Using Management Center for VPN Routers 1.3
Configuring an IOS Firewall on your VPN Router

Table Of Contents

Configuring an IOS Firewall on your VPN Router

Defining General Firewall Settings

Understanding Context Based Access Control (CBAC)

Working with Fragmentation Rules

Viewing Fragmentation Rules

Creating a Fragmentation Rule

Accessing the Fragmentation Rule Wizard

Defining the Fragmentation Rule Parameters

Assigning an Interface for the Fragmentation Rule

Viewing a Summary of the Fragmentation Rule

Editing a Fragmentation Rule

Deleting a Fragmentation Rule

Defining Timeouts and Performance Settings

Defining the Half Open Connection Limits

Defining Authentication Proxy Settings

Defining URL Filtering

Defining Logging Settings

Defining ACL Ranges

Configuring Firewall Access Rules

Understanding Access Rules

Understanding the Ordering of Firewall Access Rules

Viewing Existing Access Rules

Creating an Access Rule

Accessing the Access Rule Wizard

Defining the Parameters for the Access Rule

Defining the Inspect Action's Parameters

Assigning an Interface for the Access Rule

Viewing a Summary of the Access Rule

Editing an Access Rule

Moving an Access Rule

Copying an Access Rule to Another Object

Enabling/Disabling an Access Rule

Deleting an Access Rule

Configuring Authentication Proxy Access Rules

Viewing Existing Authentication Proxy Rules

Creating an Authentication Proxy Rule

Accessing the Authentication Proxy Rule Wizard

Defining the Parameters for the Authentication Proxy Rule

Assigning an Interface for the Authentication Proxy Rule

Viewing a Summary of the Authentication Proxy Rule

Editing an Authentication Proxy Rule

Enabling/Disabling an Authentication Proxy Rule

Deleting an Authentication Proxy Rule


Configuring an IOS Firewall on your VPN Router


Router MC supports the configuration of policies that define firewall functionality on Cisco IOS routers. Router MC translates these policies into CLI commands that can be deployed to the relevant devices.

Configuring firewall policies on your devices involves:

Defining firewall settings that provide the framework for implementing Context-Based Access Control (CBAC) and access rules for firewall functionality. See Defining General Firewall Settings for more information.

Configuring the firewall access rules that define your network security policy. Access rules provide traffic filtering by enabling the implementation of Access Control Lists (ACLs) and Context Based Access Control (CBAC) inspection rules on the devices' interfaces. See Configuring Firewall Access Rules for more information.

Configuring authentication proxy access rules that enable authorized users to log into the network and access the Internet through a Cisco IOS firewall. See Configuring Authentication Proxy Access Rules for more information.

Defining General Firewall Settings

General firewall settings include the parameters that are required for implementing CBAC and defining ACL ranges for firewall access rules. See Understanding Context Based Access Control (CBAC) for more information. These settings also include the parameters required for implementing authentication proxy and URL filtering on IOS firewall devices.

Access general firewall settings by selecting Configuration > Settings > General Firewall.

General firewall settings include:

Fragmentation settings, where you assign a CBAC fragmentation inspection rule to an interface. See Working with Fragmentation Rules.

Timeouts and Performance, where you define the timeouts used by CBAC for managing sessions that do not become fully established. See Defining Timeouts and Performance Settings.

Half Open Connection, where you define the thresholds used by CBAC to determine when to drop sessions that do not become fully established. See Defining the Half Open Connection Limits.

Authentication Proxy, where you define the settings that enable users to log into the network or access the Internet through HTTP, HTTPS, FTP, or Telnet. See Defining Authentication Proxy Settings.

URL Filtering, where you define the settings that enable your firewall to interact with filtering software that prevents users from accessing specified websites. See Defining URL Filtering.

Logging, where you can select logging and audit trail options to provide a record of network access through the firewall, including illegitimate access attempts, and inbound and outbound services. See Defining Logging Settings.

ACL Ranges, where you set the ranges for standard and extended ACLs. See Defining ACL Ranges.


Note ACL ranges are settings; they are not policies that define firewall functionality.


Understanding Context Based Access Control (CBAC)

CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. Without CBAC, traffic filtering is limited to access control list (ACL) implementations that examine packets at the network layer, or at most, the transport layer. CBAC examines not only network layer and transport layer information, but also the application-layer protocol information (such as FTP connection information) to learn about the state of the session. This state information is used to create temporary openings in the firewall's ACLs. The openings allow returning traffic (that would normally be blocked) and additional data channels, to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.

CBAC uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. Setting timeout values for network sessions helps prevent DoS attacks by freeing up system resources, dropping sessions after a specified amount of time. Setting threshold values for network sessions helps prevent DoS attacks by controlling the number of half open sessions, which limits the amount of system resources applied to half open sessions. Default timeout and threshold values are defined on the IOS router. If a new timeout or threshold value is not configured, the default IOS value will be applied.

CBAC also protects against DoS attacks involving fragmented IP packets. Even though the firewall prevents an attacker from making actual connections to a given host, the attacker can disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.

CBAC generates real-time alerts and audit trails. Enhanced audit trail features use SYSLOG to track all network transactions: recording time stamps, source host, destination host, ports used, and the total number of transmitted bytes, for advanced, session-based reporting. When suspicious activity is detected, real-time alerts send SYSLOG error messages to central management consoles. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

If URL filtering is configured on firewall devices, CBAC initiates the communication to the Websense server, or the N2H2 Internet Filtering Protocol (IFP) server, to determine whether HTTP traffic should be permitted or denied.

In Router MC, you define general firewall settings that determine how CBAC will operate on your devices (under Configuration > Settings > General Firewall), and you define access rules that specify how specific traffic will be inspected (under Configuration > Access Rules). See Understanding Access Rules and Defining the Inspect Action's Parameters for more information.

Working with Fragmentation Rules

Fragmentation rules protect hosts from DoS attacks that involve fragmented IP packets. Even though the firewall prevents an attacker from making actual connections to a given host, the attacker can disrupt services provided by that host. This is done by sending many non-initial IP fragments, or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.

Using fragmentation inspection rules, the firewall maintains an interfragment state (structure) for IP traffic. Non-initial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Non-initial fragments received before the corresponding initial fragments are discarded.
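The following model shows the interfragment state described above in working code. It is an added illustration, not Router MC or IOS code: an unassembled packet is identified by (source, destination, IP identification), the table holds at most Maximum Packets entries, each entry lives Timeout seconds, and a fragment for which no state can be allocated is dropped (an assumption about table-full behaviour). The fragments in run_sample() are constructed.

```python
"""Model of CBAC fragment inspection: a non-initial fragment passes only if the
initial fragment of the same packet was already permitted and its state is
still live. Added illustration, not Router MC or IOS code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int     # fragment offset in 8-byte units; 0 marks the initial fragment
    more: bool      # MF flag; False on the last fragment of the packet
    t: float        # arrival time in seconds (constructed clock)


class FragmentInspector:
    def __init__(self, maximum=256, timeout=1):
        # Ranges from the Fragmentation Rule Parameters page.
        if not 50 <= maximum <= 10000:
            raise ValueError("Maximum Packets must be in the range 50-10000")
        if not 1 <= timeout <= 1000:
            raise ValueError("Timeout must be in the range 1-1000 seconds")
        self.maximum = maximum
        self.timeout = timeout
        self.state = {}     # (src, dst, ip_id) -> time the state expires

    def _expire(self, now):
        for key in [k for k, exp in self.state.items() if exp <= now]:
            del self.state[key]

    def inspect(self, frag, initial_permitted):
        """Return 'permit' or 'drop' for one fragment.

        initial_permitted is the interface ACL's verdict on the initial
        fragment, the only one that carries layer-4 ports."""
        self._expire(frag.t)
        key = (frag.src, frag.dst, frag.ip_id)
        if frag.offset == 0:
            if not initial_permitted:
                return "drop"
            if key not in self.state and len(self.state) >= self.maximum:
                return "drop"       # state table full (assumed behaviour)
            self.state[key] = frag.t + self.timeout
            return "permit"
        # Non-initial fragment: only with live state from a permitted initial.
        if key not in self.state:
            return "drop"
        if not frag.more:
            del self.state[key]     # last fragment seen: free the slot
        return "permit"


def run_sample():
    """Constructed traffic covering the cases the text describes."""
    insp = FragmentInspector(maximum=256, timeout=1)
    frags = [
        ("A first", Fragment("10.1.1.5", "192.0.2.10", 100, 0, True, 0.0), True),
        ("A last", Fragment("10.1.1.5", "192.0.2.10", 100, 185, False, 0.1), True),
        ("B orphan before initial", Fragment("10.1.1.6", "192.0.2.10", 200, 185, False, 0.2), True),
        ("B first", Fragment("10.1.1.6", "192.0.2.10", 200, 0, True, 0.3), True),
        ("B last", Fragment("10.1.1.6", "192.0.2.10", 200, 185, False, 0.4), True),
        ("C first", Fragment("10.1.1.7", "192.0.2.10", 300, 0, True, 0.5), True),
        ("C last after timeout", Fragment("10.1.1.7", "192.0.2.10", 300, 185, False, 5.0), True),
        ("D first denied by ACL", Fragment("203.0.113.9", "192.0.2.10", 400, 0, True, 5.1), False),
        ("D second", Fragment("203.0.113.9", "192.0.2.10", 400, 185, False, 5.2), False),
    ]
    return [(name, insp.inspect(f, ok)) for name, f, ok in frags]


if __name__ == "__main__":
    for name, verdict in run_sample():
        print(f"{name:28s} {verdict}")
```

The orphan in packet B is the case the text calls out: a non-initial fragment that arrives before its initial fragment is dropped even though the same fragment would pass once the initial has been seen. Packet C shows why a short Timeout matters: fragments arriving after the state expires are dropped and the target host never has to reassemble them.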

Fragmentation rules can be configured at the root (global) level, on a device group, or on a specific device.

The following topics provide information about working with fragmentation rules in Router MC:

Viewing Fragmentation Rules

Creating a Fragmentation Rule

Editing a Fragmentation Rule

Deleting a Fragmentation Rule

Viewing Fragmentation Rules

The Fragmentation Rules page displays a table showing the fragmentation rules defined on a particular object (global, device group, or device) and the interfaces to which they are assigned. See Table 1-1 for a description of the fields and buttons in the Fragmentation Rules page.

Each table row represents a fragmentation rule and each table column provides a different field of information for that rule. You can select a rule in the list to edit it, or delete it. Fragmentation rules are listed in the order that you define them. From this page, you can create new fragmentation rules.

Access the Fragmentation Rules page by selecting Configuration > Settings > General Firewall > Fragmentation Rules.

Table 1-1 describes the elements in the Fragmentation Rules page.

Table 1-1 Fragmentation Rules: GUI Reference 

GUI Element
Description

Order column

Sequentially numbers the fragmentation rules in the list.

Check box column

Enables you to select a fragmentation rule to edit or delete it. You can select more than one check box at a time for deletion.

Maximum Packets

Displays the maximum number of unassembled (fragmented) packets for which the firewall keeps reassembly state at one time (must be in the range of 50-10,000).

Timeout

Displays the maximum time (in seconds) that the firewall keeps state for an unassembled packet. When the timeout expires, the state is freed and any remaining fragments of that packet are dropped (must be in the range of 1-1000).

Interface

Displays the interface to which the fragmentation rule is assigned.

Direction

Displays the direction (In or Out) of the interface assignment.

Defined On

Displays the object on which the fragmentation rule is defined.

Create button

Click to create a new fragmentation rule. See Creating a Fragmentation Rule.

Edit button

Click to modify a selected fragmentation rule. See Editing a Fragmentation Rule.

Delete button

Click to delete a selected fragmentation rule. See Deleting a Fragmentation Rule.


Creating a Fragmentation Rule

You can create fragmentation rules at any level in the object hierarchy (global, device group, or device). The rules will be inherited by all device groups and devices contained within the selected object. You can create new rules on a descendant object or device interface that will override inherited policies.

You create a fragmentation rule using the Fragmentation Rule wizard. The following topics describe the tasks you perform to create a fragmentation rule using this wizard:

Accessing the Fragmentation Rule Wizard

Defining the Fragmentation Rule Parameters

Assigning an Interface for the Fragmentation Rule

Viewing a Summary of the Fragmentation Rule


Note The same wizard pages are used for editing a fragmentation rule, enabling you to modify values as required. See Editing a Fragmentation Rule for more information.


Accessing the Fragmentation Rule Wizard

To access the wizard, complete the steps in this procedure.

Before You Begin

In the Object Selector, select the object on which you want to create the fragmentation rule.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Click General Firewall > Fragmentation Rules in the TOC. The Fragmentation Rules page appears. See Table 1-1 for a description of the elements in the Fragmentation Rules page.

Step 3 Click Create. The first page of the Fragmentation Rule wizard appears. The steps in the wizard are listed in the TOC on the left side of the page. You can click on a step in the TOC to go directly to its corresponding page, or you can click the Next button to move sequentially through the wizard pages.


Defining the Fragmentation Rule Parameters

In this page, you define the maximum packets and timeout for the fragmentation rule you are creating.

Procedure


Step 1 Enter the maximum number of packets and timeout in the fields provided. See Table 1-2 for descriptions of the fields.

Step 2 Click Next. The Interface Assignment page appears. Proceed to Assigning an Interface for the Fragmentation Rule.


Table 1-2 describes the elements in the Fragmentation Rule Parameters page.

Table 1-2 Fragmentation Rule Parameters: GUI Reference 

GUI Element
Description

Maximum Packets

Enter the maximum number of unassembled (fragmented) packets for which the firewall keeps reassembly state at one time (must be in the range of 50-10,000).

Timeout

Enter the maximum time (in seconds) that the firewall keeps state for an unassembled packet. When the timeout expires, the state is freed and any remaining fragments of that packet are dropped (must be in the range of 1-1000).

Next button

Click to go to the next page in the wizard.

Cancel button

Click to exit the wizard without saving your settings.


Assigning an Interface for the Fragmentation Rule

For each fragmentation rule, you must determine the interface(s) that will enforce the rule. You do this by defining the interface type, slot, port, and direction.


Note You do not need to define a slot and port. If you select a slot, you must also select a port. If you don't select a port, Router MC will include all the interfaces of the specified interface type. For example, if you select Ethernet as the interface type and do not select a port, the selected interface will be Ethernet *, where * indicates that any Ethernet interface will be included.


The Interface Assignment page of the Fragmentation Rule wizard enables you to create an interface assignment for the new fragmentation rule.

Procedure


Step 1 Select the interface type, slot, port, and direction in the fields provided. See Table 1-3 for descriptions of the fields.

Step 2 If required, you can select an interface from the Show Interfaces dialog box that lists all the available interfaces on the selected object, and then validate your selection. To do this, click Show Interfaces. The Show Interfaces dialog box appears. See Table 1-4 on page 1-22 for a description of the elements in the Show Interfaces dialog box.

Select the check box next to one or more of the listed interface options to select it.

Click Select to confirm your choice(s) and close the Show Interfaces dialog box.

Click Validate to open the Validate Interface dialog box and validate your interface selection. See Table 1-11 on page 1-39 for a description of the elements in the Validate Interface dialog box.

For example, if you selected Ethernet 1/0, the Validate Interface dialog box will indicate how many of the devices in your selected object have this interface available. If the selected interface is not available on any of the devices, you must either choose another interface that is on at least one of the devices, or select a different interface on the individual devices that are not covered.

Click Close to return to the Interface Assignment page.

Step 3 If Summary appears in the TOC, click Next. The Fragmentation Rule Summary page appears. Proceed to Viewing a Summary of the Fragmentation Rule.

OR

If Summary does not appear in the TOC, click Finish to complete the creation of the fragmentation rule, or go back to a previous step in the wizard to change your definitions, as required.


Note The system might be set up to exclude summary pages from all wizards. See Defining System Settings, page 1-1 for more information.



Table 1-3 describes the elements in the Interface Assignment page.

Table 1-3 Interface Assignment: GUI Reference 

GUI Element
Description

Interface Type list box

Select the type of physical interface on the device (for example, Ethernet).

Slot list box

Select the slot on which the interface is located.

Port list box

Select the interface's physical port. If you do not select a port, Router MC will include all the interfaces of the specified type. For example, if you select Ethernet in the Interface Type list box and do not select a port, the selected interface will be Ethernet *, where * indicates that any Ethernet interface will be included.

Subinterface field

Optionally, specify a subinterface that will enforce the fragmentation rule.

Direction

Select the direction of the interface:

In: An inbound interface.

Out: An outbound interface.

Validate button

Opens the Validate Interface dialog box that indicates how many of the devices in the selected object contain that interface. See Table 1-11 on page 1-39 for a description of the elements in the Validate Interface dialog box.

Show Interfaces button

Opens the Show Interfaces dialog box in which you can select from a list of available interfaces on the selected object. See Table 1-4 on page 1-22 for a description of the elements in the Show Interfaces dialog box.

Back button

Click to go back to the previous page in the wizard.

Next button

Available only if Summary appears in the TOC. The system might be set up to exclude summary pages from all wizards. See Defining System Settings, page 1-1 for more information.

Click to go to the next page in the wizard.

Finish button

Available only if Summary does not appear in the TOC. See Defining System Settings, page 1-1.

Click to exit the wizard and complete the fragmentation rule creation or modification process.

Cancel button

Click to exit the wizard without saving your settings.


Viewing a Summary of the Fragmentation Rule


Note If the Show Summary Step in Wizards check box in the System Settings page, is deselected, the Fragmentation Rule Summary page is not available. See Defining System Settings, page 1-1.


The Fragmentation Rule Summary page provides an overview of your fragmentation rule definitions for your verification. See Table 1-4 for a description of the fields and buttons in this page.

Procedure


Step 1 Verify that your fragmentation rule definitions are correct.

Step 2 Click Finish to complete the creation of the fragmentation rule, or go back to a previous step in the wizard to change your definitions, as required.


Table 1-4 describes the elements in the Fragmentation Rule Summary page.

Table 1-4 Fragmentation Rule Summary: GUI Reference 

GUI Element
Description

Summary of Fragmentation Rule

Lists all your definitions for the fragmentation rule.

Back button

Click to go back to the previous page in the wizard.

Finish button

Click to exit the wizard and complete the rule creation or modification process.

Cancel button

Click to exit the wizard without saving your settings.


Editing a Fragmentation Rule

You can edit any existing fragmentation rule. Rule editing is done in the same Fragmentation Rule wizard that was used to create the rule. You can use the TOC to go directly to the page you want to edit.

Before You Begin

In the Object Selector, select the object on which the rule you want to edit is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Click General Firewall > Fragmentation Rules in the TOC. The Fragmentation Rules page appears. It contains a list of the fragmentation rules defined on the selected object. See Table 1-1 for a description of the elements in the Fragmentation Rules page.

Step 3 Select the check box next to the rule you want to edit and click Edit. The first page of the Fragmentation Rule wizard appears.

Step 4 Select the required page from the TOC or click the Next button to move through the pages in the wizard. Each page shows the values that were defined for the selected fragmentation rule and you can edit them as required.

Step 5 Click Finish when you have finished editing the rule.


Deleting a Fragmentation Rule

You can delete any existing fragmentation rule. You can delete multiple rules at one time.

Before You Begin

In the Object Selector, select the object on which the fragmentation rule you want to delete is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Click General Firewall > Fragmentation Rules in the TOC. The Fragmentation Rules page appears. It contains a list of the fragmentation rules defined on the selected object. See Table 1-1 for a description of the elements in the Fragmentation Rules page.

Step 3 Select the check box next to the rule you want to delete and click Delete. The rule is deleted from the list of fragmentation rules in the table.


Defining Timeouts and Performance Settings

CBAC uses timeout and threshold values to manage session state information, to determine when to drop sessions that do not become fully established. These timeouts apply to all the sessions that were inspected.

Timeouts and performance settings can be configured at the root (global) level, on a device group, or on a specific device.

In the Timeouts and Performance page, you can define the timeouts for TCP, UDP, and DNS sessions, and configure the size of the session hash table.

For enhanced performance, Router MC lets you dynamically configure the size of the session hash table. When a packet belonging to an existing session comes into a router, a hash table is used to map the packet to an existing firewall session. As the number of sessions increases, the number of sessions hashing into the same bucket increases if the size of the hash table is fixed. By changing the size of the hash table when the number of concurrent sessions increases, the search time for a session is reduced, thus greatly improving the throughput performance.


Note Default timeout and threshold values are defined on the IOS router. If a value is not configured in the Timeouts and Performance page, the default IOS value will be applied.


Follow this procedure to define timeout and performance settings.

Before You Begin

In the Object Selector, select the object on which you want to define the timeout and performance settings.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Click General Firewall > Timeouts and Performance in the TOC. The Timeouts and Performance page appears. Table 1-5 describes the elements displayed in the Timeouts and Performance page.

Step 3 Enter the appropriate values in the fields provided.


Note If you don't enter a value in any of the fields, the default value that is defined on the IOS will be applied.


Step 4 Click Apply to confirm your definitions and enable the timeout and performance settings in your network.


Table 1-5 describes the elements in the Timeouts and Performance page.

Table 1-5 Timeouts and Performance: GUI Reference 

GUI Element
Description

TCP SYN Wait

Enter a number that specifies the length of time the software will wait for a TCP session to reach the established state before dropping the session. The IOS default value is 30 seconds.

TCP FIN Wait

Enter a number that specifies the length of time a TCP session will continue to be managed after the firewall detects the exchange has ended. The IOS default value is 5 seconds.

TCP Idle

Enter a number that specifies the length of time a TCP session will continue to be managed after no activity is detected (i.e., the TCP idle timeout). The IOS default value is 3,600 seconds (1 hour).

UDP Idle

Enter a number that specifies the length of time a UDP session will continue to be managed after no activity is detected (i.e., the UDP idle timeout). The IOS default value is 30 seconds.

DNS Idle

Enter a number that specifies the length of time a DNS name lookup session will continue to be managed after no activity is detected. The IOS default value is 5 seconds.

CBAC Caching Size

Enter a number that specifies the size of the hash table in terms of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192. The IOS default value is 1024.

You should increase the hash table size when the total number of sessions running through the CBAC router is approximately twice the current hash size. You should decrease the hash table size when the total number of sessions is reduced to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table.

Apply button

Click to apply your definitions.

Clear button

The Clear button is only present if Global is selected in the Object Selector. Click the Clear button to remove your current definitions.

Defaults button

The Defaults button is present when any object other than Global is selected in the Object Selector. Click to remove your local definitions and restore the inherited default values.
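The following model puts the Timeouts and Performance settings to work: it picks the timeout that governs a CBAC session in its current state (SYN wait before the handshake completes, idle once established, FIN wait after the exchange ends, and the UDP and DNS idle timeouts) and applies the hash table sizing rule given for CBAC Caching Size. It is an added illustration, not Router MC or IOS code. The default values are the IOS defaults listed in Table 1-5; a field set to None models a Router MC field left empty, so the IOS default applies; the sessions and session counts are constructed.

```python
"""Which CBAC timeout governs a session, and when to resize the hash table.
Added illustration, not Router MC or IOS code."""
from dataclasses import dataclass
from typing import Optional

# IOS defaults from the Timeouts and Performance table (seconds).
IOS_DEFAULTS = {
    "tcp_synwait": 30, "tcp_finwait": 5, "tcp_idle": 3600,
    "udp_idle": 30, "dns_idle": 5,
}
HASHTABLE_SIZES = (1024, 2048, 4096, 8192)    # permitted CBAC Caching Size values


@dataclass
class Settings:
    # None models a field left empty in Router MC: the IOS default applies.
    tcp_synwait: Optional[int] = None
    tcp_finwait: Optional[int] = None
    tcp_idle: Optional[int] = None
    udp_idle: Optional[int] = None
    dns_idle: Optional[int] = None

    def effective(self, name: str) -> int:
        value = getattr(self, name)
        return IOS_DEFAULTS[name] if value is None else value


@dataclass
class Session:
    proto: str                  # "tcp", "udp" or "dns"
    last_activity: float        # seconds, constructed clock
    established: bool = False   # tcp: three-way handshake completed
    fin_seen: bool = False      # tcp: the firewall saw the exchange end


def applicable_timeout(session: Session, settings: Settings) -> int:
    """Pick the timeout that governs this session in its current state."""
    if session.proto == "dns":
        return settings.effective("dns_idle")
    if session.proto == "udp":
        return settings.effective("udp_idle")
    if session.fin_seen:                  # closing: FIN wait applies
        return settings.effective("tcp_finwait")
    if not session.established:           # handshake pending: SYN wait applies
        return settings.effective("tcp_synwait")
    return settings.effective("tcp_idle")


def expired(session: Session, settings: Settings, now: float) -> bool:
    """True once the session has been silent for its governing timeout."""
    return now - session.last_activity >= applicable_timeout(session, settings)


def _fit(sessions: int) -> int:
    """Smallest permitted table size >= the session count, clamped at 8192."""
    for size in HASHTABLE_SIZES:
        if size >= sessions:
            return size
    return HASHTABLE_SIZES[-1]


def recommend_hashtable_size(concurrent_sessions: int, current: int = 1024) -> int:
    """Sizing rule from the CBAC Caching Size description: grow when sessions
    reach about twice the table size, shrink when they fall to about half,
    otherwise leave the table alone (aim for a 1:1 ratio)."""
    if current not in HASHTABLE_SIZES:
        raise ValueError("hash table size must be one of %s" % (HASHTABLE_SIZES,))
    if concurrent_sessions >= 2 * current or concurrent_sessions <= current // 2:
        return _fit(concurrent_sessions)
    return current


if __name__ == "__main__":
    s = Settings(tcp_idle=600)              # only the TCP idle timeout overridden
    pending = Session("tcp", last_activity=0.0)
    print(applicable_timeout(pending, s), expired(pending, s, 30.0))
    print(recommend_hashtable_size(2500, current=1024))
```

The session model makes the practical point of the table explicit: lowering TCP SYN Wait and UDP Idle shortens how long an unanswered or abandoned session consumes a state entry, while TCP Idle only matters once the handshake has completed, so it does not help against SYN floods.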


Defining the Half Open Connection Limits

Half open connections occur when a network attacker floods a server with a barrage of requests for connection and does not complete the connection. The resulting volume of half open connections can overwhelm the server, causing it to deny service to valid requests.

CBAC uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply to all the sessions that were inspected.

CBAC measures both the total number of existing half open sessions and the rate of session establishment attempts. Both TCP and UDP half open sessions are counted in the total number and rate measurements. Rate measurements are made several times per minute.

In the Half Open Connection Limits page, you define the following thresholds:

Maximum number of incomplete half open sessions: When the number of existing half open sessions rises above a threshold (the maximum incomplete high number), the software will delete half open sessions as required to accommodate new connection requests. The software will continue to delete half open requests as necessary, until the number of existing half open sessions drops below another threshold (the maximum incomplete low number).

Rate Per One Minute: When the rate of new connection attempts rises above a threshold (the rate per one minute high number), the software will delete half open sessions as required to accommodate new connection attempts. The software will continue to delete half open sessions as necessary, until the rate of new connection attempts drops below another threshold (the rate per one minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period.

Maximum Incomplete Per Host: The number of existing half open TCP sessions with the same destination host address that will cause the software to start dropping half open sessions to that destination host address. You must also define the block time, which is the length of time to block new connection requests to a host once it has exceeded this threshold.


Note Default threshold values are defined on the IOS router. If a value is not configured in the Half Open Connection Limits page, the default IOS value will be applied.


Follow this procedure to define the half open connection thresholds.

Before You Begin

In the Object Selector, select the object on which you want to define the half open connection limits.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Select General Firewall > Half Open Connection in the TOC. The Half Open Connection Limits page appears. Table 1-6 describes the elements displayed in the Half Open Connection Limits page.

Step 3 Enter the appropriate values in the fields provided.


Note If you don't enter a value in any of the fields, the default value that is defined on the IOS will be applied.


Step 4 Click Apply to confirm your definitions and enable the half open connection limits in your network.


Table 1-6 describes the elements in the Half Open Connection Limits page.

Table 1-6 Half Open Connection Limits: GUI Reference 

GUI Element
Description

Maximum Incomplete

Enter High and Low values for the maximum number of incomplete half open sessions, as follows:

High: The number of existing half open sessions that will cause the software to start deleting half open sessions, to accommodate new connection requests. The IOS default value is 500.

Low: The number of existing half open sessions that will cause the software to stop deleting half open sessions. The IOS default value is 400.

Note You must enter both the High and Low values.

Rate Per One Minute

The Rate Per One Minute thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period.

Enter High and Low values for the Rate Per One Minute thresholds, as follows:

High: The rate of new session connection attempts that will cause the software to start deleting half open sessions, to accommodate new connection attempts. The IOS default value is 500.

Low: The rate of new session connection attempts that will cause the software to stop deleting half open sessions. The IOS default value is 400.

Note You must enter both the High and Low values.

Maximum Incomplete Per Host

Enter the number and block time for the Maximum Incomplete Per Host threshold, as follows:

Number: The number of existing half open TCP sessions with the same destination host address, that will cause the software to start dropping half open sessions to the same destination host address. The default number is 50.

Block Time: The length of time (in minutes) to block new connection requests to a host once the number of half open sessions to that host has exceeded the specified number. The default block time is 0 minutes.

Whenever this threshold is exceeded, the software will drop half open sessions differently, depending on whether the block-time timeout is zero or a positive non-zero number. If the block-time timeout is zero, the software will delete the oldest existing half open session for the host for every new connection request to the host, and will let the SYN packet through. If the block-time timeout is greater than zero, the software will delete all existing half open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

Apply button

Click to apply your definitions.

Clear button

The Clear button is only present if Global is selected in the Object Selector. Click the Clear button to remove your current definitions.

Defaults button

The Defaults button is present when any object other than Global is selected in the Object Selector. Click to remove your local definitions and restore the inherited default values.
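The following model works through the Half Open Connection Limits in code: the Maximum Incomplete and Rate Per One Minute thresholds with their High/Low hysteresis, and the Maximum Incomplete Per Host threshold with the two Block Time behaviours described above (block time 0 evicts the oldest half open session to the host and lets the SYN through; a positive block time deletes all of them and blocks the host). It is an added illustration, not Router MC or IOS code; the defaults are the IOS defaults from Table 1-6, the rate window is modelled as a sliding one-minute window, and the connection attempts in the test scenarios are constructed.

```python
"""Model of the CBAC half-open session thresholds.
Added illustration, not Router MC or IOS code."""
from collections import deque


class HalfOpenGuard:
    def __init__(self, max_high=500, max_low=400, rate_high=500, rate_low=400,
                 host_max=50, block_time=0):
        # The page requires both High and Low; Low must be below High.
        for high, low, name in ((max_high, max_low, "Maximum Incomplete"),
                                (rate_high, rate_low, "Rate Per One Minute")):
            if not 0 < low < high:
                raise ValueError(f"{name}: Low must be below High")
        self.max_high, self.max_low = max_high, max_low
        self.rate_high, self.rate_low = rate_high, rate_low
        self.host_max, self.block_time = host_max, block_time     # block_time in minutes
        self.half_open = deque()      # (dst_host, t), oldest first
        self.attempts = deque()       # times of new attempts in the last minute
        self.blocked_until = {}       # dst_host -> time the block ends
        self.count_deleting = False   # hysteresis: on at High, off below Low
        self.rate_deleting = False
        self.evicted = 0

    def count(self):
        return len(self.half_open)

    def host_count(self, dst_host):
        return sum(1 for host, _ in self.half_open if host == dst_host)

    def complete(self, dst_host):
        """Handshake finished: the oldest half-open entry for the host becomes
        a full session and leaves the half-open count."""
        for entry in self.half_open:
            if entry[0] == dst_host:
                self.half_open.remove(entry)
                return True
        return False

    def _drop_host(self, dst_host, oldest_only):
        victims = [e for e in self.half_open if e[0] == dst_host]
        for entry in (victims[:1] if oldest_only else victims):
            self.half_open.remove(entry)
            self.evicted += 1

    def new_syn(self, dst_host, now):
        """Process a new connection attempt and report what happens to it."""
        self.attempts.append(now)
        while self.attempts[0] <= now - 60:          # one-minute sample window
            self.attempts.popleft()
        rate = len(self.attempts)

        # Maximum Incomplete Per Host (TCP only).
        if self.blocked_until.get(dst_host, 0) > now:
            return "blocked"
        action = "pass"
        if self.host_count(dst_host) >= self.host_max:
            if self.block_time == 0:
                # Block time 0: drop the oldest half-open to this host, let the SYN through.
                self._drop_host(dst_host, oldest_only=True)
                action = "pass-evicted-host"
            else:
                # Block time > 0: drop all half-open to this host, block new attempts.
                self._drop_host(dst_host, oldest_only=False)
                self.blocked_until[dst_host] = now + self.block_time * 60
                return "blocked"

        # Aggregate thresholds with High/Low hysteresis.
        if self.count() >= self.max_high:
            self.count_deleting = True
        if rate >= self.rate_high:
            self.rate_deleting = True
        if (self.count_deleting or self.rate_deleting) and self.half_open:
            self.half_open.popleft()                 # evict the oldest to make room
            self.evicted += 1
            if action == "pass":
                action = "pass-evicted"
        self.half_open.append((dst_host, now))
        if self.count_deleting and self.count() < self.max_low:
            self.count_deleting = False
        if self.rate_deleting and rate < self.rate_low:
            self.rate_deleting = False
        return action


if __name__ == "__main__":
    g = HalfOpenGuard(max_high=10, max_low=8, host_max=3, block_time=2)
    for t in range(4):
        print(t, g.new_syn("192.0.2.10", float(t)))   # 4th attempt is blocked
```

Note that eviction does not by itself bring the count below Low: it only makes room for each new attempt, so the firewall stays in deleting mode until enough sessions complete or time out. That is why the Low value exists, and why it must be set well below High to avoid oscillating in and out of deleting mode.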


Defining Authentication Proxy Settings


Note Authentication proxy is supported on IOS versions 12.3(1) and higher.


If authentication proxy is enabled on an IOS firewall, users can log into the network or access the internet through HTTP, HTTPS, FTP, or Telnet. When a user initiates an HTTP/HTTPS, FTP, or Telnet session through the firewall, the authentication proxy is triggered. It first checks the authentication of the user. If a valid authentication entry exists for the user, the connection is completed with no further intervention by authentication proxy. If no valid authentication entry exists, the authentication proxy prompts the user for a username and password. After authentication is approved, the specific user access profiles are automatically retrieved and applied from a CiscoSecure Access Control Server (ACS), or other authentication server. The user profiles are only active when there is active traffic from authenticated users. See Appendix A, "Router MC User Permissions" for information about authentication and authorization in Router MC.


Note You must configure the router manually to use AAA (a TACACS or RADIUS server) for authentication, or the authentication proxy feature will not work. You must also make sure that the router is configured as an HTTP server to use HTTP or HTTPS as the authentication trigger.


To configure authentication proxy, you first define the authentication proxy settings, and then you define authentication proxy access rules. See Creating an Authentication Proxy Rule.

Follow this procedure to define the authentication proxy settings.

Before You Begin

In the Object Selector, select the object on which you want to define the authentication proxy settings.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Select General Firewall > Authentication Proxy in the TOC. The Authentication Proxy page appears. Table 1-7 describes the elements displayed in the Authentication Proxy page.

Step 3 Enter the required values in the Inactivity Timer and Absolute Timer fields.

Step 4 Enter messages that the user will see on login, in the Banner fields.

Step 5 Click Apply to confirm your definitions and enable the authentication proxy settings in your network.


Table 1-7 describes the elements in the Authentication Proxy page.

Table 1-7 Authentication Proxy: GUI Reference 

GUI Element
Description

Inactivity Timer

Enter the maximum number of minutes required to keep the authentication proxy alive after a connection fails.

Absolute Timer

Enter the maximum number of minutes required to keep the authentication proxy up and running.

HTTP Banner

Enter a message the user will see on logging in from an HTTP/HTTPS initiated session.

FTP Banner

Enter a message the user will see on logging in from an FTP initiated session.

Telnet Banner

Enter a message the user will see on logging in from a Telnet initiated session.

Apply button

Click to apply your definitions.

Clear button

The Clear button is only present if Global is selected in the Object Selector. Click the Clear button to remove your current definitions.

Defaults button

The Defaults button is present when any object other than Global is selected in the Object Selector. Click to remove your local definitions and restore the inherited default values.


Defining URL Filtering

Router MC provides support for Cisco IOS firewalls to interact with URL filtering software, such as Websense or N2H2, to prevent users from accessing specific websites on the basis of a specified policy. The firewall forwards specific URLs to the Websense server, or the N2H2 Internet Filtering Protocol (IFP) server, which determines whether the HTTP traffic should be permitted or denied.


Note After you define the IP address of the URL filtering server, you enable the URL filtering feature when defining the CBAC inspect action during access rule creation. CBAC will initiate the URL filtering mechanism if the traffic is HTTP traffic. See Defining the Inspect Action's Parameters.


Follow this procedure to define the URL filtering settings.

Before You Begin

In the Object Selector, select the object on which you want to define the URL filtering settings.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Select General Firewall > URL Filtering in the TOC. The URL Filtering page appears. Table 1-8 describes the elements displayed in the URL Filtering page.

Step 3 Select the URL filter server: Websense or N2H2.

Step 4 Click Define Server and define the server's IP address or host name.

Step 5 In the URL Filtering page, select the required check boxes, and enter the appropriate values in the fields provided.

Step 6 Click Apply to confirm your definitions and enable URL filtering in your network.


Table 1-8 describes the elements in the URL Filtering page.

Table 1-8 URL Filtering: GUI Reference 

GUI Element
Description

URL Filter Server

Select the Websense or N2H2 radio button to choose the required URL filter server.

This area also contains the following button:

Define Server button—Opens the Define URL Filtering Server dialog box in which you define the parameters of the URL filtering server. See Table 1-9 for a description of the fields and buttons in the dialog box.

Audit

Select this check box if you want to enable the logging of messages into the syslog server or router. By default, the check box is disabled.

Alert

Select this check box if you want to enable system alert messages, such as the server entering allow mode or going down. By default, the check box is enabled.

Server Logging

Select this check box if you want to enable the logging of all system messages on the URL filtering server.

Allow Mode

If the connection to the URL filtering server is down, the system goes into allow mode, which you can configure to forward or drop packets.

By default, allow mode is off, which means that the HTTP traffic is denied. If you want to permit the HTTP traffic in allow mode, select this check box.

Maximum Destination Addresses

Enter the maximum number of destination IP addresses that can be cached (within the range of 0-2,147,483,647). The default number is 5,000.

Maximum HTTP Responses

Enter the maximum number of HTTP responses that the firewall can keep in its packet buffer (within the range of 0-20,000). The default number is 200.

Maximum Outstanding Requests

Enter the maximum number of outstanding requests that can exist at any given time (within the range of 0-2,147,483,647). The default number is 2,000.

Permit Exclusive Domain(s)

In this field, you can enter a list of domain names, from an exclusive domain list, for which the HTTP traffic is permitted.

This feature saves the server from having to deal with look-up requests from the firewall for HTTP traffic that is destined for a host that has already been marked as "permitted."

Deny Exclusive Domain(s)

In this field, you can enter a list of predefined domain names, from an exclusive domain list, for which the HTTP traffic is denied.

Apply button

Click to apply your definitions.

Clear button

The Clear button is only present if Global is selected in the Object Selector. Click the Clear button to remove your current definitions.

Defaults button

The Defaults button is present when any object other than Global is selected in the Object Selector. Click to remove your local definitions and restore the inherited default values.


Table 1-9 describes the elements in the URL Filtering Server Definition dialog box.

Table 1-9 URL Filtering Server Definition: GUI Reference 

GUI Element
Description

IP Address/Host Name

Enter the IP address or host name of the selected server.

Port

Enter the port number on which the server listens.

Timeout

Enter the time (in seconds) that the firewall will wait for a response from the server (within the range of 1-300). The default time is 300 seconds.

Retransmit

Enter the number of times the firewall will retransmit the request when a response does not arrive (within the range of 1-10). The default value is 2.

OK

Click to accept the definitions and close the dialog box.

Cancel

Click to cancel any definitions and close the dialog box.


Defining Logging Settings

In the Logging page, you can enable or disable the configuration of the audit trail and alert features on the selected object. By default, the Alert feature is selected on the IOS router.

Deselecting the audit or alert options will disable these actions in the inspection rules and fragmentation rules policies on deployment, for new policies only. Access rules that previously enabled these logging actions will not be changed automatically.

Logging settings can be configured at the root (global) level, on a device group, or on a specific device. Configurations can be overridden by a descendant object.

Before You Begin

In the Object Selector, select the object on which you want to define the logging settings.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Select General Firewall > Logging in the TOC. The Logging page appears. Table 1-10 describes the elements displayed in the Logging page.

Step 3 Select the required option(s) in the check boxes provided.


Note If you don't make any selection, the default selection (i.e., the Alert feature) defined on the IOS router will be applied.


Step 4 Click Apply to confirm your selection and enable the logging settings in your network.


Table 1-10 describes the elements in the Logging page.

Table 1-10 Logging: GUI Reference 

GUI Element
Description

Audit

Select this check box if you want the inspection rule to configure audit trails to be generated on the selected object. By IOS default, this check box is selected.

Alert

Select this check box if you want the inspection rule to configure alert messages on the selected object.

Apply button

Click to apply your selections.

Clear button

The Clear button is only present if Global is selected in the Object Selector. Click the Clear button to remove your current selections.

Defaults button

The Defaults button is present when any object other than Global is selected in the Object Selector. Click to remove your local selections and restore the inherited default selections.


Defining ACL Ranges

Both standard and extended type ACLs might be used when configuring CBAC on an outbound ACL at an external interface, or inbound ACL at an internal interface. Only extended ACLs can be used to deny CBAC return traffic from entering the network through the firewall. So when CBAC creates temporary openings in an ACL, the ACL must be an extended type.

Each ACL on an object has a unique name or number that is used to identify it. Although names are usually used to identify ACLs, specific cases require ACLs to be identified by numbers, such as when using Java blocking in an HTTP inspection rule. When a number is used to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol.


Note When uploading access rules from a device, the uploaded ACLs might be numbered. The values of the ACL ranges distinguish between Router MC ACLs and non-Router MC ACLs.


In the ACL Ranges page, you define the ranges of standard and extended access control list numbers. Since only 99 numbers are available for each type of ACL, Router MC provides an extended range of numbers for each of the standard and extended ACL types.

ACL range settings can be configured at the root (global) level, on a device group, or on a specific device.

Before You Begin

In the Object Selector, select the object on which you want to define the ACL ranges.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Settings.

Step 2 Select General Firewall > ACL Ranges in the TOC. The ACL Ranges page appears. Table 1-11 describes the elements displayed in the ACL Ranges page.

Step 3 Enter the appropriate values in the fields provided. You can only enter values that are within the specified ranges.

Step 4 Click Apply to confirm your definitions and enable the ACL ranges on the selected object in your network.


Table 1-11 describes the elements in the ACL Ranges page.

Table 1-11 ACL Ranges: GUI Reference 

GUI Element
Description

Standard ACLs

Enter a range of numbers that can be used for standard ACLs. Values must be within the range of 1-99.

Standard ACLs - Extended Range

Enter an extended range of numbers that can be used for standard ACLs. Values must be within the range of 1300-1999.

Extended ACLs

Enter a range of numbers that can be used for extended ACLs. Values must be within the range of 100-199.

Extended ACLs - Extended Range

Enter an extended range of numbers that can be used for extended ACLs. Values must be within the range of 2000-2699.

Apply button

Click to apply your definitions.

Clear button

The Clear button is only present if Global is selected in the Object Selector. Click the Clear button to remove your current definitions.

Defaults button

The Defaults button is present when any object other than Global is selected in the Object Selector. Click to remove your local definitions and restore the inherited default values.


Configuring Firewall Access Rules

Access rules provide traffic filtering by enabling the implementation of Access Control Lists (ACLs) and Context Based Access Control (CBAC) inspection rules on the devices' interfaces.

The following topics provide information about configuring and working with firewall access rules in Router MC:

Understanding Access Rules

Viewing Existing Access Rules

Creating an Access Rule

Editing an Access Rule

Moving an Access Rule

Copying an Access Rule to Another Object

Enabling/Disabling an Access Rule

Deleting an Access Rule

Understanding Access Rules

Access rules comprise conditions and actions. A condition describes a traffic flow of packets. You specify the source and destination devices and the services (such as protocols and ports), and assign this condition to an interface. An action describes what should occur if the condition is met. For example, if the packet flow meets all the conditions, access to the destination IP address is approved and the packets are forwarded.

An action can be one of the following:

Permit: Allow the packet into and out from the device for further processing.

Deny: Disallow the packet from entering and exiting the device.

Inspect: Allow inspection rules on a device (when CBAC is configured). Inspection rules might also include additional actions that are required for CBAC configuration: Alert, Audit, and Timeouts. See Understanding Context Based Access Control (CBAC).

Each interface on a router can be associated with a list of Access Control Lists (ACLs) that determine the traffic that is allowed to enter or exit the interface. Router MC derives the ACLs for a device from the access rules defined on the device itself, and the access rules defined on higher level objects (such as global or device group), that are inherited by the device. If CBAC is configured on a router, the access rules defined on the device might also include CBAC inspection rules that are configured on the router's interfaces.

Access rules are defined as either mandatory or default, and can be applied on the global level, device group level, or on an individual device. Since ACLs operate on a first match basis, the order of the access rules is very important. Mandatory rules are listed first, so they take precedence over any rules that come later. Default rules take effect if no relevant mandatory rules apply.

See Understanding the Ordering of Firewall Access Rules for more information.

To learn how access rules are used in Router MC, you must first understand how Access Control Lists and CBAC inspection rules work.

Access Control Lists (ACLs)

An ACL is an ordered list of rules, known as Access Control Entries (ACEs), that describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both.

Each ACE describes network traffic based on source IP address, destination IP address, protocol, and possibly ports. Each ACE has an action to permit or deny the specified traffic. When a packet arrives at a router, the ACEs in the ACL are scanned for the first one that matches the packet.

When the device finds a matching ACE, the device performs the associated action, either permitting the packet into or out of the device for further processing, or denying entry or exit to the packet. After finding a matching ACE, the device looks no further. If no ACE matches the packet, the packet is denied.

In Router MC, you can create access rules for each network protocol you want to filter, per router interface. From these access rules, Router MC derives the ACLs that will be applied to the interface.

CBAC Inspection Rules

Context-Based Access Control (CBAC) filters TCP and UDP packets based on application-layer protocol session information. CBAC examines not only network layer and transport layer information (as do ACLs), but also the application-layer protocol information (such as FTP connection information) to learn about the state of a session.

When CBAC is configured on a router, inspection rules are applied on a device's interfaces. For example, if a CBAC rule is defined on inbound traffic on a specific interface, then packets entering that interface from the network will be inspected. If a CBAC rule is defined on outbound traffic on a specific interface, then packets leaving that interface to the network will be inspected. The inspection rule must include the protocols that you want to monitor against Denial of Service (DoS) attacks.

CBAC inspection involves the following:

Inspecting packets that travel through a firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's ACLs to allow return traffic and perform any required content inspection on any future packets for this session.

Detecting and preventing certain network attacks, such as when a network attacker floods a server with a barrage of requests for connection and does not complete the connection. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests. CBAC can be configured to drop half-open connections, which require firewall processing and memory resources to maintain.

Tracking sequence numbers in all TCP packets, and dropping those packets with sequence numbers that are not within expected ranges.

Protecting against DoS attacks involving fragmented IP packets.

Generating real-time alert messages and audit trails in the event of a suspected DoS attack.

See Understanding Context Based Access Control (CBAC) for more information.

Automatic ACE Generation in Router MC

In certain cases, Router MC automatically creates additional ACE commands during the job generation process. These commands are necessary to ensure that the access rules you defined for your firewall configuration are compatible with any defined VPN configurations. Router MC generates the actual CLI commands, not policies. If required, you can view the CLI commands that will be written to your devices (or to configuration files) to implement your policy definitions. See Viewing Device Configurations, page 1-30.

Router MC automatically generates the required ACEs to:

Enable a hub and spoke VPN connection to co-exist with the firewall configuration. The generated ACEs can support IPSec with or without GRE, and NAT traversal, depending on the tunnel type. See How is Traffic Secured in an IPSec Tunnel?, page 1-5. See also Defining NAT Traversal Settings, page 1-41.

Allow SSH protocol which is used for connecting to the devices for import and deployment.


Note For the routing protocol, ACEs are not automatically generated. To avoid the disconnection of the VPN tunnel, you would have to apply the ACEs manually.


Enable CBAC inspection on return traffic. When CBAC inspection is defined on outbound traffic on a specific interface, an access rule must be attached to the inbound traffic on that interface. If not, an "implicit deny all" (explicit deny ip any any) ACE command is automatically generated, and attached to the inbound traffic on the interface.


Note To enable the automatic generation of ACEs in Router MC, the "Allow automatic generation of supplementary ACEs" check box in the Configuration Support Settings page of the Admin tab is selected by default. If you do not want to automatically generate these additional commands, you must deselect this check box. See Defining System Settings, page 1-1.


Understanding the Ordering of Firewall Access Rules

Access rules are listed sequentially and are applied in the order in which they appear in the Router MC Access Rules table. Rules are recognized and processed by the device from first to last. When a rule's condition matches the network traffic that a device is processing, the device uses that rule to decide if traffic is permitted. If traffic is not explicitly permitted by an access rule, it is denied.

Access Rules are defined as either mandatory or default, and can be applied on the global level, device group level, or on an individual device. Mandatory rules are listed first, so they take precedence over any rules that come later. Default rules take effect if no relevant mandatory rules apply.

Mandatory: Mandatory rules are obligatory for descendants and cannot be overridden. They are ordered from the root level (global) down to the current object.

Default: Default rules can be overridden on descendant objects. They are ordered from the current object up to the root level (global).

As previously mentioned, each router interface has an associated list of ACLs that determine the traffic that is allowed to enter or exit the interface. Router MC derives the ACLs for a device from the access rules defined on the device itself, and the access rules defined on higher level objects (such as global or device group) that are inherited by the device. Since ACLs operate on a first match basis, the order of the access rules is very important.

Router MC orders the access rules defined on a device, as follows:

1. Mandatory rules have the highest priority. They are always placed first in the list of ACLs. Mandatory rules defined on the global level have the highest priority and are listed first, followed by mandatory rules defined on a device group within global, and then on any lower level device groups.

2. Access rules defined on a device itself are next in priority, and are listed after all the mandatory rules.

3. Default access rules have the lowest priority and are listed after a device's access rules (both mandatory and default). The default access rules defined on the device group that contains the device have the highest priority and are listed first. The default access rules defined on higher level objects are listed next, with default rules defined on the global level having the lowest priority (i.e., they appear last in the list).

The example in Figure 1-1 shows the rules that are defined on Device 1, and the order in which they will be applied. Device 1 is contained within DeviceGroup 2, which is part of DeviceGroup 1.

Figure 1-1 Mandatory and Default Access Rules Ordering Example
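The ordering rules above, together with the first-match ACL evaluation described under Access Control Lists (ACLs), as an added example that is not part of Router MC. The object hierarchy follows the Figure 1-1 description (Device 1 inside DeviceGroup 2 inside DeviceGroup 1 under Global); the rules, addresses and services are constructed for illustration, and the Inspect action is left out.

```python
"""Router MC access-rule ordering and first-match ACL evaluation (constructed model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    obj: str        # object the rule was defined on (global, device group or device)
    kind: str       # "mandatory" or "default"
    src: str        # CIDR network or "any"
    dst: str        # CIDR network or "any"
    service: str    # e.g. "ssh", "http"; "ip" matches every service
    action: str     # "permit" or "deny"


def _contains(scope, addr):
    return scope == "any" or ip_address(addr) in ip_network(scope)


def matches(rule, src, dst, service):
    return (_contains(rule.src, src) and _contains(rule.dst, dst)
            and rule.service in ("ip", service))


def order_rules(rules, path):
    """Order the rules as Router MC deploys them to the device at the end of path.

    path lists the objects from the root (Global) down to the device. Within one
    object, rules keep the order in which they were defined (their order in rules).
    """
    ancestors, device = path[:-1], path[-1]

    def by_obj(obj, kind):
        return [r for r in rules if r.obj == obj and r.kind == kind]

    ordered = []
    for obj in ancestors:                        # 1. mandatory rules, root downward
        ordered += by_obj(obj, "mandatory")
    ordered += by_obj(device, "mandatory")       # 2. the device's own rules
    ordered += by_obj(device, "default")
    for obj in reversed(ancestors):              # 3. default rules, nearest group up to root
        ordered += by_obj(obj, "default")
    return ordered


def evaluate(ordered, src, dst, service):
    """First-match lookup: (action, 1-based position), or ("deny", None) if no ACE matches."""
    for pos, rule in enumerate(ordered, 1):
        if matches(rule, src, dst, service):
            return rule.action, pos
    return "deny", None                          # implicit deny at the end of the ACL


# Constructed hierarchy and rules (definition order per object is preserved).
PATH = ["Global", "DeviceGroup 1", "DeviceGroup 2", "Device 1"]
RULES = [
    Rule("Global", "mandatory", "any", "10.10.0.0/16", "ssh", "permit"),
    Rule("Global", "default", "any", "any", "ip", "deny"),
    Rule("DeviceGroup 1", "mandatory", "192.168.0.0/16", "any", "telnet", "deny"),
    Rule("DeviceGroup 1", "default", "192.168.0.0/16", "any", "http", "permit"),
    Rule("DeviceGroup 2", "default", "192.168.5.0/24", "any", "http", "deny"),
    Rule("Device 1", "mandatory", "192.168.7.0/24", "10.20.0.0/16", "ftp", "permit"),
]

if __name__ == "__main__":
    deployed = order_rules(RULES, PATH)
    for pos, r in enumerate(deployed, 1):
        print(pos, r.obj, r.kind, r.action, r.src, "->", r.dst, r.service)
    # The nearer group's default rule wins over the parent group's default rule.
    print(evaluate(deployed, "192.168.5.9", "8.8.8.8", "http"))
```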

The following topics describe how you use the Router MC User Interface to configure mandatory and default access rules on your device interfaces:

Viewing Existing Access Rules

Creating an Access Rule

Editing an Access Rule

Enabling/Disabling an Access Rule

Moving an Access Rule

Copying an Access Rule to Another Object

Deleting an Access Rule

Viewing Existing Access Rules

The Access Rules page is accessed by selecting Configuration > Access Rules.  It contains three entries in the TOC: Mandatory Rules, Default Rules, and Authentication Proxy Rules. Selecting Authentication Proxy Rules enables you to configure authentication proxy access rules (see Viewing Existing Authentication Proxy Rules for more information). Selecting either the Mandatory Rules or Default Rules entries in the TOC displays a page with a scrollable table showing all the mandatory/default (depending on the selection) access rules that have been defined on a particular object (global, device group, or device). Each table row represents an access rule and each table column provides a different field of information for that rule. The rules can be ACLs or CBAC rules. You can select a rule in the list to edit it, enable/disable it, copy it, and/or delete it. You can also select an access rule that was defined on a specific object to copy it to another object. Access rules are listed in the order that you define them.

Table 1-12 lists and describes the fields and buttons in the Mandatory Rules/Default Rules page (the fields and buttons are the same for both pages).

Router MC also allows you to view a complete list of all the mandatory and default rules, including the inherited rules, that are defined on the selected object. The rules are displayed in the order in which they will be deployed. This feature enables you to see in one view the complete process of how a packet will be handled. See Table 1-13 for a description of the Access Rules View All dialog box.

Table 1-12 describes the elements in the Mandatory Rules page and the Default Rules page (the elements are identical for both pages).

Table 1-12 Mandatory/Default Rules: GUI Reference 

GUI Element
Description

Order column

Sequentially numbers the access rules in the list.

Check box column

Enables you to select an access rule for editing, deleting, moving, copying, or enabling/disabling. You can select more than one check box at a time for deletion.

Source Address column

Displays the source address.

Dest Address column

Displays the destination address.

Service column

Displays the name of the service (protocol) used by the rule.

Action column

Identifies the associated action for the specified access rule. Available actions include:

Permit: Allow the traffic.

Deny: Block the traffic.

Inspect: Allow inspection rules on the device's interface.

Assigned I/F column

Displays the name of the interface to which the access rule is assigned.

Enable column

Displays "true" if the access rule is enabled, or "false" if it is disabled.

Insert button

Click to create a new access rule to be inserted in the list.

Edit button

Click to modify a selected access rule.

Copy button

Click to copy a selected access rule to the clipboard, to move it.

Cut button

Click to remove a selected access rule from the list, and place it on the clipboard, to move it.

Paste button

Click to insert an access rule that was copied or cut into the table.

You define the required location of the rule by selecting the rule that precedes it in the list: the pasted rule will appear after the selected rule. If you don't select a location, the inserted rule will appear at the beginning of the table.

Enable/Disable button

Click to enable or disable a selected rule. The Enable column will display "true" or "false" depending on its current status.

Delete button

Click to delete a selected access rule.

View All button

Click to open a dialog box that displays a scrollable table listing all the mandatory and default access rules, including inherited rules, for the selected object. The rules are displayed in the order in which they will be deployed. See Table 1-13 for more information.


Table 1-13 describes the elements in the Access Rules View All dialog box. This dialog box provides a complete list of all the mandatory and default rules, including the inherited rules, that are defined on the selected object. The rules are displayed in the order in which they will be deployed.

Access the Access Rules View All dialog box by clicking View All in the Mandatory/Default Rules page.

Table 1-13 Access Rules View All: GUI Reference 

GUI Element
Description

# column

Sequentially numbers the access rules in the list.

Source Address column

Displays the source address of the access rule.

Dest Address column

Displays the destination address of the access rule.

Service column

Displays the name of the service(s) (protocols) used by the access rule.

Action column

Displays the action performed on the access rule: Permit, Deny or Inspect.

Assigned I/F column

Displays the name of the interface to which the access rule is assigned.

Enable column

Displays "true" or "false" depending on whether the access rule is enabled or disabled.

Close button

Click to close the dialog box and return to the mandatory/default access rules table.


Creating an Access Rule

You can create access rules, both mandatory and default, at any level in the object hierarchy (global, device group, or device), using the Access Rule wizard.

The following topics describe the tasks you perform to create an access rule using this wizard:

Accessing the Access Rule Wizard

Defining the Parameters for the Access Rule

Defining the Inspect Action's Parameters

Assigning an Interface for the Access Rule

Viewing a Summary of the Access Rule


Note The same wizard pages are used for editing an access rule, enabling you to modify values as required. The Mode in the TOC that lists the wizard steps will display Editing. See Editing an Access Rule for more information.


Accessing the Access Rule Wizard

To access the wizard, complete the steps in this procedure.

Before You Begin

In the Object Selector, select the object on which you want to create the access rule.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Mandatory Rules/Default Rules from the TOC, depending on the type of rule you want to create. The Mandatory/Default Rules page appears. It contains a list of the access rules defined on the selected object.

Step 3 Click Insert. The first page of the Access Rule wizard appears.

The steps in the wizard are listed in the TOC on the left side of the page. The Mode in the TOC displays Adding. You can click on a step in the TOC to go directly to its corresponding page, or you can click the Next button to move sequentially through the wizard pages.


Note Some steps in the TOC might only be displayed as you progress through the wizard. They depend on the selections you make in a page.



Defining the Parameters for the Access Rule

In the Access Rules Parameters page of the wizard, you define the following parameters for the access rule:

Enabled or disabled.

The required action for the rule.

Source address of the packet.

Destination address of the packet.

The service (protocol) used by the access rule.

Enable or disable ACL logging.

Table 1-14 describes the elements in the Access Rules Parameters page.

Procedure


Step 1 Select the Enable Rule check box if you want to enable the access rule; otherwise deselect it.

Step 2 Select the required action for the access rule in the Action list box.

Step 3 If the selected action is Inspect, and you want only traffic from a specific source and destination to be inspected:

a. Select the Create ACL to permit traffic to be inspected check box.

b. Enter the source and destination addresses.

Step 4 Specify the required service(s).

Step 5 If required, select the ACL Log check box to log all filtered traffic that matches the access rule to an external Syslog server.

Step 6 Click Next.

If the selected action is Inspect, the Inspect Action page appears (see Defining the Inspect Action's Parameters). If the selected action is Deny or Permit, the Interface Assignment page appears (see Assigning an Interface for the Access Rule).


Table 1-14 describes the elements in the Access Rule Parameters page.

Table 1-14 Access Rule Parameters: GUI Reference 

GUI Element
Description

Enable Rule check box

Select/unselect this check box depending on whether you want to enable the access rule. By default, the check box is selected.

Note If you are editing an access rule, this check box will indicate the current status of the rule.

Action area

Select the required action for the access rule from the list box:

Deny: Block the traffic.

Permit: Allow the traffic.

Inspect: Allow inspection rules on the device's interface.

If the selected action is Inspect, the following check box is also displayed:

Create ACL to permit traffic to be inspected: Select this check box if you want Router MC to permit only the inspected traffic from a specified source to a specified destination. Then, specify the source and destination in the relevant fields.

Source Address(es)

Note This field is unavailable if the selected action is Inspect, and the Create ACL to permit traffic to be inspected check box is deselected.

Enter source network object name(s) or address(es) directly in the field. Multiple entries must be separated by commas.

This area also contains the following two buttons:

Select Network Groups: If your required source address(es) is one or more network groups, click this button to open a dialog box, in which you can select your network group(s) from a list of predefined network groups for the current building block. See Table 1-15 for a description of elements displayed in the Select Network Group dialog box.

See Working with Network Groups, page 1-13.

Create Network Groups: Click this button if you want to create a network group to be your source network address. The first page of the Network Group wizard appears. See Creating a Network Group, page 1-14.

Destination Address(es)

Note This field is unavailable if the selected action is Inspect, and the Create ACL to permit traffic to be inspected check box is deselected.

Enter destination network object name(s) or address(es) directly in the field. Multiple entries must be separated by commas.

This area also contains the following two buttons:

Select Network Groups: If your required destination address(es) is one or more network groups, click this button to open a dialog box, in which you can select your network group(s) from a list of predefined network groups for the current building block. See Table 1-15 for a description of elements displayed in the Select Network Group dialog box.

See Working with Network Groups, page 1-13.

Create Network Group: Click this button if you want to create a network group to be your destination network address. The first page of the Network Group wizard appears. See Creating a Network Group, page 1-14.

Service(s)

Enter the name of one or more services in the field. Multiple entries must be separated by commas. You can only define a service(s) that is defined in the current building block.

Note If you intend to perform an Inspect action on the rule, you can only define one service. You should select a single service, or Inspect All which includes all the CBAC inspections that are provided by Router MC.

This area also contains the following two buttons:

Select Service Groups: Click this button to open a dialog box, in which you can make your selection from a list of predefined services for the current building block, depending on the selected action. See Table 1-16 for a description of elements displayed in the Select Service Groups dialog box.

See Working with Service Groups, page 1-20.

Create Service Group: Click this button if you want to create a service group to be your service. The first page of the Service Group wizard appears. See Creating a Service Group, page 1-22.

ACL Log

Note Available only if the selected action is Permit or Deny.

Select this check box to log all filtered traffic that matches the access rule to an external Syslog server. By default, the check box is deselected.

Comment field

Enter a description of the access rule, if required.

Next button

Click to go to the next page in the wizard.

Cancel button

Click to exit the wizard without saving your settings.


Table 1-15 describes the elements in the Select Network Group dialog box. From this dialog box, you can select one or more network groups for your source or destination address(es), when defining the access rule parameters.

Access the Select Network Group dialog box by clicking Select Network Groups in the Access Rules Parameters page.

Table 1-15 Select Network Group: GUI Reference 

GUI Element
Description

Available Network Groups list

Displays the network groups available on the selected object. You can select one or more network groups from the list.

Selected Network Groups list

Displays the network groups that are selected, on the selected object.

> Add >> button

Click to move a selected network group(s) from the available network groups list to the selected network groups list.

<< Remove < button

Click to move a selected network group(s) back from the selected network groups list to the available network groups list.

OK button

Click to accept the selection(s) and close the dialog box.

Cancel button

Click to cancel any selection(s) and close the dialog box.


Table 1-16 describes the elements in the Select Service Groups dialog box. From this dialog box, you can select one or more services from the services that are available in the current building block, when defining the access rule parameters.

Access the Select Service Groups dialog box by clicking Select Service Groups in the Access Rules Parameters page.

Table 1-16 Select Service Groups: GUI Reference 

GUI Element
Description

Available Services list

Displays the services and service groups that are available in the current building block, for the selected object. The list includes only the services that are available for the currently selected action—Permit/Deny or Inspect.

Note If the action you want to perform on the access rule is Permit or Deny, you can select one or more services from the list. If you intend to perform an Inspect action on the rule, you can only select one service, which must contain a CBAC keyword, and must not contain other services. This list includes the Inspect All service which lets you define multiple CBAC inspections that are provided by Router MC, in a single access rule.

Selected Services list

Displays the service(s) and service groups that are selected, for the selected object.

> Add >> button

Click to move a selected service or service group from the available services list to the selected services list.

<< Remove < button

Click to move a selected service or service group back from the selected services list to the available services list.

OK button

Click to accept the selection(s) and close the dialog box.

Cancel button

Click to cancel any selection(s) and close the dialog box.


Defining the Inspect Action's Parameters


Note The Inspect Action page is only available if the action selected for the access rule in the Access Rules Parameters page is "Inspect".


The Inspect Action page of the Access Rule wizard enables you to configure the inspect action's parameters, such as real-time alerts and audit trails, for the access rule. From this page, you can also enable CBAC to initiate the URL filtering mechanism for HTTP traffic.

The parameters that you define on this page depend on the keyword in the service that was selected for the access rule, in the Access Rules Parameters page.

Procedure


Step 1 Select the Alert and/or Audit check boxes as required, and enter a value in the Timeout field.

Step 2 If the selected service is RPC inspection protocol or Inspect All, enter the appropriate values in the Program Number and Wait Time fields.


Note If you don't want to include an RPC inspection subservice in an Inspect All service, leave the Program Number and Wait Time fields empty.


Step 3 Select the Use URL Filtering check box if you want to enable URL filtering for HTTP traffic.

Step 4 If the selected service is Inspect All or one that includes an http CBAC keyword, enter the source address of the traffic in the Host Address(es) field. If your source address is a network group, click Select Network Groups to open a dialog box from which to make your selection. If you want to create a network group to be your source network address, click Create Network Group. See Table 1-17 for a description of the fields.


Note If you don't want to include the Javablocking Inspection subservice in an Inspect All service, leave the Host Address(es) field empty.


Step 5 Select the Permit or Deny action radio button.

Step 6 Click Next. The Interface Assignment page appears. Proceed to Assigning an Interface for the Access Rule.


Table 1-17 describes the elements that can be displayed in the Inspect Action page.


Note Some of the elements described in this table might not always be displayed. Their availability depends on the service that was selected for the access rule.


Table 1-17 Inspect Action: GUI Reference 

GUI Element
Description

Alert check box

Available for any selected service(s).

Select this check box if you want the inspection rule to configure alert messages to be displayed at the end of each CBAC session. See Defining Logging Settings.

Audit check box

Available for any selected service(s).

Select this check box if you want the inspection rule to configure audit trail messages to be displayed at the end of each CBAC session. See Defining Logging Settings.

Timeout field

Available for any selected service(s).

Enter the maximum number of seconds allowed for the inspection rule to be active. The default is 3600 seconds.

Program Number field

Available if the selected service protocol is "RPC Inspection" or "Inspect All".

To enable CBAC inspection for the RPC protocol, or all the CBAC inspection services that are provided by Router MC, enter the program number in this field.

Note If you don't want to include an RPC Inspection subservice in an Inspect All service, leave this field empty.

Wait Time field

Available if the selected service protocol is "RPC Inspection" or "Inspect All".

Enter the number of minutes required to keep a small opening in the firewall for subsequent connections from the same source address and to the same destination address and port. The default is 0 minutes.

Note If you don't want to include an RPC Inspection subservice in an Inspect All service, leave this field empty.

Use URL Filtering

Select this check box to enable CBAC to initiate the URL filtering mechanism for HTTP traffic. See Defining URL Filtering for more information.

Host Address(es)

Available only if the selected service is "Inspect All" or Javablocking Inspection.

Enter the source address of the traffic in this field.

Note If you don't want to include the Javablocking Inspection subservice in an Inspect All service, leave this field empty.

This area also contains the following two buttons:

Select Network Groups: If your required source address is a network group, click this button to open a dialog box, in which you can select your network group from a list of predefined network groups for the current building block. See Table 1-15 for a description of elements displayed in the Select Network Group dialog box.

See Working with Network Groups, page 1-13.

Create Network Group: Click this button if you want to create a network group to be your source network address. The first page of the Network Group wizard appears. See Creating a Network Group, page 1-14.

Action buttons

Available only if the selected service includes an http CBAC keyword.

Choose the required action by selecting one of the radio buttons:

Permit: Allow the Java applet to pass through the firewall.

Deny: Block the Java applet from passing through the firewall.

Back button

Click to go back to the previous page in the wizard.

Next button

Click to go to the next page in the wizard.

Cancel button

Click to exit the wizard without saving your settings.
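
The Inspect Action fields above map onto the device's CBAC inspection commands. The following is an added example, not Router MC's own CLI generator: it renders classic IOS "ip inspect name" lines from the Alert, Audit, Timeout, Program Number, Wait Time, Use URL Filtering and Host Address(es) fields, leaving the RPC subservice out of Inspect All when Program Number is empty and Java blocking out when Host Address(es) is empty, as the page specifies. The Inspect All expansion, the standard ACL number used for the java-list, and the trailing "permit any" for the Deny case are assumptions of the example, not facts from the page.

```python
"""Render the IOS CBAC inspection commands that the Inspect Action page fields imply.

Added example, not Router MC's own CLI generator. Command syntax follows the classic
IOS "ip inspect name" CLI; exactly how Router MC emits these commands is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed expansion of the "Inspect All" service for this example; the real
# Router MC subservice list is not on the page.
INSPECT_ALL_KEYWORDS = ["tcp", "udp", "ftp", "smtp", "http", "rpc"]


@dataclass
class InspectParams:
    name: str                                  # inspection rule name on the device
    service: str                               # CBAC keyword ("tcp", "http", "rpc", ...) or "Inspect All"
    alert: bool = False                        # Alert check box
    audit: bool = False                        # Audit check box
    timeout: int = 3600                        # Timeout field, seconds (page default)
    program_number: Optional[int] = None       # RPC Program Number; None = leave RPC out of Inspect All
    wait_time: int = 0                         # RPC Wait Time, minutes (page default)
    url_filtering: bool = False                # Use URL Filtering check box
    host_addresses: List[str] = field(default_factory=list)  # Java Host Address(es); empty = no Java blocking
    java_action: str = "deny"                  # Permit/Deny radio button for applets from those hosts
    java_acl: int = 51                         # assumed standard ACL number used for the java-list


def _acl_entry(acl: int, action: str, addr: str) -> str:
    """One standard-ACL line; a single host uses 'host', a prefix uses a wildcard mask."""
    net = ipaddress.ip_network(addr, strict=False)
    if net.num_addresses == 1:
        return f"access-list {acl} {action} host {net.network_address}"
    return f"access-list {acl} {action} {net.network_address} {net.hostmask}"


def _common_options(p: InspectParams) -> str:
    """Alert, audit-trail and timeout apply to every inspected protocol."""
    return (f" alert {'on' if p.alert else 'off'}"
            f" audit-trail {'on' if p.audit else 'off'}"
            f" timeout {p.timeout}")


def render_inspect(p: InspectParams) -> List[str]:
    """Return the device commands for one Inspect access rule, in deployment order."""
    keywords = INSPECT_ALL_KEYWORDS if p.service == "Inspect All" else [p.service.lower()]
    lines: List[str] = []
    for kw in keywords:
        if kw == "rpc":
            # Page rule: an empty Program Number means the RPC subservice is omitted.
            if p.program_number is None:
                continue
            lines.append(f"ip inspect name {p.name} rpc program-number {p.program_number}"
                         f" wait-time {p.wait_time}{_common_options(p)}")
        elif kw == "http":
            options = ""
            if p.host_addresses:
                # Java blocking: the java-list ACL decides whose applets pass. With Deny
                # selected, a trailing 'permit any' (assumption) keeps other hosts' applets flowing.
                lines.extend(_acl_entry(p.java_acl, p.java_action, h) for h in p.host_addresses)
                if p.java_action == "deny":
                    lines.append(f"access-list {p.java_acl} permit any")
                options += f" java-list {p.java_acl}"
            if p.url_filtering:
                options += " urlfilter"
            lines.append(f"ip inspect name {p.name} http{options}{_common_options(p)}")
        else:
            lines.append(f"ip inspect name {p.name} {kw}{_common_options(p)}")
    return lines


if __name__ == "__main__":
    # Inspect All, RPC left out, Java applets from the lab subnet blocked, URL filtering on.
    params = InspectParams(name="FW_INSPECT", service="Inspect All", alert=True,
                           url_filtering=True, host_addresses=["10.1.1.0/24"])
    print("\n".join(render_inspect(params)))
```

Running the block prints the lines that an Inspect All rule with those fields produces; changing a single field (for example entering a Program Number) adds exactly one command, which makes it easy to see what each GUI element contributes before deployment.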


Assigning an Interface for the Access Rule

For each access rule, you must determine the interface(s) on which the rule will be defined. You do this by defining the interface type, slot, port, channel, and direction.

The Interface Assignment page of the Access Rule wizard enables you to create an interface assignment for the new access rule.

Procedure


Step 1 Select the interface type, slot, port, channel, and direction in the fields provided. See Table 1-18 for descriptions of the fields.

Step 2 If required, you can select an interface from the Show Interfaces dialog box that lists all the available interfaces on the selected object, and then validate your selection. To do this:

Click Show Interfaces. The Show Interfaces dialog box appears. See Table 1-4 on page 1-22 for a description of the elements in the Show Interfaces dialog box.

Select the check box next to one or more of the listed interface options to select it.

Click Select to confirm your choice(s) and close the Show Interfaces dialog box.

Click Validate to open the Validate Interface dialog box and validate your interface selection. See Table 1-11 on page 1-39 for a description of the elements in the Validate Interface dialog box.

For example, if you selected Ethernet 1/0, the Validate Interface dialog box will indicate how many of the devices in your selected object have this interface available. If the selected interface is not available on any of the devices, you must either choose another interface that is on at least one of the devices, or select a different interface on the individual devices that are not covered.

Click Close to return to the Interface Assignment page.

Step 3 If Summary appears in the TOC, click Next. The Access Rule Summary page appears. Proceed to Viewing a Summary of the Access Rule.

OR

If Summary does not appear in the TOC, click Finish to complete the creation of the access rule, or go back to a previous step in the wizard to change your definitions, as required.


Table 1-18 describes the elements in the Interface Assignment page.

Table 1-18 Interface Assignment: GUI Reference 

GUI Element
Description

Interface Type list box

Select the physical source interface on the device:

Ethernet

FastEthernet

GigabitEthernet

Serial

Slot list box

Select the slot number on which the interface is located.

Port list box

Select the interface's physical port number. If you do not select a port, Router MC will include all the interfaces of the specified type. For example, if you select Ethernet in the Interface Type list box and do not select a port, the selected interface will be Ethernet *, where * indicates that any Ethernet interface will be included.

Channel field

Specify the channel you want to serve as the interface. This field is filled in automatically if you select an interface with a channel in the Show Interfaces dialog box.

Subinterface field

If you want to assign the rule on a subinterface, specify the subinterface in this field.

Direction radio buttons

Select the direction of the source interface:

In: An inbound interface.

Out: An outbound interface.

Validate button

Click to open the Validate Interface dialog box that indicates how many of the devices in the selected object (device group or device) contain the selected interface. See Table 1-11 on page 1-39 for a description of the elements in the Validate Interface dialog box.

Note You must select a port before you click the Validate button.

Show Interfaces button

Click to open the Show Interfaces dialog box in which you can select from a list of available interfaces on the selected object. See Table 1-4 on page 1-22 for a description of the elements in the Show Interfaces dialog box.

Back button

Click to go back to the previous page in the wizard.

Next button

Available only if Summary appears in the TOC. See Defining System Settings, page 1-1.

Click to go to the next page in the wizard.

Finish button

Available only if Summary does not appear in the TOC. See Defining System Settings, page 1-1.

Click to exit the wizard and complete the access rule creation or modification process.

Cancel button

Click to exit the wizard without saving your settings.
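
The interface assignment rules above (a missing port becomes "Ethernet *", the Validate Interface dialog counts the devices in the object that have the interface, and the direction decides whether the rule is applied inbound or outbound) can be checked offline before deployment. The following is an added example, not Router MC code: it parses IOS-style interface names, resolves a wildcard or specific assignment against a constructed three-router inventory, and lists the devices the assignment covers and the ones that are not covered. The shape of the per-interface commands is an assumption of the example.

```python
"""Resolve an Interface Assignment against a device group and validate it.

Added example, not Router MC code. It models the page's behaviour that an
assignment with no port selected becomes "<Type> *" (any interface of that type)
and that Validate Interface reports how many devices in the object have the
interface. The device inventory is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS-style names: Ethernet1/0, Serial0/0:1 (channel), FastEthernet0/0.10 (subinterface)
_IF_RE = re.compile(r"^([A-Za-z]+)(\d+)/(\d+)(?::(\d+))?(?:\.(\d+))?$")


@dataclass(frozen=True)
class InterfaceSpec:
    itype: str                        # Ethernet | FastEthernet | GigabitEthernet | Serial
    slot: Optional[int] = None
    port: Optional[int] = None        # None -> wildcard: any port of this type
    channel: Optional[int] = None
    subinterface: Optional[int] = None
    direction: str = "in"             # Direction radio buttons: in | out

    def __str__(self) -> str:
        if self.port is None:
            return f"{self.itype} *"
        name = f"{self.itype}{self.slot}/{self.port}"
        if self.channel is not None:
            name += f":{self.channel}"
        if self.subinterface is not None:
            name += f".{self.subinterface}"
        return name

    def matches(self, ifname: str) -> bool:
        m = _IF_RE.match(ifname)
        if not m or m.group(1).lower() != self.itype.lower():
            return False
        if self.port is None:
            return True                                  # "Ethernet *" matches any Ethernet port
        slot, port, chan, sub = (int(g) if g is not None else None for g in m.groups()[1:])
        return (slot, port, chan, sub) == (self.slot, self.port, self.channel, self.subinterface)


def validate(spec: InterfaceSpec, inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Mimic the Validate Interface dialog: which devices have the interface and which do not."""
    covered = sorted(d for d, ifs in inventory.items() if any(spec.matches(i) for i in ifs))
    uncovered = sorted(set(inventory) - set(covered))
    return {"covered": covered, "uncovered": uncovered}


def interface_commands(spec: InterfaceSpec, device_ifs: List[str], acl: str, inspect: str) -> List[str]:
    """Commands applied on one device's matching interfaces (assumed output shape, not Router MC's)."""
    lines: List[str] = []
    for ifname in device_ifs:
        if spec.matches(ifname):
            lines += [f"interface {ifname}",
                      f" ip access-group {acl} {spec.direction}",
                      f" ip inspect {inspect} {spec.direction}"]
    return lines


# Constructed inventory of a three-router device group.
INVENTORY = {
    "edge-r1": ["Ethernet1/0", "Ethernet1/1", "Serial0/0:1"],
    "edge-r2": ["FastEthernet0/0", "Ethernet0/0"],
    "edge-r3": ["Serial0/0:1", "Serial0/0:2"],
}

if __name__ == "__main__":
    for spec in (InterfaceSpec("Ethernet", 1, 0), InterfaceSpec("Ethernet"),
                 InterfaceSpec("Serial", 0, 0, channel=1)):
        print(spec, validate(spec, INVENTORY))
```

Note that the wildcard is per interface type: "Ethernet *" does not match a FastEthernet port, so a group that mixes interface types still needs a separate assignment (or a per-device override) for the devices that the validation reports as uncovered.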


Viewing a Summary of the Access Rule


Note If the Show Summary Step in Wizards check box in the System Settings page, is deselected, the Access Rule Summary page is not available. See Defining System Settings, page 1-1.


The Access Rule Summary page provides an overview of your access rule definitions for your verification. See Table 1-19 for a description of the fields and buttons in this page.

Procedure


Step 1 Verify that your access rule definitions are correct.

Step 2 Click Finish to complete the creation of the access rule, or go back to a previous step in the wizard to change your definitions, as required.


Note The new access rule will appear at the end of the list of rules that are displayed in the Mandatory Rules/Default Rules table. If required, you can move the rule to a different location so that it will be implemented in the order you want it to be executed. See Moving an Access Rule for more information.



Table 1-19 describes the elements in the Access Rule Summary page.

Table 1-19 Access Rule Summary: GUI Reference 

GUI Element
Description

Summary of Access Rules

Lists all your definitions for the access rule.

Back button

Click to go back to the previous page in the wizard.

Finish button

Click to exit the wizard and complete the rule creation or modification process.

Cancel button

Click to exit the wizard without saving your settings.


Editing an Access Rule

You can edit any existing access rule. Rules editing is done in the Access Rule wizard that is used to create an access rule. You can use the TOC to go directly to the page you want to edit.

Before You Begin

In the Object Selector, select the object on which the rule you want to edit is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Mandatory Rules/Global Rules from the TOC, depending on the type of access rule you want to edit. The Mandatory/Default Rules page appears. It contains a list of the access rules defined on the selected object. See Table 1-12 for a description of the elements in the Mandatory/Default Rules page.

Step 3 Select the check box next to the rule you want to edit and click Edit. The Access Rule Parameters page of the Access Rule wizard appears. It contains the source and destination addresses, the services and the action for the selected rule.

Step 4 Select the required page from the TOC or click the Next button to move through the pages in the wizard. Each page shows the values that were defined for the selected access rule and you can edit them, as required.

Step 5 Click Finish when you have finished editing the rule.


Moving an Access Rule

The sequence in which access rules appear in the Access Rules table is very important, since this is the order in which the rules will be applied on the selected object. See Understanding the Ordering of Firewall Access Rules for more information. The rules displayed in the Access rules table appear in the order in which you define them. This might not necessarily be the order in which you want to apply them on the selected object.

This section describes how you can move access rules within the table, so they appear in the order in which you want to execute them. In addition to changing the position of an access rule in the list, you can copy a rule to duplicate it. This is also useful if you want to create an access rule that is a slight modification of an existing rule; you can copy and then edit it.

Before You Begin

In the Object Selector, select the object on which the rule you want to move is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Mandatory Rules/Global Rules from the TOC, depending on the type of access rule you want to move. The Access Rules page appears. It contains a list of the access rules defined on the selected object. See Table 1-12 for a description of the elements in the Mandatory/Default Rules page.

Step 3 To move an access rule to a new location in the list:

a. Select the check box next to the rule you want to move, and click Cut.

b. Select the check box next to the rule after which you want to place the selected rule.

c. Click Paste.

The access rule will be displayed in the required position in the access rules list.


Note If you don't select a new location for the rule, it will be placed at the top of the rules list.


Step 4 To copy an access rule to a new location in the list:

a. Select the check box next to the rule you want to copy, and click Copy.

b. Select the check box next to the rule after which you want to place the copied rule.

c. Click Paste.

The access rule will be displayed in the required position in the access rules list.


Note If you don't select a new location for the rule, it will be placed at the top of the rules list.



Copying an Access Rule to Another Object

Access rules may be applied on all objects: global, device group, or device. In addition to duplicating an access rule in the Access Rules table for the currently selected object, you can also copy a rule from one object to another.

This section describes how you can select an access rule that was defined on a specific object, and copy it to another object.


Note If the access rule you want to copy references a network group, make sure that the same network group is defined on the group to which you are copying the access rule. If not, you will receive an error on deployment that the network group is not recognized.


Before You Begin

In the Object Selector, select the object on which the rule you want to copy is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Mandatory Rules/Default Rules from the TOC, depending on the type of access rule you want to copy. The Access Rules page appears. It contains a list of the access rules defined on the selected object. See Table 1-12 for a description of the elements in the Mandatory/Default Rules page.

Step 3 Select the check box next to the rule you want to copy, and click Copy.

Step 4 In the Object Selector, select the object on which you want to define the copied access rule. The Access Rules page appears for the selected object.

Step 5 Select Mandatory Rules/Default Rules from the TOC, as required. The Mandatory/Default Rules page displays a list of the access rules defined on the currently selected object.

Step 6 Select the check box next to the rule after which you want to place the copied rule.

Step 7 Click Paste.

The copied access rule will be displayed in the required position in the access rules list.


Note If you don't select a new location for the rule, it will be placed at the top of the rules list.



Enabling/Disabling an Access Rule

For each access rule, a status of "true" or "false" is displayed in the Access Rules table, depending on whether the access rule is enabled or disabled.

During the creation of access rules, it is useful to disable them until you are sure you want to deploy them. On deployment, an access rule will only be configured on an interface if it is enabled.

This procedure describes how to enable and disable access rules.

Before You Begin

In the Object Selector, select the object on which the rule you want to enable/disable is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Mandatory Rules/Global Rules from the TOC, depending on the type of access rule you want to enable/disable. The Access Rules page appears. It contains a list of the access rules defined on the selected object. See Table 1-12 for a description of the elements in the Mandatory/Default Rules page.

Step 3 Select the check box next to the access rule you want to enable or disable, and click Enable/Disable.


Note You can only enable a "false" rule, and disable a "true" rule.


The Enable column will display "true" or "false" depending on whether the access rule was enabled or disabled.
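
The two sections above, Moving an Access Rule and Enabling/Disabling an Access Rule, together determine what actually gets matched on the device: rules are applied in table order, Cut/Paste places a rule after the selected rule (or at the top when none is selected), and a rule whose status is "false" is not deployed at all. The following added example, not Router MC code, models an ordered table of Permit/Deny rules with first-match evaluation so that you can see how reordering or disabling a rule changes the outcome for a given flow. The rules and addresses are constructed for the example; Inspect rules are left out because CBAC is not a first-match decision.

```python
"""First-match evaluation of an ordered access-rule table, with moving and enabling.

Added example, not Router MC code. It models what the page states: rules are
applied in table order, Cut/Paste places a rule after the selected rule (top of
the list when none is selected), and only enabled rules are deployed. Rule
content is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class AccessRule:
    name: str
    action: str            # Deny | Permit
    source: str            # prefix such as "10.1.1.0/24", or "any"
    destination: str       # prefix or "any"
    service: str           # "tcp/80", "udp/53", ... or "any"
    enabled: bool = True   # Enable Rule check box ("true"/"false" in the table)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def deployable(rules: List[AccessRule]) -> List[AccessRule]:
    """Only enabled rules are configured on the interface at deployment."""
    return [r for r in rules if r.enabled]


def first_match(rules: List[AccessRule], src: str, dst: str, service: str) -> Optional[AccessRule]:
    """Return the first deployable rule matching the flow; None means no rule matched."""
    for r in deployable(rules):
        if (_addr_match(r.source, src) and _addr_match(r.destination, dst)
                and r.service in ("any", service)):
            return r
    return None


def move_after(rules: List[AccessRule], name: str, after: Optional[str]) -> List[AccessRule]:
    """Cut 'name' and paste it after 'after'; None pastes it at the top of the list."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    pos = 0 if after is None else next(i for i, r in enumerate(rest) if r.name == after) + 1
    return rest[:pos] + [rule] + rest[pos:]


def copy_after(rules: List[AccessRule], name: str, after: Optional[str], new_name: str) -> List[AccessRule]:
    """Copy/Paste: duplicate a rule under a new name, placed after 'after' (top if None)."""
    rule = replace(next(r for r in rules if r.name == name), name=new_name)
    pos = 0 if after is None else next(i for i, r in enumerate(rules) if r.name == after) + 1
    return rules[:pos] + [rule] + rules[pos:]


def set_enabled(rules: List[AccessRule], name: str, enabled: bool) -> List[AccessRule]:
    """Enable/Disable button: flip the status of one rule without touching the others."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rules]


# Constructed rule table: a broad web permit defined before a lab-subnet block.
RULES = [
    AccessRule("AllowWeb", "Permit", "any", "any", "tcp/80"),
    AccessRule("BlockLab", "Deny", "10.1.1.0/24", "any", "any"),
]

if __name__ == "__main__":
    flow = ("10.1.1.5", "192.0.2.10", "tcp/80")
    print("as defined:", first_match(RULES, *flow).name)
    moved = move_after(RULES, "BlockLab", None)
    print("BlockLab moved to top:", first_match(moved, *flow).name)
    print("BlockLab disabled:", first_match(set_enabled(moved, "BlockLab", False), *flow).name)
```

The web flow from the lab host is permitted in the order the rules were defined, denied once BlockLab is pasted at the top, and permitted again as soon as BlockLab is set to "false", which is exactly the kind of check worth doing before deploying a reordered table.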


Deleting an Access Rule

You can delete any existing access rule. You can delete multiple rules at one time.

Before You Begin

In the Object Selector, select the object on which the access rule you want to delete is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Mandatory Rules/Global Rules from the TOC, depending on the type of access rule you want to delete. The Access Rules page appears. It contains a list of the access rules defined on the selected object. See Table 1-12 for a description of the elements in the Mandatory/Default Rules page.

Step 3 Select the check box next to each rule you want to delete, and click Delete. The rule(s) is deleted from the list of access rules in the table.


Configuring Authentication Proxy Access Rules

Authentication proxy access rules provide traffic filtering for users who log into the network or access the Internet through an HTTP, HTTPS, FTP, or Telnet session. The authentication proxy is triggered when a session is initiated. If a valid authentication entry exists for the user, the connection is completed. If no valid authentication entry exists, the authentication proxy prompts the user for a username and password. After authentication is approved, the specific user access profiles are automatically retrieved and applied from a CiscoSecure Access Control Server (ACS), or other authentication server.

Before you create authentication proxy rules, you must define the settings that enable authentication proxy to be configured on your firewall devices. See Defining Authentication Proxy Settings for more information.

The following topics provide information about configuring and working with authentication proxy access rules in Router MC:

Viewing Existing Authentication Proxy Rules

Creating an Authentication Proxy Rule

Editing an Authentication Proxy Rule

Enabling/Disabling an Authentication Proxy Rule

Deleting an Authentication Proxy Rule

Viewing Existing Authentication Proxy Rules

The Authentication Proxy Rules page is accessed by selecting Configuration > Access Rules > Authentication Proxy Rules. It displays a page with a scrollable table showing all the authentication proxy rules that have been defined on a particular object (global, device group, or device). Each table row represents an authentication proxy rule and each table column provides a different field of information for that rule. You can select a rule in the list to edit it, enable/disable it, and/or delete it. Authentication proxy rules are listed in the order that you define them.

Table 1-20 lists and describes the fields and buttons in the Authentication Proxy Rules page.

Table 1-20 Authentication Proxy Rules: GUI Reference 

GUI Element
Description

Check box column

Enables you to select an authentication proxy rule for editing, deleting, or enabling/disabling. You can select more than one check box at a time for deletion.

Authentication Trigger column

Displays the type of traffic (HTTP/S, FTP, or Telnet) that initiated the authentication proxy rule.

Inactivity Timer column

Displays the maximum number of minutes required to keep the authentication proxy alive after a connection fails.

Absolute Timer column

Displays the maximum number of minutes required to keep the authentication proxy up and running.

Assigned I/F column

Displays the name of the interface to which the authentication proxy rule is assigned.

Enable column

Displays "true" if the authentication proxy rule is enabled, or "false" if it is disabled.

Insert button

Click to create a new authentication proxy rule to be inserted in the list.

Edit button

Click to modify a selected authentication proxy rule.

Enable/Disable button

Click to enable or disable a selected rule. The Enable column will display "true" or "false" depending on its current status.

Delete button

Click to delete a selected authentication proxy rule.


Creating an Authentication Proxy Rule

You can create authentication proxy rules at any level in the object hierarchy (global, device group, or device). The rules will be inherited by all device groups and devices contained within the selected object. You can create new rules on the device group or device level to override inherited policies.

You create an authentication proxy rule using the Authentication Proxy Rule wizard. The following topics describe the tasks you perform to create an authentication proxy rule using this wizard:

Accessing the Authentication Proxy Rule Wizard

Defining the Parameters for the Authentication Proxy Rule

Assigning an Interface for the Authentication Proxy Rule

Viewing a Summary of the Authentication Proxy Rule


Note The same wizard pages are used for editing an authentication proxy rule, enabling you to modify values as required. The Mode in the TOC that lists the wizard steps will display Editing. See Editing an Authentication Proxy Rule for more information.


Accessing the Authentication Proxy Rule Wizard

To access the wizard, complete the steps in this procedure.

Before You Begin

In the Object Selector, select the object on which you want to create the authentication proxy rule.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Authentication Proxy Rules from the TOC. The Authentication Proxy Rules page appears. It contains a list of the authentication proxy rules defined on the selected object.

Step 3 Click Insert. The first page of the Authentication Proxy Rules wizard appears.

The steps in the wizard are listed in the TOC on the left side of the page. You can click on a step in the TOC to go directly to its corresponding page, or you can click the Next button to move sequentially through the wizard pages.


Note Some steps in the TOC might only be displayed as you progress through the wizard. They depend on the selections you make in a page.



Defining the Parameters for the Authentication Proxy Rule

In the Authentication Proxy Rules Parameters page of the wizard, you define the following parameters for the authentication proxy rule:

Authentication trigger.

Inactivity timer.

Absolute timer.

Host address(es).

The required action.

Procedure


Step 1 Select the authentication trigger for the authentication proxy rule—HTTP/HTTPS, FTP, or Telnet.

Step 2 Enter the appropriate values in the Inactivity Timer and Absolute Timer fields provided. See Table 1-21 for descriptions of the fields.

Step 3 Enter the source address of the traffic in the Host Address(es) field.

Step 4 Select the required action for the rule—Permit or Deny.

Step 5 Click Next.

The Interface Assignment page appears (see Assigning an Interface for the Authentication Proxy Rule).


Table 1-21 describes the elements in the Authentication Proxy Rule Parameters page.

Table 1-21 Authentication Proxy Rule Parameters: GUI Reference 

GUI Element
Description

Authentication Trigger radio buttons

Select the appropriate radio button to choose the type of traffic (HTTP/S, FTP, or Telnet) that will initiate the authentication proxy rule.

Inactivity Timer

Enter the maximum number of minutes required to keep the authentication proxy alive if a connection fails.

Absolute Timer

Enter the maximum number of minutes required to keep the authentication proxy up and running.

Host Address(es)

Enter the source address of the traffic in this field.

This area also contains the following two buttons:

Select Network Groups: If your required source address is a network group, click this button to open a dialog box, in which you can select your network group from a list of predefined network groups for the current building block. See Table 1-15 for a description of elements displayed in the Select Network Group dialog box.

See Working with Network Groups, page 1-13.

Create Network Group: Click this button if you want to create a network group to be your source network address. The first page of the Network Group wizard appears. See Creating a Network Group, page 1-14.

Action radio buttons

Select the required action for the authentication proxy rule:

Deny: Block the traffic.

Permit: Allow the traffic.

Next button

Click to go to the next page in the wizard.

Cancel button

Click to exit the wizard without saving your settings.


Assigning an Interface for the Authentication Proxy Rule

For each authentication proxy rule, you must determine the interface(s) on which the rule will be defined. You do this by defining the interface type, slot, port, and channel.

The Interface Assignment page of the Authentication Proxy Rule wizard enables you to create an interface assignment for the new authentication proxy rule.

Procedure


Step 1 Select the interface type, slot, port, and channel in the fields provided. See Table 1-22 for descriptions of the fields.

Step 2 If required, you can select an interface from the Show Interfaces dialog box that lists all the available interfaces on the selected object, and then validate your selection. To do this:

Click Show Interfaces. The Show Interfaces dialog box appears. See Table 1-4 on page 1-22 for a description of the elements in the Show Interfaces dialog box.

Select the check box next to one or more of the listed interface options to select it.

Click Select to confirm your choice(s) and close the Show Interfaces dialog box.

Click Validate to open the Validate Interface dialog box and validate your interface selection. See Table 1-11 on page 1-39 for a description of the elements in the Validate Interface dialog box.

For example, if you selected Ethernet 1/0, the Validate Interface dialog box will indicate how many of the devices in your selected object have this interface available. If the selected interface is not available on any of the devices, you must either choose another interface that is on at least one of the devices, or select a different interface on the individual devices that are not covered.

Click Close to return to the Authentication Proxy Interface Assignment page.

Step 3 If Summary appears in the TOC, click Next. The Authentication Proxy Summary page appears. Proceed to Viewing a Summary of the Authentication Proxy Rule.

OR

If Summary does not appear in the TOC, click Finish to complete the creation of the authentication proxy rule, or go back to a previous step in the wizard to change your definitions, as required.


Note The new authentication proxy rule will appear at the end of the list of rules that are displayed in the Authentication Proxy Rules table.
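Added example, not Router MC's own code: a small Python renderer that takes the rule parameters from the Authentication Proxy Rule Parameters page and the interface assignment above and produces the corresponding IOS CLI, including the "Ethernet *" wildcard described in Table 1-22 and the deployment rule (stated later on this page under Enabling/Disabling) that a disabled rule is not configured on any interface. It assumes a rule name, an ACL naming scheme, and that the output follows the standard IOS `ip auth-proxy name` syntax rather than Router MC's exact generated commands.

```python
import ipaddress
from dataclasses import dataclass

TRIGGERS = ("http", "ftp", "telnet")  # the HTTP/HTTPS radio button maps to the single "http" trigger


@dataclass
class AuthProxyRule:
    name: str               # hypothetical rule name, used for the auth-proxy name and its ACL
    trigger: str            # http | ftp | telnet
    inactivity_timer: int   # minutes
    absolute_timer: int     # minutes
    hosts: list             # source host addresses or networks, e.g. "10.1.1.0/24"
    action: str             # permit | deny
    interface: str          # "Ethernet1/0", or "Ethernet*" when no port was selected
    enabled: bool = True    # a disabled rule is not deployed to any interface


def acl_entry(action, cidr):
    """One ACL line for a host or network, in IOS host / wildcard-mask form."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return f" {action} ip host {net.network_address} any"
    return f" {action} ip {net.network_address} {net.hostmask} any"


def expand_interfaces(selected, device_interfaces):
    """Resolve 'Type*' (no port chosen) to every interface of that type on the device."""
    if selected.endswith("*"):
        return [i for i in device_interfaces if i.startswith(selected[:-1])]
    return [i for i in device_interfaces if i == selected]


def render(rule, device_interfaces):
    """Emit the IOS CLI for one rule on one device; [] if disabled or interface absent."""
    if rule.trigger not in TRIGGERS or rule.action not in ("permit", "deny"):
        raise ValueError("invalid trigger or action")
    if rule.inactivity_timer <= 0 or rule.absolute_timer <= 0:
        raise ValueError("timers are in minutes and must be positive")
    targets = expand_interfaces(rule.interface, device_interfaces)
    if not rule.enabled or not targets:
        return []  # the Validate dialog would report the interface as unavailable
    acl = f"AUTHPXY-{rule.name}"  # assumed ACL naming scheme
    lines = [f"ip access-list extended {acl}"]
    lines += [acl_entry(rule.action, h) for h in rule.hosts]
    lines.append(f"ip auth-proxy name {rule.name} {rule.trigger} "
                 f"inactivity-time {rule.inactivity_timer} "
                 f"absolute-timer {rule.absolute_timer} list {acl}")
    for ifname in targets:
        lines += [f"interface {ifname}", f" ip auth-proxy {rule.name}"]
    return lines
```

Calling `render()` with a constructed device interface list such as `["Ethernet0/0", "Ethernet1/0", "Serial0/0"]` and an `Ethernet*` rule applies the proxy to both Ethernet interfaces and leaves the Serial interface untouched.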



Table 1-22 describes the elements in the Authentication Proxy Interface Assignment page.

Table 1-22 Authentication Proxy Interface Assignment: GUI Reference 

GUI Element
Description

Interface Type list box

Select the physical source interface on the device from the list box.

Slot list box

Select the slot number on which the interface is located.

Port list box

Select the interface's physical port number. If you do not select a port, Router MC will include all the interfaces of the specified type. For example, if you select Ethernet in the Interface Type list box and do not select a port, the selected interface will be Ethernet *, where * indicates that any Ethernet interface will be included.

Channel field

Specify the channel you want to serve as the interface. This field is filled in automatically if you select an interface with a channel in the Show Interfaces dialog box.

Subinterface field

If you want to assign the rule on a subinterface, specify the subinterface in this field.

Validate button

Click to open the Validate Interface dialog box that indicates how many of the devices in the selected object (device group or device) contain the selected interface. See Table 1-11 on page 1-39 for a description of the elements in the Validate Interface dialog box.

Note You must select a port before you click the Validate button.

Show Interfaces button

Click to open the Show Interfaces dialog box in which you can select from a list of available interfaces on the selected object. See Table 1-4 on page 1-22 for a description of the elements in the Show Interfaces dialog box.

Back button

Click to go back to the previous page in the wizard.

Next button

Available only if Summary appears in the TOC. See Defining System Settings, page 1-1.

Click to go to the next page in the wizard.

Finish button

Available only if Summary does not appear in the TOC. See Defining System Settings, page 1-1.

Click to exit the wizard and complete the rule creation or modification process.

Cancel button

Click to exit the wizard without saving your settings.


Viewing a Summary of the Authentication Proxy Rule


Note If the Show Summary Step in Wizards check box in the System Settings page is deselected, the Authentication Proxy Summary page is not available. See Defining System Settings, page 1-1.


The Authentication Proxy Rule Summary page provides an overview of your authentication rule definitions for your verification. See Table 1-19 for a description of the fields and buttons in this page.

Procedure


Step 1 Verify that your authentication proxy rule definitions are correct.

Step 2 Click Finish to complete the creation of the authentication proxy rule, or go back to a previous step in the wizard to change your definitions, as required.


Note The new authentication proxy rule will appear at the end of the list of rules that are displayed in the Authentication Proxy Rules table.



Table 1-23 describes the elements in the Authentication Proxy Rule Summary page.

Table 1-23 Authentication Proxy Rule Summary: GUI Reference 

GUI Element
Description

Summary of Authentication Rule

Lists your definitions for the authentication proxy rule.

Back button

Click to go back to the previous page in the wizard.

Finish button

Click to exit the wizard and complete the rule creation or modification process.

Cancel button

Click to exit the wizard without saving your settings.


Editing an Authentication Proxy Rule

You can edit any existing authentication proxy rule. Rule editing is done in the same Authentication Proxy Rule wizard that is used to create an authentication proxy rule. You can use the TOC to go directly to the page you want to edit.

Before You Begin

Make sure that you are working within the context of an open activity.

In the Object Selector, select the object on which the rule you want to edit is defined.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Authentication Proxy Rules from the TOC. The Authentication Proxy Rules page appears. It contains a list of the authentication proxy rules defined on the selected object. See Table 1-20 for a description of the elements in the Authentication Proxy Rules page.

Step 3 Select the check box next to the rule you want to edit and click Edit. The Authentication Proxy Rule Parameters page of the Authentication Proxy Rule wizard appears. It displays the parameters that were defined for the selected rule.

Step 4 Select the required page from the TOC or click the Next button to move through the pages in the wizard. Each page shows the values that were defined for the selected authentication proxy rule and you can edit them, as required.

Step 5 Click Finish when you have finished editing the rule.


Enabling/Disabling an Authentication Proxy Rule

For each authentication proxy rule, a status of "true" or "false" is displayed in the Authentication Proxy Rules table, depending on whether the rule is enabled or disabled.

During the creation of authentication proxy rules, it is useful to disable them until you are sure you want to deploy them. On deployment, an authentication proxy rule will only be configured on an interface if it is enabled.

This procedure describes how to enable and disable authentication proxy rules.

Before You Begin

In the Object Selector, select the object on which the authentication proxy rule you want to enable/disable is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Authentication Proxy Rules from the TOC. The Authentication Proxy Rules page appears. It contains a list of the authentication proxy rules defined on the selected object. See Table 1-20 for a description of the elements in the Authentication Proxy Rules page.

Step 3 Select the check box next to the authentication proxy rule you want to enable or disable, and click Enable/Disable.


Note You can only enable a "false" rule, and disable a "true" rule.


The Enable column will display "true" or "false" depending on whether the authentication proxy rule was enabled or disabled.


Deleting an Authentication Proxy Rule

You can delete any existing authentication proxy rule. You can delete multiple rules at one time.

Before You Begin

In the Object Selector, select the object on which the authentication proxy rule you want to delete is defined.

If workflow mode is enabled, make sure that you are working within the context of an open activity.

Procedure


Step 1 Select Configuration > Access Rules.

Step 2 Select Authentication Proxy Rules from the TOC. The Authentication Proxy Rules page appears. It contains a list of the authentication proxy rules defined on the selected object. See Table 1-20 for a description of the elements in the Authentication Proxy Rules page.

Step 3 Select the check box next to each rule you want to delete, and click Delete. The selected rule(s) are deleted from the list of authentication proxy rules in the table.