Table Of Contents
Configuring the Firewall Module
Configuring VLANs in a VLAN Group
Using the Firewall Module/Context Setup Wizards
Configuring the Outside Interface
Configuring the Inside Interface
Configuring Firewall Interfaces
Configuring the SSL Services Module
Editing SSL Services Module Information
Editing VPN Crypto Connections
Configuring the Network Analysis Module
Modifying SNMP Community Strings
Using the NAM Configuration Wizard
Configuring Basic IP Parameters
Intrusion Detection System Services Module
Configuring the Intrusion Detection System Services Module
Modifying IDSM Service Details
Configuring Basic IP Parameters
Service Module Setup
To enable CVDM-C6500 to effectively manage the modules on your device, you need to provide credentials for each module. For example, the Firewall Services Module (FWSM) ships with PIX Device Manager (PDM). However, before you can launch PDM from the FWSM or access the FWSM via telnet/SSH, you need to make use of the bootstrap functionality provided by CVDM-C6500. This functionality and service-level overview page are provided for the following modules:
•
Intrusion Detection System Services Module
Firewall Services Module
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other; for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ includes only the public servers, an attack there affects only the servers and does not affect the other inside networks.
You can also control outside access by inside users (for example, access to the Internet) by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external authentication, authorization, and accounting (AAA) server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and the DMZ, while behind the firewall, allows limited access to outside users. Because the Firewall Services Module (FWSM) allows you to configure many interfaces with varied security policies, including inside interfaces, DMZs, and even outside interfaces, if desired, these terms are used in a general sense only.
If you do not provide credentials for the FWSM, you will not be able to:
•
•
•
•
For more information on credentials, see the "Understanding User Credentials" section.
Note
Configuring the Firewall Module
To access the firewall module overview page (see Figure 8-1), click Services at the top of the window, click Firewall from the left-most pane, and then click Firewall: Slot X from the selector.
Figure 8-1 Firewall Page
From the firewall module overview page, you can:
•
•
•
•
The following table describes the information provided on the Firewall module overview page.
Setup Wizard button
Click to open the firewall module setup wizard. See the "Using the Firewall Module/Context Setup Wizards" section for more information.
Launch PDM button
Click to open PDM. You must first configure the module using the setup wizard before you can access this application.
Note
Descriptor field
Textual identifier of this module.
Model field
Model number of this module.
Slot Number field
Device slot in which this module is located.
Status field
Current status of this module.
Software Version field
Software version of this module.
Hardware Version field
Hardware version of this module.
Firmware Version field
Firmware version of this module.
Serial Number field
Serial number of this module.
Total Memory field
Total memory available on this module.
Total Flash field
Total flash memory available on this module.
Service Details pane
This pane lists applicable service detail information. See the "Service Details" section for more information.
VLAN Groups pane - root node selected
When the root node is selected in the VLAN Groups selector, this pane lists the VLAN groups that are configured on this device. See the "Configuring VLAN Groups" section for more information.
VLAN Groups pane - VLAN group selected
When a VLAN group is selected in the VLAN Groups selector, this pane lists the VLANs associated with that VLAN group. See the "Configuring VLANs in a VLAN Group" section for more information.
Service Details
The following table lists the information provided in the Service Details pane.
Host Name field
Name of this module.
Domain Name field
Name of the domain to which the host belongs.
PDM Version field
Version of PDM installed on this module.
CPU Usage field
Percentage of CPU resources being used by this module.
Memory Usage field
Percentage of Flash memory being used by this module.
Number of Firewall Interfaces field
Number of firewall interfaces configured on this module.
Note
Number of Firewall Contexts field
Number of firewall contexts configured on this module.
Note
Number of Assigned VLANs field
Number of VLANs assigned on this module.
HTTP Server field
Indicates whether the HTTP server is enabled on this module.
Note
Edit button
Click to modify the information provided in the Service Details pane. See the "Modifying Service Details" section for more information.
Modifying Service Details
Step 1
Step 2
Step 3
Configuring VLAN Groups
When the root node is selected in the VLAN Groups selector, the information in the following table is displayed.
VLAN Groups selector
Displays the VLAN groups that are configured on the device.
VLAN Group column
Numerical identifier for this VLAN group.
VLAN IDs column
VLANs that belong to this VLAN group.
Assigned column
Indicates whether this VLAN Group has been assigned to the firewall module.
VLAN Group button
With a VLAN group in the table selected, click and then select one of the following:
•
•
Add button
Click to add a VLAN group. See the "Adding a VLAN Group" section for more information.
Edit button
Click to edit the selected VLAN group. See the "Modifying a VLAN Group" section for more information.
Delete button
Click to delete the selected VLAN group.
Adding a VLAN Group
Step 1
Step 2
Step 3
Group ID field
Enter the numerical identifier for the VLAN group.
Assign this Group to Firewall: Slot X check box
Select to assign this VLAN group to the selected firewall module.
