-
null
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Before you start to manage a device using Security Manager, you should prepare the device with at least a minimal configuration. The following sections describe the basic device configurations needed for various transport protocols or device types. Before configuring transport protocols, determine the requirements for your devices by reading Understanding Device Communication Requirements.
•Understanding Device Communication Requirements
•Setting Up AUS or Configuration Engine
Security Manager provides many different ways for you to manage devices. The easiest methods involve Security Manager directly contacting the devices. Security Manager might access a device during inventory or policy discovery, during configuration deployment, or in response to actions you take in Security Manager that request device contact (such as testing connectivity).
Because you can use off-line methods to add devices to the Security Manager inventory or to deploy configuration changes to the devices, configuring device communication settings for Security Manager's use is optional. However, you typically need to configure basic device communication settings on the devices to implement your off-line or customized configuration deployment tools.
In Security Manager, you can configure which transport protocol to use as the default for a type of device, and change it for specific devices that are configured to respond to a different protocol. Security Manager is configured with default protocols that are the most commonly-used protocols for that type of device. To change the default device communication setting for a type of device, select Tools > Security Manager Administration and select Device Communication from the table of contents (for more information, see Device Communication Page, page A-11). To change the transport setting for a specific device, modify its device properties as described in Viewing or Changing Device Properties, page 5-17.
Security Manager can use these transport protocols:
•SSL (HTTPS)—Secure Socket Layer, which is an HTTPS connection, is the only transport protocol used with PIX Firewalls, Adaptive Security Appliances (ASA), and Firewall Services Modules (FWSM). It is also the default protocol for IPS devices and for routers running Cisco IOS Software release 12.3 or higher.
If you use SSL as the transport protocol on Cisco IOS routers, you must also configure SSH on the routers. Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Note DES encryption is not supported on Common Services 3.0 and later. Ensure that all PIX Firewalls and Adaptive Security Appliances that you intend to manage with Security Manager have a 3DES/AES license.
For information on configuring SSL, see Setting Up SSL (HTTPS).
•SSH—Secure Shell is the default transport protocol for Catalyst switches and Catalyst 6500/7600 devices. You can also use it with Cisco IOS routers.
For information on configuring SSH, see Setting Up SSH.
•Telnet—Telnet is the default protocol for routers running Cisco IOS software releases 12.1 and 12.2. You can also use it with Catalyst switches, Catalyst 6500/7600 devices, and routers running Cisco IOS Software release 12.3 and higher. See the Cisco IOS software documentation for configuring Telnet.
•HTTP—You can use HTTP instead of HTTPS (SSL) with IPS devices. HTTP is not the default protocol for any device type.
•TMS—Token Management Server is treated like a transport protocol in Security Manager, but it is not a real transport protocol. Instead, by configuring TMS as the transport protocol of a router, you are telling Security Manager to deploy configurations to a TMS. From the TMS, you can download the configuration to an eToken, plug the eToken into the router's USB bus, and update the configuration. TMS is available only for certain routers running Cisco IOS Software 12.3 or higher.
For information on deploying configurations to a TMS and downloading them to a router, see Deploying Configurations to a Token Management Server, page 17-26.
Security Manager can also use indirect methods to deploy configurations to devices, staging the configuration on a server that manages the deployment to the devices. These indirect methods also allow you to use dynamic IP addresses on your devices. The methods are not treated as transport protocols, but as adjuncts to the transport protocol for the device. You can use these indirect methods:
•AUS (Auto Update Server)—When you add a device to Security Manager, you can select the AUS server that is managing it. You can use AUS with PIX Firewalls and ASA devices.
For information on configuring a device to use an AUS server, see Setting Up AUS or Configuration Engine.
•Configuration Engine—When you add a router to Security Manager, you can select the Configuration Engine that is managing it.
For more information on configuring a router to use a Configuration Engine server, see Setting Up AUS or Configuration Engine.
For information on adding devices that use AUS or Configuration Engine servers to Security Manager, and how to add the servers, see these topics:
•Adding Devices to the Device Inventory, page 5-7
•Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 5-14
With many devices, you can use the Secure Socket Layer (SSL) protocol, also known as HTTPS, to communicate with the device. When you deploy configurations with this protocol, Security Manager encrypts the configuration file before sending it to the device.
The following topics describe how to set up SSL on the devices:
•Setting Up SSL (HTTPS) on PIX Firewall, ASA and FWSM Devices
•Setting Up SSL on Cisco IOS Routers
This procedure describes the tasks to complete before you use SSL as the transport protocol for device management on PIX Firewall, ASA and FWSM devices.
