User Guide for Cisco Security Manager 3.0.2
Index

Numerics

3DES encryption algorithm

in IKE proposals 9-60

802.1x

802.1x Policy page C-546

configuring on Cisco IOS routers 12-59

defining policies 12-64

interface authorization states 12-61

supported topologies 12-62

understanding device roles 12-60

A

AAA

accounting 10-1

authorization 10-1

configuring on firewall devices 13-30

local fallback 13-33

support 13-32

user authentication 10-1

AAA authentication groups

predefined 8-7

AAA Firewall page C-784

AAA Mode Setup page 2-2

AAA rules

AAA Rules page C-710

Add AAA Rules dialog box C-713

adding 11-88

AuthProxy dialog box C-730

configuring settings

for AAA (IOS) 11-104

for AAA firewall (PIX/ASA) 11-99

copying 11-96

cutting 11-96

deleting 11-98

disabling 11-94

Edit AAA Option dialog box C-728

Edit AAA Rules dialog box C-713

Edit AAA Server Group dialog box C-731

Edit Category dialog box C-733

Edit Description dialog box C-732

Edit Destinations dialog box C-720

editing 11-91

Edit Interface dialog box C-726

Edit Service dialog box C-691, C-723

Edit Sources dialog box C-718

enabling 11-94

finding usage 11-95

generating usage reports 11-95

MAC exempt address lists

adding 11-101

deleting 11-103

editing 11-102

using 11-101

moving down 11-97

moving up 11-97

pasting 11-96

Show Destination dialog box C-722

Show Interface Contents dialog box C-727

Show Service Contents dialog box C-725

Show Source Contents dialog box C-719

understanding 11-86

AAA Rules page C-710

AAA server group objects

AAA Server Group dialog box C-36

AAA Server Groups page C-35

creating 8-9

deleting 8-18

duplicating 8-12

editing 8-13

generating usage reports for 8-17

managing overrides 8-16

override page in Device Properties A-55

override page in Policy Object Manager C-207

predefined authentication groups 8-7

understanding 8-6

viewing details 8-15

AAA Server Groups Override page A-55

AAA server objects

AAA Server dialog box C-42

AAA Servers page C-40

creating 8-24

deleting 8-30

duplicating 8-26

editing 8-27

generating usage reports for 8-29

supported types 8-21

understanding 8-19

viewing details 8-28

AAA servers

external servers 10-1

supported types on ASA devices 8-22

table of services on ASA devices 8-23

Abort Deployment Job dialog box H-27

ABR

definition of 13-93

access control list objects

creating 8-35

deleting 8-42

duplicating 8-41

editing 8-40

Extended IP ACL tab C-51

Add Extended Access Control Entry dialog box C-56

Add Extended Access List page C-52

Edit Extended Access Control Entry dialog box C-56

Edit Extended Access List page C-52

extended objects 8-35

generating usage reports for 8-44

Standard IP ACL tab C-59

Add Standard Access Control Entry dialog box C-62

Add Standard Access List page C-60

Edit Standard Access Control Entry dialog box C-62

Edit Standard Access List page C-60

standard objects 8-38

understanding 8-32

viewing details 8-45

Access Control page C-776

access controls

access list compilation

enabling 11-59

object group search

enabling 11-54

per user downloadable ACLs (PIX/ASA/FWSM)