Selected VLANs field
Indicates the VLANs to be added to the VLAN group. Do one of the following:
•
to open the Enter VLAN Range dialog box. See the "Entering a VLAN Range" section for more information.
•
VLAN ID column
Numerical identifier for a VLAN.
Add column
Select the check box for the VLANs you want to add to the VLAN group.
Modifying a VLAN Group
Step 1
Step 2
•
•
The Edit VLAN Group dialog box appears.
Step 3
Group ID field
Numerical identifier for the selected VLAN group. This field cannot be edited.
Assign this Group to Firewall: Slot X check box
Select to assign this VLAN group to the selected firewall module.
Selected VLANs field
Indicates the VLANs that belong to the selected VLAN group. To make changes, do one of the following:
•
•
VLAN ID column
Numerical identifier for the VLAN. This field cannot be edited.
Add column
Select the check box for the VLANs you want to add to or remove from the selected VLAN group.
Entering a VLAN Range
Step 1
Step 2
•
•
Note
Step 3
Step 4
For example, to add VLANs 22 through 27 and VLAN 35 to a VLAN group, you would enter
(22-27,35).Selecting a VLAN Group
This dialog box lists the VLAN groups that are configured on the device, as well as the VLANs associated with each group. Select a VLAN group and then click OK to continue.
Configuring VLANs in a VLAN Group
When a VLAN group is selected in the VLAN Groups selector, the information in the following table is displayed.
VLAN Groups selector
Displays the VLAN groups that are configured on the device.
Misconfigured VLAN graphic:
Indicates that the VLAN is configured incorrectly on this device.
VLAN ID column
Numerical identifier for this VLAN.
VLAN Name column
Name of this VLAN.
Ports column
Ports that belong to this VLAN in Access and/or Trunk mode.
Add button
Click to add a VLAN to the selected VLAN group. See the "Adding a VLAN to a VLAN Group" section for more information.
Edit button
Click to edit the selected VLAN. See the "Modifying a VLAN in a VLAN Group" section for more information.
Delete button
Click to delete the selected VLAN.
Adding a VLAN to a VLAN Group
Step 1
Step 2
Step 3
VLAN ID field
Specify the VLAN to be added to the selected VLAN group.
Click
and then select one of the following:
•
•
•
Access Ports field
Specify the access ports associated with this VLAN.
Click
Trunk Ports field
Specify the trunk ports associated with this VLAN.
Click
Modifying a VLAN in a VLAN Group
Step 1
Step 2
Step 3
•
•
The VLAN Group X: Edit VLAN dialog box appears.
Step 4
VLAN ID field
Numerical identifier for the selected VLAN. This field cannot be edited.
Access Ports
Edit the access ports associated with this VLAN.
Click
Trunk Ports
Edit the trunk ports associated with this VLAN.
Click
Using the Firewall Module/Context Setup Wizards
CVDM-C6500 provides three wizards which allow you to perform the initial configuration of either a Firewall Services Module (FWSM) or a context defined on that FWSM:
•
•
•
Note
After completing one of these wizards, you can run the PIX Device Manager (PDM) application to perform more advanced configuration.
Navigation
To launch either the Firewall Module Setup Wizard or the Multi Mode Firewall Module Setup Wizard, do one of the following:
Procedure A
Step 1
Procedure B
Step 1
Step 2
Step 3
To launch the Firewall Context Setup Wizard, click Services at the top of the window, click Firewall from the left-most pane, select a context from the selector, and then click Setup Wizard.
Wizard Steps
The wizards consist of the following steps:
1.
Note
2.
3.
4.
Configuring the Admin Context
On this page of the wizard, you configure the Admin context on the firewall module. To do so, enter the information specified in the following table.
Note
Note
Configuring the Outside Interface
On this page of the wizard, you configure the outside interface for either the firewall module (single and multiple mode setup wizards) or the selected context (context setup wizard). To do so, enter the information specified in the following table.
Note
Outside VLAN list
Specify the VLAN associated with the outside interface.
Click
•
•
•
Interface field
Enter the name of the outside interface.
IP Address field
Enter the IP address of the outside interface.
Mask list
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
Security Level (0-100) field
Enter the security level for the outside interface. Higher values indicate higher security levels. By default, the value of this object is 0.
VLAN Group list
Specify the VLAN group associated with the outside interface.
Click
Configuring the Inside Interface
On this page of the wizard, you configure the inside interface for either the firewall module (single and multiple mode setup wizards) or the selected context (context setup wizard). If you run the wizard after an inside interface has already been configured, the current credentials will be displayed. You can either keep these credentials or make the necessary changes.
To configure the inside interface, enter the information specified in the following table.
VLAN list
Specify the VLAN associated with the inside interface.
Click
•
•
•
Interface field
Enter the name of the inside interface.
IP Address field
Enter the IP address of the inside interface.
Mask list
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
Security Level (0-100) field
Enter the security level for the inside interface. Higher values indicate higher security levels. By default, the value of this object is 100.
