Table of Contents

Hardware Requirements

Minimum Hardware Requirements

Software Requirements

Requisite Software

Converting Your File Partition from FAT to NTFS
Installing the TCP/IP Protocol Stack
Installing Cisco Secure VPN Client
Installing TAPI and MAPI
Disabling DHCP
Changing the Timeout Setting
Creating a Windows NT Account for Installation
Testing Connectivity between the Policy Enforcement Point and Policy Proxy Host
Bootstrapping the PIX Firewall

PIX Firewall Worksheet

Bootstrapping a Cisco Router

Cisco Router Worksheet
Working with Passwords

Configuring a Console Terminal

Meeting the Prerequisites

This appendix provides detailed discussions and procedures for meeting the requirements listed in the "Preparation Worksheets" in "Planning Your Installation." You will find the following sections discussed in this appendix:

Prerequisites for the target host(s):

• Hardware Requirements

• Software Requirements

• Converting Your File Partition from FAT to NTFS

• Installing the TCP/IP Protocol Stack

• Installing Cisco Secure VPN Client

• Installing TAPI and MAPI

• Disabling DHCP

• Changing the Timeout Setting

• Creating a Windows NT Account for Installation

Prerequisites for the Policy Enforcement Point(s):

• Testing Connectivity between the Policy Enforcement Point and Policy Proxy Host

• Bootstrapping the PIX Firewall

• Bootstrapping a Cisco Router

• Configuring a Console Terminal

Hardware Requirements

The target host(s) for your Cisco Secure Policy Manager system must meet the minimum hardware requirements; otherwise, we cannot guarantee the integrity and functionality of the system that you install. However, you should always consider your network topology, the number of Policy Enforcement Points you intend to manage, and your performance requirements for command distribution and monitoring when reviewing the minimum hardware requirements. For example, the Policy Server is a multi-threaded application that would benefit from multiple CPUs and available memory on a single host. Whereas enhancing the Policy Administrator host would not necessarily optimize the GUI performance. The minimum hardware requirements may be sufficient for a standalone or client-server system, but they are not optimal for a distributed system. To ensure optimal performance, you should install Cisco Secure Policy Manager on hosts that exceed the minimum hardware requirements.

Minimum Hardware Requirements

• 200 MHz Pentium processor

• 96 MB of RAM memory

• 2 GB free hard drive space

• 1 or more properly configured network adapter cards

• 1024 x 768 video adapter card capable of at least 64 K color

• CD-ROM drive (preferably Autorun-enabled)

• Modem (optional for pager notifications)

• Mouse

• SVGA color monitor

Software Requirements

You can install the Cisco Secure Policy Manager feature sets on any host that meets the minimum hardware requirements and that also runs Windows NT 4.0. The Policy Administrator feature set can also be installed on a host that runs Windows 95 or Windows 98.

Requisite Software

You cannot access the setup program unless the target host on which you are installing Cisco Secure Policy Manager has the following requisite software properly installed:

• Service Pack 5 for Windows NT (to update files in the operating system)

• Microsoft Internet Explorer version 5 (for displaying system-generated reports)

• HTML Help 1.22 Update (for viewing online HTML-based Help topics)

The Autostart utility automatically searches the target host for these requisites and lists the ones that you must install before proceeding with the setup program. You can install all three requisite pieces of software from the Autostart panel.

---

Note If you downloaded Cisco Secure Policy Manager from CCO, the Autostart utility will launch your web browser to access the download site for the requisite software. If you are using Microsoft Internet Explorer 2.0, you will have to perform a manual upgrade to Internet Explorer 3.0 or later before you can access the download site.

---

Converting Your File Partition from FAT to NTFS

To ensure the integrity and security of the host on which you install Cisco Secure Policy Manager, you must install the product on an NTFS file partition. If the host on which you want to install the product currently runs a FAT file partition, you can convert it to NTFS by performing the following task.

To convert FAT to NTFS, perform the following task:

Result: The Command Prompt window appears.

