User Guide for Cisco Secure Policy Manager 3.1



Document information

User Guide for Cisco Secure Policy Manager 3.1
Version 3.1

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: DOC-7814178=
Text Part Number: 78-14178-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, the Cisco Powered Network mark, the Cisco Systems
Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0203R)

User Guide for Cisco Secure Policy Manager 3.1
Copyright © 2002, Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface xxv
What’s In This User Guide xxv
Audience xxxi
Conventions xxxi
Related Documentation xxxii
Obtaining Documentation xxxiii
World Wide Web xxxiii
Ordering Documentation xxxiii
Documentation Feedback xxxiii
Obtaining Technical Assistance xxxiv
Cisco.com xxxiv
Technical Assistance Center xxxv
Cisco TAC Web Site xxxv
Cisco TAC Escalation Center xxxvi

CSPM Overview

CHAPTER 1 Getting Started with CSPM 1-1
Logging In 1-1
CSPM Overview 1-2
Topology 1-5
Policy 1-7
Commands 1-10
Status 1-12
Reports 1-13
Getting Started Checklist 1-15
Configure Topology 1-16
Adding a PIX Firewall to the Internet 1-17
Adding a CSPM Server to Your Topology 1-23
Configure Policy 1-25
Creating a Policy Rule 1-25
Configure Logging, Reporting, and Notifications 1-27
Publish Commands 1-27
Generating Commands 1-28
Reviewing the Generated Command Set 1-29
Publishing Commands 1-30

CHAPTER 2 Preparing Your Network 2-1
IOS Firewall Worksheet 2-2
PIX Firewall Worksheet 2-6

CHAPTER 3 Finding Objects in CSPM 3-1
Tasks for the Find Tool 3-1
Finding an Object by Name 3-1
Finding an Object by IP Address 3-3
Finding an Object by Type 3-4
Finding an Object by Group Type 3-5
Finding a Rule by Keyword 3-6

CHAPTER 4 Saving Changes in CSPM 4-1
Save 4-1
Learn More About Save 4-2
Saving Your Changes 4-3
Save and Update 4-4
Learn More About Save and Update 4-4
Saving Changes and Updating Network Policy 4-5

CHAPTER 5 Consistency Check 5-1
Learn More About Consistency Check 5-1
Task List for Consistency Check 5-2
Configuring Consistency Checks 5-2
Performing On-Demand Consistency Checks 5-3

CHAPTER 6 Setting CSPM Options 6-1
Learn More About Options 6-1
Task List for the Options Dialog Box 6-3
Enabling or Disabling Automatic Backup 6-3
Changing the Default Fonts 6-4
Specifying the Default Command Publishing Method 6-5
Specifying the Product Information Page 6-6
Specifying the Archive Count Setting 6-7
Specifying the File Export Settings 6-7
Specifying the Multiple Path Threshold 6-8
Enabling or Disabling Automatic Denies for Wildcard Policies 6-9

Configuring Network Topology

CHAPTER 7 Representing Your Network Topology 7-1
Roles of the Network Topology 7-2
Identifying Key Components in Your Topology 7-3
How the Network Topology Organizes Device-Centric Settings and Rules 7-5
Learn More About Defining the Physical Network Topology 7-7
How Network Objects Provide the Building Blocks for Policy Rules 7-9
Learn More About Perimeters and Interfaces 7-15

CHAPTER 8 Guidelines and Techniques for Defining Your Network Topology 8-1
Designing Topology from the Internet Down into Your Network 8-2
So How Much Do I Have to Define? 8-4
Mapping Between Physical Network Objects and CSPM Topology Objects 8-6