VLAN Group list
Specify the VLAN group associated with the inside interface.
Click
Enable HTTP Server check box
Select to enable the HTTP server on the firewall module (in single or multiple mode) or the selected context (in multiple mode).
Enable HTTP Access to this host with IP address <ip address>
Select to grant the specified device access to the firewall module (in single or multiple mode) or the selected context (in multiple mode).
Configuring Static Routes
On this page of the wizard, you configure static routes for the selected interface on either the firewall module (single and multiple mode setup wizards) or the selected context (context setup wizard). These static routes are used to route packets.
Note
To configure static routes for the selected interface on the firewall module, enter the information specified in the following table.
Summary
In this dialog box, you can view a summary of the settings entered in the firewall module/context setup wizards. Click Finish to configure the device with these settings.
After completion of a wizard, you can launch PDM by clicking Launch PDM in the module's overview page. Use this application to make more advanced configuration changes.
Security Context Overview
You can partition a single FWSM into multiple virtual firewalls, known as security contexts. Each context is an independent system, with its own security policy, interfaces, and administrators. Multiple contexts are equivalent to having multiple standalone firewalls.
The FWSM runs in one of two modes: single mode or multiple mode. In single mode, any changes made affect the entire module. In multiple mode, a number of contexts are configured with only one having administrative privileges at any given time: the Admin context. Unlike in single mode, the changes made to a context in multiple mode apply only to that context.
Note
Configuring Firewall Contexts
The Contexts overview page displays the firewall contexts configured on this module. Keep in mind that context management is only available in multiple mode.
To access this page, click Services at the top of the window, click Firewall from the left-most pane, and then select Contexts from the selector.
The following table describes the information provided on this page.
Name column
Name of the context.
Description column
Description of the context.
Config URL column
Configuration URL for the context.
Allocated VLANs column
Number of VLANs allocated to the context.
Add button
Click to add a context. See the "Adding a Context" section for more information.
Edit button
Click to edit the selected context. See the "Modifying a Context" section for more information.
Delete button
Click to delete the selected context.
Adding a Context
Step 1
Step 2
Step 3
Name field
Enter the name of the context.
Config URL field
Enter the configuration URL for the context.
You can download a context from either a server (FTP, TFTP, HTTP, or HTTPS) or the local disk. The URL syntax for each is as follows:
•
•
where server type is the type of server, server is the IP address of the appropriate server, path is the directory that contains the context file, and filename is the name of the context file.
Please note the following:
•
•
•
Description field
Enter a description of the context.
Make This Firewall Context the Admin Context check box
Select to designate this context as the Admin context.
VLAN ID column
Numerical identifier of the VLAN. This field cannot be edited.
Allocate check box
Select to allocate the selected VLAN to the context.
Alias column
Enter the alias for the VLAN.
VLAN Group column
Specify the VLAN group to which the VLAN belongs.
Click
Add button
Click to open the Enter VLAN Range dialog box.
Entering a VLAN Range
Modifying a Context
Step 1
Step 2
Note
Step 3
Name field
Name of the selected context. This field cannot be edited.
Config URL field
Configuration URL for the selected context. This field cannot be edited.
Description field
Edit the description of the selected context.
Make This Firewall Context the Admin Context check box
Select to designate this context as the Admin context. Note that this option is not available if the selected context is already the Admin context.
VLAN ID column
Numerical identifier of the VLAN. This field cannot be edited.
Allocate check box
Select to allocate the selected VLAN to this context.
Alias column
Edit the alias for the VLAN.
VLAN Group column
Edit the VLAN group to which the VLAN belongs.
Click
Firewall Context Details
The Firewall Contexts Details page displays the parameters for the selected firewall context. To access this page, click Services at the top of the window, click Firewall from the left-most pane, and then select a context from the selector.
The following table describes the information provided on this page.
Modifying Context Details
Step 1
Step 2
Step 3
Allocate VLAN
Step 1
Step 2
Step 3
VLAN ID list
Specify the VLAN to be allocated to the selected context.
Click
•
•
•
Alias field
Enter the alias for this VLAN.
VLAN Group field
Specify the VLAN group to which this VLAN belongs.
Click
Modify Allocated VLAN
Step 1
Step 2
Step 3
VLAN ID field
Numerical identifier of the selected VLAN. This field cannot be edited.
Alias field
Modify the alias for the selected VLAN.
VLAN Group field
Modify the VLAN group to which this VLAN belongs.
Click
Configuring Firewall Interfaces
The Interfaces overview page displays the firewall interfaces configured on this module. Although this page looks the same in both single and multiple modes, keep in mind that:
•
•
Note
To access this page, click Services at the top of the window, click Firewall from the left-most pane, and then select Interfaces (for either the module in single mode or the selected context in multiple mode) from the selector.
The following table describes the information provided on this page.
Misconfigured VLAN graphic:
Indicates that the VLAN is configured incorrectly on this device.