Step 2 To convert the drive, type convert driveletter /FS:NTFS, and then press Enter.

Note You cannot convert the current drive; therefore, driveletter must specify a target drive that is different from the one on which you are typing the convert command.

Result: The volume is converted to NTFS.

Installing the TCP/IP Protocol Stack

You must have the TCP/IP network protocol installed, properly configured, and operational before you begin the setup program. This section defines the tasks that you must perform to install TCP/IP, if you have not already installed TCP/IP on the target host.

To install TCP/IP on the target host, perform the following task:

To verify that TCP/IP is functioning properly, perform the following task:

Step 2 To verify that the host on which you installed TCP/IP can communicate using that protocol suite, type ping at the command prompt followed by a space and then a valid IP address of another host on the network.

Step 3 To verify that other hosts can communicate with the host on which you installed TCP/IP, repeat Step 2 on another host by trying to ping the IP address of the host on which you installed TCP/IP.

Result: If TCP/IP is not functioning properly, a request timeout message appears. Otherwise, the host receives a response from the IP address that you pinged.

Installing Cisco Secure VPN Client

Cisco Secure VPN Client enables you to secure the communications channel between the Cisco Secure Policy Manager system and a managed IPSec-enabled Policy Enforcement Point. To use this feature, you must install Cisco Secure VPN Client on any host on which you have installed a standalone Cisco Secure Policy Manager system, the Policy Proxy-Monitor, or the Policy Proxy.

Cisco Secure VPN Client provides Virtual Private Networking (VPN) capability on a desktop or laptop computer. Based on the latest industry-standard IPSec recommendations, Cisco Secure VPN Client enables secure client-to-gateway communications over TCP/IP networks, including the Internet. Cisco Secure VPN Client gives you the tools you need to use public key encryption for your secure Internet communications. It automatically generates the public/private key pair you need to obtain a digital certificate and lets you import and maintain digital certificates in Certificate Manager.

---

Note Cisco Secure VPN Client is also referenced as SafeNet/Soft-PK version 2.0 in the software. The SafeNet icon appears as the graphical user interface icon in the Windows taskbar. Unless the taskbar is changed, this icon appears in the lower right of the screen. If you are upgrading from a previous version of SafeNet/Soft-PK Client or Cisco Secure VPN Client, uninstall the old version, reboot, and then install the new version. When you uninstall a previous version, you may keep any existing key pairs and certificates.

---

If you want to install Cisco Secure VPN Client, you must do so before you begin the setup program for Cisco Secure  Policy  Manager. This section defines the tasks that you must perform to install Cisco Secure VPN Client on the target host(s).

To install Cisco Secure VPN Client, perform the following task:

---

Step 1 Close all other programs before continuing. Insert the Cisco Secure VPN Client CD-ROM disc into the drive on the target host.

Result: The Welcome panel appears.

• If the setup program does not start automatically, locate (with Windows NT Explorer or My Computer) and double-click the setup.exe file in the root directory on the Cisco Secure VPN Client CD-ROM disc. If you downloaded the zip file, the setup.exe file is located in the directory where you extracted the zip file.

Step 2 To begin setup, click Next.

---

Note Because this is a legally binding agreement, please read each condition carefully before continuing with the setup program. If you do not accept the conditions of the license agreement, you must click No and exit the setup program.

---

Result: The License Agreement panel appears.

Step 3 To review all conditions of the license agreement, use the scroll bar on the right side of the window.

Step 4 To accept the license agreement and continue with the installation process, click Yes.

Result: The User Information panel appears.

Step 5 To specify user information, type your name and the name of your company in the corresponding fields. To proceed to the next panel, click Next.

Result: The Choose Destination Location panel appears.

Step 6 To specify where to install Cisco Secure VPN Client, click Browse to find the correct path. To proceed to the next panel, click Next.

Cisco Secure VPN Client starts automatically each time your computer starts, and runs transparently on your computer. For more information, review the help file, which you can view by right-clicking the SafeNet icon on the taskbar, or refer to the latest version of the Cisco Secure VPN Client release notes at http://www.cisco.com/go/vpnclient.