enabling 11-57

understanding settings 11-53

Access Group tab

description 13-87, C-394

access list compilation

enabling 11-59

understanding 11-58

access permissions

maps 4-3

access ports in DM 6500/7600

configuring 14-49

editing 14-49

restarting 14-49

access rules

Access Rules page C-637

Adaptive Security Algorithm (ASA) and 11-12

Add Firewall Rule dialog box C-641

adding 11-16

Advanced dialog box C-646

ASA, and 11-13

copying 11-25

cutting 11-25

deleting 11-28

disabling 11-24

Edit Category dialog box C-662

Edit Description dialog box C-661

Edit Destinations dialog box C-651

Edit Firewall Option dialog box C-656

Edit Firewall Rule dialog box C-641

editing 11-20

Edit Interface dialog box C-658, C-693

Edit Service dialog box C-654

Edit Sources dialog box C-649

enabling 11-24

FWSM, and 11-13

IOS router, and 11-14

logging events for an ACE 11-15

moving down 11-27

moving up 11-27

pasting 11-25

PIX Firewalls, and 11-13

recognizing on devices 11-12

Show Destination Contents dialog box C-653

Show Interface Contents dialog box C-660

Show Service Contents dialog box C-656

Show Source Contents dialog box C-650

understanding 11-10, 11-13, 11-14

Access Rules page C-637

accounting

configuring on firewall devices 13-30

ACL names

conflicts and resolutions 11-8

generating 11-4

identifying original 11-9

naming conventions 11-4

notes 11-9

preserving user-defined 11-6

Active/Active failover

about 13-56

command replication 13-57

configuration synchronization 13-57

Active/Standby failover 13-56

activities

accessing functions 7-9

Activity Details tab G-5

Activity Manager window G-1

Activity Required (Create Activity) dialog box G-15

Activity Required (Create or Open Activity) dialog box G-18

and locking 7-4

Approve Activity dialog box G-9

Approved state 7-6

approving 7-3, 7-16

benefits of 7-3

Change Report window G-16

closing 7-12

Create Activity dialog box G-7

creating 7-11

Devices tab G-14

Discard Activity dialog box G-11

discarding 7-18

Edit state 7-5

Errors tab G-12

History tab G-6

managing 7-1

multiple users 7-5

Openable Activities dialog box G-19

opening 7-12

Reject Activity dialog box G-10

Rejected state 7-6

rejecting 7-16

Submit Activity dialog box G-8

Submitted state 7-6

understanding 7-2

validating 7-13

Validation dialog box G-12

viewing details 7-19

viewing historical data 7-19

working with 7-9

Activities menu 3-12

Activity Details tab G-5

Activity Manager window G-1

Activity Required (Create Activity) dialog box G-15

Activity Required (Create or Open Activity) dialog box G-18

activity states 7-5, G-4

Adaptive Security Appliances

see ASA devices

Add/Edit IGMP Join Group dialog box

description 13-88

Add/Edit IGMP Static Group dialog box

description 13-88

Add/Edit Multicast Route dialog box

description C-401

Add AAA Rules dialog box C-713

Add Certificate dialog box F-12

Add Client Access Rules dialog box C-73

Add Country Network Codes dialog box C-102

Add Device from Config File wizard A-25

Device Grouping page A-24

Device Information page - Config File A-25

Add Device from DCR wizard A-40

Device Grouping page A-24

Device Information page - DCR A-40

Add Device from Network wizard A-7

Device Credentials page A-14

Device Grouping page A-24

Device Information page - Network A-8

Add Devices to Groups page A-71

Add Extended Access Control Entry dialog box C-56

Add Firewall Rule dialog box C-641

Add FTP Map dialog box C-96

Add Groups dialog box A-72

Add GTP Map dialog box C-100

Add Link dialog box D-23

Add Map Object and Node Properties dialog boxes D-24

Add New Device wizard A-29

Device Credentials page A-14

Device Grouping page A-24

Device Information page - New Device A-29

Add Other Devices dialog box H-22

Add Permit Response dialog box C-103

address pools 13-20

Add Standard Access Control Entry dialog box C-62

Add Standard Access List page C-60

Add TCP Map dialog box C-165

Add Traffic Flow dialog box C-176

Add Transparent Firewall Rule dialog box C-767

admin context

overview 13-103

administration

See settings

selecting policies to manage 6-44

Advanced dialog box

access rules C-646

AES encryption algorithm

in IKE proposals 9-61

in VPN SPA 9-33

Analysis C-802

analysis reports

generating 11-40

understanding 11-38

Analysis Reports page C-802

anti-spoofing 13-97

appended CLI commands 16-2, 16-3

Approve Activity dialog box G-9

Approve Deployment Job dialog box H-24

Approved state 7-6

approvers 2-13

area border router 13-93

ARP table

static entry C-273, C-275

ASA

FlexConfig object samples 16-7

ASA devices

AAA support 8-22

table of AAA services 8-23

use of Kerberos 8-22

use of LDAP servers 8-22

use of NT servers 8-22

use of SDI servers 8-22

see also PIX/ASA/FWSM Platform policies

ASA user group objects

ASA User Groups page C-64

Client Configuration tab 8-54, C-74

Client Firewall Attributes tab 8-57, C-77

creating 8-47

deleting 8-64

duplicating 8-63

editing 8-62

General tab 8-50, C-68

generating usage reports for 8-65

Hardware Client Attributes tab C-81

Hardware Client tab 8-61

Identity tab 8-49, C-66

IPSec tab 8-53, C-70

Add Client Access Rules dialog box C-73

Edit Client Access Rules dialog box C-73

understanding 8-45

viewing details 8-67

ASA User Groups page C-64

ASBR

definition of 13-93

ASDM

version C-483

assignment overview 1-11

Assignments tab C-26

Assign Shared Policy dialog box C-3

audit log entries

purging 17-9

audit logs

archiving 2-61

understanding 2-61

Audit Logs Settings page F-16

Audit Message Details dialog box E-8

Audit Report page E-6

audit reports

examples for defining 17-7

generating 17-7

understanding 17-6

AUS

setting up 5-12

authentication

configuring on firewall devices 13-30

authentication methods

in IKE proposals 9-62

preshared keys 9-62

RSA signatures 9-62

authorization

configuring on firewall devices 13-30

AuthProxy dialog box

AAA rules C-730

AuthProxy General tab (IOS) C-788, C-790

AuthProxy page C-787

autolink

omitting reserved networks from maps F-2

Auto Update Server (AUS) 15-26

licensing 2-59

Auto Update Server Properties dialog box A-12

Auto Update Servers

using to deploy to ASA devices 15-12

using to deploy to PIX firewalls 15-12

Auto Update Servers (AUS)

adding 5-65

configuring AUS settings on firewall devices 13-62

editing 5-69

understanding 5-64

Available Auto Update Servers dialog box A-13

Available CNS-Configuration Engines dialog box A-38

Available Servers dialog box A-36

B

background image, map

deleting 4-15

importing 4-13

overview 4-13

scale and position 4-15

setting 4-14

backups

understanding 17-17

using Common Services 17-17

bandwidth C-484

banners

Banner page C-289

configuring on firewall devices 13-36

benefits of product 1-3

BGP routing

BGP Routing Policy page C-586

configuring on Cisco IOS routers 12-115

defining routes 12-116

Neighbors dialog box C-589

redistributing routes 12-119

Redistribution Mapping dialog box C-591

Redistribution tab C-590

Setup tab C-587

boot image and configuration settings

configuring on firewall devices 13-38

bridging

PIX/ASA/FWSM

Add/Edit ARP Inspection dialog box C-277

Add/Edit ARP Table Entry dialog box C-275

Add/Edit MAC Learning dialog box C-281

Add/Edit MAC Table Entry dialog box C-280

ARP Inspection page C-276

ARP Table page C-273

configuring on 13-27

MAC Address Table page C-278

MAC Learning page C-280

Management IP page C-282

buttons

main toolbar 15-32

C

CA server authentication methods

SCEP (Simple Certificate Enrollment Protocol) 9-81

Catalyst 6500/7600 Device Manager (DM 6500/7600)

action buttons 14-14

basic concepts 14-1

desktop 14-10

features 14-3

navigating in 14-4

opening 14-4

preferences 14-16

quick reference 14-18

selector, understanding 14-13

starting 14-4

Catalyst 6500/7600 Device Manager (DM 6500/7600) wizards

Firewall-Inside setup 14-133

Firewall-Outside setup 14-142

Port 14-37

VLAN 14-89

Catalyst 6500/7600 Device Manager access window

opening from Tools menu E-5

Catalyst 6500/7600 devices

configuring FWSM on 9-38

configuring VPNSM on 9-31

configuring VPN SPA on 9-33

Catalyst 6500/7600 switches

including in deployment jobs H-5

Catalyst 6500 switches

deployment 15-34

VLANs 15-37, 15-47

Catalyst VPN Services Module (VPNSM)

configuring a VPN interface 9-31

configuring in remote access VPNs 10-11

defining settings (site-to-site VPN) B-21

VPNSM/VPN SPA Settings dialog box C-846

VPNSM blade 9-31

Catalyst VPN Shared Port Adapter (VPN SPA)

adding location information during Catalyst 6500/7600 discovery 5-42

configuring a VPN SPA blade 9-33

configuring in remote access VPNs 10-11

defining settings (site-to-site VPN) B-21

dialog box for entering VPN SPA locations during discovery A-19

VPNSM/VPN SPA Settings dialog box C-846

VPN SPA blade 9-33

VPN SPA Slots dialog box A-21

VPN SPA Slot Selector A-22

categories

editing 8-69

understanding 8-68

category objects

Categories page C-84

Category Editor dialog box C-85

certificate authentication

procedure 2-55

certificates, device

Add Certificate dialog box F-12

adding manually 2-55

settings for authentication F-10

Certification Authority (CA) servers

naming guidelines 8-157

Change Report window G-16

checklist for getting started 1-13

Choose Files dialog box A-28

Cisco Adaptive Security Appliances

see ASA devices

Cisco Discovery Protocol (CDP) settings, configuring in DM6500/7600 14-24

Cisco Express Forwarding (CEF)

importance for QoS 12-86

Cisco IOS

banners, configuring in DM6500/7600 14-26

FlexConfig object samples 16-9

Cisco IOS devices

selecting transport protocols 2-53

Cisco IOS routers

available interface types 12-6

configuring 802.1x 12-59

configuring BGP routing 12-115

configuring device access 12-26

configuring DHCP 12-43

configuring dialer interfaces 12-29

configuring EIGRP routing 12-120

configuring host and domain names 12-34

configuring interfaces 12-2

configuring logging 12-79

configuring NAC 12-68

configuring NAT 12-10

configuring NTP 12-51

configuring OSPF routing 12-129

configuring platform policies 12-1

configuring QoS 12-85

configuring RIP routing 12-148

configuring SDP 12-35

configuring SNMP 12-54

configuring static routing 12-154

deleting interfaces 12-9

generating interface names 12-8

managing 12-1

Cisco Networking Services (CNS) 15-28

Cisco Networking System (CSN)

using to deploy to IOS routers 15-13

Cisco PIX firewalls

see PIX/ASA/FWSM Platform policies

Cisco Secure Access Control Server (ACS)