CHAPTER 9 Defining Your Network Topology 9-1
Worksheet for Defining Your Network Topology 9-4
Internet 9-6
Learn More About the Internet 9-7
Learn More About Interfaces on the Internet 9-8
Networks 9-9
Adding a Network to Your Topology 9-10
Clouds 9-14
Learn More About Clouds 9-14
Learn More About Interfaces on a Cloud 9-15
Learn More About Cloud Networks 9-16
Learn More About Wildcard Networks 9-17
Task List for Clouds 9-18
Adding a Cloud to Your Topology 9-18
Adding a Cloud Network to Your Topology 9-26
Adding a Wildcard Network to Your Topology 9-27
PIX Firewall 9-28
Learn More About PIX Firewalls 9-29
Learn About PIX Firewall Failover 9-29
Learn More About Interfaces on a PIX Firewall 9-31
Task List for PIX Firewalls 9-33
Adding a PIX Firewall to Your Topology 9-34
Configuring a PIX Firewall for Failover 9-46
Modifying the Trust Settings of the Interfaces Installed in a PIX Firewall 9-48
Cisco IOS Routers 9-49
Learn More About Cisco IOS Routers 9-50
Learn More About Interface Types: Real vs. Virtual and Numbered vs. Unnumbered 9-51
Unnumbered Interfaces 9-52
Learn More About Interfaces on a Cisco IOS Router 9-53
IOS Interface Naming Guidelines 9-53
Adding a Cisco IOS Router to Your Topology 9-54
Adding a Cisco IOS Router to the Internet 9-54
Adding a Cisco IOS Router to a Network 9-61
Routers 9-67
Learn More About Interfaces on a Generic Router 9-68
Adding a Router to Your Topology 9-69
Adding a Router to the Internet 9-69
Adding a Router to a Network 9-73
CSPM Servers 9-77
Adding a CSPM Server to Your Topology 9-77
Configuring the CSPM Server to Publish Notifications to an SMTP Server 9-79
IP Ranges 9-80
Adding an IP Range to Your Topology 9-80
Hosts 9-82
Learn More About Hosts 9-82
Task List for Hosts 9-83
Adding a Host to Your Topology 9-83
Specifying a Client/Server Product Is Running on a Host 9-84
Configuring a Host to Receive SMTP-Based Notifications 9-86
Authentication Server Panel 9-87
Learn More About Certificate Authority Servers 9-87
Learn More About RADIUS Authentication Servers 9-88
Learn More About TACACS+ Authentication Servers 9-89
Specifying that an Authentication Server Is Running on a Host 9-90
Syslog Server Panel 9-91
Learn More About Syslog Servers 9-92
Task List for Syslog Server 9-92
Modifying the IP Address Setting for a Syslog Server 9-92
Modifying the Network Service Port Used by the Syslog Server 9-93
Selecting the Network Service Associated with a Syslog Server 9-94

CHAPTER 10 Configuring the Global Policy Override Settings for Managed Devices 10-1
Settings Panel on a PIX Firewall 10-1
Learn More About the Settings Panel on a PIX Firewall 10-2
Task List for the Settings Panel on a PIX Firewall 10-2
Specifying Global ICMP Policy Overrides on a PIX Firewall 10-2
Specifying Global Timeout Settings on a PIX Firewall 10-3
Specifying Log Settings for PIX Firewall Activity 10-5
Enabling Flood Guard on a PIX Firewall 10-7
Settings Dialog Box on the Interfaces Panel of a PIX Firewall 10-8
Default Security Stance for an Interface 10-8
Specifying the Routing Table Update and Broadcast Settings for a PIX Firewall Interface 10-10
Device-Specific Settings for a Cisco IOS Router 10-11
Learn More About Device-Specific Settings on a Cisco IOS Router 10-11
Default Security Stance for an Interface 10-12
Task List for the Device-Specific Settings on a Cisco IOS Router 10-13
Enabling Address Translation Overload for a Cisco IOS Router 10-13
Enabling ICMP Policy Override Setting for a Cisco IOS Router 10-14
Specifying Log Settings for Cisco IOS Router Activity 10-15
Specifying the Global CBAC Settings for a Cisco IOS Router 10-17
Specifying the Global Inspection Command Settings for a Cisco IOS Router 10-19