Installing TAPI and MAPI

To receive e-mail and pager notifications, you must configure TAPI (Telephony Application Programming Interface) and MAPI (Messaging Application Programming Interface) on any host on which you have installed a standalone Cisco Secure  Policy  Manager system, the Policy Proxy-Monitor, or the Policy Monitor.

TAPI is a collection of software features built into Windows NT that gives users access to telephony services. TAPI is automatically configured when you install a modem on a Windows NT-based computer. If you have properly installed and configured your modem, you do not need to do anything else for TAPI functionality.

MAPI is a collection of software features built into Windows NT that enables different e-mail clients to distribute mail. MAPI is installed with Windows Messaging. You need to install Windows Messaging and create a user profile if you want Cisco Secure  Policy  Manager to notify you via e-mail. The following task walks you through the process of checking for Windows Messaging on the computer, installing Windows Messaging, and then creating a user profile.

To set up Windows Messaging, perform the following task:

Step 10 Type the name of the e-mail account on the mail server in the Mailbox Name box. Also, type the password associated with this account in the Password box. Then, click Next.

Disabling DHCP

The Dynamic Host Control Protocol (DHCP) enables hosts to receive dynamically assigned IP addresses. Because these IP addresses are not permanently assigned to the hosts, distributing Cisco Secure  Policy  Manager among a number of hosts with dynamically assigned IP addresses may result in loss of communication between the hosts if one IP address or more changes. Therefore, we recommend, but do not require, that you disable DHCP or assign a permanent, static lease for all Cisco Secure  Policy  Manager hosts.

You should make sure that each target host has a permanently assigned IP address before you install Cisco Secure Policy Manager. If you choose to disable DHCP, perform the following task to disable DHCP on every host on which you intend to install Cisco Secure  Policy  Manager.

---

Note If you choose to use DHCP, you must define a permanent, static lease for all hosts on which Cisco Secure  Policy  Manager runs. As long as the lease is permanent, communications between Cisco Secure  Policy  Manager hosts are performed correctly.

---

To disable DHCP and assign a permanent IP address, perform the following task:

---

Step 1 To access the Network dialog box, right-click Network Neighborhood on the desktop, and then click Properties on the shortcut menu.

You can also access this dialog box by double-clicking the Network icon in Control Panel.

Result: The Network dialog box appears.

Step 2 Click the Protocols tab on the Network dialog box.

Result: The Protocols tab appears at the forefront.

Step 3 To access TCP/IP properties, click TCP/IP Protocol in the Network Protocols list, and then click Properties.

Result: The Microsoft TCP/IP Properties dialog box appears with the IP Address tab at the forefront.

Step 4 To disable DHCP, click Specify an IP address.

Result: The IP Address, Subnet Mask, and Default Gateway boxes become available.

Step 5 To assign a permanent IP address to the host, type an available IP address in the IP Address box, its corresponding subnet mask in the Subnet Mask box, and the default gateway IP address to which all packets should be sent for routing in the Default Gateway box. Click Apply.

Result: The IP address that you specified becomes permanently associated with the host, unless you change it in the future.

---

Note You must disable DHCP for each network adapter installed in the host. You can select another adapter by clicking that adapter in the Adapter box in the IP Address panel.

---

Step 6 To effect your changes against your network settings, click the Bindings tab.

Result: Windows NT recalculates the TCP/IP stack bindings.

Step 7 To exit and reboot your host, click OK.

Result: You are prompted to reboot your computer. You should reboot before you continue verifying the network connectivity.

---

Changing the Timeout Setting

We strongly recommend that you set the Windows NT startup timeout to zero seconds and that you load Windows NT by default. Setting the timeout to zero prevents someone from gaining access to the host before the operating system takes control. Follow the procedures in this section to change the timeout setting.