VLAN ID column
Corresponding VLAN for an interface.
VLAN Name column
Name of the corresponding VLAN for an interface.
Interface Name column
Name of an interface.
IP Address/Mask column
IP address/mask of an interface.
Security Level (0-100) column
Security level set for the interface. Higher values indicate higher security levels.
•
•
Add button
Click to add an interface. See the "Adding a Firewall Module Interface" section for more information.
Edit button
Click to edit the selected interface. See the "Editing a Firewall Module Interface" section for more information.
Delete button
Click to delete the selected interface.
Adding a Firewall Module Interface
Step 1
Step 2
Step 3
VLAN ID list
Specify the VLAN associated with the interface.
Click
•
Note
•
•
Interface Name field
Enter the name of the interface.
IP Address field
Enter the IP address of the interface.
Mask field
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
VLAN Group field
Specify the VLAN group associated with the interface.
Click
Security Level (0-100) field
Enter the security level for the interface. Higher values indicate higher security levels.
•
•
Editing a Firewall Module Interface
Step 1
Step 2
Note
Step 3
VLAN ID field
VLAN associated with the selected interface. This field cannot be edited.
Interface Name field
Name of the selected interface. This field cannot be edited.
IP Address field
Edit the IP address of the selected interface.
Mask field
Edit the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
VLAN Group field
Modify the VLAN group associated with the selected interface.
Click
Security Level (0-100) field
Edit the security level for the selected interface. Higher values indicate higher security levels.
•
•
Configuring Static Routes
The Static Routes overview page displays the static routes configured on the firewall module. To access this page, click Services at the top of the window, click Firewall from the left-most pane, and then select Static Routes (for either the module in single mode or the selected context in multiple mode) from the selector.
Note
The following table describes the information (identical in both single and multiple modes) provided on this page.
Interface Name column
Name of the interface on which a route is configured.
VLAN ID column
Corresponding VLAN for a static route.
Destination IP Address/Mask column
Destination network address of a static route.
Mask field
Subnet mask to which the network address belongs. You can either type a value or select a value from the list.
Next Hop column
IP address of the next hop device.
Metric column
Route metric configured for a static route.
Add button
Click to add a static route. See the "Adding a Static Route" section for more information.
Edit button
Click to edit the selected static route. See the "Editing a Static Route" section for more information.
Delete button
Click to delete the selected static route.
Adding a Static Route
Step 1
Step 2
Step 3
Editing a Static Route
Step 1
Step 2
Note
Step 3
Configuring HTTP Rules
The HTTP Rules overview page displays the rules configured on the firewall module. Although this page looks the same in both single and multiple modes, keep in mind that:
•
•
Note
To access this page, click Services at the top of the window, click Firewall from the left-most pane, and then select HTTP Rules (for either the module in single mode or the selected context in multiple mode) from the selector.
The following table describes the information provided on this page.
Interface Name column
The interface an HTTP rule is configured on.
VLAN ID column
ID of the corresponding VLAN for an HTTP rule.
Allowed IP Address column
IP/network address of an HTTP rule.
Allowed Network Mask column
Subnet mask to which the specified IP/network address belongs.
Add button
Click to add an HTTP rule. See the "Adding an HTTP Rule" section for more information.
Edit button
Click to edit the selected HTTP rule. See the "Editing an HTTP Rule" section for more information.
Delete button
Click to delete the selected HTTP rule.
Adding an HTTP Rule
Step 1
Step 2
Step 3
Editing an HTTP Rule
Step 1
Step 2
Note
Step 3
Content Switching Module
The Content Switching Module (CSM) integrates advanced Layer 4 through Layer 7 content switching into the Cisco Catalyst 6500 Series Internet router. The CSM provides high-performance, high-availability load balancing while taking advantage of the complete set of Layer 2, Layer 3, and quality-of-service (QoS) features inherent to the platform. The CSM load balances all common IP protocols across firewalls, web servers, caches, and other network devices.
To access the CSM overview page (see Figure 8-2), click Services at the top of the window, click Content from the left-most pane, and then click CSM: Slot X from the selector.
Figure 8-2 CSM Page
Configuring the CSM
From the CSM overview page, you can:
•
•
–
–
•
The following table describes the information provided in the CSM overview page.
Launch CVDM-CSM button
Click to open the CSM Device Manager application.
Descriptor field
Textual identifier of this module.
Model field
Model number of this module.
Slot Number field
Device slot in which this module is located.
Status field
Current status of this module.
Software Version field
Software version of this module.
Hardware Version field
Hardware version of this module.
Firmware Version field
Firmware version of this module.
Serial Number field
Serial number of this module.
SLB Mode field
Current server load balancing (SLB) mode configured for this module.
Note
Number of CSM VLANs field
Number of VLANs configured on this module.
Number of Virtual Servers field
Number of virtual servers active on this module.
Misconfigured VLAN graphic:
Indicates that the VLAN is configured incorrectly on this device.