adding users 2-24

associating user roles and permissions 2-18

customizing user roles 2-17

default roles 2-16

integrating with Security Manager 2-20, 2-66

integration checklist 2-22

integration requirements 2-21

performing integration 2-23

performing integration in CiscoWorks 2-31

registering Security Manager 2-35

understanding user permissions 2-2

Cisco Secure Access Control Server (ACS) integration

adding managed devices 2-38

adding system administrator 2-24

checklist of tasks 2-22

configuring CiscoWorks AAA mode 2-34

configuring NDGs 2-38

creating administration control user 2-30

creating local users in CiscoWorks 2-32

customizing user roles 2-17

defining system identity user 2-33

list of ACS procedures 2-23

list of CiscoWorks procedures 2-31

list of requirements 2-21

restarting Daemon Manager 2-35

Cisco Secure Access Control Server (ACS) user interface

Add Administrator page 2-30

Administration Control page 2-30

Group Setup page 2-39

New Network Device page 2-29

Shared Components page 2-17

User Setup page 2-24

Cisco Security Management Suite server

exiting 3-2

logging in to 3-2

Cisco Trust Agent (CTA) 12-69

CiscoWorks Common Services

assigning roles to users 2-14

associating user roles and permissions 2-18

available user roles 2-13

backing up Security Manager with 17-17

configuring AAA mode 2-34

creating local user for Cisco Secure ACS 2-32

defining system identity user 2-33

exiting 3-2

logging in to 3-2

performing integration for Cisco Secure ACS 2-31

registering Security Manager with Cisco Secure ACS 2-35

understanding user permissions 2-2

CiscoWorks Common Services user interface

AAA Setup Mode page 2-34

Local User Setup page 2-32

System Identity Setup page 2-33

Class-Based Policing 12-93

CLI commands

appended commands 16-2, 16-3

in FlexConfigs 16-2

prepended 16-2

Client Configuration tab

ASA user group objects C-74

client connection characteristics

Client Connection Characteristics page B-88

configuring policies for Easy VPN 9-110

Client Firewall Attributes tab

ASA user group objects C-77

clock

configuring on firewall devices 13-39

cluster load balancing

configuring 10-16

PIX7.0/ASA Cluster Load Balance page C-867

understanding 10-15

CNS

setting up 5-15

CNS-Configuration Engine Properties dialog box A-37

commands

Activities menu 3-12

Edit menu 3-7

Edit menu, table commands 3-22

File menu 3-6

Help menu 3-12

Map menu 3-9, D-8

Policy menu 3-9

Tools menu 3-11

View menu 3-8

Common Services

licensing 2-59

Common Services backup

of Security Manager 17-17

config files

adding devices from 5-44

Device Grouping page 5-40

Device Information page 5-47

configuration

frequently asked questions 15-17

Configuration Archive

New Configuration Version dialog box E-14

rolling back to archived configuration files 17-14

settings 2-46

toolbar, customizing 17-11

transcripts, understanding 17-12

version viewer E-12

viewing configuration files 17-12

viewing transcripts 17-12

window E-10

Configuration Archive Settings page F-3

Configuration Engines

adding 5-65

editing 5-69

understanding 5-64

configuration files

deploying in non-Workflow mode 15-34

deploying in Workflow mode 15-36

previewing 15-38

redeploying to devices 15-40

rolling back to archived configurations 17-14

rolling back to devices 15-43

selecting 3-24

understanding factory-default configurations 13-2

viewing 17-12

configuration views 1-8

Configure DNS dialog box

inspection rules C-699

Configure ESMTP dialog box

inspection rules C-702

Configure Fragments dialog box

inspection rules C-703

Configure IMAP dialog box

inspection rules C-705

Configure POP3 dialog box

inspection rules C-706

Configure RPC dialog box

inspection rules C-707

Configure SMTP dialog box

inspection rules C-700

connection

server status 3-3

connections per second C-484

console timeout settings

configuring on firewall devices 13-43

contact credentials

configuring on firewall devices 13-41

contained modules

show 17-5

Contents pane A-7

context mode

viewing C-483

contexts

see security contexts

control plane (CP)

defining QoS on 12-103

policing on 12-98

Control Plane Policing 12-98

Copy Policies wizard

Copy Policies from this Device page C-5

Copy Policies to these Devices page C-6

Select Policies to Copy page C-7

understanding C-4

core network connections, configuring for MSFC in DM6500/7600 14-134

CPU usage C-484

Create a Clone page A-46

Create Activity dialog box G-7

Create a Job dialog box H-12

Create a Policy dialog box C-27

Create Discovery Task dialog box C-15

Create Filter dialog box A-3

Policy view C-24

Create Overrides for Device dialog box C-216

Create Text Object dialog box C-91

Create VLAN dialog box 14-44

Create VPN Topology wizard B-8

Credentials page A-51

crypto maps

dynamic 9-67

in IPSec proposals 9-67

static 9-67

Customize Desktop Settings page F-4

Custom Protocol dialog box

inspection rules C-701

D

Daemon Manager

restarting after Cisco Secure ACS integration 2-35

job status

Scheduled to run at 15-9

DCS properties file

defining SSH settings by editing 2-54

dead-peer detection (DPD) 9-70

Delete Map dialog box D-16

Deploy Job dialog box H-26

deployment

Abort Deployment Job dialog box H-27

Add Other Devices dialog box H-22

Approve Deployment Job dialog box H-24

clearing XLATE on 13-102

configurations 15-34

Create a Job dialog box H-12

Deploy Job dialog box H-26

Deployment Rollback dialog box H-28

Details tab H-34

Discard Deployment Job dialog box H-25

Edit Deploy Method dialog box H-17

Edit Selected Deployment Method dialog box H-18

frequently asked questions 15-17

History tab H-35

managing 15-1

maximum number of devices 15-23

non-Workflow mode 15-3

Deploy Saved Changes dialog box H-3

Preview Config dialog box H-20

Preview Messages dialog box H-19

Redeploy a Job dialog box H-31

Reject Deployment Job dialog box H-23

Rollback Confirmation dialog box H-30

Submit Deployment Job dialog box H-22

Summary tab H-33

to devices

OS version mismatches 15-14

understanding 15-11

to files 15-13

understanding 15-1

using a Cisco Networking Services (CNS) server 15-28

using an Auto Update Server (AUS) 15-26

using a Token Management Server (TMS) 15-24

viewing status information 15-33

Warning - Partial VPN Deployment dialog box H-16

Workflow mode 15-5

Create a Job dialog box H-12

Deployment Manager window H-10

dialog boxes H-10

tasks 15-46

windows H-10

working with 15-31

deployment device details 15-45

deployment errors

OS version mismatches 15-14

deployment job approval 15-9

deployment job changes 15-10

deployment job history 15-53

deployment jobs

aborting 15-42

approving 15-51

benefits of 15-2

creating 15-46

discarding 15-52

including devices in 15-10

multiple users and 15-10

opening 15-49

rejecting 15-51

submitting 15-50

deployment job states

non-Workflow mode 15-4

Workflow mode 15-8

Deployment Manager window

Details tab H-34

History tab H-35

Summary tab H-33

Deployment Manager window in non-Workflow mode H-2

Deployment Manager window in Workflow mode H-10

deployment methods

changing 15-40

understanding 15-11

Deployment Rollback dialog box H-28

Deployment Settings page F-5

Deployment Status Details dialog box H-6

refreshing 15-40

viewing 15-33

deployment summary 15-45

deployment taskflow

in Workflow mode 15-5

non-Workflow mode 15-3

deployment transport protocols

for ASA devices 15-12

for Catalyst 6500/7600 devices 15-12

for IOS routers 15-12

for PIX firewalls 15-12

Deploy Saved Changes dialog box H-3

DES encryption algorithm

in IKE proposals 9-60

device access

Cisco IOS routers

configuring on 12-26

configuring on firewall devices 13-42

device access policies

defining 12-26

device administration policies

configuring on firewall devices 13-29

device certificates

Add Certificate dialog box F-12

adding manually 2-55

settings for authentication F-10

device credentials

naming guidelines 5-73

understanding 5-71

validation error messages 5-74

Device Credentials page A-14

Device Credentials Repository (DCR)