To change the Windows NT timeout setting, perform the following task:

Creating a Windows NT Account for Installation

We recommend that you use the same Windows NT account (with administrative privileges) whenever you install or uninstall Cisco Secure  Policy  Manager or any of its feature sets. This account can be either a domain account or a local account. Follow the procedures in this section to create a new Windows NT account with administrative privileges.

To create a new Windows NT account with administrative privileges, perform the following task:

Result: The User Manager appears.

Step 2 To create a new user, click New User on the User menu.

Result: The New User dialog box appears.

Step 3 To specify account parameters, type the username in the Username box and a corresponding password in the Password box. You must confirm the password by retyping it in the Confirm Password box.

Result: The username and password that you typed become associated with the new account.

You can also provide more information by filling in the Full Name and Description boxes.

Step 4 To assign administrative privileges to the account, click Groups, click Administrators in the Not member of box, and then click Add.

Result: Administrators appears in the Member of box.

Step 5 To close the Group Memberships and New User dialog boxes, click OK.

Result: The Windows NT user account becomes active. You can now use this account to log on to the host.

Testing Connectivity between the Policy Enforcement Point and Policy Proxy Host

To ensure successful command distribution, you should test the connectivity between a Policy Enforcement Point and the Policy Proxy host for that Policy Enforcement Point. This task involves Telneting from the Policy Proxy host to the Policy Enforcement Point and verifying the login after a successful Telnet or troubleshooting connectivity for an unsuccessful Telnet attempt.

To Telnet from the Policy Proxy host to the Policy Enforcement Point, perform the following task:

Step 3 To run Telnet, type telnet [M] in the Open box, where [M] represents the interface the Policy Proxy host is connecting to, and press Enter.

Result: The system attempts to Telnet to the interface you specified.

• If you get a password prompt, enter the Telnet password for this Policy Enforcement Point.

Result: Connectivity between the Policy Proxy host and Policy Enforcement Point is confirmed when the password is accepted.

• If the Telnet attempt fails, use the instructions that follow to troubleshoot the connectivity.

---

Note If you get a router prompt or a username prompt, refer to the "Working with Passwords" section in this appendix.

---

To troubleshoot the connectivity for this Policy Enforcement Point, perform the following task:

Bootstrapping the PIX Firewall

To connect to and configure the initial settings for the PIX Firewall, you must use a console terminal, such as the one described in the "Configuring a Console Terminal" in this appendix. These bootstrap settings can be discovered automatically by the Topology Wizard provided with Cisco Secure Policy Manager, but you must specify them on the PIX Firewall before Cisco Secure Policy Manager can discover the PIX Firewall on your network. Complete the following worksheet before performing the bootstrapping procedures.

PIX Firewall Worksheet

The worksheet in Table A-1 asks you questions about your PIX Firewall and your network. You should write the answer to each question in the corresponding box. Then, as you are performing the procedures for the PIX Firewall, you should replace any reference letter within a procedure with the answer corresponding to that reference letter.

Table A-1: PIX Firewall Worksheet

Reference	Question	Answer
(procedures display this)	(used to obtain real value)	(this is your real value)
[A]	If you want to change the enable password for your PIX Firewall, what is the new password?	For security purposes, do not record your password in this worksheet.
[B]	What is the outside IP address of your PIX Firewall?
[C]	What netmask is associated with the network connected to the outside of your PIX Firewall?
[D]	What is the inside IP address of your PIX Firewall?
[E]	What netmask is associated with the network connected to the inside of your PIX Firewall?
[F]	What is the default route for your PIX Firewall?
[G]	If you want to set up address hiding, what is the low IP address used for the NAT pool?
[H]	If you want to set up address hiding, what is the high IP address used for the NAT pool?
[I]	What is the IP address of the Policy Proxy host that controls this PIX Firewall?
[J]	If the Policy Proxy host resides on a network other than the inside network, what is the default gateway for the inside network to use when trying to reach that other network?
Note You should also consider the following questions as you perform the bootstrapping procedures: For the devices between a Policy Enforcement Point and the Policy Proxy for that Policy Enforcement Point, what routes need to be set up on each device to ensure connectivity between the Policy Enforcement Point and the Policy Proxy? For this Policy Enforcement Point, what interface does the Policy Proxy connect to? For any Policy Enforcement Point protecting the network where the Policy Proxy host resides, is the Policy Enforcement Point performing NAT? You must apply a bi-directional mapping rule to the Policy Enforcement Point that is performing NAT. Always keep in mind the final translated address for the Policy Proxy host, as this is the address the Policy Enforcement Point will expect during command distribution. For any Policy Enforcement Point, what routes need to be set up to ensure connectivity between all Cisco Secure  Policy  Manager hosts for TCP traffic on port 2567?

