User Guide for Cisco Security Manager 3.1



THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0807R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

User Guide for Cisco Security Manager 3.1
© 2002-2007 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface 81

Audience 1-81

Conventions 1-81

Product Documentation 1-82

Obtaining Documentation, Obtaining Support, and Security Guidelines 1-83

CHAPTER 1 Getting to Know Security Manager 1-1

What's New in Cisco Security Manager 3.1 1-1

Product Overview 1-4
Primary Benefits of Cisco Security Manager 3.1 1-5
Security Manager Feature Sets 1-7

Using Security Manager - Overview 1-10
Configuration Views 1-10
User Taskflow 1-11
Policy Overview 1-13
Workflow Overview 1-14

Getting Started Checklist 1-15

Using the JumpStart 1-16

CHAPTER 2 Performing Administrative Tasks 2-1

Define These Settings First 2-2

Setting Up User Permissions 2-3
Security Manager Permissions 2-4

View Permissions 2-5
Modify Permissions 2-14
Assign Permissions 2-23
Approve Permissions 2-26

Understanding CiscoWorks Roles 2-27
CiscoWorks Common Services Default Roles 2-27
Assigning Roles to Users in CiscoWorks Common Services 2-28

Understanding Cisco Secure ACS Roles 2-29
Cisco Secure ACS Default Roles 2-30
Customizing Cisco Secure ACS Roles 2-31

Default Associations Between Permissions and Roles in Security Manager 2-32

Integrating Security Manager with Cisco Secure ACS 2-34
ACS Integration Requirements 2-35
Checklist for Initial Cisco Secure ACS Setup 2-37
Integration Procedures Performed in Cisco Secure ACS 2-38

Defining Users and User Groups in Cisco Secure ACS 2-39
Adding Managed Devices as AAA Clients in Cisco Secure ACS 2-41
Creating an Administration Control User in Cisco Secure ACS 2-47

Integration Procedures Performed in CiscoWorks 2-47
Creating a Local User in CiscoWorks 2-48
Defining the System Identity User 2-49
Configuring the AAA Setup Mode in CiscoWorks 2-50

Restarting the Daemon Manager 2-51
Assigning Roles to User Groups in Cisco Secure ACS 2-52

Assigning Roles to User Groups Without NDGs 2-53
Associating NDGs and Roles with User Groups 2-54

Selecting a Workflow Mode 2-56
Working in Workflow Mode 2-56
Working in Non-Workflow Mode 2-57

Comparing the Two Workflow Modes 2-58
Enabling and Disabling Workflow Modes 2-59

Working with AutoLink 2-61

Defining Configuration Archive Settings 2-62

Customizing Your Desktop 2-64

Defining Deployment Settings 2-65

Defining Device Communication Settings 2-68
About Security Manager and Device Authentication 2-70
Defining Connection and Transport Protocol Settings in the UI 2-71
Adding Certificates for IPS Devices, Cisco IOS Devices, and PIX/ASA/FWSM Devices 2-73
Defining SSH by Editing the DCS Properties File 2-74

Working with Device Groups 2-75

Defining Discovery Settings 2-76

Administering IPS Update Settings 2-77
Establishing the IPS Update Server 2-78
Administering IPS Updates 2-79
Automating IPS Updates 2-80

Administering Licenses 2-82
Installing Security Manager License Files 2-82
Updating IPS License Files 2-85
Redeploying IPS License Files 2-86
Automating IPS License File Updates 2-87
Getting Help with Licensing 2-87

Archiving Log Files 2-88

Defining Policy Management Settings 2-89

Defining Policy Object Settings 2-91

Working with Server Security 2-92

Working with Status Providers 2-94

Taking Over Another User's Work 2-96

Defining TMS (Token Management System) Settings 2-97

Configuring VPN Policy Defaults 2-98

CHAPTER 3 Working with the Security Manager User Interface 3-1

Logging In to and Exiting Security Manager 3-2
Logging In to the Cisco Security Management Suite Server 3-2
Logging In to and Exiting the Security Manager Client 3-3
Server Connection Status and the Idle Timeout 3-4

Security Manager User Interface Overview 3-4

Security Manager Views 3-5
Device View Interface Overview 3-6
Map View Interface Overview 3-7
Policy View Interface Overview 3-9

Menu Bar Reference 3-10
File Menu 3-10
Edit Menu 3-11
View Menu 3-12
Policy Menu 3-13
Map Menu 3-14
Tools Menu 3-15
Activities Menu 3-17
Help Menu 3-18

Toolbar Reference 3-19

Using Selectors 3-20
Selecting Items from Selectors 3-21
Managing Items in Selectors 3-21
Filtering Items in Selectors 3-21

Using Wizards 3-22

Using Rules Tables 3-22
Filtering Tables 3-24
Table Columns and Column Heading Features 3-26
Understanding Rules Table Sections 3-27
Working with Rules Table Data 3-27
Using Main Menu Table Commands 3-29
Using Rules Table Buttons 3-30

Using Text Boxes 3-30
Finding Text in Text Boxes 3-30
Navigating Within Text Boxes 3-31

Selecting a File or Directory on the Server File System 3-31

Accessing Online Help 3-32

CHAPTER 4 Using Map View 4-1

Understanding Maps 4-1

Working With Maps 4-2
Access Permissions for Maps 4-3
Creating Maps 4-3
Saving Maps 4-4
Opening Maps 4-4
Deleting Maps 4-5
Exporting Maps 4-6
Navigating Maps 4-7

Using the Navigation Window 4-7
Panning Maps 4-8
Changing the Zoom Level of Maps 4-8
Selecting Map Elements 4-9
Centering Map Elements 4-9
Using Map Layouts 4-9

Undocking the Map Window 4-9
Searching for Map Elements 4-10
Refreshing Maps 4-10
Using Linked Maps 4-11
Using the Default Map 4-11
Changing the Map Background Color 4-12
Working With Map Background Images 4-13

Importing Map Background Images 4-13
Setting Map Background Images 4-14
Deleting Map Background Images 4-14
Using Background Image Coordinates and Scale 4-15

Displaying Your Network on the Map 4-16
Understanding Map Elements 4-16
Displaying Managed Devices on the Map 4-17

Adding a New Managed Device to the Map 4-17
Displaying an Existing Managed Device on the Map 4-18
Showing Containment of Catalyst Switches, Firewalls, and Adaptive Security Appliances 4-19
Displaying Devices on the Map from the Device View 4-19

Using Map Objects To Represent Network Topology 4-20
Adding Map Objects 4-20
Deleting Map Objects 4-21

Displaying Layer 3 Links on the Map 4-21
Creating Layer 3 Links 4-22
Deleting Layer 3 Links 4-23
Understanding Automatic Layer 3 Connectivity Display 4-23

Managing Firewall Services in Map View 4-24
Managing Firewall Policies (Map View) 4-24

Managing Firewall Access Rules (Map View) 4-24
Managing Firewall Inspection Rules (Map View) 4-25

Managing Firewall AAA Rules (Map View) 4-25
Managing Web Filter Rules (Map View) 4-26
Managing Firewall Transparent Rules (Map View) 4-26

Managing Firewall Settings (Map View) 4-27
Managing Firewall Access Control Settings (Map View) 4-27
Managing Firewall Inspection Settings (Map View) 4-27
Managing AuthProxy Firewall Settings (Map View) 4-28
Managing Web Filter Settings (Map View) 4-28

Managing VPNs in Map View 4-29
Creating VPN Topologies (Map View) 4-29

Creating a Point-to-Point VPN Connection 4-30
Creating Full Mesh or Hub and Spoke VPNs (Map View) 4-30

Editing VPN Policies From the Map 4-31
Editing VPN Peers From the Map 4-32
Displaying Existing VPNs on the Map 4-33
Adding and Removing VPN Tunnels on the Map 4-33
Listing VPN Peers on the Map 4-34

Managing Device Policies in Map View 4-34
Copying Policies Between Devices (Map View) 4-35
Sharing Device Policies (Map View) 4-35
Cloning Devices (Map View) 4-36
Previewing Device Configuration 4-36
Discovering Device Configurations 4-36

CHAPTER 5 Managing Devices 5-1

Preparing the Devices for Security Manager to Manage 5-2
Setting Up SSL 5-4

Setting Up SSL on PIX Firewall, ASA, and FWSM Devices 5-5
Setting Up SSL on Cisco IOS Routers 5-6

Setting Up SSH 5-9

Critical Line-ending Conventions for SSH 5-9
Testing Authentication 5-9
Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices 5-10
Preventing Non-SSH Connections - Optional 5-11

Setting Up AUS 5-13
Setting Up AUS on PIX Firewall and ASA Devices 5-13
Setting Up CNS Gateway on an Auto Update Server 5-14

Setting Up CNS 5-15
Setting Up CNS on PIX Firewall and ASA Devices 5-15
Setting Up CNS on Cisco IOS Routers 5-15

Setting Up TMS 5-21
Changing the Device Transport Protocol on Cisco IOS Routers 5-22

Initializing IPS Devices 5-23

Understanding the Device View 5-24
Filtering the Device Selector 5-28

Adding Devices to the Security Manager Inventory 5-30

Adding Catalyst 6500/7600 Devices from the Network 5-33
Adding VPN SPA Slot Locations 5-35

Working with Devices with Dynamically Assigned IP Addresses 5-36
Understanding Auto Update Server and Configuration Engine 5-36
Adding an Auto Update Server or Configuration Engine 5-37

Adding an Auto Update Server or Configuration Engine When Adding a New Device 5-38
Adding an Auto Update Server When Adding a Device from Network 5-39

Editing the Auto Update Server or Configuration Engine Information 5-40
Editing an Auto Update Server or Configuration Engine When Adding a New Device 5-41
Editing the Auto Update Server Information when Adding Device from Network 5-42

Understanding Device Credentials 5-43

Working with Device Connectivity Test 5-45
Understanding Device Connectivity Test 5-45
Verifying Device Connectivity from Security Manager 5-47

Testing Device Connectivity While Adding a Device from the Network 5-47
Testing Device Connectivity While Adding a New Device 5-49
Testing Device Connectivity After Adding a Device to Security Manager 5-50

Understanding Device Properties 5-51
Defining Device Properties 5-53

Working with Device Policies 5-54

Cloning a Device 5-55

Deleting Devices from the Security Manager Inventory 5-56

Understanding Device Grouping 5-57
Working With Device Groups 5-59

Creating Device Group Types 5-59
Creating Device Groups 5-60
Deleting Device Group Types, Device Groups, or Subgroups 5-61

Adding Devices to Device Groups 5-62

CHAPTER 6 Managing Policies 6-1

Understanding Policies 6-1
Settings-Based Policies vs. Rule-Based Policies 6-2
Service Policies vs. Platform-Specific Policies 6-3
Local Policies vs. Shared Policies 6-4
Policy Management and Objects 6-6

Discovering Policies 6-7
Discovering Policies on Devices Already in Security Manager 6-10

Viewing Policy Discovery Task Status 6-12
Frequently Asked Questions about Policy Discovery 6-13

Managing Policies in Device View 6-20
Performing Basic Policy Management 6-20

Configuring Local Policies in Device View 6-21
Policy Status Icons 6-22
Copying Policies Between Devices 6-23
Unassigning a Policy 6-25

Working with Shared Policies in Device View 6-27
Sharing a Local Policy 6-28
Sharing Multiple Policies of a Selected Device 6-30
Unsharing a Policy 6-32
Assigning a Shared Policy to a Selected Device 6-33
Adding Local Rules to a Shared Policy 6-34
Copying a Shared Policy 6-36
Renaming a Shared Policy 6-37
Modifying Shared Policy Definitions in Device View 6-38
Modifying Shared Policy Assignments in Device View 6-39