CHAPTER 11 Configuring Administrative Control Communications 11-1
Control Panel 11-1
Learn More About Controlling Managed Devices 11-2
Notes for Defining CSPM-to-Managed Device Tunnels 11-4
Guidelines for Deploying Your CSPM Server 11-6
Avoiding Losses of Connectivity Between CSPM and a Managed Device 11-8
Task List for the Control Panel 11-10
Modifying the IP Address Used to Communicate with a Managed Device 11-11
Selecting the CSPM Server to Control a Managed Device 11-12
Requiring that a Managed Device Use an IPSec Tunnel for Administration 11-12
Configuring CSPM to Monitor the Syslog Data Streams Generated by a Managed Device 11-13
Selecting the Syslog Servers that Monitor the Syslog Data Streams Generated by a Managed Device 11-14
Specifying the Enable Password Used to Administer a Managed Device 11-15
Specifying the Telnet Password Used to Administer a Managed Device 11-15

CHAPTER 12 Defining Traffic Flows, Shaping Rules, and Enforcement Path Rules 12-1
Routes 12-1
Learn More About Routes 12-2
Task List for the Routes Panel 12-5
Creating a Routing Rule on a Gateway 12-6
Modifying a Routing Rule on a Gateway 12-7
Specifying Route Management Settings on a Gateway 12-9
Viewing Active Routing Rules on a Gateway 12-10
Using Mapping Rules 12-11
Learn More About Static Translation 12-11
Task List for Static Translation Rules 12-13
Creating a Static Translation Rule 12-13
Modifying a Static Translation Rule 12-17
Viewing Active Static Translation Rules 12-20
Learn More About Address Hiding 12-21
Learn More About Why You Should Use Address Hiding 12-22
Learn More About How Address Hiding Works 12-24
Learn More About How Session Awareness and Port Mapping Affect Address Hiding 12-25
Task List for Address Hiding Rules 12-26
Creating an Address Hiding Rule 12-26
Modifying an Address Hiding Rule 12-29

INDEX

types hosts 9-82 inter-gateway 12-39 adding 9-83 intra-gateway 12-37 adding a client/server product type 9-85 regional 12-40 configuring SMTP server 9-86, 27-12 fonts example uses 9-82 overview 9-82 changing defaults 6-4 hubs defining in IKE tunnels 20-16, 21-19 G multiple hubs with spokes 23-1 getting started checklist 1-15 GRE advantages of using with IPSec 23-4 I IKE configuring 23-5 certificate server 19-4 in tunnel policies 19-12 creating 20-5, 21-5, 22-3 limitations of 23-5 device settings 19-4 using the IPSec/GRE action 15-11 using certificates with 19-5 with IPSec tunnels 23-4 with certificates 19-4 gui with preshared keys 19-4 See user interface IKE, definition of 19-7 IKE IPSec Tunnel Templates node tasks H modifying IKE settings 20-7, 21-6, 22-5 IKE tunnel groups help technical assistance, obtaining xxxiv accessing IPSec Wizard for 20-15, 21-18 Cisco.com xxxiv associating spokes with hubs 20-19, 21-22 TAC xxxv creating 20-13, 21-15

defining AAA servers 20-21, 21-23 types 9-51 defining certificate server 20-22, 21-25 Cisco IOS router interfaces 9-53 defining Mode Config address pool 20-22, cloud 9-15 21-25 external 7-17 defining preshared keys 20-20, 21-23 generic routers 9-68 defining tunnel hubs 20-16, 21-19 internal 7-17 defining tunnel spokes 20-18, 21-21 Internet 9-8 saving settings 20-23, 21-26 loopback 9-51 selecting tunnel template 20-16, 21-18 PIX Firewall interfaces 9-31 IKE tunnels real 7-17, 9-51 benefits 19-8 unnumbered 9-51, 9-52 limitations 19-8 proposals 19-8 use of preshared secrets with 19-6 virtual 7-17, 9-51 Interfaces panel interface naming guidelines IKE tunnel templates accessing IPSec Wizard for 20-6, 21-6, 22-4 creating 20-5, 21-5, 22-3 defining
IKE options 20-7, 21-6, 22-5 defining tunnel protocols 20-9, 21-9, 22-7 saving settings 20-12, 21-12, 22-10 Import from File importing settings 33-5 overview 33-4 importing for Cisco IOS routers 9-53 Internet 9-6 adding cloud networks within 9-26 default wildcard 14-8 interfaces 9-8 overview 9-7 Internet perimeter overview 9-8 See Internet IOS See Configuration Import tool initial setup 8-2 constructing prologue and epilogue commands (note) 17-14 interfaces unsupported version of A-1 default security stance 10-8, 10-12 key concepts 7-17 overview 7-6 wr mem command requirement after manual image upgrade (note) 1-30, 17-18, 20-28, 21-36, 22-26

