User Guide for Cisco Secure Policy Manager 3.1


Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA

Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
User Guide for Cisco Secure Policy Manager 3.1
Version 3.1
Customer Order Number: DOC-7814178=
Text Part Number: 78-14178-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR

Obtaining Documentation    xxxiii
World Wide Web    xxxiii
Ordering Documentation    xxxiii
Documentation Feedback    xxxiii
Obtaining Technical Assistance    xxxiv
Cisco.com    xxxiv
Technical Assistance Center    xxxv
Cisco TAC Web Site    xxxv
Cisco TAC Escalation Center    xxxvi
CSPM Overview
CHAPTER 1    Getting Started with CSPM    1-1
Logging In    1-1
CSPM Overview    1-2
Topology

Generating Commands    1-28
Reviewing the Generated Command Set    1-29
Publishing Commands    1-30
CHAPTER 2    Preparing Your Network    2-1
IOS Firewall Worksheet    2-2
PIX Firewall Worksheet    2-6
CHAPTER 3    Finding Objects in CSPM    3-1
Tasks for the Find Tool    3-1
Finding an Object by Name    3-1
Finding an Object by IP Address    3-3
Finding an Object by Type    3-4
Finding an Object by Group Type    3-5

Task List for Consistency Check    5-2
Configuring Consistency Checks    5-2
Performing On-Demand Consistency Checks    5-3
CHAPTER 6    Setting CSPM Options    6-1
Learn More About Options    6-1
Task List for the Options Dialog Box    6-3
Enabling or Disabling Automatic Backup    6-3
Changing the Default Fonts    6-4
Specifying the Default Command Publishing Method    6-5
Specifying the Product Information Page    6-6
Specifying the Archive Count Setting    6-7
Specifying the File Export Settings    6-7
Specifying the Multiple Path Threshold    6-8

Designing Topology from the Internet Down into Your Network    8-2
So How Much Do I Have to Define?    8-4
Mapping Between Physical Network Objects and CSPM Topology Objects    8-6
CHAPTER 9    Defining Your Network Topology    9-1
Worksheet for Defining your Network Topology    9-4
Internet    9-6
Learn More About the Internet    9-7
Learn More About Interfaces on the Internet    9-8
Networks    9-9
Adding a Network to Your Topology    9-10
Clouds    9-14
Learn More About Clouds    9-14
Learn More About Interfaces on a Cloud    9-15
Learn More about Cloud Networks

Modifying the Trust Settings of the Interfaces Installed in a PIX Firewall    9-48
Cisco IOS Routers    9-49
Learn More About Cisco IOS Routers    9-50
Learn More About Interface Types: Real vs. Virtual and Numbered vs. Unnumbered    9-51
Unnumbered Interfaces    9-52
Learn More About Interfaces on a Cisco IOS Router    9-53
IOS Interface Naming Guidelines    9-53
Adding a Cisco IOS Router to Your Topology    9-54
Adding a Cisco IOS Router to the Internet    9-54
Adding a Cisco IOS Router to a Network    9-61
Routers    9-67
Learn More About Interfaces on a Generic Router    9-68
Adding a Router to Your Topology    9-69
Adding a Router to the Internet    9-69

Authentication Server Panel    9-87
Learn More About Certificate Authority Servers    9-87
Learn More About RADIUS Authentication Servers    9-88
Learn More About TACACS+ Authentication Servers    9-89
Specifying that an Authentication Server Is Running on a Host    9-90
Syslog Server Panel    9-91
Learn More About Syslog Servers    9-92
Task List for Syslog Server    9-92
Modifying the IP Address Setting for a Syslog Server    9-92
Modifying the Network Service Port used by the Syslog Server    9-93
Selecting the Network Service Associated with a Syslog Server    9-94
CHAPTER 10    Configuring the Global Policy Override Settings for Managed Devices    10-1
Settings 1 Panel on a PIX Firewall    10-1
Learn More About the Settings 1 Panel on a PIX Firewall

Enabling Address Translation Overload for a Cisco IOS Router    10-13
Enabling ICMP Policy Override Setting for a Cisco IOS Router    10-14
Specifying Log Settings for Cisco IOS Router Activity    10-15
Specifying the Global CBAC Settings for a Cisco IOS Router    10-17
Specifying the Global Inspection Command Settings for a Cisco IOS Router    10-19
CHAPTER 11    Configuring Administrative Control Communications    11-1
Control Panel    11-1
Learn More About Controlling Managed Devices    11-2
Notes for Defining CSPM-to-Managed Device Tunnels    11-4
Guidelines for Deploying Your CSPM Server    11-6
Avoiding Losses of Connectivity Between CSPM and a Managed Device    11-8
Task List for the Control Panel    11-10