VLAN ID column
Numerical identifier assigned to a VLAN.
VLAN Name column
Name assigned to a VLAN.
IP Address/Mask column
IP address/mask of a VLAN.
Ports columns
Indicates the ports that belong to a particular VLAN in Access or Trunk mode.
Type column
Indicates whether the VLAN is a client or server VLAN.
Route button
Click to open the Routes dialog box. See the "Configuring Static Routes" section for more information.
Add button
Click to add a VLAN to the module. See the "Adding a CSM VLAN" section for more information.
Edit button
Click to edit the selected VLAN. See the "Editing a CSM VLAN" section for more information.
Delete button
Click to delete the selected VLAN from this module.
CSM VLANs
Adding a CSM VLAN
Step 1
Step 2
Step 3
VLAN ID field
Specify the VLAN you want to add to this module.
Click
•
•
•
VLAN Type list
Specify whether this is a server or client VLAN.
IP Address field
Enter the IP address of the VLAN.
Mask field
Enter the subnet mask to which the IP address specified in the IP Address field belongs. You can either type a value or select one from the list.
Access Ports field
Specify the access ports associated with this VLAN.
Click
Trunk Ports field
Specify the trunk ports associated with this VLAN.
Click
IP Address field
IP address of an alias. This field cannot be edited.
Add button
Click to add an alias IP address. See the "Adding an Alias IP Address" section for more information.
Delete button
Click to delete the selected alias IP address.
IP Address field
IP address of a gateway. This field cannot be edited.
Add button
Click to add a gateway IP address. See the "Adding a Gateway IP Address" section for more information.
Delete button
Click to delete the selected gateway.
Route button
Click to manage the static routes configured on the module. See the "Configuring Static Routes" section for more information.
Editing a CSM VLAN
Step 1
Step 2
Note
Step 3
VLAN ID field
Numerical identifier of the selected VLAN. This field cannot be edited.
VLAN Type field
Specify whether this is a server or client VLAN.
IP Address field
Edit the IP address of the selected VLAN.
Mask field
Edit the subnet mask to which the IP address specified in the IP Address field belongs. You can either type a value or select one from the list.
Access Ports field
Edit the access ports associated with this VLAN.
Click
Trunk Ports field
Edit the trunk ports associated with this VLAN.
Click
IP Address field
IP address of an alias. This field cannot be edited.
Add button
Click to add an alias IP address. See the "Adding an Alias IP Address" section for more information.
Delete button
Click to delete the selected alias IP address.
IP Address field
IP address of a gateway. This field cannot be edited.
Add button
Click to add a gateway IP address. See the "Adding a Gateway IP Address" section for more information.
Delete button
Click to delete the selected gateway.
Route button
Click to manage the static routes configured on the module. See the "Configuring Static Routes" section for more information.
IP Addresses
Adding an Alias IP Address
Step 1
Step 2
•
•
Step 3
Step 4
Adding a Gateway IP Address
Step 1
Step 2
•
•
Step 3
Step 4
Configuring Static Routes
In the Routes dialog box, you can manage the routes configured for the selected VLAN. The following table describes the information provided here.
Destination IP Address column
IP address of the destination network.
Mask column
Subnet mask of the destination network.
Next Hop column
IP address of the next hop.
Add button
Click to add a static route. See the "Adding a Static Route" section for more information.
Delete button
Click to delete the selected route from the VLAN it is associated with.
Adding a Static Route
Step 1
Step 2
Note
Step 3
Step 4
SSL Services Module
The SSL Services Module is an integrated service module that terminates secure sockets layer (SSL) transactions and accelerates the encryption and decryption of data used in SSL sessions.
Configuring the SSL Services Module
You can view information about the SSL Services Module, services running on the SSL Services Module, and VLANs running on the SSL Services Module. Click Services at the top of the window, click SSL in the left-most pane, and select SSL: Slot X from the selector to display the SSL page (see Figure 8-3).
Figure 8-3 SSL Page
If you do not have the proper credentials for the SSL Services Module, CVDM-C6500 does not display the following information:
•
•
For more information on credentials, see Understanding User Credentials.
This page provides the following information:
From this page, you can access functions to do the following:
•
•
•
•
Editing SSL Services Module Information
Step 1
Step 2
Step 3
Host Name field
Enter the name of the host module.
Domain Name field
Name of the domain to which this module belongs.
Selected VLANs field
Select the VLANs that are allowed on the SSL Services Module. Click
VLANs column
Number (ID) of the VLAN.
Allowed check box
Click the check box corresponding to the VLANs that you want to allow on the SSL Services Module.
Step 4
Adding SSL VLANs
Step 1
Step 2
Step 3
VLAN field
Specify the number (ID) of the SSL VLAN. Click
•
•
You can select Clear VLAN to clear the entry.
IP Address field
Enter the IP address of the SSL VLAN.
Mask list
Specify the subnet mask of the SSL VLAN from the list.