IOS Router node 9-49 specifying pre-shared secrets for IKE 22-20 IP ranges specifying which certificate authority to use 22-17 adding to your topology 9-81 dependencies 9-80 IPSec setting enabling 20-4, 21-4, 22-15 example uses 9-80 purpose 20-4, 21-4, 22-15 overview 9-80 IPSec Tunnel Groups branch IPSec tasks advanced features 23-1 creating an IPSec Tunnel Group 21-26 books 19-13 device settings 19-3 IPSec tunnels checklist disabling NAT with 23-2 Peer to Peer 21-2 how CSPM implements 19-2 IPSec Wizard 14-5 overview 19-1 J publishing commands with 19-4 remote-user tunnels 20-1 Java request for comments 19-13 specifying block Java 14-4 role of policy in 19-12 using the Block Java action 15-11 See also tunnel groups See also tunnel templates K site-to-site tunnels 21-1 specifying use tunnel 14-4 supported devices 19-3 using the IPSec/GRE action 15-11 using when publishing commands 22-1 IPSec panel key components definition of 7-1 key concepts interfaces 7-15 perimeters 7-15 keys tasks discovering certificate information 20-25, 21-32, 22-18 automatic generation of IKE 23-6 defining in device properties 22-20 specifying DES cipher support 22-16

defining manual keys 22-21 generating IKE keys 23-7 in IKE tunnels 20-20, 21-23 troubleshooting avoiding loss of connectivity with CSPM server 11-8 crossover traffic examples 11-7 early PIX Firewall versions 11-2 L modifying IPSec tunnel groups used for communication 11-4 license troubleshooting command distribution 16-5 See Product License license disk 34-1 log files 29-2 logging troubleshooting command generation 16-5 man-in-the-middle attack 26-18 manual keys 22-21 how used 19-12 overview 25-1 See also event filtering in tunnel groups 19-12 manual tunnels benefits 19-9 creating 21-13, 22-11 M key management 19-9 Managed Devices key management limitations 19-9 controlling 11-2 limitations 19-9 default security stance 10-8, 10-12 when to use 19-9 determining command distribution status 17-8 determining command generation status 17-8 overview 7-1 selecting a CSPM Server for controlling 11-6 selecting a CSPM server to control 11-12 selecting target syslog servers for 11-14, 25-6 selecting the CSPM server to control a Managed Device 11-7 specifying the monitoring server for a Managed Device 11-14, 25-5 manual tunnel templates about 19-9 Mapping panel overview 12-11 tasks creating address hiding rules 12-26 creating a path restriction rule 24-11, 24-12 creating a Static Translation Rule 12-14 creating path restriction rules 12-45

modifying address hiding rules 12-29 selecting network service definition for 25-22 modifying path restriction rules 12-47 specifying ODBC connection information for use with 25-26 modifying static translation rules 12-17 viewing active address hiding rules 12-32 Multiple Path Threshold 6-8 viewing active path restriction rules 12-49 viewing active static translation rules 12-21 mapping rules 12-11 overview 12-11 types 12-11 address hiding 12-11 path restriction 12-11 static translation 12-11 Mode Config about 20-1 defining addresses 20-22, 21-25 policy tip 20-2 topology tip 20-2 monitoring subsystem role in CSPM 25-1 See also logging Monitor panel overview 25-19 tasks archiving audit records 25-23, 32-5 deleting audit records 25-23, 32-5 duplicating/redirecting received Syslog messages from 25-27 modifying IP address used for 25-20 modifying UDP port used for 25-21 N NAT advantages of disabling with IPSec 23-2 configuring with IPSec 23-3 limitations with IPSec 23-2 with IPSec tunnels 23-2 network address translation 12-21 Network Discovery Viewer features 13-11 network interfaces See interfaces network object groups creating 18-6 example use of 15-8 modifying 18-7 overview 15-7 tasks 18-1 viewing a list of 15-8 networks adding to your topology 9-10 overview 9-9 network security policy advanced configuration tasks 18-1