Managing Shared Policies in Policy View 6-40
Policy View Selectors 6-42

Filtering the Shared Policy Selector 6-43
Policy View Work Area 6-44
Creating a New Shared Policy 6-45
Modifying Policy Assignments in Policy View 6-46
Deleting a Shared Policy 6-48

Advanced Policy Features 6-49
Customizing Policy Management 6-49
Understanding Rule Inheritance 6-50

Inheritance vs. Assignment 6-53
Inheriting Rules 6-54

Understanding Locking 6-55
Understanding Locking and Policies 6-57
Understanding Locking and VPN Topologies 6-58
Understanding Locking and Objects 6-59

CHAPTER 7 Managing Activities 7-1

Understanding Activities 7-2
Benefits of Activities 7-3
Activity Approval 7-3
Activities and Locking 7-4
Activities and Multiple Users 7-5
Understanding Activity States 7-5

Working with Activities 7-9
Accessing Activity Functions 7-9
Creating an Activity 7-11
Opening an Activity 7-12
Closing an Activity 7-12
Validating an Activity 7-13
Submitting an Activity for Approval 7-14
Approving or Rejecting an Activity 7-16
Understanding Activity Change Reports 7-17
Discarding an Activity 7-19
Displaying Activity Details 7-19
Displaying Activity History 7-20

CHAPTER 8 Managing Objects 8-1

Introduction to Objects 8-1
Creating Objects 8-2
Guidelines for Managing Objects 8-4

Understanding the Policy Object Manager Window 8-5
Object Type Selector 8-7
Policy Object Manager - Filtering Bar 8-7
Policy Object Manager - Work Area 8-8

Managing Existing Objects 8-9
Editing Objects 8-10
Deleting Objects 8-11
Managing Object Overrides 8-12
Duplicating Objects 8-13
Generating Object Usage Reports 8-14
Viewing Object Details 8-15

Understanding AAA Server Group Objects 8-16
Predefined AAA Authentication Server Groups 8-17
Default AAA Server Groups and IOS Devices 8-18
Creating AAA Server Group Objects 8-19

Understanding AAA Server Objects 8-23
Supported AAA Server Types 8-25
AAA Support on ASA Devices 8-26
Creating AAA Server Objects 8-29

Understanding Access Control List Objects 8-31
Understanding the GUI 8-35
Creating Access Control List Objects 8-36

Creating Extended Access Control List Objects 8-36
Creating Standard Access Control List Objects 8-39
Creating Web Access Control List Objects 8-41

Understanding ASA User Group Objects 8-43
Creating ASA User Group Objects 8-45

Understanding Category Objects 8-48
Editing Category Objects 8-49

Understanding Credential Objects 8-50
Creating Credential Objects 8-50

Understanding FlexConfig Objects 8-52
Creating FlexConfig Objects 8-53

Understanding IKE Proposal Objects 8-54
Creating IKE Proposal Objects 8-55

Understanding Inspection Map Objects 8-57
Creating DNS Class Map Objects 8-59
Creating FTP Class Map Objects 8-61
Creating HTTP Class Map Objects 8-63
Creating IM Class Map Objects 8-67
Creating SIP Class Map Objects 8-70
Understanding DNS Policy Maps 8-72
Creating DNS Map Objects 8-73
Understanding FTP Policy Maps 8-76
Creating FTP Map Objects 8-76
Understanding GTP Policy Maps 8-79
Creating GTP Map Objects 8-80
Understanding HTTP Policy Map Objects 8-83
Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) 8-84

Configuring the General Tab 8-85
Configuring the Entity Length Tab 8-87
Configuring the RFC Request Method Tab 8-88
Configuring the Extension Request Method Tab 8-90
Configuring the Port Misuse Tab 8-91
Configuring the Transfer Encoding Tab 8-93

Creating HTTP Map Objects (ASA 7.2/PIX 7.2) 8-94
Understanding IM Map Objects 8-99

Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices 8-99
Creating IM Map Objects for IOS Devices 8-102

Understanding SIP Map Objects 8-104
Creating SIP Map Objects 8-104
Creating Regular Expression Group Objects 8-107
Creating Regular Expression Objects 8-109

Metacharacters Used to Build Regular Expressions 8-111
Notes 8-113

Creating TCP Map Objects 8-113

Understanding Interface Role Objects 8-115
Creating Interface Role Objects 8-116
Specifying Interfaces During Policy Definition 8-118
Exceptional Cases When Using Interface Roles 8-119

Understanding IPsec Transform Set Objects 8-120
IPsec Protocols 8-121
IPsec Modes 8-122
Creating IPsec Transform Set Objects 8-122

Understanding LDAP Attribute Map Objects 8-124
Creating LDAP Attribute Map Objects 8-125

Understanding Network/Host Objects 8-127
Supported IP Address Formats 8-128
Contiguous and Discontiguous Network Masks 8-129
Creating Network/Host Objects 8-131
Using Unspecified Network/Host Objects 8-134
Specifying IP Addresses During Policy Definition 8-135

Understanding PKI Enrollment Objects 8-136
Creating PKI Enrollment Objects 8-138

Defining CA Server Properties 8-140
Defining PKI Enrollment Parameters 8-142
Defining Additional PKI Attributes 8-145
Defining the Trusted CA Hierarchy 8-146

Understanding Port Forwarding List Objects 8-147
Creating Port Forwarding List Objects 8-148

Understanding Port List Objects 8-150
Creating Port List Objects 8-151

Understanding Secure Desktop Configuration Objects 8-153
Creating Secure Desktop Configuration Objects 8-154

Understanding Service Group Objects 8-157
Creating Service Group Objects 8-157

Understanding Service Objects 8-159
Creating Service Objects 8-160

Understanding Single Sign-On Server Objects 8-162
Creating Single Sign-On Server Objects 8-164

Understanding SLA Monitor Objects 8-166
Creating SLA Monitor Objects 8-167

Understanding Style Objects 8-169
Creating Style Objects 8-170

Understanding Text Objects 8-171
Creating Text Objects 8-172

Understanding Time Range Objects 8-173
Creating Time Range Objects 8-174

Creating Traffic Flow Objects 8-176
Understanding IP Precedence Bits 8-178

Understanding URL List Objects 8-179
Creating URL List Objects 8-179

Understanding User Group Objects 8-181
Creating User Group Objects 8-182

Understanding SSL VPN Customization Objects 8-186
Creating SSL VPN Customization Objects 8-187

Understanding SSL VPN Gateway Objects 8-191
Creating SSL VPN Gateway Objects 8-192

Understanding WINS Server List Objects 8-194
Creating WINS Server List Objects 8-195

Overriding Global Objects for Individual Devices 8-197
Allowing a Global Object to Be Overridden 8-198
Creating Device-Level Object Overrides 8-199

Creating Object Overrides for a Single Device 8-199
Creating Object Overrides for Multiple Devices 8-200

Deleting Device-Level Object Overrides 8-202
Deleting Overrides from the Device Properties Window 8-202
Deleting Overrides from the Policy Object Manager window 8-202

Selecting Objects for Policies 8-203
Filtering Object Selectors 8-207
Object Filtering Options 8-209

How Policy Objects are Provisioned as PIX/ASA Object Groups 8-211
How Network/Host Objects are Provisioned as PIX/ASA Object Groups 8-212
How Port List Objects are Provisioned as PIX/ASA Object Groups 8-214
How Service Objects are Provisioned as PIX/ASA Object Groups 8-215
How Service Group Objects are Provisioned as PIX/ASA Object Groups 8-218

CHAPTER 9 Managing Site-to-Site VPNs 9-1

Understanding VPN Topologies 9-2
Hub-and-Spoke VPN Topologies 9-3
Point-to-Point VPN Topologies 9-5
Full Mesh VPN Topologies 9-6
Implicitly Supported Topologies 9-8

Understanding IPsec Technologies and Policies 9-8
Understanding VPN Default Policies 9-12

Site-To-Site VPN Discovery 9-13
Supported Technologies and Topologies for VPN Discovery 9-13
Prerequisites for VPN Discovery 9-14
VPN Discovery Rules 9-16
Discovering Site-to-Site VPNs 9-17
Rediscovering Site-to-Site VPNs 9-18

Working with VPN Topologies 9-20
Creating a VPN Topology 9-20

Defining a Name and IPsec Technology 9-22
About Selecting Devices in a VPN Topology 9-23
Selecting Devices for Your VPN Topology 9-25
About Defining and Editing the Endpoints and Protected Networks 9-26
Defining the Endpoints and Protected Networks 9-28
Assigning Default Policies to Your VPN Topology 9-31

About Editing a VPN Topology 9-33
Editing a VPN Topology 9-35
Deleting a VPN Topology 9-37
Understanding Dial Backup 9-37
Configuring Dial Backup 9-39
Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface 9-40
Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade 9-42
Procedure for Configuring a VPNSM or VPN SPA Blade 9-44
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA 9-48
Understanding VRF-Aware IPsec 9-51

VRF-Aware IPsec One-Box Solution 9-52
VRF-Aware IPsec Two-Box Solution 9-53

Configuring VRF-Aware IPsec Settings 9-55
Understanding High Availability 9-58
Configuring High Availability in Your VPN Topology 9-60

Managing VPN Devices in Device View 9-62

Working with Site-to-Site VPN Policies 9-64
Managing Shared Site-to-Site VPN Policies in Policy View 9-65
Understanding IKE 9-67

Deciding Which Encryption Algorithm to Use 9-68
Deciding Which Hash Algorithm to Use 9-69
Deciding Which Diffie-Hellman Group to Use 9-69
Deciding Which Authentication Method to Use 9-70

Configuring an IKE Proposal 9-71
Understanding IPsec Tunnel Policies 9-72

About Crypto Maps 9-73
About Transform Sets 9-74
About Reverse Route Injection 9-76

Configuring IPsec Proposals 9-77
Understanding VPN Global Settings 9-78

Understanding ISAKMP/IPsec Settings 9-79
Understanding NAT 9-80
Understanding Fragmentation 9-82

Configuring VPN Global Settings 9-83
Understanding Preshared Key Policies 9-84
Configuring Preshared Key Policies 9-86
Understanding Public Key Infrastructure Policies 9-87

Prerequisites for Successful PKI Enrollment 9-89
Configuring Public Key Infrastructure Policies 9-92
Understanding GRE 9-94

Understanding GRE Configuration for Dynamically Addressed Spokes 9-98

Configuring GRE or GRE Dynamic IP Policies 9-99
Understanding DMVPN 9-101
Configuring DMVPN Policies 9-104

Configuring Large Scale DMVPNs 9-107
Understanding Easy VPN 9-109
Configuring an IPsec Proposal for Easy VPN 9-115
Configuring a User Group Policy for Easy VPN 9-117
Configuring a Tunnel Group Policy for Easy VPN 9-119
Configuring Client Connection Characteristics for Easy VPN 9-121

CHAPTER 10 Managing Remote Access VPNs 10-1

Discovering Remote Access VPN Policies 10-2

Working with Policies in Remote Access VPNs 10-3
Using the Remote Access Configuration Wizard 10-4
User Group Policies in Remote Access VPNs 10-6

Configuring User Group Policies 10-7
Tunnel Group Policies in Remote Access VPNs 10-8

Configuring Tunnel Group Policies 10-9
Assigning the Default Remote Access VPN Policies 10-11
IPsec Proposals in Remote Access VPNs 10-12

Configuring an IPsec Proposal on a Remote Access VPN Server 10-14
IKE Proposals in Remote Access VPNs 10-18

Configuring IKE Proposals on a Remote Access VPN Server 10-18
High Availability in Remote Access VPNs 10-19

