Q. What is CiscoWorks Management Center for VPN Routers?
A. CiscoWorks Management Center for VPN Routers, a component of CiscoWorks VPN/Security Management Solution (VMS), is a Web-based management tool for the scalable configuration and deployment of large-scale, site-to-site VPN connections for Cisco
® VPN routers and the Cisco Catalyst
® VPN service module. In addition, CiscoWorks Management Center for VPN Routers provides configuration and management for the Cisco IOS
® Firewall settings on Cisco Systems
® access and VPN routers. Through administrative user-approval controls (multiple administrative and operational roles) for individual user and deployment permissions, the application can scale from deployments for small and medium to large enterprises.
Q. What are the features and benefits of CiscoWorks Management Center for VPN Routers?
A. CiscoWorks Management Center for VPN Routers includes features such as support for Cisco IOS Firewall context based access control (CBAC), access control lists (ACLs), configuration of IP Security (IPSec) high availability-Hot Standby Routing Protocol (HSRP), and various enhancements to configuration of CA and IPSec policies. In addition, configuration and management of the IP VPN services module for the Cisco Catalyst 6500 Series is supported in CiscoWorks Management Center for VPN Routers 1.3.1. The Cisco Catalyst VPN services module provides high performance and scalability and can terminate thousands of VPN tunnels simultaneously. Some of the main features of CiscoWorks Management Center for VPN Routers are:
• Easy-to-use Web browser interface-Standard Web interface makes it easy to define and deploy policies
• Simplified VPN and firewall security definitions-Wizard-based interface guides users through the creation of VPN and firewall settings
• Support for numerous devices-Uses device grouping and Smart Rules hierarchy, reusable policy components to enable VPN configurations that scale to thousands of devices
• Integrated security management for the Cisco IOS Firewall and VPN in a single Web-based application
• Support for configuration and management of the IP VPN service module on the Cisco Catalyst 6500 Series
• Enhanced resiliency with Internet Key Exchange (IKE) keepalives, generic routing encapsulation (GRE), HSRP-Supports IKE keep alive configuration, GRE (with Enhanced Interior Gateway Routing Protocol [EIGRP], or Open Shortest Path First [OSPF] Protocol) configuration as well as configuration of HSRP
• Translation of VPN policies to command-line interface (CLI) commands-Web interface allows configuring and managing VPN policies without requiring CLI command knowledge. VPN policies are translated into CLI commands, which are deployed to devices
• Flexible deployment to files or devices-Deploy configurations directly to devices in the form of CLI commands or generate files containing relevant CLI commands, which can be written to devices later
• High-level reporting and audit reports for users and administrators from within the application
• Configuration rollback-You can return to a device's previous configuration if you are not satisfied with a configuration after you deploy VPN policies
• Support for Frame Relay networks-Ability to deploy hub-and-spoke VPN configurations over a Frame Relay network
Q. What are the new features in CiscoWorks Management Center for VPN Routers 1.3.1?
A. New features in CiscoWorks Management Center for VPN Routers 1.3.1 include:
• New wizard-like workflow to assist in end-to-end setup and management of VPN configurations
• GRE support for dynamically addressed devices
• Support for dial back up configuration
• Authentication proxy support and wide range of inspection rules for Cisco IOS Firewall configuration
• Management of preshared keys only-For customers who want to manage keys without managing VPN policies
• Support for new access routers (see release notes and user guides for more detail)
Q. Is CiscoWorks Management Center for VPN Routers part of CiscoWorks VMS?
A. Yes. CiscoWorks Management Center for VPN Routers is the part of the CiscoWorks VMS.
Q. Who should use CiscoWorks Management Center for VPN Routers?
A. CiscoWorks Management Center for VPN Routers is ideal for users who want to configure and deploy scalable VPNs on Cisco access and enterprise routers. It configures not only secure VPNs but also Cisco IOS firewalls on Cisco IOS VPN and access routers. In addition, CiscoWorks Management Center for VPN Routers can be used to configure the VPN Services Module on the Cisco Catalyst 6500 Series.
Q. Does CiscoWorks Management Center for VPN Routers have a similar "look and feel" to that of the CiscoWorks Management Center for Firewalls and the CiscoWorks Management Center for IDS Sensors? Is it a standalone product?
A. CiscoWorks Management Center for VPN Routers is not a standalone product; it is a part of CiscoWorks VMS and shares a common interface with the CiscoWorks Management Center for Firewalls and the Management Center for IDS Sensors. They all are started from the CiscoWorks desktop.
CiscoWorks Management Center for VPN Routers works with CiscoWorks Common Services (another component of VMS), which supplies core server-side components required by CiscoWorks Management Center for VPN Routers , such as Apache Web server, Secure Sockets Layer (SSL) and Secure Shell (SSH) Protocol libraries, embedded Structured Query Language (SQL) database, Tomcat servlet engine, the CiscoWorks desktop, and others.
