You can define a number of network objects within the Network Topology tree. This chapter identifies some guidelines for selecting among the different types of network objects, and it provides the basic tasks for creating each of the available network object types. The next chapter provides more detailed tasks for configuring the different device-specific settings that are available as a subset of the network objects described in this chapter.
Note: The only network objects that you should define manually are IP ranges, hosts, and policy enablement objects, such as a Cisco Secure Policy Manager, TACACS+, or certificate authority server. For all other network objects, we strongly recommend that you use the Topology Wizard.
The following table maps common objects found in your network to the objects within Cisco Secure Policy Manager that can represent them.
Tips: We encourage you to investigate the possible uses of Cloud nodes. Clouds are not included in the following table because, like IP ranges, they are logical grouping structures that accelerate the definition of the physical network topology.
| Object on Your Network | Maps to Network Object in Network Topology Tree | Node Icon |
|---|---|---|
| Access routers, default gateways, Internet service provider connections, etc. | The Internet node. | |
| Cisco Secure Policy Manager | You must define the parent network on which the host resides, and then create a new Host node under that network. If you have defined the network correctly, you will be prompted to install the specific host based on the Windows NT computer name. The following icons appear if you have defined the host node correctly: | |
| Certificate authority servers, TACACS+ authentication servers, RADIUS authentication servers, and syslog servers | A Host node that runs the client/server product type matching the server's role in your network. | |
| E-mail servers, web servers, FTP servers, etc. | A Host node. | |
| Generic routers or gateways that Cisco Secure Policy Manager | A Router node. Management options available under Feature Set in the General panel of the node: | |
| Cisco IOS Routers | An IOS Router node. Management options available under Feature Set in the General panel of the node: | |
| Cisco Secure PIX Firewalls | A PIX Firewall node. Management options available under Feature Set in the General panel of the node: | |
The remainder of this chapter presents step-by-step procedures for manually defining each network object type. For more information about using the Topology Wizard and detailed descriptions and additional tasks related to these network objects, refer to the online Help system provided with the product.
The Internet node is a special Cloud node that represents all unknown networks to which your trusted and untrusted networks are connected. It identifies one or more points of connection between your network and your Internet service provider (ISP). Therefore, when you define your network topology, you should view this definition as starting from the connection to your ISP and continuing upstream to the innermost networks. From the Interfaces panel on the Internet node, you can define the networks that form the boundary between your networks and the ISPs, as well as the IP addresses of the default gateways used by your network. To do so, you must define the ISP's upstream gateway interfaces and networks connected to those interfaces. Only one perimeter exists for the Internet node---the untrusted Internet perimeter, which represents all uncontrolled networks, including those networks attached to the downstream interfaces of your outermost Policy Enforcement Points.
Tips: When you define your Network Topology, you must define it from the outside to the inside, starting with the access routers of your outermost gateway objects. These access routers often represent your ISPs' access routers. To identify different ISP connections, we recommend that you define a unique interface for each connection.
The first task that you must complete when defining your Network Topology tree is specifying the settings in the Interfaces panel for the Internet node. In the Interfaces panel, you must specify the IP addresses of the default gateways that your outermost gateway objects use to reach all undefined networks. Because the Internet node is a special cloud, this logical gateway object also identifies the default gateways used by any other networks defined under the Network Topology tree to reach the Internet.
You must also specify any cloud networks under the Cloud Networks interface that you require for special cases in your network policy definitions. These cloud networks represent untrusted networks that exist within the larger cloud of the Internet, and they identify networks to/from which you want to control the ability of users on your trusted networks to access services provided by servers residing on those networks.
Note: For each IP address that you assign to the Internet Perimeter's interface, you must define the network on which that IP address resides. These networks represent the networks shared between your ISPs and your outermost gateway objects. After you define these networks, you can define a Policy Enforcement Point, such as a PIX Firewall, or some other gateway object below one of these shared networks. However, every such gateway object must have an IP address assigned to the downstream interface that is connected to these networks.
To specify interface settings of the Internet node, perform the following task:
Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Result: The Interfaces panel appears in the View pane.

Step 3 To select Interface 1 so that you can rename it, click the Interface 1 icon in the Interfaces panel.
Result: The Name box becomes available under Edit Interface Selection.
Step 4 To give Interface 1 a meaningful name, type that name in the Name box and press Enter.
This interface usually represents the interface on an access router that your ISP owns. Therefore, a good name for this interface might be something like "ISP Router Interface." If you have multiple ISPs, you must define a unique interface to represent each service provider.
Step 5 To access the shortcut menu, right-click the Interface icon that you just renamed in the Interfaces panel.
Step 6 To define a new network, point to New, and then click Network.
Result: A new node named Network # appears under the selected interface.
Step 7 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 8 To specify the address assigned to this network, type that address in the Network Address box.
This value identifies the address of a specific network. Typically, this network is shared between you and your ISP. This specific network exists behind a gateway (represented by the Internet node) that is directly connected to that network. This address is used to derive routing rules on a Policy Enforcement Point.
Step 9 To specify the network mask that corresponds to the network address you specified, type that value in the Network Mask box under Edit Network Selection.
This value identifies the mask of the network specified in the Network Address box. A Policy Enforcement Point uses this mask value to determine the appropriate routing rule.
Step 10 To access the shortcut menu, right-click the Interface 1 icon in the Interfaces panel.
Step 11 To define a new default gateway address that corresponds to the network that you just defined, point to New, and then click IP Address.
Result: A new node named 0.0.0.0 appears under the selected interface.
Step 12 To specify the default gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the default gateway that all networks defined under this network node in the Network Topology tree will use to reach the cloud networks, as well as all the unknown networks, that the Internet node represents.
Note: These IP addresses represent the default gateways used by your outermost gateway objects, such as your outermost PIX Firewall. However, they are not the addresses assigned to the downstream interfaces of your gateway objects. Instead, these IP addresses represent the addresses assigned to the upstream interfaces of the access routers to which your gateway objects deliver packets. In addition, these IP addresses must be paired with the networks of which they are members. In other words, for each IP address you define, you must also define the corresponding network on which that IP address resides.
Step 13 If you want to define cloud networks on the Internet node, continue with Step 14. Otherwise, skip to Step 20.
Step 14 To access the shortcut menu, right-click the Cloud Networks icon in the Interfaces panel.
Step 15 To define a new cloud network, point to New, and then click Network.
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 16 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 17 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 18 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 19 For each cloud network that you want to define, repeat Steps 14 through 18.
Step 20 To accept your changes and close the selected panel, click OK.
Result: Any networks that you specified in Steps 5 through 9 appear under the Internet node in the Network Topology tree.
Step 21 To save any changes that you have made, click Save on the File menu.
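The procedure above states several rules that the product's consistency check enforces after the fact: names are limited to 256 characters with no quotation marks or semicolons, every default-gateway IP address under an interface must belong to a network defined under that same interface, every such network needs a default gateway on it, and the network address and mask pair is what the Policy Enforcement Point uses to derive routing rules (so the address must be the network's base address). The following is an added example, not code from Cisco Secure Policy Manager or its documentation, that encodes those rules as a pre-save check over a model of one Internet-node interface. All names and addresses in it are constructed sample data.

```python
"""Consistency checks for an Internet-node interface definition.

Added example for this page, not code from Cisco Secure Policy Manager. It
encodes the rules the procedure states so they can be checked before the
topology is saved:

  * a network or interface name has at most 256 characters and contains no
    quotation mark (") or semicolon (;);
  * a network address paired with a mask must be the network's base address
    (no host bits set), because the pair is used to derive routing rules;
  * every default-gateway IP address placed under an interface must be a
    usable host address on one of the networks defined under that interface;
  * every network defined under the interface must have a default gateway on it.

All names and addresses below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

MAX_NAME_LEN = 256
FORBIDDEN_NAME_CHARS = frozenset('";')


@dataclass
class Network:
    name: str
    address: str  # dotted quad, e.g. "203.0.113.0"
    mask: str     # dotted quad, e.g. "255.255.255.248"


@dataclass
class InternetInterface:
    name: str
    networks: list[Network] = field(default_factory=list)
    gateways: list[str] = field(default_factory=list)  # default-gateway IPs


def name_errors(name: str) -> list[str]:
    """Return the rule violations for a node name (empty list if it is valid)."""
    errs = []
    if not name:
        errs.append("name is empty")
    if len(name) > MAX_NAME_LEN:
        errs.append(f"name exceeds {MAX_NAME_LEN} characters")
    bad = sorted(FORBIDDEN_NAME_CHARS.intersection(name))
    if bad:
        errs.append("name contains forbidden character(s): " + " ".join(bad))
    return errs


def is_usable_host(addr: ipaddress.IPv4Address, net: ipaddress.IPv4Network) -> bool:
    """True if addr is a host on net. The network and broadcast addresses are
    excluded, except on /31 and /32 where every address is a host."""
    if addr not in net:
        return False
    if net.prefixlen >= 31:
        return True
    return addr not in (net.network_address, net.broadcast_address)


def check_interface(iface: InternetInterface) -> list[str]:
    """Return every consistency error found; an empty list means the
    interface definition satisfies the rules above."""
    errs = [f"interface {iface.name!r}: {e}" for e in name_errors(iface.name)]
    nets: list[tuple[Network, ipaddress.IPv4Network]] = []
    for n in iface.networks:
        errs += [f"network {n.name!r}: {e}" for e in name_errors(n.name)]
        try:
            # strict=True rejects an address that has host bits set for this mask
            nets.append((n, ipaddress.IPv4Network((n.address, n.mask), strict=True)))
        except ValueError as exc:
            errs.append(f"network {n.name!r}: {exc}")

    gateways: list[ipaddress.IPv4Address] = []
    for gw in iface.gateways:
        try:
            gateways.append(ipaddress.IPv4Address(gw))
        except ValueError as exc:
            errs.append(f"gateway {gw!r}: {exc}")

    # Each gateway address must sit on a network defined under this interface.
    for addr in gateways:
        if not any(is_usable_host(addr, net) for _, net in nets):
            errs.append(f"gateway {addr}: not a host on any network under {iface.name!r}")
    # Each network must have a default gateway defined on it.
    for n, net in nets:
        if not any(is_usable_host(addr, net) for addr in gateways):
            errs.append(f"network {n.name!r} ({net}): no default gateway defined on it")
    return errs


# Constructed sample: one ISP connection, a /29 shared with the ISP, and the
# ISP access router's address on that network as the default gateway.
GOOD = InternetInterface(
    name="ISP Router Interface",
    networks=[Network("ISP Shared Net", "203.0.113.0", "255.255.255.248")],
    gateways=["203.0.113.1"],
)

# Constructed sample with each rule violated once: quotation marks in the
# interface name, a semicolon in the network name, host bits set in the
# network address, and a gateway that therefore has no valid network to sit on.
BAD = InternetInterface(
    name='ISP "B"',
    networks=[Network("Shared;Net", "198.51.100.1", "255.255.255.248")],
    gateways=["198.51.100.1"],
)

if __name__ == "__main__":
    for label, iface in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_interface(iface) or "consistent")
```

The host-bit check matters more than it looks: a network entered as 198.51.100.1/255.255.255.248 is silently a different network from 198.51.100.0/29 to any device that derives routes from the pair, so catching it at definition time is cheaper than debugging the resulting route on the Policy Enforcement Point.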
You can define one or more networks under the Internet node. These networks identify those networks that you are connecting to the Internet, or all unknown networks. Typically, these networks represent networks that you share with your ISP. For each network that you define under the Internet node, you must also specify the IP address of the default gateway that all other networks and gateway nodes defined under the Internet node use to reach all unknown networks and the cloud networks defined in the Interfaces panel of the Internet node.
Tips: Because Cisco Secure Policy Manager assumes that all gateway objects under the same Internet interface are directly connected to one another, we strongly recommend that you define a new interface for each ISP connection. Each interface represents the upstream interface on an access router of your ISP.
To define a network under the Internet node, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To access the shortcut menu, right-click the Internet icon under which you intend to define new networks.
Step 3 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Result: The Interfaces panel appears in the View pane.
Step 4 To access the shortcut menu, right-click the Interface 1 icon in the Interfaces panel.
Step 5 To define a network, point to New, and then click Network.
Result: A new node named Network # appears under the Interface 1 interface.
Step 6 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 7 To specify the address of the network, type that address in the Network Address box under Edit Network Selection.
This value identifies the address of a specific network. Typically, this network is shared between you and your ISP. This specific network exists behind a gateway (represented by the Internet node) that is directly connected to that network. This address is used to derive routing rules on a Policy Enforcement Point.
Step 8 To specify the network mask that corresponds to the network address you specified, type that value in the Network Mask box.
This value identifies the mask of the network specified in the Network Address box. A Policy Enforcement Point uses this mask value to determine the appropriate routing rule.
Step 9 To define a new default gateway address that corresponds to the network that you just defined, right-click the Network icon, point to New, and then click IP Address.
Result: A new node named 0.0.0.0 appears under the selected interface.
Step 10 To specify the default gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the default gateway that all networks defined under this network node in the Network Topology tree will use to reach the cloud networks, as well as all the unknown networks, that the Internet node represents.
Step 11 For each network that you want to define, repeat Steps 4 through 10.
Step 12 To accept your changes and close the Interfaces panel, click OK.
Step 13 To save any changes that you have made, click Save on the File menu.
You can define one or more cloud networks within the Internet node. Cloud networks identify those networks that can be reached through the cloud. The Internet node is a logical grouping structure that identifies the gateway used to reach all unknown networks, as well as any specific cloud networks. The real interfaces defined for the Internet node include the IP addresses of the default gateways that all networks defined in the Network Topology tree use to reach all unknown networks and the cloud networks defined in the Interfaces panel of the Internet node. Cloud networks are organized under a special interface called Cloud Networks.
These cloud networks represent untrusted networks that exist within the larger cloud of the Internet, and they identify networks to/from which you want to control the ability of users on your trusted networks to access services provided by servers residing on those networks. After you define a cloud network, you can reference that network within security policy abstracts, as well as perform a drag-and-drop operation to move the network into the Security Policy Enforcement branch to express how you want to apply security policies to traffic that originates from or is destined to the cloud network.
To define a cloud network on the Internet node, perform the following task:
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 2 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 3 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 4 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 5 For each cloud network that you want to define, repeat Steps 1 through 4.
Step 6 To accept your changes and close the selected panel, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.
From the panel associated with a network, you can define the address and mask settings for a specific network that is attached to a gateway object, such as a Policy Enforcement Point, a router, a switch, a firewall, or a cloud.
You can manually define a Network node under any Gateway node in the Network Topology tree. Gateway nodes include the Internet, clouds, IOS Routers, PIX Firewalls, and generic routers. Defining a new network is useful when you are defining your entire network topology because it ensures that Cisco Secure Policy Manager derives the correct routing rules required for a Policy Enforcement Point to deliver packets to hosts residing on that network. In addition, you can use a drag-and-drop operation to move Network nodes in the Security Policy Enforcement branch to refine network policy definitions.
To create a Network node, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the gateway under which you want to define a new network, expand the Network Topology tree until you view that gateway node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the gateway icon under which you want to define a new network. The following gateway types exist:
Step 4 To create a new network, point to New, and then click Network on the shortcut menu.
Result: A new node named Network # appears under the selected gateway in the Interfaces panel.
Step 5 To name the network, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The network name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new Network icon, and click Rename on the shortcut menu.
Step 6 To access the shortcut menu, right-click the Network icon for the network that you just created in the Navigator pane.
Step 7 To see the properties associated with the new network, click Properties on the shortcut menu.
Result: The General panel associated with the new network appears in the View pane.
Step 8 To specify the address assigned to this network, type that address in the Network Address box.
This value identifies the address of a specific network. This specific network exists behind a gateway that is directly connected to that network. This address is used to derive routing rules on a Policy Enforcement Point.
Step 9 To specify the network mask that corresponds to the network address you specified, type that value in the Network Mask box.
This value identifies the mask of the network specified in the Network Address box. A Policy Enforcement Point uses this mask value to determine the appropriate routing rule.
Step 10 To accept your changes and close the General panel, click OK.
Step 11 To save any changes that you have made, click Save on the File menu.
You can manually define a network shortcut by duplicating the exact names of the perimeter and network in the Interfaces panel of a gateway object that has an upstream interface attached to the same network as another gateway object. Before you can define a network shortcut, you must have defined the network (and its associated perimeter) that you want to reference as part of the interface definition of an existing gateway object, such as a cloud, PIX Firewall, IOS Router, or a generic Router.
This task assumes that you are working in the Interfaces panel of a gateway object. It also assumes that you have not yet defined the perimeter that will be shared or that the perimeter is inherited from a downstream gateway object. In other words, it assumes that you have defined the downstream interface settings for this gateway object, but not the interface settings for the upstream interface that is connected to the network to which you want to create a Network Shortcut node.
To define a shortcut to an existing network manually, perform the following task:
Result: A new node named Perimeter # appears in the Interfaces panel.
Step 2 To specify the name of the perimeter that is defined on the gateway object that shares the network with the selected gateway object, type that perimeter's name in the Name box under Edit Perimeter Selection.
You must specify the name of this perimeter exactly as it appears on the gateway object for which you originally defined that perimeter.
Step 3 To define the shared network, click Network under Insert New.
Result: A new node named Network # appears in the Interfaces panel.
Step 4 To specify the name of the shared network, type that name in the Name box under Edit Network Selection.
You must specify the name of this network exactly as it appears on the gateway object for which you originally defined that network.
Step 5 To define the IP address that this gateway object has on the shared network, click IP Address under Insert New.
Result: A new node named 0.0.0.0 appears in the Interfaces panel.
Step 6 To specify the IP address that this gateway object has on the shared network, specify that address in the IP Address box under Edit IP Address Selection.
This address must be a valid address on the specified network.
Step 7 Continue defining the interfaces on the selected gateway object. When you click OK to close the Interfaces panel, a message box appears stating that a physical network with the same network address has been found inside the perimeter that you specified in Step 2. You are prompted to click Yes to create a shortcut (reference) to that network.
Step 8 To create the reference to the existing network, click Yes.
Result: A shortcut to the specified network appears as one of the networks upstream from the selected gateway object.
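The shortcut mechanism above depends on exact matching: the perimeter and network names typed on the new gateway object must be spelled exactly as on the gateway object that originally defined them, and the IP address entered must be a valid address on that shared network. A name that differs by case or spacing does not produce the shortcut prompt; it quietly defines a second, unrelated network. The following is an added example, not code from Cisco Secure Policy Manager or its documentation, that models this lookup and reports near misses so a typo is visible instead of silent. The gateway, perimeter, and network names are constructed sample data.

```python
"""Resolving a network shortcut from exact perimeter and network names.

Added example for this page, not code from Cisco Secure Policy Manager. It
models the matching rule the shortcut procedure relies on: a shortcut is
created only when the perimeter name and network name typed on the new
gateway object match, character for character, a perimeter and network
already defined on another gateway object, and the IP address entered for the
new gateway must be a valid host address on that shared network. Gateway,
perimeter and network names below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Net:
    name: str
    address: str
    mask: str

    def as_network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network((self.address, self.mask), strict=False)


@dataclass
class Gateway:
    name: str
    # perimeter name -> networks defined under that perimeter's interface
    perimeters: dict[str, list[Net]] = field(default_factory=dict)


@dataclass
class Shortcut:
    owner: str      # gateway object on which the network was originally defined
    perimeter: str
    network: Net


def resolve_shortcut(topology: list[Gateway], requester: str, perimeter: str,
                     network: str, ip: str) -> tuple[Optional[Shortcut], list[str]]:
    """Return (shortcut, []) on success or (None, [error]) on failure."""
    exact = [
        Shortcut(gw.name, perimeter, n)
        for gw in topology if gw.name != requester
        for n in gw.perimeters.get(perimeter, [])
        if n.name == network
    ]
    if not exact:
        # Names are matched exactly; list near misses so a typo or case
        # difference is visible instead of silently becoming a new network.
        def fold(s: str) -> str:
            return " ".join(s.split()).casefold()
        near = [
            f"{gw.name}/{p}/{n.name}"
            for gw in topology if gw.name != requester
            for p, nets in gw.perimeters.items()
            for n in nets
            if fold(p) == fold(perimeter) and fold(n.name) == fold(network)
        ]
        msg = f"no other gateway defines network {network!r} under perimeter {perimeter!r}"
        if near:
            msg += "; names must match exactly, near misses: " + ", ".join(near)
        return None, [msg]
    if len(exact) > 1:
        owners = ", ".join(s.owner for s in exact)
        return None, [f"perimeter {perimeter!r}/network {network!r} is defined on more than one gateway: {owners}"]

    shortcut = exact[0]
    net = shortcut.network.as_network()
    addr = ipaddress.IPv4Address(ip)
    on_net = addr in net and (net.prefixlen >= 31 or addr not in (net.network_address, net.broadcast_address))
    if not on_net:
        return None, [f"{ip} is not a valid host address on {shortcut.network.name!r} ({net})"]
    return shortcut, []


# Constructed topology: an outer PIX Firewall already defines the DMZ network
# on its "DMZ Perimeter"; an inner router with an interface on that same
# network wants a shortcut to it rather than a second copy of the network.
TOPOLOGY = [
    Gateway("Outer PIX", {"DMZ Perimeter": [Net("DMZ Net", "192.0.2.0", "255.255.255.0")]}),
    Gateway("Inner Router"),
]

if __name__ == "__main__":
    for args in (("DMZ Perimeter", "DMZ Net", "192.0.2.254"),
                 ("dmz perimeter", "DMZ Net", "192.0.2.254"),
                 ("DMZ Perimeter", "DMZ Net", "192.0.2.255")):
        sc, errs = resolve_shortcut(TOPOLOGY, "Inner Router", *args)
        print(args, "->", f"shortcut to {sc.owner}/{sc.perimeter}/{sc.network.name}" if sc else errs)
```

The requester is excluded from the search because a gateway object must reference a network defined elsewhere; matching its own definitions would create a loop rather than a shortcut.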
To define a Cloud node under your Network Topology tree, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the network below which you want to define a Cloud, expand the Network Topology tree until you view that Network node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Network icon under which you intend to define a cloud.
Step 4 To create a new cloud, point to New, and then to Gateway, and then click Cloud on the shortcut menu.
Result: A new node named Cloud # appears under the Network node.

Step 5 To name the cloud, type the new name in the selected Name box and press Enter.
Result: The new name appears in the Name box of the selected node.
The cloud name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new Cloud icon, and click Rename on the shortcut menu.
Step 6 You have now defined the Cloud node under a specific network. For instructions on completing your Cloud node definition, refer to the appropriate task section:
Step 7 To save any changes that you have made, click Save on the File menu.
Note: This procedure assumes that you have just created and named a Cloud node as described in the "Defining a Cloud Node" section. Therefore, we assume that you are on the Cloud node that you have just created and are attempting to complete the requisite settings to pass a system Consistency Check.
To specify interface settings of a Cloud node, perform the following task:
Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Result: The Interfaces panel appears in the View pane.

Step 3 To select the IP address object that represents the default gateway address, click the IP address icon under the downstream interface in the Interfaces panel.
The downstream interface is the interface that is attached to the shared network under which this Cloud node resides.
Step 4 To specify the default gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that fully defined networks upstream from this Cloud node will use to reach the cloud networks that you intend to define.
Step 5 To access the shortcut menu, right-click the Cloud Networks icon in the Interfaces panel.
Step 6 To define a new cloud network, point to New, and then click Network.
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 7 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 8 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 9 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 10 For each cloud network that you want to define, repeat Steps 5 through 9.
Step 11 To accept your changes and close the Interfaces panel, click OK.
Step 12 To save any changes that you have made, click Save on the File menu.
To define a cloud network, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the cloud in which you want to define a new cloud network, expand the Network Topology tree until you view that Cloud node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Cloud icon under which you intend to define new cloud networks.
Step 4 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Result: The Interfaces panel appears in the View pane.
Step 5 To access the shortcut menu, right-click the Cloud Networks icon in the Interfaces panel.
Step 6 To define a new cloud network, point to New, and then click Network.
Result: A new node named Cloud Network # appears under the Cloud Networks interface.
Step 7 To name the cloud network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The name of a cloud network may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 8 To specify the address of the cloud network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that exists behind other gateways that you do not intend to define or possibly behind other cloud networks in the list.
Step 9 To specify the network mask of the cloud network, type that mask in the Network Mask box under Edit Network Selection.
Step 10 For each cloud network that you want to define, repeat Steps 5 through 9.
Step 11 To accept your changes and close the Interfaces panel, click OK.
Step 12 To save any changes that you have made, click Save on the File menu.
Note: Cloud networks are defined from the Interfaces panel on a cloud. To define a cloud network, you must define a network under the Cloud Networks interface of the Cloud node (or Internet node) within which the cloud network is logically organized.
You can manually define a PIX Firewall node that enforces network policy between two or more networks from any Network node defined under the Network Topology tree. You can also use the Topology Wizard to define a PIX Firewall node. PIX Firewalls represent Policy Enforcement Points in your network that Cisco Secure Policy Manager uses to enforce the network policies applied under the Network Policy tree.
Defining a new managed Policy Enforcement Point is useful when you are defining your entire network topology because it helps you organize networks behind their respective gateways and enforce network policy against traffic destined to and originating from those networks. In addition, you can use a drag-and-drop operation to move PIX Firewall nodes in the Security Policy Enforcement branch to refine network policy definitions.
Tips: We strongly recommend that you use the Topology Wizard to create new Policy Enforcement Points. You can access this wizard by clicking Topology Wizard on the Wizards menu.
To create a PIX Firewall node under your Network Topology tree, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the network below which you want to define a PIX Firewall, expand the Network Topology tree until you view that Network node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Network icon under which you intend to define a PIX Firewall.
Step 4 To create a new firewall, point to New, then to Gateway, then to Firewall, and then click PIX Firewall on the shortcut menu.
Result: A new node named PIX Firewall # appears under the Network node.

Step 5 To name the PIX Firewall, type the new name in the selected Name box and press Enter.
Result: The new name appears in the Name box of the selected node.
The PIX Firewall name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new PIX Firewall icon, and click Rename on the shortcut menu.
Step 6 You have now defined the PIX Firewall node under a specific network. For instructions on completing your PIX Firewall node definition, refer to the appropriate task section:
Step 7 To save any changes that you have made, click Save on the File menu.
After you have defined a PIX Firewall node, your first task is to specify the settings in the Interfaces panel for that PIX Firewall node. In the Interfaces panel, you must specify the IP address of the default gateway used to reach any networks that you intend to define. Next, you must define a second interface, any new networks under that interface, and the IP addresses belonging to those networks that are assigned to that interface. However, each interface that you define for a PIX Firewall must reside on its own perimeter. In other words, only one interface can reside on a single perimeter that is represented in the Interfaces panel.
Tips: For a PIX Firewall, you can only have one interface per perimeter. Therefore, for each interface that you want to define, you must also define a perimeter.
Note: This procedure assumes that you have just created and named a PIX Firewall node as described in the Create a PIX Firewall Node task. Therefore, we assume that you are on the PIX Firewall node that you have just created and are attempting to complete the requisite settings to pass a system consistency check.
To specify the interface settings of a PIX Firewall node, perform the following task:
Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Result: The Interfaces panel appears in the View pane.

Step 3 To select the network for which you want to define a default gateway that is attached to this PIX Firewall, click that Network icon in the Interfaces panel.
Result: The boxes under Edit Network Selection populate with values for that network.
Step 4 To create the address that will be used as a default gateway, click IP Address under Insert New.
Result: A new IP address node appears in the Interfaces tree.
Step 5 To specify the default gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that the fully defined networks upstream from this PIX Firewall node will use to reach additional networks that you intend to define under this firewall.
Step 6 If you want to define a new interface, click the perimeter under which you want to define the new interface in the Interfaces panel. Otherwise, skip to Step 20.
Result: The Interface button under Insert New becomes available.
Step 7 To create a new interface on this PIX Firewall, click Interface under Insert New.
Result: A new node named DMZ-slot:# appears under the selected perimeter.
Step 8 To name the new interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
When naming an interface installed in a PIX Firewall, you must adhere to the following specific guidelines.
Therefore, the only interfaces that you must rename are the DMZ-slot:# interfaces, where the "#" is replaced by the slot number in which that interface is installed. Change only the slot number itself. If you change the interface to a name that is not listed above, a consistency error results.
Step 9 To specify the media type of the new interface, click that type in the Type list under Edit Interface Selection.
You can specify one of the following media types:
Step 10 To access the shortcut menu, right-click the Interface icon that you have just defined in the Interfaces panel.
Step 11 To define a new network, point to New, and then click Network.
Result: A new node named Network # appears under the interface that you just defined.
Step 12 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The network name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 13 To specify the address of the network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that is attached to the interface on this PIX Firewall node.
Step 14 To specify the network mask of the network, type that mask in the Network Mask box under Edit Network Selection.
Step 15 For each network that you want to define under this interface, repeat Steps 10 through 14.
Step 16 To create the address that will be used as the gateway for reaching this network, click IP Address under Insert New.
Result: A new IP address node appears under the selected network in the Interfaces panel.
Step 17 To specify the gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that the fully defined networks downstream from this PIX Firewall node will use to reach networks defined upstream from this firewall.
Step 18 To define additional interfaces, repeat Steps 6 through 17. However, you must first define a new perimeter for each interface that you want to define. Otherwise, continue with Step 19.
a. To create a new perimeter, click Perimeter under Insert New.
Result: A new node named Perimeter # appears in the Interfaces panel.
b. To give the new perimeter a meaningful name, type that name in the Name box under Edit Perimeter Selection, and then press Enter.
Result: The new name appears in the Name box of the selected node.
Step 19 To move the inside interface to be the last interface in the list, click the perimeter under which the inside interface is defined and click Move Down until it is the last Perimeter in the list.
Because Cisco Secure Policy Manager derives the security levels of the PIX Firewall interfaces from their position in the Interfaces box, the inside interface must be last, representing the security level of 100, and the outside interface must be first, representing the security level of 0.
Step 20 To accept your changes and close the Interfaces panel, click OK.
Step 21 To save any changes that you have made, click Save on the File menu.
Note: For an IOS Router, Cisco Secure Policy Manager does not actually generate the commands that assign names, networks, and addresses to the interfaces installed in the router. Instead, you must match the current configuration of the router exactly with the settings specified in the Interfaces panel of the IOS Router node. Cisco Secure Policy Manager uses this information to generate the correct commands based on the interfaces that are previously configured.
You can manually define an IOS Router node that enforces network policy between two or more networks from any Network node defined under the Network Topology tree. You can also use the Topology Wizard to define an IOS Router node. IOS Routers represent Policy Enforcement Points in your network that Cisco Secure Policy Manager uses to enforce the network policies applied under the Network Policy tree.
Defining a new managed Policy Enforcement Point is useful when you are defining your entire network topology because it helps you organize networks behind their respective gateways and enforce network policy against traffic destined to and originating from those networks. In addition, you can use a drag-and-drop operation to move an IOS Router node in the Security Policy Enforcement branch to refine network policy definitions.
Tips: We strongly recommend that you use the Topology Wizard to create Policy Enforcement Points. You can access this wizard by clicking Topology Wizard on the Wizards menu.
To create an IOS Router, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the network under which you want to define a new IOS Router, expand the Network Topology tree until you view that Network node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Network icon under which you want to define a new IOS Router.
Step 4 To create a new IOS Router, point to New, then to Gateways, then to Routers, and then click IOS Router on the shortcut menu.
Result: A new node named IOS Router # appears under the selected network.
Step 5 To name the IOS router, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The router name may include up to 256 alphanumeric characters, but it may not include quotation marks (").
Tips: If you cannot edit the name, right-click the new IOS Router icon, and then click Rename on the shortcut menu.
Step 6 You have now defined the IOS Router node under a specific network. For instructions on completing your IOS Router node definition, refer to the appropriate task section:
Step 7 To save any changes that you have made, click Save on the File menu.
After you have defined an IOS Router node, the first task is to identify the settings in the Interfaces panel for that IOS Router node. In the Interfaces panel, you must identify the IP address of the default gateway used to reach any networks that you intend to define. Next, you must identify all other interfaces and any networks under those interfaces. All managed Policy Enforcement Points require that you have at least two interfaces defined: one downstream (created by default) and one upstream. However, each interface that you define for an IOS Router must reside on its own perimeter. In other words, only one interface can reside on a single perimeter that is represented in the Interfaces panel.
Tips: For an IOS Router, you can have only one interface per perimeter. Therefore, for each interface that you want to define, you must also define a perimeter. The downstream interface is automatically created and assigned to the inherited perimeter, which is defined as part of a downstream Policy Enforcement Point or the Internet node.
Note: This procedure assumes that you have just created and named an IOS Router node as described in Creating an IOS Router Node. Therefore, we assume that you are on the IOS Router node that you have just created and are attempting to complete the requisite settings to pass a system consistency check.
To specify the interface settings of an IOS Router node, perform the following task:
Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Result: The Interfaces panel appears in the View pane.
Step 3 To select the downstream interface that is connected to the downstream network, click the Interface icon in the Interfaces panel.
The downstream interface is defined automatically when you create a new IOS Router node. It is connected to the network that you selected to create the IOS Router node.
Step 4 To name the downstream interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
Step 5 To specify the media type of the downstream interface, click that type in the Type list under Edit Interface Selection.
Step 6 To specify the default gateway, type that gateway address in the Network Address box under Edit Network Selection.
This address identifies the gateway that the fully defined networks downstream from this IOS Router node will use to reach additional networks that you intend to define under this router.
Note: For any unnumbered interface that you define in an IOS Router node, the network address cannot be edited. In addition, the IP address/range that you must define for any unnumbered interface is the invalid host address of 255.255.255.255, which serves merely as a placeholder for Cisco Secure Policy Manager.
Step 7 To create a new perimeter that will attach to an upstream network, click Perimeter under Insert New.
Result: A new node named Perimeter # appears in the Interfaces panel.
Step 8 To give the new perimeter a meaningful name, type that name in the Name box under Edit Perimeter Selection, and then press Enter.
Result: The new name appears in the Name box of the selected node.
Step 9 If you want to define a new upstream interface, click the perimeter under which you want to define the new interface in the Interfaces panel. Otherwise, skip to Step 19.
Result: The Interface button under Insert New becomes available.
Step 10 To create a new upstream interface in this IOS Router, click Interface under Insert New.
Result: A new node named Ethernet appears under the selected perimeter.
Step 11 To name the upstream interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
Step 12 To specify the media type of the upstream interface, click that type in the Type list under Edit Interface Selection.
Step 13 To access the shortcut menu, right-click the Interface icon that you have just defined in the Interfaces panel.
Step 14 To define a new upstream network, point to New, and then click Network.
Result: A new node named Network # appears under the interface that you just defined.
Step 15 To name the upstream network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The network name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 16 To specify the address of the upstream network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that is attached to an upstream interface on this IOS Router node.
Step 17 To specify the network mask of the upstream network, type that mask in the Network Mask box under Edit Network Selection.
Step 18 To create the address that will be used as the gateway for reaching this upstream network, click IP Address under Insert New.
Result: A new IP address node appears under the selected upstream network in the Interfaces panel.
Step 19 To specify the gateway, type that gateway address in the IP Address box under Edit IP/Range Address Selection.
This address identifies the gateway that the fully defined networks upstream from this IOS Router node will use to reach networks defined downstream from this IOS Router.
Step 20 To define additional perimeter/interface pairs, repeat Steps 7 through 19. However, you must first define a new perimeter for each interface that you want to define. Otherwise, continue with Step 21.
Step 21 To accept your changes and close the Interfaces panel, click OK.
Step 22 To save any changes that you have made, click Save on the File menu.
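The consistency rules stated in the PIX Firewall and IOS Router interface procedures above, modelled as an added Python example that is not Cisco Secure Policy Manager code: the Perimeter, Interface and Network classes, the check_interfaces function and the two sample topologies are constructed here, and the even spacing of DMZ security levels between 0 and 100 is an assumption the page does not state.

```python
"""Illustrative model of the Interfaces-panel consistency rules this chapter
states for PIX Firewall and IOS Router nodes (added example, not Cisco Secure
Policy Manager code): one interface per perimeter and at least two interfaces;
network names <= 256 chars with no '"' or ';'; a gateway address must lie in
its network; PIX: outside first (level 0), inside last (level 100), DMZ cards
named DMZ-slot:#; IOS: an unnumbered interface carries 255.255.255.255.
Assumed, not stated on the page: DMZ levels are evenly spaced between 0 and 100."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DMZ_NAME = re.compile(r"^DMZ-slot:\d+$")
UNNUMBERED = "255.255.255.255"  # placeholder the page prescribes for unnumbered interfaces


def valid_name(name: str) -> bool:
    """Naming rule quoted for network nodes."""
    return 0 < len(name) <= 256 and '"' not in name and ";" not in name


@dataclass
class Network:
    name: str
    gateway: str                   # IP address node defined under this network
    address: Optional[str] = None  # e.g. "10.1.0.0"; None for an unnumbered IOS interface
    mask: str = ""                 # e.g. "255.255.255.0"


@dataclass
class Interface:
    name: str
    networks: List[Network] = field(default_factory=list)


@dataclass
class Perimeter:
    name: str
    interfaces: List[Interface] = field(default_factory=list)


def _check_network(n: Network, device: str, errors: List[str]) -> None:
    if not valid_name(n.name):
        errors.append(f"network name {n.name!r} violates the naming rules")
    if n.address is None:  # unnumbered interface, allowed on an IOS Router only
        if device != "ios":
            errors.append(f"network {n.name!r} has no address")
        elif n.gateway != UNNUMBERED:
            errors.append(f"unnumbered network {n.name!r} must use {UNNUMBERED}")
        return
    try:
        net = ipaddress.IPv4Network((n.address, n.mask), strict=True)
        gw = ipaddress.IPv4Address(n.gateway)
    except ValueError as e:
        errors.append(f"network {n.name!r}: {e}")
        return
    if gw not in net:
        errors.append(f"gateway {gw} for {n.name!r} is not inside {net}")


def check_interfaces(perimeters: List[Perimeter], device: str = "pix") -> List[str]:
    """Return consistency errors for a panel; an empty list passes the rules modelled here."""
    errors: List[str] = []
    for p in perimeters:
        if len(p.interfaces) != 1:
            errors.append(f"perimeter {p.name!r} must hold exactly one interface")
    ifaces = [p.interfaces[0] for p in perimeters if p.interfaces]
    if len(ifaces) < 2:
        errors.append("a managed Policy Enforcement Point needs at least two interfaces")
    if device == "pix":
        if not ifaces or ifaces[0].name != "outside":
            errors.append("the outside interface must be first in the list")
        if not ifaces or ifaces[-1].name != "inside":
            errors.append("the inside interface must be last in the list")
    for i in ifaces:
        if device == "pix" and i.name not in ("outside", "inside") and not DMZ_NAME.match(i.name):
            errors.append(f"{i.name!r} is not an allowed PIX interface name")
        for n in i.networks:
            _check_network(n, device, errors)
    return errors


def pix_security_levels(perimeters: List[Perimeter]) -> Dict[str, int]:
    """Level implied by list position: first is 0, last is 100 (assumed spacing in between)."""
    names = [p.interfaces[0].name for p in perimeters if p.interfaces]
    last = len(names) - 1
    return {name: (100 * idx) // last if last else 100 for idx, name in enumerate(names)}


# Constructed sample: three-perimeter PIX (outside, one DMZ card in slot 2, inside).
PIX_SAMPLE = [
    Perimeter("Internet", [Interface("outside", [Network("Upstream", "192.0.2.1", "192.0.2.0", "255.255.255.0")])]),
    Perimeter("DMZ", [Interface("DMZ-slot:2", [Network("DMZ net", "198.51.100.1", "198.51.100.0", "255.255.255.0")])]),
    Perimeter("Corporate", [Interface("inside", [Network("LAN", "10.1.0.1", "10.1.0.0", "255.255.255.0")])]),
]
# Constructed sample: IOS Router whose upstream serial link is unnumbered.
IOS_SAMPLE = [
    Perimeter("Corporate", [Interface("Ethernet0", [Network("LAN", "10.1.0.1", "10.1.0.0", "255.255.255.0")])]),
    Perimeter("WAN", [Interface("Serial0", [Network("Uplink", UNNUMBERED)])]),
]
```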
You can manually define a Router node under any Network node in the Network Topology tree. Defining a new router is useful when you are defining your entire network topology because it helps you organize networks behind their respective gateways. In addition, you can use a drag-and-drop operation to move Router nodes in the Security Policy Enforcement branch to refine network policy definitions. A router represents a generic gateway object over which Cisco Secure Policy Manager does not have control because it cannot define and distribute network policies to that device. However, Cisco Secure Policy Manager does use a Router node definition to derive routing rules for those Policy Enforcement Points over which it does have control, such as the PIX Firewall.
To create a gateway, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the network under which you want to define a new gateway, expand the Network Topology tree until you view that Network node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Network icon under which you want to define a new gateway.
Step 4 To create a new gateway, point to New and then to Gateway, and then click Router on the shortcut menu.
Result: A new node named Router # appears under the selected network.
Step 5 To name the router, type the new name in the selected box, and then press Enter.
Result: The new name appears in the Name box of the selected node.
The router name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new Router icon, and click Rename on the shortcut menu.
Step 6 You have now defined the Router node under a specific network. For instructions on completing your Router node definition, refer to the appropriate task section:
Step 7 To save any changes that you have made, click Save on the File menu.
After you have defined a Router node, the first task that you must complete is specifying the settings in the Interfaces panel for that Router node. In the Interfaces panel, you must specify the IP address of the default gateway used to reach any networks that you intend to define. Next, you must define a second interface and any new networks under that interface.
Note: This procedure assumes that you have just created and named a Router node as described in Creating a Router Node. Therefore, we assume that you are on the Router node that you have just created and are attempting to complete the requisite settings to pass a system consistency check.
To specify the interface settings of a Router node, perform the following task:
Step 2 To view the Interfaces panel, point to Properties, and then click Interfaces on the shortcut menu.
Step 3 To select the IP address object that represents the default gateway address, click the IP address icon under the downstream interface in the Interfaces panel.
The downstream interface is the interface that is attached to the shared network under which this Router node resides.
Step 4 To specify the default gateway, type that gateway address in the Network Address box under Edit Network Selection.
This address identifies the gateway that the fully defined networks upstream from this Router node will use to reach additional networks that you intend to define under this router.
Step 5 To define a new interface on this router, click Interface under Insert New.
Result: A new node named Interface # appears under the selected perimeter.
Step 6 To name the new interface, type the new name in the Name box under Edit Interface Selection.
Result: The new name appears in the Name box of the selected node.
The interface name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 7 To access the shortcut menu, right-click the Interface icon that you have just defined in the Interfaces panel.
Step 8 To define a new network, point to New, and then click Network.
Result: A new node named Network # appears under the interface that you just defined.
Step 9 To name the network, type the new name in the Name box under Edit Network Selection.
Result: The new name appears in the Name box of the selected node.
The network name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Step 10 To specify the address of the network, type that address in the Network Address box under Edit Network Selection.
This address represents a network that is attached to the interface on this router.
Step 11 To specify the mask of the network, type that mask in the Network Mask box under Edit Network Selection.
Step 12 For each network that you want to define under this interface, repeat Steps 7 through 11.
Step 13 To define additional interfaces, repeat Steps 5 through 12.
Step 14 To accept your changes and close the Interfaces panel, click OK.
Step 15 To save any changes that you have made, click Save on the File menu.
The Primary Server node represents one of two server types that host the client/server products for Cisco Secure Policy Manager. The Primary Server node indicates that this host is running the Primary Policy Database, where all configuration information is stored and to which all GUI clients connect to view or edit the system configuration. This node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems include the Primary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point.
The Secondary Server node indicates that this host is running a distributed installation feature set. Depending on what feature set you installed, this node organizes those settings specific to the subsystems that store and retrieve audit event records, generate and display reports, and publish network policies to Policy Enforcement Points. These subsystems can include the Secondary Policy Database, Policy Monitor Point, Policy Report Point, and Policy Distribution Point.
Note: You must create the nodes that represent any Cisco Secure Policy Manager servers that you have installed on your network. To create these nodes, you must first define the parent network on which these hosts reside and then create a host under that node. You will be prompted to add a host based on the Windows NT name of that computer. The special panels associated with a primary or secondary server were automatically defined when you chose to add a host of this type.
To define a Cisco Secure Policy Manager host, whether it is a primary or secondary server, you create a host node under the Network node on which that server resides. In addition, you must have installed the Cisco Secure Policy Manager software on that server.
The GUI client knows about the existence of such a host based on information stored in the Primary Policy Database during the installation process. When you attempt to define a host under the correct network, the GUI client displays a message box, prompting you as to whether you are intending to create the Host node that it knows about and that is running a component of the Cisco Secure Policy Manager system. If you specify that you do want to add this host, which is identified by its Windows NT computer name in the message box, the GUI client creates a Host node and populates it with the panels required to configure the system-specific settings of the Cisco Secure Policy Manager components running on that server.
To create a primary or secondary server, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the network on which the server that is running a component of the Cisco Secure Policy Manager system resides, expand the Network Topology tree until you view that Network node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Network icon under which you want to define a previously installed primary or secondary server.
Step 4 To specify that you want to create a new primary or secondary server, point to New, and then click Host on the shortcut menu.
Result: If you have selected a network on which a host resides where you have installed a component of Cisco Secure Policy Manager and you have not previously defined that host elsewhere in the Network Topology tree, a message box appears that states, "A network object of the specified type has been detected in the Policy Database, and the external address of the object is consistent with the parent network address. The name of the object is: <Windows NT computer name>. Is this the object that you wish to insert into the Network Topology?"
Step 5 To create a primary or secondary server, click Yes on the message box.
Result: A new node named after the Windows NT computer name appears under the selected network. This node has the Cisco Secure Policy Manager-specific panels added as client/server product types residing on that host.
Step 6 To accept your changes and close the General panel, click OK.
Step 7 To save any changes that you have made, click Save on the File menu.
You can manually define an IP Range node under any Network node in the Network Topology tree. Defining a new IP range is useful when you want to define exceptional network policies on the basis of a subset of hosts residing on a particular network. To refine network policy definitions, you can use a drag-and-drop operation to move IP Range nodes in the Security Policy Enforcement branch. You can also use IP Range nodes to define Network Object Group definitions and IF Source is and IF Destination is conditions in security policy abstracts.
To create an IP Range node, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the network under which you want to define a new IP range, expand the Network Topology tree until you view that Network node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Network icon under which you want to define a new IP range.
Step 4 To create a new IP range, point to New, and then click IP Range on the shortcut menu.
Result: A new node named IP Range # appears under the selected network.
Step 5 To name the IP range, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The IP range name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new IP Range icon, and click Rename on the shortcut menu.
Step 6 To access the shortcut menu, right-click the IP Range icon for the IP range that you just created.
Step 7 To see the properties associated with the new IP range, click Properties on the shortcut menu.
Result: The General panel associated with the IP range appears in the View pane.
Step 8 To specify the starting IP address in the range that you want to define, type that address in the Low IP Address box.
Step 9 To specify the ending IP address in the range that you want to define, type that value in the High IP Address box.
Step 10 To accept your changes and close the General panel, click OK.
Step 11 To save any changes that you have made, click Save on the File menu.
You can manually define a Host node under any Network node in the Network Topology tree. Defining a new host is useful when you are defining your entire network topology because it helps you identify those special hosts that run client/server products, such as certificate authority servers and syslog servers that Cisco Secure Policy Manager uses when informing Policy Enforcement Points about the location of such services. In addition, you can use a drag-and-drop operation to move Host nodes to the Security Policy Enforcement branch to refine network policy definitions.
To create a host, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the network under which you want to define a new host, expand the Network Topology tree until you view that Network node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Network icon under which you want to define a new host.
Step 4 To create a host, point to New, and then click Host on the shortcut menu.
Result: A new node named Host # appears under the selected network.
Step 5 To name the host, type the new name in the selected box and press Enter.
Result: The new name appears in the Name box of the selected node.
The host name may include up to 256 alphanumeric characters, but it may not include quotation marks (") or semicolons (;).
Tips: If you cannot edit the name, right-click the new Host icon, and click Rename on the shortcut menu.
Step 6 To access the shortcut menu, right-click the Host icon for the host that you just created.
Step 7 To see the properties associated with the new host, click Properties on the shortcut menu.
Result: The General panel appears in the View pane.
Step 8 To specify an address assigned to this host, type that address in the IP Addresses box.
This value identifies the IP address assigned to this host. A host can have multiple IP addresses associated with its network stack. Each IP address must reside on the network under which this Host node is defined.
Step 9 To specify additional addresses for this host, click Add, and repeat Step 8.
Step 10 To specify that a client/server product runs on this host, click Add next to the Resident Client/Server Products box. Otherwise, skip to Step 15.
Result: The Add Client/Server Product dialog box appears.
Step 11 To select the client/server product type, click that type in the Product Type box.
The Product Type list displays the supported client/server product types:
Result: The Product Name (specify) box displays the selected product type name.
Step 12 To specify a meaningful name for this client/server product type, type the name in the Product Name (specify) box.
Step 13 To add this client/server product type to the host, click OK.
Result: The Add Client/Server Product dialog box closes.
Step 14 For each client/server product type that you want to add to this host, repeat Steps 10 through 13. Otherwise, continue with Step 15.
Step 15 To accept your changes and close the General panel, click OK.
Step 16 To save any changes that you have made, click Save on the File menu.
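The address rules stated for IP Range nodes and Host nodes in the two procedures above, as an added Python example that is not Cisco Secure Policy Manager code: the check_host, check_ip_range and hosts_in_range functions and the sample network are constructed here, and treating both ends of an IP range as having to reside on the parent network is an assumption drawn from the page's description of a range as a subset of that network's hosts.

```python
"""Added example (not Cisco Secure Policy Manager code) for the address rules
this chapter states for nodes defined under a Network node: every IP address
of a Host node must reside on that network, an IP Range node's low address
must not exceed its high address, and node names are at most 256 characters
with no quotation marks or semicolons. Assumption: an IP range selects a
subset of the parent network's hosts, so both of its ends must lie on it."""
import ipaddress
from typing import Dict, List


def valid_name(name: str) -> bool:
    """Naming rule quoted for host and IP range nodes."""
    return 0 < len(name) <= 256 and '"' not in name and ";" not in name


def check_host(parent: str, name: str, addresses: List[str]) -> List[str]:
    """parent is the Network node as 'address/prefix'; returns consistency errors."""
    net = ipaddress.IPv4Network(parent, strict=True)
    errors: List[str] = []
    if not valid_name(name):
        errors.append(f"host name {name!r} violates the naming rules")
    if not addresses:
        errors.append(f"host {name!r} has no IP address")
    for a in addresses:  # a host may carry several addresses on its stack
        try:
            ip = ipaddress.IPv4Address(a)
        except ValueError:
            errors.append(f"host {name!r}: {a!r} is not an IPv4 address")
            continue
        if ip not in net:
            errors.append(f"host {name!r}: {ip} does not reside on {net}")
    return errors


def check_ip_range(parent: str, name: str, low: str, high: str) -> List[str]:
    """Checks the Low/High IP Address pair of an IP Range node under parent."""
    net = ipaddress.IPv4Network(parent, strict=True)
    errors: List[str] = []
    if not valid_name(name):
        errors.append(f"range name {name!r} violates the naming rules")
    try:
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    except ValueError:
        errors.append(f"range {name!r}: low and high must be IPv4 addresses")
        return errors
    if lo > hi:
        errors.append(f"range {name!r}: low address {lo} exceeds high address {hi}")
    for end in (lo, hi):
        if end not in net:
            errors.append(f"range {name!r}: {end} does not reside on {net}")
    return errors


def hosts_in_range(low: str, high: str, hosts: Dict[str, List[str]]) -> List[str]:
    """Names of hosts with at least one address inside [low, high]: the Host
    nodes that an exceptional policy written against the range would affect."""
    lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    return sorted(n for n, addrs in hosts.items()
                  if any(lo <= ipaddress.IPv4Address(a) <= hi for a in addrs))


# Constructed sample: one Network node with three Host nodes and one IP Range node.
PARENT = "10.1.0.0/24"
HOSTS = {"mail": ["10.1.0.25"], "web": ["10.1.0.30", "10.1.0.31"], "print": ["10.1.0.200"]}
SERVER_RANGE = ("10.1.0.10", "10.1.0.50")  # Low IP Address, High IP Address
```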
You can specify that a client/server product type is running on a host after you have defined the Host node. This feature helps you identify those special hosts that run client/server product types, such as authentication servers and syslog servers that Cisco Secure Policy Manager uses when informing Policy Enforcement Points about the location of such services. The definitions of these product types are also used to ensure that requisite communications, such as those between a Policy Enforcement Point and a certificate authority server, are permitted by the security policies and routing rules that Cisco Secure Policy Manager maintains automatically for you.
To specify that a client/server product type resides on an existing host, perform the following task:
Result: The Network Topology tree appears in the Navigator pane.
Step 2 To find the host on which you want to define a client/server product type, expand the Network Topology tree until you view that Host node in the Navigator pane.
Step 3 To access the shortcut menu, right-click the Host icon on which you want to define a client/server product.
Step 4 To see the properties associated with this host, click Properties on the shortcut menu.
Result: The Host panel appears in the View pane.
Step 5 To specify that a client/server product type runs on this host, click Add.
Result: The Add Client/Server Product dialog box appears.
Step 6 To select the client/server product type, click that type in the Product Type box.
The Product Type list displays the supported client/server product types:
Result: The Product Name (specify) box displays the selected product type name.
Step 7 To specify a meaningful name for this client/server product type, type the name in the Product Name (specify) box.
Step 8 To add this client/server product type to the host and close the Add Client/Server Product dialog box, click OK.
Step 9 For each client/server product type that you want to add to this host, repeat Steps 5 through 8. Otherwise, continue with Step 10.
Step 10 To accept your changes and close the Host panel, click OK.
Step 11 To save any changes that you have made, click Save on the File menu.
Posted: Mon Jun 5 10:48:11 PDT 2000
Copyright © 1989 - 2000 Cisco Systems Inc.