Gateway field
Enter the gateway address.
Make Admin VLAN check box
Select to make this VLAN an admin VLAN.
When you configure VLANs on the SSL Services Module, configure one of the VLANs as an admin VLAN. The admin VLAN is used for all management traffic. The system adds the default route through the gateway of the admin VLAN.
Destination IP Address field
Enter the destination IP address for a static route for servers that are one or more Layer 3 hops away from the SSL Services Module.
Destination Netmask list
Select the destination subnet mask for a static route for servers that are one or more Layer 3 hops away from the SSL Services Module.
Next Hop field
Enter the next hop to which to route the packet.
Step 4
Editing SSL VLANs
Step 1
Step 2
Step 3
Step 4
VPN Module
Configuring VPNs using the Virtual Private Network (VPN) Services Module is similar to configuring VPNs on routers running Cisco IOS software. When you configure VPNs with the VPN module, you attach crypto maps to VLANs (using interface VLANs); when you configure VPNs on routers running Cisco IOS software, you configure individual interfaces. CVDM-C6500 allows you to connect interface VLANs and port VLANs via crypto connections.
Configuring the VPN Module
You can view the information about your VPN module. Click Services at the top of the window, click VPN in the left-most pane, and select VPN: Slot X from the selector to display the VPN page (see Figure 8-4).
Figure 8-4 VPN Page
This page provides the following information:
From this page, you can access functions to do the following:
•
•
•
Adding VPN Crypto Connections
Step 1
Step 2
Step 3
Interface VLAN field
Specify the interface VLAN, which is the Layer 3 VLAN that contains only the VPN module inside port.
Before a router can forward the packets using the correct routing table entries, the router needs to know which interface that a packet was received on. For each port VLAN, you need to create another VLAN so that the packets from every switch outside port are presented to the router with the corresponding VLAN number.
Note
You can create a VLAN or select from an available VLAN.
Click
•
•
You can select Clear VLAN to clear the VLAN that is specified in this field.
IP Address field
Enter the IP address of the interface VLAN.
Mask field
Enter the subnet mask of the interface VLAN.
Crypto Map field
Specify the crypto map attached to the interface VLAN.
Click
You can also clear the crypto map entry by clicking
Connection Mode radio button
Specify if you want the outside VLAN attached to an access or trunk port or to a VLAN. You can select the Access/Trunk or Routed Port radio button.
If you select the Access/Trunk radio button, do the following:
•
–
–
You can select Clear VLAN to clear the VLAN that is specified in this field.
•
•
If you select the Routed Port radio button, you must select a routed port. From the Routed Port field, click
Step 4
Select Crypto Dialog Box
Select Routed Ports Dialog Box
Editing VPN Crypto Connections
Step 1
Step 2
Step 3
Interface VLAN field
Number (ID) of the inside VLAN. You cannot edit this field.
IP Address field
Enter the IP address of the inside VLAN.
Mask list
Select the subnet mask of the inside VLAN.
Crypto Map field
Select the crypto map attached to the interface VLAN.
Click
You can clear this entry by clicking
Connection Mode radio button
Specify if you want the outside interface attached to an access or trunk port or to a VLAN. You can select the Access/Trunk or Routed Port radio button.
If you select the Access/Trunk radio button, do the following:
•
–
–
You can select Clear VLAN to clear the VLAN that is specified in this field.
•
•
If you select the Routed Port radio button, you must select a routed port. From the Routed Port field, click
Step 4
Adding VPN VLANs
You can add a VPN VLAN from the Flows page. For more information, see "Service Module Configuration (Services > Flows)."
Step 1
Step 2
Step 3
Step 4
VLAN field
Specify the VPN VLAN.
You can create a VLAN or select from an available VLAN.
Click
•
•
You can select Clear VLAN to clear the entry.
Interface (Inside) radio button
Select this radio button to make the VPN VLAN an interface VLAN; the interface VLAN is a Layer 3 VLAN that contains only the VPN module inside port.
If you select the Interface (Inside) radio button, do the following:
•
•
•
Click
You can click Clear Selection to clear your entry.
•
Port (Outside) radio button
Select this radio button to create the VPN VLAN on the outside port; the outside port handles all traffic going to and coming from the local LAN or outside ports.
Step 5
Editing VPN VLANs
You can modify an interface VLAN from the Flows page. For more information, see "Service Module Configuration (Services > Flows)."
Step 1
Step 2
Step 3
Step 4
Note
VLAN field
Number (ID) of the VPN VLAN.
Interface (Inside) radio button
Specifies that this is VPN VLAN on an interface VLAN; the interface VLAN is a Layer 3 VLAN that contains only the VPN module inside port.
IP Address field
Enter the IP address of the VPN VLAN.
Mask list
Select subnet mask address of the VPN VLAN.
Crypto Map field
Specify the crypto map attached to the interface VLAN.
Click
You can click Clear Selection to clear your entry.