Configuring a High Availability Policy 10-20
Cluster Load Balancing 10-22

Configuring a Cluster Load Balance Policy 10-23
Public Key Infrastructure Policies in Remote Access VPNs 10-24

Configuring a PKI Policy in a Remote Access VPN 10-25
VPN Global Settings in Remote Access VPNs 10-27

Configuring Global Settings in a Remote Access VPN 10-27
DN Matching Policies 10-30

Configuring a DN Matching Policy 10-31

DN Matching Rules 10-32
Configuring a DN Matching Rules Policy 10-33

Managing Shared Remote Access VPN Policies in Policy View 10-35

CHAPTER 11 Managing SSL VPNs 11-1

SSL VPN Access Modes 11-3

Working with SSL VPN Policies 11-5

Configuring SSL VPN on an IOS Device 11-6
Using the Wizard to Create an IOS SSL VPN Connection 11-7

Configuring an SSL VPN Gateway and Context 11-7
Customizing the SSL VPN Portal Page 11-10

Configuring an SSL VPN Policy (IOS) 11-11
Configuring General Settings for an IOS SSL VPN Policy 11-12
Configuring the Portal Page for an IOS SSL VPN Policy 11-14
Configuring the Secure Desktop Software for an IOS SSL VPN Policy 11-15
Configuring Advanced Settings for an IOS SSL VPN Policy 11-16

Understanding User Groups in SSL VPN 11-17
Configuring User Groups on an IOS Device 11-19
Configuring User Groups on an ASA Device 11-20
Creating a New User Group 11-22

Defining the User Group Name and Access Methods 11-22
Configuring the Full Tunnel Access Mode 11-24
Configuring the Clientless and Thin Client Access Modes 11-26

Configuring SSL VPN on an ASA Device 11-28
Using the Wizard to Create an ASA SSL VPN Connection Profile 11-28

Defining the ASA SSL VPN Access Parameters 11-29
Defining the ASA SSL VPN Connection Profile Parameters 11-30

Configuring SSL VPN Policies on an ASA Device 11-33
Configuring an Access Policy 11-33

Understanding SSL VPN Connection Profile Policies 11-35
Configuring an SSL VPN Connection Profile Policy 11-36
Configuring ASA User Groups Policy in Your SSL VPN 11-43
Configuring the Cisco Secure Desktop Software 11-45
Configuring Global Settings 11-47

CHAPTER 12 Managing Firewall Services 12-1

Managing Your Rules Tables 12-5
Using Analysis 12-6

Generating Analysis Reports 12-8
Combining Rules 12-11

Combined Rules Criteria Notes 12-13
Defining Combined Rules Criteria 12-15
Understanding Combined Rules Summary Results 12-16

Using Find and Replace 12-18
Find and Replace Notes 12-19
How Regular Expressions are Supported in Find and Replace 12-20
Defining Find and Replace Criteria 12-22

Using Hit Count 12-24
Generating Hit Count Reports 12-25
Understanding Hit Count Results 12-26
Changing How Hit Count Results Are Displayed 12-27

Importing Rules 12-32
Notes 12-33
Extended Access List: Example 1 12-34
Extended Access List: Example 2 12-34
Standard Access List: Example 12-35
How to Import Rules 12-36

Using Policy Query 12-37
Generating Policy Query Reports 12-39

Understanding Policy Query Results 12-40
Understanding Rule Table Sections 12-44

Notes About Rule Table Sections 12-44
Adding Rule Table Sections 12-45
Adding Rules to an Existing Table Section 12-46
Removing Rules from an Existing Table Section 12-46
Editing a Rule Table Section 12-46
Removing a Rule Table Section 12-47

Optimizing Policy Objects in Rules 12-47
Notes about Policy Object Optimization 12-48

Expanding Object Groups During Discovery 12-49

Understanding Access Rules 12-49
How Access Rules Are Recognized on Devices 12-51
Notes About Access Rules 12-52
How ACL Names Are Generated 12-53
Preserving User-Defined ACL Names 12-56
Naming Conflicts and Resolutions 12-57
Identifying Original ACL Names 12-58
Notes 12-59

Working with Access Rules 12-59
Logging Events for an ACE 12-60
Adding Access Rules 12-61
Editing Access Rules 12-65
Enabling and Disabling Access Rules 12-68
Cutting, Copying, and Pasting Access Rules 12-69
Moving Access Rules Up and Down 12-70
Deleting Access Rules 12-71

Understanding Inspection Rules 12-72

Working with Inspection Rules 12-73
Adding Inspection Rules 12-74

Configuring Default Protocol Ports 12-77
Configuring Custom Destination Ports 12-78
Configuring Destination Address and Port (IOS) 12-79
Configuring Source and Destination Address and Port (ASA, FWSM 3.x) 12-81

Editing Inspection Rules 12-83
Enabling and Disabling Inspection Rules 12-86
Cutting, Copying, and Pasting Inspection Rules 12-86
Moving Inspection Rules Up and Down 12-87
Deleting Inspection Rules 12-88

Working with AAA Rules 12-89
Adding AAA Rules 12-91
Editing AAA Rules 12-94
Enabling and Disabling AAA Rules 12-96
Cutting, Copying, and Pasting AAA Rules 12-97
Moving AAA Rules Up and Down 12-99
Deleting AAA Rules 12-100

Understanding Web Filter Rules 12-101

Working with Web Filter Rules 12-101
Adding Web Filter Rules (PIX/ASA) 12-103
Editing Web Filter Rules (PIX/ASA) 12-106
Enabling and Disabling Web Filter Rules (PIX/ASA) 12-108
Cutting, Copying, and Pasting Web Filter Rules (PIX/ASA) 12-109
Moving Web Filter Rules Up and Down (PIX/ASA) 12-110
Deleting Web Filter Rules (PIX/ASA) 12-111
Adding Web Filter Rules (IOS) 12-112
Editing Web Filter Rules (IOS) 12-115
Deleting Web Filter Rules (IOS) 12-116
Adding Exclusive Domains (IOS) 12-117
Editing Exclusive Domains (IOS) 12-119

  • ContentsDeleting Exclusive Domains (IOS) 12-120

    Working with Transparent Firewall Rules 12-122Adding Transparent Rules 12-123Editing Transparent Rules 12-125Enabling and Disabling Transparent Rules 12-127Cutting, Copying, and Pasting Transparent Rules 12-128Moving Transparent Rules Up and Down 12-129Deleting Transparent Rules 12-130

    Understanding Firewall Settings 12-131Understanding Settings for Access Controls 12-132

    Object Group Search (PIX/ASA/FWSM) 12-133Per User Downloadable ACLs (PIX/ASA/FWSM) 12-135Access List Compilation (PIX) 12-138Configuring Settings for Access Control 12-140Configuring Firewall ACL Settings 12-142

    Configuring Settings for Inspection Rules 12-143Supported Features for Inspection 12-145Configuring Settings for AAA 12-146

    Configuring Settings for AAA Firewall (PIX/ASA/FWSM) 12-147Understanding MAC Exempt Address Lists 12-149Configuring Settings for AAA (IOS) 12-152

    Configuring Settings for Web Filter Servers 12-156Adding Settings for Web Filter Server Configuration 12-158Editing Settings for Web Filter Server Configuration 12-160Deleting Settings for Web Filter Server Configuration 12-161

    CHAPTER 13  Managing IPS Services 13-1

    Understanding Network Sensing 13-2

    Configuring Interfaces 13-2
    Understanding Interfaces 13-3
    Configuring Physical Interfaces 13-4
    Configuring Bypass Mode 13-4
    Configuring Inline Pairs 13-5
    Configuring VLAN Pairs 13-6
    Configuring VLAN Groups 13-7
    Interface Summary 13-9

    Configuring Signatures 13-9
    Understanding Signatures 13-9
    Accessing the Cisco NSDB 13-10
    Understanding Signature Inheritance 13-11
    Editing Signatures - Severity, Fidelity Rating, and Action 13-12
    Enabling and Disabling Signatures 13-14
    Cloning Signatures 13-14
    Adding Custom Signatures 13-15
    Editing Signature Parameters (Tuning Signatures) 13-16

    Configuring Signature Settings 13-17

    Configuring Anomaly Detection 13-18
    Explaining Anomaly Detection 13-18

    Worm Viruses 13-19
    Learning Mode 13-20
    Anomaly Detection Zones 13-20

    Configuring Event Actions 13-21
    Configuring Event Action Filters 13-22
    Configuring Event Action Overrides 13-22
    Configuring Network Information 13-22

    Understanding Target Value Ratings 13-23
    Configuring Target Value Ratings 13-23
    Configuring OS Identification (Cisco IPS 6.x Sensors Only) 13-23

    Configuring Settings for Event Actions 13-24

    Configuring Policies Specific to IOS IPS Devices 13-24
    Understanding Cisco IOS IPS 13-25
    Limitations and Restrictions 13-25
    Preparation for Use 13-26
    Signatures 13-26

    Signature Sets in Previous Versions of IOS IPS 13-26
    General Settings 13-27
    Interface Rules 13-27

    CHAPTER 14  Managing Routers 14-1

    Configuring Routers Running IOS Software Releases 12.1 and 12.2 14-3

    Discovering Router Policies 14-4

    NAT on Cisco IOS Routers 14-5
    Designating Inside and Outside Interfaces 14-6
    Defining Static NAT Rules 14-8

    Defining a Static NAT Rule for a Host 14-8
    Defining a Static NAT Rule for a Subnet 14-11
    Defining a Static NAT Rule for a Port 14-13
    Disabling the Alias Option for Attached Subnets 14-15
    Disabling the Payload Option for Overlapping Networks 14-16

    Defining Dynamic NAT Rules 14-16
    Specifying NAT Timeouts 14-20

    Basic Interface Settings on Cisco IOS Routers 14-21
    Available Interface Types 14-22
    Defining Basic Router Interface Settings 14-24
    Generating an Interface Name 14-27
    Deleting a Cisco IOS Router Interface 14-28

    Advanced Interface Settings on Cisco IOS Routers 14-29
    Understanding Helper Addresses 14-30
    Defining Advanced Interface Settings 14-32

    Dialer Interfaces on Cisco IOS Routers 14-34
    Defining Dialer Profiles 14-35
    Defining BRI Interface Properties 14-37

    ADSL on Cisco IOS Routers 14-39
    Supported ADSL Operating Modes 14-41
    Defining ADSL Settings 14-42

    SHDSL on Cisco IOS Routers 14-44
    Defining SHDSL Controllers 14-46

    PVCs on Cisco IOS Routers 14-47
    Understanding Virtual Paths and Virtual Channels 14-48
    Understanding ATM Service Classes 14-50
    Understanding ATM Management Protocols 14-52

    Understanding ILMI 14-52
    Understanding OAM 14-53

    Defining ATM PVCs 14-55
    Defining OAM Management on ATM PVCs 14-59

    PPP on Cisco IOS Routers 14-61
    Understanding Multilink PPP (MLP) 14-62
    Defining PPP Connections 14-63
    Defining Multilink PPP Bundles 14-66

    AAA on Cisco IOS Routers 14-68
    Supported Authorization Types 14-69
    Supported Accounting Types 14-70
    Understanding Method Lists 14-71
    Defining AAA Services 14-72

    User Accounts and Device Credentials on Cisco IOS Routers 14-75
    Defining Accounts and Credential Policies 14-75

    Bridging on Cisco IOS Routers 14-77
    Bridge-Group Virtual Interfaces 14-78
    Defining Bridge Groups 14-80

    Time Zone Settings on Cisco IOS Routers 14-81
    Defining Time Zone and DST Settings 14-82