basic configuration tasks 17-1 configuration Network Service Groups panel tasks AAA Wizard 14-4 creating network service groups 18-2 creating network object groups 18-6 modifying network service groups 18-4 creating network service groups 18-2 network topology creating perimeter groups 18-8 abstract physical topology 7-8 creating policy rules 1-25, 17-2 checklist 9-1 deleting policy rules 17-6 clouds example 8-2 editing policy rules 17-4 dependencies 7-9 IPSec Wizard 14-5 creation 7-9 modifying network object groups 18-7 policy enablement 7-10 modifying network service groups 18-4 guidelines 8-1 policy rules 14-3 how much to define 7-8 Configuration Import tool 14-5 evaluation 14-5 introduction 14-1 importing 13-16 See also Configuration Import tool key components 7-3 overview 16-1 authentication servers 7-4 scope of 14-2 certificate authority servers 7-4 tools for configuring 14-4 IOS Routers/Firewalls 7-4 updating 4-5 ISP connections 7-3 network service groups Managed Devices 7-3 creating 18-2 PIX Firewalls 7-4 modifying 18-4 syslog servers 7-5 overview 15-10 logical structures 7-9 tasks 18-1 modeling 8-1 viewing list of 15-11 map common objects 8-6

network objects O Cisco IOS routers 7-15 cloud networks 7-13 On-Demand Reports 26-7 clouds 7-12 Options CSPM servers 7-11 archive count setting 6-7 dependencies 7-10 automatic backup 6-3 hosts 7-10 automatic denies for wildcard policies 6-9 Internet 7-12 enabling automatic backup 6-1 IP ranges 7-11 file export settings 6-7 networks 7-11 fonts 6-4 PIX Firewalls 7-14 Multiple Path Threshold 6-8 routers 7-14 policy update default 6-5 servers 7-10 printer settings 6-1 uses 7-10 product information page Web address 6-6 wildcard networks 7-13 overview 7-1 planning worksheet 9-4 relationship to policy 7-8 role in CSPM 7-2, 7-8 device-centric settings 7-5 top-down design 8-2 notifications P password life 28-7 path restriction rules creating 12-45 flow restrictions types 12-37 modifying 12-47 checklist for defining notification rules 27-5 tasks 12-45 configuring 27-1 viewing 12-49 configuring hosts to receive 9-86, 27-12 overview 27-1, 27-7 tasks 27-8 viewing 27-1 path restrictions overview 12-33 perimeter groups creating 18-8

deleting 18-10 tasks 9-33 moving perimeters between 18-10 enabling Flood Guard on 10-7 overview 15-8 inverting trust relationships for interfaces 9-48 renaming 18-10 modifying trust relationships for interfaces 9-48 tasks 18-1 perimeters on Settings panel 10-2 example of 15-8 key concepts 7-16 specifying global policy overrides for ICMP 10-3 moving between groups 18-10 specifying global timeout settings for 10-4 overview 15-8 restrictions 7-16 specifying interface route settings for 10-10 understanding how CSPM creates 15-8 specifying log settings for 10-5, 25-9 viewing lists of perimeter groups 15-8 unsupported version of A-1 worksheet 2-6 permit overview 15-12 PIX Firewalls 9-28 adding to a network 9-41 adding to the Internet 1-17, 9-34 configuring failover 9-46 default security stance 10-8, 10-12 definition of 9-29 device-specific settings 10-2 flipping 9-48 interfaces 9-31 publishing commands to the outside interface 19-2, 22-1 Settings dialog box 10-8 Settings panel 10-1 policy for remote-user tunnels 20-2 See network security policy Policy Monitor panel tasks installing/defining ODBC driver for use with 25-24 policy queries example scenarios 16-11 effective intersections example 16-14, 16-18, 16-23 effective rules example 16-13, 16-17, 16-21 matching rules example 16-12, 16-16, 16-20 performing 17-15 troubleshooting policy evaluation 16-21