Admin Status list
Select the admin status (up or down) of the VPN VLAN.
Step 5
Network Analysis Module
The Network Analysis Module (NAM) is an interface module installed in the Catalyst 6500 Series switches. The NAM monitors and analyzes network traffic using remote monitoring (RMON), RMON Extensions for Switched Networks (SMON), and other management information bases (MIBs).
The NAM Traffic Analyzer software is embedded in the NAM and gives you browser-based access to the RMON1, RMON2, SMON, DSMON, and voice monitoring features of the NAM. You use this software to troubleshoot and monitor network availability and health.
If you do not provide credentials for the NAM, you will not be able to do the following:
•
•
•
To access the NAM overview page (see Figure 8-5), click Services at the top of the window, click NAM from the left-most pane, and then click NAM: Slot X from the selector.
Figure 8-5 NAM Page
Configuring the Network Analysis Module
From the NAM overview page, you can:
•
•
•
The following table describes the information provided on the NAM overview page.
Setup Wizard button
Click to open the NAM setup wizard.
Launch NAM Traffic Analyzer button
Click to open NAM Traffic Analyzer.
Note
Descriptor field
Textual identifier of the module.
Model field
Model number of the module.
Slot Number field
Device slot in which the module is located.
Status field
Current status of the module.
Software Version field
Software version of the module.
Hardware Version field
Hardware version of the module.
Firmware Version field
Firmware version of the module.
Serial Number field
Serial number of the module.
Host Name field
Name of the host module.
Domain Name field
Name of the domain to which the module belongs.
IP Address field
IP address of the module.
Subnet Mask field
Subnet mask to which the module's IP address belongs.
Default Gateway field
IP address of the default gateway associated with the module.
IP Broadcast field
IP broadcast address of the module.
Name Server(s) field
IP address of the name servers associated with the module.
Edit button field
Click to launch the Edit NAM Service Details dialog box.
Management VLAN field
Indicates the VLAN configured for module access.
HTTP Server field1
Indicates whether the HTTP server is enabled.
HTTP Secure Server field1
Indicates whether the HTTP secure server is enabled.
Note
HTTP Port field
Port used by the HTTP server.
HTTP Secure Port field
Port used by the HTTP secure server.
Telnet field
Indicates whether Telnet access into the module is enabled.
SSH field
Indicates whether SSH access into the module is enabled.
Note
SNMPv1 field
Indicates whether SNMPv1 is enabled.
SNMPv2C field
Indicates whether SNMPv2C is enabled.
Edit button
Click to launch the Edit NAM Access Details dialog box.
Community String field
Name of a community string configured on the module.
Type field
Indicates whether the community string is read-only or read-write.
Add button
Click to launch the Add SNMP Community String dialog box.
Edit button
With a community string selected, click to launch the Edit SNMP Community String dialog box.
Delete button
Click to delete the selected community string.
1 HTTP and secure HTTP cannot be enabled at the same time.
Modifying NAM Service Details
Step 1
Step 2
Step 3
Modifying NAM Access Details
Step 1
Step 2
Step 3
Note
Management VLAN list
Specify the VLAN configured for module access.
Click
•
•
•
HTTP Port field
Enter the port used by the HTTP server.
HTTP Secure Port field
Enter the port used by the HTTP secure server.
HTTP radio button
Select to enable the HTTP server on the module.
Secure HTTP radio button
Select to enable the Secure HTTP server on the module.
Telnet check box
Select to enable Telnet access into the module.
SSH check box
Select to enable SSH access into the module.
Adding SNMP Community Strings
Step 1
Step 2
Step 3
Modifying SNMP Community Strings
Step 1
Step 2
Step 3
Using the NAM Configuration Wizard
In this wizard, you can perform the initial configuration of the NAM. After completing the wizard, you can run the NAM Traffic Analyzer application to perform more advanced configuration of the module. To access the wizard, click Services at the top of the window, click NAM from the left-most pane, and then click Setup Wizard.
The wizard consists of two steps:
1.
2.
Note
Configuring Basic IP Parameters
To configure the basic IP parameters for the NAM, enter the information specified in the following table.
Host Name field
Enter the name of the host module.
Domain Name field
Enter the name of the domain to which this module belongs.
IP Address field1
Enter the IP address of the host module.
Note
Mask list
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
Note
Default Gateway field1
Enter the default gateway for the host module.
IP Broadcast field
Enter the IP broadcast address of the host module.
Name Servers pane
Enter the IP address of the name servers associated with this module.
Note
1 The values specified in these fields must belong to the same subnet.
Configuring Access Parameters
To configure the access parameters for the NAM, enter the information specified in the following table.
Management VLAN list
Specify the VLAN configured for module access.
Click
•
•
•
HTTP Port field
Enter the port used by the HTTP server.
HTTP Secure Port field
Enter the port used by the HTTP secure server.
HTTP radio button
Select to enable the HTTP server on the module.
Secure HTTP radio button
Select to enable the Secure HTTP server on the module.