adding devices from 5-59

Device Grouping page 5-40

Device Information page 5-62

Device Delete Validation Details dialog box A-45

Device Grouping page A-24

device grouping shortcut menu options A-69

device groups

working with 2-56

Device Groups page A-53, F-13

Device Information page - Config File A-25

Choose Files dialog box A-28

Device Information page - DCR A-40

Device Information page - Network A-8

Device Information page - New Device A-29

device policies shortcut menu options A-67

Device Properties

Credentials page A-51

Device Groups page A-53

General page A-48

Policy Object Override pages

AAA Server Groups Override page A-55

general reference A-54

Interface Roles Override page A-56

Networks/Hosts Override page A-57

PKI Enrollments Override page A-58

Port Lists Override page A-60

Service Groups Override page A-63

Services Override page A-61

Text Objects Override page A-64

device properties

defining 5-77

editing 5-79

understanding 5-75

viewing 5-80

Device Properties page

creating object overrides 8-252

deleting overrides 8-255

understanding A-47

devices

adding from configuration file 5-44

adding from DCR 5-59

adding from network 5-32

adding new 5-49

assigning shared policies 6-28

choosing add method 5-30

configuring local policies 6-17

copying policies between 6-19

copying shared policies 6-30

creating policy object overrides 8-252

deleting from inventory 5-83

deleting policy object overrides 8-255

deploying to dynamically addressed 15-12

deploying to 15-13

deployment to 15-11

discovering policies 6-5

discovering policies on existing devices 6-6

including in jobs 15-10, H-5, H-14

managing 5-1

maps

adding existing managed 4-18

adding new managed 4-18

displaying devices from Device View 4-20

displaying managed 4-17

showing containment for Catalyst switches, ASA, PIX devices 4-19

modifying policy assignment 6-34

modifying shared policies 6-33

policy status icons 6-18

preparing 5-2

redeploying configuration files to 15-40

renaming policies 6-32

replacing policies 6-28

rolling back configuration files to 15-43

sharing multiple policies 6-25

unassigning policies 6-21

unsharing policies 6-27

working with communication settings UI 2-52

Device selector A-2

device selector

filtering 5-27

device shortcut menu options A-65

Devices page A-2

Devices tab G-14

Devices User Interface Reference A-1

Device view

assigning shared policies 6-28

configuring local policies 6-17

copying policies between devices 6-19

copying shared policies 6-30

editing site-to-site VPN policies in 9-57

managing policies 6-16

managing VPN devices in 9-54

modifying policy assignments 6-34

modifying shared policies 6-33

overview 1-8

policy status icons 6-18

renaming policies 6-32

sharing local policies 6-23

sharing multiple policies 6-25

Site-to-Site VPN Topologies page B-89

unassigning policies 6-21

understanding basic policy management 6-16

understanding shared policies 6-22

unsharing policies 6-27

device view

understanding 5-23

DHCP

Cisco IOS routers

configuring on 12-43

defining address pools 12-49

defining policies 12-47

DHCP Database dialog box C-528

DHCP Policy page C-525

IP Pool dialog box C-529

understanding database agents 12-44

understanding option 82 12-45

understanding relay agents 12-44

understanding secured ARP 12-46

PIX/ASA/FWSM

configuring DHCP relay 13-64

configuring DHCP servers 13-65

DHCP pools in DM 6500/7600

viewing status 14-28

dial backup

configuring 9-29

Dial Backup Settings dialog box B-33

understanding 9-27

dialer interfaces

configuring on Cisco IOS routers 12-29

defining BRI properties 12-32

defining profiles 12-29

Dialer Interfaces Policy page C-513

Dialer Physical Interface dialog box C-517

Dialer Profile dialog box C-516

Diffie-Hellman groups

in IKE proposals 9-61

Discard Activity dialog box G-11

Discard Deployment Job dialog box H-25

discovery

Map View 4-37

overview 1-11

Settings page F-14

Discovery Details pane E-4

Discovery Status dialog box C-18

discovery task

frequently asked questions 6-10

starting 6-6

viewing status 6-9

Distinguished Name (DN) matching policies

configuring 10-25

DN Matching Policy page C-870

understanding 10-24

Distinguished Name (DN) matching rules

configuring 10-27

DN Matching Rules page C-871

DN Rule dialog box (lower pane) C-875

DN Rule dialog box (upper pane) C-874

understanding 10-26

Distributed Traffic Shaping (DTS) 12-93

DMVPN (Dynamic Multipoint VPN)