Step 1 Enter configuration mode.
hostname# config terminal
Respond to the prompts appropriately. Here are some tips:
•Enter y when the prompt asks if you want to preconfigure using interactive prompts.
•Enter the current enable password.
•Specify the time zone, year, month, day, and time.
•If the device:
–Is new—Specify the network interface IP address and network mask that applies to the inside IP address of the device.
–Exists—Verify that the interface IP address and mask are correct.
•If the device:
–Is new—Specify the hostname and the domain name.
–Exists—Verify that the hostname and domain name are correct.
•When prompted for the IP address of the host that runs the PIX Device Manager, specify the IP address of the Security Manager server.
•Enter yes when the prompt asks if you want to write the above changes to Flash.
Step 2 Enable the HTTP server.
hostname(config)# http server enable
Step 3 Specify the host or network authorized to initiate an HTTP connection to the device.
hostname(config)# http ip_address [netmask] [if_name]
Where:
•ip_address—The IP address of the Security Manager server.
•netmask—The network mask for the IP address.
•if_name—The device interface name (default is inside) from which Security Manager initiates the HTTP connection.
Step 4 Save the current configuration in Flash memory.
hostname(config)# write memory
This procedure describes the tasks to complete before you use SSL as the transport protocol for device management on Cisco IOS routers.
Step 1 Enter configuration mode.
hostname# config terminal
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Configure level 15 privilege. SSL requires that you must have level 15 privileges to log in to a Cisco IOS router.
hostname(config)# username username privilege 15 password 0 password
Step 4 Enable either local authorization or AAA authorization:
•Local authorization— If you are using AAA for authorization but would like to use local authorization, use the following commands to disable AAA authorization and AAA authentication at login, where list-name is a character string used to name the list of authorization methods, and to enable local authorization using the username you just configured:
hostname(config)# no aaa authorization network list-name
hostname(config)# no aaa authentication login list-name
hostname(config)#ip http authentication local
If you do not enter the ip http authentication local command, the default enable password is used for authentication.
•AAA authorization—Use the following commands to enable AAA authentication and authorization. The last two commands are necessary only if multiple AAA lists are defined; list-name is a character string used to name the list of authorization methods. These commands authenticate the user that is contacting the device using the HTTPS protocol.
hostname(config)#ip http authentication aaa
hostname(config)#ip http authentication aaa login-authentication list-name
hostname(config)# ip http authentication aaa exec-authorization list-name
Step 5 Enable the HTTPS server.
hostname(config)# ip http secure-server
Step 6 Exit configuration mode and return to Exec mode.
hostname(config)# exit
Step 7 Verify that SSL is set up on the device. The Device should respond with an "enabled" status.
hostname# show ip http server secure status
You can use the Secure Shell (SSH) protocol to communicate with Cisco IOS Routers, Catalyst switches, and Catalyst 6500/7600 devices. This protocol provides strong authentication and secure communications over insecure channels. Security Manager supports both SSH versions 1.5 and 2. Once connected to the device, Security Manager determines which version to use and communicates using that version.
The following topics describe how to set up SSH on the supported devices:
•Critical Line-Ending Conventions for SSH
•Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
•Preventing Non-SSH Connections (Optional)
The following line-ending conventions for SSH must be observed to avoid system failure:
•Do not end banner message lines with "#", "# ", ">", or "> ". If your system requires a pound sign or greater-than sign at the end of a banner message, ensure that it is followed by two spaces.
•Do not use banner message lines that contain only "Username: " or "Password: "
•Do not customize the device user EXEC mode prompt to not end with ">" or "#".
Before you set up SSH, you must test authentication without SSH to make sure the device can be authenticated. You can authenticate with a local username and password or with an authentication, authorization, and accounting (AAA) server running TACACS+ or RADIUS.
This procedure describes how to test authentication without SSH using a local or AAA server username and password.
Step 1 Enter configuration mode.
router# config terminal
Step 2 Specify that the local username and password should be used in the absence of AAA statements. On Cisco IOS routers, you can use the login local command on VTY lines instead of the aaa new-model command.
hostname(config)#aaa new-model
Step 3 (Optional) Configure a user account in the local database of the device.
hostname(config)# username name password 0 password
Step 4 Exit configuration mode and return to Exec mode.
hostname(config)# exit
Step 5 Save the configuration changes.
hostname(config)# write memory
This procedure describes the tasks required to set up SSH on Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices.