types for tunneled traffic 20-23, 21-31 effective intersections 16-11 inserting 1-25, 17-2 effective rules 16-11 Java 14-2 matching rules 16-11 limitations of 14-2 Policy Query tool tasks using to verify policies 17-15 Policy Reports panel definition of 26-13 policy rules non-terminal actions 15-11 purpose of 20-23, 21-31 referencing the Internet in 14-8 role in IPSec tunnels 19-2 role in network security policy 14-1 See service AAA 14-2 services of the network traffic 15-10 action 14-3 source 14-3 actions associated with 15-11 source of network traffic 15-4 adding 1-25, 17-2 terminal actions 15-12 basic configuration tasks 17-1 tunnels 14-2 components using network object groups 15-8 optional 14-4 using network service groups 15-11 required 14-3 using perimeter groups in 15-10 components of 15-1 using the AAA action 15-12 configuration using the Block Java action 15-11 See also Command Viewer using the Deny action 15-12 See also Policy Query tool using the IPSec/GRE action 15-11 See also Policy Wizard using the IPSec action 15-11 tools 16-1 using the Permit action 15-12 deleting from Policy Rule table 17-6 valid destinations 15-6 destination 14-3 valid sources 15-4 destination for network traffic 15-6 wildcard networks in 14-6 editing 17-4 evaluation of conditions 15-1 Policy Rule table See overview

tasks prologue commands creating policy rules 1-25, 17-2 deleting policy rules 17-6 entering 17-14 protocols editing policy rules 17-4 AH Policy Update See AH Protocol automatic 6-5 ESP changing the default 6-5 See ESP Protocol manual 6-5 See also Save and Update Policy Wizard R overview 16-1 RADIUS 20-1 policy rule components 15-1 RADIUS Server panel 9-88, 24-3 port address translation 12-11 preshared secrets reader comment form, submitting electronically xxxiii automatic generation of 19-6 recovering from premature shutdown 29-2 benefits of 19-6 Regional Flow Control Tool 12-49 drawbacks of 19-6 in IKE negotiations 19-4 tasks defining a regional flow restriction 12-50 use in IKE tunnels 19-6 reporting agent 26-13 where defined 19-6 reporting subsystem Product Information 6-6 specify Web site address 6-6 Product Information page 6-6 Product License associated IP Address 26-16 associated network service 26-16 TCP port used by 26-14 reports overview 34-1 checklist for configuring and defining 26-5 updating 34-1 configuring reporting agent 26-13 overview 26-2 prologue IOS configuration mode requirement (note) 17-14 scheduling 26-5

tasks RFC accessing remotely 26-12 2401 19-13 creating user defined reports 26-10 2402 19-13 defining scheduled reports 26-8 2406 19-13 generating 26-7 printing a report 26-13 viewing 26-7 viewing scheduled reports 26-10 types of route management settings specifying 12-9 routers adding to a network 9-73 adding to your topology 9-69 detailed 26-4 interfaces 9-68 scheduled 26-5 overview 9-67 summary 26-3 system 26-5 user defined 26-5 Reports panel modifying associated IP address for 26-16 modifying TCP port for 26-15 overview 26-13 reporting agent 26-13 selecting associated network service for 26-17 request for comments See RFC Reset System command effect on logging and notifications 31-2 Routes panel example uses identify networks not defined in network topology 12-3 override generated routes 12-3 overview 12-1 tasks changing an existing rule 12-8 creating routing rules 12-6 specifying route management settings 12-9 viewing active routing rules 12-10 routing rules overview 12-2 types overview 31-2 Derived 12-3 Restore command Implicit 12-3 restoring last saved changes 31-1 usefulness in read-only mode 31-1 restoring the database 30-6 types of 12-3 MANUAL 12-3 viewing 12-10