advantages of using with GRE 9-96

configuring policies 9-97

IPSec technology 9-8

understanding 9-95

using with GRE 9-96

DNS

configuring on firewall devices 13-67

dynamically assigned IP addresses

adding devices with 5-64

dynamic crypto maps 9-67

dynamic IP devices

GRE for 9-91

dynamic NAT

creating rules on Cisco IOS routers 12-20

E

Easy VPN

Advanced tab B-85

client connection characteristics 9-110

Client VPN Software Update tab B-87

configuring policies for 9-104

General tab B-80

IPSec Proposal page B-70

IPSec proposals 9-104

IPSec tab B-83

IPSec technology 9-8

tunnel group policies 9-108

Tunnel Group Policy page B-79

understanding 9-101

user group policies 9-107

User Group Policy page B-77

Edit AAA Option dialog box C-728

Edit AAA Rules dialog box C-713

Edit AAA Server Group dialog box C-731

Edit Category dialog box

AAA rules C-733

access rules C-662

inspection rules C-709

transparent rules C-774

web filter rules C-753

Edit Client Access Rules dialog box C-73

Edit Country Network Codes dialog box C-102

Edit Deploy Method dialog box H-17

Edit Description dialog box

AAA rules C-732

access rules C-661

inspection rules C-708

transparent rules C-773

web filter rules C-754

Edit Destinations dialog box C-651

AAA rules C-720

inspection rules C-688

web filter rules C-744

Edit Device Groups page A-70

Edit Endpoints dialog box B-16

Protected Networks tab B-24

VPN Interface tab B-17

Edit Extended Access Control Entry dialog box C-56

Edit Extended Access List page C-52

Edit Firewall Option dialog box C-656

Edit Firewall Rule dialog box C-641

Edit FTP Map dialog box C-96

Edit GTP Map dialog box C-100

editing

HTTP maps

editing 8-107

Edit Inspected Protocol dialog box C-696

Edit Interface dialog box

AAA rules C-726

access rules C-658, C-693

transparent rules C-772, C-795

Edit menu 3-7

Edit menu, table commands 3-22

Edit Permit Response dialog box C-103

Edit Selected Deployment Method dialog box H-18

Edit Service dialog box

AAA rules C-691, C-723

access rules C-654

web filter rules C-748

Edit Sources dialog box C-649

AAA rules C-718

inspection rules C-685

web filter rules C-742

Edit Standard Access Control Entry dialog box C-62

Edit Standard Access List page C-60

Edit state 7-5

Edit TCP Map dialog box C-165

Edit Traffic Flow dialog box C-176

Edit Transparent EtherType dialog box C-770

Edit Transparent Firewall Rule dialog box C-767

Edit Transparent Mask dialog box

transparent rules C-771

Edit Web Filter Options dialog box C-752

Edit Web Filter Type dialog box C-751

EIGRP routing

configuring on Cisco IOS routers 12-120

defining interface properties 12-124

defining routes 12-122

Edit Interfaces dialog box C-597

EIGRP Routing Policy page C-594

Interface dialog box C-599

Interfaces tab C-598

redistributing routes 12-127

Redistribution Mapping dialog box C-603

Redistribution tab C-601

Setup dialog box C-596

Setup tab C-595

Encoding tab

HTTP map objects C-118

encryption algorithms

3DES (Triple DES) 9-60

AES (Advanced Encryption Standard) 9-61

DES (Data Encryption Standard) 9-60

in IKE proposals 9-60

endpoints and protected networks

defining in VPN topologies 9-18

Protected Networks tab B-24

understanding 9-16

VPN Interface tab B-17

Entity Length tab

HTTP map objects C-110

Errors tab G-12

evaluation license

upgrading to permanent license 2-58

Exclusive Domain Name dialog box

web filter rules C-763

exclusive domains

adding (IOS) 11-125

deleting (IOS) 11-128

editing (IOS) 11-127

Exclusive Domains tab

web filter rules C-759

exiting

Cisco Security Management Suite server 3-2

CiscoWorks Common Services 3-2

Security Manager 3-1, 3-3

Exporting inventory 5-92

Extended IP ACL tab C-51

Ext Request Method tab

HTTP map objects C-114

F

factory-default configurations 13-2

failover

PIX/ASA/FWSM

active/active 13-56

active/standby 13-56

configuring on 13-54

stateful 13-59

stateless 13-58

types of 13-56

understanding 13-55

failover link 13-55

feature sets 1-5

File menu 3-6

files

deploying to 15-13

selecting 3-24

Find Node dialog box D-17

Firewall AAA IOS Timeout Value Setting dialog box C-791

Firewall AAA MAC Exempt Setting dialog box C-786

Firewall ACL Setting dialog box C-779

Firewall-Inside setup wizard in DM 6500/7600

core network connection, configuring routed port details 14-135

final configuration, delivering 14-141

inside network connection, configuring 14-139

MSFC/Firewall VLAN

firewall context, creating 14-138

firewall context, selecting 14-138

VLAN group, selecting 14-137

service module, selecting 14-134

summary page 14-141

firewall mode

changing 13-28

viewing C-483

Firewall-Outside setup wizard in DM 6500/7600

core network connection, configuring 14-146

final configuration, delivering 14-147

Firewall/MSFC VLAN, configuring 14-144

Internet connection, configuring 14-142

service module, selecting 14-142

summary page 14-147

firewall policy properties 11-3

firewall service module (FWSM)

including in deployment jobs H-5, H-14

Firewall Service Module Credentials and VPN SPA Slot Location dialog box A-19

firewall services

ACL names

conflicts and resolutions 11-8

generating 11-4

identifying original 11-9

naming conventions 11-4

notes 11-9

preserving user-defined 11-6

managing 11-1

Map View 4-24

optimizing policy objects

in rules 11-29

notes 11-30

Firewall Services Module (FWSM)

configuring 9-38

configuring with VPNSM 9-39

FWSM blades 9-38

FWSM Settings tab (remote access VPN) C-849

FWSM tab (site-to-site VPN) B-26

see also PIX/ASA/FWSM Platform policies

Firewall Services Module (FWSM) setup in DM 6500/7600

configuring 14-148

firewall contexts, configuring 14-158

interfaces

adding 14-166

configuring 14-165

editing 14-168

security contexts

configuring 14-158

viewing details 14-162

VLANs

adding to a VLAN group 14-156

editing in a VLAN group 14-157

range, entering 14-154

firewall settings

AAA Firewall page C-784

Access Control page C-776

access controls

access list compilation 11-58

configuring settings 11-61

object group search 11-53

per user downloadable ACLs (PIX/ASA/FWSM) 11-56

AuthProxy General tab (IOS) C-788

AuthProxy page C-787

AuthProxy Timeout tab (IOS) C-790

configuring settings

firewall ACL 11-62

Firewall AAA IOS Timeout Value Setting dialog box C-791

Firewall AAA MAC Exempt Setting dialog box C-786

Firewall ACL Setting dialog box C-779

Inspection page C-782

Transparent page C-793

Web Filter page C-796

Web Filter Server Configuration dialog box C-800

firewall system variables 16-13, 16-16

Flash memory, amount C-483

FlexConfig Editor dialog box C-87

FlexConfig objects

ASA samples 16-7

Cisco IOS samples 16-9

creating 8-70

deleting 8-76

duplicating 8-71

editing 8-73

generating usage reports for 8-75

PIX samples 16-10

router samples 16-11

understanding 8-69, 16-2

viewing details 8-74

FlexConfig object variables

deleting 16-45

FlexConfig policies C-217

FlexConfig policies

understanding 16-35

FlexConfig Policy page C-218

FlexConfig Policy Preview dialog box C-225

FlexConfigs

adding 16-40

CLI commands in 16-2

creating (scenario) 16-35

deleting 16-42

editing 16-41

example 16-6

managing 16-1

previewing 16-44

reordering 16-43

scripting language

examples of 16-4, 16-5

understanding 16-3

understanding 16-1

working with 16-40

FlexConfigs objects page C-86

FlexConfig system variables

firewalls 16-13, 16-16

remote access 16-34

routers 16-23

understanding 16-12

VPNs 16-24

FlexConfig Undefined Variables dialog box C-92

floodguard 13-97

fragmentation

in remote access VPNs 10-21

General Settings tab C-864

in site-to-site VPNs

General Settings tab B-51

understanding 9-73

maximum transmission unit (MTU) 9-73

fragments settings 13-97

frequently asked questions

policy discovery 6-10

FTP map objects

Add FTP Map dialog box C-96

creating 8-78

deleting 8-81

duplicating 8-81

Edit FTP Map dialog box C-96

editing 8-80

FTP Maps page C-94

generating usage reports for 8-83

understanding 8-77

viewing details 8-84

FTP Maps page C-94

full mesh topologies

description 9-5

diagram 9-5

FWSM

see Firewall Services Module (FWSM)

FWSM Settings tab (remote access VPN) C-849

G

General page A-48

General tab

ASA user group objects C-68

HTTP map objects C-108

getting started

checklist 1-13

getting started with Catalyst 6500/7600 Device Manager (DM 6500/7600)

features 14-3

home page 14-4

navigating 14-4

preferences, editing 14-16

refreshing 14-16

starting 14-4

startup configurations, saving 14-15

user role 14-17

what to do after starting DM6500/7600 14-18

getting to know Security Manager

global settings in DM 6500/7600

editing 14-22

protocol settings 14-23

STP settings 14-31, 14-109

GRE (generic routing encapsulation)

advantages of IPSec tunneling with GRE 9-87

configuring policies 9-92

for devices with dynamic IP 9-91

GRE Modes page B-60

implementation 9-88

IPSec technology 9-8

prerequisites for successful configuration 9-88

understanding in site-to-site VPNs 9-87

using DMVPN with 9-96

GRE Dynamic IP

configuring policies 9-92

for dynamically addressed spokes 9-91

IPSec technology 9-8

group names

modifying 5-90

groups

add A-72

add devices to A-71

adding devices to 5-91

creating 5-87

deleting 5-89

working with 2-56, 5-86

group type names

modifying 5-90

group types

creating 5-86

deleting 5-89

GTP map objects

Add Country Network Codes dialog box C-102

Add GTP Map dialog box C-100

Add Permit Response dialog box C-103

creating 8-85

deleting 8-90

duplicating 8-89

Edit Country Network Codes dialog box C-102

Edit GTP Map dialog box C-100

editing 8-88

Edit Permit Response dialog box C-103

generating usage reports for 8-91

GTP Maps page C-98

GTP Map Timeouts dialog box C-104

understanding 8-85

viewing details 8-93

GTP Maps page C-98

GTP Map Timeouts dialog box C-104

GUI timeout

Settings page

H

Hardware Client Attributes tab

ASA user group objects C-81

hash algorithms

in IKE proposals 9-61

MD5 9-61

SHA 9-61

help

accessing 3-13

help desk users 2-13

Help menu 3-12

high availability (HA groups)