Routes    12-1
Learn More About Routes    12-2
Task List for the Routes Panel    12-5
Creating a Routing Rule on a Gateway    12-6
Modifying a Routing Rule on a Gateway    12-7
Specifying Route Management Settings on a Gateway    12-9
Viewing Active Routing Rules on a Gateway    12-10
Using Mapping Rules    12-11
Learn More About Static Translation    12-11
Task List for Static Translation Rules    12-13
Creating a Static Translation Rule    12-13
Modifying a Static Translation Rule    12-17
Viewing Active Static Translation Rules    12-20
Learn More About Address Hiding    12-21
Learn More About Why You Should Use Address Hiding    12-22

Changing a Path Restriction Rule    12-47
Viewing Active Path Restriction Rules    12-49
Regional Flow Control Tool    12-49
Learn More About the Regional Flow Control Tool    12-49
Defining a Regional Flow Restriction    12-50
Learn More About Enforced On and the Global Enforcement Path Table    12-51
CHAPTER 13    Importing Your Configuration    13-1
Learn More About the Configuration Import Tool    13-1
Checklist for the Configuration Import Tool    13-2
Accessing the Configuration Import Tool    13-4
Loading Devices from a CSV File    13-5
Loading Devices from a CiscoWorks2000 Database    13-6
Adding Devices to the Device List    13-7
Editing Devices in the Device List

Policy Ordering and Enforcement    14-5
Policy Evaluation    14-5
Wildcard Networks in Policy Rules    14-6
Internet Node in Policy Rules    14-8
Task Flow for Configuring and Publishing Policy    14-9
CHAPTER 15    Policy Components    15-1
Conditions    15-1
Learn More About the Source Condition    15-3
Learn More About the Destination Condition    15-5
Learn More About Network Object Groups    15-7
Learn More About Perimeter Groups and Perimeters    15-8
Learn More About the Service Condition    15-10
Learn More About Network Service Groups    15-10
Actions


CHAPTER 17    Basic Configuration    17-1
Basic Configuration Tasks    17-1
Creating a Policy Rule    17-2
Editing a Policy Rule    17-4
Deleting a Policy Rule    17-6
Generating Commands    17-7
Reviewing Command Generation and Distribution Status for all Managed Devices    17-8
Reviewing the Generated Command Set    17-9
Mapping Commands to Policy Rules    17-10
Comparing Commands and Configurations Using the Command Diff Tool    17-11
Adding Prologue Commands and Epilogue Commands    17-13
Verifying Policy Using the Policy Query Tool    17-15
Publishing Commands    17-18

How CSPM Manages IPSec    19-2
About IPSec Device Settings    19-3
About Certificates in IKE Negotiations    19-5
About Preshared Secrets in IKE Negotiations    19-6
About IPSec Tunnel Templates    19-6
About IKE Tunnel Templates    19-7
About Manual IPSec Tunnels    19-9
About the Default Tunnel Templates    19-9
About IPSec Tunnel Groups    19-11
About Tunnel Policy    19-12
Additional Information    19-13
CHAPTER 20    Remote-User Tunnels    20-1
Creating Remote User Tunnels    20-2
Enabling IPSec on a Network Object

Defining the AAA Servers    20-21
Defining the Mode Config IP Address Pool    20-22
Defining the Certificate Authority Server    20-22
Reviewing Your Tunnel Group Settings    20-23
Creating Tunnel Policy Rules    20-23
Discovering Certificate Information    20-24
Entering Certificate Information Manually    20-26
Generating Commands    20-27
Publishing Commands    20-27
CHAPTER 21    Site-to-Site Tunnels    21-1
Creating Site-to-Site Tunnels    21-2
Enabling IPSec on a Network Object    21-4
Creating an IKE Tunnel Template    21-5
Accessing the IPSec Wizard for Creating IKE Tunnel Templates

Defining the Certificate Authority Server    21-25
Reviewing Your Tunnel Group Settings    21-26
Creating a Manual Tunnel Group    21-26
Creating Tunnel Policy Rules    21-31
Discovering Certificate Information    21-32
Entering Certificate Information Manually    21-33
Generating Commands    21-34
Publishing Commands    21-35
CHAPTER 22    Command Publication Tunnels    22-1
Creating Command Publication Tunnels    22-1
Creating an IKE Tunnel Template    22-3
Accessing the IPSec Wizard for Creating IKE Tunnel Templates    22-4
Defining IKE Tunnel Options