The following procedures detail the commands entered at the console terminal. The commands use brackets surrounding a capital letter, such as [A], to refer to values that you have written on the worksheet. When you are carrying out a procedure that has a reference to the worksheet, type the value from the field on the worksheet, not the reference letter that we use to point you to the field on the worksheet.

For cases where we cannot use the worksheet to collect the required data, we use the standard command syntax. Do not include the braces <, >, [, or ] in any commands that you type.

---

Caution Cisco Secure  Policy  Manager only detects and imports a small number of configuration commands installed on a PIX Firewall (for support limitations, see Release Notes for Cisco Secure Policy Manager; for a full list of supported commands, see the Cisco Secure Policy Manager Administrator's Guide). If you have a large number of configuration rules active on the target PIX Firewall(s), you should copy that configuration to a backup location before continuing with this task. If you have rules defining unsupported commands, you can copy those rules into Cisco Secure Policy Manager after the initial configuration is completed.

---

To bootstrap a PIX Firewall, perform the following task:

---

Step 1 Using a console terminal, connect to the PIX Firewall console port.

Step 2 To specify that you want to configure the PIX Firewall using privileged mode, type enable and press Enter.

Step 3 Type the enable password [A] for the PIX Firewall, and then press Enter.

Step 4 To enter terminal configuration mode, type configure terminal and press Enter.

Result: You are in the PIX Firewall terminal configuration mode.

Step 5 To name each interface and specify an interface security level between 0 and 100, type nameif <hardware_id> <if_name> <security_lvl>, and then press Enter.

Use the following parameter guidelines to complete the nameif command:

• hardware_id---if you have all Ethernet interfaces, replace hardware_id with ethernet2.

If you have both Token Ring and Ethernet interfaces, specify three nameif command statements and for each, replace hardware_id starting with ethernet0 or token0 and consecutively number the Ethernet or Token Ring interfaces thereafter. For example, if you have an Ethernet interface on the outside, a Token Ring on the inside, and an Ethernet interface as the third interface, the slots would be named ethernet0, token0, and ethernet1.

You can abbreviate the hardware_id name with any significant letters, such as e0 for ethernet0, or t0 for token0.

• interface---When naming an interface (the if_name parameter) installed in a PIX Firewall, you must adhere to the following specific guidelines.

  • The interface installed in slot 0 must be named outside. The security level for outside must be 0.

  • The interface installed in slot 1 must be named inside. The security level for inside must be 100.

  • The interface installed in slot 2 must be named DMZ-slot:2. The security level must be an unused level between 0 and 100.

  • The interface installed in slot 3 must be named DMZ-slot:3. The security level must be an unused level between 0 and 100.

For a PIX Firewall that has more than four interfaces installed, you must name all the DMZ-slot:# interfaces, where the "#" is replaced by the slot number in which that interface is installed. Also, you will only modify the slot number itself. If you change the interface to a name that is not listed above, Cisco Secure  Policy  Manager issues consistency errors.

• security_level---a value such as security40 or security60. You can choose any security level between 1 and 99 for a perimeter interface as long as it is not the same as the inside and outside interfaces.

Step 6 To name each additional interface installed in the PIX Firewall and to specify an interface security level for each interface, repeat Step 6 until all interfaces have been named.

Step 7 To designate the network IP address and network mask for the outside interface, type ip address outside [B] [C], and then press Enter.