    CPU Utilization Settings on Cisco IOS Routers 14-83
    Defining CPU Utilization Settings 14-84

    HTTP and HTTPS on Cisco IOS Routers 14-85
    Defining HTTP Policies 14-86

    Line Access on Cisco IOS Routers 14-89
    Defining Console Port Setup Parameters 14-90
    Defining Console Port AAA Settings 14-92
    Defining VTY Line Setup Parameters 14-94
    Defining VTY Line AAA Settings 14-98

    Optional SSH Settings on Cisco IOS Routers 14-100
    Defining Optional SSH Settings 14-100

    SNMP on Cisco IOS Routers 14-103
    Defining SNMP Agent Properties 14-104
    Enabling SNMP Traps 14-106

    DNS on Cisco IOS Routers 14-107
    Defining DNS Policies 14-108

    Hostnames and Domain Names on Cisco IOS Routers 14-109
    Defining Hostname Policies 14-110

    Memory Settings on Cisco IOS Routers 14-111
    Defining Router Memory Settings 14-111

    Secure Device Provisioning on Cisco IOS Routers 14-112
    Contents of Bootstrap Configuration 14-114
    Secure Device Provisioning Workflow 14-114
    Defining Secure Device Provisioning Policies 14-115
    Configuring a AAA Server Group for Administrative Introducers 14-119

    DHCP on Cisco IOS Routers 14-119
    Understanding DHCP Database Agents 14-120
    Understanding DHCP Relay Agents 14-121
    Understanding DHCP Option 82 14-122
    Understanding Secured ARP 14-122
    Defining DHCP Policies 14-123
    Defining DHCP Address Pools 14-125

    NTP on Cisco IOS Routers 14-126
    Defining NTP Servers 14-127

    802.1x on Cisco IOS Routers 14-129
    Understanding 802.1x Device Roles 14-130
    802.1x Interface Authorization States 14-131
    Topologies Supported by 802.1x 14-132
    Defining 802.1x Policies 14-133

    Network Admission Control on Cisco IOS Routers 14-136
    Router Platforms Supporting NAC 14-137
    Understanding NAC Components 14-138
    Understanding NAC System Flow 14-139
    Defining NAC Setup Parameters 14-140
    Defining NAC Interface Parameters 14-142
    Defining NAC Identity Parameters 14-145

    Logging on Cisco IOS Routers 14-146
    Understanding Log Message Severity Levels 14-147
    Defining Logging Setup Parameters 14-148
    Defining Syslog Servers 14-151

    Quality of Service on Cisco IOS Routers 14-153
    Quality of Service and CEF 14-154
    Understanding Matching Parameters 14-154
    Understanding Marking Parameters 14-155
    Understanding Queuing Parameters 14-157

    Tail Drop vs. WRED 14-158
    Low-Latency Queuing 14-160
    Default Class Queuing 14-160

    Understanding Policing and Shaping Parameters 14-161
    Understanding the Token-Bucket Mechanism 14-163
    Understanding Control Plane Policing 14-166

    Defining QoS Policies 14-167
    Defining QoS on Interfaces 14-167
    Defining QoS on the Control Plane 14-171
    Defining QoS Class Matching Parameters 14-172
    Defining QoS Class Marking Parameters 14-175
    Defining QoS Class Queuing Parameters 14-176
    Defining QoS Class Policing Parameters 14-178
    Defining QoS Class Shaping Parameters 14-180

    BGP Routing on Cisco IOS Routers 14-181
    Defining BGP Routes 14-183
    Redistributing Routes into BGP 14-185

    EIGRP Routing on Cisco IOS Routers 14-187
    Defining EIGRP Routes 14-188
    Defining EIGRP Interface Properties 14-190
    Redistributing Routes into EIGRP 14-193

    OSPF Routing on Cisco IOS Routers 14-195
    Defining OSPF Process Settings 14-196
    Defining OSPF Area Settings 14-197
    Redistributing Routes into OSPF 14-199

    Defining OSPF Redistribution Mappings 14-200
    Defining OSPF Maximum Prefix Values 14-202

    Defining OSPF Interface Settings 14-204
    Understanding Interface Cost 14-206
    Understanding Interface Priority 14-207
    Disabling MTU Mismatch Detection 14-207
    Blocking LSA Flooding 14-208
    Understanding OSPF Timer Settings 14-209
    Understanding the OSPF Network Type 14-210
    Understanding OSPF Interface Authentication 14-211

    RIP Routing on Cisco IOS Routers 14-212
    Defining RIP Setup Parameters 14-213
    Defining RIP Interface Authentication Settings 14-214
    Redistributing Routes into RIP 14-216

    Static Routing on Cisco IOS Routers 14-217
    Defining Static Routes 14-218

    CHAPTER 15  Managing Firewall Devices 15-1

    Understanding Factory-Default Configurations 15-2

    Configuring Firewall Device Interfaces 15-3
    Understanding ASA 5505 Ports and Interfaces 15-4
    Enabling Traffic between Interfaces with the Same Security Level 15-5
    Configuring PIX 7.0/ASA Interfaces in Single Context Mode 15-6
    Checklist for Configuring PIX 7.0/ASA Interfaces in Multi Context Mode 15-10

    Configuring Physical Interfaces of a PIX 7.0/ASA Security Appliance in Multi Context Mode 15-13

    Configuring PIX 6.3 Interfaces 15-16
    Configuring FWSM Interfaces 15-18
    Troubleshooting Interfaces 15-20

    Configuring NAT Policies on Firewall Devices 15-20
    Understanding NAT 15-21
    Defining Address Pools 15-21
    Configuring Translation Options 15-22
    Defining Translation Exemptions (NAT 0 ACL) 15-23
    Defining Simple Dynamic Rules 15-24
    Defining Policy Dynamic Rules 15-25
    Defining Static Rules 15-26
    Viewing Translation Summary 15-27

    Configuring Bridging Policies on Firewall Devices 15-28
    Bridging Support for FWSM 3.1 15-29

    Configuring Device Administration Policies on Firewall Devices 15-30
    Configuring AAA 15-31

    Understanding AAA 15-31
    Defining AAA Policies 15-35

    Configuring Banners 15-37
    Configuring Boot Image and Configuration Settings 15-39
    Configuring Clock Settings 15-40
    Configuring Contact Credentials 15-42
    Configuring Device Access Settings on Firewall Devices 15-43

    Configuring Console Timeout 15-44
    Configuring HTTP 15-45
    Configuring ICMP 15-46
    Configuring Management Access 15-48
    Configuring Secure Shell 15-49
    Configuring SNMP 15-50
    Configuring Telnet 15-54

    Configuring Failover 15-55
    Understanding Failover 15-56
    Additional Steps for an Active/Standby Failover Configuration 15-61

    Configuring Hostname Settings 15-62
    Configuring Resources on Firewall Services Modules 15-63
    Configuring Server Access Settings on Firewall Devices 15-64

    Configuring AUS Settings 15-64
    Configuring DHCP Relay 15-66
    Configuring DHCP Servers 15-68
    Configuring DNS 15-70
    Configuring NTP Settings 15-72
    Configuring SMTP Servers 15-73
    Configuring TFTP Servers 15-74

    Configuring User Accounts 15-75

    Configuring Logging Policies on Firewall Devices 15-77
    Configuring E-Mail Setup 15-78
    Configuring Event Lists 15-79
    Configuring Logging Filters 15-81
    Configuring Logging Setup 15-82
    Configuring Rate Limit Levels 15-84
    Configuring Server Setup 15-85
    Defining Syslog Servers 15-87

    Configuring Multicast Policies on Firewall Devices 15-88
    Enabling Multicast Routing 15-88
    Configuring IGMP 15-89

    Protocol 15-90
    Access Group 15-90
    Static Group 15-90
    Join Group 15-90

    Configuring Multicast Routes 15-91
    Configuring PIM 15-92

    Protocol 15-92
    Rendezvous Points 15-92
    Route Tree 15-93
    Request Filter 15-93

    Configuring Routing Policies on Firewall Devices 15-93
    Configuring No Proxy ARP 15-94
    Configuring OSPF 15-95
    Configuring RIP 15-96
    Configuring Static Routes 15-98

    Configuring Security Policies on Firewall Devices 15-98
    Configuring Floodguard, Anti-Spoofing, and Fragment Settings 15-99
    Configuring Timeouts 15-102

    Configuring Service Policy Rules on Firewall Devices 15-103

    Configuring User Preferences on Firewall Devices 15-104

    Configuring Security Contexts on Firewall Devices 15-105
    Add/Edit a Security Context for PIX or ASA 15-106
    Add/Edit a Security Context for FWSM 15-108
    Delete a Security Context 15-109
    Enabling Multi-Context Mode 15-110
    Restoring Single Context Mode 15-111
    View the Contexts Defined for a Device 15-111

    CHAPTER 16  Managing Catalyst Devices 16-1

    Migrating Inventory From an Earlier Security Manager Release 16-2
    Migrating Unmanaged Service Modules 16-5

    Discovering Policies on 6500 Series and 7600 Series Devices 16-6

    Interfaces 16-8
    Creating or Editing Ports on Catalyst 6500/7600 Devices 16-9

    Generating an Interface Name for Catalyst Devices 16-11
    Deleting Ports on Catalyst 6500/7600 Devices 16-12

    VLANs 16-12
    Creating or Editing VLANs 16-13
    Deleting VLANs 16-15

    VLAN Groups 16-16
    Creating or Editing VLAN Groups 16-16
    Deleting VLAN Groups 16-18

    VLAN ACLs (VACLs) 16-19
    Creating or Editing VACLs 16-20
    Deleting VACLs 16-23

    IDSM Settings 16-24
    Creating or Editing EtherChannel VLAN Definitions 16-25
    Deleting EtherChannel VLAN Definitions 16-27
    Creating or Editing Data Port VLAN Definitions 16-28
    Deleting Data Port VLAN Definitions 16-30

    Viewing Configuration Summaries 16-31

    CHAPTER 17  Managing IPS Devices 17-1

    Identifying Allowed Hosts 17-2

    Configuring SNMP 17-2

    Configuring the External Product Interface 17-5

    Identifying an NTP Server 17-9

    Configuring Logging 17-10
    Configuring Analysis Engine Global Variables 17-11

    Configuring Blocking 17-11

    Configuring Virtual Sensors 17-12
    Advantages of Virtualization 17-14
    Understanding the Virtual Sensor 17-15
    Assigning Interfaces to Virtual Sensors 17-15
    Viewing Your Virtual Sensors 17-16
    Defining A Virtual Sensor 17-16
    Editing A Virtual Sensor 17-17
    Deleting A Virtual Sensor 17-18

    CHAPTER 18  Managing Deployment 18-1

    Understanding Deployment 18-1
    Benefits of Deployment Jobs 18-2
    Deployment in Non-Workflow Mode 18-3
    Deployment Task Flow in Non-Workflow Mode 18-3
    Job States in Non-Workflow Mode 18-4

    Deployment in Workflow Mode 18-5
    Deployment Task Flow in Workflow Mode 18-5
    Job States in Workflow Mode 18-8
    Deployment Job Approval 18-9
    Deployment Job Changes 18-10
    Deployment Jobs and Multiple Users 18-10

    Including Devices in Deployment Jobs 18-10
    Understanding Deployment Methods 18-11

    Deploying to a Device 18-11
    Deploying to a File 18-13

    Handling Device OS Version Mismatches 18-14
    Frequently Asked Questions about Deployment 18-17

