Table Of Contents
Bootstrapping Devices to Operate with AUS
Bootstrapping Security Appliances
Bootstrapping CNS Devices
Changing the Default CNS Bootstrap Password in AUS

Bootstrapping Devices to Operate with AUS
To enable communication between AUS and devices, you must configure transport settings on the devices before you add them to AUS or to the Security Manager inventory. Configure each device according to the functionality you need:
• Bootstrapping Security Appliances
• Bootstrapping CNS Devices
Bootstrapping Security Appliances
Before you can manage a PIX security appliance or an ASA device using AUS, you must set up the PIX security appliance or ASA device with a minimum configuration that provides basic connectivity. See User Guide for Cisco Security Manager 3.0 for details about setting up basic connectivity.
In addition to basic connectivity, you need to configure some settings specific to AUS. The following procedures describe how to configure and verify these settings using the PIX security appliance or ASA device command line interface.
Note
You can also use the PIX Firewall Device Manager (PDM) Setup wizard to configure a PIX security appliance running PIX security appliance software version 6.3. See the PDM documentation for more information. Use the Adaptive Security Device Manager (ASDM) Startup Wizard to configure a PIX security appliance running PIX security appliance software version 7.0 or an ASA device. See the ASA and ASDM documentation for more information.
To bootstrap a PIX security appliance or an ASA device to operate with AUS, follow these steps from the console terminal connected to the PIX security appliance or ASA device console port:
Step 1
Command: enable password
Purpose: Enters privileged mode, from which you can configure the PIX security appliance or ASA device.

Step 2
Command: config terminal
Purpose: Enters configuration mode from the terminal.

Step 3
Command: http server enable
Purpose: Enables the PIX security appliance or ASA device to be monitored, or to have its configuration modified, from a browser.

Step 4
Command: http ip_address [netmask] [if_name]
Purpose: Specifies the host or network authorized to initiate an HTTP connection to the PIX security appliance or ASA device.
• ip_address—IP address of the host or network authorized to initiate an HTTP connection to the PIX security appliance or ASA device.
• netmask—Network mask for the http ip_address.
• if_name—PIX security appliance or ASA interface name on which the host or network initiating the HTTP connection resides.
Note This setting must be configured for the Auto Update Immediate feature to work.

Step 5
Command: auto-update server https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet
Purpose: Connects the device to AUS.
• username—Login name used to enter the CiscoWorks2000 Server.
• password—Password used to enter the CiscoWorks2000 Server.
• AUSserver_IP_address—IP address of the AUS server.
• port—Port number of the AUS server. The number is typically 443.

Step 6
Command: auto-update poll-period poll_period [retry_count] [retry_period]
Purpose: Changes the polling period for AUS.
• poll_period—Period in minutes between poll updates. Default is 720 minutes (12 hours).
• retry_count—(Optional) Number of times to retry if unable to connect to the server. Default is 0.
• retry_period—(Optional) Time, in minutes, between retries. Default is 5.

Step 7
Command: auto-update device-id {hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text}
Purpose: Configures the device to use the specified device ID to identify itself.
• if_name—The interface name.
• text—Text that identifies the device.
Because a PIX security appliance or an ASA device might have more than one interface, the assigned device ID could be the IP address or MAC address of one of the interfaces.
In the following example, "outside" is the name of the outside interface and the device ID is the IP address of that interface:
auto-update device-id ipaddress outside

Step 8
Command: http ip_address [netmask] [if_name]
Purpose: (Optional) Use this command if you plan to use the Launch Device Manager feature and want to limit HTTP access to the device for security purposes. Enter this command once for each host you want to allow HTTP access.
• ip_address—The host or network authorized to initiate an HTTP connection to the PIX security appliance or ASA device.
• netmask—The network mask for the http ip_address.
• if_name—PIX security appliance or ASA device interface name on which the host or network initiating the HTTP connection resides.
In the following example, the host with IP address 10.10.10.10 is permitted access to the device's web server through the outside interface:
http 10.10.10.10 255.255.255.255 outside
Caution We do not recommend that you configure the device with http 0.0.0.0 0.0.0.0 outside. That entry allows any external host to connect to your device through the web server.

Step 9
Command: write memory
Purpose: Stores the current configuration in Flash memory.

Step 10
Command: show auto-update
Purpose: Shows the AUS URL, poll period, timeout, and device ID. Make sure that the settings match those you entered; if necessary, correct them.

Step 11
Command: exit
Purpose: Exits configuration mode.
Bootstrapping CNS Devices
To use AUS and the CNS Event Gateway feature with Security Manager, you must enable and configure CNS services on the CNS devices. Use the command line interface from a console terminal connected to the device console port. The following table describes the tasks to complete before you use CNS as the transport protocol for device management on Cisco IOS routers.
Note
For Cisco IOS routers configured with dynamic IP addresses and associated with the CNS gateway protocol running on AUS, you must configure CNS in event-bus mode on the routers. See User Guide for Cisco Security Manager 3.0 for details about setting up basic connectivity.
Step 1
Command: enable password
Purpose: Enters privileged mode, from which you can configure the device.

Step 2
Command: config terminal
Purpose: Enters configuration mode from the terminal.

Step 3
Command: cns config partial ip-address
Purpose: Enables the config agent on the device so that AUS receives the connect and disconnect messages it needs.
• ip-address—IP address of AUS.

Step 4
Command: cns event ip-address [port-number] [keepalive seconds retry-count]
Purpose: Configures the device to communicate with the event gateway.
• ip-address—IP address of AUS.
• port-number—Port number the device uses to subscribe to the correct events. Use the default, 11011, with no encryption.
• seconds—Keepalive timeout. Default is 0.
• retry-count—Number of retries. Default is 0.

Step 5
Command: cns exec [port-number]
Purpose: Enables and configures the CNS execute agent. The default port number is 80.

Step 6
Command: cns id type number {dns-reverse | ipaddress | mac-address} [event]
or
cns id {hardware-serial | hostname | string string} [event]
Purpose: The default (hostname) is recommended for use with AUS. However, you can change the unique event ID to something other than the default.
The first command sets the unique event ID to the IP address or MAC address.
• type number—Type of interface (for example, Ethernet, group-async, loopback, or virtual-template) and the interface number. Indicates the interface from which the IP or MAC address is retrieved to define the unique ID.
• dns-reverse—(Optional) Uses DNS reverse lookup to retrieve the hostname and assign it as the unique ID.
• ipaddress—(Optional) Uses the IP address of the interface given in the type number arguments as the unique ID.
• mac-address—(Optional) Uses the MAC address of the interface given in the type number arguments as the unique ID.
• event—Sets this ID to be the event ID value, which identifies the router for CNS event services. If omitted, the ID becomes the config ID value, which identifies the router for CNS configuration services.
The second command sets the unique event ID to the hardware serial number, the hostname, or a string.
• hardware-serial—(Optional) Uses the hardware serial number as the unique ID.
• hostname—(Optional) Uses the hostname as the unique ID. This is the system default.
• string string—(Optional) Uses an arbitrary text string, typically the hostname, as the unique ID.
• event—Sets this ID to be the event ID value, which identifies the router for CNS event services. If omitted, the ID becomes the config ID value, which identifies the router for CNS configuration services.

Step 7
Command: cns password <password>
Purpose: Sets the CNS password.
• <password>—The password you want to set on the router.
You can set the CNS password to callhome (the default bootstrap password in AUS) or you can set a different password.
If you set a different password on the router, you must change the default CNS bootstrap password in AUS. For instructions, see Changing the Default CNS Bootstrap Password in AUS.
Note For information on how to authenticate a Cisco IOS router on a Configuration Engine, see the Cisco CNS Configuration Engine Administrator Guide.

Step 8
Command: write memory
Purpose: Stores the current configuration in Flash memory.

Step 9
Command: show cns event connections
Purpose: Displays the status of the event agent connection, such as whether it is connecting to the gateway, connected, or active. Also displays the gateway used by the event agent, with its IP address and port number.

Step 10
Command: exit
Purpose: Exits configuration mode.
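As an added example (not part of the Cisco guide), a small Python checker that walks a saved bootstrap fragment from either of the two tables above and flags the points the steps call out: the any-host http entry from the Step 8 Caution, an auto-update server URL that does not use https, a device ID that was never set, and a CNS password left at the callhome default. The sample fragments are constructed, and the checker and its message strings are hypothetical.

```python
from urllib.parse import urlsplit
# Constructed sample fragments (not captured from real devices). The ASA one contains
# the "http 0.0.0.0 0.0.0.0 outside" entry the Step 8 Caution warns against and an
# AUS URL without TLS; the IOS one still carries the default CNS bootstrap password.
ASA_BOOTSTRAP = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
auto-update server http://admin:secret@192.0.2.10:443/autoupdate/AutoUpdateServlet
auto-update poll-period 720 0 5
"""
IOS_BOOTSTRAP = """\
cns config partial 192.0.2.10
cns event 192.0.2.10 11011
cns password callhome
"""
AUS_PATH = "/autoupdate/AutoUpdateServlet"

def lint_bootstrap(config: str) -> list[str]:
    """Return findings for an AUS (PIX/ASA) or CNS (Cisco IOS) bootstrap fragment."""
    findings, seen = [], set()
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        seen.add(" ".join(w[:2]))  # remember which commands appeared, e.g. "cns password"
        # Step 8 Caution: an http entry of 0.0.0.0 0.0.0.0 admits any host to the web server.
        if w[0] == "http" and w[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"http access open to any host: {line}")
        elif w[:2] == ["auto-update", "server"] and len(w) > 2:
            url = urlsplit(w[2])
            if url.scheme != "https":  # the URL carries the CiscoWorks login, so it needs TLS
                findings.append("auto-update server URL is not https")
            if url.path != AUS_PATH:
                findings.append(f"auto-update server path is not {AUS_PATH}")
        elif w[:2] == ["cns", "password"] and w[2:3] == ["callhome"]:
            findings.append("cns password is still the default bootstrap password")
    if "auto-update server" in seen:
        if "http server" not in seen:
            findings.append("http server enable missing (Step 3)")
        if "auto-update device-id" not in seen:
            findings.append("auto-update device-id not set explicitly (Step 7)")
    if "cns event" in seen and "cns password" not in seen:
        findings.append("cns password not set (Step 7 of the CNS table)")
    return findings

if __name__ == "__main__":
    for name, cfg in (("ASA", ASA_BOOTSTRAP), ("IOS", IOS_BOOTSTRAP)):
        print(name, lint_bootstrap(cfg) or ["no findings"])
```

Run it against the output of show running-config after Step 9 of either table; an empty list means none of the checked settings deviate from what the tables prescribe.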
Changing the Default CNS Bootstrap Password in AUS
The default CNS bootstrap password configured in an AUS is callhome. If you changed the CNS password on a Cisco IOS router, you must also change the default CNS bootstrap password in the AUS. This procedure describes how to do so.
Step 1
Open the Windows command prompt on the machine where you installed AUS.
Step 2
Enter set NMSROOT=<dir>.
where <dir> is the directory where you installed AUS. For example, set NMSROOT=C:\Progra~1\CSCOpx.
Step 3
Enter cd %NMSROOT%\MDC\autoupdate\bin\eventgateway.
Step 4
Enter cnspassword <password>.
where <password> is the password you set on the device.
Step 5
Restart the Daemon Manager if it is running.