Step 8 To designate the network IP address and network mask for the inside interface, type ip address inside [D] [E], and then press Enter.

Step 9 To specify the default gateway for your PIX Firewall, type route outside 0 0 [F] [metric], and then press Enter.

• metric---Specify the number of hops to the gateway identified by [F]. The default value is 1 if a metric is not specified.

• If you do not want to perform address hiding, proceed to Step 11. To define a global pool of IP addresses to use for address hiding (NAT), type global (outside) <nat_id> [G]-[H] netmask <global_mask>, and then press Enter.

• nat_id---A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.

• global_mask---The network mask for global_ip. If subnetting is in effect, use the subnet mask, for example, 255.255.255.128. If you specify an address range that overlaps subnets, global will not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.128 and an address range of 192.150.50.20-192.150.50.140, the 192.150.50.127 broadcast address and the 192.150.50.128 network address will not be included in the pool of global addresses.

Step 10 To apply the global pool of IP addresses that you just specified to the inside interface, type nat (inside) <nat_id> <local_ip> [<netmask> [<max_conns> [em_limit>]]] [norandomseq], and then press Enter.

The nat_id value is the same value that you specified in ·. The remaining parameters must adhere to the following guidelines:

• local_ip---Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.

• netmask---Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool.

• max_conns---The maximum TCP connections permitted from the interface you specify.

• em_limit---The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.

• norandomseq---Do not randomize the TCP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Using this option opens a security hole in the PIX Firewall.

Step 11 To allow the Policy Proxy to distribute commands to the PIX Firewall, type telnet [I], and then press Enter.

See Table 1-1, "Supported Policy Enforcement Points and Interface Dependencies," for the PIX Firewall versions that require you to connect to the inside interface when distributing commands.

Step 13 To save your configuration changes to the Flash memory of the PIX Firewall, type write memory, and then press Enter.

Step 14 To exit the enable privileged mode and close the terminal console connection, type exit, and then press Enter.

You should be able to Telnet and log in to this Policy Enforcement Point from the Policy Proxy host.

Note If this Policy Enforcement Point supports IPSec, you will be required to perform additional bootstrapping procedures when you define your network topology in Cisco Secure  Policy  Manager. These procedures are required after Cisco Secure  Policy  Manager is installed and are therefore not covered in this installation guide.

Bootstrapping a Cisco Router

To connect to and configure the initial settings for a Cisco router/firewall or Cisco VPN Gateway, you must use a console terminal, such as the one described in "Configuring a Console Terminal." These bootstrap settings can be discovered automatically by the Topology Wizard provided with Cisco Secure Policy Manager, but you must specify them before Cisco Secure Policy Manager can discover the Policy Enforcement Point on your network.

Cisco Router Worksheet

The worksheet in Table A-2 asks you questions about your Cisco router and your network. You should write the answer to each question in the corresponding box. Then, as you are performing the procedures for the Cisco IOS software setup command, you should replace any reference letter within a procedure with the answer corresponding to that reference letter.

Table A-2: Cisco Router Worksheet

Reference	Question	Answer
(procedures display this)	(used to obtain real value)	(this is your real value)
What version of Cisco IOS software is running on this Cisco router?
Does this Cisco router have the firewall feature set?
Does this Cisco router support IPSec?
[A]	What is the enable password for this Cisco router?	For security purposes, do not record your password in this worksheet.
[B]	What is the default route for your Cisco router?
[C]	If the Policy Proxy resides on a network other than the inside network, what is the default gateway for the inside network to use when trying to reach that other network?
[D]	For dynamic NAT, what is the starting IP address used for the NAT pool?
[E]	What is the ending IP address used for the NAT pool?
[F]	For static NAT, what is the alias IP address of the Policy Proxy host?
[G]	What is the actual IP address of the Policy Proxy host?
How many interfaces are on your Cisco router? For each interface on your Cisco router,
[H]	What is the interface name?
	Is this interface enabled?
[I]	What is the IP address of this interface?
[J]	What is the netmask?
Note You should also consider the following questions as you perform the bootstrapping procedures: For the devices between a Policy Enforcement Point and the Policy Proxy for that Policy Enforcement Point, what routes need to be set up on each device to ensure connectivity between the Policy Enforcement Point and the Policy Proxy? For this Policy Enforcement Point, what interface does the Policy Proxy connect to? For any Policy Enforcement Point protecting the network where the Policy Proxy host resides, is the Policy Enforcement Point performing NAT? You must assign a static IP address to the Policy Proxy protected by the Policy Enforcement Point that is performing NAT. Always keep in mind the final translated address for the Policy Proxy host, as this is the address the Policy Enforcement Point will expect during command distribution. For any Policy Enforcement Point, what routes need to be set up to ensure connectivity between all Cisco Secure  Policy  Manager hosts for TCP traffic on port 2567?