configuring 9-52

High Availability page B-35

stateful failover 9-51

stateless failover 9-51

understanding 9-49

History tab G-6

hit count

changing displayed results 11-47

filtering columns 11-47

sorting columns 11-48

viewing details 11-49

generating reports 11-45

understanding 11-43

understanding report results 11-46

Hit Count page C-818

home page in DM6500/7600 14-4

host/domain policies

defining 12-34

Host/Domain Policy page C-520

hostnames

Cisco IOS routers

configuring on 12-34

hostname settings

configuring on firewall devices 13-60

HSRP 13-28

HTTP Credentials dialog box A-18

HTTP map objects

creating 8-95

deleting 8-108

duplicating 8-108

editing 8-107

Encoding tab 8-105, C-118

Entity Length tab 8-98, C-110

Extension Request Method tab 8-101

Ext Request Method tab C-114

General tab 8-96, C-108

generating usage reports for 8-110

HTTP Maps page C-106

IOS Specific tab C-120

Port Misuse tab 8-103, C-116

RFC Request Method tab 8-100, C-112

understanding 8-94

viewing details 8-111

HTTP Maps page C-106

HTTP settings

configuring on firewall devices 13-44

hub-and-spoke topology

description 9-3

diagram 9-3

I

ICMP settings

configuring on firewall devices 13-45

icons

map elements D-4

toolbar reference 3-13

Identity tab

ASA user group objects C-66

idle timeout 3-3

IGMP

configuring on firewall devices 13-87

IKE (Internet Key Exchange)

aggressive mode negotiation 9-59

main mode negotiation 9-59

proposals 9-59

understanding 9-59

IKE keepalive

understanding 9-70

IKE proposal objects

creating 8-113

deleting 8-119

duplicating 8-115

editing 8-116

generating usage reports for 8-118

IKE Proposal dialog box C-123

IKE Proposals page C-121

understanding 8-112

viewing details 8-117

IKE proposals (policies)

configuring 9-63

configuring on remote access VPN servers 10-14, C-855

IKE Proposal page (remote access VPN) C-855

IKE Proposal page (site-to-site VPN) B-38

understanding in remote access VPNs 10-13

IKE tunnels, amount C-483

Import Background Image dialog box D-20

Import Details pane E-5

inheritance

inheriting rules 6-47

Inherit Rules dialog box C-14

understanding 6-45

Inherit Rules dialog box C-14

Inspection page C-782

inspection rules

adding 11-66

Add Inspection Rule dialog box C-666

Configure DNS dialog box C-699

Configure ESMTP dialog box C-702

Configure Fragments dialog box C-703

Configure IMAP dialog box C-705

Configure POP3 dialog box C-706

Configure RPC dialog box C-707

Configure SMTP dialog box C-700

configuring custom destination ports 11-70

configuring default inspection traffic 11-68

configuring destination address and port (IOS) 11-71

configuring settings 11-84

configuring source and destination address and port (ASA) 11-73

copying 11-81

Custom Protocol dialog box C-701

cutting 11-81

deleting 11-83

disabling 11-79

Edit Category dialog box C-709

Edit Description dialog box C-708

Edit Destinations dialog box C-688

editing 11-75

Edit Inspected Protocol dialog box C-696

Edit Inspection Rule dialog box C-666

Edit Sources dialog box C-685

enabling 11-79

finding usage 11-80

generating usage reports 11-80

Inspection Rules page C-663

Limit Inspection Between Source and Destination IP Addresses (ASA) page C-673

Match Traffic by Custom Destination Ports page C-677

Match Traffic by Destination Address and Port (IOS) page C-678

Match Traffic by Source and Destination Address and Port (ASA) page C-681

Match Traffic to Default Protocol Ports page C-670

moving down 11-82

moving up 11-82

pasting 11-81

Show Destination Contents dialog box C-690

Show Interface Contents dialog box C-695

Show Service Contents dialog box C-693

Show Source Contents dialog box C-687

supported features 11-86

understanding 11-64, 11-65

Inspection Rules page C-663

installing

Security Manager client 3-3

interface

status C-484

throughput C-484

interface management

See ports and interface management in DM 6500/7600

Interface Properties dialog box D-25

interface role objects

creating 8-121

deleting 8-129

duplicating 8-123

editing 8-124

exceptional cases 8-131

generating usage reports for 8-128

Interface Name Conflict dialog box C-129

Interface Role dialog box C-127

Interface Roles page C-126

managing overrides 8-127

override page in Policy Object Manager C-208

specifying during policy definition 8-130

understanding 8-120

viewing details 8-126

interface roles

override page in Device Properties A-56

Interface Roles Override page A-56

interfaces

Cisco IOS routers

available types 12-6

configuring on 12-2

Create Router Interface dialog box C-487

deleting from 12-9

generating interface names 12-8

Interface Auto Name Generator dialog box C-492

Router Interfaces page C-486

Interface Name Conflict dialog box C-129

PIX/ASA/FWSM

checklist for configuring interfaces in multi context mode 13-9

configuring on 13-3

enabling traffic between same security levels 13-4

troubleshooting 13-19

specifying during policy definition 8-130

interface timeout 3-3

interface types supported in DM6500/7600 14-34

inventory

adding devices to 5-29

deleting devices from 5-83

reports 5-92

IOS routers

deployment using Token Management Servers (TMS) 15-13

IOS Specific tab

HTTP map objects C-120

IOS Web Filter Rule and Applet Scanner dialog box C-759

IP address

management, transparent firewall C-282

IP addresses

specifying in policies 8-152

supported formats 8-143

IPSec proposals (policies)

configuring for Easy VPN 9-104

configuring in remote access VPNs 10-10

configuring in site-to-site VPNs 9-68

IPSec Proposal Editor (remote access VPN)

IOS and Catalyst 6500/7600 devices C-843

PIX and ASA devices C-840

IPSec Proposal page (in Easy VPN) B-70

IPSec Proposal page (remote access VPN) C-837

IPSec Proposal page (site-to-site VPN) B-40

understanding in remote access VPNs 10-9

using crypto maps in 9-67

using transform sets in 9-65

IPSec tab

ASA user group objects C-70

IPSec technologies

defining 9-12

DMVPN 9-8

Easy VPN 9-8

GRE 9-8

GRE Dynamic IP 9-8

mandatory policies 9-8

optional policies 9-8

regular IPSec 9-8

understanding 9-8

working with policies 9-8

IPSec transform set objects

creating 8-135

deleting 8-140

duplicating 8-136

editing 8-137

generating usage reports for 8-139

IPSec Transform Set dialog box C-132

IPSec Transform Sets page C-130

supported modes 8-134

supported protocols 8-133

understanding 8-132

viewing details 8-138

IPSec tunnels

understanding policies 9-64

IPSec tunnels, amount C-483

IPS Manager

managing devices with 5-83

ISAKMP/IPSec settings

IKE keepalive 9-70

in remote access VPNs 10-20

in site-to-site VPNs 9-70

ISAKMP/IPSec Settings tab (remote access VPN) C-860

ISAKMP/IPSec Settings tab (site-to-site VPN) B-45

J

job approval 15-9

job changes 15-10

job deployment methods

understanding 15-11

jobs

aborting 15-42

approving 15-51

benefits of 15-2

creating 15-46

discarding 15-52

including devices in 15-10

opening 15-49

rejecting 15-51

submitting 15-50

job states

non-Workflow mode 15-4

Workflow mode 15-8

job status

Aborted 15-8

Approved 15-8

Deployed 15-8

Deploying 15-8

Discarded 15-8

Edit 15-8

Edit-In Use 15-8

Failed 15-9

Rejected 15-8

Rolled Back 15-9

Rolling Back 15-9

Submitted 15-8

joined hub-and-spoke topology 9-7

Join Group tab

description 13-88

JumpStart 1-14

K

Kerberos

use by ASA devices 8-22

L

Layer 2 firewall

See transparent firewall

license C-483

licenses

installing 2-60

Product Authorization Key (PAK) 2-59

Security Manager kit part numbers 2-58

Software License Claim Certificate 2-59

understanding 2-58

upgrading 2-58

uploading new 2-58

working with 2-58

licensing

Settings page F-16

Lightweight Directory Access Protocol (LDAP)