syslog data streams S selecting target syslog servers for a Managed Device 11-14, 25-6 Save 4-2 specifying the monitoring server for a Managed Device 11-14, 25-5 Save and Update 4-4 optimizing command generation 12-9 scheduleBackup.bat 30-3 Syslog Server panel 9-91 modifying IP address for 9-92 scheduled reports modifying port setting for 9-93 overview 26-8 overview 9-92 service conditions specifying network service definition for 9-95 overview 15-10 Settings panel 10-5, 25-9 source conditions overview 15-3 spokes T TAC (Technical Assistance Center) defining in IKE tunnels 20-18, 21-21 standby servers obtaining support from xxxv how the Escalation Center works xxxvi configuring 33-6 priority levels, understanding xxxv overview 33-6 telephone numbers xxxvi stateful failover 9-29 website xxxv stateless failover 9-29 TACACS+ 20-1 static translation rules TACACS+ Server panel 9-89, 24-4 creating 12-14 TCP port modifying 12-17 modifying use by database 29-3 overview 12-11 network service definition 29-3 tasks 12-13 used by reporting subsystem 26-14 viewing 12-21 Support Technical Assistance Center (see TAC) xxxv technical support xxxiv gathering information for 33-8 through Cisco.com xxxiv through TAC xxxv

telephone numbers for TAC (see technical support) xxxvi tools traffic flows overview 7-2 settings 7-6 Command Diff tool 14-4 Import Configuration 14-5 Policy Query tool 14-4 Policy Wizard 14-4 topology See network topology Topology Wizard tasks Triple DES 19-3, 22-16 troubleshooting avoiding loss of connectivity 11-8 command distribution 16-6 command generation 16-6 crossover traffic examples 11-7 determining configuration differences 16-8 determining source of commands 16-9 adding a Cisco IOS router to a network 9-62 adding a Cisco IOS router to the Internet 9-54 adding a PIX Firewall to a network 9-41 adding a PIX Firewall to the Internet 1-17, 9-34 adding cloud networks 9-26 adding clouds 9-18 adding clouds to a network 9-23 adding clouds to the Internet 9-19 adding CSPM servers 9-78 adding hosts 9-83 adding IP ranges 9-81 adding networks 9-10 adding routers 9-69, 9-73 adding the CSPM server 1-23 traffic flow early PIX Firewall versions 11-2 IOS command distribution (note) 1-30, 17-18, 20-28, 21-36, 22-26 mapping commands back to policy rules 17-10 mapping command to policy rule 16-9 modifying IPSec tunnel groups used for communication 11-4 policy evaluation 14-6, 16-21 Internet example 14-9 rule enforcement 14-6 unsupported version of IOS A-1 unsupported version of PIX A-1 using command verification tools 16-5 using Policy Query to verify policies 17-15 trusted networks overview 9-7 types of restrictions on 12-37

tunnel groups site-to-site configuration about 21-1 combination 19-11 categories of 21-1 hub-and-spoke 19-11 how created 21-1 mesh 19-11 limitations 21-1 creating a manual 21-26 to business partner network 21-2 definition of 19-2 to remote office 21-2 overview 19-11 types of 19-2 peer topologies 19-11 with GRE 23-4 using manual keys 19-12 tunnel templates creating manual 21-13, 22-11 tunnel policy use with IPSec 19-12 default tunnels about 19-9 about failover 23-1 Highly Secure IKE 19-10 configuring devices for 22-14 Highly Secure Manual 19-11 creating a manual tunnel group 21-26 Secure IKE 19-10 creating between sites 21-2 definition of 19-2 creating for command publication 22-1 IKE 19-7 creating manual 21-13, 22-11 manual 19-9 for publishing command sets 22-1 types 19-7 IKE key generation 23-6 Tunnel Templates dialog box 19-9 policy rules for 20-23, 21-31 typographical conventions used in this document xxxi remote user about 20-1 creating 20-2 U See also IPSec single hub 20-1 unknown networks overview 9-7

unscheduleBackup.bat 30-5 replacing the certificate 26-18 untrusted networks overview 9-8 file permissions for 26-19 wildcard networks updating policy 4-5 overview 9-17, 14-6 updating product license See also Internet See Product License user interface network topology 1-5 wildcard policies enabling or disabling automatic denies 6-9 World Wide Web contacting TAC via xxxv obtaining Cisco documentation via xxxiii V Version Management Utility overview A-1 tasks accessing A-2 X Xauth about 20-1 creating version mapping rules A-3 deleting version mapping rules A-5 modifying version mapping rules A-4 View Notifications panel See notifications W warnings significance of xxxii web browser certificate 26-19 configuring for secure communications 26-19 encryption 26-17

Posted: 16/10/2013, 21:15