CHAPTER 23    Advanced IPSec Features    23-1
About Tunnel Failover    23-1
About No-NAT Tunnels    23-2
Configuring NAT with IPSec    23-3
About GRE-Over-IPSec Tunnels    23-4
Configuring GRE-Over-IPSec    23-5
About IKE Preshared Key Generation    23-6
Generating Preshared Keys    23-7
Configuring AAA
CHAPTER 24    AAA    24-1
Learn More About AAA

Administering Audit Control Communications    25-4
Configuring CSPM to Monitor the Syslog Data Streams Generated by a Managed Device    25-5
Selecting the Syslog Servers that Monitor the Syslog Data Streams Generated by a Managed Device    25-6
Specifying Log Settings for Managed Devices    25-6
Specifying Log Settings for Cisco IOS Router Activity    25-7
Specifying Log Settings for PIX Firewall Activity    25-9
Event Filtering    25-11
Learn More About How to Configure Event Filtering    25-11
Event Categories    25-12
Event Classifications    25-13
Defining Event Filtering Rules Based on Event Classifications    25-14
Defining Event Filtering Rules Based on Specific Events    25-16

Learning More About System Reports    26-5
Learning More About User Defined Reports    26-5
Learning More About Scheduled Reports    26-5
Checklist for Configuring Reports    26-5
Task List for CSPM Reports    26-7
Generating and Viewing Reports    26-7
Scheduling Reports    26-8
Viewing Scheduled Reports    26-10
Creating User Defined Reports    26-10
Generating, Scheduling, and Viewing Reports Remotely    26-12
Printing a Report    26-13
Configuring Reporting Settings    26-13

Task List for Notifications    27-8
Defining Notification Rules    27-8
Configuring a Host to Receive SMTP-Based Notifications    27-12
Configuring the CSPM Server to Publish Notifications to an SMTP Server    27-14
Reviewing Generated Audit Event Notifications    27-14
Sorting Generated Audit Event Notifications    27-15
Confirming Notification Entries    27-16
Deleting Notification Entries    27-17
Refining Notification Settings    27-18
System Configuration and Maintenance
CHAPTER 28    Defining and Maintaining Administrative Accounts

Scheduling Checkpoint Events and Defining Log File Settings for the Database    29-8

CHAPTER 30    Backup and Recovery Procedures    30-1
Database Backup Options    30-1
Backing Up the Database Using the Backup Command on the File > Database Menu    30-2
Performing Scheduled Database Backups Using CSPMfmbackup.exe and scheduleBackup.bat    30-3
Cancelling Database Backups that Were Scheduled Using CSPMfmbackup.exe and scheduleBackup.bat    30-5
Using CSPMfmrestore.exe to Restore the Database from Backup    30-6
CHAPTER 31    Resetting and Restoring the CSPM Client

Learn More About the Import from File Command    33-4
Importing a Copy of CSPM Settings from a File    33-5

Active Standby Server    33-6
Configuring a Standby Server    33-6
Using cspmsupport to Collect Support Data    33-8
CHAPTER 34    Update Options    34-1
Update Product License    34-1
Updating Product License    34-1
File Signatures    34-2
Learn More About File Signatures    34-3
Updating File Signatures

Changing the Default Database Port Value for the CSPM Server    B-3
Restore Policy Database    B-4
Using a Backup File to Recover the System    B-4

File Signatures    B-5
Learn More About File Signatures    B-5
Updating File Signatures on the CSPM Server    B-5
APPENDIX C    Example Scenarios    C-1
Case 1: Out-of-Band Management (CSPM on DMZ)    C-1
Description    C-1
Setup    C-2
Topology    C-2

Description    C-14
Setup    C-14
Topology    C-14
Policy    C-17
Summary    C-17

Case 5: Replicated DMZ and Out-of-Band Management    C-18
Description    C-18
Setup    C-19
Topology    C-19
Policy    C-22
Summary    C-22
Case 6: No-NAT IPSEC and NAT Architecture    C-23
Description

This user guide describes how to use Cisco Secure Policy Manager 3.1.
This user guide is divided into 8 parts, as follows.

CSPM Overview
This part introduces the basic functionality and tasks for CSPM.
This part is organized into the following chapters:

Chapter 1, “Getting Started with CSPM”
This chapter describes the various parts of the CSPM Graphical User
Interface (GUI), and describes how to log in to CSPM and perform some
basic required tasks.