Q. What devices does CiscoWorks Management Center for VPN Routers 1.3.1 support?
A. CiscoWorks Management Center for VPN Routers supports the Cisco 800, 1700, 2600, 3600, 3700, and 7000 series routers. In addition, it supports the configuration of the VPN service module on the Cisco Catalyst 6500 Series switches. For a detailed list of device and Cisco IOS Software release support, refer to the CiscoWorks Management Center for VPN Routers data sheet
Q. What IKE, VPN, and tunnel policies can be configured with CiscoWorks Management Center for VPN Routers?
A. Users can configure the following types of VPN configurations:
• VPN settings-Includes settings for network behavior and policy implementation. Also included are settings for failover and routing protocols, packet fragmentation, internal networks, interfaces for hubs and spokes, and hub assignment for spokes and device credentials.
• IKE policies-Define the combination of security parameters to be used during IKE negotiation, including encryption and authentication algorithms.
• Tunnel policies-Define what data is securely transmitted using the tunnel (crypto ACL) and which authentication and encryption algorithms are applied to the data to ensure its authenticity, integrity, and confidentiality (transform set).
• Transform sets-Combination of security protocols, algorithms, and other settings that specifies how data in the (IPSec) tunnel is encrypted and authenticated.
• Firewall settings-Including configuration of firewall features such as ordered ACLs per interface, as well as CBAC features.
Q. What Cisco IOS Firewall policies can you configure with Cisc
oWorks Management Center for VPN Routers?
A. Users can configure firewall features such as ACLs per interface as well as CBAC features (including availability of the inspect action for access rules, alert and audit settings, fragmentation settings, Domain Name System [DNS] timeouts, protocol timeouts, and denial of service [DoS] prevention [half open connections control]).
Q. What encryption algorithms are supported in CiscoWorks Management Center for VPN Routers?
A. CiscoWorks Management Center for VPN Routers supports Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES).
Q. Is HSRP supported in CiscoWorks Management Center for VPN Routers?
A. Yes. HSRP for high availability of hub endpoints is supported.
Q. Is IPSec network address translation (NAT) transparency supported in CiscoWorks Management Center for VPN Routers?
A. Yes. IPSec NAT transparency is supported.
Q. Are unsupported commands and other CLI inputs possible in CiscoWorks Management Center for VPN Routers?
A. Yes. Using the epilog/prolog capability, additional user-entered commands can be added at the beginning or end of the configurations generated by CiscoWorks Management Center for VPN Routers.
Q. What is device hierarchy and inheritance?
A. CiscoWorks Management Center for VPN Routers incorporates a powerful architectural paradigm for device hierarchy and inheritance, which provides significant benefits for use and scalability across thousands of devices. All devices are contained within a global object. By enabling device hierarchy, you can define VPN configurations on multiple devices simultaneously rather than having to configure each device individually. VPN configurations that you define on the global level are inherited by all devices in the device inventory, and VPN configurations that you define on the device-group level are inherited by all groups and devices contained within that group and override the global configurations (if any) for those devices. You can also define VPN configurations on an individual device and override any configurations inherited from a higher level.
Q. What tunneling topologies does CiscoWorks Management Center for VPN Routers support?
A. The following tunneling technologies are supported: IPSec, IPSec with GRE, and IPSec with GRE over a Frame Relay network.
Q. What steps are needed to configure a site-to-site VPN using CiscoWorks Management Center for VPN Routers?
A. CiscoWorks Management Center for VPN Routers makes it simple to configure and deploy a site-to-site VPN across multiple devices in a hub-and-spoke topology. The steps involved include:
• Creating an activity
• Creating device groups
• Importing devices
• Defining VPN settings
• Defining IKE policies
• Defining tunnel policies
• Approving an activity
• Creating and deploying a job
Q. What administrative settings and roles are available in CiscoWorks Management Center for VPN Routers?
A. CiscoWorks Management Center for VPN Routers allows users to specify whether user permissions should be managed using Cisco Secure Access Control Server (ACS) or Common Management Framework (CMF). ACS privileges are mapped to CiscoWorks user roles within CMF. ACS and CMF permissions in Router Management Center rely on the user group or username, the command set of privileges associated with the user group or username, and the device or device group for which privileges are requested. Before performing an action, the device checks to see if the user has the permission to perform the action. The CiscoWorks server checks the privileges to modify administrative settings, modify device hierarchy, and view administrative settings. The device affected checks all other privileges. CMF has five role types:
• Help desk-Log in as guest; no password is required
• System administrator-Log in using password specified during installation; can modify devices, device hierarchies, policies, and administrative settings
• Approver-Log in using password specified by network administrator; can review policy changes and reject or approve them
• Network administrator-Log in using password you specified; superuser mode
• Network operator-Log in using password specified by network administrator; can create and submit jobs
Q. What are the system requirements for CiscoWorks Management Center for VPN Routers?