Managing Cisco Devices with ASDM and SDM

Page 1 of 13

Managing Cisco Devices with ASDM and SDM
Peter J. Welcher

Introduction
Hello again! I've been working on a course development project, with some rather long hours due to a very tight deadline. Part of the course goes into the Cisco Router and Security Device Manager (SDM), and another part looks at Adaptive Security Device Manager (ASDM). Of course, that means these look like good topics for an article. I wrote about those about 18 months ago. It does seem timely to do a quick update on them. I've been working with the latest versions, which show some solid improvements. One of the things I've been noticing is that the NAT, VPN, and Firewall Wizards do some safety checking. Don't you just hate it when you don't think of something and end up cutting off your VPN access into a remote router? Well, they've made it harder to "shoot yourself in the foot" with these tools.
SDM 2.1.2 is the latest version of SDM. I wrote about SDM 1.1 in March 2004, see also http://www.netcraftsmen.net/welcher/papers/sdm.html. SDM is available now for the router series 850, 870, 1800, 2800, 3800 (Integrated Services Routers -- ISR's). It is also available and usable in some of the other models. It is orderable as a factory-installed option. ASDM 5.0(2) is the successor to PIX Device Manager (PDM). I wrote about PDM in February 2004, see also http://www.netcraftsmen.net/welcher/papers/pdm.html. ASDM is for some of the PIX models, and for the new integrated ASA devices.

There are now some substantial user interface similarities between the two tools. For screen shots and so on, we will focus on ASDM here. There is a nice set of tutorial graphical documents ("technical references") online showing various uses of SDM. The main URL for this: http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_technical_reference_list.html. This is a great place to look if you want screen captures of SDM, or some idea of what it can do and how to use it in various settings. This is also why I'm not going to post a PDF of a wide variety of SDM or ASDM screen captures this time around. It has already been done for us!

Versions and Pre-Requisites
Rather than reproduce the lengthy information about platforms and Cisco IOS versions, I'll refer you to the authoritative data.

Document          URL
SDM main page     http://www.cisco.com/en/US/products/sw/secursw/ps5318/
SDM data sheet    http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_data_sheet0900aecd800fd118.h
ASDM main page    http://www.cisco.com/en/US/products/ps6121/index.html
ASDM data sheet   http://www.cisco.com/en/US/products/ps6121/products_data_sheet09186a008014871d.html

http://www.netcraftsmen.net/welcher/papers/asdm01.html 10/9/2005

Do note that ASDM 5.0 requires PIX OS 7.0 or later, which is a significant (but useful) transition. We're not going to go into PIX 7.0 here, but realize there are many new features and changes in 7.0.

Installing and Enabling ASDM
If you already have a PIX or ASA running 7.0, but lack ASDM, installation is fairly easy. Download the code, copy to flash. You will then need to briefly RTFM (Read The Fine Manual) for the configuration commands. These amount to turning on the ASDM web server in the PIX, and allowing HTTPS access to specific address(es). You may need to identify the binary file name for ASDM in flash as well. Suppose your management group is on subnet 10.10.10.0 /24. Command syntax:

http server enable
http 10.10.10.0 255.255.255.0 inside
asdm image flash:asdm502.bin

If the PIX or ASA is configured, you will then need routing and network connectivity from your PC in the 10.10.10.0 /24 subnet to the PIX.

So Show Me ASDM Already!
When you launch ASDM, you'll need to point your browser at the inside of the PIX or ASA device, using HTTPS. You should then see the following screen:

When you then click, accept certificates, and log in, you will arrive at the Home page. (No, you can't see mine!) The Home page is intended as a dashboard for keeping an eye on basic operation of the device. It shows current state of the security device. You can click on the License tab to check the licensing information for the device.

You may have noticed the nifty graphs at the bottom showing CPU, RAM memory, connections per second, and selected interface I/O in Kbps. When syslog is enabled, messages show up in the bottom area of this window. The "built" and "teardown" messages show the stateful firewall activity. Click on the Configuration button to switch to configuration mode. The icons or buttons down the left side are the various major things you can configure. Our next screen capture shows the Interfaces configuration screen.

You may click on any interface and configure it via the Edit button at the right. (I suspect you can figure out for yourself what Add and Delete do.) ASDM's Security Policy configuration allows you to view, enable or disable the default policy, allowing traffic from more to less secure interfaces. You can also add, edit, or delete your own ACL rules via a colorful and informative GUI screen. I found this tool quite usable.

I do have to mention two minor surprises. The first was that the ACL rule name is not visible, but sequence numbers are. The reason is that the rule names default, e.g. outside_access_out. The second one is also a CLI gotcha I just had not run into. With all the CLI typing, I'd never used the inactive option in a PIX ACL rule. With the GUI, this option is much easier to use. The highlighted rule is an example of such, with an entry flagged as inactive. And that's what bit me briefly in some testing. If you create an ACL rule, then uncheck it to disable it, you still have an access list. Well, if you think about it, that ACL must end with the default deny any. I disabled the rule, and I was thinking "gee, so why is my traffic getting blocked". Displaying the implicit deny any might have been something the programmers could have done as a reminder of this.
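To make the inactive-rule gotcha concrete, here is a small Python ACL evaluator added as an illustration (it is not from the article, ASDM, or Cisco). It walks a constructed PIX 7.0-style extended ACL in order, skips any entry carrying the inactive keyword, and falls through to the implicit deny any when nothing matches; the ACL name, addresses and ports are made-up sample values.

```python
import ipaddress

# Constructed sample: a PIX 7.0-style extended ACL whose second entry has been
# disabled with the "inactive" keyword (what ASDM emits when a rule is unchecked).
SAMPLE_ACL = """
access-list outside_access_in extended permit tcp any host 10.10.10.5 eq 80
access-list outside_access_in extended permit tcp any host 10.10.10.5 eq 443 inactive
access-list outside_access_in extended permit icmp any 10.10.10.0 255.255.255.0
""".strip().splitlines()

def _addr(tokens):
    """Consume one address spec from the token list: any | host A | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")

def parse_ace(line):
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq PORT] [inactive]."""
    tokens = line.split()
    action, proto, rest = tokens[3], tokens[4], tokens[5:]
    src, dst = _addr(rest), _addr(rest)
    port, inactive = None, False
    while rest:
        t = rest.pop(0)
        if t == "eq":
            port = int(rest.pop(0))
        elif t == "inactive":
            inactive = True
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "inactive": inactive}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """Return (action, line number) of the first active matching entry, or
    ('deny', None) for the implicit deny any at the end of every ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for lineno, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if ace["inactive"]:  # still present in the config, but not enforced
            continue
        if (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"], lineno
    return "deny", None  # nothing matched: implicit deny
```

A lookup for TCP/443 to 10.10.10.5 returns ('deny', None) even though the permit line is still in the configuration, which is exactly the surprise described above.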

You should note the Apply button at the bottom. Until you apply changes, nothing is done to the security device. One of the preference options is to let you preview the configuration changes, and Send or Cancel. While doing screen captures, I noticed that doing Fn+Alt+ScreenCap was apparently interpreted as the same as clicking on Send. You may want to stay away from the Alt key.

One more configuration mode screen. When you click on Routing, you see the routing options with PIX 7.0: static routes, RIP, and quite a bit of OSPF, including redistribution and summary addresses. So ASDM gives a lot of routing configuration assistance in its GUI. SDM is a bit more basic than that in the routing arena. But once it catches up, most of the more routine and even moderately advanced routing features will be configurable via GUI.

The real power of ASDM lies in the areas of NAT, also VPN. There is also a VPN Wizard, accessible through the menus at the top. Just to give the flavor of the VPN screens:

This lets you configure all the VPN policies via GUI. The VPN Wizard makes VPN tunnel setup much easier and less confusing for beginners. Much less work than typing.

ASDM also provides two screens for more routine administration of the PIX or ASA device. Device Administration is the fairly obvious place to start. The next frame over shows all of the items that may be configured through ASDM. In case you were wondering, I had clicked on Telnet, and Add, to allow telnet access from 10.20.3.0 /24. The ASDM/HTTPS and Secure Shell screens serve a similar purpose.

The Properties button allows you to set up more of the security device configuration (AAA servers, DHCP services, DNS client, logging, IP audit, anti-spoofing, and many other features).

The final major mode in ASDM is the Monitoring mode. Click the Monitoring button to enter this mode. Down the left side of the screen (below) you will see the various areas you can monitor. You get a mix of screens showing status, and graphs. We clicked on CPU under System Graphs. We then clicked the one visible item, then Show Graphs.

That brought up the following graph. Similar graphs are available for many things, ranging from interface utilization to VPN connections.

That's all we have room to show. I do hope you've found this useful and informative.

My reaction after driving SDM in particular was that it was much improved. When I used the tools 18 months ago, I found myself fighting them a bit. The most recent version of SDM makes it much more of a breeze. Now the workflow seems natural, with good built-in defaults, and with the built-in troubleshooting. In particular, I had found VPN setup a bit of a twisty little maze of passages before. Confusing. With the built-in VPN test and troubleshooting in SDM, Easy VPN Server or Easy VPN Remote setup makes it even easier. Put in the address to connect to, identify outside interface, shared key, and that's pretty much it!

Folks that know me have heard me saying to use CiscoWorks. I still feel that's true for networks with more than 5-10 devices, because it is a power tool. But SDM and ASDM are a different kind of power tool. They are directed at, and quite useful for, configuring a single device. The tools are quite easy to use. With them, you may be able to get a Cisco device up and running a lot more easily. These tools do significantly lower the training and knowledge threshold. But it's more than that, there's good advice and a fair degree of intelligence behind the pretty GUI. I see a real shift happening here. With all the Wizards in SDM (more than ASDM), these tools have grown up and are showing some real potential.

They already dramatically lower the barriers to getting started in the Cisco world. Now you need some idea what you're doing in terms of routing, NAT, VPN, etc. But you only need minimal CLI knowledge if you work with SDM or ASDM, and that is quite a big change!

Would I only use the GUI? Well, I know the Cisco CLI quite well. So maybe I tend to lean that way. On the other hand, even though I know IPsec from the CLI, it is faster and more likely to be right the first time using the GUI. For multi-site VPN deployment, I'd probably build a template, then edit it to configure new sites. The difference now is, I might use ASDM or SDM to configure the central site and one remote site, and then take my template from them.

Reader Participation Item
Last month I opened a reader participation thread. I'm looking for ideas that fit the title "Surprise: Top 10 (or 20) Things That Defeat or Disable CEF". This might also be described as "How to Make a Catalyst 6500/7600 Unhappy". Thanks to those that responded. For example:

- Using a packet or QoS classification ACL with "log" in it
- Large packets sent out a GRE tunnel needing fragmentation and being process switched because of that
- Had to disable CEF due to bug with WCCP (the surprise was the bug, not that CEF was off)
- QoS NBAR configuration causing process switching (at least Cisco IOS apparently put out a syslog message warning about this)

What other things disable CEF? I'm particularly interested in those that most surprised you. I'll collect answers for a month or two, then publish any new ideas. To encourage participation, bragging rights go to the "best" entry.

Gotcha!
I've got another Gotcha topic this month, one I'd appreciate your (brief!) thoughts and email on: "Things that configure via GUI and don't show up in the running config." (That certainly violates my expectations that EVERYTHING running in the router shows up in the running config.) There are two cases of this I know of to date:

- If you configure SAA (now IP SLA) via CiscoWorks IPM, the rtr commands don't show up in the running config. They do show up when you do "show rtr" commands.
- SDM supports IOS-based IPS in the ISR routers. The IPS component documentation specifically states that the documented IPS CLI commands are quietly ignored, and that all configuration must be done via the GUI.

By the way, the motivation for the first and possibly the second of these is apparently so that NOC or Security staff can enable or change a feature without tipping off the Change Control Police. Am I right that this is a Really, Really Bad Idea(TM) and that the Cisco engineers need to stop doing it? Or add a "show run" variant that shows such commands too? What are your thoughts? Any more examples of this? Anyway, if my router is running high CPU, the first thing I want to do is compare the running config to see what might have changed, not play guessing games with show commands or GUI.

Summary
Your comments, questions, and suggestions for future articles are of course welcome! See below to decipher my email address. Questions, suggestions for articles, etc. can be sent to pjw <at> netcraftsmen <dot> net (formatted this way to fool email harvesting software). Please do email me if you have ideas on these. New articles will be posted under the Articles link. Thanks!

Dr. Peter J. Welcher (CCIE #1773, CCSI #94014, CCIP) is a Senior Consultant with Chesapeake NetCraftsmen, with expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, IP multicast, IPSec VPN, security, network management, wireless LAN and bridging, and other areas. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has ten CCIEs. See http://www.netcraftsmen.net for more information about NetCraftsmen. Pete's links start at http://www.netcraftsmen.net/welcher.

Copyright (C) 2005 Peter J. Welcher
