enter the information in the fields provided, then click OK.


The dialog box closes and you return to the main rules table. The new section
name is highlighted and the section is shown in a collapsed state. Also shown are
the number of rules currently contained within the new section and any
description that was added.


Related Topics

Adding Rules to an Existing Table Section, page 12-46

Removing Rules from an Existing Table Section, page 12-46

Removing a Rule Table Section, page 12-47

Adding Rules to an Existing Table Section


You can add rules to an existing table section using a variety of methods.

Right-click a table section name, then select Add Row. After the rule is
defined, the new rule is added to the top of the section.

Right-click a row in the table section, then select Add Row. After the rule is
defined, the new rule is added immediately after the selected row.

Right-click the white space inside the table, then select Add Row. After the
rule is defined, the new rule is added at the end of the table.

Related Topics

Understanding Rule Table Sections, page 12-44

Removing Rules from an Existing Table Section


To remove rules from an existing table section, right-click the rows, then select
Remove From Section <Section Name>.
The rules previously contained in the section are relocated to the Local scope.
Related Topics

Understanding Rule Table Sections, page 12-44

Editing a Rule Table Section


Procedure
Step 1

Right-click a rule table section, then select Edit Section.


The Edit Rule Section dialog box appears. For a description of the GUI elements,
see Table J-94.


Step 2

Make changes as needed, then click OK.


The dialog box closes and you return to the main rules table with the new section
information displayed.

Related Topics

Understanding Rule Table Sections, page 12-44

Removing a Rule Table Section


Procedure
Step 1

Right-click a rule table section, then select Delete Section.

Step 2

You will be prompted with a warning that the section will be deleted. You can opt
to not show the message again.
The section is removed and the rules previously contained in the section are
relocated to the Local scope.

Related Topics

Understanding Rule Table Sections, page 12-44

Optimizing Policy Objects in Rules


You can elect to have Security Manager optimize network policy objects when
you generate configurations for PIX, FWSM, and ASA devices for deployment.
Optimization merges adjacent networks and removes redundant network entries.
Optimization helps reduce the size of the runtime access-list data structures on the
device and the literal configuration size (to a lesser extent). A reduced runtime
memory usage consumed by access-lists is particularly beneficial for FWSM
devices, where the network processor memory is tight, and PIX devices that use
Turbo ACLs.


Consider the following example for a network policy object named Test that
contains the following sources and destinations:

192.168.1.0/24
192.168.1.23
10.1.1.0
10.1.1.1
10.1.1.2/31

When optimization is on, the following CLI is generated:

object-group network test
 network-object 192.168.1.0 255.255.255.0
 network-object 10.1.1.0 255.255.255.252

To turn optimization on, select Tools > Security Manager Administration, then
select Deployment. Select Optimize Network Object Groups During
Deployment (PIX, ASA, FWSM).
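The merge described above, as an added Python example rather than Security Manager's own implementation: it collapses the Test object's entries into the minimal set of covering networks, renders the object-group CLI, passes entries with discontiguous masks through unchanged (the Notes state that such entries are not optimized), and checks before deployment that every original entry is still covered. The entry list is the one from the text; the rendering rules and the discontiguous-mask handling are assumptions made for the example.

```python
"""Network object optimization: merge adjacent networks and drop redundant entries
(added example, not the Security Manager implementation)."""
from ipaddress import IPv4Address, IPv4Network, collapse_addresses, ip_network
from typing import List, Optional, Tuple

def parse_entry(text: str) -> Optional[IPv4Network]:
    """Accept '10.1.1.0' (a host), '10.1.1.2/31', or 'address netmask' as written in
    network-object lines. Returns None for a discontiguous mask: such an entry cannot
    be expressed as a prefix, so it is passed through unmerged, as the Notes state."""
    parts = text.split()
    if len(parts) == 2:
        mask = int(IPv4Address(parts[1]))
        host_bits = ~mask & 0xFFFFFFFF
        if host_bits & (host_bits + 1):          # host bits are not one contiguous low run
            return None
        return ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return ip_network(parts[0], strict=False)

def _split(entries: List[str]) -> Tuple[List[IPv4Network], List[str]]:
    mergeable, passthrough = [], []
    for entry in entries:
        net = parse_entry(entry)
        if net is None:
            passthrough.append(entry)
        else:
            mergeable.append(net)
    return mergeable, passthrough

def optimize(entries: List[str]) -> Tuple[List[IPv4Network], List[str]]:
    """Minimal covering list for the mergeable entries (adjacent halves become their
    supernet, entries inside another entry disappear), plus the entries left alone."""
    mergeable, passthrough = _split(entries)
    return list(collapse_addresses(mergeable)), passthrough

def object_group_lines(name: str, entries: List[str], optimize_on: bool = True) -> List[str]:
    """Render the object-group CLI the way the page shows it, optimized or verbatim."""
    nets, passthrough = optimize(entries) if optimize_on else _split(entries)
    lines = [f"object-group network {name}"]
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    lines += [f" network-object {entry}" for entry in passthrough]
    return lines

def still_covered(entries: List[str]) -> bool:
    """Pre-deployment check: every original prefix must lie inside the optimized result.
    collapse_addresses never adds addresses, so this confirms the object matches exactly
    the hosts it matched before."""
    nets, _ = optimize(entries)
    originals = [n for n in map(parse_entry, entries) if n is not None]
    return all(any(o.subnet_of(n) for n in nets) for o in originals)

# Constructed input: the entries of the policy object from the text.
TEST_ENTRIES = ["192.168.1.0/24", "192.168.1.23", "10.1.1.0", "10.1.1.1", "10.1.1.2/31"]
```

object_group_lines("test", TEST_ENTRIES) produces the two network-object lines shown above (in ascending address order, which differs from the order on the page), because 192.168.1.23 is inside 192.168.1.0/24 and the two hosts 10.1.1.0 and 10.1.1.1 together with 10.1.1.2/31 form exactly 10.1.1.0/30.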
Related Topics

Notes about Policy Object Optimization, page 12-48

Notes about Policy Object Optimization

Only network policy objects that are referenced by a policy are optimized.

Nested network policy objects are not flattened. Security Manager optimizes
each network policy object's local content. For example, if net2 is nested
inside net1, both are optimized independently. After optimization, net1 still
references net2.

Optimization is not supported for any network entry that has a discontiguous
mask.

The remark Optimized by CS-Manager is added to the description of an
optimized network policy object.

Rediscovery of an optimized policy object reuses the original policy object in
Security Manager.

Related Topics

Optimizing Policy Objects in Rules, page 12-47


Expanding Object Groups During Discovery


You can elect to expand object groups when you import devices. During the
discovery process, Security Manager imports the CLI comprising the object group
as separate rules.
During device import, you can elect to expand an object group as separate rules
instead of importing the object group name. To access this feature, select Tools >
Security Manager Administration > Discovery.
Consider the example where CSM_INLINE_55 contains 1.1.1.1, 2.2.2.2, 5.5.5.5.
During import, CSM_INLINE_55 will be expanded to one rule in the rule table
that will identify 1.1.1.1, 2.2.2.2, and 5.5.5.5 as a source.
Related Topics

Discovery Page, page A-17

Understanding Access Rules


Firewall policies rely on access rules as one method for defining network security
policy; they control the traffic that flows through a firewall device and security
appliance. Access rules comprise conditions and actions. A condition describes a
traffic stream of packets. You define constraints on the source and destination
device, the service (for example, protocols and ports), and the incoming interface.
An action describes what should occur based on the conditions set. For example,
if the packet stream meets all conditions as described and the action is set to
permit traffic, the packets are sent to the destination device.
Access rules filter network traffic by controlling whether routed packets are
forwarded or blocked at the firewalls interfaces. Each packet is examined to
determine whether to forward or drop the packet based on criteria you specify.
Criteria could be the source address of the traffic, the destination address of the
traffic, the upper-layer protocol, or other information. No authentication is
required.
Access rules use the concept of access control lists (ACLs) to describe how an
entire subnet or specific network host interacts with another to permit or deny a
specific service, protocol, or both.


Access rules are grouped by the interface on which they are configured and
enforced. Firewall Services sorts the rules by interface and uses the remaining
information in the rule to create the access control entry (ACE) that is included in
the ACL for that interface.
Access rules are recognized in the form of an ordered list, which is represented in
a rules table. Rules are processed by a firewall device or security appliance from
first to last, on a first-match basis. When a rule matches the network traffic that a
firewall device or security appliance is processing, the device or appliance uses
that rule's action to decide if traffic is permitted. After finding a matching ACE,
the device looks no further.
When you define an access rule, you are basically defining an ACE in an ACL.
Each table row in the Access Rules table represents one ACE. An access rule can
represent multiple ACEs if the definition contains multiple sources, destinations,
and services. For platforms that support object grouping, the sources,
destinations, and services of a rule are placed in object groups, and the rule is
mapped to a single ACE that references those groups. For platforms that do not
support object grouping, such as IOS devices, one ACE is generated for each
combination of source, destination, and service.
After you configure an ACE, you can view its command-line equivalent
(access-list command) after the device configuration is generated. The access-list
commands are then bound to an ACL using the access-group command.

Note

A one-to-one relationship between an access rule defined in Security Manager and
the associated access-list command on the device does not always exist if object
grouping or rule optimization is enabled.
After you define access rules for Security Manager to manage, it is likely that the
resulting ACLs will have ACEs that are either redundant or conflicting. Because
a device uses the first-match method to evaluate ACLs, a redundant entry does no
harm; a conflicting entry that an earlier entry shadows, however, never takes
effect, which may not be what you intended. To help you identify whether
conflicting rules exist, you can generate an analysis report from which you can
determine if any ACEs should be changed. For more information, see Using
Analysis, page 12-6.
Your organization might dictate the need for using a large number of ACLs, which
can affect performance and memory usage in Security Manager and on the device.
As a result, you might want to combine rules and group objects of a similar type,
thus facilitating your ability to maintain them. For more information, see
Combining Rules, page 12-11.


You might want to know whether rules that are defined are used and how often.
The Hit Count feature collects the number of times that traffic for a device is
permitted or denied based on an access rule. For more information, see Using Hit
Count, page 12-24.
You might want to import ACEs by pasting them from an external application to
the access rule table, or by importing them from a file. For more information, see
Importing Rules, page 12-32.
You might want to identify rules that use a particular policy object, or perhaps you
simply want to remove extraneous entries to make your rules tables more
manageable. You can compose a query that describes a set of packets. The results
of the query identify all rules in the global policy that could affect the defined
packets. Based on the results, you can add or delete rules as needed. For more
information, see Using Policy Query, page 12-37.
To help you manage the thousands of rules that might be listed in your rules
tables, you can search for policy objects and text references that are used to define
the rules, thus facilitating your ability to locate rules. For more information, see
Adding Access Rules, page 12-61.
Related Topics

Managing Firewall Services

How ACL Names Are Generated, page 12-53

Preserving User-Defined ACL Names, page 12-56

Understanding Access Rules, page 12-49

Understanding Settings for Access Controls, page 12-132

How Access Rules Are Recognized on Devices


Devices managed by Security Manager use the Adaptive Security Algorithm
(ASA, also referred to as algorithm) to allow one-way (inside to outside)
connections without an explicit configuration for each internal system and
application. An example of the algorithm in action is FTP. The algorithm analyzes
the contents of the FTP control channel to allow dynamic access to the correct
FTP data channels. You can configure exceptions to this algorithm so that certain
traffic can access your higher-security interfaces.


The algorithm is a stateful approach to security. Every inbound packet is
checked against the algorithm and against any connection-state information in
memory. This approach is regarded in the industry as being far more secure than
a stateless packet-screening approach.
Each interface on the device or appliance is associated with a list of ACEs that are
associated with an ACL. An ACL is an ordered list of rules that describe how an
entire subnet or specific network host interacts with another to permit or deny a
specific service, protocol, or both.
Each ACE describes network traffic based on source IP address, destination
IP address, protocol, and possibly ports. Each ACE has an action to permit or
deny. When a packet arrives at the firewall device or security appliance, the device
checks the ACL for the interface on which the packet has arrived. The device then
evaluates the ACEs in the ACL, looking for the first one that matches the packet.
When the firewall device finds a matching ACE, the device performs the
associated action, either permitting the packet into the firewall device for further
processing or denying entry to the packet. After finding a matching ACE, the
device looks no further. If no ACE matches the packet, the packet is denied. The
exception is an IOS device: an interface with no ACL applied permits all traffic,
so to deny traffic an ACL must be assigned to the interface. Once an ACL is
applied, the same implicit deny at the end of the list applies on IOS as well.
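The first-match evaluation described here, together with the established keyword example and the named standard and extended lists from Standard Access List: Example earlier in this chapter, as an added Python example that is not part of this guide or of Security Manager. It parses those ACLs into access control entries and evaluates constructed packets against them in order, ending in the implicit deny; the established test shows why a segment forged from outside with the ACK bit set is permitted by the first entry of ACL 102. The sample configuration, the packet values and the small port-name table are constructed for the example; numbered standard lists and the host keyword are not handled.

```python
"""First-match evaluation of IOS-style access lists (added example, not Security Manager code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY = (0, 0xFFFFFFFF)                               # 0.0.0.0 255.255.255.255
PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}  # only the names the examples use

@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # ip, tcp, udp or icmp
    src: Tuple[int, int]               # (network, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[Tuple[str, int]]   # ("eq", 25), ("lt", 1024), ("gt", n) or None
    established: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False                  # TCP flags: the only "state" an established ACE sees
    rst: bool = False

def _addr(tokens):
    """Consume one address spec: any | A WILDCARD | A (bare host in a standard ACL)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    wild = int(IPv4Address(tokens.pop(0))) if tokens and tokens[0][0].isdigit() else 0
    return int(IPv4Address(t)), wild

def parse_ace(line, standard=False):
    tokens = line.split()
    if tokens[0] == "access-list":     # numbered extended form: access-list 102 permit ...
        tokens = tokens[2:]
    action = tokens.pop(0)
    if standard:                       # standard ACLs match on source only
        return Ace(action, "ip", _addr(tokens), ANY, None)
    proto = tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    dport = None
    if tokens and tokens[0] in ("eq", "lt", "gt"):
        op, port = tokens.pop(0), tokens.pop(0)
        dport = (op, PORT_NAMES[port] if port in PORT_NAMES else int(port))
    return Ace(action, proto, src, dst, dport, "established" in tokens)

def parse_acls(config):
    """Return {acl_name: [Ace, ...]} from numbered and named access-list text."""
    acls, current, standard = {}, None, False
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["ip", "access-list"]:            # named list header
            standard, current = t[2] == "standard", t[3]
            acls.setdefault(current, [])
        elif t and t[0] == "access-list":             # numbered ACE
            acls.setdefault(t[1], []).append(parse_ace(raw))
        elif t and t[0] in ("permit", "deny"):        # ACE inside the current named list
            acls[current].append(parse_ace(raw, standard))
    return acls

def matches(ace, pkt):
    def within(spec, ip):              # wildcard bits are "don't care"
        return (int(IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (within(ace.src, pkt.src) and within(ace.dst, pkt.dst)):
        return False
    if ace.dport:
        op, port = ace.dport
        if not {"eq": pkt.dport == port, "lt": pkt.dport < port, "gt": pkt.dport > port}[op]:
            return False
    # 'established' is a flag test, not connection tracking: any segment carrying ACK or
    # RST matches, including one forged from outside for a connection that never existed.
    return not ace.established or pkt.ack or pkt.rst

def evaluate(aces, pkt):
    """First matching ACE decides; with no match the list's implicit deny applies."""
    for index, ace in enumerate(aces):
        if matches(ace, pkt):
            return ace.action, index
    return "deny", None

# Constructed sample: the ACLs shown in this chapter, in numbered and named form.
SAMPLE_CONFIG = """
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
ip access-list standard Internet_filter
 permit 1.2.3.4
 deny any
ip access-list extended marketing_group
 permit tcp any 171.69.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any 171.69.0.0 0.0.255.255 lt 1024
 deny ip any any log
"""
```

evaluate returns the action and the index of the matching entry, or ("deny", None) for the implicit deny, which is what a bound ACL does on every platform; the IOS exception in the text is the case where no list is bound at all, in which case there is nothing to evaluate and the router forwards the packet.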
Related Topics

Understanding Access Rules, page 12-49

Managing Firewall Services

Notes About Access Rules, page 12-52

Notes About Access Rules

Access rules are listed sequentially and are applied in the order in which they
appear in the table. An unwritten rule denies all traffic that is not explicitly
permitted.

Access rules are grouped by the interface on which they are configured and
enforced. Within each group, access rules are evaluated in the same order as
you configure them. This is the default method for permitting or
blocking traffic.


A device configured from Firewall Services uses ACLs. ACLs allow you to
specify whether your firewall device should permit or block a connection
from a network or host on one interface to a network or host on a different
interface.
A PIX Firewall permits traffic from inside to outside only, unless
specifically denied in an ACL. Traffic is permitted from a higher-security
interface to a lower-security interface by default. Traffic is denied from a
lower-security interface to a higher-security interface by default.

A Firewall Services Module (FWSM) denies inbound and outbound
traffic unless specifically permitted in an ACL.

An adaptive security appliance (ASA) denies all packets on the
originating interface unless specifically permitted in an ACL.

An IOS router permits all traffic through an interface unless specifically
denied in an ACL.

Standard ACLs are used in IOS devices for filtering purposes. After device
discovery and subsequent deployment, Security Manager converts the
standard ACLs to extended ACLs.

On the outside interface, all hosts are visible to hosts on all other interfaces.
Hosts on a medium security interface are, by default, visible to hosts on
higher-security interfaces, but not visible to hosts on lower-security
interfaces unless the appropriate NAT rules have been created.

Firewall Services generates only configuration files with ACLs. Conduits and
outbound lists are not supported. Therefore, you must use the conversion tool
on configurations with conduits and outbound lists before they can be
deployed.

Related Topics

Understanding Access Rules, page 12-49

Managing Firewall Services

How ACL Names Are Generated


An ACL is assigned a name, which requires no user intervention; however,
user-defined ACL names can be retained in Security Manager. For more
information, see Preserving User-Defined ACL Names, page 12-56.


When the name for the ACL is generated by Security Manager, the name is
derived from the type of rule or platform being defined and certain configuration
settings that make it unique. A group command is then generated that binds the
defined rules to the ACL.
Table 12-7 shows the naming conventions used for the rule types and platforms.

Table 12-7    ACL Naming Conventions for Rule Types and Platforms

Rule Type          Name
Access ACL         CSM_FW_ACL_InterfaceName (for inbound)
                   CSM_FW_ACL_OUT_InterfaceName (for outbound)
                   Note: Only OUT is explicitly present as part of the ACL name.
Inspection         For ASA 7.0/PIX 7.0: CSM_CMAP_ACL_n, where n is an integer
                   beginning with 1.
                   For IOS devices: devices use a numbered ACL.
AAA ACL            For PIX/ASA/FWSM:
                   CSM_AAA_{AUTHO | ATHEN | ACCT}_InterfaceName_ServerGroupName
                   Authentication Proxy for IOS devices:
                   On an interface without NAC:
                   CSM_AUTH-PROXY_<InterfaceName> <traffic type>_ACL, where
                   InterfaceName is the interface on which the rule is applied
                   and traffic type is HTTP, Telnet, or FTP.
                   AuthProxy and NAC on the same interface:
                   CSM_ADMISSION_<ID of interface role in snapshot>_ACL, where
                   ID of interface role in snapshot is an internal ID of the
                   interface within Security Manager to which NAC is applied.
Web Filter ACL     For ASA 7.0/PIX 7.0: devices correspond to a filter command.
                   For IOS devices: devices use a numbered ACL.
NAT 0 ACL          CSM_nat0_InterfaceName_in (for inbound)
                   CSM_nat0_InterfaceName (for outbound)
Policy NAT ACL     CSM_nat_InterfaceName_poolID_in (for inbound)
                   CSM_nat_InterfaceName_poolID (for outbound)
                   For PIX 6.3(x), the following suffixes are appended:
                   _dns (for dns), _nrseq (for norandomseq), _emb## (for
                   embryonic limit), _tcp## (for tcp max connection limits),
                   _udp## (for udp max connection limits)
Policy Static ACL  CSM_static_localIP_globalIP_LocalInterfaceName
                   _globalInterfaceName (for IP)
                   CSM_static_localIP_globalIP_LocalInterfaceName
                   _globalInterfaceName_protocol_globalPort (for other
                   protocols)

During deployment, a suffix .n (where n is an integer) might be added to an ACL
name if the existing ACL cannot be edited in place. For example,
if an ACL named acl_mdc_outside_10 already exists on the device, a new ACL
with the name acl_mdc_outside_10.1 is created if you do not remove the old ACL
before you deploy the new ACL.
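The following Python script is an added example, not part of this guide and not Security Manager code; it reproduces the naming conventions of Table 12-7 and the .n deployment suffix so that you can predict the ACL names that will appear on a device before deployment. The Rule class and its field names, the position of the PIX 6.3(x) suffixes after the direction token, and counting n upward when .1 is also taken are assumptions of the example.

```python
# Added example: Security Manager ACL naming conventions (Table 12-7) and the
# ".n" suffix applied at deployment. Illustrative code; the Rule fields are assumed.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class Rule:
    kind: str                          # access | nat0 | policy_nat | policy_static | aaa
    interface: str = ""
    direction: str = "in"              # in | out
    pool_id: Optional[int] = None      # policy NAT
    pix63_flags: Tuple[str, ...] = ()  # PIX 6.3(x) only: dns, nrseq, emb##, tcp##, udp##
    aaa_type: Optional[str] = None     # AUTHO | ATHEN | ACCT, as printed in Table 12-7
    server_group: Optional[str] = None
    local_ip: Optional[str] = None     # policy static
    global_ip: Optional[str] = None
    local_if: Optional[str] = None
    global_if: Optional[str] = None
    protocol: Optional[str] = None     # None/"ip", or tcp/udp with a global port
    global_port: Optional[int] = None


def csm_acl_name(r: Rule) -> str:
    """Name Security Manager generates for an ACL policy that has no user-defined name."""
    if r.kind == "access":
        # Only OUT is explicit in the name; inbound ACLs carry no direction token.
        return f"CSM_FW_ACL_{r.interface}" if r.direction == "in" else f"CSM_FW_ACL_OUT_{r.interface}"
    if r.kind == "nat0":
        name = f"CSM_nat0_{r.interface}"
        return name + "_in" if r.direction == "in" else name
    if r.kind == "policy_nat":
        name = f"CSM_nat_{r.interface}_{r.pool_id}"
        if r.direction == "in":
            name += "_in"
        # PIX 6.3(x) suffixes; placing them after the direction token is an assumption.
        return name + "".join(f"_{flag}" for flag in r.pix63_flags)
    if r.kind == "policy_static":
        name = f"CSM_static_{r.local_ip}_{r.global_ip}_{r.local_if}_{r.global_if}"
        if r.protocol in (None, "ip"):
            return name
        return f"{name}_{r.protocol}_{r.global_port}"
    if r.kind == "aaa":
        if r.aaa_type not in ("AUTHO", "ATHEN", "ACCT"):
            raise ValueError(f"unknown AAA type {r.aaa_type!r}")
        return f"CSM_AAA_{r.aaa_type}_{r.interface}_{r.server_group}"
    raise ValueError(f"no naming convention for rule kind {r.kind!r}")


class InspectionAclNamer:
    """CSM_CMAP_ACL_n for ASA 7.0/PIX 7.0 inspection rules: n starts at 1 and counts up."""

    def __init__(self) -> None:
        self._n = 0

    def next_name(self) -> str:
        self._n += 1
        return f"CSM_CMAP_ACL_{self._n}"


def deployment_name(wanted: str, on_device: Iterable[str], editable_in_place: bool) -> str:
    """Name the ACL ends up with on the device at deployment time.

    If an ACL with the wanted name already exists and cannot be edited in place,
    a .n suffix is added (acl_mdc_outside_10 becomes acl_mdc_outside_10.1).
    Counting n upward past suffixed names that are also taken is an assumption.
    """
    existing = set(on_device)
    if wanted not in existing or editable_in_place:
        return wanted
    n = 1
    while f"{wanted}.{n}" in existing:
        n += 1
    return f"{wanted}.{n}"


if __name__ == "__main__":
    print(csm_acl_name(Rule("access", "outside")))
    print(csm_acl_name(Rule("policy_static", local_ip="10.1.1.5", global_ip="203.0.113.5",
                            local_if="inside", global_if="outside", protocol="tcp", global_port=80)))
    print(deployment_name("acl_mdc_outside_10", {"acl_mdc_outside_10"}, editable_in_place=False))
```

Compare the names this produces against the device's running configuration after a deployment; a .n suffix that keeps growing is a sign that the old ACL is never removed and that stale entries are accumulating on the device.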
Related Topics

Preserving User-Defined ACL Names, page 12-56

Naming Conflicts and Resolutions, page 12-57

Identifying Original ACL Names, page 12-58

Notes, page 12-59


Preserving User-Defined ACL Names


You can elect to retain user-defined ACL names instead of having
Security Manager generate ACL names. Note, however, that name preservation
affects deployment time and whether traffic is interrupted during deployment.
(Deployment approaches and their effects are explained in detail in the
Troubleshooting Guide.) To define user-defined ACL names, select
Firewall > Settings > Access Control. For a description of the GUI elements, see
Table J-81.
If the same ACL is applied to more than one interface and direction, you can
specify the ACL name (for example, MyInsideACL) for at most one interface and
direction. Security Manager automatically detects the sharing relationship and
applies the same ACL to all sharing interfaces.
For access-group ACLs managed by Security Manager, ACL sharing is performed
in only one situation: you choose to reuse existing ACL names (Tools >
Security Manager Administration > Deployment) and the ACL on the device is
shared among multiple interfaces whose ACLs, as defined in Security Manager,
have the same content. During deployment, that sharing remains intact. In all
other cases, sharing is broken.

Note

Although ACL sharing is not commonly used, in certain circumstances it can be
beneficial with regard to ease of use and memory usage.

During deployment, Security Manager generates one ACL for each interface and
direction. The names of the ACLs are determined in a number of ways:

You can define a name in Access Control Settings. Go to Firewall >
Settings > Access Control.

You can select the method by which Security Manager deploys ACLs. Go to
Tools > Security Manager Administration > Deployment. If you select Reuse
existing names, the names might correspond to the ACL name on the device, or
to a name previously generated by Security Manager.

Note

In situations where an ACL name is not specified in Security Manager, but a name
exists in the original configuration, Security Manager can reuse the ACL name
instead of using the default ACL naming conventions. For example, if no name is
specified in the Access Control page for an ACL that is applied to the inbound
direction of the inside interface, but the device has an access-list named
"InsideAcl" on the inbound direction of the inside interface, Security Manager
can recognize InsideAcl if Reuse existing names is selected.
ACL names cannot be specified for all firewall rule types. For example, you can
specify a name for ACLs used in access rules, but you cannot specify a name for
ACLs used in AAA, inspection, or NAT rules. For these unnamed ACL policies,
Security Manager automatically generates ACL names. For more information, see
How ACL Names Are Generated, page 12-53.
Related Topics

Notes, page 12-59

Naming Conflicts and Resolutions, page 12-57

Naming Conflicts and Resolutions


When a naming conflict occurs because more than one ACL with different contents
attempts to reuse the same ACL name from the original configuration, priorities
determine where the original ACL name is used and where the Security Manager
naming convention is used. The following order of priority, listing the ACL
types in descending order, applies:
Access ACLs > AAA ACLs > Static ACLs > NAT 0 ACLs > NAT ACLs
For example, if an access ACL and a NAT 0 ACL attempt to reuse the same ACL
named MyACL, the access ACL is assigned the user-defined name and the NAT 0
ACL is assigned a name automatically generated by Security Manager. (See
Table 12-7.)
If the two competing ACLs are of the same type (for example, both are Access
ACLs) and would use the same Security Manager naming convention, then the one
recognized first in alphabetical order has the higher priority.


Related Topics

Identifying Original ACL Names, page 12-58

Notes, page 12-59

How ACL Names Are Generated, page 12-53

Preserving User-Defined ACL Names, page 12-56

Identifying Original ACL Names


ACLs are identified by a set of key attributes, which are described in Table 12-8.
For example, if Security Manager is provisioning the access ACL on the inbound
direction of the interface Inside, and the original configuration on the device
contains the CLI

access-group acl-inside in interface inside

then the corresponding original ACL is identified as acl-inside.

Table 12-8    Identifying Original ACL Names

ACL              Attributes

Access           Interface, direction

AAA              Interface, AAA server tag

NAT 0            Interface, direction

Policy NAT       Interface, pool ID, direction (plus dns, norandomseq,
                 embryonic limit, and tcp/udp max connection limits for
                 PIX 6.3(x)).

Policy Static    Local interface, global interface, local IP (if non-PIX 6.3(x)
                 device), global IP (IP address and mask), global port (if
                 protocol is tcp/udp).
Related Topics

Notes, page 12-59

How ACL Names Are Generated, page 12-53

Naming Conflicts and Resolutions, page 12-57

Preserving User-Defined ACL Names, page 12-56


Notes

If an ACL has a name specified in Security Manager, that name can be retained.

If an ACL is not shared on the device and you change only its content in
Security Manager, the original name is preserved.

If an ACL is shared on the device and the corresponding ACL policies are still
identical in Security Manager, the original name is preserved.

If an ACL is shared on the device and the corresponding ACL policies are not
identical in Security Manager, one version of the ACL policies preserves the
original name. The remaining policies use the Security Manager naming
conventions.

Newly created ACLs use Security Manager naming conventions.

For Policy Statics, if the source of the access list that is used by the static
rule contains an object group, Security Manager flattens the object group and
deploys the IP addresses it contains.

Note

All ACEs defined in the ACL on the device must have the same
source.
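The following Python script is an added example (not Security Manager code) that ties together Naming Conflicts and Resolutions, Table 12-8, and the sharing cases listed in Notes: it recovers original access and AAA ACL names from a device configuration using the access-group and aaa ... match commands, and decides which policy keeps an original name when several policies map to it. The configuration lines are constructed for the example; the policy identifiers, and the use of the policy identifier for the alphabetical tie-break, are assumptions.

```python
# Added example (not Security Manager code): identify original ACL names by the
# key attributes of Table 12-8 and apply the name-reuse priority rules.
import re
from typing import Dict, List, Tuple

# Descending priority from "Naming Conflicts and Resolutions":
# Access ACLs > AAA ACLs > Static ACLs > NAT 0 ACLs > NAT ACLs.
PRIORITY = ("access", "aaa", "static", "nat0", "nat")

# access-group <acl> <in|out> interface <ifname>                    (PIX/ASA/FWSM)
ACCESS_GROUP = re.compile(r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")
# aaa {authentication|authorization|accounting} match <acl> <ifname> <server-tag>
AAA_MATCH = re.compile(
    r"^\s*aaa\s+(?:authentication|authorization|accounting)\s+match\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
access-list acl-inside extended permit tcp any any eq 80
access-list acl-outside extended deny ip any any
access-group acl-inside in interface inside
access-group acl-outside in interface outside
aaa authentication match acl-inside inside TACACS1
"""


def original_access_acls(config: str) -> Dict[Tuple[str, str], str]:
    """(interface, direction) -> ACL name; the key attributes of an access ACL."""
    found: Dict[Tuple[str, str], str] = {}
    for line in config.splitlines():
        m = ACCESS_GROUP.match(line)
        if m:
            name, direction, iface = m.groups()
            found[(iface, direction)] = name
    return found


def original_aaa_acls(config: str) -> Dict[Tuple[str, str], str]:
    """(interface, AAA server tag) -> ACL name; the key attributes of an AAA ACL."""
    found: Dict[Tuple[str, str], str] = {}
    for line in config.splitlines():
        m = AAA_MATCH.match(line)
        if m:
            name, iface, server_tag = m.groups()
            found[(iface, server_tag)] = name
    return found


# (policy id, ACL type, ACEs as Security Manager would deploy them)
Policy = Tuple[str, str, Tuple[str, ...]]


def resolve_name_reuse(policies: List[Policy]) -> Dict[str, str]:
    """For policies that all map to the same original ACL name, decide who keeps it.

    Returns policy id -> "original" (keeps the device name) or "generated"
    (falls back to the Security Manager naming convention).
    Identical contents are a sharing relationship, not a conflict: all keep the name.
    Otherwise the highest-priority type wins; within one type the alphabetically
    first policy id wins (the page does not say what it sorts on; assumption).
    """
    if len({aces for _, _, aces in policies}) == 1:
        return {pid: "original" for pid, _, _ in policies}
    ranked = sorted(policies, key=lambda p: (PRIORITY.index(p[1]), p[0]))
    winner = ranked[0][0]
    return {pid: ("original" if pid == winner else "generated") for pid, _, _ in policies}


if __name__ == "__main__":
    print(original_access_acls(SAMPLE_CONFIG))
    print(original_aaa_acls(SAMPLE_CONFIG))
    # acl-inside is bound both as an access ACL and as an AAA match ACL; if the two
    # policies diverge in Security Manager, the access policy keeps the name.
    print(resolve_name_reuse([
        ("access-inside-in", "access", ("permit tcp any any eq 80",)),
        ("aaa-inside-TACACS1", "aaa", ("permit tcp any any eq 443",)),
    ]))
```

Run this against a saved configuration before you enable Reuse existing names; any policy reported as "generated" is one whose device-side ACL name will change at deployment, which is what operators and monitoring rules keyed on ACL names need to know in advance.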

Related Topics

How ACL Names Are Generated, page 12-53

Preserving User-Defined ACL Names, page 12-56

Identifying Original ACL Names, page 12-58

Naming Conflicts and Resolutions, page 12-57

Working with Access Rules


When configuring access rules, you should:

1. Configure the Access Rules table with conditions that describe a traffic
stream of packets, and actions that describe what should occur based on those
conditions. To configure access rules, select Firewall > Access Rules. For
more information, see Understanding Access Rules, page 12-49.

2. Configure Settings to optimize performance. To access settings, select
Firewall > Settings > Access Control. For more information, see
Understanding Settings for Access Controls, page 12-132.

The following topics will help you work with access rules:

Logging Events for an ACE, page 12-60

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Enabling and Disabling Access Rules, page 12-68

Cutting, Copying, and Pasting Access Rules, page 12-69

Moving Access Rules Up and Down, page 12-70

Deleting Access Rules, page 12-71

Logging Events for an ACE


Firewall Services provides the ability to log events on any specific ACE in the
Access Rules tables. Statistics and logging are provided for each flow. A flow is
defined by source interface, protocol, source IP address, source port, destination
IP address, and destination port. The retained statistics are the number of traffic
requests permitted and denied associated with a flow by an ACE over a specified
period of time. You can configure the retained statistics for each ACE according
to your own needs.
When you configure a rule in the Access Rules table, you can enable logging for
each access rule, along with a specified syslog level and interval of time. To log
events for an ACE, you must enable the ACL Syslog setting. For more
information, see Adding Access Rules, page 12-61.
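The following Python script is an added example, not part of this guide, showing what the flow-keyed statistics described above look like when you consume the device's syslog instead of reading them in the GUI: it parses the 106023 deny messages that the Add Access Rule procedure mentions into the flow tuple (source interface, protocol, source IP and port, destination IP and port), counts denies per ACL and flow, and flags sources that were denied to many destination ports. The log lines are constructed for the example; the message layout follows the ASA/PIX/FWSM 106023 format.

```python
# Added example (not from the guide): aggregate ASA/PIX/FWSM 106023 deny
# messages by the flow tuple the per-ACE logging statistics are keyed on.
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, NamedTuple, Optional, Set, Tuple


class Flow(NamedTuple):
    src_if: str
    proto: str
    src_ip: str
    src_port: Optional[int]   # None for icmp/ip, which carry no ports
    dst_ip: str
    dst_port: Optional[int]


# "%ASA-4-106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]
#  [(type n, code n)] by access-group "<acl>" [0x0, 0x0]"
DENY_106023 = re.compile(
    r"%(?:ASA|PIX|FWSM)-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r".*?\bby access-group \"(?P<acl>[^\"]+)\""
)

# Constructed sample log; the last line repeats the first deny on purpose.
SAMPLE_LOG = """\
Mar 12 10:01:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41022 dst inside:192.168.10.20/22 by access-group "CSM_FW_ACL_outside" [0x0, 0x0]
Mar 12 10:01:02 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41023 dst inside:192.168.10.20/23 by access-group "CSM_FW_ACL_outside" [0x0, 0x0]
Mar 12 10:01:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41024 dst inside:192.168.10.20/3389 by access-group "CSM_FW_ACL_outside" [0x0, 0x0]
Mar 12 10:01:03 fw01 %ASA-4-106023: Deny udp src outside:203.0.113.9/5060 dst inside:192.168.10.21/5060 by access-group "CSM_FW_ACL_outside" [0x0, 0x0]
Mar 12 10:01:04 fw01 %ASA-4-106023: Deny icmp src outside:203.0.113.9 dst inside:192.168.10.21 (type 8, code 0) by access-group "CSM_FW_ACL_outside" [0x0, 0x0]
Mar 12 10:01:04 fw01 %ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/5555 (203.0.113.9/5555) to inside:192.168.10.22/443 (192.168.10.22/443)
Mar 12 10:01:05 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/41022 dst inside:192.168.10.20/22 by access-group "CSM_FW_ACL_outside" [0x0, 0x0]
"""


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_deny(line: str) -> Optional[Tuple[str, Flow]]:
    """Return (ACL name, flow) for a 106023 line, None for any other message."""
    m = DENY_106023.search(line)
    if not m:
        return None
    flow = Flow(m["src_if"], m["proto"], m["src_ip"], _port(m["src_port"]),
                m["dst_ip"], _port(m["dst_port"]))
    return m["acl"], flow


def deny_counts(lines: Iterable[str]) -> Dict[Tuple[str, Flow], int]:
    """Number of denied packets per (ACL, flow)."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_deny(line)
        if parsed is not None:
            counts[parsed] += 1
    return dict(counts)


def noisy_sources(lines: Iterable[str], min_ports: int) -> Set[str]:
    """Source IPs denied to at least min_ports distinct (protocol, port) pairs: a cheap scan indicator."""
    ports_by_src: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for line in lines:
        parsed = parse_deny(line)
        if parsed is not None and parsed[1].dst_port is not None:
            flow = parsed[1]
            ports_by_src[flow.src_ip].add((flow.proto, flow.dst_port))
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for key, n in deny_counts(SAMPLE_LOG.splitlines()).items():
        print(n, key)
    print(noisy_sources(SAMPLE_LOG.splitlines(), min_ports=3))
```

With default logging only denied packets produce a message, so this view shows what the ACL stopped, not what it let through; enable per-ACE logging on the rules whose permitted traffic you also need to account for.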
Related Topics

Working with Access Rules, page 12-59

Adding Access Rules, page 12-61

Add and Edit Access Rule Dialog Boxes, page J-6


Adding Access Rules


This procedure assumes you are adding a rule from Device view. To add a rule
from Policy view, see Creating a New Shared Policy, page 6-45, then complete
this procedure. After you complete the procedure, you can share the global policy
and assign devices to it. For more information, see Modifying Policy Assignments
in Policy View, page 6-46.

Note

To facilitate the process for defining an access rule, the Add Access Rule dialog
box is pre-populated with values for sources, destinations, services, and
interfaces. You can make any changes as needed.

In the absence of an ACL:

ASA: Denies all inbound IP traffic.

PIX: Denies all inbound IP traffic.

IOS: Permits all traffic through an interface.

FWSM: Denies all inbound and outbound IP traffic.

Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

Right-click inside the work area, then click Add Row. You can also use the
shortcut keys (Ctrl+R).
The Add Access Rule dialog box appears. For a description of the GUI elements,
see Table J-2.

Step 4

(Optional) Select Enable Rule, which, when selected, indicates that the rule
appears after the configuration is generated.

Step 5

Select whether to permit or deny traffic for the rule you are defining.


Step 6

Enter the source addresses or click Select, which opens the Object Selector dialog
box from which to make your selection. If the latter, select whether the source
type is a network or interface role, then do one of the following, then click OK:

Select the available objects, then click >>. The objects are moved to the
selected column.

Click the Add button to create a new network object or interface role object
to use as a source address. A popup window helps you define the object. After
you complete the definition, the new object is listed in the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 7

Enter the destination addresses or click Select, which opens the Object Selector
dialog box from which to make your selection. If the latter, select whether the
destination type is a network or interface role, then do one of the following, then
click OK:

Select the available objects, then click >>. The objects are moved to the
selected column.

Click the Add button to create a network object or interface role object to use
as a destination address. A popup window helps you define the object. After
you complete the definition, the new object is listed in the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 8

Enter the services or click Select, which opens the Object Selector dialog box
from which to make your selection. If the latter, do one of the following, then click
OK:

Select the available services, then click >>. The objects are moved to the
selected column.

Click the Add button to create a services object. A popup window helps you
define the services object. After you complete the definition, the new object is
listed in the selected column.

For more information, see Understanding Service Objects, page 8-159.


Step 9

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If you are using the Object Selector dialog box, do one of the following,
then click OK:

Select the available interface roles, then click >>. The objects are moved to the
selected column.

Click the Add button to create an interface role object. A popup window helps
you define the interface role object. After you complete the definition, the new
object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 8-115.

Step 10

(Optional) Enter a description to help you identify the rule.

Step 11

(Optional) Select a color from the Category list to help you readily identify the
rule when it appears in a rules table. For more information, see Understanding
Category Objects, page 8-48.

Step 12

Click Advanced to open the Advanced dialog box for configuring additional
settings.

Step 13

(Optional) Select Enable Logging (PIX, ASA, FWSM) to select the logging
behavior. For IOS devices, go to Step 15.

a. Default Logging: logs events based on the default logging behavior of the
device. If a packet is denied, syslog message 106023 is generated; if a packet
is permitted, no syslog message is generated.

b. Per ACE Logging: logs events on any specific ACE in the Access Rules
tables.

Step 14

If you selected logging per ACE:

a. Select the logging level from the list, which identifies the syslog severity
level at which events for the ACE are logged.

b. Enter the logging interval.


Note

You must select a logging level from the list for the logging interval value
to be recognized.

Step 15

(Optional) Select Enable Logging (IOS) to cause an informational logging
message about the packet that matches the entry to be sent to the console.

Step 16

(Optional) Select Log Input to include the input interface and source MAC
address or VC in the logging output.

Step 17

Enter the traffic direction:

In: Packets entering a network.

Out: Packets exiting a network.

Step 18

Enter a time range or click Select, which opens the Object Selector dialog box
from which to make your selection. If the latter, do one of the following, then click
OK:

Select the available object.

Click the Add button to create an object. A popup window helps you define the
time range object. After you complete the definition, the new object is listed in
the Time Range Selector.

For more information, see Understanding Time Range Objects, page 8-173.

Step 19

(Optional) Select from the available IOS options:

None: No options have been selected.

Fragment: provides additional management of packet fragmentation and
improves compatibility with NFS.

Established: allows return traffic of TCP connections that were initiated
outbound back through the firewall device. On IOS this keyword matches any
TCP packet with the ACK or RST bit set; it is a flag check, not stateful
tracking of the connection.

Step 20

Click OK.

The Advanced dialog box closes and you return to the Add Access Rule
dialog box.

Step 21

Click OK.

The Add Access Rule dialog box closes and you return to the Access Rules table.
The new rule information is displayed.


Step 22

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.
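The following Python script is an added example, not Security Manager's deployment code, that renders a rule entered through the steps above into the ASA 7.x access-list and access-group commands it corresponds to, using the CSM_FW_ACL naming from Table 12-7. It also enforces the note from Step 14 (a logging interval is honored only together with a level) and emits the inactive keyword for a disabled rule, which is the option the Enabling and Disabling Access Rules note refers to. The AccessRule class and its field names are assumptions; the command syntax is ASA's.

```python
# Added example (not Security Manager output): ASA 7.x commands for an access
# rule as defined in the Add Access Rule dialog. AccessRule fields are assumed.
from dataclasses import dataclass
from typing import List, Optional

LOG_LEVELS = ("emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging")


@dataclass
class AccessRule:
    action: str                      # permit | deny
    protocol: str                    # ip | tcp | udp | icmp
    source: str                      # "any", "host a.b.c.d" or "a.b.c.d m.m.m.m"
    destination: str
    interface: str
    direction: str = "in"            # in | out
    dest_port: Optional[int] = None  # tcp/udp only
    enabled: bool = True
    logging: str = "default"         # default | per_ace
    log_level: Optional[str] = None
    log_interval: Optional[int] = None
    time_range: Optional[str] = None


def acl_name(rule: AccessRule) -> str:
    """Table 12-7: CSM_FW_ACL_<if> inbound, CSM_FW_ACL_OUT_<if> outbound."""
    if rule.direction == "in":
        return f"CSM_FW_ACL_{rule.interface}"
    return f"CSM_FW_ACL_OUT_{rule.interface}"


def render_ace(rule: AccessRule) -> str:
    parts = ["access-list", acl_name(rule), "extended", rule.action,
             rule.protocol, rule.source, rule.destination]
    if rule.dest_port is not None:
        if rule.protocol not in ("tcp", "udp"):
            raise ValueError("a destination port needs tcp or udp")
        parts += ["eq", str(rule.dest_port)]
    if rule.logging == "per_ace":
        # Step 14 note: the interval is only recognized together with a level.
        # (ASA itself would default a bare 'log' to level 6; this mirrors the GUI.)
        if rule.log_level is None:
            raise ValueError("per-ACE logging needs a syslog level")
        if rule.log_level not in LOG_LEVELS:
            raise ValueError(f"unknown syslog level {rule.log_level!r}")
        parts += ["log", rule.log_level]
        if rule.log_interval is not None:
            if not 1 <= rule.log_interval <= 600:
                raise ValueError("log interval must be 1-600 seconds")
            parts += ["interval", str(rule.log_interval)]
    elif rule.logging != "default":
        raise ValueError(f"unknown logging mode {rule.logging!r}")
    # "default": no log keyword; the device logs denied packets as message
    # 106023 and nothing for permitted packets.
    if rule.time_range:
        parts += ["time-range", rule.time_range]
    if not rule.enabled:
        parts.append("inactive")  # ASA keeps the ACE but does not evaluate it
    return " ".join(parts)


def render_policy(rules: List[AccessRule]) -> List[str]:
    """ACEs in table order (first match wins), then one access-group per ACL."""
    lines = [render_ace(r) for r in rules]
    bindings: List[str] = []
    for r in rules:
        binding = f"access-group {acl_name(r)} {r.direction} interface {r.interface}"
        if binding not in bindings:
            bindings.append(binding)
    return lines + bindings


if __name__ == "__main__":
    policy = [
        AccessRule("permit", "tcp", "any", "host 192.168.10.20", "outside", dest_port=22,
                   logging="per_ace", log_level="warnings", log_interval=60),
        AccessRule("deny", "ip", "any", "any", "outside", time_range="BusinessHours"),
    ]
    print("\n".join(render_policy(policy)))
```

Keeping the ACE order identical to the table matters because the device evaluates the list top down and stops at the first match; a permit pasted above a more specific deny silently widens the policy.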

Note

You can print the entire rules table from the File menu.
Related Topics

Understanding Rule Table Sections, page 12-44

Understanding Access Rules, page 12-49

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Access Rules Page, page J-2

Add and Edit Access Rule Dialog Boxes, page J-6

Editing Access Rules


To facilitate the editing process, Firewall Services offers the ability to perform
inline editing on access rules shown in the tables. Editing can be performed on a
rule in its entirety or individual table cells.
You can edit rules in their entirety by double-clicking a rule number in the table
or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard
from which to make your changes. You can also right-click a rule number in the
table, then select Edit Row. You can edit individual table cells by double-clicking
a cell, which opens a dialog box specific to that table cell. You can also right-click
a cell, then click the Edit function from the shortcut menu.

You can edit multiple rule entries by selecting multiple rules, then right-clicking
a column. You can then Add or Edit a feature, which is applied to the selected
column for all selected rows.
You can display a list of all source and destination addresses by clicking on a table
cell or specific entry (subfield) within the table cell, then clicking one of the
Show Contents options from the shortcut menu. The list shows flattened values
of all levels of an address, network object, or interface role and sorts the results
in ascending order on the IP address, then descending order on the mask.
You can create network/host policy objects from source and destination cell
contents using the shortcut menu. Right-click an entry in the table cell, then select
Create Network Object from Cell Contents. For more information, see
Understanding Network/Host Objects, page 8-127.
You can display a list of all services and port information. The list shows flattened
values of all levels of the Service and Port List objects and sorts the results on:
protocol, destination port, and source port.
You can display each interface role type as a separate listing in the table if you are
working from Policy view, or display actual interface names if you are working
from Device view.
You can use the table filter to filter the information displayed in the table. Click
the arrow to display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.
In addition to performing inline editing and displaying a flattened list of table cell
contents, you can move rules up or down within a table; cut, copy, and paste rules
from which to clone other rule entries; enable or disable defined rules; and delete
rules from the table. These functions can be performed from shortcut menus or
buttons located on the GUI page.
An inherited rule can be modified only inside the parent policy in which it was
defined. It cannot be modified inside a child policy.

Note

You must have the appropriate user privileges to edit rules. Without appropriate
privileges, you can only view rule information from the main rules tables.

To enable or disable rules, see Enabling and Disabling Access Rules,
page 12-68.

To reorder the rules within a table, see Moving Access Rules Up and Down,
page 12-70.

To cut, copy, or paste rules, see Cutting, Copying, and Pasting Access Rules,
page 12-69.

To delete rules, see Deleting Access Rules, page 12-71.

This procedure assumes you are working from Device view.

Note

Although you can access table cells and table rows to edit content using several
methods as noted above, this procedure mentions only one method.
Procedure

Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

Follow the basic procedure for adding access rules using any of the editing
methods described above. For more information, see Adding Access Rules,
page 12-61.

Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Enabling and Disabling Access Rules, page 12-68

Cutting, Copying, and Pasting Access Rules, page 12-69

Moving Access Rules Up and Down, page 12-70

Deleting Access Rules, page 12-71

Understanding Access Rules, page 12-49


Access Rules Page, page J-2

Add and Edit Access Rule Dialog Boxes, page J-6

Enabling and Disabling Access Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

From the work area, right-click the appropriate rule number then click Enable or
Disable, as appropriate.

Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Note

If a rule is set to disabled, it is shown in the table with hashmarks.

Disabled rules are downloaded to a device as disabled only if the device
supports that option. On other devices a disabled rule simply does not appear in
the generated configuration (see Enable Rule in Adding Access Rules).

Related Topics

Access Rules Page, page J-2

Understanding Access Rules, page 12-49


Cutting, Copying, and Pasting Access Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

From the work area, right-click the appropriate rule number, then select Cut or
Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C)
respectively.

Step 4

Right-click inside the table, then click Paste. You can also use the shortcut keys
(Ctrl+V).
The rule is added to the table.

Step 5

Edit the rule by right-clicking an entry in a table cell, then selecting from the menu
of available options for that cell. For more information, see Editing Access Rules,
page 12-65.

Step 6

To change the order in which the rule appears, see Moving Access Rules Up and
Down, page 12-70.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Note

You can print the entire rules table from the File menu.


Related Topics

Access Rules Page, page J-2

Understanding Access Rules, page 12-49

How Access Rules Are Recognized on Devices, page 12-51

Working with Access Rules, page 12-59

Editing Access Rules, page 12-65

Moving Access Rules Up and Down, page 12-70

Moving Access Rules Up and Down


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

From the work area, right-click the appropriate rule number, then select
Move Row Up or Move Row Down as appropriate. You can also use the shortcut
keys (Ctrl+Up) and (Ctrl+Down) respectively.
The selected rule moves up or down one row within the table.

Tip

You can also select the rule to move, then use the Up and Down arrows.

Step 4

Repeat Step 3 until the rule is positioned in the correct order.

Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.


Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Note

You can print the entire rules table from the File menu.
Related Topics

Access Rules Page, page J-2

Understanding Access Rules, page 12-49

How Access Rules Are Recognized on Devices, page 12-51

Working with Access Rules, page 12-59

Editing Access Rules, page 12-65

Deleting Access Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Access Rules.


The Access Rules page appears. For a description of the GUI elements, see
Table J-1.

Step 3

Right-click the appropriate rule number, then click Delete Row. You can also use
the shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 4

Click Yes.
The rule is removed from the table.


Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.
Related Topics

Access Rules Page, page J-2

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-59

Understanding Audit Reports, page 20-7

Understanding Inspection Rules


Inspection rules provide an informational list of services, protocols, and port
numbers to which a firewall device applies the Adaptive Security Algorithm
(ASA). The default ports or those you specify are the ports at which the device
listens for each service.
The default configuration of the firewall device includes a set of application
inspection entries that associate supported protocols with specific TCP or UDP
port numbers and that identify any special handling required. The inspection
function does not support NAT or PAT for certain applications because of the
constraints imposed by the applications. You can change the port assignments for
some applications, but other applications have fixed port assignments that you
cannot change.
You can extend the HTTP inspection capabilities to select which HTTP methods
defined in the RFC to permit in HTTP traffic. If the device encounters an HTTP
method not permitted, it drops the packet and closes the connection to prevent any
subsequent data from traversing the security appliance.

On IOS routers, inspection rules are based on Context-Based Access Control
(CBAC), which intelligently filters TCP and UDP packets based on
application-layer protocol session information. You can configure CBAC to
permit specified TCP and UDP traffic through a firewall only when the connection
is initiated from within the network you want to protect. CBAC can inspect
traffic for sessions that originate from either side of the firewall, and CBAC can
be used for intranet, extranet, and Internet perimeters of your network.
When configuring inspection rules, you should:

1. Populate the Inspection Rules table with device, service, and traffic direction
information. To access the Inspection Rules table, select Firewall >
Inspection Rules.

2. (For IOS devices) Configure settings for deeper packet inspection. To access
settings for inspection rules, select Firewall > Settings > Inspection.

From the Inspection Rules tables, you can generate Policy Query reports to help
you identify all rules in the global policy that could affect the defined packets. For
more information, see Using Policy Query, page 12-37.
Related Topics

Working with Inspection Rules, page 12-73

Supported Features for Inspection, page 12-145

Working with Inspection Rules


Note

When you configure inspection rules on appliances running ASA/PIX 7.0,
access-list and policy-map/class-map commands are generated.

When you configure inspection rules on FWSMs and PIX 6.3 devices, fixup
commands are generated.

When you configure inspection rules on routers running IOS 12.3 and later,
ip inspect commands are generated.

The following topics will help you work with inspection rules:

Adding Inspection Rules, page 12-74


Editing Inspection Rules, page 12-83

Enabling and Disabling Inspection Rules, page 12-86

Cutting, Copying, and Pasting Inspection Rules, page 12-86

Moving Inspection Rules Up and Down, page 12-87

Deleting Inspection Rules, page 12-88

Understanding Inspection Rules, page 12-72

Configuring Settings for Inspection Rules, page 12-143

Inspection Rules Page, page J-29

Adding Inspection Rules


When adding an inspection rule, you can apply packet inspection globally or
on a per-interface basis and identify traffic direction. You can constrain
the inspection further based on other criteria, which differ depending on
the platform for which the rule is defined.
A branching wizard helps you configure inspection rules. The steps in the
wizard are the same for all platforms, but the dialog boxes vary depending
on your selections.
This procedure assumes you are adding a rule from Device view. To add a rule
from Policy view, see Creating a New Shared Policy, page 6-45, then complete
this procedure. After you complete the procedure, you can share the global policy
and assign devices to it. For more information, see Modifying Policy Assignments
in Policy View, page 6-46.
The following procedure describes how to add an inspection rule.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Inspection Rules.


The Inspection Rules page appears. For a description of the GUI elements, see
Table J-15.


Step 3

Right-click inside the table, then click Add Row. You can also use the shortcut
keys (Ctrl+R).
The Add Inspection Rule page appears. For a description of the GUI elements, see
Table J-16.

Step 4

Select the Enable Rule check box to include the rule in the generated
configuration. If the check box is cleared, the rule stays in the table but
is not deployed to the device.

Step 5

Identify whether the rule is global or per interface:

• For PIX platforms, rules are defined globally. Go to Step 8.
• For ASA platforms, rules are defined either globally or per interface.
  If per interface, go to Step 6. If globally, go to Step 8.
• For IOS platforms, rules are defined per interface. Go to Step 7.
• For FWSM platforms, rules are defined globally. Go to Step 8.

Step 6

If the rule is per interface, select the traffic direction, which specifies
whether sessions entering or leaving the selected interface are inspected.

Step 7

To enter interface information, click Edit to open the Edit Interfaces dialog box.
Enter interface information, or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If you are using the Object Selector dialog box, do one of the following,
then click OK:

• Select from the list of available objects, then click >>. The objects are
  moved to the selected column.
• Click the Add button to create a new interface role object. A popup
  window helps you define the object. After you complete the definition,
  the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 8-115.


Step 8

Select the matched traffic criteria. Depending on your selection, the wizard
pages will vary.

• Default Protocol Ports. See Configuring Default Protocol Ports,
  page 12-77. You can also limit inspection between source and destination
  IP address for ASA platforms. See Configuring Source and Destination
  Address and Port (ASA, FWSM 3.x), page 12-81.
• Custom Destination Ports. See Configuring Custom Destination Ports,
  page 12-78.
• Destination Address and Port (IOS). See Configuring Destination Address
  and Port (IOS), page 12-79.
• Source and Destination Address and Port (ASA). See Configuring Source and
  Destination Address and Port (ASA, FWSM 3.x), page 12-81.

Note

For FWSM 2.x and PIX 6.3(x), you must select the matched traffic criteria
as either Default Inspection Traffic or TCP or UDP Destination Ports. If
the latter is selected, the protocol selection must be any.

Step 9

(Optional) Select a color from the Category list to help you readily identify the
rule when it appears in a rules table. For more information, see Understanding
Category Objects, page 8-48.

Step 10

(Optional) Enter a description to help you identify the rule.

Step 11

Click Next.
The appropriate wizard guides you through the configuration.

Related Topics

Add and Edit Inspection Rule Dialog Boxes, page J-33

Configuring Default Protocol Ports, page 12-77

Configuring Custom Destination Ports, page 12-78

Configuring Destination Address and Port (IOS), page 12-79

Configuring Source and Destination Address and Port (ASA, FWSM 3.x),
page 12-81


Configuring Default Protocol Ports


This procedure assumes you selected Default Protocol Ports as the type of traffic
matched for inspection rules. This option configures default inspection traffic.
Procedure
Step 1

To limit inspection between the source and destination, select the check box, then
complete the procedure for configuring source and destination IP addresses. (See
Configuring Source and Destination Address and Port (ASA, FWSM 3.x),
page 12-81.) Otherwise, click Next.
The wizard page listing protocols appears.

Step 2

Select a protocol to inspect. Certain protocols enable you to configure
additional information. For those protocols, click Configure, then complete
the respective popup window. For more information, see Add
Inspect/Application FW Rule > Match Traffic to Protocol Page, page J-37.

Step 3

Click Finish.
The dialog box closes and you return to the Inspection Rules table with the new
information displayed.

Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.

Note

You can print the entire rules table from the File menu.


Related Topics

Add Inspect/Application FW Rule > Match Traffic to Protocol Page, page J-37

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Configuring Custom Destination Ports


This procedure assumes you selected Custom Destination Ports as the type of
traffic matched for inspection rules (IOS). This option matches TCP or UDP
traffic to the destination ports you specify instead of the protocol's
well-known port.
Procedure
Step 1

Select the protocol.

Step 2

Enter port information.

Step 3

Click Next.
The page listing protocols appears.

Step 4

Select a protocol to inspect. Certain protocols enable you to configure
additional information. For those protocols, click Configure and complete
the respective popup window. For a description of the GUI elements, see
Table J-17.

Step 5

To enable the additional IOS settings (alert messages, audit trail messages,
and the session timeout), click Enable. Otherwise, go to Step 8.

Step 6

Do any of the following:

• Click Enable Alert Messages, which, when selected, enables Context-based
  Access Control (CBAC) alert messages, which are displayed on the console.
• Click Enable Audit Trail Messages, which, when selected, shows
  Context-based Access Control (CBAC) audit trail messages, which are
  displayed after each CBAC session closes.

Step 7

Enter a timeout value, in seconds, after which an idle session is no longer
tracked. Valid values are 5 to 43200.

Step 8

Click Finish.
The dialog box closes, and you return to the Inspection Rules table with the new
rule information displayed.


Step 9

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.

Note

You can print the entire rules table from the File menu.
Related Topics

Match Traffic by Custom Destination Ports Page, page J-44

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Configuring Destination Address and Port (IOS)


This procedure assumes you selected Destination Address and Port (IOS) as
the type of traffic matched for inspection rules.
Procedure
Step 1

Enter the destination addresses or click Select, which opens the Object Selector
dialog box from which to make your selection. If the latter, do one of the
following, then click OK:

• Select from the list of available objects, then click >>. The objects are
  moved to the selected column.
• Click the Add button to create a new network object or interface role
  object to use as a destination address. A popup window helps you define
  the object. After you complete the definition, the new object is listed
  in the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 2

Enter protocol information.

Step 3

Enter port information.

Step 4

Click Next.
The page listing protocols appears.

Step 5

Select a protocol to inspect. Certain protocols enable you to configure
additional information. For those protocols, click Configure and complete
the respective popup window. For a description of the GUI elements, see
Table J-17.

Step 6

Click Finish.
The dialog box closes and you return to the Inspection Rules table with the new
information displayed.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.
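Expressed on the router itself, the Custom Destination Ports option and the
Destination Address and Port (IOS) option above combine port-to-application
mapping (PAM) with a named inspection rule, and the alert, audit trail and
timeout settings from the Custom Destination Ports procedure become keywords
on the ip inspect name lines. The following is an added example written for
this page, not Security Manager output (which may use user-defined PAM
application names and different rule names); the host address, ports, ACL
number, rule name, interface and syslog server are assumptions.

```cisco
! Added example; names, addresses and ports are assumptions.
!
! Custom Destination Ports: tell the HTTP inspector that TCP 8080 is HTTP,
! so it is parsed as HTTP instead of being tracked as generic TCP. Without
! the list keyword the mapping applies to any destination host:
!   ip port-map http port 8080
!
! Destination Address and Port (IOS): a standard ACL on the mapping makes
! it host specific, so 8080 to any other host stays generic TCP.
access-list 10 permit host 10.1.1.5
ip port-map http port 8080 list 10
!
! Global idle timeouts that the per-protocol timeout keyword overrides.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Per-protocol settings from Step 6 and Step 7. Alert messages are raised
! while a session is tracked; audit-trail messages are logged when each
! session closes. timeout is in seconds, range 5 to 43200.
ip inspect name APP-FW http alert on audit-trail on timeout 1800
ip inspect name APP-FW tcp alert off audit-trail on timeout 900
ip inspect name APP-FW udp timeout 60
!
! Alert and audit-trail messages are syslog (the audit trail is logged at
! informational level); without a log destination the trail you enabled
! is never recorded anywhere you can review it.
logging trap informational
logging host 10.1.1.50
!
interface FastEthernet0/0
 description inside
 ip inspect APP-FW in
```

After deployment, show ip port-map lists the effective mappings, including
the host-specific one, and show ip inspect name APP-FW shows the alert,
audit-trail and timeout values actually in force for each protocol.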

Note

You can print the entire rules table from the File menu.


Related Topics

Match Traffic by Destination Address and Port (IOS) Page, page J-46

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Configuring Source and Destination Address and Port (ASA, FWSM 3.x)
This procedure assumes you selected Source and Destination Address and Port
(ASA, FWSM 3.x) as the type of traffic matched for inspection rules.
Procedure
Step 1

Select whether to permit or deny traffic.

Step 2

Enter the source addresses or click Select, which opens the Object Selector
dialog box from which to make your selection. If the latter, select whether
the source type is a network or interface role, then do one of the
following, then click OK:

• Select from the list of available objects, then click >>. The objects are
  moved to the selected column.
• Click the Add button to create a new network object or interface role
  object to use as a source address. A popup window helps you define the
  object. After you complete the definition, the new object is listed in
  the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 3

Enter the destination addresses or click Select, which opens the Object
Selector dialog box from which to make your selection. If the latter, select
whether the destination type is a network or interface role, then do one of
the following, then click OK:

• Select from the list of available objects, then click >>. The objects are
  moved to the selected column.
• Click the Add button to create a new network object or interface role
  object to use as a destination address. A popup window helps you define
  the object. After you complete the definition, the new object is listed
  in the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 4

Enter the services or click Select, which opens the Object Selector dialog
box from which to make your selection. If the latter, do one of the
following, then click OK:

• Select from the list of available objects, then click >>. The objects are
  moved to the selected column.
• Click the Add button to create a new service object. A popup window helps
  you define the object. After you complete the definition, the new object
  is listed in the selected column.

For more information, see Understanding Service Objects, page 8-159.


Step 5

Enter a time range, which identifies when the rules are enforced. For more
information, see Understanding Time Range Objects, page 8-173.

Step 6

Click Next.
The page listing protocols appears.

Step 7

Select a protocol to inspect. Certain protocols enable you to configure
additional information. For those protocols, click Configure and complete
the respective popup window. For a description of the GUI elements, see
Table J-17.

Step 8

Click Finish.
The dialog box closes and you return to the Inspection Rules table with the new
information displayed.

Step 9

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.


Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.

Note

You can print the entire rules table from the File menu.
Related Topics

Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page, page J-48

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Editing Inspection Rules


To facilitate the editing process, Firewall Services offers the ability to perform
inline editing on inspection rules shown in the tables. Editing can be performed
on a rule in its entirety or individual table cells.
You can edit rules in their entirety by double-clicking a rule number in the table
or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard
from which to make your changes. You can also edit individual table cells by
right-clicking a cell, then using the shortcut menu, which opens a dialog box
specific to that table cell.
Right-click operations are restricted in certain circumstances:

• If a rule's interface is Global, you cannot right-click to change
  interfaces or direction.
• If the matched traffic criteria is Default Inspection Traffic (option to
  limit is not selected) or TCP/UDP Destination Ports, you cannot
  right-click to change permit, direction, sources, destinations, or
  service.
• If the matched traffic criteria is Default Inspection Traffic with the
  option to limit selected, you cannot right-click to change service.
• If the matched traffic criteria is Destination Address and Port (IOS),
  you cannot right-click to change services or sources.

You can edit multiple rule entries by selecting multiple rules, then right-clicking
a column. You can then Add or Edit a feature, which is applied to the selected
column for all selected rows.
You can display a list of all source and destination addresses by clicking on a table
cell or specific entry (subfield) within the table cell, then clicking one of the
Show Contents options from the shortcut menu. The list shows flattened values
of all levels of an address, network object, or interface role and sorts the results
in ascending order on the IP address, then descending order on the mask.
You can use the table filter to filter the information displayed in the table. Click
the arrow to display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.
In addition to performing inline editing, you can move rules up or down within a
table; cut, copy, and paste rules from which to clone other rule entries; enable or
disable defined rules; and delete rules from the table. These functions can be
performed from shortcut menus or buttons located on the GUI page.
An inherited rule can be modified only inside the parent policy in which it was
defined. It cannot be modified inside a child policy.

Note

You must have the appropriate user privileges to edit rules. Without appropriate
privileges, you can only view rule information from the main rules tables.

• To enable or disable rules, see Enabling and Disabling Inspection Rules,
  page 12-86.
• To cut, copy, or paste rules, see Cutting, Copying, and Pasting Inspection
  Rules, page 12-86.
• To reorder the rules within a table, see Moving Inspection Rules Up and
  Down, page 12-87.
• To delete rules, see Deleting Inspection Rules, page 12-88.


The following procedure assumes you are working from Device view.

Note

Inline editing is not available for all Inspection Rules table cells.
Procedure

Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Inspection Rules.


The Inspection Rules page appears. For a description of the GUI elements, see
Table J-15.

Step 3

Make your changes using any of the editing methods described above. The
dialog boxes and wizard pages are the same as those used when adding a
rule; for more information, see Adding Inspection Rules, page 12-74.

Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Add and Edit Inspection Rule Dialog Boxes, page J-33

Configuring Default Protocol Ports, page 12-77

Configuring Custom Destination Ports, page 12-78

Configuring Destination Address and Port (IOS), page 12-79

Configuring Source and Destination Address and Port (ASA, FWSM 3.x),
page 12-81


Enabling and Disabling Inspection Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Inspection Rules.


The Inspection Rules page appears. For a description of the GUI elements, see
Table J-15.

Step 3

Select a rule to enable or disable, then right-click the appropriate rule number.

Step 4

From the shortcut menu, click Enable or Disable as appropriate.

Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Note

If a rule is set to disabled, it is shown in the table with hash marks.

Disabled rules are downloaded to a device as disabled only if the device
supports that option; on other devices, a disabled rule is simply left out
of the generated configuration.

Related Topics

Inspection Rules Page, page J-29

Cutting, Copying, and Pasting Inspection Rules


This procedure assumes you are working from Device view.


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Inspection Rules.


The Inspection Rules page appears. For a description of the GUI elements, see
Table J-15.

Step 3

From the work area, right-click the appropriate rule number, then select Cut or
Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C)
respectively.

Step 4

Right-click inside the table, then click Paste. You can also use the shortcut keys
(Ctrl+V).
The rule is added to the table.

Step 5

Edit the rule by right-clicking an entry in a table cell, then selecting from the menu
of available options for that cell. For more information, see Editing Inspection
Rules, page 12-83.

Step 6

To change the order in which the rule appears, see Moving Inspection Rules Up
and Down, page 12-87.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Inspection Rules Page, page J-29

Moving Inspection Rules Up and Down, page 12-87

Moving Inspection Rules Up and Down


This procedure assumes you are working from Device view.

Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Inspection Rules.


The Inspection Rules page appears. For a description of the GUI elements, see
Table J-15.

Step 3

Select the rule to move, then right-click the appropriate rule number.

Step 4

From the shortcut menu, select Move Row Up or Move Row Down. You can also
use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.
The selected rule moves up or down one row within the table.

Tip

You can also select the rule to move, then use the Up and Down arrows.

Step 5

Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Inspection Rules Page, page J-29

Deleting Inspection Rules


This procedure assumes you are working from Device view.


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Inspection Rules.


The Inspection Rules page appears. For a description of the GUI elements, see
Table J-15.

Step 3

Right-click the appropriate rule number, then click Delete Row. You can also use
the shortcut keys (Ctrl+D).
You are prompted to confirm each deletion unless you choose not to be
prompted again.

Step 4

Click Yes.
The rule is removed from the table.

Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.
Related Topics

Understanding Audit Reports, page 20-7

Working with AAA Rules


Access control determines who is allowed access to the network or to a
server and which services they may use once they have access.
Authentication, authorization, and accounting (AAA) network security
services provide the primary framework through which you set up access
control on your firewall device or security appliance.
AAA rules control authentication (who the user is), authorization (what the
user is allowed to do), and accounting (what the user did) for traffic that
matches the rule.
When configuring AAA rules, you should:
1. Configure AAA rules to identify device, service, and traffic direction
   information. The AAA Rules page is used to define AAA rules for all
   platforms. To access the AAA Rules table, select Firewall > AAA Rules.
2. Configure settings specific to PIX, ASA, and IOS devices. PIX and ASA
   devices support HTTPS, proxy, and MAC settings. IOS devices identify AAA
   servers, define banner information, and set timeout values. To access
   settings for AAA rules, select:
   a. Firewall > Settings > AAA Firewall (PIX/ASA/FWSM).
   b. Firewall > Settings > AuthProxy (IOS).

From the AAA Rules tables, you can generate Policy Query reports to help you
identify all rules in the global policy that could affect the defined packets. For
more information, see Using Policy Query, page 12-37.
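As an added example of what an AAA rule and its platform settings resolve
to on the devices, here is a hand-written equivalent for both command
families this section covers (the appliance cut-through proxy and the IOS
authentication proxy). It is not Security Manager output. The server group
name, addresses, interface names, access-list names and numbers, the MAC
address, and the shared-secret placeholder are all assumptions.

```cisco
! Added example; names, addresses and the shared secret are assumptions.

! ---- PIX 7.x / ASA / FWSM 3.x: cut-through proxy ------------------------
! AAA server group object -> aaa-server group.
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.1.1.50
 key <tacacs-shared-secret>
!
! AAA rule -> extended access list. A deny entry is an exemption: traffic
! it matches passes without being challenged, so list exemptions before
! the permit lines they carve out of (here: traffic to the AAA server).
access-list AAA-AUTH extended deny tcp 10.1.1.0 255.255.255.0 host 10.1.1.50
access-list AAA-AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AAA-AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AAA-AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AAA-AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
!
! Authentication, authorization and accounting as selected in the rule,
! each bound to the interface the rule names and to the server group.
aaa authentication match AAA-AUTH inside TACACS-GRP
aaa authorization match AAA-AUTH inside TACACS-GRP
aaa accounting match AAA-AUTH inside TACACS-GRP
!
! AAA Firewall settings (Firewall > Settings > AAA Firewall): collect
! credentials over HTTPS rather than clear-text HTTP, cap concurrent
! authentication attempts, and exempt a device that cannot log in.
aaa authentication secure-http-client
aaa proxy-limit 16
mac-list PRINTERS permit 0011.2233.4455 ffff.ffff.ffff
aaa mac-exempt match PRINTERS

! ---- IOS: authentication proxy -----------------------------------------
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.50 key <tacacs-shared-secret>
!
! AAA rule -> auth-proxy rule using the HTTP method, scoped by an access
! list and applied to the inside interface. The AuthProxy settings page
! supplies the banner and the timeouts.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq www
ip auth-proxy name WEB-AUTH http list 101
ip auth-proxy inactivity-timer 30
!
interface FastEthernet0/0
 description inside
 ip auth-proxy WEB-AUTH
```

On the appliance, show uauth lists the users currently authenticated through
the proxy and the time left on their entries; on the router, show ip
auth-proxy cache does the same for auth-proxy. If an AAA rule appears to be
ignored, check the order of deny and permit entries in the generated access
list first.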
Topics to help you work with AAA Rules are:

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Enabling and Disabling AAA Rules, page 12-96

Cutting, Copying, and Pasting AAA Rules, page 12-97

Moving AAA Rules Up and Down, page 12-99

Deleting AAA Rules, page 12-100

AAA Rules Page, page J-78

Topics to help you work with Settings for AAA Rules are:

Configuring Settings for AAA Firewall (PIX/ASA/FWSM), page 12-147

Adding MAC Exempt Address Lists, page 12-150

Configuring Settings for AAA (IOS), page 12-152

AuthProxy Page, page J-164

AuthProxy Timeout Tab (IOS), page J-167


Firewall AAA IOS Timeout Value Setting Dialog Box, page J-168

Adding AAA Rules


This procedure assumes you are adding a rule from Device view. To add a rule
from Policy view, see Creating a New Shared Policy, page 6-45, then complete
this procedure. After you complete the procedure, you can share the global policy
and assign devices to it. For more information, see Modifying Policy Assignments
in Policy View, page 6-46.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > AAA Rules.


The AAA Rule page appears. For a description of the GUI elements, see
Table J-43.

Step 3

Right-click inside the work area, then click Add Row. You can also use the
shortcut keys (Ctrl+R).
The Add AAA Rule page appears. For a description of the GUI elements, see
Table J-44.

Step 4

(Optional) Select Enable Rule to include the rule in the generated
configuration. If it is cleared, the rule stays in the table but is not
deployed to the device.

Step 5

Select whether the rule applies to any of the following:

• Authentication: supported on all platforms.
• Authorization: PIX/ASA/FWSM platforms only.
• Accounting: PIX/ASA/FWSM platforms only.

Step 6

Select whether to permit or deny traffic for the rule you are defining.

Step 7

Enter the source addresses or click Select, which opens the Object Selector
dialog box from which to make your selection. If the latter, select whether
the source type is a network or interface role, then do one of the
following, then click OK:

• Select from the list of available objects, then click >>. The objects are
  moved to the selected column.
• Click the Add button to create a new network object or interface role
  object to use as a source address. A popup window helps you define the
  object. After you complete the definition, the new object is listed in
  the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 8

Enter the destination addresses or click Select, which opens the Object
Selector dialog box from which to make your selection. If the latter, select
whether the destination type is a network or interface role, then do one of
the following, then click OK:

• Select from the list of available objects, then click >>. The objects are
  moved to the selected column.
• Click the Add button to create a new network object or interface role
  object to use as a destination address. A popup window helps you define
  the object. After you complete the definition, the new object is listed
  in the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 9

Enter the services or click Select, which opens the Object Selector dialog
box from which to make your selection. If the latter, do one of the
following, then click OK:

• Select from the list of available services, then click >>. The objects
  are moved to the selected column.
• Click the Add button to create a new service object. A popup window helps
  you define the object. After you complete the definition, the new object
  is listed in the selected column.

For more information, see Understanding Service Objects, page 8-159.


Step 10

Enter the AAA server group from the list or click Select, which opens the Object
Selector dialog box from which to make your selection. If the latter, do one of the
following, then click OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.

Click the Add button to create a new server group object.
A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see Understanding AAA Server Group Objects, page 8-16.

Step 11

Enter the interface information, or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If you are using the Object Selector dialog box, do one of the following,
then click OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.

Click the Add button to create a new interface role object.
A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 8-115.

Step 12

(Optional) Select a color from the Category list to help you readily identify the
rule when it appears in a rules table. For more information, see Understanding
Category Objects, page 8-48.

Step 13

(Optional) Enter a description to help you identify the rule.

Step 14

(For IOS devices only) Select the authentication proxy methods.

Step 15

Click OK.
The page closes and you return to the AAA table. The rule information is shown
in the table.

Step 16

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.


Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.

Note

You can print the entire rules table from the File menu.

Related Topics

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Add and Edit AAA Rules Dialog Boxes, page J-82

Editing AAA Rules


To facilitate the editing process, Firewall Services offers the ability to perform
inline editing on AAA rules shown in the tables. Editing can be performed on a rule
in its entirety or on individual table cells.
You can edit rules in their entirety by double-clicking a rule number in the table
or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard
from which to make your changes. You can also right-click a rule number in the
table, then select Edit Row. You can edit individual table cells by double-clicking
a cell, which opens a dialog box specific to that table cell. You can also right-click
a cell, then click the Edit function from the shortcut menu.
You can edit multiple rule entries by selecting multiple rules, then right-clicking
a column. You can then Add or Edit a feature, which is applied to the selected
column for all selected rows.
You can display a list of all source and destination addresses by clicking on a table
cell or specific entry (subfield) within the table cell, then clicking one of the
Show Contents options from the shortcut menu. The list shows flattened values
of all levels of an address, network object, or interface role and sorts the results
in ascending order on the IP address, then descending order on the mask.

You can create network/host policy objects from Source and Destination cell
contents using the shortcut menu. Right-click an entry in the table cell, then select
Create Network Object from Cell Contents. A network object is created that
comprises all sources and destinations identified in the table cell.
You can display a list of all services and port information. The list shows flattened
values of all levels of the Service and Port List objects and sorts the results on:
protocol, destination port, and source port.
You can display each interface role type as a separate listing in the table if you are
working from Policy view, or display actual interface names if you are working
from Device view.
You can use the table filter to filter the information displayed in the table. Click
the arrow to display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.
In addition to performing inline editing and displaying a flattened list of table cell
contents, you can move rules up or down within a table; cut, copy, and paste rules
from which to clone other rule entries; enable or disable defined rules; and delete
rules from the table. These functions can be performed from shortcut menus or
buttons located on the GUI page.
An inherited rule can be modified only inside the parent policy in which it was
defined. It cannot be modified inside a child policy.

Note

You must have the appropriate user privileges to edit rules. Without appropriate
privileges, you can only view rule information from the main rules tables.

To edit AAA rules information, follow the procedure for Adding AAA Rules,
page 12-91 or use any of the methods described above.

To enable or disable rules, see Enabling and Disabling AAA Rules,
page 12-96.

To cut, copy, or paste rules, see Cutting, Copying, and Pasting AAA Rules,
page 12-97.

To reorder the rules within a table, see Moving AAA Rules Up and Down,
page 12-99.

To delete rules, see Deleting AAA Rules, page 12-100.


The following procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > AAA Rules.


The AAA Rules page appears. For a description of the GUI elements, see
Table J-43.

Step 3

Follow the basic procedure for adding AAA rules using any of the editing
methods described above. For more information, see Adding AAA Rules,
page 12-91.

Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Working with AAA Rules, page 12-89

AAA Rules Page, page J-78

Enabling and Disabling AAA Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.


Step 2

Select Firewall > AAA Rules.


The AAA Rules page appears. For a description of the GUI elements, see
Table J-43.

Step 3

Select a rule to enable or disable, then right-click on the appropriate rule number.

Step 4

Select Enable or Disable as appropriate.

Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Note

If a rule is set to disabled, it is shown in the table with hashmarks.
Disabled rules are downloaded to a device as disabled only if the device
supports that option.

Related Topics

AAA Rules Page, page J-78

Working with AAA Rules, page 12-89

Cutting, Copying, and Pasting AAA Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.


Step 2

Select Firewall > AAA Rules.


The AAA Rules page appears. For a description of the GUI elements, see
Table J-43.

Step 3

From the work area, right-click the appropriate rule number, then select Cut or
Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C)
respectively.

Step 4

Right-click inside the table, then click Paste. You can also use the shortcut keys
(Ctrl+V).
The rule is added to the table.

Step 5

Edit the rule by right-clicking an entry in a table cell, then selecting from the menu
of available options for that cell. For more information, see Editing AAA Rules,
page 12-94.

Step 6

To change the order in which the rule appears, see Moving AAA Rules Up and
Down, page 12-99.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

AAA Rules Page, page J-78

Editing AAA Rules, page 12-94

Moving AAA Rules Up and Down, page 12-99

Working with AAA Rules, page 12-89


Moving AAA Rules Up and Down


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > AAA Rules.


The AAA Rules page appears. For a description of the GUI elements, see
Table J-43.

Step 3

Select the rule to move, then right-click the appropriate rule number.

Step 4

From the shortcut menu, select Move Row Up or Move Row Down. You can also
use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.
The selected rule moves up or down one row within the table.

Tip

You can also select the rule to move, then use the Up and Down arrows.

Step 5

Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

AAA Rules Page, page J-78

Working with AAA Rules, page 12-89


Deleting AAA Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > AAA Rules.


The AAA Rules page appears. For a description of the GUI elements, see
Table J-43.

Step 3

Right-click the appropriate rule number, then click Delete Row. You can also use
the shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 4

Click Yes.
The rule is removed from the table.

Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.

Related Topics

Understanding Audit Reports, page 20-7

Working with AAA Rules, page 12-89



Understanding Web Filter Rules


Web filter rules specify URL filtering using a filtering server such as
Websense. You define the rules in the Web Filter Rules table and determine
whether to permit or deny traffic if the filter server is unavailable.
Java inspection enables Java applet filtering at the firewall. Java applet filtering
distinguishes between trusted and untrusted applets by relying on a list of external
sites that you designate as friendly. If an applet is from a friendly site, the firewall
device allows the applet through. If the applet is not from a friendly site, the applet
is blocked. Alternately, you could permit applets from all sites except sites
specifically designated as hostile.
From the Web Filter Rules tables, you can generate Policy Query reports to help
you identify all rules in the global policy that could affect the defined packets. For
more information, see page 12-38.

Related Topics

Working with Web Filter Rules, page 12-101

Working with Web Filter Rules


When configuring Web Filter rules, you should:

1. Configure Web Filter Rules for the firewall devices. To do this, select
Firewall > Web Filter Rules.

Note

The Web Filter Rules table will vary depending on the type of device
selected.

2. Configure additional settings, which include Web Filter Server configuration
and settings specific to device type. To do this, select Firewall > Settings >
Web Filter.

The Web Filter policy for IOS devices contains two subpolicies: IOS Web Filter
rules and Exclusive Domains. Under IOS Web Filter rules, you can create rules
for enabling Web filtering and Java applet scanning on traffic flows. Under
Exclusive Domains, you can specify a set of domain names that will be permitted
or denied by the IOS firewall device without having to consult the external URL
server.
Topics that support Web Filter Rules for ASA, FWSM, and PIX devices are:

Adding Web Filter Rules (PIX/ASA), page 12-103

Editing Web Filter Rules (PIX/ASA), page 12-106

Enabling and Disabling Web Filter Rules (PIX/ASA), page 12-108

Cutting, Copying, and Pasting Web Filter Rules (PIX/ASA), page 12-109

Moving Web Filter Rules Up and Down (PIX/ASA), page 12-110

Deleting Web Filter Rules (PIX/ASA), page 12-111

Web Filter Rules Page (PIX/ASA), page J-104

Topics that support Web Filter Rules for IOS devices are:

Adding Web Filter Rules (IOS), page 12-112

Editing Web Filter Rules (IOS), page 12-115

Deleting Web Filter Rules (IOS), page 12-116

Adding Exclusive Domains (IOS), page 12-117

Editing Exclusive Domains (IOS), page 12-119

Deleting Exclusive Domains (IOS), page 12-120

Web Filter Rules Page (IOS), page J-126

Topics that support Settings for Web Filter Rules are:

Configuring Settings for Web Filter Servers, page 12-156

Adding Settings for Web Filter Server Configuration, page 12-158

Editing Settings for Web Filter Server Configuration, page 12-160

Deleting Settings for Web Filter Server Configuration, page 12-161

Web Filter Page, page J-170


Adding Web Filter Rules (PIX/ASA)


This procedure assumes you are adding a rule from Device view. To add a rule
from Policy view, see Creating a New Shared Policy, page 6-45, then complete
this procedure. After you complete the procedure, you can share the global policy
and assign devices to it. For more information, see Modifying Policy Assignments
in Policy View, page 6-46.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page appears. For a description of the GUI elements, see
Table J-58.

Step 3

Right-click on the table, then click Add Row. You can also use the shortcut keys
(Ctrl+R).
The Add PIX/ASA Web Filter Rule dialog box appears. For a description of the
GUI elements, see Table J-59.

Step 4

Select the Enable Rule check box, which, when selected, indicates that the rule
appears after the configuration is generated.

Step 5

Select the type of filtering.

Filter: Limits traffic to particular sites and limits traffic between two
entities.

Filter Except: Exempts specific traffic from filtering.

Step 6

Select the type of action from the list.

Step 7

Enter the source addresses or click Select, which opens the Object Selector dialog
box from which to make your selection. If the latter, do one of the following, then
click OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.


Click the Add button to create a new network object or interface role object
to use as a source address.
A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 8

Enter the destination addresses or click Select, which opens the Object Selector
dialog box from which to make your selection. If the latter, do one of the
following, then click OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.

Click the Add button to create a new network object or interface role object
to use as a destination address.
A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Step 9

Enter the services or click Select, which opens the Object Selector dialog box
from which to make your selection. If the latter, do one of the following, then click
OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.

Click the Add button to create a new service object.
A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see Understanding Service Objects, page 8-159.

Note

You cannot select services if you selected Filter Except as your filtering
type.


Step 10

(Optional) To allow traffic if the URL filter server is unavailable, select the check
box.

Step 11

(Optional) To block a connection to the HTTP proxy server, select the check box.

Step 12

(Optional) To truncate CGI requests by removing CGI parameters, select the
check box, which, when selected, sends a CGI script as a URL.

Step 13

(Optional) To block outbound traffic if the absolute FTP path is not provided,
select the check box, which, when selected, prevents users from connecting to the
FTP server through an interactive FTP program.

Step 14

Determine how to handle long URLs.

Drop: Discards the URL request.

Truncate: Sends only the originating hostname or IP address to the
Websense server if the URL is over the URL buffer limit.

Deny: Denies the URL request if the URL is over the URL buffer-size limit
or the URL buffer is not available.

Step 15

(Optional) Enter a description to help you identify the rule.

Step 16

(Optional) Select a color from the Category list to help you readily identify the
rule when it appears in a rules table. For more information, see Understanding
Category Objects, page 8-48.

Step 17

Click OK.
The PIX/ASA dialog box closes and you return to the Web Filter Rules page. The
rule information is shown in the table.

Step 18

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.


Note

You can print the entire rules table from the File menu.

Related Topics

Add and Edit PIX/FWSM/ASA Rules Dialog Boxes, page J-107

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Editing Web Filter Rules (PIX/ASA)


To facilitate the editing process, Firewall Services offers the ability to perform
inline editing on Web Filter rules shown in the tables. Editing can be performed
on a rule in its entirety or individual table cells.
You can edit rules in their entirety by double-clicking a rule number in the table
or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard
from which to make your changes. You can also right-click a rule number in the
table, then select Edit Row. You can edit individual table cells by double-clicking
a cell, which opens a dialog box specific to that table cell. You can also right-click
a cell, then click the Edit function from the shortcut menu.
You can edit multiple rule entries by selecting multiple rules, then right-clicking
a column. You can then Add or Edit a feature, which is applied to the selected
column for all selected rows.
You can display a list of all source and destination addresses. The list shows
flattened values of all levels of an address, network object, or interface role object
and sorts the results in ascending order on the IP address, then descending order
on the mask.
You can display a list of all services and port information. The list shows flattened
values of all levels of the Service and Port List objects and sorts the results on:
protocol, destination port, and source port.
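The flattening and ordering that the Show Contents listing performs, described here and under Editing AAA Rules above, as an added example in Python that is not Security Manager code; the object names, the nested sample definitions (including a reference loop and a duplicated host) and the by-name ordering of protocols are constructed assumptions:

```python
"""Expand nested network and service objects to the flattened, sorted listing
that Show Contents displays.  Added example, not Security Manager code; the
object names and sample definitions below are constructed for illustration."""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple, Union

Service = Tuple[str, int, int]  # (protocol, destination port, source port); 0 = any

# Constructed sample objects.  A group lists literal addresses/subnets or the
# names of other objects, nested to any depth; Branch-Nets even refers back to
# DMZ-Servers, and Mgmt-Host repeats a host that DMZ-Servers already contains.
NETWORK_OBJECTS: Dict[str, List[str]] = {
    "DMZ-Servers": ["10.1.2.10", "10.1.2.0/24", "Branch-Nets", "10.1.2.0/25", "Mgmt-Host"],
    "Branch-Nets": ["10.20.0.0/16", "10.1.0.0/16", "DMZ-Servers"],
    "Mgmt-Host": ["10.1.2.10/32"],
}
SERVICE_OBJECTS: Dict[str, List[Union[str, Service]]] = {
    "Web": [("tcp", 443, 0), ("tcp", 80, 0), "DNS"],
    "DNS": [("udp", 53, 0), ("tcp", 53, 0)],
}


def _expand(name: str, objects: Dict, leaf: Callable, seen: Set[str]) -> list:
    """Depth-first expansion of one object.  A group that was already expanded
    is skipped, so a reference loop cannot recurse forever and a group that is
    referenced twice is expanded only once."""
    if name in seen:
        return []
    seen.add(name)
    members = []
    for member in objects[name]:
        if isinstance(member, str) and member in objects:
            members.extend(_expand(member, objects, leaf, seen))
        else:
            members.append(leaf(member))
    return members


def flatten_network_object(name: str, objects=NETWORK_OBJECTS) -> List[str]:
    """All addresses reachable from a network object, without duplicates,
    sorted ascending on the IP address and then descending on the mask, so
    for the same network address the more specific prefix is listed first."""
    nets = set(_expand(name, objects,
                       lambda m: ipaddress.ip_network(m, strict=False), set()))
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), -n.prefixlen))
    return [str(n) for n in ordered]


def flatten_service_object(name: str, objects=SERVICE_OBJECTS) -> List[Service]:
    """All (protocol, destination port, source port) entries reachable from a
    service object, sorted on protocol, then destination port, then source
    port.  Protocols are ordered by name here (an assumption of this example)."""
    return sorted(set(_expand(name, objects, lambda m: m, set())))


if __name__ == "__main__":
    for net in flatten_network_object("DMZ-Servers"):
        print(net)
    for svc in flatten_service_object("Web"):
        print("%s dst %d src %d" % svc)
```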
You can use the table filter to filter the information displayed in the table. Click
the arrow to display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.


In addition to performing inline editing and displaying a flattened list of table cell
contents, you can move rules up or down within a table; cut, copy, and paste rules
from which to clone other rule entries; enable or disable defined rules; and delete
rules from the table. These functions can be performed from shortcut menus or
buttons located on the GUI page.
An inherited rule can be modified only inside the parent policy in which it was
defined. It cannot be modified inside a child policy.

Note

You must have the appropriate user privileges to edit rules. Without appropriate
privileges, you can only view rule information from the main rules tables.

To enable or disable rules, see Enabling and Disabling Web Filter Rules
(PIX/ASA), page 12-108.

To cut, copy, or paste rules, see Cutting, Copying, and Pasting Web Filter
Rules (PIX/ASA), page 12-109.

To reorder the rules within a table, see Moving Web Filter Rules Up and
Down (PIX/ASA), page 12-110.

To delete rules, see Deleting Web Filter Rules (PIX/ASA), page 12-111.

This procedure assumes you are working from Device view.

Note

Although you can access table cells and table rows to edit content using several
methods as noted above, this procedure mentions only one method.
Procedure

Step 1

Select a device from the Device selector.

Step 2

Select Policies > Firewall > Web Filter Rules (PIX/ASA).


The Web Filter Rules page appears. For a description of the GUI elements, see
Table J-58.

Step 3

Follow the basic procedure for adding Web Filter rules using any of the editing
methods described above. For more information, see Adding Web Filter Rules
(PIX/ASA), page 12-103.


Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Web Filter Rules Page (PIX/ASA), page J-104

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Enabling and Disabling Web Filter Rules (PIX/ASA)


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page appears. For a description of the GUI elements, see
Table J-58.

Step 3

Right-click the appropriate rule number, then select Enable or Disable as
appropriate.

Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.


Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Note

If a rule is set to disabled, it is shown in the table with hashmarks.
Disabled rules are downloaded to a device as disabled only if the device
supports that option.

Related Topics

Web Filter Rules Page (PIX/ASA), page J-104

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Cutting, Copying, and Pasting Web Filter Rules (PIX/ASA)


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page appears. For a description of the GUI elements, see
Table J-58.

Step 3

From the work area, right-click the appropriate rule number, then select Cut or
Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C)
respectively.

Step 4

Right-click inside the table, then click Paste. You can also use the shortcut keys
(Ctrl+V).
The rule is added to the table.

Step 5

Edit the rule by right-clicking an entry in a table cell, then selecting from the menu
of available options for that cell. For more information, see Editing Web Filter
Rules (PIX/ASA), page 12-106.

Step 6

To change the order in which the rule appears, see Moving Web Filter Rules Up
and Down (PIX/ASA), page 12-110.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Editing Web Filter Rules (PIX/ASA), page 12-106

Moving Web Filter Rules Up and Down (PIX/ASA), page 12-110

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Moving Web Filter Rules Up and Down (PIX/ASA)


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page appears. For a description of the GUI elements, see
Table J-58.

Step 3

Select the rule to move, then right-click the appropriate rule number.

Step 4

Select Move Row Up or Move Row Down as appropriate. You can also use the
shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.
The selected rule moves up or down one row within the table.

Tip

You can also select the rule to move, then use the Up and Down arrows.


Step 5

Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Web Filter Rules Page (PIX/ASA), page J-104

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Deleting Web Filter Rules (PIX/ASA)


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page appears. For a description of the GUI elements, see
Table J-58.

Step 3

Right-click the appropriate rule number, then click Delete Row. You can also use
the shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 4

Click Yes.
The rule is removed from the table.


Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.
Related Topics

Web Filter Rules Page (PIX/ASA), page J-104

Understanding Audit Reports, page 20-7

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Adding Web Filter Rules (IOS)


This procedure assumes you are adding a rule from Device view. To add a rule
from Policy view, see Creating a New Shared Policy, page 6-45, then complete
this procedure. After you complete the procedure, you can share the global policy
and assign devices to it. For more information, see Modifying Policy Assignments
in Policy View, page 6-46.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page for IOS devices appears. The Web Filter Rules tab
opens by default the first time the page is accessed. For a description of the GUI
elements, see Table J-70.


Step 3

Right-click inside the work area, then click Add Row. You can also use the
shortcut keys (Ctrl+R).
The IOS Web Filter Rule and Applet Scanner dialog box appears. For a
description of the GUI elements, see Table J-73.

Step 4

(Optional) Select Enable Web Filtering, which, when selected, limits traffic to
particular sites and limits traffic between two entities.

Step 5

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If you are using the Object Selector dialog box, do one of the following,
then click OK:

Select from the list of available interface roles, then click OK.

Click the Add button to create a new interface role. A popup window helps
you define the object.

For more information, see Understanding Interface Role Objects, page 8-115.
Step 6

Select the traffic direction.

Step 7

(Optional) Select Enable Java Applet Scanner, which, when selected, causes the
IOS device to check for the presence of Java applets in HTTP traffic coming from
web servers to internal hosts.

Step 8

(Optional) Select whether to permit or deny traffic from a source network.

Step 9

Enter the Applet Sources or click Select, which opens the Object Selector dialog
box from which to make your selection. If the latter, do one of the following, then
click OK:

Select from the available networks, then click >>. The objects are moved to
the selected column.

Click the Add button to create a new object. A popup window helps you define
the object. After you complete the definition, the new object is listed in the
selected column.

The object selector dialog box closes and you return to the IOS Web Filter Rule
and Applet Scanner dialog box. For more information, see Understanding
Network/Host Objects, page 8-127.


Step 10

Click OK.
The IOS Web Filter Rule and Applet Scanner dialog box closes and you return to
the Web Filter Rules page. The rule information is shown in the table.

Step 11

Do one of the following:

Click Save, which saves your changes to the server, but keeps them private.

Click the Exclusive Domains tab. Go to Step 12.

Step 12

Right-click inside the work area, then select Add Row. You can also use the
shortcut keys (Ctrl+R).
The IOS Web Filter Exclusive Domain Name dialog box appears. For a
description of the GUI elements, see Table J-74.

Step 13

Select whether to permit or deny traffic.

Step 14

Enter the domain name.

Step 15

Click OK.
The IOS Web Filter Exclusive Domain Name dialog box closes and you return to
the Web Filter Rules page. The new information is shown in the table.

Step 16

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.

Note

You can print the entire rules table from the File menu.


Related Topics

IOS Web Filter Rule and Applet Scanner Dialog Box, page J-131

Exclusive Domain Name Dialog Box, page J-134

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Editing Web Filter Rules (IOS)


Unlike many of the rules tables, the IOS Web Filter Rules table does not enable
editing on a per-table cell basis. The basic procedure for editing Web Filter Rules
for IOS devices is the same as adding rules.
An inherited rule can be modified only inside the parent policy in which it was
defined. It cannot be modified inside a child policy.
This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page for IOS devices appears. For a description of the GUI
elements, see Table J-70.

Step 3

Right-click the appropriate rule number, then click Edit Row. You can also use
the shortcut key (Ctrl+E).
The IOS Web Filter Rule and Applet Scanner dialog box appears. For a
description of the GUI elements, see Table J-73.

Step 4

Follow the basic procedure for adding web filter rules. For more information, see
Adding Web Filter Rules (IOS), page 12-112.


Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Web Filter Rules Page (IOS), page J-126

IOS Web Filter Rule and Applet Scanner Dialog Box, page J-131

Adding Web Filter Rules (IOS), page 12-112

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Deleting Web Filter Rules (IOS)


This procedure assumes you are working from Device view.
Step 1

Select a device from the Object selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page for IOS devices appears. For a description of the GUI
elements, see Table J-70.

Step 3

Right-click the appropriate rule number, then click Delete Row. You can also use
the shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 4

Click Yes.
The rule is removed from the table.


Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.
Related Topics

Web Filter Rules Page (IOS), page J-126

Understanding Audit Reports, page 20-7

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Adding Exclusive Domains (IOS)


This procedure assumes you are adding a rule from Device view. To add a rule
from Policy view, see Creating a New Shared Policy, page 6-45, then complete
this procedure. After you complete the procedure, you can share the global policy
and assign devices to it. For more information, see Modifying Policy Assignments
in Policy View, page 6-46.
Exclusive Domain policies enable you to specify a list of domain names
(exclusive domains) eliminating the need for the firewall to create a lookup
request for HTTP traffic destined for one of the domains in the exclusive list.
Thus, you can avoid sending look-up requests to the web server for HTTP traffic
that is destined for a host allowed to all users. You can enter the complete domain
name or a partial domain name.


Before You Begin

You must configure a Web Filter Server for exclusive domains to be
recognized. For more information, see Configuring Settings for Web Filter
Servers, page 12-156.

Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page for IOS devices appears. For a description of the GUI
elements, see Table J-70.

Step 3

Select the Exclusive Domains tab. For a description of the GUI elements, see
Table J-72.

Step 4

Right-click inside the work area, then select Add Row. You can also use the
shortcut keys (Ctrl+R).
The IOS Web Filter Exclusive Domain Name dialog box appears. For a
description of the GUI elements, see Table J-74.

Step 5

Specify whether to permit or deny traffic for the rule you are defining.

Step 6

Enter a domain name.

Complete Domain Name: If you add a complete domain name, such as
www.cisco.com, to the exclusive domain list, all HTTP traffic whose URLs
are destined for this domain (for example, www.cisco.com/news and
www.cisco.com/index) are excluded from the URL filtering policies of the
vendor server (Websense or N2H2), and on the basis of the configuration, the
URLs are permitted or denied.

Partial Domain Name: If you add only a partial domain name to the
exclusive domain list, such as cisco.com, all URLs whose domain names end
with this partial domain name (such as www.cisco.com/products and
www.cisco.com/eng) are excluded from the URL filtering policies of the
vendor server (Websense or N2H2), and on the basis of the configuration, the
URLs are permitted or denied.

Step 7

Click OK.
The dialog box closes and you return to the Exclusive Domain table. The rule
information is shown in the table.
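As an added example (not code from Cisco Security Manager or the IOS firewall), the following Python models how a device consults the exclusive domain list before sending a lookup to the vendor server: a complete domain name matches only that host, a partial domain name matches every host that ends with it, and a URL that matches nothing still goes to Websense or N2H2. Two details are this example's assumptions and are not stated above: the partial match is taken on a label boundary (so cisco.com matches www.cisco.com but not notcisco.com), and complete entries are checked before partial ones, longest first. The domain names and permit/deny actions in the sample tables are constructed.

```python
# Added example, not Cisco Security Manager or IOS code: models how an
# exclusive-domain list short-circuits the vendor (Websense/N2H2) lookup.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ExclusiveDomain:
    """One row of the Exclusive Domains table."""
    name: str       # "www.cisco.com" (complete) or "cisco.com" (partial)
    permit: bool    # action configured for the entry
    complete: bool  # True: exact host match; False: partial (suffix) match


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; a missing scheme is assumed to be http."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def matches(entry: ExclusiveDomain, host: str) -> bool:
    """Complete names must equal the host. Partial names match the host itself
    or any host that ends with "." + name (assumption: label-boundary match,
    so "cisco.com" does not match "notcisco.com")."""
    name = entry.name.lower().strip(".")
    if entry.complete:
        return host == name
    return host == name or host.endswith("." + name)


def lookup(url: str, table: Iterable[ExclusiveDomain]) -> Tuple[str, Optional[bool]]:
    """Return ("exclusive", permit) when an entry matches, otherwise
    ("vendor", None): the request must still be sent to the vendor server.
    Assumption: complete entries are tried before partial ones, longest first."""
    host = host_of(url)
    ordered = sorted(table, key=lambda e: (not e.complete, -len(e.name)))
    for entry in ordered:
        if matches(entry, host):
            return "exclusive", entry.permit
    return "vendor", None


# Constructed sample tables (the domains and actions are illustrative only).
SAMPLE_TABLE = [
    ExclusiveDomain("www.cisco.com", permit=True, complete=True),
    ExclusiveDomain("cisco.com", permit=True, complete=False),
    ExclusiveDomain("example.test", permit=False, complete=False),
]
COMPLETE_ONLY = [ExclusiveDomain("www.cisco.com", permit=True, complete=True)]

if __name__ == "__main__":
    for url in ("http://www.cisco.com/news", "docs.cisco.com/eng",
                "http://notcisco.com/", "http://www.example.test/x"):
        print(url, "->", lookup(url, SAMPLE_TABLE))
```

The COMPLETE_ONLY table shows the practical difference between the two entry kinds: with only the complete name www.cisco.com configured, a request to docs.cisco.com is not excluded and still costs a vendor lookup.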


Step 8

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.

Note

You can print the entire rules table from the File menu.
Related Topics

Web Filter Rules Page (IOS), page J-126

Exclusive Domain Name Dialog Box, page J-134

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Editing Exclusive Domains (IOS)


Unlike many of the rules tables, the Exclusive Domains table does not enable
editing on a per-table cell basis. The basic procedure for editing exclusive
domains for IOS devices is the same as adding them.
An inherited rule can be modified only inside the parent policy in which it was
defined. It cannot be modified inside a child policy.
This procedure assumes you are working from Device view.
Procedure
Step 1

Select an IOS device from the Object selector.


Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page for IOS devices appears. For a description of the GUI
elements, see Table J-70.

Step 3

Select the Exclusive Domains tab. For a description of the GUI elements, see
Table J-72.

Step 4

Right-click the appropriate rule number, then click Edit Row.


The IOS Web Filter Exclusive Domain Name dialog box appears. For a
description of the GUI elements, see Table J-74.

Step 5

Follow the basic procedure for adding web filter rules. For more information, see
Adding Web Filter Rules (IOS), page 12-112.

Step 6

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Exclusive Domain Name Dialog Box, page J-134

Adding Exclusive Domains (IOS), page 12-117

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Deleting Exclusive Domains (IOS)


This procedure assumes you are working from Device view.
Procedure
Step 1

Select an IOS device from the Device selector.


Step 2

Select Firewall > Web Filter Rules.


The Web Filter Rules page for IOS devices appears. For a description of the GUI
elements, see Table J-70.

Step 3

Select the Exclusive Domains tab. For a description of the GUI elements, see
Table J-72.

Step 4

Right-click the appropriate rule, then click Delete Row. You can also use the
shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 5

Click Yes.
The rule is removed from the table.

Step 6

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.
Related Topics

Understanding Audit Reports, page 20-7

Web Filter Rules Page (IOS), page J-126

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101


Working with Transparent Firewall Rules


Transparent Firewall is a feature that enables you to add a transparent firewall
device into an existing network without having to reconfigure statically defined
devices. Thus, the tedious and costly overhead that is required to renumber
devices on the trusted network is eliminated.
Transparent firewall rules enable you to specify VLAN-based Layer 2 (L2)
interfaces. The firewall device operates within the same subnet as the hosts it
protects. Only EtherType rules are configured as firewall policies. To configure
other types of transparent firewall features, select Platform > Bridging.
Transparent Firewall includes the following features:

L3 packet filtering and inspection on a bridged (L2) interface. To set the
interface in L2 mode, you must modify certain device settings. PIX, ASA, and
FWSM devices require that you turn on transparent mode. IOS devices require
that you configure the interface as a bridged interface.

MAC (EtherType) filtering on L2 frames.

The ability to create another L2 ACL to filter Ethernet frames based on
EtherType code.

The ability to disable MacLearning (PIX/ASA/FWSM).

The ability to specify static MAC table entries and disable learning new
entries from a particular interface.

ARP inspection (PIX/ASA/FWSM).

The ability to specify static ARP table entries and check new ARP responses
against those static entries.

The ability to forward DHCP traffic across the bridge without inspection
(IOS).

When configuring EtherType rules, you should:

1. (For PIX/ASA/FWSM) Set the device interface in L2 mode.

2. (For all devices) Configure the Transparent Rules table. To access the table,
select Firewall > Transparent Rules.

3. (For IOS devices) Configure Settings. To access settings, select Firewall >
Settings > Transparent.


From the Transparent Rules tables, you can generate Policy Query reports to help
you identify all rules in the global policy that could affect the defined packets. For
more information, see Using Policy Query, page 12-37.
The following topics will help you work with transparent rules:

Adding Transparent Rules, page 12-123

Editing Transparent Rules, page 12-125

Enabling and Disabling Transparent Rules, page 12-127

Cutting, Copying, and Pasting Transparent Rules, page 12-128

Moving Transparent Rules Up and Down, page 12-129

Deleting Transparent Rules, page 12-130

Adding Transparent Rules


This procedure assumes you are adding a rule from Device view. To add a rule
from Policy view, see Creating a New Shared Policy, page 6-45, then complete
this procedure. After you complete the procedure, you can share the global policy
and assign devices to it. For more information, see Modifying Policy Assignments
in Policy View, page 6-46.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Transparent Rules.


The Transparent Rules page appears. For a description of the GUI elements, see
Table J-75.

Step 3

Right-click the Transparent Rules table, then click Add Row. You can also use the
shortcut keys (Ctrl+R).
The Add Transparent Firewall Rule dialog box appears. For a description of the
GUI elements, see Table J-76.

Step 4

Select the Enable Rule check box, which, when selected, indicates that the rule
appears after the configuration is generated.

Step 5

Select whether to permit or deny traffic for the rule you are defining.

Step 6

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned.
If you are using the Object Selector dialog box, do one of the following, then click
OK:

Select from the available interface roles, then click >>. The objects are
moved to the selected column.

To create a new interface role, click Create. A popup window helps you define
the object. After you complete the definition, the new object is listed in the
selected column.

For more information, see Understanding Interface Role Objects, page 8-115.
Step 7

Select the traffic direction, which identifies traffic direction within a network.

Step 8

Enter the EtherType.

Step 9

Enter the wildcard mask.

Step 10

(Optional) Select a color from the Category list to help you readily identify the
rule when it appears in a rules table. For more information, see Understanding
Category Objects, page 8-48.

Step 11

(Optional) Enter a description to help you identify the rule. For
PIX/FWSM/ASA, the description is mapped to an access-list remark.

Step 12

Click OK.
The dialog box closes and you return to the Transparent Rules page.

Step 13

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.
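The EtherType and wildcard mask entered in Step 8 and Step 9 together define which frames a transparent rule matches. The following Python is an added example, not code from Cisco Security Manager or from any device: it evaluates an ordered table of EtherType rules against the EtherType field of an Ethernet frame and enumerates every value a wildcarded rule covers, which is the check a reviewer wants before approving a mask. Its assumptions, none of which the page states: the mask follows the IOS wildcard convention (a 1 bit means "ignore this bit", so 0x0000 requires an exact match), the first matching enabled rule wins, a frame matching no rule is denied, disabled rules are skipped, and frames on the VLAN interface may carry an 802.1Q tag. The sample rules and frames are constructed.

```python
# Added example, not Cisco Security Manager or device code: EtherType rule
# evaluation with IOS-style wildcard masks (set bits are "don't care").
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Well-known EtherType values, used only for the constructed sample rules.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_8021Q = 0x8100


@dataclass(frozen=True)
class EtherTypeRule:
    permit: bool
    ethertype: int          # 16-bit value entered in the rule
    wildcard: int = 0x0000  # 16-bit mask; a 1 bit means "ignore this bit"
    enabled: bool = True    # disabled rules are shown hashed and not applied
    description: str = ""


def rule_matches(rule: EtherTypeRule, value: int) -> bool:
    """Compare only the bits the wildcard mask does not ignore."""
    care = ~rule.wildcard & 0xFFFF
    return (value & care) == (rule.ethertype & care)


def evaluate(rules: Sequence[EtherTypeRule], value: int) -> Optional[EtherTypeRule]:
    """First-match semantics (assumption): return the first enabled rule that
    matches, or None when nothing matches (implicit deny)."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, value):
            return rule
    return None


def is_permitted(rules: Sequence[EtherTypeRule], value: int) -> bool:
    hit = evaluate(rules, value)
    return hit.permit if hit is not None else False


def covered_values(rule: EtherTypeRule) -> List[int]:
    """Every EtherType the rule matches. A mask with k set bits covers 2**k
    values, so this is the audit check for an over-broad wildcard."""
    base = rule.ethertype & ~rule.wildcard & 0xFFFF
    values = [base]
    for i in range(16):
        if rule.wildcard >> i & 1:
            values += [v | (1 << i) for v in values]
    return sorted(values)


def frame_ethertype(frame: bytes) -> int:
    """EtherType of an Ethernet frame: bytes 12-13, or bytes 16-17 when an
    802.1Q tag (0x8100) is present (assumption: at most one tag)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before inner EtherType")
        ethertype = int.from_bytes(frame[16:18], "big")
    return ethertype


# Constructed sample rule table: exact-match permits for IPv4 and ARP, a
# disabled IPv6 rule, and everything else falls through to the implicit deny.
SAMPLE_RULES = [
    EtherTypeRule(True, ETHERTYPE_IPV4, description="IPv4"),
    EtherTypeRule(True, ETHERTYPE_ARP, description="ARP"),
    EtherTypeRule(True, ETHERTYPE_IPV6, enabled=False, description="IPv6 (disabled)"),
]

# A single wildcarded rule intended to cover IPv4 and ARP in one entry:
# 0x0800 and 0x0806 differ in bits 1 and 2, so the mask 0x0006 covers both,
# but it also admits 0x0802 and 0x0804, which covered_values() exposes.
WILDCARD_RULE = EtherTypeRule(True, ETHERTYPE_IPV4, wildcard=0x0006)

# Constructed frames: 6-byte destination, 6-byte source, then the type field.
UNTAGGED_ARP_FRAME = bytes(6) + bytes(6) + b"\x08\x06" + b"\x00" * 28
TAGGED_IPV6_FRAME = bytes(6) + bytes(6) + b"\x81\x00\x00\x05" + b"\x86\xdd" + b"\x00" * 40

if __name__ == "__main__":
    for frame in (UNTAGGED_ARP_FRAME, TAGGED_IPV6_FRAME):
        et = frame_ethertype(frame)
        print(f"0x{et:04X} permitted: {is_permitted(SAMPLE_RULES, et)}")
    print("wildcard rule covers:", [f"0x{v:04X}" for v in covered_values(WILDCARD_RULE)])
```

Because the disabled IPv6 rule is skipped, an IPv6 frame reaches the implicit deny; this mirrors the note that disabled rules are downloaded as disabled only when the device supports that option, so the table should be read as if they were absent.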


After you define policy settings in Device view, you can use it locally on the
device, or share it with multiple devices. For more information, see Working with
Shared Policies in Device View, page 6-27.

Note

You can print the entire rules table from the File menu.
Related Topics

Transparent Rules Page, page J-135

Add and Edit Transparent Firewall Rule Dialog Boxes, page J-139

Working with Transparent Firewall Rules, page 12-122

Copying Policies Between Devices, page 6-23

Working with Shared Policies in Device View, page 6-27

Editing Transparent Rules


To facilitate the editing process, Firewall Services offers the ability to perform
inline editing on transparent rules shown in the tables. Editing can be performed
on a rule in its entirety or on individual table cells.
You can edit rules in their entirety by double-clicking a rule number in the table
or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard
from which to make your changes. You can also edit individual table cells by
right-clicking a cell, then using the shortcut menu, which opens a dialog box
specific to that table cell.
You can edit multiple rule entries by selecting multiple rules, then right-clicking
a column. You can then Add or Edit a feature, which is applied to the selected
column for all selected rows.
You can use the table filter to filter the information displayed in the table. Click
the arrow to display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.
In addition to performing inline editing, you can move rules up or down within a
table; cut, copy, and paste rules from which to clone other rule entries; enable or
disable defined rules; and delete rules from the table. These functions can be
performed from shortcut menus or buttons located on the GUI page.


An inherited rule can be modified only inside the parent policy in which it was
defined. It cannot be modified inside a child policy.

Note

You must have the appropriate user privileges to edit rules. Without appropriate
privileges, you can only view rule information from the main rules tables.

To enable or disable rules, see Enabling and Disabling Transparent Rules,
page 12-127.

To cut, copy, or paste rules, see Cutting, Copying, and Pasting Transparent
Rules, page 12-128.

To reorder rules within a table, see Moving Transparent Rules Up and Down,
page 12-129.

To delete rules, see Deleting Transparent Rules, page 12-130.

This procedure assumes you are working from Device view.

Note

Although you can access table cells and table rows to edit content using several
methods as noted above, this procedure mentions only one method.
Procedure

Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Transparent Rules.


The Transparent Rules page appears. For a description of the GUI elements, see
Table J-75.

Step 3

Follow the basic procedure for adding transparent rules using any of the editing
methods described above. For more information, see Adding Transparent Rules,
page 12-123.

Step 4

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Adding Transparent Rules, page 12-123

Transparent Rules Page, page J-135

Add and Edit Transparent Firewall Rule Dialog Boxes, page J-139

Working with Transparent Firewall Rules, page 12-122

Enabling and Disabling Transparent Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Transparent Rules.


The Transparent Rules page appears. For a description of the GUI elements, see
Table J-75.

Step 3

Select a rule to enable or disable, then right-click the appropriate rule number.

Step 4

Select Enable or Disable as appropriate.

Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.


Note

If a rule is set to disabled, it is shown in the table with hashmarks.

Disabled rules are downloaded to a device as disabled only if the device
supports that option.

Related Topics

Transparent Rules Page, page J-135

Working with Transparent Firewall Rules, page 12-122

Cutting, Copying, and Pasting Transparent Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Transparent Rules.


The Transparent Rules page appears. For a description of the GUI elements, see
Table J-75.

Step 3

From the work area, right-click the appropriate rule number, then select Cut or
Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C)
respectively.

Step 4

Right-click inside the table, then click Paste. You can also use the shortcut keys
(Ctrl+V).
The rule is added to the table.

Step 5

Edit the rule by right-clicking an entry in a table cell, then selecting from the menu
of available options for that cell. For more information, see Editing Transparent
Rules, page 12-125.

Step 6

To change the order in which the rule appears, see Moving Transparent Rules Up
and Down, page 12-129.


Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Transparent Rules Page, page J-135

Editing Transparent Rules, page 12-125

Moving Transparent Rules Up and Down, page 12-129

Working with Transparent Firewall Rules, page 12-122

Moving Transparent Rules Up and Down


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Transparent Rules.


The Transparent Rules page appears. For a description of the GUI elements, see
Table J-75.

Step 3

Select the rule to move, then right-click the appropriate rule number.

Step 4

From the shortcut menu, select Move Row Up or Move Row Down. You can also
use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.
The selected rule moves up or down one row within the table.

Tip

You can also select the rule to move, then use the Up and Down arrows.


Step 5

Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Transparent Rules Page, page J-135

Working with Transparent Firewall Rules, page 12-122

Deleting Transparent Rules


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Transparent Rules.


The Transparent Rules page appears. For a description of the GUI elements, see
Table J-75.

Step 3

Right-click the appropriate rule number, then click Delete Row. You can also use
the shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 4

Click Yes.
The rule is removed from the table.


Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.
Related Topics

Understanding Audit Reports, page 20-7

Transparent Rules Page, page J-135

Working with Transparent Firewall Rules, page 12-122

Understanding Firewall Settings


Firewall settings enable you to fine-tune your firewall rules. You can configure
settings from Device view and Policy view. Unlike rule-based policies, which can
contain hundreds of rules containing values for the same set of parameters, you
can define only one set of parameters for each settings-based policy defined on a
device. Settings-based rules cannot be inherited.
From the Settings menu, you can right-click a rule-type setting to assign policy
information, such as sharing and unsharing a policy, assigning and unassigning a
shared policy, and editing policy assignments. You can also save the policy under
a new name or rename the policy from the shortcut menu.


For more information, see Working with Shared Policies in Device View,
page 6-27.
The options listed in the Settings selector are based on the type of device selected.
For example, an ASA security appliance displays setting pages for Access
Control, AAA Firewall, and Web Filter (if the appliance interface is configured in
L2 mode), whereas an IOS device displays pages for Access Control, Inspection,
AuthProxy, and Web Filter. For more information, refer to the following:

Understanding Settings for Access Controls, page 12-132

Configuring Settings for Inspection Rules, page 12-143

Configuring Settings for AAA, page 12-146

Configuring Settings for AAA Firewall (PIX/ASA/FWSM), page 12-147

Configuring Settings for AAA (IOS), page 12-152

Configuring Settings for Web Filter Servers, page 12-156

Understanding Settings for Access Controls


Unlike firewall rule policies, which can be inherited from a parent policy,
settings do not recognize inheritance. By configuring settings for access
control, you can:

Enable Object Group Search, which reduces the memory required on the device
to hold large ACLs. For more information, see Object Group Search
(PIX/ASA/FWSM), page 12-133.

Enable Per User Downloadable ACLs, which permits downloaded access lists to
override an access list applied to an interface. For more information, see
Per User Downloadable ACLs (PIX/ASA/FWSM), page 12-135.

Enable Access List Compilation, which is designed to improve the average
search time of access control lists containing a large number of entries. For
more information, see Access List Compilation (PIX), page 12-138.

Related Topics

Enabling Object Group Search (PIX/ASA/FWSM), page 12-134

Enabling Per User Downloadable ACLs (PIX/ASA/FWSM), page 12-136

Enabling Access List Compilation (PIX), page 12-139


Object Group Search (PIX/ASA/FWSM)


Object Group Search is a feature that you access from the Access Rules table.
It lets you decide whether the ACL is expanded for packet processing. If the
object groups are very large, you can instruct the device to search within each
object group instead of expanding the ACL.
When enabled, the feature reduces the memory required on the device to hold
large ACLs; however, it slows ACL processing for each packet. When enabled, the
access-list <acl_name> object-group-search command is generated.
When Object Group Search is enabled on the device, the device matches traffic
against the ACL by searching the object groups. Less memory is needed, but
performance is slower.
When Object Group Search is disabled on the device, the device flattens all object
groups used in the ACL and stores the resulting ACEs in memory. Performance is
improved, but more memory is required.
Consider the following:

Object-group network net1
  host 1.1.1.1
  host 2.2.2.2

Object-group network net2
  host 3.3.3.3
  host 4.4.4.4

Access-list test-acl permit ip object-group net1 object-group net2

In the example above, IP traffic is permitted from source net1 to destination net2
(where net1 and net2 are object groups).
When Object Group Search is disabled on the device, an input packet is filtered
using the flattened object groups. Internally, the device expands the ACL as
follows:
Permit ip host 1.1.1.1 host 3.3.3.3
Permit ip host 1.1.1.1 host 4.4.4.4
Permit ip host 2.2.2.2 host 3.3.3.3
Permit ip host 2.2.2.2 host 4.4.4.4


Note

If object groups are very large, expanded ACLs will require more memory to store
the expanded ACL.
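The following is an added example, not code from the Cisco guide: a small Python model of what the device stores and searches for the test-acl example above when Object Group Search is disabled (the object groups are flattened into four ACEs) versus enabled (the ACL keeps one entry and the device searches the groups for each packet). The object-group and ACL definitions are the guide's own; the packet samples and the function names (expand_acl, match_expanded, match_group_search, ace_count) are assumptions made for illustration.

```python
# Added example (not from the Cisco guide): models how a PIX/ASA/FWSM
# device handles an ACL that references object groups, with Object Group
# Search disabled (object groups flattened into individual ACEs) versus
# enabled (one ACL entry, device searches the groups per packet).
# The object-group and ACL definitions are the guide's example; the packet
# samples and function names are constructed for illustration.
from itertools import product

# Object groups from the guide: net1 = {1.1.1.1, 2.2.2.2}, net2 = {3.3.3.3, 4.4.4.4}
OBJECT_GROUPS = {
    "net1": ["1.1.1.1", "2.2.2.2"],
    "net2": ["3.3.3.3", "4.4.4.4"],
}

# "access-list test-acl permit ip object-group net1 object-group net2"
TEST_ACL = [("permit", "ip", "object-group net1", "object-group net2")]


def _resolve(spec, groups):
    """Return the list of host addresses an ACE address field refers to."""
    if spec.startswith("object-group "):
        return groups[spec.split(" ", 1)[1]]
    if spec.startswith("host "):
        return [spec.split(" ", 1)[1]]
    raise ValueError(f"unsupported address spec: {spec}")


def expand_acl(acl, groups):
    """Flatten an ACL the way the device does when Object Group Search is
    disabled: every source/destination combination becomes its own ACE."""
    expanded = []
    for action, proto, src, dst in acl:
        for s, d in product(_resolve(src, groups), _resolve(dst, groups)):
            expanded.append((action, proto, f"host {s}", f"host {d}"))
    return expanded


def match_expanded(expanded, proto, src_ip, dst_ip):
    """Match against the flattened list: more ACEs in memory, direct compares."""
    for action, p, s, d in expanded:
        if p == proto and s == f"host {src_ip}" and d == f"host {dst_ip}":
            return action
    return "deny"  # implicit deny at the end of every ACL


def match_group_search(acl, groups, proto, src_ip, dst_ip):
    """Match with Object Group Search enabled: the ACL stays compact and the
    device searches inside each referenced group for every packet."""
    for action, p, src, dst in acl:
        if p == proto and src_ip in _resolve(src, groups) and dst_ip in _resolve(dst, groups):
            return action
    return "deny"


def ace_count(acl, groups, object_group_search):
    """Number of entries the device must hold for this ACL."""
    return len(acl) if object_group_search else len(expand_acl(acl, groups))


if __name__ == "__main__":
    for ace in expand_acl(TEST_ACL, OBJECT_GROUPS):
        print(" ".join(ace))
    print("entries held, search disabled:", ace_count(TEST_ACL, OBJECT_GROUPS, False))
    print("entries held, search enabled: ", ace_count(TEST_ACL, OBJECT_GROUPS, True))
```

Both matchers return the same verdict for every packet; the difference is only in how many entries the device holds (the product of the group sizes when flattened, one entry when searching) and how much work is done per packet, which is the memory-versus-speed trade-off the setting controls.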
To access this feature, select Firewall > Settings > Access Control. Right-click
inside the work area, then select Add Row or right-click a row, then select
Edit Row.
Related Topics

Enabling Object Group Search (PIX/ASA/FWSM), page 12-134

Configuring Settings for Access Control, page 12-140

Configuring Firewall ACL Settings, page 12-142

Enabling Object Group Search (PIX/ASA/FWSM)


The Object Group Search feature reduces the memory requirement on the device
to hold large ACLs. For more information, see Object Group Search
(PIX/ASA/FWSM), page 12-133.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Access Control.


The Access Control page appears. For a description of the GUI elements, see
Table J-82.

Step 3

Right-click inside the work area, then select Add Row. You can also use the
shortcut keys (Ctrl+R).
The Firewall ACL Setting dialog box appears. For a description of the GUI
elements, see Table J-83.

Step 4

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If the latter, do one of the following, then click OK:

Select from the list of available objects, then click >>. The objects are
moved to the selected column.


Click the Add button to create a new interface role object. A popup window
helps you define the object. After you complete the definition, the new
object is listed in the selected column.

Note

Interface roles are objects that are replaced with the actual interface
IP addresses when the configuration is generated for each device.

For more information, see Understanding Interface Role Objects, page 8-115.
Step 5

Select the traffic direction, which identifies traffic direction within a network.

Step 6

(Optional) Select the check box to enter a user-defined ACL name, then enter the
name in the field provided.

Step 7

Select Enable Object Group Search.

Step 8

Click OK.
The dialog box closes and you return to the main page. True is displayed in the
Object Group Search column.

Step 9

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Access Control Page, page J-147

Per User Downloadable ACLs (PIX/ASA/FWSM)


The access list is applied to traffic inbound to an interface. The access-group
command binds an access list to an interface. If traffic is permitted through the
interface, the firewall device continues to process the packet. If traffic is denied,
the device discards the packet and generates a syslog message.


The per-user downloadable ACLs option allows downloaded access lists to
override the access list applied to the interface. If the per-user downloadable
ACLs setting is not present, the firewall device preserves the existing filtering
behavior. If per-user downloadable ACLs is present, the firewall device allows the
permit or deny status from the per-user access list (if one is downloaded)
associated with a user to override the permit or deny status from the access list
bound by the access-group command. Additionally, the following rules are observed:

When a packet arrives, if no per-user access list is associated with the packet,
the interface access list is applied.

The per-user access list is governed by the timeout value specified by the
uauth option of the timeout command, which can be overridden by the AAA
per-user session timeout value.

Existing access list log behavior will be the same. For example, if user traffic
is denied because of a per-user access list, syslog message 109025 will be
logged. If user traffic is permitted, no syslog message is generated. The log
option in the per-user access-list will have no effect.
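The following is an added example, not code from the Cisco guide: a Python model of the packet decision described in the three rules above, for an interface with Per User Downloadable ACLs enabled. The interface ACL, the user sessions, the addresses and the timestamps are constructed, and the names Ace, Session, lookup and filter_packet are assumptions, not a Security Manager or device API.

```python
# Added example (not from the Cisco guide): models the packet decision a
# PIX/ASA/FWSM makes on an interface where Per User Downloadable ACLs are
# enabled, following the rules listed in the guide. The ACL contents, user
# names, session table and timestamps are constructed; the class and
# function names are assumptions, not a Security Manager or device API.
from dataclasses import dataclass, field

SYSLOG_PER_USER_DENY = 109025    # message id the guide says is logged on a per-user deny


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    src: str             # source host address or "any"
    dst: str             # destination host address or "any"
    log: bool = False    # the ACE's log option

    def matches(self, src, dst):
        return self.src in ("any", src) and self.dst in ("any", dst)


@dataclass
class Session:
    user: str
    per_user_acl: list = field(default_factory=list)   # downloaded ACL, may be empty
    expires_at: float = 0.0    # uauth timeout, or the AAA per-user session timeout


def lookup(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace
    return Ace("deny", "any", "any")


def filter_packet(interface_acl, sessions, src, dst, now, per_user_override):
    """Return (action, log_event) for one packet inbound to the interface.
    log_event is 109025 for a per-user deny, "interface-acl-log" when the
    interface ACL's matching ACE carries the log option, or None."""
    session = sessions.get(src)
    use_per_user = (per_user_override and session is not None
                    and bool(session.per_user_acl) and now < session.expires_at)
    if use_per_user:
        ace = lookup(session.per_user_acl, src, dst)
        # per-user deny -> 109025; per-user permit -> nothing; the per-user
        # ACE's own log option has no effect either way
        return ace.action, (SYSLOG_PER_USER_DENY if ace.action == "deny" else None)
    # no per-user ACL (or feature off, or session timed out): interface ACL
    # applies with its existing log behaviour
    ace = lookup(interface_acl, src, dst)
    return ace.action, ("interface-acl-log" if ace.log else None)


# Constructed sample data: the interface ACL bound by access-group, and two
# authenticated sessions, one with a downloaded per-user ACL and one without.
INTERFACE_ACL = [
    Ace("permit", "10.1.1.5", "any"),
    Ace("deny", "any", "any", log=True),
]
SESSIONS = {
    "10.1.1.5": Session("alice", expires_at=3600.0, per_user_acl=[
        Ace("deny", "10.1.1.5", "192.0.2.10", log=True),
        Ace("permit", "any", "any"),
    ]),
    "10.1.1.7": Session("bob", expires_at=3600.0),
}

if __name__ == "__main__":
    for src, dst, now in [("10.1.1.5", "192.0.2.10", 10.0), ("10.1.1.5", "192.0.2.10", 4000.0),
                          ("10.1.1.7", "192.0.2.10", 10.0)]:
        print(src, "->", dst, "at", now, filter_packet(INTERFACE_ACL, SESSIONS, src, dst, now, True))
```

The model makes the override visible: alice's per-user ACL denies a destination her interface ACL would permit (and logs 109025), that override lapses once her session timeout passes, and bob, who has no downloaded ACL, is filtered by the interface ACL alone.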

Related Topics

Enabling Per User Downloadable ACLs (PIX/ASA/FWSM), page 12-136

Understanding Settings for Access Controls, page 12-132

Enabling Per User Downloadable ACLs (PIX/ASA/FWSM)


The Per User Downloadable ACLs feature permits downloaded access lists to
override an access list applied to an interface role.
This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Access Control.


The Access Control page appears. For a description of the GUI elements, see
Table J-82.


Step 3

Right-click inside the work area, then select Add Row. You can also use the
shortcut keys (Ctrl+R).
The Firewall ACL Setting dialog box appears. For a description of the GUI
elements, see Table J-83.

Step 4

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If the latter, do one of the following, then click OK:

Select from the list of available objects, then click >>. The objects are
moved to the selected column.

Click the Add button to create a new interface role object. A popup window
helps you define the object. After you complete the definition, the new
object is listed in the selected column.

Note

Interface roles are objects that are replaced with the actual interface
IP addresses when the configuration is generated for each device.

For more information, see Understanding Interface Role Objects, page 8-115.
Step 5

Select the traffic direction, which identifies traffic direction within a network.

Step 6

(Optional) Select the check box to enter a user-defined ACL name, then enter the
name in the field provided.

Step 7

Select Enable Per User Downloadable ACLs (PIX,ASA,FWSM).

Step 8

Click OK.
The Firewall ACL Setting dialog box closes and you return to the Access Control
page. True is displayed in the Object Group Search column.

Step 9

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.


Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Per User Downloadable ACLs (PIX/ASA/FWSM), page 12-135

Access Control Page, page J-147

Understanding Settings for Access Controls, page 12-132

Access List Compilation (PIX)


An access list typically consists of multiple access list entries, organized
internally by a firewall device as a linked list. When a packet is subjected to access
list control, the device searches this linked list linearly to find a matching element.
The matching element is then examined to determine if the packet is to be
transmitted or dropped. With a linear search, the average search time increases in
proportion to the size of the list.
Access List Compilation is designed to improve the average search time of access
control lists containing a large number of entries. The feature causes the firewall
device to compile tables for ACLs, which improves the searching of long ACLs.

Note

Access List Compilation is recognized only if the number of access list elements
is greater than or equal to 19.
When Security Manager deploys the Access List Compilation commands to the
firewall device, Security Manager cannot detect if the ACLs were compiled
successfully. If the ACLs were not compiled successfully, the firewall device
disables the Access List Compilation feature. You can turn the feature on or off at
the global level. For more information, see Enabling Access List Compilation
(PIX), page 12-139.
The Access List Compilation feature requires significant amounts of memory and
is most appropriate for high-end PIX Firewall models, such as the PIX 525 or
PIX 535, and security appliances. The minimum memory required is 2.1 MB, and
approximately 1 MB of memory is required for every 2,000 ACL elements.


Note

Access List Compilation per single ACL is currently not supported.
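The following is an added example, not code from the Cisco guide: a Python illustration of the linear-search cost described above and of the guide's sizing rules for Access List Compilation (recognized only at 19 or more elements; about 2.1 MB plus 1 MB per 2,000 elements). The ACL generator and the function names (build_acl, linear_search, compile_index, compiled_search, compilation_memory_mb) are assumptions, and the dictionary index is a simplified stand-in for a compiled table, not Cisco's actual compiled format.

```python
# Added example (not from the Cisco guide): shows why a linearly searched
# ACL slows down as it grows, and applies the guide's sizing rules for
# Access List Compilation on PIX (honoured only at 19 or more elements;
# about 2.1 MB plus 1 MB per 2,000 elements). The ACL generator and the
# function names are constructed for illustration, and the dictionary
# index is a simplified stand-in for a compiled table, not Cisco's format.
MIN_ELEMENTS_FOR_COMPILATION = 19
BASE_MEMORY_MB = 2.1
MB_PER_2000_ELEMENTS = 1.0


def compilation_recognised(n_elements):
    """The device honours Access List Compilation only at 19+ elements."""
    return n_elements >= MIN_ELEMENTS_FOR_COMPILATION


def compilation_memory_mb(n_elements):
    """Approximate memory the compiled tables need, per the guide's figures."""
    return BASE_MEMORY_MB + MB_PER_2000_ELEMENTS * (n_elements / 2000)


def build_acl(n):
    """Constructed ACL of n ACEs: permit tcp from 10.0.0.k to any port 1000+k."""
    return [("permit", "tcp", f"10.0.0.{k % 256}", 1000 + k) for k in range(1, n + 1)]


def linear_search(acl, src, dport):
    """Linked-list style first-match scan; returns (action, comparisons made)."""
    for i, (action, _proto, s, p) in enumerate(acl, start=1):
        if s == src and p == dport:
            return action, i
    return "deny", len(acl)   # implicit deny after scanning everything


def compile_index(acl):
    """Simplified compiled table keyed on (src, dport); first match wins."""
    index = {}
    for action, _proto, s, p in acl:
        index.setdefault((s, p), action)
    return index


def compiled_search(index, src, dport):
    """One table lookup regardless of ACL length; returns (action, comparisons)."""
    return index.get((src, dport), "deny"), 1


def average_linear_comparisons(n):
    """Average comparisons when every ACE is equally likely to match: (n + 1) / 2."""
    acl = build_acl(n)
    return sum(linear_search(acl, s, p)[1] for _a, _pr, s, p in acl) / n


if __name__ == "__main__":
    for n in (19, 200, 2000):
        print(f"{n:5d} ACEs: avg linear comparisons {average_linear_comparisons(n):7.1f}, "
              f"compiled memory {compilation_memory_mb(n):.2f} MB, "
              f"compilation recognised: {compilation_recognised(n)}")
```

The average number of comparisons grows with the list while the compiled lookup stays constant, which is the trade the feature makes against the extra memory; the memory estimate is the one a practitioner would check against the device's free memory before enabling the setting globally.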


Related Topics

Enabling Access List Compilation (PIX), page 12-139

Access Control Page, page J-147

Understanding Settings for Access Controls, page 12-132

Enabling Access List Compilation (PIX)


The Access List Compilation feature improves the average search time of access
control lists containing a large number of entries.
This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Access Control.


The Access Control page appears. For a description of the GUI elements, see
Table J-82.

Step 3

Right-click the Access Control table, then click Add Row. You can also use the
shortcut keys (Ctrl+R).
The Firewall ACL Setting dialog box appears. For a description of the GUI
elements, see Table J-83.

Step 4

Select Enable Access List Compilation (PIX).

Step 5

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If the latter, do one of the following, then click OK:

Select from the list of available objects, then click >>. The objects are
moved to the selected column.


Click the Add button to create a new interface role object. A popup window
helps you define the object. After you complete the definition, the new
object is listed in the selected column.

Note

Interface roles are objects that are replaced with the actual interface
IP addresses when the configuration is generated for each device.

For more information, see Understanding Interface Role Objects, page 8-115.
Step 6

Select the traffic direction, which identifies traffic direction within a network.

Step 7

(Optional) Select the check box to enter a user-defined ACL name, then enter the
name in the field provided.

Step 8

Click OK.
The Firewall ACL Setting dialog box closes and you return to the Access Control
page. True is displayed in the Access List Compilation column.

Step 9

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Access List Compilation (PIX), page 12-138

Access Control Page, page J-147

Understanding Settings for Access Controls, page 12-132

Configuring Settings for Access Control


Procedure
Step 1

Select a device from the Device selector.


Step 2

Select Firewall > Settings > Access Control.


The Access Control page appears. For a description of the GUI elements, see
Table J-82.

Step 3

Enter the maximum number of concurrent flows, which specifies the maximum
number of concurrent deny flows that can be created. (Syslog message 106101 is
generated when the firewall device or security appliance has reached the
maximum number (n) of ACL deny flows.)

For a firewall device or security appliance with more than 64 MB of Flash
memory, values are 1–4096. Default is 4096.

For a firewall device or security appliance with more than 16 MB of Flash
memory, values are 1–1024. Default is 1024.

For a firewall device or security appliance with less than or equal to 16 MB
of Flash memory, values are 1–256. Default is 256.

Note

This feature is not supported on devices running IOS software.

Step 4

Enter the syslog interval, which specifies the interval of time for generating syslog
message 106101. This message alerts you that the firewall device or security
appliance has reached a deny flow maximum. When the deny flow maximum is
reached, another 106101 message is generated if the specified number of seconds
has passed since the last 106101 message. Values are 1–3600 seconds. Default is
300.

Note

This feature is not supported on devices running IOS software.

Step 5

(Optional) Select Enable Access List Compilation (Global) to improve the
average search time of access control lists containing a large number of entries.
For more information, see Enabling Access List Compilation (PIX), page 12-139.

Step 6

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

To configure additional firewall ACL settings, see Configuring Firewall ACL
Settings, page 12-142.
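The following is an added example, not code from the Cisco guide: a Python model of the two settings configured in Steps 3 and 4 of this procedure, the maximum number of concurrent ACL deny flows (whose range and default depend on the device's Flash size) and the syslog interval that rate-limits message 106101 once that maximum is reached. The flow identifiers and timestamps are constructed, and the names deny_flow_max_limit and DenyFlowTracker are assumptions, not a Security Manager or device API.

```python
# Added example (not from the Cisco guide): models the two PIX/ASA/FWSM
# Access Control settings the guide describes, the maximum number of
# concurrent ACL deny flows (whose default depends on Flash size) and the
# syslog interval that rate-limits message 106101 once that maximum is
# reached. Flow identifiers and timestamps are constructed; the class and
# function names are assumptions, not Security Manager or device APIs.

SYSLOG_DENY_FLOW_MAX = 106101   # message id named in the guide


def deny_flow_max_limit(flash_mb):
    """Upper bound (and default) of the deny-flow maximum by Flash size."""
    if flash_mb > 64:
        return 4096
    if flash_mb > 16:
        return 1024
    return 256


class DenyFlowTracker:
    """Simplified model of the device's table of ACL deny flows."""

    def __init__(self, flash_mb, max_flows=None, alert_interval_s=300):
        limit = deny_flow_max_limit(flash_mb)
        self.max_flows = limit if max_flows is None else max_flows
        if not 1 <= self.max_flows <= limit:
            raise ValueError(f"deny flow maximum must be 1-{limit} for {flash_mb} MB Flash")
        if not 1 <= alert_interval_s <= 3600:
            raise ValueError("syslog interval must be 1-3600 seconds")
        self.alert_interval_s = alert_interval_s
        self.flows = set()            # active deny flows (5-tuples)
        self.last_alert_at = None     # time of the last 106101 message
        self.syslog = []              # (timestamp, message id) pairs emitted

    def deny(self, flow, now):
        """Record an ACL deny for one flow. Returns True if a new deny flow was
        created, False if the flow already existed or the table is full."""
        if flow in self.flows:
            return False
        if len(self.flows) >= self.max_flows:
            self._alert(now)          # maximum reached: 106101, rate-limited
            return False
        self.flows.add(flow)
        return True

    def _alert(self, now):
        """Emit 106101 unless one was emitted less than alert_interval_s ago."""
        if self.last_alert_at is None or now - self.last_alert_at >= self.alert_interval_s:
            self.syslog.append((now, SYSLOG_DENY_FLOW_MAX))
            self.last_alert_at = now

    def expire(self, flow):
        """Remove a deny flow once the device ages it out."""
        self.flows.discard(flow)


if __name__ == "__main__":
    tracker = DenyFlowTracker(flash_mb=128, max_flows=2, alert_interval_s=300)
    for i, t in enumerate([0, 1, 2, 100, 302]):
        created = tracker.deny(("10.0.0.%d" % i, "192.0.2.1", 6, 40000 + i, 22), t)
        print(f"t={t:3d} new flow created: {created}, 106101 messages so far: {len(tracker.syslog)}")
```

Running the model with a small maximum shows the behaviour a SOC sees in practice: once the table is full, new deny flows are not tracked and 106101 repeats at most once per configured interval, so a flood of denied connections does not become a flood of syslog messages.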

Related Topics

Access Control Page, page J-147

Configuring Firewall ACL Settings, page 12-142

Configuring Firewall ACL Settings


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Access Control.


The Access Control page appears. For a description of the GUI elements, see
Table J-82.

Step 3

Right-click the Access Control table, then click Add Row. You can also use the
shortcut keys (Ctrl+R).
The Firewall ACL Setting dialog box appears. For a description of the GUI
elements, see Table J-83.

Step 4

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If the latter, do one of the following, then click OK:

Select from the list of available objects, then click >>. The objects are
moved to the selected column.

Click the Add button to create a new interface role object. A popup window
helps you define the object. After you complete the definition, the new
object is listed in the selected column.

Note

Interface roles are objects that are replaced with the actual interface
IP addresses when the configuration is generated for each device.


For more information, see Understanding Interface Role Objects, page 8-115.
Step 5

Select the traffic direction, which identifies traffic direction within a network.

Step 6

Enter the ACL name.

Step 7

Select any of the following:

Enable Object Group Search: prohibits expansion of object groups, which
conserves memory, and identifies rules in a table that can be grouped together.
For more information, see Object Group Search (PIX/ASA/FWSM),
page 12-133.

Enable Per User Override: permits downloaded access lists to override an
access list applied to an interface. For more information, see Per User
Downloadable ACLs (PIX/ASA/FWSM), page 12-135.

Enable Access List Compilation (PIX): improves the average search time of
access control lists containing a large number of entries. For more
information, see Access List Compilation (PIX), page 12-138.

Step 8

Click OK.

Step 9

The Firewall ACL Setting dialog box closes and you return to the Access Control
page. The rule information is shown in the table.

Step 10

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Firewall ACL Setting Dialog Box, page J-151

Configuring Settings for Inspection Rules


Configure settings for inspection rules for deeper packet inspection for
IOS devices.


This procedure assumes you are working from Device view.


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Inspection.


The Inspection page appears. For a description of the GUI elements, see
Table J-84.

Step 3

Enter the DNS timeout value, which specifies the length of time in seconds for
which a DNS (Domain Name Server) name lookup session is managed while there
is no activity. Default is 5.

Step 4

Enter the session hash table size, which specifies the size of the hash table in terms
of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192.

Step 5

Enter the value for purging half-open sessions start threshold, which specifies the
number of existing half-open sessions that will cause the software to start deleting
half-open sessions. Values are 1–2147483647. Default is 500.

Step 6

Enter the value for purging half-open sessions stop threshold, which specifies the
number of existing half-open sessions that will cause the software to stop deleting
half-open sessions. Values are 1–2147483647. Default is 400.

Step 7

Enter the maximum half-open sessions in 1 minute (high), which specifies the rate
of new unestablished TCP sessions that will cause the software to start deleting
half-open sessions. Values are 1–2147483647 per minute. Default is 500.

Step 8

Enter the maximum half-open sessions in 1 minute (low), which specifies the rate of
new unestablished TCP sessions that will cause the software to stop deleting
half-open sessions. Values are 1–2147483647 per minute. Default is 400.

Step 9

Enter the maximum sessions from the same host, which specifies how many
half-open TCP sessions with the same host destination address can exist at a time,
before the software starts deleting half-open sessions to the host. Values are
1–2147483647 half-open sessions. Default is 50.

Step 10

Enter how long to block connections to a host, which specifies the blocking time
values for TCP host-specific denial-of-service (DoS) detection and prevention. Values
are 0–35791 minutes. Default is 0.

Step 11

Enter the FIN wait time, which specifies how long a TCP session will still be
managed in seconds after the firewall detects a FIN-exchange. Default is
5 seconds.


Step 12

Enter the TCP establish timeout, which specifies the length of time, in seconds, for
which a TCP session will still be managed while there is no activity. Default is
30 seconds.

Step 13

Enter the TCP idle time, which specifies the length of time in seconds that a TCP
session will still be managed while there is no activity. Default is 3600 seconds (1
hour).

Step 14

Enter the UDP idle time, which specifies the length of time a UDP session will still
be managed while there is no activity. Default is 30 seconds.

Step 15

Select Enable Alert Messages, which enables Context-based Access Control
(CBAC) alert messages, which are displayed on the console.

Step 16

Select Enable Audit Trail Messages, which enables CBAC audit trail messages,
which are displayed on the console after each CBAC session closes.

Step 17

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.
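The following is an added example, not code from the Cisco guide: a Python model of how the half-open session thresholds set in Steps 5 through 10 of this procedure interact, covering the aggregate start/stop hysteresis (default 500/400), the one-minute rate thresholds (default 500/400 per minute), the per-host limit (default 50) and the per-host block time (default 0 minutes). Session ids, host names and timestamps are constructed, and the class HalfOpenPolicy with its new_syn and established methods is an assumption made for illustration, not the IOS implementation.

```python
# Added example (not from the Cisco guide): models the IOS inspection
# thresholds the guide describes: the aggregate half-open start/stop
# thresholds (default 500/400), the one-minute rate thresholds (default
# 500/400 per minute), the per-host half-open limit (default 50) and the
# per-host block time (default 0 minutes). Session ids, host names and
# timestamps are constructed; the class and method names are assumptions.
from collections import OrderedDict, deque


class HalfOpenPolicy:
    """Simplified model of how the inspect engine reacts to new half-open
    (unestablished) TCP sessions once the configured thresholds are hit."""

    def __init__(self, start=500, stop=400, rate_high=500, rate_low=400,
                 max_per_host=50, block_minutes=0):
        if not 1 <= stop <= start <= 2147483647:
            raise ValueError("stop threshold must be <= start threshold (1-2147483647)")
        if not 1 <= rate_low <= rate_high <= 2147483647:
            raise ValueError("low rate must be <= high rate (1-2147483647)")
        if not 1 <= max_per_host <= 2147483647:
            raise ValueError("per-host limit must be 1-2147483647")
        if not 0 <= block_minutes <= 35791:
            raise ValueError("block time must be 0-35791 minutes")
        self.start, self.stop = start, stop
        self.rate_high, self.rate_low = rate_high, rate_low
        self.max_per_host, self.block_minutes = max_per_host, block_minutes
        self.half_open = OrderedDict()   # session id -> destination host, oldest first
        self.recent = deque()            # timestamps of new sessions in the last 60 s
        self.aggressive = False          # True while the engine deletes half-open sessions
        self.blocked_until = {}          # destination host -> time the DoS block lifts

    def _per_host(self, dst):
        return sum(1 for d in self.half_open.values() if d == dst)

    def _delete_oldest(self, dst=None):
        """Delete the oldest half-open session (optionally only to one host)."""
        for sid, d in list(self.half_open.items()):
            if dst is None or d == dst:
                del self.half_open[sid]
                return sid
        return None

    def new_syn(self, sid, dst, now):
        """Return the action for a new unestablished TCP session to dst:
        "accept", "accept+delete-oldest" (an older half-open session was
        sacrificed) or "drop" (host-specific DoS block in effect)."""
        if now < self.blocked_until.get(dst, float("-inf")):
            return "drop"
        deleted = None
        # per-host limit and block time (the guide's Steps 9 and 10)
        if self._per_host(dst) >= self.max_per_host:
            if self.block_minutes > 0:
                self.blocked_until[dst] = now + self.block_minutes * 60
                return "drop"
            deleted = self._delete_oldest(dst)
        # one-minute rate (Steps 7 and 8) and aggregate count (Steps 5 and 6)
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        self.recent.append(now)
        rate, count = len(self.recent), len(self.half_open)
        if not self.aggressive and (count >= self.start or rate >= self.rate_high):
            self.aggressive = True               # start deleting half-open sessions
        elif self.aggressive and count <= self.stop and rate <= self.rate_low:
            self.aggressive = False              # back at or below the stop thresholds
        if self.aggressive and deleted is None:
            deleted = self._delete_oldest()
        self.half_open[sid] = dst
        return "accept+delete-oldest" if deleted else "accept"

    def established(self, sid):
        """The three-way handshake completed: the session is no longer half-open."""
        self.half_open.pop(sid, None)


if __name__ == "__main__":
    policy = HalfOpenPolicy(start=4, stop=2, rate_high=100, rate_low=50, max_per_host=3)
    for sid, dst, t in [("s1", "h1", 0), ("s2", "h1", 1), ("s3", "h1", 2), ("s4", "h1", 3),
                        ("s5", "h2", 4), ("s6", "h2", 5)]:
        print(sid, dst, policy.new_syn(sid, dst, t), "aggressive:", policy.aggressive)
```

The point the model makes is that the start and stop values form a hysteresis band: once the count or rate crosses the high value, every new SYN costs the oldest half-open session until the count falls to the low value, and a single host is protected separately by the per-host limit, which either sacrifices that host's oldest half-open session or, when a block time is configured, refuses new connections to it for that many minutes.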

Related Topics

Inspection Page, page J-154

Supported Features for Inspection, page 12-145

Supported Features for Inspection


Table 12-9 shows how platforms managed by Security Manager support
inspection and fixup.


Table 12-9

Inspection Supported Features

FEATURE                                                          PLATFORM: ASA, PIX, FWSM, IOS

Allows configuration of host-specific protocol port.
Constrains inspection traffic on a per-interface basis.
Constrains traffic using source and destination address.
Constrains inspection traffic based on traffic direction through the interface.
Supports granular port inspection for TCP.
Inspects all traffic.

Related Topics

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Configuring Settings for AAA


Configuring settings for AAA enables you to configure added granularity when
you are using AAA servers.

Settings for PIX/ASA/FWSM devices configure HTTPS, proxy, and MAC
settings. For more information, see Configuring Settings for AAA Firewall
(PIX/ASA/FWSM), page 12-147, and Adding MAC Exempt Address Lists,
page 12-150.

Settings for IOS devices identify AAA servers, define banner information,
and set timeout values. For more information, see Configuring Settings for
AAA (IOS), page 12-152.


Configuring Settings for AAA Firewall (PIX/ASA/FWSM)


Before You Begin

Configure a AAA rule for the device or device group. For more information,
see Adding AAA Rules, page 12-91.

Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > AAA Firewall.


The AAA Firewall page appears. The Advanced Setting tab is displayed by
default. For a description of the GUI elements, see Table J-85.

Step 3

(Optional) Select Use Secure HTTP Authentication, which, when selected,
requires additional user authentication during the session establishment.

Step 4

(Optional) Select Enable Proxy Limit, then enter a value in the field provided.

Step 5

Decide whether to disable authentication challenge for FTP, HTTP, HTTPS, and
Telnet protocols.
If you disable challenge authentication for a particular protocol, traffic using that
protocol is allowed only if the traffic belongs to a session previously
authenticated. This authentication can be accomplished by traffic using a protocol
whose authentication challenge remains enabled. For example, if you disable
challenge authentication for FTP, the FWSM denies new sessions using FTP if the
traffic is included in an authentication rule. If you establish the session with a
protocol whose authentication challenge is enabled (such as HTTP), FTP traffic
is allowed.

Step 6

Right-click inside the table, then select Add Row.


The Clear Connection Configuration dialog box appears. For a description of the
GUI elements, see Table J-86.

Step 7

Enter the interface information or click Select, which opens the Interfaces
Selector from which to make your selection. If the latter, do one of the following,
then click OK:

Select from the list of available objects, then click >>. The objects are
moved to the selected column.


Click the Add button to create a new object. A popup window helps you define
the object. After you complete the definition, the new object is listed in
the selected column.

Step 8

Enter the source address and netmask information or click Select, which opens the
Networks/Hosts Selector from which to make your selection. If the latter, do one
of the following, then click OK:

Select from the list of available objects, then click >>. The objects are
moved to the selected column.

Click the Add button to create a new object. A popup window helps you define
the object. After you complete the definition, the new object is listed in
the selected column.

Step 9

Click OK.
The dialog box closes and you return to the Advanced Setting page with the new
information shown in the table.

Step 10

(Optional) Click the MAC-Exempt List tab to complete MAC-exempt address
list information. For more information, see Understanding MAC Exempt Address
Lists, page 12-149.

Note

This feature is not supported for IOS devices.

Step 11

Enter a name for the MAC-Exempt list.

Step 12

Right-click inside the table, then select Add Row.


The Firewall AAA MAC Exempt Setting dialog box appears. For a description of
the GUI elements, see Table J-88.

Step 13

Complete the dialog box information, then select OK.


The Firewall AAA MAC Exempt Setting dialog box closes and you return to the
MAC-Exempt List page. The new setting information is shown in the table.

Step 14

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.


Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Edit AAA Option Dialog Box, page J-99

Selecting Objects for Policies, page 8-203

Understanding MAC Exempt Address Lists


The security appliance can exempt from authentication and authorization any
traffic from specific MAC addresses.
For example, if the security appliance authenticates TCP traffic originating on a
particular network but you want to allow unauthenticated TCP connections from
a specific server, you would create a MAC rule permitting traffic from the MAC
address of the server. This generates a mac-list command. You would then exempt
from authentication and authorization any traffic from the server specified by the
MAC list. This generates an aaa mac-exempt command.
Conversely, if traffic from a particular computer should never be permitted
regardless of authentication, you can create a MAC rule that denies traffic from
the MAC address of that computer. Traffic from the computer is then disallowed
even though authentication rules would otherwise permit it.
Because a MAC rule matches on the source MAC address of the frame as the
security appliance receives it, it applies only to hosts on a directly attached
segment (traffic that arrives through a router carries the router's MAC address),
and a MAC address can be spoofed by any host on that segment. Keep exempt
entries as specific as the mask allows.
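The following Python model is added here as an example; it is not code from Cisco Security Manager or from the security appliance. It shows how a MAC list is evaluated (masked comparison, first match wins) and renders the mac-list and aaa mac-exempt lines that the text above says are generated. The MAC addresses and the list name are constructed, and the fall-through when no entry matches (the normal AAA rules decide) is an assumption of the model.

```python
"""Model of a PIX/ASA MAC list as referenced by aaa mac-exempt.

Added example, not code from Cisco Security Manager or the security
appliance. Each entry is (permit|deny, mac, mask): the mask is applied
bitwise, so ffff.ffff.ffff matches one station and ffff.ff00.0000 matches
a whole OUI. Entries are evaluated in order and the first match wins,
which is why a deny for one host must precede a permit for its OUI.
The "no match means the normal AAA rules decide" fall-through is an
assumption of this model; the addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse dotted (00a0.c95d.0282), colon or hyphen separated MAC/mask text."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address or mask: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render as the dotted form the mac-list command uses."""
    hexed = f"{value:012x}"
    return f"{hexed[0:4]}.{hexed[4:8]}.{hexed[8:12]}"


@dataclass(frozen=True)
class MacEntry:
    action: str  # "permit" or "deny"
    mac: int
    mask: int

    def matches(self, candidate: int) -> bool:
        # Masked comparison: only bits set in the mask are significant.
        return (candidate & self.mask) == (self.mac & self.mask)


class MacList:
    """An ordered MAC list; the name is the id used by aaa mac-exempt match."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[MacEntry] = []

    def add(self, action: str, mac: str, mask: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.entries.append(MacEntry(action, mac_to_int(mac), mac_to_int(mask)))

    def lookup(self, mac: str) -> Optional[str]:
        """Action of the first matching entry, or None when no entry matches."""
        candidate = mac_to_int(mac)
        for entry in self.entries:
            if entry.matches(candidate):
                return entry.action
        return None  # assumption: falls through to the normal AAA rules

    def to_cli(self) -> List[str]:
        """The mac-list lines plus the aaa mac-exempt line that references them."""
        lines = [
            f"mac-list {self.name} {e.action} {int_to_mac(e.mac)} {int_to_mac(e.mask)}"
            for e in self.entries
        ]
        lines.append(f"aaa mac-exempt match {self.name}")
        return lines


def build_sample_list() -> MacList:
    """Constructed sample: exempt one OUI from authentication except one host.

    The deny entry is listed first on purpose. First match wins, so if the
    permit for the OUI came first the deny would never be reached.
    """
    phones = MacList("phones")
    phones.add("deny", "00a0.c95d.02b2", "ffff.ffff.ffff")   # this host: never exempt
    phones.add("permit", "00a0.c900.0000", "ffff.ff00.0000")  # rest of the OUI: exempt
    return phones


if __name__ == "__main__":
    sample = build_sample_list()
    print("\n".join(sample.to_cli()))
    for addr in ("00a0.c95d.0282", "00a0.c95d.02b2", "0011.2233.4455"):
        print(addr, "->", sample.lookup(addr))
```

Running the block prints the generated commands and the verdict for three addresses. Swapping the two entries in build_sample_list() makes the deny unreachable, which is the ordering mistake the model is meant to make visible.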
Related Topics

AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting
Dialog Box, page J-163

Adding MAC Exempt Address Lists, page 12-150

Editing MAC Exempt Address Lists, page 12-151

Deleting MAC Exempt Address Lists, page 12-152

Adding MAC Exempt Address Lists


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > AAA Firewall.


The AAA Firewall page appears.
Click the MAC-Exempt List tab. For a description of the GUI elements, see
Table J-87.

Step 3

Right-click inside the table, then select Add Row.


The Firewall AAA MAC Exempt Setting dialog box appears. For a description of
the GUI elements, see Table J-88.

Step 4

Select whether to permit or deny traffic for the rule you are defining.

Step 5

Enter the MAC address and mask in the fields provided.

Step 6

Click OK.
The dialog box closes and you return to the MAC-exempt Address table. The rule
information is shown in the table.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting
Dialog Box, page J-163

Understanding MAC Exempt Address Lists, page 12-149

Editing MAC Exempt Address Lists


Unlike many of the policy rule tables, the MAC-exempt Address List table does
not enable editing on a per-table cell basis.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > AAA Firewall.


The AAA Firewall page appears.
Click the MAC-Exempt List tab. For a description of the GUI elements, see
Table J-87.

Step 3

Right-click the rule to edit, then click Edit Row.


The Firewall AAA MAC Exempt Setting dialog box appears. For a description of
the GUI elements, see Table J-88.

Step 4

Select whether to permit or deny traffic for the rule you are defining.

Step 5

Enter the MAC address and mask in the fields provided.

Step 6

Click OK.
The dialog box closes and you return to the MAC-exempt Address table. The rule
information is shown in the table.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting
Dialog Box, page J-163

Understanding MAC Exempt Address Lists, page 12-149

Deleting MAC Exempt Address Lists


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > AAA Firewall.


The AAA Firewall page appears. The Advanced Setting tab is displayed by
default.

Step 3

Click the MAC-Exempt List tab.

Step 4

Right-click the appropriate rule, then select Delete Row. You can also use the
shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 5

Click Yes.
The rule is removed from the table.

Related Topics

Working with AAA Rules, page 12-89

Understanding MAC Exempt Address Lists, page 12-149

Configuring Settings for AAA (IOS)


The AuthProxy settings page configures the authentication proxy on IOS devices:
the AAA server groups, accounting, login banners, and timeouts that apply to
authentication-proxy user sessions.
Before You Begin

Configure a AAA rule for the device or device group. For more information,
see Adding AAA Rules, page 12-91.

This procedure assumes you are working from Device view.


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > AuthProxy.


The AuthProxy page appears with the General tab displayed.

Step 3

Enter the authorization server groups or click Select, which opens the Object
Selector dialog box from which to make your selection. If the latter, do one of the
following, then click OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.

Click the Add button to create a new object.


A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see Understanding AAA Server Group Objects, page 8-16.
Step 4

Enter the accounting server groups or click Select, which opens the Object
Selector dialog box from which to make your selection. If the latter, do one of the
following, then click OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.

Click the Add button to create a new object.


A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see Understanding AAA Server Group Objects, page 8-16.
Step 5

(Optional) Select Use Broadcast for Accounting, which, when enabled, sends
accounting records to multiple AAA servers. Accounting records are
simultaneously sent to the first server in each group. If the first server is
unavailable, failover occurs using the backup servers defined within that group.

Step 6

(Optional) Configure authentication server groups. Go to Platform >


Device Admin > AAA.

Step 7

Select the type of accounting notice:

Start-stop: Sends a start accounting notice at the beginning of a process and
a stop accounting notice at the end of a process. The start accounting record
is sent in the background. The requested user process begins regardless of
whether the start accounting notice was received by the accounting server.

Stop-only: Sends a stop accounting notice at the end of the requested user
process.

None: Disables accounting services on this line or interface.

Step 8

Do any of the following:

(Optional) Select the banner style to use as the HTTP banner:

Default Banner: Displays the default banner "Cisco Systems, <router
hostname> Authentication" on the authentication proxy login page for
HTTP.

Custom Banner: Enables you to enter a custom message that appears on
the authentication proxy login page for HTTP (for example, "Welcome
<Username>").

Disable Banner: No banner is displayed on the authentication proxy
login page for HTTP.

Use HTTP banner from file: When selected, enables you to enter the
location of the HTTP banner file in the URL field provided.

(Optional) Configure the HTTPS server. Go to Platform > Device Admin >
Device Access > HTTP.

(Optional) Select the banner style to use as the FTP banner:

Default Banner: Displays the default banner "Cisco Systems, <router
hostname> Authentication" on the authentication proxy login page for
FTP.

Custom Banner: Enables you to enter a custom message that appears on
the authentication proxy login page for FTP (for example, "Welcome
<Username>").

Disable Banner: No banner is displayed on the authentication proxy
login page for FTP.

(Optional) Select the banner style to use as the Telnet banner:

Default Banner: Displays the default banner "Cisco Systems, <router
hostname> Authentication" on the authentication proxy login page for
Telnet.

Custom Banner: Enables you to enter a custom message that appears on
the authentication proxy login page for Telnet (for example, "Welcome
<Username>").

Disable Banner: No banner is displayed on the authentication proxy
login page for Telnet.

(Optional) Select the Location of the File used for Banner check box to
enable the banner, then enter the directory path for accessing the file.

Step 9

Select the Timeout tab.

Step 10

Enter the global inactivity time, which specifies the length of time in minutes
that an authentication cache entry, along with its associated dynamic user
access control list (ACL), is retained after the last activity from the user.
Values are 1 to 2,147,483,647 minutes.

Step 11

Enter the global absolute time, which specifies a window in which the
authentication proxy on the enabled interface is active. Values are 1 to 65,535
minutes (about 45 and a half days).

Step 12

From the IOS timeout values table, right-click inside the table, then click
Add Row. You can also use the shortcut keys (Ctrl+R).
The Firewall AAA IOS Timeout Value Setting dialog box appears.

Step 13

Enter the interface information or click Select, which opens the Object Selector
dialog box from which to make your selection. The interface identifies the logical
name of the interface (interface role) or physical interface to which a rule is
assigned. If you use the Object Selector, do one of the following, then click OK:

Select from the list of available objects, then click >>.


The objects are moved to the selected column.

Click the Add button to create a new interface role object.


A popup window helps you define the object. After you complete the
definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 8-115.

Step 14

Enter the inactivity/cache time, which specifies the length of time in minutes
that an authentication cache entry, along with its associated dynamic user access
control list (ACL), is retained after the last activity from the user. Values are
1 to 2,147,483,647 minutes.

Step 15

Enter the absolute time, which specifies a window in which the authentication
proxy on the enabled interface is active. Values are 1 to 65,535 minutes (about
45 and a half days).

Step 16

Select the authentication proxy methods for which the rule applies.

Step 17

Click OK.
The dialog box closes and you return to the AuthProxy page. The rule information
is shown in the table.

Step 18

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.
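The following Python model is added here as an example of how the two timeouts on the Timeout tab interact for one authentication cache entry; it is not code from Cisco Security Manager or Cisco IOS. The value ranges are the ones the steps above give. Three things are assumptions of the model rather than statements from this page: that a row in the IOS timeout values table overrides the global values for its interface, that traffic from the user restarts only the inactivity timer, and that the absolute timer bounds the life of the cache entry from the moment it was created. The interface names and the sample timeline are constructed.

```python
"""Added example: interaction of the AuthProxy inactivity and absolute
timeouts. Not code from Cisco Security Manager or Cisco IOS; see the
assumptions noted in the comments.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

INACTIVITY_MINUTES = (1, 2_147_483_647)
ABSOLUTE_MINUTES = (1, 65_535)  # about 45 and a half days


def check_timeouts(inactivity: int, absolute: int) -> Optional[str]:
    """Describe the first out-of-range value, or return None if both are valid."""
    lo, hi = INACTIVITY_MINUTES
    if not lo <= inactivity <= hi:
        return f"inactivity {inactivity} outside {lo}-{hi} minutes"
    lo, hi = ABSOLUTE_MINUTES
    if not lo <= absolute <= hi:
        return f"absolute {absolute} outside {lo}-{hi} minutes"
    return None


@dataclass(frozen=True)
class Timeouts:
    inactivity: int  # minutes since the user's last packet
    absolute: int    # minutes since the entry was created

    def __post_init__(self) -> None:
        problem = check_timeouts(self.inactivity, self.absolute)
        if problem:
            raise ValueError(problem)


@dataclass
class AuthProxyTimeoutPolicy:
    global_timeouts: Timeouts
    per_interface: Dict[str, Timeouts] = field(default_factory=dict)

    def effective(self, interface: str) -> Timeouts:
        # Assumption: an interface-specific row wins over the global values.
        return self.per_interface.get(interface, self.global_timeouts)


@dataclass
class CacheEntry:
    user: str
    interface: str
    created: int    # simulation clock, in minutes
    last_seen: int

    def touch(self, now: int) -> None:
        """Assumption: traffic from the user restarts the inactivity timer only."""
        self.last_seen = now


def entry_state(entry: CacheEntry, now: int, policy: AuthProxyTimeoutPolicy) -> str:
    """'valid', 'expired-absolute' or 'expired-inactivity' at minute `now`.

    The absolute timer is checked first: steady traffic cannot extend a
    session past it, which is what makes it an upper bound (assumption).
    """
    limits = policy.effective(entry.interface)
    if now - entry.created >= limits.absolute:
        return "expired-absolute"
    if now - entry.last_seen >= limits.inactivity:
        return "expired-inactivity"
    return "valid"


def sample_policy() -> AuthProxyTimeoutPolicy:
    """Constructed: generous global values, tighter values on one interface."""
    return AuthProxyTimeoutPolicy(
        global_timeouts=Timeouts(inactivity=60, absolute=1440),
        per_interface={"FastEthernet0/0": Timeouts(inactivity=15, absolute=480)},
    )


def walk_timeline(policy: AuthProxyTimeoutPolicy) -> Dict[str, str]:
    """Run one constructed session on the tighter interface through four checkpoints."""
    entry = CacheEntry("alice", "FastEthernet0/0", created=0, last_seen=0)
    results = {"t=10": entry_state(entry, 10, policy)}
    results["t=20 idle"] = entry_state(entry, 20, policy)      # 20 idle >= 15
    entry.touch(14)
    results["t=20 touched"] = entry_state(entry, 20, policy)   # 6 idle, 20 old
    for minute in range(20, 481, 10):                          # keep it busy
        entry.touch(minute)
    results["t=480 busy"] = entry_state(entry, 480, policy)    # absolute reached
    return results


if __name__ == "__main__":
    for checkpoint, state in walk_timeline(sample_policy()).items():
        print(checkpoint, state)
```

The point the timeline makes is that the inactivity value alone does not bound a session: a host that keeps sending traffic stays authenticated until the absolute value is reached, so the absolute value is the one to tighten on an interface where a cached entry could be abused after the user walks away.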

Related Topics

AuthProxy Page, page J-164

AuthProxy Timeout Tab (IOS), page J-167

Configuring Settings for Web Filter Servers


Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Web Filter.


The Web Filter page appears. For a description of the GUI elements, see Web
Filter Page, page J-170.

Step 3

(Optional) Select the web filter server type from the list. If your selection is
something other than None you are prompted with a warning. To continue,
select Yes.

Step 4

Add settings for the Web Filter Server configuration. For more information, see
Adding Settings for Web Filter Server Configuration, page 12-158.

Step 5

Do one of the following:

For IOS Settings, go to Step 6.

For PIX, ASA, and FWSM Settings, go to Step 10.

For IOS Settings:


Step 6

Select any of the following:

Allow Traffic when all Servers Unreachable: When selected, turns on allow
mode, in which HTTP requests are permitted without filtering while none of
the configured web filter servers can be reached (fail open). When not
selected, such requests are dropped until a server responds again.

Enable Alerts: When selected, enables Context-based Access Control
(CBAC) alert messages, which are displayed on the console.

Enable Audit Trail: When selected, shows CBAC audit trail messages,
which are displayed after each CBAC session closes.

Enable Web Filter Server Logging

Step 7

Enter the cache size.

Step 8

Enter the maximum requests.

Step 9

Enter the packet buffer for HTTP responses. Go to Step 15.


For PIX, ASA, and FWSM Settings:

Step 10

Specify whether to base cache entries on source and destination, or destination
only.

Step 11

(For Websense servers) Enter the URL buffer memory value. Values are
2 to 10240 KB.

Step 12

(For Websense servers) Enter the maximum allowed URL size. Values are
2 to 4 KB.

Step 13

Enter the cache size. Values are 1 to 128.

Step 14

Enter the URL block buffer limit. Values are 1 to 128.

Step 15

Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Web Filter Page, page J-170

Adding Settings for Web Filter Server Configuration, page 12-158

Deleting Settings for Web Filter Server Configuration, page 12-161

Adding Settings for Web Filter Server Configuration


This procedure assumes you are working from Device view.

Note

Filter FTP and Filter HTTPS actions will only work with a Websense URL server.
Filter URL, Filter URL Except, Filter Java, and Filter ActiveX actions will work
with either a Websense or an N2H2 URL server.
Procedure

Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Web Filter.


The Web Filter page appears. For a description of the GUI elements, see Web
Filter Page, page J-170.

Step 3

Select the Web Filter Server type. If you are not using a Web Filter Server, select
None.

Step 4

Right-click inside the Web Filter Server table, then click Add Row. You can also
use the shortcut keys (Ctrl+R).
The Web Filter Server Configuration dialog box appears. For a description of the
GUI elements, see Web Filter Server Configuration Dialog Box, page J-174.

Step 5

Enter the IP address of the Web Filter Server.

Step 6

Enter the port number of the Web Filter Server.

Step 7

Enter the timeout value.

Step 8

Do one of the following:

For PIX, ASA, and FWSM devices, go to Step 9.

For IOS devices, go to Step 13.

For PIX, ASA, and FWSM Devices:


Step 9

Enter interface information in the field provided or click Select, which opens the
Interface Selector dialog box from which to make your selection. The interface
identifies the logical name of the interface (interface role) or physical interface to
which a rule is assigned. If you are using the Interface Selector dialog box, do one
of the following:

Select from the list of available objects.

Click the Add button to create a new object.


A popup window helps you define the object. After you complete the
definition, the new object is highlighted in the available column.

For more information, see Understanding Interface Role Objects, page 8-115.
Step 10

Click OK.

Step 11

Select the protocol type.

Step 12

Enter the connection value. Go to Step 15.


For IOS Devices:

Step 13

Enter the retransmit value, which specifies the number of times the Cisco IOS
device will retransmit the request when a response does not arrive for the request.

Step 14

Enter the port value.

Step 15

Click OK.
The Web Filter Server Configuration dialog box closes and you return to the Web
Filter Server Configuration page.

Step 16

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.
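The following Python model is added here as an example and is not code from Cisco Security Manager or Cisco IOS. It ties together two settings from the procedures above: the per-server timeout and retransmit values entered in the Web Filter Server Configuration dialog box, and the Allow Traffic when all Servers Unreachable option on the Web Filter page. The server addresses, ports, URLs and the lookup callbacks are constructed; the callbacks stand in for the vendor protocol and return True (permit), False (block) or None (no answer before the timeout).

```python
"""Added example: what the web filter server settings mean for one request.
Not code from Cisco Security Manager or Cisco IOS.

Servers are tried in the order configured. Each server gets one request
plus `retransmit` retries, each waiting `timeout` seconds. Only when every
server is exhausted does "Allow Traffic when all Servers Unreachable"
matter: selected means fail open, cleared means fail closed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

LookupFn = Callable[[str], Optional[bool]]


@dataclass(frozen=True)
class FilterServer:
    address: str
    port: int
    timeout: int      # seconds to wait for each attempt
    retransmit: int   # retries after the first attempt
    lookup: LookupFn  # constructed stand-in for the Websense/N2H2 exchange


@dataclass(frozen=True)
class WebFilterSettings:
    servers: List[FilterServer]
    allow_when_unreachable: bool  # "Allow Traffic when all Servers Unreachable"


@dataclass(frozen=True)
class Decision:
    permitted: bool
    source: str     # "address:port" of the answering server, or the fallback used
    attempts: int
    waited: int     # seconds spent on attempts that timed out


def filter_request(settings: WebFilterSettings, url: str) -> Decision:
    """Walk the server list, then apply allow mode if nobody answered."""
    attempts = 0
    waited = 0
    for server in settings.servers:
        for _ in range(server.retransmit + 1):
            attempts += 1
            verdict = server.lookup(url)
            if verdict is not None:
                return Decision(verdict, f"{server.address}:{server.port}", attempts, waited)
            waited += server.timeout  # this attempt timed out; retry or fail over
    if settings.allow_when_unreachable:
        return Decision(True, "allow-mode (fail open)", attempts, waited)
    return Decision(False, "fail closed", attempts, waited)


# Constructed lookup behaviours for the demonstration.
def unreachable(_url: str) -> Optional[bool]:
    """A server that never answers within the timeout."""
    return None


def category_server(url: str) -> Optional[bool]:
    """Blocks one constructed hostname, permits everything else."""
    return not url.startswith("http://blocked.example/")


def sample_settings(allow: bool) -> WebFilterSettings:
    """Constructed: a dead primary with two retries, then a live secondary."""
    primary = FilterServer("10.0.0.5", 15868, timeout=5, retransmit=2, lookup=unreachable)
    secondary = FilterServer("10.0.0.6", 15868, timeout=5, retransmit=0, lookup=category_server)
    return WebFilterSettings([primary, secondary], allow_when_unreachable=allow)


def sample_all_down(allow: bool) -> WebFilterSettings:
    """Constructed: only a dead server, so allow mode decides every request."""
    only = FilterServer("10.0.0.5", 15868, timeout=5, retransmit=2, lookup=unreachable)
    return WebFilterSettings([only], allow_when_unreachable=allow)


if __name__ == "__main__":
    for settings in (sample_all_down(True), sample_all_down(False), sample_settings(False)):
        print(filter_request(settings, "http://blocked.example/page"))
```

Two things worth noticing when running it: the block buffer values are irrelevant to the decision, so the choice between fail open and fail closed is entirely the allow mode setting; and with timeout 5 and retransmit 2 a dead primary costs 15 seconds per request before the secondary is even tried, which is why those two values deserve as much attention as the server list itself.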

Related Topics

Web Filter Page, page J-170

Web Filter Server Configuration Dialog Box, page J-174

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Editing Settings for Web Filter Server Configuration


Unlike many of the rules tables, the Web Filter Settings for Server Configuration
table does not enable editing on a per-table cell basis. The basic procedure for
editing Web Filter Settings for Server Configuration is the same as adding
settings.
This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Web Filter.


The Web Filter page appears. For a description of the GUI elements, see Web
Filter Page, page J-170.

Step 3

Select the Web Filter Server type.

Step 4

Right-click the appropriate rule, then click Edit Row.


The Web Filter Server Configuration dialog box appears. For a description of the
GUI elements, see Web Filter Server Configuration Dialog Box, page J-174.

Step 5

Follow the procedure for adding settings for Web Filter Server configuration.

Step 6

Click OK.
The Web Filter Server Configuration dialog box closes and you return to the Web
Filter page.

Step 7

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

Related Topics

Web Filter Page, page J-170

Web Filter Server Configuration Dialog Box, page J-174

Adding Settings for Web Filter Server Configuration, page 12-158

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Deleting Settings for Web Filter Server Configuration


This procedure assumes you are working from Device view.
Procedure
Step 1

Select a device from the Device selector.

Step 2

Select Firewall > Settings > Web Filter.


The Web Filter page appears. For a description of the GUI elements, see Web
Filter Page, page J-170.

Step 3

Right-click the appropriate rule, then click Delete Row. You can also use the
shortcut keys (Ctrl+D).
You are prompted to confirm the deletion the first time you delete a row and any
additional time, unless you request not to be prompted.

Step 4

Click Yes.
The rule is removed from the table.

Step 5

Click Save, which saves your changes to the server, but keeps them private.
Changes must be submitted and approved before they are committed to the
database, which enables all other users to view the changes. For more
information, see Chapter 7, Managing Activities.
Changes are applied to the assigned device configuration files when they are
generated. The configuration files are then downloaded to the devices at
deployment. For more information, see Chapter 18, Managing Deployment.

You can verify the deletion of the rule by viewing an audit report. To generate an
audit report, select Tools > Audit Report.
Related Topics

Understanding Audit Reports, page 20-7

Web Filter Page, page J-170

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Chapter 13

Managing IPS Services


Cisco Security Manager supports the management and configuration of
Cisco Intrusion Prevention System (IPS) sensors (appliances, switch modules,
network modules, and Security Service modules [SSMs]) and Cisco IOS IPS
devices (Cisco IOS routers with IPS-enabled images and
Cisco Integrated Services Routers [ISRs]). You configure IPS sensors and
IOS IPS devices through the use of policies, each of which defines a different part
of the configuration of the sensor. For a detailed explanation of the policy
paradigm used by Cisco Security Manager, see the Managing Policies chapter.
By right-clicking a policy type in one of the policy selectors, you can assign a
policy to a single sensor or IOS IPS device, share the policy among more than one
sensor or IOS IPS device, or unassign the policy from the sensor or IOS IPS
device. For more information about the options available from this shortcut menu,
see Policy Selector Shortcut Menu Options.
The following topics describe how to manage IPS services on Cisco IPS sensors
and Cisco IOS IPS devices:

Understanding Network Sensing, page 13-2

Configuring Interfaces, page 13-2

Configuring Signatures, page 13-9

Configuring Signature Settings, page 13-17

Configuring Anomaly Detection, page 13-18

Configuring Event Actions, page 13-21

Configuring Policies Specific to IOS IPS Devices, page 13-24

Understanding Network Sensing


Network sensing can be accomplished using Cisco IPS sensors (appliances,
switch modules, network modules, and SSMs) and Cisco IOS IPS devices
(Cisco IOS routers with IPS-enabled images and Cisco ISRs). These sensing
platforms are components of the Cisco Intrusion Prevention System and can be
managed and configured through Cisco Security Manager. These sensing
platforms monitor and analyze network traffic in real time. They do this by
looking for anomalies and misuse on the basis of network flow validation, an
extensive embedded signature library, and anomaly detection engines. However,
these platforms differ in how they can respond to perceived intrusions.

Note

Cisco IPS sensors and Cisco IOS IPS devices are often referred to collectively as
IPS devices or simply sensors.
When an IPS device detects unauthorized network activity, it can terminate the
connection, permanently block the associated host, and take other actions. Event
actions were previously called alarms in Cisco IPS.
Network sensing requires you to define several IPS policies. One of the most
important policies is the tuning of an IPS device to achieve maximum security and
optimal performance, and particularly to minimize false positives and false
negatives. In Security Manager, the term used for tuning is editing signature
parameters.

Configuring Interfaces
The Interfaces policy is where you configure interfaces for Cisco IPS sensors:

Configuring Physical Interfaces, page 13-4

Configuring Bypass Mode, page 13-4

Configuring Inline Pairs, page 13-5

Configuring VLAN Pairs, page 13-6

Configuring VLAN Groups, page 13-7

Interface Summary, page 13-9

Note

No interface configuration as described in this chapter is supported by Cisco
IOS IPS.

Understanding Interfaces
The sensor interfaces are named according to the maximum speed and physical
location of the interface.
There are three interface roles: command and control, sensing, and alternate TCP
reset. There are restrictions on which roles you can assign to specific interfaces,
and some interfaces have more than one role. The command and control interface
has an IP address and is used for configuring the sensor. It receives security and
status events from the sensor and queries the sensor for statistics. Sensing
interfaces are used by the sensor to analyze traffic for security violations. Using
alternate TCP reset interfaces, you can configure sensors to send TCP reset
packets to try to reset a network connection between an attacker host and its
intended target host.
There are five interface modes: promiscuous (simple physical interface), inline
interface mode, inline VLAN pair mode, physical interface VLAN group mode
(IPS 6.0), and inline interface pair VLAN group mode (IPS 6.0). In promiscuous
mode, packets do not flow through the sensor; the sensor analyzes a copy of the
monitored traffic rather than the actual forwarded packet, so it can only react to
an attack after the fact (for example, with a TCP reset). Operating in inline
interface pair mode puts the IPS directly into the traffic flow, which lets it drop
packets but lowers packet-forwarding rates because inspection adds latency. You
can associate VLANs in pairs on a physical interface. This is known as inline
VLAN pair mode. Packets received on one of the paired VLANs are analyzed and
then forwarded to the other VLAN in the pair. You can divide each physical
interface or inline interface into VLAN group subinterfaces, each of which
consists of a group of VLANs on that interface.

Configuring Physical Interfaces


From the Interfaces policy, the Physical Interfaces tab lists the existing physical
interfaces on your sensor and their associated settings. The sensor detects the
interfaces and populates the summary table in the Physical Interfaces tab. In the
Physical Interfaces policy, interfaces can only be edited; they cannot be added or
deleted.

Tip

Each physical interface can be divided into VLAN group subinterfaces, each of
which consists of a group of VLANs on that interface.
To edit the physical interface settings, follow these steps:

Step 1

In Device View, select the sensor whose physical interface settings you want to
edit.

Step 2

Also in Device View, select Interfaces > Physical Interfaces.

Step 3

In the summary table on the Physical Interfaces tab, select the interface that you
want to edit and click the Edit button. The Modify Physical Interface Map dialog
box appears.

Step 4

You can change the description in the Description field, or change the state from
enabled to disabled by selecting Yes or No in the list box. You can have the
interface use the alternate TCP reset interface by checking the Specify Interface
for TCP Reset check box.

Step 5

Click OK. The edited interface appears in the summary table in the Physical
Interfaces tab.

Step 6

Click Save to apply your changes and save the revised configuration.

Configuring Bypass Mode


You can use inline bypass as a diagnostic tool and a failover protection
mechanism. Normally, the sensor Analysis Engine performs packet analysis.
When inline bypass is activated, Analysis Engine is bypassed, allowing traffic to
flow through the inline interfaces and inline VLAN pairs without inspection.

Inline bypass ensures that packets continue to flow through the sensor when the
sensor processes are temporarily stopped for upgrades or when the sensor
monitoring processes fail. There are three modes: on, off, and auto(matic). In on
mode, traffic always passes without inspection; in off mode, traffic is never
bypassed, so inline traffic stops whenever the Analysis Engine is unavailable; in
auto mode, bypass is activated only while the Analysis Engine is not running. By
default, bypass mode is set to auto, which keeps the network up through a sensor
outage at the cost of a window of uninspected traffic; select off where dropping
traffic is preferable to forwarding it uninspected.
To change the bypass mode setting, follow these steps:
Step 1

In Device View, select the sensor whose bypass mode settings you want to change.

Step 2

Also in Device View, select Interfaces > Physical Interfaces.

Step 3

Beneath the summary table on the Physical Interfaces tab, in the Bypass Mode
field, select the mode that you want.

Configuring Inline Pairs


You can pair interfaces on your sensor if your sensor is capable of inline
monitoring.
To configure inline pairs, follow these steps:
Step 1

In Device View, select the sensor for which you want to pair interfaces.

Step 2

Also in Device View, select Interfaces > Inline Pairs.

Step 3

Click the Add button. The Add Interface Pair dialog box appears.

Step 4

Enter a name in the Interface Pair Name field. The inline interface name is a name
that you assign.

Step 5

Select two interfaces to form a pair in the Interface A and Interface B fields. For
example, select GigabitEthernet0/0 and GigabitEthernet0/1.

Step 6

You can add a description of the inline interface pair in the Description field if you
want to.

Step 7

Click OK. The new inline pair appears in the summary table on the Inline Pairs
tab.

Step 8

To edit an inline pair, select that pair and then click the Edit button. The Edit
Interface Pair dialog box appears.

Step 9

You can select different interfaces for the pair or edit the description. You
cannot change the name.

Step 10

Click OK. The edited inline pair appears in the summary table on the Inline Pairs
tab.

Step 11

To delete an inline pair, select that pair and then click the Delete button. The inline
interface pair no longer appears in the summary table.

Step 12

Click Save to apply your changes and save the revised configuration.

Configuring VLAN Pairs


The summary table on the VLAN Pairs tab displays the existing VLAN pairs for
each physical interface. Multiple VLAN pairs may be created on a single physical
interface.
To configure a VLAN pair, follow these steps:
Step 1

In Device View, select the sensor for which you want to configure a VLAN pair.

Step 2

Also in Device View, select Interfaces > VLAN Pairs.

Step 3

Click the Add button. The Add VLAN Pair dialog box appears.

Step 4

Choose an interface from the Physical Interfaces list box.

Step 5

Enter a subinterface number (1 to 255) for the VLAN pair in the Subinterface
Number field.

Step 6

Specify the first VLAN (1 to 4095) for this VLAN pair in the VLAN A field.

Step 7

Specify the other VLAN (1 to 4095) for this VLAN pair in the VLAN B field.

Step 8

You can add a description of the inline VLAN pair in the Description field if you
want to.

Step 9

Click OK. The new VLAN pair appears in the summary table on the VLAN Pairs
tab.

Step 10

To edit an inline VLAN pair, select that pair and then click the Edit button. The
Edit VLAN Pair dialog box appears.

Step 11

You can change the subinterface number, the VLAN numbers, or the description.

Step 12

Click OK. The edited VLAN pair appears in the summary table.


Step 13

To delete a VLAN pair, select that pair and then click Delete. The VLAN pair no
longer appears in the summary table.

Step 14

Click Save to apply your changes and save the revised configuration.

Configuring VLAN Groups


Each physical interface can be divided into VLAN group subinterfaces, each of
which consists of a group of VLANs on that interface. Also, an inline interface
can also be divided into VLAN group subinterfaces. More than one VLAN group
can be created on a single physical interface or single inline pair, as long as each
VLAN group is assigned a unique subinterface number.

Note

VLAN groups are supported in IPS 6.0 only.


A VLAN group consists of a group of VLAN IDs that exist on an interface. Each
VLAN group consists of at least one VLAN ID. You can have up to 255 VLAN
groups per interface (logical or physical). Each group can contain any number of
VLAN IDs. You then assign each VLAN group to a virtual sensor (but not more
than one virtual sensor). You can assign different VLAN groups on the same
sensor to different virtual sensors. Certain IPS models support assignment of
VLAN groups to a virtual sensor. The following sensors support assignment of
promiscuous VLAN groups and inline VLAN groups to a virtual sensor:
IDS-4235, IDS-4250-TX, IDS-4250-SX, IDS-4250-XL, IPS-4240, IPS-4255, and
IPS-4260.
After you assign the VLAN IDs to the VLAN group, you must assign the VLAN
group to a virtual sensor.
To configure a VLAN group, follow these steps:

Step 1

In Device View, select the sensor for which you want to configure a VLAN group.

Step 2

Also in Device View, select Interfaces > VLAN Groups.

Step 3

Click Add to add a VLAN group. The Add VLAN Group Map dialog box appears.

Step 4

In the Physical and Logical Interfaces list box, select an interface.


Step 5

In the Subinterface Number field, enter a subinterface number (1 to 255) for the
VLAN group.

Step 6

Specify the VLAN group for this interface by selecting one of the following radio
buttons:

a. All Unassigned VLAN IDs - Lets you assign all the VLANs that are not
already specifically assigned to a subinterface.

b. Range of free VLAN IDs - Lets you specify the VLANs that you want to
assign to this subinterface. You can assign more than one VLAN (1 to 4095)
in this pattern: 1, 5-8, 10-15. This lets you set up different policies based on
VLAN ID. For example, you can make VLANs 1-10 go to one virtual sensor
(VS0) and VLANs 20-30 go to another virtual sensor (VS1).

Note

You need to know the VLAN IDs that are configured on your switch in order to
enter them in the Specify VLAN Group field.

Step 7

You can add a description of the VLAN group in the Description field if you want
to.

Step 8

Click OK. The new VLAN group appears in the list in the VLAN Groups pane.
You must assign this VLAN group to a virtual sensor.

Step 9

To edit a VLAN group, select it, and click Edit. The Edit VLAN Group Map
dialog box appears.

Step 10

You can change the subinterface number, the VLAN group, or edit the description.

Step 11

Click OK. The edited VLAN group appears in the summary table on the VLAN
Groups tab.

Step 12

To delete a VLAN group, select that group and then click Delete. The VLAN
group no longer appears in the summary table.

Step 13

Click Save to apply your changes and save the revised configuration.
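
The VLAN list syntax accepted by the Range of free VLAN IDs option (1, 5-8, 10-15) and the rules stated in this section (subinterface numbers 1 to 255 and unique per interface, VLAN IDs 1 to 4095, a VLAN assigned to only one subinterface) can be checked before the configuration is pushed to a sensor. The following Python is an added example, not Security Manager or sensor code; the function names and the "unassigned" marker standing in for the All Unassigned VLAN IDs radio button are this example's own conventions.

```python
"""Parse the VLAN list syntax of the "Range of free VLAN IDs" option
("1, 5-8, 10-15") and check that a set of VLAN groups can coexist on one
physical interface or inline pair: subinterface numbers 1 to 255 and unique,
VLAN IDs 1 to 4095, and no VLAN claimed by two groups.
Added example, not Security Manager or sensor code."""

VLAN_MIN, VLAN_MAX = 1, 4095
SUBIF_MIN, SUBIF_MAX = 1, 255

# Constructed marker for the "All Unassigned VLAN IDs" radio button; it is
# this example's convention, not a value Security Manager uses.
ALL_UNASSIGNED = "unassigned"


def parse_vlan_spec(spec):
    """Expand "1, 5-8, 10-15" into the set {1, 5, 6, 7, 8, 10, ..., 15}.

    Raises ValueError for malformed tokens, descending ranges, or any
    VLAN ID outside 1 to 4095.
    """
    vlans = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty VLAN entry in %r" % spec)
        if "-" in token:
            lo_text, hi_text = token.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)
            if lo > hi:
                raise ValueError("descending range %r" % token)
        else:
            lo = hi = int(token)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError("VLAN ID outside %d-%d in %r" % (VLAN_MIN, VLAN_MAX, token))
        vlans.update(range(lo, hi + 1))
    return vlans


def validate_vlan_groups(groups):
    """Check a list of (subinterface_number, vlan_spec) pairs that are meant
    to live on the same interface.  Returns a list of problem strings; an
    empty list means the groups are consistent with the rules above."""
    problems = []
    seen_subifs = set()
    claimed = {}  # VLAN ID -> subinterface number that already claims it
    for subif, spec in groups:
        if not SUBIF_MIN <= subif <= SUBIF_MAX:
            problems.append("subinterface %d outside %d-%d" % (subif, SUBIF_MIN, SUBIF_MAX))
        if subif in seen_subifs:
            problems.append("subinterface %d used twice" % subif)
        seen_subifs.add(subif)
        if spec == ALL_UNASSIGNED:
            # Takes whatever is left over, so it cannot collide with a range.
            continue
        try:
            vlans = parse_vlan_spec(spec)
        except ValueError as exc:
            problems.append("subinterface %d: %s" % (subif, exc))
            continue
        for vlan in sorted(vlans):
            if vlan in claimed:
                problems.append("VLAN %d is in subinterface %d and %d" % (vlan, claimed[vlan], subif))
            else:
                claimed[vlan] = subif
    return problems


if __name__ == "__main__":
    # Constructed input: two explicit groups plus a catch-all group.
    for problem in validate_vlan_groups([(1, "1-10"), (2, "20-30"), (3, ALL_UNASSIGNED)]):
        print(problem)
    print(validate_vlan_groups([(1, "1-10"), (1, "5-8")]))
```

An empty result from validate_vlan_groups means the groups map cleanly onto distinct subinterfaces; each problem string names the offending subinterface so it can be matched against the summary table on the VLAN Groups tab.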


Interface Summary
The Summary tab contains a table summarizing how you have configured the
sensing interfaces: the interfaces you have configured for promiscuous mode, the
interfaces you have configured as inline pairs, the interfaces you have configured
as inline VLAN pairs, inline VLAN groups, and promiscuous VLAN groups. The
content of this table changes when you change your interface configuration.

Caution

You can configure any single physical interface to run in promiscuous mode,
inline pair mode, or inline VLAN pair mode, but you cannot configure an
interface in a combination of these modes.

Configuring Signatures
The Signatures policy is where you configure signatures for Cisco IPS sensors:

Understanding Signatures, page 13-9

Accessing the Cisco NSDB, page 13-10

Understanding Signature Inheritance, page 13-11

Editing Signatures: Severity, Fidelity Rating, and Action, page 13-12

Enabling and Disabling Signatures, page 13-14

Cloning Signatures, page 13-14

Adding Custom Signatures, page 13-15

Editing Signature Parameters (Tuning Signatures), page 13-16

Understanding Signatures
Network intrusions are attacks on, or other misuses of, network resources.
Cisco IPS sensors and Cisco IOS IPS devices use a signature-based technology to
detect network intrusions. A signature specifies the types of network intrusions
that you want the sensor to detect and report. As sensors scan network packets,
they use signatures to detect known types of attacks, such as denial of service
(DoS) attacks, and respond with actions that you define.


On a basic level, signature-based intrusion detection technology can be compared
to virus-checking programs. Cisco IPS contains a set of signatures that the sensor
compares with network activity. When a match is found, the sensor takes some
action, such as logging the event or sending an alarm to the
Cisco IPS Event Viewer (Cisco IEV).
Signatures can produce false positives, because certain normal network activity
can be construed as malicious. For example, some network applications or
operating systems may send out numerous ICMP messages, which a
signature-based detection system might interpret as an attempt by an attacker to
map out a network segment. You can minimize false positives by editing your
signature parameters (tuning your signatures).

Accessing the Cisco NSDB


The Cisco Network Security Database (NSDB) can be accessed, or invoked,
through the user interface of Security Manager.
The NSDB is a database of security information that explains the signatures the
IPS uses along with the vulnerabilities on which these signatures are based. The
NSDB contains a description for each attack signature that the sensor can detect.
In Security Manager, the table in the content area of the IPS Signature policy
contains several columns by default, one of which is Signature ID. The Signature
ID column contains hyperlinks to the NSDB. Clicking on the link in the ID
column will trigger the opening of an external browser window that opens to the
entry in MySDN for that signature.
MySDN, which stands for My Self-Defending Network, provides up-to-date
intelligence reports about current vulnerabilities and threats, as well as education
on advanced security topics to help you protect your network, prioritize
remediation, and structure your systems to reduce organizational risk. For more
information, refer to http://www.cisco.com/go/MySDN.
If you have access to Cisco.com, then the signature ID is linked to MySDN. If you
do not have access to Cisco.com, then the signature ID is linked to the local copy
of the NSDB. Security Manager will detect whether or not you have access to
Cisco.com and make the appropriate link for you without your having to set a
preference.


Some signatures in IPS 5.x, IPS 6.0, and IOS IPS have special characteristics:
Built-in signatures cannot be added, deleted, or renamed, because they are
provided with IPS itself. (Built-in means all signatures other than those that you
create.) The information for built-in signatures, such as their names and IDs,
appears as it does in the NSDB. The other type of signatures, custom signatures,
are those that you create. Custom signatures do not have MySDN links.

Tip

For a particular signature in the NSDB, the Release Version refers to the version
of IPS that the signature first appeared in, or was last modified in. The Release
Version appears in the bottom left-hand corner of the header information when
you are looking at a particular signature.

Understanding Signature Inheritance


Signature inheritance for IPS devices differs from that for any other Security
Manager policy. Inheritance refers to the capability of Security Manager to
enforce hierarchical lists of first-match, rule-based policies such as access rules.
Signature inheritance is different because, for IPS devices, Security Manager
allows inheritance on a per-signature basis.
This example shows what is meant by inheritance on a per-signature basis:
Step 1

In Policy View, select IPS > Signatures > Signatures.

Step 2

Create a policy named test1.

Step 3

Create a second policy, named test2.

Step 4

Right-click test2 and select Inherit Signatures. The Inherit Rules - test2 dialog
box appears.

Step 5

Select test1 and click the OK button.

Step 6

Select test1 and edit a signature. Note the edit that you made and save your
change.

Step 7

Select test2 and select the signature that you just edited. Observe that test2
inherited the editing that you did on test1.


Editing Signatures: Severity, Fidelity Rating, and Action

You can edit the following properties of Cisco IPS signatures:

Enable - Configures the sensor to scan network traffic for that particular
signature and to generate an alarm when an attack is detected. Disabling a
signature causes the sensor to disregard any network traffic that displays the
signature.

Retire - Removes the signature from the signature micro-engine.

Note

You can enable a signature that is retired, but it then is not used to
scan traffic, because it is not in the signature micro-engine. If you
want a sensor to scan network traffic for a particular signature, you
must enable it and not retire it.

Activate - Changes the value in the Retired field from No to Yes.

Sig Fidelity Rating (SFR) - Identifies the weight associated with how well
this signature might perform in the absence of specific knowledge of the
target. This rating can be any number from 0 to 100, with 100 indicating the
most confidence in the signature.

Severity - Categorizes the attack. The severity setting is used in Event
Viewer in Security Monitor to distinguish among the types of attacks being
logged.

Action - Determines the action or actions the sensor will take, in addition to
generating an alarm, when it detects an attack. Action is the term in Cisco IPS
6.x for what previously was called event action or alarm. You can configure
a variety of actions to add or remove activities associated with a signature
event.

Signature Name - Used when adding a new signature (not used for all
categories and groupings of signatures).

You cannot edit the following properties of signatures:

Signature ID - The ID of the signature, which is generated by
Security Manager (generated only for custom signatures).

Subsig ID - Specifies the subsignature ID (not used for all signatures). For
example, every string-matching signature has a subsignature ID, which is
generated by Security Manager. Also, every ACL violation signature has a
subsignature ID, which is generated by Security Manager. When you create
an ACL violation signature, the Subsig ID field is populated with a value that
is greater by 1 than the subsignature having the highest number in the list.
Some signatures have special characteristics:

Built-in signatures cannot be added, deleted, or renamed, because they are
provided with the sensor software.
The information for built-in signatures, such as their names and IDs, reflects
how it is recorded in the Cisco Network Security Database (NSDB). To view
the NSDB from the Signatures page, click a signature ID, such as 2000, in the
ID column. The entries in the ID column are hyperlinks to the NSDB.

No custom signatures are provided with a new 5.x or 6.x sensor. You can
create custom signatures and modify any existing custom signatures.
However, you cannot create a custom signature that has the same ID as
another custom signature.

Some signatures have special requirements. For example, to configure a sensor to
detect ACL violation signatures, you must first configure one or more Cisco IOS
routers to log ACL violations. Then, you must configure those routers to
communicate with the sensor. Finally, you must configure the sensor to accept
syslog traffic from those routers.
To edit a signature, follow these steps:
Step 1

In Device View, select the sensor whose signature you want to edit.

Step 2

Also in Device View, select IPS > Signatures > Signatures. The signature
summary table appears.

Tip

You can filter the display of the signature table. Using the Filter list, select
any of the displayed columns as the filter source. Next, enter a value in
the adjacent field and click Apply. For example, select Severity in the list
box and enter the value High in the adjacent field. When you click Apply,
the signature table displays all signatures that have a high severity. Click
Clear to cancel filtering.

Step 3

In the summary table on the Signatures page, find the signature that you want to
edit and right-click its row. The row shortcut menu appears.

Step 4

In the row shortcut menu, click Edit Row. The Edit Signature dialog box appears.


Note

The default policy cannot be edited, so if you want to change the signature
settings, you will have to override them in the local policy for the device. You can
do this by selecting Local from the Source Policy list box. After you change the
source policy to Local, the controls are enabled.

Step 5

Edit the Severity, Fidelity, or Actions by selecting a new value in those fields.

Step 6

Click OK. The edited signature property appears in the summary table on the
Signatures page.

Step 7

Click Save to apply your changes and save the revised configuration.

Enabling and Disabling Signatures


To enable or disable a signature, follow these steps:
Step 1

In Device View, select the sensor whose signature you want to enable or disable.

Step 2

Also in Device View, select IPS > Signatures > Signatures.

Step 3

In the summary table on the Signatures page, find the signature that you want to
enable or disable and right-click its row. The row shortcut menu appears.

Step 4

In the row shortcut menu, click Enable or Disable. The signature appears enabled
or disabled in the summary table on the Signatures page.

Step 5

Click Save to apply your changes and save the revised configuration.

Cloning Signatures
To clone a signature, follow these steps:
Step 1

In Device View, select the sensor whose signature you want to clone.

Step 2

Also in Device View, select IPS > Signatures > Signatures.


Step 3

In the summary table on the Signatures page, find the signature that you want to
clone and right-click its row. The row shortcut menu appears.

Step 4

In the row shortcut menu, click Clone. The Add Custom Signature dialog box
appears.

Step 5

Edit the properties of the clone.

Step 6

Click OK. The clone appears in the summary table on the Signatures page.

Step 7

Click Save to apply your changes and save the clone.

Note

Cloned signatures are enabled and active by default.

Adding Custom Signatures


To add a custom signature, follow these steps:
Step 1

In Device View, select the sensor for which you want to add a custom signature.

Step 2

Also in Device View, select IPS > Signatures > Signatures.

Step 3

In the summary table on the Signatures page, right-click on a row (any row). The
row shortcut menu appears.

Step 4

In the row shortcut menu, click Add Row. The Add Custom Signature dialog box
appears.

Timesaver

In place of steps 3 and 4, you can click the Add button at the bottom of the table.

Step 5

Click the Edit Parameters button. The Edit Signature Parameters dialog box
appears. At a minimum, you must click the OK button on the Edit Signature
Parameters dialog box; you do not need to edit any parameters, but if you click
the Cancel button first, your custom signature will not be created.

Step 6

Click OK. The custom signature appears in the summary table on the Signatures
page.

Step 7

Click Save to apply your changes and save the custom signature.


Note

Custom signatures are enabled and active by default.

Editing Signature Parameters (Tuning Signatures)


After you configure your sensors, you must edit their parameters (tune them) to
achieve optimal performance on your network, and particularly to minimize false
positives and false negatives.
A false positive occurs when legitimate network activity, such as virus scanning,
is interpreted and reported as an attack. This happens when network activity meets
criteria that were specified to identify an attack before the attack occurred. You
can decrease the number of false positives by tuning your sensor configurations.
A false negative occurs when an attack is not detected. Tuning your sensor
configurations will help you decrease the number of false negatives.
This procedure describes how to edit signature parameters (tune a signature).
Procedure
Step 1

In Device view, select an IPS device from the Device selector.

Step 2

Also in Device view, select IPS > Signatures > Signatures.

Step 3

In the summary table on the Signatures page, find the signature whose parameters
you want to edit and right-click its row. The row shortcut menu appears.

Step 4

Click Edit Row. The Edit Signature dialog box appears.

Step 5

In the Source Policy Field, change the setting to Local to enable editing.

Step 6

Click Edit Parameters. The Edit Signature Parameters dialog box appears.

Step 7

In the category you want, such as Engine, select the setting you want, such as
Fragment Status, and then select a value from among those available, such as
Fragmented.

Step 8

Click the OK button to save your changes.


Configuring Signature Settings


The Settings page is where you configure signature settings for Cisco IPS sensors
that define application policy (enable HTTP, maximum number of HTTP
Requests, AIC web ports, and enable FTP), fragment reassembly policy, stream
reassembly policy, and IP logging policy. These settings result in policies that can
be shared but cannot be inherited. When a new IPS device is added, it has a local
policy that contains the default settings for all signatures.
Signature settings policies are supported with these features:

Enable HTTP

Max HTTP Requests

AIC Web Ports

Enable FTP

IP Reassembly Mode

TCP Handshake Required

TCP Reassembly Mode

Max IP Log Packets

IP Log Time

Max IP Log Bytes

Configuring signature settings consists of four tasks:

Step 1

Define application policy. Enable or disable HTTP, determine and specify the
maximum number of HTTP requests, specify AIC web ports, and enable or
disable FTP. For detailed descriptions of these settings, see Table N-20 on
page N-33.

Step 2

Define fragment reassembly policy. Configure the sensor to reassemble a
datagram that has been fragmented over more than one packet by selecting the IP
reassembly mode. For a detailed description of the IP reassembly mode, see
Table N-20 on page N-33.


Step 3

Define stream reassembly policy. Configure the sensor to monitor only TCP
sessions that have been established by a complete three-way handshake by
specifying whether or not a TCP handshake is required and by selecting the TCP
reassembly mode. For detailed descriptions of these settings, see Table N-20 on
page N-33.

Step 4

Define IP logging policy. Configure the sensor to generate an IP session log when
the sensor detects an attack by determining and selecting the maximum allowable
number of log packets, the IP log time and the maximum allowable size of the IP log.
For detailed descriptions of these settings, see Table N-20 on page N-33.

Configuring Anomaly Detection


Anomaly detection is a new feature, introduced with Cisco IPS 6.x sensors. Not
all Cisco IPS devices support anomaly detection.
Anomaly detection is designed to recognize network congestion caused by worm
traffic that exhibits scanning behavior. Anomaly detection also will identify
infected hosts on the network that are scanning for other vulnerable hosts.

Note

Anomaly detection is not supported by Cisco IOS IPS.

Explaining Anomaly Detection


The anomaly detection component of the sensor detects worm-infected hosts that
exhibit scanning-type behavior. This makes the sensor less dependent on
signature updates for protection against worm viruses such as Code Red and
SQL Slammer. The anomaly detection component lets the sensor learn normal
activity and then send alerts and take dynamic response actions for behavior
that deviates from what it has learned as normal behavior.

Note

Anomaly detection does not detect email-based worms, such as Nimda.


Anomaly detection recognizes when one or more worm-infected sources start
scanning for other vulnerable hosts.

Worm Viruses
Worm viruses are automated, self-propagating intrusion agents that make copies
of themselves and then facilitate their spread. Worm viruses attack a vulnerable
host, infect it, and then use it as a base to attack other vulnerable hosts. They
search for other hosts by using a form of network inspection, typically a scan, and
then propagate to the next target. A scanning worm virus locates vulnerable hosts
by generating a list of IP addresses to probe, and then contacts the hosts. Code
Red worm, Sasser worm, Blaster worm, and the Slammer worm are examples of
worms that spread in this manner.
Anomaly detection identifies worm-infected hosts by their behavior as a scanner.
To spread, a worm virus must find new hosts. It finds them by scanning the
Internet using TCP, UDP, and other protocols to generate unsuccessful attempts
to access different destination IP addresses. A scanner is defined as a source IP
address that generates events on the same destination port (in TCP and UDP) for
too many unresponsive destination IP addresses.
The events that are important for TCP protocol are non-established connections,
such as a SYN packet that does not have its SYN-ACK response for a given
amount of time. A worm-infected host that scans using TCP protocol generates
non-established connections on the same destination port for an anomalous
number of IP addresses.
The events that are important for UDP protocol are unidirectional connections,
such as a UDP connection where all packets are going in only one direction. A
worm-infected host that scans using UDP protocol generates UDP packets but
does not receive UDP packets on the same quad within a time-out period on the
same destination port for multiple destination IP addresses.
The events that are important for other protocols, such as ICMP, are from a source
IP address to many different destination IP addresses, that is, packets that are
received in only one direction.

Caution

If a worm virus has a list of IP addresses it should infect and does not have to use
scanning to spread itself (for example, it uses passive mapping, listening to the
network as opposed to active scanning), it will not be detected by anomaly
detection's worm policies. Worm viruses that receive a mailing list from probing
files within the infected host and email this list will not be detected, because no
L3/L4 anomaly is generated.

Learning Mode
Anomaly detection initially conducts a peacetime learning process, during which
the most normal state of the network is reflected. Anomaly detection then derives
a set of policy thresholds that best fit the normal network. This is done in two
phases:

Initial setup - In the initial setup, the sensor is in learning mode. We assume
that during this phase no attack is being carried out. Anomaly detection
creates an initial baseline, known as a knowledge base, of the network traffic.
The default amount of time for anomaly detection to be in learning mode is
24 hours, but depending on your network complexity, you may want to
change the default. After the learning mode time has expired, you terminate
this phase by configuring anomaly detection to operate in detect mode.

Ongoing operation - For ongoing operation, the sensor is in learning plus
detecting mode. This is for 24 hours, 7 days a week. Once a knowledge base
has been created, anomaly detection detects attacks based on it. It looks at the
network traffic flows that violate thresholds in the knowledge base and sends
alerts. As anomaly detection looks for anomalies, it also records gradual
changes to the knowledge base that do not violate the thresholds and thus
creates a new knowledge base. The new knowledge base is periodically saved
and takes the place of the old one, thus maintaining an up-to-date knowledge
base.

By default, anomaly detection functions even if you do not follow the two phases
and manually change the operational mode from learning to detect. Anomaly
detection does not detect attacks when working with the initial knowledge base,
which is empty. After the default of 24 hours, the default operational mode is
changed to detect. A knowledge base is saved and loaded and now anomaly
detection also detects attacks.

Anomaly Detection Zones


By subdividing the network into zones, you can achieve a lower false negative
rate. A zone is a set of destination IP addresses. There are three zones, each with
its own thresholds: internal, illegal, and external.

The external zone is the default zone with the default Internet range of
0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP
addresses. Packets that do not match the set of IP addresses in the internal or
illegal zone are handled by the external zone.
We recommend that you configure the internal zone with the IP address range of
your internal network. If you configure it in this way, the internal zone is all the
traffic that comes to your IP address range, and the external zone is all the traffic
that goes to the Internet.
You can configure the illegal zone with IP address ranges that should never be
seen in normal traffic, for example, unallocated IP addresses or part of your
internal IP address range that is unoccupied. An illegal zone can be very helpful
for accurate detection, because we do not expect any legal traffic to reach this
zone. This allows very low thresholds, which in turn can lead to very quick worm
virus detection.
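
The scanner definition given under Worm Viruses (unanswered attempts on one destination port across too many distinct destination IPs), the peacetime learning phase under Learning Mode, and the three zones with their own thresholds described above fit together in one small model. The following Python is an added example, not Cisco sensor code: the zone prefixes, the flow records, the learned-threshold margin and every function name are constructed for illustration, and the "answered" flag on a flow stands in for the sensor's observation of a SYN-ACK or a returning UDP or ICMP packet.

```python
"""Model of the scanner definition and the zone thresholds described in the
anomaly detection text: a scanner is a source IP whose attempts on one
destination port go unanswered by too many distinct destination IPs, judged
against the threshold of the zone those destinations fall in.  Thresholds are
learned from a clean (peacetime) traffic sample.  Added example, not Cisco
sensor code; zones, flows and the margin are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # meaningful for tcp/udp only
    answered: bool   # tcp: SYN-ACK seen; udp/icmp: a packet came back


# Constructed zone layout: the illegal zone is an unoccupied slice carved out
# of the internal range; anything matching neither is the external zone.
ZONES = {
    "illegal": [ip_network("10.250.0.0/16")],
    "internal": [ip_network("10.0.0.0/8")],
}


def zone_of(dst):
    """Classify a destination address; "illegal" is checked before "internal"
    because here it is a sub-range of the internal network."""
    addr = ip_address(dst)
    for name in ("illegal", "internal"):
        if any(addr in net for net in ZONES[name]):
            return name
    return "external"


def unanswered_targets(flows):
    """Group flows by (src, proto, dport, zone) and return, per group, the set
    of destination IPs that never answered: non-established TCP connections,
    unidirectional UDP, or one-way packets for other protocols."""
    attempted = defaultdict(set)
    answered = defaultdict(set)
    for f in flows:
        dport = f.dport if f.proto in ("tcp", "udp") else 0
        key = (f.src, f.proto, dport, zone_of(f.dst))
        attempted[key].add(f.dst)
        if f.answered:
            answered[key].add(f.dst)
    return {key: attempted[key] - answered[key] for key in attempted}


def learn_thresholds(peacetime_flows, margin=2):
    """Learning mode: take the worst unanswered fan-out per zone seen in the
    clean sample and add a margin.  The illegal zone keeps the lowest possible
    threshold because no legitimate traffic should reach it."""
    worst = {"internal": 0, "external": 0}
    for (_src, _proto, _dport, zone), dsts in unanswered_targets(peacetime_flows).items():
        if zone in worst:
            worst[zone] = max(worst[zone], len(dsts))
    thresholds = {zone: count + margin for zone, count in worst.items()}
    thresholds["illegal"] = 1
    return thresholds


def detect_scanners(flows, thresholds):
    """Detect mode: return (src, proto, dport, zone, unanswered_count) for
    every source whose unanswered fan-out reaches its zone's threshold."""
    hits = []
    for (src, proto, dport, zone), dsts in unanswered_targets(flows).items():
        if len(dsts) >= thresholds[zone]:
            hits.append((src, proto, dport, zone, len(dsts)))
    return sorted(hits)


# Constructed clean sample: a couple of ordinary connection failures only.
PEACETIME = [
    Flow("10.1.1.5", "10.1.2.10", "tcp", 80, True),
    Flow("10.1.1.5", "10.1.2.11", "tcp", 80, False),
    Flow("10.1.1.7", "198.51.100.20", "tcp", 443, True),
    Flow("10.1.1.7", "198.51.100.21", "tcp", 443, False),
]

# Constructed sample with a scanning host: 10.1.1.9 probes port 445 on five
# internal addresses and on one address in the illegal zone; none answer.
SCAN_SAMPLE = PEACETIME + [
    Flow("10.1.1.9", "10.1.3.%d" % i, "tcp", 445, False) for i in range(1, 6)
] + [Flow("10.1.1.9", "10.250.0.7", "tcp", 445, False)]


if __name__ == "__main__":
    kb = learn_thresholds(PEACETIME)
    print("learned thresholds:", kb)
    for hit in detect_scanners(SCAN_SAMPLE, kb):
        print("scanner:", hit)
```

With the constructed samples the learned thresholds are 3 for the internal and external zones and 1 for the illegal zone, so the probing host is reported twice: once for the single packet into the illegal zone, which is enough on its own, and once for the five unanswered internal targets. The same source with the same fan-out into the external zone would need to reach the external threshold, which is why the text recommends keeping the internal range out of the external zone.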

Configuring Event Actions


An event is an IPS message that contains an alert, a block request, a status
message, or an error message. An event action is the sensor's response to an event.
An event action happens only if the event is not filtered. Possible event actions are
TCP reset, block host, block connection, IP logging, and capturing the alert
trigger packet. Event actions were known as alarms in Cisco IPS versions earlier
than 5.x.
The Event Actions folder is where you configure settings for the event action
processing component of the sensor. These settings define the actions for the
sensor to take when an event is detected:

Configuring Event Action Filters, page 13-22

Configuring Event Action Overrides, page 13-22

Configuring Network Information, page 13-22

Configuring Settings for Event Actions, page 13-24


Configuring Event Action Filters


A Cisco IPS 5.x or 6.x event action filter (EAF) removes one or more actions
from the signature event. EAFs are listed as either default or mandatory. For
any given signature event, filters are applied in the order specified in the
Signature Event Action Filters summary table and are processed on a
first-match basis. You can move filters up or down in the summary table to
change the order of their application.
You can define filters on the basis of signature categories such as operating
system signatures and web signatures.

Configuring Event Action Overrides


Event action overrides (EAOs) add actions to the signature event, based on some
criteria. You configure the following configuration elements when adding an
EAO:

Signature Event Action - A selection from the list of signature event
actions.

Risk Rating Inclusive Range (0-100) - The range of RR values at which the
EAO is valid. This is expressed as two numbers, each from 0 to 100, separated
by a hyphen. For example, 0-66.

Enable action - A check box that, when selected, enables the EAO.
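
How an EAO adds actions when the event's risk rating falls inside its inclusive range, and how an EAF then strips actions on a first-match basis in table order (as the Configuring Event Action Filters text describes), can be modelled end to end. The following Python is an added example, not Cisco sensor or Security Manager code; the action names, the signature-ID matching criterion on the filters, and the assumption that overrides are applied before filters are this example's own.

```python
"""Model of event action overrides (add actions within a risk rating range)
and event action filters (remove actions, first match in table order).
Added example, not Cisco sensor code; action names and filter criteria are
constructed, and the override-then-filter ordering is an assumption."""
from dataclasses import dataclass


def parse_rr_range(text):
    """Turn the "0-66" form of the Risk Rating Inclusive Range field into an
    (lo, hi) tuple, rejecting anything outside 0-100 or descending."""
    lo_text, hi_text = text.split("-", 1)
    lo, hi = int(lo_text), int(hi_text)
    if not (0 <= lo <= hi <= 100):
        raise ValueError("bad risk rating range %r" % text)
    return lo, hi


@dataclass(frozen=True)
class Override:
    action: str            # the signature event action to add
    rr_range: tuple        # inclusive (lo, hi), e.g. (0, 66)
    enabled: bool = True   # the "Enable action" check box


@dataclass(frozen=True)
class Filter:
    sig_ids: frozenset     # signatures the filter matches; empty = any signature
    remove: frozenset      # actions the filter strips from the event
    enabled: bool = True


def apply_overrides(actions, risk_rating, overrides):
    """Add the action of every enabled override whose RR range contains the
    event's risk rating."""
    result = set(actions)
    for o in overrides:
        lo, hi = o.rr_range
        if o.enabled and lo <= risk_rating <= hi:
            result.add(o.action)
    return result


def apply_filters(actions, sig_id, filters):
    """First-match: walk the filters in table order and apply only the first
    enabled one that matches the signature.  Returns the remaining actions and
    the index of the filter that fired (None if no filter matched)."""
    for index, f in enumerate(filters):
        if not f.enabled:
            continue
        if f.sig_ids and sig_id not in f.sig_ids:
            continue
        return set(actions) - set(f.remove), index
    return set(actions), None


def resolve_actions(sig_id, risk_rating, base_actions, overrides, filters):
    """Final action set for one event: overrides first, then filters, so a
    filtered action never happens even if an override added it."""
    with_overrides = apply_overrides(base_actions, risk_rating, overrides)
    remaining, _ = apply_filters(with_overrides, sig_id, filters)
    return remaining


# Constructed tables.  Signature 2000 is a built-in ID quoted in the text; the
# action names are illustrative.
OVERRIDES = [
    Override("block-host", parse_rr_range("90-100")),
    Override("ip-log", parse_rr_range("0-66")),
    Override("tcp-reset", parse_rr_range("50-100"), enabled=False),
]
FILTERS = [
    Filter(frozenset({2000}), frozenset({"block-host"})),   # never block on sig 2000
    Filter(frozenset(), frozenset({"ip-log"})),             # default: no IP logging
]


if __name__ == "__main__":
    for sig, rr in ((2000, 95), (3050, 95), (3050, 40)):
        print(sig, rr, sorted(resolve_actions(sig, rr, {"alert"}, OVERRIDES, FILTERS)))
```

Because only the first matching filter fires, the order of rows in the Signature Event Action Filters summary table changes the outcome: swapping the two constructed filters would let the block-host action through for signature 2000 at a high risk rating.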

Configuring Network Information


The Network Information Page is where you configure Target Value Ratings and
OS Identification (Cisco IPS 6.x sensors only).

Note

OS Identification is not supported by Cisco IPS 5.x sensors or by IOS IPS.


Understanding Target Value Ratings


A target value rating (TVR) is one weight factor that is used to calculate the Risk
Rating (RR) value for each alert. You can assign different TVR values to different
targets based on the importance of the target. You have the following choices
for TVR values: No value, Low, Medium, High and Mission Critical. You can
configure TVRs at the device, group, or global levels. The addresses you specify
in the TVR are one of the following possible choices: a single IP address, a range
of IP addresses, or a variable.

Configuring Target Value Ratings


The Target Value Ratings tab on the Network Information page is where you
configure TVRs for 5.x sensors and 6.x sensors. The addresses you specify in the
TVR are one of the following possible choices: a single IP address, an IP address
range, a set of IP address ranges, a building blocks.
When you add a TVR you specify its type, a value that corresponds to that type,
and value rating. The following configuration elements and corresponding values
apply:

Variable: The name of a variable.

Single IP: An IP address in standard form.

Range: The Start IP Address and the End IP Address, both in standard form.

Value Rating: One of the following: Low, Medium, High, Mission Critical.

Configuring OS Identification (Cisco IPS 6.x Sensors Only)


The OS Identification (6.x only) tab on the Network Information page is where
you configure passive OS fingerprinting for 6.x sensors.

Note

OS Identification is not supported by Cisco IPS 5.x sensors or by IOS IPS.


Passive OS fingerprinting functions as part of the sensor. As the sensor analyzes
network traffic between hosts, the sensor stores the identity of the OS running on
the hosts alongside the IP addresses of the hosts. The sensor determines the
identity of the OSs on the hosts by inspecting characteristics of the packets
exchanged on the network. The sensor then uses the target system's OS
information to compute the ARR (Attack Relevance Rating) component for RR
(Risk Rating). The RR can then be used to drop suspicious packets.
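To make the relationships in this and the two preceding sections concrete (the TVR as a weight in the Risk Rating, the ARR contribution from OS identification, and an EAO that adds an action when the RR falls inside its inclusive range), here is an added worked example in Python. It is not Security Manager or sensor code. The RR formula and the numeric weights behind the TVR and ARR choices are the Cisco IPS 6.x values as recalled from the sensor documentation, not values stated on this page, so check them against your sensor release. The "narrowest match wins" rule in tvr_for, the sample addresses, and the action names in the override table are this example's own assumptions.

```python
"""Risk Rating (RR) worked example: TVR lookup, ARR from OS fingerprinting,
and Event Action Override (EAO) matching on an inclusive RR range.

Added illustration, not Security Manager or sensor code. The RR formula and
the numeric weights behind the TVR and ARR choices are the Cisco IPS 6.x
values as the editor recalls them from the sensor documentation; they are
NOT stated on this page, so verify them against your sensor release. All
target entries, events and overrides below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Numeric weight behind each Target Value Rating choice (assumed IPS 6.x values).
TVR_WEIGHT = {"No value": 50, "Low": 75, "Medium": 100,
              "High": 150, "Mission Critical": 200}

# Attack Relevance Rating contribution derived from passive OS fingerprinting
# (assumed IPS 6.x values): the signature targets the OS seen on the host,
# the OS is unknown, or the signature cannot apply to that OS.
ARR_WEIGHT = {"relevant": 10, "unknown": 0, "not relevant": -10}


@dataclass(frozen=True)
class TargetValueRating:
    """One TVR entry: a single IP (end is None) or a Start..End range."""
    start: str
    rating: str
    end: Optional[str] = None

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        return lo <= addr <= hi

    def span(self) -> int:
        lo = int(ipaddress.ip_address(self.start))
        hi = int(ipaddress.ip_address(self.end)) if self.end else lo
        return hi - lo


def tvr_for(ip: str, tvrs: List[TargetValueRating]) -> str:
    """Rating to use for a target address. Assumption of this example: the
    narrowest matching entry wins (a host entry beats a range containing it);
    unmatched targets get 'No value'."""
    matches = [t for t in tvrs if t.contains(ip)]
    if not matches:
        return "No value"
    return min(matches, key=TargetValueRating.span).rating


def risk_rating(asr: int, tvr: str, sfr: int, arr: str,
                pd: int = 0, wlr: int = 0) -> int:
    """RR = (ASR * TVR * SFR) / 10000 + ARR + PD - WLR, clamped to 0..100.
    ASR: attack severity, SFR: signature fidelity (both 0..100);
    PD: promiscuous delta, WLR: watch list rating (both 0 unless configured)."""
    rr = (asr * TVR_WEIGHT[tvr] * sfr) // 10000 + ARR_WEIGHT[arr] + pd - wlr
    return max(0, min(100, rr))


def parse_rr_range(text: str) -> Tuple[int, int]:
    """Parse the 'Risk Rating Inclusive Range' field, e.g. '0-66'."""
    lo_s, sep, hi_s = text.partition("-")
    if sep != "-" or not lo_s.isdigit() or not hi_s.isdigit():
        raise ValueError(f"RR range must be two numbers separated by a hyphen: {text!r}")
    lo, hi = int(lo_s), int(hi_s)
    if not 0 <= lo <= hi <= 100:
        raise ValueError(f"RR range bounds must be 0..100 with low <= high: {text!r}")
    return lo, hi


@dataclass(frozen=True)
class EventActionOverride:
    action: str      # a signature event action name (sample names below)
    rr_range: str    # inclusive RR range as typed in the GUI, e.g. "85-100"
    enabled: bool = True


def apply_overrides(rr: int, base_actions: Set[str],
                    overrides: List[EventActionOverride]) -> Set[str]:
    """EAOs only ever ADD actions: an enabled override whose range covers
    the event's RR contributes its action; disabled ones are ignored."""
    actions = set(base_actions)
    for eao in overrides:
        lo, hi = parse_rr_range(eao.rr_range)
        if eao.enabled and lo <= rr <= hi:
            actions.add(eao.action)
    return actions


if __name__ == "__main__":
    # Constructed sample TVR table: a server range plus one high-value host.
    tvrs = [TargetValueRating("10.1.1.0", "Medium", "10.1.1.255"),
            TargetValueRating("10.1.1.5", "High")]
    rr = risk_rating(asr=70, tvr=tvr_for("10.1.1.5", tvrs), sfr=80, arr="relevant")
    print("RR for 10.1.1.5:", rr)
    eaos = [EventActionOverride("deny-packet-inline", "85-100"),
            EventActionOverride("request-block-host", "90-100", enabled=False),
            EventActionOverride("log-attacker-packets", "0-66")]
    print(sorted(apply_overrides(rr, {"produce-alert"}, eaos)))
```

Run it directly to see the sample host's RR and the resulting action set. The point worth noticing is how much the TVR alone moves the outcome: the same signature against the Medium-rated range lands at 66 and picks up only the logging override, while against the High-rated host it reaches 94 and crosses into the inline deny range.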

Configuring Settings for Event Actions


The Settings Page in the Event Actions folder is where you configure the
following settings:

Enable Event Action Overrides

Enable Event Action Filters

Enable Event Action Summarizer

Enable Meta Event Generator

Enable Threat Rating Adjustment

Deny Attacker Duration in Seconds

Block Action Duration in minutes

Maximum number of Denied Attackers

For detailed information on these settings, see Event Actions > Settings Page,
page N-60.

Configuring Policies Specific to IOS IPS Devices


This section details policies that are specific to IOS IPS devices supported by
Security Manager:

Understanding Cisco IOS IPS, page 13-25

Limitations and Restrictions, page 13-25

Preparation for Use, page 13-26

Signatures, page 13-26

General Settings, page 13-27

Interface Rules, page 13-27


Understanding Cisco IOS IPS


You can use Cisco Security Manager with the Cisco IOS Intrusion Prevention
System (IOS IPS) to manage intrusion prevention on Cisco routers that use
supported Cisco IOS releases.
The earliest support by Cisco Security Manager 3.1 for IOS IPS is in IOS
12.4(11)T2.

Tip

The IPS subsystem version is a version number used to keep track of Cisco IOS
IPS feature changes. You can use the command show subsys name ips at a
command line on the router that is running Cisco IOS IPS to show the detailed
Cisco IOS IPS subsystem version.

Cisco IOS IPS acts as an inline, signature-based IPS sensor that can be turned on
in Cisco IOS Software router platforms with security feature images. Cisco IOS
IPS can be configured to respond to signature identification by dropping packets,
resetting connections, and sending alarms. Within Security Manager you can
configure policies specific to IOS IPS, such as editing, deleting, enabling, and
disabling signatures in addition to configuring event actions.

Limitations and Restrictions


Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled images and
Cisco Integrated Services Routers [ISRs]) do not support all the features that are
supported by IPS sensors (appliances, switch modules, network modules, and
Security Service modules [SSMs]). In addition, routers that support IOS IPS may
not allocate as much memory to IPS functionality as an IPS sensor does. The
following limitations and restrictions are important:

When configuring an IOS IPS device, select only the signatures that you
need. If you select all signatures that are available in Security Manager, the
IOS IPS device may fail to load the signatures or performance may be
significantly degraded.

Anomaly detection is not supported by Cisco IOS IPS.

OS Identification is not supported by IOS IPS.

Virtual sensors are not supported by IOS IPS.


When using event action filters with an IOS IPS device, only a subset of IPS
actions are available for removal from an event that meets the criteria of the
event action filter. For detailed information, see Filter Item Dialog Box,
page N-49.

Preparation for Use


You must prepare an IOS router before you can use it as an IOS IPS device.
Preparation for use consists of the following steps:
Step 1

Download Cisco IOS IPS Files.

Step 2

Create a Directory on Flash.

Step 3

Configure a Cisco IOS IPS Crypto Key.

Step 4

Enable Cisco IOS IPS. Also enable HTTP/HTTPS, without which discovery fails.

Step 5

Load Signatures to Cisco IOS IPS.

For detailed procedures, see Getting Started with Cisco IOS IPS with 5.x Format
Signatures.

Signatures
You can use Security Manager to configure IOS IPS signature policies such as
editing, deleting, enabling, and disabling signatures. You can also create custom
signatures.

Signature Sets in Previous Versions of IOS IPS


Built-in signatures are removed from Cisco IOS IPS starting from Cisco IOS
Software Release 12.4(11)T. In previous releases, built-in signatures are
predefined signatures bundled with Cisco IOS Software. These built-in signatures
exist solely to maintain backward compatibility with the previous Cisco IOS
Intrusion Detection System (IDS), which has about 135 signatures. Cisco does not
recommend using built-in signatures.


The basic signature set (in file 128MB.sdf) and the advanced signature set (in file
256MB.sdf) are not used by Security Manager 3.1.
Cisco decommissioned the use of the file attack-drop.sdf.

General Settings
The General Settings page is where you specify the global settings used for IPS
rules defined for a particular router. Security Manager enables you to configure
two general settings for IOS IPS devices:

Traffic Blocking when IPS engine unavailable setting

Deny Action Properties

SDEE Properties

IPS Config Location properties

Configuring general settings consists of four tasks:


Step 1

Determine whether or not all traffic should be denied if the IPS engine is
unavailable. For detailed information on this setting, see General Settings Page,
page N-104.

Step 2

Determine whether to cause Cisco IPS to apply the ACLs directly to the Cisco IPS
interfaces, rather than to the interfaces that originally received the attack traffic.
For detailed information on this setting, see General Settings Page, page N-104.

Step 3

Configure SDEE properties. For detailed information on this setting, see General
Settings Page, page N-104.

Step 4

Configure IPS Config Location properties. For detailed information on this
setting, see General Settings Page, page N-104.

Interface Rules
Cisco IPS rules specify the interface or interfaces and the direction of traffic
relative to the interface(s) that Cisco IPS is to examine. Additionally, the interface
rule may also define a sub-set of the IP traffic to be examined, by assigning an
ACL to select or filter IP traffic.

The Interface Rules page is where you add and edit IPS rules for Cisco IOS IPS
devices. For detailed information on adding and editing IPS rules, see Interface
Rules Page, page N-107.

Chapter 14

Managing Routers

Cisco Security Manager supports the management and configuration of security
features and other platform-specific features on Cisco IOS access security routers.
You configure these features in the form of policies, each of which defines a
different aspect of the configuration of the router. For a detailed explanation of
the policy paradigm used by Security Manager, see Managing Policies, page 6-1.
You can discover the configurations that are already defined on Cisco IOS routers.
The discovery process imports the device configuration into Security Manager as
policies and policy objects that you can then manage as required. For more
information, see Discovering Router Policies, page 14-4.

Note

Security Manager supports Cisco IOS Software Releases 12.3 and higher.
However, a limited number of policies are supported for routers running Cisco
IOS Software Release 12.1 or 12.2. See Configuring Routers Running IOS
Software Releases 12.1 and 12.2, page 14-3.
By right-clicking a policy type in one of the policy selectors, you can assign a
policy to a single router, share the policy among multiple routers, or unassign the
policy from the device. For more information about the options available from this
shortcut menu, see Policy Selector Shortcut Menu Options, page C-63.
The following topics describe how to configure platform policies and interface
policies on Cisco IOS routers:

Network address translation:


NAT on Cisco IOS Routers, page 14-5


Interface policies:
Basic Interface Settings on Cisco IOS Routers, page 14-21
Advanced Interface Settings on Cisco IOS Routers, page 14-29
Dialer Interfaces on Cisco IOS Routers, page 14-34
ADSL on Cisco IOS Routers, page 14-39
SHDSL on Cisco IOS Routers, page 14-44
PVCs on Cisco IOS Routers, page 14-47
PPP on Cisco IOS Routers, page 14-61

Device administration policies:


AAA on Cisco IOS Routers, page 14-68
User Accounts and Device Credentials on Cisco IOS Routers, page 14-75
Bridging on Cisco IOS Routers, page 14-77
Time Zone Settings on Cisco IOS Routers, page 14-81
CPU Utilization Settings on Cisco IOS Routers, page 14-83
HTTP and HTTPS on Cisco IOS Routers, page 14-85
Line Access on Cisco IOS Routers, page 14-89
Optional SSH Settings on Cisco IOS Routers, page 14-100
SNMP on Cisco IOS Routers, page 14-103
DNS on Cisco IOS Routers, page 14-107
Hostnames and Domain Names on Cisco IOS Routers, page 14-109
Memory Settings on Cisco IOS Routers, page 14-111
Secure Device Provisioning on Cisco IOS Routers, page 14-112
DHCP on Cisco IOS Routers, page 14-119
NTP on Cisco IOS Routers, page 14-126

Identity policies:
802.1x on Cisco IOS Routers, page 14-129
Network Admission Control on Cisco IOS Routers, page 14-136

Logging policies:
Logging on Cisco IOS Routers, page 14-146


Quality of Service:
Quality of Service on Cisco IOS Routers, page 14-153

Routing policies:
BGP Routing on Cisco IOS Routers, page 14-181
EIGRP Routing on Cisco IOS Routers, page 14-187
OSPF Routing on Cisco IOS Routers, page 14-195
RIP Routing on Cisco IOS Routers, page 14-212
Static Routing on Cisco IOS Routers, page 14-217

Note

The settings on the Policy Management page of the Security Manager
Administration window determine which router platform policies can be managed
with Security Manager. Any policy type that you do not select in this window does
not appear on the configuration pages of Security Manager. See Defining Policy
Management Settings, page 2-89.

Configuring Routers Running IOS Software Releases 12.1 and 12.2

Security Manager provides limited support for routers running Cisco IOS
Software Releases 12.1 and 12.2. You can configure the following policies on
these routers:

Access Rules (Layer 3 only). See Working with Access Rules, page 12-59.

Access Rule Settings. See Working with Access Rules, page 12-59.

Interfaces. See Basic Interface Settings on Cisco IOS Routers, page 14-21.

FlexConfigs. See Managing FlexConfigs, page 19-1.

All other policies require Cisco IOS Software Release 12.3 or higher. For more
information, see Supported Devices and Software Versions for Cisco Security
Manager 3.1 at:
http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_l
ist.html.


Related Topics

Adding Devices to the Security Manager Inventory, page 5-30

Managing Routers, page 14-1

Discovering Router Policies


You can discover the configurations of your Cisco IOS routers and import these
configurations as policies into Security Manager. This makes it possible to add
existing devices and manage them with Security Manager without having to
manually configure each device policy by policy. For more information, see
Adding Devices to the Security Manager Inventory, page 5-30.
You can discover all Cisco IOS commands that can be configured with Security
Manager. Discovery ignores unsupported commands, which means that they are
left intact on the device even after subsequent deployments. Additionally, in cases
where Security Manager can discover the command, but not all the subcommands
and keywords related to that command, the unsupported elements are ignored and
left intact on the device.
You can also rediscover the configurations of devices that you are already
managing with Security Manager at any time. Be aware, however, that performing
rediscovery overwrites the policies that you have defined in Security Manager,
and is therefore not generally recommended. For more information, see
Discovering Policies on Devices Already in Security Manager, page 6-10.

Note

We recommend that you perform deployment immediately after you discover
the policies on a Cisco IOS router, before you make any changes to policies
or unassign policies from the device. Otherwise, the changes that you
configure in Security Manager might not be deployed to the device.

If a policy that is not configured in Security Manager was configured on the
device using an out-of-band method (such as the CLI) between the time of the
first discovery and rediscovery, we recommend that you perform deployment
immediately after rediscovery.


Related Topics

Understanding Policies, page 6-1

Discovering Policies, page 6-7

Managing Routers, page 14-1

Working with Deployment, page 18-35

NAT on Cisco IOS Routers


Network Address Translation (NAT) is a form of address translation that extends
addressing capabilities by providing both static address translations and dynamic
address translations. NAT enables a host that does not have a valid registered IP
address to communicate with other hosts through the Internet, as shown in
Figure 14-1.
The hosts might be using private addresses or addresses assigned to another
organization; in either case, NAT allows these addresses that are not
Internet-ready to continue to be used while allowing communication with hosts
across the Internet.
Figure 14-1 NAT Addressing Flow

[Figure: an Inside Host on "My Network" sends traffic with its original address; the NAT router replaces it with a translated address before it reaches the Outside Host.]

Sites inside a VPN can use NAT through a split tunnel to exchange
nonconfidential traffic with outside devices without wasting VPN bandwidth on
nonessential traffic.
The following topics describe the tasks you perform to create NAT policies on
Cisco IOS routers:

Designating Inside and Outside Interfaces, page 14-6

Defining Static NAT Rules, page 14-8


Defining Dynamic NAT Rules, page 14-16

Specifying NAT Timeouts, page 14-20

Related Topics

Managing Routers, page 14-1

Designating Inside and Outside Interfaces


Before you create any NAT rules, you should designate the inside and outside
interfaces on the router to use in NAT translations. Inside interfaces typically
connect to a LAN that the router serves. Outside interfaces typically connect to
your organization's WAN or to the Internet. You must designate at least one inside
interface and one outside interface for the router to perform NAT.
NAT uses the Inside and Outside designations when interpreting translation rules,
translating the original, inside addresses to outside ones. After these interfaces are
designated, they are used in all static and dynamic NAT translation rules.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT from the Policy selector, then click the Interface
Specification tab in the work area.

(Policy view) Select NAT (Router) > Translation Rules from the Policy
Type selector. Right-click Translation Rules to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Interface
Specification tab.

The NAT Interface Specification tab is displayed. See Table K-1 on page K-4 for
a description of the fields on this tab.
Step 2

Define the inside interfaces of the router:


a.

Click Edit under NAT Inside Interfaces to display the Edit Interfaces dialog
box. Use this dialog box to define which interfaces are connected to the LAN
served by the router.

b.

Enter the names of one or more interfaces or interface roles, or click Select
to display a selector (see Object Selectors, page F-558). For more
information, see Specifying Interfaces During Policy Definition, page 8-118.


c.

Click OK to save your changes and return to the NAT Interface Specification
tab.

Step 3

Define the outside interfaces of the router:

a.

Click Edit under NAT Outside Interfaces to display the Edit Interfaces dialog
box. Use this dialog box to define which interfaces are connected to the WAN
or the Internet.

b.

Enter the names of one or more interfaces or interface roles, or click Select
to display a selector. For more information, see Specifying Interfaces During
Policy Definition, page 8-118.

c.

Click OK to save your changes and return to the NAT Interface Specification
tab.

Tip

If the required interface role for either the inside or outside interface is
not listed, click the Create button or the Edit button in the selector to
open the Interface Role Dialog Box, page F-419. From here you can
define an interface role to include in the policy.

Step 4

Click Save to save your definitions to the Security Manager server. The interface
definitions are used for all static and dynamic NAT translation rules.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining Static NAT Rules, page 14-8

Defining Dynamic NAT Rules, page 14-16

Specifying NAT Timeouts, page 14-20

NAT on Cisco IOS Routers, page 14-5


Defining Static NAT Rules


You define a static NAT rule by defining the inside local address that must be
translated and the inside global address to which it is translated. You can define
static NAT rules that translate the addresses of single hosts as well as static rules
that translate multiple addresses in a subnet. When multiple inside local addresses
must use the same inside global address, you must define the necessary port
redirection information, which specifies a different port for each local address
using the global address.

Note

We strongly recommend that you not perform NAT on traffic that is meant to be
transmitted over a VPN. Translating addresses on this traffic causes it to be sent
out unencrypted instead of encrypted over the VPN.
The procedure for creating a static rule depends on whether the address being
translated represents a port, a single host, or an entire subnet, as described in the
following sections:

Defining a Static NAT Rule for a Host, page 14-8

Defining a Static NAT Rule for a Subnet, page 14-11

Defining a Static NAT Rule for a Port, page 14-13

Related Topics

Defining Dynamic NAT Rules, page 14-16

NAT on Cisco IOS Routers, page 14-5

Defining a Static NAT Rule for a Host


You define a static NAT rule for a single host by entering the original address to
translate and the global address to which it should be translated. The global
address may be taken from an interface on the device.
Before You Begin

Define the inside and outside interfaces used for NAT. See Designating Inside
and Outside Interfaces, page 14-6.


Procedure
Step 1

Do one of the following:

(Device view) Select NAT from the Policy selector, then click the Static
Rules tab in the work area.

(Policy view) Select NAT (Router) > Translation Rules from the Policy
Type selector. Right-click Translation Rules to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Static Rules
tab.

The NAT Static Rules tab is displayed. See Table K-4 on page K-7 for a
description of the fields on this tab.
Step 2

On the NAT Static Rules tab, select a static NAT rule from the table, then click the
Edit button, or click the Add button to create a rule.
The NAT Static Rule dialog box is displayed. See Table K-5 on page K-8 for a
description of the fields in this dialog box.

Step 3

Select Static Host from the Static Rule Type list.

Step 4

Under Original Address, enter the host address to translate in the Original
IP/Network field, or click Select to display a selector (see Object Selectors,
page F-558). For more information, see Specifying IP Addresses During Policy
Definition, page 8-135.

Tip

If the host you want is not listed in the selector, click the Create button
or the Edit button to display the Network/Host Dialog Box, page F-433.
From here you can create a network/host object to use in the policy.

Note

We recommend not entering a local address belonging to this router, as it
could cause Security Manager management traffic to be translated.
Translating this traffic causes a loss of communication between the router
and Security Manager.

Step 5

Under Translated Address, select the type of address translation to perform:

To base translation on a specific address, select Specify IP, then enter the
global address in the field provided, or click Select to display a selector (see
Object Selectors, page F-558).

To base translation on an interface with a globally registered IP address,
select Use Interface IP, then enter the name of an interface or interface role,
or click Select to display a selector. Only one static rule may be defined per
interface.

Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to display the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 6

(Optional when Translated IP is selected) Under Advanced, select one or more of
the following options:

Select the No alias check box to prevent an alias from being created for the
global address. See Disabling the Alias Option for Attached Subnets,
page 14-15.

Select the No payload check box to prevent an embedded address or port in
the payload from being translated. See Disabling the Payload Option for
Overlapping Networks, page 14-16.

Deselect the Create Extended Translation Entry check box to limit each
local address to a single global address.

Step 7

Click OK to save your definitions locally on the client and close the dialog box.
The static NAT rule appears in the table in the NAT Static Rules tab.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining a Static NAT Rule for a Subnet, page 14-11

Defining a Static NAT Rule for a Port, page 14-13

Defining Static NAT Rules, page 14-8


Defining a Static NAT Rule for a Subnet


You define a static NAT rule for a subnet by entering one of the addresses in the
subnet (including the subnet mask) as the original address and one of the global
addresses that you want to use as the translated address. The router configures the
remaining addresses based on the subnet mask you provide.
Before You Begin

Define the inside and outside interfaces used for NAT. See Designating Inside
and Outside Interfaces, page 14-6.

Procedure
Step 1

Do one of the following:

(Device view) Select NAT from the Policy selector, then click the Static
Rules tab in the work area.

(Policy view) Select NAT (Router) > Translation Rules from the Policy
Type selector. Right-click Translation Rules to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Static Rules
tab.

The NAT Static Rules tab is displayed. See Table K-4 on page K-7 for a
description of the fields on this tab.
Step 2

On the NAT Static Rules tab, select a static NAT rule from the table, then click the
Edit button, or click the Add button to create a rule.
The NAT Static Rule dialog box is displayed. See Table K-5 on page K-8 for a
description of the fields in this dialog box.

Step 3

Select Static Network from the Static Rule Type list.

Step 4

Under Original Address, enter the network address to be translated in the Original
IP/Network field, or click Select to display a selector (see Object Selectors,
page F-558). For more information, see Specifying IP Addresses During Policy
Definition, page 8-135.


Tip

If the network you want is not listed in the selector, click the Create
button or the Edit button to display the Network/Host Dialog Box,
page F-433. From here you can create a network/host object to use in the
policy.

Note

We recommend not entering a local address belonging to this router, as it


could cause Security Manager management traffic to be translated.
Translating this traffic causes a loss of communication between the router
and Security Manager.

Step 5

Under Translated Address, select Specify IP, then enter the IP address that you
want to use in the translation in the Translated IP/Network field, or click Select
to display a selector (see Object Selectors, page F-558).

Step 6

(Optional) Under Advanced, select one or more of the following options:

Select the No alias check box to prevent an alias from being created for the
global address. See Disabling the Alias Option for Attached Subnets,
page 14-15.

Select the No payload check box to prevent an embedded address or port in
the payload from being translated. See Disabling the Payload Option for
Overlapping Networks, page 14-16.

Deselect the Create Extended Translation Entry check box to limit each
local address to a single global address.

Step 7

Click OK to save your definitions locally on the client and close the dialog box.
The static NAT rule appears in the table in the NAT Static Rules tab.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.


Related Topics

Defining a Static NAT Rule for a Host, page 14-8

Defining a Static NAT Rule for a Port, page 14-13

Defining Static NAT Rules, page 14-8

Defining a Static NAT Rule for a Port


You define a static NAT rule for a port by entering the original IP address and the
global address to which it should be translated. The global address may be taken
from an interface on the device. In addition, you must select the protocol used by
the port as well as the local and global port numbers.
Before You Begin

Define the inside and outside interfaces used for NAT. See Designating Inside
and Outside Interfaces, page 14-6.

Procedure
Step 1

Do one of the following:

(Device view) Select NAT from the Policy selector, then click the Static
Rules tab in the work area.

(Policy view) Select NAT (Router) > Translation Rules from the Policy
Type selector. Right-click Translation Rules to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Static Rules
tab.

The NAT Static Rules tab is displayed. See Table K-4 on page K-7 for a
description of the fields on this tab.
Step 2

On the NAT Static Rules tab, select a static NAT rule from the table, then click
Edit, or click Add to create a rule. The NAT Static Rule dialog box is displayed.
See Table K-5 on page K-8 for a description of the fields in this dialog box.

Step 3

Select Static Port from the Static Rule Type list.

Step 4

Under Original Address, enter the address to translate in the Original IP/Network
field, or click Select to display a selector (see Object Selectors, page F-558). For
more information, see Specifying IP Addresses During Policy Definition,
page 8-135.


Tip

If the object you want is not listed in the selector, click the Create button
or the Edit button to display the Network/Host Dialog Box, page F-433.
From here you can create a network/host object to use in the policy.

Note

We recommend not entering a local address belonging to this router, as it
could cause Security Manager management traffic to be translated.
Translating this traffic will cause a loss of communication between the
router and Security Manager.

Step 5

Under Translated Address, select the type of address translation to perform:

To base translation on a specific address, select Specify IP, then enter the
global address in the Translated IP/Network field, or click Select to display a
selector (see Object Selectors, page F-558).

To base translation on an interface with a globally registered IP address,
select Interface, then enter the name of an interface or interface role, or click
Select to display a selector (see Object Selectors, page F-558).

Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to display the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 6

Under Port Redirection, include port information for the inside device in the
translation:

a.

Select a protocol (TCP or UDP).

b.

Enter the port number on the inside device and the port number to use for the
translation. This enables you to use the same public IP address for multiple
devices as long as the port specified for each device is different.

Step 7

(Optional when Translated IP is selected) Under Advanced, select one or more of
the following options:

Select the No alias check box to prevent an alias from being created for the
global address. See Disabling the Alias Option for Attached Subnets,
page 14-15.

Select the No payload check box to prevent an embedded address or port in
the payload from being translated. See Disabling the Payload Option for
Overlapping Networks, page 14-16.

Deselect the Create Extended Translation Entry check box to limit each
local address to a single global address.

Step 8

Click OK to save your definitions locally on the client and close the dialog box.
The static NAT rule appears in the table in the NAT Static Rules tab.

Step 9

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining a Static NAT Rule for a Host, page 14-8

Defining a Static NAT Rule for a Subnet, page 14-11

Defining Static NAT Rules, page 14-8

Disabling the Alias Option for Attached Subnets


If the NAT pool used as an inside global pool consists of addresses on an attached
subnet, an alias is generated for that address so that the router can answer Address
Resolution Protocol (ARP) requests for those addresses.
To disable automatic aliasing, select the No alias check box when you create a
static NAT rule based on a global IP translation.
Related Topics

Disabling the Payload Option for Overlapping Networks, page 14-16

Defining Static NAT Rules, page 14-8


Disabling the Payload Option for Overlapping Networks


Overlapping networks result when you assign an IP address to a device on your
network that is already legally owned and assigned to a different device on the
Internet or outside network. Overlapping networks can also result after the merger
of two companies using RFC 1918 IP addresses in their networks. These two
networks need to communicate, preferably without your having to re-address all
their devices.
This communication is achieved as follows. The outside device cannot use the IP
address of the inside device because it is the same as the address assigned to itself
(the outside device). Instead, the outside device sends a Domain Name System
(DNS) query for the inside device's domain name. The source of this query is the
IP address of the outside device, which is translated to an address from a
designated address pool. The DNS server located on the inside network replies
with the IP address associated with the inside device's domain name in the data
portion of the packet. The destination address of the reply packet is translated
back to the outside device's address, and the address in the data portion of the
reply packet is translated to an address from a different address pool. In this way,
the outside device learns that the IP address for the inside device is one of the
addresses from that second address pool, and it uses this address when it
communicates with the inside device. The router running NAT takes care of the
translations at this point.
To disable the translation of the address inside the payload, select the No payload
check box when you create a static NAT rule based on a global IP translation.
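To make the exchange above concrete, here is an added Python model (not part of this guide, of Security Manager or of IOS) of the two translations the router performs: the outside device's source address is mapped into one pool, and the address the inside DNS server returns in the reply payload is mapped into a second pool; the No payload option turns the second step off, and the model shows why the outside device then cannot reach the inside host. The overlapping prefix, host addresses and pool ranges are constructed for illustration.

```python
import ipaddress

# Constructed example: both sides use the same overlapping prefix, 10.1.1.0/24,
# so the inside device and the outside device carry the very same address.
INSIDE_HOST = "10.1.1.5"        # inside device, DNS name "app.inside.example"
OUTSIDE_HOST = "10.1.1.5"       # outside device that legitimately owns the same address
INSIDE_DNS = "10.1.1.53"        # DNS server on the inside network
OUTSIDE_POOL = ipaddress.ip_network("192.0.2.0/28")    # outside sources are mapped here
INSIDE_POOL = ipaddress.ip_network("198.51.100.0/28")  # inside answers are mapped here


class OverlapNatRouter:
    """Minimal model of the NAT router handling an overlapping network via DNS."""

    def __init__(self, translate_payload=True):
        self.translate_payload = translate_payload  # False models the "No payload" option
        self._outside_free = [str(a) for a in OUTSIDE_POOL.hosts()]
        self._inside_free = [str(a) for a in INSIDE_POOL.hosts()]
        self.outside_map = {}  # real outside IP -> address the inside network sees
        self.inside_map = {}   # real inside IP -> address the outside network sees

    @staticmethod
    def _map(table, free, real_ip):
        if real_ip not in table:
            table[real_ip] = free.pop(0)
        return table[real_ip]

    @staticmethod
    def _unmap(table, mapped_ip):
        return next((real for real, mapped in table.items() if mapped == mapped_ip), None)

    def dns_query_outside_to_inside(self, query):
        """Outside -> inside: the query's source is translated into the outside pool."""
        src = self._map(self.outside_map, self._outside_free, query["src"])
        return {**query, "src": src}

    def dns_reply_inside_to_outside(self, reply):
        """Inside -> outside: the destination is translated back to the outside device,
        and (unless No payload is set) the answer carried in the DNS payload is
        translated into the inside pool."""
        real_dst = self._unmap(self.outside_map, reply["dst"])
        answer = reply["answer"]
        if self.translate_payload:
            answer = self._map(self.inside_map, self._inside_free, answer)
        return {**reply, "dst": real_dst, "answer": answer}

    def data_outside_to_inside(self, pkt):
        """Outside -> inside data packet; deliverable only if its destination is an
        inside-pool address the router handed out earlier."""
        real_dst = self._unmap(self.inside_map, pkt["dst"])
        if real_dst is None:
            return None  # the packet targets the outside device's own overlapping subnet
        src = self._map(self.outside_map, self._outside_free, pkt["src"])
        return {**pkt, "src": src, "dst": real_dst}


def run_exchange(translate_payload=True):
    """Replay the query, reply and first data packet; report what the outside device learned."""
    router = OverlapNatRouter(translate_payload)
    query = router.dns_query_outside_to_inside(
        {"src": OUTSIDE_HOST, "dst": INSIDE_DNS, "qname": "app.inside.example"})
    # The inside DNS server answers with the real inside address in the payload.
    reply = router.dns_reply_inside_to_outside(
        {"src": INSIDE_DNS, "dst": query["src"], "answer": INSIDE_HOST})
    learned = reply["answer"]
    data = router.data_outside_to_inside({"src": OUTSIDE_HOST, "dst": learned})
    return {"learned_address": learned,
            "reaches_inside": data is not None,
            "delivered_to": data["dst"] if data else None}
```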
Related Topics

Disabling the Alias Option for Attached Subnets, page 14-15

Defining Static NAT Rules, page 14-8

Defining Dynamic NAT Rules


You define a dynamic NAT rule by selecting the access list (ACL) whose rules
specify the traffic requiring translation.
In addition, you must either select an interface with an IP address to which the
addresses should be translated or define an address pool. You define the pool by
specifying a range of addresses and giving the range a unique name. The
configured router uses the available addresses in the pool (those not used for static
translations or for its own WAN IP address) for connections to the Internet or
other outside network. When an address is no longer in use, it is returned to the
address pool to be dynamically assigned later to another device. Access lists
(ACLs) define the traffic requiring translation.
If the addressing requirements of your network exceed the available addresses in
your dynamic NAT pool, you can use the Port Address Translation (PAT) feature
(also called Overload) to associate many private NAT addresses with a small
group of public IP addresses through port addressing. With PAT enabled, the router
chooses a unique port number for the PAT IP address of each outbound translation
slot. This feature is useful if you cannot allocate enough unique IP addresses for
your outbound connections. The global pool addresses always come before a PAT
address is used.

Note

By default, Security Manager does not perform NAT on traffic that is meant to be
transmitted over a VPN. Otherwise, any traffic appearing in both the NAT ACL
and the crypto ACL defined on an interface would be sent out unencrypted
because NAT is always performed before encryption. However, you can change
this default setting.
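A check for the condition this note describes, added here as an example and not part of Security Manager: given the source and destination networks matched by the NAT ACL and by the crypto ACL on the same interface, it reports the flows that appear in both, since those are translated before encryption and no longer match the crypto ACL. It also honours a leading deny entry in the NAT ACL, which is how VPN traffic is normally excluded from translation. The ACL entries are constructed and only the permit/deny ip network network form is modelled.

```python
import ipaddress


def _net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def parse_ace(line):
    """Parse a constructed 'permit|deny ip <src> <dst>' entry into (action, src, dst).
    Networks are CIDR strings or the keyword 'any'."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    return parts[0], _net(parts[2]), _net(parts[3])


def nat_crypto_overlaps(nat_acl, crypto_acl):
    """Return (nat_ace, crypto_ace) pairs whose source and destination ranges intersect.
    NAT runs before encryption: traffic matching such a pair is translated first, no
    longer matches the crypto ACL, and leaves the interface unencrypted. A crypto
    flow that an earlier NAT deny entry fully covers is exempt and not reported."""
    findings = []
    denied = []  # (src, dst) pairs excluded from translation by earlier deny entries
    for nat_line in nat_acl:
        action, nat_src, nat_dst = parse_ace(nat_line)
        if action == "deny":
            denied.append((nat_src, nat_dst))
            continue
        for crypto_line in crypto_acl:
            c_action, c_src, c_dst = parse_ace(crypto_line)
            if c_action != "permit":
                continue
            if not (nat_src.overlaps(c_src) and nat_dst.overlaps(c_dst)):
                continue
            exempt = any(c_src.subnet_of(d_src) and c_dst.subnet_of(d_dst)
                         for d_src, d_dst in denied)
            if not exempt:
                findings.append((nat_line, crypto_line))
    return findings


# Constructed sample: the NAT ACL translates everything leaving the branch LAN,
# while the crypto ACL protects branch-to-headquarters traffic.
NAT_ACL = ["permit ip 10.10.0.0/16 any"]
CRYPTO_ACL = ["permit ip 10.10.0.0/16 10.20.0.0/16"]

# The same NAT ACL with the VPN traffic excluded first (the safe form).
NAT_ACL_EXEMPT = ["deny ip 10.10.0.0/16 10.20.0.0/16",
                  "permit ip 10.10.0.0/16 any"]
```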

Tip

You can perform PAT on split-tunneled traffic on the spokes of your VPN
topology directly from the Global VPN Settings page. There is no need to create
a dynamic NAT rule for each spoke using the NAT policy, as described in this
procedure. Any NAT rules that you define on an individual device override the
VPN setting. For more information, see NAT Settings Tab, page G-54.
Procedure

Step 1

Do one of the following:

(Device view) Select NAT from the Policy selector, then click the Dynamic
Rules tab in the work area.

(Policy view) Select NAT (Router) > Translation Rules from the Policy
Type selector. Right-click Translation Rules to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Dynamic
Rules tab.


The NAT Dynamic Rules tab is displayed. See Table K-6 on page K-13 for a
description of the fields on this tab.
Step 2

On the NAT Dynamic Rules tab, select a dynamic NAT rule from the table, then
click Edit, or click Add to create a rule. The NAT Dynamic Rule dialog box
appears. See Table K-7 on page K-15 for a description of the fields in this dialog
box.

Step 3

Under Traffic Flow, enter the name of the ACL object whose rules specify the
addresses requiring translation in the Access List field, or click Select to display
a selector (see Object Selectors, page F-558).

Tip

If the required ACL is not listed in the selector, click the Create button or
the Edit button in the selector to open the Add and Edit Extended Access
List Pages, page F-36. From here, you can define an ACL object to use in
the policy.

Note

Make sure that the ACL you select does not permit the translation of
Security Manager management traffic over any device address on this
router. Translating this traffic will cause a loss of communication between
the router and Security Manager.

Step 4

Under Translated Address, select an address translation option:

• To base address translation on an interface with a globally registered IP
address, select Interface, then enter an interface or interface role, or click
Select to display a selector (see Object Selectors, page F-558). The interface
or interface role must represent an outside interface on the router for you to
configure the dynamic NAT rule (see Designating Inside and Outside
Interfaces, page 14-6).

Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to display the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

• To base address translation on the addresses found in a predefined pool, select
Address Pool, then enter one or more address ranges, including the prefix,
using the format min1-max1/prefix (in CIDR notation). You can add as many
address ranges to the address pool as required, but all ranges must share the
same prefix. Separate multiple entries with commas.

Step 5

(Optional) Select the Enable Port Translation (Overload) check box to enable
the use of PAT if the supply of global addresses in the address pool runs out.

Note

This option is selected by default when you select Interface as the source
of the translated address.

Step 6

(Optional) Deselect the Do Not Translate VPN Traffic check box to perform
address translation on traffic meant for a site-to-site VPN.

Note

We strongly recommend that you not deselect this check box, because it
causes any traffic appearing in both the NAT ACL and the crypto ACL to
be sent unencrypted. When you perform NAT into IPsec, we also
recommend that you leave this check box selected; it does not interfere
with the translation of addresses arriving from overlapping networks.

Step 7

Click OK to save your definitions locally on the client and close the dialog box.
The dynamic NAT rule appears in the table on the NAT Dynamic Rules tab.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Designating Inside and Outside Interfaces, page 14-6

Defining Static NAT Rules, page 14-8

Specifying NAT Timeouts, page 14-20

NAT on Cisco IOS Routers, page 14-5


Specifying NAT Timeouts


Dynamic NAT translations have a timeout period for non-use, after which they
expire and are purged from the translation table. If you enable the Overload
feature for performing PAT, you can specify a variety of values that provide finer
control over these timeouts, because each translation entry contains additional
context about the traffic using it. For more information about Overload, see
Defining Dynamic NAT Rules, page 14-16.
For example, non-DNS translations time out by default after 5 minutes, but DNS
translations time out after 1 minute. TCP translations time out after 24 hours,
unless an RST or FIN is seen on the stream, in which case they time out after
1 minute. You can change any of the default timeout values.
If you disable the Overload feature, you need not enter any timeout values.
However, you can modify the default timeout value for dynamic translations that
are not PAT translations. (By default, all dynamic translations expire after 24
hours.)
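An added Python model, not part of Security Manager or IOS, of the dynamic NAT behaviour described in Defining Dynamic NAT Rules together with the timeout defaults quoted above: it parses an address pool written in the min1-max1/prefix, comma-separated format (rejecting ranges with differing prefixes), hands out pool addresses before falling back to PAT with unique ports, assigns the default idle timeouts quoted above, and returns a pool address once its host's entries have expired. The single PAT address, the sample flows and the clock values are constructed assumptions, and the table is simplified to one entry per flow.

```python
import ipaddress
import re

_RANGE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/(\d{1,2})\s*$")


def parse_pool(spec):
    """Parse 'min1-max1/prefix, min2-max2/prefix' (the Address Pool field format)
    into an ordered list of addresses; every range must share the same prefix."""
    addrs, prefixes = [], set()
    for item in spec.split(","):
        m = _RANGE.match(item)
        if not m:
            raise ValueError(f"bad range: {item.strip()!r}")
        lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if hi < lo:
            raise ValueError(f"max below min: {item.strip()!r}")
        prefixes.add(int(m.group(3)))
        addrs.extend(str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1))
    if len(prefixes) != 1:
        raise ValueError(f"ranges must share one prefix, got {sorted(prefixes)}")
    return addrs


def pool_is_valid(spec):
    try:
        parse_pool(spec)
        return True
    except ValueError:
        return False


# Default idle timeouts quoted in the guide, in seconds.
TIMEOUT_DYNAMIC = 24 * 3600   # dynamic translations when Overload is off
TIMEOUT_NON_DNS = 5 * 60      # Overload: non-DNS (UDP and others)
TIMEOUT_DNS = 60              # Overload: DNS
TIMEOUT_TCP = 24 * 3600       # Overload: TCP
TIMEOUT_TCP_CLOSED = 60       # Overload: TCP after a FIN or RST is seen


def default_timeout(overload, proto, dst_port, fin_rst_seen=False):
    if not overload:
        return TIMEOUT_DYNAMIC
    if proto == "tcp":
        return TIMEOUT_TCP_CLOSED if fin_rst_seen else TIMEOUT_TCP
    return TIMEOUT_DNS if dst_port == 53 else TIMEOUT_NON_DNS


class DynamicNat:
    """Simplified translation table for one dynamic rule: each inside host takes a
    free pool address first; once the pool is empty and Overload is on, flows are
    multiplexed onto one PAT address (an assumption of this model) with unique ports."""

    def __init__(self, pool_spec, overload, pat_address="203.0.113.1"):
        self.free = parse_pool(pool_spec)
        self.overload = overload
        self.pat_address = pat_address
        self.next_port = 1024
        self.host_addr = {}   # inside_ip -> pool address held by that host
        self.table = {}       # (inside_ip, proto, src_port) -> translation entry

    def translate(self, inside_ip, proto, src_port, dst_port, now):
        key = (inside_ip, proto, src_port)
        entry = self.table.get(key)
        if entry is None:
            if inside_ip not in self.host_addr and self.free:
                self.host_addr[inside_ip] = self.free.pop(0)
            if inside_ip in self.host_addr:
                glob = (self.host_addr[inside_ip], src_port)
            elif self.overload:
                glob = (self.pat_address, self.next_port)
                self.next_port += 1
            else:
                return None   # pool exhausted and Overload disabled: no translation
            entry = {"global": glob, "timeout": default_timeout(self.overload, proto, dst_port)}
            self.table[key] = entry
        entry["last_used"] = now
        return entry["global"]

    def note_fin_rst(self, inside_ip, src_port, now):
        """A FIN or RST on a TCP stream shortens that entry's timeout to one minute."""
        entry = self.table[(inside_ip, "tcp", src_port)]
        entry["timeout"] = default_timeout(self.overload, "tcp", None, fin_rst_seen=True)
        entry["last_used"] = now

    def expire(self, now):
        """Purge idle entries; a pool address returns to the pool when its host has none left."""
        purged = [k for k, e in self.table.items() if now - e["last_used"] >= e["timeout"]]
        for key in purged:
            del self.table[key]
        for host in list(self.host_addr):
            if not any(k[0] == host for k in self.table):
                self.free.append(self.host_addr.pop(host))
        return purged


def demo():
    """Two-address pool with Overload: the third host falls back to PAT; the DNS entry
    and the closed TCP entry expire after one minute, freeing one pool address."""
    nat = DynamicNat("203.0.113.10-203.0.113.11/24", overload=True)
    a = nat.translate("10.0.0.1", "udp", 40000, 53, now=0)    # pool address, DNS
    b = nat.translate("10.0.0.2", "tcp", 40001, 443, now=0)   # pool address, TCP
    c = nat.translate("10.0.0.3", "tcp", 40002, 80, now=0)    # pool empty: PAT
    d = nat.translate("10.0.0.3", "udp", 40003, 123, now=0)   # PAT, next port
    nat.note_fin_rst("10.0.0.3", 40002, now=10)
    purged = nat.expire(now=120)
    return a, b, c, d, purged, list(nat.free)
```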
Procedure
Step 1

Do one of the following:

(Device view) Select NAT from the Policy selector, then click the Timeouts
tab in the work area.

(Policy view) Select NAT (Router) > Translation Rules from the Policy
Type selector. Right-click Translation Rules to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Timeouts tab.

The NAT Timeouts tab is displayed. See Table K-8 on page K-17 for a description
of the fields on this tab.
Step 2

(Optional) Enter the maximum number of entries allowed in the dynamic NAT
rules table in the Max Entries field. If you leave this field blank, there is no limit
to the number of table entries allowed.

Step 3

(Optional) Modify the number of seconds after which dynamic translations expire
in the Timeout field.

Step 4

(Optional) If you enabled PAT for dynamic translations, modify the default
timeout values as required. See Table K-8 on page K-17 for a description of the
available timeouts.


Step 5

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Designating Inside and Outside Interfaces, page 14-6

Defining Static NAT Rules, page 14-8

Defining Dynamic NAT Rules, page 14-16

NAT on Cisco IOS Routers, page 14-5

Basic Interface Settings on Cisco IOS Routers


You typically add interfaces to Security Manager by performing discovery, as
described in Discovering Policies, page 6-7. After you have discovered the
interfaces, you can modify the properties of each interface.
You can also use Security Manager to configure physical and virtual interfaces
manually. This is useful when you modify interface configurations of existing
devices, and makes it possible for you to configure all the interfaces of a device
before you physically add the device to the network.
Related Topics

Available Interface Types, page 14-22

Defining Basic Router Interface Settings, page 14-24

Deleting a Cisco IOS Router Interface, page 14-28

Managing Routers, page 14-1


Available Interface Types


Table 14-1 describes the types of interfaces that can be configured on Cisco IOS
routers.

Table 14-1  Router Interface Types

Null
    Null interface.

Analysis-module
    A Fast Ethernet interface that connects to the internal interface on the
    Network Analysis Module (NAM).
    Note: You cannot configure parameters such as speed and duplex mode for
    this type of interface.

Async
    Port line used as an asynchronous interface.

ATM
    ATM interface.

BRI
    ISDN BRI interface. This interface configuration propagates to each
    B channel. B channels cannot be configured individually.
    Note: You must configure a dialer interface policy for calls to be placed
    on a BRI interface. For more information, see Dialer Interfaces on Cisco
    IOS Routers, page 14-34.

BVI
    Bridge-group virtual interface. BVI interfaces are used to route traffic at
    Layer 3 to the interfaces in a bridge group.

Content-engine
    Content engine (CE) network module interface.
    Note: You cannot configure parameters such as speed and duplex mode for
    this type of interface. You cannot create subinterfaces for this type of
    interface.

Dialer
    Dialer interface.

Ethernet
    Ethernet IEEE 802.3 interface.

Fast Ethernet
    100-Mbps Ethernet interface.

FDDI
    Fiber Distributed Data Interface.

Gigabit Ethernet
    1000-Mbps Ethernet interface.

Group-Async
    Master asynchronous interface. This interface type creates a single
    asynchronous interface to which other interfaces are associated. This
    one-to-many configuration enables you to configure all associated member
    interfaces by configuring the master interface.

HSSI
    High-Speed Serial Interface.

Loopback
    A logical interface that emulates an interface that is always up. For
    example, having a loopback interface on the router prevents a loss of
    adjacency with neighboring OSPF routers if the physical interfaces on the
    router go down.
    The name of a loopback interface must end with a number ranging from
    0-2147483647.
    Note: This interface type is supported on all platforms. You can create an
    unlimited number of loopback interfaces.

Multilink
    Multilink interface. A logical interface used for multilink PPP (MLP).

Port channel
    Port channel interface. This interface type enables you to bundle multiple
    point-to-point Fast Ethernet links into one logical link. It provides
    bidirectional bandwidth of up to 800 Mbps.

POS
    Packet OC-3 interface on the Packet-over-SONET (POS) interface processor.

PRI
    ISDN PRI interface. Includes 23/30 B-channels and one D-channel.

Serial
    Serial interface.

Switch
    Switch interface.

Token Ring
    Token Ring interface.

Tunnel
    Tunnel interface.
    Note: You can create an unlimited number of virtual tunnel interfaces.
    Valid values range from 0-2147483647.

VG-AnyLAN
    100VG-AnyLAN port adapter.

VLAN
    Virtual LAN subinterface.

Virtual Template
    Virtual template interface. When a user dials in, a predefined
    configuration template is used to configure a virtual access interface;
    when the user is done, the virtual access interface goes down and the
    resources are freed for other dial-in uses.

Related Topics

Defining Basic Router Interface Settings, page 14-24

Deleting a Cisco IOS Router Interface, page 14-28

Basic Interface Settings on Cisco IOS Routers, page 14-21

Defining Basic Router Interface Settings


When you add an interface to the definition of a Cisco IOS router, you name the
interface, specify the method used for assigning the interface an IP address, and
optionally define other properties of the interface, such as the speed, maximum
transmission unit (MTU), and the encapsulation type.

Note

Basic interface settings are always local to the device on which they are
configured. You cannot share this policy with other devices. You can, however,
share advanced interface settings. For more information, see Advanced Interface
Settings on Cisco IOS Routers, page 14-29.
Procedure

Step 1

Click the Device View button on the toolbar.

Step 2

Select a router from the Device selector.

Step 3

Select Interfaces > Interfaces from the Policy selector. The Router Interfaces
page is displayed. See Table K-9 on page K-19 for an explanation of the fields on
this page.


Step 4

Select an interface from the table, then click the Edit button, or click the Create
button to open the Create Router Interface dialog box. See Table K-10 on
page K-21 for an explanation of the fields in this dialog box.

Step 5

Select the Enabled check box to have Security Manager actively manage this
interface. If you do not select this check box, the interface definition is retained,
but the interface itself is disabled (moved to shutdown state).

Step 6

Select Interface or Sub-interface from the Type list. If you are creating an
interface, continue with Step 7. If you are creating a subinterface, continue with
Step 8.

Step 7

Enter a name for the interface, or click Select to display the utility for generating
an automatic name for the interface. See Generating an Interface Name,
page 14-27. Continue with Step 10.

Note

If you modify the interface name, Security Manager informs you if the
new name affects the default interface roles that it assigns to the interface.
In such cases, you can either have Security Manager assign new interface
roles to match the new name or leave the current assignments intact.

Step 8

Define the subinterface:

a. Select the parent interface of this subinterface from the Parent list.

b. Enter the ID number of the subinterface.

Note

Security Manager always configures serial subinterfaces as point-to-point,
not multipoint.

Step 9

Specify whether the interface operates at Level 2 (data link) or Level 3 (network)
of the OSI reference model.

Step 10

Select the method for configuring an IP address for this interface, then define the
address and network mask as required.

Note

Layer 2 interfaces do not support IP addresses. If you define an IP address
on a Layer 2 interface, deployment fails.

Step 11

Define additional properties of the interface:

• Select the transmission mode from the Duplex list. If you select Auto, be sure
the network device to which this interface is connected is set to automatically
detect the transmission mode.

Note

You must configure a fixed speed in order to define the duplex value.
Tunnel and loopback interfaces do not support this setting.

• (Fast Ethernet and Gigabit Ethernet interfaces only) Select the transmission
speed from the Speed list. If you select Auto, be sure the network device to
which this interface is connected is set to automatically detect the
transmission speed.

• Enter the maximum transmission unit (MTU), which defines the largest
packet size, in bytes, that this interface can handle.

Step 12

Select an encapsulation method from the Encapsulation list:

• None: No encapsulation. Continue with Step 15.

• (Ethernet subinterfaces only) DOT1Q: VLAN encapsulation, as defined by
the IEEE 802.1Q standard. Continue with Step 13.

• (Serial interfaces only) Frame Relay: IETF Frame Relay encapsulation.
Continue with Step 14.

Note

IETF Frame Relay encapsulation provides interoperability between a
Cisco IOS router and equipment from other vendors. To configure Cisco
Frame Relay encapsulation, use CLI commands or FlexConfigs.

Step 13

Enter VLAN properties for this subinterface:

• Enter the VLAN ID to associate with this subinterface.

Note

All VLAN IDs must be unique among all subinterfaces configured on the
same physical interface.

• If you are defining the 802.1Q trunk interface, select the Native VLAN check
box.

Tip

To configure DOT1Q encapsulation on an Ethernet interface without
associating the VLAN with a subinterface, enter the vlan-id dot1q
command using CLI commands or FlexConfigs. See Understanding
FlexConfig Objects, page 8-52. Configuring VLANs on the main
interface increases the number of VLANs that can be configured on the
router.

Continue with Step 15.

Step 14

Enter the data link connection identifier (DLCI) to assign to the subinterface, then
continue with Step 15.

Note

Frame relay must be configured on the parent interface.

Step 15

(Optional) Enter a description of the interface (up to 1024 characters).

Step 16

Click OK to save your definitions locally on the client and close the dialog box.
The new interface is displayed on the Router Interfaces page. Subinterfaces are
displayed beneath the parent interface.

Related Topics

Deleting a Cisco IOS Router Interface, page 14-28

Generating an Interface Name


To streamline the process of manually defining a Cisco IOS router interface,
Security Manager includes a utility for generating a name for the interface. This
name is based on the interface type and details about the interface's location, such
as card, slot, and subinterface.
Procedure
Step 1

Open the Create Router Interface dialog box for defining physical and virtual
interfaces on Cisco IOS routers. See Basic Interface Settings on Cisco IOS
Routers, page 14-21.

Step 2

Select Interface from the Type list.

Step 3

In the Name field, click Select to open the Interface Auto Name Generator Dialog
Box, page K-27.

Step 4

Select the interface type from the Type list.

Step 5

Enter information regarding the location of the interface in one or more of the
following fields:

• Card

• Slot

• Port

As you enter information, the interface name is generated and displayed in the
Result field.

Note

When naming a BVI interface, use the bridge group number as the card
number. Deployment will fail if you configure a BVI interface without
configuring a corresponding bridge group.

Step 6

Click OK to save your definitions. The new interface name is displayed in the
Interface Name field in the Create Router Interface dialog box. You can modify
this name manually.

Related Topics

Defining Basic Router Interface Settings, page 14-24

Deleting a Cisco IOS Router Interface


Although you can delete the definition of a virtual interface at any time, use this
option with great care. If the interface is included in any policy definitions that
exist for this router, deleting the interface causes these policy definitions to fail
when they are deployed to the device.


Note

• Deleting the basic interface definition does not delete any advanced settings
that are configured under Interface > Settings > Advanced Settings. You
must delete these advanced settings separately. If you fail to do so,
deployment fails.

• Deleting the definition of a physical interface from the Router Interfaces page
does not remove the interface from the device. If you perform this operation
by mistake, you can perform rediscovery to restore the definition to Security
Manager. For more information, see Discovering Policies on Devices Already
in Security Manager, page 6-10.

Procedure
Step 1

Click the Device View button on the toolbar.

Step 2

Select a router from the Device selector.

Step 3

Select Interfaces > Interfaces from the Policy selector. The Router Interfaces
page is displayed. See Table K-9 on page K-19 for an explanation of the fields on
this page.

Step 4

Select an interface from the table, then click the Delete button. The interface is
deleted.

Related Topics

Defining Basic Router Interface Settings, page 14-24

Basic Interface Settings on Cisco IOS Routers, page 14-21

Advanced Interface Settings on Cisco IOS Routers


In addition to the basic interface definitions that you can define on the Interfaces
page, Security Manager provides a method for defining selected advanced settings
on interfaces that support those settings. Unlike the basic interface settings
defined on the Interface page, you can share an advanced settings policy with
multiple devices.


The following topic describes how to define advanced interface settings:

Defining Advanced Interface Settings, page 14-32

Related Topics

Understanding Helper Addresses, page 14-30

Basic Interface Settings on Cisco IOS Routers, page 14-21

Managing Routers, page 14-1

Understanding Helper Addresses


Network hosts occasionally use User Datagram Protocol (UDP) broadcasts to
determine address, configuration, and name information. This presents a problem
if the host is on a network segment that does not include the required server, as by
default, routers do not forward UDP broadcasts beyond their subnet. You can
remedy this situation by configuring the interface to forward certain classes of
broadcasts to a helper address.
One common use of helper addresses is when the router acts as a relay agent for
DHCP clients who need to contact a DHCP server located on a different subnet.
The helper address can either represent a specific DHCP server or a network
address for a segment containing multiple DHCP servers. You can also configure
a helper address for each DHCP server.
In Figure 14-2, hosts located on network 192.168.1.0 can use 10.44.23.7 as a
helper address to forward UDP broadcasts to the other network, while hosts
located on network 10.44.0.0 can use 192.168.1.19 as their helper address.


Figure 14-2  Helper Addresses

[Figure: two networks, 192.168.1.0 (server 192.168.1.19) and 10.44.0.0
(server 10.44.23.7), connected through router interfaces E1 and E2]

Table 14-2 lists the default UDP services that can be forwarded to helper
addresses.

Table 14-2  Default UDP Services Forwarded to Helper Addresses

Service                     Port
BOOTP/DHCP Client           68
BOOTP/DHCP Server           67
DNS                         53
NetBIOS datagram service    138
NetBIOS name service        137
TACACS                      49
TFTP                        69
Time                        37


Tip

To forward additional UDP services, use the CLI or FlexConfigs to configure the
ip forward-protocol command. Use the no form of this command to prevent the
forwarding of any of the default services listed in Table 14-2.

Note

All of the following conditions must be met in order for a UDP or IP packet to use
helper addresses:

• The MAC address of the received frame must be an all-ones broadcast address
(ffff.ffff.ffff).

• The IP destination address must be one of the following: all-ones broadcast
(255.255.255.255), subnet broadcast for the receiving interface, or major-net
broadcast for the receiving interface if the no ip classless command is also
configured.

• The IP time-to-live (TTL) value must be at least 2.

• The IP protocol must be UDP (17).
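The conditions in this Note and the default services in Table 14-2, written out as an added Python check (not Security Manager or IOS code) that decides whether a received broadcast would be relayed to an interface's helper addresses and, if not, which condition stopped it. The interface addresses and sample packets are constructed around the Figure 14-2 layout, and the major-net broadcast is derived from the classful A/B/C boundaries as an assumption of this model.

```python
import ipaddress

# Table 14-2: default UDP services forwarded to helper addresses (port -> service).
DEFAULT_HELPER_PORTS = {68: "BOOTP/DHCP Client", 67: "BOOTP/DHCP Server", 53: "DNS",
                        138: "NetBIOS datagram service", 137: "NetBIOS name service",
                        49: "TACACS", 69: "TFTP", 37: "Time"}
BROADCAST_MAC = "ffff.ffff.ffff"
UDP = 17


def classful_network(addr):
    """Major (classful) network containing addr, used for the major-net broadcast."""
    first_octet = int(str(addr).split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def helper_forward_decision(pkt, iface, no_ip_classless=False, forwarded_ports=None):
    """Return (forward, reason) for a received frame.
    pkt:   {"dst_mac", "dst_ip", "ttl", "proto", "dst_port"} as parsed by the caller.
    iface: {"address": "<ip>/<prefix>", "helpers": [helper addresses]}.
    forwarded_ports defaults to Table 14-2; an ip forward-protocol change would
    be expressed by passing a different mapping."""
    ports = DEFAULT_HELPER_PORTS if forwarded_ports is None else forwarded_ports
    if not iface.get("helpers"):
        return False, "no helper address configured on the interface"
    if pkt["dst_mac"].lower() != BROADCAST_MAC:
        return False, "frame is not an all-ones MAC broadcast"
    net = ipaddress.ip_interface(iface["address"]).network
    dst = ipaddress.ip_address(pkt["dst_ip"])
    allowed = {ipaddress.ip_address("255.255.255.255"), net.broadcast_address}
    if no_ip_classless:
        allowed.add(classful_network(net.network_address).broadcast_address)
    if dst not in allowed:
        return False, f"{dst} is not a broadcast address for this interface"
    if pkt["ttl"] < 2:
        return False, "TTL below 2"
    if pkt["proto"] != UDP:
        return False, "not UDP"
    if pkt["dst_port"] not in ports:
        return False, f"UDP port {pkt['dst_port']} is not a forwarded service"
    return True, f"{ports[pkt['dst_port']]} relayed to {', '.join(iface['helpers'])}"


# Constructed sample: the 192.168.1.0 segment of Figure 14-2 with 10.44.23.7 as helper.
IFACE_E1 = {"address": "192.168.1.1/24", "helpers": ["10.44.23.7"]}


def dhcp_discover(dst_ip="255.255.255.255", ttl=255, port=67, mac=BROADCAST_MAC, proto=UDP):
    """Constructed DHCP DISCOVER-style broadcast; keyword arguments vary one condition."""
    return {"dst_mac": mac, "dst_ip": dst_ip, "ttl": ttl, "proto": proto, "dst_port": port}
```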

Related Topics

Defining Advanced Interface Settings, page 14-32

Advanced Interface Settings on Cisco IOS Routers, page 14-29

Basic Interface Settings on Cisco IOS Routers, page 14-21

Defining Advanced Interface Settings


You can define a variety of advanced settings on a selected interface or
subinterface, including:

• Cisco Discovery Protocol (CDP) settings.

• Internet Control Message Protocol (ICMP) settings.

• Directed broadcast settings.

• Load interval for determining the average load.

• Helper addresses for forwarding UDP broadcasts.

• Enabling virtual fragmentation reassembly (VFR).

• Enabling proxy ARP.

• Enabling NBAR protocol discovery.

Tip

• You can define these settings for multiple interfaces on a device at once by
choosing an interface role instead of a specific interface. For example, if you
have defined an All-Ethernets interface role, you can define identical
advanced settings for every Ethernet interface on the device with a single
definition. See Understanding Interface Role Objects, page 8-115.

• After you have defined an advanced interface settings policy, you can share
the policy and assign it to other devices. This provides a convenient method
for configuring multiple devices with identical settings. See Working with
Shared Policies in Device View, page 6-27.

Before You Begin

Define basic interface settings. See Basic Interface Settings on Cisco IOS
Routers, page 14-21.

Procedure
Step 1

Do one of the following:

(Device view) Select Interfaces > Settings > Advanced Settings from the
Policy selector.

(Policy view) Select Router Interfaces > Settings > Advanced Settings
from the Policy Type selector. Right-click Advanced Settings to create a
policy, or select an existing policy from the Shared Policy selector.

The Advanced Interface Settings page is displayed. See Table K-12 on page K-29
for an explanation of the fields on this page.
Step 2

Select an interface from the table, then click the Edit button, or click the Create
button to open the Advanced Interface Settings Dialog Box, page K-30.

Step 3

In the Interface field, enter the name of the interface or interface role on which
you want to define advanced settings, or click Select to display a selector (see
Object Selectors, page F-558).


Step 4

Define one or more advanced settings, as required. For details about each setting,
see Table K-13 on page K-31.

Step 5

Click OK to save your definitions locally on the client and close the dialog box.
Your definitions are displayed in the Advanced Interface Settings table.

Note

To edit the advanced settings for an interface, select the interface from the
table, then click Edit. To remove the advanced settings defined for an
interface, select the interface, then click Delete.

Step 6

Repeat Steps 2 through 5 to define advanced settings for additional interfaces.
Only one definition per interface is permitted.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Understanding Helper Addresses, page 14-30

Advanced Interface Settings on Cisco IOS Routers, page 14-29

Basic Interface Settings on Cisco IOS Routers, page 14-21

Dialer Interfaces on Cisco IOS Routers


Before you can configure a dial backup policy for a site-to-site VPN (see
Configuring Dial Backup, page 9-39), you must configure a dialer interface policy
on the appropriate Cisco IOS router. The dialer interface policy uses dialer pools
to associate the dialer interface used by dial backup with a physical BRI interface
on the router. Each dialer interface is associated with a single dialer pool, which
can contain one or more physical interfaces. Multiple dialer interfaces can
reference the same dialer pool.
The following topics describe how to create dialer interface policies on Cisco
IOS routers:

• Defining Dialer Profiles, page 14-35

• Defining BRI Interface Properties, page 14-37


Related Topics

Managing Routers, page 14-1

Defining Dialer Profiles


When you configure a dialer profile, you must select the interface or interface role
representing the dialer interface and specify the number to be dialed. You must
also assign a pool ID, which you use to reference this dialer interface when
configuring the physical dialer interface. Additionally, you can modify the default
timeout settings for the line.

Note

IP is the only protocol supported for dialer profiles by Security Manager.

Authentication parameters for the dialer profile are defined in the PPP policy.
See Defining PPP Connections, page 14-63.

Before You Begin

• Define the virtual and physical dialer interfaces on the router. See Basic
Interface Settings on Cisco IOS Routers, page 14-21.

• In addition, you can optionally define interface roles for the virtual and
physical dialer interfaces. See Creating Interface Role Objects,
page 8-116.

Procedure
Step 1

Do one of the following:

• (Device view) Select Interfaces > Settings > Dialer from the Policy selector.

• (Policy view) Select Router Interfaces > Settings > Dialer from the Policy
Type selector. Right-click Dialer to create a policy, or select an existing
policy from the Shared Policy selector.

The Dialer page is displayed. See Table K-14 on page K-38 for a description of
the fields on this page.


Step 2

Select a dialer profile from the upper table on the Dialer Interfaces page, then
click Edit, or click Add to create a profile. The Dialer Profile dialog box appears.
See Table K-15 on page K-41 for a description of the fields in this dialog box.

Step 3

Enter the name of the interface or interface role that represents the virtual dialer
interface, or click Select to display a selector (see Object Selectors, page F-558).
For more information, see Specifying Interfaces During Policy Definition,
page 8-118.

Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 4

Enter a name for the dialer profile. Having a name makes it easier for you to assign
the correct dialer pool to the physical interface. See Defining BRI Interface
Properties, page 14-37.

Tip

We recommend that you define a name that is logically associated with
the site to which the dialer interface serves as a backup. For example, if
the dialer interface is serving as a backup connection to the London site,
define the name London for the dialer profile.

Step 5

Enter an ID number for the dialer pool to associate with this dialer interface. Each
dialer interface is associated with a single pool. Multiple interfaces may, however,
be associated with the same dialer pool.

Step 6

Enter the number of the dialer group to assign to the dialer interface.

Step 7

(Optional) In the Interesting Traffic ACL field, enter the name of the extended,
numbered ACL object that defines which packets are permitted to initiate calls
using this dialer profile, or click Select to display a selector (see Object Selectors,
page F-558). Use this option to limit the IP traffic that can make use of the dialer.

Note

If the required ACL is not listed in the selector, click the Create button or
the Edit button in the selector to open the Add and Edit Extended Access
List Pages, page F-36. From here, you can define an extended ACL object
to use in the policy.


Step 8

Enter the dialer string, which is the phone number of the remote side of the dialer
interface connection.

Step 9

(Optional) Modify the default timeout values (Idle Timeout and Fast Idle
Timeout), if required.

Step 10

Click OK to save your definitions locally on the client and close the dialog box.
The dialer profile appears in the Dialer Profile table on the Dialer page.

Step 11

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining BRI Interface Properties, page 14-37

Dialer Interfaces on Cisco IOS Routers, page 14-34

Defining BRI Interface Properties


You configure the properties of the physical BRI interfaces used for dialer
interface policies by selecting the appropriate interface or interface role, defining
the dialer pools to which the interface belongs, and defining the ISDN switch
type. It is the dialer pool that connects the physical interface with the virtual dialer
interface.

Note

To define other types of physical dialer interfaces, such as ATM and Ethernet, use
FlexConfigs. For more information, see Understanding FlexConfig Objects,
page 8-52.
Before You Begin

• Define the virtual and physical dialer interfaces on the router. See Basic
Interface Settings on Cisco IOS Routers, page 14-21.


• In addition, you can optionally define interface roles for the virtual and
physical dialer interfaces. See Creating Interface Role Objects,
page 8-116.

Procedure
Step 1

Do one of the following:

• (Device view) Select Interfaces > Settings > Dialer from the Policy selector.

• (Policy view) Select Router Interfaces > Settings > Dialer from the Policy
Type selector. Right-click Dialer to create a policy, or select an existing
policy from the Shared Policy selector.

The Dialer Interfaces page is displayed. See Table K-14 on page K-38 for a
description of the fields on this page.
Step 2

Select a physical BRI interface from the Dialer Physical Interfaces table, then
click Edit, or click Add to add an interface. The Dialer Physical Interface dialog
box appears. See Table K-16 on page K-43 for a description of the fields in this
dialog box.

Step 3

Enter the name of the interface or interface role that represents the physical dialer
interface, or click Select to display a selector (see Object Selectors, page F-558).
For more information, see Specifying Interfaces During Policy Definition,
page 8-118.

Tip

If the interface role you want is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 4

Enter the names of the dialer pools to associate with the physical interface, or
click Select to display a selector. Separate multiple entries with commas.

Step 5

Select the ISDN switch type used by the physical interface. Table K-16 on
page K-43 describes the available switch types.

Step 6

(Optional) If you selected the Basic-DMS-100, Basic-NI, or Basic-5ess switch type,
enter up to two service provider identifiers (SPIDs).


Note

We recommend that you do not enter SPIDs for the Basic-5ess switch
type, even though SPIDs are supported.

Step 7

Click OK to save your definitions locally on the client and close the dialog box.
The interface definition appears in the Dialer Physical Interfaces table on the
Dialer Interface page.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining Dialer Profiles, page 14-35

Dialer Interfaces on Cisco IOS Routers, page 14-34
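The relationships that the two procedures above set up (one dialer pool per dialer profile, one or more BRI members per pool, several profiles allowed to share a pool, a single definition per interface, SPIDs only for the switch types named in Step 6) can be checked before a policy is submitted. The following Python is an added example and is not part of this guide or of Security Manager: the class names, the sample interfaces, pool numbers and phone numbers are constructed, and the IOS commands emitted by render_ios() are my rendering of the standard dialer-profile configuration, not the output Security Manager deploys.

```python
"""Consistency check and CLI rendering for a dialer-interface policy.

Added example with constructed data; not Security Manager code.  The IOS
commands in render_ios() are the usual dialer-profile commands as I would
write them, not the tool's deployment output.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# IOS spellings of the switch types that take SPIDs (Step 6 of "Defining BRI
# Interface Properties" lists Basic-DMS-100, Basic-NI and Basic-5ess).
SPID_SWITCH_TYPES = {"basic-dms100", "basic-ni", "basic-5ess"}


@dataclass
class DialerProfile:
    interface: str                          # virtual dialer interface, e.g. "Dialer1"
    name: str                               # profile name, e.g. the backed-up site
    pool_id: int                            # the single dialer pool this interface uses
    dialer_group: int
    dialer_string: str                      # remote number (constructed placeholder)
    interesting_acl: Optional[str] = None   # extended numbered ACL object, optional
    idle_timeout: int = 120                 # assumed defaults for this example
    fast_idle: int = 20


@dataclass
class PhysicalInterface:
    interface: str                          # e.g. "BRI0/0"
    pools: list[int]                        # pools this BRI is a member of
    switch_type: str                        # e.g. "basic-ni"
    spids: list[str] = field(default_factory=list)


def check_dialer_policy(profiles: list[DialerProfile],
                        physicals: list[PhysicalInterface]) -> list[str]:
    """Return human-readable problems; an empty list means the policy is consistent."""
    problems: list[str] = []

    # Only one definition per interface, virtual or physical.
    seen: set[str] = set()
    for iface in [p.interface for p in profiles] + [ph.interface for ph in physicals]:
        if iface in seen:
            problems.append(f"{iface}: more than one definition for this interface")
        seen.add(iface)

    # Build pool -> member BRIs; a pool without a member can never place a call.
    members: dict[int, list[str]] = {}
    for ph in physicals:
        if not ph.pools:
            problems.append(f"{ph.interface}: physical interface belongs to no dialer pool")
        for pool in ph.pools:
            members.setdefault(pool, []).append(ph.interface)
        if ph.spids and ph.switch_type not in SPID_SWITCH_TYPES:
            problems.append(f"{ph.interface}: SPIDs given but switch type "
                            f"{ph.switch_type} does not use them")
        if len(ph.spids) > 2:
            problems.append(f"{ph.interface}: at most two SPIDs are allowed")

    for p in profiles:
        if p.pool_id not in members:
            problems.append(f"{p.interface}: dialer pool {p.pool_id} has no physical member")
        if not p.dialer_string:
            problems.append(f"{p.interface}: dialer string (remote number) is required")
    return problems


def render_ios(profiles: list[DialerProfile], physicals: list[PhysicalInterface]) -> str:
    """Render the equivalent IOS dialer-profile configuration (my rendering)."""
    lines: list[str] = []
    dialer_lists: dict[int, str] = {}
    for p in profiles:
        lines += [f"interface {p.interface}",
                  f" description backup to {p.name}",
                  " encapsulation ppp",
                  f" dialer pool {p.pool_id}",
                  f" dialer string {p.dialer_string}",
                  f" dialer-group {p.dialer_group}",
                  f" dialer idle-timeout {p.idle_timeout}",
                  f" dialer fast-idle {p.fast_idle}",
                  "!"]
        if p.interesting_acl:
            dialer_lists[p.dialer_group] = p.interesting_acl
    # Interesting traffic: only packets permitted by the ACL bring up the line.
    for group, acl in sorted(dialer_lists.items()):
        lines += [f"dialer-list {group} protocol ip list {acl}", "!"]
    for ph in physicals:
        lines.append(f"interface {ph.interface}")
        lines.append(f" isdn switch-type {ph.switch_type}")
        for n, spid in enumerate(ph.spids, start=1):
            lines.append(f" isdn spid{n} {spid}")
        for pool in ph.pools:
            lines.append(f" dialer pool-member {pool}")
        lines.append("!")
    return "\n".join(lines)


# Constructed sample: one BRI backing two sites through one shared pool.
SAMPLE_PROFILES = [
    DialerProfile("Dialer1", "London", pool_id=1, dialer_group=1,
                  dialer_string="5550100", interesting_acl="101"),
    DialerProfile("Dialer2", "Paris", pool_id=1, dialer_group=1,
                  dialer_string="5550111"),
]
SAMPLE_PHYSICALS = [
    PhysicalInterface("BRI0/0", pools=[1], switch_type="basic-ni",
                      spids=["01555010000", "01555010100"]),
]

if __name__ == "__main__":
    for problem in check_dialer_policy(SAMPLE_PROFILES, SAMPLE_PHYSICALS):
        print("PROBLEM:", problem)
    print(render_ios(SAMPLE_PROFILES, SAMPLE_PHYSICALS))
```

A profile whose pool has no physical member is the case that deploys cleanly as a policy but never dials, which is why the check is worth running before Submit rather than after a failed backup.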

ADSL on Cisco IOS Routers


Digital Subscriber Line (DSL) is a family of technologies that transports data over
existing twisted-pair copper wire. DSL uses frequencies that are beyond the upper
limit used by POTS (plain old telephone service) to deliver broadband applications,
such as multimedia and video, over the local loop (or last mile) that connects the
telephone company's central office to customer sites.
Asymmetric Digital Subscriber Line (ADSL) is a form of DSL where the data
flow downstream to customer sites is much greater than the data flow upstream to
the central office (CO). This asymmetric setup is well-suited for applications
where users typically download far more information than they send, such as web
surfing, video-on-demand, and remote LAN access. With ADSL, the connection
speed is related to the distance between the customer site and the digital
subscriber line-access multiplexer (DSLAM) that aggregates the connections
from multiple customer sites onto a high-speed line.
ADSL downstream rates range from 1.5 to 9 Mbps, whereas upstream bandwidth
ranges from 16 to 640 kbps. ADSL transmissions work at distances up to
18,000 feet (5,488 meters) over a single copper twisted pair. Newer versions of
ADSL technology, such as ADSL2 and ADSL2+, offer even higher data rates for
short distances, as well as power management and realtime performance
monitoring.
ATM is used in many ADSL implementations due to its small, fixed-length cell
size, which makes it suitable for carrying time-critical traffic, such as voice and
video, in conjunction with other traffic. You can use Security Manager to
configure ATM over DSL on a Cisco IOS router. For more information about
configuring ADSL policies in Security Manager, see Defining ADSL Settings,
page 14-42.
To configure ADSL in Security Manager, you must do the following:

1. Configure an ATM interface or subinterface. See Defining Basic Router
Interface Settings, page 14-24.

2. Configure ADSL settings on the ATM interface or subinterface. See Defining
ADSL Settings, page 14-42.

3. Configure PVCs on the ATM interface or subinterface. See Defining ATM
PVCs, page 14-55.

Note

If you perform discovery on the device, Security Manager populates the Interfaces
policy with the ATM interface and subinterface and the ADSL policy with the
ADSL settings for that interface. Any discovered PVCs are added to the PVC
policy.
Related Topics

Supported ADSL Operating Modes, page 14-41

Managing Routers, page 14-1


Supported ADSL Operating Modes


Table 14-3 describes the operating modes that are supported on each ADSL
interface card that can be configured with Security Manager.

Table 14-3    ADSL Cards and Supported DSL Operating Modes

ADSL Interface Card    Supported DSL Operating Modes
WIC-1ADSL              auto, ansi-dmt, itu-dmt, splitterless
WIC-1ADSL-I-DG         auto, etsi, itu-dmt
WIC-1ADSL-DG           auto, ansi-dmt, itu-dmt, splitterless
HWIC-1ADSL             auto, ansi-dmt, itu-dmt, adsl2, adsl2+
HWIC-1ADSLI            auto, etsi, itu-dmt, adsl2, adsl2+
HWIC-ADSL-B/ST         auto, ansi-dmt, itu-dmt, adsl2, adsl2+
HWIC-ADSLI-B/ST        auto, etsi, itu-dmt, adsl2, adsl2+

Table 14-4 describes the operating modes that are supported on each ADSL
device that can be configured with Security Manager.

Table 14-4    Fixed ADSL Devices and Supported DSL Operating Modes

Device                            Supported DSL Operating Modes
857 Integrated Services Router    auto, ansi-dmt, itu-dmt, adsl2, adsl2+
876 Integrated Services Router    auto, etsi, itu-dmt, adsl2, adsl2+
877 Integrated Services Router    auto, ansi-dmt, itu-dmt, adsl2, adsl2+
1801 Integrated Services Router   auto, ansi-dmt, itu-dmt, adsl2, adsl2+
1802 Integrated Services Router   auto, etsi, itu-dmt, adsl2, adsl2+

Related Topics

Defining ADSL Settings, page 14-42

ADSL on Cisco IOS Routers, page 14-39

Defining ADSL Settings


When you configure an ADSL definition in Security Manager, you must select the
ATM interface on which ADSL is being defined. In addition, we highly
recommend that you specify the router type or the type of WIC (WAN interface
card) installed in the router. The validity of DSL policy definitions is highly
dependent on the hardware. By specifying the hardware used by this policy, you
enable Security Manager to properly validate the values you define and avoid
deployment failures.
You can optionally specify the following parameters:

• The DSL operating mode.

• Whether to enable dynamic VC bandwidth adjustments when using Inverse
Multiplexing over ATM (IMA).

• Whether certain interface cards should use a particular set of carrier tones.

Modular Cisco IOS routers may contain multiple interface cards, each of which
contains a single ATM interface. You may define only one ADSL definition per
interface.
Before You Begin

Make sure that the device contains an ADSL ATM interface. See Basic
Interface Settings on Cisco IOS Routers, page 14-21.


Procedure
Step 1

Do one of the following:

• (Device view) Select Interfaces > Settings > DSL > ADSL from the Policy
selector.

• (Policy view) Select Router Interfaces > Settings > DSL > ADSL from the
Policy Type selector. Right-click ADSL to create a policy, or select an
existing policy from the Shared Policy selector.

The ADSL page is displayed. See Table K-17 on page K-45 for a description of
the fields on this page.
Step 2

Click the Add button beneath the table to display the ADSL Settings dialog box.
See Table K-18 on page K-47 for a description of the fields in this dialog box.

Step 3

In the ATM Interface field, enter the name of the ATM interface or interface role
on which you want to define ADSL settings, or click Select to display a selector
(see Object Selectors, page F-558). For more information, see Specifying
Interfaces During Policy Definition, page 8-118.

Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Note

The interface that you select must be physically present on the device;
otherwise, deployment fails.

Step 4

(Optional) Select the interface card type installed on the router.

Note

When discovering from a live device, the correct interface card type is
already displayed. If you did not perform discovery on a live device, or if
Security Manager cannot detect the type of interface card installed on the
device, this field displays Unknown.


Step 5

(Optional) When using IMA groups, select the Allow bandwidth change on
ATM PVCs check box to enable dynamic adjustments to VC bandwidth in
response to changes in group bandwidth. If this check box is left deselected, you
must make these adjustments manually.

Step 6

(Optional) Specify the DSL operating mode for this ATM interface. See
Table 14-3 on page 14-41 for a list of the operating modes supported for each card
type.

Step 7

(Optional) Select the Use low tone set check box to have the interface card use
carrier tones 29 through 48.

Step 8

Click OK to save your definitions locally on the client and close the dialog box.
Your definitions are displayed in the ADSL table.

Note

To edit an ADSL definition, select it from the table, then click Edit. To
remove an ADSL definition, select it, then click Delete.

Step 9

Repeat Steps 2 through 8 to define ADSL settings on additional ATM interfaces.
Only one ADSL definition may be defined on an interface.

Step 10

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Supported ADSL Operating Modes, page 14-41

ADSL on Cisco IOS Routers, page 14-39

PVCs on Cisco IOS Routers, page 14-47

SHDSL on Cisco IOS Routers


Digital Subscriber Line (DSL) is a family of technologies that transports data over
existing twisted-pair copper wire. DSL uses frequencies that are beyond the upper
limit used by POTS (plain old telephone service) to deliver broadband applications,
such as multimedia and video, over the local loop (or last mile) that connects the
telephone company's central office to customer sites.


Based on the International Telecommunication Union (ITU) G.991.2 global
industry standard, symmetric high-speed digital subscriber line (SHDSL) delivers
symmetrical data rates from 192 kbps up to 2.3 Mbps on a single wire pair. It
transports many types of signals, such as T1, E1, ISDN, ATM, and IP. In addition,
the G.SHDSL signal has a greater distance reach from the central office than
ADSL and proprietary SDSL connections.
To configure SHDSL in Security Manager, do the following:

1. Configure the SHDSL controller. See Defining SHDSL Controllers,
page 14-46.

2. Deploy the SHDSL policy. If ATM mode is activated, the router creates an
ATM interface that corresponds to the controller upon deployment. See
Working with Deployment, page 18-35.

3. Rediscover the device to add the new ATM interface to Security Manager. See
Discovering Policies on Devices Already in Security Manager, page 6-10.

4. (Optional) Create one or more subinterfaces on the ATM interface. See
Defining Basic Router Interface Settings, page 14-24.

5. Configure PVCs on the ATM interface or subinterface. See Defining ATM
PVCs, page 14-55.

Note

If you perform discovery on the device, Security Manager populates the SHDSL
policy with the definition of the controller and the Interfaces policy with the ATM
interface and subinterface. Any discovered PVCs are added to the PVC policy.
Related Topics

PVCs on Cisco IOS Routers, page 14-47

Managing Routers, page 14-1


Defining SHDSL Controllers


When you configure an SHDSL controller in Security Manager, you must enter
the name of the controller that is installed in the Cisco IOS router. The following
settings are then applied automatically:

ATM mode is enabled.

The line termination is set to CPE (customer premises equipment).

The line mode is set to Auto.

You can optionally change the line termination to CO and specify the DSL mode
and line mode. In addition, you can define signal-to-noise ratio margins to
improve line stability.
A Cisco IOS router may contain multiple SHDSL controllers. You may define
only one SHDSL definition per controller.

Note

When you deploy an SHDSL policy with ATM mode enabled, an ATM interface
is created automatically on the router. Perform rediscovery to add the interface
into Security Manager. You can then define PVCs on the ATM interface as
required. See Defining ATM PVCs, page 14-55.
Before You Begin

Make sure that an SHDSL controller is installed on the device.

Procedure
Step 1

Do one of the following:

(Device view) Select Interfaces > Settings > DSL > SHDSL from the Policy
selector.

(Policy view) Select Router Interfaces > Settings > DSL > SHDSL from
the Policy Type selector. Right-click SHDSL to create a policy, or select an
existing policy from the Shared Policy selector.

The SHDSL page is displayed. See Table K-19 on page K-51 for a description of
the fields on this page.
Step 2

Click the Add button beneath the table to display the SHDSL dialog box.


Step 3

Enter the name of the controller, or click Select to display the utility for
generating the name. See Controller Auto Name Generator Dialog Box,
page K-56.

Note

The controller that you select must be physically present on the device;
otherwise, deployment fails.

Step 4

Define the SHDSL controller as required. For more information, see Table K-20
on page K-53.

Step 5

Click OK to save your definitions locally on the client and close the dialog box.
Your definitions are displayed in the SHDSL table.

Note

To edit an SHDSL controller, select it from the table, then click Edit. To
remove an SHDSL controller, select it, then click Delete.

Step 6

Repeat Steps 2 through 5 to define additional SHDSL controllers. Only one
definition may be defined per controller.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

SHDSL on Cisco IOS Routers, page 14-44

PVCs on Cisco IOS Routers, page 14-47

PVCs on Cisco IOS Routers


Asynchronous Transfer Mode (ATM) is an International Telecommunication
Union (ITU-T) standard designed for the high-speed transfer of voice, video, and
data through public and private networks using cell relay technology. A cell
switching and multiplexing technology, ATM combines the benefits of circuit
switching (constant transmission delay, guaranteed capacity) with those of packet
switching (flexibility, efficiency for intermittent traffic). An ATM network is
made up of one or more ATM switches and ATM endpoints, such as a Cisco IOS
router.
There are three general types of ATM services: permanent virtual connections
(PVCs), switched virtual connections (SVCs), and connectionless service. PVCs
allow direct and permanent connections between sites to provide a service that is
similar to a leased line. Advantages of PVCs are the guaranteed availability of a
connection and that no call setup procedures are required between switches. Each
piece of equipment between the source and destination must be manually
provisioned for the PVC.
For more information about ATM PVCs, see:

Understanding Virtual Paths and Virtual Channels, page 14-48

Understanding ATM Service Classes, page 14-50

Understanding ATM Management Protocols, page 14-52

For more information about defining PVCs in Security Manager, see:

Defining ATM PVCs, page 14-55

Defining OAM Management on ATM PVCs, page 14-59

Related Topics

ADSL on Cisco IOS Routers, page 14-39

SHDSL on Cisco IOS Routers, page 14-44

Managing Routers, page 14-1

Understanding Virtual Paths and Virtual Channels


ATM networks are fundamentally connection oriented. This means that a virtual
connection needs to be established across the ATM network before any data
transfer. Two types of ATM connections exist:

• Virtual path connections (VPCs), identified by a virtual path identifier (VPI).

• Virtual channel connections (VCCs), identified by the combination of a VPI
and a VCI (virtual channel identifier). PVCs are a type of VCC where a
permanent connection is defined between two sites.


As shown in Figure 14-3, a virtual path is a bundle of virtual channels, all of
which are switched transparently across the ATM network on the basis of the
common VPI. A VPC can be thought of as a bundle of VCCs with the same VPI
value.

Figure 14-3    ATM Virtual Path and Virtual Channel Connections
(Figure not reproduced here: a physical link carrying several VPs, each bundling
several VCs.)

Every cell header contains a VPI field and a VCI field, which explicitly associate
a cell with a given virtual channel on a physical link. It is important to remember
the following attributes of VPIs and VCIs:

• VPIs and VCIs are not addresses, such as MAC addresses used in LAN
switching.

• VPIs and VCIs are explicitly assigned at each segment of a connection and,
as such, have only local significance across a particular link. They are
remapped, as appropriate, at each switching point.

Using the VPI/VCI identifier, the ATM layer can multiplex (interleave),
demultiplex, and switch cells from multiple connections. Certain VPI/VCI
identifiers are reserved for particular uses, such as the Integrated Local
Management Interface (ILMI).
Related Topics

Understanding ATM Service Classes, page 14-50

Understanding ATM Management Protocols, page 14-52

Defining ATM PVCs, page 14-55

PVCs on Cisco IOS Routers, page 14-47


Understanding ATM Service Classes


Version 4.0 of the Traffic Management Specification published by the ATM
Forum defines five service classes that describe the user traffic transmitted on a
network and the quality of service that a network needs to provide for that traffic.
Security Manager supports the following ATM service classes:

• Available Bit Rate (ABR): This is a service class where ATM switches
make no guarantee of cell delivery, but do guarantee a minimum bit rate and
that cell loss is kept as low as possible with the use of a feedback mechanism.
The ABR service category is designed for VCs that carry file transfers and
other bursty, non-real-time traffic that requires a minimum amount of
bandwidth. This bandwidth is specified via a minimum cell rate that must be
available while the VC is configured and active. For more details, see
Understanding the Available Bit Rate (ABR) Service Category for ATM VCs
at:
http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a00800fbc76.shtml.

• Constant Bit Rate (CBR): This is a service class where cells are
transmitted in a continuous bitstream in order to meet voice and video QoS
needs. The CBR service class is designed for ATM virtual circuits (VCs) that
need a static amount of bandwidth that is continuously available for the
duration of the active connection. An ATM VC configured as CBR can send
cells at peak cell rate (PCR) at any time and for any duration. It also can send
cells at a rate less than the PCR or even emit no cells. The configuration on
CBR may vary with different platforms. For more details, see Understanding
the CBR Service Category for ATM VCs at:
http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a0080094e6a.shtml.

• Unspecified Bit Rate (UBR): This is a service class where the network
management makes no Quality of Service (QoS) commitment. It models the
best-effort service that the Internet normally provides and is suitable for
applications tolerant to delay that do not require real-time responses.
Examples include email, fax transmission, file transfers, Telnet, LAN and
remote office interconnections. For more details, see Understanding the UBR
Service Category for ATM Virtual Circuits at:
http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a00800a4837.shtml.


• Unspecified Bit Rate (UBR+): Cisco provides a variant of the UBR service
class called UBR+. The main advantage of the UBR+ service class is that it
allows an ATM end-system to signal a minimum cell rate to an ATM switch
in a connection request, and the ATM network attempts to maintain this
minimum as an end-to-end guarantee. For more details, see Understanding
the UBR+ Service Category for ATM VCs at:
http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a0080094b40.shtml.

• Variable Bit Rate - Non-Real Time (VBR-nrt): This service class is used
in order to transmit non-real-time applications that are bursty in nature. The
traffic characteristics are defined in terms of the Peak Cell Rate (PCR),
Sustained Cell Rate (SCR), and Minimum Burst Size (MBS). For more
details, see Understanding the VBR-nrt Service Category and Traffic Shaping
for ATM VCs at:
http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a0080102a42.shtml.

• Variable Bit Rate - Real Time (VBR-rt): This service class is used in order
to transmit real-time data that is sensitive to time delays, like compressed
voice over IP and video conferencing. As with VBR-nrt, VBR-rt traffic is
defined in terms of a PCR, SCR, and MBS. For more details, see
Understanding the Variable Bit Rate Real Time (VBR-rt) Service Category for
ATM VCs at:
http://www.cisco.com/en/US/tech/tk39/tk51/technologies_tech_note09186a0080094cd0.shtml.

You can use these service classes to define ATM quality of service (QoS)
guarantees, such as traffic shaping. Traffic shaping is the use of queues to
constrain data bursts, limit peak data rate, and smooth jitter so that traffic fits
within the envelope defined by the traffic contract. ATM devices use traffic
shaping to adhere to the terms of the traffic contract.
Related Topics

Understanding Virtual Paths and Virtual Channels, page 14-48

Understanding ATM Management Protocols, page 14-52

Defining ATM PVCs, page 14-55

PVCs on Cisco IOS Routers, page 14-47
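The envelope defined by the traffic contract, which the paragraph above says shaping keeps traffic inside, is checked in ATM with the Generic Cell Rate Algorithm (GCRA) from ATM Forum Traffic Management 4.0. The following Python is an added example, not code from this guide or from Cisco: it implements the dual leaky bucket for a VBR contract given as PCR, SCR and MBS (GCRA(1/PCR, CDVT) for the peak bucket and GCRA(1/SCR, BT + CDVT) for the sustained bucket, with burst tolerance BT = (MBS - 1)(1/SCR - 1/PCR)), as both a policer, which rejects cells outside the envelope, and a shaper, which queues them until they fit. The class names and the contract values are constructed for the example; times are seconds held as Fractions so the comparisons are exact.

```python
"""GCRA policing and shaping for an ATM VBR traffic contract.

Added example (constructed contract and arrival times); not code from the
page or from Cisco.  Formulas follow ATM Forum TM 4.0.
"""
from __future__ import annotations

from fractions import Fraction
from typing import Sequence


class Gcra:
    """Virtual-scheduling form of GCRA(I, L): a cell arriving at time t
    conforms unless it is earlier than TAT - L (TAT = theoretical arrival time)."""

    def __init__(self, increment: Fraction, limit: Fraction) -> None:
        self.i = increment          # I: one cell interval at the contracted rate
        self.l = limit              # L: tolerance
        self.tat = Fraction(0)

    def conforms(self, t: Fraction) -> bool:
        return t >= self.tat - self.l

    def earliest(self, t: Fraction) -> Fraction:
        """Earliest time >= t at which a cell would conform (used by the shaper)."""
        return max(t, self.tat - self.l)

    def accept(self, t: Fraction) -> None:
        """Advance TAT for a conforming cell; non-conforming cells leave it unchanged."""
        self.tat = max(t, self.tat) + self.i


class VbrContract:
    """Dual bucket for PCR/SCR (cells per second) and MBS (cells), optional CDVT (s)."""

    def __init__(self, pcr: int, scr: int, mbs: int, cdvt: Fraction = Fraction(0)) -> None:
        if not (0 < scr <= pcr and mbs >= 1):
            raise ValueError("need 0 < SCR <= PCR and MBS >= 1")
        t_pcr, t_scr = Fraction(1, pcr), Fraction(1, scr)
        # Burst tolerance: how far MBS back-to-back cells at PCR may run ahead of SCR.
        bt = (mbs - 1) * (t_scr - t_pcr)
        self.peak = Gcra(t_pcr, cdvt)
        self.sustained = Gcra(t_scr, bt + cdvt)

    def police(self, arrivals: Sequence[Fraction]) -> list[bool]:
        """One verdict per cell.  A cell must pass both buckets, and a cell that
        fails either one updates neither (it is dropped or tagged, not counted)."""
        verdicts: list[bool] = []
        for t in arrivals:
            ok = self.peak.conforms(t) and self.sustained.conforms(t)
            if ok:
                self.peak.accept(t)
                self.sustained.accept(t)
            verdicts.append(ok)
        return verdicts

    def shape(self, arrivals: Sequence[Fraction]) -> list[Fraction]:
        """Departure time per cell: hold it in a FIFO queue until both buckets accept."""
        departures: list[Fraction] = []
        last = Fraction(0)
        for t in arrivals:
            d = max(self.peak.earliest(t), self.sustained.earliest(t), last)
            self.peak.accept(d)
            self.sustained.accept(d)
            departures.append(d)
            last = d
        return departures


# Constructed contract: PCR 10 cells/s, SCR 2 cells/s, MBS 3 cells, sent as a
# burst of four cells back to back at PCR.  The first MBS cells conform; the
# fourth exceeds the sustained bucket and is rejected (policer) or delayed
# until the bucket drains at t = 0.7 s (shaper).
BURST = [Fraction(k, 10) for k in range(4)]          # 0.0, 0.1, 0.2, 0.3 s


def example_police() -> list[bool]:
    return VbrContract(pcr=10, scr=2, mbs=3).police(BURST)


def example_shape() -> list[Fraction]:
    return VbrContract(pcr=10, scr=2, mbs=3).shape(BURST)


if __name__ == "__main__":
    print("policer verdicts:", example_police())
    print("shaped departures (s):", [float(d) for d in example_shape()])
```

Setting SCR equal to PCR with MBS of 1 collapses the two buckets into a single GCRA(1/PCR, CDVT), which is the CBR case from the list above.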


Understanding ATM Management Protocols


ATM uses two different types of signaling for tracking the status of PVCs:

• Integrated Local Management Interface (ILMI). For more information, see
Understanding ILMI, page 14-52.

• Flow 4 (F4) and Flow 5 (F5) Operation, Administration, and Maintenance
(OAM) cells. For more information, see Understanding OAM, page 14-53.

Security Manager can be used to enable and disable ILMI on specific PVCs and
to configure F5 OAM functionality.
Related Topics

Understanding Virtual Paths and Virtual Channels, page 14-48

Understanding ATM Service Classes, page 14-50

Defining ATM PVCs, page 14-55

Defining OAM Management on ATM PVCs, page 14-59

PVCs on Cisco IOS Routers, page 14-47

Understanding ILMI
The Integrated Local Management Interface (ILMI) is a protocol defined by the
ATM Forum for setting and capturing physical layer, ATM layer, virtual path, and
virtual circuit parameters on ATM interfaces. ILMI facilitates network-wide
autoconfiguration by enabling devices to determine the status of components at
the other end of a physical link and to negotiate a common set of operational
parameters to ensure interoperability. The ATM routing protocols, PNNI and IISP,
use this information to discover and bring up a network of interconnected ATM
switch routers.
When two ATM interfaces run the ILMI protocol, they exchange ILMI packets
across the physical connection. These packets consist of SNMP messages as large
as 484 octets. ATM interfaces encapsulate these messages in an ATM adaptation
layer 5 (AAL5) trailer, segment the packet into cells, and schedule the cells for
transmission. ATM interfaces use the SNMP object IDs in network functions such
as permanent virtual circuit (PVC) autodiscovery, which is particularly useful in
digital subscriber line (DSL) applications.


ILMI organizes managed objects into multiple information bases (MIBs),
including one for link management. This MIB contains the following object
groups for all ATM interfaces:

Physical layer: ILMI 4.0 discontinues or "deprecates" earlier physical-layer
ILMI values and specifies the use of the standard Interface MIB (RFC 1213).

ATM layer: Indicates the number of available bits for VPI and VCI values in
the ATM cell header, maximum number of virtual path connections (VPCs)
and virtual channel connections (VCCs) allowed, number of configured
PVCs, and so on.

Virtual path connection: Indicates the up or down status of a VPC and its
Quality of Service (QoS) parameters.

Virtual channel connection: Indicates the up or down status of the VCC and
its QoS parameters.

Administrators may enable or disable ILMI at will, but it is highly recommended
to enable it. Without ILMI, you must manually configure many of the parameters
otherwise managed by ILMI for the ATM devices to operate correctly. ILMI
operates over a reserved PVC of VPI=X, VCI=16.
Related Topics

Understanding ATM Management Protocols, page 14-52

PVCs on Cisco IOS Routers, page 14-47

Understanding OAM
The Operation, Administration, and Maintenance (OAM) feature provides fault
management and performance management for ATM and is based on the standard
defined in ITU recommendation I.610. OAM detects network connectivity
failures on a PVC and reacts by bringing down the PVC. Without OAM, a PVC
would remain up after network connectivity is lost. In such a situation, routing
table entries would continue to point to the PVC, resulting in lost packets.


Security Manager enables the use of F5 OAM, which operates at the virtual circuit
(VC) level. In order to detect a failure along the PVC path on an end-device, such
as a Cisco IOS router, OAM uses the following cells:

Loopback cells: At regular intervals, routers configured for OAM send
loopback cells, which must be looped in the network. This looping point can
be the machine at the end of the PVC (end-to-end loopback cells) or a device
on the path (segment loopback cells). A failure occurs when the loopback cell
fails to return to its point of origin.

Continuity Check (CC) cells: CC cells are sent regularly by routers
configured for OAM to check the integrity of the link. CC cells can be sent
either end-to-end or confined to a particular segment of the PVC. Activation
and deactivation cells are used to initiate and suspend continuity checking.
Any connectivity failures are reported in special SNMP notifications.

Alarm Indication Signal (AIS) cells: In the event of a failure at the physical
layer, AIS cells are sent to downstream devices to report a virtual connection
failure at the ATM layer. The PVC moves to the down state after a defined
number of AIS cells are received and does not come up again until a defined
interval passes without additional AIS cells.

Remote Detection Indication (RDI) cells: When AIS cells are sent to warn
downstream devices of a connectivity failure, RDI cells are sent upstream in
response as a control and feedback mechanism for the network.

AIS/RDI cells are sent using the same VPI/VCI as the user cells on the affected
PVC until the failure is resolved.
Related Topics

Understanding ATM Management Protocols, page 14-52

PVCs on Cisco IOS Routers, page 14-47

Defining OAM Management on ATM PVCs, page 14-59


Defining ATM PVCs


You define an ATM permanent virtual circuit (PVC) by selecting an ATM
interface and then defining the following settings:

The PVC ID.

The type of encapsulation to use.

Whether ILMI management is enabled on this PVC.

Whether Inverse ARP (InARP) is used to learn the IP addresses of the
destination devices.

Options related to PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA).

Quality-of-service settings, such as traffic shaping.

Static IP address mappings in place of InARP.

For information about defining F5 Operation, Administration, and Maintenance
(OAM) management, such as loopbacks and continuity checks, on PVCs, see
Defining OAM Management on ATM PVCs, page 14-59.
Before You Begin

When configuring ATM over DSL, make sure that you have configured either
an ADSL policy (see ADSL on Cisco IOS Routers, page 14-39) or an SHDSL
policy (SHDSL on Cisco IOS Routers, page 14-44).

Make sure that the device contains an ATM interface and subinterface. (PVCs
are typically configured on ATM subinterfaces.) See Basic Interface Settings
on Cisco IOS Routers, page 14-21.

Note

When configuring ATM for SHDSL, the ATM interface is created when you
define the SHDSL controller and enable ATM mode. You must then rediscover the
device to add the ATM interface to Security Manager. See Defining SHDSL
Controllers, page 14-46.
Procedure

Step 1

Do one of the following:

(Device view) Select Interfaces > Settings > PVC from the Policy selector.


(Policy view) Select Router Interfaces > Settings > PVC from the Policy
Type selector. Right-click PVC to create a policy, or select an existing policy
from the Shared Policy selector.

The PVC page is displayed. See Table K-22 on page K-58 for a description of the
fields on this page.
Step 2

Click the Add button beneath the table to display the PVC dialog box. See
Table K-23 on page K-60 for a description of the fields in this dialog box.

Step 3

In the Interface field, enter the name of the ATM interface, ATM subinterface, or
interface role on which you want to define the PVC, or click Select to display a
selector (see Object Selectors, page F-558).

Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 4

Select the type of device or DSL WAN interface card that contains the ATM
interface.

Note

We highly recommend that you define this setting to ensure the proper
validation of your PVC policy, as the settings in this policy are highly
hardware-dependent.

Step 5

On the Settings tab of the PVC dialog box, define the basic settings of the PVC:
a.

Enter the VPI/VCI identifier and an optional text handle. If you are defining
the management PVC, select the Management PVC (ILMI) check box.

Note

An error occurs if two users attempt to define PVCs with the same
identifiers at the same time.

b.

Select the type of ATM encapsulation to use. If you select aal5autoppp or
aal5ciscoppp, you must define the virtual template to use for PPPoA, or click
Select to display a selector (see Object Selectors, page F-558). If you select
aal5mux as the encapsulation type, you must select the protocol that is
carried by the PVC.


Note

Do not select an encapsulation type when defining the management
PVC.

Note

If you modify the virtual template settings on an existing PVC, you
must enter the shutdown command followed by the no shutdown
command on the ATM subinterface to restart the interface. This
causes the newly configured parameters to take effect.

c.

Select the Enable ILMI check box to enable the ILMI to manage this PVC.
For more information, see Understanding ILMI, page 14-52.

Note

You cannot configure the management PVC on a subinterface.

d.

Select the Inverse ARP check box to enable the PVC to dynamically learn
the Layer 3 addresses that are required to forward traffic to those devices.

Note

Alternatively, you can create static address mappings, as described in
Step 7.

e.

In the PPPoE Max Sessions field, define the maximum number of PPPoE
sessions allowed on the PVC.

f.

In the VPN Service Name field, define the static domain name to use for
PPPoA sessions on the PVC.

See Table K-24 on page K-63 for a description of the fields on the Settings tab.
Step 6

(Optional) On the QoS tab of the PVC dialog box, define the type of ATM traffic
shaping to perform on the traffic carried by this PVC. Traffic shaping regulates
the flow of traffic carried by the PVC by queuing traffic that exceeds the defined
bit rates. See Table K-25 on page K-68 for a description of the fields on the QoS
tab.

Step 7

(Optional) On the Protocol tab of the PVC dialog box, create static mappings for
the IP addresses at the other end of the PVC:
a.

Click Add to display the Define Mapping dialog box. See Table K-27 on
page K-73 for a description of the fields in this dialog box.

b.

Select IP Address, then enter the address or network/host object that you want
to map, or click Select to display a selector (see Object Selectors,
page F-558).

c.

Click OK. The static mapping is displayed on the Protocol tab.

d.

Repeat Steps a through c to define additional static mappings.

Note

You can also use the Protocol tab to change the type of InARP to use,
broadcast or non-broadcast.

Step 8

Click Advanced to configure OAM management on the PVC. See Defining OAM
Management on ATM PVCs, page 14-59.

Step 9

Click OK to save your definitions locally on the client and close the dialog box.
Your definitions are displayed in the PVC table.

Note

To edit a PVC, select it from the table, then click Edit. To remove a PVC,
select it, then click Delete.

Step 10

Repeat Steps 2 through 9 to define additional PVCs.

Step 11

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining OAM Management on ATM PVCs, page 14-59

Understanding Policing and Shaping Parameters, page 14-161

PVCs on Cisco IOS Routers, page 14-47


Defining OAM Management on ATM PVCs


Security Manager enables you to configure the following F5 (VC level)
Operation, Administration, and Maintenance (OAM) cells for detecting PVC
failures in a Cisco IOS router:

Loopback cells

Continuity Check (CC) cells

Alarm Indication Signal (AIS) cells

Remote Detection Indication (RDI) cells

You can enable and disable each of these cell types and define settings that
determine how each cell type affects the PVC when a failure is detected.
Before You Begin

Select the ATM interface on which the PVC is defined.

Define the general settings and the QoS settings of the PVC. See Defining
ATM PVCs, page 14-55.

Procedure
Step 1

In the PVC dialog box, click Advanced to display the PVC Advanced Settings
dialog box. See Table K-28 on page K-74 for a description of the fields in this
dialog box.

Step 2

Enable OAM loopback cells on the selected PVC:
a.

Click the OAM-PVC tab. See Table K-30 on page K-78 for a description of
the fields on this tab.

b.

Select the Enable OAM Management check box.

c.

Define the frequency of loopback cell transmissions.

Step 3

(Optional) Enable segment CC cells on the PVC:
a.

Under Segment Continuity Check, select Configure Continuity Check.

b.

Choose whether the router should act as the sink, source, or both. This
determines the direction in which CC cells are sent.

c.

Choose whether the PVC should remain up after segment or end-to-end
failures are detected.


Note

Select Deny Activation Requests to have the router reject CC activation
requests received from peers.

Step 4

(Optional) Enable end-to-end CC cells on the PVC, using the procedure described
in Step 3 for segment CC cells.

Step 5

(Optional) Configure additional loopback cell parameters:
a.

Click the OAM tab.

b.

Select the Enable OAM Retry check box, then define the down count, up
count, and retry frequency. See Table K-29 on page K-75 for a description of
the available options.

Step 6

(Optional) Configure additional CC cell parameters:
a.

Select the Enable check box for segment CC cells, then define the activation
count, deactivation count, and retry frequency. These fields determine how
many activation and deactivation requests are sent to peers and how long the
router waits between attempts. See Table K-29 on page K-75 for a
description of the available options.

b.

Repeat Step a for end-to-end CC cells.

Step 7

(Optional) Configure AIS/RDI cells on the PVC:
a.

On the OAM tab, select the Enable AIS-RDI Detection check box.

b.

Define how many AIS/RDI cells are required to move the PVC to the down
state.

c.

Define how many seconds must elapse without receiving AIS/RDI cells in
order to move the PVC to the up state.

Step 8

Click OK to close the dialog box and return to the PVC dialog box.
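The following is an added example; it is not part of this guide and is not Security Manager or Cisco IOS code. It models in Python the failure-detection behavior described in Understanding OAM, page 14-53, and configured in Steps 5 and 7 above: a PVC goes down after the OAM Retry down count of consecutive unreturned loopback cells and comes back up after the up count of returned cells, and it goes down after the AIS/RDI down count of cells and comes back up only after the configured number of seconds passes without an AIS/RDI cell. The class and field names, the sample timeline, and the rule that the PVC is up only while both checks are clear are assumptions of the model.

```python
"""Constructed model of how F5 OAM loopback retry and AIS/RDI detection move
a PVC between the up and down states. Illustrative code only, not Security
Manager or Cisco IOS code; class names, field names, and the sample timeline
are assumptions chosen to mirror the dialog box settings."""

from dataclasses import dataclass


@dataclass
class OamRetry:
    """Enable OAM Retry settings: consecutive unreturned loopback cells that
    bring the PVC down, and consecutive returned cells that bring it back up."""
    down_count: int = 5
    up_count: int = 3


@dataclass
class AisRdi:
    """Enable AIS-RDI Detection settings: AIS/RDI cells that bring the PVC
    down, and seconds that must pass with no AIS/RDI cell before it is up."""
    down_count: int = 1
    up_seconds: int = 3


class PvcOamMonitor:
    """Tracks one PVC. Assumption of this model: the PVC is up only while both
    the loopback check and the AIS/RDI check are clear."""

    def __init__(self, retry: OamRetry, ais_rdi: AisRdi):
        self.retry = retry
        self.ais_rdi = ais_rdi
        self.loopback_ok = True
        self.ais_ok = True
        self._fail_streak = 0   # consecutive loopback cells that did not return
        self._ok_streak = 0     # consecutive loopback cells that did return
        self._ais_cells = 0     # AIS/RDI cells seen since the last quiet interval
        self._last_ais = None   # time of the most recent AIS/RDI cell
        self.events = []        # (time, "up"/"down", reason) for each transition

    @property
    def up(self) -> bool:
        return self.loopback_ok and self.ais_ok

    def _record(self, was_up: bool, now: float, reason: str) -> None:
        if was_up != self.up:
            self.events.append((now, "up" if self.up else "down", reason))

    def loopback_result(self, returned: bool, now: float) -> bool:
        """A loopback cell sent at time 'now' either came back or did not."""
        was_up = self.up
        if returned:
            self._fail_streak = 0
            self._ok_streak += 1
            if not self.loopback_ok and self._ok_streak >= self.retry.up_count:
                self.loopback_ok = True
                self._record(was_up, now, f"{self.retry.up_count} loopback cells returned")
        else:
            self._ok_streak = 0
            self._fail_streak += 1
            if self.loopback_ok and self._fail_streak >= self.retry.down_count:
                self.loopback_ok = False
                self._record(was_up, now, f"{self.retry.down_count} loopback cells lost")
        return self.up

    def ais_cell(self, now: float) -> bool:
        """An AIS or RDI cell arrived on the PVC's own VPI/VCI."""
        was_up = self.up
        self._ais_cells += 1
        self._last_ais = now
        if self.ais_ok and self._ais_cells >= self.ais_rdi.down_count:
            self.ais_ok = False
            self._record(was_up, now, f"{self.ais_rdi.down_count} AIS/RDI cell(s) received")
        return self.up

    def tick(self, now: float) -> bool:
        """Periodic timer: clear the AIS/RDI condition once the quiet interval passes."""
        was_up = self.up
        if self._last_ais is not None and now - self._last_ais >= self.ais_rdi.up_seconds:
            self._ais_cells = 0
            self._last_ais = None
            self.ais_ok = True
            self._record(was_up, now, f"{self.ais_rdi.up_seconds}s without AIS/RDI cells")
        return self.up


def run_scenario() -> list:
    """Constructed timeline: loopback cells every 10 s, an outage, recovery,
    then a single AIS cell reporting a physical-layer failure."""
    mon = PvcOamMonitor(OamRetry(down_count=3, up_count=2),
                        AisRdi(down_count=1, up_seconds=3))
    for t in (0, 10, 20):        # healthy: every loopback cell returns
        mon.loopback_result(True, t)
    for t in (30, 40, 50):       # outage: third lost cell takes the PVC down at t=50
        mon.loopback_result(False, t)
    for t in (60, 70):           # recovery: second returned cell brings it up at t=70
        mon.loopback_result(True, t)
    mon.ais_cell(75)             # one AIS cell is enough with down_count=1
    for t in (76, 77, 78):       # 3 quiet seconds later the PVC comes back up
        mon.tick(t)
    return mon.events


if __name__ == "__main__":
    for when, state, why in run_scenario():
        print(f"t={when:>3}  PVC {state:<4}  ({why})")
```

Running the file prints the four state transitions of the constructed timeline. The events list is the signal a monitoring check would act on: a PVC that stays up after connectivity is lost is the condition OAM exists to prevent, and the down and up counts trade detection speed against flapping on a noisy link.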
Related Topics

Defining ATM PVCs, page 14-55

PVCs on Cisco IOS Routers, page 14-47


PPP on Cisco IOS Routers


The Point-to-Point Protocol (PPP), as defined in RFC 1661, provides a method for
transporting packets between two devices or hosts using physical or logical links.
PPP is a Layer 2 data-link protocol that can work with multiple Layer 3
network-layer protocols, including IP, IPX, and AppleTalk.
PPP is used in many common scenarios, such as:

Connecting remote users to a central network over dial-in connections.

Connecting the gateway of an enterprise network to an ISP for internet access.

Connecting two LANs (for example, a central office and a branch office) in
order to exchange data between them.

PPP connectivity is established in stages:


1.

First, a Link Control Protocol (LCP) establishes, configures, and tests the
data-link connection.

2.

(Optional) Authentication verifies the identity of the two parties.

3.

A family of Network Control Protocols (NCPs) establishes and configures the
necessary network-layer protocols.

The PPP policy in Security Manager provides a method for configuring selected
parameters that are negotiated between the two nodes during the LCP stage,
including authentication (typically CHAP or PAP) and Multilink PPP (MLP). For
more information about MLP, see Defining Multilink PPP Bundles, page 14-66.
The following topics describe the tasks you perform to create PPP policies on
Cisco IOS routers:

Defining PPP Connections, page 14-63

Defining Multilink PPP Bundles, page 14-66

Related Topics

Managing Routers, page 14-1


Understanding Multilink PPP (MLP)


MLP, as defined in RFC 1990, is a method for splitting, recombining, and
sequencing datagrams across multiple logical data links. MLP was originally
designed to exploit multiple bearer channels in ISDN, but it can be used whenever
multiple PPP links connect two systems, including asynchronous links.
MLP spreads inbound and outbound traffic across multiple physical WAN links
(known collectively as a bundle) while providing the following benefits:

Packet fragmentation and reassembly

Proper sequencing

Multivendor interoperability

Load balancing

As shown in Figure 14-4, traffic routed across an MLP link is fragmented, with
the fragments being sent across the different physical links. At the remote end of
the link, the fragments are reassembled and forwarded to the next hop toward their
ultimate destination. By using multiple physical links, MLP provides a way to
temporarily use the additional bandwidth afforded by these links.
Figure 14-4

Multilink PPP

[Figure: Cisco 2500, Cisco 2500, and Cisco 7200 routers; a bundle of four T1's; T3]

Every MLP bundle is controlled by a single interface, the bundle master, which is
a virtual-access interface. This interface is created in the background when the
bundle is first created. The physical interface becomes part of the bundle that is
managed by the bundle master. Bundles are also used when you create a multilink
group consisting of a multilink interface and its associated serial interfaces, which
is a setup that is often found in static, leased-line environments.
MLP uses an endpoint discriminator to identify the system transmitting a packet.
By default, this discriminator is based on the hostname of the router, but it can
also be based on other criteria, such as the IP address or MAC address of the
interface, a telephone number, or a user-defined string. If the endpoint
discriminator matches the discriminator of an existing link, the new link is added
to the matching bundle. If no match exists, a new bundle is created. When
authentication is used, a new bundle is established whenever there is a mismatch
in either the discriminator or the authentication information exchanged between
the two nodes.
Related Topics

Defining Multilink PPP Bundles, page 14-66

PPP on Cisco IOS Routers, page 14-61

Defining PPP Connections


When you define a PPP connection, the first step is to select the interface on which
PPP should be enabled. You must select one of the following interface types:

Async

Group-Async

Serial

High-Speed Serial Interface (HSSI)

Dialer

BRI, PRI (ISDN)

Virtual template

Multilink

You cannot define PPP connections on:

Subinterfaces.

Serial interfaces with Frame Relay encapsulation.

Virtual template interfaces defined as Ethernet or tunnel types (serial is
supported).

Note

You cannot configure PPP on serial interfaces that are configured for Frame
Relay encapsulation. See Defining Basic Router Interface Settings,
page 14-24.

Deployment might fail if you define PPP on a virtual template that is also
used in an 802.1x policy. See Defining 802.1x Policies, page 14-133.

You can select one or more authentication protocols and define when
authentication should be performed.
In addition, you can configure the authentication and authorization methods to use
when performing AAA on a remote security server. You can either define a default
method list to use for all PPP connections on the device or define a customized
method list that applies to a specific connection.
Before You Begin

Make sure that the device contains an interface on which PPP can be
configured. See Basic Interface Settings on Cisco IOS Routers, page 14-21.

Procedure
Step 1

Do one of the following:

(Device view) Select Interfaces > Settings > PPP/MLP from the Policy
selector.

(Policy view) Select Router Interfaces > Settings > PPP/MLP from the
Policy Type selector. Right-click PPP/MLP to create a policy, or select an
existing policy from the Shared Policy selector.

The PPP/MLP page is displayed. See Table K-31 on page K-81 for a description
of the fields on this page.
Step 2

Click the Add button beneath the table to display the PPP dialog box.

Step 3

In the Interface field, enter the name of the interface or interface role on which
you want to define the PPP connection, or click Select to display a selector (see
Object Selectors, page F-558).


Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 4

(Optional) On the PPP tab, define authentication for the PPP connection:
a.

Select one or more authentication protocols.

b.

Select one or more authentication options. These options determine when to
perform authentication (callin, callout, and callback) and whether to use
one-time passwords.

Note

The Call Back option only enables authentication during callback.
Use the CLI or FlexConfigs to configure the callback feature on the
device.

See Table K-32 on page K-84 for a description of the fields on this tab.
Step 5

(Optional) When using a remote AAA server to perform authentication, select
Default List or Custom Method List in the Authenticate Using field, then define
the methods to use in the Prioritized Method List field.

Note

If you modify the default list, your changes affect all PPP connections on
the device that use this list. If you leave this field blank, authentication is
performed using the local database on the device.

Step 6

(Optional) When using a remote AAA server to perform authorization, select
AAA Policy Default List or Custom Method List, then define the methods to use
in the Prioritized Method List field.

Note

If you choose AAA Policy Default List, the device uses the default
authorization methods defined in the AAA policy. See Defining AAA
Services, page 14-72.

Step 7

(Optional) Define the username and password to send in response to PAP
authentication requests.


Note

If you entered the encrypted version of the password, select the
Encrypted check box.

Step 8

(Optional) Define a different hostname to send in all CHAP challenges and
responses in place of the router's own hostname.

Note

If you entered the encrypted version of the password, select the
Encrypted check box.

Step 9

(Optional) To enable Multilink PPP on this connection, click the MLP tab. See
Defining Multilink PPP Bundles, page 14-66.

Step 10

Click OK to save your definitions locally on the client and close the dialog box.
Your definitions are displayed in the PPP table.

Note

To edit a PPP connection, select it from the table, then click Edit. To
remove a PPP connection, select it, then click Delete.

Step 11

Repeat Steps 2 through 10 to define PPP connections on additional interfaces.
Only one PPP connection may be defined on an interface.

Step 12

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining Multilink PPP Bundles, page 14-66

PPP on Cisco IOS Routers, page 14-61

Defining Multilink PPP Bundles


You enable Multilink PPP (MLP) on the selected interface by selecting the check
box at the top of the Multilink tab in the PPP dialog box. You can optionally
enable Multiclass Multilink PPP (MCMP), which prevents delay-sensitive traffic
from fragmentation, and interleaving, which enables packets to be interspersed
among the fragments of larger packets. If you want to restrict a serial interface to
a specific bundle, you can select the multilink interface that represents that
bundle.
In addition, you can optionally modify the following default settings:

The maximum fragment delay.

The endpoint discriminator that identifies the router when negotiating the use
of MLP.

The maximum receive reconstructed unit (MRRU) permitted by the router
and its peers.

The maximum queue depth for first-in, first-out (FIFO) and non-FIFO
queues.

Before You Begin

Select the interface on which the PPP connection should be enabled.

Procedure
Step 1

In the PPP dialog box, click the MLP tab. See Table K-33 on page K-88 for a
description of the fields on this tab.

Step 2

Select the Enable Multilink Protocol (MLP) check box.

Step 3

(Optional) Configure one or more of the following options:
a.

Whether to enable the multiclass feature that prevents delay-sensitive traffic
from being fragmented. This is achieved by placing delay-sensitive traffic in
a separate class from regular traffic.

b.

Whether to enable the interleaving of packets among the fragments of larger
packets on the MLP bundle.

c.

Whether to restrict the physical link to joining only a designated
multilink group (defined by selecting a multilink interface). If a peer at the
other end of the link tries to join a different bundle, the connection is severed.

d.

Whether to modify the default amount of time required to transmit a fragment
on the MLP bundle. The default is 30 milliseconds.


Note

If you enable interleaving without defining a fragment delay, the
default delay of 30 seconds is configured. This value does not appear
in Security Manager or in the device configuration.

Step 4

(Optional) Under Endpoint, modify the default endpoint discriminator used on the
MLP bundle.
The endpoint discriminator is used to identify the router on the MLP bundle. The
default endpoint discriminator is either the globally configured hostname, or the
PAP username or CHAP hostname (depending on the authentication protocol
being used), if you configured those values on the PPP tab. See Defining PPP
Connections, page 14-63.

Step 5

(Optional) In the MRRU fields, modify the default maximum packet size that the
router (local) or the peer (remote) is capable of receiving.

Step 6

(Optional) Modify the default maximum size of link transmit queues when using
FIFO and non-FIFO (QoS) queuing.

Step 7

Click OK to close the dialog box. Your definitions are displayed on the PPP page.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining PPP Connections, page 14-63

PPP on Cisco IOS Routers, page 14-61

AAA on Cisco IOS Routers


Authentication, authorization, and accounting (AAA) network security services
provide the primary framework through which you set up access control on your
Cisco IOS router. Use the AAA policy in Security Manager to enable AAA
functionality on Cisco IOS routers and to configure default AAA settings. The
default settings that you define in this policy can be used in other policies, such
as HTTP and line access (console and VTY) policies. Enabling AAA
functionality is a prerequisite for any device policy that makes use of AAA,
including NAC, SDP, and 802.1x.
For more information about AAA, see:

Supported Authorization Types, page 14-69

Supported Accounting Types, page 14-70

Understanding Method Lists, page 14-71

To configure a AAA policy, see:

Defining AAA Services, page 14-72

Related Topics

Understanding AAA Server Objects, page 8-23

Understanding AAA Server Group Objects, page 8-16

Line Access on Cisco IOS Routers, page 14-89

Managing Routers, page 14-1

Supported Authorization Types


AAA authorization enables you to limit the services available to an authenticated
user. Security Manager supports the following types of authorization:

Network: Authorizes various types of network connections, such as PPP,
SLIP, and ARAP.

EXEC: Authorizes the launching of EXEC (CLI) sessions.

Command: Authorizes the use of all EXEC mode commands that are
associated with specific privilege levels.

When authorization is enabled, the router uses information retrieved from the
user's profile to configure the user session. The profiles are located either in the
local user database or on a security server. Users are granted access to a requested
service only if the profile allows it.


Related Topics

Supported Accounting Types, page 14-70

Understanding Method Lists, page 14-71

Defining AAA Services, page 14-72

AAA on Cisco IOS Routers, page 14-68

Supported Accounting Types


AAA accounting enables you to track the services the users are accessing and the
amount of network resources that they are consuming. Security Manager supports
the following accounting types:

Connection: Records information about all outbound connections made
from this device, such as Telnet, local-area transport (LAT), TN3270, packet
assembler/disassembler (PAD), and rlogin connections.
For example, a RADIUS connection accounting record for an outbound
Telnet connection includes such information as the port and IP address of the
network access server (NAS), the start and end times of the connection, the
identity of the user, and the number of packets that were transmitted during
the session.

EXEC: Records information about user EXEC (CLI) sessions on the
devices, including the username, date, start and stop times, and the IP address
of the NAS. For dial-in users, the record includes the telephone number from
which the call originated.

Command: Records information about the EXEC commands executed on
the device by users with specific privilege levels. Each command accounting
record includes a list of the commands executed for that privilege level, the
date and time each command was executed, and the name of the user who
executed it.

For each accounting type, you can choose whether you want to generate an
accounting record at the start and end of each user session or only at the end.
When AAA accounting is enabled, the router sends accounting records of user
activity to the TACACS+ or RADIUS security server. Each accounting record
contains accounting attribute-value (AV) pairs and is stored on the security server.
This data can later be analyzed for network management, client billing, and
auditing purposes.

Related Topics

Supported Accounting Types, page 14-70

Understanding Method Lists, page 14-71

Defining AAA Services, page 14-72

AAA on Cisco IOS Routers, page 14-68

Understanding Method Lists


A method list is a sequential list describing the methods to use to perform a
particular AAA function. In Security Manager, you define method lists by
selecting AAA server groups, which are reusable objects that typically contain
one or more AAA servers running the same protocol, such as RADIUS or
TACACS+. Method lists enable you to designate one or more security protocols
to be used for each AAA function, thus ensuring a backup system if the initial
method fails.

Note

Security Manager also contains predefined AAA server group objects for using
the enable password or a local database. See Predefined AAA Authentication
Server Groups, page 8-17.
For each AAA function, the device initially uses the first method defined in the
list. If that method fails to respond, the device selects the next method in the list.
This process continues until there is successful communication with a listed
method, or all methods defined in the method list are exhausted.

Note

The device attempts to communicate with the next listed method only when there
is no response from the previous method. If the AAA service fails at any point in
this cycle, meaning that the security server or local username database responds
by denying the user access or services, the process stops and no other methods
are attempted.
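The following is an added example; it is not part of this guide and is not Security Manager or Cisco IOS code. It models in Python the method-list behavior described above: the device tries the methods in order, moves to the next method only when the previous one gives no response, and stops on any definite answer, whether allow or deny. It also shows why the None method, which performs no authentication and therefore always passes, is only permitted as the last method in the list (see Defining AAA Services, page 14-72): when every server group ahead of it is unreachable, the list fails open. The function names, the server group behavior, and the sample user database are constructed for the example.

```python
"""Constructed model of AAA method-list evaluation. Illustrative code only,
not Security Manager or Cisco IOS code; all names are assumptions."""

from enum import Enum
from typing import Callable


class Outcome(Enum):
    PASS = "pass"    # the method answered and accepted the user
    FAIL = "fail"    # the method answered and denied the user
    ERROR = "error"  # no response (server group unreachable or timed out)


# A method takes (username, password) and returns an Outcome.
Method = Callable[[str, str], Outcome]


def server_group(reachable: bool, allowed: dict[str, str]) -> Method:
    """Models a RADIUS or TACACS+ AAA server group object (constructed)."""
    def method(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if allowed.get(user) == password else Outcome.FAIL
    return method


def local_database(users: dict[str, str]) -> Method:
    """Models the device's local username database (constructed)."""
    def method(user: str, password: str) -> Outcome:
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return method


def none_method() -> Method:
    """The None method: no authentication is performed, so it always passes."""
    return lambda user, password: Outcome.PASS


def evaluate(method_list: list, user: str, password: str) -> tuple:
    """Walk the method list in order. Returns (granted, trail) where trail
    records 'name:outcome' for each method actually consulted."""
    trail = []
    for name, method in method_list:
        outcome = method(user, password)
        trail.append(f"{name}:{outcome.value}")
        if outcome is Outcome.ERROR:
            continue                      # no response: fall through to the next method
        return outcome is Outcome.PASS, trail  # any answer, allow or deny, is final
    return False, trail                   # every method silent: access is denied


def demo() -> dict:
    """Four constructed method lists that show the fall-through rules."""
    users = {"netops": "s3cret"}
    down_group = server_group(reachable=False, allowed=users)
    up_group = server_group(reachable=True, allowed=users)
    return {
        # Server group unreachable: the device falls back to the local database.
        "fallback_to_local": evaluate(
            [("tacacs+", down_group), ("local", local_database(users))], "netops", "s3cret"),
        # Server group answers with a deny: that is final; local is never consulted.
        "deny_is_final": evaluate(
            [("tacacs+", up_group), ("local", local_database(users))], "guest", "guest"),
        # Every method silent and no None at the end: the user is denied.
        "exhausted_denies": evaluate(
            [("tacacs+", down_group), ("radius", down_group)], "netops", "s3cret"),
        # None as the last method: when the servers are down the list fails open,
        # which is why it belongs only at the end and only where that is acceptable.
        "none_fails_open": evaluate(
            [("tacacs+", down_group), ("none", none_method())], "anyone", ""),
    }


if __name__ == "__main__":
    for case, (granted, trail) in demo().items():
        print(f"{case:<18} granted={granted!s:<5} via {' -> '.join(trail)}")
```

The trail returned by evaluate is the part worth checking in practice: a deny from the first method never reaches the local database, and a pass that arrives via "none" means every server group in the list was unreachable at that moment, which is an availability event to investigate rather than a normal login.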


Related Topics

Supported Authorization Types, page 14-69

Supported Accounting Types, page 14-70

Defining AAA Services, page 14-72

AAA on Cisco IOS Routers, page 14-68

Defining AAA Services


To define AAA services on a Cisco IOS router, you must first enable AAA
functionality on the router. After you do this, you can define the kind of
functionality (authentication, authorization, and accounting) that you want the
device to implement. You must define a method list for each function, including
lists for each type of authorization and accounting that you enable.
For example, if you want to configure EXEC authorization and command
authorization, you must define one method list for EXEC authorization and other
method lists for each privilege level on which command authorization is
performed.

Note

If you use RADIUS for authentication, you must use the same RADIUS server
group for authorization as well.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > AAA from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > AAA from the
Policy Type selector. Right-click AAA to create a policy, or select an existing
policy from the Shared Policy selector.

The AAA page is displayed. See Table K-34 on page K-91 for a description of the
fields on this page.


Step 2

Define which login authentication methods to use on users who access the device:

a. On the Authentication tab (see Table K-35 on page K-93), select the Enable
Device Login Authentication check box.

b. Enter the names of one or more AAA server group objects (up to four) in the
Prioritized Method List field, or click Select to display a selector (see Object
Selectors, page F-558). Use the up and down arrows in the object selector to
define the order in which the selected server groups should be used.

Tip

If the required AAA server is not listed, click the Create button or the
Edit button in the selector to open the AAA Server Dialog Box,
page F-20. From here you can define an AAA server to include in the
server group.

Note

If you select None as a method, it must appear as the last method in the
list.

Step 3

(Optional) In the Maximum Number of Attempts field, define the maximum
number of unsuccessful authentication attempts to allow before a user is locked
out.

Step 4

(Optional) Define which authorization methods to use on users who have been
successfully authenticated:

a. Click the Authorization tab on the AAA page. See Table K-37 on page K-95
for a description of the fields on this tab.

b. Define method lists for one or more of the following types of authorization:

Network

EXEC

Command: Click the Add button to display the Command Authorization dialog
box (see Table K-37 on page K-97). From here, you can select a privilege level
and the method list to apply to it.

For more information about these authorization types, see Supported
Authorization Types, page 14-69.


Note

RADIUS uses the same server for authentication and authorization.
Therefore, if you define a RADIUS method list for authentication,
you must define the same method list for authorization.

Step 5

(Optional) Define which accounting methods to use on the activities performed
by users:

a. Click the Accounting tab on the AAA page. See Table K-39 on page K-99 for
a description of the fields on this tab.

b. Define method lists for one or more of the following types of accounting:

Connection

EXEC

Command: Click the Add button to display the Command Accounting
dialog box (see Table K-39 on page K-101). From here, you can select a
privilege level and the method list to apply to it.

For more information about these accounting types, see Supported
Accounting Types, page 14-70.

c. For each accounting type defined in Step b, select a value from the
Accounting Process Notices list. This defines when to create an accounting
record: at the beginning and end of the user process, or only at the end.

d. For each accounting type defined in Step b, select the Enable broadcast to
multiple servers check box if you want accounting information sent
simultaneously to the first server in each AAA server group defined in the
method list.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
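The procedure above fills in the AAA page one tab at a time. As an added example (not Security Manager's code or its generated configuration), the following Python renders such a policy as the IOS aaa commands it corresponds to and applies the RADIUS rule stated in the note under Step 4. The policy dictionary layout, the server group names TAC-GRP and RAD-GRP, and the helper names are assumptions made for this example; the command syntax is the standard IOS aaa syntax, and the exact lines Security Manager deploys may differ.

```python
"""Render an AAA policy (as captured on the AAA page) as the Cisco IOS
commands it corresponds to, checking the RADIUS rule the procedure states.

Added example; not Security Manager's own code or output. The policy
dictionary layout, the server group names and the helper names are
constructed for this illustration; the command syntax follows the IOS
'aaa' commands, and the exact lines Security Manager deploys may differ.
"""

# Policy as the AAA page would capture it (constructed sample).
POLICY = {
    "authentication": {"methods": ["TAC-GRP", "local"], "max_attempts": 3},
    "authorization": {
        "exec": ["TAC-GRP", "local"],
        "network": ["RAD-GRP"],
        "commands": {15: ["TAC-GRP", "local"]},
    },
    "accounting": {
        "exec": {"methods": ["TAC-GRP"], "notice": "start-stop", "broadcast": False},
        "commands": {15: {"methods": ["TAC-GRP"], "notice": "stop-only", "broadcast": True}},
    },
}

# Which server group objects are RADIUS groups (constructed; in Security
# Manager this is a property of the AAA server group object).
RADIUS_GROUPS = {"RAD-GRP"}
KEYWORDS = {"local", "enable", "none", "line"}  # methods that are not server groups


def render_methods(methods):
    """'TAC-GRP' -> 'group TAC-GRP'; 'local' and friends stay keywords."""
    return " ".join(m if m in KEYWORDS else f"group {m}" for m in methods)


def check_policy(policy):
    """RADIUS uses one server for authentication and authorization, so a RADIUS
    authentication method list must be reused unchanged for authorization."""
    auth = policy["authentication"]["methods"]
    if any(m in RADIUS_GROUPS for m in auth):
        if policy.get("authorization", {}).get("exec") != auth:
            raise ValueError("RADIUS authentication requires the same method list for authorization")
    return True


def _acct_line(kind, level, spec):
    lvl = f" {level}" if level is not None else ""
    bcast = " broadcast" if spec.get("broadcast") else ""
    return f"aaa accounting {kind}{lvl} default {spec['notice']}{bcast} {render_methods(spec['methods'])}"


def render(policy):
    """Return the IOS command lines for the policy, in configuration order."""
    check_policy(policy)
    lines = ["aaa new-model"]                      # AAA must be enabled first
    auth = policy["authentication"]
    lines.append(f"aaa authentication login default {render_methods(auth['methods'])}")
    if auth.get("max_attempts"):
        lines.append(f"aaa authentication attempts login {auth['max_attempts']}")
    authz = policy.get("authorization", {})
    for kind in ("exec", "network"):
        if kind in authz:
            lines.append(f"aaa authorization {kind} default {render_methods(authz[kind])}")
    for level, methods in sorted(authz.get("commands", {}).items()):
        lines.append(f"aaa authorization commands {level} default {render_methods(methods)}")
    acct = policy.get("accounting", {})
    for kind in ("exec", "connection"):
        if kind in acct:
            lines.append(_acct_line(kind, None, acct[kind]))
    for level, spec in sorted(acct.get("commands", {}).items()):
        lines.append(_acct_line("commands", level, spec))
    return lines


if __name__ == "__main__":
    print("\n".join(render(POLICY)))
```

Command authorization and command accounting each produce one line per privilege level, which is why the procedure asks for a separate method list per level.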

Related Topics

Understanding Method Lists, page 14-71

AAA on Cisco IOS Routers, page 14-68

Understanding AAA Server Objects, page 8-23

Understanding AAA Server Group Objects, page 8-16


User Accounts and Device Credentials on Cisco IOS Routers

Accounts and credential policies define the contact information for accessing the
router, including the privilege level provided to each user account. You can
configure as many user accounts as required. However, the user account that
Security Manager uses to connect to the router is always the one configured in the
Device Properties page.
Additionally, you use device access policies to define the enable or enable secret
password required to access privileged EXEC mode. This is the mode required to
make any configuration changes on the router.

Note

If you use this policy to define a password, be careful later not to unassign this
policy without assigning a replacement policy before your next deployment. If
you deploy a device access policy that removes this password and the device
contains a different type of password not known to Security Manager, such as a
line console password, you will not be able to configure this device in the future.
This is because the device reverts to this unknown password if Security Manager
removes the enable password that it had previously configured.
Related Topics

Defining Accounts and Credential Policies, page 14-75

Managing Routers, page 14-1

Defining Accounts and Credential Policies


This procedure describes how to define a device access policy on a Cisco IOS
router. If the username that you configured on the Device Properties page to
connect to the router (see Device Properties Page, page C-53) matches one of the
user accounts you defined in this policy, Security Manager updates the device
credentials according to your policy definition.
When you deploy this policy, the Device Properties page is updated with any new
password information.


Note

You can discover encrypted passwords, but any password you enter must be in
clear text. If you discover an encrypted password and then modify it, the password
is saved as clear text.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Accounts and
Credentials from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Accounts and
Credentials from the Policy Type selector. Right-click Accounts and
Credentials to create a policy, or select an existing policy from the Shared
Policy selector.

The Accounts and Credentials page is displayed. See Table K-41 on page K-105
for a description of the fields on this page.
Step 2

Enter the password for switching to privileged EXEC mode on the router:

a. Select Enable Password or Enable Secret Password. The Enable Secret
Password option offers better security than the Enable Password option by
storing the password using MD5 encryption. This option is useful in
environments in which the password crosses the network or is stored on a
TFTP server.

Note

After you set an enable secret password, you can switch to an enable
password only if the enable secret is disabled or an older version of
Cisco IOS software is being used, such as when running an older
rxboot image.

b. Enter a password, then enter it again in the Confirm field. The password that
you enter must be in clear text. If you are configuring the enable secret
password, the password is encrypted on deployment.

Step 3

(Optional) Select the Enable Password Encryption Service check box to encrypt
all passwords on the device. This includes, for example, the enable password,
username passwords, authentication key passwords, console and VTY line access
passwords, and BGP neighbor passwords.
We recommend using this feature to help prevent unauthorized individuals from
viewing the passwords in your configuration file.

Note

This option does not provide a high level of security and should not be
used as a substitute for additional network security measures.

Step 4

To define new user accounts for the router:

a. Click the Add button under the table to display the User Accounts dialog box.

b. Enter the details for the new user. See Table K-42 on page K-107 for a
description of the available fields.

c. Click OK to save your definitions locally on the client and close the dialog
box. Your definitions are displayed in the User Accounts table.

Note

To edit a user account, select it from the User Accounts table, then click
Edit. To remove a user account, select it, then click Delete.

Step 5

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
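Step 2 and Step 3 above describe what the enable secret and the password encryption service do and do not protect against. The following Python is an added audit check, not Security Manager code: it reads the password-related lines of a router configuration (a constructed sample is embedded) and reports where an enable password is used instead of an enable secret, where the encryption service is off, and where user accounts still carry password rather than secret. The sample configuration, the hash placeholder and the finding texts are assumptions made for this example.

```python
"""Audit the password-related lines of an IOS configuration against the
guidance in the Accounts and Credentials procedure.

Added example, not Security Manager's own code. The sample configuration
(including the placeholder hash) and the finding texts are constructed;
the line formats are the standard IOS 'enable', 'username' and
'service password-encryption' commands.
"""
import re

# Constructed sample: an enable password in type 7 form, one user with a
# clear-text password and one with a (placeholder) MD5 secret.
SAMPLE_CONFIG = """\
!
enable password 7 0822455D0A16
username backup password 0 Backup123
username admin secret 5 $1$XyZ1$placeholderhashvalue.
!
line con 0
"""


def audit_credentials(config_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    lines = [line.strip() for line in config_text.splitlines()]
    has_secret = any(line.startswith("enable secret ") for line in lines)
    has_enable_pw = any(line.startswith("enable password ") for line in lines)
    if not has_secret and not has_enable_pw:
        findings.append(("high", "no enable password or enable secret configured"))
    elif not has_secret:
        # 'enable password' is stored in clear text or in the reversible type 7
        # form; 'enable secret' stores an MD5 (type 5) hash instead.
        findings.append(("high", "enable password used instead of enable secret"))
    if "service password-encryption" not in lines:
        findings.append(("medium", "service password-encryption disabled: "
                         "clear-text passwords are visible in the configuration file"))
    for line in lines:
        m = re.match(r"username (\S+) password (\d) ", line)
        if m:
            user, ptype = m.groups()
            kind = "clear-text" if ptype == "0" else f"type {ptype}"
            findings.append(("medium",
                             f"user {user}: {kind} 'password' used; prefer 'username {user} secret'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_credentials(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

The check treats the encryption service as a hygiene item rather than a control, which matches the note above: it hides passwords from a casual reader of the file but does not make them unrecoverable, whereas the enable secret does.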

Related Topics

User Accounts and Device Credentials on Cisco IOS Routers, page 14-75

Bridging on Cisco IOS Routers


Bridging policies enable you to perform transparent bridging (as specified in
RFC 1286) on selected interfaces that you have configured to function as a bridge
group. Security Manager supports integrated routing and bridging, which makes
it possible to route a specific protocol between routed interfaces and bridge
groups, or route a specific protocol between bridge groups. Local or unroutable
traffic can be bridged among the bridged interfaces in the same bridge group,
while routable traffic can be routed to other routed interfaces or bridge groups, as
shown in Figure 14-5.
Using integrated routing and bridging, you can:

Switch packets from a bridged interface to a routed interface.

Switch packets from a routed interface to a bridged interface.

Switch packets within the same bridge group.


Figure 14-5 Transparent Bridging

[Figure omitted. Labels in the figure: Router, routed interface, bridge group 1,
bridged interfaces, E0, E1, E2, E3, 10.0.0.1.]

Related Topics

Defining Bridge Groups, page 14-80

Bridge-Group Virtual Interfaces, page 14-78

Bridge-Group Virtual Interfaces


Because bridging takes place at the data link layer and routing takes place at the
network layer, they have different protocol configuration models. With IP, for
example, bridge group interfaces belong to the same network and have a collective
IP network address. In contrast, each routed interface represents a distinct
network and has its own IP network address. Integrated routing and bridging uses
the concept of a bridge-group virtual interface (BVI) to enable these interfaces to
exchange packets for a given protocol. As shown in Figure 14-6, the interface
number assigned to the BVI corresponds to the bridge group that the BVI
represents. This number serves as the link between the virtual interface and the
bridge group.
Figure 14-6 Bridge-Group Virtual Interface

[Figure omitted. Labels in the figure: routed interface, bridge group 1, bridged
interfaces, E0, E1, E2, E3, 10.0.0.1, BVI 1, 10.0.0.2.]

When you enable routing for a given protocol on the BVI, packets coming from a
routed interface that are destined for a host in a bridged domain are routed to the
BVI and then forwarded to the corresponding bridged interface. All traffic routed
to the BVI is forwarded to the corresponding bridge group as bridged traffic. All
routable traffic received on a bridged interface is routed to other routed interfaces
as if it is coming directly from the BVI.

Note

BVI interfaces are configured using the Interfaces policy. See Defining Basic
Router Interface Settings, page 14-24. The BVI interface must have a
corresponding bridge group with the same number; otherwise, deployment
will fail.

When the bridge group contains more than two interfaces, add a BVI interface
to the group to help prevent unicast flooding, which is a potential security
issue.
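To show what the unicast flooding mentioned in the note looks like, the following Python models a bridge group as a learning bridge with a BVI. It is an added example, not Security Manager or IOS code; the interface names, MAC addresses and frames are constructed, and spanning tree and address ageing are left out. A frame for an address the bridge has not yet learned is copied to every other interface in the group, so hosts on unrelated segments see it, while a frame addressed to the BVI leaves the group through the router's routed path.

```python
"""Transparent bridge with a bridge-group virtual interface (BVI), as an
illustration of the forwarding behaviour described above.

Added example, not Security Manager or IOS code. Interface names, MAC
addresses and the frames are constructed; a real bridge also runs
spanning tree and ages out learned addresses, which this model omits.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class BridgeGroup:
    def __init__(self, number, interfaces, bvi_mac=None):
        self.number = number
        self.interfaces = list(interfaces)   # bridged (Layer 2) ports, e.g. E0, E1, E2
        self.bvi_mac = bvi_mac               # MAC of BVI <number>; None if no BVI exists
        self.table = {}                      # learned MAC -> port

    def receive(self, ingress, src, dst):
        """Return the list of ports the frame is sent out of.

        'route' stands for the router's Layer 3 path: frames addressed to the
        BVI MAC leave the bridge group to be routed and are never flooded.
        """
        self.table[src] = ingress            # learn the source on the ingress port
        if self.bvi_mac is not None and dst == self.bvi_mac:
            return ["route"]
        if dst == BROADCAST or dst not in self.table:
            # Unknown unicast is flooded out of every other port in the group:
            # hosts on every other bridged segment see traffic meant for one host.
            return [p for p in self.interfaces if p != ingress]
        out = self.table[dst]
        return [] if out == ingress else [out]   # drop frames that stay on one segment


def demo():
    bg = BridgeGroup(1, ["E0", "E1", "E2"], bvi_mac="00:00:0c:00:00:01")
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    flooded = bg.receive("E0", a, b)         # b unknown yet: flooded to E1 and E2
    reply = bg.receive("E2", b, a)           # a was learned on E0: forwarded only there
    direct = bg.receive("E0", a, b)          # b now known on E2: no more flooding
    routed = bg.receive("E1", "00:11:22:33:44:03", "00:00:0c:00:00:01")
    return flooded, reply, direct, routed


if __name__ == "__main__":
    print(demo())
```

The flooding in the first exchange is the exposure the note refers to: until the destination answers, every interface in the group receives a copy, which is why a group of more than two interfaces deserves attention.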

Related Topics

Defining Bridge Groups, page 14-80

Bridging on Cisco IOS Routers, page 14-77


Defining Bridge Groups


You define a bridge group by selecting the L3 interfaces that are part of the bridge
group and assigning the group a number. All bridge groups in Security Manager
perform integrated routing and bridging on IP traffic only and use the standard
Spanning Tree Protocol (IEEE 802.1D).

Note

Use CLI commands or FlexConfigs to bridge other protocols, such as AppleTalk
or IPX, and to use other spanning tree protocols, such as VLAN-Bridge.
Concurrent routing and bridging is not supported.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Bridging from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > Bridging from the
Policy Type selector. Right-click Bridging to create a policy, or select an
existing policy from the Shared Policy selector.

The Bridging page is displayed. See Table K-43 on page K-109 for a description
of the fields on this page.
Step 2

Click the Add button under the table to display the Bridge Group dialog box. See
Table K-44 on page K-110 for a description of the fields in this dialog box. From
here you can define a bridge group.

Step 3

Enter a number to identify the bridge group.

Step 4

Enter the names of the interfaces and interface roles that are part of the bridge
group, or click Select to display a selector (see Object Selectors, page F-558). For
more information, see Specifying Interfaces During Policy Definition,
page 8-118.
You can select most Layer 3 interfaces, except X.25 and Integrated Services
Digital Network (ISDN) bridged interfaces and certain types of logical interfaces
(such as loopback, tunnel, null, and BVI). Each interface can be included in only
one bridge group.
You can select a LAN subinterface only if the parent interface is configured with
Inter-Switch Link (ISL) or 802.1Q encapsulation.


Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Note

Make sure that your bridge group does not prevent Security Manager from
communicating with the device.

Step 5

Click OK to save your definitions locally on the client and close the dialog box.
The bridge group is displayed in the table on the Bridging page.

Note

To edit a bridge group, select it from the Groups table, then click Edit. To
remove a bridge group, select it, then click Delete.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Bridging on Cisco IOS Routers, page 14-77

Bridge-Group Virtual Interfaces, page 14-78

Time Zone Settings on Cisco IOS Routers


The local time on a Cisco IOS router is typically set using the clock set CLI
command or by dynamically deriving the time from an NTP server. You can
adjust these time settings by defining the time zone in which the router resides
and the start and end dates of Daylight Saving Time (DST) in that time zone.


Related Topics

Defining Time Zone and DST Settings, page 14-82

NTP on Cisco IOS Routers, page 14-126

Managing Routers, page 14-1

Defining Time Zone and DST Settings


Security Manager enables you to define the time zone in which a Cisco IOS router
is located. You can also define the start and end dates for Daylight Saving Time
(DST).
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Clock from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > Clock from the
Policy Type selector. Right-click Clock to create a policy, or select an
existing policy from the Shared Policy selector.

The Clock page is displayed. See Table K-45 on page K-112 for a description of
the fields on this page.
Step 2

Select the time zone in which the router is located. Time zones are listed
according to the number of hours behind or ahead of Greenwich Mean Time (GMT).

Step 3

(Optional) Select the method for determining the start and end dates for DST:

Set by Date: Select this option when DST starts and ends on fixed dates.
Continue with Step 4.

Set by Day: Select this option when DST starts and ends on days whose
specific dates vary from year to year. Continue with Step 5.

None: Select this option when DST is not used. Continue with Step 7.

Step 4

(When Set by Date is selected) Define the fixed dates when DST starts and ends:

a. Under Start, click the calendar icon, then click the appropriate date.

b. Select the hour and minute from the displayed lists.


c. Repeat steps a and b to configure the end date and time.

d. Continue with Step 7.

Step 5

(When Set by Day is selected) Select the Specify Recurring Time check box if
you want to define a DST period other than the default, which is the period used
throughout most of the United States. Continue with Step 6.

Step 6

(When Specify Recurring Time is selected) Define the start and end of DST:

a. Under Start, select the month when DST begins.

b. Select the week of the month (1, 2, 3, 4, first, or last).

c. Select the day of the week.

d. Select the hour and minute from the displayed lists. For example, if DST
begins at 1:00 a.m. on the last Sunday of each March, select March, last,
Sunday, 1, and 00.

e. Repeat Steps a through d to configure the end date and time.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
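The Set by Day rule in Step 6 (month, week, weekday, hour, minute) resolves to a different date each year. The following Python performs that resolution and tests whether a local timestamp falls within DST; it is an added example, not Security Manager code. The start rule is the one from the example in Step 6d (1:00 a.m. on the last Sunday of March); the end rule on the last Sunday of October, and the spellings accepted for weeks and weekdays, are assumptions made for this example.

```python
"""Resolve a 'Set by Day' DST rule (month, week, weekday, hour, minute) to
concrete dates, and test whether a timestamp falls inside DST.

Added example, not Security Manager code. The rule tuple mirrors the
fields on the Clock page; the week and weekday spellings accepted here
and the October end rule are this example's own assumptions.
"""
import calendar
from datetime import datetime

WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}    # Monday -> 0
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}


def resolve(rule, year):
    """rule = (month, week, weekday, hour, minute); week is 1-4, 'first' or 'last'.

    Returns the local wall-clock datetime at which the rule fires in 'year'.
    """
    month, week, weekday, hour, minute = rule
    m, wd = MONTHS[month], WEEKDAYS[weekday]
    # Every day in the month that falls on the requested weekday, in order.
    days = [d for d in range(1, calendar.monthrange(year, m)[1] + 1)
            if calendar.weekday(year, m, d) == wd]
    if week == "last":
        day = days[-1]
    else:
        index = 0 if week == "first" else int(week) - 1
        day = days[index]
    return datetime(year, m, day, hour, minute)


def in_dst(ts, start_rule, end_rule):
    """True if local wall-clock timestamp ts lies between the resolved start
    and end for its year (start before end within the year, as in the
    northern hemisphere; a southern-hemisphere rule would need the reverse)."""
    start, end = resolve(start_rule, ts.year), resolve(end_rule, ts.year)
    return start <= ts < end


# Rule from the example in the procedure: DST begins 1:00 a.m. on the last
# Sunday of March. The end rule is constructed for this example.
START = ("March", "last", "Sunday", 1, 0)
END = ("October", "last", "Sunday", 2, 0)

if __name__ == "__main__":
    for year in (2007, 2008):
        print(year, resolve(START, year), resolve(END, year))
```

Resolving the rule before deployment is a cheap way to confirm the selection is what was intended, because an off-by-one in the week field shifts every year's transition by seven days and only shows up in log timestamps later.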

Related Topics

Defining NTP Servers, page 14-127

Time Zone Settings on Cisco IOS Routers, page 14-81

CPU Utilization Settings on Cisco IOS Routers


The CPU policy configures settings relating to CPU utilization. This policy
provides you with methods for monitoring CPU resources and tracking processes
that exceed a predetermined level of utilization.

Note

The CPU policy is supported on routers running Cisco IOS Software Release
12.3(14)T or later.


Related Topics

Defining CPU Utilization Settings, page 14-84

Managing Routers, page 14-1

Defining CPU Utilization Settings


You can use Security Manager to modify the following default CPU utilization
settings:

The size of the CPU history table.

The size of the extended CPU load history table.

Whether to enable the automatic CPU Hog profiling.

In addition, you can optionally define:

The CPU utilization level that causes a process to be included in the history
table.

The types of CPU utilization thresholds to enable. For each type of threshold,
you can determine the threshold values that trigger notifications.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > CPU from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > CPU from the
Policy Type selector. Right-click CPU to create a policy, or select an existing
policy from the Shared Policy selector.

The CPU page is displayed.


Step 2

(Optional) Define the CPU utilization settings of the router, as required. See
Table K-46 on page K-115 for a description of the available fields.

Step 3

Click Save to save your definitions to the Security Manager server.


Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

CPU Utilization Settings on Cisco IOS Routers, page 14-83

Logging on Cisco IOS Routers, page 14-146

HTTP and HTTPS on Cisco IOS Routers


Security Manager enables you to configure HTTP and HTTP over Secure Socket
Layer (known as HTTP over SSL or HTTPS) server functionality on Cisco IOS
routers. This feature provides SSL version 3.0 support for the HTTP 1.1 server.
A secure HTTP connection means that data sent to and received from an HTTP
server are encrypted before being sent out over the internet. HTTP with SSL
encryption provides a secure connection to allow such functions as configuring a
router from a web browser.
In addition to providing access to the device via the Cisco web browser user
interface, HTTP and HTTPS are used by device management applications, such
as the Cisco Router and Security Device Manager (SDM), to communicate with
the device.
Related Topics

Defining HTTP Policies, page 14-86

Managing Routers, page 14-1


Defining HTTP Policies


When you define an HTTP policy, you can:

Enable and disable HTTP and SSL functionality on the router.

Specify the ports used by each protocol.

Optionally define a standard, numbered ACL that restricts access to the
device using these protocols.

In addition, you can define the AAA authentication and authorization methods
to perform on users.
You must use caution when defining an HTTP policy, as your settings may affect
communication between Security Manager (as well as other management
applications that use these protocols) and the device.

Note

As a general rule, Cisco IOS routers that have been discovered by Security
Manager already have HTTPS enabled because Security Manager uses SSL as the
default protocol for communicating with them. See Setting Up SSL on Cisco IOS
Routers, page 5-6.
Before You Begin

Enable AAA services on the router. See Defining AAA Services, page 14-72.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > HTTP
from the Policy selector, then click the Setup tab in the work area.

(Policy view) Select Router Platform > Device Admin > Device Access >
HTTP from the Policy Type selector. Right-click HTTP to create a policy, or
select an existing policy from the Shared Policy selector. Then click the
Setup tab.

The HTTP Setup tab is displayed. See Table K-47 on page K-119 for a description
of the fields on this tab.
Step 2

Select the check boxes to enable HTTP and SSL (HTTPS) server functionality on
the router.


Note

If SSL is disabled (or if the HTTP policy as a whole is unassigned),
Security Manager cannot communicate with the device after deployment
unless you change the transport protocol for this device to SSH. This
setting can be found in Device Properties. See Changing the Device
Transport Protocol on Cisco IOS Routers, page 5-22.

Tip

We recommend that you disable HTTP when SSL is enabled. This is
required to ensure only secure connections to the server.

Step 3

(Optional) Modify the default ports used by HTTP (80) and HTTPS (443).

Step 4

(Optional) In the Allow Connection From field, enter the name of the standard,
numbered ACL object that specifies which addresses can use HTTP and HTTPS
on this device, or click Select to display a selector (see Object Selectors,
page F-558). Use this option to restrict access to these protocols.

Tip

If the required ACL is not listed in the selector, click the Create button or
the Edit button in the selector to open the Standard Access List dialog
box. From here you can define an ACL to use in the policy. See Creating
Access Control List Objects, page 8-36.

Note

Make sure that the ACL you select permits the Security Manager server;
otherwise, communication with the device is lost.

Step 5

(Optional) On the AAA tab, modify the default type of authentication to perform
on users who attempt to access the device using HTTP or HTTPS. Options include
AAA, Enable Password (default), Local Database, and TACACS.
If you select AAA, continue with Step 6; otherwise, continue with Step 8.

Note

The TACACS option applies only to devices using an IOS software
version prior to 12.3(8).

See Table K-48 on page K-121 for a description of the fields on the AAA tab.


Step 6

Select the authentication method to perform on users:

If you want to use the default AAA login authentication methods defined in
the device's AAA policy (see Defining AAA Services, page 14-72), do not
select the Enable Device Login Authentication check box. Continue with
Step 7.

If you want to define a method list especially for this policy, do the following:

a. Select the Enable Device Login Authentication check box.

b. Under Prioritized Method List, enter the names of the AAA server groups to
use for authentication, or click Select to display a selector (see Object
Selectors, page F-558). Use the up and down arrows in the selector to define
the order in which you want to apply these authentication methods.

Note

Make sure that Security Manager users are defined on the AAA servers;
otherwise communication with the device is lost.

Step 7

Select the authorization method to perform on users who use HTTP or HTTPS to
begin an EXEC session:

If you want to use the default AAA authorization methods defined in the
device's AAA policy, do not select the Enable CLI/EXEC Operations
Authorization check box. Continue with Step 8.

If you want to define a method list especially for this policy, select the Enable
CLI/EXEC Operations Authorization check box, then define the method
list.

Note

If you leave this option deselected, make sure that EXEC authorization is
enabled in the router's AAA policy. Otherwise, you will be unable to
connect to the device via HTTP or HTTPS (SSL). This applies to Security
Manager as well as other applications, such as SDM. See Defining AAA
Services, page 14-72.

Step 8

(Optional) Create command authorization definitions for specific privilege levels:

a. Click the Add button under the Command Authorization Override table. The
Command Authorization Override dialog box is displayed. See Table K-49
on page K-124 for a description of the fields in this dialog box.

b. Configure the command authorization definition as required.


c. Click OK. The dialog box closes and the authorization method is displayed
in the Command Authorization Override table.

d. Repeat Steps a through c to create additional command authorization
definitions.

Step 9

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
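The notes in Step 2 and Step 4 warn that an HTTP policy can cut Security Manager off from the device. The following Python is an added check, not Security Manager code: it reads a router configuration (a constructed sample is embedded), confirms that HTTPS is on and plain HTTP off, and evaluates the standard ACL applied to the HTTP server against the management server's address, including IOS wildcard-mask matching and the implicit deny at the end of the list. The ACL number 10, the addresses and the message texts are assumptions made for this example.

```python
"""Check that an HTTP policy keeps the management path open: HTTPS on, plain
HTTP off, and the standard ACL applied to the HTTP server permits the
Security Manager server's address.

Added example, not Security Manager code. The sample configuration, the
ACL number and the addresses are constructed; 'ip http access-class' and
standard 'access-list' lines follow their IOS syntax.
"""
import ipaddress
import re

# Constructed sample: both servers enabled, ACL 10 restricts the HTTP server.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 10.20.0.0 0.0.0.255
access-list 10 permit host 192.0.2.15
"""


def parse_standard_acl(config_text, number):
    """Return the [(action, network)] entries of standard ACL <number>, in order."""
    entries = []
    pattern = re.compile(rf"^access-list {number} (permit|deny) (.+)$")
    for line in config_text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        action, target = m.groups()
        parts = target.split()
        if parts[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif parts[0] == "host":
            net = ipaddress.ip_network(f"{parts[1]}/32")
        else:
            # IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24.
            # A bare address with no wildcard means a single host.
            addr = parts[0]
            wildcard = parts[1] if len(parts) > 1 else "0.0.0.0"
            netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
            net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
        entries.append((action, net))
    return entries


def acl_permits(entries, address):
    """First matching entry wins; an ACL ends with an implicit deny."""
    ip = ipaddress.ip_address(address)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


def check_http_policy(config_text, manager_ip):
    """Return a list of findings that would break or weaken management access."""
    lines = {line.strip() for line in config_text.splitlines()}
    findings = []
    if "ip http secure-server" not in lines:
        findings.append("HTTPS disabled: Security Manager cannot reach the device over SSL")
    if "ip http server" in lines:
        findings.append("plain HTTP enabled alongside HTTPS; disable it to allow only secure connections")
    acl_number = None
    for line in lines:
        m = re.match(r"ip http access-class (\d+)$", line)
        if m:
            acl_number = m.group(1)
    if acl_number is not None:
        entries = parse_standard_acl(config_text, acl_number)
        if not acl_permits(entries, manager_ip):
            findings.append(f"ACL {acl_number} does not permit the Security Manager server {manager_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_http_policy(SAMPLE_CONFIG, "10.20.0.7"):
        print(finding)
```

Running the check with the management server's real address before deployment catches the lock-out case the note describes, since the device will enforce the ACL the moment the policy is deployed.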

Related Topics

HTTP and HTTPS on Cisco IOS Routers, page 14-85

Line Access on Cisco IOS Routers


Security Manager enables you to configure command line access (also called
EXEC access) to a router using the following methods:

Console port: Physical connection via a standard RS232 cable for local
access. For more information, see:
Defining Console Port Setup Parameters, page 14-90
Defining Console Port AAA Settings, page 14-92

VTY lines: Virtual terminal lines for remote access, typically using
protocols such as Telnet, SSH, or rlogin. For more information, see:
Defining VTY Line Setup Parameters, page 14-94
Defining VTY Line AAA Settings, page 14-98

After you configure and deploy these policies, you can use these lines to
communicate with individual devices directly when you want to configure or
diagnose them using the CLI.
Related Topics

Managing Routers, page 14-1


Defining Console Port Setup Parameters


The console port on a router is generally used for local system access by an
administrator with physical access to the device. By default, the console port is
set up as follows:

All permitted users have privileged access to the router, including all
configuration commands (privilege level 15).

The line is disconnected after 10 minutes without user input.

Incoming connections are not permitted.

Outgoing connections support Telnet only.

In addition to modifying any of the default settings, you can optionally define the
following settings:

The password for accessing the console.

Whether to disable all EXEC sessions on the console.

Incoming and outgoing ACLs that restrict the connections that are permitted
on the console.

Whether VRF connections are permitted on the console.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Line
Access > Console from the Policy selector, then click the Setup tab in the
work area.

(Policy view) Select Router Platform > Device Admin > Device Access >
Line Access > Console from the Policy Type selector. Right-click Console
to create a policy, or select an existing policy from the Shared Policy selector.
Then click the Setup tab.

The Console Setup tab is displayed. See Table K-50 on page K-127 for a
description of the fields on this tab.
Step 2

(Optional) Enter the password for accessing the console port, then enter it again
in the Confirm field.


Step 3

(Optional) Modify the default privilege level (15) granted to users of the console
port.

Step 4

(Optional) Select the Disable all the EXEC sessions to the router via this line
check box to prevent any incoming connections via the console.

Note

Selecting this option blocks all access to the device via the console port.

Step 5

(Optional) Modify the default timeout after which the line is disconnected if no
user input is detected.

Note

Setting this value to 0 disables the timeout. Disabling the timeout could
compromise the security of your network.

Step 6

(Optional) Specify which protocols can be used for outbound connections on the
console port:

All: All supported protocols are permitted.

None: No protocols are permitted.

Protocol: Enables one or more of the following protocols: SSH, Telnet, and
rlogin.

Note

You must configure AAA authentication on devices where the console
port permits the SSH and rlogin protocols. See Defining Console Port
AAA Settings, page 14-92.

Step 7

(Optional) Enter the names of ACLs that restrict incoming and outgoing
connections between the device and the addresses in these lines, or click Select to
display a selector (see Object Selectors, page F-558).

Tip

If the required ACL is not listed in the selector, click the Create button or
the Edit button in the selector to open the Add and Edit Extended Access
List Pages, page F-36. From here you can create an extended ACL object
to use in the policy.


Step 8

(Optional) Click the AAA tab to define authentication, authorization, and
accounting settings for the console port. See Defining Console Port AAA
Settings, page 14-92.

Step 9

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
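The console defaults listed above are not shown in an IOS running configuration, so a check has to treat a missing command as the default. The following Python is an added example, not Security Manager code: it extracts the line con 0 stanza from a constructed sample configuration, merges it over those defaults, and reports the conditions the notes in Steps 5 and 6 call out (a timeout of 0, and SSH or rlogin permitted outbound). The sample configuration and the finding texts are assumptions made for this example.

```python
"""Read the 'line con 0' stanza of an IOS configuration and compare it with
the console defaults listed above, flagging the risky settings the notes
in the procedure describe.

Added example, not Security Manager code; the sample configuration is
constructed. IOS omits default settings from the running configuration,
so a command that is absent is read as the default described in the text.
"""

# Constructed sample: console with the idle timeout disabled and SSH permitted
# outbound; the VTY stanza is present only to show the parser stops at it.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
 password 7 045802150C2E
 transport output telnet ssh
 access-class 20 in
line vty 0 4
 exec-timeout 5 0
 transport input ssh
"""

# Defaults as listed in the text: privilege 15, 10-minute timeout,
# no incoming connections, Telnet only outbound.
DEFAULTS = {"privilege": 15, "exec_timeout_sec": 600,
            "transport_input": ["none"], "transport_output": ["telnet"]}


def parse_line_stanza(config_text, name="con 0"):
    """Return the indented commands that belong to 'line <name>'."""
    stanza, inside = [], False
    for raw in config_text.splitlines():
        if raw.startswith("line "):
            inside = raw.strip() == f"line {name}"
        elif inside and raw.startswith(" "):
            stanza.append(raw.strip())
        elif inside:
            inside = False                      # any unindented line ends the stanza
    return stanza


def console_settings(stanza):
    """Merge the stanza over the defaults into one settings dictionary."""
    s = dict(DEFAULTS)
    s["password_set"] = False
    s["no_exec"] = False
    for cmd in stanza:
        words = cmd.split()
        if words[0] == "exec-timeout":
            # 'exec-timeout <minutes> [<seconds>]'; 0 0 disables the timeout
            s["exec_timeout_sec"] = int(words[1]) * 60 + (int(words[2]) if len(words) > 2 else 0)
        elif words[:2] == ["privilege", "level"]:
            s["privilege"] = int(words[2])
        elif words[0] == "transport" and words[1] in ("input", "output"):
            s[f"transport_{words[1]}"] = words[2:]
        elif words[0] == "password":
            s["password_set"] = True
        elif words[:2] == ["no", "exec"]:
            s["no_exec"] = True                 # EXEC sessions on this line disabled
    return s


def audit_console(config_text):
    """Return (settings, findings) for the console line."""
    s = console_settings(parse_line_stanza(config_text))
    findings = []
    if s["exec_timeout_sec"] == 0 and not s["no_exec"]:
        findings.append("exec-timeout 0: idle console sessions never disconnect")
    if not s["password_set"] and not s["no_exec"]:
        findings.append("no console password: an EXEC session is available to anyone with physical access")
    if "ssh" in s["transport_output"] or "rlogin" in s["transport_output"]:
        findings.append("console permits SSH or rlogin outbound: AAA authentication must be configured")
    return s, findings


if __name__ == "__main__":
    settings, findings = audit_console(SAMPLE_CONFIG)
    print(settings)
    for finding in findings:
        print(finding)
```

The password finding is suppressed when EXEC sessions are disabled on the line, which mirrors Step 4: a console that accepts no sessions needs no password for them.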

Related Topics

Line Access on Cisco IOS Routers, page 14-89

Defining Console Port AAA Settings


By default, authentication, authorization, and accounting are not performed on the
console port. When you configure one or more of these access control options,
you can either make use of the default method lists defined in the device's AAA
policy or define a custom method list containing one or more AAA methods.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Line
Access > Console from the Policy selector, then click the Authentication tab
in the work area.

(Policy view) Select Router Platform > Device Admin > Device Access >
Line Access > Console from the Policy Type selector. Right-click Console
to create a policy, or select an existing policy from the Shared Policy selector.
Then click the Authentication tab.

The Console Authentication tab is displayed.


Step 2

(Optional) Select the authentication method to perform on users who attempt to
access the console line.
See Table K-51 on page K-130 for a description of the fields on the
Authentication tab.


Note

If you select local authentication, preview the full configuration before
deployment to make sure that the aaa new-model command is not
configured by another policy (for example, by configuring a method list
in the AAA policy) or is already configured on the device itself.

Step 3

(Optional) On the Authorization tab, select the authorization method to perform
on users who access the console line and begin an EXEC session.
See Table K-52 on page K-131 for a description of the fields on the Authorization
tab.

Note

RADIUS uses the same server for authentication and authorization.
Therefore, if you define a RADIUS method list for authentication,
you must define the same method list for authorization.

Step 4

(Optional) Create command authorization definitions for specific privilege levels:

a. Click the Add button under the Commands Authorization table. The
Command Authorization dialog box is displayed. See Table K-60 on
page K-154 for details.

b. Configure the command authorization definition as required.

c. Click OK. The dialog box closes and the authorization method is displayed
in the Commands Authorization table.

d. Repeat Steps a through c to create additional command authorization
definitions.

Step 5

(Optional) On the Accounting tab, select the EXEC and connection accounting
methods to perform on users who access the console line.
See Table K-53 on page K-134 for a description of the fields on this tab.

Step 6

(Optional) Create command accounting definitions for specific privilege levels:

a. Click the Add button under the Commands Accounting table. The Command
Accounting Dialog Box - Line Access, page K-155 is displayed.

b. Configure the command accounting definition as required.

c. Click OK. The dialog box closes and the accounting method is displayed in
the Commands Accounting table.


d. Repeat Steps a through c to create additional command accounting
definitions.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining Console Port Setup Parameters, page 14-90

Line Access on Cisco IOS Routers, page 14-89

Defining VTY Line Setup Parameters


All Cisco IOS routers are configured by default with five VTY lines (labeled 0-4)
that have the following settings:

All permitted users have privileged access to the router, including all
configuration commands (privilege level 15).

VTY lines are disconnected after 10 minutes without user input.

Incoming connections are not permitted.

Outgoing connections support Telnet only.

You can use Security Manager to modify the default settings on these five VTY
lines or to configure additional lines (up to a maximum of 16). In addition, you
can optionally configure the following settings on each line:

The password for accessing the line.

Whether to disable all EXEC sessions on the line.

Incoming and outgoing ACLs that restrict the connections that are permitted
on the line.

Whether VRF connections are permitted on the line.

Defining Groups of VTY Lines

You can configure multiple VTY lines as a contiguous group, which enables you
to define identical settings for all the lines in the group with one procedure. All
the lines within the group must fall within one of two ranges, 0-4 or 6-15. The
group cannot overlap these two ranges.

The rules for configuring VTY line 5 are as follows. Line 5 can be part of the same
definition as lines 0-4 only when there are no lines configured above line 5. If
there are lines configured above line 5, you cannot include line 5 in the definition
for lines 0-4, even if their configurations are the same. Line 5 can be included in
the definition of the lines above line 5 if their configurations are the same.
For example, if lines 0-5 all share one configuration and lines 6-9 have a different
configuration, you need to create three definitions: one definition for lines 0-4,
a second definition for line 5, and a third definition for lines 6-9.

Note

When you configure VTY lines, bear in mind that users are assigned a line at
random when they connect to the device.

You can create only one definition per VTY line. An error is displayed if you
create a VTY line definition that overlaps an existing definition.

If you use Security Manager to configure the default VTY lines (0-4), your
definition overrides the default settings on the device. If you later delete this
definition from Security Manager, the input protocol settings are retained and
the other default settings are restored. This ensures that you always have VTY
lines available for remote access to the device.

You can use the CLI or FlexConfigs to configure additional VTY lines on
devices that support more than 16 lines.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Line
Access > VTY from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Device Access >
Line Access > VTY from the Policy Type selector. Right-click VTY to create
a policy, or select an existing policy from the Shared Policy selector.

The VTY page is displayed. See Table K-54 on page K-138 for a description of
the fields on this page.
Step 2

Click the Add button beneath the Lines table, or select a line definition and then
click the Edit button. The Setup tab of the VTY Lines dialog box is displayed.
See Table K-55 on page K-140 for a description of the fields on this tab.


Step 3

Enter the relative line number of the VTY line. If you are configuring a group of
VTY lines, enter the first and last numbers of the group in the fields provided.

Step 4

(Optional) Enter the password for accessing the VTY line, then enter it again
in the Confirm field.

Step 5

(Optional) Modify the default privilege level (15) granted to users of this VTY
line (or group of lines).

Step 6

(Optional) Select the Disable all the EXEC sessions to the router via this line
check box to prevent any incoming connections over this VTY line (or group of
lines).

Step 7

(Optional) Modify the default timeout after which the line is disconnected if no
user input is detected.

Note

Setting this value to 0 disables the timeout. Disabling the timeout could
cause abandoned sessions to block available VTY lines. It can also
compromise the security of your network.

Step 8

(Optional) Specify which protocols can be used for inbound and outbound
connections on this VTY line (or group of lines):

All: All supported protocols are permitted.

None: No protocols are permitted.

Protocol: Enables one or more of the following protocols: SSH, Telnet, and
rlogin.

Caution

Setting the inbound connections setting to None might prevent Security
Manager from connecting to the device after deployment.

Note

You must configure AAA authentication when the VTY line permits the
SSH and rlogin protocols. See Defining VTY Line AAA Settings,
page 14-98.

Step 9

(Optional) Enter the names of ACLs that restrict incoming and outgoing
connections between the device and the addresses in these lists, or click Select to
display a selector (see Object Selectors, page F-558).


Tip

If the required ACL is not listed in the selector, click the Create button or
the Edit button in the selector to open the Add and Edit Extended Access
List Pages, page F-36. From here you can create an extended ACL object
to use in the policy.

Tip

Defining an inbound ACL is a good way to reserve a VTY line for
administrative access only.

Step 10

(Optional) Click the AAA tab to define authentication, authorization, and
accounting settings for this VTY line (or group of lines). See Defining VTY Line
AAA Settings, page 14-98.

Step 11

Click OK to save your definitions locally on the client and close the dialog box.
Your definitions are displayed in the Lines table.

Step 12

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Note

To edit a VTY line definition, select it from the Lines table, then click Edit.
To remove a VTY line definition, select it, then click Delete.

If you delete a VTY line from an IOS device, any subsequent lines are also
deleted. For example, if the device contains lines 0-9 and you delete line 5,
lines 6-9 are deleted as well.

If you delete the definition for lines 0-4 from Security Manager, the router
retains the inbound protocol definition and restores the other default settings
for these lines on the device. This ensures that five VTY lines are always
available.
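As an added example (not code from this guide or from Security Manager), the following Python applies the grouping rules from Defining Groups of VTY Lines to a set of line definitions, emits the warnings that the Note and Caution text of the setup procedure describes (timeout 0, inbound None, SSH or rlogin without AAA authentication), and renders a definition as IOS line commands. The command rendering is an assumption of the CLI equivalent of each setting, not the configuration Security Manager itself generates.

```python
# Added example (not Security Manager code): applies the VTY grouping rules from
# "Defining Groups of VTY Lines", emits the warnings the setup procedure's Note and
# Caution text describes, and renders a definition as IOS "line vty" commands.
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_LINE = 15                              # at most 16 lines (0-15) via Security Manager
LOW_RANGE = set(range(0, 5))               # lines 0-4
HIGH_RANGE = set(range(6, MAX_LINE + 1))   # lines 6-15
KNOWN_PROTOCOLS = {"ssh", "telnet", "rlogin"}


@dataclass
class VtyGroup:
    first: int
    last: int
    privilege: int = 15                        # default: full privileged access
    exec_timeout_min: int = 10                 # default: disconnect after 10 idle minutes
    no_exec: bool = False                      # "Disable all the EXEC sessions" check box
    transport_in: Set[str] = field(default_factory=set)                # default: None
    transport_out: Set[str] = field(default_factory=lambda: {"telnet"})
    acl_in: Optional[str] = None
    acl_out: Optional[str] = None
    aaa_authentication: bool = False           # an AAA authentication method is attached

    def lines(self) -> Set[int]:
        return set(range(self.first, self.last + 1))

    def label(self) -> str:
        return f"line {self.first}" if self.first == self.last else f"lines {self.first}-{self.last}"


def validate(groups: List[VtyGroup]) -> List[str]:
    """Errors a set of definitions would raise under the guide's grouping rules."""
    errors: List[str] = []
    valid: List[VtyGroup] = []
    for g in groups:
        if 0 <= g.first <= g.last <= MAX_LINE:
            valid.append(g)
        else:
            errors.append(f"{g.label()}: line numbers must be within 0-{MAX_LINE}")
    seen: Set[int] = set()                     # only one definition per VTY line
    for g in valid:
        overlap = seen & g.lines()
        if overlap:
            errors.append(f"{g.label()}: overlaps an existing definition on {sorted(overlap)}")
        seen |= g.lines()
    highest = max(seen) if seen else -1
    for g in valid:
        ls = g.lines()
        if ls & LOW_RANGE and ls & HIGH_RANGE:
            errors.append(f"{g.label()}: a group cannot span both ranges 0-4 and 6-15")
        elif 5 in ls and ls & LOW_RANGE and highest > 5:
            # Line 5 may join 0-4 only when no line above 5 is configured anywhere.
            errors.append(f"{g.label()}: line 5 cannot join 0-4 while lines above 5 are configured")
    return errors


def lint(g: VtyGroup) -> List[str]:
    """Warnings matching the Note and Caution text in the VTY setup procedure."""
    warnings: List[str] = []
    if g.exec_timeout_min == 0:
        warnings.append(f"{g.label()}: timeout disabled; abandoned sessions can block VTY lines")
    if not g.transport_in:
        warnings.append(f"{g.label()}: inbound None; Security Manager may be unable to reconnect")
    if g.transport_in & {"ssh", "rlogin"} and not g.aaa_authentication:
        warnings.append(f"{g.label()}: SSH/rlogin permitted inbound but no AAA authentication defined")
    return warnings


def _transport(direction: str, protocols: Set[str]) -> str:
    if not protocols:
        return f" transport {direction} none"
    if protocols >= KNOWN_PROTOCOLS:
        return f" transport {direction} all"
    return f" transport {direction} " + " ".join(sorted(protocols))


def render(g: VtyGroup) -> List[str]:
    # Assumed IOS equivalent of the settings; Security Manager's own output may differ.
    header = f"line vty {g.first}" if g.first == g.last else f"line vty {g.first} {g.last}"
    cfg = [header, f" privilege level {g.privilege}", f" exec-timeout {g.exec_timeout_min} 0"]
    if g.no_exec:
        cfg.append(" no exec")
    if g.acl_in:
        cfg.append(f" access-class {g.acl_in} in")
    if g.acl_out:
        cfg.append(f" access-class {g.acl_out} out")
    cfg.append(_transport("input", g.transport_in))
    cfg.append(_transport("output", g.transport_out))
    return cfg


if __name__ == "__main__":
    # The guide's example: lines 0-5 with one configuration and 6-9 with another
    # must be split into three definitions (0-4, 5, 6-9) to pass validation.
    print(validate([VtyGroup(0, 5), VtyGroup(6, 9)]))
    print(validate([VtyGroup(0, 4), VtyGroup(5, 5), VtyGroup(6, 9)]))
```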

Related Topics

Line Access on Cisco IOS Routers, page 14-89



Defining VTY Line AAA Settings


By default, authentication, authorization, and accounting are not performed on
VTY lines. When you configure one or more of these access control options, you
can either make use of the default method lists defined in the device's AAA policy
or define a custom method list containing one or more AAA methods.
Before You Begin

Define the basic parameters of the VTY line or group of VTY lines. See
Defining VTY Line Setup Parameters, page 14-94.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Line
Access > VTY from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Device Access >
Line Access > VTY from the Policy Type selector. Right-click VTY to create
a policy, or select an existing policy from the Shared Policy selector.

The VTY page is displayed. See Table K-54 on page K-138 for a description of
the fields on this page.
Step 2

Select a VTY line definition in the Lines table, click the Edit button to display
the VTY Line dialog box, then click the Authentication tab.

Step 3

(Optional) Select the authentication method to perform on users who attempt to
access the VTY line.
See Table K-57 on page K-145 for a description of the fields on this tab.

Note

If you select local authentication, preview the full configuration before
deployment to make sure that the aaa new-model command is not
configured by another policy (for example, by configuring a method list
in the AAA policy) or is already configured on the device itself.

Step 4

(Optional) On the Authorization tab, select the authorization method to perform
on users who access the VTY line and begin an EXEC session.


See Table K-58 on page K-147 for a description of the fields on the Authorization
tab.

Note

RADIUS uses the same server for authentication and authorization.
Therefore, if you define a RADIUS method list for authentication,
you must define the same method list for authorization.

Step 5

(Optional) Create command authorization definitions for specific privilege levels:

a. Click the Add button under the Commands Authorization table. The
Command Authorization Dialog Box - Line Access, page K-153 is
displayed.

b. Configure the command authorization definition as required.

c. Click OK. The dialog box closes and the authorization method is displayed
in the Commands Authorization table.

d. Repeat Steps a through c to create additional command authorization
definitions.

Step 6

(Optional) On the Accounting tab, select the EXEC and connection accounting
methods to perform on users who attempt to access the VTY line.
See Table K-59 on page K-149 for a description of the fields on the Accounting
tab.

Step 7

(Optional) Create command accounting definitions for specific privilege levels:

a. Click the Add button under the Commands Accounting table. The Command
Accounting Dialog Box - Line Access, page K-155 is displayed.

b. Configure the command accounting definition as required.

c. Click OK. The dialog box closes and the accounting method is displayed in
the Commands Accounting table.

d. Repeat Steps a through c to create additional command accounting
definitions.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.


Related Topics

Defining VTY Line Setup Parameters, page 14-94

Line Access on Cisco IOS Routers, page 14-89

Optional SSH Settings on Cisco IOS Routers


Secure Shell (SSH) is an application and a protocol that uses encryption to
provide secure communication between a client and server. You can use SSH to
connect remotely to a Cisco IOS router over a VTY line and establish an EXEC
session. SSH is the recommended replacement for other protocols, such as Telnet
and rlogin, in environments where security is a concern.
All Cisco IOS routers are required to have SSH configured before they can be
added to Security Manager. This is because Security Manager uses SSH (in
addition to SSL) to communicate with them. The SSH policy provides a way to
modify selected default settings and configure selected optional settings.
Related Topics

Defining Optional SSH Settings, page 14-100

Preparing the Devices for Security Manager to Manage, page 5-2

Setting Up SSH, page 5-9

Defining Optional SSH Settings


SSH is configured by default with the following settings:

Both SSH version 1 and SSH version 2 are supported.

The negotiation phase is terminated if not completed successfully after
120 seconds.

The router tries 3 times to authenticate SSH clients before disconnecting.

You can use Security Manager to modify these default settings and optionally
configure the following settings:

The source interface for SSH packets.

The name of the RSA key pair to use.


Whether to regenerate the key during the next deployment.

Before You Begin

Make sure that SSH is enabled on the router. See Preparing the Devices for
Security Manager to Manage, page 5-2.

Make sure that the VTY lines on the router allow inbound SSH traffic. See
Defining VTY Line Setup Parameters, page 14-94.

Make sure that a hostname and domain name are configured on the router
(unless you plan to use a different RSA key pair). You can use the CLI or the
Hostname policy in Security Manager for this purpose. See Hostnames and
Domain Names on Cisco IOS Routers, page 14-109.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Secure
Shell from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Device Access >
Secure Shell from the Policy Type selector. Right-click Secure Shell to
create a policy, or select an existing policy from the Shared Policy selector.

The Secure Shell page is displayed. See Table K-62 on page K-158 for a
description of the fields on this page.
Step 2

(Optional) Modify the following default settings:

a. The version of SSH to support.

b. The timeout for completing the negotiation phase of the SSH connection.

c. The number of times to attempt authentication of the SSH client.

Step 3

(Optional) In the Source Interface field, enter the name of the interface or
interface role whose address should be used as the source interface for all SSH
packets sent to SSH clients, or click Select to display a selector (see Object
Selectors, page F-558). The source interface must have an IP address.


Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

If you do not enter a value in this field, the address of the closest interface to the
destination is used.
Step 4

(Optional) Enter the name of the RSA key pair to use for SSH connections. If you
do not enter a value in this field, the router uses the key pair that is based on the
hostname and domain name.

Tip

Use the CLI command show crypto key mypubkey rsa to display the
names and values of each key pair configured on the device.

Step 5

(Optional) Select the Regenerate Key During Deployment check box if you
want the router to regenerate the RSA key pair used for SSH. This option is useful
if you believe that the secrecy of the keys might be compromised. Enter the size
of the modulus to use in order to regenerate the keys.

Note

You must remember to return to this policy after deployment to deselect
the check box. If you do not do this, a new key is generated during each
deployment.

Note

This option requires interaction with the device during deployment.
Therefore, you should use it only when deploying to live devices, not
when deploying to a file.

Note

A key pair must already exist on the device before you select this option;
otherwise, deployment will fail. (This will typically be the case, since IOS
routers must have SSH enabled in order to be added to Security Manager.)

Step 6

Click Save to save your definitions to the Security Manager server.


Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Optional SSH Settings on Cisco IOS Routers, page 14-100

Setting Up SSH, page 5-9

SNMP on Cisco IOS Routers


Simple Network Management Protocol (SNMP) defines a standard way for
network management stations or workstations to monitor the health and status of
many types of devices, including switches, routers, and firewall devices. It
comprises a protocol, a database-structure specification, and a set of management
data objects. Each SNMP device or member is part of a community, which
determines the access that each device has (read-only or read-write).
SNMP obtains information from the managed device through a Management
Information Base (MIB). The MIB is a database of code blocks called MIB
objects, each of which controls one specific function. The MIB object comprises
MIB variables, which define the MIB object name, description, default value, and
so forth. MIB objects are structured hierarchically in a MIB tree.
SNMP policies enable you to configure the behavior of the SNMP agent running
on the router. The agent sends unsolicited information back to the SNMP host as
events occur. These unsolicited messages, which are generated in response to
significant, predetermined events on the router, are called traps.
The following topics describe the tasks you perform to create SNMP policies on
Cisco IOS routers:

Defining SNMP Agent Properties, page 14-104

Enabling SNMP Traps, page 14-106

Related Topics

Managing Routers, page 14-1


Defining SNMP Agent Properties


When you define the properties of the SNMP agent, you must define the
community string and community string type, as well as the address and
properties of the SNMP host that receives the traps.
SNMP community strings are embedded passwords to MIBs, which store data
about the router's operation and are meant to be available to authenticated remote
users. Two types of community strings exist: public community strings, which
provide read-only access to all objects in the MIB (except community strings
themselves), and private community strings, which provide read-write access to
all objects in the MIB (except community strings).
SNMP hosts receive the traps generated by the router. You must define the
address, password, and port number for accessing the SNMP host, as well as the
SNMP version being used. Security Manager supports SNMP version 1,
version 2c (also called community-based SNMP) and version 3, which offers
authentication and encryption.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > SNMP
from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Device Access >
SNMP from the Policy Type selector. Right-click SNMP to create a policy,
or select an existing policy from the Shared Policy selector.

The SNMP page is displayed. See Table K-63 on page K-160 for a description of
the fields on this page.
Step 2

Define the community string needed to access the MIB:

a. Under Permissions, click Add to display the Permission dialog box.

b. Define the string. See Table K-64 on page K-163 for a description of the
available fields.

c. Click OK to save your definitions locally on the client and close the dialog
box. Your definitions are displayed in the Permissions table.


Note

A warning is displayed if you attempt to edit or delete a community
string that is in use by an SNMP host. If you continue with the
operation, the device creates a private, read-only string that matches
the definition for the host in the Trap Receiver table, as described in
Step 3.

Step 3

Define the SNMP host that receives the traps generated by the SNMP agent:

a. Under Trap Receiver, click Add to display the Trap Receiver dialog box.

b. Define the host. See Table K-65 on page K-164 for a description of the
available fields.

c. Click OK to save your definitions locally on the client and close the dialog
box. Your definitions are displayed in the Trap Receiver table.

Step 4

Under SNMP Server Properties, enter the location and contact information for the
administrator responsible for routers configured with this SNMP policy.
This definition, which is text-only and does not affect the operation of the router,
provides useful information to the manager of the SNMP host when the manager
investigates a particular trap.

Step 5

Click Configure Traps to display the SNMP Traps dialog box, which is used to
select which traps to enable on the router. For more information, see Enabling
SNMP Traps, page 14-106.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

SNMP on Cisco IOS Routers, page 14-103


Enabling SNMP Traps


The router immediately sends notifications, also called SNMP traps, to the
designated SNMP host (management station) when a defined condition occurs,
such as a link up, link down, or a syslog event.
To enable SNMP traps, select the check box next to each relevant trap. Certain
check boxes activate multiple, related traps.

Note

Each trap that you enable consumes system resources. To lessen the impact on
system performance, select only those traps that you need for network monitoring.
Procedure

Step 1

Open the SNMP page for defining SNMP server policies on Cisco IOS routers, as
described in Defining SNMP Agent Properties, page 14-104.

Step 2

On the SNMP page, click Configure Traps. The SNMP Traps dialog box is
displayed.

Step 3

Select the check box next to each type of trap to enable. The traps are divided into
the following four categories:

Standard SNMP traps (for example, Authentication, Cold Start, and Warm
Start).

ISAKMP traps (related to Phase 1 of the IPsec process).

IPsec traps (related to Phase 2 of the IPsec process).

Other traps (includes syslog messages, protocol-related notifications, and
CPU usage warnings).

See Table K-66 on page K-166 for a description of the available traps.

Note

You must add command-line interface (CLI) commands to fully
implement the IP multicast and CPU traps. One method available for
entering these commands is by using FlexConfigs. See Chapter 19,
Managing FlexConfigs.


Tip

Click Select All to enable all traps displayed in the dialog box or Deselect
All to disable all the traps.

Step 4

Click OK to save your definitions locally on the client and close the dialog box.

Tip

To configure SNMP traps not included in this dialog box, define a
FlexConfig. See Chapter 19, Managing FlexConfigs, for more
information.

Related Topics

SNMP on Cisco IOS Routers, page 14-103

DNS on Cisco IOS Routers


The Domain Name System (DNS) is a distributed database in which you can map
hostnames to IP addresses through the DNS protocol from a DNS server. Each
unique IP address can have an associated hostname. DNS is what makes it
possible to connect to hosts without having to know the 32-bit IP address of that
host. The DNS server takes the provided hostname and translates it into the
appropriate IP address.
In addition to the translation provided by remote DNS servers, you can configure
Cisco IOS routers with a local host table containing static mappings of hosts to IP
addresses. When commands such as connect, telnet, and ping are used, the
router checks this host table before querying the DNS servers, which speeds the
translation process.
By default, the DNS feature is enabled on all Cisco IOS routers.
Related Topics

Defining DNS Policies, page 14-108

Managing Routers, page 14-1


Defining DNS Policies


When you define a DNS policy in Security Manager, you can specify the remote
DNS servers used by the router for hostname-to-address translations. In addition,
you can define a static host table that contains local translations used exclusively
by this device. Having selected addresses in this type of cache can speed the
translation process by eliminating the need to query the DNS servers.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > DNS from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > DNS from the
Policy Type selector. Right-click DNS to create a policy, or select an existing
policy from the Shared Policy selector.

The DNS page is displayed. See Table K-67 on page K-169 for a description of
the fields on this page.
Step 2

In the Servers field, enter the addresses of the DNS servers (up to 6) that can
perform hostname-to-address translations for the router. You can use a
combination of addresses and network/host objects, or click Select to display a
selector. For more information, see Specifying IP Addresses During Policy
Definition, page 8-135.

Tip

If the network you want is not listed in the selector, click the Create
button or the Edit button in the selector to display the Network/Host
Dialog Box, page F-433. From here you can create a network/host object
to use in the policy.

Step 3

(Optional) In the Hosts field, enter the static host mappings that you want to
define in the router's host table:

a. Click Add to display the IP Host Dialog Box, page K-169.

b. Enter the hostname to translate.


c. Enter up to three addresses or network/host objects, or click Select to display
a selector. These are the addresses to which the router translates the
hostname.

d. Click OK. The mapping is displayed in the Hosts field on the DNS page.

e. Repeat Steps a through d to add more hosts to the host table.

Note

To edit a host mapping, select the definition from the Hosts field, then
click Edit. To remove a host mapping, select it, then click Delete.

Step 4

(Optional) Deselect the Domain Lookup check box to disable DNS functionality
on the router.

Step 5

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

DNS on Cisco IOS Routers, page 14-107

Hostnames and Domain Names on Cisco IOS Routers


The Hostname policy configures the hostname and domain name of the selected
router. After you deploy this policy, any changes that you made to the hostname
and domain name are reflected in the Device Properties Page, page C-53.
Related Topics

Defining Hostname Policies, page 14-110

Managing Routers, page 14-1


Defining Hostname Policies


When you define a hostname policy, Security Manager updates the hostname and
domain name fields in the Device Properties dialog box after deployment. See
Device Properties Page, page C-53.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Hostname from the
Policy selector.

(Policy view) Select Router Platform > Device Admin > Hostname from
the Policy Type selector. Right-click Hostname to create a policy, or select
an existing policy from the Shared Policy selector.

The Hostname page is displayed. See Table K-69 on page K-171 for a description
of the fields on this page.
Step 2

Enter the hostname for the router. Names must start with a letter, end with a letter
or digit, and include only letters, digits, and hyphens. The maximum length is
63 characters.

Step 3

Enter the domain name for the router. The router uses this domain name for RSA
key generation and in policies when you do not enter the fully-qualified domain
name (FQDN).

Step 4

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Hostnames and Domain Names on Cisco IOS Routers, page 14-109


Memory Settings on Cisco IOS Routers


The Memory policy configures settings relating to router memory. This policy
provides you with methods for monitoring memory consumption, including the
ability to generate notification messages when available memory drops below
predefined thresholds.

Note

The Memory policy is supported on routers running Cisco IOS Software Release
12.3(14)T or later.
Related Topics

Defining Router Memory Settings, page 14-111

Managing Routers, page 14-1

Defining Router Memory Settings


You can use Security Manager to modify the following default memory settings:

The number of hours that the router maintains the log of memory
consumption.

Whether to enable the Memory Allocation Lite feature.

The amount of memory to reserve for critical system log messages.

In addition, you can define:

The lower thresholds for processor and I/O memory. Log messages are sent
when available memory drops below these thresholds.

The types of sanity checks to perform.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Memory from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > Memory from the
Policy Type selector. Right-click Memory to create a policy, or select an
existing policy from the Shared Policy selector.

The Memory page is displayed.


Step 2

(Optional) Define the memory settings of the router, as required. See Table K-70
on page K-172 for a description of the available fields.

Step 3

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Memory Settings on Cisco IOS Routers, page 14-111

Logging on Cisco IOS Routers, page 14-146

Secure Device Provisioning on Cisco IOS Routers


Secure Device Provisioning (SDP) offers an integrated solution for streamlining
VPN and network security deployment. SDP (previously called Easy Secure
Device Deployment, or EzSDD) enables remote-site users to securely bootstrap
their VPN device through an easy-to-use web interface, thereby easing the
deployment burden, lowering costs, and shortening the network development
cycle. For example, a telecommuter or small branch office user can remove a new
device from its shipping package, plug it in, open a simple web management
interface, and establish VPN connectivity, all within a period of just a few
minutes.
For more information about SDP, see Setting Up Secure Device Provisioning
(SDP) for Enrollment in a PKI, which can be found in Cisco IOS Security
Configuration Guide, Release 12.4T.

Note

SDP requires Cisco IOS Software Release 12.3(8)T or later. Attempting to deploy
this policy to a router running an earlier version could result in deployment
failure.

Trusted Transitive Introduction (TTI) is the protocol that acts as the primary
mechanism for implementing SDP. As shown in Figure 14-7, TTI comprises the
following three entities:

Introducer: A mutually trusted device that introduces the petitioner to the
registrar. Introducers can be end users who use SDP to deploy VPN devices
associated with themselves to the PKI network, or an
administrator/management system that uses SDP to deploy many VPN
devices to the PKI network. This latter type is known as an administrative
introducer. For more information, see Configuring a AAA Server Group for
Administrative Introducers, page 14-119.

Petitioner: A remote-site device that is joined to the secure domain. The
petitioner serves web pages to the introducer and receives the bootstrap
configuration from the introducer's web browser. The petitioner component
is enabled by default on all Cisco IOS devices.

Registrar: A server that authorizes the petitioner by communicating directly
with an authentication, authorization, and accounting (AAA) server to verify
user credentials, permit or deny enrollment, and retrieve user-specific
configuration information.

Use the SDP policy in Security Manager to configure the router as a registrar.
Figure 14-7 Secure Device Provisioning

[Figure: Introducer, Registrar, and Petitioner, with the links labeled
"Point introduction" (introducer to registrar) and "Secure communication"
(registrar to petitioner).]

For more information about Secure Device Provisioning, see:

Contents of Bootstrap Configuration, page 14-114

Secure Device Provisioning Workflow, page 14-114

To configure a Secure Device Provisioning policy, see:

Defining Secure Device Provisioning Policies, page 14-115

Related Topics

Managing Routers, page 14-1

Contents of Bootstrap Configuration


The bootstrap configuration provided by SDP typically does the following:

Sets the petitioner's hostname.

Synchronizes the petitioner's system clock with the registrar.

Sets the petitioner's trustpoint.

Sets the petitioner's authentication and authorization mechanism.

Pushes the CA certificate.

Enrolls the petitioner with the PKI server.

Sets other VPN configurations, such as the configuration required to establish
a management tunnel.

Sets Cisco Networking Services (CNS) configuration.

Sets the petitioner's DHCP pool.

Related Topics

Secure Device Provisioning Workflow, page 14-114

Secure Device Provisioning on Cisco IOS Routers, page 14-112

Secure Device Provisioning Workflow


The following illustrates the steps required to use SDP to register a remote-site
device in a secure network:

1. Unpack the router and connect the power, LAN, and WAN cables.
2. Turn on a computer (introducer) that is assigned an IP address from the
DHCP server on the router, open a web browser, and go to the petitioner URL
(http://device/ezsdd/welcome) on the router. The router responds with a
registration page (also called the local login dialog box).

3. Enter the username and password, then click OK. On the welcome page, enter
the URL for the registrar. The following actions occur:

a. The browser opens an HTTPS-secured session to the central-site
registrar, which verifies the username with the AAA server and returns
the appropriate bootstrap configuration to the browser.

b. The browser feeds the bootstrap configuration to the remote-site router,
configuring PKI trustpoint enrollment and IPsec VPN connectivity, and
provisioning system attributes and other information.

c. You are notified that bootstrap configuration is complete.

Related Topics

Contents of Bootstrap Configuration, page 14-114

Secure Device Provisioning on Cisco IOS Routers, page 14-112

Defining Secure Device Provisioning Policies


The petitioner component is automatically enabled on all Cisco IOS routers. The
SDP policy in Security Manager enables the registrar. To define an SDP policy
you must define:

The AAA server group containing the AAA server that the registrar uses to
authenticate and authorize the introducer.

The CA server to which the petitioner enrolls during the bootstrap process.

The location of the introduction page that is displayed after authorization was
performed.

The location of the bootstrap configuration to be provided to the petitioner.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Secure Device
Provisioning from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Secure Device
Provisioning from the Policy Type selector. Right-click Secure Device
Provisioning to create a policy, or select an existing policy from the Shared
Policy selector.

The Secure Device Provisioning page is displayed. See Table K-71 on page K-176
for a description of the fields on this page.
Step 2

Under Introducer Authentication, enter the name of the AAA server group
containing the relevant AAA server, or click Select to display a selector (see
Object Selectors, page F-558).
The selected AAA server determines whether the username and password
supplied by the introducer represent an authorized user. The AAA server must use
TACACS+, RADIUS, or be local.

Tip

If the required AAA server is not listed, click the Create button or the
Edit button in the selector to open the AAA Server Dialog Box,
page F-20. From here you can define a AAA server to include in the
policy.

Note

Each AAA server in the selected group must be configured to
communicate with an interface that exists on the router; otherwise,
validation fails.

Note

If you want to configure a different AAA server group for authenticating
and authorizing administrative introducers, see Configuring a AAA
Server Group for Administrative Introducers, page 14-119.

Step 3

Under Petitioner Authentication, define the CA server that authenticates the
identity of the petitioner by doing one of the following:

Select Local CA Server, then enter the local CA name in the field provided.
If you have already configured the CA server locally on the registrar, a
trustpoint is generated automatically.

Note

If you have not configured the router as the CA server, enter the command
crypto pki server [name] using the CLI or FlexConfigs. This command
is mandatory when you deploy an SDP policy configured with a local CA
server.

Select Remote CA Server, then enter the name of a PKI enrollment object,
or click Select to display a selector (see Object Selectors, page F-558).
The PKI enrollment object defines the external CA server used in the SDP
policy.

Tip

If the required PKI enrollment object is not listed in the selector, click the
Create button or the Edit button to open the PKI Enrollment Dialog Box,
page F-437. From here you can define a CA server to include in the
policy.

Step 4

Select the source of the introduction page that is displayed after you log in to the
registrar. The introduction page indicates whether authorization was successfully
completed and contains a button for completing the process of obtaining the
bootstrap configuration.
If you do not select the default welcome page, you must enter the URL required
to access a different welcome page that you prepared elsewhere.

Step 5

Select the source of the bootstrap configuration provided to the petitioner to
implement its first-time configuration:

If the source of the bootstrap configuration is a non-Security Manager URL,
continue with Step 6.

If the source of the configuration file is a Security Manager URL, continue
with Step 7.

Step 6

(Optional) If the source of the bootstrap configuration is a non-Security Manager
URL, do the following:

a. Enter the required URL in the field provided.

b. Enter the username and password for accessing the URL, if required.

c. Continue with Step 8.

Step 7

(Optional) If the source of the bootstrap configuration is a Security Manager
URL, do the following:

a. Enter the name of a FlexConfig, or click Select to display a selector (see
Object Selectors, page F-558). The FlexConfig contains the command-line
interface (CLI) commands required to retrieve the appropriate bootstrap
configuration.

Tip

If the required FlexConfig object is not listed in the selector, click the
Create button or the Edit button in the selector to open the FlexConfig
Editor Dialog Box, page P-11. From here you can define a FlexConfig to
use in the policy.

b. Enter a username and password for accessing the Security Manager server
containing the FlexConfig. The password can contain alphanumeric
characters, but cannot consist of a single digit.

c. Enter the device name formula required by the FlexConfig to derive the
device name of the petitioner from the username submitted by the introducer.
(The two names typically have a fixed relationship.) The default formula is
$n, which uses the introducer name to determine the device name.
The device name determines which bootstrap configuration the petitioner
should receive. The resulting URL contains the name of the FlexConfig you
selected, as well as the parameters and formula you defined.

d. Continue with Step 8.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Secure Device Provisioning Workflow, page 14-114

Configuring a AAA Server Group for Administrative Introducers,
page 14-119

Secure Device Provisioning on Cisco IOS Routers, page 14-112

Configuring a AAA Server Group for Administrative Introducers


Administrative introducers are administrators or management systems that
introduce many devices to the PKI network. You can configure a AAA server
group for authenticating and authorizing administrative introducers by appending
the following FlexConfig to the configuration of the router:
aaa new-model
radius-server host 1.2.3.4 auth-port 1645 acct-port 1646 key key
aaa group server radius default-radius-group2
server 1.2.3.4 auth-port 1645 acct-port 1646
exit
aaa authentication login CSM_SDP2 group default-radius-group2
crypto provisioning registrar
administrator authentication list CSM_SDP2
administrator authorization list CSM_SDP2
exit

This FlexConfig serves two functions: it configures the AAA server group to use,
and it associates that server group with the SDP registrar (the crypto
provisioning registrar configuration).
For more information about administrative introducers, see Administrative Secure
Device Provisioning Introducer on Cisco.com at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtadintr.html
Related Topics

Secure Device Provisioning on Cisco IOS Routers, page 14-112

Defining Secure Device Provisioning Policies, page 14-115

Understanding FlexConfig Objects, page 8-52

DHCP on Cisco IOS Routers


In Security Manager, certain security features, such as Easy VPN and 802.1x,
require Dynamic Host Configuration Protocol (DHCP) client/server
configuration. DHCP is widely used in LAN environments to dynamically assign
host IP addresses from a centralized server, which significantly reduces the
overhead of administering IP addresses.

DHCP servers assign and manage IP addresses from specified address pools
within a router to DHCP clients. If the DHCP server cannot satisfy a DHCP
request from its own database, it can forward the request to one or more secondary
DHCP servers defined by the network administrator.
Security Manager enables you to configure a Cisco IOS device as a DHCP server
for clients (hosts) that are connected to the device's inside interface. When you
configure a DHCP server, you use IP pools (a range of IP addresses reserved for
a DHCP server). The IP pools you select determine the range of IP addresses the
server can use. These addresses are provided to client devices for a defined period
of time called a lease. When this lease expires, the address is returned to the
address pool, enabling the DHCP server to assign it to a different device.
For more information about DHCP, see:

Understanding DHCP Database Agents, page 14-120

Understanding DHCP Relay Agents, page 14-121

Understanding DHCP Option 82, page 14-122

Understanding Secured ARP, page 14-122

To configure a DHCP policy, see:

Defining DHCP Policies, page 14-123

Defining DHCP Address Pools, page 14-125

Related Topics

Managing Routers, page 14-1

Understanding DHCP Database Agents


A DHCP database agent is any external host (for example, an FTP, TFTP, or RCP
server) that stores the DHCP bindings database. You can include one or more
DHCP database agents in each DHCP policy, as well as configure the interval
between database updates to the agent.

Note

If you configure an external DHCP database agent, it is not necessary to define IP
address pools, but you may do so. For more information about IP address pools,
see Defining DHCP Address Pools, page 14-125.

Related Topics

Understanding DHCP Relay Agents, page 14-121

Understanding DHCP Option 82, page 14-122

Understanding Secured ARP, page 14-122

Defining DHCP Policies, page 14-123

DHCP on Cisco IOS Routers, page 14-119

Understanding DHCP Relay Agents


A DHCP relay agent is any host that forwards DHCP packets between clients and
servers when they do not reside on the same physical subnet. Relay agents receive
DHCP messages and then generate a new DHCP message to send on another
interface. You can configure a reforwarding policy that determines what the
DHCP relay agent should do if a forwarded message already contains relay
information.
DHCP relay options in Security Manager include:

Drop: The relay agent discards messages with existing relay information if
Option 82 information is also present.

Keep: The relay agent retains existing relay information.

Replace: The relay agent overwrites existing information with its own relay
information.

For example, you can have the DHCP relay agent replace the forwarded message
with a new relay message. Additionally, you can choose whether to have the relay
agent check the validity of relay information contained within forwarded
BOOTREPLY messages.
Related Topics

Understanding DHCP Database Agents, page 14-120

Understanding DHCP Option 82, page 14-122

Understanding Secured ARP, page 14-122

Defining DHCP Policies, page 14-123

DHCP on Cisco IOS Routers, page 14-119

Understanding DHCP Option 82


DHCP option 82 enables the DHCP relay agent to include information about itself
and its attached client when it forwards requests from a DHCP client to a DHCP
server. The DHCP server can use this information to assign IP addresses, perform
access control, and set quality of service (QoS) and security policies for each of
its subscribers. When the DHCP option 82 feature is enabled, a subscriber is
identified by the switch port through which it connects to the network, instead of
by its MAC address. Multiple hosts on the subscriber LAN can be connected to
the same port on the access switch and are uniquely identified. Option 82 also
enhances security on access switches by providing the ability to use a user's IP
address to locate the port on which a user is attached.
Related Topics

Understanding DHCP Database Agents, page 14-120

Understanding DHCP Relay Agents, page 14-121

Understanding Secured ARP, page 14-122

Defining DHCP Policies, page 14-123

DHCP on Cisco IOS Routers, page 14-119

Understanding Secured ARP


The DHCP Secure IP Address Assignment feature (also called DHCP Authorized
ARP) enables you to secure Address Resolution Protocol (ARP) table entries to
DHCP leases in the DHCP database. This feature secures and synchronizes the
client's MAC address to the DHCP binding, preventing unauthorized clients or
hackers from spoofing the DHCP server and taking over a DHCP lease of an
authorized client.
When you enable this feature and the DHCP server assigns an IP address to the
DHCP client, the DHCP server adds a secure ARP entry to the ARP table with the
assigned IP address and the MAC address of the client. These ARP entries cannot
be updated by any other dynamic ARP packets, and they exist in the ARP table
for as long as the lease is active.

Secure ARP entries can be deleted only by an explicit termination message from
the DHCP client or by the DHCP server when the binding expires. To detect when
a client has logged out, Secured ARP sends periodic ARP messages to which only
authorized users can respond. Unauthorized responses are blocked at the DHCP
server, providing an additional level of security.

Note

Secured ARP disables dynamic ARP learning on an interface.
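The following Python model is an added example, not IOS code, illustrating the Secured ARP behaviour described above: a secure entry is created when the server grants a lease, a dynamic ARP packet carrying another MAC cannot change it, a release is honoured only from the bound MAC, and the entry disappears when the lease expires. The class and method names and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArpEntry:
    mac: str
    secure: bool                     # True when bound to a DHCP lease
    lease_expires: Optional[float]   # None for ordinary dynamic entries


class ArpTable:
    """Constructed model of one interface's ARP table with Secured ARP.

    Secure entries are created only when the DHCP server grants a lease, are
    never changed by dynamic ARP packets, and leave the table only through an
    explicit release from the bound MAC or through lease expiry.
    """

    def __init__(self, secured_arp: bool) -> None:
        self.secured_arp = secured_arp
        self.entries: Dict[str, ArpEntry] = {}

    def bind_lease(self, ip: str, mac: str, lease_seconds: float, now: float) -> None:
        """DHCP server granted a lease: install or refresh the secure entry."""
        self.entries[ip] = ArpEntry(mac=mac, secure=True, lease_expires=now + lease_seconds)

    def learn_dynamic(self, ip: str, mac: str) -> bool:
        """An ARP reply or gratuitous ARP seen on the wire. True if installed."""
        if self.secured_arp:
            return False          # dynamic ARP learning is disabled on this interface
        current = self.entries.get(ip)
        if current is not None and current.secure:
            return False          # a dynamic packet never overwrites a secure entry
        self.entries[ip] = ArpEntry(mac=mac, secure=False, lease_expires=None)
        return True

    def release_lease(self, ip: str, mac: str) -> bool:
        """Explicit termination from the client; accepted only from the bound MAC."""
        current = self.entries.get(ip)
        if current is None or not current.secure or current.mac != mac:
            return False
        del self.entries[ip]
        return True

    def expire(self, now: float) -> List[str]:
        """Remove secure entries whose lease has ended; return the released IPs."""
        expired = [ip for ip, e in self.entries.items()
                   if e.secure and e.lease_expires is not None and e.lease_expires <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry.mac if entry else None


if __name__ == "__main__":
    # Constructed sample: one lease, then a conflicting ARP packet from another MAC.
    table = ArpTable(secured_arp=True)
    table.bind_lease("10.0.0.5", "00:11:22:33:44:aa", lease_seconds=3600, now=1000.0)
    print("spoof accepted:", table.learn_dynamic("10.0.0.5", "de:ad:be:ef:00:01"))
    print("binding now:", table.lookup("10.0.0.5"))
    print("expired at t=4600:", table.expire(now=4600.0))
```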


Related Topics

Understanding DHCP Database Agents, page 14-120

Understanding DHCP Relay Agents, page 14-121

Understanding DHCP Option 82, page 14-122

Defining DHCP Policies, page 14-123

DHCP on Cisco IOS Routers, page 14-119

Defining DHCP Policies


When you configure a DHCP policy, you must define the IP address pools for the
server to use to provide addresses to DHCP clients. In addition, you can optionally
define the following:

External DHCP database agent.

IP ranges to exclude from DHCP.

DHCP relay parameters.

Note

When configuring DHCP on a Cisco IOS router, make sure that the router does
not contain an access rule denying Bootstrap Protocol (BootP) traffic. Having
such a rule blocks DHCP traffic from being transmitted.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > DHCP
from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Server Access >
DHCP from the Policy Type selector. Right-click DHCP to create a policy,
or select an existing policy from the Shared Policy selector.

The DHCP Policy page is displayed. See Table K-72 on page K-179 for a
description of the fields on this page.
Step 2

(Optional) Under Databases, click the Add button to display the DHCP Database
Dialog Box, page K-182. From here you can define external DHCP database
agents. For more information, see Understanding DHCP Database Agents,
page 14-120.

Step 3

(Optional) Under Excluded IPs, enter the IP addresses or address ranges within a
DHCP address pool that should not be made available to DHCP clients. You can
use a combination of addresses and network/host objects, or click Select to
display a selector. For more information, see Specifying IP Addresses During
Policy Definition, page 8-135.

Tip

If the network you want is not listed in the selector, click the Create
button to display the Network/Host Dialog Box, page F-433. From here
you can create a network/host object.

For more information, see Specifying IP Addresses During Policy Definition,
page 8-135 and Supported IP Address Formats, page 8-128.
Step 4

Under IP Pools, click the Add button to display the IP Pool Dialog Box,
page K-183. From here you can define the address pools to be used by the DHCP
server. For more information, see Defining DHCP Address Pools, page 14-125.

Step 5

(Optional) When you use a relay agent to manage requests from DHCP clients
located on a different subnet from the DHCP server, define the following DHCP
relay options:
a. Select the relay agent information reforwarding policy (Drop, Keep, or
Replace). DHCP relay agents implement this policy when they receive
messages already containing relay information.

b. Select the Option check box to enable the insertion of Option 82 data in
requests that the relay agent forwards to the DHCP server.

c. Select the Check check box to validate DHCP Option 82 reply packets sent
by the DHCP server.
When you enable this option, invalid messages are dropped. Valid messages
are stripped of the option-82 field before they are forwarded to the DHCP
client. When you disable this option, the option-82 field is removed from the
packet without being checked first for validity.

See Understanding DHCP Relay Agents, page 14-121 for more information.
Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
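The following Python model is an added example, not code from this guide or from Cisco IOS. It decodes the DHCP option field and implements the three relay agent information reforwarding policies (Drop, Keep, Replace) from Step 5a, the Option 82 insertion from Step 5b, and the reply validation and stripping from Step 5c, so the effect of each setting can be observed on constructed messages. The option layout follows RFC 2132 and RFC 3046; the sample DHCPDISCOVER, the circuit and remote IDs, and the function names are constructed for the example.

```python
from __future__ import annotations

from typing import List, Optional, Tuple

OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_CLIENT_ID = 61
OPT_RELAY_AGENT = 82   # RFC 3046 relay agent information option
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

Options = List[Tuple[int, bytes]]


def parse_options(data: bytes) -> Options:
    """Decode the TLV option field that follows the DHCP magic cookie."""
    opts: Options = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: Options) -> bytes:
    """Encode (code, value) pairs back into a TLV option field ending with END."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError(f"option {code} too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay agent information: circuit ID (port) and remote ID (relay identity)."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def relay_to_server(options: bytes, policy: str, insert: bool, own_82: bytes) -> Optional[bytes]:
    """Apply the reforwarding policy to a client request heading for the server.

    Returns the rewritten option field, or None when the message is discarded.
    """
    opts = parse_options(options)
    already_relayed = any(code == OPT_RELAY_AGENT for code, _ in opts)
    if already_relayed:
        if policy == "drop":
            return None                    # discard: relay information already present
        if policy == "keep":
            return build_options(opts)     # forward unchanged, first agent's data kept
        if policy != "replace":
            raise ValueError(f"unknown policy {policy!r}")
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]   # replace with ours
    if insert:
        opts.append((OPT_RELAY_AGENT, own_82))
    return build_options(opts)


def relay_to_client(options: bytes, check: bool, own_82: bytes) -> Optional[bytes]:
    """Handle a server reply (BOOTREPLY) on its way back to the client.

    With check enabled, a reply whose option 82 differs from what this relay
    inserted is dropped; valid replies are forwarded with option 82 stripped.
    With check disabled, option 82 is stripped without being validated.
    """
    opts = parse_options(options)
    if check and any(c == OPT_RELAY_AGENT and v != own_82 for c, v in opts):
        return None
    return build_options([(c, v) for c, v in opts if c != OPT_RELAY_AGENT])


def relay_codes(options: bytes) -> List[int]:
    """Option codes present, in order; handy for inspecting results."""
    return [code for code, _ in parse_options(options)]


# Constructed sample data (not captured traffic): a DHCPDISCOVER option field
# and two relay-agent identities, ours and an upstream relay's.
CLIENT_DISCOVER = build_options([(OPT_MSG_TYPE, b"\x01"),
                                 (OPT_CLIENT_ID, b"\x01" + bytes.fromhex("0011223344aa"))])
OWN_82 = build_option82(b"FastEthernet0/1", b"branch-rtr1")
FOREIGN_82 = build_option82(b"GigabitEthernet1/3", b"upstream-relay")
ALREADY_RELAYED = build_options([(OPT_MSG_TYPE, b"\x01"), (OPT_RELAY_AGENT, FOREIGN_82)])

if __name__ == "__main__":
    for policy in ("drop", "keep", "replace"):
        result = relay_to_server(ALREADY_RELAYED, policy, True, OWN_82)
        print(policy, "->", "discarded" if result is None else relay_codes(result))
```

The reply-side check is the part that matters for defence: without it, a reply carrying someone else's relay information is forwarded to the client after a blind strip, so nothing on the relay notices a mismatch between the port a request left on and the port a reply claims.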

Related Topics

DHCP on Cisco IOS Routers, page 14-119

Defining DHCP Address Pools


When you configure a DHCP policy that does not include an external database
agent, you must define at least one IP address pool. This pool contains the
addresses that the DHCP server can dynamically assign to DHCP clients.
Additionally, you can define the following IP pool-specific options:

The default routers, DNS servers, WINS servers, and domain used by DHCP
clients.

Whether to import information regarding IP pool options from a centralized
DHCP server.

Whether to use the Secured ARP feature.

The length of the lease.

The location of the TFTP server that IP telephony devices require to use
addresses from this pool.

Procedure
Step 1

On the DHCP page, click the Create button under IP Pools. The IP Pool dialog
box is displayed.

Step 2

Define the address pool. See Table K-74 on page K-184 for a description of the
available fields.

Step 3

Click OK to save your definitions locally on the client and close the dialog box.
The IP pool appears in the table displayed under IP Pools on the DHCP page.

Step 4

Repeat Steps 1 through 3 to define additional address pools, if required.

Note

To edit an IP pool, select it from the table, then click the Edit button. To
delete an IP pool, select it from the table, then click the Delete button. You
cannot delete a pool whose addresses have been assigned to DHCP
clients.

Related Topics

Defining DHCP Policies, page 14-123

DHCP on Cisco IOS Routers, page 14-119

NTP on Cisco IOS Routers


The Network Time Protocol (NTP) is the standard for time synchronization
between network devices. Synchronized time enables you to correlate syslog and
other debug output to specific events, which is essential for troubleshooting, fault
analysis, and security incident tracking. Time comparisons are not possible
without precise time synchronization between the logging, management, and
AAA functions occurring in your network.
NTP uses the concept of a stratum to describe how far removed a machine is from
an authoritative time source. For example, a stratum 1 time server is directly
attached to a radio or atomic clock. NTP then distributes the time from this
authoritative time source across the network. A stratum 2 time server
synchronizes with a stratum 1 time server; a stratum 3 time server synchronizes
with a stratum 2 time server and so on. One NTP transaction per minute is
sufficient to synchronize two machines to within a millisecond.
NTP runs over the User Datagram Protocol (UDP) using port 123. Security
Manager supports NTP version 3, as defined in RFC 1305.
Related Topics

Defining NTP Servers, page 14-127

Managing Routers, page 14-1

Defining NTP Servers


This procedure describes how to define the NTP servers that the router uses to
synchronize time. After the NTP policy is deployed, the router uses an algorithm
(based on factors such as delay, dispersion, and jitter) to determine which NTP
server is the most accurate and synchronizes to that one.
At the global level, you can enable MD5 authentication and specify a source
address to use on all NTP packets sent from the router.
To add an NTP server to the policy, all you need to do is enter its IP address. In
addition, you can optionally define authentication parameters and determine
whether a particular server should be preferred over other NTP servers of similar
accuracy.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > NTP
from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Server Access >
NTP from the Policy Type selector. Right-click NTP to create a policy, or
select an existing policy from the Shared Policy selector.

The NTP page is displayed. See Table K-75 on page K-188 for a description of
the fields on this page.

Step 2

(Optional) In the Source Interface field, enter the name of the interface or
interface role whose address should be used as the source interface for all NTP
packets sent from the router, or click Select to display a selector (see Object
Selectors, page F-558). The source interface must have an IP address.

Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

This option is useful when the NTP server cannot reach the address from which
the connection originated (for example, due to a firewall). If you do not enter a
value in this field, the address of the outgoing interface is used.

Note

You can override this global setting for individual NTP servers, as
described in Step 5.

Step 3

(Optional) Select the Enable NTP Authentication check box to authenticate all
associations between this router and the NTP servers defined in this policy.

Step 4

Click the Add button under the Servers table to display the NTP Server dialog
box. From here you can define an NTP server.

Step 5

Define an NTP server. See Table K-76 on page K-190 for a description of the
available fields.

Step 6

(Optional) Define authentication parameters for this NTP server.

Note

If you modify the value of a previously defined authentication key, the
change affects all NTP servers that share this key.

Note

When you define an authentication key in Security Manager, the value 0
is automatically appended to the end of the CLI command. This value,
which represents the default authentication key encryption type, can be
modified using the CLI.

Step 7

Repeat steps 5 and 6 to define additional NTP servers.

Step 8

Click OK to save your definitions locally on the client and close the dialog box.
Your definitions are displayed in the Servers table.

Note

To edit an NTP server, select it from the Servers table, then click Edit. To
remove an NTP server, select it, then click Delete. If the key defined on
the server you delete is not defined on a different NTP server, the key is
also deleted.

Step 9

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
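The following Python script is an added example, not code from this guide, Security Manager or the router. It builds and parses an NTPv3 header to show where the stratum and mode fields live, and appends and verifies the RFC 1305 Appendix C symmetric-key authenticator (key identifier plus MD5 over the key and the header) to show what enabling NTP authentication protects: a reply whose stratum has been altered in transit, or that was signed with an unknown or wrong key, fails verification. Treating this authenticator as equivalent to the router's MD5 key authentication is the example's assumption; the key, key identifier and timestamps are constructed.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

NTP_HEADER_LEN = 48
NTP_AUTH_LEN = 4 + 16          # key identifier + MD5 digest (RFC 1305 Appendix C)
NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MODE_CLIENT, MODE_SERVER = 3, 4


def build_header(stratum: int, mode: int = MODE_CLIENT, version: int = 3,
                 tx_time: Optional[float] = None) -> bytes:
    """Build a 48-byte NTPv3 header; only the fields this example inspects are set."""
    if tx_time is None:
        tx_time = time.time()
    li_vn_mode = (0 << 6) | (version << 3) | mode    # leap indicator 0 = no warning
    poll, precision = 6, -20                         # 64 s poll interval, ~1 us precision
    ntp_secs = int(tx_time) + NTP_UNIX_OFFSET
    ntp_frac = int((tx_time - int(tx_time)) * 2**32)
    return struct.pack("!BBbb11I", li_vn_mode, stratum, poll, precision,
                       0, 0, 0,      # root delay, root dispersion, reference id
                       0, 0,         # reference timestamp
                       0, 0,         # originate timestamp
                       0, 0,         # receive timestamp
                       ntp_secs, ntp_frac)


def parse_header(packet: bytes) -> dict:
    """Extract the fields a client looks at when judging a server's answer."""
    li_vn_mode, stratum = struct.unpack("!BB", packet[:2])
    tx_secs, tx_frac = struct.unpack("!II", packet[40:48])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "tx_time": tx_secs - NTP_UNIX_OFFSET + tx_frac / 2**32,
    }


def describe_stratum(stratum: int) -> str:
    """Stratum semantics per RFC 1305: 0 unspecified, 1 primary, 2+ secondary."""
    if stratum == 0:
        return "unspecified or unavailable"
    if stratum == 1:
        return "primary reference (e.g. radio or atomic clock)"
    return f"secondary reference, {stratum - 1} hop(s) from a primary server"


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key authenticator: key id, then MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: Dict[int, bytes]) -> bool:
    """Check the authenticator against the key table; unknown key ids are rejected."""
    if len(packet) != NTP_HEADER_LEN + NTP_AUTH_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[48:52])
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[52:])


if __name__ == "__main__":
    # Constructed key table and a server reply with a fixed transmit time.
    keys = {1: b"constructed-shared-secret"}
    reply = sign(build_header(stratum=2, mode=MODE_SERVER, tx_time=1700000000.5), 1, keys[1])
    fields = parse_header(reply)
    print("stratum", fields["stratum"], "=", describe_stratum(fields["stratum"]))
    print("authentic:", verify(reply, keys))
    tampered = reply[:1] + bytes([1]) + reply[2:]     # claim stratum 1 after signing
    print("tampered still authentic:", verify(tampered, keys))
```

The key identifier in the trailer is what lets one router hold several keys at once; the note above about a changed key value affecting every server that shares it follows directly from the fact that verification is keyed by that identifier, not by server.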

Related Topics

NTP on Cisco IOS Routers, page 14-126

802.1x on Cisco IOS Routers


The IEEE 802.1x standard defines 802.1x port-based authentication as a
client-server based access control and authentication protocol that restricts
unauthorized clients from connecting to a LAN through public ports. The
authentication server validates each client connected to an interface before
making available any services offered by the router or the LAN.
Until the client is authenticated, 802.1x access control allows only Extensible
Authentication Protocol over LAN (EAPOL) traffic through the interface to
which the client is connected. If authentication is successful, normal traffic can
pass through the interface.
802.1x authentication provides VPN access control, enabling unauthenticated
traffic to access the Internet while preventing it from accessing the VPN tunnel.
This solution is especially useful for enterprises whose workers access the
corporate VPN through a home access router that other family members use to
access the Internet. When you use 802.1x, you create a virtual interface to carry
unauthenticated traffic while authenticated traffic continues to pass through the
physical interface.


802.1x requires that you use DHCP to provide IP addresses to the clients that
request authentication. We recommend that you use two IP address pools, one for
authenticated traffic and the other for unauthenticated traffic. If you use two
pools, the DNS server in the corporate DHCP pool should point to the corporate
DNS server. The DNS server for the noncorporate DHCP pool should use the DNS
server provided by the ISP on the public interface. You configure DHCP by
selecting a DHCP policy. See DHCP on Cisco IOS Routers, page 14-119 for more
information.

Note

802.1x is supported on the following platforms: Cisco 800 Series, 1700 Series,
1800 Series, 2600 Series, 2800 Series, 3600 Series, 3700 Series, 3800 Series.
For more information about 802.1x, see:

Understanding 802.1x Device Roles, page 14-130

802.1x Interface Authorization States, page 14-131

Topologies Supported by 802.1x, page 14-132

Defining 802.1x Policies, page 14-133

Related Topics

Managing Routers, page 14-1

Understanding 802.1x Device Roles


802.1x port-based authentication uses the following device roles:

Client: The workstation requesting access to the VPN. It must be running
802.1x-compliant client software, such as that offered with the Microsoft
Windows XP operating system.

Authentication server: Authenticates clients. The authentication server
validates the client's identity and notifies the router whether the client is
authorized to access the network. The Remote Authentication Dial-In User
Service (RADIUS) security system with EAP extensions is the only
supported authentication server. In Security Manager, a AAA (authentication,
authorization, and accounting) server, as defined in a AAA server object, is
the authentication server for 802.1x policies.


Router (edge router or wireless access point): Controls physical access to
the network based on the authentication status of the client. The router is an
intermediary (proxy) between the client and the authentication server,
requesting identity information from the client, verifying that information
with the authentication server, and relaying a response to the client. In
Security Manager, the router on which you configure an 802.1x policy acts as
the switch.

Related Topics

802.1x Interface Authorization States, page 14-131

Topologies Supported by 802.1x, page 14-132

Defining 802.1x Policies, page 14-133

802.1x on Cisco IOS Routers, page 14-129

802.1x Interface Authorization States


When you use 802.1x, the interface state determines whether to grant the client
network access. By default, the interface starts in the unauthorized state. While in
this state, the interface disallows all traffic in both directions, except for EAPOL
packets. After a client is authenticated, the interface transitions to the authorized
state, enabling all client traffic to flow normally.
If a client that does not support 802.1x is connected to an unauthorized 802.1x
interface, the router requests the client's identity. In this situation, the client does
not respond to the request, the interface remains in the unauthorized state, and the
client is not granted access to the network. In contrast, when an 802.1x-enabled
client connects to an interface that is not running the 802.1x protocol, the client
initiates the authentication process by sending an EAPOL-Start frame. If no
response is received, the client resends the frame a fixed number of times. Because
no response is received, the client then begins sending frames as if the interface were
in the authorized state.
You can control the interface authorization state by selecting one of the following
options:

Auto: Enables 802.1x authentication, which causes the interface to start in
the unauthorized state. Only EAPOL frames are sent and received through the
interface. Authentication begins when the link state of the interface
transitions from down to up or when an EAPOL-Start frame is received. The
router requests the client's identity and begins relaying authentication
messages between the client and the authentication server. The router uses the
MAC address of each client trying to access the network as a unique client
identifier.

Force authorized: Disables 802.1x authentication, which causes the
interface to move to the authorized state without authenticating the client.

After a client is successfully authenticated, the interface state changes to
authorized, which enables all frames from the client to enter the network. If
authentication fails, the interface remains in the unauthorized state, but
authentication can be retried. If the authentication server cannot be reached, the
router can retransmit the request. If the authentication server does not respond
after the defined number of attempts, authentication fails and network access is
denied to the client.
When a client logs off, it sends an EAPOL-Logoff message, which causes the
interface to return to the unauthorized state.
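The state transitions described above, as an added example that is not part of this guide or of Cisco's software: a small Python model of an 802.1x-controlled interface. The names Port, Control, State and RadiusServer are chosen for this illustration, and the RADIUS verdicts in demo() are constructed. The model shows why an interface set to Auto forwards only EAPOL frames until an accept arrives, what an unreachable authentication server does to the client once the retry limit is reached, why an EAPOL-Logoff drops the interface back to unauthorized, and why Force authorized needs no server at all.

```python
"""Simulation of the 802.1x interface authorization states described above.
Added example for this guide; it is not Cisco Security Manager or Cisco IOS
code. Port, Control, State and RadiusServer are names chosen for illustration,
and the RADIUS verdicts in demo() are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class Control(Enum):
    AUTO = "auto"                          # "Auto" in the 802.1x policy
    FORCE_AUTHORIZED = "force-authorized"  # "Force authorized" in the policy

class State(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"

# The authentication server is a function from client MAC address to
# "accept", "reject", or None (no response, e.g. the server is unreachable).
RadiusServer = Callable[[str], Optional[str]]

@dataclass
class Port:
    control: Control = Control.AUTO
    max_server_attempts: int = 3           # retransmissions before giving up
    state: State = field(init=False)
    client_mac: Optional[str] = None       # the MAC is the client identifier
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Force authorized skips authentication; Auto starts unauthorized.
        self.state = (State.AUTHORIZED if self.control is Control.FORCE_AUTHORIZED
                      else State.UNAUTHORIZED)

    def forwards(self, frame_type: str) -> bool:
        """Unauthorized: only EAPOL passes, in either direction. Authorized: all."""
        return self.state is State.AUTHORIZED or frame_type == "EAPOL"

    def link_up(self, client_mac: str, server: RadiusServer) -> State:
        """Link down->up: the router requests the client's identity."""
        return self._authenticate(client_mac, server, "link-up")

    def eapol_start(self, client_mac: str, server: RadiusServer) -> State:
        """A client-sent EAPOL-Start frame also begins authentication."""
        return self._authenticate(client_mac, server, "EAPOL-Start")

    def eapol_logoff(self) -> State:
        """EAPOL-Logoff (or link up->down) returns an Auto port to unauthorized."""
        if self.control is Control.AUTO:
            self.state = State.UNAUTHORIZED
            self.client_mac = None
            self.events.append("logoff: unauthorized")
        return self.state

    def _authenticate(self, client_mac: str, server: RadiusServer, trigger: str) -> State:
        if self.control is Control.FORCE_AUTHORIZED:
            self.events.append(f"{trigger}: 802.1x disabled, already authorized")
            return self.state
        self.client_mac = client_mac
        for attempt in range(1, self.max_server_attempts + 1):
            verdict = server(client_mac)
            if verdict is None:
                # No answer: retransmit until the attempt limit is reached.
                self.events.append(f"{trigger}: attempt {attempt}, no response")
                continue
            # Accept -> authorized; reject -> stays unauthorized, may retry later.
            self.state = State.AUTHORIZED if verdict == "accept" else State.UNAUTHORIZED
            self.events.append(f"{trigger}: {client_mac} {verdict}")
            return self.state
        # Server never responded: authentication fails, access is denied.
        self.state = State.UNAUTHORIZED
        self.events.append(f"{trigger}: server unreachable, access denied")
        return self.state

def demo() -> Dict[str, object]:
    """Run the scenarios from the text and return what each one produced."""
    accepted = {"00:11:22:33:44:55"}                         # constructed
    radius: RadiusServer = lambda mac: "accept" if mac in accepted else "reject"
    dead: RadiusServer = lambda mac: None

    auto = Port()
    r: Dict[str, object] = {"initial": auto.state,
                            "eapol_before": auto.forwards("EAPOL"),
                            "ip_before": auto.forwards("IP")}
    r["good_client"] = auto.link_up("00:11:22:33:44:55", radius)
    r["ip_after"] = auto.forwards("IP")
    r["after_logoff"] = auto.eapol_logoff()
    r["bad_client"] = auto.eapol_start("de:ad:be:ef:00:01", radius)

    unreachable = Port(max_server_attempts=2)
    r["no_server"] = unreachable.link_up("00:11:22:33:44:55", dead)
    r["no_server_events"] = len(unreachable.events)          # 2 retries + denial

    r["forced"] = Port(control=Control.FORCE_AUTHORIZED).state
    return r
```

Call demo() to see the sequence end to end; the events list on each Port records every retransmission and verdict, which is the detail a troubleshooter wants when a client sits in the unauthorized state.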
Related Topics

Understanding 802.1x Device Roles, page 14-130

Topologies Supported by 802.1x, page 14-132

Defining 802.1x Policies, page 14-133

802.1x on Cisco IOS Routers, page 14-129

Topologies Supported by 802.1x


802.1x port-based authentication supports two topologies:

Point-to-point

Wireless LAN

In a point-to-point configuration, only one client can be connected to the
802.1x-enabled interface. The router detects the client when the interface state
changes from down to up. If a client leaves the network or is replaced by another
client, the interface state changes from up to down, which returns the interface to
the unauthorized state.


Figure 14-8 802.1x Topology: workstations (clients) connect to the router, which
relays authentication to the authentication server (RADIUS).

In a wireless LAN configuration, the 802.1x interface is configured in multihost
mode, which is authorized as soon as one client is authenticated. After the
interface is authorized, all other clients indirectly attached to the interface are
granted access to the network. If the port becomes unauthorized (either because
reauthentication fails or an EAPOL-Logoff message is received), the router denies
access to the network to all attached clients. In this topology, the wireless access
point is a client to the router and is responsible for authenticating the clients
attached to it.
Related Topics

Understanding 802.1x Device Roles, page 14-130

802.1x Interface Authorization States, page 14-131

Defining 802.1x Policies, page 14-133

802.1x on Cisco IOS Routers, page 14-129

Defining 802.1x Policies


You configure an 802.1x policy by defining:

The AAA server group containing the AAA server that authenticates hosts
that are trying to connect to the network.

The virtual interface that carries unauthenticated traffic and the physical
interface that carries authenticated traffic.


(Optional) Properties of the physical interface, including the control type,
automatic reauthentication, and several timeout values.

If the router on which you are defining the 802.1x policy is not part of a VPN (for
example, if it is directly connected to the corporate network to which you want to
restrict access), you must manually define an access list. You can do this by
defining an access rules policy (see Working with Access Rules, page 12-59) or
by defining a FlexConfig object (see Understanding FlexConfig Objects,
page 8-52).
Before You Begin

Configure the selected router with a DHCP policy that contains two IP
address pools, one for authenticated clients and one for unauthenticated
clients. See Defining DHCP Policies, page 14-123.

Make sure the router can route packets to the configured AAA (RADIUS)
server. You can verify this by pinging the server from the router.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Identity > 802.1x from the Policy selector.

(Policy view) Select Router Platform > Identity > 802.1x from the Policy
Type selector. Right-click 802.1x to create a policy, or select an existing
policy from the Shared Policy selector.

The 802.1x page is displayed. See Table K-77 on page K-194 for a description of
the fields on this page.
Step 2

Enter the name of the AAA server group containing the AAA server to use for
authenticating clients using 802.1x, or click Select to display a selector (see
Object Selectors, page F-558). The selected AAA server must use RADIUS with
EAP extensions.

Tip

If the required AAA server group is not listed in the selector, click the
Create button or the Edit button to open the AAA Server Group Dialog
Box, page F-14. From here you can define a AAA server group to use in
the policy.


Note

Each AAA server in the selected group must be configured to
communicate with an interface that exists on the router; otherwise,
validation fails.

Step 3

In the Virtual Template field, enter the name of the interface or interface role that
serves as the untrusted, virtual interface for carrying unauthenticated traffic, or
click Select to display a selector (see Object Selectors, page F-558). For more
information, see Specifying Interfaces During Policy Definition, page 8-118.

Note

Integrated Services Routers (ISRs), such as the Cisco 800, 1800, 2800,
and 3800 Series, automatically use VLANs to carry unauthenticated
traffic. If you define a virtual template, however, it is used in place of the
VLAN.

Note

Deployment might fail if PPP is defined on the virtual template defined
here. See Defining PPP Connections, page 14-63.

Step 4

Enter the name of the interface or interface role that serves as the trusted, physical
interface for carrying authenticated traffic, or click Select to display a selector.
For more information, see Specifying Interfaces During Policy Definition,
page 8-118.
The interface role you select should represent the internal protected interface that
was configured as part of the VPN topology and no other physical interface on the
selected router. For more information, see Defining the Endpoints and Protected
Networks, page 9-28.

Tip

If the interface roles you want are not listed in the selectors, click the
Create button or the Edit button to open the Interface Role Dialog Box,
page F-419. From here you can define interface roles to use in the policy.

Note

If you want to modify the default settings for the physical interface, go to
Step 5 below. Otherwise, go to Step 6.


Step 5

(Optional) Modify the defaults of the physical interface used for 802.1x
authentication. See Table K-77 on page K-194 for details.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Understanding 802.1x Device Roles, page 14-130

802.1x Interface Authorization States, page 14-131

Topologies Supported by 802.1x, page 14-132

802.1x on Cisco IOS Routers, page 14-129

Network Admission Control on Cisco IOS Routers


Network Admission Control (NAC), an industry initiative sponsored by Cisco
Systems, uses the network infrastructure to enforce security-policy compliance on
all devices seeking to access network computing resources, thereby limiting
damage from viruses and worms. By using NAC, organizations can provide
network access to endpoint devices such as PCs, PDAs, and servers that are
verified to be fully compliant with established security policy. NAC can also
identify noncompliant devices and deny them access, place them in a quarantined
area, or give them restricted access to computing resources.
Network access decisions are made through a process of posture validation, which
evaluates the posture credentials presented by the endpoint device. These
credentials can include such information as the endpoints antivirus state,
operating system version, operating system patch level, or Cisco Security Agent
version and settings.
You can use NAC to enforce security policy compliance in many types of
deployments, including branch offices, remote access, and dial-in access.


NAC policies in Security Manager enable a Cisco IOS router to act as a Network
Access Device (NAD) for enforcing policy compliance on devices seeking to
access the network. The following topics describe additional details about NAC:

Understanding NAC Components, page 14-138

Understanding NAC System Flow, page 14-139

The following topics describe the tasks you perform to create NAC policies on
Cisco IOS routers:

Defining NAC Setup Parameters, page 14-140

Defining NAC Interface Parameters, page 14-142

Defining NAC Identity Parameters, page 14-145

Related Topics

Managing Routers, page 14-1

Router Platforms Supporting NAC


The following Cisco IOS router platforms that can be managed by Security
Manager support NAC:

Cisco 7500 Series

Cisco 7200 Series

Cisco 3800 Series (3825, 3845)

Cisco 3700 Series (3725, 3745)

Cisco 3600 Series (3640/3640A and 3660-ENT)

Cisco 2800 Series (2801, 2811, 2821, 2851)

Cisco 2600 Series (2600XM and 2691)

Cisco 1800 Series (1841)

Cisco 1700 Series (1701, 1711, 1712, 1751, 1751-V, 1760)

Cisco 830 Series

Cisco IOS Software Release 12.3(8)T images and beyond (with security)


The following Cisco IOS router platforms that can be managed by Security
Manager do not support NAC:

Cisco 7600 Series (7603, 7604, 7606, 7609, 7613)

Cisco 7300 Series (7301, 7304)

Cisco 7100 Series VPN Routers (7120, 7140, 7160)

Cisco 3600 Series Multiservice Platforms (3620, 3631, 3661, 3662)

Cisco 1700 Series Modular Access Routers (1710, 1720, 1750)

Cisco 1600 Series (1601, 1602, 1603, 1604, 1605)

Cisco 800 Series (801, 803, 805, 811, 813, 828, 851, 857, 871, 876, 877, 878)

Cisco SOHO 90 Series Secure Broadband Routers (91, 96, 97)

Cisco SOHO 77 Series (71, 76, 77 ADSL, 77 H ADSL, 78)

Note

For the most recent list of router platforms that support NAC, go to the document
Network Admission Control Documentation Reference Guide at:
http://www.cisco.com/en/US/docs/security/nac/framework/nac_2.0/doc_reference_guide/NAC_DRTx.html.

Understanding NAC Components


NAC contains the following components:

Cisco Trust Agent (CTA): The CTA acts as the NAC client. It provides
posture credentials for the endpoint device on which it is installed, including
the type of operating system and the version of antivirus software installed.

Network access device (NAD): The NAD initiates posture validation with
the CTA when its Intercept ACL is triggered. It relays posture credentials
received from the CTA to a AAA server. In return, the NAD receives
configuration information from the AAA server, which it enforces on the
selected interface. The NAD also:

Periodically polls the CTA to confirm that it is communicating with the
same client at this IP address.

Revalidates all current sessions.

Sends username and password information from devices lacking a CTA
(clientless hosts) to the AAA server for authentication.

Supports an exception list of predefined actions applied to specific
devices, based on the device IP address or MAC address.

When you configure NAC policies in Security Manager, you are configuring
the behavior of the Cisco IOS router acting as the NAD.

AAA server: The AAA server obtains and validates posture credentials
received from the CTA and returns the access policy to be enforced on the
NAD. The AAA server must be a Cisco Secure Access Control Server (ACS),
running the RADIUS protocol. Existing ACS authorization support can be
used to provide access to clientless hosts. Posture validation rules and the
access policies resulting from those rules are configured on the ACS.

Related Topics

Understanding NAC System Flow, page 14-139

Network Admission Control on Cisco IOS Routers, page 14-136

Understanding NAC System Flow


As shown in Figure 14-9, the system flow for NAC is:

1. An IP packet from a connecting device triggers the Intercept ACL configured
on the NAD.

2. The NAD triggers posture validation with the CTA configured on the device
using the Extensible Authentication Protocol over User Datagram Protocol,
otherwise known as EAP over UDP, or simply EoU.

3. The CTA sends its posture credentials to the NAD using EAP over UDP.

4. The NAD sends these posture credentials to the ACS using RADIUS.

5. The ACS performs posture validation, which determines whether to allow the
device to access the network. (If necessary, the ACS requests additional
posture validation from a third-party server. For example, if the CTA forwards
credentials that are specific to a particular antivirus application, the ACS
forwards this information via the HCAP protocol to a vendor server for
validation.) If the device is a clientless host, the ACS checks the username
and password it receives against its locally stored list.


6. The ACS directs the NAD to enforce the appropriate access policy on the
requesting device. Access may be granted, denied, redirected, or restricted.

Figure 14-9 NAC System Flow: CTA client <-- EAPoUDP --> Network Access
Device <-- RADIUS --> ACS (AAA Server) <-- HCAP --> Vendor Policy Server
(optional).

Related Topics

Understanding NAC Components, page 14-138

Network Admission Control on Cisco IOS Routers, page 14-136

Defining NAC Setup Parameters


You configure NAC setup parameters by selecting the AAA server groups that
obtain and validate the posture credentials received from devices trying to connect
to the network. You can configure an option that allows devices lacking the Cisco
Trust Agent (CTA) to be authenticated by a predefined username and password
stored on a Cisco Secure Access Control Server (ACS). Additionally, you can
modify default settings for EAP over UDP. This is the protocol used for posture
validation communications between the Cisco IOS router serving as the network
access device (NAD) and the device trying to access your network.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Identity > Network Admission Control
from the Policy selector, then click the Setup tab in the work area.

(Policy view) Select Router Platform > Identity > Network Admission
Control from the Policy Type selector. Right-click Network Admission
Control to create a policy, or select an existing policy from the Shared Policy
selector. Then click the Setup tab.


The NAC Setup tab is displayed. See Table K-78 on page K-199 for a description
of the fields on this tab.
Step 2

Enter the name of the AAA server group containing the AAA server that performs
posture validation, or click Select to display a selector (see Object Selectors,
page F-558). The selected AAA server group must contain ACS devices running
RADIUS.

Tip

If the required AAA server group is not listed in the selector, click the
Create button or the Edit button to open the AAA Server Group Dialog
Box, page F-14. From here you can define a AAA server group to use in
the policy.

Note

Each AAA server in the selected group must be configured to
communicate with an interface that exists on the router; otherwise,
validation fails.

Step 3

(Optional) Select up to two AAA server groups as backups to the main server
group. If all the servers in the main server group go down, the servers in the
backup server group perform NAC.
Both backup server groups must consist of ACS devices running RADIUS.

Step 4

(Optional) Under EAP over UDP, select one or both of the following Allow
parameters:
a.

Select the Allow IP Station ID check box to include IP addresses in the
RADIUS requests sent to the ACS.

b.

Select the Allow Clientless check box to provide access to devices that do not
have the CTA installed. In such cases, the ACS authenticates these devices by
checking the username and password against a predefined list.
If you do not select this check box, devices without CTA are prevented from
accessing the network if their traffic matches the Intercept ACL. This is
because without CTA, posture validation cannot be performed.

Note

This feature is not supported on routers running Cisco IOS Software
Release 12.4(6)T or later.


Step 5

(Optional) Under EAP over UDP, modify the default settings related to the EAP
over UDP (EoU) protocol, if required. See Table K-78 on page K-199 for details.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining NAC Interface Parameters, page 14-142

Defining NAC Identity Parameters, page 14-145

Network Admission Control on Cisco IOS Routers, page 14-136

Defining NAC Interface Parameters


You configure NAC interface parameters by selecting the interfaces on which
NAC is performed. You must also define the Intercept ACL, which determines
which traffic on these interfaces is subject to posture validation. Additionally, you
can optionally override the device-level setting for initiating EAP over UDP
sessions and subject all sessions to periodic revalidation (see Defining NAC Setup
Parameters, page 14-140).
A NAC policy must include at least one interface definition in order to function.
Before You Begin

Select the AAA server group containing the ACS device performing posture
validation. See Defining NAC Setup Parameters, page 14-140.

Define an ACL object that defines the traffic to subject to posture validation
in NAC policies. See Creating Access Control List Objects, page 8-36.

Define an ACL object that defines the default access on the selected interface
(default ACL). See Creating Access Control List Objects, page 8-36.

Procedure
Step 1

Do one of the following:


(Device view) Select Platform > Identity > Network Admission Control
from the Policy selector, then click the Interfaces tab in the work area.

(Policy view) Select Router Platform > Identity > Network Admission
Control from the Policy Type selector. Right-click Network Admission
Control to create a policy, or select an existing policy from the Shared Policy
selector. Then click the Interfaces tab.

The NAC Interfaces tab is displayed. See Table K-79 on page K-201 for a
description of the fields on this tab.
Step 2

On the NAC Interfaces tab, select an interface definition from the table, then click
Edit, or click Add to create a definition. The NAC Interface Configuration dialog
box appears. See Table K-80 on page K-203 for a description of the fields in this
dialog box.

Step 3

Enter the name of the interface or interface role on which NAC is performed, or
click Select to display a selector (see Object Selectors, page F-558). For more
information, see Specifying Interfaces During Policy Definition, page 8-118.

Tip

If the interface roles you want are not listed in the selectors, click the
Create button or the Edit button to open the Interface Role Dialog Box,
page F-419. From here you can define interface roles to use in the policy.

Step 4

(Optional) Enter the name of the ACL object that acts as the intercept ACL, or
click Select to display a selector (see Object Selectors, page F-558).
The intercept ACL determines which traffic on the selected interfaces is subject
to posture validation before being granted access to the network. If you do not
select an ACL, all traffic on the selected interfaces is subject to posture validation.

Note

If the required ACL is not listed in the selector, click the Create button or
the Edit button in the selector to open the Add and Edit Extended Access
List Pages, page F-36. From here, you can define an ACL object to use in
the policy.


Note

If you defined an authentication proxy on the same interface as a NAC
interface, you must use the same intercept ACL in both policies.
Otherwise, deployment might fail. For more information about
authentication proxies, see Configuring Settings for AAA (IOS),
page 12-152.

Step 5

(Optional) To override the device-level value defined for maximum attempts to
initiate an EAP over UDP session, enter a new value in the EAP over UDP Max
Retries field.

Step 6

(Optional) Deselect the Enable EOU Session Revalidation check box if you do
not want the NAD to periodically revalidate all EAP over UDP sessions.

Note

Subinterfaces support default values only for the options described in
steps 5 and 6.

Step 7

Click OK to save your definitions locally on the client and close the dialog box.
Your interface definitions appear in the table on the NAC Interfaces tab.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining NAC Setup Parameters, page 14-140

Defining NAC Identity Parameters, page 14-145

Network Admission Control on Cisco IOS Routers, page 14-136


Defining NAC Identity Parameters


By default, any traffic over the selected interfaces that match the intercept ACL is
subjected to posture validation before it is permitted to enter the network.
However, you can create an exception list of predefined actions to apply to
specific devices. You use identity profiles to create this exception list. Each
profile contains two elements:

A profile definition, which identifies the device to which the profile applies. Devices
can be identified by their IP addresses, MAC addresses, or types (for Cisco
IP phones).

An action, which defines the result when this device tries to access the
network. Each action can include an ACL, a redirect URL, or both. If you do
not specify an action, the default ACL is applied.

When you configure NAC identity parameters, you first define one or more
identity actions and then create the identity profiles to which these actions apply.
You can apply each action to multiple profiles.
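The setup, interface and identity parameters described in the three NAC procedures above together decide what the NAD does with each packet. The following added example (not code from this guide or from Cisco IOS) models that decision path in Python, in the order of the system flow in Figure 14-9: the identity-profile exception list first, then the intercept ACL, then EAP over UDP posture validation relayed to the ACS, then the clientless fallback that the Allow Clientless check box enables, and a denial when no CTA is present and clientless access is off. The class names, the policy names returned by the modelled ACS, and the hosts and addresses in demo() are all assumptions constructed for illustration; the ACL model is destination-only to keep the example short.

```python
"""Model of the NAD decision path from the NAC setup, interface and identity
sections above, in the order of Figure 14-9. Added example, not Cisco code: all
names, addresses and ACS verdicts below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Decision = Tuple[str, Optional[str], bool]   # (path taken, ACS policy, permitted?)

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    dst: str = "0.0.0.0/0"      # destination prefix (source omitted for brevity)

    def matches(self, dst_ip: str) -> bool:
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)

def acl_permits(acl: List[Ace], dst_ip: str) -> bool:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(dst_ip):
            return ace.action == "permit"
    return False

@dataclass
class Host:
    ip: str
    mac: str
    has_cta: bool = True                           # Cisco Trust Agent installed?
    device_type: str = "workstation"               # e.g. "cisco-ip-phone"
    credentials: Optional[Tuple[str, str]] = None  # clientless username/password

@dataclass
class IdentityProfile:
    """Exception-list entry (IP, MAC or device type) plus the identity action for it."""
    policy: str                            # identity action name
    acl: Optional[List[Ace]] = None        # None: the interface default ACL applies
    ip: Optional[str] = None
    mac: Optional[str] = None
    device_type: Optional[str] = None

    def matches(self, host: Host) -> bool:
        return ((self.ip is not None and self.ip == host.ip)
                or (self.mac is not None and self.mac.lower() == host.mac.lower())
                or (self.device_type is not None and self.device_type == host.device_type))

# ACS stand-ins: posture validation returns the policy to enforce ("denied" included);
# the clientless check returns a policy name, or None for unknown credentials.
PostureValidator = Callable[[Host], str]
ClientlessAuth = Callable[[Tuple[str, str]], Optional[str]]

@dataclass
class NadInterface:
    intercept_acl: Optional[List[Ace]]   # None: all traffic is subject to validation
    default_acl: List[Ace]
    profiles: List[IdentityProfile] = field(default_factory=list)
    allow_clientless: bool = False       # "Allow Clientless" on the Setup tab

    def admit(self, host: Host, dst: str, acs: PostureValidator,
              clientless: ClientlessAuth) -> Decision:
        # 1. Exception list: a matching identity profile skips posture validation.
        for p in self.profiles:
            if p.matches(host):
                acl = p.acl if p.acl is not None else self.default_acl
                return ("identity-profile", p.policy, acl_permits(acl, dst))
        # 2. Intercept ACL: only traffic it permits triggers EoU; the rest sees the default ACL.
        if self.intercept_acl is not None and not acl_permits(self.intercept_acl, dst):
            return ("default-acl", None, acl_permits(self.default_acl, dst))
        # 3. CTA present: credentials over EoU, relayed by RADIUS to the ACS, which
        #    returns the policy to enforce (grant, restrict, redirect or deny).
        if host.has_cta:
            policy = acs(host)
            return ("posture-validation", policy, policy != "denied")
        # 4. No CTA: username/password reach the ACS only if clientless access is
        #    allowed; otherwise posture validation is impossible and access is denied.
        if self.allow_clientless and host.credentials is not None:
            policy = clientless(host.credentials)
            return ("clientless", policy, policy is not None)
        return ("denied-no-cta", None, False)

def demo() -> Dict[str, Decision]:
    """Constructed interface policy and hosts; returns the NAD decision for each."""
    corp = "10.0.0.0/8"
    intercept = [Ace("deny", "10.0.0.53/32"),   # DNS is reachable without validation
                 Ace("permit", corp)]           # anything else into corp is validated
    default = [Ace("permit", "10.0.0.53/32")]   # default ACL applied before validation
    nad = NadInterface(intercept, default, allow_clientless=True, profiles=[
        IdentityProfile("voice", acl=[Ace("permit", corp)], device_type="cisco-ip-phone"),
        IdentityProfile("print-only", acl=[Ace("permit", "10.0.5.0/24")], mac="00:1b:78:aa:bb:cc")])
    postures = {"10.1.1.10": "healthy", "10.1.1.11": "quarantine"}  # constructed ACS state
    acs: PostureValidator = lambda h: postures.get(h.ip, "denied")
    clientless: ClientlessAuth = lambda c: "guest" if c == ("guest", "guest123") else None
    hosts = {
        "phone": Host("10.1.1.20", "00:0c:29:11:22:33", device_type="cisco-ip-phone"),
        "printer": Host("10.1.1.30", "00:1B:78:AA:BB:CC"),   # MAC match is case-insensitive
        "healthy": Host("10.1.1.10", "aa:aa:aa:aa:aa:aa"),
        "stale": Host("10.1.1.11", "bb:bb:bb:bb:bb:bb"),
        "clientless": Host("10.1.1.12", "cc:cc:cc:cc:cc:cc", False, credentials=("guest", "guest123")),
        "no_cta": Host("10.1.1.13", "dd:dd:dd:dd:dd:dd", has_cta=False),
    }
    results = {name: nad.admit(h, "10.0.9.9", acs, clientless) for name, h in hosts.items()}
    results["dns"] = nad.admit(hosts["healthy"], "10.0.0.53", acs, clientless)
    return results
```

Two cases in demo() are worth attention when writing the real policy: the "printer" result shows that an identity profile bypasses posture validation entirely, so its action ACL is the only thing standing between that MAC address and the network, and the "no_cta" result shows that with Allow Clientless off, a host without the CTA whose traffic matches the intercept ACL is simply denied.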
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Identity > Network Admission Control
from the Policy selector, then click the Identities tab in the work area.

(Policy view) Select Router Platform > Identity > Network Admission
Control from the Policy Type selector. Right-click Network Admission
Control to create a policy, or select an existing policy from the Shared Policy
selector. Then click the Identities tab.

The NAC Identities tab is displayed. See Table K-81 on page K-204 for a
description of the fields on this tab.
Step 2

Define one or more identity actions:


a.

On the NAC Identities tab, select an identity action from the lower table, then
click Add. The NAC Identity Action dialog box appears.

b.

Define an identity action. See Table K-83 on page K-207 for a description of
the available fields.

c.

Click OK to save your definitions and close the dialog box. The action
appears in the Identity Actions table in the NAC Identities tab.


d.

(Optional) Repeat steps a through c to define additional identity actions, as
required.

Step 3

Define identity profiles:


a.

Select an identity profile from the upper table on the NAC Identities tab, then
click Add. The NAC Identity Profile dialog box appears. See Table K-82 on
page K-206 for a description of the fields in this dialog box.

b.

Enter the name of an identity action (as defined in Step 2) or click Select to
display a selector.

c.

Select and define a profile definition, which identifies the device to which the
profile should apply.

d.

Click OK to save your definitions and close the dialog box. The profile
appears in the Identity Profiles table in the NAC Identities tab.

e.

(Optional) Repeat steps a through d to define additional identity profiles, as
required.

Step 4

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining NAC Setup Parameters, page 14-140

Defining NAC Interface Parameters, page 14-142

Network Admission Control on Cisco IOS Routers, page 14-136

Logging on Cisco IOS Routers


Security Manager provides the following policies for configuring logging on a
Cisco IOS router:

Logging Setup: Enables the logging feature and defines basic logging
parameters. For more information, see Defining Logging Setup Parameters,
page 14-148.


Syslog Servers: Defines the remote servers to which logging messages are
sent. For more information, see Defining Syslog Servers, page 14-151.

Note

We strongly recommend configuring a Network Time Protocol (NTP) policy on
all routers on which logging is enabled. NTP synchronization provides accurate
timestamps for syslog messages, which is essential for comparing logs on
multiple devices.
Related Topics

Managing Routers, page 14-1

Understanding Log Message Severity Levels


Log messages on Cisco IOS routers are classified into eight severity levels. Each
severity level is identified by a number and a corresponding name. The lower the
number, the greater the severity, as described in Table 14-5.

Table 14-5 Log Message Severity Levels

Level Number  Level Name     Description
0             emergencies    System unusable
1             alerts         Immediate action needed
2             critical       Critical conditions
3             errors         Error conditions
4             warnings       Warning conditions
5             notifications  Normal but significant condition
6             informational  Informational messages only
7             debugging      Debugging messages
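As an added example that is not part of this guide or of Cisco's software, the following Python parses messages in the Cisco IOS syslog format (%FACILITY-SEVERITY-MNEMONIC: text) and applies Table 14-5 the way a trap level in the Logging Setup policy does: a message reaches the syslog server only if its severity number is at or below the configured level, because a lower number means a more severe message. The sample lines are constructed, not captured from a device, and parse, would_be_sent and dropped_events are names chosen for this illustration. The dropped_events check is the one a practitioner wants before lowering the trap level: it lists which watched events (here configuration changes and failed logins) a level of errors would silently discard.

```python
"""Cisco IOS syslog message parser and trap-level filter for Table 14-5.
Added example for this guide, not Cisco code; the sample lines are constructed
and the function names are chosen for illustration."""
import re
from typing import Dict, List, Optional, Sequence

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
SEVERITY_NUMBERS = {name: num for num, name in SEVERITY_NAMES.items()}

# IOS format: [sequence:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: text
_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

def parse(line: str) -> Optional[Dict[str, object]]:
    """Split one IOS log line into facility, severity (number and name), mnemonic, text."""
    m = _MSG.search(line)
    if m is None:
        return None                      # not an IOS system message (e.g. a CLI echo)
    sev = int(m.group("severity"))
    return {"facility": m.group("facility"), "severity": sev,
            "severity_name": SEVERITY_NAMES[sev], "mnemonic": m.group("mnemonic"),
            "text": m.group("text").strip()}

def trap_level(level) -> int:
    """Accept the level number or the IOS keyword (e.g. 'informational')."""
    return level if isinstance(level, int) else SEVERITY_NUMBERS[level]

def would_be_sent(line: str, level="informational") -> bool:
    """True if a trap level of `level` forwards this message to the syslog server:
    everything at or below the configured number, since lower means more severe."""
    msg = parse(line)
    return msg is not None and msg["severity"] <= trap_level(level)

def dropped_events(lines: Sequence[str], level, watch: Sequence[str]) -> List[str]:
    """Mnemonics of watched events that the given trap level would never send."""
    out = []
    for line in lines:
        msg = parse(line)
        if msg is not None and msg["mnemonic"] in watch and msg["severity"] > trap_level(level):
            out.append(msg["mnemonic"])
    return out

# Constructed sample lines in IOS format (not captured from a real device).
SAMPLE_LINES = [
    "000101: *Mar  1 00:10:01.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
    "000102: *Mar  1 00:10:05.456: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000103: *Mar  1 00:10:09.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4123) -> 10.1.1.5(23), 1 packet",
    "000104: *Mar  1 00:10:12.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.7] [localport: 22]",
    "000105: *Mar  1 00:10:15.321: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "router#show logging",
]

if __name__ == "__main__":
    watch = ("CONFIG_I", "LOGIN_FAILED")
    for lvl in ("errors", "informational"):
        sent = [parse(l)["mnemonic"] for l in SAMPLE_LINES if would_be_sent(l, lvl)]
        print(f"logging trap {lvl}: sends {sent}; drops {dropped_events(SAMPLE_LINES, lvl, watch)}")
```

Run the module directly to compare two trap levels over the sample: at errors, the configuration change (severity 5) and the failed login (severity 4) never leave the router, while at informational every system message in the sample is forwarded.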

Related Topics

Defining Logging Setup Parameters, page 14-148

Defining Syslog Servers, page 14-151


Logging on Cisco IOS Routers, page 14-146

Defining Logging Setup Parameters


This procedure describes how to enable logging on the router and define which
messages are sent to a syslog server. In addition, you can optionally define:

The source interface for all syslog messages sent from this device.

The messages that are saved to a local buffer.

The origin identifier added to each message.

A rate limit on the number of messages that can be sent.

Note

To send logging messages from the router to a syslog server, you must also define
the IP address of the syslog server. For more information, see Defining Syslog
Servers, page 14-151.
Procedure

Step 1

Do one of the following:

• (Device view) Select Platform > Logging > Logging Setup from the Policy
  selector.

• (Policy view) Select Router Platform > Logging > Logging Setup from the
  Policy Type selector. Right-click Logging Setup to create a policy, or select
  an existing policy from the Shared Policy selector.

The Logging Setup page is displayed. See Table K-84 on page K-209 for a
description of the fields on this page.
Step 2

Select the Enable Logging check box to turn on the logging feature. If this check
box is not selected, no log messages are created. By default, this check box is not
selected.

Tip

To use the device's default logging settings, simply select the Enable
Logging check box, then click Save.

Step 3

(Optional) In the Source Interface field, enter the name of the interface or
interface role whose address should be used as the source interface for all log
messages sent to the syslog server, or click Select to display a selector (see Object
Selectors, page F-558). The source interface must have an IP address.

Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

This option is useful when the syslog server cannot reach the address from which
the connection originated (for example, due to a firewall). If you do not enter a
value in this field, the address of the outgoing interface is used.
Step 4

(Optional) To send log messages to a syslog server:

a. Select the Enable Trap check box. By default, this check box is selected.

b. Select a value from the Trap Level list. All messages of this severity or greater
   (that is, having a lower number) are sent to the syslog server; messages of a
   lesser severity are ignored. For more information about severity levels, see
   Table 14-5 on page 14-147.

Step 5

(Optional) To save log messages locally to a buffer on the router:

a. Select the Enable Buffer check box. By default, this check box is selected.

b. Enter the size of the buffer in bytes.

c. Select the lowest severity level that should be saved to the buffer. All
   messages of that severity level or greater are saved to the buffer.

d. Select the Use XML Format check box to save messages in XML. (You can
   configure both the regular buffer and the XML buffer in the same policy.) If
   you select the XML check box, enter the size of the XML buffer in bytes.

Note

Make sure not to make buffers so large that the router runs out of memory
for other tasks. If this happens, deployment might fail.

Step 6

(Optional) Define a rate limit to avoid a flood of output messages:

a. Select the Enable Rate Limit check box. By default, this check box is
   selected.

b. Enter the maximum number of messages that can be sent per second.

c. Select the severity levels to exclude from the rate limit. For example, if you
   select 2 (critical), all syslog messages of severity 0-2 are sent to the syslog
   server regardless of the defined rate limit.

d. Select the All Messages check box to apply the rate limit to all syslog
   messages except console messages (with the exception of the severity levels
   excluded in Step c).

e. Select the Console Messages check box to apply the rate limit to console
   messages only.

Note

If you enable rate limiting without specifying any options, the default
settings (10 messages per second applied to console messages) are
applied.

Step 7

(Optional) To add an origin identifier to the beginning of each syslog message:

a. Select the type of origin ID to send - the IP address of the router, the
   hostname, or a user-defined text string.

b. If you select String, enter the text in the field provided. Spaces are permitted.

The origin identifier is useful for identifying the source of syslog messages in
cases where you send output from multiple devices to a single syslog server.

Note

The origin identifier is not added to messages sent to local destinations,
such as the buffer, the console, and the monitor.

Tip

To restore the router's default trap, buffer, and rate limit settings, select
the check box but leave the settings in the other fields blank. The default
settings differ according to platform. See your router documentation for
more details.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Note

To restore the default logging settings, unassign the policy from the
device.
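To make the combined effect of the trap level, buffer level and size, rate limit with excluded severities, and origin identifier concrete, here is an added Python model of the destinations this procedure configures. It is not code from the guide or from Security Manager: the message text and format are constructed, the rate limit is modelled as the All Messages option, and console output is not modelled.

```python
from collections import deque

# Table 14-5: level number and name; the lower the number, the greater the
# severity. "Severity X or greater" therefore means "number <= X".
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


class RouterLogging:
    """Models the destinations the Logging Setup policy configures: the syslog
    server (trap level, origin identifier) and the local buffer (buffer level,
    buffer size). The rate limit is modelled as the 'All Messages' option: it
    gates every message except the excluded severities. Console output is not
    modelled. This is a simplified model, not IOS code."""

    def __init__(self, trap_level="informational", buffer_level="debugging",
                 buffer_size=4096, rate_limit=None, rate_except=None,
                 origin_id=None):
        self.trap_level = SEVERITY[trap_level]
        self.buffer_level = SEVERITY[buffer_level]
        self.buffer_size = buffer_size      # local buffer, in bytes
        self.rate_limit = rate_limit        # messages per second; None = off
        # Step 6c: severities 0..rate_except are sent regardless of the limit.
        self.rate_except = SEVERITY[rate_except] if rate_except else None
        self.origin_id = origin_id          # Step 7: prefixed on the server copy only
        self.buffer = deque()
        self.buffer_bytes = 0
        self.server = []                    # lines the syslog server received
        self.dropped = 0                    # lines suppressed by the rate limit
        self._per_second = {}               # second -> messages counted

    def log(self, severity_name, text, t):
        """Dispatch one message generated at time t (seconds)."""
        sev = SEVERITY[severity_name]
        # Constructed message format; real IOS uses %FACILITY-SEVERITY-MNEMONIC.
        line = f"%SYS-{sev}-{severity_name.upper()}: {text}"
        if not self._rate_ok(sev, int(t)):
            self.dropped += 1
            return
        if sev <= self.buffer_level:
            self._to_buffer(line)
        if sev <= self.trap_level:
            prefix = f"{self.origin_id}: " if self.origin_id else ""
            self.server.append(prefix + line)

    def _rate_ok(self, sev, second):
        if self.rate_limit is None:
            return True
        if self.rate_except is not None and sev <= self.rate_except:
            return True
        sent = self._per_second.get(second, 0)
        if sent >= self.rate_limit:
            return False
        self._per_second[second] = sent + 1
        return True

    def _to_buffer(self, line):
        # The buffer is circular: the oldest lines are discarded to make room.
        self.buffer.append(line)
        self.buffer_bytes += len(line)
        while self.buffer_bytes > self.buffer_size:
            self.buffer_bytes -= len(self.buffer.popleft())


def demo():
    """Constructed burst of messages that exercises each setting."""
    rl = RouterLogging(trap_level="warnings", buffer_level="informational",
                       buffer_size=160, rate_limit=2, rate_except="critical",
                       origin_id="edge-rtr-1")
    rl.log("informational", "Line protocol on Interface Gi0/1 changed state", 0.1)
    rl.log("warnings", "CPU utilization high", 0.3)
    rl.log("errors", "Duplex mismatch on Gi0/2", 0.4)      # third in this second: dropped
    rl.log("critical", "Memory allocation failure", 0.5)   # excluded from the limit
    rl.log("alerts", "Temperature threshold exceeded", 1.1)
    return rl


if __name__ == "__main__":
    r = demo()
    print("server:", *r.server, sep="\n  ")
    print("buffer:", *r.buffer, sep="\n  ")
    print("dropped by rate limit:", r.dropped)
```

Running it shows why the excluded severities matter: the error message is lost to the rate limit, while the critical message arrives at the server even though it was generated in the same second.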

Related Topics

• Defining Syslog Servers, page 14-151

• Understanding Log Message Severity Levels, page 14-147

• Logging on Cisco IOS Routers, page 14-146

Defining Syslog Servers

This procedure describes how to define the servers to which the router should send
syslog messages. When you define a syslog server, you can choose whether the
logging messages it receives should be sent as plain text or in XML format.
If you define multiple syslog servers, logging messages are sent to all of them.

Before You Begin

• Enable logging and define basic logging parameters on the Logging Setup
  page. For more information, see Defining Logging Setup Parameters,
  page 14-148.

Procedure
Step 1

Do one of the following:

• (Device view) Select Platform > Logging > Syslog Servers from the Policy
  selector.

• (Policy view) Select Router Platform > Logging > Syslog Servers from the
  Policy Type selector. Right-click Syslog Servers to create a policy, or select
  an existing policy from the Shared Policy selector.

The Syslog Servers page is displayed. See Table K-85 on page K-213 for a
description of the fields on this page.
Step 2

Under the table, click the Add button to display the Syslog Server dialog box. See
Table K-86 on page K-215 for a description of the fields in this dialog box. From
here you can define the syslog server.


Step 3

In the IP Address field, enter the address of the syslog server, or click Select to
display a selector (see Object Selectors, page F-558). For more information, see
Specifying IP Addresses During Policy Definition, page 8-135.

Tip

If the host you want is not listed in the selector, click the Create button
or the Edit button to display the Network/Host Dialog Box, page F-433.
From here you can create a network/host object to use in the policy.

Step 4

(Optional) Select the Forward Messages in XML Format check box to have
routers send messages to this syslog server in XML instead of plain text.

Step 5

Click OK to save your definitions and close the dialog box. The syslog server you
defined is displayed in the table.

Note

To edit a syslog server, select it from the table, then click Edit. To remove
a syslog server, select it, then click Delete.

Step 6

Repeat steps 2 through 5 to define additional syslog servers.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

• Defining Logging Setup Parameters, page 14-148

• Understanding Log Message Severity Levels, page 14-147

• Logging on Cisco IOS Routers, page 14-146

Quality of Service on Cisco IOS Routers


Quality of service (QoS) refers to the ability of a network to provide priority
service to selected network traffic over various underlying technologies,
including Frame Relay, ATM, Ethernet and 802.1 networks, SONET, and
IP-routed networks. QoS features enhance the predictability of network service
by:

• Supporting dedicated bandwidth.

• Improving loss characteristics.

• Avoiding and managing network congestion.

• Shaping network traffic.

• Setting traffic priorities across the network.

QoS is generally used at entry points to service providers, as well as at
consolidation points where multiple lines converge. QoS is also useful where
speed mismatches occur (for example, at the boundary between a WAN and a
LAN), as these places are often traffic congestion points.
QoS policies in Security Manager are based on the Cisco Systems Modular QoS
CLI (MQC). MQC standardizes the CLI and semantics for QoS features across all
platforms supported by Cisco IOS software, which provides a modular and highly
extensible framework for deploying QoS. Security Manager provides an
easy-to-use interface for MQC that concentrates key QoS features inside a single
dialog box, streamlining the creation of QoS policies for selected traffic entering
and leaving the router.
For a description of the procedure for defining a QoS policy in Security Manager,
see Defining QoS Policies, page 14-167.
Related Topics

• Quality of Service and CEF, page 14-154

• Understanding Marking Parameters, page 14-155

• Understanding Queuing Parameters, page 14-157

• Understanding Policing and Shaping Parameters, page 14-161

• Managing Routers, page 14-1

Quality of Service and CEF


Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology
that optimizes network performance and scalability for all kinds of networks. It
defines the fastest method by which a Cisco IOS router forwards packets from
ingress to egress interfaces.
Certain QoS features configurable in Security Manager, such as Class-Based
Policing and Class-Based Weighted Random Early Detection, are supported only
on routers that run CEF. All routers from the Cisco 800 Series to the Cisco 7200
Series require CEF for these QoS features; the Cisco 7500 Series requires
distributed CEF (dCEF).

Note

For a complete list, see When is CEF Required for Quality of Service on
Cisco.com at this URL:
http://www.cisco.com/en/US/tech/tk39/tk824/technologies_tech_note09186a0080094978.shtml

By default, CEF is enabled as part of the router's initial configuration. To verify
whether CEF is enabled on your router, use the show ip cef command. Be aware,
however, that if your router does not have CEF enabled, activating CEF could
have a significant impact on your router's packet streaming. Consult your router
documentation before enabling CEF.

Related Topics

• Quality of Service on Cisco IOS Routers, page 14-153

Understanding Matching Parameters


You define matching parameters by identifying the traffic on which QoS is
performed, that is, classifying the interesting packets. Various classification tools
are available, including protocol type, IP precedence (IPP) value, Differentiated
Service Code Point (DSCP) value, and ACLs.
Traffic classes consist of a series of match criteria and a means of evaluating these
criteria. For example, you might define a class with matching criteria based on
several specified protocols and a DSCP value. You can then specify that a packet
must match only one of these defined criteria to be considered part of this class.
Your other option is to specify that packets must match all defined criteria to be
considered part of the traffic class.
Packets that are members of a defined traffic class are forwarded according to the
QoS specifications that you defined in the policy map. Packets that fail to meet
any of the matching criteria are classified as members of the default traffic class.
For information about defining matching parameters in a QoS policy, see Defining
QoS Class Matching Parameters, page 14-172.
Related Topics

• Defining QoS Policies, page 14-167

• Quality of Service on Cisco IOS Routers, page 14-153

Understanding Marking Parameters


Marking parameters enable you to classify packets, which entails using a traffic
descriptor to categorize a packet within a specific group. This defines the packet
and makes it accessible for QoS handling on the network. Both traffic policers and
traffic shapers use the packet classification to ensure adherence to the contracted
level of service agreed upon between the source and your network. Additionally,
marking parameters enable you to take packets that might have arrived at the
device with one QoS classification and reclassify them. Downstream devices use
this new classification to identify the packets and apply the appropriate QoS
functions to them.
Security Manager uses two types of marking for IPv4 packets - one based on IPP
classes and one based on DSCP values. IPP is based on the three most significant
bits in the Type of Service (ToS) byte of each packet, which means you can
partition traffic into eight classes. For historical reasons, each precedence value
corresponds with a name, as defined in RFC 791. Table 14-6 lists the numbers and
their corresponding names, from least to most important.

Table 14-6    IP Precedence Classes

Class    Name
0        routine
1        priority
2        immediate
3        flash
4        flash-override
5        critical
6        internet
7        network

Note

Classes 6 and 7 are generally reserved for network control information, such as
routing updates.

DSCP is based on the six most significant bits in the ToS byte (the remaining two
bits are used for flow control), with values ranging from 0 to 63. The DSCP bits
contain the IPP bits, which makes DSCP backward-compatible with IPP.
Marking is generally used on devices that are close to the network edge or
administrative domain so that subsequent devices can provide service based on
the classification mark.
For information about defining marking parameters in a QoS policy, see Defining
QoS Class Marking Parameters, page 14-175.
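An added Python example, not code from the guide or from Security Manager, that decodes a ToS byte into the IPP and DSCP fields described above, shows that the top three DSCP bits are the IPP value, and remarks a packet the way an edge device reclassifies it. The IPv4 header and the DSCP values used are constructed samples.

```python
import struct

# Table 14-6: IP Precedence class names, indexed by class number (0 = routine).
IPP_NAMES = ["routine", "priority", "immediate", "flash",
             "flash-override", "critical", "internet", "network"]


def classify_tos(tos):
    """Split one ToS byte into the fields the two marking types use.

    IPP is the three most significant bits, DSCP the six most significant
    bits; the low two bits are left untouched by either marking.
    """
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    dscp = tos >> 2
    ipp = tos >> 5
    return {
        "dscp": dscp,
        "ipp": ipp,
        "ipp_name": IPP_NAMES[ipp],
        # Backward compatibility: the top three DSCP bits are the IPP value.
        "ipp_from_dscp": dscp >> 3,
        "low_bits": tos & 0x03,
    }


def remark_dscp(tos, dscp):
    """Reclassify a packet by rewriting its DSCP value (0..63)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 0..63")
    return (dscp << 2) | (tos & 0x03)


def remark_ipp(tos, ipp):
    """Reclassify a packet by rewriting only its IP Precedence (0..7)."""
    if not 0 <= ipp <= 7:
        raise ValueError("IPP is 0..7")
    return (ipp << 5) | (tos & 0x1F)


def tos_of_ipv4_header(header):
    """Return the ToS byte of a raw IPv4 header (the second header byte)."""
    version_ihl, tos = struct.unpack("!BB", header[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos


def constructed_header(tos):
    """Build a minimal 20-byte IPv4 header carrying the given ToS byte
    (constructed sample; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    hdr = constructed_header(0xB8)        # DSCP 46, a common voice marking
    info = classify_tos(tos_of_ipv4_header(hdr))
    print(info)
    print(hex(remark_dscp(0xB8, 0)), IPP_NAMES[remark_ipp(0, 6) >> 5])
```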
Related Topics

• Understanding Queuing Parameters, page 14-157

• Understanding Policing and Shaping Parameters, page 14-161

• Defining QoS Policies, page 14-167

• Quality of Service on Cisco IOS Routers, page 14-153

Understanding Queuing Parameters


Queuing manages congestion on traffic leaving a Cisco IOS router by determining
the order in which to send packets out over an interface, based on priorities you
assign to those packets. Queuing makes it possible to prioritize traffic to satisfy
time-critical applications, such as desktop video conferencing, while still
addressing the needs of less time-dependent applications, such as file transfer.
During periods of light traffic, that is, when no congestion exists, packets are sent
out as soon as they arrive at an interface. However, during periods of transmission
congestion at the outgoing interface, packets arrive faster than the interface can
send them. By using congestion management features such as queuing, packets
accumulating at the interface are queued until the interface is free to send them.
They are then scheduled for transmission according to their assigned priority and
the queuing mechanism configured for the interface. The router determines the
order of packet transmission by controlling which packets are placed in which
queue and how queues are serviced with respect to one another.
Security Manager uses a form of queuing called Class-Based Weighted Fair
Queuing (CBWFQ). With CBWFQ, you define traffic classes based on match
criteria. Packets matching the criteria constitute the traffic for this class. A queue
is reserved for each class, containing the traffic belonging to that class. You assign
characteristics to queues, such as the bandwidth (fixed or minimum) assigned to
it and the queue limit, which is the maximum number of packets allowed to
accumulate in the queue.
When you use CBWFQ, the sum of all bandwidth allocation on an interface
cannot exceed 75 percent of the total available interface bandwidth. The
remaining 25 percent is used for other overhead, including Layer 2 overhead,
routing traffic, and best-effort traffic. Bandwidth for the CBWFQ default class,
for instance, is taken from the remaining 25 percent.
For more information about queuing, see:

• Tail Drop vs. WRED, page 14-158

• Low-Latency Queuing, page 14-160

• Default Class Queuing, page 14-160

For information about defining queuing parameters in a QoS policy, see Defining
QoS Class Queuing Parameters, page 14-176.

Related Topics

• Understanding Marking Parameters, page 14-155

• Understanding Policing and Shaping Parameters, page 14-161

• Defining QoS Policies, page 14-167

• Quality of Service on Cisco IOS Routers, page 14-153

Tail Drop vs. WRED


After a queue reaches its configured queue limit, the arrival of additional packets
causes tail drop or packet drop to take effect, depending on how you configured
the QoS policy. Tail drop, which is the default response, treats all traffic equally
and does not differentiate between different classes of service. When tail drop is
in effect, packets are dropped from full queues until the congestion is eliminated
and the queue is no longer full. This often leads to global synchronization, in
which a period of congestion is followed by a period of underutilization, as
multiple TCP hosts reduce their transmission rates simultaneously.
A more sophisticated approach to managing queue congestion is offered by
Cisco's implementation of Random Early Detection, called Weighted Random
Early Detection, or WRED. As shown in Figure 14-10, WRED reduces the
chances of tail drop by selectively dropping packets when the output interface
begins to show signs of congestion. By dropping some packets early instead of
waiting until the queue is full, WRED avoids dropping large numbers of packets
at once and allows the transmission line to be used fully at all times.

Figure 14-10    Weighted Random Early Detection

[Figure 14-10 labels: Incoming packets; Classify; Discard test (based on: buffer
queue depth, IP Precedence, RSVP session); Queueing buffer resources; Transmit
queue; FIFO scheduling; Outgoing packets.]

WRED is useful only when the bulk of the traffic is TCP/IP traffic, because TCP
hosts reduce their transmission rate in response to congestion. With other
protocols, packet sources might not respond, or might resend dropped packets at
the same rate. As a result, dropping packets does not decrease congestion.

Note

WRED treats non-IP traffic as precedence 0, the lowest precedence value.
Therefore, non-IP traffic is more likely to be dropped than IP traffic.

Related Topics

• Low-Latency Queuing, page 14-160

• Default Class Queuing, page 14-160

• Understanding Queuing Parameters, page 14-157

Low-Latency Queuing
The low-latency queuing (LLQ) feature brings strict priority queuing to CBWFQ.
Strict priority queuing gives delay-sensitive data, such as voice traffic, preference
over other traffic.

Note

Although it is possible to assign various types of real-time traffic to the strict
priority queue, we strongly recommend that you direct only voice traffic to it.

LLQ defines the maximum bandwidth that you can allocate to priority traffic
during times of congestion. Setting a maximum ensures that nonpriority traffic
does not starve (meaning that this traffic is also provided with bandwidth). When
the device is not congested, the priority class traffic is allowed to exceed its
allocated bandwidth. Policing drops packets from the priority queue; therefore,
neither WRED nor tail drop (as configured in the Queue Limit field) is used.
When LLQ is not used, CBWFQ provides weighted fair queuing based on defined
classes, with no strict priority queue available for real-time traffic.
Related Topics

• Tail Drop vs. WRED, page 14-158

• Default Class Queuing, page 14-160

• Understanding Queuing Parameters, page 14-157

Default Class Queuing


You use the Fair Queue field to define the number of dynamic queues that should
be reserved for the default class to use. This is the class to which traffic that does
not satisfy the match criteria of other classes is directed. By default, the number
of queues that are created is based on the interface bandwidth.

Table 14-7 lists the default number of dynamic queues that CBWFQ uses when it
is enabled on an interface:

Table 14-7    Default Number of Queues for Default Class

Bandwidth Range                                         Number of Dynamic Queues
Less than or equal to 64 kbps                           16
More than 64 kbps and less than or equal to 128 kbps    32
More than 128 kbps and less than or equal to 256 kbps   64
More than 256 kbps and less than or equal to 512 kbps   128
More than 512 kbps                                      256

Related Topics

• Tail Drop vs. WRED, page 14-158

• Low-Latency Queuing, page 14-160

• Understanding Queuing Parameters, page 14-157

Understanding Policing and Shaping Parameters


Security Manager offers two kinds of traffic regulation mechanisms:

• The rate-limiting feature of Class-Based Policing for policing traffic.
  Policing limits traffic flow to a configured rate. Policing can be performed on
  a selected interface or on the control plane. See Understanding Control Plane
  Policing, page 14-166.

• Distributed Traffic Shaping (DTS) for shaping traffic. Traffic shaping enables
  you to control the traffic leaving an interface (output traffic) in order to match
  its flow to the speed of the remote target interface and to ensure that the traffic
  conforms to the policies defined for it. By shaping traffic to meet downstream
  requirements, you can eliminate bottlenecks in topologies with data-rate
  mismatches. Shaping can either be performed on selected QoS classes or at
  the interface level (hierarchical shaping).

Both policing and shaping mechanisms use the traffic descriptor for a
packet - indicated by the classification of the packet (see Understanding Marking
Parameters, page 14-155) - to ensure adherence to the agreed upon level of
service. Although policers and shapers usually identify traffic descriptor
violations in the same way, they differ in the way they respond to violations, as
shown in Figure 14-11:

• A policer typically drops excess traffic. In other cases, it transmits the traffic
  with a different (usually lower) priority.

• A shaper typically delays excess traffic using a buffer, or queuing mechanism,
  to hold packets and shape the flow when the data rate of the source is higher
  than expected.

Figure 14-11    Traffic Policing vs. Traffic Shaping

[Figure 14-11 panels: Traffic Policing; Traffic Shaping. Each panel plots
Traffic Rate against Time.]

For information about defining policing and shaping parameters in a QoS policy,
see Defining QoS Class Policing Parameters, page 14-178 and Defining QoS
Class Shaping Parameters, page 14-180.

Related Topics

• Understanding the Token-Bucket Mechanism, page 14-163

• Understanding Marking Parameters, page 14-155

• Understanding Queuing Parameters, page 14-157

• Defining QoS Policies, page 14-167

• Quality of Service on Cisco IOS Routers, page 14-153

Understanding the Token-Bucket Mechanism


Both policing and shaping use a token-bucket mechanism to regulate data flow. A
token bucket is a formal definition of a rate of transfer. It has three components:
a burst size, a mean rate, and a time interval (Tc). Any one of these values can be
derived from the other two using this formula:

mean rate = burst size / time interval

These terms are defined as follows:

• Mean rate - Also called the committed information rate (CIR), it specifies
  how much data can be sent or forwarded per unit time on average. The CIR is
  defined either as an absolute value or as a percentage of the available
  bandwidth on the interface. When defined as a percentage, the equivalent
  value in bits per second (bps) is calculated after deployment based on the
  interface bandwidth and the percent value defined in the policy.

Note

If the interface bandwidth changes (for example, more bandwidth is
added), the bps value of the CIR is recalculated based on the revised
amount of bandwidth.

• Burst size - Also called the committed burst (Bc) size, it specifies for each
  burst how much data can be sent within a given time without creating
  scheduling concerns. When you use percentages to calculate the CIR, burst
  size is measured in milliseconds.

• Time interval - Also called the measurement interval, it specifies the amount
  of time in seconds per burst. Over any integral multiple of this interval, the
  bit rate of the interface does not exceed the mean rate. The bit rate, however,
  might be arbitrarily fast within the interval.

In the token-bucket metaphor, tokens are put into the bucket at a certain rate.
These tokens represent permission for the source to send a certain number of bits
into the network. To send a packet, the regulator (policer or shaper) must remove
a number of tokens from the bucket that equals the packet size.
Security Manager uses a two-bucket algorithm, as shown in Figure 14-12. The
first bucket is the conform bucket and the second bucket is the exceed bucket. The
full size of the conform bucket is the number of bytes specified as the normal burst
size. The full size of the exceed bucket is the number of bytes specified in the
maximum burst size. Both buckets are initially full, and they are updated based on
the token arrival rate, which is determined by the CIR. If the number of bytes in
the arriving packet is less than the number of bytes in the conform bucket, the
packet conforms. The required number of tokens are removed from the conform
bucket and the defined conform action is taken (for example, the packet is
transmitted). The exceed bucket is unaffected.
If the conform bucket does not contain sufficient tokens, the excess token bucket
is checked against the number of bytes in the packet. If enough tokens are present
in the two buckets combined, the exceed action is taken on the packet and the
required number of bytes are removed from each bucket. If the exceed bucket
contains an insufficient number of bytes, the packet is in violation of the burst
limits and the violate action is taken on the packet.

Figure 14-12    Two-Token Bucket Algorithm

[Figure 14-12 labels: Bc, Be; Tc: tokens in bucket #1; Te: tokens in bucket #2.
Test SIZE < Tc: yes -> Conform (action: Transmit); no -> test SIZE < Tc + Te:
yes -> Exceed (action: Remark Packet); no, SIZE > Tc + Te -> Violate (action: Drop).]

When you use traffic policing, the token-bucket algorithm provides three actions
for each packet: a conform action, an exceed action, and an optional violate
action. For instance, packets that conform can be configured to be transmitted,
packets that exceed can be configured to be sent with a decreased priority, and
packets that violate can be configured to be dropped.
Traffic policing is often configured on interfaces at the edge of a network to limit
the rate of traffic entering or leaving the network. In the most common traffic
policing configurations, traffic that conforms is transmitted and traffic that
exceeds is sent with a decreased priority or is dropped. You can change these
configuration options to suit your network needs.
When you use traffic shaping, the token-bucket mechanism includes a data buffer
for holding packets that cannot be sent immediately. (Policers do not have such a
buffer.) The token buckets permit packets to be sent in bursts, but place bounds
on this capability so that the flow is never faster than the capacity of the buckets
plus the time interval multiplied by the refill rate. The buffer also guarantees that
the long-term transmission rate does not exceed the CIR.
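The two-bucket policer of Figure 14-12 and the buffering shaper described above, as an added Python example that is not code from the guide or from Cisco IOS. The CIR, burst sizes and packet stream are constructed; two details the guide leaves open (how refill tokens spill from the conform bucket into the exceed bucket, and how an exceeding packet draws from both) are assumptions taken from the usual single-rate policer.

```python
def derive_bc(cir_bps, tc_seconds):
    """mean rate = burst size / time interval, so Bc = CIR * Tc (bits -> bytes)."""
    return cir_bps * tc_seconds / 8.0


class TwoBucketPolicer:
    """Conform and exceed buckets of Figure 14-12, refilled at the CIR.

    Assumptions (not spelled out by the guide): tokens that do not fit in the
    conform bucket spill into the exceed bucket; an exceeding packet empties
    the conform bucket before drawing the remainder from the exceed bucket;
    a packet exactly equal to the tokens available is treated as conforming.
    """

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir = cir_bps
        self.bc = bc_bytes          # normal burst: full size of bucket #1
        self.be = be_bytes          # maximum burst: full size of bucket #2
        self.tc = float(bc_bytes)   # tokens in bucket #1, initially full
        self.te = float(be_bytes)   # tokens in bucket #2, initially full
        self.last = 0.0

    def _refill(self, now):
        self.tc += (now - self.last) * self.cir / 8.0
        self.last = now
        if self.tc > self.bc:
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = float(self.bc)

    def police(self, size, now):
        """Return 'conform', 'exceed' or 'violate' for a packet of size bytes."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.tc + self.te:
            self.te -= size - self.tc
            self.tc = 0.0
            return "exceed"
        return "violate"


# Actions from the text: conform -> transmit, exceed -> send with decreased
# priority, violate -> drop. What "remark" writes is left to the caller.
ACTIONS = {"conform": "transmit", "exceed": "remark", "violate": "drop"}


class Shaper:
    """Single-bucket shaper: excess packets are buffered, not dropped, and
    released once the bucket holds enough tokens. shape() returns the send time."""

    def __init__(self, cir_bps, bc_bytes):
        self.cir = cir_bps
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)
        self.last = 0.0             # time the previous packet was released

    def shape(self, size, now):
        now = max(now, self.last)   # packets leave the buffer in order
        self.tokens = min(self.bc, self.tokens + (now - self.last) * self.cir / 8.0)
        if size > self.tokens:
            now += (size - self.tokens) * 8.0 / self.cir   # wait for tokens
            self.tokens = float(size)
        self.tokens -= size
        self.last = now
        return now


def demo():
    """Constructed packet stream: CIR 1024 kbps, Bc = Be = 2000 bytes
    (Tc = 1/64 s), chosen so every refill is an exact float."""
    cir = 1024000
    bc = derive_bc(cir, 1 / 64)
    policer = TwoBucketPolicer(cir, bc, bc)
    stream = [(0.0, 1000)] * 5 + [(1 / 64, 1000)] * 3 + [(3 / 64, 3000)]
    verdicts = [policer.police(size, t) for t, size in stream]
    shaper = Shaper(cir, bc)
    release = [shaper.shape(1000, 0.0) for _ in range(4)]
    return verdicts, release


if __name__ == "__main__":
    verdicts, release = demo()
    for v in verdicts:
        print(f"{v:8s} -> {ACTIONS[v]}")
    print("shaper release times:", release)
```

The same stream of four 1000-byte packets at t = 0 is dropped by the policer once both buckets are empty, but merely delayed by the shaper, which is the difference Figure 14-11 illustrates.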

Related Topics

• Understanding Control Plane Policing, page 14-166

• Understanding Policing and Shaping Parameters, page 14-161

Understanding Control Plane Policing


The Control Plane Policing feature enables you to manage input traffic entering
the control plane (CP) of the router. The CP is a collection of processes that run
at the process level on the route processor. These processes collectively provide
high-level control for most Cisco IOS functions. Control plane policing protects
the CP of Cisco IOS routers and switches against reconnaissance and
denial-of-service (DoS) attacks, enabling the CP to maintain packet forwarding
and protocol states despite an attack or heavy traffic load on the router or switch.
The Control Plane Policing feature treats the CP as a separate entity with its own
ingress (input) and egress (output) ports, enabling you to use Security Manager to
configure QoS policies on input. These policies are applied when a packet enters
the CP. You can configure a QoS policy to prevent unwanted packets from
progressing after a specified rate limit is reached. For example, a system
administrator can limit all TCP/SYN packets that are destined for the CP to a
maximum rate of 1 megabit per second. Additional packets beyond this limit are
silently discarded.
The following types of Layer 3 packets are forwarded to the CP and processed by
aggregate control plane policing:

• Routing protocol control packets

• Packets destined for the local IP address of the router

• Packets from management protocols, such as SNMP, Telnet, and secure shell
  (SSH).

Note

Support for output policing is available only in Cisco IOS Release 12.3(4)T and
later T-train releases.

For information about how to define Control Plane Policing, see Defining QoS on
the Control Plane, page 14-171. For more information about this feature, refer to
the document, Control Plane Policing on Cisco.com at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html

Related Topics

• Understanding the Token-Bucket Mechanism, page 14-163

• Understanding Policing and Shaping Parameters, page 14-161

Defining QoS Policies


When you define QoS policies, you must first decide whether to configure the
policy on specific interfaces or on the control plane. This initial choice determines
how you configure the rest of the policy, as described in the following topics:

• Defining QoS on Interfaces, page 14-167

• Defining QoS on the Control Plane, page 14-171

Note

If you define a QoS policy on both the interfaces and the control plane of the same
device, only the control plane configuration is deployed.
Related Topics

Quality of Service on Cisco IOS Routers, page 14-153

Defining QoS on Interfaces


You can create multiple QoS interface definitions, each of which applies to either
input traffic (entering the router) or output traffic (exiting the router).
When you create a QoS interface definition on output traffic, you have the option
of configuring hierarchical shaping on the interface as a whole instead of
configuring shaping on individual QoS classes.
After you create your interface definitions, you must define one or more QoS
classes on each interface. QoS classes contain the matching criteria that determine
which packets are included in the class and the QoS functions (marking, queuing,
policing, and shaping) to apply to that traffic. You can configure each interface (or
interface role) with up to 16 QoS classes, each containing its own set of matching
criteria and a defined set of QoS functions to apply to the traffic in that class.
We recommend that for each interface you define at least one QoS class and a
default class. If you do not configure a default class, packets that do not match
the criteria of the other defined classes are treated as members of a default class
that has no configured QoS functionality. Packets assigned to this class are placed
in a simple first-in first-out (FIFO) queue, and are forwarded at a rate determined
by the available underlying link bandwidth. This FIFO queue is managed by tail
drop, which avoids congestion by dropping packets from the queue until it is no
longer full.

Note

QoS is applied to packets on a first-match basis. The router examines the table of
QoS classes starting from the top and applies the properties of the first class
whose matching criteria matches the packet. Therefore, it is important that you
define and order your classes carefully. The default class should be placed last to
prevent traffic that matches a specific class from being treated as unmatched
traffic.
Before You Begin

• Use FlexConfigs or the CLI to configure the ip cef command. On certain
Cisco IOS routers, QoS does not work if this command is not configured. For
more information, see Quality of Service and CEF, page 14-154.

Procedure

Step 1

Do one of the following:

• (Device view) Select Platform > Quality of Service from the Policy selector.

• (Policy view) Select Router Platform > Quality of Service from the Policy
Type selector. Right-click Quality of Service to create a policy, or select an
existing policy from the Shared Policy selector.

The Quality of Service page is displayed. See Table K-87 on page K-216 for a
description of the fields on this page.

Step 2

In the Applied to field, select Interfaces to define QoS parameters for specific
interfaces on the selected router.

Step 3

Click the Add button under the upper table to display the QoS Policy dialog box.
See Table K-88 on page K-220 for a description of the fields in this dialog box.

Step 4

In the Interface field, enter the name of an interface or interface role, or click
Select to display a selector (see Object Selectors, page F-558).

Tip

If the interface role you want is not listed in the selector, click the Create
button or the Edit button to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 5

Select the traffic direction on which you want to apply the QoS definition, Output
(traffic exiting the interface) or Input (traffic entering the interface). Queuing and
shaping can be applied only to output traffic.

Step 6

(Optional) Define interface-level (hierarchical) shaping parameters. See
Table K-88 on page K-220 for details.

Note

When you enable hierarchical shaping on an interface, you cannot define
shaping parameters for specific QoS classes.

Note

Shaping can be used only on output traffic. See Understanding Policing
and Shaping Parameters, page 14-161 for more information about
shaping.

Step 7

Click OK. The QoS interface definition is displayed in the upper table of the
Quality of Service page.

Note

To edit a QoS interface definition, select an interface from the upper table,
then click the Edit button. To remove an interface definition, select it
from the table, then click the Delete button. You cannot delete an interface
that has defined classes.

Step 8

With the interface selected in the upper table, click the Add button beneath the
QoS Classes table. The QoS Class dialog box is displayed. See Table K-89 on
page K-223 for a description of the fields in this dialog box.
The QoS Class dialog box enables you to determine which traffic over the selected
interface is included in the QoS class and how to handle that traffic.


Step 9

(Optional) Select the Default class check box if you are defining the properties
of the default QoS class for this interface. The default class is assigned to all
traffic that does not match the criteria of the other defined classes.

Step 10

Define the QoS class using one or more tabs in the QoS Class dialog box, as
described in:

• Defining QoS Class Matching Parameters, page 14-172

• Defining QoS Class Marking Parameters, page 14-175

• Defining QoS Class Queuing Parameters, page 14-176

• Defining QoS Class Policing Parameters, page 14-178

• Defining QoS Class Shaping Parameters, page 14-180

Step 11

Repeat steps 8 through 10 to add QoS classes to the interface defined in Step 3. If
required, use the Up Row and Down Row buttons to reorder the classes.

Note

To edit a QoS class, select the relevant interface from the upper table to
display its defined classes in the QoS Class table. Select the class to edit,
then click the Edit button. To remove a class, select it from the table, then
click the Delete button.

Step 12

Repeat steps 3 through 11 to define QoS classes for a different interface on the
selected router.

Step 13

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining QoS Policies, page 14-167

Defining QoS on the Control Plane, page 14-171

Quality of Service on Cisco IOS Routers, page 14-153


Defining QoS on the Control Plane


When you configure QoS on input traffic entering the control plane, you can
define multiple QoS classes, including a default class for traffic that does not
match the criteria you define for the other classes. After defining the matching
criteria for a particular class, you can configure a policing definition for that class.
(Marking, queuing, and shaping are not available.) For more information, see
Understanding Control Plane Policing, page 14-166.
QoS policies defined on the control plane override any QoS parameters defined
on an interface of the same device.

Note

QoS is applied to packets on a first-match basis. The router examines the table of
QoS classes starting from the top and applies the properties of the first class
whose matching criteria matches the packet. Therefore, it is important that you
define and order your classes carefully. The default class should be placed last to
prevent traffic that matches a specific class from being treated as unmatched
traffic.
Before You Begin

• Use FlexConfigs or the CLI to configure the ip cef command. On certain
Cisco IOS routers, QoS does not work if this command is not configured. For
more information, see Quality of Service and CEF, page 14-154.

Procedure

Step 1

Do one of the following:

• (Device view) Select Platform > Quality of Service from the Policy selector.

• (Policy view) Select Router Platform > Quality of Service from the Policy
Type selector. Right-click Quality of Service to create a policy, or select an
existing policy from the Shared Policy selector.

The Quality of Service page is displayed. See Table K-87 on page K-216 for a
description of the fields on this page.

Step 2

In the Applied to field, select Control Plane to define QoS policing on input
traffic entering the control plane.


Step 3

Click the Add button beneath the Control Plane QoS Classes table. The QoS Class
dialog box is displayed. See Table K-89 on page K-223 for a description of the
fields in this dialog box.
The QoS Class dialog box enables you to determine which traffic over the selected
interface is included in the QoS class and how to handle that traffic.

Step 4

(Optional) Select the Default class check box if you are defining the properties
of the default QoS class for the control plane. The default class is assigned to all
traffic that does not match the criteria of the other defined classes.

Step 5

Define the QoS class using the tabs in the QoS Class dialog box, as described in
the following sections:

• Defining QoS Class Matching Parameters, page 14-172

• Defining QoS Class Policing Parameters, page 14-178

Step 6

Repeat steps 3 through 5 to add QoS classes to the control plane. If required, use
the Up Row and Down Row buttons to reorder the classes.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining QoS Policies, page 14-167

Defining QoS on Interfaces, page 14-167

Quality of Service on Cisco IOS Routers, page 14-153

Defining QoS Class Matching Parameters


When you define matching parameters, you must define matching criteria and
specify whether packets must meet one or all of the criteria to be considered part
of the class. See Understanding Matching Parameters, page 14-154 for more
information.

Note

You do not define matching parameters when configuring the default class.


Procedure

Step 1

On the Quality of Service page, click the Add button beneath the QoS Classes
table, or select a class and then click the Edit button. The QoS Class dialog box
is displayed.

Step 2

Click the Matching tab. See Table K-90 on page K-225 for a description of the
fields on this tab.

Step 3

Select a matching method:

• Any: Traffic matching any of the defined parameters is included in this class.

• All: Only traffic matching all of the defined parameters is included in this
class.

Step 4

(Optional) Under Protocol, click Add to display a selector for choosing the
protocols to include in this class. Select one or more items from the Available
Protocols list, then click >> to add them to the Selected Protocols list.

Note

When configuring QoS on the control plane, only the ARP protocol can
be selected.

When you finish, click OK to save your definitions and return to the QoS Class
dialog box. Your selections are displayed in the Protocol field.
Step 5

(Optional) Under Precedence, click Add to display a selector for choosing which
IP precedence values (from 0 to 7) to include in this class. Select one or more
items from the Available Precedences list, then click >> to add them to the
Selected Precedences list. Traffic that arrives marked with one of these values
matches this criterion.

Note

For more information about IP precedence values, see Table 14-6 on
page 14-156.

When you finish, click OK to save your definitions and return to the QoS Class
dialog box. Your selections are displayed in the Precedences field.
Step 6

(Optional) Under DSCP, click Add to display a selector for choosing which DSCP
values (from 0 to 63) to include in this class. Select one or more items (up to eight)
from the Available DSCPs list, then click >> to add them to the Selected DSCPs
list. Traffic that arrives marked with one of these values matches this criterion.

When you finish, click OK to save your definitions and return to the QoS Class
dialog box. Your selections are displayed in the DSCP field.
Step 7

(Optional) Under ACL, define ACLs as part of the matching criteria for this class:

a. Click Edit to display the Edit ACLs dialog box. Use this dialog box to define
which ACLs to include in this class. See Table K-91 on page K-227 for a
description of the fields in this dialog box.

b. Enter one or more ACLs, or click Select to display a selector (see Object
Selectors, page F-558). Traffic that matches these ACL definitions matches
this criterion.

c. When you finish, click OK twice to save your definitions and return to the
QoS Class dialog box. Your selections are displayed in the ACL field.

Tip

Use the up and down arrows to order the ACLs. We recommend placing
more frequently used ACLs at the top of the list to optimize the matching
process.

Step 8

Go to another tab or click OK to save your definitions locally on the client and
close the dialog box. The defined class is displayed in the QoS Classes table on
the Quality of Service page.

Step 9

Do one of the following:

• When defining QoS on interfaces, continue as described in Defining QoS
Policies, page 14-167, Step 11.

• When defining control plane policing, continue as described in Defining QoS
on the Control Plane, page 14-171, Step 6.
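The following is an added example, not code from this guide or from Security Manager, that models what the first-match notes in Defining QoS on Interfaces and Defining QoS on the Control Plane and the Any/All matching methods on the Matching tab mean for a packet: the class table is walked top down, an All class needs every configured criterion to hold, an Any class needs one, and a default class placed first swallows everything. It also checks the limits this section states (16 classes per interface, up to eight DSCP values per class, default class last). The packet fields, protocol names, the simplified ACL representation, and the sample classes and packets are constructed for the example and are not the product's data model.

```python
"""Added example: first-match QoS classification with Any/All matching and a
validator for the limits stated in the guide. Illustrative code only; packet
fields, protocol names and the ACL representation are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_CLASSES_PER_INTERFACE = 16   # limit stated in Defining QoS on Interfaces
MAX_DSCPS_PER_CLASS = 8          # limit stated for the DSCP selector


def acl_permits(acl, pkt) -> bool:
    """Assumed simplified ACL: a list of (protocol, destination network,
    destination port) permit entries. port None means any port; protocol
    "ip" means any protocol."""
    for proto, net, port in acl:
        if (proto in ("ip", pkt["protocol"])
                and ip_address(pkt["dst_ip"]) in ip_network(net)
                and port in (None, pkt.get("dst_port"))):
            return True
    return False


@dataclass
class QosClass:
    name: str
    match: str = "any"            # "any": one criterion suffices; "all": every criterion must hold
    protocols: set = field(default_factory=set)
    precedences: set = field(default_factory=set)   # IP precedence values 0..7
    dscps: set = field(default_factory=set)         # DSCP values 0..63
    acls: list = field(default_factory=list)        # each entry is an ACL as above
    default: bool = False         # the default class carries no matching criteria

    def matches(self, pkt) -> bool:
        if self.default:
            return True
        results = []
        if self.protocols:
            results.append(pkt["protocol"] in self.protocols)
        if self.precedences:
            results.append(pkt["precedence"] in self.precedences)
        if self.dscps:
            results.append(pkt["dscp"] in self.dscps)
        if self.acls:
            results.append(any(acl_permits(acl, pkt) for acl in self.acls))
        if not results:           # a non-default class without criteria matches nothing
            return False
        return any(results) if self.match == "any" else all(results)


def classify(classes, pkt):
    """Walk the class table from the top and return the first class that matches,
    or None for traffic that no class (and no default class) covers."""
    for cls in classes:
        if cls.matches(pkt):
            return cls.name
    return None


def validate_classes(classes) -> list:
    """Return the problems a class table has under the limits the guide states."""
    problems = []
    if len(classes) > MAX_CLASSES_PER_INTERFACE:
        problems.append(f"{len(classes)} classes exceeds {MAX_CLASSES_PER_INTERFACE}")
    defaults = [i for i, c in enumerate(classes) if c.default]
    if len(defaults) > 1:
        problems.append("more than one default class")
    if defaults and defaults[0] != len(classes) - 1:
        problems.append("default class is not last; later classes can never match")
    for c in classes:
        if len(c.dscps) > MAX_DSCPS_PER_CLASS:
            problems.append(f"class {c.name}: {len(c.dscps)} DSCP values exceeds {MAX_DSCPS_PER_CLASS}")
    return problems


# Constructed classes: VOICE requires both the EF marking and a destination in
# the voice subnet (All), so a sender cannot enter it by marking alone; MGMT
# matches any of its criteria (Any); DEFAULT catches the rest.
VOICE = QosClass("VOICE", match="all", dscps={46}, acls=[[("udp", "10.1.0.0/16", None)]])
MGMT = QosClass("MGMT", match="any", protocols={"ssh", "snmp"}, precedences={6, 7})
DEFAULT = QosClass("DEFAULT", default=True)
ORDERED = [VOICE, MGMT, DEFAULT]
MISORDERED = [DEFAULT, VOICE, MGMT]   # default first: every packet lands in DEFAULT

# Constructed packets.
VOICE_PKT = {"protocol": "udp", "precedence": 5, "dscp": 46, "dst_ip": "10.1.2.3", "dst_port": 5060}
SPOOFED_EF = {"protocol": "udp", "precedence": 5, "dscp": 46, "dst_ip": "192.0.2.9", "dst_port": 53}
SSH_PKT = {"protocol": "ssh", "precedence": 0, "dscp": 0, "dst_ip": "10.9.9.1", "dst_port": 22}

if __name__ == "__main__":
    for pkt in (VOICE_PKT, SPOOFED_EF, SSH_PKT):
        print(classify(ORDERED, pkt), classify(MISORDERED, pkt))
    print(validate_classes(MISORDERED))
```

The SPOOFED_EF packet carries the voice DSCP marking but is not addressed to the voice subnet; because VOICE uses the All method it falls through to DEFAULT, which is the outcome a defender wants when arriving markings cannot be trusted. With MISORDERED, the same table with the default class moved to the top, every packet is classified as DEFAULT, which is the failure the first-match note warns about.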

Related Topics

Defining QoS Class Marking Parameters, page 14-175

Defining QoS Class Queuing Parameters, page 14-176

Defining QoS Class Policing Parameters, page 14-178

Defining QoS Class Shaping Parameters, page 14-180

Defining QoS Policies, page 14-167

Quality of Service on Cisco IOS Routers, page 14-153


Defining QoS Class Marking Parameters


When you define marking parameters, you can mark the packets in this QoS class
with either a precedence value or a DSCP value. See Understanding Marking
Parameters, page 14-155 for more information.

Note

Marking is not available when you configure QoS on the control plane.
Procedure

Step 1

On the Quality of Service page, click the Add button beneath the QoS Classes
table, or select a class and then click the Edit button. The QoS Class dialog box
is displayed.

Step 2

Click the Marking tab. See Table K-92 on page K-228 for a description of the
fields on this tab.

Step 3

Select the Enable Marking check box.

Step 4

Select one of the following marking options:

• Precedence: Select an IP precedence value (0 to 7) from the displayed list.
For more information about these values, see Table 14-6 on page 14-156.

• DSCP: Select a DSCP value (0 to 63) from the displayed list.

Step 5

Go to another tab or click OK to save your definitions locally on the client and
close the dialog box. The defined class is displayed in the QoS Classes table on
the Quality of Service page.

Step 6

Continue as described in Defining QoS Policies, page 14-167, Step 11.

Related Topics

Defining QoS Class Matching Parameters, page 14-172

Defining QoS Class Queuing Parameters, page 14-176

Defining QoS Class Policing Parameters, page 14-178

Defining QoS Class Shaping Parameters, page 14-180

Defining QoS Policies, page 14-167

Quality of Service on Cisco IOS Routers, page 14-153



Defining QoS Class Queuing Parameters


When you define queuing parameters, you can specify the amount of available
bandwidth to provide to the traffic in this QoS class. You can also define a fixed
amount of bandwidth that must be provided to high-priority traffic; you can define
the priority parameter on only one class per interface. In addition, you must
specify the type of queue management to perform on this class. See
Understanding Queuing Parameters, page 14-157 for more information.

Note

Queuing is not available when you configure QoS on the control plane.
Procedure

Step 1

On the Quality of Service page, click the Add button beneath the QoS Classes
table, or select a class and then click the Edit button. The QoS Class dialog box
is displayed.

Step 2

Click the Queuing and Congestion Avoidance tab. See Table K-93 on
page K-230 for a description of the fields on this tab.

Step 3

Click the Enable Queuing and Congestion Avoidance check box.

Queuing options depend on whether you are defining the default class or a
different class:

• When you define any class other than the default class, select one of the
following queuing options:

  – Priority: Define the amount of bandwidth to make available to
  high-priority traffic. Low Latency Queuing (LLQ) ensures that this
  traffic receives this fixed amount of bandwidth at all times. This is
  particularly useful for voice traffic, which requires low latency. You can
  define this amount by percentage or by an absolute value of kilobits per
  second.

  Note

  You can define this option for only one class per interface.

  – Bandwidth: Enter the amount of bandwidth to allocate to this class. You
  can define this amount by percentage or by an absolute value of kilobits
  per second.

  Note

  The sum of all class bandwidth allocations on an interface cannot
  exceed 100 percent of the total available bandwidth.

• When you define the default class, select one of the following queuing
options:

  – Fair queue: Enter the number of queues to reserve for the default class.
  Values range in powers of 2 from 16 to 4096. By default, the number of
  queues is based on the available bandwidth of the selected interface. For
  more information, see Table 14-7 on page 14-161.

  – Bandwidth: Enter the amount of bandwidth to allocate to this class. You
  can define this amount by percentage or by an absolute value of kilobits
  per second.

Step 4

(Optional) Define one of the following queue length management options:

• Queue Limit (Default): Specify the maximum number of packets allowed. If
you select this option, tail drop drops excess packets when the queue reaches
its capacity.

• WRED Weight for Mean Queue Depth: WRED proactively drops packets
until the transmitting protocol (usually TCP) responds by dropping its
transmission rate, thereby alleviating congestion. Configure WRED by
entering an exponential weight factor that is used to calculate the average
queue size.

For more information, see Tail Drop vs. WRED, page 14-158.

Note

You should change the default only if you are certain that your
applications will benefit from a different value.

Note

Do not use WRED with protocols that are not sufficiently robust to
reduce their transmission rates in response to packet loss, such as IPX
or AppleTalk. WRED cannot be configured when you select the
Priority percent option.


Step 5

Go to another tab or click OK to save your definitions locally on the client and
close the dialog box. The defined class is displayed in the QoS Classes table on
the Quality of Service page.

Step 6

Continue as described in Defining QoS Policies, page 14-167, Step 11.

Related Topics

Defining QoS Class Matching Parameters, page 14-172

Defining QoS Class Marking Parameters, page 14-175

Defining QoS Class Policing Parameters, page 14-178

Defining QoS Class Shaping Parameters, page 14-180

Defining QoS Policies, page 14-167

Quality of Service on Cisco IOS Routers, page 14-153

Defining QoS Class Policing Parameters


When you define policing parameters, you must specify the average data rate,
which determines the amount of traffic that can be transmitted. In addition, you
must specify the action to take on traffic bursts that exceed this data rate.
You can configure policing for all QoS classes, including the default class. For
more information about policing, see Understanding Policing and Shaping
Parameters, page 14-161.
You can also configure policing on the control plane. For more information, see
Understanding Control Plane Policing, page 14-166.
Procedure
Step 1

On the Quality of Service page, click the Add button beneath the QoS Classes
table, or select a class and then click the Edit button. The QoS Class dialog box
is displayed.

Step 2

Click the Policing tab. See Table K-94 on page K-232 for a description of the
fields on this tab.

Step 3

Select the Enable Policing check box.


Step 4

Define CIR, confirm burst, and excess burst values. You can define the CIR by
percentage or by an absolute value of bits per second. The option you choose
determines how you define the burst values.

Step 5

Select the action to perform on packets that conform to the rate limit:

• transmit: Transmit the packet.

• set-prec-transmit: Set the IP precedence to a defined value, then send the
packet. This option is not available when configuring QoS on the control
plane.

• set-dscp-transmit: Set the DSCP to a defined value, then send the packet.
This option is not available when configuring QoS on the control plane.

• drop: Drop the packet.

Step 6

Select the action to perform on exceed packets. The list of available actions
depends on the selected conform action.
For example, if transmit is performed on conforming packets, you can select any
of the actions listed in Step 5 for exceeding packets. However, if you selected one
of the set actions for conforming packets, you can select only a set action or the
drop action for exceeding packets. If you selected drop as the conform action, you
must select drop as the exceed action.

Step 7

Select the action to perform on violate packets. The list of available actions
depends on the selected exceed action.
For example, if transmit is performed on exceeding packets, you can select any of
the actions listed in Step 5 for violating packets. However, if you selected one of
the set actions for exceeding packets, you can select only a set action or the drop
action for violating packets. If you selected drop as the exceed action, you must
select drop as the violate action.

Step 8

Go to another tab, or click OK to save your definitions locally on the client and
close the dialog box. The defined class is displayed in the QoS Classes table on
the Quality of Service page.

Step 9

Do one of the following:

• When defining QoS on interfaces, continue as described in Defining QoS
Policies, page 14-167, Step 11.

• When defining control plane policing, continue as described in Defining QoS
on the Control Plane, page 14-171, Step 6.
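The following is an added example, not code from this guide, Security Manager, or Cisco IOS, that shows what the values entered on the Policing tab (CIR, conform burst, excess burst) and the conform/exceed/violate actions of Steps 5 through 7 do to a packet stream. It models the policer as two token buckets in the single-rate, three-colour style (RFC 2697), which is an assumption about the device behaviour rather than something this section states, and it runs the 1 megabit per second TCP/SYN limit from Understanding Control Plane Policing against a constructed flood of 64-byte packets. The burst sizes and the traffic sample are constructed values. A second function encodes the rule of Steps 6 and 7 that a set action can only be followed by a set action or drop, and drop only by drop.

```python
"""Added example: a single-rate, three-colour policer (CIR, Bc, Be) and a
check of the conform/exceed/violate action combinations the Policing tab
accepts. Illustrative code only; the two-bucket model and all numbers are
assumptions made for the example."""
from dataclasses import dataclass, field

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"

# The four actions offered on the Policing tab.
ACTIONS = ("transmit", "set-prec-transmit", "set-dscp-transmit", "drop")
SET_ACTIONS = ("set-prec-transmit", "set-dscp-transmit")


@dataclass
class Policer:
    cir_bps: int                    # committed information rate, bits per second
    bc_bytes: int                   # conform burst: depth of the committed bucket
    be_bytes: int                   # excess burst: depth of the excess bucket
    tc: float = field(init=False)   # tokens currently in the committed bucket
    te: float = field(init=False)   # tokens currently in the excess bucket
    last: float = 0.0               # arrival time of the previous packet, seconds

    def __post_init__(self):
        # Both buckets start full: an initial burst of Bc bytes conforms and a
        # further Be bytes exceed before any packet violates.
        self.tc = float(self.bc_bytes)
        self.te = float(self.be_bytes)

    def classify(self, size_bytes: int, now: float) -> str:
        """Colour one packet of size_bytes arriving at time now (seconds)."""
        # Tokens accrue at CIR/8 bytes per second; the committed bucket fills
        # first and anything beyond Bc spills into the excess bucket.
        refill = (now - self.last) * self.cir_bps / 8.0
        self.last = now
        self.tc += refill
        if self.tc > self.bc_bytes:
            self.te = min(float(self.be_bytes), self.te + (self.tc - self.bc_bytes))
            self.tc = float(self.bc_bytes)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return CONFORM
        if size_bytes <= self.te:
            self.te -= size_bytes
            return EXCEED
        return VIOLATE


def allowed_next_actions(previous: str) -> set:
    """Actions permitted for exceed (given conform) or violate (given exceed)."""
    if previous == "transmit":
        return set(ACTIONS)                  # after transmit, any action
    if previous in SET_ACTIONS:
        return set(SET_ACTIONS) | {"drop"}   # after a set action, only set or drop
    if previous == "drop":
        return {"drop"}                      # after drop, only drop
    raise ValueError(f"unknown action {previous!r}")


def validate_actions(conform: str, exceed: str, violate: str) -> bool:
    """True when the three actions form a combination the Policing tab accepts."""
    if conform not in ACTIONS:
        return False
    return exceed in allowed_next_actions(conform) and violate in allowed_next_actions(exceed)


def simulate(policer: Policer, arrivals) -> dict:
    """Run (size_bytes, time_seconds) arrivals through the policer; count colours."""
    counts = {CONFORM: 0, EXCEED: 0, VIOLATE: 0}
    for size, t in arrivals:
        counts[policer.classify(size, t)] += 1
    return counts


def syn_flood_demo() -> dict:
    """Constructed input: 10,000 64-byte packets spread evenly over one second
    (about 5 Mbit/s) against the 1 Mbit/s limit used as the example in
    Understanding Control Plane Policing. Bc and Be are constructed values."""
    policer = Policer(cir_bps=1_000_000, bc_bytes=12_500, be_bytes=12_500)
    arrivals = [(64, i * 0.0001) for i in range(10_000)]
    return simulate(policer, arrivals)


if __name__ == "__main__":
    print(syn_flood_demo())   # roughly a fifth conforms; most of the stream violates
    print(validate_actions("transmit", "drop", "drop"))               # True
    print(validate_actions("set-dscp-transmit", "transmit", "drop"))  # False
```

In the flood run the committed bucket admits an initial burst and then about CIR/8 bytes per second (around 1,950 of the 64-byte packets per second), the excess bucket admits one further burst of Be bytes, and everything else is coloured violate; with drop as the violate action the control plane sees only the committed rate, which is the protection the section describes. The action check mirrors the dialog's own constraint: once a step downgrades to a set action or to drop, later steps cannot go back to plain transmit.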


Related Topics

Defining QoS Class Matching Parameters, page 14-172

Defining QoS Class Marking Parameters, page 14-175

Defining QoS Class Queuing Parameters, page 14-176

Defining QoS Class Shaping Parameters, page 14-180

Defining QoS Policies, page 14-167

Quality of Service on Cisco IOS Routers, page 14-153

Defining QoS Class Shaping Parameters


When you define shaping parameters, you must specify whether to base traffic
shaping on the average data rate or on the average data rate plus the excess burst
rate that occurs during traffic peaks. In both cases, traffic that exceeds these
definitions is buffered until the rate lowers, allowing the packets to be sent.
For more information about shaping, see Understanding Policing and Shaping
Parameters, page 14-161.

Note

• Shaping can be used only on output traffic.

• Shaping can be configured for all QoS classes, including the default class.

• Shaping is not available when you configure the QoS class for priority traffic.

• Shaping is not available when you configure QoS on the control plane.

Tip

To configure shaping on all the QoS classes defined for the interface (hierarchical
shaping), see Defining QoS on Interfaces, page 14-167.
Procedure

Step 1

On the Quality of Service page, click the Add button beneath the QoS Classes
table, or select a class and then click the Edit button. The QoS Class dialog box
is displayed.

Step 2

Click the Shaping tab. See Table K-95 on page K-235 for a description of the
fields on this tab.

Step 3

Select the Enable Shaping check box.

Step 4

Select the shaping type (Average or Peak).

Step 5

Define CIR, sustained burst, and excess burst values. You can define the CIR by
percentage or by an absolute value of bits per second. The option you choose
determines how you define the burst values.

Step 6

Proceed to another tab or click OK to save your definitions locally on the client
and close the dialog box. The defined class is displayed in the QoS Classes table
on the Quality of Service page.

Step 7

Continue as described in Defining QoS Policies, page 14-167, Step 11.

Related Topics

Defining QoS Class Matching Parameters, page 14-172

Defining QoS Class Marking Parameters, page 14-175

Defining QoS Class Queuing Parameters, page 14-176

Defining QoS Class Policing Parameters, page 14-178

Defining QoS Policies, page 14-167

Quality of Service on Cisco IOS Routers, page 14-153

BGP Routing on Cisco IOS Routers


BGP is an Exterior Gateway Protocol (EGP) that guarantees the loop-free
exchange of routing information between autonomous systems (ASs). The
primary function of a BGP system is to exchange information with other
BGP systems about the networks it can reach, including AS path information.
This information can be used to construct a graph of AS connectivity from
which routing loops can be pruned and with which AS-level policy decisions
can be enforced.


BGP is the routing protocol used on the Internet and is commonly used between
Internet service providers. To achieve scalability at this level, BGP uses several
route parameters (attributes) to define routing policies and maintain a stable
routing environment. Additionally, BGP uses classless interdomain routing
(CIDR) to greatly reduce the size of Internet routing tables.
A BGP route consists of a network number, a list of ASs through which
information has passed (called the autonomous system path), and the defined path
attributes.
A BGP router exchanges routing information only with those routers that you
define as its neighbors. BGP neighbors exchange complete routing information
when the TCP connection between them is established. Updates are sent to
neighbors only when changes to the routing table are detected. BGP routers do not
send regular, periodic updates.
The following topics describe the tasks you perform to create a BGP routing
policy:

• Defining BGP Routes, page 14-183

• Redistributing Routes into BGP, page 14-185

Note

Security Manager supports versions 2, 3 and 4 of BGP, as defined in RFCs 1163,
1267 and 1771.
Related Topics

Static Routing on Cisco IOS Routers, page 14-217

RIP Routing on Cisco IOS Routers, page 14-212

OSPF Routing on Cisco IOS Routers, page 14-195

EIGRP Routing on Cisco IOS Routers, page 14-187

Managing Routers, page 14-1


Defining BGP Routes


As with all EGPs, when you configure a BGP routing policy, you must define the
relationship the router has with its neighbors. BGP supports two kinds of
neighbors: internal (located in the same AS) and external (located in a different
AS). Typically, external neighbors are adjacent to each other and share a subnet;
internal neighbors can be anywhere in the same AS.
In addition, you can select whether to enable the following optional features:

• Auto-summarization

• Synchronization

• Neighbor logging

If enabled, auto-summarization injects only the network route when a subnet is
redistributed from an Interior Gateway Protocol (IGP) such as OSPF or EIGRP
into BGP. Synchronization is useful if your AS acts as an intermediary, passing
traffic from one AS to another AS, because it ensures that your AS is consistent
about the routes it advertises. For example, if BGP were to advertise a route before
all routers in your network had learned about the route through your IGP, your AS
might receive traffic that some routers cannot yet route. Neighbor logging enables
the router to keep track of messages issued by BGP neighbors when they reset,
become unreachable, or restore their connection to the network.
This procedure describes how to define a BGP route. You can define only one
BGP route on each router.
Procedure
Step 1

Do one of the following:

• (Device view) Select Platform > Routing > BGP from the Policy selector,
then click the Setup tab in the work area.

• (Policy view) Select Router Platform > Routing > BGP from the Policy
Type selector. Right-click BGP to create a policy, or select an existing policy
from the Shared Policy selector. Then click the Setup tab.

The BGP Setup tab is displayed. See Table K-96 on page K-238 for a description
of the fields on this tab.
Step 2

On the BGP Setup tab, enter the AS number to which the router belongs.


Step 3

(Optional) Enter the addresses of the networks that are local to this AS. You can
use a combination of addresses and network/host objects, or click Select to
display a selector (see Object Selectors, page F-558). For more information, see
Specifying IP Addresses During Policy Definition, page 8-135.

Tip

If the network you want is not listed, click the Create button or the Edit
button in the selector to display the Network/Host Dialog Box,
page F-433. From here you can define a network/host object to use in the
policy.

Step 4

Define external and internal BGP neighbors for the router:

a. Click Add under Neighbors to display the BGP Neighbors dialog box. See
Table K-97 on page K-240 for a description of the fields in this dialog box.

b. Enter an AS number and then click Select to select the hosts that are
neighbors within the defined AS. Internal neighbors are located in the same
AS as the router; external neighbors are located in a different AS.

c. Click OK to save your definitions and return to the BGP Neighbors dialog
box.

d. (Optional) Repeat steps b and c to define neighbors in additional ASs.

Note

When you define BGP neighbors, the IP addresses cannot belong to
an interface on the selected router. In addition, you cannot define the
same IP address in more than one AS.

When you finish, click OK in the BGP Neighbors dialog box to return to the BGP
Setup tab. Your selections are displayed in the Neighbors field.
Step 5

(Optional) Select the Auto-Summary check box to enable automatic
summarization. If automatic summarization is enabled, only the network route is
injected into the BGP table when a subnet is redistributed from an IGP (such as
OSPF or EIGRP) into BGP.

Step 6

(Optional) Select the Synchronization check box to synchronize BGP with the
IGP. Enabling this feature causes BGP to wait until the IGP propagates routing
information across the AS.


You do not need synchronization if your AS does not pass traffic it receives from
one AS to another AS, or if all the routers in your AS run BGP. Disabling
synchronization enables BGP to converge more quickly.
Step 7

(Optional) Select the Log-Neighbor check box to enable the logging of messages
generated when a BGP neighbor resets, comes up, or goes down.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
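The two checks from the Note in Step 4 and the Auto-Summary behavior from Step 5 can be expressed as small functions. The following is an added example, not code from the Cisco guide or from Security Manager itself; the interface addresses, neighbor lists, and AS numbers are constructed sample data, and the classful summarization follows the standard class A/B/C boundaries that Auto-Summary uses.

```python
import ipaddress

# Added example, not from the Cisco guide. Constructed sample data: the
# addresses configured on this router's own interfaces, and the neighbor
# definitions as they would be entered on the BGP Setup tab (AS -> hosts).
ROUTER_INTERFACE_IPS = {"192.0.2.1", "198.51.100.1"}
NEIGHBORS = {
    65001: ["198.51.100.2"],               # valid neighbor
    65002: ["192.0.2.1", "203.0.113.5"],   # 192.0.2.1 is one of our own interfaces: invalid
    65003: ["203.0.113.5"],                # 203.0.113.5 already placed in AS 65002: invalid
}


def neighbor_kind(local_as, neighbor_as):
    """Internal neighbors share the router's AS; external neighbors are in another AS."""
    return "internal" if neighbor_as == local_as else "external"


def validate_bgp_neighbors(interface_ips, neighbors):
    """Apply the two restrictions from the Note in Step 4.

    Returns a list of error strings; an empty list means the definitions are valid.
    """
    errors = []
    first_as_seen = {}   # neighbor IP -> AS in which it was first defined
    for asn, addrs in neighbors.items():
        for addr in addrs:
            if addr in interface_ips:
                errors.append(f"{addr}: address belongs to an interface on this router")
            if addr in first_as_seen and first_as_seen[addr] != asn:
                errors.append(f"{addr}: already defined as a neighbor in AS {first_as_seen[addr]}")
            first_as_seen.setdefault(addr, asn)
    return errors


def classful_network(subnet):
    """Network route that Auto-Summary injects into BGP when `subnet` is
    redistributed from an IGP: the classful (A/B/C) network containing the
    subnet, not the subnet itself."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4:
        raise ValueError(f"{subnet}: classful summarization applies to IPv4 only")
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        prefixlen = 8      # class A
    elif first_octet < 192:
        prefixlen = 16     # class B
    elif first_octet < 224:
        prefixlen = 24     # class C
    else:
        raise ValueError(f"{subnet}: no classful summary for class D/E space")
    return str(ipaddress.ip_network(f"{net.network_address}/{prefixlen}", strict=False))


if __name__ == "__main__":
    for problem in validate_bgp_neighbors(ROUTER_INTERFACE_IPS, NEIGHBORS):
        print("neighbor error:", problem)
    for s in ("10.1.2.0/24", "172.16.5.0/24", "192.0.2.128/25"):
        print(f"{s} redistributed with Auto-Summary -> {classful_network(s)}")
```

Running the script reports the two invalid neighbor entries and shows that, with Auto-Summary enabled, a redistributed /24 inside 10.0.0.0 appears in the BGP table only as 10.0.0.0/8, which is why the option is usually left off when subnet-level reachability must be advertised.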

Related Topics

Redistributing Routes into BGP, page 14-185

BGP Routing on Cisco IOS Routers, page 14-181

Redistributing Routes into BGP


Redistribution refers to using a routing protocol, such as BGP, to advertise routes
that are learned by some other means, such as a different routing protocol, static
routes, or directly connected routes. For example, you can redistribute routes from
the OSPF routing protocol into your BGP autonomous system (AS).
Redistribution is necessary in networks that operate in multiple-protocol
environments and can be applied to all IP-based routing protocols.
Before You Begin

Define a BGP AS. See Defining BGP Routes, page 14-183.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > BGP from the Policy selector,
then click the Redistribution tab in the work area.


(Policy view) Select Router Platform > Routing > BGP from the Policy
Type selector. Right-click BGP to create a policy, or select an existing policy
from the Shared Policy selector. Then click the Redistribution tab.

The BGP Redistribution tab is displayed. See Table K-98 on page K-241 for a
description of the fields on this tab.
Step 2

On the BGP Redistribution tab, select a row from the BGP Redistribution
Mappings table, then click Edit, or click Add to create a mapping. The BGP
Redistribution Mapping dialog box appears. See Table K-99 on page K-243 for a
description of the fields in this dialog box.

Step 3

Select the protocol whose routes you want to redistribute into BGP.

Note

You can create a single mapping for each static route, RIP route, EIGRP
AS, and OSPF process.

Step 4

(Optional) Modify the default metric (cost) of the redistributed routes. The metric
determines the priority of the routes.

Step 5

Click OK to save your definitions locally on the client and close the dialog box.
The redistribution mapping appears in the Redistribution Mapping table in the
BGP Redistribution tab.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining BGP Routes, page 14-183

BGP Routing on Cisco IOS Routers, page 14-181


EIGRP Routing on Cisco IOS Routers


Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced distance
vector protocol developed by Cisco Systems that integrates the capabilities of
link-state protocols. EIGRP is suited for many different topologies and media.
Key capabilities that distinguish EIGRP from other routing protocols are fast
convergence, support for variable-length subnet masks, partial updates, and
multiple network-layer protocols.
The metric that the router uses to reach the destination, and to advertise to other
routers, is the sum of the best-advertised metrics from all neighbors and the link
cost to the best neighbor.
EIGRP uses neighbor tables to store address and interface information about each
of the router's neighbors. Hello packets advertise hold times, the length of
time a neighbor can be considered reachable and operational. Topology tables
contain all destinations advertised by neighboring routers. For each neighbor, the
entry records the advertised metric, which the neighbor stores in its routing table.
A router running EIGRP stores all its neighbors' routing tables so that it can
quickly adapt to alternate routes. If no appropriate route exists, EIGRP queries its
neighbors to discover an alternate route. These queries propagate until an
alternate route is found. EIGRP sends incremental updates when the state of a
destination changes, instead of sending the entire contents of the routing table.
EIGRP ensures that only those routers needing the information are updated. This
feature minimizes the bandwidth required for EIGRP packets.
EIGRP supports both internal and external routes. Internal routes originate within
an EIGRP Autonomous System (AS). Therefore, a directly attached network that
is configured to run EIGRP is considered an internal route and is propagated with
this information throughout the AS. External routes are learned by another routing
protocol or reside in the routing table as static routes. These routes are tagged
individually with the identity of their origin.
The following topics describe the tasks you perform to create an EIGRP routing
policy:

Defining EIGRP Routes, page 14-188

Defining EIGRP Interface Properties, page 14-190

Redistributing Routes into EIGRP, page 14-193


Related Topics

Static Routing on Cisco IOS Routers, page 14-217

RIP Routing on Cisco IOS Routers, page 14-212

OSPF Routing on Cisco IOS Routers, page 14-195

BGP Routing on Cisco IOS Routers, page 14-181

Managing Routers, page 14-1

Defining EIGRP Routes


To configure an EIGRP routing policy, you must assign each autonomous system
a number, which identifies the autonomous system to other routers. You then must
select the networks to which routes will be created. In addition, you can select
which interfaces should be passive. Unlike other routing protocols, passive
interfaces in EIGRP neither send nor receive routing updates from their
neighbors, resulting in the loss of their neighbor relationship.
When you configure EIGRP routing policies, you can also decide whether to
enable auto-summarization, which greatly simplifies routing tables and the
exchange of routing information by having many subnets represented by a single
network entry.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > EIGRP from the Policy selector,
then click the Setup tab in the work area.

(Policy view) Select Router Platform > Routing > EIGRP from the Policy
Type selector. Right-click EIGRP to create a policy, or select an existing
policy from the Shared Policy selector. Then click the Setup tab.

The EIGRP Setup tab is displayed. See Table K-100 on page K-245 for a
description of the fields on this tab.
Step 2

On the EIGRP Setup tab, select an EIGRP route from the table, then click Edit,
or click Add to create a route. The EIGRP Setup dialog box appears. See
Table K-101 on page K-246 for a description of the fields in this dialog box.


Step 3

Enter the autonomous system number for the route. This number identifies the
autonomous system to other routers.

Step 4

Enter the addresses of the networks to include in the EIGRP route. You can use a
combination of addresses and network/host objects, or click Select to display a
selector (see Object Selectors, page F-558). For more information, see Specifying
IP Addresses During Policy Definition, page 8-135.

Tip

If the network you want is not listed, click the Create button or the Edit
button in the selector to display the Network/Host Dialog Box,
page F-433. From here you can create a network/host object to use in the
policy.

Step 5

Click Edit under Passive Interfaces to display a dialog box for selecting which
interfaces should not send routing updates to their neighbors. Enter the names of
one or more interfaces or interface roles, or click Select to display a selector.
For more information, see Specifying Interfaces During Policy Definition,
page 8-118.

Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 6

(Optional) Select the Auto-Summary check box to enable the auto
summarization of subnet routes into network-level routes. Summarization reduces
the size of routing tables, thereby reducing the complexity of the network.

Step 7

Click OK to save your definitions locally on the client and close the dialog box.
The EIGRP route appears in the table displayed in the EIGRP Setup tab.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.


Related Topics

Defining EIGRP Interface Properties, page 14-190

Redistributing Routes into EIGRP, page 14-193

EIGRP Routing on Cisco IOS Routers, page 14-187

Defining EIGRP Interface Properties


You can optionally modify the default values of the following two interface
properties in a selected EIGRP autonomous system:

Hello interval.

Split horizon.

The hello interval defines the interval between hello packets. Routing devices
periodically send these packets to each other to dynamically learn of other routers
on their directly attached networks. This information is used to discover
neighbors and to learn when neighbors become unreachable or inoperative. By
default, hello packets are sent every 5 seconds. The default interval for low speed
(T1 or slower), nonbroadcast multiaccess (NBMA) media is every 60 seconds.
Split horizon is a feature that prevents route information from being sent back in
the direction from which that information originated. If you enable split horizon
on an interface (this is the default), update and query packets are not sent to
destinations for which this interface is the next hop. This helps to prevent routing
loops.
For example, as shown in Figure 14-13, if Router One is connected to Routers
Two and Three through a single multipoint interface, and Router One learned
about Network A from Router Two, Router One does not advertise the route to
Network A over that same multipoint interface to Router Three. Router One
assumes that Router Three would learn about Network A directly from Router
Two.


Figure 14-13

EIGRP Split Horizon Example

[Figure: Router One is connected to Router Two, Router Three, and Router Four;
Network A is reached through Router Two. Link labels shown in the figure:
Bandwidth = 10000, Delay = 100; Bandwidth = 128, Delay = 1000; and
Bandwidth = 56, Delay = 2000 on three links.]

Split horizon is enabled by default on all EIGRP interfaces, because it typically
optimizes communications among multiple routing devices. However, in certain
cases with nonbroadcast networks (such as Frame Relay and SMDS), you might
want to disable split horizon.
If you decide to disable split horizon on an EIGRP interface, keep the following
in mind:

In a hub-and-spoke network, you should disable split horizon only at the hub.
This is because disabling split horizon on the spokes greatly increases EIGRP
memory consumption on the hub router, as well as the amount of traffic
generated on the spoke routers.

Changing the split horizon setting on an interface resets all adjacencies with
the EIGRP neighbors that are reachable over that interface.
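The split horizon rule and the adjacency-reset caveat above can be simulated on a single router. The following is an added example, not code from the Cisco guide; the router and network names follow Figure 14-13, while the interface names, the second network, and the neighbor lists are constructed for the example.

```python
# Added example, not from the Cisco guide. Router One's routing table as a
# constructed sample: destination -> interface on which the route was learned.
ROUTER_ONE_ROUTES = {
    "Network A": "Multipoint0",   # learned from Router Two over the multipoint interface
    "Network B": "Serial1",       # constructed: learned from Router Four over a serial link
}
ROUTER_ONE_INTERFACES = ["Multipoint0", "Serial1"]

# Constructed: EIGRP neighbors reachable over each interface of Router One.
ROUTER_ONE_NEIGHBORS = {
    "Multipoint0": ["Router Two", "Router Three"],
    "Serial1": ["Router Four"],
}


def advertised_routes(routes, interfaces, split_horizon_disabled=()):
    """Return {interface: [destinations]} that Router One sends updates and
    queries for on each interface.

    With split horizon enabled (the default) a destination is never advertised
    back out of the interface it was learned on, so Router Three is not told
    about Network A over Multipoint0. Interfaces listed in
    split_horizon_disabled advertise every destination, including those.
    """
    result = {}
    for iface in interfaces:
        result[iface] = sorted(
            dest for dest, learned_on in routes.items()
            if learned_on != iface or iface in split_horizon_disabled
        )
    return result


def adjacency_resets(old_setting, new_setting, neighbors_per_interface):
    """Neighbors whose adjacency is reset by a split horizon change.

    Settings map interface -> enabled (missing interfaces default to True,
    matching the EIGRP default). Changing the setting on an interface resets
    every adjacency reachable over that interface.
    """
    reset = []
    for iface, neighbors in neighbors_per_interface.items():
        if old_setting.get(iface, True) != new_setting.get(iface, True):
            reset.extend(neighbors)
    return sorted(reset)


if __name__ == "__main__":
    print("default:", advertised_routes(ROUTER_ONE_ROUTES, ROUTER_ONE_INTERFACES))
    print("hub disabled:", advertised_routes(ROUTER_ONE_ROUTES, ROUTER_ONE_INTERFACES,
                                             split_horizon_disabled={"Multipoint0"}))
    print("reset:", adjacency_resets({}, {"Multipoint0": False}, ROUTER_ONE_NEIGHBORS))
```

Disabling split horizon on Multipoint0, as you would at the hub of a hub-and-spoke network, makes Router One re-advertise Network A to Router Three over the same interface it learned it on, and the change drops the adjacencies with both Router Two and Router Three until they re-form.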

Before You Begin

Define at least one EIGRP autonomous system. See Defining EIGRP Routes,
page 14-188.

Procedure
Step 1

Do one of the following:


(Device view) Select Platform > Routing > EIGRP from the Policy selector,
then click the Interfaces tab in the work area.

(Policy view) Select Router Platform > Routing > EIGRP from the Policy
Type selector. Right-click EIGRP to create a policy, or select an existing
policy from the Shared Policy selector. Then click the Interfaces tab.

The EIGRP Interfaces tab is displayed. See Table K-103 on page K-249 for a
description of the fields on this tab.
Step 2

On the EIGRP Interfaces tab, select an interface from the table, then click Edit,
or click Add to create an interface definition. The EIGRP Interface dialog box
appears. See Table K-104 on page K-250 for a description of the fields in this
dialog box.

Step 3

Select the AS number of the autonomous system whose interface properties you
want to modify. See Defining EIGRP Routes, page 14-188 for more information
about defining an autonomous system.

Step 4

Enter the name of the interface or interface role to define, or click Select to
display a selector (see Object Selectors, page F-558). For more information, see
Specifying Interfaces During Policy Definition, page 8-118.

Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 5

(Optional) In the Hello Interval field, modify the default interval between hello
packets sent over the selected interfaces.
The default is 5 seconds for all interfaces, except for low-speed (T1 or less)
NBMA media, for which the default interval is 60 seconds.

Step 6

(Optional) Deselect the Split Horizon check box to disable the split horizon
feature. If you disable this feature, the selected interfaces can advertise a route out
of the interface from which they learned the route.


Note

In general, we recommend that you not disable split horizon unless you
are certain that your application requires the change to properly advertise
routes. If you disable split horizon on a serial interface, and that interface
is attached to a packet-switched network, you must disable split horizon
for all routers and access servers in all relevant multicast groups on that
network.

Step 7

Click OK to save your definitions locally on the client and close the dialog box.
The interface definition appears in the table on the EIGRP Interfaces tab.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining EIGRP Routes, page 14-188

Redistributing Routes into EIGRP, page 14-193

EIGRP Routing on Cisco IOS Routers, page 14-187

Redistributing Routes into EIGRP


Redistribution refers to using a routing protocol, such as EIGRP, to advertise
routes that are learned by some other means, such as a different routing protocol,
static routes, or directly connected routes. For example, you can redistribute
routes from the RIP routing protocol into your EIGRP autonomous system (AS).
Redistribution is necessary in networks that operate in multiple-protocol
environments and can be applied to all IP-based routing protocols.
Before You Begin

Define at least one EIGRP AS. See Defining EIGRP Routes, page 14-188.


Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > EIGRP from the Policy selector,
then click the Redistribution tab in the work area.

(Policy view) Select Router Platform > Routing > EIGRP from the Policy
Type selector. Right-click EIGRP to create a policy, or select an existing
policy from the Shared Policy selector. Then click the Redistribution tab.

The EIGRP Redistribution tab is displayed. See Table K-105 on page K-252 for a
description of the fields on this tab.
Step 2

On the EIGRP Redistribution tab, select a row from the EIGRP Redistribution
Mappings table, then click Edit, or click Add to create a mapping. The EIGRP
Redistribution Mapping dialog box appears. See Table K-106 on page K-254 for
a description of the fields in this dialog box.

Step 3

Select an existing EIGRP AS from the displayed list.

Step 4

Select the protocol whose routes you want to redistribute into the selected EIGRP
AS.

Note

You can create a single mapping for each static route, RIP route, BGP AS,
EIGRP AS, and OSPF process.

Step 5

(Optional) Under Metrics, modify the default metric (cost) of the redistributed
routes by entering values in the fields used to calculate the metric. The metric
determines the priority of the routes.

Note

Entering a metric is optional, but if you do specify a value, you must enter
values for all five parameters. You need not define metric values when
redistributing one EIGRP process into another.

Step 6

Click OK to save your definitions locally on the client and close the dialog box.
The redistribution mapping appears in the Redistribution Mapping table in the
EIGRP Redistribution tab.

Step 7

Click Save to save your definitions to the Security Manager server.


Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining EIGRP Routes, page 14-188

Defining EIGRP Interface Properties, page 14-190

EIGRP Routing on Cisco IOS Routers, page 14-187

OSPF Routing on Cisco IOS Routers


Open Shortest Path First (OSPF) is an interior gateway routing protocol that uses
link states instead of distance vectors to distribute routing information within a
single autonomous system (AS). OSPF propagates link-state advertisements
(LSAs) instead of routing table updates, which allows OSPF networks to converge
more quickly than RIP networks. You define areas to limit the number of LSAs
that need to be propagated to changes that occur within the area.
A router that has interfaces in multiple OSPF areas is called an Area Border
Router (ABR). An ABR uses LSAs to send information about available routes to
other OSPF routers. A router that acts as a gateway to redistribute traffic between
routers using OSPF and routers using other routing protocols is called an
Autonomous System Boundary Router (ASBR). Any router can act as an ABR or
ASBR.
The following topics describe the tasks you perform to create an OSPF routing
policy:

Defining OSPF Process Settings, page 14-196

Defining OSPF Area Settings, page 14-197

Redistributing Routes into OSPF, page 14-199

Defining OSPF Interface Settings, page 14-204


Related Topics

Static Routing on Cisco IOS Routers, page 14-217

RIP Routing on Cisco IOS Routers, page 14-212

EIGRP Routing on Cisco IOS Routers, page 14-187

BGP Routing on Cisco IOS Routers, page 14-181

Managing Routers, page 14-1

Defining OSPF Process Settings


You configure OSPF process parameters by specifying a process ID number,
which identifies the OSPF process to other routers, and by deciding whether any
interfaces should be passive. Passive interfaces do not send routing updates to
their neighbors.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > OSPF Process from the Policy
selector, then click the Setup tab in the work area.

(Policy view) Select Router Platform > Routing > OSPF Process from the
Policy Type selector. Right-click OSPF to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Setup tab.

The OSPF Process Setup tab is displayed. See Table K-109 on page K-265 for a
description of the fields on this tab.
Step 2

On the OSPF Process Setup tab, select an OSPF process from the table, then click
Edit, or click Add to create a process. The OSPF Setup dialog box appears. See
Table K-110 on page K-266 for a description of the fields in this dialog box.

Step 3

Enter the process ID number in the field provided. The process ID defined here
does not need to match the process ID on any other devices.

Step 4

Define which interfaces should not send routing updates to their neighbors:
a.

Click Edit under Passive Interfaces to display the Edit Interfaces dialog box.
Use this dialog box to define which interfaces should not send routing updates
to their neighbors.


b.

Enter the names of one or more interfaces or interface roles, or click Select
to display a selector (see Object Selectors, page F-558). For more
information, see Specifying Interfaces During Policy Definition, page 8-118.

c.

Click OK to save your changes and return to the OSPF Setup dialog box.

Tip

If the required interface role is not listed, click the Create button or the
Edit button in the selector to open the Interface Role Dialog Box,
page F-419. From here you can define an interface role to use in the
policy.

Step 5

Click OK to save your definitions locally on the client and close the dialog box.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining OSPF Area Settings, page 14-197

Defining OSPF Interface Settings, page 14-204

Redistributing Routes into OSPF, page 14-199

OSPF Routing on Cisco IOS Routers, page 14-195

Defining OSPF Area Settings


You configure OSPF area settings by associating an area ID with a particular
OSPF process, selecting the networks included in the area, and selecting the type
of authentication used by the routers in the area.
Each OSPF process that you define should contain at least one defined area. If you
define more than one area, one area must be area 0. This is called the backbone.
All other areas must be physically connected to the backbone. This enables other
areas to inject routing information into the backbone, which the backbone
distributes to the remaining areas.


You must configure at least one OSPF process before defining OSPF area/network
settings for that process.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > OSPF Process from the Policy
selector, then click the Area tab in the work area.

(Policy view) Select Router Platform > Routing > OSPF Process from the
Policy Type selector. Right-click OSPF to create a policy, or select an
existing policy from the Shared Policy selector. Then click the Area tab.

The OSPF Process Area tab is displayed. See Table K-112 on page K-268 for a
description of the fields on this tab.
Step 2

On the OSPF Process Area tab, select an OSPF area from the table, then click
Edit, or click Add to create an area. The OSPF Area dialog box appears. See
Table K-113 on page K-270 for a description of the fields in this dialog box.

Step 3

Select a process ID from the displayed list.

Step 4

Enter an area ID to associate with the selected OSPF process.

Step 5

Enter the addresses of the networks to include in the OSPF area. You can enter a
combination of addresses and network/host objects, or click Select to display a
selector (see Object Selectors, page F-558). For more information, see Specifying
IP Addresses During Policy Definition, page 8-135.

Tip

If the network you want is not listed, click the Create button or the Edit
button in the selector to display the Network/Host Dialog Box,
page F-433. From here you can create a network/host object to use in the
policy.

Step 6

Select the authentication type to use in the OSPF area: MD5, clear text, or none.
We recommend MD5 when security is of concern. Note the following:

The authentication type must be the same for all routers and access servers in
the same area.

Specifying clear-text authentication for an area sets the authentication to
Type 1 (simple password). All routers on a network must use the same
clear-text password to communicate with each other using OSPF.


MD5 passwords need not be the same throughout an area, but they must be
the same between neighbors.

If you use interface authentication (see Defining OSPF Interface Settings,
page 14-204), the authentication type used for the area must match the
authentication type used for the interface.

Step 7

Click OK to save your definitions. The OSPF area appears in the table displayed
on the OSPF Area tab.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
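The four authentication rules listed under Step 6 are easy to violate when several routers in an area are edited separately, and a pre-deployment consistency check catches the mismatches before an adjacency fails to form. The following is an added example, not code from the Cisco guide or from Security Manager; the router names, interface names, keys and passwords are constructed, MD5 keys are modelled per router interface, and adjacencies are listed explicitly as (router, interface, router, interface).

```python
# Added example, not from the Cisco guide. Two constructed area definitions:
# one consistent with the rules in Step 6, one that breaks three of them.
GOOD_AREA = {
    "routers": {
        "R1": {"auth_type": "md5",
               "interfaces": {"Gi0/0": {"auth_type": "md5", "key": "k-r1r2"}}},
        "R2": {"auth_type": "md5",
               "interfaces": {"Gi0/0": {"auth_type": "md5", "key": "k-r1r2"},
                              "Gi0/1": {"auth_type": "md5", "key": "k-r2r3"}}},
        "R3": {"auth_type": "md5",
               "interfaces": {"Gi0/0": {"auth_type": "md5", "key": "k-r2r3"}}},
    },
    "neighbors": [("R1", "Gi0/0", "R2", "Gi0/0"), ("R2", "Gi0/1", "R3", "Gi0/0")],
}

BAD_AREA = {
    "routers": {
        "R1": {"auth_type": "md5",
               "interfaces": {"Gi0/0": {"auth_type": "md5", "key": "k-r1r2"}}},
        "R2": {"auth_type": "md5",
               "interfaces": {"Gi0/0": {"auth_type": "md5", "key": "k-wrong"},        # key mismatch with R1
                              "Gi0/1": {"auth_type": "clear_text", "key": "k-r2r3"}}},  # interface != area type
        "R3": {"auth_type": "clear_text", "password": "p",                            # different type in the area
               "interfaces": {"Gi0/0": {"auth_type": "clear_text"}}},
    },
    "neighbors": [("R1", "Gi0/0", "R2", "Gi0/0"), ("R2", "Gi0/1", "R3", "Gi0/0")],
}


def _iface_auth(router, iface_cfg):
    # An interface without its own setting inherits the router's area setting.
    return iface_cfg.get("auth_type", router["auth_type"])


def check_area_authentication(area):
    """Return a list of rule violations; an empty list means the area is consistent."""
    problems = []
    routers = area["routers"]
    types = {r["auth_type"] for r in routers.values()}
    # Rule: one authentication type for all routers in the area.
    if len(types) > 1:
        problems.append(f"authentication type differs across the area: {sorted(types)}")
    # Rule: clear text (Type 1) means one shared password on the network.
    if types == {"clear_text"}:
        passwords = {r.get("password") for r in routers.values()}
        if len(passwords) > 1:
            problems.append("clear-text password is not identical on all routers")
    # Rule: per-interface authentication must match the area's type.
    for name, r in routers.items():
        for iface, cfg in r["interfaces"].items():
            if _iface_auth(r, cfg) != r["auth_type"]:
                problems.append(f"{name} {iface}: interface auth {cfg['auth_type']} "
                                f"does not match area auth {r['auth_type']}")
    # Rule: MD5 keys may differ across the area but must match between neighbors.
    for a, a_if, b, b_if in area["neighbors"]:
        a_cfg = routers[a]["interfaces"][a_if]
        b_cfg = routers[b]["interfaces"][b_if]
        if _iface_auth(routers[a], a_cfg) == "md5" and _iface_auth(routers[b], b_cfg) == "md5":
            if a_cfg.get("key") != b_cfg.get("key"):
                problems.append(f"MD5 key differs between neighbors {a} {a_if} and {b} {b_if}")
    return problems


if __name__ == "__main__":
    for label, area in (("good", GOOD_AREA), ("bad", BAD_AREA)):
        print(label, check_area_authentication(area) or "consistent")
```

Note that the MD5 key check is deliberately per adjacency: the guide allows different keys on different links within one area, so a check that required one key area-wide would raise false alarms.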

Related Topics

Defining OSPF Process Settings, page 14-196

Defining OSPF Interface Settings, page 14-204

Redistributing Routes into OSPF, page 14-199

OSPF Routing on Cisco IOS Routers, page 14-195

Redistributing Routes into OSPF


Redistribution refers to using a routing protocol, such as OSPF, to advertise routes
that are learned by some other means, such as a different routing protocol, static
routes, or directly connected routes. For example, you can redistribute routes from
the RIP routing protocol into your OSPF domain. Redistribution is necessary in
networks that operate in multiple-protocol environments and can be applied to all
IP-based routing protocols.
Redistributing routes into OSPF from other routing protocols or from static routes
causes these routes to become OSPF external routes (Type 1 or Type 2).
Redistributing routes into OSPF involves:

Defining OSPF Redistribution Mappings, page 14-200

Defining OSPF Maximum Prefix Values, page 14-202


Related Topics

Defining OSPF Process Settings, page 14-196

Defining OSPF Area Settings, page 14-197

Defining OSPF Interface Settings, page 14-204

OSPF Routing on Cisco IOS Routers, page 14-195

Defining OSPF Redistribution Mappings


When you define OSPF redistribution mappings, you must select the protocol to
redistribute and the OSPF process into which routes from that protocol are
redistributed. Additionally, you can manually define the metric, which determines
the priority of the redistributed routes, and the type of external OSPF route to
create, Type 1 or Type 2. See Type 1 versus Type 2 External Routes, page 14-200.
You can create multiple mappings to the same OSPF process. For example, you
can redistribute both RIP and EIGRP routes into the same OSPF process. You can
also redistribute routes from other OSPF processes.

Note

Redistribution into an OSPF Not-So-Stubby Area (NSSA) creates a special type
of link-state advertisement (LSA) called type 7, which can exist only in an NSSA
area. An NSSA autonomous system boundary router (ASBR) generates this LSA,
and an NSSA area border router (ABR) translates it into a type 5 LSA, which is
propagated into the OSPF domain.
Type 1 versus Type 2 External Routes

Two types of OSPF external routes exist, Type 1 and Type 2. The difference
between the two is related to how the cost (metric) of the route is calculated. The
cost of a Type 1 route is the sum of the external cost and the internal cost used to
reach that route. The cost of a Type 2 route is based on the external cost only. By
default, external routes are defined as Type 2. However, a Type 1 route is always
preferred over a Type 2 route to the same destination.
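The cost rule and the preference rule above are short enough to carry through in code. The following is an added example, not code from the Cisco guide; the route records are constructed. It goes one step beyond the paragraph in one respect: when two Type 2 routes have the same external cost, it breaks the tie on the internal cost to the advertising ASBR, which is the standard OSPF rule (RFC 2328) rather than something the guide states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalRoute:
    """One candidate OSPF external route to a destination (constructed sample type)."""
    via: str            # advertising ASBR
    route_type: int     # 1 or 2
    external_cost: int  # metric set on the redistribution mapping
    internal_cost: int  # OSPF cost from this router to the ASBR


def route_cost(r):
    """Type 1: external + internal cost. Type 2: external cost only."""
    if r.route_type == 1:
        return r.external_cost + r.internal_cost
    if r.route_type == 2:
        return r.external_cost
    raise ValueError(f"unknown external route type {r.route_type}")


def preference_key(r):
    """Lower tuple wins: Type 1 before Type 2 regardless of cost, then cost,
    then (RFC 2328 tie-break for Type 2) the internal cost to the ASBR."""
    return (r.route_type, route_cost(r), r.internal_cost)


def best_route(candidates):
    """Select the route the router installs among candidates to one destination."""
    if not candidates:
        raise ValueError("no candidate routes")
    return min(candidates, key=preference_key)


if __name__ == "__main__":
    # Constructed: a cheaper-looking Type 2 route loses to a Type 1 route.
    e1 = ExternalRoute("ASBR-1", route_type=1, external_cost=20, internal_cost=3)
    e2 = ExternalRoute("ASBR-2", route_type=2, external_cost=10, internal_cost=5)
    for r in (e1, e2):
        print(f"{r.via}: type {r.route_type}, cost {route_cost(r)}")
    print("installed:", best_route([e1, e2]).via)
```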
Before You Begin

Define at least one OSPF process. See Defining OSPF Process Settings,
page 14-196.


Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > OSPF Process from the Policy
selector, then click the Redistribution tab in the work area.

(Policy view) Select Router Platform > Routing > OSPF Process from the
Policy Type selector. Right-click OSPF to create a policy, or select an
existing policy from the Shared Policy selector. Then click the
Redistribution tab.

The OSPF Process Redistribution tab is displayed. See Table K-114 on
page K-271 for a description of the fields on this tab.
Step 2

On the OSPF Process Redistribution tab, select a row from the OSPF
Redistribution Mappings table, then click Edit, or click Add to create a mapping.
The OSPF Redistribution Mapping dialog box is displayed. See Table K-115 on
page K-273 for a description of the fields in this dialog box.

Step 3

Select an existing OSPF process from the displayed list.

Step 4

Select the protocol whose routes you want to redistribute into the selected OSPF
process.

Note

You can create a single mapping for each static route, RIP route, BGP AS,
EIGRP AS, and OSPF process.

Step 5

(Optional) Modify the default metric (cost) of the redistributed routes. The metric
determines the priority of the routes.

Step 6

Select the type of external route to create, Type 1 or Type 2. The default is Type 2.
See Type 1 versus Type 2 External Routes, page 14-200.

Step 7

(Optional) Select the Limit to Subnets check box to redistribute only subnetted
routes. By default, this option is not selected.

Step 8

Click OK to save your definitions. The redistribution mapping appears in the
Redistribution Mapping table on the OSPF Process Redistribution tab.

Step 9

Click Save to save your definitions to the Security Manager server.


Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining OSPF Maximum Prefix Values, page 14-202

Redistributing Routes into OSPF, page 14-199

Defining OSPF Maximum Prefix Values


You can define a maximum number of prefixes (routes) that may be redistributed
from other protocols or OSPF processes into a selected OSPF process. Setting a
limit helps prevent the router from being flooded by too many redistributed routes.
For example, without a defined maximum, flooding can occur when BGP is
redistributed into OSPF.
When you define a maximum prefix value, you can decide whether to prevent
additional routes from being redistributed once this maximum is reached, or
whether to only issue a warning.
The redistribution limit applies to all IP redistributed prefixes, including
summarized ones. The limit does not apply to default routes or prefixes that are
generated as a result of type 7 to type 5 translations.
Before You Begin

Define at least one OSPF process. See Defining OSPF Process Settings,
page 14-196.

Define at least one OSPF redistribution mapping. See Defining OSPF
Redistribution Mappings, page 14-200.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > OSPF Process from the Policy
selector, then click the Redistribution tab in the work area.


(Policy view) Select Router Platform > Routing > OSPF Process from the
Policy Type selector. Right-click OSPF to create a policy, or select an
existing policy from the Shared Policy selector. Then click the
Redistribution tab.

The OSPF Process Redistribution tab is displayed. See Table K-114 on page K-271 for a description of the fields on this tab.
Step 2

On the OSPF Process Redistribution tab, select a row from the Max Prefix
Mapping table, then click Edit, or click Add to create a definition. The Max
Prefix Mapping dialog box appears. See Table K-116 on page K-275 for a
description of the fields in this dialog box.

Step 3

Select an existing OSPF process from the displayed list.

Step 4

In the Max Prefix field, enter the maximum number of routes that can be
redistributed into the selected OSPF process.

Step 5

(Optional) Modify the default threshold percentage. When the number of redistributed routes reaches this threshold, a warning is issued. By default, the threshold value is 75% of the defined maximum prefix value.

Step 6

(Optional) Select what should happen when the maximum prefix value is reached:

Enforce Maximum Route: Prevents additional routes from being redistributed to the selected process.

Warning Only: Issues an additional warning, but allows route redistribution to continue even after the maximum prefix value is reached.

Note

Flooding can result if you allow route redistribution to continue after exceeding the maximum prefix value.

Step 7

Click OK to save your definitions. The maximum prefix definition appears in the Max Prefix Mapping table on the OSPF Process Redistribution tab.
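The following is an added example, not Security Manager or Cisco IOS code, that models the behavior this procedure configures: a per-process count of redistributed prefixes, a warning at the threshold percentage, and the difference between Enforce Maximum Route and Warning Only once the maximum is reached. Default routes are exempt from the count, as the section states. The class name, the 4-prefix limit and the 203.0.113.0/24 prefixes are constructed for the demonstration.

```python
"""Added example: a model of the OSPF redistribution prefix limit.
Not Security Manager or IOS code; prefixes and limits are constructed."""
import ipaddress
import math


class RedistributionLimit:
    def __init__(self, max_prefix, threshold_pct=75, warning_only=False):
        if max_prefix < 1 or not 1 <= threshold_pct <= 100:
            raise ValueError("max_prefix must be >= 1 and threshold 1..100")
        self.max_prefix = max_prefix
        self.threshold_pct = threshold_pct    # CSM default: 75% of max_prefix
        self.warning_only = warning_only      # False = "Enforce Maximum Route"
        self.installed = set()                # prefixes currently redistributed
        self.warnings = []                    # messages a router would log

    def threshold_count(self):
        # Number of counted prefixes at which the threshold warning fires.
        return math.ceil(self.max_prefix * self.threshold_pct / 100)

    def count(self):
        # Default routes are not counted against the limit (see text).
        return sum(1 for p in self.installed if p.prefixlen != 0)

    def redistribute(self, prefix_str):
        """Offer one prefix to the OSPF process; return True if accepted."""
        prefix = ipaddress.ip_network(prefix_str, strict=False)
        if prefix in self.installed:
            return True
        if prefix.prefixlen == 0:             # default route: exempt
            self.installed.add(prefix)
            return True
        new_count = self.count() + 1
        if new_count > self.max_prefix:
            self.warnings.append(
                f"maximum prefix {self.max_prefix} exceeded by {prefix}")
            if not self.warning_only:
                return False                  # Enforce Maximum Route: drop it
        elif new_count == self.max_prefix:
            self.warnings.append(f"maximum prefix {self.max_prefix} reached")
        elif new_count == self.threshold_count():
            self.warnings.append(
                f"{self.threshold_pct}% threshold reached "
                f"({new_count}/{self.max_prefix})")
        self.installed.add(prefix)
        return True


def run_demo(warning_only):
    """Feed a default route plus six BGP-learned prefixes (constructed) into
    a process limited to 4 prefixes; return (accepted count, warnings)."""
    limit = RedistributionLimit(max_prefix=4, warning_only=warning_only)
    offered = ["0.0.0.0/0"] + [f"203.0.113.{i * 16}/28" for i in range(6)]
    accepted = sum(1 for p in offered if limit.redistribute(p))
    return accepted, limit.warnings


if __name__ == "__main__":
    for mode in (False, True):
        accepted, warnings = run_demo(mode)
        print(f"warning_only={mode}: accepted {accepted} of 7")
        for w in warnings:
            print("  WARN", w)
```

In enforce mode the default route and the first four prefixes are accepted and the last two are refused; in warning-only mode all seven are accepted and the same four warnings are logged, which is the flooding case the note above warns about.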

Related Topics

Defining OSPF Redistribution Mappings, page 14-200

Redistributing Routes into OSPF, page 14-199


Defining OSPF Interface Settings


You can modify a variety of interface-specific OSPF parameters. This procedure
describes how to define these parameters. For more information about a particular
parameter, see the following topics:

Understanding Interface Cost, page 14-206.

Understanding Interface Priority, page 14-207.

Disabling MTU Mismatch Detection, page 14-207.

Blocking LSA Flooding, page 14-208.

Understanding OSPF Timer Settings, page 14-209.

Understanding the OSPF Network Type, page 14-210.

Understanding OSPF Interface Authentication, page 14-211.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > OSPF Interface from the Policy
selector.

(Policy view) Select Router Platform > Routing > OSPF Interface from
the Policy Type selector. Right-click OSPF to create a policy, or select an
existing policy from the Shared Policy selector.

The OSPF Interface page is displayed. See Table K-107 on page K-257 for a
description of the fields on this page.
Step 2

On the OSPF Interface page, select an interface definition from the table, then
click Edit, or click Add to create a definition. The OSPF Interface dialog box
appears. See Table K-108 on page K-260 for a description of the fields in this
dialog box.

Step 3

Enter the name of the interface or interface role to define, or click Select to
display a selector (see Object Selectors, page F-558). For more information, see
Specifying Interfaces During Policy Definition, page 8-118.


Tip

If the required interface role is not listed, click the Create button or the Edit button in the selector to open the Interface Role Dialog Box, page F-419. From here you can define an interface role to use in the policy.

Step 4

Define interface authentication. The authentication type you select for the interface must match the authentication type you select for the area (see Defining OSPF Area Settings, page 14-197).
All neighboring routers on the same network must have the same password to be able to exchange OSPF information. For more information, see Understanding OSPF Interface Authentication, page 14-211.

Tip

An interface can carry several MD5 keys at the same time, each identified by its own key ID. This is an easy and secure way to migrate passwords: configure the new password under a different key ID, wait until all neighbors have the new key, then remove the old key. While both keys are present the router sends each packet once per key, so neighbors that still use the old key are not cut off.

Note

For security reasons, do not use clear text authentication in OSPF packets, because the unencrypted authentication key is sent in every packet and can be read by anyone able to capture traffic on the segment. Use clear text authentication only when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing.

Step 5

(Optional) Under Properties, configure interface parameters as required. See Table K-108 on page K-260 for information about each parameter.

Step 6

Click OK to save your definitions. The defined interfaces appear on the OSPF
Interface page.

Step 7

Repeat Steps 2 through 6 to define interface-specific parameters on additional OSPF interfaces.

Step 8

Click Save to save your definitions to the Security Manager server.


Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining OSPF Process Settings, page 14-196

Defining OSPF Area Settings, page 14-197

Redistributing Routes into OSPF, page 14-199

OSPF Routing on Cisco IOS Routers, page 14-195

Understanding Interface Cost


The cost of an OSPF interface is a metric representing the cost of sending a packet over that interface. By default, this cost is calculated using this formula:
10^8 / bandwidth [bits per second]
For example, an Ethernet interface with a bandwidth of 10 Mbps (10^7 bits per second) has a cost of 10^8/10^7, or 10, and a Fast Ethernet interface (100 Mbps, or 10^8 bits per second) has a cost of 1. This formula establishes an inverse relationship between the bandwidth of an interface and its cost; the greater the bandwidth, the lower the cost. Because the result is an integer with a minimum of 1, every interface faster than 100 Mbps also receives a cost of 1 unless the reference bandwidth (10^8 by default) is raised, and it must then be raised identically on every router in the OSPF domain.
Although cost is a calculated value, you can manually enter the cost of a selected interface.
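The following is an added example, not Security Manager or Cisco IOS code, that applies the cost formula above to a set of constructed interfaces and shows the consequence of the default reference bandwidth: Fast Ethernet, Gigabit Ethernet and 10 Gigabit Ethernet all cost 1, so two Gigabit hops and two Fast Ethernet hops look identical to SPF until the reference bandwidth is raised. The interface names and bandwidths are sample data; the clamp to 1..65535 reflects the 16-bit cost field in the router LSA.

```python
"""Added example: OSPF interface cost and the reference-bandwidth caveat.
Not Security Manager or IOS code; interface list is constructed."""

DEFAULT_REF_BW = 10**8      # bit/s; the 10^8 in the formula above
MAX_COST = 65535            # cost is a 16-bit field in the router LSA


def ospf_cost(bandwidth_bps, ref_bw_bps=DEFAULT_REF_BW, manual_cost=None):
    """Cost used for an interface: a manually entered cost wins; otherwise
    ref_bw / bandwidth, truncated to an integer and clamped to 1..65535."""
    if manual_cost is not None:
        if not 1 <= manual_cost <= MAX_COST:
            raise ValueError("manual cost must be 1..65535")
        return manual_cost
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = ref_bw_bps // bandwidth_bps
    return max(1, min(cost, MAX_COST))


# Constructed sample interfaces and their nominal bandwidths in bit/s.
SAMPLE_LINKS = {
    "Serial0/0 (T1)":         1_544_000,
    "Ethernet0 (10 Mbit/s)":  10_000_000,
    "FastEthernet0/0":        100_000_000,
    "GigabitEthernet0/1":     1_000_000_000,
    "TenGigabitEthernet1/1":  10_000_000_000,
}


def cost_table(ref_bw_bps=DEFAULT_REF_BW):
    """Cost of every sample interface under one reference bandwidth."""
    return {name: ospf_cost(bw, ref_bw_bps) for name, bw in SAMPLE_LINKS.items()}


def path_cost(hops, ref_bw_bps=DEFAULT_REF_BW):
    """Total cost of a path: the sum of the outgoing interface costs."""
    return sum(ospf_cost(SAMPLE_LINKS[h], ref_bw_bps) for h in hops)


if __name__ == "__main__":
    for ref in (DEFAULT_REF_BW, 10**10):
        print(f"reference bandwidth {ref // 10**6} Mbit/s:")
        for name, c in cost_table(ref).items():
            print(f"  {name:24s} cost {c}")
        two_gig = path_cost(["GigabitEthernet0/1"] * 2, ref)
        two_fast = path_cost(["FastEthernet0/0"] * 2, ref)
        print(f"  2 x GigE = {two_gig}, 2 x FastE = {two_fast}")
```

With the default reference bandwidth the T1 costs 64, Ethernet 10, and everything at or above 100 Mbit/s costs 1; with a 10 Gbit/s reference the same links cost 6476, 1000, 100, 10 and 1, and the two-hop Gigabit path (20) is preferred over the two-hop Fast Ethernet path (200).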
Related Topics

Understanding Interface Priority, page 14-207

Disabling MTU Mismatch Detection, page 14-207

Blocking LSA Flooding, page 14-208

Understanding OSPF Timer Settings, page 14-209

Understanding the OSPF Network Type, page 14-210

Understanding OSPF Interface Authentication, page 14-211

Defining OSPF Interface Settings, page 14-204


Understanding Interface Priority


Routers that share a common segment discover each other through the Hello protocol and become neighbors on that segment. A router considers another router its neighbor as soon as it sees itself listed in that router's hello packet. Adjacency is the next step. Adjacent routers are routers that proceed beyond the simple Hello exchange to a database exchange.
On each multiaccess (as opposed to point-to-point) segment, OSPF elects one router as the designated router (DR) for that segment. The DR acts as a central point of contact to minimize information exchange. Each router in the segment sends updates to the DR, which in turn relays the information to the other routers. A second router is elected as the backup designated router (BDR) in case the DR goes down.
DR and BDR election is performed via the Hello protocol. The router with the highest OSPF priority becomes the DR for that segment. The same process is then repeated for the BDR. In the case of a tie, the router with the higher router ID (RID) is elected. By default, each interface is given a priority of 1, but you can assign a higher priority to selected interfaces, as required. A priority of 0 makes the router ineligible to become DR or BDR on that segment. The election is not preemptive: a router with a higher priority that joins the segment later does not displace the existing DR.

Note

The priority setting applies only to network types that elect a DR (broadcast and nonbroadcast multiaccess). It has no effect on point-to-point and point-to-multipoint interfaces, where no DR is elected.
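The following is an added example, not Security Manager or Cisco IOS code, that applies the election rule above to a constructed set of routers that all come up on one broadcast segment at the same time (the non-preemption rule, which depends on what the hello packets already claim, is not modelled). It also counts the adjacencies that result, which is the reason a DR exists: every router synchronizes its database with the DR and BDR only, so a segment of n routers needs 2n-3 adjacencies instead of the n(n-1)/2 a full mesh would need. Router IDs and priorities are sample data.

```python
"""Added example: initial DR/BDR election and the adjacencies it implies.
Not Security Manager or IOS code; router IDs and priorities are constructed."""
from dataclasses import dataclass
from itertools import combinations
import ipaddress


@dataclass(frozen=True)
class OspfRouter:
    router_id: str       # dotted-quad RID
    priority: int = 1    # 0..255; 0 means never eligible for DR or BDR


def _rank(router):
    # Highest priority wins; ties go to the higher router ID.
    return (router.priority, int(ipaddress.IPv4Address(router.router_id)))


def elect_dr_bdr(routers):
    """Initial election: returns (dr, bdr); None where nobody is eligible."""
    eligible = sorted((r for r in routers if r.priority > 0),
                      key=_rank, reverse=True)
    dr = eligible[0] if eligible else None
    bdr = eligible[1] if len(eligible) > 1 else None
    return dr, bdr


def adjacencies(routers):
    """Pairs of routers that become fully adjacent on the segment.
    Every router synchronises with the DR and BDR only; DROthers never
    exchange databases with each other."""
    dr, bdr = elect_dr_bdr(routers)
    hubs = {r for r in (dr, bdr) if r is not None}
    pairs = set()
    for a, b in combinations(routers, 2):
        if a in hubs or b in hubs:
            pairs.add(frozenset((a.router_id, b.router_id)))
    return pairs


def full_mesh_pairs(routers):
    """What the segment would need without a DR: every pair adjacent."""
    return len(routers) * (len(routers) - 1) // 2


if __name__ == "__main__":
    segment = [OspfRouter("10.0.0.1"), OspfRouter("10.0.0.2"),
               OspfRouter("10.0.0.3", priority=0),      # never DR/BDR
               OspfRouter("10.0.0.4", priority=200),    # preferred DR
               OspfRouter("10.0.0.5")]
    dr, bdr = elect_dr_bdr(segment)
    print("DR", dr.router_id, "BDR", bdr.router_id)
    print(len(adjacencies(segment)), "adjacencies instead of",
          full_mesh_pairs(segment))
```

On the sample segment the priority-200 router becomes DR, the BDR goes to the highest RID among the priority-1 routers (10.0.0.5), the priority-0 router still forms adjacencies with both, and five routers need 7 adjacencies rather than 10.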


Related Topics

Understanding Interface Cost, page 14-206

Disabling MTU Mismatch Detection, page 14-207

Blocking LSA Flooding, page 14-208

Understanding OSPF Timer Settings, page 14-209

Understanding the OSPF Network Type, page 14-210

Understanding OSPF Interface Authentication, page 14-211

Defining OSPF Interface Settings, page 14-204

Disabling MTU Mismatch Detection


The MTU is the largest packet size that a particular interface can handle. Each database description (DBD) packet advertises the MTU of the interface that sent it. If that value is larger than the MTU of the receiving interface, the neighboring router rejects the packet. In many cases, an MTU mismatch therefore causes the two routers to become stuck in exstart/exchange state, which prevents OSPF adjacency from being established, even though the routers see each other as neighbors in the Hello exchange. This is why it is important that all neighboring routers share the same MTU setting and that MTU mismatch detection be enabled.
You can, however, disable MTU mismatch detection. This is useful in cases where mismatch detection is preventing adjacency from taking place in an otherwise valid setup between two devices with different MTUs. Only the router with the smaller MTU rejects DBD packets, so the setting is needed on that side. Disable detection only when you have confirmed that the larger packets actually get through; otherwise large link-state updates can be lost later, after the adjacency has formed.
Related Topics

Understanding Interface Cost, page 14-206

Understanding Interface Priority, page 14-207

Blocking LSA Flooding, page 14-208

Understanding OSPF Timer Settings, page 14-209

Understanding the OSPF Network Type, page 14-210

Understanding OSPF Interface Authentication, page 14-211

Defining OSPF Interface Settings, page 14-204

Blocking LSA Flooding


By default, OSPF floods new LSAs over all interfaces in the same area, except the
interface on which the LSA arrives. Although some redundancy is desirable, too
much redundancy can waste bandwidth. In certain topologies, such as full mesh,
LSA flooding can destabilize the network because of excessive link and CPU
usage. Therefore, you can block LSA flooding to selected interfaces on broadcast,
nonbroadcast, and point-to-point networks.
Related Topics

Understanding Interface Cost, page 14-206

Understanding Interface Priority, page 14-207

Disabling MTU Mismatch Detection, page 14-207

Understanding OSPF Timer Settings, page 14-209

Understanding the OSPF Network Type, page 14-210

Understanding OSPF Interface Authentication, page 14-211

Defining OSPF Interface Settings, page 14-204


Understanding OSPF Timer Settings


OSPF uses a series of timers during operation:

Hello Interval: Determines how often an interface sends hello packets, which are used to acquire neighbors and act as indicators that the router is still functioning. The smaller the interval, the faster topological changes on the network are detected. However, a smaller interval also results in more traffic being sent over the interface. The hello interval must be the same on all routers and access servers on a specific network.

Transmit Delay: Determines the delay before an LSA is flooded over the link. The transmit delay setting should take into account the transmission and propagation delays for the interface. These factors are particularly important when configuring low-speed and on-demand links.

Retransmit Interval: Determines how long to wait before retransmitting an unacknowledged link-state advertisement (LSA) or database description (DBD) packet to a neighbor. The retransmit interval setting should be low enough to prevent excessive retransmissions.

Note

You should increase the retransmit interval for serial lines and virtual links.

Dead Interval: Determines how long an interface should wait before declaring its neighbor to be down. This declaration is caused by an absence of hello packets from the neighbor during this interval. The dead interval setting must be the same for all routers and access servers on a specific network. By default, this interval is four times the hello interval.
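The following is an added example, not Security Manager or Cisco IOS code, that serves both this section and Disabling MTU Mismatch Detection above: a preflight comparison of the parameters two OSPF neighbors must agree on before you deploy an interface policy. Hello interval, dead interval, area and authentication type are checked during the Hello exchange, so a mismatch there means no neighbor at all; MTU is only compared when DBD packets are exchanged, so that mismatch shows up as a neighbor stuck in ExStart/Exchange, and only the side with the smaller MTU needs mismatch detection disabled. The interface values are constructed sample data.

```python
"""Added example: preflight check of OSPF neighbour parameters.
Not Security Manager or IOS code; interface values are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class OspfInterface:
    name: str
    area: str = "0.0.0.0"
    mtu: int = 1500
    hello: int = 10
    dead: Optional[int] = None   # None -> 4 x hello, the default given above
    auth: str = "none"           # "none", "clear" or "md5"
    network_type: str = "broadcast"
    mtu_ignore: bool = False     # the "disable MTU mismatch detection" setting

    def __post_init__(self):
        if self.dead is None:
            self.dead = 4 * self.hello


def adjacency_problems(a, b):
    """Return a list of (stage, reason) tuples; an empty list means the
    two interfaces can reach Full state as far as these parameters go."""
    problems = []
    if a.area != b.area:
        problems.append(("Hello", f"area mismatch {a.area} vs {b.area}"))
    if a.hello != b.hello:
        problems.append(("Hello", f"hello interval {a.hello} vs {b.hello}"))
    if a.dead != b.dead:
        problems.append(("Hello", f"dead interval {a.dead} vs {b.dead}"))
    if a.auth != b.auth:
        problems.append(("Hello", f"authentication type {a.auth} vs {b.auth}"))
    if a.network_type != b.network_type:
        # Hellos may still be accepted, but the two sides describe the link
        # differently in their LSAs, so routes will not be consistent.
        problems.append(("LSA", f"network type {a.network_type} vs {b.network_type}"))
    # A router rejects a DBD whose advertised MTU exceeds its own interface
    # MTU, so only the side with the smaller MTU needs mtu_ignore.
    for small, big in ((a, b), (b, a)):
        if small.mtu < big.mtu and not small.mtu_ignore:
            problems.append(("ExStart/Exchange",
                             f"{small.name} (MTU {small.mtu}) rejects DBDs from "
                             f"{big.name} (MTU {big.mtu}); stuck in ExStart"))
    return problems


if __name__ == "__main__":
    r1 = OspfInterface("R1 Gi0/0", auth="md5")
    r2 = OspfInterface("R2 Gi0/0", auth="md5", mtu=9000, hello=30)
    for stage, reason in adjacency_problems(r1, r2) or [("ok", "no mismatch")]:
        print(f"{stage:16s} {reason}")
```

For the sample pair the check reports two Hello-stage problems (hello 10 vs 30 and the dead intervals that follow from them, 40 vs 120) and one ExStart problem for the 1500/9000 MTU mismatch; setting mtu_ignore on R1, the smaller-MTU side, clears the last one.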

Related Topics

Understanding Interface Cost, page 14-206

Understanding Interface Priority, page 14-207

Disabling MTU Mismatch Detection, page 14-207

Blocking LSA Flooding, page 14-208

Understanding the OSPF Network Type, page 14-210

Understanding OSPF Interface Authentication, page 14-211

Defining OSPF Interface Settings, page 14-204


Understanding the OSPF Network Type


You can manually configure the OSPF network type on an interface as either broadcast or nonbroadcast multiaccess (NBMA), regardless of the default media type. For example, you can use this feature to configure broadcast networks (such as Ethernet, Token Ring, and FDDI) as NBMA when your network contains routers that do not support multicast addressing. You can also configure NBMA networks (such as X.25, Frame Relay, and SMDS) as broadcast networks, which eliminates the need to configure neighbors.
Configuring NBMA networks as either broadcast or nonbroadcast assumes the existence of virtual circuits (VCs) from every router to every router (fully meshed network). If VCs do not exist between each router, due to cost constraints or the existence of an only partially meshed network, you can configure the OSPF network type as point-to-multipoint. An OSPF point-to-multipoint interface is defined as a numbered point-to-point interface having one or more neighbors. It creates multiple host routes.
If you use the point-to-multipoint network type, routing between two routers that are not directly connected goes through a third router that has VCs to both routers. You do not need to configure neighbors when using this feature. OSPF point-to-multipoint networks have the following benefits compared to NBMA and point-to-point networks:

Point-to-multipoint is easier to configure because it consumes only one IP subnet and does not require neighbor configuration or designated router election.

It costs less because it does not require a fully meshed topology.

It is more reliable because it maintains connectivity in the event of VC failure.

Note

For point-to-multipoint, broadcast networks, you can optionally define neighbors, in which case you should specify the cost to each neighbor. For point-to-multipoint, nonbroadcast networks, you must identify neighbors, but specifying a cost to each neighbor is optional. In both cases, you define neighbors using FlexConfig. See Chapter 19, Managing FlexConfigs, for more information.


Related Topics

Understanding Interface Cost, page 14-206

Understanding Interface Priority, page 14-207

Disabling MTU Mismatch Detection, page 14-207

Blocking LSA Flooding, page 14-208

Understanding OSPF Timer Settings, page 14-209

Understanding OSPF Interface Authentication, page 14-211

Defining OSPF Interface Settings, page 14-204

Understanding OSPF Interface Authentication


You define neighbor authentication settings for OSPF interfaces by selecting the
interfaces and selecting an authentication type, either MD5 or clear text.
When you use MD5 authentication, neighboring routers must share the same
password. When you use clear-text authentication, all routers on the network
using OSPF must share the same password.
Whenever you configure an interface with a new key, the router sends multiple
copies of the same packet, each authenticated by different keys. The router stops
sending duplicate packets when it detects that all of its neighbors have adopted
the new key.

Note

You should use authentication with all routing protocols when possible, because
attackers can use route redistribution between OSPF and other protocols (such as
RIP) to subvert routing information.
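The following is an added example, not Security Manager or Cisco IOS code, of the MD5 authentication this section and the key-ID tip above describe, implemented as RFC 2328, Appendix D specifies it. The header's Authentication field carries the key ID, the authentication data length (16) and a cryptographic sequence number; the 16-byte key is appended to the packet, MD5 is computed over packet plus key, and the digest is appended after the packet in place of the key (the checksum field is zero for this authentication type). Keys shorter than 16 bytes are padded with zero bytes, which is an assumption about the padding rule. The receiver keeps several keys indexed by key ID, which is what makes the migration in the tip work: the neighbor accepts both key IDs until the old key is removed. Router IDs, keys and Hello contents are constructed sample data.

```python
"""Added example: OSPF cryptographic (MD5) authentication per RFC 2328
Appendix D, with key rollover by key ID. Not Security Manager or IOS code."""
import hashlib
import hmac
import ipaddress
import struct

HEADER_FMT = "!BBH4s4sHH8s"   # version, type, length, RID, area, csum, autype, auth
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
AUTH_FMT = "!HBBI"            # zero, key ID, auth data length, sequence number
AU_CRYPTOGRAPHIC = 2
KEY_LEN = DIGEST_LEN = 16
OSPF_HELLO = 1


def _pad_key(key):
    # Assumption: keys shorter than 16 bytes are zero-padded to 16.
    if not 1 <= len(key) <= KEY_LEN:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def hello_body(mask="255.255.255.0", hello=10, dead=40, priority=1):
    """Constructed Hello body: mask, hello, options, priority, dead, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address(mask).packed,
                       hello, 0x02, priority, dead, b"\0" * 4, b"\0" * 4)


def sign_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Return an OSPF packet with its MD5 digest appended."""
    length = HEADER_LEN + len(body)             # the digest is not counted
    auth = struct.pack(AUTH_FMT, 0, key_id, KEY_LEN, seq)
    header = struct.pack(HEADER_FMT, 2, ptype, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AU_CRYPTOGRAPHIC, auth)  # checksum is 0 for AuType 2
    packet = header + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class Md5Verifier:
    """Receiving side: a key chain plus the last sequence number per neighbour."""

    def __init__(self, keys):
        self.keys = dict(keys)     # key_id -> key bytes
        self.last_seq = {}         # router_id -> last accepted sequence number

    def add_key(self, key_id, key):
        self.keys[key_id] = key

    def remove_key(self, key_id):
        self.keys.pop(key_id, None)

    def verify(self, data):
        """Return (accepted, reason)."""
        if len(data) < HEADER_LEN + DIGEST_LEN:
            return False, "short packet"
        _, _, length, rid, _, _, autype, auth = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
        if autype != AU_CRYPTOGRAPHIC:
            return False, "not MD5 authenticated"
        _, key_id, auth_len, seq = struct.unpack(AUTH_FMT, auth)
        if auth_len != DIGEST_LEN or len(data) != length + DIGEST_LEN:
            return False, "bad length"
        key = self.keys.get(key_id)
        if key is None:
            return False, f"unknown key id {key_id}"
        packet, digest = data[:length], data[length:]
        expected = hashlib.md5(packet + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "bad digest"
        neighbour = str(ipaddress.IPv4Address(rid))
        # RFC 2328 D.4.3 only requires the sequence number not to decrease.
        if seq < self.last_seq.get(neighbour, 0):
            return False, "sequence number went backwards (replay?)"
        self.last_seq[neighbour] = seq
        return True, "ok"


def rollover_demo():
    """Migrate router 10.0.0.1 from key ID 1 to key ID 2 while the neighbour
    still accepts both, then retire key 1. Returns the verdicts in order."""
    old, new = b"OldSecret1", b"NewSecret2"
    rx = Md5Verifier({1: old})

    def hello(key_id, key, seq):
        return sign_packet(OSPF_HELLO, "10.0.0.1", "0.0.0.0", hello_body(), key_id, key, seq)

    verdicts = [rx.verify(hello(1, old, 100))[0]]       # before migration
    rx.add_key(2, new)                                  # neighbour learns key 2
    verdicts.append(rx.verify(hello(1, old, 101))[0])   # old key still accepted
    verdicts.append(rx.verify(hello(2, new, 102))[0])   # new key accepted
    rx.remove_key(1)                                    # retire the old key
    verdicts.append(rx.verify(hello(1, old, 103))[0])   # now rejected
    return verdicts
```

Two points worth noting from the verifier: a single flipped byte in the Hello body fails the digest check, and the replay protection is only as strong as the RFC makes it, since a packet carrying the same sequence number as the last accepted one is still accepted; the sequence number prevents old packets from being replayed, not a captured packet from being repeated immediately.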
Related Topics

Understanding Interface Cost, page 14-206

Understanding Interface Priority, page 14-207

Disabling MTU Mismatch Detection, page 14-207

Blocking LSA Flooding, page 14-208

Understanding OSPF Timer Settings, page 14-209

Understanding the OSPF Network Type, page 14-210

Understanding OSPF Interface Authentication, page 14-211



RIP Routing on Cisco IOS Routers


Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that
was created for use in small, homogeneous networks. RIP is a distance-vector
protocol that sends routing-update messages at regular intervals (in a process
called advertising) and whenever the network topology changes. When a router
receives a routing update that includes changes to an entry, it updates its routing
table to reflect the new route. If a router does not receive an update from another
router for 180 seconds or more, it marks the routes served by the non-updating
router as being unusable. If there is still no update after 240 seconds, the router
removes all routing table entries for the non-updating router. Routing information
is exchanged using UDP packets.
RIP evaluates routes by measuring the number of hops (the number of routers
traversed) from the source to the destination. A directly connected network has a
metric of zero. The maximum hop count allowed by RIP is 15. Any route with a
hop count greater than 15 is considered unreachable.
Security Manager supports RIP version 2 only, which is described in RFC 1723.
RIP 2 improves on the original RIP by enabling RIP messages to carry more
information, which permits the use of a simple authentication mechanism (clear
text or MD5) to secure table updates. RIP 2 also supports subnet masks, a critical
feature that was not available in the original version of RIP.
The following topics describe the tasks you perform to create a RIP routing
policy:

Defining RIP Setup Parameters, page 14-213

Defining RIP Interface Authentication Settings, page 14-214

Redistributing Routes into RIP, page 14-216

Related Topics

Static Routing on Cisco IOS Routers, page 14-217

OSPF Routing on Cisco IOS Routers, page 14-195

EIGRP Routing on Cisco IOS Routers, page 14-187

BGP Routing on Cisco IOS Routers, page 14-181

Managing Routers, page 14-1


Defining RIP Setup Parameters


You configure RIP setup parameters by selecting the networks to include in the
route and deciding whether any interfaces should be passive. These interfaces do
not send routing updates to their neighbors. Additionally, you can enable
auto-summarization, which reduces the size and complexity of the routing tables
the router must maintain.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > RIP from the Policy selector,
then click the Setup tab in the work area.

(Policy view) Select Router Platform > Routing > RIP from the Policy
Type selector. Right-click RIP to create a policy, or select an existing policy
from the Shared Policy selector. Then click the Setup tab.

The RIP Setup tab is displayed. See Table K-117 on page K-278 for a description
of the fields on this tab.
Step 2

Enter the addresses of the directly connected networks whose interfaces are to
receive RIP updates. You can use a combination of addresses and network/host
objects, or click Select to display a selector. For more information, see Specifying
IP Addresses During Policy Definition, page 8-135.

Tip

If the network you want is not listed in the selector, click the Create button to display the Network/Host Dialog Box, page F-433. From here you can create a network/host object.

Step 3

Define which interfaces should not send routing updates to their neighbors:

a.

Click Edit under Passive Interfaces to display the Edit Interfaces dialog box. Use this dialog box to define which interfaces should not send routing updates to their neighbors. (These interfaces continue to receive RIP routing broadcasts, which they use to populate their routing tables.)

b.

Enter the names of one or more interfaces or interface roles, or click Select to display a selector. For more information, see Specifying Interfaces During Policy Definition, page 8-118.


c.

Click OK to save your changes and return to the RIP Setup tab.

Tip

If the interface role you want is not listed in the selector, click the Create button to open the Interface Role dialog box. The new interface role object is displayed in the Selected Interface Roles list. See Interface Role Dialog Box, page F-419.

Step 4

(Optional) Select the Auto Summary check box to enable the automatic summarization of subnet routes into network-level routes. Summarization reduces the size of routing tables, thereby reducing the complexity of the network. Disable automatic summarization when you perform routing between discontiguous subnets of the same classful network; when automatic summarization is turned off, the individual subnets are advertised.

Step 5

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Defining RIP Interface Authentication Settings, page 14-214

Redistributing Routes into RIP, page 14-216

RIP Routing on Cisco IOS Routers, page 14-212

Defining RIP Interface Authentication Settings


You define neighbor authentication settings for RIP interfaces by selecting the
interfaces and then selecting an authentication type, either MD5 or clear text.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > RIP from the Policy selector,
then click the Authentication tab in the work area.


(Policy view) Select Router Platform > Routing > RIP from the Policy
Type selector. Right-click RIP to create a policy, or select an existing policy
from the Shared Policy selector. Then click the Authentication tab.

The RIP Authentication tab is displayed. See Table K-119 on page K-280 for a
description of the fields on this tab.
Step 2

On the RIP Authentication tab, select an interface definition from the table, then
click Edit, or click Add to create a definition. The RIP Authentication dialog box
appears. See Table K-120 on page K-281 for a description of the fields in this
dialog box.

Step 3

Enter the name of the interface or interface role for which authentication is
defined, or click Select to display a selector (see Object Selectors, page F-558).
For more information, see Specifying Interfaces During Policy Definition,
page 8-118.

Tip

If the required interface role is not listed, click the Create button or the Edit button in the selector to open the Interface Role Dialog Box, page F-419. From here you can define an interface role to use in the policy.

Step 4

Define interface authentication (MD5 or clear text).

Note

We do not recommend that you use clear text authentication in RIP packets, because the unencrypted authentication key is sent in every packet. Use clear text authentication only when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing.

Step 5

Click OK to save your definitions locally on the client and close the dialog box.
The defined interface appears on the RIP Authentication tab.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.


Related Topics

Defining RIP Setup Parameters, page 14-213

Redistributing Routes into RIP, page 14-216

RIP Routing on Cisco IOS Routers, page 14-212

Redistributing Routes into RIP


Redistribution refers to using a routing protocol, such as RIP, to advertise routes
that are learned by some other means, such as a different routing protocol, static
routes, or directly connected routes. For example, you can redistribute routes from
the OSPF routing protocol into your RIP route. Redistribution is necessary in
networks that operate in multiple-protocol environments and can be applied to all
IP-based routing protocols.
When you redistribute into RIP, you can maintain the original metric of the route
by redistributing it transparently.
Before You Begin

Define at least one RIP route. See Defining RIP Setup Parameters,
page 14-213.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > RIP from the Policy selector,
then click the Redistribution tab in the work area.

(Policy view) Select Router Platform > Routing > RIP from the Policy
Type selector. Right-click RIP to create a policy, or select an existing policy
from the Shared Policy selector. Then click the Redistribution tab.

The RIP Redistribution tab is displayed. See Table K-121 on page K-283 for a
description of the fields on this tab.
Step 2

On the RIP Redistribution tab, select a row from the RIP Redistribution Mappings
table, then click Edit, or click Add to create a mapping. The RIP Redistribution
Mapping dialog box appears. See Table K-122 on page K-284 for a description of
the fields in this dialog box.

Step 3

Select the protocol whose routes you want to redistribute into RIP.


Note

You can create a single mapping for each static route, BGP AS, EIGRP AS, and OSPF process.

Step 4

Define the metric (cost) of the redistributed routes by doing one of the following:

Select the Default Metric check box, then enter the default metric of the redistributed routes. The metric determines the priority of the routes. Because RIP counts hops, the value must be 15 or less; a metric of 16 means unreachable.

Select the Transparent check box to maintain the original metric of the routes being redistributed into RIP.

Step 5

Click OK to save your definitions locally on the client and close the dialog box.
The redistribution mapping appears in the Redistribution Mapping table on the
RIP Redistribution tab.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
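The following is an added example, not Security Manager or Cisco IOS code, that serves both RIP Routing on Cisco IOS Routers above and this redistribution procedure. It is a small RIP routing table that applies the timers described earlier (a route becomes unusable after 180 seconds without an update and is removed after 240) and shows what the Default Metric and Transparent choices do to a redistributed route: a transparent OSPF cost of 64 cannot be expressed in a protocol whose maximum usable hop count is 15, so such a route is never advertised. Times, prefixes and next hops are constructed sample data.

```python
"""Added example: RIP route aging and redistribution metrics.
Not Security Manager or IOS code; routes and times are constructed."""
from dataclasses import dataclass

INFINITY = 16          # hop count 16 = unreachable; 15 is the maximum usable
INVALID_AFTER = 180    # seconds without an update: route becomes unusable
FLUSH_AFTER = 240      # seconds without an update: route is removed


@dataclass
class RipRoute:
    prefix: str
    next_hop: str
    metric: int
    updated_at: float


class RipTable:
    def __init__(self):
        self.routes = {}   # prefix -> RipRoute

    def receive_update(self, prefix, next_hop, advertised_metric, now):
        """Process one entry from a neighbour's update; return what happened."""
        metric = min(advertised_metric + 1, INFINITY)   # one more hop to get there
        current = self.routes.get(prefix)
        if metric >= INFINITY:
            if current and current.next_hop == next_hop:   # neighbour poisoned it
                current.metric = INFINITY
                current.updated_at = now
                return "poisoned"
            return "unreachable"
        if current is None or metric < current.metric or current.next_hop == next_hop:
            self.routes[prefix] = RipRoute(prefix, next_hop, metric, now)
            return "installed"
        return "ignored"

    def redistribute(self, prefix, source_metric, now,
                     default_metric=None, transparent=False):
        """Inject a route learned elsewhere (OSPF, static, ...) into RIP.
        Returns the RIP metric used, or None if it cannot be advertised."""
        if transparent:
            metric = source_metric                # keep the original metric
        elif default_metric is not None:
            metric = default_metric
        else:
            raise ValueError("choose a default metric or transparent redistribution")
        if not 0 <= metric < INFINITY:
            return None      # e.g. an OSPF cost of 64 is unreachable in RIP
        self.routes[prefix] = RipRoute(prefix, "redistributed", metric, now)
        return metric

    def age(self, now):
        """Apply the invalid and flush timers; return the prefixes flushed."""
        flushed = []
        for prefix, route in list(self.routes.items()):
            silent_for = now - route.updated_at
            if silent_for >= FLUSH_AFTER:
                del self.routes[prefix]
                flushed.append(prefix)
            elif silent_for >= INVALID_AFTER:
                route.metric = INFINITY   # kept, but advertised as unreachable
        return flushed

    def usable(self):
        return sorted(p for p, r in self.routes.items() if r.metric < INFINITY)


if __name__ == "__main__":
    table = RipTable()
    table.receive_update("10.1.0.0/16", "192.0.2.1", 2, now=0)
    for t in (100, 190, 250):
        flushed = table.age(t)
        print(f"t={t:3d}s usable={table.usable()} flushed={flushed}")
    print("OSPF cost 64, transparent:", table.redistribute("10.3.0.0/16", 64, 250, transparent=True))
    print("OSPF cost 64, default metric 5:", table.redistribute("10.3.0.0/16", 64, 250, default_metric=5))
```

In the sample run the route learned at t=0 is still usable at 100 s, is marked unreachable (but kept and advertised with metric 16) at 190 s, and is flushed at 250 s; the transparent redistribution of the OSPF route fails while the same route with a default metric of 5 is installed.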

Related Topics

Defining RIP Setup Parameters, page 14-213

Defining RIP Interface Authentication Settings, page 14-214

RIP Routing on Cisco IOS Routers, page 14-212

Static Routing on Cisco IOS Routers


You can configure static routing policies to ensure that the router correctly forwards packets to their destination when a route cannot be built dynamically. By default, static routes have an administrative distance of 1, which causes them to override any dynamic routes discovered for the same host or network; only directly connected networks, which have a distance of 0, are preferred over a static route. You can, however, assign a larger administrative distance to a static route so that it does not take precedence over a corresponding dynamic route.

For example, internal EIGRP routes have a default administrative distance of 90 (EIGRP summary routes have 5 and external EIGRP routes 170). To have a static route that can be overridden by an EIGRP route, you must specify an administrative distance greater than that of the EIGRP route, for example, 95 or more for an internal EIGRP route. This feature is useful when you define the static route as a floating route, which is inserted into the routing table only when the preferred route is unavailable.

Tip

When you use the static route as a backup, floating route, specify the interface through which the next hop IP address can be reached instead of entering a specific IP address. Otherwise, the floating route is not inserted in the routing table if the primary link fails. For more information, see Specifying a Next Hop IP Address for Static Routes on Cisco.com at this URL:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2.shtml
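The following is an added example, not Security Manager or Cisco IOS code, of the route selection this section describes: among routes for the same prefix the router installs the one with the lowest administrative distance, and a floating static route therefore only works as a backup if its distance is higher than that of the dynamic route it protects (in IOS syntax, a static route with distance 95 is "ip route 10.20.0.0 255.255.0.0 198.51.100.9 95"). The distance table holds the IOS defaults; the prefixes and next hops are constructed sample data, and the lookup function shows that longest prefix match is applied before distance.

```python
"""Added example: administrative distance and floating static routes.
Not Security Manager or IOS code; prefixes and next hops are constructed."""
from dataclasses import dataclass
import ipaddress

# Cisco IOS default administrative distances.
DEFAULT_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20,
    "eigrp": 90, "ospf": 110, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str
    next_hop: str
    distance: int


class Rib:
    """All candidate routes offered by every source, plus the winner per prefix."""

    def __init__(self):
        self.candidates = []

    @staticmethod
    def _norm(prefix):
        return str(ipaddress.ip_network(prefix, strict=False))

    def add(self, prefix, source, next_hop, distance=None):
        if distance is None:
            distance = DEFAULT_DISTANCE[source]
        self.candidates.append(Candidate(self._norm(prefix), source, next_hop, distance))

    def withdraw(self, prefix, source):
        """Drop one source's route, e.g. when the protocol loses it."""
        prefix = self._norm(prefix)
        self.candidates = [c for c in self.candidates
                           if not (c.prefix == prefix and c.source == source)]

    def installed(self, prefix):
        """The route actually used for a prefix: lowest distance wins."""
        prefix = self._norm(prefix)
        same = [c for c in self.candidates if c.prefix == prefix]
        return min(same, key=lambda c: c.distance) if same else None

    def lookup(self, address):
        """Forwarding decision for one destination: longest prefix match
        among the installed routes, then lowest distance as above."""
        addr = ipaddress.ip_address(address)
        best, best_len = None, -1
        for prefix in {c.prefix for c in self.candidates}:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = self.installed(prefix), net.prefixlen
        return best


def floating_static_demo(static_distance):
    """EIGRP (distance 90) and a static backup for 10.20.0.0/16. Returns the
    source in use before and after the EIGRP route disappears."""
    rib = Rib()
    rib.add("10.20.0.0/16", "eigrp", "198.51.100.1")
    rib.add("10.20.0.0/16", "static", "198.51.100.9", static_distance)
    before = rib.installed("10.20.0.0/16").source
    rib.withdraw("10.20.0.0/16", "eigrp")
    after = rib.installed("10.20.0.0/16").source
    return before, after


if __name__ == "__main__":
    print("default distance 1:", floating_static_demo(None))
    print("distance 95:       ", floating_static_demo(95))
```

With the default distance of 1 the static route is used all the time and the EIGRP route never carries traffic, which is the mistake the text warns about; with distance 95 EIGRP is used until its route is withdrawn, at which point the floating static takes over.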
Related Topics

Defining Static Routes, page 14-218

Defining Static Routes


To define a static route, you must define the IP address (and optionally, the metric)
of the hop gateway to which the router forwards packets destined to the selected
host or network. You can define as many static routes as required.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > Static Routing from the Policy
selector.

(Policy view) Select Router Platform > Routing > Static Routing from the
Policy Type selector. Right-click Static Routing to create a policy, or select
an existing static routing policy from the Shared Policy selector.

The Static Routing page is displayed. See Table K-123 on page K-286 for a
description of the fields on this page.


Step 2

On the Static Routing page, select a static route from the table, then click Edit, or
click Add to create a route. The Static Routing dialog box appears. See
Table K-124 on page K-289 for a description of the fields in this dialog box.

Step 3

(Optional) Select the Use as Default Route check box to make this route the
default route for all unknown outbound packets.

Step 4

In the Prefix field, enter the address for the destination network, or click Select to
display a selector (see Object Selectors, page F-558). For more information, see
Specifying IP Addresses During Policy Definition, page 8-135.

Tip

If the host you want is not listed in the selector, click the Create button or the Edit button to display the Network/Host Dialog Box, page F-433. From here you can create a network/host object to use in the policy.

Step 5

Select a forwarding option:

To define the router interface that forwards packets to the remote network, select Forwarding Interface, then do one of the following:

Enter the name of an interface or interface role. See Understanding Interface Role Objects, page 8-115.

Click Select to open a selector. See Selecting Objects for Policies, page 8-203. The interface role you select must represent one interface only on the router in order to configure the static route.

Tip

If the required interface role is not listed, click the Create button or the Edit button in the selector to open the Interface Role Dialog Box, page F-419. From here you can define an interface role to use in the policy.

To specify the next hop router that receives and forwards packets to the remote network, select Forwarding IP, then enter the address in the field provided, or click Select to display a selector (see Object Selectors, page F-558). For more information, see Specifying IP Addresses During Policy Definition, page 8-135.


Step 6

(Optional) In the Distance Metric field, enter the administrative distance of this static route. The administrative distance is not a hop count; it ranks the route against routes for the same network learned from other sources. If two routing entries specify the same network, the route with the lower distance value is given a higher priority and is selected.

Note

If no value is specified, the default is 1, the standard administrative distance of a static route. Only directly connected networks (distance 0) are preferred over it.

Step 7

(Optional) Select the Permanent route check box to prevent this static route entry
from being deleted, even in cases in which the interface is shut down or the router
cannot communicate with the next router.

Step 8

Click OK to save your definitions locally on the client and close the dialog box.
The static route appears in the table on the Static Routing page.

Step 9

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Static Routing on Cisco IOS Routers, page 14-217

RIP Routing on Cisco IOS Routers, page 14-212

OSPF Routing on Cisco IOS Routers, page 14-195

EIGRP Routing on Cisco IOS Routers, page 14-187

BGP Routing on Cisco IOS Routers, page 14-181

Managing Routers, page 14-1


Chapter 15

Managing Firewall Devices


The PIX/ASA/FWSM Platform tool supports the management and configuration
of security services and policies on Adaptive Security Appliances (ASA), PIX
Firewalls, and Firewall Services Modules (FWSM).
The following topics describe how to configure platform policies on firewall
devices:

Configuring Firewall Device Interfaces, page 15-3

Configuring NAT Policies on Firewall Devices, page 15-20

Configuring Bridging Policies on Firewall Devices, page 15-28

Configuring Device Administration Policies on Firewall Devices, page 15-30

Configuring Logging Policies on Firewall Devices, page 15-77

Configuring Multicast Policies on Firewall Devices, page 15-88

Configuring Routing Policies on Firewall Devices, page 15-93

Configuring Security Policies on Firewall Devices, page 15-98

Configuring Service Policy Rules on Firewall Devices, page 15-103

Configuring User Preferences on Firewall Devices, page 15-104

Configuring Security Contexts on Firewall Devices, page 15-105


Understanding Factory-Default Configurations


Firewall devices come with certain settings already configured. After you
manually add a firewall device to Security Manager or add a device from the DCR,
you should discover (import) the factory-default policies for that device. Bringing
these policies into Security Manager prevents you from unintentionally removing
them the first time you deploy to that device. For more information about
importing policies, see Discovering Policies, page 6-7.
Security Manager provides a set of configuration files that contain the
factory-default policies for various device types and versions (see Table 15-1).
These configuration files are located at:
<install_dir>\CSCOpx\MDC\fwtools\pixplatform

(for example, C:\Program Files\CSCOpx\MDC\fwtools\pixplatform).


Table 15-1      Factory-Default Configuration Files

File Name                          Device  OS             Context Mode  Firewall Mode
FactoryDefault_PIX6_3_1.cfg        PIX     6.3            N/A           N/A
FactoryDefault_PIX6_3_2PLUS.cfg    PIX     6.3(2)/6.3(3)  N/A           N/A
FactoryDefault_ASA7_0_MR.cfg       ASA     7.0            Multiple      Router
FactoryDefault_ASA7_0_SR.cfg       ASA     7.0            Single        Router
FactoryDefault_ASA7_0_MT.cfg       ASA     7.0            Multiple      Transparent
FactoryDefault_ASA7_0_ST.cfg       ASA     7.0            Single        Transparent
FactoryDefault_FWSM2_2_MR.cfg      FWSM    2.2            Multiple      Router
FactoryDefault_FWSM2_2_SR.cfg      FWSM    2.2            Single        Router
FactoryDefault_FWSM2_2_MT.cfg      FWSM    2.2            Multiple      Transparent
FactoryDefault_FWSM2_2_ST.cfg      FWSM    2.2            Single        Transparent
FactoryDefault_FWSM2_3_MR.cfg      FWSM    2.3            Multiple      Router
FactoryDefault_FWSM2_3_SR.cfg      FWSM    2.3            Single        Router
FactoryDefault_FWSM2_3_MT.cfg      FWSM    2.3            Multiple      Transparent
FactoryDefault_FWSM2_3_ST.cfg      FWSM    2.3            Single        Transparent


Configuring Firewall Device Interfaces


The Interfaces page displays configured interfaces and subinterfaces. From this
page, you can add or delete interfaces and subinterfaces and enable
communication between interfaces on the same security level.
Transparent firewall mode allows only two interfaces to pass through traffic;
however, if your platform includes a dedicated management interface, you can use
it (either the physical interface or a sub-interface) as a third interface for
management traffic.
If you intend to use a physical interface for failover, do not configure the interface
in this dialog box; instead, use the Failover page (see Configuring Failover,
page 15-55). In particular, do not set the interface name, as this parameter
disqualifies the interface from being used as the failover link; other parameters are
ignored.
After you assign the interface as the failover link or state link, you cannot edit or
delete the interface from the Interfaces page. The only exception is if you set a
physical interface to be the state link, then you can configure the speed and
duplex.
Firewall devices come in a variety of configurations. The configuration
determines how to define the interfaces associated with a firewall device. For
more information, see Table 15-2.
Table 15-2      Interface Definition Methods by Device Type

Device Type                         Operational Mode       Context Support     Interface Definition Method
                                    (N/A, Router,          (N/A, Single,
                                    Transparent)           Multiple)
PIX 6.3.x                           N/A                    N/A                 Configuring PIX 6.3 Interfaces, page 15-16
PIX 7.0/ASA                         Router or Transparent  Single              Configuring PIX 7.0/ASA Interfaces in Single
                                                                               Context Mode, page 15-6
PIX 7.0/ASA or Security Context     Router or Transparent  Multiple            Checklist for Configuring PIX 7.0/ASA
  of unmanaged PIX 7.0/ASA                                                     Interfaces in Multi Context Mode, page 15-10
FWSM or Security Context of         Router or Transparent  Single or Multiple  Configuring FWSM Interfaces, page 15-18
  unmanaged Switch (multiple mode)

Understanding ASA 5505 Ports and Interfaces


The ASA 5505 adaptive security appliance supports a built-in switch. There are
two kinds of ports and interfaces that you need to configure:

Physical switch ports: The adaptive security appliance has eight Fast
Ethernet switch ports that forward traffic at Layer 2, using the switching
function in hardware. Two of these ports are PoE ports. You can connect these
interfaces directly to user equipment such as PCs, IP phones, or a DSL
modem. Or you can connect to another switch. For more information, see
ASA 5505 Ports and Interfaces Page, page L-59.

Logical VLAN interfaces: In routed mode, these interfaces forward traffic
between VLAN networks at Layer 3, using the configured security policy to
apply firewall and VPN services. In transparent mode, these interfaces
forward traffic between the VLANs on the same network at Layer 2, using the
configured security policy to apply firewall services.

To segregate the switch ports into separate VLANs, you assign each switch port
to a VLAN interface. Switch ports on the same VLAN can communicate with each
other using hardware switching. But when a switch port on VLAN 1 wants to
communicate with a switch port on VLAN 2, then the adaptive security appliance
applies the security policy to the traffic and routes or bridges between the two
VLANs.


Note

Subinterfaces are not available for the ASA 5505 adaptive security appliance.

Enabling Traffic between Interfaces with the Same Security Level

For selected platforms, the Interfaces panel lets you enable communication
between interfaces on the same security level.
By default, interfaces on the same security level cannot communicate with each
other. Allowing communication between same-security interfaces provides the
following benefits:

You can configure more than 101 communicating interfaces. If you use a
different level for each interface and do not assign any interfaces to the
same security level, you can configure only one interface per level (0 to
100), that is, 101 interfaces at most.

You can allow traffic to flow freely between all same-security interfaces
without access lists.

If you enable NAT control, you do not need to configure NAT between
same-security interfaces.

Procedure
Step 1

Click the Device View button on the toolbar.

Note

For more information on using the Device view to configure policies for
devices, see Managing Policies in Device View, page 6-20.

Step 2

Select the firewall device for which you want to configure interfaces.

Step 3

Select Interfaces from the Device Policy selector.


The Interfaces page is displayed. For a description of the fields on this page, see
Table L-16 on page L-35.

User Guide for Cisco Security Manager 3.1


OL-11501-03

15-5

Chapter 15

Managing Firewall Devices

Configuring Firewall Device Interfaces

Step 4

Specify the option that identifies how you want this device to handle traffic
between interfaces with the same security level:

Disabled: Does not allow communication between interfaces on the same
security level.

Inter-interface: Enables traffic flows between different interfaces that have
the same security level setting. When this option is enabled, you are not
required to define translation rules to enable traffic flow between those
interfaces.

Intra-interface: Enables traffic to enter and exit the same interface (for
example, VPN traffic that arrives on the outside interface and is sent back
out through it). When this option is enabled, you are not required to define
translation rules to enable that traffic flow.

Both: Allows both intra- and inter-interface communication among interfaces
with the same security level.

Step 5

Click Save to save your definitions to the Security Manager server.
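A decision table for the four options in Step 4, as an added Python example that is not Security Manager code. Beyond what this page states, it applies the standard ASA rule that a higher security level reaches a lower one without an access list (the inside=100/outside=0 convention used throughout this chapter); the interface names and levels are constructed, and the same-security-traffic commands it emits are standard ASA 7.x syntax.

```python
"""Which flows the security levels alone permit, for each of the four
same-security-traffic options in Step 4.

Added example, not Security Manager code. It also applies the standard ASA
rule that a higher security level may reach a lower one without an access
list, which this page only implies through the inside=100/outside=0
convention. Interface names and levels are constructed.
"""
from typing import Dict, List, Tuple

# Option selected on the Interfaces page -> (inter-interface, intra-interface)
OPTIONS = {
    "disabled": (False, False),
    "inter-interface": (True, False),
    "intra-interface": (False, True),
    "both": (True, True),
}


def permitted_by_levels(option: str, levels: Dict[str, int],
                        ingress: str, egress: str) -> bool:
    """True if a flow entering `ingress` and leaving `egress` needs no ACL."""
    inter, intra = OPTIONS[option]
    if ingress == egress:          # hairpin: traffic leaves the way it came in
        return intra
    src, dst = levels[ingress], levels[egress]
    if src > dst:                  # higher -> lower: implicitly permitted
        return True
    if src == dst:                 # equal levels: only with inter-interface
        return inter
    return False                   # lower -> higher: always needs an ACL


def blocked_pairs(option: str, levels: Dict[str, int]) -> List[Tuple[str, str]]:
    """All (ingress, egress) pairs that still require an access list."""
    names = sorted(levels)
    return [(a, b) for a in names for b in names
            if not permitted_by_levels(option, levels, a, b)]


def asa_commands(option: str) -> List[str]:
    """ASA 7.x commands equivalent to the selected option."""
    inter, intra = OPTIONS[option]
    cmds = []
    if inter:
        cmds.append("same-security-traffic permit inter-interface")
    if intra:
        cmds.append("same-security-traffic permit intra-interface")
    return cmds


if __name__ == "__main__":
    # Constructed interface table: two DMZs that share security level 50.
    levels = {"inside": 100, "dmz1": 50, "dmz2": 50, "outside": 0}
    for opt in OPTIONS:
        print(opt, "blocks", blocked_pairs(opt, levels))
        print("  ", asa_commands(opt))
```

Note what the option does not change: a lower-to-higher flow (outside to inside, or dmz1 to inside) still requires an access list under every option, so enabling same-security traffic widens connectivity only between peers at the same level.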

Configuring PIX 7.0/ASA Interfaces in Single Context Mode

Defining interfaces for a PIX 7.0 or ASA security appliance operating in single
context, routed mode is straightforward. Configured in this mode, the security
appliance simply acts as a firewall that inspects and filters traffic traversing
the networks attached to its interfaces. Interfaces attach to router-based
networks, and subinterfaces attach to switch-based networks. All subinterfaces
must be associated with a physical interface that is responsible for routing
allowed traffic correctly.
If the security appliance is operating in transparent mode, you can define only
two interfaces: inside and outside. In this mode, the interfaces do not require IP
addresses; they simply use VLAN IDs to switch inspected traffic.
Procedure
Step 1

Click the Device View button on the toolbar.


Note

For more information on using the Device view to configure policies for
devices, see Managing Policies in Device View, page 6-20.

Step 2

Select the firewall device for which you want to configure interfaces.

Step 3

Select Interfaces from the Device Policy selector.


The Interfaces page is displayed. For a description of the fields on this page, see
Table L-16 on page L-35.

Step 4

To define an interface, click the Add Row button.


The Add/Edit Interfaces dialog box appears.

Step 5

Verify that the Enable Interface check box is selected.


Traffic cannot traverse an interface unless it is enabled. If you are defining a
sub-interface, enable the interface with which it is associated before attempting to
define the sub-interface.

Step 6

If this interface is used exclusively for administration of the security appliance,
select the Management Only check box.
By selecting this option, you restrict the interface to management traffic. For
example, the intra- and inter-interface traffic flow selections do not apply to
this interface.

Step 7

Select the type of interface that you are defining in the Type list.
Interface represents a physical interface; whereas Sub-interface represents a
logical interface associated with a previously defined physical interface.

Step 8

Specify the logical name to be used for this interface in the Name field.
Specific name values are reserved for specific interfaces, in accordance with the
interface naming conventions of the security appliance. As such, these reserved
names enforce default, reserved security level values. Specifically, inside and
outside are used to represent the internal and external network connections
respectively. Also, subinterfaces typically identify their associated interface, as
well as their unique name. For example, DMZoobmgmt could represent an
out-of-band management network attached to the DMZ interface.

Step 9

Specify or select the network interface type and slot number in the Hardware ID
field.


If you are defining a sub-interface, you must select the hardware ID of the
physical interface to which you want to associate the sub-interface. Otherwise,
you must specify the physical_interface ID, which includes the network type, slot,
and port number as type[slot/]port.
The physical interface types include the following:

ethernet

gigabitethernet

For the PIX 500 series security appliance, enter the type followed by the port
number, for example, ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by
slot/port, for example, gigabitethernet0/1. Interfaces that are built into the chassis
are assigned to slot 0, while interfaces on the 4GE SSM are assigned to slot 1.
The ASA 5500 series adaptive security appliance also includes the following type:

management: The management interface is a Fast Ethernet interface
designed for management traffic only, and is specified as management0/0.
You can, however, use it for through traffic if desired (deselect the
Management Only check box). In transparent firewall mode, you can use the
management interface in addition to the two interfaces allowed for through
traffic. You can also add subinterfaces to the management interface to provide
management in each security context for multiple context mode.

Step 10

Select the method to use for assigning addresses from the IP Type list, and
complete the assignment.

If you select Static IP, you must assign a static IP address and subnet mask
pair that allows the interface to connect to the network to which it is attached.
Firewall interfaces do not have IP addresses until you assign them.

If you select Use DHCP, you must specify whether to obtain the default route
using DHCP.

If you select Use PPPoE, you must specify whether to obtain the default route
using PPPoE and assign a static IP address and subnet mask pair that allows
the interface to connect to the network to which it is attached.

Note

You can configure DHCP and PPPoE only on the outside interface of a
firewall device. If PPPoE is already in use on the outside interface, that
option is no longer offered.


Step 11

Verify the correct options are selected in the Speed and Duplex list boxes.

Note

We recommend that you use the auto option to allow the security
appliance to automatically select the correct speed and duplex setting. If
you use a fixed setting and you later change the setting, the interface will
shut down.

Step 12

Specify the maximum transmission unit in the MTU field.

Valid values are 300 to 65535 bytes. The default is 1500 for all types except
PPPoE, for which the default is 1492.

Step 13

(Sub-interface) To specify an ID for this sub-interface, enter a value between 1
and 4,294,967,295 in the Sub-interface ID field. Do not include commas in the
value.

Step 14

(Sub-interface) To specify a VLAN ID for the sub-interface, enter a value between
1 and 4094 in the VLAN ID field.
This VLAN ID must not be in use on connected devices.

Step 15

Specify a number between 0 and 100 in the Security Level field.

The outside interface is always 0.

The inside interface is always 100.

DMZ interfaces are between 1 and 99.

Step 16

To specify a description for this interface, enter it in the Description field.

Step 17

To accept your changes, click OK.

Step 18

For each interface that you want to add, repeat Step 4 through Step 17.

Step 19

Click Save to save your definitions to the Security Manager server.


You must save a new interface definition before you can begin to define another.
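An added example, not Security Manager code, that applies the rules from Steps 5 through 15 to a set of interface definitions and renders the ASA 7.x commands each one maps to. The commands used (nameif, security-level, ip address, vlan, management-only, speed, duplex, mtu) are standard ASA syntax; the interface records are constructed, and whether the Add/Edit Interfaces dialog box itself enforces every one of these checks is an assumption.

```python
"""Checks on an interface definition (Steps 5 to 15) and the PIX 7.0/ASA CLI
each definition maps to. Added example, not Security Manager code: the emitted
commands are standard ASA 7.x syntax, the Interface records are constructed,
and which of these checks the dialog box itself enforces is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

HW_ID = re.compile(r"^(ethernet|gigabitethernet|management)(\d+/)?\d+$")
RESERVED_LEVELS = {"inside": 100, "outside": 0}   # Steps 8 and 15


@dataclass
class Interface:
    name: str
    hardware_id: str                  # type[slot/]port, e.g. gigabitethernet0/1
    security_level: int
    ip_type: str = "static"           # static | dhcp | pppoe (Step 10)
    ip_address: Optional[str] = None
    mask: Optional[str] = None
    enabled: bool = True              # Step 5
    management_only: bool = False     # Step 6
    subif_id: Optional[int] = None    # Step 13, sub-interfaces only
    vlan_id: Optional[int] = None     # Step 14, sub-interfaces only
    mtu: Optional[int] = None         # Step 12, None = default
    speed: str = "auto"               # Step 11
    duplex: str = "auto"

    @property
    def is_subinterface(self) -> bool:
        return self.subif_id is not None

    @property
    def effective_mtu(self) -> int:
        return self.mtu if self.mtu is not None else (1492 if self.ip_type == "pppoe" else 1500)


def check_interface(i: Interface, parent_enabled: bool = True) -> List[str]:
    """Rule violations for one definition; an empty list means it is valid."""
    errs = []
    if not HW_ID.match(i.hardware_id.lower()):
        errs.append(f"{i.name}: hardware ID must be type[slot/]port")
    if not 0 <= i.security_level <= 100:
        errs.append(f"{i.name}: security level must be 0-100")
    if i.name in RESERVED_LEVELS and i.security_level != RESERVED_LEVELS[i.name]:
        errs.append(f"{i.name}: reserved name requires level {RESERVED_LEVELS[i.name]}")
    if i.ip_type in ("dhcp", "pppoe") and i.name != "outside":
        errs.append(f"{i.name}: DHCP/PPPoE allowed only on the outside interface")
    if i.ip_type == "static" and not (i.ip_address and i.mask):
        errs.append(f"{i.name}: static IP requires an address and mask")
    if not 300 <= i.effective_mtu <= 65535:
        errs.append(f"{i.name}: MTU must be 300-65535")
    if i.is_subinterface:
        if not 1 <= i.subif_id <= 4294967295:
            errs.append(f"{i.name}: sub-interface ID must be 1-4294967295")
        if i.vlan_id is None or not 1 <= i.vlan_id <= 4094:
            errs.append(f"{i.name}: VLAN ID must be 1-4094")
        if not parent_enabled:
            errs.append(f"{i.name}: enable {i.hardware_id} before adding a sub-interface")
    return errs


def check_device(ifaces: List[Interface], transparent: bool = False) -> List[str]:
    """Device-wide rules: defined parents, unique names, transparent-mode limit."""
    errs = []
    physical = {i.hardware_id.lower(): i for i in ifaces if not i.is_subinterface}
    for i in ifaces:
        parent = physical.get(i.hardware_id.lower()) if i.is_subinterface else None
        if i.is_subinterface and parent is None:
            errs.append(f"{i.name}: physical interface {i.hardware_id} is not defined")
        errs.extend(check_interface(i, parent.enabled if parent else True))
    names = [i.name for i in ifaces]
    if len(set(names)) != len(names):
        errs.append("interface names must be unique")
    if transparent and len([i for i in ifaces if not i.management_only]) > 2:
        errs.append("transparent mode allows only two through-traffic interfaces")
    return errs


def to_cli(i: Interface) -> List[str]:
    """ASA 7.x configuration lines for one interface definition."""
    hw = f"{i.hardware_id}.{i.subif_id}" if i.is_subinterface else i.hardware_id
    lines = [f"interface {hw}"]
    if i.is_subinterface:
        lines.append(f" vlan {i.vlan_id}")
    else:
        lines += [f" speed {i.speed}", f" duplex {i.duplex}"]
    lines += [f" nameif {i.name}", f" security-level {i.security_level}"]
    if i.management_only:
        lines.append(" management-only")
    if i.ip_type == "dhcp":
        lines.append(" ip address dhcp setroute")       # default route via DHCP
    elif i.ip_type == "pppoe":
        static = f"{i.ip_address} {i.mask} " if i.ip_address else ""
        lines.append(f" ip address {static}pppoe setroute")
    else:
        lines.append(f" ip address {i.ip_address} {i.mask}")
    lines.append(" no shutdown" if i.enabled else " shutdown")
    lines.append(f"mtu {i.name} {i.effective_mtu}")   # mtu is a global command on ASA
    return lines
```

Run check_device before to_cli. A transparent-mode device fails the check as soon as a third interface that is not Management Only is added, which is the limit stated at the start of this section, and a sub-interface is rejected when its parent is missing or still disabled, matching the order Step 5 asks for.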

Related Topics

Interfaces Page, page L-31

Add/Edit Interface Dialog Box, page L-34


Checklist for Configuring PIX 7.0/ASA Interfaces in Multi Context Mode

When a firewall device uses a single security context, it appears to the network
and to CSM as a single firewall device, just as a firewall with no support for
contexts. However, when you configure a firewall device to use multiple security
contexts, each security context appears, from the network perspective, as a
standalone firewall device. As such, representing multiple firewalls that reside
within the same physical appliance requires special care.
The following checklist describes the basic flow required to define a firewall
device running multiple security contexts, describes how to configure the contexts
and interfaces, and explains how to represent each context as a firewall device in
CSM. Each step may contain multiple substeps; the steps and substeps should be
performed in order. The checklist contains references to the specific procedures
used to perform each task.
Task
Step 1

Define the interfaces and sub-interfaces of the base security appliance.

This task defines the hardware ID and physical parameters of the network interfaces, such as
speed, duplex, connection type (Ethernet, gigabit Ethernet, etc.), and VLAN ID associated
with a sub-interface. These interfaces and sub-interfaces will be allocated to the security
contexts that you define later in this checklist.
Result: All physical interfaces and sub-interfaces are defined.
For more information, see Configuring Physical Interfaces of a PIX 7.0/ASA Security
Appliance in Multi Context Mode, page 15-13.

Step 2

Define admin context and the administrative interface to represent the base security appliance.

This task is called out separately to ensure you define the context for the IP address through
which the security appliance will be administered. It follows the same process as that for
defining a security context; however, it is designated as the admin context when you select the
Admin Context check box. The configuration file for the admin context must reside on the
local drive, disk0:/, of the security appliance.
In addition to being used to administer the appliance, the admin context is used to publish
syslog and SNMP messages to monitoring devices, such as Cisco Security Monitoring,
Analysis, and Response System (CS-MARS), for further processing.
Until you define the IP address associated with the admin context, later in this checklist, the
IP address used to manage the security appliance is the one that you specified when defining
the device. After you define the IP address associated with the admin context, the admin
context's address takes precedence over the settings on the Device Properties page, and you
must modify the address associated with the admin context to change the setting.
Result: The admin context is defined and associated with a physical interface.
For more information, see:

Configuring Security Contexts on Firewall Devices, page 15-105

Add/Edit a Security Context for PIX or ASA, page 15-106

Step 3

Define each security context, or virtual firewall, that resides on the base appliance.

This task defines the individual firewalls, assigning a name and a location for configuration
files. The admin context can pass traffic like any other context, but it is typically reserved for
administering the appliance, so the security contexts are treated separately in this checklist.
Each security context represents a virtual firewall, and it identifies the interfaces and the
range of VLAN IDs that are under the purview of the security context.
Result: Each security context is defined and associated with a physical interface, and the
VLAN ranges for which that security context will inspect traffic are defined.
For more information, see:

Configuring Security Contexts on Firewall Devices, page 15-105

Add/Edit a Security Context for PIX or ASA, page 15-106

Step 4

Submit/deploy to generate the virtual firewall instances as children of the base appliance.

Just as you would first define the security contexts, and then define the settings for each
context at the CLI, you must create the contexts on the security appliance before you can
begin defining the individual settings of each context. To create the contexts on the appliance,
you must define and then either submit the changes in Workflow mode or deploy the changes
to the security appliance in non-Workflow mode.
After you submit the security contexts, a virtual firewall device appears beneath the
originally defined security appliance in the Device View. These virtual firewalls are named
with the base name of the security appliance followed by _context_name. For example,
asaMultiRouted_admin represents the admin context (named admin) of the security
appliance named asaMultiRouted, and asaMultiRouted_security1 represents the security
context named security1.
The IP address used to create the contexts on the security appliance is the one defined in the
Device Properties dialog box of the base security appliance. To access this dialog box,
right-click the security appliance and select Device Properties. After you complete Step 5,
the administrative IP will be the one assigned to the admin context.
Result: Your changes are submitted or deployed (depending on the Workflow mode), which
creates the admin and security contexts as children of the base security appliance. You can
now complete the definition of the interfaces by selecting a device that represents a context
and editing its interfaces.
For more information, see:

Workflow Overview, page 1-14

Submitting an Activity for Approval, page 7-14

Working with Deployment, page 18-35

Step 5

Define interface settings for each security context.

This task specifies the interface details, including names, addresses, and security levels, for
the interfaces and sub-interfaces managed by each security context.
The difference in approach here, relative to a single context mode device, is that you select
and define settings for each security context, not the base security appliance. In addition,
you cannot add new interfaces or modify the Hardware Port value; instead, you select the
interfaces that are already defined and edit them within the scope of the security context.
Result: The interface settings are defined for each context.
For more information, see Configuring PIX 7.0/ASA Interfaces in Single Context Mode,
page 15-6.
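The ordering that the checklist imposes (interfaces before contexts, contexts before deployment, deployment before per-context interface settings), written as a small Python state machine. This is an added example, not Security Manager code: the admin-context, context, allocate-interface and config-url commands are standard ASA 7.x system configuration, the appliance is assumed to already be in multiple context mode, and the appliance, context and interface names are constructed.

```python
"""Ordering constraints of the multi context checklist above (Steps 1 to 5),
modelled as a small state machine, plus the system-space configuration that
Step 4 pushes to the appliance.

Added example, not Security Manager code. The admin-context, context,
allocate-interface and config-url commands are standard ASA 7.x system
configuration (the appliance is assumed to be in multiple context mode
already); the appliance, context and interface names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Context:
    name: str
    config_url: str              # where the context's configuration file lives
    interfaces: List[str]        # hardware IDs (or sub-interfaces) allocated
    is_admin: bool = False       # Admin Context check box (Step 2)


class MultiContextAppliance:
    def __init__(self, name: str):
        self.name = name
        self.physical: List[str] = []               # Step 1
        self.contexts: Dict[str, Context] = {}      # Steps 2 and 3
        self.deployed = False                       # Step 4
        self.context_ifaces: Dict[str, Dict[str, dict]] = {}  # Step 5

    def define_interface(self, hardware_id: str) -> None:
        """Step 1: hardware ID of a base-appliance interface or sub-interface."""
        if hardware_id in self.physical:
            raise ValueError(f"{hardware_id} already defined")
        self.physical.append(hardware_id)

    def add_context(self, ctx: Context) -> None:
        """Steps 2 and 3: a context may only reference Step 1 interfaces."""
        if not self.physical:
            raise RuntimeError("define a physical interface before any context")
        missing = [i for i in ctx.interfaces if i not in self.physical]
        if missing:
            raise ValueError(f"{ctx.name}: undefined interfaces {missing}")
        if ctx.is_admin:
            if not ctx.config_url.lower().startswith("disk0:/"):
                raise ValueError("admin context configuration must reside on disk0:/")
            if any(c.is_admin for c in self.contexts.values()):
                raise ValueError("only one admin context is allowed")
        self.contexts[ctx.name] = ctx

    def system_config(self) -> List[str]:
        """Step 4: system-space commands that create the contexts."""
        admin = [c for c in self.contexts.values() if c.is_admin]
        if len(admin) != 1:
            raise RuntimeError("an admin context is required before deploying")
        lines = [f"admin-context {admin[0].name}"]
        for c in self.contexts.values():
            lines.append(f"context {c.name}")
            lines += [f" allocate-interface {hw}" for hw in c.interfaces]
            lines.append(f" config-url {c.config_url}")
        return lines

    def deploy(self) -> List[str]:
        """Step 4: after submit/deploy, each context appears as a child device."""
        self.system_config()           # fails if the prerequisites are not met
        self.deployed = True
        return [f"{self.name}_{c}" for c in self.contexts]

    def set_context_interface(self, ctx_name: str, hardware_id: str,
                              nameif: str, level: int, ip: str) -> None:
        """Step 5: names, levels and addresses are set per context, and only
        on interfaces already allocated to it; no new hardware ports here."""
        if not self.deployed:
            raise RuntimeError("submit/deploy the contexts before editing their interfaces")
        if hardware_id not in self.contexts[ctx_name].interfaces:
            raise ValueError(f"{hardware_id} is not allocated to {ctx_name}")
        self.context_ifaces.setdefault(ctx_name, {})[hardware_id] = {
            "nameif": nameif, "security-level": level, "ip": ip}
```

deploy() returns the child device names as they would appear in Device view (asaMultiRouted_admin, asaMultiRouted_security1 for the names used in Step 4), and set_context_interface refuses to run before that point, which is the constraint Step 5 describes. The disk0:/ check mirrors the admin-context requirement in Step 2; the appliance itself rejects a context that allocates an interface the system space does not have, which is why the model rejects it at add_context time.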

Configuring Physical Interfaces of a PIX 7.0/ASA Security Appliance in Multi
Context Mode

Defining interfaces for a firewall device operating in multiple context mode,
whether routed or transparent, brings with it a level of indirection, one tied to
the security contexts defined for the security appliance.
In this configuration, the appliance acts as multiple firewalls. For each security
context, a unique firewall inspects and filters traffic traversing the
networks attached to the interfaces of that security context. Each context is
unaware of other contexts defined on the same security appliance. As in single
context, routed mode, interfaces attach to router-based networks, sub-interfaces
attach to switch-based networks, and each sub-interface must be associated with
the interface that routes allowed traffic correctly. However, you cannot define IP
addresses, the routed mode portion of the configuration, or identify the
management-only interface until you have defined and deployed the admin and
security contexts. You cannot define a security context until you define one or
more physical interfaces, which requires identifying the hardware ID.
This procedure is not complete; it only defines the physical interfaces of the base
security appliance. Refer to the Checklist for Configuring PIX 7.0/ASA Interfaces
in Multi Context Mode, page 15-10 for complete instructions.
Procedure
Step 1

(Device view) Select Interfaces from the Device Policy selector.



The Interfaces page is displayed. For a description of the fields on this page, see
Table L-16 on page L-35.
Step 2

To define a physical interface, click the Add Row button.


The Add/Edit Interfaces dialog box appears.

Step 3

Verify that the Enable Interface check box is selected.


Traffic cannot traverse an interface unless it is enabled. If you are defining a
sub-interface, enable the interface with which it is associated before attempting to
define the sub-interface.

Step 4

Select the type of interface that you are defining in the Type list.
Interface represents a physical interface; whereas sub-interface represents a
logical interface that is associated with a previously defined physical interface.

Step 5

Specify or select the network interface type and slot number and port in the
Hardware Port field.
If you are defining a sub-interface, you must select the hardware ID of the
physical interface to which you want to associate the sub-interface. Otherwise,
you must specify the physical_interface ID, which includes the network type, slot,
and port number as type[slot/]port.
The physical interface types include the following:

ethernet

gigabitethernet

For the PIX 500 series security appliance, enter the type followed by the port
number, for example, ethernet0.
For the ASA 5500 series adaptive security appliance, enter the type followed by
slot/port, for example, gigabitethernet0/1. Interfaces that are built into the chassis
are assigned to slot 0, while interfaces on the 4GE SSM are assigned to slot 1.
The ASA 5500 series adaptive security appliance also includes the following type:

management: The management interface is a Fast Ethernet interface
designed for management traffic only, and is specified as management0/0.
You can, however, use it for through traffic if desired by deselecting the
Management Only check box when you complete the definition of the
interface after the security contexts are defined and submitted. In transparent
firewall mode, you can use the management interface in addition to the two
interfaces allowed for through traffic. You can also add sub-interfaces to the
management interface to provide management in each security context for
multiple context mode.
Step 6

(Interface) Verify the correct options are selected in the Speed and Duplex list
boxes.

Note

We recommend that you use the auto option to allow the security
appliance to automatically select the correct speed and duplex setting. If
you use a fixed setting and you later change the setting, the interface will
shut down.

Step 7

(Sub-interface) To specify an ID for this sub-interface, enter a value between 1
and 4,294,967,295 in the Sub-interface ID field. Do not include commas in the
value.

Step 8

(Sub-interface) To specify a VLAN ID for the sub-interface, enter a value between
1 and 4094 in the VLAN ID field.
This VLAN ID must not be in use on connected devices.

Step 9

To specify a description for this interface, enter it in the Description field.

Step 10

To accept your changes, click OK.

Step 11

For each physical interface that you want to add, repeat Step 2 through Step 10.

Step 12

Click Save to save your definitions to the Security Manager server.


You must save a new interface definition before you can begin to define another.

Related Topics

Interfaces Page, page L-31

Add/Edit Interface Dialog Box, page L-34

Checklist for Configuring PIX 7.0/ASA Interfaces in Multi Context Mode,
page 15-10


Configuring PIX 6.3 Interfaces


Configuring interfaces in a PIX 6.3 security appliance is straightforward because
it does not support transparent mode, contexts, or sub-interfaces. You are limited
to defining physical and logical interfaces. The number of each type of interface
that you can define varies depending on the appliance model and license type that
you purchased. For more information on the number and type of interfaces that
you can define, see Table 2-6 in the Cisco PIX Firewall and VPN Configuration
Guide, Version 6.3.

Note

A logical interface is similar in many respects to a so-called physical interface.
Both logical and physical interfaces are software objects (the actual physical
object is the network interface card on the PIX security appliance). What is called
the physical interface for the purpose of configuration is a software object that has
both Layer 2 (Data link) and Layer 3 (Network) attributes. Layer 2 attributes
include maximum transmission unit (MTU) size and failover status, while Layer
3 attributes include IP address and security level.
A logical interface has only Layer 3 attributes. As a result, you can issue certain
commands, such as failover link if_name or failover lan interface if_name on a
physical interface that you cannot use with a logical interface. When you disable
a physical interface, all the associated logical interfaces are also disabled. When
you disable a logical interface, it only affects the logical interface.

Procedure
Step 1

Select Interfaces from the Device Policy selector.


The Interfaces page is displayed. For a description of the fields on this page, see
Table L-17 on page L-40.

Step 2

To define a new interface, click the Add Row button.


The Add/Edit Interfaces page appears.

Step 3

To enable the interface, select the Enable Interface check box.


Explicitly enable each interface you are using. All interfaces in a new PIX
Firewall are shut down by default.

Step 4

Specify the name assigned to the interface in the Name field.


By default, the lowest security interface is named outside, while the highest
security interface is named inside.
Step 5

Enter the hardware name for the network interface in the Hardware Port field.
For details about the interface numbering of a specific PIX Firewall model, refer
to the Cisco PIX Firewall Hardware Installation Guide, Version 6.3. If you are
defining a logical interface, select the previously defined physical interface
with which you want to associate this logical interface.

Step 6

Select the method to use for assigning addresses from the IP Type list, and
complete the assignment.

If you select Static IP, you must assign a static IP address and subnet mask
pair that allows the interface to connect to the network to which it is attached.
Firewall interfaces do not have IP addresses until you assign them.

If you select Use DHCP, you must specify whether to obtain the default route
using DHCP and specify the retry count.

If you select Use PPPoE, you must specify whether to obtain the default route
using PPPoE and assign a static IP address and subnet mask pair that allows
the interface to connect to the network to which it is attached.

Note

You can configure DHCP and PPPoE only on the outside interface of a
firewall device. If PPPoE is already in use on the outside interface, that
option is no longer offered.

Step 7

(Physical Interface) Verify the correct option is selected in the Speed and Duplex
list box.

Note

We recommend that you use the auto option to allow the security
appliance to automatically select the correct speed and duplex setting. If
you use a fixed setting and you later change the setting, the interface will
shut down.

Step 8

Specify the maximum transmission unit in the MTU field.

Valid values are 300 to 65535 bytes. The default is 1500 for all types except
PPPoE, for which the default is 1492.

Step 9

(Physical Interface) To specify a VLAN ID for the interface, enter a value between
1 and 4094 in the Physical VLAN ID field.

This VLAN ID must not be in use on connected devices.


Step 10

(Logical Interface) To specify an alias/VLAN ID for this interface, enter a value
between 1 and 4094 in the Logical VLAN ID field.

Step 11

Specify a number from 0 to 100 in the Security Level field.

Outside interface is always 0.

Inside interface is always 100.

DMZ interfaces are between 1 and 99.

Step 12

To accept your changes, click OK.

Step 13

For each interface that you want to define, repeat Step 2 through Step 12.

Step 14

Click Save to save your definitions to the Security Manager server.

Related Topics

Interfaces Page, page L-31

Add/Edit Interface Dialog Box, page L-34

Configuring FWSM Interfaces


The FWSM does not include any external physical interfaces. Instead, it uses
internal VLAN interfaces. For example, you assign VLAN 201 to the FWSM
inside interface, and VLAN 200 to the outside interface. You assign these VLANs
to physical switch ports, and hosts connect to those ports. When communication
occurs between VLANs 201 and 200, the FWSM is the only available path
between the VLANs, forcing traffic to be statefully inspected.
If the FWSM is operating in transparent mode, you can only define two interfaces:
inside and outside. In this mode, the interfaces do not require IP addresses. They
simply use VLAN IDs to switch the inspected traffic.
Routed mode supports up to 256 interfaces per context or in single mode, with a
maximum of 1000 interfaces divided between all contexts. In this mode, each
interface requires an IP address on a different subnet.


Note

Cisco Security Manager does not populate the interface information for FWSM
2.x devices during discovery.
Procedure

Step 1

(Device view) Select Interfaces from the Device Policy selector.


The Interfaces page is displayed. For a description of the fields on this page, see
Table L-22 on page L-51.

Step 2

To define a new interface, click the Add Row button.


The Add/Edit Interfaces page appears.

Step 3

To enable the interface, select the Enable Interface check box.


Explicitly enable each interface you are using.

Step 4

To set this interface to accept traffic to the security appliance only, and not through
traffic, select the Management Only check box.

Step 5

Specify the name assigned to the interface in the Name field.


By default, the lowest security interface is named outside, while the highest
security interface is named inside.

Step 6

(Routed Mode) Specify a static IP address and subnet mask pair that allows the
interface to connect to the network to which it is attached.

Step 7

Specify the maximum transmission unit in the MTU field.


Valid values are 300 to 65535 bytes. Default is 1500.

Step 8

Enter a value from 1 to 4096 in the VLAN ID field.


This VLAN ID must not be in use on connected devices.

Step 9

Specify a number from 0 to 100 in the Security Level field.

Outside interface is always 0.

Inside interface is always 100.

DMZ interfaces are between 1 and 99.

Step 10

To add this interface to an asymmetric routing group, enter the ASR group number
(1-32) in the ASR Group field. Stateful failover must be enabled for asymmetric
routing support to function properly between units in failover configurations.


Step 11

To accept your changes, click OK.

Step 12

For each interface that you want to define, repeat Step 2 through Step 11.

Step 13

Click Save to save your definitions to the Security Manager server.

Related Topics

Interfaces Page, page L-31

Add/Edit Interface Dialog Box, page L-34

Troubleshooting Interfaces
Use the following information to help troubleshoot problems encountered while
configuring interfaces.
Error: Interface IP addresses defined for this device have overlap.
Conditions: Attempting to save changes made to the Interfaces page, such as
manually adding an interface to a firewall device.
Description: Indicates that two or more interfaces defined in this device share an
IP address on the same subnet. Each interface in the device must be attached to a
different network or subnet.
Resolution: Verify that you have entered the correct IP address and subnet mask
values required to identify a unique subnet for each interface.
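The overlap condition behind this error, together with the field constraints from the interface procedures above (security level 0 for outside and 100 for inside, 1 to 99 for DMZ; VLAN IDs 1 to 4094; MTU 300 to 65535; DHCP and PPPoE only on the outside interface), as an added Python example. This is not Security Manager code: the Interface record, the function names and the sample definitions are constructed for the illustration, and the subnet check relies on the standard library ipaddress module.

```python
"""Offline sanity check for a set of firewall interface definitions.

Added example, not part of Cisco Security Manager. It re-implements the
constraints stated in the interface procedure (security levels, VLAN ID and
MTU ranges, DHCP/PPPoE only on outside) and the subnet-overlap condition
behind the "Interface IP addresses defined for this device have overlap"
error, so a definition set can be checked before it is saved.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    security_level: int
    address: Optional[str] = None   # "ip/prefix" or "ip/mask"; None for DHCP or PPPoE
    vlan_id: Optional[int] = None
    mtu: int = 1500
    ip_type: str = "static"         # "static", "dhcp" or "pppoe"


def check_interface(ifc: Interface) -> List[str]:
    """Return the problems found in one interface definition (empty if valid)."""
    problems = []
    # Security level rules from the procedure: outside is 0, inside is 100, DMZ 1-99.
    if not 0 <= ifc.security_level <= 100:
        problems.append(f"{ifc.name}: security level {ifc.security_level} outside 0-100")
    elif ifc.name == "outside" and ifc.security_level != 0:
        problems.append(f"{ifc.name}: outside interface must be security level 0")
    elif ifc.name == "inside" and ifc.security_level != 100:
        problems.append(f"{ifc.name}: inside interface must be security level 100")
    elif ifc.name not in ("inside", "outside") and not 1 <= ifc.security_level <= 99:
        problems.append(f"{ifc.name}: DMZ interface must use security level 1-99")
    # Range given for the Physical/Logical VLAN ID fields.
    if ifc.vlan_id is not None and not 1 <= ifc.vlan_id <= 4094:
        problems.append(f"{ifc.name}: VLAN ID {ifc.vlan_id} outside 1-4094")
    # MTU range; the default differs for PPPoE (1492) but the valid range does not.
    if not 300 <= ifc.mtu <= 65535:
        problems.append(f"{ifc.name}: MTU {ifc.mtu} outside 300-65535")
    # DHCP and PPPoE are only offered on the outside interface.
    if ifc.ip_type in ("dhcp", "pppoe") and ifc.name != "outside":
        problems.append(f"{ifc.name}: {ifc.ip_type.upper()} is only allowed on the outside interface")
    if ifc.ip_type == "static" and ifc.address is None:
        problems.append(f"{ifc.name}: static IP type requires an address and mask")
    return problems


def overlapping_interfaces(ifcs: List[Interface]) -> List[Tuple[str, str]]:
    """Return (name_a, name_b) pairs whose statically assigned subnets overlap.

    This is the condition behind the overlap error: every interface must be
    attached to a different network or subnet.
    """
    nets = [(i.name, IPv4Interface(i.address).network) for i in ifcs if i.address]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def validate_device(ifcs: List[Interface]) -> List[str]:
    """Collect every problem for the whole interface set, overlap included."""
    problems = [p for ifc in ifcs for p in check_interface(ifc)]
    for a, b in overlapping_interfaces(ifcs):
        problems.append(f"Interface IP addresses defined for this device have overlap: {a} and {b}")
    return problems


# Constructed sample: the dmz subnet lies inside the inside /16, and the dmz MTU is too small.
SAMPLE = [
    Interface("outside", 0, "203.0.113.2/255.255.255.0", vlan_id=10),
    Interface("inside", 100, "10.1.0.1/255.255.0.0", vlan_id=20),
    Interface("dmz", 50, "10.1.5.1/255.255.255.0", vlan_id=30, mtu=200),
]

if __name__ == "__main__":
    for line in validate_device(SAMPLE):
        print(line)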

Configuring NAT Policies on Firewall Devices


The NAT section contains pages for defining translation rules and NAT settings
for firewall devices. For more information, see the following topics:

Understanding NAT, page 15-21

Configuring Translation Options, page 15-22

Defining Translation Exemptions (NAT 0 ACL), page 15-23

Defining Simple Dynamic Rules, page 15-24

Defining Policy Dynamic Rules, page 15-25


Defining Static Rules, page 15-26

Viewing Translation Summary, page 15-27

Understanding NAT
Cisco firewall devices support both the Network Address Translation feature,
which provides a globally unique address for each outbound host session, and the
Port Address Translation feature, which provides a single, unique global address
for up to 64,000 simultaneous outbound or inbound host sessions. The global
addresses used for NAT come from a pool of addresses to be used specifically for
address translation. The unique global address that is used for PAT can either be
one global address or the IP address of a given interface.
Cisco firewall devices can perform NAT or PAT in both inbound and outbound
connections. This ability to translate inbound addresses is called Outside NAT
because addresses on the outside, or less secure, interface are translated to a
usable inside IP address. Outside NAT gives you the option to translate an outside
host or network to an inside host or network, and it is sometimes referred to as
bidirectional NAT. Just as when you translate outbound traffic with NAT, you may
choose dynamic NAT, static NAT, dynamic PAT, and static PAT. If necessary, you
may use outside NAT together with inside NAT to translate both the source and
destination IP addresses of a packet.

Defining Address Pools


Use the Address Pools page to view, define new, or delete existing global address
pools used in dynamic NAT rules.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT > Address Pools from the Device Policy selector.

(Policy view) Select NAT (PIX) > Address Pools from the Policy Types
selector. Right-click Address Pools and select New Address Pools Policy to
create a policy, or select an existing policy from the Policies selector.


The Address Pools page is displayed. For a description of the fields on this
page, see Table L-1 on page L-6.
Step 2

For each address pool you want to define:

a.

Click the Add Row button.

The Address Pool dialog box is displayed.

b.

Enter the name of the interface to which this address pool applies.

c.

Enter the pool ID.

d.

Enter the addresses in the pool. You can enter multiple addresses separated
by a comma, address ranges (for example, 192.168.1.1-192.168.1.10), or a
combination of the two.

e.

To enable interface Port Address Translation (PAT), select the Enable
Interface PAT check box.

f.

Click OK.

Step 3

Click Save to save your definitions to the Security Manager server.
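The pool format accepted in step d (comma-separated addresses and ranges) and the dynamic NAT versus dynamic PAT distinction from Understanding NAT, as an added Python model. It is not Security Manager or appliance code: the GlobalPool class, its port numbering (starting at 1024) and the sample addresses are assumptions made for the illustration, and it assumes that once the pool is empty, further hosts are translated with PAT on the interface address when Interface PAT is enabled.

```python
"""Model of a dynamic NAT address pool with interface PAT fallback.

Added example, not Cisco code. It parses a pool in the format the Address
Pool dialog accepts, hands out one global address per inside host (dynamic
NAT: a host keeps its global address for as long as it has sessions) and,
once the pool is exhausted, falls back to port address translation on the
interface address if Interface PAT is enabled. The translation table is an
in-memory dict and the PAT port allocation starting at 1024 is an
assumption of this model, not a documented appliance value.
"""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def parse_pool(spec: str) -> List[IPv4Address]:
    """Expand '192.168.1.1-192.168.1.3, 192.168.1.10' into individual addresses."""
    addrs: List[IPv4Address] = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "-" in item:
            first, last = (IPv4Address(p.strip()) for p in item.split("-", 1))
            if last < first:
                raise ValueError(f"range {item} is reversed")
            addrs.extend(IPv4Address(n) for n in range(int(first), int(last) + 1))
        else:
            addrs.append(IPv4Address(item))
    return addrs


class GlobalPool:
    """Global addresses for one pool ID on one interface, plus optional interface PAT."""

    def __init__(self, spec: str, interface_ip: Optional[str] = None, interface_pat: bool = False):
        self.free = parse_pool(spec)
        self.interface_ip = IPv4Address(interface_ip) if interface_ip else None
        self.interface_pat = interface_pat
        self.nat: Dict[str, IPv4Address] = {}                       # inside host -> global address
        self.pat: Dict[Tuple[str, int], Tuple[IPv4Address, int]] = {}  # (host, port) -> (global, port)
        self.next_port = 1024                                        # assumed first PAT port

    def translate(self, inside_host: str, inside_port: int) -> Tuple[IPv4Address, int]:
        """Return the (global address, port) a new outbound session is mapped to."""
        # Dynamic NAT: reuse the global address already given to this host, else take one.
        if inside_host in self.nat:
            return self.nat[inside_host], inside_port
        if self.free:
            self.nat[inside_host] = self.free.pop(0)
            return self.nat[inside_host], inside_port
        # Pool exhausted: dynamic PAT on the interface address, if enabled.
        if not (self.interface_pat and self.interface_ip):
            raise RuntimeError("global pool exhausted and interface PAT is not enabled")
        key = (inside_host, inside_port)
        if key not in self.pat:
            self.pat[key] = (self.interface_ip, self.next_port)
            self.next_port += 1
        return self.pat[key]

    def release(self, inside_host: str) -> None:
        """Return a host's dynamic NAT address to the pool when its sessions end."""
        addr = self.nat.pop(inside_host, None)
        if addr is not None:
            self.free.append(addr)


def demo() -> List[Tuple[IPv4Address, int]]:
    """Constructed walk-through: two-address pool, three hosts, interface PAT enabled."""
    pool = GlobalPool("203.0.113.10-203.0.113.11", interface_ip="203.0.113.1", interface_pat=True)
    return [
        pool.translate("10.1.1.5", 40000),   # dynamic NAT -> 203.0.113.10
        pool.translate("10.1.1.6", 40001),   # dynamic NAT -> 203.0.113.11
        pool.translate("10.1.1.5", 40002),   # same host, same global address
        pool.translate("10.1.1.7", 40003),   # pool empty -> PAT on 203.0.113.1, port 1024
        pool.translate("10.1.1.7", 40004),   # second session of that host -> port 1025
    ]


if __name__ == "__main__":
    for mapping in demo():
        print(mapping)
```

The model makes the capacity difference visible: each dynamic NAT host consumes a whole pool address, while PAT multiplexes every remaining host onto the single interface address by port, which is why the guide quotes up to 64,000 sessions for one global address.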

Configuring Translation Options


Use the Translation Options page to configure settings that affect network address
translation for a security appliance. These settings apply to all interfaces on the
device.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT > Translation Options from the Device Policy
selector.

(Policy view) Select NAT (PIX) > Translation Options from the Policy
Types selector. Right-click Translation Options and select New Translation
Options Policy to create a policy, or select an existing policy from the
Policies selector.
The Translation Options page is displayed. For a description of the fields on
this page, see Table L-3 on page L-8.


Step 2

To allow traffic to pass through the security appliance without address translation,
select the Enable traffic through the firewall without address translation check
box. If this option is not selected, any traffic that does not match a translation rule
will be dropped.

Note

This option is only available on PIX 7.x, FWSM 3.x, and ASA devices.

Step 3

To allow VPN traffic to pass through the security appliance without address
translation, select the Do not translate VPN traffic check box.

Step 4

Click Save to save your definitions to the Security Manager server.

Defining Translation Exemptions (NAT 0 ACL)


Use the Translation Exemptions (NAT 0 ACL) tab to specify traffic that is exempt
from address translation.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT > Translation Rules from the Device Policy
selector.

(Policy view) Select NAT (PIX) > Translation Rules from the Policy Types
selector. Right-click Translation Rules and select New Translation Rules
Policy to create a policy, or select an existing policy from the Policies
selector.
The Translation Rules page is displayed. For a description of the fields on this
page, see Translation Rules Page, page L-8.

Step 2

Click the Translation Exemptions (NAT 0 ACL) tab.


The Translation Exemptions (NAT 0 ACL) tab displays a table containing the
translation exemption rules defined for this device or shared policy. For a
description of the fields on this page, see Translation Exemptions (NAT 0 ACL)
Tab, page L-9.


Step 3

For each translation exemption rule that you want to define:


a.

Click the Add Row button.


The Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box is
displayed.

b.

Complete the fields in this dialog box. For more information, see Add/Edit
Translation Exemption (NAT-0 ACL) Rule Dialog Box, page L-22.

c.

Click OK.
The Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box closes
and the translation exemption rule is added to the table.

Step 4

Click Save to save your definitions to the Security Manager server.

Defining Simple Dynamic Rules


With dynamic NAT, internal IP addresses are dynamically translated using IP
addresses from a pool of global addresses. With dynamic PAT, internal IP
addresses are translated to a single mapped address by using dynamically
assigned port numbers with the mapped address. Dynamic translations are often
used to map local, RFC 1918 IP addresses to addresses that are Internet-routable.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT > Translation Rules from the Device Policy
selector.

(Policy view) Select NAT (PIX) > Translation Rules from the Policy Types
selector. Right-click Translation Rules and select New Translation Rules
Policy to create a policy, or select an existing policy from the Policies
selector.
The Translation Rules page is displayed. For a description of the fields on this
page, see Translation Rules Page, page L-8.

Step 2

Click the Dynamic Rules tab.


The Dynamic Rules tab displays a table containing the dynamic translation rules
defined for this device or shared policy. For a description of the fields on this
page, see Dynamic Rules Tab, page L-11.
Step 3

For each dynamic rule that you want to define:


a.

Click the Add Row button.


The Add/Edit Dynamic Translation Rule dialog box is displayed.

b.

Complete the fields in this dialog box. For more information, see Add/Edit
Dynamic Translation Rule Dialog Box, page L-24.

c.

Click OK.
The Add/Edit Dynamic Translation Rule dialog box closes and the dynamic
translation rule is added to the table.

Step 4

Click Save to save your definitions to the Security Manager server.

Defining Policy Dynamic Rules


The Policy Dynamic Rules tab allows you to configure dynamic translation rules
based on source and destination addresses/ports.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT > Translation Rules from the Device Policy
selector.

(Policy view) Select NAT (PIX) > Translation Rules from the Policy Types
selector. Right-click Translation Rules and select New Translation Rules
Policy to create a policy, or select an existing policy from the Policies
selector.
The Translation Rules page is displayed. For a description of the fields on this
page, see Translation Rules Page, page L-8.

Step 2

Click the Policy Dynamic Rules tab.


The Policy Dynamic Rules tab displays a table containing the policy dynamic
translation rules defined for this device or shared policy. For a description of the
fields on this page, see Policy Dynamic Rules Tab, page L-13.
Step 3

For each policy dynamic rule that you want to define:


a.

Click the Add Row button.


The Add/Edit Policy Dynamic Rules dialog box is displayed.

b.

Complete the fields in this dialog box. For more information, see Add/Edit
Policy Dynamic Rules Dialog Box, page L-25.

c.

Click OK.
The Add/Edit Policy Dynamic Rules dialog box closes and the policy
dynamic translation rule is added to the table.

Step 4

Click Save to save your definitions to the Security Manager server.

Defining Static Rules


With static translation, internal IP addresses are permanently mapped to a global
IP address. These rules map a host address on a lower security level interface to a
global address on a higher security level interface. For example, a static rule
would be used for mapping the local address of a web server on a perimeter
network to a global address that hosts on the outside interface would use to access
the web server.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT > Translation Rules from the Device Policy
selector.

(Policy view) Select NAT (PIX) > Translation Rules from the Policy Types
selector. Right-click Translation Rules and select New Translation Rules
Policy to create a policy, or select an existing policy from the Policies
selector.
The Translation Rules page is displayed. For a description of the fields on this
page, see Translation Rules Page, page L-8.


Step 2

Click the Static Rules tab.


The Static Rules tab displays a table containing the static translation rules defined
for this device or shared policy. For a description of the fields on this page, see
Static Rules Tab, page L-16.

Step 3

For each static rule that you want to define:


a.

Click the Add Row button.


The Add/Edit Static Rule dialog box is displayed.

b.

Complete the fields in this dialog box. For more information, see Add/Edit
Static Rule Dialog Box, page L-26.

c.

Click OK.
The Add/Edit Static Rule dialog box closes and the static translation rule is
added to the table.

Step 4

Click Save to save your definitions to the Security Manager server.

Viewing Translation Summary


You can view a summary of all translation rules defined for a device or shared
policy. The summary table shows the translation rules in the order in which the
rules are applied on the security appliance.
Procedure
Step 1

Do one of the following:

(Device view) Select NAT > Translation Rules from the Device Policy
selector.

(Policy view) Select NAT (PIX) > Translation Rules from the Policy Types
selector. Right-click Translation Rules and select New Translation Rules
Policy to create a policy, or select an existing policy from the Policies
selector.
The Translation Rules page is displayed. For a description of the fields on this
page, see Translation Rules Page, page L-8.

Step 2

Click the General tab.



The General tab displays a table summarizing all translation rules in order of
consideration. For a description of the fields on this page, see General Tab,
page L-19.
Step 3

Click Save to save your definitions to the Security Manager server.

Configuring Bridging Policies on Firewall Devices


Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that
connect to one of its screened subnets. A transparent firewall, on the other hand,
is a Layer 2 firewall that acts like a bump in the wire, or a stealth firewall, and
is not seen as a router hop to connected devices. The security appliance connects
the same network on its inside and outside ports. Because the firewall is not a
routed hop, you can easily introduce a transparent firewall into an existing
network; IP readdressing is unnecessary.
Maintenance is facilitated because there are no complicated routing patterns to
troubleshoot and no NAT configuration.
Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic,
cannot pass through the security appliance unless you explicitly permit it with an
extended access list. The only traffic allowed through the transparent firewall
without an access list is ARP traffic. ARP traffic can be controlled by ARP
inspection.
In routed mode, some types of traffic cannot pass through the security appliance
even if you allow it in an access list. The transparent firewall, however, can allow
any traffic through using either an extended access list (for IP traffic) or an
EtherType access list (for non-IP traffic).

Note

The transparent mode security appliance does not pass CDP packets.
For example, you can establish routing protocol adjacencies through a transparent
firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an
extended access list. Likewise, protocols like HSRP or VRRP can pass through
the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be
configured to go through using an EtherType access list.


For features that are not directly supported on the transparent firewall, you can
allow traffic to pass through so that upstream and downstream routers can support
the functionality. For example, by using an extended access list, you can allow
DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic
such as that created by IP/TV.
When the security appliance runs in transparent mode, the outgoing interface of a
packet is determined by performing a MAC address lookup instead of a route
lookup. Route statements can still be configured, but they only apply to security
appliance-originated traffic. For example, if your syslog server is located on a
remote network, you must use a static route so the security appliance can reach
that subnet.
Under Bridging, you can customize your transparent firewall by adding static
MAC address entries or enabling ARP inspection, for example.
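The forwarding decision described above (egress chosen by MAC lookup rather than route lookup; ARP passes without an access list; IP passes only with an extended access list; non-IP passes only with an EtherType access list; CDP never passes), as an added Python model that is not appliance code. Frame layout follows Ethernet II with an optional 802.1Q tag; the two access lists are reduced to allow-lists of IP protocol numbers and EtherTypes, flooding an unknown destination MAC to the opposite interface is a simplification of this model, and every MAC address and frame is constructed for the illustration.

```python
"""Forwarding decision of a transparent (Layer 2) firewall, as a model.

Added example, not appliance code. It parses constructed Ethernet II frames,
looks the destination MAC up in a bridge table (instead of a route lookup) to
find the egress interface, and applies the rules from the guide: ARP always
passes, IP needs a matching extended ACL entry, other EtherTypes need an
EtherType ACL entry, and CDP is never forwarded. The ACLs are simplified to
allow-lists; unknown destinations are flooded to the other interface, which
is a simplification of this model.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETH_IP, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100
# CDP rides in LLC/SNAP frames: the EtherType field holds a length (< 0x0600) and
# the SNAP header carries the Cisco OUI 00:00:0c with protocol ID 0x2000.
CDP_SNAP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Tuple[str, str, int, bytes]:
    """Return (dst_mac, src_mac, ethertype, payload); an 802.1Q tag is skipped."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if etype == ETH_VLAN:
        etype, = struct.unpack("!H", payload[2:4])   # EtherType follows the 2-byte TCI
        payload = payload[4:]
    return _fmt_mac(dst), _fmt_mac(src), etype, payload


def build_frame(dst: str, src: str, etype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Assemble a constructed Ethernet II frame, optionally 802.1Q tagged."""
    head = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        head += struct.pack("!HH", ETH_VLAN, vlan)
    return head + struct.pack("!H", etype) + payload


class TransparentFirewall:
    def __init__(self, mac_table: Dict[str, str], ip_acl: Set[int], ethertype_acl: Set[int]):
        self.mac_table = mac_table            # learned MAC -> interface name
        self.ip_acl = ip_acl                  # permitted IP protocol numbers (extended ACL)
        self.ethertype_acl = ethertype_acl    # permitted non-IP EtherTypes (EtherType ACL)

    def decide(self, frame: bytes, ingress: str) -> Tuple[str, str]:
        """Return ('forward', egress_interface) or ('drop', reason)."""
        dst, _src, etype, payload = parse_frame(frame)
        if etype < 0x0600 and payload[:8] == CDP_SNAP:
            return "drop", "CDP is not passed in transparent mode"
        if etype == ETH_ARP:
            allowed = True                                  # ARP needs no access list
        elif etype == ETH_IP:
            allowed = payload[9] in self.ip_acl             # IPv4 header byte 9 = protocol
        else:
            allowed = etype in self.ethertype_acl           # non-IP: EtherType ACL
        if not allowed:
            return "drop", f"no access list entry for EtherType 0x{etype:04x}"
        # Egress comes from the MAC table, not a route lookup.
        egress = self.mac_table.get(dst)
        if egress is None:                                  # model simplification: flood
            egress = "outside" if ingress == "inside" else "inside"
        return "forward", egress


# Minimal constructed IPv4 headers (20 bytes) carrying TCP (6) and UDP (17).
IPV4_TCP = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6]) + bytes(10)
IPV4_UDP = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17]) + bytes(10)
INSIDE_HOST, OUTSIDE_HOST = "00:00:5e:00:53:01", "00:00:5e:00:53:02"


def demo() -> List[Tuple[str, str]]:
    """Constructed frames through a firewall that permits TCP and MPLS unicast only."""
    fw = TransparentFirewall(
        mac_table={INSIDE_HOST: "inside", OUTSIDE_HOST: "outside"},
        ip_acl={6},                 # extended ACL: permit tcp
        ethertype_acl={0x8847},     # EtherType ACL: permit MPLS unicast
    )
    return [
        fw.decide(build_frame(OUTSIDE_HOST, INSIDE_HOST, ETH_ARP, bytes(28)), "inside"),
        fw.decide(build_frame(OUTSIDE_HOST, INSIDE_HOST, ETH_IP, IPV4_TCP, vlan=10), "inside"),
        fw.decide(build_frame(INSIDE_HOST, OUTSIDE_HOST, ETH_IP, IPV4_UDP), "outside"),
        fw.decide(build_frame(OUTSIDE_HOST, INSIDE_HOST, 0x8847, bytes(4)), "inside"),
        fw.decide(build_frame(OUTSIDE_HOST, INSIDE_HOST, 0x8137, bytes(4)), "inside"),   # IPX
        fw.decide(build_frame("01:00:0c:cc:cc:cc", INSIDE_HOST, 0x0030, CDP_SNAP + bytes(40)), "inside"),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```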
Prerequisites

To change the mode from routed to transparent, access the security appliance CLI
and enter the firewall transparent command (in the system execution space in
multiple context mode). To change from transparent to routed, enter the no
firewall transparent command.
When you change modes, the security appliance clears the configuration because
many commands are not supported for both modes. If you already have a
populated configuration, be sure to back up your configuration before changing
the mode; you can use this backup for reference when you create your
configuration.
If you download a text configuration to the security appliance that changes the
mode with the firewall transparent command, be sure to put the command at the
top of the configuration; the security appliance changes the mode as soon as it
reads the command and then continues reading the configuration you
downloaded. If the command is later in the configuration, the security appliance
clears all the preceding lines in the configuration.
For more information, see Bridging, page L-65.

Bridging Support for FWSM 3.1


Although FWSM 3.1 can support multiple L2 interface pairs, Security Manager
allows you to specify no more than two L2 interfaces (a single interface pair)
and one associated management IP address. That means only one bridge group
with two named interfaces associated is provisioned with a management IP
address. A named interface is one that is configured with the nameif
subcommand. If the device configuration contains a maximum of one bridge
group and two named interfaces, it is valid for discovery. All other scenarios result
in an error message and the commands are ignored during discovery. Furthermore,
discovery will not show any bridge-group information in the Security Manager
user interface although the bridge-group commands will be generated during
deploy. Bridge group 1 will be deployed and used in transparent rule policies if
no bridge group exists in the device configuration.

Configuring Device Administration Policies on Firewall Devices

The Device Administration section contains pages for configuring device
administration policies for firewall devices. For more information, see the
following topics:

Configuring AAA, page 15-31

Configuring Banners, page 15-37

Configuring Boot Image and Configuration Settings, page 15-39

Configuring Clock Settings, page 15-40

Configuring Contact Credentials, page 15-42

Configuring Device Access Settings on Firewall Devices, page 15-43


Configuring Console Timeout, page 15-44
Configuring HTTP, page 15-45
Configuring ICMP, page 15-46
Configuring Management Access, page 15-48
Configuring Secure Shell, page 15-49
Configuring SNMP, page 15-50
Configuring Telnet, page 15-54

Configuring Failover, page 15-55

Configuring Hostname Settings, page 15-62


Configuring Resources on Firewall Services Modules, page 15-63

Configuring Server Access Settings on Firewall Devices, page 15-64


Configuring AUS Settings, page 15-64
Configuring DHCP Relay, page 15-66
Configuring DHCP Servers, page 15-68
Configuring DNS, page 15-70
Configuring NTP Settings, page 15-72
Configuring SMTP Servers, page 15-73
Configuring TFTP Servers, page 15-74

Configuring User Accounts, page 15-75

Configuring AAA
AAA enables the security appliance to determine who the user is (authentication),
what the user can do (authorization), and what the user did (accounting). You can
use authentication alone or with authorization and accounting. Authorization
always requires a user to be authenticated first. You can use accounting alone, or
with authentication and authorization.

Understanding AAA
AAA provides an extra level of protection and control for user access than using
access lists alone. For example, you can create an ACL that allows all outside
users to access Telnet on a server on the DMZ network. If you want only some
users to access the server and you might not always know IP addresses of these
users, you can enable AAA to allow only authenticated and/or authorized users to
make it through the security appliance. (The Telnet server enforces
authentication, too; the security appliance prevents unauthorized users from
attempting to access the server.)
The following list describes the elements that make up AAA:

About Authentication: Authentication grants access based on user identity.
Authentication establishes user identity by requiring valid user credentials,
which are typically a username and password. You can configure the security
appliance to authenticate the following items:
Administrative connections to the security appliance using telnet, SSH,
HTTPS/ASDM, or serial.

The enable command

About Authorization: Authorization controls access per user after users
authenticate. Authorization controls the services and commands available to
each authenticated user. Were you not to enable authorization, authentication
alone would provide the same access to services for all authenticated users.
If you need the control that authorization provides, you can configure a broad
authentication rule, and then have a detailed authorization configuration. For
example, you authenticate inside users who attempt to access any server on
the outside network and then limit the outside servers that a particular user
can access using authorization.
The security appliance caches the first 16 authorization requests per user, so
if the user accesses the same services during the current authentication
session, the security appliance does not resend the request to the
authorization server.

About Accounting: Accounting tracks traffic that passes through the
security appliance, enabling you to have a record of user activity. If you
enable authentication for that traffic, you can account for traffic per user. If
you do not authenticate the traffic, you can account for traffic per IP address.
Accounting information includes when sessions start and stop, username, the
number of bytes that pass through the security appliance for the session, the
service used, and the duration of each session.

Preparing for AAA


AAA services depend upon the use of the LOCAL database or at least one AAA
server. You can also use the LOCAL database as a fallback for most services
provided by a AAA server. Before you implement AAA, you should configure the
LOCAL database and configure AAA server groups and servers.
How you configure the LOCAL database and AAA servers depends upon the
AAA services you want the security appliance to support. Regardless of whether
you use AAA servers, you should configure the LOCAL database with user
accounts that support administrative access, to prevent accidental lockouts and, if
so desired, to provide a fallback method when AAA servers are unreachable. For
more information, see Configuring User Accounts, page 15-75.


Table 15-3 provides a summary of AAA service support by each AAA server type
and by the LOCAL database. You manage the LOCAL database by configuring
user profiles on the Platform > Device Admin > User Accounts page (see
Configuring User Accounts, page 15-75). You establish AAA server groups and
add individual AAA servers to the server groups using the Platform > Device
Admin > AAA page.
Table 15-3   Summary of AAA Support

                        Database Type
AAA Service             Local   RADIUS  TACACS+  SDI   NT    Kerberos  LDAP  HTTP Form
Authentication of...
  VPN users             Yes     Yes     Yes      Yes   Yes   Yes       Yes   Yes(1)
  Firewall sessions     Yes     Yes     Yes      No    No    No        No    No
  Administrators        Yes     Yes     Yes      No    No    No        No    No
Authorization of...
  VPN users             Yes     Yes     No       No    No    No        Yes   No
  Firewall sessions     No      Yes(2)  Yes      No    No    No        No    No
  Administrators        Yes(3)  No      Yes      No    No    No        No    No
Accounting of...
  VPN connections       No      Yes     Yes      No    No    No        No    No
  Firewall sessions     No      Yes     Yes      No    No    No        No    No
  Administrators        No      Yes     Yes      No    No    No        No    No

1. HTTP Form protocol supports single-sign on authentication for WebVPN users only.
2. For firewall sessions, RADIUS authorization is supported with user-specific ACLs only, which are received or specified in a
RADIUS authentication response.
3. Local command authorization is supported by privilege level only.

LOCAL Database
The security appliance maintains a local database that you can populate with user
profiles.


User Profiles: User profiles contain, at a minimum, a username. Typically,
you assign a password to each username, although passwords are optional.
User profiles can also specify VPN access policy per user. You can manage
user profiles on the Platform > Device Admin > User Accounts page (see
Configuring User Accounts, page 15-75).

Fallback Support: The local database can act as a fallback method for
console and enable password authentication, for command authorization, and
for VPN authentication and authorization. This behavior is designed to help
you prevent accidental lockout from the security appliance. For users who
need fallback support, we recommend that their usernames and passwords in
the local database match their usernames and passwords in the AAA servers.
This provides transparent fallback support. Because the user cannot
determine whether a AAA server or the local database is providing the
service, using usernames and passwords on AAA servers that are different
than the usernames and passwords in the local database means that the user
cannot be certain which username and password should be given.
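The fallback behaviour described here, together with the per-user authorization cache from About Authorization (the first 16 authorization requests per user are cached), as an added Python model that is not appliance code. The servers, users, the PBKDF2 credential store and the "first reachable server in the group" selection are constructed stand-ins; the point the model makes is that the LOCAL database is consulted only when every server in the group is unreachable, never when a reachable server rejects the credentials.

```python
"""AAA server-group fallback and per-user authorization caching, modelled.

Added example, not appliance code. Two behaviours from the guide are shown:
the LOCAL database is used only when the whole server group is unreachable
(a reject from a reachable server is final), and the first 16 authorization
results per user are cached so repeated requests for the same service in a
session are not resent. Server reachability and the credential store are
in-memory stand-ins built for this illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

MAX_CACHED_AUTHZ = 16   # "caches the first 16 authorization requests per user"
PBKDF2_ROUNDS = 50_000  # constructed value for the stand-in credential store


class ServerUnreachable(Exception):
    """No server answered; the only condition under which LOCAL fallback applies."""


class AAAServer:
    """One server (or the LOCAL database): salted password hashes and permitted services."""

    def __init__(self, users: Dict[str, str], services: Dict[str, Set[str]], reachable: bool = True):
        self.reachable = reachable
        self.services = services
        self.creds = {u: self._hash(p, os.urandom(16)) for u, p in users.items()}

    @staticmethod
    def _hash(password: str, salt: bytes) -> Tuple[bytes, bytes]:
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def authenticate(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise ServerUnreachable
        # Unknown users still cost one hash so timing does not reveal valid usernames.
        salt, digest = self.creds.get(user, self._hash("", b"\0" * 16))
        return user in self.creds and hmac.compare_digest(digest, self._hash(password, salt)[1])

    def authorize(self, user: str, service: str) -> bool:
        if not self.reachable:
            raise ServerUnreachable
        return service in self.services.get(user, set())


class AAAClient:
    def __init__(self, group: List[AAAServer], local: AAAServer, use_local_fallback: bool):
        self.group = group                     # ordered AAA server group
        self.local = local                     # LOCAL database
        self.use_local_fallback = use_local_fallback
        self.authz_cache: Dict[str, Dict[str, bool]] = {}
        self.server_queries = 0                # authorization requests actually sent

    def _backend(self) -> AAAServer:
        for server in self.group:
            if server.reachable:
                return server
        if not self.use_local_fallback:
            raise ServerUnreachable
        return self.local                      # every group member is down: fall back

    def authenticate(self, user: str, password: str) -> Tuple[bool, str]:
        """Return (accepted, source). A reject from a reachable server never falls back."""
        backend = self._backend()
        return backend.authenticate(user, password), ("LOCAL" if backend is self.local else "group")

    def authorize(self, user: str, service: str) -> bool:
        cache = self.authz_cache.setdefault(user, {})
        if service in cache:
            return cache[service]
        decision = self._backend().authorize(user, service)
        self.server_queries += 1
        if len(cache) < MAX_CACHED_AUTHZ:
            cache[service] = decision          # only the first 16 per user are kept
        return decision


def demo() -> dict:
    """Constructed scenario: a one-server group plus a LOCAL database with a backup admin."""
    remote = AAAServer({"alice": "Tr0ub4dor"}, {"alice": {"show", "configure"}})
    local = AAAServer({"alice": "Tr0ub4dor", "admin": "backup-pw"}, {"admin": {"show"}})
    client = AAAClient([remote], local, use_local_fallback=True)
    out = {}
    out["good_password"] = client.authenticate("alice", "Tr0ub4dor")      # (True, "group")
    out["bad_password"] = client.authenticate("alice", "wrong")           # (False, "group"): no fallback
    for i in range(20):                                                   # 20 distinct services
        client.authorize("alice", f"service{i}")
    client.authorize("alice", "service0")                                 # answered from cache
    out["queries_after_cache_hit"] = client.server_queries                # still 20
    client.authorize("alice", "service19")                                # 17th+ were not cached
    out["queries_after_uncached"] = client.server_queries                 # 21
    remote.reachable = False
    out["fallback"] = client.authenticate("admin", "backup-pw")           # (True, "LOCAL")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keeping the LOCAL account set in step with the server accounts, as the guide recommends, is what makes the "group" and "LOCAL" sources above indistinguishable to the user; the model also shows why an unreachable server group, not a failed login, is the only path into the fallback.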

AAA for Device Administration


You can authenticate all administrative connections to the security appliance,
including:

Telnet

SSH

Serial console

ASDM

VPN management access

You can also authenticate administrators who attempt to enter enable mode. You
can authorize administrative commands. You can have accounting data for
administrative sessions and for commands issued during a session sent to an
accounting server.
You can configure AAA for device administration using the Platform > Device
Admin > AAA page (see Defining AAA Policies, page 15-35).


AAA for Network Access


You can configure rules for authenticating, authorizing, and accounting for traffic
passing through the firewall by using the Firewall > AAA Rules page (see
Working with AAA Rules, page 12-89). The rules you create are similar to access
rules, except that they specify whether to authenticate, authorize, or perform
accounting for the traffic defined, and which AAA server group the security
appliance is to use to process the AAA service request.

AAA for VPN Access


AAA services for VPN access include the following:

User account settings for assigning users to VPN groups, configured on the
Platform > Device Admin > User Accounts page (see Configuring User
Accounts, page 15-75).

VPN group policies that can be referenced by many user accounts or tunnel
groups, configured on the Remote Access VPN > RA VPN Policies >
User Group Policy or Site to Site VPN > User Group Policy page.

Tunnel group policies, configured on the Remote Access VPN >
RA VPN Policies > PIX7.0/ASA Tunnel Group Policy or
Site to Site VPN > PIX7.0/ASA Tunnel Group Policy page.

Defining AAA Policies


Use the following procedure to define the AAA settings for a device or shared
policy.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > AAA from the Device
Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA
from the Policy Types selector. Right-click AAA and select New AAA Policy
to create a policy, or select an existing policy from the Policies selector.
The AAA page is displayed. For a description of the fields on this page, see
AAA Page, page L-75.

Step 2

Click the Authentication tab.

Step 3

To require AAA authentication for privileged commands:

a. Select the Enable check box under Require AAA Authentication to allow use of privileged commands.

b. Enter the name of the AAA server group to use for authentication or click Select to select from a list.

c. To use the local database as a fallback method for privileged command authentication, select the Use LOCAL when server group fails check box.

Step 4

To require AAA authentication for HTTP, serial, SSH, or Telnet access to the security appliance:

a. Select the check box next to the type of device access you want to authenticate (HTTP, Serial, SSH, or Telnet).

b. Enter the name of the AAA server group to use for authentication or click Select to select from a list.

c. To use the local database as a fallback method for authentication of this device access, select the Use LOCAL when server group fails check box.

Step 5

Enter the prompt you want users to see when authentication takes place in the
Login Prompt box.

Step 6

Enter the messages you want users to see when accepted or rejected in the
corresponding boxes.

Step 7

Click the Authorization tab.

Step 8

To require AAA authorization for command access:

a. Select the Enable Authorization for Command Access check box.

b. Enter the name of the AAA server group to use for authorization or click Select to select from a list.

c. To use the local database as a fallback method for command authorization, select the Use LOCAL when server group fails check box.

Step 9

Click the Accounting tab.

Step 10

To require AAA accounting for privileged commands:

a. Select the Enable check box under Require AAA Accounting for privileged commands.

b. Enter the name of the AAA server group to use for accounting or click Select to select from a list.

Step 11

To require AAA accounting for HTTP, serial, SSH, or Telnet access to the security appliance:

a. Select the check box next to the type of device access for which you want accounting enabled (HTTP, Serial, SSH, or Telnet).

b. Enter the name of the AAA server group to use for accounting or click Select to select from a list.

Step 12

To require AAA accounting for command access:

a. Select the Enable check box under Require Accounting for command access.

b. Enter the name of the AAA server group to use for accounting or click Select to select from a list.

c. Select the minimum privilege level that must be associated with a command for an accounting record to be generated.

Step 13

Click Save to save your definitions to the Security Manager server.

Related Topics

AAA Page, page L-75

Configuring User Accounts, page 15-75

Configuring Banners
You can use the Banner page to specify the Session (exec), Login, and
Message-of-the-Day (motd) banners for a firewall device or shared policy.
If you use the tokens $(hostname) or $(domain), they are replaced with the
hostname and domain name of the security appliance. When you enter the
$(system) token in a context configuration, the context uses the banner configured
in the system configuration.
Spaces in the text are preserved; however, tabs cannot be entered. Multiple lines
in a banner are handled by entering a line of text for each line you wish to add.
Each line is then appended to the end of the existing banner. If the text is empty,
then a carriage return (CR) will be added to the banner.


There is no limit on the length of a banner other than RAM and Flash memory
limits. You can only use ASCII characters, including new line (the Enter key,
which counts as two characters). When accessing the security appliance through
Telnet or SSH, the session closes if there is not enough system memory available
to process the banner messages or if a TCP write error occurs when attempting to
display the banner messages.
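An added example, not Security Manager or security appliance code, that applies the banner rules just described: one entry per line, token substitution, rejection of tabs and non-ASCII text, and CR LF line endings (the reason the Enter key counts as two characters). It assumes that $(system) typed outside a context configuration is left as entered; the hostname, domain and banner text are constructed samples.

```python
import re
from typing import List, Optional

# Tokens the Banner page expands. $(system) is meaningful inside a context
# configuration, where it pulls in the banner from the system configuration.
TOKEN_RE = re.compile(r"\$\((hostname|domain|system)\)")

class BannerError(ValueError):
    """Raised for text the Banner page will not accept."""

def line_problem(line: str) -> Optional[str]:
    """Return why a line is unacceptable, or None if it is fine."""
    if "\t" in line:
        return "tabs cannot be entered in a banner"
    if not all(ord(c) < 128 for c in line):
        return "only ASCII characters are allowed"
    return None

def build_banner(lines: List[str], hostname: str, domain: str,
                 system_banner: Optional[str] = None) -> str:
    """Assemble one banner (exec, login or motd) from the lines entered.

    Each entry is appended as its own line; an empty entry contributes only
    the line break.  Lines end in CR LF, so each newline costs two characters
    of the banner's length.
    """
    rendered = []
    for line in lines:
        problem = line_problem(line)
        if problem:
            raise BannerError(problem)

        def expand(m: "re.Match") -> str:
            token = m.group(1)
            if token == "hostname":
                return hostname
            if token == "domain":
                return domain
            # $(system): the context uses the system configuration's banner;
            # outside a context the token is left as typed (assumption).
            return system_banner if system_banner is not None else m.group(0)

        rendered.append(TOKEN_RE.sub(expand, line))
    return "".join(r + "\r\n" for r in rendered)

if __name__ == "__main__":
    # Constructed sample: a login banner for a hypothetical appliance fw1.
    text = build_banner(["Host: $(hostname).$(domain)", "", "Authorized use only"],
                        "fw1", "example.test")
    print(repr(text), len(text))
```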
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Banner from the Device
Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner
from the Policy Types selector. Right-click Banner and select New Banner
Policy to create a policy, or select an existing policy from the Policies
selector.
The Banner page is displayed. For a description of the fields on this page, see
Table L-39 on page L-82.

Step 2

Enter the text that you want the system to display as a banner before displaying
the enable prompt in the Session(exec) Banner box.

Step 3

Enter the text that you want the system to display as a banner before the password
login prompt when accessing the security appliance using Telnet in the Login
Banner box.

Step 4

Enter the text that you want the system to display as a message-of-the-day banner
in the Message-of-the-Day (motd) Banner box.

Step 5

To replace a banner, change the contents of the appropriate box.

Step 6

To clear a banner, clear the contents of the appropriate box.

Step 7

Click Save to save your definitions to the Security Manager server.

Related Topics

Banner Page, page L-81


Configuring Boot Image and Configuration Settings


Boot Image/Configuration lets you choose which image file a security appliance
running PIX 7.x or later will boot from, as well as which configuration file it will
use at startup.
You can specify up to four local binary image files for use as the startup image,
and one image located on a TFTP server for the device to boot from. If you specify
an image located on a TFTP server, it must be first in the list. In the event the
device cannot reach the tftp server to load the image from, it will attempt to load
the next image file in the list located in Flash.
If you do not specify any boot variable, the first valid image on internal flash will
be chosen to boot the system.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Boot
Image/Configuration from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot
Image/Configuration from the Policy Types selector. Right-click Boot
Image/Configuration and select New Boot Image/Configuration Policy to
create a policy, or select an existing policy from the Policies selector.
The Boot Image/Configuration page is displayed. For a description of the
fields on this page, see Table L-40 on page L-84.

Step 2

Enter the URL of the configuration file to use when the system is loaded. For
syntax information, see Table L-40 on page L-84.

Step 3

Enter the path to the ASDM image file on the security appliance, for example,
flash:/asdm. For syntax information, see Table L-40 on page L-84.

Step 4

For each system image file that you want to add, edit, or delete, do one of the
following:

To add a system image file to the Boot Images table, click Add Row to
display the Images dialog box, and then proceed to Step 5.

To edit a system image file, select the entry and click Edit Row to display the
Images dialog box, and then proceed to Step 5.


To delete a system image file from the Boot Images table, select the entry and
click Delete Row. Proceed to Step 6.

Step 5

Enter the URL of the system image file to use when the system is loaded, and then
click OK. For syntax information, see Images Dialog Box, page L-85.

Step 6

To move a system image file up or down in the table, select the row for that image
file and then click the Up Arrow or Down Arrow buttons as necessary.

Step 7

Click Save to save your definitions to the Security Manager server.

Related Topics

Boot Image/Configuration Page, page L-83

Configuring Clock Settings


The Clock page lets you manually set the date and time for the security appliance.

Note

In multiple context mode, set the time in the system configuration only.
To dynamically set the time using an NTP server, see Configuring NTP Settings,
page 15-72; time derived from an NTP server overrides any time set manually on
the Clock page.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Clock from the Device
Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock
from the Policy Types selector. Right-click Clock and select New Clock
Policy to create a policy, or select an existing policy from the Policies
selector.
The Clock page is displayed. For a description of the fields on this page, see
Table L-42 on page L-87.


Step 2

Select the time zone for this device in the Device Time Zone list box.

Step 3

If daylight savings time does not apply to this device, select None, and then go to
Step 6.

Step 4

To specify daylight savings time using a start and end date:

a. Select Set by Date.

b. Click the Calendar button under Start to pick the date on which daylight savings time begins.

c. Select the hour and minute that daylight savings time begins using the drop-down list boxes.

d. Click the Calendar button under End to pick the date on which daylight savings time ends.

e. Select the hour and minute that daylight savings time ends using the drop-down list boxes.

Step 5

To specify daylight savings time using a specific day of the year (for example, the first Sunday in August):

a. To specify that daylight savings time occurs on the same days every year, select the Specify Recurring Time check box.

b. Select the month in which daylight savings time begins in the Month drop-down list box under Start.

c. Select the number that corresponds to the week in which daylight savings time begins in the Week drop-down list box under Start.

d. Select the day of the week on which daylight savings time begins in the Weekday drop-down list box under Start.

e. Select the hour at which daylight savings time begins in the Hour drop-down list box under Start.

f. Select the minute at which daylight savings time begins in the Minute drop-down list box under Start.

g. Select the month in which daylight savings time ends in the Month drop-down list box under End.

h. Select the number that corresponds to the week in which daylight savings time ends in the Week drop-down list box under End.

i. Select the day of the week on which daylight savings time ends in the Weekday drop-down list box under End.

j. Select the hour at which daylight savings time ends in the Hour drop-down list box under End.

k. Select the minute at which daylight savings time ends in the Minute drop-down list box under End.

Step 6

Click Save to save your definitions to the Security Manager server.
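An added example, not Security Manager or security appliance code, showing what a recurring entry resolves to: the month, week number and weekday chosen under Start and End are turned into concrete dates for a given year, and a timestamp can be tested against the resulting window (a mis-set window is a common reason device log times disagree with the AAA or syslog server). It assumes that week 5 means the last such weekday of the month (the page only says the Week box takes the week number); the rules, years and times used are constructed samples.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

# Monday -> 0 ... Sunday -> 6, matching datetime.weekday()
WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}

@dataclass(frozen=True)
class RecurringRule:
    """One half (Start or End) of a Specify Recurring Time entry."""
    month: int      # 1..12
    week: int       # 1..4 = that week of the month; 5 = last (assumption)
    weekday: str    # e.g. "Sunday"
    hour: int
    minute: int

def rule_datetime(rule: RecurringRule, year: int) -> datetime:
    """The concrete local date and time the rule denotes in `year`."""
    wd = WEEKDAYS[rule.weekday]
    if rule.week == 5:
        # last occurrence: walk backwards from the final day of the month
        last_day = calendar.monthrange(year, rule.month)[1]
        d = datetime(year, rule.month, last_day)
        while d.weekday() != wd:
            d -= timedelta(days=1)
    else:
        # n-th occurrence: first such weekday, then whole weeks forward
        first = datetime(year, rule.month, 1)
        offset = (wd - first.weekday()) % 7
        d = first + timedelta(days=offset + 7 * (rule.week - 1))
    return d.replace(hour=rule.hour, minute=rule.minute)

def is_dst(when: datetime, start: RecurringRule, end: RecurringRule) -> bool:
    """True when `when` falls inside the recurring daylight-savings window.
    A window that ends before it starts (southern hemisphere) wraps the year."""
    s = rule_datetime(start, when.year)
    e = rule_datetime(end, when.year)
    if s <= e:
        return s <= when < e
    return when >= s or when < e

def is_dst_at(iso_timestamp: str, start: RecurringRule, end: RecurringRule) -> bool:
    """Same check for an ISO 8601 string such as '2024-08-15T12:00:00'."""
    return is_dst(datetime.fromisoformat(iso_timestamp), start, end)

# Constructed sample rules: the page's own "first Sunday in August" as the
# start, the last Sunday in October at 02:00 as the end.
FIRST_SUNDAY_AUGUST = RecurringRule(8, 1, "Sunday", 2, 0)
LAST_SUNDAY_OCTOBER = RecurringRule(10, 5, "Sunday", 2, 0)

if __name__ == "__main__":
    for year in (2024, 2025):
        print(year, rule_datetime(FIRST_SUNDAY_AUGUST, year).date(),
              rule_datetime(LAST_SUNDAY_OCTOBER, year).date())
```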

Related Topics

Clock Page, page L-86

Configuring Contact Credentials


You can use the Contact Credentials page to specify the future contact settings
that Security Manager should use when contacting a device. You can also use the
Contact Credentials page to change the login password and the enable password
on a device.
The login password lets you access EXEC mode if you connect to the security
appliance using a Telnet or SSH session. (If you configure user authentication for
Telnet or SSH access, then each user has their own password, and this login
password is not used.)
The enable password lets you access privileged EXEC mode after you log in. (If
you configure user authentication for enable access, then each user has their own
password, and this enable password is not used.)
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Contact Credentials from
the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Contact
Credentials from the Policy Types selector. Right-click Contact Credentials
and select New Contact Credentials Policy to create a policy, or select an
existing policy from the Policies selector.
The Contact Credentials page is displayed. For a description of the fields on
this page, see Table L-43 on page L-89.


Step 2

To change the contact username and password:

a. Select the Change the contact username and password check box. The Username and Password fields become enabled.

b. Enter the username to use for logging in to the device.

c. Enter the password for logging in to the device.

d. Reenter the password for logging in to the device.

e. Select the privilege level of the user logging in to the device.

Step 3

To change the enable password:

a. Select the Change the enable password check box. The Enable Password fields become enabled.

b. Enter the enable password.

c. Reenter the enable password.

Step 4

To change the Telnet/SSH password:

a. Select the Change the TELNET/SSH password check box. The Telnet Password fields become enabled.

b. Enter the new login password.

c. Reenter the login password.

Step 5

Click Save to save your definitions to the Security Manager server.

Related Topics

Credentials Page, page L-88

Configuring Device Access Settings on Firewall Devices


The Device Access section contains pages for defining access to firewall devices.
For more information, see the following topics:

Configuring Console Timeout, page 15-44

Configuring HTTP, page 15-45

Configuring ICMP, page 15-46


Configuring Management Access, page 15-48

Configuring Secure Shell, page 15-49

Configuring SNMP, page 15-50

Configuring Telnet, page 15-54

Configuring Console Timeout


You can use the Console page to specify the timeout settings for a console session.
The firewall device uses the console timeout setting to close inactive sessions.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Console
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > Console from the Policy Types selector. Right-click Console and
select New Console Policy to create a policy, or select an existing policy from
the Policies selector.
The Console page is displayed. For a description of the fields on this page,
see Table L-45 on page L-91.

Step 2

Enter the number of minutes (0-60) a console session can remain idle before the
firewall device closes it. The default timeout is 0, which means the console will
not time out.

Step 3

Click Save to save your definitions to the Security Manager server.

Related Topics

Console Page, page L-91


Configuring HTTP
The HTTP page provides a table that specifies the addresses of all the hosts or
networks that are allowed access to the firewall device using HTTPS. You can use
this table to add or change the hosts or networks that are allowed access.
The HTTP page also displays information about HTTP redirection and HTTPS
user certificate requirements for interfaces on the firewall device. You can use this
table to change the entries for HTTP redirection and HTTPS user certificate
requirements.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > HTTP
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > HTTP from the Policy Types selector. Right-click HTTP and select
New HTTP Policy to create a policy, or select an existing policy from the
Policies selector.
The HTTP page is displayed. For a description of the fields on this page, see
Table L-46 on page L-92.

Step 2

Do one of the following:

To add an HTTP entry, click Add Row to display the HTTP Configuration
dialog box, and then proceed to Step 3.

To edit an HTTP entry, select the entry and click Edit Row to display the
HTTP Configuration dialog box, and then proceed to Step 3.

To delete an HTTP entry, select the entry and click Delete Row. Proceed to
Step 7.

Step 3

Enter the name of the interface from which administrative access to the security
appliance is allowed. You can click Select to select the interface from a list.

Step 4

Enter the IP address and netmask of the host or network that is permitted to
connect to this security appliance through the specified interface. The default
netmask is 255.255.255.255 regardless of class.


Note

To limit access to a single IP address, use 255.255.255.255. Do not use the subnetwork mask of the internal network.

Step 5

To require authentication via certificate from users who are establishing HTTPS
connections, select the Enable Authentication Certificate check box.

Step 6

To enable HTTP redirect, enter the number of the port the security appliance
listens on for HTTP requests, which it then redirects to HTTPS. To disable HTTP
redirect, ensure that this field is blank.

Step 7

To enable the HTTP server on the security appliance, select the Enable HTTP
Server check box.

Step 8

Click Save to save your definitions to the Security Manager server.

Related Topics

HTTP Page, page L-92

Configuring ICMP
The ICMP page provides a table that lists the ICMP rules, which specify the
addresses of all hosts or networks that are allowed or denied ICMP access to the
firewall device. You can use this table to add or change the hosts or networks that
are allowed or prevented from sending ICMP messages to the firewall device.
The ICMP rule list controls ICMP traffic that terminates on any firewall device
interface. If no ICMP control list is configured, the firewall device accepts all
ICMP traffic that terminates at any interface, including the outside interface.
However, by default, the firewall device does not respond to ICMP echo requests
directed to a broadcast address.
It is recommended that permission is always granted for the ICMP unreachable
message type (type 3). Denying ICMP unreachable messages disables ICMP Path
MTU discovery, which can halt IPsec and PPTP traffic. See RFC 1195 and RFC
1435 for details about Path MTU Discovery.
If an ICMP control list is configured, the firewall device uses a first match to the
ICMP traffic followed by an implicit deny all. That is, if the first matched entry is
a permit entry, the ICMP packet continues to be processed. If the first matched
entry is a deny entry or an entry is not matched, the firewall device discards the
ICMP packet and generates a syslog message. An exception is when an ICMP
control list is not configured; in that case, a permit statement is assumed.
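An added example that walks an ICMP control list the way the paragraphs above describe: first match, then implicit deny, with the default host mask 255.255.255.255 applied to an entry given without a netmask (the same convention the HTTP and Secure Shell pages use for their host entries). This is illustration code, not Security Manager or security appliance code; it assumes that rules are evaluated per interface and that an interface with no rules configured accepts all ICMP. The interface names and addresses are constructed samples. The shadowed_rules helper flags entries that an earlier, broader entry on the same interface prevents from ever matching, which is how a deny-all placed ahead of a type 3 permit silently breaks Path MTU discovery.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IcmpRule:
    action: str                     # "permit" or "deny"
    interface: str                  # interface the rule applies to
    network: ipaddress.IPv4Network  # host or network the rule matches
    icmp_type: Optional[int]        # None means any ICMP type

def make_rule(action: str, interface: str, address: str,
              netmask: str = "255.255.255.255",
              icmp_type: Optional[int] = None) -> IcmpRule:
    """Build a rule; an address given without a netmask gets the host mask
    255.255.255.255, the page's default regardless of class."""
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    return IcmpRule(action, interface, net, icmp_type)

def evaluate(rules: List[IcmpRule], interface: str, src_ip: str,
             icmp_type: int) -> Tuple[str, Optional[int]]:
    """Verdict for an ICMP packet that terminates on `interface`.

    Returns (action, index of the matching rule).  An interface with no
    rules accepts everything (assumption; index None); otherwise the first
    matching rule decides and anything unmatched hits the implicit deny.
    """
    on_iface = [(i, r) for i, r in enumerate(rules) if r.interface == interface]
    if not on_iface:
        return "permit", None
    src = ipaddress.IPv4Address(src_ip)
    for i, rule in on_iface:
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        if src not in rule.network:
            continue
        return rule.action, i          # first match wins, permit or deny
    return "deny", None                # implicit deny all

def shadowed_rules(rules: List[IcmpRule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule on the
    same interface already covers every packet they would match."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            same_iface = earlier.interface == later.interface
            covers_type = earlier.icmp_type is None or earlier.icmp_type == later.icmp_type
            covers_net = later.network.subnet_of(earlier.network)
            if same_iface and covers_type and covers_net:
                shadowed.append(j)
                break
    return shadowed

# Constructed sample list: permit unreachables (type 3) from a monitoring
# network, permit echo (type 8) from one host, then deny everything else.
RULES = [
    make_rule("permit", "outside", "192.0.2.0", "255.255.255.0", icmp_type=3),
    make_rule("permit", "outside", "192.0.2.10", icmp_type=8),
    make_rule("deny", "outside", "0.0.0.0", "0.0.0.0"),
]
# The same entries with the deny-all moved first: the type 3 permit is dead.
SHADOWED = [RULES[2], RULES[0]]

if __name__ == "__main__":
    print(evaluate(RULES, "outside", "192.0.2.77", 3))   # ('permit', 0)
    print(evaluate(RULES, "outside", "192.0.2.77", 8))   # ('deny', 2)
    print(shadowed_rules(SHADOWED))                      # [1]
```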
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > ICMP
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > ICMP from the Policy Types selector. Right-click ICMP and select
New ICMP Policy to create a policy, or select an existing policy from the
Policies selector.
The ICMP page is displayed. For a description of the fields on this page, see
Table L-48 on page L-94.

Step 2

Do one of the following:

To add an ICMP entry, click Add Row to display the Add ICMP dialog box,
and then proceed to Step 3.

To edit an ICMP entry, select the entry and click Edit Row to display the Edit
ICMP dialog box, and then proceed to Step 3.

To delete an ICMP entry, select the entry and click Delete Row. Proceed to
Step 8.

Step 3

Select the action (permit or deny) associated with this ICMP entry.

Step 4

Enter the ICMP service to which this ICMP rule applies. You can click Select to
select the ICMP service from a list.

Step 5

Enter the name of the interface to which this ICMP rule applies. You can click
Select to select the interface from a list.

Step 6

Enter the IP address and netmask of the host or network from which ICMP access
is permitted or denied. The default netmask is 255.255.255.255 regardless of
class.

Note

To limit access to a single IP address, use 255.255.255.255. Do not use the subnetwork mask of the internal network.


Step 7

Click OK to close the dialog box.

Step 8

Click Save to save your definitions to the Security Manager server.

Related Topics

ICMP Page, page L-94

Configuring Management Access


You can use the Management Access page to specify an interface on a firewall
device that permits management access connections. Enabling this feature on an
internal interface allows PIX management functions to be performed on the
interface over an IPsec VPN tunnel. You can enable the Management Access
feature on only one interface at a time.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access >
Management Access from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > Management Access from the Policy Types selector. Right-click
Management Access and select New Management Access Policy to create a
policy, or select an existing policy from the Policies selector.
The Management Access page is displayed. For a description of the fields on
this page, see Table L-50 on page L-97.

Step 2

Enter the name of the interface on the firewall device that should permit
management access connections. Enabling this feature on an internal interface
allows PIX management functions to be performed on the interface over an IPsec
VPN tunnel. You can enable the Management Access feature on only one
interface at a time. Clear this field to disable management access. You can click
Select to select the interface from a list of interface building blocks.

Step 3

Click Save to save your definitions to the Security Manager server.


Related Topics

Management Access Page, page L-96

Configuring Secure Shell


The Secure Shell page lets you configure rules that permit only specific hosts or
networks to connect to a firewall device for administrative access using the SSH
protocol. The rules restrict SSH access to a specific IP address and netmask. SSH
connection attempts that comply with the rules must then be authenticated by a
AAA server or the Telnet password.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Secure
Shell from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > Secure Shell from the Policy Types selector. Right-click Secure
Shell and select New Secure Shell Policy to create a policy, or select an
existing policy from the Policies selector.
The Secure Shell page is displayed. For a description of the fields on this
page, see Table L-51 on page L-98.

Step 2

Specify the version of SSH accepted by the security appliance. By default, SSH
Version 1 and SSH Version 2 connections are accepted.

Step 3

In the Timeout (minutes) field, enter the number of minutes an SSH session can
remain idle before the firewall device closes it.

Step 4

Do one of the following:

To add an SSH entry, click Add Row to display the Add Host dialog box, and then proceed to Step 5.

To edit an SSH entry, select the entry and click Edit Row to display the Edit Host dialog box, and then proceed to Step 5.

To delete an SSH entry, select the entry and click Delete Row. Proceed to Step 8.

Step 5

Enter the name of the interface that will permit SSH sessions. You can click Select to select the interface from a list.
Step 6

Enter the IP address and netmask of the host or network that is permitted to
connect to this security appliance through the specified interface. The default
netmask is 255.255.255.255 regardless of class.

Note

To limit access to a single IP address, use 255.255.255.255. Do not use the subnetwork mask of the internal network.

Step 7

Click OK to close the dialog box.

Step 8

To enable the secure copy server on the security appliance, select the Enable
Secure Copy check box.

Step 9

Click Save to save your definitions to the Security Manager server.

Related Topics

Secure Shell Page, page L-97

Configuring SNMP
Simple Network Management Protocol (SNMP) defines a standard way for
network management stations running on PCs or workstations to monitor the
health and status of many types of devices, including switches, routers, and the
security appliance. You can use the SNMP page to configure a firewall device for
monitoring by SNMP management stations.

SNMP Terminology

Management station: Network management stations running on PCs or workstations use the SNMP protocol to administer standardized databases residing on the device being managed. Management stations can also receive messages about events, such as hardware failures, which require attention.

Agent: In the context of SNMP, the management station is a client and an SNMP agent running on the security appliance is a server.

OID: The SNMP standard assigns a system object ID (OID) so that a management station can uniquely identify network devices with SNMP agents and indicate to users the source of information monitored and displayed.

MIB: The agent maintains standardized data structures called Management Information Databases (MIBs), which are compiled into management stations. MIBs collect information, such as packet, connection, and error counters, buffer usage, and failover status. MIBs are defined for specific products and for the common protocols and hardware standards used by most network devices. SNMP management stations can browse MIBs or request only specific fields. In some applications, MIB data can be modified for administrative purposes.

Trap: The agent also monitors alarm conditions. When an alarm condition defined in a trap occurs, such as a link up, link down, or syslog event, the agent sends notification, also known as SNMP trap, to the designated management station immediately.

SNMP
For Cisco MIB files and OIDs, refer to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. OIDs may be
downloaded at this URL: ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.

SNMP CPU Utilization


Cisco firewall devices support monitoring CPU utilization through SNMP. This
feature allows network administrators to monitor firewall device CPU usage using
SNMP management software, such as HP OpenView, for capacity planning.
This functionality is implemented through support for the cpmCPUTotalTable of
the Cisco Process MIB (CISCO-PROCESS-MIB.my). The other two tables in the
MIB, cpmProcessTable and cpmProcessExtTable, are not supported in this
release.
Each row of the cpmCPUTotalTable includes the index of each CPU and the
following objects:

MIB Object Name: cpmCPUTotalPhysicalIndex
Description: The value of this object will be zero because the entPhysicalTable of Entity MIB is not supported on the security appliance SNMP agent.

MIB Object Name: cpmCPUTotalIndex
Description: The value of this object will be zero because the entPhysicalTable of Entity MIB is not supported on the security appliance SNMP agent.

MIB Object Name: cpmCPUTotal5sec
Description: Overall CPU busy percentage in the last five-second period.

MIB Object Name: cpmCPUTotal1min
Description: Overall CPU busy percentage in the last one-minute period.

MIB Object Name: cpmCPUTotal5min
Description: Overall CPU busy percentage in the last five-minute period.

Note

Because all current firewall device hardware platforms support a single CPU, the
firewall device returns only one row from cpmCPUTotalTable and the index is
always 1.

The values of the last three elements are the same as the output from the show cpu
usage command.
The security appliance does not support the following new MIB objects in the
cpmCPUTotalTable:

cpmCPUTotal5secRev

cpmCPUTotal1minRev

cpmCPUTotal5minRev

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > SNMP
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > SNMP from the Policy Types selector. Right-click SNMP and select
New SNMP Policy to create a policy, or select an existing policy from the
Policies selector.
The SNMP page is displayed. For a description of the fields on this page, see
Table L-53 on page L-100.


Step 2

Enter the shared secret used by the SNMP management station when sending
requests to the security appliance in the Read Community String field.

Step 3

Enter the name of the system administrator.

Step 4

Enter the location of the security appliance.

Step 5

For PIX 7.x and ASA:

a. To enable the security appliance to send traps to the SNMP management station, select the Enable SNMP Servers check box.

b. To configure the traps that are sent to the SNMP management station, click Configure Traps to display the SNMP Trap Configuration dialog box, select the check boxes that correspond to the traps you want to enable, and then click OK to close the dialog box.

c. Specify the port on which incoming requests will be accepted.

Step 6

Do one of the following:

To add an SNMP Host entry, click Add Row to display the Add SNMP Host Access Entry dialog box, and then proceed to Step 7.

To edit an SNMP Host entry, select the entry and click Edit Row to display the Add SNMP Host Access Entry dialog box, and then proceed to Step 7.

To delete an SNMP Host entry, select the entry and click Delete Row. Proceed to Step 14.

Step 7

Enter the name of the interface on which the SNMP management station resides.
You can click Select to select the interface from a list.

Step 8

Enter the IP address of the SNMP management station.

Step 9

For PIX 7.x, ASA, and FWSM 2.3 devices, enter the port to which notifications
should be sent.

Step 10

For PIX 7.x and ASA, enter the community string to use for this management
station.

Step 11

For PIX 7.x and ASA, select the SNMP version used by this management station.

Step 12

Select the appropriate check boxes to identify the method for communicating with
this management station:

Poll: Firewall device waits for a periodic request from the management
station.

Trap: Sends syslog events when they occur.


Step 13

Click OK to close the dialog box.

Step 14

Click Save to save your definitions to the Security Manager server.

Related Topics

SNMP Page, page L-99

Configuring Telnet
The Telnet page lets you configure rules that permit only specific hosts or
networks to connect to the firewall device using the Telnet protocol.
The rules restrict administrative Telnet access through a firewall device interface
to a specific IP address and netmask. Connection attempts that comply with the
rules must then be authenticated by a preconfigured AAA server or the Telnet
password. You can monitor Telnet sessions using Monitoring > Telnet Sessions.

Note

Only five telnet sessions may be active at the same time in single context mode.
In multiple context mode on ASAs, there may be only five telnet sessions active
per context, 100 telnet sessions active per blade. With resource class, the
administrator can further tune this parameter.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Device Access > Telnet
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > Telnet from the Policy Types selector. Right-click Telnet and select
New Telnet Policy to create a policy, or select an existing policy from the
Policies selector.
The Telnet page is displayed. For a description of the fields on this page, see
Table L-56 on page L-105.

Step 2

In the Timeout (minutes) field, enter the number of minutes a Telnet session can
remain idle before the firewall device closes it.


Step 3

Do one of the following:

To add a Telnet entry, click Add Row to display the Telnet Configuration
dialog box, and then proceed to Step 4.

To edit a Telnet entry, select the entry and click Edit Row to display the
Telnet Configuration dialog box, and then proceed to Step 4.

To delete a Telnet entry, select the entry and click Delete Row. Proceed to
Step 6.

Step 4

Enter the name of the interface that receives Telnet packets from the client. You
can click Select to select the interface from a list.

Step 5

Enter the IP address and netmask of the host or network that is permitted to access
the PIX Firewall Telnet console through the specified interface. The default netmask
is 255.255.255.255 regardless of class.

Note

To limit access to a single IP address, use 255.255.255.255. Do not use
the subnetwork mask of the internal network.

Step 6

Click Save to save your definitions to the Security Manager server.
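To see what a Telnet entry's netmask actually admits, the following added Python example (not part of this guide) evaluates a constructed list of Telnet rules against a source address and flags entries wider than a single host; the TelnetRule layout and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


# Constructed model of one Telnet access entry (interface, host/network, netmask).
# The Telnet Configuration dialog defaults the netmask to 255.255.255.255,
# which admits exactly one host.
@dataclass(frozen=True)
class TelnetRule:
    interface: str
    address: str
    netmask: str = "255.255.255.255"

    def network(self) -> ipaddress.IPv4Network:
        # strict=False masks the host bits, so 192.168.50.20/255.255.255.0
        # becomes 192.168.50.0/24 (the whole internal subnet).
        return ipaddress.IPv4Network((self.address, self.netmask), strict=False)


def telnet_permitted(rules, interface: str, source_ip: str) -> bool:
    """True if a Telnet connection from source_ip arriving on interface matches a rule.

    A match only admits the connection to the authentication stage (AAA server or
    Telnet password); it does not by itself grant console access.
    """
    src = ipaddress.IPv4Address(source_ip)
    return any(r.interface == interface and src in r.network() for r in rules)


def hosts_admitted(rule: TelnetRule) -> int:
    """Number of source addresses a single rule lets through to the Telnet console."""
    return rule.network().num_addresses


def overly_broad_rules(rules):
    """Rules whose netmask admits more than one host: the case the guide warns
    about, i.e. using the internal network's subnet mask instead of 255.255.255.255."""
    return [r for r in rules if hosts_admitted(r) > 1]


# Constructed sample policy: one management host plus a mistaken subnet-wide entry.
SAMPLE_RULES = [
    TelnetRule("inside", "10.1.1.5"),                     # single host, default mask
    TelnetRule("dmz", "192.168.50.20", "255.255.255.0"),  # admits all of 192.168.50.0/24
]

if __name__ == "__main__":
    for rule in overly_broad_rules(SAMPLE_RULES):
        print(f"{rule.interface}: {rule.address}/{rule.netmask} admits "
              f"{hosts_admitted(rule)} hosts")
```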

Related Topics

Telnet Page, page L-104

Telnet Configuration Dialog Box, page L-105

Configuring Failover
The Failover page contains the settings for configuring failover on the security
appliance. However, the Failover page changes depending upon the type of device
and whether you are in multiple mode or single mode, and when you are in
multiple mode, it changes based on the security context you are in.
How you configure failover depends upon both the security context and the
firewall mode of the security appliance.
In single mode, you only use Active/Standby failover. All failover configuration
occurs in the Failover panel and associated sub-tabs. However, the Interfaces tab
varies between routed firewall mode and transparent firewall mode.

Note

When using Active/Standby failover, you must make all configuration changes on
the active unit. The active unit replicates the changes to the standby unit. The
standby unit should not be imported or added to the Security Manager device list.

In multiple mode, you can configure Active/Standby or Active/Active failover. In
both types of failover, you need to provide system-level failover settings in the
system context, and context-level failover settings in the individual security
contexts. Additionally, the security context failover interface settings vary
between routed firewall mode and transparent firewall mode.

Related Topics

Failover Policies, page L-106

Understanding Failover
Failover allows you to configure two security appliances so that one will take over
operation if the other fails. Using a pair of security appliances, you can provide
high availability with no operator intervention. The security appliance
communicates failover information over a dedicated failover link. This failover
link can be either a LAN-based connection or, on the PIX security appliance
platform, a dedicated serial failover cable. The following information is
communicated over the failover link:

The failover state (active or standby).

Hello messages (keep-alives).

Network link status.

MAC address exchange.

Configuration replication.

Caution

All information sent over the failover and Stateful Failover links is sent in clear
text unless you secure the communication with a failover key. If the security
appliance is used to terminate VPN tunnels, this information includes any
usernames, passwords, and preshared keys used for establishing the tunnels.


Transmitting this sensitive data in clear text could pose a significant security risk.
We recommend securing the failover communication with a failover key if you are
using the security appliance to terminate VPN tunnels.
The security appliance supports two types of failover: Active/Standby and
Active/Active. Additionally, failover can be stateful or stateless. For more
information about the types of failover, refer to the following topics:

Active/Standby Failover

Active/Active Failover

Stateless (Regular) Failover

Stateful Failover

Active/Standby Failover
In an Active/Standby configuration, the active security appliance handles all
network traffic passing through the failover pair. The standby security appliance
does not handle network traffic until a failure occurs on the active security
appliance. Whenever the configuration of the active security appliance changes,
it sends configuration information over the failover link to the standby security
appliance.
When a failover occurs, the standby security appliance becomes the active unit. It
assumes the IP and MAC addresses of the previously active unit. Because the
other devices on the network do not see any changes in the IP or MAC addresses,
ARP entries do not change or time out anywhere on the network.
Active/Standby failover is available to security appliances in single mode or
multiple mode.

Note

When using Active/Standby failover, you must make all configuration changes on
the active unit. The active unit replicates the changes to the standby unit. The
standby unit should not be imported or added to the Security Manager device list.

Active/Active Failover
In an Active/Active failover configuration, both security appliances pass network
traffic. Active/Active failover is only available to security appliances in multiple
context mode.


Note

To reliably manage security contexts in active/active failover mode, Cisco
Security Manager requires an IP address for the management interface of each
context so that it can directly communicate with the active security context of a
failover pair. To specify the IP address or hostname for a security context, select
Tools > Device Properties.

To enable Active/Active failover on the security appliance, you need to create
failover groups. If you enable failover without creating failover groups, you are
enabling Active/Standby failover. A failover group is a logical group of one or
more security contexts. You can create two failover groups on the security
appliance. You should create the failover groups on the unit that will have failover
group 1 in the active state. The admin context is always a member of failover
group 1. Any unassigned security contexts are also members of failover group 1
by default.
As in Active/Standby failover, each unit in an Active/Active failover pair is given
a primary or secondary designation. Unlike Active/Standby failover, this
designation does not indicate which unit is active when both units start
simultaneously. Each failover group in the configuration is given a primary or
secondary role preference. This preference determines on which unit in the
failover pair the contexts in the failover group appear in the active state when both
units start simultaneously. You can have both failover groups be in the active state
on a single unit in the pair, with the other unit containing the failover groups in
the standby state. However, a more typical configuration is to assign each failover
group a different role preference to make each one active on a different unit,
balancing the traffic across the devices.
Initial configuration synchronization occurs when one or both units start. This
synchronization occurs as follows:

When both units start simultaneously, the configuration is synchronized from
the primary unit to the secondary unit.

When one unit starts while the other unit is already active, the unit that is
starting up receives the configuration from the already active unit.

After both units are running, commands are replicated from one unit to the other
as follows:

Commands entered within a security context are replicated from the unit on
which the security context appears in the active state to the peer unit.


A context is considered in the active state on a unit if the failover group
to which it belongs is in the active state on that unit.

Commands entered in the system execution space are replicated from the unit
on which failover group 1 is in the active state to the unit on which failover
group 1 is in the standby state.

Commands entered in the admin context are replicated from the unit on which
failover group 1 is in the active state to the unit on which failover group 1 is
in the standby state.

Note

Failure to enter the commands on the appropriate unit for command replication to
occur will cause the configurations to be out of synchronization. Those changes
may be lost the next time the initial configuration synchronization occurs.

Note

When bootstrapping the peer devices in an Active/Active Failover configuration,
the bootstrap configurations are only applied to the system contexts of the
respective failover peer devices.

In an Active/Active failover configuration, failover occurs on a failover group
basis, not a system basis. For example, if you designate both failover groups as
active on the primary unit, and failover group 1 fails, failover group 2 remains
active on the primary unit, while failover group 1 becomes active on the secondary
unit.

Note

When configuring Active/Active failover, make sure that the combined traffic for
both units is within the capacity of each unit.
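The Active/Active rules above (failover-group membership, role preference, per-group failover, and which unit a change must be entered on for it to replicate) as an added Python model that is not from the guide; the class and method names are assumptions, and the built-in scenario is the one the text describes (both groups active on the primary unit, then group 1 fails).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


def peer_of(unit: str) -> str:
    return "secondary" if unit == "primary" else "primary"


@dataclass
class FailoverGroup:
    number: int          # 1 or 2; an appliance has at most two failover groups
    preference: str      # unit on which the group is active when both units start
    active_on: str = field(init=False)

    def __post_init__(self) -> None:
        # At a simultaneous start the role preference decides where the group is active.
        self.active_on = self.preference


class ActiveActivePair:
    """Constructed model of an Active/Active failover pair (hypothetical class)."""

    def __init__(self, group1_pref: str, group2_pref: str,
                 contexts: Dict[str, Optional[int]]):
        self.groups = {1: FailoverGroup(1, group1_pref),
                       2: FailoverGroup(2, group2_pref)}
        self.context_group: Dict[str, int] = {}
        self.assign("admin", 1)          # the admin context is always in group 1
        for name, group in contexts.items():
            self.assign(name, group)

    def assign(self, context: str, group: Optional[int]) -> None:
        # Unassigned contexts are members of failover group 1 by default,
        # and the admin context cannot be moved out of group 1.
        if context == "admin" or group is None:
            group = 1
        self.context_group[context] = group

    def active_unit(self, context: str) -> str:
        """A context is active on the unit where its failover group is active."""
        return self.groups[self.context_group[context]].active_on

    def replication_source(self, scope: str) -> str:
        """Unit from which commands entered in `scope` replicate to the peer.

        scope is "system" (system execution space), "admin", or a context name.
        System and admin commands replicate from the unit holding group 1 active;
        commands in any other context replicate from where that context is active.
        """
        if scope in ("system", "admin"):
            return self.groups[1].active_on
        return self.active_unit(scope)

    def change_replicates(self, made_on: str, scope: str) -> bool:
        """False means the change leaves the configurations out of sync and may be
        lost at the next initial configuration synchronization."""
        return made_on == self.replication_source(scope)

    def fail(self, group: int, unit: str) -> None:
        """Failover is per failover group, not per unit: only the failed group
        moves to the peer; the other group stays where it was."""
        if self.groups[group].active_on == unit:
            self.groups[group].active_on = peer_of(unit)

    def active_map(self) -> Dict[str, str]:
        return {ctx: self.active_unit(ctx) for ctx in self.context_group}


if __name__ == "__main__":
    # The guide's scenario: both groups active on the primary unit, group 1 fails.
    pair = ActiveActivePair("primary", "primary", {"ctxA": 1, "ctxB": 2})
    pair.fail(1, "primary")
    print(pair.active_map())          # ctxA/admin now on secondary, ctxB still on primary
    print(pair.change_replicates("primary", "system"))   # False: group 1 moved
```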

Stateless (Regular) Failover

Stateless failover is also referred to as regular failover. In stateless failover, all
active connections are dropped when a failover occurs. Clients need to reestablish
connections when the new active unit takes over.


Stateful Failover

Note

Stateful Failover is not supported on the ASA 5505 series adaptive security
appliance.

When stateful failover is enabled, the active unit in the failover pair continually
passes per-connection state information to the standby unit. After a failover
occurs, the same connection information is available at the new active unit.
Supported end-user applications are not required to reconnect to keep the same
communication session.

Note

The IP address and MAC address for the state and LAN failover links do not
change at failover.

To use stateful failover, you must configure a state link to pass all state
information to the standby unit. If you are using a LAN failover connection rather
than the serial failover interface (available on the PIX security appliance platform
only), you can use the same interface for the state link as the failover link.
However, it is recommended that you use a dedicated interface for passing state
information to the standby unit.
The following information is passed to the standby unit when stateful failover is
enabled:

NAT translation table.

TCP connection table (except for HTTP), including the timeout connection.

HTTP connection states (if HTTP replication is enabled).

H.323, SIP, and MGCP UDP media connections.

The system clock.

The ISAKMP and IPsec SA table.

The following information is not copied to the standby unit when stateful failover
is enabled:

HTTP connection table (unless HTTP replication is enabled).

The user authentication (uauth) table.

The ARP table.


Routing tables.

Additional Steps for an Active/Standby Failover Configuration

Security Manager enables you to authenticate PIX/ASA/FWSM devices by
validating the certificate installed on the device. When configuring firewalls in an
active/standby failover configuration, you must manually copy the certificate
from the active device to the standby device so that Security Manager can
communicate with the standby device after a failover occurs.
The following procedures describe how to export or display the identity
certificate, CA certificate, and keys for a security appliance in your network
using ASDM, and then import that information onto a standby device using
ASDM.
Exporting the Certificate to a File or PKCS12 Data

To export a trustpoint configuration, follow these steps using ASDM:

Step 1

Go to Configuration > Features > Device Administration > Certificate >
Trustpoint > Export.

Step 2

Fill in the Trustpoint Name, Encryption Passphrase, and Confirm Passphrase
fields. For information on these fields, click Help.

Step 3

Select a method for exporting the trustpoint configuration.

Export to a File: Type the filename or browse for the file.

Display the trustpoint configuration in PKCS12 format: Display the entire
trustpoint configuration in a text box and then copy it for importing. For more
information, click Help.

Step 4

Click Export.

Importing the Certificate onto the Standby Device

To import a trustpoint configuration, follow these steps using ASDM:

Step 1

Go to Configuration > Features > Device Administration > Certificate >
Trustpoint > Import.


Step 2

Fill in the Trustpoint Name, Decryption Passphrase, and Confirm Passphrase
fields. For information on these fields, click Help. The decryption passphrase is
the same as the encryption passphrase used when the trustpoint configuration was
exported.

Step 3

Select a method for importing the trustpoint configuration.

Import from a File: Type the filename or browse for the file.

Enter the trustpoint configuration in PKCS12 format: Paste the entire
trustpoint configuration from the exported source into a text box. For more
information, click Help.

Configuring Hostname Settings

Use the Hostname policy to enter a hostname and domain name to be used by the
firewall device after the configuration file is deployed.
When you set a hostname for the security appliance, that name appears in the
command line prompt. If you establish sessions to multiple devices, the hostname
helps you keep track of where you enter commands. The default hostname
depends on your platform.
For multiple context mode, the hostname that you set in the system execution
space appears in the command line prompt for all contexts. The hostname that you
optionally set within a context does not appear in the command line, but can be
used by the banner command $(hostname) token.
The firewall device appends the domain name as a suffix to unqualified names.
For example, if you set the domain name to example.com, and specify a syslog
server by the unqualified name of jupiter, the security appliance qualifies the
name to jupiter.example.com.
For multiple context mode, you can set the domain name for each context, as well
as within the system execution space.
Procedure
Step 1

Select the firewall device for which you want to configure hostname settings.

Step 2

Select Platform > Device Admin > Hostname from the Device Policy selector.


The Hostname page is displayed. For a description of the fields on this page, see
Table L-69 on page L-129.
Step 3

Enter the name you want to use for the device in the Host Name field.

Note

We recommend that you use a unique hostname for each device you
create. The device name can be up to 63 alphanumeric (U.S. English)
characters and can include any of the following special characters: ` ( ) +
- , . / : =.

Step 4

Optionally, enter a valid Domain Name System (DNS) domain name for the
device, for example, cisco.com.

Step 5

Click Save to save your definitions to the Security Manager server.

Related Topics

Hostname Page, page L-128

Configuring Resources on Firewall Services Modules

Use the Resources page to view configured classes and information about each
class. You can also use the Resources page to add, edit, or delete a class.
Procedure
Step 1

Select the system context of an FWSM in multiple-context mode.

Step 2

Select Resources from the Device Policy selector.


The Resources page is displayed. For a description of the fields on this page, see
Resources Page, page L-129.

Step 3

Click Save to save your definitions to the Security Manager server.


Configuring Server Access Settings on Firewall Devices

The Server Access section contains pages for configuring server access on
firewall devices. For more information, see the following topics:

Configuring AUS Settings, page 15-64

Configuring DHCP Relay, page 15-66

Configuring DHCP Servers, page 15-68

Configuring DNS, page 15-70

Configuring NTP Settings, page 15-72

Configuring SMTP Servers, page 15-73

Configuring TFTP Servers, page 15-74

Configuring AUS Settings

The AUS page lets you configure a firewall device to be managed remotely from
a server that supports the Auto Update specification. Auto Update lets you apply
configuration changes to the firewall device and receive software updates from a
remote location.
Auto Update is useful in solving many challenges facing administrators for
security appliance management:

Overcomes dynamic addressing and NAT challenges

Gives ability to commit configuration changes in one atomic action

Provides a reliable method for updating software

Leverages well understood methods for high scalability

Open interface gives developers tremendous flexibility

Simplifies security solutions for Service Provider environments

High reliability, rich security/management features, broad support by many
products

Procedure
Step 1

Do one of the following:


(Device view) Select Platform > Device Admin > Server Access > AUS
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server
Access > AUS from the Policy Types selector. Right-click AUS and select
New AUS Policy to create a policy, or select an existing policy from the
Policies selector.
The AUS page is displayed. For a description of the fields on this page, see
Table L-72 on page L-135.

Step 2

Select the Enable Auto Update check box.

Step 3

Select the protocol the Auto Update Server will use to communicate with the
firewall device. The choices are http and https.

Step 4

Enter the IP address of the AUS server.

Step 5

Enter the port to contact on the Auto Update Server. The default is TCP port 80
for http and TCP port 443 for https.

Step 6

Enter the path on the Auto Update Server.

Step 7

To verify that the certificate returned by the Auto Update Server will be checked
against the Certification Authority (CA) root certificates, select the Verify
Certificate check box. This option requires that the Auto Update Server and the
firewall device use the same CA.

Step 8

Enter the username needed to access the Auto Update Server.

Step 9

Enter the user password for the Auto Update Server in the Password and Confirm
fields.

Step 10

To enable the firewall device to timeout if no response is received from the Auto
Update Server:
a.

Select the Enable Timeout check box.

b.

Enter the number of minutes the firewall device should wait to timeout if no
response is received from the Auto Update Server.

c.

Enter the number of minutes the firewall device should wait to poll the Auto
Update Server for new information.

d.

Enter the number of minutes the firewall device should wait to poll the Auto
Update Server for new information if the attempt to poll the server fails.

e.

Enter the number of times the firewall device should try to poll the Auto
Update Server for new information.


Step 11

To enable authentication using a Device ID:

a.

Select the Use Device ID check box.

b.

Select the type of Device ID to use.

Step 12

Click Save to save your definitions to the Security Manager server.

Related Topics

AUS Page, page L-135

Configuring DHCP Relay

Use the DHCP Relay page to configure DHCP relay services on a firewall device.
DHCP relay passes DHCP requests received on one interface to an external DHCP
server located behind a different interface. To configure DHCP relay, you need to
specify at least one DHCP relay server and then enable a DHCP relay agent on the
interface receiving DHCP requests.

Note

You cannot enable a DHCP relay agent on an interface that has a DHCP relay
server configured for it.

The DHCP relay agent works only with external DHCP servers; it will not
forward DHCP requests to a security appliance interface configured as a DHCP
server.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > DHCP
Relay from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server
Access > DHCP Relay from the Policy Types selector. Right-click DHCP
Relay and select New DHCP Relay Policy to create a policy, or select an
existing policy from the Policies selector.


The DHCP Relay page is displayed. For a description of the fields on this
page, see Table L-73 on page L-138.
Step 2

For each interface on which you want to enable a DHCP Relay Agent:
a.

Click the Add Row button for the DHCP Relay Agent table.
The Configure DHCP Relay Agent Parameters dialog box appears.

b.

Enter the name of the interface.

c.

Select the Enable DHCP Relay Agent check box.

d.

To configure the DHCP relay agent to modify the default router address in the
information returned from the DHCP server, select the Set Route check box.
When this check box is selected, the DHCP relay agent substitutes the address
of the selected interface for the default router address in the information
returned from the DHCP server.

e.

Click OK.
The Configure DHCP Relay Agent Parameters dialog box closes and the
interface is added to the DHCP Relay Agent table.

Step 3

For each DHCP relay server that you want to define:


a.

Click the Add Row button for the DHCP Relay Servers table.
The Configure DHCP Relay Server Parameters dialog box appears.

b.

Enter the IP address of a configured, external DHCP server.

c.

Enter the name of the interface to which the specified DHCP server is
attached.

d.

Click OK.
The Configure DHCP Relay Server Parameters dialog box closes and the
server is added to the DHCP Relay Servers table.

Step 4

Enter the amount of time, in seconds, allowed for DHCP address negotiation.

Step 5

Click Save to save your definitions to the Security Manager server.

Related Topics

DHCP Relay Page, page L-137


Configuring DHCP Servers

A Dynamic Host Configuration Protocol (DHCP) server provides network
configuration parameters, such as IP addresses, to DHCP clients. The security
appliance can provide a DHCP server or DHCP relay services to DHCP clients
attached to security appliance interfaces. The DHCP server provides network
configuration parameters directly to DHCP clients. DHCP relay passes DHCP
requests received on one interface to an external DHCP server located behind a
different interface. For more information about DHCP relay, see Configuring
DHCP Relay, page 15-66.

Note

The security appliance DHCP server does not support BOOTP requests.
In multiple context mode, you cannot enable the DHCP server or DHCP relay on
an interface that is used by more than one context.
You can configure a DHCP server on each interface of the security appliance.
Each interface can have its own pool of addresses to draw from. However, the
other DHCP settings, such as DNS servers, domain name, options, ping timeout,
and WINS servers, are configured globally and used by the DHCP server on all
interfaces.
You cannot configure a DHCP client or DHCP relay services on an interface on
which the DHCP server is enabled. Additionally, DHCP clients must be directly
connected to the interface on which the server is enabled.
If your firewall is also acting as a DHCP client on the outside interface, you can
enable auto-negotiated IP configuration. This allows the firewall to pass the DNS,
WINS, and domain name parameters it gets from the outside interface (as a DHCP
client) to hosts on its inside network. Alternatively, you can manually specify the
DNS, WINS, and domain name parameters. If you specify those parameters
manually and auto-configuration is on, your values take precedence over
auto-configuration.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > DHCP
Server from the Device Policy selector.


(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server
Access > DHCP Server from the Policy Types selector. Right-click DHCP
Server and select New DHCP Server Policy to create a policy, or select an
existing policy from the Policies selector.
The DHCP Server page is displayed. For a description of the fields on this
page, see Table L-76 on page L-141.

Step 2

For each interface on which you want to enable DHCP server:

a.

Click the Add Row button.
The Edit DHCP Server dialog box appears.

b.

Select the Enable DHCP Server check box.

c.

Enter the name of the interface.

d.

Enter the beginning and ending addresses, separated by a hyphen, for the
range of IP addresses that the DHCP server uses when assigning IP addresses.

e.

Click OK.
The Edit DHCP Server dialog box closes and the interface for which you
enabled the DHCP server is added to the table.

Step 3

Enter the ping timeout in milliseconds.

Step 4

Enter the lease length in seconds.

Step 5

To enable auto-configuration, select the Enable auto-configuration check box
and enter the name of the interface on which the DHCP client is enabled.

Step 6

To define the values that the server communicates to DHCP clients or to override
the auto-configuration settings:

a.

Enter the domain name.

b.

Enter the IP address of the primary DNS server.

c.

Enter the IP address of an alternate DNS server.

d.

Enter the IP address of the primary WINS server.

e.

Enter the IP address of an alternate WINS server.

Step 7

Click Save to save your definitions to the Security Manager server.


Related Topics

DHCP Server Page, page L-140

Configuring DNS
The DNS page lets you specify one or more DNS servers for a firewall device so
it can resolve server names to IP addresses in your WebVPN configuration or
certificate configuration. Other features that define server names (such as AAA)
do not support DNS resolution. You must enter the IP address or manually resolve
the name to an IP address by adding the server name in the Hosts/Networks panel.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > DNS
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server
Access > DNS from the Policy Types selector. Right-click DNS and select
New DNS Policy to create a policy, or select an existing policy from the
Policies selector.
The DNS page is displayed. For a description of the fields on this page, see
Table L-79 on page L-145.

Step 2

For each DNS server group that you want to define:


a.

Click the Add Row button.


The Add DNS Server Group dialog box appears.

b.

Enter the name of the DNS server group.

c.

For each DNS server that you want to define for this DNS server group:
Click the Add button.

The Add DNS Server dialog box appears.


Enter the IP address or the object name of the DNS server.
Click OK.

The Add DNS Server dialog box closes and the server is added to the list.


d.

Enter the number of times, from 0 to 10, to retry the list of DNS servers when
the firewall device does not receive a response.

e.

Enter the amount of time, from 1 to 30 seconds, to wait before trying the next
DNS server in the list.

f.

Enter a valid DNS domain name for the server; for example, example.com.

g.

Click OK.
The Add DNS Server Group dialog box closes and the server group is added
to the DNS Server Groups table.

Step 3

To specify the interfaces on which you want to enable DNS lookup:


a.

Click Edit.
The Edit Interfaces dialog box appears.

b.

Enter the names of the interfaces on which you want to enable DNS lookup
separated by a comma.

c.

Click OK.
The Edit Interfaces dialog box closes and the specified interfaces are added
to the DNS Lookup Interfaces list.

Step 4

To enable DNS Guard for the selected device or shared policy, select the Enable
DNS Guard (ASA/PIX 7.0(5) only) check box. DNS Guard tears down the DNS
session as soon as the first response to a query has been forwarded, so any
further (possibly spoofed) responses to the same query are dropped. This command
is effective only on interfaces for which DNS inspection is disabled. When DNS
inspection is enabled, the DNS guard function is always performed.

Note

In releases prior to 7.0(5), the DNS guard functions are always enabled
regardless of the configuration of DNS inspection.

Step 5

Click Save to save your definitions to the Security Manager server.

Related Topics

DNS Page, page L-144


Configuring NTP Settings


NTP is used to implement a hierarchical system of servers that provide a precisely
synchronized time among network systems. This kind of accuracy is required for
time-sensitive operations, such as validating CRLs, which include a precise time
stamp. You can configure multiple NTP servers. The firewall device chooses the
server with the lowest stratum, a measure of how many hops the server is from an
authoritative reference clock and therefore of how reliable its time is.
Use the NTP page to define NTP servers to dynamically set the time on a firewall
device.

Note

Time derived from an NTP server overrides any time set manually in the Clock
panel.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > NTP
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server
Access > NTP from the Policy Types selector. Right-click NTP and select
New NTP Policy to create a policy, or select an existing policy from the
Policies selector.
The NTP page is displayed. For a description of the fields on this page, see
Table L-84 on page L-150.

Step 2

For each NTP server that you want to define:


a.

Click the Add Row button.


The NTP Server Configuration dialog box appears.

b.

Enter the IP address of the NTP server.

c.

To set this server as the preferred server, select the Preferred check box.

d.

Enter the name of the outgoing interface for NTP packets.

e.

If you want to use MD5 authentication for communicating with the NTP
server:

Specify the key ID for this authentication key in the Key Number list. The
NTP server packets must also use this key ID. If you previously
configured a key ID for another server, you can select it in the list;
otherwise, type a number between 1 and 4294967295.

To set this key as a trusted key, select the Trusted check box. When NTP
authentication is enabled, the device synchronizes only with servers whose
packets are authenticated with a trusted key.

Enter the authentication key as a string of up to 32 characters in length in
the Key Value and Confirm fields.

f.

Click OK.
The NTP Server Configuration dialog box closes and the server is added to
the table.

Step 3

Click Save to save your definitions to the Security Manager server.

Related Topics

NTP Page, page L-149

Configuring SMTP Servers


Use the SMTP Server page to specify the IP address of an SMTP server and,
optionally, the IP address of a backup server.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > SMTP
Server from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server
Access > SMTP Server from the Policy Types selector. Right-click SMTP
Server and select New SMTP Server Policy to create a policy, or select an
existing policy from the Policies selector.
The SMTP Server page is displayed. For a description of the fields on this
page, see Table L-86 on page L-153.

Step 2

Enter the IP address of the SMTP server in the Primary Server IP Address field.


Step 3

To specify a secondary server, enter the IP address of the secondary SMTP server
in the Secondary Server IP Address field.

Step 4

Click Save to save your definitions to the Security Manager server.

Related Topics

SMTP Server Page, page L-152

Configuring TFTP Servers


TFTP is a simple client/server file transfer protocol described in RFC 783 and
RFC 1350 Rev. 2. You can use the TFTP Server page to configure a firewall device
to propagate its configuration files to a server using the Trivial File Transfer
Protocol (TFTP). Only one server is supported.
This page allows you to specify the gateway interface, the IP address of the TFTP
server, and the path and filename to which the configuration file will be written.
TFTP provides no authentication or encryption, and the exported configuration
may contain password hashes, pre-shared keys, and other sensitive settings, so the
TFTP server should be reachable only over a trusted management network.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > Server Access > TFTP
Server from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server
Access > TFTP Server from the Policy Types selector. Right-click TFTP
Server and select New TFTP Server Policy to create a policy, or select an
existing policy from the Policies selector.
The TFTP Server page is displayed. For a description of the fields on this
page, see Table L-87 on page L-154.

Step 2

Enter the name of the interface that will use these TFTP server settings.

Step 3

Enter the IP address of the TFTP server.

Step 4

Enter the path on the TFTP server, beginning with / and ending in the filename,
to which the running configuration file will be written.
Example TFTP server path:

/tftpboot/config/test_config

Note

The path must begin with a forward slash (/).

Step 5

Click Save to save your definitions to the Security Manager server.

Related Topics

TFTP Server Page, page L-153

Configuring User Accounts


The User Accounts page lets you manage the local user database. The local
database is used for the following features:

ASDM per-user access


By default, you can log in to ASDM with a blank username and the enable
password. However, if you enter a username and password at the login screen
(instead of leaving the username blank), ASDM checks the local database for
a match.

Note

Although you can configure HTTP authentication using the local
database, that functionality is always enabled by default. You should only
configure HTTP authentication if you want to use a RADIUS or
TACACS+ server for authentication.

Console authentication

Telnet and SSH authentication

enable command authentication

Command authorization
If you enable command authorization using the local database, the security
appliance refers to the user privilege level to determine what commands are
available. Otherwise, the privilege level is not generally used. By default, all
commands are either privilege level 0 or level 15.


Note

If you add users to the local database who can gain access to the CLI and
whom you do not want to enter privileged mode, you should enable
command authorization. Without command authorization, users can
access privileged mode (and all commands) at the CLI using their own
password if their privilege level is 2 or greater (2 is the default).
Alternatively, you can use RADIUS or TACACS+ authentication for
console access so the user will not be able to use the login command, or
you can set all local users to level 1 so you can control who can use the
system enable password to access privileged mode.

Network access authentication

VPN client authentication

You cannot use the local database for network access authorization.
For multiple context mode, you can configure usernames in the system execution
space to provide individual logins at the CLI using the login command; however,
you cannot configure any aaa commands that use the local database in the system
execution space.

Note

VPN functions are not supported in multimode.
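The two pitfalls called out above, local users who reach privileged mode because
command authorization is off (the Note under Configuring User Accounts), and NTP
servers whose MD5 key is not defined or not trusted (step e under Configuring NTP
Settings), can be checked directly against a device's running configuration. The
Python script below is an added example; it is not part of this guide or of Security
Manager. It parses constructed sample username, aaa, and ntp commands written in
PIX/ASA CLI syntax; the sample configuration, the Finding names, and the reliance on
the default privilege level of 2 for a username with no privilege keyword are the
example's own assumptions.

```python
"""Audit a PIX/ASA running configuration for two device-administration
pitfalls: local users who can reach privileged mode without command
authorization, and NTP servers whose MD5 key is undefined or untrusted.
Example code; the sample configuration below is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Privilege assigned when a "username" command carries no "privilege" keyword.
DEFAULT_PRIVILEGE = 2

# Constructed sample running configuration (assumed ASA CLI syntax).
SAMPLE_CONFIG = """
hostname fw-edge-1
username admin password 8Ry2YjIyt7RRXU24 encrypted privilege 15
username helpdesk password qwErtY123.mDFg encrypted
username auditor password abcDEF456/kLmN encrypted privilege 1
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
ntp authentication-key 1 md5 s3cr3t-key-one
ntp trusted-key 1
ntp server 192.0.2.10 key 1 source outside prefer
ntp server 192.0.2.11 key 2 source outside
"""

USER_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?(?:\s+privilege\s+(\d+))?\s*$")
NTP_SERVER_RE = re.compile(r"^ntp server\s+(\S+)(?:\s+key\s+(\d+))?", re.M)


@dataclass(frozen=True)
class Finding:
    check: str    # short identifier of the rule that fired
    subject: str  # username or NTP server address
    detail: str


def parse_users(config: str) -> Dict[str, int]:
    """Map each local username to its privilege level (default 2)."""
    users: Dict[str, int] = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_PRIVILEGE
    return users


def parse_ntp(config: str):
    """Return (defined key IDs, trusted key IDs, 'ntp authenticate' set, [(server, key)])."""
    keys = {int(k) for k in re.findall(r"^ntp authentication-key\s+(\d+)\s+md5\s", config, re.M)}
    trusted = {int(k) for k in re.findall(r"^ntp trusted-key\s+(\d+)", config, re.M)}
    authenticate = re.search(r"^ntp authenticate\s*$", config, re.M) is not None
    servers: List[Tuple[str, Optional[int]]] = []
    for m in NTP_SERVER_RE.finditer(config):
        servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return keys, trusted, authenticate, servers


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    # Command authorization (LOCAL or a AAA server group) is what makes the
    # privilege level meaningful; without it, a level >= 2 user can enter
    # privileged mode at the CLI with their own password via "login".
    command_authz = re.search(r"^aaa authorization command\s+\S+", config, re.M) is not None
    for name, level in sorted(parse_users(config).items()):
        if level >= 2 and not command_authz:
            findings.append(Finding("local-user-privilege", name,
                f"privilege {level} with no command authorization: user can enter "
                "privileged mode with their own password"))
    keys, trusted, authenticate, servers = parse_ntp(config)
    for server, key in servers:
        if key is None:
            findings.append(Finding("ntp-unauthenticated", server,
                                    "no key: time source is unauthenticated"))
        elif key not in keys:
            findings.append(Finding("ntp-key-undefined", server,
                                    f"key {key} has no ntp authentication-key"))
        elif key not in trusted:
            findings.append(Finding("ntp-key-untrusted", server,
                                    f"key {key} is not an ntp trusted-key"))
    if any(key is not None for _, key in servers) and not authenticate:
        findings.append(Finding("ntp-authenticate-missing", "ntp",
            "keys are configured but 'ntp authenticate' is not set, so they are not enforced"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

On the sample configuration the script flags admin and helpdesk (helpdesk inherits
the default level 2), leaves auditor at level 1 alone, and reports that 192.0.2.11
references a key that was never defined; adding aaa authorization command LOCAL,
the missing key, and ntp authenticate clears every finding.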


Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Device Admin > User Accounts from the
Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > User
Accounts from the Policy Types selector. Right-click User Accounts and
select New User Accounts Policy to create a policy, or select an existing
policy from the Policies selector.
The User Accounts page is displayed. For a description of the fields on this
page, see Table L-88 on page L-155.

Step 2

For each user account you want to define:


a.

Click the Add Row button.


The Add User Account dialog box appears.


b.

Enter the username.

c.

Enter the user's password in the Password and Confirm fields.

d.

Select the privilege level for the user account.

e.

Click OK.
The Add User Account dialog box closes and the user is added to the User
Accounts list.

Step 3

Click Save to save your definitions to the Security Manager server.

Related Topics

User Accounts Page, page L-154

Configuring AAA, page 15-31

Configuring Logging Policies on Firewall Devices


The Logging feature lets you enable logging, set up logging parameters, configure
event lists (syslog filters), apply the filters to a destination, set up syslog
messages, configure syslog servers, and specify e-mail notification parameters.
Once you have enabled logging and set up the logging parameters using the
Logging Setup page, the Event Lists page lets you configure filters (of a set of
syslog messages) which can be sent to a logging destination. The Logging Filters
page lets you specify a logging destination for the syslog messages to be sent.
Finally, the Syslog and E-Mail pages configure syslog and e-mail setup.
The Logging section contains pages for defining the following settings for
firewall devices:

Configuring E-Mail Setup, page 15-78

Configuring Event Lists, page 15-79

Configuring Logging Filters, page 15-81

Configuring Logging Setup, page 15-82

Configuring Rate Limit Levels, page 15-84


Configuring Server Setup, page 15-85

Defining Syslog Servers, page 15-87

Configuring E-Mail Setup


The E-Mail Setup (PIX 7.0/ASA Only) page lets you set up a source e-mail
address as well as a list of recipients for specified syslog messages to be sent as
e-mails. You can filter the syslog messages sent to a destination e-mail address by
severity. The table shows which entries have been set up.
The syslog severity filter used for the destination e-mail address will be the higher
of the severity selected in this section and the global filter set for all e-mail
recipients in the Logging Filters page.
Procedure
Step 1

Select Platform > Logging > E-Mail Setup (PIX7.0/ASA Only).


The E-Mail Setup page appears.

Step 2

Verify or enter the address from which these notifications will be sent in the
Source Email Address field.

Step 3

Do one of the following:

To add a new recipient, click the Add Row button.

To edit the settings of an existing recipient, select the check box for that
recipient, then click the Edit Row button.

The Add/Edit Email Recipient dialog box appears.


Step 4

Specify the recipient's e-mail address in the Destination Email Address field.

Step 5

Select the severity level of the events that should be sent to the recipient in the
Severity list.

Step 6

Click OK.
The recipient rule appears in the table on the E-Mail setup page.

Step 7

Click Save to save your definitions to the Security Manager server.


Related Topics

E-Mail Setup Page, page L-157

Add/Edit Email Recipient Dialog Box, page L-158

Configuring Event Lists


The Event Lists (PIX 7.0/ASA Only) page lets you define a set of syslog messages
to filter for logging. Once you have enabled logging and set up the logging
parameters using the Logging Setup page, the Event Lists page lets you configure
filters (of a set of syslog messages) which can be sent to a logging destination.
The Logging Filters page lets you specify a logging destination for event lists.
You can use three criteria to define an event list:

Class

Severity

Message ID

The class associates related syslog messages so you do not have to select the
syslog messages individually. For example, the auth class lets you select all the
syslog messages that are related to user authentication.
Severity defines syslog messages based on the relative importance of the event in
the normal functioning of the network. The highest severity is Emergency, which
means the resource is no longer available. The lowest severity is Debugging,
which provides detailed information about every network event.
The message ID is a numeric value that uniquely identifies each message. You can
use the message ID in an event list to identify a range of syslog messages, such as
101001-101010.
Procedure
Step 1

Select Platform > Logging > Event Lists (PIX 7.0/ASA Only).
The Event Lists page appears.

Step 2

Do one of the following:

To add a new event list definition, click the Add Row button.


To edit an existing event list definition, select the check box for the row, then
click the Edit Row button.

The Add/Edit Event List dialog box appears.


Step 3

Specify a unique name for the event list in the Event List Name field.

Step 4

To add events based on system event classes and severity level pairings, click Add
Row under Event Class/Severity Filters, and do the following:
a.

Select the event class in the Event Class list.

b.

Select the severity level of the events that you want to generate in the Severity
list.

c.

Click OK to add this new filter.

Step 5

Repeat Step 4 as needed.

Step 6

To add events based on the message ID, click Add Row under Message ID Filters,
and do the following:
a.

Enter one or more message IDs in the Message IDs field.

These values and their corresponding messages are identified in the System
Log Message guides for the appropriate product. You can access these guides
from the following URLs:
PIX Firewall
http://cco.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guides_list.html
ASA
http://cco.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html
FWSM
http://cco.cisco.com/en/US/products/hw/modules/ps2706/products_system_message_guides_list.html
b.

Click OK to add this new filter.

Step 7

Repeat Step 6 as needed.

Step 8

Click OK.
The event list appears in the table on the Event List page.


Step 9

Click Save to save your definitions to the Security Manager server.

Related Topics

Event Lists Page, page L-158

Add/Edit Event List Dialog Box, page L-160

Configuring Logging Filters


The Logging Filters page lets you configure a logging destination for event lists
(syslog filters) that have been configured using the Event Lists page, or for only
the syslog messages that you specify using the Edit Logging Filters page. Syslog
messages from specific or all event classes can be selected using the Edit Logging
Filters page.
Procedure
Step 1

Select Platform > Logging > Logging Filters.


The Logging Filters page appears.

Step 2

Do one of the following:

To add a new filter rule, click the Add Row button.

To edit the settings defined for a rule, select the check box for the filter rule,
then click the Edit Row button.

The Edit Logging Filters dialog box appears.


Step 3

Select the destination for this filter rule in the Logging Destination list.

Step 4

To specify settings that apply to all syslog event classes, do one of the following:

To specify the highest level of events to log, click the Filter on severity radio
button and then select the appropriate level in the list box that becomes
editable.
Severity levels are aggregate: selecting a level logs messages at that level and
at every more severe level. The list is ordered from sparse (Emergencies) to
detailed (Debugging), so each choice adds the events of the next lower severity.


Step 5

To specify that you want this device to generate only those events defined in
an event list, click the Use event list radio button and then select the
appropriate event list in the list box that becomes editable.

To disable event logging for this security appliance, click the Disable logging
radio button.

To define custom event levels based on a system-defined event class, select the
event class and the associated level of events, and click the >> (Add) button.
The custom event level appears in the list.

Step 6

Repeat Step 5 as needed.

Step 7

Click OK.
The logging filter rule appears in the table.

Step 8

Click Save to save your definitions to the Security Manager server.

Related Topics

Logging Filters Page, page L-163
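The three event-list criteria described under Configuring Event Lists (class,
severity, message ID range) and the aggregate severity rule used by the Filter on
severity option in Step 4 above can both be expressed as a predicate over parsed
syslog lines. The Python below is an added example, not code from this guide or from
Security Manager. It parses the %ASA-severity-ID: message format, derives the event
class from a constructed partial map of message-ID prefixes (the System Log Message
guide for each platform is the authoritative mapping), and applies an event list and
a plain severity filter to constructed sample lines; the sample lines, the class map,
and the admin-activity event list are the example's own.

```python
"""Apply a syslog event list (class/severity pairs plus message-ID ranges)
and a plain severity filter to PIX/ASA/FWSM syslog lines.
Example code; the sample log lines and the class map below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Syslog severity names as the Logging pages list them, most to least severe.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Partial map from the first three digits of a message ID to its event class.
# Constructed for this example from common message families; consult the
# System Log Message guide for the authoritative mapping.
CLASS_BY_PREFIX = {"106": "session", "109": "auth", "111": "config",
                   "113": "auth", "302": "session", "605": "sys"}

# "%ASA-6-302013: text", possibly preceded by a timestamp or device ID.
MSG_RE = re.compile(r"%(ASA|PIX|FWSM)-(\d)-(\d{6}):\s*(.*)$")


@dataclass(frozen=True)
class Syslog:
    platform: str
    severity: int   # 0 (emergencies) .. 7 (debugging)
    msg_id: int
    text: str

    @property
    def event_class(self) -> str:
        return CLASS_BY_PREFIX.get(str(self.msg_id)[:3], "unknown")


def parse_syslog(line: str) -> Optional[Syslog]:
    m = MSG_RE.search(line)
    if not m:
        return None
    return Syslog(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4))


@dataclass
class EventList:
    name: str
    # (event class or "all", severity name): matches that class at that
    # severity and at every more severe level, as the Logging Filters page does.
    class_filters: List[Tuple[str, str]] = field(default_factory=list)
    id_ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive

    def matches(self, msg: Syslog) -> bool:
        for cls, level in self.class_filters:
            if cls in ("all", msg.event_class) and msg.severity <= SEVERITY[level]:
                return True
        return any(lo <= msg.msg_id <= hi for lo, hi in self.id_ranges)


def severity_filter(level: str) -> Callable[[Syslog], bool]:
    """'Filter on severity': log this level and everything more severe."""
    limit = SEVERITY[level]
    return lambda msg: msg.severity <= limit


def apply_filter(lines: List[str], predicate: Callable[[Syslog], bool]) -> List[Syslog]:
    parsed = (parse_syslog(line) for line in lines)
    return [msg for msg in parsed if msg is not None and predicate(msg)]


# Constructed sample lines in the ASA message format (RFC 5737 addresses).
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 "
    "(198.51.100.7/443) to inside:10.0.0.25/52110 (203.0.113.2/52110)",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.25/22 "
    "by access-group \"outside_in\"",
    "%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.40 : user = alice",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : "
    "server = 10.0.0.40 : user = admin : user IP = 198.51.100.9",
    "%ASA-6-605005: Login permitted from 10.0.0.30/50822 to inside:10.0.0.1/ssh for user \"admin\"",
    "%ASA-7-111009: User 'admin' executed cmd: show running-config",
    "heartbeat line with no syslog header",
]

# An event list for administrative and authentication activity: the auth and
# sys classes at informational and more severe, plus the 111008-111010
# command-audit messages selected by ID range.
ADMIN_ACTIVITY = EventList("admin-activity",
                           class_filters=[("auth", "informational"), ("sys", "informational")],
                           id_ranges=[(111008, 111010)])

if __name__ == "__main__":
    for msg in apply_filter(SAMPLE_LOG, ADMIN_ACTIVITY.matches):
        print(f"{msg.msg_id} [{msg.event_class}/{msg.severity}] {msg.text}")
```

Note that the debugging-level 111009 command-audit message is caught only by its
ID range: a class/severity pair at informational would miss it, which is why the
page offers both criteria.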

Configuring Logging Setup


The Logging Setup page lets you enable system logging on the security appliance
and configure other logging options. These options include enabling logging on
the security appliance and its failover unit, specifying the base log format and
level of detail, and saving the internal buffer to longer-term storage (an FTP
server or flash) before the buffer is purged.
Procedure
Step 1

Select Platform > Logging > Logging Setup.


The Logging Setup page appears.

Step 2

Select the Enable Logging check box.


This option enables logging on the security appliance.

Step 3

To enable logging on the failover unit paired with this security appliance, select
the Enable logging on the standby failover unit check box.


Step 4

To enable EMBLEM format or to send debug messages as part of the syslog
messages, select the corresponding check boxes.
If you enable EMBLEM, you must use the UDP protocol to publish syslog
messages. It is not compatible with TCP.

Step 5

To write the internal buffer data to an FTP server for future processing prior to
clearing the buffer, do the following:
a.

Select the FTP Server Bu.... check box.

b.

Enter the IP address of the FTP server in the IP Address field.

c.

Enter the username of the account used to log into the FTP server in the User
Name field.

d.

Enter the path in the Path field, relative to the FTP root, where the file should
be stored.

e.

Enter and confirm the password used to authenticate the username.
FTP sends these credentials and the buffered log data in the clear, so use a
dedicated account whose write access is limited to the log directory.

Step 6

To write the internal buffer data to flash for future processing prior to clearing the
buffer, do the following:
a.

Select the Flash check box.

b.

Specify the maximum amount of memory to allocate to the storage of internal
buffer data.

c.

Specify the minimum memory that should remain free on the flash drive. If
this minimum value cannot be retained while writing out the data from the
internal buffer, the messages will be pruned to meet the space requirements.

Step 7

To specify the maximum queue size maintained on the appliance for viewing by
an ASDM client, enter that value in the Message Queue Size (Messages) field.

Step 8

Click Save to save your definitions to the Security Manager server.

Related Topics

Logging Setup Page, page L-166


Configuring Rate Limit Levels


The Rate Limit (FWSM Only) page allows you to specify the maximum number
of log messages of a particular type (for example, alert or critical) that should be
generated within a given period of time. A limit can be specified for each logging
level (see Add/Edit Rate Limit for Syslog Logging Levels Dialog Box,
page L-169) or for an individual syslog message ID (see Add/Edit Rate Limited
Syslog Message Dialog Box, page L-170). If both apply to a message and the
settings differ, the syslog message ID limit overrides the logging level limit. To
access this feature, select Platform > Logging > Rate Limit (FWSM Only).

Note

This feature is available only when configuring Firewall Services Modules
(FWSMs). Neither PIX Firewall nor ASA supports these commands.
Procedure

Step 1

Select Platform > Logging > Rate Limit (FWSM Only).


The Rate Limit page appears.

Step 2

Do one of the following:

To specify the maximum number of log messages for particular log level that
should be generated within a given period of time, click the Add Row button
under Rate Limits for Syslog Logging Levels, and then select a logging level
from the Logging Level list.

To specify the maximum number of log messages of a particular Syslog ID
that should be generated within a given period of time, click the Add Row
button under Individual Rate Limited Syslog Messages, and then enter the ID
of the syslog message that you want to limit in the Syslog ID field.


Step 3

Enter the maximum number of messages that should be generated for the specified
period of time. To generate an unlimited number of messages, leave the Number
of Messages field blank.

Step 4

Enter the number of seconds before the counter should reset in the Interval
(seconds) field.

Step 5

Click OK.
The rule appears in the corresponding table.

Step 6

Click Save to save your definitions to the Security Manager server.

Related Topics

Rate Limit Page, page L-168

Add/Edit Rate Limit for Syslog Logging Levels Dialog Box, page L-169

Add/Edit Rate Limited Syslog Message Dialog Box, page L-170
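The precedence rule above (a syslog-ID limit overrides the logging-level limit when
both apply) and the Interval after which the counter resets are easiest to see in a
small model of the limiter. The Python below is an added example and is not code from
this guide or from the FWSM. It assumes a fixed window that resets Interval seconds
after the first counted message, treats a blank Number of Messages (None) as unlimited,
and counts all messages of a given level against one shared counter; that last point
is an assumption about the module's behaviour, not something this page states. The
event stream is constructed.

```python
"""Model of the FWSM Rate Limit page: per-logging-level and per-syslog-ID
message limits over a fixed interval, with ID limits taking precedence.
Example code; the event stream below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (maximum messages per interval, or None for unlimited; interval in seconds)
Limit = Tuple[Optional[int], int]


@dataclass
class RateLimiter:
    level_limits: Dict[int, Limit] = field(default_factory=dict)  # severity -> limit
    id_limits: Dict[int, Limit] = field(default_factory=dict)     # message ID -> limit
    # Per-rule window state: (window start time, messages counted in the window).
    windows: Dict[tuple, Tuple[float, int]] = field(default_factory=dict, init=False)

    def rule_for(self, msg_id: int, severity: int):
        """A syslog-ID limit is used when one exists; otherwise the level limit."""
        if msg_id in self.id_limits:
            return ("id", msg_id), self.id_limits[msg_id]
        if severity in self.level_limits:
            return ("level", severity), self.level_limits[severity]
        return None, None

    def allow(self, now: float, msg_id: int, severity: int) -> bool:
        """Return True if the message may be generated at time now."""
        key, limit = self.rule_for(msg_id, severity)
        if key is None:
            return True
        max_count, interval = limit
        if max_count is None:          # blank Number of Messages: unlimited
            return True
        start, count = self.windows.get(key, (now, 0))
        if now - start >= interval:    # the counter resets after the interval
            start, count = now, 0
        if count >= max_count:
            self.windows[key] = (start, count)
            return False
        self.windows[key] = (start, count + 1)
        return True


def replay(limiter: RateLimiter, events: List[Tuple[float, int, int]]) -> List[bool]:
    """Run (time, msg_id, severity) events through the limiter in order."""
    return [limiter.allow(t, msg_id, sev) for t, msg_id, sev in events]


# Constructed stream: informational (6) connection and AAA messages plus
# warning (4) access-list denies, all within a few seconds.
SAMPLE_EVENTS = [
    (0, 302013, 6), (1, 302013, 6), (1, 113004, 6), (2, 113005, 6),
    (3, 605005, 6), (4, 106023, 4), (5, 106023, 4), (12, 605005, 6), (15, 106023, 4),
]


def build_limiter() -> RateLimiter:
    # Level 6: at most 2 messages per 10 s. ID 302013 is exempted (unlimited)
    # and ID 106023 is held to 1 per 10 s; each ID rule overrides any level rule.
    return RateLimiter(level_limits={6: (2, 10)},
                       id_limits={302013: (None, 10), 106023: (1, 10)})


if __name__ == "__main__":
    for event, allowed in zip(SAMPLE_EVENTS, replay(build_limiter(), SAMPLE_EVENTS)):
        print(event, "sent" if allowed else "rate-limited")
```

In the replay the two 302013 messages never count against the level-6 limit because
their ID rule wins, the third level-6 message (605005 at t=3) is dropped, and both
counters admit traffic again once the 10-second window has elapsed.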

Configuring Server Setup


The Server Setup page allows you to configure the syslog server that runs on the
security appliance. The settings that you specify on this page define the possible
behaviors of the specific syslog server instance on the security appliance. You can
set the facility code to include in syslog messages, include timestamp in syslog,
view syslog ID levels, modify syslog ID levels, and suppress syslog messages.
To generate meaningful reports about the network activity of a security appliance
and to monitor the security events associated with that device, you must select the
appropriate logging level. The logging level generates the syslog details required
to track session-specific data. After you select a logging level, you can define a
syslog rule that directs traffic to a third-party syslog server or CS-MARS.
Procedure
Step 1

Select Platform > Logging > Server Setup.


The Server Setup page appears.

Step 2

Select the log facility to use for this security appliance in the Facility field.


Step 3

To include a timestamp with each syslog message, select the Enable Timestamp
on Each Syslog Message check box.

Step 4

To specify a unique device ID as part of the syslog message, select the Enable
Syslog Device ID check box and do one of the following:

To identify the device using the name of the interface from which the syslog
messages are sent, click the Interface radio button and enter or select the
interface name in the field that becomes editable.

To provide a custom name, click the User Defined ID radio button and enter
the name in the empty field that becomes editable.

To use the hostname of the security appliance, click the Host Name radio
button.

Step 5

Do one of the following to modify the syslog settings:

To add a new row, click the Add Row button.

To edit a row, select the check box for the row, then click the Edit Row button.

The Add/Edit Syslog Message dialog box appears.


Step 6

Select the message for which you want to change the current settings in the Syslog
ID list.

Step 7

To change the logging level of this message, select the new level in the Logging
Level list.

Step 8

To enable the generation of this message, deselect the Suppress check box.

Step 9

Click OK.
The rule appears in the table.

Step 10

Click Save to save your definitions to the Security Manager server.

Related Topics

Server Setup Page, page L-171


Defining Syslog Servers


The Syslog Servers page lets you specify the syslog servers to which the security
appliance will send syslog messages. To make use of the syslog server(s) you
define, you must enable logging using the Logging Setup page and set up the
appropriate filters for destinations using the Logging Filters page.

Note

Syslog messages can be sent to CS-MARS and third-party products.


By directing syslog records generated by a security appliance to a syslog server,
you can process and study the records.
Before You Begin

Enable logging. See Configuring Logging Setup, page 15-82.


Procedure
Step 1

Select Platform > Logging > Syslog Servers.


The Syslog Servers page appears.

Step 2

Do one of the following:

To add a new syslog target, click the Add Row button.

To edit an existing syslog target, select the check box for the row, then click
the Edit Row button.

Step 3

Enter or select the interface name in the Interface field.

The list displays all interfaces defined at the current scope.

Step 4

Enter or select the IP address of the syslog server in the IP Address field.

Step 5

Determine whether to use UDP or TCP, then click the appropriate radio button
under Protocol. UDP delivers messages without acknowledgment, so messages
can be lost silently. With TCP, the security appliance detects a syslog server it
cannot reach and, by default, stops permitting new connections until the server
is reachable again, so a TCP syslog server must be highly available.

Step 6

Enter the port from which the security appliance sends either UDP or TCP syslog
messages. The port must be the same port at which the syslog server listens.

TCP: 1470 (default). TCP ports work only with a security appliance syslog
server.

UDP: 514 (default).


Step 7

To generate syslog messages using the EMBLEM format, select the Log messages
in Cisco EMBLEM format check box.
To enable this option, you must select UDP protocol to publish messages to this
syslog server.

Step 8

Click OK.
The definition appears in the Syslog Servers table.

Step 9

Click Save to save your definitions to the Security Manager server.

Related Topics

Syslog Servers Page, page L-175

Add/Edit Syslog Server Dialog Box, page L-176

Configuring Multicast Policies on Firewall Devices


The Multicast section contains pages for defining multicast routing settings for
firewall devices. For more information, see the following topics:

Enabling Multicast Routing, page 15-88

Configuring IGMP, page 15-89

Configuring Multicast Routes, page 15-91

Configuring PIM, page 15-92

Enabling Multicast Routing


The Enable Multicast Routing page lets you enable multicast routing on the
security appliance. Enabling multicast routing enables Internet Group
Management Protocol (IGMP) and Protocol Independent Multicast (PIM) on all
interfaces by default. IGMP is used to learn whether members of a group are
present on directly attached subnets. Hosts join multicast groups by sending
IGMP report messages. PIM is used to maintain forwarding tables to forward
multicast datagrams.


Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Multicast > Enable Multicast Routing
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Enable
Multicast Routing from the Policy Types selector. Right-click Enable
Multicast Routing and select New Enable Multicast Routing Policy to
create a policy, or select an existing policy from the Policies selector.
The Enable Multicast Routing page is displayed. For a description of the
fields on this page, see Table L-108 on page L-179.

Step 2

To enable IP multicast routing on the security appliance, select the Enable
multicast routing check box.

Step 3

Click Save to save your definitions to the Security Manager server.

Related Topics

Enable Multicast Routing Page, page L-178

Configuring IGMP
IP hosts use IGMP to report their group memberships to directly connected
multicast routers. IGMP uses group addresses (Class D IP addresses). Host group
addresses can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0
is never assigned to any group. The address 224.0.0.1 is assigned to all systems
on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet.
For more information about configuring IGMP on the security appliance, see the
following:

Protocol

Access Group

Static Group

Join Group


Protocol
The Protocol tab displays the IGMP parameters for each interface on the security
appliance. From this tab, you can disable IGMP and change IGMP parameters for
an interface. For more information, see Protocol Tab, page L-180.

Access Group
Access groups restrict the multicast groups that are allowed on an
interface. From the Access Group tab, you can add a new access group to the
Access Group Table or change information for an existing access group entry.
Some fields may be locked when editing existing entries. For more information,
see Access Group Tab, page L-183.

Static Group
Sometimes, hosts on a network may have a configuration that prevents them from
answering IGMP queries. However, you still want multicast traffic to be
forwarded to that network segment. There are two methods to pull multicast
traffic down to a network segment:

Use the Join Group panel to configure the interface as a member of the
multicast group. With this method, the security appliance accepts the
multicast packets in addition to forwarding them to the specified interface.

Use the Static Group panel to configure the security appliance to be a statically
connected member of a group. With this method, the security appliance does
not accept the packets itself, but only forwards them. Therefore, this method
allows fast switching. The outgoing interface appears in the IGMP cache, but
itself is not a member of the multicast group.

From the Static Group tab, you can statically assign a multicast group to an
interface or change existing static group assignments. For more information, see
Static Group Tab, page L-184.

Join Group
You can configure the security appliance to be a member of a multicast group. The
Join Group tab displays the multicast groups of which the security appliance is a
member.


Note

If you simply want to forward multicast packets for a specific group to an
interface without the security appliance accepting those packets as part of the
group, see Static Group.
From the Join Group tab, you can configure an interface to be a member of a
multicast group or change existing membership information. For more
information, see Join Group Tab, page L-186.

Configuring Multicast Routes


Defining static multicast routes lets you separate multicast traffic from unicast
traffic. For example, when a path between a source and destination does not
support multicast routing, the solution is to configure two multicast devices with
a GRE tunnel between them and to send the multicast packets over the tunnel.
Static multicast routes are local to the security appliance and are not advertised or
redistributed. For more information, see Multicast Routing Page, page L-187.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Multicast > Multicast Routing from the
Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Multicast > Multicast
Routing from the Policy Types selector. Right-click Multicast Routing and
select New Multicast Routing Policy to create a policy, or select an existing
policy from the Policies selector.
The Multicast Routing page is displayed. For a description of the fields on
this page, see Table L-117 on page L-188.

Step 2

To add a multicast route, click the Add Row button.
The Add/Edit MRoute Configuration dialog box is displayed.

Step 3

For instructions on completing this dialog box, see Add/Edit MRoute
Configuration Dialog Box, page L-188.


Step 4

Click Save to save your definitions to the Security Manager server.

Related Topics

Configuring Multicast Policies on Firewall Devices, page 15-88

Multicast Routing Page, page L-187

Configuring PIM
Routers use Protocol Independent Multicast (PIM) to maintain the forwarding
tables used to forward multicast datagrams.
When you enable multicast routing on the security appliance, PIM is enabled on
all interfaces by default. You can disable PIM on a per-interface basis.
For more information about configuring PIM, see the following:

Protocol

Rendezvous Points

Route Tree

Request Filter

Protocol
The Protocol tab displays the interface-specific PIM properties. From this tab, you
can change the PIM properties for an interface. For more information, see
Protocol Tab, page L-190.

Rendezvous Points
When you configure PIM, you must choose one or more routers to operate as the
rendezvous point (RP). An RP is a single, common root of a shared distribution
tree and is statically configured on each router. First hop routers use the RP to
send register packets on behalf of the source multicast hosts.
You can configure a single RP to serve more than one group. If a specific group
is not specified, the RP for the group is applied to the entire IP multicast group
range (224.0.0.0/4).

You can configure more than one RP, but you cannot have more than one entry
with the same RP. For more information, see Rendezvous Points Tab, page L-192.

Route Tree
By default, PIM leaf routers join the shortest-path tree immediately after the first
packet arrives from a new source. This reduces delay, but requires more memory
than a shared tree.
You can configure whether the security appliance should join the shortest-path
tree or use a shared tree, either for all multicast groups or only for specific
multicast addresses. For more information, see Route Tree Tab, page L-196.

Request Filter
When the security appliance is acting as an RP, you can restrict specific multicast
sources from registering with it. This prevents unauthorized sources from
registering with the RP. The Request Filter panel lets you define the multicast
sources from which the security appliance will accept PIM register messages. For
more information, see Request Filter Tab, page L-198.

Configuring Routing Policies on Firewall Devices


The Routing section contains pages for defining routing settings for firewall
devices. For more information, see the following topics:

Configuring No Proxy ARP, page 15-94

Configuring OSPF, page 15-95

Configuring RIP, page 15-96

Configuring Static Routes, page 15-98


Configuring No Proxy ARP


The No Proxy ARP page allows you to disable proxy ARP for global addresses.
When a host sends IP traffic to another device on the same Ethernet network, the
host needs to know the MAC address of the device. ARP is a Layer 2 protocol that
resolves an IP address to a MAC address. A host sends an ARP request asking
"Who is this IP address?" The device owning the IP address replies, "I own that
IP address; here is my MAC address."
Proxy ARP is when a device responds to an ARP request with its own MAC
address, even though the device does not own the IP address. The security
appliance uses proxy ARP when you configure NAT and specify a global address
that is on the same network as the security appliance interface. The only way
traffic can reach the hosts is if the security appliance uses proxy ARP to claim that
the security appliance MAC address is assigned to destination global addresses.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > No Proxy ARP from the Device
Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > No Proxy
ARP from the Policy Types selector. Right-click No Proxy ARP and select
New No Proxy ARP Policy to create a policy, or select an existing policy
from the Policies selector.
The No Proxy ARP page is displayed. For a description of the fields on this
page, see Table L-128 on page L-202.

Step 2

Click Edit.
The Edit Interfaces dialog box is displayed.

Step 3

Enter the names of the interfaces for which proxy ARP is disabled. By default,
proxy ARP is enabled for all interfaces. Separate multiple interfaces with a
comma.

Tip

You can click Select to choose the interfaces from a list of interfaces defined on
the device or from the interface roles defined in Security Manager.


Step 4

Click Save to save your definitions to the Security Manager server.

Configuring OSPF
OSPF is an interior gateway routing protocol that uses link states rather than
distance vectors for path selection. OSPF propagates link-state advertisements
(LSAs) rather than routing table updates. Because only LSAs are exchanged,
rather than entire routing tables, OSPF networks converge more quickly than RIP
networks.
OSPF supports MD5 and clear text neighbor authentication. Authentication
should be used with all routing protocols when possible because route
redistribution between OSPF and other protocols (like RIP) can potentially be
used by attackers to subvert routing information.
If NAT is used, if OSPF is operating on public and private areas, and if address
filtering is required, then you need to run two OSPF processes: one process for
the public areas and one for the private areas.
A router that has interfaces in multiple areas is called an Area Border Router
(ABR). A router that acts as a gateway to redistribute traffic between routers using
OSPF and routers using other routing protocols is called an Autonomous System
Boundary Router (ASBR).
An ABR uses LSAs to send information about available routes to other OSPF
routers. Using ABR type 3 LSA filtering, you can have separate private and public
areas with the security appliance acting as an ABR. Type 3 LSAs (inter-area
routes) can be filtered from one area to another. This lets you use NAT and OSPF
together without advertising private networks.

Note

Only type 3 LSAs can be filtered. If you configure the security appliance as an
ASBR in a private network, it will send type 5 LSAs describing private networks,
which will get flooded to the entire AS including public areas.
If NAT is employed but OSPF is only running in public areas, routes to public
networks can be redistributed inside the private network, either as default or type
5 AS External LSAs. However, you need to configure static routes for the private
networks protected by the security appliance. Also, you should not mix public and
private networks on the same security appliance interface.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > OSPF from the Device Policy
selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > OSPF from the
Policy Types selector. Right-click OSPF and select New OSPF Policy to
create a policy, or select an existing policy from the Policies selector.
The OSPF page is displayed. For a description of the fields on this page, see
OSPF Page, page L-203.

Step 2

Click Save to save your definitions to the Security Manager server.

Configuring RIP
RIP is a distance-vector routing protocol that uses hop count as the metric for path
selection. When RIP is enabled on an interface, the interface exchanges RIP
broadcasts with neighboring devices to dynamically learn about and advertise
routes.
The security appliance supports both RIP version 1 and RIP version 2. RIP
version 1 does not send the subnet mask with the routing update. RIP version 2
sends the subnet mask with the routing update and supports variable-length subnet
masks. Additionally, RIP version 2 supports neighbor authentication when
routing updates are exchanged. This authentication ensures that the security
appliance receives reliable routing information from a trusted source.

Note

You cannot enable RIP if you have OSPF processes running.


Limitations

RIP has the following limitations:

The security appliance cannot pass RIP updates between interfaces.

RIP Version 1 does not support variable-length subnet masks.


RIP has a maximum hop count of 15. A route with a hop count greater than
15 is considered unreachable.

RIP convergence is relatively slow compared to other routing protocols.

RIP Version 2 Notes

The following information applies to RIP Version 2 only:

If using neighbor authentication, the authentication key and key ID must be
the same on all neighbor devices that provide RIP version 2 updates to the
interface.

With RIP version 2, the security appliance transmits and receives default
route updates using the multicast address 224.0.0.9. In passive mode, it
receives route updates at that address.

When RIP version 2 is configured on an interface, the multicast address
224.0.0.9 is registered on that interface. When a RIP version 2 configuration
is removed from an interface, that multicast address is unregistered.

Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > RIP from the Device Policy
selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > RIP from the
Policy Types selector. Right-click RIP and select New RIP Policy to create a
policy, or select an existing policy from the Policies selector.
The RIP page is displayed. For a description of the fields on this page, see
Table L-149 on page L-237.

Step 2

Click Save to save your definitions to the Security Manager server.


Configuring Static Routes


The Static Route page lets you create static routes that will access networks
connected to a router on any interface. To enter a default route, set the IP address
and mask to 0.0.0.0, or the shortened form of 0.
If an IP address from one of the security appliance's interfaces is used as the
gateway IP address, the security appliance will resolve the designated IP address
in the packet instead of resolving the gateway IP address.
Leave the Metric at the default of 1 unless you are sure of the number of hops to
the gateway router.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Routing > Static Route from the Device
Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Routing > Static Route
from the Policy Types selector. Right-click Static Route and select New
Static Route Policy to create a policy, or select an existing policy from the
Policies selector.
The Static Route page is displayed. For a description of the fields on this
page, see Table L-151 on page L-241.

Step 2

Click Save to save your definitions to the Security Manager server.

Configuring Security Policies on Firewall Devices


You can configure the following security policies for firewall devices:

Configuring Floodguard, Anti-Spoofing, and Fragment Settings, page 15-99

Configuring Timeouts, page 15-102


Configuring Floodguard, Anti-Spoofing, and Fragment Settings


Use the General page under Security to enable or disable Floodguard on a PIX 6.3
or FWSM 2.x firewall device, to enable Unicast Reverse Path Forwarding
(anti-spoofing) on an interface, and to configure IP fragment settings for a
security appliance or for each interface of the security appliance.
Floodguard

Floodguard lets you reclaim firewall resources if the user authentication
subsystem runs out of resources. If an inbound or outbound uauth connection is
being attacked or overused, the firewall will actively reclaim TCP user resources.
If the user authentication subsystem is depleted, TCP user resources in different
states are reclaimed depending on urgency in the following order:

1. Timewait

2. LastAck

3. FinWait

4. Embryonic

5. Idle

The floodguard command is enabled by default.


Anti-Spoofing

Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP
address to obscure its true source) by ensuring that all packets have a source IP
address that matches the correct source interface according to the routing table.
Normally, the security appliance only looks at the destination address when
determining where to forward the packet. Unicast RPF instructs the security
appliance to also look at the source address; this is why it is called Reverse Path
Forwarding. For any traffic that you want to allow through the security appliance,
the security appliance routing table must include a route back to the source
address. See RFC 2267 for more information.
For outside traffic, for example, the security appliance can use the default route
to satisfy the Unicast RPF protection. If traffic enters from an outside interface,
and the source address is not known to the routing table, the security appliance
uses the default route to correctly identify the outside interface as the source
interface.


If traffic enters the outside interface from an address that is known to the routing
table, but is associated with the inside interface, the security appliance drops the
packet. Similarly, if traffic enters the inside interface from an unknown source
address, the security appliance drops the packet because the matching route (the
default route) indicates the outside interface.
Unicast RPF is implemented as follows:

ICMP packets have no session, so each packet is checked.

UDP and TCP have sessions, so the initial packet requires a reverse route
lookup. Subsequent packets arriving during the session are checked using an
existing state maintained as part of the session. Non-initial packets are
checked to ensure they arrived on the same interface used by the initial
packet.
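The reverse-route check just described can be modelled in a few lines. The following is an added example, not Security Manager or appliance code; the interface names, routing table and addresses in it are constructed, and the session is keyed on the one-directional 5-tuple for simplicity.

```python
"""Unicast RPF (reverse path forwarding) check as described above: the route
back to a packet's source must point at the interface the packet arrived on.
Added illustration; not Security Manager or appliance code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


class RoutingTable:
    """Longest-prefix-match lookup; a 0.0.0.0/0 entry acts as the default route."""

    def __init__(self, routes: Iterable[Route]):
        # Most specific prefix first, so the first hit is the longest match.
        self._routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, address: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(address)
        for route in self._routes:
            if addr in route.prefix:
                return route.interface
        return None


# (proto, src, sport, dst, dport) identifies a TCP/UDP session in one direction.
SessionKey = Tuple[str, str, int, str, int]


class UnicastRPF:
    def __init__(self, table: RoutingTable, enabled_interfaces: Iterable[str]):
        self.table = table
        self.enabled = set(enabled_interfaces)     # interfaces with anti-spoofing on
        self.sessions: Dict[SessionKey, str] = {}  # session -> ingress interface

    def _reverse_path_ok(self, src: str, ingress: str) -> bool:
        # Reverse route lookup: the route back to the source (possibly the default
        # route) must select the interface the packet came in on.
        return self.table.lookup(src) == ingress

    def check(self, proto: str, src: str, dst: str, ingress: str,
              sport: int = 0, dport: int = 0) -> bool:
        """Return True if the packet passes (or is exempt from) the uRPF check."""
        if ingress not in self.enabled:
            return True                                   # anti-spoofing not enabled here
        if proto == "icmp":
            return self._reverse_path_ok(src, ingress)    # no session: check every packet
        key: SessionKey = (proto, src, sport, dst, dport)
        if key in self.sessions:
            # Non-initial packet: must arrive on the interface the initial packet used.
            return self.sessions[key] == ingress
        ok = self._reverse_path_ok(src, ingress)          # initial packet: reverse lookup
        if ok:
            self.sessions[key] = ingress
        return ok


# Constructed sample topology: 10.1.0.0/16 behind "inside", default route via "outside".
SAMPLE_TABLE = RoutingTable([
    Route(ipaddress.IPv4Network("10.1.0.0/16"), "inside"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "outside"),
])


def run_sample_checks() -> Dict[str, bool]:
    """The cases described in the text, run against the constructed table."""
    rpf = UnicastRPF(SAMPLE_TABLE, ["inside", "outside"])
    return {
        # Unknown source on outside: the default route satisfies the check.
        "outside_unknown_src": rpf.check("icmp", "198.51.100.7", "10.1.2.3", "outside"),
        # Inside address arriving on outside: route points at inside, so dropped.
        "outside_spoofed_inside_src": rpf.check("icmp", "10.1.2.3", "10.1.2.9", "outside"),
        # Unknown source on inside: the matching (default) route indicates outside, dropped.
        "inside_unknown_src": rpf.check("icmp", "192.0.2.5", "10.1.2.3", "inside"),
        # TCP: the initial packet does the reverse lookup and records the interface.
        "tcp_initial": rpf.check("tcp", "10.1.2.3", "198.51.100.7", "inside", 40000, 80),
        # A later packet of the same session on a different interface is dropped.
        "tcp_noninitial_wrong_iface": rpf.check("tcp", "10.1.2.3", "198.51.100.7", "outside", 40000, 80),
        "tcp_noninitial_same_iface": rpf.check("tcp", "10.1.2.3", "198.51.100.7", "inside", 40000, 80),
    }


if __name__ == "__main__":
    for name, passed in run_sample_checks().items():
        print(f"{name}: {'pass' if passed else 'drop'}")
```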

Fragment Settings

Fragment settings provide additional management of packet fragmentation and
improve compatibility with the Network File System (NFS).
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > Security > General from the Device Policy
selector.

(Policy view) Select PIX/ASA/FWSM Platform > Security > General from
the Policy Types selector. Right-click General and select New General
Policy to create a policy, or select an existing policy from the Policies
selector.
The General page is displayed. For a description of the fields on this page, see
Table L-153 on page L-245.

Step 2

To disable floodguard, select the Disable Floodguard (PIX 6.3 and FWSM 2.x
only) check box.

Step 3

To configure default fragment settings for this policy:

a. Select the Enable Default Settings check box.

b. Enter the maximum number of packets that can be in the IP reassembly
database waiting for reassembly. The default is 200.


c. Enter the maximum number of packets into which a full IP packet can be
fragmented. The default is 24 packets.

d. Enter the maximum number of seconds to wait for an entire fragmented
packet to arrive. The timer starts after the first fragment of a packet arrives.
If all fragments of the packet do not arrive by the number of seconds
specified, all fragments of the packet that were already received will be
discarded. The default is 5 seconds.

Step 4

For each interface on which you want to enable anti-spoofing or configure
fragment settings:

a. Click the Add Row button.

The Add General Security Configuration dialog box appears.

b. Enter the name of the interface for which you want to enable anti-spoofing or
configure fragment settings.

c. To enable anti-spoofing on the specified interface, select the Enable
Anti-Spoofing check box.

d. To override the default fragment settings on the specified interface, select the
Override Default Fragment Settings check box and then enter the new
values:

   Enter the maximum number of packets that can be in the IP reassembly
   database waiting for reassembly. The default is 200.

   Enter the maximum number of packets into which a full IP packet can be
   fragmented. The default is 24 packets.

   Enter the maximum number of seconds to wait for an entire fragmented
   packet to arrive. The timer starts after the first fragment of a packet
   arrives. If all fragments of the packet do not arrive by the number of
   seconds specified, all fragments of the packet that were already received
   will be discarded. The default is 5 seconds.

e. Click OK.

The Add General Security Configuration dialog box closes and the interface
is added to the table.

Step 5

Click Save to save your definitions to the Security Manager server.
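The three fragment settings entered in Steps 3 and 4 (reassembly database size, fragments per packet, and the reassembly timer that starts with the first fragment) determine what an appliance does with partial packets. The model below is an added example, not Security Manager or appliance code; the Fragment record, byte-based offsets (real IP uses 8-byte units) and the sample traffic are constructed.

```python
"""Model of an IP fragment reassembly database governed by the three fragment
settings above. Added illustration; not Security Manager or appliance code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int     # IP identification field, shared by all fragments of one packet
    offset: int    # byte offset of this fragment's payload (constructed simplification)
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments flag; False on the final fragment


@dataclass
class FragmentSettings:
    size: int = 200        # max packets waiting in the reassembly database (default 200)
    chain: int = 24        # max fragments a full IP packet may be split into (default 24)
    timeout: float = 5.0   # seconds to wait for all fragments (default 5)


@dataclass
class _Pending:
    first_seen: float      # timer starts when the first fragment arrives
    fragments: Dict[int, Tuple[int, bool]] = field(default_factory=dict)

    def complete(self) -> bool:
        # Complete when offsets are contiguous from 0 up to a final (more=False) fragment.
        end = 0
        for offset in sorted(self.fragments):
            length, more = self.fragments[offset]
            if offset != end:
                return False          # gap before this fragment
            end = offset + length
            if not more:
                return True           # final fragment reached with no gaps
        return False


class ReassemblyDatabase:
    def __init__(self, settings: FragmentSettings, clock: Callable[[], float]):
        self.settings = settings
        self.clock = clock            # injected so the timeout can be exercised offline
        self.pending: Dict[Tuple[str, str, int], _Pending] = {}
        self.stats = {"reassembled": 0, "dropped_timeout": 0,
                      "dropped_db_full": 0, "dropped_chain": 0}

    def _expire(self) -> None:
        now = self.clock()
        for key, entry in list(self.pending.items()):
            if now - entry.first_seen >= self.settings.timeout:
                del self.pending[key]     # every fragment received so far is discarded
                self.stats["dropped_timeout"] += 1

    def receive(self, frag: Fragment) -> str:
        self._expire()
        key = (frag.src, frag.dst, frag.ident)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.settings.size:
                self.stats["dropped_db_full"] += 1
                return "dropped: reassembly database full"
            entry = _Pending(first_seen=self.clock())
            self.pending[key] = entry
        entry.fragments[frag.offset] = (frag.length, frag.more)
        if len(entry.fragments) > self.settings.chain:
            del self.pending[key]
            self.stats["dropped_chain"] += 1
            return "dropped: fragment chain too long"
        if entry.complete():
            del self.pending[key]
            self.stats["reassembled"] += 1
            return "reassembled"
        return "buffered"


def run_sample() -> dict:
    """Constructed traffic: a good packet, one that times out, one over the chain limit."""
    now = [0.0]
    db = ReassemblyDatabase(FragmentSettings(), clock=lambda: now[0])
    results = {}
    # Packet A: three contiguous fragments; the last one clears the More flag.
    for off, ln, more in [(0, 1000, True), (1000, 1000, True), (2000, 480, False)]:
        results["a"] = db.receive(Fragment("10.1.1.5", "10.2.2.9", 1, off, ln, more))
    # Packet B: only its first fragment ever arrives.
    results["b"] = db.receive(Fragment("10.1.1.5", "10.2.2.9", 2, 0, 1000, True))
    # Packet C: 25 fragments, one more than the default chain limit of 24.
    now[0] = 6.0   # 6 s later, so packet B has exceeded the 5 s timeout
    for i in range(25):
        results["c"] = db.receive(Fragment("10.1.1.6", "10.2.2.9", 3, i * 100, 100, True))
    results["stats"] = dict(db.stats)
    return results
```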


Related Topics

General Page, page L-245

Add/Edit General Security Configuration Dialog Box, page L-247

Configuring Timeouts
The Timeouts page lets you set the timeout durations for use with the security
appliance. All durations are displayed in the format hh:mm:ss. It sets the idle time
for the connection and translation slots of various protocols. If the slot has not
been used for the idle time specified, the resource is returned to the free pool. TCP
connection slots are freed approximately 60 seconds after a normal connection
close sequence.

Note

It is recommended that you do not change these values unless advised to do so by
Customer Support.
Procedure

Step 1

Do one of the following:

(Device view) Select Platform > Security > Timeouts from the Device
Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Security > Timeouts
from the Policy Types selector. Right-click Timeouts and select New
Timeouts Policy to create a policy, or select an existing policy from the
Policies selector.
The Timeouts page is displayed. For a description of the fields on this page,
see Table L-155 on page L-248.

Step 2

To enter a timeout value for a field, select the radio button to the left of the field
and then enter the timeout value in the box to the right of the field. For information
on valid values and formats, see Table L-155 on page L-248.

Step 3

Click Save to save your definitions to the Security Manager server.


Related Topics

Timeouts Page, page L-248

Configuring Service Policy Rules on Firewall Devices
Some applications require special handling by the security appliance and specific
application inspection engines are provided for this purpose. Applications that
require special application inspection engines are those that embed IP addressing
information in the user data packet or open secondary channels on dynamically
assigned ports. Application inspection is enabled by default for many protocols,
while it is disabled for other protocols. In many cases, you can change the port on
which the application inspection listens for traffic.
Application inspection engines work with NAT to help identify the location of
embedded addressing information. This allows NAT to translate these embedded
addresses and to update any checksum or other fields that are affected by the
translation.
Service policy rules define how specific types of application inspection are
applied to different types of traffic that is received by the security appliance. You
apply a specific rule to an interface or globally to every interface.
Use traffic match criteria to define the set of traffic to which you want to apply
application inspection. For example, TCP traffic with a port value of 23 might be
classified as the Telnet traffic class. You can use the traffic class to change the
default port for application inspection for protocols where this is permitted.
Multiple traffic match criteria can be assigned to a single interface, but a packet
will only match the first criterion within a specific service policy rule.
Service policy rules provide a way to configure security appliance features in a
manner similar to Cisco IOS software QoS CLI. For example, with service policy
rules you can include IP Precedence as one of the criteria to identify traffic for
rate-limiting. You can also create a timeout configuration that is specific to a
particular TCP application, as opposed to one that applies to all TCP applications.
Service policy rules are supported with these features:

TCP and general connection settings

Inspection


Intrusion Prevention Services

QoS

Details regarding the scope and implementation of particular service policies are
beyond the scope of this guide. Detailed information can be found on Cisco.com.
The following references may be particularly helpful:

Quality of Service (QoS)

Using Modular Policy Framework

Configuring Service Policy Rules consists of three tasks:

Step 1

Configure a service policy. Create a service policy and determine the interfaces
to which the service policy applies. For more information, see Table L-159 on
page L-255.

Step 2

Configure the traffic class. Specify the criteria you want to use to identify the
traffic to which the service policy applies. For more information, see Table L-160
on page L-256.

Step 3

Configure the actions. Specify the actions that should be taken to protect
information or resources, or to perform QoS functionality for the traffic specified
in this service policy. For more information, see Table L-161 on page L-256.

Configuring User Preferences on Firewall Devices


Use the User Preferences policy to specify deployment options for specific
firewall devices. You can create a policy with the deployment options you want to
use and then apply that policy to all devices that you want using those deployment
settings.
Procedure
Step 1

Do one of the following:

(Device view) Select Platform > User Preferences > Deployment from the
Device Policy selector.


(Policy view) Select PIX/ASA/FWSM Platform > User Preferences >
Deployment from the Policy Types selector. Right-click Deployment and
select New Deployment Policy to create a policy, or select an existing policy
from the Policies selector.
The Deployment page is displayed. For a description of the fields on this
page, see Table L-163 on page L-264.

Step 2

To specify that you want to clear the translation table when a configuration is
deployed to the device, select the Clear XLATE on deployment check box.

Note

This option is necessary for certain commands to take effect. If such
commands are changed, you should make sure this option is enabled for
the device.
However, clearing the translation table disconnects all current
connections that use translations.

Step 3

Click Save to save your definitions to the Security Manager server.

Configuring Security Contexts on Firewall Devices


You can partition a single security appliance into multiple virtual devices, known
as security contexts. Each context is an independent device, with its own security
policy, interfaces, and administrators. Multiple contexts are similar to having
multiple standalone devices. Many features are supported in multiple context
mode, including routing tables, firewall features, IPS, and management. Some
features are not supported: VPN, multicast, and dynamic routing protocols.
Security contexts support only static routes. You cannot enable OSPF or RIP in
multiple context mode. Also, some features are not directly managed by Security
Manager, such as the IPS feature set in ASA and PIX.
In multiple context mode, the security appliance includes a configuration for each
context that identifies the security policy, interfaces, and almost all the options
you can configure on a standalone device. The system administrator adds and
manages contexts by configuring them in the system configuration, which, like a
single mode configuration, is the startup configuration. The system configuration
identifies basic settings for the security appliance. The system configuration does
not include any network interfaces or network settings for itself; rather, when the
system needs to access network resources (such as downloading the contexts from
the server), it uses one of the contexts that is designated as the admin context. The
system configuration is used to add, delete, and edit basic context settings,
including allocating network interfaces to the various contexts.
The admin context is just like any other context, except that when a user logs in
to the admin context, that user has system administrator rights and can access the
system configuration and all other contexts.
This section contains the following topics:

Add/Edit a Security Context for PIX or ASA, page 15-106

Add/Edit a Security Context for FWSM, page 15-108

Delete a Security Context, page 15-109

Enabling Multi-Context Mode, page 15-110

Restoring Single Context Mode, page 15-111

View the Contexts Defined for a Device, page 15-111

Add/Edit a Security Context for PIX or ASA


Use the following procedure to define security contexts for a security appliance.
At least one security context must be designated as the admin context.
Before You Begin

Before you can configure contexts using Security Manager, you must make sure
the security appliance is in multiple context mode. When manually defining a
device, select Multi in the Contexts list under Operating System in the New
Device - Device Information dialog box.
Procedure
Step 1

In Device view, select the PIX or ASA security appliance, and then select
Security Context from the Device Policy selector.
The Security Contexts page is displayed. For a description of the fields on this
page, see Table L-164 on page L-265.

Step 2

Click the Add a row button.


The Add Security Context dialog box appears.


Step 3

Enter the name to use for this context in the Name field.

Step 4

If this context is the admin context, select the Admin Context check box.

Step 5

Under Configuration URL, select the file system type and enter the path and
filename to use for the context configuration.

Step 6

For each interface belonging to this security context, do the following:


a. Click the Add a row button beneath the Interfaces table.

The Allocate Interfaces dialog box appears.

b. Under Interfaces, specify the physical interface and sub-interface IDs for
which the security context will inspect traffic.
You can select just a physical interface, a single sub-interface (defined as a
range of one), or a range of sub-interfaces.

c. To enable an aliased name for ACLs applied to the specified interfaces as part
of this security context, select the Use aliased names in the security context
check box and then enter a name in the Alias Name field.

d. To show the hardware properties of this context, select the Show hardware
properties in context check box.
Select this option to see physical interface properties in the show interface
command in the security context even if you set a mapped name. If not
selected, it only shows the mapped name.

e. Click OK to save the interface settings.

Step 7

If active/active failover is enabled, select the failover group for this context in the
Failover Group list.

Step 8

Enter the IP address that Security Manager should use for communicating with
this security context in the Management IP Address field.

Step 9

Click OK to define the security context.


A message box states that the context will appear as a standalone device after you
perform the Submit operation.

Step 10

Click Save to save your definitions to the Security Manager server.
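To check what these dialog settings become on the appliance, the following is an added example (not from this guide) of the equivalent ASA system execution space configuration; the context names, interface IDs, mapped names, file names and failover group number are constructed values, and the command syntax assumes ASA software of the same era as Security Manager 3.1.

```cisco
! Added example: ASA system execution space configuration equivalent to the
! Add Security Context dialog above. All names and IDs are constructed.
!
! Multiple context mode must already be enabled on the appliance; Security
! Manager does not set it (see Enabling Multi-Context Mode). On the CLI:
!   mode multiple
!
! Subinterfaces allocated to contexts are defined here, in the system space
interface GigabitEthernet0/0.100
  vlan 100
interface GigabitEthernet0/0.103
  vlan 103
!
! Step 3: Name field; Step 4: Admin Context check box
admin-context admin
context admin
  ! Step 6: a single physical interface, no alias
  allocate-interface Management0/0
  ! Step 5: Configuration URL (file system type, path and file name)
  config-url disk0:/admin.cfg
!
context dmz-ctx
  ! Step 6b: a range of subinterfaces; Step 6c: aliased names used inside the
  ! context; Step 6d: "Show hardware properties in context" = visible keyword
  allocate-interface GigabitEthernet0/0.100-GigabitEthernet0/0.103 dmz0-dmz3 visible
  ! Physical interface without an alias: the hardware name is shown as-is
  allocate-interface GigabitEthernet0/1
  config-url disk0:/dmz-ctx.cfg
  ! Step 7: failover group, only meaningful with active/active failover
  join-failover-group 1
!
! Step 8 (Management IP Address) is stored in Security Manager only: it is
! the address Security Manager uses to reach the context and is not a
! device-side command.
```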


Related Topics

Configuring Security Contexts on Firewall Devices, page 15-105

Add/Edit a Security Context for FWSM, page 15-108

Delete a Security Context, page 15-109

Enabling Multi-Context Mode, page 15-110

Restoring Single Context Mode, page 15-111

View the Contexts Defined for a Device, page 15-111

Add/Edit a Security Context for FWSM


Use the following procedure to define security contexts for an FWSM. At least
one security context must be designated as the admin context.
Before You Begin

Before you can configure contexts using Security Manager, you must make sure
the security appliance is in multiple context mode. When manually defining a
device, select Multi in the Contexts list under Operating System in the New
Device - Device Information dialog box.
Procedure
Step 1

In Device view, select the FWSM, and then select Security Context from the
Device Policy selector.
The Security Contexts page is displayed. For a description of the fields on this
page, see Table L-164 on page L-265.

Step 2

Click the Add a row button.


The Add Security Context dialog box appears.

Step 3

Enter the name to use for this context in the Name field.

Step 4

If this context is for an FWSM 3.x, select the mode (Router or Transparent) in
which this context should operate.

Step 5

If this context is the admin context, select the Admin Context check box.

Step 6

Enter the VLAN IDs for this context. Use a comma to separate multiple
VLAN IDs.


Step 7

In the Config URL fields, select the file system type and enter the path and
filename to use for the context configuration.

Step 8

If active/active failover is enabled, select the failover group for this context in the
Failover Group list.

Step 9

Enter the IP address that Security Manager should use for communicating with
this security context in the Management IP Addr field.

Step 10

Click OK to define the security context.


A message box states that the context will appear as a standalone device after you
perform the Submit operation.

Step 11

Click Save to save your definitions to the Security Manager server.

Related Topics

Configuring Security Contexts on Firewall Devices, page 15-105

Add/Edit a Security Context for PIX or ASA, page 15-106

Delete a Security Context, page 15-109

Enabling Multi-Context Mode, page 15-110

Restoring Single Context Mode, page 15-111

View the Contexts Defined for a Device, page 15-111

Delete a Security Context


When you delete a security context, you are deleting all settings and policy
references associated with that security context.
Procedure
Step 1

In Device view, select the PIX, ASA, or FWSM security appliance, and then select
Security Context from the Device Policy selector.
The Security Contexts page is displayed. For a description of the fields on this
page, see Table L-164 on page L-265.


Step 2

For each context that you want to delete, select the context and click the Delete
selected row(s) button.
The Confirm Delete dialog box appears.

Step 3

To delete the selected context, click OK.

Note

Deleting the security context will also cause the security context device
to be removed from device inventory.

Step 4

Click Yes to confirm the deletion of the security context and corresponding
security context device.

Step 5

Click Save to save your definitions to the Security Manager server.

Related Topics

Configuring Security Contexts on Firewall Devices, page 15-105

Add/Edit a Security Context for PIX or ASA, page 15-106

Enabling Multi-Context Mode, page 15-110

Restoring Single Context Mode, page 15-111

View the Contexts Defined for a Device, page 15-111

Enabling Multi-Context Mode


Security Manager does not support enabling multiple context mode on a device.
To perform this task, you must delete the device from Security Manager, enable
multiple context mode using ASDM or CVDM, and then add the device again to
CSM. After the device is added as operating in multiple context mode, you can
add, edit, or delete security contexts.
Related Topics

Configuring Security Contexts on Firewall Devices, page 15-105

Add/Edit a Security Context for PIX or ASA, page 15-106

Delete a Security Context, page 15-109


Restoring Single Context Mode, page 15-111

View the Contexts Defined for a Device, page 15-111

Restoring Single Context Mode


Security Manager does not support restoring a device to single context mode. To
perform this task, you must delete the device and any of its child contexts from
Security Manager, restore the single context using ASDM or CVDM, and then add
the device again to CSM.
Related Topics

Configuring Security Contexts on Firewall Devices, page 15-105

Add/Edit a Security Context for PIX or ASA, page 15-106

Delete a Security Context, page 15-109

Enabling Multi-Context Mode, page 15-110

View the Contexts Defined for a Device, page 15-111

View the Contexts Defined for a Device


You can view the contexts that are defined for a device in one of three ways:

(Device view) Select the device and then select Security Contexts from the
Device Policy selector.

(Device view) Right-click on the device and select Show Containment.

In Device view, each context is defined as a child of the device on which it resides.

Tip

The system configuration and security contexts of a firewall device in multi mode are represented using a different icon than firewall devices in single mode.

Related Topics

Configuring Security Contexts on Firewall Devices, page 15-105


Add/Edit a Security Context for PIX or ASA, page 15-106

Delete a Security Context, page 15-109

Enabling Multi-Context Mode, page 15-110

Restoring Single Context Mode, page 15-111


Chapter 16

Managing Catalyst Devices


Cisco Security Manager supports the management and configuration of security
services and other platform-specific services on Catalyst 6500 Series switches
and Cisco 7600 Series routers (referred to in this User Guide as
Catalyst 6500/7600 devices).
Appendix M, Catalyst Platform User Interface Reference, describes the
Security Manager pages and dialog boxes that are specific to Catalyst 6500/7600
devices. The following topics describe how to configure platform-specific
services and policies on this platform:

Migrating Inventory From an Earlier Security Manager Release, page 16-2

Discovering Policies on 6500 Series and 7600 Series Devices, page 16-6

Interfaces, page 16-8


Creating or Editing Ports on Catalyst 6500/7600 Devices, page 16-9
Deleting Ports on Catalyst 6500/7600 Devices, page 16-12

VLANs, page 16-12


Creating or Editing VLANs, page 16-13
Deleting VLANs, page 16-15

VLAN Groups, page 16-16


Creating or Editing VLAN Groups, page 16-16
Deleting VLAN Groups, page 16-18


VLAN ACLs (VACLs), page 16-19


Creating or Editing VACLs, page 16-20
Deleting VACLs, page 16-23

IDSM Settings, page 16-24


Creating or Editing EtherChannel VLAN Definitions, page 16-25
Deleting EtherChannel VLAN Definitions, page 16-27
Creating or Editing Data Port VLAN Definitions, page 16-28
Deleting Data Port VLAN Definitions, page 16-30

Viewing Configuration Summaries, page 16-31

Migrating Inventory From an Earlier Security Manager Release

Security Manager 3.1.x differs significantly from 3.0.x in its features for
managing Catalyst 6500 Series switches and Cisco 7600 Series routers, as well as
their associated services modules (blades) and security contexts:

Security Manager 3.0.x used features from an embedded variant of CiscoView Device Manager, which is not included in Security Manager 3.1.x.

Security Manager 3.1.x offers a fully integrated management tool that is consistent with other Security Manager features.

This change to an integrated management tool affects the installation process when upgrading from Security Manager 3.0.x to Security Manager 3.1.x. In most cases, information from the older Security Manager database is added to the new database as part of the process of upgrading to the newer Security Manager version. However, the new methods for managing Catalyst 6500/7600 devices are different enough from the old methods that you must do more than simply install the newer Security Manager version in order to manage these devices in your network.


Before You Begin

Note

We recommend that you perform an inventory discovery on the chassis and service modules immediately before performing migration. This discovery option discovers the interfaces, VLANs, and VLAN groups configured on the live devices. See Discovering Policies on Devices Already in Security Manager, page 6-10.

Use Common Services to back up the Security Manager 3.0.x database. See Backup and Restore, page 20-25.

Do not make any out-of-band changes on the chassis or any of the service modules (for example, using the CLI) from the time migration starts until the operation is complete, as described in this procedure.
Procedure

Step 1

Upgrade from the older Security Manager version to the newer version.
To understand the prerequisites, tasks, and options that apply to an upgrade, see
the Upgrading Server Applications topic in Chapter 4 of Installation Guide for
Cisco Security Manager 3.1.
Catalyst 6500 Series switches, Cisco 7600 Series routers, their services modules,
and their security contexts are migrated automatically, along with all associated
VPN policies and firewall policies. However, old inventory information from
Security Manager 3.0.x is discarded including, for example, the records of
described interfaces and configured VLANs.

Note

When the installation utility reaches its Important Instructions page, it specifies a location on your server from which to access a migration report file. In most cases, the location will be NMSROOT\MDC\log\readme.txt, where NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files\CSCOpx.

Step 2

Open and print the migration report. It contains important information that you should read.


Step 3

Install the newest Security Manager Client software version on a client system,
then use that client system to log in to your upgraded Security Manager server.

Step 4

To use Device view (not Policy view), click the Device View button on the main
toolbar.
In the Device selector, a red X partially covers each icon that represents your
6500 Series and 7600 Series chassis, as well as the services modules (blades) and
security contexts associated with those chassis. The red X serves as a visual cue
to indicate that inventory information is not yet available for that device.

Step 5

Click any red X icon in the Device selector, then click Yes in the popup message
to confirm that Security Manager should discover the device. Security Manager
contacts the live device and retrieves its inventory information.

Note

The discovery operation performed during migration retrieves only inventory information; it does not discover the device configuration, such as firewall and VPN policies on the chassis and FWSM security contexts.

Step 6

Submit your changes (or approve your activity when working in workflow mode).
The red X is cleared from the icon. The chassis, services module, or security context is now available to you for deployments from Security Manager.

Note

If there are any FWSM 2.x devices that continue to display the red X icon after you complete this procedure, do the following:

Click the red X icon for each FWSM system context, then repeat Steps 5 and 6 until the icons are cleared.

After you clear the system contexts, click the red X icon for each security context, then repeat Steps 5 and 6 until the icons are cleared.

You do not need to perform this procedure when you migrate FWSMs that were added individually to Security Manager without the chassis.

Certain types of service modules do not display the red X icon and are marked instead as unmanaged. See Migrating Unmanaged Service Modules, page 16-5.

Do not deploy any chassis, services module, or security context that displays a red X icon. If you try, the deployment fails.


Other device lists in the Security Manager interface (such as the lists for
deployment and policy assignment) do not include any icons for these
chassis, services modules, or security contexts.

Related Topics

Migrating Unmanaged Service Modules, page 16-5

Managing Catalyst Devices, page 16-1

Migrating Inventory From an Earlier Security Manager Release, page 16-2

Migrating Unmanaged Service Modules


The first time that you launch the Security Manager client after upgrading from
version 3.0.1 to 3.1, the 6500/7600 chassis and the firewall service modules
(FWSMs) and security contexts associated with the chassis are displayed with a
red X icon in the Device selector. As described in Migrating Inventory From an
Earlier Security Manager Release, page 16-2, you must click the icon in order to
retrieve the inventory information for that device.
The following service modules, however, are not marked with the red X icon:

FWSM 3.x service modules.

Any FWSMs, such as standby failover blades, that were marked as unmanaged in Security Manager 3.0.1.

Any FWSMs that were not discovered in Security Manager 3.0.1.

All of these FWSMs are displayed in the Device selector with a light blue icon,
which indicates that they are unmanaged.
You have two options for each unmanaged FWSM:

You can leave the FWSM unmanaged.

You can delete the FWSM and then rediscover the chassis. The following
procedure describes how this is done.


Procedure
Step 1

Upgrade Security Manager, install and launch the new client, and perform
discovery on at least one device marked with the red X icon, as described in
Migrating Inventory From an Earlier Security Manager Release, page 16-2. The
discovery operation ignores any unmanaged FWSMs.

Step 2

Delete the FWSMs marked with the light blue icon that you want to manage with
Security Manager 3.1. Make sure that you perform this step after performing
discovery, as described in Step 1.

Step 3

Right-click the chassis, then select Discover Policies on Device.

Step 4

In the discovery wizard, enter the credentials for each FWSM that you deleted in
Step 2.
After discovery is complete, you can manage the FWSMs in Security Manager.

Note

The discovery operation performed during migration retrieves only inventory information, not the device configuration.

Related Topics

Migrating Inventory From an Earlier Security Manager Release, page 16-2

Discovering Policies on 6500 Series and 7600 Series Devices, page 16-6

Managing Catalyst Devices, page 16-1

Discovering Policies on 6500 Series and 7600 Series Devices

You can discover the configurations of your 6500 Series and 7600 Series chassis
(as well as the configurations of the services modules and security contexts
associated with those chassis) and import the configurations as policies into
Security Manager. This makes it possible to add existing devices and manage


them with Security Manager without having to configure each device manually,
policy by policy. For more information, see Adding Devices to the Security
Manager Inventory, page 5-30.
You can discover any command that Security Manager can configure. Discovery
ignores unsupported commands, which means that they are left intact on the
device even after subsequent deployments. Additionally, in cases where
Security Manager can discover the command, but not all the subcommands and
keywords related to that command, the unsupported elements are ignored and left
intact on the device.
At any time, you can also rediscover the configurations of devices that you are
already managing with Security Manager. Be aware, however, that rediscovery is
generally not recommended, because it overwrites the policies that you have
defined in Security Manager. For more information, see Discovering Policies on
Devices Already in Security Manager, page 6-10.

Note

We recommend that you perform deployment immediately after you discover the
policies on a 6500 Series or 7600 Series chassis, before you make any changes to
policies or unassign policies from the device. (This recommendation also applies
to any services module or security context associated with a 6500 Series or
7600 Series chassis.) Otherwise, the changes that you configure in
Security Manager might not be deployed to the device. See Working with
Deployment, page 18-35.
Related Topics

Understanding Policies, page 6-1

Discovering Policies, page 6-7

Managing Catalyst Devices, page 16-1

Managing Routers, page 14-1

Working with Deployment, page 18-35


Interfaces
You use the Interfaces tab on the Interfaces/VLANs page to view and manage the
following types of ports:

Access ports: A switching port that is used to connect host machines or servers. An access port belongs to and carries the traffic of only one VLAN. Traffic is received and sent in native formats with no VLAN tagging.

Trunk ports: A switching port operating at Layer 2 to carry the traffic of multiple VLANs. Traffic is tagged with a VLAN number to differentiate traffic from each VLAN. A trunk port is used to connect switches to switches or to connect switches to routers.

Routed ports: A physical port that acts like a port on a router. A routed port is not associated with a particular VLAN, and it behaves like a regular router interface. You can configure a routed port with a Layer 3 routing protocol.

Dynamic ports: A port that can change dynamically to a trunk port if the neighboring port is configured as a trunk port.

Unsupported ports: Ports on the Catalyst device that are not supported by Security Manager.

To display the Interfaces tab, select a Catalyst device in Device view, select
Interfaces/VLANs from the Policy selector, then click the Interfaces tab in the
work area.
The following topics describe the actions you can perform when defining
interfaces on Catalyst devices:

Creating or Editing Ports on Catalyst 6500/7600 Devices, page 16-9

Deleting Ports on Catalyst 6500/7600 Devices, page 16-12

Related Topics

Interfaces/VLANs Page - Interfaces Tab, page M-14

VLANs, page 16-12

VLAN Groups, page 16-16

VLAN ACLs (VACLs), page 16-19

Managing Catalyst Devices, page 16-1


Creating or Editing Ports on Catalyst 6500/7600 Devices


You can create access ports, routed ports, or trunk ports on Catalyst 6500/7600
devices, with these restrictions:

Each interface must have a name.

You can associate an access port with only one VLAN.

You can associate a trunk port with one or more VLANs.

Procedure
Step 1

(Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy
selector, then click the Interfaces tab in the work area.
The Interfaces tab is displayed. For a description of the fields on this tab, see
Interfaces/VLANs Page - Interfaces Tab, page M-14.

Step 2

Do one of the following:

To define the attributes of a new interface, click Add Row.

To edit the attributes of an interface, select it in the list, then click Edit Row.

Step 3

(Optional) Deselect the Enable Interface check box if you want this interface to
be in shutdown mode.

Step 4

From the Type list, select Interface or Subinterface:

If you select Interface, proceed with Step 5.

If you select Subinterface, proceed with Step 7.

Step 5

[Interfaces only] Enter a name for the interface, or click Select to display the
utility for generating an automatic name for the interface. See Generating an
Interface Name for Catalyst Devices, page 16-11.

Step 6

[Interfaces only] Select an option from the Mode list to specify the port
configuration type. The fields in the dialog box vary according to your selection.
Proceed with Step 8.

Step 7

[Subinterfaces only] Select the parent interface of the subinterface, then enter the
ID number.

Step 8

Define or configure the settings for the type that you selected:

Access Port: See Create and Edit Interface Dialog Boxes - Access Port Mode, page M-17 for a description of the fields.


Routed Port: See Create and Edit Interface Dialog Boxes - Routed Port Mode, page M-22 for a description of the fields.

Trunk Port: See Create and Edit Interface Dialog Boxes - Trunk Port Mode, page M-25 for a description of the fields.

Dynamic Port: See Create and Edit Interface Dialog Boxes - Dynamic Mode, page M-31 for a description of the fields.

Subinterface: See Create and Edit Interface Dialog Boxes - Subinterfaces, page M-37 for a description of the fields.

Unsupported: See Create and Edit Interface Dialog Boxes - Unsupported Mode, page M-39 for a description of the fields.

Step 9

From the Speed list, select an option to define the speed of the interface.

Step 10

If you defined a specific speed for the interface, and therefore the Duplex list is
enabled, select a duplexing option.

Step 11

In the MTU field, enter the maximum transmission unit value.

Step 12

Configure whether to use flow control on inbound (Receive) and outbound (Send)
traffic.

Step 13

(Optional) Enter a description for the interface in the Description field.

Step 14

Click OK to save your definitions locally on the client and close the dialog box.

Step 15

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Deleting Ports on Catalyst 6500/7600 Devices, page 16-12

Creating or Editing VLANs, page 16-13

Creating or Editing VLAN Groups, page 16-16

Interfaces/VLANs Page - Interfaces Tab, page M-14

Interfaces, page 16-8


Generating an Interface Name for Catalyst Devices


To streamline the process of manually defining an interface on a Catalyst device,
Security Manager includes a utility for generating a name for the interface. This
name is based on the interface type and details about the interface's location, such
as card, slot, and subinterface.
Procedure
Step 1

Open the Create Interface dialog box for defining ports/interfaces on Catalyst
devices. See Creating or Editing Ports on Catalyst 6500/7600 Devices, page 16-9.

Step 2

Select Interface from the Type list.

Step 3

In the Name field, click Select to open the Interface Auto Name Generator Dialog
Box, page K-27.

Step 4

Select the interface type from the Type list.

Step 5

Enter information regarding the location of the interface in one or more of the
following fields:

Card

Slot

Port

As you enter information, the interface name is generated and displayed in the
Result field.
Step 6

Click OK to save your definitions. The new interface name is displayed in the
Name field in the Create Interface dialog box. You can modify this name
manually.

Related Topics

Interfaces, page 16-8

Deleting Ports on Catalyst 6500/7600 Devices, page 16-12


Deleting Ports on Catalyst 6500/7600 Devices


Although you can delete the definition of an interface at any time, use this option
with great care. If the relevant device includes the interface definition in any
policy definitions, deleting the interface causes these policy definitions to fail
when they are deployed to the device.
Procedure
Step 1

Select View > Device View or click the Device View button on the toolbar.

Step 2

Select a Catalyst 6500 Series switch or Cisco 7600 Series router from the Device
selector.

Step 3

Select Interfaces/VLANs from the Policy selector to display the Interfaces/VLANs Page, page M-3.

Step 4

Click the Interfaces tab in the work area.


The Interfaces tab is displayed. For a description of the fields on this tab, see
Interfaces/VLANs Page - Interfaces Tab, page M-14.

Step 5

Select an interface from the table, then click Delete Row. The interface is deleted.

Related Topics

Creating or Editing Ports on Catalyst 6500/7600 Devices, page 16-9

Interfaces/VLANs Page - Interfaces Tab, page M-14

Interfaces, page 16-8

VLANs
A VLAN is a switched network that is segmented logically instead of on the basis
of geography. For example, a VLAN might interconnect members of a
geographically dispersed workgroup. VLANs offer a practical convenience for
many organizations because they reduce the need to rearrange the physical
placement of personnel, equipment, and network infrastructure. Properly
configured VLANs are scalable, secure, and can simplify the tasks of network
management.

A VLAN consists of hosts and network devices (such as bridges and routers),
connected by a single bridging domain. Traffic between VLANs must be routed.
Security Manager helps you to create VLANs and define VLAN settings for the
defined interfaces on Catalyst 6500 Series switches and Cisco 7600 Series
routers, their supported services modules, and their security contexts.
The following topics describe the actions you can perform when defining VLANs
on Catalyst devices:

Creating or Editing VLANs, page 16-13

Deleting VLANs, page 16-15

Related Topics

Interfaces/VLANs Page - VLANs Tab, page M-4

VLAN Groups, page 16-16

VLAN ACLs (VACLs), page 16-19

Managing Catalyst Devices, page 16-1

Creating or Editing VLANs


You can create a VLAN or reconfigure the attributes of a VLAN.
Procedure
Step 1

(Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy
selector, then click the VLANs tab in the work area.
The VLANs tab is displayed. For a description of the fields on this tab, see
Interfaces/VLANs Page - VLANs Tab, page M-4.

Step 2

Do one of the following:

To define the attributes of a new VLAN, click Add Row.

To edit the attributes of a VLAN, select it in the list, then click Edit Row.

See Create and Edit VLAN Dialog Boxes, page M-6, for a description of the fields
in the dialog box.
Step 3

In the VLAN ID field, enter a unique ID number for the VLAN. The number that
you enter must not be assigned to any other VLAN in the bridging group.

Step 4

(Optional) Enter a name for the VLAN.

Step 5

(Optional) If the VLAN is part of a VLAN group, select the group ID, or select
Add Group to open the Create VLAN Group dialog box. For more information,
see Creating or Editing VLAN Groups, page 16-16.

Step 6

From the Status list, specify the status of the VLAN (active or suspended).

Step 7

From the Type list, select either Layer 2 or Layer 3. If you select Layer 3,
continue with Step 8. Otherwise, continue with Step 9.

Step 8

(Optional) For a Layer 3 VLAN, define a switched virtual interface (SVI):

a. To make the SVI active, select the Enable Interface check box. An SVI enables routing between VLANs and provides IP host connectivity to the switch. If you do not select this check box, the SVI is created in shutdown mode.

b. Enter the IP address for the SVI.

c. Enter the SVI subnet mask by typing it, or select a netmask value from the Subnet Mask list.

d. Enter an optional description, if required.

Step 9

Do one or both of the following:

To associate access ports with the VLAN, enter their names in the Access Ports text box or click Select to open an interface selector.

To associate trunk ports with the VLAN, enter their names in the Trunk Ports text box or click Select to open an interface selector.

See Interface Selector Dialog Box - VLAN ACL Content, page M-55, for a description of the fields in the dialog box. For more information about defining ports, see Creating or Editing Ports on Catalyst 6500/7600 Devices, page 16-9.
Step 10

Click OK to save your definitions locally on the client and close the dialog box.

Step 11

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
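To see what the port and VLAN dialogs in Creating or Editing Ports on Catalyst 6500/7600 Devices and Creating or Editing VLANs produce on the switch, here is an added example (not from this guide) of the corresponding Catalyst 6500/7600 IOS configuration; VLAN IDs, names, addresses and interface IDs are constructed values, and the command syntax assumes native IOS on a Supervisor of the same era.

```cisco
! Added example: Catalyst 6500/7600 IOS configuration matching the Ports and
! VLANs dialog fields. All IDs, names and addresses are constructed.
!
! --- Creating or Editing VLANs: VLAN ID (Step 3), name (Step 4),
!     status active or suspended (Step 6)
vlan 100
  name servers
  state active
!
! Step 8: Layer 3 VLAN with an SVI; "Enable Interface" = no shutdown,
! IP address and subnet mask (Steps 8b, 8c), description (Step 8d)
interface Vlan100
  description Servers SVI
  ip address 10.100.0.1 255.255.255.0
  no shutdown
!
! --- Creating or Editing Ports, Access Port mode: one VLAN, untagged
!     (this is also the Step 9 access-port association for VLAN 100).
!     Steps 9 to 13: speed, duplex, MTU, flow control, description.
interface GigabitEthernet3/1
  description Access port, server rack A
  switchport
  switchport mode access
  switchport access vlan 100
  speed 1000
  duplex full
  mtu 9216
  flowcontrol receive on
  flowcontrol send off
  no shutdown
!
! Trunk Port mode: tagged traffic for several VLANs
! (the Step 9 trunk-port association for VLAN 100)
interface GigabitEthernet3/2
  description Uplink trunk
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  no shutdown
!
! Routed Port mode: not tied to a VLAN, behaves as a router interface
interface GigabitEthernet3/3
  description Routed link to core
  no switchport
  ip address 192.0.2.1 255.255.255.252
  no shutdown
!
! Subinterface (Type = Subinterface, Step 7): parent interface plus ID number
interface GigabitEthernet3/3.10
  encapsulation dot1Q 10
  ip address 192.0.2.5 255.255.255.252
!
! A port with "Enable Interface" deselected (Step 3) is simply shut down
interface GigabitEthernet3/4
  description Unused, kept in shutdown
  shutdown
```

Deleting a port definition in Security Manager (Deleting Ports on Catalyst 6500/7600 Devices) does not remove the interface from the switch; any policy that still references the deleted name fails at deployment, which is why that topic advises care.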

Related Topics

Deleting VLANs, page 16-15


Creating or Editing VLAN Groups, page 16-16

Creating or Editing VACLs, page 16-20

Create and Edit VLAN Dialog Boxes, page M-6

VLANs, page 16-12

Deleting VLANs
You can delete a VLAN.
Procedure
Step 1

Select View > Device View or click the Device View button on the toolbar.

Step 2

Select a Catalyst 6500 Series switch or Cisco 7600 Series router from the Device
selector.

Step 3

Select Interfaces/VLANs from the Policy selector to display the Interfaces/VLANs Page, page M-3.

Step 4

Click the VLANs tab in the work area.


The VLANs tab is displayed. For a description of the fields on this tab, see
Interfaces/VLANs Page - VLANs Tab, page M-4.

Step 5

Select a VLAN from the table, then click Delete Row. The VLAN is deleted.

Related Topics

Creating or Editing VLANs, page 16-13

Interfaces/VLANs Page - VLANs Tab, page M-4

VLANs, page 16-12


VLAN Groups
A VLAN group defines a logical collection of VLANs. The VLAN Groups tab on
the Interfaces/VLANs page displays:

All VLAN groups that are defined on the selected device.

The service module slots to which a VLAN group is bound.

Which VLANs belong to each VLAN group.

VLAN groups can be used when assigning VLANs to an FWSM security context.
A VLAN group can be assigned to multiple FWSMs, and each FWSM can have
multiple VLAN groups assigned to it. To perform this assignment, see Add/Edit
a Security Context for FWSM, page 15-108.
The following topics describe the actions you can perform when defining VLAN
groups on Catalyst devices:

Creating or Editing VLAN Groups, page 16-16

Deleting VLAN Groups, page 16-18

Related Topics

Interfaces/VLANs Page - VLAN Groups Tab, page M-10

Interfaces, page 16-8

VLANs, page 16-12

VLAN ACLs (VACLs), page 16-19

Managing Catalyst Devices, page 16-1

Creating or Editing VLAN Groups


You can create VLAN groups. When you create a VLAN group, remember that:

Each group must have an ID.

You can associate a VLAN group with one or more FWSM modules.

Each VLAN can be a member of only one VLAN group.

Procedure
Step 1

(Device view) Select a Catalyst device, select Interfaces/VLANs from the Policy
selector, then click the VLAN Groups tab in the work area.
The VLAN Groups tab is displayed. For a description of the fields on this tab, see
Interfaces/VLANs Page - VLAN Groups Tab, page M-10.

Step 2

Do one of the following:

To define the attributes of a new VLAN group, click Add Row.

To edit the attributes of a VLAN group, select it in the list, then click Edit
Row.

See Create and Edit VLAN Group Dialog Boxes, page M-11, for a description of
the fields in this dialog box.
Step 3

In the VLAN Group ID field, enter a unique ID number for the VLAN group. The
number that you enter must not be assigned to any other VLAN group.

Step 4

To associate the VLAN group with specific service module slots, enter their slot
numbers in the Service Module Slots text box, or click Select to open a selector.

Note

Defining this association makes it possible to later assign this VLAN group to
a security context on the FWSM. See Add/Edit a Security Context for FWSM,
page 15-108.

Step 5

Enter the VLANs to add to the VLAN group, or click Select to open a selector.

Step 6

Click OK to save your definitions locally on the client and close the dialog box.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Deleting VLAN Groups, page 16-18

Creating or Editing VLANs, page 16-13

Creating or Editing VACLs, page 16-20

Interfaces/VLANs Page - VLAN Groups Tab, page M-10

VLAN Groups, page 16-16

Deleting VLAN Groups

You can delete VLAN groups. Deleting a VLAN group has no effect on the
VLANs in the group.
Procedure
Step 1

Select View > Device View or click the Device View button on the toolbar.

Step 2

Select a Catalyst 6500 Series switch or Cisco 7600 Series router from the Device
selector.

Step 3

Select Interfaces/VLANs from the Policy selector to display the
Interfaces/VLANs Page, page M-3.

Step 4

Click the VLAN Groups tab in the work area.

The VLAN Groups tab is displayed. For a description of the fields on this tab,
see Interfaces/VLANs Page - VLAN Groups Tab, page M-10.

Step 5

Select a VLAN group from the table, then click Delete Row. The VLAN group is
deleted.

Related Topics

Creating or Editing VLAN Groups, page 16-16

Interfaces/VLANs Page - VLAN Groups Tab, page M-10

VLAN Groups, page 16-16

VLAN ACLs (VACLs)


Cisco IOS standard or extended ACLs are configured on router interfaces only,
and are applied on routed packets only. In contrast, Catalyst 6500 Series switches
and Cisco 7600 Series routers can use VLAN ACLs (VACLs) to control the access
of all packets that are bridged within a VLAN or that are routed to or from a
VLAN for VACL capture through a WAN interface. VACLs:

Are processed in hardware.

Use Cisco IOS ACLs.

Ignore any Cisco IOS ACL fields that are not supported in hardware.

Note

Security Manager does not support the creation or configuration of MAC ACLs
(MACLs), which are named ACLs that are sometimes used with VACLs to filter
IPX, DECnet, AppleTalk, VINES, or XNS traffic based on MAC addresses.
When you configure a VACL and apply it to a VLAN, all packets entering the
VLAN are checked against the VACL.
If you apply a VACL to a VLAN and you apply an ACL to a routed interface in
that same VLAN, any packet coming into the VLAN is first checked against the
VACL. Then, if permitted, the packet is checked against the input ACL before it
reaches the routed interface.
When a packet is routed from one VLAN to another, it is first checked against the
output ACL that is applied to the routed interface. Then, if permitted, the packet
is checked against any VACLs that are configured for the destination VLAN.
If a VACL is configured for a packet type, and a packet of that type does not match
the VACL, the default action is deny.
VLAN Access Maps

Security Manager uses VLAN access maps to configure VACLs. Conceptually
similar to a route map, a VLAN access map is a container in which you place one
or more statements (conditions that match an action) and number them by their
order of importance. A VLAN access map must also identify the VLANs to which
it is applied, contain the map name, and identify at least one VACL sequence.
A VACL sequence must have a sequence number and at least one action, and must
match at least one ACL.

Devices evaluate map statements in sequence and you can associate more than one
VLAN access map with any device chassis.
To manage a VACL, select a Catalyst device in Device View, then select
Platform > VLAN Access Lists. You use VLAN access maps to configure
VACLs for IP traffic.
The following topics describe the actions you can perform when defining VACLs
on Catalyst devices:

Creating or Editing VACLs, page 16-20

Deleting VACLs, page 16-23

Related Topics

VLAN Access Lists Page, page M-50

Create and Edit VLAN ACL Dialog Boxes, page M-52

Create and Edit VLAN ACL Content Dialog Boxes, page M-54

VLANs, page 16-12

VLAN Groups, page 16-16

Managing Catalyst Devices, page 16-1

Creating or Editing VACLs


When you create or edit a VACL, you must:

Name the VACL.

Define the VLANs to which the VACL applies.

Define a sequence map containing at least one VACL sequence.

Procedure
Step 1

Do one of the following:

(Device view) Select a Catalyst device, then select Platform > VLAN Access
Lists from the Policy selector.

(Policy view) Select Catalyst Platform > VLAN Access Lists.

The VLAN Access Lists page is displayed. For a description of the fields on
this page, see VLAN Access Lists Page, page M-50.
Step 2

Do one of the following:

To define the attributes of a new VACL, click Add Row.

To edit the attributes of a VACL, select it in the list, then click Edit Row.

A dialog box opens. See Create and Edit VLAN ACL Dialog Boxes,
page M-52, for a description of the fields in the dialog box.
Step 3

Enter a name for the VACL in the VLAN ACL Name field.

Step 4

In the VLANs field, specify the VLANs to which the VACL should be applied, or
click Select to open a VLAN selector.

Step 5

Define the sequence map:

a. Click Add Row or Edit Row beneath the Sequence Map table. A dialog box
opens. See Create and Edit VLAN ACL Content Dialog Boxes, page M-54.

b. Enter a number to identify the sequence.

c. Specify the standard and extended ACLs to assign to the sequence, or click
Select to display a selector (see Object Selectors, page F-558). For more
information about ACL objects, see Understanding Access Control List
Objects, page 8-31.

d. Specify the action to perform on traffic that matches the ACLs defined in this
sequence. (When you select Redirect as the action, you must specify the
physical destination interfaces, or click Select to display a selector. See
Specifying Interfaces During Policy Definition, page 8-118.)

e. Click OK to save your definitions locally on the client and close the dialog
box. The sequence is displayed in the Sequence Map table.

f. Repeat steps a through e to add sequences to the sequence map.

g. Use the up and down arrows to reorder the sequences, if required.

Note

The order in which you place the sequences is significant. When a flow matches
a permit ACL entry, the associated action is taken without checking the
remaining sequences. When a flow matches a deny ACL entry, it is checked
against the next ACL in the same sequence or the next sequence. If a flow does
not match any ACL entry and at least one ACL is configured for that packet type,
the packet is denied.

Step 6

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.
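The evaluation order this section describes (permit matches act at once, deny matches fall through to the next ACL or sequence, unmatched IP traffic is dropped, and the VACL runs before the input ACL of a routed interface but after its output ACL) can be checked against a draft policy before it is deployed. The model below is an added example, not Security Manager or Catalyst code; the ACL names, addresses, VLAN numbers and packets are constructed, and the forward/drop/redirect action labels are the Catalyst VACL actions.

```python
"""How a Catalyst VLAN access map (VACL) and the ACLs on a routed interface are
evaluated, following the VACL section of this guide. Added illustration only,
not Security Manager or Catalyst code; every name, address and packet below is
constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None

@dataclass
class Ace:
    """One access-list entry; proto "ip" and 0.0.0.0/0 stand for "any"."""
    permit: bool
    proto: str = "ip"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

@dataclass
class Acl:
    name: str
    entries: List[Ace]

@dataclass
class Sequence:
    number: int
    acls: List[Acl]
    action: str  # Catalyst VACL action: "forward", "drop" or "redirect"

@dataclass
class VlanAccessMap:
    name: str
    vlans: List[int]
    sequences: List[Sequence]

def acl_permits(acl: Acl, pkt: Packet) -> bool:
    """Router-interface ACL: the first matching entry decides, implicit deny."""
    for ace in acl.entries:
        if ace.matches(pkt):
            return ace.permit
    return False

def evaluate_vacl(vmap: VlanAccessMap, pkt: Packet) -> str:
    """Ordering rule from the Note under "Creating or Editing VACLs": a permit
    match takes the sequence action at once; a deny match moves on to the next
    ACL or sequence; a packet matching nothing is dropped once any ACL exists.
    Only IP traffic is modelled (Security Manager does not manage MACLs)."""
    configured = False
    for seq in sorted(vmap.sequences, key=lambda s: s.number):
        for acl in seq.acls:
            configured = True
            for ace in acl.entries:
                if ace.matches(pkt):
                    if ace.permit:
                        return seq.action
                    break  # deny entry matched: try the next ACL / sequence
    return "drop" if configured else "forward"  # no IP ACL at all: assumed pass

def ingress_path(vacl: VlanAccessMap, input_acl: Acl, pkt: Packet) -> str:
    """Packet entering a VLAN whose routed interface carries an input ACL:
    the VACL runs first and the input ACL only sees what it forwarded."""
    action = evaluate_vacl(vacl, pkt)
    if action != "forward":
        return action
    return "forward" if acl_permits(input_acl, pkt) else "drop"

def routed_egress_path(output_acl: Acl, dest_vacl: VlanAccessMap, pkt: Packet) -> str:
    """Packet routed into another VLAN: the output ACL of the routed interface
    runs first, then the VACL of the destination VLAN."""
    if not acl_permits(output_acl, pkt):
        return "drop"
    return evaluate_vacl(dest_vacl, pkt)

# Constructed sample policy for VLAN 10, which holds servers in 10.10.10.0/24.
SERVER_VACL = VlanAccessMap("SERVER-VACL", [10], [
    Sequence(10, [Acl("users-to-servers", [
        Ace(False, "tcp", "0.0.0.0/0", "10.10.10.0/24", 23),  # deny: keep looking
        Ace(True, "tcp", "10.1.0.0/16", "10.10.10.0/24"),     # permit: forward
    ])], "forward"),
    Sequence(20, [Acl("telnet-capture", [
        Ace(True, "tcp", "0.0.0.0/0", "0.0.0.0/0", 23),
    ])], "redirect"),  # e.g. VACL capture toward an IDSM data port
])
# Constructed input ACL on the VLAN 10 routed interface: web from users only.
WEB_ONLY_ACL = Acl("web-only", [Ace(True, "tcp", "10.1.0.0/16", "0.0.0.0/0", 80)])
```

With this sample, telnet from 10.1.2.3 to 10.10.10.5 is denied by sequence 10 but still redirected by sequence 20, while port 443 from the same host passes the VACL and is then dropped by the input ACL.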

Related Topics

Deleting VACLs, page 16-23

Creating or Editing VLANs, page 16-13

Creating or Editing VLAN Groups, page 16-16

Create and Edit VLAN ACL Dialog Boxes, page M-52

VLAN Access Lists Page, page M-50

Deleting VACLs
You can delete a VACL if it is not being used by any device, policy, or object.
Before You Begin

You must delete all references to the VACL before you can remove it from the
database. To locate all references to the VACL, run an object usage report for it.
See Generating Object Usage Reports, page 8-14.
Procedure
Step 1

Do one of the following:

(Device view) Select a Catalyst device, then select Platform > VLAN Access
Lists from the Policy selector.

(Policy view) Select Catalyst Platform > VLAN Access Lists.


The VLAN Access Lists page is displayed. For a description of the fields on
this page, see VLAN Access Lists Page, page M-50.

Step 2

Click in a row to select a VACL, then click Delete.

Step 3

Click OK to save your definitions locally on the client and close the dialog box.

Step 4

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Creating or Editing VACLs, page 16-20

Interfaces/VLANs Page - VLANs Tab, page M-4

VLAN ACLs (VACLs), page 16-19

IDSM Settings
When you select a Catalyst device in Device view, then select Platform > IDSM
Settings from the Policy selector, a list is displayed that:

Displays the settings for data ports on Intrusion Detection System Service
Modules (IDSMs).

Helps you to organize IDSM data ports in channel groups.

The IDSM card detects and stops security threats on network connections. The
card inspects the traffic that enters its two data ports and drops packets if a
security threat is detected. The data port settings define:

Which traffic is received by the data ports, as defined by the VLAN IDs.

The sensing mode used by the data ports:

Trunk (IPS) - The IDSM performs VLAN bridging between pairs of VLANs within
the same data port, operating as an 802.1q trunk. The IDSM inspects the traffic
it receives on each VLAN in a VLAN pair and can either forward the packets on
the other VLAN in the pair or drop the packet if an intrusion attempt is
detected.

Capture (IDS) - The IDSM passively monitors network traffic that was copied to
the data ports by the Catalyst switch using either VACL capture or SPAN. The
data ports operate as 802.1q trunks that can be configured to trunk different
VLANs. When operating in this passive mode, the IDSM cannot drop packets in
response to a network intrusion attempt, but it can send TCP resets over the
data ports in an attempt to block the intrusion.
For high-traffic networks, EtherChannel is used to perform load balancing among
multiple data ports. These data ports might be located on different IDSM cards
within the same Catalyst device.
EtherChannel is also used to redirect traffic in the event of port failure to the
remaining ports within the channel group. This resiliency helps preserve intrusion
detection and prevention without user intervention and with minimum packet loss.
The following topics describe the actions you can perform when defining IDSM
settings:

Creating or Editing EtherChannel VLAN Definitions, page 16-25

Deleting EtherChannel VLAN Definitions, page 16-27

Creating or Editing Data Port VLAN Definitions, page 16-28

Deleting Data Port VLAN Definitions, page 16-30

Related Topics

VLANs, page 16-12

Managing Catalyst Devices, page 16-1

Creating or Editing EtherChannel VLAN Definitions


When defining an EtherChannel VLAN definition, you must:

Define the slot-port combination containing the data ports to include in the
channel group.

Select the sensing mode used by the data ports.

Define which VLANs are forwarded to the data ports.

The following restrictions apply:

You may have a single definition only for each channel group.

You may have a single definition only for each slot-data port combination.
This means that you cannot create an EtherChannel VLAN definition if a data
port definition already exists for this slot-data port.

Procedure
Step 1

Do one of the following:

(Device view) Select a Catalyst device, then select Platform > IDSM
Settings from the Policy selector.

(Policy view) Select Catalyst Platform > IDSM Settings.


The IDSM Settings page is displayed. For a description of the fields on this
page, see Table M-17 on page M-44.

Step 2

Do one of the following:

To create an IDSM EtherChannel VLAN definition, click Add Row beneath
the EtherChannel VLANs table.

To edit an IDSM EtherChannel VLAN definition, select it in the list, then
click Edit Row beneath the table.

The IDSM EtherChannel VLAN dialog box is displayed. For a description of the
fields in this dialog box, see Table M-18 on page M-46.
Step 3

To assign a channel group number to the Ethernet interface for the VLAN, or to
change the channel group number, enter a number in the Channel Group text box.

Step 4

To associate the VLAN with the numbered chassis slot where you installed your
IDSM services module and to associate one module data port with the VLAN, do
one of the following:

Enter the slot-port number in the Slot-Ports text box.

Click Select to open the IDSM Slot-Port Selector dialog box.

Note

Associating one module data port with the VLAN enables you to configure the
port at the group level instead of configuring it manually.

Step 5

From the Mode list, select the running mode of the EtherChannel VLAN. If you
select Capture, select the check box to configure the specified channel group as a
capture destination.

Note

If you do not select this check box, the capture port is created in shutdown
mode.

Step 6

To include a VLAN in the specified channel group, do one of the following:

Enter its numeric ID in the VLAN IDs text box.

Click Select to open the VLAN Selector dialog box.

You can enter or select more than one VLAN ID.


Step 7

Click OK to save your definitions locally on the client and close the dialog box.

Step 8

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Deleting EtherChannel VLAN Definitions, page 16-27

Creating or Editing Data Port VLAN Definitions, page 16-28

IDSM Settings, page 16-24

Deleting EtherChannel VLAN Definitions


You can delete an EtherChannel VLAN definition on the IDSM.
Procedure
Step 1

Do one of the following:

(Device view) Select a Catalyst device, then select Platform > IDSM
Settings from the Policy selector.

(Policy view) Select Catalyst Platform > IDSM Settings.


The IDSM Settings page is displayed. For a description of the fields on this
page, see IDSM Settings Page, page M-44.

Step 2

Click a row in the table to select the VLAN definition to delete.

Step 3

Click Delete Row.

Step 4

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Creating or Editing EtherChannel VLAN Definitions, page 16-25

Deleting Data Port VLAN Definitions, page 16-30

IDSM Settings, page 16-24

Creating or Editing Data Port VLAN Definitions


When defining a data port VLAN definition, you must:

Define the slot-port combination where the data port is located.

Select the sensing mode used by the data port.

Define which VLANs are forwarded to the data port.

The following restrictions apply:

You may have a single definition only for each data port.

You cannot create a data port definition if the port is already defined as part
of a channel group.

Procedure
Step 1

Do one of the following:

(Device view) Select a Catalyst device, then select Platform > IDSM
Settings from the Policy selector.

(Policy view) Select Catalyst Platform > IDSM Settings.


The IDSM Settings page is displayed. For a description of the fields on this
page, see Table M-17 on page M-44.

Step 2

Do one of the following:

To create an IDSM data port VLAN definition, click Add Row beneath the
Data Port VLANs table.

To edit an IDSM data port VLAN definition, select it in the list, then click
Edit Row beneath the table.

The IDSM Data Port VLAN dialog box is displayed. For a description of the fields
in this dialog box, see Table M-19 on page M-47.
Step 3

To associate the VLAN with the numbered chassis slot where you installed your
IDSM services module and to associate one module data port with the VLAN, do
one of the following:

Enter the slot-port number in the Slot-Ports text box.

Click Select to open the IDSM Slot-Port Selector dialog box.

Note

Associating one module data port with the VLAN enables you to configure the
port at the group level instead of configuring it manually.

Step 4

From the Mode list, select the running mode of the data port VLAN. If you select
Capture, select the check box to configure the specified data port as a capture
destination.

Note

If you do not select this check box, the capture port is created in shutdown
mode.

Step 5

To assign a VLAN to the specified data port, do one of the following:

Enter its numeric ID in the VLAN IDs text box.

Click Select to open the VLAN Selector dialog box.

You can enter or select more than one VLAN ID.


Step 6

Click OK to save your definitions locally on the client and close the dialog box.

Step 7

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Deleting Data Port VLAN Definitions, page 16-30

Creating or Editing EtherChannel VLAN Definitions, page 16-25

IDSM Settings, page 16-24

Deleting Data Port VLAN Definitions


You can delete a data port VLAN definition on the IDSM.
Procedure
Step 1

Do one of the following:

(Device view) Select a Catalyst device, then select Platform > IDSM
Settings from the Policy selector.

(Policy view) Select Catalyst Platform > IDSM Settings.


The IDSM Settings page is displayed. For a description of the fields on this
page, see IDSM Settings Page, page M-44.

Step 2

Click a row in the table to select the VLAN definition to delete.

Step 3

Click Delete Row.

Step 4

Click Save to save your definitions to the Security Manager server.

Note

To publish your changes, click the Submit button on the toolbar.

Related Topics

Creating or Editing Data Port VLAN Definitions, page 16-28

Deleting EtherChannel VLAN Definitions, page 16-27

IDSM Settings, page 16-24

Viewing Configuration Summaries


You can view a summary of the configurations saved to your Catalyst 6500 Series
switches and Cisco 7600 Series routers.
Procedure
Step 1

(Device view) Select a Catalyst device, then select Interfaces/VLANs from the
Policy selector.

Step 2

Click the Summary tab in the work area. The Summary tab is displayed. For a
description of the fields on this tab, see Interfaces/VLANs Page - Summary Tab,
page M-42.

Related Topics

Managing Catalyst Devices, page 16-1

Interfaces/VLANs Page - Summary Tab, page M-42

Interfaces/VLANs Page, page M-3

Chapter 17

Managing IPS Devices


Network sensing in support of intrusion prevention can be accomplished using a
sensor, an IDSM (Intrusion Detection System Module), a Cisco IOS router
running IOS IPS, and line-card modules running in certain Cisco IOS routers.
These sensing platforms are components of the
Cisco Intrusion Prevention System and can be managed by Cisco Security
Manager.
These sensing platforms monitor and analyze network traffic in real time. They
do this by looking for anomalies and misuse on the basis of an extensive
embedded signature library. However, these platforms differ in how they can
respond to perceived intrusions.
The following topics describe how to manage IPS devices (Cisco IPS sensors and
Cisco IOS IPS devices):

Identifying Allowed Hosts, page 17-2

Configuring SNMP, page 17-2

Configuring the External Product Interface, page 17-5

Identifying an NTP Server, page 17-9

Configuring Logging, page 17-10

Configuring Blocking, page 17-11

Configuring Virtual Sensors, page 17-12

Identifying Allowed Hosts


By default, all hosts on your network can connect to a sensor to configure it and
receive alarm data from it. However, you can identify the hosts that are allowed
to connect to a sensor, and no other hosts will be allowed to connect.
This procedure describes how to identify allowed hosts for a sensor.

Note

If you do not identify the Security Manager server as an allowed host, then you
will not be able to connect to your sensors or manage them.
Procedure

Step 1

In Device View, select the sensor for which you want to add an allowed host.

Step 2

Also in Device View, select Platform > Device Admin > Device Access >
Allowed Hosts. The Allowed Hosts summary page appears.

Step 3

Click the Add button. The Add Access List dialog box appears.

Step 4

Enter the network address of the allowed host you want to add, or click the Select
button and select the allowed host in the Networks/Hosts Selector dialog box that
appears. Allowed hosts are entered in prefix notation, <IP network>/<subnet
mask>, for example, 64.0.0.0/8. The hosts available through the Select button
can be predefined from the Security Manager Policy Object Manager (Tools >
Policy Object Manager > Networks/Hosts).

Step 5

Click OK. The Allowed Hosts summary page appears, updated to show the host
that you just added.

Step 6

Click Save to apply your changes and save the revised configuration.

Configuring SNMP
SNMP is a simple request/response application-layer protocol for the exchange of
management information between network devices. In SNMP, there is a
network-management system, which issues requests, and there are managed
devices, which return responses. SNMP implements these requests and responses
by using one of four protocol operations: Get, GetNext, Set, and Trap. An SNMP
trap is a notification. You can configure an IPS sensor to send a trap to classify
an event as a warning, as an error, or as fatal.
The General Configuration tab on the SNMP page enables you to configure
certain general SNMP parameters:

Enable SNMP Gets/Sets - Allows you to enable the sensor to respond to get
and set queries. If this field is disabled, the sensor does not respond to the
query.

Read-Only Community String - Sets the read-only community string of the
sensor to a string you specify. When a sensor receives an SNMP get request
with the specified read-only community string, it responds. This string gives
access to all SNMP get requests.

Read-Write Community - Sets the read-write community string of the
sensor to a string you specify. When a sensor receives an SNMP get request,
or an SNMP set request, with the specified read-write community string, it
responds. This string gives access to all SNMP get requests and set requests.

Sensor Agent Port - Instructs a sensor to run the SNMP agent on the specified
port. Valid port numbers range from 1 to 65535.

Protocol - Instructs a sensor to run SNMP on top of a particular transport
protocol. The options available are TCP (Transmission Control Protocol) and
UDP (User Datagram Protocol).

The SNMP Trap Configuration tab on the SNMP page enables you to configure
SNMP traps, to enable error events notification, to enable detailed traps, and to
modify the default trap community string:

Enable Traps - Allows you to enable the sensor to notify interested parties
whenever a specific type of event occurs in a sensor. When you select this
check box, the sensor is instructed to perform notification. (You can also use
the Traps Destination function to configure interested parties.) If the Enable
Traps check box is not selected, the sensor does not respond to the query.

Select the error events to notify through SNMP - Use this set of check
boxes to specify the level of notifications that are enabled. The three levels of
notification are Fatal, Error, and Warning. When you select one or more of
these check boxes, you enable the sensor to send notification of events that
correspond to the levels selected.

Enable detailed traps for alerts - When you select this check box, you
enable the sensor to send the detailed traps for all alerts.
Default Trap Community String - All traps that are being notified carry a
community string. All traps that have a community string identical to that of
the destination are taken by the destination. All other traps are discarded by
the destination. This is a primary default condition, but this default can also
be overridden at any destination.

This procedure describes how to configure general SNMP parameters and how to
configure SNMP traps.
Procedure
Step 1

In Device view, select the sensor for which you want to configure general SNMP
parameters or SNMP traps or both.

Step 2

Also in Device View, select Platform > Device Admin > Device Access >
SNMP. The SNMP summary page appears, and the General Configuration tab is
visible by default. The General Configuration tab displays the general SNMP
parameters, which are the parameters that the SNMP management workstation
(on the Security Manager server) can request from the SNMP agent (on the
sensor).

Step 3

Check the Enable SNMP Gets/Sets check box to enable the sensor to respond to
get and set queries.

Step 4

In the Read-Only Community String field, enter the read-only community string.
The read-only community string helps identify the SNMP agent (on the sensor).

Step 5

In the Read-Write Community String field, enter the read-write community string.
The read-write community string helps identify the SNMP agent (on the sensor).

Note

The management workstation (on the Security Manager server) sends SNMP
requests to the SNMP agent (on the sensor). If the management workstation issues
a request and the community string does not match what is on the sensor, the
sensor rejects it.

Step 6

In the Sensor Contact field, enter the user ID of the person who is the sensor
contact.

Step 7

In the Sensor Location field, enter the location of the sensor.

Step 8

In the Sensor Agent Port field, enter the port of the SNMP agent (on the sensor).
The default SNMP port number is 161.

Step 9

From the Sensor Agent Protocol drop-down list, choose the protocol that the
SNMP agent (on the sensor) will use. The default protocol is UDP.

Step 10

Click Save to apply your changes and save the revised configuration.

Step 11

Click the SNMP Trap Configuration tab. The SNMP trap configuration fields are
visible on this tab.

Step 12

To enable SNMP traps, check the Enable Notifications check box.

Step 13

In the Error Filter area, select the type(s) of error events you want to be notified
about through SNMP traps. The types of error events you can select are Warning,
Error, and Fatal.

Step 14

To receive detailed SNMP traps, check the Enable Detail Traps check box.

Step 15

In the Default Trap Community String field, enter the community string to be
included in the detailed traps.

Step 16

In the Trap Destinations area, click the Add button. The Add Snmp Trap
Communication dialog box appears.

Step 17

In the Ip Address field, enter the IP address of the SNMP management station (on
the Security Manager server).

Step 18

In the Trap Community String field, enter the trap Community string.

Step 19

In the Trap Port field, enter the UDP port or the TCP port of the SNMP
management station (on the Security Manager server), depending upon whether
you chose UDP or TCP in the Sensor Agent Protocol drop-down list on the
General Configuration tab.

Step 20

Click Save to apply your changes and save the revised configuration.

Configuring the External Product Interface


The External Product Interface tab in the Server Access folder enables you to
configure Management Center for Cisco Security Agents settings.
In general, the external product interface is designed to receive and process
information from external security and management products. These external
security and management products collect information that can be used to
automatically enhance the sensor configuration information. In particular, in
IPS 6.0, Management Center for Cisco Security Agents is the only external
product that can be configured to communicate with the IPS. At most two
Management Center for Cisco Security Agents servers can be configured per IPS.
Management Center for Cisco Security Agents enforces a security policy on
network hosts. It has two components:

Agents that reside on and protect network hosts.

A management console - An application that manages agents. It downloads
security policy updates to agents and uploads operational information from
agents.

For detailed information on Management Center for Cisco Security Agents, refer
to About CSA MC in Installing and Using Cisco Intrusion Prevention System
Device Manager 6.0. (You will be prompted to log in.)
Before You Begin

Add the external product as an allowed host so that Security Manager allows the
sensor to communicate with the external product. For more information, refer to
Identifying Allowed Hosts, page 17-2.
Procedure

This procedure describes how to add, edit, and delete external product interfaces
and posture ACLs.
Step 1

In Device View, select the sensor for which you want to configure an external
product interface.

Step 2

Also in Device View, select Platform > Device Admin > Server Access >
External Product Interface. The External Product Interface page appears, and
the Management Center for Cisco Security Agents tab is active.

Step 3

Click the Add button. The Add External Product Interface dialog box appears.

Step 4

In the External Product's IP Address field, enter the IP address of the external
product.

Step 5

In the Port field, change the default port 443 if you need to.

Step 6

Configure the authentication settings:


a.

In the User name field, enter the user name of the user who can log in to the
external product.

b.

In the Password field, enter the password the user will use.


Step 7

(Optional) Check the Enable receipt of host postures check box to allow the host
posture information to be passed from the external product to the sensor. This
check box is selected by default, so you must deselect it if you do not want this
configuration.

Note

If you do not check the Enable receipt of host postures check box, the
host posture information received from the Management Center for Cisco
Security Agents is deleted.

Step 8

(Optional) Check the Allow unreachable hosts postures check box to allow the
host posture information from unreachable hosts to be passed from the external
product to the sensor. This check box is selected by default, so you must deselect
it if you do not want this configuration.

Note

A host is not reachable if the Management Center for Cisco Security
Agents cannot establish a connection with the host on any of the IP
addresses in the host's posture. This option is useful in filtering the
postures whose IP addresses may not be visible to the IPS or may be
duplicated across the network. This filter is most applicable in network
topologies where hosts that are not reachable by the Management Center
for Cisco Security Agents are also not reachable by the IPS, for example
if the IPS and the Management Center for Cisco Security Agents are on
the same network segment.

Step 9

(Optional) Configure the watch list settings:

a.

Check the Enable receipt of watch listed addresses check box to allow the
watch list information to be passed from the external product to the sensor.
This check box is selected by default, so you must deselect it if you do not
want this configuration.

Note

If you do not check the Enable receipt of watch listed addresses
check box, the watch list information received from the Management
Center for Cisco Security Agents is deleted.

b.

In the Manual Watch List RR (Risk Rating) increase field, you can change the
percentage from the default of 25. The valid range is 0 to 35.

c.

In the Session-based Watch List RR Increase field, you can change the
percentage from the default of 25. The valid range is 0 to 35.

d.

In the Packet-based Watch List RR Increase field, you can change the
percentage from the default of 10. The valid range is 0 to 35.

Step 10

(Optional) Click the Add button to add a posture ACL (Access Control List).
The Add Posture Acl dialog box appears.

Note

Posture ACLs are network address ranges for which host postures are
allowed or denied. Use posture ACLs to filter postures that have IP
addresses that may not be visible to the IPS or may be duplicated across
the network.

Step 11

(Optional unless you chose to add a posture ACL) In the Network Address field,
enter the network address the posture ACL will use.

Step 12

(Optional unless you chose to add a posture ACL) In the Action drop-down list,
choose the action (Deny or Permit) the posture ACL will take.

Step 13

(Optional unless you chose to add a posture ACL) Click OK.


The new posture ACL appears in the Posture ACLs list in the Add External
Product Interface dialog box.
You can use the Move Up and Move Down buttons to reorder the posture ACLs
that you create.
ACLs will be applied in order from the top of the list to the bottom.

Step 14

To modify an existing posture ACL, select it, and then click the Edit button. The
Modify Posture ACL dialog box appears.

Step 15

Modify the Network Address and Action fields.

Step 16

Click OK. The modified posture ACL appears in the Posture ACLs list in the Add
External Product Interface dialog box.

Step 17

To delete a posture ACL from the list, select it, and then click the Delete button.
The posture ACL no longer appears in the Posture ACLs list in the Add External
Product Interface dialog box.

Step 18

Click OK. The external product interface now appears in the Management Center
for Cisco Security Agents settings summary table.


Step 19

To edit the external product interface, select it, and then click the Edit button. The
Edit External Product Interface dialog box appears.

Step 20

Make any changes needed to the fields in the dialog box.

Step 21

Click OK. The edited external product interface appears in the Management
Center for Cisco Security Agents settings summary table.

Step 22

To delete an external product interface, select it, and then click the Delete button.
The external product interface no longer appears in the Management Center for
Cisco Security Agents settings summary table.

Step 23

Click Save to apply your changes and save the revised configuration.
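The three filters configured in this procedure (receipt of host postures, the unreachable-host filter, and the ordered posture ACLs) decide which CSA MC postures a sensor keeps. The following is an added example, not code from Cisco Security Manager or the IPS, that applies those settings to a few constructed postures. Two details are assumptions because the page does not state them: the first posture ACL that covers an address wins (the page says ACLs are applied top to bottom), and a posture whose addresses match no ACL is permitted. The host names, subnets and configuration values are constructed.

```python
"""Added example (not Cisco's code): filtering host postures from a CSA MC
according to the External Product Interface settings described above.

Assumptions not stated on the page: the first matching posture ACL wins,
and an address that matches no ACL is permitted."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostPosture:
    host_id: str
    addresses: list     # IP addresses the CSA MC reports for the host
    reachable: bool     # could the CSA MC connect to any of those addresses?


@dataclass
class PostureAcl:
    network: str        # network address, e.g. "10.10.5.0/24"
    action: str         # "Permit" or "Deny"


@dataclass
class ExternalProductInterface:
    enable_receipt_of_host_postures: bool = True
    allow_unreachable_host_postures: bool = True
    posture_acls: list = field(default_factory=list)   # ordered top to bottom


def acl_decision(acls, address, default="Permit"):
    """Walk the ACLs in list order; the first entry covering the address decides."""
    ip = ipaddress.ip_address(address)
    for acl in acls:
        if ip in ipaddress.ip_network(acl.network, strict=False):
            return acl.action
    return default   # assumption: no match means the posture is permitted


def accept_posture(cfg, posture):
    """Return (accepted, reason) for one posture, mirroring the three settings."""
    if not cfg.enable_receipt_of_host_postures:
        return False, "host posture receipt disabled; posture deleted"
    if not posture.reachable and not cfg.allow_unreachable_host_postures:
        return False, "unreachable host filtered"
    for addr in posture.addresses:
        if acl_decision(cfg.posture_acls, addr) == "Deny":
            return False, f"{addr} denied by posture ACL"
    return True, "accepted"


def filter_postures(cfg, postures):
    """Evaluate a batch of postures; returns host_id -> (accepted, reason)."""
    return {p.host_id: accept_posture(cfg, p) for p in postures}


# Constructed sample configuration and postures (not real addresses).
SAMPLE_CONFIG = ExternalProductInterface(
    allow_unreachable_host_postures=False,
    posture_acls=[
        PostureAcl("10.10.5.0/24", "Permit"),   # lab subnet the IPS can see
        PostureAcl("10.10.0.0/16", "Deny"),     # rest of 10.10/16 is duplicated elsewhere
    ],
)
SAMPLE_POSTURES = [
    HostPosture("ws-01", ["10.10.5.20"], True),
    HostPosture("ws-02", ["10.10.9.7"], True),
    HostPosture("ws-03", ["192.168.1.5"], False),
    HostPosture("ws-04", ["172.16.3.3", "10.10.9.8"], True),
]

if __name__ == "__main__":
    for host, (ok, why) in filter_postures(SAMPLE_CONFIG, SAMPLE_POSTURES).items():
        print(host, "accepted" if ok else "dropped", "-", why)
```

Swapping the two sample ACLs reverses the result for ws-01, which is why the Move Up and Move Down buttons matter: a broad Deny placed above a narrow Permit silently discards the postures you wanted.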

Identifying an NTP Server


Network Time Protocol (NTP) server time can be used with a sensor if the sensor
is managed by Security Manager.
For detailed information on how to set the time on a sensor, refer to Configuring
the Sensor to Use an NTP Time Source in Configuring the Cisco Intrusion
Prevention System Sensor Using the Command Line Interface Version 6.0.

Tip

Check the time on your IPS sensor if you are having trouble updating your IPS
software. If the time on the sensor is ahead of the time on the associated
certificate, the certificate is rejected, and the sensor software update fails.
Procedure

Step 1

In Device view, select the IPS sensor for which you want to identify an NTP
server.

Step 2

Select Platform > Device Admin > Server Access > NTP. The Network Time
Protocol page appears.

Step 3

In the NTP Server IP Address field, enter the address of the NTP server. You can
use the Select button to select previously defined hosts from the Security Manager
Policy Object Manager (Tools > Policy Object Manager > Networks/Hosts).


Step 4

In the Key field, enter the key value of the NTP server. The key is an MD5 type
of key (either numeric or character); it is the key that was used to set up the NTP
server.

Step 5

In the Key ID field, enter the key ID value of the NTP server.

Step 6

Click Save to save your definitions to the Security Manager server.
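The Key and Key ID entered above are the two halves of NTP symmetric-key authentication: each authenticated NTP packet carries the key ID and an MD5 digest computed over the shared key followed by the 48-byte packet header, and the receiver looks the key up by ID and recomputes the digest. The following added example, not code from Cisco or from any NTP implementation, builds and verifies such an authenticator so the effect of a mismatched key or key ID is visible. The key table and key strings are constructed placeholders; the key bytes are taken as the raw characters of the key string, which is an assumption about how the server stores them.

```python
"""Added example (not Cisco's code): the NTP symmetric-key MD5 authenticator
that the Key and Key ID settings feed. Per RFC 5905 the MAC appended to the
48-byte header is: 4-byte key ID, then MD5(key || header)."""
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01


def build_client_header(transmit_ts=None):
    """Minimal NTPv4 client request (LI=0, VN=4, Mode=3) with a transmit timestamp."""
    if transmit_ts is None:
        transmit_ts = time.time()
    secs = int(transmit_ts) + NTP_EPOCH_OFFSET
    frac = int((transmit_ts - int(transmit_ts)) * (1 << 32))
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3           # LI | VN | Mode
    struct.pack_into("!II", header, 40, secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)
    return bytes(header)


def append_mac(header, key_id, key):
    """Client side: append key ID and MD5 digest over key + header."""
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_mac(packet, trusted_keys):
    """Receiver side: look up the key by ID, recompute, compare in constant time."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False, "no authenticator or wrong length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"unknown key ID {key_id}"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch (wrong key)"
    return True, f"authenticated with key ID {key_id}"


# Constructed key table: key IDs and key strings are placeholders, not real values.
TRUSTED_KEYS = {1: b"example-ntp-key-1", 7: b"example-ntp-key-7"}


def demo():
    """Sensor-side view: a request signed with key ID 7 is accepted by a peer holding the same table."""
    pkt = append_mac(build_client_header(1_700_000_000.25), 7, TRUSTED_KEYS[7])
    return verify_mac(pkt, TRUSTED_KEYS)


if __name__ == "__main__":
    print(demo())
```

The sensor fails to synchronise, not just the client, when either value differs from the server's table: an unknown key ID is rejected before any digest is computed, and a wrong key produces a digest mismatch.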

Configuring Logging
The Logging page in the Platform folder in Device view is where you configure
traffic flow notifications and Analysis Engine global variables.
Traffic flow notifications have to do with the flow of traffic across the interface of
a sensor. You can configure the sensor to monitor the flow of packets across an
interface and send notification if that flow changes (starts and stops) during a
specified interval. You can configure the missed packet threshold within a specific
notification interval and also configure the interface idle delay before a status
event is reported.
Procedure

This procedure describes how to configure traffic flow notifications.


Step 1

In Device view, select an IPS sensor from the Device selector.

Step 2

Select Platform > Logging. The Logging page appears with the Interface
Notifications tab selected.

Step 3

Determine the percentage of missed packets that must occur before you want to
receive notification, and enter that value in the Missed Packets Threshold field.

Step 4

Determine the number of seconds over which you want the percentage of missed
packets to be checked, and enter that value in the Notification Interval field.

Step 5

Determine the number of seconds that you will allow an interface to be idle (not
receiving packets) before you want to be notified, and enter that value in the
Interface Idle Threshold field.
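To make the interaction of the three Interface Notifications settings concrete, here is an added example, not Cisco's code, that applies them to constructed per-interval packet counters for one sensing interface. The page gives the settings but not the sensor's evaluation algorithm, so the following is assumed: the missed-packet percentage is computed over each Notification Interval, an interface is reported idle once it has received nothing for at least Interface Idle Threshold seconds, and a single event is raised per idle period with a "traffic resumed" event when packets return. Interface name, timestamps and counters are constructed.

```python
"""Added example (not Cisco's code): the Interface Notifications settings
applied to constructed per-interval interface counters."""
from dataclasses import dataclass


@dataclass
class InterfaceNotificationSettings:
    missed_packets_threshold: float   # percent of packets missed before notifying
    notification_interval: int        # seconds per evaluation window
    interface_idle_threshold: int     # seconds with no packets before an idle event


@dataclass
class IntervalSample:
    interface: str
    start: int        # epoch seconds at which this interval began
    received: int     # packets the sensor received during the interval
    missed: int       # packets the capture driver reported dropped


def missed_percent(sample):
    total = sample.received + sample.missed
    return 0.0 if total == 0 else 100.0 * sample.missed / total


def evaluate(settings, samples):
    """Return (timestamp, interface, message) status events for ordered samples.

    Assumed semantics: one missed-packet event per interval over threshold, one
    idle event per idle period, and a 'traffic resumed' event when packets return."""
    events = []
    last_seen_end = {}    # interface -> end time of the last interval with packets
    idle_reported = {}    # interface -> True while an idle event is outstanding
    for s in samples:
        end = s.start + settings.notification_interval
        pct = missed_percent(s)
        if pct > settings.missed_packets_threshold:
            events.append((s.start, s.interface,
                           f"missed-packet threshold exceeded: {pct:.1f}%"))
        if s.received > 0:
            if idle_reported.get(s.interface):
                events.append((s.start, s.interface, "traffic resumed"))
                idle_reported[s.interface] = False
            last_seen_end[s.interface] = end
            continue
        idle_for = end - last_seen_end.get(s.interface, s.start)
        if idle_for >= settings.interface_idle_threshold and not idle_reported.get(s.interface):
            events.append((s.start, s.interface, f"interface idle for {idle_for}s"))
            idle_reported[s.interface] = True
    return events


# Constructed sample: 30-second intervals on one sensing interface.
SAMPLE_SETTINGS = InterfaceNotificationSettings(5.0, 30, 60)
SAMPLE_COUNTERS = [
    IntervalSample("GigabitEthernet0/1", 0, 1000, 10),    # 1.0% missed, under threshold
    IntervalSample("GigabitEthernet0/1", 30, 900, 100),   # 10.0% missed, notify
    IntervalSample("GigabitEthernet0/1", 60, 0, 0),       # quiet for 30 s, not yet idle
    IntervalSample("GigabitEthernet0/1", 90, 0, 0),       # quiet for 60 s, idle event
    IntervalSample("GigabitEthernet0/1", 120, 0, 0),      # still idle, no repeat event
    IntervalSample("GigabitEthernet0/1", 150, 50, 0),     # packets again, resumed event
]

if __name__ == "__main__":
    for ts, ifc, msg in evaluate(SAMPLE_SETTINGS, SAMPLE_COUNTERS):
        print(f"t={ts:>4}s {ifc}: {msg}")
```

A missed-packet event is worth alerting on from a monitoring standpoint: sustained drops on a promiscuous interface mean traffic the sensor never inspected, and an idle event on an interface that should always carry traffic usually means a SPAN or VACL capture session has been changed.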


Configuring Analysis Engine Global Variables


The Analysis Engine performs packet analysis and alert detection. It monitors
traffic that flows through specified interfaces. For the Analysis Engine, there is
only one global variable: Maximum Open IP Log Files.
Procedure

This procedure describes how to configure Analysis Engine global variables.


Step 1

In Device view, select an IPS sensor from the Device selector.

Step 2

Select Platform > Logging. The Logging page appears.

Step 3

Select the Analysis Engine tab.

Step 4

Determine the maximum number of open IP log files that you want to have and
enter that value in the Maximum Open IP Log Files field. The valid range is from
20 to 100. The default is 20.

Configuring Blocking
Blocking is one of the most common and well-established responses that is made
by Cisco IPS when it detects an intrusion or malicious activity. In Cisco IPS, block
means to block attacks on your network by blocking offending traffic: The IPS
device communicates with a network device such as a Cisco IOS router and
applies an access control list (ACL) entry specifying that the source address of the
attack be denied.
To configure blocking in Security Manager, you must specify the network device
that performs the blocking and then specify several parameters to configure
blocking as an effective response that protects your network. A network device
that performs blocking is called a blocking device. Before you can use a network
device as a blocking device, you must identify it in Security Manager and specify
its properties.
Many network devices can be used to support blocking: Cisco IOS routers, Cisco
firewalls, and Catalyst 6000-series switches.


An essential part of configuring blocking is identifying hosts and networks that
should never be blocked. For example, you may have a trusted network device
whose normal, expected behavior mimics an attack, but such a device should
never be blocked. Also, trusted internal networks should never be blocked, such
as the network where Security Manager is running.

Note

In IOS IPS, you cannot identify hosts and networks that should never be blocked.

Attack Response Control (ARC) is responsible for rate limiting traffic in
protected networks. Rate limiting lets sensors restrict the rate of specified traffic
classes on network devices. Rate limit responses are supported for the Host Flood
and Net Flood engines, and the TCP half-open SYN signature. ARC can configure
rate limits on network devices running Cisco IOS version 12.3 or later. Rate
limiting can be configured with Security Manager on the Blocking page.
In some configurations it may be more effective to have a proxy sensor that
controls blocking on one or more network devices on behalf of one or more other
sensors. These proxy sensors are referred to as master blocking sensors. Rate limit
requests can be forwarded to other sensors using the master blocking sensor
forwarding mechanism.

Note

Attack Response Control (ARC) was previously referred to as Network Access
Control.

Use the Blocking page in the Security folder to specify the devices that will
perform blocking and to specify other parameters.
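The page describes a block as the sensor applying an ACL entry on a blocking device that denies the attack's source address, and it stresses that trusted hosts and networks (the Security Manager network among them) must never be blocked. The following is an added example, not Cisco's ARC code, showing the never-block check that belongs in front of every blocking response and the deny entries that result. It assumes the Cisco IOS extended-ACL form `deny ip host <source> any` for the entry; the never-block list and the alert source addresses are constructed.

```python
"""Added example (not Cisco's code): never-block screening before a blocking
response is turned into an ACL entry on a blocking device.

Assumed ACE form: the Cisco IOS extended-ACL entry 'deny ip host <src> any'."""
import ipaddress


def build_never_block(entries):
    """Parse the operator's hosts and networks that must never be blocked."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_protected(src, never_block):
    """True if the address falls inside any never-block host or network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in never_block)


def blocking_ace(src, never_block, seq=None):
    """Return the ACE denying the source, or None when the source is protected."""
    if is_protected(src, never_block):
        return None
    ace = f"deny ip host {ipaddress.ip_address(src)} any"
    return ace if seq is None else f"{seq} {ace}"


def plan_blocks(sources, never_block, start_seq=10, step=10):
    """Turn alert source addresses into ordered ACEs; skip protected and repeated ones."""
    applied, skipped, seen = [], [], set()
    seq = start_seq
    for src in sources:
        ip = str(ipaddress.ip_address(src))
        if ip in seen:
            continue            # one entry per offending address
        seen.add(ip)
        ace = blocking_ace(ip, never_block, seq)
        if ace is None:
            skipped.append(ip)  # trusted: log it, never push it to the device
        else:
            applied.append(ace)
            seq += step
    return applied, skipped


# Constructed sample input: management networks and one trusted scanner are protected.
NEVER_BLOCK = build_never_block(["10.0.0.0/8", "192.168.50.0/24", "203.0.113.7"])
ALERT_SOURCES = ["198.51.100.23", "10.20.30.40", "203.0.113.7",
                 "198.51.100.23", "192.0.2.9"]

if __name__ == "__main__":
    entries, protected = plan_blocks(ALERT_SOURCES, NEVER_BLOCK)
    print("\n".join(entries))
    print("not blocked (never-block list):", protected)
```

The skipped list is the useful operational output: a trusted scanner or management host that keeps showing up there is the page's "trusted network device whose normal, expected behavior mimics an attack", and it should be tuned at the signature or event-action level rather than removed from the never-block list.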

Configuring Virtual Sensors


The Virtual Sensors page is where you create, name, and configure virtual sensors
on your Cisco IPS devices. A virtual sensor is a logical grouping of sensing
interfaces and the configuration policy for the signature engines and event action
filters to apply.


The process of creating and naming virtual sensors on your Cisco IPS devices is
sometimes called virtualization. Virtualization is the separation of a single
physical IPS device into two or more logical devices on the basis of port, IP
address range, VLAN tag, and other criteria.

Note

Not all Cisco IPS 4200 Series Sensors support virtual sensors; specifically, the
Cisco IPS 4215 does not support virtual sensors. IDSM2 supports virtualization
except for vlan-groups on inline-interface-pairs. NM-CIDS does not support
virtualization.

Note

Not all versions of Cisco Intrusion Prevention System support virtual sensors;
specifically, support for virtual sensors requires Cisco IPS 6.0 or later.

Note

Virtual sensors are not supported by Cisco IOS IPS.


Creating a virtual sensor involves signature policies, event action policies,
anomaly detection policies, and interfaces. More specifically, creating a virtual
sensor involves the following policy configuration instances:

• Signature definition (optional)

• Anomaly detection (optional)

• Anomaly detection operation mode (optional)

• Event action rules (optional)

• List of assigned/available interfaces (required)

After defining these policies, you need to apply these policies to the virtual sensor.

Note

The Virtual Sensors policy cannot be inherited or shared.


Advantages of Virtualization
An advantage of using virtual sensors is that you can operate more than one virtual
sensor on one appliance while configuring each virtual sensor differently with
regard to signature behavior and traffic feed. For example, if you want to create a
policy for a data center and a second much different policy for the campus
network, yet run both policies on the same hardware device, Security Manager
enables you to do so.
You can configure up to four virtual sensors on one appliance, but you can add
only three (the number four being the sum of vs0, the default virtual sensor, and
the three that you can add). No packet is processed by more than one virtual
sensor.
In summary, virtualization has the following advantages:

• You can apply different configurations to different sets of traffic.

• You can monitor two networks with overlapping IP spaces with one sensor.

• You can monitor both inside and outside a firewall or NAT device.

Virtualization has the following disadvantages:

• You must assign both sides of asymmetric traffic to the same virtual sensor.

• Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with
regard to VLAN tagging, which causes problems with VLAN groups.

  • When using Cisco IOS software, a VACL capture port or a SPAN target
  does not always receive tagged packets even if it is configured for
  trunking.

  • When using the MSFC, fast path switching of learned routes changes the
  behavior of VACL captures and SPAN.

• Persistent store is limited.

Virtualization has the following traffic capture requirements:

• The virtual sensor must receive traffic that has 802.1q headers (other than
traffic on the native VLAN of the capture port).

• The sensor must see both directions of traffic in the same VLAN group in the
same virtual sensor for any given sensor.


Understanding the Virtual Sensor


The sensor can receive data inputs from one or many monitored data streams.
These monitored data streams can either be physical interface ports or virtual
interface ports. For example, a single sensor can monitor traffic from in front of
the firewall, from behind the firewall, or from in front of and behind the firewall
concurrently. And a single sensor can monitor one or more data streams. In this
situation a single sensor policy or configuration is applied to all monitored data
streams.
A virtual sensor is a collection of data that is defined by a set of configuration
policies. The virtual sensor is applied to a set of packets as defined by interface
component.
A virtual sensor can monitor multiple segments, and you can apply a different
policy or configuration for each virtual sensor within a single physical sensor. You
can set up a different policy per monitored segment under analysis. You can also
apply the same policy instance, for example, sig0, rules0, or ad0, to different
virtual sensors.
You can assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN
groups to a virtual sensor.

Note

The default virtual sensor is vs0. You cannot delete the default virtual sensor;
however, you can edit it and change the interfaces, anomaly detection mode, inline
TCP session tracking mode, and the description.

Assigning Interfaces to Virtual Sensors


A Cisco IPS sensor monitors traffic that traverses (1) interfaces, (2) interface
pairs, or (3) VLAN pairs assigned to a virtual sensor.
You can assign one or more of the following types of interfaces to a virtual sensor:

• promiscuous interface

• inline interface pair

• inline VLAN pair

• promiscuous VLAN group

• inline VLAN group



A promiscuous VLAN group is a VLAN group assigned to a subinterface on an
interface. The interface cannot already be used for an inline interface or VLAN
pair. There can be many promiscuous VLAN groups on the same promiscuous
interface, but the VLANs assigned cannot overlap. Once a VLAN group is
assigned to a promiscuous interface, it is no longer a plain promiscuous interface
and can only be used for promiscuous VLAN groups.
An inline VLAN group is a VLAN group assigned to a subinterface of an existing
inline interface pair. There can be many inline VLAN groups on the same inline
interface pair, but the VLANs assigned cannot overlap. Once a VLAN group is
assigned to an inline interface pair it is no longer a plain inline interface pair and
can only be used for inline VLAN groups.
VLAN groups cannot be assigned to inline VLAN pairs.
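The rules spread across the virtualization sections above (four virtual sensors at most, vs0 cannot be deleted, no packet is processed by more than one virtual sensor, VLAN groups on the same interface or inline pair cannot overlap, an interface carrying VLAN groups is no longer a plain interface or pair, and VLAN groups cannot be assigned to inline VLAN pairs) are the kind of constraints worth checking before a deployment rather than discovering from a rejected configuration. The following is an added example, not Security Manager's validation code, that encodes those rules as a validator over a simple model of virtual sensors and their interface assignments. Interface and pair names, VLAN numbers and the sample configurations are constructed.

```python
"""Added example (not Cisco's code): a validator for the virtual-sensor
interface assignment rules stated on this page."""
from dataclasses import dataclass, field

MAX_VIRTUAL_SENSORS = 4          # vs0 plus the three you can add
PLAIN_KINDS = {"promiscuous", "inline-pair", "inline-vlan-pair"}
GROUP_KINDS = {"promiscuous-vlan-group", "inline-vlan-group"}


@dataclass
class Assignment:
    kind: str                          # one of PLAIN_KINDS or GROUP_KINDS
    parent: str                        # interface name, or pair name for pair kinds
    vlans: frozenset = frozenset()     # VLAN IDs; only used by GROUP_KINDS


@dataclass
class VirtualSensor:
    name: str
    assignments: list = field(default_factory=list)


def validate(sensors):
    """Return the list of rule violations; an empty list means the set is valid."""
    errors = []
    if "vs0" not in [s.name for s in sensors]:
        errors.append("vs0 is missing; the default virtual sensor cannot be deleted")
    if len(sensors) > MAX_VIRTUAL_SENSORS:
        errors.append(f"{len(sensors)} virtual sensors; maximum is "
                      f"{MAX_VIRTUAL_SENSORS} (vs0 plus three)")
    plain_owner = {}   # parent -> virtual sensor owning the whole interface/pair
    group_owner = {}   # (parent, vlan) -> virtual sensor owning that VLAN
    kinds_on = {}      # parent -> set of assignment kinds placed on it
    for vs in sensors:
        for a in vs.assignments:
            kinds_on.setdefault(a.parent, set()).add(a.kind)
            if a.kind in PLAIN_KINDS:
                # No packet is processed by more than one virtual sensor.
                prev = plain_owner.setdefault(a.parent, vs.name)
                if prev != vs.name:
                    errors.append(f"{a.parent} assigned to both {prev} and {vs.name}")
            elif a.kind in GROUP_KINDS:
                for vlan in sorted(a.vlans):
                    if (a.parent, vlan) in group_owner:
                        errors.append(f"VLAN {vlan} on {a.parent} already assigned "
                                      f"to {group_owner[(a.parent, vlan)]}")
                    else:
                        group_owner[(a.parent, vlan)] = vs.name
            else:
                errors.append(f"{vs.name}: unknown assignment kind {a.kind!r}")
    for parent, kinds in kinds_on.items():
        if "inline-vlan-pair" in kinds and kinds & GROUP_KINDS:
            errors.append(f"{parent}: VLAN groups cannot be assigned to an inline VLAN pair")
        elif kinds & PLAIN_KINDS and kinds & GROUP_KINDS:
            errors.append(f"{parent}: once VLAN groups are assigned it is no longer "
                          "a plain interface or pair")
    return errors


# Constructed sample configurations.
VALID = [
    VirtualSensor("vs0", [Assignment("promiscuous", "GigabitEthernet0/0")]),
    VirtualSensor("vs1", [Assignment("promiscuous-vlan-group", "GigabitEthernet0/1",
                                     frozenset({10, 20}))]),
    VirtualSensor("vs2", [Assignment("promiscuous-vlan-group", "GigabitEthernet0/1",
                                     frozenset({30})),
                          Assignment("inline-pair", "pair0")]),
]
INVALID = VALID + [
    VirtualSensor("vs3", [Assignment("promiscuous-vlan-group", "GigabitEthernet0/1",
                                     frozenset({20, 40})),            # VLAN 20 overlaps vs1
                          Assignment("inline-vlan-group", "pair0",
                                     frozenset({100}))]),             # pair0 is a plain pair
    VirtualSensor("vs4", [Assignment("inline-vlan-pair", "GigabitEthernet0/2"),
                          Assignment("inline-vlan-group", "GigabitEthernet0/2",
                                     frozenset({5}))]),               # group on a VLAN pair
]

if __name__ == "__main__":
    print("valid:", validate(VALID))
    print("invalid:", *validate(INVALID), sep="\n  ")
```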

Viewing Your Virtual Sensors


This procedure describes how to see a summary table of all the virtual sensors for
a particular IPS device.
Procedure
Step 1

In Device view, select an IPS device from the Device selector.

Step 2

Select Virtual Sensors. The Main Virtual Sensor Table appears.

Defining A Virtual Sensor


This procedure describes how to define, or add, a virtual sensor for an IPS device.
Procedure
Step 1

In Device view, select an IPS device from the Device selector.

Step 2

Select Virtual Sensors. The Main Virtual Sensor Table appears.

Step 3

Click the Add button. The Add Virtual Sensor dialog box appears.


Step 4

Enter the Virtual Sensor Name, Anomaly Detection Mode, and Inline TCP
Session Tracking Mode.

Step 5

Click OK to save your changes.

Note

The display name of the real device is prepended to the beginning of the name of
the virtual sensor. As a result, the virtual sensors appear next to the real device
that the virtual sensor is on. For example, on the host (real device) named bob,
the virtual sensor with the name vs1 will appear in the device list as bob_vs1.

Step 6

Click Save.

Note

After you click Save, you must click File > Submit for the new virtual sensor to
appear in the device list. After you click File > Submit, a moment is required for
the new virtual sensor to appear.

Editing A Virtual Sensor


This procedure describes how to edit a virtual sensor for an IPS device.
Procedure
Step 1

In Device view, select an IPS device from the Device selector.

Step 2

Select Virtual Sensors. The Main Virtual Sensor Table appears.

Step 3

Click the Edit button. The Edit Virtual Sensor dialog box appears.

Step 4

Edit the Virtual Sensor Name, Anomaly Detection Mode, and Inline TCP Session
Tracking Mode.

Step 5

Click OK to save your changes.


Deleting A Virtual Sensor


This procedure describes how to delete a virtual sensor from an IPS device.
Procedure
Step 1

In Device view, select an IPS device from the Device selector.

Step 2

Select Virtual Sensors. The Main Virtual Sensor Table appears.

Step 3

Select a virtual sensor in the summary table.

Note

You cannot delete vs0, the default virtual sensor.

Step 4

Click the Delete button. The virtual sensor that you selected is deleted.

Note

After you delete a virtual sensor, it will take a few moments before the device
view is updated and the virtual sensor disappears from the list of devices.


Chapter 18

Managing Deployment
The settings and policies you define in Security Manager must be deployed to
your devices so that you can implement them in your network. The steps you take
to deploy configurations to devices depend on whether you are using Workflow
mode or non-Workflow mode.
Although non-Workflow mode is the default mode of operation for Security
Manager, you can use Workflow mode if your company requires it. For more
information, see Selecting a Workflow Mode, page 2-56.
The following topics provide information about deploying configurations to
devices, in each workflow mode:

• Understanding Deployment, page 18-1

• Working with Deployment, page 18-35

Understanding Deployment
A deployment job defines how configuration changes are sent to devices. In a
deployment job, you can define several parameters, such as the devices to which
you want to deploy configurations and the method used to deploy configurations
to devices. In Workflow mode, you can also specify the dates and times for future
deployments.
Understanding these topics will help you better understand and use the
deployment feature:

• Benefits of Deployment Jobs, page 18-2

• Deployment in Non-Workflow Mode, page 18-3

• Deployment in Workflow Mode, page 18-5

• Including Devices in Deployment Jobs, page 18-10

• Understanding Deployment Methods, page 18-11

• Deploying to a File, page 18-13

• Frequently Asked Questions about Deployment, page 18-17

Benefits of Deployment Jobs


The Deployment feature provides these benefits in both Workflow mode and
non-Workflow mode, unless noted otherwise:

• Previewing and comparing configurations: Before you deploy a
configuration file to a device, you can preview the proposed configuration
file. You can also compare the proposed configuration file to what was last
imported from devices or what is currently running on devices.
After successful deployment to a device, you can view a transcript of the
configuration commands downloaded and the device's responses. For more
information, see Previewing Configurations, page 18-42.

• Aborting deployment jobs: You can stop deployments that have not started
to send a configuration file to a device. You cannot stop deployments that are
in progress or that have completed. For more information, see Aborting
Deployment Jobs, page 18-46.

• Rolling back to a previous configuration: If you deploy configurations to
devices, and then determine that there is something wrong with the new
configurations, you can revert to and deploy the previous configurations for
those devices. For more information, see Rolling Back Configurations to
Devices, page 18-47.

• Viewing deployment summary and detailed information: You can display
information about the deployment to specific devices, including information
about errors, the proposed configuration, and the transcript of the download.
For more information, see Viewing Deployment Summary Information,
page 18-48 or Viewing Deployment Device Details, page 18-49.

• Logging deployment job history (Workflow mode only): You can display the
time that a deployment job was created and when configuration files were
deployed to devices. You can also track whether the deployment to devices
was successful. For more information, see Viewing Deployment Job History,
page 18-56.

• Scheduling deployment jobs (Workflow mode only): You can schedule
deployment jobs to occur at future times. This enables you to plan
deployments for times when traffic on devices is low. For more information,
see Deployment in Workflow Mode, page 18-5.

Deployment in Non-Workflow Mode


These topics help you understand deployment in non-Workflow mode:

• Deployment Task Flow in Non-Workflow Mode, page 18-3

• Job States in Non-Workflow Mode, page 18-4

Deployment Task Flow in Non-Workflow Mode


The deployment task flow in non-Workflow mode consists of three simple steps
(see Figure 18-1):

1.

Create job: A deployment job is created for you when you do one of the
following:

• Click the Submit and Deploy Changes button on the main toolbar.
(Validation is automatically performed on the policies with this option.)

• Select File > Deploy.

• Select Tools > Deployment Manager and click Deploy.

2.

Define job: You specify parameters, such as the devices to which you want
to deploy the configurations and whether you want to deploy directly to the
devices or to a file.
During this step, you can also preview configurations and compare them to
the previously deployed configurations or the configuration currently running
on the device.

Note

Devices selected for one job cannot be included in any other job. This
measure ensures that the order in which policies are deployed is correct.

3.

Deploy job: Deploying the job sends the generated CLI to devices, either
directly or through an intermediary transport server (such as AUS, CNS, or
TMS), or to output files. The destination (device or file) is selected when
defining a job (see step 2). The transport server is selected when defining
devices. See Understanding Deployment Methods, page 18-11 for more
details about defining deployment methods and transport servers. For
information about the effects of deployment on your devices, see Frequently
Asked Questions about Deployment, page 18-17.

Figure 18-1    Deployment Task Flow in Non-Workflow Mode
(Diagram: 1. Create job, 2. Define job, 3. Deploy job)

Job States in Non-Workflow Mode


In non-Workflow mode, the Status column on the Deployment Manager window
lists the state of each job. Table 18-1 lists and describes all possible job states in
non-Workflow mode. For more details, see Deployment Manager Window
(Non-Workflow Mode), page O-2.


Table 18-1    Job States in Non-Workflow Mode

Deployed: Configurations for all the devices in the job were successfully deployed
to the devices or to output files. Devices in the job can now be included in another
job.

Deploying: Configurations generated for the job are being deployed to the devices
or to an output directory (depending on the option selected during job creation).
You can monitor the generation progress for specific devices on the Status tab of
the Deployment page and on the Job Details page. To access the Job Details page,
click the job name in the list.

Aborted: Job was manually halted. Devices in the job can now be included in
another job.

Failed: Deployment to one or more devices in the job failed. Devices in the job can
now be included in another job.

Rolling Back: Security Manager is in the process of reverting to and deploying
previous configurations for the devices within the deployment job. You can abort a
job that is in the Rolling Back state.

Rolled Back: Security Manager has successfully reverted to and deployed previous
configurations for the devices within the deployment job.

Deployment in Workflow Mode


These topics help you understand deployment in Workflow mode:

• Deployment Task Flow in Workflow Mode, page 18-5

• Job States in Workflow Mode, page 18-8

• Deployment Job Approval, page 18-9

• Deployment Job Changes, page 18-10

• Deployment Jobs and Multiple Users, page 18-10

Deployment Task Flow in Workflow Mode


The following is a typical task flow in Workflow mode (see Figure 18-2):
1.

Create job: Before you deploy configurations to your devices, you must
create a deployment job.


2.

Define job: When you create a job, you specify parameters, such as the
devices to which you want to deploy the configurations, whether you want to
deploy directly to the devices or to a file, and when you want the job to take
place.

3.

Submit job: If you are using Workflow mode without a deployment job
approver, you can review and approve the job yourself. Submitting the job
submits and approves the job in one step. Proceed to step 6.
In some organizations, before jobs can be deployed, they must be approved
by a separate user with the appropriate permissions. In this case, Workflow
mode is enabled with a deployment job approver, and you must submit the job
to this user for review. The user reviews the job and either approves or rejects
it.

4.

Approve/Reject job: If you are working in Workflow mode with a


deployment job approver, the approver reviews it, and can then either approve
or reject the job. If the job is approved, the submitter can then deploy the job.
If the job is rejected, the submitter can discard the job and start over or modify
the job and resubmit it.

5.

Deploy job: Deploying the job sends the generated CLI to either devices,
intermediary transport servers (such as AUS, CNS, or TMS), or files. The
destination (device or file) is selected when defining a job (see step 2). The
transport server is selected when defining devices. See Understanding
Deployment Methods, page 18-11 for more details about defining
deployment methods and transport servers. For information about the effects
of deployment on your devices, see Frequently Asked Questions about
Deployment, page 18-17.

For descriptions of job states (shown in red in Figure 18-2), see Job States in
Workflow Mode, page 18-8.
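The Workflow-mode task flow above, together with the "can be ... while it is in" sentences of the job-state table, describes a state machine with one extra invariant from the non-Workflow section: devices in one job cannot be included in any other job until that job releases them. The following is an added example, not Security Manager's code, that encodes that life cycle so the separation of duties (submitter versus approver) and the device lock can be exercised. Points the page leaves open are assumptions here: a job starts in Edit and opening it moves it to Edit-In Use; with no separate approver, submit goes straight to Approved (the one-step submit-and-approve the text describes); abort is offered only while the job is still Deploying. Job and device names are constructed.

```python
"""Added example (not Cisco's code): the Workflow-mode deployment job life
cycle as a state machine, plus the one-job-per-device rule."""


class DeploymentError(Exception):
    """An action that the job's current state does not allow."""


# state -> {action: next state}; built from the page's job-state descriptions.
# Assumed: "open" from Edit leads to Edit-In Use; "abort" only while Deploying.
TRANSITIONS = {
    "Edit":        {"open": "Edit-In Use", "approve": "Approved", "discard": "Discarded"},
    "Edit-In Use": {"close": "Edit", "submit": "Submitted", "approve": "Approved",
                    "discard": "Discarded"},
    "Submitted":   {"approve": "Approved", "reject": "Rejected", "discard": "Discarded"},
    "Approved":    {"deploy": "Deploying", "discard": "Discarded"},
    "Rejected":    {"open": "Edit-In Use", "discard": "Discarded"},
    "Deploying":   {"succeed": "Deployed", "fail": "Failed", "abort": "Aborted"},
    "Deployed": {}, "Failed": {}, "Aborted": {}, "Discarded": {},
}
# States whose description says devices can now be included in another job.
RELEASES_DEVICES = {"Deployed", "Failed", "Aborted", "Discarded"}


class DeploymentManager:
    def __init__(self, approver_required=True):
        self.approver_required = approver_required   # Workflow mode with a job approver?
        self.jobs = {}     # job name -> {"state": str, "devices": set}
        self.locked = {}   # device name -> job currently holding it

    def devices_in_use(self, devices):
        """Devices that another job still holds (the one-job-per-device rule)."""
        return sorted(d for d in devices if d in self.locked)

    def create_job(self, name, devices):
        taken = self.devices_in_use(devices)
        if taken:
            raise DeploymentError(f"devices already in another job: {taken}")
        self.jobs[name] = {"state": "Edit", "devices": set(devices)}
        for d in devices:
            self.locked[d] = name
        return "Edit"

    def allowed(self, name, action):
        """True if the action is valid in the job's current state (no side effects)."""
        state = self.jobs[name]["state"]
        if action not in TRANSITIONS[state]:
            return False
        # Direct approval from the Edit states is auto-approval; with a separate
        # approver the submitter must submit and wait for the approver instead.
        return not (action == "approve" and state != "Submitted" and self.approver_required)

    def act(self, name, action):
        """Apply an action; returns the new state or raises DeploymentError."""
        if not self.allowed(name, action):
            raise DeploymentError(f"'{action}' is not allowed in state "
                                  f"{self.jobs[name]['state']}")
        job = self.jobs[name]
        nxt = TRANSITIONS[job["state"]][action]
        if action == "submit" and not self.approver_required:
            nxt = "Approved"   # submit and approve in one step (no approver configured)
        job["state"] = nxt
        if nxt in RELEASES_DEVICES:
            for d in job["devices"]:
                self.locked.pop(d, None)
        return nxt


if __name__ == "__main__":
    m = DeploymentManager(approver_required=True)
    m.create_job("job-A", ["asa-edge-1", "ios-core-1"])   # constructed device names
    for step in ("open", "submit", "approve", "deploy", "succeed"):
        print(f"{step:>8} -> {m.act('job-A', step)}")
```

The `allowed` check is what an approval workflow is actually buying you: a submitter cannot move their own job to Approved when an approver is configured, and a device stays locked until its job reaches a terminal state, so two jobs cannot race to push different configurations to the same device.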


Figure 18-2    Deployment Task Flow in Workflow Mode
(Diagram: 1. Create job, 2. Define job, 3. Submit job, 4. Approve job or Reject job,
5. Deploy job; job states shown: Edit, Submitted, Approved, Rejected, Deployed)


Job States in Workflow Mode


In Workflow mode, jobs can be in many different states. The Status column in the
Deployment Manager window lists the state of each job. Table 18-2 lists and
describes all possible job states. For more details about the Deployment Manager
window, see Deployment Manager Window (Workflow Mode), page O-10.
Table 18-2    Job States in Workflow Mode

Edit: Job was created, but changes are not being captured in the job. The job can be
opened, approved (in auto-approval mode), or discarded while it is in the Edit state.

Edit-In Use: Job is open for editing. Changes, such as policy changes, are captured in
the job. The job can be closed, approved, discarded, or submitted while it is in the
Edit Open state.

Submitted: Job was submitted for review. It can be viewed but not edited while it is
in the Submitted state. The job can be opened for viewing, discarded, rejected, or
approved while it is in the Submitted state. Available only when Workflow mode is
enabled with deployment approval required.

Approved: Job was approved and is ready to be deployed. The job can be deployed or
discarded while it is in the Approved state. Available only when Workflow mode is
enabled with deployment approval required.

Rejected: Job was rejected. You can open the job for editing or discard the job while
it is in the Rejected state. Available only when Workflow mode is enabled with
deployment approval required.

Discarded: Changes made to the job since the job was created were discarded and
further changes to the job are not allowed. The job remains in the Deployment table
showing a Discarded state until it is purged from the system. Devices in the job can
now be included in another job.

Deployed: Configurations for all the devices in the job were successfully deployed
to the devices or to output files. Devices in the job can now be included in another
job.

Deploying: Configurations generated for the job are being deployed to the devices
or to an output directory (depending on the option selected during job creation).
You can monitor the generation progress for specific devices on the Status tab of
the Deployment page and on the Job Details page. To access the Job Details page,
click the job name in the list.

Aborted: Job was manually halted. Devices in the job can now be included in
another job.

User Guide for Cisco Security Manager 3.1

18-8

OL-11501-03

Chapter 18

Managing Deployment
Understanding Deployment

Table 18-2

Job States in Workflow Mode (continued)

State

Description

Failed

Deployment to one or more devices in the job failed. Devices in the job can now be
included in another job.

Scheduled to Job is scheduled to be deployed at the date and time specified.


run at [date]
Rolling Back Security Manager is in the process of reverting to and deploying previous
configurations for the devices within the deployment job. You can abort a job that is in
the Rolling Back state.
Rolled Back

Security Manager has successfully reverted to and deployed previous configurations for
the devices within the deployment job.
Related Topics

Deployment Manager Window (Workflow Mode), page O-10

Working with Deployment, page 18-35

Deployment Job Approval


By default, Security Manager operates in non-Workflow mode; deployment jobs
are handled behind the scenes and the user does not need to be aware of jobs or
their approval. When using Workflow mode, you can choose to operate with or
without a deployment job approver.
If you choose to operate without an approver, the user who defines a job also
has the permissions to approve it.
If your organization requires a different person, with higher permissions, to
approve deployment of new or changed configurations to devices, use Workflow
mode with a deployment job approver. In this mode the job must be reviewed by
a person with the appropriate permissions, who approves or rejects it. This
separation between the person who defines a job and the person who approves
it helps to ensure that no inappropriate configurations reach the network
devices and that deployment jobs are scheduled effectively.


Note

You enable and disable deployment job approval under Tools > Security Manager
Administration > Workflow. For more information, see Chapter 2, Performing
Administrative Tasks.

Deployment Job Changes


The changes you make within a deployment job are visible only within the
deployment job. Other users cannot see your deployment job parameters unless
they open your deployment job after you close it.

Deployment Jobs and Multiple Users


Only one user can define or change parameters or devices within an individual
deployment job at one time. However, multiple users can work on the same
deployment job in sequence: if a deployment job is closed, another user can open
it and make changes to it. Multiple users can work in parallel on different
deployment jobs.

Including Devices in Deployment Jobs


When you create a job, you select the devices to include in the job. When you
select a device for a specific job, it cannot be selected for any other job until the
original job is deployed, rejected (Workflow mode), discarded, or aborted. This
mechanism prevents two or more people from deploying changes to the same
device at the same time and ensures that policies are deployed to devices in the
correct order.
When deploying a job, Security Manager displays devices on which policy
changes were made but were not deployed. You can deploy to these devices, and
you can select additional devices.
For VPNs, Security Manager must generate commands for every device that is
affected by the policies defined for the devices you select for the job. So,
if you select a device that is part of a VPN, Security Manager adds the other
relevant devices to the job. For example, if you define a tunnel policy on a
spoke and select the spoke for the job, Security Manager adds the spoke's
assigned hub to the job. During job generation, Security Manager generates
commands for both peers so that the VPN configuration is complete and the
tunnel can be established. If you deselect one of the devices associated with
the VPN, Security Manager warns that removing the device might result in the
VPN not functioning properly.
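The following Python model is added here as an illustration; it is not Security Manager code. It encodes the state transitions described in Table 18-2 together with the one-job-per-device rule above: a device reserved by a job stays reserved until that job reaches one of the states in which the guide says its devices may join another job. The transition table is inferred from the state descriptions; the action names, the `approval_required` flag, the assumption that reopening a rejected job takes its devices back, and the assumption that a rollback starts from a Deployed or Failed job are this example's own.

```python
from __future__ import annotations

# Illustrative model of Workflow-mode job states (Table 18-2) and of the
# one-job-per-device rule. Example code, not Security Manager's; the action
# names and the states a rollback may start from are assumptions.

TRANSITIONS: dict[tuple[str, str], str] = {
    ("Edit", "open"): "Edit-In Use",
    ("Edit", "approve"): "Approved",            # auto-approval mode only
    ("Edit", "discard"): "Discarded",
    ("Edit-In Use", "close"): "Edit",
    ("Edit-In Use", "submit"): "Submitted",     # approver mode only
    ("Edit-In Use", "approve"): "Approved",     # auto-approval mode only
    ("Edit-In Use", "discard"): "Discarded",
    ("Submitted", "approve"): "Approved",
    ("Submitted", "reject"): "Rejected",
    ("Submitted", "discard"): "Discarded",
    ("Approved", "deploy"): "Deploying",
    ("Approved", "schedule"): "Scheduled to run at [date]",
    ("Approved", "discard"): "Discarded",
    ("Scheduled to run at [date]", "deploy"): "Deploying",
    ("Rejected", "open"): "Edit-In Use",
    ("Rejected", "discard"): "Discarded",
    ("Deploying", "succeed"): "Deployed",
    ("Deploying", "fail"): "Failed",
    ("Deploying", "abort"): "Aborted",
    ("Deployed", "rollback"): "Rolling Back",   # assumption: where rollback starts
    ("Failed", "rollback"): "Rolling Back",     # assumption
    ("Rolling Back", "succeed"): "Rolled Back",
    ("Rolling Back", "abort"): "Aborted",
}

APPROVER_ONLY_ACTIONS = {"submit", "reject"}   # exist only with a job approver
AUTO_APPROVAL_ONLY = {("Edit", "approve"), ("Edit-In Use", "approve")}

# States in which the guide says the job's devices may be included in another job.
RELEASING_STATES = {"Rejected", "Discarded", "Deployed", "Aborted", "Failed"}


class JobTracker:
    """Tracks each job's state and which job currently holds each device."""

    def __init__(self, approval_required: bool) -> None:
        self.approval_required = approval_required
        self.state: dict[str, str] = {}
        self.devices: dict[str, set[str]] = {}
        self.holder: dict[str, str] = {}        # device -> job that reserved it

    def _reserve(self, job: str, devices: set[str]) -> None:
        busy = {d: self.holder[d] for d in devices
                if d in self.holder and self.holder[d] != job}
        if busy:
            raise ValueError(f"devices already reserved by another job: {busy}")
        for d in devices:
            self.holder[d] = job

    def _release(self, job: str) -> None:
        for d in self.devices[job]:
            if self.holder.get(d) == job:
                del self.holder[d]

    def create(self, job: str, devices: set[str]) -> str:
        if job in self.state:
            raise ValueError(f"job {job!r} already exists")
        self._reserve(job, set(devices))       # refuses devices held by another job
        self.devices[job] = set(devices)
        self.state[job] = "Edit"
        return "Edit"

    def act(self, job: str, action: str) -> str:
        old = self.state[job]
        key = (old, action)
        if action in APPROVER_ONLY_ACTIONS and not self.approval_required:
            raise ValueError(f"{action!r} needs Workflow mode with a job approver")
        if key in AUTO_APPROVAL_ONLY and self.approval_required:
            raise ValueError("with an approver the job must be submitted, then approved")
        if key not in TRANSITIONS:
            raise ValueError(f"{action!r} is not allowed in state {old!r}")
        new = TRANSITIONS[key]
        if new in RELEASING_STATES:
            self._release(job)
        elif old in RELEASING_STATES:
            # Reopening a rejected job (or rolling back a deployed one) takes
            # its devices back; assumption, the guide does not spell this out.
            self._reserve(job, self.devices[job])
        self.state[job] = new
        return new
```

With an approver, a job that was rejected releases its devices, so a second job can pick them up; reopening the rejected job then fails until the second job lets them go, which is the collision the reservation rule exists to prevent.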

Understanding Deployment Methods


Security Manager uses two types of deployment methods:

Deploying to a Device, page 18-11 (default)

Deploying to a File, page 18-13

If necessary, you can change the default deployment method. For more
information, see Changing Deployment Methods, page 18-43.

Deploying to a Device
If you choose to deploy to the device, Security Manager deploys the configuration
to the device according to the transport protocol that the device supports and that
is configured on the device (see Table 18-3) and whether a transport server is
specified when adding devices (see Table 18-4).
When deploying directly to a device, Security Manager uploads the device's
current configuration and compares it against the configuration it has in its
database. If changes were made to the device manually (using the CLI), that
is, out of band, Security Manager does one of the following, depending on the
behavior you define:

Overwrites the out-of-band changes and shows a warning (the default).

Cancels the deployment.

Does not check for changes.

You set the default behavior under Tools > Security Manager Administration.
For more information, see Defining Deployment Settings, page 2-65.

Caution

You must configure at least one policy on a device before deploying to that device.
If you deploy to a device without assigning at least one policy, the device's current
configuration is overwritten with a blank configuration.
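The following Python sketch is an added illustration, not Security Manager's own CLI generator, of the three out-of-band behaviors listed above, of the Configuration Archive fallback when the upload from the device fails, and of the Caution. It treats a configuration as a flat set of lines and derives the delta by negating lines that must go and adding lines that are missing; this is a simplification, since a real generator must respect command ordering and nested modes. The sample configurations, the `OobBehavior` names, and the `archive_full`/`running` parameters are constructed for the example.

```python
from __future__ import annotations
from enum import Enum


class OobBehavior(Enum):
    """The three 'when out-of-band changes detected' behaviors from the guide."""
    OVERWRITE_WITH_WARNING = "overwrite"   # the default
    CANCEL = "cancel"
    NO_CHECK = "nocheck"


def normalize(cfg: str) -> list[str]:
    """Drop blank and comment lines so comparisons ignore cosmetic differences."""
    out = []
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if line.strip() and not line.lstrip().startswith("!"):
            out.append(line)
    return out


def out_of_band_changes(archive_full: str, running: str) -> dict[str, list[str]]:
    """Lines the device has that the last deployed (archived) configuration
    lacks, and lines it lost. Both lists empty means no out-of-band change."""
    ref, run = set(normalize(archive_full)), set(normalize(running))
    return {"added_on_device": sorted(run - ref), "removed_on_device": sorted(ref - run)}


def build_delta(reference: list[str], desired: list[str]) -> list[str]:
    """Commands taking a device from `reference` to `desired`. Simplified:
    flat, order-insensitive, removals negated with 'no'."""
    want, have = set(desired), set(reference)
    delta = [f"no {line}" for line in reference if line not in want]
    delta += [line for line in desired if line not in have]
    return delta


def plan_deployment(desired: str, archive_full: str, running: str | None,
                    behavior: OobBehavior) -> dict:
    """Decide what to send. `running` is None when uploading the device's
    configuration failed; Configuration Archive is then the reference."""
    want = normalize(desired)
    if not want:
        # The Caution above: a device with no policy would be wiped.
        raise ValueError("refusing to deploy an empty configuration")
    warnings: list[str] = []
    if running is None:
        reference = normalize(archive_full)
        warnings.append("upload from device failed; reference taken from Configuration Archive")
    else:
        reference = normalize(running)
        if behavior is not OobBehavior.NO_CHECK:
            oob = out_of_band_changes(archive_full, running)
            if oob["added_on_device"] or oob["removed_on_device"]:
                if behavior is OobBehavior.CANCEL:
                    raise RuntimeError(f"out-of-band changes found, deployment cancelled: {oob}")
                warnings.append(f"out-of-band changes will be overwritten: {oob}")
    return {"delta": build_delta(reference, want), "full": want, "warnings": warnings}


# Constructed sample configurations (not real device output).
ARCHIVE_FULL = """\
hostname fw1
access-list outside_in extended permit tcp any host 10.0.0.5 eq 443
access-group outside_in in interface outside
"""
# Someone added an SSH rule on the CLI after the last deployment.
RUNNING = ARCHIVE_FULL + "access-list outside_in extended permit tcp any host 10.0.0.5 eq 22\n"
# The policies in Security Manager now also want port 8443.
DESIRED = """\
hostname fw1
access-list outside_in extended permit tcp any host 10.0.0.5 eq 443
access-list outside_in extended permit tcp any host 10.0.0.5 eq 8443
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    plan = plan_deployment(DESIRED, ARCHIVE_FULL, RUNNING, OobBehavior.OVERWRITE_WITH_WARNING)
    print("\n".join(plan["delta"]))
    for w in plan["warnings"]:
        print("WARNING:", w)
```

Note what the default behavior does to the out-of-band SSH rule: because the delta is computed from the running configuration, the rule is explicitly negated, so the overwrite is silent on the device and only visible in the warning. The CANCEL behavior is the one to choose when such changes must be investigated before anything is pushed.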


Table 18-3 Deployment Transport Protocols

Device Type: ASA, IOS Router, FWSM, PIX Firewall
Transport Protocol: SSL (Default)
Description: Security Manager deploys the configuration to the device using
the Secure Sockets Layer (SSL) protocol. With this protocol, Security Manager
encrypts the configuration file and sends it to the device.

Note  DES encryption is not supported on Common Services 3.0 and later. Make
sure that all PIX Firewalls and Adaptive Security Appliances that you intend
to manage with Cisco Security Manager have a 3DES/AES license.

Device Type: Catalyst 6500/7600
Transport Protocol: SSH (Default)
Description: Security Manager deploys the configuration to the device using
Secure Shell (SSH). This provides strong authentication and secure
communications over insecure channels. Security Manager supports both SSHv1.5
and SSHv2. Once connected to the device, Security Manager determines which
version to use and downloads using that version. Because SSHv1 has known
protocol weaknesses, configure the device to accept SSHv2 only wherever it
supports that, so that the negotiated version cannot fall back to SSHv1.5.

Table 18-4 Deployment Transport Servers

Device Type: ASA, PIX Firewall
Transport Server: AUS
Description: This option is used to deploy configurations to dynamically
addressed devices. Security Manager deploys the configuration file to the
Auto Update Server (AUS), where it is stored for later retrieval by the
device. Devices, such as PIX Firewalls, that use a Dynamic Host Configuration
Protocol (DHCP) server contact AUS for configuration (and image) updates. See
AUS Setup Checklist, page 18-29 and the AUS product documentation for more
information.

Device Type: IOS Routers
Transport Server: CNS
Description: This option is used to deploy configurations to dynamically
addressed devices. Security Manager deploys the configuration file to the
Cisco Configuration Engine (CE), where it is stored for later retrieval by
the device. Devices, such as IOS routers, that use a Dynamic Host
Configuration Protocol (DHCP) server contact the CE for configuration (and
image) updates. See CNS Setup Checklist, page 18-32 and the CE product
documentation for more information.

Device Type: IOS Routers
Transport Server: TMS
Description: Security Manager uses FTP to deploy the configuration file to the
Token Management Server (TMS), from which it can be downloaded and encrypted
onto an eToken. The eToken can then be connected to the USB port of a router
and the configuration downloaded. See TMS Setup Checklist, page 18-27 and the
TMS product documentation for more information. FTP carries both the login
credentials and the configuration file in cleartext, so restrict the network
path between the Security Manager server and the TMS accordingly.

Note  To deploy using TMS, you must configure token management under Tools >
Security Manager Administration > Device Communication > Token Management
and configure FTP on the token management server.

Deploying to a File
You can deploy a configuration to a file on a selected server. If you are deploying
to file, Security Manager creates two files: device_name_delta.cfg for the delta
configuration, and device_name_full.cfg for the full configuration.You must
specify the directory on the Security Manager server in which to create the
configuration files. Configuration files are in TFTP format so that you can upload
them to your devices using TFTP.

Note

If you deploy to file, you must transfer the configurations to your devices.
Security Manager assumes that you have done this, so the next time you deploy to
the same devices, the generated incremental commands are based on the
configurations from the previous deployment.


Deploying configurations to a file is useful when the devices are not yet in place
in your network (known as greenfield deployment), if you have your own
mechanisms in place to transfer configurations to your devices, or if you want to
delay deployment.

Note

Commands requiring interaction with the device during deployment should not be
used when deploying to file. We recommend previewing your configuration
before deployment to make sure there are no such commands in the file. For more
information, see Previewing Configurations, page 18-42.

Handling Device OS Version Mismatches


Before deploying a changed configuration file to a device, Security Manager
uploads the current running configuration file from the device and compares
the OS version running on the device with the OS version stored in the
Security Manager database. Security Manager takes action depending on whether
the OS versions match or differ from each other.
Table 18-5 lists the possible actions Security Manager takes depending on
whether the OS versions match or differ.

Note

The PIX Firewall device is used as an example; however, the actions apply to all
supported device types.


Table 18-5 Deployment Action Based on OS Version Match or Mismatch

Scenario: Versions match.
  OS version in Security Manager database: pix 6.3 (1)
  OS version on device: pix 6.3 (1)
  OS version used in deployment: pix 6.3 (1)
  Action: Deployment proceeds with no warnings.

Scenario: Device has newer OS version.
  OS version in Security Manager database: pix 6.3 (1)
  OS version on device: pix 6.3 (4)
  OS version used in deployment: pix 6.3 (4)
  Action: Security Manager warns that it has detected a different OS version
  on the device than the one in the Security Manager database. Security
  Manager generates CLI based on the OS version running on the device.

Scenario: Device has newer OS version, which is not supported by Security
Manager.
  OS version in Security Manager database: pix 6.3 (1)
  OS version on device: pix 6.3 (6)
  OS version used in deployment: pix 6.3 (4)
  Action: Security Manager warns that it has detected a different OS version
  on the device than the one in the Security Manager database. Security
  Manager generates CLI based on the highest OS version that it supports.

Scenario: Device has new major OS version.
  OS version in Security Manager database: pix 6.3 (1)
  OS version on device: pix 7.0
  OS version used in deployment: pix 7.0
  Action: Security Manager reports an error indicating that it has detected a
  different OS version on the device than the one in the Security Manager
  database. Security Manager cannot proceed until you correct this mismatch.
  Remove the device from inventory and create a new device with the correct
  OS version.

Scenario: Device has older OS version.
  OS version in Security Manager database: pix 6.3 (4)
  OS version on device: pix 6.3 (1)
  OS version used in deployment: pix 6.3 (1)
  Action: If the older version is a different major version (6.0 vs. 7.0),
  Security Manager reports an error and aborts the deployment. If the older
  version is within the same major version (6.0 vs. 6.3), Security Manager
  warns that it has detected a different OS version on the device than the
  one in the Security Manager database, and it continues with the deployment.
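Added here as an illustration (not Security Manager code), the following Python function applies the rules of Table 18-5 to a pair of version strings in the table's "pix 6.3 (4)" notation. The list of supported versions is an assumption chosen so that the worked cases reproduce the table's rows; the choice of the closest supported version for an unsupported build follows the description in the deployment FAQ, and treating an unsupported older build the same way is this example's own extension.

```python
import re
from typing import NamedTuple, Optional


class Version(NamedTuple):
    major: int
    minor: int
    build: int


# Matches "pix 6.3 (4)", "pix 6.3(4)" and "pix 7.0" (build defaults to 0).
_VERSION_RE = re.compile(r"(?P<major>\d+)\.(?P<minor>\d+)(?:\s*\((?P<build>\d+)\))?")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return Version(int(m["major"]), int(m["minor"]), int(m["build"] or 0))


# Assumed for this example: the builds whose CLI this "Security Manager" knows.
SUPPORTED = [Version(6, 3, 1), Version(6, 3, 3), Version(6, 3, 4)]


class Decision(NamedTuple):
    outcome: str                     # "proceed", "warn" or "error"
    version_used: Optional[Version]  # None when deployment cannot proceed
    message: str


def decide(db_version: str, device_version: str, supported=SUPPORTED) -> Decision:
    """Apply Table 18-5: proceed on an exact match, warn within a major
    version, error across major versions."""
    stored, running = parse_version(db_version), parse_version(device_version)
    if stored == running:
        return Decision("proceed", running, "versions match")
    if stored.major != running.major:
        return Decision("error", None,
                        f"major version mismatch: database {stored.major}.x, device "
                        f"{running.major}.x; remove the device from inventory and "
                        "re-add it with the correct OS version")
    mismatch = (f"device runs {running.major}.{running.minor}({running.build}) but the "
                f"database says {stored.major}.{stored.minor}({stored.build})")
    if running in supported:
        return Decision("warn", running, mismatch + "; CLI generated for the device's version")
    # A build with no CLI model of its own: fall back to the closest supported
    # version below it (the highest supported version in the table's example).
    candidates = [v for v in supported if v.major == running.major and v < running]
    if not candidates:
        return Decision("error", None, mismatch + "; no supported CLI for this version")
    closest = max(candidates)
    return Decision("warn", closest, mismatch + "; CLI generated for closest supported "
                    f"version {closest.major}.{closest.minor}({closest.build})")
```

The check that matters operationally is the major-version error: unlike the warnings, it stops deployment until the device is re-added, so a fleet-wide OS upgrade should be paired with re-adding the devices in Security Manager rather than discovered job by job.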

Frequently Asked Questions about Deployment


These questions and answers describe how policy deployment modifies your
device configurations:

1. How does deployment work?
2. Which deployment method should I use?
3. How can I control the location used when I deploy to a configuration file?
4. If I deploy to file, how does Security Manager know that I applied the
configuration to the device?
5. What happens during configuration rollback?
6. After configurations are deployed, which are completely owned by Security
Manager, and which are only partially owned, and what does this mean?
7. What happens if I make changes to a device configuration outside of
Security Manager (an out-of-band change)? How can I get the changed
configurations into Security Manager?
8. What happens during deployment if the version of the OS running on the
device is not the same version listed for the device in Security Manager? How
do I fix a version mismatch problem?
9. How is ACL configuration managed when I use Security Manager and ACL
Manager together?
10. Does Security Manager deploy full configurations or only the changes made
since the last deployment (delta configurations)?
11. What are the default deployment methods for each type of device, and how
do I change one for a device or for a deployment job?
12. To how many devices can Security Manager deploy simultaneously?
13. Deployment to a Cisco IOS router fails and an Error Writing to Server or
Http Response Code 500 error message occurs. Why?
14. Why does deployment to FWSM fail when the configuration contains a large
number of ACLs?
15. Why does deployment fail even though the warning expression in the
properties files is set to ignore the error?
16. How can I deploy configurations to devices using a Token Management
Server (TMS)?
17. How can I deploy configurations to devices using an Auto Update Server
(AUS)?
18. How can I deploy configurations to devices using a Cisco Networking
Services (CNS) server?
19. Why do some platforms require a reload after performing configuration
rollback but not others?


Q. How does deployment work?

A. Broadly speaking, deployment is a three-step process, as described in
Table 18-6.

Table 18-6 Overview of the Deployment Process

Step 1
Security Manager obtains the current configuration for the device and compares
it to the latest saved policies for the device in Security Manager. What
Security Manager considers the current configuration depends on the type of
device, the deployment method, and the settings for deployment preferences.
These are the possible sources and the conditions under which they are used:

Obtain the running configuration from the device.
  Used when deploying to the device unless the deployment method is AUS, TMS,
  or CNS. You can force Security Manager to use Configuration Archive instead
  by selecting When Deploying to Device Get Reference Config from: Config
  Archive as the deployment preference (select Tools > Security Manager
  Administration, then select Deployment).

Obtain the last full configuration from the Security Manager Configuration
Archive.
  Used when deploying to file, unless you select When Deploying to File Get
  Reference Config from: Device as the deployment preference.
  Used when the deployment method is TMS or CNS.
  Used when the device is unmanaged (not managed by Security Manager).
  Used when deploying to a device if uploading the configuration from the
  device failed. (Configuration Archive is used as a backup to obtaining the
  configuration from the live device.)
  Used when you preview configurations.

Use the factory default configuration.
  Used with PIX or ASA devices if you use the AUS deployment method.
  Used when previewing PIX or ASA configurations if you use the AUS
  deployment method.

Step 2
Security Manager builds a delta configuration that contains the commands
needed to update the device configuration to make it consistent with the
assigned policies. It also builds a full device configuration.

Step 3
If you are deploying to the device, Security Manager deploys either the delta
configuration or the full configuration, depending on which deployment method
you use. If you are deploying to file, Security Manager creates two files:
device_name_delta.cfg for the delta configuration, and device_name_full.cfg
for the full configuration. In both cases, the configurations are also added
to Configuration Archive. These are the actions based on deployment method:

SSL or SSH: Security Manager contacts the device directly and sends the delta
configuration to it.

Auto Update Server (standalone or running on Configuration Engine) for PIX
and ASA devices: Security Manager sends the full configuration to Auto Update
Server, where the device retrieves it. The delta configuration is not sent.

CNS gateway running on an Auto Update Server (for IOS devices with dynamic IP
addresses): Security Manager contacts the CNS gateway to get the device IP
address, then uses SSL to contact the device directly and send it the delta
configuration.

Configuration Engine for IOS devices: Security Manager sends the delta
configuration to Configuration Engine, where the device retrieves it.

TMS: Security Manager sends the delta configuration to the TMS server, from
which it can be downloaded to an eToken to be loaded onto the device.

Q. Which deployment method should I use?

A. If you are using Configuration Engine (CNS) or Auto Update Server (AUS),
use those deployment methods. You must use one of these for devices that use
dynamic IP addresses. Otherwise, for devices with static IP addresses, use
SSL for IOS, PIX, ASA, and standalone FWSM devices, and SSH for FWSM with
Catalyst 6000 and 7600 router devices. If you are using the Token Management
Server (TMS) for some devices, you can also use that method with Security
Manager.


Q. How can I control the location used when I deploy to a configuration file?

A. To set a default directory for file deployments, select Tools > Security
Manager Administration, then select Deployment. If you select File for the
default deployment method, you also select the default directory. When you
create a deployment job, you can change this directory for that job.

Q. If I deploy to file, how does Security Manager know that I applied the
configuration to the device?

A. Security Manager assumes that the previously deployed configuration was
applied to the device no matter which deployment method you use. Later
deployments include only the changes you made since the last deployment (the
delta). If for some reason the last change was not applied to the device, the
new delta configuration will not bring the device configuration up to the one
reflected in Security Manager.

Q. What happens during configuration rollback?

A. When you roll back the configuration on a device, Security Manager
redeploys either the last good configuration or the configuration that you
selected from the Configuration Archive. In either case, after rollback, the
configuration on the device is no longer consistent with the configuration in
Security Manager. After rollback, you should rediscover policies on the
device to make the device configuration and its configuration in Security
Manager consistent. If you roll back configurations on Catalyst or IOS
devices, you also need to restart the device.

Q. After configurations are deployed, which are completely owned by Security
Manager, and which are only partially owned, and what does this mean?

A. When you manage devices that run the ASA, PIX, or FWSM operating systems,
Security Manager controls their configurations; you should make all changes
within Security Manager. For devices running IOS software, you have more
control. If you do not create policies for a feature in Security Manager,
such as routing policies, Security Manager does not control those features on
the device. If you do create policies for these features, Security Manager
overwrites the settings on the device with the settings you defined in
Security Manager. Through administration settings, you can control the types
of policies that will be available for IOS devices, thereby preventing
Security Manager from displaying or changing policies for these features. To
see the available features for IOS routers and control whether they are
available for management in Security Manager, select Tools > Security Manager
Administration, then select Policy Management. For IOS devices, Security
Manager does manage VPN-related policies.
Q. What happens if I make changes to a device configuration outside of
Security Manager (an out-of-band change)? How can I get the changed
configurations into Security Manager?

A. During deployment, if Security Manager determines that the configuration
on the device differs from the last-deployed configuration, Security Manager
overwrites the changes by default. (You can control this behavior using the
deployment preferences: select Tools > Security Manager Administration, then
select Deployment, and look for the When Out of Band Changes Detected
setting. You can also control this for a specific deployment job by editing
the deployment method for the job.) If you make changes to the device
configuration outside of Security Manager, you have two choices for bringing
those changes into Security Manager:

1. Rediscover policies on the device. In this case all policies for the
device become local policies, and any assignments of shared policies to the
device are removed.

2. Make the required changes in Security Manager and redeploy them to the
device. During deployment, do not select the option to force an error if
out-of-band changes are found on the device.

Q. What happens during deployment if the version of the OS running on the
device is not the same version listed for the device in Security Manager? How
do I fix a version mismatch problem?

A. In some cases, Security Manager deploys the configuration and issues a
warning; in other cases, Security Manager cannot deploy the configuration.
Security Manager deploys the configuration when the device has a newer minor
version (for example, PIX 6.3(4) instead of the 6.3(1) indicated in Security
Manager), even if Security Manager does not support the version running on
the device (in this case, Security Manager builds the configuration using the
CLI for the closest supported version), and when the device has a down-level
minor version (for example, 6.3(1) instead of 6.3(4)). If the device is
running a new major version of the OS (for example, PIX 7.0 instead of the
6.3 indicated in Security Manager), Security Manager cannot deploy the
configuration. You must delete the device, add it again, and rediscover
policies. Similarly, if the device is running a down-level major version (6.3
instead of 7.0), the deployment fails, and you must re-create the device in
Security Manager. See Handling Device OS Version Mismatches, page 18-14.
Q. How is ACL configuration managed when I use Security Manager and ACL
Manager together?

A. Do not use Security Manager and ACL Manager (or any other software) to
manage the same ACLs. Use Security Manager to manage all firewall- and
VPN-related ACLs. You can use ACL Manager to manage ACLs for other features,
such as quality of service (QoS).

Q. Does Security Manager deploy full configurations or only the changes made
since the last deployment (delta configurations)?

A. In most cases, Security Manager sends only delta configurations to the
device. The only exception is if you are using Auto Update Server for PIX and
ASA devices, in which case the full configuration is sent to the Auto Update
Server.

Q. What are the default deployment methods for each type of device, and how
do I change one for a device or for a deployment job?

A. When you add devices to Security Manager, you select the deployment method
to be used by that device. This determines the method used for deploying to
the device (instead of a file). When you create a deployment job, an
additional deployment method default applies to the job as a whole, which
determines whether deployment creates configuration files or whether it sends
the configuration to the device using the method selected for the device. You
control this default in the administration settings (select Tools > Security
Manager Administration, then select Deployment). When you create a deployment
job, you can also change whether the deployment is to a file or to the device
for each device by clicking Edit Deploy Method in the Create Job window.

Q. To how many devices can Security Manager deploy simultaneously?

A. Security Manager can deploy to up to 20 devices simultaneously per job, up
to 40 devices total. These restrictions enable Security Manager to use system
memory efficiently, which ensures that jobs with many devices do not prevent
jobs with fewer devices from deploying. There is no restriction on the number
of jobs that Security Manager processes simultaneously.


Q. Deployment to a Cisco IOS router fails and an Error Writing to Server or
Http Response Code 500 error message occurs. Why?

A. When you use SSL as the transport protocol for deploying configurations to
a Cisco IOS router, the configuration is split into multiple chunks (bulks).
The chunk size varies from platform to platform. If Security Manager tries to
deploy a chunk that exceeds the SSL chunk size configured on that device, the
deployment fails and you get an Error Writing to Server or Http Response Code
500 error message.
To resolve this, do the following:
1. Go to ...\CSCOpx\MDC\athena\config.
2. Open the DCS.properties file.
3. Locate DCS.IOS.ssl.maxChunkSize=<value of the configuration bulk>.
4. Reduce the value.
5. Restart the CiscoWorks Daemon Manager.

Q. Why does deployment to FWSM fail when the configuration contains a large
number of ACLs?

A. This can occur because CPU utilization is high during ACL compilation. To
resolve this, enable the CPU utilization threshold check by doing the
following:
1. Go to ...\CSCOpx\MDC\athena\config.
2. Open the DCS.properties file.
3. Locate the DCS.FWSM.checkThreshold=False property.
4. Change the value to true: DCS.FWSM.checkThreshold=True.
5. Restart the CiscoWorks Daemon Manager.
6. Deploy the configuration to the device again.
After you set the value to true, discovery and deployment check the CPU
utilization and generate error messages if the CPU utilization is not within
the value set in the DCS.FWSM.minThresholdLimit property. The default value
is 85.
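Both answers above have you edit DCS.properties by hand. The following Python helper is an added example, not a Cisco tool: it reads and rewrites a Java-style properties file while keeping comments, ordering, and untouched keys intact, and backs the file up first, which is what you want on a server whose settings you may need to revert. The sample file contents are constructed, the chunk-size value in it is a placeholder (the page does not give the shipped default), and halving the chunk size is one arbitrary way of applying "reduce the value". Restarting the CiscoWorks Daemon Manager afterwards remains a manual step.

```python
from __future__ import annotations
import re
import shutil
from pathlib import Path

# "key = value" or "key : value"; lines starting with '#' or '!' are comments.
_PROP_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[^#!=:\s][^=:]*?)\s*[=:]\s*(?P<value>.*)$")


def read_properties(text: str) -> dict[str, str]:
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            props[m["key"]] = m["value"]
    return props


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with `key` set to `value`; comments, order and other
    keys are preserved; a missing key is appended at the end."""
    out, found = [], False
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m["key"] == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def halve_chunk_size(text: str, key: str = "DCS.IOS.ssl.maxChunkSize") -> str:
    """Step 4 of the first answer: reduce the chunk size (here by half)."""
    current = int(read_properties(text)[key])
    return set_property(text, key, str(max(1, current // 2)))


def update_file(path: Path, changes: dict[str, str]) -> Path:
    """Back up `path` to `<name>.bak`, apply `changes`, return the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    text = path.read_text()
    for key, value in changes.items():
        text = set_property(text, key, value)
    path.write_text(text)
    return backup


# Constructed sample; the real file has many more keys and the chunk size
# below is a placeholder, not the product default.
SAMPLE = """\
# DCS settings (constructed sample)
DCS.IOS.ssl.maxChunkSize=8000
DCS.FWSM.checkThreshold=False
DCS.FWSM.minThresholdLimit=85
"""

if __name__ == "__main__":
    fixed = set_property(halve_chunk_size(SAMPLE), "DCS.FWSM.checkThreshold", "True")
    print(fixed, end="")
```

To apply the same two changes to the real file, call `update_file(Path(r"...\CSCOpx\MDC\athena\config\DCS.properties"), {...})` with the full path to your installation and then restart the Daemon Manager; the `.bak` copy is what you restore if deployments behave worse afterwards.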

Q. Why does deployment fail even though the warning expression in the
properties files is set to ignore the error?

A. Setting the properties file to ignore the error is not sufficient.
Deployment fails because the Allow Download on Error check box (located on
the Tools > Security Manager Administration > Deployment page) is deselected
by default. To resolve this, select the Allow Download on Error check box and
deploy again.
The following tables provide further details about how Security Manager
behaves when an error occurs during deployment and the Allow Download on
Error check box is either selected or deselected:

Table 18-7 describes the behavior when the SSL transport protocol is used on
PIX Firewall, ASA, and Cisco IOS routers.

Table 18-8 describes the behavior when the SSH transport protocol is used on
Cisco IOS routers.

Note

On Cisco IOS routers with the SSL protocol, deployment stops on command
syntax errors. It does not stop when configuration-related errors occur.
There is no workaround for this.


Table 18-7 Security Manager Behavior When SSL is Used on PIX Firewall, ASA, and Cisco IOS Routers

Allow Download on Error | Error Occurred | Error Ignored Using Warning Expression | Deployment Status | Write Memory Done
Selected                | Yes            | No                                     | Failed            | Based on Write Memory flag setting.
Selected                | Yes            | Yes                                    | Success           | Based on Write Memory flag setting.
Selected                | No             | Not Applicable                         | Success           | Based on Write Memory flag setting.
Deselected              | Yes            | No                                     | Failed (1)        | No
Deselected              | Yes            | Yes                                    | Failed            | No
Deselected              | No             | Not Applicable                         | Success           | Based on Write Memory flag setting.

1. You get a Deploy Not Completed error message.

Table 18-8 Security Manager Behavior When SSH is Used on Cisco IOS Routers

Allow Download on Error | Error Occurred | Error Ignored Using Warning Expression | Deployment Status | Write Memory Done
Selected                | Yes            | No                                     | Failed            | Based on Write Memory flag setting.
Selected                | Yes            | Yes                                    | Success           | Based on Write Memory flag setting.
Selected                | No             | Not Applicable                         | Success           | Based on Write Memory flag setting.
Deselected              | Yes            | No                                     | Failed            | No
Deselected              | Yes            | Yes                                    | Success           | Based on Write Memory flag setting.
Deselected              | No             | Not Applicable                         | Success           | Based on Write Memory flag setting.

Q. How can I deploy configurations to devices using a Token Management
Server (TMS)?

A. To perform this type of deployment, you need to set up the device, TMS, and
Security Manager. The following checklist shows the tasks that you need to
perform.
Table 18-9 TMS Setup Checklist

1. Set up the TMS as an FTP server.
   You must set up the TMS as an FTP server because files are transferred from Security Manager
   to the TMS server using FTP.
2. Add devices to Security Manager inventory.
   Select File > Add Devices.
3. Specify TMS as the transport protocol to be used for Cisco IOS devices.
   You can set this parameter globally for all Cisco IOS devices or for a specific device, as
   follows:
   • Globally: Select Tools > Security Manager Administration > Device Communication.
   • Device: Select Device properties > DCS settings > Transport protocols.
4. Configure TMS parameters on Security Manager.
   Specify the TMS name or IP address, username and password, directory where configuration
   files are to be copied, and public key file information in Security Manager. Select Tools >
   Security Manager Administration > Token Management.

5. Set the deployment method to Device either globally or for a specific device.
   Do one of the following:
   • Globally: Select Tools > Security Manager Administration > Deployment.
   • Device: Depends on workflow mode:
     - Non-Workflow mode: Select Submit and Deploy Changes > Edit Deploy Method.
     - Workflow mode: Select Tools > Deployment Management > Create > Edit Deploy
       Method.
6. Deploy the configuration to the device.
   Do one of the following:
   • Non-Workflow mode: Select Submit and Deploy Changes.
   • Workflow mode (if no deployment job exists): Select Tools > Deployment Management
     > Create.
   • Workflow mode (if a deployment job already exists): Select Tools > Deployment
     Management and select the desired deployment job; then click Deploy.
7. Using TMS, download the configuration to the eToken.
   See TMS product documentation.
8. Download the configuration from the eToken to the router and save the configuration
   to the device.
   Plug the eToken into the router, then enter the following commands to download the
   configuration to the router:

   router# crypto pki token <usb_token_id> login <PIN>
   router# config terminal
   router(config)# crypto pki token default secondary config CCCD
   router(config)# exit
   router# write memory


Tip

For more information, click Help from any Security Manager dialog box
or page.

Q. How can I deploy configurations to devices using an Auto Update Server
(AUS)?

A. To perform this type of deployment, you need to set up AUS, the device, and
Security Manager. The following checklist shows the tasks that you need to
perform.
Table 18-10 AUS Setup Checklist

1. Set up the AUS.
   See the AUS product documentation.
2. Bootstrap firewall devices for AUS.
   Enter the following commands to bootstrap devices:

   hostname(config)# auto-update server
   https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet
   hostname(config)# auto-update poll-period poll_period [retry_count] [retry_period]
   hostname(config)# auto-update device-id hardware-serial | hostname | ipaddress
   [<if_name>] | mac-address [<if_name>] | string <text>
   hostname(config)# write memory

3. Add devices to Security Manager inventory and assign AUS to devices.
   Do one of the following:
   • If you are adding a new device, from the Device view, select File > New Device > Add
     New Device. Configure the following fields on the Device Information page:
     - Device selector: Select a PIX Firewall or ASA device type.
     - IP Type: Select Static or Dynamic.
     - Auto Update Server: Click the arrow to display a list of servers. Select the server that
       is managing the device. If the server does not appear in the list, click the arrow, then
       select + Add Server... to add the server.
     - Device Identity: Enter the string value that uniquely identifies the device in AUS.
   • If you are adding a device by importing it from DCR, from the Device view, select File >
     New Device > Add Device From DCR. The device must have been created as an AUS
     device in DCR for it to be successfully imported into Security Manager as an AUS device.
     For more information, see Adding Devices to the Security Manager Inventory, page 5-30.
4. Configure AUS settings in Security Manager.
   Do one of the following:
   • (Device view) Select Platform > Device Admin > Server Access > AUS from the Device
     Policy selector.
   • (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Server Access > AUS
     from the Policy Types selector. Right-click AUS and select New AUS Policy to create a
     policy, or select an existing policy from the Policies selector.

5. Set the deployment method to Device.
   You can set this parameter either globally or for a specific device, as follows:
   • Globally: Select Tools > Security Manager Administration > Deployment.
   • Device: Depends on workflow mode:
     - Non-Workflow mode: Select Submit and Deploy Changes > Edit Deploy Method.
     - Workflow mode: Select Tools > Deployment Management > Create > Edit Deploy
       Method.
6. Deploy the configuration to the device.
   Do one of the following:
   • Non-Workflow mode: Select Submit and Deploy Changes.
   • Workflow mode (if no deployment job exists): Select Tools > Deployment Management
     > Create.
   • Workflow mode (if a deployment job already exists): Select Tools > Deployment
     Management and select the desired deployment job; then click Deploy.
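The auto-update server URL in the bootstrap step carries the AUS username and password as URL components, so any delimiter characters in them have to be percent-encoded or the device parses the wrong host, port or path. The following added example (not from the guide or from Cisco) builds that URL with encoded credentials and checks an existing one against the form https://user:password@host:port/autoupdate/AutoUpdateServlet; the function names and sample values are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Servlet path that the `auto-update server` bootstrap command points the device at.
AUS_PATH = "/autoupdate/AutoUpdateServlet"


def build_auto_update_server_url(username, password, server_ip, port=443):
    """Return the URL argument for `auto-update server` (helper name is ours).

    Credentials are percent-encoded so that ':' '@' or '/' inside a password
    cannot be mistaken for the userinfo, host or path delimiters of the URL.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    user = quote(username, safe="")
    pwd = quote(password, safe="")
    return f"https://{user}:{pwd}@{server_ip}:{port}{AUS_PATH}"


def check_auto_update_server_url(url):
    """Split an `auto-update server` URL and report deviations from the
    expected form. Returns (fields, findings); findings is empty when the
    URL matches https://user:password@host:port/autoupdate/AutoUpdateServlet.
    """
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}; expected https")
    if parts.path != AUS_PATH:
        findings.append(f"path is {parts.path!r}; expected {AUS_PATH}")
    if parts.netloc.count("@") > 1:
        findings.append("unencoded '@' inside the credentials")
    if parts.username is None or parts.password is None:
        findings.append("username:password missing")
    port = None
    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        findings.append("port is not a valid number")
    else:
        if port is None:
            findings.append("port missing; the bootstrap syntax expects host:port")
    fields = {
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "host": parts.hostname,
        "port": port,
        "path": parts.path,
    }
    return fields, findings


if __name__ == "__main__":
    # Constructed sample values: a password containing URL delimiters.
    url = build_auto_update_server_url("csm", "p@ss:w/rd", "10.0.0.5", 443)
    print("auto-update server", url)
    fields, findings = check_auto_update_server_url(url)
    print(fields, findings or "OK")
```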
Q. How can I deploy configurations to devices using a Cisco Networking
Services (CNS) server?

A. To perform this type of deployment, you need to set up the configuration
engine (CE), the device, and Security Manager. The following checklist
shows the tasks that you need to perform.

Note

If PIX Firewall and ASA devices are configured for CNS, they use the
AUS protocol. The required steps are identical to the steps that you follow
when you configure PIX Firewall and ASA for AUS. See How can I
deploy configurations to devices using an Auto Update Server (AUS)?,
page 18-29.


Table 18-11 CNS Setup Checklist

1. Set up the Configuration Engine.
   To set up the Configuration Server on AUS, see the AUS product documentation. To set up the
   Configuration Server on another server, see the Configuration Server documentation.
2. Bootstrap devices for CNS.
   If PIX Firewall and ASA devices are configured for CNS, they use the AUS protocol. The
   required steps are identical to the steps that you follow when you configure PIX Firewall and
   ASA for AUS. See Table 18-10. For Cisco IOS routers, you can configure CNS in the event-bus
   mode or the call-home mode.
   To configure CNS in event-bus mode, enter the following commands:

   hostname(config)# hostname <name>
   hostname(config)# ip domain-name <your_domain>
   hostname(config)# cns trusted-server all-agents <ip_address>
   hostname(config)# cns event <ip_address> [port]
   hostname(config)# cns config partial <ip_address>
   hostname(config)# cns password <password>
   hostname(config)# cns exec
   hostname(config)# exit
   hostname# copy running startup

   To configure CNS in call-home mode, enter the following commands:

   hostname# config terminal
   hostname(config)# ip domain-name <your_domain>
   hostname(config)# cns trusted-server all-agents <ip_address>
   hostname(config)# kron occurrence occurrence-name [user username] {in
   [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]}
   {oneshot | recurring}
   hostname(config-kron-occurrence)# policy-list <list-name>
   hostname(config-kron-occurrence)# exit
   hostname(config)# kron policy-list <list-name>
   hostname(config-kron-policy)# cli cns config retrieve <ip_address> page
   /cns/JobbedDynaConfig status http://<ip_address>/cns/PostStatus
   hostname(config-kron-policy)# exit
   hostname(config)# cns exec
   hostname(config)# exit
   hostname# copy running startup

   For more information about these commands, see Setting Up CNS, page 5-15.
3. Add devices to Security Manager inventory.
   Do one of the following:
   • If you are adding a new device, from the Device view, select File > New Device > Add
     New Device. Configure the following fields on the Device Information page:
     - IP Type: Select Static or Dynamic, as appropriate.
     - Device selector: Select a Cisco IOS router (excludes Cisco 7600 series routers).
     - CNS-Configuration Engine Server: If the device is using static addressing, select a
       Configuration Engine from the CNS-Configuration Engine Server field. If the desired
       Configuration Engine does not appear in the list, you can add it now. Click the arrow,
       then select + Add Configuration Engine.... The Configuration Engine Properties
       dialog box appears.
       If the device is using dynamic addressing, select the server that is managing the device
       (Auto Update Server or Configuration Engine). If the desired server does not appear
       in the list, click the arrow, then select + Add Server.... The Server Properties dialog
       box appears.
   • If you are adding a device that already exists in the network, from the Device view, select
     File > New Device > Add Device From Network. If the device is using dynamic
     addressing, you must select the Configuration Engine (CNS Gateway) that is managing the
     device. If the desired Configuration Engine does not appear in the list, click the arrow, then
     select + Add Auto Update Server.... The Auto Update Server Properties dialog box
     appears.

4. Set the deployment method to Device.
   You can set this parameter either globally or for a specific device, as follows:
   • Globally: Select Tools > Security Manager Administration > Deployment.
   • Device: Depends on workflow mode:
     - Non-Workflow mode: Select Submit and Deploy Changes > Edit Deploy Method.
     - Workflow mode: Select Tools > Deployment Management > Create > Edit Deploy
       Method.
5. Deploy the configuration to the device.
   Do one of the following:
   • Non-Workflow mode: Select Submit and Deploy Changes.
   • Workflow mode (if no deployment job exists): Select Tools > Deployment Management
     > Create.
   • Workflow mode (if a deployment job already exists): Select Tools > Deployment
     Management and select the desired deployment job; then click Deploy.


Q. Why do some platforms require a reload after performing configuration
rollback but not others?

A. On PIX/ASA/FWSM devices, Security Manager uses the replace config
option on the device's SSL interface to perform the equivalent of a reload
(xlates are cleared, IPSec tunnels are torn down, and so on).
Routers running IOS 12.3(7)T or later use the configure replace command to
replace the running config with the contents of a configuration file. Support
for this command depends on the IOS version installed on the router:

• On routers running IOS 12.3(7)T or later, Security Manager copies the
configuration file to the startup configuration before executing the
configure replace command. If the configure replace operation fails,
Security Manager issues the reload command to reload the operating
system using the contents of the startup configuration. Note that
the reload command restarts the system, which might result in a
temporary network outage.

• On routers running a version prior to 12.3(7)T, Security Manager copies
the configuration file to the startup configuration and issues the reload
command.

Working with Deployment


The following topics provide information about managing deployment in both
Workflow and non-Workflow modes:

• Using the Main Toolbar, page 18-36
• Viewing Deployment Status Information, page 18-36
• Deploying Configurations in Non-Workflow Mode, page 18-37
• Deploying Configurations in Workflow Mode, page 18-40
• Previewing Configurations, page 18-42
• Changing Deployment Methods, page 18-43
• Refreshing Deployment Status Information, page 18-44
• Redeploying Configurations to Devices, page 18-44
• Aborting Deployment Jobs, page 18-46


• Rolling Back Configurations to Devices, page 18-47
• Viewing Deployment Summary Information, page 18-48
• Viewing Deployment Device Details, page 18-49

The following are additional topics that apply only to managing deployment in
Workflow mode:

• Creating Deployment Jobs, page 18-50
• Opening and Closing Deployment Jobs, page 18-53
• Submitting Deployment Jobs, page 18-54
• Approving and Rejecting Deployment Jobs, page 18-55
• Discarding Deployment Jobs, page 18-56
• Viewing Deployment Job History, page 18-56

Using the Main Toolbar


In non-Workflow mode, you can use the Save & Deploy Changes button to save
your policy changes and automatically create a deployment job that deploys them
to devices in your network or to output files. See Deploying Configurations in
Non-Workflow Mode, page 18-37 for details.
The Deployment Manager window, which you access by clicking the Deployment
Manager button on the main toolbar or by selecting Tools > Deployment
Manager, also enables you to deploy policy changes and discard deployment
jobs. However, you can manage more than the current deployment job and
perform additional functions. For more information, see Viewing Deployment
Status Information, page 18-36.

Viewing Deployment Status Information


To display a list of deployment jobs and their status, select Tools > Deployment
Manager. The Deployment Manager window appears. From this window, you can
perform various functions depending on the Workflow mode in which you are
operating. For more information about these functions, see the following topics:

Non-Workflow Mode
Deploying Configurations in Non-Workflow Mode, page 18-37


Refreshing Deployment Status Information, page 18-44
Redeploying Configurations to Devices, page 18-44
Aborting Deployment Jobs, page 18-46
Rolling Back Configurations to Devices, page 18-47
Viewing Deployment Summary Information, page 18-48
Viewing Deployment Device Details, page 18-49

Workflow Mode
Creating Deployment Jobs, page 18-50
Opening and Closing Deployment Jobs, page 18-53
Submitting Deployment Jobs, page 18-54
Approving and Rejecting Deployment Jobs, page 18-55
Discarding Deployment Jobs, page 18-56
Redeploying Configurations to Devices, page 18-44
Aborting Deployment Jobs, page 18-46
Rolling Back Configurations to Devices, page 18-47
Viewing Deployment Summary Information, page 18-48
Viewing Deployment Device Details, page 18-49
Viewing Deployment Job History, page 18-56

Deploying Configurations in Non-Workflow Mode


When you deploy configurations, you can transfer them to devices either directly
or to another transport server (such as AUS, CNS, or TMS) in the network or to
files in a specified directory.

Caution

You must configure at least one policy on a device before deploying to that device. If
you deploy to a device without assigning at least one policy, the device's current
configuration is overwritten with a blank configuration.


Notes

• Deployment might take from a few minutes to an hour or more, depending on
the number of devices in the deployment job.

• Firewall devices only: If you manually added a firewall device or added a
device from DCR, we highly recommend that you discover (import) the
factory-default policies for that device before deploying to that device.
Bringing these policies into Security Manager prevents you from
unintentionally removing them the first time you deploy to that device. For
more information about factory-default policies for firewall devices, see
Chapter 15, Understanding Factory-Default Configurations. For more
information about importing policies, see Chapter 18, Managing
Deployment.

• The status of deployments to Catalyst 6500/7600 devices shows deployment
to the device as well as its interface contexts when policy changes contain
interface commands that affect the interface contexts (child devices). This
can occur when you deploy a policy change that affects a VLAN in which the
switch participates or when you update inventory, for example, by adding or
deleting interface contexts.

Before You Begin

• Make sure that devices have been bootstrapped. For more information, see
Preparing the Devices for Security Manager to Manage, page 5-2.

• If you are deploying to a transport server, such as AUS, CNS, or TMS, make
sure the server, Security Manager settings, and device have been set up
properly.

Procedure

Step 1
Click the Submit & Deploy Changes button on the Main toolbar.
The Deploy Saved Changes dialog box appears. For a description of the elements
in this dialog box, see Deploy Saved Changes Dialog Box, page O-3.

Step 2
Select the devices to which you want to deploy configurations.

Step 3
To change the method used to deploy configurations (default is Device), click
Edit Deploy Method.
The Edit Deployment Method dialog box appears. One of the following
deployment methods can be specified for each device:


• Device: Deploys the configuration directly to the device or to the transport
mechanism specified for the device. For more information, see Deploying to
a Device, page 18-11.

• File: Deploys the configuration file to a file on a selected server. If you select
File, enter the directory to which you want to deploy the configuration file or
click Browse to select from a list of available servers in the Destination
column. For more information, see Deploying to a File, page 18-13.

Note

Before proceeding with the deployment, you can preview proposed
configurations and compare them against last deployed configurations or
current running configurations. See Previewing Configurations,
page 18-42 for more information.

For a description of the elements displayed in the dialog box, see Edit Deploy
Method Dialog Box, page O-17.

Step 4
To add devices that do not have proposed policy changes to the deployment job,
click Add other devices. You might want to do this if a device was manually
modified, and you want to return the device to its previous configuration (the one
stored in the Security Manager database).
The Add Devices dialog box appears. Complete the fields in this dialog box. For
a description of the elements displayed, see Add Other Devices Dialog Box,
page O-23.

Step 5
Click Deploy to deploy the job.
The Deployment Status Details dialog box appears while configurations are being
deployed to devices. It displays summary information about the job, status about
the deployment to each device, and messages indicating why the deployment
failed.
In the Deployment Details table, select a row corresponding to a device to display
deployment status messages specifically for that device. For more information,
see Deployment Status Details Dialog Box, page O-6.
If deployment to any device failed, you can redeploy configurations to the failed
devices. For more information, see Redeploying Configurations to Devices,
page 18-44.


Related Topics

• Including Devices in Deployment Jobs, page 18-10
• Understanding Deployment Methods, page 18-11

Deploying Configurations in Workflow Mode


When you deploy configurations in Workflow mode, you transfer the
configurations directly to the devices in the network or to a file in a specified output
directory, depending on which option you chose when creating the job. See
Understanding Deployment Methods, page 18-11 for more information.
You deploy a job from the Deployment Status window, as described in the
following procedure. The status of the deployment is displayed in the Status
column of the Deployment Status window. See Deployment Manager Window
(Workflow Mode), page O-10. After a job is deployed, its devices become
available for inclusion in other jobs.
You can view more detailed status information about the deployment in the
Summary and Details tabs. See Summary Tab (Deployment Manager Window),
page O-34 and Details Tab (Deployment Manager Window), page O-35 for more
information.

Caution

You must configure at least one policy on a device before deploying to that device. If
you deploy to a device without assigning at least one policy, the device's current
configuration is overwritten with a blank configuration.

Notes

• Deployment might take from a few minutes to an hour or more, depending on
the number of devices in the deployment job.

• Firewall devices only: After manually adding a firewall device or adding a
device from DCR, we highly recommend that you discover (import) the
factory-default policies for that device. Bringing these policies into Security
Manager prevents you from unintentionally removing them the first time you
deploy to that device. For more information about factory-default policies for
firewall devices, see Chapter 15, Understanding Factory-Default
Configurations. For more information about importing policies, see
Chapter 18, Managing Deployment.


• The status of deployments to Catalyst 6500/7600 devices shows deployment
to the device as well as its interface contexts when policy changes contain
interface commands that affect the interface contexts (child devices). This
can occur when you deploy a policy change that affects a VLAN in which the
switch participates or when you update inventory, for example, by adding or
deleting interface contexts.

Before You Begin

• Make sure that devices have been bootstrapped. For more information, see
Preparing the Devices for Security Manager to Manage, page 5-2.

• If you are deploying to a transport server, such as AUS, CNS, or TMS, make
sure the server, Security Manager settings, and device have been set up
properly.

• Create a job. For more information, see Creating Deployment Jobs,
page 18-50.

• If using Workflow mode with activity approval, submit the job. For more
information, see Submitting Deployment Jobs, page 18-54.

• Approve the job. For more information, see Approving and Rejecting
Deployment Jobs, page 18-55.

Procedure

Step 1
Click the Deployment Manager button in the Main toolbar.
The Deployment Manager window appears.

Step 2
Select the job to deploy.

Step 3
Click Deploy.
The Deploy Job dialog box appears.

Step 4
In the Deployment Options field, select when you want to deploy the job. Valid
options are Schedule and Deploy Now.
If you choose Deploy Now, proceed to Step 6. If you choose Schedule, the Enter
Deployment Time field appears.

Step 5
In the Deployment Time field, enter the date and time that you want the job to be
deployed. For more details, see Deploy Job Dialog Box, page O-27.

Step 6
In the Deployment comments field, enter comments regarding the job.


Step 7
Click OK.
The Job Deployment Manager page appears. The job status changes to Deploying.
When the deployment is complete, the job status changes to Deployed.

Related Topics

• Including Devices in Deployment Jobs, page 18-10
• Understanding Deployment Methods, page 18-11

Previewing Configurations
You can preview configurations from several different locations in Security
Manager (see Table 18-12).
This procedure shows you how to display proposed configurations and compare
them to last deployed configurations or current running configurations for specific
devices, whether you are in Workflow mode or non-Workflow Mode.
Table 18-12 Previewing Configurations

Workflow Modes    | Action                                                                                                                                                    | Configuration Type
Both              | From Device view, right-click a device in the Device selector and select Preview Config.                                                                  | Non-committed configuration
Both              | From Maps view, right-click a device on the map and select Preview Config.                                                                                | Non-committed configuration
Both              | 1. Click the Deployment Manager button in the Main toolbar. 2. Select a job. 3. Click the Details tab. 4. Click the icon in the Config column for the desired device. | Last committed configuration
Non-Workflow mode | 1. Click File > Deploy. 2. Right-click a device in the Device selector and select Preview Config.                                                        | Committed configuration
Non-Workflow mode | 1. Click File > Deploy. 2. Define the job. 3. Click Deploy. 4. Click the icon in the Config column for the desired device.                                 | Last committed configuration
Workflow mode     | Right-click a device in the Device selector and select Preview Config.                                                                                    | Committed configuration
Workflow mode     | Select a device and click Preview Config.                                                                                                                 | Committed configuration

The Configuration Preview dialog box appears. Click one of the following radio
buttons to display configurations for comparison:

• None: Displays only the changed configuration on the device.

• Last Deployed: Displays the last configuration that was imported from the
device and compares it with the proposed full configuration.

• Current Running: Displays the current configuration running on the device
and compares it with the proposed full configuration.

For more information about the Preview Config dialog box, see Preview Config
Dialog Box, page O-21.

Changing Deployment Methods


The system default deployment method is to deploy to the device. You can set the
default deployment method for all devices under Tools > Security Manager
Administration > Deployment. For more details, see Chapter 20, Using Tools.
In addition, you can change the deployment method for specific devices. If you
are using non-Workflow mode, see Deploying Configurations in Non-Workflow
Mode, page 18-37. If you are using Workflow mode, see Creating Deployment
Jobs, page 18-50.


Refreshing Deployment Status Information


You can update the deployment status information at any time.
Procedure

Step 1
Click the Deployment Manager button in the Main toolbar.
The Deployment Manager window appears.

Step 2
Click Refresh.
Information in the window is updated.

Related Topics

• Deployment Manager Window (Non-Workflow Mode), page O-2
• Deployment Manager Window (Workflow Mode), page O-10
• Job States in Non-Workflow Mode, page 18-4
• Job States in Workflow Mode, page 18-8

Redeploying Configurations to Devices


You can redeploy any job. When redeploying a failed job, the devices that failed
are automatically selected. However, you can also add devices to which
deployment succeeded.

Caution

You must configure at least one policy on a device before deploying to that device. If
you deploy to a device without assigning at least one policy, the device's current
configuration is overwritten with a blank configuration.
Before You Begin

Make sure that devices have been bootstrapped. For more information, see
Preparing the Devices for Security Manager to Manage, page 5-2.


• If you are deploying to a transport server, such as AUS, CNS, or TMS, make
sure the server, Security Manager settings, and device have been set up
properly.

Procedure

Step 1
Click the Deployment Manager button in the Main toolbar.
The Deployment Manager window appears.

Step 2
Select the job that contains the devices to which you want to redeploy
configurations, then do one of the following:

• In non-Workflow mode, click Redeploy.
• In Workflow mode, click Deploy.

The Redeploy a Job dialog box appears.

Step 3
Select the rows corresponding to the devices to which you want to redeploy
configurations.

Step 4
To change the deployment method, in the Method column, select one of the
following deployment methods from the list:

• Device: Deploys the configuration directly to the device or to the transport
mechanism specified for the device. For more information, see Deploying to
a Device, page 18-11.

• File: Deploys the configuration file to a file on a selected server. If you select
File, enter the directory to which you want to deploy the configuration file or
click Browse to select from a list of available servers in the Destination
column. For more information, see Deploying to a File, page 18-13.

Note

Before redeploying configurations to devices, you can preview proposed
configurations and compare them against last deployed configurations or
current running configurations. For more information, see Previewing
Configurations, page 18-42.

For a description of all elements displayed in the dialog box, see Redeploy a Job
Dialog Box, page O-32.
Step 5

Click OK.


Related Topics

• Understanding Deployment Methods, page 18-11
• Preview Config Dialog Box, page O-8
• Job States in Non-Workflow Mode, page 18-4
• Job States in Workflow Mode, page 18-8

Aborting Deployment Jobs

You can stop a job if you do not want to deploy the defined configuration file or
you want to postpone deployment.
You can abort deployment jobs only while they are in the Deploying, Scheduled,
or Rolling Back state. Aborting a job stops deployment of configuration files to
pending devices, but has no effect on devices to which deployments are in
progress (commands are being written to a device) or to which deployment has
already completed successfully.
After you abort a job, the deployment status of pending devices changes to
Aborted.
To resume deployment, redeploy the job. See Redeploying Configurations to
Devices, page 18-44 for more information.

Procedure

Step 1
Click the Deployment Manager button in the Main toolbar.
The Deployment Manager window appears.

Step 2
Select a deployment job, then click Abort.
A dialog box requests confirmation of the abort operation.

Step 3
Click Yes.
Related Topics

Viewing Deployment Status Information, page 18-36

Job States in Non-Workflow Mode, page 18-4


Job States in Workflow Mode, page 18-8

Rolling Back Configurations to Devices


If you deploy configurations to devices and then determine that there is something
wrong with the new configurations, you can revert to and deploy the previous
configurations for those devices.
You can also use the Config Archive tool to roll back to any configuration archived
from a device. For more information, see Using the Configuration Archive Tool,
page 20-11.
Notes

• You cannot roll back to a previous configuration if the previous deployment
was to a file or if there are no previous configurations.

• There is limited support for the rollback function on Catalyst 6500/7600
devices. VLAN configuration changes made through the CVDM home page
are not captured in the running configuration of the Catalyst 6500/7600.
Therefore, they are not included in the configurations saved to the Security
Manager database after each deployment. If you want to use the rollback
function in this case, you need to reconfigure the VLANs on the CVDM home
page after rolling back the configuration.

• Special considerations apply to the rollback of IPS devices and IOS IPS
devices; see Understanding Rollback for IPS and IOS IPS, page 20-19.

Before You Begin

• Make sure that devices have been bootstrapped. For more information, see
Preparing the Devices for Security Manager to Manage, page 5-2.

• If you are deploying to a transport server, such as AUS, CNS, or TMS, make
sure the server, Security Manager settings, and device have been set up
properly.

• For Catalyst 6500/7600 devices, you must enable a TFTP server on the
Security Manager server, because for these two device types, the rollback is
achieved by transferring the configuration to the device (using TFTP) and
then reloading it. In addition, you must set the TFTP root directory to the same
directory that is set in Tools > Security Manager Administration > Config Archive.


Procedure
Step 1

Click the Deployment Manager button in the Main toolbar.

Step 2

Select a deployment job, then click Rollback.


A warning message appears.

Note: The rollback operation causes the devices in the job to reload. If you do
not want to reload devices, instead you can redeploy the job or create and
deploy a new job with the desired configuration changes. Use the rollback
operation only in extreme circumstances.

Step 3

To cancel the operation, click Cancel. To continue, click OK.

The Deployment Manager window appears.

Step 4

Select the devices for which you want to roll back configurations. By default, all
the devices with the status Succeeded are selected.
The Rollback a Job dialog box appears. See Deployment Rollback Dialog Box,
page O-29 for a description of the elements in this dialog box.

Step 5

Click Yes.

Related Topics

Viewing Deployment Status Information, page 18-36

Job States in Non-Workflow Mode, page 18-4

Job States in Workflow Mode, page 18-8

Viewing Deployment Summary Information


You can display summary information about deployment jobs, such as the job
status, number of devices deployed successfully, and number of devices deployed
with errors.


Procedure
Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Manager window appears.

Step 2

Select a job.
Information about the selected job appears on the Summary tab. See Summary
Tab (Deployment Manager Window), page O-34 for a description of the elements
in this tab.

Related Topics

Viewing Deployment Device Details, page 18-49

Viewing Deployment Status Information, page 18-36

Viewing Deployment Device Details


While deployment is in progress, you can display deployment status details about
specific devices.
Procedure
Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Manager window appears.

Step 2

Select a job, then click the Details tab.


Information about the selected deployment job appears on the Details tab. See
Details Tab (Deployment Manager Window), page O-35 for a description of the
elements on the tab.

Related Topics

Viewing Deployment Summary Information, page 18-48

Viewing Deployment Status Information, page 18-36


Performing Additional Workflow-Mode Tasks


In Workflow mode, there are additional tasks that are performed to deploy
configurations. The following topics provide information about these tasks:

Creating Deployment Jobs, page 18-50

Opening and Closing Deployment Jobs, page 18-53

Submitting Deployment Jobs, page 18-54

Approving and Rejecting Deployment Jobs, page 18-55

Discarding Deployment Jobs, page 18-56

Viewing Deployment Job History, page 18-56

Creating Deployment Jobs


Before you deploy policy configurations to your devices, you must create a
deployment job. When you create a job, you specify parameters, such as the
devices to which you want to deploy the configurations, whether you want to
deploy directly to the devices or to an output file, and when you want the job to
take place.
Notes

• If you choose to deploy the job immediately, deployment might take from a
few minutes to an hour or more, depending on the number of devices in the
deployment job.

• Firewall devices only: If you manually added a firewall device or added a
device from DCR, we highly recommend that you discover (import) the
factory-default policies for that device before deploying to that device.
Bringing these policies into Security Manager prevents you from
unintentionally removing them the first time you deploy to that device. For
more information about factory-default policies for firewall devices, see
Chapter 15, Understanding Factory-Default Configurations. For more
information about importing policies, see Chapter 18, Managing
Deployment.

• The status of deployments to Catalyst 6500 switches shows deployment to the
device as well as its interface contexts when policy changes contain interface
commands that affect the interface contexts (child devices). This can occur
when you deploy a policy change that affects a VLAN in which the switch
participates or when you update inventory, for example, by adding or deleting
interface contexts.
Before You Begin

• Make sure that devices have been bootstrapped. For more information, see
Preparing the Devices for Security Manager to Manage, page 5-2.

• If you are deploying to a transport server, such as AUS, CNS, or TMS, make
sure the server, Security Manager settings, and device have been set up
properly.

Procedure
Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Manager window appears.

Step 2

Click Create.
The Create a Job dialog box appears.

Step 3

In the Name field, a default name appears. Keep this name or enter a different,
unique name for the deployment job. Because the job name enables you to
distinguish one job from another, you should assign a logical name that reflects the
contents of the job.

Step 4

In the Description field, enter some information that reflects the contents of the
job.

Step 5

Select the devices to which you want to deploy configurations.

Step 6

To change the method used to deploy configurations to specific devices, click
Edit Deploy Method.

Note: The system default deployment method is Device unless it has been
changed under Tools > Security Manager Administration. To change the
system-wide default deployment method, see Chapter 20, Using Tools.

The Edit Deployment Method dialog box appears.


a.

Select the row corresponding to the device for which you want to change the
deployment method.


b.

In the Method column, select one of the following deployment methods from
the list:

• Device (Default): Deploys the configuration directly to the device or to
the transport mechanism specified for the device. For more information,
see Deploying to a Device, page 18-11.

• File: Deploys the configuration file to a file on a selected server. If you
select File, enter the directory to which you want to deploy the
configuration file or click Browse to select from a list of available servers
in the Destination column. For more information, see Deploying to a File,
page 18-13.

Note: Before deploying to devices, you can preview proposed configurations
and compare them against last deployed configurations or current running
configurations. For more information, see Previewing Configurations,
page 18-42.

For a description of all elements displayed in the dialog box, see Edit Deploy
Method Dialog Box, page O-17.
Step 7

To add devices that do not have proposed policy changes to the deployment job,
click Add other devices. For example, you might want to do this if a device was
manually modified, and you want to return the device to its previous configuration
(the one stored in the Security Manager database).
The Add Devices dialog box appears, listing all devices whether or not they
contain proposed policy changes.
a.

Select the check box next to the devices to include in the job; then click >>
to move the devices to the Selected Devices field.

b.

Click OK.

For a description of all elements displayed in this dialog box, see Add Other
Devices Dialog Box, page O-23.
Step 8

To select the state of the job when you are done, click one of the following radio
buttons:

• Leave the job in the edit state: Saves the job so that you can make additional
changes later.

• Approve the job: Approves the job so that it can be deployed later. If you
click this option, you can add approval comments.

• Deploy the job: Deploys the job. If you click this option, you can select
whether to deploy the job now or schedule it for a later time, and you can add
deployment comments.

Step 9

Click OK.
The status of the deployment job depends on the state you selected in the previous
step.

Related Topics

Including Devices in Deployment Jobs, page 18-10

Understanding Deployment Methods, page 18-11

Opening and Closing Deployment Jobs


If you want to make changes to a deployment job, you must open the job. The job
status changes to Edit Open.
Normally, you do not need to close a job, because you will typically submit,
approve, deploy, or schedule the job for deployment. However, if the Security
Manager server is suddenly unavailable or your login session times out, a job
might be left in the Edit Open state. If this happens, you can close it manually.
Procedure
Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Manager window appears.

Step 2

Select a job and do one of the following:

• Click Open to open the job.

• Click Close to close the job.

The Deployment Manager window appears.

Related Topics

Deployment Manager Window (Workflow Mode), page O-10


Job States in Workflow Mode, page 18-8

Submitting Deployment Jobs


In some organizations, before jobs can be deployed, they must be approved by a
separate user with the appropriate permissions. In this case, Workflow mode is
enabled with a deployment job approver, and you must submit the job to this user
for review. The user reviews the job and either approves or rejects it.
If you are using Workflow mode without a deployment job approver, you can
review and approve the job yourself. Submitting the job submits and approves the
job in one step.

Note

You enable and disable deployment job approval under Tools > Security Manager
Administration > Workflow. For more information, see Chapter 2, Performing
Administrative Tasks.
Procedure

Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Status window appears.

Step 2

Select the job to submit.

Step 3

Click Submit.
In Workflow mode with a deployment job approver, the job status changes to
Submitted. In Workflow mode without a deployment job approver, the job status
changes to Approved.

Related Topics

Deployment Manager Window (Workflow Mode), page O-10

Job States in Workflow Mode, page 18-8


Approving and Rejecting Deployment Jobs


In some organizations, before jobs can be deployed, they must be approved by a
separate user with the appropriate permissions. In Workflow mode with a
deployment job approver, one user submits a job, and another one previews the
job and either approves or rejects it.
In Workflow mode without a deployment job approver, you can create and
approve the job at the same time. For more information, see Creating Deployment
Jobs, page 18-50.
When you reject a job, the devices in the job immediately become available for
inclusion in other jobs. A rejected job cannot be deployed, but it can be opened
for viewing and editing.

Note

You enable and disable deployment job approval under Tools > Security Manager
Administration > Workflow. For more information, see Chapter 2, Performing
Administrative Tasks.
Procedure

Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Manager window appears.

Step 2

Select a submitted job and do one of the following:

• Click Approve.

• Click Reject.

The job status changes to Approved or Rejected, as appropriate.

Related Topics

Deployment Manager Window (Workflow Mode), page O-10

Job States in Workflow Mode, page 18-8


Discarding Deployment Jobs


You can discard a job when it is in any state except Deployed, Deployment Failed,
or Aborted. The job state is shown as discarded until the job is purged from the
system, either automatically as set on the Workflow Management page or
manually.
Procedure
Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Manager window appears.

Step 2

Select the job to discard.

Step 3

Click Discard.

Step 4

In the Comment field, enter a comment explaining why you are discarding the job.

Step 5

Click OK.

Related Topics

Deployment Manager Window (Workflow Mode), page O-10

Job States in Workflow Mode, page 18-8

Viewing Deployment Job History


The Deployment Job History tab displays transactions that occurred to the
selected job since it was created. Each row in the table shows the action that
occurred, the user who performed the action, the date and time it occurred, and
comments, if any, that the user entered.
Procedure
Step 1

Click the Deployment Manager button in the Main toolbar.


The Deployment Manager window appears.

Step 2

Select the desired job.

Step 3

Click the History tab.


Information about the transactions that occurred during the deployment is
displayed. See History Tab (Deployment Manager Window), page O-36 for
information about the elements in this tab.

Note

The timestamps shown on the History tab use the timezone of the server, not the
timezone of the client.

Related Topics

Deployment Manager Window (Workflow Mode), page O-10

Viewing Deployment Summary Information, page 18-48

Viewing Deployment Device Details, page 18-49


Chapter 19

Managing FlexConfigs
Security Manager provides tools to configure most parameters needed to manage
your devices. For those parameters for which there is not a tool for configuration,
and for certain customized applications, Security Manager provides the
FlexConfig feature. The FlexConfig feature provides a simple way for you to
write configuration commands, variables, and scripts and save these as
FlexConfig policy objects. A FlexConfig policy objects contents can range from
a single simple command string to elaborate CLI command structures that
incorporate scripting and variables.
FlexConfig policy objects are reusable, named components that can be referenced
by other policy objects and policies. FlexConfig policy objects simplify the
distribution and reuse of CLI commands to manage your devices.
FlexConfig policy objects can be contained within a FlexConfig policy. You use
the FlexConfig policies, as you would other policies, to define particular aspects
of network configuration and to produce various configuration assignment and
deployment results.
Understanding policies and objects is central to understanding and using
FlexConfig policy objects. For more information on how Security Manager
defines and uses policies, see Chapter 6, Managing Policies, and for information
on how Security Manager defines and uses objects, see Chapter 8, Managing
Objects.
The following topics describe the FlexConfig feature and how to use it:

Understanding FlexConfig Policy Objects, page 19-2

Understanding FlexConfig Policies, page 19-36

A FlexConfig Creation Scenario, page 19-36


Configuring FlexConfig Policy Objects, page 19-41

Understanding FlexConfig Policy Objects


FlexConfig policy objects are reusable, named components that can be referenced
by other policy objects and policies. You create FlexConfig policy objects by
entering configuration commands, either with or without additional scripting
language instructions, in the FlexConfig.
Or, you can create a FlexConfig policy object by duplicating and then modifying
an existing FlexConfig policy object, either one that you have created, or one of
the predefined FlexConfig policy objects that are shipped with Security Manager.
The following topics describe FlexConfig policy objects:

CLI Commands, page 19-2

Scripting Language Instructions, page 19-3

Object Variables, page 19-6

FlexConfig Policy Object Example, page 19-7

Predefined FlexConfig Policy Objects, page 19-7

FlexConfig System Variables, page 19-13

For more information about policy objects in general, see Chapter 8, Managing
Objects.

CLI Commands
The configuration commands that you enter into the FlexConfig Editor are actual
CLI commands used to configure devices, such as PIX Firewalls and Cisco IOS
Routers. You can include CLI commands that are not supported in Security
Manager 3.1. You are responsible for knowing and implementing the command
according to the proper syntax for the device type. See the command reference for
the particular device type (Cisco Router, PIX Firewall, and so on) for more
information.
You can add commands and instructions to the beginning or end of the
configurations:


• Prepended commands: Commands placed at the beginning of the
configurations. Prepended commands are always replaced when
configuration files are deployed.

• Appended commands: Commands placed after all other commands in a
configuration file and before the write mem command are called appended
commands.

If the appended commands are already configured on the device, the device
generates an error when you try to add them again. To resolve this, two
workarounds are available:

- Enter the command that removes the configuration in question as an
appended command. For example, if the command is xyz, enter the
following two lines:
no xyz
xyz

- Change the setting that controls the action that the device will take to warn.
This is set under Tools > Security Administration > Deployment.
The setting change will affect the behavior of devices for all commands
being deployed, not just those designated as appended commands.

Note: If you are deploying to a device, you should remove most appended
commands after the initial deployment. This is especially true for
object groups, where any unbound object group is replaced in the
Ending Command section during command generation, then re-sent
each time the configuration is deployed to a device. The device
displays an error because the firewall device shows that the object
group already exists. If you are deploying to a file or AUS, the
appended commands should remain.

Scripting Language Instructions


When creating or editing a FlexConfig policy object you have the option to use
scripting language instructions. Scripting language instructions are a subset of
commands supported in the Velocity Template Engine, a Java-based scripting
language, where control flows, such as looping and if/else statements, and
variables can be used.


Security Manager supports all Velocity Template Engine commands except the
include and parse commands. For information about the other supported
commands, see the Velocity Template Engine documentation.
The following topics provide examples of the most commonly used functions:

Example 1: Looping, page 19-4

Example 2: Looping with Two-Dimensional Arrays, page 19-4

Example 3: Looping with If/Else Statements, page 19-5

Example 1: Looping
A plain old telephone service (POTS) dial peer enables incoming calls to be
received by a telephony device by associating a telephone number to a voice port.
The following example enables caller ID for a set of POTS dial peers.
Object Body
#foreach ($peer_id in ["2", "3", "4"])
dial-peer voice $peer_id pots
caller-id
#end

CLI Output
dial-peer voice 2 pots
caller-id
dial-peer voice 3 pots
caller-id
dial-peer voice 4 pots
caller-id

Example 2: Looping with Two-Dimensional Arrays


In this example, a set of phone numbers is associated to voice ports, so incoming
calls can be received at a router.


Object Body
#foreach ($phone in [ [ "2000", "15105552000", "1/0/0" ], [ "2100",
"15105552100", "1/0/1" ], [ "2200", "15105552200", "1/0/2" ] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
port $phone.get(2)
#end

CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
dial-peer voice 2100 pots
destination-pattern 15105552100
port 1/0/1
dial-peer voice 2200 pots
destination-pattern 15105552200
port 1/0/2

Example 3: Looping with If/Else Statements


In this example, a set of phone numbers is associated to voice ports, so incoming
calls can be received at a router. In addition, another set of phone numbers is
associated to IP addresses to enable Voice Over IP outgoing calls from the router.
Object Body
#foreach ( $phone in [ [ "2000", "15105552000", "1/0/0", "" ],
[ "2100", "15105552100", "1/0/1", "" ],
[ "2200", "15105552200", "" , "ipv4:150.50.55.55"],
[ "2300", "15105552300", "" , "ipv4:150.50.55.55"] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
#if ( $phone.get(2) == "" )
session target $phone.get(3)
#else
port $phone.get(2)
#end
#end

CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
dial-peer voice 2100 pots
destination-pattern 15105552100
port 1/0/1
dial-peer voice 2200 pots
destination-pattern 15105552200
session target ipv4:150.50.55.55
dial-peer voice 2300 pots
destination-pattern 15105552300
session target ipv4:150.50.55.55

Object Variables
There are three types of variables you employ in a FlexConfig:

• Policy Object Variables: Static variables that reference a specific property.
For example, Text objects are a type of policy object variable. They are a
name and value pair, and the value can be a single string, a list of strings, or
a table of strings. Their flexibility allows you to enter any type of textual data
to be referenced and acted upon by any policy object.

• System Variables: Dynamic variables that reference a value during
deployment when the CLI is generated. The values are obtained from either
the deploying device or policies configured for the deploying device. System
variables can be declared optional in FlexConfig policy objects, which means
that the variables do not need to be assigned a value for the object to be
deployed to the device.

• Local Variables: Variables that are local to the looping and assignment
directives (foreach and set statements). Local variables get their values
directly from the Velocity Template Engine. There is no need to supply values
for the local variables.

You can manually enter variables (denoted with a starting $ character) in an
object. For example:
interface $inside


FlexConfig Policy Object Example


Using CLI commands and variables, you can create a FlexConfig policy object to
name the inside interface and crypto map on a Cisco router:
You enter these commands:
interface $inside
crypto map $xyz

You enter these variable assignments:


$inside = serial0
$xyz = my_crypto

When the configuration is generated, the following output is created from the
commands and variables you entered:
interface serial0
crypto map my_crypto
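To make the three Velocity examples above and this variable substitution checkable offline, here is an added Python renderer for just the subset the page uses (#foreach, #if/#else/#end, $var and $var.get(n)); it is not Security Manager's own engine, which embeds the Apache Velocity Template Engine, and EXAMPLE_3 carries the comma the page's listing omits between its third and fourth rows.

```python
"""Renderer for the Velocity subset used by the FlexConfig examples above
(#foreach / #if / #else / #end, $var, $var.get(n)).  Added illustration only:
Security Manager itself embeds the Apache Velocity Template Engine."""
import ast
import re
from typing import Dict, List, Optional, Tuple

FOREACH_RE = re.compile(r'^#foreach\s*\(\s*\$(\w+)\s+in\s+(\[.*\])\s*\)$')
IF_RE = re.compile(r'^#if\s*\((.*)\)$')
VAR_RE = re.compile(r'\$(\w+)(?:\.get\((\d+)\))?')
COND_RE = re.compile(r'^\s*(\$\w+(?:\.get\(\d+\))?)\s*(==|!=)\s*"([^"]*)"\s*$')

def _logical_lines(text: str) -> List[str]:
    """Re-join a #foreach header whose list literal spans several lines."""
    out, buf = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if buf or line.startswith("#foreach"):
            buf = (buf + " " + line).strip()
            if buf.count("[") == buf.count("]") and buf.count("(") == buf.count(")"):
                out.append(buf)
                buf = ""
        else:
            out.append(line)
    if buf:
        raise ValueError("unterminated #foreach header")
    return out

def _lookup(ref: str, env: Dict[str, object]) -> str:
    m = VAR_RE.fullmatch(ref)  # $name or $name.get(i)
    if not m or m.group(1) not in env:  # an unassigned variable is an error
        raise KeyError(f"variable {ref} has no value")
    value = env[m.group(1)]
    return str(value[int(m.group(2))] if m.group(2) is not None else value)

def _evaluate(cond: str, env: Dict[str, object]) -> bool:
    m = COND_RE.match(cond)  # only the string comparison form of Example 3
    if not m:
        raise ValueError(f"unsupported #if condition: {cond}")
    left = _lookup(m.group(1), env)
    return left == m.group(3) if m.group(2) == "==" else left != m.group(3)

def _block_end(lines: List[str], start: int) -> Tuple[int, Optional[int]]:
    """Index of the #end closing lines[start], and of any #else at that depth."""
    depth, else_at = 0, None
    for i in range(start, len(lines)):
        if lines[i].startswith(("#foreach", "#if")):
            depth += 1
        elif lines[i] == "#else" and depth == 1:
            else_at = i
        elif lines[i] == "#end":
            depth -= 1
            if depth == 0:
                return i, else_at
    raise ValueError("missing #end")

def _render(lines: List[str], env: Dict[str, object], out: List[str]) -> None:
    i = 0
    while i < len(lines):
        s = lines[i]
        if s.startswith("#foreach"):
            m = FOREACH_RE.match(s)
            if not m: raise ValueError(f"malformed #foreach: {s}")
            end, _ = _block_end(lines, i)
            # A Velocity list literal is also a valid Python literal.
            for item in ast.literal_eval(m.group(2)):
                _render(lines[i + 1:end], {**env, m.group(1): item}, out)
            i = end + 1
        elif s.startswith("#if"):
            m = IF_RE.match(s)
            if not m: raise ValueError(f"malformed #if: {s}")
            end, else_at = _block_end(lines, i)
            if _evaluate(m.group(1), env):
                _render(lines[i + 1:end if else_at is None else else_at], env, out)
            elif else_at is not None:
                _render(lines[else_at + 1:end], env, out)
            i = end + 1
        else:  # plain CLI line: substitute every $variable reference
            out.append(VAR_RE.sub(lambda m: _lookup(m.group(0), env), s))
            i += 1

def render_flexconfig(body: str, variables: Optional[Dict[str, str]] = None) -> str:
    """Expand a FlexConfig object body into the CLI text it generates."""
    out: List[str] = []
    _render(_logical_lines(body), dict(variables or {}), out)
    return "\n".join(out)

# Example 3 from the page, with the comma the third and fourth rows need.
EXAMPLE_3 = """\
#foreach ( $phone in [ [ "2000", "15105552000", "1/0/0", "" ],
[ "2100", "15105552100", "1/0/1", "" ],
[ "2200", "15105552200", "" , "ipv4:150.50.55.55"],
[ "2300", "15105552300", "" , "ipv4:150.50.55.55"] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
#if ( $phone.get(2) == "" )
session target $phone.get(3)
#else
port $phone.get(2)
#end
#end"""
```

Calling render_flexconfig("interface $inside\ncrypto map $xyz", {"inside": "serial0", "xyz": "my_crypto"}) reproduces the output above, and leaving a variable unassigned raises KeyError, which mirrors the rule that non-optional variables must have a value before deployment.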

Predefined FlexConfig Policy Objects


Security Manager provides predefined FlexConfig policy objects for you to use.
These policy objects have predefined commands and scripting.
Predefined FlexConfig policy objects are permanently set as read-only objects. To
edit these predefined FlexConfig policy objects, duplicate the desired object,
make changes to the copy, and save it with a new name. This way, the original
predefined FlexConfigs remain unchanged. For lists of these predefined policy
objects and further information on each, see the following tables:

• Predefined ASA FlexConfig Policy Objects: Table 19-1

• Predefined Cisco IOS FlexConfig Policy Objects: Table 19-2

• Predefined PIX Firewall FlexConfig Policy Objects: Table 19-3

• Predefined Router FlexConfig Policy Objects: Table 19-4


Table 19-1    Predefined ASA FlexConfig Policy Objects

ASA_add_ACEs: Adds an access control entry (ACE) to all access control lists on
the device.

ASA_add_EtherType_ACL_remark: Loops through a list of ethertype access-list
names and adds ACEs or remarks to them. The ethertype access list is the same
as Transparent Rules for Firewalls in Security Manager. The remarks set by the
CLI in this FlexConfig will be shown in the description field of a transparent rule.

ASA_command_alias: Creates a command alias named save for the copy
running-config and copy startup_config commands.

ASA_csd_image: Provides an ASA Cisco Secure Desktop image. Copies the csd
image from the CSM server /CSCOpx/tftpboot/device-hostname to the device,
then configures the csd image path. Make sure you fill out the device's hostname
in Device Properties. If the image name is different than the default, you can
override it in Device Properties > Policy Object Overrides > Text Objects >
AsaCsdImageName. Unassign this FlexConfig from the device after the image
has been copied and configured.

ASA_define_traffic_flow_tunnel_group: Defines site-to-site VPN tunnel groups
listed in the SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME system
variable. This variable is populated with tunnel group names defined in Traffic
Flow objects.

ASA_established: Permits return access for outbound connections through the
security appliance. This command works with an original connection that is
outbound from a network and protected by the security appliance and a return
connection that is inbound between the same two devices on an external host.
Uses the established command to specify the destination port that is used for
connection lookups, which gives you more control over the command and
supports protocols where the destination port is known, but the source port is
unknown. The permitto and permitfrom keywords define the return inbound
connection.

ASA_FTP_mode_passive: Sets the FTP mode to passive.

ASA_generate_route_map: Generates a route map to be used by the pim
accept-register route-map command configured under Platform > Multicast >
PIM > Request Filter. Security Manager exports the route-map name used in the
pim command so that you can configure it as desired.

ASA_IP_audit: Uses the ip-audit command to provide the following:
- Sets the default actions (alarm, drop, reset) for packets that match an attack
signature.
- Sets the default actions (alarm, drop, reset) for packets that match an
informational signature.
- Creates a named audit policy that identifies the actions to take (alarm, drop,
reset) when a packet matches a defined attack signature or an informational
signature.
- Disables a signature for an audit policy.
- Assigns an audit policy to an interface.

ASA_MGCP: Identifies a specific map for defining the parameters for Media
Gateway Control Protocol (MGCP) inspection.

ASA_no_router_Id: Removes the router ID for each OSPF process.

ASA_no_shut_Intf: Loops through and enables all interfaces on a device.

ASA_privilege: Sets the privilege levels for the configuration, show and clear
commands.

ASA_route_map: Defines a route map for each OSPF process redistribution route
map name.

ASA_RSA_KeyPair_generation: Resets and generates RSA key pairs for
certificates.

ASA_svc_image: Provides an ASA SSL VPN Client image. Copies the svc image
from the CSM server /CSCOpx/tftpboot/device-hostname to the device, then
configures the svc image path. Make sure you fill out the device's hostname in
Device Properties. If the image name is different than the default, you can
override it in Device Properties > Policy Object Overrides > Text Objects >
AsaSvcImageName. Unassign this FlexConfig from the device after the image
has been copied and configured.

ASA_sysopt: Uses the sysopt command to provide the following examples:
- Ensures that the maximum TCP segment size does not exceed the value you
set or that the minimum is not less than a specified size.
- Forces each TCP connection to remain in a shortened TIME_WAIT state of at
least 15 seconds after the final normal TCP close-down sequence.
- Disables DNS inspection that alters the DNS A record address.
- Ignores the authentication key in RADIUS accounting responses.
- Enables the web browser to supply a username and password from its cache
when it reauthenticates with the virtual HTTP server on the security appliance.

ASA_virtual: Configures virtual HTTP and Telnet servers.

Table 19-2 Predefined Cisco IOS FlexConfig Policy Objects

IOS_add_bridge_interface_desc
  Loops through a list of bridge interfaces and adds the description "this is
  a bridge interface".

IOS_CA_server
  Configures a certificate server.

IOS_compress_config
  Compresses large Cisco IOS configurations.

IOS_console_AAA_bypass
  Provides examples of the following scenarios:
  - Enables the authentication, authorization, and accounting (AAA)
    access-control model.
  - Sets AAA at login.
  - Enables AAA authentication for logins.

IOS_enable_SSL
  Enables SSL.

IOS_FPM
  Copies traffic class definition files to a router and applies policy-maps.

IOS_set_clock
  Sets the clock to the current time on the Security Manager server.

IOS_VOIP_advanced
  Loops through and associates a POTS port number to a telephone number and
  port or IP address number.

IOS_VOIP_simple
  Associates a POTS port number to a telephone number and port number.

IOS_VPN_config_gre_tunnel
  Uses VPN variables to configure the GRE tunnel for each VPN in which the
  device participates.

IOS_VPN_set_interface_desc
  Using VPN variables, updates the description of the public interface for
  each VPN in which the device participates.

IOS_VPN_shutdown_inside_interface
  Using VPN variables, shuts down all inside interfaces for each VPN in which
  the device participates.

IOS_VRF_on_vFW
  Configures virtual routing and forwarding (VRF) on virtual firewall
  interfaces.

IOS_config_root_wireless__station
  Creates and configures the root radio station for a wireless LAN on Cisco
  IOS 851 or 871 routers.
Table 19-3 Predefined PIX Firewall FlexConfig Policy Objects

PIX6.3_nat0_acl_compiled
  Generates a compiled access list for NAT 0 access-control lists.

PIX6.3_policy_nat_acl_compiled
  Generates a compiled access list for Policy NAT ACLs.

PIX6.3_policy_static_acl_compiled
  Generates a compiled access list for Policy Static ACLs.

PIX_VPDN
  Configures a virtual private dialup network (VPDN).

Table 19-4 Predefined Router FlexConfig Policy Objects

ROUTER_add_inspect_rules
  Loops through and appends inspect rules.

ROUTER_BGP_no_auto_summary
  Disables the auto route summary for each BGP process by using the
  no auto-summary sub-command.
  This FlexConfig policy object uses the list of border gateway protocol
  (BGP) numbers from the SYS_ROUTER_BGP_AS_NUMBERS_LIST system variable.

ROUTER_BGP_untrusted_info
  Uses the distance bgp 255 255 255 sub-command to make the border gateway
  protocol (BGP) routing information untrusted for each BGP process.
  This FlexConfig policy object uses the list of BGP numbers from the
  SYS_ROUTER_BGP_AS_NUMBERS_LIST system variable.

ROUTER_EIGRP_min_cost_routes
  Configures traffic to use minimum cost routes when multiple routes of
  different cost lead to the same destination network. This is done using
  multi-interface load splitting on different interfaces with equal cost
  paths.
  This FlexConfig policy object uses the list of router enhanced interior
  gateway routing protocol (EIGRP) numbers from the
  SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable.

Router_EIGRP_no_auto_summary
  Disables the auto route summary for each router enhanced interior gateway
  routing protocol (EIGRP) process by using the no auto-summary sub-command.
  This FlexConfig policy object uses the list of EIGRP numbers from the
  SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable.

ROUTER_interface_prevent_dos_attacks
  Prevents denial-of-service (DoS) attacks on all device interfaces.
  This FlexConfig policy object uses the list of interface names from the
  SYS_INTERFACE_NAME_LIST system variable.

ROUTER_OSPF_router_ID_reset
  Removes the router OSPF ID for each OSPF process.
  This FlexConfig policy object uses the list of OSPF IDs from the
  SYS_ROUTER_OSPF_PROCESS_IDS_LIST system variable.

ROUTER_QoS_Class_Map_description
  Sets QoS class map descriptions.
  This FlexConfig policy object uses the list of router QoS class names from
  the SYS_ROUTER_QOS_CLASS_MAP_LIST system variable.

ROUTER_QoS_Policy_Map_description
  Sets QoS policy descriptions.
  This FlexConfig policy object uses the list of router QoS policy names from
  the SYS_ROUTER_QOS_POLICY_MAP_LIST system variable.

FlexConfig System Variables

System variables reference values during deployment when commands are
generated. Security Manager provides a set of defined system variables for you
to use in defining FlexConfig policy objects and policies. The values for these
variables are required unless otherwise noted. For information about these
variables, see the following tables:

- Device system variables: Table 19-5. For more information about
  discovering or configuring devices to obtain values for these variables,
  see Chapter 5, Managing Devices.
- Firewall system variables: Table 19-6. For more information about creating
  firewall system variables, see Chapter 15, Managing Firewall Devices, and
  Chapter 12, Managing Firewall Services.
- Router platform system variables: Table 19-7. For more information about
  creating router system variables, see Chapter 14, Managing Routers.
- VPN system variables: Table 19-8. For more information about creating VPN
  system variables, see Chapter 9, Managing Site-to-Site VPNs.
- Remote access system variables: Table 19-9. For more information about
  creating remote access system variables, see Chapter 10, Managing Remote
  Access VPNs.
Table 19-5 Device System Variables (1)

SYS_DOMAIN_NAME
  The DNS domain name.
  Discover or configure devices on Security Manager to generate values for
  this variable.

SYS_FW_OS_MODE
  OS mode of the FWSM or ASA device. Valid values are ROUTER (routed mode),
  TRANSPARENT, or NOT_APPLICABLE.
  Discover or configure device operating system information (Tools > Device
  Properties > General) to generate values for this variable.
  This variable applies only to FWSM or ASA devices.

SYS_FW_OS_MULTI
  Device OS context (single or multi mode). Valid values are SINGLE, MULTI,
  or NOT_APPLICABLE.
  This variable applies only to FWSM or ASA devices.
  Discover or configure device properties (Tools > Device Properties >
  General) to generate values for this variable.

SYS_HOSTNAME
  The device's hostname.
  Discover or configure devices on Security Manager to generate values for
  this variable.

SYS_IMAGE_NAME
  The device's image name.
  Discover or configure devices on Security Manager to generate values for
  this variable.

SYS_INTERFACE_IP_LIST
  IP addresses and masks of the interfaces configured in the Interface
  policy. The IP address and mask are in the x.x.x.x/nn format (for example,
  10.20.1.2/24). If there are no interfaces defined on the device, no list is
  returned.
  Each element in SYS_INTERFACE_NAME_LIST and SYS_INTERFACE_IP_LIST shares
  the same index for the interface. For example, if element 3 in
  SYS_INTERFACE_NAME_LIST is for Ethernet1, element 3 in
  SYS_INTERFACE_IP_LIST is the IP address for Ethernet1. If Ethernet1 has no
  IP address, element 3 in SYS_INTERFACE_IP_LIST is empty.
  Configure interface policies on the device to generate values for this
  variable.
  This variable is optional.

SYS_INTERFACE_NAME_LIST
  Names of the interfaces on the device. If no interfaces are defined on the
  device, no list is returned.
  Each element in SYS_INTERFACE_NAME_LIST and SYS_INTERFACE_IP_LIST shares
  the same index for the interface. For example, if element 3 in
  SYS_INTERFACE_NAME_LIST is for Ethernet1, element 3 in
  SYS_INTERFACE_IP_LIST is the IP address for Ethernet1. If Ethernet1 has no
  IP address, element 3 in SYS_INTERFACE_IP_LIST is empty.
  Discover or configure interfaces on the device to generate values for this
  variable.
  This variable is optional.

SYS_MANAGEMENT_IP
  Management IP address of the device.
  Discover or configure device IP addresses (Tools > Device Properties >
  General) to generate values for this variable.

SYS_MDF_TYPE
  The Cisco MDF (MetaData Framework) type of the device. Indicates the device
  model.
  Discover or configure devices on Security Manager to generate values for
  this variable.

SYS_OS_RUNNING_VERSION
  The software version of the OS running on the device. The version string
  could be 6.1, 6.2, and so on, on a PIX platform; 12.1, 12.2S, and so on, on
  an IOS platform; and 3.5, 4.1, and so on, on an IDS platform.
  Discover or configure devices on Security Manager to generate values for
  this variable.

SYS_OS_TARGET_VERSION
  Indicates the OS version to be used when generating the device
  configuration.
  Discover or configure devices on Security Manager to generate values for
  this variable.

SYS_OS_TYPE
  Device OS type. Valid values are IOS, PIX, ASA, CATOS, FWSM, IDS.
  Discover or configure device properties (Tools > Device Properties >
  General) to generate values for this variable.

SYS_SYS_OID
  The SysObjId of the device.
  Discover or configure devices on Security Manager to generate values for
  this variable.

1. Device variables apply to all device types.
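The following FlexConfig body is an added illustration, not one of the predefined objects shipped with Security Manager, of how a template consumes the two parallel lists described in Table 19-5: it walks SYS_INTERFACE_NAME_LIST, reads the address at the same index in SYS_INTERFACE_IP_LIST, and emits interface subcommands only where that element is non-empty. It assumes the Velocity syntax that FlexConfig templates use, with $velocityCount as the 1-based loop counter and the list's get() method for positional access (both assumptions); the subcommands it emits (description, no ip proxy-arp) are illustrative Cisco IOS interface commands chosen for the example.

```velocity
## Added example template; not a predefined Security Manager FlexConfig object.
## Assumes Velocity syntax with $velocityCount as the 1-based loop counter and
## list get() for positional access (both assumptions).
#foreach ($ifname in $SYS_INTERFACE_NAME_LIST)
## Both lists share one index: the address for $ifname sits at the same
## position in SYS_INTERFACE_IP_LIST (element 3 <-> element 3).
#set ($idx = $velocityCount - 1)
#set ($ifaddr = $SYS_INTERFACE_IP_LIST.get($idx))
#if ($ifaddr && $ifaddr != "")
interface $ifname
 description $ifname $ifaddr (managed by FlexConfig)
 no ip proxy-arp
#end
## An interface with no IP address has an empty element here, so the #if
## above produces no commands for it and the loop moves on.
#end
```

Preview the generated configuration on a device whose interface policy includes an unaddressed interface (the case the table calls out) to confirm that no interface stanza is produced for it; a template that indexes SYS_INTERFACE_IP_LIST without the empty-element check would emit a description line with a blank address for that interface.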

Table 19-6 Firewall System Variables

SYS_FPM_INPUT_SP
  FPM policy map names applied on the interface corresponding to the entry
  in the SYS_FPM_INTERFACE list in the in direction.
  This data is not configured in Security Manager. It is obtained from a
  router's running configuration and is used by the FPM FlexConfig.

SYS_FPM_INTERFACE
  Interface names.
  This data is not configured in Security Manager. It is obtained from a
  router's running configuration and is used by the FPM FlexConfig.

SYS_FPM_OUTPUT_SP
  FPM policy map names applied on the interface corresponding to the entry
  in the SYS_FPM_INTERFACE list in the out direction.
  This data is not configured in Security Manager. It is obtained from a
  router's running configuration and is used by the FPM FlexConfig.

SYS_FW_ACL_IN_NAME
  Names of ACLs applied to interfaces for traffic filtering in the inbound
  direction. Each element has a one-to-one correspondence with the
  SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers, PIX Firewalls,
  Firewall Service Modules, and ASA devices.
  Configure firewall access rules to generate values for this variable.

SYS_FW_ACL_OUT_NAME
  Names of ACLs applied to interfaces for traffic filtering in the outbound
  direction. Each element of this array has a one-to-one correspondence with
  the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers, PIX Firewalls,
  Firewall Service Modules, and ASA devices.
  Configure Access Rules policies to generate values for this variable.

SYS_FW_BRIDGE_INTERFACE_NAMES
  Names of bridge interfaces.
  This variable applies only to IOS transparent firewalls.
  Configure Policy Firewall > Settings > Transparent to generate values for
  this variable.

SYS_FW_ETHERTYPERULE_ACL_NAMES
  Names of ethertype access-lists applied to interfaces for traffic filtering
  coming in or going out. Each element of this array has a one-to-one
  correspondence with the elements in the
  SYS_FW_ETHERTYPERULE_INTERFACE_NAMES and
  SYS_FW_ETHERTYPERULE_DIRECTION_NAMES variables.
  Configure Firewall transparent rules policies to generate values for this
  variable.

SYS_FW_ETHERTYPERULE_DIRECTION_NAMES
  Direction in which ethertype access-lists are applied. The value is either
  in or out. Each element has a one-to-one correspondence with the elements
  in the SYS_FW_ETHERTYPERULE_ACL_NAMES and
  SYS_FW_ETHERTYPERULE_INTERFACE_NAMES variables.
  Configure Firewall transparent rules policies to generate values for this
  variable.

SYS_FW_ETHERTYPERULE_INTERFACE_NAMES
  Interface names to which ethertype access-lists are applied. Each element
  has a one-to-one correspondence with the SYS_FW_ETHERTYPERULE_ACL_NAMES and
  SYS_FW_ETHERTYPERULE_DIRECTION_NAMES variables.
  Configure Firewall transparent rules policies to generate values for this
  variable.

SYS_FW_INSPECT_IN_NAME
  Names of Inspect rules applied to Cisco IOS router interfaces in the
  inbound direction. Each element of this array has a one-to-one
  correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS
  routers.
  Configure Inspection Rules policies to generate values for this variable.
  This variable is optional.

SYS_FW_INSPECT_OUT_NAME
  Names of Inspect rules applied to Cisco IOS router interfaces in the
  outbound direction. Each element of this array has a one-to-one
  correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS
  routers.
  Configure Inspection Rules policies to generate values for this variable.
  This variable is optional.

SYS_FW_INTERFACE_HARDWARE_ID_LIST
  Hardware IDs for the device.
  Configure interface policies on the device to generate values for this
  variable.
  This variable is optional.

SYS_FW_INTERFACE_NETWORK_LIST
  Interface networks on the device.
  Configure interface policies on the device to generate values for this
  variable.

SYS_FW_INTERFACE_SECURITY_LEVEL_LIST (Dimension: 1)
  Interface security levels on the device.
  Configure interface policies on the device to generate values for this
  variable.

SYS_FW_INTERFACE_STATE_LIST
  Interface states on the device.
  Configure interface policies on the device to generate values for this
  variable.

SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME
  Names of tunnel groups specified in Traffic Flow objects.
  Traffic Flow objects configure class-map commands on PIX Firewalls, and
  the names of the tunnel groups listed in Traffic Flow objects populate this
  variable. This variable is used by the define_traffic_flow_tunnel_group
  FlexConfig object to create tunnel groups on PIX Firewalls.
  This variable is optional.

SYS_FW_MULTICAST_PIM_ACCEPT_REG_ROUTEMAP
  Route-map name used in the pim accept-register route-map command.
  Enter a name for the route-map (Platform > Multicast > PIM > Request
  Filter), then configure its features using FlexConfig to generate values
  for this variable.
  This variable is optional.

SYS_FW_NAT0_ACL_NAMES
  Names of ACLs used in the nat interface_name 0 access-list acl_name
  command.
  This variable is optional.

SYS_FW_OSPF_PROCESS_ID_LIST
  IDs for OSPF routing processes globally configured on PIX Firewalls,
  Firewall Service Modules, and ASA devices.
  Configure OSPF (Platform > Routing > OSPF) to generate values for this
  variable.

SYS_FW_OSPF_REDISTRIBUTION_ROUTE_MAP_LIST (Dimension: 1)
  Names for the route maps to apply to the OSPF redistribute commands
  configured on PIX Firewalls, Firewall Service Modules, and ASA devices.
  Configure the OSPF policy to generate values for this variable.

SYS_FW_POLICY_NAT_ACL_NAMES
  Names of ACLs used in the policy nat commands (nat commands with a non-0
  pool id).
  Configure NAT (NAT > Translation Rules > Policy NAT) to generate values for
  this variable. This variable applies only to PIX 6.3(3), PIX/ASA 7.0, and
  FWSM devices. This variable does not apply to Cisco IOS routers.
  This variable is optional.

SYS_FW_POLICY_STATIC_ACL_NAMES
  Names of ACLs used in the policy static commands that include access lists.
  Configure NAT 0 (NAT > Translation Rules > Policy NAT) to generate values
  for this variable. The variable contains the access-list names used by the
  nat-0, policy nat, and policy static commands.
  This variable applies only to PIX 6.3(3), PIX/ASA 7.0, and FWSM devices.
  This variable does not apply to Cisco IOS routers.
  This variable is optional.

Table 19-7 Router Platform System Variables

SYS_ROUTER_BGP_AS_NUMBERS_LIST (Dimension: 1)
  Autonomous system (AS) number of the border gateway protocol (BGP) and
  exterior gateway protocol (EGP) on the device.
  Configure BGP policies to generate values for this variable (Router
  Platform > Routing > BGP).
  This variable is optional.

SYS_ROUTER_EIGRP_AS_NUMBERS_LIST
  Autonomous system (AS) numbers of the different enhanced interior gateway
  routing protocol (EIGRP) and interior gateway protocol (IGP) processes on
  the device.
  Configure EIGRP policies to generate values for this variable (Router
  Platform > Routing > EIGRP).
  This variable is optional.

SYS_ROUTER_OSPF_PROCESS_IDS_LIST
  Open shortest path first (OSPF) interior gateway protocol (IGP) process
  numbers on the device.
  Configure OSPF Process policies to generate values for this variable
  (Router Platform > Routing > OSPF Process).
  This variable is optional.

SYS_ROUTER_QOS_CLASS_MAP_LIST
  Names of QoS class maps on the device.
  Configure Quality of Service policies to generate values for this variable.
  This variable is optional.

SYS_ROUTER_QOS_POLICY_MAP_LIST
  Names of the QoS policy-maps on the device.
  Configure Quality of Service policies to generate values for this variable.
  This variable is optional.

Table 19-8 VPN System Variables

Topology: Variables related to the VPN in which a device participates. For
more information, see Creating a VPN Topology, page 9-20.

SYS_VPN_TOPOLOGY
  Virtual private network (VPN) topology type. Valid values are
  HUB_AND_SPOKE, POINT_TO_POINT, and FULL_MESH.

SYS_VPN_TOPOLOGY_NAME
  Name of the VPN topology in which the device participates.
  Configure VPNs to generate values for this variable.

SYS_VPN_TOPOLOGY_ROLE
  Details about the role of the device in the VPN. Valid values are PEER,
  HUB, and SPOKE.
  Configure VPNs to generate values for this variable.

Devices: Variables related to devices in the VPN in which a device
participates. For more information, see Creating a VPN Topology, page 9-20.

SYS_VPN_HOST_NAME
  Device host name.
  Configure VPNs to generate values for this variable.

SYS_VPN_LOCAL_PREFIXES
  Interface and network IP addresses of protected networks.
  Configure VPNs to generate values for this variable.

SYS_VPN_PRIVATE_INTERFACES
  Private interface names.
  Configure VPNs to generate values for this variable.

SYS_VPN_PRIVATE_TUNNEL_ENDPT_IP
  Interface tunnel IP address.
  Configure VPNs to generate values for this variable.

SYS_VPN_PUBLIC_INTERFACES
  Public interface names.
  Configure VPNs to generate values for this variable.

SYS_VPN_TUNNEL_ENDPT_INTERFACE_IP
  IP address of the VPN endpoint. (In IPSec, the endpoint is the VPN
  interface; in GRE, it is the tunnel source.)
  Configure VPNs to generate values for this variable.

SYS_VPN_TUNNEL_ENDPT_INTERFACE_NAME
  Name of the VPN endpoint. (In IPSec, the endpoint is the VPN interface; in
  GRE, it is the tunnel source.)
  Configure VPNs to generate values for this variable.

SYS_VPN_VPNSM_PUBLIC_IFC
  Export port names (for Catalyst 6000 series switches only).

Remote Peers: Variables related to the remote peers of the VPNs in which a
device participates. For more information, see Creating a VPN Topology,
page 9-20.

SYS_VPN_REM_PEER_BAK_LOGICAL_PRIVATE_IP
  Interface tunnel IP addresses of remote peers of failover hubs. This value
  is used in DMVPN for next hop resolution protocol (NHRP).
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_BAK_PREFIX
  Protected networks (interface and network IP addresses) of remote peers of
  failover hubs.
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_BAK_PUBLIC_IP
  Public interface names of remote peers of failover hubs.
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_BAK_TUNNEL_SRC
  IP address of the VPN endpoint of remote peers. (In IPSec, the endpoint is
  the VPN interface; in GRE, it is the tunnel source.)
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_DEVICE_NAME
  Device host names of remote peers.
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_LOGICAL_PRIVATE_IP
  Interface tunnel IP addresses of remote peers. This value is used in DMVPN
  for next hop resolution protocol (NHRP).
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_PREFIX
  Protected networks (interface and network IP addresses) of remote peers.
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_PRIVATE_IP
  Private interface names of remote peers.
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_PUBLIC_IP
  Public interface names of remote peers.
  Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_TUNNEL_SRC
  Tunnel sources (if included in the interface tunnel of remote peers).
  Configure VPNs to generate values for this variable.

IPSec Proposal: Variables related to policy IPSec proposals. For more
information, see Configuring IPsec Proposals, page 9-77, and Configuring High
Availability in Your VPN Topology, page 9-60.

SYS_VPN_CRYPTO_MAP_TYPE
  Crypto map type. Valid values are STATIC and DYNAMIC.
  Configure an IPSec proposal policy to generate values for this variable.

SYS_VPN_DYNAMIC_CRYPTO_NAME
  Dynamic crypto map name.
  Configure VPNs to generate values for this variable.

SYS_VPN_DYNAMIC_CRYPTO_NUM
  Dynamic crypto map number.
  Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NAME
  Static crypto map name.
  Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NAME_BAK
  Static crypto map name of failover hubs.
  Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NUM
  Static crypto map number.
  Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NUM_BAK
  Static crypto map number of failover hubs.
  Configure VPNs to generate values for this variable.

Preshared Keys: Variables related to preshared key/IKE policies. For more
information, see Configuring Preshared Key Policies, page 9-86.

SYS_VPN_IKE_AUTHENTICATION_MODE
  Authentication method of the IKE policy. Valid values are pre-share,
  rsa-sig, rsa-encr, and dsa-sig.
  Configure an IKE proposal policy to generate values for this variable.

SYS_VPN_IKE_PRIORITY
  Priority number of the IKE policy.
  Configure an IKE proposal policy to generate values for this variable.

SYS_VPN_NEGOTIATION_MODE
  Negotiation method. Valid values are MAIN_ADDRESS, MAIN_HOST, and
  AGGRESSIVE.
  Configure a Preshared Key policy to generate values for this variable.

GRE Modes: Variables related to GRE Modes policies. For more information, see
Configuring GRE or GRE Dynamic IP Policies, page 9-99.

SYS_VPN_BAK_TUNNEL_IFC
  Interface tunnel number. (Matches the tunnel number of remote peers of
  failover hubs, for example, tunnel0.)
  Configure VPNs to generate values for this variable.

SYS_VPN_SIGP_PROCESS_NUMBER
  Process number of the interior gateway protocol (IGP).
  Configure GRE Modes policies to generate values for this variable.

SYS_VPN_SIGP_ROUTING_PROTOCOL
  Type of secured interior gateway protocol (IGP) used. Valid values are
  STATIC, OSPF, EIGRP, RIPV2, BGP, and ODR.
  Configure GRE Modes policies to generate values for this variable.

SYS_VPN_SPOKE_TO_SPOKE_CONN
  Indicates whether DMVPN is configured for spoke-to-spoke connectivity.
  Valid values are true or false.
  Configure GRE Modes policies to generate values for this variable.

SYS_VPN_TUNNEL_IFC
  Interface tunnel number. (Matches the tunnel number of remote peers, for
  example, tunnel0.)
  Configure VPNs to generate values for this variable.

VRF: Variables related to VRF. For more information, see Configuring VRF-Aware
IPsec Settings, page 9-55.

SYS_VPN_VRF_AREA_ID
  Area ID numbers (if the OSPF process number was chosen).
  Configure VPNs to generate values for this variable.

SYS_VPN_VRF_MPLS_INTERFACE_IP
  Multiprotocol label switching (MPLS) interface IPs.
  Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_MPLS_INTERFACE_NAME
  Multiprotocol label switching (MPLS) interface names.
  Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_NAME
  VRF names.
  Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_PROCESS_NUMBER
  Interior gateway protocol (IGP) process numbers.
  Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_RD
  RD values.
  Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_ROUTING_PROTOCOL
  Interior gateway protocol (IGP) values. The IGP is used for routing the
  IPSec aggregator toward the Provider Edge (PE)/Multiprotocol Label
  Switching (MPLS) network. Valid values are STATIC, OSPF, EIGRP, RIPV2, and
  BGP.
  Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_SOLUTION
  Virtual routing and forwarding (VRF) solution. Valid values are 1BOX and
  2BOX.
  Configure VPN VRF settings to generate values for this variable.

CA: Variables related to CA policies. For more information, see Configuring
Public Key Infrastructure Policies, page 9-92.

SYS_VPN_CA_NAME
  Certificate authority (CA) names.
  Configure PKI policies to generate values for this variable.

EZVPN: Variables related to EZVPN. For more information, see Overview of
Configuring Easy VPN, page 9-112.

SYS_VPN_EZVPN_GROUP_NAME
  User group names.
  Configure User Group policies to generate values for this variable.

Dial Backup: Variables related to dial backup configurations. For more
information, see Configuring Dial Backup, page 9-39.

SYS_VPN_RTR_WATCH
  Rtr/watch number.
  Configure dial backup to generate values for this variable.
Table 19-9 Remote Access System Variables

SYS_EZVPN_RA_DYNAMIC_CRYPTO_MAP_NAME
  Dynamic crypto map name.

SYS_EZVPN_RA_DYNAMIC_CRYPTO_MAP_SEQ_NUM
  Dynamic crypto map number.

SYS_EZVPN_RA_PUBLIC_INTERFACE_PIX
  External interface names (PIX Firewall and ASA devices only).

SYS_EZVPN_RA_STATIC_CRYPTO_MAP_NAME
  Static crypto map names.

SYS_EZVPN_RA_STATIC_CRYPTO_MAP_SEQ_NUM
  Static crypto map numbers.

SYS_IOS_RA_CA_NAME
  Certificate authority (CA) names (Cisco IOS routers only).

SYS_IOS_RA_PUBLIC_INTERFACE
  External interface names (Cisco IOS routers only).

SYS_IOS_RA_USER_GROUP
  User group names (Cisco IOS routers only).

SYS_IOS_RA_VRF_NAME
  Virtual routing and forwarding (VRF) names (Cisco IOS routers only).

Understanding FlexConfig Policies

You can assign FlexConfig policies to devices using either Policy view or Device
view. Then, you can deploy configurations containing these policies as you would
deploy any configuration generated by Security Manager. For more information
about working with policies in general, see Chapter 6, Managing Policies. For
a scenario that takes you through setting up a FlexConfig policy object and
creating a shared FlexConfig policy, see A FlexConfig Creation Scenario,
page 19-36.

A FlexConfig Creation Scenario


This scenario takes you through the steps to set up Media Gateway Control
Protocol (MGCP) for a PIX Firewall using one of the predefined FlexConfig
policy objects that are shipped with Security Manager. MGCP is used by the call
agent application to control media gateways (devices that convert telephone
circuit audio to data packets). Security Manager does not support MGCP
configuration, but a FlexConfig policy object can be used to provide a
configuration. This illustrates how the FlexConfig feature enables you to
customize, for your network, what is not natively supported in Security Manager.
In this scenario, you do the following:

1. Create a policy object by duplicating an existing policy object
2. Assign the policy object to a device
3. Preview the configuration to verify that it is correct
4. Share the policy object with another device
5. Deploy the configuration to the devices

You can use this scenario as an example to implement other features by creating
copies of and modifying predefined FlexConfig policy objects or by creating your
own FlexConfig policy objects.
Before You Begin

Add two PIX Firewalls to Security Manager for this scenario.

Procedure

Step 1

Duplicate the FlexConfig policy object by doing the following:

a. Select Tools > Policy Object Manager. The Policy Object Manager window appears. For more information, see Policy Object Manager Window, page F-3.

b. Select FlexConfigs from the Policy Object Type selector. The FlexConfig Objects page appears. For more information, see FlexConfigs Objects Page, page P-10.

c. Right-click ASA_MGCP FlexConfig and select Create Duplicate. The Add FlexConfig dialog box appears. For more information, see FlexConfig Editor Dialog Box, page P-11.

d. Enter a new name for the new FlexConfig object, for this example MyASA_MGCP.

e. Enter a new group name and a description.

Tip

The group name and description are optional. We recommend you establish descriptions and groups for objects you create.

f. Click OK. The new FlexConfig object appears in the list of FlexConfigs.

Step 2

Duplicate and edit the $callAgentList text object by doing the following:


The original ASA_MGCP FlexConfig object uses Policy Object Variable $callAgentList, a text object. The text object is read-only and cannot be edited. Duplicating the text object enables you to edit the duplicate object to apply to your network settings.

a. From the Policy Object Manager, select Text Objects from the Objects list. The Text Objects window appears.

b. Right-click callAgentList and select Create Duplicate. The Add Text Object dialog box appears.

c. Edit the name of the text object. For this example, change it to mycallAgentList.

d. Double-click the first value in column A, then enter the IP address for a call agent in your network. For this example, change the value to 10.10.10.10.

e. Double-click the first value in column B, then enter the port number for a call agent in your network. For this example, change the value to 105.

f. Repeat Steps d and e to change the values for another call agent. For this example, change the IP address to 20.20.20.20 and the port number to 106. Or, if you have only one call agent in your network, you could remove the second row in the table by decreasing the number in the Number of Rows field. Similarly, if you have more than two call agents, you can add rows by increasing the number in this field. The same applies to columns, which you add or remove by increasing or decreasing the Number of Columns field.

g. Click OK. The new text object appears in the list of text objects.

Step 3

Edit the new FlexConfig policy object to use the new variable by doing the following:

a. From the Policy Object Manager, select FlexConfigs from the Objects list. The FlexConfigs page appears.

b. Double-click MyASA_MGCP. The Edit FlexConfig dialog box appears.

c. Edit $callAgentList to read $mycallAgentList.

d. Click OK. A warning appears that reads: The following variables are undefined: mycallAgentList Define them now?

e. Click Yes to the warning.


The FlexConfig Undefined Variables dialog box appears with mycallAgentList listed in the Variable Name column.

f. From the Object Type list, select Text Objects. The Text Objects window appears.

g. Select mycallAgentList from the Available Text Objects list and click OK.

h. In the FlexConfig Undefined Variables window, click OK. The mycallAgentList variable appears in the Variables list of the Edit FlexConfig dialog box.

i. In the Edit FlexConfig dialog box, click OK.

j. Close the Policy Object Manager window.

Step 4

Assign the new FlexConfig policy to a device by doing the following:

a. From the Device view, select the device for which you want to set up MGCP.

b. Select FlexConfigs from the Policy selector. The FlexConfigs Policy page appears.

c. Click the Add button. The FlexConfigs Selector dialog box appears.

d. Select the new MyASA_MGCP FlexConfig policy object and click >> to add the policy object to the Selected FlexConfigs column.

Note

You can select multiple policy objects at one time by holding either the Control (for multiple selections) or Shift (for multiple continuous selections) keys while selecting.

e. Click OK. The MyASA_MGCP policy object is added to the Appended FlexConfigs table, because it is set to be appended to the configuration. You configure FlexConfig policy objects that you want added to the beginning of the configuration as prepended policy objects.

f. Click Save.

Step 5

Preview the commands before they are generated and sent to the device by doing the following:

a. From the FlexConfigs Policy page, select the MGCP_Configuration policy object.


b. Click Preview. The commands that are generated with this FlexConfig policy object and the values assigned to the selected device appear. Note the changed values:

class-map sj_mgcp_class
match access-list mgcp_list
exit
mgcp-map inbound_mgcp
call-agent 10.10.10.10 105
call-agent 20.20.20.20 106
gateway 10.10.10.115 101
gateway 10.10.10.116 102
command-queue 150
exit
policy-map inbound_policy
class sj_mgcp_class
inspect mgcp inbound_mgcp
exit
exit
service-policy inbound_policy interface outside

Step 6

If you have additional PIX Firewall devices that require MGCP, you can share this policy with them by doing the following:

a. In Device view, right-click FlexConfigs in the Policy selector, then select Share Policy. The Share Policy dialog box appears.

b. Enter a name in the Policy Name field and click OK. For this example, enter My Shared Policies.

c. On the main toolbar, click the Policy View button.

d. From the Policy Types selector, select FlexConfigs. Note that the policy type (FlexConfigs) and policy name (My Shared Policies) appear at the top of the page.

e. Click the Assignments tab.

f. From the Devices selector, navigate to the desired device. For this example, navigate to the other PIX Firewall.

g. Select the device and click >>.


h. Click Save.

Step 7

Deploy the configurations to the devices. For information about deploying configurations, see Working with Deployment, page 18-35.
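The preview in Step 5 is the result of substituting the mycallAgentList text object into the FlexConfig body, and the warning in Step 3 is Security Manager refusing to save a body that references a variable with no definition. The following Python program is an added illustration of both, not Security Manager's own template engine: its loop syntax (#foreach(row in $name) ... #end, with $row.A and $row.B standing for the text object's columns) is an assumption made for this example and is not the product's real syntax. The template body and the two call-agent rows are constructed from the values used in this scenario.

```python
"""Added example (not Security Manager code): how a FlexConfig body with a
multi-column text object variable expands into the CLI the scenario previews,
and how a reference to an undefined variable is caught before rendering.

Assumed (not from the guide): the '#foreach(row in $name) ... #end' loop and
the $row.A / $row.B column references are invented here to model a text
object with rows and columns.
"""
import re
from dataclasses import dataclass


@dataclass
class TextObject:
    """A text object as in the scenario: a table of rows, each a list of column values."""
    name: str
    rows: list


class UndefinedVariableError(LookupError):
    """Mirrors the 'The following variables are undefined' warning in Step 3d."""


VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
LOOP_RE = re.compile(r"#foreach\(row in \$(\w+)\)\n(.*?)#end\n", re.S)

# Constructed FlexConfig body modelled on the scenario's MyASA_MGCP object; the
# call-agent lines are produced from the $mycallAgentList text object.
TEMPLATE = """class-map sj_mgcp_class
match access-list mgcp_list
exit
mgcp-map inbound_mgcp
#foreach(row in $mycallAgentList)
call-agent $row.A $row.B
#end
gateway 10.10.10.115 101
gateway 10.10.10.116 102
command-queue 150
exit
policy-map inbound_policy
class sj_mgcp_class
inspect mgcp inbound_mgcp
exit
exit
service-policy inbound_policy interface outside
"""

# Constructed duplicate of the read-only callAgentList object (Step 2): column A
# is the call agent address, column B its port.
MY_CALL_AGENT_LIST = TextObject("mycallAgentList",
                                [["10.10.10.10", 105], ["20.20.20.20", 106]])


def undefined_variables(template, variables):
    """Names referenced as $name in the template that have no definition."""
    used = {m.group(1) for m in VAR_RE.finditer(template)} - {"row"}
    return sorted(used - set(variables))


def render(template, variables):
    """Expand the template. Refuses to render while any variable is undefined,
    which is the check made when you click OK in the FlexConfig editor."""
    missing = undefined_variables(template, variables)
    if missing:
        raise UndefinedVariableError(
            "The following variables are undefined: " + ", ".join(missing))

    def expand_loop(match):
        obj, body = variables[match.group(1)], match.group(2)
        lines = []
        for row in obj.rows:                     # one copy of the body per row
            line = body
            for idx, value in enumerate(row):    # columns A, B, C, ... by position
                line = line.replace("$row." + chr(ord("A") + idx), str(value))
            lines.append(line)
        return "".join(lines)

    text = LOOP_RE.sub(expand_loop, template)
    # Any remaining $name is a single-value text object: use its first cell.
    return VAR_RE.sub(lambda m: str(variables[m.group(1)].rows[0][0]), text)


def preview_scenario():
    """The CLI the scenario's Preview shows for MyASA_MGCP, as a list of lines."""
    return render(TEMPLATE, {"mycallAgentList": MY_CALL_AGENT_LIST}).splitlines()


if __name__ == "__main__":
    print("\n".join(preview_scenario()))
```

Changing the number of rows in the text object (Step 2f) changes only the number of call-agent lines; the rest of the body is untouched, which is what makes the duplicate-and-edit pattern safe to reuse across devices.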

Configuring FlexConfig Policy Objects


You work with FlexConfig policy objects in much the same manner as other
objects in Security Manager. For general information on handling objects, see
Guidelines for Managing Objects, page 8-4.
Due to their complexity and interdependency, FlexConfig policy objects are
described with FlexConfig policies. For more information, see Understanding
FlexConfig Policy Objects, page 19-2. For more information about working with
policies in general, see Chapter 6, Managing Policies.
To better understand the steps involved with working with FlexConfig policy
objects, from creation through to deployment, see A FlexConfig Creation
Scenario, page 19-36.
The following topics describe how to work with FlexConfig policy objects:

Creating FlexConfig Policy Objects, page 19-42

Duplicating FlexConfig Policy Objects, page 19-43

Editing FlexConfig Policy Objects, page 19-45

Viewing FlexConfig Policy Objects, page 19-47

Generating Usage Reports for FlexConfig Policy Objects, page 19-47

Deleting FlexConfig Policy Objects, page 19-49

Adding FlexConfig Policy Objects to a Device, page 19-50

Removing FlexConfig Policy Objects from a Device, page 19-51

Reordering FlexConfig Policy Objects, page 19-52

Previewing FlexConfig Policy Objects, page 19-52

Deleting FlexConfig Object Variables, page 19-53


Creating FlexConfig Policy Objects


You can create FlexConfig policy objects to configure features on devices that are
not supported by Security Manager. For more information about FlexConfigs, see
Chapter 19, Managing FlexConfigs.

Tip

You can also create FlexConfig policy objects when defining policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
This procedure describes how to create FlexConfig policy objects.
Before You Begin

Ensure that your commands do not conflict in any way with the VPN or firewall
configuration on the devices.

Note

Do not use beginning and ending commands to configure interfaces.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears. For more information, see Policy Object Manager Window, page F-3.

Step 2

Select FlexConfigs from the Policy Object Type selector. The Policy Object
Manager window appears.

Step 3

Right-click inside the work area, then click New Object. The Add FlexConfig Object dialog box appears. See Table P-6 on page P-15 for a description of the fields in this dialog box.

Step 4

Enter a name for the new FlexConfig object.

Step 5

Enter a description for the new FlexConfig object.

Step 6

(Optional) Assign the new FlexConfig object to a category by selecting an existing group name or by entering a new group name.

Step 7

In the Type field, select whether commands in the object are to be prepended (put
at the beginning) or appended (put at the end) of configurations.


Step 8

(Optional) If this FlexConfig object is designed to negate another, enter in the Negate for field the name of the FlexConfig object whose commands are undone by the new FlexConfig object.

Step 9

In the object body area, enter the commands and instructions to produce the desired configuration file output. You can right-click in the object body field to use the following:

a. Create Text Object: Allows you to create a variable definition for the FlexConfig object you are creating. For a description of the dialog box that appears, see Create Text Object Dialog Box, page P-15.

b. Insert Policy Object: Allows you to choose a policy object type, then select from a list of previously created policy objects.

c. Insert System Variable: Allows you to choose a system variable type (Firewall, Remote Access VPN, Router, VPN), then select from a list of predefined variables.

Step 10

(Optional) Click Validate FlexConfig to check the integrity and deployability of the new FlexConfig object.

Step 11

Click OK to save the new FlexConfig object.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.

Related Topics

FlexConfig Editor Dialog Box, page P-11

Understanding the Policy Object Manager Window, page 8-5

Duplicating FlexConfig Policy Objects


You can create policy objects by duplicating an existing object. The new object
contains all attributes of the copied object and a default name. You can then
modify the name and all attributes as required.


Duplicating is particularly useful for creating objects that are based on predefined
objects that cannot be edited.
This procedure describes how to duplicate a FlexConfig object.
Before You Begin

Ensure that your commands do not conflict in any way with the VPN or firewall
configuration on the devices.

Note

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices.

Note

If there is more than one set of commands for an interface, only the last
set of commands is deployed. Therefore, we recommend you not use
beginning and ending commands to configure interfaces.

Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears. For more information, see Policy Object Manager Window, page F-3.

Step 2

Select FlexConfigs from the Policy Object Type selector. The Policy Object
Manager dialog box appears.

Step 3

In the work area, right-click the object you want to duplicate, then select Create
Duplicate.
The FlexConfig Editor dialog box appears. For a description of the fields in this
dialog box, see FlexConfig Editor Dialog Box, page P-11.

Step 4

Click OK to save your changes.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.


Related Topics

FlexConfig Editor Dialog Box, page P-11

Understanding FlexConfig Policy Objects, page 19-2

Editing FlexConfig Policy Objects


You can edit any user-defined FlexConfig object as required. Changes that you
make to the object are reflected in all policies that use the object.

Tip

You can also edit FlexConfig policy objects when you define policies or objects
that use this object type. For more information, see Selecting Objects for Policies,
page 8-203.
This procedure describes how to edit a FlexConfig object.
Before You Begin

Generate a usage report to determine if the object is being used and which
policies, objects, and devices would be affected by the changes. See
Generating Usage Reports for FlexConfig Policy Objects, page 19-47.

Ensure that your commands do not conflict in any way with the VPN or
firewall configuration on the devices.

Note

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices.

When editing FlexConfigs involving route-maps (for example, OSPF route-maps, multicast route-maps, and others), the corresponding access control lists (ACLs) must be defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, a deployment error results.


Procedure

Note

The predefined FlexConfig policy objects that are shipped with Security Manager cannot be edited. You can duplicate and rename predefined FlexConfig policy objects and then edit the duplicate. For more information, see Duplicating FlexConfig Policy Objects, page 19-43.

Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears. For more information, see Policy Object Manager Window, page F-3.

Step 2

Select FlexConfigs from the Objects selector. The Policy Object Manager dialog
box appears.

Step 3

In the work area, right-click the object you want to edit, then select Edit Object.
The FlexConfig Editor dialog box appears. For a description of the fields in this
dialog box, see FlexConfig Editor Dialog Box, page P-11.

Tip

You can navigate to the FlexConfig Editor dialog box from a device that
contains the FlexConfig object you want to edit. Do this by selecting the
device in device view, clicking FlexConfigs, selecting a FlexConfig
object in the work area, and then clicking Edit.

Step 4

Edit the parameters and body of the FlexConfig policy object, as required for your
purpose.

Step 5

Click OK to save your changes.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.

Related Topics

FlexConfig Editor Dialog Box, page P-11

Understanding FlexConfig Policy Objects, page 19-2


Viewing FlexConfig Policy Objects


You can view detailed object information in read-only mode, even when the object
is locked by another activity. This is useful when you need to view complete
configuration details for complex objects whose definitions cannot be fully
displayed in the Policy Object Manager window, or when your user privileges
allow you only to view object information.

Note

You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a
selected object in read-only mode.
Procedure

Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears. For more information, see Policy Object Manager Window, page F-3.

Step 2

Select FlexConfigs from the Objects selector. The Policy Object Manager dialog
box appears.

Step 3

In the work area, right-click the object that you want to view configuration details
for, then select View Object.
The FlexConfig Editor dialog box appears in read-only mode. For a description of
the fields in this dialog box, see FlexConfig Editor Dialog Box, page P-11.

Related Topics

FlexConfig Editor Dialog Box, page P-11

Understanding FlexConfig Policy Objects, page 19-2

Generating Usage Reports for FlexConfig Policy Objects


Before you make any changes, you should determine whether the FlexConfig object is referenced and which policies and devices would be affected by any changes. You can do this by generating a usage report that shows which policies, objects, and devices are using the selected object. Usage reports contain any references to the selected object in your current activity as well as references found in the data committed to the Security Manager database.
This procedure describes how to generate a usage report.
Procedure
Step 1

Select Tools > Policy Object Manager. The Policy Object Manager window
appears. For more information, see Policy Object Manager Window, page F-3.

Step 2

Select FlexConfigs from the Objects selector. The Policy Object Manager dialog
box appears.

Step 3

In the work area, right-click the object for which you want to generate a report,
then select Find Usage.
The usage report appears, displaying all references to the object.

Tip

Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.

Step 4

(Optional) Filter the information displayed in the usage reports by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the report.

Related Topics

Object Usage Window, page F-563

Understanding FlexConfig Policy Objects, page 19-2


Deleting FlexConfig Policy Objects


You can delete only the FlexConfig policy objects that you or others define; you
cannot delete the predefined FlexConfig policy objects that are shipped with
Security Manager. In addition, you can delete objects only when they are not
being referenced by policies or other objects, and when you have the correct
permissions.

Note

You might be prevented from deleting an unreferenced object from the database,
for example, if you replace a local policy that used the object with a shared policy
that does not. If object deletion fails, submit or discard all pending changes (in
Workflow mode, submit or discard all pending activities), then try again to delete
the objects. Or, you can leave unreferenced objects in the database, because they
will not affect Security Manager operation.
This procedure describes how to delete FlexConfig policy objects.
Before You Begin

Generate a usage report to determine whether the object is referenced and


which policies, objects, or devices would be affected by the deletion. See
Generating Usage Reports for FlexConfig Policy Objects, page 19-47.

You need to remove all references to the object before you can delete it.

Procedure
Step 1

Select Tools > Policy Object Manager.

Step 2

Select FlexConfigs from the Objects selector. The Policy Object Manager dialog
box appears.

Step 3

In the work area, right-click the user-defined object, then select Delete Object.

Note

You can select multiple objects by pressing Ctrl and clicking the desired objects.

Step 4

When prompted, click Yes to confirm the deletion.


Step 5

To verify that the object was deleted, select Tools > Audit Report and view the
generated report.

Related Topics

Understanding FlexConfig Policy Objects, page 19-2

Generating the Audit Report, page 20-9
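The usage report described under Generating Usage Reports for FlexConfig Policy Objects and the deletion rules above (only user-defined objects that nothing references can be deleted) can be modelled with a small reference index. The following Python program is an added example, not Security Manager code: its inventory of devices, policies and objects is constructed for the example, reusing the names from the scenario earlier in this chapter (MyASA_MGCP, mycallAgentList, My Shared Policies) together with invented device names and an invented leftover object pair.

```python
"""Added example (not Security Manager code): a Find Usage report and a delete
guard for FlexConfig policy objects. Every name below is constructed for the
example; the inventory stands in for the data Security Manager would hold.
"""

# Predefined objects ship with Security Manager and cannot be deleted.
PREDEFINED = {"ASA_MGCP", "callAgentList"}
# FlexConfig object -> text objects (variables) its body references.
OBJECT_REFS = {"ASA_MGCP": ["callAgentList"],
               "MyASA_MGCP": ["mycallAgentList"],
               "MyASA_MGCP_old": ["mycallAgentList_old"]}
# FlexConfig policy -> FlexConfig objects it contains.
POLICY_REFS = {"My Shared Policies": ["MyASA_MGCP"],
               "Local FlexConfig": ["MyASA_MGCP"]}
# Device -> FlexConfig policies assigned to it.
DEVICE_REFS = {"pix-a": ["My Shared Policies"],
               "pix-b": ["My Shared Policies"],
               "pix-c": ["Local FlexConfig"]}

CATEGORIES = ("Devices", "Policies", "Other Objects")


def find_usage(name, include=CATEGORIES):
    """Return {category: sorted referrers} for `name`, following references
    through objects and policies down to devices, as the usage report does.
    Leaving a category out of `include` is the report's check-box filter."""
    objects = {o for o, refs in OBJECT_REFS.items() if name in refs}
    policies = {p for p, refs in POLICY_REFS.items()
                if name in refs or objects & set(refs)}
    devices = {d for d, refs in DEVICE_REFS.items() if policies & set(refs)}
    report = {"Devices": sorted(devices),
              "Policies": sorted(policies),
              "Other Objects": sorted(objects)}
    return {cat: report[cat] for cat in CATEGORIES if cat in include}


def can_delete(name):
    """(ok, reason): predefined objects and referenced objects cannot be deleted,
    so the report is consulted before the deletion is allowed."""
    if name in PREDEFINED:
        return False, f"{name} is a predefined object shipped with Security Manager"
    referrers = [f"{cat}: {', '.join(v)}" for cat, v in find_usage(name).items() if v]
    if referrers:
        return False, f"{name} is still referenced by " + "; ".join(referrers)
    return True, f"{name} is unreferenced and can be deleted"


if __name__ == "__main__":
    for obj in ("mycallAgentList", "mycallAgentList_old", "MyASA_MGCP_old", "ASA_MGCP"):
        print(obj, find_usage(obj), can_delete(obj))
```

With this inventory the leftover variable mycallAgentList_old cannot be deleted until the object MyASA_MGCP_old that references it is deleted first, which is the order the Before You Begin list requires.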

Adding FlexConfig Policy Objects to a Device


This procedure describes how to add existing FlexConfig policy objects to a
device and assumes that you are doing so from the Device view.
Before You Begin

Ensure that your commands do not conflict in any way with the VPN or
firewall configuration on the devices.

Note

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices.

When creating FlexConfig policy objects involving route-maps (for example, OSPF route-maps, multicast route-maps, and others), the corresponding access control lists (ACLs) must be defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, a deployment error results.

Procedure
Step 1

Select the desired device and click FlexConfig. The FlexConfigs page appears.

Step 2

Click Add.
The FlexConfigs Selector dialog box appears. For details, see FlexConfigs
Selector Dialog Box, page P-6.


Note

To add a new FlexConfig policy object, click Add. For details, see FlexConfig Editor Dialog Box, page P-11.

Step 3

Select one or more of the available FlexConfigs and click >>. For descriptions of predefined FlexConfig policy objects, see Table 19-4. The FlexConfigs appear in the Selected FlexConfigs column.

Step 4

Click OK.
The FlexConfigs policy page appears with the FlexConfigs in the prepended or
appended field depending on the type defined for each FlexConfig.

Removing FlexConfig Policy Objects from a Device


You might want to remove a FlexConfig policy object from a device if it is no
longer used. This procedure describes how to remove FlexConfig policy objects
and assumes that you are doing so from the Device view.
For information on deleting a FlexConfig policy object from Security Manager, see Deleting FlexConfig Policy Objects, page 19-49.
Procedure
Step 1

Select the desired device and click FlexConfig. The FlexConfigs page appears.

Step 2

Select the FlexConfig policy object you want to remove.

Step 3

Click Remove.

Step 4

Click Yes.
The FlexConfigs policy page appears with the selected FlexConfigs policy objects
removed from the prepended or appended fields.


Reordering FlexConfig Policy Objects


The order of FlexConfig policy objects within the FlexConfig policy affects the
way CLI commands are deployed to devices. First prepended FlexConfig policy
objects are deployed, then all other policy objects, and finally appended
FlexConfig policy objects. In addition, the FlexConfig policy objects in the
prepended and appended fields are deployed sequentially.
The order of CLI commands can affect the results that are deployed and
implemented. Therefore, make sure to order the FlexConfig policy objects based
on dependencies. That is, the one that is used by most FlexConfig policy objects
should be put on the top of the list.
This procedure describes how to reorder FlexConfig policy objects and assumes
that you are doing so from Device view.
Before You Begin

When reordering FlexConfigs involving route-maps (for example, OSPF route-maps, multicast route-maps, and others), the corresponding access control lists (ACLs) must be defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, a deployment error results.

Procedure
Step 1

Select the desired device and click FlexConfig. The FlexConfigs page appears.

Step 2

Select the FlexConfig policy object you want to move.

Step 3

Click the up arrow or down arrow to move the FlexConfig policy object
accordingly.

Step 4

Click Save.
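As an added example (not Security Manager code), the following Python program assembles CLI in the order described above, prepended objects first, then the commands of all other policies, then appended objects, and walks the result to flag a route-map that matches an ACL not yet defined at that point, which is the ordering error the Before You Begin note says produces a deployment error. The object names, the banner and hostname lines standing in for other policies, and the ACL and route-map bodies are constructed for the example; the check recognises IOS-style access-list definitions and match ip address statements.

```python
"""Added example (not Security Manager code): deployment order of FlexConfig
policy objects and a pre-deployment check for the ACL-before-route-map rule.

Constructed for this example: the object names and bodies, the banner line,
and the hostname line that stands in for 'all other policies'.
"""
import re
from dataclasses import dataclass


@dataclass
class FlexConfigObject:
    name: str
    kind: str       # "prepended" or "appended": the object's Type field
    commands: str   # CLI body of the object


def assemble(prepended, other_policy_cli, appended):
    """Order CLI as the guide describes: prepended objects in list order, then
    commands from all other policies, then appended objects in list order."""
    placements = [(o, "prepended") for o in prepended] + [(o, "appended") for o in appended]
    for obj, expected in placements:
        if obj.kind != expected:    # an appended object cannot sit in the prepended table
            raise ValueError(f"{obj.name} is a {obj.kind} object but was placed in the {expected} list")
    parts = [o.commands for o in prepended] + [other_policy_cli] + [o.commands for o in appended]
    return "\n".join(p.strip("\n") for p in parts) + "\n"


# IOS forms: 'access-list 101 ...', 'ip access-list standard|extended NAME'.
ACL_DEF_RE = re.compile(r"(?:ip )?access-list (?:(?:standard|extended) )?(\S+)")
ROUTE_MAP_RE = re.compile(r"route-map (\S+)")
MATCH_ACL_RE = re.compile(r"match ip address (\S+)")


def route_map_acl_problems(cli):
    """Walk the CLI in deployment order and report every route-map
    'match ip address' that names an ACL not yet defined at that point."""
    defined, current_map, problems = set(), None, []
    for lineno, raw in enumerate(cli.splitlines(), 1):
        line = raw.strip()
        if m := ACL_DEF_RE.match(line):
            defined.add(m.group(1))
        elif m := ROUTE_MAP_RE.match(line):
            current_map = m.group(1)
        elif (m := MATCH_ACL_RE.match(line)) and current_map:
            if m.group(1) not in defined:
                problems.append(f"line {lineno}: route-map {current_map} matches ACL "
                                f"{m.group(1)} before it is defined")
    return problems


# Constructed objects for the check.
BANNER = FlexConfigObject("LOGIN_BANNER", "prepended", "banner motd ^Authorized use only^\n")
OSPF_ACL = FlexConfigObject("OSPF_FILTER_ACL", "appended",
                            "ip access-list standard OSPF_FILTER\n permit 10.1.0.0 0.0.255.255\n")
OSPF_MAP = FlexConfigObject("OSPF_ROUTE_MAP", "appended",
                            "route-map OSPF_REDIST permit 10\n match ip address OSPF_FILTER\n")
OTHER_POLICY_CLI = "hostname edge-router\n"   # stands in for the device's other policies


def check_order(appended):
    """Assemble with the given appended order and return the list of problems."""
    return route_map_acl_problems(assemble([BANNER], OTHER_POLICY_CLI, appended))


if __name__ == "__main__":
    print("route-map before ACL:", check_order([OSPF_MAP, OSPF_ACL]))
    print("ACL before route-map:", check_order([OSPF_ACL, OSPF_MAP]))
```

Because prepended objects deploy before everything else, moving the ACL object to the prepended table also satisfies the rule; the check reports the same empty result for that arrangement.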

Previewing FlexConfig Policy Objects


You can display the CLI commands to be generated by a FlexConfig policy. This
is especially useful for checking that the CLI commands generated are what you
intend to implement on the device.

Note

During deployment, when the FlexConfig policy objects are compiled on the
Security Manager server, the correct system variable values and settings are used
to generate commands. However, because the Preview function does not have
access to these values the way it normally would during deployment, it might not
display some CLI commands. In addition, because the Preview function generates
CLI commands on the client, some macros used in FlexConfig policy objects
reflect client settings instead of server settings.
This procedure describes how to preview FlexConfig policy objects and assumes
that you are doing so from the Device view.
Procedure

Step 1

Select the desired device and click FlexConfig. The FlexConfigs page appears.

Step 2

Select the FlexConfig policy object you want to preview.

Step 3

Click Preview. The CLI generated from the selected FlexConfig policy object is
displayed.

Step 4

Click Close when you are done viewing the CLI command.

Deleting FlexConfig Object Variables


If you no longer need a FlexConfig object variable, you can remove it from
Security Manager.
This procedure shows you how to delete a FlexConfig object variable.
Before You Begin

Determine whether the object is being used and which policies, objects, and
devices would be affected by the changes. You can generate a usage report for
this purpose. See Generating Usage Reports for FlexConfig Policy Objects,
page 19-47.


Procedure

Step 1

Delete the object variable.

a. Select Tools > Policy Object Manager. The Policy Object Manager window appears. For more information, see Policy Object Manager Window, page F-3.

b. Select FlexConfigs from the Objects selector. The Policy Object Manager dialog box appears.

c. In the work area, right-click the object that contains the variable you want to delete, then select Edit Object. The FlexConfig Editor dialog box appears. For a description of the fields in this dialog box, see FlexConfig Editor Dialog Box, page P-11.

d. In the object body, highlight the variable and press the Delete key.

e. Click OK to save your changes.

Note

By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-91.

Step 2

Validate the FlexConfig object.

a. From Device view, select the device and click FlexConfigs from the Policy selector.

b. Select the FlexConfig object from which you removed the variable.

c. Click Values. The Values Assignment dialog box appears.

d. Click Validate.

e. Click OK.


Chapter 20

Using Tools

The Tools menu provides access to these device and network management features:

Device Properties: Provides general information about the device, credentials, the group the device is assigned to, and policy overrides. For more information, see Understanding Device Properties, page 5-51.

Policy Object Manager: Allows you to view all available objects grouped according to object type, access all object dialog boxes to create, copy, edit, and delete objects, and generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies. For information, see Policy Object Manager User Interface Reference, page F-1.

Site-To-Site VPN Manager: Enables you to configure site-to-site VPNs. For information, see Site-to-Site VPN Manager Window, page G-2.

Deployment Manager: Enables you to deploy configurations and manage deployment jobs. For information, see Appendix O, Deployment User Interface Reference.

Activity Manager: Allows you to create and manage activities. For information, see Activity Manager Window, page E-1.

Policy Discovery Status: Allows you to see the status of policy discovery and device import on the Policy Discovery Status page. For more information, see Understanding Policy Discovery Status, page 20-3.

Show Containment: Displays information about composite devices. For information, see Understanding Show Containment, page 20-5.


Inventory Status: Allows you to view and export device summary information for all devices. For information, see Understanding Inventory Status, page 20-6.

Catalyst Summary Information: Embedded in Security Manager, enables you to set up, configure, and monitor devices in the Cisco Catalyst 6500 and 7600 families. For information, see Chapter 16, Managing Catalyst Devices.

Device Manager: Allows you to start device managers for all supported devices, such as PIX security appliances, Firewall Services Modules (FWSM), IPS sensors, IOS routers, and Adaptive Security Appliance (ASA) devices. Device managers provide several monitoring and diagnostic features that enable you to get information regarding the services running on the device and a snapshot of the overall health of the system. For more information, see Device Managers, page 21-2.

IPS Event Viewer: Offers a monitoring solution for small-scale IPS deployments. Monitoring individual IPS devices, IEV is easy to set up and lets you view and manage alerts for up to five sensors. For information, see IPS Event Viewer, page 21-31.

Apply IPS Update: The Apply IPS Updates wizard allows you to manually apply image and signature updates to compatible IPS devices. For information, see Apply IPS Update, page Q-18.

Preview Configuration: Displays the proposed changes, last deployed configuration, or current running configuration for specific devices. For information, see Preview Config Dialog Box, page O-8.

Device OS Management: Provides access to Resource Manager Essentials (RME) Software Image Manager (SWIM) and Inventory Reporting, according to access settings in the Security Manager administration pages. For more details, see Working With Device OS Management, page 20-6.

Audit Report: Allows you to generate audit report data according to parameters set in the audit report page. For information, see Understanding Audit Reports, page 20-7.

Change Reports (Activity Report): Allows you to generate a table of changes to devices, shared policies, and building blocks within a given activity (Workflow mode) or configuration session (non-Workflow mode). For information, see Understanding Audit Reports, page 20-7.


- Configuration Archive: Stores archived device configuration versions and allows you to view, compare, and roll back from one configuration to another. For information, see Using the Configuration Archive Tool, page 20-11.

- Backup: Allows backing up of the Security Manager database using Common Services. For information, see Backup and Restore, page 20-25.

- Security Manager Diagnostics: Describes how to gather troubleshooting information and contact the Technical Assistance Center (TAC). For information, see Security Manager Diagnostics, page 20-26.

- Security Manager Administration: Details administrative settings, recommends which settings to define first, and explains user permissions and access modalities. For information, see Performing Administrative Tasks, page 2-1.

Understanding Policy Discovery Status


When you initiate policy discovery, a task is created. For each initiation, only one task is created regardless of the number of devices in the discovery.
You can see the status of policy discovery and device import on the Policy Discovery Status page. The Policy Discovery Status page contains three panes:

- Tasks pane: Provides status information for the overall task.

- Discovery Details or Import Details pane: Depending on the type of task, this pane is called either Discovery Details or Import Details. For each task you select in the Tasks pane, you will see corresponding information in the Discovery Details or Import Details pane.
  - The Discovery Details pane displays details about the policy discovery, such as the list of devices in the selected task, the status of the discovery (completed or failed), and the discovery method used (discovered from live device or discovered from file).
  - The Import Details pane displays details about the device import, such as the list of devices involved in the selected task, the task type for each device (import only or import and discover), and the status of device import (device added or device add failed).


- Messages pane: Contains three elements: Message Summary, Description, and Action. Displays messages about the selected device, the severity of the problem (error or warning), detailed descriptions for each message, and the steps you can take to resolve the problem.

Related Topics

Policy Discovery Status Page, page Q-2

Viewing Policy Discovery Status Information, page 20-4

Viewing Policy Discovery Status Information


This procedure describes how to view the status of the policy discovery.
Procedure
Step 1

Select Tools > Policy Discovery Status. The Policy Discovery Status page
appears. The Tasks pane displays the status of the overall task.

Step 2

Select a task from the Tasks pane. Corresponding information about that task is
displayed in the Discovery Details pane or Import Details pane, whichever
applies.

Step 3

Select a device from the Discovery Details pane or Import Details pane.
Corresponding information about that device is displayed in the Messages text
box.

Step 4

Click a message row. Detailed information about that message is displayed in the
Description text box.

Step 5

Look at the Action field for steps to resolve the problem.


For information about the elements in the Policy Discovery Status page, see
Policy Discovery Status Page, page Q-2.

Related Topics

Understanding Show Containment, page 20-5

Policy Discovery Status Page, page Q-2


Understanding Show Containment


The Show Containment option displays information about composite devices. If you select this option, the containment of a device, that is, the service modules and security contexts supported on the selected device, is displayed:

Note

This option is available for Catalyst 6500/7600, FWSM, PIX Firewall 7.0, and ASA devices.

- For Catalyst 6500/7600 devices, displays the IDSM and FWSM service modules, and the security contexts supported by the FWSM.
- For FWSMs, displays security contexts supported by the FWSM.
- For PIX Firewalls, displays security contexts supported by the PIX Firewall.
- For ASA devices, displays security contexts supported by the ASA device.

For information about security contexts, see Configuring Security Contexts on Firewall Devices, page 15-105.
This procedure describes how to view the containment of a device.
Procedure
Step 1

Select a Catalyst 6500/7600, PIX Firewall 7.0, FWSM, or ASA device from the
Device selector.

Step 2

Select Tools > Show Containment.


The Composite View opens and displays containment information on the selected
device.

Related Topics

Configuring Security Contexts on Firewall Devices, page 15-105


Understanding Inventory Status


Security Manager provides a summary of device properties for all devices that you are authorized to manage. The summary includes device contact information and all device configurations, indicating which settings are local, which use a shared policy, and any policy object overrides in effect.
The report is in table format, allowing you to organize information by filtering,
sorting, and reordering and removing columns. You can also export the table
contents to a CSV file in the Security Manager server file system.
This procedure will help you view and customize device summary information:
Procedure
Step 1

Select Tools > Inventory Status. The Inventory Status appears. For more
information on the fields in this page, see Table Q-4 on page Q-6.

Step 2

To view a subset of the devices listed, select a filter from the Filter list, or you can
create a filter. For more information, see Filtering Tables, page 3-24.

Step 3

Use the scroll buttons to highlight the device for which you wish to view data.

Step 4

To generate a CSV file on the Security Manager server:

a. Click Export. The Export Inventory Status dialog box appears.

b. Select a directory for the CSV file in the left pane of the Export Inventory Status window.

c. Enter a name for your file in the File name field.

d. Click OK. The CSV file will be generated and ready to retrieve on the server.

Working With Device OS Management


Security Manager integrates several key features from Resource Manager Essentials (RME). You can use software management to analyze individual device operating system versions (also known as image versions) and generate image analysis reports. This then allows you to import and distribute operating system images to groups of devices. Operating system upgrade jobs can also be scheduled to ensure up-to-date versions and minimize errors.
Software Image Management (SWIM) includes the following features:

- Software Repository: Determines the images that are missing from the network, imports these images into the software library, keeps the library up-to-date, and periodically synchronizes the library with the images running on the network devices. You can also schedule an image import for a later, more convenient time, as well as download an appropriate image from Cisco.com.

- Software Distribution: Generates upgrade analysis reports that allow you to determine prerequisites for image upgrade. You can either select a set of devices and perform an image upgrade, or select a software image and select a set of devices on which to perform the upgrade.

- Software Management Jobs: Allows you to view, edit, stop, or delete scheduled image upgrade jobs.

For a detailed description of the fields on this page, see Device OS Management
Page, page A-16. The following features are all cross launch points to RME
features:

Using the Software Repository

Understanding Software Distribution

Scheduling Management Jobs

For more information consult the context sensitive online help available on these
pages, or the RME user guide online at
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/index.html.

Understanding Audit Reports


When state changes occur in Security Manager, an audit entry is created in the
audit log. You can display the aggregated results of the audit entries by defining
the parameters in the Audit Report page. The state changes that generate an event
and create an audit entry are:

- Changes to the runtime environment:


  - System changes, such as login attempts (successful or failed), logout, and scheduled backups.
  - Authorization issues, such as failed attempts and security breaches.
  - Map changes, such as saving, deleting, and changing background map views.
  - Admin changes, such as workflow on and workflow off modes.

- Changes to the state of Security Manager objects:
  - Activity changes, such as creating, editing, submitting, and approving an activity.
  - Deployment changes, such as creating, editing, and submitting a deployment job.

- Changes to the state of managed devices:
  - Object changes, such as changes to building blocks.
  - Inventory changes, such as adding, deleting, and modifying devices in the inventory.
  - Policy changes, such as creating, restoring, modifying, and deleting policies.
  - VPN changes, such as creating, modifying, and deleting a VPN.

Before you generate the audit report, you can narrow your search criteria by
defining the parameters for the report in the Audit Report page. The Audit Report
page contains two panes. You define the parameters in the left pane and click
Search to display the audit report, corresponding to the parameters you defined,
in the right pane.
The following topics provide more information:

Guidelines for Defining the Audit Report Parameters, page 20-9

Generating the Audit Report, page 20-9

Viewing Audit Logs, page 20-10

Purging Audit Log Entries, page 20-11


Guidelines for Defining the Audit Report Parameters


The following examples provide some guidelines that will help you understand
what parameters you should define to get the information you need:

- To find out the deployment history of device X: From the Search by action column, select Deployment > Create. In the Search by all or part of the object name field, enter the name of the device. In this instance, enter X, then click Search.

- To find out when the device X was removed from Security Manager management: From the Search by action column, select Devices > Delete. In the Search by all or part of the object name field, enter the name of the device. In this instance, enter X, then click Search.

- To find out if a failed login attempt occurred in the system: From the Search by action column, select System > Authorization > Login > Failed, then click Search.

Related Topics

Understanding Audit Reports, page 20-7

Generating the Audit Report, page 20-9

Audit Report Page, page Q-8

Generating the Audit Report


You narrow down your search criteria by defining the parameters for the audit
report in the Audit Report page.
This procedure describes how to generate an audit report.
Procedure
Step 1

Select Tools > Audit Report. The Audit Report page appears.

Step 2

Enter the information in the required fields in the left pane. For more information,
see Table Q-5.

Step 3

Click Search to generate the audit report.


The audit report is displayed in the right pane. For more information, see
Table Q-6.
Step 4

For a detailed description, double-click a row. The Audit Message Details page
appears. For elements in this page, see Audit Message Details Dialog Box,
page Q-11.

Related Topics

Understanding Audit Reports, page 20-7

Guidelines for Defining the Audit Report Parameters, page 20-9

Viewing Audit Logs, page 20-10

Viewing Audit Logs


Audit logs are stored in two locations, in the Security Manager database and in
the CiscoWorks Common Services database.
To view the audit logs in the Security Manager database, see Generating the Audit
Report, page 20-9.
To view the archived audit logs in Common Services, go to:
CSCOpx/MDC/Logs/audit/ on the server machine or use the following procedure.
This procedure describes how to view audit logs in Common Services.
Procedure
Step 1

Select Common Services > Device and Credentials > Reports. The Report
Generator page appears.

Step 2

Select Audit Report.

Step 3

Enter the report range in the fields provided, then click Generate Report.
The generated report contains all audit logs from both Common Services and
Security Manager.


Related Topics

Understanding Audit Reports, page 20-7

Generating the Audit Report, page 20-9

Purging Audit Log Entries


To prevent database overload, the following audit log parameters have factory-set defaults:

- Time: 60 days.
- Maximum number of entries: 10,000 entries.

When the time limit or the maximum number of entries limit is reached, the audit logs that have expired are purged (deleted) from the system. To change the factory-set defaults, select Tools > Security Manager Administration > Preferences > Logs. For more information, see Logs Page, page A-30.
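The following is an added example, not Security Manager code, that models the two things described in this chapter's audit report sections: the Audit Report search parameters (a Search by action path such as Deployment > Create or System > Authorization > Login > Failed, plus all or part of an object name) and the audit log retention defaults (60 days, 10,000 entries). The entries are constructed, and the way the two limits are combined here (age first, then the oldest entries beyond the cap) is an assumption for illustration, not Security Manager's purge implementation.

```python
"""Search and retention over audit log entries (added example)."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class AuditEntry:
    entry_id: int
    timestamp: datetime
    action: str       # path in the "Search by action" tree, "/"-separated
    object_name: str  # device, policy, user ... the entry refers to
    user: str


def search_audit(entries: List[AuditEntry], action: Optional[str] = None,
                 object_name: Optional[str] = None) -> List[AuditEntry]:
    """Filter like the Audit Report page: `action` matches the selected node
    and everything beneath it; `object_name` is a case-insensitive substring
    ("all or part of the object name"). Results are returned oldest first."""
    hits = []
    for e in entries:
        if action and e.action != action and not e.action.startswith(action + "/"):
            continue
        if object_name and object_name.lower() not in e.object_name.lower():
            continue
        hits.append(e)
    return sorted(hits, key=lambda e: e.timestamp)


def entries_to_purge(entries: List[AuditEntry], now: datetime,
                     max_age_days: int = 60,
                     max_entries: int = 10000) -> List[AuditEntry]:
    """Entries the two retention limits would expire (assumed ordering):
    everything older than `max_age_days`, then, if more than `max_entries`
    remain, the oldest of those until the cap is met."""
    cutoff = now - timedelta(days=max_age_days)
    expired = [e for e in entries if e.timestamp < cutoff]
    kept = sorted((e for e in entries if e.timestamp >= cutoff),
                  key=lambda e: e.timestamp)
    overflow = kept[:max(0, len(kept) - max_entries)]
    return expired + overflow


def ids(entries: List[AuditEntry]) -> List[int]:
    """Entry ids, for compact checks and printing."""
    return [e.entry_id for e in entries]


# Constructed sample data: device names and users are placeholders.
NOW = datetime(2007, 6, 1, 12, 0)
ENTRIES = [
    AuditEntry(1, datetime(2007, 3, 1, 9, 0), "Deployment/Create", "fw-edge-01", "admin"),
    AuditEntry(2, datetime(2007, 5, 10, 14, 5), "Deployment/Create", "fw-edge-01", "admin"),
    AuditEntry(3, datetime(2007, 5, 12, 8, 30), "Devices/Delete", "fw-edge-02", "admin"),
    AuditEntry(4, datetime(2007, 5, 20, 23, 59), "System/Authorization/Login/Failed", "", "jdoe"),
    AuditEntry(5, datetime(2007, 5, 28, 10, 0), "Deployment/Create", "fw-edge-02", "ops"),
]

if __name__ == "__main__":
    # Deployment history of one device, as in the guideline above.
    print("deployments to fw-edge-01:",
          ids(search_audit(ENTRIES, "Deployment/Create", "fw-edge-01")))
    # Failed login attempts anywhere in the system.
    print("failed logins:",
          ids(search_audit(ENTRIES, "System/Authorization/Login/Failed")))
    # What the factory defaults would purge at NOW.
    print("to purge:", ids(entries_to_purge(ENTRIES, NOW)))
```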
Related Topics

Understanding Audit Reports, page 20-7

Audit Report Page, page Q-8

Viewing Audit Logs, page 20-10

Logs Page, page A-30

Using the Configuration Archive Tool


Configuration Archive stores configuration versions for each device managed by
Security Manager.

Note

Security Manager does not support the archiving of VLAN configurations.


You can use Configuration Archive to:

View the transcript of a configuration deployment for a selected device.

View and compare configuration versions.

View CLI differences between deployed configuration versions.



Roll back to an earlier configuration version that originated from the device.

Retrieve a current device configuration.

You must have the proper permissions to access all of these features. For more
information on permissions, see Default Associations Between Permissions and
Roles in Security Manager, page 2-32.

Note

Configuration Archive differs from Preview Configuration, which displays proposed configuration changes to the CLI. For more information on the Preview Configuration functions, see Previewing Configurations, page 18-42.

Related Topics

Adding Configuration Versions from a Device to the Archive, page 20-23

Configuration Archive Window, page Q-12

Configuration Version Viewer, page Q-15

Customizing the Configuration Archive Toolbar, page 20-12

Defining Configuration Archive Settings, page 2-62

Using Rollback to Deploy Archived Configurations, page 20-15

Viewing and Comparing Configurations, page 20-14

Viewing Transcripts, page 20-13

Transcript Viewer Window, page Q-17

Customizing the Configuration Archive Toolbar


In the right pane you can view and sort configuration file versions by version ID,
creation date, creator, archival source, creation comment, and transcript. You can
rearrange the column headings to appear in any order, and you can hide columns
that you do not find useful.
This procedure will help you add or remove toolbar buttons.


Procedure
Step 1

Select Tools > Configuration Archive to go to Configuration Archive.

Step 2

In the Device selector, click any device. The Security Manager Configuration
Archive window populates with archived configuration versions. For a description
of the fields in this page, see Table Q-8 on page Q-14.

Step 3

Right-click the Configuration Archive toolbar and select Show Columns. A list of toolbar buttons appears. A checkmark indicates that the button appears on the toolbar. No checkmark indicates that the button does not appear.

Step 4

Select buttons to include or deselect buttons to exclude from the toolbar.

Related Topics

Adding Configuration Versions from a Device to the Archive, page 20-23

Configuration Archive Window, page Q-12

Defining Configuration Archive Settings, page 2-62

Using Rollback to Deploy Archived Configurations, page 20-15

Viewing and Comparing Configurations, page 20-14

Viewing Transcripts, page 20-13

Viewing Transcripts
A transcript is the log file of Security Manager server and device transactions
captured during a deployment or rollback operation. It includes commands sent
and received between server and device from the time of deployment or rollback
request. If rollback is unsuccessful, there might be a partial transcript generated
depending on which stage rollback or deployment failed.
This procedure will help you view transcripts.
Procedure
Step 1

Select Tools > Configuration Archive to go to Configuration Archive.


In the Device selector, click the device for which you want to view a transcript.
The Security Manager Configuration Archive window populates with archived
configuration versions for the device you selected. For a description of the fields
in this page, see Table Q-8 on page Q-14.
Step 2

Double-click the Transcript icon next to the configuration version for which you
want to view its transcript. The transcript for that configuration version appears.

Related Topics

Transcript Viewer Window, page Q-17

Adding Configuration Versions from a Device to the Archive, page 20-23

Configuration Version Viewer, page Q-15

Customizing the Configuration Archive Toolbar, page 20-12

Using Rollback to Deploy Archived Configurations, page 20-15

Viewing and Comparing Configurations, page 20-14

Viewing and Comparing Configurations


You can view and compare any one full configuration version to any other in the
archive from the configuration version viewer. You can view a delta configuration
file from this viewer as well. A delta configuration file is generated by Security
Manager during deployment and represents policy changes between the existing
configuration and the one currently being deployed. Delta configuration versions
contain command syntax different from that for full configuration versions, and
include negation commands. A delta configuration file is available only for
configuration versions in the archive that have been deployed to a device by
Security Manager. When available, these can be viewed from the configuration
version viewer.
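To make the delta concept concrete, here is an added example (not Security Manager's own delta generator) that computes a negation-style delta between two archived full configurations. It assumes an IOS-style line-oriented configuration in which indented lines belong to the preceding unindented section line; the sample configurations are constructed with documentation addresses.

```python
"""Delta (negation-style) configuration between two full configs (added example)."""

from typing import Dict, List


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group a config into sections keyed by their unindented line.

    Stand-alone commands become keys with an empty child list; indented lines
    are stored, stripped, under the preceding section line. "!" comment lines
    and blank lines are ignored.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def negate(cmd: str) -> str:
    """IOS-style negation: "no X" undoes X, and X undoes "no X"."""
    return cmd[3:] if cmd.startswith("no ") else "no " + cmd


def delta_config(running: str, target: str) -> List[str]:
    """Return the command lines that turn `running` into `target`.

    Sections only in `running` are negated; sections only in `target` are
    added with their children; for sections in both, individual child lines
    are negated or added. A line that is the exact negation of a removed line
    (for example "no shutdown" replacing "shutdown") is emitted once, not twice.
    """
    old = parse_sections(running)
    new = parse_sections(target)
    removed_top = [negate(k) for k in old if k not in new]
    delta: List[str] = list(removed_top)
    for line, children in new.items():
        if line not in old:
            if line in removed_top:
                continue  # already emitted as the negation of an old line
            delta.append(line)
            delta.extend(f" {c}" for c in children)
            continue
        old_children = old[line]
        negated = [negate(c) for c in old_children if c not in children]
        added = [c for c in children
                 if c not in old_children and c not in negated]
        if negated or added:
            delta.append(line)
            delta.extend(f" {c}" for c in negated + added)
    return delta


# Constructed sample: the archived running config and the version being
# deployed (hostname and addresses are documentation values, not real).
RUNNING = """!
hostname edge-rtr
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 shutdown
ip http server
logging host 192.0.2.50
!
"""

TARGET = """!
hostname edge-rtr
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 no shutdown
logging host 198.51.100.50
!
"""

if __name__ == "__main__":
    print("\n".join(delta_config(RUNNING, TARGET)))
```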
This procedure will help you view and compare configurations.
Procedure
Step 1

Select Tools > Configuration Archive to go to Configuration Archive.


In the Device selector, click the device for which you want to view a full or delta
configuration version. The Security Manager Configuration Archive window
populates with archived configuration versions for the device you selected. For a
description of the fields in this page, see Table Q-8 on page Q-14.
Step 2

Select the configuration version that you want to view or compare and click View.

Tip

If you are comparing configuration versions, you only need to select one
of the two in the version list.

The configuration version viewer opens. The configuration version you selected
is in the left pane of the configuration version viewer. For details on interpreting
the color coding in the file versions, and using the change indicator buttons, see
Configuration Version Viewer, page Q-15.
Step 3

To compare configuration versions, select a different version from the Compare with version list. The version you selected appears in the right pane of the configuration viewer.

Step 4

To view the delta configuration for the version in the left pane, from the Config
Type list select the (Delta) configuration. For details on interpreting the color
coding in the file versions, and using the change indicator buttons, see
Configuration Version Viewer, page Q-15.

Related Topics

Adding Configuration Versions from a Device to the Archive, page 20-23

Viewing Transcripts, page 20-13

Configuration Version Viewer, page Q-15

Using Rollback to Deploy Archived Configurations


You can roll back any configuration version, from Configuration Archive to the
device for which it is archived, provided that the configuration originated from the
device. You cannot roll back to a file configuration. The rolled-back configuration
then becomes another archived version in the list for that device.
This procedure will help you roll back to an archived configuration.


What happens during rollback

- On PIX/ASA/FWSM devices, Security Manager uses the replace config option on the device's SSL interface to perform the equivalent of a reload (xlates are cleared, IPsec tunnels are torn down, and so on).

- For routers running IOS 12.3(7)T or later, Security Manager uses the configure replace command to replace the running configuration with the contents of a configuration file. Support for this command is dependent on the IOS version installed on the router:

Note

On routers running IOS 12.3(7)T or later, Security Manager copies the configuration file to the startup configuration before executing the configure replace command. If the configure replace operation fails, Security Manager issues the reload command to reload the operating system using the contents of the startup configuration. Please note that the reload command restarts the system, which might result in a temporary network outage.

- On routers running a version prior to 12.3(7)T, Security Manager copies the configuration file to the startup configuration and issues the reload command.

Special considerations apply to the rollback of certain device types and configurations. Please see the following sections for more information:

Understanding Rollback for Devices in Multiple Context Mode, page 20-18

Understanding Rollback for Failover Devices, page 20-18

Understanding Rollback for Catalyst 6500/7600, page 20-19

Understanding Rollback for IPS and IOS IPS, page 20-19

Commands that Can Cause Conflicts after Rollback, page 20-22

Commands to Recover from Failover Misconfiguration after Rollback, page 20-23

Procedure
Step 1

Select Tools > Configuration Archive to go to Configuration Archive.


In the Device selector, click the device for which you want to roll back a different
configuration version. The Security Manager Configuration Archive window is
populated with archived configuration versions for the device you selected. For a
description of the fields in this page, see Table Q-8 on page Q-14.
Step 2

Highlight the device by clicking the device name.

Step 3

Highlight the configuration version to deploy to device.

Note

You can roll back only to a configuration that originated from the device. You
cannot roll back to a file configuration.
To view the configuration version before rollback, click View. For a description
of the fields in this page, see Table Q-9 on page Q-16.

Step 4

Click Rollback to deploy the selected configuration version to the selected device. A progress box appears, followed by a notification message when the configuration version is successfully deployed. An error message appears if the deployment was not successful.

Related Topics

Adding Configuration Versions from a Device to the Archive, page 20-23

Configuration Version Viewer, page Q-15

Managing Deployment, page 18-1

Viewing and Comparing Configurations, page 20-14

Understanding Rollback for Devices in Multiple Context Mode, page 20-18

Understanding Rollback for Failover Devices, page 20-18

Understanding Rollback for Catalyst 6500/7600, page 20-19

Understanding Rollback for IPS and IOS IPS, page 20-19

Commands that Can Cause Conflicts after Rollback, page 20-22

Commands to Recover from Failover Misconfiguration after Rollback, page 20-23


Understanding Rollback for Devices in Multiple Context Mode


If the configuration of the system context to which you are rolling back specifies connectivity options to security contexts (for example, vlan config) and there is a mismatch between the configuration selected for rollback and the current running configurations of the security contexts, Security Manager might not be able to connect to the security contexts. In such cases, we recommend that you roll back configurations for the security contexts before rolling back a configuration for the system context.

Note

If you roll back a configuration for the system context of a device in multiple
context mode to one that includes a different set of security contexts, after
rollback the security contexts on the device might not match the security contexts
managed by Security Manager that appear in the Device selector.
Related Topics

Using Rollback to Deploy Archived Configurations, page 20-15

Commands that Can Cause Conflicts after Rollback, page 20-22

Commands to Recover from Failover Misconfiguration after Rollback, page 20-23

Understanding Rollback for Failover Devices


If you roll back a configuration that contains a failover policy, a switchover could
occur during rollback or connectivity between the active and standby units might
be lost. To prevent problems, please copy the bootstrap configuration to the
standby unit after rollback completes. For more information, please see Bootstrap
Configuration for LAN Failover Dialog Box, page L-127.
Related Topics

Using Rollback to Deploy Archived Configurations, page 20-15

Commands that Can Cause Conflicts after Rollback, page 20-22

Commands to Recover from Failover Misconfiguration after Rollback, page 20-23

Bootstrap Configuration for LAN Failover Dialog Box, page L-127


Understanding Rollback for Catalyst 6500/7600


If you roll back a configuration to a Catalyst 6500/7600 device that specifies
connectivity options to service modules (for example, vlan config) and there is a
mismatch between the configuration selected for rollback and the current running
configuration, Security Manager might not be able to connect to the service
modules. We recommend that you roll back configurations for the service
modules before rolling back a configuration to the Catalyst 6500/7600 chassis.
Related Topics

Using Rollback to Deploy Archived Configurations, page 20-15

Commands that Can Cause Conflicts after Rollback, page 20-22

Commands to Recover from Failover Misconfiguration after Rollback, page 20-23

Understanding Rollback for IPS and IOS IPS


Special considerations apply to the rollback of IPS devices and IOS IPS devices.
For IPS devices and IOS IPS devices, rollback could possibly include rolling back
sensor updates or signature updates. The reason for this is that for IPS devices and
IOS IPS devices, Security Manager supports not only the management of
configuration but also the support of image management in the form of manual
and automatic upgrades and signature updates.
Rollback is accomplished through Configuration Archive. For IPS devices and
IOS IPS devices, only the current configuration is archived. The current
configuration for one device version (say, Version X) may not be valid for a
different device version (say, Version Y). Security Manager rolls back a
configuration of Version X to a sensor with Version Y as long as the configuration
for X is valid for Y.
If the configuration for X is valid for Y, rollback proceeds and Security Manager
displays a confirmation dialog box to you. If the configuration for X is not valid
for Y, Security Manager displays a warning dialog box to you and provides you
with the option of downgrading the sensor during rollback if such a downgrade
will help accomplish the rollback.


Caution

Downgrading an IPS device removes certain capabilities of the IPS device. For example, downgrading the engine prevents you from applying the latest signature updates. Operation of an IPS device without the latest signature updates diminishes the effectiveness of the IPS device.

For rollback of a deployment job, the warning dialog box contains one or more of the following types of warnings:

- Security Manager warns you about IPS devices that need to have their sensor version downgraded before a rollback can be performed.
- Security Manager warns you about IOS IPS devices whose signature level has changed. For these devices, only the non-IPS sections of the configuration can be rolled back.
- Security Manager warns you about IPS devices that must be downgraded more than one level, which Security Manager cannot do. You must use the Cisco IPS CLI for such downgrades. The warning dialog box displays the version to which the device must be reimaged or downgraded.

The option of downgrading an IOS IPS device during rollback is not available, because IOS IPS devices do not support downgrade.
If the option of downgrading the sensor during rollback will not help accomplish the rollback, you receive an error message stating that rollback cannot occur and that you need to manually reinstall the image on the device to roll back. Only the update package most recently installed on a device can be downgraded, so downgrade does not help in the following cases:

- Rollback of a deployment (signature update) that involves downloading more than one update package to the device.
- Selection of an old deployment or configuration for rollback subsequent to which several upgrades occurred.
- Rollback of an upgrade that cannot be downgraded. Major, minor, and most service pack upgrades cannot be downgraded, as shown in Table 20-1.

For rollback of a configuration that requires a downgrade to a version prior to Cisco IPS 5.1(4), Security Manager does not support automatic downgrade. You must manually downgrade the device to the specified version and then proceed with rollback.

Table 20-1  Downgrade Support for Possible Sensor Upgrade Types

Upgrade Type                                  | Downgrade Support
----------------------------------------------|---------------------------------------------------------
Major upgrade                                 | Downgrade is not supported.
Minor upgrade                                 | Downgrade is not supported.
Service pack update                           | Downgrade is not supported from Cisco IPS 5.1(4) onward.
Patch update                                  | Downgrade is supported.
Signature update                              | Downgrade is supported.
Engine update                                 | Downgrade is supported.
Repackage (of a major, minor, or service pack | Repackages for service packs prior to 5.1(4) can be
update)                                       | downgraded.

Caution

Outbreak Prevention updates on a particular device may be lost if that device is
downgraded.
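The rules above (Table 20-1, the restriction that only the most recently installed package can be downgraded, the IOS IPS exception, and the 5.1(4) floor for automatic downgrade) can be checked against a device inventory before a rollback job is created, so that the devices that will need a manual CLI downgrade or reimage are known in advance. The following Python script is an added example and is not Security Manager code or part of this guide; the Device and Update records, the version strings and the sample device names are assumptions made for illustration.

```python
"""Pre-flight check for rolling back IPS devices through Security Manager.

Added example, not Security Manager code. It encodes the rules stated in this
section: Table 20-1 (which update types can be downgraded), the restriction
that only the most recently installed package can be downgraded, the IOS IPS
exception, and the 5.1(4) floor for automatic downgrade. The Device/Update
records and the sample fleet below are assumptions of the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class UpdateType(Enum):
    MAJOR = "major"
    MINOR = "minor"
    SERVICE_PACK = "service pack"
    PATCH = "patch"
    SIGNATURE = "signature"
    ENGINE = "engine"
    REPACKAGE = "repackage"


# Rollback to a sensor version older than Cisco IPS 5.1(4) is never automatic.
MANUAL_DOWNGRADE_FLOOR = (5, 1, 4)


def parse_version(text: str) -> tuple[int, int, int]:
    """'5.1(4)' -> (5, 1, 4); any trailing patch/signature suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)\)", text)
    if not m:
        raise ValueError(f"unrecognised IPS version: {text!r}")
    major, minor, sp = (int(x) for x in m.groups())
    return major, minor, sp


@dataclass(frozen=True)
class Update:
    kind: UpdateType
    version_after: str  # sensor version once this package is installed


def downgradable(u: Update) -> bool:
    """Table 20-1: can Security Manager remove this package by downgrade?"""
    if u.kind in (UpdateType.MAJOR, UpdateType.MINOR):
        return False
    if u.kind in (UpdateType.SERVICE_PACK, UpdateType.REPACKAGE):
        # Service packs (and their repackages) from 5.1(4) onward cannot be downgraded.
        return parse_version(u.version_after) < MANUAL_DOWNGRADE_FLOOR
    return True  # patch, signature and engine updates


@dataclass
class Device:
    name: str
    ios_ips: bool                  # Cisco IOS IPS router rather than an IPS sensor
    archived_version: str          # sensor version recorded with the archived config
    installed_since: list[Update]  # packages applied after that archive, oldest first


def rollback_plan(d: Device) -> str:
    """Mirror the warning or error the rollback dialog would raise for this device."""
    if d.ios_ips:
        if d.installed_since:
            return "IOS IPS: signature level changed; only non-IPS sections roll back"
        return "roll back"
    if not d.installed_since:
        return "roll back"
    if parse_version(d.archived_version) < MANUAL_DOWNGRADE_FLOOR:
        return f"manual: downgrade to {d.archived_version} by CLI/reimage before rollback"
    if len(d.installed_since) > 1:
        # Only the most recently installed package can be downgraded.
        return (f"manual: {len(d.installed_since)} packages to remove; "
                f"reimage to {d.archived_version} by CLI")
    latest = d.installed_since[-1]
    if not downgradable(latest):
        return f"manual: {latest.kind.value} update cannot be downgraded; reimage to {d.archived_version}"
    return f"automatic downgrade of {latest.kind.value} update, then roll back"


if __name__ == "__main__":
    sig = Update(UpdateType.SIGNATURE, "6.0(2)")
    fleet = [  # constructed sample devices
        Device("ips-a", False, "6.0(2)", [sig]),
        Device("ips-b", False, "6.0(2)", [sig, Update(UpdateType.ENGINE, "6.0(2)")]),
        Device("ips-c", False, "5.1(4)", [Update(UpdateType.MINOR, "5.2(1)")]),
        Device("ips-d", False, "5.1(3)", [Update(UpdateType.SIGNATURE, "5.1(3)")]),
        Device("rtr-ios", True, "12.4(15)T", [sig]),
    ]
    for dev in fleet:
        print(f"{dev.name}: {rollback_plan(dev)}")
```

The check is deliberately conservative: anything that is not a single downgradable package on an IPS sensor at 5.1(4) or later is reported as manual, which matches the cases in which the rollback dialog tells you to reinstall the image yourself.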
Out-of-band changes discovered during rollback result in Security Manager
taking the actions listed in Table 20-2.

Table 20-2  Result of Out-of-Band Changes Discovered During Rollback

Out-of-Band Condition                           | Action Taken by Security Manager
------------------------------------------------|-------------------------------------------
During rollback, Security Manager discovers     | Security Manager displays an error message
that there have been out-of-band changes to the | stating that out-of-band changes prevent
device that prevent rollback.                   | rollback.
Related Topics

Using Rollback to Deploy Archived Configurations, page 20-15

Commands that Can Cause Conflicts after Rollback


The following commands can potentially cause conflicts after rollback is
performed:

• http server enable <port>

• http <ip_address> <net_mask> <interface_name>
  Applicable only to security contexts (not the system context).

• allocate-interface <physical_interface -or- subinterface> [<map_name>] [visible | invisible]
  Applicable only to the system context under the context subcommand.

• config-url <diskX:/path/filename>
  Applicable only to the system context under the context subcommand.

• join-failover-group <group_number>
  Applicable only for active/active failover and only to the system context
  under the context subcommand. The failover group defaults to group 1 if not
  specified.

• failover
  Applicable only to the system context. Enabling failover causes configuration
  synchronization to trigger between peers.

• failover lan enable
  Applicable only to the system context. If this command is omitted, this implies
  serial cable failover on a PIX platform or warrants an incomplete failover
  configuration warning on ASA and FWSM.

• failover lan unit {primary | secondary}
  Applicable only to the system context. If this command is not specified, both
  units are secondary by default. If rollback takes place on the wrong unit, both
  can become primary, which affects which unit becomes active initially.

• failover group <group_number>
  Applicable only to the system context. This command enables active/active
  failover. If this command is omitted, active/standby is enabled.

• preempt [<delay>]
  Applicable only to the system context and under the failover group subcommand,
  to force which failover group becomes active if both units are booted up at the
  same time, or the primary does not boot up within the delay specified.

• monitor-interface <interface_name>
  Applicable only to security contexts and used to enable health monitoring of
  critical interfaces. If this interface is bounced or fails, a switchover could
  occur.
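Before rolling back a failover unit or a multiple-context system configuration, it is worth diffing the archived configuration against the current running configuration for exactly the commands listed above, and reading off what failover state the archived configuration would produce on the unit it is rolled back to. The following Python script is an added example, not Security Manager or Cisco code; it is run against a system configuration (or a single-mode configuration), the two sample configurations are constructed, and the rollback_conflicts function and its warning text are assumptions of the example.

```python
"""Diff an archived ASA/PIX/FWSM configuration against the running one for the
commands listed above as conflict-prone after rollback (added example, not
Security Manager code; the sample configurations are constructed)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

TOP_LEVEL_PREFIXES = ("http server enable", "http ", "failover", "monitor-interface")
CONTEXT_SUBCOMMANDS = ("allocate-interface", "config-url", "join-failover-group")
FAILOVER_GROUP_SUBCOMMANDS = ("preempt",)

@dataclass
class Config:
    top: set[str] = field(default_factory=set)                          # system/single-mode lines
    contexts: dict[str, set[str]] = field(default_factory=dict)         # "context <name>" blocks
    failover_groups: dict[str, set[str]] = field(default_factory=dict)  # "failover group <n>" blocks

def parse(text: str) -> Config:
    """Keep only the conflict-prone lines, keyed by the block they belong to."""
    cfg, kind, key = Config(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):  # ASA indents subcommands by one space
            if kind == "context" and line.startswith(CONTEXT_SUBCOMMANDS):
                cfg.contexts[key].add(line)
            elif kind == "fogroup" and line.startswith(FAILOVER_GROUP_SUBCOMMANDS):
                cfg.failover_groups[key].add(line)
            continue
        if m := re.match(r"context (\S+)$", line):
            kind, key = "context", m.group(1)
            cfg.contexts.setdefault(key, set())
        elif m := re.match(r"failover group (\d+)$", line):
            kind, key = "fogroup", m.group(1)
            cfg.failover_groups.setdefault(key, set())
            cfg.top.add(line)
        else:
            kind = key = None
            if line.startswith(TOP_LEVEL_PREFIXES):
                cfg.top.add(line)
    return cfg

def failover_mode(cfg: Config) -> str:
    return "active/active" if any(l.startswith("failover group") for l in cfg.top) else "active/standby"

def rollback_conflicts(archived_text: str, running_text: str) -> list[str]:
    """Warnings for rolling the archived configuration back over the running one."""
    archived, running = parse(archived_text), parse(running_text)
    findings: list[str] = []
    def report(scope: str, old: set[str], new: set[str]) -> None:
        findings.extend(f"{scope}: rollback removes '{l}'" for l in sorted(new - old))
        findings.extend(f"{scope}: rollback adds '{l}'" for l in sorted(old - new))
    report("system", archived.top, running.top)
    for name in sorted(archived.contexts.keys() | running.contexts.keys()):
        report(f"context {name}", archived.contexts.get(name, set()), running.contexts.get(name, set()))
    for gid in sorted(archived.failover_groups.keys() | running.failover_groups.keys()):
        report(f"failover group {gid}", archived.failover_groups.get(gid, set()),
               running.failover_groups.get(gid, set()))
    # Failover state the archived configuration would produce on this unit.
    if "failover" in archived.top:
        if "failover lan enable" not in archived.top:
            findings.append("archived config lacks 'failover lan enable': serial-cable failover "
                            "on PIX, incomplete failover configuration on ASA/FWSM")
        unit = sorted(l for l in archived.top if l.startswith("failover lan unit"))
        findings.append(f"archived config sets '{unit[0]}': roll back on the matching peer, "
                        "otherwise both units can claim that role" if unit else
                        "archived config lacks 'failover lan unit': both units default to secondary")
    if failover_mode(archived) != failover_mode(running):
        findings.append(f"failover mode changes from {failover_mode(running)} to {failover_mode(archived)}")
    return findings

ARCHIVED_CONFIG = """\
failover
failover lan unit primary
failover lan enable
failover group 1
 preempt
http server enable 8443
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg
 join-failover-group 1
"""
RUNNING_CONFIG = """\
failover
failover lan unit primary
failover lan enable
http server enable 443
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
"""

if __name__ == "__main__":
    print("\n".join(rollback_conflicts(ARCHIVED_CONFIG, RUNNING_CONFIG)))
```

The parser only tracks the commands this section names, so a clean result does not mean the two configurations are identical; it means none of the failover, context or HTTP management commands that are known to misbehave on rollback differ between them.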

Related Topics

Using Rollback to Deploy Archived Configurations, page 20-15

Commands to Recover from Failover Misconfiguration after Rollback, page 20-23

Commands to Recover from Failover Misconfiguration after Rollback


If a switchover happens during rollback and the two units are no longer
synchronized, you might need to use the following commands to recover:

failover active [group <group_number>]

failover reset [group <group_number>]

failover reload-standby

clear configure failover

Note that clear configure failover removes the entire failover configuration
from the unit on which it is run, so run it only on the unit you intend to
reconfigure. For more information on these commands, refer to the command
reference for your security appliance.
Related Topics

Using Rollback to Deploy Archived Configurations, page 20-15

Commands that Can Cause Conflicts after Rollback, page 20-22

Adding Configuration Versions from a Device to the Archive


Configuration Archive is updated any time a configuration version is rolled back
to a device, in the form of a new line item in the archive for the device to which
you rolled back.
You can retrieve a configuration directly from the device to add to the
Configuration Archive. This is useful when changes have been made directly to
device configurations (out-of-band changes outside the scope of Security
Manager).

Note

Configurations cannot be retrieved from those devices that are managed by AUS,
and have been configured with dynamic IP addresses.
This procedure will help you retrieve a configuration from a device and add it to
the archive for that device.
Procedure

Step 1

Select Tools > Configuration Archive to go to Configuration Archive.


In the Device selector, click the device for which you want to retrieve its running
configuration. The Security Manager Configuration Archive window populates
with archived configuration versions for the device you selected. For a description
of the fields in this page, see Table Q-8 on page Q-14.

Step 2

Click Add from Device. The configuration version is added to the list of
configuration versions in Configuration Archive.

Step 3

Locate the Creation Comment next to the version you just added to verify the new
version was added. Time, date, and userid appear in this column.

Note

You will receive a notification message if the retrieval was successful, and
an error message if it was not.

Related Topics

Configuration Version Viewer, page Q-15

Using Rollback to Deploy Archived Configurations, page 20-15

Viewing and Comparing Configurations, page 20-14

Apply IPS Update


The Apply IPS Updates wizard allows you to manually apply image and signature
updates to compatible IPS devices. For step-by-step details on the Apply IPS
Updates wizard, refer to Apply IPS Update, page Q-18.
Automatic updates can be configured via Tools > Security Manager
Administration > IPS Updates. For details on automatic updates, refer to IPS
Updates Page, page A-19.

Backup and Restore


You can back up and restore the Security Manager database using Common
Services. From the Backup page you can schedule immediate, daily, weekly, or
monthly automatic backups. This page is accessible from the Tools menu by
selecting Tools > Backup. For more information, click Help from the Common
Services Backup page. Restoration of the Security Manager database and data
files is supported only by running a script on the command line.
A procedure for backup and restore is documented in the Common Services
documentation. We strongly recommend that you take a backup of your current
system before restoring an older backup. For information and a procedure on
restoring the database, see
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.0/user/guide/admin.html#wp257472.

Note

While backing up and restoring data, both Common Services and Security
Manager processes will be shutdown and restarted.
You cannot restore a backup from an earlier version of Security Manager into
Security Manager 3.1 if that backup contains any pending data, meaning data that
has not been committed to the database. Before upgrading to a new version of
Cisco Security Manager, we recommend committing or discarding all
uncommitted changes and then creating a backup of your database. You can use
the following instructions to help with committing or discarding pending data:

In non-Workflow mode:

To commit changes, select File > Submit.

To discard uncommitted changes, select File > Discard.

Note

If there are multiple users with pending data, the changes for those users
must also be committed or discarded. If you need to commit or discard
changes for another user, you can take over that users session. To take
over a session, select Tools > Security Manager Administration > Take
Over User Session.

In Workflow mode:

To commit changes, select Tools > Activity Manager. From the Activity
Manager window, select an activity, then click Submit.

Note

If you have enabled the activity approval requirement, you must also
approve all activities after submitting. To approve an activity, select Tools
> Activity Manager. From the Activity Manager window, select an
activity and click Approve.

To discard uncommitted changes, select Tools > Activity Manager. From the
Activity Manager window, select an activity, then click Discard. Only an
activity in the Edit or Edit Open state can be discarded.

Security Manager Diagnostics


Cisco Technical Assistance Center (TAC) personnel might ask you to submit
system configuration information when you submit a problem report. This
information assists them with diagnosing the reported problem. The Security
Manager diagnostic tool is a utility that you can use to collect the diagnostic
information from the Security Manager server. This tool is a plug-in for the
MDCSupport utility provided by Common Services. The Security Manager
diagnostic tool is invoked whenever you run the MDCSupport utility; it collects
log files, configuration settings, memory info, complete system related

information, process status, and host environment information. It also collects any
other relevant data into a tar (compressed form) file to support the security
management applications installed.
The following topics describe how to gather troubleshooting information and to
contact TAC for help:

Diagnostic Utility Executable Menu Item, page 20-27

Generating a Diagnostic File from a Security Manager Client, page 20-28

Generating a Diagnostic File from a Security Manager Server, page 20-29

Obtaining Documentation, Obtaining Support, and Security Guidelines, page 20-29

Diagnostic Utility Executable Menu Item


You can use the diagnostic utility to run diagnostics on your system. A file with
diagnostic information, CSMDiagnostics.zip, is generated and saved to a
specified location on your server. This file is useful when working with the TAC
to troubleshoot.
By default, the CSMDiagnostics.zip file is placed in the
<installation_location>/CSCOpx/MDC/etc directory, where
<installation_location> is the drive and directory in which you installed
CiscoWorks Common Services (for example, C:\Program Files).
The CSMDiagnostics.zip file consists of:

• Configuration files.

• Apache configuration and log files.

• Tomcat configuration and log files.

• Installation, audit, and operation log files.

• The CiscoWorks Common Services registry subtree
  (HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\MDC).

• Windows System Event and Application Event log files.

• Host environment information (operating system version and installed
  service packs, amount of RAM, disk space on all volumes, computer name,
  and virtual memory size).

Note

There is no requirement to submit a CSMDiagnostics.zip file when you first
submit a problem report. If Cisco requires the file, your support engineer tells you
how to submit it.
You can run Security Manager Diagnostics in either of two ways:

Generating a Diagnostic File from a Security Manager Client, page 20-28

Generating a Diagnostic File from a Security Manager Server, page 20-29

Generating a Diagnostic File from a Security Manager Client


This procedure will help you generate a diagnostic file for troubleshooting
purposes from a Security Manager client.
Procedure
Step 1

Select Tools > Security Manager Diagnostics to begin file generation. The
Security Manager Diagnostics dialog box appears.

Step 2

Click OK to begin generating the diagnostics file. A Security Manager
Diagnostics progress bar indicates the progress of the file generation.
When file generation is complete, a confirmation dialog box indicates that the file
has been created. It will say something like "Diagnostic file CSMDiagnostics.zip
is generated in the directory C:\PROGRA~\CSCOpx\MDC\etc on the client
<Security Manager client name>".

Tip

We recommend that you rename this file so it will not get overwritten each
time this utility is run.

Generating a Diagnostic File from a Security Manager Server


This procedure will help you generate a CSMDiagnostics.zip file for
troubleshooting from a Security Manager server.
Procedure
Step 1

Select Start > Run, then enter command. Or, if your server keyboard includes a
Windows key, press Windows-R, then enter command.

Step 2

Enter "C:\Program Files\CSCOpx\MDC\bin\CSMDiagnostics" (quote the path,
because it contains a space). Or, to save the ZIP file in a different location than
NMSROOT\MDC\etc\, enter CSMDiagnostics drive:\path. For example,
CSMDiagnostics D:\temp.
The utility creates the CSMDiagnostics.zip file in the directory you specified.
Before you close the command window, ensure that the MDCSupport utility has
completed its action. If you close the window prematurely, subsequent instances
of the MDCSupport utility will not function properly. If you did close the window
early, delete the mdcsupporttemp directory from the NMSROOT\MDC\etc
directory so that subsequent instances work properly.

Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing
documentation feedback, security guidelines, and also recommended aliases and
general Cisco documents, see the monthly Whats New in Cisco Product
Documentation, which also lists all new and revised Cisco technical
documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.

Chapter 21  Using Monitoring, Troubleshooting, and Diagnostic Tools
High network availability is a requirement for large enterprise and service
provider networks. Network managers face increasing challenges to providing
high availability, including unscheduled down time, lack of expertise, insufficient
tools, complex technologies, business consolidation, and competing markets.
Monitoring involves the study of network activities and device status to identify
anomalous activities or behavior. Diagnosing and correcting network and system
faults (outages and degradations) increases service availability and tools to
isolate, analyze, and correct faults are highly imperative. The following topics
describe the tools that are available in Security Manager 3.1 to provide integrated
network monitoring services and diagnostic capabilities for troubleshooting
significant events in your network and resolution:

Device Managers, page 21-2

Device Connectivity Test, page 21-15

Performance Monitor (Status Provider), page 21-15

IPS Event Viewer, page 21-31

Security Manager Access Rule Lookup from Device Manager Syslog, page 21-42

Device Managers
In Security Manager 3.0.1 and earlier, you cannot start device managers for
devices that are managed by Security Manager, with the exception of Catalyst
6500/7600 Device Manager (DM 6500/7600). With Security Manager 3.1, you
can start device managers for all supported devices, such as PIX security
appliances, Firewall Services Module (FWSM), IPS sensors, IOS routers, and
Adaptive Security Appliance (ASA) devices. Device managers provide several
monitoring and diagnostic features that enable you to get information regarding
the services running on the device and a snapshot of the overall health of the
system. By starting device managers from Security Manager, you eliminate the
need to open an HTTPS connection between your client system and the device you
want to monitor.
The Security Manager server is shipped with device manager images for the
supported devices. When the Security Manager server receives a request to start a
device manager, the corresponding device manager image is downloaded to the
Security Manager client. The default location for the device manager images is
C:\Program Files\Cisco Systems\Cisco Security Manager Client\cache. The
device manager images are uninstalled when you uninstall the Security Manager
client on your client system.

Note

When you use a device manager that you started from Security Manager, you can
only view the existing device configuration. If you perform configuration changes
from the device manager, and save the changes to apply them to the running
configuration of the device, an error message is displayed stating that the device
manager started from Security Manager does not allow you to perform
configuration changes on the device.
Although you can modify device configurations using the device manager running
on the device, we recommend that you do not make changes to a device
configuration outside of Security Manager (an out-of-band change) if you are
adding the device to the inventory to be managed by Security Manager.
The following topics describe the device managers that you can start from
Security Manager:

IDM, page 21-3

PDM, page 21-4

ASDM, page 21-5

SDM, page 21-6

IDM
The Cisco Intrusion Prevention System (IPS) Sensor software is an inline,
network-based solution, that identifies, classifies, and stops malicious traffic,
including worms, spyware/adware, network viruses, and application abuse, before
they affect business continuity. IPS sensors analyze network packets and flows to
determine whether their contents appear to indicate a network intrusion.
Additionally, the IPS solution, in combination with IPS Sensor software, works
with other network security resources to provide proactive protection of your
network.
Intrusion Prevention System Device Manager (IDM) is an application that enables
you to configure and manage your IPS sensors. The web server for IDM resides
on the sensor. Security Manager provides the ability to start IDM without the need
for IDM to be installed on your IPS sensor. IDM started from Security Manager
does not depend on the type of browser. Using IDM, you can monitor whether
sensors that are initialized and configured to be managed by IDM can be reached
and are functioning properly. When an IPS sensor detects an unauthorized
network activity, the alarm generated can be viewed from IDM.

Note

The IDM user interface consists of the File and Help menus. There are
Configuration and Monitoring buttons in IDM 5.0 and 5.1 whereas IDM 6.0
contains an additional button, Home. IDM constantly retrieves status information
to keep the Home window updated with the device details, alert summary, and
sensor resource and interface status.
From an IDM started from Security Manager client, you can click the Monitoring
button and navigate to the menus in the left-hand pane to configure monitoring.
You can use the Monitoring menus to edit the settings that enable you to monitor
sensor health.
When you access the online help for IDM 5.1, the Enter Network Password dialog
box pops up after you click Yes in the Security Alert dialog box. Enter your
username and password and click OK. This behavior is different from the method

of accessing online help for other versions of IDMs in which only the security
certificate alert appears and you are not prompted to enter credentials to display
online help.
See IDM product documentation for more information.
Related Topics

Device Managers, page 21-2

Understanding Communication, page 21-7

Starting Device Managers, page 21-7

PDM
PIX Device Manager (PDM) software provides secure administration of FWSM
and PIX Firewalls. Security Manager provides the ability to start PDM without the
need for PDM to be installed on your PIX Firewall or FWSM. PDM started from
Security Manager does not depend on the type of browser and uses the Java
plug-in shipped with Security Manager. PDM manages FWSM Releases 1.1, 2.2,
and 2.3 when it runs in single or multiple context modes, and PIX OS versions 6.0
through 6.3.
PDM provides you with a graphical user interface to the firewall and FWSM to
administer it. PDM is also compatible with the firewall and FWSM CLI and
includes a tool for using standard CLI commands within PDM. With PDM, you
can graph many aspects of the firewall and FWSM, including system activity such
as CPU and memory utilization, and performance statistics for xlates,
connections, AAA, fixups, URL filtering and TCP Intercept. You can also print or
export the graphs. Additionally, using PDM, you can monitor DHCP client lease
information, interface statistics, Telnet and SSH sessions, current PDM sessions
to the firewall, syslog messages based on their level of severity, and VPN tunnels.
The PDM home page lets you view at a glance important information about your
firewall such as the status of your interfaces, the version you are running,
licensing information, and performance. Many of the details available on the
PDM home page are available elsewhere in PDM, but this is a useful and quick
way to see how your firewall is running. All information on the home page is
updated every ten seconds, except for the Device Information.
See PDM product documentation for more information.

Related Topics

Device Managers, page 21-2

Understanding Communication, page 21-7

Starting Device Managers, page 21-7

ASDM
Cisco Adaptive Security Device Manager (ASDM) provides security management
and monitoring through a web-based management interface. Bundled with ASA
5500 Series Adaptive Security Appliances, PIX Security Appliances, and FWSM,
ASDM integrates an array of robust security services to prevent unauthorized
administrative access to a device. Security Manager provides the ability to start
ASDM without the need for ASDM to be installed on your device. ASDM started
from Security Manager does not depend on a type of browser and uses the same
Java plug-in that is shipped with Security Manager.
ASDM offers in-depth monitoring and reporting services in addition to the
at-a-glance monitoring capabilities on the home page. You can view detailed
device status information, including blocks used and free, current memory
utilization, and CPU utilization. ASDM also tracks real-time session and
performance monitoring data for connections, address translations, and AAA
transactions on a per-second basis. Connection graphs enable you to stay fully
informed of your network connections and activities. ASDM provides 16 different
graphs to display potentially malicious activity, real-time monitoring of
bandwidth usage for each interface on the security appliance, and VPN statistics
and connection graphs. By running separate instances of ASDM, you can connect
to multiple security appliances from a single workstation.
The ASDM home page includes a dynamic dashboard that provides a complete
system overview and device health statistics at a glance. You can view important
information about your security appliance, such as the status of your interfaces,
CPU and memory usage details, number of connected IKE and IPsec tunnels, the
version you are running, device information, UDP and TCP connections per
second, real-time syslog viewer and traffic throughput. Many of the details
available on the ASDM home page are available elsewhere in ASDM, but this is
a useful and quick way to see how your security appliance is running. Status
information on the Home page is updated every ten seconds.
See ASDM product documentation for more information.

Related Topics

Device Managers, page 21-2

Understanding Communication, page 21-7

Starting Device Managers, page 21-7

SDM
Cisco Router and Security Device Manager (SDM) is a tool that can be used to
proactively manage Cisco IOS software-based router resources and security
before they affect mission-critical applications on the network. Security Manager
provides the ability to start SDM without the need for SDM to be installed on your
router. SDM started from Security Manager does not depend on the type of
browser. SDM requires no previous experience with Cisco devices or the Cisco
command-line interface (CLI). Cisco SDM supports a wide range of Cisco IOS
Software releases.
The SDM home page displays system and configuration overview information
about your router hardware and software, such as the running configuration,
interface-specific firewall policies, and number of static and dynamic routes. The
home page provides for faster and easier monitoring of security configurations.
The home page also provides a quick snapshot of detailed VPN status, such as the
number of active VPN connections, the name of an interface with a configured
VPN connection, the type of VPN connection configured on the interface, and the
name of the IPsec policy associated with the VPN connection.
See SDM product documentation for more information.
Related Topics

Device Managers, page 21-2

Understanding Communication, page 21-7

Starting Device Managers, page 21-7

Understanding Communication
Security Manager client intercepts all HTTPS requests made by device managers
and sends them to the Security Manager server. The server processes the requests
redirected by the client by obtaining information from the device or sending data
such as the device manager image to the client. This communication between the
client and server is transparent to the device manager, and appears as though there
is a direct connection between the device manager and the device. Because the
Security Manager client intercepts all requests from the device manager, you do
not need to enable SSL on all Security Manager clients for secure access between
the client and the server and between the device manager and Security Manager.
When a device manager is started from Security Manager, the Security Manager
client starts the correct device manager image for the selected device. If the device
manager image is not available in the client cache directory, the image is obtained
from the Security Manager server. The Security Manager client starts only one
instance of device manager per device and closes the device manager window
when you exit the Security Manager client or the idle session timeout period is
exceeded.
Related Topics

Device Managers, page 21-2

Starting Device Managers, page 21-7

Device OS Version Interoperability with Device Managers, page 21-13

Starting Device Managers


You can start device managers for all devices (both static and dynamic IP
addresses) that are supported by Security Manager. Device managers can be
started on all versions of Windows that are supported by Security Manager. The
device manager opens in a separate window and you can switch between the
Security Manager client and device manager windows at any time. If the device
manager window for a device is not active or has been minimized, an error
message is displayed when you attempt to start the device manager for the same
device. You can either choose to close the previous instance of device manager
and start a new window, or cancel the operation to start a fresh device manager
instance and activate the device manager window that was started before. The
credentials that you supplied while adding the device to Security Manager
inventory are reused to start the device manager. If you did not enter the device
credentials while adding the device, an error message is displayed when you start
the device manager stating that the device credential information for logging in to
the device must be entered.
Keep in mind the following guidelines when working with device managers
started from Security Manager:

Security Manager is shipped with device manager images and does not use
the device manager image installed on the device to start a device manager.

All users associated with any of the CiscoWorks Common Services roles
except the Help Desk role or any of the predefined Cisco Secure ACS roles
have permission to start device managers from Security Manager clients.

You can start device managers for multiple devices at the same time from the
same Security Manager client.

You can start only one device manager per device per Security Manager
client.

You can start multiple device managers for the same device at the same time
from different Security Manager clients systems.

You can start a device manager from Security Manager even if the device
manager is not installed on the device.

The security appliance and FWSM allow a maximum of 5 concurrent ASDM
instances per context, if available, with a maximum of 32 ASDM instances
divided between all contexts for the security appliance and 80 ASDM sessions
between all contexts for FWSM. To display a list of active ASDM sessions
and their associated session IDs, use the show asdm sessions command in
privileged EXEC mode. ASDM sessions use two HTTPS connections: one for
monitoring that is always present, and one for making configuration changes
that is present only when you make changes. For example, the system limit of
32 ASDM sessions represents a limit of 64 HTTPS sessions, divided between
all contexts.
The maximum number of persistent HTTPS connections that can be
established with the security appliance is limited by the system limit for your
device model. An error message is displayed if you attempt to exceed this
limit. The concurrent firewall connections are based on a traffic mix of 80%
TCP and 20% UDP, with one host and one dynamic translation for every four
connections.

PDM allows multiple PCs or workstations to each have one browser session
open with the same firewall. A single firewall can support up to 16 concurrent
PDM sessions. Only one session per browser per PC or workstation is
supported for a particular firewall. The FWSM allows up to 32 PDM sessions
for the entire module, and it allows a maximum of 5 concurrent HTTPS
connections per context, which can be configurable.

The number of concurrent IDM sessions is limited based on the IPS platform.
IDS-4210, IDS-4215, and NM-CIDS are limited to three concurrent sessions.
All other platforms allow ten concurrent sessions.

If the device has a newer OS version, which is not supported by Security
Manager, the most recent version of device manager that supports the OS
version on the device is started. If no such version of device manager exists
on the client, an error message is displayed when you start the device manager
for such a device.

The device manager started from Security Manager for a Cisco IOS router
supports the most recent Cisco IOS software release, regardless of whether
the device manager running on the router supports the most recent version of
Cisco IOS software or not.

You need to modify the Cisco Security Agent or any other anti-virus and
network firewall software policies on the Security Manager client system to
allow the device manager (xdm-launcher.exe) to be cross-launched. Otherwise,
the security agent installed on your client system might terminate the
execution of the xdm-launcher.exe file when you attempt to start the device
manager.

Starting multiple device managers might impact the Security Manager server
and client performance. The memory and performance impact on the client is
proportional to the number of device managers that are started. An increased
number of requests to start device managers or retrieve current information
from the device can have an adverse impact on the server performance.

Device managers started from Security Manager provide a read-only view. The
home pages of device managers provide a bird's-eye view of device health
statistics and vital system information. In addition to the dashboard view
capabilities on the home page, you can navigate to the other menus and view
detailed information on various device configuration parameters.

Device managers can be started for FWSM blades and ASA devices running
in transparent mode (Layer 2 firewall) or routed mode (Layer 3 firewall) and
supporting single security context or multiple security context. For FWSM
and ASA devices in which multiple independent virtual firewall security
contexts exist, you must define a unique management IP address for each
security context to start the device manager.

The credentials for the device that you entered using the Device Credentials
page when you added the device to Security Manager are used to start the
device manager for that device; you need not reenter the credentials.
However, if you have not entered the device credentials during device
addition to the Security Manager inventory, an error message indicates that
the device credentials are not available when you start the device manager.
Double-click the device in the Device selector, then click Credentials from
the Device Properties page to add device credential information to the
Security Manager database.

You must enable the HTTPS server on the devices so that the Security Manager
client can intercept all requests from device managers and redirect them to the
server. See the relevant product documentation for information on how to
enable the HTTPS server on the devices.

The preferences that you set to change the behavior of some device manager
functions in the read-only view are retained across sessions. For example, if
you choose not to display the confirmation prompt when you try to exit the
device manager window, that setting applies to all future instances of the
device manager.

You can access the command line interface (CLI) on the device from the Tools
menu of device manager started from Security Manager and run several show
commands to help you view pertinent information about device configuration
parameters. Only show commands can be run from the Tools menu and you
cannot execute other commands on the device from device manager.

From an IDM started from Security Manager client, you can click the
Monitoring button and navigate to the menus in the left-hand pane to
configure monitoring. You can use the Monitoring menus to edit the settings
that enable you to monitor sensor health.

When you exit the Security Manager client, all device manager windows are
closed.

This procedure describes how to start a device manager for a device added to the
Security Manager inventory.

Before You Begin

If an instance of the device manager is already running on your client system,
an error message is displayed when you try to start the device manager again
for the same device. If you get this error message, you are prompted to
confirm whether you want to close the device manager window that was
previously started and start it afresh or terminate the start operation. Click
OK to close the previous instance of device manager and start a new window.

Because Security Manager cannot determine the management interface and,
therefore, the management IP address when you add a device from a
configuration file, the hostname in the configuration file is used as the DNS
hostname. If the hostname is missing in the CLI of the configuration file, the
configuration filename is used as the DNS hostname. During live device
discovery, the DNS hostname in the Device Properties page is not updated
with the hostname configured on the device. Therefore, if the DNS hostname
that appears on the Device Properties page is not the same as the hostname
that you configured on the device, the device manager fails to start.

Ensure that you have valid and complete configurations for the primary
credentials and HTTP connection-related configurations by editing the device
credentials information from the Device Properties page.

If Security Manager cannot reach the device, an error message is displayed
and the device manager fails to start. Configure device communication
settings, such as device identity, the operating system running on the device,
and device communication settings using the Device Properties page to
establish a connection between Security Manager and the device.

If Security Manager cannot reach the device and the device credentials are
also not specified, an error message is displayed stating that the credential
information for the device is not available when Security Manager checks the
device properties before attempting to start the device manager.

If SSL is not enabled on the device for secure access between the Security
Manager server and the device, an error message is displayed when you try to
start the device manager. Ensure SSL is enabled on the device so that
communication between the Security Manager and device is encrypted. See
the relevant product documentation for the command you must configure to
enable SSL on the device.

Note

DES encryption is not supported on Common Services 3.0 and later.
Please make sure that all PIX Firewalls and Adaptive Security Appliances
that you intend to manage with Cisco Security Manager have a
3DES/AES license.

Procedure
Step 1

Click the Device View button on the toolbar. The Devices page appears.

Step 2

In Device view, select a device from the Device selector, then do one of the
following:

From the Device selector, right-click a device to display menu options, then
select Device Manager.

Select Tools > Device Manager.

A warning message states that the device manager started from Security Manager
does not allow you to perform configuration changes on the device and asks if you
want to continue.

Tip

To prevent this warning message from appearing in the future for any
device, select the Do not show this again check box before continuing.

Step 3

To continue, click Yes.

Note

When you start a device manager from Security Manager, the
xdm-launcher.exe application, which is the device manager image, is run.
If you had set the Cisco Security Agent (CSA) security level to medium
or high on your server system, CSA displays a popup window, which
indicates that a problem is detected, prompting you to confirm whether
you want to allow xdm-launcher.exe to be started. You can either click
Yes to allow the xdm-launcher.exe process to run whenever you are
prompted to confirm, or modify the CSA policies on the Security
Manager client system to allow xdm-launcher.exe to be run always.
If you have configured the CSA policies to prevent the execution of the
xdm-launcher.exe process, the icon in the system tray (the red flag) will
wave to indicate that CSA has a message for you when you start device
manager. To read the message, double-click the CSA icon (the red flag in
the Windows system tray) to open the CSA utility. The Messages tab
displays by default. CSA considers xdm-launcher.exe an untrusted
application and places this information in the Untrusted Applications edit
box. To remove the program executable from the list of untrusted
applications, from the Untrusted Applications window of the CSA utility,
select the <installation_location>\Cisco Security Manager
Client\cache\xdm-launcher.exe entry in the edit box, where
<installation_location> is the drive and directory in which you
installed the Security Manager client, and press the Delete key. The
restriction on the device manager application is removed and the device
manager is allowed to be started from Security Manager.

A progress bar indicates the progress of the device manager start and displays
what percentage of the launch has been completed. The device manager home
page is displayed when the start operation is complete.

Related Topics

Device Managers, page 21-2

Understanding Communication, page 21-7

Device OS Version Interoperability with Device Managers, page 21-13

Device OS Version Interoperability with Device Managers


Each version of the device manager image is compatible with specific versions of
software running on the device. The most recent version of device manager
supported for the software version running on the device is started from Security
Manager, regardless of the device manager version installed on the device. For
example, if SDM 2.2 is installed on a router running Cisco IOS 12.3 release, when
you start the device manager for this router from Security Manager, SDM 2.3.2,
which is the most recent version of SDM that supports the current and earlier
Cisco IOS releases, is started. The version of device manager installed on the
device is not taken into consideration. Only the most recent version of device
manager is started for all devices.

Note

For more information on the minimum hardware requirements for the device
manager software, see the relevant device manager product documentation.
Table 21-1 lists the device manager version supported for the software version
running on the device when you start the device manager from Security Manager.
Table 21-1    Supported Device Manager Versions and Device OS Versions

Device Manager   Device Manager OS Version   Device OS Version
--------------   -------------------------   --------------------------------------
ASDM             5.0(1)F                     FWSM 3.1 [1]
                 5.2(2)                      ASA 7.2 [1]
                 5.1(2)                      ASA 7.1 [1], PIX 7.1
                 5.0(4)                      ASA 7.0 [1], PIX 7.0
PDM              4.1(3)                      FWSM 2.2, 2.3 [1]
                 3.0(4)                      PIX 6.3
                 2.1(1)                      PIX 6.2, FWSM 1.1 [1]
                 1.1(2)                      PIX 6.0, 6.1
IDM              5.1                         IPS 5.0(x), IPS 5.1(x)
                 6.0                         IPS 6.0(x)
SDM              2.3.4                       Most recent and previous releases of
                                             Cisco IOS software running on your
                                             Cisco router.

1. Device managers can be started for FWSM blades and ASA devices running in transparent mode
(Layer 2 firewall) or routed mode (Layer 3 firewall) and supporting single security context or
multiple security context.

Related Topics

Device Managers, page 21-2

Starting Device Managers, page 21-7

Device OS Version Interoperability with Device Managers, page 21-13

Device Connectivity Test


In Cisco Security Manager 3.0.1 and earlier, you cannot validate whether a device
that is added to the Security Manager inventory can be reached. Although Security
Manager validates the data you entered, it does not validate whether the data you
entered will allow you to contact the device. In release 3.1, you can verify whether
Security Manager can contact the device when you are adding the device. For
more information on the device connectivity test, see Working with Device
Connectivity Test, page 5-45.
Related Topics

Working with Device Connectivity Test, page 5-45

Performance Monitor (Status Provider)


Effective network management requires the fastest possible identification and
resolution of events that occur on mission-critical systems. As a result, the need
to monitor and troubleshoot the health and performance of enterprise network
security services has become essential. Security Manager 3.0.1 and earlier
enabled you to centrally administer security policies and device settings for either
small or large scale networks. However, any errors generated by deploying
configurations containing these policies to devices or while discovering policies
from devices were not easy to rectify. In some cases, a deployment or discovery
error could have been caused by device connectivity or network problems rather
than an incorrect policy configuration.
Security Manager 3.1 enables you to configure status providers that collect
information about the status of various events from external sources or status
providers, such as Performance Monitor, and from internal sources, such as
deployment. As a status provider, Performance Monitor collects the status of
events, such as VPN tunnel up/down status, device reachability, and CPU usage
threshold, and reports them to Security Manager. You can use the Inventory Status
window in the Security Manager GUI to view the events reported by status
providers. Performance Monitor is a browser-based tool that monitors and
troubleshoots the health and performance of services that contribute to network
security. It helps you to isolate, analyze, and troubleshoot events in your network
as they occur, so that you can increase service availability.

Performance Monitor, which is an external status provider, must be registered
with Security Manager and needs to be authenticated by Security Manager to send
status on events it is monitoring. Security Manager authenticates Performance
Monitor by comparing the username and password with the account information
stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database,
depending on which you established at installation as your AAA provider. After
the authentication of your credentials, Security Manager begins to receive the
status of events. Security Manager uses SSL to establish a secure communication
with Performance Monitor. You must add a device to both the Security Manager
inventory and Performance Monitor for its status to be collected and displayed by
the Security Manager client. If the device is deleted from Performance Monitor
but is still available in Security Manager, or if you excluded the device from being
polled by Performance Monitor, the health and performance of the device is not
displayed by Security Manager.
Related Topics

Understanding Performance Monitor as a Status Provider, page 21-16

Configuring Performance Monitor as a Status Provider, page 21-17

Understanding the Events to be Monitored, page 21-18

Understanding Performance Monitor as a Status Provider


Security Manager polls data from external status providers, such as Performance
Monitor, at an interval of five minutes by default. When a new external status
provider is added, Security Manager begins polling and displays events from that
provider. When a status provider is deleted from Security Manager, events from
that provider are not displayed and polling of that provider is stopped. When the
Security Manager server is restarted, the last event statuses that were obtained
from deployment and Performance Monitor are displayed until the next polling
cycle.
Security Manager overwrites the older events with the most recent events reported
by status providers. Most recent events refer to events that were reported most
recently by the providers for each event type. In other words, Security Manager
does not accumulate the events reported by status providers at different points in
time. As an example of two most recent events that will be persisted for Device1,
assume that Performance Monitor logs a DEVICE event type with critical
severity level, an INTERFACE event type with warning severity level at
12:00 noon, and no events of the same type have occurred since then until the time
you view the event statuses in the Inventory Status window. In this case, both
events would be displayed. As an example of one most recent event that will be
persisted for Device1, assume that Performance Monitor logs a DEVICE event
type with warning severity level at 1:00 p.m. and another DEVICE event type
with critical severity level at 2:00 p.m. When you view the Inventory Status
window at, say, 2:00 p.m., only the event that occurred at 2:00 p.m. is
retained and displayed.
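The retention rule described above, as an added example that is not part of this guide or of the Security Manager product: a small Python model that keeps only the latest event per device and event type, replays the two Device1 cases from the text, and also drops a stale report that arrives out of order. The provider name, device name and timestamps are constructed sample values, and the stale-report handling is this example's own choice rather than a behaviour the guide specifies.

```python
"""Added example (not Cisco code): most-recent-event retention per device and event type."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class StatusEvent:
    """One event report from a status provider (sample structure, not the product's)."""
    provider: str      # status provider that reported it, e.g. a Performance Monitor
    device: str        # device name as known in the Security Manager inventory
    event_type: str    # e.g. "DEVICE", "INTERFACE"
    severity: str      # e.g. "critical", "warning", "normal"
    timestamp: datetime


class InventoryStatus:
    """Keeps only the most recent event per (provider, device, event type)."""

    def __init__(self):
        self._latest = {}

    def record(self, event):
        key = (event.provider, event.device, event.event_type)
        current = self._latest.get(key)
        # Overwrite only with a report that is at least as recent. A stale report
        # that arrives out of order (for example, replayed after a network outage)
        # must not replace a newer status. This ordering check is an assumption
        # of the example, not something the guide states.
        if current is None or event.timestamp >= current.timestamp:
            self._latest[key] = event

    def remove_provider(self, provider):
        """Deleting a status provider drops its events from the display."""
        self._latest = {k: v for k, v in self._latest.items() if k[0] != provider}

    def events_for(self, device):
        """Events currently shown for a device, ordered by provider and event type."""
        return sorted(
            (e for e in self._latest.values() if e.device == device),
            key=lambda e: (e.provider, e.event_type),
        )


PM = "PerfMon-1"  # constructed provider name


def scenario_two_event_types():
    """Guide's first case: DEVICE and INTERFACE events at noon are both retained."""
    store = InventoryStatus()
    noon = datetime(2007, 6, 1, 12, 0)  # constructed timestamp
    store.record(StatusEvent(PM, "Device1", "DEVICE", "critical", noon))
    store.record(StatusEvent(PM, "Device1", "INTERFACE", "warning", noon))
    return [(e.event_type, e.severity) for e in store.events_for("Device1")]


def scenario_same_event_type():
    """Guide's second case: the 2:00 p.m. DEVICE event replaces the 1:00 p.m. one."""
    store = InventoryStatus()
    store.record(StatusEvent(PM, "Device1", "DEVICE", "warning", datetime(2007, 6, 1, 13, 0)))
    store.record(StatusEvent(PM, "Device1", "DEVICE", "critical", datetime(2007, 6, 1, 14, 0)))
    return [(e.event_type, e.severity, e.timestamp.hour) for e in store.events_for("Device1")]


def scenario_stale_report():
    """Edge case: a 1:00 p.m. report arriving after the 2:00 p.m. one is ignored."""
    store = InventoryStatus()
    store.record(StatusEvent(PM, "Device1", "DEVICE", "critical", datetime(2007, 6, 1, 14, 0)))
    store.record(StatusEvent(PM, "Device1", "DEVICE", "warning", datetime(2007, 6, 1, 13, 0)))
    return [(e.severity, e.timestamp.hour) for e in store.events_for("Device1")]


def scenario_provider_deleted():
    """Deleting the provider leaves nothing to display for the device."""
    store = InventoryStatus()
    store.record(StatusEvent(PM, "Device1", "DEVICE", "critical", datetime(2007, 6, 1, 14, 0)))
    store.remove_provider(PM)
    return store.events_for("Device1")


if __name__ == "__main__":
    print(scenario_two_event_types())   # [('DEVICE', 'critical'), ('INTERFACE', 'warning')]
    print(scenario_same_event_type())   # [('DEVICE', 'critical', 14)]
```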
Whenever Cisco Security Manager Daemon Manager is started or restarted, or the
connection is restored with Performance Monitor after a network outage, Security
Manager sends a list of devices, whose status needs to be monitored, to
Performance Monitor. Security Manager also notifies Performance Monitor when
a new device is added to the inventory or an existing device is deleted from the
inventory. Security Manager also polls Performance Monitor for incremental
changes in status at other times.
Related Topics

Performance Monitor (Status Provider), page 21-15

Configuring Performance Monitor as a Status Provider, page 21-17

Understanding the Events to be Monitored, page 21-18

Supported Services and Platforms for Monitoring and Reports, page 21-25

Supported Event Types for Each Service Type, page 21-27

Working with Event Thresholds, page 21-28

Configuring Performance Monitor as a Status Provider


The Status Provider page enables you to select the status providers that you want
to send information to the Security Manager server. Depending on the status
providers you choose, Security Manager polls the appropriate sources and
modifies the display of events in the Inventory Status window.
You can add more than one Performance Monitor as a status provider and view
status messages from all of them at the same time. Additionally, you can configure
the same status provider to send event details to multiple Security Manager
servers. You can also view information from the same Performance Monitor on
multiple Security Manager clients.

For more information on how to configure Performance Monitor as a status
provider to send event details to Security Manager, see Working with Status
Providers, page 2-94.
Related Topics

Understanding Performance Monitor as a Status Provider, page 21-16

Configuring Performance Monitor as a Status Provider, page 21-17

Understanding the Events to be Monitored, page 21-18

Supported Services and Platforms for Monitoring and Reports, page 21-25

Supported Event Types for Each Service Type, page 21-27

Working with Event Thresholds, page 21-28

Understanding the Events to be Monitored


From the Inventory Status window, select a device in the upper pane and click the
Status tab in the lower pane to view the list of Performance Monitors configured
as status providers. You can click the arrow to expand or collapse the events
reported by each status provider. Similarly, you can expand and collapse the event
details by clicking the arrow next to the event name. The status of each event
(whether it is normal or an abnormal condition has occurred) is displayed next to
the event name. Table 21-2 describes the fields displayed for each event.
Table 21-2    Event Status Elements

Element                Description
--------------------   -------------------------------------------------------
Timestamp              Displays the most recent time at which Security Manager
                       polling recorded the problem.
Description            Displays a description of the problem condition.
Recommended Action     Information about how the warning, error, or failure
                       might be corrected.

Performance Monitor collects the status of events, such as VPN tunnel up/down
status, device reachability, and CPU usage threshold, and reports them to Security
Manager. An event is a notification that a managed device or component has an
abnormal condition. Multiple events can occur simultaneously on a single
monitored device or service module. Using Performance Monitor, you can
configure a threshold for an event or use the default threshold. For more
information on how to configure and enable thresholds to generate performance
or failure events of any priority, see Working with Event Thresholds, page 21-28.
The events in which a monitored component or service exceeded acceptable
thresholds are displayed. Supported service types are remote-access VPN,
site-to-site VPN, firewall, web server load-balancing, and proxied SSL. For more
information on the service types supported for different device platforms, see
Supported Services and Platforms for Monitoring and Reports, page 21-25. The
following sections describe the events whose statuses are reported by
Performance Monitor to Security Manager:

Device Reachability, page 21-19

VPN Tunnel Status, page 21-22

CPU Usage Threshold, page 21-23

Device Reachability
You must add a device to both the Security Manager inventory and Performance
Monitor for its status to be recorded in the Inventory Status window. Security
Manager does not display events from devices that are added only to Performance
Monitor. The device that you want to monitor must be a device type supported by
both Security Manager 3.1 and Performance Monitor 3.1. Using Performance
Monitor, you cannot add, import, or validate any unsupported device type, any
device when the MCP process has stopped, any device that uses a dynamic IP
address or lacks configured SNMP values, and a VPN 3000 Series concentrator,
unless you specify the correct SNMP and XML credentials, HTTPS is enabled,
and the VPN 3000 Concentrator Series Manager is running.
You must set up devices by configuring the bootstrap settings on them so that
Performance Monitor can validate, poll, and monitor them. Performance Monitor
enables you to import or manually enter the IP addresses, hostnames, and
read-only community strings for supported devices in your network. You can
import device attributes from a comma-separated value (CSV) file or from the
Device Credentials Repository (DCR) on a Common Services-based server, or you
can add device attributes manually. You can also create device groups to interact
with multiple devices in a single operation. A device group is a named entity that
can contain devices, other groups, or a combination of devices and groups.

After adding a device to Performance Monitor, you can validate a device of any
kind to confirm that it exists and is reachable, has the required features and
interfaces enabled, has the correct credentials, uses a static (non-dynamic) IP
address, and has configured SNMP values. During device validation, Performance
Monitor sets all validated devices to a managed state by default, meaning that
polling is enabled. If you choose to move a device to an unmanaged state, you
must move it back to the managed state manually before you can monitor its
health or performance. By default, device validation occurs once every day, at
midnight. It also occurs at other times and intervals that you specify. You can
perform an immediate, one-time validation at any time. For more information on
how to add, validate, and manage devices, see User Guide for Cisco Performance
Monitor 3.1.
In Performance Monitor, a device is either a physical node in the network or it is
a virtual node that is defined by a physical node. In either case, a device must have
an IP address. For example, you can use multicontext mode to partition a single
firewall into multiple virtual devices, known as security contexts. You can add and
manage contexts in the system configuration. The system configuration identifies
basic firewall settings, but does not include any network interfaces or network
settings for itself; rather, it uses a context that is designated as the admin context.
The admin context is just like any other security context, except that a user who
logs in to the admin context has administrative rights over the system and all of
the other contexts. In Performance Monitor, you import only the admin context
from a device when you want to monitor every configured context on a physical
device. Similarly, when you delete an admin context in Performance Monitor, you
simultaneously delete the record that Performance Monitor maintains for every
context on the relevant physical device.
Performance Monitor reports information about only those validated devices for
which monitoring is enabled. Performance Monitor enables monitoring after a
successful device validation; thus, it polls the device in subsequent polling cycles.
If you decide to exclude a device from polling, you can disable monitoring for it.
Later, at your discretion, you can reenable monitoring manually.
Table 21-3 describes the different management protocols that Performance
Monitor uses to test device connectivity, depending on the device platform.

Table 21-3    Management Protocols Supported for Device Platforms

Device Platform                                 Management Protocols
---------------------------------------------   ---------------------------------------------
Cisco IOS VPN Routers                           SNMP, HTTPS for some of the show commands,
                                                and VPN-related SNMP traps.
Adaptive Security Appliances 5500 Series        SNMP and HTTPS for some of the show
                                                commands and some syslogs.
Catalyst 6500 Series Switches with              SNMP and content-switching module-related
Content-switching Services Modules              SNMP traps.
Catalyst 6500 Series Switches with Firewall     SNMP and HTTPS for some of the show
Services Modules                                commands and some syslogs.
Catalyst 6500 Series Switches with SSL          SSH for show commands.
Services Modules
Catalyst 6500 Series Switches with VPNSMs       SNMP, HTTPS for some of the show commands,
                                                and VPN-related SNMP traps.
PIX Security Appliances (known commonly as      SNMP, HTTPS for some of the show commands
PIX Firewalls)                                  and some syslogs.
VPN 3000 Concentrator Series                    SNMP, HTTPS, XML interface (if the device is
                                                in a cluster), syslogs, and SNMP traps.

After you update the list of devices to be monitored, Performance Monitor polls
reachable devices for their current status to compare device status information to
performance and failure thresholds, generate performance and failure events, send
event notifications, when appropriate, and update the values in tables and graphs.
Security Manager obtains and displays a snapshot of the most recent device
reachability status in the Inventory Status window during the next polling cycle.
For a categorization of the device reachability, VPN tunnel status, and CPU usage
event types by service type, see Table 21-6.

Related Topics

Understanding the Events to be Monitored, page 21-18

Supported Services and Platforms for Monitoring and Reports, page 21-25

Supported Event Types for Each Service Type, page 21-27

Working with Event Thresholds, page 21-28

VPN Tunnel Status, page 21-22

CPU Usage Threshold, page 21-23

VPN Tunnel Status


Performance Monitor enables you to determine whether a VPN Tunnel is up or
down. Whenever a VPN Tunnel is not functioning, an event is logged in the Event
Browser window in the Performance Monitor GUI. A tunnel is considered
down when an IPsec security association (SA) is not present. Performance
Monitor tracks the IPsec SAs and displays the event status. Internet Key Exchange
(IKE) is the facilitator and manager of IPsec-based communications. It is a hybrid
protocol used to authenticate IPsec peers, negotiate and distribute encryption
keys, and automatically establish IPsec security associations (SAs). The IKE
protocol lets two hosts agree on how to build an IPsec SA. Each IKE negotiation
is divided into a Phase 1 and Phase 2. Phase 1 creates the first tunnel, which
protects IKE negotiation messages. Phase 2 creates the tunnel that protects data.
With IKE keepalive, tunnel peers exchange messages that demonstrate they are
available to send and receive data in the tunnel. Keepalive messages transmit at
set intervals, and any disruption in that interval results in the creation of a new
tunnel, using a backup device. Devices that rely on IKE keepalive for resiliency
transmit their keepalive messages regardless of whether they are exchanging
other information. These keepalive messages can therefore create a small but
additional demand on your network.
Both IPsec SAs and IKE SAs can have timeout values. The absence of these SAs
does not necessarily indicate a problem with the IPsec tunnel. But in the majority
of site-to-site VPNs, both IPsec SAs and IKE SAs need to be present for all the
interesting traffic.
You must define parameters for each of the available authentication methods so
that IKE and IPsec can use your IKE policies successfully. For preshared key, you
can either enter a key manually, or have Security Manager automatically generate
a key for each hub-spoke communication session. When using preshared keys for
authentication, you can use main mode or aggressive mode for negotiating key
information and setting up IKE SAs. Security Manager mirrors the spoke's
preshared key and configures it on its assigned hub, so that the key on the spoke
and hub are the same.
With IPsec, crypto ACLs define what traffic should be protected between two
IPsec peers. Traffic might be selected based on source and destination address.
The crypto ACLs used for IPsec are used only to determine which traffic should
be protected by IPsec, not which traffic should be blocked or permitted through
the interface. ACLs are applied to interfaces by way of crypto map sets. Each
tunnel policy you create with Security Manager is translated into a crypto map
entry that includes an ACL. A crypto map set can contain multiple entries, each
with a different ACL. The crypto map entries are searched in order and the router
tries to match the packet to the ACL specified in each entry.
When the VPN device encounters packets that are to be encrypted, it uses the symmetric keys derived during IKE SA establishment to encrypt the data. As in GRE and standard IPsec VPNs, the interesting traffic is specified by a crypto ACL; in DMVPNs, the crypto ACL is derived automatically. The pair of SAs used for data encryption are the IPsec SAs.
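As an added illustration (not Security Manager output or Cisco code), the following Python walks a crypto map set the way the preceding paragraphs describe: entries are tried in sequence-number order, the first entry whose crypto ACL permits the flow selects the IPsec peer, and a flow that no entry permits is forwarded in the clear rather than dropped, because a crypto ACL selects traffic for protection and never filters it. The addresses, sequence numbers and peer names are constructed; the second map shows how an over-broad permit in a lower-numbered entry shadows a later entry, which is the ordering mistake a practitioner should check for when a spoke's traffic goes to the wrong peer.

```python
"""Ordered crypto-map lookup driven by crypto ACLs (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Ace:
    """One crypto ACL entry. 'permit' selects traffic for IPsec; 'deny'
    exempts it (the packet is still forwarded, just unprotected)."""
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR form
    dst: str      # destination prefix in CIDR form


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                  # crypto map sequence number; lower is tried first
    peer: str                 # remote IPsec peer address
    acl: Tuple[Ace, ...]      # the crypto ACL bound to this entry


def ace_matches(ace: Ace, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(ace.src)
            and ip_address(dst) in ip_network(ace.dst))


def acl_verdict(acl: Sequence[Ace], src: str, dst: str) -> Optional[str]:
    """First matching ACE wins; None is the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace.action
    return None


def lookup(crypto_map: Sequence[CryptoMapEntry], src: str, dst: str
           ) -> Optional[CryptoMapEntry]:
    """Search entries in sequence order; the first entry whose ACL permits
    the flow owns it. A deny (or no match) in one entry just moves on."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_verdict(entry.acl, src, dst) == "permit":
            return entry
    return None


def classify(crypto_map: Sequence[CryptoMapEntry], src: str, dst: str) -> str:
    """'protect via <peer>' when IPsec applies, otherwise 'clear'. A crypto
    ACL never drops traffic; blocking is the interface ACL's job."""
    entry = lookup(crypto_map, src, dst)
    return f"protect via {entry.peer}" if entry else "clear"


# Constructed hub crypto map: spoke A owns 10.2.0.0/16, spoke B owns 10.3.0.0/16.
HUB_MAP = (
    CryptoMapEntry(10, "203.0.113.10", (
        Ace("deny", "10.1.0.0/16", "10.1.0.0/16"),   # keep hub-local traffic clear
        Ace("permit", "10.1.0.0/16", "10.2.0.0/16"),
    )),
    CryptoMapEntry(20, "203.0.113.20", (
        Ace("permit", "10.1.0.0/16", "10.3.0.0/16"),
    )),
)

# Same peers, but entry 10 now permits all of 10.0.0.0/8: it shadows entry 20,
# so traffic for spoke B is sent down spoke A's SA and never reaches B.
SHADOWED_MAP = (
    CryptoMapEntry(10, "203.0.113.10", (Ace("permit", "10.1.0.0/16", "10.0.0.0/8"),)),
    CryptoMapEntry(20, "203.0.113.20", (Ace("permit", "10.1.0.0/16", "10.3.0.0/16"),)),
)


def shadowed_entries(crypto_map: Sequence[CryptoMapEntry]) -> list:
    """Sequence numbers of entries whose every permit ACE is already claimed by
    a lower-numbered entry. Heuristic: each ACE is probed at its network
    addresses only, which is enough to expose a broader earlier permit."""
    result = []
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    for i, entry in enumerate(ordered):
        permits = [a for a in entry.acl if a.action == "permit"]
        if permits and all(
            lookup(ordered[:i], str(ip_network(a.src)[0]), str(ip_network(a.dst)[0])) is not None
            for a in permits
        ):
            result.append(entry.seq)
    return result


if __name__ == "__main__":
    for flow in (("10.1.1.1", "10.2.0.7"), ("10.1.1.1", "10.1.2.2"),
                 ("10.1.1.1", "10.3.0.5"), ("10.1.1.1", "192.0.2.9")):
        print(flow, "->", classify(HUB_MAP, *flow))
    print("shadowed in SHADOWED_MAP:", shadowed_entries(SHADOWED_MAP))
```

Run it and the hub-local flow 10.1.1.1 to 10.1.2.2 comes back as clear even though it matched an ACE: a deny in a crypto ACL means "do not protect", not "drop". If you need that traffic blocked, it belongs in the interface ACL, not the crypto map.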
Based on the threshold you configure for the site-to-site VPN tunnel status event type, Security Manager polls Performance Monitor at the preconfigured interval and displays the status in the Inventory Status window. For a categorization of the device reachability, VPN tunnel status, and CPU usage event types by service type, see Table 21-5.
Related Topics
• Understanding the Events to be Monitored, page 21-18
• Supported Services and Platforms for Monitoring and Reports, page 21-25
• Supported Event Types for Each Service Type, page 21-27
• Working with Event Thresholds, page 21-28
• Device Reachability, page 21-19
• CPU Usage Threshold, page 21-23

CPU Usage Threshold


Performance Monitor enables you to track and analyze system CPU utilization. High CPU utilization is commonly caused by a security issue, such as a worm or virus operating in your network, and this is especially likely to be the cause when there have been no recent changes to the network. Usually a configuration change, such as adding lines to your access lists, can mitigate the effects of this problem. Although debugging can also be of great help in troubleshooting high CPU utilization in processes, it should be carried out with extreme caution because it can raise the CPU utilization even further.

Cisco software-based routers use software to process and route packets, so CPU utilization on a Cisco router tends to increase as the router performs more packet processing and routing. Catalyst 6500/6000 switches do not use the CPU in the same way: they make forwarding decisions in hardware, not in software, so the forwarding or switching decision for most frames that pass through the switch does not involve the supervisor engine CPU.

Throttles are a good indication of an overloaded router. They show the number of times the receiver on the port has been disabled, possibly because of buffer or processor overload. Together with high CPU utilization at interrupt level, throttles indicate that the router is overloaded with traffic. Unusual activity related to a process can also load the CPU and result in an error message in the log, so check the output of the show logging EXEC command first for any errors related to the process that consumes the most CPU cycles. Typical process-level causes are:
• TCP Timer: when this process uses a lot of CPU resources, there are too many TCP connection endpoints. This can happen in data-link switching (DLSw) environments with many peers, or in other environments where many TCP sessions are open on the router at the same time.
• ARP Input: high CPU utilization in this process occurs if the router has to originate an excessive number of ARP requests.
• VLAN merging: high CPU utilization can result from two or more VLANs merging because of improper cabling, and also when STP is disabled on the ports where the VLAN merge happens.
• Exec and Virtual Exec: the Exec process in Cisco IOS Software is responsible for communication on the TTY lines (console, auxiliary, asynchronous) of the router, and the Virtual Exec process is responsible for the VTY lines (Telnet sessions). Both are medium-priority processes, so any processes with a higher priority (High or Critical) get the CPU first. If a lot of data is transferred through these sessions, CPU utilization for the Exec process increases.

High CPU utilization at interrupt level is caused primarily by packets handled at interrupt level. Interrupts are also generated whenever a character is output from the console or auxiliary ports of a router. Because Universal Asynchronous Receiver/Transmitters (UARTs) are slow compared to the processing speed of the router, it is unlikely, though possible, that console or auxiliary interrupts cause high CPU utilization on the router (unless the router has a large number of TTY lines in use).
Based on the threshold you configure for the CPU usage event type associated with a particular service, Security Manager polls Performance Monitor at the preconfigured interval and displays the status in the Inventory Status window. For a categorization of the device reachability, VPN tunnel status, and CPU usage event types by service type, see Table 21-5.
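The interrupt-level versus process-level split described above is the first thing to read off the router itself when Performance Monitor reports a CPU usage alarm. The following added example, which is not part of the original guide or of Security Manager, parses a constructed capture laid out like IOS show processes cpu output (the sample values are invented) and maps the busiest processes to the causes the text lists. The HINTS table and the 50% and 5% floors are assumptions of the example, not product defaults.

```python
"""Interrupt-level vs process-level CPU breakdown from a constructed
'show processes cpu' capture (added example, not Security Manager code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample, laid out like IOS 'show processes cpu' output.
# The first number is total CPU, the number after '/' is interrupt-level CPU.
SAMPLE = """\
CPU utilization for five seconds: 93%/71%; one minute: 88%; five minutes: 80%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1         412      1820    226  0.00%  0.01%  0.00%   0 Chunk Manager
  14       50960    149004    342 12.35% 11.02%  9.80%   0 ARP Input
  47       31200     88031    354  7.10%  6.50%  6.12%   0 TCP Timer
  92        8100     33020    245  1.90%  1.70%  1.50%   2 Virtual Exec
"""

HEADER_RE = re.compile(
    r"five seconds: (?P<total>\d+)%/(?P<intr>\d+)%; "
    r"one minute: (?P<min1>\d+)%; five minutes: (?P<min5>\d+)%")
PROC_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+\d+\s+\d+\s+\d+\s+(?P<five>[\d.]+)%\s+"
    r"[\d.]+%\s+[\d.]+%\s+\d+\s+(?P<name>\S.*?)\s*$")

# Process-level causes named in the text, keyed by IOS process name
# (assumed mapping for this example).
HINTS = {
    "ARP Input": "router originating an excessive number of ARP requests",
    "TCP Timer": "too many TCP connection endpoints (e.g. many DLSw peers)",
    "Virtual Exec": "heavy data transfer over VTY (Telnet) sessions",
    "Exec": "heavy data transfer over console/aux/async TTY lines",
}


def parse(text: str) -> Tuple[Dict[str, int], List[Tuple[str, float]]]:
    """Return the utilization header as ints and (process, 5-second %) rows."""
    header: Dict[str, int] = {}
    procs: List[Tuple[str, float]] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = {k: int(v) for k, v in m.groupdict().items()}
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append((m.group("name"), float(m.group("five"))))
    if not header:
        raise ValueError("no 'CPU utilization' header line found")
    return header, procs


def breakdown(text: str) -> dict:
    """Split total CPU into interrupt-level and process-level shares."""
    header, procs = parse(text)
    total, intr = header["total"], header["intr"]
    return {
        "total": total,
        "interrupt": intr,
        "process": total - intr,
        "top": sorted(procs, key=lambda p: p[1], reverse=True)[:3],
    }


def diagnose(text: str, interrupt_floor: int = 50,
             process_floor: float = 5.0) -> List[str]:
    """Findings in the order a troubleshooter checks them: interrupt-level
    load first (packet switching, look for throttles), then named processes.
    The floors are assumptions for this example, not product defaults."""
    b = breakdown(text)
    findings = []
    if b["interrupt"] >= interrupt_floor:
        findings.append(f"interrupt-level {b['interrupt']}%: traffic overload, "
                        "check interfaces for throttles")
    for name, pct in b["top"]:
        if pct >= process_floor:
            findings.append(f"{name} {pct}%: "
                            + HINTS.get(name, "check show logging for errors from this process"))
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print(line)
```

On the constructed sample the interrupt-level share (71 of 93 percent) dominates, so the router is switching more traffic than it can handle and throttles on the interfaces are the next thing to check; the process rows only explain the remaining 22 percent.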
Related Topics
• Understanding the Events to be Monitored, page 21-18
• Supported Services and Platforms for Monitoring and Reports, page 21-25
• Supported Event Types for Each Service Type, page 21-27
• Working with Event Thresholds, page 21-28
• Device Reachability, page 21-19
• VPN Tunnel Status, page 21-22

Supported Services and Platforms for Monitoring and Reports


See Table 21-4 to understand which services this Performance Monitor release
can monitor, and can issue reports for, on each supported Cisco platform.
Table 21-4 Supported Services and Platforms for Monitoring

Monitored service types (columns; see notes 3 and 4): Firewall; Multicontext Firewall; VPN (Site-to-Site, Remote Access, Easy VPN, DMVPN, SSL); Load Balancing; Other.

Platforms (rows; see notes 1 and 2):
• Adaptive Security Appliances 5500 Series
• Catalyst 6500 Series Switches: Content-Switching Services Modules, Firewall Services Modules, SSL Services Modules, VPNSMs, VPN SPAs
• Cisco IOS VPN Routers
• Cisco Integrated Services Routers
• Cisco 7300 Series Routers
• PIX Security Appliances (known commonly as PIX Firewalls)
• VPN 3000 Concentrator Series

The per-cell support marks of the original table are not reproduced here; notes 2 through 4 below state the version-specific support that applies.

1. Cisco no longer sells VPNSM for Catalyst 6500 Series switches. We encourage you to migrate to VPN SPA, which supports DES and 3DES, as well as 128-, 192-, and 256-bit AES keys. See: http://www.cisco.com/en/US/products/ps6917/index.html.
2. Supported services that vary for specific software or device versions:
• PIX OS 7.0 and later support Easy VPN services, but not RAS clustering for Easy VPNs.
• PIX OS 7.0 and later support Easy VPN, RAS VPN, site-to-site VPN, and virtual (multicontext) firewall services.
• PIX OS 7.0 and later support RAS VPN and site-to-site VPN services in routed single context mode only.
• FWSM versions 2.2 and later support virtual (multicontext) firewall services.
• FWSM versions 3.1 and later support RAS VPN and site-to-site VPN services in routed single context mode only.
• Cisco ASA Software Version 7.0 and later support Easy VPN, RAS VPN, site-to-site VPN, and virtual (multicontext) firewall services.
3. Performance Monitor neither monitors nor offers reports for the load balancing of Cisco VPN 3000 concentrators or supported ASA appliances that you organize in virtual clusters. The Load Balancing column in this table refers exclusively to the web server load balancing services associated with supported content switching services modules in Catalyst 6500 series switches.
4. In this table:
• NA describes a service that the specified platform does not provide.
• An em-dash describes a service that Performance Monitor does not monitor on the specified platform.

Related Topics
• Understanding the Events to be Monitored, page 21-18
• Supported Event Types for Each Service Type, page 21-27
• Working with Event Thresholds, page 21-28
• Configuring Performance Monitor as a Status Provider, page 21-17

Supported Event Types for Each Service Type


To configure the threshold for device reachability, VPN tunnel status, or CPU
usage event types, depending on the platform type, you need to enable the event
type supported by a particular service. Configuring an event type under one of the
services enables the threshold for that event type under all applicable services.
Table 21-5 describes only the events that affect the relevant service.
Table 21-5 Event Types Supported for Service Types

Monitored Service: Supported Event Types
• Firewall: CPU Usage; Device Accessible via Https; Device Accessible via Snmp
• Remote Access VPN: CPU Usage; Device Accessible via Snmp
• SSL: CPU Usage; Device Accessible via Https
• Site-to-Site VPN: CPU Usage; Device Accessible via Https; Device Accessible via Snmp; Tunnel Status
Related Topics
• Understanding the Events to be Monitored, page 21-18
• Supported Event Types for Each Service Type, page 21-27
• Working with Event Thresholds, page 21-28
• Configuring Performance Monitor as a Status Provider, page 21-17

Working with Event Thresholds


While Tunnel Status is a failure metric, CPU Usage and Device Accessible via Https or Device Accessible via Snmp are performance metrics. When you create a threshold, you:
• Define the boundaries of operational states (such as OK, Degraded, and Overloaded) for a performance metric or failure metric in a specific service.
• Specify the number of consecutive polling cycles during which an operational state must recur before records are updated.
• Associate a priority level with each possible operational state for a specific metric (for GUI display and user notification purposes).
Although the thresholds that you define use different services, metrics, and states, every threshold definition follows the same basic workflow.

Tip

When conditions exceed or fall below the thresholds that you define,
Performance Monitor records an alarm that you can display and interpret in the
relevant Event Browser.
This procedure describes how to configure thresholds for the event types.
Procedure

Step 1

Select Admin > Events.

Step 2

Select a service from the TOC.

Step 3

Scan the entries in the Events list until you locate the performance metric or
failure metric for which you plan to configure thresholds, then select the radio
button in the relevant row.

Step 4

Click Threshold.

Tip

You can also configure thresholds for an event if you select Admin >
Notifications, then select an event and click Threshold.

A Threshold Configuration page appears. Table 21-6 describes the elements in this page.

Step 5

If you select a failure metric, two opposite State Name values (such as Up and Down) appear in the Threshold Configuration page, or one extreme state value (such as OK) precedes multiple intermediate state values. If you select a performance metric, a range of State Name values (such as OK, Medium, and High) appears in the Threshold Configuration page; each value is associated with an upper and lower percentage in a range.
Select the Enable check box. You must select the Enable check box, or you cannot define values in a Threshold Configuration page.

Step 6

Do one of the following:
• If you see two opposite values (such as the benign Up and the problematic Down) in the State Name area, specify the event priority level for the problematic state, the number of polling cycle failures that trigger the event associated with the problematic state, and the number of successes that clear it.
• If you see a range of three values in the State Name area, specify the upper and lower threshold percentages, polling cycle repetitions, and priority levels for each of the three values in the range.

Note
When you configure thresholds for a performance metric, the lower threshold percentage for a benign state is always zero (0%), and the priority is always OK. The upper threshold percentage for a problematic state is always 100%. You cannot change these values.

Step 7
Do one of the following:
• To discard your selections and return to the Events page, click Cancel.
• To save and implement your selections, click Apply.
• To reset all values to their default settings and remain in the Threshold Configuration page, click Default.

Table 21-6 Threshold Configuration Page Elements

Common GUI Elements for All Thresholds
• Enable check box: Enables you to enable or disable the modification and implementation of threshold values.
• State Name column: Displays two opposite states for a failure metric and a range of states for a performance metric.
• Repetitions Before State Change column: Enables you to specify the number of consecutive polling cycles during which the relevant state must recur before Performance Monitor registers that the state has changed.
• Event Priority column: Enables you to associate the relevant state with a priority level between P1 (the most severe) and P5 (the least severe).
• Cancel button: Enables you to discard your changes and return to the Events page.
• Apply button: Enables you to save and implement your threshold definitions for the current metric.
• Default button: Enables you to reset all values to their default settings and remain in the Threshold Configuration page.

GUI Elements for Performance Thresholds Only
• Lower Threshold column: Enables you to select the percentage that defines the lower boundary of a state. For example, you could select 10% as the lower threshold boundary for the intermediate state. (Your selection would, in such a case, be applied automatically as the upper threshold percentage for the benign state.)
• Upper Threshold column: Displays a value that is equal to your definition of the lower threshold for the adjacent state, or displays 100% as the upper threshold for the problematic state.
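To make the Repetitions Before State Change and Lower/Upper Threshold semantics above concrete, here is an added example (not Security Manager or Performance Monitor code) that evaluates a stream of polled percentages the way the page describes: a state change is registered only after the new state recurs for its configured number of consecutive polls, an intervening poll in a different state restarts the count, the benign state is pinned at 0% with priority OK, and the problematic state is pinned at 100%. The 10% and 80% boundaries, repetition counts, priority labels and poll values are constructed for illustration, and the failure-metric variant encodes a successful poll as 0 and a failed poll as 100, which is an assumption of the example rather than the product's representation.

```python
"""Threshold evaluation with 'Repetitions Before State Change' (added
example following the Threshold Configuration page semantics)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class State:
    name: str
    lower: int        # lower percentage, inclusive
    upper: int        # upper percentage, exclusive (100 is inclusive)
    repetitions: int  # consecutive polls before the change is registered
    priority: str     # "OK" or P1 (most severe) .. P5 (least severe)


def build_performance_states(lower_medium: int, lower_high: int,
                             reps: Sequence[int], priorities: Sequence[str]):
    """Three-state performance metric. The benign state always starts at 0%
    with priority OK, the problematic state always ends at 100%, and each
    upper bound equals the next state's lower bound, as the page enforces."""
    if not 0 < lower_medium < lower_high < 100:
        raise ValueError("thresholds must satisfy 0 < medium < high < 100")
    return (State("OK", 0, lower_medium, reps[0], "OK"),
            State("Medium", lower_medium, lower_high, reps[1], priorities[0]),
            State("High", lower_high, 100, reps[2], priorities[1]))


def build_failure_states(failures_to_trigger: int, successes_to_clear: int,
                         priority: str):
    """Two-state failure metric such as Tunnel Status. This example encodes a
    successful poll as 0 and a failed poll as 100 (an assumption, not the
    product's internal representation)."""
    return (State("Up", 0, 1, successes_to_clear, "OK"),
            State("Down", 1, 100, failures_to_trigger, priority))


def state_for(states: Sequence[State], pct: int) -> State:
    for s in states:
        if s.lower <= pct < s.upper or (pct == 100 and s.upper == 100):
            return s
    raise ValueError(f"{pct}% is outside every state range")


class ThresholdMonitor:
    """Registers a state change only after the observed state recurs for
    that state's configured number of consecutive polling cycles."""

    def __init__(self, states: Sequence[State], initial: str):
        self.states = states
        self.current = next(s for s in states if s.name == initial)
        self._candidate: Optional[State] = None
        self._streak = 0
        self.alarms: List[Tuple[int, str, str]] = []   # (cycle, state, priority)

    def poll(self, cycle: int, pct: int) -> str:
        observed = state_for(self.states, pct)
        if observed is self.current:            # back in the registered state
            self._candidate, self._streak = None, 0
            return self.current.name
        if observed is self._candidate:
            self._streak += 1
        else:                                   # a different state restarts the count
            self._candidate, self._streak = observed, 1
        if self._streak >= observed.repetitions:
            self.current = observed
            self._candidate, self._streak = None, 0
            self.alarms.append((cycle, observed.name, observed.priority))
        return self.current.name


def run(states: Sequence[State], initial: str, samples: Sequence[int]):
    """Feed a poll sequence through a monitor; return the per-cycle registered
    state and the alarms raised (what the Event Browser would show)."""
    mon = ThresholdMonitor(states, initial)
    trace = [mon.poll(i, pct) for i, pct in enumerate(samples, 1)]
    return trace, mon.alarms


# Constructed configuration and poll values for illustration.
CPU_STATES = build_performance_states(10, 80, reps=(1, 2, 3), priorities=("P3", "P1"))
TUNNEL_STATES = build_failure_states(failures_to_trigger=3, successes_to_clear=2, priority="P1")

if __name__ == "__main__":
    print(run(CPU_STATES, "OK", [5, 85, 85, 12, 90, 90, 90, 3]))
    print(run(TUNNEL_STATES, "Up", [100, 100, 0, 100, 100, 100, 0, 0]))
```

In the CPU run, two polls at 85% followed by one at 12% never raise an alarm, because the High streak is broken before it reaches three repetitions; only the later run of three 90% polls moves the device to High. That is the trade-off the repetition count controls: a larger value suppresses flapping, a smaller one reports a sustained problem sooner.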
Related Topics
• Supported Services and Platforms for Monitoring and Reports, page 21-25
• Supported Event Types for Each Service Type, page 21-27
• Understanding the Events to be Monitored, page 21-18
• Configuring Performance Monitor as a Status Provider, page 21-17

IPS Event Viewer


The Cisco IPS Event Viewer (IEV) offers a free monitoring solution for small-scale IPS deployments. IEV monitors individual IPS devices, is easy to set up and use, and provides the following capabilities:
• Support for Cisco IPS version 6 (IPSv6) sensors through SDEE compatibility
• Customized reporting
• Configurable notification actions such as email and paging
• Visibility into applied response actions, virtual sensor ID, learned destination (DST) OS, and threat rating

IEV is a Java-based application that lets you view and manage alerts for up to five sensors. With IEV, you can connect to sensors and view alerts in real time or in imported log files. You can configure filters and views to help you manage the alerts, and import and export event data for further analysis. IEV reports the top alerts, attackers, and victims over a specified number of hours or days. IEV also provides access to MySDN for signature descriptions. See the Cisco IPS Event Viewer Version 5.2 documentation for more information.


You can start IEV from Security Manager as a client-server application. IEV
server is installed when you install the Security Manager server. When you start
IEV on a Security Manager client, the IEV client files are obtained from the
Security Manager server and copied to the folder where the Security Manager
client was installed on your client system. The IEV client files are uninstalled
when you uninstall the Security Manager client on your client system. The
requirements and dependencies for installing IEV server and client are the same
as those for Security Manager server and client software.

Note

To enable communication between IEV server and IEV client, you need to modify
the Cisco Security Agent or any other anti-virus and network firewall software
policies on the Security Manager server to configure TCP ports 60002 and 60003
as open ports. If the server has a preexisting installation of the full Cisco Security
Agent, the standalone agent is not installed on the system when you install
Security Manager. In such a case, configure the Cisco Security Agent network
services to accept connections on TCP ports 60002 and 60003. However, if the
server on which you install Security Manager was not previously installed with
the full, commercial version of Cisco Security Agent, the Security Manager
installer installs a customized, standalone agent on your server and opens the
necessary TCP ports for communication between IEV server and IEV client.
When you start IEV client from the Security Manager client system, IEV client
automatically opens TCP port 5001 to establish communication with the IEV
server.

Note

Although IEV is displayed in the list of installed programs in the Add/Remove Programs window after installation, we recommend that you uninstall IEV using the Security Manager uninstaller instead of using the Add/Remove Programs control panel.

Note

When you install Security Manager in a high availability (HA) or data redundancy
(DR) deployment configuration, the Security Manager installer application does
not install IEV server on your server system. The functionality to start IEV client
from your Security Manager client is available only when Security Manager is
configured in a non-HA/DR environment.


Caution

Disable any anti-virus or host-based intrusion detection software before beginning the Security Manager server installation, and close any open applications. The Wise installer, which is a commercially available Windows Installer (MSI) package, spawns a command shell application that can trigger your host-based detection software, which causes the IEV installation to fail.
To verify IEV server installation, follow these steps:

Step 1

Review the /<path to Cisco IPS Event Viewer>/IEV/log/system.log file. It should contain only the following message:
Cisco IPS Event Viewer service successfully started.

Step 2

Select Start > Settings > Control Panel > Administrative Tools > Services to
verify that the following Windows services have started:

Cisco IPS Event Viewer service


This service lets IEV retrieve alerts from remote device(s), store alerts in the
MySQL database, archive database files, and check for available disk space.

MySQL service
This service controls the persistent storing and serving of data.

Note
The Cisco IPS Event Viewer service depends on the MySQL service. If you want to stop retrieving alerts, you can stop the Cisco IPS Event Viewer service. Later you can restart the Cisco IPS Event Viewer service to resume retrieving and storing alerts.

Caution
Do not remove the c:\my.cnf file. The MySQL server used by IEV requires this file.

IEV server is uninstalled when you uninstall Security Manager server.


Related Topics
• Understanding Communication, page 21-34
• Guidelines for Working with IEV from Security Manager, page 21-35
• Starting IEV Client, page 21-37

Understanding Communication
Security Manager client intercepts all SSL requests made by IEV client and sends
them to the IEV server running on Security Manager server. IEV server processes
the requests redirected by the IEV client by obtaining information from the sensor
or sending data such as the IEV image to the client. This communication between
the IEV client and IEV server is transparent to the IPS sensor, and appears as
though there is a direct connection between IEV client and the sensor.
The Cisco IPS Event Viewer and MySQL services must be running on the IEV server for IEV to monitor sensors. IEV server retrieves the events from IPS sensors and stores them in the MySQL database. When you start the IEV client from the Security Manager client, a secure connection is established between IEV client and IEV server, the Java application on the IEV client reads the event details from the MySQL database, and the event data is displayed on the IEV client in various views, tables, and graphs.
If the IEV client files are not available in the client cache directory, the image is
obtained from the Security Manager server. The Security Manager client starts
only one instance of IEV client and closes the IEV client window when you exit
the Security Manager client or when the idle session timeout period is exceeded.
Related Topics
• IPS Event Viewer, page 21-31
• Guidelines for Working with IEV from Security Manager, page 21-35
• Starting IEV Client, page 21-37
• Navigating to IPS Signature Policy in Security Manager from IEV, page 21-37


Guidelines for Working with IEV from Security Manager


Keep in mind the following guidelines when working with IEV started from
Security Manager:

• IEV enables you to view alarms for up to five sensors at a time.
• IEV uses the same JRE version as Security Manager.
• IEV client is not preinstalled with Ethereal or any packet sniffer.
• If Ethereal was already installed on your computer when you installed Security Manager, you need to specify the directory where Ethereal was installed from the IEV main menu. You also need to modify the location of Ethereal if you later move the Ethereal executable file to a different directory, or if you decide to install Ethereal after installing Security Manager.
Note
Ethereal is a network protocol analyzer for Windows that lets you examine data from a live network or from a captured file. You can interactively browse the captured data and view summary and detail information for each packet, including the reconstructed stream of a TCP session. If you have Ethereal installed on the same host as IEV, you can start the Ethereal application from the IEV Tools menu and view IP log files. Also, if you have configured the sensor capturePacket parameter, IEV uses Ethereal to display the trigger packet.
• Cisco IPS Event Viewer and MySQL services are installed as Windows NT services.
• All IEV client-side runtime files, such as client log files and cache files, are copied to a subdirectory under the Security Manager client installation directory. The default location for these files is C:\Program Files\Cisco Systems\Cisco Security Manager Client\cache.
• All IEV server-side files, databases, log files, configuration files, and other runtime files are installed in a subdirectory under the Security Manager server installation directory. The default location for these files is C:\Program Files\CSCOpx\IPSEventViewer.
• If you attempt to install IEV server on a Security Manager server system on which IEV from Cisco.com has already been installed, an error message is displayed.


• You can start only one instance of IEV client per Security Manager client system.
• You can start multiple IEV clients for the same IEV server at the same time from different Security Manager client systems.
• You cannot start IEV client from a Security Manager client if the Security Manager server has also been installed on the same system.
• If you installed IEV server on a system using the Security Manager installer, you cannot install IEV separately from Cisco.com on the same system.
• If you installed IEV server on a system using the Security Manager installer, IEV server is not reinstalled when you attempt to reinstall Security Manager on the same system.
• Before IEV can receive events from a sensor, you must add the sensor to the list of devices that IEV monitors and specify the device credentials. See the Cisco IPS Event Viewer Version 5.2 documentation for information on how to add a sensor to be monitored by IEV. You must also add the sensor to the Security Manager inventory to view event data from the sensors you are monitoring.
• When you want to stop receiving events from a sensor, you must remove the sensor from the list of devices that IEV monitors and from the Security Manager inventory separately. IEV terminates the connection to that sensor and no longer receives events from it.
• Backup and restore of the Security Manager database does not apply to the IEV database.
• IEV log files are archived when you generate the Security Manager diagnostics file.
• When you exit the Security Manager client, the IEV client window is closed.

Related Topics
• IPS Event Viewer, page 21-31
• Understanding Communication, page 21-34
• Starting IEV Client, page 21-37


Starting IEV Client


This procedure describes how to start an IEV client from the Security Manager
client.
Before You Begin
• Make sure the Windows NT services for IEV server are running on the Security Manager server. To review the status of the Cisco IEV and MySQL services, select Start > Settings > Control Panel > Administrative Tools > Services.
• Make sure you selected an IPS sensor from the Device selector.

Procedure
Step 1
Select Tools > IPS Event Viewer.
A dialog box asks you to confirm that you want to start IEV client from the Security Manager client.
Step 2
Click Yes to continue.
The IEV client window is displayed when the start operation is complete.

Related Topics
• IPS Event Viewer, page 21-31
• Understanding Communication, page 21-34
• Guidelines for Working with IEV from Security Manager, page 21-35
• Navigating to IPS Signature Policy in Security Manager from IEV, page 21-37

Navigating to IPS Signature Policy in Security Manager from IEV


Sensors use signatures to determine whether the contents of network packets meet the criteria of an attack. A signature is a pattern of traffic, often thought of as a set of rules, that your sensor uses to detect typical intrusive activity, such as denial of service (DoS) attacks. The Signatures policy page in Security Manager enables you to configure signatures for Cisco IPS sensors. When packets match a given signature rule, the sensor generates an alarm. You can configure IEV to manage alarms from sensors by adding the sensors to the IEV Devices folder. After you add the device to IEV, IEV sends a subscription request to the sensor. IEV then receives alerts and events from the sensor, beginning with the first event the sensor generates after connecting with IEV. An event is an IPS message that contains an alert, a block request, a status message, or an error message.
Using IEV, you can select an event generated by an IPS signature from the log of events within the Realtime Dashboard or the View folders, and navigate to the signature policy in Security Manager for that specific event. You can then edit the signature properties to modify the action the sensor must take to handle network attacks. The following sections describe how to look up the Signatures policy page in Security Manager from IEV:

• IPS Signature Policy Lookup from the Realtime Dashboard, page 21-38
• IPS Signature Policy Lookup from the Views Tab, page 21-39

IPS Signature Policy Lookup from the Realtime Dashboard


You can use the Realtime Dashboard to view a continuous stream of real-time
events from the sensor. By default, the Realtime Dashboard displays the most
recent events received from every device configured in IEV. You can configure the
Realtime Dashboard to display only events from a particular device or only events
of a particular severity level. You can also configure how often the Realtime
Dashboard retrieves events from the sensor(s) and the maximum number of events
to display.
This procedure describes how to look up an IPS signature in the Signatures policy
page of Security Manager from the Realtime Dashboard of IEV:
Step 1

Open IEV client from the Security Manager client. For a description of the
procedure to start IEV client, see Starting IEV Client, page 21-37.

Step 2

Choose Tools > Realtime Dashboard > Launch Dashboard.


IEV opens a subscription request with the sensor. If the connection is successful,
the Realtime Dashboard appears and displays the most recent events received by
the sensor since the request was opened.


Step 3

Right-click a row associated with an event, then select Go to CSM. The Security
Manager client window is activated and the Signatures policy page appears with
the IPS signature that generated the event highlighted in the policy table.
For each event entry in IEV, Security Manager searches all the signatures within
the context of your current activity when Workflow mode is enabled (including
policies defined in your private view and saved locally on the client, and policies
committed to the Security Manager database), or current login session when
non-Workflow mode is enabled. If the event entry had been triggered by a
signature not referenced in the current activity, an error message appears.
You can edit the signature that triggered the event by right-clicking its row in the
table and selecting Edit Row from the Row Context Menu.

Related Topics
• IPS Signature Policy Lookup from the Views Tab, page 21-39
• Navigating to IPS Signature Policy in Security Manager from IEV, page 21-37

IPS Signature Policy Lookup from the Views Tab


The Views tab lets you analyze filtered event data from a specified source. IEV
ships with five default views; however, you can use the View Wizard to create and
store user-defined views in the Views folder. Based on the data that is populated
in a specific view, you can navigate to the events. For example, you can select the
view configured to group events by signature name to organize the table of events
by signature name. You can expand an event to view the details, such as signature
name and severity level, associated with that event, and navigate to the Signatures
policy in Security Manager.
IEV lets you access various tables and graphs that provide specialized views into
the event data you are analyzing. Before you create a view and begin working with
the individual tables and graphs, review the following descriptions.
The following tables organize the events for a view. The events shown in these
tables and graph differ depending on the data source you choose for the view. The
data source can be the event_realtime_table, archived tables, or imported log files.


Alert Aggregation table - The first table displayed for any view. You access
an alert aggregation table by double-clicking the view name in the Views
folder.

Expanded Details Dialog table - Displays the details of a particular event
listed in an alert aggregation table. You access the Expanded Details Dialog
table by right-clicking a row in the first column of an alert aggregation table.

Drill Down Dialog table - Displays the individual entries for a particular
column in the alert aggregation table, such as the individual source addresses
associated with a UDP Bomb event. You access the Drill Down Dialog table
by double-clicking a column (except first or Total Alarm Count) in an alert
aggregation table.

Alarm Information Dialog table - Displays the individual alerts for a
particular event. You access the Alarm Information Dialog table by
double-clicking the Total Alarm Count column in the alert aggregation table,
or by right-clicking the first column of the Expanded Details Dialog table.

See Cisco IPS Event Viewer Version 5.2 documentation for more information.
This procedure describes how to look up an IPS signature in the Signatures policy
page of Security Manager from the Views folder of IEV:
Step 1

Open the IEV client from the Security Manager client. For a description of the
procedure to start the IEV client, see Starting IEV Client, page 21-37.

Step 2

Click the Views tab.

Step 3

Double-click the Views folder to view the list of defined views.

Step 4

To view individual alarms associated with an event from an alert aggregation
table, do the following:

a. Right-click a cell in the first column in an alert aggregation table associated
with the event you want to expand, and then choose Expand Whole Details.
The Expanded Details Dialog appears with the Whole Address tab displayed.

b. To view the events by address category, click the Class A Level, Class B
Level, or Class C Level tab.

c. Right-click any column in the Expanded Details Dialog, then select View
Alarms. The Alarm Information Dialog appears.


Tip

You can also access the Alarm Information Dialog by double-clicking a
column (except first or Total Alarm Count) in an alert aggregation table,
right-clicking a cell in the first column of the Drill Down Dialog, and
selecting View Alarms.

Note

For cells that display an arrow (>) after the number of occurrences,
double-click that cell to display the contents of the cell.
A second table appears in the Drill Down Dialog and displays the contents
of the cell. Double-clicking a cell containing an arrow (>) in this
second table displays the Alarm Information Dialog.

Step 5

Right-click a row associated with an event, then select Go to CSM. The Security
Manager client window is activated and the Signatures policy page appears with
the IPS signature that generated the event highlighted in the policy table.
For each event entry in IEV, Security Manager searches all the signatures within
the context of your current activity when Workflow mode is enabled (including
policies defined in your private view and saved locally on the client, and policies
committed to the Security Manager database), or current login session when
non-Workflow mode is enabled. If the event entry had been triggered by a
signature not referenced in the current activity, an error message appears.
You can edit the signature that triggered the event by right-clicking its row in the
table and selecting Edit Row from the Row Context Menu.

Related Topics

IPS Signature Policy Lookup from the Realtime Dashboard, page 21-38

Navigating to IPS Signature Policy in Security Manager from IEV, page 21-37


Security Manager Access Rule Lookup from Device Manager Syslog

Each interface on the device or appliance is associated with a list of ACEs that
make up an ACL. When the firewall device finds a matching ACE, it performs the
associated action, either permitting the packet into the firewall device for
further processing or denying it entry. If no ACE matches the packet, the packet
is denied. Activity on your firewall or router is monitored through the creation
of syslog entries. If logging is enabled on the device, a log entry is generated
whenever an access rule that is configured to generate syslog entries is invoked
(for example, when a connection is attempted from a denied IP address).
Security Manager 3.1 introduces a new Syslog to Access Rule Correlation tool
that enhances day-to-day security management and troubleshooting activities.
With this tool, you can quickly resolve common configuration issues, along with
most user and network connectivity problems. Because the configuration process
is simple, operational efficiency and response times for business-critical functions
are improved. For ASDM and SDM started from within Security Manager, you
can identify the ACL on a router or firewall that generated a syslog message
received by ASDM and SDM. The access rule that triggered the syslog entry is
highlighted on a first-match basis, even if there are multiple access rules that
cause the same syslog message to be generated. The feature to perform the
Security Manager policy table lookup, when the device generates a syslog
message, is available in SDM 2.3.4, which supports all versions of Cisco IOS
software running on a router, ASDM 5.2(2), which manages ASA 7.2, and ASDM
5.0(1)F, which runs with FWSM 3.1.
Using ASDM 5.2.2 and 5.0(1)F, you can select a syslog message generated by an
ACL within the Real-time Log Viewer window or Log Buffer Viewer window, and
navigate to the access control rule in Security Manager for that specific syslog.
The Syslog to Access Rule Correlation tool also offers an intuitive view into
syslog messages invoked by user-configured access rules. You can closely
observe enterprise traffic patterns and monitor resource access behavior. For more
information, see Navigating to ACL in Security Manager from ASDM Syslog,
page 21-43.
Using SDM 2.3.4, you can select a syslog message generated by an ACL from the
log of events categorized by security level and displayed under the Syslog tab of
the Logging window. For each selected syslog message, you can look up the


Security Manager to highlight the access control entry that matches the traffic that
generated the message. You can then disable the rule to permit or deny the traffic.
For more information, see Navigating to ACL in Security Manager from SDM
Syslog, page 21-46.
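
The first-match lookup this section describes, as an added example that is not
Security Manager's code or the guide's own: a small Python correlator parses an
ASA deny syslog line and walks the named ACL in order, returning the first ACE
that matches the logged packet, or None for the implicit deny. The ACL, the ACE
fields and the syslog line are constructed for illustration; the message layout
is modeled on the ASA 106023 deny message.

```python
"""Correlate an ASA deny syslog message to the ACE that produced it (first match).

Added example, not part of the Cisco Security Manager user guide or product.
The ACL, the syslog line and the field layout (modeled on ASA message 106023)
are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Field layout of the constructed sample line; group names mirror the message text.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[\w-]+)"'
)


@dataclass(frozen=True)
class Ace:
    line: int                     # position in the ACL; the first match wins
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port
    log: bool                     # whether this ACE generates a syslog message

    def matches(self, proto, src, dst, dport):
        return (
            self.proto in ("ip", proto)
            and src in self.src
            and dst in self.dst
            and (self.dport is None or self.dport == dport)
        )


def parse_deny(line):
    """Return the packet fields and ACL name from a 106023 deny message, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {
        "proto": m["proto"].lower(),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "acl": m["acl"],
    }


def first_match(acl, proto, src, dst, dport):
    """Walk the ACL in order and return the first ACE that matches the packet.

    None means no ACE matched: the packet hit the implicit deny at the end of
    the ACL, for which there is no rule to highlight.
    """
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace
    return None


def correlate(acls, syslog_line):
    """Map a syslog line to (acl_name, ace); None if the line was not ACL-generated
    or names an ACL that is not in the known set (the guide's error cases)."""
    fields = parse_deny(syslog_line)
    if fields is None:
        return None
    acl = acls.get(fields["acl"])
    if acl is None:
        return None
    ace = first_match(acl, fields["proto"], fields["src"], fields["dst"], fields["dport"])
    return fields["acl"], ace


def net(s):
    return ipaddress.ip_network(s)


# Constructed ACL: lines 2 and 3 would both deny telnet from 10.1.1.0/24, but
# only line 2 is reported, because lookup is on a first-match basis.
SAMPLE_ACLS = {
    "outside_in": [
        Ace(1, "permit", "tcp", net("0.0.0.0/0"), net("192.168.1.10/32"), 443, False),
        Ace(2, "deny", "tcp", net("10.1.1.0/24"), net("192.168.1.0/24"), 23, True),
        Ace(3, "deny", "ip", net("10.1.1.0/24"), net("0.0.0.0/0"), None, True),
    ]
}

# Constructed sample line, not captured from a real appliance.
SAMPLE_SYSLOG = (
    '%ASA-4-106023: Deny tcp src outside:10.1.1.5/4567 '
    'dst inside:192.168.1.10/23 by access-group "outside_in" [0x0, 0x0]'
)

if __name__ == "__main__":
    name, ace = correlate(SAMPLE_ACLS, SAMPLE_SYSLOG)
    print(f"{name} line {ace.line}: {ace.action} {ace.proto} dport {ace.dport}")
```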
Related Topics

Navigating to ACL in Security Manager from ASDM Syslog, page 21-43

Navigating to ACL in Security Manager from SDM Syslog, page 21-46

Navigating to ACL in Security Manager from ASDM Syslog


The Log viewing feature of ASDM lets you view real-time system log messages
that appear in the log buffer. When you start ASDM from Security Manager, the
most recent ASDM system log messages appear at the bottom of the ASDM home
page. The Log Buffer panel enables you to view log messages saved in the buffer
in a separate window. Select the level of log messages to view, ranging from
Emergency to Debugging, and click View to open a separate window in which
the log messages appear. The Log Buffer window displays the identification
number of the log message, the date and time that the system log message was
generated, the logging level of the syslog message, and the source and
destination network or host addresses of the packet. You can select a syslog
message and identify the ACL in Security Manager that created the log message.
This procedure describes how to look up the access rule in the policy table of
Security Manager from the Log Buffer panel of ASDM.
Procedure
Step 1

Open ASDM from the Security Manager client. For a description of the procedure
to start device manager, see Starting Device Manager from Security Manager.

Step 2

Perform one of the following:

From ASDM 5.2(2), select Monitoring > Logging > Log Buffer. The Log
Buffer panel appears.

From ASDM 5.0(1)F, select Monitoring > Features > Logging > Log Buffer.
The Log Buffer panel appears.

Step 3

Click View to display the log messages currently in the buffer. The Log Buffer
window opens as a separate window.


Step 4

Right-click a syslog message generated by a firewall access rule, then select Goto
Rule in CSM. The Security Manager client window is activated and the Access
Rules page appears with the access rule that generated the syslog message
highlighted in the policy table.

Note

If you try to navigate to Security Manager from a syslog message that was
not generated by a firewall access rule, a popup window prompts you to
select a message generated by an ACL.

For each syslog entry, Security Manager searches all the access rules within the
context of your current activity when Workflow mode is enabled (including
policies defined in your private view and saved locally on the client, and policies
committed to the Security Manager database), or current login session when
non-Workflow mode is enabled. If the syslog entry had been triggered by an
access rule not referenced in the current activity, an error message appears.
You can edit the access rule that triggered the syslog message in its entirety by
double-clicking a rule number in the table, or edit individual table cells by
double-clicking a cell.
If a modal dialog box is open in Security Manager, navigation to the access rule
in the policy table from ASDM fails. Close the modal dialog box and try to
invoke the access rule in Security Manager again.

Note

Security Manager uses modal dialog windows to display warnings or user
notification messages. Generally, when an application displays a modal
window or dialog, the application stops responding to any event (mouse
action, keyboard entry, and so on) other than the event associated with the
modal window (you must first respond to the modal window). If you
overlay the modal window with any other application window (the modal
window now is invisible), the application appears frozen. If your
browser window appears frozen, ensure that there is no modal window
that has inadvertently been covered.

The Real-time Log Viewer panel enables you to view real-time system log
messages in a separate window. Select the level and maximum number of log
messages to view, then click View to display a separate window in which log


messages appear. The Real-time Log Viewer window enables you to view
incoming messages in real time and look up the ACL that generated the syslog
message.
This procedure describes how to look up the access rule in the policy table of
Security Manager from the Real-time Log Viewer panel of ASDM.
Procedure
Step 1

Open ASDM from the Security Manager client. For a description of the procedure
to start device manager, see Starting Device Manager from Security Manager.

Step 2

Perform one of the following:

From ASDM 5.2(2), select Monitoring > Logging > Real-time Log Viewer.
The Real-time Log Viewer panel appears.

From ASDM 5.0(1)F, select Monitoring > Features > Logging > Live Log.
The Live Log Viewer panel appears.

Step 3

Click View to display the incoming log messages on the security appliance in
real-time. The Real-time Log Viewer window opens as a separate instance.

Step 4

Right-click a syslog message generated by an ACL, then select Goto Rule in
CSM. The Security Manager client window is activated and the Access Rules
page appears with the access rule that generated the syslog message highlighted
in the policy table.

Note

If you try to navigate to Security Manager from a syslog message that was
not generated by a firewall access rule, a popup window prompts you to
select a message generated by an ACL.

For each syslog entry, Security Manager searches all the access rules within the
context of your current activity when Workflow mode is enabled (including
policies defined in your private view and saved locally on the client, and policies
committed to the Security Manager database), or current login session when
non-Workflow mode is enabled. If the syslog entry had been triggered by an
access rule not referenced in the current activity, an error message appears.


You can edit the access rule that triggered the syslog message in its entirety by
double-clicking a rule number in the table, or edit individual table cells by
double-clicking a cell.

Related Topics

Navigating to ACL in Security Manager from SDM Syslog, page 21-46

Navigating to ACL in Security Manager from SDM Syslog


SDM 2.3.4 offers the following logs:

Syslog - The router contains a log of events categorized by severity level. It
is the router log that is displayed, even if log messages are being forwarded
to a syslog server.

Firewall Log - The log entries shown in the top part of this window are
determined by log messages generated by the firewall. In order for the
firewall to generate log entries, you must configure individual access rules to
generate log messages when they are invoked.

Application Security Log - If logging has been enabled, and you have
specified that alarms be generated when the router encounters traffic from
applications or protocols that you have specified, those alarms are collected
in a log that can be viewed from this window.

SDEE Message Log - If SDEE has been configured on the router, this log
records SDEE messages. SDEE messages are generated when there are
changes to IPS configuration.

This procedure describes how to look up the access rule in the policy table of
Security Manager from the Logging panel of SDM 2.3.4.
Procedure
Step 1

Open SDM from the Security Manager client. For a description of the procedure
to start device manager, see Starting Device Manager from Security Manager.

Step 2

Select Monitor > Logging. The Logging panel appears with the Syslog tab
displayed. You can also open it by clicking the Syslog tab from any other tab in
the Logging panel.


Step 3

Select a syslog message generated by an access rule, then click the Goto Rule in
CSM button above the table of log messages displayed. The Security Manager
client window is activated and the Access Rules page appears with the access rule
that generated the syslog message highlighted in the policy table.

Note

If you try to navigate to Security Manager from a syslog message that was
not generated by a firewall access rule, a popup window prompts you to
select a message generated by an ACL.

For each syslog entry, Security Manager searches all the access rules within the
context of your current activity when Workflow mode is enabled (including
policies defined in your private view and saved locally on the client, and policies
committed to the Security Manager database), or current login session when
non-Workflow mode is enabled. If the syslog entry had been triggered by an
access rule not referenced in the current activity, an error message appears.
You can edit the access rule that triggered the syslog message in its entirety by
double-clicking a rule number in the table, or edit individual table cells by
double-clicking a cell.

Related Topics

Security Manager Access Rule Lookup from Device Manager Syslog, page 21-42

Navigating to ACL in Security Manager from SDM Syslog, page 21-46


Appendix A

Administrative Settings User Interface Reference

Tip

For helpful information on the most important settings to define first, read Define
These Settings First, page 2-2.
The following topics describe Security Manager settings administration:

AutoLink Settings Page, page A-2

Configuration Archive Settings Page, page A-3

Customize Desktop Page, page A-4

Deployment Page, page A-5

Device Communication Page, page A-10

Device Groups Page, page A-15

Device OS Management Page, page A-16

Discovery Page, page A-17

IPS Updates Page, page A-19

Licensing Page, page A-26

Logs Page, page A-30

Policy Management Page, page A-32

Policy Objects Page, page A-33

Server Security Page, page A-35



Status Page, page A-36

Take Over User Session Page, page A-41

Token Management Page, page A-42

VPN Policy Defaults Page, page A-44

Workflow Page, page A-48

AutoLink Settings Page


The Security Manager Map view provides a graphical view of your VPN and
Layer 3 network topology. Using device nodes to represent managed devices and
map objects to represent unmanaged objects such as devices, clouds, and
networks, you can create topology maps with which to study your network.
AutoLink settings enable you to exclude any one of five private or reserved
networks from Map view. For example, you might want to exclude networks
that are not relevant to the management tasks you are using Security Manager to
perform, such as test networks. For the procedure, see Working with
AutoLink, page 2-61.
Navigation Path

Select Tools > Security Manager Administration, then click AutoLink.


Related Topics

Displaying Layer 3 Links on the Map, page 4-21

Displaying Your Network on the Map, page 4-16

Understanding Maps, page 4-1

Working With Maps, page 4-2


Field Reference
Table A-1

AutoLink Settings Page

Element

Description

IP addresses

Selected by default and grouped by category. There are five: three internal,
one used for loopback testing, and one for multicast routing. Deselect the
check box for each IP address you want to omit from any topology maps
you create.

Save button

Saves and applies changes.

Reset button

Resets changes to the last saved values.

Restore Defaults button

Resets values to Security Manager defaults.

Configuration Archive Settings Page


From the Configuration Archive page, you can purge configuration file versions
maintained for devices managed by Security Manager. Here you can also enter the
TFTP server and directory information for Cisco IOS and Catalyst OS devices
used during configuration rollback. For the procedure, see Defining Configuration
Archive Settings, page 2-62.
Navigation Path

Select Tools > Security Manager Administration, then click Configuration
Archive.
Related Topics

Configuration Archive Window, page Q-12

Using the Configuration Archive Tool, page 20-11


Field Reference
Table A-2

Configuration Archive Settings Page

Element

Description

Max. Versions per Device

Enter how many versions you want to retain for each device after you click
Purge Now. Values are 1 through 100.

Purge Now button

Deletes all configuration versions for each device older than the number
you entered in the Max. Versions Per Device field.

TFTP Server for Rollback

The server name or IP address for TFTP file transfers to be used for IOS
devices only.

TFTP Root Directory

The root directory for configuration file transfers on your TFTP server.

Save button

Saves and applies changes.

Reset button

Resets changes to the last saved values.

Restore Defaults button

Resets values to Security Manager defaults.

Customize Desktop Page


Adjust your GUI timeout and Do Not Ask settings from the Customize Desktop
page. For the procedure, see Customizing Your Desktop, page 2-64.
Navigation Path

Select Tools > Security Manager Administration, then click Customize
Desktop.
Field Reference
Table A-3

Customize Desktop Page

Element

Description

Reset Do Not Ask on Warnings button

Reestablishes "Are you sure . . .?" pop-up reminders. You might want to do
this if you enabled any Do Not Ask Me Again settings in the application.

Enable Idle Timeout

When selected enables the idle timeout for the user interface.


Idle Timeout (minutes)

The number of minutes Security Manager waits for input before logging the
user out of the system and disconnecting the server. The default is 120
minutes.

Save button

Saves and applies changes.

Reset button

Resets changes to the last saved values.

Restore Defaults button

Resets values to Security Manager defaults.

Deployment Page
Use the Deployment page to define the methods by which Security Manager
deploys configurations to devices. To make changes for only a single device, see
Working with Device Policies, page 5-54.
For the procedure, see Defining Deployment Settings, page 2-65.
Navigation Path

Select Tools > Security Manager Administration, then click Deployment.


Related Topics

Managing Deployment, page 18-1

Managing Objects, page 8-1

Policy Object Manager User Interface Reference, page F-1

Field Reference
Table A-4

Deployment Page

Element

Description

Deployment

Purge Debugging Files Older Than* (days)

The maximum number of days the system should keep debugging files. You
can click Purge Now to immediately delete all debugging files older than the
number of days specified.


Purge Now button

Immediately deletes debugging files older than the number of days specified
in the Purge debugging files older than (days) field. For example, if you
change the number of days from 10 to 7 and click Purge Now all debugging
files older than 7 days are deleted.

Default Deployment Method

Specifies how configurations are deployed to devices. You can pick one of
the following:

Device (default) - Configurations deploy directly to a device unless the
device is unreachable.

File - Configurations deploy to a file.

Directory

If you selected File as the default deployment method, enter a directory path
to which the file should be saved. Or you can click Browse to select the
directory to which to save the file.

When Out of Band Changes Detected

Specifies how Security Manager responds when it detects changes made
directly to the device CLI and the change is then deployed. You can choose
one of the following:

Warn - Deployment proceeds, but a warning message is displayed.

Cancel - Deployment stops.

Skip - Deployment proceeds without checking for out-of-band changes.

Deploy to File Reference Configuration

Use when the selected deployment method is File. Specifies the
configuration against which changes are compared. You can choose one of
the following:

Archive (default) - The most recently archived configuration.

Device - The current device configuration.

After comparing the configurations, Security Manager generates the correct
CLI for deployment.


Deploy to Device Reference Configuration

Use when the selected deployment method is Device. Specifies the
configuration against which changes are compared. You can choose one of
the following:

Archive (default) - The most recently archived configuration.

Device - The current device configuration.

After comparing the configurations, Security Manager generates the correct
CLI for deployment.

Optimize the Deployment of Access Rules For

Specifies how firewall rules are deployed. You can choose one of the
following:

Speed (default) - Increases deployment speed by sending only the delta
(difference) between the new and old ACLs. This is the recommended
option. By making use of the ACL line number feature, this approach
selectively adds, updates, or deletes ACEs at specific positions and
avoids resending the entire ACL. Because the ACL being edited is still
in use, there is a small chance that some traffic might be handled
incorrectly between the time an ACE is removed and the time that it is
added to a new position. The ACL line number feature is supported by
most Cisco IOS, PIX and ASA versions, and becomes available in
FWSM from FWSM 3.1(1).

Traffic - This approach switches ACLs seamlessly and avoids traffic
interruption. However, deployment takes longer and uses more device
memory before the temporary ACLs are deleted. First, a temporary copy
is made of the ACL that is intended for deployment. This temporary
ACL binds to the target interface. Then the old ACL is recreated with its
original name but with the content of the new ACL. It also binds to the
target interface. At this point, the temporary ACL is deleted.

Note

You cannot choose a deployment speed on devices that do not
support ACL line numbers.


Firewall Access-List Names

Determines how ACL names are deployed to devices.

Reuse existing names - Recognizes user-defined ACL names that were
configured on the device. See Preserving User-Defined ACL Names,
page 12-56.

Reset to CS-Manager generated names - Recognizes Security Manager
auto-generated ACL names. See How ACL Names Are Generated,
page 12-53.

Disable Access-list Compilation During Deployment (FWSM)

When selected, FWSM automatically determines for itself when to compile
access lists. Selecting this option might increase deployment speed but
traffic might be disrupted and the system may become incapable of reporting
ACL compilation error messages.
When deselected, Security Manager controls ACL compilation to avoid
traffic interruption and to minimize peak memory usage on the device. For
more information, see Understanding Access Rules, page 12-49.

Caution

You should not select this option unless you are experiencing
deployment problems and are an advanced user.

Enable Advanced Debugging

When selected, Security Manager generates data files about configuration
generation, deployment, and discovery as these functions are performed. The
temporary data files are stored in a temporary directory that you can use for
debugging.

Note

Selecting this check box slows down product response time.

Allow Download on Error

When selected, enables deployments to devices to continue even if there are
minor device configuration errors.

Remove Unreferenced Object Groups on Device (PIX, ASA, FWSM)

When selected, any object groups that are not being used by other CLI
commands are removed from devices during deployment.


Create Object Groups for Policy Objects (PIX, ASA, FWSM)

When selected (default), Security Manager creates object groups, such as
network objects and service objects, for PIX, ASA, and FWSM devices.
When deselected, Security Manager flattens the object groups to display the
IP addresses, sources and destinations, ports, and protocols for
PIX/ASA/FWSM devices. Deselecting this check box also disables the
check box that follows, Create Object Groups for Multiple Sources,
Destinations or Services in a Rule (PIX, ASA, FWSM).

Create Object Groups for Multiple Sources, Destinations or Services in a
Rule (PIX, ASA, FWSM)

When selected, you can elect to automatically create network objects and
service objects to replace comma-separated values in a rule table cell that
resulted when multiple rules were combined. The objects are created during
deployment. This check box is disabled when the preceding check box,
Create Object Groups for Policy Objects (PIX, ASA, FWSM), is
deselected. For more information, see Combining Rules, page 12-11.

Remove Unreferenced
Access-lists on Device

When selected, any access lists that are not being used by other CLI
commands are removed from devices during deployment.

Save Changes
Permanently on Device

When selected, ensures that any changes to the device configuration for PIX,
FWSM, ASA, or Cisco IOS devices are copied to the startup configuration
for that device. Deselect this check box to keep startup configuration as is.

Generate ACL Remarks During Deployment

When selected, displays ACL warning messages during deployment.

Optimize Network Object Groups During Deployment (PIX, ASA, FWSM)

When selected, optimizes network object groups when you generate
configurations for PIX, FWSM, and ASA devices for deployment. For more
information, see Optimizing Policy Objects in Rules, page 12-47.

Save button

Saves and applies changes.

Reset button

Resets changes to the last saved values.

Restore Defaults button

Resets values to Security Manager defaults. The default is to enable any
configuration changes to be saved to startup configuration.
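
The two access-rule deployment strategies described under Optimize the
Deployment of Access Rules For in Table A-4, as an added example that is not
Security Manager's code: Speed computes a positional delta between the old and
new ACL and emits line-numbered remove/insert commands against the live ACL,
while Traffic builds and binds a temporary ACL before rebuilding the original.
The sample ACLs are constructed, the command strings are illustrative text
modeled on line-numbered access-list syntax rather than Security Manager's
actual generator output, and apply_speed_delta is a toy device model used only
to check the delta.

```python
"""Speed versus Traffic deployment of a changed ACL.

Added example, not Security Manager's code. Command strings are illustrative,
modeled on line-numbered access-list syntax; the ACLs are constructed samples.
"""
import difflib


def speed_delta(name, old, new):
    """Speed: emit only the delta, editing ACEs at specific line positions.

    The live ACL is edited in place, so between a 'no ... line N' and the
    insert that replaces it the device is evaluating an ACL that is missing
    an ACE; that is the short window of possibly wrong handling the guide notes.
    """
    cmds = []
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    # Walk the edit script from the end so that edits never shift the line
    # numbers of ACEs earlier in the ACL that still have to be touched.
    for tag, i1, i2, j1, j2 in reversed(sm.get_opcodes()):
        if tag == "equal":
            continue
        for k in range(i2 - 1, i1 - 1, -1):          # remove old lines, highest first
            cmds.append(f"no access-list {name} line {k + 1} {old[k]}")
        for offset, k in enumerate(range(j1, j2)):   # insert new lines in order
            cmds.append(f"access-list {name} line {i1 + 1 + offset} {new[k]}")
    return cmds


def traffic_swap(name, new, interface, direction="in"):
    """Traffic: never leave the interface without a complete ACL.

    A temporary copy of the new ACL is built and bound first, the original
    name is rebuilt with the new content and bound, then the copy is deleted.
    More commands and more device memory, but no gap in enforcement.
    """
    tmp = f"{name}_tmp"
    cmds = [f"access-list {tmp} {ace}" for ace in new]
    cmds.append(f"access-group {tmp} {direction} interface {interface}")
    cmds.append(f"clear configure access-list {name}")
    cmds += [f"access-list {name} {ace}" for ace in new]
    cmds.append(f"access-group {name} {direction} interface {interface}")
    cmds.append(f"clear configure access-list {tmp}")
    return cmds


def apply_speed_delta(old, cmds):
    """Toy device model: replay Speed commands on a copy of the old ACL."""
    acl = list(old)
    for cmd in cmds:
        if cmd.startswith("no "):
            # no access-list NAME line N <ace>
            line = int(cmd.split(" ", 5)[4])
            del acl[line - 1]
        else:
            # access-list NAME line N <ace>
            _, _, _, line, ace = cmd.split(" ", 4)
            acl.insert(int(line) - 1, ace)
    return acl


# Constructed sample ACLs: one ACE is inserted at line 2 and the last ACE changes.
OLD_ACL = [
    "extended permit tcp any host 192.168.1.10 eq 443",
    "extended deny ip 10.1.1.0 255.255.255.0 any",
    "extended permit ip any any",
]
NEW_ACL = [
    "extended permit tcp any host 192.168.1.10 eq 443",
    "extended deny tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23",
    "extended deny ip 10.1.1.0 255.255.255.0 any",
    "extended permit ip any any log",
]

if __name__ == "__main__":
    for cmd in speed_delta("outside_in", OLD_ACL, NEW_ACL):
        print(cmd)
    print("---")
    for cmd in traffic_swap("outside_in", NEW_ACL, "outside"):
        print(cmd)
```

Speed sends three commands here (one remove, two inserts) against the bound
ACL; Traffic sends two full copies plus three bind/clear commands but the
interface always has a complete ACL bound.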


Device Communication Page


Use the Device Communication page to define these settings:

The number of seconds that Security Manager has to establish a connection
with a device before timing out.

The number of seconds Security Manager can spend blocked waiting for
incoming data.

Whether to use HTTP or HTTPS as the default transport protocol for
contacting Cisco IOS IPS routers and IPS sensors.

Whether to use SSL, SSH, Telnet, or TMS as the default transport protocol
for contacting Cisco IOS devices running IOS versions 12.3 and later.

Whether to use SSH or Telnet as the default transport protocol for contacting
Catalyst 6500 Series switches and Cisco 7600 Series routers.

Whether to use SSH or Telnet as the default transport protocol for contacting
routers running Cisco IOS software release 12.1 or 12.2.

The credentials that Security Manager uses to contact the device for various
operations, such as deployment, discovery, and rollback of configurations.

Whether and when to authenticate device certificates for devices that use SSL
(firewall devices, FWSMs, ASAs, IPS devices, and Cisco IOS devices).

The HTTPS port number to be used for secure communication between
Security Manager and a device.

Whether Security Manager applies changes to SSH keys made directly on the
device.

For the procedure, see Defining Device Communication Settings, page 2-68.
Navigation Path

Select Tools > Security Manager Administration, then click Device


Communication.
Related Topics

Adding Devices to the Security Manager Inventory, page 5-30

Managing Devices, page 5-1

Preparing the Devices for Security Manager to Manage, page 5-2


Field Reference

Table A-5 Device Communication Page

Device Connection Parameters

Device Connection Timeout
Enter the number of seconds that Security Manager has to establish a
connection with a device before timing out.

Retry Count
Enter the number of times that Security Manager tries to establish a
connection before failing. The default value is 3. An error message displays
at the third (or whatever number of times you enter) failed attempt of
Security Manager to connect to the device.

Socket Read Timeout
(For SSH and Telnet sessions only.) Enter the maximum number of seconds
Security Manager can spend blocked waiting for incoming data. If no incoming
data is received within this period, an error displays.

Transport Protocol (IPS)
Select HTTPS or HTTP as the transport protocol to use when contacting Cisco
IOS routers and IPS devices. For more information, see Preparing the Devices
for Security Manager to Manage, page 5-2.

Transport Protocol (IOS Routers 12.3 and above)
Select the HTTPS, SSH, Telnet, or TMS transport protocol to use when
contacting Cisco IOS devices. For more information, see Preparing the Devices
for Security Manager to Manage, page 5-2.

Transport Protocol (Catalyst 6500/7600)
Select SSH or Telnet as the transport protocol to use when contacting Catalyst
6500 Series switches and Cisco 7600 Series routers. For more information, see
Preparing the Devices for Security Manager to Manage, page 5-2.

Transport Protocol (IOS Routers 12.2, 12.1)
Select SSH or Telnet as the transport protocol to use when contacting routers
running Cisco IOS software release 12.1 and 12.2. For more information, see
Preparing the Devices for Security Manager to Manage, page 5-2.
Note: This selection does not apply to Catalyst 6500/6000 series switches
running Cisco IOS software 12.2 or earlier.


Connect to device using
Select the Security Manager credentials option to be used to access the
device from the list:

- Security Manager User Login Credentials: Security Manager contacts the
  device using the credentials that you entered while logging in to Security
  Manager. The same set of credentials is used for all devices added to the
  inventory, regardless of the credentials configured for each device in the
  Device Credentials page. The login credentials are discarded when you exit
  the Security Manager client or the idle session timeout period is exceeded.
- Security Manager Device Credentials: Security Manager contacts the device
  using the credentials that you specified in the Device Credentials page
  when you added the device to the inventory, or in the Device Properties
  page after you added the device to Security Manager. This is the default.
  Selecting this option is the same as the behavior that existed in Security
  Manager 3.0.1 and earlier to establish communication with the device.

SSL Certificate Parameters

IPS Device Authentication Certificates
- Select Retrieve while adding devices to enable Security Manager to
  automatically obtain certificates from IPS devices while you add one or
  more devices from the network or DCR. Security Manager calculates the IPS
  device certificate thumbprints and stores the calculated thumbprints in the
  certificate data store. For information and procedures, see Adding Devices
  to the Security Manager Inventory, page 5-30.
- Select Manually add certificates to prevent Security Manager from
  automatically accepting certificates from the Add Device From Network or
  the Add Device From DCR wizards (see Adding Devices to the Security Manager
  Inventory, page 5-30). For the addition to succeed, you must add the device
  thumbprint manually before adding the IPS devices, either by clicking Add
  Certificate or from the Device Properties pages. See Adding Certificates
  for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices, page 2-73.
- Select Do not use certificate authentication to prevent automatic
  certificate validation for IPS devices using SSL.

IOS Device Authentication Certificates
- Select Retrieve while adding devices to enable Security Manager to
  automatically obtain certificates from Cisco IOS devices while you add one
  or more devices from the network or DCR. Security Manager calculates the
  device certificate thumbprints and stores the calculated thumbprints in the
  certificate data store. For information and procedures, see Adding Devices
  to the Security Manager Inventory, page 5-30.
- Select Manually add certificates to prevent Security Manager from
  automatically accepting certificates from the Add Device From Network or
  the Add Device From DCR wizards (see Adding Devices to the Security Manager
  Inventory, page 5-30). For the addition to succeed, you must add the device
  thumbprint manually before adding the IOS devices, either by clicking Add
  Certificate or from the Device Properties pages. See Adding Certificates
  for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices, page 2-73.
- Select Do not use certificate authentication to prevent automatic
  certificate validation for IOS devices using SSL.

PIX/ASA/FWSM Device Authentication Certificates
- Select Retrieve while adding devices to enable Security Manager to
  automatically obtain certificates from firewall devices while you add one
  or more devices from the network or DCR. Security Manager calculates the
  device certificate thumbprints and stores the calculated thumbprints in the
  certificate data store. For information and procedures, see Adding Devices
  to the Security Manager Inventory, page 5-30.
- Select Manually add certificates to prevent Security Manager from
  automatically accepting certificates from the Add Device From Network or
  the Add Device From DCR wizards (see Adding Devices to the Security Manager
  Inventory, page 5-30). For the addition to succeed, you must add the device
  thumbprint manually before adding the firewall devices, either by clicking
  Add Certificate or from the Device Properties pages. See Adding
  Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices,
  page 2-73.
- Select Do not use certificate authentication to prevent automatic
  certificate validation for firewall devices using SSL.


Accept Device SSL Certificate after Rollback
Select to obtain the certificate installed on a firewall device, FWSM, ASA,
or Cisco IOS router when you roll back the configuration on the device. Note
that this is true only for devices that use SSL as their transport protocol.

Add certificate button
Opens the Add Certificate Dialog Box. See Add Certificate Dialog Box,
page A-14.

HTTPS Port Number
Enter the port number that the device uses for secure communication with
Security Manager (as well as other management applications that use these
protocols). This value overrides the HTTPS port number that you configure in
the HTTP policy for a device.
In addition to providing access to the device via the Cisco web browser user
interface, the HTTPS port number is used by device management applications,
such as the Cisco Router and Security Device Manager (SDM), and monitoring
tools, such as IPS Event Viewer (IEV), to communicate with the device.
Note: The security appliance can support both SSL VPN connections and HTTPS
connections for device manager administrative sessions simultaneously on the
same interface. Both HTTPS and SSL VPN use port 443 by default. Therefore, to
enable both HTTPS and SSL VPN on the same interface, you must specify a
different port number for either HTTPS or WebVPN. An alternative is to
configure SSL VPN and HTTPS on different interfaces.

Overwrite SSH Keys
Select to allow Security Manager to apply changes in the device's SSH keys
when they are updated directly on the device.
Deselect this check box with caution, and only if a greater level of security
is necessary. Security Manager does not communicate with the device if keys
are changed on the device.

Save button
Saves and applies changes.
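The three Device Connection Parameters in Table A-5 (Device Connection Timeout, Retry Count, and Socket Read Timeout) interact in a way that is easier to see in code than in the field descriptions. The Python below is an added example written for this page, not Security Manager code: it bounds each connection attempt by the connection timeout, gives up after the retry count is exhausted while reporting which attempt failed, and applies a separate read timeout so that a device that accepts the TCP session but never answers is detected rather than blocking forever. The host addresses, the ports, and the flaky `connect` callable used in `demo()` are constructed for the example.

```python
"""Added example: connection timeout, retry count and socket read timeout.

Models the Device Connection Parameters of Table A-5; this is not Security
Manager's own code. Hosts, ports and the flaky connect function are constructed.
"""
import socket
from typing import Callable, List, Optional, Tuple

# Same shape as socket.create_connection: (address, timeout) -> connected socket
ConnectFn = Callable[[Tuple[str, int], float], socket.socket]


class DeviceUnreachable(Exception):
    """Raised once every attempt allowed by the retry count has failed."""


def connect_with_retry(
    host: str,
    port: int,
    connect_timeout: float = 30.0,   # Device Connection Timeout (seconds)
    retry_count: int = 3,            # Retry Count (Security Manager default is 3)
    read_timeout: float = 120.0,     # Socket Read Timeout (seconds)
    connect: ConnectFn = socket.create_connection,
) -> socket.socket:
    """Try to open a TCP session up to retry_count times.

    Each attempt is bounded by connect_timeout. On success the returned socket
    carries read_timeout, so later recv() calls cannot block indefinitely.
    """
    failures: List[str] = []
    for attempt in range(1, retry_count + 1):
        try:
            sock = connect((host, port), connect_timeout)
        except OSError as exc:  # refused, unreachable, or the connect timed out
            failures.append(f"attempt {attempt}: {type(exc).__name__}")
            continue
        sock.settimeout(read_timeout)
        return sock
    # Mirrors the "error at the Nth failed attempt" behaviour described above.
    raise DeviceUnreachable(f"{host}:{port} unreachable; " + "; ".join(failures))


def read_reply(sock: socket.socket, max_bytes: int = 4096) -> Optional[bytes]:
    """Read one chunk; return None if the read timeout expires with no data."""
    try:
        return sock.recv(max_bytes)
    except socket.timeout:
        return None


def demo() -> dict:
    """Exercise both behaviours offline with constructed inputs."""
    calls: List[int] = []
    peers: List[socket.socket] = []

    def flaky_connect(address: Tuple[str, int], timeout: float) -> socket.socket:
        # Constructed stand-in: refuses the first two attempts, then succeeds
        # with one end of a local socket pair (no network involved).
        calls.append(len(calls) + 1)
        if len(calls) < 3:
            raise ConnectionRefusedError("connection refused")
        client, server = socket.socketpair()
        peers.append(server)
        return client

    sock = connect_with_retry("203.0.113.10", 443, connect_timeout=1.0,
                              retry_count=3, read_timeout=0.2,
                              connect=flaky_connect)
    silent = read_reply(sock)              # peer sends nothing -> None (timeout)
    peers[0].sendall(b"ASA banner")        # peer answers -> data is returned
    answered = read_reply(sock)
    sock.close()
    peers[0].close()
    return {"attempts": len(calls), "silent": silent, "answered": answered}


if __name__ == "__main__":
    print(demo())
```

The retry loop only covers failures to establish the session; once connected, a silent peer surfaces as `None` from `read_reply` after `read_timeout` seconds, which is the condition the Socket Read Timeout row reports as an error.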

Add Certificate Dialog Box

With Security Manager, you can add device certificates manually for devices
that use the SSL transport protocol (firewall devices, FWSMs, ASAs, IPS
devices, and Cisco IOS devices). Adding the device certificates manually gives
you the highest level of security because then an intruder is prevented from
introducing a fraudulent certificate thumbprint. Device certificates are
stored in the database to be used for device authentication.
For the procedure, see Adding Certificates for IPS Devices, Cisco IOS Devices,
and PIX/ASA/FWSM Devices, page 2-73.

Navigation Path

Select Tools > Security Manager Administration, then click Device
Communication. Click Add Certificate....

Field Reference

Table A-6 Add Certificate Dialog Box

Host Name or IP Address
Hostname or IP address of the device from which you are retrieving the
certificate.

Certificate Thumbprint
The string of hexadecimal digits that is unique to each device certificate.

OK button
Initiates device contact and adding of certificate thumbprint.
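What the three certificate options in Table A-5 and the Add Certificate dialog box amount to can be shown as a small per-host thumbprint store. The Python below is an added example written for this page, not Security Manager code. Retrieve while adding devices trusts whatever certificate a device presents the first time it is contacted and pins it from then on; Manually add certificates accepts only thumbprints entered out of band through the Host Name or IP Address and Certificate Thumbprint fields, which is why the text above calls it the highest level of security; Do not use certificate authentication skips the check. Accept Device SSL Certificate after Rollback is modelled as a re-pin. The SHA-1-over-DER thumbprint, the host names and the placeholder certificate bytes are assumptions or constructed inputs.

```python
"""Added example: device certificate thumbprint store.

Models the IPS/IOS/firewall Device Authentication Certificates options of
Table A-5 and the Add Certificate dialog box (Table A-6). Not Security
Manager's own code; hosts, certificate bytes and the hash choice are
assumptions made for the example.
"""
import hashlib
from enum import Enum
from typing import Dict, Optional


class CertMode(Enum):
    RETRIEVE_WHILE_ADDING = "retrieve"  # pin the certificate seen on first contact
    MANUALLY_ADD = "manual"             # only thumbprints added through the dialog box
    NO_CERT_AUTH = "none"               # skip certificate validation entirely


class UnknownCertificate(Exception):
    """Manual mode: the host has no thumbprint on file, so contact is refused."""


class CertificateMismatch(Exception):
    """The presented certificate differs from the pinned thumbprint."""


def thumbprint(der_certificate: bytes) -> str:
    """Assumption: SHA-1 over the DER encoding, the usual certificate thumbprint."""
    return hashlib.sha1(der_certificate).hexdigest().upper()


def normalize_thumbprint(text: str) -> str:
    """Accept the hex string as typed: with or without colons/spaces, any case."""
    return "".join(ch for ch in text if ch.isalnum()).upper()


class CertificateStore:
    def __init__(self, mode: CertMode) -> None:
        self.mode = mode
        self._pinned: Dict[str, str] = {}   # host -> thumbprint ("certificate data store")

    def add_certificate(self, host: str, typed_thumbprint: str) -> None:
        """Add Certificate dialog box: Host Name or IP Address + Certificate Thumbprint."""
        self._pinned[host] = normalize_thumbprint(typed_thumbprint)

    def pinned_thumbprint(self, host: str) -> Optional[str]:
        return self._pinned.get(host)

    def verify(self, host: str, presented_der: bytes) -> bool:
        """Decide whether contact with host may proceed given the certificate it sent."""
        if self.mode is CertMode.NO_CERT_AUTH:
            return True                      # no validation, as the option describes
        seen = thumbprint(presented_der)
        pinned = self._pinned.get(host)
        if pinned is None:
            if self.mode is CertMode.RETRIEVE_WHILE_ADDING:
                self._pinned[host] = seen    # trust on first contact, pin from now on
                return True
            raise UnknownCertificate(f"{host}: no thumbprint on file; add it manually first")
        if pinned != seen:
            raise CertificateMismatch(f"{host}: presented {seen}, pinned {pinned}")
        return True

    def accept_after_rollback(self, host: str, presented_der: bytes) -> str:
        """Accept Device SSL Certificate after Rollback: re-pin what is installed now."""
        self._pinned[host] = thumbprint(presented_der)
        return self._pinned[host]


# Constructed placeholders standing in for DER-encoded device certificates.
GENUINE_CERT = b"constructed DER bytes: ips-sensor-1 genuine certificate"
ROGUE_CERT = b"constructed DER bytes: certificate presented by an impostor"


def demo() -> Dict[str, str]:
    """Manual mode: refused until the thumbprint is entered, then pinned."""
    manual = CertificateStore(CertMode.MANUALLY_ADD)
    outcome: Dict[str, str] = {}
    try:
        manual.verify("ips-sensor-1", GENUINE_CERT)
    except UnknownCertificate:
        outcome["before_adding"] = "refused"
    # The operator types the thumbprint obtained out of band, colon-separated.
    raw = thumbprint(GENUINE_CERT).lower()
    manual.add_certificate("ips-sensor-1",
                           ":".join(raw[i:i + 2] for i in range(0, len(raw), 2)))
    outcome["genuine"] = "accepted" if manual.verify("ips-sensor-1", GENUINE_CERT) else "refused"
    try:
        manual.verify("ips-sensor-1", ROGUE_CERT)
    except CertificateMismatch:
        outcome["rogue"] = "refused"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The difference between the two authenticating modes is only where the first thumbprint comes from: in retrieve mode the store pins whatever was presented at add time, so a certificate substituted before the device was added would be pinned too, whereas manual mode has nothing to compare against until an operator enters a thumbprint obtained from the device itself.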

Device Groups Page


Use the Device Groups page to create group types (the highest level of the
hierarchy) and groups, to delete groups, and to modify group names. For more
information, see Working with Device Groups, page 2-75.
Navigation Path

Select Tools > Security Manager Administration > Device Groups.

Related Topics

- Understanding Device Grouping, page 5-57
- Working With Device Groups, page 5-59


Field Reference
Table A-7 Device Groups Page

Add Type button
Creates a new group type.

Add (+) button
Creates a group or subgroup.

Save button
Saves your changes and closes the page.

Reset button
Restores all fields to their previous values.

Device OS Management Page

Security Manager 3.1 integrates several key features from Resource Manager
Essentials (RME). You can use software management to analyze individual device
operating system versions (also known as image versions) and to generate image
analysis reports. This allows you to import and distribute operating system
images to groups of devices. You can also schedule operating system upgrade
jobs to ensure up-to-date versions and to minimize errors. For more
information, and for detailed procedures, see Working With Device OS
Management, page 20-6.

Navigation Path

Select Tools > Security Manager Administration, then click Device OS
Management.

Related Topics

- Resource Manager Essentials Documentation
- Working With Device OS Management, page 20-6

Field Reference

Table A-8 Device OS Management

RME server address
IP address of the RME server.

Connect using https
When selected, indicates that you are connecting to the RME server using SSL.


Save button
Saves your changes to the Security Manager database.

Reset button
Resets changes to the previously applied values.

Restore Defaults button
Resets values to Security Manager defaults.

Discovery Page

From the Discovery page you can define how long to keep a record of discovery
and device-import tasks. Any tasks older than the number of days you specify
will be deleted. You can also determine whether to substitute any matching
named objects that are already defined in Security Manager for any inline
values found in the CLI, and whether to roll back all policies if an error is
encountered during policy discovery. For the procedure, see Defining Discovery
Settings, page 2-76.

Navigation Path

Select Tools > Security Manager Administration, then click Discovery.

Related Topics

- Frequently Asked Questions about Policy Discovery, page 6-13
- Understanding the Policy Object Manager Window, page 8-5


Field Reference

Table A-9 Discovery Page

Prepend Device Name when Generating Security Context Names
Selecting this check box prepends device names (that is, the device display
names) when generating security context names. This turns off the Security
Manager default naming method.
Note: By selecting this option, you disable Security Manager's method for
ensuring unique names. Instead, Security Manager will append a number to any
duplicate name it encounters. (So, for example, the name mydevice when
encountered a second time would be rendered as mydevice_01.)

Purge discovery tasks older than (days)
The number of days to save discovery and device-import tasks. Tasks older than
the number of days you enter are deleted.

Reuse policy objects for inline values
When selected, substitutes any named policy objects, such as IP addresses,
already defined in Security Manager for inline values in the CLI. For more
information on policy objects, see Managing Objects, page 8-1.

Allow Device Override for Discovered Policy Objects
For certain types of objects, selecting this check box enables you to override
the parent object values at the device level. For more information, see
Overriding Global Objects for Individual Devices, page 8-197.

On error, rollback discovery for entire device
When selected, rolls back all discovered policies if even one error is
encountered for a single policy. When deselected, Security Manager keeps the
policies successfully discovered and discards only those policies with errors.
For more information on policy discovery, see Discovering Policies, page 6-7.

Auto-Expand object-groups with prefixes
For more information, see Expanding Object Groups During Discovery,
page 12-49.

Save button
Saves your changes to the Security Manager database.

Reset button
Resets changes to the previously applied values.

Restore Defaults button
Resets values to Security Manager defaults.


IPS Updates Page

Use the IPS Updates page to perform administrative tasks associated with
keeping your sensors up to date with regard to signatures, minor version
updates, and service packs. You can use the IPS Updates page to:

- Monitor update status
- Check the availability of and download updates
- Configure an IPS update server
- Configure automatic update settings

Navigation Path

Select Tools > Security Manager Administration, then click IPS Updates.

Related Topics

- Establishing the IPS Update Server, page 2-78
- Administering IPS Updates, page 2-79
- Automating IPS Updates, page 2-80

Caution: If you did not set Category CLI commands on your IOS IPS device to
select a subset of IPS signatures that the device will attempt to compile,
Security Manager will push CLI commands to enable the IOS IPS Basic category
to prevent the device resources from being overloaded. These CLI commands are
not managed by Security Manager after they are deployed. You can change these
manually on the device to select another set of signatures to compile.


Field Reference

Table A-10 IPS Updates Page

Update Status area
The Update Status area of the IPS Updates page lists the following items:
- Most recent signature and sensor update available on Cisco.com or local
  HTTP server
- Most recent signature and sensor update downloaded to Security Manager
- Most recent signature and sensor update deployed to any device in Security
  Manager
- Time that last check of Cisco.com was performed
- Time that last update was downloaded to Security Manager
- Time that last update was deployed to any of the devices

Check for Updates
When clicked, opens a new window to check sensors for updates. Clicking Start
then initiates the checking process.

Download Latest Updates button
When clicked, downloads the most recent sensor update package and the most
recent signature update package to the Security Manager server if those
packages have not already been downloaded.

Update Server area
The Update Server area of the IPS Updates page contains the settings used to
access Cisco.com or the local server that contains the update packages. The
area lists the following items:
- Get Updates From
- Update Server
- User Name
- Proxy Server

Edit Settings
Opens the Edit Update Server Settings dialog box. For more information, see
Establishing the IPS Update Server, page 2-78.

Auto Update Settings
Contains the settings specific to automatic updates. For more information, see
Automating IPS Updates, page 2-80.


Auto Update Mode
Establishes whether, and to what extent, automatic updates are performed.
Contains the following options:
- Download, Apply, and Deploy Updates
- Disable Auto Update
- Check for Updates
- Download Updates
- Download and Apply Updates

By default, auto update is disabled. The other options are a combination of
one or more of the following operations:
- Check for Updates: The CSM server contacts Cisco.com or the local HTTP
  server to check whether an update is available, and sends email if email
  notification is configured.
- Download Updates: The CSM server downloads the latest updates from
  Cisco.com or the local HTTP server, and sends email notification if
  configured.
- Apply Updates: Modifies the device configuration on the CSM server based on
  the downloaded update package(s).
- Deploy Updates: Sends the applicable update package(s) to the device(s)
  that have Auto Update turned on.

Check for Updates At
Determines when Cisco.com or the local server will be checked for updates.
Time is entered in hh:mm:ss format. After you enable it, a job is scheduled
and runs daily at this time. If the selected Auto Update Mode is Download,
Apply, and Deploy Updates, then the scheduled job will Check for Updates
first, followed by Download, Apply, and Deploy Updates.


Notify Email
Defines the email address to which notifications of automatic updates are
sent. Only one email address can be entered. A notification is sent when an
update meets one of the following conditions:
- Is available for download
- Has been downloaded
- Has been downloaded and applied
- Has been downloaded, applied, and deployed
The notification contains the status of the operation; for example, "An update
was successfully deployed to 12 of 12 devices."

Deploy Updates
Contains the following options:
- When applied
- At the time specified
If When applied is selected, the Time field is disabled. The update is
deployed as soon as it is downloaded. If At the time specified is selected,
the Time field is enabled. The update is deployed at the time entered. If the
download is not completed when the specified deployment time is reached, then
the deployment occurs as soon as the download is completed. By default, this
field is set to When applied. It is always disabled in non-workflow mode,
which means that if Download, Apply, and Deploy Updates is chosen, deployment
to the real devices always happens right after new packages are downloaded
and applied.

Time
Indicates at what time the downloaded update should be deployed to devices.
If the download is not completed when the specified time is reached, the
deployment occurs as soon as the download is complete. This field is
unavailable when "When Downloaded" is selected under Deploy Updates. Time is
entered in hh:mm:ss format.


Apply Update To
A table used to define the auto update properties of the devices. The context
menu and the Edit button both open the Modify Signature Update Policies dialog
box. The left-hand side of the table and the Type drop-down list provide a
quick way to turn on Auto Update settings for devices based on Local
Signatures Policies and Shared Signatures Policies; the right-hand panel,
Devices to be Auto Updated, lists the device(s) with Auto Update turned on.

Type
Allows you to switch between a list of Local Signatures Policies and a list of
Shared Signatures Policies. Signatures are used as a convenient way to select,
group, and turn on/off a device's Auto Update setting. When Shared Signatures
Policies is selected, the shared signature inheritance tree is shown. Each
shared signature policy may have one or more devices assigned to it. If
assigned devices have different Auto Update settings, the check boxes next to
the policy will be partially selected (grayed check box).

Edit Update Server Settings Dialog Box

Use the upper portion of the Edit Update Server Settings dialog box to
configure or edit the configuration of the server for use with IPS updates
performed using auto update. In the lower half of this dialog box, you can
configure or edit the configuration of a proxy server.

Navigation Path

Select Tools > Security Manager Administration, then click IPS Updates and
Edit Settings.

Table A-11 Edit Update Server Settings Dialog Box

(Upper Section: Server Settings)

Update From
Select from the list whether to get updates from Cisco.com or from a local
server. The local server is an HTTP server that you need to set up if you
decide to use it.

IP Address/Host Name
Hostname or IP address of the IPS update web server.


Web Server Port
The port number that your local server listens on. The default value is 80.

User Name
The user name that Security Manager uses when connecting to your local server.
If your local server does not need authentication, then leave this field
blank.

Password
The password that Security Manager uses when connecting to your local server.
If your local server does not need authentication, then leave this field
blank.

Confirm
Re-enter the password. This action verifies that this password matches the
one entered in the previous field.

Path to Update Files
The path to the IPS update files location on your local server. For example,
if update files can be accessed at http://local-server-ip:port/update_files_path/,
then type update_files_path in this text field.

Connect Using HTTPS
When selected, indicates that you are connecting to the IPS update web server
using SSL.

(Lower Section: Proxy Server)

Enable Proxy Server
When selected, indicates that a proxy server is needed to connect to Cisco.com
or to your local server.

IP Address/Host Name
Host name or IP address of the proxy server.

Web Server Port
The port number that the proxy server listens on. The default value is 80.

User Name
The user name that Security Manager uses when connecting to the proxy server.
If the proxy server does not need authentication, then leave this field
blank.

Password
The password that Security Manager uses when connecting to the proxy server.
If the proxy server does not need authentication, then leave this field blank.

Confirm
Re-enter the password. This action verifies that this password matches the
one entered in the previous field.


Modify Signature Update Policies Dialog Box


Use the Modify Signature Update Policies dialog box to configure auto update
options for a device or group of devices in the Apply Update To table. You can
access the Modify Signature Update Policies dialog box from the shortcut menu
and the Edit button.


Licensing Page

The Licensing Page allows you to manage licenses for both Security Manager
and IPS devices. The following tabs are available on the Licensing Page:

- CSM Tab, page A-26
- IPS Tab, page A-27

CSM Tab
From the CSM tab on the Licensing page you can view a record of installed
Security Manager licenses and install new Security Manager licenses from
Cisco.com or from a server to which a new Security Manager license has been
sent.
Navigation Path

Select Tools > Security Manager Administration, then click Licensing and the
CSM tab.
Field Reference

Table A-12 Licensing Page > CSM Tab

License Information
Displays all relevant information about the license registered with the
product: Edition, License Type, Expiration, Number of Licensed Devices,
Number of Devices in Use, and Percentage device count used.

Install License
Displays a record of installed licenses and installation dates.

Install a License button
Enables you to obtain a license file from Cisco.com or from the hard drive.


IPS Tab
From the IPS tab on the Licensing page you can view a record of installed IPS
device licenses, update IPS device licenses from Cisco.com or from local license
files, or redeploy licenses. The IPS license list shows not only current licenses,
but also unlicensed devices, devices with expired licenses, and devices with
invalid licenses.
Navigation Path

Select Tools > Security Manager Administration, then click Licensing and the
IPS tab.
Related Topics

- Updating Licenses via CCO Dialog Box, page A-28
- Redeploying Licenses Dialog Box, page A-29
- Updating Licenses from File Dialog Box, page A-30

Field Reference

Table A-13 Licensing Page > IPS Tab

IPS License Table
License summary displaying all relevant information about the license
registered with the IPS device: Type, Device, Serial Number, Status, and
Expiration date. The IPS license list shows not only current licenses, but
also unlicensed devices, devices with expired licenses, and devices with
invalid licenses.

Update Selected from CCO
Click to update the license file for the selected device(s) by connecting to
CCO. The updated file is automatically applied.

Update from License File
Click to update the license file for the selected device(s) by navigating to
a stored license file. The updated file is automatically applied.

Redeploy Selected License
Click this button when you have obtained an updated license file that was not
applied to the device successfully during the automatic update.


Download and apply licenses automatically
Sets the system to automatically download and apply IPS licenses. To enable
this feature, select the Download and apply licenses automatically check box
and then specify how frequently Security Manager should check for new
licenses using the Check list:
- Daily: Once a day at midnight
- Weekly: Once a week at midnight on Sunday
- Monthly: Once a month at midnight on the first day of the month

Refresh
Click to refresh the data in the IPS license table.

Updating Licenses via CCO Dialog Box

When you click Update Selected via CCO..., the Updating Licenses via CCO
dialog box displays the list of IPS devices that you selected and for which
you can update the license. Only supported devices are displayed.

Navigation Path

Select Tools > Security Manager Administration, then click Licensing and the
IPS tab. Next, select an IPS device in the table, then click Update Selected
via CCO. Click OK.

Field Reference

Table A-14 Updating Licenses via CCO Dialog Box

Device List
A list of IPS devices for which you can update the license through
communication with Cisco.com.
License Update Status Details Dialog Box


The License Update Status Details dialog box displays all relevant information
about the license registered with the IPS device and the details of its update.


Field Reference

Table A-15 License Update Status Details Dialog Box

License Update Status Details
Displays all relevant details about the status of the license update for the
IPS device(s) that was (were) selected for update:
- Summary listing of Status, Devices to be updated (number of devices),
  Devices updated successfully (number of devices), Devices updated with
  errors (number of devices), and a heading that shows who ordered the update
  and when.
- Tabular listing of Type, Device, Status, and Summary
- Tabular listing of Messages and their Severity
- Text listing of Description and Actions taken

Abort
Stops the update.

Close
Closes the License Update Status Details dialog box.

Redeploying Licenses Dialog Box


Use the Redeploying Licenses dialog box to see and confirm a list of IPS devices
for which you are redeploying licenses.
Navigation Path

Select Tools > Security Manager Administration, then click Licensing and the
IPS tab. Select an IPS device in the table, and then click Redeploy Selected
License.

Note: You must deploy the license file to the sensor before you can select
the Redeploy button.


Field Reference

Table A-16 Redeploying Licenses Dialog Box

Device List
A list of IPS devices for which you are redeploying licenses.

Updating Licenses from File Dialog Box


Use the Updating Licenses from File dialog box to update the license for a
particular IPS device when you have a license file stored locally or on your
network.
Navigation Path

Select Tools > Security Manager Administration, then click Licensing and the
IPS tab. Finally, select an IPS device in the table and then click Update from
License File...
Field Reference
Table A-17

Update from License File Dialog Box

Element

Description

License File

Name of local file (obtained by browsing) that contains the license needed to
update a particular IPS device.

Browse

Opens the Choose The License Files dialog box, from which you can
navigate to a particular license file from which to update.

Logs Page
When state changes occur in Security Manager, an event is generated and an audit
entry is created in the audit log. You can display the aggregated results of the audit
entries by defining the parameters in the Audit Report page. The System
Administration Logs page allows you to determine how long to keep log files
archived. For the procedure, see Archiving Log Files, page 2-88.


Navigation Path

Select Tools > Security Manager Administration, then click Logs.


Related Topics

Audit Report Page, page Q-8

Understanding Audit Reports, page 20-7

Field Reference
Table A-18

Logs Page

Element

Description

Keep Audit Log For (days)

The number of days to save audit report entries before deleting them. This
field is used with the Purge Audit Log after (entries) field. Entries are deleted
based on the number of days or entries, whichever maximum is reached first.

Purge Now button

Immediately purges entries older than the number of days specified in the
Keep Audit Log For field.

Purge Audit Log after (entries)

The maximum number of audit report entries to save. This field is used with
the Keep Audit Log For (days) field. Entries are deleted based on the number
of days or entries, whichever maximum is reached first.

Keep Operation Log For (days)

The number of days that Security Manager keeps operation logs before
deleting them. These logs are used for debugging purposes.

Log Level

Specifies the level of information, according to severity, that you would like
collected in the operation logs. Valid choices are Severe, Warning, and Info.
Each level collects different amounts of data. For example, the Info level
yields the most data, and the Severe level collects the least.

Note

If you select the Info level (greatest amount of data), system
performance might be slower than expected.

Save button

Saves your changes to the Security Manager database.

Reset button

Resets changes to the previously applied values.

Restore Defaults button

Resets values to Security Manager defaults.
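The two audit-log limits on this page act together: an entry survives only while it is both younger than Keep Audit Log For (days) and among the newest Purge Audit Log after (entries). The following Python model of that retention rule is an added example, not code from Security Manager; the AuditEntry type, the sample entries in SAMPLE_LOG and the fixed clock NOW are constructed for illustration.

```python
"""Audit-log retention modelled on the Logs page settings.
Added example (not Security Manager code); AuditEntry, SAMPLE_LOG and NOW
are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime   # when the state change was logged
    user: str             # who caused it
    action: str           # what changed


def purge_by_age(entries, keep_days, now):
    """Keep Audit Log For (days): drop every entry older than keep_days.
    This age-only purge is also what the Purge Now button does on its own."""
    cutoff = now - timedelta(days=keep_days)
    return [e for e in entries if e.timestamp >= cutoff]


def purge_by_count(entries, max_entries):
    """Purge Audit Log after (entries): keep only the newest max_entries."""
    newest_first = sorted(entries, key=lambda e: e.timestamp, reverse=True)
    return sorted(newest_first[:max_entries], key=lambda e: e.timestamp)


def apply_retention(entries, keep_days, max_entries, now):
    """Both limits apply; whichever maximum is reached first removes the entry."""
    return purge_by_count(purge_by_age(entries, keep_days, now), max_entries)


# Constructed sample: one entry per listed age in days; the oldest is 90 days old.
NOW = datetime(2024, 1, 31, 12, 0, 0)
SAMPLE_LOG = [
    AuditEntry(NOW - timedelta(days=age), "admin", f"event-{age}")
    for age in (0, 1, 2, 5, 10, 20, 45, 90)
]


def retained_actions(keep_days=30, max_entries=5):
    """Return the actions that survive the Logs page limits, oldest first."""
    kept = apply_retention(SAMPLE_LOG, keep_days, max_entries, NOW)
    return [e.action for e in kept]


if __name__ == "__main__":
    # 30 days removes event-45 and event-90; the 5-entry cap then drops event-20.
    print(retained_actions())
```

Purged entries no longer appear in audit reports, so the two limits should be sized to cover the longest period an investigation is expected to look back over; the workflow-history fields later in this appendix make the same point by recommending a backup before information ages out.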


Policy Management Page


Customizing policy management settings on a Cisco IOS router makes it possible,
for example, to use Security Manager to manage DHCP and NAT policies on
Cisco IOS routers while leaving routing protocol policies, such as EIGRP and
RIP, unmanaged. These settings, which can be modified only by a user with
administrative permissions, apply globally in Security Manager.
Unmanaged policies are removed from both Device view and Policy view. Any
unmanaged policies, local or shared, are removed from the Security Manager
database.
You cannot unmanage a policy type if you have configured and assigned policies
of that type in Security Manager. You must first remove the assignments and then
unassign the policy type. If the configurations defined by those policies have
already been deployed, these configurations are left in place on the devices, but
the policies are no longer stored in the database or accessible from the Security
Manager interface. For the procedure, see Defining Policy Management Settings,
page 2-89.
Navigation Path

Select Tools > Security Manager Administration, then click Policy Management.
Related Topics

Advanced Policy Features, page 6-49

Managing Policies, page 6-1

Managing Routers, page 14-1

Managing Shared Policies in Policy View, page 6-40

Understanding Policies, page 6-1


Field Reference
Table A-19

Policy Management Page

Element

Description

Policies to Manage

Displays the router platform policies that Security Manager manages,
organized by category (NAT, Router Interfaces, and Router Platform). By
default, all policies are selected. Deselected router platform policies are not
managed. Deselecting the check box for a group of policies deselects all
policies in that group.

Note

Unmanaged policies are removed from the Policy selectors in
Device view and Policy view.

Save button

Saves your changes to the Security Manager database.

Reset button

Resets changes to the previously applied values.

Restore Defaults button

Resets values to Security Manager defaults.

Policy Objects Page


Use the Policy Objects page to define these policy object settings:

The warning behavior of Security Manager when identical objects are found.

The default source ports for service objects.

For the procedure, see Defining Policy Object Settings, page 2-91.
Navigation Path

Select Tools > Security Manager Administration, then click Policy Objects.
Related Topics

Managing Objects, page 8-1


Field Reference
Table A-20

Policy Objects Page

Element

Description

When Redundant Objects Detected (Conflict Detection)

Defines the action you want Security Manager to take when you try to create
a policy object that has the same definition as an existing object:

Ignore: You can freely create objects with identical definitions. Any
conflicts are ignored by Security Manager.

Warn: Security Manager displays a warning if you attempt to create an
object that is identical to an existing object. You may proceed to create
the object, if you wish.

Enforce: Security Manager prevents you from creating an object that is
identical to an existing object. An error message is displayed.

For more information, see Guidelines for Managing Objects, page 8-4.
Default Source Ports

Specifies the port range value that is used as the default source port range for
service objects.
You can choose one of the following:

Use all ports: Includes all ports from 1 to 65535.

Use secure ports: Includes all ports from 1024 to 65535.

Note

If you change the default source ports (Use all ports), you must
manually redeploy any previously deployed devices that might be
affected. These changes might not be reflected in any open activities,
until you refresh the data.

For more information on objects, see Understanding Port List Objects,
page 8-150.
Save button

Saves your changes to the Security Manager database.

Reset button

Resets changes to the previously applied values.

Restore Defaults button

Resets values to Security Manager defaults.
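Worked example, added here and not part of Security Manager, of the three conflict-detection modes and the two default source-port ranges described in Table A-20. PolicyObjectStore, canonical_definition and the service definitions are constructed for illustration; the guide does not say how Security Manager itself compares definitions, so treating a definition as an unordered set of fields is an assumption.

```python
"""Conflict detection and default source ports from the Policy Objects page.
Added example, not Security Manager code; the store and the way definitions
are compared are assumptions made for illustration."""
import warnings
from enum import Enum


class ConflictMode(Enum):
    IGNORE = "Ignore"    # duplicates are created silently
    WARN = "Warn"        # a warning is shown, creation proceeds
    ENFORCE = "Enforce"  # creation is refused with an error


class RedundantObjectError(ValueError):
    """Raised in Enforce mode when a definition duplicates an existing object."""


ALL_PORTS = (1, 65535)        # "Use all ports"
SECURE_PORTS = (1024, 65535)  # "Use secure ports"


def canonical_definition(definition):
    """Hashable form of a definition so that equivalent objects compare equal.
    Assumption: field order is irrelevant; list values are compared as tuples."""
    return frozenset(
        (key, tuple(value) if isinstance(value, list) else value)
        for key, value in definition.items()
    )


class PolicyObjectStore:
    def __init__(self, mode, default_source_ports=ALL_PORTS):
        self.mode = mode
        self.default_source_ports = default_source_ports
        self.objects = {}          # name -> definition
        self._names_by_def = {}    # canonical definition -> first object name

    def create_service(self, name, protocol, dest_ports, source_ports=None):
        """Service object; an omitted source range takes the page's default."""
        definition = {
            "protocol": protocol,
            "source_ports": source_ports or self.default_source_ports,
            "dest_ports": dest_ports,
        }
        return self.create(name, definition)

    def create(self, name, definition):
        if name in self.objects:
            raise ValueError(f"object {name!r} already exists")
        key = canonical_definition(definition)
        existing = self._names_by_def.get(key)
        if existing is not None:
            if self.mode is ConflictMode.ENFORCE:
                raise RedundantObjectError(
                    f"{name!r} has the same definition as {existing!r}")
            if self.mode is ConflictMode.WARN:
                warnings.warn(f"{name!r} duplicates {existing!r}", stacklevel=2)
        self.objects[name] = definition
        self._names_by_def.setdefault(key, name)
        return name


def outcome_for(mode):
    """Create 'web', then an identical 'web-dup', and report what the store did."""
    store = PolicyObjectStore(mode)
    store.create_service("web", "tcp", (80, 80))
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            store.create_service("web-dup", "tcp", (80, 80))
        except RedundantObjectError:
            return "rejected"
    return "warned" if caught else "created"


if __name__ == "__main__":
    for mode in ConflictMode:
        print(mode.value, "->", outcome_for(mode))
```

Enforce is the setting that keeps a policy base free of look-alike objects, which matters when reviewing which object a rule actually references; note that the store compares complete definitions, so an object created under Use secure ports is not a duplicate of one created under Use all ports even if everything else matches.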


Server Security Page


Common Services provides the administrative functions that control a user's
access in Security Manager. Security Manager provides access to these functions
through the Server Security page. The buttons on the Server Security page
open the corresponding Common Services functions.
When you log in to Security Manager, your username and password are compared
with the account information stored in the CiscoWorks or Cisco Secure Access
Control Server (ACS) database, depending on which system you established at
installation as your AAA provider. After the authentication of your credentials,
you have access according to the role you have been assigned.
For more information on Security Manager roles and privileges, including
descriptions of how Common Services roles translate to user functions in Security
Manager, see Setting Up User Permissions, page 2-3. For the procedure, see
Working with Server Security, page 2-92.
Navigation Path

Select Tools > Security Manager Administration, then click Server Security.
Related Topics

Default Associations Between Permissions and Roles in Security Manager,
page 2-32

Understanding Cisco Secure ACS Roles, page 2-29

Understanding CiscoWorks Roles, page 2-27

Field Reference
Table A-21

Server Security Page

Element

Description

AAA Setup button

Opens Common Services and displays the AAA Mode Setup page. From this page, you
can set AAA as your fallback sign-on method. For more information about AAA, click
Help from the AAA Mode Setup page.

Certificate Setup button

Opens Common Services and displays the Self-Signed Certificate Setup page.
CiscoWorks enables you to create self-signed security certificates, which you can use to
enable SSL connections between your client browser and management server. For more
information about self-signed certificates, click Help from the Certificate Setup page.
Single Sign-On button

Opens Common Services and displays the Single Sign-On Setup page. With Single Sign
On (SSO), you can use your browser session to transparently navigate to multiple
CiscoWorks servers without having to authenticate to each of them. Communication
between multiple CiscoWorks servers is enabled by a trust mode addressed by
certificates and shared secrets. For more information about setting up SSO, click Help
from the Single Sign-On page.

Local User
Setup

Opens Common Services and displays the Local User Setup page, from which you can
add and delete users, edit user settings, and assign roles or permissions. For more
information, see Default Associations Between Permissions and Roles in Security
Manager, page 2-32.

System Identity Setup

Opens Common Services and displays the System Identity Setup page. Communication
between multiple CiscoWorks servers is enabled by a trust mode addressed by
certificates and shared secrets. System Identity setup helps you to create a trust user on
servers that are part of a multi-server setup. For more information about system identity
setup, click Help from the System Identity Setup page.

Status Page
From the Status page you can enable deployment and Monitoring Center for
Performance to send status updates to Security Manager. You can also access the
Add and Edit Status Providers dialog boxes in order to set up a connection for
these status providers. You can use the Inventory Status window from the Tools
menu to view the events reported by status providers. For more information, and
a procedure to configure status providers, see Working with Status Providers,
page 2-94.
Navigation Path

Select Tools > Security Manager Administration, then click Status.


Related Topics

Add Status Provider Dialog Box, page A-38

Edit Status Provider Dialog Box, page A-39

Inventory Status Window, page Q-6


Understanding Inventory Status, page 20-6

Field Reference
Table A-22

Status Page

Element

Description

Connect Devices Status

Deployment

When selected, displays details about deployment jobs for devices to the
Status tab of the Inventory Status window. Deselect only if you do not want
Deployment to appear as a column in the Inventory Status table. Selected is
the default mode.

Providers table

Provider

Monitoring Center for Performance (Performance Monitor) is the only
external status provider available for monitoring in this release. If more than
one instance is available on different servers, enter a short name or server
name to distinguish one location from another. Each name you enter here
appears as a separate column in the Inventory Status table.

Short name

Nickname, if any, for provider name above.

Status

Pull-down menu allowing you to select Enabled or Disabled. Specifies
whether to enable or disable the display of status reported by the external
status provider. The default is Enabled.

Add provider button (+)

Click to display the Add Status Provider dialog box to configure a new status
provider.

Edit provider button

Click to display the Edit Status Provider dialog box to edit the status
provider settings.

Trash button

Click to discard status provider name and contact information.

Save button

Saves your changes to the Security Manager database.

Reset button

Resets changes to the previously applied values.


Add Status Provider Dialog Box


Use the Add Status Provider dialog box to add Performance Monitor server
contact information, so that Security Manager can check Performance Monitor
event status, and report back, by creating an entry in the Inventory Status table in
the Tools menu.
Navigation Path

Select Tools > Security Manager Administration, then click Status. Click the
Add button (+) to open the Add Status Provider dialog box. For a detailed
procedure, see Working with Status Providers, page 2-94.
Related Topics

Edit Status Provider Dialog Box, page A-39

Inventory Status Window, page Q-6

Status Page, page A-36

Understanding Inventory Status, page 20-6

Field Reference
Table A-23

Add Status Provider Dialog Box

Element

Description

Provider name

The name of the service provider, for example, Performance Monitor. You
can enter up to 128 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following characters: - _ : . and space.

Server

The DNS host and domain names for Performance Monitor. You can enter
up to 128 characters. Valid characters are: 0-9; uppercase A-Z; lowercase
a-z; and the following characters: - _ : . and space. The domain name
resolution requires that you configure at least one DNS name server on
Security Manager. You can configure one or more DNS name servers.
Routable domain names are fully qualified domain names (FQDN).

Note

This field does accept IP addresses.

Short Name

Short name, if any, for provider name above. Valid characters are: 0-9;
uppercase A-Z; lowercase a-z; and the following characters: - _ : . and space.
Port

The port number that Security Manager uses to communicate with
Performance Monitor. The default is 443.

Poll Cycle

The number of minutes the firewall device will wait between polling
Performance Monitor for new information. The default is 600 seconds (5
minutes). Minimum time is 60 seconds.

Username

The username for logging in to Performance Monitor. Maximum length is 70
characters.

Password

The password for logging in to Performance Monitor. In the Confirm field,
enter the password again. Maximum length is 70 characters.

URN

The uniform resource name for Performance Monitor. URN is the name that
identifies the resource on the Internet. URN is part of a URL, for example,
/status/StatusServlet. The full URL could be:
https://<server ip>:443/status/StatusServlet
where:

<server ip> is the IP address of Performance Monitor.

443 is the port number of Performance Monitor.

/status/StatusServlet is the URN of the Performance Monitor.

Status

Select Enabled from the pull-down menu to specify whether Security
Manager needs to poll Performance Monitor for event details and display in
the Inventory Status window. Alternatively, choose Disabled for Security
Manager to stop polling Performance Monitor.

OK

Saves status provider information.
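The Add and Edit Status Provider dialog boxes (Tables A-23 and A-24) share the same field constraints and the same URL shape. The following checker, an added example rather than Security Manager code, validates a provider entry against those constraints and assembles the polling URL from Server, Port and URN. StatusProvider and its field names are constructed; the port range check and the requirement that the URN begin with a slash are assumptions not stated in the guide.

```python
"""Field validation for a Status Provider entry (Tables A-23 / A-24).
Added example, not Security Manager code; StatusProvider is a constructed type."""
import re
from dataclasses import dataclass

# Valid characters from the field reference: 0-9, A-Z, a-z, - _ : . and space; up to 128.
NAME_RE = re.compile(r"[0-9A-Za-z\-_:. ]{1,128}")
MAX_CREDENTIAL_LEN = 70   # Username and Password limits
MIN_POLL_SECONDS = 60     # Poll Cycle minimum


@dataclass
class StatusProvider:
    provider_name: str
    server: str                        # DNS name, or an IP address
    port: int = 443
    poll_cycle_seconds: int = 600
    username: str = ""
    password: str = ""
    urn: str = "/status/StatusServlet"
    short_name: str = ""
    enabled: bool = True

    def validate(self):
        """Return a list of problems; an empty list means the entry is acceptable."""
        problems = []
        for label, value in (("Provider name", self.provider_name),
                             ("Server", self.server),
                             ("Short Name", self.short_name)):
            # Short Name is optional, so an empty value is allowed there.
            if value == "" and label == "Short Name":
                continue
            if not NAME_RE.fullmatch(value):
                problems.append(f"{label}: 1-128 characters from 0-9 A-Z a-z - _ : . and space")
        if not 1 <= self.port <= 65535:   # assumption: ordinary TCP port range
            problems.append("Port: must be between 1 and 65535")
        if self.poll_cycle_seconds < MIN_POLL_SECONDS:
            problems.append(f"Poll Cycle: minimum is {MIN_POLL_SECONDS} seconds")
        for label, value in (("Username", self.username), ("Password", self.password)):
            if len(value) > MAX_CREDENTIAL_LEN:
                problems.append(f"{label}: maximum length is {MAX_CREDENTIAL_LEN} characters")
        if not self.urn.startswith("/"):   # assumption: URN is the path part of the URL
            problems.append("URN: must begin with '/'")
        return problems

    def url(self):
        """https://<server>:<port><urn>, the form shown in the URN description."""
        return f"https://{self.server}:{self.port}{self.urn}"


if __name__ == "__main__":
    entry = StatusProvider("Performance Monitor", "pm.example.net", username="poller")
    print(entry.validate(), entry.url())
```

Validating before saving catches the mistakes that otherwise surface only as a silent absence of status in the Inventory Status window: a name with a disallowed character, a poll cycle under the 60-second floor, or a URN that does not form a valid path. The checker also accepts a dotted IP address in Server, consistent with the note that the field accepts IP addresses.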

Edit Status Provider Dialog Box


Use the Edit Status Provider dialog box to revise Performance Monitor contact
information you have entered using the Add Status Provider dialog box.


Navigation Path

Select Tools > Security Manager Administration, then click Status. Click the
Edit button to open the Edit Status Provider dialog box. For a detailed procedure
see Working with Status Providers, page 2-94.
Related Topics

Add Status Provider Dialog Box, page A-38

Inventory Status Window, page Q-6

Status Page, page A-36

Understanding Inventory Status, page 20-6

Field Reference
Table A-24

Edit Status Provider Dialog Box

Element

Description

Provider name

The name of the service provider, for example, Performance Monitor. You
can enter up to 128 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following characters: - _ : . and space.

Server

The DNS host and domain names for Performance Monitor. You can enter
up to 128 characters. Valid characters are: 0-9; uppercase A-Z; lowercase
a-z; and the following characters: - _ : . and space. The domain name
resolution requires that you configure at least one DNS name server on
Security Manager. You can configure one or more DNS name servers.
Routable domain names are fully qualified domain names (FQDN).

Note

This field does accept IP addresses.

Short Name

Short name, if any, for provider name above. Valid characters are: 0-9;
uppercase A-Z; lowercase a-z; and the following characters: - _ : . and space.

Port

The port number that Security Manager uses to communicate with
Performance Monitor. The default is 443.

Poll Cycle

The number of minutes the firewall device will wait between polling
Performance Monitor for new information. The default is 600 seconds (5
minutes). Minimum time is 60 seconds.

Username

The username for logging in to Performance Monitor. Maximum length is 70
characters.

Password

The password for logging in to Performance Monitor. In the Confirm field,
enter the password again. Maximum length is 70 characters.

URN

The uniform resource name for Performance Monitor. URN is the name that
identifies the resource on the Internet. URN is part of a URL, for example,
/status/StatusServlet. The full URL could be:
https://<server ip>:443/status/StatusServlet
where:

<server ip> is the IP address of Performance Monitor.

443 is the port number of Performance Monitor.

/status/StatusServlet is the URN of the Performance Monitor.

Status

Select Enabled from the pull-down menu to specify whether Security
Manager needs to poll Performance Monitor for event details and display in
the Inventory Status window. Alternatively, choose Disabled for Security
Manager to stop polling Performance Monitor.

OK

Saves status provider information.

Take Over User Session Page


A user with administrative privileges can take over the work of another user from
the Take Over User Session page in non-Workflow mode. This feature is useful
when a user is working on devices and policies, causing the devices and policies
to be locked, and another user needs access to the same devices and policies. For
the procedure, see Taking Over Another User's Work, page 2-96.
Navigation Path

Select Tools > Security Manager Administration, then click Take Over User
Session.


Related Topics

Activities and Multiple Users, page 7-5

Understanding Activities, page 7-2

Understanding Activity States, page 7-5

Field Reference
Table A-25

Take Over User Session Page

Element

Description

User

The usernames of the persons whose session you might take over.

Session State

Displays the state of the activity. See Understanding Activity States, page 7-5 for a
list of valid states.

Take over session button

Transfers changes made by the selected user to the currently logged in user. Any
changes that have not already been committed are discarded.
Note

If the selected user is logged in at the time changes are taken over, the user
receives a warning message, loses the changes in progress, and then is logged
out.

Token Management Page


Security Manager uses FTP to deploy the configuration file to the Token
Management System (TMS) server, from which it can be downloaded and
encrypted onto an eToken. Security Manager uses the server settings and
passwords you provide to connect to the designated TMS server. For the
procedure, see Defining TMS (Token Management System) Settings, page 2-97.

Note

To use TMS with Cisco IOS routers, you must specify TMS as the transport
protocol in the device properties. (This is set by going to Device properties > DCS
settings > Transport protocols. See Working with Device Policies, page 5-54.)
You must also configure the TMS server as an FTP server, otherwise deployment
will fail.


Navigation Path

Select Tools > Security Manager Administration, then click Token Management.
Related Topics

Device Communication Page, page A-10

Preparing the Devices for Security Manager to Manage, page 5-2

Understanding Deployment Methods, page 18-11

Field Reference
Table A-26

Token Management Page

Element

Description

Server Name or IP Address

The hostname or IP address for the TMS server.

Username

Enter the username Security Manager uses to sign on to the TMS server.

Password

Enter the password Security Manager uses to sign on to the TMS server.

Confirm Password

Re-enter the password. This action verifies that this password matches the one
entered in the previous field.

Directory in the TMS for Config Files

Enter the directory on the TMS server where deployed configuration files will be
downloaded. The . character is the default FTP location on the TMS server.

Public Key File Location

Location of the public and private key files on the Security Manager server, as
copied from the TMS server. Security Manager uses the public key to encrypt
data sent to the TMS server. Then the server uses its private key to decrypt the
data. Security Manager comes with a default public key that matches the default
private key on the server.

Note

If needed, you can generate a new pair of public and private keys using
the TMS server. If you do this, you need to copy the new public key to
the Security Manager server.

Save button

Saves and applies changes.

Reset button

Resets changes to the last saved values.

Restore Defaults button

Resets values to Security Manager defaults.

VPN Policy Defaults Page


The VPN Policy Defaults page has eight tabs (see Table A-27). The tab you choose
depends on the policy type or parameter for which you want to configure the
policy defaults. For the procedure to configure VPN policy defaults, see
Configuring VPN Policy Defaults, page 2-98.

Note

To use this page to set a default VPN policy, you must have previously defined an
applicable shared VPN policy.
Navigation Path

Select Tools > Security Manager Administration, then click VPN Policy Defaults.
Related Topics

Configuring VPN Policy Defaults, page 2-98

Understanding VPN Default Policies, page 9-12


Field Reference
Table A-27

VPN Policy Defaults Page

Element

Description

Tabs

The VPN Policy Default page in the Security Manager Administration section presents
eight tabbed areas. Six of these tabs are for the following VPN technologies:

DMVPN

Large Scale DMVPN

Easy VPN

IPsec/GRE

GRE Dynamic IP

Regular IPsec

The other two tabs on this page cover default settings for S2S (site-to-site) Endpoints
and Remote Access.
DMVPN tab

Lists the six policy types for the DMVPN (Dynamic Multipoint VPN) VPN technology,
and shows the name of the current default policy for each policy type. The types include
the following:

GRE (DMVPN)

IKE Proposal

IPsec Proposal

Preshared Key

Public Key Infrastructure

VPN Global Settings

Large Scale DMVPN tab

Lists the six policy types for the Large Scale DMVPN VPN technology, and shows the
name of the current default policy for each policy type. The types include the following:

GRE (Large Scale)

IKE Proposal

IPsec Proposal

Preshared Key

Public Key Infrastructure

VPN Global Settings

Easy VPN tab

Lists the seven policy types for the Easy VPN technology, and shows the name of the
current default policy for each policy type. The types include the following:

Client Connection Characteristics

Easy VPN IPsec Proposal

IKE Proposal

PIX7.0/ASA Tunnel Group Policy

Public Key Infrastructure

User Group Policy

VPN Global Settings

IPsec/GRE tab

Lists the six policy types for the IPsec/GRE VPN technology, and shows the name of
the current default policy for each policy type. The types include the following:

GRE (GRE Method)

IKE Proposal

IPsec Proposal

Preshared Key

Public Key Infrastructure

VPN Global Settings

GRE Dynamic IP tab

Lists the six policy types for the IPsec/GRE VPN technology, and shows the name of
the current default policy for each policy type. The types include the following:

GRE (Dynamic IP)

IKE Proposal

IPsec Proposal

Preshared Key

Public Key Infrastructure

VPN Global Settings

Regular IPsec tab

Lists the five policy types for regular IPsec VPN technology, and shows the name of the
current default policy for each policy type. The types include the following:

IKE Proposal

IPsec Proposal

Preshared Key

Public Key Infrastructure

VPN Global Settings

S2S Endpoints tab

Presents drop-down lists for Internal and External endpoints, each of which you can
configure to:

All Interfaces

Internal

External

(Policy Type Drop Down List)

Lists the policies that are available to be set as the default policy for each policy type.
Until you have created new, shared, VPN policies, only Factory Default is listed.

View Content

Opens the detailed specification page for each VPN policy.

Save button

Saves and applies changes.

Reset button

Resets changes to the last saved values.

Restore Defaults button

Resets all policy values to Security Manager (factory) defaults.

Workflow Page
Security Manager workflow mode has two main modes:

Workflow mode (with and without approvers)

Non-Workflow mode (default)

The workflow mode you choose depends on your organizational structure and the
level of control you wish to have over changes to the network. For the procedure
to enable or disable Workflow mode, see Selecting a Workflow Mode, page 2-56.
Navigation Path

Select Tools > Security Manager Administration, then click Workflow.


Related Topics

Managing Activities, page 7-1

Managing Deployment, page 18-1

Field Reference
Table A-28

Workflow Page

Element

Description

Workflow Control

Enable Workflow

Select to enable Workflow mode. When Workflow mode is enabled, you can
select whether to have an approver for activities and jobs. See the fields
below. For information on the differences between workflow modes, see
Working in Workflow Mode, page 2-56.

Require Activity Approval

Automatically selected when you select Enable Workflow. Deselect to
disable activity approval. If the check box is selected, an approver is
required. A deselected check box means no approver is necessary. For more
information about the differences between working with and without an
approver, see Activity Approval, page 7-3.

Require Deployment Approval

Automatically selected when you select Enable Workflow. Deselect to
disable deployment job approval. If the check box is selected, an approver is
required. A deselected check box means no approver is necessary. For more
information about the differences between working with and without an
approver, see Understanding Deployment, page 18-1.

Default Approvers

Sender Email

Enter the default email address for the person submitting the activity. A
standard entry in the Sender field ensures that email is still delivered when
the sender does not have the required permission set. For more information,
see Submitting an Activity for Approval, page 7-14.

Activity Approval Email

Enter the default email address for the person responsible for approving
activities. Only one approver email can be entered. If necessary, you can
replace the default email address with a different one when submitting an
activity to an approver. For more information, see Submitting an Activity for
Approval, page 7-14.

Job Approval Email

Enter the default email address for the person responsible for approving
deployment jobs. Only one approver email can be entered. If necessary, you
can replace the default email address with a different one when submitting
an activity to an approver. For more information, please see Submitting
Deployment Jobs, page 18-54.

Workflow History

Keep Activity for (days)

Do one of the following:

Enter the number of days that activity information is kept in the Activity
table. Valid values are 1-180 days. The default is 30 days.

Note

To keep information longer than the maximum number of days,
you need to perform a backup. For more information, see
Backup and Restore, page 20-25.

Click Purge Now to delete all activities older than the number of days
specified in the Keep Activity for (days) field.

Keep Job for (days)

Do one of the following:

Enter the number of days that job deployment information is kept in the
Deployment table. Valid values are 1-180 days. The default is 30 days.

Note

To keep information longer than the maximum number of days,
you need to perform a backup. For more information, see
Backup and Restore, page 20-25.

Click Purge Now to delete all jobs older than the number of days
specified in the Keep Job for (days) field.

Save button

Saves your changes to the Security Manager database.

Reset button

Resets changes to the previously applied values.

Restore Defaults button

Resets values to Security Manager defaults.


APPENDIX B

Map View User Interface Reference


These topics describe the pages, dialog boxes, and menus you can use when in
Map view:

Map View Main Page, page B-1

Map Elements, page B-3

Map Toolbar, page B-5

Navigation Window, page B-6

Maps Menus, page B-7

Dialog Boxes, page B-12

Map View Main Page


Figure B-1 identifies the functional areas of the Map view main page. For more
information about these functional areas, see the Related Topics section.
Navigation Path

To open the Map view main page, click the Map View button in the toolbar.
Undocking the Map view also activates it (select Map > Undock Map View).
Related Topics

Map Menu, page 3-14

Menu Bar Reference, page 3-10

Toolbar Reference, page 3-19



Map Toolbar, page B-5

Map Elements, page B-3

Navigation Window, page B-6

Using Selectors, page 3-20

Figure B-1 Map View Main Page (callouts: menu bar, navigation window, map
toolbar, map)


Map Elements
A map is a visual representation of your network, or a portion of it. For more
information about maps, see Working With Maps, page 4-2. To open a map, see
Opening Maps, page 4-4.
These tables describe the elements that can appear on a map:

Table B-1 describes the device nodes that can appear on a map. These
elements are managed by Security Manager.

Table B-2 describes the map objects that can appear on a map. These
elements are not managed by Security Manager.

Table B-3 describes the map element indicators that can appear with a device
node.

Table B-1 Device Node Types

Node Type

Description

Firewall

When you select a device, its security contexts are highlighted.

Firewall security context

When you select a security context, the parent device is highlighted. The
dotted outline distinguishes the icon as a security context.

Adaptive Security Appliance

When you select a device, its security contexts are highlighted.

Adaptive Security Appliance security context

When you select a security context, the parent device is highlighted. The
dotted outline distinguishes the icon as a security context.

Router

Router or VPN concentrator.

Catalyst 6500/7600

When you select a Catalyst 6500/7600 device node, any Firewall Services
Modules contained in it are highlighted.

Catalyst 6500/7600 Firewall Services Module (FWSM)

When you select a Firewall Services Module, the security contexts it
contains are highlighted on the map.

Catalyst 6500/7600 FWSM security context

When you select a security context, the parent device is highlighted. The
dotted outline distinguishes the icon as a security context.

IPS Sensor or Security Service Module

An IPS sensor.

VPN connection

Any type of VPN connection.

Table B-2 Map Object Types

Node Type

Description

Unmanaged firewall

Unmanaged firewall device.

Unmanaged router

Unmanaged router.

Network

Network with a specified address space.

Host

Network host. Examples: CSA, Syslog Server, CA Server, AAA Host.

Cloud

An unspecified group of map objects that provides connectivity between
specified nodes.

Layer 3 link

Layer 3 network connection.

Table B-3 Map Element Indicators

Indicator

Description

Linked map

Node is linked to another map.

Map Toolbar

Table B-4 describes the buttons on the map toolbar.

Table B-4 Map Toolbar

Toolbar Button

Description

Selects objects on the map. Click the button, then click items on the map.

Pans the map. Click the button, click and hold on the map, then drag the
cursor.

Zooms in on the map.

Zooms out from the map.

Zooms the map to fill a rectangle that you draw.

Zooms the map to include the entire open map.

Zooms the map to actual size.

Creates a new Security Manager-managed node. After you create the new device
in the inventory, it is added to the active map as a device node.

Adds a new map object to the open map.

Adds a new link to the open map.

Creates a new VPN connection between nodes on the open map.

Selects devices to show on the map as device nodes.

Selects VPNs to show on the map.

Navigation Window
The navigation window displays a smaller version of the entire active map. The
shaded rectangle defines the area of the map that is currently displayed.


Use the navigation window to select the portion of the map to view, and to change
the map zoom level.

To toggle the display of the navigation control, select Map > Hide/Show
Navigation Window.

To pan the navigation control to select which portion of the map to display,
click the shaded rectangle and drag it to a new location.

To change the zoom level, click one of the resizing handles in the corners of
the shaded rectangle, then drag it to increase or decrease the area of the map
to display. The map zooms to display the area covered by the map indicator.

The title bar in the navigation window displays the name of the map. If the map
has unsaved changes, an asterisk (*) appears next to the map name.

Maps Menus
The following topics describe the menus that contain maps commands. To open
the context menus, right-click map elements.

Maps Menus, page B-7

Managed Device Node Context Menu, page B-7

Multiple Selected Nodes Context Menu, page B-9

VPN Connection Context Menu, page B-10

Layer 3 Link Context Menu, page B-10

Map Object Context Menu, page B-11

Map Background Context Menu, page B-11

Managed Device Node Context Menu


The Managed Device Node context menu opens when you right-click a map node
that represents a managed device.


Table B-5 Managed Device Node Context Menu

Menu Command

Description

Edit Firewall Policies

Edits firewall policies on the device. Select a firewall policy type from
the submenu to edit it.

Edit Firewall Settings

Edits firewall settings on the device. Select a setting from the submenu to
edit it.

Edit VPN Peers

Edits peers in VPNs in which the device participates.

Edit VPN Policies

Edits VPN policies on the device.

Device Properties

Displays device properties.

Catalyst Device Manager

Manages Catalyst 6500 and 7600 series devices.

Show Containment

Shows the security contexts and service modules in devices that have them.

Clone Device

Clones the device. See Cloning a Device, page 5-55 for more information.

Copy Policies Between Devices

Copies policies between the device and other devices. See Copying Policies
Between Devices, page 6-23.

Share Device Policies

Shares device local policies.

Show in Device View

Launches the Device View for the selected device.

Device Manager

Launches the Device Manager. See Device Managers, page 21-2.

Inventory Status

Displays the Inventory Status window for the device. See Inventory Status
Window, page Q-6.

Show VPN Peers

Shows peers in VPNs in which the device participates.

Preview Configuration

Previews the device configuration with all committed changes included.

Node Properties

Displays node properties.

Set Linked Map

Creates a link from this node to another map.

Open Linked Map

Opens the map that is linked to the node.

Discover Policies on Device

Discovers policies on the device.

Move To Center

Pans the map to display the node in the center.

Delete Device

Deletes the device from the device inventory.

Remove from Map

Removes the node from the map.

Multiple Selected Nodes Context Menu

The Multiple Selected Nodes context menu opens when you select more than one
map node, then right-click a selected node.
If any of the selected nodes is not VPN-capable, the commands to configure
VPNs do not appear.

Table B-6 Multiple Selected Nodes Context Menu

Menu Command

Description

Create Point to Point VPN

Creates a point-to-point VPN between two selected devices. All selected
nodes must be managed and VPN-capable.

Create Hub and Spoke VPN

Creates a hub-and-spoke VPN that includes the selected nodes. The node that
you right-click becomes the VPN hub. All selected nodes must be managed and
VPN-capable.

Create Meshed VPN

Creates a full mesh VPN that includes the selected nodes. All selected nodes
must be managed and VPN-capable.

Remove Selected Nodes

Removes all selected device nodes. Appears only if you right-click a
selected device node.

Delete Map Objects

Deletes all selected map objects. Appears only if you right-click a selected
map object.


VPN Connection Context Menu


The VPN Connection context menu opens when you right-click on a VPN
connection on the map.
Table B-7 VPN Connection Context Menu

Menu Command

Description

Edit VPN Peers

Edits the peers in the VPN. For more information, see Editing VPN Peers
From the Map, page 4-32.

Edit VPN Policies

Edits the VPN policies. For more information, see Editing VPN Policies From
the Map, page 4-31.

Layer 3 Link Context Menu


The Layer 3 Link context menu opens when you right-click on a layer 3 link on
the map.
Table B-8

Layer 3 Link Context Menu

Menu Command

Description

Link Properties

Displays the link properties.

Delete Link

Deletes the link from the map.


Map Object Context Menu


The Map Object context menu opens when you right-click a map object that does
not represent a managed device.
Table B-9

Map Object Context Menu

Menu Command

Description

Node Properties

Displays the node properties.

Move To Center

Pans the map to display the node in the center.

Set Linked Map

Links the node to a map.

Open Linked Map

Opens the map to which the node is linked.

Delete Map Object

Deletes the map object.

Map Background Context Menu


The Map Background context menu opens when you right-click in the background
area of a map, that is, not on any object or link.
Table B-10 Map Background Context Menu

Menu Command

Description

Show Devices on Map

Selects the managed devices to show on the map.

Show VPNs on Map

Selects the VPNs to display on the map.

Add Map Object

Adds a map object to the map.

Add Link

Adds a Layer 3 link to the map.

New Device

Creates a new managed device and adds it to the map as a device node.

New VPN

Creates a new VPN and adds it to the map.

Find Map Node

Finds nodes on the map.

Open Map

Opens a saved map.

Save Map

Saves the open map.

Show/Hide Navigation Window

Toggles the display of the navigation window on the map.

Map Properties

Displays the properties of the map.

Hierarchical layout

Arranges the network nodes in a hierarchical layout.

Radial layout

Arranges the network nodes in a radial layout.

Circular layout

Arranges the network nodes in a circular layout.

Dock/Undock Map

Docks or undocks the Map view.

Dialog Boxes
The following topics describe the Map view dialog boxes:

Open Map Dialog Box, page B-13

Save Map As Dialog Box, page B-13

Delete Map Dialog Box, page B-14

Find Node Dialog Box, page B-15

Map Settings Dialog Box, page B-16

Select Color Dialog Box, page B-17

Import Background Image Dialog Box, page B-18

Set Linked Map Dialog Box, page B-19

Link Properties Dialog Box, page B-19

Select Interfaces Dialog Box, page B-20

Add Link Dialog Box, page B-21

Node Properties Dialog Box, page B-22

Add Map Object and Node Properties Dialog Boxes, page B-22

Interface Properties Dialog Box, page B-23

Select Policy Object Dialog Box, page B-24

Show Devices on Map Dialog Box, page B-25

Show VPNs on Map Dialog Box, page B-26


Show VPN Peers Dialog Box, page B-26

VPN Peers Dialog Box, page B-27

Select VPN to Configure Dialog Box, page B-28

Open Map Dialog Box


Use the Open Map dialog box to open a saved map.
Navigation Path

To open this dialog box, select Map > Open Map.


Related Topics

Opening Maps, page 4-4

Field Reference
Table B-11

Open Map Dialog Box

Element

Description

Available Maps

Lists the maps saved on the system and the Default map. Select the map to
open.

Selected Map

Displays the selected map.

Open button

Opens the selected map.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Save Map As Dialog Box


Use the Save Map As dialog box to save a new map or to save a copy of the current
map with a new name.


Navigation Path

To open this dialog box, do one of the following:

Open a new map and select Map > Save Map.

Select Map > Save Map As.

Related Topics

Saving Maps, page 4-4

Field Reference
Table B-12

Save Map As Dialog Box

Element

Description

Map Name

The name for the map. The map name can be as long as 256 characters, but
cannot be the reserved names Default Map or New Map.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Delete Map Dialog Box


Use the Delete Map dialog box to delete maps. Deleting a map does not delete any
devices from the inventory.
Navigation Path

To open this dialog box, select Map > Delete Map.


Related Topics

Deleting Maps, page 4-5


Field Reference
Table B-13

Delete Map Dialog Box

Element

Description

Available Maps

Lists the maps that you can delete. Select the map to delete.

Selected Map

Lists the selected map.

OK button

Deletes the selected map.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Find Node Dialog Box


Use the Find Node dialog box to find a node on the open map.
Navigation Path

To open this dialog box, select Map > Find Map Node.
Related Topics

Searching for Map Elements, page 4-10

Field Reference
Table B-14

Find Node Dialog Box

Element

Description

Name

Enter the name, or a portion of the name, of the node to find.


The node list is filtered to display only the nodes whose names begin with
the entered text.

Interface IP Address

Enter the IP address, or a portion of the IP address, of the node to find.


The node list is filtered to display only the nodes whose IP addresses match
the entered address.

Type

Lists node types. Select a node type from the list.


The node list is filtered to display only the nodes of the selected node type.


Node list

Displays the list of nodes on the map that match the criteria entered in the
Name, IP address, and Type fields.
Select a node and click OK to find it on the map.

OK button

Closes the dialog box and highlights the selected node on the map.
The selected node is highlighted and appears in the center of the map.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Map Settings Dialog Box


Use the Map Settings dialog box to set the background for the active map.
Navigation Path

To open this dialog box, select Map > Map Properties, or select Map
Properties from the map background context menu.
Field Reference
Table B-15 Map Settings Dialog Box

Element

Description

Available Background Images

Lists the images that are available for use as background images for the
map. Select an image to set it as the map background. Select none to remove
the map's background image.

Add button

Imports a new image file, making it available as a background image. The
Import Background Image dialog box opens (see Import Background Image Dialog
Box, page B-18).

Remove button

Removes the selected background image file.

Selected Background Image

Displays the selected background image, or an asterisk if none is selected.

Change Background Color

Displays the background color of the map.

Select button

Selects a background color for the map. The Select Color dialog box opens.

Map X

Sets the X-axis coordinate of the background image's top left corner.

Map Y

Sets the Y-axis coordinate of the background image's top left corner.

Scale

Sets the scale of the background image.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Select Color Dialog Box


Use the Select Color dialog box to set the background color for the active map.
Navigation Path

To open this dialog box, click Select in the Map Settings dialog box.
Field Reference
Table B-16 Select Color Dialog Box

Tab or Element

Description

Swatches tab

Enables you to set the background color by picking from swatches. Click a
color swatch to select it.

HSB tab

Enables you to set the background color by setting HSB (hue, saturation,
and brightness) values.

RGB tab

Enables you to set the background color by setting RGB (red, green, and
blue) values.

Preview pane

Displays a preview of the selected color.

Reset button

Resets the background color.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Import Background Image Dialog Box


Use the Import Background Image dialog box to import an image into the library
of map background images.
You can import background images of the following file formats: JPEG, GIF,
PNG, IVL, and SVG. Before importing a background image, you must transfer the
image to the Security Manager server file system by accessing the server directly.
For security reasons, Security Manager does not provide a way to transfer files to
the server.
Navigation Path

To open this dialog box, click the Add button in the Map Settings dialog box.
Field Reference
Table B-17

Import Background Image Dialog Box

Element

Description

Image Name

Displays the name of the image to add.


Enter a filename, including the full path.

Browse button

Enables you to browse for image files on the Security Manager server.

OK button

Adds the image to the server, where it is immediately available to all clients,
and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Set Linked Map Dialog Box


Use the Set Linked Map dialog box to link a map element to an existing map. You
must create the map before you can link to it.
Navigation Path

To open this dialog box, select Set Linked Map from a map node context menu.
Related Topics

Using Linked Maps, page 4-11

Field Reference
Table B-18

Set Linked Map Dialog Box

Element

Description

Available Topology
Maps

Displays the maps that are available for selection. Select the map to link to
this node.

Selected Linked Map

The map you selected.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Link Properties Dialog Box


Use the Link Properties dialog box to view a Layer 3 link's properties.
Navigation Path

To open this dialog box, select Link Properties from a Layer 3 link context menu.
Related Topics

Displaying Layer 3 Links on the Map, page 4-21


Field Reference
Table B-19

Link Properties Dialog Box

Element

Description

Source Node

Displays the name and type of the link source node.

Source Interface

Lists the interfaces configured on the source node.

Destination Node

Displays the name and type of the link destination node.

Destination Interface

Lists the interfaces configured on the destination node.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Select Interfaces Dialog Box


Use the Select Interfaces dialog box to create a new Layer 3 link on the map.
Navigation Path

To open this dialog box, select Map > Add Link (the cursor changes to a
crosshair icon), click one of the link endpoint nodes on the map, then click
the other link endpoint node.
Related Topics

Displaying Layer 3 Links on the Map, page 4-21

Field Reference
Table B-20 Select Interfaces Dialog Box

Element

Description

Source Device

Displays the name and type of the link source device.

Source Interface

Lists the interfaces configured on the source device. Select a source
interface from the list to change the source interface.

Destination Device

Displays the name and type of the link destination device.

Destination Interface

Lists the interfaces configured on the destination device. Select a
destination interface from the list to change the destination interface.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Add Link Dialog Box


Use the Add Link dialog box to select how to represent the Layer 3 link that you
are adding to the map.
The contents of the Add Link dialog box vary according to which nodes and
interfaces you are connecting. Select the check boxes for each intermediary map
object (network or cloud) that you want to insert between the connected nodes.
Navigation Path

This dialog box might open when you add a link between nodes, depending on
which interfaces you select to connect.
Field Reference
Table B-21

Add Link Dialog Box

Element

Description

Network check boxes

Represent the intermediary networks that you can include in the link.
Select the networks to include.

Cloud check boxes

Represent the intermediary network clouds that you can include in the link.
Select the clouds to include.

OK

Saves your changes locally on the client and closes the dialog box.

Cancel

Closes the dialog box without saving your changes.



Help

Opens help for this dialog box.

Node Properties Dialog Box


Use the Node Properties dialog box to view the properties of a managed node.
Navigation Path

To open this dialog box, select Node Properties from a map node context menu.
Field Reference
Table B-22

Node Properties Dialog Box

Element

Description

Name

Displays the node name.

Type

Displays the node type.

Interface IP Address

Lists the node interfaces and their IP addresses.

Close button

Exits the dialog box.

Help button

Opens help for this dialog box.

Add Map Object and Node Properties Dialog Boxes


Use the Add Map Object dialog box to add an object to the map. Use the Node
Properties dialog box to edit map object properties. These dialog boxes are
identical except for their titles.
Navigation Path

To open the Add Map Object dialog box, select Map > Add Map Object.

To open the Node Properties dialog box, select Node Properties from a map
object context menu.


Field Reference
Table B-23 Add Map Object and Node Properties Dialog Boxes

Element

Description

Name

Displays the name of the map object. Enter a name for a new map object.

Copy Policy Object button

Click to browse for a policy object to use as the basis for the map object.
The Select Policy Object dialog box opens.

Type list

Lists the available object types. Select an object type.

Interfaces table

Lists the interfaces on the node. Select an interface to edit it.

Add button

Adds an interface to the node. The Interface Properties dialog box opens.

Edit button

Edits the selected interface. The Interface Properties dialog box opens.

Remove button

Removes the selected interface.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Interface Properties Dialog Box


Use the Interface Properties dialog box to add and edit interfaces on map objects.
Navigation Path

To open this dialog box, click the Add or Edit button in the Add Map Object or
Node Properties dialog boxes.


Field Reference
Table B-24

Interface Properties Dialog Box

Element

Description

Interface Name

Displays and edits the interface name.

Interface IP Addr/Mask

Displays and edits the interface IP address and network mask.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Select Policy Object Dialog Box


Use the Select Policy Object dialog box to add an object to the map that is based
on a building block.
Navigation Path

To open this dialog box, click Copy Policy Object in the Add Map Object dialog
box.
Field Reference
Table B-25 Select Policy Object Dialog Box

Element

Description

Select a Policy Object

Displays the building block types that you can use for a map object. Select
the building block type to use.

Policy object text box (field name depends on the object type you selected)

The name of the policy object to use. Click Select to select a policy object
from a list of existing objects.

Select button

Opens a list of existing policy objects of the selected type from which you
choose the object to use.

OK

Saves your changes locally on the client and closes the dialog box.

Cancel

Closes the dialog box without saving your changes.

Help

Opens help for this dialog box.


Show Devices on Map Dialog Box


Use the Show Devices on Map dialog box to select which devices to display on
the active map.
Navigation Path

To open this dialog box, select Map > Show Devices on Map, then click on the
map.
Field Reference
Table B-26

Show Devices on Map Dialog Box

Element

Description

Filter

Filters the device list to match filter criteria. You can modify existing
filters and create new filters. For more information, see Filtering Items in
Selectors, page 3-21.

Available Devices list

Lists devices that are available to add to the map. Select devices to
display in the map. Select a device group to select all of its member
devices.

>> button

Adds devices that you selected in the Available Devices list to the Selected
Devices list.

<< button

Removes devices that you selected in the Selected Devices list.

Selected Devices list

Lists devices that are selected to appear on the map.


Select devices to remove from the map. Select a device group to select all of
its member devices.

OK button

Saves your changes locally on the client and closes the dialog box.
The map is updated to display only the devices that you have selected to
display.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Show VPNs on Map Dialog Box


Use the Show VPNs on Map dialog box to select VPNs to display on the active
map.
Navigation Path

To open this dialog box, select Map > Show VPNs on Map.
Field Reference
Table B-27

Show VPNs on Map Dialog Box

Element

Description

Available VPNs list

Lists VPNs that are available to add to the map.


Select VPNs that you want to display in the map. Select a VPN group to
select all of its member VPN subgroups and VPNs.

>> button

Adds VPNs that are selected in the Available VPNs list to the Selected VPNs
list.

<< button

Removes VPNs that are selected in the Selected VPNs list.

Selected VPNs list

Lists VPNs that are selected to appear on the map.


Select VPNs to remove from the map. Select a VPN group to select all of its
member VPN subgroups and VPNs.

OK button

Saves your changes locally on the client and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Show VPN Peers Dialog Box


Use the Show VPN Peers dialog box to display the VPN peers of a device node.
Navigation Path

To open this dialog box, select Show VPN Peers from a device node context
menu. If the selected device participates in only one VPN, the Show VPN Peers
command opens the VPN Peers dialog box instead of this one.


Related Topics

VPN Peers Dialog Box, page B-27

Field Reference
Table B-28

Show VPN Peers Dialog Box

Element

Description

Available VPNs

Lists the VPNs in which the node participates.

Selected VPNs

Lists the selected VPN.

OK button

Opens the VPN Peers dialog box, which lists the peers in the selected VPN.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

VPN Peers Dialog Box


Use the VPN Peers dialog box to view a list of the VPN peers of a device node.
Navigation Path

To open this dialog box, select a VPN in the Show VPN Peers dialog box and
click OK. This dialog box also opens directly when you select Show VPN Peers
from a device node context menu and the device participates in only one VPN.
Related Topics

Show VPN Peers Dialog Box, page B-26

Field Reference
Table B-29

VPN Peers Dialog Box

Element

Description

Name

The name of the VPN.

VPN Peers

Lists the VPN peers in the selected VPN.

Close

Closes the dialog box.


Help

Opens help for this dialog box.

Select VPN to Configure Dialog Box


Use the Select VPN to Configure dialog box to select a VPN to configure.
Navigation Path

To open this dialog box, select Edit VPN Policies or Edit VPN Peers from a
managed node context menu.
Field Reference
Table B-30

Select VPN to Configure Dialog Box

Element

Description

Available VPNs

Lists the VPNs in which the managed node participates. Select the VPN to
configure.

Selected VPN

Displays the selected VPN.

OK

Opens the dialog box or page required for configuring the type of VPN peer
or policy you selected. Click Help in the dialog box or page for information
on using it.

Cancel

Closes the dialog box without saving your changes.

Help

Opens help for this dialog box.


Appendix C

Devices User Interface Reference


The following topics describe the user interface information for the Devices page:

Devices Page, page C-2

Add Device from Network Wizard, page C-7

Add Device(s) from Config File Wizard, page C-29

Add New Device Wizard, page C-34

Add Device(s) from DCR Wizard, page C-45

Device Delete Validation Page, page C-49

Create a Clone of <device name> Page, page C-52

Device Properties Page, page C-53

Device Shortcut Menu Options, page C-62

Policy Selector Shortcut Menu Options, page C-63

Device Group Shortcut Menu Options, page C-65

Edit Device Groups Page, page C-66

Add Devices to Group Page, page C-67

Add Group Dialog Box, page C-68


Devices Page
Use the Devices page to view device information, to add, edit, or delete devices,
and to assign policies to specific devices.
Navigation Path

To open this page, click the Device View button in the toolbar.
Related Topics

Device Selector, page C-2

Policy Selector, page C-7

Work Area, page C-7

Create Filter Dialog Box, page C-3

Understanding the Device View, page 5-24

The Devices page contains two panes (Figure 5-1). The left pane contains the
following two elements:

Device selector, located in the top left pane. For more information, see
Device Selector, page C-2.

Policy selector, located in the bottom left pane. For more information, see
Policy Selector, page C-7.

The right pane is the main content area. For more information, see Work Area,
page C-7.

Device Selector
Use the Device selector to filter, add, and delete devices from the Security
Manager inventory.
Related Topics

Understanding the Device View, page 5-24

Policy Selector, page C-7

Work Area, page C-7

Create Filter Dialog Box, page C-3


Field Reference
Table C-1

Device Selector

Element

Description

Device selector

Filter

Enables you to filter and display a subset of devices based on the filtering criteria you
define. For more information, see Create Filter Dialog Box, page C-3.

Add button

Opens the New Device - Choose Method wizard page, which offers the methods for
adding devices to the Security Manager inventory.

Delete button

Removes the selected device from the Security Manager inventory.

Device Tree

Lists all device groups and devices added to or created in Security Manager. Each
device type is represented by an icon. For information about the icons, see Figure 5-2.

Create Filter Dialog Box


Use the Create Filter dialog box to filter and display a subset of devices based on
the filtering criteria you define.
Navigation Path

Select Create Filter from the Filter field in a selector tree.


Related Topics

Filtering the Device Selector, page 5-28

Device Selector, page C-2


Field Reference
Table C-2

Create Filter Dialog Box

Element

Description

Device selector

Match Any of the Following

When clicked, creates an "or" relationship between all the filter controls that you
created in the filter control area.
For example, you add the following two controls in the filter control area:

Name contains "a"

Type is ASA

If you click OK, the two filter controls are combined into one filter with an "or"
between them:
Name contains "a" or Type is ASA

This filter is then available from the arrow in the Filter field.
If you select this filter, the Device selector displays every device that has an "a"
in its name and every ASA device. See Filter Control Relationship Example,
page 5-29.

Match All of the Following

When clicked, creates an "and" relationship between all the filter controls that you
created in the filter control area.
For example, you add the same two controls in the filter control area:

Name contains "a"

Type is ASA

After you click OK, the two filter controls are combined into one filter with an
"and" between them:
Name contains "a" and Type is ASA

This filter is then available from the arrow in the Filter field.
If you select this filter, the Device selector displays only devices that match both
criteria: ASA devices whose names contain an "a". See Filter Control Relationship
Example, page 5-29.


First Field - Filter Type

Provides two options:

Name - Filters the devices by device name. You specify the device name or
part of the device name in the Filter Value field (third field).

Type - Filters the devices by device type. You specify the type of device in the
Filter Value field (third field).

Second Field - Filter Relation

Enables you to narrow the filter results by defining additional parameters. This
field establishes the relationship between the Filter Type and Filter Value fields.

If you select Name in the Filter Type field (first field), the following options
are displayed:
contains
doesn't contain
is
isn't
begins with
ends with

If you select Type in the Filter Type field (first field), the following options are
displayed:
is
isn't


Third Field - Filter Value

If you select Name in the Filter Type field (first field), the Filter Value field is
blank. Enter a string value: either the device name or part of the device name.

If you select Type in the Filter Type field (first field), the following options are
displayed:
ASA
ASA IPS
PIX
Catalyst 6500/7600
FWSM
IPSSM
Router
Cisco IDS Network Module
Sensor

Filter Control
Content Area

Displays all the filter controls that you created. Filter controls are the filter name,
filter relation, and filter value that you selected in a row format.

Add button

Adds a row of filter controls in the Filter Control Content area based on the filter
name, filter relation, and filter value that you selected.

Remove button

Removes the selected row of filter control from the Filter Control Content area.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.
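The filter logic described in Table C-2, written out as an added example (this is
not Security Manager code). It models a filter control as a Filter Type, Filter
Relation and Filter Value row, combines the rows with "or" (Match Any) or "and"
(Match All), and runs them over a small constructed inventory. The device names in
the inventory and the case-insensitive name comparison are assumptions made for
the illustration; the guide does not state whether name matching is case-sensitive.

```python
"""Device selector filtering, modelled on the Create Filter dialog box.

Added example, not Security Manager code. Device names, types and the
case-insensitive name comparison are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable

# Relations offered when the Filter Type is "Name".
NAME_RELATIONS: dict[str, Callable[[str, str], bool]] = {
    "contains": lambda field, value: value in field,
    "doesn't contain": lambda field, value: value not in field,
    "is": lambda field, value: field == value,
    "isn't": lambda field, value: field != value,
    "begins with": lambda field, value: field.startswith(value),
    "ends with": lambda field, value: field.endswith(value),
}
# When the Filter Type is "Type", only "is" and "isn't" are offered.
TYPE_RELATIONS = {k: NAME_RELATIONS[k] for k in ("is", "isn't")}
RELATIONS = {"Name": NAME_RELATIONS, "Type": TYPE_RELATIONS}

# The device types the Filter Value list offers.
DEVICE_TYPES = {
    "ASA", "ASA IPS", "PIX", "Catalyst 6500/7600", "FWSM", "IPSSM",
    "Router", "Cisco IDS Network Module", "Sensor",
}


@dataclass(frozen=True)
class Device:
    name: str
    type: str


@dataclass(frozen=True)
class FilterControl:
    """One row in the filter control area: Filter Type, Filter Relation, Filter Value."""
    filter_type: str
    relation: str
    value: str

    def __post_init__(self) -> None:
        if self.filter_type not in RELATIONS:
            raise ValueError(f"unknown filter type {self.filter_type!r}")
        if self.relation not in RELATIONS[self.filter_type]:
            raise ValueError(f"{self.relation!r} is not offered for {self.filter_type}")
        if self.filter_type == "Type" and self.value not in DEVICE_TYPES:
            raise ValueError(f"unknown device type {self.value!r}")

    def matches(self, device: Device) -> bool:
        if self.filter_type == "Name":
            # Assumption: name matching ignores case; the dialog does not say.
            return NAME_RELATIONS[self.relation](device.name.lower(), self.value.lower())
        return TYPE_RELATIONS[self.relation](device.type, self.value)


def apply_filter(devices: Iterable[Device], controls: Iterable[FilterControl],
                 match_all: bool) -> list[Device]:
    """Return the devices the selector would display.

    match_all=True is "Match All of the Following" (and); False is
    "Match Any of the Following" (or). With no controls nothing is filtered out.
    """
    controls = list(controls)
    if not controls:
        return list(devices)
    combine = all if match_all else any
    return [d for d in devices if combine(c.matches(d) for c in controls)]


def describe(controls: Iterable[FilterControl], match_all: bool) -> str:
    """Render the filter the way the Filter field shows it."""
    joiner = " and " if match_all else " or "
    return joiner.join(f"{c.filter_type} {c.relation} {c.value}" for c in controls)


# Constructed sample inventory (not from the guide).
INVENTORY = [
    Device("asa-hq-1", "ASA"),
    Device("pix-branch", "PIX"),
    Device("rtr-core", "Router"),
    Device("fwsm-dc", "FWSM"),
    Device("ASA2", "ASA"),
]

# The two controls used in the guide's own example.
EXAMPLE_CONTROLS = [
    FilterControl("Name", "contains", "a"),
    FilterControl("Type", "is", "ASA"),
]

if __name__ == "__main__":
    for match_all in (False, True):
        shown = apply_filter(INVENTORY, EXAMPLE_CONTROLS, match_all)
        print(describe(EXAMPLE_CONTROLS, match_all), "->", [d.name for d in shown])
```

With the guide's two controls, Match Any returns the three devices that have an
"a" in their name or are ASAs, while Match All returns only the two ASAs whose
names contain an "a"; the validation in FilterControl rejects combinations the
dialog never offers, such as "Type contains".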


Policy Selector
Use the Policy selector, located in the bottom left pane of the Devices page, to
display policies for the device you select in the Device selector.
Based on the device you select in the Device selector, policies appropriate to that
device type are displayed in the Policy selector. For details, see Working with
Device Policies, page 5-54.
Related Topics

Understanding the Device View, page 5-24

Working with Device Policies, page 5-54

Device Selector, page C-2

Work Area, page C-7

Work Area
Use the work area to view information. The information displayed in the work area
depends on the device you selected in the Device selector and the option you
selected in the Policy selector.
Related Topics

Understanding the Device View, page 5-24

Device Selector, page C-2

Policy Selector, page C-7

Add Device from Network Wizard


To add a device from the network, click the Add button in the Device selector. The
New Device - Choose Method wizard page appears with four options. Select Add
Device from Network, then click Next.
The following topics describe the pages in the Add Device from Network wizard:

Device Information Page - Network, page C-8

Device Credentials Page, page C-15



Device Grouping Page, page C-28

Device Information Page - Network


Use the Device Information page of the Add Device from Network wizard to add
device information.
Navigation Path

You can access the Device Information page from the Add Device from Network
wizard. Click the Add button in the Device selector, select Add Device from
Network, then click Next.
Related Topics

Understanding the Device View, page 5-24

Adding Devices to the Security Manager Inventory, page 5-30

Device Credentials Page, page C-15

Device Grouping Page, page C-28

Auto Update Server Properties Dialog Box, page C-13

Available Auto Update Servers Dialog Box, page C-14

Discovering Policies, page 6-7

Field Reference
Table C-3

Device Information Page in Add Device from Network Wizard

Element

Description

Identity

IP Type

Provides two options:

Static - Select this option if the device has a static IP address.

Dynamic - Applies to Cisco IOS routers only. Select this option if the
device has a dynamic IP address obtained from a CNS Gateway running on
an Auto Update Server.

The device information fields displayed differ, depending on whether you select
Static or Dynamic.


Hostname

Displayed for static IP types only.

The DNS hostname for the device. Enter the DNS hostname if the IP address is
not known.
The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following character: -

Note

You must enter either the DNS hostname or the IP address.

Note

Two devices cannot have the same DNS hostname and domain name
combination.

Domain Name

Displayed for static IP types only.

The DNS domain name for the device.
The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following characters: . -

IP Address

Displayed for static IP types only.

The management IP address of the device.
Valid characters are . and 0-9. The IP address must be in dotted quad format,
for example, 192.64.3.8.

Note

You must enter either the IP address or the DNS hostname.

Display Name

For static IP types - Displays the hostname, which you can change. When you
enter the hostname, it is entered automatically in the Display Name field.
For dynamic IP types - Enter the name that you want displayed for the device.
The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following characters: _ - . : and space

Note

Two devices cannot have the same display name.

Device Identity

Displayed for dynamic IP types only.

The string value that uniquely identifies the device in Auto Update Server.


CNS Gateway

Displayed for dynamic IP types only.

Enables you to select or add an Auto Update Server that is running the CNS
Gateway protocol.
If the Auto Update Server does not appear in the list, select + Add Auto Update
Server... to display the Auto Update Server Properties dialog box. For a
description of the fields in the page, see Auto Update Server Properties Dialog
Box, page C-13.
Security Manager communicates with the AUS server running the CNS Gateway
protocol to retrieve the IP address of the IOS device, then discovers directly from
the IOS device.

Note

Only Cisco IOS routers with dynamic IP addresses can be associated with
an Auto Update Server running the CNS Gateway protocol.

Note

You cannot add PIX Firewall, ASA, FWSM, or Catalyst 6500/7600
devices with a dynamic IP address from the Add Device from Network
page.

OS Type

The family of the operating system running on the device:

For static IP types: IOS, IOS - 12.2, 12.1, IOS - Catalyst 6500/7600, ASA,
FWSM, or PIX
For dynamic IP types: IOS, IOS - 12.2, 12.1

Note

Select IOS - 12.2, 12.1 to add routers running Cisco IOS versions 12.1,
12.2, and associated releases. However, this selection does not apply to
Catalyst 6500/6000 series switches running Cisco IOS software 12.1 or
12.2. Select IOS to add routers running Cisco IOS versions 12.3 and
later.

System Context

Discovers the device as a system context instead of a security context.

Select the System Context check box if the device you are adding is a PIX Firewall
7.0, ASA, or FWSM device that meets the following criteria:

The device supports system contexts.

The device is running in multi-mode.


Discover Device Settings


Discover

Provides the following discovery options:

Policies and Inventory - When selected, discovers policies and interfaces.
This is the default option.
When policy discovery is initiated, the system analyzes the configuration on
the device, then imports the configured service and platform policies into
Security Manager to be managed. When inventory discovery is initiated, the
system analyzes the interfaces on the device and then imports them into
Security Manager to be managed. If the device is a composite device, all the
service modules in that device are discovered.
If you select this option, the following policy options are displayed:

Platform Settings - Also called platform-specific policy domains.
Platform-specific policy domains exist on firewall devices and Cisco
IOS routers. These domains contain policies that configure features that
are specific to the selected platform. For more information, see Service
Policies vs. Platform-Specific Policies, page 6-3.
This option is selected by default.

Firewall Policies - Also called firewall services. Firewall services
contain policies such as access rules, inspection rules, AAA rules, web
filter rules, and transparent rules. For details, see Appendix J, Firewall
Services User Interface Reference.
This option is selected by default.

Discover Policies for Security Context - When selected, discovers
policies for security contexts. Security contexts apply to PIX Firewall,
ASA, or FWSM devices. This field is active for static IP types only.

Note

During discovery, if you import an ACL that is inactive, it is shown as
disabled in Security Manager. If you deploy the same ACL, it will be
removed by Security Manager.

Inventory Only - When selected, discovers interfaces only. If the device is a
composite device, all the service modules in that device are discovered.

No Discovery - When selected, Security Manager does not initiate
discovery.


Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens help for this page.
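The identity rules from Table C-3 (the hostname-or-IP requirement, the 70-character
limit, the per-field character sets, the Display Name defaulting to the hostname,
and the two uniqueness rules) collected into one validator, as an added example
that is not Security Manager code. The inventory it checks against is constructed
for the illustration. Rejecting a blank Display Name when no hostname was entered
is an assumption; the guide only says the field is pre-filled from the hostname.

```python
"""Validation of the Device Information page identity fields for static IP types.

Added example, not Security Manager code. It encodes the field rules in
Table C-3 (length, character set, hostname-or-IP, uniqueness). Treating a
blank Display Name as invalid when no hostname is given is an assumption.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

MAX_LEN = 70
HOSTNAME_RE = re.compile(r"^[0-9A-Za-z-]+$")     # 0-9, A-Z, a-z, -
DOMAIN_RE = re.compile(r"^[0-9A-Za-z.-]+$")      # 0-9, A-Z, a-z, . -
DISPLAY_RE = re.compile(r"^[0-9A-Za-z_.: -]+$")  # 0-9, A-Z, a-z, _ - . : space


@dataclass(frozen=True)
class DeviceIdentity:
    hostname: str = ""
    domain: str = ""
    ip: str = ""
    display_name: str = ""


def _check_text(label: str, value: str, pattern: re.Pattern[str], errors: list[str]) -> None:
    """Apply the shared length limit and the field's character set."""
    if len(value) > MAX_LEN:
        errors.append(f"{label}: longer than {MAX_LEN} characters")
    if not pattern.match(value):
        errors.append(f"{label}: contains characters outside the allowed set")


def effective_display_name(ident: DeviceIdentity) -> str:
    """The Display Name is pre-filled from the hostname unless it was changed."""
    return ident.display_name or ident.hostname


def validate_static_identity(ident: DeviceIdentity,
                             inventory: list[DeviceIdentity]) -> list[str]:
    """Return the validation errors for a static-IP device; empty means it would be accepted."""
    errors: list[str] = []

    if not ident.hostname and not ident.ip:
        errors.append("enter either the DNS hostname or the IP address")
    if ident.hostname:
        _check_text("Hostname", ident.hostname, HOSTNAME_RE, errors)
    if ident.domain:
        _check_text("Domain Name", ident.domain, DOMAIN_RE, errors)
    if ident.ip:
        try:
            ipaddress.IPv4Address(ident.ip)  # dotted quad, e.g. 192.64.3.8
        except ValueError:
            errors.append("IP Address: must be in dotted quad format, for example 192.64.3.8")

    display = effective_display_name(ident)
    if display:
        _check_text("Display Name", display, DISPLAY_RE, errors)
    else:
        errors.append("Display Name: required")  # assumption, see module docstring

    # Two devices cannot share a hostname+domain combination or a display name.
    for other in inventory:
        if ident.hostname and (other.hostname, other.domain) == (ident.hostname, ident.domain):
            errors.append("Hostname: another device has the same hostname and domain name")
        if display and effective_display_name(other) == display:
            errors.append("Display Name: another device has the same display name")
    return errors


# Constructed inventory (not from the guide).
EXISTING = [
    DeviceIdentity(hostname="edge-fw1", domain="example.com", ip="192.64.3.8"),
    DeviceIdentity(hostname="core-rtr", domain="example.com", display_name="Core router"),
]

if __name__ == "__main__":
    candidate = DeviceIdentity(hostname="edge_fw1", ip="192.64.3")
    for problem in validate_static_identity(candidate, EXISTING):
        print(problem)
```

A device entered with only an IP address and a display name passes, one with
neither hostname nor IP fails, and re-adding edge-fw1.example.com is rejected on
both the hostname/domain and the display name rule, because its display name
defaulted to the hostname the first time.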

Auto Update Server Properties Dialog Box


Use the Auto Update Server Properties dialog box to provide the Auto Update
Server properties information.
Navigation Path

Select + Add Auto Update Server... from the CNS Gateway field in the Device
Information page of the Add Device from Network wizard.
Related Topics

Device Information Page - Network, page C-8

Available Auto Update Servers Dialog Box, page C-14

Adding an Auto Update Server When Adding a Device from Network,


page 5-39

Field Reference
Table C-4

Auto Update Server Properties Dialog Box

Element

Description

Server Name

The hostname of the Auto Update Server.

Domain Name

The domain name of the Auto Update Server.

IP Address

The IP address of the Auto Update Server.

Display Name

The name that is displayed for the Auto Update Server.

Username

The username for logging in to the Auto Update Server.

Password

The password for accessing the Auto Update Server. In the Confirm field, enter
the password again.

Port

The port number that the AUS-managed device uses to communicate with the
Auto Update Server. The port number is typically 443.

URN

The uniform resource name of the Auto Update Server: the path portion of the
URL that identifies the AUS servlet, for example,
/autoupdate/AutoUpdateServlet. The full URL would then be:
https://<server ip>:443/autoupdate/AutoUpdateServlet
where:

<server ip> is the IP address of the Auto Update Server.

443 is the port number of the Auto Update Server.

/autoupdate/AutoUpdateServlet is the URN of the Auto Update Server.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Available Auto Update Servers Dialog Box


Use the Available Auto Update Servers dialog box to select, edit, or add an Auto
Update Server.
Navigation Path

Select Edit Auto Update Servers from the CNS Gateway field in the Device
Information page of the Add Device from Network wizard.
Related Topics

Device Information Page - Network, page C-8

Auto Update Server Properties Dialog Box, page C-13

Editing the Auto Update Server Information when Adding Device from
Network, page 5-42

Adding an Auto Update Server When Adding a Device from Network,


page 5-39


Field Reference
Table C-5

Available Auto Update Servers Dialog Box

Element

Description

Display Name

The name that is displayed for the Auto Update Server.

IP Address

The IP address of the Auto Update Server.

Server Name

The hostname of the Auto Update Server.

Domain Name

The domain name of the Auto Update Server.

Create button

Enables you to add a new Auto Update Server. When clicked, opens the Auto
Update Server Properties dialog box. For a description of the elements, see Auto
Update Server Properties Dialog Box, page C-13.

Edit button

Enables you to edit the Auto Update Server information. When clicked, opens the
Auto Update Server Properties dialog box. For a description of the elements, see
Auto Update Server Properties Dialog Box, page C-13.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Device Credentials Page


Use the Device Credentials page to add credentials for the device. For information
about device credentials, see Understanding Device Credentials, page 5-43.

Note

Each credential field accepts a maximum of 70 characters. The only additional
restriction is that a password cannot contain a space.
Navigation Path

You can access the Device Credentials page from the Add Device from Network
and from the Add New Device wizards. To access the wizards, click the Add button
in the Device selector, then select the appropriate add device method.
Related Topics

Understanding Device Credentials, page 5-43



Device Validation Error Messages, page C-27

Add Device from Network Wizard, page C-7

Add New Device Wizard, page C-34

Rx-Boot Mode Credentials Dialog Box, page C-17

SNMP Credentials Dialog Box, page C-18

HTTP Credentials Dialog Box, page C-19

Field Reference
Table C-6

Device Credentials Page

Element

Description

Primary Credentials - Required for all device types.

Username

The username for logging in to the device.

Password

The password for logging in to the device. In the Confirm field, enter the password
again.

Enable Password

The password that activates enable mode on the device, if enable mode is configured
on that device. In the Confirm field, enter the enable password again.

SDEE Credentials - Displayed for devices that support Intrusion Prevention Systems (IPS), such as
Cisco IOS routers, ASA, and IDS.

Username

The SDEE username.

Password

The SDEE password. In the Confirm field, enter the SDEE password again.

HTTP Credentials - Displayed for devices that support IPS, such as Cisco IOS routers, ASA, and IDS.
This information is required for devices that support SDEE.

HTTP Port

The port used for HTTP connections to the device (80 by default).

HTTPS Port

The port used for HTTPS connections to the device (443 by default).

Certificate
Common Name

The common name assigned to the certificate. The common name can be the name of a
person, system, or other entity that was assigned to the certificate. In the Confirm
field, enter the common name again.

Mode

HTTP or HTTPS. HTTPS protects the credentials and the SDEE traffic in transit;
plain HTTP sends them in cleartext.

Rx-Boot Mode Credentials Tab

For more information, see Rx-Boot Mode Credentials Dialog Box, page C-17.

SNMP Credentials Tab


For more information, see SNMP Credentials Dialog Box, page C-18.

HTTP Credentials Tab - Displayed for PIX Firewall, FWSM, and Catalyst 6500/7600 devices.

For more information, see HTTP Credentials Dialog Box, page C-19.
Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Saves your wizard definitions and closes the wizard.


After you click Finish, the system performs device validation tasks. If the data you
entered is incorrect, the system generates error messages and displays the wizard
page where the error occurs with a red error icon corresponding to it. Otherwise,
the Task Status page appears, displaying the status of the device import and
discovery.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens help for this page.

Rx-Boot Mode Credentials Dialog Box


Use the Rx-Boot Mode Credentials dialog box to add Rx-Boot mode credentials.
Navigation Path

You can access the Rx-Boot Mode Credentials dialog box from the Device
Credentials page in the Add Device from Network and the Add New Device
wizards. To access the wizards, click the Add button in the Device selector, then
select the appropriate add device method.
Related Topics

Add Device from Network Wizard, page C-7

Add New Device Wizard, page C-34

Device Credentials Page, page C-15


Field Reference
Table C-7

Rx-Boot Mode Credentials Dialog Box

Element

Description

Username

The Rx-Boot Mode username.

Password

The Rx-Boot Mode password. In the Confirm field, enter the Rx-Boot mode
password again.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

SNMP Credentials Dialog Box


Use the SNMP Credentials dialog box to add SNMP credentials.
Navigation Path

You can access the SNMP Credentials dialog box from the Device Credentials
page in the Add Device from Network and the Add New Device wizards. To access
the wizards, click the Add button in the Device selector, then select the appropriate
add device method.
Related Topics

Add Device from Network Wizard, page C-7

Add New Device Wizard, page C-34

Device Credentials Page, page C-15

Field Reference
Table C-8

SNMP Credentials Dialog Box

Element

Description

SNMP V2C

RO Community
String

The read-only community string. In the Confirm field, enter the community string
again.


RW Community
String

The read-write community string. In the Confirm field, enter the community string
again. SNMP V2C community strings travel in cleartext on the network, so treat the
read-write string as a device password.

SNMP V3

Username

The SNMP V3 username.

Password

The SNMP V3 password. In the Confirm field, enter the password again.

Auth Algorithm

The authentication algorithm used with the SNMP V3 password: MD5 or SHA-1.
SNMP V3 derives a key from the password with this algorithm and uses it in an
HMAC that authenticates each message; the password itself is never sent. This
dialog box offers no privacy (encryption) settings.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.
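What the Auth Algorithm choice actually does with the SNMP V3 password, as an
added example that is not Security Manager code. It implements the RFC 3414
password-to-key expansion, the localization of that key to one agent's
snmpEngineID, and the 12-octet HMAC-MD5-96 / HMAC-SHA-96 authentication
parameter, and it reproduces the "maplesyrup" test vectors from RFC 3414
Appendix A. The engine ID is the one used in that appendix; the message bytes are
constructed for the demonstration.

```python
"""SNMPv3 password handling for the Auth Algorithm choice (MD5 or SHA-1).

Added example, not Security Manager code. It implements the RFC 3414
password-to-key and key-localization steps and the HMAC-96 authentication
parameter, and checks them against the RFC 3414 Appendix A test vectors.
The sample engine ID is the RFC's; the message is constructed.
"""
import hashlib
import hmac

# The dialog's Auth Algorithm values mapped to hashlib names.
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1"}

# snmpEngineID used in RFC 3414 Appendix A.3 (twelve octets, last one 0x02).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, auth_algorithm: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 octets."""
    digest = hashlib.new(ALGORITHMS[auth_algorithm])
    reps, remainder = divmod(1_048_576, len(password))
    digest.update(password * reps + password[:remainder])
    return digest.digest()  # Ku, the user's engine-independent key


def localize_key(ku: bytes, engine_id: bytes, auth_algorithm: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), different for every agent."""
    return hashlib.new(ALGORITHMS[auth_algorithm], ku + engine_id + ku).digest()


def auth_key(password: bytes, engine_id: bytes, auth_algorithm: str) -> bytes:
    """The localized authentication key that manager and agent both derive."""
    return localize_key(password_to_key(password, auth_algorithm), engine_id, auth_algorithm)


def auth_parameters(message: bytes, kul: bytes, auth_algorithm: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 octets of the HMAC over the message."""
    return hmac.new(kul, message, ALGORITHMS[auth_algorithm]).digest()[:12]


def verify(message: bytes, received: bytes, kul: bytes, auth_algorithm: str) -> bool:
    """Constant-time check of a received msgAuthenticationParameters value."""
    return hmac.compare_digest(auth_parameters(message, kul, auth_algorithm), received)


if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(alg, "localized key:", auth_key(b"maplesyrup", RFC3414_ENGINE_ID, alg).hex())
    # Constructed message; in SNMPv3 the HMAC is computed with the
    # authentication field zeroed, which is what the twelve 0x00 octets stand for.
    msg = b"\x30\x82" + b"\x00" * 12 + b"example-pdu"
    kul = auth_key(b"maplesyrup", RFC3414_ENGINE_ID, "SHA-1")
    tag = auth_parameters(msg, kul, "SHA-1")
    print("verify:", verify(msg, tag, kul, "SHA-1"))
```

Because the key is localized with the agent's engine ID, a key recovered from one
device does not authenticate to another even when the same password was entered
for both, which is the reason the dialog asks for a password rather than a raw key.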

HTTP Credentials Dialog Box


Use the HTTP Credentials dialog box to add HTTP credentials.
Navigation Path

You can access the HTTP Credentials dialog box from the Device Credentials
page in the Add Device from Network and the Add New Device wizards. To access
the wizards, click the Add button in the Device selector, then select the appropriate
add device method.
Related Topics

Add Device from Network Wizard, page C-7

Adding Devices to the Security Manager Inventory, page 5-30

Device Credentials Page, page C-15


Field Reference
Table C-9

HTTP Credentials Dialog Box

Element

Description

Username

The HTTP username.

Password

The HTTP password.

HTTP Port

Port 80.

HTTPS Port

Port 443.

Certificate
Common Name

The common name assigned to the certificate. The common name can be the name
of a person, system, or other entity that was assigned to the certificate. In the
Confirm field, enter the common name again.

Mode

HTTP or HTTPS.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Device Connectivity Test Dialog Box


Use the Device Connectivity Test dialog box to determine whether the device you
are adding (or a device that has been added to the inventory) can be reached by
Security Manager. The transport protocol used to test device connectivity, the
status of connectivity test, and the time elapsed are displayed after connectivity
test is complete. For the procedure, see Verifying Device Connectivity from
Security Manager, page 5-47.
Navigation Path

To access the Device Connectivity Test dialog box, do one of the following:

In Device view, click the Add button in the Device selector, select Add New
Device (see Add New Device Wizard, page C-34), enter the device identity
information in the Device Information Page - New Device, page C-35, and then
enter the username and password and click Test Connectivity on the Device
Credentials Page, page C-15.

Open the Device Properties page in one of the following three ways and click Test
Connectivity:


From the Device selector, right-click a device, then select Device Properties.

From the Device selector, double-click a device.

Select Tools > Device Properties.

Related Topics

Device Credentials Page, page C-15

Device Properties Page, page C-53

Field Reference
Table C-10

Device Connectivity Test Dialog Box

Element

Description

Connectivity Protocol

The transport protocol, such as SSL, SSH, AUS, CNS, or TMS, that
is set on the device. Security Manager communicates with the
device according to the transport mechanism or protocols you set on
the device.
For Cisco IOS routers and Catalyst 6500/7600 switches, the default
transport protocol you have specified for all devices in the Device
Communication settings window is used to test connectivity.

Connectivity Status

Displays whether the connectivity test passed or failed.

Time Elapsed

Displays the amount of time that has elapsed since the connectivity
test was started.

Details button

If the device can be reached, opens the Details dialog box and
displays the output of the show version command for PIX Firewall,
Adaptive Security Appliances (ASA), Firewall Service Modules
(FWSM), Cisco IOS routers, and VPN Services Modules
(VPNSM), or the output of the getVersion command for IPS
Sensors and Cisco IOS IPS Sensors. You can copy the command
output and paste it into a file for analysis.
If the device cannot be reached, an error message states the probable
cause and its possible solution. Take the recommended action to
correct the error.


Abort button

Aborts the connectivity test. Closes the dialog box. This button is
enabled during the device connectivity test operation.

FWSM Credentials and VPN SPA Slot Location Dialog Box


Use the Firewall Service Module Credentials and VPN SPA Slot Location dialog
box to add FWSM credentials and Catalyst VPN Shared Port Adapter (VPN SPA)
subslot locations.
Navigation Path

After you have successfully added a Catalyst 6500/7600 device as described in
Adding Catalyst 6500/7600 Devices from the Network, page 5-33, you are asked if
you want to proceed with FWSM inventory and policy discovery. If you click Yes, the
Firewall Service Module Credentials and VPN SPA Slot Location dialog box appears.
Related Topics

Add Device from Network Wizard, page C-7

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Configuring Security Contexts on Firewall Devices, page 15-105


Field Reference
Table C-11

Firewall Service Module Credentials and VPN SPA Slot Location Dialog Box

Element

Description

Slot <number> Credentials

Management IP

The management IP address for the FWSM.

Although this is optional, we recommend that you enter the management IP address
because:

If you do not enter the management IP address, Security Manager connects to
the Catalyst 6500/7600 device through SSH and then to the FWSM through the
session command. The number of concurrent SSH sessions is limited on a
Catalyst 6500/7600 device, with a default of 5. Policy discovery uses one SSH
session for each security context. If there are a large number of security
contexts, even with the retry mechanism in place, Security Manager might fail
to connect.

If you do enter the management IP address, Security Manager connects to the
FWSM directly through SSL, which has a greater concurrent session limit.

For FWSM failover management, the management IP address serves as a
logical address to connect to the active FWSM. Without the management IP
address, Security Manager might connect to a standby FWSM after a failover
switch.

Username

The username for the FWSM.


If the device you are adding is a multi-mode FWSM, and you entered the
management IP address, you must configure the same username, password, and
enable password for both System Space and Admin Context in the Catalyst
6500/7600 device and enter those credentials in this field. For details, see Adding
Catalyst 6500/7600 Devices from the Network, page 5-33.

Password

The password for the FWSM. In the Confirm field, enter the password again.
If the device you are adding is a multi-mode FWSM, and you entered the
management IP address, you must configure the same username, password, and
enable password for both System Space and Admin Context in the Catalyst
6500/7600 device and enter those credentials in this field. For details, see Adding
Catalyst 6500/7600 Devices from the Network, page 5-33.

Enable Password

The enable password for the FWSM. In the Confirm field, enter the password again.
If the device you are adding is a multi-mode FWSM, and you entered the
management IP address, you must configure the same username, password, and
enable password for both System Space and Admin Context in the Catalyst
6500/7600 device and enter those credentials in this field. For details, see Adding
Catalyst 6500/7600 Devices from the Network, page 5-33.

Discover Policies check box

Discovers policies for the FWSM. This check box is selected by default.
If you deselect the check box, only inventory data, such as VLAN configuration,
security contexts, and interfaces, is discovered. You can discover the policy
configuration later by right-clicking an FWSM, then selecting Discover Policies on
Device.
VPN SPA Slots

The location of any Cisco IPSec VPN SPA installed on the device. Each slot is
divided into two subslots that can hold one to two VPN SPAs. Enter the slot and
subslot location of each installed VPN SPA, separated by a comma.
You can also click Select to open the VPN SPA Slot Selector from which you can
select the slot and subslot locations from a list. For more information about
configuring a VPN SPA blade, see Configuring a Catalyst VPN Shared Port
Adapter (VPN SPA) Blade, page 9-42.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

VPN SPA Slots Dialog Box


Use the VPN SPA Slots dialog box to add the locations of any VPN SPAs installed
on Catalyst 6500/7600 devices.
Navigation Path

After you have successfully added a Catalyst 6500/7600 device as described in
Adding Catalyst 6500/7600 Devices from the Network, you are asked if you want to
proceed with FWSM inventory and policy discovery. If you decide not to discover
service modules and policies at this time by clicking No, the VPN SPA Slots
Dialog Box appears.

Related Topics

Add Device from Network Wizard, page C-7

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Adding VPN SPA Slot Locations, page 5-35

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42

Field Reference
Table C-12

VPN SPA Slots Dialog Box

Element

Description

VPN SPA Slots

The location of any VPN SPAs installed on the device. Each slot is divided into two
subslots that can hold one to two VPN SPAs. Enter the slot and subslot location of
each VPN SPA installed, separated by a comma.
You can also click Select to open the VPN SPA Slot Selector in which you can
choose the slot and subslot locations from a list. For more information about
configuring a VPN SPA blade, see Configuring a Catalyst VPN Shared Port
Adapter (VPN SPA) Blade, page 9-42.

Select button

Opens the VPN SPA Slot selector. For details see VPN SPA Slot Selector,
page C-25.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

VPN SPA Slot Selector


Use the VPN SPA Slot selector to add the locations of any Cisco VPN Shared Port
Adapters (VPN SPAs) installed on Catalyst 6500/7600 devices. A slot can hold two
separate VPN SPAs; therefore, you must enter a subslot number. The subslot
number for the first subslot is 0, and for the second one is 1.
Navigation Path

You can access the VPN SPA Slot selector in one of two ways:


Click Select next to the VPN SPA Slots field in the Firewall Service Module
Credentials and VPN SPA Slot Location Dialog Box.

Click Select next to the VPN SPA Slots field in the VPN SPA Slots dialog box
that appears when you decline policy discovery for service modules on a Catalyst
6500/7600 device(s).

For the procedure, see Adding VPN SPA Slot Locations, page 5-35.
Related Topics

Add Device from Network Wizard, page C-7

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42

Field Reference
Table C-13

VPN SPA Slot Selector

Element

Description

Available Slots/Subslots

Contains two elements:

Filter field: Filters and displays a subset of devices based on the filtering
criteria you define. For more information, see Create Filter Dialog Box,
page C-3.

Available Slot/Subslots List: Displays the list of available slots, numbered
according to the number of slots on the device chassis on the left of the /, and
two subslots numbered 0 and 1 to the right of the /. A VPN SPA card resides
in one half of a slot, called a subslot, so each slot can contain one or two
VPN SPA cards.

>> button
<< button

Moves the selected slots from one pane to the other pane.

Selected Slots/Subslots

Displays all the Slot/Subslots that you selected.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Device Validation Error Messages


When you add a device, Security Manager validates the data you entered. If the
data is incorrect, the system generates error messages and displays the page on
which the error occurs with a red error icon corresponding to it.
Security Manager does not validate whether the data you entered will allow you
to contact the device. It validates whether the data is formatted correctly, whether
you have entered duplicate display name and hostname combinations, and
whether the display name you entered exists in DCR. The following error
messages could be displayed:
Cannot Add a Display Name that Exists in DCR

If you are in the Add New Device page and you enter a display name that already
exists in DCR (but not in Security Manager), a Duplicate Device Notification
window displays the following message:
A device with the same display name exists in DCR. Duplicate display
names are not allowed in DCR. To change the display name, click No. To
import the existing device from DCR into Cisco Security Manager, click
Yes.

If you click No, the Add New Device page appears. You can enter another display
name and continue adding the device. For a description of the elements in this
page, see Add New Device Wizard, page C-34.
If you click Yes, the Add Device from DCR page appears, with the device name
selected in the DCR List of Devices pane. Click >>. The selected device moves to
the Selected Devices pane. For a description of the elements in this page, see Add
Device(s) from DCR Wizard, page C-45.
Cannot Add a DNS Hostname and Domain Name Combination that Exists in DCR

When you are in the Add New Device page and you enter a hostname and domain
name combination that already exists in DCR (but not in Security Manager), a
Duplicate Device Notification window displays the following message:
A device with the same DNS (hostname + domain name) exists in DCR.
Duplicate DNS is not allowed in DCR. To change the DNS, click No. To
import the existing device from DCR into Cisco Security Manager, click
Yes.


If you click No, the Add New Device page appears. You can enter another
hostname and domain name combination and continue adding the device. For a
description of the elements in this page, see Add New Device Wizard, page C-34.
If you click Yes, the Add Device from DCR page appears, with the device name
selected in the DCR List of Devices pane. Click >>. The selected device moves to
the Selected Devices pane. For a description of the elements in this page, see Add
Device(s) from DCR Wizard, page C-45.

Device Grouping Page


Use the Device Grouping page to assign devices to groups.
Navigation Path

You can access the Device Grouping page from all of the add device wizards. For
the procedures, see:

Adding Devices to the Security Manager Inventory, page 5-30

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Related Topics

Understanding Device Grouping, page 5-57

Edit Device Groups Page, page C-66

Adding Devices to the Security Manager Inventory, page 5-30


Field Reference
Table C-14

Device Grouping Page

Element

Description

Group Types,
such as Department and
Location

The group type, for example, Department or Location, into which the device will be
grouped. Enables you to select an existing group or to create a new group under a
group type.
To create a new group, click the arrow, then select Edit Groups. The Edit Device
Groups page appears. For a description of the fields in this page, see Edit Device
Groups Page, page C-66.

Set values as
default

When selected, sets the current values as defaults. These values are defaults for
adding and editing device groups later.

Back button

Returns to the previous wizard page.

Finish button

Saves your wizard definitions and closes the wizard.


After you click Finish, the system performs device validation tasks. If the data you
entered is incorrect, the system generates error messages and displays the wizard page
where the error occurs with a red error icon corresponding to it. Otherwise, the Task
Status page appears, displaying the status of the device import and discovery.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens help for this page.

Add Device(s) from Config File Wizard


To add a device from a config file, click Add in the Device selector. The New
Device - Choose Method wizard page appears with four options. Select Add
Devices from Config File, then click Next.
The following topics describe the pages in the Add Device from Config File
wizard:

Device Information Page - Config File, page C-30

Device Grouping Page, page C-28


Device Information Page - Config File


Use the Device Information page of the Add Device from Config File wizard to
add device information.
Navigation Path

You can access the Device Information page from the Add Device from Config
File wizard. Click the Add button in the Device selector, select Add Device from
Config File, then click Next.
Related Topics

Understanding the Device View, page 5-24

Adding Devices to the Security Manager Inventory, page 5-30

Device Grouping Page, page C-28

Device Validation Error Messages, page C-27

Discovering Policies, page 6-7

Field Reference
Table C-15

Element

Device Information Page in Add Device from Config File Wizard

Description

Device Type

Device Type
selector

Organizes the devices by device-type and device-family. Select the device type
for the new device.
Note

If you do not know the device type, select the device-family folder.
Security Manager automatically selects the first available device type
under that family.
System object IDs for that device type are displayed in the SysObjectId field.


SysObjectId

The system object IDs for the device type you selected from the Device Type
selector.
When you click the device type from the Device Type selector, the system object
IDs for that particular device are displayed in this field.
When you specify the device type, the first available system object ID of the first
device type is selected by default. You can select another one if needed.

Configuration Files

Enter the full path to the device configuration file, or click Browse to navigate to
the file in the directory structure. You can include multiple device configuration
files, of the same device type, by using commas to separate the files.

Browse button

Opens the Choose Files dialog box, which enables you to navigate and locate the
device configuration files. For elements in this page, see Choose Files Dialog
Box, page C-33.


Discover Device Settings

Discover

Provides the following discovery options:

Policies and Inventory: When selected, discovers policies and interfaces. This is
the default option.
When policy discovery is initiated, the system analyzes the configuration on
the device, then imports the configured service and platform policies into
Security Manager to be managed. When inventory discovery is initiated, the
system analyzes the interfaces on the device and then imports them into
Security Manager to be managed. If the device is a composite device, all the
service modules in that device are discovered.
If you select this option, the following policies are displayed:

Platform Settings: Also called platform-specific policy domains.
Platform-specific policy domains exist on firewall devices and Cisco IOS
routers. These domains contain policies that configure features that are specific
to the selected platform. For more information, see Service Policies vs.
Platform-Specific Policies, page 6-3. This is the default option.

Firewall Policies: Also called firewall services. Firewall services include
policies such as access rules, inspection rules, AAA rules, web filter rules, and
transparent rules. For details, see Appendix J, Firewall Services User Interface
Reference. This is the default option.

Note

During discovery, if you import an ACL that is inactive, it is shown as
disabled in Security Manager. If you deploy the same ACL, it will be
removed by Security Manager.

Inventory Only: When selected, discovers interfaces. If the device is a
composite device, all the service modules in that device are discovered.

No Discovery: When selected, Security Manager does not initiate discovery.

Back button

Returns to the previous wizard page.


Next button

Advances to the next wizard page.

Finish button

Saves your wizard definitions and closes the wizard.


After you click Finish, the system performs device validation tasks. If the data
you entered is incorrect, the system generates error messages and displays the
wizard page where the error occurs with a red error icon corresponding to it.
Otherwise, the Task Status page appears, displaying the status of the device
import and discovery.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens help for this page.

Choose Files Dialog Box


Use the Choose Files dialog box to navigate and locate the device configuration
file.
Navigation Path

Click the Browse button in the Device Information page of the Add Device from
Config File wizard.
Related Topics

Device Information Page - Config File, page C-30


Field Reference
Table C-16

Choose Files Dialog Box

Element

Description

Left pane

Displays all the folders on the server.

Right pane

The contents of the folder that you selected in the left pane. Enables you to
navigate and select the appropriate configuration files.
Note

You cannot choose multiple configuration files in sequence by pressing
Ctrl-A (Select all), or by selecting the first file in the list and pressing the
down arrow key while holding down the Shift key. Instead, click the first
file in the range; then, hold down the Shift key while clicking the last
configuration file in the range to add multiple files that are listed
consecutively. However, you can choose multiple individual files by
holding down the Ctrl key and clicking on the individual files.

File Selected

Displays the configuration files that you selected from the right pane.

File of Type

Determines the type of files you want displayed in the right pane. When you
select or enter a file type, corresponding files are displayed in the right pane.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Device Grouping Page


For elements in the Device Grouping page, see Device Grouping Page, page C-28.

Add New Device Wizard


To add a single device, click Add in the Device selector. The New Device - Choose
Method wizard page appears with four options. Select Add New Device,
then click Next.
The following topics describe the pages in the Add New Device wizard:

Device Information Page - New Device, page C-35


Device Credentials Page, page C-15

Device Grouping Page, page C-28

Device Information Page - New Device


Use the Device Information page of the Add New Device wizard to add device
information.
Navigation Path

You can access the Device Information page from the Add New Device wizard.
Click the Add button in the Device selector, select Add New Device, then click
Next.
Related Topics

Understanding the Device View, page 5-24

Adding Devices to the Security Manager Inventory, page 5-30

Device Credentials Page, page C-15

Device Grouping Page, page C-28

Device Validation Error Messages, page C-27

Server Properties Dialog Box, page C-40

Available Servers Dialog Box, page C-41

CNS-Configuration Engine Properties Dialog Box, page C-42

Available Configuration Engines Dialog Box, page C-43

Field Reference
Table C-17

Element

Device Information Page in Add New Device Wizard

Description

Device Type

Device Type
selector

Organizes the devices by device-type and device-family.
Select the device type for the new device. System object IDs for that device type
are displayed in the SysObjectId field.


Selected Device
Type

Displays the device type you selected in the Device Type selector.

SysObjectId

The system object IDs for the device type you selected from the Device Type
selector.
The first system object ID is selected by default. You can select another one if
needed.

Identity

IP Type

Provides two options: Static or Dynamic. Depending on the IP type you select,
the displayed fields differ.

Hostname

Displayed for static IP types only.


The DNS hostname for the device. Enter the DNS hostname if the IP address is
not known.
The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following character:
Note

You must enter either the DNS hostname or the IP address.

Two devices cannot have the same DNS hostname and domain name
combination.

Domain Name

Displayed for static IP types only.
The DNS domain name for the device.
The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following characters: . -

IP Address

Displayed for static IP types only.
The management IP address of the device.
Valid characters are . and 0-9. The IP address must be in the dotted quad format,
for example 192.64.3.8.
Note

This field is active only if the IP type is static.

Note

You must enter either the IP address or the DNS hostname.


Display Name

Displays the hostname, which you can change. When you enter the hostname, the
same name is entered automatically in the Display Name field.
The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z;
lowercase a-z; and the following characters: _ - . : and space
Note

Two devices cannot have the same display name.

Note

If the display name you enter already exists in DCR, a dialog box
appears.

Operating System

OS Type

Based on the device type, the OS type is selected automatically.

Image Name

The name of the image.

Target OS Version

The target OS version for which you want to apply the configuration.

Options

A read-only field whose values are NONE or IPS. The value IPS indicates that
the IPS feature is available on the device.

Contexts

This field is displayed only if the OS type is an FWSM, ASA, or PIX Firewall
7.0. The two options available are: Single or Multi.

Operational Mode

This field is displayed only if the OS type is an FWSM, ASA, or PIX Firewall
7.0. The available options are: Transparent, Routed, or Mixed (Mixed applies
only to FWSM 3.1 when Contexts is set to Multi).

Auto Update: Displayed for PIX Firewall and ASA devices.

Note

For Catalyst 6500/7600 and FWSM devices, this field is not active.

Server

Enables you to select or add an Auto Update Server or a Configuration Engine.
If the server does not appear in the list, select + Add Server... to display the
Server Properties dialog box. For a description of the fields in the page, see
Server Properties Dialog Box, page C-40.

Device Identity

The string value that uniquely identifies the device in Auto Update Server or the
Configuration Engine.

CNS-Configuration Engine: Displayed for Cisco IOS routers.

Note

This field is not active for Catalyst 6500/7600 and FWSM devices.


Server

Depending on the IP type selected, Static or Dynamic, different information is
displayed:

Cisco IOS routers with static IP addresses: Enables you to select or add a
Configuration Engine.
If the Configuration Engine does not appear in the list, select + Add
Configuration Engine... to display the CNS-Configuration Engine
Properties dialog box. For a description of the fields in the page, see
CNS-Configuration Engine Properties Dialog Box, page C-42.

Cisco IOS routers with dynamic IP addresses: Enables you to select or add
an Auto Update Server or a Configuration Engine.
If the server does not appear in the list, select + Add Server... to display the
Server Properties dialog box. For a description of the fields in the page, see
Server Properties Dialog Box, page C-40.

Device Identity

The string value that uniquely identifies the device in Auto Update Server or the
Configuration Engine.

Additional Fields

Manage in Cisco
Security Manager

When selected, Security Manager manages the device. This check box is selected
by default.
If the only function of the device you are adding is to serve as a VPN end point,
this check box should be deselected. Security Manager will not manage
configurations nor will it upload or download configurations on this device.


Security Context of Unmanaged Device

This field is active only if the device you selected in the Device selector is a
firewall device, such as PIX Firewall, ASA, or FWSM, and that firewall device
supports security contexts.
When selected, manages a security context whose parent (PIX Firewall, ASA, or
FWSM) is not managed by Security Manager.
You can partition a PIX Firewall, ASA, or FWSM into multiple security
firewalls, also known as security contexts. Each context is an independent
system, with its own configuration and policies. You can manage these
standalone contexts in Security Manager, even though the parent (PIX Firewall,
ASA, or FWSM) is not managed by Security Manager. For more information, see
Configuring Security Contexts on Firewall Devices, page 15-105.
Note

If you select this check box, the available target OS version for the
security module is displayed in the Target OS Version field.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Saves your wizard definitions and closes the wizard.


When you click Finish, the system performs device validation tasks. If no errors
are found, the wizard definitions are saved and the wizard closes. The device is
added to the inventory and appears in the Device selector.
If errors are found, the system generates error messages and displays the wizard
page where the error occurs.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens help for this page.
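The format rules in the Identity fields of Table C-17 (70-character limit, allowed character sets, dotted-quad IP address, hostname-or-IP requirement) and the duplicate checks described under Device Validation Error Messages (display name, and hostname plus domain name, against both the Security Manager inventory and DCR) are the kind of checks a device-onboarding front end performs before it ever tries to contact a device. The following Python is an added illustration, not code from Cisco Security Manager. The function and class names are mine, the sample inventory and DCR records are constructed, and three details the page does not state are assumptions: "-" as the hostname's extra allowed character (the page's list is truncated), rejection of octets above 255, and case-insensitive comparison of DNS names.

```python
"""Format and duplicate checks modelled on the Add New Device wizard (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

MAX_LEN = 70  # maximum length the page states for Hostname, Domain Name and Display Name

# Character sets from Table C-17. The page's hostname list is truncated, so "-" is
# an assumption here; the display name additionally allows "_", ":" and space.
HOSTNAME_RE = re.compile(r"^[0-9A-Za-z-]+$")
DOMAIN_RE = re.compile(r"^[0-9A-Za-z.-]+$")
DISPLAY_RE = re.compile(r"^[0-9A-Za-z_\-.: ]+$")
DOTTED_QUAD_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass(frozen=True)
class DeviceEntry:
    """Identity fields for a static IP type; an empty string means "not entered"."""
    display_name: str
    hostname: str = ""
    domain_name: str = ""
    ip_address: str = ""


def _check_text(label: str, value: str, allowed: re.Pattern) -> List[str]:
    errors = []
    if len(value) > MAX_LEN:
        errors.append(f"{label}: exceeds {MAX_LEN} characters")
    if value and not allowed.match(value):
        errors.append(f"{label}: contains characters outside the allowed set")
    return errors


def validate_format(dev: DeviceEntry) -> List[str]:
    """Return the formatting errors the wizard would flag; an empty list means OK."""
    errors: List[str] = []
    if not dev.hostname and not dev.ip_address:
        errors.append("Identity: enter either the DNS hostname or the IP address")
    errors += _check_text("Hostname", dev.hostname, HOSTNAME_RE)
    errors += _check_text("Domain Name", dev.domain_name, DOMAIN_RE)
    if not dev.display_name:
        errors.append("Display Name: required")
    errors += _check_text("Display Name", dev.display_name, DISPLAY_RE)
    if dev.ip_address:
        m = DOTTED_QUAD_RE.match(dev.ip_address)
        # The page only requires dotted-quad format; rejecting octets above 255 is an assumption.
        if m is None or any(int(octet) > 255 for octet in m.groups()):
            errors.append("IP Address: must be in dotted quad format, for example 192.64.3.8")
    return errors


def _dns_key(dev: DeviceEntry) -> str:
    # DNS names are compared case-insensitively (an assumption; the page does not say).
    return f"{dev.hostname}.{dev.domain_name}".lower()


def check_duplicates(dev: DeviceEntry, inventory: List[DeviceEntry],
                     dcr: List[DeviceEntry]) -> Dict[str, str]:
    """Classify the new entry against the Security Manager inventory and DCR.

    "reject" mirrors the "Two devices cannot have the same ..." notes; "dcr_prompt"
    mirrors the Duplicate Device Notification, which offers to import the existing
    DCR record (Yes) or lets you change the value (No).
    """
    outcome: Dict[str, str] = {}
    inv_names = {d.display_name for d in inventory}
    dcr_names = {d.display_name for d in dcr}
    inv_dns = {_dns_key(d) for d in inventory if d.hostname}
    dcr_dns = {_dns_key(d) for d in dcr if d.hostname}
    if dev.display_name in inv_names:
        outcome["display_name"] = "reject"
    elif dev.display_name in dcr_names:
        outcome["display_name"] = "dcr_prompt"
    if dev.hostname:
        key = _dns_key(dev)
        if key in inv_dns:
            outcome["dns"] = "reject"
        elif key in dcr_dns:
            outcome["dns"] = "dcr_prompt"
    return outcome


# Constructed sample data: one device already in Security Manager, one known only to DCR.
INVENTORY = [DeviceEntry("edge-fw1", "edge-fw1", "example.com", "192.0.2.10")]
DCR_ONLY = [DeviceEntry("branch-rtr2", "branch-rtr2", "example.com", "192.0.2.20")]

if __name__ == "__main__":
    candidate = DeviceEntry("branch-rtr2", "branch-rtr2", "example.com")
    print(validate_format(candidate))
    print(check_duplicates(candidate, INVENTORY, DCR_ONLY))
```

The split into a format pass and a duplicate pass follows the page's own statement that validation checks formatting and duplicates but never whether the device can actually be reached; reachability is left to the connectivity test. Keeping the two DCR outcomes ("reject" versus "dcr_prompt") distinct matters because an entry that duplicates a DCR record is not an error at all, but an offer to import.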


Server Properties Dialog Box


Use the Server Properties dialog box to provide the Auto Update Server or
Configuration Engine properties information.
Navigation Path

Click the + Add Server... from the Server field in the Device Information page of
the Add New Device wizard. For detailed procedure, see Adding an Auto Update
Server or Configuration Engine When Adding a New Device, page 5-38.
Related Topics

Available Servers Dialog Box, page C-41

Device Information Page - New Device, page C-35

Adding an Auto Update Server or Configuration Engine When Adding a New
Device, page 5-38

Field Reference
Table C-18

Server Properties Dialog Box

Element

Description

Type

The type of server managing the device. Click the arrow to select one of the
following options:

Auto Update Server: Select this option if the device you are adding is
managed by an Auto Update Server.

Configuration Engine: Select this option if the device you are adding is
managed by a Configuration Engine.

Server Name

The hostname of the server.

Domain Name

The domain name of the server.

IP Address

The IP address of the server.

Display Name

The name that is displayed for the server.

Username

The username for the server.

Password

The password for accessing the server. In the Confirm field, enter the password
again.


Port

The port number that the Auto Update Server or Configuration Engine managed
device uses to communicate with the server. Port number is typically 443.

URN

This field is displayed only when you select Auto Update Server from the Type
field. It is not displayed when you select CNS-Configuration Engine.
The uniform resource name for the Auto Update Server. The URN is the name that
identifies the resource on the Internet. The URN is part of a URL, for example,
/autoupdate/AutoUpdateServlet. The full URL could be:
https://<server ip>:443/autoupdate/AutoUpdateServlet
where:

<server ip> is the IP address of the Auto Update Server.

443 is the port number of the Auto Update Server.

/autoupdate/AutoUpdateServlet is the URN of the Auto Update Server.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Available Servers Dialog Box


Use the Available Servers dialog box to select, edit, or add an Auto Update Server
or Configuration Engine.
Navigation Path

Select Edit Servers from the Server field in the Device Information page of the
Add New Device wizard. For detailed procedure, see Editing an Auto Update
Server or Configuration Engine When Adding a New Device, page 5-41.
Related Topics

Server Properties Dialog Box, page C-40

Device Information Page - New Device, page C-35

Editing an Auto Update Server or Configuration Engine When Adding a New
Device, page 5-41


Adding an Auto Update Server or Configuration Engine When Adding a New
Device, page 5-38

Field Reference
Table C-19

Available Servers Dialog Box

Element

Description

Display Name

The name that is displayed for the server.

Type

The type of server: AUS or CNS.

IP Address

The IP address of the server.

Server Name

The hostname of the server.

Domain Name

The domain name of the server.

Create button

Enables you to add a new server. When clicked, the Server Properties dialog box
appears. For a description of the elements, see Server Properties Dialog Box,
page C-40.

Edit button

Enables you to edit the server information. When clicked, the Server Properties
dialog box appears. For a description of the elements, see Server Properties
Dialog Box, page C-40.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

CNS-Configuration Engine Properties Dialog Box


Use the CNS-Configuration Engine Properties dialog box to provide the
Configuration Engine properties information.
Navigation Path

Click the + Add Configuration Engine... from the Server field in the Device
Information page of the Add New Device wizard.
Related Topics

Available Configuration Engines Dialog Box, page C-43

Device Information Page - New Device, page C-35


Field Reference
Table C-20 CNS-Configuration Engine Properties Dialog Box

Element / Description

Server Name
    The hostname of the Configuration Engine.
Domain Name
    The domain name of the Configuration Engine.
IP Address
    The IP address of the Configuration Engine.
Display Name
    The name that is displayed for the Configuration Engine.
Username
    The username for the Configuration Engine.
Password
    The password for accessing the Configuration Engine. In the Confirm field,
    enter the password again.
Port
    The port number that the CNS managed device uses to communicate with the
    Configuration Engine. The port number is typically 443.
OK button
    Saves your changes and closes the dialog box.
Cancel button
    Closes the dialog box without saving your changes.
Help button
    Opens help for this dialog box.

Available Configuration Engines Dialog Box

Use the Available Configuration Engines dialog box to select, edit, or add a
Configuration Engine.
Navigation Path

Select Edit Configuration Engines... from the Server field in the Device
Information page of the Add New Device wizard.
Related Topics

CNS-Configuration Engine Properties Dialog Box, page C-42

Device Information Page - New Device, page C-35


Field Reference
Table C-21 Available Configuration Engines Dialog Box

Element / Description

Display Name
    The name that is displayed for the Configuration Engine.
IP Address
    The IP address of the Configuration Engine.
Server Name
    The hostname of the Configuration Engine.
Domain Name
    The domain name of the Configuration Engine.
Create button
    Enables you to add a new Configuration Engine. When clicked, the
    CNS-Configuration Engine Properties dialog box appears. For a description of
    the elements, see CNS-Configuration Engine Properties Dialog Box, page C-42.
Edit button
    Enables you to edit the Configuration Engine information. When clicked, the
    CNS-Configuration Engine Properties dialog box appears. For a description of
    the elements, see CNS-Configuration Engine Properties Dialog Box, page C-42.
OK button
    Saves your changes and closes the dialog box.
Cancel button
    Closes the dialog box without saving your changes.
Help button
    Opens help for this dialog box.

Device Credentials Page


For elements in the Device Credentials page, see Device Credentials Page,
page C-15.

Device Grouping Page


For elements in the Device Grouping page, see Device Grouping Page, page C-28.

Add Device(s) from DCR Wizard


To add a device from DCR into Security Manager, click Add in the Device
selector. The New Device - Choose Method wizard page appears with four
options. Select Add Devices from DCR, then click Next.
The following topics describe the pages in the Add Device from DCR wizard:

Device Information Page - DCR, page C-45

Device Grouping Page, page C-28

Device Information Page - DCR


Use the Device Information page of the Add Device from DCR wizard to add
devices from DCR to Security Manager.
The Device Information page displays two panes: the left pane is called DCR List
of Devices and the right pane is called Selected Devices. These panes have arrows
between them that enable you to move devices from one pane to the other.
Navigation Path

You can access the Device Information page from the Add Device from DCR
wizard. Click the Add button in the Device selector, select Add Device from DCR,
then click Next.
Related Topics

Understanding the Device View, page 5-24

Adding Devices to the Security Manager Inventory, page 5-30

Device Grouping Page, page C-28

Device Validation Error Messages, page C-27

Create Filter Dialog Box, page C-3

Discovering Policies, page 6-7


Field Reference
Table C-22 Device Information Page in Add Device(s) from DCR Wizard

Element / Description

DCR List of Devices pane
    Contains two elements:
    Filter field: Filters and displays a subset of devices based on the
    filtering criteria you define. For more information, see Create Filter
    Dialog Box, page C-3.
    System Defined Groups: Displays device groups and devices that are
    available in the Device and Credential Repository (DCR) but not in Security
    Manager.
    DCR resides in the CiscoWorks Server. DCR is a common repository of devices
    that stores device attributes and device credential information.
>> button
<< button
    Moves the selected devices from one pane to the other pane.
Selected Devices pane
    Displays all the devices that you selected to add from DCR into Security
    Manager.

Discover Device Settings

Discover
    Provides the following discovery options:
    Policies and Inventory: When selected, discovers policies and interfaces.
    This is the default option.
    When policy discovery is initiated, the system analyzes the configuration on
    the device, then imports the configured service and platform policies into
    Security Manager to be managed. When inventory discovery is initiated, the
    system analyzes the interfaces on the device and then imports them into
    Security Manager to be managed. If the device is a composite device, all the
    service modules in that device are discovered.
    If you select this option, the following policies are displayed:
    Platform Settings: Also called platform-specific policy domains.
    Platform-specific policy domains exist on firewall devices and Cisco IOS
    routers. These domains contain policies that configure features that are
    specific to the selected platform. For more information, see Service
    Policies vs. Platform-Specific Policies, page 6-3. This is the default
    option. If you do not want these discovered, deselect this check box.
    Firewall Policies: Also called firewall services. Firewall services include
    policies such as access rules, inspection rules, AAA rules, web filter
    rules, and transparent rules. For details, see Appendix J, Firewall Services
    User Interface Reference. This is the default option. If you do not want
    these discovered, deselect this check box.
    Note: During discovery, if you import an ACL that is inactive, it is shown
    as disabled in Security Manager. If you deploy the same ACL, it will be
    removed by Security Manager.
    Inventory Only: When selected, discovers interfaces. If the device is a
    composite device, all the service modules in that device are discovered.
    No Discovery: When selected, Security Manager does not initiate discovery.

Back button
    Returns to the previous wizard page.
Next button
    Advances to the next wizard page.
Finish button
    Saves your wizard definitions and closes the wizard.
    After you click Finish, the system performs device validation tasks. If the
    data you entered is incorrect, the system generates error messages and
    displays the wizard page where the error occurs with a red error icon
    corresponding to it. Otherwise, the Task Status page appears, displaying the
    status of the device import and discovery.
Cancel button
    Closes the wizard without saving your changes.
Help button
    Opens help for this page.

Device Grouping Page


For elements in the Device Grouping page, see Device Grouping Page, page C-28.

Device Delete Validation Page


Use the Device Delete Validation page to view error and warning messages during
device deletion.
Navigation Path

Select a device from the Device selector, then click the Delete button. (This page
appears only when there is an error or warning regarding the deletion.)
Related Topics

Deleting Devices from the Security Manager Inventory, page 5-56

Devices Page, page C-2

Device Delete Validation Details Dialog Box, page C-51


Field Reference
Table C-23 Device Delete Validation Page

Element / Description

Severity
    Displays one or all of the following:
    Error icon: A problem was detected. See the Results column for details.
    Warning icon: Proceed with caution. See the Results column for details.
    Information icon: Information about the problem. See the Results column for
    details.
    Note: This column is not displayed if the status is Passed and there are no
    errors, warnings, or informational messages to report.
Device
    Displays the name of the device that you are trying to delete.
    Note: This column is not displayed if the status is Passed and there are no
    errors, warnings, or informational messages to report.
Result
    Provides detailed information about the severity. Double-click a row to open
    the Device Delete Validation Details dialog box, or click the Details button.
    See Device Delete Validation Details Dialog Box, page C-51.
    Note: This column is not displayed if the status is Passed and there are no
    errors, warnings, or informational messages to report.
Details button
    Displays the Device Delete Validation Details dialog box. See Device Delete
    Validation Details Dialog Box, page C-51.
OK button
    Proceeds with deletion.
    The OK button appears only if the system has not experienced errors. You
    might still see warning messages. Read the warning message details in the
    Results column to determine whether to continue the deletion. If you want to
    continue, click OK to proceed with the deletion.
Cancel button
    Closes the dialog box without saving your changes.
Help button
    Opens help for this page.


Device Delete Validation Details Dialog Box


Use the Device Delete Validation Details dialog box to view details about the
device deletion.
Navigation Path

You can access the Device Delete Validation Details dialog box from the Device
Delete Validation page in either of two ways:

Double-click a row from the Result column in the Device Delete Validation
page.

Click the Details button in the Device Delete Validation page.

Related Topics

Deleting Devices from the Security Manager Inventory, page 5-56

Devices Page, page C-2

Device Delete Validation Page, page C-49

Field Reference
Table C-24 Device Delete Validation Details

Element / Description

Severity
    Displays one or all of the following:
    Error: A problem was detected. See the Results column for details.
    Warning: Proceed with caution. See the Results column for details.
    Information: Provides information about the problem. See the Results column
    for details.
Device
    Displays the name of the device that you are trying to delete.
Result
    Provides detailed information about the severity.
OK button
    Closes the dialog box.

Create a Clone of <device name> Page


Use the Create a Clone of <device name> page to duplicate a device.
Navigation Path

Right-click the device in the Device selector, then select Clone.

Related Topics

Cloning a Device, page 5-55

Copying Policies Between Devices, page 6-23

Field Reference
Table C-25 Create a Clone Device Page

Element / Description

IP Type
    The device IP type of the cloned device: Static or Dynamic.
Hostname
    The DNS hostname for the cloned device.
    The maximum length is 70 characters. Valid characters are: 0-9; uppercase
    A-Z; lowercase a-z; and the following characters:
    Note: This field is not displayed if the device you select for cloning has a
    dynamic IP address.
Domain Name
    The DNS domain name for the cloned device. If you do not provide the domain
    name, Security Manager will use the default DNS suffix configured on the
    server.
    The maximum length is 70 characters. Valid characters are: 0-9; uppercase
    A-Z; lowercase a-z; and the following character: .
    Note: This field is not displayed if the device you select for cloning has a
    dynamic IP address.

IP Address
    The management IP address of the cloned device.
    Valid characters are . and 0-9. The IP address must be in the dotted quad
    format, for example, 192.64.3.8.
    Note: If you do not know the IP address, enter the DNS hostname in the
    appropriate field. You must enter either the IP address or the DNS hostname.
    Note: This field is not displayed if the device you select for cloning has a
    dynamic IP address.
Display Name
    The unique name for the cloned device.
    The maximum length is 70 characters. Valid characters are: 0-9; uppercase
    A-Z; lowercase a-z; and the following characters: _ - . : and space
Device Identity
    The string value that uniquely identifies the device in Auto Update Server
    or Configuration Engine.
    This field is only displayed if the device is managed by Auto Update Server
    or Configuration Engine.
OK button
    Saves your changes and closes the dialog box.
Cancel button
    Closes the dialog box without saving your changes.
Help button
    Opens help for this dialog box.

Device Properties Page


You can open the Device Properties page in three ways:

From the Device selector, right-click a device, then select Device Properties.

From the Device selector, double-click a device.

Select Tools > Device Properties.

The following topics describe the options in the Device Properties page:

General Page, page C-54

Credentials Page, page C-57

Device Groups Page, page C-59

Policy Object Override Pages, page C-60

General Page
Use the General page to add or edit information for the following four elements:

Identity

Operating System

DCS Settings

Auto Update or CNS-Configuration Engine

Note

Security Manager does not assume that the DNS hostname that appears on the
Device Properties page is the same as the hostname that you configured on
the device.

When you add a device to Security Manager, you must enter either the
management IP address or the DNS hostname. Because it is not possible to
determine the management interface and, therefore, the management IP
address when you discover from a configuration file, the hostname in the
configuration file is used as the DNS hostname. If the hostname is missing in
the CLI of the configuration file, the configuration filename is used as the
DNS hostname.

During live device discovery, the DNS hostname in the Device Properties
page is not updated with the hostname configured on the device. Therefore,
if you want to specify the DNS hostname for the device, you must specify it
manually when you add the device to Security Manager or on the Device
Properties page.

If the DNS hostname or display name of the security context you are
discovering exists in DCR, Security Manager appends it with a _01, _02, and
so on to give it a unique name.


Caution

Cisco Security Manager 3.1 does not support IOS version 12.4(11)T and later
routers that use the Cisco CNS Configuration Engine to manage and deploy
configurations.
Navigation Path

Double-click a device in the Device selector, then click General from the Device
Properties page.
Related Topics

Understanding Device Properties, page 5-51

Credentials Page, page C-57

Device Groups Page, page C-59

Policy Object Override Pages, page C-60

Field Reference
Table C-26 General Page

Element / Description

Identity

Device Type
    The type of device. For example, if the device is a Firewall device, the
    type of Firewall, such as PIX or ASA, is displayed.
IP Type
    Provides two options: Static or Dynamic. Depending on the IP type you
    select, the displayed fields differ.
Hostname
    Displayed for static IP types only.
    The DNS hostname for the device. The maximum length is 70 characters. Valid
    characters are: 0-9; uppercase A-Z; lowercase a-z; and the following
    character: -
Domain Name
    Displayed for static IP types only.
    The DNS domain name for the device. The maximum length is 70 characters.
    Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and the following
    character: .
IP Address
    Displayed for static IP types only.
    The management IP address of the device. Valid characters are 0-9. The IP
    address must be in the dotted quad format, for example 192.64.3.8.


Display Name
    The display name of the device.
    The maximum length is 70 characters. Valid characters are: 0-9; uppercase
    A-Z; lowercase a-z; and the following characters: _ - . : and space

Operating System

OS Type
    The family of the operating system running on the device.
Image Name
    The name of the image.
Running OS Version
    The version of the operating system running on the device.
Target OS Version
    The target OS version for which you want to apply the configuration.
Options
    A read-only field whose values are NONE or IPS. The value IPS indicates that
    the IPS feature is available on the device.
IPS Running OS Version
    A read-only field that displays the version of IOS IPS running on the
    router. This field does not appear if the Options field has the value NONE.
IPS Target OS Version
    A read-only field that displays the target version of IOS IPS running on the
    router. This field does not appear if the Options field has the value NONE.
Contexts
    Displayed if the OS type is an FWSM, ASA, or PIX Firewall version 7.0. The
    two options are: Single or Multi.
Operational Mode
    Displayed if the OS type is an FWSM, ASA, or PIX Firewall 7.0. The options
    are: Transparent, Routed, or Mixed. (Mixed applies only to FWSM 3.1 when
    Contexts is Multi.)

DCS Settings

Transport Protocol
    The transport protocol set on the device, such as SSL, SSH, AUS, CNS, or
    TMS. Security Manager deploys the configuration to the device according to
    the transport mechanism or protocols you set on the device.
    For Cisco IOS routers, note the following:
    You can override the global default settings by selecting SSL or SSH.
    If you select Use Default, the transport protocol set in the Device
    Communication page (Tools > Security Manager Administration > Device
    Communication) is used.


Auto Update or CNS-Configuration Engine
    Depending on the device type, this field is called either Auto Update or
    CNS-Configuration Engine.
    For PIX Firewall, FWSM, or ASA devices, this field is called Auto Update.
    For Cisco IOS routers, this field is called CNS-Configuration Engine.

Server
    If you selected a server, that server name is displayed in the field.
    If you want to select another server but it does not appear in the list,
    you can add it. To do so, select + Add Server... to display the Server
    Properties dialog box. For a description of the fields in the page, see
    Server Properties Dialog Box, page C-40.
Device Identity
    The string value that uniquely identifies the device in Auto Update Server
    or Configuration Engine.
Manage in Cisco Security Manager
    If selected when you added the device, this check box remains selected.
    If you do not want to manage this device in Security Manager, deselect the
    check box.
Save button
    Saves your changes.
Close button
    Closes the page.
Help button
    Opens help for this page.

Credentials Page
Use the Credentials page to add or edit device credential information. For
information about device credentials, see Understanding Device Credentials,
page 5-43.

Note

You can use a maximum of 70 characters to define device credentials. Security
Manager does not restrict the types of characters you can use to define them.
The only restriction is that you may not add a space in the password.
Navigation Path

Double-click a device in the Device selector, then click Credentials from the
Device Properties page.
Related Topics

Understanding Device Properties, page 5-51

General Page, page C-54

Device Groups Page, page C-59

Policy Object Override Pages, page C-60

Rx-Boot Mode Credentials Dialog Box, page C-17

SNMP Credentials Dialog Box, page C-18

HTTP Credentials Dialog Box, page C-19

Field Reference
Table C-27 Credentials Page

Element / Description

Primary Credentials: Required for all device types.

Username
    The username for logging into the device.
Password
    The password for logging into the device. In the Confirm field, enter the
    password again.
Enable Password
    The password that activates enable mode on a Cisco IOS device if enable mode
    is configured on that device. In the Confirm field, enter the enable
    password again.
Authentication Certificate Thumbprint
    Certificate thumbprint available in the certificate data store for the given
    device. Click the Retrieve from Device button next to the field to fetch the
    certificate thumbprint from the device. The Certificate Details dialog box
    appears. Click Accept to add the thumbprint to the Security Manager
    certificate data store.

SDEE Credentials: Displayed for devices that support Intrusion Prevention
Systems (IPS), such as Cisco IOS routers, ASA, and IDS.

Username
    The SDEE username.
Password
    The SDEE password. In the Confirm field, enter the SDEE password again.

HTTP Credentials: Displayed for devices that support IPS, such as Cisco IOS
routers, ASA, and IDS. This information is required for devices that support
SDEE.

HTTP Port
    Port 80.
HTTPs Port
    Port 443.


Certificate Common Name
    The name assigned to the certificate. The common name can be the name of a
    person, system, or other entity that was assigned to the certificate. In the
    Confirm field, enter the common name again.
Mode
    HTTP or HTTPS.

Rx-Boot Mode Credentials Tab
    For more information, see Rx-Boot Mode Credentials Dialog Box, page C-17.
SNMP Credentials Tab
    For more information, see SNMP Credentials Dialog Box, page C-18.
HTTP Credentials Tab: Displayed for PIX Firewall, FWSM, and Catalyst 6500/7600
devices.
    For more information, see HTTP Credentials Dialog Box, page C-19.
Save button
    Saves your changes.
Close button
    Closes the window.
Help button
    Opens help for this page.
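The identity rules from Table C-26 (permitted characters and the 70-character limit for hostname, domain name and display name, the dotted quad IP address format, and the _01, _02 suffix that the General Page note describes) together with the Credentials Page rule that a password may not contain a space, written out as a validator. This is an added example, not Cisco Security Manager code; the function names and the sample DCR name set are constructed for illustration.

```python
"""Validate Security Manager device identity and credential fields.

Added example, not Cisco Security Manager code: it applies the rules stated in
Table C-26 (General Page) and the Credentials Page note. Function names and the
sample DCR name set are constructed for illustration.
"""
import re

MAX_LEN = 70  # stated limit for hostname, domain name, display name and credentials

# Permitted character classes, one per text field, as Table C-26 lists them.
_FIELD_RULES = {
    "hostname": re.compile(r"[0-9A-Za-z-]+"),            # 0-9, A-Z, a-z and "-"
    "domain_name": re.compile(r"[0-9A-Za-z.]+"),         # 0-9, A-Z, a-z and "."
    "display_name": re.compile(r"[0-9A-Za-z_\-.: ]+"),   # plus "_ - . :" and space
}


def validate_field(field: str, value: str) -> list[str]:
    """Return the problems found in one text field; an empty list means it passes."""
    rule = _FIELD_RULES[field]
    if not value:
        return [f"{field}: value is empty"]
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"{field}: {len(value)} characters exceeds the {MAX_LEN} limit")
    if not rule.fullmatch(value):
        # Report each offending character once so the operator can fix the entry.
        bad = sorted({c for c in value if not rule.fullmatch(c)})
        problems.append(f"{field}: disallowed characters {bad}")
    return problems


def validate_ip_address(value: str) -> list[str]:
    """Dotted quad check. Digits and '.' only and exactly four octets come from the
    page; the 0-255 octet range is the IPv4 rule, added here."""
    if not re.fullmatch(r"[0-9.]+", value):
        return ["ip_address: valid characters are '.' and 0-9"]
    octets = value.split(".")
    if len(octets) != 4 or "" in octets:
        return ["ip_address: must be in dotted quad format, for example 192.64.3.8"]
    if any(int(o) > 255 for o in octets):
        return ["ip_address: each octet must be in the range 0-255"]
    return []


def validate_password(password: str) -> list[str]:
    """Credentials Page note: up to 70 characters, any character except a space."""
    problems = []
    if len(password) > MAX_LEN:
        problems.append(f"password: {len(password)} characters exceeds the {MAX_LEN} limit")
    if " " in password:
        problems.append("password: a space is not allowed")
    return problems


def unique_name(candidate: str, existing_names: set[str]) -> str:
    """Apply the _01, _02, ... suffix rule from the General Page note for a DNS
    hostname or display name that already exists in DCR."""
    if candidate not in existing_names:
        return candidate
    n = 1
    while f"{candidate}_{n:02d}" in existing_names:
        n += 1
    return f"{candidate}_{n:02d}"


def validate_static_device(hostname: str, domain_name: str, ip_address: str,
                           display_name: str) -> list[str]:
    """Check the fields shown for the Static IP type. Either the IP address or the
    DNS hostname must be entered (Table C-25 note); the domain name is optional."""
    problems = []
    if not hostname and not ip_address:
        problems.append("identity: enter either the IP address or the DNS hostname")
    if hostname:
        problems += validate_field("hostname", hostname)
    if domain_name:
        problems += validate_field("domain_name", domain_name)
    if ip_address:
        problems += validate_ip_address(ip_address)
    problems += validate_field("display_name", display_name)
    return problems


if __name__ == "__main__":
    # Constructed sample: two names already held in DCR and one new device entry.
    dcr_names = {"fw-edge", "fw-edge_01"}
    print(validate_static_device("fw edge", "corp.example.com", "192.64.3.8", "Edge FW"))
    print(validate_password("bad pass"))
    print(unique_name("fw-edge", dcr_names))
```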

Device Groups Page


Use the Device Groups page to assign, edit, or delete groups.
Navigation Path

Double-click a device in the Device selector, then click Device Groups from the
Device Properties page.
Related Topics

Understanding Device Properties, page 5-51

General Page, page C-54

Credentials Page, page C-57

Policy Object Override Pages, page C-60


Field Reference
Table C-28 Device Groups Page

Element / Description

Group Types, such as Department and Location
    The group type, for example, Department or Location, into which the device
    is grouped or will be grouped. Enables you to select an existing group or to
    create a new group under a group type.
    To create a new group, click the arrow, then select Edit Groups... The Edit
    Device Groups page appears. For a description of the fields in this page,
    see Edit Device Groups Page, page C-66.
Set values as default
    When selected, sets the current values as defaults for adding and editing
    device groups later.
Save button
    Saves your changes.
Close button
    Closes the window.
Help button
    Opens help for this page.

Policy Object Override Pages


You can override the global settings for many types of policy objects from the
Device Properties window of a selected device. This enables you to customize the
definition of an object on that device. For more information, see Overriding
Global Objects for Individual Devices, page 8-197.
Navigation Path

Open the Device Properties Page, page C-53. From the selector, select Policy
Object Overrides > [name of object type].
Related Topics

Policy Object Overrides Window, page F-565

Allowing a Global Object to Be Overridden, page 8-198

Creating Device-Level Object Overrides, page 8-199

Deleting Device-Level Object Overrides, page 8-202


Field Reference
Table C-29 Policy Object Override Pages - Common Fields

Column / Description

Filter
    Click the arrow to display the filtering bar, which enables you to filter
    the information displayed in the table. For more information, see Filtering
    Tables, page 3-24.
Name
    The name of the object.
Category
    The category that is assigned to the object. See Understanding Category
    Objects, page 8-48.
Value Overridden?
    Indicates whether the global object definition has been overridden by values
    defined for the selected device. See Allowing a Global Object to Be
    Overridden, page 8-198.
Description
    Displays an icon if a description is defined for the object. Point at the
    icon to display a tooltip with the text of the description.
    Tip: Double-click the icon to display the text of the description in a popup
    window.
Create Override button
    Opens the dialog box for that object type. From here you can create an
    override object.
Edit Override button
    Opens the dialog box for that object type. From here you can edit the
    selected override object.
Delete Override button
    Deletes the selected override object and restores the global object
    definition.

Note

For information about the columns specific to each object type, see Policy Object
Manager User Interface Reference, page F-1, then click the link for the relevant
object page.

Device Shortcut Menu Options


Use the device shortcut menu options to access several tasks, such as device
properties, containment, cloning device, showing devices in a map, discovering
policies on a device, and so on.
Navigation Path

Select a device in the Device selector, then right-click the device to display a list
of menu options.
Related Topics

Understanding the Device View, page 5-24

Field Reference
Table C-30 Devices Shortcut Menu Options

Element / Description

Device Properties
    Displays device properties for the selected device. Valid properties are:
    General, Credentials, Device Groups, and Policy Object Overrides. See Device
    Properties Page, page C-53.
Show Containment
    Displays information about composite devices.
    Note: This option is available only for Catalyst 6500/7600 devices, FWSM,
    PIX Firewall 7.0, and ASA devices.
    If you select this option, the containment of a device, that is, the service
    modules and security contexts supported on the selected device, is
    displayed:
    For Catalyst 6500/7600 devices, displays the IDSM and FWSM service modules,
    and the security contexts supported by the FWSM.
    For FWSMs, displays security contexts supported by the FWSM.
    For PIX Firewalls, displays security contexts supported by the PIX Firewall.
    For ASA devices, displays security contexts supported by the ASA device.
    For information about security contexts, see Configuring Security Contexts
    on Firewall Devices, page 15-105.


Health and Status
    Enables you to view the health and status of FWSM and PIX Firewall devices.
    Note: This option is available only for FWSM and PIX Firewall devices.
Show in Map View
    Displays your network topology on a map. See Displaying Your Network on the
    Map, page 4-16.
Clone Device
    Clones (duplicates) a device. The cloned device shares the configurations
    and properties of the source device. See Cloning a Device, page 5-55.
    Note: This option is not available for Catalyst 6500/7600 devices.
Copy Policies Between Devices
    Copies policies from one device to another or to a group of devices of the
    same type. See Copying Policies Between Devices, page 6-23.
    Note: This option is not available for Catalyst 6500/7600 devices.
Share Policies Between Devices
    Makes a private policy assigned to a single device available for assignment
    to multiple devices. See Sharing a Local Policy, page 6-28.
    Note: This option is not available for Catalyst 6500/7600 devices.
Preview Configuration
    Enables you to preview the complete proposed configuration that will be on
    the device after deployment, including the configuration changes you made
    using Security Manager and the existing configuration. See Preview Config
    Dialog Box, page O-8.
Delete Device
    Deletes a selected device. See Deleting Devices from the Security Manager
    Inventory, page 5-56.
Discover Policies on Device
    Initiates policy discovery for a selected device or a device group. See
    Discovering Policies, page 6-7.

Policy Selector Shortcut Menu Options


Right-click a policy type in the Policy selector to display a shortcut menu for
performing actions on the selected policy. The available options depend on
whether the policy type:

Is unassigned.

Contains a local policy for that specific device.

Contains a shared policy that may be assigned to multiple devices.


User Guide for Cisco Security Manager 3.1

OL-11501-02

C-63

Appendix C

Devices User Interface Reference

Policy Selector Shortcut Menu Options

The current status of each policy type is indicated by the icon displayed next to
the policy name. See Policy Status Icons, page 6-22.
Navigation Path

Right-click a policy in the Policy selector to display a list of menu options.


Related Topics

Policy Menu General Reference, page D-1

Understanding the Device View, page 5-24

Field Reference
Table C-31 Policy Selector Options

Menu Command / Description

Unassigned policy options

Assign Shared Policy
    Assigns an existing shared policy to the selected device. See Assign Shared
    Policy Dialog Box, page D-3.

Local policy options

Share Policy
    Shares the local policy so that it can be assigned to other devices. See
    Share Policy Dialog Box, page D-2.
Assign Shared Policy
    Replaces the local policy assigned to the device with a shared policy of the
    same type. See Assign Shared Policy Dialog Box, page D-3.
Unassign Policy
    Unassigns the policy from the device. When deployed, the configuration that
    corresponds to the settings defined in this policy is removed from the
    device.

Shared policy options

Unshare Policy
    Creates a local copy of the shared policy and assigns it to the device in
    place of the shared policy. See Unsharing a Policy, page 6-32.
Assign Shared Policy
    Replaces the shared policy assigned to the device with a different shared
    policy of the same type. See Assign Shared Policy Dialog Box, page D-3.
Unassign Policy
    Unassigns the policy from the device. When deployed, the configuration that
    corresponds to the settings defined in this policy is removed from the
    device.


Edit Policy Assignments

Enables you to assign and unassign the shared policy from the
devices in your network. See Shared Policy Assignments Dialog
Box, page D-11.

Save Policy As

Saves a new instance of the selected shared policy under a different
name. Use this option to create a new policy with the same
definition as the policy from which it was created. See Save Policy
As Dialog Box, page D-13.

Rename Policy

Renames the selected policy. See Rename Policy Dialog Box,
page D-14.

Device Group Shortcut Menu Options

Use the device group shortcut menu options to access several grouping tasks, such
as add device group, edit device group information, add devices to device group,
and add a device to Security Manager.
Navigation Path

Right-click a group in the Device selector to display a list of menu options.

Related Topics

Understanding the Device View, page 5-24

Field Reference

Table C-32 Device Grouping Shortcut Menu Options

Element

Description

New Device

Opens the New Device - Choose Method wizard page from which you can select
the method for adding a device to the Security Manager inventory.

Edit Device Groups

Enables you to perform device group editing tasks, including add a group type,
add a device group, modify the device group name, and delete a device group.


New Device Group

Enables you to add a new device group.

Add Devices to Group

Enables you to add devices to a selected device group.

Edit Device Groups Page

Use the Edit Device Groups page to edit device groups, create new device group
types and device groups, create subgroups under existing device groups, and
delete device groups or subgroups.
Navigation Path

Do one of the following:

• Right-click a device group type or a device group in the Device selector, then
select Edit Device Groups...

• Select File > Edit Device Groups...

Related Topics

Understanding Device Grouping, page 5-57

Working With Device Groups, page 5-59

Field Reference

Table C-33 Edit Device Groups Page

Element

Description

Groups

Displays device group types, device groups, and subgroups.

Add Type button

Creates a new device group type.

Add button

Creates a device group or subgroup.

Delete button

Deletes a device group type, device group, or subgroup.

OK button

Saves your changes and closes the page.


Cancel button

Closes the page without saving your changes.

Help

Opens help for this page.

Add Devices to Group Page

Use the Add Devices to Group page to add devices to the selected group.
Navigation Path

Do one of the following:

• Right-click a device group or subgroup in the Device selector, then select
Add Devices to Group.

• Select File > Add Devices to Group...

Related Topics

Understanding Device Grouping, page 5-57

Device Group Shortcut Menu Options, page C-65


Field Reference

Table C-34 Add Devices to Group Page

Element

Description

Available Devices pane

Contains two elements:

• Filter field - Filters and displays a subset of devices and groups based on the
filtering criteria you define. For more information, see Create Filter Dialog
Box, page C-3.

• Device Groups - Displays device group types, device groups, and devices
that are available in Security Manager.

>> button
<< button

Moves the selected devices from one pane to the other pane.
To add a single device or multiple devices, select the devices or a group from the
Available Devices pane, then click >>. The selected devices or all of the devices
in the selected group move to the Selected Devices pane.
To remove a device from the Selected Devices pane, select the device from the
Selected Devices pane, then click <<. The selected device moves to the Available
Devices pane.

Selected Devices pane

Displays all the devices that you selected to add to a group.

OK button

Saves your changes and closes the page.

Cancel button

Closes the page without saving your changes.

Help button

Opens help for this page.

Add Group Dialog Box


Use the Add Group dialog box to create a group.
Navigation Path

Right-click a device group or device group type in the Device selector, then select
New Device Group.
Related Topics

Understanding Device Grouping, page 5-57


Device Group Shortcut Menu Options, page C-65

Field Reference

Table C-35 Add Devices to Groups Page

Element

Description

Group Name

A unique name for the group.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Appendix D

Policy User Interface Reference


These topics describe the pages that are accessed from the Policy menu and within
the Policy view. The Policy view is used to globally manage all the shared policies
configured with Cisco Security Manager:

• Policy Menu General Reference, page D-1

• Policy View General Reference, page D-21

Policy Menu General Reference

Use the options in the Policy menu to manage local and shared policies in Device
view. The options in the Policy menu display the dialog boxes and wizards
described in the following topics:

• Share Policy Dialog Box, page D-2

• Assign Shared Policy Dialog Box, page D-3

• Copy Policies Wizard, page D-6

• Share Policies Wizard, page D-9

• Shared Policy Assignments Dialog Box, page D-11

• Save Policy As Dialog Box, page D-13

• Rename Policy Dialog Box, page D-14

• Inherit Rules Dialog Box, page D-15

• Create Discovery Task Dialog Box, page D-16


Share Policy Dialog Box

Use the Share Policy dialog box to convert a local policy to a shared policy that
you can assign to multiple devices or VPNs. For more information, see Sharing a
Local Policy, page 6-28.
Navigation Path

In Device view, select a policy from the Device Policies selector, then do one of
the following:

• Select Policy > Share Policy.

• Right-click the policy, then select Share Policy.

Related Topics

Assign Shared Policy Dialog Box, page D-3

Shared Policy Assignments Dialog Box, page D-11

Inherit Rules Dialog Box, page D-15

Policy Menu General Reference, page D-1

Field Reference

Table D-1 Share Policy Dialog Box

Element

Description

Policy Name

The name that identifies the shared policy. Unlike local policies,
shared policies require a name so that they can be identified when
you assign the policy to devices or VPN topologies. Names can
contain up to 255 characters, including spaces and special
characters.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.


Assign Shared Policy Dialog Box

Use the Assign Shared Policy dialog box to assign an existing shared policy to a
selected device. For more information, see Assigning a Shared Policy to a
Selected Device, page 6-33.

Note

If you use this option to replace a local, rule-based policy, a warning message is
displayed that gives you the option to inherit the rules of the shared policy instead
of replacing the local policy through assignment. See Local Policy Will Be
Replaced Dialog Box, page D-4.
Navigation Path

In Device view, select a policy from the Device Policies selector, then do one of
the following:

• Select Policy > Assign Shared Policy.

• Right-click the policy in the Device Policies selector, then select Assign
Shared Policy.

• Click the Shared Policy in use link in the header above the work area.

Related Topics

Save Policy As Dialog Box, page D-13

Shared Policy Assignments Dialog Box, page D-11

Inherit Rules Dialog Box, page D-15

Policy Menu General Reference, page D-1


Field Reference

Table D-2 Assign Shared Policy Dialog Box

Element

Description

Policy selector

Lists all shared policies defined for the selected policy type. Select
the shared policy to assign to the selected device.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

Note

You cannot change the policy assigned to the device if the device is locked
by another user. Click Close to close the dialog box.

Local Policy Will Be Replaced Dialog Box

When working with a rule-based policy such as access rules or AAA rules, use the
Local Policy Will Be Replaced dialog box to choose between:

• Assigning a shared policy in place of the existing local policy. If you choose
to assign, all local rules are removed and cannot be retrieved.

• Inheriting the rules of the shared policy. If you choose to inherit, the inherited
rules are added to the local rules that are already defined.

Navigation Path

The Local Policy Will Be Replaced dialog box is displayed automatically when
you do the following:

1. Select a local, rule-based policy (such as Access Rules).

2. Right-click the policy in the Device Policies selector, then select Assign
Shared Policy.

3. Select a shared policy from the displayed list, then click OK.

Related Topics

Inheritance vs. Assignment, page 6-53


Assign Shared Policy Dialog Box, page D-3

Policy Menu General Reference, page D-1

Field Reference

Table D-3 Local Rules Will Be Replaced Dialog Box

Element

Description

Assign Policy [name of policy]

Select this option to confirm that you want to replace the local
policy defined for the device with the selected shared policy.
If you choose this option, the shared policy replaces the local policy,
and all rules defined in the local policy are removed.

Inherit from Policy [name of policy]

Select this option to have the local policy inherit the rules defined
in the shared policy.
If you choose this option, the inherited rules are added to the local
rules. Use inheritance instead of assignment when the device needs
to maintain the set of local rules already defined for it.

Do not show this again

When selected, Security Manager implements your choice
(assignment or inheritance) automatically whenever this situation
arises in the future.
When deselected, Security Manager displays this dialog box so that
you can choose between assignment and inheritance. This is the
default.
Tip

To reset hidden warning messages, select Tools > Security
Manager Administration > Customize Desktop, then
click Reset Do Not Ask on Warnings.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.


Copy Policies Wizard

Use the Copy Policies wizard to copy selected policies (both local and shared) to
one or more devices of the same type. For example, you can use the Copy Policies
wizard to copy a set of firewall service policies and routing policies from one
firewall device to fifty other firewall devices with a single operation.
For more information, see Copying Policies Between Devices, page 6-23.
The pages of the Copy Policies wizard are described in the following topics:

• Copy Policies Wizard - Copy Policies from this Device Page, page D-6

• Copy Policies Wizard - Copy Policies to these Devices Page, page D-7

• Copy Policies Wizard - Select Policies to Copy Page, page D-8

Navigation Path

In Device view, select a device from the Device selector, then do one of the
following:

• Select Policy > Copy Policies Between Devices.

• Right-click the device in the Device selector, then select Copy Policies
Between Devices.

Related Topics

Share Policies Wizard, page D-9

Policy Menu General Reference, page D-1

Copy Policies Wizard - Copy Policies from this Device Page

Use the Copy Policies from this Device page of the Copy Policies wizard to select
the device whose policies will be copied to other devices of the same type.

Note

When you access the Copy Policies wizard by right-clicking a specific device, the
device you right-clicked is automatically selected as the source device and you are
brought directly to the Copy Policies Wizard - Copy Policies to these Devices
Page, page D-7. You can return to the Copy Policies from this Device page by
clicking Back.


Navigation Path

In Device view, select a device from the Device selector, then select Policy >
Copy Policies Between Devices.
Related Topics

Copy Policies Wizard, page D-6

Copying Policies Between Devices, page 6-23

Field Reference

Table D-4 Copy Policies Wizard - Copy Policies from this Device Page

Element

Description

Filter

Selects a filter to apply to the device selector, or enables you to
create a new filter. By default, the active filter in Device view is
applied to the filter displayed in the wizard. For more information,
see Filtering Items in Selectors, page 3-21.
Note

If you create a filter while working inside the wizard, it is
added to the list of filters available in Device view. The
active filter in Device view, however, does not change.

Device selector

Selects the device containing the policies to be copied.

Next button

Advances to the next wizard page.

Copy Policies Wizard - Copy Policies to these Devices Page

Use the Copy Policies to these Devices page of the Copy Policies wizard to select
the devices to which policies from the source device will be copied.
Navigation Path

Go to the Copy Policies Wizard, page D-6, then click Next on the Copy Policies
from this Device page.
Related Topics

Copy Policies Wizard, page D-6

Copying Policies Between Devices, page 6-23


Field Reference

Table D-5 Copy Configuration Wizard - Copy Policies to these Devices Page

Element

Description

Filter

Selects a filter to apply to the device selector, or enables you to
create a new filter. By default, the active filter in Device view is
applied to the filter displayed in the wizard. For more information,
see Filtering Items in Selectors, page 3-21.
Note

If you create a filter while working inside the wizard, it is
added to the list of filters available in Device view. The
active filter in Device view, however, does not change.

Device selector

Selects the devices to which policies from the source device should
be copied. Selecting the check box for a device group selects all of
the devices in that group.
The device selector displays only those devices that are the same
type as the source device. For example, if the source device is a
Cisco IOS router, only routers are displayed, not firewall devices.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Copy Policies Wizard - Select Policies to Copy Page

Use the Select Policies to Copy page of the Copy Policies wizard to select which
policies to copy from the source device to the target devices.
Navigation Path

Go to the Copy Policies Wizard, page D-6, then click Next on the Copy Policies
to these Devices page.
Related Topics

Copy Policies Wizard, page D-6

Copying Policies Between Devices, page 6-23


Field Reference

Table D-6 Copy Policies Wizard - Select Policies to Copy Page

Element

Description

Policy selector

Selects the policies to copy from the source device to the target
devices. Selecting the check box for a policy group selects all of the
policies in that group.
Note

When copying policies between PIX/ASA/FWSM devices,
copying the failover policy automatically copies the
interfaces policy and vice-versa.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Saves your definitions and closes the wizard.

Share Policies Wizard

Use the Share Policies wizard to take the policies configured on a particular
device and make them shared policies that you can assign to other devices. For
more information, see Sharing Multiple Policies of a Selected Device, page 6-30.
The pages of the Share Policies wizard are described in the following topics:

• Share Policies Wizard - Share Policies from this Device Page, page D-10

• Share Policies Wizard - Select Policies to Share Page, page D-11

Navigation Path

In Device view, select a device from the Device selector, then do one of the
following:

• Select Policy > Share Device Policies.

• Right-click the device in the Device selector, then select Share Device
Policies.

Related Topics

Copy Policies Wizard, page D-6

Policy Menu General Reference, page D-1


Share Policies Wizard - Share Policies from this Device Page

Use the Share Policies from this Device page of the Share Policies wizard to select
the device whose policies you want to share.

Note

When you access the Share Policies wizard by right-clicking a specific device, the
device you right-clicked is automatically selected as the source device and you are
brought directly to the Share Policies Wizard - Select Policies to Share Page,
page D-11. You can return to the Select Source Device page by clicking Back.
Navigation Path

In Device view, select a device from the Device selector, then select Policy >
Share Device Policies.
Related Topics

Share Policies Wizard, page D-9

Sharing Multiple Policies of a Selected Device, page 6-30

Field Reference

Table D-7 Share Configuration Wizard - Share Policies from this Device Page

Element

Description

Filter

Selects a filter to apply to the device selector, or enables you to
create a new filter. By default, the active filter in Device view is
applied to the filter displayed in the wizard. For more information,
see Filtering Items in Selectors, page 3-21.
Note

If you create a filter while working inside the wizard, it is
added to the list of filters available in Device view. The
active filter, however, does not change.

Device selector

Selects the device containing the policies to be shared.

Next button

Advances to the next wizard page.


Share Policies Wizard - Select Policies to Share Page

Use the Select Policies to Share page of the Share Policies wizard to select which
policies you want to share.
Navigation Path

Go to the Share Policies Wizard, page D-9, then click Next on the Share Policies
from this Device page.
Related Topics

Share Policies Wizard, page D-9

Sharing Multiple Policies of a Selected Device, page 6-30

Field Reference

Table D-8 Share Policies Wizard - Select Policies to Share Page

Element

Description

Policy selector

Selects the policies to share. Selecting the check box for a policy
group selects all of the policies in that group. By default, all
configured policies (local and shared) are selected.
Note

If you select a policy that is already shared, Security
Manager creates a copy of that policy using the name that
you define in the wizard.

Save policies as

The name to give to the policies you are sharing.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Saves your definitions and closes the wizard.

Shared Policy Assignments Dialog Box

Use the Shared Policy Assignments dialog box to modify the list of devices or
VPN topologies to which you have assigned a selected shared policy. For more
information, see Modifying Shared Policy Assignments in Device View,
page 6-39.


Tip

You can also modify policy assignments from Policy view. See Policy
View - Assignments Tab, page D-28.
Navigation Path

In Device view, select a shared policy from the Device Policies selector, then do
one of the following:

• Select Policy > Edit Policy Assignments.

• Right-click the policy in the Device Policies selector, then select Edit Policy
Assignments.

• Click the Assigned to link in the header above the work area.

Related Topics

Share Policy Dialog Box, page D-2

Shared Policy Assignments Dialog Box, page D-11

Inherit Rules Dialog Box, page D-15

Policy Menu General Reference, page D-1


Field Reference

Table D-9 Shared Policy Assignments Dialog Box

Element

Description

Available Devices/VPNs

Lists all existing devices or VPN topologies. To assign the selected
policy to additional devices or VPNs, select one or more items from
this list, then click >> to add them to the Selected Devices/VPNs
list.

Assigned Devices/VPNs

Lists all devices or VPNs to which the selected policy has been
assigned. To remove items from this list, select the item, then
click <<.
If you unassign a shared, mandatory policy from a VPN (for
example, IKE), a default policy is configured automatically in its
place. Unassigning a VPN policy that is not mandatory removes the
policy completely from the VPN.
If you unassign a shared policy from a remote access VPN, an
empty policy is configured in its place, even if it is a mandatory
policy, such as IKE. In such cases, you must configure a new policy
in order to avoid validation errors during deployment.
If you unassign a shared policy from a device, the policy type is
effectively removed from that device configuration.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

Save Policy As Dialog Box

Use the Save Policy As dialog box to duplicate an existing shared policy under a
new name. For more information, see Copying a Shared Policy, page 6-36.
Navigation Path

Select a shared policy in either Device view or Policy view, then do one of the
following:

• Select Policy > Save Policy As.


• Right-click the shared policy, then select Save Policy As.

Related Topics

Assign Shared Policy Dialog Box, page D-3

Shared Policy Assignments Dialog Box, page D-11

Inherit Rules Dialog Box, page D-15

Policy Menu General Reference, page D-1

Field Reference

Table D-10 Save Policy As Dialog Box

Element

Description

Policy Name

The name that identifies the shared policy. Unlike local policies,
shared policies require a name so that they can be identified when
you assign the policy to devices or VPN topologies. Names can
contain up to 255 characters, including spaces and special
characters.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

Rename Policy Dialog Box

Use the Rename Policy dialog box to assign a different name to a selected shared
policy. For more information, see Renaming a Shared Policy, page 6-37.
Navigation Path

Select a shared policy in either Device view or Policy view, then do one of the
following:

• Select Policy > Rename Policy.

• Right-click the policy, then select Rename Policy.


Related Topics

Create a Policy Dialog Box, page D-29

Policy View General Reference, page D-21

Field Reference

Table D-11 Rename Policy Dialog Box

Element

Description

Policy Name

The new name to assign to the selected shared policy. Names can
contain up to 255 characters, including spaces and special
characters.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

Inherit Rules Dialog Box

Use the Inherit Rules dialog box to have a rule-based policy (such as access rules)
inherit the rules of a shared policy of the same type. For more information, see
Inheriting Rules, page 6-54.
Navigation Path

Select a shared rule-based policy in either Device view or Policy view, then do one
of the following:

• Select Policy > Inherit Rules.

• Right-click the policy, then select Inherit Rules.

Related Topics

Inheritance vs. Assignment, page 6-53

Save Policy As Dialog Box, page D-13

Assign Shared Policy Dialog Box, page D-3

Shared Policy Assignments Dialog Box, page D-11

Policy Menu General Reference, page D-1

Field Reference

Table D-12 Inherit Rules Dialog Box

Element

Description

Policy selector

Selects the parent policy, that is, the policy whose rules should be
inherited. Policies can inherit only from shared policies of the same
type.
The name of the selected parent policy is displayed below the
selector.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

Create Discovery Task Dialog Box

Use the Create Discovery Task dialog box to have Security Manager discover the
policies that already exist on a device.
Navigation Path

In Device view, select a device from the Device selector, then do one of the
following:

• Select Policy > Discover Policies on Device.

• Right-click the device in the Device selector, then select Discover Policies on
Device.

Related Topics

Discovering Policies on Devices Already in Security Manager, page 6-10

Discovering Policies, page 6-7

Policy Menu General Reference, page D-1


Field Reference

Table D-13 Create Discovery Task Dialog Box

Element

Description

Discovery Task Name

The name assigned to the discovery task. This name can be used to
identify the task in the Discovery Manager. Security Manager
automatically generates a name for the task based on the current
date and time, but you can modify this name as required.

Discover From

The source of information to be discovered:

• Live Device - Performs discovery on a live device.

• Config File - Performs discovery based on the contents of a
configuration file. When you select this option, you must
specify the location of the file.

Note

Security Manager supports only device-generated
configuration files. For more information, see Adding
Devices to the Security Manager Inventory, page 5-30.

• Factory Default Configuration - Performs discovery on a
firewall device using a file containing the factory-default
settings for that device. Security Manager automatically
chooses the appropriate file for the selected device. For more
information, see Understanding Factory-Default
Configurations, page 15-2.

Config. File

Applies only when performing discovery on a configuration file.
The location of the configuration file on which discovery will be
performed. You can manually enter the path and file name, or click
Browse to display a file selector. For more information, see
Selecting a File or Directory on the Server File System, page 3-31.


Discover Policies for Security Contexts

Applies only to ASA/PIX/FWSM devices.
When selected, Security Manager attempts to discover policies on
each virtual firewall (security context) that is configured on a
firewall device running in multiple mode.
When deselected, Security Manager treats the entire device as
having a single set of policies configured in single mode.
For more information about security contexts, see Configuring
Security Contexts on Firewall Devices, page 15-105.

Policies to Discover

The policy types to discover on the selected device. Select one or
more of the following options:

• Inventory - Includes device information such as the hostname
and domain name, interfaces, and security contexts (for firewall
devices running in multiple mode). On Cisco IOS routers, this
option also discovers all interface-related policies, such as
DSL, PPP, and PVC policies.

• Platform Settings - Includes all platform-specific policies that
can be configured on the selected device. For example, if you
are performing policy discovery on a PIX firewall device, this
option includes such policies as device admin policies,
multicast policies, and routing policies.

• Firewall Services - Includes all firewall service policies. For
more information, see Managing Firewall Services, page 12-1.

• RA VPN Policies - Includes all remote access VPN policies that are
configured on the selected device. For more information, see
Managing Remote Access VPNs, page 10-1.

• IPS - Includes all IPS policies that are configured on the
selected device. For more information, see Managing IPS
Devices, page 17-1 and Managing IPS Services, page 13-1.

OK button

Initiates the discovery task. The Create Discovery dialog box closes
and is replaced by the Discovery Status dialog box. For more
information, see Discovery Status Dialog Box, page D-19.


Discovery Status Dialog Box


Use the Discovery Status dialog box to view detailed information about the
current policy discovery task. The dialog box includes general information about
the status of the task, as well as detailed information about any warnings or errors
generated by the device being discovered.
The Discovery Status dialog box opens automatically when you initiate a
discovery task on existing devices and when you add devices from a configuration
file or the DCR. For more information about initiating a discovery task, see Create
Discovery Task Dialog Box, page D-16.
Related Topics

Viewing Policy Discovery Task Status, page 6-12

Discovering Policies, page 6-7

Policy Menu General Reference, page D-1

Adding Devices to the Security Manager Inventory, page 5-30

Field Reference
Table D-14

Discovery Status Dialog Box

Element

Description

Progress bar

Indicates what percentage of the discovery task on the current device has been completed. After discovery on all devices is complete, the bar is colored green if discovery was successful and red if one or more devices failed.

Status

The current state of the discovery task.

Devices to be discovered

The total number of devices being discovered during this task.

Note: When discovering security contexts on a firewall device running in multiple mode, this value represents the parent device plus all the security contexts configured on the device. For more information, see Create Discovery Task Dialog Box, page D-16.

Devices discovered successfully

The number of devices discovered without errors.


Devices discovered with errors

The number of devices that generated errors during discovery.


Discovery Details table

Device

The name of the device being discovered.

Severity

The overall severity level of the discovery task performed on each device (Info, Warning, Error). For example, if the discovery task completed successfully, an Info icon is displayed. If the task failed, an Error icon is displayed.

State

The current state of the policy discovery task for the selected
device:

Device Added: The device has been added to Security Manager, but policy discovery has not yet started.

Discovery Started: Policy discovery has started.

Reading and Parsing Device Config: The policy discovery task is parsing the device configuration.

Importing Objects: The policy discovery task is importing objects from the configuration.

Importing Policies: The policy discovery task is importing policies from the configuration.

Discovery Complete: Policy discovery has been completed successfully.

Discovery Failed: Policy discovery failed due to errors.

Discovered From

The source of policy information. For example, when discovering from a configuration file, this field displays the name and path of the file.

Messages

The text of each message.

Severity

The severity level of each message related to the discovery task


(Info, Warning, Error).

Description

Additional information about the warning or error.

Action

The steps you should take to resolve the problem.

Discovery Status buttons


Abort button

Aborts the discovery task.

If you abort the task when performing policy discovery on a single device, the result is partial discovery of that device. In such cases, we recommend deleting the information (for example, by discarding the activity) and starting again.

If you abort the task when performing policy discovery on multiple devices, Security Manager automatically discards the information for any partially discovered device. Devices for which discovery was completed before you aborted the operation are fully discovered.

Close button

Closes the dialog box.

Help button

Opens help for this dialog box.

Policy View General Reference


Use Policy view to globally manage all the shared policies configured with Cisco
Security Manager. Unlike Device view, which you use to manage all the policies
configured on a selected device, Policy view enables you to manage all shared
policies of a particular type regardless of device.
Policy view enables you to:

Create new shared policies.

Edit any policy configuration.

Modify the list of devices or VPNs to which shared policies are assigned.

Delete shared policies that are not assigned to any devices or VPNs.

Navigation Path

Click the Policy View button on the toolbar or select View > Policy View.
Related Topics

Policy Menu General Reference, page D-1


Field Reference
Table D-15

Policy View

Element

Description

Policy Type selector

Lists the policy types available in Security Manager, divided by category. Clicking a policy type in the selector displays all the shared policies defined for that type in the Shared Policy selector. See Policy View: Policy Type Selector, page D-23.

Shared Policy selector

Lists the shared policies that are defined for the selected type. Clicking a policy in the selector displays the definition of that policy on the Details tab of the work area. You can modify the definition as required. Changes affect all devices or VPN topologies to which the policy is assigned.

Use the Filter list to filter the list of policies displayed in the selector. For more information about creating filters, see Create Filter Dialog Box: Policy View, page D-26.

The list of devices or VPN topologies to which the policy is assigned is displayed on the Assignments tab. For more information, see Policy View: Assignments Tab, page D-28.

Work area

Contains two tabs:

Details: Use this tab to view and edit the definition of the selected policy. Any changes you make to a policy affect every device or VPN to which the policy is assigned. See Policy View: Policy Type Selector, page D-23.

Assignments: Use this tab to view and edit the list of devices or VPNs to which a shared policy is assigned. See Policy View: Assignments Tab, page D-28.

The banner at the top of the work area displays the name of the
shared policy, the policy type, and the number of devices or VPNs
to which the policy is assigned.


Policy View: Policy Type Selector


The Policy Type selector displayed on the upper-left side of Policy view lists each
policy type available in Security Manager, divided by domain. Select a policy type
to display a list of shared policies that are defined for that type in the Shared
Policy selector.
For more information, see Policy View Selectors, page 6-42.
Related Topics

Policy View: Policy Type Selector Options, page D-24

Policy View: Shared Policy Selector Options, page D-25

Policy View General Reference, page D-21

Field Reference
Table D-16

Policy View: Policy Type Selector

Element

Description

Firewall

Lists all policy types for configuring firewall services. See Managing Firewall Services, page 12-1.

NAT (PIX/ASA/FWSM)

Lists all NAT policies configured on PIX/ASA/FWSM devices. See Configuring NAT Policies on Firewall Devices, page 15-20.

NAT (Router)

Lists all NAT policies configured on Cisco IOS routers. See NAT on
Cisco IOS Routers, page 14-5.

Site-to-Site VPN

Lists all policy types for configuring site-to-site VPNs. See Managing Site-to-Site VPNs, page 9-1.

Remote Access VPN

Lists all policy types for configuring remote-access VPNs. See Managing Remote Access VPNs, page 10-1.

SSL VPN

Lists all policy types for configuring SSL VPNs. See Managing SSL
VPNs, page 11-1.

Catalyst Platform

Lists all policy types for configuring Catalyst 6500/7600 devices. See Managing Catalyst Devices, page 16-1.

IPS

Lists all policy types for configuring IPS devices. See Managing
IPS Services, page 13-1 and Managing IPS Devices, page 17-1.


IPS (Router)

Lists all policy types for configuring IPS policies on IOS routers.
See Managing IPS Services, page 13-1 and Managing IPS Devices,
page 17-1.

PIX/ASA/FWSM Platform

Lists all policy types for configuring PIX/ASA/FWSM platform-specific policies. See Managing Firewall Devices, page 15-1.

Router Interfaces

Lists all policy types for configuring interface-related policies on Cisco IOS routers. See Managing Routers, page 14-1.

Router Platform

Lists all policy types for configuring platform-specific Cisco IOS router policies. See Managing Routers, page 14-1.

FlexConfigs

Lists all FlexConfig policies. See Managing FlexConfigs, page 19-1.

Policy View: Policy Type Selector Options


Right-click a policy type in the Policy Type selector (see Policy View: Policy Type Selector, page D-23) to display a shortcut menu for performing functions on the selected policy type.
For more information, see Policy View Selectors, page 6-42.
Related Topics

Policy View: Shared Policy Selector Options, page D-25

Policy View General Reference, page D-21

Field Reference
Table D-17

Policy Type Selector Options

Menu Command

Description

New [policy type] Policy

Opens the Create a Policy Dialog Box, page D-29. Use this dialog
box to create a shared policy of the selected type.


Policy View: Shared Policy Selector Options


Right-click a policy in the Shared Policy selector of Policy view to display a
shortcut menu for performing functions on the selected policy.
For more information, see Policy View Selectors, page 6-42.
Related Topics

Policy View: Policy Type Selector Options, page D-24

Create Filter Dialog Box: Policy View, page D-26

Policy View General Reference, page D-21

Field Reference
Table D-18

Shared Policy Selector Options

Menu Command

Description

Save Policy As

Saves a new instance of the selected shared policy under a different name. Use this option to create a new policy with the same definition as the policy from which it was created. See Save Policy As Dialog Box, page D-13.

Rename Policy

Renames the selected policy. See Rename Policy Dialog Box, page D-14.

Inherit Rules

Applies only to rule-based policies such as access rules. Causes a rule-based policy to inherit the rules of a different shared policy of the same type. See Inherit Rules Dialog Box, page D-15.

New [policy type] Policy

Opens the Create a Policy Dialog Box, page D-29. Use this dialog
box to create a shared policy of the selected type.

Delete Policy

Deletes a shared policy from Security Manager.

Note: You can delete only those policies that are not assigned to any devices or VPNs.


Create Filter Dialog Box: Policy View


Use the Create Filter dialog box to filter the shared policies displayed in Policy
view, based on the filtering criteria you define. For more information, see
Filtering the Shared Policy Selector, page 6-43.
Navigation Path

In Policy view, select Create Filter from the Filter list displayed above the Shared
Policy selector.
Related Topics

Policy View: Shared Policy Selector Options, page D-25

Policy View General Reference, page D-21


Field Reference
Table D-19

Create Filter Dialog Box: Policy View

Element

Description

Match Any of the Following

When you select this option, an OR relationship is created among the filtering criteria you define. For example, if you define the following criteria:

Name contains OSPF

Name contains RIP

When you click OK, the filter is defined as:

Name contains OSPF or Name contains RIP

If you select this filter from the Filter list, the Shared Policy selector displays all shared policies whose name contains either OSPF or RIP.

Match All of the Following

When you select this option, an AND relationship is created among the filtering criteria you define. For example, if you define the following criteria:

Name contains OSPF

Name contains West

When you click OK, the filter is defined as:

Name contains OSPF and Name contains West

If you select this filter from the Filter list, the Shared Policy selector displays all shared policies whose name contains both OSPF and West.

Filter type

Filters the policies by name. You specify the policy name, or a portion of the name, in the filter value field.


Filter operator

The relationship between the filter type and the filter value:

contains

doesn't contain

is

isn't

begins with

ends with

Filter value

The full or partial policy name to include in the filter. Enter a string
in this field.

Filter content area

The filter type, operator, and value that you have selected for each
criterion.

Add button

Adds a criterion to the filter control content area.

Remove button

Removes the selected criterion from the filter control content area.

OK button

Saves your changes and closes the dialog box. The filter is added to
the Filter list.
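The matching rules in Table D-19 (a single filter type, six operators, and Match Any versus Match All combining the criteria) can be shown in working code. The following Python module is an added example written for this page, not code from Security Manager; it assumes case-sensitive string comparison, which the guide does not specify, and runs the guide's two filter definitions over a constructed list of policy names.

```python
# Shared-policy name filter, modelled on the Create Filter dialog (Table D-19).
# Added illustration, not Security Manager code. Assumes case-sensitive string
# comparison; the guide does not say whether matching is case-sensitive.
from collections.abc import Callable, Iterable
from dataclasses import dataclass

# The six choices offered for the "Filter operator" field.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "contains": lambda name, value: value in name,
    "doesn't contain": lambda name, value: value not in name,
    "is": lambda name, value: name == value,
    "isn't": lambda name, value: name != value,
    "begins with": lambda name, value: name.startswith(value),
    "ends with": lambda name, value: name.endswith(value),
}


@dataclass(frozen=True)
class Criterion:
    """One row of the filter content area: filter type, operator, and value."""
    operator: str
    value: str
    filter_type: str = "Name"   # the only filter type the dialog offers

    def __post_init__(self) -> None:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown filter operator: {self.operator!r}")

    def matches(self, policy_name: str) -> bool:
        return OPERATORS[self.operator](policy_name, self.value)

    def __str__(self) -> str:
        return f"{self.filter_type} {self.operator} {self.value}"


@dataclass(frozen=True)
class PolicyFilter:
    """A saved filter: its criteria and whether they are combined with OR or AND."""
    criteria: tuple[Criterion, ...]
    match_all: bool = False   # False = Match Any (OR), True = Match All (AND)

    def __post_init__(self) -> None:
        # Edge case: any([]) is False and all([]) is True, so an empty filter would
        # show nothing under Match Any and everything under Match All. Refuse it.
        if not self.criteria:
            raise ValueError("a filter needs at least one criterion")

    def describe(self) -> str:
        """The definition shown after you click OK, e.g. 'Name contains OSPF or Name contains RIP'."""
        return (" and " if self.match_all else " or ").join(str(c) for c in self.criteria)

    def matches(self, policy_name: str) -> bool:
        results = (c.matches(policy_name) for c in self.criteria)
        return all(results) if self.match_all else any(results)

    def apply(self, policy_names: Iterable[str]) -> list[str]:
        """The policies the Shared Policy selector would display."""
        return [name for name in policy_names if self.matches(name)]


# Constructed sample of shared policy names, not taken from the guide.
SAMPLE_POLICIES = ["OSPF-West-Core", "OSPF-East-Core", "RIP-Branch", "BGP-Edge", "West-Static-Routes"]


def match_any_example() -> list[str]:
    """The guide's Match Any example: Name contains OSPF or Name contains RIP."""
    f = PolicyFilter((Criterion("contains", "OSPF"), Criterion("contains", "RIP")))
    return f.apply(SAMPLE_POLICIES)


def match_all_example() -> list[str]:
    """The guide's Match All example: Name contains OSPF and Name contains West."""
    f = PolicyFilter((Criterion("contains", "OSPF"), Criterion("contains", "West")), match_all=True)
    return f.apply(SAMPLE_POLICIES)


if __name__ == "__main__":
    for fn in (match_any_example, match_all_example):
        print(fn.__doc__, "->", fn())
```

The empty-criteria check matters more than it looks: a filter with no rows would silently hide every policy under Match Any and pass every policy under Match All, and an operator string that is not one of the six is rejected when the criterion is built rather than when the filter is first used.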

Policy View: Assignments Tab


Use the Assignments tab in Policy view to modify the list of devices or VPNs to
which the selected shared policy is assigned. For more information, see
Modifying Policy Assignments in Policy View, page 6-46.
Navigation Path

In Policy view, select a policy from the Shared Policy selector, then click the
Assignments tab in the work area.
Related Topics

Shared Policy Assignments Dialog Box, page D-11


Field Reference
Table D-20

Policy View: Assignments Tab

Element

Description

Available Devices/VPNs

Lists all existing devices or VPN topologies. To assign the selected policy to additional devices or VPNs, select one or more items from this list, then click >> to add them to the Selected Devices list.

Assigned Devices/VPNs

Lists all devices or VPNs to which the selected policy has been
assigned. To remove items from this list, select the item, then
click <<.
If you unassign a shared, mandatory policy from a VPN (for
example, IKE), a default policy is configured automatically in its
place. Unassigning a VPN policy that is not mandatory removes the
policy completely from the VPN.
If you unassign a shared policy from a remote access VPN, an
empty policy (that is, a policy instance with no values) is configured
in its place, even if it is a mandatory policy, such as IKE. In such
cases, you must configure a new policy in order to avoid validation
errors during deployment.
If you unassign a shared policy from a device, an empty policy is
assigned in its place.

Save button

Saves your changes to the server but keeps them private.

Note: To publish your changes, click the Submit button on the toolbar.

Create a Policy Dialog Box


When working in Policy view, use the Create a Policy dialog box to create a new
shared policy of a selected type. The new policy is initially not assigned to any
devices or VPN topologies. For more information, see Creating a New Shared
Policy, page 6-45.

Note

See Policy View: Assignments Tab, page D-28 for information about assigning the new policy.


Navigation Path

In Policy view, do one of the following:

Right-click a policy type in the Policy Types selector, then select New [name
of policy] Policy.

Right-click a policy in the Shared Policy selector, then select New [name of
policy] Policy.

Related Topics

Policy View General Reference, page D-21

Policy View: Assignments Tab, page D-28

Field Reference
Table D-21

Create a Policy Dialog Box

Element

Description

Policy Name

The name to assign to the new shared policy. Names can contain up
to 255 characters, including spaces and special characters.

OK button

Saves your changes locally on the client and closes the dialog box.

Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Appendix E

Activities User Interface Reference


An activity is a temporary container within which you define and assign policies.
You must create an activity or open an existing activity before you can define
policies and assign them to devices.
To create and open activities, and perform other management functions, ensure
that Workflow mode is enabled and then select Tools > Activity Manager. The
Activity Manager window appears. To help you understand the information
available and functions you can perform in the Activity Manager window, see
Activity Manager Window, page E-1.
If you do not create or open an activity before trying to define policies, a dialog
box prompts you to do so. The following topics explain these dialog boxes:

Activity Required (Create Activity) Dialog Box, page E-17

Activity Required (Create or Open Activity) Dialog Box, page E-18

Openable Activities Dialog Box, page E-19

Activity Manager Window


The Activity Manager window contains three parts: the Activity Table, Activity
Details tab, and Activity History tab. These parts allow you to create and manage
activities.

Note

The Activity Manager option from the Tools menu is only visible when Workflow
mode is enabled.


This section also describes the following features of the Activity Manager
window:

Activity States

Details Tab

History Tab

Create Activity Dialog Box

Submit Activity Dialog Box

Approve Activity Dialog Box

Reject Activity Dialog Box

Discard Activity Dialog Box

Validation Dialog Box

View Changes (Activity Change Report)

Navigation Path

Click the Activity Manager button on the Main toolbar.


Related Topics

Working with Activities, page 7-9

Understanding Activity States, page 7-5

Field Reference
Table E-1

Activities Manager Window

Element

Description

Activity

Contains the unique name of each activity.

State

The state of each activity. For a list of valid states, see Table E-2.

Last Modified

The timestamp for the most recent action.

User

The username of the person who changed the state of the activity.

Last Action

The most recent action performed on the activity.

Create button

Adds a new activity so that you can create or change policies or assign policies to
devices. For more information, see Create Activity Dialog Box, page E-7.


Open button

Opens the activity so that changes, such as defining and assigning policies, are
captured within the activity. You can open an activity when it is in the Edit or the
Submitted state.

Close button

Closes the activity and saves all changes made while the activity was open. You can close an activity when it is in the Edit Open or the Submitted Open state.

Validate button

Validates changes that you have made to the activity from the time you created the activity to the current time, then generates and displays a report. Validating an activity checks policy integrity and deployability. For more information, see Validation Dialog Box, page E-12.

Submit button

Submits the activity. When using Workflow mode without activity approval,
submitting the activity approves and saves it to the database in one step. When using
Workflow mode with activity approval, submitting the activity sends notification that
the activity is ready for review to the specified approver. For more information, see
Submit Activity Dialog Box, page E-8.
You can submit an activity when it is in the Edit or the Edit Open state.

Approve button

Saves the proposed changes to the database. Devices associated with the activity are unlocked, meaning they can be included in policy definitions and changes in other activities. You must have appropriate user permissions to approve the activity. You can approve an activity only when it is in the Submitted state. For more information, see Approve Activity Dialog Box, page E-9.

Note: The Approve button is available only in Workflow mode with an activity approver.


Reject button

Rejects the changes proposed in the activity. You must have appropriate user
permissions to reject an activity. If the activity is rejected, the submitter can continue
to make changes to the activity. Devices associated with the activity are not unlocked,
meaning that they cannot be included in policy definitions or changes in another
activity. For more information, see Reject Activity Dialog Box, page E-10.
You can reject an activity only when it is in the Submitted or the Submitted Open
state.

Note: The Reject button is available only in Workflow mode with an activity approver.

Discard button

Discards the activity. The activity is then purged from the system when you perform
the purge action manually or automatically, as set under Tools > Security Manager
Administration > Workflow. The activity state is shown as discarded until the activity
is purged from the system. For more information, see Discard Activity Dialog Box,
page E-11 and Deployment Page, page A-5.

View Changes

Generates a report in PDF format for any individual activity. If the activity is in the Closed state, this button is grayed out. For more information, see View Changes (Activity Change Report), page E-15.

Refresh button

Refreshes the information presented on the Activity page.

Activity Details tab

Information about the selected activity, such as the name and description of the
activity and the date and time it was created and modified. For more information, see
Details Tab, page E-5.

Activity History tab

Transactions that occurred to the selected activity since it was created. For more
information, see History Tab, page E-6.

Close button

Closes the window.

Help button

Opens help for this window.

Activity States
The State column in the Activity Table lists the status of each activity.


Related Topics

Understanding Activity States, page 7-5

Working with Activities, page 7-9

Field Reference
Table E-2

Activity States

State

Description

Edit

The activity was created, but the activity is not currently being edited. The activity can
be opened or discarded while it is in the Edit state.

Edit Open

The activity is open for editing. Changes, such as defining and assigning policies, are
made in the activity. Devices or groups being configured are locked from other
activities. The activity can be closed, discarded, submitted, or approved while it is in
the Edit Open state.

Submitted

The activity was submitted for review. It can be viewed but not edited while it is in the
Submitted state. It must be opened (in the Submitted Open state) to be edited. Devices
and groups in the activity are locked from other activities. The activity can be opened,
discarded, or rejected while it is in the Submitted state.

Submitted Open

The activity is open for viewing. Devices in the activity are locked to other activities.
The activity can be approved or rejected while it is in the Submitted Open state.

Approved

The activity was approved, and the corresponding configuration elements are now
committed policy configurations. Devices associated with the activity are unlocked and
can now be used by another activity. The activity can be deployed or discarded while it
is in the Approved state.

Approve Failed

The activity is placed in the Approve Failed state if errors occur during approval (for
example, due to a power failure). If this happens, try to approve the activity again or
reboot the server.

Discarded

Changes made to the activity since the activity was created were discarded and further
changes to the activity are not allowed. Devices associated with the activity are
unlocked and can now be used in a new activity. The activity remains in the Activity
table showing a Discarded state until it is purged from the system.
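Table E-2 together with the Activity Manager buttons defines a small state machine: which actions are allowed in each state, when the devices in an activity are locked from other activities, and which actions need approver permissions. The Python module below is an added example written for this page, not Security Manager code. The transition table follows the state descriptions above; the lock bookkeeping (a device is locked by the first change made to it while the activity is Edit Open, and released only on approval or discard), the `is_approver` flag, and the `commit` callback used to simulate an approval that fails mid-way are assumptions for the example.

```python
# Activity workflow state machine, modelled on Table E-2 and the Activity Manager buttons.
# Added illustration, not Security Manager code. The transitions follow the guide's state
# descriptions; the lock bookkeeping (a device stays locked from the first change made in
# Edit Open until the activity is approved or discarded) is an assumption for the example.
from collections.abc import Callable
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    EDIT = "Edit"
    EDIT_OPEN = "Edit Open"
    SUBMITTED = "Submitted"
    SUBMITTED_OPEN = "Submitted Open"
    APPROVED = "Approved"
    APPROVE_FAILED = "Approve Failed"
    DISCARDED = "Discarded"


# action -> {current state: next state}, one entry per transition Table E-2 allows.
TRANSITIONS: dict[str, dict[State, State]] = {
    "open": {State.EDIT: State.EDIT_OPEN, State.SUBMITTED: State.SUBMITTED_OPEN},
    "close": {State.EDIT_OPEN: State.EDIT, State.SUBMITTED_OPEN: State.SUBMITTED},
    "submit": {State.EDIT: State.SUBMITTED, State.EDIT_OPEN: State.SUBMITTED},
    "approve": {State.EDIT_OPEN: State.APPROVED, State.SUBMITTED: State.APPROVED,
                State.SUBMITTED_OPEN: State.APPROVED, State.APPROVE_FAILED: State.APPROVED},
    "reject": {State.SUBMITTED: State.EDIT, State.SUBMITTED_OPEN: State.EDIT},
    "discard": {State.EDIT: State.DISCARDED, State.EDIT_OPEN: State.DISCARDED,
                State.SUBMITTED: State.DISCARDED, State.APPROVED: State.DISCARDED},
}


class WorkflowError(Exception):
    """A disallowed transition, a device lock conflict, or a missing permission."""


@dataclass
class LockRegistry:
    holders: dict[str, str] = field(default_factory=dict)   # device -> activity holding the lock

    def acquire(self, device: str, activity: str) -> None:
        holder = self.holders.get(device)
        if holder is not None and holder != activity:
            raise WorkflowError(f"{device} is locked by activity {holder!r}")
        self.holders[device] = activity

    def release_all(self, activity: str) -> None:
        self.holders = {d: a for d, a in self.holders.items() if a != activity}


@dataclass
class Activity:
    name: str
    locks: LockRegistry
    approval_required: bool = True   # Workflow mode with (True) or without (False) an approver
    state: State = State.EDIT

    def _next(self, action: str) -> State:
        try:
            return TRANSITIONS[action][self.state]
        except KeyError:
            raise WorkflowError(f"cannot {action} {self.name!r} in state {self.state.value!r}") from None

    def act(self, action: str) -> None:
        """Plain transitions with no side effects: open and close."""
        if action not in ("open", "close"):
            raise WorkflowError(f"{action!r} has its own method with side effects")
        self.state = self._next(action)

    def change_device(self, device: str) -> None:
        """Policy changes are captured only while Edit Open, and they lock the device."""
        if self.state is not State.EDIT_OPEN:
            raise WorkflowError("policy changes require the Edit Open state")
        self.locks.acquire(device, self.name)

    def submit(self) -> None:
        self.state = self._next("submit")
        if not self.approval_required:
            # Without an activity approver, submitting approves and commits in one step.
            self.approve(is_approver=True)

    def approve(self, is_approver: bool, commit: Callable[[], None] = lambda: None) -> None:
        if not is_approver:
            raise WorkflowError("approving requires approver permissions")
        target = self._next("approve")          # validate the transition before committing
        try:
            commit()                            # write the proposed changes to the database
        except Exception:                       # e.g. the server fails mid-commit
            self.state = State.APPROVE_FAILED   # locks are kept; approve can be retried
            return
        self.state = target
        self.locks.release_all(self.name)       # approved: devices usable by other activities

    def reject(self, is_approver: bool) -> None:
        if not is_approver:
            raise WorkflowError("rejecting requires approver permissions")
        self.state = self._next("reject")       # back to Edit; devices stay locked

    def discard(self) -> None:
        self.state = self._next("discard")
        self.locks.release_all(self.name)
```

Two points from the table are worth checking against this model. A rejected activity returns to Edit with its devices still locked, so the submitter keeps exclusive access until the activity is approved or discarded; and an approval that fails part-way lands in Approve Failed with the locks held, which is why the guide tells you to approve again rather than start a new activity. A second activity can only make changes to the same device once the first one has been approved or discarded.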

Details Tab
The Details tab provides information about the selected activity.

Navigation Path

Click the Activity Manager button on the Main toolbar, select an activity, then
click the Details tab.
Related Topics

Activity Manager Window, page E-1

History Tab, page E-6

Field Reference
Table E-3

Details Tab

Element

Description

Activity ID

Identification number assigned by Security Manager when you create the activity.

Activity Name

Name of the activity. The default activity name contains the username, date, and time
the activity was created. However, whoever creates the activity can create a different
name for the activity.

Created

Date and time the activity was created.

Last Modified

Date and time the activity was last modified.

Description

Comments entered when the activity state is changed.

Close button

Closes the window.

Help button

Opens help for this window.

History Tab
The History tab displays the transactions that occurred to the selected activity
since the activity was created. The History tab provides information about the
selected activity.
Navigation Path

Click the Activity Manager button on the Main toolbar, select an activity, then
click the History tab.
Related Topics

Activity Manager Window, page E-1


History Tab, page E-6

Field Reference
Table E-4

History Tab

Element

Description

State

State of the activity. For a list of valid states, see Table E-2.

User

Username of the person who performed the action on the activity.

Date/Time

Date and time the action was performed on the activity.

Comment

Comments entered when the activity state is changed.

Create Activity Dialog Box


Activities must be created before you can make policy changes.
Navigation Path

Click the Create Activity button on the Main toolbar.


Related Topics

Opening an Activity, page 7-12

Activity States, page E-4

Field Reference
Table E-5

Create Activity Dialog Box

Element

Description

Activity Name

Name of the activity. The default activity name contains the username, date, and time
the activity was created. If you enter a different name, you should assign a logical
name that reflects the contents of the activity. The activity name must be unique.

Comment

Brief description of the changes to the activity or other pertinent information.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.



Submit Activity Dialog Box


When in Workflow mode with an activity approver, you must submit activities for
approval before policy changes can be committed to the Security Manager
database and deployed to devices.
Navigation Path

Do one of the following:

To submit an open activity, click the Submit Activity button on the Main
toolbar.

To submit a closed activity, click the Activity Management button on the Main toolbar, select the desired activity, then click Submit.

Related Topics

Opening an Activity, page 7-12

Submitting an Activity for Approval, page 7-14

Activity States, page E-4

Field Reference
Table E-6

Submit Activity Dialog Box

Element

Description

Approver

Default email address of the person assigned approval permissions. This person receives
notification of your submission. You can leave the default address or enter a new email
address. The default email address is set in Tools > Security Manager Administration >
Workflow.

Note

If the email does not reach the recipient, Security Manager displays a message
indicating that the email server is unreachable, and you must contact the
approver directly.

Comment

Brief description of the changes included in the activity or other pertinent information.

OK button

Saves your changes and closes the dialog box.


Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Approve Activity Dialog Box


When in Workflow mode with an activity approver, you must submit activities for
review.
Approving an activity commits policy changes to the Security Manager database
so that they can then be deployed to devices.
Navigation Path

Do one of the following:

To approve an open activity, click the Approve Activity button on the Main
toolbar.

To approve a closed activity, click the Activity Management button on the Main toolbar, select the desired activity, then click Approve.

Related Topics

Approving or Rejecting an Activity, page 7-16

Activity States, page E-4

Field Reference
Table E-7

Approve Activity Dialog Box

Element

Description

Comment

Brief explanation of why you are approving the activity.

OK button

Saves your changes and closes the dialog box.


Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Reject Activity Dialog Box


In Workflow mode with an activity approver, you must submit activities to an
activity approver who has permissions to approve or reject the activity.
Rejecting an activity does not commit policy changes to the Security Manager database. The activity is returned to the Edit state so that changes can be made. As the activity approver, you can specify any desired changes in the comments field.
Navigation Path

Do one of the following:

To reject an open activity, click the Reject Activity button on the Main
toolbar.

To reject a closed activity, click the Activity Management button on the Main
toolbar, select the desired activity, then click Reject.

Related Topics

Approving or Rejecting an Activity, page 7-16

Activity States, page E-4

Field Reference
Table E-8

Reject Activity Dialog Box

Element

Description

Comment

Brief description of why you are rejecting the activity and any suggested revisions.

OK button

Saves your changes and closes the dialog box.


Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Discard Activity Dialog Box


You can discard an activity if you want to cancel the changes that you have made.
For tracking purposes, you can enter a comment explaining why you are
discarding the activity.
Navigation Path

Do one of the following:

To discard an open activity, click the Discard Activity button on the Main
toolbar.

To discard a closed activity (must be in the Edit or Edit Open state), click the
Activity Management button on the Main toolbar, select the desired activity,
then click Discard.

Related Topics

Discarding an Activity, page 7-19

Activity States, page E-4

Field Reference
Table E-9

Discard Activity Dialog Box

Element

Description

Comment

Brief explanation of why you are discarding the activity.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.
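The approve, reject, and discard rules described in the three dialog boxes above, modelled as a small state machine. This is an added example, not Cisco Security Manager code; the states Edit, Edit Open and Submitted follow the text, while the Approved and Discarded states, the is_approver permission flag, and the Activity and User classes are assumptions made for illustration.

```python
"""Model of the activity approval workflow described for Workflow mode.

Added example, not code from Cisco Security Manager. The state names Edit,
Edit Open and Submitted come from the text; Approved, Discarded, the
'is_approver' permission flag and the Activity/User classes are assumptions.
"""
from dataclasses import dataclass, field


class WorkflowError(Exception):
    """Raised when a transition is not allowed in the current state."""


@dataclass
class User:
    name: str
    is_approver: bool = False   # permission to approve or reject (assumed flag)


@dataclass
class Activity:
    name: str
    state: str = "Edit"
    comments: list = field(default_factory=list)   # (user, action, comment)
    committed: bool = False     # True once changes are in the database


def submit(activity: Activity) -> Activity:
    """Submit an activity for review; only editable activities can be submitted."""
    if activity.state not in ("Edit", "Edit Open"):
        raise WorkflowError(f"cannot submit from state {activity.state!r}")
    activity.state = "Submitted"
    return activity


def approve(activity: Activity, approver: User, comment: str) -> Activity:
    """Approving commits policy changes so they can be deployed to devices."""
    _require_approver(approver)
    if activity.state != "Submitted":
        raise WorkflowError(f"cannot approve from state {activity.state!r}")
    activity.comments.append((approver.name, "approve", comment))
    activity.state = "Approved"
    activity.committed = True
    return activity


def reject(activity: Activity, approver: User, comment: str) -> Activity:
    """Rejecting commits nothing and returns the activity to Edit;
    the approver's comment carries the requested changes."""
    _require_approver(approver)
    if activity.state != "Submitted":
        raise WorkflowError(f"cannot reject from state {activity.state!r}")
    activity.comments.append((approver.name, "reject", comment))
    activity.state = "Edit"
    return activity


def discard(activity: Activity, user: User, comment: str) -> Activity:
    """Discarding is allowed only while the activity is in Edit or Edit Open."""
    if activity.state not in ("Edit", "Edit Open"):
        raise WorkflowError(f"cannot discard from state {activity.state!r}")
    activity.comments.append((user.name, "discard", comment))
    activity.state = "Discarded"
    return activity


def _require_approver(user: User) -> None:
    """Approve and reject need a user who holds approver permissions."""
    if not user.is_approver:
        raise WorkflowError(f"{user.name} lacks approve/reject permission")
```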


Validation Dialog Box


The validation process checks the integrity and deployability of policy changes
you have made. The process works slightly differently depending on whether
Workflow mode is disabled or enabled.

Workflow mode disabled: The validation process checks policy changes
that took place within a login session and displays the results. The validation
process reports on policy changes that were made up until the changes are
saved or deployed. After changes are saved or deployed, the validation report
remains static; it does not reflect any policy changes made after the save or
deployment.

Workflow mode enabled: The validation process checks policy changes
within an open activity and displays a report with the results. The validation
process reports on policy changes that were made to the activity until it was
submitted. After an activity is submitted, the validation report remains static.

The Validation dialog box contains detailed error information organized in two
tabs. Click the desired tab to display its contents.
The following topics contain information about these tabs:

Errors Tab, page E-12

Devices Tab, page E-14

Errors Tab
The Errors tab contains the Validation Results table and Details pane.
The Validation Results table provides details about each error found during
validation. The details consist of a description of the error, the severity of the
error, and the number of devices affected.
Click an error to display the Details pane. The pane shows a description of and
solution to the error and the specific devices affected.
Navigation Path

Do one of the following:

To display validation errors for an open activity, click the Validate Activity
button on the Main toolbar. When the Validation Result dialog box appears,
click Details, then click the Errors tab.

To display validation errors for a closed activity, click the Activity
Management button on the Main toolbar, select the desired activity, then click
Validate. When the Validation Result dialog box appears, click Details, then
click the Errors tab.

Related Topics

Validating an Activity, page 7-13

Validation Dialog Box, page E-12

Devices Tab, page E-14

Field Reference
Table E-10

Errors Tab

Element

Description

Validation Results table: List of validation errors.

Error

Error message headline.

Severity

Icon representing the severity of the error:

Information icon shows that there are no errors to prevent approval.

Warning icon shows that there are errors; however, they are not severe
enough to prevent approval.

Error icon shows that errors prevent approval.

Note: A validation warning will not prevent activity approval or deployment.

# devices affected

Number of devices affected by the validation error listed in the Error column.

Details pane: Information about the errors and affected devices.

Devices

Name of the device.

Types

Icon representing the type of device, for example firewall, router, and so on.

Error

Error message headline.

Description

Error message details, such as device types affected and current device status.

Solution

Probable cause and suggested resolution when relevant and available.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Devices Tab
The Devices tab contains the Validation Results table and Details pane.
The Validation Results table provides details about each device and the errors and
warnings found during validation. The details consist of the type of device, the
status of the validation, and the number of errors and warnings encountered.
Click a device to display the Details pane. The pane shows a description of and
solution to each error and warning.
Navigation Path

Do one of the following:

To display errors grouped by device for an open activity, click the Validate
Activity button on the Main toolbar. When the Validation Result dialog box
appears, click Details, then click the Devices tab.

To display errors grouped by device for a closed activity, click the Activity
Management button on the Main toolbar, select the desired activity, then click
Validate. When the Validation Result dialog box appears, click Details, then
click the Devices tab.

Related Topics

Validating an Activity, page 7-13

Validation Dialog Box, page E-12

Errors Tab, page E-12

Field Reference
Table E-11

Devices Tab

Validation Results table: List of devices.

Type

Icon representing the type of device affected.


Device

Name of the device.

Status

Icon indicating the results of the validation test:

Information icon shows there are no errors to prevent approval.

Warning icon shows that there are errors; however, they are not severe
enough to prevent approval.

Error icon shows that errors prevent approval.

Summary

Number of errors and warnings; no text if neither is present.

Details pane: Information about the errors and warnings for the device selected in the Validation
Results table.

Error

Error message headline.

Severity

Icon representing the severity of the error:

Information icon indicates there are no errors to prevent approval.

Warning icon indicates there are errors; however, they are not severe
enough to prevent approval.

Error icon indicates errors prevent approval.

Summary

Brief description of the error.

Description

Details about the error.

Solution

Probable cause and suggested resolution when relevant and available.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.
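How the Errors tab and the Devices tab views can both be derived from one set of validation findings, as an added example (not Cisco Security Manager code). The severity names and the rule that only Error severity blocks approval come from the text; the Finding structure, the device names and the error messages are constructed sample data.

```python
"""Roll-up of validation findings into the two views of the Validation dialog box.

Added example, not Cisco Security Manager code. Severity names
(Information, Warning, Error) and the rule that only Error severity blocks
approval come from the text; the Finding structure and the sample findings
below are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Higher rank = more severe; a device's status icon is its highest-ranked finding.
SEVERITY_RANK = {"Information": 0, "Warning": 1, "Error": 2}


@dataclass(frozen=True)
class Finding:
    device: str
    device_type: str      # e.g. "firewall", "router"
    severity: str         # Information | Warning | Error
    error: str            # error message headline
    description: str
    solution: str


# Constructed sample findings for one activity (not real device data).
SAMPLE_FINDINGS = [
    Finding("fw-edge-1", "firewall", "Error", "Interface role unresolved",
            "Interface role 'Outside' matches no interface on the device.",
            "Assign a matching interface or adjust the role pattern."),
    Finding("fw-edge-2", "firewall", "Error", "Interface role unresolved",
            "Interface role 'Outside' matches no interface on the device.",
            "Assign a matching interface or adjust the role pattern."),
    Finding("rtr-branch-7", "router", "Warning", "Unused policy object",
            "Network object 'Printers' is not referenced by any rule.",
            "Remove the object or reference it in a rule."),
    Finding("rtr-branch-7", "router", "Information", "No changes",
            "Policy content unchanged since last deployment.", ""),
]


def errors_tab(findings):
    """Errors tab: one row per distinct error headline, with its severity and
    the number of devices affected, most severe first."""
    devices = defaultdict(set)
    severity = {}
    for f in findings:
        devices[f.error].add(f.device)
        severity[f.error] = f.severity
    rows = [{"error": e, "severity": severity[e], "devices_affected": len(d)}
            for e, d in devices.items()]
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r["severity"]], r["error"]))


def devices_tab(findings):
    """Devices tab: one row per device with a status equal to the highest
    severity seen on it and a summary of error and warning counts."""
    by_device = defaultdict(list)
    for f in findings:
        by_device[f.device].append(f)
    rows = []
    for device, items in sorted(by_device.items()):
        counts = Counter(f.severity for f in items)
        status = max((f.severity for f in items), key=SEVERITY_RANK.__getitem__)
        rows.append({"device": device, "type": items[0].device_type,
                     "status": status, "summary": _summary(counts)})
    return rows


def _summary(counts):
    """Summary column text: counts of errors and warnings, empty if neither."""
    parts = []
    if counts["Error"]:
        parts.append(f"{counts['Error']} error(s)")
    if counts["Warning"]:
        parts.append(f"{counts['Warning']} warning(s)")
    return ", ".join(parts)


def approval_blocked(findings):
    """Only Error severity prevents approval; warnings never do."""
    return any(f.severity == "Error" for f in findings)
```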

View Changes (Activity Change Report)


From the Tools > Change Reports menu (non-Workflow mode), or Activity
Manager (Workflow mode) you can view reports about actions that users have
taken within an activity. You can see which actions were taken and what devices
and groups were acted upon within an activity or configuration session
(non-Workflow mode). The Activity Change report, generated in PDF format,
also identifies the policy changes made as part of that activity. You must disable
any popup-blocker applications in your browser for the Activity Change report to
launch.

Note: If you discover a device or rediscover policies on a device, subsequent policy
changes in the same activity performed on that device are not listed in the activity
change report. This is also true for a device that you clone from another device.
For more information, see Understanding Activity Change Reports, page 7-17.
Navigation Path

If you are in non-Workflow mode, do the following:

In Device view, highlight a device and select Tools > Change Reports.
Select an entry from the Change Report window and click the View Changes
button.

If you are in Workflow mode, do any one of the following:

In Device View, highlight a device and select Activities > View Changes.

In Device View, highlight a device and click the View Changes icon from the
Activity toolbar.

Highlight an activity in the Activity Manager window and click the View
Changes button.

Use File > View Changes to obtain an Activity Change Report that only reports
changes on the current activity (or configuration session in non-Workflow mode).
Related Topics

Understanding Activity Change Reports, page 7-17

Understanding Activities, page 7-2

Working with Activities, page 7-9

Field Reference
Table E-12

Activity Report PDF

Element

Description

Bookmarks tab

Use the PDF bookmarks structure to navigate the report.

Activity name

Name of the activity (or the user and session start date and time if unnamed).

Created by

User and start date and time of activity.

Current state

Current state of activity.

Report created on

Date and time the Activity Report was generated.

Devices

Names of the devices acted upon (added, modified, or deleted) within this activity. Only
changes to local policies are listed here.

Shared Policies

Changes to all shared policies are displayed here.

Policy Objects

Changes to all policy objects are displayed here.

Activity Required (Create Activity) Dialog Box


When in Workflow mode, creating or modifying policies requires that an activity
be open.
Navigation Path

If you attempt to create or modify policies without first creating an activity, the
Activity Required (Create Activity) Dialog Box appears.
Related Topics

Creating an Activity, page 7-11

Activity States, page E-4


Field Reference
Table E-13

Activity Required (Create Activity) Dialog Box

Element

Description

Activity Name

Name of the activity. The default activity name contains the username, date, and time
the activity was created.

Comment

Brief description of the changes included in the activity or other pertinent
information.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Activity Required (Create or Open Activity) Dialog Box

In Workflow mode, creating or modifying policies requires that an activity be
open.
Navigation Path

If you attempt to create or modify policies without first creating or opening an
activity, the Activity Required (Create or Open Activity) Dialog Box appears.
Related Topics

Creating an Activity, page 7-11

Opening an Activity, page 7-12

Activity States, page E-4


Field Reference
Table E-14

Activity Required (Create or Open Activity) Dialog Box

Element

Description

Create a new activity

Creates a new activity with the following information:

Name: Name of the activity. The default activity name contains the username,
date, and time the activity was created.

Description: Brief description of the changes in the activity or other pertinent
information.

Open an existing activity

Opens the activity selected from the Activity list (if there are activities available in
the Edit state).

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Openable Activities Dialog Box


In Workflow mode, creating or modifying policies requires that an activity be
open.
Navigation Path

Click the Open Activity button on the Main toolbar.


Related Topics

Opening an Activity, page 7-12


Field Reference
Table E-15

Openable Activities Dialog Box

Element

Description

Activity Name

Name of the activity. The default activity name includes the username, date, and time
the activity is created.

State

State of the activity. For a list of valid states, see Table E-2.

Creator

Username of the person who created the activity.

OK button

Saves your changes and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

Appendix F

Policy Object Manager User Interface Reference

The Policy Object Manager user interface reference contains the following topics:

Policy Object Manager Window, page F-3

AAA Server Groups Page, page F-12

AAA Servers Page, page F-18

Access Control Lists Page, page F-33

ASA User Groups Page, page F-58

Categories Page, page F-87

Credentials Page, page F-88

IKE Proposals Page, page F-92

Inspection Class Maps


DNS Class Maps Page, page F-96
FTP Class Maps Page, page F-109
HTTP Class Maps Page, page F-121
IM Class Maps Page, page F-168
SIP Class Maps Page, page F-184

Inspection Policy Maps


DNS Maps Page, page F-203
FTP Maps Page, page F-228

GTP Maps Page, page F-243


HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page, page F-261
HTTP Maps (ASA 7.2/PIX 7.2) Page, page F-283
IM Maps (ASA 7.2/PIX 7.2) Page, page F-345
IM Maps (IOS) Page, page F-365
SIP Maps Page, page F-377

Additional Inspection Object Types


Regular Expressions Page, page F-409
Regular Expression Groups Page, page F-405
TCP Maps Page, page F-413

Interface Roles Page, page F-416

IPsec Transform Sets Page, page F-422

LDAP Attribute Maps Page, page F-426

Networks/Hosts Page, page F-431

PKI Enrollments Page, page F-435

Port Forwarding List Page, page F-448

Secure Desktop Configuration Page, page F-453

Services
Port Lists Page, page F-459
Service Groups Page, page F-463
Services Page, page F-465

Single Sign On Server (SSO) Page, page F-471

SLA Monitors Page, page F-475

Style Objects Page, page F-479

Text Objects Page, page F-482

Time Ranges Page, page F-485

Traffic Flows Page, page F-489

URL Lists Page, page F-504

User Groups Objects Page, page F-508

SSL VPN Customization Page, page F-534

SSL VPN Gateway Page, page F-550

Style Objects Page, page F-479

WINS Server Lists Page, page F-554

Object Selectors, page F-558

Object Usage Window, page F-563

Policy Object Overrides Window, page F-565

Note: See FlexConfigs Objects Page, page P-10 for information about the user interface
for defining FlexConfig objects.

Policy Object Manager Window


Use the Policy Object Manager window to:

View all the available objects grouped according to object type.

Access all object dialog boxes to create, copy, edit, and delete objects.

Generate usage reports, which describe how selected objects are being used
by other Security Manager objects and policies.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools >
Policy Object Manager.
Related Topics

Policy Object Manager User Interface Reference, page F-1

Guidelines for Managing Objects, page 8-4

Object Usage Window, page F-563

Policy Object Overrides Window, page F-565

Selecting Objects for Policies, page 8-203

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211


Field Reference
Table F-1

Policy Object Manager Window

Element

Description

Object Type selector

Lists the object types available in Security Manager. Clicking an
object type in the selector displays a table in the work area
containing all the objects currently defined for that type. See Object
Type Selector, page F-4.

Work area

Displays the objects that are defined for the type selected in the
Object Type selector. For information about the buttons displayed
beneath the work area, see Policy Object Manager Window - Work
Area Buttons, page F-8.
Right-clicking anywhere inside the table displays a shortcut menu
for performing object operations. See Policy Object Manager
Window - Shortcut Menu, page F-9.
Use the filtering bar located above the table to filter the list of
objects displayed in the work area. See Filtering Tables, page 3-24.

Object Type Selector


The Object Type selector is displayed on the left side of the Policy Object
Manager window. Select an object type to display a list of objects that have been
defined for that type in the work area.
Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools >
Policy Object Manager.
Related Topics

Policy Object Manager Window, page F-3

Policy Object Manager Window - Work Area Buttons, page F-8

Policy Object Manager Window - Shortcut Menu, page F-9


Field Reference
Table F-2

Object Type Selector

Element

Description

AAA Server Groups

Displays a table of defined AAA server group objects. See AAA
Server Groups Page, page F-12.

AAA Servers

Displays a table of defined AAA server objects. See AAA Servers
Page, page F-18.

Access Control Lists

Displays a table of defined ACL objects. See Access Control Lists
Page, page F-33.

ASA User Groups

Displays a table of defined ASA user group objects. See ASA User
Groups Page, page F-58.

Categories

Displays a table of defined category objects. See Categories Page,
page F-87.

Credentials

Displays a table of defined credential objects. See Credentials Page,
page F-88.

IKE Proposals

Displays a table of defined IKE proposal objects. See IKE Proposals
Page, page F-92.

FlexConfigs

Displays a table of defined FlexConfig objects. See FlexConfigs
Objects Page, page P-10.

DNS Class Maps

Displays a table of defined DNS class map objects. See DNS Class
Maps Page, page F-96.

FTP Class Maps

Displays a table of defined FTP class map objects. See FTP Class
Maps Page, page F-109.

HTTP Class Maps

Displays a table of defined HTTP class map objects. See HTTP
Class Maps Page, page F-121.

IM Class Maps

Displays a table of defined IM class map objects. See IM Class
Maps Page, page F-168.

SIP Class Maps

Displays a table of defined SIP class map objects. See SIP Class
Maps Page, page F-184.

DNS Policy Maps

Displays a table of defined DNS map objects. See DNS Maps Page,
page F-203.

FTP Policy Maps

Displays a table of defined FTP map objects. See FTP Maps Page,
page F-228.

GTP Policy Maps

Displays a table of defined GTP map objects. See GTP Maps Page,
page F-243.

HTTP Policy Maps (ASA 7.1.x/PIX 7.1.x/IOS)

Displays a table of defined HTTP map objects for ASA 7.0.x/PIX
7.0.x/IOS devices. See HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM
3.x/IOS) Page, page F-261.

HTTP Policy Maps (ASA 7.2/PIX 7.2)

Displays a table of defined HTTP map objects for ASA 7.2/PIX 7.2
devices. See HTTP Maps (ASA 7.2/PIX 7.2) Page, page F-283.

IM Policy Maps (ASA 7.2/PIX 7.2)

Displays a table of defined IM map objects for ASA 7.2/PIX 7.2.
See IM Maps (ASA 7.2/PIX 7.2) Page, page F-345.

IM Policy Maps (IOS)

Displays a table of defined IM map objects for IOS devices. See IM
Maps (IOS) Page, page F-365.

SIP Policy Maps

Displays a table of defined SIP map objects. See SIP Maps Page,
page F-377.

Regular Expressions

Displays a table of defined regular expressions objects. See Regular
Expressions Page, page F-409.

Regular Expressions Groups

Displays a table of defined regular expressions group objects. See
Regular Expression Groups Page, page F-405.

TCP Maps

Displays a table of defined TCP map objects. See TCP Maps Page,
page F-413.

Interface Roles

Displays a table of defined interface role objects. See Interface
Roles Page, page F-416.

IPsec Transform Sets

Displays a table of defined IPsec transform set objects. See IPsec
Transform Sets Page, page F-422.

Networks/Hosts

Displays a table of defined network/host objects. See
Networks/Hosts Page, page F-431.

PKI Enrollments

Displays a table of defined PKI enrollment objects. See PKI
Enrollments Page, page F-435.

Port Forwarding List

Displays a table of defined port forwarding list objects. See Port
Forwarding List Page, page F-448.

Secure Desktop Configuration

Displays a table of defined secure desktop configuration objects.
See Secure Desktop Configuration Page, page F-453.


Port Lists

Displays a table of defined port list objects. See Port Lists Page,
page F-459.

Service Groups

Displays a table of defined service group objects. See Service
Groups Page, page F-463.

Services

Displays a table of defined service objects. See Services Page,
page F-465.

Single Sign On Servers

Displays a table of defined single sign-on server (SSO) objects. See
Single Sign On Server (SSO) Page, page F-471.

SLA Monitors

Displays a table of defined SLA monitor objects. See SLA Monitors
Page, page F-475.

SSL VPN Customization

Displays a table of defined SSL VPN Customization objects. See
SSL VPN Customization Page, page F-534.

SSL VPN Gateways

Displays a table of defined SSL VPN gateway objects. See
SSL VPN Gateway Page, page F-550.

Style Objects

Displays a table of defined style objects. See Style Objects Page,
page F-479.

Text Objects

Displays a table of defined free-form text objects. See Text Objects
Page, page F-482.

Time Ranges

Displays a table of defined time range objects. See Time Ranges
Page, page F-485.

Traffic Flows

Displays a table of defined traffic flow objects. See Traffic Flows
Page, page F-489.

URL Lists

Displays a table of defined URL List objects. See URL Lists Page,
page F-504.

User Groups

Displays a table of defined user group objects. See User Groups
Objects Page, page F-508.

WINS Server Lists

Displays a table of defined WINS Server List objects. See WINS
Server Lists Page, page F-554.


Policy Object Manager Window - Work Area Buttons


Use the buttons displayed in the work area of the Policy Object Manager window
to perform actions on the objects that are displayed there.
Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools >
Policy Object Manager.
Related Topics

Policy Object Manager Window, page F-3

Object Type Selector, page F-4

Policy Object Manager Window - Shortcut Menu, page F-9

Field Reference
Table F-3

Policy Object Manager Work Area Buttons

Button

Description

New Object

Opens the dialog box for creating an object of the selected type.

Edit Object

Opens the dialog box for editing the selected object. Only user-defined
objects may be edited.

Delete Object

Deletes the selected objects. Only user-defined objects may be deleted.

Close button

Closes the Policy Object Manager window.

Help button

Displays a context-sensitive help topic for the page displayed in the
work area.


Policy Object Manager Window - Shortcut Menu


Right-click anywhere inside the work area of the Policy Object Manager window
to display a shortcut menu for performing various functions on the selected object
type.
Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools >
Policy Object Manager.
Related Topics

Policy Object Manager Window, page F-3

Object Type Selector, page F-4

Policy Object Manager Window - Work Area Buttons, page F-8

Field Reference
Table F-4

Policy Object Manager Window - Shortcut Menu

Menu Command

Description

New Object

Opens the dialog box for creating an object of the selected type.

Edit Object

Opens the dialog box for editing the selected object. Only
user-defined objects may be edited.

Delete Object

Deletes the selected objects. Only user-defined objects may be
deleted.

Edit Device Overrides

Opens the Policy Object Overrides Window, page F-565. From
here, you can create, edit, and delete device-level object overrides.

Create Duplicate

Opens the dialog box for creating a copy of the selected object.
Note: You must enter a name for the new object. Other object
properties can be modified as required.

Find Usage

Opens the Object Usage Window, page F-563, which contains a
usage report about the selected object.

View Object

Opens a read-only dialog box containing the complete definition of
the selected object.


Create Filter Dialog Box - Policy Object Manager


Use the Create Filter dialog box to filter the objects displayed in the Policy Object
Manager, based on the filtering criteria that you define.
Navigation Path

In the Policy Object Manager, select Create Filter from the Filter list displayed
above the objects table in the work area.
Related Topics

Policy Object Manager - Filtering Bar, page 8-7

Policy Object Manager Window, page F-3


Field Reference
Table F-5

Create Filter Dialog Box - Policy Object Manager

Element

Description

Match Any of the Following

When you select this option, an OR relationship is created among the
filtering criteria you define.
For example, if you define the following criteria when filtering
AAA server groups:

Name contains RADIUS

Name contains Local

When you click OK, the filter is defined as:

Name contains RADIUS or Name contains Local

If you select this filter from the Filter list, the objects table displays
all AAA server groups whose name contains either RADIUS or
Local.


Match All of the Following

When you select this option, an AND relationship is created among
the filtering criteria you define.
For example, if you define the following criteria when filtering
interface roles:

Interface Name Pattern contains Ethernet

Description contains West

When you click OK, the filter is defined as:

Interface Name Pattern contains Ethernet and Description
contains West

If you select this filter from the Filter list, the objects table displays
all interface roles whose naming pattern contains Ethernet and
whose description contains the word West.

Filter type (1st dropdown list)

Filters the objects according to one of the columns displayed in the
table. The options available in this list depend on the type of object
you have selected.


Filter operator (2nd dropdown list)

The relationship between the filter type and the filter value:

contains

doesn't contain

is

isn't

begins with

ends with

Filter value (3rd dropdown list)

The full or partial value to include in the filter. Enter a string in this
field.

Filter content area

The filter type, operator, and value that you have selected for each
criterion.

Add button

Adds a criterion to the filter control content area.

Remove button

Removes the selected criterion from the filter control content area.

OK button

Saves your changes and closes the dialog box. The filter is added to
the Filter list.
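An evaluator for the Create Filter criteria in Table F-5, covering the six operators and the Match Any / Match All combination, as an added example rather than the product's own code. Case-insensitive matching, the dictionary representation of objects, and the sample AAA server groups and interface roles are assumptions; the two filters built at the end are the ones the table walks through.

```python
"""Evaluator for Create Filter criteria as described for the Policy Object
Manager filtering bar.

Added example, not Cisco Security Manager code. The operators (contains,
doesn't contain, is, isn't, begins with, ends with) and the Match Any /
Match All semantics come from the text; case-insensitive matching and the
dictionary representation of objects are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Operator name -> predicate on (column value, filter value); both are lowercased first.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda v, f: f in v,
    "doesn't contain": lambda v, f: f not in v,
    "is": lambda v, f: v == f,
    "isn't": lambda v, f: v != f,
    "begins with": lambda v, f: v.startswith(f),
    "ends with": lambda v, f: v.endswith(f),
}


@dataclass(frozen=True)
class Criterion:
    column: str      # filter type (1st dropdown list), e.g. "Name"
    operator: str    # filter operator (2nd dropdown list)
    value: str       # filter value (3rd field)

    def matches(self, obj: Dict[str, str]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator {self.operator!r}")
        column_value = obj.get(self.column, "")   # missing column behaves as empty text
        return OPERATORS[self.operator](column_value.lower(), self.value.lower())


@dataclass(frozen=True)
class Filter:
    criteria: List[Criterion]
    match_all: bool = False   # False = Match Any (OR), True = Match All (AND)

    def matches(self, obj: Dict[str, str]) -> bool:
        combine = all if self.match_all else any
        return combine(c.matches(obj) for c in self.criteria)

    def describe(self) -> str:
        """Render the filter the way the dialog box summarises it after OK."""
        joiner = " and " if self.match_all else " or "
        return joiner.join(f"{c.column} {c.operator} {c.value}" for c in self.criteria)


def apply_filter(flt: Filter, objects: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the objects table rows that the filter would display."""
    return [o for o in objects if flt.matches(o)]


# Constructed sample objects (not real configuration data).
AAA_SERVER_GROUPS = [
    {"Name": "RADIUS-corp", "Protocol": "RADIUS"},
    {"Name": "LocalAuth", "Protocol": "LOCAL"},
    {"Name": "tacacs-admins", "Protocol": "TACACS+"},
]
INTERFACE_ROLES = [
    {"Name": "west-outside", "Interface Name Pattern": "Ethernet0/0", "Description": "West DC outside"},
    {"Name": "east-outside", "Interface Name Pattern": "Ethernet0/0", "Description": "East DC outside"},
    {"Name": "west-mgmt", "Interface Name Pattern": "Serial1", "Description": "West management"},
]

# The two filters worked through in Table F-5.
ANY_FILTER = Filter([Criterion("Name", "contains", "RADIUS"),
                     Criterion("Name", "contains", "Local")], match_all=False)
ALL_FILTER = Filter([Criterion("Interface Name Pattern", "contains", "Ethernet"),
                     Criterion("Description", "contains", "West")], match_all=True)
```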

AAA Server Groups Page


Use the AAA Server Groups page to view, create, edit, copy, and delete AAA
server group objects. When defining a policy that uses a AAA server for
authentication, authorization, or accounting, you select the server by selecting the
server group to which the server belongs.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select AAA Server
Groups from the Object Type selector.
Related Topics

Understanding AAA Server Group Objects, page 8-16

Policy Object Overrides Window, page F-565


Policy Object Manager Window, page F-3

Policy Object Manager User Interface Reference, page F-1

Policy Object Manager WindowShortcut Menu, page F-9

Object Usage Window, page F-563

Field Reference
Table F-6

AAA Server Groups Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the object.

Protocol

The protocol defined for the AAA servers contained in the AAA
server group.

Category

The category that is assigned to the object. See Understanding
Category Objects, page 8-48.

Overridable

Indicates whether the global object definition can be overridden by
object values defined at device level. See Allowing a Global Object
to Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the AAA Server Group Dialog Box, page F-14. From here
you can create a AAA server group object.


Edit Object button

Opens the AAA Server Group Dialog Box, page F-14. From here
you can edit the selected user-defined AAA server group.
Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected AAA server groups from the table.
Note: You cannot delete an object that is referenced by policies or
other objects.

AAA Server Group Dialog Box


Use the AAA Server Group dialog box to create, copy, and edit AAA server
groups.
Navigation Path

Go to the AAA Server Groups Page, page F-12 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating AAA Server Group Objects, page 8-19

Understanding AAA Server Group Objects, page 8-16

AAA Server Dialog Box, page F-20

Policy Object Manager Window, page F-3


Field Reference

Table F-7    AAA Server Group Dialog Box

Name
The object name (up to 16 characters when using this object with firewall devices; up to 128 characters for Cisco IOS routers). Object names are not case-sensitive. Spaces are not supported. For more information, see Guidelines for Managing Objects, page 8-4.
Note: Cisco IOS routers do not support AAA server groups named RADIUS, TACACS, or TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such as rad or tac.
Note: If you define this AAA server group as the RADIUS or TACACS+ default group, any name you define here is automatically replaced in the device configuration by the default name (RADIUS or TACACS+) upon deployment.

Description
Additional information about the object (up to 1024 characters).

Protocol
The protocol used by the AAA servers in the group:
RADIUS
Kerberos
TACACS+
LDAP
NT
SDI
HTTP-FORM


AAA Servers
The AAA servers that comprise the server group. Enter the names of AAA servers or click Select to display an object selector. The selector displays only those AAA servers that match the protocol you selected for the group.
Tip: If the AAA server you want is not listed, click the Create button or the Edit button in the selector to display the AAA Server Dialog Box, page F-20. From here you can define a AAA server object. Bear in mind, however, that the group must include servers that use the protocol you selected.

Make this Group the Default AAA Server Group (IOS)
Applies only to IOS devices.
When selected, designates this AAA server group as the default group for the RADIUS or TACACS+ protocol. Select this check box if you intend to use a single global group for the selected protocol for all policies on a specific device requiring AAA.
When deselected, creates a AAA server group that is not designated as the default group for that protocol. Leave this check box deselected if you intend to create multiple RADIUS or TACACS+ AAA server groups. Multiple groups can be used to separate different AAA functions (for example, use one group for authentication and a different group for authorization) or to separate different customers in a VRF environment.
Note: When you discover an IOS router, any AAA servers in the device configuration that are not members of a AAA server group are placed in special groups created by Security Manager called CSM-rad-grp (for RADIUS) and CSM-tac-grp (for TACACS+). These two groups, which are marked as default AAA server groups in the Policy Object Manager, are created solely to enable Security Manager to manage these servers. During deployment, the AAA servers in these special groups are deployed back to the device as individual servers. For more information, see Default AAA Server Groups and IOS Devices, page 8-18.


Max Failed Attempts (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices.
The number of connection attempts that can fail before an unresponsive AAA server in the group is deactivated. Values range from 1 to 5.

Reactivation Mode (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices.
The method to use when reactivating failed AAA servers in the group:
Depletion: Reactivate failed servers only after all of the servers in the group fail. This is the default.
Timed: Reactivate failed servers after 30 seconds of downtime.
Note: You must use the Timed option when using Simultaneous as the Group Accounting Mode.

Reactivation Deadtime (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices and only when Depletion is the selected reactivation mode.
The number of minutes that should elapse between the deactivation of the last server in the group and the reactivation of all the servers in the group. Values range from 0 to 1440 minutes (24 hours).

Group Accounting Mode (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices using RADIUS or TACACS+.
The method for sending accounting messages to the AAA servers in the group:
Simultaneous: Accounting messages are sent to all servers in the group simultaneously.
Note: If you select this option, you must select Timed as the Reactivation Mode.
Single: Accounting messages are sent to a single server in the group. This is the default.

Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page, page F-87.


Allow Value Override per Device
When selected, allows the global object definition defined here to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be overridden.
Tip: When editing a AAA server group object that can be overridden, click the Edit button to display the Policy Object Overrides Window, page F-565. From here you can create, edit, and view device-level overrides.

OK button
Saves your changes to the server and closes the dialog box.
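The failover settings in Table F-7 (Max Failed Attempts, Reactivation Mode, Reactivation Deadtime, Group Accounting Mode) interact, and the two reactivation modes behave quite differently when a whole group goes down. The following model is an added example, not Cisco Security Manager or ASA code: it validates a group against the documented ranges and the "Simultaneous requires Timed" rule, and simulates a two-server group losing both servers so the Depletion and Timed behaviours can be compared side by side. The class and function names, the simulation clock and the server names are this example's own.

```python
"""Model of the PIX/ASA/FWSM AAA server group settings in Table F-7.

Added example, not Cisco code. It enforces the documented constraints
(Max Failed Attempts 1-5, Reactivation Deadtime 0-1440 minutes, Simultaneous
accounting only with Timed reactivation) and simulates how Depletion and
Timed reactivation differ once every server in the group has failed."""
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30   # Table F-7: Timed reactivates after 30 s of downtime


@dataclass
class AaaServer:
    name: str
    failures: int = 0                        # consecutive failed connection attempts
    active: bool = True
    deactivated_at: Optional[float] = None   # simulation clock (seconds) at deactivation


@dataclass
class AaaServerGroup:
    name: str
    protocol: str                            # accounting mode applies to RADIUS/TACACS+
    servers: List[AaaServer]
    max_failed_attempts: int = 3
    reactivation_mode: str = "Depletion"     # or "Timed"
    reactivation_deadtime_min: int = 10      # used only in Depletion mode
    accounting_mode: str = "Single"          # or "Simultaneous"
    all_failed_at: Optional[float] = None    # when the last active server went down

    def validate(self):
        """Return a list of problems; an empty list means the group is consistent."""
        problems = []
        if not 1 <= self.max_failed_attempts <= 5:
            problems.append("Max Failed Attempts must be 1-5")
        if self.reactivation_mode not in ("Depletion", "Timed"):
            problems.append("Reactivation Mode must be Depletion or Timed")
        if not 0 <= self.reactivation_deadtime_min <= 1440:
            problems.append("Reactivation Deadtime must be 0-1440 minutes")
        if self.accounting_mode == "Simultaneous" and self.reactivation_mode != "Timed":
            problems.append("Simultaneous accounting requires Timed reactivation")
        if self.accounting_mode == "Simultaneous" and self.protocol not in ("RADIUS", "TACACS+"):
            problems.append("Group Accounting Mode applies only to RADIUS or TACACS+")
        return problems

    def active_servers(self):
        return [s for s in self.servers if s.active]

    def accounting_targets(self):
        """Servers that receive one accounting message under the configured mode."""
        active = self.active_servers()
        return active if self.accounting_mode == "Simultaneous" else active[:1]

    def record_failure(self, server, now):
        """One failed connection attempt; deactivate at max_failed_attempts."""
        server.failures += 1
        if server.active and server.failures >= self.max_failed_attempts:
            server.active, server.deactivated_at = False, now
            if not self.active_servers() and self.all_failed_at is None:
                self.all_failed_at = now     # Depletion deadtime starts counting here

    def tick(self, now):
        """Apply the reactivation rule at simulation time `now` (seconds)."""
        if self.reactivation_mode == "Timed":
            for s in self.servers:
                if not s.active and now - s.deactivated_at >= TIMED_REACTIVATION_SECONDS:
                    self._reactivate(s)
        elif self.all_failed_at is not None:
            if now - self.all_failed_at >= self.reactivation_deadtime_min * 60:
                for s in self.servers:       # Depletion: everything comes back at once
                    self._reactivate(s)
                self.all_failed_at = None

    @staticmethod
    def _reactivate(server):
        server.active, server.failures, server.deactivated_at = True, 0, None


def simulate(mode, deadtime_min=1):
    """Constructed scenario: a two-server group in which both servers fail
    three times at t=0. Returns the active servers seen at t=31 s and t=61 s."""
    group = AaaServerGroup("corp-radius", "RADIUS",
                           [AaaServer("srv1"), AaaServer("srv2")],
                           reactivation_mode=mode,
                           reactivation_deadtime_min=deadtime_min)
    for server in group.servers:
        for _ in range(3):
            group.record_failure(server, now=0)
    result = {}
    for t in (31, 61):
        group.tick(t)
        result[t] = [s.name for s in group.active_servers()]
    return result
```

With Timed reactivation both servers are retried 30 seconds after they were marked down; with Depletion and a one-minute deadtime nothing is retried until the full deadtime after the last server failed, which is why the documentation ties Simultaneous accounting (which needs every server reachable) to the Timed mode.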

AAA Servers Page


Use the AAA Servers page to view, create, edit, copy, and delete AAA server
objects. These objects are collected into AAA server group objects.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select AAA Servers
from the Object Type selector.
Related Topics

Understanding AAA Server Objects, page 8-23

AAA Server Groups Page, page F-12

Policy Object Manager Window, page F-3

Policy Object Manager Window - Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563


Field Reference

Table F-8    AAA Servers Page

Filter
Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

[Icon]
The icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified.

Name
The name of the object.

Host
The IP address of the AAA server to which authentication requests will be sent.

Protocol
The protocol defined for the AAA server.

Category
The category that is assigned to the object.

Description
Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description in a popup window.

New Object button
Opens the AAA Server Dialog Box, page F-20. From here you can create a AAA server object.

Edit Object button
Opens the AAA Server Dialog Box, page F-20. From here you can edit the selected AAA server object.
Note: You cannot edit predefined objects.

Delete Object button
Deletes the selected AAA server objects from the table.
Note: You cannot delete an object that is referenced by policies or other objects.


AAA Server Dialog Box


Use the AAA Server dialog box to create, copy, and edit a AAA server object.
Navigation Path

Go to the AAA Servers Page, page F-18 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23

Policy Object Manager Window, page F-3

AAA Server Group Dialog Box, page F-14

Field Reference

Table F-9    AAA Server Dialog Box - General Settings

Name
The object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 8-4.

Description
Additional information about the object (up to 1024 characters).

Host
IP Address: The IP address of the AAA server to which authentication requests will be sent. Enter one or more host addresses or network/host objects, or click Select to display an object selector.
DNS Name (for PIX/ASA devices running 7.2 and above): The DNS hostname of the AAA server. The maximum length is 128 characters. The hostname can contain alphanumeric characters and hyphens, but each element of the hostname must begin and end with an alphanumeric character. Use a period (.) to separate elements.


Interface
The interface whose IP address should be used for all outgoing RADIUS or TACACS packets (known as the source interface). Enter the name of an interface or interface role, or click Select to display an object selector.
If you enter the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name.
If you enter the name of an interface role, make sure the role represents a single interface, not multiple interfaces.
Tip: If the interface role you want is not listed, click the Create button or the Edit button in the selector to display the Interface Role Dialog Box, page F-419. From here you can define an interface role object.
Note: Only one source interface can be defined for the AAA servers in a AAA server group. An error is displayed when you submit your changes if different AAA servers in the group use different source interfaces. See Creating AAA Server Group Objects, page 8-19.

Timeout
The amount of time to wait until the AAA server is considered unresponsive.
Valid values for Cisco IOS routers range from 1 to 1000 seconds. The default is 5 seconds.
Valid values for ASA devices and other firewall devices running PIX 7.0 range from 1 to 60 seconds. The default is 10 seconds.
Valid values for PIX devices running PIX 6.3 range from 1 to 30 seconds. The default is 5 seconds.


Protocol
The protocol used by the AAA server:
RADIUS: See AAA Server Dialog Box - RADIUS Settings, page F-22.
TACACS+: See AAA Server Dialog Box - TACACS+ Settings, page F-25.
Kerberos (ASA devices only): See AAA Server Dialog Box - Kerberos Settings, page F-26.
LDAP (ASA devices only): See AAA Server Dialog Box - LDAP Settings, page F-26.
NT (ASA devices only): See AAA Server Dialog Box - NT Settings, page F-29.
SDI (ASA devices only): See AAA Server Dialog Box - SDI Settings, page F-30.
HTTP-FORM (ASA devices only): See AAA Server Dialog Box - HTTP-FORM Settings, page F-31.
Note: You cannot edit the protocol if the server is defined as part of a AAA server group.

Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page, page F-87.

OK button
Saves your changes to the server and closes the dialog box.
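Three of the General Settings above are validated only at submit time: the DNS Name rule, the platform-specific Timeout range, and the requirement that every server in a group share one source interface. The code below is an added example, not Cisco Security Manager code; it implements those three checks exactly as Table F-9 states them, so the same rules can be applied to server definitions before they reach the Policy Object Manager (for instance when generating objects from inventory). The platform labels (`ios`, `asa_pix7`, `pix63`), the function names and the sample server records are this example's own.

```python
"""Submit-time checks for the AAA Server dialog box General Settings (Table F-9).

Added example, not Cisco code. Implements the DNS Name rule (alphanumerics and
hyphens, each element beginning and ending with an alphanumeric, elements
separated by periods, at most 128 characters), the Timeout ranges per platform,
and the one-source-interface-per-group rule."""
import re

# One hostname element: starts and ends with an alphanumeric, hyphens inside only.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# (minimum, maximum, default) Timeout in seconds, as stated in Table F-9.
# Platform labels are this example's own shorthand.
TIMEOUT_RANGES = {
    "ios": (1, 1000, 5),        # Cisco IOS routers
    "asa_pix7": (1, 60, 10),    # ASA and other firewalls running PIX 7.0
    "pix63": (1, 30, 5),        # PIX devices running PIX 6.3
}


def valid_dns_name(name):
    """True if `name` satisfies the DNS Name rule from Table F-9."""
    if not name or len(name) > 128:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def check_timeout(platform, seconds=None):
    """Return the effective Timeout for the platform (the default when unset),
    or raise ValueError when the value is outside the documented range."""
    low, high, default = TIMEOUT_RANGES[platform]
    if seconds is None:
        return default
    if not low <= seconds <= high:
        raise ValueError(f"timeout {seconds}s outside {low}-{high}s for {platform}")
    return seconds


def source_interface_conflicts(servers):
    """Mimic the submit-time check for a AAA server group. `servers` are dicts
    with 'name' and 'interface' (constructed records). Returns [] when all
    servers use one source interface, otherwise the conflicting names."""
    interfaces = {s.get("interface") or "" for s in servers}
    return sorted(interfaces) if len(interfaces) > 1 else []
```

The regex is the whole of the documented hostname rule; the length check is separate so that an over-long but otherwise well-formed name is rejected for the right reason. `source_interface_conflicts` treats a missing interface as a distinct value, so a group that mixes servers with and without a source interface is also reported.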

AAA Server Dialog Box - RADIUS Settings


Use the RADIUS settings in the AAA Server dialog box to configure a RADIUS
AAA server object.
Navigation Path

Go to the AAA Server Dialog Box, page F-20, then click RADIUS in the Protocol
field.


Related Topics

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23

AAA Server Group Dialog Box, page F-14

Field Reference

Table F-10    AAA Server Dialog Box - RADIUS Settings

Key
The shared secret that is used to encrypt data between the client and AAA server. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). Spaces and special characters are permitted.
The key you define in this field must match the key on the RADIUS server. Enter the key again in the Confirm field.
Note: Spaces are not allowed in keys defined for PIX/ASA/FWSM devices. A key with a space causes activity validation to fail.
Note: You can discover encrypted keys defined on Cisco IOS routers. However, if you make any changes to the key, the key type is changed to clear text.
Note: If you do not define a key, all traffic between the AAA server and its AAA clients is sent unencrypted. A warning message is displayed.

Authentication/Authorization Port
The port on which AAA authentication and authorization are performed. Default is 1645.

Accounting Port
The port on which AAA accounting is performed. Default is 1646.

RADIUS Password (PIX 7.x, ASA/FWSM 3.x)
Applies to PIX 7.x/ASA/FWSM 3.1 and later devices.
The alphanumeric keyword that serves as the password to the RADIUS server (maximum of 128 characters; spaces are not allowed). Enter the password again in the Confirm field.


Retry Interval (PIX 7.x, ASA/FWSM 3.x)
Applies to PIX 7.x/ASA/FWSM 3.1 and later devices.
The interval between attempts to contact the AAA server. Valid values are:
ASA devices: 1 to 10 seconds.
PIX devices: 1 to 5 seconds.

ACL Netmask Convert (PIX 7.x, ASA/FWSM 3.x)
Applies to PIX 7.x/ASA/FWSM 3.1 and later devices.
The method for handling the netmask expressions that are contained in downloadable ACLs received from the RADIUS server:
Standard: The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed. This is the default.
Auto-Detect: The security appliance tries to determine the type of netmask expression used in the downloadable ACL. If it detects a wildcard netmask expression, it converts it to a standard netmask expression.
Wildcard: The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions, which it converts to standard netmask expressions.
Some Cisco products, including Cisco IOS routers, require that downloadable ACLs be configured with wildcards instead of network masks. ASA devices, on the other hand, require that downloadable ACLs be configured with network masks. This feature allows the ASA device to internally convert a wildcard to a netmask. Translation of wildcard netmask expressions means that downloadable ACLs written for Cisco IOS routers can be used by ASA devices without altering the configuration of the ACLs on the RADIUS server.
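The three ACL Netmask Convert modes differ only in what the appliance assumes about the mask it receives, and a mask that is neither a contiguous netmask nor a contiguous wildcard cannot be classified at all. The following is an added example, not ASA or Security Manager code, showing how the three modes treat the same downloadable ACL entry. The classification rule used for Auto-Detect (contiguous ones from the top means netmask, contiguous ones from the bottom means wildcard, all-zeros and all-ones are ambiguous and left alone) is this example's own reading of the documented behaviour, and the `<action> <protocol> <src> <mask> <dst> <mask>` line format is a constructed sample rather than the RADIUS attribute syntax.

```python
"""Wildcard-to-netmask handling for downloadable ACLs (Table F-10, ACL Netmask Convert).

Added example, not Cisco code. The heuristic in mask_kind() is this example's
reading of the Auto-Detect behaviour described in the documentation."""
import ipaddress

MODES = ("standard", "auto-detect", "wildcard")
ALL_ONES = 0xFFFFFFFF


def _to_int(mask):
    return int(ipaddress.IPv4Address(mask))


def _ones_at_top(x):
    """True if x is a run of ones followed by a run of zeros (netmask shape)."""
    low = x ^ ALL_ONES              # complement: zeros on top, ones at the bottom
    return (low & (low + 1)) == 0   # a bottom run of ones is 2**k - 1


def mask_kind(mask):
    """Classify a dotted-quad mask as one of:
    'standard'  - 255.255.255.0 style (contiguous ones from the top)
    'wildcard'  - 0.0.0.255 style (contiguous ones from the bottom)
    'ambiguous' - 0.0.0.0 or 255.255.255.255, valid in either notation
    'invalid'   - non-contiguous, such as 255.0.0.255"""
    v = _to_int(mask)
    if v in (0, ALL_ONES):
        return "ambiguous"
    if _ones_at_top(v):
        return "standard"
    if _ones_at_top(v ^ ALL_ONES):
        return "wildcard"
    return "invalid"


def wildcard_to_netmask(mask):
    """Bitwise complement: 0.0.255.255 becomes 255.255.0.0."""
    return str(ipaddress.IPv4Address(_to_int(mask) ^ ALL_ONES))


def convert_mask(mask, mode):
    """Return the netmask the appliance would use for `mask` under `mode`.

    standard     - no translation at all (the documented default)
    wildcard     - every mask is taken to be a wildcard and complemented
    auto-detect  - wildcards are complemented, netmasks and ambiguous masks
                   pass through, and a non-contiguous mask raises ValueError"""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "standard":
        return mask
    if mode == "wildcard":
        return wildcard_to_netmask(mask)
    kind = mask_kind(mask)
    if kind == "wildcard":
        return wildcard_to_netmask(mask)
    if kind == "invalid":
        raise ValueError(f"{mask} is neither a netmask nor a wildcard")
    return mask


def convert_acl_line(line, mode):
    """Apply convert_mask to both masks of a constructed ACL entry of the form
    '<action> <protocol> <src> <srcmask> <dst> <dstmask>'."""
    tokens = line.split()
    if len(tokens) != 6:
        raise ValueError("expected: action protocol src srcmask dst dstmask")
    tokens[3] = convert_mask(tokens[3], mode)
    tokens[5] = convert_mask(tokens[5], mode)
    return " ".join(tokens)
```

The ambiguous masks are the reason the default stays Standard: 0.0.0.0 is "any network" as a netmask but "exactly this host" as a wildcard, so Auto-Detect cannot resolve it and leaves it untouched, which is only correct if the RADIUS server really sends netmasks. Checking `mask_kind` on a sample of downloaded entries before switching modes shows which convention the server is actually using.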


AAA Server Dialog Box - TACACS+ Settings


Use the TACACS+ settings in the AAA Server dialog box to configure a
TACACS+ AAA server object.
Navigation Path

Go to the AAA Server Dialog Box, page F-20, then click TACACS+ in the
Protocol field.
Related Topics

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23

AAA Server Group Dialog Box, page F-14

Field Reference

Table F-11    AAA Server Dialog Box - TACACS+ Settings

Key
The shared secret that is used to encrypt data between the client and the AAA server. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). Spaces and special characters are permitted.
The key you define in this field must match the key on the TACACS+ server. Enter the key again in the Confirm field.
Note: Activity validation fails if you try defining a key with a space on a PIX/ASA/FWSM device.
Note: You can discover encrypted keys defined on Cisco IOS routers. However, if you make any changes to the key, the key type is changed to clear text.
Note: If you do not define a key, all traffic between the AAA server and its AAA clients is sent unencrypted. A warning message is displayed.

Server Port
The port used for communicating with the AAA server. The default is 49.
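Both the RADIUS Key (Table F-10) and the TACACS+ Key (Table F-11) are described as the shared secret that protects traffic between the device and the AAA server, and both tables warn that without a key the traffic goes out unprotected. To make concrete what the secret actually does on the wire, the following added example (not Cisco code) implements the two transforms the secret feeds: RADIUS User-Password hiding from RFC 2865 section 5.2, and the TACACS+ body obfuscation that XORs the packet body with an MD5-derived pseudo-pad built from the session id, key, version and sequence number. The secret, authenticator, session id and password values are constructed samples.

```python
"""What the shared secret ("Key") does for RADIUS and TACACS+ traffic.

Added example, not Cisco code. Shows the two secret-keyed transforms:
RFC 2865 5.2 User-Password hiding, and the TACACS+ pseudo-pad obfuscation.
With an empty key both transforms depend only on values carried in the packet
itself, which is the practical meaning of "sent unencrypted" in the tables."""
import hashlib


def radius_hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then
    c_1 = p_1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    pwd = password.encode()
    pwd += b"\x00" * (-len(pwd) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(pwd), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(pwd[i:i + 16], b))
        out += chunk
        prev = chunk                      # chaining: next block keyed on this ciphertext
    return bytes(out)


def radius_reveal_password(hidden, secret, request_authenticator):
    """Server-side inverse of radius_hide_password; NUL padding is stripped."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00").decode()


def tacacs_pad(session_id, key, version, seq_no, length):
    """TACACS+ pseudo-pad: MD5(session_id + key + version + seq_no), then
    MD5(session_id + key + version + seq_no + previous_digest), concatenated
    until `length` bytes exist. session_id is a 32-bit integer."""
    header = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the packet body with the pseudo-pad. XOR is its own inverse, so the
    same call with the same parameters recovers the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def roundtrip_demo():
    """Constructed values only; returns True when both transforms invert cleanly."""
    ra = bytes(range(16))                                   # constructed Request Authenticator
    hidden = radius_hide_password("s3cret-pass", b"shared-key", ra)
    body = b"\x01\x00\x01\x01\x00\x00\x00\x00admin"          # constructed authen START body
    obfuscated = tacacs_obfuscate(body, 0x1234ABCD, b"tac-key")
    return (radius_reveal_password(hidden, b"shared-key", ra) == "s3cret-pass"
            and tacacs_obfuscate(obfuscated, 0x1234ABCD, b"tac-key") == body)
```

Neither transform authenticates the client by itself; RADIUS relies on the Response Authenticator and TACACS+ on the key being unknown to third parties, which is why both tables treat the key as mandatory in practice and why a mismatch between the device and the server simply produces undecodable passwords rather than an explicit error.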


AAA Server Dialog Box - Kerberos Settings


Use the Kerberos settings in the AAA Server dialog box to configure a Kerberos
AAA server object.

Note

This type of AAA server can be configured only on ASA security appliances.
Navigation Path

Go to the AAA Server Dialog Box, page F-20, then click Kerberos in the
Protocol field.
Related Topics

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23

AAA Server Group Dialog Box, page F-14

Field Reference

Table F-12    AAA Server Dialog Box - Kerberos Settings

Server Port
The port used for communicating with the AAA server. Default is 88.

Kerberos Realm Name
The name of the realm containing the Kerberos authentication server and ticket granting server (maximum of 64 characters).

Retry Interval
The interval between attempts to contact the AAA server. Valid values range from 1 to 10 seconds.

AAA Server Dialog Box - LDAP Settings


Use the LDAP settings in the AAA Server dialog box to configure an LDAP AAA server object.

Note

This type of AAA server can be configured only on ASA security appliances.


Navigation Path

Go to the AAA Server Dialog Box, page F-20, then click LDAP in the Protocol
field.
Related Topics

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23

AAA Server Group Dialog Box, page F-14

Field Reference

Table F-13    AAA Server Dialog Box - LDAP Settings

Enable LDAP over SSL
When selected, establishes a secure SSL connection between the ASA device and the LDAP server.
When deselected, SSL is not used for communications between the ASA device and the LDAP server.
Note: You must select this option when using a Microsoft Active Directory LDAP server in order to enable password management.

Server Port
The port used for communicating with the AAA server. Default is 389.

LDAP Hierarchy Location
The base distinguished name (DN), which is the location in the LDAP hierarchy where the authentication server should begin searching when it receives an authorization request. For example, OU=Cisco. The maximum length is 128 characters.
The string is case-sensitive. Spaces are not permitted, but other special characters are allowed.

LDAP Scope
The scope of LDAP searches:
onelevel: Searches only one level beneath the base DN. This type of search scope is faster than a subtree search, because it is less comprehensive. This is the default.
subtree: Searches all levels beneath the base DN.


LDAP Distinguished Name
The DN and password that uniquely identify this ASA device in the LDAP schema (maximum of 128 characters). The DN is similar to a unique key in a database or a fully qualified path for a file.
Note: These parameters are used only when the LDAP server requires them for authentication.

LDAP Login Directory
The name of the directory object in the LDAP hierarchy used for authenticated binding (maximum of 128 characters). Authenticated binding is required by some LDAP servers (including the Microsoft Active Directory server) before other LDAP operations can be performed.
This string is case-sensitive. Spaces are not permitted in the string, but other special characters are allowed.

LDAP Login Password
The case-sensitive, alphanumeric password for accessing the LDAP server (maximum of 64 characters). Spaces are not allowed.

SASL MD5 Authentication
Establishes a Simple Authentication and Security Layer (SASL) mechanism to authenticate an LDAP client (the ASA device) with an LDAP server.
When selected, the ASA device sends the LDAP server an MD5 value computed from the username and password.
When deselected, the MD5 authentication option is not used.

SASL Kerberos Authentication
Establishes an SASL mechanism to authenticate an LDAP client (the ASA device) to an LDAP server.
When selected, the ASA device sends the LDAP server the username and realm using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos mechanism. This mechanism is stronger than the MD5 mechanism.
When deselected, the Kerberos authentication option is not used.
Note: You can define one or both SASL authentication mechanisms. When negotiating SASL authentication, the ASA device retrieves the list of SASL mechanisms configured on the LDAP server and selects the strongest mechanism configured on both devices.


Kerberos Server Group
Applies only when SASL Kerberos authentication is enabled.
The name of the Kerberos AAA server group used for SASL authentication. The maximum length is 16 characters.

LDAP Server Type
The type of LDAP server used for AAA:
Auto-Detect: The ASA device tries to determine the server type automatically. This is the default.
Microsoft: The LDAP server is a Microsoft Active Directory server.
Sun: The LDAP server is a Sun Microsystems JAVA System Directory Server.
Note: You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

LDAP Attribute Map
The LDAP attribute configuration to bind to the LDAP server. Enter the name of an LDAP attribute map or click Select to display an object selector.
LDAP attribute maps take the attribute names that you define and map them to Cisco-defined attributes. For more information, see Understanding LDAP Attribute Map Objects, page 8-124.
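The LDAP Hierarchy Location (base DN) and LDAP Scope settings in Table F-13 decide how much of the directory the ASA searches for each authorization request. The following added example, which is not Cisco code, runs a onelevel and a subtree search over a small constructed directory so the difference is visible in the returned entries. DN comparison here normalises case and surrounding whitespace as a simplification of LDAP matching rules, and escaped commas in RDN values are not handled.

```python
"""onelevel versus subtree search beneath a base DN (Table F-13, LDAP Scope).

Added example, not Cisco code. The directory entries are constructed, and each
entry is represented only by its DN."""

# Constructed directory information tree, one DN per entry.
DIRECTORY = [
    "OU=Cisco",
    "OU=VPN,OU=Cisco",
    "CN=alice,OU=VPN,OU=Cisco",
    "OU=Contractors,OU=VPN,OU=Cisco",
    "CN=bob,OU=Contractors,OU=VPN,OU=Cisco",
    "CN=carol,OU=Cisco",
    "CN=dave,OU=Other",
]


def dn_components(dn):
    """Split a DN into its RDNs, most specific first, normalised for comparison.
    Simplification: case-insensitive, no support for escaped commas."""
    return [c.strip().lower() for c in dn.split(",")]


def search(base_dn, scope, directory=DIRECTORY):
    """Return the DNs beneath base_dn for scope 'onelevel' or 'subtree'.
    The base entry itself is not returned, matching the description in
    Table F-13 of searching *beneath* the base DN."""
    if scope not in ("onelevel", "subtree"):
        raise ValueError("scope must be onelevel or subtree")
    base = dn_components(base_dn)
    hits = []
    for dn in directory:
        parts = dn_components(dn)
        depth = len(parts) - len(base)            # levels below the base DN
        if depth <= 0 or parts[-len(base):] != base:
            continue                              # not beneath the base at all
        if scope == "subtree" or depth == 1:
            hits.append(dn)
    return hits


def search_cost(base_dn, scope, directory=DIRECTORY):
    """Number of entries a search would have to consider, which is the
    'faster because less comprehensive' point Table F-13 makes about onelevel."""
    return len(search(base_dn, scope, directory))
```

Choosing the base DN as narrowly as the user population allows, together with onelevel where the users sit directly under it, keeps each authorization request cheap and keeps the bind identity (LDAP Login Directory and LDAP Login Password above) from needing read access to more of the directory than it uses.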

AAA Server Dialog Box - NT Settings


Use the NT settings in the AAA Server dialog box to configure an NT AAA server
object.

Note

This type of AAA server can be configured only on ASA security appliances.
Navigation Path

Go to the AAA Server Dialog Box, page F-20, then click NT in the Protocol field.
Related Topics

Creating AAA Server Objects, page 8-29


Understanding AAA Server Objects, page 8-23

AAA Server Group Dialog Box, page F-14

Field Reference

Table F-14    AAA Server Dialog Box - NT Settings

Server Port
The port used for communicating with the AAA server. The default is 139.

NT Authentication Host
The hostname of the authentication domain controller (maximum of 16 characters).

AAA Server Dialog Box - SDI Settings


Use the SDI settings in the AAA Server dialog box to configure an SDI AAA
server object.

Note

This type of AAA server can be configured only on ASA security appliances.
Navigation Path

Go to the AAA Server Dialog Box, page F-20, then click SDI in the Protocol
field.
Related Topics

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23

AAA Server Group Dialog Box, page F-14


Field Reference

Table F-15    AAA Server Dialog Box - SDI Settings

Server Port
The port used for communicating with the AAA server. The default is 5500.

Retry Interval
The interval between attempts to contact the AAA server. Valid values range from 1 to 10 seconds. The default is 10 seconds.

SDI Server Version
The SDI server version:
SDI-pre-5 (all SDI versions before version 5.0; this is the default)
SDI-5 (SDI version 5.0)

SDI pre-5 Slave Server
Applies only when using a version of SDI prior to version 5.0.
A secondary server to be used for authentication if the primary server fails. Enter an IP address or the name of a network/host object, or click Select to display a selector.

AAA Server Dialog Box - HTTP-FORM Settings


Use the HTTP-FORM settings in the AAA Server dialog box to configure an
HTTP-Form AAA server object for single sign-on authentication (SSO).

Note

This type of AAA server can be configured only on ASA security appliances.
Navigation Path

Go to the AAA Server Dialog Box, page F-20, then click HTTP-FORM in the
Protocol field.
Related Topics

Creating AAA Server Objects, page 8-29

Understanding AAA Server Objects, page 8-23

AAA Server Group Dialog Box, page F-14


Field Reference

Table F-16    AAA Server Dialog Box - HTTP-Form Settings

Start URL
The URL from which the WebVPN server of the security appliance should retrieve an optional pre-login cookie. The maximum URL length is 1024 characters.
The authenticating web server may execute a pre-login sequence by sending a Set-Cookie header along with the login page content. The URL in this field defines the location from which the cookie is retrieved.
Note: The actual login sequence starts after the pre-login cookie sequence.

Action URI
The Uniform Resource Identifier (URI) that defines the location and name of the authentication program on the web server to which the security appliance sends HTTP POST requests for single sign-on (SSO) authentication.
The maximum length of the action URI is 2048 characters.
Tip: You can discover the action URI on the authenticating web server by connecting to the web server's login page directly with a browser. The URL of the login web page displayed in your browser is the action URI for the authenticating web server.

Username Parameter
The name of the username parameter included in HTTP POST requests for SSO authentication. The maximum length is 128 characters.
Note: At login, the user enters the actual name value, which is entered into the HTTP POST request and passed on to the authenticating web server.

Password Parameter
The name of the password parameter included in HTTP POST requests for SSO authentication. The maximum length is 128 characters.
Note: At login, the user enters the actual password value, which is entered into the HTTP POST request and passed on to the authenticating web server.


Hidden Values
The hidden parameters included in HTTP POST requests for SSO authentication. They are referred to as hidden parameters because, unlike the username and password, they are not visible to the user. The maximum length of the hidden parameters is 2048 characters.
Tip: You can discover the hidden parameters that the authenticating web server expects in POST requests by using an HTTP header analyzer on a form received from the web server.

Authentication Cookie Name
The name of the authentication cookie used for SSO by the security appliance. The maximum length is 128 characters.
If SSO authentication succeeds, the authenticating web server passes this authentication cookie to the client browser. The client browser then authenticates to other web servers in the SSO domain by presenting this cookie.

Access Control Lists Page


Use the Access Control Lists page to define extended, standard, and web Access
Control List objects. You can designate ACL objects as entries within other ACL
objects. From this page, you can add, edit, and delete objects. You can also
generate usage reports of policies that use the object.
Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from
the Object Type selector.
Related Topics

Understanding Access Control List Objects, page 8-31

Creating Access Control List Objects, page 8-36

Understanding the Policy Object Manager Window, page 8-5


Policy Object Manager Window - Shortcut Menu, page F-9

Object Usage Window, page F-563

Field Reference

Table F-17    Access Control Lists Page

Extended IP ACL tab
Enables you to configure settings for extended ACL objects. For a description of the GUI elements, see Table F-18.

Standard IP ACL tab
Enables you to configure settings for standard ACL objects. For a description of the GUI elements, see Table F-21.

Web ACL tab
Enables you to configure settings for web ACL objects. For a description of the GUI elements, see Table F-24.

Filter
Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

New Object button
Enables you to create an object. See Creating Access Control List Objects, page 8-36.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object used in a rule or within another object cannot be deleted.

Extended Tab
Use the Extended tab to define an extended ACL object. From this page, you can
add, edit, and delete objects. You can also generate usage reports of policies that
use the object. After a configuration is generated for the device, the access-list
extended command is used.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from
the Object Type selector.

Note

The Extended tab opens by default the first time the Access Control Lists page is
accessed. Subsequent visits to the page display the last opened tab.
Related Topics

Understanding Access Control List Objects, page 8-31

Creating Extended Access Control List Objects, page 8-36

Field Reference

Table F-18    Extended Tab

Filter
Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

Name
Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name.
You can click the arrow to expand or collapse the contents of the ACL object.

Permit
Shows whether rules permit or deny traffic based on the conditions set.
Permit: Shown as a green checkmark.
Deny: Shown as a red circle with slash.

Source
Identifies the source network/host object names or host addresses. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-127.

Destination
Identifies the destination network/host object names or host addresses. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-127.

Service
Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas. See Understanding Service Objects, page 8-159.
User Guide for Cisco Security Manager 3.1

OL-11501-03

F-35

Appendix F

Policy Object Manager User Interface Reference

Access Control Lists Page

Table F-18

Extended Tab (continued)

Element

Description

Category

Provides an intermediate level of detail to objects and helps you readily


identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note

Description

No commands are generated for the category attribute.

Displays an icon if a description is defined for the object. Point at the icon
to display a tooltip with the text of the description. Descriptions help you
identify a policy.
Tip

Double-click the icon to display the text of the description in a


popup window.

New Object button

Enables you to create an object. See Creating Extended Access Control List
Objects, page 8-36.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or


nested within another object, you are prompted to modify or delete the
reference before the deletion can occur. See Deleting Objects, page 8-11.
Note

An object used in a rule or within another object cannot be deleted.

Add and Edit Extended Access List Pages

Use the Add and Edit Extended Access List pages to define the ACEs of an extended ACL object. From this page, you can change the order of the ACEs and nested ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects. Because the device evaluates the entries in order and applies the first match, the position of an entry determines which rule a packet hits.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Related Topics

Understanding Access Control List Objects, page 8-31
Creating Extended Access Control List Objects, page 8-36


Field Reference

Table F-19  Add and Edit Extended Access List Pages

Element (1)
Description

Name*
Identifies the name of the ACL object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 128 characters.

Description
Enables you to enter a description to help you identify the object. Maximum length is 1024 characters.

Name
Identifies the name of an included ACL object.

Permit
Shows whether each entry permits or denies the traffic that matches its conditions.
Permit: shown as a green checkmark.
Deny: shown as a red circle with a slash.

Source
Identifies the source network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:
a.b.c.d, where a, b, c, d = 0–255 (host).
a.b.c.d/e, where a, b, c, d = 0–255 and e = 1–32 (subnet).
a.b.c.d-e.f.g.h, where a, b, c, d, e, f, g, h = 0–255 (range).
a.b.c.d/e, where e is a subnet mask in x.x.x.x format.*
Freeform text that is the name of a network object.
* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. For more information, see Understanding Network/Host Objects, page 8-127.

Destination
Identifies the destination network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. The accepted formats are the same as for Source.
Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. For more information, see Understanding Network/Host Objects, page 8-127.

Service
Identifies the service objects that specify the service type of the traffic. Multiple entries are separated by commas.
Enter the service objects in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
The following formats are supported:
TCP or UDP / destination port or port range (for example, TCP / 80).
TCP or UDP / source port or port range / destination port or port range (for example, TCP / 1024–65535 / 80).
ICMP / ICMP message (for example, ICMP / echo-reply, ICMP / 200).
Freeform text that is the name of a service object.
For more information, see Understanding Service Objects, page 8-159.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Description
Enables you to enter a description to help you identify the entry. Maximum length is 1024 characters.

New Object button
Enables you to create an object. See Creating Extended Access Control List Objects, page 8-36.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete the selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object that is still used in a rule or within another object cannot be deleted.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

OK button
Saves your changes to the server and closes the page.

1. An asterisk (*) indicates that the field is required.

Add and Edit Extended Access Control Entry Dialog Boxes

Use the Add or Edit Extended Access Control Entry dialog box to add or edit an ACE, or to add an existing ACL object as an entry of the ACL object being defined.

Note: The same dialog box is used for adding and editing access control entries.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit Extended Access List page appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

Understanding Access Control List Objects, page 8-31
Creating Extended Access Control List Objects, page 8-36

Field Reference

Table F-20  Add and Edit Extended Access Control Entry Dialog Boxes

Element (1)
Description

Type
Access Control Entry: identifies the entry as an ACE.
ACL Object(s): identifies the entry as an ACL object.
Note: The fields shown in the dialog box vary according to your selection.

Access Control Entry (ACE) Type

Action
Describes what should occur when traffic matches the conditions set.
Permit: allows the traffic.
Deny: denies the traffic.
Note: The security appliance denies all packets on the originating interface unless you specifically permit access; traffic that matches no entry is dropped by the implicit deny at the end of the list.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Source*
Identifies the source network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:
a.b.c.d, where a, b, c, d = 0–255 (host).
a.b.c.d/e, where a, b, c, d = 0–255 and e = 1–32 (subnet).
a.b.c.d-e.f.g.h, where a, b, c, d, e, f, g, h = 0–255 (range).
a.b.c.d/e, where e is a subnet mask in x.x.x.x format.*
Freeform text that is the name of a network object.
* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. For more information, see Understanding Network/Host Objects, page 8-127.

Destination*
Identifies the destination network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. The accepted formats are the same as for Source.
Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. For more information, see Understanding Network/Host Objects, page 8-127.

Service*
Identifies the service objects that specify the service type of the traffic. Multiple entries are separated by commas.
Enter the service objects in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
The following formats are supported:
TCP or UDP / destination port or port range (for example, TCP / 80).
TCP or UDP / source port or port range / destination port or port range (for example, TCP / 1024–65535 / 80).
ICMP / ICMP message (for example, ICMP / echo-reply, ICMP / 200).
Freeform text that is the name of a service object.
For more information, see Understanding Service Objects, page 8-159.

Description
(Optional) Enables you to enter a description to help you identify the entry. Maximum length is 1024 characters.

ACL Object(s) Entry Type

Available Access Control Lists
Displays the ACL objects that are defined.

Filter
Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

Add >> button
Adds the selected ACL objects to the Selected Access Control Lists column.

Remove << button
Removes the selected ACL objects from the Selected Access Control Lists column.

Selected Access Control Lists
Displays the ACL objects that are selected.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk (*) indicates that the field is required.
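The following is an added example, not Security Manager code, that validates the Source, Destination and Service formats listed in Table F-19 and Table F-20 (the same address formats are listed again for the standard and web ACL pages), applies the object-name rule from Table F-19, and renders a validated entry in the form that the access-list extended command takes on an ASA. The rendering, the helper names and the ASA syntax are assumptions for illustration; the page does not show the text that Security Manager actually generates.

```python
"""Validator for the field formats accepted by the Add and Edit Extended
Access List page (Table F-19) and the Add and Edit Extended Access Control
Entry dialog box (Table F-20): ACL object names, Source/Destination tokens
and Service tokens.  Added example, not Security Manager code.  render_ace()
assumes the ASA form of an extended ACE ('access-list NAME extended permit
tcp host A B MASK eq 80'); the text Security Manager generates is not shown."""
import ipaddress
import re

DOTTED = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_RE = re.compile(rf"^{DOTTED}$")
PREFIX_RE = re.compile(rf"^({DOTTED})/(\d{{1,2}})$")
MASK_RE = re.compile(rf"^({DOTTED})/({DOTTED})$")
RANGE_RE = re.compile(rf"^({DOTTED})-({DOTTED})$")
# Name rule from Table F-19: a letter first, then letters, digits, spaces,
# '-', '_', '.' or '+'; at most 128 characters (names are case-insensitive).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 _.+-]{0,127}$")


def valid_acl_name(name):
    return bool(NAME_RE.match(name))


def parse_address(text):
    """One Source/Destination token -> (kind, value).  Octets, prefix
    lengths and masks outside the documented ranges raise ValueError."""
    text = text.strip()
    if m := RANGE_RE.match(text):
        lo, hi = (ipaddress.IPv4Address(g) for g in m.groups())
        if lo > hi:
            raise ValueError(f"range start is above its end: {text}")
        return "range", (str(lo), str(hi))
    if m := PREFIX_RE.match(text):
        if not 1 <= int(m[2]) <= 32:
            raise ValueError(f"prefix length must be 1-32: {text}")
        return "subnet", str(ipaddress.IPv4Network((m[1], int(m[2])), strict=False))
    if m := MASK_RE.match(text):
        # ipaddress accepts a contiguous netmask (or its hostmask form) and
        # rejects a discontiguous mask such as 255.0.255.0 with ValueError.
        return "subnet", str(ipaddress.IPv4Network((m[1], m[2]), strict=False))
    if HOST_RE.match(text):
        return "host", str(ipaddress.IPv4Address(text))
    if valid_acl_name(text):
        return "object", text
    raise ValueError(f"not an address or a network/host object name: {text!r}")


def parse_ports(spec):
    """'80' or '1024-65535' -> (low, high), both within 0-65535."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi


def parse_service(text):
    """One Service token -> dict.  Forms: TCP/80, UDP/1024-65535/53,
    ICMP/echo-reply, ICMP/200, or the name of a service object."""
    parts = [p.strip() for p in text.split("/")]
    proto = parts[0].upper()
    if proto in ("TCP", "UDP") and len(parts) in (2, 3):
        ranges = [parse_ports(p) for p in parts[1:]]
        src = ranges[0] if len(ranges) == 2 else None
        return {"proto": proto.lower(), "src": src, "dst": ranges[-1]}
    if proto == "ICMP" and len(parts) == 2:
        msg = parts[1]
        if msg.isdigit() and not 0 <= int(msg) <= 255:
            raise ValueError(f"ICMP type must be 0-255: {text}")
        return {"proto": "icmp", "type": int(msg) if msg.isdigit() else msg}
    if len(parts) == 1 and valid_acl_name(parts[0]):
        return {"object": parts[0]}
    raise ValueError(f"not a service or a service object name: {text!r}")


def parse_list(field, parser):
    """Comma-separated field value -> list of parsed entries."""
    tokens = [t.strip() for t in field.split(",")]
    if not all(tokens):
        raise ValueError(f"empty entry in {field!r}")
    return [parser(t) for t in tokens]


def _asa_addr(kind, value):
    if kind == "host":
        return f"host {value}"
    if kind == "subnet":
        net = ipaddress.IPv4Network(value)
        return f"{net.network_address} {net.netmask}"
    raise ValueError(f"{kind} entries need their object definition; not rendered here")


def _asa_ports(rng):
    if rng is None:
        return ""
    return f" eq {rng[0]}" if rng[0] == rng[1] else f" range {rng[0]} {rng[1]}"


def render_ace(acl, action, source, destination, service):
    """Assumed ASA rendering of one ACE built from the dialog's field values."""
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action}")
    svc = parse_service(service)
    if "object" in svc:
        raise ValueError("service objects need their definition; not rendered here")
    src = _asa_addr(*parse_address(source))
    dst = _asa_addr(*parse_address(destination))
    if svc["proto"] == "icmp":
        return f"access-list {acl} extended {action} icmp {src} {dst} {svc['type']}"
    return (f"access-list {acl} extended {action} {svc['proto']} "
            f"{src}{_asa_ports(svc['src'])} {dst}{_asa_ports(svc['dst'])}")
```

The checks mirror what the page lists and nothing more: a /0 prefix, an octet above 255, a range whose start is above its end, a name that begins with a digit, or a discontiguous dotted mask are all rejected, the last being the case the guide refers to Contiguous and Discontiguous Network Masks for. Ranges and object names validate but are not rendered, because expanding them needs the object definitions that live elsewhere in the Policy Object Manager.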

Standard Tab

Use the Standard tab to define standard ACL objects. From this page, you can add, edit, and delete objects. You can also generate usage reports of the policies that use an object. When a configuration is generated for the device, a standard ACL object is deployed with the access-list standard command, which is entered in global configuration mode. A standard ACL matches on source address only; use an extended ACL when the destination or the service must also be matched.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab.

Note: The Extended tab opens by default the first time the Access Control Lists page is accessed. Subsequent visits to the page display the last opened tab.


Related Topics

Understanding Access Control List Objects, page 8-31
Creating Access Control List Objects, page 8-36
Understanding the Policy Object Manager Window, page 8-5
Policy Object Manager Window Shortcut Menu, page F-9
Object Usage Window, page F-563

Field Reference

Table F-21  Standard ACL Tab

Element
Description

Filter
Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

Name
Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name. Click the arrow to expand or collapse the contents of the ACL object.

Permit
Shows whether each entry permits or denies the traffic that matches its conditions.
Permit: shown as a green checkmark.
Deny: shown as a red circle with a slash.

Source
Identifies the source network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-127.

Options
Displays whether logging is turned on for the entry.
Enabled: LOG
Disabled: blank

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Description
Enables you to enter a description to help you identify the entry. Maximum length is 1024 characters.

New Object button
Enables you to create an object. See Creating Standard Access Control List Objects, page 8-39.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete the selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object that is still used in a rule or within another object cannot be deleted.

Add and Edit Standard Access List Pages

Use the Add and Edit Standard Access List pages to define the ACEs of a standard ACL object. From this page, you can change the order of the ACEs and nested ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.

Note: The same page is used for adding and editing standard access lists.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Related Topics

Understanding Access Control List Objects, page 8-31
Creating Standard Access Control List Objects, page 8-39


Field Reference

Table F-22  Add and Edit Standard Access List Pages

Element (1)
Description

Name*
Identifies the name of the ACL object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). A maximum of 128 characters is allowed.

Description
Enables you to enter a description to help you identify the object. A maximum of 1024 characters is allowed.

Name
Identifies the name of the access control entry.

Permit
Shows whether each entry permits or denies the traffic that matches its conditions.
Permit: shown as a green checkmark.
Deny: shown as a red circle with a slash.

Source*
Identifies the source network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:
a.b.c.d, where a, b, c, d = 0–255 (host).
a.b.c.d/e, where a, b, c, d = 0–255 and e = 1–32 (subnet).
a.b.c.d-e.f.g.h, where a, b, c, d, e, f, g, h = 0–255 (range).
a.b.c.d/e, where e is a subnet mask in x.x.x.x format.*
Freeform text that is the name of a network object.
* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. For more information, see Understanding Network/Host Objects, page 8-127.

Options
Displays whether logging is turned on for the entry.
Enabled: LOG
Disabled: blank

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Description
Enables you to enter a description to help you identify the entry. Maximum length is 1024 characters.

New Object button
Enables you to create an object. See Creating Standard Access Control List Objects, page 8-39.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete the selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object that is still used in a rule or within another object cannot be deleted.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

1. An asterisk (*) indicates that the field is required.

Add and Edit Standard Access Control Entry Dialog Boxes

Use the Add and Edit Standard Access Control Entry dialog boxes to add or edit an ACE, or to add an existing ACL object as an entry of the ACL object being defined.

Note: The same dialog box is used for adding and editing standard access control entries.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit Standard Access List page appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

Creating Standard Access Control List Objects, page 8-39
Understanding Access Control List Objects, page 8-31

Field Reference

Table F-23  Add and Edit Standard Access Control Entry Dialog Boxes

Element (1)
Description

Type
Access Control Entry: identifies the entry added as an ACE.
ACL Object(s): identifies the entry added as an ACL object.
Note: The fields shown in the dialog box vary according to your selection.

Access Control Entry (ACE) Type

Action
Describes what should occur when traffic matches the conditions set.
Permit: allows the traffic.
Deny: denies the traffic.
Note: The security appliance denies all packets on the originating interface unless you specifically permit access; traffic that matches no entry is dropped by the implicit deny at the end of the list.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Source*
Identifies the source network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:
a.b.c.d, where a, b, c, d = 0–255 (host).
a.b.c.d/e, where a, b, c, d = 0–255 and e = 1–32 (subnet).
a.b.c.d-e.f.g.h, where a, b, c, d, e, f, g, h = 0–255 (range).
a.b.c.d/e, where e is a subnet mask in x.x.x.x format.*
Freeform text that is the name of a network object.
* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. For more information, see Understanding Network/Host Objects, page 8-127.

Description
Enables you to enter a description to help you identify an object or rule. Maximum length is 1024 characters.

Log option
Yes
No
Note: Without the log keyword, ACL logging generates syslog message 106023 for each denied packet; a deny ACE must exist for denied packets to be logged.
Note: When the optional log keyword is specified, matches to the entry are reported with syslog message 106100, whose default severity level is 6 (informational).

Access Control List (ACL) Entry Type

Available Access Control Lists
Displays the ACL objects that are defined.

Filter
Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

Add >> button
Adds the selected ACL objects to the Selected Access Control Lists column.

Remove << button
Removes the selected ACL objects from the Selected Access Control Lists column.

Selected Access Control Lists
Displays the ACL objects that are selected.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk (*) indicates that the field is required.
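The Log option note above names two syslog messages, 106023 and 106100. As an added example that is not part of this user guide, the following parser reads both formats from constructed sample lines (the layouts follow the ASA system message reference; the addresses, the ACL name outside_in and the hash values are invented for the example), normalises them into one record shape, and flags sources that were denied on several distinct ports. The hit-cnt in a 106100 line is a count over the logging interval, so it is summed rather than treated as one packet.

```python
"""Parser for the two ASA syslog messages named in the Log option note:
106023 (a packet denied by an ACE that has no log keyword) and 106100
(per-flow hit count for an ACE configured with the log keyword).  Added
example, not part of the user guide.  The sample lines below are constructed
for the example; their layout follows the ASA system message reference."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
<164>%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.10/22 by access-group "outside_in" [0x0, 0x0]
<164>%ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.10/23 by access-group "outside_in" [0x0, 0x0]
<164>%ASA-4-106023: Deny udp src outside:203.0.113.5/51236 dst inside:10.0.0.10/161 by access-group "outside_in" [0x0, 0x0]
<166>%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(51240) -> inside/10.0.0.10(3389) hit-cnt 3 300-second interval [0x7b4d2c1a, 0x0]
<166>%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.7(40001) -> inside/10.0.0.10(443) hit-cnt 1 first hit [0x2e3f0b9c, 0x0]
<164>%ASA-4-106023: Deny icmp src outside:198.51.100.9/0 dst inside:10.0.0.10/0 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
"""

RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r" dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
    r' by access-group "(?P<acl>[^"]+)"')
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed)"
    r" (?P<proto>\w+) (?P<sif>[\w-]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r" -> (?P<dif>[\w-]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<count>\d+)")


def parse_acl_log(text):
    """Return one record per recognised line; other lines are skipped.
    Each record has msg, acl, action, proto, sif/src/sport, dif/dst/dport,
    count (1 for 106023, hit-cnt for 106100) and itype/icode for ICMP."""
    records = []
    for line in text.splitlines():
        if m := RE_106023.search(line):
            rec = m.groupdict()
            rec.update(msg="106023", action="denied", count=1)
        elif m := RE_106100.search(line):
            rec = m.groupdict()
            rec.update(msg="106100", itype=None, icode=None)
        else:
            continue
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


def denied_ports_by_source(records):
    """Map each source address to the (proto, port) pairs it was denied on.
    ICMP is skipped: its 'ports' are always 0 in these messages."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "denied" and r["proto"] != "icmp":
            seen[r["src"]].add((r["proto"], r["dport"]))
    return seen


def suspected_scanners(records, min_ports=3):
    """Sources denied on at least min_ports distinct (proto, port) pairs."""
    return sorted(src for src, ports in denied_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def denied_hits(records):
    """Total denied packets; 106100 lines contribute their hit-cnt."""
    return sum(r["count"] for r in records if r["action"] == "denied")
```

Two things the example makes visible that the note only implies: an entry without the log keyword still produces a 106023 line per denied packet, so a deny ACE on a busy interface can generate far more syslog volume than a logged one, whose 106100 summaries carry a hit count; and because 106023 is only emitted for denies, permitted traffic is invisible unless the entry carries the log keyword.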

Web Tab

Use the Web tab to define web ACL objects. You can add and edit WebVPN ACLs and the ACL entries that each ACL contains. From this page, you can add, edit, and delete objects. You can also generate usage reports of the policies that use an object. When a configuration is generated for the device, a web ACL object is deployed with the access-list <name> webtype command, which is entered in global configuration mode.

Note: The same dialog box is used for adding and editing web access control entries.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Web tab.

Note: The Extended tab opens by default the first time the Access Control Lists page is accessed. Subsequent visits to the page display the last opened tab.

Related Topics

Understanding Access Control List Objects, page 8-31
Creating Access Control List Objects, page 8-36
Understanding the Policy Object Manager Window, page 8-5


Policy Object Manager Window Shortcut Menu, page F-9
Object Usage Window, page F-563

Field Reference

Table F-24  Web Tab

Element (1)
Description

Filter
Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

Name
Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name. Click the arrow to expand or collapse the contents of the ACL object.

Permit
Shows whether each entry permits or denies the traffic that matches its conditions.
Permit: shown as a green checkmark.
Deny: shown as a red circle with a slash.

Destination
Identifies the destination network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. For more information, see Understanding Network/Host Objects, page 8-127.

TCP Port
Identifies the port range or service port list to which the filter (permit or deny user access) applies. Multiple entries are separated by commas.

URLs
Identifies the URLs to which the filter (permit or deny user access) applies.

Options
Displays whether logging is turned on for the entry.
Enabled: LOG
Disabled: blank

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Description
Enables you to enter a description to help you identify the entry. Maximum length is 1024 characters.

New Object button
Enables you to create an object. See Creating Web Access Control List Objects, page 8-41.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete the selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object that is still used in a rule or within another object cannot be deleted.

1. An asterisk (*) indicates that the field is required.

Add and Edit WebType Access List Dialog Boxes

Use the Add and Edit WebType Access List dialog boxes to define the entries of a web ACL object. From this page, you can add ACL objects, add or edit ACEs, change the order of the ACEs and ACL objects within the table, and delete ACEs and ACL objects.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Web tab. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit WebType Access List page appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.


Related Topics

Understanding Access Control List Objects, page 8-31
Creating Web Access Control List Objects, page 8-41

Field Reference

Table F-25  Add and Edit Web Type Access List Dialog Boxes

Element (1)
Description

Name*
Identifies the name of the ACL object. A maximum of 55 characters is allowed.

Description
Enables you to enter a description to help you identify the object. A maximum of 1024 characters is allowed.

Name
Identifies the name of the access control entry.

Permit
Shows whether each entry permits or denies the traffic that matches its conditions.
Permit: shown as a green checkmark.
Deny: shown as a red circle with a slash.

Destination
Identifies the destination network/host object names or the addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:
a.b.c.d, where a, b, c, d = 0–255 (host).
a.b.c.d/e, where a, b, c, d = 0–255 and e = 1–32 (subnet).
a.b.c.d-e.f.g.h, where a, b, c, d, e, f, g, h = 0–255 (range).
a.b.c.d/e, where e is a subnet mask in x.x.x.x format.*
Freeform text that is the name of a network object.
* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
For more information, see Understanding Network/Host Objects, page 8-127.

TCP Port
Shows the TCP port list information if the filter destination is a network filter.

URLs
Shows the URL information if the filter destination is a URL filter.

Options
Displays whether logging is turned on for the entry.
Enabled: LOG
Disabled: blank

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Description
Enables you to enter a description to help you identify the entry. A maximum of 1024 characters is allowed.

New Object button
Enables you to create an object. See Creating Web Access Control List Objects, page 8-41.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete the selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object that is still used in a rule or within another object cannot be deleted.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk (*) indicates that the field is required.

Add and Edit Web Access Control Entry Dialog Boxes


Use the Add and Edit Web Access Control Entry dialog boxes to add an ACL
object, or add or edit an ACE.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from
the Object Type selector. Click the Web tab. Right-click inside the work area, then
select New Object or right-click a row, then select Edit Object. The Add or Edit
WebType Access List page appears based on your selection. Right-click inside the
table, then select Add Row, or right-click a row, then select Edit Row.
Related Topics

Understanding Access Control List Objects, page 8-31

Creating Web Access Control List Objects, page 8-41

Field Reference
Table F-26  Add and Edit Web Access Control Entry Dialog Boxes

Element (1)    Description

Type
    Access Control Entry: Identifies the entry added as an ACE.
    ACL Object(s): Identifies the entry added as an ACL object.
    Note: The dialog box values will vary according to your selection.

Action
    Enables you to select whether to permit or deny traffic based on the conditions set.
    Permit: Shown as a green checkmark.
    Deny: Shown as a red circle with a slash.

Filter Destination
    Network Filter: When selected, enables you to define the destination and ports.
    Destination*: Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:
        a.b.c.d where a,b,c,d = 0-255 (host).
        a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).
        a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).
        a.b.c.d/e where e = subnet mask in x.x.x.x format*
        Freeform text that is the name of the network/host object.
    Note: * For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
    Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Ports (Optional)
    URL Filter: When selected, enables you to define the URL filter.
    URL Filter*: Applies the filter to the specified URL.

Logging
    No Log
    Default: Default settings on the device
    Emergency (0): System is unstable
    Alert (1): Immediate action is needed
    Critical (2): Critical conditions
    Error (3): Error conditions
    Warning (4): Warning conditions
    Notification (5): Normal but significant condition
    Informational (6): Informational messages only
    Debugging (7): Debugging messages

Logging Interval
    Defines the interval of time, in seconds, used to generate logging messages. Values are 1-600 seconds. Default is 300. You must select a logging level from the list for the logging interval value to be recognized.
    If you select Default as the logging level, the default logging interval value (300) is used.

Time Range
    Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization. See Understanding Time Range Objects, page 8-173.
    Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.
    Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
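As an added example (not code from this user guide or from Security Manager), the following Python checks a network-filter ACE against the input rules in Table F-26: the accepted Destination formats, the rule that Destination is required, and the Logging level and Logging Interval constraints. The pattern used for free-form object names, the use of the `ipaddress` module to reject discontiguous dotted masks, and treating an omitted interval as the 300-second default are assumptions made here; the table itself only fixes the formats, the 1-600 range and the default.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed example for the Web Access Control Entry dialog (Table F-26).
# Not Security Manager code: it mirrors the documented input rules so that an
# entry can be checked before it is typed into the dialog.

# Logging levels from the Logging element, mapped to their syslog severity.
LOG_LEVELS = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notification": 5, "Informational": 6, "Debugging": 7,
}
DEFAULT_LOG_INTERVAL = 300          # seconds (the table's default)
LOG_INTERVAL_RANGE = range(1, 601)  # 1-600 seconds

_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4 = rf"{_OCTET}\.{_OCTET}\.{_OCTET}\.{_OCTET}"
_HOST_RE = re.compile(rf"^{_IPV4}$")
_PREFIX_RE = re.compile(rf"^{_IPV4}/([0-9]{{1,2}})$")
_MASK_RE = re.compile(rf"^{_IPV4}/{_IPV4}$")
_RANGE_RE = re.compile(rf"^({_IPV4})-({_IPV4})$")
# Object names are free-form in the product; the rule below (letters, digits,
# '_', '.', '-', with at least one letter or underscore) is an assumption made
# here so that a mistyped address is not silently accepted as an object name.
_NAME_RE = re.compile(r"^(?=.*[A-Za-z_])[A-Za-z0-9_.\-]+$")


@dataclass(frozen=True)
class Destination:
    kind: str      # "host", "subnet", "range" or "object"
    value: object  # IPv4Address, IPv4Network, (start, end) tuple, or name


def parse_destination_entry(entry: str) -> Destination:
    """Parse one comma-separated item of the Destination field."""
    entry = entry.strip()
    if _HOST_RE.match(entry):
        return Destination("host", ipaddress.IPv4Address(entry))
    m = _PREFIX_RE.match(entry)
    if m:
        if int(m.group(1)) not in range(1, 33):      # e = 1-32
            raise ValueError(f"prefix length must be 1-32: {entry!r}")
        return Destination("subnet", ipaddress.IPv4Network(entry, strict=False))
    if _MASK_RE.match(entry):
        # Dotted-mask form. ipaddress accepts only contiguous masks; the manual
        # treats discontiguous masks separately (page 8-129), so report them
        # explicitly instead of letting the generic error through.
        try:
            return Destination("subnet", ipaddress.IPv4Network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"discontiguous mask not handled here: {entry!r}") from exc
    m = _RANGE_RE.match(entry)
    if m:
        start, end = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if start > end:
            raise ValueError(f"range start exceeds end: {entry!r}")
        return Destination("range", (start, end))
    if _NAME_RE.match(entry):
        return Destination("object", entry)
    raise ValueError(f"unrecognised destination format: {entry!r}")


def parse_destination_field(field: str) -> List[Destination]:
    """Parse the whole Destination field; it is required, so empty is an error."""
    entries = [parse_destination_entry(e) for e in field.split(",") if e.strip()]
    if not entries:
        raise ValueError("Destination is required for a network filter")
    return entries


def effective_log_interval(level: Optional[str], interval: Optional[int]) -> Optional[int]:
    """Return the logging interval the device will use, or None when not logging.

    Follows the table: the interval is recognised only once a level is chosen,
    'Default' always means 300, and explicit values must be 1-600. Treating a
    missing interval as 300 is an assumption of this example.
    """
    if level in (None, "No Log"):
        return None
    if level == "Default":
        return DEFAULT_LOG_INTERVAL
    if level not in LOG_LEVELS:
        raise ValueError(f"unknown logging level: {level!r}")
    if interval is None:
        return DEFAULT_LOG_INTERVAL
    if interval not in LOG_INTERVAL_RANGE:
        raise ValueError(f"logging interval must be 1-600 seconds: {interval}")
    return interval


def validate_network_filter_ace(action: str, destination: str,
                                level: Optional[str] = None,
                                interval: Optional[int] = None) -> dict:
    """Check a network-filter ACE as the dialog would and return its parts."""
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action!r}")
    return {
        "action": action,
        "destinations": parse_destination_field(destination),
        "log_interval": effective_log_interval(level, interval),
    }
```

A call such as `validate_network_filter_ace("permit", "10.1.2.0/24, corp_web_servers", "Informational", 120)` returns the parsed destinations and the interval 120, while a Destination such as `10.1.2.0/255.0.255.0` raises so the discontiguous-mask rules on page 8-129 can be consulted before the entry is saved.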

ASA User Groups Page


Use the ASA User Groups page to view, create, edit, copy, and delete ASA user
group objects. ASA user groups are used in Easy VPNs, remote access VPNs, and
SSL VPNs.
ASA user groups define a set of user-oriented attributes and values for IPsec
connections (Easy VPN, remote access and SSL VPN) that are stored either
internally (locally) on the device or externally on an AAA server.
Navigation Path

Select Tools > Policy Object Manager, then select ASA User Groups from the
Object Type selector.
Related Topics

Understanding ASA User Group Objects, page 8-43

Configuring ASA User Groups Policy in Your SSL VPN, page 11-43

Understanding the Policy Object Manager Window, page 8-5

Policy Object Manager Window, page F-3

Policy Object Manager Window - Shortcut Menu, page F-9

Object Usage Window, page F-563


Field Reference
Table F-27  ASA User Groups Page

Column    Description

Filter
    Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

[Icon]
    The icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name
    The name of the ASA user group object. Names can be sorted in ascending or descending order.

Type
    The type of ASA user group depending on its configuration:
    Internal: The ASA user group is configured locally on the device.
    External: The ASA user group is configured on an external server.

Tunneling Protocol
    The protocols used after a tunnel is established.

AAA Server Group
    The AAA server group used for user authentication.

Category
    The category that is assigned to the object, if defined. See Categories Page, page F-87.

Description
    Displays an icon if a description is defined for the object. A tooltip displays the text of the description.
    Tip: Double-click the icon to display the text of the description in a popup window.

New Object button
    Opens the ASA User Group Dialog Box, page F-60. From here you can create an ASA user group object.

Edit Object button
    Opens the ASA User Group Dialog Box, page F-60. From here you can edit the selected ASA user group object.
    Note: You cannot edit predefined objects.

Delete Object button
    Deletes the selected ASA user group objects from the table.
    Note: You cannot delete an object that is referenced by policies or other objects.

ASA User Group Dialog Box


Use the ASA User Group dialog box to create, copy, and edit an ASA user group
object.
From this dialog box, you can configure the settings that will be applied to an
ASA user group object in an Easy VPN topology or remote access VPN, or
SSL VPN.

Note: The dialog box opens to display the Technology settings.


Navigation Path

Go to the ASA User Groups Page, page F-58, then do one of the following:

To create an ASA user group object, click New Object, or right-click inside
the table, then select New Object.

To copy an ASA user group object, right-click the row that contains the object
to copy, then select Create Duplicate.

To edit an ASA user group object, select the row that contains the object to
edit, then click Edit Object, or right-click and select Edit Object.

Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

Policy Object Manager Window, page F-3

ASA User Groups Page, page F-58


Field Reference
Table F-28  ASA User Group Dialog Box > Technology Settings

Element    Description

Name
    The name of the object (up to 128 characters). The object name is displayed in the ASA User Groups page.
    Object names are not case sensitive. For more information, see Guidelines for Managing Objects, page 8-4.

Description
    Additional information about the object (up to 1024 characters).

Settings pane
    A list of settings that you can configure for an ASA user group object.
    When you open the ASA User Group dialog box, the Technology settings are displayed.
    Note: Settings (apart from Technology) are available for configuration only if you selected to store the ASA user group's attributes locally on the device (when configuring the Technology settings).
    Note: When configuring on the local device, the list of settings available for configuration differs depending on whether you are configuring the ASA user group for an Easy VPN/remote access VPN, or SSL VPN, or both.

Technology settings

Group Policy Source
    Unavailable if you are editing an ASA user group object.
    If you are creating or copying an ASA user group object, select where the ASA user group's attributes and values are stored:
    On Device: Internally (locally) on the device. This is the default.
    External Server: Externally on an AAA server.
    Note: If you select to store the ASA user group's attributes on an external AAA server, you do not need to configure any of the Technology settings.

Technology
    Unavailable if you are editing an ASA user group object.
    If you are creating or copying an ASA user group object, and the ASA user group's attributes are stored on the device, select the type of VPN for which you are creating the ASA user group object:
    Easy VPN/Remote Access VPN
    SSL VPN
    Both: The user group object can be shared between Easy VPN/Remote Access VPN and SSL VPN. This is the default.

External Server Group
    If the ASA user group's attributes are stored on an external AAA server, specify the AAA server group that will be used for authentication.
    You can click Select to open the AAA Server Groups Selector from which you can make your selection.

Password
    Available after you have specified the AAA server group that will be used for authentication.
    Enter an alphanumeric keyword that will serve as the password to the AAA server. The keyword can be a maximum of 128 characters; spaces are not allowed.

Confirm
    After you have entered the alphanumeric keyword that will serve as the password to the AAA server, enter the password again to confirm it.

Category
    The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page, page F-87.

OK button
    Saves your changes to the server and closes the dialog box.

ASA User Group Dialog Box - Client Configuration Settings


Use the Client Configuration settings page to configure the Cisco client
parameters for the ASA user group in an Easy VPN or remote access VPN.


Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the Easy VPN/Remote
Access VPN (or Both) technology, then select Client Configuration under the
Easy VPN/Remote Access VPN folder in the Settings pane.
Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60

Field Reference
Table F-29  ASA User Group Dialog Box > Client Configuration Settings

Element    Description

Store Password on Client System
    When selected, enables users to store a password on their local system.
    Note: It is recommended that you enable password storage only on systems that you know to be in secure sites.

Enable IPsec over UDP
    When selected, allows a Cisco VPN client or hardware client to connect via UDP to a security appliance that is running NAT.
    Note: The Cisco VPN client must also be configured to use IPsec over UDP, which is configured by default on certain devices.

UDP Port
    Specifies a port value when IPsec over UDP is enabled, within the range 4001-49151.
    In IPsec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. Port values are 4001-49151.

IPsec Backup Servers
    Specify the backup servers configuration from these options:
    Keep Client Configuration: The security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.
    Clear Client Configuration: The client uses no backup servers. The security appliance pushes a null server list.
    Use Specified Backup Servers: Enables you to configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured. When selected, you must specify the IPsec Backup Server addresses.

Servers List
    Specifies the backup server IP addresses.
    You can click Select to open the Network/Hosts Selector from which you can make your selection.

ASA User Group Dialog Box - Client Firewall Attributes


Use the Client Firewall Attributes settings to configure the firewall settings for
VPN clients for the ASA user group in an Easy VPN or remote access VPN.

Note

Only VPN clients running Microsoft Windows can use these firewall settings.
Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the Easy VPN/Remote
Access VPN (or Both) technology, then select Client Firewall Attributes under
the Easy VPN/Remote Access VPN folder in the Settings pane.
Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60


Field Reference
Table F-30  ASA User Group Dialog Box > Client Firewall Attributes Settings

Element    Description

Firewall Mode
    Remote users connecting to the security appliance with the VPN client can select from the following firewall mode options:
    No Firewall: No firewall exists. If you select this option, the remaining fields on the page are unavailable.
    Firewall Required (the default): A firewall exists and is required. All users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.
    Note: Make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect.
    Firewall Optional: A firewall exists and is optional. This is beneficial if you have remote users in this group who do not yet have firewall capacity. This option allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not. For example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Firewall Type
    Lists firewalls from several vendors, including Cisco.
    Cisco Integrated Client Firewall
    Cisco Security Agent: Specifies the Cisco Intrusion Prevention Security Agent firewall type.
    Custom Firewall: When selected, the fields in the Custom Firewall and Firewall Policy group boxes become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.
    Network ICE BlackICE Defender
    Sygate Personal Firewall
    Sygate Personal Firewall Pro
    Sygate Security Agent
    Zone Labs Zone Alarm

Get Policy From Remote Firewall
    Select this option when the client PC firewall application controls the firewall policy.
    When selected, the security appliance checks to make sure that the firewall is running. It asks, "Are You There?" If there is no response, the security appliance tears down the tunnel.

Use Specified Policy
    When selected, enables you to specify the actual VPN client firewall policy that must be applied by the specified client firewall type.

Inbound Traffic Policy
    When selected, enables you to enter an ACL to specify the policy the client uses for inbound traffic.
    You can click Select to open the Access Control Lists Selector from which you can make your selection.

Outbound Traffic Policy
    When selected, enables you to enter an ACL to specify the policy the client uses for outbound traffic.
    You can click Select to open the Access Control Lists Selector from which you can make your selection.

Custom Firewall

Vendor ID
    Specifies the vendor of the custom firewall being configured for this ASA user group. Values are 1-32.

Product ID
    Specifies the product or model name of the custom firewall being configured for this ASA user group.
    Values are 1-32 or 255. Multiple ranges are allowed, for example, 4-12, 24-32. Use 255 for all supported products.

Description
    Enables you to enter a description to help you identify the custom firewall. Maximum characters allowed is 1024.
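An added example (not Security Manager code) for the Custom Firewall fields of Table F-30: it checks a Vendor ID against the 1-32 rule and expands the Product ID range syntax shown in the table ("4-12, 24-32") into the set of IDs it covers, rejecting values outside 1-32. Treating 255 as valid only when it is the sole entry is an assumption of this example; the table says only that 255 stands for all supported products.

```python
from typing import Set

# Constructed example for the Custom Firewall Vendor ID / Product ID fields
# (Table F-30). Not Security Manager code.

VENDOR_ID_RANGE = range(1, 33)    # Vendor ID: 1-32
PRODUCT_ID_RANGE = range(1, 33)   # Product ID: 1-32 ...
ALL_PRODUCTS = 255                # ... or 255, meaning all supported products


def validate_vendor_id(value: int) -> int:
    """Return the Vendor ID unchanged if it is within 1-32, else raise."""
    if value not in VENDOR_ID_RANGE:
        raise ValueError(f"Vendor ID must be 1-32, got {value}")
    return value


def parse_product_ids(field: str) -> Set[int]:
    """Expand a Product ID field such as '4-12, 24-32' into a set of IDs.

    Entries are single IDs or inclusive ranges separated by commas. The
    value 255 is accepted only on its own (assumption) and returned as {255}.
    """
    items = [p.strip() for p in field.split(",") if p.strip()]
    if not items:
        raise ValueError("Product ID is empty")
    if items == [str(ALL_PRODUCTS)]:
        return {ALL_PRODUCTS}
    ids: Set[int] = set()
    for item in items:
        low, sep, high = item.partition("-")
        try:
            start = int(low)
            end = int(high) if sep else start
        except ValueError:
            raise ValueError(f"malformed Product ID entry: {item!r}") from None
        if start > end:
            raise ValueError(f"range start exceeds end: {item!r}")
        for n in (start, end):
            if n not in PRODUCT_ID_RANGE:
                raise ValueError(f"Product ID must be 1-32 (or 255 alone): {item!r}")
        ids.update(range(start, end + 1))
    return ids
```

`parse_product_ids("4-12, 24-32")` yields the eighteen IDs 4 through 12 and 24 through 32; mixing 255 with other entries, a reversed range such as `12-4`, or an ID outside 1-32 raises before the value reaches the dialog.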

ASA User Group Dialog Box - Hardware Client Attributes


Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware
Client settings for the ASA user group in an Easy VPN or remote access VPN.
Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the Easy VPN/IPsec
Remote Access VPN (or Both) technology, then select Hardware Client
Attributes under the Easy VPN/Remote Access VPN folder in the Settings pane.
Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60


Field Reference
Table F-31  ASA User Group Dialog Box > Hardware Client Attributes

Element    Description

Require Interactive Client Authentication
    When selected, enables secure unit authentication, which provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. The hardware client does not have a saved username and password.
    Note: Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware clients use.
    Note: If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Require Individual User Authentication
    When selected, requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure.
    When deselected, allows inheritance of a value for user authentication from another user group policy.

Enable Cisco IP Phone Bypass
    When selected, allows IP phones behind hardware clients to connect without undergoing a user authentication process. Secure unit authentication remains in effect.

Enable LEAP Bypass
    When selected, enables LEAP packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication.
    Note: Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP (Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Allow Network Extension Mode
    When selected, enables network extension mode for hardware clients.
    Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Idle Timeout Mode

Specified Timeout
    When selected, enables you to specify an idle timeout for individual users behind hardware clients. If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the client's access.
    Values are 1-35791394 minutes.

Unlimited Timeout
    When selected, permits an unlimited idle timeout period.

ASA User Group Dialog Box - IPsec Settings


Use the IPsec settings to specify tunneling protocols, filters, connection settings,
and servers for the ASA user group in an Easy VPN or remote access VPN. This
creates security associations that govern authentication, encryption,
encapsulation, and key management.
Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the Easy VPN/Remote
Access VPN (or Both) technology, then select IPsec under the Easy VPN/Remote
Access VPN folder in the Settings pane.
Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60



Field Reference
Table F-32  ASA User Group Dialog Box > IPsec Settings

Element    Description

Enable Re-Authentication on IKE Re-Key
    When selected, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs, providing additional security.
    Note: Reauthentication fails if no user is at the other end of the connection.

Enable IPsec Compression
    When selected, enables data compression that speeds up data transmission rates for remote dial-in users connecting with modems.
    Caution: Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, it is recommended that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

Enable Perfect Forward Secrecy (PFS)
    When selected, enables the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.

Tunnel Group Lock
    Specifies whether to restrict remote users to access through the tunnel group only.
    Group-lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

Client Access Rules

Priority
    Identifies the priority for this rule.
    The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.

Action
    Specifies whether this rule permits or denies access.

Client Type
    Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version
    Specifies the versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.

Create button
    Opens a dialog box in which you can create a client access rule. See ASA User Group Dialog Box - Client Access Rules Dialog Box, page F-71.

Edit button
    Opens a dialog box in which you can edit a selected client access rule. See ASA User Group Dialog Box - Client Access Rules Dialog Box, page F-71.

Delete button
    Enables you to delete selected client access rules from the table.

ASA User Group Dialog Box - Client Access Rules Dialog Box

In the Client Access Rules dialog box, you can create or edit the priority, action,
VPN client type and VPN client version for a client access rule.
Navigation Path

Open the ASA User Group Dialog Box - IPsec Settings, page F-69, then click
Create, or select an item in the table and click Edit.
Related Topics

ASA User Groups Page, page F-58

ASA User Group Dialog Box - IPsec Settings, page F-69


Field Reference
Table F-33  ASA User Group Dialog Box > IPsec Settings > Client Access Rules Dialog Box

Element    Description

Priority
    Associates priority with a value.
    The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it. Values are 1-65535.

Action
    Specifies whether this rule permits or denies traffic access.

VPN Client Type
    Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version
    Specifies the version or versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.

OK button
    Saves your changes to the server and closes the dialog box.
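An added example, not ASA or Security Manager code, for the client access rules described in Tables F-32 and F-33: it models a rule set and applies the documented selection rule (the matching rule with the lowest priority integer wins; a contradicting rule with a larger integer is ignored), and flags duplicate priorities, which leave the outcome undefined. Two things are assumptions of this example rather than statements of the tables: `*` is treated as a wildcard in the client type and version fields, and the behaviour when no rule matches is made an explicit parameter (`no_match`, defaulting to deny) because the tables do not state it.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List

# Constructed example for Client Access Rules (Tables F-32 and F-33).
# Not ASA or Security Manager code; it applies the documented
# "lowest priority integer wins" rule to a rule set so the set can be
# reviewed before it is deployed.

PRIORITY_RANGE = range(1, 65536)    # Values are 1-65535


@dataclass(frozen=True)
class ClientAccessRule:
    priority: int       # lowest integer = highest priority
    action: str         # "permit" or "deny"
    client_type: str    # e.g. "WinNT" or "VPN3002"; "*" = any (assumed wildcard)
    versions: str       # comma-separated versions; "*" wildcards are an assumption

    def __post_init__(self) -> None:
        if self.priority not in PRIORITY_RANGE:
            raise ValueError(f"priority must be 1-65535: {self.priority}")
        if self.action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {self.action!r}")
        if not self.client_type.strip() or not self.version_list():
            raise ValueError("client type and at least one version are required")

    def version_list(self) -> List[str]:
        """Split the comma-separated VPN Client Version field."""
        return [v.strip() for v in self.versions.split(",") if v.strip()]

    def matches(self, client_type: str, client_version: str) -> bool:
        """True when both the client type and one of the versions match."""
        if not fnmatchcase(client_type, self.client_type):
            return False
        return any(fnmatchcase(client_version, pat) for pat in self.version_list())


def duplicate_priorities(rules: Iterable[ClientAccessRule]) -> List[int]:
    """Priorities used by more than one rule. Two rules sharing a priority
    leave the winner undefined, so such a rule set needs fixing."""
    seen, dupes = set(), []
    for rule in rules:
        if rule.priority in seen and rule.priority not in dupes:
            dupes.append(rule.priority)
        seen.add(rule.priority)
    return sorted(dupes)


def decide(rules: Iterable[ClientAccessRule], client_type: str,
           client_version: str, no_match: str = "deny") -> str:
    """Return 'permit' or 'deny' for a connecting client.

    Among the rules whose client type and version match, the one with the
    lowest priority integer applies; a contradicting rule with a larger
    integer is ignored, as the tables state. The result when no rule matches
    is not given by the tables; `no_match` makes that choice explicit, and
    the fail-closed default here is the example's own.
    """
    matching = [r for r in rules if r.matches(client_type, client_version)]
    if not matching:
        return no_match
    return min(matching, key=lambda r: r.priority).action
```

With a catch-all deny at priority 3 and a permit for `WinNT` clients running `4.8*` or `5.*` at priority 1, a `WinNT` client at version `4.8.01.0300` is permitted because rule 1 outranks rule 3, while one at `4.6.00.0045` matches only the catch-all and is denied.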

ASA User Group Dialog Box - SSL VPN Clientless Settings

Clientless settings enable you to configure the Clientless mode of access to the
corporate network in an SSL VPN, for the ASA user group object.
In clientless access mode, once a user is authenticated and a session is established,
an SSL VPN portal page and toolbar are displayed in the user's web browser. From
the portal page, the user can access all available HTTP sites, access web e-mail,
and browse Common Internet File System (CIFS) file servers.
Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the SSL VPN (or Both)
technology, then select Clientless under the SSL VPN folder in the Settings pane.
Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60


Field Reference
Table F-34  ASA User Group Dialog Box > SSL VPN Clientless Settings

Element    Description

Portal Page Websites
    A list of websites that will be displayed on the portal page as bookmarks to enable users to access the resources available on the SSL VPN websites.
    You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects. See URL Lists Page, page F-504.

Allow Users to Enter Websites
    When selected, enables the remote user to input the website URLs directly.

Enable File Server Access
    When selected, enables the remote user to access the Common Internet File System (CIFS) file servers.
    In Clientless mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the web browser. When the Common Internet File System (CIFS) feature is selected, a list of file server and directory links is displayed on the portal page after login.

Enable File Server Browsing
    When selected, enables the remote user read-only access to browse the shared files on the Common Internet File System (CIFS) file servers.

Enable File Server Entry
    When selected, enables the remote user full-write access to modify the shared files on the Common Internet File System (CIFS) file servers.

Enable Outlook/Exchange Proxy
    When selected, enables the remote user to have web access to the Microsoft Outlook and Microsoft Exchange server.

Enable HTTP Proxy
    When selected, enables user access to the external HTTP proxy server to which the security appliance forwards HTTP connections.

Enable Citrix
    When selected, enables remote users to run Citrix-enabled applications, such as Microsoft Word or Excel, through the SSL VPN as if the application was locally installed, without the need for client software. The Citrix software must be installed on one or more servers on a network that the router can reach.

Enable Content Filtering
    When selected, enables you to restrict user access to the SSL VPN.

Filter ACL
    Specifies the WebType access control list that will be used to restrict user access to the SSL VPN.
    You can click Select to open the Access Control Lists Selector from which you can make your selection.

ASA User Group Dialog Box - SSL VPN Thin Client Settings

Thin Client settings enable you to configure the Thin Client mode of access to the
corporate network in an SSL VPN, for the ASA user group object.
In Thin Client access mode, the client application uses TCP to connect to a
well-known server and port. The remote user downloads a Java applet which acts
as a TCP proxy on the client machine for the services configured on the SSL VPN
gateway.

Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the SSL VPN (or Both)
technology, then select Thin Client under the SSL VPN folder in the Settings
pane.

Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60

Field Reference

Table F-35 ASA User Group Dialog Box > SSL VPN Thin Client Settings

Element / Description

Enable Thin Client
When selected, enables you to configure the Thin Client settings for
the ASA user group.

Port Forwarding List
The Port Forwarding List that defines the mapping of the port number
on the client machine to the application's IP address and port behind
the SSL VPN gateway.
You can click Select to open the Port Forwarding List Selector from
which you can make your selection. See Port Forwarding List Page,
page F-448.

Port Forwarding Applet Name
The Java applet that will be used as a TCP proxy on the client
machine.
The Java applet initiates an HTTP request from the remote user client
to the ASA device. The Java applet starts a new SSL connection for
every client connection.

Download Port Forwarding Applet on Client Login
When selected, enables the port-forwarding Java applet to be
automatically downloaded when the remote client logs in.

ASA User Group Dialog Box - SSL VPN Full Tunnel Settings

Full Tunnel settings enable you to configure the Full Tunnel mode of access to the
corporate network in an SSL VPN, for the ASA user group object.
Full Tunnel mode enables access to the corporate network completely over an
SSL VPN tunnel. In Full Tunnel Client access mode, the tunnel connection is
determined by the group policy configuration. The full tunnel client software,
SSL VPN Client (SVC), is downloaded to the remote client, so that a tunnel
connection is established when the remote user logs in to the SSL VPN gateway.

Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the SSL VPN (or Both)
technology, then select Full Tunnel under the SSL VPN folder in the Settings
pane.

Related Topics

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60

Field Reference

Table F-36 ASA User Group Dialog Box > SSL VPN Full Tunnel Settings

Element / Description

Mode

Use Other Access Modes if SSL VPN Client Download Fails
For the full tunnel access mode to work properly, the SSL VPN Client
(SVC) software must be installed on the device.
When selected, this option enables the remote client to use clientless
or thin client access modes if the SVC download fails.

Full Tunnel Only
When selected, enables only the Full Tunnel access mode to be
configured.

Keep SSL VPN Client on Client Computer
When selected, enables the Full Tunnel software to remain on the
client's PC after the client has logged out.
When deselected, clients must download the software each time they
establish communication with the gateway.

Enable Compression
When selected, enables data compression that speeds up data
transmission rates for remote users connecting with modems.

Enable Keepalive Messages
When selected, enables keepalive messages to be exchanged between
peers to demonstrate that they are available to send and receive data
in the tunnel.
Keepalive messages transmit at set intervals, and any disruption in
that interval results in the creation of a new tunnel, using a backup
device.
Then enter the time interval (in seconds) that the remote client waits
between sending IKE keepalive packets, in the Interval field.

Client Dead Peer Detection Timeout (sec)
The time interval, in seconds, that the Dead Peer Detection (DPD)
timer is reset each time a packet is received over the SSL VPN tunnel
from the remote user.
Note: DPD is used to send keepalive messages between peer devices
only when no incoming traffic is received and outbound traffic needs
to be sent.

Gateway Dead Peer Detection Timeout (sec)
The time interval, in seconds, that the Dead Peer Detection (DPD)
timer is reset each time a packet is received over the SSL VPN tunnel
from the gateway.

Key Renegotiation Method
The method by which the tunnel key is refreshed for the remote user
group client:

Disabled - Disables the tunnel key refresh.

Use Existing Tunnel - Renegotiates the SSL tunnel connection.

Create New Tunnel - Initiates a new tunnel connection.

Then enter the time interval (in minutes) between the tunnel refresh
cycles, in the Interval field.

ASA User Group Dialog Box - SSL VPN General Settings

SSL VPN General Settings enable you to configure attributes that are required for
Clientless and Thin Client access modes to work, including auto signon rules for
user access to servers. Auto Signon configures the security appliance to
automatically pass SSL VPN user login credentials (username and password) on
to internal servers. You can configure multiple auto signon rules. For more
information, see Understanding Single Sign-On Server Objects, page 8-162.

Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the SSL VPN (or Both)
technology, then select Settings under the SSL VPN folder in the Settings pane.

Related Topics

Understanding Single Sign-On Server Objects, page 8-162

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

ASA User Group Dialog Box, page F-60

Field Reference

Table F-37 ASA User Group Dialog Box > SSL VPN Settings

Element / Description

Clientless/Port Forwarding Setting

Home Page
The URL of the SSL VPN home page on which the available websites
appear as links.

Authentication Failure Message
The error message displayed on the login page if a user
authentication failure occurs.

Minimum Keepalive Object Size (kilobytes)
Specifies the minimum size (in kilobytes) of an IKE keepalive packet
that can be stored in the cache on the security appliance.

Single Sign On Server
Specifies the Single Sign On (SSO) server that allows users to enter
their username and password once and then access a range of
servers.
You can click Select to open a dialog box that lists all available SSO
servers from which you can make your selection, or create an SSO
server object. See Understanding Single Sign-On Server Objects,
page 8-162.

Enable HTTP Compression
When selected, enables an HTTP compressed object to be cached on
the security appliance.

Auto Signon Rules table

IP Address
The IP address of the SSO server that receives the login credentials.

Mask
The IP mask of the SSO server that receives the login credentials.

URL
The URL used to specify the SSO server that receives the login
credentials.

Authentication Type
The authentication method used to configure SSO: HTTP Basic, NTLM
authentication, or both of these.

Up/Down buttons
Enable you to change the order of the Auto Signon rules.
Note: The security appliance processes the rules according to the
order in the table.

Add button
Opens a dialog box in which you can create an Auto Signon rule.
See ASA User Group Dialog Box - Auto Signon Rules Dialog Box,
page F-79.

Edit button
Opens a dialog box in which you can edit the parameters of a selected
Auto Signon rule. See ASA User Group Dialog Box - Auto Signon
Rules Dialog Box, page F-79.

Delete button
Removes selected Auto Signon rules from the table.

Web Page Customization
Specifies the customization profile that defines the appearance of
the portal page that allows the remote user access to all the
resources available on the SSL VPN networks.
You can click Select to open a dialog box that lists all available
SSL VPN customization objects, from which you can make your
selection. See Understanding SSL VPN Customization Objects,
page 8-186.

ASA User Group Dialog Box - Auto Signon Rules Dialog Box

Use this dialog box to configure the Auto Signon rules that the security appliance
uses to pass SSL VPN user login credentials on to an internal server. You can
configure multiple Auto Signon rules; the security appliance processes them
according to the input order.

Navigation Path

Open the ASA User Group Dialog Box - SSL VPN General Settings, page F-77,
then click Create, or select an item in the table and click Edit.

Related Topics

ASA User Group Dialog Box, page F-60

ASA User Group Dialog Box - SSL VPN General Settings, page F-77

Understanding Single Sign-On Server Objects, page 8-162

Field Reference

Table F-38 ASA User Group Dialog Box > Settings > Auto Signon Rules Dialog Box

Element / Description

Allow IP
When selected, enables you to specify the IP address and IP mask of
the SSO server that receives the login credentials, in the fields
provided.

Allow URL
When selected, enables you to specify the URL of the SSO server
that receives the login credentials, in the field provided.

Authentication Type
Select the required SSO authentication method.
Options are HTTP Basic, NTLM (NT LAN Manager) authentication, or
both of these methods.

OK button
Saves your changes to the server and closes the dialog box.
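The Auto Signon table in Table F-37 is processed top to bottom, and each rule in Table F-38 identifies the SSO server either by IP address and mask (Allow IP) or by URL (Allow URL). Because the appliance forwards the user's username and password to whichever server the first matching rule names, rule order and rule breadth decide where credentials go. The following Python is an added example for this guide page, not Security Manager or ASA code. It assumes an IP rule matches when the server address lies inside IP/mask, that a URL rule matches by prefix (the page does not define URL matching, so that is an assumption), and that the first match in table order wins. The rule table and server addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative model of an Auto Signon rule (Tables F-37 and F-38): a rule
# names the SSO server either by IP address + mask ("Allow IP") or by URL
# ("Allow URL") and carries the SSO authentication type.  Example code
# written for this page, not Security Manager's own implementation.
AUTH_TYPES = ("basic", "ntlm", "all")   # HTTP Basic, NTLM, or both


@dataclass(frozen=True)
class AutoSignonRule:
    auth_type: str
    ip: Optional[str] = None     # "Allow IP": address of the SSO server
    mask: Optional[str] = None   # "Allow IP": dotted mask
    url: Optional[str] = None    # "Allow URL": server URL

    def __post_init__(self) -> None:
        if self.auth_type not in AUTH_TYPES:
            raise ValueError(f"unknown authentication type {self.auth_type!r}")
        if (self.ip is None) == (self.url is None):
            raise ValueError("a rule specifies exactly one of IP or URL")
        if self.ip is not None and self.mask is None:
            raise ValueError("an IP rule needs a mask")

    def network(self) -> Optional[ipaddress.IPv4Network]:
        if self.ip is None:
            return None
        # strict=False tolerates host bits set in the address part
        return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)

    def matches(self, server_ip: str, server_url: str) -> bool:
        net = self.network()
        if net is not None:
            return ipaddress.ip_address(server_ip) in net
        # Assumption for this example: a URL rule matches any URL that
        # begins with the configured URL.
        return server_url.lower().startswith(self.url.lower())


def first_matching_rule(rules: List[AutoSignonRule], server_ip: str,
                        server_url: str) -> Optional[Tuple[int, AutoSignonRule]]:
    """Table order is processing order (Table F-37 note): the first rule that
    matches decides whether, and how, the user's credentials are forwarded."""
    for index, rule in enumerate(rules):
        if rule.matches(server_ip, server_url):
            return index, rule
    return None


def shadowed_ip_rules(rules: List[AutoSignonRule]) -> List[Tuple[int, int]]:
    """Return (later, earlier) index pairs where an earlier IP rule already
    covers the later rule's whole network, so the later rule never fires."""
    shadowed = []
    seen: List[Tuple[int, ipaddress.IPv4Network]] = []
    for index, rule in enumerate(rules):
        net = rule.network()
        if net is None:
            continue
        for earlier_index, earlier_net in seen:
            if net.subnet_of(earlier_net):
                shadowed.append((index, earlier_index))
                break
        seen.append((index, net))
    return shadowed


# Constructed rule table.  Rule 1 is shadowed by rule 0: because 10.1.0.0/16
# comes first, a login to 10.1.5.10 is passed on with NTLM rather than the
# HTTP Basic method the operator intended, and every other host in
# 10.1.0.0/16 also receives the user's credentials.  Narrow rules belong
# above broad ones, and a rule should cover only hosts that really are SSO
# servers.
RULES = [
    AutoSignonRule("ntlm", ip="10.1.0.0", mask="255.255.0.0"),
    AutoSignonRule("basic", ip="10.1.5.10", mask="255.255.255.255"),
    AutoSignonRule("all", url="https://intranet.example.com/"),
]

if __name__ == "__main__":
    print(first_matching_rule(RULES, "10.1.5.10", "https://10.1.5.10/"))
    print(shadowed_ip_rules(RULES))
```

Running shadowed_ip_rules over a rule table before deploying it is a cheap way to catch the ordering mistake that the Up/Down buttons exist to fix.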

ASA User Group Dialog Box - DNS/WINS Settings

Configuring the DNS/WINS settings for your ASA user group enables you to
define the DNS and WINS servers and the domain name that should be pushed to
clients associated with the ASA user group.

Note: The DNS/WINS settings you configure for an ASA user group apply in
Easy VPN, remote access VPN, and SSL VPN configurations.

Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the On Device group
policy source, then select DNS/WINS in the Settings pane.

Related Topics

ASA User Group Dialog Box, page F-60

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

Field Reference

Table F-39 ASA User Group Dialog Box > DNS/WINS Settings

Element / Description

Primary DNS Server
The IP address of the primary DNS server you want to configure on
the ASA user group.
You can click Select to open the Network/Hosts Selector from which
you can make your selection.

Secondary DNS Server
The IP address of the secondary DNS server you want to configure on
the ASA user group.
You can click Select to open the Network/Hosts Selector from which
you can make your selection.

Primary WINS Server
The IP address of the primary WINS server you want to configure on
the ASA user group.
You can click Select to open the Network/Hosts Selector from which
you can make your selection.

Secondary WINS Server
The IP address of the secondary WINS server you want to configure on
the ASA user group.
You can click Select to open the Network/Hosts Selector from which
you can make your selection.

DHCP Network Scope
The scope of the DHCP network to be configured on the ASA user
group.
You can click Select to open the Network/Hosts Selector from which
you can make your selection.

Default Domain
Specifies the default domain name for the ASA user group.
A blank field means none.

ASA User Group Dialog Box - Split Tunneling

Split tunneling lets a remote client conditionally direct packets over an IPsec or
SSL VPN tunnel in encrypted form or to a network interface in clear text form.
With split tunneling enabled, packets not bound for destinations on the other side
of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and
then routed to a final destination. The split tunneling policy is applied to a specific
network.
Configuring split tunneling for your ASA user group enables you to specify a
secure tunnel to the central site and simultaneous clear text tunnels to the Internet.

Note: The split tunneling settings you configure for an ASA user group apply in
Easy VPN, remote access VPN, and SSL VPN configurations.

Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the On Device group
policy source, then select Split Tunneling in the Settings pane.

Related Topics

ASA User Group Dialog Box, page F-60

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

Field Reference

Table F-40 ASA User Group Dialog Box > Split Tunneling

Element / Description

DNS Names
A list of domain names that must be tunneled or resolved to the
private network. All other names will be resolved via the public DNS
server.
Entries in the list of domains are separated by a single space. There
is no limit on the number of entries, but the entire string can be no
longer than 255 characters. You can use only alphanumeric
characters, hyphens (-), and periods (.).

Tunnel Option
Specifies the traffic that will be secured or transmitted unencrypted
across the public network:

Disabled - (Default) When selected, specifies that no traffic goes in
the clear or to any other destination than the security appliance.
This, in effect, disables split tunneling. Remote users reach
Internet networks through the corporate network and do not have
access to local networks.

Tunnel Specified Traffic - When selected, tunnels all traffic from or
to the specified networks. This option enables split tunneling. It
lets you create a network list of addresses to tunnel. Data to all
other addresses travels in the clear and is routed by the remote
user's Internet service provider.

Exclude Specified Traffic - When selected, enables you to specify a
list of networks to which traffic goes in the clear. This feature is
useful for remote users who want to access devices on their local
network, such as printers, while they are connected to the corporate
network through a tunnel. This option applies only to the Cisco VPN
client.

Networks
A list of networks/hosts to which traffic is transmitted secured or
unencrypted, depending on the selected Tunnel Policy option.
Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

You can click Select to open the Networks/Hosts Selector from which
you can make your selection(s).
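The Networks field accepts four entry formats, and the Tunnel Option decides whether a listed destination is encrypted or sent in the clear. The following Python is an added example for this guide page, not Security Manager code: it parses each format (host, subnet, range, object name), resolves a hypothetical object name through a constructed lookup table that stands in for the Networks/Hosts object store, applies the three Tunnel Option policies to a destination address, and checks a DNS Names string against the length and character constraints stated in Table F-40. The object name, network list and destination addresses are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Example code for Table F-40, not part of Security Manager.  A constructed
# stand-in for the network/host object store; in the product the name
# resolves to a Networks/Hosts policy object.
NETWORK_OBJECTS: Dict[str, List[str]] = {
    "branch-printers": ["192.168.50.0/24"],   # hypothetical object name
}

_OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"
HOST_RE = re.compile(rf"^({_OCTETS})$")
SUBNET_RE = re.compile(rf"^({_OCTETS})/(\d{{1,2}})$")
RANGE_RE = re.compile(rf"^({_OCTETS})-({_OCTETS})$")


def parse_entry(entry: str) -> List[ipaddress.IPv4Network]:
    """Turn one list entry (host, subnet, range, or object name) into a
    list of networks.  ipaddress rejects octets above 255, so the
    a,b,c,d = 0-255 rule is enforced without extra code."""
    entry = entry.strip()
    m = HOST_RE.match(entry)
    if m:
        return [ipaddress.ip_network(f"{m.group(1)}/32")]
    m = SUBNET_RE.match(entry)
    if m:
        prefix = int(m.group(2))
        if not 1 <= prefix <= 32:            # e = 1-32 per the table
            raise ValueError(f"prefix length out of range in {entry!r}")
        return [ipaddress.ip_network(entry, strict=False)]
    m = RANGE_RE.match(entry)
    if m:
        low = ipaddress.ip_address(m.group(1))
        high = ipaddress.ip_address(m.group(2))
        if low > high:
            raise ValueError(f"range start exceeds end in {entry!r}")
        return list(ipaddress.summarize_address_range(low, high))
    if entry in NETWORK_OBJECTS:
        nets: List[ipaddress.IPv4Network] = []
        for member in NETWORK_OBJECTS[entry]:
            nets.extend(parse_entry(member))
        return nets
    raise ValueError(f"unrecognised network/host entry {entry!r}")


def parse_network_list(text: str) -> List[ipaddress.IPv4Network]:
    """Entries in the Networks field are comma separated."""
    return [net for item in text.split(",") if item.strip()
            for net in parse_entry(item)]


def goes_through_tunnel(tunnel_option: str,
                        networks: List[ipaddress.IPv4Network],
                        destination: str) -> bool:
    """Apply the selected Tunnel Option to one destination address."""
    addr = ipaddress.ip_address(destination)
    listed = any(addr in net for net in networks)
    if tunnel_option == "disabled":           # everything via the appliance
        return True
    if tunnel_option == "tunnel_specified":   # only listed networks tunneled
        return listed
    if tunnel_option == "exclude_specified":  # listed networks go in the clear
        return not listed
    raise ValueError(f"unknown tunnel option {tunnel_option!r}")


DNS_NAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def validate_dns_names(text: str) -> List[str]:
    """DNS Names field: names separated by a single space, whole string no
    longer than 255 characters, only alphanumerics, hyphens and periods."""
    if len(text) > 255:
        raise ValueError("DNS Names string exceeds 255 characters")
    names = text.split(" ")
    for name in names:
        if not DNS_NAME_RE.match(name):
            raise ValueError(f"invalid domain name {name!r}")
    return names


# Constructed network list that uses all four accepted entry formats.
NETWORK_LIST = "10.0.0.0/8, 172.16.5.7, 192.0.2.10-192.0.2.20, branch-printers"

if __name__ == "__main__":
    nets = parse_network_list(NETWORK_LIST)
    for dst in ("10.20.30.40", "198.51.100.1", "192.168.50.9"):
        print(dst,
              "tunnel_specified:", goes_through_tunnel("tunnel_specified", nets, dst),
              "exclude_specified:", goes_through_tunnel("exclude_specified", nets, dst))
```

The same list produces opposite results under Tunnel Specified Traffic and Exclude Specified Traffic, which is why a list written for one option must be reviewed again if the option is later changed: under Exclude, every listed network is traffic that leaves the client unencrypted.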


ASA User Group Dialog Box - General Settings

An Easy VPN, remote access VPN, or SSL VPN session is disconnected if the
client is connected longer than the session timeout, or if it is idle longer than the
idle timeout.
Use this page to configure the connection settings for the ASA user group,
including the banner text.

Navigation Path

Open the ASA User Group Dialog Box, page F-60, select the On Device group
policy source, then select General Settings in the Settings pane.

Related Topics

ASA User Group Dialog Box, page F-60

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

Field Reference

Table F-41 ASA User Group Dialog Box > Connection Settings

Element / Description

Filter ACL
Specifies the Access Control List (ACL) that will be used to restrict
user access to the SSL VPN.
You can click Select to open the Access Control Lists Selector from
which you can make your selection.

Banner Text
The banner, for example a welcome message, that is displayed on
remote clients when they connect. Banner text can be a maximum of
500 characters.

Connection Settings

Access hours
Enables you to enter a time range value that allows VPN access based
on specific times of the day and weekly access.
The time range relies on the system clock of the security appliance;
therefore, the feature works best with NTP synchronization.
Note: Time range is not supported on FWSM or PIX 6.3 devices.
You can click Select to open the Time Ranges Selector from which you
can make your selection. See Understanding Time Range Objects,
page 8-173.

Max Simultaneous Logins
Specifies the number of simultaneous logins allowed for any user.
Values are 0-2147483647. A zero (0) value disables login and
prevents user access. A user group policy can inherit this value from
another user group policy.
Note: While there is no maximum limit to the number of simultaneous
logins, allowing several could compromise security and affect
performance.

Max Connect Time
Enables you to specify the amount of time that the security appliance
should allow for a connection. Options are:

Specified Connection time - When selected, enables you to specify
the connection timeout period. Values are 1-35791394 minutes.

Unlimited Connection time - When selected, permits an unlimited
session timeout period.

Idle Timeout (min)
Enables you to specify the amount of time after which the security
appliance should terminate a connection if there is no communication
activity. Options are:

Specified Timeout - When selected, enables you to specify the idle
timeout period. Values are 1-35791394 minutes.

Unlimited Timeout - When selected, permits an unlimited idle
timeout period.


Categories Page

Use the Categories page to view or edit category objects. Category objects help
you categorize and readily identify rules and other objects.

Navigation Path

Open the Policy Object Manager Window, page F-3, then select Categories from
the Object Type selector.

Related Topics

Understanding Category Objects, page 8-48

Policy Object Manager Window, page F-3

Policy Object Manager Window - Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference

Table F-42 Categories Page

Column / Description

Filter
Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]
The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name
The name of the object.

Display
The category that is assigned to the object.

Description
Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description in
a popup window.

Edit Object button
Opens the Category Editor Dialog Box, page F-88. From here you can
edit the selected category.

Category Editor Dialog Box

Use the Category Editor dialog box to edit a category object. You can edit the
name of the object as well as its description.

Navigation Path

Go to the Categories Page, page F-87 in the Policy Object Manager Window,
page F-3, then click Edit Object beneath the table.

Related Topics

Editing Category Objects, page 8-49

Understanding Category Objects, page 8-48

Policy Object Manager Window, page F-3

Field Reference

Table F-43 Category Editor Dialog Box

Element / Description

Label
The color associated with the category.

Name
The object name (up to 128 characters).

Description
Additional information about the object (up to 1024 characters).

OK button
Saves your changes to the server and closes the dialog box.

Credentials Page

Use the Credentials page to view, create, edit, copy, and delete Credential objects.
Credential objects are used in Easy VPN configuration during IKE Extended
Authentication (Xauth).

Navigation Path

Open the Policy Object Manager Window, page F-3, then select Credentials from
the Object Type selector.

Related Topics

Understanding Credential Objects, page 8-50

Easy VPN and IKE Extended Authentication (Xauth), page 9-122

Policy Object Overrides Window, page F-565

Policy Object Manager Window, page F-3

Policy Object Manager Window - Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference

Table F-44 Credentials Page

Column / Description

Filter
Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]
The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name
The name of the Credentials object.

Username
The name that identifies the user during Xauth authentication.

Category
The category that is assigned to the object. See Categories Page,
page F-87.

Overridable
Indicates whether the global object definition can be overridden by
object values defined at device level. See Allowing a Global Object
to Be Overridden, page 8-198.

Description
Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description in
a popup window.

New Object button
Opens the Credentials Dialog Box, page F-90. From here you can
create a Credentials object.

Edit Object button
Opens the Credentials Dialog Box, page F-90. From here you can
edit the selected Credentials object.
Note: You cannot edit predefined objects.

Delete Object button
Deletes the selected Credentials objects from the table.
Note: You cannot delete an object that is referenced by policies or
other objects.

Credentials Dialog Box

Use the Credentials dialog box to create, copy, and edit Credential objects.

Navigation Path

Go to the Credentials Page, page F-88 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.

Related Topics

Credentials Page, page F-88

Understanding Credential Objects, page 8-50

Creating Credential Objects, page 8-50

Policy Object Manager Window, page F-3

Easy VPN and IKE Extended Authentication (Xauth), page 9-122

Field Reference

Table F-45 Credentials Dialog Box

Element / Description

Name
The Credentials object name (up to 128 characters). Object names are
not case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description
Additional information about the Credentials object (up to 1024
characters).

Username
Enter a name that will be used to identify the user during Xauth
authentication.

Password
Enter an alphanumeric keyword that will serve as the password to
identify the user during Xauth authentication (maximum of 128
characters; spaces are not allowed).

Confirm
Enter the password again to confirm it.

Category
The category assigned to the Credentials object. Categories help you
organize and identify rules and objects. See Categories Page,
page F-87.

Allow Value Override per Device
Allows you to configure different Xauth credentials on the remote
client.
When selected, the global Credentials List object definition defined
here can be overridden at the device level. See Allowing a Global
Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.
Tip: When editing a Credentials object that can be overridden, click
the Edit button to display the Policy Object Overrides Window,
page F-565. From here you can create, edit, and view device-level
overrides.

OK button
Saves your changes to the server and closes the dialog box.


IKE Proposals Page

Use the IKE Proposals page to view, create, edit, or delete IKE proposal objects.
IKE proposal objects contain the parameters required for IKE proposals when
defining remote access and site-to-site VPN policies.

Navigation Path

Open the Policy Object Manager Window, page F-3, then select IKE Proposals
from the Object Type selector.

Related Topics

Configuring an IKE Proposal, page 9-71

IKE Proposal Page, page G-43

Understanding IKE Proposal Objects, page 8-54

Policy Object Manager Window, page F-3

Policy Object Manager Window - Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference

Table F-46 IKE Proposals Page

Column / Description

Filter
Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]
The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name
The name of the object.

Priority
The priority value of the IKE proposal.

Hash
The hash algorithm used in the IKE proposal for authentication.

Encryption
The encryption algorithm used in the IKE proposal.

DH Group
The Diffie-Hellman modulus group used in the IKE proposal.

Lifetime
The lifetime of the security association (SA) defined by this IKE
proposal.

Authentication
The authentication method used in the IKE proposal.

Category
The category that is assigned to the object. See Categories Page,
page F-87.

Description
Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description in
a popup window.

New Object button
Opens the IKE Proposal Dialog Box, page F-93. From here you can
create an IKE proposal object.

Edit Object button
Opens the IKE Proposal Dialog Box, page F-93. From here you can
edit the selected IKE proposal object.
Note: You cannot edit predefined objects.

Delete Object button
Deletes the selected IKE proposals from the table.
Note: You cannot delete an object that is referenced by policies or
other objects.

IKE Proposal Dialog Box


Use the IKE Proposal dialog box to create, copy, and edit an IKE proposal object.
Navigation Path

Go to the IKE Proposals Page, page F-92 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating IKE Proposal Objects, page 8-55

Understanding IKE Proposal Objects, page 8-54

User Guide for Cisco Security Manager 3.1


OL-11501-03

F-93

Appendix F

Policy Object Manager User Interface Reference

IKE Proposals Page

Policy Object Manager Window, page F-3

IPsec Transform Set Dialog Box, page F-424

Field Reference
Table F-47

IKE Proposal Dialog Box

Element

Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).

Priority

The priority value of the IKE proposal. The priority value


determines the order of the IKE proposals compared by the two
negotiating peers when attempting to find a common SA.
Valid values range from 1 to 10000. The lower the number, the
higher the priority.
Note

Encryption Algorithm

If you leave this field blank, Security Manager assigns the


lowest unassigned value starting with 1, then 5, then
continuing in increments of 5.

The encryption algorithm used to establish the Phase 1 SA for


protecting Phase 2 negotiations:

AES-128Encrypts according to the Advanced Encryption


Standard using 128-bit keys.

AES-192Encrypts according to the Advanced Encryption


Standard using 192-bit keys.

AES-256Encrypts according to the Advanced Encryption


Standard using 256-bit keys.

DESEncrypts according to the Data Encryption Standard


using 56-bit keys.

3DESEncrypts three times using 56-bit keys. 3DES is more


secure than DES, but requires more processing for encryption
and decryption. A 3DES license is required to use this option.

User Guide for Cisco Security Manager 3.1

F-94

OL-11501-03

Appendix F

Policy Object Manager User Interface Reference


IKE Proposals Page

Table F-47

IKE Proposal Dialog Box (continued)

Element

Description

Hash Algorithm
    The hash algorithm used in the IKE proposal. The hash algorithm
    creates a message digest, which is used to ensure message
    integrity. Options are:
    - SHA (Secure Hash Algorithm): Produces a 160-bit digest. SHA is
      more resistant to brute-force attacks than MD5.
    - MD5 (Message Digest 5): Produces a 128-bit digest. MD5 uses
      less processing time than SHA.

Modulus Group
    The Diffie-Hellman group to use for deriving a shared secret
    between the two IPsec peers:
    - 1: Diffie-Hellman Group 1 (768-bit modulus).
    - 2: Diffie-Hellman Group 2 (1024-bit modulus).
    - 5: Diffie-Hellman Group 5 (1536-bit modulus).
    - 7: Diffie-Hellman Group 7 (163-bit elliptical curve field size).
    Note: A larger modulus provides higher security but requires more
    processing time. The two peers must have a matching modulus group.

Lifetime
    The lifetime of the SA, in seconds. When the lifetime is exceeded,
    the SA expires and must be renegotiated between the two peers.
    As a general rule, the shorter the lifetime (up to a point), the
    more secure your IKE negotiations will be.


Authentication Method
    The method of authentication to use between the two peers:
    - Preshared Key: Preshared keys allow for a secret key to be
      shared between two peers and used by IKE during the
      authentication phase. If one of the participating peers is not
      configured with the same preshared key, the IKE SA cannot be
      established.
    - Certificate: An authentication method in which RSA key pairs
      are used to sign and encrypt IKE key management messages. This
      method provides non-repudiation of communication between two
      peers, meaning that it can be proved that the communication
      actually took place. When you use this authentication method,
      the peers are configured to obtain digital certificates from a
      Certification Authority (CA).

Category
    The category assigned to the object. Categories help you organize
    and identify rules and objects. See Categories Page, page F-87.

OK button
    Saves your changes to the server and closes the dialog box.
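The priority assignment and priority-ordered negotiation that Table F-47
describes, worked through in Python as an added example (not Security
Manager code). It assumes that the two peers compare encryption, hash,
modulus group and authentication method, that the shorter of the two
lifetimes is the one used, and that the proposal names are constructed.

```python
"""Added example, not Security Manager code: models the IKE Proposal
dialog of Table F-47 and two behaviours it describes: automatic
priority assignment (lowest unassigned value: 1, then 5, then steps
of 5) and Phase 1 negotiation in priority order (lower number first).
Assumptions: peers compare encryption, hash, modulus group and
authentication method; the shorter of the two lifetimes is used."""
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

# Options offered by the dialog, as listed in Table F-47.
ENCRYPTION = ("AES-128", "AES-192", "AES-256", "DES", "3DES")
HASHES = ("SHA", "MD5")
MODULUS_GROUPS = (1, 2, 5, 7)
AUTH_METHODS = ("Preshared Key", "Certificate")


@dataclass(frozen=True)
class IKEProposal:
    name: str
    encryption: str
    hash_alg: str
    modulus_group: int
    lifetime: int                    # seconds
    auth: str
    priority: Optional[int] = None   # None = field left blank

    def __post_init__(self):
        valid = (self.encryption in ENCRYPTION and self.hash_alg in HASHES
                 and self.modulus_group in MODULUS_GROUPS
                 and self.auth in AUTH_METHODS)
        if not valid:
            raise ValueError(f"{self.name}: option not offered by the dialog")
        if self.priority is not None and not 1 <= self.priority <= 10000:
            raise ValueError(f"{self.name}: priority must be 1..10000")

    def params(self) -> Tuple[str, str, int, str]:
        """What the peers compare; name, priority and lifetime are local."""
        return (self.encryption, self.hash_alg, self.modulus_group, self.auth)


def next_free_priority(assigned: Set[int]) -> int:
    """Lowest unassigned value from the sequence 1, 5, 10, 15, ..."""
    candidate = 1
    while candidate in assigned:
        candidate = 5 if candidate == 1 else candidate + 5
        if candidate > 10000:
            raise ValueError("no unassigned priority left in 1..10000")
    return candidate


def assign_priorities(proposals: List[IKEProposal]) -> List[IKEProposal]:
    """Fill in blank priorities as the dialog does; explicit ones stay."""
    assigned = {p.priority for p in proposals if p.priority is not None}
    filled = []
    for p in proposals:
        if p.priority is None:
            prio = next_free_priority(assigned)
            assigned.add(prio)
            p = replace(p, priority=prio)
        filled.append(p)
    return filled


def negotiate(local: List[IKEProposal],
              remote: List[IKEProposal]) -> Optional[Tuple[IKEProposal, int]]:
    """Walk the local proposals lowest number first and return the first
    one the remote peer also offers, with the negotiated lifetime
    (assumed: the shorter of the two), or None when there is no match."""
    remote_by_params = {r.params(): r for r in remote}
    for p in sorted(assign_priorities(local), key=lambda p: p.priority):
        r = remote_by_params.get(p.params())
        if r is not None:
            return p, min(p.lifetime, r.lifetime)
    return None


def weak_choices(p: IKEProposal) -> List[str]:
    """Options that Table F-47 itself ranks below their alternatives."""
    reasons = []
    if p.encryption == "DES":
        reasons.append("DES: the table rates 3DES as more secure than DES")
    if p.hash_alg == "MD5":
        reasons.append("MD5: SHA is more resistant to brute-force attacks")
    if p.modulus_group == 1:
        reasons.append("group 1: 768-bit modulus, the smallest offered")
    return reasons


if __name__ == "__main__":
    # Constructed sample: one proposal left blank, one given priority 20.
    ours = [IKEProposal("aes-cert", "AES-256", "SHA", 5, 28800, "Certificate"),
            IKEProposal("legacy", "3DES", "SHA", 2, 86400, "Preshared Key", 20)]
    peer = [IKEProposal("peer-3des", "3DES", "SHA", 2, 43200, "Preshared Key", 10)]
    print([(p.name, p.priority) for p in assign_priorities(ours)])
    print(negotiate(ours, peer))
```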

DNS Class Maps Page


Use the DNS Class Maps page to define DNS class maps for DNS inspection.
From this page, you can add, edit, and delete objects, and edit policy override
settings. You can also generate usage reports of policies that use the object.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4


Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference

Table F-48  DNS Class Maps Page

Filter
    Filters the information displayed in the table. Click the arrow to
    display the filtering bar, which enables you to set filtering
    parameters. See Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked
    with a star indicate user-defined objects that may be modified.
    Icons without a star indicate predefined objects that cannot be
    modified. The icon is displayed after the object is defined.

Name
    Shows the name of the DNS class map. Names can be sorted in
    ascending or descending order.

Criterion
    Shows the criterion of the DNS class map.

Type
    Shows the match type, which can be a positive or negative match.

Value
    Shows the value to match in the DNS class map.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding. See
    Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden
    by object values defined at device level. See Allowing a Global
    Object to Be Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point
    at the icon to display a tooltip with the text of the description.
    Descriptions help you identify a policy.
    Tip: Double-click the icon to display the text of the description
    in a popup window.

Add Object button
    Enables you to create an object. See Creating DNS Class Map
    Objects, page 8-59.


Edit Object button
    Enables you to edit the selected object. See Editing Objects,
    page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in
    a rule or nested within another object, you are prompted to modify
    or delete the reference before the deletion can occur. See
    Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Add and Edit DNS Class Maps Dialog Boxes


Use the Add and Edit DNS Traffic Class Map dialog boxes to define a DNS class
map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object, or right-click a row, then select
Edit Object.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59

Field Reference

Table F-49  Add and Edit DNS Class Maps Dialog Boxes

Name*
    Enables you to enter the name of the DNS class map. A maximum of
    40 characters is allowed.

Description
    Enables you to enter the description of the DNS class map. A
    maximum of 200 characters is allowed.


Match All Table

Criterion
    Shows the criterion of DNS traffic to match.

Type
    Shows the match type, which can be a positive or negative match.

Value
    Shows the value to match in the DNS class map.

New Object button
    Enables you to create an object. See Creating DNS Class Map
    Objects, page 8-59.

Edit Object button
    Enables you to edit the selected object. See Editing Objects,
    page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in
    a rule or nested within another object, you are prompted to modify
    or delete the reference before the deletion can occur. See
    Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding. See
    Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    Allows you to configure different Xauth credentials on the remote
    client.
    When selected, the global Credentials List object definition
    defined here is changed at the device level. See Allowing a Global
    Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing a Credentials object that can be overridden,
    click the Edit button to display the Policy Object Overrides
    Window, page F-565. From here you can create, edit, and view
    device-level overrides.


Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information,
    see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not
    automatically set overrides.

OK button
    Saves your changes to the server and closes the page.

1. An asterisk indicates that the field is required.

Add and Edit Match Criterion Dialog Boxes


Use the Add and Edit Match Criterion dialog boxes to define the match criterion
and value for the DNS class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select Add Row or right-click a row, then select Edit Row.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59


Field Reference

Table F-50  Add and Edit Match Criterion Dialog Boxes

Criterion
    Specifies which criterion of DNS traffic to match:
    - DNS Class: Matches a DNS query or resource record class. For a
      description of the GUI elements, see Table F-51.
    - DNS Type: Matches a DNS query or resource record type. For a
      description of the GUI elements, see Table F-52.
    - Domain Name: Matches a domain name from a DNS query or resource
      record. For a description of the GUI elements, see Table F-53.
    - Header Flag: Matches a DNS flag in the header. Header Flag
      criterion values specify the value details for the DNS header
      flag match. For a description of the GUI elements, see
      Table F-54.
    - Question: Matches a DNS question. For a description of the GUI
      elements, see Table F-55.
    - Resource Record: Matches a DNS resource record. For a
      description of the GUI elements, see Table F-56.

Type
    Specifies whether the class map includes traffic that matches the
    criterion, or traffic that does not match the criterion. For
    example, if Doesn't Match is selected on the string example.com,
    then any traffic that contains example.com is excluded from the
    class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Internet.
    - DNS Class Field Value: Enables you to enter an arbitrary value
      to match between 0 and 65535.
    - DNS Class Field Range: Enables you to enter a range of values
      to match between 0 and 65535.

OK button
    Saves your changes to the server and closes the dialog box.


Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Class
Select DNS Class to match a DNS query or resource record class.

Note

The table includes default map settings that cannot be edited or deleted.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit DNS Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select DNS Class as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59

Field Reference

Table F-51  Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Class

Criterion
    Shows DNS Class as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the
    criterion, or traffic that does not match the criterion. For
    example, if Doesn't Match is selected on the string example.com,
    then any traffic that contains example.com is excluded from the
    class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.


Value
    - Internet.
    - DNS Class Field Value: Enables you to enter an arbitrary value
      between 0 and 65535 to match.
    - DNS Class Field Range: Enables you to enter a range match. Both
      values must be between 0 and 65535.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Type
Select DNS Type to match a DNS query or resource record type.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit DNS Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select DNS Type as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59


Field Reference

Table F-52  Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Type

Criterion
    Shows DNS Type as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the
    criterion, or traffic that does not match the criterion. For
    example, if Doesn't Match is selected on the string example.com,
    then any traffic that contains example.com is excluded from the
    class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - DNS Type Field Name: Lists the DNS types to select.
      A: IPv4 address
      AXFR: Full (zone) transfer
      CNAME: Canonical name
      IXFR: Incremental (zone) transfer
      NS: Authoritative name server
      SOA: Start of a zone of authority
      TSIG: Transaction signature
    - DNS Type Field Value: Lets you enter an arbitrary value between
      0 and 65535 to match.
    - DNS Type Field Range: Lets you enter a range of values to match
      between 0 and 65535.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit DNS Class Map > Add and Edit Match Criterion > Domain Name
Select Domain Name to match on the DNS domain name.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select

Edit Object. The Add or Edit DNS Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Domain Name as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59

Field Reference

Table F-53  Add and Edit DNS Class Map > Add and Edit Match Criterion > Domain Name

Criterion
    Shows Domain Name as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the
    criterion, or traffic that does not match the criterion. For
    example, if Doesn't Match is selected on the string example.com,
    then any traffic that contains example.com is excluded from the
    class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to
      match. You can configure Regular Expressions for use in pattern
      matching. Enter the information in the field provided or click
      Select, which opens a list of available regular expressions
      from which to make your selection.
      Regular expressions that start with "default" are default
      regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression
      classes to match. Enter the information in the field provided
      or click Select, which opens a list of available regular
      expressions from which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit DNS Class Map > Add and Edit Match Criterion > Header Flag
Select Header Flag to specify the value details for the DNS header flag match.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit DNS Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Header Flag as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59

Field Reference

Table F-54  Add and Edit DNS Class Map > Add and Edit Match Criterion > Header Flag

Criterion
    Shows Header Flag as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the
    criterion, or traffic that does not match the criterion. For
    example, if Doesn't Match is selected on the string example.com,
    then any traffic that contains example.com is excluded from the
    class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Options
    - Equals: Specifies an exact match.
    - Contains: Specifies to match all bits (bit mask match).


Value
    - Header Flag Name: Lets you select one or more header flag names
      to match.
      AA (authoritative answer)
      QR (query)
      RA (recursion available)
      RD (recursion denied)
      TC (truncation) flag bits
    - Header Flag Value (0x): Lets you enter an arbitrary 16-bit value
      in hex to match.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit DNS Class Map > Add and Edit Match Criterion > Question
Select Question to match a DNS question section.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit DNS Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Question as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59


Field Reference

Table F-55  Add and Edit DNS Class Map > Add and Edit Match Criterion > Question

Criterion
    Shows Question as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the
    criterion, or traffic that does not match the criterion. For
    example, if Doesn't Match is selected on the string example.com,
    then any traffic that contains example.com is excluded from the
    class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit DNS Class Map > Add and Edit Match Criterion > Resource Record
Select Resource Record to match a DNS resource record.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > DNS Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit DNS Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Resource Record as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Class Map Objects, page 8-59


Field Reference

Table F-56  Add and Edit DNS Class Map > Add and Edit Match Criterion > Resource Record

Criterion
    Shows Resource Record as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the
    criterion, or traffic that does not match the criterion. For
    example, if Doesn't Match is selected on the string example.com,
    then any traffic that contains example.com is excluded from the
    class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Resource Record
    Lists the sections to match:
    - Additional: DNS additional resource record
    - Answer: DNS answer resource record
    - Authority: DNS authority resource record

OK button
    Saves your changes to the server and closes the dialog box.
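The DNS match criteria of Tables F-50 through F-56, applied to a
constructed DNS message in Python as an added example (not Security
Manager or ASA code). It assumes that the rows of a class map combine
with AND (the Match All table), that Domain Name uses Python re syntax
in place of the product's regular expression objects, that Question
means the message carries a question section, and that Resource Record
means the named section has at least one record (read from the header
counts).

```python
"""Added example, not Security Manager or ASA code: evaluates DNS class
map criteria (Tables F-50 to F-56) against a DNS message. Assumptions:
criteria combine with AND (Match All); Domain Name uses Python re
syntax; Question = message has a question section; Resource Record =
the named section has at least one record, per the header counts."""
import re
import struct
from dataclasses import dataclass
from typing import Any, List, Optional

# Header flag bits (RFC 1035 section 4.1.1), named as in Table F-54.
HEADER_FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200,
                "RD": 0x0100, "RA": 0x0080}
# Resource Record sections (Table F-56) mapped to header count fields.
SECTION_COUNT = {"Answer": "ancount", "Authority": "nscount",
                 "Additional": "arcount"}


@dataclass
class DNSMessage:
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int
    qname: Optional[str] = None    # first question, if there is one
    qtype: Optional[int] = None
    qclass: Optional[int] = None


def parse_dns(data: bytes) -> DNSMessage:
    """Parse the 12-byte header and, when qdcount > 0, the first question."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    msg = DNSMessage(flags, qd, an, ns, ar)
    if qd:
        labels, pos = [], 12
        while True:
            if pos >= len(data):
                raise ValueError("truncated question name")
            n = data[pos]
            pos += 1
            if n == 0:
                break
            if n & 0xC0:
                raise ValueError("compression pointer in question name")
            labels.append(data[pos:pos + n].decode("ascii"))
            pos += n
        if pos + 4 > len(data):
            raise ValueError("truncated question")
        msg.qname = ".".join(labels)
        msg.qtype, msg.qclass = struct.unpack("!HH", data[pos:pos + 4])
    return msg


@dataclass
class Criterion:
    kind: str              # DNS Class, DNS Type, Domain Name, Header Flag,
                           # Question, Resource Record
    value: Any = None      # int, (low, high) range, regex, flag names or
                           # 0x mask, or a section name
    matches: bool = True   # Type column: Matches / Doesn't Match
    option: str = "Equals" # Header Flag only: Equals (exact) or Contains


def _value_or_range(field: Optional[int], value: Any) -> bool:
    if field is None:
        return False
    if isinstance(value, tuple):          # ... Field Range
        low, high = value
        return low <= field <= high
    return field == value                 # ... Field Value


def _holds(c: Criterion, msg: DNSMessage) -> bool:
    """Raw result of one row, before Matches / Doesn't Match is applied."""
    if c.kind == "DNS Class":
        return _value_or_range(msg.qclass, c.value)
    if c.kind == "DNS Type":
        return _value_or_range(msg.qtype, c.value)
    if c.kind == "Domain Name":
        return msg.qname is not None and re.search(c.value, msg.qname) is not None
    if c.kind == "Header Flag":
        mask = c.value if isinstance(c.value, int) else sum(HEADER_FLAGS[n] for n in c.value)
        if c.option == "Equals":
            return msg.flags == mask            # exact match
        return (msg.flags & mask) == mask       # Contains: all selected bits set
    if c.kind == "Question":
        return msg.qdcount > 0
    if c.kind == "Resource Record":
        return getattr(msg, SECTION_COUNT[c.value]) > 0
    raise ValueError(f"unknown criterion {c.kind!r}")


def class_map_matches(criteria: List[Criterion], data: bytes) -> bool:
    """Match All: every row must hold after its Matches / Doesn't Match type."""
    msg = parse_dns(data)
    return all(_holds(c, msg) == c.matches for c in criteria)


def build_query(name: str, qtype: int, qclass: int = 1, flags: int = 0x0100) -> bytes:
    """Constructed sample input: a one-question DNS message (RD set by default)."""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)
```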

FTP Class Maps Page


Use the FTP Class Maps page to define FTP class maps for FTP inspection. From
this page, you can add, edit, and delete objects, and edit policy override settings.
You can also generate usage reports of policies that use the object.
An inspection class map matches application traffic with criteria specific to the
application. You then identify the class map in the inspect map and enable actions.
The difference between creating a class map and defining the traffic match
directly in the inspect map is that you can create more complex match criteria and
you can reuse class maps.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector.


Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference

Table F-57  FTP Class Maps Page

Filter
    Filters the information displayed in the table. Click the arrow to
    display the filtering bar, which enables you to set filtering
    parameters. See Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked
    with a star indicate user-defined objects that may be modified.
    Icons without a star indicate predefined objects that cannot be
    modified. The icon is displayed after the object is defined.

Name
    Shows the name of the FTP class map. Names can be shown in
    ascending or descending order.

Criterion
    Shows the criterion of the FTP class map.

Type
    Shows the match type, which can be a positive or negative match.

Value
    Shows the value to match in the FTP class map.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding. See
    Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden
    by object values defined at device level. See Allowing a Global
    Object to Be Overridden, page 8-198.


Description
    Displays an icon if a description is defined for the object. Point
    at the icon to display a tooltip with the text of the description.
    Descriptions help you identify a policy.
    Tip: Double-click the icon to display the text of the description
    in a popup window.

New Object button
    Enables you to create an object. See Creating FTP Class Map
    Objects, page 8-61.

Edit Object button
    Enables you to edit the selected object. See Editing Objects,
    page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in
    a rule or nested within another object, you are prompted to modify
    or delete the reference before the deletion can occur. See
    Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Add and Edit FTP Class Map Dialog Boxes


Use the Add and Edit FTP Class Map dialog boxes to define an FTP class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61


Field Reference

Table F-58  Add and Edit FTP Class Map Dialog Boxes

Name*
    Identifies the name of the FTP class map. A maximum of
    40 characters is allowed.

Description
    Enables you to add a description for the class map. A maximum of
    200 characters is allowed.

Match All Table

Criterion
    Shows the criterion of the FTP traffic to match.

Type
    Shows the match type, which can be a positive or negative match.

Value
    Shows the value to match in the FTP class map.

New Object button
    Enables you to create an object. See Creating FTP Class Map
    Objects, page 8-61.

Edit Object button
    Enables you to edit the selected object. See Editing Objects,
    page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in
    a rule or nested within another object, you are prompted to modify
    or delete the reference before the deletion can occur. See
    Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding. See
    Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.


Allow Value Override per Device
    Allows you to configure different Xauth credentials on the remote
    client.
    When selected, the global Credentials List object definition
    defined here is changed at the device level. See Allowing a Global
    Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing a Credentials object that can be overridden,
    click the Edit button to display the Policy Object Overrides
    Window, page F-565. From here you can create, edit, and view
    device-level overrides.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information,
    see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not
    automatically set overrides.

OK button
    Saves your changes to the server and closes the page.

1. An asterisk indicates that the field is required.

Add and Edit FTP Class Map > Add and Edit Match Criterion Dialog Boxes
Use the Add and Edit FTP Match Criterion dialog boxes to define the match
criterion and value for the FTP class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit FTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row.


Note

The Add Match Criterion dialog boxes open with Request Command criterion
displayed by default.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-59  Add and Edit FTP Class Map > Add and Edit Match Criterion Dialog Boxes

Criterion
    Specifies which criterion of FTP traffic to match:
    - Request Command: Matches an FTP request command. For a
      description of the GUI elements, see Table F-60.
    - Filename: Matches a filename for FTP transfer. For a
      description of the GUI elements, see Table F-61.
    - File Type: Matches a file type for FTP transfer. For a
      description of the GUI elements, see Table F-62.
    - Server: Matches an FTP server. For a description of the GUI
      elements, see Table F-63.
    - Username: Matches an FTP user. For a description of the GUI
      elements, see Table F-64.

Type
    Specifies whether the class map includes traffic that matches or
    that does not match the criterion. For example, if Doesn't Match
    is selected on the string example.com, then any traffic that
    contains example.com is excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Request Commands
    Specifies which request commands to match. For a description of
    the GUI elements, see Table F-60.

OK button
    Saves your changes to the server and closes the dialog box.


Add and Edit FTP Class Map > Add and Edit Match Criterion > Request Command
Select Request Command to base the match on one or more request
commands.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit FTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row.

Note

The Add Match Criterion dialog boxes open with Request Command criterion
displayed by default.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-60  Add and Edit Match Criterion > Request Command

Criterion
    Shows Request Command as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or
    that does not match the criterion. For example, if Doesn't Match
    is selected on the string example.com, then any traffic that
    contains example.com is excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Request Commands
    Append (APPE): Appends to a file.
    Delete (DELE): Deletes a file at the server site.


Help

(HELP)Provides help information from the server.

Put

(PUT)FTP client command for the stor (store a file) command.

Rename From

(RNFR)Specifies rename-from filename.

Server Specific Command

(SITE)Specifies commands that are server specific. Usually used


for remote administration.

Change to Parent

(CDUP)Changes to the parent directory of the current working


directory.

Get

(GET)FTP client command for the retr (retrieve a file) command.

Create Directory

(MKD)Creates a directory.

Remove Directory

(RMD)Removes a directory.

Rename To

(RNTO)Specifies rename-to filename.

Store File with Unique Name

(STOU)Stores a file with a unique filename.

OK button

Saves your changes to the server and closes the dialog box.
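The following is an added example, not code from the Cisco Security Manager guide or from the product: a small model of how a class map built on the Request Command criterion of Table F-60 classifies the client commands of an FTP control-channel session. The GUI command names come from the table; the parser, the evaluator and the sample session are constructed here for illustration.

```python
"""Added example (not from the Cisco Security Manager guide): a toy model of
an FTP class map built on the Request Command criterion of Table F-60.  The
command names follow the table; the parser, the class-map evaluator and the
sample control-channel session are constructed here for illustration and are
not CSM or ASA code."""
from typing import Dict, List, Tuple

# GUI name -> FTP wire verb, as listed in Table F-60.  Put and Get are shown
# in the table as the client-side names for the STOR and RETR wire commands.
REQUEST_COMMANDS: Dict[str, str] = {
    "Append": "APPE", "Delete": "DELE", "Help": "HELP", "Put": "STOR",
    "Rename From": "RNFR", "Server Specific Command": "SITE",
    "Change to Parent": "CDUP", "Get": "RETR", "Create Directory": "MKD",
    "Remove Directory": "RMD", "Rename To": "RNTO",
    "Store File with Unique Name": "STOU",
}
VERB_TO_NAME = {verb: name for name, verb in REQUEST_COMMANDS.items()}


def parse_client_commands(session: str) -> List[Tuple[str, str]]:
    """Extract (verb, argument) pairs from the client side of an FTP control
    channel transcript.  Lines beginning with a 3-digit code are server
    replies and are skipped; verbs are upper-cased because FTP treats them
    case-insensitively."""
    commands = []
    for line in session.splitlines():
        line = line.strip()
        if not line or (len(line) >= 3 and line[:3].isdigit()):
            continue
        verb, _, arg = line.partition(" ")
        commands.append((verb.upper(), arg))
    return commands


def command_matches(verb: str, selected: List[str], matches: bool) -> bool:
    """Apply one Request Command criterion row.  `selected` holds GUI names
    from Table F-60; `matches` is the Type column (True = Matches, False =
    Doesn't Match, which excludes traffic carrying any selected command)."""
    hit = VERB_TO_NAME.get(verb) in selected
    return hit if matches else not hit


def classify_session(session: str, selected: List[str],
                     matches: bool) -> List[Tuple[str, bool]]:
    """Return each client command with whether it falls in the class map."""
    return [(verb, command_matches(verb, selected, matches))
            for verb, _ in parse_client_commands(session)]


# Constructed sample session (not captured traffic).
SAMPLE_SESSION = """\
220 ftp.example.com FTP server ready
USER analyst
331 Password required
PASS ********
230 Login successful
CWD /reports
250 Directory changed
retr q3.pdf
226 Transfer complete
SITE CHMOD 600 q3.pdf
200 SITE command ok
DELE old.pdf
250 Delete operation successful
QUIT
221 Goodbye
"""


def demo() -> List[str]:
    """Commands placed in a class map whose Type is Matches and whose selected
    request commands are the destructive and server-administration ones."""
    selected = ["Delete", "Remove Directory", "Server Specific Command",
                "Rename From", "Rename To"]
    return [verb for verb, in_map
            in classify_session(SAMPLE_SESSION, selected, True) if in_map]


if __name__ == "__main__":
    print(demo())   # ['SITE', 'DELE']
```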

Add and Edit FTP Class Map > Add and Edit Match Criterion > Filename
Select File Name to base the match on the FTP transfer filename.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit FTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Filename as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61


Field Reference

Table F-61 Add and Edit Match Criterion > Filename

Criterion: Shows Filename as the selected criterion.

Type: Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value:
- Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. You can configure Regular Expressions for use in pattern matching. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Add and Edit FTP Class Map > Add and Edit Match Criterion > File Type
Select File Type to base the match on the FTP transfer file type.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit FTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select File Type as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-62 Add and Edit Match Criterion > File Type

Criterion: Shows File Type as the selected criterion.

Type: Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value:
- Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.


Add and Edit FTP Class Map > Add and Edit Match Criterion > Server
Select Server to base the match on the FTP server.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector. Right-click inside
the work area, then click New Object or right-click a row, then select
Edit Object. The Add or Edit FTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Server as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-63 Add and Edit Match Criterion > Server

Criterion: Shows Server as the selected criterion.

Type: Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value:
- Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Add and Edit FTP Class Map > Add and Edit Match Criterion > Username
Select Username to base the match on the FTP user.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > FTP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit FTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Username as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61


Field Reference

Table F-64 Add and Edit Match Criterion > Username

Criterion: Shows Username as the selected criterion.

Type: Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value:
- Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

HTTP Class Maps Page


Use the HTTP Class Maps page to define HTTP class maps for HTTP inspection.
From this page, you can add, edit, and delete objects, and edit policy override
settings. You can also generate usage reports of policies that use the object.


An inspection class map matches application traffic with criteria specific to the
application. You then identify the class map in the inspect map and enable actions.
The difference between creating a class map and defining the traffic match
directly in the inspect map is that you can create more complex match criteria and
you can reuse class maps.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference

Table F-65 HTTP Class Maps Page

Filter: Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

[Icon]: Displays the icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name: Shows the name of the HTTP class map. Names can be shown in ascending or descending order.

Criterion: Shows the criterion of the HTTP class map.

Type: Shows the match type, which can be a positive or negative match.

Value: Shows the value to match in the HTTP class map.

Category: Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Overridable: Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

Description: Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify a policy.
Tip: Double-click the icon to display the text of the description in a popup window.

New Object button: Enables you to create an object. See Creating HTTP Class Map Objects, page 8-63.

Edit Object button: Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button: Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object used in a rule or within another object cannot be deleted.

Add and Edit HTTP Class Map Dialog Boxes


Use the Add and Edit HTTP Traffic Class Map dialog boxes to define an HTTP
class map.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference

Table F-66 Add and Edit HTTP Class Map Dialog Boxes

Name*: Identifies the name of the HTTP class map. A maximum of 40 characters is allowed.

Description: Enables you to enter the description of the HTTP class map. A maximum of 200 characters is allowed.

Match All Table:
- Criterion: Shows the criterion of the HTTP class map.
- Type: Shows the match type, which can be a positive or negative match.
- Value: Shows the value to match in the HTTP class map.
- New Object button: Enables you to create an object. See Creating HTTP Class Map Objects, page 8-63.
- Edit Object button: Enables you to edit the selected object. See Editing Objects, page 8-10.
- Delete Object button: Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
  Note: An object used in a rule or within another object cannot be deleted.

Category: Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Allow Value Override per Device: Allows you to configure different Xauth credentials on the remote client. When selected, the global Credentials List object definition defined here is changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198. When deselected, does not allow the global object definition to be overridden.
Tip: When editing a Credentials object that can be overridden, click the Edit button to display the Policy Object Overrides Window, page F-565. From here you can create, edit, and view device-level overrides.

Overrides: None: Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button: Saves your changes to the server and closes the page.

An asterisk (*) indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion
Dialog Boxes
Use the Add and Edit HTTP Match Criterion dialog boxes to define the match
criterion and value for the HTTP class map.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference

Table F-67 Add and Edit HTTP Class Map Match Criterion Dialog Boxes

Criterion: Specifies which criterion of HTTP traffic to match. For a description of the GUI elements of each criterion, see the table cited with it.
- Request/Response Content Type Mismatch: Specifies that the content type in the response must match one of the MIME types in the accept field of the request. (Table F-68)
- Request Arguments: Applies the regular expression match to the arguments of the request. (Table F-69)
- Request Body: Applies the regular expression match to the body of the request. (Table F-70)
- Request Body Length: Applies the regular expression match to the body of the request with field length greater than the bytes specified. (Table F-71)
- Request Header Count: Applies the regular expression match to the header of the request with a maximum number of headers. (Table F-72)
- Request Header Length: Applies the regular expression match to the header of the request with length greater than the bytes specified. (Table F-73)
- Request Header Field: Applies the regular expression match to the header of the request. (Table F-74)
- Request Header Field Count: Applies the regular expression match to the header of the request with a maximum number of header fields. (Table F-75)
- Request Header Field Length: Applies the regular expression match to the header of the request with field length greater than the bytes specified. (Table F-76)
- Request Header Content Type: Applies the content type for the request header. (Table F-77)
- Request Header Transfer Encoding: Applies the transfer encoding for the request header. (Table F-78)
- Request Header Non-ASCII: Matches non-ASCII characters in the header of the request. (Table F-79)
- Request Method: Applies the regular expression match to the method of the request. (Table F-80)
- Request URI: Applies the regular expression match to the URI of the request. (Table F-81)
- Request URI Length: Applies the regular expression match to the URI of the request with length greater than the bytes specified. (Table F-82)
- Response Body ActiveX: Specifies to match on ActiveX. (Table F-83)
- Response Body Java Applet: Specifies to match on a Java Applet. (Table F-84)
- Response Body: Applies the regular expression match to the body of the response. (Table F-85)
- Response Body Length: Applies the regular expression match to the body of the response with field length greater than the bytes specified. (Table F-86)
- Response Header Count: Applies the regular expression match to the header of the response with a maximum number of headers. (Table F-87)
- Response Header Length: Applies the regular expression match to the header of the response with field length greater than the bytes specified. (Table F-88)
- Response Header Field: Applies the regular expression match to the header of the response. (Table F-89)
- Response Header Field Count: Applies the regular expression match to the header of the response with a maximum number of header fields. (Table F-90)
- Response Header Field Length: Applies the regular expression match to the header of the response with field length greater than the bytes specified. (Table F-91)
- Response Header Content Type: Applies the content type for the response header. (Table F-92)
- Response Header Transfer Encoding: Applies the transfer encoding for the response header. (Table F-93)
- Response Header Non-ASCII: Matches non-ASCII characters in the header of the response. (Table F-94)
- Response Status Line: Applies the regular expression match to the status line. (Table F-95)

Type: Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

OK button: Saves your changes to the server and closes the dialog box.
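The following is an added example, not code from the Cisco Security Manager guide or from the product: a small model of how an HTTP class map built from a subset of the criteria in Table F-67 (content type mismatch against the Accept field, body length and header count thresholds, regular expressions on method and URI) classifies one request/response pair, including the Matches / Doesn't Match semantics of the Type column. The evaluator, the header-name conventions and the sample exchange are constructed here for illustration.

```python
"""Added example (not from the Cisco Security Manager guide): a small model of
how an HTTP class map built from the criteria in Table F-67 classifies one
request/response pair.  Criterion names and the Matches / Doesn't Match
semantics follow the guide; the evaluator and the sample exchange are
constructed here for illustration and are not CSM or ASA code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]   # header names lower-cased (assumption of this model)
    body: bytes = b""


@dataclass
class HttpResponse:
    status_line: str
    headers: Dict[str, str]
    body: bytes = b""


@dataclass
class Criterion:
    """One row of the Match All table: the Criterion, Type and Value columns."""
    name: str
    matches: bool = True      # Type: True = Matches, False = Doesn't Match
    value: object = None      # regular expression, or a Greater Than threshold


def content_type_mismatch(req: HttpRequest, resp: HttpResponse) -> bool:
    """True when the response Content-Type is not one of the MIME types the
    request offered in its Accept field (the condition Table F-68 detects)."""
    offered = [t.split(";")[0].strip().lower()
               for t in req.headers.get("accept", "*/*").split(",")]
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    for acc in offered:
        major, _, minor = acc.partition("/")
        if acc == "*/*" or acc == ctype or (minor == "*" and ctype.startswith(major + "/")):
            return False
    return True


def raw_condition(c: Criterion, req: HttpRequest, resp: HttpResponse) -> bool:
    """Evaluate a criterion before its Type (Matches / Doesn't Match) is
    applied.  Only a subset of Table F-67 is modelled; other names raise."""
    if c.name == "Request/Response Content Type Mismatch":
        return content_type_mismatch(req, resp)
    if c.name == "Request Method":
        return re.search(c.value, req.method) is not None
    if c.name == "Request URI":
        return re.search(c.value, req.uri) is not None
    if c.name == "Request Arguments":
        return re.search(c.value, req.uri.partition("?")[2]) is not None
    if c.name == "Request Body":
        return re.search(c.value.encode(), req.body) is not None
    if c.name == "Request Body Length":      # Greater Than Length, in bytes
        return len(req.body) > c.value
    if c.name == "Request Header Count":     # Greater Than Count
        return len(req.headers) > c.value
    if c.name == "Response Status Line":
        return re.search(c.value, resp.status_line) is not None
    if c.name == "Response Body Length":
        return len(resp.body) > c.value
    raise ValueError(f"criterion not modelled in this example: {c.name}")


def evaluate(class_map: List[Criterion], req: HttpRequest, resp: HttpResponse) -> bool:
    """Match All semantics: the traffic is in the class map only if every row
    holds.  A Doesn't Match row inverts its condition, so a Doesn't Match row
    on example.com excludes any traffic that contains example.com."""
    return all(raw_condition(c, req, resp) == c.matches for c in class_map)


# Constructed sample exchange (not captured traffic).
SAMPLE_REQ = HttpRequest(
    method="POST", uri="/upload?file=report.pdf",
    headers={"host": "intranet.example.com", "accept": "text/html, image/*",
             "content-type": "application/octet-stream"},
    body=b"x" * 2048)
SAMPLE_RESP = HttpResponse(
    status_line="HTTP/1.1 200 OK",
    headers={"content-type": "application/x-msdownload"},
    body=b"MZ" + b"\x00" * 100)

# Class map: a POST larger than 1024 bytes whose response type was never
# offered in Accept, excluding requests whose URI names an .exe file.
EXAMPLE_CLASS_MAP = [
    Criterion("Request Method", True, r"^POST$"),
    Criterion("Request Body Length", True, 1024),
    Criterion("Request/Response Content Type Mismatch", True),
    Criterion("Request URI", False, r"\.exe(\?|$)"),   # Type = Doesn't Match
]


def demo() -> Tuple[bool, bool]:
    """(class map hit on the sample, hit after shrinking the body to 100 bytes)."""
    small = HttpRequest(SAMPLE_REQ.method, SAMPLE_REQ.uri, SAMPLE_REQ.headers, b"x" * 100)
    return (evaluate(EXAMPLE_CLASS_MAP, SAMPLE_REQ, SAMPLE_RESP),
            evaluate(EXAMPLE_CLASS_MAP, small, SAMPLE_RESP))


if __name__ == "__main__":
    print(demo())   # (True, False)
```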

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request/Response Content Type Mismatch
Select Request/Response Content Type Mismatch to specify that the content type
in the response must match one of the MIME types in the accept field of the
request.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request/Response Content Type Mismatch as your
criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference

Table F-68 Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request/Response Content Type Mismatch

Criterion: Shows Request/Response Content Type Mismatch as the selected criterion of HTTP traffic to match.

Type: Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

OK button: Saves your changes to the server and closes the dialog box.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Arguments
Select Request Arguments to apply the regular expression match to the arguments
of the request.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then click Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Arguments as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference

Table F-69 Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Arguments

Criterion: Shows Request Arguments as the selected criterion of HTTP traffic to match.

Type: Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value:
- Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Body
Select Request Body to apply the regular expression match to the body of the
request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Body as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63


Field Reference

Table F-70 Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Body

Criterion: Shows Request Body as the selected criterion of HTTP traffic to match.

Type: Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value:
- Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with _default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Body Length
Select Request Body Length to apply the regular expression match to the body of
the request with field length greater than the bytes specified.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Body Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference

Table F-71 Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Body Length

Criterion: Shows Request Body Length as the selected criterion of HTTP traffic to match.

Type: Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Greater Than Length: Enables you to enter a field length value in bytes that request field lengths will be matched against. Values are 0 to 2147483647.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Count
Select Request Header Count to apply the regular expression match to the header
of the request with a maximum number of headers.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Count as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference

Table F-72 Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Count

Criterion: Shows Request Header Count as the selected criterion of HTTP traffic to match.

Type: Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Greater Than Count: Enables you to enter the maximum number of headers. Values are 0 to 255.

OK button: Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Length
Select Request Header Length to match requests whose header section is longer
than the number of bytes you specify.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-73  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Length

Element(1) / Description

Criterion
    Shows Request Header Length as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Greater Than Length
    The length threshold in bytes. Requests whose header section is longer than
    this value match the criterion. Values are 1 to 65535.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field
Select Request Header Field to apply a regular expression match to the value of
a particular header field of the request (for example, Host or User-Agent).

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Field as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-74  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field

Element(1) / Description

Criterion
    Shows Request Header Field as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Field Name
    Selects which header field of the request is inspected:
    Predefined: one of the request header fields: accept, accept-charset,
    accept-encoding, accept-language, allow, authorization, cache-control,
    connection, content-encoding, content-language, content-length,
    content-location, content-md5, content-range, content-type, cookie, date,
    expect, expires, from, host, if-match, if-modified-since, if-none-match,
    if-range, if-unmodified-since, last-modified, max-forwards, pragma,
    proxy-authorization, range, referer, te, trailer, transfer-encoding,
    upgrade, user-agent, via, warning.
    Regular Expression: header fields whose name matches a defined regular
    expression. Enter the name in the field provided or click Select, which
    opens a list of available regular expressions from which to make your
    selection. You can configure regular expressions for use in pattern
    matching. Regular expressions whose names start with "default" are default
    regular expressions and cannot be modified or deleted.

Value
    Selects what the value of the header field is matched against:
    Regular Expression: a defined regular expression. Enter the name in the
    field provided or click Select, which opens a list of available regular
    expressions from which to make your selection. Regular expressions whose
    names start with "default" are default regular expressions and cannot be
    modified or deleted.
    Regular Expression Group: a defined regular expression class (group). Enter
    the name in the field provided or click Select, which opens a list of
    available regular expression groups from which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field Count
Select Request Header Field Count to match requests in which the selected header
field occurs more times than the count you specify (for example, more than one
Host header).
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Field Count as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-75  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field Count

Element(1) / Description

Criterion
    Shows Request Header Field Count as the selected criterion of HTTP traffic
    to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Field Name
    Selects which header field of the request is counted:
    Predefined: one of the request header fields: accept, accept-charset,
    accept-encoding, accept-language, allow, authorization, cache-control,
    connection, content-encoding, content-language, content-length,
    content-location, content-md5, content-range, content-type, cookie, date,
    expect, expires, from, host, if-match, if-modified-since, if-none-match,
    if-range, if-unmodified-since, last-modified, max-forwards, pragma,
    proxy-authorization, range, referer, te, trailer, transfer-encoding,
    upgrade, user-agent, via, warning.
    Regular Expression: header fields whose name matches a defined regular
    expression. Enter the name in the field provided or click Select, which
    opens a list of available regular expressions from which to make your
    selection. You can configure regular expressions for use in pattern
    matching. Regular expressions whose names start with "default" are default
    regular expressions and cannot be modified or deleted.

Greater Than Count
    The occurrence threshold. Requests in which the selected header field
    occurs more times than this value match the criterion. Values are 0 to 127.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field Length
Select Request Header Field Length to match requests in which the value of the
selected header field is longer than the number of bytes you specify.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Field Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-76  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field Length

Element(1) / Description

Criterion
    Shows Request Header Field Length as the selected criterion of HTTP traffic
    to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Field Name
    Selects which header field of the request is measured:
    Predefined: one of the request header fields: accept, accept-charset,
    accept-encoding, accept-language, allow, authorization, cache-control,
    connection, content-encoding, content-language, content-length,
    content-location, content-md5, content-range, content-type, cookie, date,
    expect, expires, from, host, if-match, if-modified-since, if-none-match,
    if-range, if-unmodified-since, last-modified, max-forwards, pragma,
    proxy-authorization, range, referer, te, trailer, transfer-encoding,
    upgrade, user-agent, via, warning.
    Regular Expression: header fields whose name matches a defined regular
    expression. Enter the name in the field provided or click Select, which
    opens a list of available regular expressions from which to make your
    selection. You can configure regular expressions for use in pattern
    matching. Regular expressions whose names start with "default" are default
    regular expressions and cannot be modified or deleted.

Greater Than Length
    The length threshold in bytes. Requests in which the value of the selected
    header field is longer than this value match the criterion. Values are
    1 to 32767.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Content Type
Select Request Header Content Type to match on the Content-Type header field of
the request: a MIME type you specify, an unknown MIME type, or a mismatch between
the declared MIME type and the actual content of the body.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Content Type as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-77  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Content Type

Element(1) / Description

Criterion
    Shows Request Header Content Type as the selected criterion of HTTP traffic
    to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Content Type
    Selects how the Content-Type header field is matched:
    Specified By: match a MIME type selected from the list of predefined MIME
    types, or a MIME type that matches the regular expression or regular
    expression group entered below.
    Unknown: match when the MIME type in the Content-Type field is not one of
    the built-in known MIME types.
    Violation: match when the magic number at the start of the message body
    does not correspond to the MIME type declared in the Content-Type header
    field, that is, when the declared type and the actual content disagree.

Regular Expression
    Lists the defined regular expressions to match. Enter the name in the field
    provided or click Select, which opens a list of available regular
    expressions from which to make your selection. You can configure regular
    expressions for use in pattern matching. Regular expressions whose names
    start with "default" are default regular expressions and cannot be modified
    or deleted.

Regular Expression Group
    Lists the defined regular expression classes (groups) to match. Enter the
    name in the field provided or click Select, which opens a list of available
    regular expression groups from which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Transfer Encoding
Select Request Header Transfer Encoding to match on the Transfer-Encoding header
field of the request: a specific encoding, an empty field, or a value that
matches a regular expression.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then click Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Transfer Encoding as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-78  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Transfer Encoding

Element(1) / Description

Criterion
    Shows Request Header Transfer Encoding as the selected criterion of HTTP
    traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Transfer Encoding
    Selects how the Transfer-Encoding header field is matched:
    Specified By: match one of the following transfer-encoding types, or a
    value that matches the regular expression or regular expression group
    entered below.
    Chunked: the message body is transferred as a series of chunks.
    Compressed: the message body is transferred using UNIX compress.
    Deflate: the message body is transferred in zlib format (RFC 1950) with
    deflate compression (RFC 1951).
    GZIP: the message body is transferred using GNU zip (RFC 1952).
    Identity: no transfer encoding is applied to the message body.
    Empty: match requests whose Transfer-Encoding header field is empty.

Regular Expression
    Lists the defined regular expressions to match. Enter the name in the field
    provided or click Select, which opens a list of available regular
    expressions from which to make your selection. You can configure regular
    expressions for use in pattern matching. Regular expressions whose names
    start with "default" are default regular expressions and cannot be modified
    or deleted.

Regular Expression Group
    Lists the defined regular expression classes (groups) to match. Enter the
    name in the field provided or click Select, which opens a list of available
    regular expression groups from which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Non-ASCII
Select Request Header Non-ASCII to match requests whose header contains
non-ASCII characters.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Header Non-ASCII as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-79  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Non-ASCII

Element(1) / Description

Criterion
    Shows Request Header Non-ASCII as the selected criterion of HTTP traffic to
    match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Method
Select Request Method to match on the method of the request, either one of the
predefined method names or a method that matches a regular expression.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request Method as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-80  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Method

Element(1) / Description

Criterion
    Shows Request Method as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Request Method
    Specified By: match one of the predefined request methods: bcopy, bdelete,
    bmove, bpropfind, bproppatch, connect, copy, delete, edit, get,
    getattribute, getattributenames, getproperties, head, index, lock, mkcol,
    mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd,
    revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev,
    subscribe, trace, unedit, unlock, unsubscribe.

Regular Expression
    Lists the defined regular expressions to match. Enter the name in the field
    provided or click Select, which opens a list of available regular
    expressions from which to make your selection. You can configure regular
    expressions for use in pattern matching. Regular expressions whose names
    start with "default" are default regular expressions and cannot be modified
    or deleted.

Regular Expression Group
    Lists the defined regular expression classes (groups) to match. Enter the
    name in the field provided or click Select, which opens a list of available
    regular expression groups from which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request URI
Select Request URI to apply the regular expression match to the URI of the
request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request URI as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-81  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request URI

Element(1) / Description

Criterion
    Shows Request URI as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Value
    Selects what the URI of the request is matched against:
    Regular Expression: applies a defined regular expression to the URI of the
    request. Enter the name in the field provided or click Select, which opens
    a list of available regular expressions from which to make your selection.
    You can configure regular expressions for use in pattern matching. Regular
    expressions whose names start with "default" are default regular
    expressions and cannot be modified or deleted.
    Regular Expression Group: applies a defined regular expression class
    (group). Enter the name in the field provided or click Select, which opens
    a list of available regular expression groups from which to make your
    selection.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request URI Length
Select Request URI Length to match requests whose URI is longer than the number
of bytes you specify.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Request URI Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-82  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request URI Length

Element(1) / Description

Criterion
    Shows Request URI Length as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Greater Than Length
    The URI length threshold in bytes. Requests whose URI is longer than this
    value match the criterion. Values are 1 to 65535.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body ActiveX
Select Response Body ActiveX to match responses whose body contains an ActiveX
control.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Body ActiveX as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-83  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body ActiveX

Element(1) / Description

Criterion
    Shows Response Body ActiveX as the selected criterion of HTTP traffic to
    match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body Java Applet
Select Response Body Java Applet to match responses whose body contains a Java
applet.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Body Java Applet as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-84  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body Java Applet

Element(1) / Description

Criterion
    Shows Response Body Java Applet as the selected criterion of HTTP traffic
    to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body
Select Response Body to apply the regular expression match to the body of the
response.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Body as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-85  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body

Element(1) / Description

Criterion
    Shows Response Body as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: matches the criterion.
    Doesn't Match: does not match the criterion.

Value
    Selects what the body of the response is matched against:
    Regular Expression: a defined regular expression. Enter the name in the
    field provided or click Select, which opens a list of available regular
    expressions from which to make your selection. You can configure regular
    expressions for use in pattern matching. Regular expressions whose names
    start with "default" are default regular expressions and cannot be modified
    or deleted.
    Regular Expression Group: a defined regular expression class (group). Enter
    the name in the field provided or click Select, which opens a list of
    available regular expression groups from which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body Length
Select Response Body Length to apply the regular expression match to the body
of the response with field length greater than the bytes specified.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Body Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-86  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body Length

Element (1)          Description

Criterion            Shows Response Body Length as the selected criterion of HTTP traffic
                     to match.

Type                 Specifies whether the class map includes traffic that matches or does
                     not match the criterion. For example, if Doesn't Match is selected on
                     the string example.com, then any traffic that contains example.com is
                     excluded from the class map.
                     Matches: Matches the criterion.
                     Doesn't Match: Does not match the criterion.

Greater Than Length  Enables you to enter a field length value in bytes that response
                     field lengths will be matched against. Values are 0 to 2147483647.

OK button            Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Count
Select Response Header Count to apply the regular expression match to the header
of the response with a maximum number of headers.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Count as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-87  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Count

Element (1)          Description

Criterion            Shows Response Header Count as the selected criterion of HTTP traffic
                     to match.

Type                 Specifies whether the class map includes traffic that matches or does
                     not match the criterion. For example, if Doesn't Match is selected on
                     the string example.com, then any traffic that contains example.com is
                     excluded from the class map.
                     Matches: Matches the criterion.
                     Doesn't Match: Does not match the criterion.

Greater Than Count   Enables you to enter the maximum number of headers. Values are
                     0 to 255.

OK button            Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Length
Select Response Header Length to apply the regular expression match to the
header of the response with length greater than the bytes specified.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-88  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Length

Element (1)          Description

Criterion            Shows Response Header Length as the selected criterion of HTTP
                     traffic to match.

Type                 Specifies whether the class map includes traffic that matches or does
                     not match the criterion. For example, if Doesn't Match is selected on
                     the string example.com, then any traffic that contains example.com is
                     excluded from the class map.
                     Matches: Matches the criterion.
                     Doesn't Match: Does not match the criterion.

Greater Than Length  Enables you to enter a field length value in bytes that response
                     field lengths will be matched against. Values are 1 to 65535.

OK button            Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field
Select Response Header Field to apply the regular expression match to the header
of the response.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Field as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-89  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field

Element (1)     Description

Criterion       Shows Response Header Field as the selected criterion of HTTP traffic to
                match.

Type            Specifies whether the class map includes traffic that matches or does not
                match the criterion. For example, if Doesn't Match is selected on the
                string example.com, then any traffic that contains example.com is excluded
                from the class map.
                Matches: Matches the criterion.
                Doesn't Match: Does not match the criterion.

Field Name      Predefined: Specifies the response header fields: accept-ranges, age,
                allow, cache-control, connection, content-encoding, content-language,
                content-length, content-location, content-md5, content-range,
                content-type, date, etag, expires, last-modified, location, pragma,
                proxy-authenticate, retry-after, server, set-cookie, trailer,
                transfer-encoding, upgrade, vary, via, warning, www-authenticate.
                Regular Expression: Lists the defined regular expressions to match. Enter
                the information in the field provided or click Select, which opens a list
                of available regular expressions from which to make your selection. You
                can configure Regular Expressions for use in pattern matching. Regular
                expressions that start with default are default regular expressions and
                cannot be modified or deleted.

Value           Regular Expression: Lists the defined regular expressions to match. Enter
                the information in the field provided or click Select, which opens a list
                of available regular expressions from which to make your selection. You
                can configure Regular Expressions for use in pattern matching. Regular
                expressions that start with default are default regular expressions and
                cannot be modified or deleted.
                Regular Expression Group: Lists the defined regular expression classes to
                match. Enter the regular expression class in the field provided or click
                Select, which opens a list of available regular expressions from which to
                make your selection.

OK button       Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field Count
Select Response Header Field Count to apply the regular expression match to the
header of the response with a maximum number of header fields.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Field Count as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-90  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field Count

Element (1)          Description

Criterion            Shows Response Header Field Count as the selected criterion of HTTP
                     traffic to match.

Type                 Specifies whether the class map includes traffic that matches or does
                     not match the criterion. For example, if Doesn't Match is selected on
                     the string example.com, then any traffic that contains example.com is
                     excluded from the class map.
                     Matches: Matches the criterion.
                     Doesn't Match: Does not match the criterion.

Field Name           Predefined: Specifies the response header fields: accept-ranges, age,
                     allow, cache-control, connection, content-encoding, content-language,
                     content-length, content-location, content-md5, content-range,
                     content-type, date, etag, expires, last-modified, location, pragma,
                     proxy-authenticate, retry-after, server, set-cookie, trailer,
                     transfer-encoding, upgrade, vary, via, warning, www-authenticate.
                     Regular Expression: Lists the defined regular expressions to match.
                     Enter the information in the field provided or click Select, which
                     opens a list of available regular expressions from which to make your
                     selection. You can configure Regular Expressions for use in pattern
                     matching. Regular expressions that start with default are default
                     regular expressions and cannot be modified or deleted.

Greater Than Count   Enables you to enter the maximum number of headers. Values are
                     0 to 127.

OK button            Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field Length
Select Response Header Field Length to apply the regular expression match to the
header of the response with field length greater than the bytes specified.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Field Length as your criterion.


Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-91  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field Length

Element (1)          Description

Criterion            Shows Response Header Field Length as the selected criterion of HTTP
                     traffic to match.

Type                 Specifies whether the class map includes traffic that matches or does
                     not match the criterion. For example, if Doesn't Match is selected on
                     the string example.com, then any traffic that contains example.com is
                     excluded from the class map.
                     Matches: Matches the criterion.
                     Doesn't Match: Does not match the criterion.

Field Name           Predefined: Specifies the response header fields: accept-ranges, age,
                     allow, cache-control, connection, content-encoding, content-language,
                     content-length, content-location, content-md5, content-range,
                     content-type, date, etag, expires, last-modified, location, pragma,
                     proxy-authenticate, retry-after, server, set-cookie, trailer,
                     transfer-encoding, upgrade, vary, via, warning, www-authenticate.
                     Regular Expression: Lists the defined regular expressions to match.
                     Enter the information in the field provided or click Select, which
                     opens a list of available regular expressions from which to make your
                     selection. You can configure Regular Expressions for use in pattern
                     matching. Regular expressions that start with default are default
                     regular expressions and cannot be modified or deleted.

Greater Than Length  Enables you to enter a field length value in bytes that response
                     field lengths will be matched against. Values are 1 to 32767.

OK button            Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Content Type
Select Response Header Content Type to apply the content type for the response
header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Content Type as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63


Field Reference
Table F-92  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Content Type

Element (1)                 Description

Criterion                   Shows Response Header Content Type as the selected criterion of
                            HTTP traffic to match.

Type                        Specifies whether the class map includes traffic that matches
                            or does not match the criterion. For example, if Doesn't Match
                            is selected on the string example.com, then any traffic that
                            contains example.com is excluded from the class map.
                            Matches: Matches the criterion.
                            Doesn't Match: Does not match the criterion.

Content Type
  Specified By              Enables you to select from a list of predefined mime-types.
  Unknown                   Used when the mime-type must match a built-in known mime-type.
  Violation                 Used when the magic number in the body must correspond to the
                            mime-type in the content-type header field.
  Regular Expression        Lists the defined regular expressions to match. Enter the
                            information in the field provided or click Select, which opens
                            a list of available regular expressions from which to make
                            your selection. You can configure Regular Expressions for use
                            in pattern matching. Regular expressions that start with
                            default are default regular expressions and cannot be modified
                            or deleted.
  Regular Expression Group  Lists the defined regular expression classes to match. Enter
                            the regular expression class in the field provided or click
                            Select, which opens a list of available regular expressions
                            from which to make your selection.

OK button                   Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Transfer Encoding
Select Response Header Transfer Encoding to apply the transfer encoding for the
response header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Transfer Encoding as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-93  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Transfer Encoding

Element (1)                 Description

Criterion                   Shows Response Header Transfer Encoding as the selected
                            criterion of HTTP traffic to match.

Type                        Specifies whether the class map includes traffic that matches
                            or does not match the criterion. For example, if Doesn't Match
                            is selected on the string example.com, then any traffic that
                            contains example.com is excluded from the class map.
                            Matches: Matches the criterion.
                            Doesn't Match: Does not match the criterion.

Value
  Specified By              Lists available transfer mime-types.
                            Chunked: Identifies the transfer encoding type in which the
                            message body is transferred as a series of chunks.
                            Compressed: Identifies the transfer encoding type in which the
                            message body is transferred using UNIX file compression.
                            Deflate: Identifies the transfer encoding type in which the
                            message body is transferred using zlib format (RFC 1950) and
                            deflate compression (RFC 1951).
                            GZIP: Identifies the transfer encoding type in which the
                            message body is transferred using GNU zip (RFC 1952).
                            Identity: Identifies connections in which no transfer encoding
                            is performed on the message body.
  Empty                     Matches traffic whose response header carries an empty
                            transfer-encoding field.
  Regular Expression        Lists the defined regular expressions to match. Enter the
                            information in the field provided or click Select, which opens
                            a list of available regular expressions from which to make
                            your selection. You can configure Regular Expressions for use
                            in pattern matching. Regular expressions that start with
                            default are default regular expressions and cannot be modified
                            or deleted.
  Regular Expression Group  Lists the defined regular expression classes to match. Enter
                            the regular expression class in the field provided or click
                            Select, which opens a list of available regular expressions
                            from which to make your selection.

OK button                   Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Non-ASCII
Select Response Header Non-ASCII to match non-ASCII characters in the header
of the response.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Header Non-ASCII as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-94  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Non-ASCII

Element (1)     Description

Criterion       Shows Response Header Non-ASCII as the selected criterion of HTTP traffic
                to match.

Type            Specifies whether the class map includes traffic that matches or does not
                match the criterion. For example, if Doesn't Match is selected on the
                string example.com, then any traffic that contains example.com is excluded
                from the class map.
                Matches: Matches the criterion.
                Doesn't Match: Does not match the criterion.

OK button       Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Status Line
Select Response Status Line to apply the regular expression match to the status
line.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > HTTP Class Maps from the Object Type selector. Right-click
inside the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit HTTP Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Response Status Line as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Class Map Objects, page 8-63

Field Reference
Table F-95  Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Status Line

Element (1)     Description

Criterion       Shows Response Status Line as the selected criterion of HTTP traffic to
                match.

Type            Specifies whether the class map includes traffic that matches or does not
                match the criterion. For example, if Doesn't Match is selected on the
                string example.com, then any traffic that contains example.com is excluded
                from the class map.
                Matches: Matches the criterion.
                Doesn't Match: Does not match the criterion.

Value           Regular Expression: Lists the defined regular expressions to match. Enter
                the information in the field provided or click Select, which opens a list
                of available regular expressions from which to make your selection. You
                can configure Regular Expressions for use in pattern matching. Regular
                expressions that start with default are default regular expressions and
                cannot be modified or deleted.
                Regular Expression Group: Lists the defined regular expression classes to
                match. Enter the regular expression class in the field provided or click
                Select, which opens a list of available regular expressions from which to
                make your selection.

OK button       Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
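The response criteria in Tables F-85 through F-95 say what each match row tests, but not how the checks behave on a concrete response. The following Python is an example added here for illustration; it is not Cisco Security Manager or ASA code, and the sample response, the magic-number table, the header-byte accounting and every function name are assumptions made for this example. It evaluates each criterion against one constructed response and then combines rows the way a Match All table does, including a Doesn't Match row that excludes the response.

```python
import re

# Constructed sample response for the demonstration; not a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: demo-httpd\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Set-Cookie: a=1\r\n"
    b"Set-Cookie: b=2\r\n"
    b"X-Note: caf\xc3\xa9\r\n"          # bytes above 0x7F: a non-ASCII header
    b"\r\n"
    b"GIF89a\x01\x00\x01\x00"           # body opens with a GIF magic number
)

# Leading body bytes -> MIME type, for the Content Type "Violation" row.
# Assumed illustrative subset, not the ASA's built-in table.
MAGIC_NUMBERS = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
}


def parse_response(raw):
    """Split a raw response into status line, header list and body (bytes).
    Header names are lower-cased so field-name rows compare case-insensitively;
    order and repeated fields are kept so they can be counted."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return {
        "status": lines[0],
        "headers": headers,
        # header fields only: status line and its CRLF excluded (assumption)
        "header_len": len(head) - len(lines[0]) - 2,
        "body": body,
    }


# One function per criterion; each returns True when the raw criterion holds.
# The Type column (Matches / Doesn't Match) is applied in class_map_matches.
def body_regex(r, pattern):                 # Response Body (Table F-85)
    return re.search(pattern, r["body"]) is not None

def body_length_gt(r, n):                   # Response Body Length (F-86)
    return len(r["body"]) > n

def header_count_gt(r, n):                  # Response Header Count (F-87)
    return len(r["headers"]) > n

def header_length_gt(r, n):                 # Response Header Length (F-88)
    return r["header_len"] > n

def header_field_regex(r, field, pattern):  # Response Header Field (F-89)
    return any(re.search(pattern, v) for k, v in r["headers"] if k == field)

def header_field_count_gt(r, field, n):     # Response Header Field Count (F-90)
    return sum(1 for k, _ in r["headers"] if k == field) > n

def header_field_length_gt(r, field, n):    # Response Header Field Length (F-91)
    return any(len(v) > n for k, v in r["headers"] if k == field)

def content_type_violation(r):              # Content Type, Violation row (F-92)
    declared = next((v for k, v in r["headers"] if k == b"content-type"), b"")
    declared = declared.split(b";")[0].strip().lower()
    for magic, mime in MAGIC_NUMBERS.items():
        if r["body"].startswith(magic):
            return mime.encode() != declared
    return False  # unknown magic number: no violation can be asserted

def transfer_encoding_is(r, kind):          # Transfer Encoding rows (F-93)
    values = [v.lower() for k, v in r["headers"] if k == b"transfer-encoding"]
    if kind == "empty":                     # Empty row: field present but blank
        return b"" in values
    return kind.encode() in values          # chunked, compress, deflate, gzip, identity

def header_non_ascii(r):                    # Response Header Non-ASCII (F-94)
    return any(b > 0x7F for k, v in r["headers"] for b in k + v)

def status_line_regex(r, pattern):          # Response Status Line (F-95)
    return re.search(pattern, r["status"]) is not None


def class_map_matches(r, rows, match_all=True):
    """rows: (criterion, args, matches); matches=False models Doesn't Match.
    match_all=True models the Match All table: every row must hold."""
    results = [fn(r, *args) == matches for fn, args, matches in rows]
    return all(results) if match_all else any(results)


def demo():
    """Match-all map: 200 status, body magic disagrees with content-type,
    more than five headers, and no non-ASCII header bytes allowed."""
    r = parse_response(SAMPLE_RESPONSE)
    rows = [
        (status_line_regex, (rb"^HTTP/1\.[01] 200",), True),
        (content_type_violation, (), True),
        (header_count_gt, (5,), True),
        (header_non_ascii, (), False),      # Doesn't Match row
    ]
    return class_map_matches(r, rows)


if __name__ == "__main__":
    print("class map matches:", demo())    # False: the non-ASCII header excludes it
```

The sample response satisfies the first three rows (the status line is 200, the body carries a GIF magic number under a text/html content-type, and there are six headers), but the fourth row is a Doesn't Match on non-ASCII headers, so the match-all result is False; change `match_all` to False to see the match-any behaviour. The Violation check deliberately returns False when the body's leading bytes are unknown, since a mismatch can only be asserted against a recognised magic number.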

IM Class Maps Page


Use the IM Class Map page to define IM class maps for IM inspection. From this
page, you can add, edit, and delete objects, and edit policy override settings. You
can also generate usage reports of policies that use the object.
An inspection class map matches application traffic with criteria specific to the
application. You then identify the class map in the inspect map and enable actions.
The difference between creating a class map and defining the traffic match
directly in the inspect map is that you can create more complex match criteria and
you can reuse class maps.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector.


Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference
Table F-96  IM Class Maps Page

Element                 Description

Filter                  Filters the information displayed in the table. Click the arrow to
                        display the filtering bar, which enables you to set filtering
                        parameters. See Filtering Tables, page 3-24.

[Icon]                  Displays the icon that represents the object type. Icons marked
                        with a star indicate user-defined objects that may be modified.
                        Icons without a star indicate predefined objects that cannot be
                        modified. The icon is displayed after the object is defined.

Name                    Shows the name of the IM class map. Names can be shown in ascending
                        or descending order.

Criterion               Shows the criterion of the IM class map.

Type                    Specifies whether the class map includes traffic that matches or
                        does not match the criterion. For example, if Doesn't Match is
                        selected on the string example.com, then any traffic that contains
                        example.com is excluded from the class map.
                        Matches: Matches the criterion.
                        Doesn't Match: Does not match the criterion.

Value                   Shows the value to match in the IM class map.

Category                Provides an intermediate level of detail to objects and helps you
                        readily identify rules and objects by use of color-coding. See
                        Understanding Category Objects, page 8-48.
                        Note: No commands are generated for the category attribute.

Overridable             Indicates whether the global object definition can be overridden
                        by object values defined at device level. See Allowing a Global
                        Object to Be Overridden, page 8-198.

Description             Displays an icon if a description is defined for the object. Point
                        at the icon to display a tooltip with the text of the description.
                        Descriptions help you identify a policy.
                        Tip: Double-click the icon to display the text of the description
                        in a popup window.

New Object button       Enables you to create an object. See Creating IM Class Map
                        Objects, page 8-67.

Edit Object button      Enables you to edit the selected object. See Editing Objects,
                        page 8-10.

Delete Object button    Enables you to delete a selected object. If the object is used in
                        a rule or nested within another object, you are prompted to modify
                        or delete the reference before the deletion can occur. See
                        Deleting Objects, page 8-11.
                        Note: An object used in a rule or within another object cannot be
                        deleted.

Add and Edit IM Class Map Dialog Boxes


Use the Add and Edit IM Traffic Class Map dialog boxes to define an IM class
map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or Edit Object.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67


Field Reference
Table F-97  Add and Edit IM Class Map Dialog Boxes

Element (1)             Description

Name*                   Enables you to enter the name of the IM class map. A maximum of 40
                        characters is allowed.

Description             Shows a description, which is displayed as an icon. A tooltip
                        displays the content. Descriptions help you identify an object. A
                        maximum of 200 characters is allowed.

Match All Table
  Criterion             Shows the criterion of the IM class map.
  Type                  Specifies whether the class map includes traffic that matches or
                        does not match the criterion. For example, if Doesn't Match is
                        selected on the string example.com, then any traffic that contains
                        example.com is excluded from the class map.
                        Matches: Matches the criterion.
                        Doesn't Match: Does not match the criterion.
  Value                 Shows the value to match in the IM class map.
  New Object button     Enables you to create an object. See Creating IM Class Map
                        Objects, page 8-67.
  Edit Object button    Enables you to edit the selected object. See Editing Objects,
                        page 8-10.
  Delete Object button  Enables you to delete a selected object. If the object is used in
                        a rule or nested within another object, you are prompted to modify
                        or delete the reference before the deletion can occur. See
                        Deleting Objects, page 8-11.
                        Note: An object used in a rule or within another object cannot be
                        deleted.

Category                Provides an intermediate level of detail to objects and helps you
                        readily identify rules and objects by use of color-coding. See
                        Understanding Category Objects, page 8-48.
                        Note: No commands are generated for the category attribute.

Allow Value Override per Device
                        Allows you to configure different Xauth credentials on the remote
                        client. When selected, the global Credentials List object
                        definition defined here is changed at the device level. See
                        Allowing a Global Object to Be Overridden, page 8-198.
                        When deselected, does not allow the global object definition to be
                        overridden.
                        Tip: When editing a Credentials object that can be overridden,
                        click the Edit button to display the Policy Object Overrides
                        Window, page F-565. From here you can create, edit, and view
                        device-level overrides.
                        Note: Selecting Allow Value Override per Device does not
                        automatically set overrides.

Overrides: None         Shows that no overrides exist on the device. You must manually set
                        overrides in order to change the display. For more information,
                        see Overriding Global Objects for Individual Devices, page 8-197.

OK button               Saves your changes to the server and closes the page.

1. An asterisk indicates that the field is required.

Add and Edit IM Class Map > Add and Edit Match Criterion Dialog
Boxes
Use the Add and Edit Match Criterion dialog boxes to define the match criterion
and value for the IM class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box opens based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row.


Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67

Field Reference
Table F-98 Add and Edit IM Class Map > Add and Edit Match Criterion Dialog Boxes

Criterion
Shows the criterion of the IM class map:
- Filename: Matches the filename from the IM file transfer service. For a description of the GUI elements, see Table F-99.
- Client IP Address: Matches a source IP address. For a description of the GUI elements, see Table F-100.
- Client Login Name: Matches the client login name from the IM service. For a description of the GUI elements, see Table F-101.
- Peer IP Address: Matches a destination IP address. For a description of the GUI elements, see Table F-102.
- Peer Login Name: Matches the client peer login name from the IM service. For a description of the GUI elements, see Table F-103.
- Protocol: Matches IM protocols. For a description of the GUI elements, see Table F-104.
- Service: Matches IM services. For a description of the GUI elements, see Table F-105.
- File Transfer Service Version: Matches the IM file transfer service version. For a description of the GUI elements, see Table F-106.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.


Table F-98 Add and Edit IM Class Map > Add and Edit Match Criterion Dialog Boxes (continued)

Value
Values are based on the criterion selected. Values can consist of any of the following:
- Regular Expression: Lists the defined regular expressions to match.
- Regular Expression Group: Lists the defined regular expression classes to match.
- IP Address
- Protocol: Specifies which IM protocols to match.
- Service: Specifies which IM services to match.

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit IM Class Map > Add and Edit Match Criterion > Filename
Select Filename to match a filename from the IM file transfer service.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Filename as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67


Field Reference
Table F-99 Add and Edit IM Class Map > Add and Edit Match Criterion > Filename

Criterion
Shows Filename as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
- Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expression classes from which to make your selection.

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit IM Class Map > Add and Edit Match Criterion > Client IP Address
Select Client IP Address to match a source IP address.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Client IP Address as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67

Field Reference
Table F-100 Add and Edit IM Class Map > Add and Edit Match Criterion > Client IP Address

Criterion
Shows Client IP Address as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

IP Address*
Specifies the client source IP address.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Class Map > Add and Edit Match Criterion > Client Login Name
Select Client Login Name to match the client login name from IM service.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Client Login Name as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67

Field Reference
Table F-101 Add and Edit IM Class Map > Add and Edit Match Criterion > Client Login Name

Criterion
Shows Client Login Name as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
- Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expression classes from which to make your selection.

OK button
Saves your changes to the server and closes the dialog box.


Add and Edit IM Class Map > Add and Edit Match Criterion > Peer IP Address
Select Peer IP Address to match the destination IP address.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Peer IP Address as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67

Field Reference
Table F-102 Add and Edit IM Class Map > Add and Edit Match Criterion > Peer IP Address

Criterion
Shows Peer IP Address as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

IP Address*
Specifies the destination IP address.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit IM Class Map > Add and Edit Match Criterion > Peer Login Name
Select Peer Login Name to match the client peer login name from IM service.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Peer Login Name as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67

Field Reference
Table F-103 Add and Edit IM Class Map > Add and Edit Match Criterion > Peer Login Name

Criterion
Shows Peer Login Name as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
- Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expression classes from which to make your selection.

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit IM Class Map > Add and Edit Match Criterion > Protocol
Select Protocol to specify which IM protocols to match.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Protocol as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67


Field Reference
Table F-104 Add and Edit IM Class Map > Add and Edit Match Criterion > Protocol

Criterion
Shows Protocol as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Protocol
Specifies which IM protocols to match.
- MSN Messenger: Matches MSN Messenger instant messages.
- Yahoo! Messenger: Matches Yahoo! Messenger instant messages.

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit IM Class Map > Add and Edit Match Criterion > Service
Select Service to specify which IM services to match.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Service as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67


Field Reference
Table F-105 Add and Edit IM Class Map > Add and Edit Match Criterion > Service

Criterion
Shows Service as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Service
Specifies which IM services to match.
- Chat: Matches the IM message chat service.
- Conference: Matches the IM conference service.
- File Transfer: Matches the IM file transfer service.
- Games: Matches the IM gaming service.
- Voice Chat: Matches the IM voice chat service (not available for Yahoo IM).
- Webcam: Matches the IM webcam service.

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit IM Class Map > Add and Edit Match Criterion > File Transfer Service
Version
Select File Transfer Service Version to specify to match the version from the IM
file transfer service.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > IM Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit IM Class Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select File Transfer Service Version as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating IM Class Map Objects, page 8-67

Field Reference
Table F-106 Add and Edit IM Class Map > Add and Edit Match Criterion > File Transfer Service Version

Criterion
Shows File Transfer Service Version as the selected criterion of IM traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
- Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expression classes from which to make your selection.

OK button
Saves your changes to the server and closes the dialog box.
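The criteria in Tables F-98 through F-106 are the GUI form of the match statements of a PIX/ASA IM inspection class map. The fragment below is an added illustration for this edition; it is not text from the original guide and not CLI captured from Security Manager, which generates its own commands when the object is deployed. It shows, in the ASA command syntax documented for class-map type inspect im, what a single match-all IM class map that combines several of these criteria looks like on the device, and how the class map is tied to an action through an IM inspect policy map. The object names, regular expressions, subnet, and the drop-connection action are assumptions chosen for the example, and the exact keyword spellings should be verified against the command reference for the device's software version.

```text
! Regular expressions referenced by the class map (names and patterns are
! assumptions for this example). Escape the dot: an unescaped "." matches any
! character, so "example.com" would also match "example-com".
regex corp_login "@example\.com"
regex exe_file "\.exe"

! Match-all IM class map: every match line must be true for a flow to be
! classified. "match not" is the CLI form of the Doesn't Match type.
class-map type inspect im match-all im_untrusted_file_xfer
! Protocol criterion (Table F-104): both IM protocols the GUI offers
 match protocol im-yahoo im-msn
! Service criterion (Table F-105)
 match service file-transfer
! Client Login Name criterion with Doesn't Match (Table F-101): logins at
! example.com are excluded from the class map
 match not login-name regex corp_login
! Filename criterion (Table F-99)
 match filename regex exe_file
! Client IP Address criterion (Table F-100): assumed source subnet
 match ip-address 10.10.0.0 255.255.0.0

! The class map only classifies traffic; the action is set in the IM inspect
! policy map that references it.
policy-map type inspect im im_policy
 class im_untrusted_file_xfer
  drop-connection log

! Apply the IM inspect policy map through the global service policy.
policy-map global_policy
 class inspection_default
  inspect im im_policy
```

Two points worth checking when you build the object in the GUI: with Match All, adding a Doesn't Match row narrows the class map rather than widening it, and a regular expression such as example.com matches as a substring with the dot as a wildcard unless you escape it.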


SIP Class Maps Page


Use the SIP Class Maps page to define SIP class maps for SIP inspection. From
this page, you can add, edit, and delete objects, and edit policy override settings.
You can also generate usage reports of policies that use the object.
An inspection class map matches application traffic with criteria specific to the
application. You then identify the class map in the inspect map and enable actions.
The difference between creating a class map and defining the traffic match
directly in the inspect map is that you can create more complex match criteria and
you can reuse class maps.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > SIP Class Maps from the Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference
Table F-107

SIP Class Maps Page

Element

Description

Filter

Filters the information displayed in the table. Click the arrow to


display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.

[Icon]

Displays the icon that represents the object type. Icons marked with
a star indicate user-defined objects that may be modified. Icons
without a star indicate predefined objects that cannot be modified.
The icon is displayed after the object is defined.

Name

Shows the name of the SIP class map. Names can be shown in
ascending or descending order.
Table F-107 SIP Class Maps Page (continued)

Criterion
Shows the criterion of the SIP class map.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
Shows the value to match in the SIP class map.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Overridable
Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

Description
Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify a policy.
Tip: Double-click the icon to display the text of the description in a popup window.

New Object button
Enables you to create an object. See Creating SIP Class Map Objects, page 8-70.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object used in a rule or within another object cannot be deleted.


Add and Edit SIP Class Map Dialog Boxes


Use the Add and Edit SIP Class Map dialog boxes to define a SIP class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > SIP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit SIP Class Map dialog box appears based on your
selection.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Class Map Objects, page 8-70

Field Reference
Table F-108 Add and Edit SIP Class Map Dialog Boxes

Name*
Enables you to enter the name of the SIP class map. A maximum of 40 characters is allowed.

Description
Enables you to enter a description to identify the SIP class map. A maximum of 200 characters is allowed.

Match All Table

Criterion
Shows the criterion of the SIP class map.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
Shows the value to match in the SIP class map.

New Object button
Enables you to create an object. See Creating SIP Class Map Objects, page 8-70.


Table F-108 Add and Edit SIP Class Map Dialog Boxes (continued)

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object used in a rule or within another object cannot be deleted.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Allow Value Override per Device
Allows the global SIP class map object defined here to be replaced by a different definition on individual devices. When selected, the object can be overridden at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
When deselected, the global object definition cannot be overridden.
Tip: When editing a SIP class map object that can be overridden, click the Edit button to display the Policy Object Overrides Window, page F-565. From there you can create, edit, and view device-level overrides.
Note: Selecting Allow Value Override per Device does not automatically set overrides.

Overrides: None
Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit SIP Class Map > Add and Edit Match Criterion Dialog Boxes

Use the Add and Edit Match Criterion dialog boxes to define the match criterion
and value for the SIP class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > SIP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit SIP Class Map dialog box appears based on your
selection. Right-click inside the table, then click Add Row or right-click a row,
then select Edit Row.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Class Map Objects, page 8-70


Field Reference
Table F-109 Add and Edit SIP Class Map > Add and Edit Match Criterion Dialog Boxes

Criterion
Specifies which criterion of SIP traffic to match:
- Called Party: Matches the called party as specified in the To header. For a description of the GUI elements, see Table F-110.
- Calling Party: Matches the calling party as specified in the From header. For a description of the GUI elements, see Table F-111.
- Content Length: Matches the Content-Length header. For a description of the GUI elements, see Table F-111.
- Content Type: Matches the Content-Type header. For a description of the GUI elements, see Table F-112.
- IM Subscriber: Matches the SIP IM subscriber. For a description of the GUI elements, see Table F-113.
- Message Path: Matches the SIP Via header. For a description of the GUI elements, see Table F-114.
- Third Party Registration: Matches the requester of a third-party registration. For a description of the GUI elements, see Table F-115.
- URI Length: Matches the length of a URI in the SIP headers. For a description of the GUI elements, see Table F-116.
- Request Method: Matches the SIP request method. For a description of the GUI elements, see Table F-117.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
Shows the value to match in the SIP class map.

OK button
Saves your changes to the server and closes the dialog box.
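The criteria in Table F-109 are the GUI form of the match statements of a PIX/ASA SIP inspection class map. The fragment below is an added illustration for this edition; it is not text from the original guide and not CLI captured from Security Manager, which generates its own commands when the object is deployed. It shows, in the ASA command syntax documented for class-map type inspect sip, how the regular-expression criteria (Called Party, Calling Party), the numeric criteria (URI Length, Content Length) and Request Method appear on the device, and how a match-any and a match-all class map differ when bound to actions in a SIP inspect policy map. The object names, patterns, length thresholds and actions are assumptions chosen for the example, and the keyword spellings should be verified against the command reference for the device's software version.

```text
! Regular expressions for the To (Called Party) and From (Calling Party)
! headers. Names and patterns are assumptions for this example; the dot is
! escaped so it is matched literally.
regex internal_callee "@pbx\.example\.com"
regex blocked_caller "sip:spam@"

! Match-any class map: a message is classified as soon as any one line
! matches. The length thresholds are assumed values, not guide defaults.
class-map type inspect sip match-any sip_abuse
! Calling Party criterion (Table F-111)
 match calling-party regex blocked_caller
! URI Length criterion: SIP URI longer than 200 bytes
 match uri sip length gt 200
! Content Length criterion: body larger than 4096 bytes
 match content length gt 4096
! Request Method criterion: methods the inspector does not recognize
 match request-method unknown

! Match-all class map: only INVITEs to internal users that do not come from
! the blocked caller. "match not" is the CLI form of the Doesn't Match type.
class-map type inspect sip match-all sip_internal_invite
 match request-method invite
! Called Party criterion (Table F-110)
 match called-party regex internal_callee
 match not calling-party regex blocked_caller

! Actions are set in the SIP inspect policy map, not in the class map.
policy-map type inspect sip sip_policy
 class sip_abuse
  drop log
 class sip_internal_invite
  log

! Apply the SIP inspect policy map through the global service policy.
policy-map global_policy
 class inspection_default
  inspect sip sip_policy
```

The Add and Edit SIP Class Map dialog box builds a Match All table, so every row you add there corresponds to one match line of the match-all form above; a match-any class map has to be expressed differently, for example as separate objects each attached to the same action in the inspect map.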


Add and Edit SIP Class Map > Add and Edit Match Criterion > Called Party
Select Called Party to match the called party as specified in the To header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > SIP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit SIP Class Map dialog box appears based on your
selection. Right-click inside the table, then click Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Called Party as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Class Map Objects, page 8-70

Field Reference
Table F-110 Add and Edit SIP Class Map > Add and Edit Match Criterion > Called Party

Criterion
Shows Called Party as the selected criterion of SIP traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
Shows the value to match in the SIP class map.
- Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expression classes from which to make your selection.

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit SIP Class Map > Add and Edit Match Criterion > Calling Party
Select Calling Party to match the calling party as specified in the From header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Class Maps > SIP Class Maps from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object. The Add or Edit SIP Class Map dialog box appears based on your
selection. Right-click inside the table, then click Add Row or right-click a row,
then select Edit Row. The Add or Edit Match Criterion dialog box appears based
on your selection. Select Calling Party as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Class Map Objects, page 8-70


Field Reference
Table F-111 Add and Edit SIP Class Map > Add and Edit Match Criterion > Calling Party

Criterion
Shows Calling Party as the selected criterion of SIP traffic to match.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
- Matches: Matches the criterion.
- Doesn't Match: Does not match the criterion.

Value
Shows the value to match in the SIP class map.
- Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
- Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expression classes from which to make your selection.

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Length

Select Content Length to match the Content Length header.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps >
SIP Class Maps from the Object Type selector. Right-click inside the work area,
then select New Object or right-click a row, then select Edit Object. The Add or
Edit SIP Class Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Content Length as your criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating SIP Class Map Objects, page 8-70

Field Reference

Table F-112    Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Length

Element              Description

Criterion
    Shows Content Length as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is excluded
    from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Greater Than Length
    Enables you to enter a header length value in bytes. Values are 0-65536.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Type

Select Content Type to match the Content Type header.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps >
SIP Class Maps from the Object Type selector. Right-click inside the work area,
then select New Object or right-click a row, then select Edit Object. The Add or
Edit SIP Class Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Content Type as your criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating SIP Class Map Objects, page 8-70

Field Reference

Table F-113    Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Type

Element              Description

Criterion
    Shows Content Type as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is excluded
    from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Content Type
    - SDP: Matches an SDP SIP content header type.
    - Regular Expression: Lists the defined regular expressions to match. Enter
      the information in the field provided or click Select, which opens a list
      of available regular expressions from which to make your selection.
      You can configure Regular Expressions for use in pattern matching.
      Regular expressions that start with default are default regular
      expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.


Add and Edit SIP Class Map > Add and Edit Match Criterion > IM Subscriber

Select IM Subscriber to match the SIP IM subscriber.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps >
SIP Class Maps from the Object Type selector. Right-click inside the work area,
then select New Object or right-click a row, then select Edit Object. The Add or
Edit SIP Class Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select IM Subscriber as your criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating SIP Class Map Objects, page 8-70

Field Reference

Table F-114    Add and Edit SIP Class Map > Add and Edit Match Criterion > IM Subscriber

Element              Description

Criterion
    Shows IM Subscriber as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is excluded
    from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    - Regular Expression: Lists the defined regular expressions to match. Enter
      the information in the field provided or click Select, which opens a list
      of available regular expressions from which to make your selection.
      You can configure Regular Expressions for use in pattern matching.
      Regular expressions that start with default are default regular
      expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Class Map > Add and Edit Match Criterion > Message Path

Select Message Path to match the SIP Via header.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps >
SIP Class Maps from the Object Type selector. Right-click inside the work area,
then select New Object or right-click a row, then select Edit Object. The Add or
Edit SIP Class Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Message Path as your criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating SIP Class Map Objects, page 8-70

Field Reference

Table F-115    Add and Edit SIP Class Map > Add and Edit Match Criterion > Message Path

Element              Description

Criterion
    Shows Message Path as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is excluded
    from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    - Regular Expression: Lists the defined regular expressions to match. Enter
      the information in the field provided or click Select, which opens a list
      of available regular expressions from which to make your selection.
      You can configure Regular Expressions for use in pattern matching.
      Regular expressions that start with default are default regular
      expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Class Map > Add and Edit Match Criterion > Third Party Registration

Select Third Party Registration to match the requester of a third-party
registration.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps >
SIP Class Maps from the Object Type selector. Right-click inside the work area,
then select New Object or right-click a row, then select Edit Object. The Add or
Edit SIP Class Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Third Party Registration as your criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating SIP Class Map Objects, page 8-70

Field Reference

Table F-116    Add and Edit SIP Class Map > Add and Edit Match Criterion > Third Party Registration

Element              Description

Criterion
    Shows Third Party Registration as the selected criterion of SIP traffic to
    match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is excluded
    from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    - Regular Expression: Lists the defined regular expressions to match. Enter
      the information in the field provided or click Select, which opens a list
      of available regular expressions from which to make your selection.
      You can configure Regular Expressions for use in pattern matching.
      Regular expressions that start with default are default regular
      expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Class Map > Add and Edit Match Criterion > URI Length

Select URI Length to match a URI in the SIP headers.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps >
SIP Class Maps from the Object Type selector. Right-click inside the work area,
then select New Object or right-click a row, then select Edit Object. The Add or
Edit SIP Class Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select URI Length as your criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating SIP Class Map Objects, page 8-70

Field Reference

Table F-117    Add and Edit SIP Class Map > Add and Edit Match Criterion > URI Length

Element              Description

Criterion
    Shows URI Length as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is excluded
    from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

URI Type
    Specifies whether to match a SIP URI or a TEL URI.

Greater Than Length
    Specifies the URI length in bytes. Values are 0-65536.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Class Map > Add and Edit Match Criterion > Request Method

Select Request Method to match the SIP resource method.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps >
SIP Class Maps from the Object Type selector. Right-click inside the work area,
then select New Object or right-click a row, then select Edit Object. The Add or
Edit SIP Class Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Request Method as your criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating SIP Class Map Objects, page 8-70

Field Reference

Table F-118    Add and Edit SIP Class Map > Add and Edit Match Criterion > Request Method

Element              Description

Criterion
    Shows URI Length as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is excluded
    from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Resource Method
    Specifies a request method:
    - ack: Confirms that the client has received a final response to an INVITE
      request.
    - bye: Terminates a call and can be sent by either the caller or the
      callee.
    - cancel: Cancels any pending searches but does not terminate a call that
      has already been accepted.
    - info: Communicates mid-session signaling information along the signaling
      path for the call.
    - invite: Indicates a user or service is being invited to participate in a
      call session.
    - message: Sends instant messages where each message is independent of any
      other message.
    - notify: Notifies a SIP node that an event which has been requested by an
      earlier SUBSCRIBE method has occurred.
    - options: Queries the capabilities of servers.
    - prack: Provisional response acknowledgement.
    - refer: Requests that the recipient REFER to a resource provided in the
      request.
    - register: Registers the address listed in the To header field with a SIP
      server.
    - subscribe: Requests notification of an event or set of events at a later
      time.
    - unknown: Uses a nonstandard extension that could have unknown security
      impacts on the network.
    - update: Permits a client to update parameters of a session but has no
      impact on the state of a dialog.

OK button
    Saves your changes to the server and closes the dialog box.
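The SIP match criteria described above (Called Party through Request Method) all follow one pattern: a criterion reads one part of the message (a header, the request line, the Content-Length value) and the Matches or Doesn't Match polarity decides whether a hit includes or excludes the traffic. The following Python model is an added illustration of how such criteria compose into a class map; it is not code from Cisco Security Manager or from the security appliance. It assumes match-all semantics (every criterion in the class map must hold), a minimal header-only SIP parser, and a constructed INVITE message; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample SIP INVITE (headers only); not captured from any real system.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.example.org;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.org\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 142\r\n"
    "\r\n"
)

@dataclass
class SipMessage:
    method: str              # request method from the request line, e.g. INVITE
    request_uri: str         # Request-URI, e.g. sip:bob@example.com
    headers: Dict[str, str]  # header name (lower-cased) -> value

def parse_sip(raw: str) -> SipMessage:
    """Minimal SIP request parser: request line plus headers, body ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipMessage(method, uri, headers)

# A criterion is a predicate over the parsed message; the class map pairs it
# with a polarity (True = Matches, False = Doesn't Match).
Criterion = Callable[[SipMessage], bool]
Rule = Tuple[Criterion, bool]

def header_regex(header: str, pattern: str) -> Criterion:
    """Shared by Called Party (To), Calling Party (From) and Message Path (Via)."""
    compiled = re.compile(pattern)
    return lambda m: compiled.search(m.headers.get(header, "")) is not None

def called_party(pattern: str) -> Criterion:
    return header_regex("to", pattern)

def calling_party(pattern: str) -> Criterion:
    return header_regex("from", pattern)

def message_path(pattern: str) -> Criterion:
    return header_regex("via", pattern)

def content_length_greater_than(limit: int) -> Criterion:
    def check(m: SipMessage) -> bool:
        try:
            return int(m.headers.get("content-length", "0")) > limit
        except ValueError:  # a non-numeric header value never matches
            return False
    return check

def content_type_sdp() -> Criterion:
    return lambda m: m.headers.get("content-type", "").lower() == "application/sdp"

def request_method(name: str) -> Criterion:
    return lambda m: m.method.upper() == name.upper()

def uri_length_greater_than(limit: int, uri_type: str = "sip") -> Criterion:
    """URI Length criterion restricted to one URI type (sip or tel)."""
    return lambda m: (m.request_uri.lower().startswith(uri_type + ":")
                      and len(m.request_uri) > limit)

def evaluate_class_map(msg: SipMessage, rules: List[Rule]) -> bool:
    """Match-all semantics (an assumption of this model): every rule must hold.
    A rule with polarity False holds only when its criterion does NOT match."""
    return all(criterion(msg) == polarity for criterion, polarity in rules)

# Example class map: INVITEs to example.com carrying an SDP body over 100 bytes
# whose caller is not at example.net (the last rule uses Doesn't Match).
EXAMPLE_CLASS_MAP: List[Rule] = [
    (called_party(r"@example\.com>?$"), True),
    (request_method("invite"), True),
    (content_type_sdp(), True),
    (content_length_greater_than(100), True),
    (calling_party(r"@example\.net"), False),
]

def classify(raw: str, rules: List[Rule] = EXAMPLE_CLASS_MAP) -> bool:
    return evaluate_class_map(parse_sip(raw), rules)
```

Running `classify(SAMPLE_INVITE)` returns True for the example class map; swapping the last rule for `(calling_party(r"@example\.org"), False)` returns False, because the sample's From header does contain example.org and a Doesn't Match rule excludes it, which is the behaviour the Type row above describes.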


DNS Maps Page

Use the DNS Maps page to define DNS maps for DNS inspection. From this page,
you can add, edit, and delete objects, and edit policy override settings. You
can also generate usage reports of policies that use the object.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps >
DNS Maps from the Object Type selector.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Managing Existing Objects, page 8-9
- Guidelines for Managing Objects, page 8-4
- Understanding the Policy Object Manager Window, page 8-5
- How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference

Table F-119    DNS Maps Page

Element              Description

Filter
    Filters the information displayed in the table. Click the arrow to display
    the filtering bar, which enables you to set filtering parameters. See
    Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a star
    indicate predefined objects that cannot be modified. The icon is displayed
    after the object is defined.

Name
    Shows the name of the DNS map. Names can be sorted in ascending or
    descending order.

Parameters
    Identifies a constant whose values vary with the circumstances of its
    application.

Criterion
    Shows the criterion of the DNS class map.

Type
    Shows the match type, which can be a positive or negative match.

Value
    Shows the value to match in the DNS class map.

Action
    Shows what action to take based on the defined settings.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden by object
    values defined at device level. See Allowing a Global Object to Be
    Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point at the
    icon to display a tooltip with the text of the description. Descriptions
    help you identify a policy.
    Tip: Double-click the icon to display the text of the description in a
    popup window.

New Object button
    Enables you to create an object. See Creating DNS Map Objects, page 8-73.

Edit Object button
    Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or
    nested within another object, you are prompted to modify or delete the
    reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Add and Edit DNS Map Dialog Boxes

Use the Add and Edit DNS Map dialog boxes to define DNS Maps.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps >
DNS Maps from the Object Type selector. Right-click inside the work area, then
select New Object or right-click a row, then select Edit Object.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating DNS Map Objects, page 8-73

Field Reference

Table F-120    Add and Edit DNS Map Dialog Boxes

Element (1)          Description

Name*
    Identifies the name of the DNS map. Names can be sorted in ascending or
    descending order. A maximum of 40 characters is allowed.

Description
    Enables you to enter a description to help you identify an object. A
    maximum of 200 characters is allowed.

Protocol Conformance
    Defines DNS security settings and actions. For a description of the GUI
    elements, see Table F-121.

Filtering
    Defines the filtering settings for DNS. For a description of the GUI
    elements, see Table F-122.

Mismatch Rate
    Defines the ID mismatch rate for DNS. For a description of the GUI
    elements, see Table F-123.

Match Condition and Action
    Enables you to configure the action to take when certain conditions are
    matched. For a description of the GUI elements, see Table F-124.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    Allows you to configure different Xauth credentials on the remote client.
    When selected, the global Credentials List object definition defined here
    is changed at the device level. See Allowing a Global Object to Be
    Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing a Credentials object that can be overridden, click the
    Edit button to display the Policy Object Overrides Window, page F-565.
    From here you can create, edit, and view device-level overrides.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set
    overrides.

OK button
    Saves your changes to the server and closes the page.

1. An asterisk indicates that the field is required.

Add and Edit DNS Map > Protocol Conformance

Use Protocol Conformance to define DNS security settings and actions.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps >
DNS Maps from the Object Type selector. Right-click inside the work area, then
select New Object or right-click a row, then select Edit Object. The Add or Edit
DNS Map dialog box appears based on your selection.

Note: The Protocol Conformance tab opens by default the first time the dialog
box is accessed.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating DNS Map Objects, page 8-73

Field Reference

Table F-121    Add and Edit DNS Map > Protocol Conformance

Element (1)          Description

Name
    Identifies the name of the DNS map. Names can be sorted in ascending or
    descending order. A maximum of 40 characters is allowed.

Description
    Enables you to enter a description to help you identify an object. A
    maximum of 200 characters is allowed.

Enable DNS Guard Function
    Performs a DNS query and response mismatch check using the identification
    field in the DNS header. One response per query is allowed to go through
    the security appliance.

Generate Syslog for ID Mismatch
    Reports excessive instances of DNS identifier mismatches.

Randomize the DNS Identifier for DNS Query
    Randomizes the DNS identifier in the DNS query message.

Enable NAT Rewrite Function
    Enables IP address translation in the A record of the DNS response.

Enable Protocol Enforcement
    Enables DNS message format check, including domain name, label length,
    compression, and looped pointer check.

Require Authentication Between DNS Server (RFC2845)
    RFC specifications for the protocol that is inspected.

Action
    Shows what action to take based on the defined settings.
    - Drop Packet and Log: Drops the packet and enables logging.
    - Log: Enables logging.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit button
    to display the Policy Object Overrides page. From here you can create,
    edit, and view device-level overrides; however, you must first save the
    policy object before you define override settings. For a description of
    the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set
    overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
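Enable Protocol Enforcement above lists what a DNS message format check covers: domain name, label length, compression, and looped pointer. The following Python example is added here to show what those checks look like on the wire; it is not code from Cisco Security Manager or the security appliance, and how the appliance itself implements the check is not described on this page. The example walks the question and resource record sections of a DNS message, rejects any label octet above 63 (which also covers the reserved 01 and 10 label types), rejects names longer than 255 octets, and treats any compression pointer that does not point strictly backwards as a looped pointer. The sample messages are constructed inline (a query, a compressed response, a self-referencing pointer and an oversized label); the function names are the example's own.

```python
import struct
from typing import Dict, List, Tuple

MAX_LABEL_OCTETS = 63   # RFC 1035 label limit; 64..191 are the reserved label types
MAX_NAME_OCTETS = 255   # RFC 1035 limit on the wire form of a name
HEADER_LEN = 12

class DnsFormatError(ValueError):
    """A violation of the DNS message format rules enforced here."""

def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name. Returns (name, offset after the name
    as it sits in the message, i.e. just past the first pointer if any)."""
    labels: List[str] = []
    pos = offset
    resume = -1      # where the caller continues once a pointer was followed
    wire_len = 0     # octets of the uncompressed name, for the 255 limit
    while True:
        if pos >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if pos + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            # RFC 1035 pointers refer to a *prior* occurrence; anything that
            # does not move strictly backwards can only loop, so reject it.
            if target >= pos:
                raise DnsFormatError("looped compression pointer")
            if resume < 0:
                resume = pos + 2
            pos = target
            continue
        if length == 0:                            # root label ends the name
            pos += 1
            break
        if length > MAX_LABEL_OCTETS:
            raise DnsFormatError(f"label length {length} exceeds {MAX_LABEL_OCTETS}")
        if pos + 1 + length > len(msg):
            raise DnsFormatError("label runs past end of message")
        wire_len += 1 + length
        if wire_len + 1 > MAX_NAME_OCTETS:         # +1 for the terminating zero
            raise DnsFormatError("name exceeds 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", (resume if resume >= 0 else pos)

def enforce_protocol(msg: bytes) -> Dict[str, object]:
    """Walk every section and validate each name; returns a small summary."""
    if len(msg) < HEADER_LEN:
        raise DnsFormatError("header shorter than 12 octets")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:HEADER_LEN])
    pos = HEADER_LEN
    names: List[str] = []
    for _ in range(qdcount):
        name, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise DnsFormatError("truncated question")
        pos += 4                                   # QTYPE, QCLASS
        names.append(name)
    for _ in range(ancount + nscount + arcount):
        name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise DnsFormatError("truncated resource record")
        (rdlength,) = struct.unpack("!H", msg[pos + 8:pos + 10])
        pos += 10 + rdlength                       # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if pos > len(msg):
            raise DnsFormatError("RDATA runs past end of message")
        names.append(name)
    return {"id": ident, "response": bool(flags & 0x8000), "names": names}

def inspect(msg: bytes) -> str:
    """Verdict string that a drop-and-log action could be keyed on."""
    try:
        enforce_protocol(msg)
        return "pass"
    except DnsFormatError as err:
        return f"drop: {err}"

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"

# Constructed sample messages (not captured traffic).
QUESTION = encode_name("www.example.com") + struct.pack("!HH", 1, 1)  # A, IN
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
# Answer whose owner name is a pointer back to the question name at offset 12.
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
# Question name is a pointer to itself: a looped pointer.
LOOPED = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
# A 64-octet label, one more than the format allows.
LONG_LABEL = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
              + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1))
```

`inspect(QUERY)` and `inspect(RESPONSE)` return "pass", while `inspect(LOOPED)` and `inspect(LONG_LABEL)` return a "drop: ..." verdict naming the violated rule. The strictly-backwards pointer rule is what makes loop detection cheap: no visited set is needed, because every pointer hop lowers the offset.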

Add and Edit DNS Map > Filtering

Select Filtering to define the filtering settings for DNS.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps >
DNS Maps from the Object Type selector. Right-click inside the work area, then
select New Object or right-click a row, then select Edit Object. The Add or Edit
DNS Map dialog box appears based on your selection. Click Filtering.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating DNS Map Objects, page 8-73

Field Reference

Table F-122    Add and Edit DNS Map > Filtering

Element (1)          Description

Name
    Identifies the name of the DNS map. Names can be sorted in ascending or
    descending order. A maximum of 40 characters is allowed.

Description
    Enables you to enter a description to help you identify an object. A
    maximum of 200 characters is allowed.

Drop Packets that Exceed Specified Length
    (Global setting) Drops packets that exceed maximum length in bytes.

Maximum Packet Length
    Enables you to enter maximum packet length in bytes.

Drop Packets Sent to Server that Exceed Specified Maximum Length
    Applies settings on the server only. Drops packets that exceed maximum
    length in bytes.

Maximum Length
    Enables you to enter maximum packet length in bytes.

Drop Packets Sent to Server that Exceed Length Indicated by Resource Record
    Drops packets sent to the server that exceed the length indicated by the
    Resource Record.

Drop Packets Sent to Client that Exceed Specified Length
    Applies settings on the client only. Drops packets that exceed maximum
    length in bytes.

Maximum Length
    Enables you to enter maximum packet length in bytes.

Drop Packets Sent to Client that Exceed Length Indicated by Resource Record
    Drops packets sent to the client that exceed the length indicated by the
    Resource Record.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit button
    to display the Policy Object Overrides page. From here you can create,
    edit, and view device-level overrides; however, you must first save the
    policy object before you define override settings. For a description of
    the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set
    overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit DNS Map > Mismatch Rate


Select Mismatch Rate to configure the ID mismatch rate for DNS.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click
Mismatch Rate.

User Guide for Cisco Security Manager 3.1

F-210

OL-11501-03

Appendix F

Policy Object Manager User Interface Reference


DNS Maps Page

Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73

Field Reference
Table F-123 Add and Edit DNS Map > Mismatch Rate

Name
Identifies the name of the DNS map. Names can be sorted in ascending or descending order. A maximum of 40 characters is allowed.

Description
Enables you to enter a description to help you identify an object. A maximum of 200 characters is allowed.

Log When DNS ID Mismatch Rate Exceeds
When selected, reports excessive instances of DNS identifier mismatches based on:
Threshold - The maximum number of mismatch instances allowed before a system message log is sent. Values are 0 to 4294967295.
Time Interval - The time period to monitor, in seconds. Values are 1 to 31536000.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note
No commands are generated for the category attribute.

Allow Value Override per Device
When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198. When deselected, does not allow the global object definition to be overridden.
Tip
When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
Note
Selecting Allow Value Override per Device does not automatically set overrides.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
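The Threshold and Time Interval fields above describe a rate check over DNS responses whose 16-bit transaction ID matches no query that is still waiting for an answer. The following Python is an added example written for this guide, not Cisco Security Manager or ASA code: it implements that check as a sliding-window counter with the same value limits the dialog box enforces. The event tuples (timestamp, direction, transaction ID) and the traffic in run_sample() are constructed for illustration, and the exact windowing and reset behaviour of the appliance are not described on this page, so they are assumptions here.

```python
from collections import deque


class DnsIdMismatchMonitor:
    """Sliding-window counter modelled on the Mismatch Rate tab.

    A mismatch is a DNS response whose transaction ID matches no query
    still awaiting an answer. When more than `threshold` mismatches fall
    inside `interval_seconds`, one log message is emitted and the window
    is reset, so one burst produces one message (assumed behaviour).
    """

    def __init__(self, threshold, interval_seconds):
        # Same limits the dialog box enforces.
        if not 0 <= threshold <= 4294967295:
            raise ValueError("threshold must be between 0 and 4294967295")
        if not 1 <= interval_seconds <= 31536000:
            raise ValueError("time interval must be between 1 and 31536000 seconds")
        self.threshold = threshold
        self.interval = interval_seconds
        self.outstanding = set()       # transaction IDs of unanswered queries
        self.mismatch_times = deque()  # timestamps of mismatches in the window
        self.logs = []                 # emitted system log messages

    def observe(self, ts, direction, txid):
        """Feed one DNS message; return True when a log message was emitted.

        ts is in seconds; direction is 'query' (client to server) or 'response'.
        """
        if direction == "query":
            self.outstanding.add(txid)
            return False
        if txid in self.outstanding:
            self.outstanding.discard(txid)  # normal answer, nothing to count
            return False
        # A response nobody asked for: a forged answer carrying a guessed ID,
        # the pattern a cache-poisoning attempt against a resolver produces.
        self.mismatch_times.append(ts)
        while self.mismatch_times and ts - self.mismatch_times[0] > self.interval:
            self.mismatch_times.popleft()  # discard mismatches older than the window
        if len(self.mismatch_times) > self.threshold:
            self.logs.append(
                f"t={ts:.1f}s DNS ID mismatch rate exceeded: "
                f"{len(self.mismatch_times)} mismatches within {self.interval}s"
            )
            self.mismatch_times.clear()
            return True
        return False


def run_sample():
    """Constructed traffic: one legitimate exchange, a burst of six forged
    responses with unrelated IDs, then a single stray response much later.
    Returns (log messages, per-event 'log emitted' flags)."""
    mon = DnsIdMismatchMonitor(threshold=5, interval_seconds=10)
    events = [(0.0, "query", 0x1A2B), (0.1, "response", 0x1A2B)]
    events += [(1.0 + i * 0.1, "response", 0x4000 + i) for i in range(6)]
    events.append((20.0, "response", 0x7777))
    fired = [mon.observe(*e) for e in events]
    return mon.logs, fired


if __name__ == "__main__":
    for line in run_sample()[0]:
        print(line)
```

With threshold 5 and a 10-second interval, the sixth forged response inside the window is the one that produces the message; the lone stray response at 20 seconds starts a fresh count and stays below the threshold. A threshold of 0 logs on the first mismatch.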

Add and Edit DNS Map > Match Condition and Action
Select the Match Condition and Action tab to define match criterion and
subsequent actions for DNS Map inspection.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click
Match Condition and Action.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73

Field Reference
Table F-124 Add and Edit DNS Map > Match Condition and Action

Name
Identifies the name of the DNS map. Names can be sorted in ascending or descending order. A maximum of 40 characters is allowed.

Description
Enables you to enter a description to help you identify an object. A maximum of 200 characters is allowed.

Match All Table
Type
Shows the match type, which can be a positive or negative match.
Criterion
Shows the criterion of the DNS inspection.
Value
Shows the value to match in the DNS inspection.
Action
Shows what action to take based on the defined settings.
New Object button
Enables you to create an object. See Creating DNS Map Objects, page 8-73.
Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.
Delete Object button
Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note
An object used in a rule or within another object cannot be deleted.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note
No commands are generated for the category attribute.

Allow Value Override per Device
When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198. When deselected, does not allow the global object definition to be overridden.
Tip
When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
Note
Selecting Allow Value Override per Device does not automatically set overrides.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit DNS Map > Add and Edit Match Condition and Action Dialog Boxes
Use the Add and Edit Match Condition and Action dialog boxes to define match
criterion and subsequent actions for DNS Map inspection.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click the
Match Condition and Action tab. Right-click inside the table, then select
Add Row or right-click a row, then select Edit Row.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73


Field Reference
Table F-125 Add and Edit DNS Map > Add and Edit Match Condition and Action

Match Type
Specifies where the match values come from: entered directly in this dialog box or taken from an existing DNS class map.
Use Specified Values - Enables you to define the match criterion directly. See the description for Criterion that follows.
Use Values in Class Map - Enables you to use an existing class map or define a new class map. For a description of the GUI elements, see Table F-132.

Criterion
DNS Class - Matches a DNS query or resource record class. For a description of the GUI elements, see Table F-126.
DNS Type - Matches a DNS query or resource record type. For a description of the GUI elements, see Table F-127.
Domain Name - Matches a domain name from a DNS query or resource record. For a description of the GUI elements, see Table F-128.
Header Flag - Matches a DNS flag in the header. For a description of the GUI elements, see Table F-129.
Question - Matches a DNS question. For a description of the GUI elements, see Table F-130.
Resource Record - Matches a DNS resource record. For a description of the GUI elements, see Table F-131.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Value/Option/Resource Record
Conditions that vary based on the criterion selected. The conditions are described in the criterion tables listed above.

Action
Shows what action to take based on the defined settings.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > DNS Class
Select DNS Class to match a DNS query or resource record class.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click
Match Condition and Action. Right-click inside the table, then select Add Row
or right-click a row, then select Edit Row. Select Use Specified Values as the
match type and DNS class as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73


Field Reference
Table F-126 Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > DNS Class

Criterion
Shows DNS Class as the selected criterion.

Type
Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Value
Internet - A string representation of the DNS Class field with a value of 1 (class IN).
DNS Class Field Value - Lets you enter an arbitrary value between 0 and 65535 to match.
DNS Class Field Range - Lets you enter a range to match. Both values must be between 0 and 65535.

Action
Shows what action to take based on the defined settings:
Drop Connection
Drop Connection and Log
Drop Packet
Drop Packet and Log
Log
Enforce TSIG and Log
Enforce TSIG and Drop Packet
Enforce TSIG and Drop Packet and Log

OK button
Saves your changes to the server and closes the dialog box.

TSIG = Transaction signature.


Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > DNS Type
Select DNS Type to match a DNS query or resource record type.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click the
Match Condition and Action tab. Right-click inside the table, then select
Add Row or right-click a row, then select Edit Row. Select Use Specified Values
as the match type and DNS Type as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73

Field Reference
Table F-127 Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > DNS Type

Criterion
Shows DNS Type as the selected criterion.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Value
DNS Type Field Name - Lists the DNS types to select:
A - IPv4 address
AXFR - Full (zone) transfer
CNAME - Canonical name
IXFR - Incremental (zone) transfer
NS - Authoritative name server
SOA - Start of a zone of authority
TSIG - Transaction signature
DNS Type Field Value - Lets you enter an arbitrary value to match. Values are 0 to 65535.
DNS Type Field Range - Lets you enter a range to match. Values are 0 to 65535.

Action
Shows what action to take based on the defined settings:
Drop Connection
Drop Connection and Log
Drop Packet
Drop Packet and Log
Log
Enforce TSIG and Log
Enforce TSIG and Drop Packet
Enforce TSIG and Drop Packet and Log

OK button
Saves your changes to the server and closes the dialog box.


Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Domain Name
Select Domain Name to match a domain name from a DNS query or resource
record.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click the
Match Condition and Action tab. Right-click inside the table, then select
Add Row or right-click a row, then select Edit Row. Select Use Specified Values
as the match type and Domain Name as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73

Field Reference
Table F-128 Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Domain Name

Criterion
Shows Domain Name as the selected criterion.

Type
Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Value
Regular Expression - Lists the defined regular expressions to match. You can configure regular expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions whose names start with "default" are default regular expressions and cannot be modified or deleted.
Regular Expression Group - Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expression groups from which to make your selection.

Action
Shows what action to take based on the defined settings:
Drop Connection
Drop Connection and Log
Drop Packet
Drop Packet and Log
Log
Enforce TSIG and Log
Enforce TSIG and Drop Packet
Enforce TSIG and Drop Packet and Log

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
2. TSIG = Transaction signature.


Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Header Flag
Select Header Flag to match a DNS flag in the header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click the
Match Condition and Action tab. Right-click inside the table, then select
Add Row or right-click a row, then select Edit Row. Select Use Specified Values
as the match type and Header Flag as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73

Field Reference
Table F-129 Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Header Flag

Criterion
Shows Header Flag as the selected criterion.

Type
Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Options
Equals - Specifies an exact match: the header flags field must equal the selected value.
Contains - Specifies a bit mask match: every selected flag bit must be set in the header; other bits are not considered.

Value
Header Flag Name - Lets you select one or more header flag names to match:
AA - Authoritative Answer
QR - Query/Response
RA - Recursion Available
RD - Recursion Desired
TC - Truncation
Header Flag Value (0x) - Lets you enter an arbitrary 16-bit value in hexadecimal to match.

Action
Shows what action to take based on the defined settings:
Drop Connection
Drop Connection and Log
Drop Packet
Drop Packet and Log
Log
Mask
Mask and Log
Enforce TSIG and Log
Enforce TSIG and Drop Packet
Enforce TSIG and Drop Packet and Log

OK button
Saves your changes to the server and closes the dialog box.

TSIG = Transaction signature.


Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Question
Select Question to match a DNS question.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click
Match Condition and Action. Right-click inside the table, then select Add Row
or right-click a row, then select Edit Row. Select Use Specified Values as the
match type and Question as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73

Field Reference
Table F-130 Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Question

Criterion
Shows Question as the selected criterion.

Type
Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Action
Shows what action to take based on the defined settings:
Drop Connection
Drop Connection and Log
Drop Packet
Drop Packet and Log
Log
Enforce TSIG and Log
Enforce TSIG and Drop Packet
Enforce TSIG and Drop Packet and Log

OK button
Saves your changes to the server and closes the dialog box.

TSIG = Transaction signature.

Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Resource Record
Select Resource Record to match on a section of the DNS message: the answer, authority, or additional resource record section.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click
Match Condition and Action. Right-click inside the table, then select Add Row
or right-click a row, then select Edit Row. Select Use Specified Values as the
match type and Resource Record as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73


Field Reference
Table F-131 Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Specified Values > Resource Record

Criterion
Shows Resource Record as the selected criterion.

Type
Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Resource Record
Lists the sections to match:
Additional - DNS additional resource record section
Answer - DNS answer resource record section
Authority - DNS authority resource record section

Action
Shows what action to take based on the defined settings:
Drop Connection
Drop Connection and Log
Drop Packet
Drop Packet and Log
Log
Enforce TSIG and Log
Enforce TSIG and Drop Packet
Enforce TSIG and Drop Packet and Log

OK button
Saves your changes to the server and closes the dialog box.

TSIG = Transaction signature.
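Tables F-126 through F-131 describe match criteria in terms of fields of the DNS message: class and type codes (single value or range), names matched by regular expression, the header flag bits with Equals versus Contains semantics, and the presence of a question or of a given resource record section. The following Python is an added example for this guide, not Cisco Security Manager or ASA code: a minimal DNS wire-format parser (RFC 1035 header, question and resource record sections, including compression pointers) and an evaluator that applies rows of the kind the dialog boxes build, including the Matches/Doesn't Match inversion. The rule dictionary format, the action strings, and the reading of Equals as exact equality of the whole 16-bit flags field are assumptions for illustration; the sample response in build_sample_response() is constructed.

```python
import re
import struct

# Header flag bits named in the Header Flag criterion (RFC 1035 layout).
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
# Type codes offered by the DNS Type criterion; IN is DNS class 1.
TYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TSIG": 250, "IXFR": 251, "AXFR": 252}
CLASS_IN = 1


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2                  # caller resumes after the pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse(msg):
    """Parse the header, the question and the three resource record sections."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, question = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        question.append({"name": name, "type": qtype, "class": qclass})
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            sections[section].append({"name": name, "type": rtype, "class": rclass})
            off += rdlen                       # skip RDATA; not needed for matching
    return {"id": txid, "flags": flags, "question": question, **sections}


def evaluate(parsed, cond):
    """Apply one match row: criterion, its value, and Matches / Doesn't Match."""
    records = parsed["question"] + parsed["answer"] + parsed["authority"] + parsed["additional"]
    crit = cond["criterion"]
    if crit == "header_flag":
        mask = sum(FLAG_BITS[f] for f in cond["flags"])
        if cond.get("option", "contains") == "equals":
            hit = parsed["flags"] == mask          # Equals: exact flags field (assumed)
        else:
            hit = parsed["flags"] & mask == mask   # Contains: all selected bits set
    elif crit in ("dns_type", "dns_class"):
        lo, hi = cond["range"]                     # a single value is given as (v, v)
        key = "type" if crit == "dns_type" else "class"
        hit = any(lo <= r[key] <= hi for r in records)
    elif crit == "domain_name":
        hit = any(re.search(cond["regex"], r["name"]) for r in records)
    elif crit == "question":
        hit = bool(parsed["question"])
    elif crit == "resource_record":
        hit = bool(parsed[cond["section"]])        # "answer", "authority" or "additional"
    else:
        raise ValueError(f"unknown criterion {crit!r}")
    return hit if cond.get("type", "matches") == "matches" else not hit


def apply_map(parsed, rules):
    """Return (rule name, action) for every row whose condition is met."""
    return [(name, action) for name, cond, action in rules if evaluate(parsed, cond)]


def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def build_sample_response():
    """Constructed reply for www.example.com: QR|RD|RA set, one A answer and one
    NS authority record, with compression pointers as real servers emit them."""
    header = struct.pack("!6H", 0x1A2B, FLAG_BITS["QR"] | FLAG_BITS["RD"] | FLAG_BITS["RA"], 1, 1, 1, 0)
    question = encode_name("www.example.com") + struct.pack("!HH", TYPE_CODES["A"], CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CODES["A"], CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    ns_rdata = encode_name("ns1.example.com")     # 0xC010 points at "example.com" in the question
    authority = b"\xc0\x10" + struct.pack("!HHIH", TYPE_CODES["NS"], CLASS_IN, 3600, len(ns_rdata)) + ns_rdata
    return header + question + answer + authority


def sample_results():
    rules = [
        ("exact-flags", {"criterion": "header_flag", "option": "equals", "flags": ["QR", "RD", "RA"]}, "log"),
        ("exact-rd-ra", {"criterion": "header_flag", "option": "equals", "flags": ["RD", "RA"]}, "log"),
        ("mask-rd-ra", {"criterion": "header_flag", "option": "contains", "flags": ["RD", "RA"]}, "log"),
        ("block-xfr", {"criterion": "dns_type", "range": (251, 252)}, "drop connection and log"),
        ("ext-domain", {"criterion": "domain_name", "regex": r"\.example\.com$"}, "log"),
        ("has-authority", {"criterion": "resource_record", "section": "authority"}, "enforce tsig and log"),
        ("not-internet", {"criterion": "dns_class", "range": (1, 1), "type": "doesnt_match"}, "drop packet"),
    ]
    return apply_map(parse(build_sample_response()), rules)
```

The two header flag rows show the difference the Options field makes: with the flags field 0x8180 (QR, RD, RA), Equals on RD and RA fails because QR is also set, while Contains on the same two flags succeeds. The zone-transfer rule (types 251 to 252) does not fire on an A/NS reply, and the Doesn't Match class rule stays silent because every record is class IN.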


Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Values in Class Map
Select Use Values in Class Map to match a DNS query using a DNS class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > DNS Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit DNS Map dialog box appears based on your selection. Click
Match Condition and Action. Right-click inside the table, then select Add Row
or right-click a row, then select Edit Row. Select Use Values in Class Map as the
match type.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating DNS Map Objects, page 8-73

Field Reference
Table F-132 Add and Edit DNS Map > Add and Edit Match Condition and Action > Use Values in Class Map

Match Type
Shows Use Values in Class Map as the selected match type.

Class Map*
Enables you to enter the name of the DNS class map or click Select, which opens the DNS Class Map Selector from which you can make your selection.

Action
Shows what action to take based on the defined settings:
Drop Connection
Drop Connection and Log
Drop Packet
Drop Packet and Log
Log
Mask
Mask and Log
Enforce TSIG and Log
Enforce TSIG and Drop Packet
Enforce TSIG and Drop Packet and Log

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
2. TSIG = Transaction signature.

FTP Maps Page


Use the FTP Maps page to define parameters for strict FTP inspection. From this
page, you can add, edit, and delete objects, and edit policy override settings. You
can also generate usage reports of policies that use the object.
After a configuration is generated for the device, the ftp-map command is shown.
You can use an FTP map to block specific FTP protocol methods, such as an FTP
PUT, from passing through the security appliance and reaching your FTP server.
Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object
Type selector.


Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference
Table F-133 FTP Maps Page

Filter
Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

[Icon]
Displays the icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name
Shows the name of the FTP map. Names can be sorted in ascending or descending order.

Parameters
Shows the parameter settings defined for the FTP map (masking of the server greeting banner and of the reply to SYST). See Table F-135.

Criterion
Shows the criterion of the FTP map.

Type
Shows the match type, which can be a positive or negative match.

Value
Shows the value to match in the FTP map.

Action
Shows what action to take based on the defined settings.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note
No commands are generated for the category attribute.

Overridable
Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

Description
Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify the object.
Tip
Double-click the icon to display the text of the description in a popup window.

New Object button
Enables you to create an object. See Creating FTP Map Objects, page 8-76.

Edit Object button
Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
Note
An object used in a rule or within another object cannot be deleted.

Add and Edit FTP Map Dialog Boxes


Use the Add and Edit FTP Map dialog boxes to define the match criterion and
values for the FTP inspect map.
Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object
Type selector. Right-click inside the table, then select New Object or right-click
a row, then select Edit Object.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Map Objects, page 8-76

Editing Objects, page 8-10


Field Reference
Table F-134 Add and Edit FTP Map Dialog Boxes

Name*
Enables you to enter the name of the object. A maximum of 40 characters is allowed.

Description
Enables you to enter a description to help you identify an object. A maximum of 200 characters is allowed.

Parameters tab
Configures the FTP map parameters (masking of the server greeting banner and of the reply to SYST). For a description of the GUI elements, see Table F-135.

Match Condition and Action tab
Enables you to configure the action to take when certain conditions are matched. For a description of the GUI elements, see Table F-136.

Category
Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
Note
No commands are generated for the category attribute.

Validate For
Provides a list of platforms for which to perform validation.

Validate button
Initializes the validation process.

OK button
Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit FTP Map > Parameters


Use the Parameters tab to configure settings for the FTP Map object.
Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object
Type selector. Right-click inside the table, then select New Object or right-click
a row, then select Edit Object. The Add or Edit FTP Map dialog box appears
based on your selection.

Note

The Parameters tab opens by default the first time the dialog box is accessed.


Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61

Field Reference
Table F-135 Add and Edit FTP Map > Parameters

Mask Greeting Banner from Server
When selected, masks the greeting banner sent by the FTP server so that the client cannot learn the server software and version it advertises.

Mask Reply to SYST Command
When selected, masks the reply to the SYST command so that the client cannot learn the server's operating system type.

Add and Edit FTP Map > Match Conditions and Actions
Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object
Type selector. Right-click inside the table, then select New Object or right-click
a row, then select Edit Object. The Add or Edit FTP Map dialog box appears
based on your selection. Click Match Condition and Action.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61

Field Reference
Table F-136 Add and Edit FTP Map > Match Conditions and Actions

Type
Shows the match type, which can be a positive or negative match.

Criterion
Shows the criterion of the inspection.

Value
Shows the value to match in the inspection.

Action
Shows what action to take based on the defined settings.

New Object button
Enables you to create an object.

Edit Object button
Enables you to edit the selected object.

Delete Object button
Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.
Note
An object used in a rule or within another object cannot be deleted.

Add and Edit FTP Map > Add and Edit Match Condition and Action Dialog Boxes
Use the Add and Edit Match Condition and Action dialog boxes to define match
criterion and subsequent actions for FTP Map inspection.
Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object
Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. The Add or Edit FTP Map dialog box
appears based on your selection. Right-click inside the table, then select
Add Row, or right-click a row, then select Edit Row.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating FTP Class Map Objects, page 8-61


Field Reference
Table F-137 Add and Edit Match Condition and Action Dialog Boxes

Match Type
Specifies where the match values come from: entered directly in this dialog box or taken from an existing FTP class map.
Use Specified Values - Enables you to define the match criterion directly.
Use Values in Class Map - Enables you to use an existing class map or define a new class map.

Criterion
Shows the criterion of the FTP map:
Request Command - Matches an FTP request command. For a description of the GUI elements, see Table F-138.
Filename - Matches a filename for FTP transfer. For a description of the GUI elements, see Table F-139.
File Type - Matches a file type for FTP transfer. For a description of the GUI elements, see Table F-140.
Server - Matches an FTP server. For a description of the GUI elements, see Table F-141.
Username - Matches an FTP user. For a description of the GUI elements, see Table F-142.

Type
Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
Matches - Matches the criterion.
Doesn't Match - Does not match the criterion.

Request Commands
Enables you to select Request Command options when you select Request Command as your criterion.

Value
Enables you to define value options when you select a criterion other than Request Command.

Action
Shows what action to take based on the defined settings:
Reset
Reset and Log

OK button
Saves your changes to the server and closes the dialog box.

Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Command

Select Request Command to match an FTP request command.

Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit FTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Note: The match type appears with Use Specified Values by default and the criterion appears with Request Command by default.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-138 Add and Edit Match Condition and Action > Use Specified Values > Request Command

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Command as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Request Commands
    - Append (APPE): Appends to a file.
    - Delete (DELE): Deletes a file at the server site.
    - Help (HELP): Provides help information from the server.
    - Put (PUT): FTP client command for the stor (store a file) command.
    - Rename From (RNFR): Specifies the rename-from filename.
    - Server Specific Command (SITE): Specifies commands that are server specific. Usually used for remote administration.
    - Change to Parent (CDUP): Changes to the parent directory of the current working directory.
    - Get (GET): FTP client command for the retr (retrieve a file) command.
    - Create Directory (MKD): Creates a directory.
    - Remove Directory (RMD): Removes a directory.
    - Rename To (RNTO): Specifies the rename-to filename.
    - Store File with Unique Name (STOU): Stores a file with a unique filename.

Action
    Shows what action to take based on the defined settings.
    - Reset
    - Reset and Log

OK button
    Saves your changes to the server and closes the dialog box.


Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > Filename

Select Filename to match a filename for FTP transfer.

Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit FTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row. Select Use Specified Values as the match type and Filename as the criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-139 Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > Filename

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Filename as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match. You can configure regular expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Reset
    - Reset and Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > File Type

Select File Type to match a file type for FTP transfer.

Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit FTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row. Select Use Specified Values as the match type and File Type as the criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-140 Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > File Type

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows File Type as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match. You can configure regular expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Reset
    - Reset and Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > Server

Select Server to match an FTP server.

Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit FTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row. Select Use Specified Values as the match type and Server as the criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-141 Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > Server

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Server as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match. You can configure regular expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Reset
    - Reset and Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > Username

Select Username to match an FTP user.

Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit FTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row. Select Use Specified Values as the match type and Username as the criterion.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-142 Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Specified Values > Username

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Username as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match. You can configure regular expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Reset
    - Reset and Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Values in Class Map

Select Use Values in Class Map to match an FTP query using an FTP class map.

Navigation Path

Select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit FTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row. Select Use Values in Class Map as the match type.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Creating FTP Class Map Objects, page 8-61

Field Reference

Table F-143 Add and Edit FTP Map > Add and Edit Match Condition and Action > Use Values in Class Map

Match Type
    Shows Use Values in Class Map as the selected match type.

Class Map*
    Enables you to enter the FTP Class Map or click Select, which opens the FTP Class Map Selector from which you can make your selection.

Action
    Shows what action to take based on the defined settings.
    - Reset
    - Reset and Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
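The FTP match rows in Tables F-137 through F-143 combine a criterion (Request Command, Filename, File Type, Server or Username), a Type (Matches or Doesn't Match) and an action (Reset or Reset and Log). The following Python model is added here as an illustration of how those three parts combine; it is not code from Cisco Security Manager or from the inspected device. It evaluates a small constructed map against constructed FTP requests so that the inversion performed by Doesn't Match can be checked. A regular expression group is modelled as a list of patterns; the server name ftp.example.com, the request fields, and first-match-wins ordering are assumptions of the model.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Request Command keywords from Table F-138 (keyword -> GUI label).
REQUEST_COMMANDS: Dict[str, str] = {
    "appe": "Append", "dele": "Delete", "help": "Help", "put": "Put",
    "rnfr": "Rename From", "site": "Server Specific Command",
    "cdup": "Change to Parent", "get": "Get", "mkd": "Create Directory",
    "rmd": "Remove Directory", "rnto": "Rename To",
    "stou": "Store File with Unique Name",
}

# Every criterion other than Request Command is matched against one text field.
TEXT_CRITERIA: Dict[str, str] = {
    "Filename": "filename", "File Type": "file_type",
    "Server": "server", "Username": "username",
}


@dataclass
class MatchRow:
    """One row of the Match Condition and Action table (constructed model)."""
    criterion: str         # "Request Command" or a key of TEXT_CRITERIA
    match_type: str        # "Matches" or "Doesn't Match"
    values: Sequence[str]  # command keywords, or the patterns of a regex / regex group
    action: str            # "Reset" or "Reset and Log"

    def __post_init__(self) -> None:
        if self.match_type not in ("Matches", "Doesn't Match"):
            raise ValueError(f"unknown match type {self.match_type!r}")
        if self.action not in ("Reset", "Reset and Log"):
            raise ValueError(f"unknown action {self.action!r}")
        if self.criterion == "Request Command":
            bad = [v for v in self.values if v.lower() not in REQUEST_COMMANDS]
            if bad:
                raise ValueError(f"unknown request command(s): {bad}")
        elif self.criterion not in TEXT_CRITERIA:
            raise ValueError(f"unknown criterion {self.criterion!r}")
        else:
            for pattern in self.values:
                re.compile(pattern)  # reject a malformed regex when the row is defined


@dataclass
class FtpRequest:
    """Fields an FTP inspector would extract from one control-channel command (assumed)."""
    command: str
    filename: str = ""
    file_type: str = ""
    server: str = ""
    username: str = ""


def row_matches(row: MatchRow, req: FtpRequest) -> bool:
    """Apply one row; Doesn't Match inverts the raw hit, as the Type field describes."""
    if row.criterion == "Request Command":
        hit = req.command.lower() in {v.lower() for v in row.values}
    else:
        text = getattr(req, TEXT_CRITERIA[row.criterion])
        hit = any(re.search(pattern, text) for pattern in row.values)
    return (not hit) if row.match_type == "Doesn't Match" else hit


def evaluate(ftp_map: List[MatchRow], req: FtpRequest) -> Optional[str]:
    """Return the action of the first matching row, or None when the request is allowed.

    First-match-wins is a simplification of this model, not a statement about
    the order in which the device applies its checks.
    """
    for row in ftp_map:
        if row_matches(row, req):
            return row.action
    return None


# Constructed sample map. The approved server name is an assumption for the example.
SAMPLE_MAP: List[MatchRow] = [
    MatchRow("Request Command", "Matches", ["site", "dele", "rnfr", "rnto"], "Reset and Log"),
    MatchRow("Filename", "Matches", [r"\.exe$", r"\.scr$"], "Reset"),
    # Doesn't Match: only transfers whose server string contains the approved
    # name are excluded from the row; every other server is reset.
    MatchRow("Server", "Doesn't Match", [r"ftp\.example\.com"], "Reset and Log"),
]

if __name__ == "__main__":
    for req in (
        FtpRequest("site", server="ftp.example.com"),
        FtpRequest("stor", filename="tool.exe", server="ftp.example.com"),
        FtpRequest("retr", filename="report.pdf", server="ftp.example.com"),
        FtpRequest("retr", filename="notes.txt", server="ftp.other.net"),
    ):
        verdict = evaluate(SAMPLE_MAP, req) or "allowed"
        print(f"{req.command:5} {req.filename or '-':12} {req.server:18} -> {verdict}")
```

The third row is the one worth reading twice: with Doesn't Match, the row fires for every server except the approved one, which is the usual way to express an allow list with a negative match.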

GTP Maps Page


Use the GTP Maps page to define GTP maps for GTP inspection. From this page,
you can add, edit, and delete objects, and edit policy override settings. You can
also generate usage reports of policies that use the object.


Navigation Path

To access the GTP Maps page, select Tools > Policy Object Manager, then select GTP Maps from the Object Type selector.

Related Topics

- Filtering Tables, page 3-24
- Understanding Inspection Map Objects, page 8-57
- Understanding Category Objects, page 8-48
- Understanding the Policy Object Manager Window, page 8-5
- Policy Object Manager Window Shortcut Menu, page F-9
- Object Usage Window, page F-563

Field Reference

Table F-144 GTP Maps Page

Filter
    Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name
    Shows the name of the GTP map. Names can be sorted in ascending or descending order.

Parameters
    Identifies a constant whose values vary with the circumstances of its application.

Criterion
    Shows the criterion of the GTP map.

Type
    Shows the match type, which can be a positive or negative match.

Value
    Shows the value to match in the GTP map.

Action
    Shows what action to take based on the defined settings.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

Description
    Shows a description as an icon. A tooltip displays the content. Descriptions help you identify an object.

New Object button
    Enables you to create an object. See Creating GTP Map Objects, page 8-80.

Edit Object button
    Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Add and Edit GTP Map Dialog Boxes

Use the Add and Edit GTP Map dialog boxes to configure settings for the GTP policy object.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > GTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Note: The Parameters tab opens by default the first time the dialog box is accessed.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Understanding GTP Policy Maps, page 8-79
- Creating GTP Map Objects, page 8-80

Field Reference

Table F-145 Add and Edit GTP Map Dialog Boxes

Name*
    Enables you to enter the name of the GTP map. A maximum of 40 characters is allowed.

Description
    Identifies a user-defined GTP configuration map description to help you identify a configuration. A maximum of 200 characters is allowed.

Parameters tab
    Identifies a constant whose values vary with the circumstances of its application. Opens by default the first time the dialog box is accessed. For a description of the GUI elements, see Table F-146.

Match Condition and Action tab
    Enables you to configure the action to take when certain conditions are matched. For a description of the GUI elements, see Table F-150.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198. When deselected, does not allow the global object definition to be overridden.
    Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set overrides.

Validate For
    Provides a list of platforms for which to perform validation.

Validate button
    Initializes the validation process.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit GTP Map Dialog Boxes > Parameters

Use the Parameters tab to configure settings for the GTP policy object.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > GTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Note: The Parameters tab opens by default the first time the dialog box is accessed.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Understanding GTP Policy Maps, page 8-79
- Creating GTP Map Objects, page 8-80

Field Reference

Table F-146 Add and Edit GTP Map Dialog Boxes > Parameters

Name*
    Enables you to enter the name of the GTP map. A maximum of 40 characters is allowed.

Description
    Shows a description as an icon. A tooltip displays the content. Descriptions help you identify an object. A maximum of 200 characters is allowed.

Country and Network Codes Table
    Lists the three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc). For a description of the GUI elements, see Table F-147.

Create Object button
    Enables you to create an object. See Creating GTP Map Objects, page 8-80.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you to edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Permit Response Table
    Identifies GTP responses from a GSN that is different from the one to which the response was sent. For a description of the GUI elements, see Table F-148.

Create Object button
    Enables you to create an object. See Creating GTP Map Objects, page 8-80.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you to edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Request Queue
    Specifies the maximum number of requests allowed in the queue. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. Values are 1 to 9999999. Default is 200.

Tunnel Limit
    Specifies the maximum number of tunnels allowed.

Permit Errors
    When selected, permits packets with errors or different GTP versions. By default, all invalid packets or packets that failed during parsing are dropped.

Edit Timeouts button
    Opens the GTP Map Timeouts dialog box. For a description of the GUI elements, see Table F-149.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198. When deselected, does not allow the global object definition to be overridden.
    Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set overrides.

Validate For
    Provides a list of platforms for which to perform validation.

Validate button
    Initializes the validation process.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit GTP Map > Parameters > Add and Edit Country Network Codes Dialog Boxes

Use the Add and Edit Country Network Codes dialog boxes to change Mobile Country Code (mcc) and Mobile Network Code (mnc) values.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > GTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. Select the Parameters tab if it is not already selected. Right-click inside the Country and Network Codes table, then select Add Row, or right-click a row, then select Edit Row.

Note: The Parameters tab opens by default the first time the Add and Edit GTP Map dialog box is displayed.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Understanding GTP Policy Maps, page 8-79
- Creating GTP Map Objects, page 8-80

Field Reference

Table F-147 Add and Edit Country Network Codes Dialog Boxes

MCC* (000 to 999)
    Specifies the three-digit Mobile Country Code (mcc). Values are 000 to 999. One- or two-digit entries are prepended with 0s. Multiple entries are separated by a comma.

MNC* (000 to 999)
    Specifies the three-digit Mobile Network Code (mnc). Values are 000 to 999. One- or two-digit entries are prepended with 0s. Multiple entries are separated by a comma.

Add button
    Enables you to create an object.

Edit button
    Opens the appropriate object page for the selected object, enabling you to edit object settings.

Delete button
    Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.
    Note: An object used in a rule or within another object cannot be deleted.
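Table F-147 states the input rules for the MCC and MNC fields: three digits in the range 000 to 999, one- and two-digit entries padded with leading zeros, multiple entries separated by commas. The parser below is an added example, not Cisco Security Manager code; it normalizes a field exactly as the table describes and rejects anything else, so that a stray character or a four-digit entry is reported instead of being silently turned into a code for a different network. Dropping duplicate codes after padding is an assumption of the example.

```python
import re
from typing import List

# A code entry is one to three decimal digits; anything else is rejected.
CODE_RE = re.compile(r"\d{1,3}")


def normalize_codes(field_text: str) -> List[str]:
    """Parse a comma-separated MCC or MNC field into three-digit codes.

    Rules applied (from Table F-147): values 000 to 999, one- and two-digit
    entries are prepended with 0s, entries are separated by commas.
    Duplicates after padding are dropped (an assumption of this example).
    Raises ValueError on any entry that does not fit the format.
    """
    codes: List[str] = []
    for raw in field_text.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in code list")
        if not CODE_RE.fullmatch(entry):
            raise ValueError(f"invalid code {entry!r}: expected 1 to 3 digits (000 to 999)")
        code = entry.zfill(3)  # "1" -> "001", "23" -> "023", "456" unchanged
        if code not in codes:
            codes.append(code)
    return codes


def is_valid_code_list(field_text: str) -> bool:
    """True when the field would be accepted by normalize_codes."""
    try:
        normalize_codes(field_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the codes are placeholders, not real operators.
    for sample in ("1, 23,456", "310,310,01", "1234", "31a", "310,,311"):
        if is_valid_code_list(sample):
            print(f"{sample!r:14} -> {normalize_codes(sample)}")
        else:
            print(f"{sample!r:14} -> rejected")
```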

Add and Edit GTP Map > Parameters > Add and Edit Permit Response Dialog Boxes

Use the Add and Edit Permit Response dialog boxes to permit GTP responses from a GSN that is different from the one to which the response was sent.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > GTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. Select the Parameters tab if it is not already selected. Right-click inside the Permit Response table, then select Add Row, or right-click a row, then select Edit Row.

Note: The Parameters tab opens by default the first time the Add and Edit GTP Map dialog box is displayed.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Understanding GTP Policy Maps, page 8-79
- Creating GTP Map Objects, page 8-80

Field Reference

Table F-148 Add and Edit Permit Response Dialog Boxes

To Object Group*
    Identifies the source network/host object name of a host or network from which to allow GTP responses from a GSN that is different from the one to which the response was sent. Enter the object name in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: Only a named network/host object (except any) can be entered.

From Object Group*
    Identifies the destination network/host object name of a host or network from which to allow GTP responses from a GSN that is different from the one to which the response was sent. Enter the object name in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: Only a named network/host object (except any) can be entered.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit GTP Map > Parameters > GTP Map Timeouts Dialog Box

Use the GTP Map Timeouts dialog box to set timeout values.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > GTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. Select the Parameters tab if it is not already selected. Click Edit Timeouts.

Note: The Parameters tab opens by default the first time the Add and Edit GTP Map dialog box is displayed.

Related Topics

- Understanding Inspection Map Objects, page 8-57
- Understanding GTP Policy Maps, page 8-79
- Creating GTP Map Objects, page 8-80

Field Reference

Table F-149 GTP Map Timeouts Dialog Box

GSN Timeout
    Specifies the period of inactivity (hh:mm:ss) after which a GSN is removed. Default is 30 minutes.
    Note: A value of 0 means never tear down immediately.

PDP Context Timeout
    Specifies the maximum period of time allowed (hh:mm:ss) before beginning to receive the PDP context. Default is 30 minutes.
    Note: A value of 0 means never tear down immediately.

Request Queue Timeout
    Specifies the maximum period of time allowed (hh:mm:ss) before beginning to receive the GTP message. Default is 60 seconds.
    Note: A value of 0 means never tear down immediately.

Tunnel Timeout
    Specifies the period of inactivity (hh:mm:ss) after which the GTP tunnel is torn down. Default is 60 seconds (when a Delete PDP Context Request is not received).
    Note: A value of 0 means never tear down immediately.

Signaling Connections Timeout
    Specifies the period of inactivity (hh:mm:ss) after which the GTP signaling is removed. Default is 30 minutes.
    Note: A value of 0 means never tear down immediately.

T3 Response Timeout
    Specifies the maximum wait time for a response before removing the connection.

OK button
    Saves your changes to the server and closes the dialog box.


Add and Edit GTP Map > Match Condition and Action Tab
Use the Match Condition and Action tab to configure the action to take when
certain conditions are matched.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > GTP Maps from the Object Type selector. Right-click inside the
work area, then select New Object, or right-click a row, then select Edit Object.
Click the Match Condition and Action tab if it is not already selected.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding GTP Policy Maps, page 8-79

Creating GTP Map Objects, page 8-80

Field Reference
Table F-150

Add and Edit GTP Map Dialog Boxes > Match Condition and Action Tab

Element (1)

Description

Type

Shows the match type, which can be a positive or negative match.

Criterion

Shows the criterion of the GTP map, such as Access Point Name,
Message ID, Message Length, and Version.

Value

Shows the value to match in the GTP map.

Action

Shows what action to take based on the defined settings.

Create Object button

Enables you to create an object. See Creating GTP Map Objects, page 8-80.

Edit Object button

Opens the appropriate object page for the selected object, enabling you to
edit object settings. See Editing Objects, page 8-10.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or
nested within another object, you are prompted to modify or delete the
reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object used in a rule or within another object cannot be deleted.


Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Allow Value Override per Device

When selected, allows the global object definition to be changed at the
device level. See Allowing a Global Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.
Tip: When editing an object that can be overridden, click the Edit button
to display the Policy Object Overrides page. From here you can create,
edit, and view device-level overrides; however, you must first save the
policy object before you define override settings. For a description of
the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None

Shows that no overrides exist on the device. You must manually set
overrides in order to change the display. For more information, see
Overriding Global Objects for Individual Devices, page 8-197.
Note: Selecting Allow Value Override per Device does not automatically
set overrides.

Validate For

Provides a list of platforms for which to perform validation.

Validate button

Initializes the validation process.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit GTP Map > Add Match Condition and Action > Access Point Name
Use the Access Point Name criterion to define the access point names (APNs)
whose messages are dropped when GTP application inspection is enabled.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > GTP Maps from the Object Type selector. Right-click inside the
work area, then select New Object, or right-click a row, then select Edit Object.
Click the Match Condition and Action tab if it is not already selected.
Right-click inside the table, then select Add Row or right-click a row, then select
Edit Row. Select Access Point Name as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding GTP Policy Maps, page 8-79

Creating GTP Map Objects, page 8-80

Field Reference
Table F-151

Add and Edit GTP Map > Add Match Condition and Action > Access Point Name
Dialog Box

Element

Description

Criterion

Shows Access Point Name as the criterion selected.

Type

Specifies whether the class map includes traffic that matches the
criterion, or traffic that does not match the criterion. For example,
if Doesn't Match is selected on the string example.com, then any
traffic that contains example.com is excluded from the class map.

Matches: Matches the criterion.

Doesn't Match: Does not match the criterion.


Access Point Name

Identifies the access point names whose messages are dropped when GTP
application inspection is enabled.

Specified By: Specifies an access point name to be dropped. By default,
all messages with valid APNs are inspected, and any APN is allowed.

Regular Expression: Lists the defined regular expressions to match. You
can configure Regular Expressions for use in pattern matching. Enter the
information in the field provided or click Select, which opens a list of
available regular expressions from which to make your selection.
Regular expressions whose names start with "default" are predefined
regular expressions and cannot be modified or deleted.

Regular Expression Group: Lists the defined regular expression classes to
match. Enter the regular expression class in the field provided or click
Select, which opens a list of available regular expression classes from
which to make your selection.

Action

Shows what action to take based on the defined settings.

Drop Packet: By default, all invalid packets or packets that failed during
parsing are dropped.

Drop Packet and Log: Drops the packet and logs the event.

OK button

Saves your changes to the server and closes the dialog box.

Add and Edit GTP Map > Add Match Condition and Action > Message ID
Select Message ID to specify the numeric identifier for the message that you want
to drop. By default, all valid message IDs are allowed.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > GTP Maps from the Object Type selector. Right-click inside the
work area, then select New Object, or right-click a row, then select Edit Object.


Click the Match Condition and Action tab if it is not already displayed.
Right-click inside the table, then select Add Row or right-click a row, then select
Edit Row. Select Message ID as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding GTP Policy Maps, page 8-79

Creating GTP Map Objects, page 8-80

Field Reference
Table F-152

Add and Edit GTP Map > Add Match Condition and Action > Message ID

Element

Description

Criterion

Shows Message ID as the criterion selected.

Type

Specifies whether the class map includes traffic that matches the
criterion, or traffic that does not match the criterion. For example,
if Doesn't Match is selected on the string example.com, then any
traffic that contains example.com is excluded from the class map.

Matches: Matches the criterion.

Doesn't Match: Does not match the criterion.

ID Type

Specifies the numeric identifier for the message that you want
to drop.

Value: Specifies a single value. Values are 1 to 255.

Range: Specifies a value range. Values are 1 to 255.

Note: By default, all valid message IDs are allowed.

Action

Shows what action to take based on the defined settings.

Drop Packet

Drop Packet and Log

Rate Limit

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit GTP Map > Add Match Condition and Action > Message Length
Select Message Length to change the default for the maximum message length for
the UDP payload that is allowed.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > GTP Maps from the Object Type selector. Right-click inside the
work area, then select New Object, or right-click a row, then select Edit Object.
Click the Match Condition and Action tab if it is not already displayed.
Right-click inside the table, then select Add Row or right-click a row, then select
Edit Row. Select Message Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding GTP Policy Maps, page 8-79

Creating GTP Map Objects, page 8-80

Field Reference
Table F-153

Add and Edit GTP Map > Add Match Condition and Action > Message Length

Element (1)

Description

Criterion

Shows Message Length as the criterion selected.

Type

Specifies whether the class map includes traffic that matches the
criterion, or traffic that does not match the criterion. For example,
if Doesn't Match is selected on the string example.com, then any
traffic that contains example.com is excluded from the class map.

Matches: Matches the criterion.

Doesn't Match: Does not match the criterion.

Minimum Length*

Specifies the minimum number of bytes in the UDP payload. Values
are 1 to 65536.

Maximum Length*

Specifies the maximum number of bytes in the UDP payload. Values
are 1 to 65536.


Action

Shows what action to take based on the defined settings.

Drop Packet

Drop Packet and Log

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit GTP Map > Add Match Condition and Action > Version
Select Version to specify the GTP version for messages that you want to drop.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > GTP Maps from the Object Type selector. Right-click inside the
work area, then select New Object, or right-click a row, then select Edit Object.
Click the Match Condition and Action tab if it is not already displayed.
Right-click inside the table, then select Add Row or right-click a row, then select
Edit Row. Select Version as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding GTP Policy Maps, page 8-79

Creating GTP Map Objects, page 8-80


Field Reference
Table F-154

Add and Edit GTP Map > Add Match Condition and Action > Version

Element

Description

Criterion

Shows Version as the criterion selected.

Type

Specifies whether the class map includes traffic that matches the
criterion, or traffic that does not match the criterion. For example,
if Doesn't Match is selected on the string example.com, then any
traffic that contains example.com is excluded from the class map.

Matches: Matches the criterion.

Doesn't Match: Does not match the criterion.

Version Type

Shows the version as a single value or range of values. Values are
0 to 255.
Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of
GTP uses UDP port 3386, while Version 1 uses port 2123 for signaling
(GTP-C) and port 2152 for user data (GTP-U). By default all GTP
versions are allowed.

Action

Shows what action to take based on the defined settings.

Drop Packet

Drop Packet and Log

OK button

Saves your changes to the server and closes the dialog box.
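The following Python program is an example added to this reference; it is not Cisco code and is not what Security Manager generates for a device. It decodes the header fields that the four GTP map criteria above act on (Version, Message ID, Message Length measured as UDP payload bytes, and the Access Point Name carried in the APN information element) and evaluates a constructed list of match rows against constructed packets, so the drop and log decisions the dialog boxes configure can be traced packet by packet. The Rule and action names, the sample rules, and the packet bytes are this example's own assumptions; the port numbers and header layouts follow the GTP specifications.

```python
import re
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

GTP_V0_PORT = 3386     # GTP version 0 signaling and user data
GTP_V1_C_PORT = 2123   # GTP version 1 control plane (GTP-C); user plane uses 2152
APN_IE_TYPE = 0x83     # Access Point Name information element (TLV-encoded)


@dataclass
class GtpMessage:
    version: int
    message_type: int    # the GTP map's "Message ID" (1-255)
    udp_length: int      # bytes of UDP payload, what "Message Length" bounds
    apn: Optional[str]   # decoded APN, if the message carried one


def _decode_apn(raw: bytes) -> str:
    """An APN value is DNS-style: a run of length-prefixed labels."""
    labels, i = [], 0
    while i < len(raw):
        n = raw[i]
        labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def parse_gtp(payload: bytes) -> GtpMessage:
    """Decode the mandatory GTPv0 (20-byte) or GTPv1 (8-byte, plus 4 optional
    bytes when the E, S or PN flag is set) header and any TLV IEs after it."""
    if len(payload) < 8:
        raise ValueError("UDP payload too short for a GTP header")
    flags, msg_type = payload[0], payload[1]
    version = flags >> 5
    if version == 0:
        header_len = 20
    elif version == 1:
        header_len = 8 + (4 if flags & 0x07 else 0)
    else:
        raise ValueError(f"unsupported GTP version {version}")
    if len(payload) < header_len:
        raise ValueError("truncated GTP header")
    apn, i = None, header_len
    # Simplification for the example: only TLV IEs (type >= 0x80) are walked; a
    # full decoder also needs the fixed-length table for TV IEs (type < 0x80).
    while i + 3 <= len(payload) and payload[i] >= 0x80:
        ie_type, ie_len = payload[i], struct.unpack("!H", payload[i + 1:i + 3])[0]
        if ie_type == APN_IE_TYPE:
            apn = _decode_apn(payload[i + 3:i + 3 + ie_len])
        i += 3 + ie_len
    return GtpMessage(version, msg_type, len(payload), apn)


@dataclass
class Rule:
    """One row of the Match Condition and Action tab (example's own model)."""
    criterion: str                       # "version", "message_id", "message_length", "apn"
    test: Callable[[GtpMessage], bool]
    action: str                          # "drop" or "drop_log"
    matches: bool = True                 # True = Matches, False = Doesn't Match


def rule_version(lo, hi, action, matches=True):
    return Rule("version", lambda m: lo <= m.version <= hi, action, matches)


def rule_message_id(lo, hi, action, matches=True):
    return Rule("message_id", lambda m: lo <= m.message_type <= hi, action, matches)


def rule_message_length(lo, hi, action, matches=True):
    return Rule("message_length", lambda m: lo <= m.udp_length <= hi, action, matches)


def rule_apn(regex, action, matches=True):
    pat = re.compile(regex)
    return Rule("apn", lambda m: pat.search(m.apn) is not None, action, matches)


def evaluate(rules: List[Rule], payload: bytes) -> str:
    """Action for one UDP payload: packets that fail parsing are dropped, the
    first rule whose condition holds decides, otherwise the packet is allowed."""
    try:
        msg = parse_gtp(payload)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "drop"
    for r in rules:
        if r.criterion == "apn" and msg.apn is None:
            continue                       # nothing to match an APN rule against
        if r.test(msg) == r.matches:
            return r.action
    return "allow"


def build_gtpv1(msg_type: int, apn: Optional[str] = None,
                seq: Optional[int] = None, padding: bytes = b"") -> bytes:
    """Constructed GTPv1-C message (sample data, not a capture)."""
    body = b""
    if apn is not None:
        labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in apn.split("."))
        body = bytes([APN_IE_TYPE]) + struct.pack("!H", len(labels)) + labels
    body += padding
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    flags = 0x30 | (0x02 if seq is not None else 0)   # version 1, PT=1 (GTP), S bit
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(body), 0) + opt + body


def build_gtpv0(msg_type: int) -> bytes:
    """Constructed 20-byte GTPv0 header with no IEs (sample data, not a capture)."""
    return struct.pack("!BBHHHB", 0x1E, msg_type, 0, 0, 0, 0) + b"\xff\xff\xff" + bytes(8)


# Constructed sample policy: drop GTPv0, drop-and-log Update PDP Context Requests
# (message type 18), drop anything outside 1-200 bytes, drop-and-log APNs under evil.example.
SAMPLE_RULES = [
    rule_version(0, 0, "drop"),
    rule_message_id(18, 18, "drop_log"),
    rule_message_length(1, 200, "drop", matches=False),
    rule_apn(r"\.evil\.example$", "drop_log"),
]
```

The example deliberately drops anything it cannot parse, in line with the statement above that invalid packets and packets that fail during parsing are dropped, and it skips an APN rule for messages that carry no APN, which is how most GTP signaling messages look. A Doesn't Match row is the negation of the same test, which is why the length rule with matches=False rejects the oversized sample.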

HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page
Use the HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) page to create an
HTTP map for applying enhanced HTTP inspection parameters. From this page,
you can add, edit, and delete objects, and edit policy override settings. You can
also generate usage reports of policies that use the object.
The enhanced HTTP inspection feature, which is also known as an application
firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined
methods, and comply with various other criteria. This can help prevent attackers
from using HTTP messages for circumventing network security policy.


Note

When you enable HTTP inspection with an HTTP map, strict HTTP inspection
with the action reset and log is enabled by default. You can change the actions
performed in response to inspection failure, but you cannot disable strict
inspection as long as the HTTP map remains enabled.
After a configuration is generated for the device, the http-map command is
shown.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) from the
Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Understanding the Policy Object Manager Window, page 8-5

Field Reference
Table F-155

HTTP Maps Page (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS)

Column

Description

Filter

Filters the information displayed in the table. Click the arrow to display the
filtering bar, which enables you to set filtering parameters. See Filtering
Tables, page 3-24.

[Icon]

Displays the icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a star
indicate predefined objects that cannot be modified. The icon is displayed
after the object is defined.

Name

Identifies the name of the object. Names can be sorted in ascending or
descending order.


General

Displays general settings for HTTP inspection. For a description of the GUI
elements, see Table F-157.

Entity Length

Displays settings for inspection based on the length of the HTTP content. For
a description of the GUI elements, see Table F-158.

RFC Method

Displays settings for the request methods defined in RFC 2616. For a
description of the GUI elements, see Table F-159.

Ext Method

Displays settings for extension (non-RFC 2616) request methods. For a
description of the GUI elements, see Table F-160.

Port Misuse

Displays settings for port misuse application inspection. For a description of
the GUI elements, see Table F-161.

Transfer Encoding

Displays settings for inspection based on the transfer encoding type. For a
description of the GUI elements, see Table F-162.

IOS-Specific

Displays values that are associated with IOS-specific devices.

Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Overridable

Indicates whether the global object definition can be overridden by object
values defined at device level. See Allowing a Global Object to Be
Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. Point at the icon to
display a tooltip with the text of the description. Descriptions help you
identify a policy.
Tip: Double-click the icon to display the text of the description in a popup
window.

New Object button

Enables you to create an object. See Creating HTTP Map Objects (ASA
7.1.x/PIX 7.1.x/FWSM 3.x/IOS), page 8-84.


Edit Object button

Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested
within another object, you are prompted to modify or delete the reference
before the deletion can occur. See Deleting Objects, page 8-11.
Note

An object used in a rule or within another object cannot be deleted.

Add and Edit HTTP Map Dialog Boxes
Use the Add and Edit HTTP Map dialog boxes to define HTTP maps.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) from the
Object Type selector. Right-click inside the work area, then select New Object
or right-click a row, then select Edit Object.

Note

The General tab opens by default the first time the dialog box is accessed.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS),
page 8-84


Field Reference
Table F-156

Add and Edit HTTP Map Dialog Boxes

Element (1)

Description

Name*

Enables you to enter the name of the HTTP Map. A maximum of
40 characters is allowed.

Description

Shows a description as an icon. A tooltip displays the content.
Descriptions help you identify an object. A maximum of
200 characters is allowed.

General tab

Enables you to configure general settings for HTTP inspection.
Open by default. For a description of the GUI elements, see
Table F-157.

Entity Length tab

Enables you to configure settings for inspection based on the length
of the HTTP content. For a description of the GUI elements, see
Table F-158.

RFC Request Method tab

Enables you to configure settings for the request methods defined in
RFC 2616. For a description of the GUI elements, see Table F-159.

Extension Request Method tab

Enables you to configure settings for extension (non-RFC 2616)
request methods. For a description of the GUI elements, see Table F-160.

Port Misuse tab

Enables you to configure settings for port misuse application
inspection. For a description of the GUI elements, see Table F-161.

Transfer Encoding tab

Enables you to configure settings for inspection based on the
transfer encoding type. For a description of the GUI elements, see
Table F-162.

Category

Provides an intermediate level of detail to objects and helps you
readily identify rules and objects by use of color-coding. See
Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.


Allow Value Override per Device

When selected, allows the global object definition to be changed at
the device level. See Allowing a Global Object to Be Overridden,
page 8-198.
When deselected, does not allow the global object definition to be
overridden.
Tip: When editing an object that can be overridden, click the
Edit button to display the Policy Object Overrides page.
From here you can create, edit, and view device-level
overrides; however, you must first save the policy object
before you define override settings. For a description of the
GUI elements, see Policy Object Overrides Window,
page F-565.

Overrides: None

Shows that no overrides exist on the device. You must manually set
overrides in order to change the display. For more information, see
Overriding Global Objects for Individual Devices, page 8-197.
Note: Selecting Allow Value Override per Device does not
automatically set overrides.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > General Tab
Use the General tab to configure the checks that verify HTTP messages conform
to RFC 2616, and the action taken when they do not. When you enable HTTP
inspection with an HTTP map, strict HTTP inspection with the action reset and
log is enabled by default. You can change the actions performed in response to
inspection failure, but you cannot disable strict inspection as long as the HTTP
map remains enabled.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) from the
Object Type selector. Right-click inside the work area, then select New Object,
or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog
box appears based on your selection.

Note

The General tab opens by default the first time the dialog box is accessed.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding Category Objects, page 8-48

Field Reference
Table F-157

Add and Edit HTTP Map > General Tab

Element (1)

Description

Name*

Enables you to enter the name of the HTTP Map. A maximum of
40 characters is allowed.

Description

Enables you to enter a description to help you identify an object. A
maximum of 200 characters is allowed.

Take action for non-RFC 2616 compliant traffic

When selected, enables you to set action and syslog parameters for
non-RFC 2616 compliant traffic. Select the action to be taken for
non-RFC 2616 compliant traffic:

Allow Packet: Allows the message.

Drop Packet: Closes the connection.

Reset Connection (default): Sends a TCP reset message to client and
server.

Generate Syslog

When selected, generates a syslog report.

Verify Content-type field belongs to the supported internal content-type list

When selected, enables you to set action and syslog parameters for
verifying that the content type belongs to the supported internal
content-type list.


Verify Content-type field for response matches the Accept field of request

When selected, verifies that the content-type in the response message
matches the accept-type field in the request message. If the criteria are not
met, action is taken based on your selection.
Specify the action to take when a message fails the inspection.

Allow Packet: Allows the message.

Drop Packet: Closes the connection.

Reset Connection (default): Sends a TCP reset message to client and
server.

Generate Syslog

When selected, generates a syslog report.

Override Global TCP Idle Timeout (IOS only)

When selected, enables you to change the TCP idle timeout setting.

Timeout (sec)

Specifies the period of inactivity, in seconds, after which the IOS device
terminates a connection that has no communication activity.

Override Global Audit Trail Setting (IOS only)

When selected, enables you to change the audit trail setting.

Enable Audit Trail

When selected, generates audit trail messages.

Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Allow Value Override per Device

When selected, allows the global object definition to be changed at the
device level. See Allowing a Global Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.
Tip: When editing an object that can be overridden, click the Edit button
to display the Policy Object Overrides page. From here you can
create, edit, and view device-level overrides; however, you must
first save the policy object before you define override settings. For
a description of the GUI elements, see Policy Object Overrides
Window, page F-565.


Overrides: None

Shows that no overrides exist on the device. You must manually set
overrides in order to change the display. For more information, see
Overriding Global Objects for Individual Devices, page 8-197.
Note: Selecting Allow Value Override per Device does not automatically
set overrides.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Entity Length Tab
Use the Entity Length tab to enable inspection based on the length of the HTTP
content (the URI, the message headers, and the message body).
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) from the
Object Type selector. Right-click inside the work area, then select New Object
or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog
box appears based on your selection. Click the Entity Length tab.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding Category Objects, page 8-48

Field Reference
Table F-158

Add and Edit HTTP Map > Entity Length Tab

Element (1)

Description

Name*

Enables you to enter the name of the HTTP Map. A maximum of
40 characters is allowed.

Description

Enables you to enter a description to help you identify an object. A maximum
of 200 characters is allowed.

Inspect URI Length

When selected, enables inspection based on the length of the URI. You can
set action and syslog parameters.

Maximum (bytes)

Identifies the maximum size allowed for the URI length. Values are 1 to 65535.

Excessive URI Length Action

Specifies the action taken when a message fails the inspection.

Allow Packet: Allows the message.

Drop Packet: Closes the connection.

Reset Connection: Sends a TCP reset message to client and server.

Generate Syslog

When selected, generates a syslog report.

Inspect Maximum Header Length

When selected, enables inspection based on the length of the HTTP header.
You can set action and syslog parameters.

Request (bytes)

Specifies the maximum request message header size in bytes. Values are
1 to 65535.

Response (bytes)

Specifies the maximum response message header size in bytes. Values are
1 to 65535.

Excessive Header Length Action

Specifies the action taken when a message fails the inspection.

Allow Packet: Allows the HTTP request even though it contains a
header that exceeds the permitted maximum length.

Drop Packet: Drops the HTTP request if it contains a header that
exceeds the permitted maximum length.

Reset Connection: Resets the TCP connection when it receives the
HTTP request with a header that exceeds the permitted maximum length.

Generate Syslog

When selected, generates a syslog report.

Inspect Body Length

When selected, enables inspection based on the length of the HTTP message
body. You can set action and syslog parameters.

Minimum Threshold (bytes)

Specifies the minimum body size recognized as within configurable limits.
Values are 1 to 65535.

Maximum Threshold (bytes)

Specifies the maximum body size recognized as within configurable limits.
Values are 1 to 65535.


Body Length Threshold Action

Specifies the action taken when a message fails the inspection.

Allow Packet: Allows the HTTP message even though its body length is
outside the configured thresholds.

Drop Packet: Drops the HTTP message if its body length is outside the
configured thresholds.

Reset Connection: Resets the TCP connection when it receives an HTTP
message whose body length is outside the configured thresholds.

Generate Syslog

When selected, generates a syslog report.

Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Allow Value Override per Device

When selected, allows the global object definition to be changed at the device
level. See Allowing a Global Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be overridden.
Tip: When editing an object that can be overridden, click the Edit button
to display the Policy Object Overrides page. From here you can
create, edit, and view device-level overrides; however, you must first
save the policy object before you define override settings. For a
description of the GUI elements, see Policy Object Overrides
Window, page F-565.

Overrides: None

Shows that no overrides exist on the device. You must manually set overrides
in order to change the display. For more information, see Overriding Global
Objects for Individual Devices, page 8-197.
Note: Selecting Allow Value Override per Device does not automatically set
overrides.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
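The following Python program is an example added to this reference; it is not Cisco code and not the configuration Security Manager generates. It applies, to constructed sample requests, the checks that the General and Entity Length tabs describe (strict RFC 2616 request framing, URI, header and body length limits with allow/drop/reset actions and a syslog flag), the per-method decisions of the RFC Request Method tab, and the Content-Type versus Accept comparison from the General tab. The HttpMap, Action and Verdict names, the sample map and the sample requests are this example's own assumptions, not the appliance's data model or defaults.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(r"^([A-Za-z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")   # RFC 2616 token followed by ':'


@dataclass
class Action:
    kind: str          # "allow" | "drop" | "reset" (Allow Packet / Drop Packet / Reset Connection)
    log: bool = True   # "Generate Syslog"


def _reset() -> Action:
    return Action("reset")


@dataclass
class HttpMap:
    """One HTTP map (example's own model); a limit of None means that check is not enabled."""
    strict: Action = field(default_factory=_reset)        # strict HTTP check, always on
    max_uri: Optional[int] = None
    uri_action: Action = field(default_factory=_reset)
    max_req_header: Optional[int] = None
    header_action: Action = field(default_factory=_reset)
    body_min: Optional[int] = None
    body_max: Optional[int] = None
    body_action: Action = field(default_factory=_reset)
    method_actions: Dict[str, Action] = field(default_factory=dict)  # the Method Table
    rfc_default: Action = field(default_factory=_reset)   # remaining RFC 2616 methods
    ext_default: Action = field(default_factory=_reset)   # extension (non-RFC) methods


@dataclass
class Verdict:
    action: str   # "allow", "drop" or "reset"
    log: bool
    reason: str


def inspect_request(policy: HttpMap, raw: bytes) -> Verdict:
    """Apply the map to one request. Framing failures are judged by the strict
    check; otherwise the first enabled check whose action is not 'allow' decides."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(policy.strict.kind, policy.strict.log, "header block not terminated by CRLFCRLF")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None or not all(HEADER_LINE.match(h) for h in lines[1:]):
        return Verdict(policy.strict.kind, policy.strict.log, "request not RFC 2616 compliant")
    method, uri = m.group(1), m.group(2)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines[1:])}
    checks = []
    # RFC Request Method / Extension Request Method tabs
    if method in policy.method_actions:
        checks.append((policy.method_actions[method], f"method {method}"))
    elif method in RFC2616_METHODS:
        checks.append((policy.rfc_default, f"RFC 2616 method {method} not in Method Table"))
    else:
        checks.append((policy.ext_default, f"extension method {method}"))
    # Entity Length tab: URI, request header block, body (via Content-Length)
    if policy.max_uri is not None and len(uri) > policy.max_uri:
        checks.append((policy.uri_action, f"URI length {len(uri)} exceeds {policy.max_uri}"))
    if policy.max_req_header is not None and len(head) > policy.max_req_header:
        checks.append((policy.header_action, f"header length {len(head)} exceeds {policy.max_req_header}"))
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            return Verdict(policy.strict.kind, policy.strict.log, "non-numeric Content-Length")
        n, lo, hi = int(headers["content-length"]), policy.body_min, policy.body_max
        if (lo is not None and n < lo) or (hi is not None and n > hi):
            checks.append((policy.body_action, f"body length {n} outside thresholds {lo}-{hi}"))
    for action, reason in checks:
        if action.kind != "allow":
            return Verdict(action.kind, action.log, reason)
    return Verdict("allow", False, "passed all enabled checks")


def content_type_allowed(accept: str, content_type: str) -> bool:
    """General tab: does the response Content-Type match one of the request's
    Accept media ranges (exact, type/* or */*; q-values are ignored)?"""
    ctype = content_type.split(";")[0].strip().lower()
    for rng in accept.split(","):
        rng = rng.split(";")[0].strip().lower()
        if rng == "*/*" or rng == ctype or (rng.endswith("/*") and ctype.startswith(rng[:-1])):
            return True
    return False


# Constructed sample map, as if chosen in the dialog boxes above.
SAMPLE_MAP = HttpMap(
    max_uri=64, max_req_header=512, body_min=0, body_max=4096,
    method_actions={"GET": Action("allow", log=False), "POST": Action("allow", log=False),
                    "TRACE": Action("reset"), "CONNECT": Action("reset")},
    rfc_default=Action("drop"), ext_default=Action("reset"),
)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "delete": b"DELETE /item/7 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "webdav": b"PROPFIND /share HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_uri": b"GET /" + b"a" * 100 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "big_post": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 10000\r\n\r\n",
    "malformed": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",   # header line without ':'
}


def run_samples(policy: HttpMap = SAMPLE_MAP) -> Dict[str, Verdict]:
    return {name: inspect_request(policy, raw) for name, raw in SAMPLES.items()}
```

An "allow" action on one check does not end inspection; the request still has to pass every other enabled check, which is why the GET with a 101-byte URI is reset even though GET is allowed in the method table. The strict check cannot be turned off in this model either, matching the note above that strict inspection stays enabled as long as the HTTP map is in use.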

Add and Edit HTTP Map > RFC Request Method Tab
Use the RFC Request Method tab to set the action taken for each request method
defined in RFC 2616, and a default action for the RFC methods you do not list.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/IOS) from the Object Type
selector. Right-click inside the work area, then select New Object or right-click
a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears
based on your selection. Click the RFC Request Method tab.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding Category Objects, page 8-48

Field Reference
Table F-159

Add and Edit HTTP Map > RFC Request Method

Element

Description

Name*

Enables you to enter the name of the HTTP Map. A maximum of
40 characters is allowed.

Description

Enables you to enter a description to help you identify an object. A
maximum of 200 characters is allowed.

Available Methods

Lists available predefined request methods. For more information, refer
to RFC 2616.

Select Action

Specifies the action taken when a message fails the inspection.

Allow Packet: Allows the message.

Drop Packet: Closes the connection.

Reset Connection (default): Sends a TCP reset message to client
and server.

Generate Syslog

When selected, generates a syslog report. The syslog is generated when
the security appliance receives the HTTP request containing the selected
method.

>> button

Adds the selected request method, action and syslog settings to the Method
Table.

<< button

Removes the selected request method, action and syslog settings from the
Method Table.


Method Table
  Method
    Shows the request method selected from the Available Methods list. For more information, refer to RFC 2616.
  Action
    Shows the action taken when a message fails the inspection.
    - Allow Packet: Allows the message.
    - Drop Packet: Closes the connection.
    - Reset Connection (default): Sends a TCP reset message to client and server.
  Generate Syslog
    Shows syslog setting.

Specify the action to be applied for the remaining available methods above.
  When selected, enables you to set action and syslog parameters.
  Action
    Specifies the action taken when a message fails the inspection.
    - Allow Packet: Allows the message.
    - Drop Packet: Closes the connection.
    - Reset Connection (default): Sends a TCP reset message to client and server.
  Generate Syslog
    When selected, generates a syslog report. The syslog is generated when the security appliance receives the HTTP request containing the selected method.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.


Allow Value Override per Device
  When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
  When deselected, does not allow the global object definition to be overridden.
  Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
  Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
  Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
  Saves your changes to the server and closes the dialog box.

Add and Edit HTTP Map > Extension Request Method Tab
Use the Extension Request Method tab to set criteria to conform to HTTP RFC
extension format criteria.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA/PIX 7.x/IOS) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Click the Ext Request Method tab.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding Category Objects, page 8-48


Field Reference

Table F-160 Add and Edit HTTP Map > Extension Request Method Tab

Name*
  Enables you to enter the name of the HTTP Map. A maximum of 40 characters is allowed.

Description
  Enables you to enter a description to help you identify an object. A maximum of 200 characters is allowed.

Available Methods
  Lists available predefined request methods. For more information, refer to RFC 2616.

Action
  Specifies the action taken when a message fails the inspection.
  - Allow Packet: Allows the HTTP request containing the methods that are not included in the method table.
  - Drop Packet: Drops the HTTP request if it contains any method that is not included in the method table.
  - Reset Connection: Resets the TCP connection if the HTTP message contains any method that is not included in the method table.

Generate Syslog
  When selected, generates a syslog report. The syslog is generated when the security appliance receives the HTTP request containing the selected method.

>> button
  Adds selected request method, action and syslog settings to the Method Table.

<< button
  Removes selected request method, action and syslog settings from the Method Table.

Method Table
  Method
    Shows the request method selected from the Available Methods list. For more information, refer to RFC 2616.
  Action
    Shows the action taken when a message fails the inspection.
    - Allow Packet: Allows the message.
    - Drop Packet: Closes the connection.
    - Reset Connection (default): Sends a TCP reset message to client and server.


  Generate Syslog
    Shows syslog setting.

Specify the action to be applied for the remaining available methods above.
  When selected, enables you to set action and syslog parameters.
  Action
    Specifies the action taken when a message fails the inspection.
    - Allow Packet: Allows the HTTP request containing the methods that are not included in the method table.
    - Drop Packet: Drops the HTTP request if it contains any method that is not included in the method table.
    - Reset Connection: Resets the TCP connection if the HTTP message contains any method that is not included in the method table.
  Generate Syslog
    When selected, generates a syslog report. The syslog is generated when the security appliance receives the HTTP request containing the selected method.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.

Allow Value Override per Device
  When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
  When deselected, does not allow the global object definition to be overridden.
  Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.


Overrides: None
  Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
  Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
  Saves your changes to the server and closes the page.

Add and Edit HTTP Map > Port Misuse Tab


Use the Port Misuse tab to enable port misuse application inspection.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA/PIX 7.x/IOS) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Click the Port Misuse tab.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding Category Objects, page 8-48

Field Reference

Table F-161 Add and Edit HTTP Map > Port Misuse Tab

Name*
  Enables you to enter the name of the HTTP Map. A maximum of 40 characters is allowed.

Description
  Enables you to enter a description to help you identify an object. A maximum of 200 characters is allowed.


Available Categories
  Lists available categories:
  - IM: Restricts traffic in the instant messaging application category. The applications checked for are Yahoo Messenger, AIM, and MSN IM.
  - P2P: Restricts traffic in the peer-to-peer application category. The Kazaa application is checked.
  - Tunneling: Restricts traffic in the tunneling application category. The applications checked for are: HTTPort/HTTHost, GNU Httptunnel, GotoMyPC, Firethru, and Http-tunnel.com Client.

Action
  Specifies the action taken when a message fails the inspection.
  - Allow Packet: Allows the HTTP request containing any of the categories in the category table.
  - Drop Packet: Drops the HTTP request if it includes any category in the category table.
  - Reset Connection: Resets the TCP connection if the HTTP message includes any category in the category table.

Generate Syslog
  When selected, generates a syslog report. The syslog is generated when the security appliance receives the HTTP request containing the selected category.

>> button
  Adds selected request method, action and syslog settings to the Method Table.

<< button
  Removes selected request method, action and syslog settings from the Method Table.

Application Categories Table
  Category
    Shows the application categories selected.
  Action
    Shows the action taken when a message fails the inspection.
    - Allow Packet: Allows the message.
    - Drop Packet: Closes the connection.
    - Reset Connection (default): Sends a TCP reset message to client and server.

  Generate Syslog
    Shows syslog setting.

Specify the action to be applied for the remaining available methods above.
  When selected, enables you to set action and syslog parameters.
  Action
    Specifies the action taken when a message fails the inspection.
    - Allow Packet: Allows the HTTP request containing the categories that are not in the category table.
    - Drop Packet: Drops the HTTP request if it contains any category that is not in the category table.
    - Reset Connection: Resets the TCP connection if the HTTP message contains any category that is not in the category table.
  Generate Syslog
    When selected, generates a syslog report. The syslog is generated when the security appliance receives the HTTP request containing the selected category.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.

Allow Value Override per Device
  When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
  When deselected, does not allow the global object definition to be overridden.
  Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.


Overrides: None
  Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
  Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
  Saves your changes to the server and closes the page.

Add and Edit HTTP Map > Transfer Encoding Tab


Use the Transfer Encoding tab to enable inspection based on the transfer
encoding type.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/IOS) from the Object Type
selector. Right-click inside the work area, then select New Object or right-click
a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears
based on your selection. Click the Transfer Encoding tab.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding Category Objects, page 8-48

Field Reference

Table F-162 Add and Edit HTTP Map > Transfer Encoding Tab

Name*
  Enables you to enter the name of the HTTP Map. A maximum of 40 characters is allowed.

Description
  Enables you to enter a description to help you identify an object. A maximum of 200 characters is allowed.


Available Encoding Types
  Lists available transfer encoding types.
  - Chunked: Identifies the transfer encoding type in which the message body is transferred as a series of chunks.
  - Compressed: Identifies the transfer encoding type in which the message body is transferred using UNIX file compression.
  - Deflate: Identifies the transfer encoding type in which the message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).
  - GZIP: Identifies the transfer encoding type in which the message body is transferred using GNU zip (RFC 1952).
  - Identity: Identifies connections in which no transfer encoding is performed on the message body.

Action
  Specifies the action taken when a message fails the inspection.
  - Allow Packet: Allows the HTTP request containing any transfer encoding type in the transfer encoding type table.
  - Drop Packet: Drops the HTTP request if it includes any transfer encoding type in the transfer encoding type table.
  - Reset Connection: Resets the TCP connection if the HTTP message includes any transfer encoding type in the transfer encoding type table.

Generate Syslog
  When selected, generates a syslog report. The syslog is generated when the security appliance receives the HTTP request containing the selected encoding type.

>> button
  Adds selected encoding type, action and syslog settings to the Encoding Type Table.

<< button
  Removes selected request method, action and syslog settings from the Encoding Type Table.


Encoding Type Table
  Encoding type
    Shows the encoding types selected.
  Action
    Shows the action taken when a message fails the inspection.
    - Allow Packet: Allows the message.
    - Drop Packet: Closes the connection.
    - Reset Connection (default): Sends a TCP reset message to client and server.
  Generate Syslog
    Shows syslog setting.

Specify the action to be applied for the remaining available methods above.
  When selected, enables you to set action and syslog parameters.
  Action
    Specifies the action taken when a message fails the inspection.
    - Allow Packet: Allows the HTTP request containing the methods that are not included in the method table.
    - Drop Packet: Drops the HTTP request if it contains any method that is not included in the method table.
    - Reset Connection: Resets the TCP connection if the HTTP message contains any method that is not included in the method table.
  Generate Syslog
    When selected, generates a syslog report. The syslog is generated when the security appliance receives the HTTP request containing the selected encoding type.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.


Allow Value Override per Device
  When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
  When deselected, does not allow the global object definition to be overridden.
  Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
  Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
  Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
  Saves your changes to the server and closes the page.
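The RFC Request Method, Extension Request Method and Transfer Encoding tabs above share one evaluation pattern: a table of values, each with its own action and syslog flag, plus a separate action for the remaining values that are not in the table. The following Python model of that pattern is an added example, not Security Manager or ASA code; the policy, request bytes and verdict names are constructed, and RFC 2616 methods are told apart from extension methods with a hard-coded set.

```python
"""Model of the ASA 7.1.x-style HTTP map tabs (added example, not Cisco code).

Each tab is a table of entries, each with an action and a syslog flag, plus a
default action for the "remaining" values that are not in the table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW, DROP, RESET = "allow", "drop", "reset"
SEVERITY = {ALLOW: 0, DROP: 1, RESET: 2}

# Request methods defined in RFC 2616; anything else is an extension method
# and is judged by the Extension Request Method tab instead.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}


@dataclass
class Entry:
    action: str
    syslog: bool = False


@dataclass
class Tab:
    table: Dict[str, Entry] = field(default_factory=dict)
    default: Optional[Entry] = None  # action for the remaining (unlisted) values

    def lookup(self, value: str) -> Entry:
        # Explicit table entry wins; otherwise the default; otherwise allow.
        return self.table.get(value) or self.default or Entry(ALLOW)


@dataclass
class HttpMap:
    rfc_methods: Tab = field(default_factory=Tab)
    ext_methods: Tab = field(default_factory=Tab)
    encodings: Tab = field(default_factory=Tab)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (METHOD, headers) from a raw HTTP/1.x request; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers


def inspect(http_map: HttpMap, raw: bytes) -> Tuple[str, List[str]]:
    """Return the strongest action any tab requests for the request, plus syslog lines."""
    method, headers = parse_request(raw)
    tab = http_map.rfc_methods if method in RFC2616_METHODS else http_map.ext_methods
    checks = [("method", method, tab.lookup(method))]
    # Transfer-Encoding may carry several tokens, e.g. "gzip, chunked"; each is checked.
    for token in headers.get("transfer-encoding", "").split(","):
        token = token.strip().lower()
        if token:
            checks.append(("transfer-encoding", token, http_map.encodings.lookup(token)))
    verdict, logs = ALLOW, []
    for kind, value, entry in checks:
        if entry.syslog:
            logs.append(f"HTTP {kind} {value}: action {entry.action}")
        if SEVERITY[entry.action] > SEVERITY[verdict]:
            verdict = entry.action
    return verdict, logs


def example_map() -> HttpMap:
    """Constructed policy: allow GET/HEAD/POST, drop and log TRACE, reset and log any
    other RFC method, drop and log every extension method, and reset and log any
    transfer encoding other than identity."""
    m = HttpMap()
    for meth in ("GET", "HEAD", "POST"):
        m.rfc_methods.table[meth] = Entry(ALLOW)
    m.rfc_methods.table["TRACE"] = Entry(DROP, syslog=True)
    m.rfc_methods.default = Entry(RESET, syslog=True)
    m.ext_methods.default = Entry(DROP, syslog=True)
    m.encodings.table["identity"] = Entry(ALLOW)
    m.encodings.default = Entry(RESET, syslog=True)
    return m


if __name__ == "__main__":
    policy = example_map()
    for req in (b"GET / HTTP/1.1\r\nHost: a\r\n\r\n",
                b"TRACE / HTTP/1.1\r\nHost: a\r\n\r\n",
                b"PROPFIND / HTTP/1.1\r\nHost: a\r\n\r\n",
                b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: gzip, chunked\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), inspect(policy, req))
```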

HTTP Maps (ASA 7.2/PIX 7.2) Page


Use the HTTP Maps (ASA 7.2/PIX 7.2) page to define HTTP maps for HTTP
inspection. From this page, you can add, edit, and delete objects, and edit policy
override settings. You can also generate usage reports of policies that use the
object.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Managing Existing Objects, page 8-9



Guidelines for Managing Objects, page 8-4

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Understanding the Policy Object Manager Window, page 8-5

Field Reference

Table F-163 HTTP Maps (ASA 7.2/PIX 7.2) Page

Filter
  Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

[Icon]
  Displays the icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name
  Identifies the name of the object. Names can be sorted in ascending or descending order.

Parameters
  Identifies a constant whose values vary with the circumstances of its application.

Criterion
  Shows the criterion of the HTTP class map.

Type
  Shows the match type, which can be a positive or negative match.

Value
  Shows the value to match in the HTTP class map.

Action
  Shows the action to take when the criterion value occurs.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.

Overridable
  Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.


Description
  Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify a policy.
  Tip: Double-click the icon to display the text of the description in a popup window.

Create Object button
  Enables you to create an object. See Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94.

Edit Object button
  Opens the appropriate object page for the selected object, enabling you to edit object settings. See Editing Objects, page 8-10.

Delete Object button
  Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
  Note: An object used in a rule or within another object cannot be deleted.

Add and Edit HTTP Map Dialog Boxes


Use the Add and Edit HTTP Map dialog boxes to define the match criterion and
values for the HTTP inspect map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference

Table F-164 Add and Edit HTTP Map Dialog Boxes (ASA 7.2/PIX 7.2) (1)

Name*
  Enables you to enter the name of the HTTP Map. A maximum of 40 characters is allowed.

Description
  Enables you to enter a description. A maximum of 200 characters is allowed.

Parameters tab
  Identifies a constant whose values vary with the circumstances of its application. For a description of the GUI elements, see Table F-164.

Match Condition and Action tab
  For a description of the GUI elements, see Table F-165.

Create Object button
  Enables you to create an object. See Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94.

Edit Object button
  Opens the appropriate object page for the selected object, enabling you to edit object settings. See Editing Objects, page 8-10.

Delete Object button
  Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
  Note: An object used in a rule or within another object cannot be deleted.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.


Allow Value Override per Device
  When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
  When deselected, does not allow the global object definition to be overridden.
  Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
  Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
  Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Parameters Tab


Use the Parameters tab to configure settings for the HTTP Map object.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection.

Note: The Parameters tab is displayed by default the first time the dialog box is accessed.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-165 Add and Edit HTTP Map > Parameters Tab

Name*
  Enables you to enter the name of the HTTP Map. A maximum of 40 characters is allowed.

Description
  Enables you to enter a description. A maximum of 200 characters is allowed.

Body Match Maximum
  The maximum number of characters in the body of an HTTP message that should be searched in a body match. Values are 0 to 4294967295.
  Note: A high value will have a significant impact on performance.

Check for protocol violations
  When selected, checks for protocol violations.

Action
  Shows what action to take based on the defined settings.
  - Drop Connection
  - Reset
  - Reset and Log
  - Log

Spoof Server
  Enables you to replace the server HTTP header value with the specified string.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.


Allow Value Override per Device
  When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
  When deselected, does not allow the global object definition to be overridden.
  Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
  Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
  Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
  Saves your changes to the server and closes the dialog box.
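As an added example (not Cisco code) of what the Parameters tab settings above mean for a single message: a protocol-violation check with the four listed actions, a body match bounded by Body Match Maximum, and Spoof Server rewriting of the response's Server header. The default values, regular expressions and sample messages are constructed for illustration.

```python
"""Model of the ASA 7.2 HTTP map Parameters tab (added example, not Cisco code):
protocol-violation check with its four actions, a body search bounded by
Body Match Maximum, and Server header spoofing on the response."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DROP_CONNECTION, RESET, RESET_AND_LOG, LOG = "drop-connection", "reset", "reset-and-log", "log"

# HTTP/1.x framing: "METHOD SP target SP HTTP/d.d" and "token: value" header lines.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(r"^" + TOKEN + r" \S+ HTTP/\d\.\d$")
HEADER_LINE = re.compile(r"^" + TOKEN + r":[ \t]*[^\r\n]*$")


@dataclass
class Parameters:
    body_match_maximum: int = 200          # constructed default; GUI range is 0 to 4294967295
    check_protocol_violations: bool = True
    violation_action: str = RESET_AND_LOG  # Drop Connection, Reset, Reset and Log, or Log
    spoof_server: Optional[str] = None     # replacement value for the Server header


def protocol_violations(raw: bytes) -> List[str]:
    """List framing problems in a raw request; an empty list means it looks well-formed."""
    problems: List[str] = []
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header block not terminated by an empty line")
    lines = head.decode("ascii", "replace").split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        problems.append(f"malformed request line {lines[0]!r}")
    problems += [f"malformed header line {ln!r}" for ln in lines[1:] if not HEADER_LINE.match(ln)]
    return problems


def apply_violation_action(params: Parameters, raw: bytes) -> Tuple[bool, List[str]]:
    """Return (connection stays up, syslog lines) for the configured violation action."""
    if not params.check_protocol_violations:
        return True, []
    problems = protocol_violations(raw)
    if not problems:
        return True, []
    logs: List[str] = []
    if params.violation_action in (RESET_AND_LOG, LOG):
        logs = [f"HTTP protocol violation: {p}" for p in problems]
    # Log is the only action that lets the connection continue.
    return params.violation_action == LOG, logs


def body_matches(params: Parameters, raw: bytes, pattern: bytes) -> bool:
    """Body match bounded by Body Match Maximum: bytes past the limit are never searched,
    which is also why a very high value costs so much per message."""
    body = raw.partition(b"\r\n\r\n")[2]
    return re.search(pattern, body[: params.body_match_maximum]) is not None


def spoof_server_header(params: Parameters, response: bytes) -> bytes:
    """Replace the value of the response's Server header when Spoof Server is set."""
    if params.spoof_server is None:
        return response
    head, sep, body = response.partition(b"\r\n\r\n")
    lines = [b"Server: " + params.spoof_server.encode("ascii")
             if line.lower().startswith(b"server:") else line
             for line in head.split(b"\r\n")]
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    p = Parameters(body_match_maximum=16, spoof_server="web")
    good = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    bad = b"GET /index.html\r\nHost www.example.com\r\n\r\n"
    print(apply_violation_action(p, good), apply_violation_action(p, bad))
    print(body_matches(p, b"POST / HTTP/1.1\r\n\r\n" + b"x" * 20 + b"needle", b"needle"))
    print(spoof_server_header(p, b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\n\r\n"))
```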

Add and Edit HTTP Map > Match Condition and Action Tab
Select the Match Condition and Action tab to configure the action to take when
certain conditions are matched.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Click the Match Condition and Action tab.


Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-166 Add and Edit HTTP Map > Match Condition and Action

Name*
  Enables you to enter the name of the HTTP Map. A maximum of 40 characters is allowed.

Description
  Enables you to enter a description. A maximum of 200 characters is allowed.

Type
  Shows the match type, which can be a positive or negative match.

Criterion
  Shows the criterion of the HTTP class map.

Value
  Shows the value to match in the HTTP class map.

Action
  Shows what action to take based on the defined settings.

Create Object button
  Enables you to create an object. See Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94.

Edit Object button
  Opens the appropriate object page for the selected object, enabling you to edit object settings. See Editing Objects, page 8-10.

Delete Object button
  Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
  Note: An object used in a rule or within another object cannot be deleted.

Category
  Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
  Note: No commands are generated for the category attribute.


Overridable
  Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

OK button
  Saves your changes to the server and closes the dialog box.

Add and Edit HTTP Map > Add and Edit Match Condition and Action Dialog Boxes
Use the Add and Edit Match Condition and Action dialog boxes to configure the
action to take when certain conditions are matched.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Click the Match Condition and Action tab. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-167  Add and Edit HTTP Map > Add and Edit Match Condition and Action Dialog Boxes

Element    Description

Match Type
    Enables you to use an existing HTTP Class Map or define a new HTTP Map.
    • Use Specified Values: Enables you to define the match criterion.
    • Use Values in Class Map: Enables you to use an existing class map or define a new class map.

Criterion
    Specifies which criterion of HTTP traffic to match.

Request/Response Content Type Mismatch
    Specifies that the content type in the response must match one of the MIME types in the accept field of the request. For a description of the GUI elements, see Table F-168.

Request Arguments
    Applies the regular expression match to the arguments of the request. For a description of the GUI elements, see Table F-169.

Request Body
    Applies the regular expression match to the body of the request. For a description of the GUI elements, see Table F-170.

Request Body Length
    Applies the regular expression match to the body of the request with field length greater than the bytes specified. For a description of the GUI elements, see Table F-171.

Request Header Count
    Applies the regular expression match to the header of the request with a maximum number of headers. For a description of the GUI elements, see Table F-172.

Request Header Length
    Applies the regular expression match to the header of the request with length greater than the bytes specified. For a description of the GUI elements, see Table F-173.

Request Header Field
    Applies the regular expression match to the header of the request. For a description of the GUI elements, see Table F-174.

Request Header Field Count
    Applies the regular expression match to the header of the request with a maximum number of header fields. For a description of the GUI elements, see Table F-175.

Request Header Field Length
    Applies the regular expression match to the header of the request with field length greater than the bytes specified. For a description of the GUI elements, see Table F-176.

Request Header Content Type
    Applies the content type for the request header. For a description of the GUI elements, see Table F-177.

Request Header Transfer Encoding
    Applies the transfer encoding for the request header. For a description of the GUI elements, see Table F-178.

Request Header Non-ASCII
    Matches non-ASCII characters in the header of the request. For a description of the GUI elements, see Table F-179.

Request Method
    Applies the regular expression match to the method of the request. For a description of the GUI elements, see Table F-180.

Request URI
    Applies the regular expression match to the URI of the request. For a description of the GUI elements, see Table F-181.

Request URI Length
    Applies the regular expression match to the URI of the request with length greater than the bytes specified. For a description of the GUI elements, see Table F-182.

Response Body ActiveX
    Specifies to match on ActiveX. For a description of the GUI elements, see Table F-183.

Response Body Java Applet
    Specifies to match on a Java Applet. For a description of the GUI elements, see Table F-184.

Response Body
    Applies the regular expression match to the body of the response. For a description of the GUI elements, see Table F-185.

Response Body Length
    Applies the regular expression match to the body of the response with field length greater than the bytes specified. For a description of the GUI elements, see Table F-186.

Response Header Count
    Applies the regular expression match to the header of the response with a maximum number of headers. For a description of the GUI elements, see Table F-187.

Response Header Length
    Applies the regular expression match to the header of the response with field length greater than the bytes specified. For a description of the GUI elements, see Table F-188.

Response Header Field
    Applies the regular expression match to the header of the response. For a description of the GUI elements, see Table F-189.

Response Header Field Count
    Applies the regular expression match to the header of the response with a maximum number of header fields. For a description of the GUI elements, see Table F-190.

Response Header Field Length
    Applies the regular expression match to the header of the response with field length greater than the bytes specified. For a description of the GUI elements, see Table F-191.

Response Header Content Type
    Applies the content type for the response header. For a description of the GUI elements, see Table F-192.

Response Header Transfer Encoding
    Applies the transfer encoding for the response header. For a description of the GUI elements, see Table F-193.

Response Header Non-ASCII
    Matches non-ASCII characters in the header of the response. For a description of the GUI elements, see Table F-194.

Response Status Line
    Applies the regular expression match to the status line. For a description of the GUI elements, see Table F-195.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.
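The criteria in Table F-167 are easier to reason about when they are evaluated against a concrete exchange. The following Python block is an added example, not Cisco Security Manager or ASA/PIX code: it is a small reference model in which a subset of the criteria (Request Header Count, Request Header Field Length, Request Body Length, Request URI, and Request/Response Content Type Mismatch) are predicates over a parsed request/response pair, the Type setting (Matches or Doesn't Match) inverts the predicate, and the row's Action is reported whenever the class map includes the traffic. The function names, the Rule structure, the parser and the sample messages are assumptions made for illustration, and Python's re module stands in for the device's own regular expression engine, whose syntax differs.

```python
# Reference model of the match criteria in Table F-167. Added example, not
# Cisco Security Manager or ASA/PIX code; function names, the Rule layout and
# the sample messages below are assumptions made for illustration.
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class HttpMessage:
    start_line: str
    headers: List[Tuple[str, str]]  # (lower-cased name, value) in wire order
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    # Minimal HTTP/1.1 splitter: no chunked decoding, no header folding.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return HttpMessage(lines[0], headers, body)


# Each factory returns a predicate over (request, response) that mirrors one
# Criterion row of the table.
def request_header_count_gt(limit: int):
    # Request Header Count: more than `limit` header fields in the request.
    return lambda req, resp: len(req.headers) > limit

def request_header_field_length_gt(field: str, limit: int):
    # Request Header Field Length: the named field's value exceeds `limit` bytes.
    field = field.lower()
    return lambda req, resp: any(len(v) > limit for n, v in req.headers if n == field)

def request_body_length_gt(limit: int):
    # Request Body Length: request body longer than `limit` bytes.
    return lambda req, resp: len(req.body) > limit

def request_uri_regex(pattern: str):
    # Request URI: regular expression applied to the request target.
    rx = re.compile(pattern)
    return lambda req, resp: rx.search(req.start_line.split(" ")[1]) is not None

def content_type_mismatch():
    # Request/Response Content Type Mismatch: the response Content-Type is not
    # covered by any media range in the request's Accept field.
    def check(req, resp):
        accept = [v for n, v in req.headers if n == "accept"]
        ctype = [v for n, v in resp.headers if n == "content-type"]
        if not accept or not ctype:
            return False  # nothing to compare
        offered = ctype[0].split(";")[0].strip().lower()
        for item in accept[0].split(","):
            media = item.split(";")[0].strip().lower()
            if media in ("*/*", offered):
                return False
            if media.endswith("/*") and offered.startswith(media[:-1]):
                return False
        return True
    return check


@dataclass
class Rule:
    name: str
    criterion: Callable[[HttpMessage, HttpMessage], bool]
    action: str
    match_type: str = "Matches"  # or "Doesn't Match", as in the Type row


def inspect(req_raw: bytes, resp_raw: bytes, rules: List[Rule]) -> List[Tuple[str, str]]:
    # Returns (rule name, action) for every rule whose class includes this exchange.
    # "Doesn't Match" inverts the criterion: the class then holds exactly the
    # traffic that does NOT satisfy it, as the Type row describes.
    req, resp = parse_http(req_raw), parse_http(resp_raw)
    hits = []
    for rule in rules:
        hit = rule.criterion(req, resp)
        if rule.match_type == "Doesn't Match":
            hit = not hit
        if hit:
            hits.append((rule.name, rule.action))
    return hits


# Constructed policy and sample exchange; none of this comes from a real device.
RULES = [
    Rule("too-many-headers", request_header_count_gt(5), "Drop Connection and Log"),
    Rule("long-user-agent", request_header_field_length_gt("User-Agent", 256), "Reset and Log"),
    Rule("large-body", request_body_length_gt(1024), "Drop Connection"),
    Rule("uri-outside-cgi-bin", request_uri_regex(r"^/cgi-bin/"), "Log", "Doesn't Match"),
    Rule("content-type-mismatch", content_type_mismatch(), "Reset and Log"),
]
LONG_UA = b"A" * 300  # constructed oversized User-Agent value
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Accept: application/json\r\nUser-Agent: " + LONG_UA + b"\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: 5\r\n\r\nhello")
```

Calling inspect(SAMPLE_REQUEST, SAMPLE_RESPONSE, RULES) reports three hits: the oversized User-Agent, the URI that lies outside /cgi-bin/, and the HTML response to a client that only accepted JSON. The uri-outside-cgi-bin rule shows why the Type setting needs care: with Doesn't Match, the class includes every request whose URI does not begin with /cgi-bin/, which is the intended effect of an allow-list but is easy to get backwards when the rule is read on its own.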


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values >
Request/Response Content Type Mismatch
Select Request/Response Content Type Mismatch to specify that the content type
in the response must match one of the MIME types in the accept field of the
request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request/Response Content Type Mismatch as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-168  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request/Response Content Type Mismatch

Element    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request/Response Content Type Mismatch as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit HTTP Class Map > Add and Edit Match Condition and Action > Use Specified Values >
Request Arguments
Select Request Arguments to apply the regular expression match to the arguments
of the request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Arguments as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-169  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Arguments

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Arguments as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Value
    • Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    • Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Body
Select Request Body to apply the regular expression match to the body of the
request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Body as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-170  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Body

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Body as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Value
    • Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    • Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Body Length
Select Request Body Length to apply the regular expression match to the body of
the request with field length greater than the bytes specified.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Body Length as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-171  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Body Length

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Body Length as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Greater Than Length
    Enables you to enter a field length value in bytes that request field lengths will be matched against. Values are 0–2147483647.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Count
Select Request Header Count to apply the regular expression match to the header
of the request with a maximum number of headers.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Header Count as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-172  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Header Count

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Header Count as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Greater Than Count
    Enables you to enter the maximum number of headers. Values are 0–255.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Length
Select Request Header Length to apply the regular expression match to the header
of the request with length greater than the bytes specified.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Header Length as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-173  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Header Length

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Header Length as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Greater Than Length
    Enables you to enter a field length value in bytes that request field lengths will be matched against. Values are 1–65535.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Field
Select Request Header Field to apply the regular expression match to the header
of the request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Header Field as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-174  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Header Field

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Header Field as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Field Name
    • Predefined: Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    • Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.

Value
    • Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    • Regular Expression Group: Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Field Count
Select Request Header Field Count to apply the regular expression match to the
header of the request with a maximum number of header fields.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Header Field Count as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-175  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Header Field Count

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Header Field Count as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Field Name
    • Predefined: Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    • Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.

Greater Than Count
    Enables you to enter the maximum number of header fields.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Field Length
Select Request Header Field Length to apply the regular expression match to the
header of the request with field length greater than the bytes specified.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Header Field Length as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-176  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Header Field Length

Element (1)    Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Request Header Field Length as the selected criterion of HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Field Name
    • Predefined: Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    • Regular Expression: Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.

Greater Than Length
    Enables you to enter a field length value in bytes that request field lengths will be matched against. Values are 1–32767.

Action
    Shows what action to take based on the defined settings.
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Content Type
Select Request Header Content Type to apply the content type for the request
header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit HTTP Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Request Header Content Type as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding HTTP Policy Map Objects, page 8-83
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-177  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Request Header Content Type

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Request Header Content Type as the selected criterion of HTTP
  traffic to match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Content Type
  Specified By: Enables you to select from a list of predefined MIME types.
  Unknown: Matches when the MIME type in the Content-Type header field is
  not one of the MIME types built into the appliance. Combine with Doesn't
  Match to require a known MIME type.
  Violation: Matches when the magic number at the start of the body does
  not correspond to the MIME type declared in the Content-Type header field
  (for example, an executable declared as image/png).
  Regular Expression: Lists the defined regular expressions to match. Enter
  the information in the field provided or click Select, which opens a list
  of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching.
  Regular expressions that start with default are default regular
  expressions and cannot be modified or deleted.
  Regular Expression Group: Lists the defined regular expression groups to
  match. Enter the regular expression group in the field provided or click
  Select, which opens a list of available regular expression groups from
  which to make your selection.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
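As an added example (not code from this guide, from Cisco Security Manager or from the appliance), the following Python models what the Unknown and Violation options inspect: the declared MIME type is checked against a list of known types, and the leading bytes of the body (its magic number) are compared with the signature expected for the declared type. The signature table, the known-type list, the sample requests and the chosen action are constructed for illustration; the appliance's built-in tables are larger and its exact matching rules are not documented on this page.

```python
# Added example, not part of the Cisco Security Manager guide. Models the
# Request Header Content Type criterion's Unknown and Violation options.
# MAGIC and KNOWN_MIME_TYPES are a constructed subset; the appliance's
# built-in tables are larger.

# File signatures (magic numbers) at offset 0 for a few binary MIME types.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
    b"MZ": "application/x-msdownload",
}

# MIME types the modelled inspector recognises; anything else is Unknown.
KNOWN_MIME_TYPES = {
    "text/html", "text/plain", "text/xml", "application/json",
    "application/x-www-form-urlencoded", "multipart/form-data",
} | set(MAGIC.values())


def declared_mime_type(content_type_header):
    """Return the media type from a Content-Type value, dropping parameters
    such as charset= or boundary= and normalising case."""
    return content_type_header.split(";", 1)[0].strip().lower()


def sniffed_mime_type(body):
    """Return the MIME type whose magic number the body starts with, or None
    when no known signature is present (plain text has none)."""
    for signature, mime in MAGIC.items():
        if body.startswith(signature):
            return mime
    return None


def content_type_unknown(content_type_header):
    """Unknown option: the declared type is not in the built-in list."""
    return declared_mime_type(content_type_header) not in KNOWN_MIME_TYPES


def content_type_violation(content_type_header, body):
    """Violation option: the body's magic number disagrees with the header.

    Flagged when the declared type has a known signature that the body does
    not carry, or when the declared type has no signature (e.g. text/html)
    but the body carries the signature of some other type. A body with no
    recognisable signature under a signature-less declared type is not judged.
    """
    declared = declared_mime_type(content_type_header)
    expected = [sig for sig, mime in MAGIC.items() if mime == declared]
    if expected:
        return not any(body.startswith(sig) for sig in expected)
    sniffed = sniffed_mime_type(body)
    return sniffed is not None and sniffed != declared


def inspect_content_type(content_type_header, body, action="drop-connection log"):
    """Return the action for a request, or "allow" when neither option fires.
    Mirrors a map with two rows, Unknown and Violation, sharing one action."""
    if content_type_unknown(content_type_header):
        return action
    if content_type_violation(content_type_header, body):
        return action
    return "allow"


# Constructed sample requests: (Content-Type value, first bytes of the body).
SAMPLES = {
    "png_as_png": ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    "exe_as_png": ("image/png", b"MZ\x90\x00\x03\x00\x00\x00"),
    "exe_as_html": ("text/html; charset=utf-8", b"MZ\x90\x00\x03\x00"),
    "html_as_html": ("Text/HTML; charset=utf-8", b"<!DOCTYPE html>"),
    "custom_type": ("application/x-acme-blob", b"\x00\x01\x02"),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(f"{name:13s} unknown={content_type_unknown(ctype)!s:5s} "
              f"violation={content_type_violation(ctype, body)!s:5s} "
              f"-> {inspect_content_type(ctype, body)}")
```

The two options are complementary: Unknown catches types the inspector cannot reason about at all, while Violation catches a body whose bytes contradict an otherwise acceptable declared type, which is the case that matters when a client tries to smuggle a binary past a filter keyed on the Content-Type header alone.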


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Transfer Encoding
Select Request Header Transfer Encoding to match on the Transfer-Encoding
field of the request header, either an empty field or a value matched by a
regular expression.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Request Header Transfer Encoding as your
criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-178  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Request Header Transfer Encoding

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Request Header Transfer Encoding as the selected criterion of HTTP
  traffic to match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Content Type
  Specifies the transfer-encoding value to match in the request header.
  Empty: Matches requests whose Transfer-Encoding header field is empty.
  Regular Expression: Lists the defined regular expressions to match. Enter
  the information in the field provided or click Select, which opens a list
  of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching.
  Regular expressions that start with default are default regular
  expressions and cannot be modified or deleted.
  Regular Expression Group: Lists the defined regular expression groups to
  match. Enter the regular expression group in the field provided or click
  Select, which opens a list of available regular expression groups from
  which to make your selection.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Header Non-ASCII
Select Request Header Non-ASCII to match non-ASCII characters in the header
of the request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Request Header Non-ASCII as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-179  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Request Header Non-ASCII

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Request Header Non-ASCII as the selected criterion of HTTP traffic
  to match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request
Method
Select Request Method to apply the regular expression match to the method of the
request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Request Method as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference
Table F-180  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Request Method

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Request Method as the selected criterion of HTTP traffic to match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Request Method
  Specified By: Specifies the request method to match, one of bcopy,
  bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get,
  getattribute, getattributenames, getproperties, head, index, lock, mkcol,
  mkdir, move, notify, options, poll, post, propfind, proppatch, put,
  revadd, revlabel, revlog, revnum, save, search, setattribute, startrev,
  stoprev, subscribe, trace, unedit, unlock, unsubscribe.
  Regular Expression: Lists the defined regular expressions to match. Enter
  the information in the field provided or click Select, which opens a list
  of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching.
  Regular expressions that start with default are default regular
  expressions and cannot be modified or deleted.
  Regular Expression Group: Lists the defined regular expression groups to
  match. Enter the regular expression group in the field provided or click
  Select, which opens a list of available regular expression groups from
  which to make your selection.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request URI
Select Request URI to apply the regular expression match to the URI of the
request.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Request URI as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-181  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Request URI

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Request URI as the selected criterion of HTTP traffic to match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Value
  Regular Expression: Applies the regular expression match to the URI of
  the request. Enter the information in the field provided or click Select,
  which opens a list of available regular expressions from which to make
  your selection.
  You can configure Regular Expressions for use in pattern matching.
  Regular expressions that start with default are default regular
  expressions and cannot be modified or deleted.
  Regular Expression Group: Lists the defined regular expression groups to
  match. Enter the regular expression group in the field provided or click
  Select, which opens a list of available regular expression groups from
  which to make your selection.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Request URI
Length
Select Request URI Length to match requests whose URI is longer than the
number of bytes you specify.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Request URI Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-182  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Request URI Length

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Request URI Length as the selected criterion of HTTP traffic to
  match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Greater Than Length
  Enter a URI length value in bytes. A request whose URI is longer than
  this value matches. Values are 1–32767.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response
Body ActiveX
Select Response Body ActiveX to match ActiveX content in the body of the
response.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Body ActiveX as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-183  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Response Body ActiveX

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Response Body ActiveX as the selected criterion of HTTP traffic to
  match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Action
  Enables you to select Mask from the list.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response
Body Java Applet
Select Response Body Java Applet to match Java applet content in the body of
the response.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Body Java Applet as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-184  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Response Body Java Applet

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Response Body Java Applet as the selected criterion of HTTP traffic
  to match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Action
  Enables you to select Mask from the list.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response
Body
Select Response Body to apply the regular expression match to the body of the
response.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Body as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-185  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Response Body

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Response Body as the selected criterion of HTTP traffic to match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Value
  Regular Expression: Lists the defined regular expressions to match. Enter
  the information in the field provided or click Select, which opens a list
  of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching.
  Regular expressions that start with default are default regular
  expressions and cannot be modified or deleted.
  Regular Expression Group: Lists the defined regular expression groups to
  match. Enter the regular expression group in the field provided or click
  Select, which opens a list of available regular expression groups from
  which to make your selection.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response
Body Length
Select Response Body Length to match responses whose body is longer than the
number of bytes you specify.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Body Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-186  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Response Body Length

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Response Body Length as the selected criterion of HTTP traffic to
  match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Greater Than Length
  Enables you to enter a body length value in bytes that response body
  lengths will be matched against. A response whose body is longer than
  this value matches. Values are 0–2147483647.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response
Header Count
Select Response Header Count to match responses whose header contains more
than the number of header fields you specify.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Count as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-187  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Response Header Count

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Response Header Count as the selected criterion of HTTP traffic to
  match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Greater Than Count
  Enables you to enter a header count. A response whose header contains
  more than this number of header fields matches. Values are 0217.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response
Header Length
Select Response Header Length to match responses whose header is longer than
the number of bytes you specify.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference
Table F-188  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Response Header Length

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Response Header Length as the selected criterion of HTTP traffic to
  match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Greater Than Length
  Enables you to enter a header length value in bytes that response header
  lengths will be matched against. A response whose header is longer than
  this value matches. Values are 1–65535.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response
Header Field
Select Response Header Field to match a named field in the response header,
chosen from a predefined list or by regular expression, optionally together
with a regular expression match on the field's value.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Field as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference
Table F-189  Add and Edit HTTP Map > Add and Edit Match Condition and Action >
Use Specified Values > Response Header Field

Element (1)    Description

Match Type
  Shows Use Specified Values as the selected match type.

Criterion
  Shows Response Header Field as the selected criterion of HTTP traffic to
  match.

Type
  Specifies whether the class map includes traffic that matches or does not
  match the criterion. For example, if Doesn't Match is selected on the
  string example.com, then any traffic that contains example.com is
  excluded from the class map.
  Matches: Matches the criterion.
  Doesn't Match: Does not match the criterion.

Field Name
  Predefined: Specifies the response header field to match, one of
  accept-ranges, age, allow, cache-control, connection, content-encoding,
  content-language, content-length, content-location, content-md5,
  content-range, content-type, date, etag, expires, last-modified,
  location, pragma, proxy-authenticate, retry-after, server, set-cookie,
  trailer, transfer-encoding, upgrade, vary, via, warning,
  www-authenticate.
  Regular Expression: Lists the defined regular expressions to match. Enter
  the information in the field provided or click Select, which opens a list
  of available regular expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching.
  Regular expressions that start with default are default regular
  expressions and cannot be modified or deleted.

Value
  Regular Expression: Lists the defined regular expressions to match
  against the value of the field. Enter the information in the field
  provided or click Select, which opens a list of available regular
  expressions from which to make your selection.
  You can configure Regular Expressions for use in pattern matching.
  Regular expressions that start with default are default regular
  expressions and cannot be modified or deleted.
  Regular Expression Group: Lists the defined regular expression groups to
  match. Enter the regular expression group in the field provided or click
  Select, which opens a list of available regular expression groups from
  which to make your selection.

Action
  Shows what action to take based on the defined settings: Drop Connection,
  Drop Connection and Log, Reset, Reset and Log, or Log.

OK button
  Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Field Count
Select Response Header Field Count to apply the regular expression match to the
header of the response with a maximum number of header fields.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Field Count as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference

Table F-190  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Field Count

Element (1)        Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Response Header Field Count as the selected criterion of HTTP
    traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Field Name
    - Predefined: Specifies the response header fields: accept-ranges, age,
      allow, cache-control, connection, content-encoding, content-language,
      content-length, content-location, content-md5, content-range,
      content-type, date, etag, expires, last-modified, location, pragma,
      proxy-authenticate, retry-after, server, set-cookie, trailer,
      transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions that start with default are default
      regular expressions and cannot be modified or deleted.

Greater Than Count
    Enables you to enter the maximum number of headers.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Field Length
Select Response Header Field Length to apply the regular expression match to the
header of the response with field length greater than the bytes specified.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Field Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference

Table F-191  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Field Length

Element (1)        Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Response Header Field Length as the selected criterion of HTTP
    traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Field Name
    - Predefined: Specifies the response header fields: accept-ranges, age,
      allow, cache-control, connection, content-encoding, content-language,
      content-length, content-location, content-md5, content-range,
      content-type, date, etag, expires, last-modified, location, pragma,
      proxy-authenticate, retry-after, server, set-cookie, trailer,
      transfer-encoding, upgrade, vary, via, warning, www-authenticate.
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions that start with default are default
      regular expressions and cannot be modified or deleted.

Greater Than Length
    Enables you to enter a field length value in bytes that response field
    lengths will be matched against. Values are 1-32767.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Content Type
Select Response Header Content Type to apply the content type for the response
header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Content Type as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference

Table F-192  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Content Type

Element (1)        Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Response Header Content Type as the selected criterion of HTTP
    traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Content Type
    - Specified By: Enables you to select from a list of predefined
      mime-types.
    - Unknown: Used when the mime-type must match a built-in known
      mime-type.
    - Violation: Used when the magic number in the body must correspond to
      the mime-type in the content-type header field.
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions that start with default are default
      regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Transfer Encoding
Select Response Header Transfer Encoding to apply the transfer encoding for the
response header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Transfer Encoding as your
criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-193  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Transfer Encoding

Element (1)        Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Response Header Transfer Encoding as the selected criterion of
    HTTP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Specified By: Enables you to select from a list of predefined
      mime-types.
    - Empty: Matches traffic whose response header carries an empty
      transfer-encoding field.
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions that start with default are default
      regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.


Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Non-ASCII
Select Response Header Non-ASCII to match non-ASCII characters in the header
of the response.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Header Non-ASCII as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94

Field Reference

Table F-194  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Header Non-ASCII

Element (1)        Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Response Header Non-ASCII as the selected criterion of HTTP
    traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Status Line
Select Response Status Line to apply the regular expression match to the status
line.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Response Status Line as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference

Table F-195  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Specified Values > Response Status Line

Element (1)        Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Response Status Line as the selected criterion of HTTP traffic to
    match.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions that start with default are default
      regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
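As an added illustration (not part of this guide or of Security Manager's own code), the following Python models the response-side criteria of Tables F-189 through F-195 (header field regex, field count, field length in bytes, content-type Unknown/Violation, empty transfer-encoding, non-ASCII header bytes, status line regex) and the Matches / Doesn't Match inversion, evaluated against a constructed response. The magic-number table and the list of known mime-types are assumptions standing in for the device's built-in ones.

```python
import re

# Constructed magic-number table for the Content Type "Violation" check: the
# leading bytes of the body must correspond to the declared mime-type.
MAGIC = {
    b"image/gif": (b"GIF87a", b"GIF89a"),
    b"image/png": (b"\x89PNG\r\n\x1a\n",),
    b"image/jpeg": (b"\xff\xd8\xff",),
    b"application/pdf": (b"%PDF-",),
}
# Constructed stand-in for the device's built-in list of known mime-types,
# used by the Content Type "Unknown" check.
KNOWN_TYPES = set(MAGIC) | {b"text/html", b"text/plain", b"application/json"}


def parse_head(raw):
    """Split a raw response head into (status_line, [(name, value), ...]).
    Names are lower-cased; values stay bytes so non-ASCII octets are visible."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    fields = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            fields.append((name.strip().lower(), value.strip()))
    return lines[0], fields


def header_value(fields, name):
    """First value of the named response header field, or None when absent."""
    for n, v in fields:
        if n == name:
            return v
    return None


def declared_mime(fields):
    """Media type from Content-Type without parameters, or None when absent."""
    ct = header_value(fields, b"content-type")
    return None if ct is None else ct.split(b";")[0].strip().lower()


# One predicate per "Use Specified Values" criterion; all share one signature.
def field_regex(status, fields, body, name, pattern):      # Response Header Field
    v = header_value(fields, name)
    return v is not None and re.search(pattern, v) is not None

def field_count_gt(status, fields, body, n):               # ... Field Count
    return len(fields) > n

def field_length_gt(status, fields, body, name, n):        # ... Field Length (bytes)
    v = header_value(fields, name)
    return v is not None and len(v) > n

def content_type_unknown(status, fields, body):            # Content Type: Unknown
    mime = declared_mime(fields)
    return mime is not None and mime not in KNOWN_TYPES

def content_type_violation(status, fields, body):          # Content Type: Violation
    sigs = MAGIC.get(declared_mime(fields))
    return sigs is not None and not body.startswith(sigs)

def transfer_encoding_empty(status, fields, body):         # Transfer Encoding: Empty
    return header_value(fields, b"transfer-encoding") == b""

def non_ascii(status, fields, body):                       # Response Header Non-ASCII
    octets = status + b"".join(n + v for n, v in fields)
    return any(o > 0x7F for o in octets)

def status_line_regex(status, fields, body, pattern):      # Response Status Line
    return re.search(pattern, status) is not None


def inspect_response(raw_head, body, rows):
    """Evaluate rows of (criterion, args, matches, action), one per Add/Edit
    Match Condition and Action row. matches=False is "Doesn't Match", which
    inverts the criterion. Returns the (criterion, action) pairs triggered."""
    status, fields = parse_head(raw_head)
    return [(check.__name__, action)
            for check, args, matches, action in rows
            if check(status, fields, body, *args) == matches]


# Constructed sample: the declared type disagrees with the body, Transfer-
# Encoding is present but empty, one header value carries a Latin-1 byte, and
# the cookie is longer than 256 bytes.
SAMPLE_HEAD = (b"HTTP/1.1 200 OK\r\n"
               b"Server: example\r\n"
               b"Content-Type: image/gif\r\n"
               b"Transfer-Encoding: \r\n"
               b"X-Note: caf\xe9\r\n"
               b"Set-Cookie: id=" + b"A" * 300 + b"\r\n\r\n")
SAMPLE_BODY = b"<html>not a gif</html>"

POLICY = [
    (field_count_gt, (4,), True, "Log"),
    (field_length_gt, (b"set-cookie", 256), True, "Reset and Log"),
    (non_ascii, (), True, "Drop Connection and Log"),
    (transfer_encoding_empty, (), True, "Log"),
    (content_type_violation, (), True, "Drop Connection"),
    (content_type_unknown, (), True, "Log"),
    (field_regex, (b"server", rb"^example$"), True, "Log"),
    (status_line_regex, (rb"^HTTP/1\.[01] 2\d\d ",), False, "Log"),  # Doesn't Match 2xx
]

if __name__ == "__main__":
    for name, action in inspect_response(SAMPLE_HEAD, SAMPLE_BODY, POLICY):
        print(f"{name:24s} -> {action}")
```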

Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Values in Class Map
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2) from the Object Type selector.
Right-click inside the work area, then select New Object or right-click a row, then
select Edit Object. The Add or Edit HTTP Map dialog box appears based on your
selection. Right-click inside the table, then select Add Row or right-click a row,
then select Edit Row. Select Use Values in Class Map as your match type.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding HTTP Policy Map Objects, page 8-83

Creating HTTP Map Objects (ASA 7.2/PIX 7.2), page 8-94


Field Reference

Table F-196  Add and Edit HTTP Map > Add and Edit Match Condition and Action > Use Values in Class Map

Element        Description

Match Type
    Shows Use Values in Class Map as the selected match type.

Class Map*
    Enables you to enter the HTTP Class Map or click Select, which opens the
    HTTP Class Map Selector from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log
    - Mask

OK button
    Saves your changes to the server and closes the dialog box.

IM Maps (ASA 7.2/PIX 7.2) Page


Use the IM Maps (ASA 7.2/PIX 7.2) page to define Instant Messaging (IM) maps
for IM inspection. From this page, you can add, edit, and delete objects, and edit
policy override settings. You can also generate usage reports of policies that use
the object.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9


Guidelines for Managing Objects, page 8-4

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Understanding the Policy Object Manager Window, page 8-5

Field Reference

Table F-197  IM Maps (ASA 7.2/PIX 7.2) Page

Element        Description

Filter
    Filters the information displayed in the table. Click the arrow to
    display the filtering bar, which enables you to set filtering
    parameters. See Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a
    star indicate user-defined objects that may be modified. Icons without
    a star indicate predefined objects that cannot be modified. The icon is
    displayed after the object is defined.

Name
    Identifies the name of the object. Names can be sorted in ascending or
    descending order.

Criterion
    Shows the criterion of the inspection, for example, Filename or Client
    IP address.

Type
    Shows whether the class map includes traffic that matches or does not
    match the criterion.

Value
    Shows the value to match in the inspection, for example, regular
    expression or regular expression group.

Action
    Shows what action to take based on the defined settings.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding. See
    Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden by
    object values defined at device level. See Allowing a Global Object to
    Be Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point at
    the icon to display a tooltip with the text of the description.
    Descriptions help you identify a policy.
    Tip: Double-click the icon to display the text of the description in a
    popup window.

New Object button
    Enables you to create an object. See Creating IM Map Objects for ASA 7.2
    and PIX 7.2 Devices, page 8-99.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you
    to edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule
    or nested within another object, you are prompted to modify or delete
    the reference before the deletion can occur. See Deleting Objects,
    page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Add and Edit IM Map Dialog Boxes (for ASA 7.2/PIX 7.2)
Use the Add and Edit IM Map dialog boxes to define settings for the IM inspect
map.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Understanding the Policy Object Manager Window, page 8-5



Field Reference

Table F-198  Add and Edit IM Map Dialog Boxes

Element (1)        Description

Match All

Name*
    Enables you to enter the name of the IM Map. A maximum of 40 characters
    is allowed.

Description
    Enables you to enter a description of the IM Map. A maximum of
    200 characters is allowed.

Type
    Shows whether the class map includes traffic that matches or does not
    match the criterion.

Criterion
    Shows the criterion of the inspection, for example, Filename or Client
    IP address.

Value
    Shows the value to match in the inspection, for example, regular
    expression or regular expression group.

Action
    Shows what action to take based on the defined settings.

New Object button
    Enables you to create an object.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you
    to edit object settings.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule
    or nested within another object, you are prompted to modify or delete
    the reference before the deletion can occur.
    Note: An object used in a rule or within another object cannot be
    deleted.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit
    button to display the Policy Object Overrides page. From here you can
    create, edit, and view device-level overrides; however, you must first
    save the policy object before you define override settings. For a
    description of the GUI elements, see Policy Object Overrides Window,
    page F-565.
    Note: Selecting Allow Value Override per Device does not automatically
    set overrides.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map > Add and Edit Match Condition and Action Dialog Boxes
Use the Add and Edit Match Condition and Action dialog boxes to configure the
conditions for the inspect map.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row.


Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference

Table F-199  Add and Edit IM Map > Add and Edit Match Condition and Action Dialog Boxes

Element        Description

Match Type
    Enables you to use an existing IM Class Map or define a new IM Map.
    - Use Specified Values: Enables you to define match criterion.
    - Use Values in Class Map: Enables you to use an existing class map or
      define a new class map. For a description of GUI elements, see
      Table F-208.

Criterion
    - Filename: Matches the filename from IM file transfer service. For a
      description of the GUI elements, see Table F-200.
    - Client IP Address: For a description of the GUI elements, see
      Table F-201.
    - Client Login Name: Matches the client login name from IM service. For
      a description of the GUI elements, see Table F-202.
    - Peer IP Address: For a description of the GUI elements, see
      Table F-203.
    - Peer Login Name: Matches the client peer login name from IM service.
      For a description of the GUI elements, see Table F-204.
    - Protocol: Matches IM protocols. For a description of the GUI elements,
      see Table F-205.
    - Service: Matches IM services. For a description of the GUI elements,
      see Table F-206.
    - File Transfer Service Version: Matches the IM file transfer service
      version. For a description of the GUI elements, see Table F-207.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions that start with default are default
      regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.


Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Filename
Select Filename to match the filename from IM file transfer service.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select
Filename as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference

Table F-200  Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Filename

Element        Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Filename as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does
    not match the criterion. For example, if Doesn't Match is selected on
    the string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions that start with default are default
      regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expressions from
      which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Client IP
Address
Select Client IP Address to match the source IP address.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select
Client IP Address as the criterion.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-201    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Specified Values > Client IP Address

Element          Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Client IP Address as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

IP Address*
    Enables you to enter the source IP address.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

User Guide for Cisco Security Manager 3.1

F-354

OL-11501-03

Appendix F

Policy Object Manager User Interface Reference


IM Maps (ASA 7.2/PIX 7.2) Page

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Client Login
Name
Select Client Login Name to match the client login name from the IM service.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select
Client Login Name as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-202    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Specified Values > Client Login Name

Element          Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Client Login Name as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions whose names start with "default" are
      default regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expression
      classes from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Peer IP Address
Select Peer IP Address to match the destination IP address.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select
Peer IP Address as the criterion.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-203    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Specified Values > Peer IP Address

Element          Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Peer IP Address as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

IP Address*
    Enables you to enter the destination IP address.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

User Guide for Cisco Security Manager 3.1


OL-11501-03

F-357

Appendix F

Policy Object Manager User Interface Reference

IM Maps (ASA 7.2/PIX 7.2) Page

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Peer Login
Name
Select Peer Login Name to match the peer login name from the IM service.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select Peer
Login Name as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-204    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Specified Values > Peer Login Name

Element          Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Peer Login Name as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions whose names start with "default" are
      default regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expression
      classes from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Protocol
Select Protocol to match IM protocols.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select
Protocol as the criterion.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-205    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Specified Values > Protocol

Element          Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Protocol as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Protocol
    The IM protocol to match:
    - MSN Messenger
    - Yahoo! Messenger

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

User Guide for Cisco Security Manager 3.1

F-360

OL-11501-03

Appendix F

Policy Object Manager User Interface Reference


IM Maps (ASA 7.2/PIX 7.2) Page

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > Service
Select Service to match IM services.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select
Service as the criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-206    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Specified Values > Service

Element          Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Service as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Service
    - Chat: Specifies to match the IM message chat service.
    - Conference: Specifies to match the IM conference service.
    - File Transfer: Specifies to match the IM file transfer service.
    - Games: Specifies to match the IM gaming service.
    - Voice Chat: Specifies to match the IM voice chat service (not available
      for Yahoo! IM).
    - Webcam: Specifies to match the IM webcam service.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Specified Values > File Transfer
Service Version
Select File Transfer Service Version to match IM file transfer service version.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select
File Transfer Service Version as the criterion.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-207    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Specified Values > File Transfer Service Version

Element          Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows File Transfer Service Version as the selected criterion.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the
    string example.com, then any traffic that contains example.com is
    excluded from the class map.
    - Matches: Matches the criterion.
    - Doesn't Match: Does not match the criterion.

Value
    - Regular Expression: Lists the defined regular expressions to match.
      Enter the information in the field provided or click Select, which
      opens a list of available regular expressions from which to make your
      selection. You can configure Regular Expressions for use in pattern
      matching. Regular expressions whose names start with "default" are
      default regular expressions and cannot be modified or deleted.
    - Regular Expression Group: Lists the defined regular expression classes
      to match. Enter the regular expression class in the field provided or
      click Select, which opens a list of available regular expression
      classes from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map > Add and Edit Match Condition and Action > Use Values in Class Map
Select Use Values in Class Map to match an IM query using an IM class map.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (ASA 7.2/PIX 7.2)
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object. Right-click inside the
table, then select Add Row or right-click a row, then select Edit Row. Select Use
Values in Class Map as the match type.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices, page 8-99

Field Reference
Table F-208    Add and Edit IM Map > Add and Edit Match Condition and Action >
               Use Values in Class Map

Element          Description

Match Type
    Shows Use Values in Class Map as the selected match type.

Class Map*
    Enables you to enter the IM Class Map or click Select, which opens the
    IM Class Map Selector from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    - Drop Connection
    - Drop Connection and Log
    - Reset
    - Reset and Log
    - Log

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
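Each row of the Match Condition and Action table (Tables F-200 through F-208) becomes one match statement and one action in the IM inspection policy map that Security Manager deploys. The following Python script is an added example, not code from this guide or from Cisco Security Manager: it takes rows described with the dialog's own field names (Criterion, Type, Value or Regular Expression Group, Action, or a Class Map for Use Values in Class Map) and renders the corresponding ASA 7.2/PIX 7.2 CLI. The command keywords (`match [not] filename regex ...`, `im-msn`, `im-yahoo`, `drop-connection log`, the host mask on IP criteria) are this example's reading of the ASA 7.2 IM inspection syntax and should be checked against your platform's command reference; the policy and regex names (`IM-POLICY`, `blocked_exe`, `allowed_logins`, `im_untrusted_peers`) are made up for the example.

```python
"""Added example (not from the Security Manager guide or product): render IM map
rows, named with the dialog fields from Tables F-200 to F-208, as ASA 7.2/PIX 7.2
IM inspection CLI.  Keyword spellings are this example's reading of the ASA 7.2
syntax (assumption); names such as IM-POLICY or blocked_exe are made up."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

# Dialog "Criterion" -> ASA match keyword (assumed mapping).
CRITERIA = {
    "Filename": "filename",
    "Client IP Address": "ip-address",
    "Client Login Name": "login-name",
    "Peer IP Address": "peer-ip-address",
    "Peer Login Name": "peer-login-name",
    "Protocol": "protocol",
    "Service": "service",
    "File Transfer Service Version": "version",
}
# Criteria whose Value is a Regular Expression or Regular Expression Group.
REGEX_CRITERIA = {"filename", "login-name", "peer-login-name", "version"}
PROTOCOLS = {"MSN Messenger": "im-msn", "Yahoo! Messenger": "im-yahoo"}
SERVICES = {"Chat": "chat", "Conference": "conference", "File Transfer": "file-transfer",
            "Games": "games", "Voice Chat": "voice-chat", "Webcam": "webcam"}
ACTIONS = {
    "Drop Connection": "drop-connection",
    "Drop Connection and Log": "drop-connection log",
    "Reset": "reset",
    "Reset and Log": "reset log",
    "Log": "log",
}


@dataclass
class Row:
    """One row of the Match Condition and Action table."""
    action: str                          # key of ACTIONS
    criterion: Optional[str] = None      # key of CRITERIA (Use Specified Values)
    value: str = ""                      # regex name, IP address, protocol or service label
    match_type: str = "Matches"          # "Matches" or "Doesn't Match"
    regex_group: bool = False            # True when value names a Regular Expression Group
    mask: str = "255.255.255.255"        # assumption: IP criteria take a host mask
    class_map: Optional[str] = None      # set for Use Values in Class Map rows


def render_match(row: Row) -> str:
    """Translate a Use Specified Values row into one `match [not] ...` line."""
    keyword = CRITERIA[row.criterion]
    negate = "not " if row.match_type == "Doesn't Match" else ""   # Type column
    if keyword in REGEX_CRITERIA:
        # Regular Expression -> named regex; Regular Expression Group -> regex class.
        operand = f"regex class {row.value}" if row.regex_group else f"regex {row.value}"
    elif keyword == "protocol":
        operand = PROTOCOLS[row.value]
    elif keyword == "service":
        operand = SERVICES[row.value]
    else:  # ip-address / peer-ip-address
        operand = f"{row.value} {row.mask}"
    return f"match {negate}{keyword} {operand}"


def render_im_map(name: str, rows: List[Row]) -> List[str]:
    """Emit a policy-map: each row is a match (or class) line followed by its action."""
    lines = [f"policy-map type inspect im {name}"]
    for row in rows:
        if row.class_map:
            lines.append(f" class {row.class_map}")
        elif row.criterion:
            lines.append(f" {render_match(row)}")
        else:
            raise ValueError("row needs either a criterion or a class map")
        lines.append(f"  {ACTIONS[row.action]}")
    return lines


if __name__ == "__main__":
    rows = [
        Row("Drop Connection and Log", "Filename", "blocked_exe"),
        Row("Reset and Log", "Client Login Name", "allowed_logins",
            match_type="Doesn't Match", regex_group=True),
        Row("Log", "Service", "File Transfer"),
        Row("Drop Connection", class_map="im_untrusted_peers"),
    ]
    print("\n".join(render_im_map("IM-POLICY", rows)))
```

The second row shows the point of the Type column: Doesn't Match on a regex group of permitted login names turns into `match not login-name regex class ...`, so every login that is not on the allow list is reset and logged. The regex objects and the IM class map the rows refer to must already exist on the device; the script only renders the policy map.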

IM Maps (IOS) Page


Use the IM Maps (IOS) page to define IM Maps for IOS devices. From this page,
you can add, edit, and delete objects, and edit policy override settings. You can
also generate usage reports of policies that use the object.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (IOS) from the
Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for IOS Devices, page 8-102

Field Reference
Table F-209    IM Maps (IOS) Page

Element          Description

Filter
    Filters the information displayed in the table. Click the arrow to
    display the filtering bar, which enables you to set filtering parameters.
    See Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a
    star indicate user-defined objects that may be modified. Icons without a
    star indicate predefined objects that cannot be modified. The icon is
    displayed after the object is defined.

Name
    Identifies the name of the object. Names can be sorted in ascending or
    descending order.

Details
    Identifies the protocols and services configured for Yahoo!, MSN, and
    AOL.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden by
    object values defined at device level. See Allowing a Global Object to Be
    Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point at the
    icon to display a tooltip with the text of the description. Descriptions
    help you identify a policy.
    Tip: Double-click the icon to display the text of the description in a
    popup window.

New Object button
    Enables you to create an object. See Creating IM Map Objects for IOS
    Devices, page 8-102.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you
    to edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule
    or nested within another object, you are prompted to modify or delete the
    reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Add and Edit IM Map (IOS) Dialog Boxes


Use the Add and Edit IM Map (IOS) dialog boxes to configure IM policies for
IOS devices.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (IOS) from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for IOS Devices, page 8-102

Field Reference
Table F-210    Add and Edit IM Map (IOS) Dialog Boxes

Element          Description

Name*
    Enables you to enter the name of the IM Map. A maximum of 40 characters
    is allowed.

Description
    Enables you to enter a description of the IM Map. A maximum of
    200 characters is allowed.

Yahoo! tab
    Enables you to configure services and inspection settings for Yahoo!.
    For a description of the GUI elements, see Table F-211.

MSN tab
    Enables you to configure services and inspection settings for MSN.
    For a description of the GUI elements, see Table F-212.

AOL tab
    Enables you to configure services and inspection settings for AOL.
    For a description of the GUI elements, see Table F-213.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit button
    to display the Policy Object Overrides page. From here you can create,
    edit, and view device-level overrides; however, you must first save the
    policy object before you define override settings. For a description of
    the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically
    set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map (IOS) > Yahoo! Tab


Select the Yahoo! tab to match Yahoo! Messenger instant messages.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (IOS) from the
Object Type selector. Right-click inside the work area, then select New Object,
or right-click a row, then select Edit Object.

Note

The Yahoo! tab opens by default the first time the dialog box is accessed.

Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for IOS Devices, page 8-102

Field Reference
Table F-211    Add and Edit IM Map (IOS) > Yahoo! Tab

Element          Description

Name*
    Enables you to enter the name of the IM Map. A maximum of 40 characters
    is allowed.

Description
    Enables you to enter a description of the IM Map. A maximum of
    200 characters is allowed.

Text Chat
    IOS software recognizes text chat as a separate function from other
    services. Supported actions for text chat are:
    - Allow
    - Deny
    - Log
    - Allow and Log
    - Deny and Log

Other Services
    IOS software recognizes all other services, such as voice chat, video
    chat, file sharing and transfer, and gaming, as a single group. They are
    not separate functions. Supported actions for other services are:
    - Allow
    - Deny
    - Log
    - Allow and Log
    - Deny and Log

Permit Servers
    Enables you to enter servers from which to permit traffic. Accepted
    formats are IP addresses, IP ranges, and hostnames separated by commas.

Deny Servers
    Enables you to enter servers from which to deny traffic. Accepted formats
    are IP addresses, IP ranges, and hostnames separated by commas.

Alert
    Enables you to set an alert value or obey global defaults already set.
    Options are:
    - Use Default Inspection Settings
    - Enable
    - Disable

Audit
    Enables you to set an audit trail value or obey global defaults already
    set. Options are:
    - Use Default Inspection Settings
    - Enable
    - Disable

Timeout
    Enables you to set a timeout value or obey global defaults already set.
    Options are:
    - Use Default Inspection Settings
    - Specify Timeout: When selected, you can enter a timeout value (in
      seconds) in the field provided.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit button
    to display the Policy Object Overrides page. From here you can create,
    edit, and view device-level overrides; however, you must first save the
    policy object before you define override settings. For a description of
    the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically
    set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map (IOS) > MSN Tab


Select the MSN tab to match MSN Messenger instant messages.
Navigation Path

Select Tools > Policy Object Manager, then select IM Maps (IOS) from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Click the MSN tab.
Related Topics

Understanding Inspection Map Objects, page 8-57

Understanding IM Map Objects, page 8-99

Creating IM Map Objects for IOS Devices, page 8-102


Field Reference
Table F-212    Add and Edit IM Map (IOS) > MSN Tab

Element          Description

Name*
    Enables you to enter the name of the IM Map. A maximum of 40 characters
    is allowed.

Description
    Enables you to enter a description of the IM Map. A maximum of
    200 characters is allowed.

Text Chat
    IOS software recognizes text chat as a separate function from other
    services. Supported actions for text chat are:
    - Allow
    - Deny
    - Log
    - Allow and Log
    - Deny and Log

Other Services
    IOS software recognizes all other services, such as voice chat, video
    chat, file sharing and transfer, and gaming, as a single group. They are
    not separate functions. Supported actions for other services are:
    - Allow
    - Deny
    - Log
    - Allow and Log
    - Deny and Log

Permit Servers
    Enables you to enter servers from which to permit traffic. Accepted
    formats are IP addresses, IP ranges, and hostnames separated by commas.

Deny Servers
    Enables you to enter servers from which to deny traffic. Accepted formats
    are IP addresses, IP ranges, and hostnames separated by commas.

Alert
    Enables you to set an alert value or obey global defaults already set.
    Options are:
    - Use Default Inspection Settings
    - Enable
    - Disable

Audit
    Enables you to set an audit trail value or obey global defaults already
    set. Options are:
    - Use Default Inspection Settings
    - Enable
    - Disable

Timeout
    Enables you to set a timeout value or obey global defaults already set.
    Options are:
    - Use Default Inspection Settings
    - Specify Timeout: When selected, you can enter a timeout value (in
      seconds) in the field provided.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit button
    to display the Policy Object Overrides page. From here you can create,
    edit, and view device-level overrides; however, you must first save the
    policy object before you define override settings. For a description of
    the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically
    set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit IM Map (IOS) > AOL Tab

Select the AOL tab to match AOL instant messages.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > IM Maps (IOS) from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. Click the AOL tab.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Understanding IM Map Objects, page 8-99
• Creating IM Map Objects for IOS Devices, page 8-102

Field Reference

Table F-213    Add and Edit IM Map (IOS) > AOL Tab

Element (1)                  Description

Name*
    Enables you to enter the name of the IM Map. A maximum of 40 characters is allowed.

Description
    Enables you to enter a description of the IM Map. A maximum of 200 characters is allowed.

Text Chat
    IOS software recognizes text chat as a separate function from other services. Supported actions for text chat are:
    • Allow
    • Deny
    • Log
    • Allow and Log
    • Deny and Log

Other Services
    IOS software recognizes all other services, such as voice-chat, video-chat, file sharing and transferring, and gaming, as a single group. They are not separate functions. Supported actions for other services are:
    • Allow
    • Deny
    • Log
    • Allow and Log
    • Deny and Log

Permit Servers
    Enables you to enter servers from which to permit traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Deny Servers
    Enables you to enter servers from which to deny traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Alert
    Enables you to set an alert value or obey global defaults already set. Options are:
    • Use Default Inspection Settings
    • Enable
    • Disable

Audit
    Enables you to set an audit trail value or obey global defaults already set. Options are:
    • Use Default Inspection Settings
    • Enable
    • Disable

Timeout
    Enables you to set a timeout value or obey global defaults already set. Options are:
    • Use Default Inspection Settings
    • Specify Timeout: When selected, you can enter a timeout value (in seconds) in the field provided.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be overridden.
    Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

SIP Maps Page

Use the SIP Maps page to define SIP maps for SIP inspection. From this page, you can add, edit, and delete objects, and edit policy override settings. You can also generate usage reports of policies that use the object.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Managing Existing Objects, page 8-9
• Guidelines for Managing Objects, page 8-4
• How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211
• Understanding the Policy Object Manager Window, page 8-5

Field Reference

Table F-214    SIP Maps Page

Element                      Description

Filter
    Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name
    Identifies the name of the object. Names can be sorted in ascending or descending order.

Parameters
    Identifies a constant whose values vary with the circumstances of its application.

Criterion
    Shows the criterion of the inspection, for example, Filename or Client IP address.

Type
    Shows whether the class map includes traffic that matches or does not match the criterion.

Value
    Shows the value to match in the inspection, for example, regular expression or regular expression group.

Action
    Shows what action to take based on the defined settings.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify a policy.
    Tip: Double-click the icon to display the text of the description in a popup window.

New Object button
    Enables you to create an object. See Creating SIP Map Objects, page 8-104.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you to edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Add and Edit SIP Map Dialog Boxes

Use the Add and Edit SIP Map dialog boxes to configure values used for SIP application inspection.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-215    Add and Edit SIP Map Dialog Box

Element (1)                  Description

Name*
    Enables you to enter the name of the SIP Map. A maximum of 40 characters is allowed.

Description
    Enables you to enter a description of the SIP Map. A maximum of 200 characters is allowed.

Parameters tab
    Identifies a constant whose values vary with the circumstances of its application. For a description of the GUI elements, see Table F-216.

Match Condition and Action tab
    Enables you to configure the action to take when certain conditions are matched. For a description of the GUI elements, see Table F-217.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be overridden.
    Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit SIP Map > Parameters Tab

Use the Parameters tab to define settings for the SIP Map object.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Note: The Parameters tab opens by default the first time the dialog box is accessed.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-216    Add and Edit SIP Map > Parameters Tab

Element                      Description

Name*
    Enables you to enter the name of the SIP Map. A maximum of 40 characters is allowed.

Description
    Enables you to enter a description of the SIP Map. A maximum of 200 characters is allowed.

Enable SIP Instant Messaging Extensions
    When selected, enables Instant Messaging extensions.

Permit Non-SIP Traffic on SIP Port
    When selected, permits non-SIP traffic on the SIP port.

Hide Servers and Endpoints IP Address
    When selected, enables IP address privacy.

Check RTP Packets for Protocol Conformance
    When selected, checks RTP/RTCP packets flowing on the pinholes for protocol conformance.

Limit Payload to Audio or Video based on the Signaling Exchange
    When selected, enforces the payload type to be audio/video based on the signaling exchange.

If Number of Hops to Destination is Greater Than 0
    When selected, enables a check for whether the value of the Max-Forwards header is zero. When detected, you can elect to:
    • Drop Packet
    • Drop Packet and Log
    • Drop Connection
    • Drop Connection and Reset
    • Reset and Log
    • Log

If State Transition is Detected
    When selected, enables SIP state checking. When detected, you can elect to:
    • Drop Packet
    • Drop Packet and Log
    • Drop Connection
    • Drop Connection and Reset
    • Reset and Log
    • Log

If Header Fields Fail Strict Validation
    When selected, enables validation of SIP header fields. When detected, you can elect to:
    • Drop Packet
    • Drop Packet and Log
    • Drop Connection
    • Drop Connection and Reset
    • Reset and Log
    • Log

Inspect Servers and Endpoints Software Version
    When selected, inspects the SIP endpoint software version in the User-Agent and Server headers. When detected, you can elect to:
    • Mask
    • Mask and Log
    • Log

If Non-SIP URI is Detected
    When selected, enables non-SIP URI inspection in Alert-Info and Call-Info headers. When detected, you can elect to:
    • Mask
    • Mask and Log
    • Log

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be overridden.
    Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Match Condition and Action Tab

Select the Match Condition and Action tab to configure the action to take when certain conditions are matched.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. Click the Match Condition and Action tab.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-217    Add and Edit SIP Map > Match Condition and Action Tab

Element                      Description

Name*
    Enables you to enter the name of the SIP Map. A maximum of 40 characters is allowed.

Description
    Enables you to enter a description of the SIP Map. A maximum of 200 characters is allowed.

Match All Table

    Type
        Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
        • Matches: Matches the criterion.
        • Doesn't Match: Does not match the criterion.

    Criterion
        Specifies which criterion of SIP traffic to match.
        • Called Party: Matches the called party as specified in the To header. For a description of the GUI elements, see Table F-218.
        • Calling Party: Matches the calling party as specified in the From header. For a description of the GUI elements, see Table F-219.
        • Content Length: Matches the Content Length header. For a description of the GUI elements, see Table F-220.
        • Content Type: Matches the Content Type header. For a description of the GUI elements, see Table F-221.
        • IM Subscriber: Matches the SIP IM subscriber. For a description of the GUI elements, see Table F-222.
        • Message Path: Matches the SIP Via header. For a description of the GUI elements, see Table F-223.
        • Third Party Registration: Matches the requester of a third-party registration. For a description of the GUI elements, see Table F-224.
        • URI Length: Matches a URI in the SIP headers. For a description of the GUI elements, see Table F-225.
        • Request Method: Matches a SIP request method. For a description of the GUI elements, see Table F-226.
        • Use Values in Class Map: See Table F-227.

    Value
        Shows the value to match in the inspection, for example, regular expression or regular expression group.
    Action
        Shows what action to take based on the defined settings.

New Object button
    Enables you to create an object. See Creating SIP Map Objects, page 8-104.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you to edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Category
    Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be overridden.
    Tip: When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides page. From here you can create, edit, and view device-level overrides; however, you must first save the policy object before you define override settings. For a description of the GUI elements, see Policy Object Overrides Window, page F-565.

Overrides: None
    Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Match Condition and Action > Use Specified Values > Called Party

Select Called Party to match the called party as specified in the To header.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit SIP Map dialog box appears based on your selection. Right-click inside the table, then click Add Row, or right-click a row, then select Edit Row. The Add or Edit Match Criterion dialog box appears based on your selection. Select Called Party as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-218    Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Called Party

Element                      Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Called Party as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    • Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    • Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    • Drop Packet
    • Drop Packet and Log
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Calling Party

Select Calling Party to match the calling party as specified in the From header.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit SIP Map dialog box appears based on your selection. Right-click inside the table, then click Add Row, or right-click a row, then select Edit Row. The Add or Edit Match Criterion dialog box appears based on your selection. Select Calling Party as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-219    Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Calling Party

Element                      Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Calling Party as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    • Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    • Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    • Drop Packet
    • Drop Packet and Log
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Content Length

Select Content Length to match the Content Length header.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit SIP Map dialog box appears based on your selection. Right-click inside the table, then click Add Row, or right-click a row, then select Edit Row. The Add or Edit Match Criterion dialog box appears based on your selection. Select Content Length as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-220    Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Content Length

Element                      Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Content Length as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Greater Than Length
    Enables you to enter a header length value in bytes. Values are 0 to 65536.

Action
    Shows what action to take based on the defined settings.
    • Drop Packet
    • Drop Packet and Log
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.
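The following Python script is an added example and is not part of the Cisco user guide or of Security Manager: it shows how the Matches / Doesn't Match semantics of Table F-217, the Called Party, Calling Party and Content Length criteria above (with the 0 to 65536 byte bound on Greater Than Length), and the Parameters-tab check that flags a Max-Forwards value of zero behave when applied to one SIP message. The SIP request, the rule set (EXAMPLE_RULES), the helper names, and the rules that an absent header never satisfies a value and that any drop or reset action blocks the message are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample SIP request for this example (not taken from the guide).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "Max-Forwards: 0\r\n"
    "From: <sip:alice@example.org>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 70000\r\n"
    "\r\n"
)

# Header that each Match Condition criterion inspects, as listed in Table F-217.
CRITERION_HEADER = {"Called Party": "to", "Calling Party": "from",
                    "Message Path": "via", "Content Type": "content-type",
                    "Content Length": "content-length"}
# RFC 3261 compact header names, expanded so a rule sees one spelling.
COMPACT = {"t": "to", "f": "from", "v": "via", "c": "content-type", "l": "content-length"}
# Assumption for this example: any drop or reset action blocks the message; Log alone does not.
BLOCKING_ACTIONS = {"Drop Packet", "Drop Packet and Log", "Drop Connection",
                    "Drop Connection and Log", "Reset", "Reset and Log"}


def parse_sip_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values for one SIP message; the request line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return headers


@dataclass
class MatchRule:
    """One row of the Match Condition and Action table."""
    criterion: str
    action: str
    matches: bool = True                 # False models the "Doesn't Match" type
    regex: Optional[str] = None          # Regular Expression value
    greater_than: Optional[int] = None   # Content Length: Greater Than Length, in bytes

    def __post_init__(self) -> None:
        if self.criterion not in CRITERION_HEADER:
            raise ValueError(f"unsupported criterion {self.criterion!r}")
        if self.criterion == "Content Length":
            if self.greater_than is None or not 0 <= self.greater_than <= 65536:
                raise ValueError("Greater Than Length must be 0 to 65536 bytes")
        elif self.regex is None:
            raise ValueError("a regular expression value is required")


def condition_holds(rule: MatchRule, headers: Dict[str, str]) -> bool:
    """True when the inspected header satisfies the rule value, before the Type is applied."""
    value = headers.get(CRITERION_HEADER[rule.criterion])
    if value is None:
        return False                      # assumption: an absent header never satisfies a value
    if rule.criterion == "Content Length":
        return value.isdigit() and int(value) > rule.greater_than
    return re.search(rule.regex, value) is not None


def rule_hits(rule: MatchRule, headers: Dict[str, str]) -> bool:
    """Matches selects traffic whose header holds the value; Doesn't Match selects traffic that lacks it."""
    return condition_holds(rule, headers) == rule.matches


def evaluate(rules: List[MatchRule], raw: str, max_forwards_action: Optional[str] = "Drop Packet and Log"
             ) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (blocked, [(reason, action), ...]) for one SIP message."""
    headers = parse_sip_headers(raw)
    fired: List[Tuple[str, str]] = []
    # Parameters tab: "If Number of Hops to Destination is Greater Than 0" flags a Max-Forwards of zero.
    if max_forwards_action and headers.get("max-forwards") == "0":
        fired.append(("Max-Forwards is zero", max_forwards_action))
    for rule in rules:
        if rule_hits(rule, headers):
            fired.append((rule.criterion, rule.action))
    blocked = any(action in BLOCKING_ACTIONS for _, action in fired)
    return blocked, fired


# Constructed rule set: a Matches rule, a Doesn't Match rule, a Content Length rule, and one that should not fire.
EXAMPLE_RULES = [
    MatchRule("Called Party", "Drop Packet and Log", regex=r"bob@example\.com"),
    MatchRule("Calling Party", "Log", matches=False, regex=r"example\.com"),
    MatchRule("Content Length", "Drop Connection", greater_than=65536),
    MatchRule("Message Path", "Reset", regex=r"10\.0\.0\."),
]

if __name__ == "__main__":
    blocked, fired = evaluate(EXAMPLE_RULES, SAMPLE_INVITE)
    print("blocked" if blocked else "allowed", fired)
```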

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Content Type

Select Content Type to match the Content Type header.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit SIP Map dialog box appears based on your selection. Right-click inside the table, then click Add Row, or right-click a row, then select Edit Row. The Add or Edit Match Criterion dialog box appears based on your selection. Select Content Type as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-221    Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Content Type

Element                      Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Content Type as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Content Type
    Specifies to match a SIP content header type.
    • SDP: Matches an SDP SIP content header type.
    • Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    • Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Action
    Shows what action to take based on the defined settings.
    • Drop Packet
    • Drop Packet and Log
    • Drop Connection
    • Drop Connection and Log
    • Reset
    • Reset and Log
    • Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > IM Subscriber

Select IM Subscriber to match the SIP IM subscriber.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > SIP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit SIP Map dialog box appears based on your selection. Right-click inside the table, then click Add Row, or right-click a row, then select Edit Row. The Add or Edit Match Criterion dialog box appears based on your selection. Select IM Subscriber as your criterion.

Related Topics

• Understanding Inspection Map Objects, page 8-57
• Creating SIP Map Objects, page 8-104

Field Reference

Table F-222    Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > IM Subscriber

Element                      Description

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows IM Subscriber as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string example.com, then any traffic that contains example.com is excluded from the class map.
    • Matches: Matches the criterion.
    • Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    • Regular Expression: Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection. You can configure Regular Expressions for use in pattern matching. Regular expressions that start with default are default regular expressions and cannot be modified or deleted.
    • Regular Expression Group: Lists the defined regular expression classes to match. Enter the regular expression class in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.


Action
    Shows what action to take based on the defined settings. Options are:
    Drop Packet
    Drop Packet and Log
    Drop Connection
    Drop Connection and Log
    Reset
    Reset and Log
    Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Message Path
Select Message Path to match the SIP Via header.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > SIP Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit SIP Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Message Path as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Map Objects, page 8-104


Field Reference

Table F-223  Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Message Path

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Message Path as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: Matches the criterion.
    Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    Regular Expression: Lists the defined regular expressions to match. Enter the
    information in the field provided or click Select, which opens a list of
    available regular expressions from which to make your selection. You can
    configure Regular Expressions for use in pattern matching. Regular expressions
    that start with default are default regular expressions and cannot be modified
    or deleted.
    Regular Expression Group: Lists the defined regular expression classes to
    match. Enter the regular expression class in the field provided or click
    Select, which opens a list of available regular expressions from which to make
    your selection.


Action
    Shows what action to take based on the defined settings. Options are:
    Drop Packet
    Drop Packet and Log
    Drop Connection
    Drop Connection and Log
    Reset
    Reset and Log
    Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Third Party Registration
Select Third Party Registration to match the requester of a third-party registration.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > SIP Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit SIP Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Third Party Registration as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Map Objects, page 8-104


Field Reference

Table F-224  Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Third Party Registration

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows Third Party Registration as the selected criterion of SIP traffic to
    match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: Matches the criterion.
    Doesn't Match: Does not match the criterion.

Value
    Shows the value to match in the SIP class map.
    Regular Expression: Lists the defined regular expressions to match. Enter the
    information in the field provided or click Select, which opens a list of
    available regular expressions from which to make your selection. You can
    configure Regular Expressions for use in pattern matching. Regular expressions
    that start with default are default regular expressions and cannot be modified
    or deleted.
    Regular Expression Group: Lists the defined regular expression classes to
    match. Enter the regular expression class in the field provided or click
    Select, which opens a list of available regular expressions from which to make
    your selection.


Action
    Shows what action to take based on the defined settings. Options are:
    Drop Packet
    Drop Packet and Log
    Drop Connection
    Drop Connection and Log
    Reset
    Reset and Log
    Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > URI Length
Select URI Length to match a URI in the SIP headers.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > SIP Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit SIP Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select URI Length as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Map Objects, page 8-104


Field Reference

Table F-225  Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > URI Length

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows URI Length as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: Matches the criterion.
    Doesn't Match: Does not match the criterion.

URI Type
    Specifies whether to match a SIP URI or a TEL URI.

Greater Than Length
    Specifies the length in bytes. Values are 0–65536.

Action
    Shows what action to take based on the defined settings. Options are:
    Drop Packet
    Drop Packet and Log
    Drop Connection
    Drop Connection and Log
    Reset
    Reset and Log
    Log

OK button
    Saves your changes to the server and closes the dialog box.
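The Type row (Matches / Doesn't Match) and the URI Length row above describe how a SIP match condition is evaluated before the configured action is taken. The following Python is an added illustration of that evaluation and is not code from Cisco Security Manager or the ASA: it applies a regular-expression criterion and a URI Length criterion (URI Type plus Greater Than Length) to constructed SIP requests and returns the action of the first condition that applies. The header it inspects for the regular expression, the class and function names, and the sample messages are assumptions made for the example.

```python
"""Evaluate SIP inspection match conditions as described in the field reference.

Added illustration, not Cisco Security Manager or ASA code. It models the
Matches / Doesn't Match inversion, a regular-expression criterion on a header
value, and the URI Length criterion (URI Type plus Greater Than Length). The
header names inspected and all sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The action choices offered by the dialog box.
ACTIONS = ("Drop Packet", "Drop Packet and Log", "Drop Connection",
           "Drop Connection and Log", "Reset", "Reset and Log", "Log")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return {lower-case header name: value} for a SIP request; the start line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:                      # the empty line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def uri_length(raw: str, uri_type: str) -> int:
    """Byte length of the first URI of the requested scheme found in the headers (0 if none)."""
    scheme = "sip:" if uri_type == "SIP" else "tel:"
    for value in parse_headers(raw).values():
        m = re.search(r"<([^>]+)>", value)   # To/From/Contact carry the URI in angle brackets
        candidate = m.group(1) if m else value
        if candidate.lower().startswith(scheme):
            return len(candidate.encode())
    return 0


def apply_type(hit: bool, match_type: str) -> bool:
    """'Matches' selects traffic that satisfies the criterion; 'Doesn't Match' selects the rest."""
    if match_type not in ("Matches", "Doesn't Match"):
        raise ValueError(f"unknown Type {match_type!r}")
    return hit if match_type == "Matches" else not hit


@dataclass
class RegexCriterion:
    header: str        # header whose value is inspected (constructed choice, e.g. "from")
    pattern: str       # value of the Regular Expression object
    match_type: str    # "Matches" or "Doesn't Match"
    action: str

    def applies(self, raw: str) -> bool:
        value = parse_headers(raw).get(self.header, "")
        return apply_type(re.search(self.pattern, value) is not None, self.match_type)


@dataclass
class UriLengthCriterion:
    uri_type: str      # "SIP" or "TEL"
    greater_than: int  # Greater Than Length, 0-65536
    match_type: str
    action: str

    def applies(self, raw: str) -> bool:
        if not 0 <= self.greater_than <= 65536:
            raise ValueError("Greater Than Length must be 0-65536")
        return apply_type(uri_length(raw, self.uri_type) > self.greater_than, self.match_type)


def evaluate(raw: str, criteria: List) -> Optional[str]:
    """Return the action of the first criterion that applies; None means the request passes."""
    for c in criteria:
        if c.action not in ACTIONS:
            raise ValueError(f"unknown action {c.action!r}")
        if c.applies(raw):
            return c.action
    return None


# Constructed sample requests (not captured traffic).
INVITE_OK = ("INVITE sip:bob@example.com SIP/2.0\r\n"
             "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
             "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
             "To: Bob <sip:bob@example.com>\r\n"
             "Content-Length: 0\r\n\r\n")
INVITE_LONG_URI = INVITE_OK.replace("<sip:alice@example.com>",
                                    "<sip:" + "a" * 100 + "@example.com>")
INVITE_FOREIGN = INVITE_OK.replace("<sip:alice@example.com>", "<sip:eve@other.test>")

POLICY = [
    # Doesn't Match on example.com: requests whose From contains example.com are excluded
    RegexCriterion("from", r"example\.com", "Doesn't Match", "Drop Connection and Log"),
    # a SIP URI longer than 64 bytes in any header
    UriLengthCriterion("SIP", 64, "Matches", "Drop Packet and Log"),
]

if __name__ == "__main__":
    for name, msg in (("ok", INVITE_OK), ("long", INVITE_LONG_URI), ("foreign", INVITE_FOREIGN)):
        print(name, "->", evaluate(msg, POLICY))
```

The inversion in apply_type is the point the example.com sentence makes: with Doesn't Match, the request that contains the string is the one left out of the class map, and the action falls on everything else.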


Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Method
Select Request Method to match a SIP request method.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > SIP Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit SIP Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Request Method as your criterion.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Map Objects, page 8-104

Field Reference

Table F-226  Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Specified Values > Request Method

Match Type
    Shows Use Specified Values as the selected match type.

Criterion
    Shows URI Length as the selected criterion of SIP traffic to match.

Type
    Specifies whether the class map includes traffic that matches or does not
    match the criterion. For example, if Doesn't Match is selected on the string
    example.com, then any traffic that contains example.com is excluded from the
    class map.
    Matches: Matches the criterion.
    Doesn't Match: Does not match the criterion.


Resource Method
    Specifies a request method:
    ack: Confirms that the client has received a final response to an INVITE
    request.
    bye: Terminates a call and can be sent by either the caller or the callee.
    cancel: Cancels any pending searches but does not terminate a call that has
    already been accepted.
    info: Communicates mid-session signaling information along the signaling path
    for the call.
    invite: Indicates a user or service is being invited to participate in a call
    session.
    message: Sends instant messages where each message is independent of any
    other message.
    notify: Notifies a SIP node that an event which has been requested by an
    earlier SUBSCRIBE method has occurred.
    options: Queries the capabilities of servers.
    prack: Provisional response acknowledgement.
    refer: Requests that the recipient REFER to a resource provided in the
    request.
    register: Registers the address listed in the To header field with a SIP
    server.
    subscribe: Requests notification of an event or set of events at a later
    time.
    unknown: Uses a nonstandard extension that could have unknown security
    impacts on the network.
    update: Permits a client to update parameters of a session but has no impact
    on the state of a dialog.


Action
    Shows what action to take based on the defined settings. Options are:
    Drop Packet
    Drop Packet and Log
    Drop Connection
    Drop Connection and Log
    Reset
    Reset and Log
    Log

OK button
    Saves your changes to the server and closes the dialog box.

Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Values in Class Map
Select Use Values in Class Map to match a SIP query using a SIP class map.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Policy Maps > SIP Maps from the Object Type selector. Right-click inside the
work area, then select New Object or right-click a row, then select Edit Object.
The Add or Edit SIP Map dialog box appears based on your selection. Right-click
inside the table, then click Add Row or right-click a row, then select Edit Row.
The Add or Edit Match Criterion dialog box appears based on your selection.
Select Use Values in Class Map as your Match Type.
Related Topics

Understanding Inspection Map Objects, page 8-57

Creating SIP Map Objects, page 8-104


Field Reference

Table F-227  Add and Edit SIP Map > Add and Edit Match Condition and Action > Use Values in Class Map

Match Type
    Shows Use Values in Class Map as the selected match type.

Class Map*
    Enables you to enter the SIP Class Map or click Select, which opens the SIP
    Class Map Selector from which to make your selection.

Action
    Shows what action to take based on the defined settings. Options are:
    Drop Packet
    Drop Packet and Log
    Drop Connection
    Drop Connection and Log
    Reset
    Reset and Log
    Log

OK button
    Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Regular Expression Groups Page


Use the Regular Expression Groups page to view configured regular expression
groups. From this page, you can add, edit, and delete objects, and edit policy
override settings. You can also generate usage reports of policies that use the
object.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Regular Expressions Groups from the Object Type selector.


Related Topics

Creating Regular Expression Group Objects, page 8-107

Creating Regular Expression Objects, page 8-109

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference

Table F-228  Regular Expression Groups Page

Filter
    Filters the information displayed in the table. Click the arrow to display
    the filtering bar, which enables you to set filtering parameters. See
    Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a star
    indicate predefined objects that cannot be modified. The icon is displayed
    after the object is defined.

Name
    Identifies the name of the object. Names can be sorted in ascending or
    descending order.

Match Regular Expressions
    Identifies the regular expressions to match.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden by object
    values defined at device level. See Allowing a Global Object to Be
    Overridden, page 8-198.


Description
    Displays an icon if a description is defined for the object. Point at the
    icon to display a tooltip with the text of the description. Descriptions
    help you identify a policy.
    Tip: Double-click the icon to display the text of the description in a popup
    window.

Create Object button
    Enables you to create an object. See Creating Regular Expression Group
    Objects, page 8-107.

Edit Object button
    Opens the appropriate object page for the selected object, enabling you to
    edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or
    nested within another object, you are prompted to modify or delete the
    reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Add and Edit Regular Expression Group Dialog Boxes


Use the Add and Edit Regular Expression Groups dialog boxes to define regular
expression groups.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Regular Expressions Groups from the Object Type selector. Right-click inside
the work area, then select New Object or right-click a row, then select
Edit Object.
Related Topics

Creating Regular Expression Objects, page 8-109

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4


Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference

Table F-229  Add and Edit Regular Expression Class Map Dialog Boxes

Name*
    Enables you to enter a name of the Regular Expression Class Map. A maximum
    of 40 characters is allowed.

Description
    Enables you to enter a description of the Regular Expression Class Map. A
    maximum of 200 characters is allowed.

Regular Expressions
    Enables you to enter the defined regular expressions to match. You can
    configure Regular Expressions for use in pattern matching. Enter the
    information in the field provided or click Select, which opens a list of
    defined regular expressions from which to make your selection.
    Regular expressions that start with default are default regular expressions
    and cannot be modified or deleted.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit button to
    display the Policy Object Overrides page. From here you can create, edit,
    and view device-level overrides; however, you must first save the policy
    object before you define override settings. For a description of the GUI
    elements, see Policy Object Overrides Window, page F-565.


Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set
    overrides.

OK button
    Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.

Regular Expressions Page


Use the Regular Expressions page to define regular expressions. From this page,
you can add, edit, and delete objects, and edit policy override settings. You can
also generate usage reports of policies that use the object.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps >
Regular Expressions from the Object Type selector.
Related Topics

Creating Regular Expression Group Objects, page 8-107

Creating Regular Expression Objects, page 8-109

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211


Field Reference

Table F-230  Regular Expressions Page

Filter
    Filters the information displayed in the table. Click the arrow to display
    the filtering bar, which enables you to set filtering parameters. See
    Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a star
    indicate predefined objects that cannot be modified. The icon is displayed
    after the object is defined.

Name
    Identifies the name of the object. Names can be sorted in ascending or
    descending order.

Value
    Displays system-generated predefined objects. System-generated objects
    cannot be edited or overridden.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Overridable
    Indicates whether the global object definition can be overridden by object
    values defined at device level. See Allowing a Global Object to Be
    Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point at the
    icon to display a tooltip with the text of the description. Descriptions
    help you identify a policy.
    Tip: Double-click the icon to display the text of the description in a popup
    window.

Create Object button
    Enables you to create an object. See Creating Regular Expression Objects,
    page 8-109.


Edit Object button
    Opens the appropriate object page for the selected object, enabling you to
    edit object settings. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or
    nested within another object, you are prompted to modify or delete the
    reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Add and Edit Regular Expression Dialog Boxes


Use the Add and Edit Regular Expression dialog boxes to define regular
expressions.
Navigation Path

Select Tools > Policy Object Manager, then select Regular Expressions from
the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object.
Related Topics

Creating Regular Expression Group Objects, page 8-107

Creating Regular Expression Objects, page 8-109

Metacharacters Used to Build Regular Expressions, page 8-111

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211


Field Reference

Table F-231  Add and Edit Regular Expression Dialog Boxes

Name*
    Enables you to enter a name of the Regular Expression. A maximum of
    40 characters is allowed.

Description
    Enables you to enter a description of the Regular Expression. A maximum of
    200 characters is allowed.

Value*
    Enables you to enter the regular expression, up to 100 characters in length.
    See Table 8-5 for the metacharacters used to build regular expressions.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition to be changed at the
    device level. See Allowing a Global Object to Be Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing an object that can be overridden, click the Edit button to
    display the Policy Object Overrides page. From here you can create, edit,
    and view device-level overrides; however, you must first save the policy
    object before you define override settings. For a description of the GUI
    elements, see Table F-316.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not automatically set
    overrides.

OK button
    Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.


TCP Maps Page


Use the TCP Maps page to customize inspection on TCP flows on PIX 7.x and
ASA devices. From this page, you can add, edit, and delete objects, and edit
policy override settings. You can also generate usage reports of policies that use
the object.
After a configuration is generated for the device, the tcp-map command is shown.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > TCP Maps
from the Object Type selector.
Related Topics

Understanding Inspection Map Objects, page 8-57

Managing Existing Objects, page 8-9

Guidelines for Managing Objects, page 8-4

Understanding the Policy Object Manager Window, page 8-5

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 8-211

Field Reference

Table F-232  TCP Map Page

Filter
    Filters the information displayed in the table. Click the arrow to display
    the filtering bar, which enables you to set filtering parameters. See
    Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a star
    indicate predefined objects that cannot be modified. The icon is displayed
    after the object is defined.

Name
    Identifies the name of the object. Names can be sorted in ascending or
    descending order.

TCP Option Ranges
    Identifies lower- and upper-bound ranges and methods for handling reserved
    bits.


Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Displays an icon if a description is defined for the object. Point at the
    icon to display a tooltip with the text of the description. Descriptions
    help you identify a policy.
    Tip: Double-click the icon to display the text of the description in a popup
    window.

New Object button
    Enables you to create an object. See Creating TCP Map Objects, page 8-113.

Edit Object button
    Enables you to edit the selected object. See Editing Objects, page 8-10.

Delete Object button
    Enables you to delete a selected object. If the object is used in a rule or
    nested within another object, you are prompted to modify or delete the
    reference before the deletion can occur. See Deleting Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be deleted.

Add and Edit TCP Map Dialog Boxes


Use the Add and Edit TCP Map dialog boxes to define a TCP map for customizing
inspection on TCP flows on PIX 7.x and ASA 7.x devices.

Note

The same dialog box is used for adding and editing TCP Map objects.
Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > TCP Maps
from the Object Type selector. Right-click inside the work area, then select
New Object or right-click a row, then select Edit Object.


Related Topics

Understanding Inspection Map Objects, page 8-57

Creating TCP Map Objects, page 8-113

Field Reference

Table F-233  Add and Edit TCP Map Dialog Boxes

Name*
    Enables you to enter the name of the TCP Map. A maximum of 128 characters
    is allowed. Object names are not case sensitive. The first character of the
    name must be a letter. The remaining characters can be letters and numbers.
    Spaces are permitted, as are the following special characters: hyphens (-),
    underscores (_), periods (.), and plus signs (+).

Description
    Enables you to enter a description of the TCP Map. A maximum of
    1024 characters is allowed.

Queue Limit
    When selected, configures the maximum number of out-of-order packets that
    can be queued for a TCP connection.
    Note: Queue limit is supported only on ASA devices.

Verify TCP Checksum
    When selected, enables checksum verification.

Drop SYN Packets with Data
    When selected, drops SYN packets with data.

Drop Connection on Window Variation
    When selected, drops a connection that changes its window size unexpectedly.

Drop Packets that Exceed Maximum Segment Size
    When selected, drops packets that exceed the maximum segment size (MSS) set
    by a peer.

Check if Transmitted Data is the Same as Original
    When selected, enables the retransmit data checks.

Clear Urgent Flag
    When selected, clears the URG pointer through the TCP normalizer (security
    appliance).

Clear Selective Ack
    When selected, clears the selective acknowledgement mechanism (SACK) option.

Clear TCP Timestamp
    When selected, clears the timestamp option, which disables PAWS and RTT.


Clear Window Scale
    When selected, clears the window scale mechanism.

Enable TTL Evasion Protection
    When selected, enables the TTL evasion protection offered by the TCP
    normalizer.

Reserved Bits
    Clear and Allow: Clears the TCP options through the TCP normalizer and
    allows the packet.
    Allow only: Allows the TCP options through the TCP normalizer.
    Drop: Drops the packet.

TCP Options Range
    Lower: Identifies the lower bound of the range (6–7) and (9–255).
    Upper: Identifies the upper bound of the range (6–7) and (9–255).
    Action: Enables you to select the method for handling reserved bits. Options
    are Allow, Clear, and Drop.
    Add button: Adds an IP address to the column.
    Remove button: Removes an IP address from the column.

Category
    Provides an intermediate level of detail to objects and helps you readily
    identify rules and objects by use of color-coding. See Understanding
    Category Objects, page 8-48.
    Note: No commands are generated for the color attribute.

OK button
    Saves your changes to the server and closes the dialog box.

An asterisk (*) indicates that the field is required.
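Table F-233 lists the normalizer settings a TCP map carries: per-option clearing (timestamp, selective ack, window scale), an Allow/Clear/Drop choice for the reserved bits, and Allow/Clear/Drop for option kinds in the 6–7 and 9–255 ranges. The following Python is an added model of that handling and is not Security Manager or ASA code: it parses the options area of a TCP header and applies such a policy to a constructed SYN segment. How "clear" is realised (overwriting the option with NOP bytes so the header length is unchanged), which header bits are treated as reserved, the grouping of option kinds 4 and 5 under Selective Ack, and the policy dictionary are assumptions made for the example; option kind numbers follow the IANA TCP option registry.

```python
"""Model of the TCP-map option and reserved-bit handling listed in Table F-233.

Added illustration, not Security Manager or ASA code. It parses the options area
of a TCP header and applies a per-option policy: "allow" passes the option,
"clear" overwrites it with NOP (kind 1) bytes so the header length is unchanged
(an assumption about how clearing is realised), and "drop" rejects the segment.
The low nibble of header byte 12 is treated as the reserved bits, kinds 4 and 5
are both treated as the Selective Ack option, and the policy table and sample
header are constructed; these are assumptions for the example.
"""
import struct
from typing import Dict, List, Tuple

EOL, NOP, MSS, WINDOW_SCALE, SACK_PERMITTED, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
NAMED = {WINDOW_SCALE: "window_scale", TIMESTAMP: "timestamp",
         SACK_PERMITTED: "selective_ack", SACK: "selective_ack"}


class DropSegment(Exception):
    """Raised when the policy, or a malformed header, says the segment must be dropped."""


def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Split the options area into (kind, raw bytes) entries; EOL swallows the padding."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            out.append((EOL, opts[i:]))
            break
        if kind == NOP:
            out.append((NOP, opts[i:i + 1]))
            i += 1
            continue
        # every other option is kind, length, data; reject truncated or bogus lengths
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise DropSegment("truncated or malformed option at offset %d" % i)
        length = opts[i + 1]
        out.append((kind, opts[i:i + length]))
        i += length
    return out


def action_for(kind: int, policy: Dict) -> str:
    """Named options use their own setting; other kinds fall back to the configured ranges."""
    if kind in NAMED:
        return policy.get(NAMED[kind], "allow")
    for lower, upper, act in policy.get("ranges", []):
        if not (6 <= lower <= upper <= 7 or 9 <= lower <= upper <= 255):
            raise ValueError("a TCP options range must lie within 6-7 or 9-255")
        if lower <= kind <= upper:
            return act
    return "allow"


def normalize_options(opts: bytes, policy: Dict) -> bytes:
    out = bytearray()
    for kind, raw in parse_options(opts):
        if kind in (EOL, NOP, MSS):      # padding and MSS are carried through unchanged
            out += raw
            continue
        act = action_for(kind, policy)
        if act == "drop":
            raise DropSegment("option kind %d not permitted" % kind)
        out += bytes([NOP]) * len(raw) if act == "clear" else raw
    return bytes(out)


def normalize_header(header: bytes, policy: Dict) -> bytes:
    """Apply reserved-bits handling to the fixed header, then option handling to the options."""
    if len(header) < 20:
        raise DropSegment("header shorter than 20 bytes")
    data_offset = header[12] >> 4
    if data_offset < 5 or data_offset * 4 > len(header):
        raise DropSegment("data offset inconsistent with header length")
    fixed = bytearray(header[:20])
    if fixed[12] & 0x0F:                 # reserved bits between Data Offset and the flags
        act = policy.get("reserved_bits", "allow")
        if act == "drop":
            raise DropSegment("reserved bits set")
        if act == "clear":
            fixed[12] &= 0xF0
    return bytes(fixed) + normalize_options(header[20:data_offset * 4], policy)


def segment_allowed(header: bytes, policy: Dict) -> bool:
    """True if the segment survives normalization, False if the policy drops it."""
    try:
        normalize_header(header, policy)
        return True
    except DropSegment:
        return False


# Constructed SYN: MSS 1460, SACK permitted, timestamp, NOP, window scale 7 (20 option bytes),
# with one reserved bit set in header byte 12.
SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10, 0, 0, 0, 1, 0, 0, 0, 0, 1, 3, 3, 7])
SYN_RESERVED = struct.pack("!HHIIBBHHH", 40000, 5060, 1, 0, (10 << 4) | 0x04, 0x02,
                           65535, 0, 0) + SYN_OPTIONS
# Policy in the shape of a TCP map: clear timestamps and reserved bits, drop unassigned kinds.
POLICY = {"timestamp": "clear", "selective_ack": "allow", "window_scale": "allow",
          "reserved_bits": "clear", "ranges": [(6, 7, "drop"), (9, 255, "drop")]}

if __name__ == "__main__":
    print(normalize_header(SYN_RESERVED, POLICY).hex())
```

Clearing rather than dropping keeps the handshake alive while removing the option's effect, which is why the timestamp row notes that clearing disables PAWS and RTT measurement for the flow; the range rule with "drop" is the stricter choice for option kinds the policy does not recognise.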

Interface Roles Page

Use the Interface Roles page to view, create, edit, and delete interface role objects.
Interface role objects allow you to apply policies to specific interfaces on multiple
devices without having to manually define the names of each interface.

Navigation Path

Open the Policy Object Manager Window, page F-3, then select Interface Roles
from the Object Type selector.

Related Topics

- Understanding Interface Role Objects, page 8-115
- Policy Object Overrides Window, page F-565
- Policy Object Manager Window, page F-3
- Policy Object Manager Window - Shortcut Menu, page F-9
- Policy Object Manager User Interface Reference, page F-1
- Object Usage Window, page F-563

Field Reference

Table F-234  Interface Roles Page

Filter
    Click the arrow to display the filtering bar, which enables you to
    filter the information displayed in the table. See Filtering Tables,
    page 3-24.

[Icon]
    The icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a
    star indicate predefined objects that cannot be modified.

Name
    The name of the object.

Interface Name Patterns
    One or more naming patterns used to identify the interfaces that are
    assigned the interface role. Two wildcards are available:
    - Use a period (.) to represent a single character.
    - Use an asterisk (*) at the end of a pattern to represent multiple
      interfaces with similar names. (An asterisk can also be used on
      its own to indicate all interfaces.)
    Note: When the pattern defines a subinterface, enter a backslash
    (\) before the period. Otherwise, Security Manager treats the
    period as a wildcard.
    Note: If the pattern does not include a wildcard, it must match the
    exact name of the interface. For example, the pattern
    FastEthernet will not match FastEthernet0/1 unless you
    include an asterisk at the end of the pattern.

Category
    The category that is assigned to the object. See Understanding
    Category Objects, page 8-48.

Overridable
    Indicates whether the global object definition can be overridden by
    object values defined at device level. See Allowing a Global Object
    to Be Overridden, page 8-198.
    Note: By default, all interface roles can be overridden.

Description
    Displays an icon if a description is defined for the object. Point at
    the icon to display a tooltip with the text of the description.
    Tip: Double-click the icon to display the text of the description
    in a popup window.

New Object button
    Opens the Interface Role Dialog Box, page F-419. From here you
    can create an interface role object.

Edit Object button
    Opens the Interface Role Dialog Box, page F-419. From here you
    can edit the selected interface role object.
    Note: You cannot edit predefined objects.

Delete Object button
    Deletes the selected interface roles from the table.
    Note: You cannot delete an object that is referenced by policies or
    other objects.

Interface Role Dialog Box

Use the Interface Role dialog box to create, copy, or edit an interface role object.

Navigation Path

Go to the Interface Roles Page, page F-416 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.

Related Topics

- Creating Interface Role Objects, page 8-116
- Exceptional Cases When Using Interface Roles, page 8-119
- Specifying Interfaces During Policy Definition, page 8-118
- Understanding Interface Role Objects, page 8-115
- Policy Object Manager Window, page F-3
- Create Router Interface Dialog Box, page K-20

Field Reference

Table F-235  Interface Role Dialog Box

Name
    The object name (up to 128 characters). Object names are not
    case-sensitive. For more information, see Guidelines for Managing
    Objects, page 8-4.

Description
    Additional information about the object (up to 1024 characters).

Interface Name Patterns
    The name, or partial name, of the interfaces (including subinterfaces
    and other virtual interfaces) to which the interface role should
    apply. Two wildcards are available:
    - Use a period (.) as a wildcard for a single character.
    - Use an asterisk (*) as a wildcard for one or more characters at
      the end of the interface pattern. For example, FastEthernet*
      would include interfaces named FastEthernet0 and
      FastEthernet1.
    Separate multiple patterns with commas.
    Note: To use a period as part of the pattern itself (for example,
    when defining subinterfaces), enter a backslash (\) before
    the period.

Category
    The category assigned to the object. Categories help you organize
    and identify rules and objects. See Categories Page, page F-87.

Allow Value Override per Device
    When selected, allows the global object definition defined here to
    be changed at the device level. See Allowing a Global Object to Be
    Overridden, page 8-198. This is the default for interface roles.
    When deselected, does not allow the global object definition to be
    overridden.

OK button
    Saves your changes to the server and closes the dialog box.
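The Interface Name Patterns descriptions in Table F-234 and Table F-235 define a small matching language (period for one character, trailing asterisk for one or more, backslash to make a period literal, otherwise an exact match). The following is an added example, not Security Manager code, that implements those rules in Python so you can see which interfaces of a device a role would select before a policy is applied through it; the interface inventory is constructed.

```python
import re
from typing import List


def pattern_to_regex(pattern: str) -> re.Pattern:
    r"""Compile one interface name pattern into an anchored regular expression.

    Rules taken from the Interface Name Patterns field:
      '.'   matches exactly one character
      '\.'  is a literal period (needed for subinterfaces such as Gi0/1.100)
      '*'   is only meaningful at the end of the pattern, where it matches
            one or more characters; a pattern of just '*' matches everything
      a pattern with no wildcard must match the whole interface name
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and pattern[i + 1:i + 2] == ".":
            parts.append(r"\.")        # escaped period: literal dot
            i += 2
            continue
        if ch == ".":
            parts.append(".")          # single-character wildcard
        elif ch == "*":
            if i != len(pattern) - 1:
                raise ValueError(f"{pattern!r}: '*' is only allowed at the end")
            parts.append(".+")         # one or more trailing characters
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def is_valid_pattern(pattern: str) -> bool:
    """True when the pattern compiles under the rules above."""
    try:
        pattern_to_regex(pattern)
    except ValueError:
        return False
    return True


def parse_patterns(field: str) -> List[re.Pattern]:
    """Split the comma-separated field value and compile each pattern."""
    return [pattern_to_regex(p.strip()) for p in field.split(",") if p.strip()]


def interfaces_in_role(field: str, interface_names: List[str]) -> List[str]:
    """Return the device interfaces, in inventory order, that the role covers."""
    regexes = parse_patterns(field)
    return [name for name in interface_names if any(r.match(name) for r in regexes)]


# Constructed interface inventory for one device (not taken from the page).
SAMPLE_INTERFACES = [
    "FastEthernet0", "FastEthernet1", "FastEthernet0/1",
    "GigabitEthernet0/1", "GigabitEthernet0/1.100", "GigabitEthernet0/1x100",
    "Loopback0", "Serial0/0/0",
]

if __name__ == "__main__":
    # The unescaped period in the fourth field also matches "...1x100":
    # this is the pitfall the Note about subinterfaces warns about.
    for field in ("FastEthernet", "FastEthernet*", "FastEthernet.",
                  "GigabitEthernet0/1.100", r"GigabitEthernet0/1\.100", "*"):
        print(f"{field:28} -> {interfaces_in_role(field, SAMPLE_INTERFACES)}")
```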

Interface Name Conflict Dialog Box

When defining a policy requiring an interface, you might enter a name that
corresponds to both an interface role and an actual interface on the device. In such
cases, use the Interface Name Conflict dialog box to choose between the interface
and the interface role.

Note: The Interface Name Conflict dialog box is displayed automatically when you
attempt to save a policy containing an interface definition with a naming
conflict. For more information about the exact circumstances that lead to this
conflict, see Exceptional Cases When Using Interface Roles, page 8-119.

Related Topics

- Interface Roles Page, page F-416
- Understanding Interface Role Objects, page 8-115
- Basic Interface Settings on Cisco IOS Routers, page 14-21

Field Reference

Table F-236  Interface Name Conflict Dialog Box

Name
    The names in your policy definition that correspond to both
    interfaces and interface roles.

Interface
    Selects the interface over the interface role.

Interface Role
    Selects the interface role over the interface.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost
    when you log out or close your client, click Save on the
    source page.

IPsec Transform Sets Page

Use the IPsec Transform Sets page to view, create, edit, or delete IPsec transform
set objects. IPsec transform set objects contain an acceptable combination of
security protocols, algorithms, and other settings to apply to IPsec-protected
traffic in a remote access or site-to-site VPN.

Navigation Path

Open the Policy Object Manager Window, page F-3, then select IPsec Transform
Sets from the Object Type selector.

Related Topics

- Understanding IPsec Transform Set Objects, page 8-120
- Configuring IPsec Proposals, page 9-77
- IPsec Proposal Page, page G-45
- Policy Object Manager Window, page F-3
- Policy Object Manager Window - Shortcut Menu, page F-9
- Policy Object Manager User Interface Reference, page F-1
- Object Usage Window, page F-563

Field Reference

Table F-237  IPsec Transform Sets Page

Filter
    Click the arrow to display the filtering bar, which enables you to
    filter the information displayed in the table. See Filtering Tables,
    page 3-24.

[Icon]
    The icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a
    star indicate predefined objects that cannot be modified.

Name
    The name of the object.

Mode
    The mode in which IPsec operates: Tunnel Mode (default) or
    Transport Mode.

ESP Encryption
    The ESP encryption algorithm used in the transform set.

ESP Hash
    The ESP hash algorithm used for authentication in the transform set.

AH Hash
    The Authentication Header hash algorithm used for authentication
    in the transform set.

Compression
    Indicates whether or not compression is enabled for this transform
    set.

Category
    The category that is assigned to the object. See Categories Page,
    page F-87.

Description
    Displays an icon if a description is defined for the object. Point at
    the icon to display a tooltip with the text of the description.
    Tip: Double-click the icon to display the text of the description
    in a popup window.

New Object button
    Opens the IPsec Transform Set Dialog Box, page F-424. From here
    you can create an IPsec transform set object.

Edit Object button
    Opens the IPsec Transform Set Dialog Box, page F-424. From here
    you can edit the selected IPsec transform set object.
    Note: You cannot edit predefined objects.

Delete Object button
    Deletes the selected IPsec transform set objects from the table.
    Note: You cannot delete an object that is referenced by policies or
    other objects.

IPsec Transform Set Dialog Box

Use the IPsec Transform Set dialog box to create, copy, and edit IPsec transform
set objects.

Navigation Path

Go to the IPsec Transform Sets Page, page F-422 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.

Related Topics

- Creating IPsec Transform Set Objects, page 8-122
- IPsec Protocols, page 8-121
- IPsec Modes, page 8-122
- Understanding IPsec Transform Set Objects, page 8-120
- Policy Object Manager Window, page F-3
- IKE Proposal Dialog Box, page F-93

Field Reference

Table F-238  IPsec Transform Set Dialog Box

Name
    The object name (up to 128 characters). Object names are not
    case-sensitive. For more information, see Guidelines for Managing
    Objects, page 8-4.

Description
    Additional information about the object (up to 1024 characters).

Mode
    The mode in which IPsec operates. You can use the AH and ESP
    protocols to protect an entire IP payload (Tunnel mode) or just the
    upper-layer protocols of an IP payload (Transport mode). Options
    are:
    - Tunnel: Tunnel mode encapsulates the entire IP packet. This is
      the default.
    - Transport: Transport mode encapsulates only the upper-layer
      protocols of an IP packet.

ESP Encryption
    The Encapsulating Security Protocol (ESP) encryption algorithm
    that the transform set should use. Options are:
    - [null]: Does not use ESP encryption.
    - DES: Encrypts according to the Data Encryption Standard
      using 56-bit keys.
    - 3DES: Encrypts three times using 56-bit keys. 3DES is more
      secure than DES, but requires more processing for encryption
      and decryption. A 3DES license is required to use this option.
    - AES-128: Encrypts according to the Advanced Encryption
      Standard using 128-bit keys.
    - AES-192: Encrypts according to the Advanced Encryption
      Standard using 192-bit keys.
    - AES-256: Encrypts according to the Advanced Encryption
      Standard using 256-bit keys.
    - ESP-Null: A null encryption algorithm. Transform sets
      defined with ESP-Null provide authentication without
      encryption; it is typically used for testing purposes only.

ESP Hash Algorithm
    The ESP hash algorithm used in the transform set for authentication.
    Options are:
    - None: Does not perform ESP authentication.
    - SHA (Secure Hash Algorithm): Produces a 160-bit digest.
      SHA is more resistant to brute-force attacks than MD5.
    - MD5 (Message Digest 5): Produces a 128-bit digest. MD5
      uses less processing time than SHA.
    Note: We recommend using both encryption and authentication on
    IPsec tunnels.

AH Hash Algorithm
    The Authentication Header hash algorithm used in the transform
    set. Options are:
    - None: Does not perform AH authentication.
    - SHA (Secure Hash Algorithm): Produces a 160-bit digest.
      SHA is more resistant to brute-force attacks than MD5.
    - MD5 (Message Digest 5): Produces a 128-bit digest. MD5
      uses less processing time than SHA.

Compression (IOS Only)
    Applies only to Cisco IOS routers.
    When selected, compresses the data in the IPsec tunnel using the
    Lempel-Ziv-Stac (LZS) algorithm.
    When deselected, data in the IPsec tunnel is not compressed.

Category
    The category assigned to the object. Categories help you organize
    and identify rules and objects. See Categories Page, page F-87.

OK button
    Saves your changes to the server and closes the dialog box.
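As an added example that is not part of Security Manager, the following Python reviews transform set objects against the statements Table F-238 makes about the options: null encryption is for testing, the Note recommends both encryption and authentication, DES is weaker than 3DES, MD5 is less brute-force resistant than SHA, and LZS compression applies to Cisco IOS routers only. The `ios_device` flag and the sample objects are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Option names exactly as they appear in the IPsec Transform Set dialog box.
ESP_ENCRYPTION = ("[null]", "DES", "3DES", "AES-128", "AES-192", "AES-256", "ESP-Null")
HASH_ALGORITHMS = ("None", "SHA", "MD5")
MODES = ("Tunnel", "Transport")


@dataclass(frozen=True)
class TransformSet:
    """One transform set object as entered in the dialog box."""
    name: str
    mode: str = "Tunnel"             # dialog default
    esp_encryption: str = "[null]"
    esp_hash: str = "None"
    ah_hash: str = "None"
    compression: bool = False        # LZS; Cisco IOS routers only
    ios_device: bool = True          # constructed flag: is the target an IOS router?


def review_transform_set(ts: TransformSet) -> List[str]:
    """Return findings for a transform set, applying the statements in the
    dialog box reference. An empty list means nothing to report."""
    findings: List[str] = []
    if ts.mode not in MODES:
        findings.append(f"unknown mode {ts.mode!r}")
    if ts.esp_encryption not in ESP_ENCRYPTION:
        findings.append(f"unknown ESP encryption {ts.esp_encryption!r}")
    for label, value in (("ESP hash", ts.esp_hash), ("AH hash", ts.ah_hash)):
        if value not in HASH_ALGORITHMS:
            findings.append(f"unknown {label} {value!r}")
    if findings:
        return findings              # do not reason about values the dialog cannot produce

    encrypts = ts.esp_encryption not in ("[null]", "ESP-Null")
    authenticates = ts.esp_hash != "None" or ts.ah_hash != "None"
    # Note in Table F-238: use both encryption and authentication on IPsec tunnels.
    if not encrypts:
        findings.append("no confidentiality: ESP encryption is [null] or ESP-Null "
                        "(ESP-Null is typically used for testing only)")
    if not authenticates:
        findings.append("no authentication: neither ESP hash nor AH hash is set")
    if ts.esp_encryption == "DES":
        findings.append("DES uses 56-bit keys; 3DES is more secure than DES")
    if "MD5" in (ts.esp_hash, ts.ah_hash):
        findings.append("MD5 is less resistant to brute-force attacks than SHA")
    if ts.compression and not ts.ios_device:
        findings.append("LZS compression applies only to Cisco IOS routers")
    return findings


def review_all(sets: List[TransformSet]) -> Dict[str, List[str]]:
    """Map each object name to its findings; objects without findings are omitted."""
    report: Dict[str, List[str]] = {}
    for ts in sets:
        findings = review_transform_set(ts)
        if findings:
            report[ts.name] = findings
    return report


# Constructed sample objects (not from the page).
SAMPLE_SETS = [
    TransformSet("ts-aes256-sha", esp_encryption="AES-256", esp_hash="SHA"),
    TransformSet("ts-espnull-md5", esp_encryption="ESP-Null", esp_hash="MD5"),
    TransformSet("ts-des-noauth", esp_encryption="DES"),
    TransformSet("ts-aes128-sha-lzs-asa", esp_encryption="AES-128", esp_hash="SHA",
                 compression=True, ios_device=False),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_SETS).items():
        print(name)
        for f in findings:
            print("  -", f)
```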

LDAP Attribute Maps Page

Use the LDAP (Lightweight Directory Access Protocol) Attribute Maps page to
view attribute maps for mapping custom (user-defined) attribute names to Cisco
LDAP attribute names. From this page, you can add, edit, and delete objects, and
edit policy override settings. You can also generate usage reports of policies that
use the object.

Navigation Path

Select Tools > Policy Object Manager, then select LDAP Attribute Map from
the Object Type selector.

Related Topics

- Understanding LDAP Attribute Map Objects, page 8-124
- Creating LDAP Attribute Map Objects, page 8-125

Field Reference

Table F-239  LDAP Attribute Map Page

Filter
    Filters the information displayed in the table. Click the arrow to
    display the filtering bar, which enables you to set filtering
    parameters. See Filtering Tables, page 3-24.

[Icon]
    Displays the icon that represents the object type. Icons marked with
    a star indicate user-defined objects that may be modified. Icons
    without a star indicate predefined objects that cannot be modified.

Name
    Shows the name of the object.

Attribute Map Name
    Shows the user-identified name of the attribute map.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding. See
    Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Displays an icon if a description is defined for the object. Point at
    the icon to display a tooltip with the text of the description.
    Descriptions help you identify a policy.
    Tip: Double-click the icon to display the text of the description
    in a popup window.

New Object
    Enables you to create an object. See Creating LDAP Attribute Map
    Objects, page 8-125.

Edit Object
    Enables you to edit the selected object. See Editing Objects,
    page 8-10.

Delete Object
    Enables you to delete a selected object. If the object is used in a rule
    or nested within another object, you are prompted to modify or
    delete the reference before the deletion can occur. See Deleting
    Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Add and Edit LDAP Attribute Map Dialog Boxes

Use the Add and Edit LDAP Attribute Map dialog boxes to populate the attribute
map with name mappings that translate Cisco attribute names to custom,
user-defined attribute names.

Navigation Path

Select Tools > Policy Object Manager, then select LDAP Attribute Map from
the Object Type selector. Right-click inside the table, then select New Object, or
right-click a row, then select Edit Object.

Related Topics

- Understanding LDAP Attribute Map Objects, page 8-124
- Creating LDAP Attribute Map Objects, page 8-125

Field Reference

Table F-240  Add and Edit LDAP Attribute Map Dialog Boxes (1)

Name*
    Enables you to enter the name of the LDAP Attribute Map. A
    maximum of 40 characters is allowed.

Description
    Enables you to enter a description of the LDAP Attribute Map. A
    maximum of 200 characters is allowed.

Custom Map Name
    Enables you to enter an attribute name that maps to an attribute
    name selected from the Cisco Map Name list.

Cisco Map Name
    Lists Cisco attribute names that will map to the user-defined name
    in the Custom Map Name field.

Custom to Cisco Map Value
    Displays the mapping of a custom value to a Cisco value for a custom
    attribute.

New Object
    Enables you to create an object. See Creating LDAP Attribute Map
    Objects, page 8-125.

Edit Object
    Enables you to edit the selected object. See Editing Objects,
    page 8-10.

Delete Object
    Enables you to delete a selected object. If the object is used in a rule
    or nested within another object, you are prompted to modify or
    delete the reference before the deletion can occur. See Deleting
    Objects, page 8-11.
    Note: An object used in a rule or within another object cannot be
    deleted.

Category
    Provides an intermediate level of detail to objects and helps you
    readily identify rules and objects by use of color-coding. See
    Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Allow Value Override per Device
    When selected, allows the global object definition defined here to
    be changed at the device level. See Allowing a Global Object to Be
    Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.

Overrides: None
    Shows that no overrides exist on the device. You must manually set
    overrides in order to change the display. For more information, see
    Overriding Global Objects for Individual Devices, page 8-197.
    Note: Selecting Allow Value Override per Device does not
    automatically set overrides.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value

Use the Add and Edit LDAP Attribute Map Value dialog boxes to populate the
attribute map with value mappings that apply custom, user-defined attribute
values to the custom attribute name and to the matching Cisco attribute name and
value.

Navigation Path

Select Tools > Policy Object Manager, then select LDAP Attribute Map from
the Object Type selector. Right-click inside the work area, then select
New Object, or right-click a row, then select Edit Object. The Add or Edit LDAP
Attribute Map dialog box appears based on your selection. Right-click inside the
table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

- Understanding LDAP Attribute Map Objects, page 8-124
- Creating LDAP Attribute Map Objects, page 8-125

Field Reference

Table F-241  Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value (1)

Custom Map Name*
    Specifies the custom, user-defined attribute name that maps to an
    attribute name selected from the Cisco Name drop-down list.

Cisco Map Name
    Specifies the Cisco attribute name you want to map to the
    user-defined name in the Custom Map Name field.

Custom to Cisco Map Value
    Displays the mapping of a custom value to a Cisco value for a custom
    attribute.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value > Add and Edit Map Value

Use the Add and Edit Map Value dialog boxes to enter the custom map value and
the Cisco map value that together map a custom attribute value to a Cisco attribute
value.

Navigation Path

Select Tools > Policy Object Manager, then select LDAP Attribute Map from
the Object Type selector. Right-click inside the work area, then select
New Object, or right-click a row, then select Edit Object. The Add or Edit LDAP
Attribute Map dialog box appears based on your selection. Right-click inside the
table, then select Add Row, or right-click a row, then select Edit Row. The Add
or Edit LDAP Attribute Map Value dialog box appears based on your selection.
Right-click inside the table, then select Add Row, or right-click a row, then select
Edit Row.

Related Topics

- Understanding LDAP Attribute Map Objects, page 8-124
- Creating LDAP Attribute Map Objects, page 8-125

Field Reference

Table F-242  Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value > Add and Edit Map Value (1)

Custom Map Value*
    Enables you to enter the custom map value that maps to a Cisco Map
    Value.

Cisco Map Value
    Enables you to enter the Cisco map value that maps to the Custom
    Map Value.

OK button
    Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
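Putting the three LDAP attribute map dialog levels together, this added Python example (not Security Manager code) models an attribute map with its name mappings and value mappings, applies it to a directory entry, and reports values that would reach the device without a value mapping, which is what a reviewer wants to see before an unexpected directory group selects a policy. The directory attribute `memberOf`, the Cisco attribute name `IETF-Radius-Class`, the DNs and the group-policy values are assumed sample values, and the 40/200-character limits are those given in Table F-240.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LdapAttributeMap:
    """An LDAP Attribute Map object with the two mapping levels of the dialogs:
    name mappings (Custom Map Name -> Cisco Map Name) and, per custom name,
    value mappings (Custom Map Value -> Cisco Map Value)."""
    name: str
    description: str = ""
    name_map: Dict[str, str] = field(default_factory=dict)
    value_map: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Limits stated in Table F-240: Name is required (max 40), Description max 200.
        if not self.name or len(self.name) > 40:
            raise ValueError("Name is required and limited to 40 characters")
        if len(self.description) > 200:
            raise ValueError("Description is limited to 200 characters")

    def map_name(self, custom_name: str, cisco_name: str) -> None:
        self.name_map[custom_name] = cisco_name

    def map_value(self, custom_name: str, custom_value: str, cisco_value: str) -> None:
        # A value mapping only makes sense under an existing name mapping.
        if custom_name not in self.name_map:
            raise KeyError(f"no name mapping for {custom_name!r}")
        self.value_map[(custom_name, custom_value)] = cisco_value


def check_limits(name: str, description: str = "") -> bool:
    """True when Name and Description respect the dialog box limits."""
    try:
        LdapAttributeMap(name, description)
    except ValueError:
        return False
    return True


def apply_map(amap: LdapAttributeMap, entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Translate a directory entry (attribute -> values) into Cisco attribute
    names and values. Attributes without a name mapping are dropped; values
    without a value mapping pass through unchanged."""
    out: Dict[str, List[str]] = {}
    for attr, values in entry.items():
        cisco_name = amap.name_map.get(attr)
        if cisco_name is None:
            continue
        out.setdefault(cisco_name, []).extend(
            amap.value_map.get((attr, v), v) for v in values)
    return out


def unmapped_values(amap: LdapAttributeMap, entry: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(attribute, value) pairs that reach the device verbatim because no value
    mapping exists for them; review these before relying on the map."""
    return [(attr, v) for attr, values in entry.items() if attr in amap.name_map
            for v in values if (attr, v) not in amap.value_map]


def sample_map() -> LdapAttributeMap:
    # Constructed example: "IETF-Radius-Class" is assumed to be the Cisco attribute
    # chosen from the Cisco Map Name list; the DNs and GP-* values are made up.
    amap = LdapAttributeMap("AD-to-GroupPolicy", "maps AD groups to group policies")
    amap.map_name("memberOf", "IETF-Radius-Class")
    amap.map_value("memberOf", "CN=VPN-Admins,OU=Groups,DC=example,DC=com", "GP-ADMINS")
    amap.map_value("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com", "GP-USERS")
    return amap


# Constructed directory entry for one user (not from the page).
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com",
                 "CN=Contractors,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    amap = sample_map()
    print("device sees:", apply_map(amap, SAMPLE_ENTRY))
    print("unmapped   :", unmapped_values(amap, SAMPLE_ENTRY))
```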

Networks/Hosts Page

Use the Networks/Hosts page to view, create, edit, or delete IPv4 network/host
objects. A network/host object is a named collection of networks, hosts, and/or
network groups.

Navigation Path

Open the Policy Object Manager Window, page F-3, then select Networks/Hosts
from the Object Type selector.

Related Topics

- Understanding Network/Host Objects, page 8-127
- Supported IP Address Formats, page 8-128
- Specifying IP Addresses During Policy Definition, page 8-135
- Policy Object Overrides Window, page F-565
- Policy Object Manager Window, page F-3
- Policy Object Manager Window - Shortcut Menu, page F-9
- Policy Object Manager User Interface Reference, page F-1
- Object Usage Window, page F-563

Field Reference

Table F-243  Networks/Hosts Page

Filter
    Click the arrow to display the filtering bar, which enables you to
    filter the information displayed in the table. See Filtering Tables,
    page 3-24.

[Icon]
    The icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a
    star indicate predefined objects that cannot be modified.

Name
    The name of the object.

Content
    The addresses and network/host objects contained in the selected
    object.

Category
    The category that is assigned to the object. See Understanding
    Category Objects, page 8-48.

Overridable
    Indicates whether the global object definition can be overridden by
    object values defined at device level. See Allowing a Global Object
    to Be Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point at
    the icon to display a tooltip with the text of the description.
    Tip: Double-click the icon to display the text of the description
    in a popup window.

New Object button
    Opens the Network/Host Dialog Box, page F-433. From here you
    can create a network/host object.

Edit Object button
    Opens the Network/Host Dialog Box, page F-433. From here you
    can edit the selected network/host object.
    Note: You cannot edit predefined objects.

Delete Object button
    Deletes the selected network/host objects from the table.
    Note: You cannot delete an object that is referenced by policies or
    other objects.

Network/Host Dialog Box

Use the Network/Host dialog box to create, edit, and copy network/host objects.

Navigation Path

Go to the Networks/Hosts Page, page F-431 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.

Related Topics

- Creating Network/Host Objects, page 8-131
- Understanding Network/Host Objects, page 8-127
- Specifying IP Addresses During Policy Definition, page 8-135
- Policy Object Manager Window, page F-3

Field Reference

Table F-244  Network/Host Dialog Box

Name
    The object name (up to 128 characters). Object names are not
    case-sensitive. For more information, see Guidelines for Managing
    Objects, page 8-4.
    Note: Network/host names must begin with a letter.

Description
    Additional information about the object (up to 1024 characters).

Networks/Hosts
    The networks and/or hosts that comprise the object. Enter the
    addresses (including net masks) and/or address ranges to include in
    the object, or click Select to display an object selector. Use a hyphen (-)
    to separate the first and last IP address in an address range.
    Tip: Click the Edit button in the selector to modify the properties
    of a selected network/host object.
    For more information, see Supported IP Address Formats,
    page 8-128.
    Note: Make sure a slash (/) separates the network IP address and mask.
    If you do not specify a network mask for an IP address, an
    error message is displayed. Host masks (/32) are not
    required.
    Note: You can leave this field blank when creating an object that
    will be overridden on all devices that use the object. See
    Using Unspecified Network/Host Objects, page 8-134.

Category
    The category assigned to the object. Categories help you organize
    and identify rules and objects. See Categories Page, page F-87.

Allow Value Override per Device
    When selected, allows the global object definition defined here to
    be changed at the device level. See Allowing a Global Object to Be
    Overridden, page 8-198.
    When deselected, does not allow the global object definition to be
    overridden.
    Tip: When editing a network/host object that can be overridden,
    click the Edit button to display the Policy Object Overrides
    Window, page F-565. From here you can create, edit, and
    view device-level overrides.
    Note: You must select this check box when creating a null value
    network/host object. See Using Unspecified Network/Host
    Objects, page 8-134.

OK button
    Saves your changes to the server and closes the dialog box.
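The following added Python example (not Security Manager code) parses Networks/Hosts entries under the rules stated in Table F-244 (slash-separated mask, optional /32 for hosts, hyphen-separated ranges, names beginning with a letter for nested objects), expands nested objects while refusing reference cycles, and answers whether an address falls inside an object. The object names and addresses are constructed; the entry formats are limited to those this table describes, so anything Supported IP Address Formats, page 8-128, adds is outside this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class IPv4Range:
    """An inclusive address range, written first-last in the dialog box."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last


Member = Union[ipaddress.IPv4Network, IPv4Range]
Objects = Dict[str, List[str]]   # object name -> entries of its Networks/Hosts field


def parse_entry(text: str, objects: Objects) -> Union[Member, str]:
    """Parse one entry of the Networks/Hosts field.

    Rules applied (from Table F-244):
      name             another network/host object; names begin with a letter
      a.b.c.d/nn       network; the host bits must be zero
      a.b.c.d          host; the /32 mask is optional
      a.b.c.d-e.f.g.h  inclusive range, separated by a hyphen
      a.b.c.d m.m.m.m  rejected: a / must separate address and mask
    """
    text = text.strip()
    if not text:
        raise ValueError("empty entry")
    if text[0].isalpha():
        if text not in objects:
            raise ValueError(f"{text!r}: unknown network/host object")
        return text
    if " " in text:
        raise ValueError(f"{text!r}: a / must separate the network address and mask")
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError(f"{text!r}: range end precedes range start")
        return IPv4Range(lo, hi)
    if "/" in text:
        return ipaddress.IPv4Network(text, strict=True)   # rejects host bits set
    return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(text)}/32")


def expand(name: str, objects: Objects, path: Tuple[str, ...] = ()) -> List[Member]:
    """Flatten an object and the objects nested in it; refuse reference cycles."""
    if name in path:
        raise ValueError("reference cycle: " + " -> ".join(path + (name,)))
    members: List[Member] = []
    for entry in objects[name]:
        parsed = parse_entry(entry, objects)
        if isinstance(parsed, str):
            members.extend(expand(parsed, objects, path + (name,)))
        else:
            members.append(parsed)
    return members


def contains(name: str, objects: Objects, ip: str) -> bool:
    """Would a rule that uses this object match traffic with this address?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in m for m in expand(name, objects))


def is_rejected(entry: str, objects: Objects = None) -> bool:
    """True when the entry would produce an error in the dialog box."""
    try:
        parse_entry(entry, objects or {})
    except ValueError:
        return True
    return False


def expansion_error(name: str, objects: Objects) -> str:
    """The error expand() raises for this object, or '' when it expands cleanly."""
    try:
        expand(name, objects)
    except ValueError as exc:
        return str(exc)
    return ""


# Constructed objects (not from the page), including a deliberate reference cycle.
SAMPLE_OBJECTS: Objects = {
    "Corp-Servers": ["10.1.10.0/24", "10.1.20.5", "DMZ-Hosts"],
    "DMZ-Hosts": ["192.0.2.10-192.0.2.20", "192.0.2.100/32"],
    "Loop-A": ["Loop-B"],
    "Loop-B": ["Loop-A"],
}

if __name__ == "__main__":
    print(expand("Corp-Servers", SAMPLE_OBJECTS))
    print(contains("Corp-Servers", SAMPLE_OBJECTS, "192.0.2.15"))
    print(expansion_error("Loop-A", SAMPLE_OBJECTS))
```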

PKI Enrollments Page

Use the PKI Enrollments page to view, create, edit, copy, and delete Public-Key
Infrastructure (PKI) enrollment objects. A PKI enrollment object represents an
external certification authority (CA) server that responds to certificate requests
from devices in the network.

Navigation Path

Open the Policy Object Manager Window, page F-3, then select PKI
Enrollments from the Object Type selector.

Related Topics

- Understanding PKI Enrollment Objects, page 8-136
- Configuring Public Key Infrastructure Policies, page 9-92
- Public Key Infrastructure Page, page G-63
- Policy Object Overrides Window, page F-565
- Policy Object Manager Window, page F-3
- Policy Object Manager Window - Shortcut Menu, page F-9
- Policy Object Manager User Interface Reference, page F-1
- Object Usage Window, page F-563

Field Reference

Table F-245  PKI Enrollments Page

Filter
    Click the arrow to display the filtering bar, which enables you to
    filter the information displayed in the table. See Filtering Tables,
    page 3-24.

[Icon]
    The icon that represents the object type. Icons marked with a star
    indicate user-defined objects that may be modified. Icons without a
    star indicate predefined objects that cannot be modified.

Name
    The name of the object.

CA Name
    The name of the certification authority (CA) server used for
    enrollment.

URL
    The URL of the CA server (or the TFTP server, in cases of indirect
    access) used for enrollment.

Certificate
    The text of the CA server's certificate, if available.

CRL Support
    The method used by this CA server for handling Certificate
    Revocation Lists (CRLs).

LDAP Server
    The URL of the LDAP server from which the CRL is downloaded.

OCSP Server
    The URL of the OCSP server that checks the revocation status of
    certificates.

Category
    The category that is assigned to the object. See Categories Page,
    page F-87.

Overridable
    Indicates whether the global object definition can be overridden by
    object values defined at device level. See Allowing a Global Object
    to Be Overridden, page 8-198.

Description
    Displays an icon if a description is defined for the object. Point at
    the icon to display a tooltip with the text of the description.
    Tip: Double-click the icon to display the text of the description
    in a popup window.

New Object button
    Opens the PKI Enrollment Dialog Box, page F-437. From here you
    can create a PKI enrollment object.

Edit Object button
    Opens the PKI Enrollment Dialog Box, page F-437. From here you
    can edit the selected PKI enrollment object.
    Note: You cannot edit predefined objects.

Delete Object button
    Deletes the selected PKI enrollment objects from the table.
    Note: You cannot delete an object that is referenced by policies or
    other objects.

User Guide for Cisco Security Manager 3.1

F-436

OL-11501-03

Appendix F

Policy Object Manager User Interface Reference


PKI Enrollments Page

PKI Enrollment Dialog Box

Use the PKI Enrollment dialog box to create, copy, or edit a PKI enrollment
object.

Navigation Path

Go to the PKI Enrollments Page, page F-435 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.

Related Topics

Creating PKI Enrollment Objects, page 8-138
Understanding PKI Enrollment Objects, page 8-136
Policy Object Manager Window, page F-3

Field Reference

Table F-246 PKI Enrollment Dialog Box

Element / Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).

CA Information tab

Use this tab to enter settings related to the CA server, its certificate,
and its level of revocation checking support. See PKI Enrollment
Dialog Box - CA Information Tab, page F-438.

Enrollment Parameters tab

Use this tab to enter settings related to PKI enrollment. See PKI
Enrollment Dialog Box - Enrollment Parameters Tab, page F-442.

Certificate Subject Name tab

Use this tab to enter optional information to be included in the
certificate, including subject attributes. See PKI Enrollment Dialog
Box - Certificate Subject Name Tab, page F-445.

Trusted CA Hierarchy tab

Use this tab to define trusted CA servers that are arranged in a
hierarchical framework. See PKI Enrollment Dialog Box - Trusted
CA Hierarchy Tab, page F-447.

Category

The category assigned to the object. Categories help you organize
and identify rules and objects. See Categories Page, page F-87.

Allow Value Override per Device

When selected, allows the global object definition defined here to
be changed at the device level. See Allowing a Global Object to Be
Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.

Tip
When editing a PKI enrollment object that can be overridden, click
the Edit button to display the Policy Object Overrides Window,
page F-565. From here you can create, edit, and view device-level
overrides.

OK button

Saves your changes to the server and closes the dialog box.

PKI Enrollment Dialog Box - CA Information Tab

Use the CA Information tab of the PKI Enrollment Dialog Box, page F-437 to:

- Define the name and location of the external CA server.
- Manually paste the certificate, if known.
- Define the server's level of support for revocation checking.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-437, then click the CA
Information tab.

Related Topics

Understanding PKI Enrollment Objects, page 8-136
PKI Enrollment Dialog Box - Enrollment Parameters Tab, page F-442
PKI Enrollment Dialog Box - Certificate Subject Name Tab, page F-445
PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab, page F-447
PKI Enrollments Page, page F-435


Field Reference

Table F-247 PKI Enrollment Dialog Box - CA Information Tab

Element / Description

CA Server Nickname

The name used to identify the CA server in the certificate request.

Note
If you leave this field blank, the domain name is used. You
must leave this field blank for Verisign CAs.

Note
You cannot configure two CA servers with the same name
and different URLs on the same device. For additional
restrictions, see Naming the CA Server, page 8-140.

Enrollment URL

The URL of the CA server to which devices should attempt to
enroll. The URL can be in the following formats:

- SCEP: Uses an HTTP URL in the form of http://CA_name:port,
  where CA_name is the host DNS name or IP address of the CA
  server. The port number is mandatory.
- TFTP: Uses the format tftp://certserver/file_specification.
  Use this option when you do not have direct access to the CA
  server. The TFTP server transfers certificate requests and
  certificates.

Other supported formats include: bootflash, cns, flash, ftp, null,
nvram, rcp, scp, system.

Note
If the CA cgi-bin script location is not the default
/cgi-bin/pkiclient.exe at the CA, you must also include the
nonstandard script location in the URL, in the form of
http://CA_name:port/script_location, where
script_location is the full path to the CA scripts.

Retrieve CA Certificate Using SCEP

When selected (the default), retrieves the CA's certificate from the
CA server using the Simple Certificate Enrollment Protocol (SCEP).
When this option is selected, you must enter the fingerprint.


Fingerprint

Applies only when you use SCEP to retrieve the CA's certificate.
The fingerprint used to authenticate the certificate of the CA server.
You must enter this fingerprint (in hexadecimal) when using SCEP
to retrieve the CA's certificate. If the value you enter does not match
the fingerprint on the certificate, the certificate is rejected.
Using the fingerprint to verify the authenticity of the CA's
certificate helps prevent an unauthorized party from substituting a
fake certificate in place of the real one.

Note
You can obtain the CA's fingerprint by contacting the server
directly, or by entering the following address in a web
browser: http://URLHostName/certsrv/mscep/mscep.dll

Enter Manually

Manually copies the CA server's certificates from another device.
Copy up to three certificates from another device and paste them
into the CA Certificate Source field using your browser's Paste
function or the Ctrl-V keyboard shortcut. Each certificate must
begin with the word certificate and end with the word quit.


Revocation Check Support

The type of certificate revocation checking to be performed:

- Checking Not Performed: This is the default. The device does
  not perform any revocation checking, even if a CRL is on the
  device.
- CRL Check Required: The device must check a CRL. If no
  CRL exists on the device and the device cannot obtain one,
  certificates are rejected and a tunnel cannot be established. This
  is the default.
- OCSP Check Required: The device must check revocation
  status from an OCSP server. If this check fails, certificates are
  rejected.
- CRL Check Attempted: The device tries to download the latest
  CRL from the specified LDAP server. If the download fails,
  however, certificates are accepted.
- OCSP Check Attempted: The device tries to check revocation
  status from an OCSP server. If this fails, however, certificates
  are accepted.
- CRL or OCSP Check Required: The device first checks for a
  CRL. If a CRL does not exist or cannot be obtained, the device
  tries to check revocation status from an OCSP server. If both
  options fail, certificates are rejected.
- OCSP or CRL Check Required: The device first tries to check
  revocation status from an OCSP server. If this fails, the device
  checks for a CRL. If both options fail, certificates are rejected.
- CRL and OCSP Checks Attempted: The device first checks for
  a CRL. If a CRL does not exist or cannot be obtained, the device
  tries to check revocation status from an OCSP server. If both
  options fail, however, certificates are accepted.
- OCSP and CRL Checks Attempted: The device first tries to
  check revocation status from an OCSP server. If this fails, the
  device tries to download the latest CRL. If both options fail,
  however, certificates are accepted.


OCSP Server URL

Applies only when checking for revocation from an OCSP server.
The URL of the OCSP server checking for revocation. This URL
must start with http://

LDAP Server URL

Applies only when checking for revocation using a CRL.
The URL of the LDAP server from which the CRL can be
downloaded. This URL must start with ldap://

Note
You must include a port number in the URL when using this
AAA server on ASA devices, otherwise LDAP will fail.

Enable Registration Authority Mode

Does not apply to PIX/ASA 7.0+ devices.
When selected, the CA server operates in RA (Registration
Authority) mode. A Registration Authority is a server that acts as a
proxy for the CA so that CA operations can continue when the CA
server is offline.
When deselected, the CA server does not operate in RA mode. This
is the default.

Note
If you plan to use this PKI enrollment object with Cisco IOS
routers only, you do not need to configure this option. Cisco
IOS routers configure this option automatically as required.
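To make the Fingerprint check in Table F-247 concrete, here is an added Python example (not Cisco Security Manager code) that normalizes an operator-entered hexadecimal fingerprint, hashes a DER-encoded certificate, and compares the two in constant time. The table does not state which hash the fingerprint uses, so the example assumes the digest is selected by the length of the entered value (32, 40 or 64 hex digits for MD5, SHA-1 or SHA-256); SAMPLE_CA_DER is a constructed byte string, not a real certificate.

```python
"""Verify a CA certificate against an operator-entered fingerprint.

Added example, not Cisco Security Manager code. Table F-247 says the
fingerprint is entered in hexadecimal and that a mismatch rejects the
certificate; it does not name the hash, so this example assumes the digest
is chosen by the length of the hex string (MD5, SHA-1 or SHA-256).
SAMPLE_CA_DER is constructed, not a real certificate.
"""
import hashlib
import hmac
import re

# Digest length in hex characters -> algorithm (assumption, see module docstring).
_DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Strip separators that operators commonly paste (colons, spaces, dots, dashes)
    and lower-case the result.

    Raises ValueError if anything other than hex digits remains, or if the
    length does not correspond to a supported digest.
    """
    hexdigits = re.sub(r"[\s:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("fingerprint must be hexadecimal")
    if len(hexdigits) not in _DIGEST_BY_HEX_LEN:
        raise ValueError(f"unsupported fingerprint length {len(hexdigits)}")
    return hexdigits


def fingerprint(der_bytes, algorithm):
    """Hex digest of the DER-encoded certificate, as a CA publishes it."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def ca_certificate_matches(der_bytes, entered_fingerprint):
    """True only if the entered fingerprint equals the digest of der_bytes.

    The comparison uses hmac.compare_digest so that a wrong value is not
    distinguishable by timing. Anything that fails to parse means 'reject',
    mirroring the table: no match, no trust.
    """
    try:
        expected = normalize_fingerprint(entered_fingerprint)
    except ValueError:
        return False
    algorithm = _DIGEST_BY_HEX_LEN[len(expected)]
    actual = fingerprint(der_bytes, algorithm)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a DER certificate (NOT a real certificate).
SAMPLE_CA_DER = bytes.fromhex("3082010a0282010100") + b"constructed-ca-certificate"

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_CA_DER, "sha1")
    print("SHA-1 fingerprint:", fp)
    print("accepted:", ca_certificate_matches(SAMPLE_CA_DER, fp))
    print("accepted with wrong value:", ca_certificate_matches(SAMPLE_CA_DER, "00" * 20))
```

The normalization step matters in practice: a fingerprint copied from a CA's web page often arrives with colons or mixed case, and rejecting on a formatting difference trains operators to retype values from memory, which is exactly the error the check exists to catch.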
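The nine Revocation Check Support modes in Table F-247 differ only in which check runs first and in whether an unobtainable CRL or unreachable OCSP server fails open or closed. The following Python model is an added example, not Cisco Security Manager code: it encodes each mode as an ordered list of checks plus a Required/Attempted flag, and the three check outcomes ('good', 'revoked', 'unavailable') are constructed for the demo. fail_open_modes() lists the settings under which a device still accepts a certificate when no revocation information can be obtained at all.

```python
"""Model of the Revocation Check Support modes in Table F-247.

Added example, not Cisco Security Manager code. A CRL lookup and an OCSP
query are each assumed (constructed for this demo) to end in one of three
outcomes: 'good', 'revoked' or 'unavailable' (no CRL could be obtained, or
the OCSP server did not answer).
"""
from enum import Enum


class Result(str, Enum):
    GOOD = "good"                # check completed, certificate not revoked
    REVOKED = "revoked"          # check completed, certificate is revoked
    UNAVAILABLE = "unavailable"  # check could not be performed


# mode -> (checks in the order the device tries them, required?)
# "Required" modes reject when every listed check is unavailable;
# "Attempted" modes accept in that case ("however, certificates are accepted").
MODES = {
    "Checking Not Performed":        ([], False),
    "CRL Check Required":            (["crl"], True),
    "OCSP Check Required":           (["ocsp"], True),
    "CRL Check Attempted":           (["crl"], False),
    "OCSP Check Attempted":          (["ocsp"], False),
    "CRL or OCSP Check Required":    (["crl", "ocsp"], True),
    "OCSP or CRL Check Required":    (["ocsp", "crl"], True),
    "CRL and OCSP Checks Attempted": (["crl", "ocsp"], False),
    "OCSP and CRL Checks Attempted": (["ocsp", "crl"], False),
}


def certificate_accepted(mode, crl, ocsp):
    """Return True if a device configured with `mode` accepts the certificate.

    `crl` and `ocsp` are the outcomes of the two checks. The device consults
    the checks in the order the mode lists them and stops at the first one
    that completes; a 'revoked' answer always rejects. If no listed check
    completes, Required modes reject and Attempted modes accept.
    """
    order, required = MODES[mode]
    outcomes = {"crl": Result(crl), "ocsp": Result(ocsp)}
    for check in order:
        outcome = outcomes[check]
        if outcome is Result.REVOKED:
            return False
        if outcome is Result.GOOD:
            return True
        # UNAVAILABLE: fall through to the next check, if the mode lists one
    return not required


def fail_open_modes():
    """Modes that accept a certificate when no revocation data is obtainable."""
    return sorted(mode for mode, (_order, required) in MODES.items() if not required)


if __name__ == "__main__":
    for mode in MODES:
        verdict = certificate_accepted(mode, "unavailable", "good")
        print(f"{mode:32s} CRL unavailable, OCSP good -> "
              f"{'accept' if verdict else 'reject'}")
```

Running the block prints one line per mode for the common outage case (CRL unreachable, OCSP answering); the single-source Required modes reject it, the two-source Required modes accept it, and every Attempted mode accepts it. That table is what to consult when deciding whether an "Attempted" setting is acceptable for a given VPN.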

PKI Enrollment Dialog Box - Enrollment Parameters Tab

Use the Enrollment Parameters tab of the PKI Enrollment Dialog Box, page F-437
to define how the router enrolls with the external CA server.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-437, then click the Enrollment
Parameters tab.

Related Topics

Understanding PKI Enrollment Objects, page 8-136
PKI Enrollment Dialog Box - CA Information Tab, page F-438
PKI Enrollment Dialog Box - Certificate Subject Name Tab, page F-445
PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab, page F-447
PKI Enrollments Page, page F-435

Field Reference

Table F-248 PKI Enrollment Dialog Box - Enrollment Parameters Tab

Element / Description

Challenge Password

The password used by the CA server to validate the identity of the
router. This password is mandatory for PIX 6.3 devices, but optional
for PIX/ASA 7.0 devices and Cisco IOS routers.
You can obtain the password by contacting the CA server directly,
or by entering the following address in a web browser:
http://URLHostName/certsrv/mscep/mscep.dll

Note
Each password is valid for one hour, starting from the
moment you obtain it from the CA server. Therefore, it is
important that you deploy the password as soon as possible
after you create it.

Note
Each password is valid for a single enrollment by a single
device. Therefore, we do not recommend assigning a PKI
enrollment object where this field is defined to a VPN,
unless you first configure a device-level override for each
device in the VPN. For more information, see Overriding
Global Objects for Individual Devices, page 8-197.

Retry Period

The interval between certificate request attempts, in minutes. Valid
values range from 1 to 60 minutes. The default is 1 minute.

Retry Count

The number of retries that should be made if no certificate is issued
upon the first request. Valid values range from 1 to 100. The default
is 10.


Certificate Auto-Enrollment (IOS)

Applies only to Cisco IOS routers.
The percentage of the current certificate's lifetime after which the
router requests a new certificate. For example, if you enter 70, the
router requests a new certificate after 70% of the lifetime of the
current certificate has been reached. Valid values range from 10%
to 100%.
If you do not specify a value, the router requests a new certificate
after the old certificate expires.

Include Device's Serial Number

When selected, includes the serial number of the router in the
certificate.
When deselected, does not include the serial number of the router in
the certificate.

RSA Key Pair Name

If the key pair you want to associate with the certificate already
exists, this field specifies the name of that key pair.
If the key pair does not exist, this field specifies the name to assign
to the key pair that will be generated during enrollment.

Note
If you do not specify an RSA key pair, the fully qualified
domain name (FQDN) key pair is used instead.

Note
On PIX and ASA devices, the key pair must exist on the
device before deployment.

RSA Key Size (IOS)

Applies only to Cisco IOS routers.
If the key pair does not exist, defines the desired key size (modulus),
in bits. If you want a modulus between 512 and 1024, enter an
integer that is a multiple of 64. If you want a value higher than 1024,
enter 1536 or 2048. The recommended size is 1024.

Note
The larger the modulus size, the more secure the key is.
However, keys with larger modulus sizes take longer to
generate (a minute or more when larger than 512 bits) and
longer to process when exchanged.


RSA Encryption Key Size (IOS)

Applies only to Cisco IOS routers.
The size of the second key, which is used to request separate
encryption, signature keys, and certificates.

Source Interface (IOS)

Applies only to Cisco IOS routers.
The source address for all outgoing connections sent to a CA or
LDAP server during authentication, enrollment, and when obtaining
a revocation list. This parameter may be necessary when the CA
server or LDAP server cannot respond to the address from which the
connection originated (for example, due to a firewall).
If you do not define a value in this field, the address of the outgoing
interface is used.
Enter the name of an interface or interface role, or click Select to
display an object selector.

Tip
If the interface role you want is not listed, click the Create
button or the Edit button in the selector to display the
Interface Role Dialog Box, page F-419. From here you can
define an interface role object.

PKI Enrollment Dialog Box - Certificate Subject Name Tab

Use the Certificate Subject Name tab of the PKI Enrollment Dialog Box,
page F-437 to optionally include additional information about the device in
certificate requests sent to the CA server. Enter all information using the standard
LDAP X.500 format.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-437, then click the Certificate
Subject Name tab.

Related Topics

Understanding PKI Enrollment Objects, page 8-136
PKI Enrollment Dialog Box - CA Information Tab, page F-438
PKI Enrollment Dialog Box - Enrollment Parameters Tab, page F-442
PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab, page F-447
PKI Enrollments Page, page F-435

Field Reference

Table F-249 PKI Enrollment Dialog Box - Certificate Subject Name Tab

Element / Description

Include Device's FQDN

When selected, includes the router's fully qualified domain name
(FQDN) in the certificate request.
When deselected, the FQDN is not included in the certificate
request.

Include Device's IP Address

The interface whose IP address is included in the certificate request.
Enter the name of an interface (see Basic Interface Settings on Cisco
IOS Routers, page 14-21) or interface role (see Understanding
Interface Role Objects, page 8-115), or click Select to display a
selector (see Object Selectors, page F-558).

Tip
Click the Edit button in the selector to modify the properties
of the selected interface role.

Tip
If the interface role you want is not listed, click the Create
button in the selector to display the Interface Role Dialog
Box, page F-419. From here you can define an interface role
object.

Common Name (CN)

The X.500 common name to include in the certificate.

Organization Unit (OU)

The name of the organization unit (for example, a department name)
to include in the certificate.

Note
When you configure PKI server objects for Cisco EzVPN
Remote components, this field must contain the name of the
client group to which the component connects. Otherwise,
the component will not be able to connect. See
Understanding Easy VPN, page 9-109.

Organization (O)

The organization or company name to include in the certificate.

Locality (L)

The locality to include in the certificate.


State (ST)

The state or province to include in the certificate.

Country (C)

The country to include in the certificate.

Email (E)

The email address to include in the certificate.
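Table F-249 asks for the subject attributes in standard LDAP X.500 format, which means the values are joined into one distinguished name string where commas, plus signs and a few other characters are separators. The following Python example is added here and is not Cisco Security Manager code: it assembles the CN, OU, O, L, ST, C and E fields into an RFC 4514 string with the separator characters escaped, and parses such a string back, so that a department name like "Sales, EMEA" survives as a single OU rather than being split into a second attribute. The sample values are constructed.

```python
"""Build and parse the X.500 subject name entered on the Certificate Subject Name tab.

Added example, not Cisco Security Manager code. Table F-249 says values are
entered in standard LDAP X.500 format; this assembles them as an RFC 4514
string and escapes the characters that are separators in that syntax, so a
value such as "Sales, EMEA" stays one attribute. Sample values are constructed.
"""

# Attribute order as the tab lists it: CN, OU, O, L, ST, C, E.
SUBJECT_FIELDS = ("CN", "OU", "O", "L", "ST", "C", "E")

# Characters that must be escaped anywhere in a value (RFC 4514 section 2.4);
# '=' need not be escaped but escaping it is harmless and avoids confusion.
_ESCAPE_ANYWHERE = set(',+"\\<>;=')
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value):
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' would mean hex-encoded BER
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing space is significant
            out.append("\\ ")
        elif ord(ch) < 0x20:                  # control characters as \XX
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_subject_name(**fields):
    """Return "CN=...,OU=...,..." for the fields that are set, in tab order.

    Unknown attribute names are rejected so that a typo cannot silently
    drop part of the subject.
    """
    unknown = set(fields) - set(SUBJECT_FIELDS)
    if unknown:
        raise ValueError(f"unsupported subject attribute(s): {sorted(unknown)}")
    parts = []
    for attr in SUBJECT_FIELDS:
        value = fields.get(attr)
        if value:  # skip None and empty strings
            parts.append(f"{attr}={escape_rdn_value(str(value))}")
    return ",".join(parts)


def parse_subject_name(dn):
    """Inverse of build_subject_name: list of (attribute, value) pairs.

    Undoes the escapes above so that an escaped comma reads as data, not
    as a separator. Both "\\," and the hex form "\\2C" are accepted.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape at end of subject name")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                cur.append(chr(int(pair, 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return [tuple(rdn.split("=", 1)) for rdn in rdns if rdn]


if __name__ == "__main__":
    dn = build_subject_name(CN="vpn-gw1.example.com", OU="Sales, EMEA",
                            O="Example Corp", C="US")
    print(dn)
    print(parse_subject_name(dn))
```

The round trip is the useful check: if the OU you typed comes back as two attributes, the CA will issue a certificate whose subject does not match the client group name the EzVPN note above requires, and the component will fail to connect.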

PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab

Use the Trusted CA Hierarchy tab of the PKI Enrollment Dialog Box, page F-437
to define the trusted CA servers within a hierarchical PKI framework. Within this
framework, all enrolled peers can validate each other's certificates if they share a
trusted root CA certificate or a common subordinate CA.

Navigation Path

Go to the PKI Enrollment Dialog Box, page F-437, then click the Trusted CA
Hierarchy tab.

Related Topics

Understanding PKI Enrollment Objects, page 8-136
PKI Enrollment Dialog Box - CA Information Tab, page F-438
PKI Enrollment Dialog Box - Enrollment Parameters Tab, page F-442
PKI Enrollment Dialog Box - Certificate Subject Name Tab, page F-445
PKI Enrollments Page, page F-435

Field Reference

Table F-250 PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab

Element / Description

Available CA Servers

Lists all existing CA servers. To add an existing CA server to the list
of trusted CA servers, select one or more items from this list, then
click >> to add them to the Selected CA Servers list.

Filter

Enables you to apply a filter to the list of available objects or open
the Create Filter Dialog Box - Object Selectors, page F-561. From
here, you can create a filter.

Selected CA Servers

Lists all CA servers that are treated as trusted servers. To remove
items from this list, select the servers, then click <<.

Create button

Opens a new PKI Enrollment dialog box for creating a PKI
enrollment to include in this object.

Edit button

Opens a new PKI Enrollment dialog box for modifying the
definition of the selected PKI enrollment object.

Port Forwarding List Page

Use the Port Forwarding List page to view, create, edit, or delete Port Forwarding
List objects.
Application port forwarding is configured for thin client access mode in
SSL VPN. Port forwarding allows users to access applications (such as telnet,
email, VNC, SSH, and Terminal services) inside the enterprise via an SSL VPN
session. A Port Forwarding List object defines the mappings of port numbers on
the remote client to the application's IP address and port behind the SSL VPN
gateway.

Navigation Path

Open the Policy Object Manager Window, page F-3, then select Port Forwarding
List from the Object Type selector.

Related Topics

Understanding Port Forwarding List Objects, page 8-147
Creating Port Forwarding List Objects, page 8-148
Policy Object Overrides Window, page F-565
Policy Object Manager Window, page F-3
Policy Object Manager Window - Shortcut Menu, page F-9
Policy Object Manager User Interface Reference, page F-1
Object Usage Window, page F-563


Field Reference

Table F-251 Port Forwarding List Page

Column / Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the port forwarding list object.

Port Forwarding List BBs

The names of other Port Forwarding List objects that are included
in this port forwarding list object.

Local TCP Port

The port number to which the local application is mapped
(between 1 and 65535).

Remote Server

The IP address or fully qualified domain name of the remote server.

Remote TCP Port

The port number of the application for which port forwarding is
configured (between 1 and 65535).

Category

The category that is assigned to the object. See Understanding
Category Objects, page 8-48.

Overridable

Indicates whether the global object definition can be overridden by
object values defined at device level. See Allowing a Global Object
to Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. A tooltip
displays the text of the description.

Tip
Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Port Forwarding List Dialog Box, page F-450. From here
you can create a port forwarding list object.


Edit Object button

Opens the Port Forwarding List Dialog Box, page F-450. From here
you can edit the selected port forwarding list object.

Note
You cannot edit predefined objects.

Delete Object button

Deletes the selected port forwarding list objects from the table.

Note
You cannot delete an object that is referenced by policies or
other objects.

Port Forwarding List Dialog Box

Use the Port Forwarding List dialog box to create, copy, and edit Port Forwarding
List objects.

Navigation Path

Go to the Port Forwarding List Page, page F-448 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.

Related Topics

Port Forwarding List Page, page F-448
Add/Edit Port Forwarding Entry Dialog Box, page F-452
Creating Port Forwarding List Objects, page 8-148
Policy Object Manager Window, page F-3

Field Reference

Table F-252 Port Forwarding List Dialog Box

Element / Description

Name

The Port Forwarding List object name (up to 128 characters). Object
names are not case-sensitive. For more information, see Guidelines
for Managing Objects, page 8-4.

Description

Additional information about the Port Forwarding List object (up to
1024 characters).

Port Forwarding List

A table listing the port forwarding entries that are currently defined
for the object.
You can use the buttons below the table to add, edit, and delete
entries from the table.

Create button

Click to open a dialog box that lets you add a port forwarding entry
to the table. See Add/Edit Port Forwarding Entry Dialog Box,
page F-452.

Edit button

Select the row of a port forwarding entry in the table, then click to
open a dialog box in which you can edit it. See Add/Edit Port
Forwarding Entry Dialog Box, page F-452.

Delete button

Select the rows of one or more port forwarding entries in the table,
then click to remove them from the list.

Include Port Forwarding Lists

The names of other Port Forwarding List objects that are included
in this port forwarding list object. You can click Select to open the
Port Forwarding List Selector from which to make your selection.

Note
This is a convenient way to include port forwarding entries
that are defined in other Port Forwarding List objects. These
entries will be included in the CLI commands of the current
port forwarding list object, but the object names will not be
reflected in the CLI.

Category

Provides an intermediate level of detail to objects and helps you
readily identify rules and objects by use of color-coding. See
Understanding Category Objects, page 8-48.

Note
No commands are generated for the category attribute.


Allow Value Override per Device

When selected, allows the global port forwarding list object
definition defined here to be changed at the device level. See
Allowing a Global Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.

Tip
When editing a port forwarding list object that can be overridden,
click the Edit button to display the Policy Object Overrides
Window, page F-565. From here you can create, edit, and view
device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.

Add/Edit Port Forwarding Entry Dialog Box


Use the Port Forwarding Entry dialog box to create a new port forwarding list
entry or edit an existing one.
Navigation Path

Go to the Port Forwarding List Dialog Box, page F-450, then click Add or Edit
beneath the Port Forwarding List table.
Related Topics

Port Forwarding List Dialog Box, page F-450

Port Forwarding List Page, page F-448

Creating Port Forwarding List Objects, page 8-148

Policy Object Manager Window, page F-3


Field Reference

Table F-253 Add/Edit Port Forwarding Entry Dialog Box

Element / Description

Local TCP Port

Specify the port number to which the local application is mapped
(between 1 and 65535).

Remote Server

Specify the IP address or fully qualified domain name of the remote
server.
You can click Select to open the Networks/Hosts Selector from
which to make your selection.

Remote TCP Port

Specify the port number of the application for which port
forwarding is configured (between 1 and 65535).

Description

Additional information about the port forwarding entry (up to 1024
characters). This information is mandatory on IOS routers.

OK button

Saves your changes to the server and closes the dialog box.
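Tables F-252 and F-253 together describe a Port Forwarding List as a set of entries (local TCP port, remote server, remote TCP port) plus other lists whose entries are folded into the same CLI output. The following Python model is an added example, not Cisco Security Manager code: it validates each entry against the ranges the dialog boxes state, flattens a list together with its included lists, and reports the two conditions that the merge can produce silently, namely an include cycle and two different mappings claiming the same local port (a client can bind a local port only once). All sample lists and hosts are constructed.

```python
"""Port Forwarding List objects with included lists, per Tables F-252 and F-253.

Added example, not Cisco Security Manager code. An entry maps a local TCP
port (1-65535) on the client to a remote server (IP address or FQDN) and
port; a list may include other lists, whose entries are folded into the
including list's CLI output. All sample lists and entries are constructed.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_FQDN_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*$")


def _check_port(value, label):
    """Enforce the 1-65535 range both dialog boxes state for TCP ports."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError(f"{label} must be an integer between 1 and 65535, got {value!r}")
    return value


def _check_remote_server(value):
    """Accept an IPv4/IPv6 address or a syntactically valid host name."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if _FQDN_RE.match(value):
        return value
    raise ValueError(f"remote server must be an IP address or FQDN, got {value!r}")


@dataclass(frozen=True)
class PortForwardingEntry:
    local_tcp_port: int
    remote_server: str
    remote_tcp_port: int
    description: str = ""  # mandatory on IOS routers per Table F-253

    def __post_init__(self):
        _check_port(self.local_tcp_port, "Local TCP Port")
        _check_remote_server(self.remote_server)
        _check_port(self.remote_tcp_port, "Remote TCP Port")
        if len(self.description) > 1024:
            raise ValueError("description is limited to 1024 characters")

    @property
    def mapping(self):
        """The part of the entry that matters for conflicts (description excluded)."""
        return (self.local_tcp_port, self.remote_server, self.remote_tcp_port)


@dataclass
class PortForwardingList:
    name: str
    entries: list = field(default_factory=list)
    includes: list = field(default_factory=list)  # other PortForwardingList objects

    def flatten(self):
        """Entries of this list followed by those of each included list, depth first.

        The same mapping reached through two includes is emitted once. Two
        different mappings for one local port raise ValueError, because the
        client can bind a local port only once; so does an include cycle.
        """
        ordered, by_local_port, path = [], {}, []

        def walk(pfl):
            if pfl.name in path:
                raise ValueError("include cycle: " + " -> ".join(path + [pfl.name]))
            path.append(pfl.name)
            for entry in pfl.entries:
                prior = by_local_port.get(entry.local_tcp_port)
                if prior is None:
                    by_local_port[entry.local_tcp_port] = entry.mapping
                    ordered.append(entry)
                elif prior != entry.mapping:
                    raise ValueError(
                        f"local port {entry.local_tcp_port} maps to both "
                        f"{prior[1]}:{prior[2]} and "
                        f"{entry.remote_server}:{entry.remote_tcp_port}")
            for included in pfl.includes:
                walk(included)
            path.pop()

        walk(self)
        return ordered


if __name__ == "__main__":
    rdp = PortForwardingList("rdp", [PortForwardingEntry(3389, "10.1.1.5", 3389, "RDP")])
    mail = PortForwardingList("mail", [PortForwardingEntry(1025, "mail.example.com", 25, "SMTP")])
    combined = PortForwardingList("combined",
                                  [PortForwardingEntry(2222, "10.1.1.9", 22, "SSH")],
                                  includes=[rdp, mail])
    for e in combined.flatten():
        print(f"{e.local_tcp_port:5d} -> {e.remote_server}:{e.remote_tcp_port}  {e.description}")
```

Because the page notes that included object names do not appear in the generated CLI, a local-port clash between two included lists shows up on the device only as one forward overriding another; checking the flattened result before deployment is the place to catch it.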

Secure Desktop Configuration Page


Cisco Secure Desktop (CSD) provides a reliable means of eliminating all traces
of sensitive data by providing a single, secure location for session activity and
removal on the client system. A Secure Desktop Configuration object defines the
configuration for Cisco Secure Desktop (CSD) to provide endpoint security.
Use the Secure Desktop Configuration page to view, create, edit, or delete a
Secure Desktop Configuration object.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select Secure Desktop
Configuration from the Object Type selector.
Related Topics

Understanding Secure Desktop Configuration Objects, page 8-153

Creating Secure Desktop Configuration Objects, page 8-154

Policy Object Manager Window, page F-3


Policy Object Manager Window - Shortcut Menu, page F-9
Policy Object Manager User Interface Reference, page F-1
Object Usage Window, page F-563

Field Reference

Table F-254 Secure Desktop Configuration Page

Column / Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

Shows the name of the object. Names can be sorted in ascending or
descending order.

Category

The category that is assigned to the object. See Understanding
Category Objects, page 8-48.

Description

Displays an icon if a description is defined for the object. A tooltip
displays the text of the description.

Tip
Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Secure Desktop Configuration Dialog Box, page F-455.
From here you can create a Secure Desktop Configuration object.

Edit Object button

Opens the Secure Desktop Configuration Dialog Box, page F-455.
From here you can edit the selected Secure Desktop Configuration
object.

Note
You cannot edit predefined objects.

Delete Object button

Deletes the selected Secure Desktop Configuration objects from the
table.

Note
You cannot delete an object that is referenced by policies or
other objects.


Secure Desktop Configuration Dialog Box

Use the Secure Desktop Configuration dialog box to create, copy, and edit Secure
Desktop Configuration objects.
Using the Secure Desktop Manager interface, you can configure the settings
required for Windows clients who are connecting from different location types,
enable or restrict web browsing and file access for Windows CE clients, and
configure the cache cleaner for Macintosh and Linux clients.

Note
For more information about configuring the Secure Desktop, see Cisco Secure
Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release
3.1.1 (from Chapter 3 onwards), at this URL:
http://www.cisco.com/en/US/docs/security/csd/csd311/csd_for_asa/configuration/311j.html

Navigation Path

Go to the Secure Desktop Configuration Page, page F-453 in the Policy Object
Manager Window, page F-3, then click New Object or Edit Object beneath the
table.

Related Topics

Creating Secure Desktop Configuration Objects, page 8-154
Secure Desktop Configuration Page, page F-453
Policy Object Manager Window, page F-3

Field Reference

Table F-255 Secure Desktop Configuration Dialog Box

Element / Description

Name

The Secure Desktop Configuration object name (up to 128
characters). Object names are not case-sensitive. For more
information, see Guidelines for Managing Objects, page 8-4.

Description

Additional information about the Secure Desktop Configuration
object (up to 1024 characters).


Windows Location Settings

Windows Locations

Enable you to create a group of settings for Windows clients
connecting from a particular type of location, such as Work, Home,
or Insecure. Once you create a location, you can specify how to
determine that clients are connecting from that particular location.
For each location you want to configure, enter its name in the field
provided, and click Add to move it to the Locations field. You can
reorder the locations using the Move Up/Move Down buttons.
CSD checks locations in the order listed in this dialog box, and
grants privileges to client PCs based on the first location definition
they match. For more information, see About Windows Locations,
page 8-153.

Note
After you create a location, you can configure the VPN
Feature Policy, Keystroke Logger, Cache Cleaner, and
Secure Desktop features for the location, as follows.

VPN Feature Policy

Enables you to configure a group-based policy, web browsing,
remote server file access, port forwarding, and full tunneling
settings for SSL VPN.

Note
This feature may require and verify the presence of certain
safeguards such as antivirus software, antispyware
software, firewall software, and the operating system
version and patch.

Keystroke Logger

Scans the client PC for a keystroke logging application. You can
configure a location type to require a scan for keystroke logging
applications on the client PC. You can list the applications that are
safe or let the remote user approve the applications the scan
identifies.

Note
Secure Desktop and Cache Cleaner launch only if the scan
is clear, or only if you assign administrative control to the
user and the user approves of the applications the scan
identifies. CSD may be unable to detect every potentially
malicious keystroke logger, including but not limited to
hardware keystroke logging devices.


Cache Cleaner

These settings enable you to disable or erase data that a user
downloaded, inserted, or created in the browser, including cached
files, configuration changes, cached browser information,
passwords entered, and auto-completed information.
The Cache Cleaner works with Microsoft Internet Explorer 5.0 or
later on Windows 98, ME, NT 4, 2000, and XP; Internet Explorer
5.2 or later, or Safari 1.0 or later, on Macintosh (MacOS X); and
Mozilla 1.1 or later on Red Hat Linux v9.

Secure Desktop General

Enables you to configure the Secure Desktop features and
customize the user experience.

Secure Desktop Settings

Enables you to configure restrictions on the Secure Desktop.

Secure Desktop Browser

Enables you to specify the home page to which the browser
connects when the remote user establishes a CSD session.
This option also lets you specify the folders and bookmarks
(or favorites) to insert into the respective browser menu during
the CSD session.

Close all open browser windows after installation

When selected (the default), closes all the open browser windows
after the Secure Desktop installation.

VPN Feature Policy

Select the check boxes to enable these features if installation or
location matching fails:
- Web Browsing
- File Access
- Port Forwarding
- Full Tunneling


Windows CE

VPN Feature Policy

The Windows CE options enable you to configure a VPN feature
policy to enable or restrict web browsing and remote server file
access for remote clients running Microsoft Windows CE.
Select the Web Browsing and File Access check boxes to enable
these features, if required.

Note: CSD does not support location entries for Windows CE
clients, but does let you enable or restrict web browsing and
remote server file access for them.

Mac and Linux Cache Cleaner

Launch Cleanup Upon Global Timeout

When selected, enables you to set a global timeout after which CSD
launches the cache cleaner, then specify the timeout period after
which the cleanup will begin. The default is 5 minutes.

Note: If required, you can select the check box to allow the user to
reset the timeout period.

Launch Cleanup Upon Exiting of Browser

When selected, configures the cache cleaner to be launched when all
the browser windows are closed.

Enable Cancelling of Cleaning

When selected, enables the remote user to cancel the cleaning of the
cache.

Secure Delete

Select the number of passes for CSD to perform a
Windows-delete cleanup. The default is 1 pass.
CSD encrypts and writes the cache to the remote client's disk. Upon
termination of the Secure Desktop, CSD converts all bits occupied
by the cache to all 0s, then to all 1s, and then to randomized 0s
and 1s.

Enable Web Browsing if Mac or Linux Installation Fails

When selected, allows web browsing (but disables other remote
access features) if the cache cleaner installation fails.


VPN Feature Policy

Enables you to configure a VPN Feature Policy that allows or
restricts web browsing, remote server file access, and port
forwarding for Macintosh and Linux clients.
Select the check boxes if you want to enable these features after a
successful installation:
- Web Browsing
- File Access
- Port Forwarding

Note: Port forwarding permits the use of the Secure Desktop to
connect a client application installed on the local PC to the
TCP/IP port of a peer application on a remote server.

Category

Provides an intermediate level of detail to objects and helps you
readily identify rules and objects by use of color-coding. See
Understanding Category Objects, page 8-48.

Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

Port Lists Page


Use the Port Lists page to view, create, edit, copy, and delete port list objects. A
port list object is a named definition of one or more port ranges that you use when
defining service objects.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select Port Lists from
the Object Type selector.
Related Topics

Understanding Port List Objects, page 8-150

Policy Object Overrides Window, page F-565

Service Dialog Box, page F-467


Policy Object Manager Window, page F-3

Policy Object Manager Window Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference
Table F-256

Port Lists Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the object.

Content

The port ranges defined for the object.

Category

The category that is assigned to the object.

Overridable

Indicates whether the global object definition can be overridden by
object values defined on a device. See Allowing a Global Object to
Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.

Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Port List Dialog Box, page F-461. From here you can
create a port list object.

Edit Object button

Opens the Port List Dialog Box, page F-461. From here you can edit
the selected port list object.

Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected port list objects from the table.

Note: You cannot delete an object that is referenced by policies or
other objects.


Port List Dialog Box


Use the Port List dialog box to create, edit, or copy a port list object.
Navigation Path

Go to the Port Lists Page, page F-459 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating Port List Objects, page 8-151

Understanding Port List Objects, page 8-150

Policy Object Manager Window, page F-3

Service Dialog Box, page F-467

Field Reference
Table F-257

Port List Dialog Box

Element

Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).


Ports

The port ranges included in the port list object, for example, 1-1000.
You can define a single port, a range of ports, multiple port ranges,
or any combination of single ports and ranges. Separate multiple
entries with commas.
The following operators are supported:
gt: greater than
lt: less than
eq: equals
neq: does not equal
Valid port values range from 1 to 65535.

Note: You cannot combine a port range containing the neq
operator with additional ranges.

Port Lists

The port lists included in the object. Enter the port lists to include
in the object, or click Select to display an object selector for adding
existing port list objects.

Tip: Click the Edit button in the selector to modify the properties
of the selected port list object.

Category

The category that is assigned to the object. Categories help you
organize and identify rules and objects. See Categories Page,
page F-87.

Allow Value Override per Device

When selected, allows the global object definition defined here to
be changed at the device level. See Allowing a Global Object to Be
Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.

Tip: When editing a service group object that can be overridden,
click the Edit button to display the Policy Object Overrides
Window, page F-565. From here you can create, edit, and
view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.


Service Groups Page


Use the Service Groups page to view, create, edit, or delete service group objects.
Service group objects are collections of service objects.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select Service Groups
from the Object Type selector.
Related Topics

Understanding Service Group Objects, page 8-157

Policy Object Overrides Window, page F-565

Services Page, page F-465

Policy Object Manager Window, page F-3

Policy Object Manager Window Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference
Table F-258

Service Groups Page

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the object.

Content

The service objects contained in the service group.

Category

The category that is assigned to the object. See Understanding
Category Objects, page 8-48.


Overridable

Indicates whether the global object definition can be overridden by
object values defined on a device. See Allowing a Global Object to
Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.

Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Service Group Dialog Box, page F-464. From here you
can create a service group object.

Edit Object button

Opens the Service Group Dialog Box, page F-464. From here you
can edit the selected service group object.

Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected service group objects from the table.

Note: You cannot delete an object that is referenced by policies or
other objects.

Service Group Dialog Box


Use the Service Group dialog box to create, copy, or edit service groups.
Navigation Path

Go to the Service Groups Page, page F-463 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating Service Group Objects, page 8-157

Understanding Service Group Objects, page 8-157

Policy Object Manager Window, page F-3

Service Dialog Box, page F-467


Field Reference
Table F-259

Service Group Dialog Box

Element

Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).

Services

The services and service groups included in the object. Enter the
names of the services and service groups to include in the object, or
click Select to display an object selector for adding existing objects.

Tip: Click the Edit button in the selector to modify the properties
of a selected service or service group object.

Category

The category assigned to the object. Categories help you organize
and identify rules and objects. See Categories Page, page F-87.

Allow Value Override per Device

When selected, allows the global object definition defined here to
be changed at the device level. See Allowing a Global Object to Be
Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.

Tip: When editing a service group object that can be overridden,
click the Edit button to display the Policy Object Overrides
Window, page F-565. From here you can create, edit, and
view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.

Services Page
Use the Services page to view, create, edit, or delete service objects. A service
object is a named definition of traffic protocol and ports.

Note

Service objects that share common traits can be combined into service groups. See
Service Groups Page, page F-463.


Navigation Path

Open the Policy Object Manager Window, page F-3, then select Services from the
Object Type selector.
Related Topics

Understanding Service Objects, page 8-159

Policy Object Overrides Window, page F-565

Policy Object Manager Window, page F-3

Policy Object Manager Window Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference
Table F-260

Services Page

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the object.

Protocol

The protocol selected for the service.

Source Ports

(TCP and UDP services only) The source port, or range of ports,
specified for the service.

Destination Ports

(TCP and UDP services only) The destination port, or range of
ports, specified for the service.

ICMP Message Type

(ICMP services only) The ICMP qualifier message.

Category

The category that is assigned to the object. See Understanding
Category Objects, page 8-48.


Overridable

Indicates whether the global object definition can be overridden by
object values defined on a device. See Allowing a Global Object to
Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.

Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Service Dialog Box, page F-467. From here you can
create a service object.

Edit Object button

Opens the Service Dialog Box, page F-467. From here you can edit
the selected service object.

Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected services from the table.

Note: You cannot delete an object that is referenced by policies or
other objects.

Service Dialog Box


Use the Service dialog box to create or edit service objects.
Navigation Path

Go to the Services Page, page F-465 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating Service Objects, page 8-160

Understanding Service Objects, page 8-159

Policy Object Manager Window, page F-3

Service Group Dialog Box, page F-464

User Guide for Cisco Security Manager 3.1


OL-11501-03

F-467

Appendix F

Policy Object Manager User Interface Reference

Services Page

Field Reference
Table F-261

Service Dialog Box

Element

Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).

Protocol

The protocol that is defined by the service.
If the protocol you require is not listed, select the blank option
from the list and enter the protocol key or number in the field
provided. Separate multiple entries with commas.

Protocol Keys/Numbers

Applies only when you select the blank protocol from the
Protocol list.
The number or key of the IP protocol defined by this service.
Separate multiple entries with commas.

Note: If you select a protocol from the Protocol list box, this field
is disabled.


Destination Port Ranges

Available only if you select TCP, UDP, or TCP & UDP from the
Protocol list.
The destination ports contained in the service. Options are:

- Enter ranges: Enables you to manually enter a port range. Use
  commas to separate multiple entries. This is the default.
  The following operators are supported:
  gt: greater than
  lt: less than
  eq: equals
  neq: does not equal

  Note: When you define a range of ports, make sure the range you
  specify does not contain spaces. If you enter an invalid
  range, an error message will indicate the permissible range
  of numbers.

- Select Port List object: Enables you to define the ports to
  include in the destination range by defining a port list object.
  Enter the name of the port list, or click Select to display an
  object selector.

  Tip: If the port list you want is not listed, click the Create button
  or the Edit button in the selector to display the Port List
  Dialog Box, page F-461. From here you can define a port
  list object.


Source Port Ranges

Available only if you selected TCP, UDP, or TCP & UDP from the
Protocol list.
The source ports contained in the service. Options are:

- Enter ranges: Enables you to manually enter a port range. Use
  commas to separate multiple entries.
  The following operators are supported:
  gt: greater than
  lt: less than
  eq: equals
  neq: does not equal

  Note: When you define a range of ports, make sure the range you
  specify does not contain spaces. If you enter an invalid
  range, an error message will indicate the permissible range
  of numbers.

- Select Port List object: Enables you to define the ports to
  include in the source range by defining a port list object. Enter
  the name of the port list, or click Select to display an object
  selector.
  The predefined Default Range port list object serves as the
  default source range. The Default Range can have one of two
  values: all ports between 1 and 65535, or all secure ports
  (1024 to 65535). To change the definition of the Default Range
  port list, see Defining Policy Object Settings, page 2-91.

  Tip: If the port list you want is not listed, click the Create button
  or the Edit button in the selector to display the Port List
  Dialog Box, page F-461. From here you can define a port
  list object.

ICMP Message Type

Available only if you selected ICMP in the Protocol list box.
The message (qualifier) associated with the Internet Control
Message Protocol (ICMP) service.


ICMP Message Keys/Numbers

Available if the ICMP message you require is not listed in the ICMP
Message Type list.
The message (qualifier) associated with the ICMP service. Enter the
appropriate message key or number.

Category

The category assigned to the object. Categories help you organize
and identify rules and objects. See Categories Page, page F-87.

Allow Value Override per Device

When selected, allows the global object definition defined here to
be changed at the device level. See Allowing a Global Object to Be
Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.

Tip: When editing a service object that can be overridden, click
the Edit button to display the Policy Object Overrides
Window, page F-565. From here you can create, edit, and
view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.
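The port syntax shared by the Ports field of the Port List Dialog Box (Table F-257) and the Source/Destination Port Ranges of the Service Dialog Box (Table F-261) has several rules worth enforcing before an object is saved: comma-separated entries, single ports or N-M ranges with no spaces inside a range, the gt/lt/eq/neq operators, ports 1 to 65535, and no combination of a neq entry with other ranges. The Service dialog adds field gating (port ranges only for TCP, UDP, or TCP & UDP; ICMP message only for ICMP; Protocol Keys/Numbers only with the blank protocol). The following Python is an added example written for this page, not Security Manager code: the names PortRange, parse_port_list, covers, Service and validate_service are mine, and it assumes an operator entry is written as the keyword followed by a port number (for example gt 1023).

```python
# Added example (not Security Manager code): validator for the port-range syntax
# of Table F-257 / Table F-261 and the Service dialog's field gating.
# Assumption: an operator entry is "<keyword> <port>", e.g. "gt 1023".
from __future__ import annotations

import re
from dataclasses import dataclass

PORT_MIN, PORT_MAX = 1, 65535  # valid port values per the dialog


class PortListError(ValueError):
    """Input the dialog would reject; the message names the permissible range."""


@dataclass(frozen=True)
class PortRange:
    low: int   # inclusive
    high: int  # inclusive


_SINGLE = re.compile(r"^\d+$")
_DASH = re.compile(r"^(\d+)-(\d+)$")             # no spaces allowed inside a range
_OPER = re.compile(r"^(gt|lt|eq|neq)\s*(\d+)$")  # assumed keyword form


def _port(value: str) -> int:
    n = int(value)
    if not PORT_MIN <= n <= PORT_MAX:
        raise PortListError(f"port {n} is outside {PORT_MIN}-{PORT_MAX}")
    return n


def parse_port_list(text: str) -> list[PortRange]:
    """Parse a comma-separated port expression into inclusive ranges."""
    entries = [e.strip() for e in text.split(",")]
    ranges: list[PortRange] = []
    for entry in entries:
        if m := _OPER.match(entry):
            op, n = m.group(1), _port(m.group(2))
            if op == "neq":
                if len(entries) > 1:  # rule from the Ports field note
                    raise PortListError("neq cannot be combined with additional ranges")
                if n > PORT_MIN:      # "does not equal": everything except n
                    ranges.append(PortRange(PORT_MIN, n - 1))
                if n < PORT_MAX:
                    ranges.append(PortRange(n + 1, PORT_MAX))
            elif op == "gt":
                if n == PORT_MAX:
                    raise PortListError(f"gt {n}: no port above {PORT_MAX}")
                ranges.append(PortRange(n + 1, PORT_MAX))
            elif op == "lt":
                if n == PORT_MIN:
                    raise PortListError(f"lt {n}: no port below {PORT_MIN}")
                ranges.append(PortRange(PORT_MIN, n - 1))
            else:  # eq
                ranges.append(PortRange(n, n))
        elif m := _DASH.match(entry):
            low, high = _port(m.group(1)), _port(m.group(2))
            if low > high:
                raise PortListError(f"range {entry}: low end exceeds high end")
            ranges.append(PortRange(low, high))
        elif _SINGLE.match(entry):
            n = _port(entry)
            ranges.append(PortRange(n, n))
        else:
            raise PortListError(f"invalid entry {entry!r}: use N, N-M (no spaces), or "
                                f"gt/lt/eq/neq N with ports {PORT_MIN}-{PORT_MAX}")
    return ranges


def covers(ranges: list[PortRange], port: int) -> bool:
    """True if any parsed range includes the port."""
    return any(r.low <= port <= r.high for r in ranges)


_PORT_PROTOCOLS = {"TCP", "UDP", "TCP & UDP"}


@dataclass
class Service:
    protocol: str                  # "TCP", "UDP", "TCP & UDP", "ICMP", ... or "" for the blank option
    protocol_keys: str = ""        # usable only with the blank protocol
    source_ports: str = "1-65535"  # all-ports form of the predefined Default Range
    destination_ports: str = ""
    icmp_message: str = ""


def validate_service(svc: Service) -> dict:
    """Apply the Service dialog's gating rules, then parse whatever ports apply."""
    if svc.protocol == "":
        if not svc.protocol_keys.strip():
            raise PortListError("the blank protocol requires a protocol key or number")
    elif svc.protocol_keys:
        raise PortListError("Protocol Keys/Numbers is disabled when a protocol is selected")
    uses_ports = svc.protocol in _PORT_PROTOCOLS
    if not uses_ports and svc.destination_ports:
        raise PortListError("port ranges apply only to TCP and UDP services")
    if svc.icmp_message and svc.protocol != "ICMP":
        raise PortListError("ICMP message type is available only for ICMP")
    return {
        "protocol": svc.protocol or svc.protocol_keys,
        "source": parse_port_list(svc.source_ports) if uses_ports else [],
        "destination": parse_port_list(svc.destination_ports)
        if uses_ports and svc.destination_ports else [],
        "icmp_message": svc.icmp_message,
    }
```

The validator raises rather than truncating: an entry such as "neq 25,80" must fail as a whole, because silently applying only the first entry would change what traffic the service object matches once it is used in a rule.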

Single Sign On Server (SSO) Page


Use the Single Sign On (SSO) Server page to view, create, edit, or delete a Single
Sign On (SSO) Server object, for SSL VPN users using Computer Associates
SiteMinder SSO server. An SSO Server object allows end users to enter a
username and password once, and be able to access a range of secure services on
different servers. For more information, see Understanding Single Sign-On Server
Objects, page 8-162.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select Single Sign-On
Server (SSO) from the Object Type selector.


Related Topics

Understanding Single Sign-On Server Objects, page 8-162

Policy Object Manager Window, page F-3

Policy Object Manager Window Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference
Table F-262

Single Sign-On Server (SSO) Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the SSO Server object. Names can be sorted in
ascending or descending order.

Authentication Type

The type of SSO server. The security appliance supports the
SiteMinder type configured using Security Manager. See SSO
Authentication with SiteMinder, page 8-163.

URL

Displays the SSO server URL to which the security appliance makes
SSO authentication requests.

Category

The category that is assigned to the object. See Understanding
Category Objects, page 8-48.

Overridable

Indicates whether the global object definition can be overridden by
object values defined at device level. See Allowing a Global Object
to Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. A tooltip
displays the text of the description.

Tip: Double-click the icon to display the text of the description
in a popup window.


New Object button

Opens the Single Sign On Server (SSO) Dialog Box, page F-473.
From here you can create an SSO Server object.

Edit Object button

Opens the Single Sign On Server (SSO) Dialog Box, page F-473.
From here you can edit the selected SSO Server object.

Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected SSO server objects from the table.

Note: You cannot delete an object that is referenced by policies or
other objects.

Single Sign On Server (SSO) Dialog Box


Use the Single Sign On Server (SSO) dialog box to create, copy, and edit Single
Sign On (SSO) Server objects.
Navigation Path

Go to the Single Sign On Server (SSO) Page, page F-471 in the Policy Object
Manager Window, page F-3, then click New Object or Edit Object beneath the
table.
Related Topics

Single Sign On Server (SSO) Page, page F-471

Understanding Single Sign-On Server Objects, page 8-162

Creating Single Sign-On Server Objects, page 8-164

Policy Object Manager Window, page F-3


Field Reference
Table F-263

Single Sign-On Server (SSO) Dialog Box

Element

Description

Name

The SSO server object name (up to 128 characters). Object names
are not case-sensitive. For more information, see Guidelines for
Managing Objects, page 8-4.

Description

Additional information about the SSO server object (up to 1024
characters).

Authentication Type

The type of SSO server configured for SSL VPN users is displayed
as SiteMinder. See SSO Authentication with SiteMinder,
page 8-163.

URL

Select a protocol (http or https) from the list, then specify the SSO
server URL to which the security appliance makes SSO
authentication requests, in the field provided.

Secret Key

The key used to encrypt authentication communications with the
SSO server. The key can contain any regular or shifted
alphanumeric character. There is no minimum or maximum number
of characters.

Note: The secret key is similar to a password: you create it, save
it, and enter it on both the security appliance and the
SiteMinder Policy Server using the Cisco Java plug-in
authentication scheme.

Confirm

Confirms the key entered in the Secret Key field. The values in the
Secret Key and Confirm fields must match before you can save
these settings.

Max Retries

The number of times the security appliance retries a failed SSO
authentication attempt before the authentication times out. The
range is 1 to 5 retries, and the default is 3 retries.

Request Timeout

The number of seconds before a failed SSO authentication attempt
times out. The range is 1 to 30 seconds, and the default is 5 seconds.

Category

Provides an intermediate level of detail to objects and helps you
readily identify rules and objects by use of color-coding. See
Understanding Category Objects, page 8-48.

Note: No commands are generated for the category attribute.


Allow Value Override per Device

When selected, allows the global SSO Server object definition
defined here to be changed at the device level. See Allowing a
Global Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.

Tip: When editing an SSO Server object that can be overridden,
click the Edit button to display the Policy Object Overrides
Window, page F-565. From here you can create, edit, and
view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.

SLA Monitors Page


Use the SLA Monitors page to view, create, edit, or delete SLA monitor objects.
Each SLA monitor represents a defined route that is periodically checked for
availability by sending ICMP echo requests and waiting for the response. If the
requests time out, the route is removed from the routing table and replaced with a
backup route.

Note

SLA monitors can only be configured for security appliances running PIX/ASA
version 7.2 or higher.
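The failover behaviour just described is governed by the Monitoring Options of the SLA Monitor Dialog Box (Table F-265, later in this section): Frequency in seconds (1 to 604800, default 60), Threshold and Time out in milliseconds (defaults 5000), Request Data Size in bytes (0 to 16384, default 28), with the threshold not exceeding the timeout and the timeout not exceeding the frequency. Only a missing reply within the timeout removes the static route; the threshold merely records an event. As an added example that is not Cisco code, the following Python checks those constraints and walks a constructed sequence of echo replies to show the difference between the two values. The names SlaMonitor, validate_sla and track_route are mine, and the per-probe route decision is a simplification of the device's tracking.

```python
# Added example (not Security Manager or ASA code): constraint check and a
# simplified failover model for the SLA monitor settings of Table F-265.
# Names are mine; the probe results fed to track_route are constructed.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SlaMonitor:
    monitor_id: int              # 1-2147483647
    frequency_s: int = 60        # seconds between echo requests, 1-604800
    threshold_ms: int = 5000     # rising-threshold value, 0-2147483647
    timeout_ms: int = 5000       # wait for a reply, 0-604800000
    data_size: int = 28          # echo request payload in bytes, 0-16384


def validate_sla(m: SlaMonitor) -> list[str]:
    """Return the problems the dialog's rules would flag (empty when acceptable)."""
    problems: list[str] = []
    if not 1 <= m.monitor_id <= 2147483647:
        problems.append("SLA Monitor ID must be 1-2147483647")
    if not 1 <= m.frequency_s <= 604800:
        problems.append("Frequency must be 1-604800 seconds")
    if not 0 <= m.threshold_ms <= 2147483647:
        problems.append("Threshold must be 0-2147483647 ms")
    if not 0 <= m.timeout_ms <= 604800000:
        problems.append("Timeout must be 0-604800000 ms")
    if not 0 <= m.data_size <= 16384:
        problems.append("Request Data Size must be 0-16384 bytes")
    if m.threshold_ms > m.timeout_ms:
        problems.append("threshold should not exceed timeout")
    if m.timeout_ms > m.frequency_s * 1000:   # frequency is in seconds, timeout in ms
        problems.append("timeout cannot exceed frequency")
    return problems


def track_route(m: SlaMonitor, reply_ms: list[Optional[int]]) -> list[tuple[str, bool]]:
    """For each probe (reply time in ms, None = no reply) return the route that is
    installed after it ('primary' or 'backup') and whether a rising-threshold
    event was raised. Only the timeout decides reachability; the threshold is
    informational, as the Threshold description says."""
    result: list[tuple[str, bool]] = []
    for rtt in reply_ms:
        reachable = rtt is not None and rtt <= m.timeout_ms
        over_threshold = reachable and rtt > m.threshold_ms
        result.append(("primary" if reachable else "backup", over_threshold))
    return result
```

A threshold set well below the timeout (for example 1000 ms against the default 5000 ms) produces events for slow but reachable links, which is the intended way to discover a realistic timeout before tightening it.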
Navigation Path

Open the Policy Object Manager Window, page F-3, then select SLA Monitors
from the Object Type selector.
Related Topics

Add/Edit Interface Dialog Box, page L-34

Static Route Page, page L-240

Policy Object Manager Window, page F-3

Policy Object Manager User Interface Reference, page F-1



Policy Object Manager Window Shortcut Menu, page F-9

Object Usage Window, page F-563

Field Reference
Table F-264

SLA Monitors Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the object.

Monitored Object

The address that is monitored for availability.

SLA Monitor ID

The ID number of the SLA monitoring process.

SLA Monitor Interface

The source interface for the ICMP echo requests that test the
availability of the monitored object.

Category

The category that is assigned to the object. See Categories Page,
page F-87.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.

Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the SLA Monitor Dialog Box, page F-477. From here you
can create an SLA monitor object.

Edit Object button

Opens the SLA Monitor Dialog Box, page F-477. From here you
can edit the selected SLA monitor object.

Delete Object button

Deletes the selected SLA monitor objects from the table.

Note: You cannot delete an object that is referenced by policies or
other objects.


SLA Monitor Dialog Box


Use the SLA Monitor dialog box to create, edit, and copy SLA monitor objects.
Navigation Path

Go to the SLA Monitors Page, page F-475 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Managing Existing Objects, page 8-9

Policy Object Manager Window, page F-3

Field Reference
Table F-265

SLA Monitor Dialog Box

Element

Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).

SLA Monitor ID

The ID number of the SLA operation. Valid values range from 1 to
2147483647. You can create a maximum of 2000 SLA operations.
Each ID number must be unique to the policy and the device
configuration.

Monitored Address

The IP address that is being monitored for availability by the SLA
operation.

Interface

The interface whose address is used as the source of all ICMP echo
requests sent to the monitored address to test its availability.
Enter the name of an interface or interface role, or click Select to
display an object selector.
Tip

If the interface role you want is not listed, click the Create
button or the Edit button in the selector to display the
Interface Role Dialog Box, page F-419. From here you can
define an interface role object.


Category

The category assigned to the object. Categories help you organize
and identify rules and objects. See Categories Page, page F-87.

Monitoring Options settings

Frequency

The frequency of ICMP echo request transmissions, in seconds.
Valid values range from 1 to 604800 seconds (7 days). The default
is 60 seconds.

Threshold

The round-trip time, in milliseconds, beyond which a response to an
ICMP echo request is recorded as a rising-threshold event. Valid values
range from 0 to 2147483647 milliseconds. The default is
5000 milliseconds.
The threshold value is used only to flag events that exceed the
defined value. You can use these events to evaluate the proper
timeout value. It is not a direct indicator of the reachability of the
monitored address.
Note: The threshold value should not exceed the timeout value.

Time out

The amount of time that the SLA operation waits for a response to
the ICMP echo requests, in milliseconds. Valid values range from 0
to 604800000 milliseconds (7 days). The default is
5000 milliseconds.
If a response is not received from the monitored address within the
amount of time defined in this field, the static route is removed from
the routing table and replaced by the backup route.
Note: The timeout value cannot exceed the frequency value. Frequency
is expressed in seconds and the timeout in milliseconds, so compare
them in the same unit (the default 60-second frequency permits a
timeout of up to 60000 milliseconds).

Request Data Size

The size of the ICMP request packet payload, in bytes. Valid values
range from 0 to 16384 bytes. The default is 28 bytes. Do not set this
value higher than the maximum allowed by the protocol or the Path
Maximum Transmission Unit (PMTU).
Note: For purposes of reachability, it may be necessary to increase
the default data size to detect PMTU changes between the
source and the target. A low PMTU can affect session
performance and, if detected, may indicate that the
secondary path should be used.


ToS

The type of service (ToS) value set in the IP header of the ICMP
request packet. Valid values range from 0 to 255. The default is 0.
This field carries information such as delay, precedence, and
reliability. It can be used by other devices on the network
for policy routing and features such as Committed Access Rate.

Number of Packets

The number of packets that are sent during an SLA operation. Valid
values range from 1 to 100. The default is 1 packet.
Tip: Increase the default number of packets if you are concerned
that packet loss may falsely cause the security appliance to
believe that the monitored address cannot be reached.

SLA Monitor dialog box buttons

OK button

Saves your changes to the server and closes the dialog box.
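The following is an added example, not code from the Cisco Security Manager guide. It checks an SLA monitor object against the field ranges and the two ordering rules documented in the table above (Threshold must not exceed Timeout, and Timeout must not exceed Frequency once both are in milliseconds), then renders the ASA commands that such an object and a tracked static route imply. The ASA command syntax (sla monitor, track ... rtr, route ... track), the interface names and the gateway addresses are assumptions; none of them appear on this page.

```python
"""Validate the fields of an SLA Monitor object and render the ASA CLI.

Added example, not part of the Cisco Security Manager guide. Field ranges
and the two ordering rules (Threshold <= Timeout, Timeout <= Frequency)
are taken from the SLA Monitor dialog box reference. The ASA command
syntax (sla monitor / track / route ... track) is assumed from the ASA CLI
and is not shown on this page.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List


@dataclass
class SlaMonitor:
    sla_id: int
    monitored_address: str
    interface: str               # device interface name, e.g. "outside"
    frequency: int = 60          # seconds between echo requests
    threshold: int = 5000        # ms; rising-threshold event, not reachability
    timeout: int = 5000          # ms; no reply within this => target unreachable
    request_data_size: int = 28  # ICMP payload bytes
    tos: int = 0
    num_packets: int = 1

    def validate(self) -> List[str]:
        """Return the list of violated constraints (empty if valid)."""
        p = []
        if not 1 <= self.sla_id <= 2147483647:
            p.append("SLA Monitor ID must be 1 to 2147483647")
        try:
            ip_address(self.monitored_address)
        except ValueError:
            p.append("Monitored Address must be an IP address")
        if not 1 <= self.frequency <= 604800:
            p.append("Frequency must be 1 to 604800 seconds")
        if not 0 <= self.threshold <= 2147483647:
            p.append("Threshold must be 0 to 2147483647 ms")
        if not 0 <= self.timeout <= 604800000:
            p.append("Timeout must be 0 to 604800000 ms")
        if not 0 <= self.request_data_size <= 16384:
            p.append("Request Data Size must be 0 to 16384 bytes")
        if not 0 <= self.tos <= 255:
            p.append("ToS must be 0 to 255")
        if not 1 <= self.num_packets <= 100:
            p.append("Number of Packets must be 1 to 100")
        # The two Notes in the table. Frequency is in seconds, the other two
        # values in milliseconds, so compare in a common unit.
        if self.threshold > self.timeout:
            p.append("Threshold must not exceed Timeout")
        if self.timeout > self.frequency * 1000:
            p.append("Timeout must not exceed Frequency")
        return p

    def render(self, track_id: int, primary_gw: str, backup_gw: str,
               backup_interface: str, backup_metric: int = 254) -> str:
        """Render the monitor plus a tracked default route and its backup.

        When echo replies stop arriving within `timeout`, the tracked route
        is withdrawn and the higher-metric backup route takes over.
        """
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        lines = [
            f"sla monitor {self.sla_id}",
            f" type echo protocol ipIcmpEcho {self.monitored_address} "
            f"interface {self.interface}",
            f" num-packets {self.num_packets}",
            f" request-data-size {self.request_data_size}",
            f" tos {self.tos}",
            f" timeout {self.timeout}",
            f" threshold {self.threshold}",
            f" frequency {self.frequency}",
            f"sla monitor schedule {self.sla_id} life forever start-time now",
            f"track {track_id} rtr {self.sla_id} reachability",
            f"route {self.interface} 0.0.0.0 0.0.0.0 {primary_gw} 1 track {track_id}",
            f"route {backup_interface} 0.0.0.0 0.0.0.0 {backup_gw} {backup_metric}",
        ]
        return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical object: monitor the primary gateway with three probes per run.
    mon = SlaMonitor(sla_id=1, monitored_address="198.51.100.1",
                     interface="outside", num_packets=3)
    print(mon.render(track_id=1, primary_gw="198.51.100.1",
                     backup_gw="203.0.113.1", backup_interface="backup"))
```

Running validate() before deployment catches the case the Notes warn about: a short frequency combined with the default 5000 ms timeout fails the Timeout versus Frequency rule even though each value is individually in range.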

Style Objects Page


Style objects define text style elements, including font family, style,
weight, and size, foreground and background color swatches, and a preview
of the result. Style objects can be reused when you configure
customization objects.
Use the Style Objects page to view, create, edit, or delete Style objects.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select Style Objects
from the Object Type selector.
Related Topics

Understanding Style Objects, page 8-169

Policy Object Manager Window, page F-3

Policy Object Manager Window: Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563


Field Reference
Table F-266

Style Objects Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the Style object. Names can be sorted in ascending or
descending order.

Content

The font properties, such as style and size, and the foreground and
background colors as comma-separated RGB values.
The RGB format is R,G,B, where each value is a decimal number from 0 to
255 giving the intensity of red, green, and blue respectively; for
example, 0,0,0 is black and 255,255,255 is white.

Category

The category that is assigned to the object. See Understanding
Category Objects, page 8-48.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Style Objects Dialog Box, page F-481. From here you
can create a style object.

Edit Object button

Opens the Style Objects Dialog Box, page F-481. From here you
can edit the selected style object.
Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected style objects from the table.
Note: You cannot delete an object that is referenced by policies or
other objects.


Style Objects Dialog Box


Use the Style Objects dialog box to create, copy, and edit Style objects.
Navigation Path

Go to the Style Objects Page, page F-479 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Style Objects Page, page F-479

Creating Style Objects, page 8-170

Policy Object Manager Window, page F-3

Field Reference
Table F-267

Style Objects Dialog Box

Element

Description

Name

The style object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the style object (up to 1024
characters).

Font settings

Name

Select a name for the font from the list of font families.

Size

Select a size for the font from the list of font sizes.

Style

Select a style for the font from the list of font styles.

Weight

Select a weight for the font from the list of font weights.

Color settings

Foreground

Click Select to open the Select Color dialog box from which you
can select a different foreground color for the font. For more
information, see Select Color Dialog Box, page B-17.

Background

Click Select to open the Select Color dialog box from which you
can select a different background color for the font. For more
information, see Select Color Dialog Box, page B-17.

Preview

Displays sample text ("This is preview") rendered with the selected
font and colors.

Category

Provides an intermediate level of detail to objects and helps you
readily identify rules and objects by use of color-coding. See
Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

Text Objects Page


Text objects are a type of policy object variable that consists of a
name and value pair. The value can be a single string, a list of
strings, or a table of strings. You can enter any type of textual data
to be referenced and acted upon by FlexConfigs.
Use the Text Objects page to create, edit, delete, duplicate, find
usages of, and view text objects. You can also edit device overrides
from this page.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select Text Objects
from the Object Type selector.
Related Topics

Object Type Selector, page F-4

Filtering Tables, page 3-24

Understanding Text Objects, page 8-171

Chapter 19, Managing FlexConfigs

Policy Object Manager Window: Shortcut Menu, page F-9

Policy Object Overrides Window, page F-565

Object Usage Window, page F-563


Field Reference
Table F-268

Text Objects Page

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

Name of the object (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Category

Category assigned to the object. See Understanding Category
Objects, page 8-48.

Overridable

Indicates whether the global object definition can be overridden by
object values defined at device level. See Allowing a Global Object
to Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Text Object Dialog Box, page F-484. From here you can
create a text object.

Edit Object button

Opens the Text Object Dialog Box, page F-484. From here you can
edit the selected text object.
Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected text objects from the table.
Note: You cannot delete an object that is referenced by policies or
other objects.


Text Object Dialog Box


Use the Text Object dialog box to create, edit, duplicate, and view text objects.
Navigation Path

Go to the Text Objects Page, page F-482 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating Text Objects, page 8-172

Understanding Text Objects, page 8-171

Chapter 19, Managing FlexConfigs

Field Reference
Table F-269

Text Object Dialog Box

Element

Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).

Dimension

The structure of the data in the variable. Valid values are as follows:

0: scalar (a single string)

1: one-dimensional array (a list of strings)

2: two-dimensional table (a table of strings)

Number of Rows

The number of data rows in the variable. This field is enabled only
when the Dimension is 1 or 2.

Number of Columns

The number of data columns in the variable. This field is enabled
only when the Dimension is 2.

[text field]

The content of the text object. Click the cell, then enter the data.

Category

The category assigned to the object. Categories help you organize
and identify rules and objects. See Categories Page, page F-87.


Allow Value Override per Device

When selected, allows the global object definition defined here to
be changed at the device level. See Allowing a Global Object to Be
Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.
Tip: When editing a text object that can be overridden, click the
Edit button to display the Policy Object Overrides Window,
page F-565. From here you can create, edit, and view device-level
overrides.

OK button

Saves your changes to the server and closes the dialog box.

Time Ranges Page


Use the Time Ranges page to view, create, edit, or delete time range objects. A
time range object is a defined period of time that can be used when creating
time-based ACLs and inspection rules, or when configuring VPN access in ASA
user group objects.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select Time Ranges
from the Object Type selector.
Related Topics

Understanding Time Range Objects, page 8-173

Policy Object Manager Window, page F-3

Policy Object Manager Window: Shortcut Menu, page F-9

Adding Access Rules, page 12-61

Creating ASA User Group Objects, page 8-45

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563


Field Reference
Table F-270

Time Ranges Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the object.

Start Time

The start time of the time range.

End Time

The end time of the time range.

Recurring Ranges

Distinct, recurring time intervals that are defined between the start
time and end time.

Category

The category that is assigned to the object. See Categories Page,
page F-87.

Description

Displays an icon if a description is defined for the object. Point at
the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button

Opens the Time Range Dialog Box, page F-487. From here you can
create a time range object.

Edit Object button

Opens the Time Range Dialog Box, page F-487. From here you can
edit the selected time range object.
Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected time range objects from the table.
Note: You cannot delete an object that is referenced by policies or
other objects.


Time Range Dialog Box


Use the Time Range dialog box to create, edit, or copy a time range object.
Navigation Path

Go to the Time Ranges Page, page F-485 in the Policy Object Manager Window,
page F-3, then click New Object or Edit Object beneath the table.
Related Topics

Creating Time Range Objects, page 8-174

Understanding Time Range Objects, page 8-173

Policy Object Manager Window, page F-3

Field Reference
Table F-271

Time Range Dialog Box

Element

Description

Name

The object name (up to 128 characters). Object names are not
case-sensitive. For more information, see Guidelines for Managing
Objects, page 8-4.

Description

Additional information about the object (up to 1024 characters).

Start Time

The start time for the time range object:

Start Now: Defines the time of deployment as the start time.

Start At: Enables you to define a specific start date and time.
Click the calendar icon to display a tool for selecting the date.
Enter the start time in the Time field using the format HH:MM.

End Time

The end time for the time range object:

Never End: Causes the time range to continue indefinitely.

End At: Enables you to define a specific end date and time.
Click the calendar icon to display a tool for selecting the date.
Enter the end time in the Time field using the format HH:MM.

Recurring Ranges

Enables you to optionally define recurring time periods between the
start time and end time during which the time range object should
apply. See Recurring Ranges Dialog Box, page F-488.

Category

The category assigned to the object. Categories help you organize
and identify rules and objects. See Categories Page, page F-87.

OK button

Saves your changes to the server and closes the dialog box.

Recurring Ranges Dialog Box


Use the Recurring Ranges dialog box to add or edit recurring time intervals that
are defined as part of a time range object. You can define as many recurring ranges
as required.
Navigation Path

Go to the Time Range Dialog Box, page F-487, then click the New Recurring
Range button under Recurring Ranges.
Related Topics

Creating Time Range Objects, page 8-174

Understanding Time Range Objects, page 8-173

Time Ranges Page, page F-485


Field Reference
Table F-272

Recurring Ranges Dialog Box

Element

Description

Specify days of the week and times during which this recurring range
will be active

Enables you to define a recurring range that is based on specific
days (and optionally, times) of the week.

Days of the week

The type of day-based recurring range:

Every day

Weekdays

Weekends

On these days of the week: Enables you to select specific days
of the week to include in the recurring range.

Daily Start Time

Enables you to define a specific start time for the recurring range.
The default start time is midnight.

Daily End Time

Enables you to define a specific end time for the recurring range.
The default end time is midnight.

Specify a weekly interval during which this recurring range will be
active

Enables you to define a recurring range that is based on a specific
interval that falls between the start time and end time.

Weekly Interval

The start day/time and the end day/time for the weekly interval.

OK button

Saves your changes to the server and closes the dialog box.
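The following is an added example, not code from the Cisco Security Manager guide. It models the Time Range dialog box (Start Now or Start At, Never End or End At) together with the two kinds of recurring range from the Recurring Ranges dialog box (days of the week with a daily start and end time, and a weekly interval from one day/time to another), validates the HH:MM times and day names, and renders the ASA time-range commands such an object implies. The ASA command syntax (time-range, absolute, periodic), the object name ChangeWindow, and the rendering of a midnight end time as 23:59 are assumptions not taken from this page.

```python
"""Build a time range object and render it as an ASA time-range.

Added example; not from the Cisco Security Manager guide. The fields follow
the Time Range and Recurring Ranges dialog boxes. The ASA command syntax
(time-range / absolute / periodic) is assumed from the ASA CLI and does not
appear on this page.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Sequence

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday",
        "saturday", "sunday")
# "Every day", "Weekdays" and "Weekends" in the dialog box
DAY_SETS = ("daily", "weekdays", "weekend")
HHMM = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")


def _check_hhmm(value: str) -> str:
    if not HHMM.match(value):
        raise ValueError(f"time {value!r} must use the format HH:MM")
    return value


@dataclass
class DayRange:
    """Days of the week with a daily start and end time."""
    days: Sequence[str]   # ("weekdays",) or named days such as ("monday", "friday")
    start: str = "00:00"  # dialog default: midnight
    end: str = "23:59"    # assumption: an end time of midnight is rendered as 23:59

    def render(self) -> str:
        for d in self.days:
            if d not in DAYS and d not in DAY_SETS:
                raise ValueError(f"unknown day {d!r}")
        if len(self.days) > 1 and any(d in DAY_SETS for d in self.days):
            raise ValueError("daily/weekdays/weekend cannot be combined with named days")
        if _check_hhmm(self.start) >= _check_hhmm(self.end):
            raise ValueError("daily start time must be earlier than daily end time")
        return f" periodic {' '.join(self.days)} {self.start} to {self.end}"


@dataclass
class WeeklyInterval:
    """One continuous interval from a start day/time to an end day/time."""
    start_day: str
    start: str
    end_day: str
    end: str

    def render(self) -> str:
        for d in (self.start_day, self.end_day):
            if d not in DAYS:
                raise ValueError(f"unknown day {d!r}")
        _check_hhmm(self.start)
        _check_hhmm(self.end)
        return f" periodic {self.start_day} {self.start} to {self.end_day} {self.end}"


def _absolute(dt: datetime) -> str:
    # ASA/IOS absolute time format: HH:MM day Month year, e.g. "08:00 1 January 2024"
    return f"{dt:%H:%M} {dt.day} {dt:%B} {dt.year}"


def render_time_range(name: str, start: Optional[datetime] = None,
                      end: Optional[datetime] = None,
                      recurring: Sequence = ()) -> str:
    """start=None means Start Now; end=None means Never End."""
    if start and end and start >= end:
        raise ValueError("end time must be later than start time")
    lines = [f"time-range {name}"]
    if start or end:
        parts = []
        if start:
            parts.append(f"start {_absolute(start)}")
        if end:
            parts.append(f"end {_absolute(end)}")
        lines.append(" absolute " + " ".join(parts))
    lines.extend(r.render() for r in recurring)
    return "\n".join(lines)


def example_change_window() -> str:
    """Hypothetical object: business hours during 2024 plus a weekend window."""
    return render_time_range(
        "ChangeWindow",
        start=datetime(2024, 1, 1, 8, 0), end=datetime(2024, 12, 31, 17, 0),
        recurring=[DayRange(("weekdays",), "08:00", "17:00"),
                   WeeklyInterval("friday", "22:00", "monday", "06:00")])


if __name__ == "__main__":
    print(example_change_window())
```

A recurring range only narrows the absolute window; a periodic entry outside the absolute start and end dates never becomes active, which is why the absolute and periodic statements are rendered together.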

Traffic Flows Page


Use the Traffic Flows page to define traffic classifications. Each
traffic flow object corresponds to a class map. On devices that use the
Modular Policy CLI (MPC) to configure network policies, the class-map
command defines traffic classifications; the Traffic Flow object
simplifies the implementation of MPC rules.


Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector.
Related Topics

Creating Traffic Flow Objects, page 8-176

Understanding the Policy Object Manager Window, page 8-5

Policy Object Manager Window: Shortcut Menu, page F-9

Object Usage Window, page F-563

Field Reference
Table F-273

Traffic Flows Page

Element

Description

Filter

Filters the information displayed in the table. Click the arrow to display the
filtering bar, which enables you to set filtering parameters. See Filtering
Tables, page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star indicate
user-defined objects that may be modified. Icons without a star indicate
predefined objects that cannot be modified.

Name

Specifies the class map name. Object names are not case sensitive. The first
character of the name must be a letter. The remaining characters can be
letters and numbers. Spaces are permitted, as are the following special
characters: hyphens (-), underscores (_), periods (.), and plus signs (+). The
maximum length is 40 characters.

Match Type

Shows the match type selected, for example, RTP Range and Tunnel Group.

Match Value

Shows the value used for the match type selected.

Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.


Description

Displays an icon if a description is defined for the object. Point at the icon
to display a tooltip with the text of the description. Descriptions help you
identify a policy.
Tip: Double-click the icon to display the text of the description in a
popup window.

New Object button

Enables you to create an object. See Creating Traffic Flow Objects,
page 8-176.

Edit button

Opens the appropriate object page for the selected object, enabling you to
edit object settings. See Editing Objects, page 8-10.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or
nested within another object, you are prompted to modify or delete the
reference before the deletion can occur. See Deleting Objects, page 8-11.
Note: An object that is still used in a rule or within another object
cannot be deleted.

Add and Edit Traffic Flow Dialog Boxes


Use the Add and Edit Traffic Flow dialog boxes to configure the traffic match type.

Note

The same dialog box is used for adding and editing Traffic Flows objects.
Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object.
Related Topics

Understanding Access Control List Objects, page 8-31

Creating Traffic Flow Objects, page 8-176


Field Reference
Table F-274

Add and Edit Traffic Flow Dialog Boxes

Element (1)

Description

Name*

Identifies the name of the class map. A maximum of 40 characters is
allowed. The name space for class maps is local to a security context.
Therefore, the same name may be used in multiple security contexts. The
maximum number of class maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum
of 1024 characters is allowed.

Traffic Match Type*

Any Traffic: Matches any traffic.

Source and Destination IP Address (access-list): Matches a
predefined access list in the system. Uses Access Control Lists objects.
For a description of the GUI elements, see Table F-275.

Default Inspection Traffic: Matches default inspection traffic. For a
list of default settings, see Table F-276.

Default Inspection Traffic with access list: Matches default inspection
traffic and uses Access Control Lists objects. For a description of the
GUI elements, see Table F-277.

TCP or UDP Destination Port: Specifies a single port value or range
of port values associated with the traffic flow. Values are 0 to 65535.
For a description of the GUI elements, see Table F-278.

RTP Range: Matches a range of UDP destination ports given as a lower
bound (2000 to 65535) and a range size (0 to 16383). For a description
of the GUI elements, see Table F-279.

Tunnel Group: Matches the destination address based on flows of
VPN tunnels belonging to a tunnel group. For a description of the GUI
elements, see Table F-280.

IP Precedence Bits: Matches precedence. A maximum of
4 IP precedence values can be used. For a description of the GUI
elements, see Table F-281.

IP DiffServ CodePoints (DSCP) Values: Matches DSCP traffic. One
or more values can be matched. Differentiated services codepoint
values are 0 to 63. A maximum of 7 DSCP values can be used. For a
description of the GUI elements, see Table F-282.


Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.
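The following is an added example, not code from the Cisco Security Manager guide. It takes the nine traffic match types of the Add and Edit Traffic Flow dialog box, enforces the limits the tables above state (class-map name rules and 40-character maximum, ports 0 to 65535, RTP lower bound 2000 to 65535 with a range of 0 to 16383, at most 4 precedence values, DSCP values 0 to 63 with at most 7 of them), and renders the ASA class-map that the object maps to. The ASA class-map and match command syntax, the IP precedence range of 0 to 7 (a 3-bit field), and the sample names and ACL names are assumptions; none of them appear on this page.

```python
"""Validate a Traffic Flow object and render the ASA class-map it maps to.

Added example, not from the Cisco Security Manager guide. The match types,
value ranges and the class-map naming rules follow the Traffic Flows page
and the Add and Edit Traffic Flow dialog box reference; the ASA class-map /
match command syntax is assumed from the ASA CLI and is not shown on this page.
"""
import re
from typing import Sequence

# First character a letter; letters, digits, space, hyphen, underscore,
# period and plus sign allowed; 40 characters maximum.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 ._+-]{0,39}$")


def _check_name(name: str) -> str:
    if not NAME_RE.match(name):
        raise ValueError(f"invalid class-map name {name!r}")
    return name


def _check_values(values: Sequence[int], lo: int, hi: int,
                  limit: int, what: str) -> Sequence[int]:
    """Require 1..limit integers, each within lo..hi inclusive."""
    if not values or len(values) > limit:
        raise ValueError(f"{what}: between 1 and {limit} values required")
    for v in values:
        if not lo <= v <= hi:
            raise ValueError(f"{what}: {v} is outside {lo} to {hi}")
    return values


def render_traffic_flow(name: str, match_type: str, **kw) -> str:
    """Return the class-map for one Traffic Flow object.

    match_type is one of: any, acl, default_inspection, default_inspection_acl,
    port, rtp, tunnel_group, precedence, dscp (the nine dialog box choices).
    """
    lines = [f"class-map {_check_name(name)}"]
    if kw.get("description"):
        if len(kw["description"]) > 1024:
            raise ValueError("description exceeds 1024 characters")
        lines.append(f" description {kw['description']}")
    if match_type == "any":
        lines.append(" match any")
    elif match_type == "acl":
        lines.append(f" match access-list {kw['acl']}")
    elif match_type == "default_inspection":
        lines.append(" match default-inspection-traffic")
    elif match_type == "default_inspection_acl":
        # Both statements: traffic must match the default ports AND the ACL.
        lines.append(" match default-inspection-traffic")
        lines.append(f" match access-list {kw['acl']}")
    elif match_type == "port":
        proto = kw["protocol"]
        if proto not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        lo, hi = kw["port_range"]
        _check_values((lo, hi), 0, 65535, 2, "port")
        if lo > hi:
            raise ValueError("port range start exceeds end")
        lines.append(f" match port {proto} eq {lo}" if lo == hi
                     else f" match port {proto} range {lo} {hi}")
    elif match_type == "rtp":
        port, = _check_values((kw["rtp_port"],), 2000, 65535, 1, "RTP port")
        rng, = _check_values((kw["rtp_range"],), 0, 16383, 1, "RTP range")
        lines.append(f" match rtp {port} {rng}")
    elif match_type == "tunnel_group":
        lines.append(f" match tunnel-group {kw['tunnel_group']}")
    elif match_type == "precedence":
        # IP precedence is a 3-bit field (0 to 7); the dialog allows up to 4 values.
        vals = _check_values(kw["values"], 0, 7, 4, "IP precedence")
        lines.append(" match precedence " + " ".join(map(str, vals)))
    elif match_type == "dscp":
        vals = _check_values(kw["values"], 0, 63, 7, "DSCP")
        lines.append(" match dscp " + " ".join(map(str, vals)))
    else:
        raise ValueError(f"unknown match type {match_type!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical objects, one per match family.
    print(render_traffic_flow("web-in", "port", protocol="tcp", port_range=(80, 80)))
    print(render_traffic_flow("voice", "rtp", rtp_port=16384, rtp_range=16383))
    print(render_traffic_flow("insp", "default_inspection_acl", acl="INSPECT_ACL",
                              description="default inspection, DMZ only"))
```

The validation deliberately fails closed: a class map whose name violates the device rules, or whose value list exceeds the documented maximum, would otherwise be rejected only at deployment time, after the policy has already been committed in the manager.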

Add and Edit Traffic Flow > Source and Destination IP Address (access-list)
Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select Source and Destination
IP Address (access-list) as the Traffic Match Type.
Related Topics

Policy Object Manager: Filtering Bar, page 8-7

Creating Traffic Flow Objects, page 8-176

Field Reference
Table F-275

Add and Edit Traffic Flow > Source and Destination IP Address
(access-list)

Element (1)

Description

Name*

Specifies the name of the class map. A maximum of 40 characters is
allowed. The name space for class maps is local to a security context.
Therefore, the same name may be used in multiple security contexts. The
maximum number of class maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum
of 1024 characters is allowed.

Traffic Match Type*

Shows Source and Destination IP Address (access-list) as the selected
match type.


Available ACL(s)

Enables you to select from a list of available extended access control lists
that have been defined. You can click the Create button to create a new
extended access list.

Filter

Enables you to apply a filter to the list of available objects or open the
Create Filter Dialog Box: Object Selectors, page F-561. From here, you
can create a filter.

Selected

Displays the selected extended ACL object.

Create button

Enables you to create an object. See Creating Extended Access Control List
Objects, page 8-36.

Edit button

Opens the appropriate object page for the selected object, enabling you to
edit object settings. See Editing Objects, page 8-10.

Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Default Inspection Traffic


Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select Default Inspection Traffic as
the Traffic Match Type.
Related Topics

Creating Traffic Flow Objects, page 8-176


Field Reference
Table F-276

Default Inspection Traffic

Protocol              Port(s)
ctiqbe (TCP)          2748
cuseeme (UDP)         7648
DNS (UDP)             53
FTP (TCP)             21
GTP (UDP)             2123, 3386
h323, h225 (TCP)      1720
h323 ras (UDP)        1718, 1719
HTTP (TCP)            80
ICMP                  icmp (no port)
ils (TCP)             389
MGCP (UDP)            2427, 2727
netbios (UDP)         137, 138
rpc (UDP)             111
rsh (TCP)             514
RTSP (TCP)            554
SIP (TCP)             5060
SIP (UDP)             5060
skinny (TCP)          2000
SMTP (TCP)            25
sqlnet (TCP)          1521
TFTP (UDP)            69
XDMCP (UDP)           177


Add and Edit Traffic Flow > Default Inspection Traffic with Access Lists
Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select Default Inspection Traffic with
Access Lists as the Traffic Match Type.
Related Topics

Policy Object Manager: Filtering Bar, page 8-7

Creating Traffic Flow Objects, page 8-176

Field Reference
Table F-277

Add and Edit Traffic Flow > Default Inspection Traffic With Access List

Element (1)

Description

Name*

Specifies the name of the class map. A maximum of 40 characters is
allowed. The name space for class maps is local to a security context.
Therefore, the same name may be used in multiple security contexts. The
maximum number of class maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum
of 1024 characters is allowed.

Traffic Match Type*

Shows Default Inspection Traffic with access-list as the selected match
type.

Available ACL(s)

Enables you to select from a list of available extended access control lists
that have been defined. You can click the Create button to create a new
extended access list.

Filter

Enables you to apply a filter to the list of available objects or open the
Create Filter Dialog Box: Object Selectors, page F-561. From here, you
can create a filter.

Selected

Displays the selected extended ACL object.

Create button

Enables you to create an object. See Creating Extended Access Control List
Objects, page 8-36.

Edit button

Opens the appropriate object page for the selected object, enabling you to
edit object settings. See Editing Objects, page 8-10.


Category

Provides an intermediate level of detail to objects and helps you readily
identify rules and objects by use of color-coding. See Understanding
Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit Traffic Flow > TCP or UDP Destination Port
Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select TCP or UDP Destination Port
as the Traffic Match Type.
Related Topics

Creating Traffic Flow Objects, page 8-176

Understanding Category Objects, page 8-48

Field Reference
Table F-278

Add and Edit Traffic Flow > TCP or UDP Destination Port

Element (1)

Description

Name*

Specifies the name of the class map. A maximum of 40 characters is
allowed. The name space for class maps is local to a security context.
Therefore, the same name may be used in multiple security contexts. The
maximum number of class maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum
of 1024 characters is allowed.

Traffic Match Type*

Shows TCP or UDP Destination Port as the selected match type.


Table F-278    Add and Edit Traffic Flow > TCP or UDP Destination Port (continued)

Element¹    Description

Protocol

The transport protocol of the destination port: TCP or UDP.

TCP/UDP Port or Port Range*

Specifies a single port value or range of port values associated with the traffic flow. Values are 0 to 65535.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.

Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit Traffic Flow > RTP Range


Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select RTP Range as the Traffic Match
Type.
Related Topics

Creating Traffic Flow Objects, page 8-176

Understanding Category Objects, page 8-48


Field Reference

Table F-279    Add and Edit Traffic Flow > RTP Range

Element¹    Description

Name*

Specifies the name of the class map. A maximum of 40 characters is allowed. The name space for class-map is local to a security context. Therefore, the same name may be used in multiple security contexts. The maximum number of class-maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

Traffic Match Type*

Shows RTP Range as the selected match type.

RTP Port

Matches the lower bound of UDP destination ports (2000 to 65535).

RTP Range

Matches the range of UDP ports (0 to 16383) that begins at the RTP Port value.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.

Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit Traffic Flow > Tunnel Group


Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select Tunnel Group as the Traffic
Match Type.

Tip

You can use FlexConfig objects and policies to predefine a VPN tunnel
group on a PIX device. For more information, see Understanding
FlexConfig Objects, page 8-52.


Related Topics

Creating Traffic Flow Objects, page 8-176

Field Reference

Table F-280    Add and Edit Traffic Flow > Tunnel Group

Element¹    Description

Name*

Specifies the name of the class map. A maximum of 40 characters is allowed. The name space for class-map is local to a security context. Therefore, the same name may be used in multiple security contexts. The maximum number of class-maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

Traffic Match Type*

Shows Tunnel Group as the selected match type.

Tunnel group name*

Lists available tunnel groups.

Match Flow IP Destination Address

When selected, also matches on the IP destination address of each flow within the selected tunnel group.


Table F-280    Add and Edit Traffic Flow > Tunnel Group (continued)

Element¹    Description

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.

Note: No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit Traffic Flow > IP Precedence Bits


Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select IP Precedence Bits as the
Traffic Match Type.
Related Topics

Creating Traffic Flow Objects, page 8-176

Understanding IP Precedence Bits, page 8-178

Field Reference

Table F-281    Add and Edit Traffic Flow > IP Precedence Bits

Element¹    Description

Name*

Identifies the name of the class map. A maximum of 40 characters is allowed. The name space for class-map is local to a security context. Therefore, the same name may be used in multiple security contexts. The maximum number of class-maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

Traffic Match Type*

Shows IP Precedence Bits as the selected match type.


Table F-281    Add and Edit Traffic Flow > IP Precedence Bits (continued)

Element¹    Description

Available IP Precedence

Lists available values used to match traffic flow. Up to four IP precedence values can be used.

Routine

Matches packets with routine precedence (0).

Priority

Matches packets with priority precedence (1).

Immediate

Matches packets with immediate precedence (2).

Flash

Matches packets with flash precedence (3).

Flash-override

Matches packets with flash override precedence (4).

Critical

Matches packets with critical precedence (5).

Internet

Matches packets with internetwork control precedence (6).

Network

Matches packets with network control precedence (7).

>> button

Moves your selection to the Match on IP Precedence column.

<< button

Moves your selection from the Match on IP Precedence column.

Match on IP Precedence

Displays selected values used to match traffic flow.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.

Note: No commands are generated for the category attribute.

OK

Saves your settings and closes the dialog box.

1. An asterisk indicates that the field is required.

Add and Edit Traffic Flow > IP DiffServe CodePoints (DSCP) Values
Navigation Path

Select Tools > Policy Object Manager, then select Traffic Flows from the
Object Type selector. Right-click inside the work area, then select New Object or
right-click a row, then select Edit Object. Select IP DiffServe CodePoints
(DSCP) Values as the Traffic Match Type.
Related Topics

Creating Traffic Flow Objects, page 8-176


Field Reference

Table F-282    Add and Edit Traffic Flow > IP DiffServe CodePoints (DSCP) Values

Value    Description

Name*

Identifies the name of the class map. A maximum of 40 characters is allowed. The name space for class-map is local to a security context. Therefore, the same name may be used in multiple security contexts. The maximum number of class-maps per security context is 255.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

Traffic Match Type*

Shows IP DiffServe CodePoints (DSCP) Values as the selected match type.

af11

Matches packets with AF11 dscp (001010).

af12

Matches packets with AF12 dscp (001100).

af13

Matches packets with AF13 dscp (001110).

af21

Matches packets with AF21 dscp (010010).

af22

Matches packets with AF22 dscp (010100).

af23

Matches packets with AF23 dscp (010110).

af31

Matches packets with AF31 dscp (011010).

af32

Matches packets with AF32 dscp (011100).

af33

Matches packets with AF33 dscp (011110).

af41

Matches packets with AF41 dscp (100010).

af42

Matches packets with AF42 dscp (100100).

af43

Matches packets with AF43 dscp (100110).

cs1

Matches packets with CS1 (precedence 1) dscp (001000).

cs2

Matches packets with CS2 (precedence 2) dscp (010000).

cs3

Matches packets with CS3 (precedence 3) dscp (011000).

cs4

Matches packets with CS4 (precedence 4) dscp (100000).

cs5

Matches packets with CS5 (precedence 5) dscp (101000).

cs6

Matches packets with CS6 (precedence 6) dscp (110000).

cs7

Matches packets with CS7 (precedence 7) dscp (111000).

default

Matches packets with default dscp (000000).



Table F-282    Add and Edit Traffic Flow > IP DiffServe CodePoints (DSCP) Values (continued)

Value    Description

ef

Matches packets with EF dscp (101110).

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 8-48.

Note: No commands are generated for the category attribute.

OK

Saves your settings and closes the dialog box.
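The constraints that Tables F-277 to F-282 state for Traffic Flow objects (the 40-character class-map name, the 255 class maps per security context with a name space that is local to the context, the 0 to 65535 port range, the 2000 to 65535 RTP lower bound with a 0 to 16383 span, the limit of four IP precedence values, and the DSCP names with their 6-bit values) can be checked before an object is deployed. The following Python is an added example, not Security Manager code: it validates an object against those limits and renders it as ASA class-map lines. The class-map / match syntax it emits, the field names of the TrafficFlow class, and the sample objects in its checks are assumptions of this example; the page does not show the commands that Security Manager generates.

```python
"""Check Traffic Flow (class-map) objects against the limits stated in
Tables F-277 to F-282 and render them as ASA class-map lines. Added example,
not Security Manager code: the 'class-map' / 'match ...' syntax emitted by
render() is an assumption about the device CLI, not output shown on this page."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_NAME_LEN, MAX_CLASS_MAPS_PER_CONTEXT = 40, 255
DSCP_VALUES = {  # names and 6-bit values from Table F-282
    "af11": 0b001010, "af12": 0b001100, "af13": 0b001110,
    "af21": 0b010010, "af22": 0b010100, "af23": 0b010110,
    "af31": 0b011010, "af32": 0b011100, "af33": 0b011110,
    "af41": 0b100010, "af42": 0b100100, "af43": 0b100110,
    "cs1": 0b001000, "cs2": 0b010000, "cs3": 0b011000, "cs4": 0b100000,
    "cs5": 0b101000, "cs6": 0b110000, "cs7": 0b111000,
    "default": 0b000000, "ef": 0b101110}
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,  # Table F-281
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
MATCH_TYPES = ("default-inspection-acl", "destination-port", "rtp-range",
               "tunnel-group", "precedence", "dscp")


@dataclass
class TrafficFlow:
    name: str
    match_type: str                   # one of MATCH_TYPES
    acl: Optional[str] = None         # default-inspection-acl: extended ACL name
    protocol: str = "tcp"             # destination-port: tcp or udp
    port_lo: int = 0                  # destination-port: port, or start of range
    port_hi: Optional[int] = None     # destination-port: end of range (None = single)
    rtp_port: int = 2000              # rtp-range: lower bound of the UDP ports
    rtp_range: int = 0                # rtp-range: number of ports above the bound
    tunnel_group: Optional[str] = None
    match_flow_dst: bool = False      # tunnel-group: Match Flow IP Destination Address
    precedence: List[str] = field(default_factory=list)
    dscp: List[str] = field(default_factory=list)


def validate(f: TrafficFlow) -> List[str]:
    """Return the problems with one object; an empty list means it is acceptable."""
    errs = []
    if not f.name or len(f.name) > MAX_NAME_LEN:
        errs.append("name must be 1-%d characters" % MAX_NAME_LEN)
    t = f.match_type
    if t not in MATCH_TYPES:
        errs.append("unknown match type %r" % t)
    elif t == "default-inspection-acl" and not f.acl:
        errs.append("an extended ACL object is required")
    elif t == "destination-port":
        hi = f.port_lo if f.port_hi is None else f.port_hi
        if f.protocol not in ("tcp", "udp"):
            errs.append("protocol must be tcp or udp")
        if not 0 <= f.port_lo <= hi <= 65535:
            errs.append("ports must be 0-65535 with start <= end")
    elif t == "rtp-range":
        if not 2000 <= f.rtp_port <= 65535:
            errs.append("RTP port must be 2000-65535")
        if not 0 <= f.rtp_range <= 16383:
            errs.append("RTP range must be 0-16383")
    elif t == "tunnel-group" and not f.tunnel_group:
        errs.append("tunnel group name is required")
    elif t == "precedence" and (not 1 <= len(f.precedence) <= 4
                                or any(p not in PRECEDENCE for p in f.precedence)):
        errs.append("select one to four known IP precedence values")
    elif t == "dscp" and (not f.dscp or any(d not in DSCP_VALUES for d in f.dscp)):
        errs.append("select one or more known DSCP values")
    return errs


def check_context(flows: List[TrafficFlow]) -> List[str]:
    """Per security context: unique names (reuse across contexts is fine), at most 255 maps."""
    names = [f.name for f in flows]
    errs = ["duplicate class-map name %r" % n for n in sorted(set(names)) if names.count(n) > 1]
    if len(flows) > MAX_CLASS_MAPS_PER_CONTEXT:
        errs.append("%d class maps exceed %d per context" % (len(flows), MAX_CLASS_MAPS_PER_CONTEXT))
    return errs


def render(f: TrafficFlow) -> str:
    """Render one object as ASA class-map CLI (assumed syntax); rejects invalid objects."""
    errs = validate(f)
    if errs:
        raise ValueError("; ".join(errs))
    lines, t = ["class-map %s" % f.name], f.match_type
    if t == "default-inspection-acl":
        lines += [" match default-inspection-traffic", " match access-list %s" % f.acl]
    elif t == "destination-port":
        if f.port_hi is None or f.port_hi == f.port_lo:
            lines.append(" match port %s eq %d" % (f.protocol, f.port_lo))
        else:
            lines.append(" match port %s range %d %d" % (f.protocol, f.port_lo, f.port_hi))
    elif t == "rtp-range":
        lines.append(" match rtp %d %d" % (f.rtp_port, f.rtp_range))
    elif t == "tunnel-group":
        lines.append(" match tunnel-group %s" % f.tunnel_group)
        if f.match_flow_dst:
            lines.append(" match flow ip destination-address")
    elif t == "precedence":
        lines.append(" match precedence " + " ".join(str(PRECEDENCE[p]) for p in f.precedence))
    else:
        lines.append(" match dscp " + " ".join(f.dscp))
    return "\n".join(lines)
```

render() refuses an invalid object rather than emitting partial configuration, and check_context() applies the two limits that a single dialog cannot see: the name space is local to a security context, so a name may repeat across contexts but not within one, and a context holds at most 255 class maps.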

URL Lists Page


Use the URL Lists page to view, create, edit, or delete URL List objects for remote
access in Clientless mode. A URL List object defines the URLs that are displayed
on the portal page after a successful login, to enable users to access the resources
available on SSL VPN websites, in Clientless access mode.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select URL Lists from
the Object Type selector.
Related Topics

Understanding URL List Objects, page 8-179

Policy Object Overrides Window, page F-565

Configuring the Clientless and Thin Client Access Modes, page 11-26

Policy Object Manager Window, page F-3

Policy Object Manager Window Shortcut Menu, page F-9

Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563


Field Reference

Table F-283    URL Lists Page

Column    Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name

The name of the URL List object.

Content

The URLs that will be displayed on the portal page after login.

Category

The category that is assigned to the URL List object. See Understanding Category Objects, page 8-48.

Overridable

Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the URL List object. Point at the icon to display a tooltip with the text of the description.

Tip: Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the URL Lists Dialog Box, page F-506. From here you can create a URL List object.

Edit Object button

Opens the URL Lists Dialog Box, page F-506. From here you can edit a selected URL List object.

Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected URL List object(s) from the table.

Note: Deleting a URL List object also deletes any device level overrides defined for the object.


URL Lists Dialog Box

Use the URL Lists dialog box to configure the URLs contained in a URL List object. From this dialog box, you can change the order of the URLs within the table, and add, edit, and delete the URL entries of the object.

Navigation Path

Go to the URL Lists Page, page F-504 in the Policy Object Manager Window, page F-3, then click New Object or Edit Object beneath the table.

Related Topics

URL Lists Page, page F-504

Understanding URL List Objects, page 8-179

Policy Object Manager Window, page F-3

Field Reference

Table F-284    URL Lists Dialog Box

Element    Description

Name

The URL Lists object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 8-4.

Description

Additional information about the URL Lists object (up to 1024 characters).

URL List Heading (IOS)

The heading that is displayed above the URLs listed on the portal page of an SSL VPN (only available for an IOS router).

URL List

The URLs included in the URL Lists object. The buttons below the table enable you to:

Change the order of the URLs within the table.

Create a URL entry. See Add URL Entry Dialog Box, page F-507.

Edit the properties of a selected URL. See Add URL Entry Dialog Box, page F-507.

Delete URLs from the table.


Table F-284    URL Lists Dialog Box (continued)

Element    Description

Category

The category assigned to the URL Lists object. Categories help you organize and identify rules and objects. See Categories Page, page F-87.

Allow Value Override per Device

When selected, allows the global URL List object definition defined here to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198. When deselected, does not allow the global object definition to be overridden.

Tip: When editing a URL List object that can be overridden, click the Edit button to display the Policy Object Overrides Window, page F-565. From here you can create, edit, and view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.

Add URL Entry Dialog Box


Use the URL Entry dialog box to create or edit a URL entry to be included in the
URL Lists object.
Navigation Path

Go to the URL Lists Dialog Box, page F-506, then click Add or Edit beneath the
URL List table.
Related Topics

URL Lists Dialog Box, page F-506

Policy Object Manager Window, page F-3


Field Reference

Table F-285    Add/Edit URL Entry Dialog Box

Element    Description

Enter URL

When selected, enables you to define a URL for the URL List object, as follows:

Label: Specify the text label for the URL.

URL Value: Enter the URL itself (for example, an http:// address).

Include Existing URL List

When selected, enables you to include an existing URL List in the URL List object. Specify the required URL List in the URL Lists field, or click Select to open the URL Lists Selector from which you can make your selection.

OK button

Saves your changes to the server and closes the dialog box.

User Groups Objects Page


Use the User Groups Objects page to view, create, edit, copy, and delete user
group objects. User group objects are used in Easy VPN topologies, remote access
VPNs, and SSL VPNs.
Navigation Path

Select Tools > Policy Object Manager, then select User Groups from the Object
Type selector.
Related Topics

Understanding User Group Objects, page 8-181

Configuring a User Group Policy for Easy VPN, page 9-117

User Group Policies in Remote Access VPNs, page 10-6

Configuring SSL VPN on an ASA Device, page 11-28

Policy Object Manager User Interface Reference, page F-1


Policy Object Manager Window Shortcut Menu, page F-9

Object Usage Window, page F-563

Field Reference
Table F-286

User Groups Objects Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified. The icon is
displayed after the object is defined.

Name

The name of the user group object.

Group Name

The user group name.

Technology

The technology assigned to the user group object: Easy VPN, IPsec Remote Access VPN, or SSL VPN.

Pool

The IP address of the local address pool for the user group.

DNS

The IP address of the DNS servers used for the user group.

WINS

The IP address of the WINS servers used for the user group.

Domain Name

The domain name of the DNS servers used for the user group.

Other SSL VPN Attributes

If the assigned technology is SSL VPN, displays the access modes configured for the connection. See SSL VPN Access Modes, page 11-3.

Category

The category of the object, if defined. See Categories Page, page F-87.

Description

Displays an icon if a description is defined for the object. A tooltip displays the text of the description.

New Object button

Opens the Add User Group dialog box. From here you can create a
user group object. See User Group Dialog Box, page F-510.


Table F-286    User Groups Objects Page (continued)

Column    Description

Edit Object button

Opens the Edit User Group dialog box. From here you can edit the selected user group object. See User Group Dialog Box, page F-510 for details.

Note: You cannot edit predefined objects.

Delete Object button

Deletes the selected user group objects from the table.

Note: You cannot delete an object that is referenced by policies or other objects.

User Group Dialog Box


Use the User Group dialog box to create or edit a user group object.
From this dialog box, you can configure the settings that will be applied to a user
group object in an Easy VPN or remote access VPN, or an SSL VPN.
Navigation Path

To open this dialog box, go to the User Groups Objects page (User Groups Objects
Page, page F-508), then do one of the following:

To create a user group object, click New Object, or right-click inside the
table, then select New Object.

To copy a user group object, right-click the row that contains the object to
copy, then select Create Duplicate.

To edit a user group object, select the row that contains the object to edit, then
click Edit Object, or right-click and select Edit Object.

Related Topics

User Groups Objects Page, page F-508

Understanding User Group Objects, page 8-181

Creating User Group Objects, page 8-182


Field Reference

Table F-287    User Group Dialog Box

Element    Description

Name

The name for the object. The object name is displayed in the User Groups page. You can use uppercase and lowercase characters and most alphanumeric or symbol characters. The value can be up to 128 characters.

Description

A description of the object, if required. You can use uppercase and lowercase characters and most alphanumeric or symbol characters. The value can be up to 1024 characters.

Group Name

The name for the user group. You should configure the same user group name within the remote client or device to ensure that the appropriate group attributes are downloaded. You can use uppercase and lowercase characters and most alphanumeric or symbol characters. The value can be up to 128 characters.

Technology

Available only if you are adding a new user group object, and if you opened the User Group dialog box from the Policy Object Manager window. Enables you to select the type of technology for which you are creating the user group object: Easy VPN, IPsec Remote Access VPN, or SSL VPN.

Note: If you open this dialog box from the Site-to-site VPN Manager, Remote Access VPN folder, or the SSL VPN folder, this option is unavailable as the technology is already selected.

Settings pane

A list of settings that you can configure for your user group object. The displayed settings differ depending on whether the technology type is Easy VPN or IPsec Remote Access VPN, or SSL VPN.


Table F-287    User Group Dialog Box (continued)

Element    Description

Category

A category for the object, if required. The object list displays objects with their defined category color, thus helping you to organize and identify rules and objects. See Understanding Category Objects, page 8-48.

OK button

Saves your changes to the server and closes the dialog box.

User Group Dialog Box: General Settings

The general settings you configure for your user group include the authentication method, IP address pool information, and connection attributes for PIX Firewalls.

Note: These settings apply in Easy VPN and remote access VPN configurations.
Navigation Path

Open the User Group Dialog Box, page F-510, select the Easy VPN/Remote
Access VPN technology, then select General in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Configuring Preshared Key Policies, page 9-86


Field Reference

Table F-288    User Group Dialog Box: General Settings

Element    Description

Preshared key

The preshared key that will be used to authenticate the clients associated to the user group.

Note: You do not have to enter a preshared key if you are using digital certificates for group authentication.

In regular IPsec VPNs, preshared keys allow for one or more peers to use individual shared secrets to authenticate encrypted tunnels. A preshared key must be configured on each participating peer. If one of the participating peers is not configured with the same preshared key, the IKE SA cannot be established.

In Easy VPN authentication, the same Easy VPN server key is used for the spoke configuration to ensure that the server/client keys match.

In remote access VPN authentication, the same key is used to negotiate a VPN connection between the remote access VPN server and the remote clients.

IP Address Pool Subnet/Ranges

The IP address ranges for a local pool that will be used to allocate an internal IP address to a client. Remote clients will be assigned IP addresses from this pool. Multiple entries are separated by commas.

Note: The default is 172.16.0.1-172.16.4.254.

Backup Servers IP Address

The IP address of the servers to be used as backups for the Easy VPN or remote access VPN server. The router tries to connect to these servers if the primary connection to the Easy VPN or remote access VPN server fails. Multiple entries are separated by commas.


Table F-288    User Group Dialog Box: General Settings (continued)

Element    Description

PIX Only Attributes

Idle Time (Seconds)

The timeout period for VPN connections. If no communication occurs on the connection during this period, the device terminates the connection. The value is entered in seconds. The minimum is 60 seconds, and the maximum is 35791394 minutes (2147483640 seconds). The default is 30 minutes.

Note: This option is available only for PIX Firewalls.

Max Time (Seconds)

The maximum amount of time for VPN connections. At the end of the time, the device terminates the connection. The value is entered in seconds. The minimum is 60 seconds, and the maximum is 35791394 minutes (2147483640 seconds). There is no default.

Note: This option is available only for PIX Firewalls.

User Group Dialog Box: DNS/WINS Settings

Configuring the DNS/WINS settings for your user group enables you to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the user group.

Note: The DNS/WINS settings you configure for a user group apply in Easy VPN, remote access VPN, and SSL VPN configurations.
Navigation Path

Open the User Group Dialog Box, page F-510, then select DNS/WINS in the
Settings pane.


Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Field Reference

Table F-289    User Group Dialog Box: DNS/WINS Settings

Element    Description

Primary DNS Server

The IP address of the primary DNS server you want to configure on the user group. You can click Select to open the Networks/Hosts Selector from which you can make your selection.

Secondary DNS Server

The IP address of the secondary DNS server you want to configure on the user group. You can click Select to open the Networks/Hosts Selector from which you can make your selection.

Domain Name

The domain name of the DNS server you want to configure on the user group.

Primary WINS Server

The IP address of the primary WINS server you want to configure on the user group. You can click Select to open the Networks/Hosts Selector from which you can make your selection.

Secondary WINS Server

The IP address of the secondary WINS server you want to configure on the user group. You can click Select to open the Networks/Hosts Selector from which you can make your selection.

User Group Dialog Box: Split Tunneling

Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to a specific network. When you configure split tunneling, you can transmit both secured and unsecured traffic on the same interface. You must specify which traffic will be secured and what the destination of that traffic is, so that you have a secure tunnel to the central site, while the clear (unsecured) traffic is transmitted across the public network. Bear in mind that a client with split tunneling enabled exchanges clear text traffic with the public network while it holds a tunnel to the central site, so it can act as a bridge between the two; define the protected networks and split DNS domains as narrowly as the users' needs allow.

Note: Split tunneling can be applied in Easy VPN, remote access VPN, and SSL VPN configurations. For information about configuring split tunneling for SSL VPN, see User Group Dialog Box: SSL VPN Split Tunneling, page F-530.
Navigation Path

Open the User Group Dialog Box, page F-510, select the Easy VPN/Remote
Access VPN technology, then select Split Tunneling in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Field Reference

Table F-290    User Group Dialog Box: Split Tunneling

Element    Description

Protected Networks

When selected, enables you to specify the protected networks in the central site. Packets destined for these networks are sent through the IPsec tunnel to the Easy VPN server; all other packets are sent in clear text outside the tunnel. You can click Select to open the Networks/Hosts Selector, from which you can select the required network.


Table F-290    User Group Dialog Box: Split Tunneling (continued)

Element    Description

ACL

When selected, enables you to specify an access control list to be used for split tunneling. You can click Select to open the Access Control Lists selector, from which you can select the required access control list.

Split DNS

A list of domain names that must be tunneled or resolved to the private network. All other names will be resolved via the public DNS server. You can enter multiple domain names separated by commas.

User Group Dialog Box: IOS Client Settings

Configuring IOS client settings enables you to define Cisco IOS specific options for your user group, including firewall settings for VPN clients.

Note: These settings apply in Easy VPN and remote access VPN configurations.
Navigation Path

Open the User Group Dialog Box, page F-510, select the Easy VPN/Remote
Access VPN technology, then select Client Settings (IOS) in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182


Field Reference

Table F-291    User Group Dialog Box: Client Settings (IOS)

Element    Description

Firewall Are-You-There

Available on IOS routers except 7600 devices.

This feature may be used if a VPN client is running the Black Ice or Zone Alarm personal firewall. When selected, it ensures that the personal firewall is running at connection time and throughout the connection. The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if the server prompts them to do so. If the personal firewall stops running, the connection is terminated. If this feature is enabled and there is no personal firewall running on the client, the connection is never established.

Mode

A Central Policy Push (CPP) firewall policy on a server allows or denies a tunnel on the basis of whether the remote device is running the required firewall, for a local AAA server. The Mode option specifies whether the Central Policy Push (CPP) policy is optional or mandatory, as follows:

Optional: If the CPP policy is defined as optional, and is included in the Easy VPN server configuration, the tunnel setup is continued even if the client does not confirm the defined policy.

Required: If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the client confirms this policy. Otherwise, the tunnel is terminated.

Firewall Type

Lists the available firewalls from vendors, including Cisco:

Cisco Integrated Client Firewall

Cisco Security Agent

Zone Labs ZoneAlarm

Zone Labs ZoneAlarm Pro


Table F-291    User Group Dialog Box: Client Settings (IOS) (continued)

Element    Description

Policy Type

Specifies the CPP firewall policy type:

Check Presence: Instructs the server to check for the presence of the specified firewall type.

Central Policy Push: The actual policy, such as the input and output access lists, that must be applied by the specified client firewall type. When Central Policy Push is selected, you must also specify:

The access control list to be used. You can click Select to open the Access Control Lists selector, from which you can select the required access control list.

The direction of the access control list: Inbound or Outbound.

Include Local LAN

When selected, enables the Include Local LAN attribute. If the Include Local LAN attribute is enabled, a client on a non split-tunneling connection can reach its local subnetwork at the same time as the tunnel is up.

Perfect Forward Secrecy

When selected (the default), enables Perfect Forward Secrecy (PFS). If PFS is enabled, the server is configured to notify the client of the central-site policy about whether PFS is required for any IPsec SA. The Diffie-Hellman (D-H) group that is proposed for PFS is the same that was negotiated in Phase 1 of the IKE negotiation.

User Group Dialog Box > IOS Xauth Options


IOS Xauth options enable you to configure IKE Extended Authentication (Xauth)
user authentication and connection parameters for the user group, including the
banner text.


Note

These settings apply in Easy VPN and remote access VPN configurations.
Navigation Path

Open the User Group Dialog Box, page F-510, select the Easy VPN/Remote
Access VPN technology, then select Xauth Options (IOS) in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Field Reference
Table F-292 User Group Dialog Box > IOS Xauth Options

Element

Description

Banner

The banner text that is displayed to Easy VPN remote clients during Xauth and web-based activation. A maximum of 1024 characters is allowed. The banner is pushed to the remote client device by the Easy VPN server, and is displayed the first time the Easy VPN tunnel is brought up.

Maximum Logins Per User

The maximum number of connections a user can establish simultaneously. The maximum is 10.

Maximum Connections

The maximum number of client connections to the Easy VPN Server from this group. The maximum is 5000 per group.


Enable Group-Lock

When selected, enables the Group-Lock attribute, for which you must enter the extended Xauth username in one of the following formats:

• username/groupname
• username\groupname
• username@groupname
• username%groupname

The group that you specified after the delimiter is then compared to the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.

Note
Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates.

Enable Save Password

When selected, this attribute lets you save your Xauth password locally on the client so that after you initially enter the password, the Save-Password attribute is pushed from the server to the client. On subsequent authentications, you can activate the password by using the check box on the software client or by adding the username and password to the Cisco IOS hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After you activate the password, your username and password are sent to the server automatically during Xauth.

The save-password option is useful only if your password is static, that is, if it is not a one-time password such as one that is generated by a token.
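The Group-Lock check described above, as an added Python example that is not code from Cisco Security Manager or Cisco IOS: it splits the extended Xauth username at the first of the four delimiters and compares the group part with the group identifier from IKE aggressive mode, rejecting the connection on a mismatch. The function names, the constructed sample attempts, and the treatment of a username that carries no group (rejected) are assumptions made for this example.

```python
"""Group-Lock check for extended Xauth usernames.

Added example, not code from Cisco Security Manager or Cisco IOS. It models
the rule given for the Group-Lock attribute: the Xauth username carries the
group after one of the delimiters '/', '\\', '@' or '%', and that group must
match the group identifier sent during IKE aggressive mode or the connection
is rejected. Function names, the sample attempts and the handling of a
username that carries no group are assumptions made for this example.
"""
from typing import List, Optional, Tuple

# The four delimiters the Group-Lock attribute accepts.
GROUP_DELIMITERS = "/\\@%"


def split_extended_username(xauth_username: str) -> Tuple[str, Optional[str]]:
    """Split username<delimiter>groupname into (username, groupname).

    The first delimiter found, scanning left to right, separates the two
    parts; a username without any delimiter yields a group of None.
    """
    for index, char in enumerate(xauth_username):
        if char in GROUP_DELIMITERS:
            return xauth_username[:index], xauth_username[index + 1:]
    return xauth_username, None


def group_lock_allows(xauth_username: str, ike_group_id: str) -> bool:
    """Return True if Group-Lock lets the connection proceed.

    The group named after the delimiter must equal the group identifier from
    IKE aggressive mode. An empty username, an empty group, or a username
    with no group at all is rejected (assumption: the page only states that
    the groups must match).
    """
    username, group = split_extended_username(xauth_username)
    if not username or not group:
        return False
    return group == ike_group_id


def rejected_attempts(attempts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter (xauth_username, ike_group_id) pairs down to the ones Group-Lock
    would reject, e.g. when reviewing authentication logs."""
    return [pair for pair in attempts if not group_lock_allows(*pair)]


# Constructed sample attempts; not taken from any real device log.
SAMPLE_ATTEMPTS = [
    ("alice@engineering", "engineering"),   # group matches: allowed
    ("bob/sales", "engineering"),           # group mismatch: rejected
    ("carol", "engineering"),               # no group given: rejected
    ("dave%finance", "finance"),            # group matches: allowed
]

if __name__ == "__main__":
    for username, group_id in rejected_attempts(SAMPLE_ATTEMPTS):
        print(f"rejected: {username!r} does not match IKE group {group_id!r}")
```

Only the first delimiter is honoured, so a username that itself contains one of the four characters is split at that character; the note above about not combining Group-Lock with RSA signature authentication applies unchanged.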


User Group Dialog Box > IOS Client VPN Software Update


Client VPN Software Update (IOS) settings include the platform type, VPN
Client revisions, and image URL for each client VPN software package installed
on an IOS VPN client. You can view or edit these settings for the user group.
These settings apply in Easy VPN and remote access VPN configurations.

Note

The Client Update feature is supported on IOS routers version 12.4(2)T and later,
and Catalyst 6500/7600 devices version 12.2(33)SRA and later.
Navigation Path

Open the User Group Dialog Box, page F-510, select the Easy VPN/Remote
Access VPN technology, then select Client VPN Software Update (IOS) in the
Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Field Reference
Table F-293 User Group Dialog Box > IOS Client VPN Software Update

Element
Description

System Type

The platform on which the IOS VPN client is configured - All Windows or Macintosh OS X.

Note
The All Windows system type includes Windows 95, 98, NT, 2000, XP and 2003 platforms.

IOS Image URL

The specific URL from where to download the IOS VPN client.

Note
The IOS image URL must start with http:// or https:// depending on the platform type.

IOS VPN Client Revisions

The specific revision levels of the IOS VPN client.

Note
You can specify more than one client revision, separated by delimiters.


Add button

Opens a dialog box in which you can create a client update version. See Add/Edit Client Update Dialog Box, page F-523.

Edit button

Opens a dialog box in which you can edit the parameters of a selected client update version. See Add/Edit Client Update Dialog Box, page F-523.

Delete button

Deletes the selected client update version(s) from the table.

Add/Edit Client Update Dialog Box


In the Add/Edit Client Update dialog box, you can create or edit the platform type,
image URL, and VPN Client revisions for a client VPN software package.
Navigation Path

Open the User Group Dialog Box > IOS Client VPN Software Update, page F-522, then click Add, or select an item in the table and click Edit.
Related Topics

User Group Dialog Box, page F-510

User Group Dialog Box > IOS Client VPN Software Update, page F-522

Field Reference
Table F-294 User Group Dialog Box > Add/Edit Client Update Dialog Box

Element

Description

System Type

Select the platform on which to configure the IOS VPN client:

• All Windows (Default) - This option includes Windows 95, 98, NT, 2000, XP and 2003.
• Macintosh OS X

IOS Image URL

Select the URL from where to download the IOS VPN client.

IOS VPN Client Revisions

Select the specific revision level of the IOS VPN client.

OK button

Saves your changes and closes the dialog box.


User Group Dialog Box > Advanced PIX Options


The Advanced PIX Options enable you to configure options specifically for PIX
Firewalls in your user group.

Note

These settings apply in Easy VPN and remote access VPN configurations.
Navigation Path

Open the User Group Dialog Box, page F-510, select the Easy VPN/Remote
Access VPN technology, then select Advanced Options (PIX) in the Settings
pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Field Reference
Table F-295 User Group Dialog Box > Advanced PIX Options

Element

Description

User Idle Timeout (sec)

The length of time that a VPN tunnel can remain open without
user activity, in seconds.
Values range from 60-86400 seconds.

User Authentication Server

The AAA server to which remote devices send user authentication requests. You can click Select to open the AAA Server Groups Selector, from which you can select the AAA server group. See Understanding AAA Server Group Objects, page 8-16.


Enable Device Pass-Through

When selected, enables you to use Media Access Control (MAC) addresses to bypass authentication for devices, such as Cisco IP phones, that do not support AAA authentication. When MAC-based AAA exemption is enabled, the device bypasses the AAA server for traffic that matches both the MAC address of the device and the IP address that was dynamically assigned by a DHCP server. Authorization services are disabled automatically when you bypass authentication. Accounting records continue to be generated (if enabled), but the username is not displayed.

Enable Secure Unit Authentication

When selected, provides increased security when allowing access to the device from a remote client. With Secure Unit Authentication (SUA), you can use one-time passwords, two-factor authentication, and similar authentication schemes to authenticate the remote device during Extended Authentication (Xauth). SUA is specified in the VPN policy on the device and is downloaded to the remote client. This enables SUA and determines the connection behavior of the remote client.

Enable User Authentication

When selected, Individual User Authentication (IUA) supports individually authenticating clients on the inside network of the remote access VPN, based on the IP address of each inside client. IUA supports both static and OTP authentication mechanisms.

User Group Dialog Box > Clientless Settings

Clientless settings must be configured in your user group to enable the Clientless access mode of access to the corporate network in an SSL VPN. In clientless access mode, once a user is authenticated and a session is established, an SSL VPN portal page and toolbar are displayed in the user's web browser. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers.


Navigation Path

Open the User Group Dialog Box, page F-510, select the SSL VPN technology,
then select Clientless in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Clientless and Thin Client Access Modes Page, page I-15

Creating User Group Objects, page 8-182

Field Reference
Table F-296 User Group Dialog Box > Clientless Settings

Element

Description

Portal Page Websites

The URL List that is displayed on the portal page after login,
that enables the remote user to browse the SSL VPN websites.
Click Select to open the URL List Selector in which you can
select the required link from a list of URL objects. For more
information, see URL Lists Page, page F-504.

Allow Users to Enter Websites

When selected, enables the remote user to input the website URLs directly.

Enable Common Internet File System (CIFS)

In Clientless mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the web browser. When the Common Internet File System (CIFS) feature is selected, a list of file server and directory links is displayed on the portal page after login. The CIFS protocol lets you customize permissions on the SSL VPN gateway to allow shared files to be accessed or modified by the remote client, as follows:

• Enable File Browsing - Allows read-only access to browse the shared files.

• Enable File Entry - Allows full-write access to modify the shared files.


WINS Server List

A WINS server list must be configured for a user group. You can click Select to open the WINS List Selector in which you can select a WINS server from a list of WINS server objects. For more information, see WINS Server Lists Page, page F-554.

Enable Citrix

When selected, enables remote clients to run Citrix-enabled applications, such as Microsoft Word or Excel, through the SSL VPN as if the application were locally installed, without the need for client software. The Citrix software must be installed on one or more servers on a network that the router can reach.

User Group Dialog Box > Thin Client Settings


Thin Client settings must be configured in your user group to enable the Thin
Client mode of access to the corporate network in an SSL VPN.
In Thin Client access mode, the client application uses TCP to connect to a
well-known server and port. The remote user downloads a Java applet which acts
as a TCP proxy on the client machine for the services configured on the SSL VPN
gateway.
Navigation Path

Open the User Group Dialog Box, page F-510, select the SSL VPN technology,
then select Thin Client in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Clientless and Thin Client Access Modes Page, page I-15


Field Reference
Table F-297 User Group Dialog Box > Thin Client Settings

Element

Description

Enable Thin Client (Port Forwarding)

When selected, enables TCP port forwarding to be used to connect to a known server and port.

Port Forward List

Specifies the Port Forward List server. You can click Select to open the Port Forwarding List Selector in which you can select a Port Forward List from a list of Port Forwarding List objects. For more information, see Port Forwarding List Page, page F-448.

Download Port Forwarding Applet on Client Login

When selected, enables you to download and install a Java applet, on login, that acts as a TCP proxy on the client machine for the services configured on the SSL VPN gateway.

User Group Dialog Box > SSL VPN Full Tunnel Settings


SSL VPN Full Tunnel settings must be configured in your user group to enable
the Full Tunnel access mode in your SSL VPN. When configuring the Full Tunnel
settings, you may also define DNS/WINS server settings, browser proxy settings,
and split tunneling for the user group.
In Full Tunnel Client access mode, the tunnel connection is determined by the
group policy configuration. The full tunnel client software, SSL VPN Client
(SVC), must be downloaded to the remote client, so that a tunnel connection can
be established when the remote user logs in to the SSL VPN gateway.
Navigation Path

Open the User Group Dialog Box, page F-510, select the SSL VPN technology,
then select Settings in the Full Tunnel folder in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

User Group Dialog Box > DNS/WINS Settings, page F-515

User Group Dialog Box > Split Tunneling Settings, page F-531

User Group Dialog Box > Browser Proxy Settings, page F-533


Creating User Group Objects, page 8-182

Full Tunnel Access Mode Page, page I-11

Field Reference
Table F-298 User Group Dialog Box > Full Tunnel Settings

Element

Description

Enable Full tunnel

When selected, enables full tunnel support and activates the other fields on this page.

Use Other Access Modes if SSL VPN Client Download Fails

For the full tunnel access mode to work properly, the SSL VPN Client (SVC) software must be installed on the device. When selected, this option enables the remote client to use clientless or thin client access modes if the SVC download fails.

Full Tunnel Only

When selected, enables only the Full Tunnel access mode to be used.

Client IP Address Pool

The IP address ranges of the address pool that full tunnel clients will draw from when they log on. You can click Select to open the Networks/Hosts Selector from which you can make your selection(s).

Filter ACL

Specifies the Access Control List (ACL) that is used to restrict user access to the SSL VPN. You can click Select to open the Access Control Lists Selector from which you can make your selection.

Keep SSL VPN Client on Client Computer

When selected, enables the Full Tunnel software to remain on the client's PC after the client has logged out. When deselected, clients must download the software each time they establish communication with the gateway.

Home Page URL

The URL of the login Home page of the SVC software.

Client Dead Peer Detection Timeout

The time interval that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the remote user. Enter a value in the range 1-3600 seconds.


Gateway Dead Peer Detection Timeout

The time interval that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the gateway. Enter a value in the range 1-3600 seconds.

Key Renegotiation Method

The method by which the tunnel key is refreshed for the remote user group client:

• Disabled - Disables the tunnel key refresh.

• Create New Tunnel - Initiates a new tunnel connection. Enter the time interval (in seconds) between the tunnel refresh cycles, in the Interval field.

User Group Dialog Box > SSL VPN Split Tunneling


Split tunneling enables you to transmit both secured and unsecured traffic on the
same interface. Split tunneling requires that you specify exactly which traffic will
be secured and what the destination of that traffic is, so that only the specified
traffic enters the VPN tunnel, while the rest is transmitted unencrypted across the
public network.
Navigation Path

Open the User Group Dialog Box, page F-510, select the SSL VPN technology,
then select Split Tunneling in the Full Tunnel folder in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182


Field Reference
Table F-299 User Group Dialog Box > Split Tunneling Settings

Element

Description

Split Tunneling

Tunnel Option

Specifies the traffic that will be secured or transmitted unencrypted across the public network:

• Disabled - Split tunneling is disabled and no traffic will be secured.

• Tunnel Specified Traffic - Split tunneling is enabled. All traffic from or to the specified networks will be secured.

• Exclude Specified Traffic - Split tunneling is enabled. You can specify the networks to which traffic is transmitted in the clear (unencrypted).

Destination Networks

A list of networks/hosts to which traffic is transmitted secured or unencrypted, depending on the selected Tunnel Option. Multiple entries are separated by commas. Accepted formats are:

• a.b.c.d where a,b,c,d = 0-255 (host).
• a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).
• a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).
• Freeform text that is the name of the network/host object.

You can click Select to open the Networks/Hosts Selector from which you can make your selection(s) from a list of available network and host objects. See Networks/Hosts Page, page F-431.


Exclude Local LANs

Available only if you selected the Exclude Specified Traffic option. When selected, this attribute disallows a non split-tunneling connection to access the local subnetwork at the same time as the client.

Split DNS Names

A list of domain names that must be tunneled or resolved to the private network. All other names will be resolved via the public DNS server. You can enter up to 10 entries in the list of domains, separated by commas. The entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).
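The Destination Networks formats and the Split DNS Names limits of this table, checked by an added Python example that is not part of Cisco Security Manager. parse_destination classifies one entry as a host, subnet, range or network/host object name and refuses malformed addresses, prefix lengths outside 1-32 and inverted ranges; check_split_dns_names reports violations of the 10-entry, 255-character and allowed-character rules. The function names, the pattern assumed for an object name, and the sample entries are this example's own assumptions.

```python
"""Validators for the Split Tunneling Settings fields.

Added example, not code from Cisco Security Manager. parse_destination
classifies one Destination Networks entry using the formats the field
accepts (host, subnet, range, or a network/host object name) and refuses
malformed addresses; check_split_dns_names applies the Split DNS Names
rules (at most 10 comma-separated entries, at most 255 characters in all,
only alphanumerics, hyphens and periods). Function names, the object-name
pattern and the sample entries are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# One dotted-quad octet, 0-255, without leading zeros.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = rf"{_OCTET}\.{_OCTET}\.{_OCTET}\.{_OCTET}"
_HOST_RE = re.compile(rf"^{_IPV4}$")                      # a.b.c.d
_SUBNET_RE = re.compile(rf"^({_IPV4})/(\d{{1,2}})$")      # a.b.c.d/e
_RANGE_RE = re.compile(rf"^({_IPV4})-({_IPV4})$")         # a.b.c.d-e.f.g.h
# Text made only of digits, dots, slashes and hyphens is meant to be an
# address form; if it did not parse as one above it is malformed, not a name.
_ADDRESS_SHAPE_RE = re.compile(r"^[\d./\-]+$")
# Assumed shape of a network/host object name (the page says freeform text).
_OBJECT_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\- ]*$")
# Split DNS Names entries: alphanumerics, hyphens and periods only.
_DNS_NAME_RE = re.compile(r"^[A-Za-z0-9.\-]+$")


@dataclass(frozen=True)
class Destination:
    kind: str   # "host", "subnet", "range" or "object"
    value: str  # the entry as written, with surrounding whitespace removed


def parse_destination(entry: str) -> Destination:
    """Classify one Destination Networks entry, raising ValueError if invalid."""
    entry = entry.strip()
    if _HOST_RE.match(entry):
        return Destination("host", entry)
    match = _SUBNET_RE.match(entry)
    if match:
        prefix = int(match.group(2))
        if not 1 <= prefix <= 32:
            raise ValueError(f"prefix length must be 1-32: {entry}")
        return Destination("subnet", entry)
    match = _RANGE_RE.match(entry)
    if match:
        low = ipaddress.IPv4Address(match.group(1))
        high = ipaddress.IPv4Address(match.group(2))
        if low > high:
            raise ValueError(f"range start is above range end: {entry}")
        return Destination("range", entry)
    if _ADDRESS_SHAPE_RE.match(entry):
        raise ValueError(f"malformed address: {entry}")
    if _OBJECT_NAME_RE.match(entry):
        return Destination("object", entry)
    raise ValueError(f"not a host, subnet, range or object name: {entry!r}")


def parse_destination_networks(field: str) -> List[Destination]:
    """Parse the whole comma-separated Destination Networks field."""
    return [parse_destination(e) for e in field.split(",") if e.strip()]


def rejected_destinations(field: str) -> List[str]:
    """Return the entries of the field that parse_destination refuses."""
    rejected = []
    for entry in field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            parse_destination(entry)
        except ValueError:
            rejected.append(entry)
    return rejected


def check_split_dns_names(field: str) -> List[str]:
    """Return the Split DNS Names rule violations in field (empty means valid)."""
    problems = []
    if len(field) > 255:
        problems.append("longer than 255 characters")
    names = field.split(",")
    if len(names) > 10:
        problems.append("more than 10 entries")
    for name in names:
        if not _DNS_NAME_RE.match(name):
            problems.append(f"invalid entry: {name!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample field values, not taken from any real configuration.
    print(parse_destination_networks("10.1.2.3, 10.1.0.0/16, Finance_Servers"))
    print(rejected_destinations("10.1.2.256,10.0.0.0/33,10.0.0.9-10.0.0.1"))
    print(check_split_dns_names("corp.example,lab.example"))
```

An entry that is built only from digits, dots, slashes and hyphens but fails every address pattern is reported as malformed rather than silently accepted as an object name, which is the failure mode most worth catching when a split-tunnel list is edited by hand.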

User Group Dialog Box > Browser Proxy Settings

The Browser Proxy settings enable you to configure proxy bypass for the user group's remote client in an SSL VPN.
A security appliance can terminate HTTPS connections and forward
HTTP/HTTPS requests to HTTP and HTTPS proxy servers, which act as
intermediaries between users and the Internet. Proxy bypass is an alternative
method of content rewriting that makes minimal changes to the original content.
It is useful with custom web applications.
Navigation Path

Open the User Group Dialog Box, page F-510, select the SSL VPN technology,
then select Browser Proxy Settings in the Full Tunnel folder in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182

Defining Proxies and Proxy Bypass Rules, page 11-53


Field Reference
Table F-300 User Group Dialog Box > Browser Proxy Settings

Element

Description

Browser Proxy Option

Select the required browser proxy option for the user group's remote client, as follows:

• Do Not Use Proxy Server - To configure the browser on the remote client not to use a proxy.

• Automatically Detect Settings - To configure the browser on the remote client to automatically detect proxy settings.

• Bypass Proxy Server for Local Addresses - To configure local addresses to bypass the proxy.

Proxy Server

Define the proxy server for the remote client by entering an IP address or a fully qualified domain name.

Proxy Server Port

Specify the port number for the proxy traffic. Enter a value in the range 1-65535.

Do Not Use Proxy Server for Addresses Beginning With

If you select to bypass the proxy server for local addresses, enter the addresses in the field provided.

User Group Dialog Box > SSL VPN Connection Settings


Use this page to configure the SSL VPN session connection settings for the user
group, including the banner text. An SSL VPN session is disconnected if the client
is connected longer than the session timeout, or if it is idle longer than the idle
timeout.
Navigation Path

Open the User Group Dialog Box, page F-510, select the SSL VPN technology,
then select Connection Settings in the Settings pane.
Related Topics

User Group Dialog Box, page F-510

Creating User Group Objects, page 8-182


Field Reference
Table F-301 User Group Dialog Box > Connection Settings

Element
Description

Idle Timeout

The idle timeout period for the SSL VPN session. The session is disconnected if the client is idle longer than the specified idle timeout. Values range from 0-3600 seconds.

Session Timeout

The timeout period for the SSL VPN session. If no activity occurs on the session during this time, the session is disconnected. Values range from 1-1209600 seconds.

Banner Text

The banner, for example, a welcome message that is displayed on remote clients when they connect. You cannot use double quotes in the banner text.

SSL VPN Customization Page


Use the SSL VPN Customization page to view, create, edit, or delete SSL VPN
Customization objects. A Customization object describes how to customize web
pages for SSL VPN. For more information, see Understanding SSL VPN
Customization Objects, page 8-186.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select SSL VPN
Customization from the Object Type selector.
Related Topics

Understanding SSL VPN Customization Objects, page 8-186

Creating SSL VPN Customization Objects, page 8-187

Policy Object Overrides Window, page F-565

Policy Object Manager Window, page F-3

Policy Object Manager Window > Shortcut Menu, page F-9


Policy Object Manager User Interface Reference, page F-1

Object Usage Window, page F-563

Field Reference
Table F-302

SSL VPN Customization Page

Column

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]

The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name

The name of the SSL VPN customization object. Names can be sorted in ascending or descending order.

Category

The category that is assigned to the object. See Understanding Category Objects, page 8-48.

Overridable

Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 8-198.

Description

Displays an icon if a description is defined for the object. A tooltip displays the text of the description.

Tip
Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the SSL VPN Customization Dialog Box, page F-536. From here you can create an SSL VPN customization object.

Edit Object button

Opens the SSL VPN Customization Dialog Box, page F-536. From here you can edit the selected SSL VPN customization object.

Note
You cannot edit predefined objects.

Delete Object button

Deletes the selected SSL VPN customization objects from the table.

Note
You cannot delete an object that is referenced by policies or other objects.


SSL VPN Customization Dialog Box


Use the SSL VPN Customization dialog box to create, copy, and edit SSL VPN
Customization objects.
Navigation Path

Go to the SSL VPN Customization Page, page F-534 in the Policy Object
Manager Window, page F-3, then click New Object or Edit Object beneath the
table.
Related Topics

SSL VPN Customization Page, page F-534

Understanding SSL VPN Customization Objects, page 8-186

Creating SSL VPN Customization Objects, page 8-187

Field Reference
Table F-303

SSL VPN Customization Dialog Box

Element

Description

Name

The customization object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 8-4.

Description

A description of the customization object, if required. You can use uppercase and lowercase characters and most alphanumeric or symbol characters. The value can be up to 1024 characters.

Page Title tab

Enables you to customize the SSL VPN page that appears to SSL VPN users when they initially connect to the security appliance. See SSL VPN Customization Dialog Box > Page Title Tab, page F-538.


Login/out Pages tab

Enables you to customize the appearance of the SSL VPN Login page that appears to SSL VPN users when they initially connect to the security appliance, and the SSL VPN Logout page when SSL VPN users log out of SSL VPN service. See SSL VPN Customization Dialog Box > Login/out Pages Tab, page F-539.

Home Page tab

Enables you to customize the appearance of the SSL VPN Home page that the security appliance displays to authenticated SSL VPN users. See SSL VPN Customization Dialog Box > Home Page Tab, page F-543.

Application-Access/Prompt tab

Enables you to customize the Application Access window that launches when the remote user selects an application. See SSL VPN Customization Dialog Box > Application-Access/Prompt Tab, page F-548.

Category

The category assigned to the URL Lists object. Categories help you organize and identify rules and objects. See Categories Page, page F-87.

Allow Value Override per Device

When selected, allows the global URL List object definition defined here to be changed at the device level. See Allowing a Global Object to Be Overridden, page 8-198. When deselected, does not allow the global object definition to be overridden.

Tip
When editing a URL List object that can be overridden, click the Edit button to display the Policy Object Overrides Window, page F-565. From here you can create, edit, and view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.


SSL VPN Customization Dialog Box > Page Title Tab


Use the Page Title tab of the SSL VPN Customization dialog box to customize the
SSL VPN page that appears to users when they initially connect to the security
appliance, including the page style, the title, and the logo.
Navigation Path

Open the SSL VPN Customization Dialog Box, page F-536 to display the Page
Title tab, or click the Page Title tab from any other tab in the SSL VPN
Customization dialog box.
Related Topics

SSL VPN Customization Dialog Box, page F-536

Understanding SSL VPN Customization Objects, page 8-186

Creating SSL VPN Customization Objects, page 8-187

Field Reference
Table F-304

SSL VPN Customization Dialog Box > Page Title Tab

Element

Description

Title Text

Specifies the text displayed in the title bar of the SSL VPN page.
The default title is Welcome!.

Style

The style of the title text in the title bar of the SSL VPN page.
The predefined Default style object is displayed.
If you want to use a different style, enter the style in the field
provided. You can click Select to open the Style Selector from
which you can make your selection from a list of available Style
objects, or create a Style object. For more information, see
Understanding Style Objects, page 8-169.


Page Style

The style parameters, such as font, background color and foreground color, for the SSL VPN page that are displayed when you connect to the security appliance. The predefined Default style object is displayed. If you want to use a different style, enter the style in the field provided. You can click Select to open the Style Selector from which you can make your selection from a list of available Style objects, or create a Style object. For more information, see Understanding Style Objects, page 8-169.

Title Bar Logo

The logo displayed on the title bar of the SSL VPN login and portal pages. Options are:

• None - No logo is displayed.

• Default - To use the default logo.

• Custom - When selected, enables you to specify your own logo. Specify the source image file for the logo in the Specify File field, or click Select to select an image file. The source image file for the logo can be a gif, jpg, or png file, with a filename of up to 255 characters, and up to 100 kilobytes in size. The Logo Preview displays the uploaded logo using your current title and logo settings.

SSL VPN Customization Dialog Box > Login/out Pages Tab


Use the Login/out Pages tab of the SSL VPN Customization dialog box to
customize the title of the login box, login prompts of the SSL VPN page
(including username, password, and group prompts), and login buttons that
appear to SSL VPN users when they initially connect to the security appliance.
On this tab, you can also customize the Logout page that appears to users when
they log out of SSL VPN service.


Navigation Path

Open the SSL VPN Customization Dialog Box, page F-536, then click the
Login/out Pages tab.
Related Topics
- Understanding Style Objects, page 8-169
- SSL VPN Customization Dialog Box, page F-536
- Understanding SSL VPN Customization Objects, page 8-186
- Creating SSL VPN Customization Objects, page 8-187

Field Reference
Table F-305 SSL VPN Customization Dialog Box > Login/out Pages Tab
Element / Description

Login Window

Title
The text to appear in the login box title of the SSL VPN page when
you connect to the security appliance. The default title text is
LOGIN. You can enter a maximum of 256 characters.
The Style field displays the style of the title text to appear in the
login box of the SSL VPN page. The predefined Default style object
is displayed. If you want to use a different style, enter the style in
the field provided, or click Select to open the Style Selector dialog
box from which you can make your selection.

Message
The message that appears in the login box of the SSL VPN page
when you connect to the security appliance. The default login
message is LOGIN MESSAGE. You can enter a maximum of 256
characters.
The Style field displays the style of the message to appear in the
login box of the SSL VPN page. The predefined Default style object
is displayed. If you want to use a different style, enter the style in
the field provided or click Select to open the Style Selector dialog
box from which you can make your selection.

Username
The text of the username prompt that appears in the SSL VPN page
login box that is displayed to SSL VPN users when they connect to
the security appliance. The default text of the username prompt is
USER NAME. You can enter a maximum of 256 characters.
The Style field displays the style of the username prompt that
appears in the login box of the SSL VPN page. The predefined
Default style object is displayed. If you want to use a different style,
enter the style in the field provided or click Select to open the Style
Selector dialog box from which you can make your selection.

Password
The text of the password prompt that appears in the SSL VPN page
login box that is displayed to SSL VPN users when they connect to
the security appliance. The default text of the password prompt is
PASSWORD. You can enter a maximum of 256 characters.
The Style field displays the style of the password prompt that
appears in the login box of the SSL VPN page. The predefined
Default style object is displayed. If you want to use a different style,
enter the style in the field provided or click Select to open the Style
Selector dialog box from which you can make your selection.

Group
The text of the group prompt in the SSL VPN page login box that is
displayed to SSL VPN users when they connect to the security
appliance. The default text of the group prompt is GROUP. You
can enter a maximum of 256 characters.
The Style field displays the style of the group prompt that appears
in the login box of the SSL VPN page. The predefined Default style
object is displayed. If you want to use a different style, enter the
style in the field provided or click Select to open the Style Selector
dialog box from which you can make your selection.

Login Button
The text of the Login button that appears in the SSL VPN page login
box that is displayed to SSL VPN users when they connect to the
security appliance. The default login button text is LOGIN. You
can enter a maximum of 256 characters.
The Style field displays the style of the Login button that appears in
the login box of the SSL VPN page. The predefined Default style
object is displayed. If you want to use a different style, enter the
style in the field provided or click Select to open the Style Selector
dialog box from which you can make your selection.

Clear Button
The text of the Clear button that appears in the SSL VPN page login
box that is displayed to SSL VPN users when they connect to the
security appliance. The default Clear button text is CLEAR. You
can enter a maximum of 256 characters.
The Style field displays the style of the Clear button that appears in
the login box of the SSL VPN page. The predefined Default style
object is displayed. If you want to use a different style, enter the
style in the field provided or click Select to open the Style Selector
dialog box from which you can make your selection.

Logout Window

Title
The text to appear in the logout box title of the SSL VPN page when
you log out of the SSL VPN service. The default title text is
LOGOUT. You can enter a maximum of 256 characters.
The Style field displays the style of the title text that appears in the
logout box of the SSL VPN page. The predefined Default style
object is displayed. If you want to use a different style, enter the
style in the field provided or click Select to open the Style Selector
dialog box from which you can make your selection.

Message
The logout message of the SSL VPN logout page that is displayed
to SSL VPN users when they log out from the SSL VPN service. The
default logout message text is You have logged out. You can enter
a maximum of 256 characters.
The Style field displays the style of the logout message in the
SSL VPN logout page. The predefined Default style object is
displayed. If you want to use a different style, enter the style in the
field provided or click Select to open the Style Selector dialog box
from which you can make your selection.

SSL VPN Customization Dialog Box - Home Page Tab

Use the Home Page tab of the SSL VPN Customization dialog box to customize
the appearance of the SSL VPN home page that the security appliance displays to
authenticated SSL VPN users.
Navigation Path

Open the SSL VPN Customization Dialog Box, page F-536, then click the
Home Page tab.
Related Topics
- Understanding Style Objects, page 8-169
- SSL VPN Customization Dialog Box, page F-536
- Understanding SSL VPN Customization Objects, page 8-186
- Creating SSL VPN Customization Objects, page 8-187

Field Reference
Table F-306 SSL VPN Customization Dialog Box > Home Page Tab
Element / Description

Overall and Bookmarks

Overall Style
The style of the border of the SSL VPN home page that appears to
SSL VPN users after they are authenticated by the security
appliance.
The predefined Default style object is displayed. If you want to use
a different style, enter the style in the field provided, or click Select
to open the Style Selector dialog box from which you can make your
selection.

Web Bookmark Title
The web bookmark title that is displayed in the SSL VPN Home
page to authenticated SSL VPN users. The default title text is Web
Bookmarks. You can enter a maximum of 256 characters.
The Style field displays the style of the web bookmark title that is
displayed in the SSL VPN home page. The predefined Default style
object is displayed. If you want to use a different style, enter the
style in the field provided or click Select to open the Style Selector
dialog box from which you can make your selection.

Web Bookmark Link Style
The appearance of the web bookmark links in the SSL VPN Home
page.
The predefined Default style object is displayed. If you want to use
a different style, enter the style in the field provided or click Select
to open the Style Selector dialog box from which you can make your
selection.

File Bookmark Title
The file bookmark title that is displayed in the SSL VPN Home page
to authenticated SSL VPN users. The default title text is File
Bookmarks. You can enter a maximum of 256 characters.
The Style field displays the style of the file bookmark title that is
displayed in the SSL VPN home page. The predefined Default style
object is displayed. If you want to use a different style, enter the
style in the field provided or click Select to open the Style Selector
dialog box from which you can make your selection.

File Bookmark Link Style
The appearance of the file bookmark links in the SSL VPN Home
page.
The predefined Default style object is displayed. If you want to use
a different style, enter the style in the field provided or click Select
to open the Style Selector dialog box from which you can make your
selection.

Web Applications

Title
The title text that is displayed in the Web Applications box of the
SSL VPN home page. The default title text is Web Applications.
You can enter a maximum of 256 characters.
The Style field displays the style of the title text in the Web
Applications box of the SSL VPN home page. The predefined
Default style object is displayed. If you want to use a different style,
enter the style in the field provided or click Select to open the Style
Selector dialog box from which you can make your selection.

Message
The text that you want to appear as the message (under the title) of
the Web Applications box in the SSL VPN home page. The default
message is Web Applications Message. You can enter a maximum
of 256 characters.
The Style field displays the style of the message of the Web
Applications box in the SSL VPN home page. The predefined
Default style object is displayed. If you want to use a different style,
enter the style in the field provided or click Select to open the Style
Selector dialog box from which you can make your selection.

Drop-down
The text that you want to appear in the drop-down list of the Web
Applications box in the SSL VPN home page. The default
drop-down text is Web Applications Dropdown. You can enter a
maximum of 256 characters.
The Style field displays the style of the text that you want to appear
in the drop-down list of the Web Applications box in the SSL VPN
home page. The predefined Default style object is displayed. If you
want to use a different style, enter the style in the field provided or
click Select to open the Style Selector dialog box from which you
can make your selection.

Application Access

Title
The title text that is displayed in the Application Access box of the
SSL VPN home page that appears to authenticated SSL VPN users.
The default title text of the Application Access box is Application
Access. You can enter a maximum of 256 characters.
The Style field displays the style of the title text in the Application
Access box of the SSL VPN home page. The predefined Default
style object is displayed. If you want to use a different style, enter
the style in the field provided or click Select to open the Style
Selector dialog box from which you can make your selection.

Message
The text that you want to appear as the message (under the title) of
the Application Access box in the SSL VPN home page. The
default message text of the Application Access box is Applications
Access Message. You can enter a maximum of 256 characters.
The Style field displays the style of the message of the Application
Access box in the SSL VPN home page. The predefined Default
style object is displayed. If you want to use a different style, enter
the style in the field provided or click Select to open the Style
Selector dialog box from which you can make your selection.

Network Browse

Title
The title text that is displayed in the Browse Networks box of the
SSL VPN Home page that appears to authenticated SSL VPN users.
The default title text of the Browse Networks box is Network
Access. You can enter a maximum of 256 characters.
The Style field displays the style of the title text in the Browse
Networks box of the SSL VPN home page. The predefined Default
style object is displayed. If you want to use a different style, enter
the style in the field provided or click Select to open the Style
Selector dialog box from which you can make your selection.

Message
The message text that is displayed under the title of the Browse
Networks box in the SSL VPN home page. The default message text
of the Browse Networks box is Network Access Message. You
can enter a maximum of 256 characters.
The Style field displays the style of the message text that is
displayed under the title of the Browse Networks box in the
SSL VPN home page. The predefined Default style object is
displayed. If you want to use a different style, enter the style in the
field provided or click Select to open the Style Selector dialog box
from which you can make your selection.

Drop-down
The text that you want to appear in the drop-down list of the Browse
Networks box in the SSL VPN home page. The default drop-down
text is Network Access Dropdown. You can enter a maximum of
256 characters.
The Style field displays the style of the text that you want to appear
in the drop-down list of the Browse Networks box in the SSL VPN
home page. The predefined Default style object is displayed. If you
want to use a different style, enter the style in the field provided or
click Select to open the Style Selector dialog box from which you
can make your selection.

SSL VPN Customization Dialog Box - Application-Access/Prompt Tab

Use the Application-Access/Prompt tab of the SSL VPN Customization dialog
box to customize the Application Access window that appears to authenticated
SSL VPN users that select Application Access on the SSL VPN Home page.
Navigation Path

Open the SSL VPN Customization Dialog Box, page F-536, then click the
Application-Access/Prompt tab.
Related Topics
- Understanding Style Objects, page 8-169
- SSL VPN Customization Dialog Box, page F-536
- Understanding SSL VPN Customization Objects, page 8-186
- Creating SSL VPN Customization Objects, page 8-187

Field Reference
Table F-307 SSL VPN Customization Dialog Box > Application-Access/Prompt Tab
Element / Description

Application Access

Window Style
The style of the Application Access window that appears to
authenticated SSL VPN users that select Application Access on the
SSL VPN Home page.
The predefined Default style object is displayed. If you want to use
a different style, enter the style in the field provided, or click Select
to open the Style Selector dialog box from which you can make your
selection.

Warning Message Style
The style of the warning message in the Application Access
window.
The predefined Default style object is displayed. If you want to use
a different style, enter the style in the field provided, or click Select
to open the Style Selector dialog box from which you can make your
selection.

Warning Message
The text that you want to appear as the warning message in the
Application Access window.
The default message is Warning Message. You can enter a
maximum of 256 characters.

Show application details in the Application Access Window
When selected, displays application details in the Application
Access Window. This check box is selected by default.

Prompt Dialog

Title Style
The style of the title of dialog messages that appear to authenticated
SSL VPN users.
The predefined Default style object is displayed. If you want to use
a different style, enter the style in the field provided, or click Select
to open the Style Selector dialog box from which you can make your
selection.

Message Style
The style of the dialog messages that appear to authenticated
SSL VPN users.
The predefined Default style object is displayed. If you want to use
a different style, enter the style in the field provided, or click Select
to open the Style Selector dialog box from which you can make your
selection.

Border Width
Select the border width of the various prompt dialog messages, such
as notices or warnings.

Collapse
When selected, this option wraps the prompt dialog messages
around the lines of text.

SSL VPN Gateway Page


Use the SSL VPN Gateway page to view, create, edit, or delete an SSL VPN
Gateway object. An SSL VPN gateway acts as a proxy for connections to the
protected resources in an SSL VPN.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select SSL VPN
Gateway from the Object Type selector.
Related Topics
- Configuring an SSL VPN Gateway and Context, page 11-7
- Gateway and Context Page (IOS), page I-2
- Understanding SSL VPN Gateway Objects, page 8-191
- Policy Object Overrides Window, page F-565
- Policy Object Manager Window, page F-3
- Policy Object Manager Window - Shortcut Menu, page F-9
- Policy Object Manager User Interface Reference, page F-1
- Object Usage Window, page F-563

Field Reference
Table F-308 SSL VPN Gateway Page
Column / Description

Filter
Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]
The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified. The icon is
displayed after the object is defined.

Name
The unique name of the SSL VPN gateway object.

Content
Displays the following information:
- The IP address used to configure the gateway.
- The port that carries the HTTPS traffic.
- Whether the gateway is enabled or disabled.

Category
The category that is assigned to the gateway object. See
Understanding Category Objects, page 8-48.

Overridable
Indicates whether the global object definition can be overridden by
object values defined at device level. See Allowing a Global Object
to Be Overridden, page 8-198.

Description
Displays an icon if a description is defined for the gateway object.
Point at the icon to display a tooltip with the text of the description.
Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button
Opens the SSL VPN Gateway Dialog Box, page F-552. From here
you can create a gateway object.

Edit Object button
Opens the SSL VPN Gateway Dialog Box, page F-552. From here
you can edit the selected gateway object.
Note: You cannot edit predefined objects.

Delete Object button
Deletes the selected SSL VPN gateway object(s) from the table.
Note: Deleting an SSL VPN gateway object also deletes any
device level overrides defined for the object.

SSL VPN Gateway Dialog Box


Use the SSL VPN Gateway dialog box to create, copy and edit SSL VPN Gateway
objects.
Navigation Path

Go to the SSL VPN Gateway Page, page F-550 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.
Related Topics
- SSL VPN Gateway Page, page F-550
- Understanding SSL VPN Gateway Objects, page 8-191
- Creating SSL VPN Gateway Objects, page 8-192
- Policy Object Manager Window, page F-3

Field Reference
Table F-309 SSL VPN Gateway Dialog Box
Element / Description

Name
The gateway object name (up to 128 characters). Object names are
not case-sensitive. For more information, see Guidelines for
Managing Objects, page 8-4.

Description
Additional information about the gateway object (up to 1024
characters).

IP Address
The IP address used to configure the gateway object:
- Obtained from Interface - Select this option to use the public
  static IP address of the router interface to configure the
  gateway. Then, specify the interface in the field provided.
  You can click Select to open the Interfaces Selector from which
  you can select an interface from a list of interface or interface
  role objects.
- Use Static IP Address - Select this option to use the router's
  public static IP address to configure the gateway. Then, specify
  the IP address in the field provided.

Port
The number of the port that will carry the HTTPS traffic (between
1025 and 65535). Default is 443.

Trustpoint
The digital certificate required to establish the secure connection.
Note: A self-signed certificate is generated when an SSL VPN
gateway is activated.

Enable Gateway
When selected, activates the SSL VPN gateway.

Specify SSL Encryption Algorithms
When selected, enables you to specify the encryption algorithm(s)
to be used for the SSL VPN connections. You can specify up to
three algorithms in order of preference.
These encryption algorithm options are available:
- RC4 and MD5 (Default)
- 3DES and SHA1
- AES and SHA1
- None - No encryption algorithm is specified (only available for
  the 2nd and 3rd Algorithm options).

Redirect HTTP Traffic
When selected, configures the gateway to redirect HTTP traffic over
secure HTTP (HTTPS).
In the HTTP Port field, specify the port number over which the
HTTP traffic will be redirected. You can click Select to open the
Port List selector from which you can make your selection, or create
a port list object. See Creating Port List Objects, page 8-151.
Note: A valid HTTP port is 80, or within the range 1025-65535.

Category
The category assigned to the gateway object. Categories help you
organize and identify rules and objects. See Categories Page,
page F-87.

Allow Value Override per Device
When selected, allows the global gateway object definition defined
here to be changed at the device level. See Allowing a Global Object
to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.
Tip: When editing a gateway object that can be overridden, click
the Edit button to display the Policy Object Overrides
Window, page F-565. From here you can create, edit, and
view device-level overrides.

OK button
Saves your changes to the server and closes the dialog box.

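The constraints spread across the Name, Port, Specify SSL Encryption Algorithms and Redirect HTTP Traffic rows above can be checked before a gateway object is created. The following Python is an added example, not code from Cisco Security Manager: the SslVpnGateway type and its functions are mine, and the field names only mirror the dialog box. It assumes that port 443, the stated default, is accepted alongside the stated 1025-65535 range; that None is valid only in the 2nd and 3rd algorithm positions, as the dialog says; that duplicate names are compared case-insensitively because object names are not case-sensitive; and that when no trustpoint is set, the self-signed certificate generated on activation is what clients are then shown.

```python
"""Lint an SSL VPN Gateway object against the constraints stated in
the SSL VPN Gateway dialog box reference.

Added example; not code from Cisco Security Manager. The field names
follow the dialog box; the SslVpnGateway type and the functions are
my own. Assumptions: port 443 (the stated default) is accepted as well
as the stated 1025-65535 range; "None" is valid only as the 2nd or 3rd
algorithm, as the dialog says; duplicate names are detected
case-insensitively because object names are not case-sensitive; the
missing-trustpoint warning assumes that the self-signed certificate
generated on activation is then what clients are shown.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SSL_ALGORITHMS = ("RC4 and MD5", "3DES and SHA1", "AES and SHA1")
DEFAULT_PORT = 443


@dataclass
class SslVpnGateway:
    name: str
    description: str = ""
    interface: Optional[str] = None     # "Obtained from Interface" option
    static_ip: Optional[str] = None     # "Use Static IP Address" option
    port: int = DEFAULT_PORT            # HTTPS port
    trustpoint: Optional[str] = None    # certificate used for the connection
    enabled: bool = False
    ssl_algorithms: List[str] = field(default_factory=lambda: ["RC4 and MD5"])
    redirect_http: bool = False
    http_port: int = 80


def port_in_range(port: int, extra: set) -> bool:
    """True if port is one of `extra` or inside the dialog's 1025-65535 range."""
    return port in extra or 1025 <= port <= 65535


def validate_gateway(gw: SslVpnGateway, existing_names=()) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are values the dialog box would
    reject; warnings are choices a reviewer would want to question."""
    errors: List[str] = []
    warnings: List[str] = []

    if not 1 <= len(gw.name) <= 128:
        errors.append("name must be 1-128 characters")
    if gw.name.lower() in {n.lower() for n in existing_names}:
        errors.append(f"name {gw.name!r} already exists (names are not case-sensitive)")
    if len(gw.description) > 1024:
        errors.append("description exceeds 1024 characters")

    # Exactly one IP source: the interface's address or a static address.
    if (gw.interface is None) == (gw.static_ip is None):
        errors.append("choose exactly one of interface or static IP address")
    if gw.static_ip is not None:
        try:
            ipaddress.ip_address(gw.static_ip)
        except ValueError:
            errors.append(f"invalid static IP address {gw.static_ip!r}")

    if not port_in_range(gw.port, {DEFAULT_PORT}):
        errors.append("port must be 443 or 1025-65535")

    algs = gw.ssl_algorithms
    if not 1 <= len(algs) <= 3:
        errors.append("specify one to three SSL encryption algorithms")
    for position, alg in enumerate(algs, start=1):
        if alg == "None":
            if position == 1:
                errors.append("'None' is only allowed for the 2nd and 3rd algorithm")
        elif alg not in SSL_ALGORITHMS:
            errors.append(f"unknown algorithm {alg!r} at position {position}")
    if algs and algs[0] == "RC4 and MD5":
        warnings.append("first preference is RC4 and MD5 (the default); "
                        "prefer AES and SHA1 where clients support it")

    if gw.redirect_http and not port_in_range(gw.http_port, {80}):
        errors.append("HTTP port must be 80 or 1025-65535")

    if gw.enabled and gw.trustpoint is None:
        warnings.append("no trustpoint: clients will be shown the self-signed "
                        "certificate generated when the gateway is activated")
    return errors, warnings


if __name__ == "__main__":
    gw = SslVpnGateway(name="hq-gw", static_ip="203.0.113.10", trustpoint="hq-ca",
                       enabled=True, ssl_algorithms=["AES and SHA1", "3DES and SHA1", "None"],
                       redirect_http=True)
    print(validate_gateway(gw))
```

Errors correspond to values the dialog box would not accept; warnings flag the RC4 and MD5 default, which is the weakest of the three cipher choices (RFC 7465 has since prohibited RC4 cipher suites in TLS), and an enabled gateway that relies on the generated self-signed certificate instead of a trustpoint.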
WINS Server Lists Page


A WINS Server List object defines a list of Windows Internet Naming Server
(WINS) servers, which are used to translate Windows file server names to IP
addresses.
Use the WINS Server Lists page to view, create, edit, or delete WINS Server List
objects.
Navigation Path

Open the Policy Object Manager Window, page F-3, then select WINS Server
Lists from the Object Type selector.
Related Topics
- Understanding WINS Server List Objects, page 8-194
- Policy Object Manager Window, page F-3
- Policy Object Manager Window - Shortcut Menu, page F-9
- Policy Object Manager User Interface Reference, page F-1
- Object Usage Window, page F-563

Field Reference
Table F-310 WINS Server Lists Page
Column / Description

Filter
Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

[Icon]
The icon that represents the object type. Icons marked with a star
indicate user-defined objects that may be modified. Icons without a
star indicate predefined objects that cannot be modified.

Name
The name of the WINS server list object. Names can be sorted in
ascending or descending order.

Content
The name of the WINS server contained in this object and whether
the server can also be a CIFS server (that is, a master browser).

Category
The category that is assigned to the object. See Understanding
Category Objects, page 8-48.

Overridable
Indicates whether the global object definition can be overridden by
object values defined at device level. See Allowing a Global Object
to Be Overridden, page 8-198.

Description
Displays an icon if a description is defined for the object. A tooltip
displays the text of the description.
Tip: Double-click the icon to display the text of the description
in a popup window.

New Object button
Opens the WINS Server Lists Dialog Box, page F-556. From here
you can create a WINS server list object.

Edit Object button
Opens the WINS Server Lists Dialog Box, page F-556. From here
you can edit the selected WINS server list object.
Note: You cannot edit predefined objects.

Delete Object button
Deletes the selected WINS server list objects from the table.
Note: You cannot delete an object that is referenced by policies or
other objects.

WINS Server Lists Dialog Box


Use the WINS Server Lists dialog box to create, copy, and edit WINS server list
objects.
Navigation Path

Go to the WINS Server Lists Page, page F-554 in the Policy Object Manager
Window, page F-3, then click New Object or Edit Object beneath the table.
Related Topics
- Creating WINS Server List Objects, page 8-195
- WINS Server Lists Page, page F-554
- Policy Object Manager Window, page F-3

Field Reference
Table F-311 WINS Server Lists Dialog Box
Element / Description

Name
The WINS server list object name (up to 128 characters). Object
names are not case-sensitive. For more information, see Guidelines
for Managing Objects, page 8-4.

Description
Additional information about the WINS server list object (up to
1024 characters).

WINS Server List
A table listing the WINS server list entries that are defined for the
object.
You can use the buttons below the table to add, edit, and delete
entries from the table.

Create button
Click to open a dialog box that lets you add a WINS server list entry
to the table. See Add/Edit WINS Server Dialog Box, page F-557.

Edit button
Select the row of a WINS server list entry in the table, then click to
open a dialog box in which you can edit it. See Add/Edit WINS
Server Dialog Box, page F-557.

Delete button
Select the rows of one or more WINS server list entries in the table,
then click to remove them from the list.

Category
Provides an intermediate level of detail to objects and helps you
readily identify rules and objects by use of color-coding. See
Understanding Category Objects, page 8-48.
Note: No commands are generated for the category attribute.

Allow Value Override per Device
When selected, allows the global WINS server list object
definition defined here to be changed at the device level. See
Allowing a Global Object to Be Overridden, page 8-198.
When deselected, does not allow the global object definition to be
overridden.
Tip: When editing a WINS server list object that can be
overridden, click the Edit button to display the Policy
Object Overrides Window, page F-565. From here you can
create, edit, and view device-level overrides.

OK button
Saves your changes to the server and closes the dialog box.

Add/Edit WINS Server Dialog Box


Use the Add/Edit WINS Server dialog box to create a new WINS server entry or
edit an existing entry in the table in the WINS Server Lists dialog box.
Navigation Path

Go to the WINS Server Lists Dialog Box, page F-556, then click Add or Edit
beneath the WINS Server List table.
Related Topics
- WINS Server Lists Dialog Box, page F-556
- WINS Server Lists Page, page F-554
- Creating WINS Server List Objects, page 8-195
- Policy Object Manager Window, page F-3

Field Reference
Table F-312 Add/Edit WINS Server Dialog Box
Element / Description

Server
Enter the IP address of the WINS server used to translate Windows
file server names to IP addresses.
You can click Select to open the Network/Hosts Selector from
which you can make your selection.

Set as Master Browser
When selected, enables the WINS server to function as a CIFS
server.
The master browser maintains the list of computers and shared
resources.

Timeout
The period of time the security appliance waits for a response to a
WINS query before sending the query again to the same server (if it
is the only one), or to the next server (if there is more than one).
The default timeout is 2 seconds. The valid range is between 1 and
30 seconds.

Retries
The number of times to retry sending WINS queries to the
configured servers. The security appliance cycles through the list
of servers this number of times before sending an error message.
The default is 2. The valid range is between 1 and 10.

OK button
Saves your changes to the server and closes the dialog box.
The new or modified WINS Server entry appears in the table on the
WINS Server Lists dialog box.

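The Timeout and Retries rows above describe a failover loop. The following Python is an added example, not Cisco code, that models that loop so the worst-case wait before the error message can be worked out for a given server list. It reads Retries as the number of full passes over the list, ignores response latency so that elapsed time counts only expired timeouts, and uses a constructed responder table in place of real servers.

```python
"""Model of the WINS query timeout and retry behaviour described for
the Add/Edit WINS Server dialog box.

Added example; not Cisco code. It follows the dialog's description:
the appliance waits `timeout` seconds for a reply, then sends the
query again to the same server (if it is the only one) or to the next
server, and cycles through the whole list `retries` times before
reporting an error. Assumptions: `retries` is read as the number of
full passes over the list; response latency is ignored, so elapsed
time counts only expired timeouts; the responder table is constructed
to stand in for real servers.
"""
from typing import Callable, List, Optional, Tuple

TIMEOUT_RANGE = (1, 30)   # seconds; the dialog's default is 2
RETRIES_RANGE = (1, 10)   # the dialog's default is 2


def check_settings(timeout: int, retries: int) -> List[str]:
    """Return the range violations the dialog box would reject, if any."""
    problems = []
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        problems.append(f"timeout {timeout}s is outside {TIMEOUT_RANGE[0]}-{TIMEOUT_RANGE[1]}")
    if not RETRIES_RANGE[0] <= retries <= RETRIES_RANGE[1]:
        problems.append(f"retries {retries} is outside {RETRIES_RANGE[0]}-{RETRIES_RANGE[1]}")
    return problems


def query_sequence(servers: List[str], retries: int) -> List[str]:
    """Order in which servers are queried: the whole list, `retries` times."""
    return [server for _ in range(retries) for server in servers]


def worst_case_delay(servers: List[str], timeout: int, retries: int) -> int:
    """Seconds until the error message when no server ever answers."""
    return len(servers) * retries * timeout


def resolve(servers: List[str], timeout: int, retries: int,
            responds: Callable[[str], bool]) -> Tuple[Optional[str], int, int]:
    """Walk the query sequence until a server answers.

    `responds(server)` stands in for the network and returns True when
    that server replied. Returns (answering server or None, number of
    queries sent, seconds spent waiting on expired timeouts).
    """
    elapsed = 0
    for attempt, server in enumerate(query_sequence(servers, retries), start=1):
        if responds(server):
            return server, attempt, elapsed
        elapsed += timeout    # full timeout expired; move to the next query
    return None, len(servers) * retries, elapsed


# Constructed responder: the first server is down, the second answers.
SAMPLE_STATUS = {"192.0.2.10": False, "192.0.2.11": True}


def sample_responder(server: str) -> bool:
    return SAMPLE_STATUS.get(server, False)


if __name__ == "__main__":
    servers = ["192.0.2.10", "192.0.2.11"]
    print(resolve(servers, 2, 2, sample_responder))   # ('192.0.2.11', 2, 2)
    print(worst_case_delay(servers, 2, 2))             # 8
```

With the defaults (timeout 2, retries 2) a two-server list makes a user wait 8 seconds before the error when both servers are unreachable; raising either value lengthens that hang, so the settings are a trade-off between tolerating a slow server and stalling CIFS access when the servers are down.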
Object Selectors
Use object selectors to quickly and easily select one or more objects when
defining a policy or another object. You can also use object selectors to create and
edit objects on the fly as an alternative to using the Policy Object Manager
Window, page F-3.

Security Manager features two types of object selectors:
- Single-object selectors - Used to select a single object of the required type.
- Multi-object selectors - Used to select one or more objects of the required
  type.

Navigation Path

Click Select on any page or dialog box that requires you to define a policy object
as part of the policy or object definition.
Related Topics
- Selecting Objects for Policies, page 8-203
- Allowing a Global Object to Be Overridden, page 8-198
- Filtering Object Selectors, page 8-207
- Defining Policy Object Settings, page 2-91

Field Reference
Table F-313    Object Selectors

Type
    Enables you to choose what type of object to display in the selector:
    • When configuring sources and destinations in the following rule-based policies (AAA Rules, Access Rules, Inspection Rules, and NAT for PIX/ASA devices), you can choose between network/host objects and interface roles.
    • When configuring ACLs (for example, when configuring VLAN ACLs on Catalyst 6500/7600 devices), you can choose between standard and extended ACL objects.
    All of your selections are displayed in the Selected Items list.
    Note: After you close the selector, your selections are displayed in separate tabs in the page or dialog box in which the objects are defined.

Filter
    Enables you to apply a filter to the list of available objects or open the Create Filter Dialog Box - Object Selectors, page F-561. From here, you can create a filter.

Available [object type]
    Displays all objects that are relevant to the policy or object you are configuring.
    Note: When selecting interfaces, be aware that there may be interfaces and interface roles with the same name. They can be distinguished by the icon displayed next to the name. For more information, see Specifying Interfaces During Policy Definition, page 8-118.

Selected [object type]
    Displays the object or objects that you selected.

Multi-object selector elements

>> button
    Moves the objects you select from the Available list to the Selected list.
    Note: Objects can also be moved between lists by double-clicking them or pressing Enter.

<< button
    Returns the objects you select from the Selected list to the Available list.
    Note: Objects can also be moved between lists by double-clicking them.

[Up button]
    Applies only to selector types, such as AAA server groups, where the order of the objects is important to the configuration. Moves the selected object up one row.

[Down button]
    Applies only to selector types, such as AAA server groups, where the order of the objects is important to the configuration. Moves the selected object down one row.

Common Buttons

[Create button]
    Opens the dialog box for creating an object of this type. For example, if you click this button in the object selector for networks, the Network/Host dialog box is displayed.

[Edit button]
    Opens the dialog box for editing a user-defined object selected from the Available list.
    Note: You cannot edit predefined objects.

[Group button]
    Applies only to services. Creates a service group from the objects you select in the Available list.

OK button
    Saves your changes to the server and closes the dialog box.

Tip
• Right-clicking an object in the list displays a shortcut menu with Create and Edit options. Objects that can be grouped also include a Group option.
• You can quickly find an object inside a selector by starting to type the name of the object.

Create Filter Dialog Box - Object Selectors

Use the Create Filter dialog box to filter the objects displayed in object selectors, based on the filtering criteria you define.

Navigation Path

Select Create Filter from the Filter list displayed above the list of available objects inside any object selector.

Related Topics

• Filtering Object Selectors, page 8-207
• Object Selectors, page F-558

Field Reference
Table F-314    Create Filter Dialog Box - Object Selectors

Match Any of the Following
    When you select this option, an OR relationship is created among the filtering criteria you define. For example, if you define the following criteria:
    • Name contains East
    • Name contains South
    When you click OK, the filter is defined as: Name contains East or Name contains South. If you select this filter from the Filter list, the available list displays all objects whose name contains either East or South.

Match All of the Following
    When you select this option, an AND relationship is created among the filtering criteria you define. For example, if you define the following criteria:
    • Name contains East
    • Name contains Region
    When you click OK, the filter is defined as: Name contains East and Name contains Region. If you select this filter from the Filter list, the available list displays all objects whose name contains both East and Region.

Filter type
    Filters the objects by name. You specify the object name, or a portion of the name, in the filter value field.

Filter operator
    The relationship between the filter type and the filter value: contains, doesn't contain, is, isn't, begins with, ends with.

Filter value
    The object name or a portion of the name.

Filter content area
    The filter type, operator, and value that you selected as filter criteria.

Add button
    Adds a criterion to the filter control content area.

Remove button
    Removes the selected criterion from the filter control content area.

OK button
    Saves your changes and closes the dialog box. The filter is added to the Filter list.
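The filter semantics of Table F-314 (the six operators, and OR versus AND combination of criteria), as an added Python example that is not Security Manager code. The object names are constructed; case-sensitive comparison and "an empty filter hides nothing" are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# The six filter operators offered in the dialog, as predicates over
# (object name, filter value).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda name, value: value in name,
    "doesn't contain": lambda name, value: value not in name,
    "is": lambda name, value: name == value,
    "isn't": lambda name, value: name != value,
    "begins with": lambda name, value: name.startswith(value),
    "ends with": lambda name, value: name.endswith(value),
}


@dataclass(frozen=True)
class Criterion:
    """One row of the filter content area: filter type, operator, value."""
    filter_type: str
    operator: str
    value: str

    def __post_init__(self) -> None:
        # Only the Name filter type exists for object selectors on this page.
        if self.filter_type != "Name":
            raise ValueError(f"unsupported filter type: {self.filter_type!r}")
        if self.operator not in OPERATORS:
            raise ValueError(f"unsupported operator: {self.operator!r}")

    def test(self, name: str) -> bool:
        return OPERATORS[self.operator](name, self.value)


@dataclass(frozen=True)
class ObjectFilter:
    """A saved filter: its criteria and whether they combine with AND or OR."""
    criteria: Sequence[Criterion]
    match_all: bool  # True = "Match All of the Following", False = "Match Any"

    def describe(self) -> str:
        """The filter as the dialog states it after you click OK."""
        joiner = " and " if self.match_all else " or "
        return joiner.join(f"{c.filter_type} {c.operator} {c.value}"
                           for c in self.criteria)

    def matches(self, name: str) -> bool:
        results = [c.test(name) for c in self.criteria]
        if not results:
            # Assumption: a filter with no criteria hides nothing.
            return True
        return all(results) if self.match_all else any(results)


def apply_filter(obj_filter: ObjectFilter, names: Sequence[str]) -> List[str]:
    """Return the names that would remain in the Available list."""
    return [n for n in names if obj_filter.matches(n)]


# Constructed sample object names (not from the guide).
SAMPLE_NAMES = ["East-Region", "South-Region", "West-Core", "NorthEast", "Region-Hub"]

if __name__ == "__main__":
    any_filter = ObjectFilter(
        [Criterion("Name", "contains", "East"), Criterion("Name", "contains", "South")],
        match_all=False)
    all_filter = ObjectFilter(
        [Criterion("Name", "contains", "East"), Criterion("Name", "contains", "Region")],
        match_all=True)
    for f in (any_filter, all_filter):
        print(f"{f.describe()}: {apply_filter(f, SAMPLE_NAMES)}")
```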

Object Usage Window

Use the Object Usage window to view a list of all places where a selected object is referenced within Security Manager, including your current activity and the data committed to the database.

Navigation Path

Do one of the following:
• Right-click an object in the Policy Object Manager Window, page F-3, then select Find Usage.
• Left-click an object in a firewall rules table, then right-click and select Find Usage.

Related Topics

• Policy Object Manager Window, page F-3

Field Reference
Table F-315    Object Usage Window

Used By
    The name of the Security Manager item that is referencing the selected object.

Type
    The type of item that is referencing the selected object. This can be a device, policy, VPN, or another object.

Usage
    Indicates how the object is being referenced. For example, if a device is referencing the selected object, this column will indicate that it is a policy assigned to the device that is referencing the object.

Proximity
    Indicates the relationship between the selected object and the item that is using it. For example:
    • A service group object has a direct relationship with the services that are included as part of the group.
    • An access rule that includes this service group in its definition has a direct relationship with the service group and an indirect relationship with the services in the group.
    • A device on which this access rule policy is assigned references the service group directly and the services inside that service group indirectly.

Devices
    When selected, the table includes all device references to the selected object. When deselected, the table filters out all device references to the selected object.

Policies
    When selected, the table includes all policy references to the selected object. When deselected, the table filters out all policy references to the selected object.

Other Objects
    When selected, the table includes all policy references to the selected object. When deselected, the table filters out all policy references to the selected object.
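The Find Usage lookup described in Table F-315, as an added Python example that is not Security Manager code. It walks a small constructed inventory (objects that contain other objects, policies that name objects, devices with assigned policies) and reports each referencing item with its type, usage and proximity, applying the page's rule that a reference passing through another object (a service inside a service group) is Indirect; the three flags stand in for the Devices, Policies and Other Objects check boxes. All object, policy and device names are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class UsageRow:
    """One row of the Object Usage table."""
    used_by: str
    item_type: str   # "Object", "Policy" or "Device"
    usage: str
    proximity: str   # "Direct" or "Indirect"


class UsageIndex:
    def __init__(self, objects: Dict[str, Sequence[str]],
                 policies: Dict[str, Sequence[str]],
                 devices: Dict[str, Sequence[str]]) -> None:
        self.objects = objects      # object name -> objects it contains
        self.policies = policies    # policy name -> objects named in its definition
        self.devices = devices      # device name -> policies assigned to it

    def _hops(self, start: str, target: str) -> Optional[int]:
        """Fewest membership edges from start down to target; None if unreachable."""
        queue = deque([(start, 0)])
        seen = {start}               # guards against cyclic group definitions
        while queue:
            node, dist = queue.popleft()
            if node == target:
                return dist
            for member in self.objects.get(node, ()):
                if member not in seen:
                    seen.add(member)
                    queue.append((member, dist + 1))
        return None

    def _policy_hops(self, policy: str, target: str) -> Optional[int]:
        """Fewest membership edges from any object the policy names to target."""
        found = [h for h in (self._hops(r, target) for r in self.policies[policy])
                 if h is not None]
        return min(found) if found else None

    @staticmethod
    def _proximity(nesting: int) -> str:
        # No object between the referrer and the target is Direct; any
        # intermediate object (a group holding the target) makes it Indirect.
        return "Direct" if nesting == 0 else "Indirect"

    def find_usage(self, target: str, objects: bool = True,
                   policies: bool = True, devices: bool = True) -> List[UsageRow]:
        """Rows for every item referencing target; the flags mirror the
        Other Objects / Policies / Devices check boxes of the window."""
        rows: List[UsageRow] = []
        if objects:
            for name in self.objects:
                hops = self._hops(name, target)
                if name == target or hops is None:
                    continue
                # The container's own membership edge is its direct reference,
                # so only edges beyond the first count as nesting.
                rows.append(UsageRow(name, "Object", f"{name} contains {target}",
                                     self._proximity(hops - 1)))
        if policies:
            for name in self.policies:
                hops = self._policy_hops(name, target)
                if hops is not None:
                    rows.append(UsageRow(name, "Policy",
                                         f"policy definition references {target}",
                                         self._proximity(hops)))
        if devices:
            for name, assigned in self.devices.items():
                best = None          # (hops, policy) of the closest reference
                for policy in assigned:
                    hops = self._policy_hops(policy, target)
                    if hops is not None and (best is None or hops < best[0]):
                        best = (hops, policy)
                if best is not None:
                    rows.append(UsageRow(name, "Device",
                                         f"policy {best[1]} assigned to the device",
                                         self._proximity(best[0])))
        return rows


# Constructed sample inventory (not from the guide).
SAMPLE = UsageIndex(
    objects={"HTTP": [], "HTTPS": [], "Web-Services": ["HTTP", "HTTPS"],
             "All-Services": ["Web-Services"]},
    policies={"DMZ-Access-Rules": ["Web-Services"]},
    devices={"edge-fw-1": ["DMZ-Access-Rules"], "core-fw-2": []},
)

if __name__ == "__main__":
    for row in SAMPLE.find_usage("HTTP"):
        print(f"{row.used_by:18} {row.item_type:7} {row.proximity:9} {row.usage}")
```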

Policy Object Overrides Window

Use the Policy Object Overrides window to view a list of all device-level overrides that are defined for a selected object. From this window, you can:
• Create an override that applies to one or more devices.
• Select an object override and edit its definition.

Tip
You can also create new device-level overrides from the Device Properties window of a selected device. See Creating Object Overrides for a Single Device, page 8-199.

Navigation Path

Open the Policy Object Manager Window, page F-3. Select an object type that can be overridden (its object page contains a column called Overridable), then do one of the following:
• Double-click the green checkmark in the Overridable column.
• Right-click the object, then select Edit Device Overrides.

Related Topics

• Policy Object Manager Window, page F-3
• Allowing a Global Object to Be Overridden, page 8-198
• Creating Device-Level Object Overrides, page 8-199
• Deleting Device-Level Object Overrides, page 8-202

Field Reference
Table F-316    Policy Object Overrides Window - Common Fields

Filter
    Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

[Icon]
    The icon that represents the object type. Icons marked with a star indicate user-defined objects that may be modified. Icons without a star indicate predefined objects that cannot be modified.

Device
    The name of the device to which the object override applies.

Content
    The addresses and network/host objects contained in the selected object.

Category
    The category that is assigned to the object. See Understanding Category Objects, page 8-48.

Description
    Displays an icon if a description is defined for the object. A tooltip displays the text of the description.

Create Override button
    Opens the Create Overrides for Device Dialog Box, page F-567. From here you can create an override on selected devices.

Edit Override button
    Opens the Create Overrides for Device Dialog Box, page F-567. From here you can edit the selected override object.

Delete Override button
    Deletes the selected override objects.

Note
For information about the columns specific to each object type, see Policy Object Manager User Interface Reference, page F-1, then click the link for the relevant object page.


Create Overrides for Device Dialog Box


Use the Create Overrides for Device dialog box to choose the devices for which
you want to create device-level overrides for a selected object.

Note

After making your selections and clicking OK, you can define the properties of
the override. For more information, see Creating Object Overrides for Multiple
Devices, page 8-200.
Navigation Path

Open the Policy Object Overrides Window, page F-565, then click the Create
Override button.
Related Topics

Policy Object Overrides Window, page F-565

Field Reference
Table F-317

Create Overrides for Device Dialog Box

Element

Description

Available Devices

Lists all existing devices. Devices for which an override has already
been defined are grayed out. To select a device for object overriding,
select one or more items from this list, then click >> to add them to
the Selected Devices list.

Selected Devices

Lists all devices for which you want to define a new device-level
object override. To remove devices from this list, select the devices,
then click <<.

OK button

Saves your changes to the server and closes the dialog box.


Appendix G

Site-to-Site VPN User Interface Reference
The pages that you access by selecting Site-To-Site VPN Manager from the Tools
menu, or clicking the Site-To-Site VPN Manager button on the toolbar, help you
configure site-to-site VPNs.

Note

You can also configure site-to-site VPNs in Device view (View > Device View)
and Policy view (View > Policy View). For more information, see:

Managing VPN Devices in Device View, page 9-62

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

These topics describe the pages that help you create VPN topologies, and the
policies that will be assigned to them:

Site-to-Site VPN Manager Window, page G-2

Create VPN Wizard, page G-9

Site to Site VPN Policies, page G-42

VPN Topologies Device View Page, page G-104

Discover VPN Policies Wizard, page G-106

Rediscover VPN Policies Wizard, page G-110


Site-to-Site VPN Manager Window


Use the Site-to-Site VPN Manager window to:

View all available VPN topologies.

Create, edit, and delete VPN topologies.

View detailed information about each VPN topology.

View the endpoints defined for a VPN topology.

View and edit the policies assigned to a VPN topology.

The VPNs selector, in the upper left pane of the window, lists all available VPN
topologies, and enables you to select topologies for viewing or editing. The lower
left pane of the page lists the policies that are assigned to the VPN topology
selected in the upper pane.
Navigation Path

Click the Site-To-Site VPN Manager button on the toolbar or select Tools > Site-To-Site VPN Manager.

Related Topics

• Create VPN Wizard, page G-9
• Understanding VPN Topologies, page 9-2
• Working with VPN Topologies, page 9-20

Field Reference
Table G-1    Site-to-Site VPN Manager Window

VPNs selector
    Lists each VPN topology, represented by its name and an icon indicating its VPN type (hub and spoke, point to point, or full mesh).

Create VPN Topology button
    Click to create a VPN topology, then select the type of topology you want to create from the options that are displayed. The Create VPN wizard opens.

Edit VPN Topology button
    Opens the Edit VPN dialog box for editing a selected VPN topology.
    Note: You can also edit a VPN topology by right-clicking it in the VPNs selector, and selecting the Edit option.

Delete VPN Topology button
    Deletes a selected VPN topology. A confirmation dialog box opens asking you to confirm the deletion.
    Note: You can also delete a selected VPN topology by right-clicking it and selecting the Delete option.

Policies selector
    Lists each individually named policy that is already assigned to, or can be configured on, devices in the selected VPN topology. Select a policy to open a page on which you can view or edit the parameters for the selected policy. See Site to Site VPN Policies, page G-42.
    Note: VPN Summary and Peers are not policies. For a description of these pages, see VPN Summary Page, page G-3 and Peers Page, page G-7.

VPN Summary Page


Use the VPN Summary page to view information about a selected VPN topology.
This includes information about the type of VPN topology, its devices, the
assigned technology, and specific policies that are configured in it.


Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in the
VPNs selector, then select VPN Summary in the Policies selector.

Note

The VPN Summary page opens when you finish creating or editing a VPN
topology.

The VPN Summary page also opens from Device view, when editing the VPN
policies defined for a VPN topology. For more information, see Managing
VPN Devices in Device View, page 9-62.

You can also open the VPN Summary page from Policy view. For more
information, see Working with Site-to-Site VPN Policies in Policy View,
page 9-65.

Related Topics

Site-to-Site VPN Manager Window, page G-2

Configuring High Availability in Your VPN Topology, page 9-60

Configuring VRF-Aware IPsec Settings, page 9-55

Configuring an IKE Proposal, page 9-71

Configuring IPsec Proposals, page 9-77

Configuring Preshared Key Policies, page 9-86

Configuring Public Key Infrastructure Policies, page 9-92

Configuring GRE or GRE Dynamic IP Policies, page 9-99

Configuring DMVPN Policies, page 9-104

Configuring Large Scale DMVPNs, page 9-107

Configuring an IPsec Proposal for Easy VPN, page 9-115

Configuring a User Group Policy for Easy VPN, page 9-117

Configuring a Tunnel Group Policy for Easy VPN, page 9-119


Field Reference
Table G-2    VPN Summary Page

Type
    The VPN topology type: Hub-and-Spoke, Point-to-Point, or Full Mesh.

Description
    A description of the VPN topology.

IPsec Terminator
    Available if the VPN topology is large scale DMVPN.
    The name of the IPsec Terminator(s) used to load balance GRE traffic to the hubs in the large scale DMVPN.

Primary Hub
    Available if the VPN topology type is hub-and-spoke.
    The name of the primary hub in the hub-and-spoke topology.

Failover Hubs
    Available if the VPN topology type is hub-and-spoke.
    The name of any secondary backup hubs that are configured in the hub-and-spoke topology.

Number of Spokes
    Available if the VPN topology type is hub-and-spoke.
    The number of spokes that are included in the hub-and-spoke topology.

Peer 1
    Available if the VPN topology type is point-to-point.
    The name of the device that is defined as Peer One in the point-to-point VPN topology.

Peer 2
    Available if the VPN topology type is point-to-point.
    The name of the device that is defined as Peer Two in the point-to-point VPN topology.

Number of Peers
    Available if the VPN topology type is full mesh.
    The number of devices included in the full mesh VPN topology.

IPsec Technology
    The IPsec technology assigned to the VPN topology. See Understanding IPsec Technologies and Policies, page 9-8.

IKE Proposal
    The security parameters of the IKE proposal configured in the VPN topology. See IKE Proposal Page, page G-43.

Dynamic VTI
    Available in an Easy VPN topology.
    Displays if a dynamic virtual template interface is configured on a device in an Easy VPN topology. See Dynamic VTI Tab, page G-84.

Transform Sets
    The transform sets that specify the authentication and encryption algorithms that will be used to secure the traffic in the VPN tunnel. See IPsec Proposal Page, page G-45.

Preshared Key
    Unavailable if the selected technology is Easy VPN.
    Specifies whether the shared key to use in the preshared key policy is user defined or auto-generated. See Preshared Key Page, page G-59.

Public Key Infrastructure
    If a Public Key Infrastructure policy is configured in the VPN topology, specifies the CA server. See Public Key Infrastructure Page, page G-63.

Routing Protocol
    Available only if the selected technology is IPsec/GRE, GRE Dynamic IP, or DMVPN.
    The routing protocol and autonomous system (or process ID) number used in the secured IGP for configuring a GRE, GRE Dynamic IP, or DMVPN routing policy.
    Note: Security Manager adds a routing protocol to all the devices in the secured IGP on deployment. If you want to maintain this secured IGP, you must create a router platform policy using this routing protocol and autonomous system (or process ID) number.
    See GRE Modes Page, page G-66.

Tunnel Subnet IP
    Available only if the selected technology is IPsec/GRE, GRE Dynamic IP, or DMVPN.
    If a tunnel subnet is defined, displays the inside tunnel interface IP address, including the unique subnet mask. See GRE Modes Page, page G-66.

User Group
    Available for an Easy VPN topology.
    If a User Group policy is configured on a device in the Easy VPN topology, displays the details of the policy. See User Group Policy Page, page G-87.

PIX7.0/ASA Tunnel Group
    Available for an Easy VPN topology.
    If a Tunnel Group policy is configured on a PIX Firewall version 7.0, or ASA appliance in the Easy VPN topology, displays the details of the policy. See Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88.

High Availability
    Available if the VPN topology type is hub-and-spoke.
    If a High Availability policy is configured on a device in your hub-and-spoke VPN topology, displays the details of the policy. See High Availability Page, page G-37.

VRF-Aware IPsec
    Available if the VPN topology type is hub-and-spoke.
    If a VRF-Aware IPsec policy is configured on a hub in your hub-and-spoke VPN topology, displays the type of VRF solution (1-Box or 2-Box) and the name of the VRF policy. See VRF Aware IPsec Tab, page G-31.

Peers Page
Use the Peers page to view the endpoints defined for a VPN topology, including
the internal and external VPN interfaces and protected networks assigned to the
devices in the topology. The interface roles, or interfaces that match each interface
role, may also be displayed for the VPN interfaces and protected networks.
The Peers page contains a scrollable table displaying the device roles, VPN
interfaces and protected networks for all selected devices. By clicking the arrow
displayed alongside any table heading, you can switch the order of the list to
display from ascending to descending order, and vice versa. You can also filter the
table contents using the filter controls above it to display only rows that match the
criteria that you specify (see Filtering Tables, page 3-24).


Navigation Path

• Open the Site-to-Site VPN Manager Window, page G-2, select a topology in the VPNs selector, then select Peers in the Policies selector.
• You can also open the Peers page from Device view. For more information, see Managing VPN Devices in Device View, page 9-62.

Related Topics

• Device Selection Page, page G-12
• Endpoints Page, page G-14
• Site-to-Site VPN Manager Window, page G-2
• VPN Topologies Device View Page, page G-104

Field Reference
Table G-3    Peers Page

Role
    The role of the device: hub (primary or failover), spoke, or peer.

Device
    The name of the device.

VPN Interface
    The VPN interface (external and internal) that is defined for the selected device.

Protected Networks
    The protected networks that are defined for the selected device.

Show
    Select to display either the interface roles or matching interfaces, for the VPN interfaces and protected networks in the table, as follows:
    • Interface Roles Only (default): To display only the interface roles assigned to the VPN interfaces and protected networks.
    • Matching Interfaces: To display the interfaces that match the pattern of each interface role. If there are no matching interfaces, No Match will be displayed.

Create button
    Opens the Device Selection tab of the Edit VPN dialog box on which you can change the selection of devices in your VPN topology.
    Note: You can also open the Device Selection tab by right-clicking in the page and selecting the Add Row option.

Edit button
    Opens the Endpoints tab of the Edit VPN dialog box on which you can edit the VPN interfaces and protected networks for a selected device in the table.
    Note: You can also open the Endpoints tab for editing the VPN interfaces and protected networks for a device by double-clicking its row in the table, or right-clicking it and selecting the Edit Row option.

Delete button
    Not available in a point-to-point VPN topology.
    Deletes a selected device in the table. A dialog box opens asking you to confirm the deletion.
    Note: You can also delete a device by right-clicking it in the table and selecting the Delete Row option.
    For more information, see Removing Devices from a VPN Topology, page 9-34.

Create VPN Wizard


Security Manager supports three basic types of topologies with which you can
create a site-to-site VPN. Use the Create VPN wizard to create a hub-and-spoke,
point-to-point, or full mesh VPN topology across multiple device types. For more
information, see Understanding VPN Topologies, page 9-2.

Note

You can deploy to your devices immediately after creating a VPN topology, using
the default policy configurations provided by Security Manager. All you need to
do is complete the steps of the Create VPN wizard.
Editing a VPN topology is done using the Edit VPN dialog box, which comprises
tabs whose elements are identical (except for the buttons) to the pages of the
Create VPN wizard. You can click a tab to go directly to the page that contains the
fields you want to edit, without having to go through each step of the wizard.
Clicking OK on any tab in the dialog box saves your definitions on all the tabs.
For more information, see Editing a VPN Topology, page 9-35.

The following pages describe the steps in the Create VPN wizard:

• Name and Technology Page, page G-10
• Device Selection Page, page G-12
• Endpoints Page, page G-14
• High Availability Page, page G-37

Navigation Path

1. In the Site-to-Site VPN Manager Window, page G-2, click the Create VPN Topology button above the VPNs selector.
2. Select the type of VPN topology you want to create from the options that are displayed: Hub and Spoke, Point to Point, or Full Mesh.

Related Topics

Understanding VPN Topologies, page 9-2

Understanding IPsec Technologies and Policies, page 9-8

Creating a VPN Topology, page 9-20

Name and Technology Page


Use the Name and Technology page of the Create VPN wizard to provide a name
and description for the VPN topology, and select the IPsec technology that will be
assigned to it.

Note

When editing a VPN topology, the Name and Technology tab is used. The
elements of the tab (except for the buttons) are identical to those that appear on
the Name and Technology page. For more information, see Editing a VPN
Topology, page 9-35.
Navigation Path

When creating a VPN topology, open the Create VPN Wizard, page G-9.

When editing a VPN topology, open the Site-to-Site VPN Manager Window,
page G-2, then right-click a VPN topology in the VPNs selector, or click the
Name and Technology tab in the Edit VPN dialog box.


Related Topics

Create VPN Wizard, page G-9

Editing a VPN Topology, page 9-35

Understanding IPsec Technologies and Policies, page 9-8

Defining a Name and IPsec Technology, page 9-22

Field Reference
Table G-4    Create VPN wizard > Name and Technology Page

Name
    A unique name you want to specify for the VPN topology, for identification purposes.

Description
    Any descriptive text or comments that you want to add about the VPN topology.

IPsec Technology
    The IPsec technology that you want to assign to the VPN topology. Four options are available: Regular IPsec, IPsec/GRE, DMVPN, or Easy VPN.
    Note: If you are editing an existing VPN, the assigned IPsec technology is displayed, but unavailable for editing. To edit the technology, you must delete the VPN topology and create a new one.

Type
    Available if the selected IPsec technology is IPsec/GRE or DMVPN.
    • If the IPsec technology is IPsec/GRE, enables you to select either Standard (for IPsec/GRE) or Spokes with Dynamic IP (to configure GRE Dynamic IP). For more information, see Configuring GRE or GRE Dynamic IP Policies, page 9-99.
    • If the IPsec technology is DMVPN, enables you to select either Standard (for regular DMVPN) or Large Scale with IPsec Terminator (to configure a large scale DMVPN). For more information, see Configuring Large Scale DMVPNs, page 9-107.


Device Selection Page


Use the Device Selection page of the Create VPN wizard to select the devices that
will be included in the VPN topology. The devices that are available for selection
include only those that can be used for the selected VPN topology type, that
support the IPsec technology type, and which you are authorized to view.

Note

When editing the device selection for a VPN topology, the Device Selection tab
is used. The elements of the tab (except for the buttons) are identical to those that
appear on the Device Selection page. For more information, see Editing a VPN
Topology, page 9-35.
Navigation Path

When creating a VPN topology, open the Create VPN Wizard, page G-9, then
click Next on the Name and Technology page.

When editing a VPN topology, click the Device Selection tab in the Edit VPN
dialog box.

In the VPN Topologies Device View Page, page G-104, click the Edit VPN
Topology button.

Related Topics

Create VPN Wizard, page G-9

Editing a VPN Topology, page 9-35

About Selecting Devices in a VPN Topology, page 9-23

Selecting Devices for Your VPN Topology, page 9-25

Adding Unmanaged Devices to Your VPN Topology, page 9-24

Removing Devices from a VPN Topology, page 9-34


Field Reference
Table G-5    Create VPN wizard > Device Selection Page

Available Devices
    Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.
    Note: Clicking a device group selects all its devices.

IPsec Terminators
    Available only if you selected Large Scale with IPsec Terminator as the DMVPN technology type in the Name and Technology page.
    Lists the Catalyst 6500/7600 devices you selected to be IPsec Terminators in your Large Scale DMVPN configuration.
    Note: You can use the Up and Down buttons to change the order of the devices in the list.
    For more information, see Configuring Large Scale DMVPNs, page 9-107.

Hubs
    The devices you selected to be hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.
    Note: If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the Hubs in the list.
    To remove devices from the list, select them and click <<.

Spokes
    The devices you selected to be spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.
    To remove devices from the list, select them and click <<.

Peer One/Peer Two
    The devices you selected to be peers in your point-to-point topology.
    To remove the selected device from the Peer One/Peer Two field, click <<.

Selected Devices
    The devices you selected to be included in your full mesh topology.
    To remove selected devices from the Selected Devices list, click <<.

Endpoints Page
Use the Endpoints page of the Create VPN wizard to view the devices in your
VPN topology, and define or edit their external or internal interfaces and protected
networks.

Note: The internal and external interfaces that appear on the Endpoints page are the default interfaces that are defined in the Administration tool's VPN Defaults page. For more information, see Configuring VPN Policy Defaults, page 2-98.

The Endpoints page displays a scrollable table listing the VPN interfaces and protected networks for all selected devices. By clicking the arrow displayed alongside any table heading, you can switch the order of the list from ascending to descending, and vice versa. You can also filter the table contents using the filter controls above it to display only rows that match the criteria that you specify (see Filtering Tables, page 3-24).

Note: When editing a VPN topology, the Endpoints tab is used. The elements of the tab (except for the buttons) are identical to those that appear on the Endpoints page. For more information, see Editing a VPN Topology, page 9-35.
Navigation Path

When creating a VPN topology, open the Create VPN Wizard, page G-9, then
click Next on the Device Selection page.


When editing a VPN topology, click the Endpoints tab in the Edit VPN
dialog box.

Related Topics

Create VPN Wizard, page G-9

Editing a VPN Topology, page 9-35

Edit Endpoints Dialog Box, page G-18

About Defining and Editing the Endpoints and Protected Networks, page 9-26

Defining the Endpoints and Protected Networks, page 9-28

Field Reference

Table G-6 Create VPN wizard > Endpoints Page

Role
    The role of the device: hub, spoke, peer, or IPsec Terminator.

Device
    The name of the device.

VPN Interface
    The primary or backup VPN interface that is defined for the selected device.
    Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, for the VPN interface may also be displayed.
    Select a row and click Edit to change the device's VPN interfaces. The Edit Endpoints dialog box opens, from which you can select the required VPN interface. See VPN Interface Tab, page G-19.
    Note: You can select more than one device at a time for editing. The changes you make in the VPN Interface tab are applied to all the selected devices.
    Note: When selecting multiple devices for editing the VPN interfaces, you cannot include Catalyst 6500/7600 devices in your selection. If you want to edit these devices, you must select them separately.
    Note: To edit the VPN interface for a Catalyst 6500/7600 device, see VPN Interface Tab, page G-19.

Protected Networks
    The protected networks that are defined for the selected device.
    Depending on the selection in the Show list, the interface roles, or the interfaces that match each interface role, for the protected networks may also be displayed.
    Select a row and click Edit to change the device's protected networks. The Edit Endpoints dialog box opens, from which you can select the required protected networks. See Protected Networks Tab, page G-27.
    Note: You can select more than one device at a time for editing. The changes you make in the Protected Networks tab are applied to all selected devices.
    Note: When selecting multiple devices for editing the protected networks, you cannot include Catalyst VPN Service Module devices in your selection. If you want to edit these devices, you must select them separately.

Show
    Select to display either the interface roles or matching interfaces, for the VPN interfaces and protected networks in the table, as follows:
    Interface Roles Only (default): To display only the interface roles assigned to the VPN interfaces and protected networks.
    Matching Interfaces: To display the interfaces that match the pattern of each interface role. If there are no matching interfaces, No Match is displayed.

Edit button
    Opens the Edit Endpoints dialog box so you can edit the VPN interface and/or protected networks for a selected device in the table. See Edit Endpoints Dialog Box, page G-18.


Edit Endpoints Dialog Box


Use the Edit Endpoints dialog box to:

Edit the VPN interfaces and protected networks defined for devices.

Edit a hub interface that is connected to an IPsec Terminator in a large scale DMVPN.

Configure a dial backup interface to use as a fallback link for a primary VPN interface.

Define VPN Services Module (VPNSM) settings for a Catalyst 6500/7600 device.

Define VPN SPA settings for a Catalyst 6500/7600 device (which may be an IPsec Terminator in a Large Scale DMVPN topology).

Configure FWSM on a Catalyst 6500/7600 device.

Configure a VRF-Aware IPsec policy on a hub device.

The following tabs may be available on the Edit Endpoints dialog box:

VPN Interface Tab, page G-19

Protected Networks Tab, page G-27

FWSM Tab, page G-29

VRF Aware IPsec Tab, page G-31

Navigation Path

You can access the Edit Endpoints dialog box from the Endpoints Page,
page G-14 (or tab). Then select a device in the Endpoints table, and click Edit.
Related Topics

Endpoints Page, page G-14

Defining the Endpoints and Protected Networks, page 9-28

Configuring Dial Backup, page 9-39

Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface, page 9-40

Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-48

Configuring VRF-Aware IPsec Settings, page 9-55

If the device you selected for editing in the Endpoints table is a hub in a large
scale DMVPN, the Hub Interface tab opens, enabling you to specify the
interface that is connected to the IPsec Terminator, in the field provided. For
more information, see Configuring Large Scale DMVPNs, page 9-107.

If you selected a Catalyst 6500/7600 device in the Endpoints table for editing,
the VPN Interface tab provides settings that enable you to configure a VPN
Services Module (VPNSM) or a VPN SPA blade on the device. For more
information, see Defining VPN Services Module (VPNSM) or VPN SPA
Settings, page G-24. For a description of the elements that appear on the VPN
Interface tab for a Catalyst 6500/7600 device, see Table G-8 on page G-25.

VPN Interface Tab

Use the VPN Interface tab in the Edit Endpoints dialog box to edit the VPN interfaces defined for devices in the Endpoints table.

Note: When defining a primary VPN interface for a router device, you can also configure a backup interface to use as a fallback link for the primary route VPN interface, if its connection link becomes unavailable. You can configure a backup interface on a Cisco IOS security router that is in a point-to-point or full mesh topology, or that is a spoke in a hub-and-spoke topology, or is a remote client in an Easy VPN topology. For more information, see Understanding Dial Backup, page 9-37.
Navigation Path

The VPN Interface tab is displayed when you open the Edit Endpoints Dialog
Box, page G-18. You can also open it by clicking the VPN Interface tab from any
other tab in the Edit Endpoints dialog box.
Related Topics

Edit Endpoints Dialog Box, page G-18

Defining the Endpoints and Protected Networks, page 9-28

Configuring Dial Backup, page 9-39

Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-44

Field Reference

Table G-7 describes the elements on the VPN Interface tab when a device other than a Catalyst 6500/7600 is selected. For a description of the elements that appear on the VPN Interface tab for a Catalyst 6500/7600 device, see Table G-8 on page G-25.

Table G-7 Edit Endpoints Dialog Box > VPN Interface Tab

Enable the VPN Interface Changes on All Selected Peers
    Available if you selected more than one device on the Endpoints page for editing.
    When selected, applies any changes you make in the VPN Interface tab to all the selected devices.

VPN Interface
    The VPN interface defined for the selected device. The default is External.
    VPN interfaces are predefined interface role objects. If required, click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects. For more information, see Interface Roles Page, page F-416.
    If the device is an ASA 5505 version 7.2(1) or later, it must have two interfaces defined with different security levels. For more information, see Configuring PIX 7.0/ASA Interfaces in Single Context Mode, page 15-6.

Connection Type
    Only available in a hub-and-spoke VPN topology, if the selected device is an ASA or PIX 7.0 hub, and the selected technology is Regular IPsec.
    Select the type of connection that the ASA hub will use during an SA negotiation:
    Answer Only: To configure the hub to only respond to an SA negotiation, but not initiate it.
    Originate Only: To configure the hub to only initiate an SA negotiation, but not respond to one.
    Bidirectional: To configure the hub to both initiate and respond to an SA negotiation.

Peer IP Address
    Unavailable if the selected technology is Easy VPN.
    Specifies the IP address of the VPN interface of the peer device. You can select one of the following options:
    VPN Interface IP Address: This is the default. Uses the configured IP address on the selected VPN interface. Only one VPN interface can match the interface role.
    IP Address for IPsec Termination: To enter manually the IP address of the peer device. Enter the IP address in the field provided. Only one VPN interface can match the interface role.
    IP Address of Another Existing Interface to be Used as Local Address (unavailable if IPsec technology is DMVPN): To use the configured IP address on any interface as a local address, not necessarily a VPN interface. Enter the interface in the field provided. You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object. For more information, see Interface Roles Page, page F-416.

Tunnel Source
    Available only for a hub when the selected technology is IPsec/GRE or DMVPN.
    Specifies the tunnel source address to be used by the GRE or DMVPN tunnel on the spoke side. You can select one of the following options:
    VPN Interface: This is the default. Uses the selected VPN interface as the tunnel source address.
    Another Existing Interface: To use any interface as the tunnel source address, not necessarily a VPN interface. Enter the interface in the field provided. You can choose the required interface by clicking Select. A dialog box opens that lists all available predefined interface roles, and in which you can create an interface role object. For more information, see Interface Roles Page, page F-416.

Dial Backup Settings

Enable Backup
    Available if the selected device is an IOS router that is in a point-to-point or full mesh topology, or that is a spoke in a hub-and-spoke topology, or is a remote client in an Easy VPN topology.
    When selected, enables you to configure a backup interface to use as a fallback link for the primary route VPN interface, if its connection link becomes unavailable.
    Note: Before configuring a backup interface, you must first configure the dialer interface settings on the device. For more information, see Dialer Interfaces on Cisco IOS Routers, page 14-34.

Dialer Interface
    The logical interface through which the secondary route traffic is directed when the dialer interface is activated. This can be a Serial, Async, or BRI interface.
    You can choose the required interface by clicking Select. A dialog box opens that lists all available interfaces and predefined interface roles, and in which you can create an interface role object.

Primary Next Hop IP Address
    Available only if the selected technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN.
    The IP address to which the primary interface connects when it is active. This is known as the next hop IP address.
    If you do not specify the next hop IP address, Security Manager configures a static route using the VPN interface name. The VPN interface must be point-to-point or deployment fails.
    You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Tracking IP Address
    The IP address of the destination device to which connectivity must be maintained from the primary VPN interface connection. This is the device that is pinged by the Service Assurance agent through the primary route to track connectivity. The backup connection is triggered if connectivity to this device is lost.
    Note: If you do not specify an IP address, the primary hub VPN interface is used in a hub-and-spoke or Easy VPN topology. In a point-to-point or full mesh VPN topology, the peer VPN interface is used.
    You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Advanced button
    Available if the selected technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN.
    Opens the Dial Backup Settings dialog box for configuring additional (optional) settings. See Dial Backup Settings Dialog Box, page G-36.

OK button
    Saves your changes locally on the client and closes the dialog box. The changes appear in the Endpoints table for the selected device(s).
Defining VPN Services Module (VPNSM) or VPN SPA Settings

When you select a Catalyst 6500/7600 device in the Endpoints table for editing,
the VPN Interface tab of the Edit Endpoints dialog box provides settings for
configuring a VPN Services Module (VPNSM) or VPN SPA on the device. You
can select more than one Catalyst 6500/7600 device at the same time. Your
changes are applied to all the selected devices.

Note: These settings must also be configured if the selected device is an IPsec Terminator in a large scale DMVPN. See Configuring Large Scale DMVPNs, page 9-107.

Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory and discover its interfaces. For more information, see Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-44.

If you are configuring a VPNSM or VPN SPA with VRF-Aware IPsec on a device, verify that the device does not belong to a different VPN topology in which VRF-Aware IPsec is not configured. Similarly, if you are configuring a VPNSM or VPN SPA without VRF-Aware IPsec, make sure that the device does not belong to a different VPN topology in which VRF-Aware IPsec is configured. A device must use VRF-Aware IPsec either in all of its VPN topologies or in none of them.


Field Reference

Table G-8 describes the elements that appear on the VPN Interface tab of the Edit Endpoints dialog box, after you select a Catalyst 6500/7600 device (or IPsec Terminator) in the Endpoints dialog box.

Table G-8 Edit Endpoints Dialog Box > VPN Interface Tab > VPNSM/VPN SPA Settings

Enable the VPN Interface Changes on All Selected Peers
    Available if you selected more than one Catalyst 6500/7600 device for editing in the Endpoints page.
    When selected, applies any changes you make in the VPN Interface tab to all the selected devices.

VPNSM/VPN SPA Settings

VPN Interface
    The inside VLAN that serves as the inside interface to the VPN Services Module or VPN SPA. It is also the hub endpoint of the VPN tunnel (unless VRF-Aware IPsec is configured on the device).
    If required, click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

Slot
    From the list of available slots, select the VPNSM blade slot number to which the inside VLAN interface is connected, or the number of the slot in which the VPN SPA blade is inserted.
    For more information, see Adding VPN SPA Slot Locations, page 5-35.

Subslot
    The number of the subslot (0 or 1) on which the VPN SPA blade is actually installed.
    Note: If you are configuring a VPNSM, select the blank option.

External Port
    The external port or VLAN that connects to the inside VLAN.
    Note: If VRF-Aware IPsec is configured on the device, the external port or VLAN must have an IP address. If VRF-Aware IPsec is not configured, the external port or VLAN must not have an IP address.
    Click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.
    Note: You must select an interface or interface role that differs from the one selected for the inside VLAN.

Enable Failover Blade
    When selected, enables you to configure a failover VPNSM or VPN SPA blade for intrachassis high availability.
    Note: A VPNSM blade and VPN SPA blade cannot be used on the same device as primary and failover blades.

Failover Slot
    From the list of available slots, select the VPNSM blade slot number that will serve as the failover blade, or the number of the slot in which the failover VPN SPA blade is inserted.

Failover Subslot
    Select the number of the subslot (0 or 1) on which the failover VPN SPA blade is actually installed.
    Note: If you are configuring a VPNSM, select the blank option.

Peer IP Address
    The IP address of the VPN interface of the peer device. You can select one of the following options:
    VPN Interface IP Address: To use the configured IP address on the selected VPN interface.
    IP Address for IPsec Termination: To enter manually the IP address of the peer device. Enter the IP address in the field provided.
    IP Address of Another Existing Interface to be Used as Local Address: To use the configured IP address as a local address on any interface (not necessarily a VPN interface). Enter the interface in the field provided, or click Select to choose the required interface from a list of available predefined interfaces and interface role objects.

OK button
    Saves your changes locally on the client and closes the dialog box. The changes appear in the Endpoints table for the selected device(s).

Protected Networks Tab


Use the Protected Networks tab on the Edit Endpoints dialog box to edit the
protected networks that are defined on a selected device in the Endpoints table.
You can specify the protected networks as interface roles whose naming patterns
match the internal VPN interface type of the device, as network objects containing
one or more network or host IP addresses, interfaces, or other network objects, or
as access control lists (if Regular IPsec is the assigned technology).
For more information, see:

Understanding Interface Role Objects, page 8-115

Understanding Network/Host Objects, page 8-127

Understanding Access Control List Objects, page 8-31


Navigation Path

You can access the Protected Networks tab from the Edit Endpoints dialog box.
Open the Edit Endpoints Dialog Box, page G-18, then click the Protected
Networks tab.
Related Topics

Edit Endpoints Dialog Box, page G-18

Defining the Endpoints and Protected Networks, page 9-28

Field Reference

Table G-9 Edit Endpoints Dialog Box > Protected Networks Tab

Enable the Protected Networks Changes on All Selected Peers
    Available if you selected more than one device for editing in the Endpoints page.
    When selected, applies any changes you make in the Protected Networks tab to all the selected devices.

Available Protected Networks
    A hierarchy of all available protected networks, including the interface roles whose naming pattern may match the internal VPN interface type of the device. If Regular IPsec is the assigned technology, access control lists (ACLs) are also included in the list of available protected networks.
    Note: In a hub-and-spoke VPN topology in which Regular IPsec is the assigned technology, when an ACL object is used to define the protected network on a spoke, Security Manager mirrors the spoke's ACL object on the hub to the matching crypto map entry.
    Select the interface role(s), protected networks, and/or access control lists that you want to define for the selected device, then click >>.

Selected Protected Networks
    The protected networks and interface roles you selected for the device.
    Note: You can reorder the selected protected networks/interface roles in the list by selecting them (one at a time), then clicking the Move Up or Move Down button, as required.

>> button
    Moves protected networks from the available networks list to the selected networks list.

<< button
    Removes protected networks from the selected list.

Create button
    If the required interface roles, protected networks, or access control lists do not appear in the Available Protected Networks list, click Create and select the required option to create an interface role, protected network, or access control list.
    Note: The Access Control List option is only available if the assigned technology is Regular IPsec.
    If you select the Interface Role option, the Interface Role Editor page opens in which you can create an interface role object. For more information, see Creating Interface Role Objects, page 8-116.
    If you select the Protected Network option, the Network Editor page opens in which you can create a network object. For more information, see Creating Network/Host Objects, page 8-131.
    If you select the Access Control List option, the Access Lists Editor page opens in which you can create an access control list object. For more information, see Creating Access Control List Objects, page 8-36.

OK button
    Saves your changes locally on the client and closes the dialog box. The changes appear in the Endpoints table for the selected device(s).
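The spoke-to-hub ACL mirroring that the Available Protected Networks note describes, worked through as an added example. This is not Security Manager code: the ACL entry layout (action, protocol, source, destination, source port, destination port), the one-line text form the parser accepts, and the sample networks are all constructed for illustration. What it shows is the rule Security Manager applies for you, and which you must apply by hand on any hub it does not manage: the crypto ACL bound to the hub's matching crypto map entry is the spoke's ACL with source and destination (and their ports) swapped, in the same order, otherwise the proxy identities the two sides offer during the IPsec SA negotiation do not match and the tunnel does not come up.

```python
"""Mirror a spoke's crypto ACL for the hub side of a Regular IPsec tunnel.

Added example; not Security Manager code. The entry layout and the
one-line text form parsed below are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip", "tcp", "udp", ...
    src: Network
    dst: Network
    src_port: str = "any"  # port match as written, e.g. "any" or "eq-443"
    dst_port: str = "any"

    def mirrored(self) -> "AclEntry":
        """The same traffic as seen from the peer: endpoints and ports swapped."""
        return AclEntry(self.action, self.protocol,
                        self.dst, self.src, self.dst_port, self.src_port)


def parse_entry(line: str) -> AclEntry:
    """Parse the constructed one-line form:
    '<action> <protocol> <src-prefix> <dst-prefix> [<src-port> [<dst-port>]]'."""
    parts = line.split()
    if len(parts) < 4 or len(parts) > 6:
        raise ValueError(f"cannot parse ACL entry: {line!r}")
    action, protocol, src, dst = parts[:4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACL entry: {line!r}")
    src_port = parts[4] if len(parts) > 4 else "any"
    dst_port = parts[5] if len(parts) > 5 else "any"
    return AclEntry(action, protocol,
                    ip_network(src, strict=False), ip_network(dst, strict=False),
                    src_port, dst_port)


def mirror_acl(spoke_acl: List[AclEntry]) -> List[AclEntry]:
    """Build the hub-side ACL. Order is preserved: the ACL is bound to one
    crypto map entry and is matched top-down on both peers."""
    return [entry.mirrored() for entry in spoke_acl]


def is_mirror_pair(spoke_acl: List[AclEntry], hub_acl: List[AclEntry]) -> bool:
    """True when hub_acl is, entry for entry and in order, the mirror of spoke_acl."""
    return len(spoke_acl) == len(hub_acl) and all(
        s.mirrored() == h for s, h in zip(spoke_acl, hub_acl))


def format_entry(entry: AclEntry) -> str:
    return (f"{entry.action} {entry.protocol} {entry.src} {entry.dst} "
            f"{entry.src_port} {entry.dst_port}")


# Constructed sample: what one spoke protects towards the hub.
SPOKE_ACL_TEXT = [
    "permit ip 10.2.0.0/24 10.1.0.0/16",
    "permit tcp 10.2.0.0/24 10.1.10.0/24 any eq-443",
]


def build_hub_acl(spoke_text: List[str] = SPOKE_ACL_TEXT) -> List[AclEntry]:
    """Parse a spoke ACL and return the hub ACL that mirrors it."""
    return mirror_acl([parse_entry(line) for line in spoke_text])


if __name__ == "__main__":
    spoke = [parse_entry(line) for line in SPOKE_ACL_TEXT]
    for entry in mirror_acl(spoke):
        print(format_entry(entry))
    # Copying the spoke ACL to the hub unchanged is the classic mistake.
    print("unswapped copy is a valid mirror:", is_mirror_pair(spoke, spoke))
```

The `is_mirror_pair` check is the useful part when the hub is not under Security Manager control: run it against the hub's crypto ACL before deployment, since a copied-but-unswapped ACL passes a casual visual review and only fails at SA negotiation time.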

FWSM Tab

Note: The FWSM tab is only available in a hub-and-spoke VPN topology, when the selected hub is a Catalyst 6500/7600 device.


Use the FWSM tab on the Edit Endpoints dialog box to define the settings that
enable you to connect between a Firewall Services Module (FWSM) and an IPsec
VPN Services Module (VPNSM) or VPN SPA, that is already configured on a
Catalyst 6500/7600 device.

Note: Before defining the FWSM settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory. Then open Cisco Catalyst Device Manager (Cisco CDM), discover the FWSM configurations on the device, and assign a VLAN that will serve as the inside interface to the FWSM. For more information, see:

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-48

Discovering Policies, page 6-7

Creating or Editing VLANs, page 16-13

Navigation Path

You can access the FWSM tab from the Edit Endpoints dialog box. Open the Edit
Endpoints Dialog Box, page G-18, then click the FWSM tab.

Note

Make sure you selected a Catalyst 6500/7600 device in the table on the Endpoints
Page, page G-14 (or tab), before opening the Edit Endpoints dialog box.
Related Topics

Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-48

Defining VPN Services Module (VPNSM) or VPN SPA Settings, page G-24

Edit Endpoints Dialog Box, page G-18


Field Reference

Table G-10 Edit Endpoints Dialog Box > FWSM Tab

Enable FWSM Settings
    When selected, enables you to configure the connection between the Firewall Services Module (FWSM) and the VPN Services Module (VPNSM) or VPN SPA on the selected Catalyst 6500/7600 device.

FWSM Inside VLAN
    The VLAN which serves as the inside interface to the Firewall Services Module (FWSM).
    If required, click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, and in which you can make your selection, or create interface role objects.

FWSM Blade
    From the list of available blades, select the blade number to which the selected FWSM inside VLAN interface is connected.

Security Context
    If the selected FWSM inside VLAN is part of a security context, specify its name in this field. The name is case-sensitive.
    You can partition an FWSM into multiple virtual firewalls, known as security contexts. A security context is an independent virtual firewall that has its own security policy, interfaces, and administrators. You can define security contexts when you import a Catalyst 6500/7600 device into the Security Manager inventory. For more information, see Security Contexts Page, page L-265.

OK button
    Saves your changes locally on the client and closes the dialog box.

VRF Aware IPsec Tab


Use the VRF-Aware IPsec tab on the Edit Endpoints dialog box to configure a
VRF-Aware IPsec policy on a hub in your hub-and-spoke VPN topology. When
you select the row in the Endpoints table that contains the required hub device (the
IPsec Aggregator), and click Edit, the VRF Aware IPsec tab opens. You can
configure VRF-Aware IPsec as a one-box or two-box solution.

Note:

    In a VPN topology with two hubs, you must configure VRF-Aware IPsec on both devices.

    You cannot configure VRF-Aware IPsec on a device that belongs to another VPN topology in which VRF-Aware IPsec is not configured.

    Deployment may fail if the IPsec Aggregator is configured with the same keyring CLI command as the existing preshared key (keyring) command, and is not referenced by any other command. In this case, Security Manager does not use the VRF keyring CLI, but generates the keyring with a different name, causing deployment to fail. You must manually remove the preshared key keyring command through the CLI, before you can deploy the configuration.

For more information about creating or editing a VRF-Aware IPsec policy, see Understanding VRF-Aware IPsec, page 9-51.
Navigation Path

You can access the VRF-Aware IPsec tab from the Edit Endpoints dialog box.
Open the Edit Endpoints Dialog Box, page G-18, then click the VRF-Aware
IPsec tab.

Note

Make sure you selected a hub device in the table on the Endpoints Page,
page G-14 (or tab), before opening the Edit Endpoints dialog box.
Related Topics

Edit Endpoints Dialog Box, page G-18

Configuring VRF-Aware IPsec Settings, page 9-55

Defining the Endpoints and Protected Networks, page 9-28


Field Reference
Table G-11

Edit Endpoints Dialog Box > VRF Aware IPsec Tab

Element

Description

Enable the VRF Settings


Changes on All Selected Peers

Available if you selected more than one device for editing in the
Endpoints page.
When selected, applies any changes you make in the VRF Settings
tab to all the selected devices.

Enable VRF Settings

When selected, enables the configuration of VRF settings on the


selected hub for the selected hub-and-spoke topology.
Note

To remove VRF settings that were defined for the VPN


topology, deselect this check box.

1-Box (IPsec Aggregator +


MPLS PE)

When selected, enables you to configure a one-box VRF solution.

2-Box (IPsec Aggregator Only)

When selected (the default), enables you to configure a two-box


VRF solution.

In the one-box solution, one device serves as the Provider Edge (PE)
router that does the MPLS tagging of the packets in addition to
IPsec encryption and decryption from the Customer Edge (CE)
devices. For more information, see VRF-Aware IPsec One-Box
Solution, page 9-52.

In the two-box solution, the PE device does just the MPLS tagging,
while the IPsec Aggregator device does the IPsec encryption and
decryption from the CEs. For more information, see VRF-Aware
IPsec Two-Box Solution, page 9-53.
VRF Name

The name of the VRF routing table on the IPsec Aggregator. The
VRF name is case-sensitive.

Route Distinguisher
    The unique identifier of the VRF routing table on the IPsec
    Aggregator. This unique route distinguisher maintains the routing
    separation for each VPN across the MPLS core to the other PE routers.
    The identifier can be in either of the following formats:
      IP address:X (where X is in the range 0-2147483647).
      N:X (where N is in the range 0-65535, and X is in the range
      0-2147483647).
    Note: You cannot override the RD identifier after deploying the VRF
    configuration to your device. To modify the RD identifier after
    deployment, you must manually remove it using the device CLI, and
    then deploy again.

Interface Towards Provider Edge
    Available only when a 2-Box solution is selected.
    Specify the VRF forwarding interface on the IPsec Aggregator towards
    the PE device.
    Note: If the IPsec Aggregator (hub) is a Catalyst VPN service module,
    you must specify a VLAN.
    Interfaces and VLANs are predefined interface role objects. If
    required, you can click Select to open a dialog box that lists all
    available interfaces, and sets of interfaces defined by interface
    roles, in which you can make your selection, or create interface
    role objects.


Routing Protocol
    Available only when a 2-Box solution is selected.
    Select the routing protocol to be used between the IPsec Aggregator
    and the PE.
    If the routing protocol used for the secured IGP differs from the
    routing protocol between the IPsec Aggregator and the PE, select the
    routing protocol to use for redistributing the routing to the secured
    IGP.
    The options are BGP, EIGRP, OSPF, RIPv2, or Static route. The default
    is BGP.
    For information about protocols, see Chapter 14, Managing Routers.

AS Number
    Available only when a 2-Box solution is selected.
    Enter the number that will be used to identify the autonomous system
    (AS) area between the IPsec Aggregator and the PE.
    If the routing protocol used for the secured IGP differs from the
    routing protocol between the IPsec Aggregator and the PE, enter an AS
    number that will be used to identify the secured IGP into which the
    routing will be redistributed from the IPsec Aggregator and the PE.
    This is relevant only when IPsec/GRE or DMVPN are applied.
    The AS number must be within the range 1-65535.

Process Number
    Available only if the 2-Box radio button is selected, and if the
    selected routing protocol is OSPF.
    The routing process ID number that will be used to identify the
    secured IGP. The range is 1-65535.

OSPF Area ID
    Available only if the 2-Box radio button is selected, and if the
    selected routing protocol is OSPF.
    The ID number of the area in which the packet belongs. You can enter
    any number from 0-4294967295.
    Note: All OSPF packets are associated with a single area, so all
    devices must have the same area ID number.


Next Hop IP Address
    Available only when a 2-Box solution is selected with static routing.
    Specify the IP address of the interface that is connected to the
    IPsec Aggregator.

Redistribute Static Route
    Available only when a 2-Box solution is selected with any routing
    protocol other than Static route.
    When selected, enables static routes to be advertised in the routing
    protocol configured on the IPsec Aggregator towards the PE device.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: When you select the new or edited hub-and-spoke topology in the
    Site-to-Site VPN Manager window, an indication of VRF-Aware IPsec
    configuration appears in the VPN Summary page. See VPN Summary Page,
    page G-3.
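As an added example (not Security Manager code), the following Python checks a VRF-Aware IPsec settings record against the rules Table G-11 states: the two Route Distinguisher formats and their ranges, the fields that exist only for a 2-Box solution, the OSPF-only and Static-route-only fields, and the numeric ranges. The `VrfSettings` class, its field names and the sample values are assumptions made for this example.

```python
"""Validator for the VRF-Aware IPsec tab settings described in Table G-11.

Added example, not part of the Security Manager product. Field names on
the VrfSettings class are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Routing protocols offered in the Routing Protocol list (Table G-11).
ROUTING_PROTOCOLS = ("BGP", "EIGRP", "OSPF", "RIPv2", "Static route")


def validate_route_distinguisher(rd: str) -> bool:
    """Accept 'A.B.C.D:X' or 'N:X' with N in 0-65535 and X in 0-2147483647.

    The 'IP address' form is assumed to be an IPv4 address.
    """
    left, sep, right = rd.rpartition(":")
    if not sep or not right.isdigit():
        return False
    if not 0 <= int(right) <= 2147483647:
        return False
    if left.isdigit():                      # N:X form
        return 0 <= int(left) <= 65535
    try:                                    # IP address:X form
        ipaddress.IPv4Address(left)
        return True
    except ipaddress.AddressValueError:
        return False


@dataclass
class VrfSettings:
    enable_vrf: bool = True
    solution: str = "2-Box"                 # "1-Box" or "2-Box" (default)
    vrf_name: str = ""
    route_distinguisher: str = ""
    interface_towards_pe: str = ""          # 2-Box only
    routing_protocol: str = "BGP"           # 2-Box only; default BGP
    as_number: Optional[int] = None         # 2-Box only, 1-65535
    process_number: Optional[int] = None    # 2-Box + OSPF only, 1-65535
    ospf_area_id: Optional[int] = None      # 2-Box + OSPF only, 0-4294967295
    next_hop_ip: str = ""                   # 2-Box + Static route only
    redistribute_static: bool = False       # 2-Box + non-static protocol only


def validate_vrf_settings(s: VrfSettings) -> List[str]:
    """Return the list of rule violations; an empty list means consistent."""
    errors: List[str] = []
    if not s.enable_vrf:
        return errors   # deselecting the box removes the VRF settings
    if s.solution not in ("1-Box", "2-Box"):
        errors.append("solution must be 1-Box or 2-Box")
    if not s.vrf_name:
        errors.append("VRF Name is required")
    if not validate_route_distinguisher(s.route_distinguisher):
        errors.append("Route Distinguisher must be IP:X or N:X")
    if s.solution == "1-Box":
        # Every remaining field is available only when 2-Box is selected.
        two_box_only = (s.interface_towards_pe, s.as_number, s.process_number,
                        s.ospf_area_id, s.next_hop_ip)
        if any(v not in ("", None) for v in two_box_only) or s.redistribute_static:
            errors.append("2-Box-only fields set in a 1-Box solution")
        return errors
    if not s.interface_towards_pe:
        errors.append("Interface Towards Provider Edge is required")
    if s.routing_protocol not in ROUTING_PROTOCOLS:
        errors.append("unknown routing protocol")
    if s.as_number is not None and not 1 <= s.as_number <= 65535:
        errors.append("AS Number must be within 1-65535")
    if s.routing_protocol == "OSPF":
        if s.process_number is None or not 1 <= s.process_number <= 65535:
            errors.append("Process Number (1-65535) is required for OSPF")
        if s.ospf_area_id is None or not 0 <= s.ospf_area_id <= 4294967295:
            errors.append("OSPF Area ID (0-4294967295) is required for OSPF")
    elif s.process_number is not None or s.ospf_area_id is not None:
        errors.append("Process Number / OSPF Area ID apply only to OSPF")
    if s.routing_protocol == "Static route":
        if not s.next_hop_ip:
            errors.append("Next Hop IP Address is required for Static route")
        if s.redistribute_static:
            errors.append("Redistribute Static Route needs a non-static protocol")
    elif s.next_hop_ip:
        errors.append("Next Hop IP Address applies only to Static route")
    return errors


if __name__ == "__main__":
    # Constructed sample: a 2-Box hub running OSPF towards the PE.
    sample = VrfSettings(vrf_name="cust-a", route_distinguisher="65000:100",
                         interface_towards_pe="GigabitEthernet0/1",
                         routing_protocol="OSPF", process_number=10, ospf_area_id=0)
    print(validate_vrf_settings(sample) or "settings are consistent")
```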

Dial Backup Settings Dialog Box


Use the Dial Backup Settings dialog box to define optional settings for
configuring a dial backup policy for your site-to-site VPN. These settings are
available for Regular IPsec, IPsec/GRE, GRE Dynamic IP, or Easy VPN
technologies.
Mandatory settings for dial backup are configured in the VPN Interface tab on the
Edit Endpoints dialog box. See VPN Interface Tab, page G-19.

Note

You must configure the dialer interface settings before dial backup can work
properly. For more information, see Dialer Interfaces on Cisco IOS Routers,
page 14-34.
Navigation Path

Open the VPN Interface Tab, page G-19 from the Edit Endpoints dialog box,
select the Enable check box in the Backup area, and click Advanced.
Related Topics

Defining the Endpoints and Protected Networks, page 9-28


Configuring Dial Backup, page 9-39

Easy VPN with Dial Backup, page 9-110

VPN Interface Tab, page G-19

Field Reference

Table G-12    Dial Backup Settings Dialog Box

Next Hop Forwarding

Backup Next Hop IP Address
    If required, enter the next hop IP address of the ISDN BRI or analog
    modem backup interface (that is, the IP address to which the backup
    interface will connect when it is active).
    If you do not enter the next hop IP address, Security Manager
    configures a static route using the interface name.
    You can choose the required IP address by clicking Select. The
    Network/Hosts selector opens, in which you can select a network from
    which the IP address will be allocated.

Tracking Object Settings

Timeout
    The number of milliseconds the Service Assurance Agent operation
    waits to receive a response from the destination device. The default
    is 5000 ms.

Frequency
    How often Response Time Reporter (RTR) should be used to detect loss
    of performance on the primary route. The default is every 60 seconds.

Threshold
    The rising threshold in milliseconds that generates a reaction event
    and stores history information for the RTR operation. The default is
    5000 ms.

OK button
    Saves your changes locally on the client and closes the dialog box.

High Availability Page


Use the High Availability page to define a group of hubs as an HA group.


Note

When editing a VPN topology, the High Availability tab is used. The elements of
the tab (except for the buttons) are identical to those that appear on the High
Availability page. For more information, see Editing a VPN Topology, page 9-35.
High Availability may be configured in a hub-and-spoke VPN topology when
Regular IPsec or Easy VPN is the assigned technology.
For more information about the prerequisites for configuring high availability, see
Prerequisites for Successful High Availability Configuration, page 9-59.
Navigation Path

When creating a hub-and-spoke VPN topology, open the Create VPN Wizard,
page G-9, then click Next on the Endpoints page.

When editing a hub-and-spoke or Easy VPN topology, click the High
Availability tab in the Edit VPN dialog box.

Related Topics

Understanding High Availability, page 9-58

Configuring High Availability in Your VPN Topology, page 9-60

Easy VPN with High Availability, page 9-110

Create VPN Wizard, page G-9

Endpoints Page, page G-14


Field Reference

Table G-13    Create VPN wizard > High Availability Page

Enable
    When selected, enables you to configure high availability on a group
    of hubs. When deselected, enables you to remove an HA group that was
    defined for the VPN topology.

Inside Virtual IP
    The IP address that is shared by the hubs in the HA group and
    represents the inside interface of the HA group. The virtual IP
    address must be on the same subnet as the inside interfaces of the
    hubs in the HA group, but must not be identical to the IP address of
    any of these interfaces.
    You can choose the required IP address by clicking Select. The
    Network/Hosts selector opens, in which you can select a network from
    which the IP address is allocated.
    Note: If there is an existing standby group on the device, make sure
    that the IP address you provide is different from the virtual IP
    address already configured on the device.

Inside Mask
    The subnet mask for the inside virtual IP address.

VPN Virtual IP
    The IP address that is shared by the hubs in the HA group and
    represents the VPN interface of the HA group. This IP address serves
    as the hub endpoint of the VPN tunnel.
    You can choose the required IP address by clicking Select. The
    Network/Hosts selector opens, in which you can select a host from
    which the IP address is allocated.
    Note: If there is an existing standby group on the device, make sure
    that the IP address you provide is different from the virtual IP
    address already configured on the device.

VPN Mask
    The subnet mask for the VPN virtual IP address.

Hello Interval
    The duration in seconds (within the range of 1-254) between each
    hello message sent by a hub to the other hubs in the group to
    indicate status and priority. The default is 5 seconds.


Hold Time
    The duration in seconds (within the range of 2-255) that a standby
    hub will wait to receive a hello message from the active hub before
    concluding that the hub is down. The default is 15 seconds.

Standby Group Number (Inside)
    The standby number of the inside hub interface that matches the
    internal virtual IP subnet for the hubs in the HA group. The number
    must be within the range of 0-255. The default is 1.

Standby Group Number (Outside)
    The standby number of the outside hub interface that matches the
    external virtual IP subnet for the hubs in the HA group. The number
    must be within the range of 0-255. The default is 2.
    Note: The outside standby group number must be different from the
    inside standby group number.

Stateful Failover
    When selected, enables SSO for stateful failover.
    Note: In an Easy VPN topology, this check box appears selected and
    disabled, as stateful failover must always be configured.
    You can only configure stateful failover on an HA group that contains
    two hubs that are Cisco IOS routers. This check box is disabled if the
    HA group contains more than two hubs.
    Note: When deselected in a Regular IPsec topology, stateless failover
    is configured on the HA group. Stateless failover will also be
    configured if the HA group contains more than two hubs. Stateless
    failover can be configured on Cisco IOS routers or Catalyst 6500/7600
    devices.
    For more information, see Enabling Stateful Failover, page 9-59.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: When you select the new or edited hub-and-spoke topology in the
    Site-to-Site VPN Manager window, the VPN Summary page displays the
    details of the High Availability policy configured. See VPN Summary
    Page, page G-3.
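As an added example that is not part of the product, the following Python applies the constraints of Table G-13 to a proposed HA group: virtual IPs that lie on the hub subnets but equal none of the hub addresses, the hello, hold and standby group ranges, distinct inside and outside standby groups, and the failover mode the table says results from the check box and hub count. The `Hub` and `HaGroup` classes and the sample addresses are constructed for this example.

```python
"""Consistency checks for the High Availability page settings (Table G-13).

Added example, not Security Manager code. The Hub and HaGroup classes and
their field names are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Hub:
    name: str
    inside_ip: str          # address of the hub's inside interface
    vpn_ip: str             # address of the hub's VPN (outside) interface
    is_ios_router: bool     # True for Cisco IOS router, False for Catalyst 6500/7600


@dataclass
class HaGroup:
    hubs: List[Hub]
    inside_virtual_ip: str
    inside_mask: str
    vpn_virtual_ip: str
    vpn_mask: str
    hello_interval: int = 5             # 1-254, default 5
    hold_time: int = 15                 # 2-255, default 15
    standby_group_inside: int = 1       # 0-255, default 1
    standby_group_outside: int = 2      # 0-255, default 2
    stateful_failover: bool = False
    technology: str = "Regular IPsec"   # or "Easy VPN"


def _check_virtual_ip(label: str, vip: str, mask: str,
                      hub_ips: List[str], errors: List[str]) -> None:
    """The virtual IP must share the hubs' subnet but equal none of their addresses."""
    net = ipaddress.IPv4Network(f"{vip}/{mask}", strict=False)
    virtual = ipaddress.IPv4Address(vip)
    for ip in hub_ips:
        addr = ipaddress.IPv4Address(ip)
        if addr == virtual:
            errors.append(f"{label} must differ from hub interface {ip}")
        elif addr not in net:
            errors.append(f"{label} is not on the subnet of hub interface {ip}")


def validate_ha_group(g: HaGroup) -> List[str]:
    """Return the list of rule violations; an empty list means consistent."""
    errors: List[str] = []
    _check_virtual_ip("Inside Virtual IP", g.inside_virtual_ip, g.inside_mask,
                      [h.inside_ip for h in g.hubs], errors)
    _check_virtual_ip("VPN Virtual IP", g.vpn_virtual_ip, g.vpn_mask,
                      [h.vpn_ip for h in g.hubs], errors)
    if not 1 <= g.hello_interval <= 254:
        errors.append("Hello Interval must be within 1-254")
    if not 2 <= g.hold_time <= 255:
        errors.append("Hold Time must be within 2-255")
    for label, n in (("Inside", g.standby_group_inside),
                     ("Outside", g.standby_group_outside)):
        if not 0 <= n <= 255:
            errors.append(f"Standby Group Number ({label}) must be within 0-255")
    if g.standby_group_inside == g.standby_group_outside:
        errors.append("outside standby group number must differ from the inside one")
    return errors


def failover_mode(g: HaGroup) -> str:
    """Return 'stateful' or 'stateless' as Table G-13 describes the outcome."""
    if g.technology == "Easy VPN":
        # Check box is selected and disabled: stateful failover is always configured.
        return "stateful"
    two_ios_hubs = len(g.hubs) == 2 and all(h.is_ios_router for h in g.hubs)
    if g.stateful_failover and two_ios_hubs:
        return "stateful"
    return "stateless"   # deselected, or more than two hubs


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges).
    hubs = [Hub("hub1", "10.1.1.2", "203.0.113.2", True),
            Hub("hub2", "10.1.1.3", "203.0.113.3", True)]
    group = HaGroup(hubs, "10.1.1.1", "255.255.255.0",
                    "203.0.113.1", "255.255.255.0", stateful_failover=True)
    print(validate_ha_group(group) or "HA group is consistent", failover_mode(group))
```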


VPN Defaults Page


Use the VPN Defaults page of the Create VPN wizard to view and select the
default site-to-site VPN policies that will be assigned to the VPN topology you
are creating. The page displays all the available mandatory and optional policies
that can be assigned to your VPN topology, according to the selected IPsec
technology.

Note

When you click Finish on this page, the default policies are assigned to the new
VPN topology. The policies you select will be applied only to the specific VPN
topology you are creating. If you want the selected policies to be applied to all
future VPN topologies that are created, you must change the policy defaults
selection on the Administration tools VPN Policy Defaults page.
For more information, see Understanding VPN Default Policies, page 9-12.
Navigation Path

Open the Create VPN Wizard, page G-9, then click Next on the Endpoints
page, or High Availability page (if you are configuring a hub-and-spoke VPN
topology).

Related Topics

Create VPN Wizard, page G-9

Understanding IPsec Technologies and Policies, page 9-8

About Mandatory and Optional Policies, page 9-9

Understanding VPN Default Policies, page 9-12

Assigning Default Policies to Your VPN Topology, page 9-31


Field Reference

Table G-14    Create VPN wizard > VPN Defaults Page

Policy type
    Lists the VPN policy types that can be assigned to your VPN topology.
    For each policy type, select the default VPN policy you want to
    assign to your VPN topology.
    You can accept the Factory Default policy (available for a mandatory
    policy only) or select a shared VPN policy that was created (and
    submitted or approved, depending on the workflow mode) using Security
    Manager.
    Note: If you want to assign a default policy that is not provided in
    the list, you can change the policy defaults selection in the
    Administration tools VPN Policy Defaults page. The policy will then
    be available for assignment to all future VPN topologies that are
    created. For more information, see Configuring VPN Policy Defaults,
    page 2-98.
    Note: If you try to select a default policy that is currently locked
    by another user, a message is displayed warning you of a lock
    problem. To bypass the lock, select a different policy or cancel the
    VPN topology creation until the lock is approved. For more
    information, see Understanding Locking, page 6-55.

View Content button
    Opens a page that displays the contents of the selected VPN policy.
    Note: If you make any changes on this page, you cannot save them.

Site to Site VPN Policies


You can access site-to-site VPN policies by selecting Tools > Site-To-Site VPN
Manager, or clicking the Site-To-Site VPN Manager button on the toolbar, and
then selecting the required policy in the Policies selector of the Site-to-Site VPN
window.
You can also access site-to-site VPN policies from Device view or Policy view.


In Device view, you can see the VPN topology (topologies) to which each device
in the CSM inventory belongs, and if necessary, change its assignment to or from
a VPN topology. For more information, see VPN Topologies Device View Page,
page G-104.
For more information about accessing site-to-site VPN policies from Policy view,
see Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65.
These topics describe the pages of the policies that you can assign to your VPN
topologies:

IKE Proposal Page, page G-43

IPsec Proposal Page, page G-45

VPN Global Settings Page, page G-49

Preshared Key Page, page G-59

Public Key Infrastructure Page, page G-63

GRE Modes Page, page G-66

Server Load Balance Page, page G-76

Easy VPN IPsec Proposal Page, page G-78

User Group Policy Page, page G-87

Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88

Client Connection Characteristics Page, page G-97

IKE Proposal Page


Use the IKE Proposal page to select the IKE proposal that will be used to secure
the IKE negotiation between two peers. An IKE proposal is a mandatory policy
that is already configured in your VPN topology with predefined default values.
On the IKE Proposal page, you can view the parameters of the selected IKE
proposal, select a different one from a list of predefined IKE proposals, or create
a new one.


Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select IKE Proposal in the Policies selector.

You can also open the IKE Proposal page from Policy view. See Managing
Shared Site-to-Site VPN Policies in Policy View, page 9-65.

Related Topics

Understanding IKE, page 9-67

Configuring an IKE Proposal, page 9-71

Understanding Preshared Key Policies, page 9-84

Preshared Key Page, page G-59

VPN Topologies Device View Page, page G-104

Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65

Field Reference

Table G-15    IKE Proposal Page

Available IKE Proposals
    Lists the predefined IKE proposals available for selection.
    Select the required IKE proposal in the list. The IKE proposal
    replaces the one in the Selected IKE Proposal field.
    IKE proposals are predefined objects. If the required IKE proposal is
    not included in the list, click Add to open the IKE Editor dialog box
    that enables you to create or edit an IKE proposal object. For more
    information, see IKE Proposal Dialog Box, page F-93.

Selected
    The selected IKE proposal with its predefined default values. The
    default is preshared_sha_3des_dh5_5.
    Note: You cannot edit the selected IKE proposal because it is a
    predefined object. You can only edit the properties of an IKE
    proposal object you create.
    To remove the IKE proposal from this field, select a different one.


Create button
    Opens the IKE Editor dialog box for creating an IKE proposal object.
    For more information, see IKE Proposal Dialog Box, page F-93.

Edit button
    Opens the IKE Editor dialog box for editing the selected IKE
    proposal. For more information, see IKE Proposal Dialog Box,
    page F-93.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.

IPsec Proposal Page


Use the IPsec Proposal page to edit the IPsec policy definitions for your VPN
topology.

Note

When configuring IPsec policy definitions on an Easy VPN server, the IPsec
Proposal page contains different elements. See Easy VPN IPsec Proposal Page,
page G-78.
Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select IPsec Proposal in the Policies selector.

You can also open the IPsec Proposal page from Policy view. See Managing
Shared Site-to-Site VPN Policies in Policy View, page 9-65.

Related Topics

Understanding IPsec Tunnel Policies, page 9-72

Configuring IPsec Proposals, page 9-77


Field Reference

Table G-16    IPsec Proposal Page

Crypto Map Type
    A crypto map combines all the components required to set up IPsec
    security associations. When two peers try to establish an SA, they
    must each have at least one compatible crypto map entry.
    Select the type of crypto map you want to generate:
      Static: Use a static crypto map in a point-to-point or full mesh
      VPN topology.
      Dynamic: Dynamic crypto maps can only be used in a hub-and-spoke
      VPN topology. Dynamic crypto map policies allow remote peers to
      exchange IPsec traffic with a local hub, even if the hub does not
      know the remote peer's identity.
    For more information, see About Crypto Maps, page 9-73.

Transform Sets
    The transform set(s) to use for your tunnel policy. Transform sets
    specify which authentication and encryption algorithms will be used
    to secure the traffic in the tunnel. You can select up to six
    transform sets.
    Note: Transform sets may use tunnel mode or transport mode of IPsec
    operation. When IPsec or Easy VPN is the assigned technology, you
    cannot use transport mode.
    A default transform set is displayed (tunnel_3des_sha). If you want
    to use a different transform set, or select additional transform
    sets, click Select to open a dialog box that lists all available
    transform sets, and in which you can create transform set objects.
    For more information, see IPsec Transform Sets Page, page F-422.
    If more than one of your selected transform sets is supported by both
    peers, the transform set that provides the highest security will be
    used.
    For more information, see About Transform Sets, page 9-74.


Enable Perfect Forward Secrecy
    When selected, enables the use of Perfect Forward Secrecy (PFS) to
    generate and use a unique session key for each encrypted exchange.
    The unique session key protects the exchange from subsequent
    decryption, even if the entire exchange was recorded and the attacker
    has obtained the preshared and/or private keys used by the endpoint
    devices.
    Note: To enable PFS, you must also select a Diffie-Hellman group for
    generating the PFS session key.

Modulus Group
    Available if Enable Perfect Forward Secrecy is selected.
    Select the required Diffie-Hellman key derivation algorithm from the
    Modulus Group list box.
    Security Manager supports Diffie-Hellman group 1, group 2, group 5,
    and group 7 key derivation algorithms. Each group has a different
    size modulus:
      Group 1 (the default): 768-bit modulus.
      Group 2: 1024-bit modulus.
      Group 5: 1536-bit modulus.
      Group 7: Use when the elliptical curve field size is 163
      characters.
    For more information, see Deciding Which Diffie-Hellman Group to Use,
    page 9-69.

Lifetime (sec)
    The number of seconds an SA will exist before expiring. The default
    is 3600 seconds (one hour).
    Lifetime refers to the global lifetime settings for the crypto IPsec
    security association (SA). The IPsec lifetime can be specified in
    seconds, in kilobytes, or both.


Lifetime (kbytes)
    The volume of traffic (in kilobytes) that can pass between IPsec
    peers using a given SA before it expires.
    Valid values depend on the device type. Enter a value within the
    range 10-2147483647 for an IOS router, and 2560-536870912 for a
    PIX 7.0/ASA device.
    The default value is 4,608,000 kilobytes.

QoS Preclassify
    Supported on Cisco IOS routers, except 7600 devices.
    When selected, enables the classification of packets before tunneling
    and encryption occur.
    The Quality of Service (QoS) for VPNs feature enables Cisco IOS QoS
    services to operate with tunneling and encryption on an interface.
    The QoS features on the output interface classify packets and apply
    the appropriate QoS service before the data is encrypted and
    tunneled, enabling traffic flows to be adjusted in congested
    environments, and resulting in more effective packet tunneling.


Reverse Route
    Supported on ASA devices, PIX 7.0 devices, and Cisco IOS routers
    except 7600 devices.
    Reverse Route Injection (RRI) enables static routes to be
    automatically inserted into the routing process for those networks
    and hosts protected by a remote tunnel endpoint. For more
    information, see About Reverse Route Injection, page 9-76.
    Select one of the following options to configure RRI on the crypto
    map:
      None: Disables the configuration of RRI on the crypto map.
      Standard: Creates routes based on the destination information
      defined in the crypto map access control list (ACL). This is the
      default option.
      Remote Peer: Creates two routes, one for the remote endpoint and
      one for route recursion to the remote endpoint via the interface to
      which the crypto map is applied.
      Remote Peer IP: Specifies an interface or address as the explicit
      next hop to the remote VPN device. Then, click Select to open the
      Network/Hosts Selector, from which you can select the IP address of
      the remote peer to be used as the next hop.
    Note: You can select the Allow Value Override per Device check box to
    override the default route, if required.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.
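As an added example, not Security Manager's own code, the following Python models the IPsec Proposal page rules of Table G-16 (Dynamic crypto maps only in hub-and-spoke, the six-transform-set limit, no transport mode when IPsec or Easy VPN is the technology, PFS requiring a Diffie-Hellman group, the per-device Lifetime (kbytes) ranges) and the "highest security wins" choice when more than one selected transform set is supported by both peers. The algorithm strength ranking, the `TransformSet` and `IpsecProposal` classes and the sample peer sets are assumptions made for this example.

```python
"""Model of the IPsec Proposal page choices described in Table G-16.

Added example, not Security Manager code. The strength ranking below is an
assumption made for the example, not a ranking defined by the product.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ordering from weakest to strongest (example only).
ENCRYPTION_RANK = {"null": 0, "des": 1, "3des": 2, "aes": 3, "aes-192": 4, "aes-256": 5}
HASH_RANK = {"none": 0, "md5": 1, "sha": 2}
# Lifetime (kbytes) ranges stated in Table G-16, keyed by device type.
LIFETIME_KBYTES_RANGE = {"IOS": (10, 2147483647), "PIX7.0/ASA": (2560, 536870912)}
DH_GROUPS = (1, 2, 5, 7)   # Modulus Group choices listed in the table


@dataclass(frozen=True)
class TransformSet:
    name: str
    encryption: str
    hash: str
    mode: str = "tunnel"        # "tunnel" or "transport"

    def strength(self):
        return (ENCRYPTION_RANK[self.encryption], HASH_RANK[self.hash])


# The default shown on the page.
DEFAULT_TRANSFORM_SET = TransformSet("tunnel_3des_sha", "3des", "sha")


@dataclass
class IpsecProposal:
    crypto_map_type: str = "Static"         # "Static" or "Dynamic"
    topology: str = "point-to-point"        # "point-to-point", "full mesh", "hub-and-spoke"
    technology: str = "IPsec"               # e.g. "IPsec", "Easy VPN", "IPsec/GRE"
    transform_sets: List[TransformSet] = field(default_factory=lambda: [DEFAULT_TRANSFORM_SET])
    enable_pfs: bool = False
    modulus_group: Optional[int] = None
    lifetime_sec: int = 3600                # default 3600 seconds (one hour)
    lifetime_kbytes: int = 4608000          # default 4,608,000 kilobytes
    device_type: str = "IOS"                # "IOS" or "PIX7.0/ASA"


def validate_proposal(p: IpsecProposal) -> List[str]:
    """Return the list of rule violations; an empty list means consistent."""
    errors: List[str] = []
    if p.crypto_map_type == "Dynamic" and p.topology != "hub-and-spoke":
        errors.append("dynamic crypto maps can only be used in a hub-and-spoke topology")
    if not p.transform_sets:
        errors.append("at least one transform set is required")
    if len(p.transform_sets) > 6:
        errors.append("you can select up to six transform sets")
    if p.technology in ("IPsec", "Easy VPN"):
        for ts in p.transform_sets:
            if ts.mode == "transport":
                errors.append(f"{ts.name}: transport mode cannot be used with {p.technology}")
    if p.enable_pfs and p.modulus_group not in DH_GROUPS:
        errors.append("PFS requires a Diffie-Hellman group (1, 2, 5 or 7)")
    lo, hi = LIFETIME_KBYTES_RANGE[p.device_type]
    if not lo <= p.lifetime_kbytes <= hi:
        errors.append(f"Lifetime (kbytes) must be within {lo}-{hi} for {p.device_type}")
    return errors


def negotiated_transform_set(local: List[TransformSet],
                             peer: List[TransformSet]) -> Optional[TransformSet]:
    """Pick the strongest transform set both peers support (by algorithms, not name)."""
    peer_algs = {(t.encryption, t.hash, t.mode) for t in peer}
    common = [t for t in local if (t.encryption, t.hash, t.mode) in peer_algs]
    if not common:
        return None    # no compatible crypto map entry: the SA cannot be set up
    return max(common, key=TransformSet.strength)


if __name__ == "__main__":
    # Constructed sample: three selected transform sets, a peer supporting two.
    local = [DEFAULT_TRANSFORM_SET,
             TransformSet("tunnel_aes256_sha", "aes-256", "sha"),
             TransformSet("tunnel_des_md5", "des", "md5")]
    peer = [TransformSet("peer_3des_sha", "3des", "sha"),
            TransformSet("peer_aes256_sha", "aes-256", "sha")]
    chosen = negotiated_transform_set(local, peer)
    print("negotiated:", chosen.name if chosen else None)
    print(validate_proposal(IpsecProposal(transform_sets=local, enable_pfs=True, modulus_group=2))
          or "proposal is consistent")
```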

VPN Global Settings Page


Use the VPN Global Settings page to define global settings for IKE, IPsec, NAT,
and fragmentation that apply to devices in your VPN topology.


The following tabs are available on the VPN Global Settings page:

ISAKMP/IPsec Settings Tab, page G-50

NAT Settings Tab, page G-54

General Settings Tab, page G-56

Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select VPN Global Settings in the Policies selector.

You can also open the VPN Global Settings page from Policy view. See
Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65.

ISAKMP/IPsec Settings Tab


Use the ISAKMP/IPsec Settings tab of the VPN Global Settings page to specify
global settings for Internet Key Exchange (IKE) and IPsec.
Internet Key Exchange (IKE), also called Internet Security Association and Key
Management Protocol (ISAKMP), is the negotiation protocol that lets two hosts
agree on how to build an IPsec security association.
Navigation Path

The ISAKMP/IPsec Settings tab appears when you open the VPN Global Settings
Page, page G-49. You can also open it by clicking the ISAKMP/IPsec Settings
tab from any other tab in the VPN Global Settings page.
Related Topics

VPN Global Settings Page, page G-49

Understanding IKE, page 9-67

Understanding IPsec Tunnel Policies, page 9-72

Understanding ISAKMP/IPsec Settings, page 9-79

Configuring VPN Global Settings, page 9-83


Field Reference

Table G-17    VPN Global Settings Page > ISAKMP/IPsec Settings Tab

ISAKMP Settings

Enable Keepalive
    When selected, enables you to configure IKE keepalive as the default
    failover and routing mechanism.
    IKE keepalive is defined on the spokes in a hub-and-spoke VPN
    topology, or on both devices in a point-to-point VPN topology.

Interval
    The number of seconds that a device waits between sending IKE
    keepalive packets. The default is 10 seconds.

Retry
    The number of seconds a device waits between attempts to establish an
    IKE connection with the remote peer. The default is 2 seconds.

Periodic
    Available only if Enable Keepalive is selected, and supported on
    routers running IOS version 12.3(7)T and later, except 7600 devices.
    When selected, enables you to send dead-peer detection (DPD)
    keepalive messages even if there is no outbound traffic to be sent.
    Usually, DPD keepalive messages are sent between peer devices only
    when no incoming traffic is received but outbound traffic needs to be
    sent.
    For more information, see About IKE Keepalive, page 9-79.

Identity
    During Phase I IKE negotiations, peers must identify themselves to
    each other.
    Select whether the device uses its IP address or its hostname to
    identify itself in IKE negotiations. You can also select a
    Distinguished Name (DN) to identify a user group name. The default is
    Address.

SA Requests System Limit
    Supported on routers running IOS version 12.3(8)T and later, except
    7600 routers.
    The maximum number of SA requests allowed before IKE starts rejecting
    them. The specified value must equal or exceed the number of peers,
    or the VPN tunnels may be disconnected.
    You can enter a value in the range of 0-99999.


SA Requests System Threshold
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    The percentage of system resources that can be used before IKE starts
    rejecting new SA requests. The default is 75 percent.

Enable Aggressive Mode
    Supported on ASA devices and PIX 7.0 devices.
    When selected, enables you to use aggressive mode in ISAKMP
    negotiations, for an ASA device. Aggressive mode is enabled by
    default.
    Deselect this check box to disable the use of aggressive mode in
    ISAKMP negotiations, for an ASA device.
    See Understanding IKE, page 9-67.

IPsec Settings

Enable Lifetime
    When selected, enables you to configure the global lifetime settings
    for the crypto IPsec security associations (SAs) on the devices in
    your VPN topology.

Lifetime (secs)
    The number of seconds a security association will exist before
    expiring. The default is 3,600 seconds (one hour).

Lifetime (kbytes)
    The volume of traffic (in kilobytes) that can pass between IPsec
    peers using a given security association before it expires. The
    default is 4,608,000 kilobytes.

Xauth Timeout
    Available when Easy VPN is the selected technology, and the selected
    device is a Cisco IOS router or Catalyst 6500/7600 device.
    The number of seconds the device waits for a response from the end
    user after an IKE SA has been established.
    When negotiating tunnel parameters for establishing IPsec tunnels in
    an Easy VPN configuration, Xauth adds another level of authentication
    that identifies the user who requests the IPsec connection. Using the
    Xauth feature, the client waits for a "username/password" challenge
    after the IKE SA has been established. When the end user responds to
    the challenge, the response is forwarded to the IPsec peers for an
    additional level of authentication.


Max Sessions

Supported on ASA devices and PIX 7.0 devices.


The maximum number of SAs that can be enabled simultaneously
on the device.

Enable IPsec via Sysopt

Supported on ASA devices and PIX Firewalls versions 6.3 or 7.0.


When selected (the default), specifies that any packet that comes
from an IPsec tunnel is implicitly trusted (permitted).

Enable SPI Recovery

Supported on routers running IOS version 12.3(2)T and later, in


addition to Catalyst 6500/7600 devices running version
12.2(18)SXE and later.
When selected, enables the SPI recovery feature to configure your
device so that if an invalid SPI (Security Parameter Index) occurs,
an IKE SA will be initiated.
SPI (Security Parameter Index) is a number which, together with a
destination IP address and security protocol, uniquely identifies a
particular security association. When using IKE to establish
security associations, the SPI for each security association is a
pseudo-randomly derived number. Without IKE, the SPI is
manually specified for each security association. When an invalid
SPI occurs during IPsec packet processing, the SPI recovery feature
enables an IKE SA to be established.

Save button

Saves your changes to the server but keeps them private.


Note

To publish your changes, click the Submit button on the


toolbar.
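The SA lookup that the SPI recovery description refers to, shown as an added example in Python (this is not Security Manager or IOS code). A receiving peer identifies an inbound SA by the triple of destination address, security protocol and SPI; an ESP packet whose triple is not in the SA database is the "invalid SPI" condition that the setting above responds to by initiating IKE with the peer. The packet bytes, SA names and addresses below are constructed for the example.

```python
"""Identify an inbound ESP packet's security association by (dst, protocol, SPI).

Added illustration, not Security Manager or IOS code. Packet bytes, SA names
and addresses are constructed for the example (RFC 5737 documentation ranges).
"""
import socket
import struct
from dataclasses import dataclass

ESP_PROTO = 50  # IP protocol number for ESP


@dataclass(frozen=True)
class SaSelector:
    """The triple that uniquely identifies an inbound SA."""
    dst: str
    proto: int
    spi: int


def parse_ipv4_esp(pkt: bytes):
    """Return (SaSelector, ESP sequence number) from a raw IPv4 packet carrying ESP."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version = pkt[0] >> 4
    ihl = (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    proto = pkt[9]
    if proto != ESP_PROTO:
        raise ValueError(f"protocol {proto} is not ESP")
    if len(pkt) < ihl + 8:
        raise ValueError("truncated ESP header")
    dst = socket.inet_ntoa(pkt[16:20])
    # ESP header: 32-bit SPI followed by a 32-bit sequence number (RFC 4303)
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return SaSelector(dst, proto, spi), seq


class InboundSadb:
    """A minimal inbound security association database."""

    def __init__(self):
        self._sas = {}

    def add(self, dst: str, spi: int, name: str):
        self._sas[SaSelector(dst, ESP_PROTO, spi)] = name

    def classify(self, pkt: bytes):
        """Return ('sa', name) when the packet maps to a known SA, or
        ('invalid-spi', selector) when it does not. The second case is the
        condition SPI recovery reacts to by initiating a new IKE SA."""
        selector, _seq = parse_ipv4_esp(pkt)
        name = self._sas.get(selector)
        if name is None:
            return ("invalid-spi", selector)
        return ("sa", name)


def build_esp_packet(src: str, dst: str, spi: int, seq: int,
                     payload: bytes = b"\x00" * 16) -> bytes:
    """Construct an IPv4+ESP packet for the example (header checksum left zero)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, ESP_PROTO, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return ip_hdr + struct.pack("!II", spi, seq) + payload


def demo():
    """A known SA and a stale SPI, as a peer would see them after a re-key it missed."""
    sadb = InboundSadb()
    sadb.add("203.0.113.1", 0x1000ABCD, "hub-to-spoke1")
    known = build_esp_packet("198.51.100.7", "203.0.113.1", 0x1000ABCD, 1)
    stale = build_esp_packet("198.51.100.7", "203.0.113.1", 0x2000FFFF, 1)
    return sadb.classify(known), sadb.classify(stale)


if __name__ == "__main__":
    print(demo())
```

The stale packet in demo() is what a hub sees when a spoke has rebooted and still sends on an SPI the hub no longer holds; without SPI recovery those packets are dropped silently until the spoke's own IKE SA lifetime expires.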


NAT Settings Tab


Use the NAT Settings tab of the VPN Global Settings page to define the NAT
settings that will be configured on the devices in your VPN topology.

Note: If you want to bypass NAT configuration on IOS routers, make sure
the Do Not Translate VPN Traffic check box is selected in the NAT Dynamic
Rule platform policy (see NAT Dynamic Rule Dialog Box, page K-14). To
exclude NAT on PIX Firewalls or ASA devices, make sure this check box is
selected in the NAT Translation Options platform policy (see Translation
Options Page, page L-7).

Navigation Path

Open the VPN Global Settings Page, page G-49, then click the NAT Settings tab.

Related Topics

Understanding NAT, page 9-80

VPN Global Settings Page, page G-49


Field Reference

Table G-18  VPN Global Settings Page > NAT Settings Tab

Enable Traversal Keepalive
    When selected, enables you to configure NAT traversal keepalive on a
    device.
    NAT traversal keepalive is used for the transmission of keepalive
    messages when there is a device (middle device) located between a
    VPN-connected hub and spoke, and that device performs NAT on the
    IPsec flow.
    Note: On Cisco IOS routers, NAT traversal is enabled by default. If
    you want to disable the NAT traversal feature, you must do this
    manually on the device or using a FlexConfig (see Chapter 19,
    Managing FlexConfigs).
    For more information, see About NAT Traversal, page 9-81.

Interval
    Available when NAT Traversal Keepalive is enabled.
    The interval, in seconds, between the keepalive signals sent between
    the spoke and the middle device to indicate that the session is
    active. The NAT keepalive value can be from 5 to 3600 seconds. The
    default is 10 seconds.


Enable PAT (Port Address Translation) on Split Tunneling for Spokes
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    When selected, enables Port Address Translation (PAT) to be used for
    split-tunneled traffic on spokes in your VPN topology.
    PAT can associate thousands of private NAT addresses with a small
    group of public IP addresses, through the use of port addressing.
    PAT is used if the addressing requirements of your network exceed
    the available addresses in your dynamic NAT pool. See Understanding
    NAT, page 9-80.
    Note: When this check box is enabled, Security Manager implicitly
    creates an additional NAT rule for split-tunneled traffic, on
    deployment. This NAT rule, which denies VPN-tunneled traffic and
    permits all other traffic (using the external interface as the IP
    address pool), is not reflected as a router platform policy.
    For information on creating or editing a dynamic NAT rule as a
    router platform policy, see Defining Dynamic NAT Rules, page 14-16.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.

General Settings Tab


Use the General Settings tab of the VPN Global Settings page to define
fragmentation settings including maximum transmission unit (MTU) handling
parameters.
Navigation Path

Open the VPN Global Settings Page, page G-49, then click the General Settings
tab.


Related Topics

VPN Global Settings Page, page G-49

Understanding Fragmentation, page 9-82

Field Reference

Table G-19  VPN Global Settings Page > General Settings Tab

Fragmentation Settings

Fragmentation Mode
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    Fragmentation minimizes packet loss in a VPN tunnel when transmitted
    over a physical interface that cannot support the original size of
    the packet.
    Select the required fragmentation mode option from the list:
    - No Fragmentation: Select if you do not want to fragment before
      IPsec encapsulation. After encapsulation, the device fragments
      packets that exceed the MTU setting before transmitting them
      through the public interface.
    - End to End MTU Discovery: Select to use ICMP messages for the
      discovery of MTU. Use this option when the selected technology is
      IPsec.
      End-to-end MTU discovery uses Internet Control Message Protocol
      (ICMP) messages to determine the maximum MTU that a host can use
      to send a packet through the VPN tunnel without causing
      fragmentation.
    - Local MTU Handling: Select to set the MTU locally on the devices.
      This option is typically used when ICMP is blocked, and when the
      selected technology is IPsec/GRE.

Local MTU Size
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices, when
    Local MTU Handling is the selected fragmentation mode option.
    Note: The permitted MTU size is between 68 and 65535 bytes depending
    on the VPN interface.


DF Bit
    Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0
    and ASA devices.
    A Don't Fragment (DF) bit within an IP header determines whether a
    device is allowed to fragment a packet.
    Select the required setting for the DF bit:
    - Copy: Copies the DF bit from the encapsulated header in the
      current packet to all the device's packets. If the packet's DF bit
      is set to fragment, all future packets are fragmented. This is the
      default option.
    - Set: Sets the DF bit in the packet you are sending. A large packet
      that exceeds the MTU is dropped and an ICMP message is sent to the
      packet's initiator.
    - Clear: Fragments packets regardless of the original DF bit
      setting. If ICMP is blocked, MTU discovery fails and packets are
      fragmented after encryption.

Enable Fragmentation Before Encryption
    Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0
    and ASA devices.
    When selected, enables fragmentation to occur before encryption, if
    the expected packet size exceeds the MTU.
    Lookahead Fragmentation (LAF) is used before encryption takes place
    to calculate the packet size that would result after encryption,
    depending on the transform sets configured on the IPsec SA. If the
    packet size exceeds the specified MTU, the packet will be fragmented
    before encryption.

Enable Notification on Disconnection
    Supported on PIX 7.0 and ASA devices.
    When selected, enables the device to notify qualified peers of
    sessions that are about to be disconnected. The peer receiving the
    alert decodes the reason and displays it in the event log or in a
    pop-up panel. This feature is disabled by default.


Enable Split Tunneling
    When selected (the default), enables you to configure split
    tunneling in your VPN topology.
    Split tunneling enables you to transmit both secured and unsecured
    traffic on the same interface. Split tunneling requires that you
    specify exactly which traffic will be secured and what the
    destination of that traffic is, so that only the specified traffic
    enters the IPsec tunnel, while the rest is transmitted unencrypted
    across the public network.

Enable Spoke-to-Spoke Connectivity through the Hub
    Supported on PIX 7.0 and ASA devices.
    When selected, enables direct communication between spokes in a
    hub-and-spoke VPN topology, in which the hub is an ASA/PIX 7.0
    device.

Enable Default Route
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    When selected, the device uses the configured external interface as
    the default outbound route for all incoming traffic.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.
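A worked model of the decisions behind the DF Bit and Enable Fragmentation Before Encryption settings in Table G-19, added here as an example in Python (not Security Manager or IOS code). It assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96, whose per-packet overhead is fixed by RFC 4303 and RFC 3602, so the encrypted size can be computed ahead of encryption exactly as lookahead fragmentation does; the MTU and packet lengths are constructed inputs, and a different transform set changes only the constants.

```python
"""Lookahead fragmentation (LAF) and DF-bit handling for an ESP tunnel.

Added illustration, not Security Manager or IOS code. Overhead figures assume
ESP tunnel mode with AES-CBC (RFC 3602) and HMAC-SHA1-96 (RFC 4303); another
transform set changes the constants below, not the logic.
"""
from dataclasses import dataclass, field
from typing import List

IPV4_HDR = 20      # outer IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI + sequence number
AES_IV = 16        # AES-CBC IV carried at the start of the ESP payload
AES_BLOCK = 16     # payload plus trailer is padded to this block size
ESP_TRAILER = 2    # pad length + next header
SHA1_ICV = 12      # HMAC-SHA1-96 integrity check value
FIXED_OVERHEAD = IPV4_HDR + ESP_HDR + AES_IV + SHA1_ICV


def esp_tunnel_size(inner_len: int) -> int:
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // AES_BLOCK) * AES_BLOCK   # round up to a whole block
    return FIXED_OVERHEAD + padded


def max_inner_len(mtu: int) -> int:
    """Largest inner packet whose encapsulation still fits within mtu."""
    room = ((mtu - FIXED_OVERHEAD) // AES_BLOCK) * AES_BLOCK
    return room - ESP_TRAILER


def ip_fragment(total_len: int, max_len: int) -> List[int]:
    """IPv4 fragmentation: split a packet into fragments no longer than max_len.
    Each fragment carries its own 20-byte header; non-final fragments carry
    payload in multiples of 8 bytes, as the fragment offset field requires."""
    if total_len <= max_len:
        return [total_len]
    chunk = ((max_len - IPV4_HDR) // 8) * 8
    if chunk <= 0:
        raise ValueError("max_len leaves no room for payload")
    payload = total_len - IPV4_HDR
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(IPV4_HDR + take)
        payload -= take
    return frags


@dataclass
class Decision:
    action: str                 # "pass", "fragment-before", "fragment-after", "drop-icmp"
    outer_df: bool              # DF bit written into the outer header
    fragments: List[int] = field(default_factory=list)


def laf_decide(inner_len: int, inner_df: bool, mtu: int, df_policy: str,
               laf_enabled: bool = True) -> Decision:
    """Apply the DF Bit setting (copy/set/clear) and the Enable Fragmentation
    Before Encryption setting to one inner packet."""
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df_policy]
    if esp_tunnel_size(inner_len) <= mtu:
        return Decision("pass", outer_df, [inner_len])
    if outer_df:
        # Too large and DF honoured: drop and tell the initiator (ICMP
        # fragmentation needed), which is what path MTU discovery relies on.
        return Decision("drop-icmp", outer_df)
    if laf_enabled:
        # Fragment the cleartext so every fragment still fits once encapsulated.
        return Decision("fragment-before", outer_df,
                        ip_fragment(inner_len, max_inner_len(mtu)))
    # Otherwise the encrypted packet itself is fragmented on the public interface.
    return Decision("fragment-after", outer_df,
                    ip_fragment(esp_tunnel_size(inner_len), mtu))
```

With a 1500-byte MTU, a 1500-byte cleartext packet grows to 1560 bytes after encapsulation. Pre-fragmenting it yields 1436- and 84-byte cleartext fragments, each of which fits after encryption and can be decrypted independently by the peer; fragmenting after encryption instead yields 1500- and 80-byte ESP fragments that the peer must reassemble before it can even check the ICV, which is why fragmentation before encryption is the cheaper option for the decrypting device.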

Preshared Key Page


Use the Preshared Key page to view or edit the parameters for a preshared key
policy.

Note: A preshared key policy is not available when configuring Easy VPN.


Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select Preshared Key in the Policies selector.

You can also open the Preshared Key page from Policy view. For more
information, see Managing Shared Site-to-Site VPN Policies in Policy View,
page 9-65.

Related Topics

Understanding Preshared Key Policies, page 9-84

Configuring Preshared Key Policies, page 9-86

Field Reference

Table G-20  Preshared Key Page

Key Specification

User Defined
    When selected, enables you to use a manually defined preshared key.
    Enter the required preshared key in the Key field, then enter it
    again in the Confirm field.

Auto Generated
    When selected, allocates a random key to the participating peers.
    This ensures security because a different key is generated for every
    hub-spoke connection. Auto Generated is the default selection.
    Note: The key is allocated during the first deployment to the
    devices and is used in all subsequent deployments to the same
    devices, until you select the Regenerate Key (Only in Next
    Deployment) check box.

Key Length
    The required length of the preshared key to be automatically
    generated (maximum 127 characters). The default is 24.


Same Key for All Tunnels
    Unavailable in a point-to-point VPN topology.
    When selected, enables you to use the same auto-generated key for
    all tunnels.
    Note: If you do not select this check box, different keys are used
    for the tunnels, except in cases, such as DMVPN configuration, when
    different multipoint GRE interfaces in the same network must use the
    same preshared key.


Regenerate Key (Only in Next Deployment)
    Only available if Auto Generate is selected.
    When selected, enables Security Manager to generate a new key for
    the next deployment to the device(s). This is useful if it is
    possible that the secrecy of the keys might be compromised.
    Note: When you submit the job for deployment, this check box is
    cleared. It does not remain selected because the new key will only
    be generated for the upcoming deployment, and not for subsequent
    deployments (unless you select it again).

Negotiation Method

Main Mode Address
    This is the default negotiation method.
    Use this negotiation method for exchanging key information, if the
    IP address of the devices is known. Negotiation is based on IP
    address. Main mode provides the highest security because it has
    three two-way exchanges between the initiator and receiver. Main
    mode address is the default negotiation method.
    Then click one of the following three radio buttons to define the
    negotiation address type:
    - Peer Address: Negotiation is based on the unique IP address of
      each peer. A key is created for each peer, providing high
      security. This is the default.
    - Subnet: Creates a group preshared key on a hub in a hub-and-spoke
      topology to use for communication with any device in a specified
      subnet, even if the IP address of the device is unknown. Each
      peer is identified by its subnet. After selecting this option,
      enter the subnet in the field provided.
      In a point-to-point or full mesh VPN topology, a group preshared
      key is created on the peers.


Main Mode Address (continued)
    - Wildcard: Creates a wildcard key on a hub or on a group of hubs in
      a hub-and-spoke topology to use when a spoke does not have a fixed
      IP address or belong to a specific subnet. In this case, all
      spokes connecting to the hub have the same preshared key, which
      could compromise security. Use this option if a spoke in your
      hub-and-spoke VPN topology has a dynamic IP address.
      In a point-to-point or full mesh VPN topology, a wildcard key is
      created on the peers.
    Note: When configuring DMVPN with direct spoke-to-spoke
    connectivity, you create a wildcard key on the spokes.

Main Mode FQDN
    Select this negotiation method for exchanging key information, if
    the IP address is not known and DNS resolution is available for the
    device(s). Negotiation is based on DNS resolution, with no reliance
    on IP address.

Aggressive Mode
    Available only in a hub-and-spoke VPN topology.
    Select this negotiation method for exchanging key information, if
    the IP address is not known and DNS resolution might not be
    available on the devices. Negotiation is based on hostname and
    domain name.
    Note: If direct spoke to spoke tunneling is enabled, you cannot use
    aggressive mode.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.
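The key-allocation options (Auto Generated, Key Length, Same Key for All Tunnels) and the three Main Mode Address key types (Peer Address, Subnet, Wildcard) from Table G-20, modelled as an added example in Python that is not Security Manager or IOS code. Key generation draws from the CSPRNG with the page's default length of 24 and limit of 127 characters. The keyring picks the most specific matching entry; that lookup rule, the allowed character set and all addresses are this example's own assumptions, not device behaviour described on this page.

```python
"""Preshared-key allocation and keyring lookup for main-mode negotiation.

Added illustration, not Security Manager or IOS code. Key lengths follow the
Preshared Key page (default 24, maximum 127 characters); the longest-prefix
lookup rule, the character set and all addresses are this example's own
assumptions.
"""
import ipaddress
import secrets
import string
from typing import Dict, List, Optional

KEY_ALPHABET = string.ascii_letters + string.digits   # assumption
DEFAULT_KEY_LENGTH = 24
MAX_KEY_LENGTH = 127


def generate_psk(length: int = DEFAULT_KEY_LENGTH) -> str:
    """Auto Generated key: a CSPRNG-derived string of the requested length."""
    if not 1 <= length <= MAX_KEY_LENGTH:
        raise ValueError(f"key length must be between 1 and {MAX_KEY_LENGTH}")
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def allocate_tunnel_keys(spokes: List[str], same_key_for_all: bool,
                         length: int = DEFAULT_KEY_LENGTH) -> Dict[str, str]:
    """One key per hub-spoke tunnel, or a single key shared by every tunnel
    (the Same Key for All Tunnels check box). Returns {spoke address: key}."""
    if same_key_for_all:
        shared = generate_psk(length)
        return {spoke: shared for spoke in spokes}
    return {spoke: generate_psk(length) for spoke in spokes}


class Keyring:
    """Main-mode keyring: entries keyed by peer address, subnet or wildcard.

    A peer entry covers one address (/32), a subnet entry covers every peer
    in that subnet, and the wildcard entry (0.0.0.0/0) covers any peer, which
    is why every spoke matching it shares one key.
    """

    def __init__(self):
        self._entries = []   # list of (ip_network, key)

    def add_peer(self, address: str, key: str):
        self._entries.append((ipaddress.ip_network(address), key))

    def add_subnet(self, subnet: str, key: str):
        self._entries.append((ipaddress.ip_network(subnet, strict=False), key))

    def add_wildcard(self, key: str):
        self._entries.append((ipaddress.ip_network("0.0.0.0/0"), key))

    def lookup(self, peer_ip: str) -> Optional[str]:
        """Most specific match wins (assumption): peer, then subnet, then wildcard."""
        ip = ipaddress.ip_address(peer_ip)
        matches = [(net, key) for net, key in self._entries if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def peers_covered_by(self, key: str) -> int:
        """Number of peer addresses that would be accepted with this key; a
        wildcard key covers the whole address space, a peer key exactly one."""
        return sum(net.num_addresses for net, k in self._entries if k == key)
```

A keyring with a wildcard entry answers any source address, so an attacker who learns that one key can impersonate every dynamically addressed spoke; peers_covered_by() makes that exposure visible when auditing a configuration, and Regenerate Key is the control the page offers once a shared key is suspected to have leaked.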

Public Key Infrastructure Page


Use the Public Key Infrastructure page to select the CA server that will be used
to create a Public Key Infrastructure (PKI) policy, for generating enrollment
requests for CA certificates.


Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select Public Key Infrastructure in the Policies
selector.

You can also open the Public Key Infrastructure page from Policy view. For
more information, see Working with Site-to-Site VPN Policies, page 9-64.

Related Topics

Understanding Public Key Infrastructure Policies, page 9-87

Configuring Public Key Infrastructure Policies, page 9-92

Understanding PKI Enrollment Objects, page 8-136


Field Reference

Table G-21  Public Key Infrastructure (PKI) Page

Available CA Servers
    Lists the predefined CA servers available for selection.
    CA servers are predefined PKI enrollment objects that contain server
    information and enrollment parameters that are required for creating
    enrollment requests for CA certificates.
    Select the required CA server if you want to replace the default one
    in the Selected field.
    If the required CA server is not included in the list, click Create
    to open a dialog box that enables you to create or edit a PKI
    enrollment object. For more information, see PKI Enrollment Dialog
    Box, page F-437.
    Note: If you are making a PKI enrollment request on an Easy VPN
    remote access system, you must configure each remote component
    (spoke) with the name of the user group to which it connects. You
    specify this information in the Organization Unit (OU) field in the
    Certificate Subject Name tab of the PKI Enrollment Editor dialog
    box. You do not need to configure the name of the user group on the
    hub (Easy VPN Server). For more information, see Defining Additional
    PKI Attributes, page 8-145.

Selected
    The selected CA server.
    Note: You cannot edit the selected CA server because it is a
    predefined object. You can only edit the properties of an object
    you define.
    To remove the selected CA server, select a different one.

Save button
    Saves your changes to the server but keeps them private. To publish
    your changes, click the Submit button on the toolbar.
    Note: To save the RSA key pairs and the CA certificates between
    reloads permanently to Flash memory on a PIX firewall version 6.3,
    you must configure the "ca save all" command. You can do this
    manually on the device or using a FlexConfig (see Chapter 19,
    Managing FlexConfigs).

GRE Modes Page


Use the GRE Modes page to define the routing and tunnel parameters that
enable you to configure IPsec tunneling with GRE, GRE Dynamic IP, and
DMVPN policies.
Table G-22 on page G-67 describes the elements on the GRE Modes page for
configuring IPsec tunneling with GRE or GRE Dynamic IP.
Table G-23 on page G-72 describes the elements on the GRE Modes page for
configuring DMVPN.

Note: When configuring an IPsec/GRE, GRE Dynamic IP, or DMVPN routing
policy, Security Manager adds a routing protocol to all the devices in
the secured IGP, on deployment. If you want to maintain this secured
IGP, you must create a router platform policy using the same routing
protocol and autonomous system (or process ID) number as defined in the
GRE Modes policy.
Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select GRE Modes in the Policies selector.

You can also open the GRE Modes page from Policy view. For more
information, see Managing Shared Site-to-Site VPN Policies in Policy View,
page 9-65.

Related Topics

Understanding GRE, page 9-94

Understanding GRE Configuration for Dynamically Addressed Spokes, page 9-98

Prerequisites for Successful Configuration of GRE, page 9-96

Configuring GRE or GRE Dynamic IP Policies, page 9-99

Understanding DMVPN, page 9-101

Configuring DMVPN Policies, page 9-104

Understanding IPsec Technologies and Policies, page 9-8


Field Reference

Table G-22 describes the elements on the GRE Modes page for configuring
IPsec tunneling with GRE or GRE Dynamic IP.

Table G-22  GRE Modes Page > GRE or GRE Dynamic IP Policy

Routing Parameters Tab

Routing Protocol
    Select the required dynamic routing protocol (EIGRP, OSPF, or RIPv2)
    or static route to be used for GRE or GRE Dynamic IP. The default
    routing protocol is EIGRP.

AS Number
    Available only if you selected the EIGRP routing protocol.
    The number that will be used to identify the autonomous system (AS)
    area to which the EIGRP packet belongs. The range is 1-65535. The
    default is 110.
    An autonomous system (AS) is a collection of networks that share a
    common routing strategy. An AS can be divided into a number of
    areas, which are groups of contiguous networks and attached hosts.
    Routers with multiple interfaces can participate in multiple areas.
    An AS ID identifies the area to which the packet belongs. All EIGRP
    packets are associated with a single area, so all devices must have
    the same AS number.

Process Number
    Available only if you selected the OSPF routing protocol.
    The routing process ID number that will be used to identify the
    secured IGP that Security Manager adds when configuring GRE. The
    range is between 1 and 65535. The default is 110.
    Security Manager adds an additional Interior Gateway Protocol (IGP)
    that is dedicated for IPsec and GRE secured communication. An IGP
    refers to a group of devices that receive routing updates from one
    another by means of a routing protocol. Each routing group is
    identified by the process number.
    For more information, see How Does Security Manager Implement GRE?,
    page 9-95.


Hello Interval
    Available only if you selected the EIGRP routing protocol.
    The interval between hello packets sent on the interface, between 1
    and 65535 seconds. The default is 5 seconds.

Hold Time
    Available only if you selected the EIGRP routing protocol.
    The number of seconds the router will wait to receive a hello
    message before invalidating the connection. The range is between 1
    and 65535. The default hold time is 15 seconds (three times the
    hello interval).

Delay
    Available only if you selected the EIGRP routing protocol.
    The throughput delay for the primary route interface, in
    microseconds. The range of the tunnel delay time is 1-16777215. The
    default is 1000.

Failover Delay
    Available only if you selected the EIGRP routing protocol.
    The throughput delay for the failover route interface, in
    microseconds. The range of the tunnel delay time is 1-16777215. The
    default is 1500.

Bandwidth
    Available only if you selected the EIGRP routing protocol.
    The amount of bandwidth available to the primary route interface for
    the EIGRP packets. You should enter a value that gives priority to
    the primary route over other routes.
    You can enter a value in the range 1 to 10000000 kb. The default is
    1000 kb.
    Note: By default, the cost of sending a packet on an interface is
    calculated based on the bandwidth: the higher the bandwidth, the
    lower the cost.


Failover Bandwidth
    Available only if you selected the EIGRP routing protocol.
    The amount of bandwidth available to the failover route interface
    for the EIGRP packets.
    Enter a value in the range 1 to 10000000 kb. The default is 1000 kb.

Hub Network Area ID
    Available only if you selected the OSPF routing protocol.
    The ID number of the area in which the hub's protected networks will
    be advertised, including the tunnel subnet. You can specify any
    number. The default is 1.

Spoke Protected Network Area ID
    Available only if you selected the OSPF routing protocol.
    The ID number of the area in which the remote protected networks
    will be advertised, including the tunnel subnet. You can specify any
    number. The default is 2.

Authentication
    Available if you selected the OSPF or RIPv2 routing protocol.
    A string that specifies the OSPF or RIPv2 authentication key. The
    string can be up to eight characters long.

Cost
    Available if you selected the OSPF or RIPv2 routing protocol.
    The cost of sending a packet on the primary route interface.
    If the selected protocol is OSPF, enter a value in the range
    1-65535; the default is 100.
    If the selected protocol is RIPv2, enter a value in the range 1-15;
    the default is 1.

Failover Cost
    Available if you selected the OSPF or RIPv2 routing protocol.
    The cost of sending a packet on the secondary (failover) route
    interface.
    You can enter a value in the range 1-65535 for OSPF (the default is
    125), or in the range 1-15 for RIPv2 (the default is 2).

Filter Dynamic Updates on Spokes
    When selected, enables the creation of a redistribution list that
    filters all dynamic routing updates on the spokes. This forces the
    spoke devices to advertise (populate on the hub device) only their
    own protected subnets and not other IP addresses.


Tunnel Parameters Tab

Tunnel IP
    Select the required option to specify the GRE or GRE Dynamic IP
    tunnel interface IP address.
    Note: To view the new GRE tunnel and/or loopback interfaces in the
    Router Interfaces page, you must rediscover the device inventory
    details after successfully deploying the VPN to the device. For more
    information, see Basic Interface Settings on Cisco IOS Routers,
    page 14-21.

Use Physical Interface
    When selected, uses the private IP address of the tunnel taken from
    the protected network.

Use Subnet
    When selected, uses the tunnel IP address taken from an IP range.
    This is the default.
    In the Subnet field, enter the private IP address including the
    unique subnet mask (default is 1.1.1.0/24).
    If you are also configuring a dial backup interface, enter its subnet
    in the Dial Backup Subnet field provided (default is 1.1.2.0/24).
    Note: In most cases, when you use a subnet to specify a GRE tunnel
    interface IP address, Security Manager creates a loopback interface
    on the device which is used for the tunnel IP address. If the device
    belongs to a VPN topology whose configurations were discovered by
    Security Manager, and you configure an IP address directly on the
    device's GRE tunnel, Security Manager keeps that configuration and
    does not create a loopback interface on the device. However, a
    loopback is always configured on a hub in a VPN topology; in a
    hub-and-spoke VPN topology with multiple hubs, a loopback interface
    is also configured on the spokes.

Use Loopback Interface
    When selected, uses the tunnel IP address taken from an existing
    loopback interface.
    In the Role field, enter the interface, or select it from the list
    of interface roles provided. For more information, see Interface
    Roles Page, page F-416.


Tunnel Source IP Range
    Available only if the assigned IPsec technology is GRE Dynamic IP.
    The private IP address including the unique subnet mask that
    supports the loopback for GRE. The GRE tunnel interface has an IP
    address (inside tunnel IP address) which is taken from a loopback
    interface that Security Manager creates specifically for this
    purpose.
    When a spoke has a dynamic IP address, there is no fixed GRE tunnel
    source address (to be used by the GRE tunnel on the spoke side) or
    destination address (to be used by the GRE tunnel on the hub side).
    Therefore, Security Manager creates additional loopback interfaces on
    the hub and the spoke to use as the GRE tunnel endpoints. You must
    specify a subnet from which Security Manager can allocate an IP
    address for the loopback interfaces.

Enable IP Multicast
    When selected, enables multicast transmissions across your GRE
    tunnels. IP multicast delivers application source traffic to
    multiple receivers without burdening the source or the receivers,
    while using a minimum of network bandwidth.

Rendezvous Point
    Only available if you selected the Enable IP Multicast check box.
    If required, you can enter the IP address of the interface that will
    serve as the rendezvous point (RP) for multicast transmission.
    Sources send their traffic to the RP. This traffic is then forwarded
    to receivers down a shared distribution tree.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.


Table G-23 describes the elements on the GRE Modes page for configuring
a DMVPN policy.

Table G-23  GRE Modes Page > DMVPN Policy

Routing Parameters Tab

Routing Protocol
    Select the required dynamic routing protocol, or static route, to be
    used in the DMVPN tunnel.
    Options include the EIGRP, OSPF, and RIPv2 dynamic routing
    protocols, and GRE static routes. On-Demand Routing (ODR) is also
    supported. On-Demand Routing is not a routing protocol. It can be
    used in a hub-and-spoke VPN topology when the spoke routers connect
    to no router other than the hub. If you are running dynamic
    protocols, On-Demand Routing is not suitable for your network
    environment.
    For more information, see Prerequisites for Successful Configuration
    of GRE, page 9-96.

AS Number
    Available only if you selected the EIGRP routing protocol.
    The number that is used to identify the autonomous system (AS) area
    to which the EIGRP packet belongs. The range is 1-65535. The default
    is 110.
    An autonomous system (AS) is a collection of networks that share a
    common routing strategy. An AS can be divided into a number of
    areas, which are groups of contiguous networks and attached hosts.
    Routers with multiple interfaces can participate in multiple areas.
    An AS ID identifies the area to which the packet belongs. All EIGRP
    packets are associated with a single area, so all devices must have
    the same AS number.

Process Number
    Available only if you selected the OSPF routing protocol.
    The routing process ID number that will be used to identify the
    secured IGP that Security Manager adds when configuring DMVPN.
    The valid range for either protocol is 1-65535. The default is 110.


Hello Interval
    Available only if you selected the EIGRP routing protocol.
    The interval between hello packets sent on the interface, from 1 to
    65535 seconds. The default is 5 seconds.

Hold Time
    Available only if you selected the EIGRP routing protocol.
    The number of seconds the router will wait to receive a hello
    message before invalidating the connection. The range is 1-65535.
    The default hold time is 15 seconds (three times the hello
    interval).

Delay
    Available only if you selected the EIGRP routing protocol.
    The throughput delay for the primary route interface, in
    microseconds. The range of the tunnel delay time is 1-16777215. The
    default is 1000.

Hub Network Area ID
    Available only if you selected the OSPF routing protocol.
    The ID number of the area in which the hub's protected networks will
    be advertised, including the tunnel subnet. You can enter any
    number. The default is 1.

Spoke Protected Network Area ID
    Available only if you selected the OSPF routing protocol.
    The ID number of the area in which the remote protected networks
    will be advertised, including the tunnel subnet. You can enter any
    number. The default is 2.

Authentication
    A string that indicates the OSPF authentication key. The string can
    be up to eight characters long.

Cost
    Available if you selected the OSPF or RIPv2 routing protocol.
    The cost of sending a packet on the primary route interface.
    If the selected protocol is OSPF, enter a value in the range
    1-65535; the default is 100.
    If the selected protocol is RIPv2, enter a value in the range 1-15;
    the default is 1.


Table G-23

GRE Modes Page > DMVPN Policy (continued)

Element

Description

Allow Direct Spoke to Spoke Connectivity

When selected, enables direct communication between spokes,
without going through the hub.
Note
With direct spoke-to-spoke communication, you must use
the Main Mode Address option for preshared key
negotiation. For more information, see Understanding
Preshared Key Policies, page 9-84.

Filter Dynamic Updates On Spokes

Unavailable if you are using On-Demand Routing or a static route
for your DMVPN tunnel.
When selected, enables the creation of a redistribution list that
filters all dynamic routing updates (EIGRP, OSPF, and RIPv2) on
spokes. This forces the spoke devices to advertise (populate on the
hub device) only their own protected subnets and not other IP
addresses.

Tunnel Parameters Tab

Tunnel IP Range

The IP range of the inside tunnel interface IP address, including the
unique subnet mask.
Note
If CSM detects that a tunnel interface IP address already
exists on the device, and its IP address matches the tunnel's
IP subnet field, it will use that interface as the GRE tunnel.

Dial Backup Tunnel IP Range

If you are configuring a dial backup interface, enter its inside tunnel
interface IP address, including the unique subnet mask.

Server Load Balance

When selected, enables the configuration of load balancing on a
Cisco IOS router that serves as a hub in a multiple hubs
configuration.
Server load balancing optimizes performance in a multiple hubs
configuration, by sharing the workload. In this configuration, the
DMVPN server hubs share the same tunnel IP and source IP
addresses, presenting the appearance of a single device to the
spokes in a VPN topology.


Enable IP Multicast

When selected, enables multicast transmissions across your GRE
tunnels.
IP multicast delivers application source traffic to multiple receivers
without burdening the source or the receivers, while using a
minimum of network bandwidth.

Rendezvous Point

Only available if you selected the Enable IP Multicast check box.
If required, you can enter the IP address of the interface that will
serve as the rendezvous point (RP) for multicast transmission.
Sources send their traffic to the RP. This traffic is then forwarded to
receivers down a shared distribution tree.

Tunnel Key

A number that identifies the tunnel key. The default is 1.
The tunnel key differentiates between different multipoint GRE
(mGRE) tunnel Non Broadcast Multiple Access (NBMA) networks.
All mGRE interfaces in the same NBMA network must use the same
tunnel key value. If there are two mGRE interfaces on the same
router, they must have different tunnel key values.
Note
To view the newly created tunnel interfaces in the Router
Interfaces page, you must rediscover the device inventory
details after successfully deploying the VPN to the device.
For more information, see Basic Interface Settings on Cisco
IOS Routers, page 14-21.

NHRP Parameters

Network ID

All Next Hop Resolution Protocol (NHRP) stations within one
logical Non-Broadcast Multi-Access (NBMA) network must be
configured with the same network identifier. Enter a globally
unique, 32-bit network identifier within the range of 1 to
4294967295.

Hold time

The time, in seconds, that routers will keep information provided in
authoritative NHRP responses. The cached IP-to-NBMA address
mapping entries are discarded after the hold time expires.
The default is 300 seconds.


Authentication

An authentication string that controls whether the source and
destination NHRP stations allow intercommunication. All routers
within the same network using NHRP must share the same
authentication string. The string can be up to eight characters long.

Save button

Saves your changes to the server but keeps them private.
Note
To publish your changes, click the Submit button on the
toolbar.
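The table above states several consistency rules for one DMVPN NBMA network: every NHRP station carries the same Network ID and authentication string, all mGRE interfaces in the network share one tunnel key while two mGRE interfaces on the same router must use different keys, and each tunnel interface address must fall inside the Tunnel IP Range. The following Python script is added here as an illustration and is not part of the Cisco Security Manager documentation or product; it encodes those rules as checks a practitioner can run over a planned hub-and-spoke configuration before deploying it. The router names, addresses, tunnel keys and network IDs are constructed values.

```python
"""Consistency checks for the DMVPN tunnel and NHRP parameters of Table G-23.

Added example; this is not Security Manager or IOS code.  It encodes the
rules the table states so that a set of planned hub and spoke tunnel
interfaces can be checked before deployment:
  * every tunnel interface address lies in the Tunnel IP Range subnet
  * NHRP Network ID is a 32-bit value in 1..4294967295 and is identical on
    every NHRP station of one NBMA network
  * the NHRP authentication string is at most 8 characters and identical
    across the network
  * all mGRE interfaces in one NBMA network share the tunnel key, and two
    mGRE interfaces on the same router use different tunnel keys
The router names, addresses and keys used below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import List

NHRP_NETWORK_ID_MAX = 4294967295   # 32-bit, from the Network ID field
NHRP_AUTH_MAX_LEN = 8              # from the Authentication field


@dataclass(frozen=True)
class MgreInterface:
    router: str
    name: str
    tunnel_ip: str        # inside tunnel address with mask, e.g. "10.0.0.1/24"
    tunnel_key: int
    nhrp_network_id: int
    nhrp_auth: str = ""


def check_interface(iface: MgreInterface) -> List[str]:
    """Per-interface range checks stated in the table."""
    errors = []
    if not 1 <= iface.nhrp_network_id <= NHRP_NETWORK_ID_MAX:
        errors.append(f"{iface.router} {iface.name}: NHRP network ID "
                      f"{iface.nhrp_network_id} outside 1..{NHRP_NETWORK_ID_MAX}")
    if len(iface.nhrp_auth) > NHRP_AUTH_MAX_LEN:
        errors.append(f"{iface.router} {iface.name}: NHRP authentication string "
                      f"longer than {NHRP_AUTH_MAX_LEN} characters")
    return errors


def check_nbma_network(interfaces: List[MgreInterface], tunnel_ip_range: str) -> List[str]:
    """Check that the given interfaces form one consistent DMVPN NBMA network."""
    errors = []
    subnet = ip_network(tunnel_ip_range)
    for iface in interfaces:
        errors += check_interface(iface)
        addr = ip_interface(iface.tunnel_ip)
        if addr.ip not in subnet or addr.network != subnet:
            errors.append(f"{iface.router} {iface.name}: {iface.tunnel_ip} is not "
                          f"inside the tunnel IP range {tunnel_ip_range}")
    # Values that must be identical on every station of the NBMA network.
    for attr in ("tunnel_key", "nhrp_network_id", "nhrp_auth"):
        values = {getattr(i, attr) for i in interfaces}
        if len(values) > 1:
            errors.append(f"{attr} differs across the NBMA network: "
                          f"{sorted(str(v) for v in values)}")
    return errors


def check_router_tunnel_keys(interfaces: List[MgreInterface]) -> List[str]:
    """Two mGRE interfaces on the same router must have different tunnel keys."""
    errors = []
    by_router = defaultdict(list)
    for iface in interfaces:
        by_router[iface.router].append(iface)
    for router, ifaces in by_router.items():
        keys = [i.tunnel_key for i in ifaces]
        if len(keys) != len(set(keys)):
            errors.append(f"{router}: mGRE interfaces reuse tunnel key(s) {sorted(set(keys))}")
    return errors


# Constructed example: one hub and two spokes on a single NBMA network.
HUB = MgreInterface("hub1", "Tunnel0", "10.0.0.1/24", 1, 100000, "dmvpnkey")
SPOKE1 = MgreInterface("spoke1", "Tunnel0", "10.0.0.2/24", 1, 100000, "dmvpnkey")
SPOKE2 = MgreInterface("spoke2", "Tunnel0", "10.0.0.3/24", 1, 100000, "dmvpnkey")
# A second DMVPN on the same hub must carry a different tunnel key.
HUB_SECOND = MgreInterface("hub1", "Tunnel1", "10.0.1.1/24", 2, 100001, "dmvpnkey")

if __name__ == "__main__":
    for problem in (check_nbma_network([HUB, SPOKE1, SPOKE2], "10.0.0.0/24")
                    + check_router_tunnel_keys([HUB, HUB_SECOND])):
        print("problem:", problem)
```

Each check returns a list of human-readable findings, so an empty list means the planned parameters satisfy every rule the table states; the address check also catches a mask that differs from the Tunnel IP Range, which would otherwise lead CSM to create a new tunnel interface instead of reusing an existing one.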

Server Load Balance Page


Use the Server Load Balance page to view or edit the server load balance policy
configured on the IPsec Terminators in a large scale DMVPN. Server load
balancing optimizes performance in multiple hub-and-spoke VPN topologies, by
sharing the workload. In large scale DMVPN configurations, the IPsec
Terminators perform the traffic load balancing.
For more information, see Configuring Large Scale DMVPNs, page 9-107.
The Server Load Balance page contains a scrollable table displaying the server
load balance parameters for each hub that is connected to an IPsec Terminator. By
clicking the arrow displayed alongside any table heading, you can switch the
order of the list to display from ascending to descending order, and vice versa. You
can also filter the table contents using the filter controls above it to display only
rows that match the criteria that you specify (see Filtering Tables, page 3-24).
Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, in the VPNs selector
select a hub-and-spoke topology on which large scale DMVPN is configured,
then select Server Load Balance in the Policies selector.

You can also open the Server Load Balance page from Policy view. For more
information, see Managing Shared Site-to-Site VPN Policies in Policy View,
page 9-65.

Related Topics

Configuring Large Scale DMVPNs, page 9-107


Field Reference
Table G-24

Server Load Balance Page

Element

Description

Hub

The name of the hub connected to the IPsec Terminator.

Weight

The capacity of the hub relative to other hubs connected to the IPsec
Terminator.
A weighted round robin (WRR) scheduling algorithm is used to
control the bandwidth allocated to output transmission queues.
Weighting is based on the amount of bandwidth used by each
transmit queue on an interface. Packets from queues with higher
capacity are transmitted more often than those from queues with
less capacity.

Max Connections

The maximum number of active connections to the IPsec
Terminator permitted to the hub.

Edit button

Click to open the Edit Load Balancing Parameters Dialog Box,
page G-77, in which you can modify the parameters of a selected
load balancing policy.

Save button

Saves your changes to the server but keeps them private.
Note
To publish your changes, click the Submit button on the
toolbar.

Edit Load Balancing Parameters Dialog Box


In the Edit Load Balancing Parameters dialog box, you can edit the server load
balance parameters configured on a hub that is connected to an IPsec Terminator
in a large scale DMVPN.
Navigation Path

Open the Server Load Balance Page, page G-76, select an entry in the table and
click Edit.
Related Topics

Server Load Balance Page, page G-76

Configuring Large Scale DMVPNs, page 9-107


Field Reference
Table G-25

Edit Load Balancing Parameters Dialog Box

Element

Description

Weight

Specify the capacity of the hub relative to other hubs connected to
the IPsec Terminator, based on the weighted round robin (WRR)
scheduling algorithm.
You can enter a value between 1 and 255.

Max Connections

Specify the maximum number of active connections to the IPsec
Terminator that are permitted to the hub.
You can enter a value between 1 and 65535. The default is 500.

OK button

Saves your changes locally on the client and closes the dialog box.
The modified policy is displayed in the table on the Server Load
Balance page.
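Weight and Max Connections are the only two per-hub parameters of the server load balance policy (Tables G-24 and G-25). The following Python simulation is added as an illustration and is not Cisco Security Manager or IOS code; it shows how a weighted round robin scheduler spreads spoke connections across the hubs behind an IPsec Terminator in proportion to their weights and stops offering a hub once it reaches its Max Connections. The page does not give the device's exact scheduling algorithm, so the "smooth" weighted round robin variant used here, and the hub names and weights, are assumptions.

```python
"""Weighted round robin hub selection for a server load balance policy.

Added example; this is not Security Manager or IOS code.  It models the two
per-hub parameters in Tables G-24 and G-25, Weight (1 to 255) and Max
Connections (1 to 65535, default 500), and shows how a weighted round robin
scheduler spreads incoming spoke connections across the hubs behind an IPsec
Terminator.  The page does not describe the exact scheduling algorithm used
on the device; the "smooth" weighted round robin below is an assumption
chosen because it interleaves hubs rather than sending runs of connections
to one hub.  Hub names and weights are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WEIGHT_MIN, WEIGHT_MAX = 1, 255
MAX_CONN_MIN, MAX_CONN_MAX = 1, 65535
MAX_CONN_DEFAULT = 500


@dataclass
class Hub:
    name: str
    weight: int
    max_connections: int = MAX_CONN_DEFAULT
    active: int = 0      # connections currently assigned to this hub
    credit: int = 0      # running counter used by the scheduler

    def __post_init__(self):
        if not WEIGHT_MIN <= self.weight <= WEIGHT_MAX:
            raise ValueError(f"{self.name}: weight must be {WEIGHT_MIN}..{WEIGHT_MAX}")
        if not MAX_CONN_MIN <= self.max_connections <= MAX_CONN_MAX:
            raise ValueError(f"{self.name}: max connections must be "
                             f"{MAX_CONN_MIN}..{MAX_CONN_MAX}")


class WeightedRoundRobin:
    """Smooth weighted round robin over hubs that still have capacity."""

    def __init__(self, hubs: List[Hub]):
        self.hubs = list(hubs)

    def next_hub(self) -> Optional[Hub]:
        """Pick the hub for the next incoming connection.

        Returns None when every hub has reached its Max Connections; a
        real terminator would refuse or queue the connection at that point.
        """
        candidates = [h for h in self.hubs if h.active < h.max_connections]
        if not candidates:
            return None
        total = sum(h.weight for h in candidates)
        for h in candidates:
            h.credit += h.weight
        chosen = max(candidates, key=lambda h: h.credit)
        chosen.credit -= total
        chosen.active += 1
        return chosen

    def release(self, hub: Hub) -> None:
        """Return a connection slot when a spoke tears its tunnel down."""
        if hub.active > 0:
            hub.active -= 1


def distribute(hubs: List[Hub], connections: int) -> Tuple[Dict[str, int], int]:
    """Simulate `connections` spoke tunnels arriving at the terminator.

    Returns (connections per hub, connections rejected for lack of capacity).
    """
    scheduler = WeightedRoundRobin(hubs)
    counts = {h.name: 0 for h in hubs}
    rejected = 0
    for _ in range(connections):
        hub = scheduler.next_hub()
        if hub is None:
            rejected += 1
        else:
            counts[hub.name] += 1
    return counts, rejected


if __name__ == "__main__":
    # Constructed policy: hub-a has three times the capacity of hub-b.
    policy = [Hub("hub-a", weight=3), Hub("hub-b", weight=1)]
    print(distribute(policy, 400))      # hub-a receives 300, hub-b 100
```

With weights 3 and 1 the scheduler hands out connections in the repeating order a, a, b, a, so over 400 connections the split is exactly 300 to 100; when both hubs are capped at 10 connections, 5 of 25 arrivals are rejected, which is the condition a monitoring rule for a terminator would want to alert on.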

Easy VPN IPsec Proposal Page


Use the Easy VPN IPsec Proposal page to create or edit the IPsec policy
definitions for your Easy VPN server, including the configuration of Dynamic
VTI. For more information, see Configuring an IPsec Proposal for Easy VPN,
page 9-115.

Note

This topic describes the IPsec Proposal page when the assigned technology is
Easy VPN. For a description of the IPsec Proposal page when the assigned
technology is Regular IPsec, IPsec/GRE, GRE Dynamic IP, or DMVPN, see IPsec
Proposal Page, page G-45.
The following tabs are available on the Easy VPN IPsec Proposal page:

Easy VPN IPsec Proposal Tab, page G-79

Dynamic VTI Tab, page G-84


Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select Easy VPN IPsec Proposal in the Policies
selector.

You can also open the Easy VPN IPsec Proposal page from Policy view. For
more information, see Managing Shared Site-to-Site VPN Policies in Policy
View, page 9-65.

Easy VPN IPsec Proposal Tab


Use the Easy VPN IPsec Proposal tab to create or edit the IPsec policy definitions
for your Easy VPN server.
Navigation Path

The Easy VPN IPsec Proposal tab appears when you open the Easy VPN IPsec
Proposal Page, page G-78.
Related Topics

Important Notes About Site-to-Site Easy VPN Configuration, page 9-114

Understanding Easy VPN, page 9-109

Configuring an IPsec Proposal for Easy VPN, page 9-115

Understanding AAA Server Group Objects, page 8-16


Field Reference


Table G-26

Easy VPN IPsec Proposal Tab

Element

Description

Transform Sets

The transform set(s) to be used for your tunnel policy. Transform
sets specify which authentication and encryption algorithms will be
used to secure the traffic in the tunnel. You can select up to six
transform sets.
Transform sets may use only tunnel mode IPsec operation.
Note
If more than one of your selected transform sets is supported
by both peers, the transform set that provides the highest
security will be used.
A default transform set is displayed. If you want to use a different
transform set, or select additional transform sets, click Select to
open a dialog box that lists all available transform sets, and in which
you can create transform set objects. For more information, see
IPsec Transform Sets Page, page F-422.
For more information, see About Transform Sets, page 9-74.


Reverse Route

Supported on ASA devices, PIX 7.0 devices, and Cisco IOS routers
except 7600 devices.
Reverse Route Injection (RRI) enables static routes to be
automatically inserted into the routing process for those networks
and hosts protected by a remote tunnel endpoint. For more
information, see About Reverse Route Injection, page 9-76.
Select one of the following options to configure RRI on the crypto
map:
None: To disable the configuration of RRI on the crypto map.
Standard: To create routes based on the destination
information defined in the crypto map access control list
(ACL). This is the default option.
Remote Peer: To create two routes, one for the remote
endpoint and one for route recursion to the remote endpoint via
the interface to which the crypto map is applied.
Remote Peer IP: To specify an interface or address as the
explicit next hop to the remote VPN device. Then, click Select
to open the Network/Hosts Selector, from which you can select
the IP address of the remote peer to be used as the next hop.
Note
You can select the Allow Value Override per Device
check box to override the default route, if required.

Enable Network Address Translation

Supported on PIX 7.0 and ASA devices.
When selected, enables you to configure Network Address
Translation (NAT) on a device.
NAT enables devices that use internal IP addresses to send and
receive data through the Internet. Private NAT addresses are
converted to globally routable IP addresses when they try to access
data on the Internet.
For more information, see Understanding NAT, page 9-80.


Group Policy Lookup/AAA Authorization Method

Supported on Cisco IOS routers only.
The AAA authorization method list that will be used to define the
order in which the group policies are searched. Group policies can
be configured either on the local server or on an external AAA
server.
You can click Select to open a dialog box that lists all available
AAA group servers, and in which you can create AAA group server
objects.

User Authentication (Xauth)/AAA Authentication Method

Supported on Cisco IOS routers only.
The AAA or Xauth user authentication method used to define the
order in which user accounts are searched.
Xauth allows all Cisco IOS software AAA authentication methods
to perform user authentication in a separate phase after the IKE
authentication phase 1 exchange. The AAA configuration list-name
must match the Xauth configuration list-name for user
authentication to occur.
For more information about defining user accounts, see Defining
Accounts and Credential Policies, page 14-75.
You can click Select to open a dialog box that lists all available
AAA group servers from which you can make your selection, and in
which you can create additional AAA group server objects.

Save button

Saves your changes to the server but keeps them private.
Note
To publish your changes, click the Submit button on the
toolbar.

Dynamic VTI Tab


Use the Dynamic VTI tab to configure a dynamic virtual interface on a device in
a hub-and-spoke Easy VPN topology. For more information, see Easy VPN with
Dynamic Virtual Tunnel Interfaces, page 9-111.


Note

Dynamic VTI can be configured only on IOS routers running IOS version
12.4(2)T and later, except 7600 devices.
Navigation Path

Open the Easy VPN IPsec Proposal Page, page G-78, then click the Dynamic
VTI tab.
Related Topics

Understanding Easy VPN, page 9-109

Configuring an IPsec Proposal for Easy VPN, page 9-115


Field Reference
Table G-27

Dynamic VTI Tab

Element

Description

Enable Dynamic VTI

When selected, enables Security Manager to implicitly create a
dynamic virtual template interface on the device.
Note
If the device is a hub server that does not support Dynamic
VTI, a warning message is displayed, and a crypto map is
deployed without dynamic VTI. In the case of a client
device, an error message is displayed.

Specify Virtual Template IP

Note
Virtual Template IPs are configured only on IOS router
hubs. You do not need to specify a virtual template IP
address on client devices in an Easy VPN topology.
If you are configuring Dynamic VTI on a hub in the topology,
specify the IP address that will be used as the virtual template
interface from these options:
Use Subnet: To use the IP address taken from a pool of
addresses. Then, in the Subnet field, enter the private IP
address including the unique subnet mask, for example
10.1.1.0/24.
If required, click Select to open the Network/Hosts selector in
which you can select a network from which the IP address will
be allocated.
Use Loopback Interface: To use the IP address taken from an
existing loopback interface. Then, in the Role field, enter the
interface, or click Select to select it from the list of interface
roles provided.

Save button

Saves your changes to the server but keeps them private.
Note
To publish your changes, click the Submit button on the
toolbar.


User Group Policy Page


Use the User Group Policy page to create or edit a user group policy on your
Easy VPN server. An Easy VPN user group policy can be configured on a Cisco
IOS security router, PIX 6.3 Firewall, or Catalyst 6500/7600 device.

Note

You can also configure user group policies in remote access VPNs. For more
information, see User Group Policies in Remote Access VPNs, page 10-6.
Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select User Group Policy in the Policies selector.

You can also open the User Group Policy page from Policy view. For more
information, see Managing Shared Site-to-Site VPN Policies in Policy View,
page 9-65.

Related Topics

Understanding Easy VPN, page 9-109

Configuring a User Group Policy for Easy VPN, page 9-117

Understanding User Group Objects, page 8-181

Creating User Group Objects, page 8-182


Field Reference
Table G-28

Easy VPN Server > User Group Policy Page

Element

Description

Available User Groups

Lists the predefined user groups available for selection.
Select the required user group if you want to replace the default one
in the Selected field.
User groups are predefined objects. If the required user group is not
included in the list, click Create to open the User Groups Editor
dialog box that enables you to create or edit a user group object.

Selected

Displays the selected user group.
To remove the selected user group, select a different one.
Note
You cannot edit the selected user group because it is a
predefined object. You can only edit the properties of an
object you create.

Save button

Saves your changes to the server but keeps them private.
Note
To publish your changes, click the Submit button on the
toolbar.

Tunnel Group Policy (PIX 7.0/ASA) Page


Use the Tunnel Group Policy (PIX 7.0/ASA) page to create or edit tunnel group
policies on your Easy VPN server. An Easy VPN tunnel group policy can be
configured only on PIX Firewalls running version 7.0, and ASA devices.

Note

You can also configure tunnel group policies in remote access VPNs. For more
information, see Tunnel Group Policies in Remote Access VPNs, page 10-8.
The following tabs are available on the Tunnel Group Policy (PIX 7.0/ASA)
page:

Tunnel Group Policy > General Tab, page G-89

Tunnel Group Policy > IPsec Tab, page G-92

Tunnel Group Policy > Advanced Tab, page G-94


Tunnel Group Policy > Client VPN Software Update Tab, page G-96

Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select a topology in
the VPNs selector, then select Tunnel Group Policy (PIX 7.0/ASA) in the
Policies selector.

You can also open the Tunnel Group Policy (PIX 7.0/ASA) page from Policy
view. For more information, see Working with Site-to-Site VPN Policies in
Policy View, page 9-65.

Related Topics

Configuring a Tunnel Group Policy for Easy VPN, page 9-119

Understanding Easy VPN, page 9-109

Tunnel Group Policy > General Tab


Use the General tab of the Tunnel Group Policy (PIX 7.0/ASA) page to specify
the global AAA settings for your tunnel group. On this tab you can also select the
method (or methods) of address assignment to use.
Navigation Path

The General tab appears when you open the Tunnel Group Policy (PIX 7.0/ASA)
Page, page G-88. You can also open it by clicking the General tab from any other
tab on the Tunnel Group Policy (PIX 7.0/ASA) page.
Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88

Configuring a Tunnel Group Policy for Easy VPN, page 9-119

Understanding ASA User Group Objects, page 8-43

Understanding AAA Server Group Objects, page 8-16

Creating Network/Host Objects, page 8-131


Field Reference
Table G-29

Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > General Tab

Element

Description

Tunnel Group Name

The name of the tunnel group that contains the policies for this
IPsec connection.

Group Policy

The group policy to be applied to the tunnel group. A group policy
is a collection of user-oriented attribute/value pairs stored either
internally on the device or externally on a RADIUS/LDAP server.
Click Select to open a dialog box that lists all available ASA group
policies, and in which you can create an ASA group policy object.

AAA

Authentication Server Group

The name of the authentication server group (LOCAL if the tunnel
group is configured on the local device).
You can click Select to open a dialog box that lists all available
AAA server groups, and in which you can create AAA server group
objects.
Note
If you want to set the authentication server group per
interface, click the Advanced tab.

Use LOCAL if Server Group fails

Available if you selected LOCAL for the authentication server
group.
When selected, enables fallback to the local database for
authentication if the selected authentication server group fails.

Authorization Server Group

The name of the authorization server group (LOCAL if the tunnel
group is configured on the local device).
You can click Select to open a dialog box that lists all available
AAA server groups, and in which you can create AAA server group
objects.

User must exist in the authorization database to connect

When selected, specifies that the username of the remote client must
exist in the database so a successful connection can be established.
If the username does not exist in the authorization database, then the
connection is denied.


Accounting Server Group

The name of the accounting server group (LOCAL if the tunnel
group is configured on the local device).
You can click Select to open a dialog box that lists all available
AAA server groups, and in which you can create AAA server group
objects.

Strip Realm from Username

When selected, removes the realm from the username before
passing the username on to the AAA server. A realm is an
administrative domain. Enabling this option allows the
authentication to be based on the username alone.
You must select this check box if your server cannot parse
delimiters.

Strip Group from Username

When selected, removes the group name from the username before
passing the username on to the AAA server. Enabling this option
allows the authentication to be based on the username alone.
You must select this check box if your server cannot parse
delimiters.

Client Address Assignment

DHCP Server

The DHCP servers to be used for client address assignments. The
server uses the DHCP servers in the order listed. You can add up to
10 servers.
A default DHCP server is displayed. DHCP servers are predefined
network objects. If you want to use a different DHCP server, or
select additional DHCP servers, click Select to open the
Network/Hosts selector that lists all available network hosts, and in
which you can create network host objects.


Address Pools

The address pools from which IP addresses will be assigned. The
server uses these pools in the order listed. If all addresses in the first
pool have been assigned, it uses the next pool, and so on. You can
specify up to 6 pools.
A default address pool is displayed. Address pools are predefined
network objects. If you want to use a different address pool, or
select additional address pools, click Select to open the
Network/Hosts selector that lists all available network hosts, and in
which you can create network host objects.

Save button

Saves your changes to the server but keeps them private.
Note
To publish your changes, click the Submit button on the
toolbar.
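The Address Pools description above specifies the assignment order: the server walks the pools in the order listed and moves to the next pool only once every address in the earlier ones has been handed out, with at most six pools per tunnel group. The following Python model is added here as an illustration and is not taken from the ASA or PIX software; it implements that ordered fallback with per-client leases so the behaviour at pool exhaustion can be observed. The pool names, address ranges and client names are constructed.

```python
"""Ordered client address assignment, as described for Address Pools in Table G-29.

Added example; this is not ASA or PIX code.  It models a tunnel group with up
to six address pools that are tried in the order listed: an address is taken
from the first pool with a free address, and the next pool is used only once
the earlier ones are exhausted.  Pool names and ranges are constructed.
"""
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional, Tuple

MAX_POOLS = 6   # "You can specify up to 6 pools"


class AddressPool:
    def __init__(self, name: str, first: str, last: str):
        self.name = name
        self.first = ip_address(first)
        self.last = ip_address(last)
        if self.last < self.first:
            raise ValueError(f"{name}: last address precedes first address")
        self.assigned: set = set()

    def free_count(self) -> int:
        return int(self.last) - int(self.first) + 1 - len(self.assigned)

    def allocate(self) -> Optional[IPv4Address]:
        """Hand out the lowest unassigned address, or None if the pool is exhausted."""
        addr = self.first
        while addr <= self.last:
            if addr not in self.assigned:
                self.assigned.add(addr)
                return addr
            addr += 1
        return None

    def release(self, addr: IPv4Address) -> None:
        self.assigned.discard(addr)


class TunnelGroupPools:
    """The ordered list of address pools attached to one tunnel group."""

    def __init__(self, pools: List[AddressPool]):
        if not 1 <= len(pools) <= MAX_POOLS:
            raise ValueError(f"a tunnel group takes 1 to {MAX_POOLS} address pools")
        self.pools = list(pools)
        self.leases: Dict[str, Tuple[AddressPool, IPv4Address]] = {}

    def assign(self, client: str) -> Optional[Tuple[str, str]]:
        """Assign an address to `client`; returns (pool name, address), or None if all pools are full."""
        if client in self.leases:                # a reconnecting client keeps its lease
            pool, addr = self.leases[client]
            return pool.name, str(addr)
        for pool in self.pools:                  # pools are tried in the order listed
            addr = pool.allocate()
            if addr is not None:
                self.leases[client] = (pool, addr)
                return pool.name, str(addr)
        return None

    def release(self, client: str) -> None:
        """Free the client's address so it can be handed out again."""
        lease = self.leases.pop(client, None)
        if lease:
            pool, addr = lease
            pool.release(addr)


if __name__ == "__main__":
    group = TunnelGroupPools([AddressPool("pool-1", "10.10.1.10", "10.10.1.11"),
                              AddressPool("pool-2", "10.10.2.10", "10.10.2.10")])
    for client in ("spoke-a", "spoke-b", "spoke-c", "spoke-d"):
        print(client, group.assign(client))   # the fourth client gets None
```

Because a freed address is reused from the first pool that has room, a client that disconnects and reconnects may land in a different pool than before; a defender correlating VPN logs with addresses should therefore key on the lease record rather than assume a stable pool per client.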

Tunnel Group Policy > IPsec Tab


Use the IPsec tab of the Tunnel Group Policy (PIX 7.0/ASA) page to specify
IPsec and IKE parameters for the tunnel group policy.
Navigation Path

Open the Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88, then click the
IPsec tab. You can also open the IPsec tab by clicking it from any other tab on the
Tunnel Group Policy (PIX 7.0/ASA) page.
Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88

Configuring a Tunnel Group Policy for Easy VPN, page 9-119


Field Reference
Table G-30

Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > IPsec Tab

Element

Description

Preshared Key

The value of the preshared key for the tunnel group. The maximum
length of a preshared key is 127 characters.

Trustpoint Name

The trustpoint name if any trustpoints are configured. A trustpoint
represents a CA/identity pair and contains the identity of the CA,
CA-specific configuration parameters, and an association with one
enrolled identity certificate.

IKE Peer ID Validation

Select whether IKE peer ID validation is ignored, required, or
checked only if supported by a certificate. During IKE negotiations,
peers must identify themselves to one another.

Enable Sending Certificate Chain

When selected, enables the sending of the certificate chain for
authorization. A certificate chain includes the root CA certificate,
identity certificate, and key pair.

Enable Password Update with RADIUS Authentication

When selected, enables passwords to be updated with the RADIUS
authentication protocol.
For more information, see Supported AAA Server Types,
page 8-25.

ISAKMP Keepalive

Monitor Keepalive

When selected, enables you to configure IKE keepalive as the
default failover and routing mechanism.
For more information, see About IKE Keepalive, page 9-79.

Confidence Interval

The number of seconds that a device waits between sending IKE
keepalive packets.

Retry Interval

The number of seconds a device waits between attempts to establish
an IKE connection with the remote peer. The default is 2 seconds.


Authorization Settings

Use Entire DN as the Username

Select to use the entire Distinguished Name (DN) as the identifier
for the username.
A distinguished name (DN) is a unique identification, made up of
individual fields, that can be used as the identifier when matching
users to a tunnel group. DN rules are used for enhanced certificate
authentication on PIX Firewalls and ASA devices.

Specify Individual DN fields as the Username

Select to use individual DN fields as the username when matching
users to the tunnel group.
A DN certificate is made up of different field identifiers to match
users to tunnel groups.

Primary DN field

Available if you selected to use individual DN fields as the
username.
Select the primary DN field identifier to be used for identification
from the list.

Secondary DN field

Available if you selected to use individual DN fields as the
username.
Select the secondary DN field identifier to be used for
identification. Select None if no secondary field identifier is
required.

Save button

Saves your changes to the server but keeps them private.
Note
To publish your changes, click the Submit button on the
toolbar.
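Tables G-29 and G-30 together describe how the username handed to the authorization database is derived: a realm or group suffix may be stripped from what the client presents, the connection may be refused when that user is absent from the authorization database, and with certificate authentication the username may be the entire subject DN or built from a primary and an optional secondary DN field. The following Python functions are added as an illustration and are not ASA or PIX code; they model those rules so the effect of each option on the resulting username can be checked. The '@' realm delimiter, the '#' group delimiter and the plain concatenation of the primary and secondary field values are assumptions, since the page does not state them, and the usernames, DN and database are constructed.

```python
"""Deriving the AAA username a tunnel group hands to the authorization server.

Added example; this is not ASA or PIX code.  It models three options from
this page: Strip Realm from Username and Strip Group from Username
(Table G-29), the "User must exist in the authorization database to
connect" check (Table G-29), and the Use Entire DN / Primary and Secondary
DN field rules (Table G-30).  The page does not state the realm and group
delimiters or how a primary and a secondary DN field are combined, so the
'@' and '#' delimiters and the plain concatenation of the two field values
are assumptions.  The usernames, DNs and database below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

REALM_DELIMITER = "@"   # assumption: user@realm
GROUP_DELIMITER = "#"   # assumption: user#group


def normalize_username(raw: str, strip_realm: bool = False, strip_group: bool = False) -> str:
    """Apply the Strip Realm / Strip Group options before the AAA lookup."""
    name = raw
    if strip_group:
        name = name.partition(GROUP_DELIMITER)[0]
    if strip_realm:
        name = name.partition(REALM_DELIMITER)[0]
    return name


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN such as 'CN=alice,OU=sales,O=Example,C=US' into (field, value) pairs.

    Commas escaped as '\\,' stay inside a value; other RFC 4514 escapes are not handled.
    """
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        field, _, value = part.partition("=")
        pairs.append((field.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def username_from_dn(dn: str, use_entire_dn: bool = False,
                     primary: Optional[str] = None, secondary: Optional[str] = None) -> Optional[str]:
    """Map a certificate subject DN to the username used to match a tunnel group."""
    if use_entire_dn:
        return dn
    first_value: Dict[str, str] = {}
    for field, value in parse_dn(dn):
        first_value.setdefault(field, value)      # keep the first OU if several are present
    if primary is None or primary.upper() not in first_value:
        return None                               # primary field absent: no username
    name = first_value[primary.upper()]
    if secondary is not None:                     # "None" in the UI means no secondary field
        name += first_value.get(secondary.upper(), "")   # assumption: plain concatenation
    return name


def authorize(username: Optional[str], authorization_db: Dict[str, dict],
              user_must_exist: bool = True) -> bool:
    """Mirror 'User must exist in the authorization database to connect'."""
    if username is None:
        return False
    if user_must_exist and username not in authorization_db:
        return False
    return True


# Constructed authorization database.
AUTHZ_DB = {"alice": {"group": "sales"}, "bob": {"group": "eng"}}

if __name__ == "__main__":
    print(normalize_username("alice@example.com#sales", strip_realm=True, strip_group=True))
    print(username_from_dn("CN=alice,OU=sales,O=Example,C=US", primary="CN", secondary="OU"))
```

Stripping the realm and group before the lookup is what lets a server that "cannot parse delimiters" still match the account, but it also means two clients presenting alice@corp-a and alice@corp-b collapse to the same database entry; when distinct realms are meant to be distinct users, leave the option clear and let the AAA server see the full string.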

Tunnel Group Policy > Advanced Tab


Use the Advanced tab of the PIX7.0/ASA Tunnel Group Policy page to specify
interface-specific information for your tunnel group.


Navigation Path

Open the Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88, then click the
Advanced tab. You can also open the Advanced tab by clicking it from any other
tab on the Tunnel Group Policy (PIX 7.0/ASA) page.
Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88

Configuring a Tunnel Group Policy for Easy VPN, page 9-119

Creating Interface Role Objects, page 8-116

Creating AAA Server Group Objects, page 8-19

Creating Network/Host Objects, page 8-131

Field Reference
Table G-31

Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > Advanced Tab

Element

Description

Interface-Specific Authentication Server Groups

Interface Role

The interface role to be associated with the authentication server
group.
You can click Select to open a dialog box that lists all available
interfaces, and sets of interfaces defined by interface roles, in which
you can make your selection, or create interface role objects.

Server Group

The server group to be associated with the selected interface role.
You can click Select to open a dialog box that lists all available
AAA server groups, and in which you can create AAA server group
objects.

Use LOCAL if server group fails

When selected, enables fallback to the LOCAL database if the
selected server group fails.

Add >> button

Click to add the specified interface role and server group to the list.

Remove button

Click to remove an associated interface role and server group from
the list.


Interface-Specific Client Address Pools

Interface Role

The interface role to which a client address is assigned.
You can click Select to open a dialog box that lists all available
interfaces, and sets of interfaces defined by interface roles, in which
you can make your selection, or create interface role objects.

Address Pool

The address pool from which a client address is assigned on the
selected interface.
Address pools are predefined network objects. You can click Select
to open a dialog box that lists all available network hosts, and in
which you can create or edit network host objects.

Add >> button

Click to add the specified interface role and address pool to the list.

Remove button

Click to remove an associated interface role and address pool from
the list.

Tunnel Group Policy > Client VPN Software Update Tab


Use the Client VPN Software Update tab of the
PIX7.0/ASA Tunnel Group Policy page to view or edit the client type, VPN
Client revisions, and image URL for each client VPN software package installed.
Navigation Path

Open the Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88, then click the
Client VPN Software Update tab. You can also open the Client VPN Software
Update tab by clicking it from any other tab on the
Tunnel Group Policy (PIX 7.0/ASA) page.
Related Topics

Tunnel Group Policy (PIX 7.0/ASA) Page, page G-88

Configuring a Tunnel Group Policy for Easy VPN, page 9-119


Field Reference
Table G-32  Easy VPN Server > Tunnel Group Policy (PIX 7.0/ASA) Page > Client VPN Software Update Tab

Element

Description

Windows Configuration

All Windows Platforms

When selected, enables you to configure the specific revision level and URL of the VPN client on all Windows platforms. Then enter the appropriate information in the fields provided.

Various Windows Platforms

When selected, enables you to configure the specific revision level and URL of the VPN client on Windows 95/98/ME or NT4.1/2000/XP platforms. Then enter the appropriate information in the fields provided.

VPN3002 Hardware Client

VPN Client Revisions

The specific revision level of the VPN3002 client.

Image URL

The specific URL of the VPN3002 client software image.

Save button

Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Client Connection Characteristics Page


Use the Client Connection Characteristics page to specify how traffic will be
routed in the VPN and how the VPN tunnel will be established. You configure
these characteristics on a remote client, which may be a PIX Firewall, a Cisco
800-3800 Series router, or an ASA 5505 running OS version 7.2(1) or later.
Navigation Path

Open the Site-to-Site VPN Manager Window, page G-2, select an Easy VPN topology in the VPNs selector, then select Client Connection Characteristics in the Policies selector.

You can also open the Client Connection Characteristics page from Policy view. For more information, see Managing Shared Site-to-Site VPN Policies in Policy View, page 9-65.

Related Topics

Understanding Easy VPN, page 9-109

Configuring Client Connection Characteristics for Easy VPN, page 9-121

Creating Access Control List Objects, page 8-36


Field Reference


Table G-33  Easy VPN Remote > Client Connection Characteristics Page

Element

Description

Mode

Select the required configuration mode for your remote device, as follows:

- Client: Specifies that all traffic from the remote client's inside network will undergo Port Address Translation (PAT) to a single IP address, which was assigned to the device by the headend server at connect time.

- Network Extension: Specifies that PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network. PAT is not used, allowing the client PCs and hosts to have direct access to the PCs and hosts at the destination network.

- Network Extension Plus: An enhancement to Network Extension mode that enables an IP address received via mode configuration to be automatically assigned to an available loopback interface. The IPsec SAs for this IP address are automatically created by the Easy VPN client. The IP address is typically used for troubleshooting (using ping, Telnet, and Secure Shell).

Note: Network Extension Plus mode can be configured only on IOS routers. If the selected client device is a PIX 6.3 or ASA 5505 running OS version 7.2(1), Network Extension mode will be configured.

For more information, see Easy VPN Configuration Modes, page 9-121.


Xauth Credentials Source

Select how you want to enter the Xauth credentials for user authentication when you establish a VPN connection with the server, as follows:

- Device Stored Credentials (default): The username and password are saved on the device itself, in the device's configuration file, to be used each time the tunnel is established.

- Interactive Entered Credentials: Enables you to manually enter the username and password each time Xauth is requested, in a web browser window or from the command line interface.

For more information, see Easy VPN and IKE Extended Authentication (Xauth), page 9-122.

Xauth Credentials

Available only if you selected Device Stored Credentials as the Xauth Credentials Source.
Displays the default Xauth credentials.
Xauth Credentials are predefined objects. If required, click Select to open the Credentials Selector, in which you can select different Xauth credentials, and from which you can create or edit Credential objects.
Note: If you want to configure different Xauth credentials on your remote client, you must override the default one by clicking the Allow Value Override per Device check box in the Add/Edit Xauth Credentials dialog box.
For more information, see Understanding Credential Objects, page 8-50.


User Authentication Method (IOS)

Available only if the remote device is an IOS router, and if you selected the Interactive Entered Credentials option for the Xauth credentials source.
Select one of these ways to enter the Xauth username and password interactively each time Xauth authentication is requested:

- Web Browser (default): Manually in a web browser window (http page).

- Router Console: Manually from the command line interface (CLI).

Tunnel Activation (IOS)

If the remote device is an IOS router, and if you selected the Device Stored Credentials option for the Xauth password source, you must select a tunnel activation method, as follows:

- Auto (default): The Easy VPN tunnel is established automatically when the Easy VPN configuration is delivered to the device configuration file. If the tunnel times out or fails, the tunnel automatically reconnects and retries indefinitely.

- Traffic Triggered Activation: The Easy VPN tunnel is established whenever outbound local (LAN side) traffic is detected. When using this option, you must specify the Access Control List (ACL) that defines the interesting traffic. Traffic Triggered Activation is recommended for use when Easy VPN dial backup is configured, so that backup is activated only when there is traffic to send across the tunnel.

Note: Manual tunnel activation is configured implicitly when you select to configure the Xauth password interactively.


ACL (IOS)

If you selected the Traffic Triggered Activation option for Tunnel Activation, you must configure an ACL-triggered tunnel by specifying the Access Control List (ACL) that defines the interesting traffic.
Click Select to open the Access Control Lists Selector, from which you can select the required ACL, or create or edit an ACL object.

Save button

Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
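The Tunnel Activation and ACL (IOS) rows above describe a tunnel that is brought up only by "interesting" outbound traffic. The following model is an added example written for this guide, not Security Manager or IOS code. Its ACL syntax (`permit|deny <source> <destination>`, with CIDR networks, single hosts or `any`) is a constructed simplification of an IOS access list that keeps only the two properties that matter here: first-match evaluation and the implicit deny at the end. The addresses and packets are constructed sample data.

```python
"""
Model of traffic-triggered Easy VPN tunnel activation.

Added example, not Security Manager or IOS code. It models the ACL (IOS)
field: the tunnel is established only when an outbound LAN packet matches
a permit entry in the interesting-traffic ACL. The ACL syntax below is a
constructed simplification, not IOS syntax; addresses are sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def _to_net(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(token, strict=False)   # host or CIDR network


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'permit|deny <src> <dst>' lines; '!' starts a comment."""
    entries = []
    for line in lines:
        line = line.split("!")[0].strip()
        if not line:
            continue
        action, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACL line: {line!r}")
        entries.append(AclEntry(action, _to_net(src), _to_net(dst)))
    return entries


def is_interesting(acl: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in acl:
        if entry.matches(s, d):
            return entry.action == "permit"
    return False


class EasyVpnRemote:
    """Tracks tunnel state under Traffic Triggered Activation."""

    def __init__(self, acl: List[AclEntry]):
        self.acl = acl
        self.tunnel_up = False
        self.activations = 0

    def outbound(self, src_ip: str, dst_ip: str) -> bool:
        """Handle one outbound LAN packet; True if it is sent through the tunnel."""
        if not is_interesting(self.acl, src_ip, dst_ip):
            return False            # routed normally, tunnel untouched
        if not self.tunnel_up:
            self.tunnel_up = True   # first interesting packet brings the tunnel up
            self.activations += 1
        return True


def simulate(acl_lines: List[str], packets: List[Tuple[str, str]]) -> Tuple[List[bool], int]:
    remote = EasyVpnRemote(parse_acl(acl_lines))
    tunneled = [remote.outbound(s, d) for s, d in packets]
    return tunneled, remote.activations


# Constructed sample ACL and traffic (not from the guide)
SAMPLE_ACL = [
    "deny   192.168.10.0/24 192.168.10.0/24   ! local LAN traffic is never interesting",
    "permit 192.168.10.0/24 10.0.0.0/8        ! LAN to the networks behind the server",
]
SAMPLE_PACKETS = [
    ("192.168.10.5", "192.168.10.9"),   # local: explicit deny, tunnel stays down
    ("192.168.10.5", "198.51.100.7"),   # internet: implicit deny, tunnel stays down
    ("192.168.10.5", "10.20.30.40"),    # corporate: permit, triggers the tunnel
    ("192.168.10.6", "10.1.2.3"),       # corporate: reuses the tunnel already up
]

if __name__ == "__main__":
    print(simulate(SAMPLE_ACL, SAMPLE_PACKETS))
```

Because of the implicit deny, traffic the ACL does not explicitly permit neither brings the tunnel up nor traverses it, which is what makes this option useful with dial backup. The converse also holds: an over-broad permit (for example `any` to `any`) would activate the tunnel, and the backup link behind it, for every outbound packet.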

VPN Topologies Device View Page


Device view provides an easy way to view and edit the structure of your VPN
topologies at the device level. Use this page to view the VPN topology
(topologies) to which each device in the CSM inventory belongs, and if necessary,
change its assignment to or from a VPN topology. From this page, you can also
create and delete VPN topologies, edit the properties of a VPN topology,
including its device selection, and edit its policies.
Navigation Path

1. Click the Device View button on the toolbar.

2. Select the device from the Device selector.

3. Select Site-to-Site VPN from the Policy selector.

Related Topics

Working with VPN Topologies, page 9-20

Creating a VPN Topology, page 9-20

Editing a VPN Topology, page 9-35

About Locking in Site-to-Site VPN Topologies, page 9-33

Managing VPN Devices in Device View, page 9-62


Working with Site-to-Site VPN Policies, page 9-64

Field Reference
Table G-34  VPN Topologies Device View Page

Element

Description

Type

An icon that depicts the topology type.

Name

The unique name that identifies the VPN topology.

IPsec Technology

The IPsec technology assigned to the VPN topology.

Description

Any description defined for the VPN topology.

Edit VPN Policies button

Click to edit the VPN policies defined for a selected VPN topology. The VPN Summary page opens, displaying information about the VPN topology, including its defined policies.
To edit a policy, select it in the Policies selector. A page opens on which you can view or edit the parameters for the selected policy. See Site to Site VPN Policies, page G-42.
Note: You can also open the VPN Summary page by right-clicking the VPN topology in the table and selecting the Edit VPN Policies option.

Create VPN Topology button

Opens the Create VPN wizard to create a VPN topology. See Create VPN Wizard, page G-9.
Note: You can also create a VPN topology by right-clicking in the table and selecting the Create VPN Topology option.


Edit VPN Topology button

Click to edit the properties of a selected VPN topology. The Edit VPN dialog box opens, displaying the Device Selection tab. See Device Selection Page, page G-12.
Note: You can also edit the properties of a VPN topology by double-clicking its row in the table, or right-clicking it and selecting the Edit VPN Topology option.
For more information, see About Editing a VPN Topology, page 9-33.

Delete VPN Topology button

Deletes a selected VPN topology. A dialog box opens asking you to confirm the deletion.
Note: You can also delete a VPN topology by right-clicking it in the table and selecting the Delete VPN Topology option.
For more information, see Deleting a VPN Topology, page 9-37.

Discover VPN Policies Wizard


Security Manager allows you to import your existing VPN configurations so that
they can be managed by Security Manager, without you having to recreate them.
You can do this using the Discover VPN Policies wizard.
The following pages describe the steps in the Discover VPN Policies wizard:

Discover VPN Policies Wizard - Name and Technology Page, page G-107

Discover VPN Policies Wizard - Device Selection Page, page G-108

Navigation Path

Select Policy > Discover VPN Policies in Device view.


Related Topics

Site-To-Site VPN Discovery, page 9-13

Prerequisites for VPN Discovery, page 9-14

VPN Discovery Rules, page 9-16


Discovering Site-to-Site VPNs, page 9-17

Rediscovering Site-to-Site VPNs, page 9-18

Discover VPN Policies Wizard - Name and Technology Page


Use the Name and Technology page of the Discover VPN Policies wizard to
provide a name and description for the VPN, specify the topology type and IPsec
technology of the VPN to be discovered, and whether you want to discover the
VPN directly from the live devices in your network or from the Config Archive.
Navigation Path

Select Policy > Discover VPN Policies in Device view. The Discover VPN
Policies wizard opens, displaying the Name and Technology page.
Related Topics

Discover VPN Policies Wizard, page G-106

Discover VPN Policies Wizard - Device Selection Page, page G-108

Site-To-Site VPN Discovery, page 9-13

Discovering Site-to-Site VPNs, page 9-17

Rediscovering Site-to-Site VPNs, page 9-18

Field Reference
Table G-35  Discover VPN Policies wizard > Name and Technology Page

Element

Description

VPN Name

The name of the VPN being discovered.

Description

Any descriptive text or comments that you want to specify about the
VPN.

Topology

The type of VPN that you want to discover: Hub and Spoke, Point to Point, or Full Mesh.


IPsec Technology

The IPsec technology assigned to the VPN: Regular IPsec, IPsec/GRE, GRE Dynamic IP (sub-technology), DMVPN, or Easy VPN.
Note: If you selected IPsec/GRE, you must also specify the type, which may be Standard (for IPsec/GRE) or Spokes with Dynamic IP (to configure GRE Dynamic IP).

Discover From

You can either discover the VPN directly from the network or from Config Archive.

- Network: Security Manager connects to all live devices to obtain the device configuration.

- Config Archive: Discovery from Config Archive is recommended if you use configuration files. The most recent version of the device configuration in Config Archive is used for all devices.

Discover VPN Policies Wizard - Device Selection Page

Use the Device Selection page of the Discover VPN Policies wizard to specify the devices participating in the VPN being discovered, and their role in the VPN topology. The devices that are available for selection include only those that can be used for the selected VPN topology type, that support the IPsec technology type, and which you are authorized to view.
The contents of this page differ depending on the VPN topology type. For example, if the topology type is hub and spoke, the page allows you to specify the devices as hubs or spokes.

Navigation Path

Open the Discover VPN Policies Wizard - Name and Technology Page, page G-107, then click Next.

Related Topics

Discover VPN Policies Wizard, page G-106

Discover VPN Policies Wizard - Name and Technology Page, page G-107


Site-To-Site VPN Discovery, page 9-13

Discovering Site-to-Site VPNs, page 9-17

Rediscovering Site-to-Site VPNs, page 9-18

About Selecting Devices in a VPN Topology, page 9-23

Field Reference
Table G-36  Discover VPN Policies wizard > Device Selection Page

Element

Description

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.
Note: Clicking a device group selects all its devices.

Hubs

The devices that are hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.
Note: If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the hubs in the list.
To remove devices from the list, select them and click <<.

Spokes

The devices that are spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.
To remove devices from the list, select them and click <<.

Peer One/Peer Two

The devices that are peers in your point-to-point topology.
To remove the selected device from the Peer One/Peer Two field, click <<.


Selected Devices

The devices that participate in your full mesh topology.
To remove selected devices from the Selected Devices list, click <<.

Finish button

Saves your wizard definitions and closes the wizard.
The Discovery Status dialog box opens, allowing you to monitor the status of the VPN discovery task and view any relevant error or warning messages. See Viewing Policy Discovery Task Status, page 6-12.
Note: When the process is complete, the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that was discovered.

Rediscover VPN Policies Wizard


Security Manager allows you to rediscover the configurations of existing VPN
topologies that are already managed with Security Manager, without you having
to recreate them. You can do this in the Rediscover VPN Policies wizard.

Note: Only the configurations of device-specific policies, such as VPN interfaces and protected networks, and any High Availability (HA) policies that are configured on hubs, can be rediscovered. VPN global policies, such as IKE proposals or PKI enrollments, cannot be rediscovered.

The following pages describe the steps in the Rediscover VPN Policies wizard:

Rediscover VPN Policies Wizard - Name and Technology Page, page G-111

Rediscover VPN Policies Wizard - Device Selection Page, page G-112

Navigation Path

In the Site-to-Site VPN Manager window, right-click the VPN topology whose
configurations you want to rediscover, and click Rediscover Peers.


Related Topics

Rediscovering Site-to-Site VPNs, page 9-18

Site-To-Site VPN Discovery, page 9-13

Prerequisites for VPN Discovery, page 9-14

VPN Discovery Rules, page 9-16

Discovering Site-to-Site VPNs, page 9-17

Rediscover VPN Policies Wizard - Name and Technology Page

Use the Name and Technology page of the Rediscover VPN Policies wizard to specify whether you want to rediscover the VPN directly from the live devices in your network or from the Config Archive.

Note: You cannot change the topology type or IPsec technology.

Navigation Path

In the Site-to-Site VPN Manager window, right-click the VPN topology whose configurations you want to rediscover, and click Rediscover Peers. The Rediscover VPN Policies wizard opens, displaying the Name and Technology page.

Related Topics

Rediscover VPN Policies Wizard, page G-110

Rediscover VPN Policies Wizard - Device Selection Page, page G-112

Rediscovering Site-to-Site VPNs, page 9-18

Site-To-Site VPN Discovery, page 9-13

Discovering Site-to-Site VPNs, page 9-17


Field Reference
Table G-37  Rediscover VPN Policies wizard > Name and Technology Page

Element

Description

VPN Name

The name of the VPN whose policies will be rediscovered.
Note: You cannot edit this VPN name.

Description

Any descriptive text or comments that you want to add about the VPN.

Discover From

Specify whether you want to rediscover the VPN policies directly from the network or from the Config Archive.
Note: Only device-specific VPN policies can be rediscovered.

- Network: When selected, Security Manager connects to all live devices to obtain the device configuration.

- Config Archive: When selected, the most recent version of the device configuration in Config Archive is used for all devices. Rediscovery from Config Archive is recommended if you use configuration files.

Rediscover VPN Policies Wizard - Device Selection Page

Use the Device Selection page of the Rediscover VPN Policies wizard to specify the devices whose peer-level policies need to be rediscovered, and their role in the VPN topology.
The contents of this page differ depending on the VPN topology type. For example, if the topology type is hub and spoke, the page allows you to specify the devices as hubs or spokes.

Navigation Path

Open the Rediscover VPN Policies Wizard - Name and Technology Page, page G-111, then click Next.

Related Topics

Rediscover VPN Policies Wizard, page G-110

Rediscover VPN Policies Wizard - Name and Technology Page, page G-111


Rediscovering Site-to-Site VPNs, page 9-18

Site-To-Site VPN Discovery, page 9-13

Discovering Site-to-Site VPNs, page 9-17

About Selecting Devices in a VPN Topology, page 9-23

Field Reference
Table G-38  Rediscover VPN Policies wizard > Device Selection Page

Element

Description

Available Devices

Lists all devices that can be included in your selected VPN topology, that support the IPsec technology type, and which you are authorized to view.
Note: Clicking a device group selects all its devices.

Hubs

The devices that are hubs in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are servers.
Note: If multiple devices are selected, you must make sure that the required primary hub device appears first in the list. You can use the Up and Down buttons to change the order of the hubs in the list.
To remove devices from the list, select them and click <<.

Spokes

The devices that are spokes in your hub-and-spoke topology. In an Easy VPN topology, the selected devices are clients.
To remove devices from the list, select them and click <<.

Peer One/Peer Two

The devices that are peers in your point-to-point topology.
To remove the selected device from the Peer One/Peer Two field, click <<.


Selected Devices

The devices that participate in your full mesh topology.
To remove selected devices from the Selected Devices list, click <<.

Finish button

Saves your wizard definitions and closes the wizard.
The Discovery Status dialog box opens, allowing you to monitor the status of the VPN rediscovery task and view any relevant error or warning messages. See Viewing Policy Discovery Task Status, page 6-12.
Note: When the process is complete, the Site-to-Site VPN Manager window opens, displaying summary information for the VPN that was rediscovered.

Appendix H

Remote Access VPN User Interface Reference

The pages that you access by selecting the Remote Access VPN folder from the
Policy selector in Device View enable you to configure remote access VPNs. The
following topics describe the pages that help you configure remote access VPNs
for Cisco IOS security routers, PIX Firewalls, Catalyst 6500/7600 devices, and
Adaptive Security Appliance (ASA) devices and the policies that will be assigned
to them.

Note: You must have read-write permissions to modify a remote access VPN policy. For more information, see Modify Policies Permissions, page 2-14.

You can also discover policies on devices in remote access VPNs that are already deployed in your network, so that Security Manager can manage them. For more information, see Discovering Remote Access VPN Policies, page 10-2.

These topics describe the main pages available from the Remote Access VPN
folder:

Remote Access Configuration Wizard, page H-2

User Group Policy Page, page H-3

Tunnel Group Policy Page, page H-4

Remote Access VPN Defaults Page, page H-15

IPsec Proposal Page, page H-16



IKE Proposal Page, page H-36

High Availability Page, page H-37

Public Key Infrastructure Page, page H-39

VPN Global Settings Page, page H-42

ASA Cluster Load Balance Page, page H-50

DN Matching Policy Page, page H-52

DN Matching Rules Page, page H-54

Remote Access Configuration Wizard


Use the Remote Access Configuration wizard to configure your device with the
policies that enable it to act as a remote access VPN server.
Depending on the device type, you must configure a user group or tunnel group
policy first. A user group policy is configured on an IOS security router, PIX
Firewall, or Catalyst 6500/7600 device. Tunnel group policies are configured on
ASA devices or PIX Firewalls version 7.0. Other policies are then assigned to the
device. These can be factory default policies provided by Security Manager or
shared policies that were created in Security Manager. See Assigning the Default
Remote Access VPN Policies, page 10-11.

Note: You cannot use the wizard to edit a remote access VPN. Each time you launch the wizard, any previous user group (or tunnel group) policy assignment is removed from the device, and you must create it again.

The following topics describe the steps in the Remote Access Configuration wizard:

User Group Policy Page, page H-3

Tunnel Group Policy Page, page H-4

Remote Access VPN Defaults Page, page H-15

Tip: You can also configure a user group or tunnel group policy on your device from the Remote Access VPN Policies folder.


Navigation Path

1. Click the Device View button on the toolbar.

2. From the Device selector, select the device to configure as your remote access server.

3. Select Remote Access VPN > Configuration Wizard from the Policy selector.

Related Topics

Using the Remote Access Configuration Wizard, page 10-4

User Group Policy Page


Use the User Group Policy page to specify the user groups you want to use for
your remote access VPN server.

Note: The User Group Policy page is available if the selected device is a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500/7600 device.

Navigation Path

Do one of the following in Device view:

- Open the Remote Access Configuration Wizard, page H-2, then click Remote Access Configuration Wizard.

- Select Remote Access VPN > User Group Policy from the Policy selector.

Note: You can also open the User Group Policy page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-35.
Related Topics

Remote Access Configuration Wizard, page H-2

User Group Policies in Remote Access VPNs, page 10-6

Configuring User Group Policies, page 10-7


Understanding User Group Objects, page 8-181

Creating User Group Objects, page 8-182

Field Reference
Table H-1  User Group Policy Page

Element

Description

Available User Groups

Lists the predefined user groups available for selection.
Select the required user groups and click >>.
In Security Manager, user groups are objects. If the required user group is not in the list, click Create to open the User Groups Editor dialog box, which enables you to create or edit a user group object.

Selected User Groups

Displays the selected user groups.
To remove a user group from this list, select it and click <<.
To modify the properties of a user group, select it and click Edit.

>> button

Click to move a selected user group from the Available User Groups list to the Selected User Groups list.

<< button

Click to move a selected user group from the Selected User Groups list back to the Available User Groups list.

Save button

Available only if you opened this page from the Remote Access VPN Policies folder, and if you are authorized to modify this policy.
Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Tunnel Group Policy Page


Use the Tunnel Group Policy page to view the tunnel group policies defined on
your remote access VPN server. From this page, you can create tunnel group
policies or edit existing policies.


Note: The Tunnel Group Policy page is available only for PIX Firewalls version 7.0, or ASA devices.

Navigation Path

Do one of the following in Device view:

- Open the Remote Access Configuration Wizard, page H-2, then click Remote Access Configuration Wizard.

- Select Remote Access VPN > Tunnel Group Policy (PIX 7.0/ASA) from the Policy selector.

Note: You can also open the Tunnel Group Policy page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-35.
Related Topics

Tunnel Group Policies in Remote Access VPNs, page 10-8

Configuring Tunnel Group Policies, page 10-9

Remote Access Configuration Wizard, page H-2

Tunnel Group Editor Dialog Box, page H-6

Field Reference
Table H-2  Tunnel Group Policy (PIX 7.0/ASA) Page

Element

Description

Tunnel Group Name

The name of the tunnel group that contains the policies for the
tunnel connection.

Group Policy Name

The name of the group policy to be applied to the tunnel group.
A group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS server.


Create button

Click to create a tunnel group policy. The Tunnel Group Policy Editor dialog box opens. See Tunnel Group Editor Dialog Box, page H-6.

Edit button

Select the row of a tunnel group in the table, then click to open the Tunnel Group Policy Editor dialog box for editing the selected tunnel group. See Tunnel Group Editor Dialog Box, page H-6.

Delete button

Select the rows of one or more tunnel groups, then click to delete.

Save button

Available if you opened this page from the Remote Access VPN Policies folder, and if you are authorized to modify this policy.
Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Tunnel Group Editor Dialog Box


Use the Tunnel Group Editor dialog box to create or edit tunnel group policies on
your remote access VPN server.

Note: This dialog box is available only when the selected device is a PIX Firewall version 7.0, or an ASA device.

The following tabs are available on the Tunnel Group Policy Editor dialog box:

Tunnel Group Editor > General Tab, page H-7

Tunnel Group Editor > IPsec Tab, page H-10

Tunnel Group Editor > Advanced Tab, page H-12

Tunnel Group Editor > Client VPN Software Update Tab, page H-14

Navigation Path

Open the Tunnel Group Policy Page, page H-4, then click Create, or select a
device in the table and click Edit. For more information, see Table H-2 on
page H-5.

Related Topics

Tunnel Group Policies in Remote Access VPNs, page 10-8

Configuring Tunnel Group Policies, page 10-9

Tunnel Group Editor Dialog Box, page H-6

Tunnel Group Editor > General Tab


Use the General tab of the Tunnel Group Policy Editor to specify the global AAA
settings for your tunnel group. On this tab you can also select the method (or
methods) of address assignment to use.
Navigation Path

Open the Tunnel Group Editor Dialog Box, page H-6, or click the General tab
from any other tab on the Tunnel Group Policy Editor.
Related Topics

Tunnel Group Policies in Remote Access VPNs, page 10-8

Configuring Tunnel Group Policies, page 10-9

Tunnel Group Editor Dialog Box, page H-6

Creating ASA User Group Objects, page 8-45

Creating AAA Server Group Objects, page 8-19

Creating Network/Host Objects, page 8-131

Field Reference

Table H-3 Tunnel Group Editor Dialog Box > General Tab

Element / Description

Tunnel Group Name
The name of the tunnel group that contains the policies for this IPsec connection.

Group Policy
The group policy to be applied to the tunnel group. A group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS server.
Click Select to open a dialog box that lists all available ASA user groups and enables you to create an ASA group policy object.

AAA

Authentication Server Group
The name of the authentication server group (LOCAL if the users are defined on the local device).
Note: The default is LOCAL.
Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.
Note: If you want to set the authentication server group per interface, click the Advanced tab.

Use LOCAL if Server Group fails
When selected, enables fallback to the local database for authentication if the selected authentication server group fails.

Authorization Server Group
The name of the authorization server group (LOCAL, external server, or none).
Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.

User must exist in the authorization database to connect
When selected, specifies that the username of the remote client must exist in the authorization database for a connection to be established. If the username does not exist in the authorization database, the connection is denied.

Accounting Server Group
The name of the accounting server group (LOCAL, external server, or none).
Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.

Strip Realm from Username
When selected, removes the realm from the username before passing the username to the AAA server. A realm is an administrative domain. Enabling this option allows the authentication to be based on the username alone.
You must select this check box if your AAA server cannot parse delimiters.

Strip Group from Username
When selected, removes the group name from the username before passing the username to the AAA server. Enabling this option allows the authentication to be based on the username alone.
You must select this check box if your server cannot parse delimiters.

Client Address Assignment

DHCP Server
The servers to use for client address assignments. The server uses the DHCP servers in the order listed. You can add up to 10 servers.
The DHCP Server field displays a default DHCP server. DHCP servers are network objects. If you want to use a different DHCP server, or select additional DHCP servers, click Select to open the Network/Hosts selector that lists all available network hosts and enables you to create network host objects.

Address Pools
The local address pools from which IP addresses will be assigned. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.
Address pools are predefined network objects. If you want to use a different address pool, or select additional address pools, click Select to open the Network/Hosts selector that lists all available network hosts and enables you to create network host objects.

OK button
Saves your changes locally on the client and closes the dialog box.
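The realm- and group-stripping behavior described for the Strip Realm from Username and Strip Group from Username check boxes, as an added example that is not part of this guide or of the PIX/ASA software. It assumes that the realm is the text after an '@' delimiter and that the group name follows a separately configured group delimiter (here '#'); the page specifies neither, and the delimiters are parameters.

```python
"""Username normalization for the Strip Realm / Strip Group check boxes.

Added example, not Security Manager or ASA code. Assumptions the page
does not state: the realm follows an '@' delimiter, and the group name
follows a separately configurable group delimiter (here '#').
"""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class StripSettings:
    """Mirror of the two check boxes plus the assumed delimiters."""
    strip_realm: bool
    strip_group: bool
    realm_delimiter: str = "@"   # assumption: realm = text after '@'
    group_delimiter: str = "#"   # assumption: group = text after '#'

    def __post_init__(self) -> None:
        # One character cannot serve both roles, or the split is ambiguous.
        if self.realm_delimiter == self.group_delimiter:
            raise ValueError("realm and group delimiters must differ")


def split_username(raw: str, settings: StripSettings) -> Tuple[str, Optional[str], Optional[str]]:
    """Break 'user#group@realm' into (user, group, realm).

    The realm is taken from the LAST realm delimiter so that a group
    name containing '@' is not mistaken for the realm.
    Missing parts are returned as None.
    """
    rest, realm = raw, None
    if settings.realm_delimiter in rest:
        rest, realm = rest.rsplit(settings.realm_delimiter, 1)
    group = None
    if settings.group_delimiter in rest:
        rest, group = rest.split(settings.group_delimiter, 1)
    return rest, group, realm


def normalize_username(raw: str, settings: StripSettings) -> str:
    """Return the username that would be handed to the AAA server.

    Only the parts whose check box is selected are removed; the remaining
    parts are rebuilt in their original order.
    """
    user, group, realm = split_username(raw, settings)
    name = user
    if group is not None and not settings.strip_group:
        name += settings.group_delimiter + group
    if realm is not None and not settings.strip_realm:
        name += settings.realm_delimiter + realm
    return name


def contains_delimiter(name: str, settings: StripSettings) -> bool:
    """True when the name still carries a realm or group delimiter.

    A AAA server that cannot parse delimiters would treat such a name as
    a different, unknown user, which is why the guide says to select the
    check boxes in that case.
    """
    return settings.realm_delimiter in name or settings.group_delimiter in name
```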

Tunnel Group Editor > IPsec Tab


Use the IPsec tab of the Tunnel Group Policy Editor to specify IPsec and IKE
parameters for the tunnel group policy.
Navigation Path

Open the Tunnel Group Editor Dialog Box, page H-6, then click the IPsec tab.
Related Topics

Tunnel Group Policies in Remote Access VPNs, page 10-8

Configuring Tunnel Group Policies, page 10-9

Tunnel Group Editor Dialog Box, page H-6

Field Reference

Table H-4 Tunnel Group Editor Dialog Box > IPsec Tab

Element / Description

Preshared Key
The value of the preshared key for the tunnel group. The maximum length of a preshared key is 128 characters.

Trustpoint Name
Select the trustpoint name if any trustpoints are configured, and if certificates are to be used for authentication. A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

IKE Peer ID Validation
Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another.
Note: The default option is Required.

Enable sending certificate chain
When selected, enables the sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair.

Enable password update with RADIUS authentication
When selected, enables passwords to be updated with the RADIUS authentication protocol.
For more information, see Supported AAA Server Types, page 8-25.

ISAKMP Keep Alive

Monitor Keep Alive
When selected (the default), enables you to configure IKE keepalive as the default failover and routing mechanism. For more information, see About IKE Keepalive, page 9-79.
Note: The IKE keepalive settings you define here apply only to ASA devices and PIX Firewalls version 7.0. For Cisco IOS routers, Catalyst 6500/7600 devices, and PIX Firewalls version 6.3, you define these settings when configuring the VPN global settings. See ISAKMP/IPsec Settings Tab, page H-43.

Confidence Interval
The number of seconds that a device waits between sending IKE keepalive packets. The default is 300 seconds.

Retry Interval
The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Authorization Settings

Use Entire DN as the Username
Select to use the entire distinguished name (DN) as the identifier for the username.
A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. Distinguished name (DN) rules are used for enhanced certificate authentication on PIX Firewalls and ASA devices.
For more information, see DN Matching Policies, page 10-30.

Specify individual DN fields as the username
When selected (the default), enables you to use individual DN fields as the username when matching users to the tunnel group.
A DN certificate is made up of different field identifiers that can be used to match users to tunnel groups.

Primary DN Field
Available if you selected the option to use individual DN fields as the username.
Select the primary DN field identifier to be used for identification from the list. The default is UID (User ID).

Secondary DN Field
Available if you selected the option to use individual DN fields as the username.
Select the secondary DN field identifier to be used for identification from the list. Select None if no secondary field identifier is required.

OK button
Saves your changes locally on the client and closes the dialog box.
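Deriving the identifier used to match a certificate user to a tunnel group, following the Use Entire DN and individual DN field options in Table H-4. This is an added example, not code from this guide or from the PIX/ASA software; it assumes RFC 4514 DN string syntax and, because the page does not say how a secondary field is combined with the primary, simply appends the secondary value to the primary value.

```python
"""Tunnel-group username derived from a certificate DN.

Added example, not Security Manager or PIX/ASA code. Assumptions: the DN
is in RFC 4514 string form; with a secondary field, its value is appended
to the primary value (the page does not state how they are combined).
"""

from typing import Dict, List, Optional, Tuple

# Constructed sample DN. The escaped comma inside the O value is the
# edge case a naive split(",") would get wrong.
SAMPLE_DN = "CN=Alice Smith,UID=asmith,OU=Eng,OU=VPN Users,O=Example\\, Inc.,C=US"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (ATTRIBUTE, value) pairs.

    Backslash escapes are honoured so an escaped comma stays inside its
    value; attribute types are upper-cased for case-insensitive lookup.
    """
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":
            rdn = "".join(buf).strip()
            if rdn:
                attr, sep, value = rdn.partition("=")
                if not sep:
                    raise ValueError(f"malformed RDN: {rdn!r}")
                pairs.append((attr.strip().upper(), value.strip()))
            buf = []
        elif dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 1
        else:
            buf.append(dn[i])
        i += 1
    return pairs


def dn_username(dn: str, use_entire_dn: bool, primary: str = "UID",
                secondary: Optional[str] = None) -> Optional[str]:
    """Return the identifier used to match the user to a tunnel group.

    use_entire_dn=True corresponds to "Use Entire DN as the Username";
    otherwise the Primary DN Field (default UID) and optional Secondary
    DN Field are used. None means the certificate lacks a required field,
    so no match is possible and the user should not be mapped.
    """
    if use_entire_dn:
        return dn
    fields: Dict[str, str] = {}
    for attr, value in parse_dn(dn):
        fields.setdefault(attr, value)  # first occurrence of a repeated type wins
    prim = fields.get(primary.upper())
    if prim is None:
        return None
    if secondary is None or secondary.upper() == "NONE":
        return prim
    sec = fields.get(secondary.upper())
    if sec is None:
        return None  # assumption: a configured but absent secondary field is a non-match
    return prim + sec
```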

Tunnel Group Editor > Advanced Tab


Use the Advanced tab of the Tunnel Group Policy Editor to specify
interface-specific information for your tunnel group.
Navigation Path

Open the Tunnel Group Editor Dialog Box, page H-6, then click the Advanced
tab.


Related Topics

Tunnel Group Policies in Remote Access VPNs, page 10-8

Configuring Tunnel Group Policies, page 10-9

Tunnel Group Editor Dialog Box, page H-6

Creating Interface Role Objects, page 8-116

Creating AAA Server Group Objects, page 8-19

Creating Network/Host Objects, page 8-131

Field Reference

Table H-5 Tunnel Group Editor Dialog Box > Advanced Tab

Element / Description

Interface-Specific Authentication Server Groups

Interface Role
The interface role to be associated with the authentication server group.
Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.

Server Group
The server group to be associated with the selected interface role.
Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.

Use LOCAL if server group fails
When selected, enables fallback to the LOCAL database if the selected server group fails.

Add button (>>)
Click to add the specified interface role and server group to the list.

Remove button (<<)
Click to remove an associated interface role and server group from the list.

Interface-Specific Client Address Pools

Interface Role
The interface on which to assign addresses to the client.
Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.

Address Pool
The address pool from which to assign a client address on the selected interface.
Address pools are predefined network objects. Network objects can contain one or more network or host IP addresses, interfaces, or other network objects. Click Select to open a dialog box that lists all available network hosts and enables you to create network host objects.

Add >> button
Click to add the specified interface role and address pool to the list.

Remove button
Click to remove an associated interface role and address pool from the list.

OK button
Saves your changes locally on the client and closes the dialog box.

Tunnel Group Editor > Client VPN Software Update Tab


Use the Client VPN Software Update tab of the Tunnel Group Policy Editor to
view and edit the client type, VPN client revisions, and image URL for each client
VPN software package installed.
Navigation Path

Open the Tunnel Group Editor Dialog Box, page H-6, then click the Client VPN
Software Update tab.
Related Topics

Tunnel Group Policies in Remote Access VPNs, page 10-8

Configuring Tunnel Group Policies, page 10-9

Tunnel Group Editor Dialog Box, page H-6


Field Reference

Table H-6 Tunnel Group Editor Dialog Box > Client VPN Software Update Tab

Element / Description

Windows Configuration

All Windows Platforms
When selected (the default), enables you to configure the specific revision level and URL of the VPN client on all Windows platforms.
After you select this option, enter the appropriate information in the fields provided.

Various Windows Platforms
When selected, enables you to configure the specific revision level and URL of the VPN client on Windows 95/98/ME or NT4.1/2000/XP platforms.
After you select this option, enter the appropriate information in the fields provided.

VPN3002 Hardware Client

VPN Client Revisions
The specific revision level of the VPN3002 client.

Image URL
The specific URL of the VPN3002 client software image.

OK button
Saves your changes locally on the client and closes the dialog box.

Remote Access VPN Defaults Page


Use the VPN Defaults page of the Remote Access Configuration wizard to view
and select the default policies that will be assigned to the device you are
configuring as a remote access VPN server.
The page displays all the available policy types that can be assigned to your
device. Each policy type has a list from which you can select to assign either the
factory default or a shared policy that was created (and submitted or approved,
depending on the workflow mode) using Security Manager.
Navigation Path

Open the Remote Access Configuration Wizard, page H-2, click Remote
Access Configuration Wizard, and then click Next on the User Group
Policy or Tunnel Group Policy page.


Related Topics

Assigning the Default Remote Access VPN Policies, page 10-11

Managing Shared Remote Access VPN Policies in Policy View, page 10-35

Field Reference

Table H-7 Remote Access Configuration Wizard > VPN Defaults Page

Element / Description

Policy type
For each policy type, select the default remote access VPN policy to assign to your device.
You can accept the Factory Default policy or select a shared VPN policy that appears in the list.
Note: If you want to assign a default policy that is not in the list, you can change the policy defaults selection in the Administration tools VPN Policy Defaults page. For more information, see Configuring VPN Policy Defaults, page 2-98.

View Content button
Opens a page that displays the contents of the selected remote access VPN policy.
Note: If you make any changes on this page, you cannot save them.

IPsec Proposal Page


An IPsec proposal defines the external interface through which remote access
clients connect to the server, and the encryption and authentication algorithms
used to protect the data in the VPN tunnel.
Use the IPsec Proposal page to create or edit IPsec policy definitions for your
remote access VPN. For more information on IPsec proposals, see Understanding
IPsec Tunnel Policies, page 9-72 and About Crypto Maps, page 9-73.


Navigation Path

1. Click the Device View button on the toolbar.

2. From the Device Selector, select the device on which to configure the IPsec Proposal.

3. Select Remote Access VPN > IPsec Proposal from the Policy selector.

Note: You can also open the IPsec Proposal page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-35.
Related Topics

IPsec Proposals in Remote Access VPNs, page 10-12

Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14

Defining Accounts and Credential Policies, page 14-75

Remote Access Configuration Wizard, page H-2

IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page H-19

IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600
Devices), page H-22

Field Reference

Table H-8 IPsec Proposal Page

Element / Description

Endpoint
The external interface (or inside VLAN for a Catalyst 6500/7600 device) through which remote access clients will connect to the server.

Transform Sets
The transform set(s) selected for the policy (the default is tunnel_3des_sha).
Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel.

RRI
Shows whether Reverse Route Injection (RRI) is enabled or disabled on the crypto map for the support of VPN clients.
For more information, see About Reverse Route Injection, page 9-76.

AAA Authorization
Supported on Cisco IOS routers and Catalyst 6500/7600 devices only.
Displays the selected AAA server groups for authorization.
AAA Authorization defines the order in which group policies are searched and whether they are configured on the local server or on an external AAA server.

AAA Authentication
Supported on Cisco IOS routers and Catalyst 6500/7600 devices only.
Displays selected AAA server groups for authentication.
AAA authentication is required to enable IKE Extended Authentication (Xauth) as the user authentication method. It determines the username and password storage location. Usernames and passwords can be stored on the device (local) or on an external AAA server, which can provide authentication to numerous other databases.

VRF
Supported on Cisco IOS routers and Catalyst 6500/7600 devices only.
Shows whether VRF settings for the proposal are enabled or disabled. For more information, see Understanding VRF-Aware IPsec, page 9-51.

DVTI
Supported on Cisco IOS routers only.
Shows whether a dynamic virtual template interface is configured on the device. For more information, see Using Dynamic Virtual Template Interfaces in Remote Access VPNs, page 10-13.

Create button
Click to open the IPsec Proposal Editor dialog box to create an IPsec proposal.
If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page H-19.
If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page H-22.

Edit button
Select the row of a proposal from the table, then click to open the IPsec Proposal Editor dialog box to edit the selected proposal.
If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page H-19.
If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page H-22.

Delete button
Select the rows of one or more proposals, then click to delete.

Save button
Available only if you are authorized to modify this policy.
Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

IPsec Proposal Editor Dialog Box (for PIX and ASA Devices)

Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.
The elements in this dialog box differ according to the selected device. Table H-9 describes the elements in the IPsec Proposal Editor dialog box when a PIX 7.0 or ASA device is selected.

Note: For a description of the elements in the dialog box when a Cisco IOS router or Catalyst 6500/7600 is selected, see Table H-10 on page H-23.


Navigation Path

Open the IPsec Proposal Page, page H-16, then click Create, or select a proposal
from the list and click Edit.
Related Topics

IPsec Proposal Page, page H-16

Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14

Understanding IPsec Tunnel Policies, page 9-72

Creating Interface Role Objects, page 8-116

Creating AAA Server Group Objects, page 8-19

Field Reference

Table H-9 IPsec Proposal Editor (for PIX and ASA Devices)

Element / Description

External Interface
The external interface (endpoint) through which remote access clients connect to the server.
An endpoint can be an interface or a set of interfaces that are defined by a particular interface role. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.

Transform Sets
The transform set or sets to use for your tunnel policy (the default is tunnel_3des_sha).
Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel.
A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see IPsec Transform Sets Page, page F-422.
If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.
Note: You can select up to six transform sets.
For more information, see About Transform Sets, page 9-74.

Reverse Route Injection
Note: Available only for ASA devices.
Select the required option to configure Reverse Route Injection (RRI) on the crypto map in your tunnel policy:
None: Disables the RRI configuration on the crypto map.
Standard: The default. Creates routes based on the destination information defined in the crypto map access control list (ACL).
For more information, see About Reverse Route Injection, page 9-76.

Enable Network Address Translation Traversal
Note: Available only for ASA devices.
When selected (the default), enables you to configure NAT traversal on the device.
You use NAT traversal when a device (referred to as the middle device) that performs NAT on the IPsec flow is located between a VPN-connected hub and spoke.
For more information, see About NAT Traversal, page 9-81.

User Authentication (Xauth)/AAA Authentication Method
Note: Available only for PIX devices.
The AAA or Xauth user authentication method that defines the order in which user accounts are searched.
Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange.
Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.

OK button
Saves your changes locally on the client and closes the dialog box. The changes appear in the table of the IPsec Proposal page.

IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)

Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.
If you select an IOS router, the IPsec Proposal Editor dialog box displays two tabs: General and Dynamic VTI/VRF Aware IPsec. If you select a Catalyst 6500/7600, the FWSM Settings tab is also displayed.
Click the appropriate tab to specify general IPsec settings, configure Dynamic VTI or VRF Aware IPsec, or both, on the selected device, or configure FWSM on a Catalyst 6500/7600 device.
Navigation Path

Open the IPsec Proposal Page, page H-16, then click Create, or select a proposal
from the list and click Edit. The IPsec Proposal Editor dialog box opens,
displaying the General tab.
Related Topics

IPsec Proposal Page, page H-16

VPNSM/VPN SPA Settings Dialog Box, page H-26


FWSM Settings Tab (IPsec Proposal Editor), page H-29

Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor), page H-31

Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14

Creating Interface Role Objects, page 8-116

Creating AAA Server Group Objects, page 8-19

Field Reference

Table H-10 describes the elements in the General tab of the IPsec Proposal Editor dialog box, if you selected an IOS router or Catalyst 6500/7600.

Note: For a description of the elements in the dialog box if you selected a PIX Firewall or ASA device, see Table H-9 on page H-20.

Table H-10 IPsec Proposal Editor > General Tab

Element / Description

External Interface
The external interface through which remote access clients will connect to the server.
An external interface can be defined by a specific interface role. Interface roles are predefined objects. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.

Inside VLAN
Note: Available only if the selected device is a Catalyst 6500/7600.
The inside VLAN that serves as the inside interface to the VPN Services Module (VPNSM) or VPN SPA.
Click Select to open a dialog box in which you define the settings that enable you to configure a VPN Services Module (VPNSM) external interface or a VPN SPA blade on the Catalyst 6500/7600 device. See VPNSM/VPN SPA Settings Dialog Box, page H-26.
For information about configuring a VPNSM, see Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface, page 9-40.
For information about configuring a VPN SPA, see Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42.

Transform Sets
The transform set or sets to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms are used to secure the traffic in the tunnel.
A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see IPsec Transform Sets Page, page F-422.
If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security is used.
Note: You can select up to six transform sets.
For more information, see About Transform Sets, page 9-74.

Reverse Route Injection
Select one of the following options to configure Reverse Route Injection (RRI) on the crypto map:
None: Disables the configuration of RRI on the crypto map.
Standard: The default. Creates routes according to the destination information defined in the crypto map access control list (ACL).
Remote Peer: Creates two routes, one for the remote endpoint and one for route recursion to the remote endpoint through the interface to which the crypto map is applied.
Remote Peer IP: Specifies an interface or address as the explicit next hop to the remote VPN device. Then click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to use as the next hop.
Note: You can select the Allow Value Override per Device check box to override the default route, if required.
For more information, see About Reverse Route Injection, page 9-76.

Group Policy Lookup/AAA Authorization Method
The AAA authorization method list that defines the order in which the group policies are searched. Group policies can be configured on the local server or on an external AAA server.
Note: The default is LOCAL.
Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.

User Authentication (Xauth)/AAA Authentication Method
The AAA or Xauth user authentication method that defines the order in which user accounts are searched.
Note: The default authentication method is LOCAL.
Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange.
For more information about defining user accounts, see Defining Accounts and Credential Policies, page 14-75.
Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.

OK button
Saves your changes locally on the client and closes the dialog box. The changes appear in the table of the IPsec Proposal page.

VPNSM/VPN SPA Settings Dialog Box

Note: This dialog box is available only if the selected device is a Catalyst 6500/7600.

Use the VPNSM/VPN SPA Settings dialog box to specify the settings for configuring a VPN Services Module (VPNSM) or a VPN Shared Port Adapter (VPN SPA) on a Catalyst 6500/7600 device.

Note: Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory and discover its interfaces. For more information, see Procedure for Configuring a VPNSM or VPN SPA Blade, page 9-44.
Before you configure VPNSM or VPN SPA with VRF-Aware IPsec on a device, verify that an IPsec proposal with VRF-Aware IPsec and an IPsec proposal without VRF-Aware IPsec were not configured on the device.

For more information about VPNSM, see Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface, page 9-40.
For more information about VPN SPA, see Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-42.
Navigation Path

1. Open the IPsec Proposal Page, page H-16, then click Create, or select a proposal from the list and click Edit. The IPsec Proposal Editor dialog box opens.

2. In the General tab of the IPsec Proposal Editor dialog box, click Select next to the Inside VLAN field.

Related Topics

IPsec Proposal Page, page H-16

IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600
Devices), page H-22

FWSM Settings Tab (IPsec Proposal Editor), page H-29

Creating Interface Role Objects, page 8-116

Field Reference
Table H-11

VPNSM/VPN SPA Settings Dialog Box

Element

Description

Inside VLAN

The inside VLAN that serves as the inside interface to the VPNSM
or VPN SPA, and to which the required crypto maps will be applied.
If required, click Select to open a dialog box that lists all available
interfaces and sets of interfaces defined by interface roles, from
which you can make your selection, or create interface role objects.

Slot

From the list of available slots, select the VPNSM blade slot number
to which the inside VLAN interface is connected or the number of
the slot in which the VPN SPA blade is inserted.
For more information, see Adding VPN SPA Slot Locations,
page 5-35.


Subslot
    The number of the subslot (0 or 1) on which the VPN SPA blade is installed.
    Note: If you are configuring a VPNSM, select the blank option.

External Port
    The external port or VLAN that connects to the inside VLAN.
    Note: If VRF-Aware IPsec is configured on the device, the external port or VLAN must have an IP address. If VRF-Aware IPsec is not configured, the external port or VLAN must not have an IP address.
    Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, from which you can make your selection, or create interface role objects.
    Note: You must specify an interface or interface role that differs from the one specified for the inside VLAN.

Enable Failover Blade
    When selected, enables you to configure a failover VPNSM or VPN SPA blade for intrachassis high availability.
    Note: A VPNSM blade and VPN SPA blade cannot be used on the same device as primary and failover blades.

Failover Slot
    From the list of available slots, select the VPNSM blade slot number that serves as the failover blade, or the number of the slot in which the failover VPN SPA blade is inserted.

Failover Subslot
    Select the number of the subslot (0 or 1) on which the failover VPN SPA blade is actually installed.
    Note: If you are configuring a VPNSM, select the blank option.

OK button
    Saves your changes locally on the client and closes the dialog box.


FWSM Settings Tab (IPsec Proposal Editor)


Note: The FWSM Settings tab is available only if the selected device is a Catalyst 6500/7600.

Use the FWSM tab of the IPsec Proposal Editor dialog box to specify settings that enable you to connect between a Firewall Services Module (FWSM) and an IPsec VPN Services Module (VPNSM) or VPN SPA blade that is already configured on a Catalyst 6500/7600 device.
For more information, see Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-48.

Note: Before defining the FWSM settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory and define (or discover) any required security contexts. Then open Cisco Catalyst Device Manager (Cisco CDM) and discover the FWSM configurations on the device, and then create a VLAN to serve as the inside interface to the FWSM.
For more information, see:
- Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-48
- Discovering Policies, page 6-7
- Creating or Editing VLANs, page 16-13

Navigation Path
1. Open the IPsec Proposal Page, page H-16, then click Create, or select a proposal from the list and click Edit.
2. In the IPsec Proposal Editor dialog box, click the FWSM Settings tab.

Related Topics
- IPsec Proposal Page, page H-16
- IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page H-22


- Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-48
- Creating Interface Role Objects, page 8-116

Field Reference
Table H-12 IPsec Proposal Editor > FWSM Tab

Enable FWSM Settings
    When selected, enables you to configure the connection between the FWSM and the VPNSM or VPN SPA on the selected Catalyst 6500/7600 device.

FWSM Inside VLAN
    The VLAN that serves as the inside interface to the Firewall Services Module (FWSM).
    If required, click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, in which you can make your selection, or create interface role objects.

FWSM Blade
    From the list of available blades, select the blade number to which the selected FWSM inside VLAN interface is connected.

Security Context
    You can partition an FWSM into multiple virtual firewalls, known as security contexts. Each security context has its own security policy, interfaces, and administrators. You can define security contexts when you import a Catalyst 6500/7600 device into the Security Manager inventory.
    If the selected FWSM inside VLAN is part of a security context, enter its name in this field. The name is case-sensitive.
    For more information, see Security Contexts Page, page L-265.

OK button
    Saves your changes locally on the client and closes the dialog box.


Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor)


Note: The Dynamic VTI/VRF Aware IPsec tab is available only when the selected device is a Cisco IOS router or Catalyst 6500/7600.

Use the Dynamic VTI/VRF Aware IPsec tab of the IPsec Proposal Editor to configure VRF Aware IPsec settings (on a Cisco IOS router or Catalyst 6500/7600 device), configure a dynamic virtual interface on a Cisco IOS router, or do both, in your remote access VPN.
For more information, see:
- Understanding VRF-Aware IPsec, page 9-51
- IPsec Proposals in Remote Access VPNs, page 10-12

Navigation Path
1. Open the IPsec Proposal Page, page H-16, then click Create, or select a proposal from the list and click Edit.
2. In the IPsec Proposal Editor dialog box, click the Dynamic VTI/VRF Aware IPsec tab.

Related Topics
- IPsec Proposal Page, page H-16
- Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-14
- Understanding IPsec Tunnel Policies, page 9-72
- Creating User Group Objects, page 8-182
- Creating Interface Role Objects, page 8-116


Field Reference
Table H-13 IPsec Proposal Editor > Dynamic VTI/VRF Aware IPsec Tab

Enable Dynamic VTI
    When selected, enables Security Manager to implicitly create a dynamic virtual template interface on an IOS router.
    Note: Dynamic VTI can be configured only on IOS routers running Cisco IOS Release 12.4(2)T and later, except 7600 devices. If the device does not support Dynamic VTI, an error message is displayed.
    For more information, see Using Dynamic Virtual Template Interfaces in Remote Access VPNs, page 10-13.

Enable VRF Settings
    When selected, enables you to configure VRF settings on the device for the selected hub-and-spoke topology.
    Note: To remove VRF settings that were defined for the VPN topology, deselect this check box.

User Group
    When you configure a remote access VPN server, remote clients must have the same group name as the user group object configured on the VPN server so that they can connect to the device.
    Select the name of the user group associated with the device.
    If the user group is not included in the list, click Select to open a dialog box that lists all available user groups and enables you to create a user group object.

CA Server
    Select the Certification Authority (CA) server to use for managing certificate requests for the device.
    If the required CA server is not included in the list, click Select to open a dialog box that lists all available CA servers and enables you to create a PKI enrollment object. For more information, see PKI Enrollment Dialog Box, page F-437.
    For more information about IPsec configuration with CA servers, see Public Key Infrastructure Policies in Remote Access VPNs, page 10-24.


Specify Virtual Template IP
    Available if you selected the Enable Dynamic VTI check box.
    Specify the virtual template interface to use by clicking one of the following radio buttons:
    - Use IP: To use an IP address as the virtual template interface. Then specify the private IP address in the IP field. If required, click Select to open the Network/Hosts selector in which you can select a host to be used as the IP address.
    - Use Loopback Interface: To use the IP address taken from an existing loopback interface as the virtual template interface. Then, in the Role field, enter the interface or click Select to select it from the list of interface roles.
    Note: A virtual template IP address is configured only on a server in a remote access VPN.

VRF Solution
    Available if you selected the Enable VRF Settings check box.
    Click one of the following radio buttons to configure the required VRF solution:
    - 1-Box (IPsec Aggregator + MPLS PE): One device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 9-52.
    - 2-Box (IPsec Aggregator Only): The PE device does only the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 9-53.

VRF Name
    The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive.


Route Distinguisher
    The unique identifier of the VRF routing table on the IPsec Aggregator.
    This unique route distinguisher maintains routing separation for each VPN across the MPLS core to the other PE routers.
    The identifier can be in either of the following formats:
    - IP address:X (where X is in the range of 0-999999999).
    - N:X (where N is in the range of 0-65535, and X is in the range of 0-999999999).
    Note: You cannot override the RD identifier after deploying the VRF configuration to your device. To modify the RD identifier after deployment, you must manually remove it through the device CLI and then deploy again.

Interface Towards Provider Edge
    Available only if the 2-Box radio button is selected.
    The VRF forwarding interface on the IPsec Aggregator towards the PE device.
    Note: If the IPsec Aggregator (hub) is a Catalyst VPN service module, you must specify a VLAN.
    Interfaces and VLANs are predefined interface role objects. If required, click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, in which you can make your selection or create interface role objects.

Routing Protocol
    Available only if the 2-Box radio button is selected.
    Select the routing protocol to use between the IPsec Aggregator and the PE.
    If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, select the routing protocol for redistributing the routing to the secured IGP.
    The options are BGP, EIGRP, OSPF, RIPv2, or Static route.
    For information about these protocols, see Chapter 14, Managing Routers.


AS Number
    Available only if the 2-Box radio button is selected.
    The number to use to identify the autonomous system (AS) area between the IPsec Aggregator and the PE.
    If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, enter an AS number that identifies the secured IGP into which the routing will be redistributed from the IPsec Aggregator and the PE. This is relevant only if GRE or DMVPN is applied.
    The AS number must be between 1 and 65535.

Process Number
    Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.
    The routing process ID number to use to configure the routing between the IPsec Aggregator and the PE.
    The process number must be between 1 and 65535.

OSPF Area ID
    Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.
    The ID number of the area in which the packet belongs. You can enter any number from 0 to 4294967295.
    Note: All OSPF packets are associated with a single area, so all devices must have the same area ID number.

Redistribute Static Route
    Available only if the 2-Box radio button is selected, and for any selected routing protocol other than Static route.
    When selected, enables static routes to be advertised in the routing protocol configured on the IPsec Aggregator towards the PE device.
    Note: If this check box is deselected and Enable Reverse Route Injection is enabled (default) for the IPsec proposal, static routes are still advertised in the routing protocol on the IPsec Aggregator.

OK button
    Saves your changes locally on the client and closes the dialog box.
    The changes appear in the table of the IPsec Proposal page.
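An added pre-deployment check (not Security Manager code) that applies the Route Distinguisher formats and the 2-Box field ranges listed in Table H-13 to a settings dictionary before the proposal is deployed; the dictionary key names mirror the field labels and, like the message wording, are assumptions rather than the product's own.

```python
import ipaddress
import re

# Value ranges exactly as stated in Table H-13 of the field reference.
RD_MAX_X = 999_999_999            # assigned number X in both RD formats
RD_MAX_N = 65_535                 # N in the N:X format
AS_RANGE = (1, 65_535)
PROCESS_RANGE = (1, 65_535)
OSPF_AREA_RANGE = (0, 4_294_967_295)
ROUTING_PROTOCOLS = {"BGP", "EIGRP", "OSPF", "RIPv2", "Static route"}

_DIGITS = re.compile(r"^\d+$")


def validate_route_distinguisher(rd):
    """Return (ok, reason) for an RD in "IP address:X" or "N:X" form."""
    rd = (rd or "").strip()
    # Exactly one ':' separates the administrator part from the assigned number.
    if rd.count(":") != 1:
        return False, "RD must contain exactly one ':' separator"
    admin, assigned = rd.split(":")
    if not _DIGITS.match(assigned) or int(assigned) > RD_MAX_X:
        return False, f"assigned number X must be an integer in 0-{RD_MAX_X}"
    if _DIGITS.match(admin):
        if int(admin) > RD_MAX_N:
            return False, f"N must be in 0-{RD_MAX_N}"
        return True, "N:X form"
    try:
        ipaddress.IPv4Address(admin)
    except ValueError:
        return False, "administrator part must be an IPv4 address or N in 0-65535"
    return True, "IP address:X form"


def _in_range(value, bounds):
    lo, hi = bounds
    return isinstance(value, int) and lo <= value <= hi


def validate_vrf_settings(s):
    """Apply the Dynamic VTI/VRF Aware IPsec tab rules to a settings dict and
    return a list of problems (an empty list means the form would be accepted).

    Assumed keys: solution ("1-Box" or "2-Box"), vrf_name, route_distinguisher,
    interface_towards_pe, routing_protocol, as_number, process_number,
    ospf_area_id, redistribute_static_route."""
    problems = []
    if s.get("solution") not in ("1-Box", "2-Box"):
        problems.append("VRF Solution must be 1-Box or 2-Box")
    if not s.get("vrf_name"):
        problems.append("VRF Name is required (case-sensitive)")
    ok, why = validate_route_distinguisher(s.get("route_distinguisher"))
    if not ok:
        problems.append(f"Route Distinguisher: {why}")
    if s.get("solution") != "2-Box":
        return problems           # the remaining fields exist only for 2-Box
    if not s.get("interface_towards_pe"):
        problems.append("Interface Towards Provider Edge is required for 2-Box")
    proto = s.get("routing_protocol")
    if proto not in ROUTING_PROTOCOLS:
        problems.append(f"Routing Protocol must be one of {sorted(ROUTING_PROTOCOLS)}")
    # AS Number is offered for 2-Box; when given it must be 1-65535.
    if s.get("as_number") is not None and not _in_range(s["as_number"], AS_RANGE):
        problems.append("AS Number must be between 1 and 65535")
    if proto == "OSPF":
        if not _in_range(s.get("process_number"), PROCESS_RANGE):
            problems.append("Process Number must be between 1 and 65535")
        if not _in_range(s.get("ospf_area_id"), OSPF_AREA_RANGE):
            problems.append("OSPF Area ID must be between 0 and 4294967295")
    if proto == "Static route" and s.get("redistribute_static_route"):
        problems.append("Redistribute Static Route is not offered for Static route")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 2-Box OSPF proposal with a bad process number.
    sample = {"solution": "2-Box", "vrf_name": "BLUE",
              "route_distinguisher": "65000:10", "interface_towards_pe": "Vlan100",
              "routing_protocol": "OSPF", "process_number": 0, "ospf_area_id": 0}
    for problem in validate_vrf_settings(sample):
        print(problem)
```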


IKE Proposal Page


Use the IKE Proposal page to select the IKE proposals to use for your remote access VPN server.

Navigation Path
1. Click the Device View button on the toolbar.
2. From the Device Selector, select the device on which you want to configure the IKE Proposal.
3. Select Remote Access VPN > IKE Proposal from the Policy selector.

Note: You can also open the IKE Proposal page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-35.

Related Topics
- Remote Access Configuration Wizard, page H-2
- Understanding IKE, page 9-67
- IKE Proposals in Remote Access VPNs, page 10-18
- Configuring IKE Proposals on a Remote Access VPN Server, page 10-18
- Creating IKE Proposal Objects, page 8-55

Field Reference
Table H-14 IKE Proposal Page

Available IKE Proposals
    Lists the predefined IKE proposals available for selection.
    Select the required IKE proposals and click >>.
    IKE proposals are predefined objects. If the required IKE proposal is not included in the list, click Create to open the IKE Editor dialog box that enables you to create or edit an IKE proposal object.


Selected IKE Proposals
    Lists the selected IKE proposals.
    To remove an IKE proposal from this list, select it and click <<.
    To modify the properties of an IKE proposal, select it and click Edit.

>> button
    Click to move a selected IKE proposal from the Available IKE Proposals list to the Selected IKE Proposals list.

<< button
    Click to move a selected IKE proposal from the Selected IKE Proposals list back to the Available IKE Proposals list.

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the toolbar.

High Availability Page


Use the High Availability page to configure a High Availability (HA) policy on a Cisco IOS router in a remote access VPN.

Navigation Path
1. Click the Device View button on the toolbar.
2. From the Device Selector, select the device on which to configure a High Availability policy.
3. Select Remote Access VPN > High Availability from the Policy selector.

Note: You can also open the High Availability page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-35.


Related Topics
- High Availability in Remote Access VPNs, page 10-19
- Configuring a High Availability Policy, page 10-20

Field Reference
Table H-15 High Availability Page

Inside Virtual IP
    The IP address that will be shared by the hubs in the HA group and will represent the inside interface of the HA group. The virtual IP address must be on the same subnet as the inside interfaces of the hubs in the HA group.
    Note: You must provide an inside virtual IP that matches the subnet of one of the interfaces on the device, in addition to a VPN virtual IP that matches the subnet of one of the device's interfaces and is configured with an IPsec proposal; otherwise an error is displayed.
    Note: If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.
    You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Inside Mask
    The subnet mask for the inside virtual IP address.

VPN Virtual IP
    The IP address that will be shared by the hubs in the HA group and will represent the VPN interface of the HA group. This IP address will serve as the hub endpoint of the VPN tunnel.
    You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.
    Note: If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.

VPN Mask
    The subnet mask for the VPN virtual IP address.


Hello Interval
    The duration in seconds (within the range of 1-254) between each hello message sent by a hub to the other hubs in the group to indicate status and priority. The default is 5 seconds.

Hold Time
    The duration in seconds (within the range of 2-255) that a standby hub will wait to receive a hello message from the active hub before concluding that the hub is down. The default is 15 seconds.

Standby Group Number (Inside)
    The standby number of the inside hub interface that matches the internal virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 1.

Standby Group Number (Outside)
    The standby number of the outside hub interface that matches the external virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 2.
    Note: The outside standby group number must be different from the inside standby group number.

Failover Server
    The IP address of the inside interface of the remote peer device.
    You can click Select to open the Network/Hosts Selector, from which you can select a host from which the IP address of the remote peer will be allocated.

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the toolbar.
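As an added example rather than product code, a pre-check that mirrors the constraints Table H-15 states for the High Availability page: both virtual IPs must fall on the subnet of one of the device's interfaces, must not collide with a virtual IP an existing standby group already uses, the hello, hold and standby-group values must sit in their stated ranges, and the inside and outside group numbers must differ. The dictionary keys and the interface list format are assumed names, not Security Manager's.

```python
import ipaddress

# Constraints and defaults exactly as stated in Table H-15.
HELLO_RANGE = (1, 254)             # seconds, default 5
HOLD_RANGE = (2, 255)              # seconds, default 15
STANDBY_GROUP_RANGE = (0, 255)     # inside default 1, outside default 2
DEFAULTS = {"hello_interval": 5, "hold_time": 15,
            "standby_group_inside": 1, "standby_group_outside": 2}


def _in_range(value, bounds):
    lo, hi = bounds
    return isinstance(value, int) and lo <= value <= hi


def _on_subnet(ip, interfaces):
    """True if ip lies inside the subnet of at least one (address, mask) pair."""
    addr = ipaddress.IPv4Address(ip)
    for if_ip, if_mask in interfaces:
        if addr in ipaddress.IPv4Network(f"{if_ip}/{if_mask}", strict=False):
            return True
    return False


def validate_ha_policy(policy, device_interfaces, existing_standby_vips=()):
    """Return a list of problems with a High Availability policy (empty = OK).

    policy: dict with assumed keys inside_virtual_ip, vpn_virtual_ip,
            failover_server, hello_interval, hold_time,
            standby_group_inside, standby_group_outside.
    device_interfaces: list of (address, mask) pairs for the device's interfaces.
    existing_standby_vips: virtual IPs already used by standby groups on the device."""
    p = {**DEFAULTS, **policy}
    problems = []
    for key in ("inside_virtual_ip", "vpn_virtual_ip", "failover_server"):
        try:
            ipaddress.IPv4Address(p.get(key))
        except ValueError:
            problems.append(f"{key} must be a valid IPv4 address")
    if problems:
        return problems            # the subnet checks need parsable addresses
    # Both virtual IPs must match the subnet of one of the device's interfaces
    # and must differ from any virtual IP already configured on the device.
    for key in ("inside_virtual_ip", "vpn_virtual_ip"):
        if not _on_subnet(p[key], device_interfaces):
            problems.append(f"{key} does not match the subnet of any device interface")
        if p[key] in existing_standby_vips:
            problems.append(f"{key} collides with a virtual IP already configured on the device")
    if not _in_range(p["hello_interval"], HELLO_RANGE):
        problems.append("Hello Interval must be 1-254 seconds")
    if not _in_range(p["hold_time"], HOLD_RANGE):
        problems.append("Hold Time must be 2-255 seconds")
    for key in ("standby_group_inside", "standby_group_outside"):
        if not _in_range(p[key], STANDBY_GROUP_RANGE):
            problems.append(f"{key} must be 0-255")
    if p["standby_group_inside"] == p["standby_group_outside"]:
        problems.append("outside standby group number must differ from the inside one")
    return problems


if __name__ == "__main__":
    # Constructed sample device with one inside and one outside interface.
    interfaces = [("192.168.10.1", "255.255.255.0"), ("203.0.113.1", "255.255.255.0")]
    policy = {"inside_virtual_ip": "192.168.10.254", "vpn_virtual_ip": "198.51.100.5",
              "failover_server": "192.168.10.2", "standby_group_outside": 1}
    for problem in validate_ha_policy(policy, interfaces):
        print(problem)
```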

Public Key Infrastructure Page


Use the Public Key Infrastructure page to select the CA servers to use for creating
a Public Key Infrastructure (PKI) policy for generating enrollment requests for
CA certificates.


Navigation Path
1. Click the Device View button on the toolbar.
2. From the Device Selector, select the device on which you want to configure a PKI policy.
3. Select Remote Access VPN > Public Key Infrastructure from the Policy selector.

Note: You can also open the Public Key Infrastructure page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-35.

Related Topics
- Public Key Infrastructure Policies in Remote Access VPNs, page 10-24
- Configuring a PKI Policy in a Remote Access VPN, page 10-25
- Configuring Public Key Infrastructure Policies, page 9-92
- PKI Enrollments Page, page F-435
- Creating PKI Enrollment Objects, page 8-138


Field Reference
Table H-16 Public Key Infrastructure Page

Available CA Servers
    Lists the CA servers available for selection.
    Select the required CA server(s) and click >>.
    CA servers are defined as PKI enrollment objects that contain server information and enrollment parameters required for creating enrollment requests for CA certificates.
    If the required CA server is not included in the list, click Create to open a dialog box that enables you to create a PKI enrollment object. You can also edit the properties of a CA server by selecting it and clicking Edit.
    Note: When creating or editing a PKI enrollment object, you must configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment Editor dialog box. In addition, the certificate issued to the client should have OU as the name of the user group. For more information, see Defining Additional PKI Attributes, page 8-145.

Selected CA Servers
    The selected CA servers.
    To remove a CA server from this list, select it and click <<.
    Note: You can select more than one CA server at a time.

>> button
    Click to move one or more selected CA servers from the Available CA Servers list to the Selected CA Servers list.

<< button
    Click to move one or more selected CA servers from the Selected CA Servers list to the Available CA Servers list.


Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private. To publish your changes, click the Submit button on the toolbar.
    Note: To save the RSA key pairs and the CA certificates permanently to flash memory on a PIX Firewall version 6.3 between reloads, you must configure the "ca save all" command. You can do this manually on the device or using a FlexConfig (see Chapter 19, Managing FlexConfigs).

VPN Global Settings Page


Use the VPN Global Settings page to define global settings for IKE, IPsec, NAT, and fragmentation that apply to devices in your remote access VPN.
The following tabs are available on the VPN Global Settings page:
- ISAKMP/IPsec Settings Tab, page H-43
- NAT Settings Tab, page H-46
- General Settings Tab, page H-47

Navigation Path
1. Click the Device View button on the toolbar.
2. From the Device Selector, select the device on which you want to configure the global VPN settings.
3. Select Remote Access VPN > VPN Global Settings from the Policy selector.

Note: You can also open the VPN Global Settings page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-35.


ISAKMP/IPsec Settings Tab


Use the ISAKMP/IPsec Settings tab of the VPN Global Settings page to specify global settings for IKE and IPsec.

Navigation Path
Open the VPN Global Settings Page, page H-42, or click the ISAKMP/IPsec Settings tab from any other tab in the VPN Global Settings page.

Related Topics
- VPN Global Settings Page, page H-42
- VPN Global Settings in Remote Access VPNs, page 10-27
- Configuring Global Settings in a Remote Access VPN, page 10-27
- Understanding IKE, page 9-67
- Understanding IPsec Tunnel Policies, page 9-72
- Understanding ISAKMP/IPsec Settings, page 9-79

Field Reference
Table H-17 VPN Global Settings > ISAKMP/IPsec Settings Tab

ISAKMP Settings

Enable Keepalive
    When selected, enables you to configure IKE keepalive as the default failover and routing mechanism for your devices.
    Note: The IKE keepalive settings you configure here apply only to Cisco IOS routers, Catalyst 6500/7600 devices, and PIX Firewalls version 6.3. For ASA devices and PIX Firewalls version 7.0, you configure these settings when creating a tunnel group. See Tunnel Group Editor > IPsec Tab, page H-10.

Interval (seconds)
    The number of seconds that a device waits between sending IKE keepalive packets. The default is 10 seconds.

Retry (seconds)
    The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.


Periodic
    Available only if Enable Keepalive is selected; supported on routers running IOS version 12.3(7)T and later, except 7600 devices.
    When selected, enables you to send dead-peer detection (DPD) keepalive messages even if there is no outbound traffic to be sent. Usually, DPD keepalive messages are sent between peer devices only when no incoming traffic is received but outbound traffic needs to be sent.
    For more information, see About IKE Keepalive, page 9-79.

Identity
    During Phase I IKE negotiations, peers must identify themselves to each other.
    Select to use the IP address or the host name that the device will use to identify itself in IKE negotiations. You can also select a distinguished name (DN) to identify a user group name.

SA Requests System Limit
    Supported on routers running Cisco IOS Release 12.3(8)T and later, except 7600 routers.
    The maximum number of SA requests allowed before IKE starts rejecting them.
    You can enter a value in the range of 0-99999.
    Note: Make sure the value you enter equals or exceeds the number of peers connected to the device.

SA Requests System Threshold
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    The percentage of system resources that can be used before IKE starts rejecting new SA requests.

IPsec Settings

Enable Lifetime
    Select to enable you to configure the global lifetime settings for the crypto IPsec SAs on the devices in your remote access VPN.

Lifetime (secs)
    The number of seconds a security association will exist before expiring. The default is 3,600 seconds (1 hour).


Lifetime (kbytes)
    The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes.

Xauth Timeout (seconds)
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    The number of seconds the device will wait for a system response to the Xauth challenge.
    When negotiating tunnel parameters for establishing IPsec tunnels in a remote access configuration, Xauth adds another level of authentication that identifies the user who requests the IPsec connection. Using the Xauth feature, the client waits for a "username/password" challenge after the IKE SA was established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication.

Max Sessions
    Supported on PIX 7.0 and ASA devices.
    The maximum number of SAs that can be enabled simultaneously on the device.

Enable IPsec via Sysopt (PIX and ASA only)
    Supported on ASA devices, and PIX Firewalls versions 6.3 or 7.0.
    When selected (the default), specifies that any packet that comes from an IPsec tunnel is implicitly trusted (permitted).

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the toolbar.


NAT Settings Tab


Use the NAT Settings tab of the VPN Global Settings page to define global Network Address Translation (NAT) settings that enable devices that use internal IP addresses to send and receive data through the Internet.

Navigation Path
Open the VPN Global Settings Page, page H-42, then click the NAT Settings tab.

Related Topics
- Understanding NAT, page 9-80
- VPN Global Settings Page, page H-42
- VPN Global Settings in Remote Access VPNs, page 10-27
- Configuring Global Settings in a Remote Access VPN, page 10-27

Field Reference
Table H-18 VPN Global Settings > NAT Settings Tab

Enable Traversal Keepalive
    When selected, enables you to configure NAT traversal keepalive on a device.
    NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow.
    Note: On Cisco IOS routers, NAT traversal is enabled by default. If you want to disable the NAT traversal feature, you must do this manually on the device or using a FlexConfig (see Chapter 19, Managing FlexConfigs).
    For more information, see About NAT Traversal, page 9-81.


Interval
    Available when NAT Traversal Keepalive is enabled.
    The interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The NAT keepalive value can be from 5 to 3600 seconds. The default is 10 seconds.

Enable Traversal over TCP
    Supported on PIX 7.0 and ASA devices.
    When selected, encapsulates both the IKE and IPsec protocols within a TCP packet and enables secure tunneling through both NAT and PAT devices and firewalls.

TCP Ports
    Available only when Enable Traversal over TCP is selected.
    The TCP ports for which you want to enable NAT traversal. You must configure TCP ports on the remote clients and on the VPN device. The client configuration must include at least one of the ports you set for the security appliance. You can enter up to 10 ports.

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the toolbar.

General Settings Tab


Use the General Settings tab of the VPN Global Settings page to define fragmentation settings and other global settings on devices in your remote access VPN.

Navigation Path
Open the VPN Global Settings Page, page H-42, then click the General Settings tab.

Related Topics
- Understanding Fragmentation, page 9-82


VPN Global Settings in Remote Access VPNs, page 10-27

Configuring Global Settings in a Remote Access VPN, page 10-27

VPN Global Settings Page, page H-42

Field Reference

Table H-19  VPN Global Settings > General Settings Tab

Fragmentation Settings

Fragmentation mode
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    Fragmentation minimizes packet loss in a VPN tunnel when packets
    are transmitted over a physical interface that cannot support the
    original size of the packet.
    Select the required fragmentation mode option from the list:
    - No Fragmentation: Select if you do not want to fragment prior to
      IPsec encapsulation.
    - End to End MTU Discovery: Select to use ICMP messages for the
      discovery of MTU. End-to-end MTU discovery uses Internet
      Control Message Protocol (ICMP) messages to determine the
      maximum MTU that a host can use to send a packet through the
      VPN tunnel without causing fragmentation.
    - Local MTU Handling: Select to set the MTU locally on the
      devices. This option is typically used when ICMP is blocked.

Local MTU Size
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices,
    when Local MTU Handling is the selected fragmentation mode
    option.
    Note: The permitted MTU size is between 68 and 65535 bytes,
    depending on the VPN interface.

Table H-19  VPN Global Settings > General Settings Tab (continued)

DF Bit
    Supported on Cisco IOS routers, Catalyst 6500/7600 devices,
    PIX 7.0 and ASA devices.
    A Don't Fragment (DF) bit is a bit in an IP header that determines
    whether a device is allowed to fragment a packet.
    Select the required setting for the DF bit:
    - Copy: To copy the DF bit from the encapsulated header in the
      current packet to all the device's packets. If the packet's DF bit
      is set to fragment, all packets will be fragmented.
    - Set: To set the DF bit in the packet you are sending. A packet
      that exceeds the MTU will be dropped and an ICMP message
      sent to the packet's initiator.
    - Clear: To cause the device to fragment packets regardless of
      the original DF bit setting. If ICMP is blocked, MTU discovery
      fails and packets are fragmented only after encryption.

Enable Fragmentation Before Encryption
    Supported on Cisco IOS routers, Catalyst 6500/7600 devices,
    PIX 7.0 and ASA devices.
    When selected, enables fragmentation before encryption, if the
    expected packet size exceeds the MTU.
    Lookahead Fragmentation (LAF) is used before encryption takes
    place to calculate the packet size that would result after encryption,
    depending on the transform sets configured on the IPsec SA. If the
    packet size exceeds the specified MTU, the packet will be
    fragmented before encryption.

Enable Notification on Disconnection
    Supported on PIX 7.0 and ASA devices.
    When selected, enables the device to notify qualified peers of
    sessions that are about to be disconnected. The peer receiving the
    alert decodes the reason and displays it in the event log or in a
    pop-up window. This feature is disabled by default.
    IPsec sessions may be dropped for several reasons, such as a
    security appliance shutdown or reboot, session idle timeout,
    maximum connection time exceeded, or administrator cut-off.

Table H-19  VPN Global Settings > General Settings Tab (continued)

Enable Spoke-to-Spoke Connectivity through the Hub
    Supported on PIX 7.0 and ASA devices.
    When selected, enables direct communication between spokes in a
    hub-and-spoke VPN topology, in which the hub is an ASA or
    PIX 7.0 device.

Enable Default Route
    Supported on Cisco IOS routers and Catalyst 6500/7600 devices.
    When selected, the device uses the configured external interface as
    the default outbound route for all incoming traffic.

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.
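The DF Bit setting in Table H-19, modelled as an added example (this is not Cisco or Security Manager code): it reads the DF bit from the encapsulated (inner) IPv4 header, derives the outer packet's DF bit under the Copy, Set or Clear setting, and reports whether an encrypted packet larger than the interface MTU is fragmented or dropped with an ICMP notification. The header builder, addresses, sizes and MTU are constructed test input.

```python
import struct

IP_FLAG_DF = 0x4000   # Don't Fragment bit in the IPv4 flags/fragment-offset field
DF_MODES = ("Copy", "Set", "Clear")


def build_ipv4_header(total_length: int, df: bool, src: str = "10.1.1.10",
                      dst: str = "10.2.2.20") -> bytes:
    """Build a minimal 20-byte IPv4 header as constructed test input
    (identification fixed, header checksum left at zero)."""
    def ip2bytes(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))

    flags_frag = IP_FLAG_DF if df else 0
    # version/IHL, TOS, total length, id, flags+offset, TTL, protocol (TCP),
    # checksum, source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       flags_frag, 64, 6, 0, ip2bytes(src), ip2bytes(dst))


def ipv4_df_set(header: bytes) -> bool:
    """Read the DF bit from a raw IPv4 header (the inner, to-be-encapsulated packet)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return bool(flags_frag & IP_FLAG_DF)


def outer_df_bit(mode: str, inner_df: bool) -> bool:
    """DF bit carried by the outer IPsec header under each Table H-19 setting."""
    if mode == "Copy":
        return inner_df        # copy the DF bit from the encapsulated header
    if mode == "Set":
        return True            # always forbid fragmentation of the outer packet
    if mode == "Clear":
        return False           # fragment regardless of the original DF bit
    raise ValueError(f"unknown DF bit mode: {mode}")


def forwarding_decision(mode: str, inner_header: bytes, encrypted_size: int,
                        mtu: int) -> str:
    """Fate of one encrypted packet on the egress interface: 'forward' when it
    fits the MTU; otherwise 'fragment' if the outer DF bit is clear, or
    'drop+icmp' (dropped, ICMP message sent to the initiator) if it is set."""
    df = outer_df_bit(mode, ipv4_df_set(inner_header))
    if encrypted_size <= mtu:
        return "forward"
    return "drop+icmp" if df else "fragment"


if __name__ == "__main__":
    inner = build_ipv4_header(1400, df=True)
    for mode in DF_MODES:
        print(mode, forwarding_decision(mode, inner, encrypted_size=1460, mtu=1400))
```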

ASA Cluster Load Balance Page

Use the Cluster Load Balance page to enable load balancing for an ASA device in
your remote access VPN.

Note: Load balancing requires an active 3DES/AES license. The ASA device checks
for the existence of this crypto license before enabling load balancing. If it does
not detect an active 3DES or AES license, the device prevents load balancing, and
also prevents internal configuration of 3DES by the load balancing system.

Navigation Path

1. Click the Device View button on the toolbar.

2. From the Device selector, select the device on which you want to configure
   load balancing.

   Note: You can configure load balancing only on an ASA device.


3. Select Remote Access VPN > ASA Cluster Load Balance from the Policy
   selector.

Note: You can also open the Cluster Load Balance page from Policy view. For more
information, see Managing Shared Remote Access VPN Policies in Policy View,
page 10-35.
Related Topics

Cluster Load Balancing, page 10-22

Configuring a Cluster Load Balance Policy, page 10-23

Creating Interface Role Objects, page 8-116

Field Reference

Table H-20  ASA Cluster Load Balance Page

VPN Load Balancing

Participate in Load Balancing Cluster
    Select to specify that the device belongs to the load-balancing
    cluster.

VPN Cluster Configuration

Cluster IP Address
    The single IP address that represents the entire virtual cluster. The
    IP address should be in the same subnet as the external interface.

UDP Port
    The UDP port for the virtual cluster in which the device is
    participating. If another application is using this port, enter the UDP
    destination port number that you want to use for load balancing.
    The default is 9023.

Enable IPsec Encryption
    Select this check box to ensure that all load-balancing information
    communicated between the devices is encrypted.
    When the check box is selected, you must also specify and verify a
    shared secret. The security appliances in the virtual cluster
    communicate via LAN-to-LAN tunnels using IPsec.

IPsec Shared Secret
    The shared secret to be communicated between IPsec peers if you
    enabled IPsec encryption. This can be a case-sensitive value
    between 4 and 16 characters, without spaces.

Table H-20  ASA Cluster Load Balance Page (continued)

Priority

Accept default device value
    When selected (the default), accepts the default priority value
    assigned to the device.

Configure same priority on all devices in the cluster
    When selected, enables you to configure the same priority value on
    all the devices in the cluster. The priority indicates the likelihood of
    this device becoming the virtual cluster master, either at startup or
    when the existing master fails.
    Enter a value between 1 and 10.

VPN Server Configuration

Public Interfaces
    The public interfaces to be used on the server.
    Interfaces are predefined objects. You can click Select to open a
    dialog box that lists all available interfaces, and sets of interfaces
    defined by interface roles, in which you can make your selection, or
    create interface role objects.

Private Interfaces
    The private interfaces to be used on the server.
    Interfaces are predefined objects. You can click Select to open a
    dialog box that lists all available interfaces, and sets of interfaces
    defined by interface roles, in which you can make your selection, or
    create interface role objects.

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.

DN Matching Policy Page


Use the DN Matching Policy page to configure the DN rule matching policies for
any remote client connecting to the device.
Distinguished Name (DN) rules are used for enhanced certificate authentication
on PIX Firewalls version 7.0 and ASA devices.


Navigation Path

1. Click the Device View button on the toolbar.

2. From the Device Selector, select the device on which you want to configure
   the DN Matching policy.

3. Select Remote Access VPN > DN Matching Policy from the Policy selector.

Note: You can also open the DN Matching Policy page from Policy view. For more
information, see Managing Shared Remote Access VPN Policies in Policy View,
page 10-35.
Related Topics

DN Matching Policies, page 10-30

Configuring a DN Matching Policy, page 10-31

DN Matching Rules Page, page H-54

Field Reference

Table H-21  DN Matching Policy Page

Use Configured Rules to Match a Certificate to a Group
    When selected, the server uses the configured DN rules to establish
    authentication and determine which tunnel group to map the client
    to.

Use Certificate Organization Unit field to Determine the Group
    When selected (default), the server uses the organizational unit
    (OU) field of the DN to establish authentication and determine
    which tunnel group to map the client to.

Use IKE Identity to Determine the Group
    When selected (default), the server uses the IKE identity of the DN
    to establish authentication and determine which tunnel group to
    map the client to.

Use Peer IP Address to Determine the Group
    When selected (the default), the server uses the peer IP address of
    the DN to establish authentication and determine which tunnel
    group to map the client to.


Table H-21  DN Matching Policy Page (continued)

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.

DN Matching Rules Page


Use the DN Matching Rules page to configure the DN rule matching rules and
parameters for any remote client connecting to the device.
Distinguished Name (DN) rules are used for enhanced certificate authentication
on PIX Firewalls version 7.0 and ASA devices.

Note: A tunnel group must exist in the configuration before you can create and map
a DN Matching rule to it. If you unassign a tunnel group after creating a DN
Matching rule, the DN rules that are mapped to the tunnel group are unassigned.
See Configuring Tunnel Group Policies, page 10-9.

Navigation Path

1. Click the Device View button on the toolbar.

2. From the Device Selector, select the device on which you want to configure
   the DN Matching Rules policy.

3. Select Remote Access VPN > DN Matching Rules from the Policy selector.

Note: You can also open the DN Matching Rules page from Policy view. For more
information, see Managing Shared Remote Access VPN Policies in Policy View,
page 10-35.
Related Topics

DN Matching Rules, page 10-32

Configuring a DN Matching Rules Policy, page 10-33


DN Matching Policy Page, page H-52

DN Rule Dialog Box (Upper Pane), page H-56

DN Rule Dialog Box (Lower Pane), page H-57

Field Reference

Table H-22  DN Matching Rules Page

Upper Pane

Mapped to Tunnel Group
    The tunnel group to which the DN matching rule is mapped.

Priority
    The priority number of the DN matching rule. A lower number has
    higher priority.

Create button
    Click to open the dialog box for creating a DN matching rule. The
    DN Rule dialog box appears. See DN Rule Dialog Box (Upper
    Pane), page H-56.

Edit button
    Select the row of a DN matching rule from the upper pane, then
    click to open the dialog box for editing the selected DN matching
    rule. See DN Rule Dialog Box (Upper Pane), page H-56.

Delete button
    Select the rows of one or more rules, then click to delete.

Lower Pane

Field
    The specified field of the DN matching rule. The certificate field
    can be either Subject or Issuer.

Component
    The matching component of the certificate for the DN matching
    rule.

Operator
    The operator of the matching rule.

Value
    The value of the matching rule. The displayed value must match the
    value in the client certificate.

Create button
    Click to open the DN Rule dialog box for creating a new DN
    matching rule. See DN Rule Dialog Box (Lower Pane), page H-57.

Edit button
    Select the row of a DN matching rule from the lower pane, then
    click to open the dialog box for editing the selected DN matching
    rule. See DN Rule Dialog Box (Lower Pane), page H-57.

Delete button
    Select the rows of one or more rules, then click to delete.


Table H-22  DN Matching Rules Page (continued)

Default Tunnel Group
    Select the default tunnel group to be used if no matching rules are
    found.

Save button
    Available only if you are authorized to modify this policy.
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the
    toolbar.

DN Rule Dialog Box (Upper Pane)


Use the upper pane of the DN Matching Rules page to specify the priority and
tunnel groups to which the rules will be mapped. You can create a new DN
matching rule or edit an existing one in the DN Rule dialog box.
Navigation Path

On the DN Matching Rules Page, page H-54, click Create in the upper pane or
select a row in the upper table and click Edit.
Related Topics

DN Matching Rules Page, page H-54

DN Rule Dialog Box (Lower Pane), page H-57

Field Reference

Table H-23  DN Rule Dialog Box (Upper Pane)

Tunnel Group
    Select the tunnel group to which the DN matching rule will apply.
    Clients attempting to connect to this tunnel group must satisfy DN
    matching rule conditions to connect to the device.


Table H-23  DN Rule Dialog Box (Upper Pane) (continued)

Priority
    The priority number of the matching rule. A lower number has a
    higher priority. For example, a matching rule with a priority number
    of 2 has a higher priority than a matching rule with a priority
    number of 5.
    If multiple rules are established for the same tunnel group, the
    device will go through the rules in numerical order. All matching
    rules must be satisfied for a remote client to connect to the device.

OK button
    Saves your changes locally on the client and closes the dialog box.

DN Rule Dialog Box (Lower Pane)


The lower pane of the DN Matching rules page displays the details of the tunnel
group mapping selected in the upper pane. In this pane, you create the DN
matching rules that must be satisfied for a remote client to connect to the device.
You can create a DN matching rule or edit an existing one in the DN Rule dialog
box.
Navigation Path

On the DN Matching Rules Page, page H-54, click Create in the lower pane or
select a row in the lower table and click Edit.
Related Topics

DN Matching Rules Page, page H-54

DN Rule Dialog Box (Upper Pane), page H-56

Field Reference

Table H-24  DN Rule Page (Lower Pane)

Field
    Select the field for the matching rule according to the Subject or the
    Issuer of the client certificate.


Table H-24  DN Rule Page (Lower Pane) (continued)

Component
    Select the component of the client certificate to use for the matching
    rule.

Operator
    Select the operator for the matching rule as follows:
    - Equals: The certificate component must match the entered
      value. If they do not match exactly, the connection is denied.
    - Contains: The certificate component must contain the entered
      value. If the component does not contain the value, the
      connection is denied.
    - Does Not Equal: The certificate component cannot equal the
      entered value. For example, for a selected certificate
      component of Country, and an entered value of USA, if the
      client country value equals USA, then the connection is denied.
    - Does Not Contain: The certificate component cannot contain
      the entered value. For example, for a selected certificate
      component of Country, and an entered value of USA, if the
      client country value contains USA, the connection is denied.

Value
    The value of the matching rule. The value entered is associated with
    the selected component and operator.

OK button
    Saves your changes locally on the client and closes the dialog box.
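The DN matching rule evaluation described in Tables H-22 through H-24, as an added example that is not Security Manager or ASA code: rules are walked in numerical priority order, every condition of a rule must hold, each of the four operators is applied to a Subject or Issuer component, and the default tunnel group is used when no rule matches. The certificates, rule values and tunnel group names are constructed; treating a component missing from the certificate as a failed condition is this example's assumption, not something the document states.

```python
from dataclasses import dataclass
from typing import Dict, List

# A certificate's DN components, keyed by Field ("Subject" or "Issuer") and
# then by component (for example "CN", "OU", "O", "C").
CertDn = Dict[str, Dict[str, str]]

# Constructed sample certificates (not from the original document).
ENGINEER_CERT: CertDn = {
    "Subject": {"CN": "alice", "OU": "Engineering", "O": "Example Corp", "C": "US"},
    "Issuer": {"CN": "Example Corp Issuing CA", "O": "Example Corp", "C": "US"},
}
CONTRACTOR_CERT: CertDn = {
    "Subject": {"CN": "bob", "OU": "Contractors-East", "O": "Example Corp", "C": "US"},
    "Issuer": {"CN": "Example Corp Issuing CA", "O": "Example Corp", "C": "US"},
}
PARTNER_CERT: CertDn = {
    "Subject": {"CN": "carol", "OU": "Sales", "O": "Partner Ltd", "C": "GB"},
    "Issuer": {"CN": "Example Corp Issuing CA", "O": "Example Corp", "C": "US"},
}

OPERATORS = ("Equals", "Contains", "Does Not Equal", "Does Not Contain")


@dataclass(frozen=True)
class DnCondition:
    """One row of the DN Rule dialog box lower pane (Table H-24)."""
    field: str       # "Subject" or "Issuer"
    component: str   # certificate component, e.g. "OU" or "C"
    operator: str    # one of OPERATORS
    value: str       # value compared against the component

    def matches(self, cert: CertDn) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        actual = cert.get(self.field, {}).get(self.component)
        if actual is None:
            # Assumption of this example: a component absent from the
            # certificate cannot satisfy any rule, so the rule fails closed.
            return False
        if self.operator == "Equals":
            return actual == self.value        # exact, case-sensitive match
        if self.operator == "Contains":
            return self.value in actual
        if self.operator == "Does Not Equal":
            return actual != self.value
        return self.value not in actual        # Does Not Contain


@dataclass(frozen=True)
class DnRule:
    """One row of the DN Matching Rules upper pane (Tables H-22 and H-23)."""
    tunnel_group: str
    priority: int                # lower number = higher priority
    conditions: tuple            # DnCondition entries; all must be satisfied

    def satisfied_by(self, cert: CertDn) -> bool:
        return all(c.matches(cert) for c in self.conditions)


def select_tunnel_group(rules: List[DnRule], cert: CertDn, default_group: str) -> str:
    """Walk the rules in numerical priority order and return the tunnel group of
    the first rule whose conditions all hold, or the default tunnel group when
    no rule matches (Table H-22, Default Tunnel Group)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.satisfied_by(cert):
            return rule.tunnel_group
    return default_group


# Constructed sample policy with hypothetical tunnel group names.
SAMPLE_RULES = [
    DnRule("Engineering-TG", 2, (
        DnCondition("Subject", "OU", "Equals", "Engineering"),
        DnCondition("Issuer", "O", "Equals", "Example Corp"),
    )),
    DnRule("Contractor-TG", 5, (
        DnCondition("Subject", "OU", "Contains", "Contract"),
        DnCondition("Subject", "C", "Equals", "US"),
    )),
    DnRule("Partner-TG", 1, (
        DnCondition("Subject", "C", "Does Not Equal", "US"),
        DnCondition("Issuer", "CN", "Contains", "Issuing CA"),
    )),
]
DEFAULT_TUNNEL_GROUP = "DefaultRAGroup"


if __name__ == "__main__":
    for name, cert in [("engineer", ENGINEER_CERT), ("contractor", CONTRACTOR_CERT),
                       ("partner", PARTNER_CERT)]:
        print(name, "->", select_tunnel_group(SAMPLE_RULES, cert, DEFAULT_TUNNEL_GROUP))
```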


APPENDIX I

SSL VPN User Interface Reference


The pages that you access by selecting the SSL VPN folder from the Policy
selector in Device View help you configure SSL VPNs. The following topics
describe the pages that help you to create SSL VPNs for Cisco IOS security
routers running software version 12.4(6)T and later, and Adaptive Security
Appliance (ASA) devices software version 7.1 and later, and to configure the
policies that will be assigned to them.
For more information, see Managing SSL VPNs, page 11-1.

Note: You must have read-write permissions to modify an SSL VPN policy. For more
information, see Modify Policies Permissions, page 2-14.

These topics describe the main pages available from the SSL VPN folder:

SSL VPN Server Wizard (IOS), page I-2

User Groups Selector Page, page I-7

Create User Group Wizard, page I-9

SSL VPN Policy Page (IOS), page I-16

SSL VPN Wizard for ASA Device, page I-25

SSL VPN Access Policy Page, page I-32

SSL VPN Connection Profiles Policy Page, page I-34

ASA User Groups Policy Page, page I-51

Cisco Secure Desktop Page (ASA), page I-54

SSL VPN Global Settings Page, page I-55



SSL VPN Server Wizard (IOS)


Use the SSL VPN wizard to configure a basic SSL VPN connection on your server
device. The wizard creates the policies required for a basic SSL VPN to function.
After configuring the wizard, you can create new policies or modify the
connection from the SSL VPN folder.

Note: SSL VPN server configuration is supported on Cisco IOS security routers
running software version 12.4(6)T and later.

These topics describe the steps for configuring an SSL VPN connection on an IOS
device, using the SSL VPN wizard:

Gateway and Context Page (IOS), page I-2

Portal Page Customization Page, page I-5

Navigation Path

1. Select View > Device View or click the Device View button on the toolbar.

2. From the Device Selector, select the IOS router on which you want to
   configure an SSL VPN connection.

3. Select SSL VPN > SSL VPN Wizard from the Policy selector.

Related Topics

Using the Wizard to Create an IOS SSL VPN Connection, page 11-7

Gateway and Context Page (IOS)


A gateway and context must be configured on a device before a remote user can
access resources on a private network behind the SSL VPN. Use this step of the
SSL VPN wizard to specify a gateway and context configuration, including
information that will allow users to access a portal page.
For more information about how to configure a gateway and context, see
Configuring an SSL VPN Gateway and Context, page 11-7.


Navigation Path

In Device view, open the SSL VPN Server Wizard (IOS), page I-2, then click
SSL VPN Server Wizard.
Related Topics

SSL VPN Server Wizard (IOS), page I-2

Configuring an SSL VPN Gateway and Context, page 11-7

Configuring User Groups on an IOS Device, page 11-19

Understanding SSL VPN Gateway Objects, page 8-191

Creating SSL VPN Gateway Objects, page 8-192

Understanding Port List Objects, page 8-150

Understanding AAA Server Group Objects, page 8-16

Field Reference

Table I-1  SSL VPN Wizard: Gateway and Context Page

Gateway
    The gateway to be used as a proxy for connections to the protected
    resources in your SSL VPN.
    Options are:
    - Use Existing Gateway: When selected, enables you to use an
      existing gateway for your SSL VPN.
    - Create Using IP Address: When selected, enables you to
      configure a new gateway using a reachable (public static) IP
      address on the router.
    - Create Using Interface: When selected, enables you to
      configure a new gateway using the public static IP address of
      the router interface.


Table I-1  SSL VPN Wizard: Gateway and Context Page (continued)

Gateway Name
    Specify the name of the gateway.
    If you selected to use an existing gateway, you can click Select to
    open a dialog box from which you can select a gateway from a list
    of SSL VPN gateway objects, or create a new gateway object.
    Note: After selecting the gateway, the port number and digital
    certificate required to establish a secure connection are
    displayed in the relevant fields.

IP Address
    Available only if you selected to create a new gateway using the
    router's IP address.
    Specify the IP address that will be used to configure the gateway.

Interface
    Available only if you selected to create a new gateway using the
    router's interface.
    Specify the interface that will be used to configure the gateway. You
    can click Select to open a dialog box from which you can select an
    interface from a list of interface or interface role objects.

Port
    Available only if you selected to create a new gateway using the
    router's IP address or interface.
    Specify the number of the port that will carry the HTTPS traffic
    (between 1024 and 65535). The default is 443, unless HTTP port
    redirection is enabled, in which case the default HTTP port number
    is 80.
    You can click Select to open the Port List Selector from which you
    can select a port list object. A port list object is a named definition
    of one or more port ranges that you use when defining service
    objects.

Trustpoint
    Available only if you selected to create a new gateway using the
    router's IP address or interface.
    The digital certificate required to establish a secure connection. If
    you need to configure a specific CA certificate, a self-signed
    certificate is generated when an SSL VPN gateway is activated. All
    gateways on the router can use the same certificate.


Table I-1  SSL VPN Wizard: Gateway and Context Page (continued)

Context Name
    The name of the context that identifies the resources needed to
    support the SSL VPN tunnel between the remote clients and the
    corporate or private intranet.
    Tip: To simplify the management of multiple context
    configurations, it is recommended to use the domain or
    virtual hostname for the context name.

Portal Page URL
    The URL that will be displayed on the Portal page to access the
    SSL VPN gateway.

User Groups
    The names of the user groups that will be used in your SSL VPN
    connection, and whether Full Tunnel access mode is enabled or
    disabled for them (see Configuring User Groups on an IOS Device,
    page 11-19).
    You can click Edit to open the User Groups Selector, in which you
    can select the required user groups, and from which you can create
    and edit user groups. See User Groups Selector Page, page I-7.

Authentication Server Group
    The name of the authentication server group (LOCAL if the users
    are defined on the local device).
    You can click Select to open a dialog box from which you can select
    an AAA server group from a list of AAA server group objects.

Authentication Domain
    Specifies a list or method for SSL VPN remote user authentication.
    Note: If you do not specify a list or method, the SSL VPN gateway
    uses global AAA parameters for remote-user authentication.

Accounting Server Group
    The name of the accounting server group.
    You can click Select to open a dialog box from which you can select
    an AAA server group from a list of AAA server group objects.

Portal Page Customization Page


Use this step of the SSL VPN wizard to define the appearance of the portal page.
The portal page allows the remote user access to all websites available on the
SSL VPN networks.


Navigation Path

1. In Device view, open the SSL VPN Server Wizard (IOS), page I-2, and click
   SSL VPN Server Wizard.

2. In the Gateway and Context Page (IOS), page I-2, click Next.

Related Topics

Customizing the SSL VPN Portal Page, page 11-10

SSL VPN Server Wizard (IOS), page I-2

Configuring an SSL VPN Policy (IOS), page 11-11

Field Reference

Table I-2  SSL VPN Wizard: Portal Page Customization Page

Title
    The title that is displayed in the title bar of the portal page.
    The default title is SSL VPN Service.

Logo
    The logo to be displayed on the title bar of the SSL VPN login and
    portal page.
    Options are:
    - None: No logo is displayed.
    - Default: To use the default logo.
    - Custom: When selected, enables you to specify your own
      logo. Specify the source image file for the logo in the Logo File
      field, or click Select to select an image file.
      The source image file for the logo can be a gif, jpg, or png file,
      with a filename of up to 255 characters, and up to 100 kilobytes
      in size.

Login Message
    The message that will be displayed to the user upon login.

Primary Title Color
    The color of the title bars on the login and portal pages of the
    SSL VPN.
    Click Select to open a dialog box in which you can choose the
    required color for the title bars.


Table I-2  SSL VPN Wizard: Portal Page Customization Page (continued)

Secondary Title Color
    The color of the secondary title bars on the login and portal pages
    of the SSL VPN.
    Click Select to open a dialog box in which you can choose the
    required color for the secondary title bars.

Primary Text Color
    The color of the text on the title bars of the login and portal pages.
    Options are white or black (the default).
    Note: The color of the text must be aligned with the color of the
    text on the title bar.

Secondary Text Color
    The color of the text on the secondary title bars of the login and
    portal pages.
    Options are white or black (the default).
    Note: The color of the text must be aligned with the color of the
    text on the secondary title bar.

Preview
    A preview of how the portal page will appear.

User Groups Selector Page


Note: The User Groups Selector is available if the selected device is a Cisco IOS
router or ASA device.

In the User Groups Selector page you can select the user group(s) that will be used
in your SSL VPN connection. From this page, you can open the User Group
wizard in which you can create a new user group. See Create User Group Wizard,
page I-9.


Navigation Path

In Device view, select the required device in the Device selector.

If you selected an IOS router:

   a. Open the SSL VPN Server Wizard (IOS), page I-2, and click
      SSL VPN Server Wizard.

   b. On the Gateway and Context Page (IOS), page I-2, click Edit alongside
      the User Groups table.

If you selected an ASA device:

   a. Open the SSL VPN Wizard for ASA Device, page I-25, click
      SSL VPN Server Wizard, then click Next on the Access Page (ASA),
      page I-26.

   b. On the Connection Profile Page (ASA), page I-27, click Edit alongside
      the User Groups table.

Related Topics

SSL VPN Server Wizard (IOS), page I-2

Understanding User Groups in SSL VPN, page 11-17

Configuring User Groups on an IOS Device, page 11-19

Configuring User Groups on an ASA Device, page 11-20

Creating User Group Objects, page 8-182

Field Reference

Table I-3  User Groups Selector Page

Available User Groups
    Lists the predefined user groups available for selection.
    Select the required user group(s) and click >>.
    If the required user group is not included in the list, click Create to
    open the Create User Group Wizard in which you can create a user
    group. See Create User Group Wizard, page I-9.
    In Security Manager, user groups are objects. To modify the
    properties of a user group, select it and click Edit. The Edit User
    Groups dialog box opens, enabling you to edit the user group object.


Table I-3  User Groups Selector Page (continued)

Selected User Groups
    Displays the selected user groups.
    To remove user group(s) from this list, select them and click <<.
    To modify the properties of a user group, select it and click Edit.
    The Edit User Groups dialog box opens, enabling you to edit the
    user group object.
    Note: To specify a user group as the default user group, select it
    and click Set As Default. This option is only available for
    an IOS router.

>> button
    Click to move selected user group(s) from the Available User
    Groups list to the Selected User Groups list.

<< button
    Click to move selected user group(s) from the Selected User
    Groups list back to the Available User Groups list.

OK button
    Saves your changes locally on the client and closes the dialog box.
    To save your changes to the server so that they are not lost when you
    log out or close your client, click Save on the source page.

Create User Group Wizard


Use the Create User Group wizard to create a new user group that will be
configured on an IOS router or ASA device in your SSL VPN connection.
These pages describe the configuration steps of the Create User Group wizard:

Name and Access Method Page, page I-10

Full Tunnel Access Mode Page, page I-11

Clientless and Thin Client Access Modes Page, page I-15

Navigation Path

1. In Device view, select the required IOS or ASA device.

2. Select SSL VPN > SSL VPN Wizard, then click SSL VPN Server Wizard.

3. Open the User Groups Selector page as follows:


   - If you selected an IOS router, click Edit alongside the User Groups table
     in the Gateway and Context page.

   - If you selected an ASA device, click Next in the Access page, then click
     Edit alongside the User Groups table in the Connection Profiles page.

4. In the User Groups Selector Page, page I-7, click Create. The Create User
   Group wizard opens, displaying the Name and Access Method page.

Related Topics

Understanding User Groups in SSL VPN, page 11-17

Configuring User Groups on an IOS Device, page 11-19

Configuring User Groups on an ASA Device, page 11-20

Creating a New User Group, page 11-22

Name and Access Method Page

Use this step of the Create User Group wizard to define a name for your user group, and optionally, select the remote access method(s) that will be used to access the SSL-enabled gateway (IOS router) or ASA security appliance.

Navigation Path

In the User Groups Selector Page, page I-7, click Create.

Related Topics

- Create User Group Wizard, page I-9
- SSL VPN Access Modes, page 11-3
- Full Tunnel Access Mode Page, page I-11
- Clientless and Thin Client Access Modes Page, page I-15

Field Reference

Table I-4    Create User Group Wizard: Name and Access Method Page

Name
    The name of the user group.
    You can enter up to 128 characters, including uppercase and lowercase characters and most alphanumeric or symbol characters.

Access Method
    Select the required remote access mode option(s), as follows:
    - Full Tunnel: To access the corporate network completely over an SSL VPN tunnel. This is the recommended option.
    - Clientless: To access the internal or corporate network using a web browser on the client machine.
    - Thin Client: To download a Java applet that acts as a TCP proxy on the client machine.

Full Tunnel Access Mode Page

This page is only available if you selected the Full Tunnel option in step 1 of the wizard (Name and Access Method Page, page I-10).

In the Full Tunnel page of the Create User Group wizard, you can configure the Full Tunnel Client mode that enables access to the corporate network completely over an SSL VPN tunnel.

Note: The SSL VPN Client (SVC) software must be installed on the device in order for Full Tunnel mode to work properly. The SVC is managed using a FlexConfig policy. For more information, see Predefined FlexConfig Policy Objects, page 19-7.

Navigation Path

In Device view, open the Create User Group Wizard, page I-9, select the Full Tunnel access method option, then click Next.


Related Topics

- Create User Group Wizard, page I-9
- Full Tunnel Client Access Mode, page 11-4
- Configuring the Full Tunnel Access Mode, page 11-24

Field Reference

Table I-5    Create User Group Wizard: Full Tunnel Page

Use Other Access Modes if SSL VPN Client Download Fails
    When selected, enables the remote client to use clientless or thin client access modes if the SVC download fails.
    Note: For the full tunnel access mode to work properly, the SSL VPN Client (SVC) software must be installed on the device.

Full Tunnel
    When selected, enables the Full Tunnel access mode to be configured.
    Note: For the full tunnel access mode to work properly, the SSL VPN Client (SVC) software must be installed on the device.

Client IP Address Pools
    Available only if the selected device is an IOS router.
    The IP address ranges of the address pool that full tunnel clients will draw from when they log on.
    You can click Select to open the Networks/Hosts Selector from which you can make your selection(s).

Primary DNS Server
    The IP address of the primary DNS server to be used for the Full Tunnel SSL VPN connection.
    You can click Select to open the Networks/Hosts Selector from which you can make your selection.

Secondary DNS Server
    The IP address of a secondary DNS server to be used for the Full Tunnel SSL VPN connection.
    You can click Select to open the Networks/Hosts Selector from which you can make your selection.


Table I-5    Create User Group Wizard: Full Tunnel Page (continued)

Default DNS Domain
    The domain name of the DNS server to be used for the Full Tunnel SSL VPN connection.

Primary WINS Server
    The IP address of the primary WINS server to be used for the Full Tunnel SSL VPN connection.
    You can click Select to open the Networks/Hosts Selector from which you can make your selection.

Secondary WINS Server
    The IP address of a secondary WINS server to be used for the Full Tunnel SSL VPN connection.
    You can click Select to open the Networks/Hosts Selector from which you can make your selection.

Split Tunnel Option
    Specifies the traffic that will be secured or transmitted unencrypted across the public network:
    - Disabled: Split tunneling is disabled and no traffic will be secured.
    - Exclude Specified Networks: Split tunneling is enabled. You can specify the networks to which traffic is transmitted in the clear (unencrypted).
    - Tunnel Specified Networks: Split tunneling is enabled. All traffic from or to the specified networks will be secured.


Table I-5    Create User Group Wizard: Full Tunnel Page (continued)

Destinations
    Available if the selected device is an IOS router and split tunneling is enabled.
    The specified networks to which traffic is transmitted secured or unencrypted, depending on the selected Split Tunneling option. Multiple entries are separated by commas. Accepted formats are:
    - a.b.c.d where a,b,c,d = 0-255 (host).
    - a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).
    - Freeform text that is the name of the network/host object.
    You can click Select to open the Networks/Hosts Selector from which you can make your selection(s) from a list of available network and host objects.

Networks
    Available if the selected device is an ASA security appliance and split tunneling is enabled.
    The networks to be used for split tunneling. Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The security appliance makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network.
    You can click Select to open the Access Control Lists selector, from which you can select the required access control list.

Exclude Local LANs
    Available if the selected device is an IOS router and split tunneling is enabled.
    When selected, disallows a non-split-tunneling connection to access the local subnetwork at the same time as the client.

Split DNS Names
    A list of domain names that must be tunneled or resolved to the private network. All other names will be resolved via the public DNS server.
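The accepted Destinations formats, the two enabled Split Tunnel options and the Split DNS Names rule described in Table I-5 can be checked offline before a policy is deployed. The following Python example is added here and is not code from the guide or from Cisco Security Manager: it parses a comma-separated Destinations string into address ranges (host, subnet, range, or the name of a network/host object, resolved against a constructed NETWORK_OBJECTS table that stands in for the Networks/Hosts objects), decides for a destination address whether traffic is secured or sent in the clear under Exclude Specified Networks or Tunnel Specified Networks, and applies the Split DNS Names rule to a hostname. The Disabled option is not modelled, because it has no network list to consult.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed stand-in for the Networks/Hosts objects that a freeform
# Destinations entry can name (sample data, not from the guide).
NETWORK_OBJECTS = {
    "corp-servers": ["10.1.0.0/16", "10.2.5.0/24"],
    "printers": ["10.3.0.10-10.3.0.20"],
}

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"                      # a,b,c,d = 0-255
_ADDR = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
HOST_RE = re.compile(rf"^{_ADDR}$")                             # a.b.c.d
SUBNET_RE = re.compile(rf"^{_ADDR}/(?:[1-9]|[12]\d|3[0-2])$")   # a.b.c.d/e, e = 1-32
RANGE_RE = re.compile(rf"^({_ADDR})-({_ADDR})$")                # a.b.c.d-e.f.g.h


@dataclass
class Destination:
    text: str   # the entry as typed in the Destinations field
    kind: str   # "host", "subnet", "range" or "object"
    low: int    # first address of the entry, as an integer
    high: int   # last address of the entry, as an integer

    def contains(self, ip: str) -> bool:
        return self.low <= int(ipaddress.IPv4Address(ip)) <= self.high


def parse_destination(entry: str) -> List[Destination]:
    """Parse one Destinations entry; an object name may expand to several ranges."""
    entry = entry.strip()
    if HOST_RE.match(entry):
        n = int(ipaddress.IPv4Address(entry))
        return [Destination(entry, "host", n, n)]
    if SUBNET_RE.match(entry):
        net = ipaddress.IPv4Network(entry, strict=False)
        return [Destination(entry, "subnet",
                            int(net.network_address), int(net.broadcast_address))]
    m = RANGE_RE.match(entry)
    if m:
        low = int(ipaddress.IPv4Address(m.group(1)))
        high = int(ipaddress.IPv4Address(m.group(2)))
        if low > high:
            raise ValueError(f"range start is above range end: {entry}")
        return [Destination(entry, "range", low, high)]
    if entry in NETWORK_OBJECTS:
        # Freeform text naming a network/host object: expand its members.
        return [Destination(entry, "object", d.low, d.high)
                for member in NETWORK_OBJECTS[entry]
                for d in parse_destination(member)]
    raise ValueError(f"not a host, subnet, range or known network/host object: {entry!r}")


def parse_destinations(text: str) -> List[Destination]:
    """Parse the whole comma-separated Destinations field."""
    result: List[Destination] = []
    for entry in text.split(","):
        if entry.strip():
            result.extend(parse_destination(entry))
    return result


def traffic_is_secured(option: str, destinations: List[Destination], dst_ip: str) -> bool:
    """True when traffic to dst_ip goes through the SSL VPN tunnel, False when it
    crosses the public network in the clear, for the two enabled split tunnel options."""
    matched = any(d.contains(dst_ip) for d in destinations)
    if option == "Exclude Specified Networks":
        return not matched      # listed networks go in the clear; everything else is tunneled
    if option == "Tunnel Specified Networks":
        return matched          # only the listed networks are tunneled
    raise ValueError(f"unsupported split tunnel option: {option!r}")


def resolved_by_private_dns(hostname: str, split_dns_names: List[str]) -> bool:
    """Split DNS Names: a name equal to, or under, a listed domain is resolved on the
    private network; every other name goes to the public DNS server."""
    host = hostname.lower().rstrip(".")
    for domain in split_dns_names:
        d = domain.lower().strip().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False
```

The parser rejects an entry such as 10.0.0.0/0 (e must be 1-32) or a range whose start is above its end, which is the kind of typo that would otherwise silently widen or empty the split-tunnel list.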


Clientless and Thin Client Access Modes Page

In the Clientless and Thin Client page of the Create User Group wizard, you can configure the Clientless and/or Thin Client modes to be used for accessing the corporate network in your SSL VPN.

For more information about how to configure the Clientless and Thin Client access modes, see Configuring the Clientless and Thin Client Access Modes, page 11-26.

Note: This page is only available if you selected the Clientless and/or Thin Client options in step 1 of the wizard (Name and Access Method Page, page I-10).

Navigation Path

In Device view, open the Create User Group Wizard, page I-9, select the Clientless and/or Thin Client access method options, then click Next, or click Next in the Full Tunnel page.

Related Topics

- Create User Group Wizard, page I-9
- Configuring the Clientless and Thin Client Access Modes, page 11-26
- Clientless Access Mode, page 11-3
- Thin Client Access Mode, page 11-3
- Understanding URL List Objects, page 8-179
- Understanding Port Forwarding List Objects, page 8-147


Field Reference

Table I-6    Create User Group Wizard: Clientless and Thin Client Page

Clientless

Portal Page Websites
    A list of websites that will be displayed on the portal page as bookmarks to enable users to access the resources available on the SSL VPN websites.
    You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects.

Allow Users to Enter Websites
    When selected, enables remote users to input website URLs directly.

Thin Client

Port Forwarding List
    The Port Forwarding List that defines the mapping of the port number on the client machine to the application's IP address and port behind the SSL VPN gateway.
    You can click Select to open the Port Forwarding List Selector from which you can select the required Port Forwarding List from a list of Port Forwarding List objects.

Port Forwarding Applet Name
    The Java applet that will be used as a TCP proxy on the client machine. The Java applet starts a new SSL connection for every client connection.
    The Java applet initiates an HTTP request from the remote user client to the ASA device. The name and port number of the internal email server are included in the HTTP request. A TCP connection is created to that internal email server and port.

Download Port Forwarding Applet on Client Login
    When selected, enables a port-forwarding Java applet to be automatically downloaded when the remote client logs in.

SSL VPN Policy Page (IOS)


Use this page to view the SSL VPN connection policies currently defined on your
IOS router. From this page, you can create, edit, or delete SSL VPN policies.
For more information, see Configuring an SSL VPN Policy (IOS), page 11-11.

Navigation Path

1. Select View > Device View or click the Device View button on the toolbar.

2. From the Device Selector, select the IOS router on which you want to view or configure an SSL VPN policy.

3. Select SSL VPN > SSL VPN Policy from the Policy selector.

Related Topics

- Working with SSL VPN Policies, page 11-5
- Configuring SSL VPN on an IOS Device, page 11-6
- SSL VPN Context Editor Dialog Box (IOS), page I-18

Field Reference

Table I-7    SSL VPN (IOS) Policy Page

Filter
    Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

Name
    The name of the context that defines the virtual configuration of the SSL VPN.
    Note: To simplify the management of multiple context configurations, the context name should be the same as the domain or virtual hostname.

Gateway
    The gateway defined for the SSL VPN connection.

Domain
    The domain or virtual hostname of the SSL VPN connection.

Status
    The current status of the SSL VPN connection: In Service or Out of Service.

Policies
    The user groups associated with the SSL VPN connection.

Create button
    Click to open the SSL VPN Context Editor to create an SSL VPN policy. See SSL VPN Context Editor Dialog Box (IOS), page I-18.

Edit button
    Select a row of an SSL VPN policy in the table, then click to open the SSL VPN Context Editor to edit its properties. See SSL VPN Context Editor Dialog Box (IOS), page I-18.


Table I-7    SSL VPN (IOS) Policy Page (continued)

Delete button
    Select the rows of one or more SSL VPN policies, then click to remove them from the list.

SSL VPN Context Editor Dialog Box (IOS)

Use this dialog box to create or modify an SSL VPN policy (context). For more information, see Configuring an SSL VPN Policy (IOS), page 11-11.

These tabs are available on the SSL VPN Context Editor dialog box:

- General Tab, page I-18
- Portal Page Tab, page I-21
- Secure Desktop Tab, page I-22
- Advanced Tab, page I-24

Navigation Path

Open the SSL VPN Policy Page (IOS), page I-16, then click Create, or select a policy in the table and click Edit. For more information, see Table I-7 on page I-17. The SSL VPN Context Editor opens with the General tab displayed.

General Tab

Use the General tab of the SSL VPN Context Editor dialog box to define or edit the general settings required for an SSL VPN policy. General settings include specifying the gateway, domain, AAA servers for accounting and authentication, and user groups.

Navigation Path

The General tab appears when you open the SSL VPN Context Editor Dialog Box (IOS), page I-18. You can also open it by clicking the General tab from any other tab in the SSL VPN Context Editor dialog box.

Related Topics

- Configuring General Settings for an IOS SSL VPN Policy, page 11-12


- SSL VPN Context Editor Dialog Box (IOS), page I-18
- Understanding SSL VPN Gateway Objects, page 8-191
- Understanding AAA Server Group Objects, page 8-16
- Creating User Group Objects, page 8-182

Field Reference

Table I-8    SSL VPN Context Editor > General Tab (IOS)

Name
    The name of the context that defines the virtual configuration of the SSL VPN.
    Note: To simplify the management of multiple context configurations, the context name is the same as the domain or virtual hostname.

Gateway
    The gateway to be used in the SSL VPN policy.
    You can click Select to open a dialog box from which you can select the gateway from a list of SSL VPN gateway objects. A gateway object provides the interface and port configuration for an SSL VPN connection.

Domain
    The domain or virtual hostname of the SSL VPN connection.

Portal Page URL
    The URL that will appear on the Portal page enabling a user to access the SSL VPN gateway.

Enable SSL VPN
    When selected, activates the SSL VPN connection, putting it In Service.
    When deselected, puts the SSL VPN connection Out of Service.

Authentication Server Group
    The authentication server group (LOCAL if the users are defined on the local device).
    You can click Select to open a dialog box from which you can select an AAA server group from a list of AAA server group objects.

Authentication Domain
    A list or method for SSL VPN remote user authentication.
    Note: If a list or method is not specified, the SSL VPN gateway uses global AAA parameters for remote-user authentication.


Table I-8    SSL VPN Context Editor > General Tab (IOS) (continued)

Accounting Server Group
    The accounting server group.
    You can click Select to open a dialog box from which you can select an AAA server group from a list of AAA server group objects.

User Groups
    A table listing the user group(s) that will be used in your SSL VPN policy. User groups define the resources available to users when connecting to an SSL VPN gateway.
    Using the buttons below the table, you can add user groups, edit their properties, and delete them from the table.

Create button
    Click to add user group(s) to the User Groups table.
    The User Groups Selector Page, page I-7, opens, from which you can select the required user group(s).
    If the required user group is not included in the Selector, click Create to open the Add User Group dialog box in which you can create a new user group object.

Edit button
    Select a user group in the User Groups table, then click Edit to modify its properties.
    The Edit User Group dialog box opens, enabling you to edit the user group object.

Delete button
    Select the rows of one or more user groups, then click to remove them from the table.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Portal Page Tab

Use the Portal Page tab of the SSL VPN Context Editor dialog box to define or edit the customization of the login page and portal page for the SSL VPN policy.

Navigation Path

Open the SSL VPN Context Editor Dialog Box (IOS), page I-18, then click the Portal Page tab.

Related Topics

- Configuring the Portal Page for an IOS SSL VPN Policy, page 11-14
- SSL VPN Context Editor Dialog Box (IOS), page I-18

Field Reference

Table I-9    SSL VPN Context Editor > Portal Page Tab (IOS)

Title
    The title displayed in the title bar of the portal page.
    The default title is SSL VPN Service.

Logo
    The logo displayed on the title bar of the SSL VPN login and portal page. Options are:
    - None: No logo is displayed.
    - Default: To use the default logo.
    - Custom: When selected, enables you to specify your own logo. Specify the source image file for the logo in the Logo File field, or click Select to select an image file. The source image file for the logo can be a gif, jpg, or png file, with a filename of up to 255 characters, and up to 100 kilobytes in size.

Login Message
    The message that will be displayed to the user upon login.


Table I-9    SSL VPN Context Editor > Portal Page Tab (IOS) (continued)

Primary Title Color
    The color of the title bars on the login and portal pages of the SSL VPN.
    Click Select to open a dialog box in which you can choose the required color for the title bars.

Secondary Title Color
    The color of the secondary title bars on the login and portal pages of the SSL VPN.
    Click Select to open a dialog box in which you can choose the required color for the secondary title bars.

Primary Text Color
    The color of the text on the title bars of the login and portal pages. Options are white or black (the default).
    Note: The color of the text must be aligned with the color of the text on the title bar.

Secondary Text Color
    The color of the text on the secondary title bars of the login and portal pages. Options are white or black (the default).
    Note: The color of the text must be aligned with the color of the text on the secondary title bar.

Preview
    A preview of how the portal page will appear.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Secure Desktop Tab


Use the Secure Desktop tab to configure the Cisco Secure Desktop (CSD)
software on your selected IOS router.


Cisco Secure Desktop (CSD) provides a single, secure location for session activity and removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL VPN session. For more information, see Configuring the Secure Desktop Software for an IOS SSL VPN Policy, page 11-15.

Note: The Secure Desktop Client software must be installed and activated on a device in order for an SSL VPN policy to work properly. The CSD is managed using a FlexConfig policy. For more information, see Predefined FlexConfig Policy Objects, page 19-7.

Navigation Path

Open the SSL VPN Context Editor Dialog Box (IOS), page I-18, then click the Secure Desktop tab.

Related Topics

- Configuring the Cisco Secure Desktop Software, page 11-45
- SSL VPN Context Editor Dialog Box (IOS), page I-18
- Understanding Secure Desktop Configuration Objects, page 8-153

Field Reference

Table I-10    SSL VPN Context Editor > Secure Desktop Tab (IOS)

Enable
    When selected, enables the CSD on the device.

Configuration
    Specify the filename of the CSD distribution package to install into the running configuration (the securedesktop_asa_<n>_<n>*.pkg file to be uploaded from your local computer to the flash device).
    You can click Select to open the Secure Desktops Selector from which you can select a CSD distribution package file from a list of CSD distribution package objects.


Table I-10    SSL VPN Context Editor > Secure Desktop Tab (IOS) (continued)

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Advanced Tab

Use the Advanced tab of the SSL VPN Context Editor dialog box to define or edit the maximum number of SSL VPN users, and other advanced settings required for an SSL VPN policy.

Navigation Path

Open the SSL VPN Context Editor Dialog Box (IOS), page I-18, then click the Advanced tab.

Related Topics

- Configuring Advanced Settings for an IOS SSL VPN Policy, page 11-16
- SSL VPN Context Editor Dialog Box (IOS), page I-18

Field Reference

Table I-11    SSL VPN Context Editor > Advanced Tab (IOS)

Maximum Number of Users
    The maximum number of SSL VPN user sessions that can be configured. You can specify a value in the range 1-1000.

VRF Name
    If Virtual Routing Forwarding (VRF) is configured on the device, the name of the VRF instance that is associated with the SSL VPN context.
    Note: Only one VRF instance can be associated with each SSL VPN context.
    For information about VRF, see Understanding VRF-Aware IPsec, page 9-51.


Table I-11    SSL VPN Context Editor > Advanced Tab (IOS) (continued)

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

SSL VPN Wizard for ASA Device

Use the SSL VPN wizard to configure a basic SSL VPN connection profile on your server device. The wizard creates the policies required for a basic SSL VPN to function. After configuring the wizard, you can create new policies or modify the connection profile from the SSL VPN folder.

Note: SSL VPN server configuration is supported on ASA 5500 devices running software version 7.1 and later.

These topics describe the steps for configuring an SSL VPN connection profile on an ASA device:

- Access Page (ASA), page I-26
- Connection Profile Page (ASA), page I-27

Navigation Path

1. Select View > Device View or click the Device View button on the toolbar.

2. From the Device Selector, select the ASA device on which you want to configure an SSL VPN connection profile.

3. Select SSL VPN > SSL VPN Wizard from the Policy selector.

Related Topics

- Using the Wizard to Create an ASA SSL VPN Connection Profile, page 11-28


Access Page (ASA)

Use the Access page of the SSL VPN Configuration Wizard to configure the security appliance interfaces for SSL VPN sessions, select a port for SSL VPN connection profiles, and specify the URLs that will be displayed on the Portal page to access the connection profiles.

Navigation Path

In Device view, open the SSL VPN Wizard for ASA Device, page I-25, then click SSL VPN Wizard.

Related Topics

- SSL VPN Wizard for ASA Device, page I-25
- Defining the ASA SSL VPN Access Parameters, page 11-29
- Understanding Interface Role Objects, page 8-115
- Understanding Port List Objects, page 8-150

Field Reference

Table I-12    SSL VPN Wizard: Access Page (ASA)

Interfaces
    Specify the interfaces on which you want to enable the SSL VPN connection profiles.
    You can click Select to open a dialog box from which you can select an interface from a list of interface or interface role objects.

Port
    Specify the port number you want to use for the SSL VPN sessions. The default port is 443, for HTTPS traffic. The port number can be 443, or within the range of 1024-65535. If you change the port number, all current SSL VPN connections terminate, and current users must reconnect.
    Note: If HTTP port redirection is enabled, the default HTTP port number is 80.
    You can click Select to open the Port List Selector dialog box from which you can make your selection, or create a new port list.


Table I-12    SSL VPN Wizard: Access Page (ASA) (continued)

Portal Page URLs
    The URLs that will be displayed on the Portal page to access the SSL VPN connection profile.

Allow Users to Select Connection Profile in Portal Page
    When selected, enables the user to select a tunnel group at login from a list of tunnel group connection profiles configured on the device. This is the default setting.
    When deselected, the user cannot select a tunnel group at login.

Enable SSL VPN Access
    When selected, enables the SSL VPN functionality on the ASA device. This is the default setting.
    When deselected, disables the SSL VPN functionality on the ASA device.

Connection Profile Page (ASA)

Use the Connection Profile page of the SSL VPN wizard to configure the tunnel group policies on your security appliance. You can specify a name for the tunnel connection profile policy that you are adding, select the user group policy, specify address pools for this policy, and specify authentication server group settings.

Navigation Path

1. In Device view, open the SSL VPN Wizard for ASA Device, page I-25, then click SSL VPN Wizard.

2. In the Access Page (ASA), page I-26, click Next.

Related Topics

- SSL VPN Wizard for ASA Device, page I-25
- Defining the ASA SSL VPN Connection Profile Parameters, page 11-30
- Configuring User Groups on an ASA Device, page 11-20
- Understanding ASA User Group Objects, page 8-43
- Understanding SSL VPN Customization Objects, page 8-186
- Understanding Network/Host Objects, page 8-127
- Understanding AAA Server Group Objects, page 8-16



Field Reference

Table I-13    SSL VPN Wizard: Connection Profile Page (ASA)

Connection Profile Name
    The name of the tunnel group that contains the policies for this SSL VPN connection profile.

Default User Group
    The default user group associated with the device.
    You can click Select to open the ASA User Groups Selector from which you can select a user group from a list of ASA user group objects.
    If the required default user group is not included in the list, click Create to open the Create User Group Wizard in which you can create a user group. See Create User Group Wizard, page I-9.
    ASA user groups are objects. If you want to modify the properties of a user group in the list, select it and click Edit. The Edit User Groups dialog box opens, enabling you to edit the user group object.

Full Tunnel
    Indicates whether full tunnel access mode was configured for the user group or not.


Table I-13    SSL VPN Wizard: Connection Profile Page (ASA) (continued)

User Groups
    The names of the user groups that will be used in your SSL VPN connection profile, and whether Full Tunnel access mode is enabled or disabled for them.
    Note: All SSL VPN connection profiles on an ASA device share one user group. Each time you create a connection profile using the wizard, the User Groups list may be populated with data from the previous connection profile defined on the device.
    Click Edit to open the User Groups Selector, in which you can select the required ASA user groups from a list of ASA user group objects. See User Groups Selector Page, page I-7.
    If a required user group is not included in the User Groups Selector, click Create to open the Create User Group Wizard in which you can create a user group. See Create User Group Wizard, page I-9.
    To modify the properties of a user group in the User Groups Selector, select it and click Edit. The Edit User Groups dialog box opens, enabling you to edit the user group object.

Portal Page Customization
    Specify the customization profile that defines the appearance of the portal page that allows the remote user access to all the resources available on the SSL VPN networks.
    Customization profiles are predefined objects. You can click Select to open the SSL VPN Customization Selector dialog box that lists all available customization objects, from which you can make your selection.
    Note: You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create an SSL VPN tunnel group called sales that uses that customization profile.


Table I-13    SSL VPN Wizard: Connection Profile Page (ASA) (continued)

Group URL
    The URL that is associated with the tunnel group connection profile. This URL provides users with direct access to the portal page of the tunnel group connection profile.
    A group URL is made up of the host name or IP address of the ASA device and port number, and the alias used to identify the SSL VPN connection profile.
    Select a protocol (http or https) from the list, and specify the group URL, including the name of the connection profile, in the field provided.
    Note: If you do not specify a group URL, you can access the portal page by entering the portal page URL, and then selecting the tunnel group connection profile alias from a list of tunnel group connection profile aliases configured on the device. See Access Page (ASA), page I-26.

Global IP Address Pool
    The address pools from which IP addresses will be assigned. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.
    Address pools are predefined network objects. If you want to use a different address pool, or select additional address pools, click Select to open the Network/Hosts selector from which you can make your selection(s).
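The Port rule from the Access page (443 or 1024-65535, with 80 as the HTTP redirect default), the composition of the Group URL, and the in-order use of the Global IP Address Pools described above can each be expressed as a small function. The following Python example is added here and is not code from the guide or from the security appliance: validate_ssl_vpn_port, group_url and the AddressPoolAllocator class are names chosen for this illustration, the alias syntax accepted by ALIAS_RE is an assumption, and the pools and session identifiers in the comments are constructed sample values.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

DEFAULT_PORTS = {"https": 443, "http": 80}   # 443 for HTTPS; 80 when HTTP redirection is on
MAX_POOLS = 6                                 # "You can specify up to 6 pools."
ALIAS_RE = re.compile(r"^[A-Za-z0-9._-]+$")   # assumed alias syntax, not a rule from the guide


def validate_ssl_vpn_port(port: int) -> int:
    """Access page rule: the SSL VPN port is 443 or within the range 1024-65535."""
    if port == 443 or 1024 <= port <= 65535:
        return port
    raise ValueError(f"port {port} is not 443 or within 1024-65535")


def group_url(protocol: str, host: str, port: int, alias: str) -> str:
    """Group URL: protocol, host name or IP address of the ASA device, port number and
    the alias that identifies the connection profile. The port is left out when it is
    the protocol default (a presentation choice made here, not a rule from the guide)."""
    if protocol not in DEFAULT_PORTS:
        raise ValueError("protocol must be http or https")
    if not ALIAS_RE.match(alias):
        raise ValueError(f"alias {alias!r} is not a simple path label")
    if protocol == "https":
        validate_ssl_vpn_port(port)
    authority = host if port == DEFAULT_PORTS[protocol] else f"{host}:{port}"
    return f"{protocol}://{authority}/{alias}"


class AddressPoolAllocator:
    """Assigns client addresses from up to six pools (predefined network objects),
    using them in the order listed and moving to the next pool only once the
    current one has no free address left."""

    def __init__(self, pools: List[str]):
        if not 1 <= len(pools) <= MAX_POOLS:
            raise ValueError(f"specify between 1 and {MAX_POOLS} address pools")
        self.pools = [ipaddress.ip_network(p, strict=False) for p in pools]
        self.by_session: Dict[str, ipaddress.IPv4Address] = {}   # session id -> address
        self.in_use: Set[ipaddress.IPv4Address] = set()

    def assign(self, session_id: str) -> Optional[str]:
        """Return the address for a session, or None when every pool is exhausted."""
        if session_id in self.by_session:          # a session keeps the address it has
            return str(self.by_session[session_id])
        for pool in self.pools:                     # first pool first, then the next
            for addr in pool.hosts():               # linear scan: adequate for an example
                if addr not in self.in_use:
                    self.in_use.add(addr)
                    self.by_session[session_id] = addr
                    return str(addr)
        return None

    def release(self, session_id: str) -> None:
        """Return a session's address to its pool so it can be assigned again."""
        addr = self.by_session.pop(session_id, None)
        if addr is not None:
            self.in_use.discard(addr)
```

With two /30 pools such as 192.0.2.0/30 and 192.0.2.8/30 (constructed values), the first two sessions receive 192.0.2.1 and 192.0.2.2, the third moves on to 192.0.2.9, and a fifth session is refused until an address is released.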


Table I-13    SSL VPN Wizard: Connection Profile Page (ASA) (continued)

Authentication Method
    Select the authentication method to use for the SSL VPN connection profile:
    - AAA: Select if you want users to provide a username and password that the security appliance checks against a previously configured AAA server.
    - Certificate: Select if you want users to be provided with a certificate during SSL negotiation. If you configure authentication using digital certificates, you can specify whether to send the entire certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the issuing certificates (including the root certificate and any subordinate CA certificates).
    - Both: Select if you require both AAA and certificate authentication, in which case users must provide both a certificate and a username and password.

Authentication Server Group
    The name of the authentication server group (LOCAL if the tunnel group is configured on the local device).
    You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Use LOCAL if Server Group Fails
    Available if you selected LOCAL for the authentication server group.
    When selected, enables fallback to the local database for authentication if the selected authentication server group fails.

Authorization Server Group
    The name of the authorization server group (LOCAL if the tunnel group is configured on the local device).
    You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.


Table I-13 SSL VPN Wizard - Connection Profile Page (ASA) (continued)

Accounting Server Group
  The name of the accounting server group.
  You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

SSL VPN Access Policy Page

Use the SSL VPN Access Policy page to configure access parameters for your SSL VPN. For information about configuring an Access policy, see Configuring an Access Policy, page 11-33.

Navigation Path
1. Select View > Device View or click the Device View button on the toolbar.
2. From the Device Selector, select the ASA device on which you want to configure an SSL VPN Access policy.
3. Select SSL VPN > Access from the Policy selector.

Related Topics
Configuring an Access Policy, page 11-33
Understanding Interface Role Objects, page 8-115
Understanding Port List Objects, page 8-150

Field Reference
Table I-14 SSL VPN Access Policy Page

Interfaces to Enable SSL VPN Service
  Specify the interfaces on which you want to enable SSL VPN.
  You can click Select to open a dialog box from which you can select interfaces from a list of available interfaces or interface role objects.


Table I-14 SSL VPN Access Policy Page (continued)

Port Number
  The port number that you want to use for SSL VPN sessions. The default port is 443, for HTTPS traffic; the range is 1024 through 65535. If you change the port number, all current SSL VPN connections terminate, and current users must reconnect.
  Note: If HTTP port redirection is enabled, the default HTTP port number is 80.
  Enter the name of a port list, or click Select to open the Port List Selector from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects.

Default Idle Timeout
  Amount of time, in seconds, that an SSL VPN session can be idle before the security appliance terminates it.
  This value applies only if the Idle Timeout value in the group policy for the user is set to zero (0), which means there is no timeout value; otherwise the group policy Idle Timeout value takes precedence over the timeout you configure here. The minimum value you can enter is 1 minute. The default is 30 minutes (1800 seconds). The maximum is 24 hours (86400 seconds).
  We recommend that you set this attribute to a short time period, because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the Simultaneous Logins attribute for the group policy is set to one, the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.

Max Session Limit
  The maximum number of SSL VPN sessions you want to allow.
  Be aware that the different ASA models support SSL VPN sessions as follows: ASA 5510 supports a maximum of 150; ASA 5520 maximum is 750; ASA 5540 maximum is 2500.

Allow Users to Select Connection Profile in Portal Page
  When selected, includes a list of configured tunnel groups on the SSL VPN end-user interface, from which users can select a tunnel when they log on. This is the default setting.
  When deselected, the user cannot select a tunnel group on login.


Table I-14 SSL VPN Access Policy Page (continued)

Enable SSL VPN Access
  When selected, enables the SSL VPN functionality on the ASA device. This is the default setting.
  When deselected, disables the SSL VPN functionality on the ASA device.

Save button
  Available only if you are authorized to modify this policy.
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.
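The port, idle-timeout and per-model session-limit rules in Table I-14, encoded as a small validator, together with the idle-timeout precedence rule (group policy value wins unless it is 0) and the phantom-session reaping it explains. This is an added example, not part of the guide or of Security Manager; the AccessPolicy fields and the session data are my own constructions.

```python
"""Added example (not from the Cisco Security Manager guide): encode the
constraints Table I-14 states for the SSL VPN Access Policy page and the
idle-timeout precedence rule it describes. Field names are my own."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Per-model SSL VPN session ceilings as stated on the page.
MODEL_SESSION_LIMITS = {"ASA 5510": 150, "ASA 5520": 750, "ASA 5540": 2500}

# Page: default port 443 (HTTPS); configurable range 1024 through 65535.
DEFAULT_PORT = 443
PORT_RANGE = (1024, 65535)
# Page: minimum 1 minute, default 30 minutes (1800 s), maximum 24 hours (86400 s).
IDLE_MIN, IDLE_DEFAULT, IDLE_MAX = 60, 1800, 86400


@dataclass
class AccessPolicy:
    """Constructed stand-in for the fields on the Access Policy page."""
    interfaces: List[str]
    model: str
    port: int = DEFAULT_PORT
    default_idle_timeout: int = IDLE_DEFAULT
    max_session_limit: Optional[int] = None
    allow_profile_selection: bool = True
    enable_ssl_vpn: bool = True


def validate_access_policy(p: AccessPolicy) -> List[str]:
    """Return human-readable problems; an empty list means the policy is consistent."""
    errors: List[str] = []
    if not p.interfaces:
        errors.append("no interface enables the SSL VPN service")
    # The default 443 is accepted as-is; any other value must lie in the stated range.
    if p.port != DEFAULT_PORT and not (PORT_RANGE[0] <= p.port <= PORT_RANGE[1]):
        errors.append(f"port {p.port} outside {PORT_RANGE[0]}-{PORT_RANGE[1]}")
    if not (IDLE_MIN <= p.default_idle_timeout <= IDLE_MAX):
        errors.append(
            f"idle timeout {p.default_idle_timeout}s outside {IDLE_MIN}-{IDLE_MAX}s")
    limit = MODEL_SESSION_LIMITS.get(p.model)
    if limit is None:
        errors.append(f"unknown model {p.model!r}")
    elif p.max_session_limit is not None and p.max_session_limit > limit:
        errors.append(
            f"max session limit {p.max_session_limit} exceeds {p.model} ceiling {limit}")
    return errors


def effective_idle_timeout(policy: AccessPolicy, group_policy_idle: int) -> int:
    """The group-policy Idle Timeout takes precedence unless it is 0,
    which the page defines as 'no value': then the global default applies."""
    return policy.default_idle_timeout if group_policy_idle == 0 else group_policy_idle


def phantom_sessions(sessions: Dict[str, int], now: int, policy: AccessPolicy,
                     group_idle: Dict[str, int]) -> List[str]:
    """Users whose session has been idle longer than their effective timeout.
    This is what a short global timeout buys you: a cookie-less browser can
    leave a session entry that blocks re-login when Simultaneous Logins is 1,
    and these entries are the ones the appliance would remove."""
    stale = []
    for user, last_activity in sessions.items():
        timeout = effective_idle_timeout(policy, group_idle.get(user, 0))
        if now - last_activity > timeout:
            stale.append(user)
    return stale
```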

SSL VPN Connection Profiles Policy Page

Use the Connection Profiles Policy page to view the SSL VPN connection profile policies currently defined on the security appliance. From this page, you can create, edit, or delete connection profile policies.

Navigation Path
1. Select View > Device View or click the Device View button on the toolbar.
2. From the Device Selector, select the ASA device on which you want to configure an SSL VPN Connection Profiles policy.
3. Select SSL VPN > Connection Profiles from the Policy selector.

Related Topics
Configuring an SSL VPN Connection Profile Policy, page 11-36
Understanding SSL VPN Connection Profile Policies, page 11-35
Understanding User Groups in SSL VPN, page 11-17


Field Reference
Table I-15 SSL VPN Connection Profiles (ASA) Policy Page

Filter
  Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

Connection Profile Name
  The name of the configured SSL VPN Connection Profile policy.

Alias
  If defined, an alternate name by which the user can select the SSL VPN connection profile at login.

URL
  The URL the user enters in the browser to access the security appliance.

Default User Group
  The default user group assigned to the SSL VPN connection profile, if one is defined.
  Note: The default user group for the connection profile is used if you do not assign a specific user group. See Configuring User Groups on an ASA Device, page 11-20.

Thin Client
  An indication (Enabled or Disabled) of whether Thin Client access mode is configured for the user group associated with the connection profile. See Thin Client Access Mode, page 11-3.

Full Tunnel
  An indication (Enabled or Disabled) of whether Full Tunnel access mode is configured for the user group associated with the connection profile. See Full Tunnel Client Access Mode, page 11-4.

Create button
  Opens the Add/Edit SSL VPN Connection Profile Dialog Box, page I-36 to create an SSL VPN Connection Profile policy.

Edit button
  Opens the Add/Edit SSL VPN Connection Profile Dialog Box, page I-36 in which you can edit the properties of a selected SSL VPN Connection Profile policy.

Delete button
  Deletes the selected SSL VPN Connection Profile policies from the table.


Table I-15 SSL VPN Connection Profiles (ASA) Policy Page (continued)

Save button
  Available only if you are authorized to modify this policy.
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

Add/Edit SSL VPN Connection Profile Dialog Box

Use this dialog box to create or modify an SSL VPN Connection Profile policy.

Note: This dialog box is available only when the selected device is an ASA device.

For more information, see Configuring an SSL VPN Connection Profile Policy, page 11-36.
These tabs are available in the Add/Edit SSL VPN Connection Profile dialog box:
Basic Tab (ASA), page I-36
AAA Tab (ASA), page I-41
Settings Tab (ASA), page I-47

Navigation Path
Open the SSL VPN Connection Profiles Policy Page, page I-34, then click Create, or select a connection profile in the table and click Edit (see Table I-15 on page I-35). The Add/Edit SSL VPN Connection Profile dialog box opens with the Basic tab displayed.

Basic Tab (ASA)

Use the Basic tab of the Add/Edit SSL VPN Connection Profile dialog box to configure the basic parameters for an SSL VPN Connection Profile policy. For more information, see Defining Basic Parameters, page 11-36.


Navigation Path
The Basic tab appears when you open the Add/Edit SSL VPN Connection Profile Dialog Box, page I-36. You can also open it by clicking the Basic tab from any other tab in the Add/Edit SSL VPN Connection Profile dialog box.

Related Topics
Defining Basic Parameters, page 11-36
Add/Edit SSL VPN Connection Profile Dialog Box, page I-36
Understanding ASA User Group Objects, page 8-43
Understanding Network/Host Objects, page 8-127

Field Reference
Table I-16 Add/Edit SSL VPN Connection Profile > Basic Tab (ASA)

Connection Profile Name
  The name of the tunnel group that contains the policies for this SSL VPN connection profile.

Default User Group
  If required, the default user group associated with the device.
  You can click Select to open the ASA User Groups Selector from which you can select a user group from a list of ASA user group objects.

Alternate User Group
  If required, an alternate user group to be applied to the tunnel group.
  You can click Select to open the ASA User Groups Selector from which you can select a user group from a list of ASA user group objects.

DNS Group
  The DNS group to use for the SSL VPN tunnel group. The DNS group resolves the hostname to the appropriate DNS server for the tunnel group.


Table I-16 Add/Edit SSL VPN Connection Profile > Basic Tab (ASA) (continued)

Global IP Address Pool
  The address pools from which IP addresses will be assigned. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.
  Address pools are predefined network objects. You can click Select to open the Network/Hosts selector from which you can make your selection(s).

Group Aliases

Filter
  Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

Alias
  The alternate name by which the tunnel group is referred to.
  A group alias creates one or more alternate names by which a user can refer to a tunnel group. This feature is useful when the same group is known by several common names (such as Devtest and QA). If you want the actual name of the tunnel group to appear on this list, you must specify it as an alias. The group alias that you specify here appears on the login page. Each tunnel group can have multiple aliases or no alias.
  For more information, see About Group Aliases, page 11-35.

Status
  Specifies whether a group alias is enabled or not. If enabled, the group alias appears in a list during login.

Create button
  Opens the Add/Edit Group Alias Dialog Box, page I-39 for creating a group alias.

Edit button
  Opens the Add/Edit Group Alias Dialog Box, page I-39 for editing the settings of a selected group alias in the table.

Delete button
  Deletes one or more group aliases that are selected in the table.

Group URLs

Filter
  Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.


Table I-16 Add/Edit SSL VPN Connection Profile > Basic Tab (ASA) (continued)

URL
  The URL associated with the tunnel group connection profile.
  You can configure multiple URLs (or no URLs) for a tunnel group. Each URL can be enabled or disabled individually. You must use a separate specification for each URL, specifying the entire URL using either the HTTP or HTTPS protocol.
  For more information, see About Group URLs, page 11-35.

Status
  Specifies whether a group URL is enabled or not. If enabled, it eliminates the need to select a group during login.

Create button
  Click to open the Add Group URL dialog box for creating a group URL. See Add/Edit Group URL Dialog Box, page I-40.

Edit button
  Select a group URL in the table, then click to open the Edit Group URL dialog box to edit its settings. See Add/Edit Group URL Dialog Box, page I-40.

Delete button
  Select the rows of one or more group URLs, then click to remove them from the list.

OK button
  Saves your changes locally on the client and closes the dialog box.
  Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Add/Edit Group Alias Dialog Box

Use the Add/Edit Group Alias dialog box to create or edit a group alias for an SSL VPN connection profile. Specifying the group alias creates one or more alternate names by which the user can refer to a tunnel group.

Navigation Path
Open the Basic Tab (ASA), page I-36, then click Create below the Group Aliases table, or select a row in the table and click Edit.

Related Topics
SSL VPN Connection Profiles Policy Page, page I-34


Add/Edit SSL VPN Connection Profile Dialog Box, page I-36
Basic Tab (ASA), page I-36

Field Reference
Table I-17 Add/Edit SSL VPN Connection Profile > Add/Edit Group Alias Dialog Box

Enabled
  Indicates whether the group alias is enabled or not.

Group Alias
  An alternative name for the SSL VPN connection profile.
  The group alias that you specify here appears in a list on the user's login page. Each group can have multiple aliases or no alias, each specified in separate commands.

OK button
  Saves your changes locally on the client and closes the dialog box.
  Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Add/Edit Group URL Dialog Box

Use this dialog box to specify incoming URLs or IP addresses for the tunnel group. If a group URL is enabled in a tunnel group, the security appliance selects the associated tunnel group and presents the user with only the username and password fields in the login window.

Note: You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be enabled or disabled individually.
You cannot associate the same URL or address with multiple groups. The security appliance verifies the uniqueness of the URL or address before accepting the URL or address for a tunnel group.

Navigation Path
Open the Basic Tab (ASA), page I-36, then click Create below the Group URLs table, or select a row in the table and click Edit.


Related Topics
SSL VPN Connection Profiles Policy Page, page I-34
Add/Edit SSL VPN Connection Profile Dialog Box, page I-36
Basic Tab (ASA), page I-36

Field Reference
Table I-18 Add/Edit SSL VPN Connection Profile > Add/Edit Group URL Dialog Box

Enabled
  Indicates whether the group URL is enabled or not.

Group URL
  Select a protocol (http or https) from the list, and specify the incoming URL for the group in the field provided.

OK button
  Saves your changes locally on the client and closes the dialog box.
  Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.
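How an enabled group URL selects a tunnel group directly while a group alias only works through the list on the login page, and the URL-uniqueness check the Add/Edit Group URL dialog box describes, worked through in code. This is an added example, not code from the guide or from Security Manager; the ConnectionProfiles registry, the group names and the vpn.example.com URLs are constructed.

```python
"""Added example (not from the Cisco Security Manager guide): how a group URL
or a group alias selects a tunnel group at login, plus the uniqueness check
the security appliance applies to group URLs. Names and data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # the only protocols the dialog offers


def normalize_group_url(url: str) -> Tuple[str, str, int, str]:
    """Canonical (scheme, host, port, path): the host name or IP address of the
    ASA, the port, and the path that names the connection profile. Textual
    variants of one URL (case, explicit default port, trailing slash) collapse
    to the same key so the uniqueness check cannot be bypassed by respelling."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"group URL must be http(s)://host[:port]/path: {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port, parts.path.rstrip("/") or "/"


@dataclass
class TunnelGroup:
    name: str
    aliases: Dict[str, bool] = field(default_factory=dict)     # alias -> enabled
    group_urls: Dict[str, bool] = field(default_factory=dict)  # url -> enabled


class ConnectionProfiles:
    """Constructed stand-in for the device's set of SSL VPN connection profiles."""

    def __init__(self) -> None:
        self.groups: Dict[str, TunnelGroup] = {}
        self._url_owner: Dict[tuple, Tuple[str, str]] = {}  # key -> (group, url)

    def add_group(self, name: str) -> None:
        self.groups[name] = TunnelGroup(name)

    def add_group_url(self, group: str, url: str, enabled: bool = True) -> None:
        """Reject a URL that is already associated with a different tunnel group."""
        key = normalize_group_url(url)
        owner = self._url_owner.get(key)
        if owner and owner[0] != group:
            raise ValueError(
                f"{url!r} is already associated with tunnel group {owner[0]!r}")
        self._url_owner[key] = (group, url)
        self.groups[group].group_urls[url] = enabled

    def add_alias(self, group: str, alias: str, enabled: bool = True) -> None:
        self.groups[group].aliases[alias] = enabled

    def login_view(self, requested_url: str,
                   selected_alias: Optional[str] = None) -> Tuple[Optional[str], bool]:
        """Return (tunnel group chosen, whether the alias list is shown).
        An enabled group URL picks the group directly and the login window
        shows only username and password; otherwise the portal lists the
        enabled aliases and the user must pick one of them."""
        owner = self._url_owner.get(normalize_group_url(requested_url))
        if owner and self.groups[owner[0]].group_urls[owner[1]]:
            return owner[0], False
        if selected_alias is not None:
            for g in self.groups.values():
                if g.aliases.get(selected_alias):   # disabled aliases are not listed
                    return g.name, True
        return None, True


def url_conflict(profiles: ConnectionProfiles, group: str, url: str) -> bool:
    """True if adding `url` to `group` would be rejected by the uniqueness check."""
    try:
        profiles.add_group_url(group, url)
    except ValueError:
        return True
    return False
```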

AAA Tab (ASA)

Use the AAA tab of the Add/Edit SSL VPN Connection Profile dialog box to configure the AAA authentication parameters for an SSL VPN Connection Profile policy.

Navigation Path
Open the Add/Edit SSL VPN Connection Profile Dialog Box, page I-36, then click the AAA tab.

Related Topics
Defining AAA Parameters, page 11-39
SSL VPN Connection Profiles Policy Page, page I-34
Understanding AAA Server Group Objects, page 8-16


Field Reference
Table I-19 Add/Edit SSL VPN Connection Profile > AAA Tab (ASA)

Authentication
  Select the authentication method to use for the SSL VPN connection profile from these options:
  AAA: Select if you want users to provide a username and password that the security appliance checks against a previously configured AAA server.
  Certificate: Select if you want users to be provided with a certificate during SSL negotiation. If you configure authentication using digital certificates, you can specify whether to send the entire certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the issuing certificates (including the root certificate and any subordinate CA certificates).
  Both: Select if you require both AAA and certificate authentication, in which case users must provide both a certificate and a username and password.

Authentication Server Group
  The name of the authentication server group (LOCAL if the tunnel group is configured on the local device).
  You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.
  Note: If you want to set the authentication server group per interface, see Add/Edit SSL VPN Interface Specific Authentication Server Groups, page I-46.

Use LOCAL if Server Group Fails
  Available if you selected LOCAL for the authentication server group.
  When selected, enables fallback to the local database for authentication if the selected authentication server group fails.


Table I-19 Add/Edit SSL VPN Connection Profile > AAA Tab (ASA) (continued)

Authorization Server Group
  When selected, enables you to specify the name of the authorization server group (LOCAL if the tunnel group is configured on the local device).
  You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

LOCAL Authorization
  When selected, enables authorization on the local device.

User Must Exist in the Authorization Database to Connect
  When selected, defines that the username of the remote client must exist in the database before a successful connection can be established. If the username does not exist in the authorization database, then the connection is denied.
  Select this check box if you want the security appliance to allow only users in the authorization database to connect. By default this feature is disabled. You must have a configured authorization server to use this feature.

Accounting Server Group
  The name of the accounting server group.
  You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Use Entire DN as the Username
  When selected, enables you to use the entire Distinguished Name (DN) as the identifier for the username.
  A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. DN rules are used for enhanced certificate authentication on ASA devices.

Specify Individual DN Fields as the Username
  When selected (the default), enables you to use individual DN fields as the username when matching users to the tunnel group.
  A DN certificate is made up of different field identifiers that can be used to match users to tunnel groups.


Table I-19 Add/Edit SSL VPN Connection Profile > AAA Tab (ASA) (continued)

Primary DN Field
  Available if you selected to use individual DN fields as the username.
  Select the primary DN field identifier to be used for identification from the list. The default is UID (User ID).

Secondary DN Field
  Available if you selected to use individual DN fields as the username.
  Select the secondary DN field identifier to be used for identification. Select None if no secondary field identifier is required.

Override Account-Disabled Indication from AAA Server
  When selected, enables you to override the account-disabled indicator from an AAA server. This configuration is valid for servers, such as RADIUS with NT LDAP, and Kerberos, that return an account-disabled indication.
  Note: If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.
  Sun: The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.
  Microsoft: You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

Enable Notification Upon Password Expiration to Allow User to Change Password
  When selected, enables the security appliance to notify the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password.
  Note: If you do not also check the Enable Notification Prior to Expiration check box, the security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.


Table I-19 Add/Edit SSL VPN Connection Profile > AAA Tab (ASA) (continued)

Enable Notification Prior to Expiration
  Available only if you selected the Enable Notification Upon Password Expiration to Allow User to Change Password check box.
  When selected, enables you to specify the number of days before expiration to warn the user about the pending expiration.
  If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification: RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
  Note: The selection of this check box just enables the notification. You must specify the number of days for it to take effect.

Notify Prior to Expiration
  Available only if you selected the Enable Notification Prior to Expiration check box.
  Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.

Interface-Specific Authentication Server Groups

Filter
  Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

Interface
  The interface associated with the authentication server group.

Server Group
  The server group associated with the selected interface role.

Fallback
  Indicates whether fallback to the LOCAL database, if the selected server group fails, is enabled or not.

Create button
  Opens a dialog box that lets you add an interface-specific authentication group to the list. See Add/Edit SSL VPN Interface Specific Authentication Server Groups, page I-46.

Edit button
  Opens a dialog box in which you can edit a selected interface-specific authentication group from the table. See Add/Edit SSL VPN Interface Specific Authentication Server Groups, page I-46.


Table I-19 Add/Edit SSL VPN Connection Profile > AAA Tab (ASA) (continued)

Delete button
  Deletes one or more selected interface-specific authentication groups from the table.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

Add/Edit SSL VPN Interface Specific Authentication Server Groups

Use the Add/Edit SSL VPN Interface Specific Authentication Server Groups dialog box to configure interface-specific authentication for your SSL VPN connection profile policy. This setting overrides the global authentication server group settings configured on the Basic Tab (ASA), page I-36.

Navigation Path
Open the AAA Tab (ASA), page I-41, then click Create below the Interface Specific Authentication Server Groups table, or select a row in the table and click Edit.

Related Topics
SSL VPN Connection Profiles Policy Page, page I-34
Add/Edit SSL VPN Connection Profile Dialog Box, page I-36
AAA Tab (ASA), page I-41
Understanding Interface Role Objects, page 8-115
Understanding AAA Server Group Objects, page 8-16


Field Reference
Table I-20 Add/Edit SSL VPN Connection Profile > Add/Edit SSL VPN Interface Specific Authentication Server Groups

Interface
  The interface to be associated with the authentication server group.
  You can click Select to open a dialog box that lists all available interfaces and interface roles, from which you can make your selection, or create interface role objects.

Server Group
  The server group to be associated with the selected interface.
  You can click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects.

Use LOCAL if Server Group Fails
  When selected, enables fallback to the LOCAL database if the selected server group fails.

OK button
  Saves your changes locally on the client and closes the dialog box.
  Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.
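The server-group selection order the AAA tab and Table I-20 describe (an interface-specific entry overrides the global group, and LOCAL fallback happens only where it is enabled), together with username derivation from the entire DN or from the primary and secondary DN fields, as an added example that is not the guide's or Security Manager's code. The group names, the DN values and the way a secondary DN field value is joined to the primary are my assumptions.

```python
"""Added example (not from the Cisco Security Manager guide): the order in
which the AAA tab settings pick an authentication server group, LOCAL
fallback, and username derivation from certificate DN fields. Group names,
DN values and the join of primary+secondary DN fields are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class InterfaceAuth:
    server_group: str         # Table I-20: Server Group
    fallback_to_local: bool   # Table I-20: Use LOCAL if Server Group Fails


@dataclass
class AaaSettings:
    """Constructed stand-in for the AAA tab of a connection profile."""
    auth_server_group: str = "LOCAL"
    use_local_if_group_fails: bool = False
    per_interface: Dict[str, InterfaceAuth] = field(default_factory=dict)
    use_entire_dn: bool = False
    primary_dn_field: str = "UID"             # the page's default
    secondary_dn_field: Optional[str] = None  # None is "None" in the dialog


def select_server_group(s: AaaSettings, interface: str) -> Tuple[str, bool]:
    """An interface-specific entry overrides the global group.
    Returns (server group, whether LOCAL fallback is enabled for it)."""
    ia = s.per_interface.get(interface)
    if ia is not None:
        return ia.server_group, ia.fallback_to_local
    return s.auth_server_group, s.use_local_if_group_fails


def authenticate(s: AaaSettings, interface: str, user: str, password: str,
                 reachable: Callable[[str], bool],
                 check: Callable[[str, str, str], bool]) -> str:
    """Returns 'accept', 'reject' or 'unreachable'. `reachable` says whether a
    named server group answers and `check` validates credentials against it;
    both are injected so the decision logic can be exercised offline."""
    group, fallback = select_server_group(s, interface)
    if group != "LOCAL" and not reachable(group):
        if not fallback:
            return "unreachable"   # no silent fallback unless it is configured
        group = "LOCAL"
    return "accept" if check(group, user, password) else "reject"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'CN=Jane Doe, OU=Eng, UID=jdoe' into {'CN': ..., 'OU': ..., 'UID': ...}.
    Splits on unescaped commas only; full RFC 4514 unescaping is out of scope."""
    fields: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        if key:
            fields[key.strip().upper()] = value.strip()
    return fields


def username_from_dn(s: AaaSettings, dn: str) -> Optional[str]:
    """The entire DN, or the primary (plus secondary) field values; None when a
    selected field is absent from the certificate so no match can be made."""
    if s.use_entire_dn:
        return dn
    fields = parse_dn(dn)
    primary = fields.get(s.primary_dn_field.upper())
    if primary is None:
        return None
    if s.secondary_dn_field:
        secondary = fields.get(s.secondary_dn_field.upper())
        if secondary is None:
            return None
        return primary + secondary  # assumption: values concatenated directly
    return primary
```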

Settings Tab (ASA)

Use the Settings tab of the Add/Edit SSL VPN Connection Profile dialog box to configure the WINS servers for the connection profile policy, select a customized look and feel for the SSL VPN end-user logon web page, DHCP servers to be used for client address assignment, and establish an association between an interface and client IP address pools.

Navigation Path
Open the Add/Edit SSL VPN Connection Profile Dialog Box, page I-36, then click the Settings tab. You can also open the Settings tab by clicking it from any other tab on the Add/Edit SSL VPN Connection Profile dialog box.

Related Topics
Defining Servers and Address Pools, page 11-42


SSL VPN Connection Profiles Policy Page, page I-34
Add/Edit SSL VPN Connection Profile Dialog Box, page I-36
Understanding WINS Server List Objects, page 8-194
Understanding Network/Host Objects, page 8-127
Understanding SSL VPN Customization Objects, page 8-186

Field Reference
Table I-21 Add/Edit SSL VPN Connection Profile > Settings Tab (ASA)

WINS Servers List
  The name of the WINS (Windows Internet Naming Server) servers list to use for CIFS name resolution.
  SSL VPN uses the CIFS protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific WINS server name that identifies a resource on the network.
  A WINS servers list defines a list of WINS servers, which are used to translate Windows file server names to IP addresses. The security appliance queries the WINS servers to map WINS names to IP addresses. You must configure at least one, and up to three, WINS servers for redundancy. The security appliance uses the first server on the list for WINS/CIFS name resolution. If the query fails, it uses the next server.
  WINS server lists are predefined objects. If you want to use a different WINS servers list, click Select to open the WINS Server List Selector dialog box that lists all available WINS Servers list objects, and in which you can create WINS Servers list objects.


Table I-21 Add/Edit SSL VPN Connection Profile > Settings Tab (ASA) (continued)

Portal Page Customization
  Defines the appearance of the portal page that allows the remote user access to all the resources available on the SSL VPN networks. Specify the SSL VPN customization profile in the field provided.
  Customization profiles are predefined objects. You can click Select to open the SSL VPN Customization Selector dialog box, from which you can make your selection or create new customization objects.
  Note: You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create an SSL VPN tunnel group called sales that uses that customization profile.

DHCP Servers
  The DHCP servers to be used for client address assignments. The server uses the DHCP servers in the order listed. You can add up to 10 servers.
  DHCP servers are predefined network objects. You can click Select to open the Network/Hosts selector that lists all available network hosts, and in which you can create network host objects.

Client IP Address Pool

Filter
  Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-24.

Interface
  The interface associated with the address pool.

Address Pool
  The address pool associated with the selected interface role.

Create button
  Opens a dialog box that lets you add an interface-specific client address pool to the list. See Add/Edit SSL VPN Interface Specific Client Address Pools, page I-50.

Edit button
  Opens a dialog box that lets you edit a selected item in the Client IP Address Pool table. See Add/Edit SSL VPN Interface Specific Client Address Pools, page I-50.


Delete button

Deletes one or more interface-specific client address pools selected
in the table.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.

Add/Edit SSL VPN Interface Specific Client Address Pools


Use the Add/Edit SSL VPN Interface Specific Client Address Pools dialog box to
configure interface-specific client address pools for your SSL VPN connection
profile policy. This setting overrides the global IP address pools configured on the
Basic Tab (ASA), page I-36.
Navigation Path

Open the Settings Tab (ASA), page I-47, then click Create below the Client IP
Address Pool table, or select a row in the table and click Edit.
Related Topics

SSL VPN Connection Profiles Policy Page, page I-34

Add/Edit SSL VPN Connection Profile Dialog Box, page I-36

Settings Tab (ASA), page I-47

Creating Interface Role Objects, page 8-116

Creating Network/Host Objects, page 8-131


Field Reference
Table I-22

Add/Edit SSL VPN Connection Profile > Add/Edit SSL VPN Interface Specific Client
Address Pools

Element

Description

Interface

The interface to assign a client address to.
You can click Select to open a dialog box that lists all available
interfaces and interface roles, from which you can make your
selection or create interface role objects.

Address Pool

The address pool to be used to assign a client address to the selected
interface.
Address pools are predefined network objects. You can click Select
to open a dialog box that lists all available network hosts, and in
which you can create or edit network host objects.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

ASA User Groups Policy Page


In the User Groups Policy page, you can view the ASA User Group policies
defined for your ASA SSL VPN connection profile. From this page, you can
specify new ASA user groups and edit existing ones.
Navigation Path
1. Select View > Device View or click the Device View button on the toolbar.
2. From the Device Selector, select the ASA device on which you want to
configure the user groups.
3. Select SSL VPN > User Groups from the Policy selector.

Related Topics

Configuring ASA User Groups Policy in Your SSL VPN, page 11-43

Understanding ASA User Group Objects, page 8-43



Field Reference
Table I-23

ASA User Groups Policy Page

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

User Group

The name of the ASA user group assigned to the SSL VPN
connection profile.

Type

Indicates whether the user groups are assigned to your remote
access VPN server, SSL VPN connection profile, or both.

Thin Client

An indication (True or False) of whether Thin Client access mode is
configured for your user group.

Full Tunnel

An indication (True or False) of whether Full Tunnel access mode
is configured for your user group.

Create button

ASA user groups are predefined objects.
Click to open a dialog box from which you can select a user group
from a list of predefined ASA user group objects, or create new
ones. See Add User Group Selector Dialog Box (ASA), page I-53.

Edit button

Select the row of an ASA user group policy in the table, then click
to open the Edit ASA User Group dialog box in which you can edit
its properties. See ASA User Group Dialog Box, page F-60.

Delete button

Select the rows of one or more ASA user groups, then click to
remove from the list.

Delete button

Select the rows of one or more SSL VPN policies, then click to
remove from the list.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.


Add User Group Selector Dialog Box (ASA)


The User Group Selector dialog box displays the predefined ASA user group
objects that are available for your selection. From this page, you can create new
user groups or edit the properties of existing ones.
Navigation Path

Open the ASA User Groups Policy Page, page I-51, then click the Create button.
Related Topics

ASA User Groups Policy Page, page I-51

Understanding ASA User Group Objects, page 8-43

Creating ASA User Group Objects, page 8-45

Field Reference
Table I-24

ASA User Groups Policy > Add User Group Selector

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.

Available ASA User Groups

Lists the predefined ASA user groups available for selection.
Select the required ASA user group in the list. The selected user
group is displayed in the Selected field.
ASA user groups are predefined objects. If the required user group
is not included in the list, click Create to open the Add ASA User
Group dialog box that enables you to create or edit an ASA user
group object.

Selected

The selected ASA user group.

Create button

Opens the ASA User Group Dialog Box, page F-60 for creating an
ASA user group object.


Edit button

Opens the ASA User Group Dialog Box, page F-60 for editing the
selected ASA user group object.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

Cisco Secure Desktop Page (ASA)


Use the Cisco Secure Desktop page to configure the Cisco Secure Desktop (CSD)
software on your selected ASA device.
Cisco Secure Desktop (CSD) provides a single, secure location for session
activity and removal on the client system, ensuring that sensitive data is shared
only for the duration of an SSL VPN session.

Note

The Secure Desktop Client software must be installed and activated on a
device in order for an SSL VPN policy to work properly.

The CSD is managed using a FlexConfig policy. For more information, see
Predefined FlexConfig Policy Objects, page 19-7.

Navigation Path
1. Select View > Device View or click the Device View button on the toolbar.
2. From the Device Selector, select the ASA device on which you want to
configure the SSL VPN global settings.
3. Select SSL VPN > Cisco Secure Desktop from the Policy selector.

Related Topics

Configuring the Cisco Secure Desktop Software, page 11-45

Understanding Secure Desktop Configuration Objects, page 8-153


Field Reference
Table I-25

Cisco Secure Desktop Page (ASA)

Element

Description

Enable

When selected, enables the CSD on the device.

Configuration

Specify the filename of the CSD distribution package to install into
the running configuration (the securedesktop_asa_<n>_<n>*.pkg
file to be uploaded from your local computer to the flash device).
You can click Select to open the Secure Desktops Selector from
which you can select a CSD distribution package file from a list of
CSD distribution package objects.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.

SSL VPN Global Settings Page


Use the SSL VPN Global Settings page to define global settings for caching,
content rewriting, character encoding, proxy, and memory size definitions that
apply to devices in your VPN topology.
For more information, see Configuring Global Settings, page 11-47.
These tabs are available on the SSL VPN Global Settings page.

Performance Tab, page I-56

Content Rewrite Tab, page I-58

Encoding Tab, page I-61

Proxy Tab, page I-64

Advanced Tab, page I-69

Navigation Path
1. Select View > Device View or click the Device View button on the toolbar.
2. From the Device Selector, select the ASA device on which you want to
configure the SSL VPN global settings.
3. Select SSL VPN > Global Settings from the Policy selector.

Performance Tab
Use the Performance tab of the SSL VPN Global Settings page to specify caching
properties that enhance SSL VPN performance. For information on configuring
the global performance settings, see Defining Performance Settings, page 11-47.
Navigation Path

The Performance tab appears when you open the SSL VPN Global Settings Page,
page I-55. You can also open it by clicking the Performance tab from any other
tab on the SSL VPN Global Settings page.
Related Topics

Defining Performance Settings, page 11-47

SSL VPN Global Settings Page, page I-55

Field Reference
Table I-26

SSL VPN Global Settings > Performance Tab

Element

Description

Enable

When selected, enables the use of cache settings for the security
appliance. This check box is selected by default.
When deselected, the cache settings configured on the security
appliance do not take effect and all the fields under the Performance
tab are grayed out.

Maximum Object Size

The maximum size (in kilobytes) of an HTTP object that can be
stored in the cache on the security appliance.
The maximum size limit for an HTTP object is 10,000 kilobytes.
The default is 1000 KB.

Minimum Object Size

The minimum size of an HTTP object that can be stored in the cache
(in kilobytes) on the security appliance.
The minimum size range is 0-10,000 KB. The default is 0 KB.


Last Modified Factor

Specifies an integer to set a revalidation policy for caching objects
that have only the last-modified timestamp, and no other server-set
expiration values. The range is 1-100. The default is 20.
The Expires response from the origin web server to the security
appliance request, which indicates the time that the response
expires, also affects caching. This response header indicates the
time that the response becomes stale and should not be sent to the
client without an up-to-date check (using a conditional GET
operation).
The security appliance can also calculate an expiration time for each
web object before it is written to disk. The algorithm to calculate an
object's cache expiration date is as follows:
Expiration date = (Today's date - Object's last modified date) *
Freshness factor
After the expiration date has passed, the object is considered stale
and subsequent requests cause a fresh retrieval of the content by the
security appliance. Setting the last modified factor to zero is
equivalent to forcing an immediate revalidation, while setting it to
100 results in the longest allowable time until revalidation.

Expiration Time

The amount of time (in minutes) that the security appliance caches
objects without revalidating them. The range is 0-900 minutes. The
default is one minute.
Revalidation consists of checking the object with the origin server
before serving the requested content to the client browser when the
age of the cached object has exceeded its freshness lifetime. The age
of a cached object is the time that the object has been stored in the
security appliance's cache without the security appliance explicitly
contacting the origin server to check if the object is still fresh.

Cache Compressed Content

When selected, enables compressed objects (zip, gz, and tar files)
for SSL VPN sessions to be cached on the security appliance.
When you deselect this check box, the security appliance stores
objects before it compresses them.


Cache Static Content

When selected, enables static content to be cached on the security
appliance.
Each web page comprises static and dynamic objects. The security
appliance caches individual static objects, such as image files (*.gif,
*.jpeg), java applets (.js), and cascading style sheets (*.css), etc.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.
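The caching rules of Table I-26 (object size window, compressed and static content switches, Last Modified Factor, Expires header and Expiration Time), modelled as an added Python example that is not Security Manager or ASA code. It assumes the last-modified factor is applied as a percentage of the object's age at caching time, that a server-set Expires header takes precedence over that heuristic, and that Expiration Time applies when the origin supplies neither header.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CacheSettings:
    """Performance tab values (Table I-26) with the page's defaults."""
    enabled: bool = True
    max_object_kb: int = 1000       # Maximum Object Size, up to 10,000 KB
    min_object_kb: int = 0          # Minimum Object Size, 0-10,000 KB
    last_modified_factor: int = 20  # Last Modified Factor, 0-100
    expiration_minutes: int = 1     # Expiration Time, 0-900 minutes
    cache_compressed: bool = True   # Cache Compressed Content
    cache_static: bool = True       # Cache Static Content

    def validate(self) -> None:
        if not 0 <= self.min_object_kb <= self.max_object_kb <= 10_000:
            raise ValueError("need 0 <= min size <= max size <= 10000 KB")
        if not 0 <= self.last_modified_factor <= 100:
            raise ValueError("last modified factor must be 0-100")
        if not 0 <= self.expiration_minutes <= 900:
            raise ValueError("expiration time must be 0-900 minutes")


@dataclass
class CachedObject:
    """One HTTP object as the appliance would hold it (constructed data)."""
    size_kb: int
    stored_at: datetime                       # when written to the cache
    last_modified: Optional[datetime] = None  # Last-Modified header
    expires: Optional[datetime] = None        # Expires header, if present
    compressed: bool = False                  # zip, gz, tar
    static: bool = True                       # images, scripts, style sheets


def is_cacheable(settings: CacheSettings, obj: CachedObject) -> bool:
    """Enable flag, size window and the two content-type switches."""
    settings.validate()
    if not settings.enabled:
        return False
    if not settings.min_object_kb <= obj.size_kb <= settings.max_object_kb:
        return False
    if obj.compressed and not settings.cache_compressed:
        return False
    if obj.static and not settings.cache_static:
        return False
    return True


def freshness_lifetime(settings: CacheSettings, obj: CachedObject) -> timedelta:
    """How long the object may be served without contacting the origin."""
    if obj.expires is not None:
        # Assumption: an explicit Expires header overrides the heuristic.
        return max(obj.expires - obj.stored_at, timedelta(0))
    if obj.last_modified is not None:
        # Page formula: (today - last modified) * freshness factor, with
        # the factor applied as a percentage (assumption).
        age_when_stored = obj.stored_at - obj.last_modified
        return age_when_stored * (settings.last_modified_factor / 100)
    # Neither header: Expiration Time bounds the unvalidated lifetime.
    return timedelta(minutes=settings.expiration_minutes)


def needs_revalidation(settings: CacheSettings, obj: CachedObject,
                       now: datetime) -> bool:
    """True once the object's age exceeds its freshness lifetime, so the
    appliance must do a conditional GET before serving it again."""
    return now - obj.stored_at > freshness_lifetime(settings, obj)


def demo() -> dict:
    """Constructed scenarios with the default settings; results are returned
    so they can be checked rather than only printed."""
    s = CacheSettings()
    t0 = datetime(2024, 1, 11)
    lm = CachedObject(512, t0, last_modified=datetime(2024, 1, 1))  # 10 days old
    exp = CachedObject(512, t0, expires=t0 + timedelta(hours=1))
    bare = CachedObject(512, t0)
    return {
        # factor 20 on a 10-day-old object gives a 2-day freshness lifetime
        "lm_after_1_day": needs_revalidation(s, lm, t0 + timedelta(days=1)),
        "lm_after_3_days": needs_revalidation(s, lm, t0 + timedelta(days=3)),
        "expires_after_2h": needs_revalidation(s, exp, t0 + timedelta(hours=2)),
        "bare_after_30s": needs_revalidation(s, bare, t0 + timedelta(seconds=30)),
        "bare_after_2min": needs_revalidation(s, bare, t0 + timedelta(minutes=2)),
        "too_large": is_cacheable(s, CachedObject(2000, t0)),
        "gz_when_disabled": is_cacheable(CacheSettings(cache_compressed=False),
                                         CachedObject(10, t0, compressed=True)),
    }
```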

Content Rewrite Tab


Use the Content Rewrite tab of the SSL VPN Global Settings page to enable the
security appliance to create rewrite rules that permit users to browse certain sites
and applications without going through the security appliance itself.
Navigation Path

Open the SSL VPN Global Settings Page, page I-55, then click the Content
Rewrite tab.
Related Topics

Defining Content Rewrite Rules, page 11-49

SSL VPN Global Settings Page, page I-55

Field Reference
Table I-27

SSL VPN Global Settings > Content Rewrite Tab

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.


Rule Number

An integer that indicates the position of the rule in the list.
The security appliance searches rewrite rules by order number,
starting with the lowest, and applies the first rule that matches.

Rule Name

The name of the application for which the rule applies.

Resource Mask

The application or resource for the rule.

Enable

Indicates whether the content rewrite rule is enabled or not on the
security appliance.

Create button

Opens a dialog box that lets you add a content rewrite rule to the list.
See Add/Edit Content Rewrite Dialog Box, page I-59.

Edit button

Opens a dialog box that lets you edit a selected content rewrite rule
in the table. See Add/Edit Content Rewrite Dialog Box, page I-59.

Delete button

Deletes one or more selected content rewrite rules from the table.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.

Add/Edit Content Rewrite Dialog Box


Use the Add/Edit Content Rewrite dialog box to configure the rewriting engine,
which includes advanced elements such as JavaScript, VBScript, Java, and
multi-byte characters, to proxy HTTP traffic over an SSL VPN connection.
Navigation Path

Open the Content Rewrite Tab, page I-58, then click Create below the table, or
select a row in the table and click Edit.
Related Topics

Defining Content Rewrite Rules, page 11-49

SSL VPN Global Settings Page, page I-55

Content Rewrite Tab, page I-58


Field Reference
Table I-28

SSL VPN Global Settings > Content Rewrite Tab > Add/Edit Content Rewrite Dialog Box

Element

Description

Enable

When selected, enables content rewriting on the security appliance
for the rewrite rule.
Some applications do not require this processing, such as external
public websites. For these applications, you might choose to turn off
content rewriting.

Rule Number

Specifies a number for this rule. This number specifies the position
of the rule in the list. Rules without a number are at the end of the
list. The range is from 1 to 65534.

Rule Name

Specifies an alphanumeric string that describes the content rewrite
rule. The maximum is 128 bytes.

Resource Mask

Specifies the name of the application or resource to which the rule
applies.
You can use the following wildcards:

* matches everything. You cannot use this wildcard by itself.
It must accompany an alphanumeric string.

? matches any single character.

[!seq] matches any character not in sequence.

[seq] matches any character in sequence.

The maximum is 300 bytes.


OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.


Encoding Tab
Use the Encoding tab of the SSL VPN Global Settings page to specify the
character set to encode in SSL VPN portal pages to be delivered to remote users.
By default, the encoding type set on the remote browser determines the character
set for SSL VPN portal pages, so you need to set the character encoding only if it
is necessary to ensure proper encoding on the browser.
For information on configuring the Encoding rules, see Defining Encoding Rules,
page 11-50.
Navigation Path

Open the SSL VPN Global Settings Page, page I-55, then click the Encoding tab.
Related Topics

Defining Encoding Rules, page 11-50

SSL VPN Global Settings Page, page I-55

Field Reference
Table I-29

SSL VPN Global Settings > Encoding Tab

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. See Filtering Tables,
page 3-24.


Global SSL VPN Encoding Type

Select the attribute that determines the character encoding that all
SSL VPN portal pages inherit, except for those portal pages
delivered from the CIFS servers listed in the table.
By default, the security appliance applies the Global SSL VPN
Encoding Type to pages from Common Internet File System
servers.
You can select one of the following values:

big5

gb2312

ibm-850

iso-8859-1

shift_jis

Note

If you are using Japanese Shift_jis Character encoding,
click Do not specify in the Font Family area of the
associated Select Page Font pane to remove the font family.

unicode

windows-1252

none

If you choose None or specify a value that the browser on the
SSL VPN client does not support, it uses its own default encoding.
You can enter a string of up to 40 characters, and equal to one of the
valid character sets identified in
http://www.iana.org/assignments/character-sets. You can use either
the name or the alias of a character set listed on that page. The string
is case-insensitive. The command interpreter converts upper-case to
lower-case when you save the security appliance configuration.

Common Internet File System Server

The name or IP address of each CIFS server for which the encoding
requirement differs from the Global SSL VPN Encoding Type
attribute setting.

Encoding Type

The character encoding override for the associated CIFS server.


Create button

Opens a dialog box that lets you add a CIFS server for which the
encoding requirement differs from the Global SSL VPN Encoding
Type attribute setting. See Add/Edit File Encoding Dialog Box,
page I-63.

Edit button

Opens a dialog box that lets you edit the settings of a selected CIFS
server in the table. See Add/Edit File Encoding Dialog Box,
page I-63.

Delete button

Select the rows of one or more exceptions to the global encoding
type attribute setting, then click to remove from the list.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.

Add/Edit File Encoding Dialog Box


Use the Add/Edit File Encoding dialog box to configure CIFS servers and
associated character encoding, to override the value of the Global SSL VPN
Encoding Type attribute.
Navigation Path

Open the Encoding Tab, page I-61, then click Create below the table, or select a
row in the table and click Edit.
Related Topics

SSL VPN Global Settings Page, page I-55

Encoding Tab, page I-61

Defining Encoding Rules, page 11-50


Field Reference
Table I-30

SSL VPN Global Settings > Encoding Tab > Add/Edit File Encoding Dialog Box

Element

Description

CIFS Server

The name or IP address of a CIFS server for which the encoding
requirement differs from the Global SSL VPN Encoding Type
attribute setting. The security appliance retains the case you specify,
although it ignores the case when matching the name to a server.
CIFS servers are predefined objects. You can click Select to open
the Network/Hosts Selector dialog box that lists all available
network hosts, and in which you can create network host objects.

Encoding Type

Select the character encoding that the CIFS server should provide
for SSL VPN portal pages. This selection overrides the Global
SSL VPN Encoding Type attribute setting.
If you choose None or specify a value that the browser on the SSL
VPN client does not support, it uses its own default encoding.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.
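How the Global SSL VPN Encoding Type and the per-CIFS-server overrides of Tables I-29 and I-30 resolve to the encoding a portal page is delivered in, as an added Python example that is not Security Manager or ASA code. The name and alias table inside it is a constructed subset of the IANA registry the text links to, and the optional browser-support check is an assumption about how "a value the browser does not support" is detected.

```python
# Constructed subset of http://www.iana.org/assignments/character-sets:
# name or alias (compared case-insensitively) -> preferred name. The page's
# selectable values are included; the extra aliases are illustrative.
IANA_CHARSETS = {
    "big5": "big5",
    "gb2312": "gb2312",
    "ibm-850": "ibm-850", "ibm850": "ibm-850", "cp850": "ibm-850",
    "iso-8859-1": "iso-8859-1", "latin1": "iso-8859-1", "l1": "iso-8859-1",
    "shift_jis": "shift_jis", "ms_kanji": "shift_jis",
    "unicode": "unicode",
    "windows-1252": "windows-1252", "cp1252": "windows-1252",
}
MAX_ENCODING_LEN = 40


def normalize_encoding(value: str) -> str:
    """Validate an encoding string as the page describes: at most 40
    characters, a registered name or alias, case-insensitive, and stored
    in lower case. 'none' means the browser's own default is used."""
    value = value.strip()
    if len(value) > MAX_ENCODING_LEN:
        raise ValueError("encoding type is limited to 40 characters")
    lowered = value.lower()
    if lowered == "none":
        return "none"
    try:
        return IANA_CHARSETS[lowered]
    except KeyError:
        raise ValueError(f"{value!r} is not a registered character set") from None


class EncodingPolicy:
    """Global SSL VPN Encoding Type plus per-CIFS-server overrides."""

    def __init__(self, global_type: str = "none") -> None:
        self.global_type = normalize_encoding(global_type)
        self._overrides: dict = {}   # server name as typed -> encoding

    def add_override(self, cifs_server: str, encoding: str) -> None:
        # The appliance keeps the case you typed but matches ignoring case,
        # so any existing entry for the same server is replaced first.
        self.remove_override(cifs_server)
        self._overrides[cifs_server] = normalize_encoding(encoding)

    def remove_override(self, cifs_server: str) -> None:
        for name in list(self._overrides):
            if name.lower() == cifs_server.lower():
                del self._overrides[name]

    def servers(self) -> list:
        return list(self._overrides)

    def encoding_for(self, cifs_server: str, browser_default: str,
                     browser_supports=None) -> str:
        """Encoding used for a portal page delivered from this server."""
        chosen = self.global_type
        for name, enc in self._overrides.items():
            if name.lower() == cifs_server.lower():
                chosen = enc
                break
        if chosen == "none":
            return browser_default
        if browser_supports is not None and chosen not in browser_supports:
            return browser_default   # unsupported value: browser falls back
        return chosen
```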

Proxy Tab
Use the Proxy tab of the SSL VPN Global Settings page to configure the security
appliance to terminate HTTPS connections and forward HTTP/HTTPS requests
to HTTP and HTTPS proxy servers. On this tab, you can also configure the
security appliance to perform minimal content rewriting, and to specify the types
of content to rewrite: external links and/or XML.
Navigation Path

Open the SSL VPN Global Settings Page, page I-55, then click the Proxy tab.
Related Topics

Defining Proxies and Proxy Bypass Rules, page 11-53

Defining Content Rewrite Rules, page 11-49


SSL VPN Global Settings Page, page I-55

Understanding Network/Host Objects, page 8-127

Understanding Port List Objects, page 8-150

Field Reference
Table I-31

SSL VPN Global Settings > Proxy Tab

Element

Description

HTTP Proxy Server

The IP address of the external HTTP proxy server to which the
security appliance forwards HTTP connections.
HTTP proxy servers are predefined network objects. You can click
Select to open the Networks/Hosts Selector dialog box from which
you can make your selection(s), and in which you can create
network host objects.

HTTP Proxy Port

The port of the external HTTP proxy server to which the security
appliance forwards HTTP connections.
You can click Select to open the Port List Selector dialog box from
which you can make your selection, or create a port list object. A
port list object is a named definition of one or more port ranges that
you use when defining service objects.

HTTPS Proxy Server

The IP address of the external HTTPS proxy server to which the
security appliance forwards HTTPS connections.
HTTPS proxy servers are predefined network objects. You can click
Select to open the Networks/Hosts Selector dialog box from which
you can make your selection(s), and in which you can create
network host objects.

HTTPS Proxy Port

The port of the external HTTPS proxy server to which the security
appliance forwards HTTPS connections.
You can click Select to open the Port List Selector dialog box from
which you can make your selection, or create a port list object.

Proxy Bypass

Interface

The ASA interface configured for proxy bypass.

Port

The port configured for proxy bypass.


Path Mask

The URL path to match for proxy bypass.
A path is the text in a URL that follows the domain name. For
example, in the URL www.mycompany.com/hrbenefits, hrbenefits
is the path. Similarly, for the URL
www.mycompany.com/hrinsurance, hrinsurance is the path. If you
want to use proxy bypass for all hr sites, you can avoid using the
command multiple times by using the * wildcard as follows: /hr*.

URL

The target URL for proxy bypass.

Create button

Opens a dialog box that lets you add a proxy bypass rule to the table.
See Add/Edit Proxy Bypass Dialog Box, page I-66.

Edit button

Opens a dialog box that lets you edit the settings of a selected proxy
bypass rule in the table. See Add/Edit Proxy Bypass Dialog Box,
page I-66.

Delete button

Deletes one or more proxy bypass rules selected in the table.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.

Add/Edit Proxy Bypass Dialog Box


Use the Add/Edit Proxy Bypass dialog box to set proxy bypass rules when the
security appliance performs little or no content rewriting.
Navigation Path

Open the Proxy Tab, page I-64, then click Create below the table, or select a row
in the table and click Edit.
Related Topics

SSL VPN Global Settings Page, page I-55

Proxy Tab, page I-64

Defining Proxies and Proxy Bypass Rules, page 11-53

Understanding Interface Role Objects, page 8-115


Understanding Port List Objects, page 8-150

Field Reference
Table I-32

SSL VPN Global Settings > Proxy Tab > Add/Edit Proxy Bypass Dialog Box

Element

Description

Interface

The interface on the security appliance that is used for proxy
bypass.
You can click Select to open a dialog box from which you can select
an interface from a list of interface or interface role objects.

Bypass Traffic

On Port

When selected, enables you to specify a port number to be used for
proxy bypass. Valid port numbers are 20000-21000.
You can click Select to open the Port List Selector dialog box from
which you can make your selection, or create a port list object. A
port list object is a named definition of one or more port ranges that
you use when defining service objects.
Note

If you configure proxy bypass using ports rather than path
masks, depending on your network configuration, you
might need to change your firewall configuration to allow
these ports access to the security appliance. Use path masks
to avoid this restriction.


Matching Specify Pattern

When selected, enables you to specify a URL path to match for
proxy bypass.
A path is the text in a URL that follows the domain name. For
example, in the URL www.mycompany.com/hrbenefits, hrbenefits
is the path.
You can use the following wildcards:

* matches everything. You cannot use this wildcard by itself.
It must accompany an alphanumeric string.

? matches any single character.

[!seq] matches any character not in sequence.

[seq] matches any character in sequence.

The maximum is 128 bytes.
Note

Path masks can change, so you might need to use multiple
path mask statements to exhaust the possibilities.

URL

Select the http or https protocol, then enter a URL to which you
want to apply proxy bypass, in the field provided.
URLs used for proxy bypass allow a maximum of 128 bytes. The
port for HTTP is 80 and for HTTPS it is 443, unless you specify
another port.

Rewrite XML

When selected, rewrites XML sites and applications to be bypassed
by the security appliance.

Rewrite Hostname

When selected, rewrites external links to be bypassed by the
security appliance.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.
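The rule selection described for the Content Rewrite tab (Tables I-27 and I-28: lowest rule number wins, unnumbered rules last, the four resource-mask wildcards and the size limits) together with the port and path-mask constraints of this Proxy Bypass dialog box (Table I-32), modelled as an added Python example that is not Security Manager or ASA code. It assumes the wildcards behave as in POSIX fnmatch and that content is rewritten by default when no rewrite rule matches.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

MAX_RULE_NUMBER = 65534


def validate_mask(mask: str, max_bytes: int) -> str:
    """Apply the page's constraints on a resource mask or path mask."""
    if len(mask.encode("utf-8")) > max_bytes:
        raise ValueError(f"mask longer than {max_bytes} bytes")
    # '*' may not stand alone: the mask must carry alphanumeric text.
    if not any(ch.isalnum() for ch in mask):
        raise ValueError("'*' must accompany an alphanumeric string")
    return mask


@dataclass
class RewriteRule:
    """One row of the Content Rewrite table (Table I-28)."""
    name: str                       # Rule Name, at most 128 bytes
    resource_mask: str              # Resource Mask, at most 300 bytes
    enabled: bool = True            # Enable: rewrite content for matches
    number: Optional[int] = None    # Rule Number 1-65534; None = end of list

    def __post_init__(self) -> None:
        if len(self.name.encode("utf-8")) > 128:
            raise ValueError("rule name longer than 128 bytes")
        validate_mask(self.resource_mask, 300)
        if self.number is not None and not 1 <= self.number <= MAX_RULE_NUMBER:
            raise ValueError("rule number must be 1-65534")


def ordered(rules: List[RewriteRule]) -> List[RewriteRule]:
    """Lowest rule number first; unnumbered rules keep their order at the end."""
    return sorted(rules, key=lambda r: (r.number is None, r.number or 0))


def select_rewrite_rule(rules: List[RewriteRule],
                        resource: str) -> Optional[RewriteRule]:
    """The appliance applies the first rule whose mask matches."""
    for rule in ordered(rules):
        if fnmatchcase(resource, rule.resource_mask):
            return rule
    return None


def rewrite_enabled_for(rules: List[RewriteRule], resource: str) -> bool:
    """Assumption: content is rewritten unless a matching rule disables it."""
    rule = select_rewrite_rule(rules, resource)
    return True if rule is None else rule.enabled


@dataclass
class ProxyBypassRule:
    """One row of the Proxy Bypass table (Table I-32): match by port or by
    path mask, never both."""
    interface: str
    url: str                          # http:// or https://, at most 128 bytes
    port: Optional[int] = None        # On Port: 20000-21000
    path_mask: Optional[str] = None   # Matching Specify Pattern, 128 bytes max
    rewrite_xml: bool = False
    rewrite_hostname: bool = False

    def __post_init__(self) -> None:
        if (self.port is None) == (self.path_mask is None):
            raise ValueError("choose exactly one of port or path mask")
        if self.port is not None and not 20000 <= self.port <= 21000:
            raise ValueError("bypass port must be 20000-21000")
        if self.path_mask is not None:
            validate_mask(self.path_mask, 128)
        if not self.url.startswith(("http://", "https://")):
            raise ValueError("url must start with http:// or https://")
        if len(self.url.encode("utf-8")) > 128:
            raise ValueError("url longer than 128 bytes")


def bypass_rule_for(rules: List[ProxyBypassRule], interface: str,
                    path: Optional[str] = None,
                    port: Optional[int] = None) -> Optional[ProxyBypassRule]:
    """Return the bypass rule a request on this interface hits, if any."""
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.port is not None and rule.port == port:
            return rule
        if (rule.path_mask is not None and path is not None
                and fnmatchcase(path, rule.path_mask)):
            return rule
    return None
```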


Advanced Tab
Use the Advanced tab of the SSL VPN Global Settings page to configure the
amount of security appliance memory that can be used for SSL VPN sessions.
Navigation Path

Open the SSL VPN Global Settings Page, page I-55, then click the Advanced tab.
Related Topics

Defining Advanced Settings, page 11-55

SSL VPN Global Settings Page, page I-55

Field Reference
Table I-33

SSL VPN Global Settings > Advanced Tab

Element

Description

Memory Size

Specify the amount of memory you want to allocate to SSL VPN
sessions, as follows:

% of Total Physical Memory: As a percentage of total
memory. Default is 50%.

Kilobytes: In kilobytes. Different ASA models have different
total amounts of memory, as follows:
ASA 5510 has 256 MB
ASA 5520 has 512 MB
ASA 5540 has 1 GB

Note

When you change the memory size, the new setting takes
effect only after the system reboots.

Save button

Saves your changes to the server but keeps them private.
Note

To publish your changes, click the Submit button on the
toolbar.


Appendix J

Firewall Services User Interface Reference

The Firewall Services general reference contains the following topics:

Access Rules Page, page J-2

Inspection Rules Page, page J-29

AAA Rules Page, page J-78

Web Filter Rules Page (PIX/ASA), page J-104

Web Filter Rules Page (IOS), page J-126

Transparent Rules Page, page J-135

Firewall Settings, page J-147

Add and Edit Rule Section Dialog Boxes, page J-176

Find and Replace Page, page J-177

Analysis Reports Page, page J-179

Import Rules - Enter Parameters Dialog Box, page J-183

Policy Query Page, page J-195

Hit Count Selection Summary Dialog Box, page J-209

Combine Rules Selection Summary Dialog Box, page J-214


Access Rules Page


Use the Access Rules page to identify access rules managed by Security Manager.
For more information, see Understanding Access Rules, page 12-49.
From the Access Rules page, you can add, edit, and delete rules. You perform
these tasks using the shortcut menu (accessed by right-clicking a table cell),
the shortcut keys, or the buttons located below the table.
You can reorder rules, and enable or disable rules in the table using the shortcut
menu. You can also determine whether objects used in rules are referenced by
other policies and devices using the shortcut menu.
Navigation Path

To access the Access Rules page, do one of the following:

(Device view) Select a device, then select Firewall > Access Rules from the
Device selector.

(Policy view) Select Firewall > Access Rules from the Policy selector.

Related Topics

Understanding Access Rules, page 12-49

Using Analysis, page 12-6

Combining Rules, page 12-11

Using Find and Replace, page 12-18

Using Hit Count, page 12-24

Importing Rules, page 12-32

Using Policy Query, page 12-37

Understanding Rule Table Sections, page 12-44

Field Reference

Table J-1 Access Rules Page

Filter
    Filters the information displayed in the table. Click the arrow to display
    the filtering bar, which enables you to set filtering parameters. See
    Filtering Tables, page 3-24.

No.
    Identifies the ordered rule number in the table.

Permit
    Shows whether a rule permits or denies traffic based on the conditions set.
    - Permit: Shown as a green check mark.
    - Deny: Shown as a red circle with slash.

Source
    Identifies the source network object names or addresses of hosts and
    networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255,
    and net10. Interface roles can also be used to identify a source. Multiple
    entries are displayed as separate subfields within the table cell. See:
    - Understanding Network/Host Objects, page 8-127
    - Understanding Interface Role Objects, page 8-115

Destination
    Identifies the destination network object names or addresses of hosts and
    networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255,
    and net10. Interface roles can also be used to identify a destination.
    Multiple entries are displayed as separate subfields within the table cell.
    See:
    - Understanding Network/Host Objects, page 8-127
    - Understanding Interface Role Objects, page 8-115

Service
    Identifies service objects that specify protocol and port information.
    Multiple entries are displayed as separate subfields within the table cell.
    See Understanding Service Objects, page 8-159.

Interface
    Identifies the logical name of the interface (interface role) or physical
    interface to which a rule is assigned. Multiple entries are displayed as
    separate subfields within the table cell. See Understanding Interface Role
    Objects, page 8-115.
    For example:
    - All DMZs
    - All Fast Ethernets
    - All Interfaces
    - FastEthernet0
    Note: Interface roles are objects that are used to help you configure
    firewall rules. The objects are replaced with the actual interface names
    when the configuration is generated for each device. The access-group
    command is generated for the interface role selected.

Dir.
    Direction. Identifies traffic direction within a network. Direction is
    always associated with an interface:
    - In: Packets entering a network.
    - Out: Packets exiting a network.
    Note: The out direction parameter is not supported on PIX 6.3 devices. If
    you enter a rule and define the direction as out, a warning message results
    during activity validation and the rule is ignored.

Options
    Displays additional options that are configured during the process of
    defining an access rule. Options vary depending on the platform selected.

Category
    Provides an intermediate level of detail to objects and rules by use of
    color-coding. Color-coding helps you readily identify objects and rules
    when you are viewing policy tables. See Understanding Category Objects,
    page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Shows a user-defined description to help you identify a rule when viewing
    the rules table. A maximum of 1024 characters is allowed.

Tools button
    Provides you with a list of tools for generating various reports and
    initializes the process for importing rules into Security Manager.
    Menu items are:
    - Analysis: Invokes a utility that identifies rules that overlap or
      conflict with other rules. Analysis results are displayed in a report.
      See Using Analysis, page 12-6.
    - Combine Rules: Invokes a utility to combine rules in tables, thus
      improving performance and memory usage. See Combining Rules,
      page 12-11.
    - Hit Count: Invokes a utility that collects hit count information for
      access lists deployed on a device. The generated report identifies the
      number of times that traffic for a device is permitted or denied based
      on an access rule. Hit count information is useful in debugging the
      deployed policies.
      Hit Count reports can be generated for a single access rule or for all
      rules in the table. See Using Hit Count, page 12-24.
    - Import Rules: Enables you to import rules (ACEs) by pasting them from
      an external application to the access rule table in Security Manager.
      See Importing Rules, page 12-32.
    - Query: Invokes a utility to run queries against existing rules in a
      rule table. Query results are displayed in a report. See Using Policy
      Query, page 12-37.

Find and Replace button (binoculars icon)
    Searches for values in rules tables, such as IP addresses and policy
    object names, to facilitate locating and making changes to rules in
    tables. See Using Find and Replace, page 12-18.

Up button
    Moves a rule up one row in the table.
    Select a rule in the table to activate the appropriate buttons.

Down button
    Moves a rule down one row in the table.
    Select a rule in the table to activate the appropriate buttons.

Add button
    Adds a rule to the table.

Edit button
    Edits an existing rule in the table.

Delete button
    Deletes a rule from the table.

Save button
    Saves your changes to the server, but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.

Add and Edit Access Rule Dialog Boxes

Use the Add and Edit Firewall Rule dialog boxes to add and edit firewall rules.

Note: The same dialog box is used for adding and editing access rules.

Navigation Path

To access the Add and Edit Firewall Rule dialog boxes, do one of the following:

(Device view) Select a device, then select Firewall > Access Rules from the
Device selector. Right-click inside the work area, then select Add Row or
right-click a row, then select Edit Row.

(Policy view) Select Firewall > Access Rules from the Policy selector.
Right-click inside the work area, then select Add Row or right-click a row,
then select Edit Row.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Interface Role Objects, page 8-115

Understanding Network/Host Objects, page 8-127

Understanding Service Objects, page 8-159

Understanding Category Objects, page 8-48

Add and Edit Access Rule Dialog Boxes, page J-6

Field Reference

Table J-2 Add and Edit Access Rule Dialog Boxes

Edit Firewall Rule

Enable Rule
    When selected, indicates that the rule becomes active on a device after the
    configuration is generated and deployed.
    When viewing the main rules tables:
    - An enabled rule is shown without hash marks.
    - A disabled rule is shown with hash marks.
    Note: A disabled rule is not generated and deployed to devices for
    platforms that do not support the inactive flag; however, it is retained
    in the rules table for debugging purposes.
    Note: The inactive flag is supported on PIX/ASA 7.0 platforms.

Action
    Describes what should occur based on the conditions set.
    - Permit: Allows traffic
    - Deny: Denies traffic

Sources*
    Identifies the source object names or addresses of hosts and networks.
    Multiple entries are separated by commas. Accepted formats are:
    - a.b.c.d where a,b,c,d = 0-255 (host)
    - a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
    - a.b.c.d/e where e = subnet mask in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a source. When used, the rule
    behaves as if you supplied the IP address of the selected interface. This
    is useful for interfaces that are DHCP addressed, where you cannot know
    the address that will be used when creating the policies because the
    address is dynamically assigned when the device boots.
    Enter the source object names, addresses, or interface roles in the field
    provided or click Select, which opens the Object Selector dialog box from
    which to make your selections. You can also create an object by clicking
    the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically
    matches the any predefined object.

Destinations*
    Identifies the destination object names or addresses of hosts and
    networks. Multiple entries are separated by commas. Accepted formats are:
    - a.b.c.d where a,b,c,d = 0-255 (host)
    - a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
    - a.b.c.d/e where e = subnet mask in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a destination. When used, the
    rule behaves as if you supplied the IP address of the selected interface.
    This is useful for interfaces that are DHCP addressed, where you cannot
    know the address that will be used when creating the policies because the
    address is dynamically assigned when the device boots.
    Enter the destination object names, addresses, or interface roles in the
    field provided or click Select, which opens the Object Selector dialog box
    from which to make your selections. You can also create an object by
    clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the destination, it
    automatically matches the any predefined object.

Services*
    Identifies service objects that specify protocol and port information.
    Multiple entries are separated by commas. Accepted formats are:
    - <protocol> where protocol = 1-255 or a well-known protocol string, for
      example, tcp, udp, gre, etc.
    - icmp/<icmp_message_type> where icmp_message_type = 1-255 or any
      well-known icmp message type.
    - tcp | udp | tcp & udp / <port_number>, where port_number = 1-65535. The
      port number is for destination ports; source ports = default port range.
    - tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a
      named port list object.
    - tcp | udp | tcp & udp / <port_number> | <PortListObject> /
      <port_number> | <PortListObject>. Using this format, you explicitly
      specify source ports outside of the default port range.
    - Freeform text that is the name of a service object.
    Enter the service in the field provided or click Select, which opens the
    Object Selector dialog box from which to make your selections. You can
    also create a service object by clicking the Create button in the Object
    Selector dialog box.
    Note: If you manually enter a service, such as TCP / 80, and that data
    translates directly to a predefined service object, such as HTTP, the
    rule takes the predefined object as its value.

Interfaces*
    Identifies the logical name of the interface (interface role) or physical
    interface to which a rule is assigned. For example:
    - All DMZs
    - All Fast Ethernets
    - All Interfaces
    - FastEthernet0
    Click Edit, which opens the Interface Selector dialog box from which to
    make your selection. You can also create an interface role by clicking the
    Create button in the Interface Selector dialog box.
    Note: Interface roles are objects that are used to help you configure
    firewall rules. The objects are replaced with the actual interface names
    when the configuration is generated for each device. The access-group
    command is generated for the interface role selected.

Description
    Shows a user-defined description to help you identify a rule when viewing
    the rules table. A maximum of 1024 characters is allowed.

Category
    Provides an intermediate level of detail to objects and rules by use of
    color-coding. Color-coding helps you readily identify objects and rules
    when you are viewing policy tables.
    Note: No commands are generated for the category attribute.

Advanced button
    Opens the Advanced dialog box. See Table J-3.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Advanced Dialog Box


Use the Advanced dialog box to configure optional settings to be applied to access
rules.
Navigation Path

To access the Advanced dialog box, do one of the following:


(Device view) Select a device, then select Firewall > Access Rules from the
Device selector. Right-click inside the work area, then select Add Row or
right-click a row, then select Edit Row. Click the Advanced button.

(Policy view) Select a device, then select Firewall > Access Rules from the
Device selector. Right-click inside the work area, then select Add Row or
right-click a row, then select Edit Row. Click the Advanced button.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-59

Understanding Time Range Objects, page 8-173

Field Reference

Table J-3 Advanced Dialog Box

Log Options

Enable Logging (PIX, ASA, FWSM)
    When selected, activates syslog generation for the generated ACEs.
    - Default Logging: Enables you to select default logging behavior of the
      device. If a packet is denied, message 106023 is generated. If a packet
      is permitted, no syslog message is generated.
    - Per ACE Logging: Enables you to select logging level and interval
      information for each ACE.
    Note: If the logging level is specified, syslog message 106100 is
    generated for the ACE to which it is applied.

Level
    Identifies the type of syslog message used to log events for an ACE.
    - Emergency (0): System is unstable
    - Alert (1): Immediate action is needed
    - Critical (2): Critical conditions
    - Error (3): Error conditions
    - Warning (4): Warning conditions
    - Notification (5): Normal but significant condition
    - Informational (6): Informational messages only
    - Debugging (7): Debugging messages

Interval
    Defines the interval of time for generating logging messages. Values are
    1-600 seconds. Default is 300. You must select a logging level from the
    list for the logging interval value to be recognized.
    If you select Default as the logging level, the default logging interval
    value (300) is used.

Enable Logging (IOS)
    When selected, causes an informational logging message about the packet
    that matches the entry to be sent to the console. Enables you to select
    Log Input.

Log Input
    When selected, includes the input interface and source MAC address or VC
    in the logging output.

Traffic Direction
    Identifies traffic direction within a network. Direction is always
    associated with an interface:
    - In: Packets entering a network.
    - Out: Packets exiting a network.
    Note: The Direction parameter is not supported on PIX 6.3 devices.

Time Range
    Defines access to a firewall device or security appliance based on
    specific times of the day and weekly access. Time range relies on the
    system clock of the device or appliance; however, the feature works best
    with NTP synchronization.
    Enter the time range value in the field provided or click Select, which
    opens the Time Ranges Object Selector dialog box from which to make your
    selection. You can also create a Time Range object by clicking the Create
    button in the Object Selector dialog box.
    Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Options (IOS)
    - None.
    - Fragment: When selected, allows fragmentation, which provides
      additional management of packet fragmentation and improves
      compatibility with NFS.
      By default, a maximum of 24 fragments is accepted to reconstruct a full
      IP packet; however, based on your network security policy, you might
      want to consider configuring the device to prevent fragmented packets
      from traversing the firewall.
    - Established: When selected, allows return traffic for outbound
      connections to pass back through the device. This option works with two
      connections: an original connection outbound from a network protected
      by the device, and a return connection inbound between the same two
      devices on an external host.
      Note: Established applies only to devices running IOS software and only
      for TCP protocols.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.
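The per-platform restrictions that Tables J-1 to J-3 state (the out direction on PIX 6.3, the inactive flag, time ranges on FWSM 2.x and PIX 6.3, the per-ACE logging level and interval, the IOS-only Established option) can be checked before a policy is deployed rather than discovered as warnings during activity validation. The following Python is an added example written for this appendix, not Security Manager code: it models a rule with the fields these tables describe and reports the findings validation would raise for one device. The AccessRule fields, the platform and version strings, and the assumption that PIX/ASA releases after 7.0 keep the inactive flag are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Security Manager code: a pre-deployment lint that applies
# the platform restrictions stated in Tables J-1 to J-3 to a rule and reports
# what activity validation would warn about. The rule fields and the
# platform/version strings are this example's own modelling.

@dataclass
class AccessRule:
    name: str
    enabled: bool = True
    protocol: str = "tcp"                    # protocol of the service column, lower case
    direction: str = "in"                    # "in" or "out"
    time_range: Optional[str] = None         # name of a Time Range object, if any
    logging_level: Optional[int] = None      # 0-7 per-ACE level; None = default logging
    logging_interval: Optional[int] = None   # 1-600 seconds; None = device default (300)
    established: bool = False                # IOS "Established" option

@dataclass
class Finding:
    rule: str
    kind: str        # "error": fix before deploying; "warning": attribute dropped or rule ignored
    message: str

def _major(version: str) -> int:
    """Leading numeric component of a version string such as '7.0' or '2.x'."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else 0

def supports_inactive_flag(platform: str, version: str) -> bool:
    # Table J-2: the inactive flag is supported on PIX/ASA 7.0; this example
    # assumes later 7.x and newer releases keep it (assumption, not on the page).
    return platform in ("pix", "asa") and _major(version) >= 7

def validate_rule(rule: AccessRule, platform: str, version: str) -> List[Finding]:
    """Return the findings activity validation would raise for one rule on one device."""
    platform = platform.lower()
    out: List[Finding] = []
    pix63 = platform == "pix" and version.startswith("6.3")
    fwsm2 = platform == "fwsm" and version.startswith("2.")

    if rule.direction not in ("in", "out"):
        out.append(Finding(rule.name, "error", f"direction must be in or out, got {rule.direction!r}"))
    elif rule.direction == "out" and pix63:
        # Table J-1: a warning results during activity validation and the rule is ignored.
        out.append(Finding(rule.name, "warning", "out direction is not supported on PIX 6.3; the rule is ignored"))

    if not rule.enabled and not supports_inactive_flag(platform, version):
        # Table J-2: the disabled rule stays in the table but is not generated for the device.
        out.append(Finding(rule.name, "warning", "platform has no inactive flag; disabled rule is not deployed"))

    if rule.time_range and (pix63 or fwsm2):
        out.append(Finding(rule.name, "warning", "time range is not supported on FWSM 2.x or PIX 6.3"))

    if rule.established and not (platform == "ios" and rule.protocol == "tcp"):
        out.append(Finding(rule.name, "error", "Established applies only to IOS devices and only to TCP"))

    if rule.logging_level is not None:
        if platform == "ios":
            out.append(Finding(rule.name, "warning", "logging level is not supported on IOS devices"))
        elif not 0 <= rule.logging_level <= 7:
            out.append(Finding(rule.name, "error", f"logging level must be 0-7, got {rule.logging_level}"))

    if rule.logging_interval is not None:
        if not 1 <= rule.logging_interval <= 600:
            out.append(Finding(rule.name, "error", f"logging interval must be 1-600 seconds, got {rule.logging_interval}"))
        elif rule.logging_level is None:
            # Table J-3: the interval is only recognized when a logging level is selected.
            out.append(Finding(rule.name, "warning", "logging interval is ignored unless a logging level is selected"))
    return out

def validate_policy(rules: List[AccessRule], platform: str, version: str) -> List[Finding]:
    """Findings for a whole rule table against one device."""
    return [f for r in rules for f in validate_rule(r, platform, version)]

def has_errors(findings: List[Finding]) -> bool:
    return any(f.kind == "error" for f in findings)
```

A "warning" here means the product would still deploy the policy but silently drop the attribute or skip the rule, which is the case a reviewer most wants surfaced: a rule the author believes is active but the device never sees.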

Edit Sources Dialog Box


Use the Edit Sources dialog box to edit a source entry in a table.
Navigation Path

Double-click the Source entry in the Access Rules table, or right-click the entry,
then select Edit Sources.
Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-59

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Field Reference

Table J-4 Edit Sources Dialog Box

Sources*
    Identifies the source object names or addresses of hosts and networks.
    Multiple entries are separated by commas. Accepted formats are:
    - a.b.c.d where a,b,c,d = 0-255 (host)
    - a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
    - a.b.c.d/e where e = subnet mask in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a source. When used, the rule
    behaves as if you supplied the IP address of the selected interface. This
    is useful for interfaces that are DHCP addressed, where you cannot know
    the address that will be used when creating the policies because the
    address is dynamically assigned when the device boots.
    Enter the source object names, addresses, or interface roles in the field
    provided or click Select, which opens the Object Selector dialog box from
    which to make your selections. You can also create an object by clicking
    the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically
    matches the any predefined object.
    Note: If you identify an interface role as a source, the dialog box
    displays tabs to differentiate between hosts or networks and interface
    roles.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Show Source Contents Dialog Box


Use the Show Source Contents dialog box to display all source addresses. The list
shows flattened values of all levels of a source address or network object and sorts
the results in ascending order on the IP address, then descending order on the
mask.
Navigation Path

To access the Show Source Contents dialog box, do one of the following:

Right-click the Source table cell of a rule in the Access Rules table, then click
Show Source Contents to display a list of all sources.

Select an entry (subfield) in the Source table cell of a rule in the Access Rules
table, then right-click and select Show <Source> Contents.

Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-59

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Field Reference

Table J-5 Show Source Contents Dialog Box

Source Contents
    Lists networks and hosts first, followed by interface roles. You can also
    select a specific source (subfield) in the table, which opens a Show
    <subfield> dialog box.
    - From Policy view: displays global values.
    - From Device view: displays device-specific values.
    - From Map view: displays device-specific values.
    Note: If you entered 0.0.0.0/0 for the source, it automatically matches
    the any predefined object.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.

Edit Destinations Dialog Box


Use the Edit Destinations dialog box to edit a destination entry in a table.
Navigation Path

Double-click the Destination entry in the Access Rules table, or right-click the
entry, then select Edit Destinations.
Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-59

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Field Reference

Table J-6 Edit Destinations Dialog Box

Destinations*
    Identifies the destination object names or addresses of hosts and
    networks. Multiple entries are separated by commas. Accepted formats are:
    - a.b.c.d where a,b,c,d = 0-255 (host)
    - a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
    - a.b.c.d/e where e = subnet mask in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a destination. When used, the
    rule behaves as if you supplied the IP address of the selected interface.
    This is useful for interfaces that are DHCP addressed, where you cannot
    know the address that will be used when creating the policies because the
    address is dynamically assigned when the device boots.
    Enter the destination object names, addresses, or interface roles in the
    field provided or click Select, which opens the Object Selector dialog box
    from which to make your selections. You can also create an object by
    clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the destination, it
    automatically matches the any predefined object.
    Note: If you identify an interface role as a destination, the dialog box
    displays tabs to differentiate between hosts or networks and interface
    roles.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.
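The address formats that the Sources and Destinations fields accept (Table J-2, and the Edit Sources and Edit Destinations dialog boxes in Tables J-4 and J-6) can be checked offline before a rule is saved. The following Python parser is an added example, not code from Security Manager: it recognizes the host, subnet, dotted-mask, range and object-name forms, expands each to IPv4 networks, treats 0.0.0.0/0 as the predefined any object, and flags a field that is as broad as any. NETWORK_OBJECTS is a constructed table standing in for the product's network/host objects; interface roles are not modelled. It needs Python 3.8 or later.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example, not Security Manager code: a parser for the address formats
# the Sources and Destinations fields accept (Tables J-2, J-4 and J-6).
# Network objects are resolved through NETWORK_OBJECTS, a constructed table
# standing in for the product's network/host objects.

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_HOST_RE = re.compile(rf"^({_IPV4})$")
_PREFIX_RE = re.compile(rf"^({_IPV4})/(\d{{1,2}})$")
_MASK_RE = re.compile(rf"^({_IPV4})/({_IPV4})$")
_RANGE_RE = re.compile(rf"^({_IPV4})-({_IPV4})$")
_NAME_RE = re.compile(r"^[A-Za-z_][\w.-]*$")

# Constructed network objects: name -> members in any accepted format.
NETWORK_OBJECTS: Dict[str, List[str]] = {
    "net10": ["10.0.0.0/8"],
    "dmz-servers": ["192.168.10.5", "192.168.10.6-192.168.10.9"],
}

class AddressFormatError(ValueError):
    """Entry does not match any accepted format or names an unknown object."""

@dataclass
class AddressEntry:
    text: str          # the entry as typed
    kind: str          # host | subnet | mask | range | object | any
    networks: List[ipaddress.IPv4Network]

def parse_entry(text: str) -> AddressEntry:
    """Parse one comma-separated entry of a Sources or Destinations field."""
    s = text.strip()
    if s == "0.0.0.0/0":
        # The page's special case: this matches the predefined 'any' object.
        return AddressEntry(s, "any", [ipaddress.IPv4Network("0.0.0.0/0")])
    if m := _HOST_RE.match(s):
        return AddressEntry(s, "host", [ipaddress.IPv4Network(f"{m[1]}/32")])
    if m := _PREFIX_RE.match(s):
        if not 1 <= int(m[2]) <= 32:
            raise AddressFormatError(f"prefix length must be 1-32: {s}")
        # strict=False accepts host bits (10.1.1.1/24) and keeps the network.
        return AddressEntry(s, "subnet", [ipaddress.IPv4Network(s, strict=False)])
    if m := _MASK_RE.match(s):
        try:
            net = ipaddress.IPv4Network((m[1], m[2]), strict=False)
        except ValueError as exc:
            # ipaddress rejects a mask that is not contiguous; page 8-129 covers
            # how the product itself treats discontiguous masks.
            raise AddressFormatError(f"mask is not a contiguous netmask: {s}") from exc
        return AddressEntry(s, "mask", [net])
    if m := _RANGE_RE.match(s):
        first, last = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])
        if first > last:
            raise AddressFormatError(f"range start is above its end: {s}")
        # A range can span several subnets, so it expands to a list of networks.
        return AddressEntry(s, "range", list(ipaddress.summarize_address_range(first, last)))
    if _NAME_RE.match(s):
        if s not in NETWORK_OBJECTS:
            raise AddressFormatError(f"unknown network object: {s}")
        nets = [n for member in NETWORK_OBJECTS[s] for n in parse_entry(member).networks]
        return AddressEntry(s, "object", nets)
    raise AddressFormatError(f"unrecognized address format: {s}")

def parse_field(text: str) -> List[AddressEntry]:
    """Parse a whole field: entries separated by commas, blanks ignored."""
    return [parse_entry(part) for part in text.split(",") if part.strip()]

def is_valid_field(text: str) -> bool:
    try:
        parse_field(text)
        return True
    except ValueError:          # AddressFormatError is a ValueError
        return False

def contains(entries: List[AddressEntry], address: str) -> bool:
    """True when any entry covers the given address."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for e in entries for net in e.networks)

def matches_any(entries: List[AddressEntry]) -> bool:
    """True when an entry is as broad as 'any' (0.0.0.0/0); worth flagging on a permit rule."""
    return any(net.prefixlen == 0 for e in entries for net in e.networks)
```

Running contains() against the parsed sources of a permit rule is a quick way to answer "does this rule already cover host X" without deploying, and matches_any() catches the common mistake of a 0.0.0.0/0 source on a rule meant for one subnet.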

Show Destination Contents Dialog Box


Use the Show Destination Contents dialog box to display all destination
addresses. The list shows flattened values of all levels of a destination address or
Network Object and sorts the results in ascending order on the IP address, then
descending order on the mask.
Navigation Path

To access the Show Destination Contents dialog box, do one of the following:

Right-click the Destination table cell of a rule in the Access Rules table, then
click Show Destination Contents to display a list of all destinations.

Select an entry (subfield) in the Destination table cell of a rule in the Access
Rules table, then right-click and select Show <Destination> Contents.

Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-59

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Field Reference

Table J-7 Show Destination Contents Dialog Box

Destination Contents
    - From Policy view: displays global values.
    - From Device view: displays device-specific values.
    - From Map view: displays device-specific values.
    Note: If you entered 0.0.0.0/0 for the destination, it automatically
    matches the any predefined object.

Edit Service Dialog Box


Use the Edit Service dialog box to edit protocols and ports.
Navigation Path

Double-click the Service entry in the Access Rules table, or right-click the entry,
then select Edit Services.
Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-59

Understanding Service Objects, page 8-159

Field Reference

Table J-8 Edit Service Dialog Box

Services*
    Identifies service objects that specify protocol and port information.
    Multiple entries are separated by commas. Accepted formats are:
    - <protocol> where protocol = 1-255 or a well-known protocol string, for
      example, tcp, udp, gre, etc.
    - icmp/<icmp_message_type> where icmp_message_type = 1-255 or any
      well-known icmp message type.
    - tcp | udp | tcp & udp / <port_number>, where port_number = 1-65535. The
      port number is for destination ports; source ports = default port range.
    - tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a
      named port list object.
    - tcp | udp | tcp & udp / <port_number> | <PortListObject> /
      <port_number> | <PortListObject>. Using this format, you explicitly
      specify source ports outside of the default port range.
    - Freeform text that is the name of a service object.
    Enter the service in the field provided or click Select, which opens the
    Object Selector dialog box from which to make your selections. You can
    also create a service object by clicking the Create button in the Object
    Selector dialog box.
    Note: If you manually enter a service, such as TCP / 80, and that data
    translates directly to a predefined service object, such as HTTP, the
    rule takes the predefined object as its value.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.
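The service formats accepted by the Services field (Table J-2 and the Edit Service dialog box in Table J-8 above) are the same, and the note about TCP / 80 resolving to the predefined HTTP object describes a normalization step that can be reproduced. The following Python parser is an added example, not Security Manager code: it expands an entry into one record per protocol (tcp & udp gives two), validates the numeric ranges the table states, and folds an entry that equals a predefined service object onto that object's name. PORT_LIST_OBJECTS, SERVICE_OBJECTS and PREDEFINED_SERVICES are constructed tables; the default source port range (taken here as 1-65535) and the protocol/source/destination order of the three-part form are this example's assumptions.

```python
import dataclasses
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Security Manager code: a parser for the service formats the
# Services field accepts (Tables J-2 and J-8). The object tables below are
# constructed; the default source port range and the src/dst order of the
# three-part format are assumptions, not facts taken from the page.

PortRanges = Tuple[Tuple[int, int], ...]

PROTOCOL_NUMBERS: Dict[str, int] = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
ICMP_TYPES: Dict[str, int] = {"echo": 8, "unreachable": 3, "redirect": 5, "time-exceeded": 11}
DEFAULT_SOURCE_PORTS: PortRanges = ((1, 65535),)   # assumed "default port range"

# Constructed port list objects: name -> port ranges.
PORT_LIST_OBJECTS: Dict[str, PortRanges] = {
    "web-ports": ((80, 80), (443, 443)),
    "epheme" "ral": ((1024, 65535),),
}

@dataclass(frozen=True)
class Service:
    protocol: int
    src_ports: PortRanges = ()         # empty for protocols without ports
    dst_ports: PortRanges = ()
    icmp_type: Optional[int] = None
    name: Optional[str] = None         # predefined object the entry resolved to

# Constructed predefined service objects, keyed by the record they stand for.
PREDEFINED_SERVICES: Dict[Service, str] = {
    Service(6, DEFAULT_SOURCE_PORTS, ((80, 80),)): "HTTP",
    Service(6, DEFAULT_SOURCE_PORTS, ((443, 443),)): "HTTPS",
    Service(17, DEFAULT_SOURCE_PORTS, ((53, 53),)): "DNS-UDP",
}
# Constructed service objects: name -> member entries in the accepted formats.
SERVICE_OBJECTS: Dict[str, List[str]] = {"web": ["tcp/80", "tcp/443"]}

class ServiceFormatError(ValueError):
    """Entry does not match any accepted format."""

def _protocol_number(token: str) -> int:
    if token.isdigit():
        n = int(token)
        if not 1 <= n <= 255:
            raise ServiceFormatError(f"protocol number must be 1-255: {token}")
        return n
    if token in PROTOCOL_NUMBERS:
        return PROTOCOL_NUMBERS[token]
    raise ServiceFormatError(f"unknown protocol: {token}")

def _port_ranges(token: str) -> PortRanges:
    """A single port number or the name of a port list object."""
    if token.isdigit():
        p = int(token)
        if not 1 <= p <= 65535:
            raise ServiceFormatError(f"port must be 1-65535: {token}")
        return ((p, p),)
    if token in PORT_LIST_OBJECTS:
        return PORT_LIST_OBJECTS[token]
    raise ServiceFormatError(f"not a port number or port list object: {token}")

def _fold(svc: Service) -> Service:
    """Replace a record that equals a predefined service object with that object."""
    name = PREDEFINED_SERVICES.get(svc)
    return dataclasses.replace(svc, name=name) if name else svc

def parse_service(text: str) -> List[Service]:
    """Parse one comma-separated entry into one record per protocol."""
    parts = [p.strip() for p in text.strip().split("/")]
    head = parts[0].lower().replace(" ", "")
    if len(parts) == 1:
        if head in SERVICE_OBJECTS:                  # freeform service object name
            return [s for member in SERVICE_OBJECTS[head] for s in parse_service(member)]
        return [Service(_protocol_number(head))]     # bare protocol
    if head == "icmp":
        if len(parts) != 2:
            raise ServiceFormatError(f"icmp takes a single message type: {text}")
        t = parts[1].lower()
        icmp_type = int(t) if t.isdigit() else ICMP_TYPES.get(t)
        # The table lists 1-255; type 0 (echo reply) is also a real message type.
        if icmp_type is None or not 0 <= icmp_type <= 255:
            raise ServiceFormatError(f"unknown icmp message type: {parts[1]}")
        return [Service(1, icmp_type=icmp_type)]
    protocols = head.split("&")
    if any(p not in ("tcp", "udp") for p in protocols) or len(parts) > 3:
        raise ServiceFormatError(f"ports are only valid with tcp, udp or tcp & udp: {text}")
    if len(parts) == 2:          # protocol/<destination>
        src, dst = DEFAULT_SOURCE_PORTS, _port_ranges(parts[1])
    else:                        # protocol/<source>/<destination> (assumed order)
        src, dst = _port_ranges(parts[1]), _port_ranges(parts[2])
    return [_fold(Service(PROTOCOL_NUMBERS[p], src, dst)) for p in protocols]

def parse_services_field(text: str) -> List[Service]:
    return [s for part in text.split(",") if part.strip() for s in parse_service(part)]

def is_valid_services_field(text: str) -> bool:
    try:
        parse_services_field(text)
        return True
    except ServiceFormatError:
        return False
```

The fold step is what the note describes: a hand-typed TCP / 80 and the HTTP object compare equal, so the rule ends up referencing the object, which keeps later Find and Replace operations on object names effective.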

Show Service Contents Dialog Box


Use the Show Service dialog box to display all services and port information. The
list shows flattened values of all levels of the Service and Port List objects and
sorts the results on: protocol, destination port, and source port.
Navigation Path

To access the Show Service dialog box, do one of the following:

Right-click the Service table cell of a rule in the Access Rules table, then
click Show Service Contents to display a list of all services.

Select an entry (subfield) in the Service table cell of a rule in the Access Rules
table, then right-click and select Show <Service> Contents.

Related Topics

Editing Access Rules, page 12-65

Understanding Service Objects, page 8-159

Field Reference

Table J-9 Show Service Contents Dialog Box

Service Contents
    - From Policy view: displays global protocol and port values.
    - From Device view: displays device-specific protocol and port values.
    - From Map view: displays device-specific protocol and port values.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.

Edit Firewall Option Dialog Box


Use the Edit Firewall Option dialog box to edit an option entry in the table.
Options vary depending on the platform selected.

Navigation Path

Double-click the entry in the Access Rules table, or right-click the entry, then
select Edit Options.
Related Topics

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-59

Understanding Time Range Objects, page 8-173

Field Reference

Table J-10 Edit Firewall Option Dialog Box

Enable Logging
    When selected, activates syslog generation for the generated ACEs.
    Note: If the logging level is specified, syslog message 106100 is
    generated for the ACE to which it is applied.

Logging Level
    Identifies the type of syslog used to log events for an ACE.
    - Default: Default settings on the device
    - Emergency (0): System is unstable
    - Alert (1): Immediate action is needed
    - Critical (2): Critical conditions
    - Error (3): Error conditions
    - Warning (4): Warning conditions
    - Notification (5): Normal but significant condition
    - Informational (6): Informational messages only
    - Debugging (7): Debugging messages
    Note: Logging level is not supported on IOS devices.

User Guide for Cisco Security Manager 3.1

J-24

OL-11501-03

Appendix J

Firewall Services User Interface Reference


Access Rules Page

Table J-10

Edit Firewall Option Dialog Box (continued)

Element

Description

Logging Interval

Defines the interval of time, in seconds, used to generate logging messages.


Values are 1600 seconds. Default is 300. You must select a logging level
from the list for the logging interval value to be recognized.
If you select Default as the logging level, the default logging interval value
(300) is used.
Note

Time Range

This feature is not supported on IOS devices.

Defines access to a firewall device or security appliance based on specific


times of the day and weekly access. Time range relies on the system clock
of the device or appliance; however, the feature works best with NTP
synchronization.
Enter the time range value in the field provided or click Select, which opens
the Object Selector dialog box from which to make your selection. You can
also create a Time Range object by clicking the Create button in the Object
Selector dialog box.
Note

OK button

Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

Edit Interfaces Dialog Box


Use the Edit Interfaces dialog box to edit an interface entry in a table.
Navigation Path

Double-click the entry in the Access Rules table, or right-click the entry, then
select Edit Interfaces.
Related Topics

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49


Working with Access Rules, page 12-59

Understanding Interface Role Objects, page 8-115

Field Reference
Table J-11    Edit Interfaces Dialog Box

Interfaces*
    Identifies the logical name of the interface (interface role) or physical
    interface to which a rule is assigned. For example:
    All DMZs
    All Fast Ethernets
    All Interfaces
    FastEthernet0
    Enter the interface in the field provided or click Select, which opens the
    Interface Selector dialog box from which to make your selection. You can
    also create an interface role by clicking the Create button in the
    Interface Selector dialog box.
    Note: Interface roles are objects that are used to help you configure
    firewall rules. The objects are replaced with the actual interface names
    when the configuration is generated for each device.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Show Interface Contents Dialog Box


Use the Show Interface Contents dialog box to display each role type as a separate
listing in the table if you are working from Policy view, or display actual interface
names if you are working from Device view. The list shows flattened values of all
levels of an address, network object, or interface role and sorts the results in
ascending order on the IP address, then descending order on the mask.


You can display a list of all interfaces by clicking on a table cell or specific entry
(subfield) within the table cell, then clicking either Show Interface Contents (for
a table cell) or Show <Interface> Contents (for a subfield) from the shortcut
menu.
Navigation Path

To access the Show Interface Contents dialog box, do one of the following:

Right-click the Interface table cell of a rule in the Access Rules table, then
click Show Interface Contents.

Select an entry (subfield) in the Interface table cell of a rule in the Access
Rules table, then right-click and select Show <Interface> Contents.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-59

Understanding Interface Role Objects, page 8-115

Field Reference
Table J-12    Show Interface Contents Dialog Box

Interface Contents
    From Policy view: displays each role type as a separate listing in the
    table.
    From Device view: displays actual interface names.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.

Edit Category Dialog Box


Use the Edit Category dialog box to edit a category entry in a table.


Navigation Path

Double-click the Category entry in the Access Rules table, or right-click the entry,
then select Edit Category.
Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-59

Understanding Category Objects, page 8-48

Field Reference
Table J-13    Edit Category Dialog Box

Category
    Provides an intermediate level of detail to objects and rules by use of
    color-coding. Color-coding helps you readily identify objects and rules
    when you are viewing policy tables.
    Note: No commands are generated for the category attribute.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

Edit Description Dialog Box


Use the Edit Description dialog box to edit a user-defined description entry in a
table.
Navigation Path

Double-click the Description entry in the Access Rules table, or right-click the
entry, then select Edit Description.
Related Topics

Adding Access Rules, page 12-61


Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-59

Field Reference
Table J-14    Edit Description Dialog Box

Description
    Enables you to enter a user-defined description to help you identify a
    rule when viewing the rules table. A maximum of 1024 characters is
    allowed.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

Inspection Rules Page


Use the Inspection Rules page to identify inspection rules managed by
Security Manager. For more information, see Understanding Inspection Rules,
page 12-72.
From the Inspection Rules page, you can add, edit, and delete rules, reorder rules,
and enable or disable rules in the table. You perform these tasks using either the
shortcut menu, which is accessed by right-clicking a table cell, or by selecting the
appropriate buttons located below the table.
From the Inspection Rules page, you can generate reports to discover object
groups that are being used and identify policies associated with a particular
device.
Navigation Path

To access the Inspection Rules page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from
the Device selector.

(Policy view) Select Firewall > Inspection Rules from the Policy selector.


Related Topics

Understanding Inspection Rules, page 12-72

Field Reference
Table J-15    Inspection Rules Page

Filter
    Filters the information displayed in the table. Click the arrow to
    display the filtering bar, which enables you to set filtering parameters.
    See Filtering Tables, page 3-24.

No.
    Identifies the ordered rule number in the table.

Permit
    Shows whether a rule permits or denies traffic based on the conditions
    set.
    Permit: Shown as a green check mark.
    Deny: Shown as a red circle with slash.

Source
    Identifies the source network object names or addresses of hosts and
    networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
    and net10. Interface roles can also be used to identify a source.
    Multiple entries are displayed as separate subfields within the table
    cell. For more information, see the following:
    Understanding Network/Host Objects, page 8-127
    Understanding Interface Role Objects, page 8-115
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically
    matches the any predefined object.

Destination
    Identifies the destination network object names or addresses of hosts
    and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
    and net10. Interface roles can also be used to identify a destination.
    Multiple entries are displayed as separate subfields within the table
    cell. For more information, see the following:
    Understanding Network/Host Objects, page 8-127
    Understanding Interface Role Objects, page 8-115
    Note: If you manually enter 0.0.0.0/0 for the destination, it
    automatically matches the any predefined object.

Service
    Identifies service objects that specify protocol and port information.
    Multiple entries are displayed as separate subfields within the table
    cell. See Understanding Service Objects, page 8-159.
    Note: If you manually enter a service, such as TCP / 80, and that data
    translates directly to a predefined service object, such as HTTP, the
    rule takes the predefined object as its value.

Interface
    Identifies the logical name of the interface (interface role) or physical
    interface to which a rule is assigned. See Understanding Interface Role
    Objects, page 8-115. For example:
    All DMZs
    All Fast Ethernets
    All Interfaces
    FastEthernet0
    Note: Interface roles are objects that are used to help you configure
    firewall rules. The objects are replaced with the actual interface names
    when the configuration is generated for each device.

Dir.
    (Direction) Identifies traffic direction within a network. Direction is
    always associated with an interface:
    In: Packets entering a network.
    Out: Packets exiting a network.
    Note: The Direction parameter is supported on IOS devices only.

Inspected Protocol
    Identifies the protocol to be inspected.

Time Range
    Defines access to a firewall device or security appliance based on
    specific times of the day and weekly access. Time range relies on the
    system clock of the device or appliance; however, the feature works best
    with NTP synchronization. See Understanding Time Range Objects,
    page 8-173.
    Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Category
    Provides an intermediate level of detail to objects and rules by use of
    color-coding. Color-coding helps you readily identify objects and rules
    when you are viewing policy tables. See Understanding Time Range
    Objects, page 8-173.
    Note: No commands are generated for the category attribute.

Description
    Shows a user-defined description to help you identify a rule when viewing
    the rules table. A maximum of 1024 characters is allowed.

Tools button
    Provides you with a list of tools for generating various reports, such as
    rule analysis, the ability to combine rules in table sections, checking
    ACE hit count, and performing policy queries, and initializes the process
    for importing ACEs into Security Manager.
    Note: Currently this feature supports only the Query tool for inspection
    rules.

Query
    Invokes a utility to run queries against existing rules in a rule table.
    Query results are displayed in a report. For more information, see Using
    Policy Query, page 12-37.

Find and Replace button (binoculars icon)
    Searches for values in rules tables, such as IP addresses and policy
    object names, to facilitate locating and making changes to rules in
    tables. See Using Find and Replace, page 12-18.

Up button
    Moves a rule up one row in the table. Select a rule in the table to
    activate the appropriate buttons. See Moving Inspection Rules Up and
    Down, page 12-87.

Down button
    Moves a rule down one row in the table. Select a rule in the table to
    activate the appropriate buttons. See Moving Inspection Rules Up and
    Down, page 12-87.

Add button
    Adds a rule to the table. See Adding Inspection Rules, page 12-74.

Edit button
    Edits an existing rule in the table. See Editing Inspection Rules,
    page 12-83.

Delete button
    Deletes a rule from the table. See Deleting Inspection Rules, page 12-88.

Save button
    Saves your changes to the server, but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.


Add and Edit Inspection Rule Dialog Boxes


Use the Add and Edit Inspection Rule dialog boxes to add and edit inspection
rules.

Note

The same dialog box is used for adding and editing inspection rules.
Navigation Path

To access the Add and Edit Inspection Rule dialog boxes, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from
the Device selector. Right-click inside the table, then select Add Rule, or
right-click a rule, then select Edit Rule.

(Policy view) Select Firewall > Inspection Rules from the Policy selector.
Right-click inside the table, then select Add Rule, or right-click a rule, then
select Edit Rule.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73


Field Reference
Table J-16    Add and Edit Inspect/Application FW Rule Dialog Boxes

Apply the Rule to

Enable Rule
    When selected, indicates that the rule becomes active on a device after
    the configuration is generated and deployed. When viewing the main rules
    tables:
    An enabled rule is shown without hash marks.
    A disabled rule is shown with hash marks.
    Note: A disabled rule is not generated and deployed to devices; however,
    it is retained in the rules table for debugging purposes.

All Interfaces
    Enables you to add an inspection rule that will be associated with all
    interfaces.
    Note: Global inspection is supported for PIX and ASA devices only;
    however, although IOS doesn't support global inspection, it is simulated
    when you create an IOS inspection rule and apply it globally. Such a rule
    is applied to all interfaces in the direction in.

Interface (PIX 7.x, ASA, FWSM 3.x, IOS)
    Enables you to add an inspection rule based on an interface.

Traffic Direction
    Enables you to further define deep packet inspection by identifying
    traffic direction within a network:
    In: Packets entering a network.
    Out: Packets exiting a network.
    Note: Traffic direction is active only when inspection is based on an
    interface.

Interfaces* (2)
    Identifies the logical name of the interface (interface role) or physical
    interface to which a rule is assigned. For example:
    All DMZs
    All Fast Ethernets
    All Interfaces
    FastEthernet0
    Enter the interface information or click Select, which opens the
    Interface Selector dialog box from which to make your selection. You can
    also create an interface role by clicking the Create button in the
    Interface Selector dialog box.
    Note: Interface roles are objects that are used to help you configure
    firewall rules. The objects are replaced with the actual interface names
    when the configuration is generated for each device. See Understanding
    Interface Role Objects, page 8-115.

Match Traffic By

Default Protocol Ports
    Enables you to inspect traffic based on a default protocol setting.
    Select this option if you want to inspect a protocol without applying any
    constraints to the inspected traffic. For a description of the GUI
    elements, see Table J-17.
    Note: You must click Next to open the appropriate wizard page.

Limit inspection between source and destination IP addresses (ASA, FWSM 3.x)
    When selected, enables you to limit inspection between source and
    destination IP addresses. This setting applies to PIX 7.0, ASA, and
    FWSM 3.x devices only. For a description of the GUI elements, see
    Table J-19.
    Note: You must click Next to open the appropriate wizard page.

Custom Destination Ports
    Enables you to inspect traffic based on TCP or UDP destination ports.
    Select this option if you want to associate additional TCP or UDP traffic
    with a given protocol, for example, treating TCP traffic on destination
    port 8080 as HTTP traffic. For a description of the GUI elements, see
    Table J-20.
    Note: You must click Next to open the appropriate wizard page.

Destination Address and Port (IOS)
    Enables you to inspect traffic on IOS devices based on destination
    IP addresses. Select this option if you want to associate additional
    traffic with a given protocol only when the traffic is going to certain
    destinations, for example, if you want to treat TCP traffic on
    destination port 8080 as HTTP only when the traffic is going to server
    192.168.1.1. For a description of the GUI elements, see Table J-21.
    Note: You must click Next to open the appropriate wizard page.

Source and Destination Address and Port (PIX 7.x, ASA, FWSM 3.x)
    Enables you to inspect traffic on ASA and FWSM 3.x devices based on
    source and destination IP addresses and ports. For a description of the
    GUI elements, see Table J-22.
    Note: You must click Next to open the appropriate wizard page.

Category
    Provides an intermediate level of detail to objects and rules by use of
    color-coding. Color-coding helps you readily identify objects and rules
    when you are viewing policy tables. See Understanding Category Objects,
    page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Shows a user-defined description to help you identify a rule when viewing
    the rules table. A maximum of 1024 characters is allowed.

Back button
    Returns to the previous wizard page.
    Note: The Back button is unavailable from this dialog box.

Next button
    Advances to the next wizard page.

Finish button
    Completes the wizard dialog and returns you to the main page. The
    settings are shown in the table.
    Note: The Finish button is active on the last wizard page only.

1. An asterisk indicates that the field is required.
2. The asterisk is displayed if you apply the rule to ASA or IOS device interfaces.


Add Inspect/Application FW Rule > Match Traffic to Protocol Page

Use this wizard page to select the protocol to use for inspection.
Navigation Path

To access this wizard page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from
the Device selector. Select Default Protocol Ports, then click Next.

(Policy view) Select Firewall > Inspection Rules from the Policy selector.
Select Default Protocol Ports, then click Next.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Configuring Default Protocol Ports, page 12-77

Understanding Inspection Rules, page 12-72

Field Reference
Table J-17    Add Inspect/Application FW Rule - Match Traffic To Protocol Page

Filter
    Filters the information displayed in the table. Click the arrow to
    display the filtering bar, which enables you to set filtering parameters.
    See Filtering Tables, page 3-24.

Protocol
    Lists protocols. Only one protocol can be selected per rule. Certain
    protocols require additional configuration information. For additional
    protocol information and a description of the GUI elements, see
    Table J-17.
    Note: Alert flag, audit trail, and timeout values are optional and apply
    only to protocols inspected on IOS devices.

Options
    Displays additional configuration settings for the selected protocol.

Device Type
    Identifies the device platform, for example, ASA, PIX.

Group
    Identifies a general class that the protocol supports, for example, file
    transfer and voice.

Selected Protocol
    Displays the protocol selected. See Table J-18 for a list of protocols
    that support additional settings options.

Configure button
    Enables you to configure additional settings based on the protocol
    selected. You can configure additional settings for the protocols listed
    below.
    Note: The button is inactive if no additional settings are used.

Rule Settings (IOS)

Alert
    When selected, enables inspect-related alert messages to appear on the
    IOS device console.
    Use Default Inspection Settings
    Enable
    Disable

Audit
    When selected, enables inspect-related audit trail messages to appear on
    the IOS device console.
    Use Default Inspection Settings
    Enable
    Disable

Timeout
    Specifies the length of time, in seconds, for which a session is managed
    while there is no activity. Values are 5–43200.
    Use Default Inspection Settings
    Specify Timeout

Inspect Router Generated Traffic
    When selected,

Back button
    Returns to the previous wizard page.
    Note: The Back button is unavailable from this dialog box.

Next button
    Advances to the next wizard page.

Finish button
    Completes the wizard dialog and returns you to the main page. The
    settings are shown in the table.
    Note: The Finish button is active on the last wizard page only.

Table J-18 lists protocols that allow you to configure additional settings options.

Table J-18    Protocols Supporting Configuration Options

DNS
    Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are
    512–65535. For a description of the GUI elements, see Table J-32.

FTP Strict
    Enables you to select or create an FTP Map object to configure
    application firewall (PIX/ASA 7.x/FWSM/IOS). To configure FTP strict
    inspection, no map is required.

GTP
    Enables you to select or create a GTP Map object to configure application
    firewall (PIX/ASA 7.x/FWSM 3.x). To configure GTP inspection, no map is
    required.

HTTP
    Enables you to select or create an HTTP Map object to configure
    application firewall (PIX/ASA 7.x/FWSM/IOS). To configure HTTP
    inspection, no map is required.

RPC
    Requires program number and wait time (IOS).
    Program number values are 1–4294967295.
    Wait time values are 0–35791.
    For a description of the GUI elements, see Table J-39.

SMTP
    Sets maximum data (PIX/FWSM/IOS). Values are 0–4294967295. For a
    description of the GUI elements, see Table J-33.

Custom protocol
    Requires a custom protocol name. Custom protocols allow you to associate
    protocols with destination ports and inspect them, for example, TCP with
    destination ports 12000, UDP with destination ports 8000–9000. For a
    description of the GUI elements, see Table J-34.

ESMTP
    Sets maximum data (PIX/ASA/FWSM 3.x/IOS). Values are 0–4294967295. For a
    description of the GUI elements, see Table J-35.

Fragment
    Sets maximum fragments and timeout values (IOS).
    Fragment values are 0–10000.
    Timeout values are 1–1000.
    For a description of the GUI elements, see Table J-36.

IMAP
    Includes optional settings for retrieving email (IOS). For a description
    of the GUI elements, see Table J-37.

POP3
    Includes optional settings for retrieving email (IOS). For a description
    of the GUI elements, see Table J-38.

RPC
    Identifies a program number and optional wait time (FWSM 2.x/IOS).
    Program number values are 1–4294967295.
    Wait time values are 0–35791.
    For a description of the GUI elements, see Table J-39.

Limit Inspection Between Source and Destination IP Addresses (ASA, FWSM 3.x) Page

Use this wizard page (Step 2) to inspect traffic for specific sources and
destinations for ASA devices.
Navigation Path

To access the Limit Inspection Between Source and Destination Addresses (ASA,
FWSM 3.x) wizard page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from
the Device selector. Right-click inside the table, then click Add Row, or
right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Inspection Rules from the Policy selector.
Right-click inside the table, then click Add Row, or right-click a rule, then
click Edit Row.


For more information, see:

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Related Topics

Configuring Default Protocol Ports, page 12-77

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Understanding Time Range Objects, page 8-173


Field Reference
Table J-19    Limit Inspection Between Source and Destination Addresses (ASA, FWSM 3.x) Page

Action
    Describes what should occur based on the conditions set.
    Permit: Allows traffic
    Deny: Denies traffic

Sources*
    Identifies the source object names or addresses of hosts and networks.
    Multiple entries are separated by commas. Accepted formats are:
    a.b.c.d where a,b,c,d = 0–255 (host)
    a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    a.b.c.d/e where e = subnet in x.x.x.x format**
    Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a source. When used, the
    rule behaves as if you supplied the IP address of the selected interface.
    This is useful for interfaces that are DHCP addressed, where you cannot
    know the address that will be used when creating the policies because the
    address is dynamically assigned when the device boots.
    Enter the addresses or names in the field provided, or click Select,
    which opens the Object Selector dialog box from which to make your
    selections. You can also create an object by clicking the Create button
    in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically
    matches the any predefined object.
    Note: If you identify an interface role as a source, the dialog box
    displays tabs to differentiate between hosts or networks and interface
    roles.

Destinations*
    Identifies the destination object names or addresses of hosts and
    networks. Multiple entries are separated by commas. Accepted formats are:
    a.b.c.d where a,b,c,d = 0–255 (host)
    a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    a.b.c.d/e where e = subnet in x.x.x.x format**
    Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a destination. When used,
    the rule behaves as if you supplied the IP address of the selected
    interface. This is useful for interfaces that are DHCP addressed, where
    you cannot know the address that will be used when creating the policies
    because the address is dynamically assigned when the device boots.
    Enter the addresses or names in the field provided, or click Select,
    which opens the Object Selector dialog box from which to make your
    selections. You can also create an object by clicking the Create button
    in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the destination, it
    automatically matches the any predefined object.
    Note: If you identify an interface role as a destination, the dialog box
    displays tabs to differentiate between hosts or networks and interface
    roles.

Time Range
    Defines access to a firewall device or security appliance based on
    specific times of the day and weekly access. Time range relies on the
    system clock of the device or appliance; however, the feature works best
    with NTP synchronization.
    Enter the time range value in the field provided or click Select, which
    opens the Object Selector dialog box from which to make your selection.
    You can also create a Time Range object by clicking the Create button in
    the Object Selector dialog box.
    Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Back button
    Returns to the previous wizard page.

Next button
    Advances to the next wizard page.

Finish button
    Completes the wizard dialog and returns you to the main page. The
    settings are shown in the table.
    Note: The Finish button is active on the last wizard page only.

1. An asterisk indicates that the field is required.
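An added example, not code from the Cisco guide: a Python validator for the address formats the Sources and Destinations fields accept. It classifies each comma-separated entry as host, subnet, range, object name or the predefined any object, and rejects malformed input before it reaches a policy. The object-name pattern and the rejection of discontiguous masks are assumptions, since the guide defers mask handling to the Contiguous and Discontiguous Network Masks section.

```python
import ipaddress
import re
from typing import Any, List, Tuple

# Added example, not Security Manager code. Entry kinds returned by parse_entry:
#   ("any", None)                          0.0.0.0/0 maps to the predefined any object
#   ("host", IPv4Address)                  a.b.c.d
#   ("subnet", IPv4Network)                a.b.c.d/e (e = 1-32) or a.b.c.d/x.x.x.x
#   ("range", (IPv4Address, IPv4Address))  a.b.c.d-e.f.g.h, may span subnets
#   ("object", str)                        freeform network object name
Entry = Tuple[str, Any]

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_RE_HOST = re.compile(rf"^({_IPV4})$")
_RE_CIDR = re.compile(rf"^({_IPV4})/(\d{{1,2}})$")
_RE_MASK = re.compile(rf"^({_IPV4})/({_IPV4})$")
_RE_RANGE = re.compile(rf"^({_IPV4})-({_IPV4})$")
# Assumed object-name syntax; the guide only says "freeform text that is the
# name of a network object".
_RE_OBJECT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def parse_entry(entry: str) -> Entry:
    """Classify one entry of the Sources/Destinations field or raise ValueError."""
    entry = entry.strip()
    if entry == "0.0.0.0/0":
        return ("any", None)

    m = _RE_HOST.match(entry)
    if m:
        # IPv4Address enforces the 0-255 octet limit (AddressValueError is a ValueError)
        return ("host", ipaddress.IPv4Address(m.group(1)))

    m = _RE_CIDR.match(entry)
    if m:
        prefix = int(m.group(2))
        if not 1 <= prefix <= 32:
            raise ValueError(f"prefix length must be 1-32 in {entry!r}")
        # strict=False drops host bits, so 10.1.1.1/24 becomes 10.1.1.0/24 (assumption)
        return ("subnet", ipaddress.IPv4Network(f"{m.group(1)}/{prefix}", strict=False))

    m = _RE_MASK.match(entry)
    if m:
        try:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        except ValueError as exc:
            # ipaddress accepts only contiguous masks; discontiguous masks are
            # rejected here (assumption; the guide defers them to another section)
            raise ValueError(f"unsupported netmask in {entry!r}: {exc}") from exc
        return ("subnet", net)

    m = _RE_RANGE.match(entry)
    if m:
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start exceeds end in {entry!r}")
        return ("range", (lo, hi))

    if _RE_OBJECT.match(entry):
        return ("object", entry)
    raise ValueError(f"unrecognized address entry {entry!r}")


def parse_address_field(text: str) -> List[Entry]:
    """Parse the whole field: comma-separated entries, blank entries ignored."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]


def is_valid_entry(entry: str) -> bool:
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def describe(entries: List[Entry]) -> List[str]:
    """Canonical one-line rendering per entry, for review or audit logging."""
    out = []
    for kind, value in entries:
        if kind == "any":
            out.append("any")
        elif kind == "range":
            out.append(f"range {value[0]}-{value[1]}")
        else:
            out.append(f"{kind} {value}")
    return out


if __name__ == "__main__":
    # Constructed sample covering every format listed for the Sources field
    sample = ("10.1.1.1, 10.1.1.0/24, 10.1.1.1/255.255.255.255, "
              "10.1.1.200-10.1.2.20, net10, 0.0.0.0/0")
    print("\n".join(describe(parse_address_field(sample))))
```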

Match Traffic by Custom Destination Ports Page

Use this wizard page (Step 2) to select protocol and port values for TCP or UDP
destination ports.
Navigation Path

To access the Match Traffic By Custom Destination Ports wizard page, do one of
the following:

(Device view) Select a device, then select Firewall > Inspection Rules from
the Device selector. Right-click inside the table, then click Add Row, or
right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Inspection Rules from the Policy selector.
Right-click inside the table, then click Add Row, or right-click a rule, then
click Edit Row.

For more information, see:

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Related Topics

Configuring Custom Destination Ports, page 12-78

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Field Reference
Table J-20  Match Traffic By Custom Destination Ports Page

Element (1)        Description

Protocol
- TCP
- UDP
- TCP/UDP

Ports (2)
Specifies port information. Values are 1-65535.
- Single: Identifies a single port value. When selected, requires a port
  value.
- Range: Identifies a range of port values. When selected, requires a
  range of port values.
Note: Port range values might not be supported on all platforms or OS
versions. In such cases, a validation error results.

Back button
Returns to the previous wizard page.

Next button
Advances to the next wizard page.

Finish button
Completes the wizard dialog and returns you to the main page. The settings
are shown in the table.
Note: The Finish button is active on the last wizard page only.

1. An asterisk indicates that the field is required.
2. Based on your Port selection, the asterisk is positioned beside the field requiring value parameters.


Match Traffic by Destination Address and Port (IOS) Page

Use this wizard page (Step 2) to select protocol and port values for specific
destinations for IOS devices.
To treat this matched traffic type as a supported inspect protocol only when
destined to certain hosts, you should create a network policy object and include
the list of hosts in it. Alternatively, you can also enter a list of host IP addresses
as Destinations.

Navigation Path

To access the Match Traffic By Destination Address and Port (IOS) wizard page,
do one of the following:

- (Device view) Select a device, then select Firewall > Inspection Rules from
  the Device selector. Right-click inside the table, then click Add Row, or
  right-click a rule, then click Edit Row.

- (Policy view) Select Firewall > Inspection Rules from the Policy selector.
  Right-click inside the table, then click Add Row, or right-click a rule, then
  click Edit Row.


For more information, see:

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Related Topics

Configuring Destination Address and Port (IOS), page 12-79

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Network/Host Objects, page 8-127

Field Reference
Table J-21  Match Traffic By Destination Address and Port (IOS)

Element (1)        Description

Destinations*
Identifies the destination object names or addresses of hosts and
networks. Multiple entries are separated by commas. Accepted
formats are:
- a.b.c.d where a,b,c,d = 0-255 (host)
- a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
- a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
- a.b.c.d/e where e = subnet mask in x.x.x.x format**
- Freeform text that is the name of a network object
*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see
Contiguous and Discontiguous Network Masks, page 8-129.
Enter the addresses or names in the field provided, or click Select,
which opens the Object Selector dialog box from which to make
your selections. You can also create an object by clicking the Create
button in the Object Selector dialog box.
Note: If you manually enter 0.0.0.0/0 for the destination, it
automatically matches the "any" predefined object.

Protocol
- TCP
- UDP
- TCP/UDP

Ports (2)
- Single: Identifies a single port value. Values are 1-65535.
- Range: Identifies a range of port values. Values are 1-65535.

Back button
Returns to the previous wizard page.

Next button
Advances to the next wizard page.

Finish button
Completes the wizard dialog and returns you to the main page. The
settings are shown in the table.
Note: The Finish button is active on the last wizard page only.

1. An asterisk indicates that the field is required.
2. Based on your Port selection, the asterisk is positioned beside the field requiring value parameters.


Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page

Use this wizard page (Step 2) to inspect traffic for specific sources and
destinations for ASA and FWSM 3.x devices.
Select this matched traffic type if you want to limit inspection of traffic flowing
between a set of source and destination addresses, for example, if you want to
inspect FTP traffic flowing between 192.168.1.0/24 and 192.168.2.0/24.
You can use policy objects for sources, destinations and services. A time range
can also be specified, which will activate the traffic criteria only during that period
of time.

Navigation Path

To access the Match Traffic By Source and Destination Address and Port (ASA,
FWSM 3.x) wizard page, do one of the following:

- (Device view) Select a device, then select Firewall > Inspection Rules from
  the Device selector. Right-click inside the table, then click Add Row, or
  right-click a rule, then click Edit Row.

- (Policy view) Select Firewall > Inspection Rules from the Policy selector.
  Right-click inside the table, then click Add Row, or right-click a rule, then
  click Edit Row.


Related Topics

Configuring Source and Destination Address and Port (ASA, FWSM 3.x),
page 12-81

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Understanding Service Objects, page 8-159

Understanding Time Range Objects, page 8-173

Field Reference
Table J-22  Match Traffic By Source and Destination Address and Port (ASA, FWSM 3.x) Page

Element (1)        Description

Action
Describes what should occur based on the conditions set.
- Permit: Allows traffic.
- Deny: Denies traffic.

Sources*
Identifies the source object names or addresses of hosts and networks.
Multiple entries are separated by commas. Accepted formats are:
- a.b.c.d where a,b,c,d = 0-255 (host)
- a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
- a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
- a.b.c.d/e where e = subnet mask in x.x.x.x format**
- Freeform text that is the name of a network object
*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see Contiguous and
Discontiguous Network Masks, page 8-129.
Interface roles can also be used to identify a source. When used, the rule
behaves as if you supplied the IP address of the selected interface. This is
useful for interfaces that are DHCP addressed, where you cannot know the
address that will be used when creating the policies because the address is
dynamically assigned when the device boots.
Enter the addresses or names in the field provided or click Select, which
opens the Object Selector dialog box from which to make your selections.
You can also create an object by clicking the Create button in the Object
Selector dialog box.
Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the "any" predefined object.
Note: If you identify an interface role as a destination, the dialog box
displays tabs to differentiate between hosts or networks and
interface roles.

Destinations*
Identifies the destination object names or addresses of hosts and networks.
Multiple entries are separated by commas. Accepted formats are:
- a.b.c.d where a,b,c,d = 0-255 (host)
- a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
- a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
- a.b.c.d/e where e = subnet mask in x.x.x.x format**
- Freeform text that is the name of a network object
*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see Contiguous and
Discontiguous Network Masks, page 8-129.
Interface roles can also be used to identify a destination. When used, the
rule behaves as if you supplied the IP address of the selected interface. This
is useful for interfaces that are DHCP addressed, where you cannot know
the address that will be used when creating the policies because the address
is dynamically assigned when the device boots.
Enter the addresses or names in the field provided or click Select, which
opens the Object Selector dialog box from which to make your selections.
You can also create an object by clicking the Create button in the Object
Selector dialog box.
Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the "any" predefined object.
Note: If you identify an interface role as a destination, the dialog box
displays tabs to differentiate between hosts or networks and
interface roles.

Services*
Identifies service objects that specify protocol and port information.
Multiple entries are separated by commas. Accepted formats are:
- <protocol> where protocol = 1-255 or a well-known protocol string, for
  example, tcp, udp, gre, etc.
- icmp/<icmp_message_type> where icmp_message_type = 1-255 or
  any well-known icmp message type.
- tcp | udp | tcp & udp / <port_number>, where port number =
  1-65535. The port number is for destination ports; source ports =
  default port range.
- tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a
  named port list object.
- tcp | udp | tcp & udp / <port_number> | PortListObject /
  <port_number> | PortListObject. Using this format, you explicitly
  specify source ports outside of the default port range.
- Freeform text that is the name of a service object.
Enter the service in the field provided or click Select, which opens the
Object Selector dialog box from which to make your selections. You can
also create a service object by clicking the Create button in the Object
Selector dialog box.
Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Time Range
Defines access to a firewall device or security appliance based on specific
times of the day and weekly access. Time range relies on the system clock
of the device or appliance; however, the feature works best with NTP
synchronization.
Enter the time range value in the field provided or click Select, which opens
the Object Selector dialog box from which to make your selection. You can
also create a Time Range object by clicking the Create button in the Object
Selector dialog box.
Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Back button
Returns to the previous wizard page.

Next button
Advances to the next wizard page.

Finish button
Completes the wizard dialog and returns you to the main page. The settings
are shown in the table.
Note: The Finish button is active on the last wizard page only.

1. An asterisk indicates that the field is required.

Edit Sources Dialog Box


Use the Edit Sources dialog box to edit a source entry in a table.
Navigation Path

Double-click the Source entry in the Inspection Rules table, or right-click the
entry, then select Edit Sources.
Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Network/Host Objects, page 8-127

Field Reference
Table J-23  Edit Sources Dialog Box

Element (1)        Description

Sources*
Identifies the source object names or addresses of hosts and networks.
Multiple entries are separated by commas. Accepted formats are:
- a.b.c.d where a,b,c,d = 0-255 (host)
- a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
- a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
- a.b.c.d/e where e = subnet mask in x.x.x.x format**
- Freeform text that is the name of a network object
*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see Contiguous and
Discontiguous Network Masks, page 8-129.
Interface roles can also be used to identify a source. When used, the rule
behaves as if you supplied the IP address of the selected interface. This is
useful for interfaces that are DHCP addressed, where you cannot know the
address that will be used when creating the policies because the address is
dynamically assigned when the device boots.
Enter the source object names, addresses, or interface roles in the field
provided or click Select, which opens the Object Selector dialog box from
which to make your selections. You can also create an object by clicking the
Create button in the Object Selector dialog box.
Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the "any" predefined object.
Note: If you identify an interface role as a source, the dialog box displays
tabs to differentiate between hosts or networks and interface roles.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Source Contents Dialog Box


Use the Show Source Contents dialog box to display all source addresses. The list
shows flattened values of all levels of a source address or Network Object and
sorts the results in ascending order on the IP address, then descending order on
the mask.
Navigation Path

To access the Show Source Contents dialog box, do one of the following:

Right-click the Source table cell of a rule in the Inspection Rules table, then
click Show Source Contents to display a list of all sources.

Select an entry (subfield) in the Source table cell of a rule in the Inspection
Rules table, then right-click and select Show <Source> Contents.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Network/Host Objects, page 8-127

Field Reference
Table J-24  Show Source Contents Dialog Box

Element        Description

Source Contents
Lists networks and hosts first, followed by interface roles. You can also
select a specific source (subfield) in the table, which opens a Show
<subfield> Contents dialog box.
- From Policy view: displays global values.
- From Device view: displays device-specific values.
- From Map view: displays device-specific values.
Note: If you entered 0.0.0.0/0 for the source, it automatically matches the
"any" predefined object.

Close button
Closes the dialog box without saving your changes.

Help button
Opens help for this page.

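The address grammar that the Sources and Destinations rows in the tables above accept, and the ordering the Show Source Contents dialog box describes (ascending on the IP address, then descending on the mask), as an added Python example that is not part of the Cisco documentation. The object-name character set, the contiguous-mask-only handling of the x.x.x.x form and the mapping of a /0 dotted mask to "any" are assumptions.

```python
"""Validator for the address formats the Sources/Destinations fields accept,
plus the ordering the Show Source/Destination Contents dialogs describe.
Added example; not Cisco Security Manager code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Octet 0-255 without leading zeros, as the a.b.c.d notation in the table implies.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_HOST_RE = re.compile(rf"^{_IPV4}$")
_PREFIX_RE = re.compile(rf"^({_IPV4})/([0-9]{{1,2}})$")
_MASK_RE = re.compile(rf"^({_IPV4})/({_IPV4})$")
_RANGE_RE = re.compile(rf"^({_IPV4})-({_IPV4})$")
# Assumption: a network object name is one token of letters, digits, '_', '-' or '.'.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass(frozen=True)
class Entry:
    kind: str                                        # host, subnet, range or object
    value: Union[ipaddress.IPv4Network, IPRange, str]


ANY = Entry("object", "any")   # the predefined 'any' object the table notes refer to


def parse_entry(text: str) -> Entry:
    """Parse one comma-separated item, trying the formats in the order the table lists them."""
    text = text.strip()
    if text == "0.0.0.0/0":
        return ANY                      # note in the table: 0.0.0.0/0 becomes 'any'
    if _HOST_RE.match(text):
        return Entry("host", ipaddress.IPv4Network(f"{text}/32"))
    m = _PREFIX_RE.match(text)
    if m:
        bits = int(m.group(2))
        if not 1 <= bits <= 32:
            raise ValueError(f"prefix length e must be 1-32: {text}")
        return Entry("subnet", ipaddress.IPv4Network(f"{m.group(1)}/{bits}", strict=False))
    m = _RANGE_RE.match(text)
    if m:
        lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start is above its end: {text}")
        return Entry("range", (lo, hi))     # a range may span more than one subnet
    m = _MASK_RE.match(text)
    if m:
        # Assumption: only contiguous masks are modelled; ipaddress raises
        # ValueError for a discontiguous mask such as 255.0.255.0.
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        return ANY if net.prefixlen == 0 else Entry("subnet", net)
    if _NAME_RE.match(text):
        return Entry("object", text)
    raise ValueError(f"not an accepted address format: {text!r}")


def parse_field(text: str) -> List[Entry]:
    """Multiple entries are separated by commas."""
    return [parse_entry(item) for item in text.split(",") if item.strip()]


def sort_contents(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Order the way Show Source/Destination Contents does: ascending on the
    IP address, then descending on the mask (a longer prefix is a larger mask)."""
    return sorted(nets, key=lambda n: (int(n.network_address), -n.prefixlen))


def flatten(entries: List[Entry]) -> List[ipaddress.IPv4Network]:
    """Flatten hosts, subnets and ranges to networks and sort them. Object names
    are skipped because resolving them needs the policy object database."""
    nets: List[ipaddress.IPv4Network] = []
    for e in entries:
        if e.kind in ("host", "subnet"):
            nets.append(e.value)
        elif e.kind == "range":
            nets.extend(ipaddress.summarize_address_range(*e.value))
    return sort_contents(nets)


if __name__ == "__main__":
    # Constructed sample field covering every accepted format.
    field = ("192.168.1.10, 192.168.1.0/24, 10.0.0.0/255.255.0.0, "
             "10.0.0.250-10.0.1.5, 0.0.0.0/0, DMZ_Servers")
    for e in parse_field(field):
        print(e)
    print([str(n) for n in flatten(parse_field("10.0.0.250-10.0.1.5, 10.0.0.0/24, 10.0.0.0/8"))])
```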

Edit Destinations Dialog Box


Use the Edit Destinations dialog box to edit a destination entry in a table.
Navigation Path

Double-click the Destination entry in the Inspection Rules table, or right-click the
entry, then select Edit Destinations.
Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Network/Host Objects, page 8-127

Field Reference
Table J-25  Edit Destinations Dialog Box

Element (1)        Description

Destinations*
Identifies the destination object names or addresses of hosts and networks.
Multiple entries are separated by commas. Accepted formats are:
- a.b.c.d where a,b,c,d = 0-255 (host)
- a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)
- a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*
- a.b.c.d/e where e = subnet mask in x.x.x.x format**
- Freeform text that is the name of a network object
*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see Contiguous and
Discontiguous Network Masks, page 8-129.
Interface roles can also be used to identify a destination. When used, the
rule behaves as if you supplied the IP address of the selected interface. This
is useful for interfaces that are DHCP addressed, where you cannot know
the address that will be used when creating the policies because the address
is dynamically assigned when the device boots.
Enter the destination object names, addresses, or interface roles in the field
provided or click Select, which opens the Object Selector dialog box from
which to make your selections. You can also create an object by clicking the
Create button in the Object Selector dialog box.
Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the "any" predefined object.
Note: If you identify an interface role as a destination, the dialog box
displays tabs to differentiate between hosts or networks and
interface roles.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Destination Contents Dialog Box


Use the Show Destination Contents dialog box to display all destination
addresses. The list shows flattened values of all levels of a destination address or
Network Object and sorts the results in ascending order on the IP address, then
descending order on the mask.
Navigation Path

To access the Show Destination Contents dialog box, do one of the following:

Right-click the Destination table cell of a rule in the Inspection Rules table,
then click Show Destination Contents to display a list of all destinations.

Select an entry (subfield) in the Destination table cell of a rule in the
Inspection Rules table, then right-click and select
Show <Destination> Contents.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Network/Host Objects, page 8-127

Field Reference
Table J-26  Show Destination Contents Dialog Box

Element        Description

Destination Contents
Lists networks and hosts first, followed by interface roles. You can also
select a specific destination (subfield) in the table, which opens a Show
<subfield> dialog box.
- From Policy view: displays global values.
- From Device view: displays device-specific values.
- From Map view: displays device-specific values.
Note: If you entered 0.0.0.0/0 for the destination, it automatically matches
the "any" predefined object.

Close button
Closes the dialog box without saving your changes.

Help button
Opens help for this page.


Edit Service Dialog Box


Use the Edit Service dialog box to edit protocols and ports.
Navigation Path

Double-click the Service entry in the Inspection Rules table, or right-click the
entry, then select Edit Services.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Service Objects, page 8-159

Field Reference
Table J-27  Edit Service Dialog Box

Element (1)        Description

Services*
Identifies service objects that specify protocol and port information.
Multiple entries are separated by commas. Accepted formats are:
- <protocol> where protocol = 1-255 or a well-known protocol string, for
  example, tcp, udp, gre, etc.
- icmp/<icmp_message_type> where icmp_message_type = 1-255 or
  any well-known icmp message type.
- tcp | udp | tcp & udp / <port_number>, where port number =
  1-65535. The port number is for destination ports; source ports =
  default port range.
- tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a
  named port list object.
- tcp | udp | tcp & udp / <port_number> | PortListObject /
  <port_number> | PortListObject. Using this format, you explicitly
  specify source ports outside of the default port range.
- Freeform text that is the name of a service object.
Enter the service in the field provided or click Select, which opens the
Object Selector dialog box from which to make your selections. You can
also create a service object by clicking the Create button in the Object
Selector dialog box.
Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Service Contents Dialog Box


Use the Show Service Contents dialog box to display all services and port
information. The list shows flattened values of all levels of the Service and Port
List objects and sorts the results on: protocol, destination port, and source port.
Navigation Path

To access the Show Service Contents dialog box, right-click the entry in the
Traffic Match column of the Inspection Rules table, then click
Show Service Contents.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Service Objects, page 8-159

Field Reference
Table J-28  Show Service Contents Dialog Box

Element        Description

Service Contents
- From Policy view: displays global protocol and port values.
- From Device view: displays device-specific protocol and port values.
- From Map view: displays device-specific protocol and port values.

Close button
Closes the dialog box without saving your changes.

Help button
Opens help for this page.
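The service string formats listed in the Services row of Table J-22 and in the Edit Service dialog box, together with the protocol, destination port, source port ordering that Show Service Contents applies, as an added Python example that is not Cisco Security Manager code. The well-known protocol and ICMP names, the predefined service objects (HTTP for TCP / 80, as the note says) and the object-name character set are assumptions.

```python
"""Parser for the service strings the Services field accepts (Table J-22 and
the Edit Service dialog box), plus the ordering Show Service Contents uses.
Added example; not Cisco Security Manager code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Assumption: these name tables are illustrative subsets, not CSM's full lists.
KNOWN_PROTOCOLS = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51, "icmp": 1}
KNOWN_ICMP_TYPES = {"unreachable": 3, "redirect": 5, "echo": 8, "time-exceeded": 11}
# Assumption: a few predefined service objects keyed by (protocol, dst, src);
# the guide's note says a manually entered TCP / 80 resolves to HTTP this way.
PREDEFINED = {("tcp", 80, None): "HTTP", ("tcp", 443, None): "HTTPS",
              ("tcp", 22, None): "SSH", ("udp", 53, None): "DNS"}
PORT_PROTOCOLS = ("tcp", "udp", "tcp & udp")

_NUM_RE = re.compile(r"^[0-9]+$")
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")   # assumed object-name charset

PortSpec = Optional[Union[int, str]]   # port number, PortListObject name, or None


@dataclass(frozen=True)
class Service:
    protocol: Optional[Union[str, int]] = None   # None when only an object name is given
    icmp_type: Optional[Union[str, int]] = None
    dst_port: PortSpec = None
    src_port: PortSpec = None                    # None means the default port range
    object_name: Optional[str] = None            # predefined or user service object


def _number(token: str, low: int, high: int, what: str) -> int:
    n = int(token)
    if not low <= n <= high:
        raise ValueError(f"{what} must be {low}-{high}: {token}")
    return n


def _port(token: str) -> Union[int, str]:
    """A port field is either a number 1-65535 or the name of a port list object."""
    if _NUM_RE.match(token):
        return _number(token, 1, 65535, "port number")
    if _NAME_RE.match(token):
        return token
    raise ValueError(f"not a port number or PortListObject: {token!r}")


def parse_service(text: str) -> Service:
    """Parse one comma-separated Services entry in the formats the table lists."""
    parts = [p.strip() for p in text.strip().split("/")]
    head = re.sub(r"\s*&\s*", " & ", parts[0].lower())   # tcp&udp == tcp & udp
    if len(parts) == 1:
        if _NUM_RE.match(head):
            return Service(protocol=_number(head, 1, 255, "protocol number"))
        if head in KNOWN_PROTOCOLS:
            return Service(protocol=head)
        if _NAME_RE.match(parts[0]):
            return Service(object_name=parts[0])      # freeform service object name
        raise ValueError(f"not an accepted service format: {text!r}")
    if head == "icmp" and len(parts) == 2:
        t = parts[1].lower()
        if _NUM_RE.match(t):
            return Service(protocol="icmp", icmp_type=_number(t, 1, 255, "icmp type"))
        if t in KNOWN_ICMP_TYPES:
            return Service(protocol="icmp", icmp_type=t)
        raise ValueError(f"unknown icmp message type: {parts[1]!r}")
    if head in PORT_PROTOCOLS and len(parts) in (2, 3):
        dst = _port(parts[1])
        src = _port(parts[2]) if len(parts) == 3 else None   # explicit source ports
        name = PREDEFINED.get((head, dst, src))              # e.g. TCP / 80 -> HTTP
        return Service(protocol=head, dst_port=dst, src_port=src, object_name=name)
    raise ValueError(f"not an accepted service format: {text!r}")


def parse_services_field(text: str) -> List[Service]:
    """Multiple entries are separated by commas."""
    return [parse_service(item) for item in text.split(",") if item.strip()]


def _port_rank(p: PortSpec) -> Tuple[int, Union[int, str]]:
    # Absent port (default range) first, then numbers, then object names.
    if p is None:
        return (0, 0)
    return (1, p) if isinstance(p, int) else (2, p)


def sort_contents(services: List[Service]) -> List[Service]:
    """Order the way Show Service Contents does: protocol, destination port,
    then source port."""
    return sorted(services, key=lambda s: (str(s.protocol),
                                           _port_rank(s.dst_port),
                                           _port_rank(s.src_port)))


if __name__ == "__main__":
    # Constructed sample entries, one per accepted format.
    for item in ["gre", "47", "icmp/echo", "TCP / 80", "tcp & udp / 53",
                 "udp/SyslogPorts/514", "CorpIntranet"]:
        print(f"{item:22s} -> {parse_service(item)}")
```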

Edit Interfaces Dialog Box


Use the Edit Interfaces dialog box to edit an interface entry in a table.

Navigation Path

Double-click the entry in the Inspection Rules table, or right-click the entry, then
select Edit Interfaces.

Note: You cannot access the Edit Interfaces dialog box if the interface setting is Global.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Interface Role Objects, page 8-115

Field Reference
Table J-29  Edit Interfaces Dialog Box

Element (1)        Description

Interfaces*
Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:
- All DMZs
- All Fast Ethernets
- All Interfaces
- FastEthernet0
Enter the interface in the field provided or click Select, which opens the
Interface Selector dialog box from which to make your selection. You can
also create an interface role by clicking the Create button in the Interface
Selector dialog box.
Note: Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Interface Contents Dialog Box


Use the Show Interface Contents dialog box to display each role type as a separate
listing in the table if you are working from Policy view, or display actual interface
names if you are working from Device view.
The list shows flattened values of all levels of an address, network object, or
interface role and sorts the results in ascending order on the IP address, then
descending order on the mask.

You can display a list of all interfaces by clicking on a table cell or specific entry
(subfield) within the table cell, then clicking either Show Interface Contents (for
a table cell) or Show <Interface> Contents (for a subfield) from the shortcut
menu.
Navigation Path

To access the Show Interface Contents dialog box, do one of the following:

Right-click the Interface table cell of a rule in the Inspection Rules table, then
click Show Interface Contents.

Select an entry (subfield) in the Destination table cell of a rule in the
Inspection Rules table, then right-click and select
Show <Interface> Contents.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Interface Role Objects, page 8-115

Field Reference
Table J-30  Show Interface Contents Dialog Box

Element        Description

Interface Contents
- From Policy view: displays each role type as a separate listing in the
  table.
- From Device view: displays actual interface names.

Close button
Closes the dialog box without saving your changes.

Help button
Opens help for this page.


Edit Inspected Protocol Dialog Box


Use the Edit Inspected Protocol dialog box to edit values for the protocol selected.
Navigation Path

To access the Edit Inspected Protocol dialog box, right-click the entry in the
Inspected Protocol column of the Inspection Rules table, then click
Edit Inspected Protocol.
Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Field Reference
Table J-31

Edit Inspected Protocol Dialog Box

Element

Description

Filter

Filters the information displayed in the table. Click the arrow to display the
filtering bar, which enables you to set filtering parameters. See Filtering
Tables, page 3-24.

Protocol

Lists protocols. Only one protocol can be selected per rule. Certain
protocols enable you to configure additional information,
Note

All protocols inspected on IOS devices require an alert flag, audit


trail, and timeout values.

DNS

Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are


51265535. For a description of the GUI elements, see Table J-32.

FTP Strict

Enables you to select or create an FTP Map object to configure application


firewall (PIX 7.0/ASA/FWSM 3.x/IOS). To configure FTP strict
inspection, no map is required.

GTP

Enables you to select or create a GTP Map object to configure application


firewall (PIX 7.0/ASA/FWSM 3.x). To configure GTP inspection, no map
is required.

HTTP

Enables you to select or create an HTTP Map object to configure


application firewall (PIX 7.0/ASA/FWSM 3.x/IOS). To configure HTTP
inspection, no map is required.

User Guide for Cisco Security Manager 3.1


OL-11501-03

J-65

Appendix J

Firewall Services User Interface Reference

Inspection Rules Page

Table J-31

Edit Inspected Protocol Dialog Box (continued)

Element

Description

RPC

Requires program number and wait time (IOS).

Program number values are 14294967295.

Wait time values are 035791.

For a description of the GUI elements, see Table J-39.


SMTP

Requires maximum data. Values are 04294967295. For a description of


THE GUI elements, see Table J-33.

Custom protocol

Requires a custom protocol name. Requires a custom protocol name.


Custom protocols allow you to associate protocols with destination ports
and inspect them, for example, TCP with destination ports 12000, UDP
with destination ports 80009000. For a description of THE GUI elements,
see Table J-34.

ESMTP

Requires maximum data (PIX 7.0/ASA/FWSM 3.x/IOS). Values are


04294967295. For a description of THE GUI elements, see Table J-35.

Fragment

Requires maximum fragments and timeout value.

Fragment values are 010000.

Timeout values are 11000.

For a description of THE GUI elements, see Table J-36.


IMAP

Includes optional settings for retrieving email (IOS). For a description of


THE GUI elements, see Table J-37.

POP3

Includes optional settings for retrieving email (IOS). For a description of


THE GUI elements, see Table J-38.

RPC

Requires a program number and wait time (IOS).

Program number values are 14294967295.

Wait time values are 035791.

For a description of THE GUI elements, see Table J-39.


Optional IOS Settings

Enable
    Indicates whether the rule appears after the configuration is generated. A disabled rule is not generated; it is retained in the table for debugging purposes.

Enable Alert Messages
    When selected, enables inspect-related alert messages to appear on the IOS device console.
    Note: Supported only on IOS devices.

Enable Audit Trail Messages
    When selected, enables inspect-related audit trail messages to appear on the IOS device console.
    Note: Supported only on IOS devices.

Timeout (seconds)
    Specifies the length of time, in seconds, for which a session is managed while there is no activity. Values are 5–43200.
    Note: Supported only on IOS devices.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configure DNS Dialog Box


Use the Configure DNS dialog box to configure settings for DNS inspection
(PIX 7.0/ASA/FWSM/IOS).
Navigation Path

You can access the Configure DNS dialog box from the Inspection Rules table.
Select DNS as the protocol for inspection, then click Configure.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83


Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Field Reference
Table J-32 Configure DNS Dialog Box

Maximum DNS Packet Length
    Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are 512–65535.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configure SMTP Dialog Box

Use the Configure SMTP dialog box to edit settings for Simple Mail Transfer Protocol (SMTP) inspection (PIX/FWSM/IOS). SMTP is used to transfer email between servers and clients on the Internet. Email clients and mail servers that use protocols other than Messaging Application Programming Interface (MAPI) can use SMTP to transfer a message from a client to the server, and then forward it to the recipient's server.
SMTP inspection checks SMTP commands for illegal commands. Any packets with illegal commands are dropped, and the SMTP session hangs and eventually times out.
Navigation Path

You can access the Configure SMTP dialog box from the Inspection Rules table.
Select SMTP as the protocol for inspection, then click Configure.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73


Field Reference
Table J-33 Configure SMTP Dialog Box

Maximum Data
    Values are 0–4294967295.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Custom Protocol Dialog Box

Use the Custom Protocol dialog box to edit settings for custom protocol inspection (IOS). Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination ports 1–2000, UDP with destination ports 8000–9000.
Navigation Path

You can access the Custom Protocol dialog box from the Inspection Rules table. Select Custom Protocol as the protocol for inspection, then click Configure.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73


Field Reference
Table J-34 Configure Custom Protocol Dialog Box

Custom Protocol Name
    Identifies the name associated with the custom protocol.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configure ESMTP Dialog Box

Use the Configure ESMTP dialog box to edit settings for Extended Simple Mail Transport Protocol (ESMTP) inspection (PIX/ASA/FWSM 3.x/IOS). ESMTP inspection lets users who install mail servers behind Cisco IOS firewalls run those servers on ESMTP instead of Simple Mail Transport Protocol (SMTP).
Navigation Path

You can access the Configure ESMTP dialog box from the Inspection Rules table.
Select ESMTP as the protocol for inspection, then click Configure.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73


Field Reference
Table J-35 Configure ESMTP Dialog Box

Maximum Data
    Values are 0–4294967295.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configure Fragments Dialog Box


Use the Configure Fragments dialog box to edit settings for fragment inspection.
Navigation Path

You can access the Configure Fragments dialog box from the Inspection Rules
table. Select Fragments as the protocol for inspection, then click Configure.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73


Field Reference
Table J-36 Configure Fragments Dialog Box

Maximum Fragments
    Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. Values are 0–10000 state entries. Default is 256.
    Note: Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

Timeout (sec)
    Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. Values are 1–1000. Default timeout value is one second.
    If this number is set to a value greater than one second, it is automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds:
    • When the number of free states is less than 32, the timeout is divided by 2.
    • When the number of free states is less than 16, the timeout is set to 1 second.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configure IMAP Dialog Box


Use the Configure IMAP dialog box to edit settings for Internet Message Access
Protocol (IMAP) inspection (IOS). IMAP is a method for accessing electronic
mail or bulletin board messages that are kept on a mail server that may be shared.
It permits a client email program to access remote messages as though they were
local.


Navigation Path

You can access the Configure IMAP dialog box from the Inspection Rules table.
Select IMAP as the protocol for inspection, then click Configure.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Field Reference
Table J-37 Configure IMAP Dialog Box

Reset Connection on Invalid IMAP packet
    When selected, requires that the client/server communication repeat the validation process from the time the TCP connection is initialized until the client is authenticated.

Enforce Secure Authentication
    When selected, allows you to download external IMAP email only if authentication methods are secure, which generates the secure-login command.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configure POP3 Dialog Box


Use the Configure POP3 dialog box to edit settings for Post Office Protocol,
Version 3 (POP3) inspection (IOS). POP3 is used to receive email that is stored
on a mail server. Unlike IMAP, POP retrieves mail only from a remote host.
Navigation Path

You can access the Configure POP3 dialog box from the Inspection Rules table.
Select POP3 as the protocol for inspection, then click Configure.


Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Field Reference
Table J-38 Configure POP3 Dialog Box

Reset Connection on Invalid POP3 packet
    When selected, requires that the client/server communication repeat the validation process from the time the TCP connection is initialized until the client is authenticated.

Enforce Secure Authentication
    When selected, allows you to download external POP3 email only if authentication methods are secure, which generates the secure-login command.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configure RPC Dialog Box


Use the RPC dialog box to edit settings for RPC inspection (IOS). RPC inspection
allows the specification of various program numbers. You can define multiple
program numbers by creating multiple entries for RPC inspection, each with a
different program number. If a program number is specified, all traffic for that
program number will be permitted. If a program number is not specified, all traffic
for that program number is blocked. For example, if you create an RPC entry with
the NFS program number, all NFS traffic will be allowed through the firewall.
Navigation Path

You can access the Configure RPC dialog box from the Inspection Rules table.
Select RPC as the protocol for inspection, then click Configure.


Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Field Reference
Table J-39 Configure RPC Dialog Box

Program Number
    Specifies the program number to permit. Values are 1–4294967295.

Wait Time
    Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. Values are 0–35791 minutes. Default is 0.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Configuring Protocol Platform Dialog Box


Use the Configure (Protocol Platform) dialog box to choose a policy object based
on device type.
Navigation Path

You can access the Configure (Protocol Platform) dialog box from the Inspection
Rules table. Select HTTP or IM as the protocol for inspection, then click
Configure.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73


Field Reference
Table J-40 Configuring Protocol Platform Dialog Box

Platform radio buttons
    Enables you to select the device type, which then enables you to enter the information in the field provided or click Select, which opens the appropriate Selector dialog box from which to make your selection.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Edit Category Dialog Box


Use the Edit Category dialog box to edit a category entry in a table.
Navigation Path

Double-click the Category entry in the Inspection Rules table, or right-click the
entry, then select Edit Category.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Understanding Category Objects, page 8-48


Field Reference
Table J-41 Edit Category Dialog Box

Category
    Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables.
    Note: No commands are generated for the category attribute.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Edit Description Dialog Box


Use the Edit Description dialog box to edit a user-defined description entry in a
table.
Navigation Path

Double-click the Description entry in the Inspection Rules table, or right-click the
entry, then select Edit Description.
Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73


Field Reference
Table J-42 Edit Description Dialog Box

Description
    Enables you to enter a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

AAA Rules Page


Use the AAA Rules page to identify AAA rules defined in Security Manager. For
more information, see Working with AAA Rules, page 12-89.
From the AAA Rules page, you can add, edit, and delete rules, reorder rules, and
enable or disable rules in the table. You perform these tasks using either the
shortcut menu, which is accessed by right-clicking a table cell, or by selecting the
appropriate buttons located below the table.
From the AAA Rules page, you can also generate reports to discover object
groups that are being used and identify policies associated with a particular
device.
Navigation Path

To access the AAA Rules page, do one of the following:

• (Device view) Select a device, then select Firewall > AAA Rules from the Device selector.

• (Policy view) Select Firewall > AAA Rules from the Policy selector.

Related Topics

Working with AAA Rules, page 12-89


Field Reference
Table J-43 AAA Rules Page

Filter
    Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

No.
    Identifies the ordered rule number in the table.

Permit
    Shows whether a rule permits or denies traffic based on the conditions set.
    • Permit: shown as a green check mark.
    • Deny: shown as a red circle with slash.

Source
    Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:
    • Understanding Network/Host Objects, page 8-127.
    • Understanding Interface Role Objects, page 8-115.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically matches the any predefined object.

Destination
    Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:
    • Understanding Network/Host Objects, page 8-127.
    • Understanding Interface Role Objects, page 8-115.
    Note: If you manually enter 0.0.0.0/0 for the destination, it automatically matches the any predefined object.


Service
    Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding Service Objects, page 8-159.
    Note: If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Interface
    Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-115.
    For example:
    • All DMZs
    • All Fast Ethernets
    • All Interfaces
    • FastEthernet0
    Note: Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Action
    Identifies the AAA methods.
    • Authentication: indicates that the rule controls traffic based on who the user is.
    • Authorization: indicates that the rule controls traffic based on what the user is allowed to do.
    • Accounting: indicates that the rule controls traffic based on what the user did.

AuthProxy
    Identifies the authentication proxy method used for IOS devices.

Server Group
    Identifies the AAA server group.
    Note: The AAA server group must have at least one AAA server defined.


Category
    Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button
    Provides a list of tools for generating various reports, such as rule analysis, combining rules in table sections, checking ACE hit counts, and performing policy queries, and starts the process for importing ACEs into Security Manager.

Combine Rules
    Invokes a utility to combine rules in tables, thus improving performance and memory usage. See Combining Rules, page 12-11.

Query
    Invokes a utility to run queries against existing rules in a rule table. Query results are displayed in a report. See Using Policy Query, page 12-37.

Find and Replace button (binoculars icon)
    Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Using Find and Replace, page 12-18.

Up button
    Moves a rule up one row in the table. Select a rule in the table to activate the appropriate buttons.

Down button
    Moves a rule down one row in the table. Select a rule in the table to activate the appropriate buttons.

Add button
    Adds a rule to the table.

Edit button
    Edits an existing rule in the table.

Delete button
    Deletes a rule from the table.

Save button
    Saves your changes to the server, but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.


Add and Edit AAA Rules Dialog Boxes

Use the Add and Edit AAA Rules dialog boxes to add and edit AAA rules.

Note: The same dialog box is used for adding and editing access rules.

Navigation Path

To access the Add and Edit AAA Rules dialog boxes, do one of the following:

• (Device view) Select a device, then select Firewall > AAA Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

• (Policy view) Select Firewall > AAA Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Using Find and Replace, page 12-18


Field Reference
Table J-44 Add and Edit AAA Rules Dialog Boxes

Enable Rule
    When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.
    When viewing the main rules tables:
    • An enabled rule is shown without hash marks.
    • A disabled rule is shown with hash marks.
    Note: A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

Authentication Action
    When selected, indicates that the rule controls traffic based on who the user is.

Authorization Action (PIX/ASA/FWSM)
    When selected, indicates that the rule controls traffic based on what the user is allowed to do.

Accounting Action (PIX/ASA/FWSM)
    When selected, indicates that the rule controls traffic based on what the user did.

Action
    Describes what should occur based on the conditions set.
    • Permit: allows traffic.
    • Deny: denies traffic.


Sources*
    Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-127.
    Accepted formats are:
    • a.b.c.d where a,b,c,d = 0–255 (host)
    • a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    • a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    • a.b.c.d/e where e = subnet in x.x.x.x format**
    • Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots. See Understanding Interface Role Objects, page 8-115.
    Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically matches the any predefined object.


Destinations*
    Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-127.
    Accepted formats are:
    • a.b.c.d where a,b,c,d = 0–255 (host)
    • a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    • a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    • a.b.c.d/e where e = subnet in x.x.x.x format**
    • Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots. See Understanding Interface Role Objects, page 8-115.
    Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the destination, it automatically matches the any predefined object.


Services*
    Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. See Understanding Service Objects, page 8-159.
    Accepted formats are:
    • <protocol> where protocol = 1–255 or a well-known protocol string, for example, tcp, udp, gre, etc.
    • icmp/<icmp_message_type> where icmp_message_type = 1–255 or any well-known icmp message type.
    • tcp | udp | tcp & udp/<port_number>, where port_number = 1–65535. The port number is for destination ports; source ports = default port range.
    • tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a named port list object.
    • tcp | udp | tcp & udp / <port_number> | PortListObject / <port_number> | PortListObject. Using this format, you explicitly specify source ports outside of the default port range.
    • Freeform text that is the name of a service object.
    Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.
    Note: Services are not applicable when filter except is selected from the PIX/ASA Web Filter Rule page.
    Note: If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.


AAA Server Group (PIX, ASA, FWSM)
    Identifies the AAA server group. See Understanding AAA Server Group Objects, page 8-16.
    Enter the AAA Server Object in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Interface*
    Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-115.
    For example:
    • All DMZs
    • All Fast Ethernets
    • All Interfaces
    • FastEthernet0
    Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.
    Note: Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Category
    Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

HTTP Traffic Type Applies to Authentication Proxy (IOS)
    When selected, specifies HTTP to trigger the authentication proxy.


FTP Traffic Type Applies to Authentication Proxy (IOS)
    When selected, specifies FTP to trigger the authentication proxy.

Telnet Traffic Type Applies to Authentication Proxy (IOS)
    When selected, specifies Telnet to trigger the authentication proxy.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

An asterisk (*) after an element name indicates that the field is required.
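The accepted Services formats from Table J-44, applied by a small parser written for this page (an added example, not Security Manager code). The protocol, ICMP-type and port-list tables are assumed stand-ins, and only the TCP/80 to HTTP mapping the guide itself names is included as a predefined object:

```python
"""Parser for the service formats accepted by the Services field (Table J-44).
Constructed example, not Security Manager code; the lookup tables below are
small assumed stand-ins for the ones the product ships."""
import re

# Assumed stand-ins (assumption, not the product's real lists).
WELL_KNOWN_PROTOCOLS = {"tcp": 6, "udp": 17, "gre": 47, "icmp": 1, "esp": 50}
WELL_KNOWN_ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
# Only the predefined object the guide names (TCP/80 -> HTTP); the product has many more.
PREDEFINED_SERVICES = {("tcp", 80): "HTTP"}
TRANSPORTS = ("tcp", "udp", "tcp&udp")


class ServiceFormatError(ValueError):
    """Raised when an entry matches none of the accepted formats."""


def _number(token, low, high, what):
    """Parse a decimal token and enforce the range the guide gives for it."""
    if not token.isdigit() or not low <= int(token) <= high:
        raise ServiceFormatError(f"{what} must be {low}-{high}: {token!r}")
    return int(token)


def _port_spec(token, port_lists):
    """A port position holds either a port number (1-65535) or a PortListObject name."""
    if token in port_lists:
        return ("list", token)
    return ("port", _number(token, 1, 65535, "port number"))


def parse_service(entry, service_objects=frozenset(), port_lists=frozenset()):
    """Classify one Services entry; returns a dict describing what the rule matches."""
    text = entry.strip()
    if text in service_objects:                       # freeform name of a service object
        return {"kind": "object", "name": text}
    # The UI tolerates spaces around separators, e.g. "TCP / 80" or "tcp & udp / 53".
    text = re.sub(r"\s*([/&])\s*", r"\1", text)
    parts = text.split("/")
    head = parts[0].lower()

    if len(parts) == 1:                               # <protocol>
        if head in WELL_KNOWN_PROTOCOLS:
            return {"kind": "protocol", "protocol": head, "number": WELL_KNOWN_PROTOCOLS[head]}
        return {"kind": "protocol", "protocol": None,
                "number": _number(head, 1, 255, "protocol number")}

    if head == "icmp" and len(parts) == 2:            # icmp/<icmp_message_type>
        mtype = parts[1].lower()
        number = WELL_KNOWN_ICMP_TYPES.get(mtype)
        if number is None:
            number = _number(mtype, 1, 255, "ICMP message type")
        return {"kind": "icmp", "type": number}

    if head in TRANSPORTS and len(parts) in (2, 3):
        if len(parts) == 2:                           # transport/<dst>: source ports = default range
            source, destination = ("default", None), _port_spec(parts[1], port_lists)
        else:                                         # transport/<src>/<dst>: explicit source ports
            source, destination = _port_spec(parts[1], port_lists), _port_spec(parts[2], port_lists)
        # A manually entered service that equals a predefined object (TCP/80 -> HTTP)
        # takes the predefined object as its value.
        if source[0] == "default" and destination[0] == "port":
            name = PREDEFINED_SERVICES.get((head, destination[1]))
            if name:
                return {"kind": "object", "name": name}
        return {"kind": "transport", "protocol": head,
                "source": source, "destination": destination}

    raise ServiceFormatError(f"unrecognised service format: {entry!r}")


def parse_services(field, service_objects=frozenset(), port_lists=frozenset()):
    """Multiple entries are separated by commas."""
    return [parse_service(e, service_objects, port_lists) for e in field.split(",") if e.strip()]
```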

Edit Sources Dialog Box


Use the Edit Sources dialog box to edit a source entry in a table.
Navigation Path

Double-click the Source entry in the AAA Rules table, or right-click the entry,
then select Edit Sources.
Related Topics

Working with AAA Rules, page 12-89


Field Reference
Table J-45 Edit Sources Dialog Box

Sources*
    Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-127.
    Accepted formats are:
    • a.b.c.d where a,b,c,d = 0–255 (host)
    • a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    • a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    • a.b.c.d/e where e = subnet in x.x.x.x format**
    • Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots. See Understanding Interface Role Objects, page 8-115.
    Enter the source object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically matches the any predefined object.
    Note: If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.


OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Show Source Contents Dialog Box


Use the Show Source Contents dialog box to display all source addresses. The list
shows flattened values of all levels of a source address or Network Object and
sorts the results in ascending order on the IP address, then descending order on
the mask.
Navigation Path

To access the Show Source Contents dialog box, do one of the following:
- Right-click the Source table cell of a rule in the AAA Rules table, then
  click Show Source Contents to display a list of all sources.
- Select an entry (subfield) in the Source table cell of a rule in the AAA
  Rules table, then right-click and select Show <Source> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Network/Host Objects, page 8-127


Field Reference
Table J-46  Show Source Contents Dialog Box

Source Contents
    Lists networks and hosts first, followed by interface roles. You can also
    select a specific source (subfield) in the table, which opens a Show
    <subfield> dialog box.
    - From Policy view: displays global values.
    - From Device view: displays device-specific values.
    - From Map view: displays device-specific values.
    Note: If you entered 0.0.0.0/0 for the source, it automatically matches
    the any predefined object.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.

Edit Destinations Dialog Box


Use the Edit Destinations dialog box to edit a destination entry in a table.
Navigation Path

Double-click the Destination entry in the AAA Rules table, or right-click the
entry, then select Edit Destinations.
Related Topics

Working with AAA Rules, page 12-89


Field Reference
Table J-47  Edit Destinations Dialog Box

Destinations*
    Identifies the destination object names or addresses of hosts and
    networks. Multiple entries are separated by commas. See Understanding
    Network/Host Objects, page 8-127.
    Accepted formats are:
    - a.b.c.d, where a,b,c,d = 0 to 255 (host)
    - a.b.c.d/e, where a,b,c,d = 0 to 255 and e = 1 to 32 (subnet)
    - a.b.c.d-e.f.g.h, where a,b,c,d,e,f,g,h = 0 to 255 (range)*
    - a.b.c.d/e, where e = subnet mask in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a destination. When used,
    the rule behaves as if you supplied the IP address of the selected
    interface. This is useful for interfaces that are DHCP addressed, where
    you cannot know the address that will be used when creating the policies
    because the address is dynamically assigned when the device boots. See
    Understanding Interface Role Objects, page 8-115.
    Enter the destination object names, addresses, or interface roles in the
    field provided or click Select, which opens the Object Selector dialog box
    from which to make your selections. You can also create an object by
    clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the destination, it
    automatically matches the any predefined object.
    Note: If you identify an interface role as a destination, the dialog box
    displays tabs to differentiate between hosts or networks and interface
    roles.


OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Show Destination Contents Dialog Box


Use the Show Destination Contents dialog box to display all destination
addresses. The list shows flattened values of all levels of a destination address or
Network Object and sorts the results in ascending order on the IP address, then
descending order on the mask.
Navigation Path

To access the Show Destination Contents dialog box, do one of the following:
- Right-click the Destination table cell of a rule in the AAA Rules table,
  then click Show Destination Contents to display a list of all destinations.
- Select an entry (subfield) in the Destination table cell of a rule in the
  AAA Rules table, then right-click and select Show <Destination> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Network/Host Objects, page 8-127


Field Reference
Table J-48  Show Destination Contents Dialog Box

Destination Contents
    Lists networks and hosts first, followed by interface roles. You can also
    select a specific destination (subfield) in the table, which opens a Show
    <subfield> dialog box.
    - From Policy view: displays global values.
    - From Device view: displays device-specific values.
    - From Map view: displays device-specific values.
    Note: If you entered 0.0.0.0/0 for the destination, it automatically
    matches the any predefined object.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.
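The address syntax that the Edit Sources and Edit Destinations dialogs accept (the same list is repeated for the Web Filter Rules dialog later on this page), together with the flattening and ordering that the Show Source Contents and Show Destination Contents dialogs describe, as an added worked example in Python. This is illustrative code written for this page, not Security Manager's own implementation: the NETWORK_OBJECTS catalogue and its entries are constructed sample data, and rejecting a discontiguous dotted mask outright is this example's choice (the guide's own handling is described under Contiguous and Discontiguous Network Masks, page 8-129).

```python
"""Parser for the host/network syntax accepted by the Edit Sources and Edit
Destinations dialogs, plus the flattening and ordering described for the Show
Source Contents and Show Destination Contents dialogs. Illustrative code
written for this page, not Cisco Security Manager's own implementation."""
import ipaddress
import re
from typing import Dict, FrozenSet, List

# Constructed stand-in for the Security Manager object catalogue: network/host
# object names mapped to the entries they contain (assumed sample data).
NETWORK_OBJECTS: Dict[str, List[str]] = {
    "net10": ["10.0.0.0/8"],
    "dmz-web": ["192.0.2.10", "192.0.2.11-192.0.2.20"],
    "any": ["0.0.0.0/0"],
}

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_HOST = re.compile(rf"^({_IP})$")
_CIDR = re.compile(rf"^({_IP})/(\d{{1,2}})$")
_MASK = re.compile(rf"^({_IP})/({_IP})$")
_RANGE = re.compile(rf"^({_IP})-({_IP})$")

Network = ipaddress.IPv4Network


def _contiguous_prefix(mask: str) -> int:
    """Prefix length of a dotted mask. A discontiguous mask is rejected here;
    the guide covers how such masks are handled elsewhere (page 8-129)."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous mask: {mask}")
    return prefix


def parse_entry(entry: str, _seen: FrozenSet[str] = frozenset()) -> List[Network]:
    """Expand one entry into IPv4 networks. Accepted forms, as in the dialog:
    a.b.c.d (host), a.b.c.d/e with e = 1..32 (subnet), a.b.c.d-e.f.g.h (range,
    may span several subnets), a.b.c.d/x.x.x.x (dotted mask), or the name of a
    network/host object, which is expanded through every level."""
    e = entry.strip()
    if e == "0.0.0.0/0":                      # the predefined 'any' object
        return [Network("0.0.0.0/0")]
    if m := _HOST.match(e):
        return [Network(f"{m[1]}/32")]
    if m := _CIDR.match(e):
        if not 1 <= int(m[2]) <= 32:
            raise ValueError(f"prefix length must be 1 to 32: {e}")
        # strict=False masks off host bits (10.1.1.1/24 -> 10.1.1.0/24), which
        # is what a device does with such an entry.
        return [Network(e, strict=False)]
    if m := _MASK.match(e):
        return [Network(f"{m[1]}/{_contiguous_prefix(m[2])}", strict=False)]
    if m := _RANGE.match(e):
        lo, hi = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])
        if lo > hi:
            raise ValueError(f"range start is above its end: {e}")
        # A range is summarised into the minimal set of prefixes, which is why
        # one range row can cover more than one subnet.
        return list(ipaddress.summarize_address_range(lo, hi))
    if e in NETWORK_OBJECTS:
        if e in _seen:
            raise ValueError(f"object {e!r} references itself")
        nets: List[Network] = []
        for member in NETWORK_OBJECTS[e]:
            nets.extend(parse_entry(member, _seen | {e}))
        return nets
    raise ValueError(f"unrecognised entry: {entry!r}")


def parse_field(field: str) -> List[Network]:
    """Parse a whole Sources or Destinations field (comma-separated entries)."""
    return [n for item in field.split(",") if item.strip() for n in parse_entry(item)]


def show_contents(field: str) -> List[str]:
    """Flatten a field the way Show Source/Destination Contents does: every
    level of every object expanded, sorted by ascending IP address and then by
    descending mask, so a /32 lists before a /24 at the same address."""
    ordered = sorted(set(parse_field(field)),
                     key=lambda n: (int(n.network_address), -n.prefixlen))
    return ["any" if n.prefixlen == 0 else str(n) for n in ordered]
```

Calling show_contents("dmz-web, 10.1.1.250-10.1.2.5") makes the footnote about ranges concrete: the single range row becomes four prefixes (10.1.1.250/31, 10.1.1.252/30, 10.1.2.0/30, 10.1.2.4/31), so one row in the rules table can correspond to several entries in the generated configuration. The Show Contents dialog is the place to check that expansion before deploying, because a wide range or a nested object can match far more than the row suggests.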

Edit Service Dialog Box


Use the Edit Service dialog box to edit protocols and ports.
Navigation Path

Double-click the Service entry in the AAA Rules table, or right-click the entry,
then select Edit Services.
Related Topics

Working with AAA Rules, page 12-89


Field Reference
Table J-49  Edit Service Dialog Box

Services*
    Identifies service objects that specify protocol and port information.
    Multiple entries are separated by commas. See Understanding Service
    Objects, page 8-159.
    Accepted formats are:
    - <protocol>, where protocol = 1 to 255 or a well-known protocol string,
      for example tcp, udp, or gre.
    - icmp/<icmp_message_type>, where icmp_message_type = 1 to 255 or any
      well-known ICMP message type.
    - tcp | udp | tcp & udp/<port_number>, where port_number = 1 to 65535.
      The port number is the destination port; the source port is the
      default port range.
    - tcp | udp | tcp & udp/<PortListObject>, where PortListObject is a named
      port list object.
    - tcp | udp | tcp & udp/<port_number> | <PortListObject>/<port_number> |
      <PortListObject>. Using this format, you explicitly specify source
      ports outside of the default port range.
    - Freeform text that is the name of a service object.
    Enter the service in the field provided or click Select, which opens the
    Object Selector dialog box from which to make your selections. You can
    also create a service object by clicking the Create button in the Object
    Selector dialog box.
    Note: If you manually enter a service, such as TCP / 80, and that data
    translates directly to a predefined service object, such as HTTP, the
    rule takes the predefined object as its value.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Service Contents Dialog Box


Use the Show Service Contents dialog box to display all services and port
information. The list shows flattened values of all levels of the Service and Port
List objects and sorts the results on: protocol, destination port, and source port.
Navigation Path

To access the Show Service Contents dialog box, do one of the following:
- Right-click the Service table cell of a rule in the AAA Rules table, then
  click Show Service Contents to display a list of all services.
- Select an entry (subfield) in the Service table cell of a rule in the AAA
  Rules table, then right-click and select Show <Service> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Service Objects, page 8-159

Field Reference
Table J-50  Show Service Contents Dialog Box

Service Contents
    - From Policy view: displays global protocol and port values.
    - From Device view: displays device-specific protocol and port values.
    - From Map view: displays device-specific protocol and port values.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.
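The service syntax accepted by the Edit Service dialog, the note that a typed service such as TCP / 80 is replaced by the predefined object it equals, and the protocol/destination-port/source-port ordering described for Show Service Contents, as an added worked example in Python. This is illustrative code written for this page, not Security Manager's own implementation. The PORT_LISTS and SERVICE_OBJECTS catalogues and the protocol and ICMP name tables are constructed sample data, and one reading of the three-part format is assumed: in proto/<ports>/<ports> the first port field is the source and the second the destination.

```python
"""Parser for the service syntax accepted by the Edit Service dialog, plus the
flattening and ordering described for the Show Service Contents dialog.
Illustrative code written for this page, not Cisco Security Manager's own
implementation. Assumption: in the proto/<ports>/<ports> form the first port
field is the source port and the second the destination port."""
from typing import Dict, FrozenSet, List, Tuple

# Constructed stand-ins for the object catalogue (assumed sample data).
PORT_LISTS: Dict[str, List[str]] = {
    "web-ports": ["80", "443", "8080-8081"],
    "ephemeral": ["1024-65535"],
}
SERVICE_OBJECTS: Dict[str, List[str]] = {
    "HTTP": ["tcp/80"],
    "HTTPS": ["tcp/443"],
    "DNS": ["tcp&udp/53"],
    "web-all": ["HTTP", "HTTPS"],
}
IP_PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ah": 51}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
DEFAULT_SRC = (1, 65535)   # the "default port range": any source port
NONE = (0, 0)              # placeholder when a field does not apply

# A flattened service: (protocol, destination ports, source ports). For icmp the
# destination slot carries the message type; a bare protocol has NONE in both.
Service = Tuple[str, Tuple[int, int], Tuple[int, int]]


def _port_range(text: str) -> Tuple[int, int]:
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"port out of range: {text}")
    return lo_i, hi_i


def _ports(text: str) -> List[Tuple[int, int]]:
    """A port field is a number, a range, or the name of a port list object."""
    if text in PORT_LISTS:
        return [_port_range(p) for p in PORT_LISTS[text]]
    return [_port_range(text)]


def parse_service(entry: str, _seen: FrozenSet[str] = frozenset()) -> List[Service]:
    """Expand one entry into flattened services through every object level."""
    e = entry.strip()
    if e in SERVICE_OBJECTS:
        if e in _seen:
            raise ValueError(f"service object {e!r} references itself")
        return [s for m in SERVICE_OBJECTS[e] for s in parse_service(m, _seen | {e})]
    parts = [p.replace(" ", "").lower() for p in e.split("/")]
    proto = parts[0]
    if proto in ("tcp", "udp", "tcp&udp") and len(parts) in (2, 3):
        protos = ["tcp", "udp"] if proto == "tcp&udp" else [proto]
        # proto/<dst> takes the default source range; proto/<src>/<dst> sets it
        src = [DEFAULT_SRC] if len(parts) == 2 else _ports(parts[1])
        dst = _ports(parts[-1])
        return [(p, d, s) for p in protos for d in dst for s in src]
    if proto == "icmp" and len(parts) == 2:
        t = ICMP_TYPES[parts[1]] if parts[1] in ICMP_TYPES else int(parts[1])
        if not 0 <= t <= 255:            # echo-reply is type 0, so 0 is accepted
            raise ValueError(f"icmp type out of range: {entry!r}")
        return [("icmp", (t, t), NONE)]
    if len(parts) == 1 and (proto in IP_PROTOCOLS
                            or proto.isdigit() and 1 <= int(proto) <= 255):
        return [(proto, NONE, NONE)]
    raise ValueError(f"unrecognised service: {entry!r}")


def normalize_entry(entry: str) -> str:
    """A manually typed service that equals a predefined object (TCP / 80 ->
    HTTP) is replaced by that object's name, as the dialog's note describes."""
    flat = set(parse_service(entry))
    for name in SERVICE_OBJECTS:
        if set(parse_service(name)) == flat:
            return name
    return entry.strip()


def _rng(r: Tuple[int, int]) -> str:
    return str(r[0]) if r[0] == r[1] else f"{r[0]}-{r[1]}"


def _fmt(svc: Service) -> str:
    proto, dst, src = svc
    if dst == NONE:
        return proto
    if proto == "icmp":
        return f"icmp/{dst[0]}"
    return f"{proto}/{_rng(dst)}" if src == DEFAULT_SRC else f"{proto}/{_rng(src)}/{_rng(dst)}"


def show_service_contents(field: str) -> List[str]:
    """Flatten a comma-separated Services field and sort as the Show Service
    Contents dialog does: by protocol, then destination port, then source port."""
    flat = {s for item in field.split(",") if item.strip() for s in parse_service(item)}
    return [_fmt(s) for s in sorted(flat)]
```

Because the tuple is ordered (protocol, destination, source), Python's natural tuple sort yields exactly the order the dialog describes, and tcp & udp entries split into one tcp and one udp line each. The normalization matters for review: a rule that shows HTTP was not necessarily created from the HTTP object, it may have been typed as tcp/80, which is why the flattened view is the reliable way to see what will actually be matched.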


Edit Interfaces Dialog Box


Use the Edit Interfaces dialog box to edit an interface entry in a table.
Navigation Path

Double-click the entry in the AAA Rules table, or right-click the entry, then select
Edit Interfaces.
Related Topics

Working with AAA Rules, page 12-89

Field Reference
Table J-51  Edit Interfaces Dialog Box

Interfaces*
    Identifies the logical name of the interface (interface role) or physical
    interface to which a rule is assigned. See Understanding Interface Role
    Objects, page 8-115.
    For example:
    - All DMZs
    - All Fast Ethernets
    - All Interfaces
    - FastEthernet0
    Enter the interface in the field provided or click Select, which opens the
    Interface Selector dialog box from which to make your selection. You can
    also create an interface role by clicking the Create button in the
    Interface Selector dialog box.
    Note: Interface roles are objects that are used to help you configure
    firewall rules. The objects are replaced with the actual interface names
    when the configuration is generated for each device.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Interface Contents Dialog Box


Use the Show Interface Contents dialog box to display each role type as a separate
listing in the table if you are working from Policy view, or display actual interface
names if you are working from Device view.
The list shows flattened values of all levels of an address, network object, or
interface role and sorts the results in ascending order on the IP address, then
descending order on the mask.
You can display a list of all interfaces by clicking on a table cell or specific entry
(subfield) within the table cell, then clicking either Show Interface Contents (for
a table cell) or Show <Interface> Contents (for a subfield) from the shortcut
menu.
Navigation Path

To access the Show Interface Contents dialog box, do one of the following:
- Right-click the Interface table cell of a rule in the AAA Rules table, then
  click Show Interface Contents.
- Select an entry (subfield) in the Interface table cell of a rule in the AAA
  Rules table, then right-click and select Show <Interface> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Interface Role Objects, page 8-115

Field Reference
Table J-52  Show Interface Contents Dialog Box

Interface Contents
    - From Policy view: displays each role type as a separate listing in the
      table.
    - From Device view: displays actual interface names.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.


Edit AAA Option Dialog Box


Use the Edit AAA Option dialog box to edit the method for access entry.
Navigation Path

To access the Edit AAA Option dialog box, do one of the following:
- (Device view) Select a device, then select Firewall > AAA Rules from the
  Device selector. Right-click the entry in the Action column of the AAA
  Rules table, then click Edit AAA.
- (Policy view) Select Firewall > AAA Rules from the Policy selector.
  Right-click the entry in the Action column of the AAA Rules table, then
  click Edit AAA.

Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89


Field Reference
Table J-53  Edit AAA Option Dialog Box

Authentication
    When selected, indicates that the rule controls traffic based on who the
    user is. Authentication provides the method of identifying users,
    including login and password dialog, challenge and response, messaging
    support, and, depending on the security protocol you select, encryption.
    Authentication is the way a user is identified prior to being allowed
    access to the network and network services.

Authorization (PIX/ASA)
    When selected, indicates that the rule controls traffic based on what the
    user is allowed to do. Authorization provides the method for remote
    access control, including one-time authorization or authorization for
    each service, per-user account list and profile, user group support, and
    support of IP and Telnet. AAA authorization works by assembling a set of
    attributes that describe what the user is authorized to perform.


Accounting (PIX/ASA)
    When selected, indicates that the rule controls traffic based on what the
    user did. Accounting provides the method for collecting and sending
    security server information used for billing, auditing, and reporting,
    such as user identities, start and stop times, executed commands (such as
    PPP), number of packets, and number of bytes. Accounting enables you to
    track the services users are accessing as well as the amount of network
    resources they are consuming.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

AuthProxy Dialog Box


Use the AuthProxy dialog box to edit an IOS traffic type entry in a table.
Navigation Path

To access the AuthProxy dialog box, right-click the entry in the AuthProxy
column of the AAA Rules table, then click Edit AuthProxy.
Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Field Reference
Table J-54  AuthProxy Dialog Box

HTTP
    Specifies HTTP to trigger the authentication proxy.

FTP
    Specifies FTP to trigger the authentication proxy.


Telnet
    Specifies Telnet to trigger the authentication proxy.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

Edit AAA Server Group Dialog Box


Use the Edit AAA Server Group dialog box to edit a server group entry in a table.
Navigation Path

To access the Edit AAA Server Group dialog box, right-click the entry in the
Server Group column of the AAA Rules table, then click Edit Server Group.
Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding AAA Server Group Objects, page 8-16


Field Reference
Table J-55  Edit AAA Server Group Dialog Box

AAA Server Group
    Identifies the AAA Server Group. Enter the AAA Server Object in the field
    provided or click Select, which opens the Object Selector dialog box from
    which to make your selections. You can also create an object by clicking
    the Create button in the Object Selector dialog box.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

Edit Category Dialog Box


Use the Edit Category dialog box to edit a category entry in a table.
Navigation Path

Double-click the Category entry in the AAA Rules table, or right-click the entry,
then select Edit Category.
Related Topics

Editing AAA Rules, page 12-94

Adding AAA Rules, page 12-91

Working with AAA Rules, page 12-89

Understanding Category Objects, page 8-48


Field Reference
Table J-56  Edit Category Dialog Box

Category
    Provides an intermediate level of detail to objects and rules by use of
    color-coding. Color-coding helps you readily identify objects and rules
    when you are viewing policy tables.
    Note: No commands are generated for the category attribute.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

Edit Description Dialog Box


Use the Edit Description dialog box to edit a user-defined description entry in a
table.
Navigation Path

Double-click the Description entry in the AAA Rules table, or right-click the
entry, then select Edit Description.
Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89


Field Reference
Table J-57  Edit Description Dialog Box

Description
    Enables you to enter a user-defined description to help you identify a
    rule when viewing the rules table. A maximum of 1024 characters is
    allowed.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when
    you log out or close your client, click Save on the source page.

Web Filter Rules Page (PIX/ASA)


Use the Web Filter Rules page to identify web filter rules defined in
Security Manager for PIX and ASA devices.
From the Web Filter Rules page, you can add, edit, and delete rules, reorder rules,
and enable or disable rules in the table. You perform these tasks using either the
shortcut menu, which is accessed by right-clicking a table cell, or by selecting the
appropriate buttons located below the table.
Navigation Path

To access the Web Filter Rules page for PIX/ASA devices, do one of the
following:
- (Device view) Select a device, then select Firewall > Web Filter Rules from
  the Device selector.
- (Policy view) Select Firewall > Web Filter Rules from the Policy selector.

Related Topics

Understanding Web Filter Rules, page 12-101


Field Reference
Table J-58  Web Filter Rules Page (PIX/ASA)

Filter
    Filters the information displayed in the table. Click the arrow to display
    the filtering bar, which enables you to set filtering parameters. See
    Filtering Tables, page 3-24.

No.
    Identifies the ordered rule number in the table.

Source
    Identifies the source network object names or addresses of hosts and
    networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
    and net10. Interface roles can also be used to identify a source. Multiple
    entries are displayed as separate subfields within the table cell. See:
    - Understanding Network/Host Objects, page 8-127.
    - Understanding Interface Role Objects, page 8-115.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically
    matches the any predefined object.

Destination
    Identifies the destination network object names or addresses of hosts and
    networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
    and net10. Interface roles can also be used to identify a destination.
    Multiple entries are displayed as separate subfields within the table
    cell. See:
    - Understanding Network/Host Objects, page 8-127.
    - Understanding Interface Role Objects, page 8-115.
    Note: If you manually enter 0.0.0.0/0 for the destination, it
    automatically matches the any predefined object.

Service
    Identifies service objects that specify protocol and port information.
    Multiple entries are displayed as separate subfields within the table
    cell. See Understanding Service Objects, page 8-159.
    Note: If you manually enter a service, such as TCP / 80, and that data
    translates directly to a predefined service object, such as HTTP, the
    rule takes the predefined object as its value.

Type
    Displays filtering parameters.

Options
    Displays additional configuration options for the selected protocol.


Category
    Provides an intermediate level of detail to objects and rules by use of
    color-coding. Color-coding helps you readily identify objects and rules
    when you are viewing policy tables. See Understanding Category Objects,
    page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Shows a user-defined description to help you identify a rule when viewing
    the rules table. A maximum of 1024 characters is allowed.

Tools button
    Provides you with a list of tools for generating various reports, such as
    rule analysis, the ability to combine rules in table sections, checking
    ACE hit count, and performing policy queries, and initializes the process
    for importing ACEs into Security Manager.
    Note: Currently this feature supports only the Query tool for web filter
    rules.

Query
    Invokes a utility to run queries against existing rules in a rule table.
    Query results are displayed in a report. See Using Policy Query, page
    12-37.

Find and Replace button (binoculars icon)
    Searches for values in rules tables, such as IP addresses and policy
    object names, to facilitate locating and making changes to rules in
    tables. See Using Find and Replace, page 12-18.

Up button
    Moves a rule up one row in the table. Select a rule in the table to
    activate the appropriate buttons.

Down button
    Moves a rule down one row in the table. Select a rule in the table to
    activate the appropriate buttons.

Add button
    Adds a rule to the table.

Edit button
    Edits an existing rule in the table.

Delete button
    Deletes a rule from the table.

Save button
    Saves your changes to the server, but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.


Add and Edit PIX/FWSM/ASA Rules Dialog Boxes


Use the Add and Edit PIX/FWSM/ASA Rules dialog boxes to set values for Web
Filter Rules for those platforms.
Navigation Path

To access the PIX/FWSM/ASA Rules dialog box, do one of the following:
- (Device view) Select a device, then select Firewall > Web Filter Rules from
  the Device selector. Right-click inside the work area, then click Add Row,
  or right-click a rule, then click Edit Row.
- (Policy view) Select Firewall > Web Filter Rules from the Policy selector.
  Right-click inside the work area, then click Add Row, or right-click a
  rule, then click Edit Row.

Related Topics

Adding Web Filter Rules (PIX/ASA), page 12-103

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101


Field Reference
Table J-59  Add and Edit PIX/FWSM/ASA Web Filter Rule Dialog Boxes

Enable Rule
    When selected, indicates that the rule becomes active on a device after
    the configuration is generated and deployed.
    When viewing the main rules tables:
    - An enabled rule is shown without hash marks.
    - A disabled rule is shown with hash marks.
    Note: A disabled rule is not generated and deployed to devices; however,
    it is retained in the rules table for debugging purposes.

Filtering
    Lists options for handling filtering:
    - Filter: Limits traffic to particular sites and limits traffic between
      two entities.
    - Filter Except: Exempts specific traffic from filtering.
    Note: Filter except rules are recognized before filter rules.

Type
    Describes what should be filtered.
    - URL: HTTP filtering using an external filtering server, such as
      Websense or N2H2.
    - HTTPS: Supported on Websense filtering servers only.
    - Java: Supported on Websense and N2H2 servers.
    - ActiveX: Supported on Websense and N2H2 servers.
    - FTP: Supported on Websense filtering servers only.


Sources*
    Identifies the source object names or addresses of hosts and networks.
    Multiple entries are separated by commas. See Understanding Network/Host
    Objects, page 8-127.
    Accepted formats are:
    - a.b.c.d, where a,b,c,d = 0 to 255 (host)
    - a.b.c.d/e, where a,b,c,d = 0 to 255 and e = 1 to 32 (subnet)
    - a.b.c.d-e.f.g.h, where a,b,c,d,e,f,g,h = 0 to 255 (range)*
    - a.b.c.d/e, where e = subnet mask in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a source. When used, the rule
    behaves as if you supplied the IP address of the selected interface. This
    is useful for interfaces that are DHCP addressed, where you cannot know
    the address that will be used when creating the policies because the
    address is dynamically assigned when the device boots.
    Enter the addresses or names in the field provided, or click Select, which
    opens the Object Selector dialog box from which to make your selections.
    You can also create an object by clicking the Create button in the Object
    Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically
    matches the any predefined object.
    Note: If you identify an interface role as a source, the dialog box
    displays tabs to differentiate between hosts or networks and interface
    roles.


Destinations*
    Identifies the destination object names or addresses of hosts and
    networks. Multiple entries are separated by commas. See Understanding
    Network/Host Objects, page 8-127.
    Accepted formats are:
    - a.b.c.d, where a,b,c,d = 0 to 255 (host)
    - a.b.c.d/e, where a,b,c,d = 0 to 255 and e = 1 to 32 (subnet)
    - a.b.c.d-e.f.g.h, where a,b,c,d,e,f,g,h = 0 to 255 (range)*
    - a.b.c.d/e, where e = subnet mask in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and
    Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a destination. When used,
    the rule behaves as if you supplied the IP address of the selected
    interface. This is useful for interfaces that are DHCP addressed, where
    you cannot know the address that will be used when creating the policies
    because the address is dynamically assigned when the device boots.
    Enter the addresses or names in the field provided, or click Select, which
    opens the Object Selector dialog box from which to make your selections.
    You can also create an object by clicking the Create button in the Object
    Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the destination, it
    automatically matches the any predefined object.
    Note: If you identify an interface role as a destination, the dialog box
    displays tabs to differentiate between hosts or networks and interface
    roles.


Services*
    Identifies service objects that specify protocol and port information.
    Multiple entries are separated by commas. See Understanding Service
    Objects, page 8-159.
    Accepted formats are:
    - <protocol>, where protocol = 1 to 255 or a well-known protocol string,
      for example tcp, udp, or gre.
    - icmp/<icmp_message_type>, where icmp_message_type = 1 to 255 or any
      well-known ICMP message type.
    - tcp | udp | tcp & udp/<port_number>, where port_number = 1 to 65535.
      The port number is the destination port; the source port is the
      default port range.
    - tcp | udp | tcp & udp/<PortListObject>, where PortListObject is a named
      port list object.
    - tcp | udp | tcp & udp/<port_number> | <PortListObject>/<port_number> |
      <PortListObject>. Using this format, you explicitly specify source
      ports outside of the default port range.
    - Freeform text that is the name of a service object.
    Enter the service in the field provided or click Select, which opens the
    Object Selector dialog box from which to make your selections. You can
    also create a service object by clicking the Create button in the Object
    Selector dialog box.
    Note: If you manually enter a service, such as TCP / 80, and that data
    translates directly to a predefined service object, such as HTTP, the
    rule takes the predefined object as its value.
    Note: The Services field is not applicable when Filter Except is
    selected.


Table J-59 Add and Edit PIX/FWSM/ASA Web Filter Rule Dialog Boxes (continued)

Element (1)    Description

Allow traffic if URL Filter Server unavailable
    When selected, permits outbound connections to pass through the security appliance without filtering if the server is unavailable.
    If you omit this option and if the N2H2 or Websense server goes offline, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back online.

Block connection to HTTP Proxy Server
    When selected, prevents users from connecting to an HTTP proxy server.

Truncate CGI request by removing CGI parameters
    When selected, truncates CGI URLs to include only the CGI script location and the script name without any parameters. When a URL has a parameter list starting with a question mark (?), the URL sent to the filtering server is truncated by removing all characters after and including the question mark.

Long URL
    Lists options for handling long URLs:
    - Drop: Drops the packet if a URL exceeds the maximum permitted size (default). To avoid this, you can set the security appliance to truncate a long URL.
    - Truncate: Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.
    - Deny: Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.
    Note: Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.

Category
    Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.
    Note: No commands are generated for the category attribute.

Description
    Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Edit Sources Dialog Box

Use the Edit Sources dialog box to edit a source entry in a table.

Navigation Path

Double-click the Source entry in the Web Filter Rules table, or right-click the entry, then select Edit Sources.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101
- Understanding Network/Host Objects, page 8-127


Field Reference

Table J-60 Edit Sources Dialog Box

Element (1)    Description

Sources*
    Identifies the network object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:
    - a.b.c.d where a,b,c,d = 0–255 (host)
    - a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    - a.b.c.d/e where e = subnet in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.
    Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically matches the any predefined object.
    Note: If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Source Contents Dialog Box

Use the Show Source Contents dialog box to display all source addresses. The list shows flattened values of all levels of a source address or Network Object and sorts the results in ascending order on the IP address, then descending order on the mask.
You can display a list of all sources by clicking on a table cell or specific entry (subfield) within the table cell, then clicking either Show Source Contents (for a table cell) or Show <Source> Contents (for a subfield) from the shortcut menu.

Navigation Path

To access the Show Source Contents dialog box, do one of the following:
- Right-click the Source table cell of a rule in the Web Filter Rules table, then click Show Source Contents to display a list of all sources.
- Select an entry (subfield) in the Source table cell of a rule in the Web Filter Rules table, then right-click and select Show <Source> Contents.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101
- Understanding Network/Host Objects, page 8-127


Field Reference

Table J-61 Show Source Contents Dialog Box

Element    Description

Source Contents
    - From Policy view: displays global values.
    - From Device view: displays device-specific values.
    - From Map view: displays device-specific values.
    Note: If you entered 0.0.0.0/0 for the source, it automatically matches the any predefined object.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.

Edit Destinations Dialog Box

Use the Edit Destinations dialog box to edit a destination entry in a table.

Navigation Path

Double-click the Destination entry in the Web Filter Rules table, or right-click the entry, then select Edit Destinations.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Understanding Network/Host Objects, page 8-127


Field Reference

Table J-62 Edit Destinations Dialog Box

Element (1)    Description

Destinations*
    Identifies the network object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:
    - a.b.c.d where a,b,c,d = 0–255 (host)
    - a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    - a.b.c.d/e where e = subnet in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
    Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.
    Enter the addresses or names in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the destination, it automatically matches the any predefined object.
    Note: If you identify an interface role as a destination, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Show Destination Contents Dialog Box

Use the Show Destination Contents dialog box to display all destination addresses. The list shows flattened values of all levels of a destination address or Network Object and sorts the results in ascending order on the IP address, then descending order on the mask.

Navigation Path

To access the Show Destination Contents dialog box, do one of the following:
- Right-click the Destination table cell of a rule in the Web Filter Rules table, then click Show Destination Contents to display a list of all destinations.
- Select an entry (subfield) in the Destination table cell of a rule in the Web Filter Rules table, then right-click and select Show <Destination> Contents.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101
- Understanding Network/Host Objects, page 8-127

Field Reference

Table J-63 Show Destination Contents Dialog Box

Element    Description

Destination Contents
    - From Policy view: displays global values.
    - From Device view: displays device-specific values.
    - From Map view: displays device-specific values.
    Note: If you entered 0.0.0.0/0 for the destination, it automatically matches the any predefined object.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.


Edit Service Dialog Box

Use the Edit Service dialog box to edit protocols and ports.

Note: Inline editing for services is not available if you have selected Filter Except as the filtering type.

Navigation Path

Double-click the Service entry in the Web Filter Rules table, or right-click the entry, then select Edit Services.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101
- Understanding Service Objects, page 8-159


Field Reference

Table J-64 Edit Service Dialog Box

Element (1)    Description

Services*
    Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. Accepted formats are:
    - <protocol> where protocol = 1–255 or a well-known protocol string, for example, tcp, udp, gre, etc.
    - icmp/<icmp_message_type> where icmp_message_type = 1–255 or any well-known icmp message type.
    - tcp | udp | tcp&udp/<port_number>, where port_number = 1–65535. The port number is for destination ports; source ports = default port range.
    - tcp | udp | tcp&udp/<PortListObject>, where PortListObject is a named port list object.
    - tcp | udp | tcp&udp/<port_number> | PortListObject/<port_number> | PortListObject. Using this format, you explicitly specify source ports outside of the default port range.
    - Freeform text that is the name of a service object.
    Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.
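The service formats accepted by the Services field in Tables J-59 and J-64, including the note that an entry such as TCP / 80 becomes the predefined HTTP object, as an added Python example (not Security Manager code). The protocol table, ICMP type table, predefined objects and port list object names are constructed for the example, and it assumes the two-port form is written source/destination.

```python
from dataclasses import dataclass
from typing import Optional

# Sample subsets, constructed for this example; the product's own tables are larger.
WELL_KNOWN_PROTOCOLS = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51, "icmp": 1}
WELL_KNOWN_ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
DEFAULT_SOURCE_PORTS = "default"          # stands for the appliance's default port range
_PORT_PROTOCOLS = ("tcp", "udp", "tcp&udp")


@dataclass(frozen=True)
class Service:
    protocol: str                      # 'tcp', 'udp', 'tcp&udp', 'icmp', 'gre', ... or '1'-'255'
    icmp_type: Optional[int] = None
    source: Optional[str] = None       # port number, port list object name, or DEFAULT_SOURCE_PORTS
    destination: Optional[str] = None  # port number or port list object name


# Constructed stand-in for the predefined service objects, keyed by object name.
PREDEFINED = {
    "HTTP": Service("tcp", source=DEFAULT_SOURCE_PORTS, destination="80"),
    "HTTPS": Service("tcp", source=DEFAULT_SOURCE_PORTS, destination="443"),
    "DNS-UDP": Service("udp", source=DEFAULT_SOURCE_PORTS, destination="53"),
}
_PREDEFINED_BY_VALUE = {svc: name for name, svc in PREDEFINED.items()}


def _port_or_list(token, port_lists):
    """A port field is a port number 1-65535 or the name of a port list object."""
    if token.isdigit():
        if not 1 <= int(token) <= 65535:
            raise ValueError(f"port out of range 1-65535: {token}")
        return str(int(token))
    if token in port_lists:
        return token
    raise ValueError(f"not a port number or known port list object: {token!r}")


def parse_service(text, port_lists=(), service_objects=None):
    """Parse one entry of the Services field into a Service value."""
    service_objects = service_objects or {}
    parts = [p.strip() for p in text.split("/")]
    proto = parts[0].replace(" ", "").lower()   # 'TCP / 80' and 'tcp & udp' are accepted
    if len(parts) == 1:
        if proto in WELL_KNOWN_PROTOCOLS or (proto.isdigit() and 1 <= int(proto) <= 255):
            return Service(proto)
        if parts[0] in service_objects:         # freeform text naming a service object
            return service_objects[parts[0]]
        raise ValueError(f"unknown protocol or service object: {text!r}")
    if proto == "icmp" and len(parts) == 2:
        t = parts[1].lower()
        if t.isdigit() and 1 <= int(t) <= 255:
            return Service("icmp", icmp_type=int(t))
        if t in WELL_KNOWN_ICMP_TYPES:
            return Service("icmp", icmp_type=WELL_KNOWN_ICMP_TYPES[t])
        raise ValueError(f"unknown icmp message type: {parts[1]!r}")
    if proto in _PORT_PROTOCOLS and len(parts) == 2:
        # One port field: it is the destination; source ports are the default range.
        return Service(proto, source=DEFAULT_SOURCE_PORTS,
                       destination=_port_or_list(parts[1], port_lists))
    if proto in _PORT_PROTOCOLS and len(parts) == 3:
        # Two port fields: explicit source ports. This example assumes the order
        # is source/destination; the guide does not spell the order out.
        return Service(proto, source=_port_or_list(parts[1], port_lists),
                       destination=_port_or_list(parts[2], port_lists))
    raise ValueError(f"not an accepted service format: {text!r}")


def canonical(svc):
    """Text form used when no predefined object matches."""
    if svc.icmp_type is not None:
        return f"icmp/{svc.icmp_type}"
    if svc.destination is None:
        return svc.protocol
    if svc.source == DEFAULT_SOURCE_PORTS:
        return f"{svc.protocol}/{svc.destination}"
    return f"{svc.protocol}/{svc.source}/{svc.destination}"


def rule_value(text, port_lists=(), service_objects=None):
    """Value the rule takes: the predefined object's name when the entry
    translates directly to one (TCP / 80 -> HTTP), otherwise the canonical text."""
    svc = parse_service(text, port_lists, service_objects)
    return _PREDEFINED_BY_VALUE.get(svc, canonical(svc))


def parse_services_field(field, port_lists=(), service_objects=None):
    """Whole Services field: entries separated by commas."""
    return [rule_value(p, port_lists, service_objects) for p in field.split(",") if p.strip()]
```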


Show Service Contents Dialog Box

Use the Show Service Contents dialog box to display all services and port information. The list shows flattened values of all levels of the Service and Port List objects and sorts the results on: protocol, destination port, and source port.

Navigation Path

To access the Show Service Contents dialog box, do one of the following:
- Right-click the Service table cell of a rule in the Web Filter Rules table, then click Show Service Contents to display a list of all services.
- Select an entry (subfield) in the Service table cell of a rule in the Web Filter Rules table, then right-click and select Show <Service> Contents.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101
- Understanding Service Objects, page 8-159

Field Reference

Table J-65 Show Service Dialog Box

Element    Description

Service Contents
    - From Policy view: displays global protocol and port values.
    - From Device view: displays device-specific protocol and port values.
    - From Map view: displays device-specific protocol and port values.

Close button
    Closes the dialog box without saving your changes.

Help button
    Opens help for this page.


Edit Web Filter Type Dialog Box

Use the Edit Web Filter Type dialog box to edit filtering and service entries.

Navigation Path

To access the Edit Web Filter Type dialog box, right-click the entry in the Type column of the Web Filter Rules table, then click Edit Web Filter Type.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101

Field Reference

Table J-66 Edit Web Filter Type Dialog Box

Element    Description

Filtering
    Lists options for handling filtering:
    - Filter: Limits traffic to particular sites, and limits traffic between two entities.
    - Filter Except: Exempts specific traffic from filtering.
    Note: Filter Except rules are recognized before filter rules.

Action
    Describes what should occur based on the conditions set.
    - Permit: Allows traffic.
    - Deny: Denies traffic.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit Web Filter Options Dialog Box

Use the Edit Web Filter Options dialog box to edit additional options entries based on the service selected.

Navigation Path

Right-click the entry in the Options column of the Web Filter Rules table, then click Edit Web Filter Rule Options.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101

Field Reference

Table J-67 Edit Web Filter Options Dialog Box

Element    Description

Allow traffic if URL Filter Server unavailable
    When selected, permits outbound connections to pass through the security appliance without filtering if the server is unavailable.
    Note: If you omit this option and if the N2H2 or Websense server goes offline, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back online.

Block connection to HTTP Proxy Server
    When selected, prevents users from connecting to an HTTP proxy server.

Truncate CGI request by removing CGI parameters
    When selected, truncates CGI URLs to include only the CGI script location and the script name without any parameters. When a URL has a parameter list starting with a question mark (?), the URL sent to the filtering server is truncated by removing all characters after and including the question mark.

Block outbound traffic if absolute FTP path is not provided
    When selected, blocks traffic if an exact path to a particular directory is not specified.

Long URL
    Lists options for handling long URLs:
    - Drop: Drops the packet if a URL exceeds the maximum permitted size (default). To avoid this, you can set the security appliance to truncate a long URL.
    - Truncate: Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.
    - Deny: Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.
    Note: Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.
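The Allow traffic if URL Filter Server unavailable, Block connection to HTTP Proxy Server, Truncate CGI request and Long URL options described in Tables J-59 and J-67, modelled as an added Python example (not Cisco or Security Manager code). The Request view of an outbound connection and the order in which the options are applied are assumptions of the example; the 4 KB and 1159-byte limits are the ones the note states.

```python
from dataclasses import dataclass
from typing import Optional

# From the note in the table: URLs up to 4 KB for Websense, up to 1159 bytes for N2H2.
URL_BUFFER_LIMIT = {"websense": 4 * 1024, "n2h2": 1159}


@dataclass
class FilterOptions:
    server_type: str = "websense"                 # 'websense' or 'n2h2'
    allow_if_server_unavailable: bool = False     # "Allow traffic if URL Filter Server unavailable"
    block_http_proxy: bool = False                # "Block connection to HTTP Proxy Server"
    truncate_cgi_parameters: bool = False         # "Truncate CGI request by removing CGI parameters"
    long_url: str = "drop"                        # 'drop' (default), 'truncate' or 'deny'


@dataclass
class Request:
    """Constructed view of one outbound HTTP request (assumption of this example)."""
    host: str                     # originating hostname or IP address
    url: str                      # full URL the client asked for
    to_http_proxy: bool = False   # request is a connection to an HTTP proxy server


@dataclass
class Decision:
    action: str                     # 'lookup', 'pass', 'drop' or 'deny'
    url_sent: Optional[str] = None  # what reaches the filtering server, if anything
    reason: str = ""


def truncate_cgi(url):
    """Keep only the script location and name: cut from the first '?' onward."""
    i = url.find("?")
    return url if i < 0 else url[:i]


def evaluate(req, opts, server_online=True):
    """Apply the options in the order this example assumes: proxy block, CGI
    truncation, long-URL handling, then filtering server availability."""
    if opts.block_http_proxy and req.to_http_proxy:
        return Decision("deny", reason="connections to HTTP proxy servers are blocked")
    url = truncate_cgi(req.url) if opts.truncate_cgi_parameters else req.url
    limit = URL_BUFFER_LIMIT[opts.server_type]
    if len(url.encode("utf-8")) > limit:
        if opts.long_url == "truncate":
            url = req.host        # only the originating hostname or IP address is sent
        elif opts.long_url == "deny":
            return Decision("deny", reason=f"URL longer than {limit} bytes")
        else:
            return Decision("drop", reason=f"URL longer than {limit} bytes (default)")
    if not server_online:
        if opts.allow_if_server_unavailable:
            return Decision("pass", reason="filter server unavailable; passed without filtering")
        return Decision("drop", reason="filter server unavailable; outbound port 80 traffic stopped")
    return Decision("lookup", url_sent=url, reason="sent to the filtering server")
```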

Edit Category Dialog Box

Use the Edit Category dialog box to edit a category entry in a table.

Navigation Path

Double-click the Category entry in the Web Filter Rules table, or right-click the entry, then select Edit Category.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101
- Understanding Category Objects, page 8-48


Field Reference

Table J-68 Edit Category Dialog Box

Element    Description

Category
    Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables.
    Note: No commands are generated for the category attribute.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Edit Description Dialog Box

Use the Edit Description dialog box to edit a user-defined description entry in a table.

Navigation Path

Double-click the Description entry in the Web Filter Rules table, or right-click the entry, then select Edit Description.

Related Topics

- Adding Web Filter Rules (PIX/ASA), page 12-103
- Editing Web Filter Rules (PIX/ASA), page 12-106
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101


Field Reference

Table J-69 Edit Description Dialog Box

Element    Description

Description
    Enables you to enter a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Web Filter Rules Page (IOS)

Use the Web Filter Rules page to identify web filter rules defined in Security Manager for IOS devices.
From the Web Filter Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or the appropriate buttons located below the table.
The Web Filter Rules page for IOS devices is divided into two sections:
- Web Filter Rules: Defines Web Filter Rules for IOS devices.
- Exclusive Domains: Defines specified domain names that either permit or deny traffic based on their URLs without having to check the URL server.

Navigation Path

To access the Web Filter Rules page for IOS devices, do one of the following:
- (Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector.
- (Policy view) Select Firewall > Web Filter Rules from the Policy selector.

Related Topics

- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101


Field Reference

Table J-70 Web Filter Rules Page (IOS)

Element    Description

Web Filter Rule tab
    Defines web filter rules for IOS devices. The Web Filter Rules tab opens by default the first time the page appears. For a description of the GUI elements, see Table J-71.

Exclusive Domains tab
    Defines specified domain names that either permit or deny traffic based on their URLs without having to check the URL server. For a description of the GUI elements, see Table J-72.

Add button
    Adds a rule to the table.

Edit button
    Edits an existing rule in the table.

Delete button
    Deletes a rule from the table.

Save button
    Saves your changes to the server, but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.

Web Filter Rules Tab

Use the Web Filter Rules page to define Web Filter Rules for IOS devices.

Navigation Path

To access the Web Filter Rules page for IOS devices, do one of the following:
- (Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector.
- (Policy view) Select Firewall > Web Filter Rules from the Policy selector.

Related Topics

- Adding Web Filter Rules (IOS), page 12-112
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101


Field Reference

Table J-71 Web Filter Rules Tab (for IOS)

Element    Description

Interface
    Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-115.
    For example:
    - All DMZs
    - All Fast Ethernets
    - All Interfaces
    - FastEthernet0
    Note: Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Traffic Direction
    Enables you to further define deep packet inspection by identifying traffic direction within a network:
    - In: Packets entering a network.
    - Out: Packets exiting a network.

Enable Web Filter
    When selected, limits traffic to particular sites and limits traffic between two entities.
    - When enabled, shown as True in the table.
    - When disabled, shown as False in the table.

Java Applet Scanner

Enable Java Applet Scanner
    When selected, the IOS device checks for the presence of Java applets in HTTP traffic coming from webservers to internal hosts. If a Java applet is present and the webserver (applet source) is in the list of permitted sources, the Java applet is left unmodified in the HTTP traffic. Otherwise, the Java applet is removed from HTTP pages.
    When Java applet scanner is disabled, the IOS device does not scan for Java applets; it allows Java applets from all sources.
    - When enabled, shown as True in the table.
    - When disabled, shown as False in the table.

Applet Sources
    Identifies the network object names or addresses of web servers. Multiple entries are displayed as separate subfields within the table cell. See Understanding Network/Host Objects, page 8-127.
    Accepted formats are:
    - a.b.c.d where a,b,c,d = 0–255 (host)
    - a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
    - a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
    - a.b.c.d/e where e = subnet in x.x.x.x format**
    - Freeform text that is the name of a network object
    *IP address ranges can span more than one subnet.
    **For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-129.
    Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
    Note: If you manually enter 0.0.0.0/0 for the source, it automatically matches the any predefined object.

Permit
    Refers to those domain names for which access is explicitly permitted or denied by IOS.
    - When permitted, shown as Permit in the table.
    - When not permitted, shown as Deny in the table.

Add button
    Adds a rule to the table.

Edit button
    Edits an existing rule in the table.

Delete button
    Deletes a rule from the table.

Save button
    Saves your changes to the server, but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.

Exclusive Domains Tab

Use the Exclusive Domains page to define specified domain names that either permit or deny traffic based on their URLs without having to check the URL server.

Navigation Path

To access the Exclusive Domains tab, do one of the following:
- (Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector.
- (Policy view) Select Firewall > Web Filter Rules from the Policy selector.

Related Topics

- Adding Exclusive Domains (IOS), page 12-117
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101


Field Reference

Table J-72 Exclusive Domains Tab (for IOS)

Element    Description

Permit
    Refers to allowing those URLs for the specified domain without having to check with the URL server.
    - When permitted, shown as Permit in the table.
    - When not permitted, shown as Deny in the table.

Domain Name
    Enables you to enter the domain name.

Add button
    Adds a rule to the table.

Edit button
    Edits an existing rule in the table.

Delete button
    Deletes a rule from the table.

Save button
    Saves your changes to the server, but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.

IOS Web Filter Rule and Applet Scanner Dialog Box

Use the IOS Web Filter Rule and Applet Scanner dialog box to set values for Web Filter Rules for IOS devices.

Navigation Path

To access the IOS Web Filter Rule and Applet Scanner dialog box, do one of the following:
- (Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector.
- (Policy view) Select Firewall > Web Filter Rules from the Policy selector.

Related Topics

- Adding Settings for Web Filter Server Configuration, page 12-158
- Adding Web Filter Rules (IOS), page 12-112
- Understanding Web Filter Rules, page 12-101
- Working with Web Filter Rules, page 12-101



Field Reference
Table J-73

IOS Web Filter Rule and Applet Scanner Dialog Box

Element1

Description

Enable Web Filtering

When selected, limits traffic to particular sites and limits traffic between
two entities. When selected, shown as true.

Interface*

Identifies the logical name of the interface (interface role) or physical


interface to which a rule is assigned. See Understanding Interface Role
Objects, page 8-115.
For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the interface information or click Select, which opens the Interface
Selector dialog box from which to make your selection. You can also create
an interface role by clicking the Create button in the Interface Selector
dialog box.
Note

Traffic Direction

Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.

Enables you to further define deep packet inspection by identifying traffic


direction within a network:

InPackets entering a network.

OutPackets exiting a network.

User Guide for Cisco Security Manager 3.1

J-132

OL-11501-03

Appendix J

Firewall Services User Interface Reference


Web Filter Rules Page (IOS)

Table J-73

IOS Web Filter Rule and Applet Scanner Dialog Box (continued)

Element1

Description

Java Applet Scanning

Enable Java Applet Scanner

When selected, the IOS device checks for the presence of Java applets in
HTTP traffic coming from web servers to internal hosts. If a Java applet is
present and the web server (applet source) is in the list of permitted
sources, the Java applet is left unmodified in the HTTP traffic. Otherwise,
the Java applet is removed from the HTTP page.
When the Java applet scanner is disabled, the router does not scan for Java
applets; it allows Java applets from all sources.

Permit Traffic

Selects whether applets from the listed sources are permitted or blocked.
When enabled, shown as True in the table; when disabled, shown as False.

- Permit from Specified Sources: Permits applets from the specified sources.
  When selected, shown as true.
- Deny from Specified Sources: Blocks applets from the specified sources.
  When selected, shown as false.


Applet Sources

Identifies the network object names or addresses of web servers. Multiple
entries are separated by commas. See Understanding Network/Host Objects,
page 8-127.
Accepted formats are:

- a.b.c.d where a,b,c,d = 0–255 (host)
- a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)
- a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*
- a.b.c.d/e where e = subnet mask in x.x.x.x format**
- Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see Contiguous and
Discontiguous Network Masks, page 8-129.

Enter the addresses or names in the field provided, or click Select, which
opens the Object Selector dialog box from which to make your selections.
You can also create an object by clicking the Create button in the Object
Selector dialog box.
Note
If you manually enter 0.0.0.0/0 for the source, it automatically matches
the any predefined object.

OK button

Saves your changes locally on the client and closes the dialog box.
Note
To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Exclusive Domain Name Dialog Box


Use the Exclusive Domain Name dialog box to specify a domain name and whether
to permit or deny traffic to that domain based on the URL, without consulting
the URL filter server. Adding exclusive domains is supported on IOS devices.


Navigation Path

To access the Exclusive Domain Name dialog box, do one of the following:

(Device view) Select a device, then select Firewall > Web Filter Rules from
the Device selector.

(Policy view) Select Firewall >Web Filter Rules from the Policy selector.

Related Topics

Adding Exclusive Domains (IOS), page 12-117

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Field Reference
Table J-74

IOS Web Filter Exclusive Domain Name Dialog Box

Element

Description

Permit traffic

When selected, permits URLs for the specified domain without having to check
with the URL server. When deselected, URLs for the domain are denied, again
without consulting the URL server.

Domain Name (partial or complete)

Enables you to enter a domain name, for example, www.cisco.com or
cisco.com.
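The two decisions that Tables J-73 and J-74 describe, as an added example in Python that is not part of Security Manager or Cisco IOS: parsing the Applet Sources address formats, deciding whether a Java applet from a given web server is kept or stripped, and deciding whether a host is settled by the exclusive-domain list or sent to the URL filter server. The function names, the first-match evaluation of applet rules with unmatched sources stripped, and the label-boundary matching of partial domain names are assumptions made here for the illustration.

```python
"""Added example, not Security Manager or Cisco IOS code. Models the IOS
web-filter decisions described in Tables J-73 and J-74. Matching semantics
that the page leaves implicit are marked as assumptions in the comments."""
import ipaddress
import re
from typing import List, Sequence, Tuple

IPv4Nets = List[ipaddress.IPv4Network]
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


def parse_applet_source(entry: str) -> IPv4Nets:
    """Parse one Applet Sources entry into IPv4 networks.

    Accepts the address forms of Table J-73: host, a.b.c.d/e,
    a.b.c.d-e.f.g.h (a range may span several subnets) and a.b.c.d/x.x.x.x.
    Network object names are not resolved here; the caller is assumed to
    have expanded them to addresses. A discontiguous dotted mask raises
    ValueError, matching the page's caveat about how masks are handled.
    """
    entry = entry.strip()
    if entry == "0.0.0.0/0":                       # the predefined "any" object
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    m = RANGE_RE.match(entry)
    if m:
        lo, hi = (ipaddress.IPv4Address(x) for x in m.groups())
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # host (no mask), prefix length and dotted mask are all understood by
    # ipaddress; strict=False tolerates host bits set in the address part.
    return [ipaddress.IPv4Network(entry, strict=False)]


def parse_applet_sources(field: str) -> IPv4Nets:
    """The dialog field holds comma-separated entries."""
    nets: IPv4Nets = []
    for part in field.split(","):
        if part.strip():
            nets.extend(parse_applet_source(part))
    return nets


AppletRule = Tuple[bool, IPv4Nets]   # (permit from these sources?, sources)


def applet_action(server_ip: str, scanner_enabled: bool,
                  rules: Sequence[AppletRule]) -> str:
    """Return 'pass' (applet left in the page) or 'strip' (applet removed).

    Rules are evaluated in order and the first match wins. A source that
    matches no rule is stripped, following the page's "otherwise, the Java
    applet is removed" (assumption: this mirrors the implicit deny of the
    standard ACL that IOS uses for its java-list).
    """
    if not scanner_enabled:
        return "pass"          # scanner off: applets from all sources allowed
    ip = ipaddress.IPv4Address(server_ip)
    for permit, nets in rules:
        if any(ip in n for n in nets):
            return "pass" if permit else "strip"
    return "strip"


DomainRule = Tuple[bool, str]        # (permit traffic?, partial or complete name)


def exclusive_domain_verdict(host: str, rules: Sequence[DomainRule]) -> str:
    """Return 'permit' or 'deny' from the exclusive-domain list, or 'lookup'
    when the host must be checked with the URL filter server.

    Assumption: a partial name such as cisco.com matches itself and any
    subdomain on a label boundary, so notcisco.com is not a match.
    """
    host = host.lower().rstrip(".")
    for permit, name in rules:
        name = name.lower().strip().strip(".")
        if host == name or host.endswith("." + name):
            return "permit" if permit else "deny"
    return "lookup"
```

The one Applet Sources format the parser does not handle is a network object name; the example assumes those have already been expanded to addresses, as Security Manager does when it generates the device configuration.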

Transparent Rules Page


Use the Transparent Rules page to identify EtherType rules defined in
Security Manager. Before you can configure transparent rules on ASA/PIX 7.x
security appliances or FWSM firewall devices, they must be configured in
transparent mode.
To configure transparent rules on IOS devices, bridge-group and BVI must be
configured. To configure these features, select Firewall > Settings >
Transparent.
From the Transparent Rules page, you can add, edit, and delete rules, reorder
rules, and enable or disable rules in the table. You perform these tasks using either
the shortcut menu, which is accessed by right-clicking a table cell, or by selecting
the appropriate buttons located below the table.


Only EtherType rules are configured as firewall policies. To configure other types
of transparent firewall features, select Platform > Bridging.

Note

Transparent rules are not supported on PIX 6.x devices or IOS devices with an
image lower than 12.3(7)T.
Navigation Path

To access Transparent Rules, do one of the following:

(Device view) Select a device, then select Firewall > Transparent Rules
from the Device selector.

(Policy view) Select Firewall > Transparent Rules from the Policy selector.

Related Topics

Working with Transparent Firewall Rules, page 12-122

Field Reference
Table J-75

Transparent Rules Page

Element

Description

Filter

Filters the information displayed in the table. Click the arrow to display the
filtering bar, which enables you to set filtering parameters. See Filtering
Tables, page 3-24.

No.

Identifies the ordered rule number in the table.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

- Permit: Shown as a green check mark.
- Deny: Shown as a red circle with a slash.


EtherType

Specifies the Ethernet packet type.
Supports PIX/FWSM/ASA EtherType access-lists:

- IPX
- BPDU: Spanning Tree Bridge Protocol Data Units
- MPLS-UNICAST
- MPLS-MULTICAST

Supports IOS devices:

- Other: Any valid hex value from 0x0 to 0xFFFF.

Mask

Identifies a 16-bit hexadecimal number whose one bits correspond to bits in
the type-code argument that should be ignored when making a comparison. (A
mask for a DSAP/SSAP pair should always be at least 0x0101, because the low
bit of each SAP byte is used for purposes other than identifying the SAP
code.)


Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. Multiple entries are displayed as
separate subfields within the table cell. See Understanding Interface Role
Objects, page 8-115. For example:

- All DMZs
- All Fast Ethernets
- All Interfaces
- FastEthernet0

Enter interface information, or click Select, which opens the Interface
Selector dialog box from which to make your selection. You can also create
an interface role by clicking the Create button in the Interface Selector
dialog box.
Note
Interface roles are objects that are used to help you configure firewall
rules. The objects are replaced with the actual interface names when the
configuration is generated for each device.
The access-group command is generated for the interface role selected for
PIX/FWSM/ASA.
The bridge-group command is generated as a subcommand of the interface
role.

Dir.

(Direction) Identifies traffic direction within a network. Direction is
always associated with an interface:

- In: Packets entering a network.
- Out: Packets exiting a network.

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables. See Understanding Category Objects,
page 8-48.
Note
No commands are generated for the category attribute.


Description

Shows a user-defined description to help you identify a rule when viewing
the rules table. A maximum of 1024 characters is allowed.
Note
For PIX/FWSM/ASA, the description is mapped to an access-list remark.

Up button

Moves a rule up one row in the table.
Select a rule in the table to activate the appropriate buttons.

Down button

Moves a rule down one row in the table.


Select a rule in the table to activate the appropriate buttons.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Save button

Saves your changes to the server, but keeps them private.


Note

To publish your changes, click the Submit icon on the toolbar.
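An added example in Python, not Security Manager or Cisco code, that evaluates an ordered EtherType table with the wildcard-mask semantics the Mask column describes and renders the equivalent IOS type-code ACL lines. The numeric values behind the named PIX/FWSM/ASA EtherTypes, the use of the DSAP/SSAP pair to match BPDUs on IOS, and the implicit deny after the last rule are assumptions made here for the illustration.

```python
"""Added example, not Security Manager or Cisco code. Evaluates an ordered
EtherType rule table using the IOS wildcard-mask rule from Table J-75
(one bits in the mask are ignored) and renders IOS type-code ACL lines."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Named EtherTypes from the page, with the values assumed here: IPX 0x8137,
# MPLS unicast 0x8847, MPLS multicast 0x8848. STP BPDUs are LLC frames whose
# DSAP/SSAP pair is 0x42/0x42, so for an IOS type-code ACL they are matched
# on that pair with the 0x0101 mask the page advises.
NAMED: Dict[str, Tuple[int, int]] = {
    "ipx": (0x8137, 0x0000),
    "mpls-unicast": (0x8847, 0x0000),
    "mpls-multicast": (0x8848, 0x0000),
    "bpdu": (0x4242, 0x0101),
}


@dataclass(frozen=True)
class EtherTypeRule:
    permit: bool
    type_code: int        # 0x0 to 0xFFFF ("Other" on IOS)
    mask: int = 0x0000    # wildcard: one bits are ignored in the comparison

    def __post_init__(self) -> None:
        for value in (self.type_code, self.mask):
            if not 0 <= value <= 0xFFFF:
                raise ValueError(f"not a 16-bit value: {value:#x}")

    def matches(self, frame_type: int) -> bool:
        care = ~self.mask & 0xFFFF                 # bits that must be equal
        return (frame_type & care) == (self.type_code & care)

    def lacks_sap_mask(self) -> bool:
        """True when a rule meant for a DSAP/SSAP pair does not ignore the
        I/G and C/R bits (the low bit of each SAP byte); the page says such a
        mask should always be at least 0x0101."""
        return (self.mask & 0x0101) != 0x0101


def rule_from_name(permit: bool, name: str) -> EtherTypeRule:
    """Build a rule from one of the named PIX/FWSM/ASA EtherTypes."""
    code, mask = NAMED[name.lower()]
    return EtherTypeRule(permit, code, mask)


def evaluate(rules: Sequence[EtherTypeRule], frame_type: int) -> str:
    """First matching rule decides; a frame matching no rule is dropped
    (assumption: implicit deny, as on an IOS type-code ACL)."""
    for rule in rules:
        if rule.matches(frame_type):
            return "permit" if rule.permit else "deny"
    return "deny"


def to_ios_acl(acl_number: int, rules: Sequence[EtherTypeRule]) -> List[str]:
    """Render the rules as IOS type-code ACL lines (ACL numbers 200 to 299)."""
    if not 200 <= acl_number <= 299:
        raise ValueError("type-code ACLs use numbers 200 to 299")
    return [
        f"access-list {acl_number} {'permit' if r.permit else 'deny'} "
        f"0x{r.type_code:04X} 0x{r.mask:04X}"
        for r in rules
    ]
```

With the BPDU rule, 0x4242, 0x4243, 0x4342 and 0x4343 all match because the mask clears the I/G and C/R bits, while 0x4244 does not; a rule written as 0x4242 with mask 0x0000 would let a BPDU whose SSAP has the C/R bit set fall through to the implicit deny.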

Add and Edit Transparent Firewall Rule Dialog Boxes


Use the Add and Edit Transparent Firewall Rule dialog boxes to add and edit
EtherType rules.

Note

The same dialog box is used for adding and editing transparent firewall rules.
Navigation Path

To access Transparent Rules, do one of the following:

(Device view) Select a device, then select Firewall > Transparent Rules
from the Device selector. Right-click inside the table, then click Add Row, or
right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Transparent Rules from the Policy selector.
Right-click inside the table, then click Add Row, or right-click a rule, then
click Edit Row.


Related Topics

Adding Transparent Rules, page 12-123

Working with Transparent Firewall Rules, page 12-122

Field Reference
Table J-76

Add and Edit Transparent Firewall Rule Dialog Boxes

Element1

Description

Enable Rule

When selected, indicates that the rule becomes active on a device after the
configuration is generated and deployed.
When viewing the main rules tables:

- An enabled rule is shown without hash marks.
- A disabled rule is shown with hash marks.

Note
A disabled rule is not generated and deployed to devices; however, it is
retained in the rules table for debugging purposes.

Action

Describes what should occur based on the conditions set.

- Permit: Allows traffic.
- Deny: Denies traffic.


Interfaces*

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. See Understanding Interface Role
Objects, page 8-115. For example:

- All DMZs
- All Fast Ethernets
- All Interfaces
- FastEthernet0

Click Edit, which opens the Interface Selector dialog box from which to
make your selection. You can also create an interface role by clicking the
Create button in the Interface Selector dialog box.
Note
Interface roles are objects that are used to help you configure firewall
rules. The objects are replaced with the actual interface names when the
configuration is generated for each device.
The access-group command is generated for the interface role selected for
PIX/FWSM/ASA.
The bridge-group command is generated as a subcommand of the interface
role.

Traffic Direction

Identifies traffic direction within a network. Direction is always associated
with an interface.

- In: Packets entering a network.
- Out: Packets exiting a network.


EtherType*

Specifies the Ethernet packet type.
Supports PIX/FWSM/ASA EtherType access-lists:

- IPX
- BPDU: Spanning Tree Bridge Protocol Data Units
- MPLS-UNICAST
- MPLS-MULTICAST

Supports IOS devices:

- Other: Any valid hex value from 0x0 to 0xFFFF.

Wildcard Mask (IOS)

Identifies a 16-bit hexadecimal number whose one bits correspond to bits in
the type-code argument that should be ignored when making a comparison. (A
mask for a DSAP/SSAP pair should always be at least 0x0101, because the low
bit of each SAP byte is used for purposes other than identifying the SAP
code.)

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables. See Understanding Category Objects,
page 8-48.
Note
No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing
the rules table. A maximum of 1024 characters is allowed.
Note
For PIX/FWSM/ASA, the description is mapped to an access-list remark.

OK button

Saves your changes locally on the client and closes the dialog box.
Note
To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Edit Transparent EtherType Dialog Box


Use the Edit Transparent EtherType dialog box to edit EtherType settings in a
table.
Navigation Path

To access the Edit Transparent EtherType dialog box, right-click the entry in the
EtherType column of the Transparent Rules table, then click Edit EtherType.
Related Topics

Adding Transparent Rules, page 12-123

Editing Transparent Rules, page 12-125

Working with Transparent Firewall Rules, page 12-122

Field Reference
Table J-77

Edit Transparent EtherType Dialog Box

Element1

Description

EtherType*

Specifies the Ethernet packet type.
Supports PIX/FWSM/ASA EtherType access-lists:

- IPX
- BPDU: Spanning Tree Bridge Protocol Data Units
- MPLS-UNICAST
- MPLS-MULTICAST

Supports IOS devices:

- Other: Any valid hex value from 0x0 to 0xFFFF.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Edit Transparent Mask Dialog Box


Use the Edit Transparent Mask dialog box to edit mask settings in a table.
Navigation Path

To access the Edit Transparent Mask dialog box, right-click the entry in the Mask
column of the Transparent Rules table, then click Edit Mask.
Related Topics

Adding Transparent Rules, page 12-123

Editing Transparent Rules, page 12-125

Working with Transparent Firewall Rules, page 12-122

Field Reference
Table J-78

Edit Transparent Mask Dialog Box

Element

Description

Wildcard Mask (IOS)

Identifies a 16-bit hexadecimal number whose one bits correspond to bits in
the type-code argument that should be ignored when making a comparison. (A
mask for a DSAP/SSAP pair should always be at least 0x0101, because the low
bit of each SAP byte is used for purposes other than identifying the SAP
code.)

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

Edit Interfaces Dialog Box


Use the Edit Interfaces dialog box to edit an interface entry in a table.
Navigation Path

Double-click the entry in the Transparent Rules table, or right-click the entry, then
select Edit Interfaces.


Related Topics

Adding Transparent Rules, page 12-123

Editing Transparent Rules, page 12-125

Working with Transparent Firewall Rules, page 12-122

Field Reference
Table J-79

Edit Interfaces Dialog Box

Element1

Description

Interfaces*

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. See Understanding Interface Role
Objects, page 8-115. For example:

- All DMZs
- All Fast Ethernets
- All Interfaces
- FastEthernet0

Enter the interface in the field provided or click Select, which opens the
Interface Selector dialog box from which to make your selection. You can
also create an interface role by clicking the Create button in the Interface
Selector dialog box.
Note
Interface roles are objects that are used to help you configure firewall
rules. The objects are replaced with the actual interface names when the
configuration is generated for each device.
The access-group command is generated for the interface role selected for
PIX/FWSM/ASA.
The bridge-group command is generated as a subcommand of the interface
role.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Edit Description Dialog Box


Use the Edit Description dialog box to edit a user-defined description entry in a
table.
Navigation Path

Double-click the Description entry in the Transparent Rules table, or
right-click the entry, then select Edit Description.
Related Topics

Editing Transparent Rules, page 12-125

Field Reference
Table J-80

Edit Description Dialog Box

Element

Description

Description

Enables you to enter a user-defined description to help you identify a rule
when viewing the rules table. A maximum of 1024 characters is allowed.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

Edit Category Dialog Box


Use the Edit Category dialog box to edit a category entry in a table.
Navigation Path

Double-click the Category entry in the Transparent Rules table, or right-click the
entry, then select Edit Category.
Related Topics

Editing Transparent Rules, page 12-125

Working with Transparent Firewall Rules, page 12-122


Field Reference
Table J-81

Edit Category Dialog Box

Element

Description

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables. See Understanding Category Objects,
page 8-48.
Note
No commands are generated for the category attribute.

OK button

Saves your changes locally on the client and closes the dialog box.
Note
To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

Firewall Settings
The Firewall Settings reference contains the following topics:

Access Control Page, page J-147

Inspection Page, page J-154

AAA Firewall > Advanced Setting Page, page J-157

AuthProxy Page, page J-164

Web Filter Page, page J-170

Access Control Page


Use the Access Control page to select options to optimize performance when
using ACLs.


Navigation Path

To access the Access Control Page, do one of the following:

(Device view) Select a device, then select Firewall > Settings >
Access Control from the Device selector.

(Policy view) Select Firewall > Settings > Access Control from the Policy
selector.

Related Topics

Understanding Settings for Access Controls, page 12-132

Understanding Interface Role Objects, page 8-115

Object Group Search (PIX/ASA/FWSM), page 12-133

Per User Downloadable ACLs (PIX/ASA/FWSM), page 12-135

Access List Compilation (PIX), page 12-138

How ACL Names Are Generated, page 12-53


Field Reference
Table J-82

Access Control Page

Element

Description

Maximum number of concurrent flows (PIX, ASA, FWSM)

Specifies the maximum number of concurrent deny flows that can be created.
(Syslog message 106101 is generated when the security appliance has
reached the maximum number [n] of ACL deny flows.)

- For a security appliance with more than 64 MB of Flash memory, values
  are 1–4096. Default is 4096.
- For a security appliance with more than 16 MB (up to 64 MB) of Flash
  memory, values are 1–1024. Default is 1024.
- For a security appliance with less than or equal to 16 MB of Flash
  memory, values are 1–256. Default is 256.

Note
This feature is not supported by devices running IOS software.

Syslog interval (PIX, ASA, FWSM)

Specifies the interval of time for generating syslog message 106101, which
alerts you that the security appliance has reached a deny flow maximum.
When the deny flow maximum is reached, another 106101 message is
generated only if the specified number of seconds has passed since the last
106101 message. Values are 1–3600 seconds. Default is 300.
Note
This feature is not supported by devices running IOS software.

Enable Access List Compilation (Global)

When selected, speeds up the processing of large rules tables. Optimizes your
policy rules and performance for all ACLs.

- Supported on the following platforms in global command mode:
  Cisco 7200, 7400, 7500, 7150, 7120, 7140, and 7304.
- Supported on PIX 6.3(1)–6.3x in global command mode or per ACL.
- Not supported on PIX 7.x.

Note
This feature requires a minimum of 2.1 MB of memory for the device.
When enabled, additional memory might be required for the device.


Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

- All DMZs
- All Fast Ethernets
- All Interfaces
- FastEthernet0

Enter the interface in the field provided or click Edit, which opens the
Interface Selector dialog box from which to make your selection. You can
also create an interface role by clicking the Create button in the Interface
Selector dialog box.
Note
Interface roles are objects that are used to help you configure firewall
rules. The objects are replaced with the actual interface names when the
configuration is generated for each device. The access-group command is
generated for the interface role selected.

Direction

Identifies traffic direction within a network. Direction is always associated
with an interface:

- In: Packets entering a network.
- Out: Packets exiting a network.

Note
The Direction parameter is not supported on PIX 6.3.

ACL Name

Shows the user-defined name for the ACL. If no user-defined name is used,
the table cell remains blank.
Note
If no user-defined name is defined, Security Manager generates a name for
the ACL automatically.

Object Group Search

Shows whether the Object Group Search feature is enabled. When enabled, it
reduces the memory requirement on the device to hold large ACLs; however,
it impacts performance by making ACL processing slower for each packet.

- Enabled = True
- Disabled = False


Per User Override

Allows downloaded access lists to override the access list applied to the
interface.

- Enabled = True
- Disabled = False

Note
Per User Override is referred to as Enable Per User Downloadable ACLs in
the Firewall ACL Setting dialog box.

Access List Compilation

Shows if the feature is enabled.

- Enabled = True
- Disabled = False

Note
This feature is not supported by devices running IOS software.
Note
Access List Compilation was formerly known as Turbo ACL.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Save button

Saves your changes to the server, but keeps them private.


Note

To publish your changes, click the Submit icon on the toolbar.
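An added example in Python, not Security Manager or Cisco code, for the deny-flow maximum and syslog interval settings above. It parses constructed syslog lines, picks out message 106101 and flags an appliance that reports the cap for several alert intervals in a row; while the cap is held, newly denied flows are not logged individually until existing deny flows expire, so a sustained 106101 stream is a loss of visibility worth alerting on. The sample lines, the timestamp layout, the function names and the thresholds are constructed for this illustration.

```python
"""Added example, not Security Manager or Cisco code. Parses constructed
syslog lines for message 106101 (emitted when the deny-flow maximum from
Table J-82 is reached) and flags appliances that sit at the cap for several
alert intervals. SAMPLE_LOG is a constructed sample, not a capture."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: fw-edge-1 reports the cap every 300 s (one alert
# interval at the default setting); fw-dmz-2 reports it once.
SAMPLE_LOG = """\
2024-05-01T10:00:00 fw-edge-1 %ASA-1-106101: Number of cached deny-flows for ACL log has reached limit (4096).
2024-05-01T10:05:00 fw-edge-1 %ASA-1-106101: Number of cached deny-flows for ACL log has reached limit (4096).
2024-05-01T10:07:00 fw-dmz-2 %ASA-1-106101: Number of cached deny-flows for ACL log has reached limit (1024).
2024-05-01T10:08:00 fw-dmz-2 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/445 by access-group "outside_in"
2024-05-01T10:10:00 fw-edge-1 %ASA-1-106101: Number of cached deny-flows for ACL log has reached limit (4096).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %(?:ASA|PIX|FWSM)-\d-(?P<msgid>\d{6}): (?P<text>.*)$"
)
LIMIT_RE = re.compile(r"reached limit \((\d+)\)")


def parse_events(log_text: str) -> List[Dict]:
    """Turn syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        limit = LIMIT_RE.search(m["text"])
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "msgid": m["msgid"],
            "limit": int(limit.group(1)) if limit else None,
        })
    return events


def deny_flow_limits(flash_mb: int) -> Dict[str, int]:
    """Range and default of the deny-flow maximum for a Flash size (Table J-82)."""
    top = 4096 if flash_mb > 64 else 1024 if flash_mb > 16 else 256
    return {"min": 1, "max": top, "default": top}


def sustained_exhaustion(events: List[Dict], alert_interval: int = 300,
                         min_hits: int = 3) -> Dict[str, int]:
    """Hosts whose 106101 messages fill a window of min_hits alert intervals.

    The appliance logs 106101 at most once per alert interval while the cap
    is held, so min_hits messages inside min_hits * alert_interval seconds
    mean the deny-flow table stayed full for the whole window.
    """
    window = timedelta(seconds=alert_interval * min_hits)
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["msgid"] != "106101":
            continue
        q = recent[e["host"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()                      # drop hits older than the window
        if len(q) >= min_hits:
            flagged[e["host"]] = max(flagged.get(e["host"], 0), len(q))
    return flagged


def limit_mismatches(events: List[Dict], flash_mb_by_host: Dict[str, int]) -> List[str]:
    """Hosts whose logged limit is below the default for their Flash size,
    i.e. someone lowered the deny-flow maximum and reduced logging headroom."""
    out = set()
    for e in events:
        if e["msgid"] != "106101" or e["limit"] is None:
            continue
        flash = flash_mb_by_host.get(e["host"])
        if flash is not None and e["limit"] < deny_flow_limits(flash)["default"]:
            out.add(e["host"])
    return sorted(out)
```

Run against SAMPLE_LOG with the defaults, sustained_exhaustion flags only fw-edge-1, whose three messages span exactly two alert intervals; raising min_hits to 4 clears it, and limit_mismatches points at fw-dmz-2 if its Flash size would allow the 4096 default.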

Firewall ACL Setting Dialog Box


The Firewall ACL Setting dialog box is used to add or edit settings that support
access rules.

Note

The same dialog box is used for adding and editing access control settings.


Navigation Path

To access the Firewall ACL Setting dialog box, do one of the following:

(Device view) Select a device, then select Firewall > Settings >
Access Control from the Device selector. Right-click inside the table, then
click Add Row, or right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Settings > Access Control from the Policy
selector. Right-click inside the table, then click Add Row, or right-click a
rule, then click Edit Row.

Related Topics

Configuring Settings for Access Control, page 12-140

Configuring Firewall ACL Settings, page 12-142

Understanding Interface Role Objects, page 8-115

Object Group Search (PIX/ASA/FWSM), page 12-133

Per User Downloadable ACLs (PIX/ASA/FWSM), page 12-135

Access List Compilation (PIX), page 12-138


Field Reference
Table J-83

Firewall ACL Setting Dialog Box

Element1

Description

Interface*

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

- All DMZs
- All Fast Ethernets
- All Interfaces
- FastEthernet0

Enter the interface in the field provided or click Edit, which opens the
Interface Selector dialog box from which to make your selection. You can
also create an interface role by clicking the Create button in the Interface
Selector dialog box.
Note
Interface roles are objects that are used to help you configure firewall
rules. The objects are replaced with the actual interface names when the
configuration is generated for each device.

Traffic Direction

Identifies traffic direction within a network. Direction is always associated
with an interface:

- In: Packets entering a network.
- Out: Packets exiting a network.

Note
The Direction parameter is not supported on PIX 6.3.

User Defined ACL Name

When selected, retains the user-defined ACL name.

Enable Per User Downloadable ACLs (PIX, ASA, FWSM)

When selected, allows downloaded access lists to override the access list
applied to the interface.

Enable Object Group Search (PIX, ASA, FWSM)

When selected, reduces the memory requirement on the device to hold large
ACLs; however, it impacts performance by making ACL processing slower for
each packet.


Enable Access List Compilation (PIX)

When selected, speeds up the processing of large rules tables. Optimizes
your policy rules and performance for the interface roles selected. Access
List Compilation is recognized only if the number of access list elements is
greater than or equal to 19.

- Supported on PIX 6.3(1)–6.3x in global command mode or per ACL.
- Not supported on PIX 7.x.

Note
This feature requires a minimum of 2.1 MB of memory for the device. When
enabled, additional memory might be required for the device.

ACL Name

Enables you to enter a user-defined name for the ACL.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Inspection Page
Use the Inspection page to configure the global timeouts, denial-of-service
thresholds, and related settings for TCP and UDP packet inspection on IOS
devices.

Note

The Inspection page is used for IOS devices only.


Navigation Path

To access the Inspection page, do one of the following:

(Device view) Select a device, then select Firewall > Settings > Inspection
from the Device selector.

(Policy view) Select Firewall > Settings > Inspection from the Policy
selector.


Related Topics

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-73

Field Reference
Table J-84

Inspection Page

Element

Description

Global Timeout Values

TCP Establish Timeout (seconds)

Specifies the length of time, in seconds, that the software waits for a TCP
session to reach the established state before it stops managing the
half-open session. Values are 1–2147483 seconds. Default is 30.

FIN Wait Time (seconds)

Specifies how long a TCP session is still managed after the firewall detects
a FIN exchange. Values are 1–2147483 seconds. Default is 5.

TCP Idle Time (seconds)

Specifies the length of time a TCP session is still managed while there is
no activity. Values are 1–2147483 seconds. Default is 3600 (1 hour).

UDP Idle Time (seconds)

Specifies the length of time a UDP session is still managed while there is
no activity. Values are 1–2147483 seconds. Default is 30.

DNS Timeout (seconds)

Specifies the length of time, in seconds, for which a DNS name lookup
session is managed while there is no activity. Values are 1–2147483 seconds.
Default is 5.

SYN Flooding DoS Attack Thresholds

Maximum 1 Minute Connection Rate - low

Specifies the rate of new unestablished TCP sessions that causes the
software to stop deleting half-open sessions. Values are 1–2147483647 per
minute. Default is 400.

Maximum 1 Minute Connection Rate - high

Specifies the rate of new unestablished TCP sessions that causes the
software to start deleting half-open sessions. Values are 1–2147483647 per
minute. Default is 500.

Maximum Incomplete Sessions Stop Threshold

Specifies the number of existing half-open sessions that causes the
software to stop deleting half-open sessions. Values are 1–2147483647.
Default is 400.

Maximum Incomplete Sessions Start Threshold

Specifies the number of existing half-open sessions that causes the
software to start deleting half-open sessions. Values are 1–2147483647.
Default is 500.


Thresholds per Host

Max Sessions Per Host

Specifies how many half-open TCP sessions with the same host destination
address can exist at a time before the software starts deleting half-open
sessions to the host. Values are 1–4294967295 half-open sessions. Default
is 50.

Max Sessions Blocking Interval (min)

Specifies the blocking time for TCP host-specific denial-of-service (DoS)
detection and prevention. Values are 0–35791 minutes. Default is 0.

- If the blocking timeout value is 0, the software deletes the oldest
  existing half-open session for the host for every new connection
  request to the host. This ensures that the number of half-open sessions
  to a given host never exceeds the threshold.
- If the blocking timeout value is greater than 0, the software deletes all
  existing half-open sessions for the host, then blocks all new connection
  requests to the host. The software continues to block all new connection
  requests until the block time expires.

Other

Session Hash Table Size (buckets)

Specifies the size of the hash table in terms of buckets. Possible values for
the hash table are 1024, 2048, 4096, and 8192. Default is 1024.
Note
You should consider increasing the size of the hash table when the number
of concurrent sessions increases, or to reduce the search time for the
session.

Enable Alert Messages

When selected, enables inspect-related alert messages to appear on the IOS
device console.

Enable Audit Trail Messages

When selected, enables inspect-related audit trail messages to appear on the
IOS device console.

Permit DHCP Passthrough (Transparent Firewall)

When selected, enables a transparent firewall to forward DHCP packets
across the bridge without inspection.
Permitting DHCP passthrough overrides an ACL for DHCP packets, so DHCP
packets are forwarded even if the ACL is configured to deny all IP packets.
Thus, clients on one side of the bridge can get an IP address from a DHCP
server on the opposite side of the bridge.


AAA Firewall > Advanced Setting Page

Use the Settings for AAA Firewalls to define HTTPS, proxy, and MAC settings
for PIX 6.3, ASA/PIX 7.x and FWSM devices.

Navigation Path

To access the AAA Firewall settings page, do one of the following:

(Device view) Select a device, then select Firewall > Settings >
AAA Firewall from the Device selector.

(Policy view) Select Firewall > Settings > AAA Firewall from the Policy
selector.

Note
The Advanced Setting Page is displayed by default.

Related Topics

Working with AAA Rules, page 12-89

Field Reference
Table J-85 AAA Firewall Page > Advanced Setting Page

Element    Description

Advanced Setting tab

Use Secure HTTP Authentication

When selected, requires additional user authentication during the session
establishment.

Enable Proxy Limit

When enabled, allows proxies based on proxy limit settings.

Maximum Concurrent Proxy Limit per User

Specifies the number of concurrent proxy connections allowed per user.
Values are 1–128. Default is 16.

Disable FTP Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for FTP
traffic.
You can configure whether the FWSM challenges you for a username and
password. By default, the FWSM prompts you when a AAA rule enforces
authentication for traffic in a new session and the protocol is FTP.


Disable HTTP Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for
HTTP traffic.
You can configure whether the FWSM challenges you for a username and
password. By default, the FWSM prompts you when a AAA rule enforces
authentication for traffic in a new session and the protocol is HTTP.

Disable HTTPS Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for
HTTPS traffic.
You can configure whether the FWSM challenges you for a username and
password. By default, the FWSM prompts you when a AAA rule enforces
authentication for traffic in a new session and the protocol is HTTPS.

Disable TELNET Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for
TELNET traffic.
You can configure whether the FWSM challenges you for a username and
password. By default, the FWSM prompts you when a AAA rule enforces
authentication for traffic in a new session and the protocol is TELNET.

Clear Connections When Uauth Timer Expires (FWSM 3.2)

Interface

Identifies the interface.

Source

Identifies the source address and netmask.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Save button

Saves your changes to the server, but keeps them private.

Note
To publish your changes, click the Submit icon on the toolbar.

AAA Firewall > Advanced Setting > Clear Connection Configuration Dialog Box

Use the Clear Connection Configuration dialog box to define when connections
from a given interface and source are cleared when the uauth timer expires.


Navigation Path

To access the Clear Connection Configuration dialog box, do one of the
following:

(Device view) Select a device, then select Firewall > Settings >
AAA Firewall from the Device selector. Right-click inside the Clear
Connections When Uauth Timer Expires (FWSM) table.

(Policy view) Select Firewall > Settings > AAA Firewall from the Policy
selector. Right-click inside the Clear Connections When Uauth Timer Expires
(FWSM) table.

Note
The Advanced Setting tab opens by default the first time the page is accessed.

Related Topics

Working with AAA Rules, page 12-89


Field Reference
Table J-86 AAA Firewall > Advanced Setting > Clear Connection Configuration Dialog Box

Element (1)    Description

Interface*

Identifies the logical name of the interface (interface role) or
physical interface to which a rule is assigned. See Understanding
Interface Role Objects, page 8-115.
For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the information in the field provided or click Select, which
opens the Interface Selector dialog box from which to make your
selection. You can also create an interface role by clicking the
Create button in the Interface Selector dialog box.

Note
Interface roles are objects that are used to help you
configure firewall rules. The objects are replaced with the
actual interface names when the configuration is generated
for each device.


Source IP Address/Netmask*

Identifies the network object names or addresses of hosts and
networks. Multiple entries are separated by commas. Accepted
formats are:

a.b.c.d where a,b,c,d = 0–255 (host)

a.b.c.d/e where a,b,c,d = 0–255 and e = 1–32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0–255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see
Contiguous and Discontiguous Network Masks, page 8-129.

Enter the addresses or names in the field provided, or click Select,
which opens the Object Selector dialog box from which to make
your selections. You can also create an object by clicking the Create
button in the Object Selector dialog box.

Note
If you manually enter 0.0.0.0/0 for the source, it
automatically matches the any predefined object.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.

1. An asterisk indicates that the field is required.
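A validator for the Source IP Address/Netmask formats listed above, added here as an example rather than code from the guide or from Security Manager. It classifies each comma-separated entry as host, subnet (prefix-length or dotted-mask form), range or network object name, maps 0.0.0.0/0 to the predefined any object as the note states, and rejects a prefix length outside 1–32, a reversed range and a discontiguous mask. Two points are assumptions, not page facts: an object name is taken to start with a letter or underscore, and a subnet entry with host bits set is accepted and normalised to its network address.

```python
import ipaddress
import re

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_ADDR = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_HOST_RE = re.compile(rf"^({_ADDR})$")
_PREFIX_RE = re.compile(rf"^({_ADDR})/(\d{{1,2}})$")
_MASK_RE = re.compile(rf"^({_ADDR})/({_ADDR})$")
_RANGE_RE = re.compile(rf"^({_ADDR})-({_ADDR})$")
# Assumption: a network object name starts with a letter or underscore.
_OBJECT_RE = re.compile(r"^[A-Za-z_][\w.\-]*$")


def _prefix_from_mask(mask_text):
    """Convert a dotted netmask to a prefix length; reject discontiguous masks."""
    mask = int(ipaddress.IPv4Address(mask_text))
    host_bits = (~mask) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):          # host bits must be one trailing run of 1s
        raise ValueError(f"discontiguous mask {mask_text}")
    return 32 - host_bits.bit_length()


def parse_source_entry(text):
    """Classify one entry into (kind, value): any, host, subnet, range or object."""
    s = text.strip()
    if s == "0.0.0.0/0":
        return ("any", "any")                # matches the predefined 'any' object
    if _HOST_RE.match(s):
        return ("host", ipaddress.IPv4Address(s))
    m = _PREFIX_RE.match(s)
    if m:
        e = int(m.group(2))
        if not 1 <= e <= 32:
            raise ValueError(f"prefix length out of range 1-32: {s}")
        # strict=False: host bits, if set, are cleared (assumption)
        return ("subnet", ipaddress.IPv4Network(f"{m.group(1)}/{e}", strict=False))
    m = _MASK_RE.match(s)
    if m:
        e = _prefix_from_mask(m.group(2))
        return ("subnet", ipaddress.IPv4Network(f"{m.group(1)}/{e}", strict=False))
    m = _RANGE_RE.match(s)
    if m:
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start exceeds range end: {s}")
        return ("range", (lo, hi))          # a range may span more than one subnet
    if _OBJECT_RE.match(s):
        return ("object", s)
    raise ValueError(f"malformed address or object name: {s}")


def parse_source_field(field):
    """Split a comma-separated Source field and parse every entry."""
    entries = [e for e in field.split(",") if e.strip()]
    if not entries:
        raise ValueError("source field is empty")
    return [parse_source_entry(e) for e in entries]
```

The discontiguous-mask check is the part worth keeping: ipaddress alone would either reject such a mask with a less specific message or, for some inputs, silently interpret it as a hostmask, so the field is validated explicitly before a network object is built.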

AAA Firewall > MAC-Exempt List Page


Use the Firewall AAA MAC Exempt Setting dialog box to add and edit AAA
MAC exempt settings.


Navigation Path

To access the MAC Exempt List page, do one of the following:

(Device view) Select a device, then select Firewall > Settings >
AAA Firewall from the Device selector. Select the MAC-Exempt List tab.

(Policy view) Select Firewall > Settings > AAA Firewall from the Policy
selector. Select the MAC-Exempt List tab.

Related Topics

Understanding MAC Exempt Address Lists, page 12-149

Field Reference
Table J-87 AAA Firewall Page > MAC-Exempt List Page

Element    Description

MAC-Exempt List tab (PIX/ASA)

MAC-exempt List Name

Identifies the name of a predefined list of MAC addresses to exempt from
authentication and authorization.
The list is used by the ASA security appliance in performing MAC-based
authentication.

Filter

Filters the information displayed in the table. Click the arrow to display the
filtering bar, which enables you to set filtering parameters. See Filtering
Tables, page 3-24.

Action

Describes what should occur based on the conditions set.

Permit: Allows traffic.

Deny: Denies traffic.

MAC Address

Specifies the source MAC address in 12-digit hexadecimal form, for
example, 00a0.cp5d.0282.

MAC Mask

Specifies and applies the netmask (ffff.ffff.ffff) to MAC and allows the
grouping of MAC addresses.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.


Delete button

Deletes a rule from the table.

Save button

Saves your changes to the server, but keeps them private.

Note
To publish your changes, click the Submit icon on the toolbar.

AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting Dialog Box

Use the Firewall AAA MAC Exempt Setting dialog box to add and edit AAA
MAC exempt settings.
Navigation Path

To access the Firewall AAA MAC Exempt Setting dialog box, do one of the
following:

(Device view) Select a device, then select Firewall > Settings >
AAA Firewall from the Device selector. Select the MAC-Exempt List tab.
Right-click inside the work area, then select Add Row or right-click a row,
then select Edit Row.

(Policy view) Select Firewall > Settings > AAA Firewall from the Policy
selector. Select the MAC-Exempt List tab. Right-click inside the work area,
then select Add Row or right-click a row, then select Edit Row.

Related Topics

Understanding MAC Exempt Address Lists, page 12-149


Field Reference
Table J-88 AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting Dialog Box

Element    Description

Action

Describes what should occur based on the conditions set.

Permit: Allows traffic.

Deny: Denies traffic.

MAC Address

Specifies the source MAC address for which traffic is permitted or denied.
Enter the value in 12-digit hexadecimal form, for example,
00a0.cp5d.0282.

MAC Mask

Specifies and applies the netmask (ffff.ffff.ffff) to MAC and allows the
grouping of MAC addresses.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.
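The MAC-exempt entries in Tables J-87 and J-88 are evaluated as masked comparisons: a source MAC matches an entry when the masked bits of both agree, and the mask is what lets one entry group many addresses. The model below is an added example, not code from the guide or from the security appliance. It parses the dotted 12-hexadecimal-digit form the table describes, applies the mask, and walks the list in order so that the first matching entry decides. Two assumptions are labelled in the code: entries are matched in the order they were added, and a MAC that matches no entry is simply not exempt. Note that the sample value quoted in the table, 00a0.cp5d.0282, contains a character that is not a hexadecimal digit and is rejected by the parser; the addresses used in the usage below are constructed.

```python
import re

# Dotted 12-digit hexadecimal form: xxxx.xxxx.xxxx
_MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def parse_mac(text):
    """Parse a dotted MAC (or MAC mask) into a 48-bit integer."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a 12-digit hexadecimal MAC in dotted form: {text!r}")
    return int(text.replace(".", ""), 16)


def format_mac(value):
    """Render a 48-bit integer back into the dotted form used by the table."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


class MacExemptList:
    """An ordered list of permit/deny entries, each an address plus a mask."""

    def __init__(self, name):
        self.name = name
        self.entries = []   # (action, address, mask), in the order added (assumption)

    def add(self, action, mac, mask="ffff.ffff.ffff"):
        action = action.lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {action!r}")
        self.entries.append((action, parse_mac(mac), parse_mac(mask)))

    def lookup(self, source_mac):
        """Return 'permit' or 'deny' from the first matching entry, or None
        when the MAC matches no entry (assumption: then not exempt)."""
        value = parse_mac(source_mac)
        for action, address, mask in self.entries:
            if (value & mask) == (address & mask):
                return action
        return None

    def grouped_by(self, mac, mask):
        """Show which addresses an entry with this mask covers: the fixed
        part and how many addresses share it."""
        m = parse_mac(mask)
        fixed = parse_mac(mac) & m
        free_bits = bin((~m) & 0xFFFFFFFFFFFF).count("1")
        return format_mac(fixed), 2 ** free_bits


# Constructed usage: one exact deny ahead of a permit for the whole
# 0011.2233.xxxx group (mask ffff.ffff.0000 leaves 16 bits free).
printers = MacExemptList("printers")
printers.add("deny", "0011.2233.4455")
printers.add("permit", "0011.2233.0000", "ffff.ffff.0000")
```

Order matters: the exact deny is listed before the wider permit, so 0011.2233.4455 is denied while every other address in the 0011.2233.xxxx group is permitted, and an address outside the group falls through with no exemption at all.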

AuthProxy Page
The AuthProxy page for IOS devices is divided into two sections:

AuthProxy General Tab (IOS), page J-165

AuthProxy Timeout Tab (IOS), page J-167

Navigation Path

To access the AuthProxy page, do one of the following:

(Device view) Select a device, then select Firewall > Settings > AuthProxy
from the Device selector.

(Policy view) Select Firewall > Settings > AuthProxy from the Policy
selector.

Related Topics

Configuring Settings for AAA (IOS), page 12-152


AuthProxy General Tab (IOS)

Navigation Path

To access the AuthProxy General page, do one of the following:

(Device view) Select a device, then select Firewall > Settings > AuthProxy
from the Device selector.

(Policy view) Select Firewall > Settings > AuthProxy from the Policy
selector.

Related Topics

Configuring Settings for AAA (IOS), page 12-152

Field Reference
Table J-89 AuthProxy General Tab

Element    Description

Authorization Server Groups

Selects different authorization methods by selecting different AAA Server
Groups, for example, RADIUS and TACACS+ servers.
Enter the information in the field provided or click Select, which opens the
AAA Server Groups Selector dialog box from which to make your
selection.

Accounting Server Groups

Selects different accounting methods by selecting different AAA Server
Groups, for example, RADIUS and TACACS+ servers.
Enter the information in the field provided or click Select, which opens the
AAA Server Groups Selector dialog box from which to make your
selection.

Use Broadcast for Accounting

When selected, enables sending accounting records to multiple AAA
servers. Accounting records are simultaneously sent to the first server in
each group. If the first server is unavailable, failover occurs using the
backup servers defined within that group.

Authentication Server Groups

To configure authentication server groups, go to Platform >
Device Admin > AAA.


Accounting Notice

Lists options for handling an accounting notice.

Start-stop: Sends a start accounting notice at the beginning of a
process and a stop accounting notice at the end of a process. The start
accounting record is sent in the background. The requested user
process begins regardless of whether the start accounting notice was
received by the accounting server.

Stop-only: Sends a stop accounting notice at the end of the requested
user process.

None: Disables accounting services on this line or interface.

HTTP Banner

Enables you to select an HTTP banner.

Disable Banner Text: No banner is displayed for the authentication
proxy login page for HTTP.

Use Default Banner: Displays the default banner Cisco Systems,
<router hostname> Authentication for the authentication proxy login
page for HTTP.

Use Custom Banner: Enables you to enter a custom message that
appears for the authentication proxy login page for HTTP (for example,
Welcome <Username>).

Note
If HTTP banner text and URL location are selected at the same
time, the URL banner takes precedence; however, the configuration
for the banner text remains on the device.

Use HTTP banner from File

When selected, enables you to enter the URL for the HTTP banner file.

URL

Enables you to identify the location of the HTTP banner file.

HTTPS Server

To configure HTTPS Server, go to Platform > Device Admin >
Device Access > HTTP.


FTP Banner

Enables you to select an FTP banner.

Disable Banner Text: No banner is displayed for the authentication
proxy login page for FTP.

Use Default Banner: Displays the default banner Cisco Systems,
<router hostname> Authentication for the authentication proxy login
page for FTP.

Use Custom Banner: Enables you to enter a custom message that
appears for the authentication proxy login page for FTP (for example,
Welcome <Username>).

Telnet Banner

Enables you to select a Telnet banner.

Disable Banner Text: No banner is displayed for the authentication
proxy login page for Telnet.

Use Default Banner: Displays the default banner Cisco Systems,
<router hostname> Authentication for the authentication proxy login
page for Telnet.

Use Custom Banner: Enables you to enter a custom message that
appears for the authentication proxy login page for Telnet (for example,
Welcome <Username>).

Save button

Saves your changes to the server, but keeps them private.

Note
To publish your changes, click the Submit icon on the toolbar.

AuthProxy Timeout Tab (IOS)

Navigation Path

To access the AuthProxy Timeout page for IOS devices, do one of the following:

(Device view) Select a device, then select Firewall > Settings > AuthProxy
from the Device selector.

(Policy view) Select Firewall > Settings > AuthProxy from the Policy
selector.

Related Topics

Configuring Settings for AAA (IOS), page 12-152


Field Reference
Table J-90 AuthProxy Timeout Tab

Element    Description

Global Inactivity Time

Specifies the length of time in minutes that an authentication cache entry,
along with its associated dynamic user access control list (ACL), is
managed after a period of inactivity. Values are 1–2,147,483,647 minutes.

Global Absolute Time

Specifies a window in which the authentication proxy on the enabled
interface is active. Values are 1–65,535 minutes (45 and a half days).

Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Note
Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.

Traffic Types

Identifies the protocols.

Inactivity Time

Specifies the length of time in minutes that an authentication cache entry,
along with its associated dynamic user access control list (ACL), is
managed after a period of inactivity. Values are 1–2,147,483,647 minutes.

Absolute Time

Specifies a window in which the authentication proxy on the enabled
interface is active. Values are 1–65,535 minutes (45 and a half days).

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Firewall AAA IOS Timeout Value Setting Dialog Box

Use the Firewall AAA IOS Timeout Value Setting dialog box to set inactivity and
cache time, absolute time, and authentication proxy methods for interfaces on
IOS devices.


Navigation Path

To access the Firewall AAA IOS Timeout Value Setting dialog box for IOS
devices, do one of the following:

(Device view) Select a device, then select Firewall > Settings > AuthProxy
from the Device selector. Click the Timeout tab. Right-click inside the table,
then click Add Row or Edit Row.

(Policy view) Select Firewall > Settings > AuthProxy from the Policy
selector. Click the Timeout tab. Right-click inside the table, then click
Add Row or Edit Row.

Related Topics

Configuring Settings for AAA (IOS), page 12-152

Field Reference
Table J-91 Firewall AAA IOS Timeout Value Setting Dialog Box

Element (1)    Description

Interfaces*

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the interface information, or click Select, which opens the Interface
Selector dialog box from which to make your selection. You can also create
an interface role by clicking the Create button in the Interface Selector
dialog box.

Note
Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.

Inactivity/Cache Time

Specifies the length of time in minutes that an authentication cache entry,
along with its associated dynamic user access control list (ACL), is
managed after a period of inactivity. Values are 1–2,147,483,647 minutes.


Absolute Time

Specifies a window in which the authentication proxy on the enabled
interface is active. Values are 1–65,535 minutes (45 and a half days).

Authentication Proxy Method (IOS)

Options are:

HTTP: Specifies HTTP to trigger the authentication proxy.

FTP: Specifies FTP to trigger the authentication proxy.

Telnet: Specifies Telnet to trigger the authentication proxy.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Web Filter Page

Navigation Path

To access the Web Filter settings page, do one of the following:

(Device view) Select a device, then select Firewall > Settings > Web Filter
from the Device selector.

(Policy view) Select Firewall > Settings > Web Filter from the Policy
selector.

Related Topics

Adding Web Filter Rules (PIX/ASA), page 12-103

Adding Web Filter Rules (IOS), page 12-112


Field Reference
Table J-92 Web Filter Page

Element    Description

Web Filter Server Type

Options are:

None: No web filter server is used for filtering purposes.

Websense: Identifies a Websense server for use with the filter
command.

Secure Computing SmartFilter/N2H2: Identifies an N2H2 server for
use with the filter command.

Port: (Optional) Identifies the N2H2 server port on which to connect.

IP Address

The IP address of the web filter server.

Timeout

Displays the number of seconds after which the request to the filtering
server times out.

Interface

Identifies the network interface where the web filter server resides. If not
specified, default is inside.

Protocol

Displays the protocol used to communicate with the filtering server.

Retransmit

(For IOS devices) Specifies the number of times the Cisco IOS device will
retransmit the request when a response does not arrive for the request.
Default is two times.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

IOS Specific Settings

Enable Alert

When selected, enables Context-based Access Control (CBAC) alert
messages, which are displayed on the console.


Allow Traffic when all Servers Unreachable

When selected, enables the default mode (allow mode) of the filtering
algorithm. The system will go into allow mode when connections to all
vendor servers (Websense or N2H2) are down. The system will return to
normal mode when a connection to at least one web vendor server is up.
Allow mode directs your system to forward or drop all packets on the basis
of the configurable allow mode setting.

If allow mode is on and the vendor servers are down, the HTTP
requests are allowed to pass.

If allow mode is off and the vendor servers are down, the HTTP
requests are forbidden.

Enable Alerts

When selected, enables inspect-related alert messages to appear on the IOS
device console.

Enable Audit Trail

When selected, shows CBAC audit trail messages, which are displayed after
each CBAC session closes. You can log messages such as URL request
status (allow or deny) into your syslog server.

Enable Web Filter Server Logging

Enables Cisco IOS devices to send a log request immediately after the URL
lookup request. The firewall device does not make a URL lookup request if
the destination IP address is in the cache, but it will still make a log request
to the server. (The log request contains the URL, host name, source address,
and destination address.) The server records the log request in its own log
server enabling you to view this information as necessary.

Cache Size

Specifies the cache of destination IP address entries. The maximum number
is 5000.

Maximum Request

Sets the maximum number of outstanding requests that can exist at any
given time. If the specified number is exceeded, new requests are dropped.


Packet Buffer

Identifies the maximum number of HTTP responses the firewall can keep
in its packet buffer. When an HTTP request arrives at a Cisco IOS device,
the firewall forwards the request to the web server while simultaneously
sending a URL look-up request to the vendor server (Websense or N2H2).

If the vendor server reply arrives before the HTTP response, the
firewall will know whether to permit or block the HTTP response.

If the HTTP response arrives before the vendor server reply, the
firewall will not know whether to allow or block the response; the
firewall will drop the response until it hears from the vendor server.

You can configure your firewall to store the HTTP responses in a buffer,
which allows your firewall to store a maximum of 20000 HTTP responses.
Each response remains in the buffer until an allow or deny message is
received from the vendor server.

If the vendor server reply allows the URL, the firewall will release the
HTTP response from the buffer to the end user.

If the vendor server reply denies the URL, the firewall will discard the
HTTP response from the buffer and close the connection to both ends.

PIX/ASA/FWSM Specific Settings

Cache Match Criteria

Source and Destination: Cache entries are based on both the
source address initiating the URL request and the URL
destination address. Select this mode if users do not share the same
URL filtering policy on the N2H2 or Websense server.

Destination: Cache entries are based on the URL destination address.
Select this mode if all users share the same URL filtering policy on the
N2H2 or Websense server.

URL Buffer Memory

Specifies the size of the URL buffer memory pool in KB. Values are
2–10240.

Note
For Websense URL filtering and N2H2/Smartfilter for PIX 7.2,
ASA 7.2 only.

Maximum Allowed URL Size

Specifies maximum allowed URL size in KB. Values are 2–4.

Note
For Websense URL filtering and N2H2/Smartfilter for PIX 7.2,
ASA 7.2 only.
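The Web Filter settings above describe a small state machine around the vendor lookup: the request is forwarded and the lookup sent at the same time, a web server response that beats the verdict is held in the packet buffer (or dropped when the buffer is full), an allow verdict releases held responses and a deny verdict discards them and closes the connection, cache hits skip the lookup, and allow mode decides what happens while every vendor server is down. The model below is an added example, not code from the guide or from Cisco IOS or the PIX/ASA, and it deliberately combines the IOS settings (Allow Traffic when all Servers Unreachable, Cache Size, Packet Buffer) with the PIX/ASA/FWSM Cache Match Criteria so both keying modes can be exercised. One assumption is labelled in the code: only allow verdicts populate the cache, since the page says a lookup is skipped when the destination is already cached. Connection identifiers, addresses and response payloads in the usage are constructed.

```python
from collections import OrderedDict, deque

ALLOW, DENY = "allow", "deny"


class UrlFilterModel:
    """Models the web-filter decision path from Table J-92: allow mode when
    all vendor servers are down, a bounded cache that skips the vendor
    lookup, and a bounded packet buffer that holds HTTP responses until the
    vendor verdict arrives. Defaults are the maxima stated on the page."""

    def __init__(self, allow_mode=True, cache_size=5000, packet_buffer=20000,
                 match="destination"):
        if match not in ("destination", "source_and_destination"):
            raise ValueError("match must be destination or source_and_destination")
        self.allow_mode = allow_mode
        self.cache_size = cache_size
        self.packet_buffer = packet_buffer
        self.match = match
        self.servers_up = True          # False when every vendor server is unreachable
        self.cache = OrderedDict()      # cache key -> ALLOW (assumption: only allows are cached)
        self.pending = {}               # conn id -> {"key": cache key, "responses": deque}
        self.buffered = 0               # responses currently held in the packet buffer
        self.delivered = []             # (conn id, response) released to the client
        self.dropped = []               # (conn id, response, reason)

    def _key(self, src, dst):
        # Cache Match Criteria: Destination, or Source and Destination.
        return dst if self.match == "destination" else (src, dst)

    def _cache_put(self, key):
        self.cache[key] = ALLOW
        self.cache.move_to_end(key)
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict the oldest entry

    def http_request(self, conn_id, src, dst):
        """A client request arrives; returns what the firewall does with it."""
        key = self._key(src, dst)
        if key in self.cache:
            self.cache.move_to_end(key)
            return "forwarded, cached allow, no lookup"
        if not self.servers_up:
            return "forwarded, allow mode" if self.allow_mode else "forbidden"
        # Forward to the web server and send the vendor lookup at the same time.
        self.pending[conn_id] = {"key": key, "responses": deque()}
        return "forwarded, lookup sent"

    def http_response(self, conn_id, response):
        """A web server response arrives, possibly before the verdict."""
        entry = self.pending.get(conn_id)
        if entry is None:                       # verdict already known
            self.delivered.append((conn_id, response))
            return "delivered"
        if self.buffered >= self.packet_buffer:
            self.dropped.append((conn_id, response, "buffer full"))
            return "dropped"
        entry["responses"].append(response)     # hold until the vendor replies
        self.buffered += 1
        return "buffered"

    def vendor_reply(self, conn_id, verdict):
        """The vendor verdict arrives: release or discard the held responses."""
        entry = self.pending.pop(conn_id)
        held = entry["responses"]
        self.buffered -= len(held)
        if verdict == ALLOW:
            self._cache_put(entry["key"])
            self.delivered.extend((conn_id, r) for r in held)
            return f"released {len(held)}"
        self.dropped.extend((conn_id, r, "denied") for r in held)
        return f"discarded {len(held)}, connection closed"
```

Setting a packet buffer of two and a cache of one entry in the usage shows the failure modes the page warns about: a third response for one connection is dropped rather than held, a denied URL never enters the cache, and with allow mode off a request to an uncached destination is forbidden while the servers are down even though a cached destination is still served.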


Cache Size

Sets the size of the cache for URL caching while pending responses from
an N2H2 or Websense server. Values are 1–128.

URL Block Buffer Limit

Creates an HTTP response buffer to store web server responses while
waiting for a filtering decision from the filtering server. Values are 1–128,
which specifies the number of 1550-byte blocks.

Save button

Saves your changes to the server, but keeps them private.

Note
To publish your changes, click the Submit icon on the toolbar.

Web Filter Server Configuration Dialog Box

Use the Web Filter Server Configuration dialog box to specify a filtering
server, such as Websense, that is used to filter URLs.
Navigation Path

To access the Web Filter Server Configuration dialog box, do one of the
following:

(Device view) Select a device, then select Firewall > Settings > Web Filter
from the Device selector. Right-click inside the Web Filter Server table, then
click Add Row, or right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Settings > Web Filter from the Policy
selector. Right-click inside the Web Filter Server table, then click Add Row,
or right-click a rule, then click Edit Row.

Related Topics

Configuring Settings for Web Filter Servers, page 12-156

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101


Field Reference
Table J-93 Web Filter Server Configuration Dialog Box

Element (1)    Description

Common

IP Address*

Identifies the IP address of the server that runs the URL filtering
application.

Timeout

Specifies the maximum idle time permitted before the security appliance
switches to the next server you specified. Default is 5 seconds.

PIX/ASA Specific Settings

Interface

Identifies the network interface where the authentication server resides, for
example, FastEthernet0. If not specified, the default is inside.
Enter the interface in the field provided or click Select, which opens the
Interface Selector dialog box from which to make your selection.

Protocol

Options are:

TCP v1

TCP v4

UDP v4

Connection Number

Limits the maximum number of connections permitted.

IOS Specific Settings

Retransmit

Specifies the number of times the Cisco IOS device will retransmit the
request when a response does not arrive for the request. Default is two
times.

Port

Specifies the port value.

OK button

Saves your changes locally on the client and closes the dialog box.
Note

To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.


Add and Edit Rule Section Dialog Boxes

Use the Add and Edit Rule Section dialog boxes to add or edit a section in the
rules tables.

Note
The same dialog box is used for adding and editing rule table sections.

Navigation Path

Select one or more rules in the rules table, then select Include in New Section
from the shortcut (right-click) menu.

Note
Sections can be added to the following rules tables: Access Rules, AAA Rules,
Inspection Rules, Web Filter Rules, Translation Rules, and MPC Rules; however,
sections are not supported in Web Filter Rules tables for IOS devices.
Related Topics

Understanding Rule Table Sections, page 12-44

Notes About Rule Table Sections, page 12-44

Adding Rule Table Sections, page 12-45

Adding Rules to an Existing Table Section, page 12-46

Removing Rules from an Existing Table Section, page 12-46

Editing a Rule Table Section, page 12-46

Removing a Rule Table Section, page 12-47

Field Reference
Table J-94 Add and Edit Rule Section Dialog Boxes

Element (1)    Description

Name*

Identifies the name associated with the new rule section.

Description

Enables you to enter a user-defined description to help you identify a rule
when viewing the rules table. A maximum of 1024 characters is allowed.


Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables.

Note
No commands are generated for the category attribute.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the server so that they are not lost when you
log out or close your client, click Save on the source page.

1. An asterisk indicates that the field is required.

Find and Replace Page

Use the Find and Replace feature to locate policy objects and text strings or
IP addresses that are referenced in rules tables.
Navigation Path

(Device view) Select a device, then select Firewall > <AAA Rules,
Access Rules, Inspection Rules, Web Filter Rules> from the Device
selector. Click the Find and Replace icon (binoculars).

(Device view) Select a device, then select NAT > Translation Rules from the
Device selector. Click the Find and Replace icon (binoculars).

(Policy view) Select Firewall > Firewall > <AAA Rules, Access Rules,
Inspection Rules, Web Filter Rules> from the Policy selector. Click the
Find and Replace icon (binoculars).

(Policy view) Select NAT > Translation Rules from the Policy selector.
Click the Find and Replace icon (binoculars).

(Map view) Right-click a device, then select Edit Firewall Policies >
<AAA Rules, Access Rules, Inspection Rules, Web Filter Rules>. Click
the Find and Replace icon (binoculars).

Related Topics

Using Find and Replace, page 12-18


Field Reference
Table J-95

Find and Replace Page

Element

Description

Type

Enables you to search for policy objects or text references in the
rules tables. The search feature on object names is not case
sensitive.

Network: A network object name or IP address. Search is
limited to the Source or Destination columns, or both columns
(All Columns).

Service: A service object name or protocol and port, for
example TCP/80. Search is limited to the Service column. The
search is syntactic, not semantic. Therefore, if you are
searching for TCP/80 and a rule uses HTTP, the search results
will not find it.

Interface Role: An interface role object name or interface role
pattern. Search is limited to the Interface, Source, or
Destination columns, or all three columns (All Columns).

Text: A text string in a Description field. Descriptions are
case-sensitive.

Find

Enables you to search for a text string, IP address, network, or host.
Enter the information in the field provided or click Select, which
opens a Selector dialog box from which to make your selection.

Replace

Enables you to replace a text string, IP address, network, or host
with a replacement value. Enter the information in the field
provided or click Select, which opens a Selector dialog box from
which to make your selection.

Search Options

Direction

Locates the next item above or below the item selected.

Up: Locates the next item above the item selected from the
start point to the beginning of the rules table.

Down: Locates the next item below the item selected from the
start point to the end of the rules table.

Note
If no direction is selected, the search is based on all rules.


Match Case

When selected, matches the case for the item. Only text strings used
in Descriptions are case-sensitive.

Find Whole Words Only1

When selected, searches for whole words only, for example, if two
network objects exist that are named SanJose and SanJose1, only
the network object named SanJose is found.

Allow Wildcards1

Ensures that special characters ?, $, and * are treated as wildcards
and not literal text.

Find Next button

When clicked, locates the next reference of the text string,
IP address, network, or host identified in the Find field.

Replace button

When clicked, replaces the reference with the text string, IP address,
network, or host identified in the Replace field.

Replace All button

When clicked, replaces all references with the text string,
IP address, network, or host identified in the Replace field.

1. Allow Wildcards and Find Whole Words Only are mutually exclusive for text fields only; both cannot be selected.

Analysis Reports Page


Navigation Path

To generate Analysis reports, do one of the following:

(Device view) Select a device, then select Firewall > Access Rules from the
Device selector. From the Access Rules page, click Analysis.

(Policy view) Select Firewall > Access Rules from the Policy selector. From
the Access Rules page, click Analysis.

Related Topics

Example of Analysis Report Layout, page 12-8

Generating Analysis Reports, page 12-8


Field Reference
Table J-96

Analysis Report Page

Column

Description

Left Pane

Base Rules

Lists conflicting groups.

Top Right Pane - Compares base rule to conflicted rules analyzed in the report.

Scope

Identifies whether a rule is shared or local, mandatory or default.

Number

Displays the ordered rule number where the rule is defined.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

Permit: Shown as a green check mark.

Deny: Shown as a red circle with slash.

Source

Identifies the source object names or addresses of hosts and networks, for
example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and network
object names. Interface roles can also be used to identify a source. Multiple
entries are separated by a comma.
Note
If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Destination

Identifies the destination network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
destination. Multiple entries are separated by a comma.
Note
If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

Service

Identifies service objects that specify protocol and port information.
Multiple entries are separated by a comma.
Note
If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.


Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Note
Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.

Direction

Identifies traffic direction within a network. Direction is always associated
with an interface:

In: Packets entering a network.

Out: Packets exiting a network.

Note
The Direction parameter is not supported on PIX 6.3.

Bottom Right Pane - Overlap Details

<< button

Navigation button to move to the previous page when multiple rule results
are present.

>> button

Navigation button to move to the next page when multiple rule results are
present.

Type

Redundant Base Rule: For example, the base rule and overlapping
rule are the same, except that the base rule source address is any and
the overlapping rule source address is 1.2.3.4.

Redundant Overlapping Rule: For example, Rule A is a superset of
Rule B. The actions for rules A and B are the same.

Conflicting Rule: For example, the base rule permits all rules with
source address any and the overlapping rule denies rules with source
address 1.2.3.4.

Duplicate Rule: The base rule and the overlapping rule are identical.

Rule

Identifies the base rule and the conflicting rules.
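The following Python is an added illustration, not part of the user guide or of Security Manager, of how a base/overlapping rule pair can be sorted into the overlap types listed above using address and service containment. The Rule fields, the "ip" wildcard service, and the assignment of the two redundant labels (base covers overlapping versus overlapping covers base, read literally from the table's examples) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Rule:
    """One access rule (assumed shape). Addresses are IPv4 networks; services
    are strings such as "tcp/80"; the service "ip" stands for all traffic."""
    action: str                        # "permit" or "deny"
    sources: Tuple[IPv4Network, ...]
    destinations: Tuple[IPv4Network, ...]
    services: FrozenSet[str]


def _to_nets(items: Iterable[str]) -> Tuple[IPv4Network, ...]:
    # "any" and 0.0.0.0/0 both mean every address, as the table notes.
    return tuple(ip_network("0.0.0.0/0" if s == "any" else s) for s in items)


def rule(action: str, sources: Iterable[str], destinations: Iterable[str],
         services: Iterable[str]) -> Rule:
    return Rule(action, _to_nets(sources), _to_nets(destinations), frozenset(services))


def _nets_cover(outer, inner) -> bool:
    # every network in inner lies inside some network in outer
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def _nets_touch(a, b) -> bool:
    return any(x.overlaps(y) for x in a for y in b)


def _svcs_cover(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    return "ip" in outer or inner <= outer


def _svcs_touch(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    return "ip" in a or "ip" in b or bool(a & b)


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by b is also matched by a (a is a superset of b)."""
    return (_nets_cover(a.sources, b.sources)
            and _nets_cover(a.destinations, b.destinations)
            and _svcs_cover(a.services, b.services))


def intersects(a: Rule, b: Rule) -> bool:
    """True when at least one packet is matched by both rules."""
    return (_nets_touch(a.sources, b.sources)
            and _nets_touch(a.destinations, b.destinations)
            and _svcs_touch(a.services, b.services))


def classify(base: Rule, overlapping: Rule) -> str:
    """Map a (base, overlapping) pair to one of the overlap types in the table."""
    if base == overlapping:
        return "Duplicate Rule"
    if not intersects(base, overlapping):
        return "No Overlap"
    if base.action != overlapping.action:
        return "Conflicting Rule"          # same packets, opposite verdicts
    if covers(base, overlapping):
        return "Redundant Base Rule"       # table example: base is any, overlapping is 1.2.3.4
    if covers(overlapping, base):
        return "Redundant Overlapping Rule"  # Rule A (overlapping) is a superset of Rule B (base)
    return "Partial Overlap"


if __name__ == "__main__":
    # Constructed sample pairs mirroring the table's examples.
    base = rule("permit", ["any"], ["10.0.0.0/8"], ["tcp/80"])
    narrow = rule("permit", ["1.2.3.4"], ["10.0.0.0/8"], ["tcp/80"])
    denier = rule("deny", ["1.2.3.4"], ["10.0.0.0/8"], ["tcp/80"])
    for other in (base, narrow, denier):
        print(classify(base, other))
```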


Permit

Shows whether a rule permits or denies traffic based on the conditions set.

Permit: Shown as a green check mark.

Deny: Shown as a red circle with slash.

Source

Identifies the source object names or addresses of hosts and networks, for
example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and network
object names. Interface roles can also be used to identify a source. Multiple
entries are separated by a comma.
Note
If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Destination

Identifies the destination network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
destination. Multiple entries are separated by a comma.
Note
If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

Service

Identifies service objects that specify protocol and port information.
Multiple entries are separated by commas.
Note
If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Note
Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.


Import Rules - Enter Parameters Dialog Box


Use the Import Rules feature to import a set of ACEs in device
running-configuration format to Security Manager. When you import rules, object
groups (for PIX, ASA, and FWSM platforms) and time ranges (for all platforms)
are also imported.
Navigation Path

You access the Import Rules feature from the Access Rules tables in Device view.
Select Firewall > Access Rules. Click the Tools button located below the table,
then select Import Rules.
Related Topics

Importing Rules, page 12-32

Field Reference
Table J-97

Import Rules - Enter Parameters Dialog Box

Element1

Description

CLI*

Enables you to import the ACEs. You can manually enter the CLI in
the field provided or copy and paste the configuration from an
external application to the text area.
Note the following:

Unreferenced policy objects, time ranges, and object groups are
also supported.

One or more ACEs in named/numbered format. Both standard
and extended ACEs are supported.

Only one ACL is supported.

Time range definitions and their references in ACEs are
supported as long as they are consistent. For example,
unreferenced time-range definitions and ACEs referring to
non-existing time ranges result in an error.

For PIX/FWSM/ASA, object groups and name commands are
supported as noted above.
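Two of the constraints in the list above (a single ACL, and ACE references to object groups or time ranges that must be defined in the same text) can be checked before the snippet is pasted into the CLI field. The following Python validator is an added example, not Security Manager code; the sample configurations and the ASA-style and IOS-style line patterns it recognises are constructed assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed ASA/PIX-style sample: one object group, one time range, and ACEs
# that reference both. Not taken from the page.
SAMPLE_CLI = """\
object-group network WEB_SERVERS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
time-range WORKHOURS
 periodic weekdays 8:00 to 18:00
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq 80 time-range WORKHOURS
access-list OUTSIDE_IN extended deny ip any any
"""

# Constructed IOS-style sample: a named extended ACL with sequenced ACEs.
IOS_CLI = """\
ip access-list extended INSIDE_OUT
 10 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 20 deny ip any any
"""

OBJ_GROUP_RE = re.compile(r"^object-group\s+\S+\s+(\S+)")        # object-group <type> NAME
TIME_RANGE_RE = re.compile(r"^time-range\s+(\S+)")               # time-range NAME
ASA_ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")         # access-list NAME <ace>
IOS_ACL_RE = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
IOS_ACE_RE = re.compile(r"^\s+(?:\d+\s+)?(?:permit|deny)\b")    # indented ACE in an IOS named ACL


def validate_import(cli: str) -> Dict[str, object]:
    """Collect definitions and ACEs from the pasted text, then report every
    violation of the single-ACL rule and every dangling object-group or
    time-range reference. Member lines of a definition (network-object,
    periodic, absolute, ...) are skipped; they belong to the block above."""
    groups: Set[str] = set()
    ranges: Set[str] = set()
    acls: Set[str] = set()
    aces: List[str] = []
    errors: List[str] = []
    current_acl = None  # IOS named ACL whose block we are inside, if any
    for raw in cli.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = OBJ_GROUP_RE.match(line)
        if m:
            groups.add(m.group(1))
            current_acl = None
            continue
        m = TIME_RANGE_RE.match(line)
        if m:
            ranges.add(m.group(1))
            current_acl = None
            continue
        m = IOS_ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            current_acl = m.group(1)
            continue
        m = ASA_ACE_RE.match(line)
        if m:
            acls.add(m.group(1))
            if not m.group(2).startswith("remark"):   # remarks are not ACEs
                aces.append(m.group(2))
            continue
        if current_acl and IOS_ACE_RE.match(line):
            aces.append(line.strip())
    if len(acls) > 1:
        errors.append(f"only one ACL is supported; found {len(acls)}: "
                      + ", ".join(sorted(acls)))
    for i, ace in enumerate(aces, 1):
        for name in re.findall(r"object-group\s+(\S+)", ace):
            if name not in groups:
                errors.append(f"ACE {i} references undefined object-group {name}")
        for name in re.findall(r"time-range\s+(\S+)", ace):
            if name not in ranges:
                errors.append(f"ACE {i} references undefined time-range {name}")
    return {"acls": sorted(acls), "ace_count": len(aces),
            "object_groups": sorted(groups), "time_ranges": sorted(ranges),
            "errors": errors}


if __name__ == "__main__":
    for label, text in (("asa", SAMPLE_CLI), ("ios", IOS_CLI)):
        print(label, validate_import(text))
```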


Interface*

Identifies the logical name of the interface (interface role) or
physical interface to which a rule is assigned. See Understanding
Interface Role Objects, page 8-115.
For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the information in the field provided or click Select, which
opens the Interface Selector dialog box from which to make your
selection. You can also create an interface role by clicking the
Create button in the Interface Selector dialog box.
Note
Interface roles are objects that are used to help you
configure firewall rules. The objects are replaced with the
actual interface names when the configuration is generated
for each device.

Traffic Direction

Identifies traffic direction within a network. Direction is always
associated with an interface:

In: Packets entering a network.

Out: Packets exiting a network.

Note
The Direction parameter is not supported on PIX 6.3
devices.

Category

Provides an intermediate level of detail to objects and rules by use
of color-coding. Color-coding helps you readily identify objects and
rules when you are viewing policy tables. See Understanding
Category Objects, page 8-48.
Note
No commands are generated for the category attribute.

Back button

Returns to the previous wizard page.
Note
The Back button is not available from this wizard page.

Next button

Advances to the next wizard page.


Finish button

Completes the wizard dialog and returns you to the main rules page.
The settings are shown in the table.
Note
The Finish button is active on the Summary and Preview
wizard pages.

1. An asterisk indicates that the field is required.

Import Rules - Status Page


Use the Import Rules - Status page to view information after validation has
completed.
Navigation Path

You access the Import Rules feature from the Access Rules tables from Device
view. Select Firewall > Access Rules. Click the Tools button located below the
table, then select Import Rules. Enter the parameters, then click Next.
Related Topics

Importing Rules, page 12-32

Field Reference
Table J-98

Import Rules - Status Page

Element

Description

Progress bar

Shows the status of the imported configuration.

Status

Shows the status of the imported configuration in message format.

Importing Config

Import Successful

Import Failed

Rules Imported

Shows the number of rules imported.

Policy Objects Created

Shows the number of policy objects created.


Messages

Shows informative messages, for example, the policy objects
created during the operation or existing policy objects that were
reused.

Severity

Shows the type of message:

Info

Error

Warning

Description

Shows informative messages, for example, existing policy objects
that were reused by the operation, or internal errors.

Action

Provides additional instructions when applicable.

Abort button

Aborts the import operation.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Completes the wizard dialog and returns you to the main page. The
settings are shown in the table.
Note
The Finish button is active on the Summary and Preview
wizard pages.

Import Rules - Preview Page


Use the Preview page of the wizard to view the newly created rules in read-only
format. If no rules are imported, the Preview page is not available for viewing.
Navigation Path

You access the Import Rules feature from the Access Rules tables from Device
view. Select Firewall > Access Rules. Click the Tools button below the table,
then select Import Rules. Enter the parameters, then click Next. The status page
appears. Verify status information, then click Next.
Related Topics

Importing Rules, page 12-32


Import Rules - Preview Page (Rules Tab), page J-187

Importing Rules - Preview Page (Objects Tab), page J-190

Field Reference
Table J-99

Import Rules - Preview Page

Element

Description

Rules tab

Shows the newly created rules. If no rules are imported, the tab is
not displayed. See Table J-100.

Objects tab

Shows the newly created policy objects. If no new policy objects are
created, the tab is not displayed. See Table J-101.
Note
If an ACE in the configuration refers to an object group or
time range that is not defined properly, the ACEs are not
imported.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.
Note
The Next button is not available from the Preview page.

Finish button

Completes the wizard dialog and returns you to the main page. The
settings are shown in the table.
Note
The Finish button is active on the Summary and Preview
wizard pages.

Import Rules - Preview Page (Rules Tab)


Use the Preview page of the wizard to view the newly created rules in read-only
format. If no rules are imported, the Rules tab is not available for viewing.
Navigation Path

You access the Import Rules feature from the Access Rules tables from Device
view. Select Firewall > Access Rules. Click the Tools button below the table,
then select Import Rules. Enter the parameters, then click Next. The status page
appears. Verify status information, then click Next.


Related Topics

Importing Rules, page 12-32

Importing Rules - Preview Page (Objects Tab), page J-190

Field Reference
Table J-100

Import Rules - Preview Page (Rules Tab)

Element

Description

Filter

Filters the information displayed in the table. Click the arrow to
display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.

No.

Identifies the ordered rule number in the table.

Permit

Shows whether a rule permits or denies traffic based on the
conditions set.

Permit: Shown as a green check mark.

Deny: Shown as a red circle with slash.

Source

Identifies the source network object names or addresses of
hosts and networks, for example, 10.1.1.1, 10.1.1.1/32,
10.1.1.1/255.255.255.255, and net10. Interface roles can also
be used to identify a source. Multiple entries are displayed as
separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Destination

Identifies the destination network object names or addresses of
hosts and networks, for example, 10.1.1.1, 10.1.1.1/32,
10.1.1.1/255.255.255.255 and net10. Interface roles can also be
used to identify a destination. Multiple entries are displayed as
separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Service

Identifies service objects that specify protocol and port information.
Multiple entries are displayed as separate subfields within the table
cell. See Understanding Service Objects, page 8-159.


Interface

Identifies the logical name of the interface (interface role) or
physical interface to which a rule is assigned. Multiple entries are
displayed as separate subfields within the table cell. See
Understanding Interface Role Objects, page 8-115.
For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Note
Interface roles are objects that are used to help you
configure firewall rules. The objects are replaced with the
actual interface names when the configuration is generated
for each device. The access-group command is generated
for the interface role selected.

Dir.

Direction. Identifies traffic direction within a network. Direction is
always associated with an interface:

In: Packets entering a network.

Out: Packets exiting a network.

Note
The out direction parameter is not supported on PIX 6.3
devices. If you enter a rule and define the direction as out,
a warning message results during activity validation and the
rule is ignored.

Options

Displays additional options that are configured during the process
of defining an access rule. Options vary depending on the platform
selected.

Category

Provides an intermediate level of detail to objects and rules by use
of color-coding. Color-coding helps you readily identify objects and
rules when you are viewing policy tables. See Understanding
Category Objects, page 8-48.
Note
No commands are generated for the category attribute.


Description

Shows a user-defined description to help you identify a rule when
viewing the rules table. A maximum of 1024 characters is allowed.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.
Note
The Next button is not available from the Preview page.

Finish button

Completes the wizard dialog and returns you to the main page. The
settings are shown in the table.
Note
The Finish button is active on the Summary and Preview
wizard pages.

Importing Rules - Preview Page (Objects Tab)


Use the Preview page of the wizard to view the newly created rules in read-only
format. If no objects are imported, the Objects tab is not available for viewing.
Navigation Path

You access the Import Rules feature from the Access Rules tables from Device
view. Select Firewall > Access Rules. Click the Tools button below the table,
then select Import Rules. Enter the parameters, then click Next. The status page
appears. Verify status information, then click Next. The Preview Page appears.
Click the Objects tab.
Related Topics

Importing Rules, page 12-32


Field Reference
Table J-101

Import Rules - Preview Page (Objects Tab)

Element

Description

Filter

Filters the information displayed in the table. Click the arrow to
display the filtering bar, which enables you to set filtering
parameters. See Filtering Tables, page 3-24.

Object Name

Identifies the name of the imported object.

Type

Identifies the type of imported object. Options are:

Network

Service

Portlist

Time Range

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.
Note
The Next button is not available from the Preview page.

Finish button

Completes the wizard dialog and returns you to the main page. The
settings are shown in the table.
Note
The Finish button is active on the Summary and Preview
wizard pages.

Import Rules Show Source Contents Dialog Box


Use the Show Source Contents dialog box to display all source addresses. The list
shows flattened values of all levels of a source address or network object and sorts
the results in ascending order on the IP address, then descending order on the
mask.
Navigation Path

To access the Show Source Contents dialog box, do one of the following:

Right-click the Source table cell of a rule in the Import Rules - Preview table,
then click Show Source Contents to display a list of all sources.


Select an entry (subfield) in the Source table cell of a rule in the Import Rules
- Preview table, then right-click and select Show <Source> Contents.

Related Topics

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Field Reference
Table J-102

Show Source Contents Dialog Box

Element

Description

Source Contents

Lists networks and hosts first, followed by interface roles. You can also
select a specific source (subfield) in the table, which opens a Show
<subfield> dialog box.
Note
If you entered 0.0.0.0/0 for the source, it automatically matches the
any predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.

Import Rules Show Destination Contents Dialog Box


Use the Show Destination Contents dialog box to display all destination
addresses. The list shows flattened values of all levels of a destination address or
Network Object and sorts the results in ascending order on the IP address, then
descending order on the mask.
Navigation Path

To access the Show Destination Contents dialog box, do one of the following:

Right-click the Destination table cell of a rule in the Import Rules - Preview
table, then click Show Destination Contents to display a list of all destinations.

Select an entry (subfield) in the Destination table cell of a rule in the Import
Rules - Preview table, then right-click and select
Show <Destination> Contents.


Related Topics

Understanding Network/Host Objects, page 8-127

Understanding Interface Role Objects, page 8-115

Field Reference
Table J-103

Show Destination Contents Dialog Box

Element

Description

Destination Contents

Lists networks and hosts first, followed by interface roles. You can also
select a specific destination (subfield) in the table, which opens a Show
<subfield> dialog box.
Note
If you entered 0.0.0.0/0 for the destination, it automatically matches
the any predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.

Import Rules Show Service Contents Dialog Box


Use the Show Service dialog box to display all services and port information. The
list shows flattened values of all levels of the Service and Port List objects and
sorts the results on: protocol, destination port, and source port.
Navigation Path

To access the Show Service dialog box, do one of the following:

Right-click the Service table cell of a rule in the Import Rules - Preview table,
then click Show Service Contents to display a list of all services.

Select an entry (subfield) in the Service table cell of a rule in the Import Rules
- Preview table, then right-click and select Show <Service> Contents.

Related Topics

Understanding Service Objects, page 8-159


Field Reference
Table J-104

Show Service Contents Dialog Box

Element

Description

Service Contents

Displays device-specific protocol and port values.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.

Import Rules Show Interface Contents Dialog Box


Use the Show Interface Contents dialog box to display actual interface names. The
list shows flattened values of all levels of an address, network object, or interface
role and sorts the results in ascending order on the IP address, then descending
order on the mask.
You can display a list of all interfaces by clicking on a table cell or specific entry
(subfield) within the table cell, then clicking either Show Interface Contents (for
a table cell) or Show <Interface> Contents (for a subfield) from the shortcut
menu.
Navigation Path

To access the Show Interface Contents dialog box, do one of the following:

Right-click the Interface table cell of a rule in the Access Rules table, then
click Show Interface Contents.

Select an entry (subfield) in the Interface table cell of a rule in the Access
Rules table, then right-click and select Show <Interface> Contents.

Related Topics

Understanding Interface Role Objects, page 8-115


Field Reference
Table J-105

Show Interface Contents Dialog Box

Element

Description

Interface Contents

Displays actual interface names.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.

Policy Query Page


Use the Policy Query page to set up the parameters to compose a query that
describes a set of packets. You can request a query for any firewall policy.
When setting up your query, you must select at least one rule type; enabled,
disabled or both; permitted, denied, or both; and mandatory, default, or both. A
Details section describes how a rule is matched with the query arguments.

Note

For inspection rules, if Global is the designated query interface value, the match
status results are shown as a partial match, even if the match is complete.
Navigation Path

To generate Policy Query reports, do one of the following:

(Device view) Select a device, then select Firewall > <any rules table> from
the Device selector. From any rules page, click Query.

(Policy view) Select Firewall > Firewall > <any rules table> from the Policy
selector. From any rules page, click Query.

Related Topics

Using Policy Query, page 12-37

Generating Policy Query Reports, page 12-39


Field Reference
Table J-106

Querying <Policy | Device> Page

Element

Description

Rule Types

AAA Rules

When selected, shows AAA rule information.

Access Rules

When selected, shows access rule information.

Inspection Rules

When selected, shows inspection rule information.

Web Filter Rules

When selected, shows web filter rule information.

Enabled and/or Disabled Rules

Enabled Rules

When selected, shows rules that are enabled for the selected rule
types.

Disabled Rules

When selected, shows rules that are disabled for the selected rule
types.

Mandatory and/or Default Rules

Mandatory Rules

When selected, shows rules that are mandatory.

Default Rules

When selected, shows rules that are default.

Actions

Permit

When selected, shows rules that permit traffic for the selected rule
types based on the conditions set.

Deny

When selected, shows rules that deny traffic for the selected rule
types based on the conditions set.


Source Addresses

Identifies the source object names or addresses of hosts and
networks. Multiple entries are separated by commas. Accepted
formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see
Contiguous and Discontiguous Network Masks, page 8-129.

Interface roles can also be used to identify a source. When used, the
rule behaves as if you supplied the IP address of the selected
interface. This is useful for interfaces that are DHCP addressed,
where you cannot know the address that will be used when creating
the policies because the address is dynamically assigned when the
device boots.
Enter the addresses or names in the field provided, or click Select,
which opens the Object Selector dialog box from which to make
your selections. You can also create an object by clicking the Create
button in the Object Selector dialog box.
Tip
You can create an object with a list of the IP addresses to
facilitate future policy query requests.
Note
If you manually enter 0.0.0.0/0 for the source, it
automatically matches the any predefined object.
Note
A blank field automatically matches any.
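The accepted address formats listed above, together with the flattening and ordering that the Show Source Contents and Show Destination Contents dialog boxes described earlier apply (all levels of a network object expanded, then ascending IP address and descending mask), in one added Python example. The OBJECTS table, its nesting, and the "any" rendering of 0.0.0.0/0 are constructed assumptions; this is not Security Manager code.

```python
from ipaddress import IPv4Network, ip_address, ip_network, summarize_address_range
from typing import Dict, FrozenSet, List

ANY = ip_network("0.0.0.0/0")   # matches the predefined object "any"

# Constructed sample object table (not from the page). Members may be other
# object names, so expansion has to walk every level of nesting.
OBJECTS: Dict[str, List[str]] = {
    "net10": ["10.1.1.0/24", "10.1.2.0/255.255.255.0"],
    "branch-hosts": ["192.168.5.10", "192.168.5.20-192.168.5.23"],
    "all-internal": ["net10", "branch-hosts"],
}


def expand(entry: str, seen: FrozenSet[str] = frozenset()) -> List[IPv4Network]:
    """Expand one entry in any accepted format into IPv4 networks:
    host a.b.c.d; subnet a.b.c.d/e (prefix length) or a.b.c.d/x.x.x.x
    (dotted mask); range a.b.c.d-e.f.g.h, which may span several subnets;
    or the name of a network object, expanded recursively."""
    entry = entry.strip()
    if entry in OBJECTS:
        if entry in seen:
            raise ValueError(f"network object {entry} refers to itself")
        nets: List[IPv4Network] = []
        for member in OBJECTS[entry]:
            nets.extend(expand(member, seen | {entry}))
        return nets
    if "-" in entry:
        lo_text, hi_text = entry.split("-", 1)
        lo, hi = ip_address(lo_text.strip()), ip_address(hi_text.strip())
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        # A range is reported as the minimal set of subnets that cover it.
        return list(summarize_address_range(lo, hi))
    # ip_network accepts a.b.c.d, a.b.c.d/e and a.b.c.d/x.x.x.x; strict=False
    # clears host bits, so 10.1.1.7/24 is read as 10.1.1.0/24.
    return [ip_network(entry, strict=False)]


def show_contents(field: str) -> List[str]:
    """Flatten a comma-separated Source/Destination field and order it the
    way the Show Contents dialog boxes do: ascending IP address, then
    descending mask, so a /32 lists before a /24 on the same address."""
    nets: List[IPv4Network] = []
    for entry in field.split(","):
        if entry.strip():
            nets.extend(expand(entry))
    ordered = sorted(set(nets), key=lambda n: (int(n.network_address), -n.prefixlen))
    return ["any" if n == ANY else n.with_prefixlen for n in ordered]


if __name__ == "__main__":
    print(show_contents("all-internal, 10.1.1.0/32"))
    print(show_contents("0.0.0.0/0"))
```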


Destination Addresses

Identifies the destination object names or addresses of hosts and
networks. Multiple entries are separated by commas. Accepted
formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)

Freeform text that is the name of a network object

Enter the addresses or names in the field provided, or click Select,
which opens the Object Selector dialog box from which to make
your selections. You can also create an object by clicking the Create
button in the Object Selector dialog box.
Tip
You can create an object with a list of the IP addresses to
facilitate future policy query requests.
Note
If you manually enter 0.0.0.0/0 for the destination, it
automatically matches the any predefined object.
Note
A blank field automatically matches any.

Services

Identifies service objects that specify protocol and port information.
Tip
You can create an object with a list of the services to
facilitate future policy query requests.
Note
If you manually enter a service, such as TCP / 80, and that
data translates directly to a predefined service object, such
as HTTP, the rule takes the predefined object as its value.
Note
A blank field automatically matches IP.

Interfaces

Identifies the logical name of the interface (interface role) or
physical interface to which a rule is assigned. For example:

• All DMZs
• All Fast Ethernets
• All Interfaces
• FastEthernet0

Enter the interface in the field provided or click Edit, which opens
the Interface Selector dialog box from which to make your
selection. You can also create an interface role by clicking the
Create button in the Interface Selector dialog box.

Note: Interface roles are objects that are used to help you
configure firewall rules. The objects are replaced with the
actual interface names when the configuration is generated
for each device.

Tip: You can create an object with a list of the interfaces to
facilitate future policy query requests.

Note: A blank field automatically matches All-Interfaces.

Check if Matching Rules Are Shadowed by Rules Above

When selected, the policy query results include rule conflict
detection information.

Note: Enabling this option might have an impact on performance and
cost results.

OK button

Saves your changes locally on the client and closes the dialog box.

Note: To save your changes to the server so that they are not lost
when you log out or close your client, click Save on the
source page.


Policy Query Results Page


Navigation Path

To generate Policy Query reports, do one of the following:

• (Device view) Select a device, then select Firewall > <any rules table> from
the Device selector. From any rules page, click Query.

• (Policy view) Select Firewall > Firewall > <any rules table> from the Policy
selector. From any rules page, click Query.

Related Topics

• Example of Details Table Results, page 12-43
• Generating Policy Query Reports, page 12-39
• Understanding Policy Query Results, page 12-40

Field Reference

Table J-107

Policy Query Results Page

Element

Description

Top Left (Query Parameters)

Provides the user-defined parameters on which the policy query results
were based.

Tip: You can click Edit Query to change your query parameters and
rerun the report.

Display

Enables you to select a rules table for which to display the query results for
each type of policy rule that was queried.

AAA Rule Results

Match Status

Shows match results.

• Complete Match: All elements expressed in the query report match
the query.
• Partial Match: All of the search criteria overlap or are a superset of the
matched rule.
• No Effect: Rules are blocked by other matching rules, or a conflict
exists that has no effect. For more information, see Understanding
Policy Query Results, page 12-40.

Scope

Identifies whether a rule is shared or local, mandatory or default.

Rule

Identifies the rule number when you are viewing the actual Mandatory and
Default or Local rules tables.

Note: You can double-click on a rule in the results table, which will
highlight that row in the corresponding policy group in the actual
rules table. You can then perform inline editing of the rule as usual.

Enable

Indicates whether the rule appears after the configuration is generated. A
disabled rule is not generated; it is retained in the table for debugging
purposes.

• Enabled = True.
• Disabled = False.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

• Permit: Shown as a green check mark.
• Deny: Shown as a red circle with slash.

Source

Identifies the source network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
source. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Destination

Identifies the destination network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
destination. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

Service

Identifies service objects that specify protocol and port information.
Multiple entries are separated by commas.

Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

• All DMZs
• All Fast Ethernets
• All Interfaces
• FastEthernet0

Dir.

Direction. Identifies whether traffic is entering or exiting a network.

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables.

Note: No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing
the rules table. A maximum of 1024 characters is allowed.

Access Rule Results

Match Status

Shows match results.

• Complete Match: All elements expressed in the query report match
the query.
• Partial Match: Some of the elements expressed in the query report
match the query.
• No Effect: Rules are blocked by other matching rules, or a conflict
exists that has no effect. For more information, see Understanding
Policy Query Results, page 12-40.

Scope

Shows the policy group within the hierarchy.

Rule

Identifies the ordered rule number in the table.

Note: You can select a rule number, then right-click on the number to edit
a rule in its entirety.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

• Permit: Shown as a green check mark.
• Deny: Shown as a red circle with slash.

Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

• All DMZs
• All Fast Ethernets
• All Interfaces
• FastEthernet0

Direction

Identifies traffic direction within a network. Direction is always associated
with an interface:

• In: Packets entering a network.
• Out: Packets exiting a network.

Note: The Direction parameter is not supported on PIX 6.3.

Source Addresses

Identifies the source network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
source. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Dest Addresses

Identifies the destination network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
destination. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

Services

Identifies service objects that specify protocol and port information.

Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Options

Displays additional configuration options for the selected protocol.

Enabled

Indicates whether the rule appears after the configuration is generated. A
disabled rule is not generated; it is retained in the table for debugging
purposes.

• Enabled = True.
• Disabled = False.

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables.

Note: No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing
the rules table. A maximum of 1024 characters is allowed.

Web Filter Rule Results

Enable

Indicates whether the rule appears after the configuration is generated. A
disabled rule is not generated; it is retained in the table for debugging
purposes.

• Enabled = True.
• Disabled = False.

Type

Displays filtering and action parameters.

Action

Describes what should occur based on the conditions set.

• Permit: Allows traffic.
• Deny: Denies traffic.

Source Addresses

Identifies the source network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
source. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Dest Addresses

Identifies the destination network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255
and network object names. Interface roles can also be used to identify a
destination. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

Services

Identifies service objects that specify protocol and port information.

Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Description

Shows a user-defined description to help you identify a rule when viewing
the rules table. A maximum of 1024 characters is allowed.

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables.

Note: No commands are generated for the category attribute.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

• Permit: Shown as a green check mark.
• Deny: Shown as a red circle with slash.

Block Connection to HTTP Proxy

Prevents users from connecting to an HTTP proxy server.

Block Outbound

Blocks traffic if an exact path to a particular directory is not specified.

Long URL

Lists options for handling long URLs:

• Drop: Drops the packet if a URL exceeds the maximum permitted
size (default). To avoid this, you can set the security appliance to
truncate a long URL.
• Truncate: Sends only the originating hostname or IP address to the
Websense server if the URL is over the URL buffer limit.
• Deny: Denies the URL request if the URL is over the URL buffer size
limit or the URL buffer is not available.

Inspection Rule Results

Match Status

Shows match results.

• Complete Match: All elements expressed in the query report match
the query.
• Partial Match: Some of the elements expressed in the query report
match the query.
• No Effect: Rules are blocked by other matching rules, or a conflict
exists that has no effect. For more information, see Understanding
Policy Query Results, page 12-40.

Scope

Shows the policy group within the hierarchy.

Rule

Identifies the ordered rule number in the table.

Note: You can select a rule number, then right-click on the number to edit
a rule in its entirety.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

• Permit: Shown as a green check mark.
• Deny: Shown as a red circle with slash.

Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

• All DMZs
• All Fast Ethernets
• All Interfaces
• FastEthernet0

Direction

Identifies traffic direction within a network. Direction is always associated
with an interface:

• In: Packets entering a network.
• Out: Packets exiting a network.

Note: The Direction parameter is not supported on PIX 6.3.

Source Addresses

Identifies the source network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255,
and network object names. Interface roles can also be used to identify a
source. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Dest Addresses

Identifies the destination network object names or addresses of hosts and
networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255,
and network object names. Interface roles can also be used to identify a
destination. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

Services

Identifies service objects that specify protocol and port information.

Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Time Range

Defines access to a firewall device or security appliance based on specific
times of the day and weekly access. Time range relies on the system clock
of the device or appliance; however, the feature works best with NTP
synchronization.

Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Inspected Protocol

Identifies the inspected protocols.

Enabled

Indicates whether the rule appears after the configuration is generated. A
disabled rule is not generated; it is retained in the table for debugging
purposes.

• Enabled = True.
• Disabled = False.

Alert

When selected, enables inspect-related alert messages to appear on the IOS
device console.

Note: Supported on IOS devices only.

Audit Trail

Shows Context-Based Access Control (CBAC) audit trail messages, which
are displayed after each CBAC session closes. The ip inspect audit trail
command is used in global configuration mode.

Note: Supported on IOS devices only.

Timeout

Specifies the length of time, in seconds, for which a session is managed
while there is no activity. Values are 5-43200.

Note: Supported on IOS devices only.

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables.

Note: No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing
the rules table. A maximum of 1024 characters is allowed.

Details Table

Sources folder

Provides greater detail pertaining to the source parameter.

Destinations folder

Provides greater detail pertaining to the destination parameter.

Services folder

Provides greater detail pertaining to the services parameter.

Interfaces folder

Provides greater detail pertaining to the interfaces parameter.

Query Value

Shows the parameter used in the query request.

Relationship

Identifies the relationship between the query and the detailed parameter.

• Identical: The parameter result is identical to that of the query.
• Contains: The query results contain the query parameter.
• Is contained by: The parameter is nested within the query parameter.
• Overlaps: The query parameter requested shows results that overlap
between more than one policy object.

Rule Value

Provides a more granular description of a parameter result for the
highlighted rule in the results table.

Print button

Prints the report.
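The address formats accepted by the Source and Destination Addresses fields (Table J-106), the Relationship values of the Details table, and the Complete Match, Partial Match and No Effect statuses above can be exercised with the Python script below. It is an added example written for this page, not code from Cisco Security Manager; the network object names (web-servers, corp-net), the four-rule table, and the reading that a Complete Match means every queried field is Identical to or contained in the rule's value, a Partial Match that every field at least overlaps it, and No Effect that an earlier rule fully covers the rule, are this example's own assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed network-object table standing in for the Object Selector (hypothetical names).
OBJECTS = {
    "web-servers": ["10.1.1.10", "10.1.1.11"],
    "corp-net": ["10.0.0.0/255.0.0.0"],
}
ANY = (0, 2 ** 32 - 1)  # "any", as an inclusive interval of 32-bit integers
Rule = namedtuple("Rule", "number permit source destination")


def parse_address(text):
    """Parse one address field into a list of inclusive (lo, hi) intervals.
    Accepted forms follow the Policy Query page: blank or 0.0.0.0/0 (any), a network
    object name, a.b.c.d/e, a.b.c.d/x.x.x.x, a.b.c.d-e.f.g.h, or a single host."""
    text = text.strip()
    if text in ("", "0.0.0.0/0", "any"):
        return [ANY]
    if text in OBJECTS:  # object names are checked first: they may contain '-'
        return [iv for member in OBJECTS[text] for iv in parse_address(member)]
    if "/" in text:  # IPv4Network accepts both a prefix length and a dotted mask
        net = ipaddress.IPv4Network(text, strict=False)
        return [(int(net.network_address), int(net.broadcast_address))]
    if "-" in text:  # a range may span more than one subnet
        lo, hi = (int(ipaddress.IPv4Address(p)) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError("range start is after range end: " + text)
        return [(lo, hi)]
    host = int(ipaddress.IPv4Address(text))  # raises on unknown names or junk
    return [(host, host)]


def covers(outer, inner):
    """True when every interval of inner lies inside one interval of outer (no merging)."""
    return all(any(lo <= ilo and ihi <= hi for lo, hi in outer) for ilo, ihi in inner)


def intersects(a, b):
    return any(alo <= bhi and blo <= ahi for alo, ahi in a for blo, bhi in b)


def relationship(query_value, rule_value):
    """Relationship column of the Details table, seen from the rule's side: Identical,
    Contains (rule value contains the query value), Is contained by, Overlaps, or None."""
    q, r = parse_address(query_value), parse_address(rule_value)
    if covers(r, q) and covers(q, r):
        return "Identical"
    if covers(r, q):
        return "Contains"
    if covers(q, r):
        return "Is contained by"
    if intersects(q, r):
        return "Overlaps"
    return None


def shadowed_by(rule, table):
    """Number of the first earlier rule whose source and destination both cover this
    rule, so traffic can never reach it (the No Effect status), else None."""
    src, dst = parse_address(rule.source), parse_address(rule.destination)
    for earlier in table:
        if earlier.number >= rule.number:
            break
        if (covers(parse_address(earlier.source), src)
                and covers(parse_address(earlier.destination), dst)):
            return earlier.number
    return None


def policy_query(table, src, dst, check_shadow=True):
    """Return [(rule number, match status, {field: relationship})] for every rule
    whose source and destination both intersect the query values."""
    results = []
    for rule in table:
        rels = {"Source": relationship(src, rule.source),
                "Destination": relationship(dst, rule.destination)}
        if None in rels.values():
            continue  # a disjoint field means the rule is not reported at all
        if check_shadow and shadowed_by(rule, table) is not None:
            status = "No Effect"
        elif all(r in ("Identical", "Contains") for r in rels.values()):
            status = "Complete Match"  # the rule covers every queried field
        else:
            status = "Partial Match"   # every field overlaps, not all are covered
        results.append((rule.number, status, rels))
    return results


# Constructed access-rule table (not from the guide); rule 2 lies entirely inside rule 1.
TABLE = [
    Rule(1, True, "corp-net", "web-servers"),
    Rule(2, False, "10.1.1.0/24", "10.1.1.10"),
    Rule(3, True, "192.168.5.1-192.168.6.20", "any"),
    Rule(4, False, "172.16.0.0/255.255.0.0", "10.1.1.10"),
]
```

Running policy_query(TABLE, "10.1.1.0/24", "10.1.1.10") reports rule 1 as a Complete Match and rule 2 as No Effect, because rule 1 already covers everything rule 2 describes; that is the rule-conflict information the Check if Matching Rules Are Shadowed by Rules Above option adds, and a deny that never takes effect is exactly the kind of finding a policy review is looking for. With check_shadow=False the same rule 2 is reported as a Partial Match for a wider query such as 10.1.0.0/16.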


Hit Count Selection Summary Dialog Box


Use Hit Count to invoke a utility that collects information on the number of times
traffic for a device is permitted or denied based on an access rule deployed on a
device.
Navigation Path

To generate Hit Count reports, select a device, then select Firewall >
Access Rules from the Device selector. Click the Tools button located below the
table, then select Hit Count.

Note: You can generate a Hit Count report from Device view only.

Related Topics

• Using Hit Count, page 12-24
• Generating Hit Count Reports, page 12-25
• Understanding Hit Count Results, page 12-26

Field Reference

Table J-108

Hit Count Selection Summary Dialog Box

Element

Description

Node Selected

Identifies the scope of the inquiry.

Rules Selected

Displays which rules are to be analyzed when providing hit count
information. Options are individual rules, all rules, filtered rules,
and rule sections.

OK button

Initializes the selection summary report.

Hit Count Summary Results Page


Use the Hit Count Summary Results page to view the information collected on
the number of times traffic for a device is permitted or denied based on an
access rule deployed on that device.


Navigation Path

To generate Hit Count reports, do one of the following:

• (Device view) Select a device, then select Firewall > Access Rules from the
Device selector. Click the Tools button located below the table, then select
Hit Count.

• (Policy view) Select Firewall > Access Rules from the Policy selector. Click
the Tools button located below the table, then select Hit Count.

Related Topics

• Understanding Hit Count Results, page 12-26

Field Reference

Table J-109

Hit Count Summary Results Page

Element

Description

Select Device

From Device view, enables you to select rules from the table for which
a report is generated for a given device.

From Policy view, enables you to select rules from the table, which
generates a list of devices that use the selected rules. After you select a
device from the list, a report is generated.

Refresh Hit Count button

Displays updated report information and the time interval between the last
retrieval and the current retrieval of hit count information.

Selected Access Rules table

Rule

Identifies the ordered rule number in the mandatory or default rule table.

Hit Count

Identifies the number of times that traffic for a device is permitted or denied
based on an access rule.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

• Permit: Shown as a green check mark.
• Deny: Shown as a red circle with slash.

Source

Identifies the source object names or addresses of hosts and networks, for
example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255, and network
object names. Interface roles can also be used to identify a source. Multiple
entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Destination

Identifies the destination object names or addresses of hosts and networks,
for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255, and network
object names. Interface roles can also be used to identify a destination.
Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

Service

Identifies service objects that specify protocol and port information.

Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

• All DMZs
• All Fast Ethernets
• All Interfaces
• FastEthernet0

Note: Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.

Dir.

(Direction) Identifies traffic direction within a network. Direction is always
associated with an interface:

• In: Packets entering a network.
• Out: Packets exiting a network.

Note: The Direction parameter is not supported on PIX 6.3 devices.

Options

Displays additional configuration options for the selected protocol.

Category

Provides an intermediate level of detail to objects and rules by use of
color-coding. Color-coding helps you readily identify objects and rules
when you are viewing policy tables.

Note: No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing
the rules table. A maximum of 1024 characters is allowed.

Choose: Expanded Table (ACE results reflect the GUI design.)

Rule

Identifies in which table the rule is located, the ordered rule number, and
whether the rule is shared or local.

Delta

Shows the difference in hit count values between a generated report and a
refresh.

Hit Count

Identifies the number of times that traffic for a device is permitted or denied
based on an access rule.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

• Permit: Shown as a green check mark.
• Deny: Shown as a red circle with slash.

Service

Identifies service objects that specify protocol and port information.

Note: If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Interfaces

Identifies the logical name of the interface (interface role) or physical
interface to which a rule is assigned. For example:

• All DMZs
• All Fast Ethernets
• All Interfaces
• FastEthernet0

Note: Interface roles are objects that are used to help you configure
firewall rules. The objects are replaced with the actual interface
names when the configuration is generated for each device.

Direction

Identifies traffic direction within a network. Direction is always associated
with an interface:

• In: Packets entering a network.
• Out: Packets exiting a network.

Note: The Direction parameter is not supported on PIX 6.3.

Source Addresses

Identifies the source network object names or addresses of hosts and
networks. For example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255,
and network object names. Interface roles can also be used to identify a
source. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the source, it automatically
matches the any predefined object.

Dest Addresses

Identifies the destination network object names or addresses of hosts and
networks. For example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255,
and network object names. Interface roles can also be used to identify a
destination. Multiple entries are separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the destination, it automatically
matches the any predefined object.

ACL Name

Identifies the name of the ACL.

Choose: RAW ACE Table (ACE results are shown as CLI.)

Rule

Identifies in which table the rule is located, the ordered rule number, and
whether the rule is shared or local.

Hit Count

Identifies the number of times that traffic for a device is permitted or denied
based on an access rule.

RAW ACE

Displays the ACE in the form of CLI.

OK button

Closes the report.
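The RAW ACE table shows each ACE as CLI with its hit count, and after a refresh the Delta column shows how much the counter moved. The Python below is an added example that does the same bookkeeping over constructed `show access-list` style output; it is not Cisco Security Manager code, and the two snapshots, the ACL name and the hash values are made up for illustration. It keys ACEs by their text rather than their line number, so an ACE inserted above does not get credited with its neighbour's counter, and it reports None instead of a negative delta when a counter went backwards because it was cleared or the device reloaded between retrievals.

```python
import re
from collections import namedtuple

# One ACE line of `show access-list` output on an ASA/PIX-style appliance:
# "access-list NAME line N extended permit|deny <ace> (hitcnt=N) 0x<hash>".
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)(?: 0x[0-9a-f]+)?$"
)
Ace = namedtuple("Ace", "acl line permit text hits")


def parse_hit_counts(output):
    """Map (acl, permit, ace text) -> Ace for every line that carries a hit counter.
    Remarks, element-count headers and anything else without hitcnt are skipped.
    The key is the ACE itself, not its line number, because line numbers shift
    when a rule is inserted above."""
    aces = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            ace = Ace(m["acl"], int(m["line"]), m["action"] == "permit",
                      m["ace"], int(m["hits"]))
            aces[(ace.acl, ace.permit, ace.text)] = ace
    return aces


def hit_count_delta(before, after):
    """Rows of (acl, line, permit, ace text, hit count, delta) in ACL/line order.
    delta is None when the ACE was absent from the first retrieval or its counter
    went backwards (counters cleared or device reloaded between retrievals)."""
    rows = []
    for key, ace in sorted(after.items(), key=lambda kv: (kv[1].acl, kv[1].line)):
        prev = before.get(key)
        delta = None if prev is None or ace.hits < prev.hits else ace.hits - prev.hits
        rows.append((ace.acl, ace.line, ace.permit, ace.text, ace.hits, delta))
    return rows


def unused_permits(rows):
    """Permit ACEs that have never matched: review candidates, since an unused
    permit widens the policy without serving any observed traffic."""
    return [(acl, line, text) for acl, line, permit, text, hits, _ in rows
            if permit and hits == 0]


# Constructed output of two retrievals a few minutes apart (not real device output).
# In the second retrieval a new ACE was inserted at line 5 and the https counter was cleared.
FIRST = """\
access-list outside_in; 4 elements; name hash: 0x3b7e1d02
access-list outside_in line 1 remark Inbound web from the Internet
access-list outside_in line 2 extended permit tcp any host 10.1.1.10 eq www (hitcnt=120) 0x1a2b3c4d
access-list outside_in line 3 extended permit tcp any host 10.1.1.10 eq https (hitcnt=88) 0x2b3c4d5e
access-list outside_in line 4 extended permit udp any host 10.1.1.53 eq domain (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 5 extended deny ip any any (hitcnt=4015) 0x4d5e6f70
"""
SECOND = """\
access-list outside_in; 5 elements; name hash: 0x3b7e1d02
access-list outside_in line 1 remark Inbound web from the Internet
access-list outside_in line 2 extended permit tcp any host 10.1.1.10 eq www (hitcnt=150) 0x1a2b3c4d
access-list outside_in line 3 extended permit tcp any host 10.1.1.10 eq https (hitcnt=5) 0x2b3c4d5e
access-list outside_in line 4 extended permit udp any host 10.1.1.53 eq domain (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 5 extended permit tcp any host 10.1.1.20 eq 8443 (hitcnt=2) 0x5e6f7081
access-list outside_in line 6 extended deny ip any any (hitcnt=4120) 0x4d5e6f70
"""
```

hit_count_delta(parse_hit_counts(FIRST), parse_hit_counts(SECOND)) gives deltas of 30 for the www ACE, None for the cleared https counter, 0 for the never-used DNS permit, None for the newly inserted ACE and 105 for the final deny even though it moved from line 5 to line 6; unused_permits() then singles out the DNS permit as the entry to question.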


Combine Rules Selection Summary Dialog Box


Use the Combined Rules Selection Summary dialog box to define parameters used
for combining rules in tables.
Navigation Path

You can combine rules from the Access Rules tables and the AAA Rules tables.
Click Tools located at the bottom of the tables, then select Combine Rules.

Related Topics

• Rule Combiner Detail Report, page J-219
• Combining Rules, page 12-11
• Combined Rules Results Summary, page J-215

Field Reference

Table J-110

Combine Rules Selection Summary Dialog Box

Element

Description

Policy Selected

Shows the scope selected, for example, Local.

Rules to be combined

Shows whether to consider all rules in the table or only selected
rules in the table for the purpose of combining rules.

Choose which columns to combine

Identifies the columns in the rules table that can be combined.
Select any of the following:

Access rules
• Source
• Destination
• Service
• Interface

AAA rules
• Source
• Destination
• Service
• Interface
• Action
• Auth Proxy

OK button

Initializes the report generation.
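The column choice above decides which values get merged when rules are combined; the results summary then reports each rule as Combined, Unchanged or Unselected, together with the original and resulting rule counts. The Python below is an added example of that procedure, not the Rule Combiner that ships with Cisco Security Manager, and the RULES table and its object names are constructed. It merges only runs of adjacent rules that share the action and have identical values in every column other than the chosen one; that is this example's own conservative choice, made so that no rule is moved past a neighbour with a different action and first-match order is preserved.

```python
from collections import namedtuple

COLUMNS = ("source", "destination", "service", "interface")
# Column values are tuples of object names / addresses, as shown in the rules table.
Rule = namedtuple("Rule", ("number", "permit") + COLUMNS)


def combine_rules(rules, column, selected=None):
    """Combine consecutive rules that share the action and every column except
    `column`, merging that column's values. Returns (summary, rows); each row is
    (new number, rule state, original numbers, rule) with the states used by the
    results summary: Combined, Unchanged, Unselected. `selected` limits the
    request to those rule numbers; None means all rules in the table."""
    if column not in COLUMNS:
        raise ValueError("not a combinable column: " + column)
    chosen = set(selected) if selected is not None else {r.number for r in rules}
    others = [c for c in COLUMNS if c != column]

    def signature(rule):  # everything that must be identical for a merge
        return (rule.permit,) + tuple(getattr(rule, c) for c in others)

    rows, i = [], 0
    while i < len(rules):
        head = rules[i]
        if head.number not in chosen:
            rows.append(("Unselected", [head.number], head))
            i += 1
            continue
        j = i + 1  # extend the run while the next rule is selected and mergeable
        while (j < len(rules) and rules[j].number in chosen
               and signature(rules[j]) == signature(head)):
            j += 1
        group = rules[i:j]
        if len(group) == 1:
            rows.append(("Unchanged", [head.number], head))
        else:
            merged = []  # union of the chosen column, order kept, duplicates dropped
            for rule in group:
                for value in getattr(rule, column):
                    if value not in merged:
                        merged.append(value)
            rows.append(("Combined", [r.number for r in group],
                         head._replace(**{column: tuple(merged)})))
        i = j
    numbered = [(n, state, originals, rule._replace(number=n))
                for n, (state, originals, rule) in enumerate(rows, start=1)]
    summary = {"original": len(rules), "resulting": len(numbered)}
    return summary, numbered


# Constructed access-rule table (hypothetical object names, not from the guide).
RULES = [
    Rule(1, True, ("10.1.1.0/24",), ("web-servers",), ("HTTP",), ("inside",)),
    Rule(2, True, ("10.1.2.0/24",), ("web-servers",), ("HTTP",), ("inside",)),
    Rule(3, True, ("10.1.3.0/24",), ("web-servers",), ("HTTP",), ("inside",)),
    Rule(4, False, ("10.1.9.0/24",), ("web-servers",), ("HTTP",), ("inside",)),
    Rule(5, True, ("10.1.9.0/24",), ("web-servers",), ("HTTPS",), ("inside",)),
    Rule(6, True, ("10.1.9.0/24",), ("web-servers",), ("SSH",), ("inside",)),
]
```

combine_rules(RULES, "source") folds rules 1 to 3 into one Combined rule and leaves the rest Unchanged (6 original rules, 4 resulting); combining on "service" instead merges rules 5 and 6, while the deny at rule 4 is never merged across. Passing selected={1, 2} combines only those two and reports every other rule as Unselected.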

Combined Rules Results Summary


Use the access rules combined results summary to view the new rules that are
generated by combining rules that exist in the rules tables.
Navigation Path

You can combine rules from the Access Rules tables and the AAA Rules tables.
Click the Tools button located below the tables, then select Combine Rules.
Related Topics

• Rule Combiner Detail Report, page J-219
• Combining Rules, page 12-11

Field Reference

Note: The tables comprising the results summary describe only those elements that are
affected by combining rules. Columns will vary depending on which rules tables
are being combined.

Table J-111

Combined Rules Results Summary

Element

Description

Summary

Shows the original rule count and resulting rule count after rules
have been combined.

Resulting Rules Table (Scope)

No.

Identifies the ordered rule number in the table.

Note: You can right-click a rule number to edit a rule in its
entirety.

Rule State

Shows the status of the rules after the combine rules request has
been generated. You can filter the combined rule results based on
the rule state.

• Combined: Shows that a new rule resulted from the combining
of rules. A red box around a cell shows
• Unchanged: Shows that the rule remains unchanged, as it
could not be combined with another rule.
• Unselected: Shows that the rule was not included in the
combine rules request.

Source

Identifies the source network object names or addresses of hosts and
networks. For example, 10.1.1.1, 10.1.1.1/32,
10.1.1.1/255.255.255.255, and network object names. Interface
roles can also be used to identify a source. Multiple entries are
separated by a comma.

Note: If you manually enter 0.0.0.0/0 for the source, it
automatically matches the any predefined object.

User Guide for Cisco Security Manager 3.1

J-216

OL-11501-03

Appendix J

Firewall Services User Interface Reference


Combine Rules Selection Summary Dialog Box

Table J-111

Combined Rules Results Summary (continued)

Element

Description

Destination

Identifies the destination network object names or addresses of


hosts and networks. For example, 10.1.1.1, 10.1.1.1/32,
10.1.1.1/255.255.255.255, and network object names. Interface
roles can also be used to identify a destination. Multiple entries are
separated by a comma.
Note

Service

If you manually enter 0.0.0.0/0 for the source, it


automatically matches the 'any predefined object.

Identifies service objects that specify protocol and port information.


If you manually enter a service, such as TCP / 80, and that data
translates directly to a predefined service object, such as HTTP, the
rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:

All DMZs
All Fast Ethernets
All Interfaces
FastEthernet0

Note

Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Action

Identifies the AAA methods.

Authentication: indicates that the rule controls traffic based on who the user is.
Authorization: indicates that the rule controls traffic based on what the user is allowed to do.
Accounting: indicates that the rule controls traffic based on what the user did.

Auth Proxy

Identifies the authentication proxy method used for IOS devices.

|<-

First button. Selects the first combined rule in the top table.

<-

Previous button. Selects the previous combined rule in the top table.

->

Next button. Selects the next combined rule in the top table.

->|

Last button. Selects the last combined rule in the top table.

Bottom Table Showing Original Rule Information

Original No.

Notes the rule number in the table before the rule was combined.

Source

Identifies the source network object names or addresses of hosts and networks. For example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255, and network object names. Interface roles can also be used to identify a source. Multiple entries are separated by a comma.

Note

If you manually enter 0.0.0.0/0 for the source, it automatically matches the 'any' predefined object.

Destination

Identifies the destination network object names or addresses of hosts and networks. For example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255, and network object names. Interface roles can also be used to identify a destination. Multiple entries are separated by a comma.

Note

If you manually enter 0.0.0.0/0 for the destination, it automatically matches the 'any' predefined object.

Service

Identifies service objects that specify protocol and port information. If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:

All DMZs
All Fast Ethernets
All Interfaces
FastEthernet0

Note

Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Action

Identifies the AAA methods.

Authentication: indicates that the rule controls traffic based on who the user is.
Authorization: indicates that the rule controls traffic based on what the user is allowed to do.
Accounting: indicates that the rule controls traffic based on what the user did.

Auth Proxy

Identifies the authentication proxy method used for IOS devices.

OK button

Approves and retains the newly combined rules.

Detail Report button

Opens the Rule Combiner Detail Report.

Rule Combiner Detail Report

The Rule Combiner Detail Report displays a text description of the combined rule information and shows the contents of each table cell in its entirety. For a description of the GUI elements, see Table J-111.


Navigation Path

You can combine rules from the Access Rules tables and the AAA Rules tables.
Click Tools located below the tables, then select Combine Rules. After the result
summary is generated, click Detail Report.
Related Topics

Combined Rules Results Summary, page J-215
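The following is an added example, not Security Manager's own combiner, that illustrates what the results summary above reports: adjacent rules that are identical except for one of source, destination or service are merged into one rule whose entries are comma-separated, each result carries the Combined, Unchanged or Unselected status, and the Original No. list records which rules were folded in. The Rule layout, the merge condition (same interface and action, exactly one field differs) and the restriction to adjacent rules are assumptions made here; the sample table is constructed.

```python
"""Added example (not Security Manager's combiner): merge adjacent rules that
are identical except for one of source, destination or service, producing the
Combined / Unchanged / Unselected statuses and the Original No. list shown in
the results summary. The Rule layout and the merge condition are assumptions."""
from dataclasses import dataclass, field

MERGEABLE = ("source", "destination", "service")


@dataclass(frozen=True)
class Rule:
    number: int
    interface: str
    action: str
    source: frozenset
    destination: frozenset
    service: frozenset


@dataclass
class Result:
    status: str                 # "Combined", "Unchanged" or "Unselected"
    rule: Rule
    originals: list = field(default_factory=list)  # Original No. values


def _differing_field(a, b):
    """Name of the single mergeable field that differs, or None."""
    diffs = [f for f in MERGEABLE if getattr(a, f) != getattr(b, f)]
    return diffs[0] if len(diffs) == 1 else None


def combine_rules(rules, selected):
    """Only adjacent rules are merged, so first-match semantics are preserved:
    no rule with a different action can sit between the merged originals."""
    results, i = [], 0
    while i < len(rules):
        cur = rules[i]
        if cur.number not in selected:
            results.append(Result("Unselected", cur, [cur.number]))
            i += 1
            continue
        originals, j = [cur.number], i + 1
        while j < len(rules) and rules[j].number in selected:
            nxt = rules[j]
            same = cur.interface == nxt.interface and cur.action == nxt.action
            f = _differing_field(cur, nxt) if same else None
            if f is None:
                break
            merged = {k: getattr(cur, k) for k in ("interface", "action") + MERGEABLE}
            merged[f] = getattr(cur, f) | getattr(nxt, f)
            cur = Rule(cur.number, **merged)
            originals.append(nxt.number)
            j += 1
        status = "Combined" if len(originals) > 1 else "Unchanged"
        results.append(Result(status, cur, originals))
        i = j
    return results


def describe(result):
    """One text row, with multiple entries comma-separated as in the dialog."""
    r = result.rule
    return (f"{result.status}: {r.interface} {r.action} "
            f"{','.join(sorted(r.source))} -> {','.join(sorted(r.destination))} "
            f"{','.join(sorted(r.service))} original={result.originals}")


# Constructed sample table; rule numbers are the Original No. values.
SAMPLE_RULES = [
    Rule(1, "inside", "permit", frozenset({"10.1.1.0/24"}), frozenset({"any"}), frozenset({"HTTP"})),
    Rule(2, "inside", "permit", frozenset({"10.1.1.0/24"}), frozenset({"any"}), frozenset({"HTTPS"})),
    Rule(3, "inside", "deny", frozenset({"10.1.2.0/24"}), frozenset({"any"}), frozenset({"IP"})),
    Rule(4, "inside", "permit", frozenset({"10.1.3.0/24"}), frozenset({"any"}), frozenset({"DNS"})),
    Rule(5, "inside", "permit", frozenset({"10.1.4.0/24"}), frozenset({"any"}), frozenset({"DNS"})),
]

if __name__ == "__main__":
    for res in combine_rules(SAMPLE_RULES, {1, 2, 3, 4}):
        print(describe(res))
```

Merging only adjacent rules is the conservative choice: folding rule 5 into rule 4 across the intervening deny in rule 3 would be safe here, but in general a rule between two candidates can match part of the merged traffic with a different action, which would change the policy. A real combiner that merges non-adjacent rules has to prove that no intervening rule overlaps the merged match set.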


Appendix K

Router Platform User Interface Reference

The main pages available in Cisco Security Manager for configuring and
managing platform-specific policies on Cisco IOS routers are discussed in the
following topics:
NAT policies:

NAT Policy Page, page K-3

Interface policies:

Router Interfaces Page, page K-18

Advanced Interface Settings Page, page K-28

Dialer Policy Page, page K-38

ADSL Policy Page, page K-44

SHDSL Policy Page, page K-50

PVC Policy Page, page K-57

PPP/MLP Policy Page, page K-81

Device Admin policies:

AAA Policy Page, page K-91

Accounts and Credentials Policy Page, page K-104

Bridging Policy Page, page K-108

Clock Policy Page, page K-111

CPU Policy Page, page K-114



Device Access policies:


HTTP Policy Page, page K-118
Console Policy Page, page K-125
VTY Policy Page, page K-137
Secure Shell Policy Page, page K-157
SNMP Policy Page, page K-160

DNS Policy Page, page K-168

Hostname Policy Page, page K-170

Memory Policy Page, page K-171

Secure Device Provisioning Policy Page, page K-174

Server Access policies:


DHCP Policy Page, page K-179
NTP Policy Page, page K-187

Identity policies:

802.1x Policy Page, page K-192

Network Admission Control Policy Page, page K-197

Logging policies:

Logging Setup Policy Page, page K-207

Syslog Servers Policy Page, page K-212

Quality of Service policies:

Quality of Service Policy Page, page K-215

Routing policies:

BGP Routing Policy Page, page K-236

EIGRP Routing Policy Page, page K-244

OSPF Interface Policy Page, page K-256

OSPF Process Policy Page, page K-264

RIP Routing Policy Page, page K-276

Static Routing Policy Page, page K-285


Tip

Use the Policy Management page in the Security Manager Administration window to control which router platform policy pages are available in Security Manager. For more information, see Policy Management Page, page A-32.

NAT Policy Page


You can configure NAT policies on a Cisco IOS router from the following tabs on
the NAT policy page:

NAT Page - Interface Specification Tab, page K-3

NAT Page - Static Rules Tab, page K-6

NAT Page - Dynamic Rules Tab, page K-13

NAT Page - Timeouts Tab, page K-16

Network Address Translation (NAT) converts private, internal LAN addresses into globally routable IP addresses. NAT enables a small number of public IP addresses to provide global connectivity for a large number of hosts. For more information, see NAT on Cisco IOS Routers, page 14-5.
Navigation Path

(Device view) Select NAT from the Policy selector.

(Policy view) Select NAT (Router) from the Policy Type selector.
Right-click NAT (Router) to create a policy, or select an existing policy from
the Shared Policy selector.

Related Topics

Router Platform User Interface Reference, page K-1

NAT Page - Interface Specification Tab

Use the NAT Interface Specification tab to define the inside and outside interfaces on the router used for NAT. Inside interfaces are interfaces that connect to the private networks served by the router. Outside interfaces are interfaces that connect to the WAN or the Internet.

Navigation Path

Go to the NAT Policy Page, page K-3, then click the Interface Specification tab.
Related Topics

NAT Page - Static Rules Tab, page K-6

NAT Page - Dynamic Rules Tab, page K-13

NAT Page - Timeouts Tab, page K-16

Field Reference
Table K-1

NAT Interface Specification Tab

Element

Description

NAT Inside Interfaces

The interfaces that act as the inside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box - NAT Inside Interfaces, page K-4. From here you can define these interfaces.

NAT Outside Interfaces

The interfaces that act as the outside interfaces for address translation. Click Edit to display the Edit Interfaces Dialog Box - NAT Outside Interfaces, page K-5. From here you can define these interfaces.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.

Edit Interfaces Dialog Box - NAT Inside Interfaces

When you configure a translation rules policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will act as the inside interfaces for address translation. Inside interfaces typically connect to a LAN that the router serves.
Navigation Path

Go to the NAT Page - Interface Specification Tab, page K-3, then click the Edit button in the NAT Inside Interfaces field.


Related Topics

Designating Inside and Outside Interfaces, page 14-6

Edit Interfaces Dialog Box - NAT Outside Interfaces, page K-5

Field Reference
Table K-2

Edit Interfaces Dialog Box - NAT Inside Interfaces

Element

Description

Interfaces

The interfaces that act as the inside interfaces for address translation. You can enter interfaces, interface roles, or both. For more information, see Specifying Interfaces During Policy Definition, page 8-118.

Select button

Opens an object selector for selecting interfaces and interface roles. Using the selector eliminates the need to manually enter this information.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-419. From here you can define an interface role object.

OK button

Saves your changes and closes the dialog box. Your selections are
displayed in the NAT Inside Interfaces field of the NAT Interface
Specification tab.

Edit Interfaces Dialog Box - NAT Outside Interfaces

When you configure a translation rules policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will act as the outside interfaces for address translation. Outside interfaces typically connect to your organization's WAN or to the Internet.
Navigation Path

Go to the NAT Page - Interface Specification Tab, page K-3, then click the Edit button in the NAT Outside Interfaces field.
Related Topics

Designating Inside and Outside Interfaces, page 14-6


Edit Interfaces Dialog Box - NAT Inside Interfaces, page K-4

Field Reference
Table K-3

Edit Interfaces Dialog Box - NAT Outside Interfaces

Element

Description

Interfaces

The interfaces that act as the outside interfaces for address translation. You can enter interfaces, interface roles, or both. For more information, see Specifying Interfaces During Policy Definition, page 8-118.

Select button

Opens an object selector for selecting interfaces and interface roles. Using the selector eliminates the need to manually enter this information.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-419. From here you can define an interface role object.

OK button

Saves your changes and closes the dialog box. Your selections are
displayed in the NAT Outside Interfaces field of the NAT Interface
Specification tab.

NAT Page - Static Rules Tab

Use the NAT Static Rules tab to create, edit, and delete static address translation rules. For more information, see Defining Static NAT Rules, page 14-8.
Navigation Path

Go to the NAT Policy Page, page K-3, then click the Static Rules tab.
Related Topics

NAT Page - Interface Specification Tab, page K-3

NAT Page - Dynamic Rules Tab, page K-13

NAT Page - Timeouts Tab, page K-16


Field Reference
Table K-4

NAT Static Rules Tab

Element

Description

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Original Address

The original address (and optionally, the subnet mask) that is being
translated.

Translated Address

The IP address to which the traffic is translated.

Port Redirection

(When the static rule is defined on a port) Information about the port
that is being translated, including the local and global port numbers.

Advanced

The advanced options that are enabled.

Add button

Opens the NAT Static Rule Dialog Box, page K-7. From here you
can create a static translation rule.

Edit button

Opens the NAT Static Rule Dialog Box, page K-7. From here you
can edit the selected static translation rule.

Delete button

Deletes the selected static translation rules from the table.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note

To publish your changes, click the Submit icon on the toolbar.

Tip

To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

NAT Static Rule Dialog Box


Use the NAT Static Rule dialog box to add or edit static address translation rules.


Navigation Path

Go to the NAT Page - Static Rules Tab, page K-6, then click the Add or Edit button beneath the table.
Related Topics

Defining Static NAT Rules, page 14-8

Disabling the Alias Option for Attached Subnets, page 14-15

Disabling the Payload Option for Overlapping Networks, page 14-16

Basic Interface Settings on Cisco IOS Routers, page 14-21

Understanding Interface Role Objects, page 8-115

Field Reference
Table K-5

NAT Static Rule Dialog Box

Element

Description

Static Rule Type

The type of local address requiring translation by this static rule:

Static Host: A single host requiring static address translation.

Static Network: A subnet requiring static address translation.

Static Port: A single port requiring static address translation. If you select this option, you must define port redirection parameters.


Original Address

Enter an address or the name of a network/host object, or click Select to display an object selector.

When Static Network is selected as the Static Rule Type, this field defines the network address and subnet mask. For example, if you want to create n-to-n mappings between the private addresses in a subnet and the corresponding inside global addresses, enter the address of the subnet you want translated, and then enter the network mask in the Mask field.

When Static Port or Static Host is selected as the Static Rule Type, this field defines the IP address only. For example, if you want to create a one-to-one mapping for a single host, enter the IP address of the host to translate. Do not enter a subnet mask in the Mask field.

If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here you can define a network/host object.

Note

We recommend not entering a local address belonging to this router, as it could cause Security Manager management traffic to be translated. Translating this traffic will cause a loss of communication between the router and Security Manager.


Translated Address

The type of address translation to perform:

Specify IP: The IP address that acts as the translated address. Enter an address or the name of a network/host object in the Translated IP/Network field, or click Select to display an object selector.

If you selected Static Port or Static Host as the static rule type (to create a one-to-one mapping between a single inside local address and a single inside global address), enter the global address in this field. A subnet mask is not required.

If you selected Static Network as the static rule type (to map the original, local addresses of a subnet to the corresponding global addresses), enter the IP address that you want to use in the translation in this field. The network mask is taken automatically from the mask entered in the Original Address field.

If the network or host you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here you can define a network/host object.

Use Interface IP: The interface whose address should be used as the translated address. (This is typically the interface from which translated packets leave the router.) Enter the name of an interface or interface role in the Interface field, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button or the Edit button in the selector to display the Interface Role Dialog Box, page F-419. From here you can create an interface role object.

Note

The Interface option is not available when Static Network is the selected static rule type. Only one static rule may be defined per interface.


Port Redirection

Applies only when Static Port is the selected static rule type.

Redirect Port: When selected, specifies port information for the inside device in the translation. This enables you to use the same public IP address for multiple devices as long as the port specified for each device is different. Enter information in the following fields:

Protocol: The protocol type, TCP or UDP.

Local Port: The port number on the source network. Valid values range from 1 to 65535.

Global Port: The port number on the destination network that the router is to use for this translation. Valid values range from 1 to 65535.

When deselected, port information is not included in the translation.


Advanced

Applies only when you use the Specify IP option for address translation.
Defines advanced options:

No Alias: When selected, prohibits an alias from being created for the global address.
The alias option is used to answer Address Resolution Protocol (ARP) requests for global addresses that are allocated by NAT. You can disable this feature for static entries by selecting the No Alias check box.
When deselected, global address aliases are permitted.

No Payload: When selected, prohibits an embedded address or port in the payload from being translated.
The payload option performs NAT between devices on overlapping networks that share the same IP address. When an outside device sends a DNS query to reach an inside device, the local address inside the payload of the DNS reply is translated to a global address according to the relevant NAT rule. You can disable this feature by selecting the No Payload check box.
When deselected, embedded addresses and ports in the payload may be translated, as described above.

Create Extended Translation Entry: When selected, creates an extended translation entry (addresses and ports). This enables you to associate multiple global addresses with a single local address. This is the default.
When deselected, creates a simple translation entry that allows you to associate a single global address with the local address.

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.


NAT Page - Dynamic Rules Tab

Use the NAT Dynamic Rules tab to create, edit, and delete dynamic address translation rules. A dynamic address translation rule dynamically maps hosts to addresses, using either the globally registered IP address of a specific interface or addresses included in an address pool that are globally unique in the destination network.
For more information, see Defining Dynamic NAT Rules, page 14-16.
Navigation Path

Go to the NAT Policy Page, page K-3, then click the Dynamic Rules tab.
Related Topics

NAT Page - Interface Specification Tab, page K-3

NAT Page - Static Rules Tab, page K-6

NAT Page - Timeouts Tab, page K-16

Field Reference
Table K-6

NAT Dynamic Rules Tab

Element

Description

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Traffic Flow

The ACL that defines the traffic that is being translated.

Translated Address

Indicates whether the translated address is based on an interface or on a defined address pool.

Port Translation

Indicates whether Port Address Translation (PAT) is being used by this dynamic NAT rule.

Add button

Opens the NAT Dynamic Rule Dialog Box, page K-14. From here
you can create a dynamic translation rule.

Edit button

Opens the NAT Dynamic Rule Dialog Box, page K-14. From here
you can edit the selected dynamic translation rule.

Delete button

Deletes the selected dynamic translation rules from the table.


Save button

Saves your changes to the Security Manager server but keeps them private.

Note

To publish your changes, click the Submit icon on the toolbar.

Tip

To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

NAT Dynamic Rule Dialog Box


Use the NAT Dynamic Rule dialog box to add or edit dynamic address translation
rules.
Navigation Path

Go to the NAT Page - Dynamic Rules Tab, page K-13, then click the Add or Edit button beneath the table.
Related Topics

Defining Dynamic NAT Rules, page 14-16

Understanding Access Control List Objects, page 8-31

Basic Interface Settings on Cisco IOS Routers, page 14-21

Understanding Interface Role Objects, page 8-115


Field Reference
Table K-7

NAT Dynamic Rule Dialog Box

Element

Description

Traffic Flow

Access List: The extended ACL that specifies the traffic requiring dynamic translation. Enter the name of an ACL object, or click Select to display an object selector.
If the ACL you want is not listed, click the Create button in the selector to display the dialog box for defining an extended ACL object. For more information, see Add and Edit Extended Access List Pages, page F-36.

Note

Make sure that the ACL you select does not permit the translation of Security Manager management traffic over any device address on this router. Translating this traffic will cause a loss of communication between the router and Security Manager.

Translated Address

The method for performing dynamic address translation:

Interface: The router interface used for address translation. PAT is used to distinguish each host on the network. Enter the name of an interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-419. From here you can create an interface role object.

Address Pool: Translates addresses using a set of addresses defined in an address pool. Enter one or more address ranges, including the prefix, using the format min1-max1/prefix (in CIDR notation). You can add as many address ranges to the address pool as required, but all ranges must share the same prefix. Separate multiple entries with commas.

Enable Port Translation (Overload)

When selected, the router uses port address translation (PAT) if the pool of available addresses runs out.
When deselected, PAT is not used.

Note

PAT is selected by default when you use an interface on the router as the translated address.


Do Not Translate VPN Traffic (Site-to-Site VPN only)

This setting applies only in situations where the NAT ACL overlaps the crypto ACL used by the site-to-site VPN. Because the interface performs NAT first, any traffic arriving from an address within this overlap would get translated, causing the traffic to be sent unencrypted. Leaving this check box selected prevents that from happening.
When selected, address translation is not performed on VPN traffic.
When deselected, the router performs address translation on VPN traffic in cases of overlapping addresses between the NAT ACL and the crypto ACL.

Note

We recommend that you leave this check box selected, even when performing NAT into IPsec, as this setting does not interfere with the translation that is performed to avoid a clash between two networks sharing the same set of internal addresses.

Note

This option does not apply to remote access VPNs.

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

NAT Page - Timeouts Tab


Use the NAT Timeouts tab to view or modify the default timeout values for PAT
(overload) translations. These timeouts cause a dynamic translation to expire after
a defined period of non-use. In addition, you can use this page to place a limit on
the number of entries allowed in the dynamic NAT table and to modify the default
timeout on all dynamic translations that are not PAT translations.

Note

For more information about the Overload feature, see NAT Dynamic Rule Dialog
Box, page K-14.


Navigation Path

Go to the NAT Policy Page, page K-3, then click the Timeouts tab.
Related Topics

Specifying NAT Timeouts, page 14-20

NAT Page - Interface Specification Tab, page K-3

NAT Page - Static Rules Tab, page K-6

NAT Page - Dynamic Rules Tab, page K-13

Field Reference
Table K-8

NAT Timeouts Tab

Element

Description

Max Entries

The maximum number of entries allowed in the dynamic NAT table. Values range from 1 to 2147483647.
By default, this field is left blank, which means that the number of entries in the table is unlimited.

Timeout (sec.)

The timeout value applied to all dynamic translations except PAT (overload) translations. The default is 86400 seconds (24 hours).

UDP Timeout (sec.)

The timeout value applied to User Datagram Protocol (UDP) ports. The default is 300 seconds (5 minutes).

Note

This value applies only when the Overload feature is enabled.

DNS Timeout (sec.)

The timeout value applied to Domain Name System (DNS) server connections. The default is 60 seconds.

Note

This value applies only when the Overload feature is enabled.

TCP Timeout (sec.)

The timeout value applied to Transmission Control Protocol (TCP) ports. The default is 86400 seconds (24 hours).

Note

This value applies only when the Overload feature is enabled.


FINRST Timeout (sec.)

The timeout value applied when a Finish (FIN) packet or Reset (RST) packet (both of which terminate connections) is found in the TCP stream. The default is 60 seconds.

Note

This value applies only when the Overload feature is enabled.

ICMP Timeout (sec.)

The timeout value applied to Internet Control Message Protocol (ICMP) flows. The default is 60 seconds.

Note

This value applies only when the Overload feature is enabled.

PPTP Timeout (sec.)

The timeout value applied to NAT Point-to-Point Tunneling Protocol (PPTP) flows. The default is 86400 seconds (24 hours).

Note

This value applies only when the Overload feature is enabled.

SYN Timeout (sec.)

The timeout value applied to TCP flows after a synchronize (SYN) segment has been seen but before the connection is established. The default is 60 seconds.

Note

This value applies only when the Overload feature is enabled.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.
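The following is an added example, not Security Manager code, that ties the Static Rules, Dynamic Rules and Timeouts tabs (Tables K-5 to K-8) to the Cisco IOS commands they correspond to, and implements the two caveats those tables raise: the per-protocol timers are only emitted when a dynamic rule uses overload (PAT), and the management-address check flags any rule whose original address or NAT ACL would translate the address Security Manager uses to reach the router. The policy dictionary layout, the pool name POOLn, the simplified source-only ACL representation and the field-to-command mapping are assumptions made here; the sample policy is constructed.

```python
"""Added example (not Security Manager code): render NAT policy fields as
Cisco IOS NAT commands and check the management-traffic caveat. The policy
dict layout, POOLn names and the simplified ACL model are assumptions."""
import ipaddress

# Constructed sample policy mirroring the Static, Dynamic and Timeouts tabs.
SAMPLE_POLICY = {
    "inside": ["GigabitEthernet0/1"],
    "outside": ["GigabitEthernet0/0"],
    "static": [
        {"type": "host", "original": "10.1.1.5", "translated": "203.0.113.5", "no_alias": True},
        {"type": "network", "original": "10.1.2.0/24", "translated": "203.0.114.0"},
        {"type": "port", "original": "10.1.1.8", "translated": "203.0.113.8",
         "protocol": "tcp", "local_port": 80, "global_port": 8080},
    ],
    "dynamic": [
        {"acl": "NAT-INSIDE", "interface": "GigabitEthernet0/0", "overload": True},
        {"acl": "NAT-DMZ", "pool": "203.0.113.10-203.0.113.20/24", "overload": False},
    ],
    # Simplified extended ACLs: ordered (action, source network) entries.
    "acls": {"NAT-INSIDE": [("deny", "10.1.1.0/24"), ("permit", "10.0.0.0/8")],
             "NAT-DMZ": [("permit", "10.1.2.0/24")]},
    "timeouts": {"max_entries": 5000, "timeout": 86400, "udp": 300, "tcp": 3600},
}

# Advanced check boxes of the static rule dialog and their IOS keywords.
STATIC_FLAGS = {"no_alias": "no-alias", "no_payload": "no-payload", "extendable": "extendable"}


def render_nat(policy):
    """Return the IOS configuration lines for the policy."""
    lines = []
    for side in ("inside", "outside"):
        for ifc in policy[side]:
            lines += [f"interface {ifc}", f" ip nat {side}"]
    for r in policy["static"]:
        if r["type"] == "network":
            net = ipaddress.ip_network(r["original"])  # mask comes from Original Address
            cmd = (f"ip nat inside source static network {net.network_address} "
                   f"{r['translated']} /{net.prefixlen}")
        elif r["type"] == "port":
            cmd = (f"ip nat inside source static {r['protocol']} {r['original']} "
                   f"{r['local_port']} {r['translated']} {r['global_port']}")
        else:
            cmd = f"ip nat inside source static {r['original']} {r['translated']}"
        lines.append(" ".join([cmd] + [kw for k, kw in STATIC_FLAGS.items() if r.get(k)]))
    overload = False
    for i, r in enumerate(policy["dynamic"]):
        suffix = " overload" if r.get("overload") else ""
        overload = overload or bool(suffix)
        if "pool" in r:
            ranges, prefix = r["pool"].split("/")  # dialog format: min1-max1[,min2-max2]/prefix
            pairs = [rng.split("-") for rng in ranges.split(",")]
            name = f"POOL{i}"
            if len(pairs) == 1:
                lines.append(f"ip nat pool {name} {pairs[0][0]} {pairs[0][1]} prefix-length {prefix}")
            else:
                lines.append(f"ip nat pool {name} prefix-length {prefix}")
                lines += [f" address {lo} {hi}" for lo, hi in pairs]
            lines.append(f"ip nat inside source list {r['acl']} pool {name}{suffix}")
        else:
            lines.append(f"ip nat inside source list {r['acl']} interface {r['interface']}{suffix}")
    t = policy.get("timeouts", {})
    if "max_entries" in t:
        lines.append(f"ip nat translation max-entries {t['max_entries']}")
    if "timeout" in t:
        lines.append(f"ip nat translation timeout {t['timeout']}")
    # The per-protocol timers only take effect when overload (PAT) is in use.
    if overload:
        for key in ("udp", "dns", "tcp", "finrst", "icmp", "pptp", "syn"):
            if key in t:
                lines.append(f"ip nat translation {key}-timeout {t[key]}")
    return lines


def _acl_permits(entries, ip):
    """First-match evaluation of the simplified ACL; implicit deny at the end."""
    for action, net in entries:
        if ip in ipaddress.ip_network(net):
            return action == "permit"
    return False


def management_translation_risk(policy, mgmt_ip):
    """List the rules whose inside (original) side covers the router address that
    Security Manager talks to, which the dialogs warn would break management."""
    ip = ipaddress.ip_address(mgmt_ip)
    hits = [f"static {r['type']} {r['original']}" for r in policy["static"]
            if ip in ipaddress.ip_network(r["original"])]
    hits += [f"dynamic acl {r['acl']}" for r in policy["dynamic"]
             if _acl_permits(policy["acls"][r["acl"]], ip)]
    return hits


if __name__ == "__main__":
    print("\n".join(render_nat(SAMPLE_POLICY)))
    print("management risk:", management_translation_risk(SAMPLE_POLICY, "10.1.1.5"))
```

Run the check with the address Security Manager actually uses to reach the router before deploying: a static host rule or a permit in the NAT ACL that covers that address is exactly the situation the Original Address and Traffic Flow notes warn about. The NAT-INSIDE sample ACL shows the usual fix, an explicit deny for the management subnet ahead of the broad permit.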

Router Interfaces Page


Use the Router Interfaces page to view, create, edit, and delete interface
definitions (physical and virtual) on a selected Cisco IOS router. The Router
Interfaces page displays interfaces that were discovered by Security Manager as
well as interfaces added manually after you added the device to the system.
For more information, see Basic Interface Settings on Cisco IOS Routers,
page 14-21.


Navigation Path

Select a Cisco IOS router from the Device selector, then select Interfaces >
Interfaces from the Policy selector.
Related Topics

Available Interface Types, page 14-22

Deleting a Cisco IOS Router Interface, page 14-28

Adding Catalyst 6500/7600 Devices from the Network, page 5-33

Field Reference
Table K-9

Router Interfaces Page

Element

Description

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Interface Type

The interface type. Subinterfaces are displayed indented beneath their parent interface.

Interface Name

The name of the interface.

Enabled

Indicates whether the interface is currently enabled (managed by Security Manager) or disabled (shutdown state).

IP Address

The IP address of interfaces defined with a static address.

IP Address Type

The type of IP address assigned to the interface: static, DHCP, PPPoE, or unnumbered (the IP address is taken from a selected interface role).

Interface Role

The interface roles that are assigned to the selected interface.

Add button

Opens the Create Router Interface Dialog Box, page K-20. From here you can create an interface on the selected router.

Edit button

Opens the Create Router Interface Dialog Box, page K-20. From here you can edit the selected interface.


Delete button

Deletes the selected interfaces from the table.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.

Tip

To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

Create Router Interface Dialog Box


Use the Create Router Interface dialog box to create and edit physical and virtual
interfaces on the selected Cisco IOS router.

Note: Unlike other router policies, the Interfaces policy cannot be shared
among multiple devices. The Advanced Settings policy, however, may be shared.
See Local Policies vs. Shared Policies, page 6-4.
Navigation Path

Go to the Router Interfaces Page, page K-18, then click the Add or Edit button
beneath the table.
Related Topics

Basic Interface Settings on Cisco IOS Routers, page 14-21

Deleting a Cisco IOS Router Interface, page 14-28

Advanced Interface Settings Page, page K-28


Field Reference

Table K-10    Create Router Interface Dialog Box

Enabled
    When selected, the router interface is enabled.
    When deselected, the router interface is in shutdown state. However,
    its definition is not deleted.

Type
    Specifies whether you are defining an interface or subinterface.

Name
    Applies only to interfaces.
    The name of the interface. Enter a name manually, or click Select to
    display a dialog box for generating a name automatically. See
    Interface Auto Name Generator Dialog Box, page K-27.
    Note: Logical interfaces require a number after the name:
        The valid range for dialer interfaces is 0-799.
        The valid range for loopback interfaces is 0-2147483647.
        The valid range for BVI interfaces is 1-255.
        The only valid value for null interfaces is 0.

Parent
    Applies only to subinterfaces.
    The parent interface of the subinterface. Select the parent interface
    from the displayed list.

Subinterface ID
    Applies only to subinterfaces.
    The ID number of the subinterface.


IP
    The source of the IP address for the interface:
    Static IP: Defines a static IP address and subnet mask for the
        interface. Enter this information in the fields that appear below
        the option. You can define the mask using either dotted decimal
        (for example, 255.255.255.255) or CIDR notation (/32). See
        Contiguous and Discontiguous Network Masks, page 8-129.
    DHCP: The interface obtains its IP address dynamically from a DHCP
        server.
    PPPoE: The router automatically negotiates its own registered IP
        address from a central server (via PPP/IPCP). The following
        interface types support PPPoE: Async, Serial, High-Speed Serial
        Interface (HSSI), Dialer, BRI, PRI (ISDN), Virtual template, and
        Multilink.
    Unnumbered: The interface obtains its IP address from a different
        interface on the device. Choose an interface from the Interface
        list. This option can be used with point-to-point interfaces only.
    Note: Layer 2 interfaces do not support IP addresses. Deployment fails
        if you define an IP address on a Layer 2 interface.


Layer Type
    The OSI layer at which the interface is defined:
    Unknown: The layer is unknown.
    Layer 2: The data link layer, which contains the protocols that
        control the physical layer (Layer 1) and how data is framed before
        being transmitted on the medium. Layer 2 is used for bridging and
        switching. Layer 2 interfaces do not have IP addresses.
    Layer 3: The network layer, which is primarily responsible for the
        routing of data in packets across logical internetwork paths.
        This routing is accomplished through the use of IP addresses.

Duplex
    The interface transmission mode:
    None: The transmission mode is returned to its device-specific
        default setting.
    Full: The interface transmits and receives at the same time (full
        duplex).
    Half: The interface can transmit or receive, but not at the same time
        (half duplex). This is the default.
    Auto: The router automatically detects and sets the appropriate
        transmission mode, either full or half duplex.
    Note: When using Auto mode, be sure that the port on the active
        network device to which you connect this interface is also set to
        automatically negotiate the transmission mode. Otherwise, select
        the appropriate fixed mode.
    Note: You can configure a duplex value only if you set the Speed to a
        fixed speed, not Auto.
    Note: This setting does not apply to serial, HSSI, ATM, PRI, DSL,
        tunnel, or loopback interfaces.


Speed
    Applies only to Fast Ethernet and Gigabit Ethernet interfaces.
    The speed of the interface:
    10: 10 megabits per second (10Base-T networks).
    100: 100 megabits per second (100Base-T networks). This is the
        default for Fast Ethernet interfaces.
    1000: 1000 megabits per second (Gigabit Ethernet networks). This is
        the default for Gigabit Ethernet interfaces.
    Auto: The router automatically detects and sets the appropriate
        interface speed.
    Note: When using Auto mode, be sure that the port on the active
        network device to which you connect this interface is also set to
        automatically negotiate the transmission speed. Otherwise, select
        the appropriate fixed speed.

MTU
    The maximum transmission unit, which refers to the maximum packet
    size, in bytes, that this interface can handle.
    Valid values for serial, Ethernet, and Fast Ethernet interfaces range
    from 64 to 17940 bytes.
    Valid values for Gigabit Ethernet interfaces range from 1500 to 9216
    bytes.

Encapsulation
    The type of encapsulation performed by the interface:
    None: No encapsulation.
    DOT1Q: VLAN encapsulation, as defined by the IEEE 802.1Q standard.
        Applies only to Ethernet subinterfaces.
    Frame Relay: IETF Frame Relay encapsulation. Applies only to serial
        interfaces (not serial subinterfaces).
    Note: IETF Frame Relay encapsulation provides interoperability between
        a Cisco IOS router and equipment from other vendors. To configure
        Cisco Frame Relay encapsulation, use CLI commands or FlexConfigs.


VLAN ID
    Applies only to subinterfaces with encapsulation type DOT1Q.
    The VLAN ID associated with this subinterface. The VLAN ID specifies
    where 802.1Q tagged packets are sent and received on this
    subinterface; without a VLAN ID, the subinterface cannot send or
    receive traffic. Valid values range from 1 to 4094.
    Note: All VLAN IDs must be unique among all subinterfaces configured
        on the same physical interface.
    Tip: To configure DOT1Q encapsulation on an Ethernet interface without
        associating the VLAN with a subinterface, enter the vlan-id dot1q
        command using CLI commands or FlexConfigs. See Understanding
        FlexConfig Objects, page 8-52. Configuring VLANs on the main
        interface increases the number of VLANs that can be configured on
        the router.


Native VLAN
    Applies only when the encapsulation type is DOT1Q and you are
    configuring a physical interface that is meant to serve as an 802.1Q
    trunk interface. Trunking is a way to carry traffic from several VLANs
    over a point-to-point link between two devices.
    When selected, the Native VLAN is associated with this interface,
    using the ID specified in the VLAN ID field. (If no VLAN ID is
    specified for the Native VLAN, the default is 1.) The native VLAN is
    the VLAN to which all untagged VLAN packets are logically assigned by
    default. This includes the management traffic associated with the
    VLAN.
    For example, if the VLAN ID of this interface is 1, all incoming
    untagged packets and packets with VLAN ID 1 are received on the main
    interface and not on a subinterface. Packets sent from the main
    interface are transmitted without an 802.1Q tag.
    When deselected, the Native VLAN is not associated with this
    interface.
    Note: The Native VLAN cannot be configured on a subinterface of the
        trunk interface. Be sure to configure the same Native VLAN value
        at both ends of the link; otherwise, traffic may be lost or sent
        to the wrong VLAN.

DLCI
    Applies only to serial subinterfaces with Frame Relay encapsulation.
    Enter the data-link connection identifier to associate with the
    subinterface. Valid values range from 16 to 1007.
    Note: Security Manager configures serial subinterfaces as
        point-to-point, not multipoint.

Description
    Additional information about the interface (up to 1024 characters).


Roles
    The interface roles assigned to this interface. A message is displayed
    if no roles have yet been assigned.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they
        are not lost when you log out or close your client, click Save on
        the source page.
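The constraints that Table K-10 places on one interface definition, collected into a single validator so that a definition can be checked before it is deployed. This is an added example, not Security Manager code; the RouterInterface fields and the family names ("FastEthernet", "Serial", "Loopback", and so on) are assumptions that mirror the dialog's elements, and the allowed ranges are the ones stated in the table above.

```python
"""Validator for the Create Router Interface dialog box constraints in
Table K-10. Added example, not Security Manager code; the RouterInterface
fields are assumptions that mirror the dialog's elements."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Number that a logical interface name must carry, by type (Table K-10, Name).
LOGICAL_RANGES = {"Dialer": (0, 799), "Loopback": (0, 2147483647),
                  "BVI": (1, 255), "Null": (0, 0)}
# Valid MTU ranges in bytes, by interface family (Table K-10, MTU).
MTU_RANGES = {"Serial": (64, 17940), "Ethernet": (64, 17940),
              "FastEthernet": (64, 17940), "GigabitEthernet": (1500, 9216)}
ETHERNET = ("Ethernet", "FastEthernet", "GigabitEthernet")
# Interface types on which the PPPoE address source is supported.
PPPOE_TYPES = ("Async", "Serial", "HSSI", "Dialer", "BRI", "PRI",
               "Virtual-Template", "Multilink")


@dataclass
class RouterInterface:
    family: str                      # "FastEthernet", "Serial", "Loopback", ...
    number: Optional[int] = None     # number after the name of a logical interface
    parent: Optional[str] = None     # set only when this is a subinterface
    layer: str = "Layer 3"           # "Unknown", "Layer 2" or "Layer 3"
    ip_source: Optional[str] = None  # "Static IP", "DHCP", "PPPoE", "Unnumbered"
    point_to_point: bool = True
    speed: str = "Auto"              # "10", "100", "1000" or "Auto"
    duplex: str = "None"             # "None", "Full", "Half" or "Auto"
    mtu: Optional[int] = None
    encapsulation: str = "None"      # "None", "DOT1Q" or "Frame Relay"
    vlan_id: Optional[int] = None
    native_vlan: bool = False
    dlci: Optional[int] = None
    description: str = ""


def validate(intf: RouterInterface,
             siblings: Iterable[RouterInterface] = ()) -> list:
    """Return the constraint violations for one definition; an empty list
    means every rule in Table K-10 is satisfied. `siblings` are the other
    subinterfaces already defined on the same parent interface."""
    errs = []
    is_sub = intf.parent is not None
    if not is_sub and intf.family in LOGICAL_RANGES:
        lo, hi = LOGICAL_RANGES[intf.family]
        if intf.number is None or not lo <= intf.number <= hi:
            errs.append(f"{intf.family} number must be in {lo}-{hi}")
    # Layer 2 interfaces do not support IP addresses; deployment would fail.
    if intf.layer == "Layer 2" and intf.ip_source is not None:
        errs.append("Layer 2 interface cannot have an IP address")
    if intf.ip_source == "PPPoE" and intf.family not in PPPOE_TYPES:
        errs.append(f"PPPoE is not supported on {intf.family}")
    if intf.ip_source == "Unnumbered" and not intf.point_to_point:
        errs.append("Unnumbered applies to point-to-point interfaces only")
    # A duplex value may be configured only together with a fixed speed.
    if intf.duplex != "None" and intf.speed == "Auto":
        errs.append("duplex can be set only with a fixed speed")
    if intf.mtu is not None and intf.family in MTU_RANGES:
        lo, hi = MTU_RANGES[intf.family]
        if not lo <= intf.mtu <= hi:
            errs.append(f"MTU must be in {lo}-{hi} for {intf.family}")
    if intf.encapsulation == "DOT1Q":
        if intf.family not in ETHERNET:
            errs.append("DOT1Q applies only to Ethernet interfaces")
        if is_sub:
            # Without a VLAN ID the subinterface cannot send or receive.
            if intf.vlan_id is None or not 1 <= intf.vlan_id <= 4094:
                errs.append("DOT1Q subinterface needs a VLAN ID in 1-4094")
            # VLAN IDs must be unique among subinterfaces of one parent.
            used = {s.vlan_id for s in siblings if s.parent == intf.parent}
            if intf.vlan_id in used:
                errs.append(f"VLAN ID {intf.vlan_id} already used on "
                            f"{intf.parent}")
    elif intf.encapsulation == "Frame Relay":
        if intf.family != "Serial" or is_sub:
            errs.append("Frame Relay applies only to serial interfaces, "
                        "not subinterfaces")
    # Native VLAN is a trunk setting on the physical interface only.
    if intf.native_vlan and (is_sub or intf.encapsulation != "DOT1Q"):
        errs.append("Native VLAN requires DOT1Q on a physical interface")
    if intf.dlci is not None:
        if not (is_sub and intf.family == "Serial"):
            errs.append("DLCI applies only to serial subinterfaces")
        elif not 16 <= intf.dlci <= 1007:
            errs.append("DLCI must be in 16-1007")
    if len(intf.description) > 1024:
        errs.append("description exceeds 1024 characters")
    return errs


if __name__ == "__main__":
    trunk = RouterInterface("FastEthernet", encapsulation="DOT1Q",
                            native_vlan=True, speed="100", duplex="Full")
    print(validate(trunk))  # [] : a valid 802.1Q trunk definition
```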

Interface Auto Name Generator Dialog Box


Use the Interface Auto Name Generator dialog box to have Security Manager
generate a name for the interface based on the interface type and its location in
the router.
Navigation Path

Go to the Create Router Interface Dialog Box, page K-20, select Interface from
the Type list, then click Select in the Name field.
Related Topics

Generating an Interface Name, page 14-27

Router Interfaces Page, page K-18

Basic Interface Settings on Cisco IOS Routers, page 14-21


Field Reference

Table K-11    Interface Auto Name Generator Dialog Box

Type
    The type of interface. Your selection from this list forms the first
    part of the generated name, as displayed in the Result field. For more
    information, see Table 14-1 on page 14-22.

Card
    The card related to the interface.
    Note: When defining a BVI interface, enter the number of the
        corresponding bridge group.

Slot
    The slot related to the interface.

Port
    The port related to the interface.
    Note: The information you enter in the Card, Slot, and Port fields
        forms the remainder of the generated name, as displayed in the
        Result field.

Result
    The name generated by Security Manager from the information you
    entered for the interface type and location. The name displayed in
    this field is read-only.
    Tip: After closing this dialog box, you can edit the generated name in
        the Create Router Interface dialog box, if required.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they
        are not lost when you log out or close your client, click Save on
        the source page.

Advanced Interface Settings Page


Use the Advanced Interface Settings page to view, create, edit, and delete
advanced interface definitions (physical and virtual) on a selected Cisco IOS
router. Examples of advanced settings include Cisco Discovery Protocol (CDP)
settings, ICMP message settings, and virtual fragment reassembly settings.
For more information, see Advanced Interface Settings on Cisco IOS Routers,
page 14-29.


Navigation Path

(Device view) Select Interfaces > Settings > Advanced Settings from the
Policy selector.

(Policy view) Select Router Interfaces > Settings > Advanced Settings
from the Policy Type selector. Right-click Advanced Settings to create a
policy, or select an existing policy from the Shared Policy selector.

Related Topics

Router Interfaces Page, page K-18

Available Interface Types, page 14-22

Deleting a Cisco IOS Router Interface, page 14-28

Field Reference

Table K-12    Advanced Interface Settings Page

Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.

Interface
    The interface or interface role for which advanced settings are
    defined.

Max Bandwidth
    The bandwidth value to communicate to higher-level protocols in
    kilobits per second (kbps).

Load Interval
    The length of time used to calculate the average load for this
    interface.

CDP
    Indicates whether CDP and CDP logging are enabled on this interface.

Redirects
    Indicates whether ICMP redirect messages are enabled on this
    interface.

Unreachables
    Indicates whether ICMP unreachable messages are enabled on this
    interface.

Mask Reply
    Indicates whether ICMP mask reply messages are enabled on this
    interface.


Directed Broadcasts
    Indicates whether directed broadcasts that are intended for the subnet
    to which this interface is attached are exploded as broadcasts on that
    subnet.

Add button
    Opens the Advanced Interface Settings Dialog Box, page K-30. From here
    you can define advanced settings on the selected interface.

Edit button
    Opens the Advanced Interface Settings Dialog Box, page K-30. From here
    you can edit the selected interface.

Delete button
    Deletes the selected advanced interface definitions from the table.

Save button
    Saves your changes to the Security Manager server but keeps them
    private.
    Note: To publish your changes, click the Submit button on the toolbar.

Tip: To choose which columns to display in the table, right-click a column
header, then select Show Columns. For more information about table display
options, see Table Columns and Column Heading Features, page 3-26.

Advanced Interface Settings Dialog Box


Use the Advanced Interface Settings dialog box to define a variety of advanced
settings on a selected interface, including:

Cisco Discovery Protocol (CDP) settings.

Internet Control Message Protocol (ICMP) settings.

Virtual fragmentation reassembly (VFR) settings.

Directed broadcast settings.

Load interval for determining the average load.

Enabling proxy ARP.


Enabling NBAR protocol discovery.

Navigation Path

Go to the Advanced Interface Settings Page, page K-28, then click the Add or
Edit button beneath the table.
Related Topics

Basic Interface Settings on Cisco IOS Routers, page 14-21

Advanced Interface Settings on Cisco IOS Routers, page 14-29

Deleting a Cisco IOS Router Interface, page 14-28

Available Interface Types, page 14-22

Field Reference

Table K-13    Advanced Interface Settings Dialog Box

Interface
    The interface on which the advanced settings are defined. Enter the
    name of an interface or interface role, or click Select to display an
    object selector.
    If the interface role you want is not listed, click the Create button
    in the selector to display the Interface Role Dialog Box, page F-419.
    From here you can create an interface role object.
    Note: You can define only one set of advanced settings per interface.
    Note: The only advanced settings supported on Layer 2 interfaces are
        Max. Bandwidth, Load Interval, and CDP.

Max Bandwidth
    The bandwidth value to communicate to higher-level protocols in
    kilobits per second (kbps).
    Note: The value you define in this field is an informational parameter
        only; it does not affect the physical interface.


Load Interval
    The length of time, in seconds, used to calculate the average load on
    the interface. Valid values range from 30 to 600 seconds, in multiples
    of 30 seconds. The default is 300 seconds (5 minutes).
    Modify the default to shorten the length of time over which load
    averages are computed. You can do this if you want load computations
    to be more reactive to short bursts of traffic.
    Load data is gathered every 5 seconds. This data is used to compute
    load statistics, including input/output rate in bits and packets per
    second, load, and reliability. Load data is computed using a
    weighted-average calculation in which recent load data has more weight
    in the computation than older load data.
    Tip: You can use this option to increase or decrease the likelihood of
        activating a backup interface; for example, a backup dial
        interface may be triggered by a sudden spike in the load on an
        active interface.
    Note: Load interval is not supported on subinterfaces.

TCP Maximum Segment Size
    The maximum segment size (MSS) of TCP SYN packets that pass through
    this interface. Valid values range from 500 to 1460 bytes. If you do
    not specify a value, the MSS is determined by the originating host.
    This option helps prevent TCP sessions from being dropped as they pass
    through the router. Use this option when the ICMP messages that
    perform auto-negotiation of TCP frame size are blocked (for example,
    by a firewall). We highly recommend using this option on the tunnel
    interfaces of DMVPN networks.
    For more information, see TCP MSS Adjustment at this URL:
    http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html
    Note: Typically, the optimum MSS is 1452 bytes. This value plus the
        20-byte IP header, the 20-byte TCP header, and the 8-byte PPPoE
        header add up to a 1500-byte packet that matches the MTU size for
        the Ethernet link.


Helper Addresses
    The helper addresses that are used to forward User Datagram Protocol
    (UDP) broadcasts that are received on this interface. Enter one or
    more addresses or network/host objects, or click Select to display an
    object selector.
    If the network you want is not listed, click the Create button in the
    selector to display the Network/Host Dialog Box, page F-433. From
    here, you can define a network/host object.
    By default, routers do not forward broadcasts outside of their subnet.
    Helper addresses provide a solution by enabling the router to forward
    certain types of UDP broadcasts as a unicast to an address on the
    destination subnet.
    For more information, see Understanding Helper Addresses, page 14-30.

Cisco Discovery Protocol settings

Enable CDP
    When selected, the Cisco Discovery Protocol (CDP) is enabled on this
    interface. This is the default.
    When deselected, CDP is disabled on this interface.
    CDP is a media- and protocol-independent device-discovery protocol
    that runs on all Cisco-manufactured equipment including routers,
    access servers, bridges, and switches. It is primarily used to obtain
    protocol addresses of neighboring devices and discover the platform of
    those devices.
    Note: ATM interfaces do not support CDP.

Log CDP Messages
    Applies only to Ethernet interfaces.
    When selected, duplex mismatches for this interface are displayed in a
    log. This is the default.
    When deselected, duplex mismatches for this interface are not logged.

NetFlow settings


Enable Ingress Accounting
    When selected, NetFlow accounting is enabled on traffic arriving on
    this interface.
    When deselected, NetFlow accounting on arriving traffic is disabled.
    This is the default.
    Cisco IOS NetFlow provides the metering base for a key set of
    applications including network traffic accounting, usage-based network
    billing, network planning, Denial of Service monitoring capabilities,
    network monitoring, outbound marketing, and data mining capabilities
    for both service provider and enterprise customers.
    Note: You must use the CLI or FlexConfigs to enable Cisco Express
        Forwarding (CEF) or distributed CEF (dCEF) before using this
        option.

Enable Egress Accounting
    When selected, enables NetFlow accounting on traffic leaving this
    interface.
    When deselected, disables NetFlow accounting on traffic leaving this
    interface. This is the default.
    Note: You must use the CLI or FlexConfigs to enable Cisco Express
        Forwarding (CEF) or distributed CEF (dCEF) before using this
        option.

ICMP Messages settings

Enable Redirect Messages
    When selected, enables the sending of Internet Control Message
    Protocol (ICMP) redirect messages if the device is forced to resend a
    packet through the same interface on which it was received to another
    device on the same subnet. This is the default.
    When deselected, disables redirect messages.
    Redirect messages are sent when the device wants to instruct the
    originator of the packet to remove it from the route and substitute a
    different device that offers a more direct path to the destination.


Enable Unreachable Messages
    When selected, enables the sending of ICMP unreachable messages. This
    is the default.
    When deselected, disables unreachable messages.
    Unreachable messages are sent in two circumstances:
    If the interface receives a nonbroadcast packet destined for itself
        that uses an unknown protocol. In this case, it sends an ICMP
        unreachable message to the source.
    If the device receives a packet that it cannot deliver to its ultimate
        destination because it knows of no route to the destination
        address. In this case, it sends an ICMP host unreachable message
        to the originator of the packet.
    Note: This is the only advanced setting supported by the null0
        interface.

Enable Mask Reply Messages
    When selected, enables the sending of ICMP mask reply messages.
    When deselected, disables mask reply messages. This is the default.
    Mask reply messages are sent in response to mask request messages,
    which are sent when a device needs to know the subnet mask for a
    particular subnetwork.

Additional settings

Enable Virtual Fragment Reassembly (VFR)
    When selected, virtual fragmentation reassembly (VFR) is enabled on
    this interface.
    When deselected, disables VFR. This is the default.
    VFR is a feature that enables the Cisco IOS Firewall to create dynamic
    ACLs that can protect the network from various fragmentation attacks.
    For more information, see Virtual Fragmentation Reassembly at this
    URL:
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_virt_frag_reassm.html


Enable Proxy ARP
    When selected, enables proxy Address Resolution Protocol (ARP) on the
    interface. This is the default.
    When deselected, disables proxy ARP.
    Proxy ARP, defined in RFC 1027, is the technique in which one host,
    usually a router, answers ARP requests intended for another machine,
    thereby accepting responsibility for routing packets to the real
    destination. Proxy ARP can help machines on a subnet reach remote
    subnets without configuring routing or a default gateway.

Enable NBAR Protocol Discovery
    When selected, enables network-based application recognition (NBAR) on
    this interface to discover traffic and keep traffic statistics for all
    protocols known to NBAR.
    When deselected, disables NBAR. This is the default.
    Protocol discovery provides a method to discover application protocols
    traversing an interface so that QoS policies can be developed and
    applied to them. For more information, go to:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6612/ps6653/prod_qas09186a00800a3ded_ps6616_Products_Q_and_A_Item.html


Enable Directed Broadcasts
    When selected, directed broadcast packets are exploded as a link-layer
    broadcast when this interface is directly connected to the destination
    subnet.
    When deselected, directed broadcast packets that are intended for the
    subnet to which this interface is directly connected are dropped
    rather than being broadcast. This is the default.
    An IP directed broadcast is an IP packet whose destination address is
    a valid broadcast address on a different subnet from the node on which
    it originated. In such cases, the packet is forwarded as if it was a
    unicast packet until it reaches its destination subnet.
    This option affects only the final transmission of the directed
    broadcast on its destination subnet; it does not affect the transit
    unicast routing of IP directed broadcasts.
    Note: Because directed broadcasts, and particularly ICMP directed
        broadcasts, have been abused by malicious persons, we recommend
        deselecting this option on interfaces where directed broadcasts
        are not needed.

ACL
    Applies only when directed broadcasts are enabled.
    The standard access list that determines which directed broadcasts are
    permitted to be broadcast on the destination subnet. All other
    directed broadcasts destined for the subnet to which this interface is
    directly connected are dropped. Enter the name of an ACL object, or
    click Select to display an object selector.
    If the standard ACL you want is not listed, click the Create button in
    the selector to display the Add and Edit Standard Access List Pages,
    page F-45. From here you can create an ACL object.
    Note: To prevent misuse by malicious persons, we recommend using ACLs
        to restrict the use of directed broadcasts.

Advanced Interface Settings buttons


OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they
        are not lost when you log out or close your client, click Save on
        the source page.
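A defender-side audit of the Table K-13 settings as they would appear in a router's running configuration: it applies the table's directed-broadcast recommendation (off where not needed, otherwise restricted by an ACL), checks the documented load-interval and MSS ranges, and lists which ICMP, proxy ARP and CDP behaviours are enabled for review. This is an added example, not Security Manager code: the configuration text is constructed, and the command names used to recognise each setting are this example's assumption about how the settings are rendered on the device, not something the page documents.

```python
"""Audit of the advanced interface settings in Table K-13 as found in an
IOS-style running configuration. Added example, not Security Manager code;
the sample configuration is constructed and the command spellings are an
assumption about how each setting is rendered on the device."""
import re

# Constructed sample configuration for three interfaces (not from a device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
 ip proxy-arp
 load-interval 45
 ip tcp adjust-mss 1300
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 ip directed-broadcast 10
 load-interval 60
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip tcp adjust-mss 1452
!
"""

# Default state of each setting as stated in Table K-13.
DEFAULTS = {"redirects": True, "unreachables": True, "mask_reply": False,
            "proxy_arp": True, "cdp": True, "directed_broadcast": False,
            "directed_broadcast_acl": None, "load_interval": 300,
            "tcp_mss": None}

# Assumed command -> settings key; the "no " form turns the setting off.
TOGGLES = {"ip redirects": "redirects", "ip unreachables": "unreachables",
           "ip mask-reply": "mask_reply", "ip proxy-arp": "proxy_arp",
           "cdp enable": "cdp"}


def parse_interfaces(config: str) -> dict:
    """Return {interface name: settings}, starting each interface from the
    documented defaults and applying the commands found beneath it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = dict(DEFAULTS)
            interfaces[m.group(1)] = current
            continue
        line = raw.strip()
        if current is None or line in ("", "!"):
            continue
        neg = line.startswith("no ")
        cmd = line[3:] if neg else line
        if cmd in TOGGLES:
            current[TOGGLES[cmd]] = not neg
        elif cmd.startswith("ip directed-broadcast"):
            parts = cmd.split()          # optional trailing standard ACL number
            current["directed_broadcast"] = not neg
            current["directed_broadcast_acl"] = parts[2] if len(parts) > 2 else None
        elif cmd.startswith("load-interval "):
            current["load_interval"] = int(cmd.split()[1])
        elif cmd.startswith("ip tcp adjust-mss"):
            current["tcp_mss"] = None if neg else int(cmd.split()[3])
    return interfaces


def audit(name: str, s: dict) -> list:
    """Findings for one interface: directed broadcasts should be off where
    not needed and otherwise restricted by an ACL, the load interval must
    be a multiple of 30 in 30-600 and the MSS in 500-1460; ICMP, proxy ARP
    and CDP behaviours that are on are listed for review."""
    findings = []
    if s["directed_broadcast"]:
        acl = s["directed_broadcast_acl"]
        findings.append(f"{name}: directed broadcasts enabled without an ACL"
                        if acl is None else
                        f"{name}: directed broadcasts restricted by ACL {acl}")
    li = s["load_interval"]
    if not (30 <= li <= 600 and li % 30 == 0):
        findings.append(f"{name}: load interval {li} is not a multiple of 30 "
                        "in 30-600")
    mss = s["tcp_mss"]
    if mss is not None and not 500 <= mss <= 1460:
        findings.append(f"{name}: TCP MSS {mss} outside 500-1460")
    for key, label in (("redirects", "ICMP redirects"),
                       ("unreachables", "ICMP unreachables"),
                       ("mask_reply", "ICMP mask reply"),
                       ("proxy_arp", "proxy ARP"), ("cdp", "CDP")):
        if s[key]:
            findings.append(f"{name}: {label} enabled")
    return findings


def audit_config(config: str) -> list:
    """Run the audit over every interface in a configuration."""
    return [f for name, s in parse_interfaces(config).items()
            for f in audit(name, s)]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```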

Dialer Policy Page


Use the Dialer page to define the relationship between physical Basic Rate
Interface (BRI) and virtual dialer interfaces. You use these dialer interfaces when
you configure the dial backup feature for site-to-site VPNs.
For more information, see Dialer Interfaces on Cisco IOS Routers, page 14-34.
Navigation Path

(Device view) Select Interfaces > Settings > Dialer from the Policy selector.

(Policy view) Select Router Interfaces > Settings > Dialer from the Policy
Type selector. Right-click Dialer to create a policy, or select an existing
policy from the Shared Policy selector.

Related Topics

Configuring Dial Backup, page 9-39

Router Platform User Interface Reference, page K-1

Field Reference

Table K-14    Dialer Page

Dialer Profiles table

Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.

Interface
    The interface role that the dialer interface uses.

Profile Name
    The name of the dialer profile.


Dial Pool
    The dialing pool that this dialer profile uses.

Dial Group
    The dialer group that this dialer profile uses.

Interesting Traffic ACL
    The ACL that defines which traffic can use this dialer profile.

Dial String
    The phone number that the dialer calls.

Idle Timeout
    The defined interval after which an uncontested idle line is
    disconnected.

Fast Idle
    The defined interval after which a contested idle line is
    disconnected.

Add button
    Opens the Dialer Profile Dialog Box, page K-40. From here you can
    define a dialer profile.

Edit button
    Opens the Dialer Profile Dialog Box, page K-40. From here you can edit
    the selected dialer profile.

Delete button
    Deletes the selected dialer profiles from the table.

Dialer Physical Interfaces (BRI) table

Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.

Interface
    The name of the interface role that the physical interface uses.

Pools
    The dial pools related to this physical interface.

Switch Type
    The ISDN switch type that the physical interface uses.

SPID1
    The first service provider identifier (SPID) related to this interface.

SPID2
    The second SPID related to this interface.

Add button
    Opens the Dialer Physical Interface Dialog Box, page K-42. From here
    you can define a dialer physical interface.

Edit button
    Opens the Dialer Physical Interface Dialog Box, page K-42. From here
    you can edit the selected dialer physical interface.


Delete button
    Deletes the selected dialer physical interfaces from the table.

Save button
    Saves your changes to the Security Manager server but keeps them
    private.
    Note: To publish your changes, click the Submit icon on the toolbar.

Tip: To choose which columns to display in the table, right-click a column
header, then select Show Columns. For more information about table display
options, see Table Columns and Column Heading Features, page 3-26.

Dialer Profile Dialog Box


Use the Dialer Profile dialog box to add or edit dialer profiles.
Navigation Path

Go to the Dialer Policy Page, page K-38, then click the Add or Edit button
beneath the Dialer Profile table.
Related Topics

Dialer Physical Interface Dialog Box, page K-42

Defining Dialer Profiles, page 14-35

Dialer Interfaces on Cisco IOS Routers, page 14-34

Basic Interface Settings on Cisco IOS Routers, page 14-21

Understanding Interface Role Objects, page 8-115


Field Reference
Table K-15

Dialer Profile Dialog Box

Element

Description

Name

A descriptive name for the dialer profile. This name enables you to
assign the correct dialer pool to the physical interface. You can also
use the profile name as a reference to the site to which this dialer
interface serves as a backup.

Interface

The virtual dialer interface to associate with the dialer profile. Enter
the name of an interface or interface role, or click Select to display
an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.

Pool ID

The dialer pool ID. Each pool can contain multiple physical
interfaces and can be associated with multiple dialer interfaces.
Each dialer interface, however, is associated with only one pool.

Group

The group ID, which identifies the dialer group that this dialer
interface uses.

Interesting Traffic ACL

The extended, numbered ACL that defines which packets are
permitted to initiate calls using this dialer profile.
Enter the name of an extended, numbered ACL object, or click
Select to display an object selector. The valid ACL number range is
100 to 199.
If the extended ACL you want is not listed, click the Create button
in the selector to display the Extended Tab, page F-34. From here
you can create an ACL object.

Dialer String (Remote Phone Number)

The phone number of the destination that the dialer contacts.

Idle Timeout

The default amount of idle time before an uncontested line is
disconnected. The default is 120 seconds.

Fast Idle Timeout

The default amount of idle time before a contested line is
disconnected. The default is 20 seconds.
Line contention occurs when a busy line is requested to send
another packet to a different destination.

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

Dialer Physical Interface Dialog Box


Use the Dialer Physical Interface dialog box to add or edit the properties that
associate physical BRI interfaces with dialer interfaces.

Note

Use FlexConfigs to define other types of physical dialer interfaces, such as ATM
and Ethernet. For more information, see Understanding FlexConfig Objects,
page 8-52.
Navigation Path

Go to the Dialer Policy Page, page K-38, then click the Add or Edit button
beneath the Dialer Physical Interfaces table.
Related Topics

Dialer Profile Dialog Box, page K-40

Defining BRI Interface Properties, page 14-37

Dialer Interfaces on Cisco IOS Routers, page 14-34

Basic Interface Settings on Cisco IOS Routers, page 14-21

Understanding Interface Role Objects, page 8-115

Field Reference
Table K-16

Dialer Physical Interface Dialog Box

Element

Description

ISDN BRI

The physical BRI interface associated with the dialer interface.
Enter the name of an interface or interface role, or click Select to
display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.

Pools

Associates dialer pools with a physical interface. Enter the names of
one or more pools (as defined in the Dialer Profile Dialog Box,
page K-40), or click Select to display a selector. Use commas to
separate multiple entries.

Switch Type

The ISDN switch type.

Options for North America are:

basic-5ess - Lucent (AT&T) basic rate 5ESS switch

basic-dms100 - Northern Telecom DMS-100 basic rate switch

basic-ni - National ISDN switches

Options for Australia, Europe, and the UK are:

basic-1tr6 - German 1TR6 ISDN switch

basic-net3 - NET3 ISDN BRI for Norway NET3, Australia
NET3, and New Zealand NET3 switch types; ETSI-compliant
switch types for Euro-ISDN E-DSS1 signaling system

vn3 - French VN3 and VN4 ISDN BRI switches

Options for Japan are:

ntt - Japanese NTT ISDN switches

Options for Voice/PBX systems:

basic-qsig - PINX (PBX) switches with QSIG signaling per
Q.931 ()

SPID1

Applies only when you select Basic-DMS-100, Basic-NI, or
Basic-5ess as the switch type.
The service provider identifier (SPID) for the ISDN service to
which the interface subscribes. Some service providers in North
America assign SPIDs to ISDN devices when you first subscribe to
an ISDN service. If you are using a service provider that requires
SPIDs, your ISDN device cannot place or receive calls until it sends
a valid assigned SPID to the service provider when accessing the
switch to initialize the connection.
Valid SPIDs can contain up to 20 characters, including spaces and
special characters.

Note

We recommend that you do not enter a SPID for interfaces
using the AT&T 5ESS switch type, even though they are
supported.

SPID2

Applies only when you select DMS-100 or NI as the switch type.
The service provider identifier (SPID) for a second ISDN service to
which the interface subscribes. Valid SPIDs can contain up to 20
alphanumeric characters (no spaces are permitted).

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

ADSL Policy Page


Use the ADSL page to create, edit, and delete ADSL definitions on the ATM
interfaces of the router. For more information, see Defining ADSL Settings,
page 14-42.
Navigation Path

(Device view) Select Interfaces > Settings > DSL > ADSL from the Policy
selector.

(Policy view) Select Router Interfaces > Settings > DSL > ADSL from the
Policy Type selector. Right-click ADSL to create a policy, or select an
existing policy from the Shared Policy selector.

Related Topics

PVC Policy Page, page K-57

SHDSL Policy Page, page K-50

ADSL on Cisco IOS Routers, page 14-39

Router Platform User Interface Reference, page K-1

Field Reference
Table K-17

ADSL Page

Element

Description

Filter

Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

ATM Interface

The ATM interface on which ADSL settings are defined.

Interface Card

The type of device or ADSL interface card on which the ATM
interface resides.

Bandwidth Change

Indicates whether the router makes dynamic adjustments to VC
bandwidth as overall bandwidth changes. (This is relevant only
when IMA groups are configured on the ATM interface.)

DSL Operating Mode

The DSL operating mode for this interface.

Tone Low

Indicates whether the interface is using the low tone set (carrier
tones 29 through 48).

Add button

Opens the ADSL Settings Dialog Box, page K-46. From here you
can define the ADSL settings for a selected ATM interface.

Edit button

Opens the ADSL Settings Dialog Box, page K-46. From here you
can edit the selected ADSL definition.

Delete button

Deletes the selected ADSL definition from the table.

Save button

Saves your changes to the Security Manager server but keeps them
private.

Note

To publish your changes, click the Submit button on the
toolbar.

Tip

To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

ADSL Settings Dialog Box


Use the ADSL Settings dialog box to configure ADSL settings on a selected ATM
interface.

Note

When you configure ADSL settings, we highly recommend that you select the
type of device or interface card on which the ATM interface is defined. ADSL
settings are highly dependent on the hardware. Defining the hardware type in
Security Manager enables proper validation of your configuration for a successful
deployment to your devices.
Navigation Path

Go to the ADSL Policy Page, page K-44, then click the Add or Edit button
beneath the table.
Related Topics

Defining ADSL Settings, page 14-42

PVC Policy Page, page K-57

Field Reference
Table K-18

ADSL Settings Dialog Box

Element

Description

ATM Interface

The ATM interface on which ADSL settings are defined. Enter the
name of an interface or interface role, or click Select to display an
object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can define an interface role object.
Note

We recommend that you do not define an interface role that
includes ATM interfaces from different interface cards. The
different settings supported by each card type may cause
deployment to fail.

Note

You can create only one ADSL definition per interface.

Interface Card

The device type or the type of interface card installed on the router:

[blank] - The interface card type is not defined.

WIC-1ADSL - A 1-port ADSL WAN interface card that
provides ADSL over POTS (ordinary telephone lines).

WIC-1ADSL-I-DG - A 1-port ADSL WAN interface card that
provides ADSL over ISDN with Dying Gasp support. (With
Dying Gasp, the router warns the DSLAM of imminent line
drops when the router is about to lose power.)

WIC-1ADSL-DG - A 1-port ADSL WAN interface card that
provides ADSL over POTS with Dying Gasp support.

HWIC-1ADSL - A 1-port high-speed ADSL WAN interface
card that provides ADSL over POTS.

HWIC-1ADSLI - A 1-port high-speed ADSL WAN interface
card that provides ADSL over ISDN.

HWIC-ADSL-B/ST - A 2-port high-speed ADSL WAN
interface card that provides ADSL over POTS with an ISDN
BRI port for backup.

HWIC-ADSLI-B/ST - A 2-port high-speed ADSL WAN
interface card that provides ADSL over ISDN with an ISDN
BRI port for backup.

857 ADSL - Cisco 857 Integrated Services Router with an
ADSL interface.

876 ADSL - Cisco 876 Integrated Services Router with an
ADSL interface.

877 ADSL - Cisco 877 Integrated Services Router with an
ADSL interface.

1801 ADSLoPOTS - Cisco 1801 Integrated Services Router
that provides ADSL over POTS.

1802 ADSLoISDN - Cisco 1802 Integrated Services Router
that provides ADSL over ISDN.

Note

When discovering from a live device, the correct interface
card type will already be displayed. If you did not perform
discovery on a live device, or if Security Manager cannot
detect the type of interface card installed on the device, this
field displays Unknown.

Allow bandwidth change on ATM PVCs

When selected, the router makes dynamic adjustments to VC
bandwidth in response to changes in the overall bandwidth of the
Inverse Multiplexing over ATM (IMA) group defined on the ATM
interface.
When deselected, PVC bandwidth must be adjusted manually
(using the CLI) whenever an individual physical link in the IMA
group goes up or down.

DSL Operating Mode

The operating mode configured for this ADSL line:

auto - Performs automatic negotiation with the DSLAM
located at the central office (CO). This is the default.

ansi-dmt - The line trains in ANSI T1.413 Issue 2 mode.

itu-dmt - The line trains in G.992.1 mode.

splitterless - The line trains in G.992.2 (G.Lite) mode.

etsi - The line trains in ETSI (European Telecommunications
Standards Institute) mode.

adsl2 - The line trains in G.992.3 (adsl2) mode.

adsl2+ - The line trains in G.992.5 (adsl2+) mode.

Note

See Table 14-3 on page 14-41 for a description of the
operating modes that are supported by each card type.

Use low tone set

When selected, the interface card uses carrier tones 29 through 48.
When deselected, the interface card uses carrier tones 33
through 56.

Note

Leave this option deselected when the interface card is
operating in accordance with Deutsche Telekom
specification U-R2.

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

SHDSL Policy Page


Use the SHDSL page to create, edit, and delete DSL controller definitions on the
router. For more information, see Defining SHDSL Controllers, page 14-46.

Navigation Path

(Device view) Select Interfaces > Settings > DSL > SHDSL from the Policy
selector.

(Policy view) Select Router Interfaces > Settings > DSL > SHDSL from
the Policy Type selector. Right-click SHDSL to create a policy, or select an
existing policy from the Shared Policy selector.

Related Topics

PVC Policy Page, page K-57

ADSL Policy Page, page K-44

SHDSL on Cisco IOS Routers, page 14-44

Router Platform User Interface Reference, page K-1

Field Reference
Table K-19

SHDSL Page

Element

Description

Filter

Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

Name

The name of the DSL controller.

Description

An optional description of the controller.

Shutdown

Indicates whether the DSL controller is in shutdown mode.

Configure ATM Mode

Indicates whether the DSL controller has been set into ATM mode.

Line Termination

The line termination set for the router (CPE or CO).

DSL Mode

The operating mode defined for the DSL controller.

Line Mode

The line mode defined for the DSL controller.

Line Rate

The line rate (in kbps) defined for the DSL controller.

Note

A value is displayed in this column only if the line mode is
not set to Auto.

SNR Margin Current

The current signal-to-noise ratio on the controller.

SNR Margin Snext

The self near-end crosstalk (Snext) signal-to-noise ratio on the
controller.

Add button

Opens the SHDSL Controller Dialog Box, page K-52. From here
you can define the settings for a DSL controller.

Edit button

Opens the SHDSL Controller Dialog Box, page K-52. From here
you can edit the selected DSL controller definition.

Delete button

Deletes the selected DSL controller definition from the table.

Save button

Saves your changes to the Security Manager server but keeps them
private.

Note

To publish your changes, click the Submit button on the
toolbar.

Tip

To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

SHDSL Controller Dialog Box


Use the SHDSL Controller dialog box to configure SHDSL controllers.
Navigation Path

Go to the SHDSL Policy Page, page K-50, then click the Add or Edit button
beneath the table.
Related Topics

Defining SHDSL Controllers, page 14-46

PVC Policy Page, page K-57

Discovering Policies on Devices Already in Security Manager, page 6-10

Field Reference
Table K-20

SHDSL Dialog Box

Element

Description

Name

The name of the controller. Enter a name manually, or click Select
to display a dialog box for generating a name. See Controller Auto
Name Generator Dialog Box, page K-56.

Description

Additional information about the controller (up to 80 characters).

Shutdown

When selected, the DSL controller is in shutdown state. However,
its definition is not deleted.
When deselected, the DSL controller is enabled. This is the default.

Configure ATM mode

When selected, sets the controller into ATM mode and creates an
ATM interface with the same ID as the controller. This is the
default. You must enable ATM mode and then perform rediscovery
to configure ATM or PVCs on the device.
When deselected, ATM mode is disabled. No ATM interface is
created on deployment.

Note

You cannot remove ATM mode from a controller after it has
been saved in Security Manager.

Line Termination

The line termination that is set for the router:

CPE - Customer premises equipment. This is the default.

CO - Central office.

DSL Mode

The DSL operating mode, including regional operating parameters,
used by the controller:

[blank] - The operating mode is not defined. (When deployed,
the Annex A standard for North America is used.)

A - Supports Annex A of the G.991.2 standard for North
America.

A-B - Supports Annex A or Annex B. Available only when the
Line Term is set to CPE. The appropriate mode is selected when
the line trains.

A-B-ANFP - Supports Annex A or Annex B-ANFP. Available
only when the Line Term is set to CPE. The appropriate mode
is selected when the line trains.

B - Supports Annex B of the G.991.2 standard for Europe.

B-ANFP - Supports Annex B-ANFP (Access Network
Frequency Plan).

Note

The available DSL modes are dependent on the selected line
termination.

Line Mode settings

Line Mode

The line mode used by the controller:

auto - The controller operates in the same mode as the other
line termination (2-wire line 0, 2-wire line 1, or 4-wire
enhanced). This is the default for CPE line termination.

2-wire - The controller operates in two-wire mode. This is the
default for CO line termination.

4-wire - The controller operates in four-wire mode.

Note

You can select Auto only when you configure the controller
as the CPE.

Line

Applies only when the Line Mode is defined as 2-wire.
The pair of wires to use:

line-zero - RJ-11 pin 1 and pin 2. This is the default for CO line
termination.

line-one - RJ-11 pin 3 and pin 4.

Exchange Handshake

Applies only when the Line Mode is defined as 4-wire.
The type of handshake mode to use:

[blank] - The handshake mode is not specified. (When
deployed, the enhanced option is used.) This is the default.

enhanced - Exchanges handshake status on both wire pairs.

standard - Exchanges handshake status on the master wire pair
only.

Line Rate

Does not apply when the Line Mode is defined as Auto.
The DSL line rate (in kbps) available for the SHDSL port:

auto - The controller selects the line rate. This is available only
in 2-wire mode.

Supported line rates:

For 2-wire mode: 192, 256, 320, 384, 448, 512, 576, 640,
704, 768, 832, 896, 960, 1024, 1088, 1152, 1216, 1280,
1344, 1408, 1472, 1536, 1600, 1664, 1728, 1792, 1856,
1920, 1984, 2048, 2112, 2176, 2240, and 2304.

For 4-wire mode: 384, 512, 640, 768, 896, 1024, 1152,
1280, 1408, 1536, 1664, 1792, 1920, 2048, 2176, 2304,
2432, 2560, 2688, 2816, 2944, 3072, 3200, 3328, 3456,
3584, 3712, 3840, 3968, 4096, 4224, 4352, 4480, and 4608.

Note

Third-party equipment may use a line rate that includes an
additional SHDSL overhead of 8 kbps for 2-wire mode or
16 kbps for 4-wire mode.

SNR Margin settings

Current

The current signal-to-noise (SNR) ratio on the controller, in
decibels (dB). Valid values range from -10 to 10 dB.
This option can create a more stable line by making the line train
more than current noise margin plus SNR ratio threshold during
training time. If any external noise is applied that is less than the set
SNR margin, the line will be stable.

Note

Select disable to disable the current SNR.

Snext

The Self Near-End Crosstalk (SNEXT) signal-to-noise ratio on the
controller, in decibels. Valid values range from -10 to 10 dB.
This option can create a more stable line by making the line train
more than SNEXT threshold during training time. If any external
noise is applied that is less than the set SNEXT margin, the line will
be stable.

Note

Select disable to disable the SNEXT SNR.

SHDSL dialog box buttons

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.
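
The Line Mode, Line Termination and Line Rate rules of the SHDSL Controller dialog box above can be checked before a definition is deployed. The following Python validator is an added example, not Security Manager's or Cisco's own code; the function names and the dictionary layout of a controller definition are assumptions made for the example.

```python
"""Pre-deployment check of SHDSL controller line mode and line rate.

Added example, not Security Manager's own code. The accepted values
are those listed for the Line Mode and Line Rate fields of the SHDSL
Controller dialog box; the function names and the dictionary layout of a
controller definition are assumptions made for this example.
"""
from typing import List, Optional

# Supported line rates in kbps, exactly the two lists given for the
# Line Rate field: 2-wire 192..2304 in steps of 64, 4-wire 384..4608
# in steps of 128.
RATES_2WIRE = frozenset(range(192, 2304 + 1, 64))
RATES_4WIRE = frozenset(range(384, 4608 + 1, 128))

# SHDSL overhead that third-party equipment may fold into the rate it
# reports (see the Note under Line Rate).
OVERHEAD_KBPS = {"2-wire": 8, "4-wire": 16}


def supported_rates(line_mode: str) -> frozenset:
    """Line rates accepted for a 2-wire or 4-wire controller."""
    if line_mode == "2-wire":
        return RATES_2WIRE
    if line_mode == "4-wire":
        return RATES_4WIRE
    raise ValueError(f"unknown line mode: {line_mode!r}")


def check_line_mode(line_mode: str, line_termination: str) -> List[str]:
    """Errors for the Line Mode / Line Termination combination.

    Auto line mode may be selected only when the controller is the CPE.
    """
    errors = []
    if line_termination not in ("CPE", "CO"):
        errors.append(f"line termination {line_termination!r} is not CPE or CO")
    if line_mode not in ("auto", "2-wire", "4-wire"):
        errors.append(f"line mode {line_mode!r} is not auto, 2-wire or 4-wire")
    elif line_mode == "auto" and line_termination != "CPE":
        errors.append("line mode auto is allowed only when line termination is CPE")
    return errors


def check_line_rate(line_mode: str, line_rate: Optional[str]) -> List[str]:
    """Errors for the Line Rate field, given the Line Mode.

    line_rate is the text entered in the field ('auto' or a number of
    kbps) or None when the field is left empty.
    """
    if line_mode == "auto":
        # The field does not apply; anything entered would be ignored.
        return [] if line_rate is None else ["line rate does not apply when line mode is auto"]
    if line_rate is None:
        return []
    if line_rate == "auto":
        return [] if line_mode == "2-wire" else ["line rate auto is available only in 2-wire mode"]
    try:
        kbps = int(line_rate)
    except ValueError:
        return [f"line rate {line_rate!r} is not a number or 'auto'"]
    rates = supported_rates(line_mode)
    if kbps in rates:
        return []
    # A supported rate plus the SHDSL overhead is the classic sign of a
    # value copied from third-party equipment; say so explicitly.
    overhead = OVERHEAD_KBPS[line_mode]
    if kbps - overhead in rates:
        return [f"{kbps} kbps includes the {overhead} kbps SHDSL overhead used by "
                f"third-party equipment; configure {kbps - overhead} kbps instead"]
    return [f"{kbps} kbps is not a supported {line_mode} line rate"]


def validate_controller(controller: dict) -> List[str]:
    """Validate one controller definition; returns all problems found."""
    mode = controller.get("line_mode", "auto")
    term = controller.get("line_termination", "CPE")
    errors = check_line_mode(mode, term)
    if mode in ("auto", "2-wire", "4-wire"):
        errors += check_line_rate(mode, controller.get("line_rate"))
    return errors


if __name__ == "__main__":
    # Constructed sample definitions, not taken from any real device.
    samples = [
        {"name": "DSL 0/0/0", "line_termination": "CPE", "line_mode": "auto"},
        {"name": "DSL 0/1/0", "line_termination": "CO", "line_mode": "2-wire",
         "line_rate": "2312"},
        {"name": "DSL 0/2/0", "line_termination": "CO", "line_mode": "auto"},
    ]
    for s in samples:
        print(s["name"], validate_controller(s) or "OK")
```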

Controller Auto Name Generator Dialog Box


Use the Controller Auto Name Generator dialog box to have Security Manager
generate a name for the DSL controller based on its location in the router.
Navigation Path

Go to the SHDSL Controller Dialog Box, page K-52, then click Select in the
Name field.
Related Topics

Defining SHDSL Controllers, page 14-46

SHDSL Policy Page, page K-50

PVC Policy Page, page K-57

Field Reference
Table K-21

Controller Auto Name Generator Dialog Box

Element

Description

Type

The type of interface. This field displays the value DSL and is
read-only.

Card

The card related to the controller.

Slot

The slot related to the controller.

Port

The port related to the controller.


Note

The information you enter in these fields forms the
remainder of the generated name, as displayed in the Result
field.

Result

The name generated by Security Manager from the information you
entered for the controller location. The name displayed in this field
is read-only.

Tip

After closing this dialog box, you can edit the generated
name in the SHDSL dialog box, if required.

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

PVC Policy Page


Use the PVC page to create, edit, and delete permanent virtual connections
(PVCs) on the router. PVCs allow direct and permanent connections between sites
to provide a service that is similar to a leased line. These PVCs can be used in
ADSL, SHDSL, or pure ATM environments. For more information, see Defining
ATM PVCs, page 14-55.

Navigation Path

(Device view) Select Interfaces > Settings > PVC from the Policy selector.

(Policy view) Select Router Interfaces > Settings > PVC from the Policy
Type selector. Right-click PVC to create a policy, or select an existing policy
from the Shared Policy selector.

Related Topics

ADSL Policy Page, page K-44

SHDSL Policy Page, page K-50

PVCs on Cisco IOS Routers, page 14-47

Router Platform User Interface Reference, page K-1

Field Reference
Table K-22

PVC Page

Element

Description

Filter

Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

ATM Interface

The ATM interface on which the PVC is defined.

Interface Card

The type of device or WAN interface card on which the ATM
interface resides.

PVC ID

The Virtual Path Identifier (VPI) and Virtual Channel Identifier
(VCI) of the PVC.

Settings

Additional settings configured for the PVC, including
encapsulation, the number of PPPoE sessions, and the VPN service
name.

QoS

Quality-of-service settings defined for the PVC, such as traffic
shaping.

Protocol

The IP protocol mappings (static maps or Inverse ARP) configured
for the PVC.

OAM

The F5 Operation, Administration, and Maintenance (OAM)
loopback, continuity check, and AIS/RDI definitions configured for
the PVC.

OAM-PVC

The OAM management cells that are configured for the PVC.

Add button

Opens the PVC Dialog Box, page K-59. From here you can define
a PVC.

Edit button

Opens the PVC Dialog Box, page K-59. From here you can edit the
selected PVC.

Delete button

Deletes the selected PVC from the table.

Save button

Saves your changes to the Security Manager server but keeps them
private.

Note

To publish your changes, click the Submit button on the
toolbar.

Tip

To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

PVC Dialog Box


Use the PVC dialog box to configure ATM permanent virtual circuits (PVCs).
Navigation Path

Go to the PVC Policy Page, page K-57, then click the Add or Edit button beneath
the table.
Related Topics

Defining ATM PVCs, page 14-55

Field Reference
Table K-23

PVC Dialog Box

Element

Description

ATM Interface

The ATM interface on which the PVC is defined. Enter the name of
an interface, subinterface, or interface role, or click Select to
display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can define an interface role object.
Note

We strongly recommend not defining an interface role that
includes ATM interfaces from different interface cards. The
different settings supported by each card type may cause
deployment to fail.

Interface Card

The type of WAN interface card installed on the router or the router
type:

[blank] - The interface card type is not defined.

WIC-1ADSL - A 1-port ADSL WAN interface card that
provides ADSL over POTS (ordinary telephone lines).

WIC-1ADSL-I-DG - A 1-port ADSL WAN interface card that
provides ADSL over ISDN with Dying Gasp support. (With
Dying Gasp, the router warns the DSLAM of imminent line
drops when the router is about to lose power.)

WIC-1ADSL-DG - A 1-port ADSL WAN interface card that
provides ADSL over POTS with Dying Gasp support.

HWIC-1ADSL - A 1-port high-speed ADSL WAN interface
card that provides ADSL over POTS.

HWIC-1ADSLI - A 1-port high-speed ADSL WAN interface
card that provides ADSL over ISDN.

HWIC-ADSL-B/ST - A 2-port high-speed ADSL WAN
interface card that provides ADSL over POTS with an ISDN
BRI port for backup.

HWIC-ADSLI-B/ST - A 2-port high-speed ADSL WAN
interface card that provides ADSL over ISDN with an ISDN
BRI port for backup.

WIC-1-SHDSL-V2 - A 1-port multiline G.SHDSL WAN
interface card with support for 2-wire mode and enhanced
4-wire mode.

WIC-1-SHDSL-V3 - A 1-port multiline G.SHDSL WAN
interface card with support for 2-wire mode and 4-wire mode
(standard & enhanced).

NM-1A-T3 - A 1-port ATM network module with a T3 link.

NM-1A-OC3-POM - A 1-port ATM network module with an
optical carrier level 3 (OC-3) link and three operating modes
(multimode, single-mode intermediate reach (SMIR), and
single-mode long-reach (SMLR)).

NM-1A-E3 - A 1-port ATM network module with an E3 link.

857 ADSL - Cisco 857 Integrated Services Router with an
ADSL interface.

876 ADSL - Cisco 876 Integrated Services Router with an
ADSL interface.

877 ADSL - Cisco 877 Integrated Services Router with an
ADSL interface.

878 G.SHDSL - Cisco 878 Integrated Services Router with a
G.SHDSL interface.

1801 ADSLoPOTS - Cisco 1801 Integrated Services Router
that provides ADSL over POTS.

1802 ADSLoISDN - Cisco 1802 Integrated Services Router
that provides ADSL over ISDN.

1803 G.SHDSL - Cisco 1803 Integrated Services Router that
provides 4-wire G.SHDSL.

Note

To ensure proper policy validation, we highly recommend
that you define a value in this field. When you discover a
live device, the correct interface card type will already be
displayed. If you did not perform discovery on a live device,
or if Security Manager cannot detect the type of interface
card installed on the device, this field displays Unknown.

Settings tab

Defines basic PVC settings, such as the VPI/VCI and encapsulation.
See PVC Dialog Box - Settings Tab, page K-63.

QoS tab

Defines ATM traffic shaping and other quality-of-service settings
for the PVC. See PVC Dialog Box - QoS Tab, page K-67.

Protocol tab

Defines the IP protocol mappings configured for the PVC (static
maps or Inverse ARP). See PVC Dialog Box - Protocol Tab,
page K-71.

Advanced button

Defines F5 Operation, Administration, and Maintenance (OAM)
settings for the PVC. See PVC Advanced Settings Dialog
Box - OAM Tab, page K-75.

OK button

Saves your changes locally on the client and closes the dialog box.

Note

To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

PVC Dialog Box - Settings Tab


Use the Settings tab of the PVC dialog box to configure the basic settings of the
PVC, including:

ID settings.

Encapsulation settings.

Whether ILMI and Inverse ARP are enabled.

The maximum number of PPPoE sessions.

The static domain (VPN service) name to use for PPPoA.

Navigation Path

Go to the PVC Dialog Box, page K-59, then click the Settings tab.
Related Topics

PVC Dialog Box - QoS Tab, page K-67

PVC Dialog Box - Protocol Tab, page K-71

PVC Advanced Settings Dialog Box, page K-74

Defining ATM PVCs, page 14-55

Field Reference
Table K-24

PVC Dialog Box - Settings Tab

Element

Description

PVC ID settings

VPI

The virtual path identifier of the PVC. In conjunction with the VCI,
identifies the next destination of a cell as it passes through a series
of ATM switches on the way to its destination. Valid values for most
platforms range from 0 to 255.
For Cisco 2600 and 3600 Series routers using Inverse Multiplexing
for ATM (IMA), valid values range from 0 to 15, 64 to 79, 128 to
143, and 192 to 207.

Note
VPI/VCI values must be unique for all the PVCs configured
on a selected interface. VPI/VCI values are unique to a
single link only and might change as cells traverse the ATM
network.

VCI

The 16-bit virtual channel identifier of the PVC. In conjunction with
the VPI, identifies the next destination of a cell as it passes through
a series of ATM switches on the way to its destination. Valid values
vary by platform. Typically, values up to 31 are reserved for special
traffic (such as ILMI) and should not be used. 3 and 4 are invalid.

Note
VPI/VCI values must be unique for all the PVCs configured
on a selected interface. VPI/VCI values are unique to a
single link only and might change as cells traverse the ATM
network.

Handle

An optional name to identify the PVC. The maximum length is
15 characters.

Management PVC (ILMI)

Does not apply when configuring the PVC on a subinterface.
When selected, designates this PVC as the management PVC for
this ATM interface by enabling communication with the Interim
Local Management Interface (ILMI). ILMI is a protocol defined by
the ATM Forum for setting and capturing physical layer, ATM layer,
virtual path, and virtual circuit parameters on ATM interfaces. See
Understanding ILMI, page 14-52.
When deselected, this PVC does not act as the management PVC.
This is the default.

Note
The VPI/VCI for the management PVC is typically set to
0/16.


Encapsulation settings

Type

Does not apply when the Management PVC (ILMI) check box is
enabled.
The ATM adaptation layer (AAL) and encapsulation type to use on
the PVC:

• [blank]—The encapsulation type is not defined. (When
  deployed, aal5snap is applied.)
• aal2—For PVCs dedicated to AAL2 Voice over ATM. AAL2 is
  used for variable bit rate (VBR) traffic, which can be either
  realtime (VBR-RT) or non-realtime (VBR-NRT).
• aal5autoppp—Enables the router to distinguish between
  incoming PPP over ATM (PPPoA) and PPP over Ethernet
  (PPPoE) sessions and create virtual access for both PPP types
  based on demand.
• aal5ciscoppp—For the proprietary Cisco version of PPP over
  ATM.
• aal5mux—Enables you to dedicate the PVC to a single
  protocol, as defined in the Protocol field.
• aal5nlpid—Enables ATM interfaces to work with High-Speed
  Serial Interfaces (HSSI) that are using an ATM data service unit
  (ADSU) and running ATM-Data Exchange Interface (DXI).
• aal5snap—Supports Inverse ARP and incorporates the Logical
  Link Control/Subnetwork Access Protocol (LLC/SNAP) that
  precedes the protocol datagram. This allows multiple protocols
  to traverse the same PVC.


Virtual Template

The virtual template used for PPP over ATM on this PVC. Enter the
name of a virtual template interface or interface role, or click Select
to display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can define an interface role object.
When a user dials in, the virtual template is used to configure a
virtual access interface. When the user is done, the virtual access
interface goes down and the resources are freed for other dial-in
users.

Note
If you modify the virtual template settings on an existing
PVC, you must enter the shutdown command followed by
the no shutdown command on the ATM subinterface to
restart the interface. This causes the newly configured
parameters to take effect.

Protocol

Applies only when aal5mux is the defined encapsulation type.
The protocol carried by the MUX-encapsulated PVC:

• frame-relay—Frame-Relay-ATM Network Interworking
  (FRF.5) on the Cisco MC3810.
• fr-atm-srv—Frame-Relay-ATM Service Interworking (FRF.8)
  on the Cisco MC3810.
• ip—IP protocol.
• ppp—IETF-compliant PPP over ATM. You must specify a
  virtual template when using this protocol type.
• voice—Voice over ATM.

Additional settings

Enable ILMI

When selected, enables ILMI management on this PVC.
When deselected, ILMI management on this PVC is disabled.


Inverse ARP

When selected, the Inverse Address Resolution Protocol (Inverse
ARP) is enabled on the PVC.
When deselected, Inverse ARP is disabled. This is the default.
Inverse ARP is used to learn the Layer 3 addresses at the remote
ends of established connections. These addresses must be learned
before the virtual circuit can be used.

Note
Use the Protocol tab to define static mappings of IP
addresses instead of dynamically learning the addresses
using Inverse ARP. See PVC Dialog Box—Protocol Tab,
page K-71.

PPPoE Max Sessions

The maximum number of PPP over Ethernet sessions that are
permitted on the PVC.

VPN Service Name

The static domain name to use on this PVC. The maximum length
is 128 characters.
Use this option when you want PPP over ATM (PPPoA) sessions in
the PVC to be forwarded according to the domain name supplied,
without starting PPP.

PVC Dialog Box—QoS Tab

Use the QoS tab of the PVC dialog box to configure the ATM traffic shaping and
other quality-of-service settings of the PVC, including:

• The limit on packets placed on transmission rings.
• The QoS service.
• Whether random detection is enabled.

These settings regulate the flow of traffic over the PVC by queuing traffic that
exceeds the defined allowable bit rates.

Note
QoS values are highly hardware dependent. Please refer to your router
documentation for additional details about the settings that can be configured on
your device.


Navigation Path

Go to the PVC Dialog Box, page K-59, then click the QoS tab.

Related Topics

• PVC Dialog Box—Settings Tab, page K-63
• PVC Dialog Box—Protocol Tab, page K-71
• PVC Advanced Settings Dialog Box, page K-74
• Defining ATM PVCs, page 14-55
• Quality of Service Policy Page, page K-215
• Understanding Policing and Shaping Parameters, page 14-161

Field Reference

Table K-25 PVC Dialog Box—QoS Tab

Element          Description

Tx Ring Limit

The maximum number of transmission packets that can be placed on
a transmission ring on the WAN interface card (WIC) or interface.
The range of valid values depends on the type of interface card
selected in the Settings tab. See PVC Dialog Box—Settings Tab,
page K-63.

Traffic Shaping settings


Traffic Shaping

The type of service to define on the PVC:

• [null]—The bit rate is not defined.
• ABR—Available Bit Rate. A best-effort service suitable for
  applications that do not require guarantees against cell loss or
  delays. See ABR.
• CBR—Constant Bit Rate service. Delay-sensitive data, such as
  voice or video, is sent at a fixed rate, providing a service similar
  to a leased line. See CBR.
• UBR—Unspecified Bit Rate service. A best-effort service
  suitable for applications that are tolerant to delay and do not
  require realtime responses. See UBR.
• UBR+—Unspecified Bit Rate service. Unlike UBR, UBR+
  attempts to maintain a guaranteed minimum rate. See UBR+.
• VBR-NRT—Variable Bit Rate - Non-Real Time service. A
  service suitable for non-realtime applications that are bursty in
  nature. VBR is more efficient than CBR and more reliable than
  UBR. See VBR-NRT.
• VBR-RT—Variable Bit Rate - Real Time service. A service
  suitable for realtime applications that are bursty in nature. See
  VBR-RT.

For more information about each service class, see Understanding
ATM Service Classes, page 14-50.

ABR

The following fields are displayed when ABR is selected as the Bit
Rate:

• PCR—The peak cell rate in kilobits per second (kbps). It
  specifies the maximum value of the ABR.
• MCR—The minimum cell rate in kilobits per second (kbps). It
  specifies the minimum value of the ABR.

The ABR varies between the MCR and the PCR. It is dynamically
controlled using congestion control mechanisms.


CBR

The following field is displayed when CBR is selected as the Bit
Rate:

• Rate—The constant bit rate (also known as the average cell
  rate) for the PVC in kilobits per second (kbps). An ATM VC
  configured for CBR can send cells at this rate for as long as
  required.

UBR

The following field is displayed when UBR is selected as the Bit
Rate:

• PCR—The peak cell rate for output in kilobits per second
  (kbps). Cells in excess of the PCR may be discarded.

UBR+

The following fields are displayed when UBR+ is selected as the Bit
Rate:

• PCR—The peak cell rate for output in kilobits per second
  (kbps). Cells in excess of the PCR may be discarded.
• MCR—The minimum guaranteed cell rate for output in kilobits
  per second (kbps). Traffic is always allowed to be sent at this
  rate.

Note
UBR+ requires Cisco IOS Software Release 12.4(2)XA or
later, or version 12.4(6)T or later.

VBR-NRT

The following fields are displayed when VBR-NRT is selected as
the Bit Rate:

• PCR—The peak cell rate for output in kilobits per second
  (kbps). Cells in excess of the PCR may be discarded.
• SCR—The sustained cell rate for output in kilobits per second
  (kbps). This value, which must be lower than or equal to the
  PCR, represents the maximum rate at which cells can be
  transmitted without incurring data loss.
• MBS—The maximum burst cell size for output. This value
  represents the number of cells that can be transmitted above the
  SCR but below the PCR without penalty.


VBR-RT

The following fields are displayed when VBR-RT is selected as the
Bit Rate:

• Peak Rate—The peak information rate for realtime traffic in
  kilobits per second (kbps).
• Average Rate—The average information rate for realtime
  traffic in kilobits per second (kbps). This value must be lower
  than or equal to the peak rate.
• Burst—The burst size for realtime traffic, in number of cells.
  Configure this value if the PVC carries bursty traffic.

These values configure traffic shaping between realtime traffic
(such as voice and video) and data traffic to ensure that the carrier
does not discard realtime traffic, for example, voice calls.

IP QoS settings

Random Detect

When selected, enables Weighted Random Early Detection
(WRED) or VIP-distributed WRED (DWRED) on the PVC.
When deselected, WRED and DWRED are disabled. This is the
default.
WRED is a queue management method that selectively drops
packets as the interface becomes congested. See Tail Drop vs.
WRED, page 14-158.

PVC Dialog Box—Protocol Tab

Use the Protocol tab of the PVC dialog box to add, edit, or delete the protocol
mappings configured for the PVC. You may configure static mappings or Inverse
ARP (broadcast or nonbroadcast) for each PVC, but not both.

Note
• IP is the only protocol supported by Security Manager for protocol mapping
  on ATM networks.
• You cannot define protocol mappings on the Management PVC (ILMI).


Navigation Path

Go to the PVC Dialog Box, page K-59, then click the Protocol tab.

Related Topics

• PVC Dialog Box—Settings Tab, page K-63
• PVC Dialog Box—QoS Tab, page K-67
• PVC Advanced Settings Dialog Box, page K-74
• Defining ATM PVCs, page 14-55

Field Reference

Table K-26 PVC Dialog Box—Protocol Tab

Element          Description

IP Protocol Mapping

Displays the IP protocol mappings configured for the PVC.

Add button

Opens the Define Mapping Dialog Box, page K-72. From here you
can define an IP protocol mapping.

Edit button

Opens the Define Mapping Dialog Box, page K-72. From here you
can edit the selected mapping.

Delete button

Deletes the selected mapping from the table.

Define Mapping Dialog Box

Use the Define Mapping dialog box to configure the IP protocol mappings to use
on the ATM PVC. Mappings are required by the PVC to discover which IP address
is reachable at the other end of a connection. Mappings can either be learned
dynamically using Inverse ARP (InARP) or defined statically. Static mappings are
best suited for simple networks that contain only a few nodes.

Note
Inverse ARP is only supported for the aal5snap encapsulation type. See PVC
Dialog Box—Settings Tab, page K-63.

Tip
Use the CLI or FlexConfigs to configure mappings for protocols other than IP.


Navigation Path

Go to the PVC Dialog Box—Protocol Tab, page K-71, then click Add or Edit.

Related Topics

• PVC Dialog Box, page K-59
• Defining ATM PVCs, page 14-55

Field Reference

Table K-27 Define Mapping Dialog Box

Element          Description

IP Options

The type of IP protocol mapping to use:

• IP Address—Select this option when using static mapping.
  Enter the address or network/host object, or click Select to
  display an object selector.
  If the network you want is not listed, click the Create button in
  the selector to display the Network/Host Dialog Box,
  page F-433. From here, you can define a network/host object.
• InARP—Inverse ARP. Select this option when using dynamic
  mapping. This allows the PVC to resolve its own network
  addresses without configuring a static map. Dynamic mappings
  age out and are refreshed periodically every 15 minutes by
  default.

Note
InARP can be used only when aal5snap is the defined
encapsulation type for the PVC. See PVC Dialog
Box—Settings Tab, page K-63.

Broadcast Options

Indicates whether to use this map entry when sending IP broadcast
packets (such as EIGRP updates):

• Broadcast—The map entry is used for broadcast packets.
• No Broadcast—The map entry is used only for unicast packets.
• None—Broadcast options are disabled.


OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.
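The Settings, QoS and Protocol tab descriptions above, together with the Define Mapping note on Inverse ARP, state a number of constraints a PVC definition must satisfy before it is deployed: the VPI and VCI ranges, the reserved and invalid VCIs, VPI/VCI uniqueness on an interface, which fields apply to which encapsulation type, and the rate relationships for each service class. The Python script below is an added example, not Security Manager or Cisco code, that gathers those constraints into a pre-deployment check over a list of PVC definitions. The Pvc data class, its field names, the check wording and the sample PVCs are this example's own; two points are this example's interpretation rather than the page's words: a VCI of 31 or lower is reported on any PVC except the management PVC, and the uniqueness check is keyed on the main ATM interface so that subinterfaces of one interface share a VPI/VCI space.

```python
"""Pre-deployment consistency checks for ATM PVC definitions.
Added example modelled on the PVC dialog box constraints; not
Security Manager code. Field and check names are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# VPI ranges for Cisco 2600/3600 routers using IMA (from the VPI row).
IMA_VPI_RANGES = ((0, 15), (64, 79), (128, 143), (192, 207))
ENCAPSULATIONS = {"", "aal2", "aal5autoppp", "aal5ciscoppp", "aal5mux",
                  "aal5nlpid", "aal5snap"}
MUX_PROTOCOLS = {"frame-relay", "fr-atm-srv", "ip", "ppp", "voice"}


@dataclass
class Pvc:
    interface: str                 # "ATM0/0" or a subinterface "ATM0/0.1"
    vpi: int
    vci: int
    encapsulation: str = ""        # "" = not defined (aal5snap when deployed)
    handle: str = ""
    management: bool = False       # Management PVC (ILMI) check box
    protocol: Optional[str] = None         # aal5mux only
    virtual_template: Optional[str] = None
    inverse_arp: bool = False
    static_maps: Tuple[str, ...] = ()      # static IP mappings (Protocol tab)
    vpn_service_name: str = ""
    shaping: Optional[str] = None          # ABR, CBR, UBR, UBR+, VBR-NRT, VBR-RT
    rates: Dict[str, int] = field(default_factory=dict)  # kbps values
    ima_platform: bool = False             # Cisco 2600/3600 with IMA


def check_pvc(p: Pvc) -> List[str]:
    """Return the problems found for one PVC (an empty list means clean)."""
    errs: List[str] = []
    # VPI: 0-255 on most platforms; the four IMA ranges on 2600/3600 routers.
    if p.ima_platform:
        if not any(lo <= p.vpi <= hi for lo, hi in IMA_VPI_RANGES):
            errs.append(f"VPI {p.vpi} outside the IMA ranges {IMA_VPI_RANGES}")
    elif not 0 <= p.vpi <= 255:
        errs.append(f"VPI {p.vpi} outside 0-255")
    # VCI: 16-bit; 3 and 4 are invalid; 0-31 are reserved (ILMI itself is 0/16).
    if not 0 <= p.vci <= 65535:
        errs.append(f"VCI {p.vci} is not a 16-bit value")
    elif p.vci in (3, 4):
        errs.append(f"VCI {p.vci} is invalid")
    elif p.vci <= 31 and not p.management:   # example's interpretation
        errs.append(f"VCI {p.vci} is reserved for special traffic such as ILMI")
    if len(p.handle) > 15:
        errs.append("handle longer than 15 characters")
    if len(p.vpn_service_name) > 128:
        errs.append("VPN service name longer than 128 characters")
    # Management PVC: not on a subinterface, and no protocol mappings.
    if p.management:
        if "." in p.interface:
            errs.append("management PVC cannot be configured on a subinterface")
        if p.static_maps or p.inverse_arp:
            errs.append("protocol mappings cannot be defined on the management PVC")
    # Encapsulation-dependent fields.
    if p.encapsulation not in ENCAPSULATIONS:
        errs.append(f"unknown encapsulation {p.encapsulation!r}")
    if p.protocol is not None and p.encapsulation != "aal5mux":
        errs.append("Protocol applies only to aal5mux encapsulation")
    if p.protocol is not None and p.protocol not in MUX_PROTOCOLS:
        errs.append(f"unknown MUX protocol {p.protocol!r}")
    if p.protocol == "ppp" and not p.virtual_template:
        errs.append("ppp protocol requires a virtual template")
    # Inverse ARP only with aal5snap, and never together with static mappings.
    effective_encap = p.encapsulation or "aal5snap"   # blank deploys as aal5snap
    if p.inverse_arp and effective_encap != "aal5snap":
        errs.append("Inverse ARP is supported only with aal5snap encapsulation")
    if p.inverse_arp and p.static_maps:
        errs.append("static mappings and Inverse ARP cannot both be configured")
    # Traffic shaping: SCR <= PCR (VBR-NRT), average <= peak (VBR-RT),
    # and ABR varies between MCR and PCR.
    r = p.rates
    if p.shaping == "VBR-NRT" and r.get("scr", 0) > r.get("pcr", 0):
        errs.append("VBR-NRT: SCR must be lower than or equal to PCR")
    if p.shaping == "VBR-RT" and r.get("average", 0) > r.get("peak", 0):
        errs.append("VBR-RT: average rate must be lower than or equal to peak rate")
    if p.shaping == "ABR" and r.get("mcr", 0) > r.get("pcr", 0):
        errs.append("ABR: MCR must not exceed PCR")
    return errs


def check_interface(pvcs: List[Pvc]) -> List[str]:
    """Per-PVC checks plus the VPI/VCI uniqueness rule, keyed on the main
    interface (example's assumption: subinterfaces share the VPI/VCI space)."""
    errs: List[str] = []
    seen: Dict[Tuple[str, int, int], str] = {}
    for p in pvcs:
        errs.extend(f"{p.interface} {p.vpi}/{p.vci}: {e}" for e in check_pvc(p))
        key = (p.interface.split(".")[0], p.vpi, p.vci)
        if key in seen:
            errs.append(f"{p.interface} {p.vpi}/{p.vci}: VPI/VCI already used on {seen[key]}")
        seen.setdefault(key, p.interface)
    return errs


if __name__ == "__main__":
    # Constructed sample: one clean data PVC, the management PVC, one bad PVC.
    sample = [Pvc("ATM0/0", 0, 16, management=True),
              Pvc("ATM0/0.1", 0, 100, "aal5snap", inverse_arp=True),
              Pvc("ATM0/0.2", 0, 100, "aal5mux", protocol="ppp")]
    for line in check_interface(sample):
        print(line)
```

Run it against the PVC list you intend to deploy; each line names the interface and VPI/VCI pair so the finding can be matched to a row in the PVC policy table.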

PVC Advanced Settings Dialog Box

Use the PVC Advanced Settings dialog box to configure F5 Operation,
Administration, and Maintenance (OAM) functionality on an ATM PVC. OAM is
used to detect connectivity failures at the ATM layer.
For more information, see Defining OAM Management on ATM PVCs,
page 14-59.

Navigation Path

Go to the PVC Dialog Box, page K-59, then click Advanced.

Related Topics

• PVC Policy Page, page K-57

Field Reference

Table K-28 PVC Advanced Settings Dialog Box

Element          Description

OAM tab

Defines loopback, connectivity check, and AIS/RDI settings. See
PVC Advanced Settings Dialog Box—OAM Tab, page K-75.

OAM-PVC tab

Enables OAM loopbacks and connectivity checks on the PVC. See
PVC Advanced Settings Dialog Box—OAM-PVC Tab, page K-78.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.


PVC Advanced Settings Dialog Box—OAM Tab

Use the OAM tab of the PVC Advanced Settings dialog box to define:

• The number of loopback cell responses that move the PVC to the down or up
  state.
• The number of alarm indication signal/remote defect indication (AIS/RDI)
  cells that move the PVC to the down or up state.
• The number and frequency of segment/end continuity check (CC) activation
  and deactivation requests that are sent on this PVC.

For more information, see Defining OAM Management on ATM PVCs,
page 14-59.

Note
The settings defined in this tab are dependent on the settings defined in the
OAM-PVC tab. See PVC Advanced Settings Dialog Box—OAM-PVC Tab,
page K-78.

Navigation Path

Go to the PVC Advanced Settings Dialog Box, page K-74, then click the OAM
tab.

Related Topics

• PVC Dialog Box, page K-59

Field Reference

Table K-29 PVC Advanced Settings Dialog Box—OAM Tab

Element          Description

Retry settings

Enable OAM Retry

When selected, OAM management settings can be defined.
When deselected, OAM management settings cannot be defined.

Note
If Enable OAM Management is deselected in the
OAM-PVC tab, these settings are saved in the device
configuration but are not applied.


Down Count

The number of consecutive, unreceived, end-to-end loopback cell
responses that cause the PVC to move to the down state. The default
is 3.

Up Count

The number of consecutive end-to-end loopback cell responses that
must be received in order to move the PVC to the up state. The
default is 5.

Retry Frequency

The interval between loopback cell verification transmissions in
seconds. The default is 1 second.
If a PVC is up and a loopback cell response is not received within
the specified interval (as defined in the Frequency field of the
OAM-PVC tab), loopback cells are transmitted at the frequency
defined here to verify whether the PVC is down. If the number of
consecutive cells that do not receive a response matches the defined
down count, the PVC is moved to the down state.

AIS-RDI settings

Enable AIS-RDI Detection

When selected, alarm indication signal (AIS) cells and remote
defect indication (RDI) cells are used to report connectivity failures
at the ATM layer of the PVC.
When deselected, AIS/RDI cells are disabled.
AIS cells notify downstream devices of the connectivity failure. The
last ATM switch then generates RDI cells in the upstream direction
towards the device that sent the original failure notification.

Down Count

The number of consecutive AIS/RDI cells that cause the PVC to go
down. Valid values range from 1 to 60. The default is 1.

Up Count

The number of seconds after which a PVC is brought up if no
AIS/RDI cells are received. Valid values range from 3 to 60
seconds. The default is 3.

Segment Continuity Check settings


Enable Segment Continuity Check

When selected, OAM F5 continuity check (CC) activation and
deactivation requests are sent to a device at the other end of a
segment.
When deselected, segment CC activation and deactivation requests
are disabled.

Note
If Configure Continuity Check is deselected in the
OAM-PVC tab, these settings are saved in the device
configuration but are not applied.

Activation Count

The maximum number of times that the activation request is sent
before the receipt of an acknowledgement. Valid values range from
3 to 600. The default is 3.

Deactivation Count

The maximum number of times that the deactivation request is sent
before the receipt of an acknowledgement. Valid values range from
3 to 600. The default is 3.

Retry Frequency

The interval between activation/deactivation retries, in seconds. The
default is 30 seconds.

End-to-End Continuity Check settings

Enable End-to-End Continuity Check

When selected, OAM F5 continuity check (CC) activation and
deactivation requests are sent to a device at the other end of the
PVC.
When deselected, segment CC activation and deactivation requests
are disabled.

Note
If Configure Continuity Check is deselected in the
OAM-PVC tab, these settings are saved in the device
configuration but are not applied.

Activation Count

The maximum number of times that the activation request is sent
before the receipt of an acknowledgement. Valid values range from
3 to 600. The default is 3.

Deactivation Count

The maximum number of times that the deactivation request is sent
before the receipt of an acknowledgement. Valid values range from
3 to 600. The default is 3.


Retry Frequency

The interval between activation/deactivation retries, in seconds. The
default is 30 seconds.

PVC Advanced Settings Dialog Box—OAM-PVC Tab

Use the OAM-PVC tab of the PVC Advanced Settings dialog box to enable
loopback cells and connectivity checks (CCs) on the PVC. These functions test
the connectivity of the virtual connection.
For more information, see Defining OAM Management on ATM PVCs,
page 14-59.

Note
Use the OAM tab to define additional settings related to the settings on this tab.
See PVC Advanced Settings Dialog Box—OAM Tab, page K-75.

Navigation Path

Go to the PVC Advanced Settings Dialog Box, page K-74, then click the
OAM-PVC tab.

Related Topics

• PVC Dialog Box, page K-59

Field Reference

Table K-30 PVC Advanced Settings Dialog Box—OAM-PVC Tab

Element          Description

OAM settings

Enable OAM Management

When selected, OAM loopback cell generation and OAM
management are enabled on the PVC.
When deselected, OAM loopback cells and OAM management are
disabled. However, continuity checks can still be performed.

Frequency

The interval between loopback cell transmissions. Valid values
range from 0 to 600 seconds.

Segment Continuity Check settings

Segment Continuity Check

The current configuration of OAM F5 continuity checks performed
on PVC segments:

• None—Segment continuity checks (CC) are disabled.
• Deny Activation Requests—The PVC rejects activation
  requests from peer devices, which prevents OAM F5 CC
  management from being activated on the PVC.
• Configure Continuity Check—Segment CCs are enabled on the
  PVC. The router on which CC management is configured sends
  a CC activation request to the router at the other end of the
  segment, directing it to act as either a source or a sink.

Segment CCs occur on a PVC segment between the router and a
first-hop ATM switch.

Direction

Applies only when CC management is enabled.
The direction in which CC cells are transmitted:

• both—CC cells are transmitted in both directions.
• sink—CC cells are transmitted toward the router that initiated
  the CC activation request.
• source—CC cells are transmitted away from the router that
  initiated the CC activation request.

Keep VC up after segment failure

When selected, the PVC is kept in the up state when CC cells detect
connectivity failure.
When deselected, the PVC is brought down when CC cells detect
connectivity failure.

Keep VC up after end-to-end failure

When selected, specifies that if AIS/RDI cells are received, the PVC
is not brought down because of end CC failure or loopback failure.
When deselected, the PVC is brought down because of end CC
failure or loopback failure.

End-to-End Continuity Check settings


End-to-End Continuity Check

The current configuration of OAM F5 end-to-end continuity checks
on the PVC:

• None—End-to-end continuity checks (CC) are disabled.
• Deny Activation Requests—The PVC rejects activation
  requests from peer devices, which prevents OAM F5 CC
  management from being activated on the PVC.
• Configure Continuity Check—End-to-end CCs are enabled on
  the PVC. The router on which CC management is configured
  sends a CC activation request to the router at the other end of
  the connection, directing it to act as either a source or a sink.

End-to-end CC monitoring is performed on the entire PVC between
two ATM end stations.

Direction

Applies only when CC management is enabled.
The direction in which CC cells are transmitted:

• both—CC cells are transmitted in both directions.
• sink—CC cells are transmitted toward the router that initiated
  the CC activation request.
• source—CC cells are transmitted away from the router that
  initiated the CC activation request.

Keep VC up after end-to-end failure

When selected, the PVC is kept in the up state when CC cells detect
connectivity failure.
When deselected, the PVC is brought down when CC cells detect
connectivity failure.

Keep VC up after segment failure

When selected, specifies that if AIS/RDI cells are received, the PVC
is not brought down because of a segment CC failure.
When deselected, the PVC is brought down because of a segment
CC failure.
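The OAM tab and OAM-PVC tab descriptions above define how loopback cell responses, AIS/RDI cells and continuity check (CC) failures move a PVC between the up and down states, and which settings are stored but not applied when OAM management is off. The Python model below is an added example, not Security Manager or Cisco IOS code, that replays those rules over a stream of events so that the interplay of Down Count, Up Count, the AIS/RDI up timer, the Enable OAM Management dependency and the Keep VC up flags can be checked before a configuration is deployed. The event method names, the validate() checks and the treatment of time as whole seconds are this example's own simplifications; the Frequency and Retry Frequency timers are not simulated, only the verification cycles they produce, and a CC failure is treated as a single event rather than as the outcome of a CC cell exchange.

```python
"""Model of how OAM tab / OAM-PVC tab settings drive a PVC's up/down
state. Added example; not Security Manager or IOS code. Event names
and the time model are this example's own simplifications."""
from dataclasses import dataclass
from typing import List


@dataclass
class OamSettings:
    # OAM-PVC tab
    oam_management: bool = True         # Enable OAM Management (loopback cells)
    keep_up_after_segment_failure: bool = False
    keep_up_after_end_to_end_failure: bool = False
    # OAM tab: Retry settings (loopback cell responses)
    loopback_down_count: int = 3        # default 3
    loopback_up_count: int = 5          # default 5
    # OAM tab: AIS-RDI settings
    ais_rdi_detection: bool = True
    ais_rdi_down_count: int = 1         # 1-60, default 1
    ais_rdi_up_seconds: int = 3         # 3-60, default 3
    # OAM tab: CC activation/deactivation retries
    cc_activation_count: int = 3        # 3-600, default 3
    cc_deactivation_count: int = 3      # 3-600, default 3

    def validate(self) -> None:
        """Raise ValueError for values outside the ranges the dialog accepts."""
        if not 1 <= self.ais_rdi_down_count <= 60:
            raise ValueError("AIS-RDI Down Count must be 1-60")
        if not 3 <= self.ais_rdi_up_seconds <= 60:
            raise ValueError("AIS-RDI Up Count must be 3-60 seconds")
        for name in ("cc_activation_count", "cc_deactivation_count"):
            if not 3 <= getattr(self, name) <= 600:
                raise ValueError(f"{name} must be 3-600")


class PvcOamMonitor:
    """Tracks one PVC's state from loopback, AIS/RDI and CC events."""

    def __init__(self, settings: OamSettings) -> None:
        settings.validate()
        self.s = settings
        self.state = "up"
        self.missed = 0          # consecutive loopback responses not received
        self.received = 0        # consecutive loopback responses received
        self.ais_rdi = 0         # consecutive AIS/RDI cells seen
        self.quiet_seconds = 0   # seconds since the last AIS/RDI cell
        self.log: List[str] = []  # state transitions with their reasons

    def _set(self, state: str, reason: str) -> None:
        if state != self.state:
            self.state = state
            self.log.append(f"{state}: {reason}")

    def loopback(self, response_received: bool) -> str:
        """One loopback verification cycle. With OAM management deselected
        the retry settings are stored but not applied, so nothing changes."""
        if not self.s.oam_management:
            return self.state
        if response_received:
            self.received += 1
            self.missed = 0
            if self.state == "down" and self.received >= self.s.loopback_up_count:
                self._set("up", f"{self.received} consecutive loopback responses")
        else:
            self.missed += 1
            self.received = 0
            if self.state == "up" and self.missed >= self.s.loopback_down_count:
                self._set("down", f"{self.missed} consecutive loopback responses missed")
        return self.state

    def ais_rdi_cell(self) -> str:
        """An AIS or RDI cell reported a connectivity failure at the ATM layer."""
        if not self.s.ais_rdi_detection:
            return self.state
        self.ais_rdi += 1
        self.quiet_seconds = 0
        if self.state == "up" and self.ais_rdi >= self.s.ais_rdi_down_count:
            self._set("down", f"{self.ais_rdi} consecutive AIS/RDI cells")
        return self.state

    def seconds_without_ais_rdi(self, seconds: int) -> str:
        """Time passes with no AIS/RDI cell; after Up Count seconds the PVC comes up."""
        if not self.s.ais_rdi_detection:
            return self.state
        self.quiet_seconds += seconds
        self.ais_rdi = 0
        if self.state == "down" and self.quiet_seconds >= self.s.ais_rdi_up_seconds:
            self._set("up", f"{self.quiet_seconds}s without AIS/RDI cells")
        return self.state

    def cc_failure(self, scope: str) -> str:
        """CC cells detected a failure on a 'segment' or 'end-to-end' check;
        the matching Keep VC up flag decides whether the PVC is brought down."""
        keep = (self.s.keep_up_after_segment_failure if scope == "segment"
                else self.s.keep_up_after_end_to_end_failure)
        if not keep:
            self._set("down", f"{scope} continuity check failure")
        return self.state
```

Feeding a monitor the defaults and three missed loopback responses shows the PVC going down on the third miss and needing five consecutive responses to come back; the same sequence with oam_management=False leaves it up, which is the stored-but-not-applied behaviour the OAM tab note describes.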


PPP/MLP Policy Page

Use the PPP/MLP page to create, edit, and delete PPP connections on the router.
For more information, see Defining PPP Connections, page 14-63.

Navigation Path

• (Device view) Select Interfaces > Settings > PPP/MLP from the Policy
  selector.
• (Policy view) Select Router Interfaces > Settings > PPP/MLP from the
  Policy Type selector. Right-click PPP/MLP to create a policy, or select an
  existing policy from the Shared Policies selector.

Related Topics

• PPP on Cisco IOS Routers, page 14-61
• Router Platform User Interface Reference, page K-1

Field Reference

Table K-31 PPP/MLP Page

Element          Description

Filter

Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

Interface

The interface that is configured for PPP/MLP.

Authentication

The types of authentication used on the PPP connection.

Authorization

The method list used for AAA authorization on the PPP connection.

Multilink

Indicates whether Multilink PPP (MLP) is enabled on this PPP
connection.

Endpoint

The type of default endpoint discriminator to use when negotiating
the use of MLP with the peer.

Multiclass

Indicates whether the Multiclass Multilink PPP (MCMP) feature is
enabled on this PPP connection.

Group

The number of the multilink-group interface to which the physical
link is restricted.


Interleave

Indicates whether the PPP multilink interleave feature is enabled on
this PPP connection.

Add button

Opens the PPP Dialog Box, page K-82. From here you can define
the authentication and multilink settings for the PPP connection.

Edit button

Opens the PPP Dialog Box, page K-82. From here you can edit the
selected PPP connection.

Delete button

Deletes the selected PPP connection from the table.

Save button

Saves your changes to the Security Manager server but keeps them
private.

Note
To publish your changes, click the Submit button on the
toolbar.

Tip
To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

PPP Dialog Box

Use the PPP dialog box to configure PPP connections on the router. When you
configure a PPP connection, you can define the type of authentication and
authorization to perform and define multilink parameters.

Navigation Path

Go to the PPP/MLP Policy Page, page K-81, then click the Add or Edit button
beneath the table.

Related Topics

• Defining PPP Connections, page 14-63


Field Reference

Table K-32 PPP Dialog Box

Element          Description

Interface

The interface on which PPP encapsulation is enabled. Enter the
name of an interface or interface role, or click Select to display an
object selector.
The following interface types support PPP:

• Async
• Group-Async
• Serial
• High-Speed Serial Interface (HSSI)
• Dialer
• BRI, PRI (ISDN)
• Virtual template
• Multilink

If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.
You cannot define PPP on:

• Subinterfaces.
• Serial interfaces with Frame Relay encapsulation.
• Virtual template interfaces defined as Ethernet or tunnel types
  (serial is supported).

Note
You can define only one PPP connection per interface.

Note
Deployment might fail if you define PPP on a virtual
template that is also used in an 802.1x policy. See 802.1x
Policy Page, page K-192.

PPP tab

Defines the type of authentication and authorization to perform on
the PPP connection. See PPP Dialog Box—PPP Tab, page K-84.


MLP tab

Defines how to split and recombine sequential datagrams across
multiple logical data links using Multilink PPP (MLP). See PPP
Dialog Box—MLP Tab, page K-88.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

PPP Dialog Box—PPP Tab

Use the PPP tab of the PPP dialog box to define the types of authentication and
authorization to perform on the PPP connection.

Navigation Path

Go to the PPP Dialog Box, page K-82, then click the PPP tab.

Related Topics

• PPP Dialog Box—MLP Tab, page K-88

Field Reference

Table K-33 PPP Dialog Box—PPP Tab

Element          Description

Authentication settings

PPP Encapsulation

When selected, indicates that PPP encapsulation is enabled for the
selected interface. This field is read-only.


Protocol

The authentication protocols to use:

• CHAP—Challenge-Handshake Authentication Protocol.
• PAP—Password Authentication Protocol.
• MS-CHAP—Version 1 of the Microsoft version of CHAP
  (RFC 2433).
• MS-CHAP-2—Version 2 of the Microsoft version of CHAP
  (RFC 2759).
• EAP—Extensible Authentication Protocol.

You may select one or more authentication protocols, as required.

Options

The authentication options to use:

• Call In—When selected, authentication is performed on
  incoming calls.
• Call Out—When selected, authentication is performed on
  outgoing calls.
• Call Back—When selected, authentication is performed on
  callback.
• One Time—When selected, one-time passwords are used for
  authentication. One-time passwords are considered highly
  secure since each one is used only once. When deselected,
  one-time passwords are not used.

  Note
  AAA authentication must be enabled in order to use
  one-time passwords. See AAA Policy Page, page K-91.
  One-time passwords cannot be used with CHAP.

• Optional—When selected, allows a mobile station in a Packet
  Data Serving Node (PDSN) configuration to receive Simple IP
  and Mobile IP services without using CHAP or PAP.
  When deselected, mobile stations must use CHAP or PAP to
  receive Simple IP and Mobile IP services.


  Authenticate Using
      AAA authentication settings for the PPP connection:
        - PPP Default List: Defines a default list of methods to be queried
          when authenticating a user for PPP. Enter the names of one or more
          AAA server group objects (up to four) in the Prioritized Method
          List field, or click Select to display an object selector. Use the
          up and down arrows in the object selector to define the order in
          which the selected server groups should be used.
          The device tries initially to authenticate users using the first
          method in the list. If that method fails to respond, the device
          tries the next method, and so on, until a response is received.
          Tip: After you create the default list for one PPP connection, you
          can use it for other PPP connections on this device.
          If the AAA server group you want is not listed, click the Create
          button in the selector to display the AAA Server Group Dialog Box,
          page F-14. From here you can define a AAA server group object.
        - Prioritized Method List: Defines a sequential list of methods to be
          queried when authenticating a user for this PPP connection only.
          Note: Leave this field blank to perform authentication using the
          local database on the router.

PAP Authentication settings

  Username
      The username to send in PAP authentication requests. The username
      is case sensitive.

  Password
      The password to send in PAP authentication requests. Enter the
      password again in the Confirm field. The password can contain 1 to
      25 uppercase or lowercase alphanumeric characters. The password
      is case sensitive.
      The username and password are sent if the peer requests the router
      to authenticate itself using PAP. PAP carries them in clear text, so
      anyone who can see the link traffic can read them.


  Encrypted Password
      When selected, this indicates that the password you entered is
      already encrypted (the IOS type 7 form, which is reversible
      obfuscation rather than strong encryption).
      When deselected, this indicates that the password you entered is in
      clear text.

CHAP Authentication settings

  Hostname
      By default, the router uses its hostname to identify itself to the peer.
      If required, you can enter a different hostname to use for all CHAP
      challenges and responses. For example, use this field to specify a
      common alias for all routers in a rotary group.

  Secret
      The secret used to compute the response value for any CHAP
      challenge from an unknown peer. Enter the secret again in the
      Confirm field.

  Encrypted Secret
      When selected, this indicates that the secret you entered is
      already encrypted. When deselected, this indicates that the
      secret you entered is in clear text.

Authorization settings


  Authorize Using
      AAA authorization settings for the PPP connection:
        - AAA Policy Default List: Uses the default authorization method
          list that is defined in the device's AAA policy. See AAA Policy
          Page, page K-91.
        - Prioritized Method List: Defines a sequential list of methods to
          be queried when authorizing a user. Enter the names of one or
          more AAA server group objects (up to four), or click Select to
          display an object selector. Use the up and down arrows in the
          object selector to define the order in which the selected server
          groups should be used.
          The device tries initially to authorize users using the first
          method in the list. If that method fails to respond, the device
          tries the next method, and so on, until a response is received.
          If the AAA server group you want is not listed, click the Create
          button in the selector to display the AAA Server Group Dialog
          Box, page F-14. From here you can define a AAA server group
          object.
          Note: Leave this field blank to perform authorization using the
          local database on the router.
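The CHAP and PAP exchanges behind the Protocol, Hostname, and Secret fields above, as an added example that is not part of this guide or of Security Manager's generated configuration. It follows the RFC 1994 response formula (MD5 over identifier, secret, and challenge) and the RFC 1334 PAP Authenticate-Request layout; the Authenticator and Peer classes, the peer name, and the secrets are constructed for illustration. It also shows why the One Time option cannot be combined with CHAP: the authenticator must hold the clear-text secret to recompute the response.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: Response Value = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues CHAP challenges (the router, for Call In).
    It keeps each peer's secret in clear text so it can recompute the hash,
    which is why a one-time password scheme cannot back CHAP."""

    def __init__(self, peer_secrets: dict[bytes, bytes]):
        self.peer_secrets = peer_secrets          # peer name -> clear-text secret
        self.identifier = 0
        self.outstanding: bytes | None = None     # challenge awaiting a response

    def challenge(self) -> tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = os.urandom(16)         # fresh value defeats replay
        return self.identifier, self.outstanding

    def verify(self, identifier: int, name: bytes, value: bytes) -> bool:
        secret = self.peer_secrets.get(name)
        if secret is None or identifier != self.identifier or self.outstanding is None:
            return False
        expected = chap_response(identifier, secret, self.outstanding)
        self.outstanding = None                   # a challenge is usable once
        return hmac.compare_digest(expected, value)


class Peer:
    """The side being authenticated. 'name' is what the CHAP Hostname field
    sets; routers in a rotary group can share one name and one secret."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[int, bytes, bytes]:
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_chap(auth: Authenticator, peer: Peer) -> bool:
    """One complete challenge/response round trip."""
    identifier, challenge = auth.challenge()
    return auth.verify(*peer.respond(identifier, challenge))


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request (Code 1). The password travels
    verbatim, which is why PAP is the weakest entry on the Protocol list."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + body


if __name__ == "__main__":
    # Constructed peer name and secret; on a real router they come from the
    # CHAP Hostname and Secret fields and the peer's matching configuration.
    router = Authenticator({b"branch-rtr": b"s3cret-shared-out-of-band"})
    print("good peer:", run_chap(router, Peer(b"branch-rtr", b"s3cret-shared-out-of-band")))
    print("wrong secret:", run_chap(router, Peer(b"branch-rtr", b"guess")))
    print("PAP leaks password:", b"cisco" in pap_authenticate_request(1, b"branch-rtr", b"cisco"))
```

The `verify` step discards the challenge after one use and compares hashes in constant time; a captured response is useless against the next challenge, which is the property PAP lacks.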

PPP Dialog Box - MLP Tab

Use the MLP tab of the PPP dialog box to define Multilink PPP (MLP) parameters
for the selected PPP connection.

Navigation Path
  Go to the PPP Dialog Box, page K-82, then click the MLP tab.

Related Topics
  PPP Dialog Box - PPP Tab, page K-84


Field Reference
Table K-34  PPP Dialog Box - MLP Tab

  Enable Multilink PPP (MLP)
      When selected, MLP is enabled on this PPP connection.
      When deselected, MLP is disabled.

  Allow Multiple Data Classes
      When selected, enables multiple data classes on the MLP bundle.
      Delay-sensitive traffic is placed into Class 1, where it can be
      interleaved but never fragmented. Normal data traffic is placed into
      Class 0, which is subject to fragmentation just as regular multilink
      packets are.
      When deselected, all traffic is subject to fragmentation.

  Enable Interleaving of Packets Among Fragments of Larger Packets
      When selected, enables the interleaving of packets among the
      fragments of larger packets on the MLP bundle.
      Note: If you enable interleaving without defining a fragment
      delay, the default delay of 30 milliseconds is configured. This
      value does not appear in Security Manager or in the device
      configuration.
      When deselected, interleaving is disabled.
      Note: Serial interfaces do not support interleaving.

  Multilink Group
      Applies only to serial, Group-Async, and multilink interfaces.
      Restricts the physical link to the selected multilink-group interface.
      Enter the name of a multilink interface or interface role, or click
      Select to display an object selector.
      If the interface role you want is not listed, click the Create button
      in the selector to display the Interface Role Dialog Box, page F-419.
      From here you can create an interface role object.
      This option is typically used in static leased-line environments,
      where the remote systems to which the device's serial lines are
      connected are known in advance.
      In effect, this option dedicates a specific interface to a particular
      user, even when that user is not connected. If a peer at the other end
      of the link tries to join a different bundle, the connection is severed.


  Maximum Fragment Delay
      The maximum amount of time that should be required to transmit a
      fragment on the MLP bundle. Valid values range from 1 to 1000
      milliseconds.
      Fragment size is determined by the defined fragment delay and the
      bandwidth of the links (link bandwidth in bits per second multiplied
      by the delay, divided by 8 to give bytes).
      Note: Serial interfaces do not support this feature.

  Endpoint Type
      The identifier used by the router when transmitting packets on the
      MLP bundle:
        - [null]: Negotiation is conducted without using an endpoint
          discriminator. (No CLI command is generated.)
        - Hostname: The hostname of the router. This option is useful
          when multiple routers are using the same username to
          authenticate but have different hostnames.
        - IP: A defined IP address. Enter an address or the name of a
          network/host object, or click Select to display an object
          selector.
        - MAC: The MAC address of a specific interface. Enter the
          name of an interface or interface role, or click Select to display
          an object selector.
        - None: Negotiation is conducted without using an endpoint
          discriminator. (The relevant CLI command is generated, but no
          endpoint discriminator is provided.) This option is useful when
          the router is connected to a malfunctioning peer that does not
          handle the endpoint discriminator properly.
        - Phone: An E.164-compliant telephone number. Enter the
          number in the field displayed.
        - String: A character string. Enter the string in the field
          displayed.
      The default endpoint discriminator is either the globally configured
      hostname, or the PAP username or CHAP hostname (depending on
      the authentication protocol being used), if you have configured
      those values on the PPP tab.


  MRRU Local Peer
      The maximum receive reconstructed unit (MRRU) value of the local
      peer. This value represents the maximum size packet that the local
      router is capable of receiving.
      Valid values range from 128 to 16384 bytes. The default is the
      maximum transmission unit (MTU) of the multilink group interface
      and 1524 bytes for all other interfaces.

  MRRU Remote Peer
      The maximum receive reconstructed unit (MRRU) value of the
      remote peer. This value represents the maximum size packet that the
      remote peer is capable of receiving.
      Valid values range from 128 to 16384 bytes. The default is 1524
      bytes.

  Maximum FIFO Queue Size
      The maximum queue depth when the bundle uses first-in, first-out
      (FIFO) queuing. Valid values range from 2 to 255 packets. The
      default is 8.

  Maximum QoS Queue Size
      The maximum queue depth when the bundle uses non-FIFO
      queuing. Valid values range from 2 to 255 packets. The default is 2.

AAA Policy Page

Use the AAA page to define the default authentication, authorization, and
accounting methods to use on the router. You do this by configuring method lists,
which define which methods to use and the sequence in which to use them.

Note: You can use the method lists defined in this policy as default settings when
you configure AAA on the router's console port and VTY lines. See Console Policy
Page, page K-125 and VTY Policy Page, page K-137.

Navigation Path
  - (Device view) Select Platform > Device Admin > AAA from the Policy
    selector.
  - (Policy view) Select Router Platform > Device Admin > AAA from the
    Policy Type selector. Right-click AAA to create a policy, or select an
    existing policy from the Shared Policy selector.

Related Topics
  AAA on Cisco IOS Routers, page 14-68
  Understanding AAA Server Objects, page 8-23
  Understanding AAA Server Group Objects, page 8-16
  Console Policy Page, page K-125
  VTY Policy Page, page K-137
  Router Platform User Interface Reference, page K-1

Field Reference
Table K-35  AAA Page

  Authentication tab
      Defines the login authentication methods to use and the sequence in
      which to use them. See AAA Page - Authentication Tab, page K-93.

  Authorization tab
      Defines the types of network, EXEC, and command authorization to
      perform and the methods to use for each type. See AAA Page -
      Authorization Tab, page K-94.

  Accounting tab
      Defines the types of connection, EXEC, and command accounting to
      perform and the methods to use for each type. See AAA Page -
      Accounting Tab, page K-98.

  Save button
      Saves your changes to the Security Manager server but keeps them
      private.
      Note: To publish your changes, click the Submit icon on the toolbar.


AAA Page - Authentication Tab

Use the Authentication tab of the AAA page to define the methods used to
authenticate users who access the device. Authentication methods are defined in
a method list, which defines the security protocols to use, such as RADIUS and
TACACS+.

Note: You can use the method list defined in this policy on the console and VTY
lines that are used to communicate with the device. See Console Policy Page,
page K-125 and VTY Line Dialog Box - Authentication Tab, page K-145.

Navigation Path
  Go to the AAA Policy Page, page K-91, then click the Authentication tab.

Related Topics
  Defining AAA Services, page 14-72
  Understanding Method Lists, page 14-71
  AAA Server Group Dialog Box, page F-14
  Predefined AAA Authentication Server Groups, page 8-17

Field Reference
Table K-36  AAA Page - Authentication Tab

  Enable Device Login Authentication
      When selected, enables the authentication of all users when they log
      in to the device, using the methods defined in the method list.
      When deselected, authentication is not performed.


  Prioritized Method List
      Defines a sequential list of methods to be queried when
      authenticating a user. Enter the names of one or more AAA server
      group objects (up to four), or click Select to display an object
      selector. Use the up and down arrows in the object selector to define
      the order in which the selected server groups should be used.
      The device tries initially to authenticate users using the first method
      in the list. If that method fails to respond, the device tries the next
      method, and so on, until a response is received. Only a method that
      returns an error (for example, an unreachable server) causes the
      device to move on; an explicit reject from a method is final and the
      remaining methods are not consulted.
      Supported methods include Line, Local, Kerberos, RADIUS,
      TACACS+, and None.
      Note: If you select None as a method, it must appear as the last
      method in the list. None succeeds unconditionally, so it grants access
      whenever every method before it fails to respond; use it only where
      that fallback is acceptable.

  Maximum Number of Attempts
      The maximum number of unsuccessful authentication attempts
      before a user is locked out. This feature is disabled by default. Valid
      values range from 1 to 65535.
      Note: From the standpoint of the user, there is no distinction
      between a normal authentication failure and an authentication
      failure due to being locked out. The system administrator has to
      explicitly clear the status of a locked-out user using clear commands.
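The method-list walk described in Table K-36 (and used the same way by the PPP and authorization lists), as an added example that is not part of this guide or of the IOS implementation. It models the rule that a method which fails to respond is skipped, that a reject is final, and that None always passes; the server names and the per-attempt outcomes are constructed for illustration.

```python
from __future__ import annotations

from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # the method verified the credentials
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server unreachable, timeout)


# Constructed responses standing in for what each method would return on one
# login attempt. Any method not listed behaves as ERROR (no response).
SERVERS_DOWN = {"local": Outcome.PASS}
SERVER_REJECTS = {"group tacacs+": Outcome.FAIL, "local": Outcome.PASS}


def validate_method_list(methods: list[str]) -> None:
    """Mirror the constraints stated in the guide: one to four entries,
    and 'none' only as the last method."""
    if not methods or len(methods) > 4:
        raise ValueError("a method list holds one to four methods")
    if "none" in methods[:-1]:
        raise ValueError("'none' must be the last method in the list")


def evaluate(methods: list[str], responses: dict[str, Outcome]) -> tuple[Outcome, list[str]]:
    """Walk the list left to right and return the final outcome plus the
    methods actually consulted. Only ERROR moves on to the next method;
    PASS and FAIL are final, and 'none' passes unconditionally."""
    validate_method_list(methods)
    consulted: list[str] = []
    for method in methods:
        consulted.append(method)
        if method == "none":
            return Outcome.PASS, consulted
        result = responses.get(method, Outcome.ERROR)
        if result is Outcome.ERROR:
            continue
        return result, consulted
    return Outcome.ERROR, consulted  # every method errored: the login is refused


if __name__ == "__main__":
    print(evaluate(["group tacacs+", "local"], SERVERS_DOWN))    # falls back to local
    print(evaluate(["group tacacs+", "local"], SERVER_REJECTS))  # reject is final
    print(evaluate(["group tacacs+", "none"], SERVERS_DOWN))     # open door while TACACS+ is down
    print(evaluate(["group tacacs+"], SERVERS_DOWN))             # no fallback at all
```

The third case is the one to watch for in a review: with `none` as the fallback, an outage of the AAA servers turns into unauthenticated access, whereas `local` as the fallback still requires a credential the router can check.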

AAA Page - Authorization Tab

Use the Authorization tab of the AAA page to define the type of authorization
services to enable on the device and the methods to use for each type. Security
Manager supports the following types of authorization:
  - Network: Authorizes various types of network connections, such as PPP.
  - EXEC: Authorizes the launching of EXEC sessions.
  - Command: Authorizes the use of all EXEC mode commands that are
    associated with specific privilege levels.


Note: You can use the method lists defined in this policy on the console and VTY
lines that are used to communicate with the device. See Console Policy Page,
page K-125 and VTY Line Dialog Box - Authentication Tab, page K-145.

Navigation Path
  Go to the AAA Policy Page, page K-91, then click the Authorization tab.

Related Topics
  Defining AAA Services, page 14-72
  Supported Authorization Types, page 14-69
  Understanding Method Lists, page 14-71
  AAA Server Group Dialog Box, page F-14

Field Reference
Table K-37  AAA Page - Authorization Tab

Network Authorization settings

  Enable Network Authorization
      When selected, enables the authorization of network connections,
      such as PPP, SLIP, or ARAP connections, using the methods defined
      in the method list.
      When deselected, network authorization is not performed.


  Prioritized Method List
      Defines a sequential list of methods to be queried when authorizing
      a user. Enter the names of one or more AAA server group objects
      (up to four), or click Select to display an object selector. Use the up
      and down arrows in the object selector to define the order in which
      the selected server groups should be used.
      The device tries initially to authorize users using the first method in
      the list. If that method fails to respond, the device tries the next
      method, and so on, until a response is received.
      Supported methods include RADIUS, TACACS+, Local, and None.
      Note: RADIUS uses the same server for authentication and
      authorization, because its authorization attributes arrive in the same
      Access-Accept that authenticates the user. Therefore, if you define a
      RADIUS method list for authentication, you must define the same
      method list for authorization.
      Note: If you select None as a method, it must appear as the last
      method in the list.

EXEC Authorization settings

  Enable CLI/EXEC Operations Authorization
      When selected, this type of authorization determines whether the
      user is permitted to open an EXEC (CLI) session, using the methods
      defined in the method list.
      When deselected, EXEC authorization is not performed.

  Prioritized Method List
      See description above.

Command Authorization settings

  Filter
      Enables you to filter the information displayed in the table. For
      more information, see Filtering Tables, page 3-24.

  Privilege Level
      The privilege level to which the command authorization definition
      applies.

  Prioritized Method List
      The method list to use when authorizing users with this privilege
      level.

  Add button
      Opens the Command Authorization Dialog Box, page K-97. From
      here you can configure a command authorization definition.


  Edit button
      Opens the Command Authorization Dialog Box, page K-97. From
      here you can edit the command authorization definition.

  Delete button
      Deletes the selected command authorization definitions from the
      table.

Command Authorization Dialog Box

Use the Command Authorization dialog box to define which methods to use when
authorizing the EXEC commands that are associated with a given privilege level.
This enables you to authorize all commands associated with a specific privilege
level, from 0 to 15.

Navigation Path
  From the AAA Page - Authorization Tab, page K-94, click the Add button
  beneath the Command Authorization table.

Related Topics
  Defining AAA Services, page 14-72
  Supported Authorization Types, page 14-69
  Understanding Method Lists, page 14-71

Field Reference
Table K-38  Command Authorization Dialog Box

  Privilege Level
      The privilege level for which you want to define a command
      authorization list. Valid values range from 0 to 15.


  Prioritized Method List
      Defines a sequential list of methods to be used when authorizing a
      user. Enter the names of one or more AAA server group objects (up
      to four), or click Select to display an object selector. Use the up and
      down arrows in the object selector to define the order in which the
      selected server groups should be used.
      The device tries initially to authorize users using the first method in
      the list. If that method fails to respond, the device tries the next
      method, and so on, until a response is received.
      If the AAA server group you want is not listed, click the Create
      button in the selector to display the AAA Server Group Dialog Box,
      page F-14. From here you can define a AAA server group object.
      Supported methods include TACACS+, Local, and None.
      Note: If you select None as a method, it must appear as the last
      method in the list.

  OK button
      Saves your changes locally on the client and closes the dialog box.
      Note: To save your changes to the Security Manager server so that
      they are not lost when you log out or close your client, click
      Save on the source page.

AAA Page - Accounting Tab

Use the Accounting tab of the AAA page to define the type of accounting services
to enable on the device and the methods to use for each type. Security Manager
supports the following types of accounting:
  - Connection: Records information about all outbound connections made
    from this device.
  - EXEC: Records information about user EXEC sessions on the device,
    including the username, date, start and stop times, and the IP address.
  - Command: Records information about the EXEC commands executed on
    the device by users with specific privilege levels.


In addition, you use the Accounting page to determine when accounting records
should be generated and whether they should be broadcast to more than one AAA
server.

Note: You can use the method lists defined in this policy on the console and VTY
lines that are used to communicate with the device. See Console Policy Page,
page K-125 and VTY Line Dialog Box - Authentication Tab, page K-145.

Navigation Path
  Go to the AAA Policy Page, page K-91, then click the Accounting tab.

Related Topics
  Defining AAA Services, page 14-72
  Supported Accounting Types, page 14-70
  Understanding Method Lists, page 14-71
  AAA Server Group Dialog Box, page F-14

Field Reference
Table K-39  AAA Page - Accounting Tab

Connection Accounting settings

  Enable Connection Accounting
      When selected, enables the recording of information about
      outbound connections (such as Telnet) made over this device, using
      the methods defined in the method list.
      When deselected, connection accounting is not performed.


  Generate Accounting Records for
      Defines when the device sends an accounting notice to the
      accounting server:
        - Start and Stop: Generates accounting records at the beginning
          and the end of the user process. The user process begins
          regardless of whether the accounting server receives the start
          accounting record.
        - Stop Only: Generates an accounting record at the end of the
          user process only. No record exists until the session ends, so a
          session that is still open, or that ends without a clean stop,
          leaves no trace on the accounting server.
        - None: Disables this type of accounting.

  Prioritized Method List
      Defines a sequential list of methods to be queried when creating
      connection accounting records for a user. Enter the names of one or
      more AAA server group objects (up to four), or click Select to
      display an object selector. Use the up and down arrows in the object
      selector to define the order in which the selected server groups
      should be used.
      Supported methods include RADIUS and TACACS+.

  Enable Broadcast to Multiple Servers
      When selected, enables the sending of accounting records to
      multiple AAA servers. Accounting records are sent simultaneously
      to the first server in each AAA server group defined in the method
      list. If the first server is unavailable, failover occurs using the
      backup servers defined within that group.
      When deselected, accounting records are sent only to the first server
      in the first AAA server group defined in the method list.

EXEC Accounting settings

  Enable CLI/EXEC Operations Accounting
      When selected, enables the recording of basic information about
      user EXEC sessions, using the methods defined in the method list.
      When deselected, EXEC accounting is not performed.

  Generate Accounting Records for
      See description above.

  Prioritized Method List
      See description above.

  Enable Broadcast to Multiple Servers
      See description above.


Command Accounting settings

  Filter
      Enables you to filter the information displayed in the table. For
      more information, see Filtering Tables, page 3-24.

  Privilege Level
      The privilege level to which the command accounting definition
      applies.

  Generate Accounting Records for
      The points in the process where the device sends an accounting
      notice to the accounting server.

  Enable Broadcast
      Whether accounting records are broadcast to multiple servers
      simultaneously.

  Prioritized Method List
      The method list to use when recording the commands executed at
      this privilege level.

  Add button
      Opens the Command Accounting Dialog Box, page K-101. From
      here you can configure a command accounting definition.

  Edit button
      Opens the Command Accounting Dialog Box, page K-101. From
      here you can edit the command accounting definition.

  Delete button
      Deletes the selected command accounting definitions from the
      table.

Command Accounting Dialog Box

Use the Command Accounting dialog box to define which methods to use when
recording information about the EXEC commands that are executed for a given
privilege level. Each accounting record includes a list of the commands executed
for that privilege level, as well as the date and time each command was executed,
and the name of the user who executed it.

Navigation Path
  From the AAA Page - Accounting Tab, page K-98, click the Add button beneath
  the Command Accounting table.


Related Topics
  Defining AAA Services, page 14-72
  Supported Accounting Types, page 14-70
  Understanding Method Lists, page 14-71

Field Reference
Table K-40  Command Accounting Dialog Box

  Privilege Level
      The privilege level for which you want to define a command
      accounting list. Valid values range from 0 to 15.

  Generate Accounting Records for
      Defines when the device sends an accounting notice to the
      accounting server:
        - Start and Stop: Generates accounting records at the beginning
          and the end of the user process. The user process begins
          regardless of whether the accounting server receives the start
          accounting record.
        - Stop Only: Generates an accounting record at the end of the
          user process only.
        - None: No accounting records are generated.


  Prioritized Method List
      Defines a sequential list of methods to be used when creating
      accounting records for a user. Enter the names of one or more AAA
      server group objects (up to four), or click Select to display an object
      selector. Use the up and down arrows in the object selector to define
      the order in which the selected server groups should be used.
      The device tries initially to perform accounting using the first
      method in the list. If that method fails to respond, the device tries
      the next method, and so on, until a response is received.
      If the AAA server group you want is not listed, click the Create
      button in the selector to display the AAA Server Group Dialog Box,
      page F-14. From here you can define a AAA server group object.
      TACACS+ is the only supported method, but you can select multiple
      AAA server groups configured with TACACS+.
      Note: If you select None as a method, it must appear as the last
      method in the list.

  Enable Broadcast to Multiple Servers
      When selected, enables the sending of accounting records to
      multiple AAA servers. Accounting records are sent simultaneously
      to the first server in each AAA server group defined in the method
      list. If the first server is unavailable, failover occurs using the
      backup servers defined within that group.
      When deselected, accounting records are sent only to the first server
      in the first AAA server group defined in the method list.

  OK button
      Saves your changes locally on the client and closes the dialog box.
      Note: To save your changes to the Security Manager server so that
      they are not lost when you log out or close your client, click
      Save on the source page.


Accounts and Credentials Policy Page

Use the Accounts and Credentials page to define the enable password or enable
secret password assigned to the router. In addition, you can define a list of
usernames that can be used to access the router.
For more information, see Defining Accounts and Credential Policies,
page 14-75.

Navigation Path
  - (Device view) Select Platform > Device Admin > Accounts and
    Credentials from the Policy selector.
  - (Policy view) Select Router Platform > Device Admin > Accounts and
    Credentials from the Policy Type selector. Right-click Accounts and
    Credentials to create a policy, or select an existing policy from the
    Shared Policy selector.

Related Topics
  User Accounts and Device Credentials on Cisco IOS Routers, page 14-75
  Router Platform User Interface Reference, page K-1
  User Account Dialog Box, page K-107


Field Reference
Table K-41  Accounts and Credentials Page

  Enable Secret Password
      The enable secret password for entering privileged EXEC mode on
      the router. This option offers better security than the Enable
      Password option because the device stores it as a one-way MD5 hash
      (type 5) rather than in clear text or in the reversible type 7 form.
      The enable secret password can contain between 1-25 alphanumeric
      characters. The first character must be a letter. Spaces are allowed,
      but leading spaces are ignored. Question marks are also allowed.
      Note: You can discover an encrypted password, but any password
      you enter must be in clear text. If you modify an encrypted
      password, it is saved as clear text.

  Enable Password
      The enable password for entering privileged EXEC mode on the
      router.
      The enable password can contain between 1-25 alphanumeric
      characters. The first character must be a letter. Spaces are allowed,
      but leading spaces are ignored. Question marks are also allowed.
      Note: You must enter the password in clear text.
      Note: After you set an enable secret password, you can switch to
      an enable password only if the enable secret is disabled or
      an older version of Cisco IOS software is being used, such
      as when running an older rxboot image.


  Enable Password Encryption Service
      When selected, encrypts all passwords on the device, including the
      enable password (which is otherwise saved in clear text).
      For example, use this option to encrypt username passwords,
      authentication key passwords, console and VTY line access
      passwords, and BGP neighbor passwords. This command is
      primarily used for keeping unauthorized individuals from viewing
      your passwords in your configuration file.
      When deselected, device passwords are stored unencrypted in the
      configuration file.
      Note: This option does not provide a high level of network
      security. The type 7 encoding it applies uses a fixed, publicly
      known key and is trivially reversible, so treat it as protection
      against casual viewing only and also take additional network
      security measures.

User Accounts Table

  Filter
      Enables you to filter the information displayed in the table. For
      more information, see Filtering Tables, page 3-24.

  Username
      The username that can be used to access the router. The username
      must be a single word up to 64 characters in length. Spaces and
      quotation marks are not allowed.

  Encryption
      Indicates whether the user's password is stored as a one-way MD5
      hash (the username secret form) rather than as a clear-text or
      type 7 password.

  Privilege Level
      The privilege level assigned to the user.

  Add button
      Opens the User Account Dialog Box, page K-107. From here you
      can define a user account.

  Edit button
      Opens the User Account Dialog Box, page K-107. From here you
      can edit the selected user.

  Delete button
      Deletes the selected user accounts from the table.

  Save button
      Saves your changes to the Security Manager server but keeps them
      private.
      Note: To publish your changes, click the Submit icon on the toolbar.

Tip: To choose which columns to display in the table, right-click a column
header, then select Show Columns. For more information about table display
options, see Table Columns and Column Heading Features, page 3-26.

User Account Dialog Box

Use the User Account dialog box to define a username and password combination
that can be used by Security Manager to access the router. You can also define the
privilege level of the user account, which determines whether you can configure
all commands on this router or only a subset of them.

Note: Remember that there may be additional user accounts defined on the router
using other methods, such as the CLI.

Navigation Path

Go to the Accounts and Credentials Policy Page, page K-104, then click the Add
or Edit button beneath the table.

Related Topics

Defining Accounts and Credential Policies, page 14-75
User Accounts and Device Credentials on Cisco IOS Routers, page 14-75
Understanding FlexConfig Objects, page 8-52

Field Reference

Table K-42 User Account Dialog Box

Username
  The username for accessing the router.

Password
  The password for accessing the router with this user account.
  Note: You can discover an encrypted password, but any password
  you enter must be in clear text.

Confirm
  Confirms the password for this user account.

Encrypt password using MD5
  When selected, uses MD5 encryption to encrypt the password for
  this user account. This is the default.
  When deselected, the password is sent to the router unencrypted.

Privilege Level
  The privilege level assigned to the user account. Valid values range
  from 0 to 15:
  0—Grants access to these commands only: disable, enable, exit,
  help, and logout.
  1—Enables nonprivileged access to the router (normal EXEC-mode
  user privileges).
  15—Enables privileged access to the router (traditional enable
  privileges).
  Note: Levels 2-14 are not normally used in a default configuration,
  but custom configurations can be created by moving commands that
  are normally at level 15 to a lower level and commands that are
  normally at level 1 to a higher level. You can configure the
  privilege levels of commands using the CLI or by defining a
  FlexConfig.

OK button
  Saves your changes locally on the client and closes the dialog box.
  Note: To save your changes to the Security Manager server so that
  they are not lost when you log out or close your client, click
  Save on the source page.
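The settings in Table K-41 and Table K-42 end up as lines in the router's running configuration, and the notes above describe what a weak result looks like: an enable password saved in clear text, the password-encryption service left off, and local accounts whose password is not stored as an MD5 secret. The following Python script is an added example, not part of this guide or of Security Manager; it reads a constructed configuration excerpt (the hostname, passwords and hash strings are made up) and reports those conditions, so that a deployed credential policy can be checked against what the CLI actually holds.

```python
import re

# Constructed running-config excerpt for this example; the hostname,
# passwords and hash strings are made up and belong to no real device.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password Cisco123
username admin privilege 15 password 0 Cisco123
username backup privilege 15 password 7 0123456789ABCD
username ops privilege 1 secret 5 $1$abcd$constructedhashvalue
line con 0
 password console1
"""

USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (secret|password)(?: (\d+))? \S+",
    re.MULTILINE)


def parse_usernames(config):
    """Return one dict per 'username' line: name, privilege level and how the
    credential is stored ('secret' = MD5-based hash, 'password0' = clear text,
    'password7' = the reversible type 7 encoding produced by
    service password-encryption)."""
    users = []
    for m in USERNAME_RE.finditer(config):
        name, priv, keyword, ptype = m.groups()
        kind = "secret" if keyword == "secret" else "password" + (ptype or "0")
        users.append({"name": name,
                      "privilege": int(priv) if priv else 1,  # IOS default level
                      "kind": kind})
    return users


def audit_credentials(config):
    """Return (severity, message) findings for the conditions the Accounts and
    Credentials policy covers: enable password versus enable secret, the
    password-encryption service, and how each local account's password is stored."""
    findings = []
    lines = config.splitlines()
    if "service password-encryption" not in lines:
        findings.append(("medium", "service password-encryption is not enabled; "
                                   "line and username passwords are saved in clear text"))
    if any(l.startswith("enable password ") for l in lines):
        findings.append(("high", "enable password is configured and is saved in "
                                 "clear text; use enable secret instead"))
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append(("high", "no enable secret is configured"))
    for user in parse_usernames(config):
        if user["kind"] == "password0":
            findings.append(("high", f"user {user['name']}: clear-text password"))
        elif user["kind"] == "password7":
            findings.append(("medium", f"user {user['name']}: type 7 password is "
                                       "reversible, not an MD5 secret"))
        if user["privilege"] == 15:
            findings.append(("info", f"user {user['name']}: privilege level 15 "
                                     "(full enable access)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_credentials(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed excerpt the script reports seven findings: the missing encryption service, the clear-text enable password, the absent enable secret, two level-15 accounts, one clear-text username password and one type 7 password. The type 7 check matters because the Enable Password Encryption Service only obfuscates passwords; it does not turn them into secrets, which is the point of the note in Table K-41.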

Bridging Policy Page

Use the Bridging page to define bridge groups that can perform integrated routing
and bridging on the router. For more information, see Defining Bridge Groups,
page 14-80.

Navigation Path

(Device view) Select Platform > Device Admin > Bridging from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > Bridging from the
Policy Type selector. Right-click Bridging to create a policy, or select an
existing policy from the Shared Policy selector.

Related Topics

Bridging on Cisco IOS Routers, page 14-77
Router Platform User Interface Reference, page K-1

Field Reference

Table K-43 Bridging Page

Filter
  Enables you to filter the information displayed in the table. For
  more information, see Filtering Tables, page 3-24.

Group Number
  The number that identifies the bridge group.

Group Interfaces
  The interfaces and interface roles that are included in the bridge
  group.

Add button
  Opens the Bridge Group Dialog Box, page K-110. From here you can
  define a bridge group.

Edit button
  Opens the Bridge Group Dialog Box, page K-110. From here you can
  edit the bridge group.

Delete button
  Deletes the selected bridge groups from the table.

Save button
  Saves your changes to the Security Manager server but keeps them
  private.
  Note: To publish your changes, click the Submit icon on the
  toolbar.

Tip: To choose which columns to display in the table, right-click a column
header, then select Show Columns. For more information about table display
options, see Table Columns and Column Heading Features, page 3-26.

Bridge Group Dialog Box

Use the Bridge Group dialog box to define bridge groups on the router. Each
bridge group can contain multiple Layer 3 interfaces of various types, including
serial interfaces.

Note: All bridge groups use the standard Spanning Tree Protocol (IEEE 802.1D).
Use CLI commands or FlexConfigs to bridge other protocols, such as AppleTalk or
IPX, and to use other spanning tree protocols, such as VLAN-Bridge.

Navigation Path

Go to the Bridging Policy Page, page K-108, then click the Add or Edit button
beneath the table.

Related Topics

Defining Bridge Groups, page 14-80
Bridging on Cisco IOS Routers, page 14-77
Understanding Interface Role Objects, page 8-115

Field Reference

Table K-44 Bridge Group Dialog Box

Group Number
  The number assigned to the bridge group. Valid values range from
  1 to 255.

Group Interfaces
  The interfaces that are included in the bridge group. Enter the name
  of one or more interfaces and interface roles, or click Select to
  display an object selector.
  You can select most Layer 3 interfaces, including serial interfaces,
  provided the serial interface is configured with High-Level Data Link
  Control (HDLC) or Frame Relay encapsulation. Each interface can
  belong to only one bridge group.
  You can select a LAN subinterface only if the parent interface is
  configured with Inter-Switch Link (ISL) or 802.1Q encapsulation.
  Note: Certain types of interfaces, such as loopback, tunnel, null,
  and BVI, cannot be bridged.
  If the interface role you want is not listed, click the Create button
  in the selector to display the Interface Role Dialog Box, page F-419.
  From here you can create an interface role object.
  Note: Make sure that your bridge group does not prevent Security
  Manager from communicating with the device.

OK button
  Saves your changes locally on the client and closes the dialog box.
  Note: To save your changes to the Security Manager server so that
  they are not lost when you log out or close your client, click
  Save on the source page.
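Table K-44 states the membership rules for a bridge group (group numbers 1 to 255, each interface in at most one group, loopback/tunnel/null/BVI interfaces excluded, LAN subinterfaces only under an ISL or 802.1Q parent). The Python below is an added example, not code from this guide or from Security Manager: it checks a constructed bridge-group policy against those rules and then renders the IOS bridge-group commands for a policy that passes. The sample groups, interface names and parent encapsulation map are constructed, and the emitted `bridge irb` line is this example's own assumption about what a full integrated routing and bridging deployment needs.

```python
# Interface types the guide says cannot be bridged, matched on the name prefix.
UNBRIDGEABLE_PREFIXES = ("Loopback", "Tunnel", "Null", "BVI")
# Encapsulations that let a LAN subinterface join a bridge group.
TRUNK_ENCAPSULATIONS = {"dot1Q", "isl"}

# Constructed sample policy with deliberate mistakes: an unbridgeable
# interface, an out-of-range group number and an interface in two groups.
SAMPLE_GROUPS = {
    1: ["FastEthernet0/0", "Serial0/0"],
    2: ["FastEthernet0/1.10", "Loopback0"],
    300: ["Serial0/1", "Serial0/0"],
}
# Encapsulation configured on the parent of each LAN subinterface (constructed).
SAMPLE_PARENT_ENCAPS = {"FastEthernet0/1": "dot1Q"}


def validate_bridge_groups(groups, parent_encaps):
    """Apply the rules stated for the Bridge Group dialog box and return a list
    of error strings (empty when the policy is acceptable)."""
    errors = []
    owner = {}  # interface name -> group that first claimed it
    for number, members in groups.items():
        if not 1 <= number <= 255:
            errors.append(f"bridge group {number}: group number must be 1 to 255")
        for ifname in members:
            if ifname.startswith(UNBRIDGEABLE_PREFIXES):
                errors.append(f"{ifname}: this interface type cannot be bridged")
            if "." in ifname:  # LAN subinterface: parent must be an ISL/802.1Q trunk
                parent = ifname.split(".", 1)[0]
                if parent_encaps.get(parent) not in TRUNK_ENCAPSULATIONS:
                    errors.append(f"{ifname}: parent {parent} is not configured "
                                  "with ISL or 802.1Q encapsulation")
            if ifname in owner and owner[ifname] != number:
                errors.append(f"{ifname}: already a member of bridge group {owner[ifname]}")
            owner.setdefault(ifname, number)
    return errors


def render_bridge_config(groups):
    """Emit the IOS commands for a validated policy: IEEE 802.1D spanning tree
    per group, then the per-interface bridge-group membership. 'bridge irb'
    enables integrated routing and bridging (this example's assumption)."""
    lines = ["bridge irb"]
    for number in sorted(groups):
        lines.append(f"bridge {number} protocol ieee")
    for number in sorted(groups):
        for ifname in groups[number]:
            lines += [f"interface {ifname}", f" bridge-group {number}"]
    return lines


if __name__ == "__main__":
    for problem in validate_bridge_groups(SAMPLE_GROUPS, SAMPLE_PARENT_ENCAPS):
        print("error:", problem)
    print("\n".join(render_bridge_config({1: ["FastEthernet0/0", "Serial0/0"]})))
```

The validator reports three problems for the constructed sample (Loopback0, group 300, and Serial0/0 claimed twice) while accepting the subinterface because its parent is an 802.1Q trunk. The last note in Table K-44 is the reason to run such a check before deployment: a bridge group that absorbs the management interface can cut Security Manager off from the device.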

Clock Policy Page

Use the Clock page to configure the time zone in which the router is located and
the settings for Daylight Saving Time (DST). For more information, see Time
Zone Settings on Cisco IOS Routers, page 14-81.

Tip: You can configure the local time on the router by defining an NTP policy or
by configuring the clock set command using the CLI.

Navigation Path

(Device view) Select Platform > Device Admin > Clock from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > Clock from the
Policy Type selector. Right-click Clock to create a policy, or select an
existing policy from the Shared Policy selector.

Related Topics

NTP Policy Page, page K-187
Router Platform User Interface Reference, page K-1

Field Reference

Table K-45 Clock Page

Device Time Zone
  The time zone in which the router is located, expressed in relation
  to GMT (Greenwich Mean Time), also known as UTC (Coordinated
  Universal Time).

Daylight Savings Time (Summer Time)
  The type of DST to apply to the local time on the router:
  Set by Date—Enables you to define the exact date and time when
  DST begins and ends.
  Set by Day—Enables you to define the relative recurring date and
  time when DST begins and ends. For example, you can use this
  option when DST begins the last Sunday of March and ends the last
  Sunday of October.
  None—Daylight savings time is not used.

Additional Set by Date fields

Start
  The date and time when DST begins:
  Date—Click the calendar icon to select the start date.
  Hour—Select the start hour.
  Minute—Select the start minute.

End
  The date and time when DST ends:
  Date—Click the calendar icon to select the end date.
  Hour—Select the end hour.
  Minute—Select the end minute.
  Note: Cisco IOS Software supports dates up to and including
  December 31st, 2035.

Additional Set by Day fields

Specify Recurring Time
  When selected, the router implements DST according to the dates
  and times specified in this policy.
  When deselected, the router implements DST according to the
  schedule used throughout most of the United States.

Start
  The relative date and time when daylight savings time begins:
  Month—Select the month.
  Week—Select the week of the month (1, 2, 3, 4, first, or last).
  Weekday—Select the day of the week.
  Hour—Select the hour.
  Minute—Select the minute.
  For example, if DST begins at 1:00 a.m. on the last Sunday of each
  March, select March, last, Sunday, 1, and 00.

End
  The relative date and time when daylight savings time ends:
  Month—Select the month.
  Week—Select the week of the month (1, 2, 3, 4, first, or last).
  Weekday—Select the day of the week.
  Hour—Select the hour.
  Minute—Select the minute.

Save button
  Saves your changes to the Security Manager server but keeps them
  private.
  Note: To publish your changes, click the Submit button on the
  toolbar.
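The Clock page fields correspond to the IOS `clock timezone` and `clock summer-time` commands (the `recurring` form for Set by Day, the `date` form for Set by Date). The following Python is an added example, not from this guide or from Security Manager: it turns the field values into those commands while enforcing the week-of-month choices listed above and the 31 December 2035 limit from the note. The zone names, sample dates and offsets are constructed.

```python
import datetime

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WEEKS = {"1", "2", "3", "4", "first", "last"}      # week-of-month choices in the guide
LAST_SUPPORTED_DATE = datetime.date(2035, 12, 31)  # IOS limit stated in the guide

# Constructed sample values for the two DST modes.
SAMPLE_BY_DAY_START = ("Mar", "last", "Sun", 1, 0)   # month, week, weekday, hour, minute
SAMPLE_BY_DAY_END = ("Oct", "last", "Sun", 2, 0)
SAMPLE_BY_DATE_START = datetime.datetime(2025, 3, 30, 2, 0)
SAMPLE_BY_DATE_END = datetime.datetime(2025, 10, 26, 3, 0)
SAMPLE_TOO_LATE = datetime.datetime(2036, 1, 1, 2, 0)


def timezone_command(zone, hours_offset, minutes_offset=0):
    """Device Time Zone: 'clock timezone <zone> <hours> [minutes]' relative to UTC."""
    if not -23 <= hours_offset <= 23 or not 0 <= minutes_offset <= 59:
        raise ValueError("time zone offset out of range")
    cmd = f"clock timezone {zone} {hours_offset}"
    return cmd if minutes_offset == 0 else f"{cmd} {minutes_offset}"


def _recurring_spec(spec):
    """Validate one Set by Day tuple and render it as '<week> <day> <month> hh:mm'."""
    month, week, weekday, hour, minute = spec
    if month not in MONTHS or str(week) not in WEEKS or weekday not in WEEKDAYS:
        raise ValueError(f"invalid recurring DST specification: {spec}")
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"invalid time of day: {hour}:{minute}")
    return f"{week} {weekday} {month} {hour}:{minute:02d}"


def summer_time_by_day(zone, start, end):
    """Set by Day: start and end are (month, week, weekday, hour, minute)."""
    return f"clock summer-time {zone} recurring {_recurring_spec(start)} {_recurring_spec(end)}"


def dst_dates_supported(*dates):
    """True when every date is on or before 31 December 2035."""
    return all(d.date() <= LAST_SUPPORTED_DATE for d in dates)


def summer_time_by_date(zone, start, end):
    """Set by Date: start and end are datetime.datetime values."""
    if not dst_dates_supported(start, end):
        raise ValueError("Cisco IOS supports dates only up to 31 December 2035")

    def fmt(d):
        return f"{d.day} {MONTHS[d.month - 1]} {d.year} {d.hour}:{d.minute:02d}"

    return f"clock summer-time {zone} date {fmt(start)} {fmt(end)}"


if __name__ == "__main__":
    print(timezone_command("CET", 1))
    print(summer_time_by_day("CEST", SAMPLE_BY_DAY_START, SAMPLE_BY_DAY_END))
    print(summer_time_by_date("CEST", SAMPLE_BY_DATE_START, SAMPLE_BY_DATE_END))
```

The Set by Day sample reproduces the example in Table K-45 (last Sunday of March at 1:00) and pairs it with an October end; the Set by Date path refuses the constructed 2036 value, which is the failure a policy would otherwise only hit at deployment time.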

CPU Policy Page

Use the CPU page to configure settings related to router CPU utilization,
including the thresholds for sending log messages, the size of the CPU history
table, and whether to enable automatic CPU Hog profiling.
For more information, see Defining CPU Utilization Settings, page 14-84.

Navigation Path

(Device view) Select Platform > Device Access > CPU from the Policy
selector.

(Policy view) Select Router Platform > Device Access > CPU from the
Policy Type selector. Right-click CPU to create a policy, or select an existing
policy from the Shared Policy selector.

Related Topics

Memory Policy Page, page K-171
Logging Setup Policy Page, page K-207
Syslog Servers Policy Page, page K-212
Router Platform User Interface Reference, page K-1

Field Reference

Table K-46 CPU Page

CPU Utilization Statistics
  Settings related to the history table for CPU utilization statistics:
  History Table Entry Limit—The percentage of CPU utilization that
  a process must use to be included in the history table.
  History Table Size—The length of time for which CPU statistics
  are stored in the history table. Valid values range from 5 to 86400
  seconds (24 hours). The default is 600 seconds (10 minutes).

CPU Total Utilization
  The thresholds for total CPU utilization that trigger notifications:
  Enable CPU Total Utilization—When selected, CPU total
  utilization thresholds are enabled. When deselected, these
  thresholds are disabled and do not trigger notifications. This is
  the default.
  Maximum Total Utilization Resources—The percentage of CPU
  resources that, when usage exceeds this level for the defined
  interval, triggers a notification.
  Maximum Total Utilization Violation Duration—The violation
  interval that triggers a maximum CPU threshold notification.
  Valid values range from 5 to 86400 seconds (24 hours).
  Minimum Total Utilization Resources—The percentage of CPU
  resources that, when usage falls below this level for the defined
  interval, triggers a notification.
  Minimum Total Utilization Violation Duration—The violation
  interval that triggers a minimum CPU threshold notification.
  Valid values range from 5 to 86400 seconds (24 hours).

CPU Interrupt Utilization
  The thresholds for CPU interrupt utilization that trigger
  notifications:
  Enable CPU Interrupt Utilization—When selected, CPU interrupt
  utilization thresholds are enabled. When deselected, these
  thresholds are disabled and do not trigger notifications. This is
  the default.
  Maximum Interrupt Utilization Resources—The percentage of CPU
  resources that, when usage exceeds this level for the defined
  interval, triggers a notification.
  Maximum Interrupt Utilization Violation Duration—The violation
  interval that triggers a maximum CPU threshold notification.
  Valid values range from 5 to 86400 seconds (24 hours).
  Minimum Interrupt Utilization Resources—The percentage of CPU
  resources that, when usage falls below this level for the defined
  interval, triggers a notification.
  Minimum Interrupt Utilization Violation Duration—The violation
  interval that triggers a minimum CPU threshold notification.
  Valid values range from 5 to 86400 seconds (24 hours).

CPU Process Utilization
  The thresholds for CPU process utilization that trigger
  notifications:
  Enable CPU Process Utilization—When selected, CPU process
  utilization thresholds are enabled. When deselected, these
  thresholds are disabled and do not trigger notifications. This is
  the default.
  Maximum Process Utilization Resources—The percentage of CPU
  resources that, when usage exceeds this level for the defined
  interval, triggers a notification.
  Maximum Process Utilization Violation Duration—The violation
  interval that triggers a maximum CPU threshold notification.
  Valid values range from 5 to 86400 seconds (24 hours).
  Minimum Process Utilization Resources—The percentage of CPU
  resources that, when usage falls below this level for the defined
  interval, triggers a notification.
  Minimum Process Utilization Violation Duration—The violation
  interval that triggers a minimum CPU threshold notification.
  Valid values range from 5 to 86400 seconds (24 hours).

Extended CPU History Size
  The size of the history to collect for the extended CPU load, in
  increments of 5 seconds. Valid values range from 2 to 720. The
  default is 12, which is equivalent to a 1-minute history.

Enable Automatic CPU Hog Profiling
  When selected, automatic CPU Hog profiling is enabled. This is the
  default.
  When deselected, automatic CPU Hog profiling is disabled.
  This feature predicts when a process could hog the CPU and begins
  profiling that process.
  Note: To view the CPU Hog profile data, use the show processes
  cpu autoprofile hog command in the CLI.

Save button
  Saves your changes to the Security Manager server but keeps them
  private.
  Note: To publish your changes, click the Submit button on the
  toolbar.
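The CPU page fields map onto the IOS `process cpu` command family: the statistics limit and history table size, one `process cpu threshold type` line per utilization kind (the Maximum fields become `rising`, the Minimum fields `falling`), the extended history size, and `process cpu autoprofile hog`. The Python below is an added example, not from this guide or from Security Manager; it renders a constructed policy into those commands and rejects values outside the ranges Table K-46 gives. The range applied to the History Table Entry Limit (1 to 100, because it is a percentage) and the requirement that the minimum sit below the maximum are this example's own checks.

```python
# Constructed sample policy mirroring the fields of the CPU page.
SAMPLE_POLICY = {
    "entry_limit": 10,          # History Table Entry Limit (percent)
    "table_size": 600,          # History Table Size (seconds)
    "thresholds": {
        "total": {"enabled": True, "max_pct": 80, "max_interval": 5,
                  "min_pct": 20, "min_interval": 5},
        "interrupt": {"enabled": False},
        "process": {"enabled": True, "max_pct": 70, "max_interval": 10},
    },
    "history_size": 12,         # Extended CPU History Size (5-second samples)
    "hog_profiling": True,      # Enable Automatic CPU Hog Profiling
}

THRESHOLD_KINDS = ("total", "interrupt", "process")


def _check(name, value, low, high):
    if not low <= value <= high:
        raise ValueError(f"{name} must be between {low} and {high}, got {value}")


def statistics_commands(entry_limit, table_size=600):
    """CPU Utilization Statistics: entry percentage and history table size."""
    _check("history table entry limit", entry_limit, 1, 100)   # percentage (own check)
    _check("history table size", table_size, 5, 86400)
    return [f"process cpu statistics limit entry-percentage {entry_limit} size {table_size}"]


def threshold_commands(kind, settings):
    """One 'process cpu threshold type ...' line per utilization kind."""
    if kind not in THRESHOLD_KINDS:
        raise ValueError(f"unknown threshold kind {kind}")
    if not settings.get("enabled", False):        # disabled is the default
        return [f"no process cpu threshold type {kind}"]
    _check("maximum utilization", settings["max_pct"], 1, 100)
    _check("maximum violation duration", settings["max_interval"], 5, 86400)
    cmd = (f"process cpu threshold type {kind} rising {settings['max_pct']} "
           f"interval {settings['max_interval']}")
    if "min_pct" in settings:
        # Own sanity check: the minimum must sit below the maximum.
        _check("minimum utilization", settings["min_pct"], 1, settings["max_pct"])
        _check("minimum violation duration", settings["min_interval"], 5, 86400)
        cmd += f" falling {settings['min_pct']} interval {settings['min_interval']}"
    return [cmd]


def history_commands(size=12):
    """Extended CPU History Size: 2 to 720 five-second samples (default 12)."""
    _check("extended CPU history size", size, 2, 720)
    return [f"process cpu extended history size {size}"]


def hog_profile_commands(enabled=True):
    return ["process cpu autoprofile hog" if enabled else "no process cpu autoprofile hog"]


def render_cpu_policy(policy):
    """Translate a policy dict into the ordered list of IOS commands."""
    lines = statistics_commands(policy["entry_limit"], policy.get("table_size", 600))
    for kind in THRESHOLD_KINDS:
        lines += threshold_commands(kind, policy["thresholds"].get(kind, {}))
    lines += history_commands(policy.get("history_size", 12))
    lines += hog_profile_commands(policy.get("hog_profiling", True))
    return lines


def policy_errors(policy):
    """Return the validation failure for a policy as a list (empty when valid)."""
    try:
        render_cpu_policy(policy)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    print("\n".join(render_cpu_policy(SAMPLE_POLICY)))
```

The constructed policy yields six commands, with the interrupt thresholds rendered as a `no` form because they are left at the disabled default. Threshold notifications of this kind are the feed for the Logging Setup and Syslog Servers policies listed under Related Topics, so a value outside the 5 to 86400 second window is worth catching before deployment rather than after.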

HTTP Policy Page

Use the HTTP page to configure HTTP and HTTPS access on the router. You can
configure HTTP policies on a Cisco IOS router from the following tabs on the
HTTP policy page:

HTTP Page—Setup Tab, page K-119
HTTP Page—AAA Tab, page K-121

For more information, see HTTP and HTTPS on Cisco IOS Routers, page 14-85.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > HTTP
from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Device Access >
HTTP from the Policy Type selector. Right-click HTTP to create a policy, or
select an existing policy from the Shared Policy selector.

Related Topics

Router Platform User Interface Reference, page K-1

HTTP Page—Setup Tab

Use the Setup tab of the HTTP page to enable HTTP and HTTP over Secure
Socket Layer (HTTP over SSL or HTTPS) on the router. You can optionally limit
access to these protocols to the addresses defined in an access control list.

Note: As a general rule, Cisco IOS routers that have been discovered by Security
Manager already have HTTPS enabled because Security Manager uses SSL as the
default protocol for communicating with them. See Setting Up SSL on Cisco IOS
Routers, page 5-6.

Navigation Path

Go to the HTTP Policy Page, page K-118, then click the Setup tab.

Related Topics

HTTP Page—AAA Tab, page K-121
HTTP and HTTPS on Cisco IOS Routers, page 14-85

Field Reference

Table K-47 HTTP Page—Setup Tab

Enable HTTP
  When selected, an HTTP server is enabled on the router.
  When deselected, HTTP is disabled on the router. This is the default
  for devices that were not discovered.

HTTP Port
  The port number to use for HTTP. Valid values are 80 or any value
  from 1024 to 65535. The default is 80.

Enable SSL
  When selected, a secure HTTP server (HTTP over SSL or HTTPS)
  is enabled on the router.
  When deselected, HTTPS is disabled. This is the default for devices
  that were not discovered.
  Note: If SSL is disabled (or if the HTTP policy as a whole is
  unassigned), Security Manager cannot communicate with the device
  after deployment unless you change the transport protocol for this
  device to SSH. This setting can be found in Device Properties.
  Note: We recommend that you disable HTTP when SSL is enabled.
  This is required to ensure only secure connections to the server.

SSL Port
  The port number to use for HTTPS. Valid values are 443 or any
  value from 1025 to 65535. The default is 443.

Allow Connection From
  The numbered ACL that restricts use of HTTP and HTTPS on this
  device. Enter the name of an ACL object, or click Select to display
  an object selector.
  If the standard ACL you want is not listed, click the Create button
  in the selector to display the Add and Edit Standard Access List
  Pages, page F-45. From here you can create an ACL object.
  Note: If you define an ACL, make sure that it includes the Security
  Manager server. Otherwise, Security Manager cannot communicate
  with this device using SSL.

Save button
  Saves your changes to the Security Manager server but keeps them
  private.
  Note: To publish your changes, click the Submit button on the
  toolbar.
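The two notes in Table K-47 describe the outcomes that matter once the Setup tab is deployed: HTTP left enabled beside HTTPS, and an access-class ACL that locks out the Security Manager server. The Python below is an added example, not from this guide or from Security Manager; it evaluates two constructed running-config excerpts (one weak, one hardened) against exactly those conditions, including a first-match walk of the standard ACL with its implicit deny. The server address, ACL number and port values are constructed.

```python
import ipaddress
import re

# Constructed address for the Security Manager server used in this example.
CSM_SERVER = "10.1.1.50"

# Constructed running-config excerpts. The weak one leaves plain HTTP enabled
# beside HTTPS and restricts access with an ACL that omits the CSM server.
WEAK_CONFIG = """\
ip http server
ip http secure-server
ip http secure-port 8443
ip http access-class 10
access-list 10 permit 10.1.2.0 0.0.0.255
access-list 10 deny any
"""

HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit host 10.1.1.50
access-list 10 deny any
"""


def parse_standard_acl(config, number):
    """Return [(action, network)] for the 'access-list <number>' lines. Standard
    ACL entries carry a wildcard mask; 'host X' and 'any' are expanded."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) (.+)$", config, re.M):
        action, words = m.group(1), m.group(2).split()
        if words[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif words[0] == "host":
            net = ipaddress.ip_network(words[1] + "/32")
        else:
            addr = int(ipaddress.ip_address(words[0]))
            wildcard = int(ipaddress.ip_address(words[1])) if len(words) > 1 else 0
            if wildcard & (wildcard + 1):   # non-contiguous masks are out of scope here
                raise ValueError(f"unsupported wildcard mask {words[1]}")
            prefix = 32 - wildcard.bit_length()
            net = ipaddress.ip_network((addr & ~wildcard & 0xFFFFFFFF, prefix))
        entries.append((action, net))
    return entries


def acl_permits(entries, address):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    addr = ipaddress.ip_address(address)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False


def audit_http(config, csm_server=CSM_SERVER):
    """Findings for the conditions the Setup tab notes warn about."""
    findings = []
    lines = config.splitlines()
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    if not https_on:
        findings.append("HTTPS is disabled: Security Manager cannot reach the device over SSL")
    if http_on and https_on:
        findings.append("plain HTTP is enabled alongside HTTPS: disable HTTP so that only "
                        "secure connections are accepted")
    acl = next((l.split()[-1] for l in lines if l.startswith("ip http access-class ")), None)
    if acl is None:
        findings.append("no access-class on the HTTP server: access is not limited by address")
    elif not acl_permits(parse_standard_acl(config, acl), csm_server):
        findings.append(f"access-class {acl} does not permit the Security Manager server {csm_server}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http(cfg) or ["no findings"])
```

The weak excerpt produces two findings (HTTP beside HTTPS, and the ACL that admits 10.1.2.0/24 but not the server), while the hardened excerpt produces none. Checking the ACL against the actual server address, rather than only for its presence, is what turns the second note into something a deployment pipeline can enforce.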

HTTP Page—AAA Tab

Use the AAA tab of the HTTP page to define the authentication and authorization
methods to perform on users who attempt to access the router using HTTP or
HTTPS.

Navigation Path

Go to the HTTP Policy Page, page K-118, then click the AAA tab.

Related Topics

HTTP Page—Setup Tab, page K-119
HTTP and HTTPS on Cisco IOS Routers, page 14-85

Field Reference

Table K-48 HTTP Page—AAA Tab

Authenticate Using
  The type of authentication to use:
  AAA—Performs AAA login authentication.
  Enable Password—Uses the enable password configured on the
  router. This is the default.
  Local Database—Uses the local username database configured on
  the router.
  TACACS—Uses the TACACS or XTACACS server configured on
  the router. Applies only to devices using an IOS software version
  prior to 12.3(8) or 12.3(8)T.

Login Authentication settings

Enable Device Login Authentication
  Applies only when AAA is selected as the authentication method.
  When selected, authentication is based on the methods defined in
  the Prioritized Method List field.
  When deselected, the default authentication list defined in the
  router's AAA policy is used. See AAA Page—Authentication Tab,
  page K-93.

Prioritized Method List
  Applies only when the Enable Device Login Authentication check
  box is selected.
  Defines a sequential list of methods to be queried when
  authenticating a user. Enter the names of one or more AAA server
  group objects (up to four), or click Select to display an object
  selector. Use the up and down arrows in the object selector to define
  the order in which the selected server groups should be used.
  The device tries initially to authenticate users using the first method
  in the list. If that method fails to respond, the device tries the next
  method, and so on, until a response is received.
  If the AAA server group you want is not listed, click the Create
  button in the selector to display the AAA Server Group Dialog Box,
  page F-14. From here you can define a AAA server group object.
  Note: If you select None as a method, it must appear as the last
  method in the list.

EXEC Authorization settings

Enable CLI/EXEC Operations Authorization
  Applies only when AAA is selected as the authentication method.
  When selected, EXEC authorization is based on the methods
  defined in the Prioritized Method List field. This type of
  authorization determines whether the user is permitted to open an
  EXEC (CLI) session.
  When deselected, the default EXEC authorization list defined in the
  router's AAA policy is used. See AAA Page—Authorization Tab,
  page K-94.
  Note: If you leave this option deselected, make sure that EXEC
  authorization is enabled in the router's AAA policy. Otherwise, you
  will be unable to connect to the device via HTTP or HTTPS (SSL).
  This applies to Security Manager as well as other applications, such
  as SDM and the device's web interface.

Prioritized Method List
  Applies only when the Enable CLI/EXEC Operations Authorization
  check box is selected.
  Defines a sequential list of methods to be queried when authorizing
  a user to open an EXEC (CLI) session. Enter the names of one or
  more AAA server group objects (up to four), or click Select to
  display an object selector. Use the up and down arrows in the object
  selector to define the order in which the selected server groups
  should be used.
  The device tries initially to authorize users using the first method in
  the list. If that method fails to respond, the device tries the next
  method, and so on, until a response is received.
  If the AAA server group you want is not listed, click the Create
  button in the selector to display the AAA Server Group Dialog Box,
  page F-14. From here you can define a AAA server group object.
  Note: If you select None as a method, it must appear as the last
  method in the list.

Command Authorization settings

Filter
  Enables you to filter the information displayed in the table. For
  more information, see Filtering Tables, page 3-24.

Privilege Level
  The privilege level to which the command authorization definition
  applies.

Prioritized Method List
  The method list to use when authorizing users with this privilege
  level.

Add button
  Opens the Command Authorization Override Dialog Box, page K-124.
  From here you can configure a command authorization definition.

Edit button
  Opens the Command Authorization Override Dialog Box, page K-124.
  From here you can edit the command authorization definition.

Delete button
  Deletes the selected command authorization definitions from the
  table.

Save button
  Saves your changes to the Security Manager server but keeps them
  private.
  Note: To publish your changes, click the Submit button on the
  toolbar.

Command Authorization Override Dialog Box

Use the Command Authorization Override dialog box to define which methods to
use when authorizing the EXEC commands that are associated with a given
privilege level. This enables you to authorize all commands associated with a
specific privilege level, from 0 to 15.

Navigation Path

From the HTTP Page—AAA Tab, page K-121, click the Add button beneath the
Command Authorization Override table.

Related Topics

HTTP Policy Page, page K-118
AAA Policy Page, page K-91

Field Reference

Table K-49 Command Authorization Dialog Box

Privilege Level
  The privilege level for which you want to define a command
  accounting list. Valid values range from 0 to 15.

Prioritized Method List
  Defines a sequential list of methods to be used when authorizing a
  user. Enter the names of one or more AAA server group objects (up
  to four), or click Select to display an object selector. Use the up and
  down arrows in the object selector to define the order in which the
  selected server groups should be used.
  The device tries initially to authorize users using the first method in
  the list. If that method fails to respond, the device tries the next
  method, and so on, until a response is received.
  If the AAA server group you want is not listed, click the Create
  button in the selector to display the AAA Server Group Dialog Box,
  page F-14. From here you can define a AAA server group object.
  Supported methods include TACACS+, Local, and None.
  Note: If you select None as a method, it must appear as the last
  method in the list.

OK button
  Saves your changes locally on the client and closes the dialog box.
  Note: To save your changes to the Security Manager server so that
  they are not lost when you log out or close your client, click
  Save on the source page.
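The Prioritized Method List fields of the HTTP Page AAA tab (Table K-48) and of the Command Authorization Override dialog box (Table K-49) share the same rules: at most four entries, tried in order, with None only in the last position. On the router they become named `aaa authentication login`, `aaa authorization exec` and `aaa authorization commands <level>` lists bound to HTTP access with `ip http authentication aaa login-authentication`, `exec-authorization` and `command-authorization`. The Python below is an added example covering both tables, not from this guide or from Security Manager: it validates the lists and renders those commands. The list names and server group names are constructed; `tacacs+` is the built-in IOS server group keyword, and the duplicate-method check is this example's own addition.

```python
MAX_METHODS = 4                       # up to four AAA server groups per list
BUILTIN_METHODS = {"local", "none"}   # IOS keywords; anything else becomes 'group <name>'

# Constructed sample: the method lists an operator might enter on the HTTP AAA
# tab. 'tacacs+' is the built-in IOS TACACS+ server group.
SAMPLE_LOGIN = ("WEB_LOGIN", ["tacacs+", "local"])
SAMPLE_EXEC = ("WEB_EXEC", ["tacacs+", "local", "none"])
SAMPLE_COMMANDS = {15: ("WEB_CMD15", ["tacacs+"]), 1: ("WEB_CMD1", ["local"])}


def validate_method_list(methods):
    """Return the rule violations for one Prioritized Method List."""
    errors = []
    if not methods:
        errors.append("method list is empty")
    if len(methods) > MAX_METHODS:
        errors.append(f"more than {MAX_METHODS} methods")
    if "none" in methods and methods[-1] != "none":
        errors.append("None must be the last method in the list")
    if len(set(methods)) != len(methods):
        errors.append("a method appears more than once")   # example's own check
    return errors


def method_keywords(methods):
    """Render the list as IOS method keywords, in priority order."""
    errors = validate_method_list(methods)
    if errors:
        raise ValueError("; ".join(errors))
    return " ".join(m if m in BUILTIN_METHODS else f"group {m}" for m in methods)


def render_http_aaa(login=None, exec_authz=None, command_authz=None):
    """Emit the named AAA lists and the 'ip http authentication aaa' commands
    that bind them to HTTP/HTTPS access. login and exec_authz are
    (list_name, methods); command_authz maps a privilege level to the same."""
    lines = ["aaa new-model", "ip http authentication aaa"]
    if login:
        name, methods = login
        lines.append(f"aaa authentication login {name} {method_keywords(methods)}")
        lines.append(f"ip http authentication aaa login-authentication {name}")
    if exec_authz:
        name, methods = exec_authz
        lines.append(f"aaa authorization exec {name} {method_keywords(methods)}")
        lines.append(f"ip http authentication aaa exec-authorization {name}")
    for level, (name, methods) in sorted((command_authz or {}).items()):
        if not 0 <= level <= 15:
            raise ValueError(f"privilege level {level} is outside 0 to 15")
        lines.append(f"aaa authorization commands {level} {name} {method_keywords(methods)}")
        lines.append(f"ip http authentication aaa command-authorization {level} {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_http_aaa(SAMPLE_LOGIN, SAMPLE_EXEC, SAMPLE_COMMANDS)))
```

The ordering rule is not cosmetic: a list such as `none local` is accepted by the validator only with `none` last, because `none` answers every request and any method placed after it is never consulted. The same function renders the per-level command lists for Table K-49, so one validator covers both dialogs.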

Console Policy Page


Use the Console page to configure access to the router over the console port. You
can configure console policies on a Cisco IOS router from the following tabs on
the Console policy page:

Console PageSetup Tab, page K-126

Console PageAuthentication Tab, page K-129

Console PageAuthorization Tab, page K-131

Console PageAccounting Tab, page K-133

For more information, see Line Access on Cisco IOS Routers, page 14-89.

User Guide for Cisco Security Manager 3.1


OL-11501-03

K-125

Appendix K

Router Platform User Interface Reference

Console Policy Page

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Line
Access > Console from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Device Access >
Line Access > Console from the Policy Type selector. Right-click Console
to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

VTY Policy Page, page K-137

Router Platform User Interface Reference, page K-1

Console PageSetup Tab


Use the Setup tab of the Console page to define the basic parameters of the
console port. This includes the password for accessing the port, the privilege level
assigned to users, the protocols that are permitted, and the ACLs that limit access.
Navigation Path

Go to the Console Policy Page, page K-125, then click the Setup tab.
Related Topics

Console PageAuthentication Tab, page K-129

Console PageAuthorization Tab, page K-131

Console PageAccounting Tab, page K-133

VTY Line Dialog BoxSetup Tab, page K-140

User Guide for Cisco Security Manager 3.1

K-126

OL-11501-03

Appendix K

Router Platform User Interface Reference


Console Policy Page

Field Reference
Table K-50

Console PageSetup Tab

Element

Description

Password

The password for accessing the console port.


The password is case sensitive and can contain up to
80 alphanumeric characters. The first character cannot be a number.
Spaces are not allowed.
Enter the password again in the Confirm field.

Privilege Level

The privilege level assigned to users connected to the console port.


Valid values range from 0 to 15:

0Grants access to these commands only: disable, enable,


exit, help, and logout.

1Enables nonprivileged access to the router (normal


EXEC-mode use privileges).

15Enables privileged access to the router (traditional enable


privileges).

Note

Levels 2-14 are not normally used in a default configuration,


but custom configurations can be created by moving
commands that are normally at level 15 to a lower level and
commands that are normally at level 1 to a higher level. You
can configure the privilege levels of commands using the
CLI or by defining a FlexConfig.

Note

If you do not define a value, level 1 is assigned by default.


This value does not appear in the device configuration.

Disable all the EXEC sessions to When selected, disables EXEC sessions over this line. Select this
the router via this line
option when you want to allow only an outgoing connection on the
console. This option is useful for keeping the console port free from
unsolicited incoming data that can tie up the line.
When deselected, EXEC sessions are enabled on the console port.
This is the default.
Note

Selecting this option blocks all access to the device via the
console port.

User Guide for Cisco Security Manager 3.1


OL-11501-03

K-127

Appendix K

Router Platform User Interface Reference

Console Policy Page

Table K-50

Console PageSetup Tab (continued)

Element

Description

Exec Timeout

The amount of time (in seconds) that the EXEC command interpreter waits to detect user input on the console port. If no input is detected, the line is disconnected. Valid values range from 0 to 2147483. The default is 600 (10 minutes). Setting the value to 0 disables the timeout, which leaves an unattended console session open indefinitely; keep a short, nonzero value on production devices.
Note
Although the timeout is defined in seconds, it appears in the CLI in the format [mm ss].

Output Protocols

The protocols that you can use for outgoing connections on the console port:
• All – All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120.
• None – No protocols are permitted. This makes the port unusable by outgoing connections.
• Protocol – Enables one or more of the following protocols:
  – SSH – Secure Shell protocol.
  – Telnet – Standard TCP/IP terminal emulation protocol.
  – rlogin – UNIX rlogin protocol.
Note
SSH and rlogin require that you configure AAA authentication. See Console Page – Authentication Tab, page K-129.
Note
Not all IOS Software Versions support rlogin as an output protocol.

Inbound Access List

The ACL that restricts incoming connections on the console port. Enter the name of an ACL object, or click Select to display an object selector.
If the standard ACL you want is not listed, click the Create button in the selector to display the Add and Edit Standard Access List Pages, page F-45. From here you can create an ACL object.


Permit VRF Interface Connections

Applies only when an inbound ACL is defined on the console port.
When selected, accepts incoming connections from interfaces that belong to a VRF. When deselected, rejects incoming connections from interfaces that belong to a VRF.

Outbound Access List

The ACL that restricts outgoing connections on the console port. Enter the name of an ACL object, or click Select to display an object selector.
If the standard ACL you want is not listed, click the Create button in the selector to display the Add and Edit Standard Access List Pages, page F-45. From here you can create an ACL object.

Save button

Saves your changes to the Security Manager server but keeps them private.
Note
To publish your changes, click the Submit button on the toolbar.
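The Setup tab fields above (privilege level, EXEC timeout, permitted protocols, inbound ACL) are the line-access settings an auditor looks for in a router's running configuration. The following Python script is an added example, not part of Security Manager or Cisco IOS: it parses the line stanzas of a constructed show running-config excerpt and flags the weak settings a practitioner would want caught, namely a disabled idle timeout, privilege level 15 on the line, cleartext transports, a missing inbound access-class, and a shared line password used instead of AAA or local users. The sample configuration, the rule set, and the assumption that a VTY stanza without a transport input command behaves as all are this example's own.

```python
"""Audit the 'line con' and 'line vty' stanzas of an IOS running-config for
weak line-access settings. Added example, not Security Manager code; the
configuration below is constructed, not taken from a real device."""
import re
from typing import Dict, List

# Constructed 'show running-config' excerpt (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password 7 0822455D0A16
 login
!
line vty 0 4
 exec-timeout 10 0
 access-class 23 in
 transport input ssh
 login local
!
line vty 5 15
 exec-timeout 0 0
 password 7 0822455D0A16
 transport input telnet ssh
 login
!
"""


def parse_lines(config: str) -> Dict[str, List[str]]:
    """Return {'con 0': [...], 'vty 0 4': [...]} from the config text."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or a top-level command ends the stanza
    return stanzas


def exec_timeout_seconds(cmds: List[str]) -> int:
    """Read 'exec-timeout mm [ss]' back into seconds; IOS defaults to 600."""
    for c in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return 600


def audit_line(name: str, cmds: List[str]) -> List[str]:
    """Return the findings for one line stanza (empty list = nothing to report)."""
    findings = []
    if exec_timeout_seconds(cmds) == 0:
        findings.append("exec-timeout 0 0 disables the idle timeout")
    if any(c.startswith("privilege level 15") for c in cmds):
        findings.append("privilege level 15 on the line bypasses enable")
    if name.startswith("vty"):
        # Assumption: a stanza without 'transport input' is treated as 'all'.
        transport = next((c for c in cmds if c.startswith("transport input")),
                         "transport input all")
        if "telnet" in transport or "rlogin" in transport or transport.endswith(" all"):
            findings.append(f"cleartext protocol allowed: '{transport}'")
        if not any(c.startswith("access-class") and " in" in c for c in cmds):
            findings.append("no inbound access-class limits source addresses")
    if "login" in cmds:   # bare 'login' = shared line password, no per-user identity
        findings.append("shared line password ('login') instead of AAA or local users")
    return findings


def audit(config: str) -> Dict[str, List[str]]:
    """Audit every line stanza in the config; keys are the 'line' arguments."""
    return {name: audit_line(name, cmds) for name, cmds in parse_lines(config).items()}


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_CONFIG).items():
        print(f"line {line}: " + ("; ".join(findings) or "ok"))
```

Run against the sample, vty 0 4 comes back clean while the console and vty 5 15 stanzas each collect several findings; point audit() at the output of show running-config from a real device to use it for a quick pre-deployment check.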

Console Page – Authentication Tab

Use the Authentication tab of the Console page to define the AAA authentication methods to perform on users who attempt to access the console port.
Navigation Path

Go to the Console Policy Page, page K-125, then click the Authentication tab.
Related Topics

Console Page – Setup Tab, page K-126

Console Page – Authorization Tab, page K-131

Console Page – Accounting Tab, page K-133

VTY Line Dialog Box – Authentication Tab, page K-145


Field Reference
Table K-51

Console Page – Authentication Tab

Element

Description

Authenticate Using

Authentication settings for the console port:
• None – Authentication is not performed. This is the default.
• Local Database – Uses the local username database for authentication.
• AAA Policy Default List – Uses the default authentication method list that is defined in the device's AAA policy. See AAA Page – Authentication Tab, page K-93.
• Custom Method List – Uses the authentication methods specified in the Prioritized Method List field.
Note
If you select local authentication, preview the full configuration before deployment to make sure that the aaa new-model command is not configured by another policy (for example, by configuring a method list in the AAA policy) or is already configured on the device itself.

Prioritized Method List

Applies only when Custom Method List is selected as the authentication method.
Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received. A rejection is a response: the device moves on to the next method only when the current one does not answer (for example, because every server in the group is unreachable), not when it denies the user.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note
If you select None as a method, it must appear as the last method in the list.


Save button

Saves your changes to the Security Manager server but keeps them private.
Note
To publish your changes, click the Submit button on the toolbar.
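To make the failover rule in the Prioritized Method List description concrete (the next method is tried only when the current one does not respond, and None must come last), here is a small Python model of how a router walks a prioritized method list. It is an added example rather than Security Manager or IOS code: the server group names and their replies are simulated, and the three reply kinds (pass, fail, no response) are this example's abstraction of an AAA exchange. It also shows why a trailing None deserves care: when every server group is unreachable, the line admits anyone.

```python
"""Model of how a router walks a prioritized AAA method list. Added example,
not Security Manager or IOS code; server groups and their replies are
simulated so the failover rule can be exercised offline."""
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Reply(Enum):
    PASS = "pass"      # the method answered and accepted the user
    FAIL = "fail"      # the method answered and rejected the user
    ERROR = "error"    # no server in the group responded


def evaluate(method_list: List[str],
             replies: Dict[str, Reply]) -> Tuple[bool, Optional[str]]:
    """Query methods in order. ERROR (no response) moves on to the next
    method; PASS or FAIL is a response and ends the search. 'none' always
    responds with PASS. Returns (admitted, method that decided)."""
    for method in method_list:
        if method == "none":
            return True, "none"                  # no authentication: anyone is admitted
        reply = replies.get(method, Reply.ERROR)  # unlisted group = unreachable
        if reply is Reply.ERROR:
            continue                              # fall through only on no response
        return reply is Reply.PASS, method
    return False, None                            # nothing answered and no 'none': deny


def validate(method_list: List[str]) -> List[str]:
    """The rules the dialog states: at most four server groups, and None last."""
    problems = []
    groups = [m for m in method_list if m not in ("local", "none")]
    if len(groups) > 4:
        problems.append("more than four AAA server groups")
    if "none" in method_list and method_list[-1] != "none":
        problems.append("'none' must be the last method")
    if len(set(method_list)) != len(method_list):
        problems.append("a method appears more than once")
    return problems


if __name__ == "__main__":
    # Constructed scenarios: a rejection does not fall through, an outage does,
    # and a trailing 'none' admits everyone during an outage.
    print(evaluate(["TACACS-PROD", "local"],
                   {"TACACS-PROD": Reply.FAIL, "local": Reply.PASS}))
    print(evaluate(["TACACS-PROD", "local"],
                   {"TACACS-PROD": Reply.ERROR, "local": Reply.PASS}))
    print(evaluate(["TACACS-PROD", "none"], {}))
    print(validate(["none", "TACACS-PROD"]))
```

The second and third scenarios are the ones to weigh when ordering a list: a local fallback only helps during an outage of the server groups ahead of it, and a trailing None turns that same outage into open access.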

Console Page – Authorization Tab

Use the Authorization tab of the Console page to define the EXEC and command authorization methods to perform on users who access the console port.

Note
You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 14-72.
Navigation Path

Go to the Console Policy Page, page K-125, then click the Authorization tab.
Related Topics

Console Page – Setup Tab, page K-126

Console Page – Authentication Tab, page K-129

Console Page – Accounting Tab, page K-133

VTY Line Dialog Box – Authorization Tab, page K-146

Field Reference
Table K-52

Console Page – Authorization Tab

Element

Description

EXEC Authorization settings


Authorize EXEC Operations Using

The authorization method that determines whether a user is allowed to run an EXEC session:
• None – Authorization is not performed. This is the default.
• AAA Policy Default List – Uses the default authorization method list that is defined in the device's AAA policy. See AAA Page – Authorization Tab, page K-94.
• Custom Method List – Uses the authorization methods specified in the Prioritized Method List field.

Prioritized Method List

Applies only when Custom Method List is selected as the EXEC method.
Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note
If you select None as a method, it must appear as the last method in the list.
Note
RADIUS uses the same server for authentication and authorization. Therefore, if you define a RADIUS method list for authentication, you must define the same method list for authorization.

Command Authorization settings

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Privilege Level

The privilege level to which the command authorization definition applies.


Prioritized Method List

The method list to use when authorizing users with this privilege level.

Add button

Opens the Command Authorization Dialog Box – Line Access, page K-153. From here you can configure a command authorization definition.

Edit button

Opens the Command Authorization Dialog Box – Line Access, page K-153. From here you can edit the command authorization definition.

Delete button

Deletes the selected command authorization definitions from the table.

Authorization tab buttons

Save button

Saves your changes to the Security Manager server but keeps them private.
Note
To publish your changes, click the Submit button on the toolbar.

Console Page – Accounting Tab

Use the Accounting tab of the Console page to define the EXEC, connection, and command accounting methods to perform on users who access the console port.

Note
You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 14-72.
Navigation Path

Go to the Console Policy Page, page K-125, then click the Accounting tab.
Related Topics

Console Page – Setup Tab, page K-126

Console Page – Authentication Tab, page K-129

Console Page – Authorization Tab, page K-131


VTY Line Dialog Box – Accounting Tab, page K-149

Field Reference
Table K-53

Console Page – Accounting Tab

Element

Description

EXEC Accounting settings

Perform EXEC Accounting Using

The accounting method to use for recording basic information about user EXEC sessions:
• None – Accounting is not performed. This is the default.
• AAA Policy Default List – Uses the default EXEC accounting method list that is defined in the device's AAA policy. See AAA Page – Accounting Tab, page K-98.
• Custom Method List – Uses the accounting methods specified in the Prioritized Method List field.
EXEC accounting records basic details about EXEC sessions, such as the username, date, start and stop times, and the access server IP address.

Generate Accounting Records for

Applies only when Custom Method List is selected as the EXEC method.
Defines when the device sends an accounting notice to the accounting server:
• Start and Stop – Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the start accounting record. This is the default.
• Stop Only – Generates an accounting record at the end of the user process only.
• None – No accounting records are generated.


Prioritized Method List

Applies only when Custom Method List is selected as the EXEC method.
Defines a sequential list of methods to be queried when performing accounting for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
Note
If you select None as a method, it must appear as the last method in the list.

Enable Broadcast to Multiple Servers

Applies only when Custom Method List is selected as the EXEC method.
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

Connection Accounting settings

Perform Connection Accounting Using

The accounting method to use for recording information about outbound connections made over the console line:
• None – Accounting is not performed. This is the default.
• AAA Policy Default List – Uses the default connection accounting method list that is defined in the device's AAA policy. See AAA Page – Accounting Tab, page K-98.
• Custom Method List – Uses the accounting methods specified in the Prioritized Method List field.
Connection accounting records details about outgoing connections over the line, such as Telnet and rlogin connections.


Generate Accounting Records for

Applies only when Custom Method List is selected as the connection method.
Defines when the device sends an accounting notice to the accounting server:
• Start and Stop – Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the start accounting record. This is the default.
• Stop Only – Generates an accounting record at the end of the user process only.
• None – No accounting records are generated.

Prioritized Method List

Applies only when Custom Method List is selected as the connection method.
Defines a sequential list of methods to be queried when performing accounting for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
Note
If you select None as a method, it must appear as the last method in the list.

Enable Broadcast to Multiple Servers

Applies only when Custom Method List is selected as the connection method.
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.


Command Accounting settings

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Privilege Level

The privilege level to which the command accounting definition applies.

Generate Accounting Records for

The points in the process where the device sends an accounting notice to the accounting server.

Enable Broadcast

Whether accounting records are broadcast to multiple servers simultaneously.

Prioritized Method List

The method list to use when accounting for commands issued by users at this privilege level.

Add button

Opens the Command Accounting Dialog Box – Line Access, page K-155. From here you can configure a command accounting definition.

Edit button

Opens the Command Accounting Dialog Box – Line Access, page K-155. From here you can edit the command accounting definition.

Delete button

Deletes the selected command accounting definitions from the table.

Accounting tab buttons

Save button

Saves your changes to the Security Manager server but keeps them private.
Note
To publish your changes, click the Submit button on the toolbar.

VTY Policy Page


Use the VTY page to configure up to 16 VTY lines for remote access to the router.
In addition to configuring individual lines, you can configure a group of lines that
share the same definition.
For more information, see Line Access on Cisco IOS Routers, page 14-89.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Line
Access > VTY from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Device Access >
Line Access > VTY from the Policy Type selector. Right-click VTY to create
a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Console Policy Page, page K-125

Router Platform User Interface Reference, page K-1

Field Reference
Table K-54

VTY Lines Page

Element

Description

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Line

The relative line number of the VTY line. This field may also
contain multiple VTY lines configured as a contiguous group.

Line/Line Group Parameters

Input Protocols

The protocols that you can use for incoming connections on the
VTY line.

Output Protocols

The protocols that you can use for outgoing connections on the VTY
line.

Privilege Level

The privilege level assigned to users.

Exec Timeout

The amount of time the EXEC command interpreter waits until user
input is detected.

Inbound ACL

The ACL used to limit inbound traffic.

Outbound ACL

The ACL used to limit outbound traffic.

Authentication

The type of AAA authentication used.

Authorization

The types of AAA authorization used.

Accounting

The types of AAA accounting used.

VTY Line Page Buttons


Add button

Opens the VTY Line Dialog Box, page K-139. From here you can define a VTY line or line group.

Edit button

Opens the VTY Line Dialog Box, page K-139. From here you can edit the VTY line or line group.

Delete button

Deletes the selected VTY lines from the table.
If you delete a VTY line from an IOS device, any subsequent lines are also deleted. For example, if the device contains lines 0-9 and you delete line 5, lines 6-9 are deleted as well.
Note
If you delete any of the default VTY lines (0-4) on the device, the input protocol settings are retained and the other default settings are restored. This helps prevent you from cutting off remote access to the device.

Save button

Saves your changes to the Security Manager server but keeps them private.
Note
To publish your changes, click the Submit icon on the toolbar.

Tip
To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

VTY Line Dialog Box


Use the VTY Line dialog box to configure one or more VTY lines (up to 16) that
enable remote users to access the router. When you configure a VTY line, you can
define the type of authentication and authorization to perform on users who access
the lines.
Navigation Path

Go to the VTY Policy Page, page K-137, then click the Add or Edit button
beneath the table.

Related Topics

Line Access on Cisco IOS Routers, page 14-89

Console Policy Page, page K-125

Field Reference
Table K-55

VTY Line Dialog Box

Element

Description

Setup tab

Defines the basic configuration of the VTY line or line group. See VTY Line Dialog Box – Setup Tab, page K-140.

Authentication tab

Defines the type of AAA authentication to perform on users who access the VTY line. See VTY Line Dialog Box – Authentication Tab, page K-145.

Authorization tab

Defines the types of AAA authorization to perform on users who access the VTY line. See VTY Line Dialog Box – Authorization Tab, page K-146.

Accounting tab

Defines the types of AAA accounting to perform on users who access the VTY line. See VTY Line Dialog Box – Accounting Tab, page K-149.

OK button

Saves your changes locally on the client and closes the dialog box.
Note
To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

VTY Line Dialog Box – Setup Tab

Use the Setup tab of the VTY Line dialog box to define the basic parameters of the VTY line. This includes the password for accessing the line, the privilege level assigned to users, the protocols that are permitted on the line, and the ACLs that limit access.
Navigation Path

Go to the VTY Line Dialog Box, page K-139, then click the Setup tab.


Related Topics

Defining VTY Line Setup Parameters, page 14-94

VTY Line Dialog Box – Authentication Tab, page K-145

VTY Line Dialog Box – Authorization Tab, page K-146

VTY Line Dialog Box – Accounting Tab, page K-149

Console Page – Setup Tab, page K-126

Field Reference
Table K-56

VTY Line Dialog Box – Setup Tab

Element

Description

Starting VTY Line Number

The relative line number of the VTY line. If you are configuring a group of VTY lines, enter the number of the first line in the group. Valid values range from 0 to 15.
Note
Although different routers support a different number of VTY lines (from four to several thousand), Security Manager supports a maximum of 16 lines per device. You cannot configure the same line number more than once.

Ending VTY Line Number

Applies only when configuring a group of lines.
The relative line number of the last VTY line in the group.
Note
When you configure a group of lines, all the lines in the group must fall within one of two ranges, 0-4 or 6-15. For more information, see Defining Groups of VTY Lines, page 14-94.

Password

The password for accessing this VTY line.
The password is case sensitive and can contain up to 80 alphanumeric characters. The first character cannot be a number. Spaces are not allowed.
Enter the password again in the Confirm field.
A line password is a single secret shared by everyone who uses the line and gives no per-user accountability; where possible, authenticate users through the Authentication tab instead and treat the line password as a fallback only.


Privilege Level

The privilege level assigned to users on this VTY line. Valid values range from 0 to 15:
• 0 – Grants access to these commands only: disable, enable, exit, help, and logout.
• 1 – Enables nonprivileged access to the router (normal EXEC-mode use privileges).
• 15 – Enables privileged access to the router (traditional enable privileges). Assigning level 15 on the line places users who log in on it directly in privileged EXEC mode without the enable password (unless AAA EXEC authorization assigns a different level), so reserve it for lines whose authentication and source restrictions you trust.
Note
Levels 2-14 are not normally used in a default configuration, but custom configurations can be created by moving commands that are normally at level 15 to a lower level and commands that are normally at level 1 to a higher level. You can configure the privilege levels of commands using the CLI or by defining a FlexConfig.
Note
If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration.

Disable all the EXEC sessions to the router via this line

When selected, EXEC sessions are disabled over this line. Select this option when you want to allow only an outgoing connection on this line. This option is useful for keeping a particular line free from unsolicited incoming data that can tie up the line.
When deselected, EXEC sessions are enabled over this line. This is the default.

Exec Timeout

The amount of time (in seconds) that the EXEC command interpreter waits to detect user input on the line. If no input is detected, the line is disconnected. Valid values range from 0 to 2147483. The default is 600 (10 minutes). Setting the value to 0 disables the timeout.
Note
Although the timeout is defined in seconds, it appears in the CLI in the format [mm ss].


Input Protocols

The protocols that you can use for incoming connections on this line:
• All – All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120.
• None – No protocols are permitted. This makes the port unusable by incoming SSH, Telnet, and rlogin connections.
• Protocol – Enables one or more of the following protocols:
  – SSH – Secure Shell protocol.
  – Telnet – Standard TCP/IP terminal emulation protocol.
  – rlogin – UNIX rlogin protocol.
Telnet and rlogin carry credentials and session content in cleartext. On production devices, permit only SSH as an input protocol and pair it with an inbound access list that limits the source addresses allowed to reach the line.
Note
Setting the input protocols setting to None might prevent Security Manager from connecting to the device after deployment. The device can still be managed using SSL, if SSL is enabled in the HTTP policy. See HTTP Page – Setup Tab, page K-119.
Note
SSH and rlogin require that you configure AAA authentication. See VTY Line Dialog Box – Authentication Tab, page K-145.
Note
Not all IOS Software Versions support rlogin as an input protocol.


Output Protocols

The protocols that you can use for outgoing connections on this line:
• All – All supported protocols are permitted. Supported protocols include LAT, MOP, NASI, PAD, rlogin, SSH, Telnet, and V.120.
• None – No protocols are permitted. This makes the port unusable by outgoing connections.
• Protocol – Enables one or more of the following protocols:
  – SSH – Secure Shell protocol.
  – Telnet – Standard TCP/IP terminal emulation protocol.
  – rlogin – UNIX rlogin protocol.
Note
SSH and rlogin require that you configure AAA authentication. See VTY Line Dialog Box – Authentication Tab, page K-145.
Note
Not all IOS Software Versions support rlogin as an output protocol.

Inbound Access List

The ACL that restricts incoming connections on this line. Enter the name of an ACL object, or click Select to display an object selector.
If the extended ACL you want is not listed, click the Create button in the selector to display the Add and Edit Extended Access List Pages, page F-36. From here you can create an extended ACL object.

Permit VRF Interface Connections

Applies only when an inbound ACL is defined on this line.
When selected, accepts incoming connections from interfaces that belong to a VRF. When deselected, rejects incoming connections from interfaces that belong to a VRF.

Outbound Access List

The ACL that restricts outgoing connections on this line. Enter the name of an ACL object, or click Select to display an object selector.
If the extended ACL you want is not listed, click the Create button in the selector to display the Add and Edit Extended Access List Pages, page F-36. From here you can create an extended ACL object.
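As an added example covering both the Console Page – Setup Tab (Table K-50) and the VTY Line Dialog Box – Setup Tab above, the Python code below renders the IOS line commands that these fields map to and enforces the constraints the tables state: the Exec Timeout entered in seconds becomes exec-timeout mm ss, a VTY group must fall within 0-4 or 6-15, and SSH or rlogin in a protocol list requires AAA authentication on the line. It is not Security Manager's own generator. The LineSetup field names are this example's, and the mapping of All/None/Protocol to the transport input|output all|none|<list> keywords and of Permit VRF Interface Connections to access-class ... in vrf-also is this example's reading of the IOS line commands.

```python
"""Render IOS line commands from Console/VTY Setup tab fields and apply the
constraints those tabs describe. Added example; not Security Manager code.
Field names and the CLI keyword mapping are this example's assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LineSetup:
    kind: str                                     # "con" or "vty"
    first: int = 0                                # Starting VTY Line Number (con is 0)
    last: Optional[int] = None                    # Ending VTY Line Number, groups only
    privilege_level: Optional[int] = None         # None: leave the IOS default (1)
    disable_exec: bool = False                    # "Disable all the EXEC sessions" box
    exec_timeout_s: int = 600                     # Exec Timeout, in seconds
    input_protocols: Optional[List[str]] = None   # None=All, []=None, else Protocol list
    output_protocols: Optional[List[str]] = None
    inbound_acl: Optional[str] = None
    permit_vrf: bool = False                      # Permit VRF Interface Connections
    outbound_acl: Optional[str] = None
    aaa_authentication: bool = False              # Authentication tab uses AAA


def exec_timeout_cli(seconds: int) -> str:
    """Seconds in the dialog, 'exec-timeout mm ss' in the CLI."""
    if not 0 <= seconds <= 2147483:
        raise ValueError("Exec Timeout must be between 0 and 2147483 seconds")
    return f"exec-timeout {seconds // 60} {seconds % 60}"


def transport_cli(direction: str, protocols: Optional[List[str]]) -> str:
    """All -> 'all', None -> 'none', Protocol -> the chosen keywords."""
    if protocols is None:
        return f"transport {direction} all"
    if not protocols:
        return f"transport {direction} none"
    return f"transport {direction} " + " ".join(protocols)


def validate(s: LineSetup) -> None:
    """Raise ValueError for anything the Setup tabs say is not allowed."""
    if s.kind == "vty":
        last = s.first if s.last is None else s.last
        if not 0 <= s.first <= last <= 15:
            raise ValueError("VTY lines must lie within 0-15 and first <= last")
        if s.last is not None and not (last <= 4 or s.first >= 6):
            raise ValueError("a VTY line group must fall within 0-4 or 6-15")
    if s.privilege_level is not None and not 0 <= s.privilege_level <= 15:
        raise ValueError("privilege level must be between 0 and 15")
    for protos in (s.input_protocols, s.output_protocols):
        if protos and ({"ssh", "rlogin"} & set(protos)) and not s.aaa_authentication:
            raise ValueError("SSH and rlogin require AAA authentication on the line")


def render(s: LineSetup) -> List[str]:
    """Return the line stanza as a list of CLI commands."""
    validate(s)
    header = f"line {s.kind} {s.first}"
    if s.last is not None:
        header += f" {s.last}"
    cmds = [header]
    if s.privilege_level is not None:
        cmds.append(f" privilege level {s.privilege_level}")
    if s.disable_exec:
        cmds.append(" no exec")
    cmds.append(" " + exec_timeout_cli(s.exec_timeout_s))
    if s.inbound_acl:
        vrf = " vrf-also" if s.permit_vrf else ""
        cmds.append(f" access-class {s.inbound_acl} in{vrf}")
    if s.outbound_acl:
        cmds.append(f" access-class {s.outbound_acl} out")
    if s.kind == "vty":                           # the console has no input transport
        cmds.append(" " + transport_cli("input", s.input_protocols))
    cmds.append(" " + transport_cli("output", s.output_protocols))
    return cmds


if __name__ == "__main__":
    hardened = LineSetup(kind="vty", first=0, last=4, exec_timeout_s=300,
                         input_protocols=["ssh"], output_protocols=[],
                         inbound_acl="MGMT-HOSTS", permit_vrf=True,
                         aaa_authentication=True)
    print("\n".join(render(hardened)))
```

The hardened example in the main block is the shape most VTY policies should take: SSH only on input, no outbound transports, a five-minute idle timeout, and an inbound ACL naming the management hosts. Feeding it a 3-7 group or an SSH transport without AAA authentication raises the same objection the dialog would.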

VTY Line Dialog Box – Authentication Tab

Use the Authentication tab of the VTY Line dialog box to define the authentication methods to perform on users who attempt to access the selected VTY line or group of lines.
Navigation Path

Go to the VTY Line Dialog Box, page K-139, then click the Authentication tab.
Related Topics

Defining VTY Line AAA Settings, page 14-98

VTY Line Dialog Box – Setup Tab, page K-140

VTY Line Dialog Box – Authorization Tab, page K-146

VTY Line Dialog Box – Accounting Tab, page K-149

Console Page – Authentication Tab, page K-129

Field Reference
Table K-57

VTY Line Dialog Box – Authentication Tab

Element

Description

Authenticate Using

Authentication settings for the VTY line:
• None – Authentication is not performed. This is the default.
• Local Database – Uses the local username database for authentication.
• AAA Policy Default List – Uses the default authentication method list that is defined in the device's AAA policy. See AAA Page – Authentication Tab, page K-93.
• Custom Method List – Uses the authentication methods specified in the Prioritized Method List field.
Note
If you select local authentication, preview the full configuration before deployment to make sure that the aaa new-model command is not configured by another policy (for example, by configuring a method list in the AAA policy) or is already configured on the device itself.


Prioritized Method List

Applies only when Custom Method List is selected as the authentication method.
Defines a sequential list of methods to be queried when authenticating a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authenticate users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note
If you select None as a method, it must appear as the last method in the list.

VTY Line Dialog Box – Authorization Tab

Use the Authorization tab of the VTY Line dialog box to define the EXEC and command authorization methods to perform on users who access the selected VTY line or group of lines.

Note
You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 14-72.
Navigation Path

Go to the VTY Line Dialog Box, page K-139, then click the Authorization tab.
Related Topics

Defining VTY Line AAA Settings, page 14-98

VTY Line Dialog Box – Setup Tab, page K-140

VTY Line Dialog Box – Authentication Tab, page K-145


VTY Line Dialog Box – Accounting Tab, page K-149

Console Page – Authorization Tab, page K-131

Field Reference
Table K-58

VTY Line Dialog Box – Authorization Tab

Element

Description

EXEC Authorization settings

Authorize EXEC Operations Using

The authorization method that determines whether a user is allowed to run an EXEC session:
• None – Authorization is not performed. This is the default.
• AAA Policy Default List – Uses the default authorization method list that is defined in the device's AAA policy. See AAA Page – Authorization Tab, page K-94.
• Custom Method List – Uses the authorization methods specified in the Prioritized Method List field.


Prioritized Method List

Applies only when Custom Method List is selected as the EXEC method.
Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note
If you select None as a method, it must appear as the last method in the list.
Note
RADIUS uses the same server for authentication and authorization. Therefore, if you define a RADIUS method list for authentication, you must define the same method list for authorization.

Command Authorization settings

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Privilege Level

The privilege level to which the command authorization definition applies.

Prioritized Method List

The method list to use when authorizing users with this privilege level.

Add button

Opens the Command Authorization Dialog Box – Line Access, page K-153. From here you can configure a command authorization definition.

Edit button

Opens the Command Authorization Dialog Box – Line Access, page K-153. From here you can edit the command authorization definition.

User Guide for Cisco Security Manager 3.1

K-148

OL-11501-03

Appendix K

Router Platform User Interface Reference


VTY Policy Page

Table K-58

VTY Line Dialog BoxAuthorization Tab (continued)

Element

Description

Delete button

Deletes the selected command authorization definitions from the


table.

VTY Line Dialog Box - Accounting Tab

Use the Accounting tab of the VTY Line dialog box to define the EXEC, connection, and command accounting methods to perform on users who access the selected VTY line or group of lines.

Note: You must enable AAA services on the router to use this feature; otherwise, deployment will fail. See Defining AAA Services, page 14-72.

Navigation Path
Go to the VTY Line Dialog Box, page K-139, then click the Accounting tab.

Related Topics
• Defining VTY Line AAA Settings, page 14-98
• VTY Line Dialog Box - Setup Tab, page K-140
• VTY Line Dialog Box - Authentication Tab, page K-145
• Console Page - Accounting Tab, page K-133

Field Reference
Table K-59 VTY Line Dialog Box - Accounting Tab

EXEC Accounting settings

Perform EXEC Accounting Using
The accounting method to use for recording basic information about user EXEC sessions:
• None: Accounting is not performed. This is the default.
• AAA Policy Default List: Uses the default EXEC accounting method list that is defined in the device's AAA policy. See AAA Page - Accounting Tab, page K-98.
• Custom Method List: Uses the accounting methods specified in the Prioritized Method List field.
EXEC accounting records basic details about EXEC sessions, such as the username, date, start and stop times, and the access server IP address.

Generate Accounting Records for
Applies only when Custom Method List is selected as the EXEC method.
Defines when the device sends an accounting notice to the accounting server:
• Start and Stop: Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the start accounting record. This is the default.
• Stop Only: Generates an accounting record at the end of the user process only.
• None: No accounting records are generated.

Prioritized Method List
Applies only when Custom Method List is selected as the EXEC method.
Defines a sequential list of methods to be queried when creating accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
Note: If you select None as a method, it must appear as the last method in the list.

Enable Broadcast to Multiple Servers
Applies only when Custom Method List is selected as the EXEC method.
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

Connection Accounting settings

Perform Connection Accounting Using
The accounting method to use for recording information about outbound connections made over the VTY line:
• None: Accounting is not performed. This is the default.
• AAA Policy Default List: Uses the default connection accounting method list that is defined in the device's AAA policy. See AAA Page - Accounting Tab, page K-98.
• Custom Method List: Uses the accounting methods specified in the Prioritized Method List field.
Connection accounting records details about outgoing connections over the line, such as Telnet and rlogin connections.

Generate Accounting Records for
Applies only when Custom Method List is selected as the connection method.
Defines when the device sends an accounting notice to the accounting server:
• Start and Stop: Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the start accounting record. This is the default.
• Stop Only: Generates an accounting record at the end of the user process only.
• None: No accounting records are generated.

Prioritized Method List
Applies only when Custom Method List is selected as the connection method.
Defines a sequential list of methods to be queried when creating accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
Note: If you select None as a method, it must appear as the last method in the list.

Enable Broadcast to Multiple Servers
Applies only when Custom Method List is selected as the connection method.
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

Command Accounting settings

Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Privilege Level
The privilege level to which the command authorization definition applies.

Generate Accounting Records for
The points in the process where the device sends an accounting notice to the accounting server.

Enable Broadcast
Whether accounting records are broadcast to multiple servers simultaneously.

Prioritized Method List
The method list to use when authorizing users with this privilege level.

Add button
Opens the Command Accounting Dialog Box - Line Access, page K-155. From here you can configure a command accounting definition.

Edit button
Opens the Command Accounting Dialog Box - Line Access, page K-155. From here you can edit the command accounting definition.

Delete button
Deletes the selected command accounting definitions from the table.
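The failover rule that the Prioritized Method List and Enable Broadcast rows above share (move to the next method only when the current one does not respond; with broadcast, reach the first server of every group, failing over inside a group to its backups) is easy to misread, so here is a small simulation of it. This is an added example, not Security Manager's or Cisco IOS's code: the server group names, addresses and canned outcomes are constructed, and reporting "error" when no method answers at all is the simulation's own convention.

```python
"""Simulation of the prioritized AAA method-list behaviour that the VTY Line
dialog box documents for authorization and accounting: methods are tried in
order, a method that fails to respond is skipped, the first method that does
respond decides, and accounting records can be broadcast to the first server
of every group.  Added example: the group names, addresses and canned outcomes
are constructed for the simulation and come from no real device; the "error"
result when every method is silent is this simulation's convention."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

NO_RESPONSE = None   # canned outcome of a server that never answers
MAX_GROUPS = 4       # the field accepts up to four AAA server group objects


@dataclass
class ServerGroup:
    name: str
    # Servers in the group, in order, each with the outcome it returns in this
    # simulation: "permit", "deny", "ack" (an accounting acknowledgement) or
    # NO_RESPONSE.  A responding server ends the search inside the group.
    servers: Dict[str, Optional[str]]

    def first_responder(self) -> Optional[str]:
        """Address of the first server that answers (intra-group failover to
        the backup servers), or None when the whole group is silent."""
        for address, outcome in self.servers.items():
            if outcome is not NO_RESPONSE:
                return address
        return None

    def query(self) -> Optional[str]:
        address = self.first_responder()
        return NO_RESPONSE if address is None else self.servers[address]


Method = Union[ServerGroup, str]   # a server group, or the literal "none"


def method_list_errors(methods: List[Method]) -> List[str]:
    """The two constraints the field documents: at most four server groups,
    and 'none' only as the last entry."""
    errors = []
    groups = [m for m in methods if isinstance(m, ServerGroup)]
    if len(groups) > MAX_GROUPS:
        errors.append("at most four AAA server groups are allowed")
    if "none" in methods and methods.index("none") != len(methods) - 1:
        errors.append("'none' must be the last method in the list")
    return errors


def authorize(methods: List[Method]) -> str:
    """Walk the list in order.  A method that responds decides (permit or
    deny); only a method that fails to respond causes fallthrough to the next
    one.  'none' performs no authorization, so the user is permitted."""
    errors = method_list_errors(methods)
    if errors:
        raise ValueError("; ".join(errors))
    for method in methods:
        if method == "none":
            return "permit"
        verdict = method.query()
        if verdict is not NO_RESPONSE:
            return verdict
    return "error"        # every method silent: nothing ever answered


def send_accounting(groups: List[ServerGroup], broadcast: bool) -> List[str]:
    """Addresses that receive an accounting record.  With broadcast, the first
    responding server of every group gets a copy; without it, only the first
    group that responds, reached by the same method-by-method fallthrough."""
    errors = method_list_errors(groups)
    if errors:
        raise ValueError("; ".join(errors))
    delivered = []
    for group in groups:
        address = group.first_responder()
        if address is None:
            continue          # whole group down: try the next method
        delivered.append(address)
        if not broadcast:
            break
    return delivered


if __name__ == "__main__":
    # Constructed sample groups; the addresses are documentation-only examples.
    tacacs = ServerGroup("tacacs-grp", {"192.0.2.10": NO_RESPONSE, "192.0.2.11": "deny"})
    radius = ServerGroup("radius-grp", {"192.0.2.20": "permit"})
    dead = ServerGroup("dead-grp", {"192.0.2.30": NO_RESPONSE})
    print(authorize([tacacs, radius]))          # deny: the TACACS+ backup answered
    print(authorize([dead, radius]))            # permit: the silent group was skipped
    print(send_accounting([dead, tacacs, radius], broadcast=True))
```

The point worth noticing is that a "deny" from a reachable server is final: the device does not keep walking the list looking for a server that says yes, and only an unreachable method opens the next one. That is also why "none" has to be last; placed earlier it would short-circuit every method after it.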

Command Authorization Dialog Box - Line Access

Use the Command Authorization dialog box to define which methods to use when authorizing the EXEC commands that are associated with a given privilege level. This enables you to authorize all commands associated with a specific privilege level, from 0 to 15.

Navigation Path
From the Console Page - Authorization Tab, page K-131 or the VTY Line Dialog Box - Authorization Tab, page K-146, click the Add button beneath the Command Authorization table.

Related Topics
• Console Policy Page, page K-125
• VTY Policy Page, page K-137

Field Reference
Table K-60 Command Authorization Dialog Box - Line Access

Privilege Level
The privilege level for which you want to define a command authorization list. Valid values range from 0 to 15.
Note: If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration.

AAA Policy Default List
Select this option to apply the default authorization list defined in the device's AAA policy to the EXEC commands associated with this privilege level. See Command Accounting Dialog Box, page K-101.

Custom Method List
Select this option to define an authorization method list for this privilege level.

Prioritized Method List
Applies only when the Custom Method List option is selected.
Defines a sequential list of methods to be queried when authorizing a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to authorize users using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note: If you select None as a method, it must appear as the last method in the list.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Command Accounting Dialog Box - Line Access

Use the Command Accounting dialog box to define which methods to use when recording information about the EXEC commands that are executed for a given privilege level. Each accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the name of the user who executed it.

Navigation Path
From the Console Page - Accounting Tab, page K-133 or the VTY Line Dialog Box - Accounting Tab, page K-149, click the Add button beneath the Command Accounting table.

Related Topics
• Console Policy Page, page K-125
• VTY Policy Page, page K-137

Field Reference
Table K-61 Command Accounting Dialog Box - Line Access

Privilege Level
The privilege level for which you want to define a command accounting list. Valid values range from 0 to 15.
Note: If you do not define a value, level 1 is assigned by default. This value does not appear in the device configuration.

AAA Policy Default List
Select this option to apply the default accounting list defined in the device's AAA policy to the EXEC commands executed for this privilege level.

Custom Method List
Select this option to define an accounting method list for this privilege level.

Generate Accounting Records for
Applies only when Custom Method List is selected.
Defines when the device sends an accounting notice to the accounting server:
• Start and Stop: Generates accounting records at the beginning and the end of the user process. The user process begins regardless of whether the accounting server receives the start accounting record. This is the default.
• Stop Only: Generates an accounting record at the end of the user process only.
• None: No accounting records are generated.

Prioritized Method List
Applies only when the Custom Method List option is selected.
Defines a sequential list of accounting methods to be used when creating accounting records for a user. Enter the names of one or more AAA server group objects (up to four), or click Select to display an object selector. Use the up and down arrows in the object selector to define the order in which the selected server groups should be used.
The device tries initially to perform accounting using the first method in the list. If that method fails to respond, the device tries the next method, and so on, until a response is received.
If the AAA server group you want is not listed, click the Create button in the selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.
Note: If you select None as a method, it must appear as the last method in the list.

Enable Broadcast to Multiple Servers
Applies only when Custom Method List is selected.
When selected, enables the sending of accounting records to multiple AAA servers. Accounting records are sent simultaneously to the first server in each AAA server group defined in the method list. If the first server is unavailable, failover occurs using the backup servers defined within that group.
When deselected, accounting records are sent only to the first server in the first AAA server group defined in the method list.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Secure Shell Policy Page

Use the Secure Shell page to change the default SSH settings on the router and to define additional optional settings, if required.
For more information, see Optional SSH Settings on Cisco IOS Routers, page 14-100.

Note: You must configure SSH on the device using CLI commands before adding the device to Security Manager. This is because Security Manager uses SSH (as well as SSL) to communicate with Cisco IOS routers. For more information, see Setting Up SSH, page 5-9.

Navigation Path
• (Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Policy selector.
• (Policy view) Select Router Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Right-click Secure Shell to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics
• Preparing the Devices for Security Manager to Manage, page 5-2
• VTY Policy Page, page K-137
• Console Policy Page, page K-125
• Router Platform User Interface Reference, page K-1

Field Reference
Table K-62 Secure Shell Page

SSH Version
The version of SSH to use when connecting to the router:
• 1 and 2: SSH version 1 and SSH version 2. This is the default.
• 1: SSH version 1 only.
• 2: SSH version 2 only.

Timeout
The amount of time the router should wait for the SSH client to respond during the negotiation phase before disconnecting. The default value (and the maximum) is 120 seconds.
Note: After negotiation finishes and the EXEC session begins, the timeout configured for the VTY line applies. See VTY Line Dialog Box - Setup Tab, page K-140.

Authentication Retries
The number of times the router attempts to authenticate SSH clients. Valid values range from 0 to 5. The default is 3.

Source Interface
The source address for all SSH packets sent to the SSH client.
If you do not define a value in this field, the address of the closest interface to the destination (that is, the output interface through which SSH packets are sent) is used.
Enter the name of an interface or interface role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-419. From here you can define an interface role object.

RSA Key Pair
The name of the RSA key pair to use for SSH connections.
If you do not enter a value, the router uses the RSA key pair generated from its hostname and domain name. This is the default.
Tip: Use the CLI command show crypto key mypubkey rsa to display the names and values of each key pair configured on the device. These are the valid names that can be entered in this field.

Regenerate Key During Deployment
When selected, regenerates the RSA key pair on the router during the next deployment. This option is useful if you are concerned that the secrecy of the keys might be compromised.
When deselected, a new key pair is not generated.
Note: This check box is not deselected automatically after deployment. If you do not return to this policy to deselect the check box, the key is regenerated each time you deploy.
Note: This option requires interaction with the device during deployment. Therefore, you should use it only when deploying to live devices, not when deploying to a file.
Note: A key pair must already exist on the device before you select this option; otherwise, deployment will fail. (This will typically be the case, since IOS routers must have SSH enabled in order to be added to Security Manager.)

Modulus Size
Applies only when the Regenerate Key check box is selected.
The size of the modulus used to generate a new key pair. A larger modulus is more secure but takes longer to generate. Valid values range from 360 to 2048 bits. The default is 1024 bits.

Save button
Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
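A checker for the fields of the Secure Shell page, added here as an example; it is not Security Manager's own validation. It encodes the documented ranges and the three notes on Regenerate Key, and additionally flags two choices a defender would revisit: leaving SSH version 1 enabled (which both the default "1 and 2" and "1" do) and a modulus below 2048 bits. The 2048-bit recommendation, the 1-second timeout minimum and the "Deploy to File" key are assumptions of the example, not values from the page, which states only the maximum timeout and that a larger modulus is more secure.

```python
"""Checks a Secure Shell policy against the ranges and caveats documented for
the Secure Shell page and flags settings a defender would want to revisit.
Added example: the dictionary keys are the page's field labels, the policies
are constructed, and MODULUS_RECOMMENDED, TIMEOUT_MIN and "Deploy to File" are
assumptions rather than values stated on the page.  This is not Security
Manager's own validation code."""
from typing import Dict, List

VERSIONS = ("1 and 2", "1", "2")       # the SSH Version choices; "1 and 2" is the default
TIMEOUT_MIN, TIMEOUT_MAX = 1, 120      # seconds; 120 is both the default and the maximum
RETRIES_MIN, RETRIES_MAX = 0, 5        # authentication retries; default 3
MODULUS_MIN, MODULUS_MAX = 360, 2048   # bits; default 1024
MODULUS_RECOMMENDED = 2048             # assumption: current practice, not from the page

# Page defaults for every field, so a partial policy can be checked.
DEFAULTS = {"SSH Version": "1 and 2", "Timeout": 120, "Authentication Retries": 3,
            "Regenerate Key": False, "Modulus Size": 1024, "Deploy to File": False}


def check_ssh_policy(policy: Dict[str, object]) -> List[str]:
    """Return finding codes in a fixed order:
    invalid:*  outside the documented range, or would make deployment fail;
    weak:*     deploys, but leaves the router weaker than the page allows;
    note:*     an operational caveat taken from the page's notes."""
    p = {**DEFAULTS, **policy}
    findings: List[str] = []

    version = p["SSH Version"]
    if version not in VERSIONS:
        findings.append("invalid:ssh-version")
    elif version != "2":
        # Both the default and "1" keep SSH version 1 enabled on the router.
        findings.append("weak:sshv1-allowed")

    if not TIMEOUT_MIN <= int(p["Timeout"]) <= TIMEOUT_MAX:
        findings.append("invalid:timeout")
    if not RETRIES_MIN <= int(p["Authentication Retries"]) <= RETRIES_MAX:
        findings.append("invalid:retries")

    if p["Regenerate Key"]:
        modulus = int(p["Modulus Size"])      # Modulus Size applies only when regenerating
        if not MODULUS_MIN <= modulus <= MODULUS_MAX:
            findings.append("invalid:modulus")
        elif modulus < MODULUS_RECOMMENDED:
            findings.append("weak:modulus")
        if p["Deploy to File"]:
            # Regeneration needs a live session with the device (page note).
            findings.append("invalid:regenerate-needs-live-device")
        # The check box is not cleared after deployment, so every later
        # deployment regenerates the key again until someone deselects it.
        findings.append("note:regenerate-persists")
    return findings


if __name__ == "__main__":
    # Constructed policies: the page defaults, a hardened policy, and a broken one.
    print(check_ssh_policy({}))
    print(check_ssh_policy({"SSH Version": "2", "Timeout": 60,
                            "Regenerate Key": True, "Modulus Size": 2048}))
    print(check_ssh_policy({"SSH Version": "2", "Timeout": 300, "Authentication Retries": 9,
                            "Regenerate Key": True, "Modulus Size": 512}))
```

Run against an empty policy the checker reports only that SSH version 1 is still allowed, which is the one thing the page's defaults leave open; a policy that selects version 2 and regenerates a 2048-bit key comes back clean apart from the reminder that the Regenerate Key box stays set.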

SNMP Policy Page

Use the SNMP page to configure the parameters necessary to send traps from the router to a designated SNMP host. These traps are unsolicited messages that notify the SNMP host of important events occurring on the router.
For more information, see Defining SNMP Agent Properties, page 14-104.

Navigation Path
• (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector.
• (Policy view) Select Router Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Right-click SNMP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics
• SNMP on Cisco IOS Routers, page 14-103
• Router Platform User Interface Reference, page K-1

Field Reference
Table K-63 SNMP Page

Permissions table

Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Community String
The community string used for accessing the router's MIB.

Type
The community string type: read-only or read-write.

ACL
The standard ACL that defines the IP addresses permitted to access the router's MIB.

Add button
Opens the Permission Dialog Box, page K-162. From here you can enter the community string and type required to generate traps.

Edit button
Opens the Permission Dialog Box, page K-162. From here you can edit the selected permissions profile.

Delete button
Deletes the selected permissions profiles from the table.

Trap Receiver table

Filter
Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Host IP Address
The IP address of the SNMP host receiving the traps generated by the router.

SNMP Version
The SNMP version being used by the router.

UDP Port
The UDP port that is being used by the SNMP host.

Add button
Opens the Trap Receiver Dialog Box, page K-163. From here you can define the SNMP host that receives the traps generated by the router.

Edit button
Opens the Trap Receiver Dialog Box, page K-163. From here you can edit the selected SNMP host.

Delete button
Deletes the selected SNMP hosts from the table.

Additional fields and buttons

SNMP Server Properties
The name and contact information of the system administrator responsible for the SNMP server/agent (that is, the router). The person managing the SNMP host can use this information when tracking down the source of unusual events.
The maximum length of each of these properties is 255 characters, including spaces.
Note: The values entered in these fields are text-only and do not affect the operation of the router.

Configure Traps button
Opens a dialog box for selecting which SNMP traps the router should generate. See SNMP Traps Dialog Box, page K-165.

Save button
Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

Permission Dialog Box

Use the Permission dialog box to define the community string and string type required by the SNMP policy. The community string is an embedded password for accessing the Management Information Base (MIB) that stores operational data about the router.

Navigation Path
Go to SNMP Policy Page, page K-160, then click the Add or Edit button beneath the Permissions table.

Related Topics
• SNMP Policy Page, page K-160
• Trap Receiver Dialog Box, page K-163
• SNMP Traps Dialog Box, page K-165
• Defining SNMP Agent Properties, page 14-104
• SNMP on Cisco IOS Routers, page 14-103

Field Reference
Table K-64 Permission Dialog Box

Community String
The community string for accessing the router's MIB. String length ranges from 1 to 128 characters.

Access Control Lists
Applies only to routers running Cisco IOS Software Release 12.3(2)T and up (T-train) or any 12.4 version.
The standard ACL containing the IP addresses that can access the router's MIB. Defining an ACL provides an additional layer of security by limiting the source addresses that can make use of the community string.
Enter the name of an ACL object, or click Select to display an object selector.
If the standard ACL you want is not listed, click the Create button in the selector to display the Standard Tab, page F-43. From here you can create an ACL object.

Read-Write
This community string type provides read-write access to all objects in the MIB (except community strings).

Read-Only
This community string type provides read-only access to all objects in the MIB (except community strings). This is the default.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
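To make concrete why the Access Control Lists row above calls the ACL an additional layer of security, here is a simulation of the checks a router applies to an incoming SNMP request under these permissions: community string lookup, standard-ACL matching of the source address with IOS wildcard masks (including the implicit deny at the end of every ACL), and the read-only versus read-write distinction. This is an added example, not the router's or Security Manager's code; the community strings, ACL entries and addresses are constructed, and dropping an ACL-denied request without raising an authentication trap is an assumption of the simulation.

```python
"""Simulation of how a router decides whether to honour an SNMP request under
the permissions defined in the Permission dialog box: the community string must
be known, a standard ACL attached to it must permit the source address, and a
set request needs a read-write string.  Added example: the community strings,
ACL entries and addresses below are constructed and this is not the router's or
Security Manager's code; treating an ACL mismatch as a silent drop (no
authentication trap) is an assumption of the simulation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One line of a standard ACL.  wildcard uses IOS semantics: a 0 bit must
    match the network address, a 1 bit is ignored ('any' is 0.0.0.0 with
    wildcard 255.255.255.255, 'host X' is X with wildcard 0.0.0.0)."""
    action: str       # "permit" or "deny"
    network: str
    wildcard: str

    def matches(self, source: str) -> bool:
        src = int(ipaddress.IPv4Address(source))
        net = int(ipaddress.IPv4Address(self.network))
        wild = int(ipaddress.IPv4Address(self.wildcard))
        return ((src ^ net) & ~wild & 0xFFFFFFFF) == 0


def acl_permits(acl: List[AclEntry], source: str) -> bool:
    """First matching entry wins; no match means the implicit deny at the end."""
    for entry in acl:
        if entry.matches(source):
            return entry.action == "permit"
    return False


@dataclass
class Permission:
    community: str
    access: str                           # "ro" (the default) or "rw"
    acl: Optional[List[AclEntry]] = None  # None: no source restriction at all


def evaluate_request(kind: str, community: str, source: str,
                     permissions: List[Permission]) -> Tuple[str, bool]:
    """Return (decision, authentication_trap) for a "get" or "set" request.
    An unknown community string is the condition the Authentication trap in
    the SNMP Traps dialog box reports, so only that case raises the flag."""
    perm = next((p for p in permissions if p.community == community), None)
    if perm is None:
        return "deny:bad-community", True
    if perm.acl is not None and not acl_permits(perm.acl, source):
        return "deny:acl", False          # assumption: dropped without a trap
    if kind == "set" and perm.access != "rw":
        return "deny:read-only", False
    return "permit", False


# Constructed sample Permissions table: a read-only string limited to the
# management subnet, a read-write string limited to one NMS host, and a
# legacy string with no ACL, which anyone who knows the string may use.
PERMISSIONS = [
    Permission("public", "ro", [AclEntry("permit", "192.0.2.0", "0.0.0.255")]),
    Permission("private", "rw", [AclEntry("permit", "192.0.2.10", "0.0.0.0")]),
    Permission("legacy", "ro"),
]

if __name__ == "__main__":
    for kind, community, source in [("get", "public", "192.0.2.55"),
                                    ("get", "public", "198.51.100.7"),
                                    ("set", "public", "192.0.2.55"),
                                    ("get", "legacy", "203.0.113.9"),
                                    ("get", "nosuch", "192.0.2.10")]:
        print(kind, community, source, evaluate_request(kind, community, source, PERMISSIONS))
```

The "legacy" entry is the case the ACL row is warning about: with no ACL, knowledge of the string is the only control, so a request from any address that can reach the router succeeds. Attaching even a one-line standard ACL turns that into a two-factor check, and the Authentication trap from the SNMP Traps dialog box gives the receiver visibility into guesses that fail the first factor.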

Trap Receiver Dialog Box

Use the Trap Receiver dialog box to define the SNMP hosts that receive traps generated by the router. This includes defining the version of SNMP to use.

Navigation Path
Go to the SNMP Policy Page, page K-160, then click the Add or Edit button beneath the Trap Receiver table.

Related Topics
• SNMP Policy Page, page K-160
• Permission Dialog Box, page K-162
• SNMP Traps Dialog Box, page K-165
• Defining SNMP Agent Properties, page 14-104
• SNMP on Cisco IOS Routers, page 14-103

Field Reference
Table K-65 Trap Receiver Dialog Box

Host IP Address
The IP address of the SNMP host receiving the traps generated by the router. Enter an IP address or the name of a network/host object, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here you can define a network/host object.

SNMP Version
The version of SNMP to use: version 1, version 2c, or version 3.

Community String
Applies only when version 1 or version 2c is selected.
The password required to access the SNMP host. Enter the string again in the Confirm field.
Note: We recommend that you use one of the strings defined in the Permissions table as the password to the SNMP host. You may, however, enter a different password. String length ranges from 1 to 128 characters. Your entry does not appear in the Permissions table and is read-only.

User Name
Applies only when version 3 is selected.
The password required to access the SNMP host. Enter the string again in the Confirm field.
Note: We recommend that you use one of the strings defined in the Permissions table as the password to the SNMP host. You may, however, enter a different password. String length ranges from 1 to 128 characters. Your entry does not appear in the Permissions table and is read-only.

SNMPv3 Security
Applies only when version 3 is selected.
The level of security to apply to SNMP traffic:
• No MD5, No DES: No packet authentication.
• MD5 (auth): MD5 authentication, but no encryption.
• DES (priv): MD5 authentication and DES encryption.

UDP Port
The port number for the SNMP host. The default is 162. Valid values range from 0 to 65535.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

SNMP Traps Dialog Box

Use the SNMP Traps dialog box to select the events in the router that should generate SNMP traps.

Tip: You can configure SNMP traps not included in this dialog box by defining FlexConfigs. For more information, see Understanding FlexConfig Objects, page 8-52.

Note: To lessen possible degradation of system performance, select only those traps that are needed for network monitoring purposes.

Navigation Path
Go to the SNMP Policy Page, page K-160, then click Configure Traps.

Related Topics
• SNMP Policy Page, page K-160
• Permission Dialog Box, page K-162
• Trap Receiver Dialog Box, page K-163
• Enabling SNMP Traps, page 14-106
• SNMP on Cisco IOS Routers, page 14-103

Field Reference
Table K-66 SNMP Traps Dialog Box

Standard SNMP Traps
Enables or disables standard SNMP traps. Options are:
• Cold start: Sends a trap when the router reinitializes in a way that could change the configuration of the SNMP agent (or any other trap-receiving entity).
• Warm start: Sends a trap when the router reinitializes in a way that does not change the configuration of the SNMP agent (or any other trap-receiving entity).
• Authentication: Sends a trap if an SNMP request from the SNMP host fails because of an invalid community string.

IPsec Traps
Enables or disables individual IPsec-related traps. Options are:
• Cryptomap: Sends a trap when a crypto map entry is added to, or removed from, the device's crypto map set. Additionally, this option sends a trap when a crypto map set is attached to, or detached from, an active interface.
• Too Many SAs: Sends a trap if an attempt is made to create a security association (SA) when there is insufficient memory on the device.
• Tunnel: Sends a trap when an IPsec Phase 2 tunnel becomes active or inactive.
For more information, see Understanding IPsec Tunnel Policies, page 9-72.

ISAKMP Traps
Enables or disables individual Internet Security Association and Key Exchange Protocol (ISAKMP) traps. Options are:
• Policy: Sends a trap when an ISAKMP policy is created or deleted.
• Tunnel: Sends a trap when a Phase 1 IKE tunnel becomes active or inactive.
For more information, see Understanding IKE, page 9-67.

Other Traps
Enables or disables additional SNMP traps. Options are:
• Syslog: Sends syslog messages to the SNMP host.
• TTY: Sends Cisco-specific notifications when a Transmission Control Protocol (TCP) connection closes.
• BGP: Sends notifications when Border Gateway Protocol (BGP) state changes occur. See BGP Routing on Cisco IOS Routers, page 14-181.
• IP Multicast: (Applicable to multicast routers only) Sends a trap if the router fails to receive a defined number of heartbeat packets from heartbeat sources within a defined time interval.
• CPU: Sends a trap when CPU usage rises and remains above an upper threshold or falls and remains below a lower threshold.
• HSRP: Sends Hot Standby Routing Protocol (HSRP) notifications. Most Cisco 800 Series routers do not support the HSRP trap.
Note: To implement the IP multicast and CPU traps, you must define additional command-line interface (CLI) commands (ip multicast heartbeat and cpu threshold, respectively) using FlexConfigs or the CLI. For more information about the ip multicast heartbeat command, see Cisco IOS IP Command Reference, Volume 3 of 3: Multicast. For more information about the cpu threshold command, see CPU Thresholding Notification. Both of these documents are available on Cisco.com.

Select All button
Enables all the SNMP traps displayed in the dialog box.

Deselect All button
Disables all the SNMP traps displayed in the dialog box.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

DNS Policy Page


Use the DNS policy page to define the local IP host table and the Domain Name
System (DNS) servers that the router should use for translating hostnames to IP
addresses. You can also prevent the router from performing DNS lookups by
disabling the DNS feature.
Navigation Path

(Device view) Select Platform > Device Admin > DNS from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > DNS from the
Policy Type selector. Right-click DNS to create a policy, or select an existing
policy from the Shared Policy selector.

Related Topics

DNS on Cisco IOS Routers, page 14-107

Router Platform User Interface Reference, page K-1


Field Reference
Table K-67

DNS Page

Element

Description

Servers

The DNS servers used by the router to perform DNS lookups. Enter
one or more addresses or network/host objects, or click Select to
display an object selector. You can define a maximum of six DNS
servers.
If the address you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-433. From
here, you can define a network/host object.

Hosts

The local host table configured on the router. When a user types in
a hostname, the router checks this table first before querying the
DNS servers defined in the Servers field.
Click Add to display the IP Host Dialog Box, page K-169. From
here you can define a hostname and the IP addresses to associate
with that hostname.
Note
To edit an entry in the host table, select it, then click Edit. To remove an entry, select it, then click Delete.

Domain Lookup

When selected, the router performs lookups on the defined DNS servers. This is the default.
When deselected, lookups on remote DNS servers are disabled.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note
To publish your changes, click the Submit icon on the toolbar.

IP Host Dialog Box


Use the IP Host dialog box to configure the host table on the router. This is the
table of static, local mappings that the router uses to translate hostnames to IP
addresses. If the router does not find the required entry in the host table, it queries
the DNS servers that are defined on the DNS page.


Navigation Path

Go to the DNS Policy Page, page K-168, then click Add under Hosts.
Related Topics

DNS on Cisco IOS Routers, page 14-107

Field Reference
Table K-68

IP Host Dialog Box

Element

Description

Host Name

The hostname to include in the router's local host table.

Addresses

The addresses to associate with the hostname. Enter one or more addresses or network/host objects, or click Select to display an object selector. You can define a maximum of three addresses per hostname.
If the address you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here, you can define a network/host object.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Hostname Policy Page


Use the Hostname page to define the hostname and domain name assigned to the
router. For more information, see Defining Hostname Policies, page 14-110.
Navigation Path

(Device view) Select Platform > Device Admin > Hostname from the
Policy selector.

(Policy view) Select Router Platform > Device Admin > Hostname from
the Policy Type selector. Right-click Hostname to create a policy, or select
an existing policy from the Shared Policy selector.


Related Topics

Hostnames and Domain Names on Cisco IOS Routers, page 14-109

Router Platform User Interface Reference, page K-1

Field Reference
Table K-69

Hostname Page

Element

Description

Host Name

The hostname of the router.
Names must start with a letter, end with a letter or digit, and include only letters, digits, and hyphens. The maximum length is 63 characters.

Domain Name

The default domain name of the router. The maximum length is 63 characters.
The router uses this domain name for RSA key generation and in policies when you do not enter the fully-qualified domain name (FQDN).

Save button

Saves your changes to the Security Manager server but keeps them private.

Note
To publish your changes, click the Submit icon on the toolbar.

Memory Policy Page


Use the Memory page to define settings related to router memory, including:

The amount of time to retain the memory log.

The thresholds for available processor and I/O memory.

The amount of memory reserved for critical log messages.

Whether to perform sanity checks on buffers and queues.

Whether to enable the memory-allocation lite feature.

For more information, see Defining Router Memory Settings, page 14-111.


Navigation Path

(Device view) Select Platform > Device Admin > Memory from the Policy
selector.

(Policy view) Select Router Platform > Device Admin > Memory from the
Policy Type selector. Right-click Memory to create a policy, or select an
existing policy from the Shared Policy selector.

Related Topics

Memory Settings on Cisco IOS Routers, page 14-111

CPU Policy Page, page K-114

Logging Setup Policy Page, page K-207

Syslog Servers Policy Page, page K-212

Router Platform User Interface Reference, page K-1

Field Reference
Table K-70

Memory Page

Element

Description

Maintain Memory Log

The number of hours that the router should maintain the log containing the history of memory consumption on the device. Valid values range from 12 to 72 hours. The default is 24 (1 day).

Note
The memory log is enabled by default and cannot be disabled.

Processor Threshold

The processor memory threshold in kilobytes. When available processor memory falls below this threshold, a notification message is triggered. Valid values range from 1 to 4294967295 kilobytes (4096 gigabytes).

Note
Another notification message is generated when available free memory rises to 5% above the threshold.


I/O Threshold

The I/O memory threshold in kilobytes. When available processor memory falls below this threshold, a notification message is triggered. Valid values range from 1 to 4294967295 kilobytes (4096 gigabytes).

Note
Another notification message is generated when available free memory rises to 5% above the threshold.

Memory Allocation Lite

When selected, the memory-allocation lite (malloc_lite) feature on the router is enabled. This feature avoids excessive memory allocation overhead for situations where less than 128 bytes are required. This is the default.
When deselected, the memory-allocation lite feature is disabled.

Note
This feature is supported for processor memory pools only.

Memory Region For Critical Notifications

The amount of memory (in kilobytes) reserved for critical system log messages. Valid values range from 1 to 4294967295 kilobytes (4096 gigabytes), but the value you specify cannot exceed 25% of total memory.
This option reserves a region of memory on the router so that the router can issue critical system log messages even when system resources are overloaded.


Perform Sanity Checks

The types of sanity checks to perform:

Buffer - When selected, performs sanity checks on all buffers. Sanity checks are performed when a packet buffer is allocated and when the packet buffer is returned to the buffer pool.

Queue - When selected, performs sanity checks on all queues.

All - When selected, performs sanity checks on all buffers and queues.

Note
Enabling any of these options may result in a slight degradation of router performance.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note
To publish your changes, click the Submit button on the toolbar.

Secure Device Provisioning Policy Page


Secure Device Provisioning (SDP) policies (formerly known as Easy Secure Device Deployment or EzSDD) enable you to configure a Cisco IOS router as a registrar. This is the SDP component that retrieves bootstrap configurations for petitioners, which are remote-site devices that are enrolling in the network security infrastructure. These devices use the bootstrap configuration for first-time configuration purposes. The registrar also verifies the identity of the introducer, which is the user who introduces the petitioner to the registrar.
For more information, see Defining Secure Device Provisioning Policies, page 14-115.
Navigation Path

(Device view) Select Platform > Device Admin > Secure Device
Provisioning from the Policy selector.


(Policy view) Select Router Platform > Device Admin > Secure Device
Provisioning from the Policy Type selector. Right-click Secure Device
Provisioning to create a policy, or select an existing policy from the Shared
Policy selector.

Related Topics

Secure Device Provisioning on Cisco IOS Routers, page 14-112

Router Platform User Interface Reference, page K-1

Secure Device Provisioning Workflow, page 14-114

Understanding AAA Server Group Objects, page 8-16

Understanding PKI Enrollment Objects, page 8-136

Understanding FlexConfig Objects, page 8-52


Field Reference
Table K-71

Secure Device Provisioning Page

Element

Description

Introducer Authentication (AAA)

The AAA server group that authenticates the username and password supplied by the introducer. Enter the name of a AAA server group object, or click Select to display an object selector.
If the server you want is not listed, click the Create button in either selector to display the AAA Server Group Dialog Box, page F-14. From here you can define a AAA server group object.

Note
Each AAA server in the selected group must be configured to communicate with an interface that exists on the router; otherwise, validation fails.

Note
To configure a separate AAA server group for authenticating administrative introducers, see Configuring a AAA Server Group for Administrative Introducers, page 14-119.

Petitioner Authentication

The CA server that authenticates the identity of the petitioner:

Local CA Server - Select this option when the router itself is already configured to act as the CA server. Enter the name of the local CA in the field provided.

Note
If you have not configured the router as the CA server, enter the command Crypto pki server [name] using the CLI or FlexConfigs. This command is mandatory when you deploy an SDP policy configured with a local CA server.

Remote CA Server - Select this option when using an external CA server. Enter the name of a PKI enrollment object, or click Select to display an object selector.
If the server you want is not listed, click the Create button in either selector to display the PKI Enrollment Dialog Box, page F-437. From here you can define a PKI enrollment object.


Introduction Page

The source of the introduction page to display to the introducer after authorization is performed:

Use default introduction page - Uses a default page provided with Security Manager.

Specify introduction page URL - Uses the introduction page specified in the URL field. Supported protocols include: FTP, HTTP, HTTPS, null, NVRAM, RCP, SCP, system, TFTP, Webflash, and XMODEM.


Bootstrap Configuration

The source of the bootstrap configuration to provide to the petitioner for first-time configuration:

Non-Security Manager URL - Used when the bootstrap configuration is located externally to Security Manager. Enter its location in the URL field.
If required, enter a username and password to access the server containing the bootstrap configuration.

Security Manager URL - Used when Security Manager is providing the bootstrap configuration. Enter information in the following fields:

FlexConfig - The FlexConfig that contains the basic CLI structure required to create the bootstrap configuration. Enter the name of a FlexConfig object, or click Select to display a selector.
After selecting the FlexConfig, you must enter a username and password to access the Security Manager server that contains the FlexConfig.

Device name formula - The formula required by Security Manager to determine the device name of the petitioner from the username that the introducer supplied. Typically a fixed relationship exists between the username and the device name, which enables a formula like this to be established. The default formula is $n, which uses the introducer name to determine the device name. The device name is required to determine the configuration file that the petitioner should receive.

If required, enter a username and password to access the server containing the bootstrap configuration. The password can contain alphanumeric characters, but cannot consist of a single digit.


Save button

Saves your changes to the Security Manager server but keeps them private.

Note
To publish your changes, click the Submit button on the toolbar.

DHCP Policy Page


Use the DHCP policy page to define a DHCP server policy on the selected router.
This includes specifying the address pools used by the DHCP server when
assigning addresses to requesting clients.
For more information, see Defining DHCP Policies, page 14-123.
Navigation Path

(Device view) Select Platform > Device Admin > Server Access > DHCP
from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Server Access >
DHCP from the Policy Type selector. Right-click DHCP to create a policy,
or select an existing policy from the Shared Policy selector.

Related Topics

DHCP on Cisco IOS Routers, page 14-119

Router Platform User Interface Reference, page K-1

Field Reference
Table K-72

DHCP Policy Page

Element

Description

Databases Table

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Database URL

The URL of the external DHCP database agent.


Timeout

The amount of time to wait (in seconds) for a response from the
external DHCP database agent before aborting a database transfer.

Write Delay

The interval (in seconds) between DHCP assignment updates sent to the external DHCP database agent.

Add button

Opens the DHCP Database Dialog Box, page K-182. From here you
can define a DHCP database agent.

Edit button

Opens the DHCP Database Dialog Box, page K-182. From here you
can edit the selected DHCP database agent.

Delete button

Deletes the selected DHCP database agents.

Excluded IPs

Excluded IPs or IP Ranges

The IP addresses and/or address ranges to exclude from DHCP. These addresses are not assigned by the DHCP server to DHCP clients requesting addresses.
Enter one or more network addresses or network/host objects, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here, you can define a network/host object.
For more information, see Specifying IP Addresses During Policy Definition, page 8-135 and Supported IP Address Formats, page 8-128.

IP Pools Table

Filter

Enables you to filter the information displayed in the table. For


more information, see Filtering Tables, page 3-24.

Name

The name of the IP pool.

Network

The IP address and subnet mask of the IP pool.

Default Router

The IP addresses of the default routers used by DHCP clients.

DNS Server

The IP addresses of the DNS servers used by DHCP clients.

NetBIOS (WINS) Server

The IP addresses of the Windows Internet Naming Service (WINS) servers used by Microsoft DHCP clients.


Domain Name

The domain name for DHCP clients.

Import All

Indicates whether the remote DHCP server imports certain DHCP options from a centralized DHCP server.

Secured ARP

Indicates whether secured ARP is enabled on this IP pool to help prevent IP spoofing by unauthorized users.

Lease

The duration of the lease for each IP address assigned by the DHCP
server from this IP pool.

Option 150

The IP address of the TFTP server required by IP phones for configuration, as defined using DHCP option 150.

Option 66

The IP address of the TFTP server required by IP phones for configuration, as defined using DHCP option 66.

Add button

Opens the IP Pool Dialog Box, page K-183. From here you can
define a DHCP IP address pool.

Edit button

Opens the IP Pool Dialog Box, page K-183. From here you can edit
the selected IP pool.

Delete button

Deletes the selected IP pools.

Relay parameters

Policy

The policy that DHCP relay agents implement when they receive messages already containing relay information:

Drop - The relay agent discards messages with existing relay information if option-82 information is also present.

Keep - The relay agent retains existing relay information.

Replace - The relay agent overwrites existing information with its own relay information.

Option

When selected, enables DHCP Option 82 data insertion in message requests forwarded from the DHCP client to the server. DHCP Option 82 provides the DHCP server with both the switch and port ID of the requesting client. This option makes it possible to locate where a user is physically connected to the network and prevent spoofing. See Understanding DHCP Option 82, page 14-122.
When deselected, DHCP Option 82 is disabled.


Check

When selected, DHCP Option 82 reply packets received from the DHCP server are validated. Invalid messages are dropped; valid messages are stripped of the option-82 field before being forwarded to the DHCP client.
When deselected, the option-82 field is removed from the packet without being checked first for validity.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note
To publish your changes, click the Submit button on the toolbar.

Tip
To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.
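The relay-agent behaviour described by the Policy, Option and Check rows above, as an added example that is not part of this guide or of Cisco IOS: a small Python model that parses a DHCP options field, applies the drop/keep/replace policy and option-82 insertion to a client request, and validates or strips option 82 from a server reply. The function names, the constructed sample option bytes, and the validity test used for Check (a reply's option 82 must match what this relay inserted) are assumptions of the example.

```python
# Added example: model of DHCP relay option-82 handling (not Cisco code).
from typing import List, Optional, Tuple

OPT_PAD = 0
OPT_RELAY_AGENT_INFO = 82   # DHCP relay agent information option
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1       # switch/port the client is attached to
SUBOPT_REMOTE_ID = 2        # identity of the relay agent itself

Options = List[Tuple[int, bytes]]


def parse_options(blob: bytes) -> Options:
    """Walk a DHCP options field (code, length, value triples) into a list.
    A truncated option raises rather than being silently accepted."""
    opts: Options = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts.append((code, value))
        i += 2 + length
    return opts


def serialize_options(opts: Options) -> bytes:
    """Re-encode (code, value) pairs as TLVs terminated by the End option."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the two sub-options a relay inserts to identify the client's port."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def relay_client_to_server(options: bytes, policy: str, insert: bool,
                           own_info: bytes) -> Optional[bytes]:
    """Client -> server.  'policy' is the Relay Parameters Policy (drop / keep /
    replace) applied when option 82 is already present; 'insert' is the Option
    check box.  Returns None when the message is discarded."""
    opts = parse_options(options)
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in opts):
        if policy == "drop":
            return None                     # existing relay information: discard
        if policy == "keep":
            return serialize_options(opts)  # forward unchanged, nothing added
        if policy != "replace":
            raise ValueError(f"unknown relay policy {policy!r}")
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT_INFO]
    if insert:
        opts.append((OPT_RELAY_AGENT_INFO, own_info))
    return serialize_options(opts)


def relay_server_to_client(options: bytes, check: bool,
                           own_info: bytes) -> Optional[bytes]:
    """Server -> client.  With Check on, a reply is valid only if every option 82
    it carries matches what this relay inserted (assumed validity test); invalid
    replies are dropped.  Valid replies, and all replies when Check is off, are
    forwarded with option 82 stripped so the client never sees relay data."""
    opts = parse_options(options)
    carried = [v for c, v in opts if c == OPT_RELAY_AGENT_INFO]
    if check and any(v != own_info for v in carried):
        return None
    return serialize_options([(c, v) for c, v in opts if c != OPT_RELAY_AGENT_INFO])


def option82_values(blob: bytes) -> List[bytes]:
    """All option 82 values carried in an options field (for inspecting results)."""
    return [v for c, v in parse_options(blob) if c == OPT_RELAY_AGENT_INFO]


# Constructed sample data: this relay's identity, a plain DISCOVER carrying only
# message type (53) and parameter request list (55), and a request that already
# carries another relay's option 82.
OWN_INFO = build_option82(b"Gi1/0/7", b"relay-01")
CLIENT_DISCOVER = serialize_options([(53, b"\x01"), (55, b"\x01\x03\x06")])
FOREIGN_INFO = build_option82(b"Gi2/0/1", b"other-relay")
TAGGED_REQUEST = serialize_options([(53, b"\x01"), (OPT_RELAY_AGENT_INFO, FOREIGN_INFO)])

if __name__ == "__main__":
    fwd = relay_client_to_server(CLIENT_DISCOVER, "replace", True, OWN_INFO)
    print("inserted own option 82:", option82_values(fwd) == [OWN_INFO])
    print("drop policy discards tagged request:",
          relay_client_to_server(TAGGED_REQUEST, "drop", True, OWN_INFO) is None)
```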

DHCP Database Dialog Box


Use the DHCP Database dialog box to define external DHCP database agents that
contain the automatic bindings. Each database URL that you define must be
unique.
For more information, see Understanding DHCP Database Agents, page 14-120.
Navigation Path

Go to the DHCP Policy Page, page K-179, then click the Add or Edit button
beneath the Databases table.
Related Topics

Defining DHCP Policies, page 14-123

DHCP on Cisco IOS Routers, page 14-119

IP Pool Dialog Box, page K-183


Field Reference
Table K-73

DHCP Database Dialog Box

Element

Description

Database URL

The URL of the external DHCP database agent containing the automatic bindings. The URL can be in HTTP, FTP, TFTP, or RCP format.

Note
If you define a URL, it is not necessary to define an IP address pool. However, you may do so.

Timeout

The amount of time (in seconds) the DHCP server should wait for a response from the external DHCP database agent before aborting a database transfer. The default is 300 seconds (5 minutes).

Note
A value of 0 disables the timeout.

Write Delay

The interval (in seconds) between updates sent from the DHCP server to the external DHCP database agent. The minimum delay is 60 seconds. The default is 300 seconds (5 minutes).

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

IP Pool Dialog Box


Use the IP Pool dialog box to define one or more address pools, which the DHCP
server uses to assign dynamic addresses to DHCP clients. You must define at least
one address pool, unless you have defined an external DHCP database agent.
Navigation Path

Go to the DHCP Policy Page, page K-179, then click the Add or Edit button
beneath the IP Pools table.
Related Topics

Defining DHCP Address Pools, page 14-125

Understanding DHCP Database Agents, page 14-120


DHCP Database Dialog Box, page K-182

DHCP on Cisco IOS Routers, page 14-119

Field Reference
Table K-74

IP Pool Dialog Box

Element

Description

Pool Name

The name of the IP pool.

Network

The IP address and subnet mask of the IP pool. This subnet contains
the range of available IP addresses that the DHCP server may assign
to clients.
Enter an address and mask or the name of a network/host object, or
click Select to display an object selector.
If the network you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-433. From
here you can define a network/host object.
Tip
You can exclude specific addresses within the range by defining them in the Excluded IPs field. See DHCP Policy Page, page K-179.

Default Router Addresses

The IP addresses of the default routers for DHCP clients using this IP pool. After a DHCP client is booted, it begins sending packets to this router, which should be located on the same subnet as the client.
Enter up to eight (8) network addresses or network/host objects, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here, you can define a network/host object.


DNS Server Addresses

The IP addresses of the DNS servers that DHCP clients using this
IP pool should query when they need to correlate hostnames to IP
addresses.
Enter up to eight (8) network addresses or network/host objects, or
click Select to display an object selector.
If the network you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-433. From
here, you can define a network/host object.

NetBIOS (WINS) Server Addresses

The IP addresses of the Windows Internet Naming Service (WINS) servers used by Microsoft DHCP clients to correlate hostnames to IP addresses within a general grouping of networks.
Enter up to eight (8) network addresses or network/host objects, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here, you can define a network/host object.

Domain Name

The domain name for DHCP clients using this IP pool. This name places these clients in the general grouping of networks that make up the domain.

Import All

When selected, enables remote DHCP servers to import specific DHCP options (such as the DNS server) from a centralized server. Use this option to enable configuration information to be updated automatically.
When deselected, all DHCP options are local to this specific server.

Secured ARP

When selected, enables the DHCP Authorized ARP feature, which limits the leasing of IP addresses to authorized mobile users. This feature helps prevent IP spoofing by unauthorized users. See Understanding Secured ARP, page 14-122.
When deselected, the DHCP Authorized ARP feature is disabled.

Note
This feature also disables dynamic ARP learning on an interface.


Lease Never Expires

When selected, the DHCP server permanently assigns IP addresses to its clients.
When deselected, addresses are leased for a predefined amount of time, as defined in the Time Length field.

Time Length (DD:HH:MM)

Applies only when the Lease Never Expires check box is deselected.
The duration of the lease provided to each IP address assigned from this IP pool (using the format DD:HH:MM). After the lease expires, the assigned IP address is no longer valid and is returned to the pool.

Option 66 (IP Addresses)

The IP address of the TFTP server used to provide configuration files to IP phones. These configuration files define parameters required by IP phones to connect to Cisco CallManager.
Enter up to eight (8) network addresses or network/host objects, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here, you can define a network/host object.

Note
This option is functionally similar to option 150. Either or both options may be used.


Option 150 (IP Addresses)

The IP address of the TFTP server used to provide configuration files to IP phones. These configuration files define parameters required by IP phones to connect to Cisco CallManager.
Enter up to eight (8) network addresses or network/host objects, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here, you can define a network/host object.

Note
This option is functionally similar to option 66. Either or both options may be used.

OK button

Saves your changes locally on the client and closes the dialog box.

Note
To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

NTP Policy Page


Use the NTP page to define one or more NTP servers that the router can use for
time synchronization. This includes enabling authentication, if required, and
defining a global source interface for all traffic sent to these servers.
For more information, see Defining NTP Servers, page 14-127.
Navigation Path

(Device view) Select Platform > Device Admin > Server Access > NTP
from the Policy selector.

(Policy view) Select Router Platform > Device Admin > Server Access >
NTP from the Policy Type selector. Right-click NTP to create a policy, or
select an existing policy from the Shared Policy selector.

Related Topics

NTP on Cisco IOS Routers, page 14-126


Router Platform User Interface Reference, page K-1

Understanding Interface Role Objects, page 8-115

Field Reference
Table K-75

NTP Page

Element

Description

Source Interface

The source address for all packets sent to an NTP server. This
setting might be necessary when the NTP server cannot respond to
the address from which the packet originated (for example, due to a
firewall). The source interface must have an IP address.
If you do not define a value in this field, the address of the outgoing
interface is used.
Enter the name of an interface or interface role, or click Select to
display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can define an interface role object.
Note
The source interface defined in this field is a global setting that you can override for individual NTP servers. For more information, see NTP Server Dialog Box, page K-189.

Enable NTP Authentication

When selected, enables authentication using MD5 when connecting to an NTP server.
When deselected, authentication is disabled.

Servers Table

Filter

Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

IP Address

The IP address of the NTP server.

Source Interface

The source address for all packets sent to this NTP server. This setting overrides the global setting defined at the top of the page.

Preferred

Indicates whether this NTP server is preferred over other NTP servers of similar accuracy.

Note
By default, preferred servers are listed first in the table.


Key Number

The ID number of the key used for authentication with this NTP
server.

Trusted

Indicates whether the authentication key defined for this NTP server
is a trusted key.

Add button

Opens the NTP Server Dialog Box, page K-189. From here you can
define an NTP server.

Edit button

Opens the NTP Server Dialog Box, page K-189. From here you can
edit the selected NTP server.

Delete button

Deletes the selected NTP server from the table.

Note
If the key defined on the server you delete is not defined on a different NTP server, the key is also deleted.

Save button

Saves your changes to the Security Manager server but keeps them private.

Note
To publish your changes, click the Submit icon on the toolbar.

Tip
To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

NTP Server Dialog Box


Use the NTP Server dialog box to define the address of an NTP server that the
router can use to perform time synchronization. In addition, you can use this
dialog box to define a default source interface for NTP packets sent to this server
and authentication parameters.
Navigation Path

Go to the NTP Policy Page, page K-187, then click the Add or Edit button
beneath the table.


Related Topics

Defining NTP Servers, page 14-127

NTP on Cisco IOS Routers, page 14-126

Understanding Interface Role Objects, page 8-115

Field Reference
Table K-76

NTP Server Dialog Box

Element

Description

IP Address

The IP address of the NTP server. Enter an address or the name of a
network/host object, or click Select to display an object selector.
If the network you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-433. From
here, you can define a network/host object.

Source Interface

The source address for all packets sent to this NTP server. This
setting might be necessary when the NTP server cannot respond to
the address from which the packet originated (for example, due to a
firewall). The source interface must have an IP address.
If you do not define a value in this field and there is no global
setting, the address of the outgoing interface is used.
Note: This setting overrides the global setting you defined on the
NTP Policy Page, page K-187.
Enter the name of an interface or interface role, or click Select to
display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can define an interface role object.


Preferred

When selected, this NTP server is preferred over other NTP servers
of similar accuracy. If this server is used for synchronization, the
time offset used to correct the local clock is calculated from this
server only.
Note: If a different NTP server is significantly more accurate than
the preferred server (for example, stratum 2 versus
stratum 3), the router synchronizes to the more accurate
server.
When deselected, this NTP server is not given preference over other
NTP servers of similar accuracy. The time offset used to correct the
local clock is calculated by taking the combined offset of all NTP
servers.
We recommend that you configure an NTP server as preferred only
when multiple servers have the same stratum and you can rely on the
accuracy of the preferred server.
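As an added illustration (not code from this guide, from Security Manager or from Cisco IOS), the following Python models the selection rule the Preferred description states, so that the effect of the check box can be checked against a set of candidate servers. The server addresses, strata and offsets are constructed, and using the arithmetic mean to "combine" offsets is an assumption, since the page does not say how they are combined.

```python
"""Model of the Preferred setting described for the NTP Server dialog box.

Added example, not Security Manager or Cisco IOS code. It implements only
the rule stated in the table: a preferred server supplies the clock offset
by itself; with no preferred server the offsets of all servers are combined;
and a server with a lower stratum than the preferred one is followed instead.
The arithmetic mean used to combine offsets is an assumption, and the
servers at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NtpServer:
    address: str
    stratum: int          # lower stratum = closer to a reference clock = more accurate
    offset_sec: float     # measured offset of this server relative to the local clock
    preferred: bool = False
    reachable: bool = True


def clock_correction(servers: List[NtpServer]) -> Tuple[List[str], Optional[float]]:
    """Return (addresses the clock follows, offset applied to the local clock).

    Returns ([], None) when no reachable server is configured.
    """
    usable = [s for s in servers if s.reachable]
    if not usable:
        return [], None
    best_stratum = min(s.stratum for s in usable)
    preferred = [s for s in usable if s.preferred]

    if preferred:
        # If several servers are marked Preferred, take the most accurate one
        # (assumption: the page does not describe that case).
        pref = min(preferred, key=lambda s: s.stratum)
        if pref.stratum <= best_stratum:
            # The preferred server wins among servers of similar accuracy:
            # the offset is calculated from this server only.
            return [pref.address], pref.offset_sec
        # A different server is strictly more accurate (lower stratum), so the
        # router synchronises to that server instead of the preferred one.
        better = min((s for s in usable if s.stratum < pref.stratum),
                     key=lambda s: s.stratum)
        return [better.address], better.offset_sec

    # No preferred server: the offsets of all NTP servers are combined.
    addresses = [s.address for s in usable]
    mean_offset = sum(s.offset_sec for s in usable) / len(usable)
    return addresses, mean_offset


def preferred_flag_is_sensible(servers: List[NtpServer]) -> bool:
    """Apply the page's recommendation: mark a server Preferred only when
    several servers share its stratum. True when nothing is preferred or when
    every preferred server has at least one peer at the same stratum."""
    for pref in (s for s in servers if s.preferred):
        peers = [s for s in servers if s is not pref and s.stratum == pref.stratum]
        if not peers:
            return False
    return True


# Constructed sample: one stratum-2 server and two stratum-3 servers, the
# second of which is marked Preferred. The stratum-2 server wins.
SAMPLE_SERVERS = [
    NtpServer("192.0.2.10", stratum=2, offset_sec=0.010),
    NtpServer("192.0.2.11", stratum=3, offset_sec=0.030, preferred=True),
    NtpServer("192.0.2.12", stratum=3, offset_sec=-0.020),
]

if __name__ == "__main__":
    used, offset = clock_correction(SAMPLE_SERVERS)
    print(f"synchronise to {used}, apply offset {offset:+.3f} s")
    print("preferred flag follows the recommendation:",
          preferred_flag_is_sensible(SAMPLE_SERVERS))
```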


Authentication Key

The MD5 key that is used to authenticate associations with the NTP
server.
- Key Number: The ID number of the authentication key. Enter
  the key number or select a previously defined number from the
  list.
- Key Value: An arbitrary string of up to eight characters that
  defines the authentication key. Enter the string again in the
  Confirm field.
- Trusted: When selected, this key authenticates the identity of
  systems attempting to synchronize with this server. When
  deselected, this key is not used for authentication.
If you select a key number from the list and then change the key
value, you are warned that saving this change affects any other NTP
servers using the same authentication key.
Note: To use authentication, you must enable it from the NTP
Policy Page, page K-187.

OK button

Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

802.1x Policy Page


Use the 802.1x policy page to create policies that limit VPN access to authorized
users. Authenticated traffic is allowed to pass through a designated physical
interface on the router. Unauthenticated traffic is allowed to pass through a virtual
interface to the Internet but is not allowed to access the VPN.
For more information, see Defining 802.1x Policies, page 14-133.


Note: 802.1x policies require DHCP address pools in order to assign IP addresses to
clients. You define these pools by defining a DHCP policy on the same router. See
DHCP Policy Page, page K-179.
Navigation Path

(Device view) Select Platform > Identity > 802.1x from the Policy selector.

(Policy view) Select Router Platform > Identity > 802.1x from the Policy
Type selector. Right-click 802.1x to create a policy, or select an existing
policy from the Shared Policy selector.

Related Topics

802.1x on Cisco IOS Routers, page 14-129

Understanding AAA Server Group Objects, page 8-16

Basic Interface Settings on Cisco IOS Routers, page 14-21

Understanding Interface Role Objects, page 8-115

Router Platform User Interface Reference, page K-1


Field Reference
Table K-77

802.1x Page

Element

Description

AAA Server Group

The RADIUS AAA server group that authenticates the credentials
of users trying to access a VPN tunnel. Enter the name of a AAA
server group object, or click Add to display an object selector.
If the AAA server group you want is not listed, click the Create
button in the selector to display the AAA Server Group Dialog Box,
page F-14. From here you can define a AAA server group object.
Note: Each AAA server in the selected group must be configured
to communicate with an interface that exists on the router;
otherwise, validation fails.

Virtual Template

Mandatory for all routers except Integrated Services Routers
(ISRs).
The untrusted, virtual interface that provides Internet access to
unauthenticated traffic. Enter the name of an interface or interface
role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.
Note: You do not need to configure a virtual template for ISRs,
because they automatically use VLANs to provide access. If
you do define a virtual template, however, it is used instead
of the VLAN.
Note: Deployment might fail if PPP is defined on the virtual
template defined here. See PPP Dialog Box, page K-82.


Interface

The trusted, physical interface that provides VPN access to
authenticated traffic. Enter the name of an interface or interface
role, or click Select to display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.
Note: The pattern defined in the interface role must represent only
one physical interface on the selected device. This interface
should be the internal protected interface that you
configured as part of the VPN topology. For more
information, see Endpoints Page, page G-14.

Number of retries

The number of times the physical interface resends an Extensible
Authentication Protocol (EAP) request/identity frame to a client if
a response is not received before restarting authentication.
Valid values range from 1 to 10. The default is 2.
Note: You should change the default only to adjust for unusual
circumstances, such as unreliable links or specific problems
with certain clients and authentication servers.

Control type

The control state of the interface, which determines whether the
host is granted access to the network. Options are:
- Force Authorize: Disables 802.1x authentication and causes
  the interface to move to the authorized state without requiring
  any authentication exchange. This means the interface
  transmits and receives normal traffic without 802.1x-based
  authentication of the host. This is the default.
- Auto: Enables 802.1x authentication and causes the interface
  to begin in the unauthorized state, allowing only EAPOL
  frames to be sent and received through the interface. If a host is
  successfully authenticated, the interface state changes to
  authorized, which enables all frames from the host through the
  interface.


Enable client reauthentication

When selected, enables periodic reauthentication of client PCs on
the 802.1x interface. Reauthentication is performed after the
interval defined in the Client reauthentication period timeout field.
The default period is 3600 seconds (1 hour).
When deselected, periodic reauthentication is not performed.

Client reauthentication period timeout

Applies only when the Enable client reauthentication check box is
selected.
The number of seconds between client reauthentication attempts.
Valid values range from 1 to 65535 seconds. The default is
3600 seconds (1 hour).

Quiet period

The amount of time the router remains in a quiet state after a failed
authentication exchange with the client. Authentication exchanges
might fail, for example, because the client provided an invalid
password.
Valid values range from 1 to 65535 seconds. The default is
120 seconds.
Note: Entering a value smaller than the default provides a faster
response time to the user.

Rate Limit period

The interval after which the interface throttles the EAP-Start
packets it receives from malfunctioning client PCs. Use this setting,
called rate limiting, to prevent these clients from wasting router
processing power.
Valid values range from 1 to 65535 seconds. By default, rate
limiting is disabled.
Note: To disable an existing rate limit, delete the value defined in
this field and leave the field blank.

AAA Server timeout

The number of seconds the router waits before retransmitting
packets to the AAA server. If the router sends an 802.1x packet to
the AAA server and the server does not respond, the router sends
another packet after this interval elapses.
Valid values range from 1 to 65535 seconds. The default is
30 seconds.


Supplicant period

The number of seconds the router waits before retransmitting
EAP-Request/Identity packets to the supplicant (client PC). If the
router sends an EAP-Request/Identity packet to the client PC
(supplicant) and the supplicant does not respond, the router sends
the packet again after this interval elapses.
Valid values range from 1 to 65535 seconds. The default is
30 seconds.

Save button

Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit button on the
toolbar.

Network Admission Control Policy Page


Network Admission Control (NAC) policies enable Cisco IOS routers acting as
network access devices (NADs) to enforce access privileges when an endpoint
tries to connect to a network. Access decisions are made on the basis of
information provided by the endpoint device, such as its current antivirus state,
thus keeping insecure nodes from infecting the network.
You can configure NAC policies on a Cisco IOS router from the following tabs on
the Network Admission Control policy page:

Network Admission Control Page - Setup Tab, page K-198

Network Admission Control Page - Interfaces Tab, page K-201

Network Admission Control Page - Identities Tab, page K-204

For more information, see Network Admission Control on Cisco IOS Routers,
page 14-136.
Navigation Path

(Device view) Select Platform > Identity > Network Admission Control
from the Policy selector.


(Policy view) Select Router Platform > Identity > Network Admission
Control from the Policy Type selector. Right-click Network Admission
Control to create a policy, or select an existing policy from the Shared Policy
selector.

Related Topics

Router Platform User Interface Reference, page K-1

Network Admission Control Page - Setup Tab


Use the Network Admission Control Setup tab to select the Cisco Secure Access
Control Servers used for authentication during the NAC process, as well as to
define the EAP over UDP settings for communications between the NAD and the
client seeking access to the network.
Navigation Path

Go to the Network Admission Control Policy Page, page K-197, then click the
Setup tab.
Related Topics

Defining NAC Setup Parameters, page 14-140

Network Admission Control Page - Interfaces Tab, page K-201

Network Admission Control Page - Identities Tab, page K-204

Understanding AAA Server Group Objects, page 8-16


Field Reference
Table K-78

Network Admission Control Setup Tab

Element

Description

AAA Server Group

The AAA server group used for NAC authentication. You must
select a server group consisting of Cisco Secure Access Control
Server (ACS) devices running the RADIUS protocol. Enter the
name of a AAA server group object, or click Select to display an
object selector.
If the AAA server group you want is not listed, click the Create
button in the selector to display the AAA Server Group Dialog Box,
page F-14. From here you can define a AAA server group object.
Note: Each AAA server in the selected group must be configured
to communicate with an interface that exists on the router;
otherwise, validation fails.

Backup AAA Server Group 1

The backup AAA server group in case the AAA servers in the main
group are down.

Backup AAA Server Group 2

The secondary backup AAA server group in case the AAA servers
in the main group and the first backup group are down.

EAP over UDP (EoU) settings

Allow IP Station ID

When selected, enables an IP address to be included in the
calling-station-id field of RADIUS requests sent to the ACS.
When deselected, IP addresses are not included in the
calling-station-id field of RADIUS requests sent to the ACS.

Allow Clientless

When selected, enables devices that do not have the Cisco Trust
Agent (CTA) installed to be authenticated through the use of a
username and password configured on the ACS.
If you select this check box, enter the username and password
(including confirmation) in the fields provided.
When deselected, NAC prevents devices lacking the CTA from
accessing the network, if their traffic matches the intercept ACL
(see NAC Interface Configuration Dialog Box, page K-202).
Note: This feature is not supported on routers running Cisco IOS
Software Release 12.4(6)T or later.


Max Retry

The maximum number of retries that all NAC interfaces on this
router should make when initiating an EAP over UDP session with
a connecting device.
Valid values range from 1 to 3. The default is 3.
Note: You can override this global value on a specific interface, if
required. See Network Admission Control Page - Interfaces
Tab, page K-201.

Rate Limit

The number of EAP over UDP posture validations that the router
can handle simultaneously. Additional devices cannot be validated
until one or more devices drop off.
Valid values range from 1 to 200. The default is 20. If you set this
value to 0, rate limiting is turned off.

Port

The UDP port to use for EAP over UDP sessions.
Valid values range from 1 to 65535. The default is 21862.
Note: For NAC to work, the default ACL on this router must
permit UDP traffic over the port designated here for EAP
over UDP traffic. For more information, see Working with
Access Rules, page 12-59.

Enable Logging

When selected, EAP over UDP events on this router are logged to
the device.
When deselected, EAP over UDP logging is disabled. This is the
default.

Setup tab button

Save button

Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit button on the
toolbar.


Network Admission Control Page - Interfaces Tab


Use the Network Admission Control Interfaces tab to select and configure the
router interfaces on which to perform NAC. This includes configuring the
Intercept ACL and selected EoU interface parameters. A NAC policy must include
at least one interface definition in order to function.
Navigation Path

Go to the Network Admission Control Policy Page, page K-197, then click the
Interfaces tab.
Related Topics

Defining NAC Interface Parameters, page 14-142

Network Admission Control Page - Setup Tab, page K-198

Network Admission Control Page - Identities Tab, page K-204

Field Reference
Table K-79

Network Admission Control Interfaces Tab

Element

Description

Filter

Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

Interfaces

The name of the interface on which NAC is being performed.

Intercept ACL

The name of the Intercept ACL, which determines the incoming
traffic that triggers the interface to make a posture validation check.

EoU Max Retries

The maximum number of retries that this interface should perform
when it initializes an EoU session with a connecting device.

Revalidate

Indicates whether the interface revalidates its EoU sessions to make
sure they are still active.

Add button

Opens the NAC Interface Configuration Dialog Box, page K-202.
From here you can define a NAC interface.

Edit button

Opens the NAC Interface Configuration Dialog Box, page K-202.
From here you can edit the selected NAC interface.


Delete button

Deletes the selected NAC interfaces from the table.

Save button

Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

NAC Interface Configuration Dialog Box


Use the NAC Interface Configuration dialog box to add or edit the router
interfaces on which NAC is being performed.
Navigation Path

Go to the Network Admission Control Page - Interfaces Tab, page K-201, then
click the Add or Edit button beneath the table.
Related Topics

Defining NAC Interface Parameters, page 14-142

Basic Interface Settings on Cisco IOS Routers, page 14-21

Understanding Interface Role Objects, page 8-115

Understanding Access Control List Objects, page 8-31


Field Reference
Table K-80

NAC Interface Configuration Dialog Box

Element

Description

Interface

The interface that will perform NAC on connecting devices. Enter
the name of an interface or interface role, or click Select to display
an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.

Intercept ACL

The ACL that defines the traffic requiring posture validation. Enter
the name of an ACL object, or click Add to display an object
selector.
If the ACL you want is not listed, click the Create button in the
selector to display the dialog box for defining an ACL object (see
Access Control Lists Page, page F-33).
Note: If an authentication proxy is configured on the same
interface as NAC, the same Intercept ACL must be used in
both policies. Otherwise, deployment may fail. For more
information about authentication proxies, see Configuring
Settings for AAA (IOS), page 12-152.

EAP over UDP Max Retries

The maximum number of times that the router should try to initiate
an EoU session with a connecting device. Valid values range from 1
to 3. The default is 3.
Note: Subinterfaces support the default value only.

Enable EoU Session Revalidation

When selected, the router revalidates its EoU sessions as required.
This is the default.
When deselected, EoU session revalidation is not performed.
Note: Subinterfaces support the default value only.

OK button

Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.


Network Admission Control Page - Identities Tab


Use the Network Admission Control Identities tab to view, create, edit, and delete
NAC identity profiles and identity actions. Identity profiles define a specific
action to perform on traffic received from selected devices, as identified by their
IP address, MAC address, or device type. In this way, devices with identity
profiles are handled by NAC without having to undergo posture validation against
an ACS.
Navigation Path

Go to the Network Admission Control Policy Page, page K-197, then click the
Interfaces tab.
Related Topics

Defining NAC Identity Parameters, page 14-145

Network Admission Control Page - Setup Tab, page K-198

Network Admission Control Page - Interfaces Tab, page K-201

Field Reference
Table K-81

Network Admission Control Identities Tab

Element

Description

Identity Profiles Table

Filter

Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

Profile Definition

The type of identity profile: device IP address, MAC address, or
device type (IP phone).

Action Name

The name of the action (defined in the Identity Actions table) that is
assigned to this NAC identity profile.

Add button

Opens the NAC Identity Profile Dialog Box, page K-205. From here
you can define an identity profile.

Edit button

Opens the NAC Identity Profile Dialog Box, page K-205. From here
you can edit a selected identity profile.

Delete button

Deletes the selected identity profiles from the table.

Identity Actions Table


Filter

Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

Action Name

The name of the identity action.

ACL

The ACL applied to profiles to which this identity action is
assigned.

Redirect URL

The URL to which traffic from devices to which this identity action
is assigned is redirected.

Add button

Opens the NAC Identity Action Dialog Box, page K-206 for
defining a NAC identity action.

Edit button

Opens the NAC Identity Action Dialog Box, page K-206 for editing
a selected NAC identity action.

Delete button

Deletes the selected identity actions from the table.

Save button

Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

NAC Identity Profile Dialog Box


Use the NAC Identity Profile dialog box to add or edit the NAC profiles assigned
to devices that match a specific identity. Identity profiles define a NAC action to
apply to all traffic coming from a specific device, based on its IP address, MAC
address, or device type (for IP phones).
Navigation Path

Go to the Network Admission Control Page - Identities Tab, page K-204, then
click the Add or Edit button beneath the Identity Profiles table.

Related Topics

NAC Identity Action Dialog Box, page K-206

Defining NAC Identity Parameters, page 14-145

Field Reference
Table K-82

NAC Identity Profile Dialog Box

Element

Description

Action Name

The name of the action to assign to the profile. Enter the name of an
action, or click Select to display a selector. For more information
about creating actions, see NAC Identity Action Dialog Box,
page K-206.

Profile Definition

The device to which this profile is assigned:
- IP Address: The IP address of the device to which this profile
  should be assigned. The same IP address cannot be used in
  more than one profile.
- MAC Address: The MAC address of the device to which this
  profile should be assigned.
- Cisco IP Phone: Used when defining a NAC identity profile
  for Cisco IP phones.

OK button

Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

NAC Identity Action Dialog Box


Use the NAC Identity Action dialog box to add or edit the actions assigned to
NAC identity profiles.
Navigation Path

Go to the Network Admission Control Page - Identities Tab, page K-204, then
click the Add or Edit button beneath the Identity Actions table.


Related Topics

NAC Identity Profile Dialog Box, page K-205

Defining NAC Identity Parameters, page 14-145

Understanding Access Control List Objects, page 8-31

Field Reference
Table K-83

NAC Identity Action Dialog Box

Element

Description

Name

A descriptive name for the identity action. Use this name when you
select an action to assign to a NAC identity profile. See NAC
Identity Profile Dialog Box, page K-205.

Access Control Lists

The ACL that defines how to handle traffic received from a device
which is assigned a profile that includes this action. Enter the name
of an ACL object, or click Add to display an object selector.
If the ACL you want is not listed, click the Create button in the
selector to display the dialog box for defining an ACL object (see
Access Control Lists Page, page F-33).
Note: You cannot select the same ACL object that is being used for
the intercept ACL. See NAC Interface Configuration Dialog
Box, page K-202.

Redirect URL

The address of the remediation server to which traffic from the
device should be redirected. Redirect URLs are usually of the form
http://URL or https://URL.

OK button

Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.
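The following Python, added here as an illustration and not part of Security Manager, gathers the validation rules stated across the NAC Setup, Interfaces and Identities tables (at least one NAC interface, retry counts of 1 to 3, subinterfaces at their defaults only, the same Intercept ACL as any authentication proxy, an IP address in at most one identity profile, and no reuse of the Intercept ACL as an identity-action ACL) into one pre-deployment check. The dict key names, the sample policy and the dot-in-name test for subinterfaces are assumptions of this example.

```python
"""Pre-deployment checks for a NAC policy, following the rules stated in the
NAC Setup, Interfaces and Identities tables. Added example, not Security
Manager code: the dict key names (max_retry, intercept_acl, auth_proxy_acl, ...)
and the sample policy are assumptions of this example; a subinterface is
recognised by the dot in its name (e.g. FastEthernet0/1.10), as in Cisco IOS."""
from typing import Any, Dict, List, Set

DEFAULT_MAX_RETRY = 3      # Max Retry / EoU Max Retries default
DEFAULT_REVALIDATE = True  # Enable EoU Session Revalidation default


def _in_range(value: Any, low: int, high: int) -> bool:
    return isinstance(value, int) and low <= value <= high


def check_setup(setup: Dict[str, Any]) -> List[str]:
    """Setup tab: AAA group required; Max Retry 1-3; Rate Limit 0-200
    (0 turns rate limiting off); Port 1-65535 (default 21862)."""
    errors = []
    if not setup.get("aaa_server_group"):
        errors.append("Setup: AAA Server Group is required")
    if not _in_range(setup.get("max_retry", DEFAULT_MAX_RETRY), 1, 3):
        errors.append("Setup: Max Retry must be between 1 and 3")
    if not _in_range(setup.get("rate_limit", 20), 0, 200):
        errors.append("Setup: Rate Limit must be between 0 and 200")
    if not _in_range(setup.get("port", 21862), 1, 65535):
        errors.append("Setup: Port must be between 1 and 65535")
    return errors


def check_interfaces(interfaces: List[Dict[str, Any]]) -> List[str]:
    """Interfaces tab: at least one interface; EoU Max Retries 1-3; subinterfaces
    keep the defaults; an authentication proxy on the same interface must use
    the same Intercept ACL."""
    errors = []
    if not interfaces:
        errors.append("Interfaces: a NAC policy must include at least one interface")
    for iface in interfaces:
        name = iface["interface"]
        retries = iface.get("eou_max_retries", DEFAULT_MAX_RETRY)
        revalidate = iface.get("revalidate", DEFAULT_REVALIDATE)
        if not _in_range(retries, 1, 3):
            errors.append(f"{name}: EoU Max Retries must be between 1 and 3")
        if "." in name and (retries != DEFAULT_MAX_RETRY or revalidate != DEFAULT_REVALIDATE):
            errors.append(f"{name}: subinterfaces support the default values only")
        proxy_acl = iface.get("auth_proxy_acl")
        if proxy_acl is not None and proxy_acl != iface["intercept_acl"]:
            errors.append(f"{name}: authentication proxy must use the same Intercept ACL as NAC")
    return errors


def check_identities(profiles: List[Dict[str, Any]], actions: List[Dict[str, Any]],
                     intercept_acls: Set[str]) -> List[str]:
    """Identities tab: an IP address in at most one profile; profiles name an
    existing action; an action ACL is never an Intercept ACL; URLs use http(s)."""
    errors = []
    action_names = {a["name"] for a in actions}
    seen_ips: Set[str] = set()
    for p in profiles:
        if p["type"] == "ip":
            if p["value"] in seen_ips:
                errors.append(f"Profile {p['value']}: IP address used in more than one profile")
            seen_ips.add(p["value"])
        if p["action"] not in action_names:
            errors.append(f"Profile {p['value']}: unknown action {p['action']}")
    for a in actions:
        if a.get("acl") in intercept_acls:
            errors.append(f"Action {a['name']}: ACL {a['acl']} is already used as an Intercept ACL")
        url = a.get("redirect_url")
        if url and not url.startswith(("http://", "https://")):
            errors.append(f"Action {a['name']}: Redirect URL should start with http:// or https://")
    return errors


def validate_nac_policy(policy: Dict[str, Any]) -> List[str]:
    """Run every check; an empty list means the policy passed."""
    interfaces = policy.get("interfaces", [])
    intercept_acls = {i["intercept_acl"] for i in interfaces}
    return (check_setup(policy.get("setup", {}))
            + check_interfaces(interfaces)
            + check_identities(policy.get("profiles", []), policy.get("actions", []), intercept_acls))


# Constructed sample policy with three problems a reviewer should catch before deployment.
SAMPLE_POLICY = {
    "setup": {"aaa_server_group": "ACS-NAC", "max_retry": 3, "rate_limit": 20, "port": 21862},
    "interfaces": [
        {"interface": "FastEthernet0/0", "intercept_acl": "NAC-INTERCEPT"},
        {"interface": "FastEthernet0/1.10", "intercept_acl": "NAC-INTERCEPT", "eou_max_retries": 2},
    ],
    "profiles": [
        {"type": "ip", "value": "192.0.2.50", "action": "PRINTER-ALLOW"},
        {"type": "ip", "value": "192.0.2.50", "action": "PRINTER-ALLOW"},  # duplicate IP address
        {"type": "device", "value": "Cisco IP Phone", "action": "PHONE-ALLOW"},
    ],
    "actions": [
        {"name": "PRINTER-ALLOW", "acl": "PRINTER-ACL"},
        {"name": "PHONE-ALLOW", "acl": "NAC-INTERCEPT",  # reuses the Intercept ACL
         "redirect_url": "https://remediation.example.net/"},
    ],
}
```

Running `validate_nac_policy(SAMPLE_POLICY)` reports the subinterface, the duplicate IP address and the reused Intercept ACL; an empty list means nothing in the policy contradicts the rules above.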

Logging Setup Policy Page


Use the Logging Setup page to enable logging and define basic logging
parameters on the selected Cisco IOS router.


For more information, see Defining Logging Setup Parameters, page 14-148.

Note: We strongly recommend that you define an NTP policy on all routers on
which logging is enabled in order to create accurate timestamps for each log
message. For more information, see NTP Policy Page, page K-187.
If you unassign a logging setup policy, the default logging configuration is
restored on the device upon deployment.

Navigation Path

(Device view) Select Platform > Logging > Logging Setup from the Policy
selector.

(Policy view) Select Router Platform > Logging > Logging Setup from the
Policy Type selector. Right-click Logging Setup to create a policy, or select
an existing policy from the Shared Policy selector.

Related Topics

Logging on Cisco IOS Routers, page 14-146

Syslog Servers Policy Page, page K-212

NTP on Cisco IOS Routers, page 14-126

Router Platform User Interface Reference, page K-1

Understanding Interface Role Objects, page 8-115


Field Reference
Table K-84

Logging Setup Page

Element

Description

Enable Logging

When selected, logging is enabled on the device.
When deselected, logging is disabled on the device. This is the
default.
Tip: To use the device's default logging settings, select the
Enable Logging check box, then click Save, without
entering additional values.

Source Interface

The source address for all outgoing log messages sent to a syslog
server. This setting may be necessary when the syslog server cannot
respond to the address from which the log message originated (for
example, due to a firewall).
If you do not define a value in this field, the address of the outgoing
interface is used.
Enter the name of an interface or interface role, or click Select to
display an object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can define an interface role object.

Trap

Defines which log messages are forwarded to a syslog server:
- Enable Trap: When selected, log messages are sent to the
  syslog server. This is the default. When deselected, log
  messages are not sent.
- Trap Level: The lowest severity level of messages that are
  logged and sent to the syslog server. All messages of this
  severity and greater are logged. Severity levels are identified by
  a name and a number. For more information, see Table 14-5 on
  page 14-147.
Tip: To restore the router's default trap settings, select Enable
Trap, then select the blank setting from the Trap Level list.


Logging Buffer

Defines whether log messages are saved locally to a buffer on the
device.
- Enable Buffer: When selected, log messages are saved to a
  buffer on the device. This is the default. When deselected, a log
  buffer is not maintained on the device.
- Buffer Size: The size of the buffer in bytes. Valid values range
  from 4096 to 4294967295 bytes (4 kilobytes to 4 gigabytes).
  The default size varies by platform. Make sure not to make the
  buffer so large that the router runs out of memory for other
  tasks; otherwise, deployment might fail.
  Note: The maximum buffer size might be smaller on some
  devices.
- Severity Level: The lowest severity level of messages that are
  saved in the buffer. All messages of this severity and greater are
  saved. On most Cisco IOS routers, the default severity level is
  7 (debugging). Severity levels are identified by a name and a
  number. For more information, see Table 14-5 on page 14-147.
- Use XML Format: When selected, log messages are saved to a
  buffer in XML format. (You can configure both the regular
  buffer and the XML buffer in the same policy.) When
  deselected, an XML buffer is not maintained on the device.
- Buffer Size: The size of the XML buffer in bytes. Valid values
  range from 4096 to 4294967295 bytes (4 kilobytes to
  4 gigabytes).
  Note: The maximum buffer size might be smaller on some
  devices.
Tip: To restore the router's default buffer settings, select Enable
Trap, erase the buffer size setting, then select the blank
setting from the Severity Level list.


Rate Limit
Limits the rate of log messages sent to the syslog server.
- Enable Rate Limit - When selected, the rate limit is enabled.
  When deselected, the rate limit is disabled.
- Messages per Sec. - The maximum number of logging
  messages that can be sent per second. Valid values range from
  1 to 10000. The default is 10 messages per second.
- Exclude - The types of messages to exclude from the rate limit.
  This setting excludes the severity level you select as well as all
  messages with a lower severity level number (that is, more
  severe). The default is 3 (errors), which excludes all log
  messages with a severity level of 3, 2 (critical), 1 (alerts), or 0
  (emergencies) from the rate limit. For more information about
  severity levels, see Table 14-5 on page 14-147.
- All Messages - When selected, the rate limit applies to all
  messages except console messages.
- Console Messages - When selected, the rate limit applies to
  console messages only.
Tip: To restore the router's default rate limit settings, select the
Enable Rate Limit check box, then erase the rate limit
value setting.
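The Rate Limit semantics above (a per-second cap on forwarded messages, with the Exclude level and everything more severe exempted) can be checked against sample messages with the following Python model. It is an added example, not Security Manager or IOS code. The sample log lines are constructed; reading the severity from the %FACILITY-SEVERITY-MNEMONIC tag is an assumption about the message format, and because the page does not say whether exempt messages consume the per-second budget on the router, the model does not count them.

```python
import re
from collections import defaultdict

# Severity digit of an IOS-style "%FACILITY-SEVERITY-MNEMONIC:" tag
# (assumed message format; 0 = emergencies ... 7 = debugging).
SEVERITY_TAG = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+")


def severity_of(line):
    """Return the 0..7 severity number carried in the message tag."""
    m = SEVERITY_TAG.search(line)
    if m is None:
        raise ValueError("no IOS severity tag in: %r" % line)
    return int(m.group(1))


class SyslogRateLimiter:
    """Per-second cap on forwarded messages, as on the Rate Limit row.

    messages_per_sec is the Messages per Sec. value (default 10) and
    exclude_level the Exclude severity (default 3, errors); that level
    and every lower number (more severe) bypasses the limit.
    """

    def __init__(self, messages_per_sec=10, exclude_level=3):
        if not 1 <= messages_per_sec <= 10000:
            raise ValueError("Messages per Sec. must be 1..10000")
        self.limit = messages_per_sec
        self.exclude_level = exclude_level
        self._forwarded = defaultdict(int)  # second -> messages admitted

    def is_exempt(self, severity):
        return severity <= self.exclude_level

    def admit(self, second, line):
        """True if the message is forwarded, False if it is suppressed."""
        if self.is_exempt(severity_of(line)):
            return True  # assumption: exempt messages use no budget
        if self._forwarded[second] < self.limit:
            self._forwarded[second] += 1
            return True
        return False


def apply_rate_limit(timed_lines, messages_per_sec=10, exclude_level=3):
    """Split (second, line) pairs into (forwarded, suppressed) lists."""
    limiter = SyslogRateLimiter(messages_per_sec, exclude_level)
    forwarded, suppressed = [], []
    for second, line in timed_lines:
        bucket = forwarded if limiter.admit(second, line) else suppressed
        bucket.append(line)
    return forwarded, suppressed


# Constructed sample: 15 ACL-deny messages (severity 6) in one second,
# then a severity 2, 3 and 5 message in the same second, then one more
# severity 6 message one second later.
SAMPLE_LOG = [
    (0, f"%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.{i}(40000) "
        "-> 10.0.1.5(22), 1 packet")
    for i in range(15)
] + [
    (0, "%SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed"),
    (0, "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    (0, "%SYS-5-CONFIG_I: Configured from console by vty0"),
    (1, "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.99(40000) "
        "-> 10.0.1.5(22), 1 packet"),
]

if __name__ == "__main__":
    kept, dropped = apply_rate_limit(SAMPLE_LOG)
    print(f"forwarded {len(kept)}, suppressed {len(dropped)}")
    for line in dropped:
        print("  suppressed:", line)
```

With the defaults, the burst of informational ACL-deny messages is cut to 10 in that second and the later severity 5 message is also suppressed, while the severity 2 and severity 3 messages pass regardless of the count. That is the property a monitoring team relies on: the limit protects the syslog server from floods of low-severity noise without ever dropping the error-and-above messages that alerts are built on, so a flood of denies does not mask a memory failure or a link change in the same second.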


Origin ID
The origin identifier that is added to the beginning of all syslog
messages sent from this device to the remote syslog server. The
origin identifier is useful in cases where you send output from
multiple devices to a single syslog server.
- ID Type - The type of origin identifier added to the beginning
  of each syslog message. Options are:
  - IP Address - The IP address of the source device.
  - Hostname - The hostname of the source device.
  - String - User-defined text.
- Value - Applies only when you select String as the ID type.
  Enter the text of the user-defined string. Spaces are permitted,
  except for the first character.
Note: The origin identifier is not added to messages sent to local
destinations, such as the buffer, the console, and the
monitor.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit button on the
toolbar.

Syslog Servers Policy Page

Use the Syslog Servers page to create, edit, and delete servers that collect log
messages from the router.
For more information, see Defining Syslog Servers, page 14-151.

Note: To enable logging to the syslog servers defined on this page, you must enable
logging and define basic parameters on the Logging Setup Policy Page,
page K-207.


Navigation Path
- (Device view) Select Platform > Logging > Syslog Servers from the Policy
  selector.
- (Policy view) Select Router Platform > Logging > Syslog Servers from the
  Policy Type selector. Right-click Syslog Servers to create a policy, or select
  an existing policy from the Shared Policy selector.

Related Topics
- Logging on Cisco IOS Routers, page 14-146
- Router Platform User Interface Reference, page K-1
- Syslog Server Dialog Box, page K-214

Field Reference
Table K-85 Syslog Servers Page

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

IP Address
The name of the syslog server, as represented by a network/host
object, or its IP address.

XML
Indicates whether the syslog server receives log messages in XML
format.

Add button
Opens the Syslog Server Dialog Box, page K-214. From here you
can define a syslog server.

Edit button
Opens the Syslog Server Dialog Box, page K-214. From here you
can edit the selected syslog server.

Delete button
Deletes the selected syslog server from the table.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.


Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

Syslog Server Dialog Box

Use the Syslog Server dialog box to define the server that collects syslog
messages from the router. You can also define whether the log messages it
receives are in XML format or plain text.

Note: To enable logging to the syslog servers defined on this page, you must enable
logging and define basic parameters on the Logging Setup Policy Page,
page K-207.

Navigation Path
Go to the Syslog Servers Policy Page, page K-212, then click the Add or Edit
button beneath the table.

Related Topics
- Defining Syslog Servers, page 14-151
- Logging on Cisco IOS Routers, page 14-146
- Understanding Network/Host Objects, page 8-127


Field Reference
Table K-86 Syslog Server Dialog Box

IP Address
The IP address of the syslog server. Enter an IP address or the name
of a network/host object, or click Select to display an object
selector.
If the network/host object you want is not listed, click the Create
button in the selector to display the Network/Host Dialog Box,
page F-433. From here you can define a network/host object.

Forward Messages in XML Format
When selected, log messages are sent to the syslog server in XML
format.
When deselected, log messages are sent to the syslog server as plain
text.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

Quality of Service Policy Page

Use the Quality of Service page to view, create, and edit QoS classes on specific
interfaces of the selected device or on the control plane. QoS policies enable you
to define techniques for managing the delay, delay variation (jitter), bandwidth,
and packet loss parameters on a network. In addition, you can use the Quality of
Service page to configure hierarchical shaping on an interface as an alternative to
configuring shaping parameters for individual QoS classes.
For more information, see Quality of Service on Cisco IOS Routers, page 14-153.

Navigation Path
- (Device view) Select Platform > Quality of Service from the Policy selector.
- (Policy view) Select Router Platform > Quality of Service from the Policy
  Type selector. Right-click Quality of Service to create a policy, or select an
  existing policy from the Shared Policy selector.


Related Topics
- Defining QoS Policies, page 14-167
- Router Platform User Interface Reference, page K-1

Field Reference
Table K-87 Quality of Service Page

Apply To
The router component on which to define the QoS policy:
- Interfaces - Configures QoS classes on specific interfaces.
- Control Plane - Configures QoS on the router control plane.
  See Understanding Control Plane Policing, page 14-166.
Note: If you configure QoS on both the interfaces and the control
plane of the same device, only the control plane
configuration is deployed.

QoS Policy Table

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

Interface
The interface on which you want to define QoS parameters.

Direction
The traffic direction on which the QoS parameters on this interface
apply: input or output.

Shaping
Indicates whether hierarchical shaping is defined on this interface.

Type
Applies only when you enable hierarchical shaping on this
interface.
The type of hierarchical shaping performed on this interface:
average or peak.

CIR
Applies only when you enable hierarchical shaping on this
interface.
The average data rate (also known as the committed information
rate or CIR), which is represented as a percentage of the overall
bandwidth available on this interface.


Sustained Burst
Applies only when you enable hierarchical shaping on this
interface.
The normal burst size allowed on this interface, in milliseconds.

Excess Burst
Applies only when you enable hierarchical shaping on this
interface.
The excess burst size allowed on this interface, in milliseconds.

Add button
Opens the QoS Policy Dialog Box, page K-219. From here you can
select the interface on which you want to define QoS parameters.

Edit button
Opens the QoS Policy Dialog Box, page K-219. From here you can
edit the selected QoS interface.

Delete button
Deletes the selected QoS interfaces from the table.

Interface QoS Classes Table

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

No.
The sequential number of the class. QoS is applied to packets on a
first-match basis, based on class order.

Default Class
Indicates whether this class is the default for all packets on the
interface that do not match the criteria of the other defined classes.

Matching
The matching criteria that determine whether packets are
considered members of this class. This includes the match method
and any combination of protocols, precedence and DSCP values,
and ACL names.

Marking
The IP Precedence (IPP) or Differentiated Services Code Point
(DSCP) setting for the traffic in this class.

Queuing and Congestion Avoidance
The queuing settings that are defined for this class.

Policing
Indicates whether policing is configured for this class.

Shaping
Indicates whether Distributed Traffic Shaping (DTS) is configured
for this class.

Up Row
Moves the selected class up one row.


Down Row
Moves the selected class down one row.

Add button
Opens the QoS Class Dialog Box, page K-222. From here you can
create a QoS class definition for the selected interface.

Edit button
Opens the QoS Class Dialog Box, page K-222. From here you can
edit the selected QoS class.

Delete button
Deletes the selected QoS classes from the table.

Control Plane QoS Classes Table

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

No.
The sequential number of the class. QoS is applied to packets on a
first-match basis, based on class order.

Default Class
Indicates whether this class is the default for all packets on the
interface that do not match the criteria of the other defined classes.

Matching
Indicates whether packets must match any of the defined criteria or
all of the criteria to be considered members of this class.

Policing
Indicates whether policing is configured for this class.

Add button
Opens the QoS Class Dialog Box, page K-222. From here you can
create a QoS class definition for the control plane.

Edit button
Opens the QoS Class Dialog Box, page K-222. From here you can
edit the selected QoS class.

Delete button
Deletes the selected QoS classes from the table.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.


QoS Policy Dialog Box

Use the QoS Policy dialog box to select an interface on which you want to define
QoS parameters. In addition, you can use this dialog box to configure a single set
of shaping parameters for all the traffic on the selected interface (known as
hierarchical shaping). Using hierarchical shaping eliminates the need to configure
shaping parameters for each QoS class defined on the interface.

Note: This dialog box is not applicable when defining a QoS policy on the control plane.
For more information, see Defining QoS on the Control Plane, page 14-171.

After you create your QoS interface definitions, you can define one or more QoS
classes for each interface. For more information, see QoS Class Dialog Box,
page K-222.

Navigation Path
Go to the Quality of Service Policy Page, page K-215, then click the Add or Edit
button beneath the upper table to define a QoS interface definition.

Related Topics
- Defining QoS Policies, page 14-167
- Quality of Service on Cisco IOS Routers, page 14-153
- Basic Interface Settings on Cisco IOS Routers, page 14-21
- Understanding Interface Role Objects, page 8-115


Field Reference
Table K-88 QoS Policy Dialog Box

Interface
The interface on which QoS is defined. Enter the name of an
interface or interface role, or click Select to display an object
selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.

Direction
The direction of the traffic on which to configure QoS:
- Output - Traffic that exits the interface.
- Input - Traffic that enters the interface.

Hierarchical Shaping settings

Enable Shaping
When selected, configures hierarchical traffic shaping on the
selected interface.
When deselected, hierarchical shaping is not used.
Note: Shaping can be performed only on output traffic.

Type
The type of shaping to perform:
- Average - Limits the data rate for each interval to the sustained
  burst rate (also known as the Committed Burst rate or Bc),
  achieving an average rate no higher than the committed
  information rate (CIR). Additional packets are buffered until
  they can be sent.
- Peak - Limits the data rate for each interval to the sustained
  burst rate plus the excess burst rate (Be). Additional packets are
  buffered until they can be sent.


CIR
The average data rate (also known as the committed information
rate or CIR). You can define this amount by:
- Percentage - Valid values range from 0 to 100% of the overall
  available bandwidth.
- Bit/sec - Valid values range from 8000 to 1000000000 bits per
  second.
Although data bursts during an interval may exceed this rate, the
average data rate over any multiple integral of the interval will not
exceed this rate.

Sustained Burst
The normal burst size. If you select average as the shaping type, data
bursts during an interval are limited to this value.
The range of valid values is determined by the CIR:
- When the CIR is defined by percentage - Valid values range
  from 10 to 2000 milliseconds.
- When the CIR is defined by an absolute value - Valid values
  range from 1000 to 154400000 bytes, in multiples of 128 bytes.
Note: We recommend that you leave this field blank when the CIR
is defined by an absolute value. This allows the algorithms
used by the device to determine the optimal sustained burst
value.


Excess Burst
The excess burst size. If you select peak as the shaping type, data
bursts during an interval can equal the sum of the sustained burst
value plus this value. The average data rate over multiple intervals,
however, will continue to conform to the CIR.
The range of valid values is determined by the CIR:
- When the CIR is defined by percentage - Valid values range
  from 10 to 2000 milliseconds.
- When the CIR is defined by an absolute value - Valid values
  range from 1000 to 154400000 bytes, in multiples of 128 bytes.
Note: If you do not configure this field when the CIR is defined by
an absolute value, the sustained burst value is used.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.
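To see how the Type, CIR, Sustained Burst and Excess Burst fields of the QoS Policy dialog box interact, the following Python model works through the hierarchical shaping parameters described in Table K-88. It is an added example, not Security Manager or IOS code. It takes the CIR as an absolute value in bits per second and Bc/Be in bytes (the absolute-value ranges given above), derives the shaping interval as the time needed to send Bc bytes at the CIR, and sends at most Bc bytes (average) or Bc + Be bytes (peak) per interval, queuing the rest. The offered traffic is constructed. One simplification is an assumption to keep in mind: the model grants the excess burst in every interval, whereas the table states that the average rate over multiple intervals still conforms to the CIR, which the router achieves by crediting Be only from intervals in which less than Bc was sent; that credit accounting is not modelled here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ShapingParams:
    """Hierarchical shaping fields with the CIR given as an absolute value."""
    cir_bps: int                 # CIR field, Bit/sec form
    bc_bytes: int                # Sustained Burst (Bc), bytes
    be_bytes: int = 0            # Excess Burst (Be), bytes
    shape_type: str = "average"  # Type field: "average" or "peak"

    def __post_init__(self):
        # Ranges as given on the dialog box for the absolute-value case.
        if self.shape_type not in ("average", "peak"):
            raise ValueError("Type must be 'average' or 'peak'")
        if not 8000 <= self.cir_bps <= 1000000000:
            raise ValueError("CIR must be 8000..1000000000 bit/sec")
        for name, value in (("Bc", self.bc_bytes), ("Be", self.be_bytes)):
            if value and (not 1000 <= value <= 154400000 or value % 128):
                raise ValueError(name + " must be 1000..154400000 bytes, "
                                 "a multiple of 128")

    def interval_ms(self):
        """Tc: the time needed to send Bc bytes at the CIR, in ms."""
        return self.bc_bytes * 8 * 1000 / self.cir_bps

    def bytes_per_interval(self):
        """Bytes the shaper may send in one interval, per the Type row."""
        if self.shape_type == "average":
            return self.bc_bytes
        return self.bc_bytes + self.be_bytes

    def peak_rate_bps(self):
        """Sending rate while the queue is busy: the CIR for average
        shaping, CIR * (1 + Be/Bc) for peak shaping."""
        return self.bytes_per_interval() * 8 * 1000 / self.interval_ms()


def shape(params, offered_bytes_per_interval):
    """Run the shaper over successive intervals.

    Returns (sent, backlog): bytes sent in each interval and the bytes
    still queued at its end. The run continues past the offered traffic
    until the backlog drains, which is the buffering the Type row
    describes. Assumption: unused allowance is not carried forward.
    """
    allowance = params.bytes_per_interval()
    offered = list(offered_bytes_per_interval)
    sent, backlog, queued, i = [], [], 0, 0
    while i < len(offered) or queued > 0:
        if i < len(offered):
            queued += offered[i]
        out = min(queued, allowance)
        queued -= out
        sent.append(out)
        backlog.append(queued)
        i += 1
    return sent, backlog


def average_rate_bps(params, sent):
    """Mean rate over a whole run, to compare with the CIR."""
    return sum(sent) * 8 * 1000 / (len(sent) * params.interval_ms())


if __name__ == "__main__":
    # Constructed load: two intervals offering twice Bc, then silence.
    load = [4096, 4096, 0]
    for kind in ("average", "peak"):
        p = ShapingParams(128000, 2048, 1024, kind)
        sent, backlog = shape(p, load)
        print(kind, "Tc=%.0f ms" % p.interval_ms(), "sent", sent,
              "backlog", backlog,
              "mean %.0f bit/s" % average_rate_bps(p, sent))
```

With a CIR of 128000 bit/s and Bc of 2048 bytes the interval is 128 ms. Average shaping releases 2048 bytes per interval, so the two 4096-byte bursts take four intervals to drain and the mean rate equals the CIR; peak shaping releases 3072 bytes per interval (192000 bit/s while busy) and drains the same load in three. The backlog list is the queue depth a downstream device never sees, which is the point of shaping ahead of a slower link.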

QoS Class Dialog Box

Use the QoS Class dialog box to create or edit a QoS class on a selected interface
or control plane of a Cisco IOS router. You can define up to 16 classes on a single
interface and 256 classes for the device as a whole.

Note: QoS is applied to packets on a first-match basis. The router examines the table of
QoS classes starting from the top and applies the properties of the first class
whose matching criteria matches the packet. Therefore, it is important that you
define and order your classes carefully. The default class should be placed last to
prevent traffic that matches a specific class from being treated as unmatched
traffic.


Navigation Path
Go to the Quality of Service Policy Page, page K-215. Complete the options at the
top of the page, then do one of the following:
- To create a QoS class, select an interface from the upper table, then click the
  Add button beneath the QoS Class table. When creating a QoS class for the
  control plane, just click the Add button beneath the table.
- To edit a QoS class:
  - Select the interface whose class you want to edit from the upper table.
    (Not required when selecting the control plane.)
  - Select the relevant class defined for that interface in the QoS Classes
    table. (Not required when selecting the control plane.)
  - Click the Edit button under the QoS Class table.

Related Topics
- QoS Policy Dialog Box, page K-219
- Defining QoS Policies, page 14-167
- Defining QoS on Interfaces, page 14-167
- Defining QoS on the Control Plane, page 14-171

Field Reference
Table K-89 QoS Class Dialog Box

Set as Default Class
When selected, enables you to define the default class for all traffic
that does not match the other QoS classes on this interface.
When deselected, enables you to define a specific QoS class on this
interface.
Note: When you define the default class, you do not configure any
matching parameters; by definition the class consists of all
traffic that does not match any of the other classes.
Therefore, the Matching tab is disabled.

Matching tab
Defines the traffic that is included in this QoS class. See QoS Class
Dialog Box - Matching Tab, page K-224.


Marking tab
Marks the traffic in this class so that downstream devices can
properly identify it. See QoS Class Dialog Box - Marking Tab,
page K-227.

Queuing and Congestion Avoidance tab
Defines how to queue the output traffic in this class. See QoS Class
Dialog Box - Queuing and Congestion Avoidance Tab, page K-229.

Policing tab
Limits the traffic flow for this class to a configured rate. See QoS
Class Dialog Box - Policing Tab, page K-231.

Shaping tab
Controls the flow of output traffic for this class so that it conforms
with the requirements of downstream devices. See QoS Class
Dialog Box - Shaping Tab, page K-234.

Note: When you configure a QoS policy on the control plane, only the Matching tab and
Policing tab are available.

QoS Class Dialog Box - Matching Tab

Use the Matching tab of the QoS Class dialog box to define which traffic over the
selected interface is considered to be part of this class.

Note: When you define the default class, the Matching tab is disabled.

Navigation Path
Go to the QoS Class Dialog Box, page K-222, then click the Matching tab.

Related Topics
- Defining QoS Class Matching Parameters, page 14-172
- Defining QoS on Interfaces, page 14-167
- Defining QoS on the Control Plane, page 14-171
- Quality of Service Policy Page, page K-215


- Understanding Access Control List Objects, page 8-31

Field Reference
Table K-90 QoS Class Dialog Box - Matching Tab

Match Method
The traffic matching option used for this class:
- Any - Assigns traffic matching any of the defined class map
  criteria to this QoS class.
- All - Assigns only traffic matching all of the defined class map
  criteria to this QoS class.

Protocol
One or more protocols included in this class map. Click Add to
display a selector. Select one or more items from the Available
Protocols list, then click >> to add them to the Selected Protocols
list.
The only protocol available for the control plane is ARP; ARP and
CDP are not available for input classes configured on an interface.
When you finish, click OK to return to the QoS Class dialog box.
Your selections are displayed in the Protocol field.
Note: To remove a protocol from the QoS class, select it from the
Protocol field, then click Delete.

Precedence
One or more IP Precedence (IPP) values included in this class map.
Click Add to display a selector. Select one or more items from the
Available Precedences list, then click >> to add them to the Selected
Precedences list.
Note: For more information about IP precedence values, see
Table 14-6 on page 14-156.
When you finish, click OK to return to the QoS Class dialog box.
Your selections are displayed in the Precedence field.
Note: To remove an IPP value from the QoS class, select it from
the Precedence field, then click Delete.


DSCP
One or more Differentiated Services Code Point (DSCP) values
included in this class map. Click Add to display a selector. Select
one or more items (up to eight) from the Available DSCPs list, then
click >> to add them to the Selected DSCPs list.
When you finish, click OK to return to the QoS Class dialog box.
Your selections are displayed in the DSCP field.
Note: To remove a DSCP value from the QoS class, select it from
the DSCP field, then click Delete.

ACL
The ACLs that are used for defining which traffic requires QoS.
Enter one or more ACL objects, or click Select to display an object
selector. For more information, see Edit ACLs Dialog Box - QoS
Classes, page K-226.
Use the up and down arrows to order the ACLs in the list. We
recommend that you place frequently used ACLs at the top of the
list to optimize the matching process.
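The first-match rule and the warning about placing the default class last (QoS Class Dialog Box note above), together with the Match Method, Protocol, Precedence and DSCP criteria of the Matching tab, can be exercised with the following Python model. It is an added example, not Security Manager or IOS code, and it models only the protocol, precedence and DSCP criteria (ACL matching is left out); the packets and class names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    protocol: str    # e.g. "http", "ftp", "rtp" (constructed values)
    precedence: int  # IP Precedence 0..7
    dscp: int        # DSCP 0..63


@dataclass(frozen=True)
class QosClass:
    name: str
    match_method: str = "any"              # Match Method: "any" or "all"
    protocols: frozenset = frozenset()     # Protocol field
    precedences: frozenset = frozenset()   # Precedence field
    dscps: frozenset = frozenset()         # DSCP field
    is_default: bool = False               # Set as Default Class

    def matches(self, pkt):
        """Apply the class-map criteria with match-any / match-all."""
        if self.is_default:
            return True  # the default class takes everything left over
        results = []
        if self.protocols:
            results.append(pkt.protocol in self.protocols)
        if self.precedences:
            results.append(pkt.precedence in self.precedences)
        if self.dscps:
            results.append(pkt.dscp in self.dscps)
        if not results:
            return False  # a class with no criteria matches nothing
        return any(results) if self.match_method == "any" else all(results)


def classify(classes, pkt):
    """First-match lookup in table order; None if no class matches."""
    for cls in classes:
        if cls.matches(pkt):
            return cls.name
    return None


def classes_shadowed_by_default(classes):
    """Names of classes that can never match because the default class
    precedes them; a non-empty list means the ordering note is violated."""
    names = [c.name for c in classes]
    for i, cls in enumerate(classes):
        if cls.is_default:
            return names[i + 1:]
    return []


# Constructed class table: voice matches on DSCP 46 *or* precedence 5,
# bulk requires both the ftp protocol *and* precedence 1.
VOICE = QosClass("voice", "any",
                 dscps=frozenset({46}), precedences=frozenset({5}))
BULK = QosClass("bulk", "all",
                protocols=frozenset({"ftp"}), precedences=frozenset({1}))
DEFAULT = QosClass("class-default", is_default=True)
GOOD_ORDER = [VOICE, BULK, DEFAULT]
BAD_ORDER = [DEFAULT, VOICE, BULK]

if __name__ == "__main__":
    samples = [Packet("rtp", 5, 46), Packet("http", 5, 0),
               Packet("ftp", 1, 8), Packet("ftp", 0, 0)]
    for order, label in ((GOOD_ORDER, "default last"),
                         (BAD_ORDER, "default first")):
        print(label, [classify(order, p) for p in samples],
              "shadowed:", classes_shadowed_by_default(order))
```

With the default class last, an RTP packet carrying DSCP 46 lands in "voice", an HTTP packet with precedence 5 also lands in "voice" because match-any needs only one criterion, an FTP packet with precedence 1 lands in "bulk", and an FTP packet with precedence 0 falls through to the default class because match-all fails on the precedence criterion. With the default class first, every packet lands in "class-default" and both specific classes are reported as shadowed, which is the misordering the note warns against and a check worth running before deploying a policy that is supposed to protect control or voice traffic.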

Edit ACLs Dialog Box - QoS Classes

When configuring a QoS policy on a Cisco IOS router, use the Edit ACLs dialog
box to specify which ACLs should be included in the matching criteria for the
selected class. Traffic matching these criteria is included as part of the class.

Navigation Path
Go to the QoS Class Dialog Box - Matching Tab, page K-224, then click Edit in
the ACL field.

Related Topics
- Defining QoS Class Matching Parameters, page 14-172
- Defining QoS on Interfaces, page 14-167
- Defining QoS on the Control Plane, page 14-171
- Quality of Service Policy Page, page K-215


Field Reference
Table K-91 Edit ACLs Dialog Box - QoS Classes

Access Control Lists
The ACLs to include as part of the matching criteria for the selected
QoS class. Enter the names of the ACLs or click Select to use an
object selector.
For more information, see Understanding Access Control List
Objects, page 8-31.

Select button
Opens an object selector for selecting ACLs. Using the selector
eliminates the need to manually enter this information.
If the ACL you want is not listed, click the Create button in the
selector to display the dialog box for defining an ACL object (see
Access Control Lists Page, page F-33).

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

QoS Class Dialog Box - Marking Tab

Use the Marking tab of the QoS Class dialog box to classify packets. Traffic
policers and shapers use these classifications to ensure adherence to the
contracted level of service. Downstream devices use this classification to identify
the packets and apply the appropriate QoS functions to them.

Note: The Marking tab is unavailable when you define a QoS policy on the control
plane.

Navigation Path
Go to the QoS Class Dialog Box, page K-222, then click the Marking tab.

Related Topics
- Defining QoS Class Marking Parameters, page 14-175


- Defining QoS on Interfaces, page 14-167
- Defining QoS on the Control Plane, page 14-171
- Quality of Service Policy Page, page K-215

Field Reference
Table K-92 QoS Class Dialog Box - Marking Tab

Enable Marking
When selected, enables you to mark the traffic in this QoS class with
a specific precedence or DSCP value (regardless of any value the
traffic might have had when it first entered the device). This mark
enables downstream devices to identify the traffic and apply the
appropriate QoS features to it.
When deselected, disables all marking options for the selected QoS
class. The traffic in this QoS class maintains its original precedence
or DSCP value, if any.

Precedence
The precedence value with which to mark the traffic in this class:
- network (7)
- internet match (6)
- critical (5)
- flash-override (4)
- flash (3)
- immediate (2)
- priority (1)
- routine (0)

DSCP
The DSCP value (0 to 63) with which to mark the traffic in this
class.


QoS Class Dialog Box - Queuing and Congestion Avoidance Tab

Use the Queuing and Congestion Avoidance tab of the QoS Class dialog box to
perform Class-Based Weighted Fair Queuing (CBWFQ) on the output traffic in
the selected QoS class. Queuing prioritizes traffic and manages congestion on
your network by determining the order in which packets are sent out over an
interface.
The fields displayed in the Queuing tab depend on whether you are defining a
specific QoS class or the default class.

Note: The Queuing and Congestion Avoidance tab is unavailable when you define a QoS
policy on the control plane or on input traffic.

Navigation Path
Go to the QoS Class Dialog Box, page K-222, then click the Queuing and
Congestion Avoidance tab.

Related Topics
- Defining QoS Class Queuing Parameters, page 14-176
- Defining QoS on Interfaces, page 14-167
- Defining QoS on the Control Plane, page 14-171
- Quality of Service Policy Page, page K-215


Field Reference
Table K-93 QoS Class Dialog Box - Queuing and Congestion Avoidance Tab

Enable Queuing and Congestion Avoidance
When selected, enables you to define queuing parameters for the
selected QoS class.
When deselected, disables all queuing options for the selected QoS
class.
Note: Queuing is available only for output traffic. Available
queuing options depend on whether you are defining a
specific QoS class or the default class.

Priority
Applies only when you are defining a specific QoS class for priority
traffic (for example, voice traffic).
The amount of bandwidth on this interface allocated to high-priority
traffic. You can define this amount by:
- Percentage - Valid values range from 0 to 100%.
- Kbit/sec - Valid values range from 8-2000000 kilobits per
  second.
Low Latency Queuing (LLQ) ensures that priority traffic receives
this defined bandwidth.
Note: You can define this option for one class only per interface.
If you select this option, the Shaping tab is disabled.

Fair Queue
Applies only when you are defining the default class.
The number of dynamic queues to reserve for this class. By default,
this number is based on the available bandwidth of the selected
interface. Values range from 16 to 4096, based on powers of 2. For
more information, see Table 14-7 on page 14-161.
Note: Failure to provide a sufficient number of queues for the
default class (a condition known as starvation) could result
in the traffic not being sent.


Bandwidth

The minimum bandwidth to guarantee to this class (a specific class


or the default class). You can define this amount by:

Queue Limit

PercentageValid values range from 0 to 100% of the total


available bandwidth.

Kbit/secValid values range from 8-2000000 kilobits per


second.

The maximum number of packets that can be queued for the class.
Any additional packets are dropped using tail drop until the
congestion is gone.
Note

WRED Weight for Mean Queue


Depth

This is the default option for limiting queue size unless


Weighted Random Early Detection (WRED) is configured.

The exponential weight factor to use to calculate the average queue


size. Use this option when defining WRED instead of tail drop for
this class. When queue size exceeds the value determined by this
weight factor, WRED randomly discards packets until the
transmitting protocol decreases its transmission rate to ease
congestion. Exponent values range from 1 to 16. The default is 9.
Note

This option is best suited for protocols like TCP, which


respond to dropped packets by decreasing the transmission
rate. We recommend that you do not change the default
unless you determine that your applications would benefit
from the change.
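The effect of the WRED weight exponent on the average queue depth, as an added example that is not part of this guide or of Security Manager. It assumes the standard WRED moving-average formula (avg_new = avg_old * (1 - 2^-n) + current * 2^-n, with n the exponent from the row above); the queue-depth trace and the function names are constructed for illustration.

```python
"""Average queue depth as WRED computes it from the exponential weight factor.

Added example, not code from the Cisco Security Manager guide. It assumes the
standard WRED moving average
    avg_new = avg_old * (1 - 2**-n) + current_depth * 2**-n
where n is the "WRED Weight for Mean Queue Depth" exponent (1..16, default 9).
The queue-depth traces below are constructed for illustration.
"""


def wred_average(depths, exponent, initial=0.0):
    """Return the running average queue depth after each instantaneous sample."""
    if not 1 <= exponent <= 16:
        raise ValueError("WRED exponent must be between 1 and 16")
    weight = 2.0 ** -exponent
    avg, history = initial, []
    for depth in depths:
        avg = avg * (1.0 - weight) + depth * weight
        history.append(avg)
    return history


def samples_to_reach(fraction, exponent):
    """Number of consecutive samples of a constant queue depth needed before the
    average reaches `fraction` of that depth, starting from an empty queue.
    This is the lag the exponent introduces before WRED begins to drop."""
    weight = 2.0 ** -exponent
    avg, n = 0.0, 0
    while avg < fraction:
        avg = avg * (1.0 - weight) + weight   # constant depth normalised to 1.0
        n += 1
    return n


# Constructed trace: an idle queue, a five-sample burst of 200 packets, then idle.
SHORT_BURST = [0] * 10 + [200] * 5 + [0] * 10


def burst_peak_average(exponent):
    """Highest average queue depth the short burst produces for a given exponent."""
    return max(wred_average(SHORT_BURST, exponent))


if __name__ == "__main__":
    for n in (1, 9, 16):
        print("exponent %2d: burst peak average %.2f, %d samples to reach 50%%"
              % (n, burst_peak_average(n), samples_to_reach(0.5, n)))
```

With the default exponent of 9 the five-sample burst barely moves the average (below 2 packets), so WRED ignores it; with an exponent of 1 the same burst drives the average to about 194, which is why lowering the exponent makes WRED react to short bursts and raising it makes WRED slow to react to sustained congestion.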

QoS Class Dialog Box—Policing Tab

Use the Policing tab of the QoS Class dialog box to configure rate limits on the
traffic in a selected QoS class. Excess traffic is either dropped or transmitted with
a different (typically lower) priority.
Navigation Path
Go to the QoS Class Dialog Box, page K-222, then click the Policing tab.


Related Topics
• Defining QoS Class Policing Parameters, page 14-178
• Defining QoS on Interfaces, page 14-167
• Defining QoS on the Control Plane, page 14-171
• Quality of Service Policy Page, page K-215

Field Reference
Table K-94 QoS Class Dialog Box—Policing Tab

Element / Description

Enable Policing
When selected, enables you to configure Class-Based Policing to
control the maximum rate of traffic for this class. Security Manager
uses a two-token bucket algorithm, which includes a defined violate
action that is performed when neither bucket can accommodate the
incoming packet.
When deselected, disables all policing options for the selected QoS
class.

CIR
The average data rate (also known as the committed information
rate or CIR). You can define this amount by:
• Percentage—Valid values range from 0 to 100% of the overall available bandwidth.
• Bit/sec—Valid values range from 8000 to 2000000000 bits per second.
In the token bucket algorithm, this rate represents the token arrival
rate for filling both token buckets. Traffic that falls under this rate
always conforms.
Note: When you configure Control Plane Policing, you must
define the CIR in bits per second.


Conform Burst
The normal burst size, which determines how large traffic bursts can
be before some traffic exceeds the rate limit. In the token bucket
algorithm, it represents the full size of the first (conform) token
bucket.
The range of valid values is determined by the CIR:
• When the CIR is defined by percentage—Valid values range from 1 to 2000 milliseconds.
• When the CIR is defined by an absolute value—Valid values range from 1000-512000000 bytes.

Excess Burst
The excess burst size, which determines how large traffic bursts can
be before all traffic exceeds the rate limit. In the token bucket
algorithm, it represents the full size of the second (exceed) token
bucket.
The range of valid values is determined by the CIR:
• When the CIR is defined by percentage—Valid values range from 1 to 2000 milliseconds.
• When the CIR is defined by an absolute value—Valid values range from 1000-512000000 bytes.

Conform action
The action to take on packets that conform to the rate limit:
• transmit—Transmits the packet.
• set-prec-transmit—Sets the IP precedence to a value you specify (0 to 7) and then sends the packet. Not available on the control plane.
• set-dscp-transmit—Sets the DSCP to a value you specify (0 to 63) and then sends the packet. Not available on the control plane.
• drop—Drops the packet.


Exceed action
The action to take on packets that exceed the rate limit, but can be
handled using the second (exceed) token bucket.
The actions available for selection depend on the defined conform
action. For example, if you select one of the set options as the
conform action, you cannot select transmit as the exceed action. If
you select drop as the conform action, then you must also select
drop as the exceed action.

Violate action
The action to take on packets that cannot be serviced by either the
conform bucket or the exceed bucket.
The actions available for selection depend on the defined exceed
action. For example, if you select one of the set options as the
exceed action, you cannot select transmit as the violate action. If
you select drop as the exceed action, then you must also select drop
as the violate action.
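The two-token-bucket policer that the Enable Policing, CIR, Conform Burst, Excess Burst and action rows describe, as an added example that is not part of this guide or of Security Manager. It assumes the single-rate three-colour marker model of RFC 2697 (tokens arrive at the CIR into the conform bucket and overflow into the exceed bucket), which is a modelling assumption beyond what the table states; the action-dependency checks follow the rules in the table, and the `Policer` class, `validate_actions` function and packet trace are constructed for illustration.

```python
"""Class-based policing with two token buckets and conform/exceed/violate actions.

Added example, not code from the Cisco Security Manager guide or from
Security Manager itself. It assumes the single-rate three-colour marker model
of RFC 2697: tokens arrive at the CIR into the conform bucket (size Bc) and
overflow into the exceed bucket (size Be). The action-dependency checks follow
the rules stated in the Policing tab table. The packet trace is constructed.
"""

MARKING_ACTIONS = {"set-prec-transmit", "set-dscp-transmit"}
ALL_ACTIONS = MARKING_ACTIONS | {"transmit", "drop"}


def validate_actions(conform, exceed, violate):
    """Raise ValueError if the three actions break the dependency rules."""
    for action in (conform, exceed, violate):
        if action not in ALL_ACTIONS:
            raise ValueError("unknown action %r" % action)
    # A marking action at one level rules out plain transmit at the next level.
    if conform in MARKING_ACTIONS and exceed == "transmit":
        raise ValueError("exceed action cannot be transmit when conform sets a marking")
    if exceed in MARKING_ACTIONS and violate == "transmit":
        raise ValueError("violate action cannot be transmit when exceed sets a marking")
    # drop at one level forces drop at every level below it.
    if conform == "drop" and exceed != "drop":
        raise ValueError("exceed action must be drop when conform is drop")
    if exceed == "drop" and violate != "drop":
        raise ValueError("violate action must be drop when exceed is drop")


def actions_allowed(conform, exceed, violate):
    """True when the combination passes validate_actions, otherwise False."""
    try:
        validate_actions(conform, exceed, violate)
    except ValueError:
        return False
    return True


class Policer:
    """Two-bucket policer: CIR in bit/s, Bc and Be in bytes."""

    def __init__(self, cir_bps, bc_bytes, be_bytes, actions):
        validate_actions(*actions)
        self.bytes_per_s = cir_bps / 8.0
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = float(bc_bytes), float(be_bytes)  # both buckets start full
        self.actions = dict(zip(("conform", "exceed", "violate"), actions))
        self.last = 0.0

    def _refill(self, now):
        arrived = (now - self.last) * self.bytes_per_s
        self.last = now
        self.tc += arrived
        if self.tc > self.bc:  # conform bucket full: surplus spills into exceed bucket
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc

    def police(self, now, length):
        """Classify one packet of `length` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if length <= self.tc:
            self.tc -= length
            return "conform", self.actions["conform"]
        if length <= self.te:
            self.te -= length
            return "exceed", self.actions["exceed"]
        return "violate", self.actions["violate"]  # neither bucket can absorb it


def run_trace(policer, trace):
    """Police a list of (time_s, length_bytes) and count packets per colour."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for when, length in trace:
        colour, _ = policer.police(when, length)
        counts[colour] += 1
    return counts


# Constructed trace: ten 1500-byte packets back to back at t = 0, then one
# more after a 2 s pause. CIR 8000 bit/s refills 1000 bytes per second.
SAMPLE_TRACE = [(0.0, 1500)] * 10 + [(2.0, 1500)]


def sample_counts():
    policer = Policer(cir_bps=8000, bc_bytes=3000, be_bytes=3000,
                      actions=("transmit", "set-dscp-transmit", "drop"))
    return run_trace(policer, SAMPLE_TRACE)


if __name__ == "__main__":
    print(sample_counts())  # {'conform': 3, 'exceed': 2, 'violate': 6}
```

In the constructed trace the first two packets drain the conform bucket, the next two drain the exceed bucket (and are re-marked), six are violations and dropped, and the packet sent after the pause conforms again because 2 s at the CIR has refilled 2000 bytes. Sizing Bc below the largest packet the class carries would make every such packet a violation, so the burst values deserve the same scrutiny as the rate.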

QoS Class Dialog Box—Shaping Tab

Use the Shaping tab of the QoS Class dialog box to control the rate of output
traffic for the selected QoS class. Shaping typically delays excess traffic by using
a buffer, or queuing mechanism, to hold packets and shape the flow when the data
rate of the source is higher than expected.

Note: The Shaping tab is unavailable when you define a QoS policy on the control plane,
use hierarchical shaping on the interface, define a QoS class for input traffic, or
perform queuing on priority traffic.
Navigation Path
Go to the QoS Class Dialog Box, page K-222, then click the Shaping tab.
Related Topics
• Defining QoS Class Shaping Parameters, page 14-180
• Defining QoS on Interfaces, page 14-167


• Defining QoS on the Control Plane, page 14-171
• Quality of Service Policy Page, page K-215

Field Reference
Table K-95 QoS Class Dialog Box—Shaping Tab

Element / Description

Enable Shaping
When selected, enables you to configure Distributed Traffic
Shaping (DTS) to control the rate of traffic for this class. DTS uses
queues to buffer traffic surges that can congest the network.
When deselected, disables all shaping options for the selected QoS
class.
Note: Shaping can be performed only on output traffic.

Type
The type of shaping to perform:
• Average—Limits the data rate for each interval to the sustained
burst rate (also known as the committed burst rate or Bc),
achieving an average rate no higher than the committed
information rate (CIR). Additional packets are buffered until
they can be sent.
• Peak—Limits the data rate for each interval to the sustained
burst rate plus the excess burst rate (Be). Additional packets are
buffered until they can be sent.

CIR
The average data rate (also known as the committed information
rate or CIR). You can define this amount by:
• Percentage—Valid values range from 0 to 100% of the overall available bandwidth.
• Bit/sec—Valid values range from 8000 to 1000000000 bits per second.
Although data bursts during an interval may exceed this rate, the
average data rate over any multiple integral of the interval will not
exceed this rate.


Sustained Burst
The normal burst size. If you select average as the shaping type, data
bursts during an interval are limited to this value.
The range of valid values is determined by the CIR:
• When the CIR is defined by percentage—Valid values range from 10 to 2000 milliseconds.
• When the CIR is defined by an absolute value—Valid values range from 1000 to 154400000 bytes, in multiples of 128 bytes.
Note: We recommend that you leave this field blank when the CIR
is defined by an absolute value. This allows the algorithms
used by the device to determine the optimal sustained burst
value.

Excess Burst
The excess burst size. If you select peak as the shaping type, data
bursts during an interval can equal the sum of the sustained burst
value plus this value. The average data rate over multiple intervals,
however, will continue to conform to the CIR.
The range of valid values is determined by the CIR:
• When the CIR is defined by percentage—Valid values range from 10 to 2000 milliseconds.
• When the CIR is defined by an absolute value—Valid values range from 1000 to 154400000 bytes, in multiples of 128 bytes.
Note: If you do not configure this field when the CIR is defined by
an absolute value, the sustained burst value is used.
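How the Type, CIR, Sustained Burst and Excess Burst rows combine into a shaping schedule, as an added example that is not part of this guide or of Security Manager. It assumes the classic shaping model in which the interval Tc equals Bc divided by the CIR, each interval may transmit Bc bytes (average) or Bc plus Be bytes (peak), and traffic that does not fit is delayed to a later interval rather than dropped; the `shape` function, the burst-range check and the packet burst are constructed for illustration.

```python
"""Average vs. peak traffic shaping with sustained (Bc) and excess (Be) bursts.

Added example, not code from the Cisco Security Manager guide or from
Security Manager itself. It assumes the classic shaping model: interval
Tc = Bc / CIR, each interval may transmit Bc bytes (average shaping) or
Bc + Be bytes (peak shaping), and traffic that does not fit is queued for a
later interval, never dropped. The packet burst is constructed.
"""
from collections import deque


def shaping_interval_s(cir_bps, bc_bytes):
    """Tc, the length of one shaping interval in seconds."""
    return bc_bytes * 8 / cir_bps


def peak_rate_bps(cir_bps, bc_bytes, be_bytes):
    """The rate that peak shaping allows within a single interval (Bc + Be per Tc)."""
    return cir_bps * (bc_bytes + be_bytes) / bc_bytes


def valid_absolute_burst(burst_bytes):
    """Range rule from the Shaping tab for a burst size used with an absolute CIR."""
    return 1000 <= burst_bytes <= 154400000 and burst_bytes % 128 == 0


def shape(packets, cir_bps, bc_bytes, be_bytes=0, shaping_type="average"):
    """Schedule a burst of packet lengths (bytes) that all arrive at t = 0.

    Returns (length, departure_interval) pairs in send order; interval 0 is
    the interval in which the burst arrived.
    """
    if shaping_type not in ("average", "peak"):
        raise ValueError("shaping_type must be 'average' or 'peak'")
    budget = bc_bytes + (be_bytes if shaping_type == "peak" else 0)
    if any(length > budget for length in packets):
        # A packet bigger than one interval's budget would wait forever.
        raise ValueError("packet larger than the per-interval burst budget")
    queue = deque(packets)
    schedule, interval = [], 0
    while queue:
        remaining = budget
        # Send as many head-of-line packets as fit into this interval; the
        # rest stay queued (delayed) until the next interval opens.
        while queue and queue[0] <= remaining:
            length = queue.popleft()
            remaining -= length
            schedule.append((length, interval))
        interval += 1
    return schedule


def max_delay_s(schedule, cir_bps, bc_bytes):
    """Worst-case queuing delay the shaper imposed, in whole intervals."""
    if not schedule:
        return 0.0
    return max(iv for _, iv in schedule) * shaping_interval_s(cir_bps, bc_bytes)


# Constructed burst: 16 packets of 1024 bytes offered at once to a 64 kbit/s
# CIR with Bc = 8192 bytes, so Tc = 1.024 s and 8 packets fit per interval.
CIR, BC, BE = 64000, 8192, 8192
BURST = [1024] * 16


def compare_average_and_peak():
    """Return the worst-case delay in seconds under average and under peak shaping."""
    avg = shape(BURST, CIR, BC, shaping_type="average")
    peak = shape(BURST, CIR, BC, BE, shaping_type="peak")
    return max_delay_s(avg, CIR, BC), max_delay_s(peak, CIR, BC)


if __name__ == "__main__":
    print("Tc = %.3f s, peak rate = %d bit/s"
          % (shaping_interval_s(CIR, BC), peak_rate_bps(CIR, BC, BE)))
    print("max delay (average, peak) =", compare_average_and_peak())
```

Under average shaping the second half of the burst waits one full interval (1.024 s here); under peak shaping with Be equal to Bc the whole burst leaves in the first interval at twice the CIR. Unlike the policer above, nothing is dropped, so the cost of a burst is latency and buffer memory rather than loss.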

BGP Routing Policy Page


Border Gateway Protocol (BGP) is an exterior gateway protocol (EGP) that
performs routing between multiple autonomous systems or domains and
exchanges routing and reachability information with other BGP systems. BGP is
used to exchange routing information on the Internet and is the protocol used
between Internet service providers.


You can configure BGP routing policies from the following tabs on the BGP
Routing page:
• BGP Page—Setup Tab, page K-237
• BGP Page—Redistribution Tab, page K-240
For more information, see BGP Routing on Cisco IOS Routers, page 181.
Navigation Path
• (Device view) Select Platform > Routing > BGP from the Policy selector.
• (Policy view) Select Router Platform > Routing > BGP from the Policy
Type selector. Right-click BGP to create a policy, or select an existing policy
from the Shared Policy selector.
Related Topics
• Router Platform User Interface Reference, page K-1

BGP Page—Setup Tab

Use the BGP Setup tab to define the number of the autonomous system (AS) in
which the selected router is located. You must then define which networks are
included in the AS and which networks are the internal and external neighbors of
the router. Additionally, you can enable or disable options that govern the
interaction between BGP and Interior Gateway Protocols (IGPs), such as OSPF
and EIGRP. Use a third option to enable the logging of messages from BGP
neighbors.
Navigation Path
Go to the BGP Routing Policy Page, page K-236, then click the Setup tab.
Related Topics
• Defining BGP Routes, page 14-183
• BGP Page—Redistribution Tab, page K-240
• Supported IP Address Formats, page 8-128
• Understanding Network/Host Objects, page 8-127


Field Reference
Table K-96 BGP Setup Tab

Element / Description

AS Number
The number of the autonomous system in which the router is
located. Valid values range from 1 to 65535. This number enables a
BGP routing process.

Networks
The networks associated with the BGP route. Enter one or more
network addresses or network/host objects, or click Select to
display an object selector.
If the network you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-433. From
here you can define a network/host object.
Note: To remove a network from the route, select it from the
Network field, then click Delete.

Neighbors
The internal neighbors (those located in the same AS as the router)
and external neighbors (located in different ASs) of the router. See
Neighbors Dialog Box, page K-239.

Auto-Summary
When selected, automatic summarization is enabled. When a subnet
is redistributed from an IGP (such as RIP, OSPF or EIGRP) into
BGP, this BGP version 3 feature injects only the network route into
the BGP table. Automatic summarization reduces the size and
complexity of the routing table that the router must maintain.
When deselected, automatic summarization is disabled. This is the
default.

Synchronization
When selected, synchronization is enabled. Use this feature to
ensure that all routers in your network are consistent about the
routes they advertise. Synchronization forces BGP to wait until the
IGP propagates routing information across the AS.
When deselected, synchronization is disabled. You can disable
synchronization if this router does not pass traffic from a different
AS to a third AS, or if all the routers in the AS are running BGP.
Disabling this feature has the benefit of reducing the number of
routes the IGP must carry, which improves convergence times. This
is the default.


Log-Neighbor
When selected, enables the logging of messages that are generated
when a BGP neighbor resets, connects to the network, or is
disconnected. This is the default.
When deselected, message logging is disabled.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit button on the
toolbar.

Neighbors Dialog Box

Use the Neighbors dialog box to define the internal and external neighbors of the
selected router.
Navigation Path
Go to the BGP Page—Setup Tab, page K-237, then click the Add or Edit button
in the Neighbors field.
Related Topics
• Defining BGP Routes, page 14-183
• Supported IP Address Formats, page 8-128
• Understanding Network/Host Objects, page 8-127


Field Reference
Table K-97 Neighbors Dialog Box

Element / Description

AS Number
The number of the AS containing BGP neighbors. Internal
neighbors have the same AS number as the network of the selected
router. External neighbors have a different AS number.

IP Address
The IP addresses of the hosts that are neighbors of the router. BGP
neighbors exchange routing information with each other whenever
changes to the routing table are detected.
When you define BGP neighbors, the IP addresses cannot belong to
an interface on the selected router. In addition, you cannot define the
same IP address in more than one AS.
Enter one or more addresses or network/host objects, or click Select
to display an object selector.
If the host you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-433. From
here you can define a network/host object.
Note: To remove a host from the list of BGP neighbors, select it
from the Hosts field, then click Delete.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

BGP Page—Redistribution Tab

Use the BGP Redistribution tab to view, create, edit, and delete redistribution
settings when performing redistribution into a BGP autonomous system (AS).

Note: You must define BGP setup parameters before you can access the BGP
Redistribution tab. See BGP Page—Setup Tab, page K-237.


Navigation Path
Go to the BGP Routing Policy Page, page K-236, then click the Redistribution
tab.
Related Topics
• Redistributing Routes into BGP, page 14-185
• BGP Page—Setup Tab, page K-237

Field Reference
Table K-98 BGP Redistribution Tab

Element / Description

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

Protocol
The protocol that is being redistributed.

AS/Process ID
The AS number or process ID of the route being redistributed.

Metric
The value that determines the priority of the redistributed route.

Match
When redistributing an OSPF process, indicates the types of OSPF
routes that are being redistributed.

Static Type
When redistributing static routes, indicates the type of static route,
IP or OSI.

Add button
Opens the BGP Redistribution Mapping Dialog Box, page K-242.
From here you can define BGP redistribution mappings.

Edit button
Opens the BGP Redistribution Mapping Dialog Box, page K-242.
From here you can edit the selected BGP redistribution mapping.

Delete button
Deletes the selected BGP redistribution mappings from the table.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.


Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

BGP Redistribution Mapping Dialog Box

Use the BGP Redistribution Mapping dialog box to add or edit the properties of a
BGP redistribution mapping.
Navigation Path
Go to the BGP Page—Redistribution Tab, page K-240, then click the Add or Edit
button beneath the table.
Related Topics
• Redistributing Routes into BGP, page 14-185


Field Reference
Table K-99 BGP Redistribution Mapping Dialog Box

Element / Description

Protocol to Redistribute
The routing protocol that is being redistributed:
• Static—Redistributes IP or OSI static routes. You can define a
single mapping for each route.
• EIGRP—Redistributes an EIGRP autonomous system. Enter
the AS number in the displayed field. You can define a single
mapping for each AS.
• RIP—Redistributes RIP routes. You can define a single
mapping for each route.
• OSPF—Redistributes a different OSPF process. You can define
a single mapping for each process. Select a process from the
displayed list, then select one or more match criteria:
  - Internal—Routes that are internal to a specific AS.
  - External1—Routes that are external to the AS and
  imported into OSPF as a Type 1 external route.
  - External2—Routes that are external to the AS and
  imported into the selected process as a Type 2 external
  route.
  - NSSA-External1—Not-So-Stubby Area (NSSA) routes that
  are external to the AS and imported into the selected
  process as Type 1 external routes.
  - NSSA-External2—NSSA routes that are external to the
  AS and imported into the selected process as Type 2
  external routes.
• Connected—Redistributes routes that are established
automatically by virtue of having enabled IP on an interface.
These routes are redistributed as external to the AS.


Metric
A value representing the cost of the redistributed route. Valid values
range from 0 to 4294967295.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

EIGRP Routing Policy Page

Enhanced Interior Gateway Routing Protocol (EIGRP) is a scalable interior
gateway protocol that provides extremely quick convergence times with minimal
network traffic.
You can configure EIGRP routing policies from the following tabs on the EIGRP
Routing page:
• EIGRP Page—Setup Tab, page K-245
• EIGRP Page—Interfaces Tab, page K-248
• EIGRP Page—Redistribution Tab, page K-251
For more information, see EIGRP Routing on Cisco IOS Routers, page 14-187.
Navigation Path
• (Device view) Select Platform > Routing > EIGRP from the Policy selector.
• (Policy view) Select Router Platform > Routing > EIGRP from the Policy
Type selector. Right-click EIGRP to create a policy, or select an existing
policy from the Shared Policy selector.
Related Topics
• Router Platform User Interface Reference, page K-1


EIGRP Page—Setup Tab

Use the EIGRP Setup tab to view, create, edit, and delete EIGRP routes.
Navigation Path
Go to the EIGRP Routing Policy Page, page K-244, then click the Setup tab.
Related Topics
• Defining EIGRP Routes, page 14-188
• EIGRP Page—Interfaces Tab, page K-248
• EIGRP Page—Redistribution Tab, page K-251

Field Reference
Table K-100 EIGRP Setup Tab

Element / Description

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

AS Number
The autonomous system number that identifies the autonomous
system to other routers.

Networks
The names of the networks included in the route.

Passive Interfaces
The interfaces that neither send nor receive routing updates from
their neighbors.

Auto-Summary
Indicates whether auto summarization is activated on the selected
route.

Add button
Opens the EIGRP Setup Dialog Box, page K-246. From here you
can create an EIGRP route.

Edit button
Opens the EIGRP Setup Dialog Box, page K-246. From here you
can edit the selected EIGRP route.

Delete button
Deletes the selected EIGRP routes from the table.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

EIGRP Setup Dialog Box

Use the EIGRP Setup dialog box to add or edit EIGRP routes.
Navigation Path
Go to the EIGRP Page—Setup Tab, page K-245, then click the Add or Edit button
beneath the table.
Related Topics
• Defining EIGRP Routes, page 14-188
• Supported IP Address Formats, page 8-128
• Understanding Network/Host Objects, page 8-127

Field Reference
Table K-101 EIGRP Setup Dialog Box

Element / Description

AS Number
The autonomous system number for the EIGRP route. This number
is used to identify the autonomous system to other routers. Valid
values are from 1 to 65535.

Networks
The networks associated with the EIGRP route. Enter one or more
network addresses or network/host objects, or click Select to
display an object selector.
If the network you want is not listed, click the Create button in the
selector to display the Network/Host Dialog Box, page F-433. From
here you can define a network/host object.


Passive Interfaces
The interfaces that do not send updates to their routing neighbors.
Click Edit to display the Edit Interfaces Dialog Box—EIGRP
Passive Interfaces, page K-247. From here you can define these
interfaces.
Note: When you make an interface passive, EIGRP suppresses the
exchange of hello packets between routers, resulting in the
loss of their neighbor relationship. This not only stops
routing updates from being advertised but also suppresses
incoming routing updates.

Auto-Summary
When selected, enables the automatic summarization of subnet
routes into network-level routes. Summarization reduces the size of
routing tables, thereby reducing the complexity of the network.
When deselected, automatic summarization is disabled.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

Edit Interfaces Dialog Box—EIGRP Passive Interfaces

When you configure an EIGRP routing policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will not send updates to their
routing neighbors.
Navigation Path
Go to the EIGRP Setup Dialog Box, page K-246, then click the Edit button in the
Passive Interfaces field.
Related Topics
• EIGRP Page—Setup Tab, page K-245


Field Reference
Table K-102 Edit Interfaces Dialog Box—EIGRP Passive Interfaces

Element / Description

Interfaces
The interfaces that do not send updates to their routing neighbors.
You can enter interfaces, interface roles, or both.
For more information, see Specifying Interfaces During Policy
Definition, page 8-118.

Select button
Opens an object selector for selecting interfaces and interface roles.
Using a selector eliminates the need to manually enter this
information.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can define an interface role object.

OK button
Saves your changes and closes the dialog box. Your selections are
displayed in the Passive Interfaces field of the EIGRP Setup dialog
box.

EIGRP Page—Interfaces Tab

Use the EIGRP Interfaces tab to create, edit, and delete interface properties for
selected EIGRP autonomous systems. This includes modifying the default hello
interval and disabling split horizon.

Note: You can access the EIGRP Interfaces tab only after defining at least one EIGRP
autonomous system in the Setup tab. See EIGRP Page—Setup Tab, page K-245.
Navigation Path
Go to the EIGRP Routing Policy Page, page K-244, then click the Interfaces tab.
Related Topics
• Defining EIGRP Interface Properties, page 14-190
• EIGRP Page—Setup Tab, page K-245
• EIGRP Page—Redistribution Tab, page K-251


Field Reference
Table K-103 EIGRP Interfaces Tab

Element / Description

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

AS Number
The EIGRP autonomous system number for which interface
properties are defined.

Interfaces
The interfaces related to the selected EIGRP autonomous system
that have specially defined values.

Split Horizon
Indicates whether the split horizon feature is enabled or disabled for
the selected interface.

Hello Interval
The defined interval between hello packets sent to neighboring
routers.

Add button
Opens the EIGRP Interface Dialog Box, page K-249. From here you
can create an EIGRP interface definition.

Edit button
Opens the EIGRP Interface Dialog Box, page K-249. From here you
can edit the selected EIGRP interface definition.

Delete button
Deletes the selected EIGRP interface definitions from the table.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

EIGRP Interface Dialog Box


Use the EIGRP Interface dialog box to add or edit interface definitions for a
selected EIGRP autonomous system.


Navigation Path
Go to the EIGRP Page—Interfaces Tab, page K-248, then click the Add or Edit
button beneath the table.
Related Topics
• Defining EIGRP Interface Properties, page 14-190
• Basic Interface Settings on Cisco IOS Routers, page 14-21
• Understanding Interface Role Objects, page 8-115

Field Reference
Table K-104 EIGRP Interface Dialog Box

Element / Description

AS Number
Selects the EIGRP autonomous system number whose interface
properties you want to modify. For more information about EIGRP
autonomous systems, see EIGRP Setup Dialog Box, page K-246.

Interface
Specifies the EIGRP interface you wish to configure. Enter the
name of an interface or interface role, or click Select to display an
object selector.
If the interface role you want is not listed, click the Create button
in the selector to display the Interface Role Dialog Box, page F-419.
From here you can create an interface role object.

Hello Interval
The default interval between hello packets sent by the router to its
neighbors. Routers send hello packets to each other to dynamically
learn of other routers on their directly attached networks. Valid
values range from 1 to 65535 seconds. The default is 5 seconds.


Split Horizon
When selected, the split horizon feature is used to prevent routing
loops.
When deselected, split horizon is disabled. When split horizon is
disabled, the router can advertise a route out of the same interface
through which it learned the route.
Disabling split horizon is often useful when dealing with
nonbroadcast networks, such as Frame Relay and SMDS.
Note: Changing the split horizon setting on an interface resets all
adjacencies with EIGRP neighbors that are reachable over
that interface.

OK button
Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that
they are not lost when you log out or close your client, click
Save on the source page.

EIGRP Page—Redistribution Tab

Use the EIGRP Redistribution tab to create, edit, and delete EIGRP redistribution
mappings.
Navigation Path
Go to the EIGRP Routing Policy Page, page K-244, then click the Redistribution
tab.
Related Topics
• Redistributing Routes into EIGRP, page 14-193
• EIGRP Page—Setup Tab, page K-245
• EIGRP Page—Interfaces Tab, page K-248


Field Reference
Table K-105 EIGRP Redistribution Tab

Element / Description

Filter
Enables you to filter the information displayed in the table. For
more information, see Filtering Tables, page 3-24.

EIGRP AS Number
The area ID of the EIGRP route into which other routes are being
redistributed.

Protocol
The protocol that is being redistributed.

AS/Process ID
The AS number or process ID of the route being redistributed.

Bandwidth
The minimum bandwidth of the path for the EIGRP route, as
defined for the route metric.

Delay
The mean latency of the path, as defined for the route metric.

Reliability
A value representing the estimated reliability of the path, as defined
for the route metric.

Effective Bandwidth
A value representing the effective load on the link, as defined for the
route metric.

MTU
The minimum MTU of the path, as defined for the route metric.

Match
When redistributing an OSPF process, indicates the types of OSPF
routes that are being redistributed.

Add button
Opens the EIGRP Redistribution Mapping Dialog Box, page K-253.
From here you can define EIGRP redistribution mappings.

Edit button
Opens the EIGRP Redistribution Mapping Dialog Box, page K-253.
From here you can edit the selected EIGRP redistribution mapping.

Delete button
Deletes the selected EIGRP redistribution mappings from the table.

Save button
Saves your changes to the Security Manager server but keeps them
private.
Note: To publish your changes, click the Submit icon on the
toolbar.

User Guide for Cisco Security Manager 3.1

K-252

OL-11501-03

Appendix K

Router Platform User Interface Reference


EIGRP Routing Policy Page

Tip

To choose which columns to display in the table, right-click a column header, then
select Show Columns. For more information about table display options, see
Table Columns and Column Heading Features, page 3-26.

EIGRP Redistribution Mapping Dialog Box


Use the EIGRP Redistribution Mapping dialog box to add or edit the properties
of an EIGRP redistribution mapping.
Navigation Path

Go to the EIGRP PageRedistribution Tab, page K-251, then click the Add or
Edit button beneath the table.

Note

You must create at least one EIGRP AS before you can access the EIGRP
Redistribution dialog box. See EIGRP PageSetup Tab, page K-245.
Related Topics

Redistributing Routes into EIGRP, page 14-193

Field Reference

Table K-106 EIGRP Redistribution Mapping Dialog Box

EIGRP AS Numbers: The EIGRP AS into which other routes are being redistributed. You must select an ID number from the list of EIGRP autonomous systems defined in the EIGRP Page - Setup Tab, page K-245.

Protocol to Redistribute: The routing protocol that is being redistributed:
- Static: Redistributes static routes. You can define a single mapping for each route.
- EIGRP: Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS.
- BGP: Redistributes a BGP autonomous system. You can define a single BGP mapping on each device. If you configured a BGP AS in the BGP Setup tab, the AS number is displayed. Otherwise, a message is displayed indicating that no BGP AS was defined. See BGP Page - Redistribution Tab, page K-240.
- OSPF: Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria:
  - Internal: Routes that are internal to a specific AS.
  - External1: Routes that are external to the AS and imported into OSPF as a Type 1 external route.
  - External2: Routes that are external to the AS and imported into the selected process as a Type 2 external route.
  - NSSA External1: Not-So-Stubby Area (NSSA) routes that are external to the AS and imported into the selected process as Type 1 external routes.
  - NSSA External2: NSSA routes that are external to the AS and imported into the selected process as Type 2 external routes.
- RIP: Redistributes RIP routes.
- Connected: Redistributes routes that are established automatically by virtue of having enabled IP on an interface. These routes are redistributed as external to the AS.

Metrics: The default metric (cost) of the redistributed route. Metric parameters include:
- Bandwidth: The minimum bandwidth of the path in kilobits per second. Valid values range from 1 to 4294967295.
- Delay: The mean latency of the path in units of 10 microseconds. Valid values range from 0 to 4294967295.
- Reliability: A value expressing the estimated reliability of the link. Valid values range from 0 to 255, where 255 represents 100% reliability.
- Effective Bandwidth: A value expressing the effective load on the link. Valid values range from 1 to 255, where 255 represents 100% utilization.
- MTU of Path: The maximum transmission unit of the path. Valid values range from 1 to 65535 bytes.

OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
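The five metric parameters in Table K-106 together define the EIGRP composite metric a redistributed route receives. The following Python is an added example, not code from Security Manager or this guide: it checks each parameter against the ranges the dialog box accepts and computes the classic EIGRP metric. The formula and the default K values it uses (K1 = K3 = 1, K2 = K4 = K5 = 0) are standard EIGRP behaviour assumed here; the page itself states only the parameter ranges.

```python
"""EIGRP redistribution metric check.

Added example; not code from the Security Manager product or this guide.
Validates the five metric parameters against the ranges the EIGRP
Redistribution Mapping dialog box accepts and computes the classic EIGRP
composite metric. The default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) and
the formula are assumptions taken from standard EIGRP; the page gives ranges only.
"""
from dataclasses import dataclass

# Accepted (min, max) per metric parameter, as listed in Table K-106.
RANGES = {
    "bandwidth": (1, 4294967295),   # kilobits per second (minimum along the path)
    "delay": (0, 4294967295),       # units of 10 microseconds (sum along the path)
    "reliability": (0, 255),        # 255 = 100% reliable
    "load": (1, 255),               # the "Effective Bandwidth" field; 255 = 100% utilization
    "mtu": (1, 65535),              # bytes (minimum along the path)
}


@dataclass(frozen=True)
class RedistMetric:
    bandwidth: int
    delay: int
    reliability: int = 255
    load: int = 1
    mtu: int = 1500


def validate(m: RedistMetric) -> list:
    """Return the out-of-range fields; an empty list means the mapping is accepted."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(m, name)
        if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
            problems.append(f"{name}={value!r} is outside {lo}..{hi}")
    return problems


def composite_metric(m: RedistMetric, k1=1, k2=0, k3=1, k4=0, k5=0) -> int:
    """Classic EIGRP composite metric (assumed formula, standard EIGRP):

        metric = 256 * [K1*BW + K2*BW/(256 - load) + K3*delay] * [K5/(reliability + K4)]

    where BW = 10^7 / minimum bandwidth in kbps and delay is already in
    tens of microseconds. When K5 is 0 the reliability factor is omitted.
    Integer division mirrors how the router truncates the bandwidth term.
    """
    problems = validate(m)
    if problems:
        raise ValueError("; ".join(problems))
    bw = 10**7 // m.bandwidth
    metric = k1 * bw + (k2 * bw) // (256 - m.load) + k3 * m.delay
    if k5 != 0:
        metric = metric * k5 // (m.reliability + k4)
    return metric * 256


if __name__ == "__main__":
    # Constructed sample: a 10 Mbps path with 1000 microseconds of delay.
    sample = RedistMetric(bandwidth=10000, delay=100)
    print(validate(sample), composite_metric(sample))
```

With the defaults only bandwidth and delay influence the result, which is why the dialog box's reliability and load fields are usually left at their defaults; changing K values on one router but not its neighbors breaks adjacency, so the K values are kept out of the per-mapping metric here.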

OSPF Interface Policy Page

Use the OSPF Interface page to view, create, edit, and delete interface-specific OSPF settings. For more information, see Defining OSPF Interface Settings, page 14-204.

Navigation Path

- (Device view) Select Platform > Routing > OSPF Interface from the Policy selector.
- (Policy view) Select Router Platform > Routing > OSPF Interface from the Policy Type selector. Right-click OSPF Interface to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

- OSPF Process Policy Page, page K-264
- Router Platform User Interface Reference, page K-1

Field Reference

Table K-107 OSPF Interface Page

Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Interfaces: The name of an interface (as defined by an interface role) on which OSPF is enabled.

Authentication: The type of OSPF neighbor authentication enabled for the selected interface.

Key ID: The identification number of the authentication key used for MD5 authentication.

Cost: The cost of sending packets over the selected interface, if this value is different from the cost as normally calculated.

Priority: The priority of the selected interface.

MTU Ignore: Indicates whether maximum transmission unit (MTU) mismatch detection is disabled on the selected interface.

Database Filter: Indicates whether link-state advertisement (LSA) flooding is disabled on the selected interface.

Hello Interval: The interval between hello packets (in seconds) sent over this interface.

Transmit Delay: The amount of time OSPF waits (in seconds) before flooding an LSA over the link.

Retransmit Interval: The interval between LSA retransmissions (in seconds) over the selected interface.

Dead Interval: The interval OSPF waits (in seconds) before declaring a neighboring router dead because of an absence of hello packets.

Network Type: The network type configured for the selected interface, if it differs from the default medium.

Add button: Opens the OSPF Interface Dialog Box, page K-258. From here you can define the properties of an OSPF interface.

Edit button: Opens the OSPF Interface Dialog Box, page K-258. From here you can edit the properties of the selected OSPF interface.

Delete button: Deletes the selected OSPF interface definitions from the table.

Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

OSPF Interface Dialog Box

Use the OSPF Interface dialog box to add or edit the properties of OSPF interfaces.

Navigation Path

Go to the OSPF Interface Policy Page, page K-256, then click the Add or Edit button beneath the table.

Related Topics

- Defining OSPF Interface Settings, page 14-204
- OSPF Routing on Cisco IOS Routers, page 14-195
- Basic Interface Settings on Cisco IOS Routers, page 14-21
- Understanding Interface Role Objects, page 8-115

Field Reference

Table K-108 OSPF Interface Dialog Box

Interface: The OSPF interface to configure. Enter the name of an interface or interface role, or click Select to display an object selector. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-419. From here you can define an interface role object.

Authentication: The neighbor authentication settings for the selected interface:
- Type: The authentication type used by the selected interface:
  - MD5: Uses the MD5 hash algorithm for authentication. This is the default.
  - Clear Text: Uses a clear text password for authentication.
  - None: Uses no authentication.
  Note: The authentication type used on an interface must match the authentication type defined for the area.
  Note: Use plain text authentication only when security is not an issue, for example, to ensure that misconfigured hosts do not participate in routing.
- Key ID: Available only when MD5 is selected as the authentication type. The identification number of the authentication key. This number must be shared with all other devices sending updates to, and receiving updates from, the selected device. Valid values range from 1 to 255.
- Key: The shared key used for authentication (MD5 or clear text). This key must be shared with all other devices sending updates to, and receiving updates from, the selected device. Enter this key again in the Confirm field. When using clear text, the key can include any continuous string of characters that can be entered from the keyboard (up to 8 bytes). When using MD5, the key can include alphanumeric characters only (up to 16 bytes).

Cost: The cost of sending packets over this interface. A value entered here overrides the default calculated cost (10^8/bandwidth in bits per second). Valid values range from 1 to 65535.

Priority: The default priority of the interface. The priority is used to determine which routers become the designated router (DR) and backup designated router (BDR) for that segment. The higher the number, the higher the priority. The default priority is 1. Valid values range from 0 to 255.
Note: To exclude the interface from election as DR or BDR, assign a priority of 0.
Note: Configure router priority only for interfaces to multiaccess networks, not point-to-point networks.

MTU Ignore: When selected, ignores MTU mismatches between neighboring routers. When deselected, MTU mismatch detection is enabled.
Note: Typically, this option is not used, because it can cause routers to become stuck in exstart/exchange state, which prevents OSPF adjacency from being established.

Database Filter: When selected, blocks link-state advertisement (LSA) flooding to the selected interface. When deselected, LSA flooding is permitted.
Note: We recommend that you enable this option on fully-meshed networks.
Note: This option is not available for point-to-multipoint networks.

Hello Interval: The default interval (in seconds) between hello packets sent over the selected interface. These packets are used by neighboring routers to confirm that the router sending the packets is still operating. Valid values range from 1 to 65535 seconds.
Note: The hello interval must be the same for all routers and access servers in the network.

Transmit Delay: The amount of time OSPF waits (in seconds) before flooding an LSA over the link. The default is 1 second. Valid values range from 1 to 65535 seconds.
Note: When you configure slow links or on-demand links that queue traffic before sending it in bursts, we recommend that you take these link delays into account when defining this value.

Retransmit Interval: The interval between LSA retransmissions (in seconds) over the selected interface. The default is 5 seconds. Valid values range from 1 to 65535 seconds.
Note: We recommend that you increase this value for serial lines and virtual links.

Dead Interval: The interval (in seconds) after which an interface declares its neighbor dead if no hello packets are received. Valid values range from 1 to 65535 seconds.
Note: The value of the dead interval is typically the hello interval value multiplied by 4. The dead interval must be the same for all routers and access servers in the network.

Configure Network Type: When selected, enables you to select a network type that differs from the default medium used by the interface. When deselected, the network type is equivalent to the default medium used by the interface.
For nonbroadcast multiaccess (NBMA) networks (such as ATM and Frame Relay), options are:
- Broadcast: Treats the NBMA network as a broadcast network, which eliminates the need to configure neighbors. Use this option when there are virtual circuits from every router to every router (fully meshed network).
- Point-to-Multipoint: Treats the nonbroadcast network as a series of point-to-point links. This option is easier to configure, less costly, and more reliable than NBMA or point-to-point networks.
- Point-to-Multipoint Non-Broadcast: Statically maintains the known neighbors of the network. Selecting this option helps avoid the problem of losing neighbors that were learned dynamically through the reception of hello packets.
Note: Another option for NBMA networks is to configure neighbors manually using FlexConfigs. See Understanding FlexConfig Objects, page 8-52.
For broadcast networks (such as Ethernet, Token Ring, and FDDI), you can select:
- Non-Broadcast: Treats the broadcast network as a nonbroadcast network.
- Point-to-Point: Treats the broadcast network as a point-to-point network. You can use this option, for example, to configure a broadcast network (such as Ethernet) as a nonbroadcast multiaccess (NBMA) network if not all routers in the network support multicast addressing.

OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
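Several of the constraints in Table K-108 are easy to get wrong across a set of routers: the key length and character set depend on the authentication type, the hello and dead intervals must agree on every router on a segment, and a clear text or absent authentication setting is something a reviewer wants flagged before deployment. The following Python is an added example, not code from Security Manager or this guide; it models the dialog box fields and reports those problems for one interface and for a pair of neighbors. The 10 second hello default and all class and function names are assumptions; the page states only the valid ranges, the 10^8/bandwidth cost rule, and the hello-times-4 dead interval.

```python
"""OSPF interface setting checks.

Added example; not code from the Security Manager product or this guide.
Models the fields of the OSPF Interface dialog box and checks the constraints
the page states (key length and character set per authentication type, value
ranges, the 10^8/bandwidth default cost, dead interval = hello * 4) plus the
requirement that neighbors on a segment agree on hello, dead and
authentication settings. The hello default of 10 seconds is an assumption
(IOS default); the page gives only the valid range.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OspfInterface:
    name: str
    auth_type: str = "MD5"            # "MD5" (default), "Clear Text" or "None"
    key_id: Optional[int] = None      # MD5 only, 1..255
    key: Optional[str] = None
    cost: Optional[int] = None        # 1..65535; None = calculated from bandwidth
    bandwidth_bps: int = 100_000_000
    priority: int = 1                 # 0..255; 0 excludes the router from DR/BDR election
    hello: int = 10                   # seconds; assumed default, page gives range 1..65535
    dead: Optional[int] = None        # seconds; None = hello * 4 (typical value per the page)
    mtu_ignore: bool = False

    def effective_dead(self) -> int:
        return self.dead if self.dead is not None else self.hello * 4

    def effective_cost(self) -> int:
        # Page: the default calculated cost is 10^8 / bandwidth in bits per second.
        return self.cost if self.cost is not None else max(1, 10**8 // self.bandwidth_bps)


def check_interface(i: OspfInterface) -> List[str]:
    """Return findings for one interface; an empty list means nothing to report."""
    f = []
    if i.auth_type == "MD5":
        if i.key_id is None or not 1 <= i.key_id <= 255:
            f.append(f"{i.name}: MD5 key ID must be 1..255")
        if not i.key or len(i.key.encode()) > 16 or not i.key.isalnum():
            f.append(f"{i.name}: MD5 key must be 1..16 alphanumeric bytes")
    elif i.auth_type == "Clear Text":
        if not i.key or len(i.key.encode()) > 8:
            f.append(f"{i.name}: clear text key must be 1..8 bytes")
        f.append(f"{i.name}: clear text authentication sends the key on the wire; use MD5 where security matters")
    elif i.auth_type == "None":
        f.append(f"{i.name}: neighbor authentication disabled")
    else:
        f.append(f"{i.name}: unknown authentication type {i.auth_type!r}")
    if i.cost is not None and not 1 <= i.cost <= 65535:
        f.append(f"{i.name}: cost must be 1..65535")
    if not 0 <= i.priority <= 255:
        f.append(f"{i.name}: priority must be 0..255")
    for label, value in (("hello", i.hello), ("dead", i.effective_dead())):
        if not 1 <= value <= 65535:
            f.append(f"{i.name}: {label} interval must be 1..65535 seconds")
    if i.mtu_ignore:
        f.append(f"{i.name}: MTU Ignore selected; the page notes this can leave routers stuck in exstart/exchange")
    return f


def check_segment(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Two neighbors on one segment must agree on hello, dead and authentication."""
    f = []
    if a.hello != b.hello:
        f.append(f"hello mismatch: {a.name}={a.hello}s {b.name}={b.hello}s")
    if a.effective_dead() != b.effective_dead():
        f.append(f"dead mismatch: {a.name}={a.effective_dead()}s {b.name}={b.effective_dead()}s")
    if a.auth_type != b.auth_type:
        f.append(f"authentication type mismatch: {a.name}={a.auth_type} {b.name}={b.auth_type}")
    elif a.auth_type != "None" and (a.key_id != b.key_id or a.key != b.key):
        f.append(f"authentication key or key ID differs between {a.name} and {b.name}")
    return f


if __name__ == "__main__":
    # Constructed sample: two routers on one Ethernet segment, one with a clear text key.
    r1 = OspfInterface("r1-Gi0/0", key_id=1, key="abc123")
    r2 = OspfInterface("r2-Gi0/0", auth_type="Clear Text", key="s3cret", hello=30)
    for finding in check_interface(r1) + check_interface(r2) + check_segment(r1, r2):
        print(finding)
```

Running the sample reports the clear text key on r2 and the hello, dead and authentication type mismatches between the two routers, which is exactly the set of conditions the notes in the table say must agree for an adjacency to form.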

OSPF Process Policy Page

OSPF is an interior gateway routing protocol that uses link states instead of distance vectors for path selection. OSPF propagates link-state advertisements (LSAs) instead of routing table updates, which enables OSPF networks to converge quickly.

You can configure OSPF process policies from the following tabs on the OSPF Process page:

- OSPF Process Page - Setup Tab, page K-265
- OSPF Process Page - Area Tab, page K-268
- OSPF Process Page - Redistribution Tab, page K-270

For more information, see OSPF Routing on Cisco IOS Routers, page 14-195.

Note: For more information about OSPF interface policies, see OSPF Interface Policy Page, page K-256.

Navigation Path

- (Device view) Select Platform > Routing > OSPF Process from the Policy selector.
- (Policy view) Select Router Platform > Routing > OSPF Process from the Policy Type selector. Right-click OSPF Process to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

- Router Platform User Interface Reference, page K-1

OSPF Process Page - Setup Tab

Use the OSPF Process Setup tab to create, edit, and delete OSPF processes. This includes selecting those interfaces that will remain passive, which means that they will not send routing updates to their neighbors. You can create as many processes for each router as required.

Navigation Path

Go to the OSPF Process Policy Page, page K-264, then click the Setup tab.

Related Topics

- Defining OSPF Process Settings, page 14-196
- OSPF Process Page - Area Tab, page K-268
- OSPF Process Page - Redistribution Tab, page K-270
- OSPF Interface Policy Page, page K-256

Field Reference

Table K-109 OSPF Process Setup Tab

Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Process ID: The process ID that identifies the OSPF routing process to other routers.

Passive Interfaces: The interfaces that do not send out routing updates.

Add button: Opens the OSPF Setup Dialog Box, page K-266. From here you can define an OSPF process.

Edit button: Opens the OSPF Setup Dialog Box, page K-266. From here you can edit the selected OSPF process.

Delete button: Deletes the selected OSPF processes from the table.

Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

OSPF Setup Dialog Box

Use the OSPF Setup dialog box to add or edit an OSPF process.

Navigation Path

Go to the OSPF Process Page - Setup Tab, page K-265, then click the Add or Edit button beneath the table.

Related Topics

- Defining OSPF Process Settings, page 14-196

Field Reference

Table K-110 OSPF Setup Dialog Box

Process ID: The process ID number for the OSPF process. This number identifies the OSPF process to other routers. It does not need to match the process ID on other devices. Valid values are from 1 to 65535.

Passive Interfaces: The interfaces that do not send updates to their routing neighbors. Click Edit to display the Edit Interfaces Dialog Box - OSPF Passive Interfaces, page K-267. From here you can define these interfaces.
Note: When you make an interface passive, OSPF suppresses the sending of hello packets to neighboring routers. The interface will continue to receive routing updates, however.

OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

Edit Interfaces Dialog Box - OSPF Passive Interfaces

When you configure an OSPF routing policy on a Cisco IOS router, use the Edit Interfaces dialog box to specify which interfaces will not send updates to their routing neighbors.

Navigation Path

Go to the OSPF Setup Dialog Box, page K-266, then click the Edit button in the Passive Interfaces field.

Related Topics

- OSPF Process Page - Setup Tab, page K-265
- Defining OSPF Process Settings, page 14-196

Field Reference

Table K-111 Edit Interfaces Dialog Box - OSPF Passive Interfaces

Interfaces: The interfaces that do not send updates to their routing neighbors. You can enter interfaces, interface roles, or both. For more information, see Specifying Interfaces During Policy Definition, page 8-118.

Select button: Opens an object selector for selecting interfaces and interface roles. Using the selector eliminates the need to manually enter this information. If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box, page F-419. From here you can define an interface role object.

OK button: Saves your changes and closes the dialog box. Your selections are displayed in the Passive Interfaces field of the OSPF Setup dialog box.

OSPF Process Page - Area Tab

Use the OSPF Area tab to create, edit, and delete the areas and networks contained in each OSPF process. This includes selecting the type of authentication used by each area.

Navigation Path

Go to the OSPF Process Policy Page, page K-264, then click the Area tab.

Related Topics

- Defining OSPF Area Settings, page 14-197
- OSPF Process Page - Setup Tab, page K-265
- OSPF Process Page - Redistribution Tab, page K-270
- OSPF Interface Policy Page, page K-256

Field Reference

Table K-112 OSPF Process Area Tab

Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

Area ID: The ID number of the area associated with the process.

Process ID: The process ID that identifies the OSPF routing process to other routers.

Networks: The networks included in the area.

Authentication: The authentication type used by the area: MD5, clear text, or none.

Add button: Opens the OSPF Area Dialog Box, page K-269. From here you can define an OSPF area.

Edit button: Opens the OSPF Area Dialog Box, page K-269. From here you can edit the selected OSPF area.

Delete button: Deletes the selected OSPF areas from the table.

Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

OSPF Area Dialog Box

Use the OSPF Area dialog box to add or edit the properties of an OSPF area. You should define at least one area for each OSPF process (see OSPF Setup Dialog Box, page K-266), but deployment will not fail if you do not.

Navigation Path

Go to the OSPF Process Page - Area Tab, page K-268, then click the Add or Edit button beneath the table.

Related Topics

- Defining OSPF Area Settings, page 14-197
- Supported IP Address Formats, page 8-128
- Understanding Network/Host Objects, page 8-127

Field Reference

Table K-113 OSPF Area Dialog Box

Process ID: The process ID associated with the OSPF area. The list contains the OSPF processes defined in the OSPF Process Page - Setup Tab, page K-265.

Area ID: The area ID number associated with the selected process. Valid values range from 0 to 4294967295.

Networks: The networks to add to the OSPF area. Enter one or more network addresses or network/host objects, or click Select to display an object selector. If the network you want is not listed, click the Create button in the selector to display the Network/Host Dialog Box, page F-433. From here you can define a network/host object.

Authentication: The type of authentication used for the area:
- MD5: (Recommended) Uses the MD5 hash algorithm for authentication.
- Clear Text: Uses clear text for authentication.
- None: No authentication is used.
Note: The authentication type must be the same for all routers and access servers in an area.

OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.

OSPF Process Page - Redistribution Tab

Use the OSPF Process Redistribution tab to create, edit, and delete OSPF redistribution mappings. This includes defining the maximum number of routes that can be redistributed into OSPF from other protocols or other OSPF processes.

Navigation Path

Go to the OSPF Process Policy Page, page K-264, then click the Redistribution tab.

Related Topics

- Redistributing Routes into OSPF, page 14-199
- OSPF Process Page - Setup Tab, page K-265
- OSPF Process Page - Area Tab, page K-268
- OSPF Interface Policy Page, page K-256

Field Reference

Table K-114 OSPF Process Redistribution Tab

OSPF Redistribution Mapping Table

Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

OSPF Process ID: The ID of the OSPF routing domain into which other routes are being redistributed.

Protocol: The protocol that is being redistributed.

AS/Process ID: The AS number or process ID of the route that is being redistributed.

Match: When redistributing an OSPF process, indicates the types of OSPF routes that are being redistributed.

Metric: The value that determines the priority of the redistributed route.

Metric Type: The external link type associated with the default route advertised into the OSPF routing domain.

Subnets: Indicates whether routes that are subnetted are also being redistributed.

Add button: Opens the OSPF Redistribution Mapping Dialog Box, page K-273. From here you can define OSPF redistribution mappings.

Edit button: Opens the OSPF Redistribution Mapping Dialog Box, page K-273. From here you can edit the selected OSPF redistribution mapping.

Delete button: Deletes the selected redistribution mappings from the table.

OSPF Max Prefix Mapping Table

Filter: Enables you to filter the information displayed in the table. For more information, see Filtering Tables, page 3-24.

OSPF Process ID: The ID of the OSPF routing domain for which a maximum prefix value has been defined.

Max Prefix: The maximum number of prefixes (routes) that may be redistributed to the selected OSPF process.

Threshold: The percentage of the maximum prefix value that acts as a threshold for triggering a warning message.

Action: Indicates whether redistribution to this OSPF process will stop when the maximum is reached, or whether only a warning is displayed.

Add button: Opens the OSPF Max Prefix Mapping Dialog Box, page K-275. From here you can define maximum prefix values for OSPF processes.

Edit button: Opens the OSPF Max Prefix Mapping Dialog Box, page K-275. From here you can edit the maximum prefix value defined for the selected OSPF process.

Delete button: Deletes the selected max prefix mappings from the table.

Save button: Saves your changes to the Security Manager server but keeps them private.
Note: To publish your changes, click the Submit icon on the toolbar.

Tip: To choose which columns to display in the table, right-click a column header, then select Show Columns. For more information about table display options, see Table Columns and Column Heading Features, page 3-26.

OSPF Redistribution Mapping Dialog Box

Use the OSPF Redistribution Mapping dialog box to add or edit the properties of an OSPF redistribution mapping.

Navigation Path

Go to the OSPF Process Page - Redistribution Tab, page K-270, then click the Add or Edit button beneath the Redistribution Mapping table.

Note: You must create at least one OSPF process before you can access the OSPF Redistribution dialog box. See OSPF Process Page - Setup Tab, page K-265.

Related Topics

- OSPF Max Prefix Mapping Dialog Box, page K-275
- Redistributing Routes into OSPF, page 14-199

Field Reference

Table K-115 OSPF Redistribution Mapping Dialog Box

Process ID: The OSPF process into which other routes are being redistributed. You must select a process ID number from the list of OSPF processes defined in the OSPF Process Page - Setup Tab, page K-265.

Protocol to Redistribute: The routing protocol that is being redistributed:
- Static: Redistributes static routes. You can define a single mapping for each route.
- EIGRP: Redistributes an EIGRP autonomous system. Enter the AS number in the displayed field. You can define a single mapping for each AS.
- BGP: Redistributes a BGP autonomous system. You can define a single BGP mapping on each device. If you configured a BGP AS in the BGP Setup tab, the AS number is displayed. Otherwise, a message is displayed indicating that no BGP AS was defined. See BGP Page - Redistribution Tab, page K-240.
- OSPF: Redistributes a different OSPF process. You can define a single mapping for each process. Select a process from the displayed list, then select one or more match criteria:
  - Internal: Routes that are internal to a specific AS.
  - External1: Routes that are external to the AS and imported into OSPF as a Type 1 external route.
  - External2: Routes that are external to the AS and imported into the selected process as a Type 2 external route.
  - NSSA External1: Not-So-Stubby Area (NSSA) routes that are external to the AS and imported into the selected process as Type 1 external routes.
  - NSSA External2: NSSA routes that are external to the AS and imported into the selected process as Type 2 external routes.
- RIP: Redistributes RIP routes. You can define a single mapping for each route.
- Connected: Redistributes routes that are established automatically by virtue of having enabled IP on an interface. These routes are redistributed as external to the AS.

Default Metric: A value representing the cost of the redistributed route.

Metric Type: The external link type that is associated with the route being redistributed into the OSPF routing domain:
- 1: Type 1 external route. The metric is the sum of the external redistributed cost and the internal OSPF cost.
- 2: Type 2 external route. The metric is equal to the external redistributed cost, as defined in the Metric field. This is the default.

Limit to Subnets: When selected, only subnetted routes are redistributed. When deselected, subnetted routes are not redistributed.

OK button: Saves your changes locally on the client and closes the dialog box.
Note: To save your changes to the Security Manager server so that they are not lost when you log out or close your client, click Save on the source page.
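The Metric Type choice in Table K-115 decides whether the distance to the redistributing router counts. The following Python is an added example, not code from Security Manager or this guide: it computes the metric a router inside the OSPF domain sees for one prefix redistributed by two ASBRs, once as Type 1 and once as Type 2, using the two definitions above. The preference order in best_route (Type 1 over Type 2, then the lower metric, then the lower internal cost to the ASBR) is standard OSPF behaviour assumed here and is not stated on this page; all names are assumptions.

```python
"""Type 1 versus Type 2 external metrics.

Added example; not code from the Security Manager product or this guide.
Computes the metric a router inside the OSPF domain sees for a redistributed
route under the two Metric Type settings in the dialog box: Type 1 adds the
internal OSPF cost to the ASBR to the redistributed cost, Type 2 uses the
redistributed cost alone. The preference order used by best_route (Type 1
preferred over Type 2, ties broken by the lower internal cost) is standard
OSPF behaviour and an assumption beyond what this page states.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class ExternalRoute:
    asbr: str             # the router that redistributed the prefix
    default_metric: int   # the "Default Metric" field of the redistribution mapping
    metric_type: int      # 1 or 2, the "Metric Type" field (2 is the default)
    internal_cost: int    # OSPF cost from the evaluating router to the ASBR


def effective_metric(r: ExternalRoute) -> int:
    """Metric as seen by the evaluating router, per the Metric Type definitions."""
    if r.metric_type == 1:
        return r.default_metric + r.internal_cost
    if r.metric_type == 2:
        return r.default_metric
    raise ValueError(f"metric type must be 1 or 2, got {r.metric_type}")


def metric_table(candidates: Iterable[ExternalRoute]) -> Dict[str, int]:
    """Map each ASBR to the metric the evaluating router computes for its route."""
    return {r.asbr: effective_metric(r) for r in candidates}


def best_route(candidates: Iterable[ExternalRoute]) -> ExternalRoute:
    """Pick the candidate the evaluating router installs for the prefix."""
    # Assumption (RFC 2328 preference, not on this page): Type 1 beats Type 2,
    # then the lower effective metric, then the lower internal cost to the ASBR.
    return min(candidates, key=lambda r: (r.metric_type, effective_metric(r), r.internal_cost))


if __name__ == "__main__":
    # Constructed sample: the same prefix redistributed by two ASBRs with the
    # same Default Metric of 20; only the OSPF distance to each ASBR differs.
    type1 = [ExternalRoute("asbr-near", 20, 1, 5), ExternalRoute("asbr-far", 20, 1, 50)]
    type2 = [ExternalRoute("asbr-near", 20, 2, 5), ExternalRoute("asbr-far", 20, 2, 50)]
    print("type 1:", metric_table(type1), "->", best_route(type1).asbr)
    print("type 2:", metric_table(type2), "->", best_route(type2).asbr)
```

With Type 1 the metrics differ (25 versus 70) and every router in the domain sees the nearer ASBR as cheaper; with Type 2 both show 20, so the Default Metric alone cannot steer traffic and the tie-break on internal cost decides. That is why Type 2, the default, suits a single exit point and Type 1 suits several ASBRs redistributing the same prefixes.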

OSPF Max Prefix Mapping Dialog Box

Use the OSPF Max Prefix Mapping dialog box to add or edit the maximum number
of routes that can be redistributed into an OSPF process.

Navigation Path

Go to the OSPF Process Page - Redistribution Tab, page K-270, then click the
Add or Edit button beneath the Prefix Mapping table.

Related Topics

- OSPF Redistribution Mapping Dialog Box, page K-273
- Redistributing Routes into OSPF, page 14-199

Field Reference

Table K-116  OSPF Max Prefix Mapping Dialog Box

Process ID
    The OSPF process into which other routes are being redistributed. The list
    contains the OSPF processes defined in the OSPF Process Page - Setup Tab,
    page K-265.

Max Prefix
    The maximum number of prefixes (routes) that can be redistributed into the
    selected OSPF process. Limiting the number of redistributed routes helps
    prevent the router from being flooded by an excessive number of routes.


Threshold
    The percentage of the maximum prefix value that acts as a threshold for
    triggering warning messages. The default is 75%.
    Note: This warning is triggered whether or not the Warning-Only check box
    is selected.

When maximum routes reached
    The action to take when the maximum number of redistributed routes is
    reached:
    - Enforce Maximum Route: Prevents additional routes from being
      redistributed when the defined maximum prefix value is reached. This is
      the default.
    - Warning Only: Issues a warning when the maximum number of routes is
      reached, but does not prevent additional routes from being
      redistributed.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are
    not lost when you log out or close your client, click Save on the source
    page.
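The following Python script is an added example, not code from the Cisco guide or from Security Manager itself. It models how the Default Metric and Metric Type fields of the OSPF Redistribution Mapping dialog box and the Max Prefix, Threshold and "When maximum routes reached" fields of the OSPF Max Prefix Mapping dialog box shape a router's behaviour, so that the Type 1 versus Type 2 difference and the 75% warning can be seen on constructed input. The class and function names (RedistributionMapping, MaxPrefixMapping, PrefixLimiter, external_metric, run_limiter) and the sample prefixes are assumptions made for illustration, not Security Manager or IOS identifiers.

```python
"""Added example (not part of the Cisco Security Manager guide): a small model of
how the fields in the OSPF Redistribution Mapping and OSPF Max Prefix Mapping
dialog boxes shape what a router does. Class and function names are assumptions
chosen for illustration, not Security Manager or IOS identifiers."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RedistributionMapping:
    """Metric-related fields of the OSPF Redistribution Mapping dialog box."""
    default_metric: int      # cost assigned to each redistributed route
    metric_type: int = 2     # 1 = Type 1 external, 2 = Type 2 external (default)


@dataclass
class MaxPrefixMapping:
    """Fields of the OSPF Max Prefix Mapping dialog box."""
    max_prefix: int
    threshold_pct: int = 75     # warning threshold as a percentage of max_prefix
    warning_only: bool = False  # False = Enforce Maximum Route (the default)


def external_metric(mapping: RedistributionMapping, internal_cost: int) -> int:
    """Metric a router in the OSPF domain sees for a redistributed route.

    Type 1 adds the internal OSPF path cost to the redistributed cost, so the
    metric grows with distance from the redistributing router; Type 2 uses the
    redistributed cost alone, so every router sees the same value.
    """
    if mapping.metric_type == 1:
        return mapping.default_metric + internal_cost
    if mapping.metric_type == 2:
        return mapping.default_metric
    raise ValueError("metric_type must be 1 or 2")


@dataclass
class PrefixLimiter:
    """Applies a MaxPrefixMapping to a stream of prefixes being redistributed."""
    limit: MaxPrefixMapping
    accepted: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    def redistribute(self, prefix: str) -> bool:
        """Offer one prefix for redistribution; return True if it is accepted."""
        lim = self.limit
        threshold = lim.max_prefix * lim.threshold_pct // 100
        if len(self.accepted) >= lim.max_prefix and not lim.warning_only:
            # Enforce Maximum Route: nothing beyond the maximum is redistributed.
            self.warnings.append(
                f"maximum of {lim.max_prefix} reached: {prefix} not redistributed")
            return False
        self.accepted.append(prefix)
        n = len(self.accepted)
        # The threshold warning fires whether or not Warning Only is selected.
        if n == threshold:
            self.warnings.append(
                f"{n} routes redistributed: {lim.threshold_pct}% threshold reached")
        elif n == lim.max_prefix:
            self.warnings.append(f"{n} routes redistributed: maximum reached")
        elif n > lim.max_prefix:  # only possible under Warning Only
            self.warnings.append(
                f"{n} routes redistributed: maximum of {lim.max_prefix} exceeded")
        return True


def run_limiter(limit: MaxPrefixMapping, prefixes: list[str]) -> tuple[int, int]:
    """Feed prefixes through a limiter; return (accepted count, warning count)."""
    limiter = PrefixLimiter(limit)
    for prefix in prefixes:
        limiter.redistribute(prefix)
    return len(limiter.accepted), len(limiter.warnings)


if __name__ == "__main__":
    # Two paths to the same external prefix, 10 and 30 OSPF cost away from the
    # redistributing router: Type 1 prefers the nearer path, Type 2 sees a tie.
    for mtype in (1, 2):
        m = RedistributionMapping(default_metric=20, metric_type=mtype)
        print(f"type {mtype}: near={external_metric(m, 10)} far={external_metric(m, 30)}")
    # Constructed sample prefixes: six offered against a maximum of four.
    sample = [f"10.{i}.0.0/16" for i in range(1, 7)]
    print("enforce:", run_limiter(MaxPrefixMapping(max_prefix=4), sample))
    print("warning only:", run_limiter(MaxPrefixMapping(max_prefix=4, warning_only=True), sample))
```

With a maximum of four and the default 75% threshold, both modes warn at the third and fourth prefix; Enforce Maximum Route then refuses the fifth and sixth, while Warning Only accepts them and keeps warning.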

RIP Routing Policy Page

RIP is a distance-vector routing protocol that uses hop count as the metric for
path selection. Security Manager supports RIP version 2 only, which includes
support for neighbor authentication when routing updates are exchanged.

You can configure RIP routing policies from the following tabs on the RIP
Routing page:

- RIP Page - Setup Tab, page K-277
- RIP Page - Authentication Tab, page K-279
- RIP Page - Redistribution Tab, page K-282

For more information, see RIP Routing on Cisco IOS Routers, page 14-212.


Navigation Path

- (Device view) Select Platform > Routing > RIP from the Policy selector.
- (Policy view) Select Router Platform > Routing > RIP from the Policy Type
  selector. Right-click RIP to create a policy, or select an existing policy
  from the Shared Policy selector.

Related Topics

- Router Platform User Interface Reference, page K-1

RIP Page - Setup Tab

Use the RIP Setup tab to create, edit, and delete RIP routes.

Navigation Path

Go to the RIP Routing Policy Page, page K-276, then click the Setup tab.

Related Topics

- Defining RIP Setup Parameters, page 14-213
- RIP Page - Authentication Tab, page K-279
- RIP Page - Redistribution Tab, page K-282
- Supported IP Address Formats, page 8-128
- Understanding Network/Host Objects, page 8-127


Field Reference

Table K-117  RIP Setup Tab

Networks
    The directly connected networks associated with the RIP route. Enter one
    or more network addresses or network/host objects, or click Select to
    display an object selector.
    If the network you want is not listed, click the Create button in the
    selector to display the Network/Host Dialog Box, page F-433. From here,
    you can define a network/host object.

Passive Interfaces
    The interfaces that do not send updates to their routing neighbors. Click
    Edit to display the Edit Interfaces Dialog Box - RIP Passive Interfaces,
    page K-278. From here you can define these interfaces.

Auto-Summary
    When selected, enables the automatic summarization of subnet routes into
    network-level routes. Summarization reduces the size of routing tables,
    thereby reducing the complexity of the network. This feature is enabled
    by default.
    When deselected, automatic summarization is disabled.
    Note: Disable automatic summarization when performing routing between
    disconnected subnets. When this feature is disabled, subnets are
    advertised.

Save button
    Saves your changes to the Security Manager server but keeps them private.
    Note: To publish your changes, click the Submit button on the toolbar.

Edit Interfaces Dialog Box - RIP Passive Interfaces

When you configure a RIP routing policy on a Cisco IOS router, use the Edit
Interfaces dialog box to specify which interfaces will not send updates to
their routing neighbors.

Navigation Path

Go to the RIP Page - Setup Tab, page K-277, then click the Edit button in the
Passive Interfaces field.


Related Topics

- Defining RIP Setup Parameters, page 14-213

Field Reference

Table K-118  Edit Interfaces Dialog Box - RIP Passive Interfaces

Interfaces
    The interfaces that do not send updates to their routing neighbors. You
    can enter interfaces, interface roles, or both.
    For more information, see Specifying Interfaces During Policy Definition,
    page 8-118.

Select button
    Opens an object selector for selecting interfaces and interface roles.
    Using the selector eliminates the need to manually enter this information.
    If the interface role you want is not listed, click the Create button in
    the selector to display the Interface Role Dialog Box, page F-419. From
    here you can define an interface role object.

OK button
    Saves your changes and closes the dialog box. Your selections are
    displayed in the Passive Interfaces field of the RIP Setup tab.

RIP Page - Authentication Tab

Use the RIP Authentication tab to view, create, edit, and delete the neighbor
authentication settings of RIP interfaces.

Navigation Path

Go to the RIP Routing Policy Page, page K-276, then click the Authentication
tab.

Related Topics

- Defining RIP Interface Authentication Settings, page 14-214
- RIP Page - Setup Tab, page K-277
- RIP Page - Redistribution Tab, page K-282
- RIP Routing Policy Page, page K-276


Field Reference

Table K-119  RIP Authentication Tab

Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.

Interfaces
    The name of an interface (as defined by an interface role) on which RIP
    is enabled.

Authentication
    The type of RIP neighbor authentication that is enabled for the selected
    interface role: clear text or MD5.

Key ID
    The identification number of the authentication key used for MD5
    authentication.

Add button
    Opens the RIP Authentication Dialog Box, page K-280. From here you can
    define authentication for an additional RIP interface.

Edit button
    Opens the RIP Authentication Dialog Box, page K-280. From here you can
    edit the authentication properties of the selected RIP interface.

Delete button
    Deletes the selected authentication definitions from the table.

Tip: To choose which columns to display in the table, right-click a column
header, then select Show Columns. For more information about table display
options, see Table Columns and Column Heading Features, page 3-26.

RIP Authentication Dialog Box

Use the RIP Authentication dialog box to add or edit the neighbor
authentication properties of RIP interfaces.

Navigation Path

Go to the RIP Page - Authentication Tab, page K-279, then click the Add or
Edit button beneath the table.


Related Topics

- Defining RIP Interface Authentication Settings, page 14-214

Field Reference

Table K-120  RIP Authentication Dialog Box

Interface
    The interface for which you want to define authentication properties.
    Enter the name of an interface or interface role, or click Select to
    display an object selector.
    If the interface role you want is not listed, click the Create button in
    the selector to display the Interface Role Dialog Box, page F-419. From
    here you can define an interface role object.
    Note: You cannot specify two different authentication configurations for
    the same interface.

Authentication
    The type of authentication to apply to the interface:
    - MD5 (Recommended): Uses the MD5 hash algorithm for authentication.
    - Clear Text: Uses clear text for authentication.
    Note: Use plain text authentication only when security is not an issue,
    for example, to ensure that misconfigured hosts do not participate in
    routing.

Key ID
    Available only when MD5 is selected as the authentication type.
    The identification number of the authentication key. This number must be
    shared with all other devices sending updates to, and receiving updates
    from, the selected device. Valid values range from 0 to 2147483647.


Key
    The shared key used for authentication (MD5 or clear text). This key must
    be shared with all other devices sending updates to, and receiving updates
    from, the selected device.
    The key can contain up to 80 alphanumeric characters; the first character
    cannot be a number. Spaces are allowed. Enter the key again in the Confirm
    field.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are
    not lost when you log out or close your client, click Save on the source
    page.

RIP Page - Redistribution Tab

Use the RIP Redistribution tab to view, create, edit, and delete
redistribution settings when performing redistribution into a RIP routing
domain.

Note: You must define RIP setup parameters before you can access the RIP
Redistribution tab. See RIP Page - Setup Tab, page K-277.

Navigation Path

Go to the RIP Routing Policy Page, page K-276, then click the Redistribution
tab.

Related Topics

- Redistributing Routes into RIP, page 14-216
- RIP Page - Authentication Tab, page K-279


Field Reference

Table K-121  RIP Redistribution Tab

Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.

Protocol
    The protocol that is being redistributed.

AS/Process ID
    The autonomous system (AS) number or process ID of the route being
    redistributed.

Metric
    The value that determines the priority of the redistributed route.

Match
    When redistributing an OSPF process, indicates which types of OSPF routes
    are being redistributed.

Add button
    Opens the RIP Redistribution Mapping Dialog Box, page K-283. From here you
    can define a RIP redistribution mapping.

Edit button
    Opens the RIP Redistribution Mapping Dialog Box, page K-283. From here you
    can edit the selected RIP redistribution mapping.

Delete button
    Deletes the selected redistribution mappings from the table.

RIP Redistribution Mapping Dialog Box

Use the RIP Redistribution Mapping dialog box to add or edit the properties of
a RIP redistribution mapping.

Navigation Path

Go to the RIP Page - Redistribution Tab, page K-282, then click the Add or
Edit button beneath the table.

Related Topics

- Redistributing Routes into RIP, page 14-216


Field Reference

Table K-122  RIP Redistribution Mapping Dialog Box

Protocol to Redistribute
    The routing protocol that is being redistributed:
    - Static: Redistributes static routes. You can define a single mapping
      for each route.
    - EIGRP: Redistributes an EIGRP autonomous system. Enter the AS number in
      the displayed field. You can define a single mapping for each AS.
    - BGP: Redistributes a BGP autonomous system. You can define a single BGP
      mapping on each device. If you configured a BGP AS in the BGP Setup tab,
      the AS number is displayed. Otherwise, a message is displayed indicating
      that no BGP AS was defined. See BGP Page - Redistribution Tab,
      page K-240.
    - OSPF: Redistributes a different OSPF process. You can define a single
      mapping for each process. Select a process from the displayed list, then
      select one or more match criteria:
      - Internal: Routes that are internal to a specific AS.
      - External1: Routes that are external to the AS and imported into OSPF
        as a Type 1 external route.
      - External2: Routes that are external to the AS and imported into the
        selected process as a Type 2 external route.
      - NSSA External1: Not-So-Stubby Area (NSSA) routes that are external to
        the AS and imported into the selected process as Type 1 external
        routes.
      - NSSA External2: NSSA routes that are external to the AS and imported
        into the selected process as Type 2 external routes.
    - Connected: Redistributes routes that are established automatically by
      virtue of having enabled IP on an interface. These routes are
      redistributed as external to the AS.


Default Metric
    Establishes a default value for the redistributed route. Valid values
    range from 0 to 16.

Transparent Metric
    When selected, maintains the original metric of the route being
    redistributed. When deselected, the value specified in the Metric field
    is used.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are
    not lost when you log out or close your client, click Save on the source
    page.

Static Routing Policy Page

Use the Static Routing page to create, edit, and delete static routes. For
more information, see Defining Static Routes, page 14-218.

Navigation Path

- (Device view) Select Platform > Routing > Static Routing from the Policy
  selector.
- (Policy view) Select Router Platform > Routing > Static Routing from the
  Policy Type selector. Right-click Static Routing to create a policy, or
  select an existing policy from the Shared Policy selector.

Related Topics

- Static Routing on Cisco IOS Routers, page 14-217
- Router Platform User Interface Reference, page K-1


Field Reference

Table K-123  Static Routing Page

Filter
    Enables you to filter the information displayed in the table. For more
    information, see Filtering Tables, page 3-24.

Prefix
    The destination IP address of the static route.

Prefix Mask
    The net mask of the selected IP address.

Default Route
    Indicates whether the static route is the default route for unknown
    packets being forwarded by this router.

Interface or IP Address
    The IP address or the interface name associated with the gateway router
    that is the next hop address for this router.

Distance
    The number of hops from the gateway IP to the destination. The metric
    determines the priority of this route. The fewer the hops, the higher the
    priority assigned to the route, based on lower costs. When two routing
    entries specify the same network, the entry with the lower metric (that
    is, the higher priority) is selected.

Permanent Route
    Indicates whether the static route is defined as a permanent route, which
    means that it will not be removed even if the interface is shut down or if
    the router is unable to communicate with the next router.

Add button
    Opens the Static Routing Dialog Box, page K-287. From here you can create
    a static route.

Edit button
    Opens the Static Routing Dialog Box, page K-287. From here you can edit
    the selected static route.

Delete button
    Deletes the selected static routes from the table.

Save button
    Saves your changes to the Security Manager server but keeps them private.
    Note: To publish your changes, click the Submit icon on the toolbar.


Tip: To choose which columns to display in the table, right-click a column
header, then select Show Columns. For more information about table display
options, see Table Columns and Column Heading Features, page 3-26.

Static Routing Dialog Box

Use the Static Routing dialog box to add or edit static routes.

Navigation Path

Go to the Static Routing Policy Page, page K-285, then click the Add or Edit
button beneath the table.

Related Topics

- Defining Static Routes, page 14-218
- Static Routing on Cisco IOS Routers, page 14-217

Field Reference

Table K-124  Static Routing Dialog Box

Destination Network
    Address information for the destination network defined by this static
    route.
    - Use as Default Route: When selected, makes this the default route on
      this router. A default route is used when the route from a source to a
      destination is unknown or when it is not feasible for the router to
      maintain many routes in its routing table. All unknown outbound packets
      are forwarded over the default route.
      When deselected, this static route is not the default route.
    - Prefix: The IP address of the destination network. Enter an IP address
      or the name of a network/host object, or click Select to display an
      object selector.
      The prefix must be a class A, B, or C network or host IP. A host IP can
      begin with 0 unless it contains a discontiguous mask. All subnet
      addresses are valid.
      If the network you want is not listed, click the Create button in the
      selector to display the Network/Host Dialog Box, page F-433. From here
      you can define a network/host object.

Forwarding (Next Hop)
    The method of forwarding data to the destination network:
    - Forwarding Interface: The router interface that forwards packets to the
      remote network. Enter the name of an interface or interface role, or
      click Select to display an object selector.
      If the interface role you want is not listed, click the Create button in
      the selector to display the Interface Role Dialog Box, page F-419. From
      here, you can define an interface role object.
    - Forwarding IP: The IP address of the next hop router that receives and
      forwards packets to the remote network. Enter an IP address or the name
      of a network/host object, or click Select to display an object selector.
      If the network you want is not listed, click the Create button in the
      selector to display the Network/Host Dialog Box, page F-433. From here
      you can define a network/host object.


Distance Metric
    The number of hops to the destination network (gateway IP). The default
    is 1 if no value is specified. The range is from 1 to 255.
    This metric (also known as administrative distance) is a measurement of
    route expense based on the number of hops to the network on which a
    specified host resides. This hop count includes all the networks a packet
    must traverse, including the destination network. Therefore, all directly
    connected networks have a metric of 1.
    Because the metric is based on expense, it is used to identify the
    priority of the static route. If two routing entries specify the same
    network, the route with the lower metric value (that is, the lower cost)
    is given a higher priority and is selected.
    Note: Under certain circumstances, it is useful to assign a static route a
    lower priority (larger distance metric) than a dynamic route. This enables
    the static route to act as a backup (floating) route when the dynamic
    route is unavailable.

Permanent route
    When selected, prevents this static route entry from being deleted, even
    in cases where the interface is shut down or the router cannot communicate
    with the next router.
    When deselected, this static route can be deleted.

OK button
    Saves your changes locally on the client and closes the dialog box.
    Note: To save your changes to the Security Manager server so that they are
    not lost when you log out or close your client, click Save on the source
    page.
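The following Python script is an added example, not code from the Cisco guide or from Security Manager. It shows the route-selection behaviour that the Distance field of the Static Routing page and the Distance Metric and Permanent route fields of this dialog box rely on: among routes to the same prefix the lowest distance wins, a static route with a large distance floats in as a backup once the dynamic route is withdrawn, and a permanent static route survives its interface going down. The class and function names (Route, RoutingTable, build_sample_table, next_hop_for) and the sample routes, addresses and interface names are assumptions constructed for illustration.

```python
"""Added example (not part of the Cisco Security Manager guide): how a router
picks between routes to the same destination by distance, and how a static
route with a large distance "floats" in as a backup when the dynamic route goes
away. Names and the sample routes are assumptions constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str            # forwarding IP or forwarding interface name
    distance: int = 1        # 1..255, as in the Distance Metric field
    source: str = "static"   # "static", "connected", or a dynamic protocol
    permanent: bool = False  # the Permanent route check box

    def __post_init__(self) -> None:
        if not 1 <= self.distance <= 255:
            raise ValueError("distance must be between 1 and 255")


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, destination: str) -> Route | None:
        """Longest-prefix match; among equal prefixes the lowest distance wins."""
        addr = IPv4Address(destination)
        matching = [r for r in self.routes if addr in r.prefix]
        if not matching:
            return None
        longest = max(r.prefix.prefixlen for r in matching)
        return min((r for r in matching if r.prefix.prefixlen == longest),
                   key=lambda r: r.distance)

    def withdraw(self, source: str) -> None:
        """Drop every route learned from a dynamic source (neighbor lost)."""
        self.routes = [r for r in self.routes if r.source != source]

    def interface_down(self, interface: str) -> None:
        """Static routes via a down interface are removed unless permanent."""
        self.routes = [r for r in self.routes
                       if r.next_hop != interface or r.permanent]


def build_sample_table() -> RoutingTable:
    """Constructed sample: a dynamic route, a floating static backup for the
    same prefix, and a default route out of an interface."""
    t = RoutingTable()
    t.add(Route(IPv4Network("10.20.0.0/16"), "192.168.1.2", distance=110, source="ospf"))
    t.add(Route(IPv4Network("10.20.0.0/16"), "192.168.2.2", distance=250))  # floating static
    t.add(Route(IPv4Network("0.0.0.0/0"), "GigabitEthernet0/1", distance=1))
    return t


def next_hop_for(table: RoutingTable, destination: str) -> str | None:
    """Next hop the table would use for a destination, or None if unroutable."""
    r = table.lookup(destination)
    return r.next_hop if r else None


if __name__ == "__main__":
    t = build_sample_table()
    print("normal:", next_hop_for(t, "10.20.5.1"))        # 192.168.1.2 (distance 110)
    t.withdraw("ospf")
    print("OSPF lost:", next_hop_for(t, "10.20.5.1"))     # 192.168.2.2 (floating static)
    print("unknown:", next_hop_for(t, "203.0.113.7"))     # GigabitEthernet0/1 (default)
    t.interface_down("GigabitEthernet0/1")
    print("no default:", next_hop_for(t, "203.0.113.7"))  # None
```

The floating static route is only ever chosen when nothing with a smaller distance covers the prefix, which is exactly the backup behaviour the note above describes; marking a route permanent changes only whether it is removed on interface loss, not its preference.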


APPENDIX L

PIX/ASA/FWSM Platform User Interface Reference

The following topics describe the pages available for configuring policies for
PIX Firewalls, Firewall Services Modules, and Adaptive Security Appliances.
These pages are primarily organized under the Platform folder for firewall
devices in Device view and under the PIX/ASA/FWSM Platform folder for shared
policies in Policy view. The pages available in Cisco Security Manager for
configuring and managing platform-specific policies on PIX/ASA/FWSM devices are
discussed in the following topics:

- NAT Policies, page L-5
  - Address Pools Page, page L-5
  - Translation Options Page, page L-7
  - Translation Rules Page, page L-8
    - Translation Exemptions (NAT 0 ACL) Tab, page L-9
    - Dynamic Rules Tab, page L-11
    - Policy Dynamic Rules Tab, page L-13
    - Static Rules Tab, page L-16
    - General Tab, page L-19
- Interfaces
  - Interfaces Page, page L-31
  - FWSM Interfaces Page, page L-50


  - ASA 5505 Ports and Interfaces Page, page L-59
- Bridging, page L-65
  - ARP Table Page, page L-66
  - ARP Inspection Page, page L-69
  - MAC Address Table Page, page L-71
  - MAC Learning Page, page L-73
  - Management IP Page, page L-75
- Device Admin Policies
  - AAA Page, page L-75
    - Authentication Tab, page L-76
    - Authorization Tab, page L-78
    - Accounting Tab, page L-79
  - Banner Page, page L-81
  - Boot Image/Configuration Page, page L-83
  - Clock Page, page L-86
  - Credentials Page, page L-88
  - CPU Threshold Page, page L-89
  - Device Access, page L-90
    - Console Page, page L-91
    - HTTP Page, page L-92
    - ICMP Page, page L-94
    - Management Access Page, page L-96
    - Secure Shell Page, page L-97
    - SNMP Page, page L-99
    - Telnet Page, page L-104
  - Failover Policies, page L-106
  - Hostname Page, page L-128
  - Resources Page, page L-129


  - Server Access, page L-134
    - AUS Page, page L-135
    - DHCP Relay Page, page L-137
    - DHCP Server Page, page L-140
    - DNS Page, page L-144
    - DDNS Page, page L-148
    - NTP Page, page L-149
    - SMTP Server Page, page L-152
    - TFTP Server Page, page L-153
  - User Accounts Page, page L-154
- Logging Policies, page L-156
  - E-Mail Setup Page, page L-157
  - Event Lists Page, page L-158
  - Logging Filters Page, page L-163
  - Logging Setup Page, page L-166
  - Rate Limit Page, page L-168
  - Server Setup Page, page L-171
  - Syslog Servers Page, page L-175
- Multicast Policies, page L-178
  - Enable Multicast Routing Page, page L-178
  - IGMP Page, page L-179
    - Protocol Tab, page L-180
    - Access Group Tab, page L-183
    - Static Group Tab, page L-184
    - Join Group Tab, page L-186
  - Multicast Routing Page, page L-187
  - PIM Page, page L-189
    - Protocol Tab, page L-190


    - Rendezvous Points Tab, page L-192
    - Route Tree Tab, page L-196
    - Request Filter Tab, page L-198
- Routing Policies, page L-200
  - No Proxy ARP Page, page L-201
  - OSPF Page, page L-203
    - General Tab, page L-203
    - Area Tab, page L-208
    - Range Tab, page L-212
    - Neighbors Tab, page L-215
    - Redistribution Tab, page L-217
    - Virtual Link Tab, page L-220
    - Filtering Tab, page L-225
    - Summary Address Tab, page L-228
    - Interface Tab, page L-231
  - RIP Page, page L-237
  - Static Route Page, page L-240
- Security Policies, page L-244
  - General Page, page L-245
  - Timeouts Page, page L-248
- Service Policy Rules, page L-250
  - Priority Queues Page, page L-250
  - IPS, QoS, and Connection Rules Page, page L-253
- User Preferences, page L-264
  - Deployment Page, page L-264


- Security Contexts Page, page L-265

NAT Policies

The NAT section consists of the following pages:

- Address Pools Page, page L-5
- Translation Options Page, page L-7
- Translation Rules Page, page L-8
  - Translation Exemptions (NAT 0 ACL) Tab, page L-9
  - Dynamic Rules Tab, page L-11
  - Policy Dynamic Rules Tab, page L-13
  - Static Rules Tab, page L-16
  - General Tab, page L-19

Address Pools Page

Use the Address Pools page to view, define, or delete global address pools
used in dynamic NAT rules.

Navigation Path

- (Device view) Select NAT > Address Pools from the Device Policy selector.
- (Policy view) Select NAT (PIX) > Address Pools from the Policy Type
  selector. Right-click Address Pools to create a policy, or select an
  existing policy from the Shared Policy selector.

Related Topics

- NAT Policies, page L-5


Field Reference

Table L-1  Address Pools Page

Global Address Pools table

Interface
    Displays the name of the firewall device interface to which the address
    pool applies.

ID
    Displays the identification number of the address pool.

IP Address(es)
    Displays the type and value of the addresses for the pool.

Description
    Displays the description of the address pool.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the toolbar.

Address Pool Dialog Box

Use the Address Pools dialog box to define new or edit existing global address
pools used in dynamic NAT rules.

Navigation Path

You can access the Address Pools dialog box from the Address Pools page. For
more information about the Address Pools page, see Address Pools Page,
page L-5.

Related Topics

- NAT Policies, page L-5
- Address Pools Page, page L-5


Field Reference

Table L-2  Address Pools Dialog Box

Interface Name
    Enter the name of the firewall device interface to which the address pool
    applies.

Pool ID
    Enter the identification number of the address pool. When configuring
    dynamic NAT, you select the pool ID that represents the addresses you want
    to use for translation.

IP address ranges
    Enter the addresses to be used for this address pool. You can specify the
    addresses to use for this pool in the following ways:
    - Address range (for example, 192.168.1.1-192.168.1.15)
    - Subnetwork (for example, 192.168.1.0/24)
    - List of addresses separated by a comma (for example, 192.168.1.1,
      192.168.1.2, 192.168.1.3)
    - Single address to use for PAT (192.168.1.1)
    - Combination of the above (192.168.1.1-192.168.1.15, 192.168.1.25)

Description
    Enter a description for the address pool.

Enable Interface PAT
    When selected, enables port address translation on the specified
    interface.
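The following Python script is an added example, not code from the Cisco guide or from Security Manager. It parses the five notations the IP address ranges field accepts (range, subnetwork, comma-separated list, single PAT address, and combinations) into address blocks, reports how many addresses a pool holds and whether it is a single-address PAT pool, and flags pools whose address sets overlap, a check worth running over a set of pool definitions before they are deployed. The function names (parse_pool, pool_size, is_pat_pool, overlapping_pools) and the sample pools are assumptions constructed for illustration.

```python
"""Added example (not part of the Cisco Security Manager guide): a parser for the
address-pool notations accepted by the IP address ranges field, plus two checks
worth running before deploying pools. Function names are assumptions."""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def parse_pool(spec: str) -> list[IPv4Network]:
    """Expand a pool specification into IPv4 networks.

    Comma-separated items may be an inclusive range (a.b.c.d-e.f.g.h), a
    subnetwork (a.b.c.d/n), or a single address; any combination is allowed.
    """
    nets: list[IPv4Network] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = IPv4Address(lo_s.strip()), IPv4Address(hi_s.strip())
            if hi < lo:
                raise ValueError(f"range end precedes start: {item}")
            # summarize_address_range turns an arbitrary range into CIDR blocks
            nets.extend(summarize_address_range(lo, hi))
        elif "/" in item:
            nets.append(IPv4Network(item, strict=False))
        else:
            nets.append(IPv4Network(f"{item}/32"))
    return nets


def pool_size(spec: str) -> int:
    """Number of addresses the pool can hand out."""
    return sum(n.num_addresses for n in parse_pool(spec))


def is_pat_pool(spec: str) -> bool:
    """A pool holding exactly one address is used for PAT."""
    return pool_size(spec) == 1


def overlapping_pools(pools: dict[int, str]) -> list[tuple[int, int]]:
    """Return sorted pairs of pool IDs whose address sets overlap."""
    parsed = {pool_id: parse_pool(spec) for pool_id, spec in pools.items()}
    ids = sorted(parsed)
    found: list[tuple[int, int]] = []
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if any(x.overlaps(y) for x in parsed[a] for y in parsed[b]):
                found.append((a, b))
    return found


if __name__ == "__main__":
    # Constructed sample pools in the notations the field accepts.
    sample = {
        1: "192.168.1.1-192.168.1.15",
        2: "192.168.1.0/24",
        3: "192.168.1.1, 192.168.1.2, 192.168.1.3",
        4: "192.168.1.25",
        5: "192.168.1.1-192.168.1.15, 192.168.1.25",
    }
    for pool_id, spec in sample.items():
        kind = "PAT" if is_pat_pool(spec) else "dynamic"
        print(f"pool {pool_id}: {pool_size(spec)} address(es), {kind}: {spec}")
    print("overlapping pools:", overlapping_pools(sample))
```

Ranges that do not fall on CIDR boundaries (such as .1 through .15) are split into several blocks, which is why sizes are summed over the parsed list rather than read off a single network.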

Translation Options Page

Use the Translation Options page to configure settings that affect network
address translation for a security appliance. These settings apply to all
interfaces on the device.

Navigation Path

- (Device view) Select NAT > Translation Options from the Device Policy
  selector.
- (Policy view) Select NAT (PIX) > Translation Options from the Policy Type
  selector. Right-click Translation Options to create a policy, or select an
  existing policy from the Shared Policy selector.

Related Topics

- NAT Policies, page L-5

Field Reference

Table L-3  Translation Options Page

Enable traffic through the firewall without address translation
    When selected, allows traffic to pass through the security appliance
    without address translation. If this option is not selected, any traffic
    that does not match a translation rule will be dropped.
    Note: This option is only available on PIX 7.x, FWSM 3.x, and ASA
    devices.

Do not translate VPN traffic
    When selected, allows VPN traffic to pass through the security appliance
    without address translation.

Translation Rules Page

Use the Translation Rules page to define your address translation rules. The
Translation Rules page consists of the following tabs:

- Translation Exemptions (NAT 0 ACL) Tab, page L-9
- Dynamic Rules Tab, page L-11
- Policy Dynamic Rules Tab, page L-13
- Static Rules Tab, page L-16
- General Tab, page L-19

Navigation Path

- (Device view) Select NAT > Translation Rules from the Device Policy
  selector.
- (Policy view) Select NAT (PIX) > Translation Rules from the Policy Type
  selector. Right-click Translation Rules to create a policy, or select an
  existing policy from the Shared Policy selector.


Translation Exemptions (NAT 0 ACL) Tab

Use the Translation Exemptions (NAT 0 ACL) tab to specify traffic that is
exempt from address translation.

Note: Translation exemptions are only supported by PIX/ASA/FWSM devices in
router mode and FWSM 3.2 devices in transparent mode. Other devices in
transparent mode support only static translation rules.

Navigation Path

You can access the Translation Exemptions (NAT 0 ACL) tab from the Translation
Rules page. For more information about the Translation Rules page, see
Translation Rules Page, page L-8.

Related Topics

- NAT Policies, page L-5
- Translation Rules Page, page L-8
- Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page L-22
- Advanced NAT Options Dialog Box, page L-28

Field Reference

Table L-4  Translation Exemptions (NAT 0 ACL) Tab

Filter
    Click the arrow to display the filtering bar, which enables you to filter
    the information displayed in the table. For more information, see
    Filtering Tables, page 3-24.

Default Translation Exemptions (NAT 0 ACL) Rules Table

Enabled
    Indicates whether a rule is enabled or not.

Action
    Displays whether a rule is exempt or not exempt from NAT.

Original Interface
    Displays the interface on which the rule is applied.

Original Address
    Displays the source addresses of the hosts or networks to which the rule
    applies.


Destination

Displays the destination addresses of the hosts or networks to which


the rule applies.

Direction

Displays the direction in which the rule is applied.

DNS Rewrite
(FWSM only)

Displays whether the DNS Rewrite option is enabled. When it is enabled, the security appliance rewrites the address in DNS replies that match the translation rule, so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server, www.example.com, has the real address 192.168.1.1 and is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS query to the inside DNS server, which resolves www.example.com to 192.168.1.1. When the reply passes through the security appliance with DNS Rewrite enabled, the appliance translates the address in the DNS payload to 10.1.1.1, so the outside client receives the address it can actually reach.

Maximum TCP Connection
(FWSM only)

Displays the maximum number of TCP connections allowed to the translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Embryonic Limit
(FWSM only)

Displays the number of embryonic connections allowed to form before the security appliance begins to deny further embryonic connections. Set this limit to protect the translated host from a flood of embryonic connections (a SYN flood). An embryonic connection is one that has been started but not yet established, that is, the TCP three-way handshake has not completed. Valid values are 0 through 65,535. If this value is set to zero, the number of embryonic connections is unlimited. A positive number enables the TCP Intercept feature.

Maximum UDP Connection
(FWSM only)

Displays the maximum number of UDP connections allowed to the translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.


Randomize Sequence Number
(FWSM only)

Displays whether the security appliance randomizes the initial sequence numbers of TCP connections that match the rule. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the combined result is corrupting the data stream. Disabling this option removes the protection randomization provides against TCP sequence number prediction, so it opens a security hole in the security appliance. This feature is enabled by default.

Category

Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding. To define categories, select Tools > Policy Object Manager > Category.

Note

No commands are generated for the category attribute.

Description

If a description of the rule is available, it is displayed in this column.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.
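
The DNS Rewrite column in Table L-4 describes what the appliance does to a DNS reply that matches a translation. The following Python model, added here as an example and not part of Security Manager or the ASA code, performs that rewrite on the DNS wire format so the behaviour can be inspected. It takes the reply from the table's scenario (inside server www.example.com at real address 192.168.1.1, mapped to 10.1.1.1), walks the answer, authority and additional sections, and replaces A records carrying the real address with the mapped one for a reply leaving toward an outside client, or the reverse for a reply from an outside DNS server arriving for an inside client. The DNS messages are constructed in the block; build_a_reply, doctor_outbound and doctor_inbound are names chosen for this example.

```python
"""DNS Rewrite (DNS doctoring) model for a static translation. Added example,
not Security Manager or ASA code; the DNS messages are constructed here."""
import struct
from ipaddress import IPv4Address

TYPE_A = 1


def _skip_name(msg, off):
    """Offset just past a domain name, whether written out or compressed."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def rewrite_dns_reply(msg, match_ip, replace_ip):
    """Replace every A record whose address is match_ip with replace_ip.
    Returns (rewritten message, number of records changed). Queries, records of
    other types and non-matching addresses are left untouched."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:               # QR bit clear: a query, nothing to rewrite
        return msg, 0
    match, replace = IPv4Address(match_ip).packed, IPv4Address(replace_ip).packed
    out = bytearray(msg)
    off = 12
    for _ in range(qd):                  # question section: name, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    changed = 0
    for _ in range(an + ns + ar):        # answer, authority and additional records
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4 and msg[off:off + 4] == match:
            out[off:off + 4] = replace
            changed += 1
        off += rdlen
    return bytes(out), changed


def build_a_reply(name, ip, ttl=300):
    """Constructed sample reply: one question and one A answer whose name is a
    compression pointer to the question (offset 12), as real resolvers emit."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1 RD RA NOERROR
    question = qname + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def doctor_outbound(reply, real_ip, mapped_ip):
    """Reply from the inside DNS server leaving toward an outside client:
    the real address becomes the mapped address."""
    return rewrite_dns_reply(reply, real_ip, mapped_ip)


def doctor_inbound(reply, real_ip, mapped_ip):
    """Reply from an outside DNS server arriving for an inside client:
    the mapped address becomes the real address."""
    return rewrite_dns_reply(reply, mapped_ip, real_ip)


if __name__ == "__main__":
    reply = build_a_reply("www.example.com", "192.168.1.1")
    doctored, n = doctor_outbound(reply, "192.168.1.1", "10.1.1.1")
    print(n, IPv4Address(doctored[-4:]))
```

Only the four rdata bytes change; the header, question and TTL are left as the server sent them, and a reply for a name that resolves to some other inside address passes through unmodified. On the device the rewrite applies only to replies that traverse the interfaces of the rule carrying the dns option.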

Dynamic Rules Tab


Use the Dynamic Rules tab to configure dynamic NAT and PAT.

Note

Dynamic translation rules are only supported by PIX/ASA/FWSM devices in
router mode and FWSM 3.2 devices in transparent mode. Other devices in
transparent mode support only static translation rules.

Navigation Path

You can access the Dynamic Rules tab from the Translation Rules page. For more
information about the Translation Rules page, see Translation Rules Page,
page L-8.
Related Topics

NAT Policies, page L-5


Add/Edit Dynamic Translation Rule Dialog Box, page L-24

Advanced NAT Options Dialog Box, page L-28

Select Address Pool Dialog Box, page L-30

Field Reference
Table L-5

Dynamic Rules Tab

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. For more information,
see Filtering Tables, page 3-24.

Dynamic Rules Table

Enabled

Indicates whether a rule is enabled or not.

Original Interface

Displays the interface on which the rule is applied.

Original Address

Displays the source addresses of the hosts or networks to which the rule applies.

Translated Pool

Displays the ID number of the address pool used for translation.

Direction

Displays the direction in which the rule is applied.

DNS Rewrite

Displays whether the DNS Rewrite option is enabled. When it is enabled, the security appliance rewrites the address in DNS replies that match the translation rule, so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server, www.example.com, has the real address 192.168.1.1 and is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS query to the inside DNS server, which resolves www.example.com to 192.168.1.1. When the reply passes through the security appliance with DNS Rewrite enabled, the appliance translates the address in the DNS payload to 10.1.1.1, so the outside client receives the address it can actually reach.

Maximum TCP Connection

Displays the maximum number of TCP connections allowed to the translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.


Embryonic Limit

Displays the number of embryonic connections allowed to form before the security appliance begins to deny further embryonic connections. Set this limit to protect the translated host from a flood of embryonic connections (a SYN flood). An embryonic connection is one that has been started but not yet established, that is, the TCP three-way handshake has not completed. Valid values are 0 through 65,535. If this value is set to zero, the number of embryonic connections is unlimited. A positive number enables the TCP Intercept feature.

Maximum UDP Connection

Displays the maximum number of UDP connections allowed to the translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Randomize Sequence Number

Displays whether the security appliance randomizes the initial sequence numbers of TCP connections that match the rule. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the combined result is corrupting the data stream. Disabling this option removes the protection randomization provides against TCP sequence number prediction, so it opens a security hole in the security appliance. This feature is enabled by default.

Category

Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding. To define categories, select Tools > Policy Object Manager > Category.

Note

No commands are generated for the category attribute.

Description

If a description of the rule is available, it is displayed in this column.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.
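
The Maximum TCP Connection, Embryonic Limit and Maximum UDP Connection columns in Table L-4 and Table L-5 (and the same fields on the remaining tabs and in the Advanced NAT Options dialog) share one convention: 0 means unlimited, and a positive embryonic limit is what engages TCP Intercept. The following Python model, an added example rather than Security Manager or ASA code, keeps the per-translation counters the way the tables describe them and shows how a SYN flood against a mapped address is handled under each setting. The flows and the syn_flood driver are constructed for the example; treating SYNs over the embryonic limit as intercepted rather than dropped, and checking the TCP total before the embryonic limit, are modelling choices, not documented device behaviour.

```python
"""Per-translation connection limits: Maximum TCP Connection, Embryonic Limit and
Maximum UDP Connection as the tabs describe them (0 = unlimited). Added example,
not Security Manager or ASA code; flows and the flood driver are constructed."""
from dataclasses import dataclass, field

UNLIMITED = 0


@dataclass
class Limits:
    max_tcp: int = UNLIMITED
    embryonic: int = UNLIMITED
    max_udp: int = UNLIMITED


@dataclass
class TranslationState:
    """Connection bookkeeping for one translated (mapped) address."""
    limits: Limits
    half_open: set = field(default_factory=set)    # SYN seen, handshake not complete
    established: set = field(default_factory=set)
    udp: set = field(default_factory=set)

    @staticmethod
    def _at_limit(current, limit):
        return limit != UNLIMITED and current >= limit

    def tcp_syn(self, flow):
        """Disposition of a SYN to the mapped address: forward, intercept or deny.
        Modelling choice: the total TCP limit is checked before the embryonic limit."""
        if flow in self.half_open or flow in self.established:
            return "forward"                        # retransmission of a known flow
        if self._at_limit(len(self.half_open) + len(self.established), self.limits.max_tcp):
            return "deny"                           # Maximum TCP Connection reached
        if self._at_limit(len(self.half_open), self.limits.embryonic):
            # Embryonic Limit reached: TCP Intercept answers the SYN itself and only
            # clients that complete the handshake reach the server. Such flows are
            # held by the appliance, so they are not counted against the server here.
            return "intercept"
        self.half_open.add(flow)
        return "forward"

    def tcp_handshake_done(self, flow):
        """Three-way handshake completed: the flow stops counting as embryonic."""
        if flow not in self.half_open:
            return False
        self.half_open.discard(flow)
        self.established.add(flow)
        return True

    def tcp_close(self, flow):
        self.half_open.discard(flow)
        self.established.discard(flow)

    def udp_packet(self, flow):
        """UDP has no handshake, so a new flow is a connection the moment it is seen."""
        if flow in self.udp:
            return "forward"
        if self._at_limit(len(self.udp), self.limits.max_udp):
            return "deny"
        self.udp.add(flow)
        return "forward"


def syn_flood(limits, attempts, complete_every=0):
    """Constructed scenario: `attempts` SYNs from distinct sources to the mapped
    web server 10.1.1.1; if complete_every is n > 0, every n-th client finishes
    the handshake. Returns (disposition counts, final state)."""
    state = TranslationState(limits)
    counts = {"forward": 0, "intercept": 0, "deny": 0}
    for n in range(attempts):
        flow = (f"203.0.113.{n % 250 + 1}", 40000 + n, "10.1.1.1", 80)
        counts[state.tcp_syn(flow)] += 1
        if complete_every and n % complete_every == 0:
            state.tcp_handshake_done(flow)
    return counts, state


if __name__ == "__main__":
    print(syn_flood(Limits(embryonic=100), 150)[0])
    print(syn_flood(Limits(max_tcp=10), 15)[0])
```

Two results are worth comparing: with only an embryonic limit, clients that complete the handshake never count against it, so a busy but legitimate server is not throttled while half-open flood traffic is; with only a TCP maximum, the limit is absolute and legitimate clients are denied once it is reached, which is why the two settings exist separately.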

Policy Dynamic Rules Tab


Use the Policy Dynamic Rules tab to configure dynamic translation rules based
on source and destination addresses/ports.


Note

Policy dynamic rules are only supported by PIX/ASA/FWSM devices in router
mode and FWSM 3.2 devices in transparent mode. Other devices in transparent
mode support only static translation rules.

Navigation Path

You can access the Policy Dynamic Rules tab from the Translation Rules page.
For more information about the Translation Rules page, see Translation Rules
Page, page L-8.
Related Topics

NAT Policies, page L-5

Add/Edit Policy Dynamic Rules Dialog Box, page L-25

Advanced NAT Options Dialog Box, page L-28

Select Address Pool Dialog Box, page L-30

Field Reference
Table L-6

Policy Dynamic Rules Tab

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. For more information,
see Filtering Tables, page 3-24.

Policy Dynamic Rules Table

Enabled

Indicates whether a rule is enabled or not.

Original Interface

Displays the interface on which the rule is applied.

Original Address

Displays the source address of the host or network to which the rule
applies.

Translated Pool

Displays the ID number of the address pool used for translation.

Destination

Displays the destination addresses of the hosts or networks to which the rule applies.

Service

Displays the services to which the rule applies.

Direction

Displays the direction in which the rule is applied.


DNS Rewrite

Displays whether the DNS Rewrite option is enabled. When it is enabled, the security appliance rewrites the address in DNS replies that match the translation rule, so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server, www.example.com, has the real address 192.168.1.1 and is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS query to the inside DNS server, which resolves www.example.com to 192.168.1.1. When the reply passes through the security appliance with DNS Rewrite enabled, the appliance translates the address in the DNS payload to 10.1.1.1, so the outside client receives the address it can actually reach.

Maximum TCP Connection

Displays the maximum number of TCP connections allowed to the translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Embryonic Limit

Displays the number of embryonic connections allowed to form before the security appliance begins to deny further embryonic connections. Set this limit to protect the translated host from a flood of embryonic connections (a SYN flood). An embryonic connection is one that has been started but not yet established, that is, the TCP three-way handshake has not completed. Valid values are 0 through 65,535. If this value is set to zero, the number of embryonic connections is unlimited. A positive number enables the TCP Intercept feature.

Maximum UDP Connection

Displays the maximum number of UDP connections that are


allowed to connect to the statically translated IP address. Valid
values are 0 through 65,535. If this value is set to zero, the number
of connections is unlimited.

Randomize Sequence Number

Displays whether the security appliance randomizes the initial sequence numbers of TCP connections that match the rule. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the combined result is corrupting the data stream. Disabling this option removes the protection randomization provides against TCP sequence number prediction, so it opens a security hole in the security appliance. This feature is enabled by default.


Category

Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding. To define categories, select Tools > Policy Object Manager > Category.

Note

No commands are generated for the category attribute.

Description

If a description of the rule is available, it is displayed in this column.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.

Static Rules Tab


Use the Static Rules tab to configure static translation rules for a firewall device
or shared policy.
Navigation Path

You can access the Static Rules tab from the Translation Rules page. For more
information about the Translation Rules page, see Translation Rules Page,
page L-8.
Related Topics

NAT Policies, page L-5

Add/Edit Static Rule Dialog Box, page L-26

Advanced NAT Options Dialog Box, page L-28


Field Reference
Table L-7

Static Rules Tab

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. For more information,
see Filtering Tables, page 3-24.

Original Interface

Displays the interface on which the original addresses reside.

Original Address

Displays the source network on which the traffic to be translated resides.

Local Port

For static PAT, displays the port number supplied by the host/network.

Translated Interface

Displays the interface on which the translated addresses reside.

Translated Address

Displays the translated addresses.

Global Port

For static PAT, displays the port number to which the original port
number will be translated.

Destination

Displays the destination addresses of the hosts or networks to which the rule applies.

Service

Displays the service to which the rule applies.

Protocol

Displays the protocol to which the rule applies.

DNS Rewrite

Displays whether the DNS Rewrite option is enabled. When it is enabled, the security appliance rewrites the address in DNS replies that match the translation rule, so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server, www.example.com, has the real address 192.168.1.1 and is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS query to the inside DNS server, which resolves www.example.com to 192.168.1.1. When the reply passes through the security appliance with DNS Rewrite enabled, the appliance translates the address in the DNS payload to 10.1.1.1, so the outside client receives the address it can actually reach.

Maximum TCP Connection

Displays the maximum number of TCP connections allowed to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.


Embryonic Limit

Displays the number of embryonic connections allowed to form before the security appliance begins to deny further embryonic connections. Set this limit to protect the translated host from a flood of embryonic connections (a SYN flood). An embryonic connection is one that has been started but not yet established, that is, the TCP three-way handshake has not completed. Valid values are 0 through 65,535. If this value is set to zero, the number of embryonic connections is unlimited. A positive number enables the TCP Intercept feature.

Maximum UDP Connection

Displays the maximum number of UDP connections allowed to the statically translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Timeout

For PIX 6.x devices, this column shows the timeout value for a static
translation rule. This timeout value overrides the translation timeout
specified in Platform > Security > Timeouts. A timeout value of
00:00:00 means that translations matching this rule should use the
default translation timeout specified in Platform > Security >
Timeouts.

Randomize Sequence Number

Displays whether the security appliance randomizes the initial sequence numbers of TCP connections that match the rule. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the combined result is corrupting the data stream. Disabling this option removes the protection randomization provides against TCP sequence number prediction, so it opens a security hole in the security appliance. This feature is enabled by default.

Nailed

Indicates whether the rule allows stateless TCP sessions for asymmetrically routed traffic.

Category

Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding. To define categories, select Tools > Policy Object Manager > Category.

Note

No commands are generated for the category attribute.


Description

If a description of the rule is available, it is displayed in this column.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.

General Tab
Use the General tab to view all translation rules. The translation rules are listed in
the order that they will be evaluated on the device.

Note

The General tab is only visible for PIX/ASA/FWSM devices in router mode and
FWSM 3.2 devices in transparent mode. Other devices in transparent mode
support only static translation rules and, therefore, do not need to display the
summary information.
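
The General tab lists the rules in evaluation order, but the page does not spell that order out. The following Python model, added here as an example and not Security Manager code, applies the pre-8.3 PIX/ASA NAT order of operations to the rule types shown on the tabs above: translation exemptions (NAT 0 ACL) first, where a do not exempt row ends the ACL lookup, then static rules, then policy dynamic rules, each taking the first match in configured order, and finally regular dynamic rules, where the most specific Original Address wins regardless of order. The rule set, interface names and addresses are constructed for the example.

```python
"""NAT order of operations for the rule types on the Translation Rules tabs.
Added example, not Security Manager code. Precedence follows the ASA 8.x
(pre-8.3) documentation; the rule set and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Evaluation order: exemptions, static (regular and policy), policy dynamic,
# regular dynamic. The first three take the first match in configured order;
# regular dynamic NAT takes the most specific Original Address instead.
ORDER = ("exempt", "static", "policy_dynamic", "dynamic")


@dataclass(frozen=True)
class Rule:
    kind: str                   # one of ORDER
    interface: str              # Original Interface column
    src: IPv4Network            # Original Address column
    dst: IPv4Network = ANY      # Destination column (exemptions, policy rules)
    exempt: bool = True         # exemption rows only: False is "do not exempt"
    name: str = ""

    def matches(self, src, dst):
        return src in self.src and dst in self.dst


def select_rule(rules, interface, src_ip, dst_ip):
    """Return the rule the device would apply to this flow, or None."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for kind in ORDER:
        cands = [r for r in rules if r.kind == kind and r.interface == interface]
        if kind == "dynamic":
            hits = [r for r in cands if r.matches(src, dst)]
            if hits:
                return max(hits, key=lambda r: r.src.prefixlen)   # best match wins
            continue
        for r in cands:
            if r.matches(src, dst):
                if kind == "exempt" and not r.exempt:
                    break   # "do not exempt" row: ACL lookup ends, fall through
                return r
    return None


# Constructed rule set: an inside LAN with a VPN peer at 10.10.0.0/16, one
# statically translated web server, a partner network reached through policy
# PAT, and two overlapping regular dynamic rules.
RULES = (
    Rule("exempt", "inside", ip_network("192.168.1.50/32"), ip_network("10.10.0.0/16"),
         exempt=False, name="no-exempt-host50"),
    Rule("exempt", "inside", ip_network("192.168.1.0/24"), ip_network("10.10.0.0/16"),
         name="vpn-exempt"),
    Rule("static", "inside", ip_network("192.168.1.1/32"), name="static-web"),
    Rule("policy_dynamic", "inside", ip_network("192.168.1.0/24"), ip_network("172.16.0.0/12"),
         name="pat-partner"),
    Rule("dynamic", "inside", ip_network("0.0.0.0/0"), name="nat-any"),
    Rule("dynamic", "inside", ip_network("192.168.1.0/24"), name="nat-lan"),
)


def which(src_ip, dst_ip, interface="inside"):
    """Name of the winning rule for a flow entering on `interface`, or None."""
    rule = select_rule(RULES, interface, src_ip, dst_ip)
    return rule.name if rule else None


if __name__ == "__main__":
    for flow in (("192.168.1.1", "10.10.1.1"), ("192.168.1.1", "198.51.100.7"),
                 ("192.168.1.50", "10.10.5.5"), ("192.168.2.7", "198.51.100.7")):
        print(flow, "->", which(*flow))
```

The two lookups for 192.168.1.1 show why the exemption table deserves care: the same host is statically translated for Internet traffic but passes untranslated to the 10.10.0.0/16 peer, because exemptions are consulted before static rules. The lookup for 192.168.1.50 shows the do not exempt row doing its job only because it precedes the broader exempt row; reversed, it would never be reached.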
Navigation Path

You can access the General tab from the Translation Rules page. For more
information about the Translation Rules page, see Translation Rules Page,
page L-8.
Related Topics

NAT Policies, page L-5

Field Reference
Table L-8

General Tab

Element

Description

Filter

Click the arrow to display the filtering bar, which enables you to
filter the information displayed in the table. For more information,
see Filtering Tables, page 3-24.

Translation Rules Summary Table

Type

Displays the translation rule type.



Enabled

Indicates whether a rule is enabled or not.

Action

Displays whether traffic matching the rule is exempt from NAT (exempt) or is explicitly not exempt (do not exempt).

Original Interface

Displays the interface on which the rule is applied.

Original Address

Displays the source addresses of the hosts or networks to which the rule applies.

Local Port

For static PAT, displays the port number supplied by the host/network.

Translated Pool

Displays the ID number of the address pool used for translation.

Translated Interface

Displays the interface on which the translated addresses reside.

Translated Address

Displays the translated addresses.

Global Port

For static PAT, displays the port number to which the original port
number will be translated.

Destination

Displays the destination addresses of the hosts or networks to which the rule applies.

Protocol

Displays the protocol to which the rule applies.

Service

Displays the service to which the rule applies.

Direction

Displays the direction in which the rule is applied.

DNS Rewrite

Displays whether the DNS Rewrite option is enabled. When it is enabled, the security appliance rewrites the address in DNS replies that match the translation rule, so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server, www.example.com, has the real address 192.168.1.1 and is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS query to the inside DNS server, which resolves www.example.com to 192.168.1.1. When the reply passes through the security appliance with DNS Rewrite enabled, the appliance translates the address in the DNS payload to 10.1.1.1, so the outside client receives the address it can actually reach.


Maximum TCP Connection

Displays the maximum number of TCP connections allowed to the translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Embryonic Limit

Displays the number of embryonic connections allowed to form before the security appliance begins to deny further embryonic connections. Set this limit to protect the translated host from a flood of embryonic connections (a SYN flood). An embryonic connection is one that has been started but not yet established, that is, the TCP three-way handshake has not completed. Valid values are 0 through 65,535. If this value is set to zero, the number of embryonic connections is unlimited. A positive number enables the TCP Intercept feature.

Maximum UDP Connection

Displays the maximum number of UDP connections allowed to the translated IP address. Valid values are 0 through 65,535. If this value is set to zero, the number of connections is unlimited.

Timeout

For PIX 6.x devices, this column shows the timeout value for a static
translation rule. This timeout value overrides the translation timeout
specified in Platform > Security > Timeouts. A timeout value of
00:00:00 means that translations matching this rule should use the
default translation timeout specified in Platform > Security >
Timeouts.

Randomize Sequence Number

Displays whether the security appliance randomizes the initial sequence numbers of TCP connections that match the rule. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the combined result is corrupting the data stream. Disabling this option removes the protection randomization provides against TCP sequence number prediction, so it opens a security hole in the security appliance. This feature is enabled by default.


Category

Displays the category to which the rule is assigned. Categories provide an intermediate level of detail to objects and help you readily identify rules and objects by use of color-coding. To define categories, select Tools > Policy Object Manager > Category.

Note

No commands are generated for the category attribute.

Description

If a description of the rule is available, it is displayed in this column.

Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box


Use the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog box to add or
edit translation exemption rules.
Navigation Path

You can access the Add/Edit Translation Exemption (NAT-0 ACL) Rule dialog
box from the Translation Exemptions (NAT 0 ACL) tab. For more information
about the Translation Exemptions (NAT 0 ACL) tab, see Translation Exemptions
(NAT 0 ACL) Tab, page L-9.
Related Topics

NAT Policies, page L-5

Translation Rules Page, page L-8

Translation Exemptions (NAT 0 ACL) Tab, page L-9

Advanced NAT Options Dialog Box, page L-28


Field Reference
Table L-9

Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box

Element

Description

Enable Rule

Specify whether the rule is enabled or not.

Action

Select the action for this rule:

exempt: The rule identifies traffic that is exempt from NAT.

do not exempt: The rule identifies traffic that is not exempt from NAT. Rows are evaluated in table order and the first match decides, so place a do not exempt rule for a specific host or network above the broader exempt rule it carves out of.

Original Interface

Specify the interface on which the rule is applied.

Original Address

Specify the source addresses of the hosts or networks to which the rule applies.

Translated Direction

Select the direction in which the rule is applied.

Traffic flow Destinations

Specify the destination addresses of the hosts or networks to which the rule applies.

Category

To assign the rule to a category, select the category from the list.
Categories provide an intermediate level of detail to objects and
help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager >
Category.
Note

No commands are generated for the category attribute.

Description

Enter a description of the rule.

Advanced button
(FWSM only)

Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.


Add/Edit Dynamic Translation Rule Dialog Box


Use the Add/Edit Dynamic Translation Rule dialog box to add or edit dynamic
NAT and PAT rules.
Navigation Path

You can access the Add/Edit Dynamic Translation Rule dialog box from the
Dynamic Rules tab. For more information about the Dynamic Rules tab, see
Dynamic Rules Tab, page L-11.
Related Topics

NAT Policies, page L-5

Translation Rules Page, page L-8

Dynamic Rules Tab, page L-11

Advanced NAT Options Dialog Box, page L-28

Select Address Pool Dialog Box, page L-30

Field Reference
Table L-10

Add/Edit Dynamic Translation Rule Dialog Box

Element

Description

Enable Rule

Specify whether the rule is enabled or not.

Original Interface

Specify the interface on which the rule is applied.

Original Address

Specify the source addresses of the hosts or networks to which the rule applies.

Translated Pool

Specify the ID number of the address pool used for translation. To choose an existing pool, see Select Address Pool Dialog Box, page L-30.

Translated Direction

Select the direction in which the rule is applied.

Category

To assign the rule to a category, select the category from the list.
Categories provide an intermediate level of detail to objects and
help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager >
Category.
Note

No commands are generated for the category attribute.


Description

Enter a description of the rule.

Advanced button

Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.

Add/Edit Policy Dynamic Rules Dialog Box


Use the Add/Edit Policy Dynamic Rules dialog box to add or edit dynamic
translation rules based on source and destination addresses/ports.
Navigation Path

You can access the Add/Edit Policy Dynamic Rules dialog box from the Policy
Dynamic Rules tab. For more information about the Policy Dynamic Rules tab,
see Policy Dynamic Rules Tab, page L-13.
Related Topics

NAT Policies, page L-5

Translation Rules Page, page L-8

Policy Dynamic Rules Tab, page L-13

Advanced NAT Options Dialog Box, page L-28

Select Address Pool Dialog Box, page L-30

Field Reference
Table L-11

Add/Edit Policy Dynamic Rules Dialog Box

Element

Description

Enable Rule

Specify whether the rule is enabled or not.

Original Interface

Specify the interface on which the rule is applied.

Original Address

Specify the source address of the host or network to which the rule
applies.

Translated Pool

Enter the ID number of the address pool used for translation.

Translated Direction

Select the direction in which the rule is applied.



Traffic flow Destinations

Specify the destination addresses of the hosts or networks to which the rule applies.

Traffic flow Services

Specify the services to which the rule applies.

Category

To assign the rule to a category, select the category from the list.
Categories provide an intermediate level of detail to objects and
help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager >
Category.
Note

No commands are generated for the category attribute.

Description

Enter a description of the rule.

Advanced button

Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.

Add/Edit Static Rule Dialog Box


Use the Add/Edit Static Rule dialog box to add or edit static translation rules for
a firewall device or shared policy.
Navigation Path

You can access the Add/Edit Static Rule dialog box from the Static Rules tab. For
more information about the Static Rules tab, see Static Rules Tab, page L-16.
Related Topics

NAT Policies, page L-5

Translation Rules Page, page L-8

Static Rules Tab, page L-16

Advanced NAT Options Dialog Box, page L-28


Field Reference
Table L-12

Add/Edit Static Rule Dialog Box

Element

Description

Enable Rule

Specify whether the rule is enabled or not.

Translation Type

Select the type of translation, NAT or PAT, for this rule.

Original Interface

Specify the interface on which the original addresses reside.

Original Address

Specify the source network on which the traffic to be translated resides.

Translated Interface

Specify the interface on which the translated addresses reside.

Translated Address

Specify the translated addresses.

Enable Policy NAT

Select this option to enable policy NAT for this translation rule.

Dest Address

For policy NAT, specify the destination addresses of the hosts or networks to which the rule applies.

Service

For policy NAT, specify the services to which the rule applies.

Protocol

For PAT, select the protocol, TCP or UDP, to which the rule applies.

Original Port

For PAT, enter the port number to be translated.

Translated Port

For PAT, enter the port number to which the original port number
will be translated.

Category

To assign the rule to a category, select the category from the list.
Categories provide an intermediate level of detail to objects and
help you readily identify rules and objects by use of color-coding.
To define categories, select Tools > Policy Object Manager >
Category.
Note

No commands are generated for the category attribute.

Description

Enter a description of the rule.

Advanced button

Click to display the Advanced NAT Options dialog box to configure advanced settings for this rule.


Advanced NAT Options Dialog Box


Use the Advanced NAT Options dialog box to configure the DNS Rewrite,
Maximum Connections, Embryonic Limit, and Randomize Sequence Number
settings for NAT and Policy NAT. You can also configure these options for
NAT 0 ACL rules on a FWSM.
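
Each field in this dialog, and in the Add/Edit Static Rule dialog that opens it, ends up as a keyword on a pre-8.3 static or nat command in the deployed configuration. The following Python script, an added example and not Security Manager or Cisco code, reads such commands back into the dialog's fields and flags the two settings this appendix warns about: sequence randomization turned off (norandomseq) and an embryonic limit of 0, which leaves TCP Intercept disengaged. The configuration lines are constructed for the example; the keyword layout follows the ASA 8.x command reference as the author recalls it, so verify it against your device's command reference before relying on the parser, and treat the NatRule field names as this example's own.

```python
"""Audit pre-8.3 PIX/ASA 'static' and 'nat' lines for the settings behind the Advanced
NAT Options dialog. Added example, not Security Manager or Cisco code: the config is
constructed; keyword layout follows the ASA 8.x command reference as the author recalls it."""
from dataclasses import dataclass

UNLIMITED = 0   # the dialog's convention: 0 means no limit

@dataclass
class NatRule:
    kind: str                        # "static", "exempt" (nat 0 access-list) or "dynamic"
    original_interface: str
    translated_interface: str = ""   # static only; dynamic rules reference a global pool ID
    original_address: str = ""       # real address, "real mask", or "access-list NAME"
    translated_address: str = ""     # mapped address, "interface", or "global <id>"
    protocol: str = ""               # static PAT only
    original_port: str = ""          # Local Port column
    translated_port: str = ""        # Global Port column
    netmask: str = ""
    dns_rewrite: bool = False
    max_tcp: int = UNLIMITED
    embryonic_limit: int = UNLIMITED
    max_udp: int = UNLIMITED
    randomize_seq: bool = True       # device default; 'norandomseq' turns it off
    nailed: bool = False
    outside_nat: bool = False        # 'outside' keyword, the Direction column

FLAGS = {"dns": ("dns_rewrite", True), "norandomseq": ("randomize_seq", False),
         "nailed": ("nailed", True), "outside": ("outside_nat", True)}

def _parse_options(rule, toks):
    """Trailing options shared by static and nat. The 'tcp' keyword in front of
    tcp_max_conns [emb_limit] is optional, so a bare number starts the TCP limits."""
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in FLAGS:
            setattr(rule, *FLAGS[t])
            i += 1
        elif t == "netmask":
            rule.netmask, i = toks[i + 1], i + 2
        elif t == "udp":
            rule.max_udp, i = int(toks[i + 1]), i + 2
        elif t == "tcp" or t.isdigit():
            i += t == "tcp"              # skip the optional keyword
            rule.max_tcp, i = int(toks[i]), i + 1
            if i < len(toks) and toks[i].isdigit():
                rule.embryonic_limit, i = int(toks[i]), i + 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    return rule

def parse_static(line):
    toks = line.split()
    orig_if, trans_if = toks[1].strip("()").split(",")
    rule, i = NatRule("static", orig_if, trans_if), 2
    if toks[i] in ("tcp", "udp"):    # static PAT: proto mapped_ip mapped_port real_ip real_port
        rule.protocol, rule.translated_address, rule.translated_port = toks[i:i + 3]
        i += 3
    else:                             # static NAT: mapped_ip real_ip
        rule.translated_address, i = toks[i], i + 1
    if toks[i] == "access-list":      # policy static NAT/PAT: the ACL carries the real side
        rule.original_address, i = f"access-list {toks[i + 1]}", i + 2
    elif rule.protocol:
        (rule.original_address, rule.original_port), i = toks[i:i + 2], i + 2
    else:
        rule.original_address, i = toks[i], i + 1
    return _parse_options(rule, toks[i:])

def parse_nat(line):
    toks = line.split()
    nat_id = int(toks[2])
    kind = "exempt" if nat_id == 0 and toks[3] == "access-list" else "dynamic"
    rule = NatRule(kind, toks[1].strip("()"), original_address=f"{toks[3]} {toks[4]}",
                   translated_address=f"global {nat_id}")   # "access-list NAME" or "real mask"
    return _parse_options(rule, toks[5:])

def audit(config_text):
    """Parse static/nat lines ('global' pools are skipped) and flag the two settings
    this page warns about. Returns (rules, findings)."""
    rules = [parse_static(ln) if ln.startswith("static ") else parse_nat(ln)
             for ln in map(str.strip, config_text.splitlines())
             if ln.startswith(("static ", "nat "))]
    findings = []
    for r in rules:
        where = f"{r.kind} ({r.original_interface}) {r.original_address}"
        if not r.randomize_seq:
            findings.append(f"{where}: TCP sequence randomization disabled (norandomseq)")
        if r.kind != "exempt" and r.embryonic_limit == UNLIMITED:
            findings.append(f"{where}: embryonic limit 0, TCP Intercept not engaged")
    return rules, findings

SAMPLE_CONFIG = """
static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 dns tcp 1000 100 udp 500
static (inside,outside) tcp 10.1.1.2 8080 192.168.1.2 80 netmask 255.255.255.255 norandomseq
static (dmz,outside) 10.1.1.3 access-list DMZ_POLICY tcp 0 0
nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.1.0 255.255.255.0 dns 2000 200 udp 1000
global (outside) 1 interface
"""
```

Run audit(SAMPLE_CONFIG) to get the parsed rules and three findings: the static PAT for 192.168.1.2 has both randomization off and no embryonic limit, and the policy static for the DMZ has its limits written out as tcp 0 0, which is the same as having none. The exemption is skipped on purpose: a nat 0 access-list line on an ASA carries none of these options, which is why the Advanced button on the exemption dialog is marked FWSM only.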
Navigation Path

You can access the Advanced NAT Options dialog box by clicking the Advanced
button when adding or editing a translation rule. See the following topics for more
information:

Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page L-22

Add/Edit Dynamic Translation Rule Dialog Box, page L-24

Add/Edit Policy Dynamic Rules Dialog Box, page L-25

Add/Edit Static Rule Dialog Box, page L-26

Related Topics

NAT Policies, page L-5

Translation Rules Page, page L-8

Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box, page L-22

Add/Edit Dynamic Translation Rule Dialog Box, page L-24

Add/Edit Policy Dynamic Rules Dialog Box, page L-25

Add/Edit Static Rule Dialog Box, page L-26


Field Reference
Table L-13

Advanced NAT Options Dialog Box

Element

Description

Translate the DNS replies that match the translation rule

When selected, the security appliance rewrites the address in DNS replies that match this translation rule, so that an outside client can resolve the name of an inside host using an inside DNS server, or vice versa. For example, assume an inside web server, www.example.com, has the real address 192.168.1.1 and is translated to 10.1.1.1 on the outside interface. An outside client sends a DNS query to the inside DNS server, which resolves www.example.com to 192.168.1.1. When the reply passes through the security appliance with DNS Rewrite enabled, the appliance translates the address in the DNS payload to 10.1.1.1, so the outside client receives the address it can actually reach.

Max TCP Connections per Rule

Enter the maximum number of TCP connections that are allowed to


connect to the statically translated IP address. Valid values are 0
through 65,535. If this value is set to zero, the number of
connections is unlimited.

Max UDP Connections per Rule Enter the maximum number of UDP connections that are allowed to
connect to the statically translated IP address. Valid values are 0
through 65,535. If this value is set to zero, the number of
connections is unlimited.
Max Embryonic Connections

Enter the number of embryonic connections allowed to form before


the security appliance begins to deny these connections. Set this
limit to prevent attack by a flood of embryonic connections. An
embryonic connection is one that has been started but has not yet
been established, such as a three-way TCP handshake state. Valid
values are 0 through 65,535. If this value is set to zero, the number
of connections is unlimited. A positive number enables the TCP
Intercept feature.


Timeout
    For PIX 6.x devices, enter the timeout value for this static translation
    rule in the format hh:mm:ss. This value overrides the translation
    timeout specified in Platform > Security > Timeouts. Leave the default
    value of 00:00:00 if you want translations matching this rule to use the
    default translation timeout from Platform > Security > Timeouts.

Randomize Sequence Number
    When selected, the security appliance randomizes the initial sequence
    number of TCP connections that match the rule. Disable this feature only
    if another inline security appliance is also randomizing sequence
    numbers and the double randomization is scrambling the data. Disabling
    it weakens protection against TCP session hijacking and spoofing,
    because the end hosts' own initial sequence numbers may be predictable.
    This feature is enabled by default.

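The DNS rewrite and the per-rule connection limits described in Table L-13, modelled as an added example (this is not code from Cisco Security Manager or from the security appliance). rewrite_dns_reply walks a DNS response and, for each class-IN A record whose address appears in the translation map, replaces the address in place; that is what lets the outside client in the example above receive 10.1.1.1 instead of 192.168.1.1, and the same function serves the reverse direction when the map is inverted. StaticRuleLimits models the Max TCP, Max UDP and Max Embryonic counters, with 0 meaning unlimited. The sample reply is constructed inline, and every function and class name here is my own.

```python
import struct
from ipaddress import IPv4Address


# ---------- DNS rewrite (the "Translate the DNS replies" option) ----------

def encode_name(name):
    """Encode a hostname in DNS wire format (length-prefixed labels, NUL end)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at off. A compression
    pointer (top two bits set) occupies two bytes and ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_dns_reply(name, answer_ips, txid=0x1234):
    """Constructed sample input: a standard response with one question and one
    A record per address; each answer points back at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in answer_ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answers


def a_record_offsets(msg):
    """Yield the rdata offset of every class-IN A record in the answer,
    authority and additional sections of a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                          # skip QTYPE/QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_addresses(msg):
    """List the A-record addresses carried in a DNS message."""
    return [str(IPv4Address(msg[o:o + 4])) for o in a_record_offsets(msg)]


def rewrite_dns_reply(msg, xlate):
    """Rewrite every A record whose address is a key of xlate. xlate maps the
    address as the DNS server sees it to the address the client must use
    (real -> mapped for an inside server answering an outside client, or the
    inverse map for the opposite direction). Returns (new_message, changes)."""
    out = bytearray(msg)
    changes = []
    for o in a_record_offsets(msg):
        old = str(IPv4Address(msg[o:o + 4]))
        new = xlate.get(old)
        if new is not None:
            out[o:o + 4] = IPv4Address(new).packed            # same length, no resizing
            changes.append((old, new))
    return bytes(out), changes


# ---------- Per-rule connection limits (Max TCP/UDP, Max Embryonic) ----------

class StaticRuleLimits:
    """Counters a static rule keeps for its translated address. 0 = unlimited."""

    def __init__(self, max_tcp=0, max_udp=0, emb_limit=0):
        self.max_tcp, self.max_udp, self.emb_limit = max_tcp, max_udp, emb_limit
        self.tcp = self.udp = self.embryonic = 0

    def tcp_syn(self):
        """A new SYN arrives for the translated address. True if the appliance
        lets it through; False once the embryonic or TCP limit is reached."""
        if self.emb_limit and self.embryonic >= self.emb_limit:
            return False      # TCP Intercept answers the SYN instead of passing it
        if self.max_tcp and self.tcp + self.embryonic >= self.max_tcp:
            return False
        self.embryonic += 1
        return True

    def tcp_handshake_done(self):
        """Three-way handshake completed: the connection is no longer embryonic."""
        self.embryonic -= 1
        self.tcp += 1

    def tcp_closed(self):
        self.tcp -= 1

    def udp_new(self):
        if self.max_udp and self.udp >= self.max_udp:
            return False
        self.udp += 1
        return True
```

Because the rewrite is done in place on a 4-byte rdata field, the message length never changes, which matters for replies carried over UDP. A real appliance rewrites only when the reply actually traverses it and the address matches an active translation; the map passed to rewrite_dns_reply stands in for that lookup.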
Select Address Pool Dialog Box


Use the Select Address Pool dialog box to select the address pool to use for a
dynamic or policy dynamic translation rule from a list of defined global address
pools.
Navigation Path

You can access the Select Address Pool dialog box from the Add/Edit Dynamic
Translation Rule Dialog Box, page L-24 when adding or editing a dynamic
translation rule or from the Add/Edit Policy Dynamic Rules Dialog Box,
page L-25 when adding or editing a policy dynamic translation rule.
Related Topics

NAT Policies, page L-5

Translation Rules Page, page L-8

Add/Edit Dynamic Translation Rule Dialog Box, page L-24

Add/Edit Policy Dynamic Rules Dialog Box, page L-25


Field Reference

Table L-14 Select Address Pool Dialog Box

Pool ID
    Displays the identification number of the address pool.

Interface
    Displays the name of the firewall device interface to which the address
    pool applies.

IP Address Ranges
    Displays the type and value of the addresses in the pool.

Description
    Displays the description of the address pool.

Selected Row
    Identifies the selected pool.

Interfaces Page
The Interfaces page displays configured interfaces and sub-interfaces. You can
add or delete interfaces and sub-interfaces, and also enable communication
between interfaces on the same security level. Each firewall device must be
configured, and each active interface must be enabled. Inactive interfaces can be
disabled. When disabled, the interface does not transmit or receive data, but the
configuration information is retained.
Transparent firewall mode allows only two interfaces to pass through traffic;
however, if your platform includes a dedicated management interface, you can use
it (either the physical interface or a sub-interface) as a third interface for
management traffic.
If you bootstrapped a new firewall device, the setup feature configures only the
addresses and names associated with the inside interface. You must define the
remaining interfaces on that device before you can specify access and translation
rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the device type and version, the
operational mode (routed vs. transparent), and whether the device hosts a single
or multiple contexts. As such, the fields in the following table might not apply
depending on the device you are defining.


Navigation Path

To access this feature, select a firewall device in Device View and then select
Interfaces from the Device Policy selector.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

Add/Edit Interface Dialog Box, page L-34

Field Reference

Table L-15 Interfaces Page

Interfaces Table

Interface Type
    Displays the interface type. This value is derived from the hardware ID
    setting of the selected interface. Valid options are:
    - ethernet
    - gigabitethernet
    - gb-ethernet

Interface Name/Name
    Displays the interface ID. All physical interfaces are listed
    automatically. For ASA/PIX 7.0 devices, sub-interfaces are indicated by
    the interface ID followed by .n, where n is the sub-interface number.

IP Address
    Displays the IP address, or in transparent mode, the word native.
    Transparent mode interfaces do not use IP addresses.

IP Address Type
    Specifies the method by which the IP address is provided. Valid options
    are:
    - static: the IP address is manually defined.
    - dhcp: the IP address is obtained via a DHCP lease.
    - pppoe: the IP address is obtained using PPPoE.


Interface Role
    Lists the interface roles associated with the interface. Interface roles
    are objects that are replaced with the actual interface IP addresses
    when the configuration is generated for each device. They allow you to
    define generic rules, ones that can apply to multiple interfaces. Valid
    options include:
    - All-Interfaces: the interface is a member of the default role assigned
      to all interfaces.
    - Internal: the interface is a member of the default role associated
      with all inside interfaces.
    - External: the interface is a member of the default role associated
      with all outside interfaces.
    For more information on roles and how to define and use them, see
    Understanding Interface Role Objects, page 8-115.

Hardware ID
    Identifies the type of interface installed in the device, as well as the
    port or slot where the interface is installed. For sub-interfaces, this
    value identifies the physical interface with which the sub-interface is
    associated.

Vlan ID
    For a sub-interface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs
    might be reserved on connected switches, so check the switch
    documentation for more information. For multiple context mode, you can
    set the VLAN only in the system configuration. If this value is not
    specified, the column displays native.

Enabled
    Indicates whether the interface is enabled, true or false.
    By default, all physical interfaces are shut down. You must enable the
    physical interface before any traffic can pass through an enabled
    sub-interface. For multiple context mode, if you allocate a physical
    interface or sub-interface to a context, the interface is enabled by
    default in the context. However, before traffic can pass through the
    context interface, you must also enable the interface in the system
    configuration. If you shut down an interface in the system execution
    space, that interface is down in all contexts that share it.

Security Level
    Displays the interface security level, between 0 and 100.


Management Only
    Indicates whether the interface accepts only traffic destined to the
    security appliance itself (management traffic) and not through traffic.

MTU
    Displays the MTU. By default, the MTU is 1500.

Description
    Displays a description of the interface. In the case of a failover or
    state link, the description is fixed as LAN Failover Interface, STATE
    Failover Interface, or LAN/STATE Failover Interface, for example. You
    cannot edit this description.

ASR Group
    Displays the ASR group number if this interface is part of an asymmetric
    routing group. Stateful failover must be enabled for asymmetric routing
    support to function properly between units in failover configurations.
    Valid values for ASR group range from 1 to 32.

Save button
    Saves your changes to the server but keeps them private.
    Note: To publish your changes, click the Submit button on the toolbar.

Add/Edit Interface Dialog Box


Use the Add/Edit Interface dialog box to add or edit an interface or sub-interface.
In multiple context mode, you can only add interfaces in the system configuration.
See Configuring Security Contexts on Firewall Devices, page 15-105, to
assign interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface
in this dialog box; instead, use the Failover page. In particular, do not set the
interface name, as this parameter disqualifies the interface from being used as the
failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or
delete the interface from the Interfaces page. The only exception is if you set a
physical interface to be the state link, then you can configure the speed and
duplex.


The options appearing in the Add/Edit Interface dialog box vary based on the
selected device type, the mode of the device (routed or transparent), and the type
of interface you are defining, such as a physical, virtual, logical, or sub-interface:

Add/Edit Interface Dialog Box (PIX 7.0/ASA), page L-35

Add/Edit Interface Dialog Box (PIX 6.3), page L-40

Navigation Path

You can access the Add/Edit Interface dialog box from the Interfaces page. For
more information about the Interfaces page, see Interfaces Page, page L-31.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

Interfaces Page, page L-31

ASA 5505 Ports and Interfaces Page, page L-59

Advanced Interface Settings Dialog Box, page L-45

Add VPDN Group Dialog Box, page L-47

PPPoE Users Dialog Box, page L-48

Field Reference (PIX 7.0/ASA)

Table L-16 Add/Edit Interface Dialog Box (PIX 7.0/ASA)

Enable Interface
    Enables this interface to pass traffic. In addition to this setting, you
    need to set an IP address (for routed mode) and a name before traffic
    can pass according to your security policy.
    By default, all physical interfaces are shut down. You must enable the
    physical interface before any traffic can pass through an enabled
    sub-interface. For multiple context mode, if you allocate a physical
    interface or sub-interface to a context, the interface is enabled by
    default in the context. However, before traffic can pass through the
    context interface, you must also enable the interface in the system
    configuration. If you shut down an interface in the system execution
    space, that interface is down in all contexts that share it.

Management Only
    Sets the interface to accept traffic to the security appliance only, and
    not through traffic.

Type
    Type of interface. Valid values are:
    - Interface: settings represent a physical interface.
    - Sub-interface: settings represent a logical interface attached to the
      same network as its underlying physical interface.

Name
    Sets an interface name up to 48 characters in length. The name should be
    a logical name that relates to the interface's use. Supported interface
    names are:
    - Inside: connects to your internal network. Must be the most secure
      interface.
    - DMZ: demilitarized zone attached to an intermediate interface. A DMZ
      is also known as a perimeter network. You can give a DMZ interface any
      name you choose; typically, DMZ interfaces are prefixed with DMZ to
      identify the interface type.
    - Outside: connects to an external network or the Internet. Must be the
      least secure interface.

Hardware Port
    For a physical interface, this value is the name by which sub-interfaces
    associate with the interface. When you add a sub-interface, you can
    choose any enabled physical interface to which you want to add it. If
    you do not see an interface ID, make sure that the interface is enabled.
    Valid values are:
    - Ethernet0 to Ethernetn
    - Gb-ethernetn
    Note: n = number of network interfaces in the device.

Sub-interface ID
    Sets the sub-interface ID as an integer between 1 and 4294967293. The
    number of sub-interfaces allowed depends on your platform. You cannot
    change the ID after you set it.

Media Type
    Specifies the media type for the interface:
    - RJ45
    - SFP


IP Type
    Specifies the address type for the interface.
    - Static IP: assigns a static IP address and mask to the interface.
    - Use DHCP: assigns a dynamic IP address and mask to the interface.
    - PPPoE: provides an authenticated method of assigning an IP address to
      the interface.
    Note: You can configure DHCP and PPPoE only on the outside interface of
    a firewall device.

IP Address
    Specifies the IP address for the interface. For a static IP address,
    select Static IP for the IP type and then enter the IP address and mask
    in the IP Address field. To obtain the IP address from a DHCP server,
    select Use DHCP for the IP type.
    The IP address must be unique for each interface. The IP address is
    blank for interfaces that use dynamic addressing.
    Note: Do not use addresses already used by routers, hosts, or any other
    firewall device commands, such as an IP address in the global pool or a
    static NAT entry.

Subnet Mask
    Network mask for the IP address of the interface. You can express the
    value in dotted decimal format (for example, 255.255.255.0) or by
    entering the number of bits in the network mask (for example, 24).
    Note: Do not use 255.255.255.254 or 255.255.255.255 for an interface
    connected to the network, because this stops traffic on that interface.

DHCP Learned Route Metric
    Available only if Use DHCP is selected for IP Type.

Obtain default route using DHCP
    Available only if Use DHCP is selected for IP Type. If selected, the
    firewall device sets the default route using the default gateway
    parameter the DHCP server returns. Otherwise, you must manually define
    the default route as a static route on the Static Route Page,
    page L-240.


Enable Tracking for DHCP Learned Route
    Available only if Use DHCP is selected for IP Type.

VPDN Group Name
    Available only if PPPoE is selected for IP Type.

PPPoE Learned Route Metric
    Available only if PPPoE is selected for IP Type.

Obtain Default Route using PPPoE
    Available only if PPPoE is selected for IP Type. If selected, the
    firewall device sets the default route using the default gateway
    parameter the PPPoE server returns. Otherwise, you must manually define
    the default route as a static route on the Static Route Page,
    page L-240.

Enable Tracking for PPPoE Learned Route
    Available only if PPPoE is selected for IP Type.

Duplex
    Lists the duplex options for the interface: Full, Half, or Auto,
    depending on the interface type.

Speed
    Lists the speed options for a physical interface; not applicable to
    logical interfaces. The speeds available depend on the interface type:
    - 10
    - 100
    - 1000
    - non-negotiable

MTU
    Sets the number of bytes in the maximum transmission unit (MTU). The
    value depends on the type of network connected to the interface. Valid
    values are 300 to 65535 bytes. The default is 1500 for all types except
    PPPoE, for which the default is 1492. For multiple context mode, set the
    MTU in the context configuration.

VLAN ID
    For a sub-interface, sets the VLAN ID, between 1 and 4094. Some VLAN IDs
    might be reserved on connected switches, so see the switch documentation
    for more information. For multiple context mode, you can set the VLAN
    only in the system configuration.


Security Level
    Sets the security level of the interface. Values are between 0 (lowest)
    and 100 (highest). The security appliance lets traffic flow freely from
    an inside network to an outside network (lower security level). Many
    other security features are affected by the relative security level of
    two interfaces. By convention:
    - The outside interface is 0.
    - The inside interface is 100.
    - DMZ interfaces are between 1 and 99.

Description
    Sets an optional description up to 240 characters on a single line,
    without carriage returns. For multiple context mode, the system
    description is independent of the context description. For a failover
    or state link, the description is fixed as LAN Failover Interface, STATE
    Failover Interface, or LAN/STATE Failover Interface, for example. You
    cannot edit this description. The fixed description overwrites any
    description you enter here if you make this interface a failover or
    state link.

Roles
    Lists the interface roles associated with the interface. Interface roles
    are objects that are replaced with the actual interface IP addresses
    when the configuration is generated for each device. They allow you to
    define generic rules, ones that can apply to multiple interfaces.
    Default options include:
    - All-Interfaces: the interface is a member of the default role assigned
      to all interfaces.
    - Internal: the interface is a member of the default role associated
      with all inside interfaces.
    - External: the interface is a member of the default role associated
      with all outside interfaces.
    For more information on roles and how to define and use them, see
    Understanding Interface Role Objects, page 8-115.

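An added example, not code from Cisco Security Manager, that applies the constraints Table L-16 lists (name length, security level range, the /31 and /32 mask warning, the 1 to 4094 VLAN range, the sub-interface ID range, the 300 to 65535 MTU range with the 1500/1492 defaults, DHCP and PPPoE only on the outside interface, single-line description of at most 240 characters) and then renders the settings as the per-interface commands the dialog box maps to. The Interface dataclass and the function names are my own; the emitted command syntax is ASA/PIX 7.x style as I know it, not output captured from Security Manager, so verify it against your device's command reference before relying on it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import List, Optional


@dataclass
class Interface:
    """One row of the Add/Edit Interface dialog (hypothetical model)."""
    hardware_port: str                  # e.g. "GigabitEthernet0/1"
    name: str                           # the nameif value
    security_level: int
    ip_type: str = "static"             # "static" | "dhcp" | "pppoe"
    ip: Optional[str] = None            # "192.168.1.1/24" when ip_type == "static"
    sub_id: Optional[int] = None        # set for a sub-interface
    vlan: Optional[int] = None          # required for a sub-interface
    mtu: Optional[int] = None           # None = platform default
    management_only: bool = False
    description: str = ""
    enabled: bool = True
    set_default_route: bool = False     # "Obtain default route using DHCP/PPPoE"
    vpdn_group: Optional[str] = None    # required for PPPoE


def validate(i: Interface) -> List[str]:
    """Apply the constraints the dialog box documents; return the problems found."""
    errs = []
    if not 1 <= len(i.name) <= 48:
        errs.append("name must be 1 to 48 characters")
    if not 0 <= i.security_level <= 100:
        errs.append("security level must be 0 to 100")
    if i.sub_id is not None:
        if not 1 <= i.sub_id <= 4294967293:
            errs.append("sub-interface ID must be 1 to 4294967293")
        if i.vlan is None or not 1 <= i.vlan <= 4094:
            errs.append("sub-interface needs a VLAN ID of 1 to 4094")
    if i.ip_type == "static":
        if i.ip is None:
            errs.append("static IP type needs an address and mask")
        elif IPv4Interface(i.ip).network.prefixlen >= 31:
            errs.append("mask 255.255.255.254 or 255.255.255.255 stops traffic on the interface")
    elif i.ip_type in ("dhcp", "pppoe"):
        if i.name.lower() != "outside":
            errs.append("DHCP and PPPoE are supported only on the outside interface")
        if i.ip_type == "pppoe" and not i.vpdn_group:
            errs.append("PPPoE needs a VPDN group name")
    else:
        errs.append("unknown IP type %r" % i.ip_type)
    mtu = i.mtu if i.mtu is not None else (1492 if i.ip_type == "pppoe" else 1500)
    if not 300 <= mtu <= 65535:
        errs.append("MTU must be 300 to 65535 bytes")
    if len(i.description) > 240 or "\n" in i.description:
        errs.append("description must be a single line of at most 240 characters")
    return errs


def to_cli(i: Interface) -> List[str]:
    """Render the settings as ASA 7.x-style interface commands (assumed
    syntax, not Security Manager output). Raises ValueError on invalid input
    so a bad row is never turned into configuration."""
    errs = validate(i)
    if errs:
        raise ValueError("; ".join(errs))
    port = i.hardware_port + ("." + str(i.sub_id) if i.sub_id is not None else "")
    lines = ["interface " + port]
    if i.sub_id is not None:
        lines.append(" vlan %d" % i.vlan)
    lines.append(" nameif " + i.name)
    lines.append(" security-level %d" % i.security_level)
    if i.ip_type == "static":
        addr = IPv4Interface(i.ip)
        lines.append(" ip address %s %s" % (addr.ip, addr.network.netmask))
    elif i.ip_type == "dhcp":
        lines.append(" ip address dhcp" + (" setroute" if i.set_default_route else ""))
    else:
        lines.append(" pppoe client vpdn group " + i.vpdn_group)
        lines.append(" ip address pppoe" + (" setroute" if i.set_default_route else ""))
    if i.management_only:
        lines.append(" management-only")
    if i.description:
        lines.append(" description " + i.description)
    lines.append(" no shutdown" if i.enabled else " shutdown")
    if i.mtu is not None:
        lines.append("mtu %s %d" % (i.name, i.mtu))    # MTU is a global command keyed by nameif
    return lines
```

validate returns every problem at once rather than stopping at the first, which is the behaviour you want when checking a batch of rows before deployment; to_cli refuses to emit anything for a row with problems.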

Field Reference (PIX 6.3)

Table L-17 Add/Edit Interface Dialog Box (PIX 6.3)

Enable Interface
    Enables this interface to pass traffic. In addition to this setting, you
    must specify an IP address and a name before traffic can pass according
    to your security policy. You must enable a physical interface before any
    traffic can pass through any enabled sub-interfaces.

Type
    Type of VLAN interface. Valid values are:
    - Logical: the VLAN is associated with a logical interface.
    - Physical: the VLAN is on the same network as its underlying hardware
      interface.

Name
    Sets an interface name up to 48 characters in length. The name should be
    a logical name that relates to the interface's use. Supported interface
    names are:
    - Inside: connects to your internal network. Must be the most secure
      interface.
    - DMZ: demilitarized zone (intermediate interface). Also known as a
      perimeter network.
    - Outside: connects to an external network or the Internet. Must be the
      least secure interface.


Hardware Port
    When defining a physical network interface, this value is the name that
    identifies the interface type and its slot or port in the device.
    When you add a logical network interface, you can choose any enabled
    physical interface to which you want to add a logical interface. If you
    do not see the desired hardware port, verify that the interface is
    enabled.
    Valid values are:
    - ethernet0 to ethernetn
    - gb-ethernetn
    Note: n = number of the slot in which the network interface is installed
    in the device.

IP Type
    Specifies the address type for the interface.
    - Static IP: assigns a static IP address and mask to the interface.
    - Use DHCP: assigns a dynamic IP address and mask to the interface.
    - Use PPPoE: provides an authenticated method of assigning an IP address
      to the interface.
    Note: You can configure DHCP and PPPoE only on the outside interface of
    a firewall device.


IP Address
    Identifies the IP address of the interface. This field is available if
    Static IP or PPPoE is the IP type. The IP address must be unique for
    each interface. The IP address is blank for interfaces that use dynamic
    addressing.
    Note: Do not use addresses already used by routers, hosts, or any other
    firewall device commands, such as an IP address in the global pool or a
    static NAT entry.
    For a static IP address, select Static IP from the IP Type list and then
    enter the IP address and mask in the IP Address field. To obtain the IP
    address from a DHCP server, select Use DHCP from the IP Type list.

Subnet Mask
    Identifies the network mask for the IP address of the interface. You can
    express the value in dotted decimal format (for example, 255.255.255.0)
    or by entering the number of bits in the network mask (for example, 24).
    Note: Do not use 255.255.255.254 or 255.255.255.255 for an interface
    connected to the network, because those mask values stop traffic on that
    interface.

Obtain Default Route using DHCP
    Available only if Use DHCP is selected for IP Type. If selected, the
    firewall device sets the default route using the default gateway
    parameter the DHCP server returns. Otherwise, you must manually define
    the default route as a static route on the Static Route Page,
    page L-240.

Retry Count
    Identifies the number of DHCP request attempts the device makes before
    an error is returned. Valid values are 4 to 16.

Obtain default route using PPPoE
    Available only if Use PPPoE is selected for IP Type. If selected, the
    PPPoE client on the firewall device queries the concentrator for a
    default route. Otherwise, the firewall device generates a default route
    using the address of the concentrator as the default gateway.


Speed and Duplex
    Lists the speed options for a physical interface; not applicable to
    logical interfaces.
    - auto: set Ethernet speed automatically. The auto keyword can be used
      only with the Intel 10/100 automatic speed sensing network interface
      card.
    - 10baset: 10-Mbps Ethernet half-duplex.
    - 10full: 10-Mbps Ethernet full-duplex.
    - 100basetx: 100-Mbps Ethernet half-duplex.
    - 100full: 100-Mbps Ethernet full-duplex.
    - 1000auto: 1000-Mbps Ethernet, auto-negotiating full- or half-duplex.
      Tip: We recommend that you do not use this option, to maintain
      compatibility with switches and other devices in your network.
    - 1000full: auto-negotiate, advertising 1000-Mbps Ethernet full-duplex.
    - 1000full nonnegotiate: 1000-Mbps Ethernet full-duplex.
    - aui: 10-Mbps Ethernet half-duplex communication with an AUI cable
      interface.
    - bnc: 10-Mbps Ethernet half-duplex communication with a BNC cable
      interface.
    Note: We recommend that you specify the speed of the network interfaces
    in case your network environment includes switches or other devices
    that do not handle autosensing correctly.

MTU
    Sets the number of bytes in the maximum transmission unit (MTU). The
    value depends on the type of network connected to the interface. Valid
    values are 300 to 65535 bytes. The default is 1500 for all types except
    PPPoE, for which the default is 1492.

Physical VLAN ID
    For a physical interface, sets the VLAN ID, between 1 and 4094. This
    VLAN ID must not be in use on connected devices.

Logical VLAN ID
    Identifies the alias, a value between 1 and 4094, of the VLAN associated
    with this logical interface. This value is required if the logical
    interface type is selected.

Security Level
    Sets the security level of the interface. Values are between 0 (lowest)
    and 100 (highest). The security appliance lets traffic flow freely from
    an inside network to an outside network (lower security level). Many
    other security features are affected by the relative security level of
    two interfaces. By convention:
    - The outside interface is 0.
    - The inside interface is 100.
    - DMZ interfaces are between 1 and 99.

Roles
    Lists the interface roles associated with the interface. Interface roles
    are objects that are replaced with the actual interface IP addresses
    when the configuration is generated for each device. They allow you to
    define generic rules, ones that can apply to multiple interfaces.
    Default options include:
    - All-Interfaces: the interface is a member of the default role assigned
      to all interfaces.
    - Internal: the interface is a member of the default role associated
      with all inside interfaces.
    - External: the interface is a member of the default role associated
      with all outside interfaces.
    For more information on roles and how to define and use them, see
    Understanding Interface Role Objects, page 8-115.


Advanced Interface Settings Dialog Box


Navigation Path

You can access the Advanced Interface Settings dialog box from the Interfaces
page or the Interfaces tab on the ASA 5505 Ports and Interfaces page. For more
information about these pages, see Interfaces Page, page L-31 or ASA 5505 Ports
and Interfaces Page, page L-59.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

Interfaces Page, page L-31

FWSM Interfaces Page, page L-50

ASA 5505 Ports and Interfaces Page, page L-59

Add/Edit Interface Dialog Box, page L-34

FWSM Add/Edit Interface Dialog Box, page L-54

Add VPDN Group Dialog Box, page L-47

PPPoE Users Dialog Box, page L-48


Field Reference

Table L-18 Advanced Interface Settings Dialog Box

Traffic between interfaces with same security levels
    Controls communication between interfaces on the same security level.
    If you enable same-security interface communication, you can still
    configure interfaces at different security levels as usual.
    - Disabled: does not allow communication between interfaces on the same
      security level.
    - Inter-interface: enables traffic between different interfaces that
      have the same security level. When this option is enabled, you are
      not required to define translation rules to enable traffic flow
      between those interfaces.
    - Intra-interface: enables traffic to enter and leave through the same
      interface (hairpin traffic), for example between hosts that both
      reach the appliance through one interface, or for VPN traffic that
      terminates on and departs from the same interface. When this option
      is enabled, you are not required to define translation rules for
      that traffic.
    - Both: allows both intra- and inter-interface communication among
      interfaces with the same security level.

PPPoE Users button
    Click to access the PPPoE Users dialog box.

VPDN Groups (PIX and ASA 7.2+)

Group Name
    Displays the group name.

PPPoE Username
    Displays the PPPoE username.

PPP Authentication
    Indicates the PPP authentication method for this VPDN group:
    - PAP
    - CHAP
    - MSCHAP

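The security-level model that Tables L-16 through L-18 describe, as an added example that is not code from Cisco Security Manager or the security appliance: implicit_verdict decides whether a flow between two interfaces is allowed by relative security level alone (higher to lower permitted, lower to higher denied, equal levels and hairpin traffic governed by the same-security setting), same_security_cli shows the global commands the dialog setting corresponds to, and audit_levels flags interfaces that depart from the documented conventions and pairs that share a level. The Ifc dataclass, the mode names and the function names are my own; the command syntax is ASA/PIX 7.x style as I know it, not captured Security Manager output.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ifc:
    name: str
    security_level: int     # 0 (least trusted) to 100 (most trusted)


SAME_SECURITY_MODES = ("disabled", "inter-interface", "intra-interface", "both")


def implicit_verdict(ingress: Ifc, egress: Ifc, same_security: str = "disabled") -> str:
    """Decide whether a flow is allowed by the security-level model alone,
    before any access rule is considered. Returns "permit" or "deny: <reason>".
    An access rule applied to the ingress interface replaces the implicit
    high-to-low permit; lower-to-higher traffic always needs such a rule."""
    if same_security not in SAME_SECURITY_MODES:
        raise ValueError("unknown same-security mode %r" % same_security)
    if ingress == egress:
        # hairpin: traffic enters and leaves through the same interface
        if same_security in ("intra-interface", "both"):
            return "permit"
        return "deny: intra-interface traffic is not enabled"
    if ingress.security_level > egress.security_level:
        return "permit"
    if ingress.security_level < egress.security_level:
        return "deny: lower to higher security level needs an access rule"
    if same_security in ("inter-interface", "both"):
        return "permit"
    return "deny: traffic between interfaces at the same security level is not enabled"


def same_security_cli(same_security: str) -> List[str]:
    """The global commands the dialog setting maps to (ASA/PIX 7.x syntax as
    assumed here); "disabled" emits nothing because the default is to deny."""
    cmds = []
    if same_security in ("inter-interface", "both"):
        cmds.append("same-security-traffic permit inter-interface")
    if same_security in ("intra-interface", "both"):
        cmds.append("same-security-traffic permit intra-interface")
    return cmds


def audit_levels(ifcs: List[Ifc]) -> List[str]:
    """Flag interfaces that depart from the documented conventions (outside 0,
    inside 100, everything else 1 to 99) and report interfaces that share a
    level, since those only exchange traffic if the same-security setting
    allows it."""
    findings = []
    for i in ifcs:
        n = i.name.lower()
        if n == "outside" and i.security_level != 0:
            findings.append("%s: outside is conventionally level 0" % i.name)
        elif n == "inside" and i.security_level != 100:
            findings.append("%s: inside is conventionally level 100" % i.name)
        elif n not in ("outside", "inside") and not 1 <= i.security_level <= 99:
            findings.append("%s: DMZ-style interfaces are conventionally 1 to 99" % i.name)
    by_level = {}
    for i in ifcs:
        by_level.setdefault(i.security_level, []).append(i.name)
    for level, names in sorted(by_level.items()):
        if len(names) > 1:
            findings.append("level %d shared by %s" % (level, ", ".join(sorted(names))))
    return findings
```

The audit is worth running before enabling inter-interface traffic: once that option is on, every pair of interfaces that happens to share a level (for example a guest network accidentally left at 0 beside the outside interface) starts passing traffic without an access rule.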

Add VPDN Group Dialog Box


Navigation Path

You can access the Add VPDN Group dialog box from the Advanced Interface
Settings dialog box. For more information about the Advanced Interface Settings
dialog box, see Advanced Interface Settings Dialog Box, page L-45.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

Interfaces Page, page L-31

FWSM Interfaces Page, page L-50

ASA 5505 Ports and Interfaces Page, page L-59

Add/Edit Interface Dialog Box, page L-34

FWSM Add/Edit Interface Dialog Box, page L-54

Advanced Interface Settings Dialog Box, page L-45

PPPoE Users Dialog Box, page L-48

Field Reference

Table L-19 Add VPDN Group Dialog Box

Group Name
    Enter the group name.

PPPoE Username
    Select the PPPoE username.

PPP Authentication
    Select the PPP authentication method:
    - PAP
    - CHAP
    - MSCHAP


PPPoE Users Dialog Box


Navigation Path

You can access the PPPoE Users dialog box from the Advanced Interface Settings
dialog box and from the Add VPDN Group dialog box. For more information
about the Advanced Interface Settings dialog box, see Advanced Interface
Settings Dialog Box, page L-45. For more information about the Add VPDN
Group dialog box, see Add VPDN Group Dialog Box, page L-47.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

Interfaces Page, page L-31

FWSM Interfaces Page, page L-50

ASA 5505 Ports and Interfaces Page, page L-59

Add/Edit Interface Dialog Box, page L-34

FWSM Add/Edit Interface Dialog Box, page L-54

Advanced Interface Settings Dialog Box, page L-45

Add VPDN Group Dialog Box, page L-47

Add PPPoE User Dialog Box, page L-49

Field Reference

Table L-20 PPPoE Users Dialog Box

PPPoE Users (PIX and ASA 7.2+)

Username
    Displays the PPPoE username.

Store in Local Flash
    Indicates whether this PPPoE user account is stored in local flash (True
    or False).


Add PPPoE User Dialog Box


Navigation Path

You can access the Add PPPoE User dialog box from the PPPoE Users dialog box.
For more information about the PPPoE Users dialog box, see PPPoE Users Dialog
Box, page L-48.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

Interfaces Page, page L-31

FWSM Interfaces Page, page L-50

ASA 5505 Ports and Interfaces Page, page L-59

Add/Edit Interface Dialog Box, page L-34

FWSM Add/Edit Interface Dialog Box, page L-54

Advanced Interface Settings Dialog Box, page L-45

Add VPND Group Dialog Box, page L-47

PPPoE Users Dialog Box, page L-48

Field Reference
Table L-21

Add PPPoE User Dialog Box

Element

Description

Username

Enter the username.

Password

Enter the password.

Confirm

Reenter the password.

Store Username and Password in Local Flash

Select this checkbox to store the PPPoE user information in flash.


FWSM Interfaces Page


The FWSM Interfaces page displays configured interfaces and sub-interfaces.
You can add or delete interfaces and sub-interfaces, and also enable
communication between interfaces on the same security level. Each firewall
device must be configured, and each active interface must be enabled. Inactive
interfaces can be disabled. When disabled, the interface does not transmit or
receive data, but the configuration information is retained.
Transparent firewall mode allows only two interfaces to pass through traffic;
however, if your platform includes a dedicated management interface, you can use
it (either the physical interface or a sub-interface) as a third interface for
management traffic.
If you bootstrapped a new firewall device, the setup feature configures only the
addresses and names associated with the inside interface. You must define the
remaining interfaces on that device before you can specify access and translation
rules for traffic traversing that firewall device.
The Interfaces page settings vary based on the device type and version, the
operational mode (routed vs. transparent), and whether the device hosts a single
or multiple contexts. As such, the fields in the following table might not apply
depending on the device you are defining.
Navigation Path

To access this feature, select a firewall device in Device View and then select
Interfaces from the Device Policy selector.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

FWSM Add/Edit Interface Dialog Box, page L-54

Add/Edit Bridge Group Dialog Box, page L-57

Advanced Interface Settings Dialog Box, page L-45


Field Reference
Table L-22

FWSM Interfaces Page

Element

Description

Interfaces Tab

Interface Type

Displays the interface type. This value is derived from the hardware
ID setting of the selected interface. Valid options are:

- ethernet
- gigabitethernet
- gb-ethernet

Interface Name

Displays the interface ID. All physical interfaces are listed
automatically. For ASA/PIX 7.0 devices, sub-interfaces are
indicated by the interface ID followed by .n, where n is the
sub-interface number.

IP Address

Displays the IP address, or in transparent mode, the word native.
Transparent mode interfaces do not use IP addresses.

IP Address Type

Specifies the method by which the IP address is provided. Valid
options are:

- static - Identifies that the IP address is manually defined.
- dhcp - Identifies that the IP address is obtained via a DHCP lease.
- pppoe - Identifies that the IP address is obtained using PPPoE.


Interface Role

Lists the interface roles associated with the interface. Interface roles
are objects that are replaced with the actual interface IP addresses
when the configuration is generated for each device. They allow you
to define generic rules, ones that can apply to multiple interfaces.
Valid options include:

- All-Interfaces - Indicates the interface is a member of the default
  role assigned to all interfaces.
- Internal - Indicates this interface is a member of the default role
  associated with all inside interfaces.
- External - Indicates this interface is a member of the default role
  associated with all outside interfaces.

For more information on roles and how to define and use them, see
Understanding Interface Role Objects, page 8-115.

Hardware ID

Identifies the type of interface installed in the device, as well as the
port or slot where the interface is installed.
For sub-interfaces, this value identifies the physical interface with
which the sub-interface is associated.

Vlan ID

For a sub-interface, sets the VLAN ID, between 1 and 4094. Some
VLAN IDs might be reserved on connected switches, so check the
switch documentation for more information. For multiple context
mode, you can only set the VLAN in the system configuration.
If this value is not specified, the column displays native.

Enabled

Indicates if the interface is enabled, true or false.
By default, all physical interfaces are shut down. You must enable
the physical interface before any traffic can pass through an enabled
sub-interface. For multiple context mode, if you allocate a physical
interface or sub-interface to a context, the interfaces are enabled by
default in the context. However, before traffic can pass through the
context interface, you must also enable the interface in the system
configuration. If you shut down an interface in the system execution
space, that interface is down in all contexts that share it.

Security Level

Displays the interface security level between 0 and 100.


Management Only

Indicates if the interface allows traffic to the security appliance or
for management purposes only.

MTU

Displays the MTU. By default, the MTU is 1500.

Description

Displays a description of the interface. In the case of a failover or
state link, the description is fixed as LAN Failover Interface,
STATE Failover Interface, or LAN/STATE Failover Interface,
for example. You cannot edit this description.

ASR Group

Displays the ASR group number if this interface is part of an
asymmetric routing group. Stateful failover must be enabled for
asymmetric routing support to function properly between units in
failover configurations. Valid values for ASR group range from 1
to 32.

Bridge Groups Tab

Bridge Group

Shows the name of the bridge group.

ID

Displays the bridge group ID.

Interface A

Identifies the first interface that is part of this bridge group.

Interface B

Identifies the second interface that is part of this bridge group.

IP

Displays the management IP address for the bridge group. A
transparent firewall does not participate in IP routing. The only IP
configuration required for the security appliance is to set the
management IP address for each bridge group. This address is
required because the security appliance uses this address as the
source address for traffic originating on the security appliance, such
as system messages or communications with AAA servers. You can
also use this address for remote management access.

Netmask

Displays the netmask for the management IP address of this bridge
group.

Description

Displays the description of this bridge group if one was specified.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.


FWSM Add/Edit Interface Dialog Box


Use the Add/Edit Interface dialog box to add or edit an interface or sub-interface.
In multiple context mode, you can only add interfaces in the system configuration.
See Configuring Security Contexts on Firewall Devices, page 15-105, to
assign interfaces to contexts.
If you intend to use a physical interface for failover, do not configure the interface
in this dialog box; instead, use the Failover page. In particular, do not set the
interface name, as this parameter disqualifies the interface from being used as the
failover link; other parameters are ignored.
After you assign the interface as the failover link or state link, you cannot edit or
delete the interface from the Interfaces page. The only exception is if you set a
physical interface to be the state link; in that case, you can configure the speed and
duplex.
The options appearing in the Add/Edit Interface dialog box vary based on the
selected device type, the mode of the device (routed or transparent), and the type
of interface you are defining, such as a physical, virtual, logical, or sub-interface.
Navigation Path

You can access the FWSM Add/Edit Interface dialog box from the FWSM
Interfaces page. For more information about the Interfaces page, see FWSM
Interfaces Page, page L-50.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

FWSM Interfaces Page, page L-50

Add/Edit Bridge Group Dialog Box, page L-57

Advanced Interface Settings Dialog Box, page L-45


Field Reference
Table L-23

FWSM Add/Edit Interface Dialog Box

Element

Description

Enable Interface

Enables this interface to pass traffic. You must also set an IP address
(for routed mode) and a name before traffic can pass according to
your security policy.
By default, all physical interfaces are shut down. You must enable
the physical interface before any traffic can pass through an enabled
subinterface. For multiple context mode, if you allocate a physical
interface or subinterface to a context, the interfaces are enabled by
default in the context. However, before traffic can pass through the
context interface, you must also enable the interface in the system
configuration. If you shut down an interface in the system execution
space, that interface is down in all contexts that share it.

Management Only

Sets the interface to accept traffic to the security appliance only, and
not through traffic.

Name

Sets an interface name up to 48 characters in length. The name
should be a logical name of the interface that relates to its use.
Supported interface names are:

- Inside - Connects to your internal network. Must be the most
  secure interface.
- DMZ - Demilitarized zone attached to an intermediate interface.
  DMZ is also known as a perimeter network. You can name a DMZ
  interface any name you choose. Typically, DMZ interfaces are
  prefixed with DMZ to identify the interface type.
- Outside - Connects to an external network or the Internet. Must
  be the least secure interface.


IP Address

Specifies the IP address for the device. For a static IP address, select
the Use Static IP option and then enter the IP address and mask in
the IP Address field. To obtain the IP address from a DHCP server,
select the Obtain Address via DHCP option.

- IP address must be unique for each interface.
- The IP address is blank for interfaces that use dynamic addressing.

Note

Do not use addresses being used for routers, hosts, or any
other firewall device commands, such as an IP address in the
global pool or a static NAT entry.

Subnet Mask

Network mask for IP address of interface. You can express the value
in dotted decimal format (for example, 255.255.255.0) or by
entering the number of bits in the network mask (for example, 24).

Note

Do not use 255.255.255.254 or 255.255.255.255 for an
interface connected to the network because this will stop
traffic on that interface.

MTU

Sets the number of bytes in the maximum transmission unit (MTU).
The value depends on the type of network connected to the
interface. Valid values are 64-65535 bytes. Default is 1500 for all
types except PPPoE, for which the default is 1492. For multiple
context mode, set the MTU in the context configuration.

VLAN ID

For a subinterface, sets the VLAN ID between 1 and 4096. Some
VLAN IDs might be reserved on connected switches, so see the
switch documentation for more information. For multiple context
mode, you can only set the VLAN in the system configuration.


Security Level

Sets the security level of the interface. Values are between 0 (lowest)
and 100 (highest). The security appliance lets traffic flow freely
from an inside network to an outside network (lower security level).
Many other security features are affected by the relative security
level of two interfaces.

- Outside interface is always 0.
- Inside interface is always 100.
- DMZ interfaces are between 1 and 99.

Roles

Lists the interface roles associated with the interface. Interface roles
are objects that are replaced with the actual interface IP addresses
when the configuration is generated for each device. They allow you
to define generic rules, ones that can apply to multiple interfaces.
Default options include:

- All-Interfaces - Indicates the interface is a member of the default
  role assigned to all interfaces.
- Internal - Indicates this interface is a member of the default role
  associated with all inside interfaces.
- External - Indicates this interface is a member of the default role
  associated with all outside interfaces.

For more information on roles and how to define and use them, see
Understanding Interface Role Objects, page 8-115.

ASR Group

To add this interface to an asymmetric routing group, enter the ASR
group number in this field. Stateful failover must be enabled for
asymmetric routing support to function properly between units in
failover configurations. Valid values for ASR group range from 1
to 32.
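
As an added example (not from the Cisco guide or from Security Manager), the following Python script encodes the field constraints from Tables L-22 and L-23 so that an interface definition can be checked before it is submitted; the field and function names are my own, the VLAN range follows Table L-22, and the sample interfaces are constructed.

```python
"""Pre-deployment check of FWSM/ASA interface settings against the constraints
Tables L-22 and L-23 describe. Added example, not part of the Cisco guide or of
Security Manager; field and function names are mine, and the VLAN range 1-4094
follows Table L-22.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

VLAN_MIN, VLAN_MAX = 1, 4094     # Table L-22
MTU_MIN, MTU_MAX = 64, 65535     # Table L-23
ASR_MIN, ASR_MAX = 1, 32         # ASR group range


@dataclass
class Interface:
    name: str                           # up to 48 characters
    security_level: int                 # 0 (lowest) to 100 (highest)
    ip_address: Optional[str] = None    # blank for DHCP/PPPoE interfaces
    subnet_mask: Optional[str] = None   # "255.255.255.0" or "24"
    address_type: str = "static"        # static | dhcp | pppoe
    mtu: Optional[int] = None           # None means the platform default
    vlan_id: Optional[int] = None       # sub-interfaces only
    asr_group: Optional[int] = None


def parse_mask(mask: str) -> int:
    """Accept dotted decimal or a bit count; return the prefix length."""
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return bits
    # ipaddress rejects non-contiguous masks such as 255.0.255.0
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def default_mtu(address_type: str) -> int:
    """1500 for all address types except PPPoE, which defaults to 1492."""
    return 1492 if address_type == "pppoe" else 1500


def lint_interface(iface: Interface) -> List[str]:
    """Return the problems found in one interface (empty when it is clean)."""
    problems = []
    if not iface.name or len(iface.name) > 48:
        problems.append("name must be 1-48 characters")
    if not 0 <= iface.security_level <= 100:
        problems.append("security level must be between 0 and 100")
    lname = iface.name.lower()
    if lname == "outside" and iface.security_level != 0:
        problems.append("outside interface is expected at security level 0")
    if lname == "inside" and iface.security_level != 100:
        problems.append("inside interface is expected at security level 100")
    if lname.startswith("dmz") and not 1 <= iface.security_level <= 99:
        problems.append("DMZ interfaces are expected between 1 and 99")
    if iface.address_type == "static":
        if iface.ip_address is None or iface.subnet_mask is None:
            problems.append("static addressing needs both an IP address and a mask")
        else:
            try:
                ipaddress.IPv4Address(iface.ip_address)
                # 255.255.255.254 and 255.255.255.255 stop traffic on the interface
                if parse_mask(iface.subnet_mask) >= 31:
                    problems.append("mask 255.255.255.254/255 stops traffic on the interface")
            except ValueError as exc:
                problems.append(f"bad address or mask: {exc}")
    elif iface.ip_address is not None:
        problems.append("IP address must be blank for DHCP/PPPoE interfaces")
    mtu = iface.mtu if iface.mtu is not None else default_mtu(iface.address_type)
    if not MTU_MIN <= mtu <= MTU_MAX:
        problems.append(f"MTU {mtu} is outside {MTU_MIN}-{MTU_MAX}")
    if iface.vlan_id is not None and not VLAN_MIN <= iface.vlan_id <= VLAN_MAX:
        problems.append(f"VLAN ID {iface.vlan_id} is outside {VLAN_MIN}-{VLAN_MAX}")
    if iface.asr_group is not None and not ASR_MIN <= iface.asr_group <= ASR_MAX:
        problems.append(f"ASR group {iface.asr_group} is outside {ASR_MIN}-{ASR_MAX}")
    return problems


def lint_device(interfaces: List[Interface]) -> Dict[str, List[str]]:
    """Per-interface problems plus the cross-interface rule: IP addresses are unique."""
    report = {i.name: lint_interface(i) for i in interfaces}
    owner: Dict[str, str] = {}
    for i in interfaces:
        if i.ip_address is None:
            continue
        if i.ip_address in owner:
            report[i.name].append(f"IP address {i.ip_address} is already used by {owner[i.ip_address]}")
        else:
            owner[i.ip_address] = i.name
    return report

SAMPLE = [  # constructed sample: one clean interface and three with deliberate mistakes
    Interface("inside", 100, "10.1.1.1", "255.255.255.0"),
    Interface("outside", 0, "203.0.113.2", "255.255.255.255"),   # host mask stops traffic
    Interface("dmz1", 50, "10.1.1.1", "24", vlan_id=4095),        # duplicate IP, bad VLAN ID
    Interface("backhaul", 0, "192.0.2.1", address_type="pppoe"),  # IP set on a PPPoE interface
]
```

Run `lint_device(SAMPLE)` to get a per-interface list of problems; an empty list means the interface satisfies every constraint the tables state.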

Add/Edit Bridge Group Dialog Box


Use the Add/Edit Bridge Group dialog box to add or edit bridge groups for an
FWSM operating in transparent mode.


A transparent firewall connects the same network on its inside and outside
interfaces. Each pair of interfaces belongs to a bridge group, to which you must
assign a management IP address. You can configure up to eight bridge groups of
two interfaces each. Each bridge group connects to a separate network. Bridge
group traffic is isolated from other bridge groups; traffic is not routed to another
bridge group within the security appliance, and traffic must exit the security
appliance before it is routed by an external router back to another bridge group in
the security appliance.
You might want to use more than one bridge group if you do not want the overhead
of security contexts, or want to maximize your use of security contexts. Although
the bridging functions are separate for each bridge group, many other functions
are shared between all bridge groups. For example, all bridge groups share a
syslog server or AAA server configuration. For complete security policy
separation, use security contexts with one bridge group in each context.
Navigation Path

You can access the Add/Edit Bridge Group dialog box from the FWSM Interfaces
page. For more information about the Interfaces page, see FWSM Interfaces Page,
page L-50.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

FWSM Interfaces Page, page L-50

FWSM Add/Edit Interface Dialog Box, page L-54

Advanced Interface Settings Dialog Box, page L-45

Field Reference
Table L-24

Add/Edit Bridge Group Dialog Box

Element

Description

Name

Enter a name for this bridge group.

ID

Enter the bridge group ID as an integer between 1 and 100.

Interface A

Select the first interface that is part of this bridge group.

Interface B

Select the second interface that is part of this bridge group.


IP Address

Enter the management IP address for the bridge group. A
transparent firewall does not participate in IP routing. The only IP
configuration required for the security appliance is to set the
management IP address for each bridge group. This address is
required because the security appliance uses this address as the
source address for traffic originating on the security appliance, such
as system messages or communications with AAA servers. You can
also use this address for remote management access.

Netmask

Network mask for IP address of bridge group. You can express the
value in dotted decimal format (for example, 255.255.255.0) or by
entering the number of bits in the network mask (for example, 24).

Note

Do not use 255.255.255.254 or 255.255.255.255 for an
interface connected to the network because this will stop
traffic on that interface.

Description

You can enter an optional description for this bridge group.

ASA 5505 Ports and Interfaces Page


The ASA 5505 adaptive security appliance supports a built-in switch. There are
two kinds of ports and interfaces that you need to configure:

- Physical switch ports - The adaptive security appliance has eight Fast
  Ethernet switch ports that forward traffic at Layer 2, using the switching
  function in hardware. Two of these ports are PoE ports. You can connect these
  interfaces directly to user equipment such as PCs, IP phones, or a DSL
  modem. Or you can connect to another switch.
- Logical VLAN interfaces - In routed mode, these interfaces forward traffic
  between VLAN networks at Layer 3, using the configured security policy to
  apply firewall and VPN services. In transparent mode, these interfaces
  forward traffic between the VLANs on the same network at Layer 2, using the
  configured security policy to apply firewall services.

To segregate the switch ports into separate VLANs, you assign each switch port
to a VLAN interface. Switch ports on the same VLAN can communicate with each
other using hardware switching. But when a switch port on VLAN 1 wants to
communicate with a switch port on VLAN 2, then the adaptive security appliance
applies the security policy to the traffic and routes or bridges between the two
VLANs.

Note

Subinterfaces are not available for the ASA 5505 adaptive security appliance.
Navigation Path

To access this feature, select an ASA 5505 in Device View and then select
Interfaces from the Device Policy selector.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

Configure Hardware Ports Dialog Box, page L-63

Add/Edit Interface Dialog Box (PIX 7.0/ASA), page L-35

Advanced Interface Settings Dialog Box, page L-45

Add VPND Group Dialog Box, page L-47

PPPoE Users Dialog Box, page L-48

Field Reference
Table L-25

ASA 5505 Ports and Interfaces Page

Element

Description

Hardware Ports Tab

Hardware Port

Identifies the switch port.

Enabled

Indicates whether this switch port is enabled or not (Yes or No).

Associated VLANs

Shows the VLAN or VLANs that are associated with this port.

Associated Interface Names

Shows the interface name of the VLAN(s) that are associated with
this port.


Mode

Shows the mode for this port:

- Access Port - Port is in access mode.
- Trunk Port - Port is in trunk mode. Trunk mode is available
  only with the Security Plus license. Trunk ports do not support
  untagged packets; there is no native VLAN support, and the
  adaptive security appliance drops all packets that do not contain
  a tag specified in this command.

Protected

Identifies whether the port is isolated or not (Yes or No). This option
prevents the switch port from communicating with other protected
switch ports on the same VLAN. You might want to prevent switch
ports from communicating with each other if the devices on those
switch ports are primarily accessed from other VLANs, you do not
need to allow intra-VLAN access, and you want to isolate the
devices from each other in case of infection or other security breach.
For example, if you have a DMZ that hosts three web servers, you
can isolate the web servers from each other if you apply the
Protected option to each switch port. The inside and outside
networks can both communicate with all three web servers, and vice
versa, but the web servers cannot communicate with each other.

Interfaces Tab

Name

Displays the interface ID. All physical interfaces are listed
automatically. For ASA/PIX 7.0 devices, sub-interfaces are
indicated by the interface ID followed by .n, where n is the
sub-interface number.

IP Address Type

Specifies the method by which the IP address is provided. Valid
options are:

- static - Identifies that the IP address is manually defined.
- dhcp - Identifies that the IP address is obtained via a DHCP lease.
- pppoe - Identifies that the IP address is obtained using PPPoE.

IP Address

Displays the IP address, or in transparent mode, the word native.
Transparent mode interfaces do not use IP addresses.


Block Traffic To

Displays the interface to which traffic is blocked.

Backup Interface

Displays the interface that acts as backup for this interface.

Interface Role

Lists the interface roles associated with the interface. Interface roles
are objects that are replaced with the actual interface IP addresses
when the configuration is generated for each device. They allow you
to define generic rules, ones that can apply to multiple interfaces.
Valid options include:

- All-Interfaces - Indicates the interface is a member of the default
  role assigned to all interfaces.
- Internal - Indicates this interface is a member of the default role
  associated with all inside interfaces.
- External - Indicates this interface is a member of the default role
  associated with all outside interfaces.

For more information on roles and how to define and use them, see
Understanding Interface Role Objects, page 8-115.

Enabled

Indicates if the interface is enabled (Yes or No).

Vlan ID

Identifies the VLAN ID for this interface.

Security Level

Displays the interface security level between 0 and 100.

Management Only

Indicates if the interface allows traffic to the security appliance or
for management purposes only.

MTU

Displays the MTU. By default, the MTU is 1500.

Description

Displays a description of the interface.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.


Configure Hardware Ports Dialog Box


Use the Configure Hardware Ports dialog box to configure the switch ports on an
ASA 5505, including setting the mode, assigning a switch port to a VLAN, and
setting the Protected option.

Caution

The ASA 5505 adaptive security appliance does not support Spanning Tree
Protocol for loop detection in the network. Therefore, you must ensure that any
connection with the adaptive security appliance does not end up in a network loop.
Navigation Path

You can access the Configure Hardware Ports dialog box for an ASA 5505 from
the Hardware Ports tab of the ASA 5505 Ports and Interfaces page. For more
information about the ASA 5505 Ports and Interfaces page, see ASA 5505 Ports
and Interfaces Page, page L-59.
Related Topics

Configuring Firewall Device Interfaces, page 15-3

ASA 5505 Ports and Interfaces Page, page L-59

Add/Edit Interface Dialog Box (PIX 7.0/ASA), page L-35

Advanced Interface Settings Dialog Box, page L-45

Add VPND Group Dialog Box, page L-47

PPPoE Users Dialog Box, page L-48


Field Reference
Table L-26

Configure Hardware Ports Dialog Box

Element

Description

Enable Hardware Port

Select to enable this switch port.

Isolated

Select this option to prevent the switch port from communicating
with other protected switch ports on the same VLAN. You might
want to prevent switch ports from communicating with each other if
the devices on those switch ports are primarily accessed from other
VLANs, you do not need to allow intra-VLAN access, and you want
to isolate the devices from each other in case of infection or other
security breach. For example, if you have a DMZ that hosts three
web servers, you can isolate the web servers from each other if you
apply the Protected option to each switch port. The inside and
outside networks can both communicate with all three web servers,
and vice versa, but the web servers cannot communicate with each
other.

Hardware Port

Select the switch port that you are configuring.

Mode

Select the mode for this port:

- Access Port - Sets the mode to access mode.
- Trunk Port - Sets the mode to trunk mode using 802.1Q
  tagging. Trunk mode is available only with the Security Plus
  license. Trunk ports do not support untagged packets; there is
  no native VLAN support, and the adaptive security appliance
  drops all packets that do not contain a tag specified in this
  command.

VLAN ID

Enter the VLAN ID(s) according to the mode you selected:

- Access Port mode - Enter the VLAN ID to which you want to
  assign this switch port.
- Trunk Port mode - Enter the VLAN IDs to which you want to
  assign this switch port, separated by commas.


Duplex

Lists the duplex options for the port, including Full, Half, or Auto.
The Auto setting is the default.
If you set the duplex to anything other than Auto on PoE ports
Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access
points that do not support IEEE 802.3af will not be detected and
supplied with power.

Speed

Select the speed for the port:

- auto (default)
- 10
- 100

If you set the speed to anything other than Auto on PoE ports
Ethernet 0/6 or 0/7, then Cisco IP phones and Cisco wireless access
points that do not support IEEE 802.3af will not be detected and
supplied with power.
The default Auto setting also includes the Auto-MDI/MDIX
feature. Auto-MDI/MDIX eliminates the need for crossover cabling
by performing an internal crossover when a straight cable is
detected during the auto-negotiation phase. Either the speed or
duplex must be set to Auto to enable Auto-MDI/MDIX for the
interface. If you explicitly set both the speed and duplex to a fixed
value, thus disabling auto-negotiation for both settings, then
Auto-MDI/MDIX is also disabled.
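
The switching and policy rules stated for the ASA 5505 above (hardware switching within a VLAN, Protected ports, trunk tagging, the Security Plus license requirement for trunk mode, and the security-level default between VLAN interfaces) can be checked as a small model; the Python below is an added example, not Cisco code, and its class names, its representation of Block Traffic To as a VLAN number, and the sample port layout are my own assumptions.

```python
"""Model of how an ASA 5505 handles a frame between two switch ports, following
the rules stated for the Ports and Interfaces page and the Configure Hardware
Ports dialog box (Tables L-25 and L-26). Added example, not Cisco code: class
names are mine and the security-level verdicts are the general behaviour the
Security Level field describes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class SwitchPort:
    name: str                   # e.g. "Ethernet0/1"
    vlans: FrozenSet[int]       # access port: one VLAN; trunk port: the listed VLANs
    trunk: bool = False
    enabled: bool = True
    protected: bool = False     # the Protected (Isolated) option


@dataclass
class VlanInterface:
    vlan_id: int
    name: str                   # inside, outside, dmz...
    security_level: int         # 0 (lowest) to 100 (highest)
    enabled: bool = True
    block_traffic_to: Optional[int] = None   # VLAN named in "Block Traffic To"


class Asa5505:
    def __init__(self, ports, vlan_ifaces, transparent=False, security_plus=False):
        self.ports: Dict[str, SwitchPort] = {p.name: p for p in ports}
        self.vlan_ifaces: Dict[int, VlanInterface] = {v.vlan_id: v for v in vlan_ifaces}
        self.transparent = transparent        # transparent mode bridges, routed mode routes
        self.security_plus = security_plus    # trunk mode needs the Security Plus license

    def ingress_vlan(self, port: SwitchPort, tag: Optional[int]) -> Optional[int]:
        """VLAN a frame enters on, or None if the port drops it: access ports take
        untagged frames only; trunk ports have no native VLAN and need a listed tag."""
        if not port.enabled:
            return None
        if port.trunk:
            return tag if tag in port.vlans else None
        return next(iter(port.vlans)) if tag is None else None

    def forward(self, src: str, dst: str, tag: Optional[int] = None,
                dst_vlan: Optional[int] = None) -> str:
        """What happens to a frame from port src towards port dst (dst_vlan picks the
        target VLAN when dst is a trunk)."""
        sp, dp = self.ports[src], self.ports[dst]
        if (sp.trunk or dp.trunk) and not self.security_plus:
            return "drop: trunk mode requires the Security Plus license"
        vlan = self.ingress_vlan(sp, tag)
        if vlan is None:
            return f"drop: {src} does not accept this frame"
        if not dp.enabled:
            return f"drop: {dst} is disabled"
        if vlan in dp.vlans:
            # Same VLAN: switched in hardware, the security policy is never consulted.
            if sp.protected and dp.protected:
                return f"drop: {src} and {dst} are both Protected on VLAN {vlan}"
            return f"switch: VLAN {vlan} in hardware, no security policy applied"
        # Different VLAN: the frame goes up to the VLAN interface and through the policy.
        if dst_vlan is None:
            if dp.trunk:
                raise ValueError("destination is a trunk port; pass dst_vlan")
            dst_vlan = next(iter(dp.vlans))
        if dst_vlan not in dp.vlans:
            return f"drop: {dst} does not carry VLAN {dst_vlan}"
        src_if, dst_if = self.vlan_ifaces.get(vlan), self.vlan_ifaces.get(dst_vlan)
        if src_if is None or dst_if is None or not (src_if.enabled and dst_if.enabled):
            return "drop: VLAN interface missing or not enabled"
        if src_if.block_traffic_to == dst_vlan:
            return f"drop: {src_if.name} blocks traffic to VLAN {dst_vlan}"
        action = "bridge (Layer 2)" if self.transparent else "route (Layer 3)"
        if src_if.security_level > dst_if.security_level:
            verdict = "permitted by default (higher to lower security level)"
        elif src_if.security_level < dst_if.security_level:
            verdict = "not permitted without an access rule (lower to higher)"
        else:
            verdict = "not permitted unless same-security-level traffic is enabled"
        return f"{action} {src_if.name} -> {dst_if.name}: {verdict}"


# Constructed sample: two Protected DMZ web servers, an inside host, the uplink, one trunk.
SAMPLE = Asa5505(
    ports=[SwitchPort("Ethernet0/0", frozenset({2})),
           SwitchPort("Ethernet0/1", frozenset({1})),
           SwitchPort("Ethernet0/2", frozenset({3}), protected=True),
           SwitchPort("Ethernet0/3", frozenset({3}), protected=True),
           SwitchPort("Ethernet0/4", frozenset({1, 3}), trunk=True)],
    vlan_ifaces=[VlanInterface(1, "inside", 100), VlanInterface(2, "outside", 0),
                 VlanInterface(3, "dmz", 50)],
    security_plus=True)

if __name__ == "__main__":
    for a, b, tag in [("Ethernet0/2", "Ethernet0/3", None), ("Ethernet0/1", "Ethernet0/2", None),
                      ("Ethernet0/0", "Ethernet0/1", None), ("Ethernet0/4", "Ethernet0/1", 3)]:
        print(f"{a} -> {b} (tag {tag}): {SAMPLE.forward(a, b, tag)}")
```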

Bridging
This section discusses the following pages:

ARP Table Page, page L-66

ARP Inspection Page, page L-69

MAC Address Table Page, page L-71

MAC Learning Page, page L-73

Management IP Page, page L-75

ARP Table Page


Use the ARP Table page to add static ARP entries that map a MAC address to an
IP address and identify the interface through which the host is reached.
Navigation Path

(Device view) Select Platform > Bridging > ARP Table from the Device
Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP Table
from the Policy Type selector. Right-click ARP Table to create a policy, or
select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit ARP Table Entry Dialog Box, page L-68

Bridging, page L-65

ARP Inspection Page, page L-69

MAC Address Table Page, page L-71

MAC Learning Page, page L-73

Management IP Page, page L-75


Field Reference
Table L-27

ARP Table Page

Element

Description

Timeout (seconds)

The amount of time, between 60 and 4294967 seconds, before the
security appliance rebuilds the ARP table. The default is 14400
seconds.
Rebuilding the ARP table automatically updates new host
information and removes old host information. You might want to
reduce the timeout if the host information changes frequently.

Note

The timeout applies to the dynamic ARP table, and not the
static entries contained in the ARP table.

ARP Table

Interface

The interface to which the host is attached.

IP Address

The IP address of the host.

MAC Address

The MAC address of the host.

Alias Enabled

Indicates whether the security appliance performs proxy ARP for
this mapping. If this setting is enabled and the security appliance
receives an ARP request for the specified IP address, it responds
with the security appliance MAC address. When the security
appliance receives traffic destined for the host belonging to the IP
address, the security appliance forwards the traffic to the host MAC
address that you specify in this command. This feature is useful if
you have devices that do not perform ARP, for example.

Note

In transparent firewall mode, this setting is ignored and the
security appliance does not perform proxy ARP.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.


Add/Edit ARP Table Entry Dialog Box


Use the Add/Edit ARP Table Entry dialog box to add a static ARP entry that maps
a MAC address to an IP address and identifies the interface through which the host
is reached.
Navigation Path

You can access the Add/Edit ARP Table Entry dialog box from the ARP Table
page. For more information about the ARP Table page, see ARP Table Page,
page L-66.
Related Topics

Bridging, page L-65

ARP Table Page, page L-66

Field Reference
Table L-28

Add/Edit ARP Table Entry Dialog Box

Element

Description

Interface

The name of the interface to which the host network is attached.

IP Address

The IP address of the host.

MAC Address

The MAC address of the host; for example, 00e0.1e4e.3d8b.

Alias Enabled

When selected, enables proxy ARP for this mapping. If the security
appliance receives an ARP request for the specified IP address, it
responds with the security appliance MAC address. When the
security appliance receives traffic destined for the host belonging to
the IP address, the security appliance forwards the traffic to the host
MAC address that you specify in this command. This feature is
useful if you have devices that do not perform ARP, for example.

Note

In transparent firewall mode, this setting is ignored and the
security appliance does not perform proxy ARP.


ARP Inspection Page


Use the ARP Inspection page to configure ARP inspection for a transparent
firewall. ARP inspection is used to prevent ARP spoofing.
Navigation Path

(Device view) Select Platform > Bridging > ARP Inspection from the
Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > ARP


Inspection from the Policy Type selector. Right-click ARP Inspection to
create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit ARP Inspection Dialog Box, page L-70

Bridging, page L-65

ARP Table Page, page L-66

MAC Address Table Page, page L-71

MAC Learning Page, page L-73

Management IP Page, page L-75

Field Reference
Table L-29

ARP Inspection Page

Element

Description

ARP Inspection Table

Interface

The name of the interface to which the ARP inspection setting


applies.

ARP Inspection Enabled

Indicates whether ARP inspection is enabled on the specified


interface.

User Guide for Cisco Security Manager 3.1


OL-11501-03

L-69

Appendix L

PIX/ASA/FWSM Platform User Interface Reference

Bridging

Table L-29

ARP Inspection Page (continued)

Element

Description

Flood Enabled

Indicates whether packets that do not match any element of a static


ARP entry should be flooded out all interfaces except the
originating interface. If there is a mismatch between the MAC
address, the IP address, or the interface, the security appliance drops
the packet. If you do not select this check box, all non-matching
packets are dropped.
Note

Save button

The dedicated management interface, if present, never


floods packets even if this parameter is set to flood.

Saves your changes to the server but keeps them private.


Note

To publish your changes, click the Submit button on the


toolbar.

Add/Edit ARP Inspection Dialog Box


Use the Add/Edit ARP Inspection dialog box to enable or disable ARP inspection
for a transparent firewall interface.
Navigation Path

You can access the Add/Edit ARP Inspection dialog box from the ARP Inspection
page. For more information about the ARP Inspection page, see ARP Inspection
Page, page L-69.
Related Topics

Bridging, page L-65

ARP Inspection Page, page L-69

User Guide for Cisco Security Manager 3.1

L-70

OL-11501-03

Appendix L

PIX/ASA/FWSM Platform User Interface Reference


Bridging

Field Reference
Table L-30

Add/Edit ARP Inspection dialog box

Element

Description

Interface

The name of the interface for which you are enabling or disabling
ARP inspection.

Enable ARP Inspection on this


interface

When selected, enables ARP inspection on the specified interface.

Flood ARP packets

When selected, packets that do not match any element of a static


ARP entry are flooded out all interfaces except the originating
interface. If there is a mismatch between the MAC address, the IP
address, or the interface, the security appliance drops the packet. If
you do not select this check box, all non-matching packets are
dropped.
Note

The dedicated management interface, if present, never


floods packets even if this parameter is set to flood.
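To make the match, mismatch and no-match outcomes of Tables L-28 through L-30 concrete, here is an added Python simulation of the ARP inspection decision (example code, not part of this guide or of the ASA software). The interface names, the static entry, the packets, and the reading that a packet is compared against the static entries sharing its sender IP or MAC are assumptions.

```python
# Added example (not Cisco Security Manager or ASA code): a simulation of the
# ARP inspection decision described for the ARP Table and ARP Inspection pages.
# Interface names, the static entries and the ARP packets below are constructed.
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits; accepts 00e0.1e4e.3d8b, 00:e0:... or 00-e0-..."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class StaticArpEntry:
    """One row of the ARP Table page (Add/Edit ARP Table Entry dialog box)."""
    interface: str
    ip: str
    mac: str  # normalized with normalize_mac()


@dataclass(frozen=True)
class InspectionSetting:
    """One row of the ARP Inspection page for a transparent firewall interface."""
    enabled: bool = False  # "Enable ARP Inspection on this interface"
    flood: bool = False    # "Flood ARP packets"


class ArpPacket(NamedTuple):
    interface: str   # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


# Constructed name for the dedicated management interface, which never floods.
MANAGEMENT_INTERFACE = "management"


def inspect_arp(packet: ArpPacket, table: List[StaticArpEntry],
                settings: Dict[str, InspectionSetting], interfaces: List[str],
                mgmt: str = MANAGEMENT_INTERFACE) -> Tuple[str, List[str]]:
    """Return (verdict, egress interfaces); verdict is forward, drop or flood.

    Assumption: a packet is compared against the static entries that share its
    sender IP or sender MAC. IP, MAC and interface must all agree for a match;
    agreement on some but not all elements is a mismatch and is dropped.
    """
    setting = settings.get(packet.interface, InspectionSetting())
    if not setting.enabled:
        return "forward", []          # inspection disabled on this interface
    mac = normalize_mac(packet.sender_mac)
    related = [e for e in table if e.ip == packet.sender_ip or e.mac == mac]
    if not related:
        # No element of any static ARP entry matches: flood or drop per setting.
        if setting.flood and packet.interface != mgmt:
            return "flood", [i for i in interfaces if i != packet.interface]
        return "drop", []
    for entry in related:
        if (entry.ip == packet.sender_ip and entry.mac == mac
                and entry.interface == packet.interface):
            return "forward", []
    return "drop", []                 # IP/MAC/interface mismatch: spoofed or misplaced


# Constructed sample configuration.
DEMO_INTERFACES = ["inside", "outside", MANAGEMENT_INTERFACE]
DEMO_TABLE = [StaticArpEntry("inside", "10.1.1.10", normalize_mac("00e0.1e4e.3d8b"))]
DEMO_SETTINGS = {
    "inside": InspectionSetting(enabled=True, flood=True),
    "outside": InspectionSetting(enabled=True, flood=False),
    MANAGEMENT_INTERFACE: InspectionSetting(enabled=True, flood=True),
}
DEMO_PACKETS = {
    "static match": ArpPacket("inside", "10.1.1.10", "00:e0:1e:4e:3d:8b"),
    "wrong mac for ip": ArpPacket("inside", "10.1.1.10", "0000.0000.beef"),
    "wrong interface": ArpPacket("outside", "10.1.1.10", "00e0.1e4e.3d8b"),
    "unknown, flood on": ArpPacket("inside", "10.1.1.99", "0000.0000.0099"),
    "unknown, flood off": ArpPacket("outside", "10.1.1.99", "0000.0000.0099"),
    "unknown on mgmt": ArpPacket(MANAGEMENT_INTERFACE, "10.1.1.99", "0000.0000.0099"),
    "uninspected interface": ArpPacket("dmz", "10.1.1.10", "0000.0000.beef"),
}


def run_demo() -> Dict[str, str]:
    """Verdict for each constructed packet against the constructed configuration."""
    return {name: inspect_arp(pkt, DEMO_TABLE, DEMO_SETTINGS, DEMO_INTERFACES)[0]
            for name, pkt in DEMO_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} -> {verdict}")
```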

MAC Address Table Page

Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.

Navigation Path

(Device view) Select Platform > Bridging > MAC Address Table from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Address Table from the Policy Type selector. Right-click MAC Address Table to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit MAC Table Entry Dialog Box, page L-72
Bridging, page L-65
ARP Table Page, page L-66
ARP Inspection Page, page L-69
MAC Learning Page, page L-73
Management IP Page, page L-75

Field Reference

Table L-31 MAC Address Table Page

Aging Time (minutes): Sets the number of minutes, between 5 and 720 (12 hours), that a MAC address entry stays in the MAC address table before timing out. 5 minutes is the default.

MAC Address Table

Interface: The interface to which the MAC address is associated.

MAC Address: The MAC address; for example, 00e0.1e4e.3d8b.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Add/Edit MAC Table Entry Dialog Box

Use the Add/Edit MAC Table Entry dialog box to add static MAC address entries to the MAC Address table or to modify entries in the MAC Address table.

Navigation Path

You can access the Add/Edit MAC Table Entry dialog box from the MAC Address Table page. For more information about the MAC Address Table page, see MAC Address Table Page, page L-71.

Related Topics

Bridging, page L-65
MAC Address Table Page, page L-71

Field Reference

Table L-32 Add/Edit MAC Table Entry dialog box

Interface: The interface to which the MAC address is associated.

MAC Address: The MAC address; for example, 00e0.1e4e.3d8b.

MAC Learning Page

Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.

Navigation Path

(Device view) Select Platform > Bridging > MAC Learning from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > MAC Learning from the Policy Type selector. Right-click MAC Learning to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Add/Edit MAC Learning Dialog Box, page L-74
Bridging, page L-65
ARP Table Page, page L-66
ARP Inspection Page, page L-69
MAC Address Table Page, page L-71
Management IP Page, page L-75

Field Reference

Table L-33 MAC Learning Page

MAC Learning Table

Interface: The interface to which the MAC learning setting applies.

MAC Learning Enabled: Indicates whether the security appliance learns MAC addresses from traffic entering the interface.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Add/Edit MAC Learning Dialog Box

Use the Add/Edit MAC Learning dialog box to enable or disable MAC address learning on an interface.

Navigation Path

You can access the Add/Edit MAC Learning dialog box from the MAC Learning page. For more information about the MAC Learning page, see MAC Learning Page, page L-73.

Related Topics

Bridging, page L-65
MAC Learning Page, page L-73

Field Reference

Table L-34 Add/Edit MAC Learning dialog box

Interface: The interface to which the MAC learning setting applies.

MAC Learning Enabled: When selected, the security appliance learns MAC addresses from traffic entering the interface.
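The MAC Address Table page and the MAC Learning page describe one table, so the added Python example below (not from this guide or the ASA software) models static entries, per-interface learning and the Aging Time limit together, including the case the page warns about: learning disabled with no static entry. Interface names, MAC addresses, the minute-based clock and the handling of unknown destinations are assumptions.

```python
# Added example (not Cisco Security Manager or ASA code): a simulation of the
# transparent-firewall MAC address table described on the MAC Address Table and
# MAC Learning pages: static entries, per-interface learning and aging.
# Interface names, MAC addresses and the simulated clock (in minutes) are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class MacEntry:
    interface: str
    static: bool
    last_seen: float = 0.0   # simulated clock, in minutes


class MacAddressTable:
    def __init__(self, aging_time: int = 5, learning: Optional[Dict[str, bool]] = None):
        # Aging Time (minutes) is limited to 5..720; 5 minutes is the default.
        if not 5 <= aging_time <= 720:
            raise ValueError("Aging Time must be between 5 and 720 minutes")
        self.aging_time = aging_time
        self.learning = dict(learning or {})   # interface -> MAC Learning Enabled
        self.entries: Dict[str, MacEntry] = {}

    @staticmethod
    def key(mac: str) -> str:
        return "".join(ch for ch in mac.lower() if ch not in ".:-")

    def add_static(self, interface: str, mac: str) -> None:
        """Add/Edit MAC Table Entry: static entries never age out."""
        self.entries[self.key(mac)] = MacEntry(interface, static=True)

    def learning_enabled(self, interface: str) -> bool:
        return self.learning.get(interface, True)   # learning is on by default

    def expire(self, now: float) -> None:
        """Drop dynamic entries idle for at least Aging Time minutes."""
        self.entries = {m: e for m, e in self.entries.items()
                        if e.static or now - e.last_seen < self.aging_time}

    def receive(self, now: float, ingress: str, src_mac: str, dst_mac: str) -> str:
        """Return the egress interface, 'flood' or 'drop' for one bridged frame."""
        self.expire(now)
        src, dst = self.key(src_mac), self.key(dst_mac)
        entry = self.entries.get(src)
        if entry is None or not entry.static:
            if self.learning_enabled(ingress):
                self.entries[src] = MacEntry(ingress, static=False, last_seen=now)
            elif entry is None:
                # Learning disabled and no static entry for the source: the page
                # states that no traffic passes unless MACs are added statically.
                return "drop"
        out = self.entries.get(dst)
        if out is None:
            return "flood"   # assumption: unknown destination goes to the other interfaces
        if out.interface == ingress:
            return "drop"    # assumption: destination is on the ingress segment, not bridged
        return out.interface


def run_demo() -> Dict[str, str]:
    """Walk a constructed sequence of frames through the table (clock in minutes)."""
    # Learning stays on for inside; it is disabled on outside, so hosts there
    # must be added statically for their traffic to pass.
    table = MacAddressTable(aging_time=5, learning={"outside": False})
    table.add_static("outside", "00e0.1e4e.3d8b")      # constructed server MAC
    results = {}
    # t=0: an inside client talks to the static server; the client is learned on inside.
    results["client to static server"] = table.receive(0, "inside", "0011.2233.4455", "00e0.1e4e.3d8b")
    # t=1: the server's reply is bridged back to the learned client.
    results["server reply"] = table.receive(1, "outside", "00e0.1e4e.3d8b", "0011.2233.4455")
    # t=2: another outside host has no static entry and cannot be learned.
    results["unlearnable source"] = table.receive(2, "outside", "0000.0000.0bad", "0011.2233.4455")
    # t=7: the client entry has aged out (5 minutes), so the destination is unknown again.
    results["after aging"] = table.receive(7, "outside", "00e0.1e4e.3d8b", "0011.2233.4455")
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:24} -> {outcome}")
```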

Management IP Page

Use the Management IP page to set the management IP address for a security appliance or for a context in transparent firewall mode.

Navigation Path

(Device view) Select Platform > Bridging > Management IP from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Bridging > Management IP from the Policy Type selector. Right-click Management IP to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Bridging, page L-65
ARP Table Page, page L-66
ARP Inspection Page, page L-69
MAC Address Table Page, page L-71
MAC Learning Page, page L-73

Field Reference

Table L-35 Management IP Page

Management IP Address: The management IP address.

Subnet Mask: The subnet mask that corresponds to the management IP address.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

AAA Page

This page includes tabs for configuring authentication, authorization, and accounting:

Authentication Tab, page L-76
Authorization Tab, page L-78
Accounting Tab, page L-79

Navigation Path

(Device view) Select Platform > Device Admin > AAA from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > AAA from the Policy Type selector. Right-click AAA to create a policy, or select an existing policy from the Shared Policy selector.

Authentication Tab

Use the Authentication tab to enable authentication for administrator access to the security appliance. The Authentication tab also allows you to configure the prompts and messages that a user sees when authenticated by a AAA server.

Navigation Path

You can access the Authentication tab from the AAA page. For more information about the AAA page, see AAA Page, page L-75.

Related Topics

Configuring AAA, page 15-31
Authorization Tab, page L-78
Accounting Tab, page L-79

Field Reference

Table L-36 Authentication Tab

Require AAA Authentication to allow use of privileged mode commands

Enable: Forces AAA authentication from a server group before you can access enable mode on the firewall. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears.

Server Group: Provides a drop-down menu from which you can choose a server group to force AAA authentication.

Use LOCAL when server group fails: Uses the LOCAL server group if the selected server group fails.

Require AAA Authorization for the following types of connections

Connection type: Specify the connection types that require authorization:
HTTP: Require AAA authentication when you start an HTTPS connection to the firewall console.
Serial: Require AAA authentication when you connect to the firewall console via the serial console cable. The firewall prompts you for your username and password before you can enter commands. If the authentication server is offline, wait until the console login request times out. You can then access the console with the firewall username and the enable password.
SSH: Require AAA authentication when you start a Secure Shell (SSH) connection to the firewall console. This option allows up to three tries to access the firewall console. If this number is exceeded, an access denied message appears. This option requests a username and password before the first command line prompt on the SSH console.
Telnet: Require AAA authentication when you start a Telnet connection to the firewall console. You must authenticate before you can enter a Telnet command.

Server Group: Specify the server group to use for authorization.

Use LOCAL when server group fails: Uses the LOCAL server group if the selected server group fails.

Authentication Prompts

Login Prompt: Enter the prompt a user will see when logging in to the security appliance.

User Accepted Message: Enter the message a user will see when successfully authenticated by the security appliance.

User Rejected Message: Enter the message a user will see when authentication by the security appliance fails.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Authorization Tab

The Authorization tab allows you to configure authorization for accessing firewall commands.

Navigation Path

You can access the Authorization tab from the AAA page. For more information about the AAA page, see AAA Page, page L-75.

Related Topics

Configuring AAA, page 15-31
Authentication Tab, page L-76
Accounting Tab, page L-79

Field Reference

Table L-37 Authorization Tab

Enable Authorization for Command Access: Requires authorization for accessing firewall commands.

Server Group: Specify the server group to use for authorization.

Use LOCAL when server group fails: Uses the LOCAL server group if the selected server group fails.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Accounting Tab

Use the Accounting tab to enable accounting for access to the firewall device and for access to commands on the device.

Navigation Path

You can access the Accounting tab from the AAA page. For more information about the AAA page, see AAA Page, page L-75.

Related Topics

Configuring AAA, page 15-31
Authentication Tab, page L-76
Authorization Tab, page L-78

Field Reference

Table L-38 Accounting Tab

Require AAA Accounting for privileged commands

Enable: When selected, enables the generation of accounting records to mark the entry to and exit from privileged mode for administrative access via the console.

Server Group: Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require AAA Accounting for the following types of connections

Connection type: Specify the connection types that will generate accounting records:
HTTP: Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP. Valid server group protocols are RADIUS and TACACS+.
Serial: Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial interface to the console. Valid server group protocols are RADIUS and TACACS+.
SSH: Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over SSH. Valid server group protocols are RADIUS and TACACS+.
Telnet: Enable or disable the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet. Valid server group protocols are RADIUS and TACACS+.

Server Group: Specify the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Require Accounting for command access

Enable: When selected, enables the generation of accounting records for commands entered by an administrator/user.

Server Group: Provides a drop-down menu from which you can choose the server or group of RADIUS or TACACS+ servers to which accounting records are sent.

Privilege Level: Minimum privilege level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Banner Page

Use the Banner page to configure message of the day, login, and session banners.

Navigation Path

(Device view) Select Platform > Device Admin > Banner from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Banner from the Policy Type selector. Right-click Banner to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Server Access, page L-134

Field Reference

Table L-39 Banner Page

Session(exec) Banner: Enter text that you want the system to display as a banner before displaying the enable prompt.
Note: The tokens $(domain) and $(hostname) are replaced with the domain name and hostname of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Login Banner: Enter text that you want the system to display as a banner before the password login prompt when someone accesses the security appliance using Telnet.
Note: The tokens $(domain) and $(hostname) are replaced with the domain name and hostname of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Message-of-the-Day (motd) Banner: Enter text that you want the system to display as a message-of-the-day banner.
Note: The tokens $(domain) and $(hostname) are replaced with the domain name and hostname of the security appliance. When you enter a $(system) token in a context configuration, the context uses the banner configured in the system configuration.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
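The added Python example below (not part of this guide or of the ASA software) shows the token replacement the Notes in Table L-39 describe, including how a context banner containing $(system) picks up the system configuration's banner of the same type, plus a pre-save check for mistyped tokens. The hostname, domain and banner texts are constructed, and the assumption that the system banner is expanded with the same hostname and domain is noted in the code.

```python
# Added example (not Cisco Security Manager or ASA code): token handling for the
# three banner types on the Banner page. Hostname, domain and banner texts are constructed.
import re
from typing import Dict, List, Optional

BANNER_KINDS = ("exec", "login", "motd")   # Session(exec), Login, Message-of-the-Day
TOKEN_RE = re.compile(r"\$\(([^)]*)\)")
KNOWN_TOKENS = {"hostname", "domain", "system"}


def unknown_tokens(text: str) -> List[str]:
    """$(...) tokens the security appliance would not replace; useful as a pre-save check."""
    return [t for t in TOKEN_RE.findall(text) if t not in KNOWN_TOKENS]


def expand_tokens(text: str, hostname: str, domain: str) -> str:
    """Replace $(hostname) and $(domain); other tokens are left as typed."""
    return text.replace("$(hostname)", hostname).replace("$(domain)", domain)


def resolve_banner(kind: str, context_banners: Dict[str, str],
                   system_banners: Dict[str, str], hostname: str, domain: str) -> Optional[str]:
    """Banner shown by a context, honouring $(system).

    $(system) in a context banner is replaced by the same kind of banner from the
    system configuration. Assumption: the system banner is expanded with the same
    hostname and domain, and a nested $(system) inside it is not resolved again.
    """
    if kind not in BANNER_KINDS:
        raise ValueError(f"unknown banner kind: {kind!r}")
    text = context_banners.get(kind)
    if text is None:
        return None
    text = text.replace("$(system)", system_banners.get(kind, ""))
    return expand_tokens(text, hostname, domain)


# Constructed system and context banners.
SYSTEM_BANNERS = {
    "motd": "Authorized use only. All activity on $(hostname).$(domain) is logged.",
    "login": "Enter your credentials for $(hostname).",
    "exec": "Enable mode on $(hostname) is audited.",
}
CONTEXT_BANNERS = {
    "motd": "$(system)",
    "login": "Context ctx1 on $(hostname): $(system)",
    "exec": "$(system)\nChanges here affect only context ctx1.",
}


def run_demo(hostname: str = "asa1", domain: str = "example.com") -> Dict[str, str]:
    """Resolve every banner kind for the constructed context."""
    return {kind: resolve_banner(kind, CONTEXT_BANNERS, SYSTEM_BANNERS, hostname, domain)
            for kind in BANNER_KINDS}


if __name__ == "__main__":
    for kind, text in run_demo().items():
        print(f"[{kind}]\n{text}\n")
    print("unknown tokens:", unknown_tokens("Welcome to $(hostnme).$(domain)"))
```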

Boot Image/Configuration Page

Use the Boot Image/Configuration page to specify which image file the security appliance will boot from, as well as which configuration file it will use at startup. You can also specify the path to the ASDM image file on the security appliance.

Navigation Path

(Device view) Select Platform > Device Admin > Boot Image/Configuration from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Boot Image/Configuration from the Policy Type selector. Right-click Boot Image/Configuration to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Boot Image and Configuration Settings, page 15-39
Images Dialog Box, page L-85

Field Reference

Table L-40 Boot Image/Configuration Page

Boot Config Location: The configuration file to use when the system is loaded. Use the following syntax:

disk0:/[path/]filename
Indicates the internal Flash card. You can also use flash instead of disk0; they are aliased.

disk1:/[path/]filename
Indicates the external Flash card.

flash:/[path/]filename

ASDM Image Location: The location of the ASDM software image to be used when ASDM sessions are initiated. Use the following syntax:

disk0:/[path/]filename
Indicates the internal Flash card. You can also use flash instead of disk0; they are aliased.

disk1:/[path/]filename
Indicates the external Flash card.

flash:/[path/]filename

tftp://[user[:password]@]server[:port]/[path/]filename

Boot Images Table

No.: Identifies the number of the boot image.

Images: Identifies the path and name of the boot image.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Images Dialog Box

Use the Images dialog box to add a boot image entry to the boot order list.

Navigation Path

You can access the Images dialog box from the Boot Image/Configuration page. For more information about the Boot Image/Configuration page, see Boot Image/Configuration Page, page L-83.

Related Topics

Configuring Boot Image and Configuration Settings, page 15-39
Boot Image/Configuration Page, page L-83

Field Reference

Table L-41 Images Dialog Box

Image File: Enter the path and name of the image file to add to the boot order list. See the following syntax:

disk0:/[path/]filename
This option is only available for the ASA platform, and indicates the internal Flash card. You can also use flash instead of disk0; they are aliased.

disk1:/[path/]filename
This option is only available for the ASA platform, and indicates the external Flash card.

flash:/[path/]filename

tftp://[user[:password]@]server[:port]/[path/]filename
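The location syntax listed for Table L-40 and Table L-41 is the same, so one added Python parser (example code, not from this guide or the ASA software) serves both: it splits the disk0:/, disk1:/, flash:/ and tftp:// forms into their parts, treats flash as the alias of disk0, and applies the Images dialog box's ASA-only rule for disk0 and disk1. The file names, server address and credentials in the samples are constructed.

```python
# Added example (not Cisco Security Manager or ASA code): a parser and platform
# check for the image/configuration location syntax listed for the Boot
# Image/Configuration page and the Images dialog box. File names, the server
# address and the credentials in the samples are constructed.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_RE = re.compile(r"^(?P<device>disk0|disk1|flash):/(?P<rest>.+)$")
TFTP_RE = re.compile(
    r"^tftp://(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<server>[^:/@]+)(?::(?P<port>\d+))?/(?P<rest>.+)$")


@dataclass(frozen=True)
class BootLocation:
    scheme: str                  # "disk0", "disk1", "flash" or "tftp"
    path: str                    # optional [path/] part without the trailing slash, "" when absent
    filename: str
    server: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    password: Optional[str] = None

    @property
    def canonical_device(self) -> Optional[str]:
        """flash is an alias of disk0 (the internal Flash card); tftp has no device."""
        if self.scheme == "tftp":
            return None
        return "disk0" if self.scheme == "flash" else self.scheme


def _split_path(rest: str) -> Tuple[str, str]:
    path, _, filename = rest.rpartition("/")
    if not filename:
        raise ValueError("location must end in a file name")
    return path, filename


def parse_boot_location(text: str) -> BootLocation:
    """Parse disk0:/, disk1:/, flash:/ and tftp:// locations; reject anything else."""
    m = LOCAL_RE.match(text)
    if m:
        path, filename = _split_path(m.group("rest"))
        return BootLocation(m.group("device"), path, filename)
    m = TFTP_RE.match(text)
    if m:
        path, filename = _split_path(m.group("rest"))
        port = int(m.group("port")) if m.group("port") else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"bad TFTP port: {port}")
        return BootLocation("tftp", path, filename, m.group("server"), port,
                            m.group("user"), m.group("password"))
    raise ValueError(f"unsupported location syntax: {text!r}")


def boot_image_error(text: str, platform: str) -> Optional[str]:
    """Images dialog box rule: disk0:/ and disk1:/ are available on the ASA platform only.

    Returns None when the entry is acceptable, otherwise a message for the user.
    """
    try:
        loc = parse_boot_location(text)
    except ValueError as exc:
        return str(exc)
    if loc.scheme in ("disk0", "disk1") and platform != "ASA":
        return f"{loc.scheme}: is only available for the ASA platform"
    return None


if __name__ == "__main__":
    for sample in ("disk0:/images/example-image.bin", "flash:/example-asdm.bin",
                   "tftp://admin:pw@192.0.2.10:6969/images/example-image.bin"):
        print(sample, "->", parse_boot_location(sample))
    print(boot_image_error("disk1:/example-image.bin", "PIX"))
```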

Clock Page

The Clock page lets you set the date and time for the security appliance. In multiple context mode, set the time in the system configuration only.

To dynamically set the time using an NTP server, see Configuring NTP Settings, page 15-72; time derived from an NTP server overrides any time set manually on the Clock page.

Navigation Path

(Device view) Select Platform > Device Admin > Clock from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Clock from the Policy Type selector. Right-click Clock to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Clock Settings, page 15-40
Configuring NTP Settings, page 15-72
NTP Page, page L-149

Field Reference

Table L-42 Clock Page

Device Time Zone: Select the time zone for the device from the list.

Daylight Savings Time (Summer Time): Select whether daylight savings time is used and, if so, what method is used to specify when daylight savings time applies:
None: Disables daylight savings time on the security appliance.
Set by Date: Select this option to specify the date and time when daylight savings time begins and ends for a specific year. If you use this option, you need to reset the dates every year.
Set Recurring: Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.

Set by Date

Date (Begin/End): Enter the date on which daylight savings time begins and ends in MMM dd YYYY format (for example, Jul 15 2005). You can also click Calendar to select the date from a calendar.

Hour (Begin/End): Select the hour, from 00 to 23, in which daylight savings time begins and the hour in which it ends.

Minute (Begin/End): Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.

Set Recurring

Specify Recurring Time: Select this option to specify the start and end dates for daylight saving time using the month, week, and day on which daylight savings time begins and ends. This option allows you to set a recurring date range that you do not need to alter yearly.

Month (Begin/End): Select the month in which daylight savings time begins and the month in which it ends.

Week (Begin/End): Select the week of the month in which daylight savings time begins and the week in which it ends. You can select the numerical value that corresponds to the week, 1 through 5, or you can specify the first or last week in the month by selecting first or last. For example, if the day might fall in the partial fifth week, specify last.

Weekday (Begin/End): Select the day on which daylight savings time begins and the day on which it ends.

Hour (Begin/End): Select the hour, from 0 to 23, in which daylight savings time begins and the hour in which it ends.

Minute (Begin/End): Select the minute, from 00 to 59, at which daylight savings time begins and the minute at which it ends.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.
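As an added worked example (not part of this guide or of the ASA software), the Python below turns Set by Date and Set Recurring settings from Table L-42 into concrete begin and end instants, including the partial fifth week case that the Week field describes. The two recurring rules in the demo are constructed.

```python
# Added example (not Cisco Security Manager or ASA code): resolving the Clock
# page's "Set by Date" and "Set Recurring" daylight savings settings to dates.
# The recurring rules used in the demo are constructed.
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Tuple, Union

WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}           # Monday=0 .. Sunday=6
MONTHS = {name: i for i, name in enumerate(calendar.month_abbr) if name}  # Jan=1 .. Dec=12


def nth_weekday(year: int, month: int, week: Union[int, str], weekday: int) -> date:
    """Date of the given weekday in week 1..5, 'first' or 'last' of a month.

    Week 5 exists only when that weekday falls in the partial fifth week, so a
    rule meant to hit the final occurrence every year must use 'last'.
    """
    first = date(year, month, 1)
    if week == "last":
        last = date(year, month, calendar.monthrange(year, month)[1])
        return last - timedelta(days=(last.weekday() - weekday) % 7)
    n = 1 if week == "first" else int(week)
    if not 1 <= n <= 5:
        raise ValueError("week must be 1..5, 'first' or 'last'")
    day = first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
    if day.month != month:
        raise ValueError(f"{calendar.day_name[weekday]} has no week {n} in "
                         f"{calendar.month_abbr[month]} {year}; specify 'last'")
    return day


@dataclass(frozen=True)
class RecurringPoint:
    """One Begin or End column of the Set Recurring section."""
    month: str            # e.g. "Mar"
    week: Union[int, str] # 1..5, "first" or "last"
    weekday: str          # e.g. "Sunday"
    hour: int = 0         # 0..23
    minute: int = 0       # 00..59

    def resolve(self, year: int) -> datetime:
        if not (0 <= self.hour <= 23 and 0 <= self.minute <= 59):
            raise ValueError("hour must be 0..23 and minute 0..59")
        d = nth_weekday(year, MONTHS[self.month], self.week, WEEKDAYS[self.weekday])
        return datetime(d.year, d.month, d.day, self.hour, self.minute)


def set_by_date(text: str, hour: int, minute: int) -> datetime:
    """Set by Date: the Date column uses MMM dd YYYY, for example Jul 15 2005."""
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour must be 0..23 and minute 0..59")
    return datetime.strptime(text, "%b %d %Y").replace(hour=hour, minute=minute)


def dst_window(begin: RecurringPoint, end: RecurringPoint, year: int) -> Tuple[datetime, datetime]:
    """Concrete begin/end instants of a recurring rule for one year."""
    return begin.resolve(year), end.resolve(year)


def in_dst(begin: RecurringPoint, end: RecurringPoint, when: Union[datetime, str]) -> bool:
    """True when 'when' (datetime or ISO string) lies inside that year's window (begin before end assumed)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    start, stop = dst_window(begin, end, when.year)
    return start <= when < stop


# Constructed rules: second Sunday in March to first Sunday in November, and
# last Sunday in March to last Sunday in October.
US_BEGIN, US_END = RecurringPoint("Mar", 2, "Sunday", 2), RecurringPoint("Nov", 1, "Sunday", 2)
EU_BEGIN, EU_END = RecurringPoint("Mar", "last", "Sunday", 1), RecurringPoint("Oct", "last", "Sunday", 1)

if __name__ == "__main__":
    print(dst_window(US_BEGIN, US_END, 2007))
    print(dst_window(EU_BEGIN, EU_END, 2007))
    print(set_by_date("Jul 15 2005", 2, 0))
```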

Credentials Page

Use the Credentials page to specify the future contact settings that Security Manager should use when contacting a device. You can also use the Contact Credentials page to change the login password and the enable password on a device.

Navigation Path

(Device view) Select Platform > Device Admin > Credentials from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Credentials from the Policy Type selector. Right-click Credentials to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Contact Credentials, page 15-42
User Accounts Page, page L-154

Field Reference

Table L-43 Contact Credentials Page

Username: Specifies the username for logging in to the device.

Password: Specifies the password for logging in to the device.

Confirm: Confirms the password entered in the Password field. The values in the Password and Confirm fields must match before you can save these settings.

Privilege Level: Specifies the privilege level of the user logging in to the device.

Enable Password: Specifies the new enable password for the device.

Confirm: Confirms the password entered in the Enable Password field. The values in the Enable Password and Confirm fields must match before you can save these settings.

Telnet/SSH Password: Specifies the new login password for the device.

Confirm: Confirms the password entered in the Telnet/SSH Password field. The values in the Telnet/SSH Password and Confirm fields must match before you can save these settings.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

CPU Threshold Page

Use the CPU Threshold page to specify the percentage of CPU usage above which you want to receive a notification and the duration that the usage must remain above that threshold before the notification is generated.

Navigation Path

(Device view) Select Platform > Device Admin > CPU Threshold from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > CPU Threshold from the Policy Type selector. Right-click CPU Threshold to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring SNMP, page 15-50
SNMP Page, page L-99
SNMP Trap Configuration Dialog Box, page L-101

Field Reference

Table L-44 CPU Threshold Page

CPU Rising Threshold Percentage: Enter the percentage of CPU usage above which you want to receive a notification. If the CPU utilization percentage is equal to or above this value for the duration specified in the CPU Monitoring Period field, then a notification will be sent.

CPU Monitoring Period (seconds): Enter the number of seconds that the percentage of CPU usage must remain at or above the threshold set in the CPU Rising Threshold Percentage field before a notification is sent.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

Device Access

The Device Access section is located under the Device Admin folder in the Policy selector. The following topics describe the pages for Device Access:

Console Page, page L-91
HTTP Page, page L-92
ICMP Page, page L-94
Management Access Page, page L-96
Secure Shell Page, page L-97
SNMP Page, page L-99
Telnet Page, page L-104

Console Page

Use the Console page to specify a time period for the management console to remain active. When the time limit you specify is reached, the console shuts down.

Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Console from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Console from the Policy Type selector. Right-click Console to create a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Device Access, page L-90

Field Reference

Table L-45 Console Page

Console Timeout (minutes): Number of minutes a console session can remain idle before the firewall device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.

Save button: Saves your changes to the server but keeps them private.
Note: To publish your changes, click the Submit button on the toolbar.

User Guide for Cisco Security Manager 3.1


OL-11501-03

L-91

Appendix L

PIX/ASA/FWSM Platform User Interface Reference

Device Access

HTTP Page
The HTTP page provides a table that specifies the addresses of all the hosts or
networks that are allowed access to the firewall device using HTTPS. You can use
this table to add or change the hosts or networks that are allowed access.
The HTTP page also displays information about HTTP redirection and HTTPS
user certificate requirements for interfaces on the firewall device. You can use this
table to change the entries for HTTP redirection and HTTPS user certificate
requirements.
Navigation Path

(Device view) Select Platform > Device Admin > Device Access > HTTP
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > HTTP from the Policy Type selector. Right-click HTTP to create a
policy, or select an existing policy from the Shared Policy selector.

Related Topics

Device Access, page L-90

HTTP Configuration Dialog Box, page L-93

Field Reference
Table L-46

HTTP Page

Element

Description

Enable HTTP Server

Enables or disables HTTPS access to the firewall device.

HTTP Interface Table

Interface

Lists the interface on the firewall device from which the


administrative access to the device manager is allowed.

Network

Lists the IP address and netmask, separated by a /, of hosts or


networks that are permitted to establish an HTTPS connection with
the firewall device.

Authentication Certificate

Identifies if a user certificate is required to authenticate users who


are establishing HTTPS connections.

User Guide for Cisco Security Manager 3.1

L-92

OL-11501-03

Appendix L

PIX/ASA/FWSM Platform User Interface Reference


Device Access

Table L-46

HTTP Page (continued)

Element

Description

Redirect Port

Identifies the port the security appliance listens on for HTTP


requests, which it then redirects to HTTPS. If this column is empty,
then HTTP redirect is disabled.

Save button

Saves your changes to the server but keeps them private.


Note

To publish your changes, click the Submit button on the


toolbar.

HTTP Configuration Dialog Box


Use the HTTP Configuration dialog box to add a host or network that will be
allowed administrative access to the firewall device manager over HTTPS.
Navigation Path

You can access the HTTP Configuration dialog box from the HTTP page. For
more information about the HTTP page, see HTTP Page, page L-92.
Related Topics

Device Access, page L-90

HTTP Page, page L-92

Field Reference

Table L-47  HTTP Configuration Dialog Box

Interface Name
  Specifies the interface on the firewall device from which administrative
  access to the firewall device manager is allowed.

IP Address/Netmask
  Enter the IP address and netmask, separated by a /, of the host or network
  that is permitted to establish an HTTPS connection with the firewall device.


Enable Authentication Certificate
  Specifies whether user certificate authentication is required to establish an
  HTTPS connection.

Redirect port
  Identifies the port the security appliance listens on for HTTP requests, which
  it then redirects to HTTPS. To disable HTTP redirect, ensure that this field
  is blank.

ICMP Page
The ICMP page provides a table that lists the ICMP rules, which specify the
addresses of all the hosts or networks that are allowed or denied ICMP access to
the firewall device. You can use this table to add or change the hosts or networks
that are allowed to or prevented from sending ICMP messages to the firewall
device.
Navigation Path

(Device view) Select Platform > Device Admin > Device Access > ICMP
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > ICMP from the Policy Type selector. Right-click ICMP to create a
policy, or select an existing policy from the Shared Policy selector.

Related Topics

Device Access, page L-90

ICMP Configuration Dialog Box, page L-95

Field Reference

Table L-48  ICMP Page

ICMP Rules Table

Interface
  Lists the interface on the security appliance from which ICMP access is
  allowed.


Action
  Displays whether ICMP messages are permitted or denied from the specified
  network or host.

Network
  Lists the IP address and netmask, separated by a /, of hosts or networks that
  are allowed or denied access.

ICMP Service
  Lists the type of ICMP message to which the rule applies.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

ICMP Configuration Dialog Box


Use the ICMP Configuration dialog box to add or modify an ICMP rule, which
specifies the addresses of all the hosts or networks that are allowed or denied ICMP
access to the firewall device.
Navigation Path

You can access the ICMP Configuration dialog box from the ICMP page. For
more information about the ICMP page, see ICMP Page, page L-94.
Related Topics

Device Access, page L-90

ICMP Page, page L-94

Field Reference

Table L-49  ICMP Configuration Dialog Box

Interface
  Identifies the interface on the firewall device from which ICMP access is
  allowed.

Network
  Specifies the IP address and netmask, separated by a /, of the host or network
  that is allowed or denied access.


Action
  Displays whether ICMP messages are permitted or denied from the specified
  network or host.
  Permit: Causes ICMP messages from the specified host or network and interface
  to be allowed.
  Deny: Causes ICMP messages from the specified host or network and interface
  to be dropped.

ICMP Service
  Specifies the type of ICMP message to which the rule applies.

Management Access Page


The Management Access page lets you enable or disable management access on
a high-security interface and thus lets you perform management functions on the
firewall device. Use this feature if VPN is configured on the firewall device and
the external interface is using a dynamically assigned IP address. For example,
this feature is helpful for accessing and managing the firewall device securely from
home using the VPN client.
Navigation Path

(Device view) Select Platform > Device Admin > Device Access >
Management Access from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > Management Access from the Policy Type selector. Right-click
Management Access to create a policy, or select an existing policy from the
Shared Policy selector.

Related Topics

Device Access, page L-90


Field Reference

Table L-50  Management Access Page

Management Access Interface
  Name of the firewall device interface that permits management access
  connections. You can click Select to select the interface from a list of
  interface objects.
  You can enable this feature on an internal interface to allow management
  functions to be performed on the interface over an IPsec VPN tunnel. You can
  enable the Management Access feature on only one interface at a time. Clear
  the Management Access Interface field to disable management access.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

Secure Shell Page


Use the Secure Shell page to configure rules that permit only specific hosts or
networks to connect to a firewall device for administrative access using the SSH
protocol.
Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Secure
Shell from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > Secure Shell from the Policy Type selector. Right-click Secure
Shell to create a policy, or select an existing policy from the Shared Policy
selector.

Related Topics

Configuring Secure Shell, page 15-49

Device Access, page L-90

SSH Configuration Dialog Box, page L-98


Field Reference

Table L-51  Secure Shell Page

Enable Secure Copy Server
  Select this check box to enable the secure copy server on the security
  appliance.

Allowed SSH Version(s)
  Restricts the version of SSH accepted by the firewall device. By default, SSH
  Version 1 and SSH Version 2 connections are accepted.

Timeout (minutes)
  Displays the number of minutes, 1 to 60, the Secure Shell session can remain
  idle before the firewall device closes it.

Secure Shell Access Rule table

Interface
  Displays the name of the firewall device interface that will permit SSH
  connections.

Network
  Displays the IP address and netmask of each host or network permitted to
  connect to this security appliance through the specified interface.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

SSH Configuration Dialog Box


Use the SSH Configuration dialog box to add an SSH access rule to the rule table
or to edit an SSH access rule.
Navigation Path

You can access the SSH Configuration dialog box from the Secure Shell page. For
more information about the Secure Shell page, see Secure Shell Page, page L-97.
Related Topics

Configuring Secure Shell, page 15-49

Device Access, page L-90

Secure Shell Page, page L-97


Field Reference

Table L-52  SSH Configuration Dialog Box

Interface
  Specifies the name of the firewall device interface that permits SSH
  connections.

IP Address/Netmask
  Enter the IP address and netmask, separated by a /, of the host or network
  that is permitted to establish an SSH connection with the firewall device.

SNMP Page
The SNMP page lets you configure the security appliance for monitoring by
Simple Network Management Protocol (SNMP) management stations.
Navigation Path

(Device view) Select Platform > Device Admin > Device Access > SNMP
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > SNMP from the Policy Type selector. Right-click SNMP to create
a policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring SNMP, page 15-50

Device Access, page L-90

SNMP Trap Configuration Dialog Box, page L-101

Add SNMP Host Access Entry Dialog Box, page L-103


Field Reference

Table L-53  SNMP Page

Password (Community String)
  Enter the password used by the SNMP management station when sending requests
  to the firewall. The SNMP community string is a shared secret among the SNMP
  management stations and the network nodes being managed. The firewall uses
  the password to determine if the incoming SNMP request is valid. The password
  is a case-sensitive value up to 32 characters in length. Spaces are not
  permitted.

System Administrator Name
  Enter the name of the firewall system administrator. The text is
  case-sensitive and can be up to 127 characters. Spaces are accepted, but
  multiple spaces are shortened to a single space.

Location
  Specify the firewall location. The text is case-sensitive and can be up to
  127 characters. Spaces are accepted, but multiple spaces are shortened to a
  single space.

Port (PIX 7.x and ASA only)
  Specify the port on which incoming requests will be accepted.

Configure Traps button
  Click to open the SNMP Trap Configuration dialog box, from which you can
  configure SNMP trap settings.

SNMP Hosts Table

Interface
  Identifies the interface on which the SNMP management station resides.

IP Address
  Identifies the IP address of the SNMP management station.

Community String
  Identifies the password used by the SNMP management station when sending
  requests to the firewall. The SNMP community string is a shared secret among
  the SNMP management stations and the network nodes being managed. The
  firewall uses the password to determine if the incoming SNMP request is
  valid. The password is a case-sensitive value up to 32 characters in length.
  Spaces are not permitted.

SNMP Version
  Identifies the version of SNMP set on the management station.


Poll/Trap
  Displays the method for communicating with this management station: poll
  only, trap only, or both trap and poll.
  Poll: The firewall device waits for a periodic request from the management
  station.
  Trap: Sends syslog events when they occur.

UDP Port
  Specifies the UDP port for the SNMP host. The default value is 162 for the
  SNMP host UDP port.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

SNMP Trap Configuration Dialog Box


Use the SNMP Trap Configuration dialog box to configure trap settings.
Traps are different from browsing; they are unsolicited messages sent from the
managed device to the management station for certain events, such as link up,
link down, and syslog event generated.
An SNMP object ID (OID) for the security appliance displays in SNMP event traps
sent from the security appliance. Firewall devices provide the system OID in
SNMP event traps and in SNMP mib-2.system.sysObjectID.
The SNMP service running on a firewall device performs two different functions:

- Replies to SNMP requests from management stations (also known as SNMP
  clients).
- Sends traps (event notifications) to management stations or other devices
  that are registered to receive them from the security appliance.

Cisco firewall devices support 3 types of traps:

- firewall
- generic
- syslog


Navigation Path

You can access the SNMP Trap Configuration dialog box from the SNMP page.
For more information about the SNMP page, see SNMP Page, page L-99.
Related Topics

Configuring SNMP, page 15-50

Device Access, page L-90

SNMP Page, page L-99

Add SNMP Host Access Entry Dialog Box, page L-103

Field Reference

Table L-54  SNMP Trap Configuration Dialog Box

Standard SNMP Traps (PIX 7.x, ASA, and FWSM only)
  Select the standard SNMP traps you want sent:
  Authentication: Enables the authentication standard trap.
  Cold Start: Enables the cold start standard trap.
  Link Up: Enables the link up standard trap.
  Link Down: Enables the link down standard trap.

Entity MIB Notifications (PIX 7.x and ASA only)
  Select the Entity MIB Notifications that you want to enable:
  FRU Insert: Enables a trap notification when a Field Replaceable Unit (FRU)
  has been inserted.
  FRU Remove: Enables a trap notification when a Field Replaceable Unit (FRU)
  has been removed.
  Configuration Change: Enables a trap notification when there has been a
  hardware change.

IPsec Traps (PIX 7.x and ASA only)
  Select the IPsec traps that you want to enable:
  Start: Enables a trap when IPsec starts.
  Stop: Enables a trap when IPsec stops.


Remote Access Traps (PIX 7.x and ASA only)
  Select the Remote Access traps that you want to enable:
  Session Threshold Exceeded: Enables the firewall device to send traps when
  remote access sessions reach the defined limit.

Enable Syslog Traps
  Enables or disables the sending of syslog messages to the SNMP management
  station.

Add SNMP Host Access Entry Dialog Box


Use the Add SNMP Host Access Entry dialog box to add SNMP management
stations.
Navigation Path

You can access the Add SNMP Host Access Entry dialog box from the SNMP
page. For more information about the SNMP page, see SNMP Page, page L-99.
Related Topics

Device Access, page L-90

SNMP Page, page L-99

SNMP Trap Configuration Dialog Box, page L-101

Field Reference

Table L-55  Add SNMP Host Access Entry Dialog Box

Interface Name
  Select the interface on which the SNMP management station resides. You can
  click Select to select the interface from a list of interface objects.

IP Address
  Enter the IP address of the SNMP management station. You can click Select to
  select the IP address from a list of IP address objects.

UDP Port
  Enter the UDP port for the SNMP host. This field allows you to override the
  default value of 162 for the SNMP host UDP port.


Community String
  Enter the password used by the SNMP management station when sending requests
  to the firewall. The SNMP community string is a shared secret among the SNMP
  management stations and the network nodes being managed. The firewall uses
  the password to determine if the incoming SNMP request is valid. The password
  is a case-sensitive value up to 32 characters in length. Spaces are not
  permitted.

SNMP Version
  Select the version of SNMP set on the management station.

Server Poll/Trap Specification
  Specify the method for communicating with this management station: poll only,
  trap only, or both trap and poll.
  Poll: The firewall device waits for a periodic request from the management
  station.
  Trap: Sends syslog events when they occur.

Telnet Page
Use the Telnet page to configure rules that permit only specific hosts or networks
to connect to the firewall device using the Telnet protocol.
Navigation Path

(Device view) Select Platform > Device Admin > Device Access > Telnet
from the Device Policy selector.

(Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device
Access > Telnet from the Policy Type selector. Right-click Telnet to create a
policy, or select an existing policy from the Shared Policy selector.

Related Topics

Configuring Telnet, page 15-54

Device Access, page L-90

Telnet Configuration Dialog Box, page L-105


Field Reference

Table L-56  Telnet Page

Timeout (minutes)
  Number of minutes a Telnet session can remain idle before the firewall device
  closes it. Values are 1 to 60 minutes. Default is 5.

Telnet Access Table

Interface
  Interface that receives Telnet packets from the client.

Network
  The IP address and network mask of the host or network that can access the
  Telnet console on the firewall device.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

Telnet Configuration Dialog Box


Use the Telnet Configuration dialog box to configure Telnet options for an
interface.
Navigation Path

You can access the Telnet Configuration dialog box from the Telnet page. For
more information about the Telnet page, see Telnet Page, page L-104.
Related Topics

Configuring Telnet, page 15-54

Device Access, page L-90

Telnet Page, page L-104


Field Reference

Table L-57  Telnet Configuration Dialog Box

Interface Name
  Select the interface that receives Telnet packets from the client. You can
  click Select to select the interface from a list of interface objects.

Network
  Enter the IP address and netmask, separated by a /, of the host or network
  that is permitted to access the firewall device's Telnet console through the
  specified interface. Use a comma to separate entries for multiple networks or
  hosts. You can click Select to select the networks from a list of network
  objects.
  Note: To limit access to a single IP address, use 255.255.255.255 or 32 as
  the netmask. Do not use the subnetwork mask of the internal network.
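The HTTP, SSH, ICMP and Telnet dialog boxes in this section all take the same address/netmask text for their Network field. The following Python script is an added example, not part of this guide or of Security Manager: it parses a comma-separated Network value, accepts the netmask either as a dotted quad or as a prefix length, and flags the mistake the Note above warns about (a single host entered with the internal network's mask, which admits the whole subnet). The sample field value is constructed.

```python
"""Parse and sanity-check the Network field of a firewall device-access rule.

The HTTP, SSH, ICMP and Telnet dialog boxes all take "address/netmask" text,
with the netmask written as a dotted quad or a prefix length (255.255.255.255
or 32 for a single host) and, for Telnet, multiple entries separated by commas.
Added example; this is not Security Manager code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AccessEntry:
    text: str                                   # entry exactly as typed
    network: Optional[ipaddress.IPv4Network]    # None if it could not be parsed
    warnings: List[str] = field(default_factory=list)


def parse_netmask(mask_text: str) -> int:
    """Return the prefix length for a dotted-quad netmask or a bare prefix length."""
    mask_text = mask_text.strip()
    if mask_text.isdigit():
        prefix = int(mask_text)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length {prefix} is out of range")
        return prefix
    # ipaddress only accepts contiguous masks (255.255.0.255 is rejected), but it
    # also tolerates host masks such as 0.0.0.255, so compare the canonical form.
    net = ipaddress.IPv4Network(("0.0.0.0", mask_text))
    if str(net.netmask) != mask_text:
        raise ValueError(f"{mask_text!r} is not a netmask")
    return net.prefixlen


def parse_network_field(field_text: str) -> List[AccessEntry]:
    """Split a comma-separated Network field and check each address/netmask entry."""
    entries: List[AccessEntry] = []
    for raw in field_text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        entry = AccessEntry(text=raw, network=None)
        entries.append(entry)
        addr_text, sep, mask_text = raw.partition("/")
        if not sep:
            entry.warnings.append("missing netmask; write address/netmask")
            continue
        try:
            prefix = parse_netmask(mask_text)
            addr = ipaddress.IPv4Address(addr_text.strip())
        except ValueError as exc:
            entry.warnings.append(f"unparseable entry: {exc}")
            continue
        # strict=False shows what the device will actually admit when the typed
        # address has host bits set under the given mask.
        net = ipaddress.IPv4Network((addr, prefix), strict=False)
        entry.network = net
        if addr != net.network_address:
            entry.warnings.append(
                f"host {addr} with mask {net.netmask} admits all of {net}; "
                "use 255.255.255.255 or 32 to limit access to a single host")
        if prefix == 0:
            entry.warnings.append("0.0.0.0/0 permits management access from any address")
    return entries


def total_permitted_addresses(entries: List[AccessEntry]) -> int:
    """Size of the management-plane exposure: how many source addresses are admitted."""
    return sum(e.network.num_addresses for e in entries if e.network is not None)


if __name__ == "__main__":
    # Constructed sample value for a Telnet or SSH Network field.
    sample = ("10.1.1.0/255.255.255.0, 192.168.5.7/32, 192.168.1.50/255.255.255.0, "
              "172.16.0.9/255.255.255.255, 10.0.0.1, 10.0.0.2/0.0.0.255")
    parsed = parse_network_field(sample)
    for e in parsed:
        print(f"{e.text:30} -> {e.network}  {'; '.join(e.warnings)}")
    print("addresses admitted:", total_permitted_addresses(parsed))
```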

Failover Policies

This section discusses the pages that you use to configure failover for your
firewall devices. The pages that are available for firewall configuration change
depending on the type of firewall device you are configuring.

PIX 6.x Firewalls

- Failover Page (PIX 6.x), page L-107
- Edit Failover Interface Configuration Dialog Box (PIX 6.x), page L-109
- Bootstrap Configuration for LAN Failover Dialog Box, page L-127

Firewall Services Modules

- Failover Page (FWSM), page L-110
- Advanced Settings Dialog Box, page L-114
- Add Interface MAC Address Dialog Box, page L-127
- Edit Failover Interface Configuration Dialog Box (FWSM), page L-116
- Bootstrap Configuration for LAN Failover Dialog Box, page L-127


Adaptive Security Appliances and PIX 7.0 Firewalls

- Failover Page (ASA/PIX 7.x), page L-117
- Settings Dialog Box, page L-120
- Add Failover Group Dialog Box, page L-124
- Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x), page L-125
- Add Interface MAC Address Dialog Box, page L-127
- Bootstrap Configuration for LAN Failover Dialog Box, page L-127

Failover Page (PIX 6.x)


Use the Failover page to configure failover settings for a PIX 6.x Firewall.
Navigation Path

To access this feature, select a firewall device in Device View and then select
Platform > Device Admin > Failover from the Device Policy selector.
Related Topics

Failover Policies, page L-106

Edit Failover Interface Configuration Dialog Box (PIX 6.x), page L-109

Bootstrap Configuration for LAN Failover Dialog Box, page L-127

Field Reference

Table L-58  Failover Page (PIX 6.x)

Failover

Enable Failover
  Specifies whether failover is enabled on this device.
  Note: To enable failover, you must ensure that both devices have the same
  software version, activation key type, Flash memory, and RAM.

LAN-Based Failover


Enable LAN-based failover
  Specifies whether LAN-based failover is enabled on this device.

Interface
  Allows you to select the interface to use for LAN-based failover.

Shared Key
  Used to encrypt communication between the primary and standby devices. The
  value can be any string.

Stateful Failover

Enable Stateful Failover
  Specifies whether stateful failover is enabled on this device.
  Note: If you enable stateful failover, you must select a fast LAN link from
  the list (for example, 100full, 1000full, or 1000sxfull).

Enable HTTP Replication
  Enables stateful failover to copy active HTTP sessions to the standby PIX
  Firewall.

Interface (fast LAN link is required)
  Allows you to select an interface with a fast LAN link. A dedicated fast LAN
  link is required in addition to the failover cable to support stateful
  failover.

Failover Poll Time
  Specifies how long failover waits before determining whether the other device
  remains available; the check runs between the primary and standby devices over
  all network interfaces and the failover cable. Values are 3 to 15 seconds.
  Default is 15.

Failover Interface Table

Interface
  Displays the name of the interface on the active firewall device to be used
  for communication with the standby device for failover. When configured for
  stateful failover, the interface is connected directly to the standby device.

Active IP Address
  Displays the IP address of the active interface. This address is used by the
  standby device to communicate with the active device. The address must be on
  the same network as the system IP address.
  Tip: You can use this IP address with the ping tool to check the status of
  the active device.


Standby IP Address
  Displays the IP address of the standby interface. This address is used by the
  active device to communicate with the standby device. The address must be on
  the same network as the system IP address.
  Tip: You can use this IP address with the ping tool to check the status of
  the standby device.

Active MAC Address
  Displays the MAC address of the active interface in hexadecimal format (for
  example, 0123.4567.89ab).

Standby MAC Address
  Displays the MAC address of the standby interface in hexadecimal format (for
  example, 0123.4567.89ab).

Edit Row button
  Click to display the Edit Failover Interface Configuration dialog box.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

Edit Failover Interface Configuration Dialog Box (PIX 6.x)


Use the Edit Failover Interface Configuration dialog box to configure a failover
interface for PIX 6.x devices.
Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the
Failover page. For more information about the Failover page, see Failover Page
(PIX 6.x), page L-107.
Related Topics

Failover Policies, page L-106

Failover Page (PIX 6.x), page L-107


Field Reference

Table L-59  Edit Failover Interface Configuration Dialog Box (PIX 6.x)

Interface
  Displays the name of the interface on the active firewall device to be used
  for communication with the standby device for failover. When configured for
  stateful failover, the interface is connected directly to the standby device.

Active IP Address
  Displays the IP address of the active interface. This address is used by the
  standby device to communicate with the active device. The address must be on
  the same network as the system IP address.
  Tip: You can use this IP address with the ping tool to check the status of
  the active device.

Netmask
  Displays the netmask of the active device.

Standby IP Address
  Specify the IP address of the standby interface. This address is used by the
  active device to communicate with the standby device. The address must be on
  the same network as the system IP address.
  Tip: You can use this IP address with the ping tool to check the status of
  the standby device.

Failover MAC Addresses

Active MAC Address
  Specifies the MAC address of the active interface in hexadecimal format (for
  example, 0123.4567.89ab).

Standby MAC Address
  Specifies the MAC address of the standby interface in hexadecimal format (for
  example, 0123.4567.89ab).

Failover Page (FWSM)


Use the Failover page to configure basic failover settings for FWSMs.
Navigation Path

To access this feature, select a FWSM in Device View and then select Platform >
Device Admin > Failover from the Device Policy selector.


Related Topics

Failover Policies, page L-106

Advanced Settings Dialog Box, page L-114

Edit Failover Interface Configuration Dialog Box (FWSM), page L-116

Bootstrap Configuration for LAN Failover Dialog Box, page L-127

Field Reference

Table L-60  Failover Page (FWSM)

Enable Failover
  Specifies whether failover is enabled on this device.
  You must configure the logical LAN failover interface and, optionally, the
  stateful failover interface.
  Note: To enable failover, you must ensure that both devices have the same
  software version, activation key type, Flash memory, and RAM.

Configuration (FWSM 3.x only)

Active/Active option (FWSM 3.x only)
  In an Active/Active failover configuration, both security appliances pass
  network traffic. Active/Active failover is only available to security
  appliances in multiple context mode.
  To enable Active/Active failover on the security appliance, you must create
  failover groups. If you enable failover without creating failover groups, you
  are enabling Active/Standby failover. A failover group is a logical group of
  one or more security contexts. You can create two failover groups on the
  security appliance. You should create the failover groups on the unit that
  will have failover group 1 in the active state. The admin context is always a
  member of failover group 1. Any unassigned security contexts are also members
  of failover group 1 by default.


Active/Standby option (FWSM 3.x only)
  In an Active/Standby configuration, the active security appliance handles all
  network traffic passing through the failover pair. The standby security
  appliance does not handle network traffic until a failure occurs on the
  active security appliance. Whenever the configuration of the active security
  appliance changes, it sends configuration information over the failover link
  to the standby security appliance.
  When a failover occurs, the standby security appliance becomes the active
  unit. It assumes the IP and MAC addresses of the previously active unit.
  Because the other devices on the network do not see any changes in the IP or
  MAC addresses, ARP entries do not change or time out anywhere on the network.
  Active/Standby failover is available to security appliances in single mode or
  multiple mode.

Settings button
  Click to display the Advanced Settings dialog box. See Advanced Settings
  Dialog Box, page L-114 for more information.

LAN Failover

VLAN
  VLAN interface you are using for the failover link, for example, VLAN 11.

Logical Name
  The logical name of the interface on the active firewall device that
  communicates with the standby device for failover. When configured for
  stateful failover, the interface is directly connected to the standby device.

Active IP Address
  Specifies the IP address of the active interface.

Standby IP Address
  Specifies the IP address of the standby interface.

Subnet Mask
  Mask that corresponds with the active and standby IP addresses.

State Failover

VLAN
  VLAN interface you are using for the stateful failover link, for example,
  VLAN 12.


Logical Name
  The logical name of the interface on the active firewall device that
  communicates with the standby device for failover. When configured for
  stateful failover, the interface is directly connected to the standby device.

Active IP Address
  Specifies the IP address of the active interface.

Standby IP Address
  Specifies the IP address of the standby interface.

Subnet Mask
  Mask that corresponds with the active and standby IP addresses.

Enable HTTP Replication check box
  Enables stateful failover to copy active HTTP sessions to a standby firewall.

Suspend Configuration Synchronization (FWSM 2.3 only)
  When selected, configurations between the active and standby device are no
  longer synchronized.
  Note: You cannot disable this feature using the Security Manager user
  interface. To disable this feature after enabling it in Security Manager,
  issue the no failover suspend-config-sync command directly on the device or
  by using the FlexConfig feature. For more information on FlexConfigs, see
  Understanding FlexConfig Policy Objects, page 19-2, page 19-1.


Shared Key (FWSM 3.x only)
  To encrypt and authenticate the communication between failover peers, specify
  a shared secret in the Shared Key field for the active unit of an
  Active/Standby failover pair or on the unit that has failover group 1 in the
  active state of an Active/Active failover pair. The shared key can be from 1
  to 63 characters and can be any combination of numbers, letters, or
  punctuation.
  Caution: All information sent over the failover and Stateful Failover links
  is sent in clear text unless you secure the communication with a failover
  key. If FWSM is used to terminate VPN tunnels, this information includes any
  usernames, passwords and preshared keys used for establishing the tunnels.
  Transmitting this sensitive data in clear text could pose a significant
  security risk. We recommend securing the failover communication with a
  failover key if you are using FWSM to terminate VPN tunnels.

Save button
  Saves your changes to the server but keeps them private.
  Note: To publish your changes, click the Submit button on the toolbar.

Advanced Settings Dialog Box

The Advanced Settings dialog box allows you to configure additional failover settings for FWSMs.

Navigation Path

You can access the Advanced Settings dialog box from the Failover page. For more information about the Failover page, see Failover Page (FWSM), page L-110.

Related Topics

• Failover Policies, page L-106

• Failover Page (FWSM), page L-110


• Add Interface MAC Address Dialog Box, page L-127

Field Reference

Table L-61 Advanced Settings Dialog Box

Element

Description

Interface Policy

Number of failed interfaces that triggers failover option

When the number of failed monitored interfaces exceeds the value you set with this option, the security appliance fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces that triggers failover option

When the number of failed monitored interfaces exceeds the percentage you set with this option, the security appliance fails over.

Failover Poll Time

Unit Failover

The amount of time between hello messages among units. The range
is between 1 and 15 seconds or between 500 and 999 milliseconds.

Unit Hold Time

Sets the time during which a unit must receive a hello message on
the failover link, or else the unit begins the testing process for peer
failure. The range is between 3 and 45 seconds. You cannot enter a
value that is less than 3 times the poll time.

Monitored Interface

The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

MAC Address Mapping

Physical Interface

Specifies the physical interface for which failover virtual MAC addresses are configured.

Active MAC Address

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).


Edit Failover Interface Configuration Dialog Box (FWSM)


Use the Edit Failover Interface Configuration dialog box to configure a failover
interface for FWSMs.
Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the
Failover page. For more information about the Failover page, see Failover Page
(FWSM), page L-110.
Related Topics

• Failover Policies, page L-106

• Failover Page (FWSM), page L-110

Field Reference
Table L-62 Edit Failover Interface Configuration Dialog Box (FWSM)

Element

Description

Interface Name

Identifies the interface name.

Active IP Address

Identifies the IP address for this interface. This field does not appear
if an IP address has not been assigned to the interface.


Standby IP Address

Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

Monitor this interface for failure

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

• Unknown: Initial status. This status can also mean the status cannot be determined.

• Normal: The interface is receiving traffic.

• Testing: Hello messages are not heard on the interface for five poll times.

• Link Down: The interface is administratively down.

• No Link: The physical link for the interface is down.

• Failed: No traffic is received on the interface, yet traffic is heard on the peer interface.

Failover Page (ASA/PIX 7.x)


Use the Failover page to configure basic failover settings for ASAs and PIX 7.x
firewalls.
Navigation Path

To access this feature, select an ASA or PIX 7.x firewall device in Device View
and then select Platform > Device Admin > Failover from the Device Policy
selector.


Related Topics

• Failover Policies, page L-106

• Settings Dialog Box, page L-120

• Add Failover Group Dialog Box, page L-124

• Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x), page L-125

• Add Interface MAC Address Dialog Box, page L-127

• Bootstrap Configuration for LAN Failover Dialog Box, page L-127

Field Reference
Table L-63 Failover Page (ASA/PIX 7.x)

Element

Description

Enable Failover

Specifies whether failover is enabled on this device. You must configure the logical LAN failover interface and, optionally, the stateful failover interface.

Note

To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Configuration

Active/Active option

In an Active/Active failover configuration, both security appliances pass network traffic. Active/Active failover is only available to security appliances in multiple context mode.

To enable Active/Active failover on the security appliance, you must create failover groups. If you enable failover without creating failover groups, you are enabling Active/Standby failover. A failover group is a logical group of one or more security contexts. You can create two failover groups on the security appliance. You should create the failover groups on the unit that will have failover group 1 in the active state. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default.


Active/Standby option

In an Active/Standby configuration, the active security appliance handles all network traffic passing through the failover pair. The standby security appliance does not handle network traffic until a failure occurs on the active security appliance. Whenever the configuration of the active security appliance changes, it sends configuration information over the failover link to the standby security appliance.
When a failover occurs, the standby security appliance becomes the
active unit. It assumes the IP and MAC addresses of the previously
active unit. Because the other devices on the network do not see any
changes in the IP or MAC addresses, ARP entries do not change or
time out anywhere on the network.
Active/Standby failover is available to security appliances in single
mode or multiple mode.

Settings button

Click to display the Settings dialog box. See Settings Dialog Box,
page L-120 for more information.

LAN Failover

Interface

Interface you are using for the failover link.

Logical Name

The logical name of the interface on the active firewall device used to communicate with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address

Specifies the IP address of the active interface.

Standby IP Address

Specifies the IP address of the standby interface.

Subnet Mask

Netmask that corresponds with active and standby IP addresses.

Bootstrap button

Click to display the Bootstrap Configuration for LAN Failover dialog box. See Bootstrap Configuration for LAN Failover Dialog Box, page L-127 for more information.

State Failover

Interface

Interface you are using for the stateful failover link.


Logical Name

The logical name of the interface on the active firewall device used to communicate with the standby device for failover. When configured for stateful failover, the interface is directly connected to the standby device.

Active IP Address

Specifies the IP address of the active interface.

Standby IP Address

Specifies the IP address of the standby interface.

Subnet Mask

Netmask that corresponds with active and standby IP addresses.

Enable HTTP Replication

When selected, enables stateful failover to copy active HTTP sessions to the standby firewall.

Shared Key

Used to encrypt communication between primary and standby devices. Value can be any string.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.

Settings Dialog Box


The Settings dialog box allows you to define criteria for when failover should occur on an ASA or PIX 7.x firewall.
Navigation Path

You can access the Settings dialog box from the Failover page. For more
information about the Failover page, see Failover Page (ASA/PIX 7.x),
page L-117.
Related Topics

• Failover Policies, page L-106

• Failover Page (ASA/PIX 7.x), page L-117

• Add Failover Group Dialog Box, page L-124

• Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x), page L-125

• Add Interface MAC Address Dialog Box, page L-127


• Bootstrap Configuration for LAN Failover Dialog Box, page L-127

Field Reference
Table L-64 Settings Page

Element

Description

Interface Policy

Number of failed interfaces that triggers failover option

When the number of failed monitored interfaces exceeds the value you set with this option, the security appliance fails over. The range is between 1 and 250 failures.

Percentage of failed interfaces that triggers failover option

When the number of failed monitored interfaces exceeds the percentage you set with this option, the security appliance fails over.

Failover Poll Time

Unit Failover

The amount of time between hello messages among units. The range
is between 1 and 15 seconds or between 500 and 999 milliseconds.

Unit Hold Time

Sets the time during which a unit must receive a hello message on
the failover link, or else the unit begins the testing process for peer
failure. The range is between 3 and 45 seconds. You cannot enter a
value that is less than 3 times the poll time.

Monitored Interface

The amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Failover Groups

Group Number

Specifies the failover group number. This number is used when assigning contexts to failover groups.

Preferred Role

Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Preempt Enabled

Specifies whether the unit that is the preferred failover device for
this failover group should become the active unit after rebooting.


Preempt Delay

Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

Interface Policy

Specifies either the number of monitored interface failures or the percentage of failures that are allowed before the group fails over. The range is between 1 and 250 failures or 1 and 100 percent.

Interface Poll Time

Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.

Replicate HTTP

Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

MAC Address

Identifies the MAC address of the active interface.

MAC Address Mapping

Physical Interface

Specifies the physical interface for which failover virtual MAC addresses are configured.

Active MAC Address

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Monitor Interface Configuration

Interface Name

Displays the name of the interface.


Is Monitored

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

• Unknown: Initial status. This status can also mean the status cannot be determined.

• Normal: The interface is receiving traffic.

• Testing: Hello messages are not heard on the interface for five poll times.

• Link Down: The interface is administratively down.

• No Link: The physical link for the interface is down.

• Failed: No traffic is received on the interface, yet traffic is heard on the peer interface.

Edit Row button

Click to display the Edit Failover Interface Configuration dialog box to edit a failover interface configuration.

Management IP Address

Active

Specifies the management IP address of the active device.

Netmask

Specifies the netmask that corresponds with the active and standby
IP addresses.

Standby

Specifies the management IP address of the standby device.
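The timer constraints and interface-policy thresholds described in Table L-61 (Advanced Settings, FWSM) and Table L-64 (Settings, ASA/PIX 7.x), worked through in Python as an added example that is not Security Manager or appliance code. The ranges, the "hold time at least 3 x poll time" rule and the "5 consecutive missed hellos" rule come from the field reference; the data model, and the choice to count only the Failed status toward the interface policy, are assumptions made for this illustration.

```python
"""Failover timers and interface policy as described in the Advanced Settings
(FWSM) and Settings (ASA/PIX 7.x) dialog boxes. Added example, not Security
Manager or appliance code; ranges and rules come from the field reference,
the data model is an assumption made for this illustration."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Accepted ranges (inclusive) as stated in the field reference.
UNIT_POLL_SECONDS = range(1, 16)       # Unit Failover poll: 1-15 s ...
UNIT_POLL_MILLIS = range(500, 1000)    # ... or 500-999 ms
UNIT_HOLD_SECONDS = range(3, 46)       # Unit Hold Time: 3-45 s
INTERFACE_POLL_SECONDS = range(3, 16)  # Monitored Interface poll: 3-15 s
MAX_MONITORED_INTERFACES = 250
MISSED_HELLOS_BEFORE_TESTING = 5       # "5 consecutive hellos are not heard"


def validate_unit_timers(poll: int, hold_seconds: int,
                         poll_unit: str = "seconds") -> list:
    """Return the problems the dialog box would reject ([] means valid).
    Poll time is 1-15 s or 500-999 ms; hold time is 3-45 s and at least
    3 x the poll time."""
    problems = []
    if poll_unit == "seconds":
        poll_seconds = float(poll)
        if poll not in UNIT_POLL_SECONDS:
            problems.append(f"unit poll time {poll} s outside 1-15 s")
    elif poll_unit == "milliseconds":
        poll_seconds = poll / 1000.0
        if poll not in UNIT_POLL_MILLIS:
            problems.append(f"unit poll time {poll} ms outside 500-999 ms")
    else:
        raise ValueError("poll_unit must be 'seconds' or 'milliseconds'")
    if hold_seconds not in UNIT_HOLD_SECONDS:
        problems.append(f"unit hold time {hold_seconds} s outside 3-45 s")
    if hold_seconds < 3 * poll_seconds:
        problems.append(f"hold time {hold_seconds} s is less than 3 x poll "
                        f"time ({3 * poll_seconds:g} s)")
    return problems


def seconds_until_interface_testing(interface_poll_seconds: int) -> int:
    """Seconds from the last hello heard until the unit begins testing the
    interface. The page's example: poll time 5 s -> 25 s."""
    if interface_poll_seconds not in INTERFACE_POLL_SECONDS:
        raise ValueError("interface poll time must be 3-15 seconds")
    return MISSED_HELLOS_BEFORE_TESTING * interface_poll_seconds


@dataclass(frozen=True)
class InterfacePolicy:
    """Exactly one of the two options: a failure count (1-250) or a
    percentage of monitored interfaces (1-100)."""
    failed_count: Optional[int] = None
    failed_percent: Optional[int] = None

    def __post_init__(self) -> None:
        if (self.failed_count is None) == (self.failed_percent is None):
            raise ValueError("set failed_count or failed_percent, not both")
        if self.failed_count is not None and not (
                1 <= self.failed_count <= MAX_MONITORED_INTERFACES):
            raise ValueError("failed_count must be 1-250")
        if self.failed_percent is not None and not 1 <= self.failed_percent <= 100:
            raise ValueError("failed_percent must be 1-100")


def should_fail_over(policy: InterfacePolicy, statuses: Mapping[str, str]) -> bool:
    """Decide whether the unit fails over, given interface name -> status
    (Unknown, Normal, Testing, Link Down, No Link or Failed, as listed in
    the field reference). Only "Failed" counts: Testing is still in progress
    and the other states are not described as failures (assumption). The
    comparison follows the page's wording "exceeds", i.e. strictly greater;
    confirm the exact boundary against your platform's documentation."""
    if len(statuses) > MAX_MONITORED_INTERFACES:
        raise ValueError("at most 250 interfaces can be monitored")
    failed = sum(1 for s in statuses.values() if s == "Failed")
    if policy.failed_count is not None:
        return failed > policy.failed_count
    # Integer arithmetic keeps the percentage comparison exact.
    return failed * 100 > policy.failed_percent * len(statuses)
```

With two of four constructed interfaces in the Failed state, a count policy of 1 fails over while a 50 percent policy does not, which is the boundary the two options differ on.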


Add Failover Group Dialog Box


Use the Add Failover Group dialog box to define failover groups for an
Active/Active failover configuration.
Navigation Path

You can access the Add Failover Group dialog box from the Failover page. For
more information about the Failover page, see Failover Page (ASA/PIX 7.x),
page L-117.
Related Topics

• Failover Policies, page L-106

• Failover Page (ASA/PIX 7.x), page L-117

Field Reference
Table L-65 Add Failover Group Dialog Box

Element

Description

Preferred Role

Specifies the unit in the failover pair, primary or secondary, on which the failover group appears in the active state when both units start up simultaneously or when the preempt option is selected. You can have both failover groups in the active state on a single unit in the pair, with the other unit containing the failover groups in the standby state. However, a more typical configuration is to assign each failover group a different role preference to make each one active on a different unit, balancing the traffic across the devices.

Preempt after booting with optional delay of

Specifies the number of seconds that the preferred failover device should wait after rebooting before taking over as the active unit for this failover group. The range is between 0 and 1200 seconds.

Interface Policy

Select the failover policy for this interface:

• Number of failed interfaces that triggers failover

• Percentage of failed interfaces that triggers failover

• Use system failover interface policy

Poll time interval for monitored interfaces

Specifies the amount of time between polls among interfaces. The range is between 3 and 15 seconds.


Enable HTTP Replication

Identifies whether Stateful Failover should copy active HTTP sessions to the standby firewall for this failover group. If you do not allow HTTP replication, HTTP connections are disconnected at failover. Disabling HTTP replication reduces the amount of traffic on the state link. This setting overrides the HTTP replication setting on the Setup tab.

Interface Table

Physical Interface

Specifies the physical interface for which failover virtual MAC addresses are configured.

Active MAC Address

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby MAC Address

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Add

Click to display the dialog box to define a failover interface association.

Edit

Click to display the dialog box to edit a failover interface association.

Delete

Click to delete the selected failover interface association.

Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)


Use the Edit Failover Interface Configuration dialog box to define the standby IP
address for an interface and to specify whether the status of the interface should
be monitored.
Navigation Path

You can access the Edit Failover Interface Configuration dialog box from the
Failover page. For more information about the Failover page, see Failover Page
(ASA/PIX 7.x), page L-117.
Related Topics

• Failover Policies, page L-106

• Failover Page (ASA/PIX 7.x), page L-117


• Add Failover Group Dialog Box, page L-124

Field Reference
Table L-66 Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x)

Element

Description

Interface Name

Identifies the interface name.

Active IP Address

Identifies the IP address for this interface. This field does not appear
if an IP address has not been assigned to the interface.

Standby IP Address

Specifies the IP address of the corresponding interface on the standby failover unit. This field does not appear if an IP address has not been assigned to the interface.

Monitor this interface for failure

Specifies whether this interface is monitored for failure. The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged between the security appliance failover pair during every interface poll time period. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds). Monitored failover interfaces can have the following status:

• Unknown: Initial status. This status can also mean the status cannot be determined.

• Normal: The interface is receiving traffic.

• Testing: Hello messages are not heard on the interface for five poll times.

• Link Down: The interface is administratively down.

• No Link: The physical link for the interface is down.

• Failed: No traffic is received on the interface, yet traffic is heard on the peer interface.


Add Interface MAC Address Dialog Box


The Add Interface MAC Address dialog box allows you to define the MAC
addresses of interfaces for ASA, FWSM 3.x and PIX 7.x security appliances that
are configured for failover.
Related Topics

• Failover Policies, page L-106

• Failover Page (ASA/PIX 7.x), page L-117

• Settings Dialog Box, page L-120

Field Reference
Table L-67 Add Interface MAC Address Dialog Box

Element

Description

Physical Interface

Specifies the physical interface for which failover virtual MAC addresses are configured.

MAC Address

Active Interface

Specifies the MAC address of the active interface in hexadecimal format (for example, 0123.4567.89ab).

Standby Interface

Specifies the MAC address of the standby interface in hexadecimal format (for example, 0123.4567.89ab).

Bootstrap Configuration for LAN Failover Dialog Box


The Bootstrap Configuration for LAN Failover dialog box provides you with
bootstrap configuration that can be applied to the primary and secondary devices
in a LAN failover configuration.
Navigation Path

You can access the Bootstrap Configuration for LAN Failover dialog box from the
Failover page. For more information about the Failover page, see:

• Failover Page (PIX 6.x), page L-107

• Failover Page (FWSM), page L-110


• Failover Page (ASA/PIX 7.x), page L-117

Related Topics

• Failover Policies, page L-106

• Failover Page (PIX 6.x), page L-107

• Failover Page (FWSM), page L-110

• Failover Page (ASA/PIX 7.x), page L-117

Field Reference
Table L-68 Bootstrap Configuration for LAN Failover Dialog Box

Element

Description

Primary

Contains the bootstrap configuration for the primary device. Open a console connection to the primary device and then paste this configuration to activate failover on the device.

Secondary

Contains the bootstrap configuration for the secondary device. After the primary device becomes active, open a console connection to the secondary device and then paste this configuration to activate failover on the device.

Note

For Active/Active Failover, the bootstrap configurations are only applied to the system contexts
of the respective failover peer devices.

Hostname Page
You can use the Hostname page to specify a hostname for your firewall device and
to set a default domain name. The firewall device uses this domain name when
you do not enter the fully-qualified domain name in other commands. It also uses
the domain name in RSA key generation.
Navigation Path

To access this feature, select a firewall device in Device View and then select
Platform > Device Admin > Hostname from the Device Policy selector.


Related Topics

• Configuring Hostname Settings, page 15-62

• PIX/ASA/FWSM Platform User Interface Reference, page L-1

Field Reference
Table L-69 Hostname Page

Field

Description

Host Name

User-defined device name to help you differentiate among devices, for example, PIX-510-A.

Note

We recommend that you use a unique hostname for each device you create. The device name can be up to 63 alphanumeric (U.S. English) characters and can include any of the following special characters: ` ( ) + - , . / : =.

Domain Name

Optional field for adding a domain name. Enter a valid Domain Name System (DNS) domain name, for example, cisco.com.

Save button

Saves your changes to the server but keeps them private.

Note

To publish your changes, click the Submit button on the toolbar.

Resources Page
Use the Resources page to view configured classes and information about each
class. You can also use the Resources page to add, edit, or delete a class.
Navigation Path

In Device View, select the system context of an FWSM in multiple-context mode, and then select Platform > Device Admin > Resources from the Device Policy selector.
Related Topics

• Configuring Resources on Firewall Services Modules, page 15-63


Field Reference
Table L-70 Resources Page

Field

Description

Class

Shows the class name.

Contexts

Shows the contexts assigned to this class.

Connection Rate

Shows the limit for connections per second.

Fixups

Shows the limit for application inspections per second.

Syslogs

Shows the limit for system log messages per second.

Connections

Shows the limit for TCP or UDP connections between any two
hosts, including connections between one host and multiple other
hosts.

Hosts

Shows the limit for hosts that can connect through the FWSM.
