Table Of Contents
Preparing Devices for Management
Understanding Device Communication Requirements
Setting Up SSL
Setting Up SSL on PIX Firewall, ASA and FWSM Devices
Setting Up SSL on Cisco IOS Routers
Setting Up SSH
Critical Line-Ending Conventions for SSH
Testing Authentication
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Preventing Non-SSH Connections—Optional
Setting Up AUS
Setting Up AUS on PIX Firewall and ASA Devices
Setting Up CNS Gateway on an Auto Update Server
Setting Up CNS
Setting Up CNS on PIX Firewall and ASA Devices
Setting Up CNS on Cisco IOS Routers
Setting Up TMS
Initializing IPS Devices
Preparing Devices for Management
Before you start to manage a device using Security Manager, you should prepare the device with at least a minimal configuration. The following sections describe the basic device configurations needed for various transport protocols or device types. Before configuring transport protocols, determine the requirements for your devices by reading Understanding Device Communication Requirements.
• Understanding Device Communication Requirements
• Setting Up SSL
• Setting Up SSH
• Setting Up AUS
• Setting Up CNS
• Setting Up TMS
• Initializing IPS Devices
Understanding Device Communication Requirements
Security Manager provides many different ways for you to manage devices. The easiest methods involve Security Manager directly contacting the devices. Security Manager might access a device during inventory or policy discovery, during configuration deployment, or in response to actions you take in Security Manager that request device contact (such as testing connectivity).
Because you can use off-line methods to add devices to the Security Manager inventory or to deploy configuration changes to the devices, configuring device communication settings for Security Manager's use is optional. However, you typically need to configure basic device communication settings on the devices to implement your off-line or customized configuration deployment tools.
In Security Manager, you can configure which transport protocol to use as the default for a type of device, and change it for specific devices that are configured to respond to a different protocol. Security Manager is configured with default protocols that are the most commonly used protocols for that type of device. To change the default device communication setting for a type of device, select Tools > Security Manager Administration and select Device Communication from the table of contents (for more information, see Device Communication Page, page A-14). To change the transport setting for a specific device, modify its device properties as described in Viewing or Changing Device Properties, page 6-23.
Security Manager can use these transport protocols:
• SSL (HTTPS)—Secure Socket Layer, which is an HTTPS connection, is the only transport protocol used with PIX Firewalls, Adaptive Security Appliances (ASA), and Firewall Services Modules (FWSM). It is also the default protocol for IPS devices and for routers running Cisco IOS Software release 12.3 or higher.
If you use SSL as the transport protocol on Cisco IOS routers, you must also configure SSH on the routers. Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Note
DES encryption is not supported on Common Services 3.0 and later. Ensure that all PIX Firewalls and Adaptive Security Appliances that you intend to manage with Security Manager have a 3DES/AES license.
For information on configuring SSL, see Setting Up SSL.
• SSH—Secure Shell is the default transport protocol for Catalyst switches and Catalyst 6500/7600 devices. You can also use it with Cisco IOS routers.
For information on configuring SSH, see Setting Up SSH.
• Telnet—Telnet is the default protocol for routers running Cisco IOS software releases 12.1 and 12.2. You can also use it with Catalyst switches, Catalyst 6500/7600 devices, and routers running Cisco IOS Software release 12.3 and higher. See the Cisco IOS software documentation for configuring Telnet.
• HTTP—You can use HTTP instead of HTTPS (SSL) with IPS devices. HTTP is not the default protocol for any device type.
• TMS—Token Management Server is treated like a transport protocol in Security Manager, but it is not a real transport protocol. Instead, by configuring TMS as the transport protocol of a router, you are telling Security Manager to deploy configurations to a TMS. From the TMS, you can download the configuration to an eToken, plug the eToken into the router's USB bus, and update the configuration. TMS is available only for routers running Cisco IOS Software 12.3 or higher.
For information on downloading configurations using TMS, see Setting Up TMS.
Security Manager can also use indirect methods to deploy configurations to devices, staging the configuration on a server that manages the deployment to the devices. These indirect methods also allow you to use dynamic IP addresses on your devices. The methods are not treated as transport protocols, but as adjuncts to the transport protocol for the device. You can use these indirect methods:
• AUS (Auto Update Server)—When you add a device to Security Manager, you can select the AUS server that is managing it. You can use AUS with PIX Firewalls, ASA devices, and Cisco IOS routers.
If you configure the AUS server to support the CNS Gateway protocol, you can use it with Cisco IOS routers that have dynamic IP addresses. However, you must also configure SSH and SSL on the routers.
For information on configuring a device to use an AUS server, see Setting Up AUS.
• CNS-Configuration Engine—When you add a router to Security Manager, you can select the Configuration Engine that is managing it.
For more information on configuring a router to use a CNS-Configuration Engine server, see Setting Up CNS.
For information on adding devices that use AUS or CNS servers to Security Manager, and how to add the servers, see these topics:
• Adding Devices to the Device Inventory, page 6-8
• Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 6-19
Setting Up SSL
Security Manager deploys the configuration to the device using a Secure Socket Layer (SSL) protocol. With this protocol, Security Manager encrypts the configuration file and sends it to the device.
The following topics describe how to set up SSL on devices:
• Setting Up SSL on PIX Firewall, ASA and FWSM Devices
• Setting Up SSL on Cisco IOS Routers
Setting Up SSL on PIX Firewall, ASA and FWSM Devices
Table 5-1 describes the tasks to complete before you use SSL as the transport protocol for device management on PIX Firewall, ASA and FWSM devices.
Table 5-1 Setting Up SSL on PIX Firewall, ASA, and FWSM Devices

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.
Respond to the prompts appropriately. Here are some tips:
1. Enter y when the prompt asks if you want to preconfigure using interactive prompts.
2. Enter the current enable password.
3. Specify the time zone, year, month, day, and time.
4. If the device:
– Is new—Specify the network interface IP address of the device and the network mask that applies to the inside IP address.
– Exists—Verify that the interface IP address and mask are correct.
5. If the device:
– Is new—Specify the hostname and the domain name.
– Exists—Verify that the hostname and domain name are correct.
6. When prompted for the IP address of the host that runs the PIX Device Manager, specify the IP address of the Security Manager server.
7. Enter yes when the prompt asks if you want to write the above changes to Flash.

Step 2
Enter: hostname(config)# http server enable
Result: Enables the HTTP server.

Step 3
Enter: hostname(config)# http ip_address [netmask] [if_name]
Result: Specifies the host or network authorized to initiate an HTTP connection to the device.
• ip_address—IP address of the Security Manager server.
• netmask—Network mask for the http ip_address.
• if_name—Device interface name (default is inside) from which Security Manager initiates the HTTP connection.

Step 4
Enter: hostname(config)# write memory
Result: Stores the current configuration in Flash memory.
Setting Up SSL on Cisco IOS Routers
Table 5-2 describes the tasks to complete before you use SSL as the transport protocol for device management on Cisco IOS routers.
Table 5-2 Setting Up SSL on Cisco IOS Routers

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see Step 3).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# username <username> privilege 15 password 0 <password>
Result: Configures a user with level 15 privilege.
SSL requires level 15 privileges to log in to a Cisco IOS router.

Step 5
Enter: router1(config)# no aaa authorization network <list-name>
Result: (Optional) Disables AAA authorization.
If you are using AAA for authorization but would like to use local authorization, use this command to disable the AAA authorization.
• list-name—Character string used to name the list of authorization methods.

Step 6
Enter: router1(config)# no aaa authentication login <list-name>
Result: (Optional) Disables AAA authentication at login.
If you are using AAA for authentication but would like to use local authentication, use this command to disable the AAA authentication.
• list-name—Character string used to name the list of authentication methods activated when a user logs in.

Step 7
Enter: router1(config)# ip http authentication local
Result: (Optional) Enables local authentication for SSL.
Enables Security Manager to authenticate with the local username you created in Step 4.
Note: If you do not enter this command, the default enable password is used for authentication.
Note: You can enable either AAA authentication or local authentication. To enable AAA authentication, enter the commands in Step 8 and Step 9. To enable local authentication, enter the command in this step.

Step 8
Enter: router1(config)# ip http authentication aaa
Result: (Optional) Enables AAA authentication/authorization for SSL.
Note: You can enable either AAA authentication or local authentication. To enable AAA authentication, enter the commands in Step 8 and Step 9. To enable local authentication, enter the command in Step 7.

Step 9
Enter:
router1(config)# ip http authentication aaa login-authentication <list-name>
router1(config)# ip http authentication aaa exec-authorization <list-name>
Result: (Optional) If multiple AAA lists are defined, you must enter these commands.
These commands authenticate the user that is contacting the device using the HTTPS protocol. The authentication uses AAA.
• list-name—Character string used to name the list of AAA server groups.
Note: You can enable either AAA authentication or local authentication. To enable AAA authentication, enter the commands in Step 8 and Step 9. To enable local authentication, enter the command in Step 7.

Step 10
Enter: router1(config)# ip http secure-server
Result: Enables the HTTPS server.

Step 11
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 12
Enter: router1# show ip http server secure status
Result: Verifies that SSL is set up on the device. The device responds with an "enabled" status.
Setting Up SSH
Security Manager deploys the configuration to Cisco IOS Routers, Catalyst switches, and Catalyst 6500/7600 devices using a Secure Shell (SSH). This provides strong authentication and secure communications over insecure channels. Security Manager supports both SSHv1.5 and SSHv2. Once connected to the device, Security Manager determines which version to use and downloads using that version.
Note
Security Manager supports Catalyst 6500/7600 devices running the Cisco IOS software only.
The following topics describe the tasks required to set up SSH on Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices:
• Critical Line-Ending Conventions for SSH
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
• Preventing Non-SSH Connections—Optional
Critical Line-Ending Conventions for SSH
The following line-ending conventions for SSH must be observed to avoid system failure:
1. Do not end banner message lines with "#", "# ", ">", or "> ". If your system requires a pound sign or greater-than sign at the end of a banner message, ensure that it is followed by two spaces.
2. Do not use banner message lines that contain only "Username: " or "Password: ".
3. Do not customize the device user-mode prompt so that it no longer ends with ">" or "#".
Testing Authentication
Before you set up SSH, you must test authentication without SSH to make sure the device can be authenticated. You can authenticate with a local username and password or with an authentication, authorization, and accounting (AAA) server running TACACS+ or RADIUS.
To test authentication without SSH using a local or AAA server username and password, enter the commands described in Table 5-3.
Table 5-3 Testing Authentication Without SSH

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: hostname(config)# aaa new-model
Result: Uses the local username and password in the absence of aaa statements.
Note: On Cisco IOS routers, you can use the login local command on vty lines instead of the aaa new-model command.

Step 3
Enter: hostname(config)# username <name> password 0 <password>
Result: Configures the user in the local database of the device. This command is optional.

Step 4
Enter: hostname(config)# exit
Result: Exits configuration mode.

Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
Related Topics
• Setting Up SSH
• Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
• Preventing Non-SSH Connections—Optional
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Table 5-4 describes the tasks required to set up SSH on Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices.
Note
You must configure SSH on Cisco IOS routers because Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Table 5-4 Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 Devices

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname. Configuring the hostname changes the command prompt to use the name (for example, router1).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# crypto key generate rsa
Result: Generates the RSA key pair for the SSH session.
When the device prompts you to enter the size of the modulus, we recommend that you enter 1024.

Step 5
Enter: router1(config)# ip ssh timeout <time>
Result: (Optional) Sets the timeout interval in minutes.

Step 6
Enter: router1(config)# ip ssh authentication-retries <n>
Result: (Optional) Sets the number of retries.

Step 7
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 8
Enter: router1# write memory
Result: Saves the configuration changes.
Related Topics
• Setting Up SSH
• Testing Authentication
• Preventing Non-SSH Connections—Optional
Preventing Non-SSH Connections—Optional
After configuring SSH, you can configure the Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices to use SSH connections only. To prevent non-SSH connections, enter the commands described in Table 5-5.
Table 5-5 Preventing Non-SSH Connections (Optional)

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: hostname(config)# line vty <first line number> <last line number>
Result: Sets up the router for Telnet access.
• first line number—valid values are 0 to 1180.
• last line number—valid values are 1 to 1180.

Step 3
Enter: hostname(config-line)# transport input ssh
Result: Prevents non-SSH connections, such as Telnet.

Step 4
Enter: hostname(config-line)# end
Result: Exits configuration mode.

Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
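As an added example that is not part of this guide or of Security Manager, the following Python script audits a saved Cisco IOS running-config against the preparation steps in this section: the hostname, domain name, privilege-15 user, HTTP authentication and HTTPS server from Table 5-2, the SSH-only vty lines from Table 5-5, and the banner rules from Critical Line-Ending Conventions for SSH. The sample configuration embedded in it is constructed, and the function names (audit_config and its helpers) are the example's own.

```python
"""Audit a Cisco IOS running-config against this chapter's SSH/SSL preparation
steps: hostname, domain name, privilege-15 user, HTTPS server and authentication
(Table 5-2), SSH-only vty lines (Table 5-5) and the banner line-ending rules.
Added example, not Cisco code; the sample config is constructed with gaps."""
import re

SAMPLE_CONFIG = "\n".join([
    "hostname router1",
    "ip domain-name example.test",
    "username csmadmin privilege 15 password 0 PLACEHOLDER",
    "ip http secure-server",            # ip http authentication is missing
    "banner motd ^C",
    "Authorized access only #",         # ends with "#": breaks rule 1
    "Property of Example Corp #  ",     # "#" followed by two spaces is allowed
    "Username: ",                       # looks like a login prompt: rule 2
    "^C",
    "line vty 0 4",
    " transport input telnet ssh",      # Telnet still accepted
    "line vty 5 15",
    " transport input ssh",
])

BANNER_RE = re.compile(r"^banner\s+\S+\s+(\S.*)$", re.M)
PROMPT_LIKE_ENDINGS = ("#", "# ", ">", "> ")

def split_banners(config):
    """Cut banner bodies out of the config text (they are unindented free text
    that would otherwise parse as commands). Returns (list of bodies, rest)."""
    banners, rest, text = [], [], config
    while True:
        m = BANNER_RE.search(text)
        if not m:
            return banners, "".join(rest + [text])
        rest.append(text[:m.start()])
        token = m.group(1)                  # "^C", or "^Ctext^C" for one-liners
        delim = token[:2] if token.startswith("^") else token[0]
        body, _, text = (token[len(delim):] + text[m.end():]).partition(delim)
        banners.append([ln for ln in body.splitlines() if ln])

def parse_blocks(config):
    """Group each top-level command with its indented sub-commands."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks

def check_banner(body):
    """Apply the chapter's banner line-ending conventions to one banner body."""
    out = []
    for line in body:
        if line.endswith(PROMPT_LIKE_ENDINGS):
            out.append(f"banner line ends with a prompt-like character: {line!r}")
        if line.strip() in ("Username:", "Password:"):
            out.append(f"banner line looks like a login prompt: {line!r}")
    return out

def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    banners, rest = split_banners(config)
    blocks = parse_blocks(rest)
    tops = [top for top, _ in blocks]
    has = lambda prefix: any(t.startswith(prefix) for t in tops)
    findings = []
    if not has("hostname "):
        findings.append("hostname not configured (Table 5-2 Step 2)")
    if not has("ip domain-name "):
        findings.append("ip domain-name not configured (Table 5-2 Step 3)")
    if not any(re.match(r"username \S+ privilege 15 ", t) for t in tops):
        findings.append("no privilege-15 local user for SSL login (Table 5-2 Step 4)")
    if not has("ip http authentication "):
        findings.append("ip http authentication unset: enable password is used (Step 7)")
    if not has("ip http secure-server"):
        findings.append("ip http secure-server missing: HTTPS disabled (Table 5-2 Step 10)")
    for top, children in blocks:
        if top.startswith("line vty"):
            allowed = [c.split()[2:] for c in children if c.startswith("transport input")]
            if not allowed or any(a != ["ssh"] for a in allowed):
                findings.append(f"{top}: transport input not limited to ssh (Table 5-5)")
        elif top.startswith("prompt ") and not top.endswith((">", "#")):
            findings.append(f"user-mode prompt must end with '>' or '#': {top!r}")
    for body in banners:
        findings.extend(check_banner(body))
    return findings
```

Run audit_config on the text of show running-config before handing a router to Security Manager; the sample above yields four findings (missing HTTP authentication, Telnet still allowed on vty 0 4, and two banner lines that would break the SSH session).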
Related Topics
• Setting Up SSH
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Setting Up AUS
Security Manager deploys configuration files to the Auto Update Server, where they are stored for later retrieval by the device.
The following topics provide more information:
• Setting Up AUS on PIX Firewall and ASA Devices
• Setting Up CNS Gateway on an Auto Update Server
Setting Up AUS on PIX Firewall and ASA Devices
Devices, such as PIX Firewall and ASA, use the AUS protocol to contact the Auto Update Server for configuration (and image) updates. See the Auto Update Server product documentation for more information.
Table 5-6 describes the tasks to complete before you use AUS as the transport protocol for device management on PIX Firewall and ASA devices.
Table 5-6 Setting Up AUS on PIX Firewall and ASA Devices

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: hostname(config)# auto-update server https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet
Result: Connects to the AUS.
• username—The username is the one you enter when you use Security Manager.
• password—The password is the one you enter when you use Security Manager.
• port—The port number is typically 443.

Step 3
Enter: hostname(config)# auto-update poll-period poll_period [retry_count] [retry_period]
Result: Specifies the polling period for AUS.
• poll_period—Polling period interval between two updates. Default is 720 minutes (12 hours).
• retry_count—(Optional) Number of times to retry if the server connection attempt fails. Default is 0.
• retry_period—(Optional) Number of minutes between retries. Default is 5.

Step 4
Enter: hostname(config)# auto-update device-id hardware-serial | hostname | ipaddress [<if_name>] | mac-address [<if_name>] | string <text>
Result: Configures the device to use the specified unique device ID to identify itself.
• if_name—Device interface name (default is inside).
• text—A unique string name.

Step 5
Enter: hostname(config)# write memory
Result: Saves the configuration changes.
Setting Up CNS Gateway on an Auto Update Server
An Auto Update Server can provide the CNS event-bus feature to Cisco IOS routers that have dynamic IP addresses obtained from a DHCP server. Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the device. To configure CNS on a Cisco IOS router in event-bus mode, see Table 5-7.
If you changed the CNS password on a Cisco IOS router, you must also change the password in the Auto Update Server, as described in the next paragraph.
Changing the Default CNS Bootstrap Password in the Auto Update Server
The default CNS bootstrap password configured in an Auto Update Server is callhome. If you changed the CNS password on the router (Step 7 in Table 5-7), you must change the default CNS bootstrap password in the Auto Update Server also.
This procedure describes how to change the default CNS bootstrap password in an Auto Update Server.
Related Topics
• Setting Up CNS on Cisco IOS Routers
Step 1
Open the Windows command prompt on the machine where you installed AUS.
Step 2
Enter set NMSROOT=<dir>
where <dir> is the directory where you installed AUS. For example, set NMSROOT=C:\Progra~1\CSCOpx.
Step 3
Enter cd %NMSROOT%\MDC\autoupdate\bin\eventgateway.
Step 4
Enter cnspassword <password>
where <password> is the password you set on the device.
Step 5
Restart the Daemon Manager if it is running.
Setting Up CNS
Security Manager deploys the configuration file to the Cisco Configuration Engine, where it is stored for later retrieval by the device. Devices such as Cisco IOS routers, PIX Firewalls, and ASAs that obtain their addresses from a Dynamic Host Configuration Protocol (DHCP) server contact the Cisco Configuration Engine for configuration (and image) updates. See the Cisco Configuration Engine product documentation for more information.
The following topics describe how to set up CNS on devices:
• Setting Up CNS on PIX Firewall and ASA Devices
• Setting Up CNS on Cisco IOS Routers
Setting Up CNS on PIX Firewall and ASA Devices
If PIX Firewall and ASA devices are configured for CNS, they use the AUS protocol. The required steps are identical to the steps that you follow when you configure PIX Firewall and ASA for AUS. See Setting Up AUS.
Setting Up CNS on Cisco IOS Routers
The following tables describe the tasks to complete before you use CNS as the transport protocol for device management on Cisco IOS routers. You can configure CNS in the event-bus mode or the call-home mode.
• To configure CNS in event-bus mode, see Table 5-7.
• To configure CNS in call-home mode, see Table 5-8.
Table 5-7 Setting Up CNS on Cisco IOS Routers in Event-Bus Mode

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see Step 3).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# cns trusted-server all-agents <ip_address>
Result: Specifies the trusted server for the CNS agent.
• ip_address—The IP address of the trusted server.

Step 5
Enter: router1(config)# cns event <ip_address> [port]
Result: Configures the CNS event gateway, which provides CNS event services to Cisco IOS clients.
• ip_address—IP address of the event gateway.
• port—The port is an optional parameter, and by default it is either 11011 (with no encryption) or 11012 (with encryption).

Step 6
Enter: router1(config)# cns config partial <ip_address>
Result: Starts the CNS configuration agent and accepts a partial configuration.

Step 7
Enter: router1(config)# cns password <password>
Result: Sets the CNS password.
• password—The password you want to set on the router.
You can set the CNS password to callhome (which is the default bootstrap password in AUS) or you can set a different password.
If you set a different password on the router, you must change the default CNS bootstrap password in the Auto Update Server. For instructions, see Setting Up CNS Gateway on an Auto Update Server.
Note: For information on how to authenticate a Cisco IOS router on a Configuration Engine, see the Cisco CNS Configuration Engine Administrator Guide.

Step 8
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.

Step 9
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 10
Enter: router1# copy running startup
Result: Saves the configuration changes to NVRAM.
Table 5-8 Setting Up CNS on Cisco IOS Routers in Call-Home Mode

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see Step 3).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# cns trusted-server all-agents <ip_address>
Result: Specifies the trusted server for the CNS agent.
• ip_address—IP address of the trusted server.

Step 5
Enter: router1(config)# kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}
Result: Specifies schedule parameters for a Command Scheduler occurrence and enters kron-occurrence configuration mode.
• occurrence-name—Name of occurrence. Length of occurrence-name is from 1 to 31 characters. If the occurrence-name is new, an occurrence structure will be created. If the occurrence-name is not new, the existing occurrence will be edited.
• username—(Optional) Name of user.
• numdays:—(Optional) Number of days. Identifies that the occurrence is to run after a specified time interval. The timer starts when the occurrence is configured. If used, add a colon after the number.
• numhours:—(Optional) Number of hours. If used, add a colon after the number.
• nummin—Number of minutes.
• hours:—Hour as a number using the 24-hour clock. Identifies that the occurrence is to run at a specified calendar date and time. Add a colon after the number.
• min—Minute as a number.
• month—(Optional) Month name. If used, you must also specify day-of-month.
• day-of-month—(Optional) Day of month as a number.
• day-of-week—(Optional) Name of the day of the week.
• oneshot—Identifies that the occurrence is to run only once. After the occurrence runs, the configuration is removed.
• recurring—Identifies that the occurrence is to run on a recurring basis.

Step 6
Enter: router1(config-kron-occurrence)# policy-list <list-name>
Result: Specifies the policy list associated with a Command Scheduler occurrence.
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
• list-name—Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.

Step 7
Enter: router1(config-kron-occurrence)# exit
Result: Exits kron-occurrence configuration mode and returns to configuration mode.

Step 8
Enter: router1(config)# kron policy-list <list-name>
Result: Specifies a name for a Command Scheduler policy and enters kron-policy configuration mode.
• list-name—Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.

Step 9
Enter: router1(config-kron-policy)# cli cns config retrieve <ip_address> page /cns/JobbedDynaConfig status http://<ip_address>/cns/PostStatus
Result: Retrieves the config from the staged CNS job.
• ip_address—IP address of the CNS server.
• JobbedDynaConfig status—You must use JobbedDynaConfig status so that the device retrieves the config from the staged CNS job; otherwise, the device retrieves the template associated with the device.

Step 10
Enter: router1(config-kron-policy)# exit
Result: Exits kron-policy configuration mode and returns to configuration mode.

Step 11
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.

Step 12
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 13
Enter: router1# copy running startup
Result: Saves the configuration changes to NVRAM.
Related Topics
• Setting Up CNS Gateway on an Auto Update Server
Setting Up TMS
Security Manager uses FTP to deploy the configuration file to the Token Management Server (TMS), from which it can be downloaded and encrypted onto an eToken. The eToken can then be connected to the USB port of a router and the configuration downloaded. See TMS product documentation for more information.
To download the configuration from the eToken to the router, plug the eToken into the router, then enter the commands as described in Table 5-9.
Table 5-9 Setting Up TMS on Cisco IOS Routers

Step 1
Enter: router# crypto pki token <usb_token_id> login <PIN>
Result: Logs in to the eToken.
• usb_token_id—Depending on the port in which the eToken is inserted, usb_token_id is either usbtoken0 or usbtoken1.
• PIN—The default is 1234567890.

Step 2
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 3
Enter: router(config)# crypto pki token default secondary config CCCD
Result: Enables configuration provisioning with the eToken.
CCCD is the private sector on the eToken where the configuration file resides. When you enter this command, the CLI on the eToken merges with the CLI on the router.

Step 4
Enter: router(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 5
Enter: router# write memory
Result: Keeps the CLI on the router after you disconnect the eToken.
Initializing IPS Devices
To initialize an IPS device, you must configure the following settings. These are network settings, and only a user with administrator privileges on the IPS device can configure them:
• Sensor name
• IP address
• Netmask
• Default route
• Enable TLS/SSL (to enable TLS/SSL in the web server on the device)
• Web server port
• Use default ports
You configure these settings through the setup command in Intrusion Prevention System Device Manager (IDM) or in a command-line session, depending upon which platform is used by your IPS device. The platform is one of the following:
• Sensor appliance
• IDSM-2
• AIP-SSM
• NM-CIDS
For detailed information on these settings, refer to the technical documentation for your IPS device.
Note
For information on preparing an IOS IPS device for use, see Preparation for Use, page 14-26.