You can define a number of network objects within the Network Topology tree. This chapter identifies some guidelines for selecting among the different types of network objects, and it provides the basic procedures for creating each available network object type. The next chapter provides more detailed procedures for configuring the different device-specific settings that are available as a subset of the network objects described in this chapter.
Note The only network objects that you should define manually are IP ranges, hosts, and policy enablement objects, such as a Cisco Secure Policy Manager or certificate authority server. For all other network objects, we strongly recommend that you use the Topology Wizard.
The remainder of this chapter presents step-by-step procedures for manually defining each network object type. For more information about using the Topology Wizard and detailed descriptions and additional tasks related to these network objects, refer to the online help system provided with the product.
The Internet node is a special Cloud node that represents all unknown networks to which your trusted and untrusted networks are connected. It identifies one or more points of connection between your network and your Internet service provider (ISP). Therefore, when you define your network topology, you should view this definition as starting from the connection to your ISP and continuing upstream to the innermost networks. From the Interfaces panel on the Internet node, you can define the networks that form the boundary between your networks and the ISPs, as well as the IP addresses of the default gateways used by your network. To do so, you must define the ISP's upstream gateway interfaces and the networks connected to those interfaces. Only one perimeter exists for the Internet node: the untrusted Internet perimeter, which represents all uncontrolled networks, including those networks attached to the downstream interfaces of your outermost Policy Enforcement Points.
Tips When you define your Network Topology, you must define it from the outside to the inside, starting with the access routers of your outermost gateway objects. These access routers often represent your ISPs' access routers. To identify different ISP connections, we recommend that you define a unique interface for each connection.
The Internet node is a special gateway node with one Cloud Networks interface, the interface attached to the default gateway for all unknown networks. In addition, the Internet node represents the default gateway for all your trusted networks (commonly used in policy development). Trusted networks represent those networks over which you have administrative control. In other words, you control the network policies for those networks. The IP addresses associated with the Internet node's interfaces specify the addresses of the default gateways used by your trusted networks, such as the IP address of your ISPs' first reachable routers.
Note You must attach at least one network to the Internet. Most commonly, this network identifies the network that belongs to your ISP. In addition, you must attach a gateway object (a Policy Enforcement Point, such as an IOS Router or PIX Firewall, or a generic Router or Cloud node) to that network.
Unknown networks, which the Internet node represents, are those networks that you do not know about and over which you have no administrative control (you cannot control the network policies for those networks). When applying network policies in the Network Policy tree, you can apply policies to the Internet node or use the Internet Perimeter in an IF Source is or IF Destination is condition of a security policy abstract. Such policies instruct your Policy Enforcement Points as to how they should control traffic originating from the Internet, or from all unknown networks.
Untrusted networks are networks that you know about, but over which you do not have administrative control. Often, you define untrusted networks so that you can specify security policy restrictions for network traffic that originates from those untrusted networks or because you want to restrict outgoing network traffic that is destined to those untrusted networks.
The Interfaces panel organizes settings and relationships used to derive how network policies are enforced against your networks and the hosts residing on those networks. It organizes five key pieces of information:
The Internet node is special because it organizes the information that represents your connections to your ISPs. These connections are commonly high-speed serial connections (although they are not required to be serial interfaces) between your outermost routers and the downstream routers owned by your ISPs. Therefore, they also represent the default gateway used by the upstream networks attached to your outermost routers.
As part of your connection specifications, you must identify the networks that are shared between you and your ISP. Each interface that you define on the Internet node should represent an interface on a downstream router owned by your ISP. Unlike other gateway objects that represent a single gateway, the Internet node (and other Cloud nodes) can represent a group of gateways. Each interface defined on the Internet node can represent a different connection to one or more ISPs.
In addition, the Cloud Networks interface on the Internet node has a unique meaning. It represents all unknown networks residing on the Internet. An unknown network is one that you have not explicitly defined in the Network Topology tree, and all unknown networks are considered untrusted by all the network objects that you do define in the Network Topology tree.
Cloud networks enable you to represent networks that you know about and for which you want to specify special security policies, such as not permitting traffic to a particular network. As is typical of defining cloud networks, you do not need to define the gateway objects, interfaces, and addresses associated with those networks because they are all reachable through the gateways represented by the ISP interfaces. Your outermost Policy Enforcement Points are used to enforce such restrictions by enforcing the defined security policies against any network traffic destined to these cloud networks and originating from the networks that are upstream from those Policy Enforcement Points.
You can perform the following tasks from the Interfaces panel associated with the Internet node under the Network Topology tree. For step-by-step procedures on performing a specific task, click the corresponding link.
The first task that you must complete when defining your Network Topology tree is specifying the settings in the Interfaces panel for the Internet node. In the Interfaces panel, you must specify the IP addresses of the default gateways that your outermost gateway objects use to reach all undefined networks. Because the Internet node is a special cloud, this logical gateway object also identifies the default gateways used by any other networks defined under the Network Topology tree to reach the Internet.
Note For each IP address that you assign to the Internet Perimeter's interface, you must define the network on which that IP address resides. These networks represent the networks shared between your ISPs and your outermost gateway objects. After you define these networks, you can define a Policy Enforcement Point, such as a PIX Firewall, or some other gateway object below one of these shared networks. However, all such gateway objects must have an IP address assigned to the downstream interface that is connected to these networks.
To specify interface settings of the Internet node, perform the following task:
Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Result: The Interfaces panel appears in the View pane.

Step 3 To select Interface 1 so that you can rename it, click the Interface 1 icon in the Interfaces panel.
Result: The Name box becomes available under Edit Interface Selection.
Step 4 To give Interface 1 a meaningful name, type that name in the Name box and press Enter.
This interface usually represents that interface residing on an access router that is owned by your ISP. Therefore, a good name for this interface might be something like "ISP Router Interface." If you have multiple ISPs, you must define a unique interface to represent each service provider.
Step 5 To access the shortcut menu, right-click the Interface icon that you just renamed in the Interfaces panel.
Step 6 To define a new network, point to New, and then click Network.
Result: A new node named Network # appears under the selected interface.
Step 7 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 8 To specify the address assigned to this network, type that address in the Network Address box.
This value identifies the address of a specific network. Typically, this network is shared between you and your ISP. This specific network exists behind a gateway (represented by the Internet node) that is directly connected to that network. This address is used to derive routing rules on a Policy Enforcement Point.
Step 9 To specify the network mask that corresponds to the network address you specified, type that value in the Network Mask box under Edit Network Selection.
This value identifies the mask of the network specified in the Network Address box. A Policy Enforcement Point uses this mask value to determine the appropriate routing rule.
Step 10 To access the shortcut menu, right-click the Interface 1 icon in the Interfaces panel.
Step 11 To define a new default gateway address that corresponds to the network that you just defined, point to New, and then click IP Address.
Result: A new node named 0.0.0.0 appears under the selected interface.
Step 12 To specify the default gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the default gateway that all networks defined under this network node in the Network Topology tree will use to reach the cloud networks, as well as all unknown networks, that the Internet node represents.
Note These IP addresses represent the default gateways used by your outermost gateway objects, such as your outermost PIX Firewall. However, they are not the addresses assigned to the downstream interfaces of your gateway objects. Instead, these IP addresses represent the addresses assigned to the "upstream" interfaces of the access routers to which your gateway objects deliver packets.
In addition, these IP addresses must be paired with the networks of which they are members. In other words, for each IP address you define, you must also define the corresponding network on which that IP address resides.
Step 13 If you want to define cloud networks on the Internet node, continue with Step 14. Otherwise, skip to Step 20.
Step 14 To access the shortcut menu, right-click the Cloud Networks icon in the Interfaces panel.
Step 15 To define a new cloud network, point to New, and then click Network.
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 16 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 17 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 18 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 19 For each cloud network that you want to define, repeat Steps 14 through 18.
Step 20 To accept your changes and close the selected panel, click OK.
Result: Any networks that you specified in Steps 5 through 9 appear under the Internet node in the Network Topology tree.
Step 21 To save any changes that you have made, click Save on the File menu.
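The pairing rules in this procedure (each default gateway IP must reside on a network defined under the same interface, each shared network needs a gateway, and names may not contain quotation marks or semicolons) can be checked before a Save. The following is an added example, not part of Cisco Secure Policy Manager or its documentation: it models an Internet node definition as built above and validates it; the Network, Interface and InternetNode classes, the sample addresses, and the host-bits and cloud-overlap checks are assumptions made here.

```python
"""Consistency check for an Internet node definition (added example, constructed).

Models Internet node interfaces, the networks (address + mask) shared with each
ISP, the default gateway IPs paired with them, and the cloud networks under the
Cloud Networks interface. Host-bits and cloud-overlap checks are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

MAX_NAME_LEN = 256           # "up to 256 alphanumeric characters"
FORBIDDEN_NAME_CHARS = '";'  # quotation marks and semicolons are not allowed


@dataclass
class Network:
    name: str
    address: str  # value typed in the Network Address box, e.g. "203.0.113.0"
    mask: str     # value typed in the Network Mask box, e.g. "255.255.255.252"


@dataclass
class Interface:
    name: str                                          # e.g. "ISP Router Interface"
    networks: List[Network] = field(default_factory=list)
    gateways: List[str] = field(default_factory=list)  # default gateway IP addresses


@dataclass
class InternetNode:
    interfaces: List[Interface] = field(default_factory=list)
    cloud_networks: List[Network] = field(default_factory=list)


def check_name(kind: str, name: str) -> List[str]:
    """Apply the naming rule stated for networks and cloud networks."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"{kind} name {name[:16]!r}... exceeds {MAX_NAME_LEN} characters")
    bad = "".join(c for c in FORBIDDEN_NAME_CHARS if c in name)
    if bad:
        problems.append(f"{kind} name {name!r} contains forbidden character(s) {bad!r}")
    return problems


def parse_networks(nets: List[Network], kind: str, problems: List[str]) -> List[Tuple[Network, IPv4Network]]:
    """Turn address/mask pairs into prefixes; strict=True rejects host bits set (assumption)."""
    parsed = []
    for net in nets:
        problems += check_name(kind, net.name)
        try:
            parsed.append((net, IPv4Network(f"{net.address}/{net.mask}", strict=True)))
        except ValueError as exc:
            problems.append(f"{kind} {net.name!r}: {exc}")
    return parsed


def check_internet_node(node: InternetNode) -> List[str]:
    """Return a list of problems; an empty list means the definition is consistent."""
    problems: List[str] = []
    shared: List[IPv4Network] = []
    for iface in node.interfaces:
        problems += check_name("Interface", iface.name)
        prefixes = parse_networks(iface.networks, "Network", problems)
        shared += [p for _, p in prefixes]
        gateways = []
        for gw in iface.gateways:
            try:
                gateways.append(IPv4Address(gw))
            except ValueError:
                problems.append(f"Interface {iface.name!r}: gateway {gw!r} is not a valid IPv4 address")
        # Rule: each default gateway IP must be paired with a network, defined under
        # the same interface, on which that IP resides.
        for gw in gateways:
            if not any(gw in p for _, p in prefixes):
                problems.append(f"Interface {iface.name!r}: gateway {gw} is not on any network defined under it")
        # Rule: each network defined under the Internet node needs a default gateway on it.
        for net, p in prefixes:
            if not any(gw in p for gw in gateways):
                problems.append(f"Network {net.name!r} on interface {iface.name!r} has no default gateway IP")
    # Rule: at least one network must be attached to the Internet node.
    if not shared:
        problems.append("No network is attached to the Internet node")
    # Assumption: cloud networks are reached through the ISP gateways, so a cloud
    # network should not overlap a network directly shared with an ISP.
    for net, p in parse_networks(node.cloud_networks, "Cloud network", problems):
        for s in shared:
            if p.overlaps(s):
                problems.append(f"Cloud network {net.name!r} ({p}) overlaps shared network {s}")
    return problems


def example_valid_node() -> InternetNode:
    """Constructed sample: one ISP link and one cloud network (documentation addresses)."""
    isp = Interface("ISP Router Interface",
                    networks=[Network("ISP Link", "203.0.113.0", "255.255.255.252")],
                    gateways=["203.0.113.1"])
    return InternetNode(interfaces=[isp],
                        cloud_networks=[Network("Partner Site", "198.51.100.0", "255.255.255.0")])


def example_invalid_node() -> InternetNode:
    """Constructed sample breaking the name, host-bits and gateway-pairing rules."""
    isp = Interface("ISP Router Interface",
                    networks=[Network("ISP;Link", "203.0.113.1", "255.255.255.252")],
                    gateways=["198.51.100.1"])
    return InternetNode(interfaces=[isp])
```

Running `check_internet_node(example_invalid_node())` lists each violation, including the "no network attached" consequence of the rejected network address.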
You can define one or more networks under the Internet node. These networks identify those networks that you are connecting to the Internet, or all unknown networks. Typically, these networks represent networks that you share with your ISP. For each network that you define under the Internet node, you must also specify the IP address of the default gateway that all other networks and gateway nodes defined under the Internet node use to reach all unknown networks and the cloud networks defined in the Interfaces panel of the Internet node.
Tips Because Cisco Secure Policy Manager assumes that all gateway objects under the same Internet interface are directly connected to each other, we strongly recommend that you define a new interface for each ISP connection. Each interface represents the upstream interface on an access router of your ISP.
To define a new network under the Internet node, perform the following task:
Result: A new node named Network # appears under the Interface 1 interface.
Step 2 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 3 To specify the address of the network, type that address in the Network Address box under Edit Network Selection.
This value identifies the address of a specific network. Typically, this network is shared between you and your ISP. This specific network exists behind a gateway (represented by the Internet node) that is directly connected to that network. This address is used to derive routing rules on a Policy Enforcement Point.
Step 4 To specify the network mask that corresponds to the network address you specified, type that value in the Network Mask box.
This value identifies the mask of the network specified in the Network Address box. A Policy Enforcement Point uses this mask value to determine the appropriate routing rule.
Step 5 To define a new default gateway address that corresponds to the network that you just defined, right-click the Network node, point to New, and then click IP Address.
Result: A new node named 0.0.0.0 appears under the selected interface.
Step 6 To specify the default gateway, type that gateway address in the Network Address box under Edit Network Selection.
This address identifies the default gateway that all networks defined under this network node in the Network Topology tree will use to reach the cloud networks, as well as all the unknown networks, that the Internet node represents.
Step 7 For each network that you want to define, repeat Steps 1 through 6.
Step 8 To accept your changes and close the selected panel, click OK.
Step 9 To save any changes that you have made, click Save on the File menu.
You can define one or more cloud networks within the Internet node. Cloud networks identify those networks that can be reached through the cloud. The Internet node is a logical grouping structure that identifies the gateway used to reach all unknown networks, as well as any specific cloud networks. The real interfaces defined for the Internet node include the IP addresses of the default gateways that all networks defined in the Network Topology tree use to reach all unknown networks and the cloud networks defined in the Interfaces panel of the Internet node. The cloud networks are organized under a special interface called Cloud Networks.
To define a new cloud network on the Internet node, perform the following task:
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 2 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 3 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 4 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 5 For each cloud network that you want to define, repeat Steps 1 through 4.
Step 6 To accept your changes and close the selected panel, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.
From the panel associated with a network, you can define the address and mask settings for a specific network that is attached to a gateway object, such as a Policy Enforcement Point, a router, a switch, a firewall, or a cloud.
When you define a network, you are informing Cisco Secure Policy Manager where to expect network packets from and where to deliver them when they are destined for nodes on that network. Cisco Secure Policy Manager uses networks to help derive implicit routing rules on the Policy Enforcement Points over which it has control.
You can manually define a Network node under any Gateway node in the Network Topology tree. Gateway nodes include the Internet, clouds, IOS Routers, PIX Firewalls, and generic routers. Defining a new network is useful when you are defining your entire network topology because it ensures that Cisco Secure Policy Manager derives the correct routing rules required for a Policy Enforcement Point to deliver packets to hosts residing on that network. In addition, you can use a drag-and-drop operation to move Network nodes in the Security Policy Enforcement branch to refine network policy definitions.
To create a Network node, perform the following task:
Result: A new node named Network # appears under the selected gateway in the Interfaces panel.
The following gateway types exist:
Step 2 To name the network, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The name of the network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips If you cannot edit the name, right-click the new Network icon, and click Rename on the shortcut menu.
Step 3 To access the shortcut menu, right-click the Network icon for the network that you just created in the Navigator pane.
Step 4 To see the properties associated with the new network, click Properties on the shortcut menu.
Result: The General panel associated with the new network appears in the View pane.

Step 5 To specify the address assigned to this network, type that address in the Network Address box.
This value identifies the address of a specific network. This specific network exists behind a gateway that is directly connected to that network. This address is used to derive routing rules on a Policy Enforcement Point.
Step 6 To specify the network mask that corresponds to the network address you specified, type that value in the Network Mask box.
This value identifies the mask of the network specified in the Network Address box. A Policy Enforcement Point uses this mask value to determine the appropriate routing rule.
Step 7 To accept your changes and close the selected panel, click OK.
Step 8 To save any changes that you have made, click Save on the File menu.
Network shortcuts must reference an existing network and that network's perimeter, and they are defined most easily using the Topology Wizard, which is used to define new gateway objects, such as a Policy Enforcement Point. A Network Shortcut node identifies a network that is attached to the upstream interface of more than one gateway object.
Note You cannot define a Network Shortcut node if you select the Discover interface settings option in the Topology Wizard. You must select the Manually define interface settings option because a Network Shortcut node is a logical representation of the physical network within Cisco Secure Policy Manager.
Network shortcuts, like their associated networks, are useful when you are defining your entire network topology because they ensure that Cisco Secure Policy Manager derives the correct routing rules required for a Policy Enforcement Point to deliver packets to hosts residing on that network. However, network shortcuts add complexity because they inherently cause multiple routes to the same network objects to be generated from different gateway objects.
Tips If you do not require the complete definition of your network, you should define a Cloud node rather than attempt to define a large number of network shortcuts. Using a Cloud node reduces the possibility of generating a large number of routing rules, which can degrade the performance of a Save operation or a Save and Update operation where you have a Network Topology tree definition that includes a large number of network shortcuts.
You cannot use a drag-and-drop operation to move a Network Shortcut node into the Policy Enforcement branch, as you can with a Network node. Instead, the network shortcut is considered to be the actual Network node. Therefore, any security policies that you apply to the Network node affect any Policy Enforcement Points that are attached to that network and its associated network shortcuts.
You can perform the following tasks from the Network Shortcut panel. For step-by-step procedures on performing a specific task, click the appropriate task topic.
To create a network shortcut, you can either manually define the shortcut or you can use the Topology Wizard to reference an existing perimeter and network when you define a gateway object that is also attached, via an upstream interface, to an existing network. Before you can define a network shortcut, you must have defined the network (and its associated perimeter) that you want to reference as part of the interface definition of an existing gateway object, such as a cloud, PIX Firewall, IOS Router, or a generic Router.
Note You cannot define a Network Shortcut node if you select the Discover interface settings option. You must select the Manually define interface settings option because a Network Shortcut node is a logical representation of the physical network within Cisco Secure Policy Manager.
This task assumes that you are using the Topology Wizard to define an upstream interface manually, and that you are currently defining the settings in the Interface Settings panel of the wizard.
To use the Topology Wizard to define a shortcut to an existing network, perform the following task:
Step 2 Under Specify the perimeter for which this interface is a member, click Existing Perimeter.
Result: The Existing Perimeter box becomes active.
Step 3 In the Existing Perimeter box, select the perimeter that you defined on the upstream interface of the gateway object that is attached to the physical network to which you want to create a shortcut.
Step 4 To proceed to the IP Address Setting panel for the selected interface, click Next.
Step 5 Under Network Shortcut, select This option creates a Network Shortcut.
Result: The Network box under Network Shortcut becomes active, and the IP address box is populated with one of the networks attached to that perimeter.
Step 6 In the Network box, select the network to which you want to create a shortcut.
Step 7 In the IP Address box under IP Address and Network Mask, specify the IP address assigned to this interface.
This IP address must reside on the selected network.
Step 8 To continue defining the settings for the gateway object, click Next and provide the information requested in the Topology Wizard panels.
You can manually define a network shortcut by duplicating the exact names of the perimeter and network in the Interfaces panel of a gateway object that has an upstream interface attached to the same network as another gateway object. Before you can define a network shortcut, you must have defined the network (and its associated perimeter) that you want to reference as part of the interface definition of an existing gateway object, such as a cloud, PIX Firewall, IOS Router, or a generic Router.
This task assumes that you are working in the Interfaces panel of a gateway object. It also assumes that you have not yet defined the perimeter that will be shared or that the perimeter is inherited from a downstream gateway object. In other words, it assumes that you have defined the downstream interface settings for this gateway object, but not the interface settings for the upstream interface that is connected to the network to which you want to create a Network Shortcut node.
To define a shortcut to an existing network manually, perform the following task:
Result: A new node named Perimeter # appears in the Interfaces panel.
Step 2 To specify the name of the perimeter that is defined on the gateway object that shares the network with the selected gateway object, type that perimeter's name in the Name box under Edit Perimeter Selection.
You must specify the name of this perimeter exactly as it appears on the gateway object for which you originally defined that perimeter.
Step 3 To define the shared network, click Network under Insert New.
Result: A new node named Network # appears in the Interfaces panel.
Step 4 To specify the name of the shared network, type that name in the Name box under Edit Network Selection.
You must specify the name of this network exactly as it appears on the gateway object for which you originally defined that network.
Step 5 To define the IP address that this gateway object has on the shared network, click IP Address under Insert New.
Result: A new node named 0.0.0.0 appears in the Interfaces panel.
Step 6 To specify the IP address that this gateway object has on the shared network, specify that address in the IP Address box under Edit IP Address Selection.
This address must be a valid address on the specified network.
Step 7 Continue defining the interfaces on the selected gateway object. When you click OK to close the Interfaces panel, a message box appears stating that a physical network with the same network address has been found inside the perimeter that you specified in Step 2. You are prompted to click Yes to create a shortcut (reference) to that network.
Step 8 To create the reference to the existing network, click Yes.
Result: A shortcut to the specified network appears as one of the networks upstream from the selected gateway object.

Clouds enable you to stop defining your network topology in detail beyond a reasonable point. In other words, if you do not want to define the physical topology of all your internal networks, you can specify only the default gateway address that can be used to reach cloud networks. Clouds can be a little misleading in that they do represent some real gateway object, such as a router, firewall, or switch. However, they do not represent ones that you want to control with Cisco Secure Policy Manager; instead, they represent a gateway object that acts as a downstream concentration point/default gateway that leads to all the cloud networks that are defined within it. These cloud networks do not have to be directly connected to the cloud; they can be reached through a gateway attached to one of the networks defined in the cloud.
When you define a cloud, the routing rules required to reach all cloud networks are automatically defined on the Cloud node and your Policy Enforcement Points can derive the rules that they require to reach those networks. You can also use a Cloud node to identify an IPSec tunnel peer. By specifying the IPSec information for this gateway object, you can include it in IPSec Tunnel Groups as a hub or spoke object (a peer type).
Tips It is assumed that any settings that Cisco Secure Policy Manager generates for a Cloud node, such as routes and the information specified in the IPSec panel, are settings that either you or another administrator has verified to be on the gateway object that the Cloud node represents.
Cloud nodes organize those settings required to identify and route to networks that reside upstream from the gateway. Clouds are unique gateway objects because they do not require at least two real interfaces, as do Policy Enforcement Points. Instead, the Cloud node has at least one real interface (the downstream interface) and exactly one Cloud Networks interface (an upstream interface). When you specify an IP address associated with a non-cloud interface, you are specifying the default gateway through which the cloud networks organized under the Cloud Networks interface (and therefore, within the cloud) can be reached.
A cloud network is a special type of network. A Cloud node enables you to define cloud networks. You can use only the Interfaces panel on a Cloud node to define cloud networks. Cloud networks, organized under the Cloud Networks interface, represent networks that exist upstream of other upstream gateways that you do not intend to define, and possibly upstream of other cloud networks in the list. The ability to define these special networks enables you to stop defining your physical network topology at a point that makes sense to you, such as when you do not have any additional Policy Enforcement Points that could enforce policy residing between these networks. It also enables those existing Policy Enforcement Points to derive routing rules that can transfer network communications between the Cloud node networks and other networks that you have fully described upstream from the Cloud node in other branches of the Network Topology tree (not in the direct path of traffic flowing between the Cloud node and the Internet node).
The Interfaces panel organizes settings and relationships used to derive how network policies are enforced against your networks and the hosts residing on those networks. It organizes five key pieces of information:
A Cloud represents a collection of networks residing behind an unmanaged gateway object. To define a Cloud node, you must specify at least one physical interface and the IP address that is used to reach that collection of networks. This physical interface, which is always the downstream interface, represents the default gateway used to reach all cloud networks that you define as part of a Cloud node.
Cloud networks are networks that reside upstream from the gateway object represented by the Cloud node. Because you are leveraging the default gateway assigned to the downstream interface, you only have to define the cloud networks, not additional interfaces or addresses that would be assigned to those interfaces.
Cloud networks enable you to represent networks that you know about and for which you want to specify special security policies, such as not permitting traffic to a particular network. For cloud networks, you do not need to define the gateway objects, interfaces, and addresses associated with those networks because they are all reachable through the gateways represented by the downstream physical interface. Your upstream and downstream Policy Enforcement Points are used to enforce such restrictions by enforcing the defined security policies against any network traffic destined to these cloud networks and originating from the networks that are downstream or upstream from those Policy Enforcement Points.
In addition, you are not limited to defining only cloud networks on a Cloud node. You can also define other real, unnumbered, and virtual interfaces that are attached to upstream networks that you need to identify.
You can define a Cloud node that organizes cloud networks from any Network node defined under the Network Topology tree. You can also use the Network Wizard to define a Cloud node. Clouds represent a collection of networks whose exact topology is not known or that you do not want to define.
To define a new Cloud node under your Network Topology tree, perform the following task:
Result: A new node named Cloud # appears under the Network node.

Step 2 To name the cloud, type the new name in the selected Name box and press Enter.
Result: The new name appears in the Name box of the selected node.
The cloud name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new Cloud icon, and click Rename on the shortcut menu.
Step 3 You have now defined the Cloud node under a specific network. For instructions on completing your Cloud node definition, click the following task topic:
Step 4 To save any changes that you have made, click Save on the File menu.
After you have defined a Cloud node, the first task that you must complete is specifying the settings in the Interfaces panel for that Cloud node. In the Interfaces panel, you must specify the IP address of the default gateway used to reach any cloud networks that you intend to define. Next, you must specify the cloud networks under the Cloud Networks interface.
Note: This procedure assumes that you have just created and named a Cloud node as described in the Defining a New Cloud Node task. Therefore, we assume that you are on the Cloud node that you have just created and are attempting to complete the requisite settings to pass a system Consistency Check.
To specify interface settings of a Cloud node, perform the following task:
Result: The Interfaces panel appears in the View pane.

Step 2 To select the IP address object that represents the default gateway address, click the IP address icon under the downstream interface in the Interfaces panel.
The downstream interface is the interface that is attached to the shared network under which this Cloud node resides.
Step 3 To specify the default gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that fully defined networks upstream from this Cloud node will use to reach the cloud networks that you intend to define.
Step 4 Right-click the Cloud Networks icon in the Interfaces panel, point to New, and then click Network on the shortcut menu.
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 5 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 6 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 7 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 8 For each cloud network that you want to define, repeat Steps 4 through 7.
Step 9 To accept your changes and close the selected panel, click OK.
Step 10 To save any changes that you have made, click Save on the File menu.
After you have defined a Cloud node, you can define one or more cloud networks within that Cloud node. Cloud networks identify those networks that can be reached through the cloud. The Cloud node is a logical grouping structure that identifies the gateway used to reach those cloud networks. At least one interface defined for the Cloud node includes the IP address of a default gateway that is used to reach the cloud networks from other networks defined in the Network Topology tree. Cloud networks are organized under a special interface called Cloud Networks.
To define a new cloud network, perform the following task:
Result: The Interfaces panel appears in the View pane.
Step 2 To access the shortcut menu, right-click the Cloud Networks icon in the Interfaces panel.
Step 3 To define a new cloud network, point to New, and then click Network.
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 4 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 5 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 6 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 7 For each cloud network that you want to define, repeat Steps 2 through 6.
Step 8 To accept your changes and close the selected panel, click OK.
Step 9 To save any changes that you have made, click Save on the File menu.
The PIX Firewall node is a gateway object that represents a managed Policy Enforcement Point. As a managed Policy Enforcement Point, the PIX Firewall is responsible for enforcing the device-specific command sets that are published to this Policy Enforcement Point by its Policy Distribution Point. Policy Enforcement Points define the boundaries between networks, called perimeters, where network policy can be enforced.
Because the PIX Firewall is a managed Policy Enforcement Point, the Interfaces panel organizes settings and relationships used to derive the command sets that realize how network policies are enforced against your networks and the hosts residing on those networks. It organizes five key pieces of information:
The PIX Firewall requires the following relationships to exist for each interface that is installed in that firewall:
For the PIX Firewall node, you must have a minimum of two interfaces installed and enabled, and therefore, two perimeters must exist. One perimeter is always inherited from the downstream network, and the other is one that you must define on this PIX Firewall. These two interfaces must be installed in slots 0 and 1 of the PIX Firewall. However, if you have more than two interfaces installed in the PIX Firewall, you can disable the use of the interfaces that are not installed in slots 0 or 1. By disabling an interface, you are specifying that you do not want to send or receive network packets on that interface. In addition, the names of the interfaces must adhere to the following specific guidelines:
Therefore, the only interfaces that you must rename are the DMZ-slot:# interfaces, where the "#" is replaced by the slot number in which that interface is installed. Also, you will only modify the slot number itself. If you change the interface to a name that is not listed above, a consistency error results.
When you select an interface node in the Interfaces panel of a PIX Firewall, the Settings button appears under Edit Interface Selection. This button presents a panel in which you can specify, on a per-interface basis, whether you want to allow the PIX Firewall to pass routing table updates through the firewall and whether you want it to broadcast new routing table updates.
Warning: Any use of routing protocols, such as RIP, may expose your networks to attacks based on the inherent weakness in routing protocols. We do not recommend that you enable these features.
When defining a PIX Firewall gateway object with more than three interfaces installed in it, you have the option of specifying security levels that are different from the defaults generated by Cisco Secure Policy Manager. The PIX Firewall has specific requirements about the levels associated with the inside and outside interfaces; however, you can modify the levels of the DMZ-slot:# interfaces.
The security level values range from 0 to 100. The outside interface (the first interface) must be security level 0 and the security level for the inside interface (the second interface) must be 100. DMZ interfaces have security levels between 0 and 100, such as 10, 20, 39, etc. The absolute value of the security level is not important, and these values are generated automatically by Cisco Secure Policy Manager based on the order of the interfaces within the Interfaces panel on a PIX Firewall node.
From the perspective of Cisco Secure Policy Manager, you cannot define address hiding rules to hide an object, or any attached interfaces, with a lower security level from an object with a higher security level. In other words, you cannot use an interface with a higher security level to hide an interface with a lower security level (or a network object reached via that interface).
From the perspective of a PIX Firewall, an interface with a higher security level is considered more secure than one with a lower security level. Traffic that flows from an interface with a higher security level to an interface with a lower security level is considered outbound traffic, which results in "outbound permit," "outbound deny," and "apply" commands being generated to control such traffic flows.
Traffic that flows from an interface with a lower security level to an interface with a higher security level is considered to be inbound traffic, which results in "conduit permit" and "conduit deny" commands being generated to control such traffic flows. Cisco Secure Policy Manager is responsible for translating all security policies into the device-specific command sets that represent the traffic flows described by the higher-level security policies. You can use the Command panel of a PIX Firewall node to review the generated command sets. Therefore, security levels are also important if you plan to define additional commands using the epilogue or prologue command sets in the Command panel on the selected PIX Firewall node.
In some cases, you can control the PIX Firewall only from the most secure interface (the inside interface). This is the case when you are managing PIX Firewalls that are running software versions earlier than 5.0.
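The order-to-security-level mapping and the outbound/inbound distinction described above, as an added example that is not Cisco Secure Policy Manager's own code. It assumes the intermediate DMZ values are spaced evenly between 0 and 100 (the text only states that they lie between 0 and 100 and are derived from position), and the panel order it uses is constructed.

```python
"""Added example, not Cisco Secure Policy Manager code: models how the order of
interfaces in a PIX Firewall node's Interfaces panel determines security levels,
how Move Down changes them, and how the levels classify a traffic flow."""
import re

# Name rules from the text: the first interface must be "outside", the last
# must be "inside", and every other interface is a DMZ named DMZ-slot:<slot#>.
DMZ_NAME = re.compile(r"^DMZ-slot:\d+$")


def assign_security_levels(ordered_names):
    """Return {interface_name: security_level} for interfaces in panel order.

    outside -> 0, inside -> 100, DMZ interfaces strictly between them.
    Assumption: intermediate values are spaced evenly; the exact numbers are
    generated by the product and are not stated in the text.
    """
    if len(ordered_names) < 2:
        raise ValueError("a PIX Firewall needs at least two interfaces (slots 0 and 1)")
    if ordered_names[0] != "outside":
        raise ValueError("the first interface must be named outside (level 0)")
    if ordered_names[-1] != "inside":
        raise ValueError("the last interface must be named inside (level 100)")
    for name in ordered_names[1:-1]:
        if not DMZ_NAME.match(name):
            raise ValueError(f"{name!r} fails the consistency check; expected DMZ-slot:#")
    if len(set(ordered_names)) != len(ordered_names):
        raise ValueError("interface names must be unique")
    last = len(ordered_names) - 1
    return {name: round(100 * pos / last) for pos, name in enumerate(ordered_names)}


def move_down(ordered_names, name):
    """Simulate clicking Move Down: the interface moves one position toward the
    bottom of the list, i.e. toward the more trusted end (higher level)."""
    names = list(ordered_names)
    i = names.index(name)
    if i < len(names) - 1:
        names[i], names[i + 1] = names[i + 1], names[i]
    return names


def classify_flow(levels, src_iface, dst_iface):
    """'outbound' for higher -> lower level (outbound permit/deny and apply
    commands) or 'inbound' for lower -> higher level (conduit permit/deny)."""
    src, dst = levels[src_iface], levels[dst_iface]
    if src == dst:
        raise ValueError("two interfaces of one PIX Firewall never share a level")
    return "outbound" if src > dst else "inbound"


def can_hide(levels, hiding_iface, hidden_iface):
    """Address hiding rule: an interface may not hide an interface (or a network
    object reached through it) whose security level is lower than its own."""
    return levels[hiding_iface] < levels[hidden_iface]


if __name__ == "__main__":
    panel = ["outside", "DMZ-slot:2", "DMZ-slot:3", "inside"]  # constructed order
    levels = assign_security_levels(panel)
    print(levels)
    print(classify_flow(levels, "inside", "DMZ-slot:2"))   # outbound
    print(classify_flow(levels, "outside", "DMZ-slot:2"))  # inbound
    print(assign_security_levels(move_down(panel, "DMZ-slot:2")))
```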
You can perform the following tasks from the PIX Firewall panel. For step-by-step procedures on performing a specific task, click the appropriate task topic.
You can manually define a PIX Firewall node that enforces network policy between two or more networks from any Network node defined under the Network Topology tree. You can also use the Topology Wizard to define a PIX Firewall node. PIX Firewalls represent Policy Enforcement Points in your network that Cisco Secure Policy Manager uses to enforce the network policies applied under the Network Policy tree.
Defining a new, managed Policy Enforcement Point is useful when you are defining your entire network topology because it helps you organize networks behind their respective gateways and enforce network policy against traffic destined to and originating from those networks. In addition, you can use a drag-and-drop operation to move PIX Firewall nodes in the Security Policy Enforcement branch to refine network policy definitions.
Tips: We strongly recommend that you use the Topology Wizard to create new Policy Enforcement Points. To access this wizard, click Topology Wizard on the Wizards menu.
To create a PIX Firewall node under your Network Topology tree, perform the following task:
Result: A new node named PIX Firewall # appears under the Network node.

Step 2 To name the PIX Firewall, type the new name in the selected Name box and press Enter.
Result: The new name appears in the Name box of the selected node.
The name of the PIX Firewall may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new PIX Firewall icon, and click Rename on the shortcut menu.
Step 3 You have now defined the PIX Firewall node under a specific network. For instructions on completing your PIX Firewall node definition, click the appropriate task topic:
Step 4 To save any changes that you have made, click Save on the File menu.
After you have defined a PIX Firewall node, your first task is to specify the settings in the Interfaces panel for that PIX Firewall node. In the Interfaces panel, you must specify the IP address of the default gateway used to reach any networks that you intend to define. Next, you must define a second interface, any new networks under that interface, and the IP addresses belonging to those networks that are assigned to that interface. However, each interface that you define for a PIX Firewall must reside on its own perimeter. In other words, only one interface can reside on a single perimeter that is represented in the Interfaces panel.
Tips: For a PIX Firewall, you can only have one interface per perimeter. Therefore, for each interface that you want to define, you must also define a perimeter.
Note: This procedure assumes that you have just created and named a PIX Firewall node as described in the Creating a PIX Firewall Node task. Therefore, we assume that you are on the PIX Firewall node that you have just created and are attempting to complete the requisite settings to pass a system Consistency Check.
To specify the interface settings of a PIX Firewall node, perform the following task:
Result: The Interfaces panel appears in the View pane.

Step 2 To select the network for which you want to define a default gateway that is attached to this PIX Firewall, click that Network icon in the Interfaces panel.
Result: The boxes under Edit Network Selection populate with values for that network.
Step 3 To create the address that will be used as a default gateway, click IP Address under Insert New.
Result: A new IP address node appears in the Interfaces tree.
Step 4 To specify the default gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that the fully defined networks upstream from this PIX Firewall node will use to reach additional networks that you intend to define under this firewall.
Step 5 If you want to define a new interface, click the perimeter under which you want to define the new interface in the Interfaces panel. Otherwise, skip to Step 20.
Result: The Interface button under Insert New becomes available.
Step 6 To create a new interface in this PIX Firewall, click Interface under Insert New.
Result: A new node named DMZ-slot:# appears under the selected perimeter.
Step 7 To name the new interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
When naming an interface installed in a PIX Firewall, you must adhere to the following specific guidelines.
Therefore, the only interfaces that you must rename are the DMZ-slot:# interfaces, where the "#" is replaced by the slot number in which that interface is installed. Also, you will only modify the slot number itself. If you change the interface to a name that is not listed above, a consistency error results.
Step 8 To specify the media type of the new interface, click that type in the Type list under Edit Interface Selection.
You can specify one of the following media types:
Step 9 To access the shortcut menu, right-click the Interface icon that you have just defined in the Interfaces panel.
Step 10 To define a new network, point to New, and then click Network.
Result: A new node named Network # appears under the interface that you just defined.
Step 11 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of the network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 12 To specify the address of the network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that is attached to the interface on this PIX Firewall node.
Step 13 To specify the network mask of the network, type that mask in the Network Mask box under Edit Network Selection.
Step 14 For each network that you want to define under this interface, repeat Steps 9 through 13.
Step 15 To create the address that will be used as the gateway for reaching this network, click IP Address under Insert New.
Result: A new IP address node appears under the selected network in the Interfaces panel.
Step 16 To specify the gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that the fully defined networks downstream from this PIX Firewall node will use to reach networks defined upstream from this firewall.
Step 17 To define additional interfaces, repeat Steps 5 through 16. However, you must first define a new perimeter for each interface that you want to define. Otherwise, continue with Step 18.
Result: A new node named Perimeter # appears in the Interfaces panel.
Result: The new name appears in the Name box of the selected node.
Step 18 To move the inside interface to be the last interface in the list, click the perimeter under which the inside interface is defined and click Move Down until it is the last Perimeter in the list.
Because Cisco Secure Policy Manager defines the security levels of the PIX Firewall interfaces based on their position in the Interfaces box, the inside interface must be last, representing the security level of 100. In addition, the outside must be the first interface in the list, which represents the security level of 0.
By selecting an interface in the Interface Security Levels list and clicking Move Down, you can raise the security level of the selected interface (increase the automatically assigned value). By selecting an interface in the Interface Security Levels list and clicking Move Up, you can lower the security level of the selected interface (decrease the automatically assigned value). For more information on this subject, refer to the "Help for PIX Firewall Users" topic in the online help system provided with the product.
Step 19 To accept your changes and close the selected panel, click OK.
Step 20 To save any changes that you have made, click Save on the File menu.
Once you have defined a PIX Firewall node, you can modify the trust settings of the interfaces installed in that PIX Firewall by editing the settings in the Interfaces panel. This feature enables you to invert the trust orientation of the selected PIX Firewall. To modify the trust settings of the interfaces in a PIX Firewall node, perform the following task:
Result: The Interfaces panel appears in the View pane.
Step 2 To specify that a perimeter is the least trusted perimeter, select that perimeter and move it to the highest position in the Interfaces tree by clicking Move Up until it is first.
Position, and therefore security level, is relative from top to bottom within the Interfaces tree control, where the top is the lowest (least trusted) or first position and the bottom is the highest (most trusted) or last position. Cisco Secure Policy Manager automatically generates the values that are assigned to the interfaces based on their position in the Interfaces panel. In this panel, the least trusted interface, which occupies the highest position in the tree control, is assigned the value of 0 (zero). The most trusted interface, which occupies the lowest position in the tree control, is assigned the value of 100. All intermediate interfaces are assigned values between 0 and 100.
Step 3 To specify that a perimeter is the most trusted perimeter, select that perimeter and move it to the lowest position in the Interfaces tree by clicking Move Down until it is last.
Step 4 To move the outside interface to the first perimeter, select the interface named outside and move it to the first perimeter by clicking Move Up.
The outside interface represents the interface installed in slot 0.
Step 5 To move the inside interface to the last perimeter, select the interface named inside and move it to the last perimeter by clicking Move Down.
The inside interface represents the interface installed in slot 1.
Step 6 To move the network assigned to the outside interface, select the network that is connected to the interface installed in slot 0 and move it to the outside interface by clicking Move Up.
Step 7 To move the IP address that matches the network assigned to the outside interface, select the IP address that is a member of the network attached to the interface installed in slot 0 and move it to the outside interface by clicking Move Up.
Step 8 To move the network assigned to the inside interface, select the network that is connected to the interface installed in slot 1 and move it to the inside interface by clicking Move Down.
Step 9 To move the IP address that matches the network assigned to the inside interface, select the IP address that is a member of the network attached to the interface installed in slot 1 and move it to the inside interface by clicking Move Down.
Step 10 To accept your changes and close the selected panel, click OK.
Step 11 To save any changes that you have made, click Save on the File menu.
Note: For an IOS Router, Cisco Secure Policy Manager does not actually generate the commands that assign names, networks, and addresses to the interfaces installed in the router. Instead, you must match the current configuration of the router exactly with the settings specified in the Interfaces panel of the IOS Router node. Cisco Secure Policy Manager uses this information to generate the correct commands based on the interfaces that are previously configured.
Two types of interfaces exist: real and virtual. A real interface corresponds to a piece of physical hardware whereas a virtual interface does not. A virtual interface helps you resolve problems where you need to specify an interface but for some reason cannot use a real interface or do not want to commit to using a specific real interface. In IOS, these interfaces are called Loopback interfaces. An example use of a virtual interface is when you want to enable IPSec tunnels based on certificates and you want the tunnels to operate through two interfaces on the same gateway object. In this case, you can create a virtual interface and specify it as the tunnel endpoint for both tunnels. Another advantage of the virtual interface is that it is always in the "up" state.
A property of a type of interface is whether or not that interface is unnumbered. An unnumbered interface allows you to pass traffic over the interface without using any IP addresses, meaning that it does not require you to attach it to a network. Instead, it simply borrows an IP address from a network attached to another interface on that gateway object. Using borrowed IP addresses, other network objects can pass traffic through an unnumbered interface. Typically, unnumbered interfaces are physical serial interfaces, so only one possible destination exists and, therefore, no addressing is needed.
In the IP scheme, each interface in the internetwork must be assigned a valid IP address. Normally, when you specify a routing rule, you must specify the IP address of the interface to which a network packet bound for a particular destination should be sent. This IP address must reside on a locally attached network. In other words, the network portion of the next hop address must match the network portion of some interface on the IOS Router for which you are specifying the routing rule.
When two network objects are connected by a serial line, it is not necessary to specify the IP address of the network object on the other end of the serial line. There is no ambiguity about where the packet should be delivered, because only one other device is connected to the serial line in question. Because an IOS Router can determine exactly where packets should be sent, and because IP addresses have become a scarce resource, an IOS Router allows serial interfaces to exist without IP addresses. The routing rules are entered by using the interface name for the next hop.
IP packets can also originate on the network object that has the unnumbered interface(s), and those IP packets must carry a source IP address in their IP headers. IOS Routers solve this problem by associating some other interface with the unnumbered interface. This associated interface must have an IP address assigned to it, which the IOS Router uses as the source address when originating a packet to be sent through the unnumbered interface. IOS Routers use the associated interface for no other purpose, so the only restriction on an associated interface is that it must have an IP address. Only serial interfaces can be unnumbered.
Within Cisco Secure Policy Manager, all unnumbered networks are assigned the illegal IP address of 255.255.255.255/32 as a placeholder, so that the definition of the unnumbered network is considered complete. This address is not a legal address for numbered networks. As a result, Cisco Secure Policy Manager does not allow you to select a network with this address in an IF Source is or IF Destination is condition or as a member of a Network Object Group definition, because Cisco Secure Policy Manager cannot resolve it externally.
Within Cisco Secure Policy Manager, you can select an unnumbered network or unnumbered interface as the next hop within a routing rule. This use is their only purpose within the system.
The Interfaces panel organizes settings and relationships used to derive how network policies are enforced against your networks and the hosts residing on those networks. It organizes four key pieces of information:
Unlike the PIX Firewall node, the IOS Router node enables you to define a much broader variety of interfaces and associated addresses and networks. You can define the following interface types:
An IOS interface name consists of three parts: the adapter type, the physical name, and the logical name. The following table identifies the IOS interface naming scheme required by Cisco Secure Policy Manager:
| Type | Physical Name | Logical Name |
|---|---|---|
| Adapter_type | { port# \| slot#/port# \| slot#/bank#/port# } | [ { .subinterface# \| :channel# } ] |
| Mandatory | Mandatory | Optional |
The following names are examples of valid interface names and their descriptions:
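A parser for the naming scheme in the table above, as an added example that is not Cisco Secure Policy Manager's own code. It checks only the structure the table describes (adapter type, one to three slash-separated numbers, an optional .subinterface# or :channel# suffix), not whether the adapter type is one that IOS actually knows; the interface names in it are constructed for illustration.

```python
"""Added example, not Cisco Secure Policy Manager code: parses an IOS interface
name into adapter type, physical name (port#, slot#/port#, or slot#/bank#/port#)
and optional logical name (.subinterface# or :channel#)."""
import re

# Adapter type: letters (a hyphen is allowed inside, e.g. Port-channel).
# Physical name: one to three numbers separated by "/".
# Logical name: optional, exactly one of ".<n>" (subinterface) or ":<n>" (channel).
IOS_IFNAME = re.compile(
    r"^(?P<adapter>[A-Za-z][A-Za-z-]*)"
    r"(?P<physical>\d+(?:/\d+){0,2})"
    r"(?P<logical>[.:]\d+)?$"
)

# How the slash-separated numbers are labelled, by how many there are.
PHYSICAL_LABELS = {1: ("port",), 2: ("slot", "port"), 3: ("slot", "bank", "port")}


def parse_ios_interface_name(name):
    """Return a dict describing the name, or None if it does not fit the scheme."""
    m = IOS_IFNAME.match(name)
    if m is None:
        return None
    numbers = [int(n) for n in m.group("physical").split("/")]
    result = {"adapter_type": m.group("adapter")}
    result.update(zip(PHYSICAL_LABELS[len(numbers)], numbers))
    logical = m.group("logical")
    if logical:
        key = "subinterface" if logical[0] == "." else "channel"
        result[key] = int(logical[1:])
    return result


def is_valid_ios_interface_name(name):
    """True when the name would pass the naming scheme (structure only)."""
    return parse_ios_interface_name(name) is not None


if __name__ == "__main__":
    # Constructed names for illustration; the last three are deliberately invalid.
    for candidate in ("Ethernet0", "Serial1/0", "FastEthernet2/0/1.100",
                      "Serial0:23", "Ethernet 0", "Ethernet0/1/2/3", "0/1"):
        print(f"{candidate!r}: {parse_ios_interface_name(candidate)}")
```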
You can perform the following tasks from the IOS Router panel in the Network Topology tree. For step-by-step procedures on performing a specific task, click the appropriate task topic.
You can manually define an IOS Router node that enforces network policy between two or more networks from any Network node defined under the Network Topology tree. You can also use the Topology Wizard to define an IOS Router node. IOS Routers represent Policy Enforcement Points in your network that Cisco Secure Policy Manager uses to enforce the network policies applied under the Network Policy tree.
Defining a new, managed Policy Enforcement Point is useful when you are defining your entire network topology because it helps you organize networks behind their respective gateways and enforce network policy against traffic destined to and originating from those networks. In addition, you can use a drag-and-drop operation to move an IOS Router node in the Security Policy Enforcement branch to refine network policy definitions.
Tips: We strongly recommend that you use the Topology Wizard to create new Policy Enforcement Points. To access this wizard, click Topology Wizard on the Wizards menu.
To create a new IOS Router, perform the following task:
Result: A new node named IOS Router # appears under the selected network.

Step 2 To name the IOS Router, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The name of the router may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new IOS Router icon, and then click Rename on the shortcut menu.
Step 3 You have now defined the IOS Router node under a specific network. For instructions on completing your IOS Router node definition, click the appropriate task topic:
Step 4 To accept your changes and close the selected panel, click OK.
Step 5 To save any changes that you have made, click Save on the File menu.
After you have defined an IOS Router node, the first task is to identify the settings in the Interfaces panel for that IOS Router node. In the Interfaces panel, you must identify the IP address of the default gateway used to reach any networks that you intend to define. Next, you must identify all other interfaces and any networks under those interfaces. All managed Policy Enforcement Points require that you have at least two interfaces defined: one downstream (inherited from the downstream network to which the router is attached) and one upstream. However, each interface that you define for an IOS Router must reside on its own perimeter. In other words, only one interface can reside on a single perimeter that is represented in the Interfaces panel.
Note: For an IOS Router, Cisco Secure Policy Manager does not actually generate the commands that assign names, networks, and addresses to the interfaces installed in the router. Instead, you must match the current configuration of the router exactly with the settings specified in the Interfaces panel of the IOS Router node. Cisco Secure Policy Manager uses this information to generate the correct commands based on the interfaces that are previously configured.
Tips: For an IOS Router, you can only have one interface per perimeter. Therefore, for each interface that you want to define, you must also define a perimeter. The downstream interface is automatically created and assigned to the inherited perimeter, which is defined as part of a downstream Policy Enforcement Point or the Internet node.
Note: This procedure assumes that you have just created and named an IOS Router node as described in the Creating an IOS Router Node task. Therefore, we assume that you are on the IOS Router node that you have just created and are attempting to complete the requisite settings to pass a system Consistency Check.
To specify the interface settings of an IOS Router node, perform the following task:
Result: The Interfaces panel appears in the View pane.

Step 2 To select the downstream interface that is connected to the downstream network, click the Interface icon in the Interfaces panel.
The downstream interface is defined automatically when you create a new IOS Router node. It is connected to the network that you selected to create the IOS Router node.
Step 3 To name the downstream interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
Step 4 To specify the media type of the downstream interface, click that type in the Type list under Edit Interface Selection.
Step 5 To specify the default gateway, type that gateway address in the Network Address box under Edit Network Selection.
This address identifies the gateway that the fully defined networks downstream from this IOS Router node will use to reach additional networks that you intend to define under this router.
Note For any unnumbered interface that you define in an IOS Router node, the network address cannot be edited. In addition, the IP address/range that you must define for any unnumbered interface is the invalid host address of 255.255.255.255, which serves merely as a placeholder for Cisco Secure Policy Manager.
Step 6 To create a new perimeter that will attach to an upstream network, click Perimeter under Insert New.
Result: A new node named Perimeter # appears in the Interfaces panel.
Step 7 To give the new perimeter a meaningful name, type that name in the Name box under Edit Perimeter Selection, and then press Enter.
Result: The new name appears in the Name box of the selected node.
Step 8 If you want to define a new upstream interface, click the perimeter under which you want to define the new interface in the Interfaces panel. Otherwise, skip to Step 19.
Result: The Interface button under Insert New becomes available.
Step 9 To create a new upstream interface in this IOS Router, click Interface under Insert New.
Result: A new node named Ethernet appears under the selected perimeter.
Step 10 To name the upstream interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
Step 11 To specify the media type of the upstream interface, click that type in the Type list under Edit Interface Selection.
Step 12 To access the shortcut menu, right-click the Interface icon that you have just defined in the Interfaces panel.
Step 13 To define a new upstream network, point to New, and then click Network.
Result: A new node named Network # appears under the interface that you just defined.
Step 14 To name the upstream network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of the network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 15 To specify the address of the upstream network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that is attached to an upstream interface on this IOS Router node.
Step 16 To specify the network mask of the upstream network, type that mask in the Network Mask box under Edit Network Selection.
Step 17 To create the address that will be used as the gateway for reaching this upstream network, click IP Address under Insert New.
Result: A new IP address node appears under the selected upstream network in the Interfaces panel.
Step 18 To specify the gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that the fully defined networks upstream from this IOS Router node will use to reach networks defined downstream from this IOS Router.
Step 19 To define additional perimeter/interface pairs, repeat Steps 6 through 18. However, you must first define a new perimeter for each interface that you want to define. Otherwise, continue with Step 20.
Step 20 To accept your changes and close the selected panel, click OK.
Step 21 To save any changes that you have made, click Save on the File menu.
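The interface rules stated above (one inherited downstream interface, at least one upstream interface, one interface per perimeter, and the 255.255.255.255 placeholder for unnumbered interfaces) are the kind of thing the Consistency Check enforces. The following is an added example, not Cisco Secure Policy Manager code, that applies those rules to a small in-memory model of an IOS Router node's Interfaces panel; the class and field names, the sample node, and the rule that a network's gateway address must lie on that network are assumptions made for the example.

```python
"""Offline consistency check for an IOS Router node's Interfaces panel.

Added example, not Cisco Secure Policy Manager code. It models only the
rules stated in the text: a managed Policy Enforcement Point needs one
downstream and at least one upstream interface, each IOS Router interface
must sit on its own perimeter, and an unnumbered interface carries the
placeholder address 255.255.255.255. The class names, field names and the
rule that a network's gateway lies inside that network are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List

UNNUMBERED_PLACEHOLDER = "255.255.255.255"  # placeholder named in the text's Note


@dataclass
class Network:
    name: str
    address: str   # Network Address box, e.g. "10.1.1.0"
    mask: str      # Network Mask box, e.g. "255.255.255.0"
    gateway: str   # IP Address node used to reach this network

    def cidr(self) -> IPv4Network:
        # strict=True rejects an address that has host bits set under the mask
        return IPv4Network(f"{self.address}/{self.mask}", strict=True)


@dataclass
class Interface:
    name: str
    perimeter: str
    upstream: bool
    address: str = ""              # IP address/range of the interface
    unnumbered: bool = False
    networks: List[Network] = field(default_factory=list)


@dataclass
class IosRouterNode:
    name: str
    interfaces: List[Interface]


def check_ios_router(node: IosRouterNode) -> List[str]:
    """Return the list of problems found; an empty list means the node passes."""
    problems: List[str] = []
    downstream = [i for i in node.interfaces if not i.upstream]
    upstream = [i for i in node.interfaces if i.upstream]
    if len(downstream) != 1:
        problems.append(f"{node.name}: expected one inherited downstream interface, found {len(downstream)}")
    if not upstream:
        problems.append(f"{node.name}: a managed Policy Enforcement Point needs at least one upstream interface")

    # Rule from the text: only one interface may reside on a given perimeter.
    first_on_perimeter: Dict[str, str] = {}
    for iface in node.interfaces:
        other = first_on_perimeter.setdefault(iface.perimeter, iface.name)
        if other != iface.name:
            problems.append(f"{node.name}: interfaces {other!r} and {iface.name!r} share perimeter {iface.perimeter!r}")

    for iface in node.interfaces:
        if iface.unnumbered:
            if iface.address != UNNUMBERED_PLACEHOLDER:
                problems.append(f"{iface.name}: unnumbered interface must carry the placeholder {UNNUMBERED_PLACEHOLDER}")
            continue
        for net in iface.networks:
            try:
                cidr = net.cidr()
            except ValueError as exc:
                problems.append(f"{net.name}: invalid network address/mask ({exc})")
                continue
            # Assumed rule: the gateway used to reach a network must be an address on it.
            if IPv4Address(net.gateway) not in cidr:
                problems.append(f"{net.name}: gateway {net.gateway} is not an address on {cidr}")
    return problems


def sample_node(shared_perimeter: bool = False) -> IosRouterNode:
    """Constructed sample: inherited downstream interface plus two upstream ones.

    With shared_perimeter=True the second upstream interface is placed on the
    same perimeter as the first, which the text forbids for an IOS Router.
    """
    dmz = Network("dmz-net", "10.1.1.0", "255.255.255.0", "10.1.1.1")
    return IosRouterNode(
        name="branch-rtr",
        interfaces=[
            Interface("Ethernet0", "Inherited", upstream=False, address="192.168.1.1"),
            Interface("Serial0", "WAN", upstream=True, address=UNNUMBERED_PLACEHOLDER, unnumbered=True),
            Interface("Ethernet1", "WAN" if shared_perimeter else "DMZ", upstream=True,
                      address="10.1.1.1", networks=[dmz]),
        ],
    )


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_ios_router(sample_node(shared_perimeter=flag)) or "consistent")
```

Running the module checks the constructed node twice: once as defined (no problems) and once with both upstream interfaces on the same perimeter, which reports the shared-perimeter violation.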
In addition, Cisco Secure Policy Manager displays, on these unmanaged Router nodes, the configuration information that you must specify on those gateway objects to ensure proper command set distribution and to guarantee the traffic flows that Cisco Secure Policy Manager requires to distribute command sets to the Policy Enforcement Points that it manages. This information includes required routing rules and IPSec configuration settings (assuming that the Router node is a candidate for inclusion in an IPSec tunnel group).
A Router node represents a gateway object or host on your network, such as a router, a switch, IPSec gateways, or a third-party firewall. Router nodes organize the interfaces and IP address settings that represent default gateways into and out of networks residing on either side of the Router node. You can use this generic gateway node to define a full network topology because it helps you organize networks behind their respective gateways. As Cisco Secure Policy Manager supports additional devices, the Router node will become more device-specific and less generic.
The Interfaces panel organizes settings and relationships used to derive how network policies are enforced against your networks and the hosts residing on those networks. It organizes three key pieces of information:
A generic Router represents an unmanaged gateway object and the networks that are directly attached to it. To define a Router node, you must specify at least one physical interface and the IP address that is used to reach that interface. This physical interface, which is always the downstream interface, represents the default gateway used to reach all attached networks that you define as part of a Router node.
The additional networks that you define as part of a generic router definition are all attached to upstream interfaces, either real or virtual. All these interfaces are attached to the perimeter that is inherited from the downstream network.
In addition, you can define unnumbered interfaces and networks as part of a generic Router node.
You can perform the following tasks from the Router panel in the Network Topology tree. For step-by-step procedures on performing a specific task, click the appropriate task topic.
You can manually define a Router node under any Network node in the Network Topology tree. Defining a new router is useful when you are defining your entire network topology because it helps you organize networks behind their respective gateways. In addition, you can use a drag-and-drop operation to move Router nodes in the Security Policy Enforcement branch to refine network policy definitions. A router represents a generic gateway object over which Cisco Secure Policy Manager does not have control because it cannot define and distribute network policies to that device. However, Cisco Secure Policy Manager does use a Router node definition to derive routing rules for those Policy Enforcement Points over which it does have control, such as the PIX Firewall.
To create a new gateway, perform the following task:
Step 2 To create a new gateway, point to New and then to Gateway, and then click Router on the shortcut menu.
Result: A new node named Router # appears under the selected network.

Step 3 To name the router, type the new name in the selected box, and then press Enter.
Result: The new name appears in the Name box of the selected node.
The name of the router may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips If you cannot edit the name, right-click the new Router icon, and click Rename on the shortcut menu.
Step 4 You have now defined the Router node under a specific network. For instructions on completing your Router node definition, click the following task topic:
Step 5 To accept your changes and close the selected panel, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
After you have defined a Router node, the first task that you must complete is specifying the settings in the Interfaces panel for that Router node. In the Interfaces panel, you must specify the IP address of the default gateway used to reach any networks that you intend to define. Next, you must define a second interface and any new networks under that interface.
Note This procedure assumes that you have just created and named a Router node as described in the Creating a Router Node task. Therefore, we assume that you are on the Router node that you have just created and are attempting to complete the requisite settings to pass a system Consistency Check.
To specify the interface settings of a Router node, perform the following task:
Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.

Step 3 To select the IP address object that represents the default gateway address, click the IP address icon under the downstream interface in the Interfaces panel.
The downstream interface is the interface that is attached to the shared network under which this Router node resides.
Step 4 To specify the default gateway, type that gateway address in the Network Address box under Edit Network Selection.
This address identifies the gateway that the fully defined networks upstream from this Router node will use to reach additional networks that you intend to define under this router.
Step 5 To define a new interface on this router, click Interface under Insert New.
Result: A new node named Interface # appears under the selected perimeter.
Step 6 To name the new interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
The name of the interface may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 7 To access the shortcut menu, right-click the Interface icon that you have just defined in the Interfaces panel.
Step 8 To define a new network, point to New, and then click Network.
Result: A new node named Network # appears under the interface that you just defined.
Step 9 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of the network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 10 To specify the address of the network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that is attached to the interface on this router.
Step 11 To specify the mask of the network, type that mask in the Network Mask box under Edit Network Selection.
Step 12 For each network that you want to define under this interface, repeat Steps 7 through 11.
Step 13 To define additional interfaces, repeat Steps 5 through 12.
Step 14 To accept your changes and close the selected panel, click OK.
Step 15 To save any changes that you have made, click Save on the File menu.
The Primary Server node represents one of two server types that host the client/server products for Cisco Secure Policy Manager. The Primary Server node indicates that this host is running the Primary Policy Database, where all configuration information is stored and to which all GUI clients connect to view or edit the system configuration. This node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems include the Primary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point.
The Secondary Server node indicates that this host is running a distributed installation feature set. Depending on what feature set you installed, this node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems can include the Secondary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point.
Note You must create the nodes that represent any Cisco Secure Policy Manager servers that you have installed on your network. To create these nodes, you must first define the parent network on which these hosts reside and then create a host under that node. You will be prompted to add a host based on the Windows NT name of that computer. The special panels associated with a primary or secondary server were automatically defined when you chose to add a host of this type.
To define a Cisco Secure Policy Manager host, whether it is a primary or secondary server, you create a Host node under the Network node on which that server resides. In addition, you must have installed the Cisco Secure Policy Manager software on that server.
The GUI client knows about the existence of such a host based on information stored in the Primary Policy Database during the installation process. When you attempt to define a host under the correct network, the GUI client displays a message box, prompting you as to whether you are intending to create the Host node that it knows about and that is running a component of the Cisco Secure Policy Manager system. If you specify that you do want to add this host, which is identified by its Windows NT computer name in the message box, the GUI client creates a Host node and populates it with the panels required to configure the system-specific settings of the Cisco Secure Policy Manager components running on that server.
To create a Host node that acts as a primary or secondary server, perform the following task:
Step 2 To specify that you want to create a new primary or secondary server, point to New, and then click Host on the shortcut menu.
Result: If you have selected a network on which a host resides where you have installed a component of Cisco Secure Policy Manager and you have not previously defined that host elsewhere in the Network Topology tree, a message box appears that states, "A network object of the specified type has been detected in the Policy Database, and the external address of the object is consistent with the parent network address. The name of the object is: <Windows NT computer name>. Is this the object that you wish to insert into the Network Topology?"

Step 3 To create a new primary or secondary server, click Yes in the message box.
Result: A new node with the same name as the Windows NT computer appears under the selected network. This node has the Cisco Secure Policy Manager-specific panels added for the client/server product types residing on that host.

Step 4 To accept your changes and close the selected panel, click OK.
Step 5 To save any changes that you have made, click Save on the File menu.
An IP range is a logical grouping structure that identifies a range of IP addresses or network addresses: those addresses between and including the low boundary address and the high boundary address. It identifies a subset of addresses within a specific network definition, and you can only define an IP range directly under a Network node definition. Both the lower and upper boundary addresses must be valid addresses within that network.
You can use this feature to identify a range of hosts within a network for which you want to apply a specific security policy. Most often, you will use this feature to define an exception to a more general security policy. For example, if you have a range of IP addresses that are reserved for servers, and your corporate security policy does not permit users to access the Internet from a corporate server, you can define an IP range, and include a security policy that restricts access to the Internet.
Because you can only define an IP range directly under a Network node, the network definition restricts the values that are allowed within the IP range definition. For example, if you define the 192.168.1.0 network with a network mask of 255.255.255.0, the lower and upper boundary addresses must fall within 192.168.1.1 and 192.168.1.255.
If you want to define a broader IP range, you can define a network that includes additional addresses. For example, you can define the 192.168.0.0 network with the network mask of 255.255.0.0, and then you can define a broader IP range to include networks that are included within the network definition, such as 192.168.1.0 through 192.168.5.255.
Tips Dependency. Before you can define an IP range, you must define the parent network in which the range of IP addresses falls.
You can manually define an IP Range node under any Network node in the Network Topology tree. Defining a new IP range is useful when you want to define exceptional network policies on the basis of a subset of hosts residing on a particular network. To refine network policy definitions, you can use a drag-and-drop operation to move IP Range nodes in the Security Policy Enforcement branch. You can also use IP Range nodes to define Network Object Group definitions and IF Source is and IF Destination is conditions in security policy abstracts.
To create an IP Range node, perform the following task:
Result: A new node named IP Range # appears under the selected network.

Step 2 To name the IP range, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The name of the IP range may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips If you cannot edit the name, right-click the new IP Range icon, and click Rename on the shortcut menu.
Step 3 Right-click the IP Range icon for the IP range that you just created, and click Properties on the shortcut menu.
Result: The General panel associated with the IP range appears in the View pane.
Step 4 To specify the starting IP address in the range that you want to define, type that address in the Low IP Address box.
Step 5 To specify the ending IP address in the range that you want to define, type that value in the High IP Address box.
Step 6 To accept your changes and close the selected panel, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.
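The two constraints this section places on an IP Range node, that both boundaries fall inside the parent network and that the object name is at most 256 characters with no quotation marks or semicolons, are easy to check before entering values into the General panel. The following is an added example, not product code; it reproduces the section's own 192.168.1.0/255.255.255.0 and 192.168.0.0/255.255.0.0 cases and the function names are assumptions.

```python
"""Validate an IP Range node against its parent Network node.

Added example, not product code. It applies the rules the text gives:
object names hold at most 256 characters and contain no quotation marks
or semicolons, and both boundary addresses must be valid host addresses
inside the parent network (the text's example treats 192.168.1.1 through
192.168.1.255 as valid for 192.168.1.0/255.255.255.0, so the network
address itself is excluded). Function names are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List

NAME_MAX_LEN = 256
NAME_FORBIDDEN = frozenset('";')


def valid_object_name(name: str) -> bool:
    """Name rule the text states for Router, Network, Host and IP Range nodes."""
    return 0 < len(name) <= NAME_MAX_LEN and not (NAME_FORBIDDEN & set(name))


def parent_network(address: str, mask: str) -> IPv4Network:
    """Build the parent Network node from its Network Address and Network Mask boxes."""
    return IPv4Network(f"{address}/{mask}", strict=True)


def validate_ip_range(name: str, low: str, high: str, network: IPv4Network) -> List[str]:
    """Return the problems with an IP Range node; an empty list means it is valid."""
    problems: List[str] = []
    if not valid_object_name(name):
        problems.append(f"name {name!r}: must be 1-256 characters without '\"' or ';'")
    try:
        lo, hi = IPv4Address(low), IPv4Address(high)
    except ValueError as exc:
        return problems + [f"boundary is not an IPv4 address ({exc})"]
    if lo > hi:
        problems.append(f"low boundary {lo} is above high boundary {hi}")
    for label, addr in (("low", lo), ("high", hi)):
        # Inside the parent network, but not the network address itself.
        if addr not in network or addr == network.network_address:
            problems.append(f"{label} boundary {addr} is outside the valid addresses of {network}")
    return problems


def range_size(low: str, high: str) -> int:
    """Number of addresses the range covers, boundaries included."""
    return int(IPv4Address(high)) - int(IPv4Address(low)) + 1


if __name__ == "__main__":
    lan = parent_network("192.168.1.0", "255.255.255.0")
    site = parent_network("192.168.0.0", "255.255.0.0")
    print(validate_ip_range("servers", "192.168.1.10", "192.168.1.20", lan))        # []
    print(validate_ip_range("servers", "192.168.1.10", "192.168.2.5", lan))         # high boundary outside
    print(validate_ip_range("site-servers", "192.168.1.0", "192.168.5.255", site))  # []
    print(validate_ip_range("bad;name", "192.168.1.10", "192.168.1.20", lan))       # name rejected
```

The broader range in the section's second example (192.168.1.0 through 192.168.5.255 under 192.168.0.0/255.255.0.0) passes, while the same range under the /24 network fails on the high boundary, which is exactly the dependency the Tips box above describes.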
An example use of a generic host is when you want to restrict network traffic to and from a particular network object, such as your mail server. In this case, you can define a host that represents your internal mail server. When you define a network policy for network sessions originating from the Internet perimeter, you can specify that only SMTP-based traffic destined for a particular port is permitted to reach your internal mail server. Such network policies reduce the risk of successful attacks on important hosts on your network.
You can also define limited sets of hosts that can access other hosts residing on your network. For example, if you have a specific host, representing a server running your accounting software, you may choose to restrict traffic to that host to a select set of hosts that belong to authorized staff. Of course, placement of your Policy Enforcement Points is critical to ensuring that such restrictive policies can be enforced.
You can perform the following tasks from the General panel associated with a Host node under the Network Topology tree. For step-by-step procedures on performing a specific task, click the appropriate task topic.
You can manually define a Host node under any Network node in the Network Topology tree. Defining a new host is useful when you are defining your entire network topology because it helps you identify those special hosts that run client/server products, such as certificate authority servers and syslog servers that Cisco Secure Policy Manager uses when informing Policy Enforcement Points about the location of such services. In addition, you can use a drag-and-drop operation to move Host nodes to the Security Policy Enforcement branch to refine network policy definitions.
To create a new host, perform the following task:
Step 2 To create a new host, point to New, and then click Host on the shortcut menu.
Result: A new node named Host # appears under the selected network.

Step 3 To name the host, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The name of the host may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips If you cannot edit the name, right-click the new Host icon, and click Rename on the shortcut menu.
Step 4 To access the shortcut menu, right-click the Host icon for the host that you just created.
Step 5 To see the properties associated with the new host, click Properties on the shortcut menu.
Result: The General panel appears in the View pane.
Step 6 To specify an address assigned to this host, type that address in the IP Addresses box.
This value identifies the IP address assigned to this host. A host can have multiple IP addresses associated with its network stack. Each IP address must reside on the network under which this Host node is defined.
Step 7 To specify additional addresses for this host, click Add, and repeat Step 6.
Step 8 To specify that a client/server product runs on this host, click Add next to the Resident Client/Server Products box. Otherwise, skip to Step 13.
Result: The Add Client/Server Product dialog box appears.
Step 9 To select the client/server product type, click that type in the Product Type box.
The Product Type list displays the supported client/server product types:
Result: The Product Name (specify) box displays the selected product type name.
Step 10 To specify a meaningful name for this client/server product type, type the name in the Product Name (specify) box.
Step 11 To add this client/server product type to the host, click OK.
Result: The Add Client/Server Product dialog box closes.
Step 12 For each client/server product type that you want to add to this host, repeat Steps 8 through 11. Otherwise, continue with Step 13.
Step 13 To accept your changes and close the selected panel, click OK.
Step 14 To save any changes that you have made, click Save on the File menu.
You can specify that a client/server product type is running on a host after you have defined the Host node. This feature helps you identify those special hosts that run client/server product types, such as authentication servers and syslog servers that Cisco Secure Policy Manager uses when informing Policy Enforcement Points about the location of such services. The definitions of these product types are also used to ensure that requisite communications, such as those between a Policy Enforcement Point and a certificate authority server, are permitted by the security policies and routing rules that Cisco Secure Policy Manager maintains automatically for you.
To specify that a client/server product type resides on an existing host, perform the following task:
Step 2 To see the properties associated with the new host, click Properties on the shortcut menu.
Result: The Host panel appears in the View pane.
Step 3 To specify that a client/server product type runs on this host, click Add.
Result: The Add Client/Server Product dialog box appears.
Step 4 To select the client/server product type, click that type in the Product Type box.
The Product Type list displays the supported client/server product types:
Result: The Product Name (specify) box displays the selected product type name.
Step 5 To specify a meaningful name for this client/server product type, type the name in the Product Name (specify) box.
Step 6 To add this client/server product type to the host and close the Add Client/Server Product dialog box, click OK.
Result: The Add Client/Server Product dialog box closes.
Step 7 For each client/server product type that you want to add to this host, repeat Steps 3 through 6. Otherwise, continue with Step 8.
Step 8 To accept your changes and close the selected panel, click OK.
Step 9 To save any changes that you have made, click Save on the File menu.
Authentication services are used to authenticate clients and users to Policy Enforcement Points, such as routers running IOS software, PIX Firewalls, and other edge devices. This panel enables you to specify the settings for any authentication servers that reside on your networks.
From the Authentication Server panel, you can specify three types of authentication servers: certificate authority, TACACS+, and RADIUS. You can configure Cisco Secure Policy Manager to utilize these server types to authenticate clients and users that are trying to access network services through a Policy Enforcement Point residing on your network or to authenticate peer Policy Enforcement Points participating in an IPSec tunnel.
Unlike RADIUS and TACACS+ authentication servers, certificate authority servers rely on a third-party authority to establish the trust relationship between two network objects that communicate. These special Host nodes run certificate authentication/generation software, such as the Netscape Certificate Authority Server. These servers are used by organizations that want to maintain strict control of their own certification authority functions. In other words, these servers are responsible for verifying the public keys owned by users within that organization, preventing man-in-the-middle attacks based on public-private key pairs. Within the Cisco Secure Policy Manager system, these servers enable policy enforcement by assigning and authenticating certificates used by the Policy Enforcement Points and hosts that participate in IPSec tunnels. IPSec tunnels are used to encrypt IP-based traffic that runs across untrusted and/or public network segments, such as the Internet, as well as to provide the secure download of device-specific command sets between Cisco Secure Policy Manager servers and the Policy Enforcement Points that they control.
The primary reason that you must specify these hosts in the Network Topology tree is to help Cisco Secure Policy Manager generate the commands that ensure the appropriate Policy Enforcement Points permit the required Policy Enforcement Point-to-certificate authority server traffic to pass. Once you associate a Policy Enforcement Point to a certificate authority server in the Network Topology tree, Cisco Secure Policy Manager generates the correct security policies that enable this traffic to flow correctly.
RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is an open and scalable client/server security system initially designed to authenticate remote users. Users authenticate to the RADIUS server by submitting shared secret information (a username/password combination). All user-authentication data and security information are stored in a central database on the RADIUS server.
RADIUS is an open and scalable client/server mode of authentication developed by Livingston Enterprises. It was initially designed to authenticate remote users who were accessing network services via a modem.
RADIUS-based authentication works by comparing a secret username/password combination to data stored in a central location, called the RADIUS server. The RADIUS server receives authentication requests and either accepts or rejects them on the basis of information stored in the RADIUS server database. If a submitted username and password are correct, the RADIUS server returns an authentication acknowledgment to the client requesting the services.
Some Policy Enforcement Points, such as PIX Firewall, implement RADIUS to authenticate users regardless of whether they are using a dial-up connection. When a Policy Enforcement Point receives a request for network services that require RADIUS user authentication, it submits the username and password to the RADIUS server with which the firewall has been configured to work. Depending upon the response from the RADIUS server, the Policy Enforcement Point either permits the requested network services or denies the user that connection.
If you have an active RADIUS server, all you need to do is specify in the Network Topology tree where the RADIUS server is located so that Policy Enforcement Points can route authentication requests to it. Then, for every network service that requires RADIUS-based user authentication, the Policy Enforcement Points forward the request to the RADIUS server for actual authentication.
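The request/response exchange described in the RADIUS paragraphs above, written out as an added example rather than anything from the product: a client standing in for a Policy Enforcement Point sends an Access-Request whose User-Password attribute is hidden under the shared secret (RFC 2865 section 5.2), and the server answers Access-Accept or Access-Reject signed with a Response Authenticator that the client checks. The user database, passwords and shared secret are constructed for the example; the function names are assumptions.

```python
"""RADIUS Access-Request / Access-Accept exchange in miniature (RFC 2865).

Added example, not Cisco or product code. A client standing in for a
Policy Enforcement Point hides the user's password under the shared
secret it holds with the RADIUS server; the server recovers the
password, checks its user database and answers Access-Accept or
Access-Reject with a Response Authenticator the client verifies.
The usernames, passwords and shared secret are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then 16-byte Authenticator


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(payload: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def _password_stream(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with b(i) = MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if hiding else block   # the chain always uses the ciphertext block
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_stream(padded, secret, request_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _password_stream(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(username: bytes, password: bytes, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def radius_server(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Decide Accept/Reject and sign the reply with the Response Authenticator."""
    code, ident, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    ok = False
    if code == ACCESS_REQUEST and ATTR_USER_PASSWORD in attrs:
        expected = users.get(attrs.get(ATTR_USER_NAME, b""))
        supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
        ok = expected is not None and hmac.compare_digest(expected, supplied)
    resp_code, resp_attrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), b""
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(HEADER.pack(resp_code, ident, 20 + len(resp_attrs))
                            + request_auth + resp_attrs + secret).digest()
    return build_packet(resp_code, ident, resp_auth, resp_attrs)


def client_check(response: bytes, ident: int, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Return the response code only if the Identifier and Response Authenticator match."""
    code, resp_ident, length = HEADER.unpack(response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if resp_ident != ident or not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def exchange(username: bytes, password: bytes, secret: bytes, users: Dict[bytes, bytes]) -> Optional[int]:
    """One request/response round trip; returns the verified response code or None."""
    ident, request_auth = 7, os.urandom(16)
    response = radius_server(access_request(username, password, secret, ident, request_auth), secret, users)
    return client_check(response, ident, request_auth, secret)


# Constructed sample user database and shared secret (not real credentials).
USERS = {b"alice": b"correct horse battery staple", b"bob": b"hunter2"}
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    print(exchange(b"alice", b"correct horse battery staple", SECRET, USERS))  # 2 (Access-Accept)
    print(exchange(b"alice", b"wrong", SECRET, USERS))                         # 3 (Access-Reject)
```

Two points the paragraph glosses over are visible in the code: the password is hidden with a keystream derived from the shared secret and the per-request authenticator, not sent as a plain "shared secret", and the client only trusts a reply whose Response Authenticator was computed with the same secret, which is why the secret configured on the Policy Enforcement Point must match the one on the RADIUS server.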
TACACS+ stands for Terminal Access Control Access Control System +. It is a mode of user authentication that uses a separate server to perform the authentication sequence.
TACACS+ is a TCP-based mode of user authentication that also provides advanced authorization and accounting features. TACACS+ is an open protocol and can be ported to any username or password database.
TACACS+ authentication works by forwarding an MD5-encrypted piece of secret, shared information (a username/password combination) to a TACACS+ server. TACACS+ can forward password types for ARA, SLIP, PAP, CHAP, and standard Telnet, and therefore, TACACS+ allows different clients to use the same username/password for different protocols. TACACS+ authentication also supports multiple challenge and response demands from the TACACS+ server.
Some Policy Enforcement Points, such as the PIX Firewall, implement TACACS+ so that they can authenticate users regardless of whether they are using a dial-up connection. When a Policy Enforcement Point receives a session request for a network service that requires TACACS+ user authentication, it submits the username and password to the TACACS+ server with which the Policy Enforcement Point has been configured to work. Depending upon the response from the TACACS+ server, the Policy Enforcement Point either permits the network service session or denies the user that connection.
If you have an active TACACS+ server, all you need to do is specify in the Network Topology tree where the TACACS+ server is located so that the Policy Enforcement Point can route authentication requests to it. Then, for every network service that requires TACACS+ user authentication, the Policy Enforcement Point forwards the request to the server for actual authentication.
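The MD5-based hiding that the TACACS+ paragraphs refer to is the body obfuscation of RFC 8907 section 4.5: the packet body is XORed with a pad built by chaining MD5 over the session id, the shared key, the version and the sequence number. The following is an added example, not Cisco or product code, that builds an authentication START packet for PAP, hides its body and reads it back; it also shows that a receiver with a different key cannot recover the username, which is the practical reason the key on the Policy Enforcement Point and the TACACS+ server must agree. The key, session id, port and user data are constructed; the function names are assumptions.

```python
"""TACACS+ packet body obfuscation (RFC 8907 section 4.5).

Added example, not Cisco or product code. It builds an authentication
START packet, hides its body with the MD5-derived pad the text refers to,
and shows that the receiver needs the same key to read the username back.
The key, session id, port and user data are constructed.
"""
import hashlib
import struct
from typing import Dict

VERSION_PAP = 0xC1          # major version 0xC, minor version 1 (used with PAP/CHAP)
TAC_PLUS_AUTHEN = 0x01      # packet type: authentication
FLAG_UNENCRYPTED = 0x01     # set only when the body is sent in the clear
HDR = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 length bytes
ACTION_LOGIN, PRIV_USER, AUTHEN_TYPE_PAP, SERVICE_LOGIN = 0x01, 0x01, 0x02, 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same fields, MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, pad: bytes) -> bytes:
    return bytes(b ^ p for b, p in zip(body, pad))


def start_body(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """PAP START body: the password travels in the data field."""
    return START.pack(ACTION_LOGIN, PRIV_USER, AUTHEN_TYPE_PAP, SERVICE_LOGIN,
                      len(user), len(port), len(rem_addr), len(password)) + user + port + rem_addr + password


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """Header in the clear; body XORed with the pad unless no key is configured."""
    flags = 0x00 if key else FLAG_UNENCRYPTED
    header = HDR.pack(VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    if key:
        body = xor_body(body, pseudo_pad(session_id, key, VERSION_PAP, seq_no, len(body)))
    return header + body


def parse_start(packet: bytes, key: bytes) -> Dict[str, bytes]:
    """Undo the pad with the receiver's key and split the START fields."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(packet[:HDR.size])
    body = packet[HDR.size:HDR.size + length]
    if len(body) != length or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("truncated or non-authentication packet")
    if not flags & FLAG_UNENCRYPTED:
        body = xor_body(body, pseudo_pad(session_id, key, version, seq_no, length))
    user_len, port_len, rem_len, data_len = START.unpack(body[:START.size])[4:]
    if START.size + user_len + port_len + rem_len + data_len != length:
        raise ValueError("body lengths do not add up (wrong key or corrupt packet)")
    out, p = {}, START.size
    for name, n in (("user", user_len), ("port", port_len), ("rem_addr", rem_len), ("data", data_len)):
        out[name] = body[p:p + n]
        p += n
    return out


def round_trip(key_sender: bytes, key_receiver: bytes) -> Dict[str, bytes]:
    """Constructed sample exchange; with mismatched keys the fields come back as garbage or fail."""
    body = start_body(b"alice", b"tty0", b"192.0.2.10", b"constructed-password")
    return parse_start(build_packet(body, key_sender, session_id=0x5EED1234), key_receiver)


if __name__ == "__main__":
    print(round_trip(b"constructed-key", b"constructed-key")["user"])  # b'alice'
```

Note that the header, including the session id and sequence number that seed the pad, is always sent in the clear; only the body is hidden, and RFC 8907 describes this as obfuscation rather than encryption, which is why the text's recommendation to keep TACACS+ traffic between the Policy Enforcement Point and the server on a controlled path matters.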
You can specify that a certificate authority, TACACS+, or RADIUS client/server product type is running on a host after you have defined the Host node. This feature helps you identify those special hosts that run authentication servers that Cisco Secure Policy Manager uses when informing Policy Enforcement Points about the location of such services.
To specify that an authentication server resides on an existing host, perform the following task:
Step 2 To see the properties associated with the new host, click Properties on the shortcut menu.
Result: The Host panel appears in the View pane.
Step 3 To specify that an authentication server runs on this host, click Add.
Result: The Add Client/Server Product dialog box appears.
Step 4 To select the authentication server type, click that type in the Product Type box.
The list displays the supported authentication server types:
Result: The Product Name (specify) box displays the selected product type name.
Step 5 To specify a meaningful name for this authentication server, type the name in the Product Name (specify) box.
Step 6 To add this authentication server type to the host, click OK.
Result: The Add Client/Server Product dialog box closes and a new tab appears on the Host node.
Step 7 To configure the authentication server residing on this host, click the new tab that was created for this network service.
The panel associated with the new authentication server appears in the View pane.
The tab's name is the product name that you specified in Step 5.
Step 8 To specify the network service that clients should use when requesting services from this authentication server, click that service name in the Associated Network Service box.
This network service identifies the protocol and port on which the authentication service listens for requests from clients. For a certificate authority server, this service must be HTTP.
Step 9 To specify the IP address that clients use when requesting services from this authentication server, click that IP address in the Associated IP address box.
This IP address is assigned in the General panel of the Host node on which this authentication server resides. Since a host can have multiple IP addresses associated with it, this selection ensures that Cisco Secure Policy Manager generates the correct commands for the Policy Enforcement Points that must communicate with the authentication server.
Step 10 To accept your changes and close the selected panel, click OK.
Step 11 To save any changes that you have made, click Save on the File menu.
You can use the Syslog Server panel to perform the following tasks. For step-by-step procedures on performing a specific task, click the appropriate task topic.
You can specify the IP address that the syslog server uses when listening for requests from Policy Enforcement Points under Cisco Secure Policy Manager control. This feature is useful if you are running multiple servers on a single host and you are interested in separating those services onto different IP addresses so that you can monitor network sessions across Policy Enforcement Points to these services. By assigning separate IP addresses, you can study the network sessions to the syslog server that occur across a Policy Enforcement Point and develop custom reports that summarize this activity.
To modify the IP address used to connect to the syslog server, perform the following task:
Step 2 To view the System Log panel, point to Properties, and then click System Log on the shortcut menu.
Result: The System Log panel appears in the View pane.
Step 3 To change the IP address on which the syslog server running on this host listens for audit event streams from Policy Enforcement Points, select the new IP address in the IP Address box under General Settings.
The IP addresses available are those that are defined for the server node that you selected. These addresses are defined in the IP Addresses box in the General panel of the selected server node. By default, the syslog server uses the first IP address in the IP Addresses box.
Step 4 To accept your changes and close the selected panel, click OK.
Step 5 To save any changes that you have made, click Save on the File menu.
You can specify a custom UDP port on which the syslog server listens for audit streams from the Policy Enforcement Points. This feature is useful if you already have a network service that listens on the default UDP port used by the syslog server, which is UDP port 514. To modify the UDP port for the syslog server, you must modify the provided network service definition (the System Log definition under the Network Services branch of the Tools and Services tree) or define a custom network service. To make the syslog server consistent with your new port settings, you must then select that network service in the System Log panel. This modification ensures that any security policies that you have applied that permit the syslog network traffic will continue to operate correctly once you have modified the port value.
Note By changing the System Log definition rather than defining a new network service, you can ensure that any applied security policies that enable syslog communications across a Policy Enforcement Point will be updated automatically.
To modify the UDP port used to connect to the syslog server, perform the following task:
Result: The TCP panel appears in the View pane. You can make any changes directly on this panel.
Step 2 To change the port value used by the network service, type that new port number in the Port box under Instance Settings.
Step 3 To accept your changes and close the selected panel, click OK.
Note For the change to take effect, you must select the modified network service definition in the Associated Network Service box in the Policy Monitor panel.
You must also verify that the syslog server is listening on the same port that you specified. For instructions on modifying the port for the syslog server, please refer to the documentation provided with that product.
Step 4 To save any changes that you have made, click Save on the File menu.
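As an added example (not part of this Cisco documentation), the following Python snippet checks the port consistency that the procedure above depends on: it binds a UDP listener on the loopback interface, sends one constructed syslog-style datagram to the port a Policy Enforcement Point would be configured to publish to, and reports whether it arrived. The port numbers and the sample message are assumptions; when the listener port and the configured port disagree, the probe returns None, which is exactly the silent loss you get when the network service definition and the syslog server's own port setting drift apart.

```python
import socket

# Constructed sample datagram in BSD syslog form (RFC 3164 style).
# <164> = facility 20 (local4) * 8 + severity 4 (warning). Hostname
# "pep01" and the message text are placeholders, not real device output.
SAMPLE_MESSAGE = b"<164>May 25 13:12:05 pep01 syslog-port-check: test event"


def parse_pri(datagram: bytes):
    """Return (facility, severity) from the <PRI> prefix, or None if absent."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">")
    if end < 2 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    return pri // 8, pri % 8


def probe_syslog_port(listen_port: int, send_port=None, timeout: float = 0.5):
    """Bind a UDP listener on 127.0.0.1:listen_port (0 = any free port),
    send SAMPLE_MESSAGE to send_port (None = the bound port), and return the
    parsed (facility, severity) if the datagram arrived, else None."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", listen_port))
        bound_port = server.getsockname()[1]
        target = bound_port if send_port is None else send_port
        server.settimeout(timeout)
        client.sendto(SAMPLE_MESSAGE, ("127.0.0.1", target))
        try:
            data, _ = server.recvfrom(2048)
        except socket.timeout:
            # Nothing reached the listener: the sender's port does not match
            # the port the server is actually listening on.
            return None
        return parse_pri(data)
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    # Matching ports: the event arrives and its PRI decodes to local4/warning.
    print("matching ports:", probe_syslog_port(0))
    # Mismatched ports: the listener never sees the datagram.
    print("mismatched ports:", probe_syslog_port(0, send_port=1))
```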
From the Syslog Server panel, you can specify the network service that is associated with the syslog server running on this host. This network service identifies the UDP port on which the syslog server listens for audit streams from remote Policy Enforcement Points. Cisco Secure Policy Manager uses this information to ensure the Policy Enforcement Points that publish syslog data streams to this syslog server use the correct network service. In addition, Cisco Secure Policy Manager is responsible for automatically generating the security policies that ensure the communications between the Policy Enforcement Points and the syslog server are permitted correctly.
To select the network service definition used to connect to the syslog server, perform the following task:
Step 2 To view the System Log panel, point to Properties, and then click System Log on the shortcut menu.
Result: The System Log panel appears in the View pane.
Step 3 To select the network service definition used by the syslog server running on this host, click that network service in the Associated Network Service box.
This network service must be defined under the Network Services branch of the Tools and Services tree. By default, the syslog server uses the System Log network service, which specifies UDP port 514 to conduct communications.
Caution If you change the network service name from System Log, any security policies that you have applied that permit this service to pass through Policy Enforcement Points will need to be updated manually.
Step 4 To accept your changes and close the selected panel, click OK.
Step 5 To save any changes that you have made, click Save on the File menu.
Posted: Thu May 25 13:12:05 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.