    Working with Deployment 18-35
    Using the Main Toolbar 18-36
    Viewing Deployment Status Information 18-36
    Deploying Configurations in Non-Workflow Mode 18-37
    Deploying Configurations in Workflow Mode 18-40
    Previewing Configurations 18-42
    Changing Deployment Methods 18-43
    Refreshing Deployment Status Information 18-44
    Redeploying Configurations to Devices 18-44
    Aborting Deployment Jobs 18-46
    Rolling Back Configurations to Devices 18-47
    Viewing Deployment Summary Information 18-48
    Viewing Deployment Device Details 18-49
    Performing Additional Workflow-Mode Tasks 18-50

    Creating Deployment Jobs 18-50
    Opening and Closing Deployment Jobs 18-53
    Submitting Deployment Jobs 18-54
    Approving and Rejecting Deployment Jobs 18-55
    Discarding Deployment Jobs 18-56
    Viewing Deployment Job History 18-56

    CHAPTER 19  Managing FlexConfigs 19-1

    Understanding FlexConfig Policy Objects 19-2
    CLI Commands 19-2
    Scripting Language Instructions 19-3

    Example 1: Looping 19-4
    Example 2: Looping with Two-Dimensional Arrays 19-4
    Example 3: Looping with If/Else Statements 19-5

    Object Variables 19-6
    FlexConfig Policy Object Example 19-7
    Predefined FlexConfig Policy Objects 19-7
    FlexConfig System Variables 19-13

    Understanding FlexConfig Policies 19-36

    A FlexConfig Creation Scenario 19-36

    Configuring FlexConfig Policy Objects 19-41
    Creating FlexConfig Policy Objects 19-42
    Duplicating FlexConfig Policy Objects 19-43
    Editing FlexConfig Policy Objects 19-45
    Viewing FlexConfig Policy Objects 19-47
    Generating Usage Reports for FlexConfig Policy Objects 19-47
    Deleting FlexConfig Policy Objects 19-49
    Adding FlexConfig Policy Objects to a Device 19-50
    Removing FlexConfig Policy Objects from a Device 19-51
    Reordering FlexConfig Policy Objects 19-52
    Previewing FlexConfig Policy Objects 19-52
    Deleting FlexConfig Object Variables 19-53

    CHAPTER 20  Using Tools 20-1

    Understanding Policy Discovery Status 20-3
    Viewing Policy Discovery Status Information 20-4

    Understanding Show Containment 20-5

    Understanding Inventory Status 20-6

    Working With Device OS Management 20-6

    Understanding Audit Reports 20-7
    Guidelines for Defining the Audit Report Parameters 20-9
    Generating the Audit Report 20-9
    Viewing Audit Logs 20-10
    Purging Audit Log Entries 20-11

    Using the Configuration Archive Tool 20-11
    Customizing the Configuration Archive Toolbar 20-12
    Viewing Transcripts 20-13
    Viewing and Comparing Configurations 20-14
    Using Rollback to Deploy Archived Configurations 20-15

    Understanding Rollback for Devices in Multiple Context Mode 20-18
    Understanding Rollback for Failover Devices 20-18
    Understanding Rollback for Catalyst 6500/7600 20-19
    Understanding Rollback for IPS and IOS IPS 20-19
    Commands that Can Cause Conflicts after Rollback 20-22
    Commands to Recover from Failover Misconfiguration after Rollback 20-23

    Adding Configuration Versions from a Device to the Archive 20-23

    Apply IPS Update 20-25

    Backup and Restore 20-25

    Security Manager Diagnostics 20-26
    Diagnostic Utility Executable Menu Item 20-27
    Generating a Diagnostic File from a Security Manager Client 20-28
    Generating a Diagnostic File from a Security Manager Server 20-29

    Obtaining Documentation, Obtaining Support, and Security Guidelines 20-29

    CHAPTER 21  Using Monitoring, Troubleshooting, and Diagnostic Tools 21-1

    Device Managers 21-2
    IDM 21-3
    PDM 21-4
    ASDM 21-5
    SDM 21-6
    Understanding Communication 21-7
    Starting Device Managers 21-7
    Device OS Version Interoperability with Device Managers 21-13

    Device Connectivity Test 21-15

    Performance Monitor (Status Provider) 21-15
    Understanding Performance Monitor as a Status Provider 21-16
    Configuring Performance Monitor as a Status Provider 21-17
    Understanding the Events to be Monitored 21-18

    Device Reachability 21-19
    VPN Tunnel Status 21-22
    CPU Usage Threshold 21-23

    Supported Services and Platforms for Monitoring and Reports 21-25
    Supported Event Types for Each Service Type 21-27
    Working with Event Thresholds 21-28

    IPS Event Viewer 21-31
    Understanding Communication 21-34
    Guidelines for Working with IEV from Security Manager 21-35
    Starting IEV Client 21-37
    Navigating to IPS Signature Policy in Security Manager from IEV 21-37
    IPS Signature Policy Lookup from the Realtime Dashboard 21-38
    IPS Signature Policy Lookup from the Views Tab 21-39

    Security Manager Access Rule Lookup from Device Manager Syslog 21-42
    Navigating to ACL in Security Manager from ASDM Syslog 21-43
    Navigating to ACL in Security Manager from SDM Syslog 21-46

    APPENDIX A  Administrative Settings User Interface Reference A-1

    AutoLink Settings Page A-2

    Configuration Archive Settings Page A-3

    Customize Desktop Page A-4

    Deployment Page A-5

    Device Communication Page A-10
    Add Certificate Dialog Box A-14

    Device Groups Page A-15

    Device OS Management Page A-16

    Discovery Page A-17

    IPS Updates Page A-19
    Edit Update Server Settings Dialog Box A-23
    Modify Signature Update Policies Dialog Box A-25

    Licensing Page A-26
    CSM Tab A-26
    IPS Tab A-27

    Updating Licenses via CCO Dialog Box A-28
    Redeploying Licenses Dialog Box A-29
    Updating Licenses from File Dialog Box A-30

    Logs Page A-30

    Policy Management Page A-32

    Policy Objects Page A-33

    Server Security Page A-35

    Status Page A-36
    Add Status Provider Dialog Box A-38
    Edit Status Provider Dialog Box A-39

    Take Over User Session Page A-41

    Token Management Page A-42

    VPN Policy Defaults Page A-44

    Workflow Page A-48

    APPENDIX B  Map View User Interface Reference B-1

    Map View Main Page B-1

    Map Elements B-3

    Map Toolbar B-5

    Navigation Window B-6

    Maps Menus B-7
    Managed Device Node Context Menu B-7
    Multiple Selected Nodes Context Menu B-9
    VPN Connection Context Menu B-10
    Layer 3 Link Context Menu B-10
    Map Object Context Menu B-11
    Map Background Context Menu B-11

    Dialog Boxes B-12
    Open Map Dialog Box B-13
    Save Map As Dialog Box B-13
    Delete Map Dialog Box B-14
    Find Node Dialog Box B-15
    Map Settings Dialog Box B-16
    Select Color Dialog Box B-17
    Import Background Image Dialog Box B-18
    Set Linked Map Dialog Box B-19
    Link Properties Dialog Box B-19
    Select Interfaces Dialog Box B-20
    Add Link Dialog Box B-21
    Node Properties Dialog Box B-22
    Add Map Object and Node Properties Dialog Boxes B-22
    Interface Properties Dialog Box B-23
    Select Policy Object Dialog Box B-24
    Show Devices on Map Dialog Box B-25
    Show VPNs on Map Dialog Box B-26
    Show VPN Peers Dialog Box B-26
    VPN Peers Dialog Box B-27
    Select VPN to Configure Dialog Box B-28

    APPENDIX C  Devices User Interface Reference C-1

    Devices Page C-2
    Device Selector C-2

    Create Filter Dialog Box C-3
    Policy Selector C-7
    Work Area C-7

    Add Device from Network Wizard C-7
    Device Information Page - Network C-8

    Auto Update Server Properties Dialog Box C-13
    Available Auto Update Servers Dialog Box C-14

    Device Credentials Page C-15
    Rx-Boot Mode Credentials Dialog Box C-17
    SNMP Credentials Dialog Box C-18
    HTTP Credentials Dialog Box C-19
    Device Connectivity Test Dialog Box C-20
    FWSM Credentials and VPN SPA Slot Location Dialog Box C-22
    VPN SPA Slots Dialog Box C-24
    VPN SPA Slot Selector C-25

    Device Validation Error Messages C-27
    Device Grouping Page C-28

    Add Device(s) from Config File Wizard C-29
    Device Information Page - Config File C-30

    Choose Files Dialog Box C-33
    Device Grouping Page C-34

    Add New Device Wizard C-34
    Device Information Page - New Device C-35

    Server Properties Dialog Box C-40
    Available Servers Dialog Box C-41
    CNS-Configuration Engine Properties Dialog Box C-42
    Available Configuration Engines Dialog Box C-43

    Device Credentials Page C-44
    Device Grouping Page C-44

    Add Device(s) from DCR Wizard C-45
    Device Information Page - DCR C-45
    Device Grouping Page C-49

    Device Delete Validation Page C-49
    Device Delete Validation Details Dialog Box C-51

    Create a Clone of Page C-52

    Device Properties Page C-53
    General Page C-54
    Credentials Page C-57
    Device Groups Page C-59
    Policy Object Override Pages C-60

    Device Shortcut Menu Options C-62

    Policy Selector Shortcut Menu Options C-63

    Device Group Shortcut Menu Options C-65

    Edit Device Groups Page C-66

    Add Devices to Group Page C-67

    Add Group Dialog Box C-68

    APPENDIX D  Policy User Interface Reference D-1

    Policy Menu General Reference D-1
    Share Policy Dialog Box D-2
    Assign Shared Policy Dialog Box D-3

    Local Policy Will Be Replaced Dialog Box D-4
    Copy Policies Wizard D-6

    Copy Policies Wizard - Copy Policies from this Device Page D-6
    Copy Policies Wizard - Copy Policies to these Devices Page D-7
    Copy Policies Wizard - Select Policies to Copy Page D-8

    Share Policies Wizard D-9
    Share Policies Wizard - Share Policies from this Device Page D-10
    Share Policies Wizard - Select Policies to Share Page D-11

    Shared Policy Assignments Dialog Box D-11
    Save Policy As Dialog Box D-13
    Rename Policy Dialog Box D-14
    Inherit Rules Dialog Box D-15
    Create Discovery Task Dialog Box D-16
    Discovery Status Dialog Box D-19

    Policy View General Reference D-21
    Policy View - Policy Type Selector D-23
    Policy View - Policy Type Selector Options D-24
    Policy View - Shared Policy Selector Options D-25

    Create Filter Dialog Box - Policy View D-26
    Policy View - Assignments Tab D-28
    Create a Policy Dialog Box D-29

    APPENDIX E  Activities User Interface Reference E-1

    Activity Manager Window E-1
    Activity States E-4
    Details Tab E-5
    History Tab E-6
    Create Activity Dialog Box E-7
    Submit Activity Dialog Box E-8
    Approve Activity Dialog Box E-9
    Reject Activity Dialog Box E-10
    Discard Activity Dialog Box E-11
    Validation Dialog Box E-12

    Errors Tab E-12
    Devices Tab E-14

    View Changes (Activity Change Report) E-15

    Activity Required (Create Activity) Dialog Box E-17

    Activity Required (Create or Open Activity) Dialog Box E-18

    Openable Activities Dialog Box E-19

    A P P E N D I X F Policy Object Manager User Interface Reference F-1

    Policy Object Manager Window F-3Object Type Selector F-4Policy Object Manager WindowWork Area Buttons F-8Policy Object Manager WindowShortcut Menu F-9Create Filter Dialog BoxPolicy Object Manager F-10

    AAA Server Groups Page F-12AAA Server Group Dialog Box F-1447User Guide for Cisco Security Manager 3.1