use by ASA devices 8-22

Limit Inspection Between Source and Destination IP Addresses (ASA) page C-673

locking

and activities 7-4

committed configuration 7-4

devices 6-48

objects 6-50

policies 6-48

understanding 6-48

VPN topologies 6-49

logging

Cisco IOS routers

configuring on 12-79

defining setup parameters 12-80

defining syslog servers 12-83

understanding severity levels 12-79

PIX/ASA/FWSM

configuring on 13-75

e-mail setup 13-76

event lists 13-77

logging filters 13-79

logging setup 13-80

rate limit levels 13-81

server setup 13-83

syslog servers 13-84

logging command

class option

message class variables C-369

logging in to

Cisco Security Management Suite server 3-2

logging into

Security Manager 3-1, 3-3

logging policies

Logging Setup Policy page C-560

Syslog Server dialog box C-567

Syslog Servers Policy page C-565

logs

archiving logs 2-61

Settings page F-16

understanding 2-61

loopback interfaces in DM 6500/7600

adding 14-80

configuring 14-77

editing 14-78

restarting 14-78

low-latency queuing (LLQ) 12-92

M

MAC address table

learning, disabling C-280

overview C-278

MAC exempt address lists

adding 11-101

deleting 11-103

editing 11-102

using 11-101

macro, definition in DM6500/7600 14-81

Main toolbar buttons 15-32

management access settings

configuring on firewall devices 13-47

Map menu 3-9, D-8

maps

access permissions 4-3

adding existing managed devices 4-18

adding new managed devices 4-18

background color 4-12

background images

deleting 4-15

importing 4-13

overview 4-13

scale and position 4-15

setting 4-14

centering elements 4-9

changing the zoom level 4-8

creating 4-3

default map 4-11

deleting 4-5

displaying devices from Device View 4-20

displaying managed devices 4-17

displaying your network 4-16

elements, understanding 4-16

exporting 4-6

icons D-4

Layer 3 automatic connectivity display 4-24

Layer 3 link

creating 4-22

deleting 4-23

displaying 4-22

layouts, using 4-9

navigating 4-7

navigation window 4-7

objects

adding 4-21

deleting 4-21

user created overview 4-20

opening 4-4

overview 4-1

panning 4-8

refreshing 4-10

saving 4-4

searching for elements 4-10

selecting elements 4-9

showing containment for Catalyst, ASA, PIX devices 4-19

understanding 4-1

undocking window 4-9

unlinked, using 4-11

working with 4-2

Map Settings dialog box D-18

Map View

cloning devices 4-36

context menu

Layer 3 link D-12

managed device node D-10

map background D-13

map objects D-13

selected nodes D-11

VPN connection D-12

copying policies between devices 4-35

device policies, managing 4-35

dialog box reference D-14

discovering device configurations 4-37

firewall

AAA rules 4-26

access rules 4-25

ACL settings 4-28

AuthProxy settings 4-29

inspection rules 4-25

inspection settings 4-28

policies 4-24

services 4-24

settings 4-27

transparent rules 4-27

web filter rules 4-26

web filter settings 4-29

icons for elements D-4

main page D-1

menus D-8

navigation window D-7

previewing device configurations 4-37

sharing device policies 4-36

toolbar reference D-6

user interface reference D-1

VPNs

adding or removing tunnels 4-33

creating 4-30

creating full mesh or hub and spoke 4-31

creating point-to-point 4-30

displaying existing 4-33

editing peers 4-33

editing policies 4-32

listing peers 4-34

managing 4-30

Map view

Autolink Settings page F-2

overview 1-9, 4-1

Match Traffic by Custom Destination Ports page

inspection rules C-677

Match Traffic by Destination Address and Port (IOS) page

inspection rules C-678

Match Traffic by Source and Destination Address and Port (ASA) page

inspection rules C-681

Match Traffic to Default Protocol Ports

inspection rules C-670

maximum transmission unit (MTU) 9-73

MD5 hash algorithm 9-61

memory, amount

Flash C-483

memory usage C-484

menu reference

Activities 3-12

Edit 3-7

Edit, table commands 3-22

File 3-6

Help 3-12

Map 3-9, D-8

overview 3-6

Policy 3-9

Tools 3-11

View 3-8

message classes

list of C-369

messages

classes of

list of classes C-369

model C-483

modify permissions

additional types 2-11

for objects 2-9

for policies 2-8

MRoute page

description 13-89

MST mode in DM6500/7600, and STP data 14-111

multicast routing

PIX/ASA/FWSM

configuring on 13-86

enabling 13-86

IGMP 13-87

multicast routes 13-89

PIM 13-90

multicast traffic 13-28

Multilayer Switch Feature Card (MSFC)

Firewall-Inside setup wizard in DM 6500/7600

final configuration, delivering 14-141

firewall context, creating 14-138

firewall context, selecting 14-138

inside network connection, configuring 14-139

MSFC-Firewall VLANs, configuring 14-135

service module, selecting 14-134

summary page 14-141

VLAN group, selecting 14-137

Firewall-Outside setup wizard in DM 6500/7600 14-142

core network connection, configuring 14-146

final configuration, delivering 14-147

Firewall-MSFC VLAN, configuring 14-144

inside network connection, configuring 14-146

Internet connection, configuring 14-142

service module, selecting 14-142

summary page 14-147

multiple users

activities 7-5

deployment jobs and 15-10

N

NAT traversal 9-72

network/host objects

creating 8-143

deleting 8-151

duplicating 8-145

editing 8-146

generating usage reports for 8-150

managing overrides 8-149

Network/Host dialog box C-136

Networks/Hosts page C-134

override page in Device Properties A-57

override page in Policy Object Manager C-209

provisioning as PIX object groups 8-265

supported IP address formats 8-143

understanding 8-142

viewing details 8-148

network access device (NAD) 12-69

Network Access Restriction (NAR) 2-21

Network Address Translation (NAT)

Cisco IOS routers

configuring on 12-10

creating dynamic rules 12-20

creating static rules 12-13

designating interfaces 12-11

Dynamic Rule dialog box C-503

Dynamic Rules tab C-502

Edit Inside Interfaces dialog box C-495

Edit Outside Interfaces dialog box C-496

Interface Specification tab C-494

NAT Policy page C-493

specifying timeouts 12-24

Static Rule dialog box C-498

Static Rules tab C-497

Timeouts tab C-506

configuring in remote access VPNs 10-20

configuring in site-to-site VPNs 9-71

configuring NAT traversal 9-72

NAT Settings tab (remote access VPN) C-863

NAT Settings tab (site-to-site VPN) B-49

PIX/ASA/FWSM

Address Pool dialog box C-231

Address Pools page C-230

clearing XLATE on deployment 13-102

configuring on 13-19

configuring translation options 13-21

defining address pools 13-20

defining dynamic translation rules 13-23

defining policy-based dynamic translation rules 13-24

defining static translation rules 13-25

defining translation exemptions (NAT 0 ACL) 13-22

Translation Options page C-232

Translation Rules page C-233

understanding 13-20

viewing translation rules 13-26

network administrators

in Cisco Secure ACS 2-16

in CiscoWorks 2-13

Network Admission Control (NAC)

Cisco Trust Agent 12-69

components 12-69

configuring on Cisco IOS routers 12-68

defining identity parameters 12-76

defining interface parameters 12-74

defining setup parameters 12-71

Identities tab C-556

Identity Action dialog box C-559

Identity Profile dialog box C-558

Interface Configuration dialog box C-554

Interfaces tab C-553

NAC Policy page C-550

network access device (NAD) 12-69

Setup tab C-551

supported platforms 12-69

understanding system flow 12-70

network device groups (NDGs)

activating NDG feature 2-28

associating with roles and user groups 2-38

configuring in Cisco Secure ACS 2-38

creating 2-29

network operators 2-13

networks

adding devices from 5-32

Device Credentials page 5-38

Device Grouping page 5-40

Device Information page 5-34

Networks/Hosts Override page A-57

Network Time Protocol

see NTP

Network Time Protocol (NTP)