Tip You must configure SSH on Cisco IOS routers because Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Related Topics
•Critical Line-Ending Conventions for SSH
•Preventing Non-SSH Connections (Optional)
Step 1 Enter configuration mode.
router# config terminal
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Generate the RSA key pair for the SSH session. When the device prompts you to enter the size of the modulus, we recommend that you enter 1024.
hostname(config)# crypto key generate rsa
Step 4 (Optional) Set the timeout interval in minutes and the number of retries.
hostname(config)# ip ssh timeout time
hostname(config)# ip ssh authentication-retries n
Step 5 Exit configuration mode and return to Exec mode.
hostname(config)# exit
Step 6 Save the configuration changes.
hostname# write memory
After configuring SSH, you can configure the Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices to use SSH connections only.
Related Topics
•Critical Line-Ending Conventions for SSH
•Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Step 1 Enter configuration mode.
router# config terminal
Step 2 Set up the router for Telnet access, specifying the first and last line numbers that can be used (numbers range from 0 to 1180, and the last number must be greater than the first number).
hostname(config)# line vty first_line last_line
Step 3 Prevent non-SSH connections, such as Telnet.
hostname(config-line)# transport input ssh
Step 4 Exit configuration mode.
hostname(config-line)# end
Step 5 Save the configuration changes.
hostname# write memory
With many devices, you can use an intermediate transport server to stage configuration updates to the device. These transport servers can also allow you to manage devices that use dynamically assigned IP address (using a DHCP server) instead of static IP addresses. When you deploy configurations using a transport server, Security Manager deploys the configuration to the server, and the device retrieves the configuration from the server. You can use Auto Update Server, running the AUS protocol, or Cisco Configuration Engine, running the CNS protocol.
The following topics describe how to set up AUS or CNS on the devices:
•Setting Up AUS on PIX Firewall and ASA Devices
•Setting Up CNS on Cisco IOS Routers in Event-Bus Mode
•Setting Up CNS on Cisco IOS Routers in Call-Home Mode
You can configure PIX Firewalls and ASA devices to use the AUS protocol to contact an Auto Update Server for configuration and image updates. See the Auto Update Server product documentation for more information.
You can also configure PIX Firewalls and ASA devices to use the CNS Protocol. However, if PIX Firewall and ASA devices are configured for CNS, they actually use the AUS protocol. Thus, the configuration steps for AUS and CNS are identical.
This procedure describes the tasks to complete before you use AUS or CNS as the transport protocol for device management on PIX Firewall and ASA devices.
Step 1 Enter configuration mode.
router# config terminal
Step 2 Connect to the AUS. Specify a username and its password that can log into Security Manager. The port number is typically 443.
hostname(config)# auto-update server https:// username:password@AUSserver_IP_address:port /autoupdate/AutoUpdateServlet
Step 3 Specify the polling period for AUS.
hostname(config)# auto-update poll-period poll_period [retry_count ] [retry_period ]
Where:
•poll_period—The polling period interval between two updates. Default is 720 minutes (12 hours).
•retry_count—(Optional) The number of times to retry if the server connection attempt fails. Default is 0.
•retry_period—(Optional) The number of minutes between retries. Default is 5.
Step 4 Configure the device to use the specified unique device ID to identify itself.
hostname(config)# auto-update device-id [ hardware-serial | hostname |
ipaddress [if_name ] | mac-address [if_name ] | string text ]
Where:
•if_name—The device interface name (the default is inside).
•text—A unique string name.
Step 5 Save the configuration changes.
hostname# write memory
You can configure Cisco IOS routers to use the CNS protocol to contact a Cisco Configuration Engine for configuration and image updates. The Configuration Engine can operate in two modes, event-bus and call-home. The following procedure describes how to configure a router to use event-bus mode. For information on using call-home mode, see Setting Up CNS on Cisco IOS Routers in Call-Home Mode.
See the Configuration Engine product documentation for more information about configuring and using the product.