    OL-11501-03

  • ContentsAAA Servers Page F-18AAA Server Dialog Box F-20

    AAA Server Dialog BoxRADIUS Settings F-22AAA Server Dialog BoxTACACS+ Settings F-25AAA Server Dialog BoxKerberos Settings F-26AAA Server Dialog BoxLDAP Settings F-26AAA Server Dialog BoxNT Settings F-29AAA Server Dialog BoxSDI Settings F-30AAA Server Dialog BoxHTTP-FORM Settings F-31

    Access Control Lists Page F-33Extended Tab F-34

    Add and Edit Extended Access List Pages F-36Add and Edit Extended Access Control Entry Dialog Boxes F-39

    Standard Tab F-43Add and Edit Standard Access List Pages F-45Add and Edit Standard Access Control Entry Dialog Boxes F-47

    Web Tab F-50Add and Edit WebType Access List Dialog Boxes F-52

    Add and Edit Web Access Control Entry Dialog Boxes F-54

    ASA User Groups Page F-58ASA User Group Dialog Box F-60

    ASA User Group Dialog BoxClient Configuration Settings F-62ASA User Group Dialog BoxClient Firewall Attributes F-64ASA User Group Dialog BoxHardware Client Attributes F-67ASA User Group Dialog BoxIPsec Settings F-69ASA User Group Dialog BoxSSL VPN Clientless Settings F-72ASA User Group Dialog BoxSSL VPN Thin Client Settings F-74ASA User Group Dialog BoxSSL VPN Full Tunnel Settings F-75ASA User Group Dialog BoxSSL VPN General Settings F-77ASA User Group Dialog BoxDNS/WINS Settings F-8048User Guide for Cisco Security Manager 3.1

    OL-11501-03

  • ContentsASA User Group Dialog BoxSplit Tunneling F-81ASA User Group Dialog BoxGeneral Settings F-85

    Categories Page F-87Category Editor Dialog Box F-88

    Credentials Page F-88Credentials Dialog Box F-90

    IKE Proposals Page F-92IKE Proposal Dialog Box F-93

    DNS Class Maps Page F-96Add and Edit DNS Class Maps Dialog Boxes F-98Add and Edit Match Criterion Dialog Boxes F-100

    Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Class F-102Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Type F-103Add and Edit DNS Class Map > Add and Edit Match Criterion > Domain Name F-104Add and Edit DNS Class Map > Add and Edit Match Criterion > Header Flag F-106Add and Edit DNS Class Map > Add and Edit Match Criterion > Question F-107Add and Edit DNS Class Map > Add and Edit Match Criterion > Resource Record F-108

    FTP Class Maps Page F-109Add and Edit FTP Class Map Dialog Boxes F-111Add and Edit FTP Class Map > Add and Edit Match Criterion Dialog Boxes F-113

    Add and Edit FTP Class Map > Add and Edit Match Criterion > Request Command F-115Add and Edit FTP Class Map > Add and Edit Match Criterion > Filename F-11649User Guide for Cisco Security Manager 3.1

    OL-11501-03

  • ContentsAdd and Edit FTP Class Map > Add and Edit Match Criterion > File Type F-117Add and Edit FTP Class Map > Add and Edit Match Criterion > Server F-119Add and Edit FTP Class Map > Add and Edit Match Criterion > Username F-120

    HTTP Class Maps Page F-121Add and Edit HTTP Class Map Dialog Boxes F-123Add and Edit HTTP Class Map > Add and Edit Match Criterion Dialog Boxes F-125

    IM Class Maps Page F-168Add and Edit IM Class Map Dialog Boxes F-170Add and Edit IM Class Map > Add and Edit Match Criterion Dialog Boxes F-172

    Add and Edit IM Class Map > Add and Edit Match Criterion > Filename F-174Add and Edit IM Class Map > Add and Edit Match Criterion > Client IP Address F-175Add and Edit IM Class Map > Add and Edit Match Criterion > Client Login Name F-176Add and Edit IM Class Map > Add and Edit Match Criterion > Peer IP Address F-178Add and Edit IM Class Map > Add and Edit Match Criterion > Peer Login Name F-179Add and Edit IM Class Map > Add and Edit Match Criterion > Protocol F-180Add and Edit IM Class Map > Add and Edit Match Criterion > Service F-181Add and Edit IM Class Map > Add and Edit Match Criterion > File Transfer Service Version F-182

    SIP Class Maps Page F-184Add and Edit SIP Class Map Dialog Boxes F-18650User Guide for Cisco Security Manager 3.1

    OL-11501-03

  • ContentsAdd and Edit Match Criterion Dialog Boxes F-188Add and Edit SIP Class Map > Add and Edit Match Criterion > Called Party F-190Add and Edit SIP Class Map > Add and Edit Match Criterion > Calling Party F-191Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Length F-192Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Type F-193Add and Edit SIP Class Map > Add and Edit Match Criterion > IM Subscriber F-195Add and Edit SIP Class Map > Add and Edit Match Criterion > Message Path F-196Add and Edit SIP Class Map > Add and Edit Match Criterion > Third Party Registration F-197Add and Edit SIP Class Map > Add and Edit Match Criterion > URI Length F-199Add and Edit SIP Class Map > Add and Edit Match Criterion > Request Method F-200

    DNS Maps Page F-203Add and Edit DNS Map Dialog Boxes F-204

    Add and Edit DNS Map > Protocol Conformance F-206Add and Edit DNS Map > Filtering F-208Add and Edit DNS Map > Mismatch Rate F-210Add and Edit DNS Map > Match Condition and Action F-212Add and Edit DNS Map > Add and Edit Match Condition and Action Dialog Boxes F-214

    FTP Maps Page F-228Add and Edit FTP Map Dialog Boxes F-230Add and Edit FTP Map > Parameters F-231Add and Edit FTP Map > Match Conditions and Actions F-23251User Guide for Cisco Security Manager 3.1

    OL-11501-03

    Add and Edit FTP Map > Add and Edit Match Condition and Action Dialog Boxes F-233

    GTP Maps Page F-243
    Add and Edit GTP Map Dialog Boxes F-245

    Add and Edit GTP Map Dialog Boxes > Parameters F-247
    Add and Edit GTP Map > Match Condition and Action Tab F-254

    HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page F-261
    Add and Edit HTTP Map Dialog Boxes F-264

    Add and Edit HTTP Map > General Tab F-266
    Add and Edit HTTP Map > Entity Length Tab F-269
    Add and Edit HTTP Map > RFC Request Method Tab F-271
    Add and Edit HTTP Map > Extension Request Method Tab F-274
    Add and Edit HTTP Map > Port Misuse Tab F-277
    Add and Edit HTTP Map > Transfer Encoding Tab F-280

    HTTP Maps (ASA 7.2/PIX 7.2) Page F-283
    Add and Edit HTTP Map Dialog Boxes F-285

    Add and Edit HTTP Map > Parameters Tab F-287
    Add and Edit HTTP Map > Match Condition and Action Tab F-289
    Add and Edit HTTP Map > Add and Edit Match Condition and Action Dialog Boxes F-291

    IM Maps (ASA 7.2/PIX 7.2) Page F-345
    Add and Edit IM Map Dialog Boxes (for ASA 7.2/PIX 7.2) F-347

    Add and Edit IM Map > Add and Edit Match Condition and Action Dialog Boxes F-349

    IM Maps (IOS) Page F-365
    Add and Edit IM Map (IOS) Dialog Boxes F-367

    Add and Edit IM Map (IOS) > Yahoo! Tab F-368
    Add and Edit IM Map (IOS) > MSN Tab F-371
    Add and Edit IM Map (IOS) > AOL Tab F-374

    SIP Maps Page F-377

    Add and Edit SIP Map Dialog Boxes F-379
    Add and Edit SIP Map > Parameters Tab F-381
    Add and Edit SIP Map > Match Condition and Action Tab F-384

    Regular Expression Groups Page F-405
    Add and Edit Regular Expression Group Dialog Boxes F-407

    Regular Expressions Page F-409
    Add and Edit Regular Expression Dialog Boxes F-411

    TCP Maps Page F-413
    Add and Edit TCP Map Dialog Boxes F-414

    Interface Roles Page F-416
    Interface Role Dialog Box F-419
    Interface Name Conflict Dialog Box F-421

    IPsec Transform Sets Page F-422
    IPsec Transform Set Dialog Box F-424

    LDAP Attribute Maps Page F-426
    Add and Edit LDAP Attribute Map Dialog Boxes F-428

    Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value F-429
    Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value > Add and Edit Map Value F-430

    Networks/Hosts Page F-431
    Network/Host Dialog Box F-433

    PKI Enrollments Page F-435
    PKI Enrollment Dialog Box F-437

    PKI Enrollment Dialog Box - CA Information Tab F-438
    PKI Enrollment Dialog Box - Enrollment Parameters Tab F-442
    PKI Enrollment Dialog Box - Certificate Subject Name Tab F-445
    PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab F-447

    Port Forwarding List Page F-448

    Port Forwarding List Dialog Box F-450
    Add/Edit Port Forwarding Entry Dialog Box F-452

    Secure Desktop Configuration Page F-453
    Secure Desktop Configuration Dialog Box F-455

    Port Lists Page F-459
    Port List Dialog Box F-461

    Service Groups Page F-463
    Service Group Dialog Box F-464

    Services Page F-465
    Service Dialog Box F-467

    Single Sign On Server (SSO) Page F-471
    Single Sign On Server (SSO) Dialog Box F-473

    SLA Monitors Page F-475
    SLA Monitor Dialog Box F-477

    Style Objects Page F-479
    Style Objects Dialog Box F-481

    Text Objects Page F-482
    Text Object Dialog Box F-484

    Time Ranges Page F-485
    Time Range Dialog Box F-487
    Recurring Ranges Dialog Box F-488

    Traffic Flows Page F-489
    Add and Edit Traffic Flow Dialog Boxes F-491

    Add and Edit Traffic Flow > Source and Destination IP Address (access-list) F-493
    Default Inspection Traffic F-494
    Add and Edit Traffic Flow > Default Inspection Traffic with Access Lists F-496
    Add and Edit Traffic Flow > TCP or UDP Destination Port F-497

    Add and Edit Traffic Flow > RTP Range F-498
    Add and Edit Traffic Flow > Tunnel Group F-499
    Add and Edit Traffic Flow > IP Precedence Bits F-501
    Add and Edit Traffic Flow > IP DiffServe CodePoints (DSCP) Values F-502

    URL Lists Page F-504
    URL Lists Dialog Box F-506

    Add URL Entry Dialog Box F-507

    User Groups Objects Page F-508
    User Group Dialog Box F-510

    User Group Dialog Box - General Settings F-512
    User Group Dialog Box - DNS/WINS Settings F-514
    User Group Dialog Box - Split Tunneling F-515
    User Group Dialog Box - IOS Client Settings F-517
    User Group Dialog Box - IOS Xauth Options F-519
    User Group Dialog Box - IOS Client VPN Software Update F-522
    User Group Dialog Box - Advanced PIX Options F-524
    User Group Dialog Box - Clientless Settings F-525
    User Group Dialog Box - Thin Client Settings F-527
    User Group Dialog Box - SSL VPN Full Tunnel Settings F-528
    User Group Dialog Box - SSL VPN Split Tunneling F-530
    User Group Dialog Box - Browser Proxy Settings F-532
    User Group Dialog Box - SSL VPN Connection Settings F-533

    SSL VPN Customization Page F-534
    SSL VPN Customization Dialog Box F-536

    SSL VPN Customization Dialog Box - Page Title Tab F-538
    SSL VPN Customization Dialog Box - Login/out Pages Tab F-539
    SSL VPN Customization Dialog Box - Home Page Tab F-543
    SSL VPN Customization Dialog Box - Application-Access/Prompt Tab F-548