The following procedures detail the commands entered at the console terminal. The commands use brackets surrounding a capital letter, such as [A], to refer to values that you have written on the worksheet. When you are carrying out a procedure that has a reference to the worksheet, type the value from the field on the worksheet, not the reference letter that we use to point you to the field on the worksheet.

For cases where we cannot use the worksheet to collect the required data, we use the standard command syntax. Do not include the braces <, >, [, or ] in any commands that you type.

---

Caution Cisco Secure  Policy  Manager only detects and imports a small number of configuration commands installed on a Policy Enforcement Point (for support limitations, see Release Notes for Cisco Secure Policy Manager; for a full list of supported commands, see the Cisco Secure Policy Manager Administrator's Guide). If you have a large number of configuration rules active on the target Policy Enforcement Point(s), you should copy that configuration to a backup location before continuing with this task. If you have rules defining unsupported commands, you can copy those rules into Cisco Secure  Policy  Manager after the initial configuration is completed.

---

To bootstrap the Cisco router, perform the following task:

---

Step 1 Using a console terminal, connect to the router console port.

Step 2 Turn ON power to the router.

• If you start up the router for the first time, the system automatically enters the setup command facility, which determines which interfaces are installed, and prompts you for configuration information for each interface. On the console terminal, after the system displays the system banner and hardware configuration, you will see the following System Configuration Dialog prompt:

--- System Configuration Dialog ---
At any point you may enter a questions mark '?' for help.
Refer to the 'Getting Started' Guide for additional help.
Default settings are in square brackets '[]'. continue with
configuration dialog? [yes]:

You have the option of proceeding with the setup command facility to configure the interfaces, or exit from setup and use configuration commands to configure global (system-wide) and interface-specific parameters. You do not have to configure the interfaces immediately; however, you cannot enable the interfaces or connect them to any networks until you have configured them.

Step 8 If you do not want to perform addressing hiding, skip to Step 12.

Step 9 To define a global pool of IP addresses to use for address hiding (NAT), type ip nat pool <pool_name> [D] [E] netmask<netmask>, and then press Enter.

Use the following parameter guidelines to complete the ip nat pool command:

• pool_name---Name given to the global pool of IP addresses.

• netmask---Network mask that indicates which address bits belong to the network/subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.

Step 10 To apply the global pool of IP addresses that you just specified to the inside interface, type
ip nat inside source list <list_name> pool <pool_name> overload, and then press Enter.

Use the following parameter guidelines to complete the ip nat inside source list command:

• pool_name---The same name that you specified in the previous step.

• list_name---Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

• overload---(optional) Enables the router to use one global address for many local addresses. When overload is enabled, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address.

Step 11 If you do not want to perform static NAT, skip to Step 13.

Step 12 To enable static NAT of the inside source address, type ip nat inside source static [F] [G], and then press Enter.

Step 13 To select an interface to assign an IP address to, type interface [H], and then press Enter.

Step 15 If you want to proceed NAT on this interface, type ip nat inside, and press Enter.

Step 16 Repeat Step 13 through Step 15 for each interface.

Step 17 Type exit, and press Enter.