Step 1 Enter configuration mode.
router# config terminal
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Specify the trusted server for the CNS agent. Enter the IP address of the trusted server.
hostname(config)# cns trusted-server all-agents ip_address
Step 4 Configure the CNS event gateway, which provides CNS event services to Cisco IOS clients. Enter the IP address of the event gateway, and optionally the port. The default port is either 11011 (with no encryption) or 11012 (with encryption). Include the encrypt keyword to use an SSL encrypted link to the event gateway.
hostname(config)# cns event ip_address [encrypt] [port]
Step 5 Start the CNS configuration agent and accept a partial configuration. Include the encrypt keyword to use an SSL encrypted link to the web server.
hostname(config)# cns config partial ip_address [encrypt]
Step 6 Set the CNS password, which must be the same password configured on the CNS gateway. For information on how to authenticate a Cisco IOS router on a Configuration Engine, see Cisco Configuration Engine Administrator Guide at http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/prod_maintenance_guides_list.html.
hostname(config)# cns password password
Step 7 Enable and configure the CNS execute agent. Include the encrypt keyword to use an SSL encrypted link to the exec server. You can specify a port number for the encrypted exchange if you do not want to use the default port 443.
hostname(config)# cns exec [encrypt [port]]
Step 8 Exit configuration mode and return to Exec mode.
hostname(config)# exit
Step 9 Save the configuration changes.
hostname# write memory
You can configure Cisco IOS routers to use the CNS protocol to contact a Cisco Configuration Engine for configuration and image updates. The Configuration Engine can operate in two modes, event-bus and call-home. The following table describes the tasks to complete to configure a router to use call-home mode. For information on using event-bus mode, see Setting Up CNS on Cisco IOS Routers in Event-Bus Mode.
See the Configuration Engine product documentation for more information about configuring and using the product.
Step 1 Enter configuration mode.
router# config terminal
Step 2 Configure the hostname and domain name if the device is new.
router(config)# hostname name
hostname(config)# ip domain-name your_domain
Step 3 Specify the IP address of the trusted server for the CNS agent.
hostname(config)# cns trusted-server all-agents ip_address
Step 4 Specify schedule parameters for a Command Scheduler occurrence and enter kron-occurrence configuration mode.
hostname(config)# kron occurrence occurrence-name [user username ]
{in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]}
{oneshot | recurring}
Where:
•occurrence-name—The name of the occurrence. The name can be from 1 to 31 characters. If the occurrence-name is new, an occurrence structure is created. If the occurrence-name is not new, the existing occurrence is edited.
•username—(Optional) The name of the user.
•in [[numdays:]numhours:]nummin—The occurrence should run after waiting the specified time. You can enter a number of days, hours, or minutes, or a combination of them. The timer starts when the occurrence is configured.
•at hours:min [[month] day-of-month] [day-of-week]—The occurrence should run at the specified hour and minute on the specified month and day, or day of the week. Specify the hour using the 24-hour clock.
•oneshot—Specifies that the occurrence is to run only once. After the occurrence runs, the configuration is removed.
•recurring—Specifies that the occurrence is to run on a recurring basis.
Step 5 Specify the policy list associated with a Command Scheduler occurrence. The name can be 1 to 31 characters. If the list-name is new, a policy list structure is created. If the list-name is not new, the existing policy list is edited.
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
hostname(config-kron-occurrence)# policy-list list-name
Step 6 Exit kron-occurrence and return to configuration mode.
hostname(config-kron-occurrence)# exit
Step 7 Specify a name for a Command Scheduler policy and enter kron-policy configuration mode. The name can be 1 to 31 characters. If the list-name is new, a policy list structure is created. If the list-name is not new, the existing policy list is edited.
hostname(config)# kron policy-list list-name
Step 8 Retrieve the configuration from the staged CNS job. Specify the IP address of the CNS server. You must use JobbedDynaConfig status so that the device retrieves the config from the staged CNS job; otherwise, the device retrieves the template associated with the device.
hostname(config-kron-policy)# cli cns config retrieve ip_address
page /cns/JobbedDynaConfig status http:// ip_address /cns/PostStatus
Step 9 Exit kron-policy configuration mode and return to configuration mode.
hostname(config-kron-policy)# exit
Step 10 Enable and configure the CNS execute agent.
hostname(config)# cns exec
Step 11 Exit configuration mode and return to Exec mode.
hostname(config)# exit
Step 12 Save the configuration changes.
hostname# write memory
To initialize an IPS device, you must configure the following settings. These are network settings, and only a user with administrator privileges on the IPS device can configure them:
•Sensor name
•IP address
•Netmask
•Default route
•Enable TLS/SSL (to enable TLS/SSL in the web server on the device)
•Web server port
•Use default ports
You configure these settings through the setup command in Intrusion Prevention System Device Manager (IDM) or in a command-line session, depending upon which platform is used by your IPS device. For a list of supported IPS platforms, see the supported devices and software versions information at the following URL: http://www.cisco.com/en/US/products/ps6498/products_device_support_tables_list.html.
For detailed information on these settings, refer to the technical documentation for your IPS device.
Note For information on preparing an IOS IPS device for use, see Preparation for Use, page 12-21.