    SSL VPN Gateway Page F-550

    SSL VPN Gateway Dialog Box F-552

    WINS Server Lists Page F-554
    WINS Server Lists Dialog Box F-556

    Add/Edit WINS Server Dialog Box F-557

    Object Selectors F-558
    Create Filter Dialog Box - Object Selectors F-561

    Object Usage Window F-563

    Policy Object Overrides Window F-565
    Create Overrides for Device Dialog Box F-567

    APPENDIX G Site-to-Site VPN User Interface Reference G-1

    Site-to-Site VPN Manager Window G-2
    VPN Summary Page G-3
    Peers Page G-7

    Create VPN Wizard G-9
    Name and Technology Page G-10
    Device Selection Page G-12
    Endpoints Page G-14

    Edit Endpoints Dialog Box G-18
    VPN Interface Tab G-19
    Protected Networks Tab G-27
    FWSM Tab G-29
    VRF Aware IPsec Tab G-31
    Dial Backup Settings Dialog Box G-36

    High Availability Page G-37
    VPN Defaults Page G-41

    Site to Site VPN Policies G-42
    IKE Proposal Page G-43
    IPsec Proposal Page G-45

    VPN Global Settings Page G-49
    ISAKMP/IPsec Settings Tab G-50
    NAT Settings Tab G-54
    General Settings Tab G-56

    Preshared Key Page G-59
    Public Key Infrastructure Page G-63
    GRE Modes Page G-66
    Server Load Balance Page G-76

    Edit Load Balancing Parameters Dialog Box G-77
    Easy VPN IPsec Proposal Page G-78

    Easy VPN IPsec Proposal Tab G-79
    Dynamic VTI Tab G-84

    User Group Policy Page G-87
    Tunnel Group Policy (PIX 7.0/ASA) Page G-88

    Tunnel Group Policy > General Tab G-89
    Tunnel Group Policy > IPsec Tab G-92
    Tunnel Group Policy > Advanced Tab G-94
    Tunnel Group Policy > Client VPN Software Update Tab G-96

    Client Connection Characteristics Page G-97

    VPN Topologies Device View Page G-104

    Discover VPN Policies Wizard G-106
    Discover VPN Policies Wizard - Name and Technology Page G-107
    Discover VPN Policies Wizard - Device Selection Page G-108

    Rediscover VPN Policies Wizard G-110
    Rediscover VPN Policies Wizard - Name and Technology Page G-111
    Rediscover VPN Policies Wizard - Device Selection Page G-112

    APPENDIX H Remote Access VPN User Interface Reference H-1

    Remote Access Configuration Wizard H-2

    User Group Policy Page H-3

    Tunnel Group Policy Page H-4
    Tunnel Group Editor Dialog Box H-6

    Tunnel Group Editor > General Tab H-7
    Tunnel Group Editor > IPsec Tab H-10
    Tunnel Group Editor > Advanced Tab H-12
    Tunnel Group Editor > Client VPN Software Update Tab H-14

    Remote Access VPN Defaults Page H-15

    IPsec Proposal Page H-16
    IPsec Proposal Editor Dialog Box (for PIX and ASA Devices) H-19
    IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices) H-22

    VPNSM/VPN SPA Settings Dialog Box H-26
    FWSM Settings Tab (IPsec Proposal Editor) H-29
    Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor) H-31

    IKE Proposal Page H-36

    High Availability Page H-37

    Public Key Infrastructure Page H-39

    VPN Global Settings Page H-42
    ISAKMP/IPsec Settings Tab H-43
    NAT Settings Tab H-46
    General Settings Tab H-47

    ASA Cluster Load Balance Page H-50

    DN Matching Policy Page H-52

    DN Matching Rules Page H-54
    DN Rule Dialog Box (Upper Pane) H-56
    DN Rule Dialog Box (Lower Pane) H-57

    APPENDIX I SSL VPN User Interface Reference I-1

    SSL VPN Server Wizard (IOS) I-2
    Gateway and Context Page (IOS) I-2
    Portal Page Customization Page I-5

    User Groups Selector Page I-7
    Create User Group Wizard I-9

    Name and Access Method Page I-10
    Full Tunnel Access Mode Page I-11
    Clientless and Thin Client Access Modes Page I-15

    SSL VPN Policy Page (IOS) I-16
    SSL VPN Context Editor Dialog Box (IOS) I-18

    General Tab I-18
    Portal Page Tab I-21
    Secure Desktop Tab I-22
    Advanced Tab I-24

    SSL VPN Wizard for ASA Device I-25
    Access Page (ASA) I-26
    Connection Profile Page (ASA) I-27

    SSL VPN Access Policy Page I-32

    SSL VPN Connection Profiles Policy Page I-34
    Add/Edit SSL VPN Connection Profile Dialog Box I-36

    Basic Tab (ASA) I-36
    AAA Tab (ASA) I-41
    Settings Tab (ASA) I-47

    ASA User Groups Policy Page I-51
    Add User Group Selector Dialog Box (ASA) I-53

    Cisco Secure Desktop Page (ASA) I-54

    SSL VPN Global Settings Page I-55
    Performance Tab I-56

    Content Rewrite Tab I-58
    Add/Edit Content Rewrite Dialog Box I-59

    Encoding Tab I-61
    Add/Edit File Encoding Dialog Box I-63

    Proxy Tab I-64
    Add/Edit Proxy Bypass Dialog Box I-66

    Advanced Tab I-69

    APPENDIX J Firewall Services User Interface Reference J-1

    Access Rules Page J-2
    Add and Edit Access Rule Dialog Boxes J-6
    Advanced Dialog Box J-12
    Edit Sources Dialog Box J-15
    Show Source Contents Dialog Box J-17
    Edit Destinations Dialog Box J-18
    Show Destination Contents Dialog Box J-20
    Edit Service Dialog Box J-21
    Show Service Contents Dialog Box J-23
    Edit Firewall Option Dialog Box J-23
    Edit Interfaces Dialog Box J-25
    Show Interface Contents Dialog Box J-26
    Edit Category Dialog Box J-27
    Edit Description Dialog Box J-28

    Inspection Rules Page J-29
    Add and Edit Inspection Rule Dialog Boxes J-33
    Add Inspect/Application FW Rule > Match Traffic to Protocol Page J-37
    Limit Inspection Between Source and Destination IP Addresses (ASA, FWSM 3.x) Page J-40
    Match Traffic by Custom Destination Ports Page J-44
    Match Traffic by Destination Address and Port (IOS) Page J-46

    Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page J-48
    Edit Sources Dialog Box J-53
    Show Source Contents Dialog Box J-55
    Edit Destinations Dialog Box J-56
    Show Destination Contents Dialog Box J-58
    Edit Service Dialog Box J-59
    Show Service Contents Dialog Box J-61
    Edit Interfaces Dialog Box J-61
    Show Interface Contents Dialog Box J-63
    Edit Inspected Protocol Dialog Box J-65
    Configure DNS Dialog Box J-67
    Configure SMTP Dialog Box J-68
    Custom Protocol Dialog Box J-69
    Configure ESMTP Dialog Box J-70
    Configure Fragments Dialog Box J-71
    Configure IMAP Dialog Box J-72
    Configure POP3 Dialog Box J-73
    Configure RPC Dialog Box J-74
    Configuring Protocol Platform Dialog Box J-75
    Edit Category Dialog Box J-76
    Edit Description Dialog Box J-77

    AAA Rules Page J-78
    Add and Edit AAA Rules Dialog Boxes J-82
    Edit Sources Dialog Box J-88
    Show Source Contents Dialog Box J-90
    Edit Destinations Dialog Box J-91
    Show Destination Contents Dialog Box J-93
    Edit Service Dialog Box J-94
    Show Service Contents Dialog Box J-96

    Edit Interfaces Dialog Box J-97
    Show Interface Contents Dialog Box J-98
    Edit AAA Option Dialog Box J-99
    AuthProxy Dialog Box J-100
    Edit AAA Server Group Dialog Box J-101
    Edit Category Dialog Box J-102
    Edit Description Dialog Box J-103

    Web Filter Rules Page (PIX/ASA) J-104
    Add and Edit PIX/FWSM/ASA Rules Dialog Boxes J-107
    Edit Sources Dialog Box J-113
    Show Source Contents Dialog Box J-115
    Edit Destinations Dialog Box J-116
    Show Destination Contents Dialog Box J-118
    Edit Service Dialog Box J-119
    Show Service Contents Dialog Box J-121
    Edit Web Filter Type Dialog Box J-122
    Edit Web Filter Options Dialog Box J-123
    Edit Category Dialog Box J-124
    Edit Description Dialog Box J-125

    Web Filter Rules Page (IOS) J-126
    Web Filter Rules Tab J-127
    Exclusive Domains Tab J-130

    IOS Web Filter Rule and Applet Scanner Dialog Box J-131
    Exclusive Domain Name Dialog Box J-134

    Transparent Rules Page J-135
    Add and Edit Transparent Firewall Rule Dialog Boxes J-139
    Edit Transparent EtherType Dialog Box J-143
    Edit Transparent Mask Dialog Box J-144
    Edit Interfaces Dialog Box J-144
    Edit Description Dialog Box J-146

    Edit Category Dialog Box J-146

    Firewall Settings J-147
    Access Control Page J-147

    Firewall ACL Setting Dialog Box J-151
    Inspection Page J-154
    AAA Firewall > Advanced Setting Page J-157

    AAA Firewall > Advanced Setting > Clear Connection Configuration Dialog Box J-158

    AAA Firewall > MAC-Exempt List Page J-161
    AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting Dialog Box J-163

    AuthProxy Page J-164
    AuthProxy General Tab (IOS) J-165
    AuthProxy Timeout Tab (IOS) J-167

    Web Filter Page J-170
    Web Filter Server Configuration Dialog Box J-174

    Add and Edit Rule Section Dialog Boxes J-176

    Find and Replace Page J-177

    Analysis Reports Page J-179

    Import Rules - Enter Parameters Dialog Box J-183
    Import Rules - Status Page J-185
    Import Rules - Preview Page J-186

    Import Rules - Preview Page (Rules Tab) J-187
    Importing Rules - Preview Page (Objects Tab) J-190

    Policy Query Page J-195
    Policy Query Results Page J-200

    Hit Count Selection Summary Dialog Box J-209
    Hit Count Summary Results Page J-209

    Combine Rules Selection Summary Dialog Box J-214
    Combined Rules Results Summary J-215

    Rule Combiner Detail Report J-219

    APPENDIX K Router Platform User Interface Reference K-1

    NAT Policy Page K-3
    NAT Page - Interface Specification Tab K-3

    Edit Interfaces Dialog Box - NAT Inside Interfaces K-4
    Edit Interfaces Dialog Box - NAT Outside Interfaces K-5

    NAT Page - Static Rules Tab K-6
    NAT Static Rule Dialog Box K-7

    NAT Page - Dynamic Rules Tab K-13
    NAT Dynamic Rule Dialog Box K-14

    NAT Page - Timeouts Tab K-16

    Router Interfaces Page K-18
    Create Router Interface Dialog Box K-20
    Interface Auto Name Generator Dialog Box K-27

    Advanced Interface Settings Page K-28
    Advanced Interface Settings Dialog Box K-30

    Dialer Policy Page K-38
    Dialer Profile Dialog Box K-40
    Dialer Physical Interface Dialog Box K-42