Step 18 To exit from the configuration mode, type end.

You should be able to Telnet and log in to this router from the Policy Proxy host. Follow the procedures for "Testing Connectivity between the Policy Enforcement Point and Policy Proxy Host."

Note If this router supports IPSec, you will be required to perform additional bootstrapping procedures when you define your network topology in Cisco Secure  Policy  Manager. These procedures are required after Cisco Secure  Policy  Manager is installed and are therefore not covered in this installation guide.

Working with Passwords

Cisco Secure  Policy  Manager currently supports basic password authentication. If you Telnet to the Policy Enforcement Point and do not receive a password prompt, you should add a password for better security. However, if you receive a username and password prompt, you will need to change the login behavior so that the Policy Enforcement Point only prompts you for a password, and not a username. Procedures for each of these tasks follow.

To add a password and/or change login behavior, perform the following task:

Result: You are in Cisco IOS terminal configuration mode.

Step 2 To go to Line VTY, type line vty 0 4, and press Enter.

Step 3 If Line VTY is set to login local, change it by typing login and press Enter. Otherwise, skip to Step 8.

Result: You will no longer be prompted for a username at login.

Step 4 If you do not have AAA (Radius or TACAS+) turned on for Telnet sessions, skip to Step 8.

Step 5 To turn off AAA for Telnet sessions, create a custom list for Line VTY by typing aaa authentication login vty line and then press Enter.

Step 6 To go to Line VTY, type line vty 0 4, and press Enter.

Step 7 To assign the custom list, type login authentication vty, and press Enter.

Step 8 To add a password, type password [A], and press Enter.

Step 9 To exit from the configuration mode, type end.

Configuring a Console Terminal

If the computer you are connecting to runs either Windows 95 or Windows NT, the Windows HyperTerminal accessory provides easy-to-use software for communicating with the Policy Enforcement Point. If you are using UNIX, refer to your system documentation for a terminal program.

HyperTerminal also lets you cut and paste configuration information from your computer to the Policy Enforcement Point console.

To configure HyperTerminal for use as the Policy Enforcement Point console, perform the following task:

Step 2 To start HyperTerminal, click Start, point to Programs, and then point to Accessories, then point to HyperTerminal, and click HyperTerminal.

Result: The HyperTerminal windows opens, and the Connection Description dialog box appears.

Step 3 To specify that this connection description is for a specific Policy Enforcement Point console, type a unique name in the Name box and click OK.

Result: The Connect To panel appears.

Step 4 To designate the COM port to which the Policy Enforcement Point serial cable is attached, click that port number in the Connect using box, and then click OK.

Step 5 To specify the required connection settings in the COM Properties dialog box, select the following values, and then click OK:

• Bits per second: 9600

• Data bits: 8

• Parity: None

• Stop bits: 1

• Flow control: Hardware

Result: The HyperTerminal window is now ready to receive information from the Policy Enforcement Point console. If the serial cable is connected to the Policy Enforcement Point, turn on the Policy Enforcement Point and you should be able to view the console startup display.

Note If the connection does not appear to be established, wait for at least 60 seconds. The Policy Enforcement Point does not send information for about 30 seconds after a connection is established. If messages do not appear after 60 seconds, press Enter. If nothing appears, ensure that the serial cable is attached securely to the COM port you specified and to the serial port on the Policy Enforcement Point. If garbage characters appear, verify that the bits per second value is 9600.

Step 6 To save your terminal configuration settings, click Save on the File menu.

Step 7 To exit HyperTerminal, click Exit on the File menu.

Result: HyperTerminal prompts you to be sure you want to disconnect.

Step 8 To disconnect and close the HyperTerminal window, click Yes.

Result: HyperTerminal saves a log of your console session that you can access the next time you use it.

Tips To restart HyperTerminal, click the connection description name that you specified in the HyperTerminal folder on the Accessories submenu. When HyperTerminal starts, drag the scroll bar up to view the previous session.

Posted: Thu May 25 12:52:15 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.