Web User field1
Enter the login name for the web user.
Password field1
Enter the password for the web user.
Confirm Password field1
Re-enter the password for the web user.
Telnet check box
Select to enable Telnet access into the module.
SSH check box
Select to enable SSH access into the module.
Read Only field
Enter the appropriate read-only community string for the module.
Read Write field
Enter the appropriate read-write community string for the module.
1 This field is available only if a web user has not already been configured and either the HTTP or Secure HTTP radio button is selected.
Wizard Summary
In this dialog box, you can view a summary of the settings entered in the NAM setup wizard. Click Finish to configure the device with these settings.
After completion of the wizard, you can launch NAM Traffic Analyzer by clicking Launch NAM Traffic Analyzer on the NAM overview page. Use this application to make more advanced configuration changes to the module.
Intrusion Detection System Services Module
The Intrusion Detection System Services Module (IDSM) is a switching module that performs network sensing: real-time monitoring of network packets through packet capture and analysis. The IDSM captures network packets, then reassembles and compares this data against a rule set indicating typical intrusion activity. Network traffic is either copied to the IDSM based on security VLAN access control lists (VACLs) in the switch or is routed to the IDSM via the switch's Switched Port Analyzer (SPAN) feature. Both methods allow user-specified traffic based on switch ports, VLANs, or traffic type to be inspected.
If you do not provide credentials for the IDSM, you will not be able to do the following:
•
•
•
To access the IDSM overview page (see Figure 8-6), click Services at the top of the window, click IDS from the left-most pane, and then click IDS: Slot X from the selector.
Figure 8-6 IDS Page
Configuring the Intrusion Detection System Services Module
From the IDSM overview page, you can:
•
•
•
The following table describes the information provided on the IDSM overview page.
Setup Wizard button
Click to open the IDSM setup wizard. See the "Using the IDSM Setup Wizard" section for more information.
Launch IDS DM button
Click to open IDS Device Manager.
Note
Descriptor field
Textual identifier of the module.
Model field
Model number of the module.
Slot Number field
Device slot in which the module is located.
Status field
Current status of the module.
Software Version field
Software version of the module.
Hardware Version field
Hardware version of the module.
Firmware Version field
Firmware version of the module.
Serial Number field
Serial number of the module.
Host Name field
Name of the host module.
IP Address field
IP address of the module.
Subnet Mask field
Subnet mask to which the module's IP address belongs.
Default Gateway field
IP address of the default gateway associated with the module.
Webserver Port field
Web server port configured for the module.
Telnet field
Indicates whether Telnet access is enabled.
SSL field
Indicates whether SSL is enabled.
Management VLAN field
Number of VLANs configured on the module.
Edit button
Click to launch the Edit IDS Service Details dialog box.
IP Address column
IP address of a trusted host/network.
Network Mask column
Subnet mask to which the trusted host/network's IP address belongs.
Add button
Click to launch the Add Trusted Host dialog box.
Delete button
Click to delete the selected trusted host/network.
Modifying IDSM Service Details
Step 1
Step 2
Step 3
Host Name field
Enter the name of the host module.
IP Address field1
Enter the IP address of the module.
Mask list
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
Default Gateway field1
Enter the IP address of the default gateway associated with the module.
Webserver Port field
Enter the web server port for the host module.
Enable Telnet check box
Select to enable Telnet access into the module.
Enable SSL check box
Select to enable SSL access into the module.
1 The values specified in these fields must belong to the same subnet.
Adding Trusted Hosts/Networks
Step 1
Step 2
Step 3
Using the IDSM Setup Wizard
In this wizard, you configure the credentials required to run the IDS Device Manager application. To access the wizard, click Services at the top of the window, click IDS from the left-most pane, and then click Setup Wizard.
The wizard consists of two steps:
1.
2.
Configuring Basic IP Parameters
On this page of the wizard, you configure basic IP parameters for the IDSM. To do so, enter the information specified in the following table.
Host Name field
Enter the name of the host module.
IP Address field1
Enter the IP address of the host module.
Mask list
Enter the subnet mask to which the specified IP address belongs. You can either type a value or select one from the list.
Default Gateway field1
Enter the default gateway for the host module.
Webserver Port field
Enter the web server port for the host module.
Enable Telnet check box
Select to enable Telnet access into the module.
Enable SSL check box
Select to enable SSL access into the module.
1 The values specified in these fields must belong to the same subnet.
Configuring Host Access
On this page of the wizard, you configure host access into the IDSM. To do so, enter the information specified in the following table.
Enable HTTP Access to this host with IP address <IP address> check box
Select to allow access to this host.
Wizard Summary
In this dialog box, you can view a summary of the settings entered in the IDSM setup wizard. Click Finish to configure the device with these settings.
After completion of the wizard, you can launch IDS Device Manager by clicking Launch IDS DM on the module's overview page. Use this application to make more advanced configuration changes to the module.