    ADSL Policy Page K-44
    ADSL Settings Dialog Box K-46

    SHDSL Policy Page K-50
    SHDSL Controller Dialog Box K-52
    Controller Auto Name Generator Dialog Box K-56

    PVC Policy Page K-57
    PVC Dialog Box K-59

    PVC Dialog Box - Settings Tab K-63
    PVC Dialog Box - QoS Tab K-67

    PVC Dialog Box - Protocol Tab K-71
    Define Mapping Dialog Box K-72

    PVC Advanced Settings Dialog Box K-74
    PVC Advanced Settings Dialog Box - OAM Tab K-75
    PVC Advanced Settings Dialog Box - OAM-PVC Tab K-78

    PPP/MLP Policy Page K-81
    PPP Dialog Box K-82

    PPP Dialog Box - PPP Tab K-84
    PPP Dialog Box - MLP Tab K-88

    AAA Policy Page K-91
    AAA Page - Authentication Tab K-93
    AAA Page - Authorization Tab K-94

    Command Authorization Dialog Box K-97
    AAA Page - Accounting Tab K-98

    Command Accounting Dialog Box K-101

    Accounts and Credentials Policy Page K-104
    User Account Dialog Box K-107

    Bridging Policy Page K-108
    Bridge Group Dialog Box K-110

    Clock Policy Page K-111

    CPU Policy Page K-114

    HTTP Policy Page K-118
    HTTP Page - Setup Tab K-119
    HTTP Page - AAA Tab K-121

    Command Authorization Override Dialog Box K-124

    Console Policy Page K-125
    Console Page - Setup Tab K-126
    Console Page - Authentication Tab K-129
    Console Page - Authorization Tab K-131

    Console Page - Accounting Tab K-133

    VTY Policy Page K-137
    VTY Line Dialog Box K-139

    VTY Line Dialog Box - Setup Tab K-140
    VTY Line Dialog Box - Authentication Tab K-145
    VTY Line Dialog Box - Authorization Tab K-146
    VTY Line Dialog Box - Accounting Tab K-149
    Command Authorization Dialog Box - Line Access K-153
    Command Accounting Dialog Box - Line Access K-155

    Secure Shell Policy Page K-157

    SNMP Policy Page K-160
    Permission Dialog Box K-162
    Trap Receiver Dialog Box K-163
    SNMP Traps Dialog Box K-165

    DNS Policy Page K-168
    IP Host Dialog Box K-169

    Hostname Policy Page K-170

    Memory Policy Page K-171

    Secure Device Provisioning Policy Page K-174

    DHCP Policy Page K-179
    DHCP Database Dialog Box K-182
    IP Pool Dialog Box K-183

    NTP Policy Page K-187
    NTP Server Dialog Box K-189

    802.1x Policy Page K-192

    Network Admission Control Policy Page K-197
    Network Admission Control Page - Setup Tab K-198
    Network Admission Control Page - Interfaces Tab K-201

    NAC Interface Configuration Dialog Box K-202

    Network Admission Control Page - Identities Tab K-204
    NAC Identity Profile Dialog Box K-205
    NAC Identity Action Dialog Box K-206

    Logging Setup Policy Page K-207

    Syslog Servers Policy Page K-212
    Syslog Server Dialog Box K-214

    Quality of Service Policy Page K-215
    QoS Policy Dialog Box K-219
    QoS Class Dialog Box K-222

    QoS Class Dialog Box - Matching Tab K-224
    Edit ACLs Dialog Box - QoS Classes K-226
    QoS Class Dialog Box - Marking Tab K-227
    QoS Class Dialog Box - Queuing and Congestion Avoidance Tab K-229
    QoS Class Dialog Box - Policing Tab K-231
    QoS Class Dialog Box - Shaping Tab K-234

    BGP Routing Policy Page K-236
    BGP Page - Setup Tab K-237

    Neighbors Dialog Box K-239
    BGP Page - Redistribution Tab K-240

    BGP Redistribution Mapping Dialog Box K-242

    EIGRP Routing Policy Page K-244
    EIGRP Page - Setup Tab K-245

    EIGRP Setup Dialog Box K-246
    Edit Interfaces Dialog Box - EIGRP Passive Interfaces K-247

    EIGRP Page - Interfaces Tab K-248
    EIGRP Interface Dialog Box K-249

    EIGRP Page - Redistribution Tab K-251
    EIGRP Redistribution Mapping Dialog Box K-253

    OSPF Interface Policy Page K-256

    OSPF Interface Dialog Box K-258

    OSPF Process Policy Page K-264
    OSPF Process Page - Setup Tab K-265

    OSPF Setup Dialog Box K-266
    Edit Interfaces Dialog Box - OSPF Passive Interfaces K-267

    OSPF Process Page - Area Tab K-268
    OSPF Area Dialog Box K-269

    OSPF Process Page - Redistribution Tab K-270
    OSPF Redistribution Mapping Dialog Box K-273
    OSPF Max Prefix Mapping Dialog Box K-275

    RIP Routing Policy Page K-276
    RIP Page - Setup Tab K-277

    Edit Interfaces Dialog Box - RIP Passive Interfaces K-278
    RIP Page - Authentication Tab K-279

    RIP Authentication Dialog Box K-280
    RIP Page - Redistribution Tab K-282

    RIP Redistribution Mapping Dialog Box K-283

    Static Routing Policy Page K-285
    Static Routing Dialog Box K-287

    APPENDIX L PIX/ASA/FWSM Platform User Interface Reference L-1

    NAT Policies L-5
    Address Pools Page L-5

    Address Pool Dialog Box L-6
    Translation Options Page L-7
    Translation Rules Page L-8

    Translation Exemptions (NAT 0 ACL) Tab L-9
    Dynamic Rules Tab L-11
    Policy Dynamic Rules Tab L-13
    Static Rules Tab L-16

    General Tab L-19
    Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box L-22
    Add/Edit Dynamic Translation Rule Dialog Box L-24
    Add/Edit Policy Dynamic Rules Dialog Box L-25
    Add/Edit Static Rule Dialog Box L-26
    Advanced NAT Options Dialog Box L-28
    Select Address Pool Dialog Box L-30

    Interfaces Page L-31
    Add/Edit Interface Dialog Box L-34
    Advanced Interface Settings Dialog Box L-45

    Add VPND Group Dialog Box L-47
    PPPoE Users Dialog Box L-48

    FWSM Interfaces Page L-50
    FWSM Add/Edit Interface Dialog Box L-54
    Add/Edit Bridge Group Dialog Box L-57

    ASA 5505 Ports and Interfaces Page L-59
    Configure Hardware Ports Dialog Box L-63

    Bridging L-65
    ARP Table Page L-66

    Add/Edit ARP Table Entry Dialog Box L-68
    ARP Inspection Page L-69

    Add/Edit ARP Inspection Dialog Box L-70
    MAC Address Table Page L-71

    Add/Edit MAC Table Entry Dialog Box L-72
    MAC Learning Page L-73

    Add/Edit MAC Learning Dialog Box L-74
    Management IP Page L-75

    AAA Page L-75
    Authentication Tab L-76
    Authorization Tab L-78

    Accounting Tab L-79

    Banner Page L-81

    Boot Image/Configuration Page L-83
    Images Dialog Box L-85

    Clock Page L-86

    Credentials Page L-88

    CPU Threshold Page L-89

    Device Access L-90
    Console Page L-91
    HTTP Page L-92

    HTTP Configuration Dialog Box L-93
    ICMP Page L-94

    ICMP Configuration Dialog Box L-95
    Management Access Page L-96
    Secure Shell Page L-97

    SSH Configuration Dialog Box L-98
    SNMP Page L-99

    SNMP Trap Configuration Dialog Box L-101
    Add SNMP Host Access Entry Dialog Box L-103

    Telnet Page L-104
    Telnet Configuration Dialog Box L-105

    Failover Policies L-106
    Failover Page (PIX 6.x) L-107

    Edit Failover Interface Configuration Dialog Box (PIX 6.x) L-109
    Failover Page (FWSM) L-110

    Advanced Settings Dialog Box L-114
    Edit Failover Interface Configuration Dialog Box (FWSM) L-116

    Failover Page (ASA/PIX 7.x) L-117
    Settings Dialog Box L-120

    Add Failover Group Dialog Box L-124
    Edit Failover Interface Configuration Dialog Box (ASA/PIX 7.x) L-125
    Add Interface MAC Address Dialog Box L-127

    Bootstrap Configuration for LAN Failover Dialog Box L-127

    Hostname Page L-128

    Resources Page L-129
    Add/Edit Resource Dialog Box L-131

    Server Access L-134
    AUS Page L-135
    DHCP Relay Page L-137

    Configure DHCP Relay Agent Parameters Dialog Box L-138
    Configure DHCP Server Parameters Dialog Box L-139

    DHCP Server Page L-140
    Edit DHCP Server Dialog Box L-142
    DHCP Server - Advanced Dialog Box L-143

    DNS Page L-144
    Add DNS Server Group Dialog Box L-146
    Add DNS Server Dialog Box L-147
    Edit Interfaces Dialog Box L-148

    DDNS Page L-148
    NTP Page L-149

    NTP Server Configuration Dialog Box L-151
    SMTP Server Page L-152
    TFTP Server Page L-153

    User Accounts Page L-154
    Add/Edit User Account Dialog Box L-155

    Logging Policies L-156
    E-Mail Setup Page L-157

    Add/Edit Email Recipient Dialog Box L-158
    Event Lists Page L-158

    Add/Edit Event List Dialog Box L-160
    Add/Edit Syslog Class Dialog Box L-161
    Add/Edit Syslog Message ID Filter Dialog Box L-162

    Logging Filters Page L-163
    Edit Logging Filters Dialog Box L-164

    Logging Setup Page L-166
    Rate Limit Page L-168

    Add/Edit Rate Limit for Syslog Logging Levels Dialog Box L-169
    Add/Edit Rate Limited Syslog Message Dialog Box L-170

    Server Setup Page L-171
    Add/Edit Syslog Message Dialog Box L-174

    Syslog Servers Page L-175
    Add/Edit Syslog Server Dialog Box L-176

    Multicast Policies L-178
    Enable Multicast Routing Page L-178
    IGMP Page L-179

    Protocol Tab L-180
    Configure IGMP Parameters Dialog Box L-181
    Access Group Tab L-183
    Configure IGMP Access Group Parameters Dialog Box L-184
    Static Group Tab L-184
    Configure IGMP Static Group Parameters Dialog Box L-185
    Join Group Tab L-186
    Configure IGMP Join Group Parameters Dialog Box L-187

    Multicast Routing Page L-187
    Add/Edit MRoute Configuration Dialog Box L-188

    PIM Page L-189
    Protocol Tab L-190
    Add/Edit PIM Protocol Dialog Box L-191
    Rendezvous Points Tab L-192

    Add/Edit Rendezvous Point Dialog Box L-193
    Add/Edit Multicast Groups Dialog Box L-195
    Route Tree Tab L-196
    Multicast Group Dialog Box L-197
    Request Filter Tab L-198
    Multicast Group Dialog Box L-200

    Routing Policies L-200
    No Proxy ARP Page L-201

    Edit Interfaces Dialog Box L-202
    OSPF Page L-203

    General Tab L-203
    OSPF Advanced Dialog Box L-205
    Area Tab L-208
    Add/Edit Area/Area Networks Dialog Box L-210
    Range Tab L-212
    Add/Edit Area Range Network Dialog Box L-213
    Neighbors Tab L-215
    Add/Edit Static Neighbor Dialog Box L-216
    Redistribution Tab L-217
    Redistribution Dialog Box L-218
    Virtual Link Tab L-220
    Add/Edit OSPF Virtual Link Configuration Dialog Box L-221
    Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box L-224
    Fil