Configuring the Device-Specific Settings of Network Objects

While the primary goal of Cisco Secure Policy Manager is to avoid device-centric views of your network and the devices that compose it, some settings and rules require that you consider the role that a specific network object has in your network. Many of these settings are peculiar to the network object, such as the name of the interfaces installed in a Policy Enforcement Point or the amount of disk space the Cisco Secure Policy Manager database can consume before it must archive or purge the oldest records. Most of Cisco Secure Policy Manager focuses on defining a high-level, abstract policy from which all appropriate, device-specific commands are generated automatically for you. However, the Network Topology tree enables few of these abstractions because it defines the physical layer of your network.

This section focuses on explaining the device-centric settings that you can define within the Network Topology tree. It also pays special attention to those settings that you must define. The purpose of this section is to help you understand why you must define these settings and to help you focus your energies correctly, because by knowing what you can specify within the Network Topology tree, you also know what you cannot specify, which encourages you to look outside of this tree to accomplish other goals.

Device-specific settings pertain to the proper operation of a network object in your network. Some network objects have relatively few device-specific settings, while others have a large number of settings. We can define six categories of device-specific settings:

The remainder of this chapter presents step-by-step procedures for manually configuring many of these device-specific settings. Some of these settings, such as the interface settings, are specified as part of the initial definition of the device or they can be discovered by the Topology Wizard. For more information about defining a network object, refer to "Populating the Network Topology Tree." For more information about using the Topology Wizard and detailed descriptions of these network objects, refer to the online help system provided with the product.

Managed Gateway Object Settings

The following tasks describe how to configure the settings that are specific to a managed gateway object. The panels in which these settings appear are only visible when the Managed Object check box is selected in the General panel of the PIX Firewall and IOS Router nodes.

PIX Firewall Settings

The PIX Firewall has one panel that organizes its device-specific settings: the Settings 1 panel.


From the Settings 1 panel, you can specify certain device-specific settings for the selected PIX Firewall. These settings include global network policy overrides that are enabled for this Policy Enforcement Point only, such as timeout settings for certain services as well as all sessions, global ICMP service enablement, and the timeout settings for user authentication sessions. In addition, you can specify the configuration settings for options such as generating and labeling syslog data streams and whether to enable the SMTP Flood Guard security feature to protect your e-mail server against flood attacks.

Specifying Global ICMP Policy Overrides

You can specify global policy overrides for specific types of inbound ICMP network traffic that the PIX Firewall receives from either upstream or downstream networks. This feature is useful for enabling common features required by administrative tools like ping and traceroute.

To specify the global policy overrides for specific types of ICMP traffic, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall for which you want to define global policy overrides for inbound ICMP traffic, expand the Network Topology tree until you view that PIX Firewall node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the PIX Firewall icon for which you want to define global policy overrides for inbound ICMP traffic.

Step 4 To view the Settings 1 panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 5 To specify the global policy override, select the box for the appropriate type of ICMP traffic that you want to permit under Policy overrides for Inbound ICMP.

You can enable the following policy overrides:

Step 6 To accept your changes and close the Settings 1 panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

Specifying Global Timeout Settings

You can specify global timeout values for specific types of network service; the PIX Firewall uses these values to forcibly end sessions of those service types. This feature is useful for ending stagnant sessions and limiting the length of time that a particular session can last.

To specify the global timeout settings for specific session types, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall for which you want to define global timeout settings, expand the Network Topology tree until you view that PIX Firewall node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the PIX Firewall icon for which you want to specify global timeout settings.

Step 4 To view the Settings 1 panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 5 To specify the timeout values in minutes for specific session types, type that value in the appropriate box under Timeouts.

You can specify a global timeout value for the following session types:

Step 6 To accept your changes and close the Settings 1 panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

Specifying Log Settings for PIX Firewall Activity

To generate meaningful reports about the network activity of the PIX Firewall, you must select the appropriate log level that generates the syslog details required to track session-specific data. From the Settings 1 panel, you can specify that you want to enable logging, specify the log level, and specify the log facility for the selected PIX Firewall.


Note The log levels generated by the PIX Firewall are listed in the Log level (trap) box. This list is ordered from the least to the most detailed level, and each subsequent log level option includes all the events generated by the previous log level in that list.

To specify the PIX Firewall log settings, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall for which you want to specify the log settings, expand the Network Topology tree until you view that PIX Firewall node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the PIX Firewall icon for which you want to specify the log settings.

Step 4 To view the Settings 1 panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 5 To specify that you want to enable logging, select the Enable logging check box under Logging.

By default, this option is selected.

Step 6 To specify the facility number that you want this PIX Firewall to use when generating syslog data streams, select that number in the Log facility box under Logging.

The syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams. This value enables you to specify that the selected PIX Firewall has a syslog facility value between 16 and 23. This value is included in any syslog messages that are generated by this PIX Firewall. The default value for this box is 20.

Step 7 To specify the level of syslog messages that you want this PIX Firewall to generate, select that level in the Log level (trap) box under Logging.

This value identifies the syslog logging level generated by the PIX Firewall. You can specify one of the following values for this box:


Note This setting directly affects what level of reports you can generate about the network activity for this PIX Firewall. It is recommended that you select Information or Debugging to ensure that all report data is available.

Step 8 To accept your changes and close the Settings 1 panel, click OK.

Step 9 To save any changes that you have made, click Save on the File menu.

Enabling Flood Guard

You can specify that you want a PIX Firewall to guard against flood attacks that occur on the TCP ports. By enabling this feature, you can improve availability of TCP-based sessions, which protects your network against TCP_SYN flood attacks. This attack simply consumes resources by requesting new sessions without actually completing the handshake. By consuming all available connections, a TCP_SYN flood attack can prevent those sessions that you want to allow through your PIX Firewall from ever occurring. Flood Guard reclaims these resources by cancelling unanswered session requests when the number of possible connections is running low.

To enable Flood Guard, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall on which you want to enforce Flood Guard, expand the Network Topology tree until you view that PIX Firewall node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the PIX Firewall icon on which you want to enforce Flood Guard.

Step 4 To view the Settings 1 panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 5 To enable Flood Guard for all TCP traffic traversing this PIX Firewall, select the Enable Flood Guard check box under Configuration.

By default, this option is not selected.

Step 6 To accept your changes and close the Settings 1 panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

IOS Router Settings

The IOS Router has three panels that organize its device-specific settings: the Settings 1, Settings 2, and Settings 3 panels.

From the Settings panels, you can specify certain device-specific settings for the selected IOS Router. These settings include the following global network policy overrides that are enabled for network sessions that traverse this Policy Enforcement Point only:

Enabling Address Translation Overload for IOS Router

For IOS Routers, you can specify that the router should overload the global pool of IP addresses when enforcing the mapping rules defined on the router. This option enables you to conserve addresses in the inside global address pool by allowing the router to use one global address for many local addresses. When this overloading is configured, the router maintains enough information from higher-level protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local address. When multiple local addresses map to one global address, each TCP or UDP port number of each inside host distinguishes between the local addresses.

To specify that this IOS Router should enable address translation overload, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the IOS Router for which you want to enable address translation overload, expand the Network Topology tree until you view that IOS Router node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the IOS Router icon for which you want to enable address translation overload.

Step 4 To view the Settings 1 panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 5 To specify that this IOS Router should overload the global pool of IP addresses when enforcing the mapping rules defined for it, select the Enable NAT Overload check box.

The default value for this option is Off (cleared).

Step 6 To accept your changes and close the Settings 1 panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.
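
The following Python model is an added illustration (not code from the manual or from Cisco) of the translation table an overloading router keeps: one inside global address (the constructed TEST-NET address 203.0.113.10) serves many inside local addresses, and the TCP/UDP port alone identifies the local host on the return path. Port preservation with fallback allocation is an assumption for the model, not a description of IOS internals.

```python
"""Added illustration (not code from the manual or from Cisco): a minimal model of
the translation table an overloading router keeps so that one inside global
address can serve many inside local addresses, with the TCP/UDP port telling
return traffic apart. Addresses and ports are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LocalKey = Tuple[str, str, int]   # (protocol, inside local address, local port)
GlobalKey = Tuple[str, int]       # (protocol, inside global port)


@dataclass
class OverloadTranslator:
    """One inside global address overloaded across many inside local hosts."""
    global_addr: str
    next_port: int = 1024   # assumption: first fallback port handed out
    outbound: Dict[LocalKey, int] = field(default_factory=dict)
    inbound: Dict[GlobalKey, LocalKey] = field(default_factory=dict)

    def translate_out(self, proto: str, local_addr: str, local_port: int) -> Tuple[str, int]:
        """Inside -> outside: allocate a global port the first time a flow is seen."""
        key: LocalKey = (proto, local_addr, local_port)
        if key not in self.outbound:
            # Keep the original source port when it is still free on the global
            # address, otherwise pick the next unused one. This per-port state is
            # what "overload" adds on top of a plain one-to-one translation.
            if (proto, local_port) not in self.inbound:
                gport = local_port
            else:
                gport = self._alloc(proto)
            self.outbound[key] = gport
            self.inbound[(proto, gport)] = key
        return self.global_addr, self.outbound[key]

    def translate_in(self, proto: str, global_port: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside: the global port alone identifies the local host and
        port; None means no inside host owns it and the packet is dropped."""
        key = self.inbound.get((proto, global_port))
        return None if key is None else (key[1], key[2])

    def _alloc(self, proto: str) -> int:
        while (proto, self.next_port) in self.inbound:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port


def demo() -> dict:
    """Two inside hosts that chose the same source port share one global address."""
    nat = OverloadTranslator(global_addr="203.0.113.10")
    a = nat.translate_out("tcp", "10.0.0.5", 40000)
    b = nat.translate_out("tcp", "10.0.0.6", 40000)   # collides with a's port
    return {
        "a": a,
        "b": b,
        "back_a": nat.translate_in("tcp", a[1]),
        "back_b": nat.translate_in("tcp", b[1]),
        "unknown": nat.translate_in("tcp", 5555),   # unsolicited inbound packet
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `unknown` case shows the defensive side effect of overloading: an inbound packet with no matching translation entry has no inside destination and is discarded.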

Specifying Enable ICMP Policy Override for IOS Router

For IOS Routers, you can specify that you want the router to permit ICMP echo-reply traffic for those network packets that originate from a network attached to any interface in the router and that are destined for the router or a network attached to another interface on that router. Much of the traffic that this setting enables supports network applications such as ping and traceroute.

Because ICMP traffic is not inspected by content-based access control (CBAC), you must enable this option to permit return traffic for ICMP commands. For example, a user on a protected network uses the ping command to get the status of a host on an unprotected network; without entries in the access list that permit echo reply messages, the user on the protected network gets no response to the ping command.

Currently, Cisco Secure Policy Manager does not implicitly permit any ICMP echo-reply traffic for a Policy Enforcement Point on any outgoing interfaces. If you want to be able to ping between two network objects, all IOS Router nodes in the path between the two objects must have this feature enabled.


Caution As with any network services designed with the sole purpose of providing information about the objects residing on your network, this feature could enable what many administrators consider to be a security hole.

To specify that this IOS Router should permit ICMP echo-reply traffic, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the IOS Router for which you want to enable ICMP echo-reply traffic traversal, expand the Network Topology tree until you view that IOS Router node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the IOS Router icon for which you want to permit ICMP echo-reply traffic.

Step 4 To view the Settings 1 panel, point to Properties, and then click Settings 1 on the shortcut menu.

Step 5 To specify that this IOS Router should permit ICMP echo-reply traffic, select the Enable Replied ICMP check box.

The default value for this option is Off (cleared).

Step 6 To accept your changes and close the Settings 1 panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

Specifying Log Settings for IOS Router Activity

To generate meaningful reports about the network activity of the IOS Router, you must select the appropriate log level that generates the syslog details required to track session-specific data. From the Settings 1 panel, you can specify that you want to enable logging, specify the log level, and specify the log facility for the selected IOS Router.


Note The log levels generated by the IOS Router are listed in the Log level (trap) box. This list is ordered from the least to the most detailed level, and each subsequent log level option includes all the events generated by the previous log level in that list.

To specify the IOS Router log settings, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the IOS Router for which you want to specify the log settings, expand the Network Topology tree until you view that IOS Router node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the IOS Router icon for which you want to specify the log settings.

Step 4 To view the Settings 1 panel, point to Properties, and then click Settings 1 on the shortcut menu.


Step 5 To specify that you want to enable logging, select the Enable logging check box under Logging.

By default, this option is selected.

Step 6 To specify the facility number that you want this IOS Router to use when generating syslog data streams, select that value in the Log facility box under Logging.

The syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network objects that generate syslog data streams. This value enables you to specify that the selected IOS Router has a syslog facility value that can be differentiated from other network objects. This value is included in any syslog messages that are generated by this IOS Router. The default value for this box is local7.

Step 7 To specify the level of syslog messages that you want this IOS Router to generate, select that level in the Log level (trap) box under Logging.

This value identifies the syslog logging level generated by the IOS Router. You can specify one of the following values for this box:


Note This setting directly affects what level of reports you can generate about the network activity for this IOS Router. It is recommended that you select Information or Debugging to ensure that all report data is available.

Step 8 To save any changes that you have made, click Save on the File menu.
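
Both this procedure and the PIX Firewall log settings procedure above depend on the syslog facility and trap level. The following Python example is added here (it is not from the manual or from Cisco) to show how a central collector decodes the PRI field of each message to attribute it to a device by facility, and to check that the message severity is consistent with the trap level configured on that device. The device names, the facility-to-device inventory, and the log lines are constructed.

```python
"""Added example (not from the Cisco Secure Policy Manager manual): decoding the
syslog PRI field so that a central collector can attribute each message to the
PIX Firewall or IOS Router that sent it by facility, and check that the message
severity is consistent with the trap level configured on that device.
Device names, facility assignments and the log lines are constructed sample data."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Standard syslog severities, numerically 0..7. The Log level (trap) list follows
# this order and each level includes every message of the levels before it.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# local0..local7 are facility codes 16..23, the range a PIX Firewall can be given.
LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}

# Assumed collector inventory: facility -> (device name, configured trap level).
# The PIX default facility is 20 (local4); the IOS default is local7 (23).
DEVICES: Dict[int, Tuple[str, str]] = {
    20: ("pix-edge", "informational"),
    23: ("rtr-core", "debugging"),
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def pri(facility: int, severity: int) -> int:
    """PRI value placed in the <...> prefix: facility * 8 + severity."""
    return facility * 8 + severity


def decode_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): returns (facility, severity)."""
    return divmod(value, 8)


class Decoded(NamedTuple):
    facility: str
    severity: str
    device: str
    message: str
    consistent: bool


def decode_line(line: str) -> Decoded:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI field: {line!r}")
    fac, sev = decode_pri(int(m.group(1)))
    device, trap = DEVICES.get(fac, ("unknown", None))
    # A device configured at trap level N never emits severities numerically
    # above N; seeing one means the inventory or the device setting is stale.
    consistent = trap is not None and sev <= SEVERITIES.index(trap)
    return Decoded(LOCAL_FACILITIES.get(fac, str(fac)), SEVERITIES[sev],
                   device, m.group(2).strip(), consistent)


def audit(lines: List[str]) -> List[Decoded]:
    return [decode_line(ln) for ln in lines]


# Constructed lines; the message IDs are illustrative, not real PIX/IOS IDs.
SAMPLE_LINES = [
    f"<{pri(20, 6)}>Jan 01 00:00:01 pix-edge %PIX-6-SAMPLE: informational event",
    f"<{pri(20, 7)}>Jan 01 00:00:02 pix-edge %PIX-7-SAMPLE: debug event",
    f"<{pri(23, 4)}>Jan 01 00:00:03 rtr-core %SYS-4-SAMPLE: warning event",
    f"<{pri(17, 3)}>Jan 01 00:00:04 other-box unregistered sender",
]

if __name__ == "__main__":
    for d in audit(SAMPLE_LINES):
        print(d)
```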

Specifying Global CBAC Settings for IOS Router

For IOS Routers running Cisco Secure Integrated Software or Cisco Secure Integrated VPN Software, you can specify settings for the CBAC commands that Cisco Secure Policy Manager generates for this Policy Enforcement Point. These CBAC settings enable you to customize specific global options, such as timeouts, half-open session thresholds, and session initiation rate thresholds.

To specify the global CBAC settings for the IOS Router, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the IOS Router for which you want to specify the global CBAC settings, expand the Network Topology tree until you view that IOS Router node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the IOS Router icon for which you want to specify the global CBAC settings.

Step 4 To view the Settings 2 panel, point to Properties, and then click Settings 2 on the shortcut menu.


Step 5 To specify the length of time the software waits for a TCP session to reach the established state before dropping the session, type that value in the TCP Synwait-time box.

The default value for this timeout setting is 30 seconds.

Step 6 To specify the length of time a TCP session will be managed after the firewall detects a FIN-exchange, type that value in the TCP Finwait-time box.

The default value for this timeout setting is 5 seconds.

Step 7 To specify the length of time a DNS name lookup session will be managed after no activity, type that value in the box for the DNS name lookup timeout.

The default value for this timeout setting is 5 seconds.

Step 8 To specify the number of existing half-open sessions that can exist before the software starts deleting half-open sessions, type that value in the Max-incomplete High Number box.

The default value for this session threshold setting is 500 sessions.

Step 9 To specify the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, type that value in the Max-incomplete Low Number box.

The default value for this session threshold setting is 400 sessions.

Step 10 To specify the rate (in number of sessions per minute) of new unestablished sessions that will cause the software to start deleting half-open sessions, type that value in the One-minute High Number box.

The default value for this session threshold setting is 500 sessions/minute.

Step 11 To specify the rate (in number of sessions per minute) of new unestablished sessions that will cause the software to stop deleting half-open sessions, type that value in the One-minute Low Number box.

The default value for this session threshold setting is 400 sessions/minute.

Step 12 To specify the number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to the same destination host address, type that value in the TCP Max-incomplete Host box.

The default value for this session threshold setting is 50 sessions.

Step 13 To specify how long the software continues to drop new connection requests to a destination host after the TCP Max-incomplete Host threshold has been exceeded for that host, type that value in the Block-Time (Seconds) box.

The default value for this timeout setting is 30 seconds.

Step 14 To accept your changes and close the Settings 2 panel, click OK.

Step 15 To save any changes that you have made, click Save on the File menu.
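
As an added example (not code from the manual or from Cisco), the following Python model shows how the thresholds from Steps 8 through 13 interact: aggressive deletion of half-open sessions switches on when the count or the one-minute rate exceeds a High number and switches off only after both fall below the Low numbers, while the per-host limit drops half-open sessions to one destination and blocks it for Block-Time. The defaults are those stated in the procedure; the source addresses, host names and timings are constructed traffic, and the reclaim-the-oldest-session policy is a modelling assumption.

```python
"""Added example (not part of the Cisco Secure Policy Manager manual): a model of
how the CBAC half-open session thresholds in the procedure above interact.
Aggressive deletion starts when the half-open count or the one-minute arrival
rate exceeds a High number and stops only when both are below the Low numbers.
The per-host limit drops half-open sessions to one destination and blocks it for
Block-Time. Defaults are those stated in the procedure; traffic is constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple

Pair = Tuple[str, str]  # (source address, destination host)


@dataclass
class CbacThresholds:
    max_incomplete_high: int = 500
    max_incomplete_low: int = 400
    one_minute_high: int = 500
    one_minute_low: int = 400
    tcp_max_incomplete_host: int = 50
    block_time_seconds: int = 30


@dataclass
class CbacState:
    cfg: CbacThresholds = field(default_factory=CbacThresholds)
    half_open: Dict[Pair, None] = field(default_factory=dict)  # insertion-ordered set
    per_host: Dict[str, int] = field(default_factory=dict)     # half-open count per host
    recent: Deque[float] = field(default_factory=deque)        # new-session timestamps
    blocked_until: Dict[str, float] = field(default_factory=dict)
    aggressive: bool = False

    def _rate(self, now: float) -> int:
        # New unestablished sessions seen in the trailing minute.
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        return len(self.recent)

    def _update_mode(self, now: float) -> None:
        total, rate = len(self.half_open), self._rate(now)
        if total > self.cfg.max_incomplete_high or rate > self.cfg.one_minute_high:
            self.aggressive = True
        elif total < self.cfg.max_incomplete_low and rate < self.cfg.one_minute_low:
            self.aggressive = False

    def _forget(self, pair: Pair) -> None:
        if pair in self.half_open:
            del self.half_open[pair]
            self.per_host[pair[1]] -= 1

    def syn(self, now: float, src: str, dst: str) -> str:
        """A new TCP session that has not reached the established state."""
        if self.blocked_until.get(dst, 0.0) > now:
            return "drop:host-blocked"
        self.recent.append(now)
        reclaimed = False
        if self.aggressive and self.half_open:
            # Aggressive mode: reclaim the oldest half-open session to make room.
            self._forget(next(iter(self.half_open)))
            reclaimed = True
        if (src, dst) not in self.half_open:
            self.half_open[(src, dst)] = None
            self.per_host[dst] = self.per_host.get(dst, 0) + 1
        self._update_mode(now)
        if self.per_host[dst] > self.cfg.tcp_max_incomplete_host:
            # Steps 12 and 13: too many half-open sessions to one host, so drop
            # them all and refuse new ones to that host for Block-Time.
            for pair in [p for p in self.half_open if p[1] == dst]:
                self._forget(pair)
            self.blocked_until[dst] = now + self.cfg.block_time_seconds
            return "drop:host-threshold"
        return "accept:reclaimed" if reclaimed else "accept"

    def established(self, src: str, dst: str) -> None:
        # Handshake completed: the session is no longer half-open.
        self._forget((src, dst))


def simulate() -> dict:
    """Constructed traffic: a flood spread over many hosts, then one host."""
    s, out = CbacState(), {}
    # 510 sources each leave one half-open session to a distinct host within 26 s,
    # crossing both the count High number and the one-minute rate High number.
    for i in range(510):
        s.syn(i * 0.05, f"198.51.100.{i % 250}", f"host{i}")
    out["aggressive_after_burst"] = s.aggressive
    out["half_open_after_burst"] = len(s.half_open)
    # 150 sessions complete: the count drops below the Low number, but the mode
    # clears only once the one-minute rate has decayed as well.
    for i in range(150):
        s.established(f"198.51.100.{i % 250}", f"host{i}")
    out["late_action"] = s.syn(26.0, "198.51.100.9", "late-host")
    out["aggressive_while_rate_high"] = s.aggressive
    out["quiet_action"] = s.syn(200.0, "198.51.100.9", "quiet-host")
    out["aggressive_after_rate_decays"] = s.aggressive
    # Per-host threshold: 51 sources hit one host at the same instant.
    h = CbacState()
    acts = [h.syn(0.0, f"203.0.113.{i}", "dmz-web") for i in range(1, 52)]
    out["host_actions"] = (acts[49], acts[50], h.syn(10.0, "203.0.113.60", "dmz-web"),
                           h.syn(30.0, "203.0.113.60", "dmz-web"))
    return out
```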

Specifying Global Inspection Command Settings for IOS Router

For IOS Routers running Cisco Secure Integrated Software or Cisco Secure Integrated VPN Software, you can specify the settings for the inspection commands used to examine the network services supported by these software modules. You can specify the time that a session can remain idle before the router tears down the session automatically. In addition, you can specify whether you want to provide additional information within the syslog messages about the sessions evaluated by the router, or issue alerts when certain suspicious network activities are detected.

To specify the global inspection command settings for the IOS Router, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the IOS Router for which you want to specify the global inspection command settings, expand the Network Topology tree until you view that IOS Router node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the IOS Router icon for which you want to specify the global inspection command settings.

Step 4 To view the Settings 3 panel, point to Properties, and then click Settings 3 on the shortcut menu.


Step 5 To specify the maximum period of time that a session can remain idle, type that value in the text box to the right of each network service for which you want to modify the idle timeout value.

Step 6 To specify that the IOS Router should log summary data about a session, select the Audit-trail check box to the right of the network service name.

This option generates an additional per-session transaction log of network activities. The message is issued at the end of each inspected session and it records the source/destination addresses and ports, as well as the number of bytes transmitted by the client and server. It is an informational syslog message type, and therefore, you must specify that this router generates at least the informational log level.

Step 7 To specify that the IOS Router should issue alerts to the console when it detects suspicious network activities, select the Alert check box to the right of the network service name.

This option generates console alerts when the following network activities are detected:

Step 8 To accept your changes and close the Settings 3 panel, click OK.

Step 9 To save any changes that you have made, click Save on the File menu.

Cisco Secure Policy Manager Server Settings

The following tasks describe how to configure the settings that are specific to primary and secondary servers that are running components of the Cisco Secure Policy Manager system. The set of panels that actually appears on one of these servers depends on the installation type selected when the Cisco Secure Policy Manager system software was installed on the host.

Policy Distribution Point

The Policy Distribution Point panel is primarily an informational panel. It represents the Policy Distribution Point residing on a Cisco Secure Policy Manager server. The role of the Policy Distribution Point is critical to the operation of the security system. From this panel, you can disable the Policy Distribution Point, which prevents this host from generating and distributing commands to any Policy Enforcement Points residing on your network. You can also enable previously disabled Policy Distribution Points.


Enabling/Disabling the Policy Distribution Point

You can enable or disable a Policy Distribution Point that resides on a primary or secondary server. If you enable a previously disabled Policy Distribution Point, you can use it to generate and publish device-specific command sets to the Policy Enforcement Points on your network. However, if you disable a Policy Distribution Point, you can no longer use it to generate and publish device-specific command sets to any Policy Enforcement Points on your network. In fact, a disabled Policy Distribution Point is not a valid option for the Policy Distribution Point box in the Enforcement panel of the Policy Enforcement Points that are managed by Cisco Secure Policy Manager.

To enable or disable the Policy Distribution Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary server for which you want to enable or disable the Policy Distribution Point residing on that server, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Distribution Point is running.

Step 4 To view the Policy Distribution panel, point to Properties, and then click Policy Distribution on the shortcut menu.

Result: The Policy Distribution panel appears in the View pane.

Step 5 To change the availability of the Policy Distribution Point running on this host, select or clear the Disabled box under General Settings.

When this box is selected, the Policy Distribution Point is disabled. When the box is cleared, the Policy Distribution Point can be used to generate and publish command sets to the Policy Enforcement Points residing on your network.

Step 6 To accept your changes and close the Policy Distribution panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

Policy Monitor

From the Policy Monitor panel, you can control basic Policy Monitor Point functions, such as the connection settings, audit event retention settings, and how large the Policy Database can grow before audit records are either deleted permanently or archived to an external database and then deleted from the Policy Database. You can specify that audit records be removed on the basis of their type and age or on the maximum size of the database. You can also specify the account information and database source name of the ODBC-compliant database used to archive the audit records that are purged from the Policy Database, or you can configure the Policy Monitor Point to duplicate the syslog data streams that it receives and redirect them to a unique UDP port (non-standard syslog port) on the primary or secondary server on which that Policy Monitor Point resides.


Note Maintenance operations for the Policy Monitor, such as archiving event records, are covered in "Maintaining Cisco Secure Policy Manager."


Modifying the IP Address Setting

You can specify the IP address that clients, such as Policy Enforcement Points submitting audit event streams, use to contact the Policy Monitor Point. This feature is useful if you are interested in separating the Cisco Secure Policy Manager services onto different IP addresses so that you can monitor network sessions across Policy Enforcement Points to these services. By assigning separate IP addresses, you can study network sessions to the Policy Monitor Point that occur across a Policy Enforcement Point and develop custom reports that summarize this activity. This feature is also useful if you have multiple IP addresses assigned to the host, but you only have a DNS entry defined for one of the IP addresses.

To modify the IP address used to connect to the Policy Monitor Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary Server for which you want to modify the IP address that clients use to connect to the Policy Monitor Point that resides on that server, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 4 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.

Step 5 To change the IP address that clients will use to contact the Policy Monitor Point running on this computer, click the new IP address in the IP Address list under General Settings.

The IP addresses available in this list are those that are defined for this Primary or Secondary Server node. These addresses are defined in the IP Addresses box in the General panel of the selected Primary or Secondary Server node. By default, the Policy Monitor Point uses the first IP address in the IP Addresses box.

Step 6 To accept your changes and close the Policy Monitor panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

Modifying the UDP Port used by the Policy Monitor Point

You can specify a custom UDP port on which the Policy Monitor Point listens for audit streams from the Policy Enforcement Points. This feature is useful if you already have a network service that listens on the default UDP port used by the Policy Monitor Point, which is UDP port 514. To modify the UDP port for the Policy Monitor Point, you must modify the provided network service definition (the Cisco Policy Monitor definition under the Network Services branch of the Tools and Services tree) or define a custom network service. To make the Policy Monitor Point consistent with your new port settings, you must then select that network service in the Policy Monitor panel. This modification ensures that any security policies that you have applied that permit Policy Monitor Point network traffic will continue to operate correctly after you have modified the port value.


Note By changing the Cisco Policy Monitor definition rather than defining a new network service, you can ensure that any applied security policies that permit Policy Monitor Point communications across a Policy Enforcement Point will be updated automatically.

To modify the UDP port used to connect to the Policy Monitor Point, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 To find the network service for which you want to change the UDP port value, expand the Tools and Services tree, the Network Services branch, and the Cisco Policy Monitor network service.

Step 3 To configure the UDP transport layer of the network service definition, right-click the Cisco Policy Monitor icon in the Navigator pane, and click Properties on the shortcut menu.

Result: The UDP panel appears in the View pane. You can make any changes directly in this panel.

Step 4 To change the UDP port value used by the Cisco Policy Monitor network service, type that new port number in the Port box under Instance Settings.

If you change this port setting from the default value of 514, the Policy Monitor Point automatically detects the change; you will not need to reboot the server for the change to take effect.

Step 5 To accept your changes and close the UDP panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.


 

Selecting the Associated Network Service

From the Policy Monitor panel, you can specify the network service that is associated with the Policy Monitor Point. This network service identifies the UDP port on which the Policy Monitor Point listens for audit streams from remote Policy Enforcement Points. When you specify a network service that uses a different UDP port value than the network service that is currently associated with the Policy Monitor Point, the Policy Monitor Point stops listening to the old port number and starts listening on the new port.


Note Changing the UDP port can result in the loss of data and state. Therefore, any Cisco Secure Policy Manager components that are requesting services at the time you change the port number must reissue their requests once the process starts listening on the new port. Such changes cancel the existing sessions.

To select the network service definition used to connect to the Policy Monitor Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary server for which you want to select the associated network service, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 4 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.

Step 5 To select the network service definition used by the Policy Monitor Point running on this host, click that network service in the Associated Network Service box under General Settings.

This network service must be defined under the Network Services branch of the Tools and Services tree. By default, the Policy Monitor Point uses the Cisco Policy Monitor network service, which specifies UDP port 514 to conduct communications. If you change this port setting from the default value of 514, the Policy Monitor Point automatically detects the change; you will not need to reboot the server for the change to take effect.


Caution If you change the network service name from Cisco Policy Monitor, any security policies that you have applied that permit this service to pass through Policy Enforcement Points will need to be updated manually.

Step 6 To accept your changes and close the Policy Monitor panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Redirecting Policy Monitor Point to Publish Syslog Messages

You can specify that you want the Policy Monitor Point to duplicate the syslog data packets that it receives from the Policy Enforcement Points that it monitors. This feature enables both the Policy Monitor Point and a third-party syslog server to study the syslog data streams even though both the Policy Monitor Point and the syslog server reside on the same primary or secondary server. This feature is useful if you use a centralized syslog system to track application and network activity.

To specify that you want the Policy Monitor Point to duplicate and direct syslog messages, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary server that is running the Policy Monitor Point for which you want to duplicate and redirect syslog messages, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 4 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.

Step 5 To specify that you want the syslog messages duplicated and redirected to a specific UDP port on the selected server, type the number of that UDP port in the Redirect Port box under Other.

To specify that you do not want to generate and publish syslog messages, type 0 (zero) in this box. Otherwise, specify the UDP port that the syslog server running on this primary or secondary server listens to for syslog data streams. You must configure a syslog server separately to monitor this event stream. For more information on defining a syslog server, refer to Specifying a Client/Server Product is Running on a Host Node.

Step 6 To accept your changes and close the Policy Monitor panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.
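The listener and duplication behaviour described in the two preceding procedures (listening on a configurable UDP port instead of 514, and copying each syslog datagram to a Redirect Port, with 0 meaning no copy) is shown below as an added example. It is not Cisco Secure Policy Manager code; the class and function names, the loopback addresses, the sample PIX-style message and the use of ephemeral ports are assumptions made for the example. It also shows the bind failure you get when another service already owns the port, which is the situation that motivates changing the port in the first place.

```python
"""Added example (not Cisco Secure Policy Manager code): a minimal stand-in
for the Policy Monitor Point's syslog listener.

It listens on a configurable UDP port (the product default is 514) and,
when a redirect port other than 0 is set, sends an unmodified copy of every
datagram to that port on the same host, so a third-party syslog server on
the same server can see the stream. PRI parsing follows BSD syslog
(RFC 3164). Port numbers, class and function names here are assumptions.
"""
import errno
import socket
from typing import Optional, Tuple

DEFAULT_LISTEN_PORT = 514  # Cisco Policy Monitor default named in the text
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_pri(datagram: bytes) -> Tuple[int, str, str]:
    """Split a BSD syslog datagram into (facility, severity name, message).

    Raises ValueError for a missing or malformed <PRI> header so that a
    caller can count and alert on garbage arriving at the audit port.
    """
    end = datagram.find(b">", 1)
    if not datagram.startswith(b"<") or end == -1 or end > 4:
        raise ValueError("missing or malformed PRI header")
    digits = datagram[1:end]
    if not digits.isdigit():
        raise ValueError("PRI is not numeric")
    pri = int(digits)
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    return pri // 8, SEVERITIES[pri % 8], datagram[end + 1:].decode("utf-8", "replace")


class MonitorPoint:
    """Receives audit datagrams and optionally duplicates them."""

    def __init__(self, listen_port: int = DEFAULT_LISTEN_PORT,
                 redirect_port: int = 0, host: str = "127.0.0.1"):
        self.host = host
        self.redirect_port = redirect_port  # 0 means: do not duplicate
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            self.sock.bind((host, listen_port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                # Another service already owns the port: pick a different port
                # in the network service definition and select it in the panel.
                raise RuntimeError(f"UDP port {listen_port} is already in use") from exc
            raise
        self.listen_port = self.sock.getsockname()[1]  # resolves port 0
        self.sock.settimeout(2.0)

    def serve_one(self) -> Tuple[str, int, str, str]:
        """Receive one datagram; return (source IP, facility, severity, message)."""
        data, (src_ip, _) = self.sock.recvfrom(65535)
        facility, severity, message = parse_pri(data)
        if self.redirect_port:
            # Forward the raw bytes unchanged so the second consumer sees
            # exactly what the Policy Enforcement Point sent.
            self.sock.sendto(data, (self.host, self.redirect_port))
        return src_ip, facility, severity, message

    def close(self) -> None:
        self.sock.close()


def demo(redirect: bool = True) -> Tuple[Tuple[str, int, str, str], Optional[bytes]]:
    """Loopback round trip with ephemeral ports (binding 514 needs privileges).

    Returns what the monitor point parsed and, when redirecting, the raw copy
    the stand-in third-party syslog server received (None otherwise).
    """
    third_party = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    third_party.bind(("127.0.0.1", 0))
    third_party.settimeout(2.0)
    redirect_port = third_party.getsockname()[1] if redirect else 0
    mp = MonitorPoint(listen_port=0, redirect_port=redirect_port)
    # Constructed sample in PIX Firewall syslog style: facility local4 (20),
    # severity warning (4), so PRI = 20 * 8 + 4 = 164. Addresses are documentation ranges.
    sample = (b"<164>%PIX-4-106023: Deny tcp src outside:192.0.2.10/4123 "
              b"dst inside:10.1.0.5/23 by access-group \"outside_in\"")
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(sample, ("127.0.0.1", mp.listen_port))
        parsed = mp.serve_one()
        copy = third_party.recvfrom(65535)[0] if redirect else None
    finally:
        sender.close()
        mp.close()
        third_party.close()
    return parsed, copy


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see one parsed message and its duplicate; call demo(redirect=False) to see the Redirect Port 0 case, where no copy is produced. A real deployment would have the third-party syslog server, not this script, own the redirect port.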


 

Policy Reports

From the Policy Reports panel, you can specify the network service definition that HTTP clients can use to request services from the reporting agent. You can also specify the URL to the HTML page that accesses all HTML-based reports, scheduled and on-demand, that the reporting agent presents to requesting web browsers.


Modifying the IP Address Setting

You can specify the IP address that web browsers and other HTTP clients, including the GUI client, use to contact the Policy Report Point. This feature is useful if you are interested in separating the Cisco Secure Policy Manager services onto different IP addresses so that you can monitor network sessions across Policy Enforcement Points to these services. By assigning separate IP addresses, you can study the network sessions to the Policy Report Point that occur across a Policy Enforcement Point and develop custom reports that summarize this activity. This feature is also useful if you have multiple IP addresses assigned to the host, but you only have a DNS entry defined for one of the IP addresses.

To modify the IP address used to connect to the Policy Report Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary server for which you want to modify the IP address that client applications use to contact the Policy Report Point, expand the Network Topology tree until you view that Primary Server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon that represents the server on which the Policy Report Point is running.

Step 4 To view the Policy Reports panel, point to Properties, and click Policy Reports on the shortcut menu.

Result: The Policy Reports panel appears in the View pane.

Step 5 To change the IP address on which the Policy Report Point running on this host listens for requests from web browsers, select the new IP address in the IP Address box under General Settings.

The list of IP addresses available are those IP addresses that are defined for the primary server on which the Policy Report Point is running. These addresses are defined in the IP Addresses box in the General panel of the selected server node. By default, the Policy Report Point uses the first IP address in the IP Addresses box.

Step 6 To accept your changes and close the Policy Reports panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Modifying the TCP Port used by the Policy Report Point

You can specify a custom TCP port on which the Policy Report Point listens for requests from web browsers. This feature is useful if you already have a network service that listens on the default TCP port used by the Policy Report Point, which is TCP port 8080. To modify the TCP port for the Policy Report Point, you must modify the provided network service definition (the Cisco Policy Reporter definition under the Network Services branch of the Tools and Services tree) or define a custom network service. To make the Policy Report Point consistent with your new port settings, you must then select that network service in the Policy Reports panel. This modification ensures that any security policies that you have applied that permit Policy Report Point network traffic will continue to operate correctly once you have modified the port value.


Note By changing the Cisco Policy Reporter definition rather than defining a new network service, you can ensure that any applied security policies that permit Policy Report Point communications across a Policy Enforcement Point will be updated automatically.

When you specify a network service that uses a different TCP port value than the network service that is currently associated with the Policy Report Point, the Policy Report Point automatically detects the change; you will not need to reboot the server for the change to take effect.

To modify the TCP port used to connect to the Policy Report Point, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 To find the network service for which you want to change the TCP port value, expand the Tools and Services tree, the Network Services branch, and the Cisco Policy Reporter network service.

Step 3 To configure the TCP transport layer of the network service definition, right-click the Cisco Policy Reporter icon in the Navigator pane, and click Properties on the shortcut menu.

Result: The TCP panel appears in the View pane. You can make any changes directly in this panel.

Step 4 To change the TCP port value used by the Cisco Policy Reporter network service, type that new port number in the Port box under Instance Settings.

Step 5 To accept your changes and close the TCP panel, click OK.


Note For the change to take effect, you must select the Cisco Policy Reporter in the Associated Network Service box in the Policy Reports panel.

Step 6 To save any changes that you have made, click Save on the File menu.


 

Selecting the Associated Network Service

From the Policy Reports panel, you can specify the network service that is associated with the Policy Report Point. This network service identifies the TCP port on which the Policy Report Point listens for requests from web browsers. When you specify a network service that uses a different TCP port value than the network service that is currently associated with the Policy Report Point, the Policy Report Point automatically detects the change. You will not need to reboot the server for the change to take effect.

To select the network service definition used to connect to the Policy Report Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary server for which you want to select the associated network service, expand the Network Topology tree until you view that Primary Server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon that represents the server on which the Policy Report Point is running.

Step 4 To view the Policy Reports panel, point to Properties, and click Policy Reports on the shortcut menu.

Result: The Policy Reports panel appears in the View pane.

Step 5 To select the network service definition used by the Policy Report Point running on this host, click that network service in the Associated Network Service box.

This network service must be defined under the Network Services branch of the Tools and Services tree. By default, the Policy Report Point uses the Cisco Policy Reporter network service, which specifies TCP port 8080 to conduct communications. If you change this port setting from the default value of 8080, the Policy Report Point automatically detects the change; you will not need to reboot the server for the change to take effect.


Caution If you change the network service name from Cisco Policy Reporter, any security policies that you have applied that permit this service to pass through Policy Enforcement Points will need to be updated manually.

Step 6 To accept your changes and close the Policy Reports panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Modifying the Start Page Setting

You can specify the start page for accessing reports that are generated as part of the scheduled reports or on-demand requests. If you have multiple servers on your network, you may want all remote GUI clients to access the same reporting system. This page is the page that is loaded when you click View Reports on the Tools menu.

To modify the Policy Report Point start page setting, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary server for which you want to modify the starting page for the reporting agent, expand the Network Topology tree until you view that Primary Server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon that represents the server on which the reporting agent is running.

Step 4 To view the Policy Reports panel, point to Properties, and click Policy Reports on the shortcut menu.

Result: The Policy Reports panel appears in the View pane.

Step 5 To change the HTML page that the reporting agent loads when a web browser requests services from the server, type the new URL in the Starting Page box.

This URL identifies the start page for the HTML reports that the Policy Report Point generates to summarize network service and system event activity.

Step 6 To accept your changes and close the Policy Reports panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Policy Database

The Policy Database panel enables you to define the rules governing checkpointing and to specify the maximum size allowed for the log file created by a Policy Database. In addition, you can export the Policy Database key from this panel on a primary server for use when installing GUI client software on remote administrative workstations.


Note Maintenance operations for the Policy Database, such as checkpointing, are covered in "Maintaining Cisco Secure Policy Manager."


Modifying the IP Address Setting

You can specify the IP address that the Policy Database uses when listening for requests from other Cisco Secure Policy Manager components. This feature is useful if you are interested in separating Cisco Secure Policy Manager services across different IP addresses so you can monitor network sessions across Policy Enforcement Points between these services and the Policy Database. By assigning separate IP addresses, you can study network sessions with the Policy Database that occur across a Policy Enforcement Point and develop custom reports that summarize this activity.

To modify the IP address used to connect to the Policy Database, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary server for which you want to modify the IP address at which the Policy Database can be contacted, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Database is running.

Step 4 To view the Policy Database panel, point to Properties and click Policy Database on the shortcut menu.

Result: The Policy Database panel appears in the View pane.

Step 5 To change the IP address on which the Policy Database running on this host listens for requests from the GUI client workstations and other Cisco Secure Policy Manager components, click the new IP address in the IP Address list under General Settings.

The IP addresses listed are those IP addresses that are defined for the Primary or Secondary Server node that you selected. These addresses are defined in the IP Addresses box in the General panel of the selected server node. By default, the Policy Database uses the first IP address in the IP Addresses box.

Step 6 To accept your changes and close the Policy Database panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Selecting the Associated Network Service

From the Policy Database panel, you can specify the network service that is associated with the Policy Database. This network service identifies the TCP port on which the Policy Database communicates with other Cisco Secure Policy Manager components, including the GUI clients. When you specify a network service that uses a TCP port value different from the one used by the network service that is currently associated with the Policy Database, you must restart the Policy Database before it will respond to requests on the new port. You can restart the Policy Database by either rebooting the Windows NT host on which it is running or stopping and restarting the Cisco Controlled Host Component service in the Services dialog box in Windows NT Control Panel.


Caution Stopping a Windows NT service can result in the loss of data and state. Therefore, any components or users who are requesting services at the time you stop a Windows NT service must reissue their requests after the service is restarted.

To select the network service definition used to connect to the Policy Database, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary server for which you want to select the associated network service, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Database is running.

Step 4 To view the Policy Database panel, point to Properties and click Policy Database on the shortcut menu.

Result: The Policy Database panel appears in the View pane.

Step 5 To select the network service definition used by the Policy Database running on this host, click that network service in the Associated Network Service box.

This network service must be defined under the Network Services branch of the Tools and Services tree. By default, the Policy Database uses the Cisco Policy Database network service, which specifies TCP port 2567, as assigned by IANA, to conduct communications. If you change this port setting from the default value of 2567, you must reboot the primary server for the change to take effect.


Caution If you change the network service name from Cisco Policy Database, any security policies that you have applied that permit this service to pass through Policy Enforcement Points will need to be updated manually.

Step 6 To accept your changes and close the Policy Database panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Changing Communications Port

You can specify a custom TCP port on which the Policy Database listens for requests from clients, such as the GUI client, update agent, and other Policy Databases (such as secondary servers in a distributed installation). This feature is useful if you already have a network service that listens on the default TCP port, which is TCP port 2567, used by the Policy Database. To modify the TCP port for the Policy Database, you must modify the provided network service definition (the Cisco Policy Database definition under the Network Services branch of the Tools and Services tree) or define a custom network service. To make the Policy Database consistent with your new port setting, you must then select that network service in the Policy Database panel. This modification ensures that any security policies that you have applied that permit Policy Database network traffic will continue to operate correctly once you have modified the port value.


Note By changing the Cisco Policy Database definition rather than defining a new network service, you can ensure that any applied security policies that enable Policy Database communications across a Policy Enforcement Point will be updated automatically.

When you specify a network service that uses a TCP port value different from the value used by the network service that is currently associated with the Policy Database, you must restart the Cisco Controlled Host Component service before it will respond to requests on the new port. You can restart the Cisco Controlled Host Component service by stopping and starting that service in the Services dialog box in Windows NT Control Panel. Once this service is restarted, the new port number is picked up automatically.

To modify the TCP port used to connect to the Policy Database, perform the following task:


Step 1 To view the Tools and Services tree alone, click Tools and Services on the Navigator toolbar.

Result: The Tools and Services tree appears in the Navigator pane.

Step 2 To find the network service for which you want to change the TCP port value, expand the Tools and Services tree, the Network Services branch, and the Cisco Policy Database network service.

Step 3 To configure the TCP transport layer of the network service definition, right-click the Cisco Policy Database icon in the Navigator pane, and click Properties on the shortcut menu.

Result: The TCP panel appears in the View pane. You can make any changes directly in this panel.

Step 4 To change the TCP port value used by the Cisco Policy Database network service, type that new port number in the Port box under Instance Settings.

This port number identifies the TCP port that the Policy Database uses to communicate with other Cisco Secure Policy Manager components. By default, the Policy Database uses TCP port 2567, as assigned by IANA, to conduct these communications.

Step 5 To accept your changes and close the Policy Database panel, click OK.


Note For the change to take effect, you must select Cisco Policy Database in the Associated Network Service box in the Policy Database panel. Then, you must restart the Cisco Controlled Host Component service.

Step 6 To save any changes that you have made, click Save on the File menu.


 

Exporting a File Key

To facilitate secure traffic between the Primary Policy Database and a remote host from which you intend to administer that Primary Policy Database, you must export a key from the Primary Policy Database and import it to the remote host. You can export this key to your local machine, to a network machine, or to a diskette, whichever is most conveniently accessed when you are setting up remote administration.


Caution We strongly recommend that you export this key to a diskette or some other medium that you can lock up securely. At the least, any network shares or hosts containing the key should be secured and have restricted access. Otherwise, the security of the Primary Policy Database, and hence your networks, could be compromised.

Using the GUI client (remote/standalone or otherwise), you can administer more than one Primary Policy Database. To administer more than one Primary Policy Database, you must export the Policy Database key from each Primary Policy Database and import it into the GUI client that you want to use.

Even though you can administer more than one Primary Policy Database from a single GUI client, only one person at a time, using the full access privilege, can administer each Primary Policy Database. However, no restrictions exist for how many administrators using the read-only privilege can connect to a Primary Policy Database.

To export a file key, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary server that runs the Primary Policy Database for which you want to export the database key, expand the Network Topology tree until you view the Primary Server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon that represents the server on which the Primary Policy Database is running.

Step 4 To view the Policy Database panel, point to Properties and click Policy Database on the shortcut menu.

Result: The Policy Database panel appears in the View pane.

Step 5 To export the key, click Export Key under General Settings.

Result: The Export Key To dialog box appears, presenting a tree-based view of your Cisco Secure Policy Manager folder.

Step 6 To specify the location where you want to export the key file, select that destination in the Save in box.

You can create a new folder by clicking Create New Folder, typing a name for the new folder, and pressing Enter.

Step 7 To specify the name for the key file, type that name in the File name box.

Step 8 To export the file to the specified location, click OK.

The new file is created at the specified location.
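Because the exported key protects administrative access to the Primary Policy Database, a practitioner will want to know that the copy that reaches the remote workstation is the file that was exported and that it has not been left readable to others along the way. The following added example, which is not Cisco Secure Policy Manager code, records a SHA-256 fingerprint and size at export time in a small JSON manifest of its own design and checks them again at import time. It treats the key file as an opaque blob (its format is not described here), and the manifest name, function names and the constructed sample key are assumptions.

```python
"""Added example (not Cisco Secure Policy Manager code): record an
integrity fingerprint when a Policy Database key file is exported and
verify it when the file reaches the remote administrative workstation.

Assumptions: the key file is an opaque blob; the manifest is a JSON file
of our own design that travels separately from the key (for example, kept
with the locked-up diskette or read over the phone).
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def fingerprint(path: Path) -> str:
    """SHA-256 hex digest of the file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_export(key_path: Path, manifest_path: Path) -> dict:
    """Write a manifest describing the freshly exported key file."""
    entry = {
        "name": key_path.name,
        "size": key_path.stat().st_size,
        "sha256": fingerprint(key_path),
    }
    manifest_path.write_text(json.dumps(entry, indent=2))
    return entry


def verify_import(key_path: Path, manifest_path: Path) -> Tuple[bool, str]:
    """Compare the copy on the remote host with the manifest taken at export."""
    entry = json.loads(manifest_path.read_text())
    if not key_path.exists():
        return False, "key file missing"
    if key_path.stat().st_size != entry["size"]:
        return False, "size mismatch: file truncated or replaced in transit"
    if fingerprint(key_path) != entry["sha256"]:
        return False, "sha256 mismatch: file altered in transit"
    return True, "ok"


def restrict(path: Path) -> None:
    """Owner read/write only. On Windows NT this only affects the read-only
    attribute; NTFS ACLs must be set separately (assumption: done by hand)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def is_private(path: Path) -> Optional[bool]:
    """True when group/other have no access bits (POSIX only).
    Returns None on other platforms, where st_mode does not carry ACLs."""
    if os.name != "posix":
        return None
    return not (path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> dict:
    """Round trip on a constructed key in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        key = root / "policydb.key"
        key.write_bytes(b"CONSTRUCTED-SAMPLE-KEY-" + bytes(range(32)))  # not a real key
        manifest = root / "policydb.key.manifest.json"
        record_export(key, manifest)
        restrict(key)
        remote = root / "remote_copy.key"
        remote.write_bytes(key.read_bytes())          # a faithful copy
        good = verify_import(remote, manifest)
        remote.write_bytes(key.read_bytes()[:-1])     # simulate a truncated copy
        bad = verify_import(remote, manifest)
        return {"good": good, "bad": bad, "private": is_private(key)}


if __name__ == "__main__":
    print(demo())
```

The manifest must not travel on the same medium as the key, or an attacker who replaces the key can replace the manifest too; compare the fingerprint from a copy you obtained separately.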


 

Restarting the Policy Database

When you change the TCP port value by modifying the Cisco Policy Database network service definition, you must also restart the Policy Database by either rebooting the server on which it is running or stopping and restarting the Cisco Controlled Host Component service in the Services dialog box found in Windows NT Control Panel. In addition, you should close any GUI clients that may be accessing the Policy Database before you perform this task. This section explains how to stop the Cisco Controlled Host Component service.


Caution Stopping a Windows NT service can result in the loss of data and state. Therefore, any components or users who are requesting services at the time you stop a Windows NT service must reissue their requests after the service is restarted.

To restart Policy Database, perform the following task:


Step 1 To display Control Panel, click Start, point to Settings, and click Control Panel.

Step 2 To display the Services dialog box, double-click the Services icon in Control Panel.

Result: The Services dialog box appears.

Step 3 To select the Cisco Controlled Host Component service, scroll through the list of services and click the service named Cisco Controlled Host Component.

Step 4 To stop the Cisco Controlled Host Component service, click Stop.

Result: The Services dialog box displays a message prompting you for confirmation to stop the selected service.

Step 5 To confirm that you want to stop the service, click Yes.

Result: The Services dialog box appears while the service is stopped. This action causes all Cisco Secure Policy Manager processes to stop, including the Policy Database service (named fms.exe).

Step 6 To restart the Cisco Controlled Host Component service, click Start.

Result: The Service Control dialog box appears while the service is started. This action restarts all Cisco Secure Policy Manager processes, including the fms.exe service, which is the Policy Database service. After these processes are restarted, normal operation resumes.

Step 7 To close the Services dialog box, click Close on the File menu.

Step 8 To close Control Panel, click Close on the File menu.


 

Common Settings

The following procedures describe how to configure the settings that are common among gateway objects; however, some settings, such as those defined in the Command and Policy Enforcement Point panels, are specific to managed gateway objects. In addition, the IPSec settings panel can appear on any gateway object or Cisco Secure Policy Manager servers, when those primary or secondary servers act as peers in tunnel group definitions that define secure communications tunnels between Policy Enforcement Points and Policy Distribution Points.

Routes

The Routes panel identifies the static rules that your Policy Enforcement Points use to route network packets correctly. Cisco Secure Policy Manager automatically presents all routes marked as "Implicit" on the basis of the network interfaces and networks directly connected to a gateway object. Implicit rules are never published to the Policy Enforcement Points, because they only identify routes that the Policy Enforcement Points generate automatically. In contrast, Cisco Secure Policy Manager derives all routes marked as "Derived" from your Network Topology definition, and derived routing rules are published to the Policy Enforcement Points as part of the generated command sets. In the Routes panel, you can view the active routing rules, specify "MANUAL" routing rules that override generated routes to optimize network packet delivery or that supplement the generated routes, and disable the generation of derived routing rules.

While routing rules can be viewed on non-managed gateway objects, such as clouds and routers, such rules are not distributed to those gateway objects by Cisco Secure Policy Manager. Instead, Cisco Secure Policy Manager assumes that you have defined such routing rules on those gateway objects.


Note All static routing rules that have been defined using administrative interfaces other than Cisco Secure Policy Manager are replaced by those routing rules that are defined using Cisco Secure Policy Manager. Therefore, you should be sure to copy your current configuration to a safe location so that you can specify any non-derived static routing rules within Cisco Secure Policy Manager.


Creating a Routing Rule

You can define new routing rules to optimize network packet delivery and to override a derived routing rule (by selecting the same target as that of a derived routing rule). All rules that you define are MANUAL routing rules.


Note You can only define routing rules on managed gateway objects (Policy Enforcement Points) that exist on your network. In addition, all static routing rules that have been defined using a non-Cisco Secure Policy Manager administrative interface are replaced by those routing rules that have been defined using Cisco Secure Policy Manager.

To create a new MANUAL routing rule, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall node or IOS Router node for which you want to define a new routing rule, expand the Network Topology tree until you view that gateway object in the Navigator pane.

Step 3 To access the shortcut menu, right-click the gateway object icon for which you want to create a new routing rule.

Step 4 To view the Routes panel, point to Properties, and click Routes on the shortcut menu.

Result: The Routes panel appears in the View pane.

Step 5 To begin defining a new rule, click Insert Route.

Result: A new rule appears as the last item in the Active Routing Rules list with the word "Unknown" selected in the Network box.

Step 6 To select the network, network shortcut, or cloud network to which you want this Policy Enforcement Point to be able to route

---or---

The options list displays all network, network shortcut, cloud networks, and IP ranges that are defined in the Network Topology tree. This options list also includes the (specify) option.

Step 7 If you selected an existing object, skip to Step 10. Otherwise continue with Step 8.

Step 8 To manually specify the network address, type the address of the network to which you are routing in the Network Address box under Selected Route.

Because routes to all directly connected networks are automatically derived, this value identifies an address of a network, network shortcut, or cloud network that is not directly connected to the Policy Enforcement Point---it does not belong to an object to which the Policy Enforcement Point's network interfaces are directly connected. This value is also a network that is not defined under the Network Topology tree.

Step 9 To specify the network mask that corresponds to the network specified in the Network Address box, type that value in the Network Mask box.

Step 10 To specify the gateway that is used to reach the object specified in the Network Address box, type the IP address of that gateway in the Gateway box under Active Routing Rules.

This value identifies a gateway that either

---or---

Step 11 Repeat Steps 5 through 10 for each new rule that you want to create.

Step 12 To save your changes and close the Routes panel, click OK. To discard your changes and close the Routes panel, click Cancel.

Step 13 To save any changes that you have made, click Save on the File menu.


 

Disabling Generation of Derived Routing Rules

You can disable the generation of derived routing rules for a specific gateway object. When you disable the generation of derived routes, you must define the routing rules for all objects to/from which this gateway object can send/receive network packets; otherwise, this gateway object will not be able to communicate to any networks other than those to which it is directly attached.

Disabling the generation of derived routing rules can reduce the time that Cisco Secure Policy Manager needs to perform a Save or a Save and Update operation. On a managed gateway object, you might use this feature simply to view only MANUAL routes; on an unmanaged gateway object, where no routes are distributed anyway, disabling route generation still shortens the Save or Save and Update operation.

To disable the generation of derived routing rules, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall node, IOS Router node, Router node, or Cloud node for which you want to disable the generation of derived routing rules, expand the Network Topology tree until you view that gateway object in the Navigator pane.

Step 3 To access the shortcut menu, right-click the gateway object icon for which you want to disable the generation of derived routing rules.

Step 4 To view the Routes panel, point to Properties, and click Routes on the shortcut menu.

Result: The Routes panel appears in the View pane.

Step 5 To disable the generation of derived routing rules, select Inhibit generation of non-MANUAL rules.

Result: Any derived routing rules, marked Implicit or Derived, are removed from the Routes panel. The only routing rules, based on this gateway object, that Cisco Secure Policy Manager will publish to any Policy Enforcement Points on your network are those MANUAL routing rules that you define in this panel.

Step 6 To save your changes and close the Routes panel, click OK. To discard your changes and close the Routes panel, click Cancel.

Step 7 To save any changes that you have made, click Save on the File menu.
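The two procedures above describe three behaviours of the Routes panel: routes to directly attached networks are derived automatically, a MANUAL rule that selects the same target as a derived rule overrides it, and inhibiting non-MANUAL rules leaves only the MANUAL rules to publish. The following Python model is an added example written for this page; it is not Cisco Secure Policy Manager code and does not show the command set the product generates. It assumes a gateway object that knows its interfaces and the network attached to each, and every name, address and interface in it is constructed for the example.

```python
"""Model of how routing rules on a gateway object combine (added example, not
Cisco Secure Policy Manager code).  Assumption: a gateway object knows its
interfaces and the network directly attached to each; all names are invented."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: Optional[IPv4Address]   # None = directly connected
    origin: str                      # "Derived" or "MANUAL"


@dataclass
class GatewayObject:
    name: str
    # interface name -> (interface address, directly attached network)
    interfaces: Dict[str, Tuple[IPv4Address, IPv4Network]]
    manual_routes: List[Route] = field(default_factory=list)
    inhibit_derived: bool = False    # "Inhibit generation of non-MANUAL rules"

    def derived_routes(self) -> List[Route]:
        """Routes to every directly attached network; these need no manual definition."""
        return [Route(net, None, "Derived") for _, net in self.interfaces.values()]

    def add_manual_route(self, network: str, gateway: str) -> Route:
        """Add a MANUAL rule.  The next-hop gateway must sit on a directly attached
        network, otherwise the Policy Enforcement Point could never forward to it."""
        net = IPv4Network(network, strict=True)
        gw = IPv4Address(gateway)
        if not any(gw in attached for _, attached in self.interfaces.values()):
            raise ValueError(f"gateway {gw} is not on a network attached to {self.name}")
        route = Route(net, gw, "MANUAL")
        self.manual_routes.append(route)
        return route

    def active_routes(self) -> List[Route]:
        """The rules that would be published.  A MANUAL rule with the same target as
        a derived rule overrides it; inhibiting derived rules leaves only MANUAL ones."""
        table: Dict[IPv4Network, Route] = {}
        if not self.inhibit_derived:
            for r in self.derived_routes():
                table[r.network] = r
        for r in self.manual_routes:
            table[r.network] = r          # same target: the MANUAL rule wins
        # most specific prefix first, so next_hop() can take the first match
        return sorted(table.values(), key=lambda r: r.network.prefixlen, reverse=True)

    def next_hop(self, destination: str) -> Optional[Route]:
        """Longest-prefix match over the active rules; None means there is no route."""
        dst = IPv4Address(destination)
        for r in self.active_routes():
            if dst in r.network:
                return r
        return None


def build_sample_gateway() -> GatewayObject:
    """Constructed two-interface gateway with two MANUAL rules (sample data)."""
    gw = GatewayObject(
        name="pix-hq",
        interfaces={
            "inside": (IPv4Address("10.1.0.1"), IPv4Network("10.1.0.0/24")),
            "outside": (IPv4Address("192.0.2.10"), IPv4Network("192.0.2.0/24")),
        },
    )
    gw.add_manual_route("172.16.0.0/12", "10.1.0.254")   # branch networks via an inside router
    gw.add_manual_route("0.0.0.0/0", "192.0.2.1")        # default route via the ISP gateway
    return gw


if __name__ == "__main__":
    gw = build_sample_gateway()
    for r in gw.active_routes():
        print(f"{r.origin:8} {str(r.network):18} via {r.gateway or 'connected'}")
    gw.inhibit_derived = True
    print("after inhibit:", [str(r.network) for r in gw.active_routes()])
```

Setting inhibit_derived on the sample gateway shows the consequence the procedure warns about: the directly attached networks disappear from the table, so a destination on 192.0.2.0/24 is now matched by the default route instead of being delivered as connected traffic, and any network without a MANUAL rule becomes unreachable.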


 

Mapping

The Mapping panel enables you to define two types of address translation rules enforced by a Policy Enforcement Point when network packets are transferred between two perimeters (inter-perimeter communications) attached to that Policy Enforcement Point. These rules are enforced on a per-Policy Enforcement Point basis. You can also define path restriction rules that enable you to restrict network flows across your network. From the Mapping panel, you can define the following types of rules:


Creating a Static Translation Rule

A Policy Enforcement Point enables you to map an external IP address on the Policy Enforcement Point to an IP address assigned to an internal network object. To define a rule, you must map between an IP address on a particular interface of the Policy Enforcement Point and the network object that you want to translate.


Warning If you expose your internal DNS servers using a static translation rule, you do not benefit from the address hiding feature provided by network address translation. External users can simply request information about your trusted networks from the DNS servers that you expose.


Note To allow communications with an exposed server, you must define and apply a security policy to the Internet node (or an untrusted network) that permits session requests originating on the untrusted networks to reach the internal server.

To create a static translation rule, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the Policy Enforcement Point for which you want to create a new static translation rule, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the PIX Firewall icon or IOS Router icon that will enforce the static translation rule that you want to create.

Step 4 To view the Mapping panel, point to Properties, and then click Mapping on the shortcut menu.

Result: The Mapping panel appears in the View pane.

Step 5 To specify that you want to define a static translation rule, click Static Translation (bidirectional remapping) in the Select rule type box.

Result: The list of active static translation rules appears in the Static Translation list.

Step 6 To begin defining a new static translation rule, click Insert Rule.

Result: A new rule named S# is created in the Static Translation list.

Step 7 To specify which network object to translate with this rule, click that network or host in the Translate object box under Static Translation (bidirectional remapping).

The Translate object box displays a list of the network objects that reside under the Policy Enforcement Point node for which you are defining this rule. If you do not see the network object that you want to hide, you must define it within the Network Topology tree.


Caution If you define a static translation rule for a Policy Distribution Point, you can cause a temporary command set publishing problem. The new command set effectively changes the address of the Cisco Secure Policy Manager host that is publishing the current command set, so the connection to the Policy Enforcement Point is broken as soon as the new command set has been published to it.

In this case, you have two possible solutions to resolve this temporary problem:


Tips You can lock the Mapping panel by clicking the Lock this view box at the bottom of the panel, and then use a drag-and-drop operation to move a host from the Network Topology tree onto the Translate object box.

Step 8 To specify the interface, or set of interfaces, from which the network or host will be translated, click the interface(s) in the via interface(s) box.

The via interface(s) box displays a list of the interfaces directly attached to the Policy Enforcement Point. However, this list does not contain the interface to which the network or host that you want to translate is attached. You cannot translate a host or network from the interface to which it is attached.

When you translate a network object from an interface, you are declaring that any network object attached to that interface cannot use the real address to access the translated network object. Instead, such network objects must deliver all network traffic to the address specified in the using address box (presumably, the address assigned to the interface to which the network objects are attached). The Policy Enforcement Point acts as a proxy agent between the translated network object and the interface objects by mapping between the two addresses. This mapping occurs for communications that originate either from the translated network object or from an object residing on the interface specified in this field.


Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order.

Step 9 To specify the IP address, or starting address of an IP range, that the internal network object's address(es) will be remapped to, type that IP address in the using address box.

This value is the specific alias IP address to which you want to translate the real addresses of the translated object. If the value in the through    with box is also specified, this address identifies the starting address of the IP range that will be used to translate the network object. However, you can define a range of exactly one address. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with the American Registry for Internet Numbers (ARIN).

Step 10 To specify the ending address of the IP range that the internal network object address(es) will be remapped to, type that IP address in the through    with box.

This value identifies the ending alias IP address in an IP address range that will be used for this translation rule. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.

Step 11 To specify the network mask value of the IP range that the internal network object address(es) will be remapped to, type that value in the mask box.

This value identifies the mask of the network on which IP address(es) used as aliases are members. It represents the number of bits in the netmask.

Step 12 (PIX Firewall only: Optional) To specify the maximum number of simultaneous connections for this rule, type that value in the MaxC box.

This value is a whole number that represents the maximum number of simultaneous connections that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.

Step 13 (PIX Firewall only: Optional) To specify the maximum number of simultaneous embryonic links for this rule, type that value in the EmbL box.

This value is a whole number (smaller than the MaxC value) that represents the maximum number of simultaneous embryonic links that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests by restricting the number of session requests that have not completed the handshake. This feature enables you to guard against TCP SYN attacks. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.

Step 14 For each new rule that you want to create, repeat Steps 6 through 13.

Step 15 To accept your changes and close the Mapping panel, click OK.

Step 16 To save any changes that you have made, click Save on the File menu.


 

Creating a New Address Hiding Rule

You can define the address translation rules that the selected Policy Enforcement Point uses for inter-interface communications (transferring network packets between two interfaces). To define a rule, you map one or more external IP addresses (exposed) to an internal network address of any class. Thus, you can hide that internal network's actual address from networks that exist on other interfaces.


Note You cannot hide a network's address from computers on that network. Also, any address translation rules that you defined during installation are included in the list of active address translation rules shown in this panel.


Caution Before you can hide a network address, the Policy Enforcement Point must have a route defined to access that network. These routes can be implicitly defined by the routes attached to the network interfaces installed on the Policy Enforcement Point, or you can explicitly define a route for that network.

To create a new address translation rule, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the Policy Enforcement Point for which you want to create a new address hiding rule, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the PIX Firewall icon or IOS Router icon that will enforce the address hiding rule that you want to create.

Step 4 To view the Mapping panel, point to Properties, and then click Mapping on the shortcut menu.

Result: The Mapping panel appears in the View pane.

Step 5 To specify that you want to define an address hiding rule, click Address Hiding (source remapping) in the Select rule type box.

Result: The list of active address hiding rules appears in the Address Hiding list.

Step 6 To begin defining a new address hiding rule, click Insert Rule.

Result: A new rule named H# is created in the Address Hiding list.

Step 7 To specify which network object to hide with this rule, click that network or host in the Hide object box under Address Hiding (source remapping).

The Hide object box displays a list of the network objects that reside under the Policy Enforcement Point node for which you are defining this rule. If you do not see the network object that you want to hide, you must define it within the Network Topology tree.


Tips You can lock the Mapping panel by clicking the Lock this view box at the bottom of the panel, and then use a drag-and-drop operation to move a network host from the Network Topology tree onto the Hide object box.

Step 8 To specify the interface, or set of interfaces, from which the network or host will be hidden, click the interface(s) in the from interface(s) box.

The from interface(s) box displays a list of the interfaces directly attached to the Policy Enforcement Point. However, this list does not contain the interface to which the network or host that you want to hide is attached. You cannot hide a network or host from the interface to which it is attached.

When you hide a network or host from an interface, you are declaring that any network object attached to that interface cannot use the real address to access the hidden network object. Instead, such network objects must deliver all network traffic to one of the addresses specified in the using address and through    with boxes (presumably, the address assigned to the interface to which the network objects are attached). The Policy Enforcement Point acts as a proxy agent between the hidden objects and the interface objects by mapping between the two addresses. However, this mapping only occurs for communications that originate from the hidden object.


Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order.

Step 9 To specify the IP address, or starting address of an IP range, that the internal network object address(es) will be remapped to, type that IP address in the using address box.

This value is the specific alias IP address to which you want to translate the real addresses of the translated object. If the value in the through    with box is also specified, this address identifies the starting address of the IP range that will be used to translate the network object. However, you can define exactly one address. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.

Step 10 To specify the ending address of the IP range that the internal network object address(es) will be remapped to, type that IP address in the through    with box.

This value identifies the ending alias IP address in an IP address range that will be used for this translation rule. If the Policy Enforcement Point is exposing the network object to users on the Internet, this IP address must be a valid IP address that is registered with ARIN.

Step 11 To specify the network mask value of the IP range that the internal network object address(es) will be remapped to, type that value in the mask box.

This value identifies the mask of the network on which IP address(es) used as aliases are members. It represents the number of bits in the netmask.

Step 12 (PIX Firewall only: Optional) To specify the maximum number of simultaneous connections for this rule, type that value in the MaxC box.

This value is a whole number that represents the maximum number of simultaneous connections that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.

Step 13 (PIX Firewall only: Optional) To specify the maximum number of simultaneous embryonic links for this rule, type that value in the EmbL box.

This value is a whole number (smaller than the MaxC value) that represents the maximum number of simultaneous embryonic links that can use this translation rule. The Policy Enforcement Point enforces this value against new session requests by restricting the number of session requests that have not completed the handshake. This feature enables you to guard against TCP SYN attacks. Use 0 (zero) to specify the default value assigned to the Policy Enforcement Point.

Step 14 For each new rule that you want to create, repeat Steps 6 through 13.

Step 15 To accept your changes and close the Mapping panel, click OK.

Step 16 To save any changes that you have made, click Save on the File menu.


 

Creating a Path Restriction Rule

You can define the path restriction rules that the selected Policy Enforcement Point enforces against network traffic that traverses it. To define a rule, you specify the network object to and from which you want to restrict traffic flows, and then you specify the interface(s) that should enforce the rule.


Note You cannot restrict the paths used to reach a specific host or IP range. In other words, you cannot select a host or IP range as part of this rule type definition.

To add a path restriction rule, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the gateway object for which you want to create a new path restriction rule, expand the Network Topology tree until you view that gateway object node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the gateway object icon on which you want to create the path restriction rule.

Step 4 To view the Mapping panel, point to Properties, and then click Mapping on the shortcut menu.

Result: The Mapping panel appears in the View pane.

Step 5 To specify that you want to define a path restriction rule, click Path Restriction in the Select rule type box.

Result: The list of active path restriction rules appears in the Path Restriction list.

Step 6 To begin defining a new path restriction rule, click Insert Rule.

Result: A new rule named R# is created in the Path Restriction list.

Step 7 To specify the network object to/from which you want to restrict network traffic, click that network object in the Disable paths to box under Path Restriction.

The Disable paths to box displays a list of the network objects that reside under the Network Topology tree. If you do not see the network object to/from which you want to restrict a specific network path, you must define it within the Network Topology tree. However, you can select neither Host nor IP Range nodes. To refer to an interface on another Policy Enforcement Point, you must select the interface by navigating the tree shown in the Disable paths to box in the Mapping panel. The interfaces are not first-level objects in the Network Topology tree in the Navigator pane.

Step 8 To specify the interface, or set of interfaces, that will enforce the path restriction rule, click that interface(s) in the from interface(s) box.

The from interface(s) box displays a list of the interfaces attached to the Policy Enforcement Points that can enforce the path restriction rule. If you are defining a rule on a specific Policy Enforcement Point, only the interfaces on that Policy Enforcement Point are presented as options for enforcing the rule. However, this list does not contain the interface to which the network object whose paths you are disabling is attached. You cannot restrict paths to a network object from the interface to which it is attached.

When you disable paths to a network object from an interface, you are declaring that any packets received from or sent to that network object will not be permitted to traverse the selected interface(s). In other words, these interfaces cannot be used to reach the network object.


Tips To select more than one value from this list, press and hold the Shift key or the Ctrl key while selecting an item in the list. The Shift+Click option enables you to select a sequential set of values. The Ctrl+Click option enables you to select values in any order.

Step 9 For each new rule that you want to create, repeat Steps 6 through 8.

To verify that the path restriction rule you are defining is a valid path restriction rule, ensure that the flow that you want to restrict actually traverses the gateway object on which you are defining this rule.

Step 10 To accept your changes and close the Mapping panel, click OK.

Step 11 To save any changes that you have made, click Save on the File menu.
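The three Mapping panel procedures above differ mainly in direction: a static translation (S#) is a bidirectional remapping, an address hiding rule (H#) remaps only the source of sessions that originate from the hidden object and makes the real address unusable from the selected interfaces, and a path restriction (R#) keeps traffic to or from an object off the selected interfaces. The following Python model is an added example written for this page, not Cisco Secure Policy Manager code and not the PIX or IOS command set it generates. It assumes that each interface is attached to exactly one network, that an alias range maps one-to-one by offset from the object's first address, and that reply traffic for an address hiding rule is recognised by a session table (modelled here only as the new_session flag); port overloading onto a single interface address is not modelled. All names and addresses are constructed.

```python
"""Model of the three Mapping-panel rule types on a Policy Enforcement Point
(added example, not Cisco Secure Policy Manager code).  Assumptions: each
interface is attached to one network, alias ranges map one-to-one by offset,
and port overloading is not modelled.  All names are invented."""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_if: str      # interface the packet arrived on
    out_if: str     # interface routing would send it out of


def packet(src: str, dst: str, in_if: str, out_if: str) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst), in_if, out_if)


@dataclass(frozen=True)
class Translation:
    obj: IPv4Network            # Translate object / Hide object
    ifaces: FrozenSet[str]      # via interface(s) / from interface(s)
    using: IPv4Address          # first alias address ("using address")
    bidirectional: bool         # True = Static Translation (S#), False = Address Hiding (H#)

    def real_to_alias(self, real: IPv4Address) -> IPv4Address:
        return self.using + (int(real) - int(self.obj.network_address))

    def alias_to_real(self, alias: IPv4Address) -> Optional[IPv4Address]:
        offset = int(alias) - int(self.using)
        return self.obj.network_address + offset if 0 <= offset < self.obj.num_addresses else None


@dataclass(frozen=True)
class PathRestriction:          # R#: "Disable paths to" obj "from interface(s)"
    obj: IPv4Network
    ifaces: FrozenSet[str]


@dataclass
class PolicyEnforcementPoint:
    interfaces: Dict[str, IPv4Network]   # interface name -> attached network
    rules: List[object] = field(default_factory=list)

    def attached_interface(self, obj: IPv4Network) -> str:
        for name, net in self.interfaces.items():
            if obj.subnet_of(net):
                return name
        raise ValueError(f"{obj} does not reside under this Policy Enforcement Point")

    def _check(self, obj: IPv4Network, ifaces: FrozenSet[str]) -> None:
        """The panel never offers the interface the object itself is attached to."""
        unknown = ifaces - set(self.interfaces)
        if unknown:
            raise ValueError(f"unknown interface(s): {sorted(unknown)}")
        if self.attached_interface(obj) in ifaces:
            raise ValueError(f"cannot map {obj} from the interface it is attached to")

    def _add_translation(self, obj: str, ifaces: Iterable[str], using: str,
                         through: Optional[str], bidirectional: bool) -> Translation:
        rule = Translation(IPv4Network(obj), frozenset(ifaces), IPv4Address(using), bidirectional)
        self._check(rule.obj, rule.ifaces)
        end = IPv4Address(through) if through else rule.using   # a range of exactly one address is allowed
        if int(end) - int(rule.using) + 1 < rule.obj.num_addresses:
            raise ValueError("alias range is smaller than the object being mapped")
        self.rules.append(rule)
        return rule

    def add_static_translation(self, obj, via, using, through=None) -> Translation:
        return self._add_translation(obj, via, using, through, bidirectional=True)

    def add_address_hiding(self, obj, from_ifs, using, through=None) -> Translation:
        return self._add_translation(obj, from_ifs, using, through, bidirectional=False)

    def add_path_restriction(self, obj: str, from_ifs: Iterable[str]) -> PathRestriction:
        rule = PathRestriction(IPv4Network(obj), frozenset(from_ifs))
        if rule.obj.prefixlen == 32:
            raise ValueError("path restriction rules cannot select a host or IP range")
        self._check(rule.obj, rule.ifaces)
        self.rules.append(rule)
        return rule

    def process(self, pkt: Packet, new_session: bool = True) -> Optional[Packet]:
        """Return the packet as it would be forwarded (possibly rewritten), or None if dropped."""
        for rule in self.rules:
            if isinstance(rule, PathRestriction) and (pkt.src in rule.obj or pkt.dst in rule.obj) \
                    and (pkt.in_if in rule.ifaces or pkt.out_if in rule.ifaces):
                return None               # the object may not be reached through these interfaces
        for rule in self.rules:
            if not isinstance(rule, Translation):
                continue
            if pkt.src in rule.obj and pkt.out_if in rule.ifaces:
                return replace(pkt, src=rule.real_to_alias(pkt.src))   # leaving: rewrite the real source
            if pkt.in_if in rule.ifaces:
                if pkt.dst in rule.obj:
                    return None           # the real address is never usable from a mapped interface
                real = rule.alias_to_real(pkt.dst)
                if real is not None:
                    if rule.bidirectional or not new_session:
                        return replace(pkt, dst=real)
                    return None           # hiding: only sessions the hidden object originates are mapped
        return pkt


def build_sample_pep() -> PolicyEnforcementPoint:
    """Constructed three-interface Policy Enforcement Point with one rule of each type."""
    pep = PolicyEnforcementPoint({"inside": IPv4Network("10.1.0.0/16"),
                                  "dmz": IPv4Network("10.2.0.0/24"),
                                  "outside": IPv4Network("192.0.2.0/24")})
    pep.add_static_translation("10.2.0.20/32", ["outside"], "192.0.2.20")              # S1: exposed DMZ server
    pep.add_address_hiding("10.1.1.0/29", ["outside"], "192.0.2.64", "192.0.2.71")    # H1: hidden inside block
    pep.add_path_restriction("10.1.0.0/16", ["dmz"])                                  # R1: inside never via dmz
    return pep
```

Two things the model deliberately does not do are worth keeping in mind when reading the real panel: the static translation alone does not admit inbound sessions (the Note above still requires a security policy on the untrusted network), and the MaxC and EmbL limits, which cap open and half-open sessions per rule, act on the session table rather than on individual packets.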


 

IPSec

The IPSec panel appears on a node that has the IPSec Support option enabled in its General panel. The node can be a gateway object or a Cisco Secure Policy Manager host. From the IPSec panel, you can specify the device-specific settings that are used to support different types of IPSec Tunnel Templates. These settings include the type of DES cipher that this node supports. In addition, you can specify the device-specific settings required to support an IKE authentication scheme when establishing an IPSec session with a valid peer. You must specify these settings if this node is included in an IPSec Tunnel Group definition that is based on a template that uses IKE as the authentication mechanism. These settings include the type of shared secret and the secret's value. You must specify these device-specific settings for each IKE authentication scheme identified by the templates used in the IPSec Tunnel Group definitions that identify this node as a peer.


Specifying DES Cipher Settings

From the IPSec panel, you can identify the strongest DES cipher that the selected node supports. Cisco Secure Policy Manager uses this information to perform consistency checks that validate that all peers in IPSec Tunnel Group definitions based on IPSec Tunnel Templates that require specific ciphers can support those ciphers.

To specify the strongest DES cipher that this node can support, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the gateway object for which you want to specify the DES cipher support settings, expand the Network Topology tree until you view that gateway object node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the gateway object icon that has IPSec Support enabled in its General panel.

Step 4 To view the IPSec panel, point to Properties and click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.

Step 5 To specify which DES cipher is supported by this node, click that cipher in the list of ciphers in the DES Cipher Support box.

Two types of DES ciphers are available, depending on the type of software that is running on the selected node:

Step 6 To accept your changes and close the IPSec panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Specifying Pre-Shared Secrets for IKE

From the IPSec panel, you can specify a pre-shared secret that is used to perform IKE negotiations between the selected node and its IPSec Tunnel Group peers. Cisco Secure Policy Manager uses this secret to generate the device-specific commands that enable these pre-shared secrets on this node and its peers. You only need to specify this secret in this panel, as it is propagated to the IPSec panels for the specified peers. In other words, you only have to specify a shared secret on one of the two peer nodes.

To specify the secrets to share between this node and its peers, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the gateway object for which you want to specify the pre-shared keys to use with peers when negotiating the IPSec sessions based on IKE, expand the Network Topology tree until you view that gateway object node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the gateway object icon that has IPSec Support enabled in its General panel.

Step 4 To view the IPSec panel, point to Properties and click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.

Step 5 To specify the peer for which you want to define a pre-shared secret between the selected node and that peer, click that peer in the list of available peers in the Tunnel Peers box.

Result: The Secret shared with peer label displays the name of the selected peer.

This list contains only those gateway objects and Cisco Secure Policy Manager hosts defined under the Network Topology tree that have the IPSec Support option selected in the General panel.

Step 6 To specify the secret to share between this node and the peer selected in the Tunnel Peers box, type that secret in the Secret shared with peer box.

This value is the secret that IKE uses to set up an IPSec tunnel between this node and the selected peer. The minimum length is 8 characters and the maximum length is 128 alphanumeric characters. You cannot use Tab, Enter, spaces, question marks, or double quotes when defining this shared secret.

Step 7 For each peer for which you want to define a pre-shared secret, repeat Steps 5 and 6.

Step 8 To accept your changes and close the IPSec panel, click OK.

Step 9 To save any changes that you have made to the Policy Database, click Save on the File menu. To generate a new command set that includes the pre-shared secrets required by each peer, click Save and Update on the File menu.
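The DES cipher consistency check described under "Specifying DES Cipher Settings" and the pre-shared secret rules in Step 6 above are both checks that can be expressed in a few lines. The following Python is an added example written for this page, not Cisco Secure Policy Manager code: it validates a secret against the stated length and character rules, stores each secret once per unordered peer pair so that it appears on both peers' panels, and reports any tunnel group peer that cannot support the cipher its template requires. The cipher names "DES" and "3DES", their relative strength, the template fields and every node name are assumptions made for the example.

```python
"""Consistency checks implied by the IPSec panel (added example, not Cisco
Secure Policy Manager code).  Assumptions: a node's strongest DES cipher is
"DES" or "3DES" with 3DES the stronger; a template names the cipher it
requires and its authentication scheme.  All names and values are invented."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

CIPHER_STRENGTH = {"DES": 1, "3DES": 2}   # assumed ordering

# Characters the panel rejects in a pre-shared secret, with the name used for each.
FORBIDDEN = {"\t": "Tab", "\n": "Enter", "\r": "Enter", " ": "space",
             "?": "question mark", '"': "double quote"}


def validate_pre_shared_secret(secret: str) -> List[str]:
    """Return every rule the secret violates; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    if len(secret) > 128:
        problems.append("longer than 128 characters")
    for ch, name in FORBIDDEN.items():
        if ch in secret:
            problems.append(f"contains {name}")
    return problems


@dataclass
class Node:
    name: str
    ipsec_support: bool        # "IPSec Support" option in the General panel
    strongest_cipher: str      # "DES Cipher Support" setting


@dataclass
class TunnelTemplate:
    name: str
    required_cipher: str
    authentication: str        # "IKE pre-shared" or "certificate"


@dataclass
class TunnelGroup:
    template: TunnelTemplate
    peers: List[str]


class SecretStore:
    """Pre-shared secrets keyed by the unordered peer pair: entering the secret on
    one node's IPSec panel makes it visible on the peer's panel as well."""

    def __init__(self) -> None:
        self._secrets: Dict[frozenset, str] = {}

    def set_secret(self, node: str, peer: str, secret: str) -> None:
        problems = validate_pre_shared_secret(secret)
        if problems:
            raise ValueError("invalid pre-shared secret: " + ", ".join(problems))
        self._secrets[frozenset({node, peer})] = secret

    def secret_for(self, node: str, peer: str) -> Optional[str]:
        return self._secrets.get(frozenset({node, peer}))


def check_tunnel_group(group: TunnelGroup, nodes: Dict[str, Node],
                       store: SecretStore) -> List[str]:
    """Report every peer that cannot satisfy the template, plus any missing IKE secret."""
    errors: List[str] = []
    need = CIPHER_STRENGTH[group.template.required_cipher]
    for name in group.peers:
        node = nodes[name]
        if not node.ipsec_support:
            errors.append(f"{name}: IPSec Support is not enabled")
        elif CIPHER_STRENGTH[node.strongest_cipher] < need:
            errors.append(f"{name}: supports {node.strongest_cipher}, template "
                          f"{group.template.name} requires {group.template.required_cipher}")
    if group.template.authentication == "IKE pre-shared":
        for i, a in enumerate(group.peers):
            for b in group.peers[i + 1:]:
                if store.secret_for(a, b) is None:
                    errors.append(f"no pre-shared secret defined between {a} and {b}")
    return errors


def build_sample_nodes() -> Dict[str, Node]:
    """Constructed nodes: two 3DES-capable gateways and one that supports only DES."""
    nodes = [Node("pix-hq", True, "3DES"), Node("ios-branch", True, "3DES"),
             Node("ios-legacy", True, "DES")]
    return {n.name: n for n in nodes}
```

Running check_tunnel_group before a Save and Update is the point of the exercise: a peer whose strongest cipher is weaker than the template requires, or a peer pair with no secret entered on either panel, is a tunnel that the generated command set cannot bring up.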


 

Configuring for use with a Certificate Authority

From the IPSec panel, you can specify that the selected node is allowed to communicate with a certificate authority server that is defined under the Network Topology tree. Certificate authority servers use HTTP as the protocol for renewing and validating certificates. They track when the certificates they manage expire and apply the rules for automatically refreshing or issuing new certificates to the network objects that subscribe to that certificate authority. In addition, certificate authority servers provide support for certificate revocation lists (CRLs), which enable you to specify that certain certificates should no longer be trusted.


Tips Cisco Secure Policy Manager automatically creates and applies a security policy that permits HTTP traffic to pass between this node and the specified certificate authority server.

To specify the certificate authority server to use for this node, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the gateway object for which you want to specify the certificate authority server to use, expand the Network Topology tree until you view that gateway object node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the gateway object icon that has IPSec Support enabled in its General panel.

Step 4 To view the IPSec panel, point to Properties and click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.

Step 5 To specify which certificate authority server to use with this node, click that server in the list of certificate authority servers in the Trusted Certificate Authority Server box.

This value identifies a host defined in the Network Topology tree that has been configured as a certificate authority server by adding the Certificate Authority client/server product type to that host.

Step 6 To accept your changes and close the IPSec panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Discovering Certificate Information

From the IPSec panel, you can discover specific information about any certificates that are installed on a managed Policy Enforcement Point that has the IPSec Support option selected in the General panel for that Policy Enforcement Point node.

To discover the certificate information, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the Policy Enforcement Point for which you want to discover the certificate information, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the PIX Firewall icon or IOS Router icon that has IPSec Support enabled in its General panel and has a previously configured certificate installed on that Policy Enforcement Point.

Step 4 To view the IPSec panel, point to Properties and click IPSec on the shortcut menu.

Result: The IPSec panel appears in the View pane.

Step 5 To specify that you want to discover the information about the certificates used by this node, click Discover.

Result: The Discovery dialog box appears with the IPSec box selected under the Discovery Selections box.

Step 6 To discover the certificate information and other IPSec settings for this node, click Discover.

Result: The Discovery Status box displays the status of the device discovery, including the time remaining before the discovery process aborts its discovery attempt. When this process is complete, a message stating "Configuration completed. The configuration attempt was successful" appears.

In addition, the Results button appears, which provides information about the discovery. Specifically, the Discovery Results dialog box should display the following messages:

Step 7 To close the Discovery dialog box, click OK.

Result: The IPSec panel now displays information about each certificate that was discovered. This information is organized on separate subtabs (below the Trusted Certificate Authority box) for each certificate that is discovered.


Step 8 To accept your changes and close the IPSec panel, click OK.

Step 9 To save any changes that you have made, click Save on the File menu.


 

Policy Enforcement Point

From the Policy Enforcement Point panel, you can identify those hosts running the Policy Distribution Point, Policy Monitor Point, and syslog servers that you want to use to control and monitor this Policy Enforcement Point. You can specify the Telnet and enable passwords required to administer this Policy Enforcement Point. You can also view the settings for the associated network service (TCP port) that administrative clients use to communicate with the Policy Enforcement Point, and you can specify whether you want to use an IPSec tunnel to encrypt such communications.


Caution If you modify the IP address that Cisco Secure Policy Manager uses to publish the commands to a Policy Enforcement Point (the address in the Policy Enforcement Point panel), you must define an intermediate security policy to allow the network service selected in the Policy Enforcement Point panel for both the old and the new IP addresses. Otherwise, the connection to the Policy Enforcement Point is broken while the Policy Distribution Point is publishing the command set that changes from the old address to the new address.


Modifying the IP Address Setting

You can specify the IP address that a Cisco Secure Policy Manager host acting as a Policy Distribution Point uses to contact the Policy Enforcement Point for the purpose of publishing the derived network policies and to obtain status about the Policy Enforcement Point. This IP address must be an IP address assigned to an interface of the Policy Enforcement Point. This IP address can also be the IP address used by any other administrative tools that you use to review the status of this Policy Enforcement Point.


Note For Policy Enforcement Points running PIX Firewall software version 4.x or earlier, you cannot use an IP address that is assigned to the outside interface of the PIX Firewall. The IP address must be assigned to the inside interface or to one of the perimeter interfaces.

To modify the IP address used to connect to the PEP, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall node or IOS Router node for which you want to modify the IP address used by the Policy Distribution Point to download new network policies, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon.

Step 4 To view the Policy Enforcement Point panel, point to Properties and click Control on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 5 To change the IP address on which the Policy Enforcement Point listens for requests from the Policy Distribution Point and other administrative tools, select the new IP address in the IP Address box under General Settings.

The IP addresses available in the list are those defined for the valid interfaces of this Policy Enforcement Point. These addresses are defined in the Interfaces panel of the selected Policy Enforcement Point node. By default, the Policy Enforcement Point panel uses the first IP address listed under the first interface attached to an upstream network.


Caution If you modify the IP address that Cisco Secure Policy Manager uses to publish the commands to a Policy Enforcement Point (the address in the Policy Enforcement Point panel), you must define an intermediate security policy that allows the network service selected in the Policy Enforcement Point panel for both the old and the new IP addresses. Otherwise, the connection to the Policy Enforcement Point is broken while the Policy Distribution Point is publishing the command set that changes from the old address to the new address.

Step 6 To accept your changes and close the Policy Enforcement Point panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Selecting the Policy Distribution Point

From the Policy Enforcement Point panel, you can specify the Policy Distribution Point that is used to publish new network policies to the Policy Enforcement Point. This Policy Distribution Point is responsible for generating and publishing network policies to Policy Enforcement Points, such as the PIX Firewall and IOS Router.

To select the Policy Distribution Point used to publish network policy to the Policy Enforcement Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall or IOS Router for which you want to select the associated Policy Distribution Point, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to select a Policy Distribution Point.

Step 4 To view the Policy Enforcement Point panel, point to Properties and click Control on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 5 To select the host that is running the Policy Distribution Point that you want to use, click that host name in the Policy Distribution Point box under Policy Distribution.

This box displays only those primary and/or secondary servers defined under the Network Topology tree that have a Policy Distribution Point client/server product installed on them.

If you installed a standalone Cisco Secure Policy Manager, the Policy Distribution Point resides on that primary server. Otherwise, in a distributed installation, it can reside on either a primary or a secondary server, depending on which feature sets you chose to install on the various hosts.

Step 6 To accept your changes and close the Policy Enforcement Point panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Requiring Use of IPSec Tunnel

From the Policy Enforcement Point panel, you can specify that you want the Cisco Secure Policy Manager host acting as the Policy Distribution Point to use an IPSec tunnel when communicating with the Policy Enforcement Point, such as a PIX Firewall or IOS Router. This tunnel can provide additional authentication, as well as encryption, for sessions between the Policy Enforcement Point and the Policy Distribution Point, providing non-repudiation and data integrity for the network policies that are published to the Policy Enforcement Point.

To require Cisco Secure Policy Manager to use an IPSec tunnel when communicating with the Policy Enforcement Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall or IOS Router for which you want to require the use of an IPSec tunnel during Policy Enforcement Point-to-Policy Distribution Point communications, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to require the use of an IPSec tunnel.

Step 4 To view the Policy Enforcement Point panel, point to Properties and click Control on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 5 To select the IPSec Tunnel Template definition used to connect to the selected Policy Enforcement Point, click that template in the Use secure IPSec with template box under Policy Distribution.

This template must be defined under the IPSec Tunnel Templates branch of the Tools and Services tree. By default, the Policy Distribution Point does not use an IPSec tunnel when communicating with the Policy Enforcement Point.

Step 6 To accept your changes and close the Policy Enforcement Point panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.

Step 8 Before publishing the command set to the Policy Enforcement Point, you must first configure the Policy Enforcement Point to accept the IPSec tunnel from the Policy Distribution Point. To configure the Policy Enforcement Point, refer to the "Configuring IPSec Bootstrap" section.


 

Selecting the Policy Monitor Point

From the Policy Enforcement Point panel, you can specify the Policy Monitor Point that is used to monitor the syslog data streams generated by the Policy Enforcement Point, such as a PIX Firewall or IOS Router. This Policy Monitor Point studies the syslog data to derive higher-level audit records, such as session records.

To select the Policy Monitor Point used to monitor Policy Enforcement Point syslog data streams, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall or IOS Router for which you want to select the associated Policy Monitor Point, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to select a Policy Monitor Point.

Step 4 To view the Policy Enforcement Point panel, point to Properties and click Control on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 5 To select the host that is running the Policy Monitor Point that you want to use, click that host name in the Policy Monitor box under Logging.

This box displays only those primary and/or secondary servers defined under the Network Topology tree that have a Policy Monitor Point client/server product installed on them.

Step 6 To accept your changes and close the Policy Enforcement Point panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.
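The Policy Monitor Point described above derives session records from the syslog stream a Policy Enforcement Point emits. The following added example (not part of the original documentation or of the Cisco Secure Policy Manager product) shows the basic correlation such a monitor performs: it pairs connection build and teardown messages by connection ID into one session record and flags teardowns that arrive without a matching build. The sample log lines are constructed for this example and are modeled loosely on PIX 302001/302002 TCP build and teardown messages; the exact field layout on a given PIX software release may differ, so the regular expressions are an assumption.

```python
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional, Tuple

# Constructed sample syslog lines (not captured from a real device).
# Connection 1001 is built and torn down, 1002 is still open, and 1003 is
# torn down without a visible build (e.g. logging was enabled mid-session).
SAMPLE_SYSLOG = """\
%PIX-6-302001: Built outbound TCP connection 1001 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1025 laddr 10.0.0.5/1025
%PIX-6-302001: Built inbound TCP connection 1002 for faddr 203.0.113.20/3456 gaddr 198.51.100.2/25 laddr 10.0.0.9/25
%PIX-6-302002: Teardown TCP connection 1001 faddr 203.0.113.10/80 gaddr 198.51.100.2/1025 laddr 10.0.0.5/1025 duration 0:00:12 bytes 4821 (TCP FINs)
%PIX-6-302002: Teardown TCP connection 1003 faddr 203.0.113.30/22 gaddr 198.51.100.2/1030 laddr 10.0.0.7/1030 duration 0:01:02 bytes 900 (TCP Reset-O)
"""

# Assumed message layouts; adjust to the format your PIX release actually logs.
BUILT_RE = re.compile(
    r"%PIX-\d-302001: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)"
)
TEARDOWN_RE = re.compile(
    r"%PIX-\d-302002: Teardown TCP connection (?P<conn_id>\d+) faddr (?P<faddr>\S+) "
    r"gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+) duration (?P<duration>\d+:\d{2}:\d{2}) "
    r"bytes (?P<bytes>\d+) \((?P<reason>[^)]*)\)"
)


@dataclass
class SessionRecord:
    """One higher-level audit record derived from a build/teardown pair."""
    conn_id: int
    direction: str
    faddr: str                            # foreign (far-side) address/port
    laddr: str                            # local (inside) address/port
    duration: Optional[timedelta] = None  # filled in by the teardown message
    byte_count: Optional[int] = None
    reason: Optional[str] = None

    @property
    def complete(self) -> bool:
        # A session is complete only once its teardown has been seen.
        return self.duration is not None


def parse_duration(text: str) -> timedelta:
    """Convert the H:MM:SS duration field into a timedelta."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def derive_sessions(lines) -> Tuple[List[SessionRecord], List[int]]:
    """Correlate build and teardown lines into session records.

    Returns (records, orphan_teardown_ids). Records for connections that were
    built but not yet torn down are included with complete == False; teardowns
    with no matching build are reported separately so they are not silently lost.
    """
    open_sessions = {}
    finished = []
    orphan_teardowns = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            cid = int(m["conn_id"])
            open_sessions[cid] = SessionRecord(cid, m["direction"], m["faddr"], m["laddr"])
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid = int(m["conn_id"])
            rec = open_sessions.pop(cid, None)
            if rec is None:
                orphan_teardowns.append(cid)
                continue
            rec.duration = parse_duration(m["duration"])
            rec.byte_count = int(m["bytes"])
            rec.reason = m["reason"]
            finished.append(rec)
    records = finished + list(open_sessions.values())
    records.sort(key=lambda r: r.conn_id)
    return records, orphan_teardowns


if __name__ == "__main__":
    sessions, orphans = derive_sessions(SAMPLE_SYSLOG.splitlines())
    for s in sessions:
        state = "closed" if s.complete else "open"
        print(f"conn {s.conn_id} {s.direction} {s.laddr} -> {s.faddr}: {state}, "
              f"{s.byte_count} bytes, reason={s.reason}")
    print("teardowns without a matching build:", orphans)
```

Orphan teardowns are worth surfacing rather than discarding: in a monitoring pipeline they usually indicate lost or delayed syslog datagrams (syslog over UDP offers no delivery guarantee), which is exactly the kind of gap an auditor needs to know about.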


 

Selecting the Associated Syslog Servers

From the Policy Enforcement Point panel, you can specify one or more syslog servers, in addition to the Cisco Secure Policy Manager host acting as Policy Monitor Point, that you can use to provide additional monitoring of the syslog data streams generated by the Policy Enforcement Point.

To select the syslog servers used to monitor Policy Enforcement Point syslog data streams, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall or IOS Router for which you want to select the associated syslog servers, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to select a syslog server.

Step 4 To view the Policy Enforcement Point panel, point to Properties and click Control on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 5 To select one or more hosts on which syslog servers are running, click those host names in the Syslog Monitors box under Logging.

This box displays only those hosts defined under the Network Topology tree that have a syslog client/server product installed on them. The host or hosts that you select must have a syslog application capable of processing the data streams. For instructions on installing and configuring these applications, refer to the documentation that came with those products.

Step 6 To accept your changes and close the Policy Enforcement Point panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Specifying the Enable Password

From the Policy Enforcement Point panel, you can specify the enable password for the selected Policy Enforcement Point. The Policy Distribution Point uses this password to authenticate to the Policy Enforcement Point before it can publish new network policies to that Policy Enforcement Point.


Note All managed gateway objects require that you specify the enable password.

To specify the enable password used to publish network policies to the Policy Enforcement Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall or IOS Router for which you want to specify the enable password, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to specify the enable password.

Step 4 To view the Policy Enforcement Point panel, point to Properties and click Control on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 5 To specify the enable password, type that password in the Enable password box under Authentication.

The enable password can be up to 16 alphanumeric characters. Both uppercase and lowercase characters are permitted, and the password is case sensitive.

Step 6 To accept your changes and close the Policy Enforcement Point panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.


 

Specifying the Telnet Password

From the Policy Enforcement Point panel, you can specify the Telnet password for the selected Policy Enforcement Point. Any administrators who connect to the Policy Enforcement Point to perform any diagnostic tests must first use this password to authenticate to the Policy Enforcement Point.


Note Currently, only the IOS Router uses (and requires) the Telnet password. However, both the PIX Firewall and the IOS Router require that you specify the enable password.

To specify the Telnet password used to authenticate to the Policy Enforcement Point, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the PIX Firewall or IOS Router for which you want to specify the Telnet password, expand the Network Topology tree until you view that Policy Enforcement Point node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Policy Enforcement Point icon for which you want to specify the Telnet password.

Step 4 To view the Policy Enforcement Point panel, point to Properties and click Control on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 5 To specify the Telnet password, type that password in the Telnet password box under Authentication.

The Telnet password can be up to 16 alphanumeric and special characters; however, you cannot use the question mark, space, or colon in the password. You can use both uppercase and lowercase characters, because this password is case sensitive.

Step 6 To accept your changes and close the Policy Enforcement Point panel, click OK.

Step 7 To save any changes that you have made, click Save on the File menu.
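The enable password rules (up to 16 alphanumeric characters) and the Telnet password rules (up to 16 characters, no question mark, space, or colon) are both stated in prose above. The following added example, which is not part of the original documentation or of the Cisco Secure Policy Manager product, turns those two rule sets into pre-entry checks so a mistyped credential is caught before it is stored in the Policy Enforcement Point panel and the publish step fails at the device. The "alphanumeric" test is assumed to mean ASCII letters and digits; the documentation does not say so explicitly.

```python
import string
from typing import List

MAX_PASSWORD_LENGTH = 16                         # limit stated for both passwords
ALNUM = set(string.ascii_letters + string.digits)  # assumed meaning of "alphanumeric"
TELNET_FORBIDDEN = {"?", " ", ":"}               # characters the Telnet password may not contain


def check_enable_password(password: str) -> List[str]:
    """Return the rule violations for an enable password; an empty list means OK."""
    problems = []
    if not password:
        # Every managed gateway object requires an enable password.
        problems.append("enable password is required")
        return problems
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if any(c not in ALNUM for c in password):
        problems.append("enable password must be alphanumeric only")
    return problems


def check_telnet_password(password: str) -> List[str]:
    """Return the rule violations for a Telnet password; an empty list means OK."""
    problems = []
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    bad = sorted(c for c in set(password) if c in TELNET_FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + ", ".join(repr(c) for c in bad))
    if any(c not in string.printable or c in "\t\n\r\x0b\x0c" for c in password):
        # Control characters cannot be typed into the panel; treat them as invalid.
        problems.append("contains non-printable characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Cisco123", "pa$$word", "a" * 17):
        print("enable", repr(candidate), check_enable_password(candidate) or "OK")
    for candidate in ("r0ut3r-Adm!n", "bad:pw", "has space"):
        print("telnet", repr(candidate), check_telnet_password(candidate) or "OK")
```

Both checks are case-preserving: the documentation states that the passwords are case sensitive, so the validator never lowercases or otherwise normalizes what the administrator typed.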


 

Viewing the Associated Network Service

Modifying the network service associated with a Policy Enforcement Point has no effect on the system or the configuration of that Policy Enforcement Point. For an IOS Router, this network service is Telnet (TCP port 23). For a PIX Firewall, this network service is PIX Secure Telnet (TCP port 1467).

Viewing the TCP Port used by the Policy Enforcement Point

Modifying the port used for the network service associated with a Policy Enforcement Point has no effect on the system or the configuration of that Policy Enforcement Point. For an IOS Router, this network service is Telnet (TCP port 23). For a PIX Firewall, this network service is PIX Secure Telnet (TCP port 1467).


Posted: Mon Jun 5 10:49:58 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.