Cisco IOS routers

configuring on 12-51

creating NTP servers 12-51

NTP Policy page C-532

NTP Server dialog box C-534

new devices

adding 5-49

Device Credentials page 5-38

Device Grouping page 5-40

Device Information page 5-51

Node Properties dialog box D-24

Non-Workflow mode

main toolbar buttons 15-32

viewing

deployment device details 15-45

non-Workflow mode 15-45

comparing with Workflow mode 2-42

configuration files

deploying in 15-34

previewing 15-38

rolling back 15-43

deployment 15-3

taskflow 15-3

deployment jobs

aborting 15-42

states 15-4

Deployment Manager window H-2

Deployment Status Details dialog box H-6

Deploy Saved Changes dialog box H-3

disabling 2-43

enabling 2-43

Preview Config dialog box H-8

selecting 2-40

understanding 2-41

NTP

configuring on firewall devices 13-69

NTP broadcast settings in DM 6500/7600, configuring

date and time settings 14-29

NTP servers and peers 14-31

O

object group search

enabling 11-54

understanding 11-53

objects

AAA server groups

creating 8-9

deleting 8-18

duplicating 8-12

editing 8-13

generating usage reports for 8-17

managing overrides 8-16

viewing details 8-15

AAA servers

creating 8-24

deleting 8-30

duplicating 8-26

editing 8-27

generating usage reports for 8-29

viewing details 8-28

access control lists

creating 8-35

deleting 8-42

duplicating 8-41

editing 8-40

extended objects 8-35

generating usage reports for 8-44

standard objects 8-38

understanding 8-32

viewing details 8-45

ASA user groups

Client Configuration tab 8-54

Client Firewall Attributes tab 8-57

creating 8-47

deleting 8-64

duplicating 8-63

editing 8-62

General tab 8-50

generating usage reports for 8-65

Hardware Client tab 8-61

Identity tab 8-49

IPSec tab 8-53

understanding 8-45

viewing details 8-67

categories

editing 8-69

FlexConfigs

creating 8-70

deleting 8-76

duplicating 8-71

editing 8-73

example 16-6

FlexConfig Editor dialog box C-87

FlexConfigs Objects page C-86

FlexConfig Undefined Variables dialog box C-92

generating usage reports for 8-75

system variables 16-12

understanding 16-2

viewing details 8-74

FTP maps

creating 8-78

deleting 8-81

duplicating 8-81

editing 8-80

generating usage reports for 8-83

understanding 8-77

viewing details 8-84

GTP maps

creating 8-85

deleting 8-90

duplicating 8-89

editing 8-88

generating usage reports for 8-91

understanding 8-85

viewing details 8-93

HTTP maps

creating 8-95

deleting 8-108

duplicating 8-108

Encoding tab 8-105

Entity Length tab 8-98

Extension Request Method tab 8-101

General tab 8-96

generating usage reports for 8-110

Port Misuse tab 8-103

RFC Request Method tab 8-100

understanding 8-94

viewing details 8-111

IKE proposals

creating 8-113

deleting 8-119

duplicating 8-115

editing 8-116

generating usage reports for 8-118

viewing details 8-117

interface roles

creating 8-121

deleting 8-129

duplicating 8-123

editing 8-124

generating usage reports for 8-128

managing overrides 8-127

viewing details 8-126

IPSec transform sets

creating 8-135

deleting 8-140

duplicating 8-136

editing 8-137

generating usage reports for 8-139

viewing details 8-138

locking

effects on activities 7-4

networks/hosts

creating 8-143

deleting 8-151

duplicating 8-145

editing 8-146

generating usage reports for 8-150

managing overrides 8-149

viewing details 8-148

Object Type selector C-31

overview 1-11

PKI enrollments

creating 8-155

deleting 8-170

duplicating 8-164

editing 8-165

generating usage reports for 8-169

managing overrides 8-168

viewing details 8-167

port lists

creating 8-172

deleting 8-180

duplicating 8-174

editing 8-175

generating usage reports for 8-178

managing overrides 8-177

viewing details 8-176

provisioning as PIX object groups 8-264

service groups

creating 8-192

deleting 8-199

duplicating 8-194

editing 8-195

generating usage reports for 8-198

managing overrides 8-197

viewing details 8-196

services

creating 8-182

deleting 8-189

duplicating 8-184

editing 8-185

generating usage reports for 8-188

managing overrides 8-187

viewing details 8-186

TCP maps

creating 8-201

deleting 8-205

duplicating 8-204

editing 8-203

generating usage reports for 8-206

understanding 8-200

viewing details 8-207

text

creating 8-209

deleting 8-215

duplicating 8-210

editing 8-211

generating usage reports for 8-213

managing overrides for 8-214

Text Object Editor dialog box C-169

Text Objects page C-167

viewing details 8-212

Text objects

Create Text Object dialog box C-91

Property Selector dialog box C-93

time ranges

creating 8-217

deleting 8-224

duplicating 8-220

editing 8-221

generating usage reports for 8-223

viewing details 8-222

Traffic flows

creating 8-225

default inspection traffic with access list 8-228

deleting 8-233

duplicating 8-233

editing 8-232

generating usage reports for 8-235

IP diffserv codepoints (DSCPs) 8-232

IP precedence bits 8-230

RTP ranges 8-229

source and destination IP addresses 8-227

TCP or UDP destination ports 8-228

tunnel groups 8-230

viewing details 8-236

traffic flows

understanding 8-225

user groups

creating 8-238

deleting 8-249

duplicating 8-244

editing 8-245

generating usage reports for 8-248

viewing 8-247

object selectors C-199

Create Filter dialog box C-202

filtering 8-260

filtering options per object type 8-262

using 8-256

Object Type selector C-31

object variables

FlexConfig

deleting 16-45

understanding 16-6

Openable Activities dialog box G-19

Open Map dialog box D-15

optimizing policy objects

in rules 11-29

notes 11-30

OSPF

authentication support 13-93

configuring on firewall devices 13-93

interaction with NAT 13-93

LSAs 13-93

OSPF interfaces

blocking LSA flooding 12-144

defining on Cisco IOS routers 12-138

disabling MTU mismatch detection 12-143

Interface dialog box C-607

OSPF Interface Policy page C-605

understanding

authentication 12-147

cost 12-142

network types 12-146

priority 12-142

timer settings 12-145

OSPF parameters

dead interval C-453

hello interval C-453

retransmit interval C-453

transmit delay C-453

OSPF redistribution

defining mappings 12-134

defining maximum prefix values 12-136

understanding 12-133

OSPF routing

Cisco IOS routers

Area dialog box C-617

Area tab C-616

configuring on 12-129

defining area settings 12-131

defining interface settings 12-138

defining setup parameters 12-130

Edit Interfaces dialog box C-615

Max Prefix Mapping dialog box C-623

OSPF Process Policy page C-612

redistributing routes 12-133

Redistribution Mapping dialog box C-621

Redistribution tab C-619

Setup dialog box C-614

Setup tab C-613

OS version mismatches

handling 15-14

overview

policies 1-11

workflow 1-12

P

partial mesh topologies 9-7

Peers page B-7

Performance Monitor

licensing 2-59

permanent license

upgrading from evaluation license 2-58

per user downloadable ACLs (PIX/ASA/FWSM)

enabling 11-57

understanding 11-56

PIM

configuring on firewall devices 13-90

PIX

FlexConfig object samples 16-10

PIX/ASA/FWSM Platform policies

configuring AAA 13-30

configuring AUS settings 13-62

configuring banners 13-36

configuring boot image and configuration settings 13-38

configuring bridging 13-27

configuring clock 13-39

configuring console timeout settings 13-43

configuring contact credentials 13-41

configuring device access 13-42

configuring device administration policies 13-29

configuring DHCP relay 13-64