Worldwide [change] |Account |Register |About Cisco
Guest

Hierarchical Navigation

Empowered Branch Services

Cisco Virtual Office-Zero-Touch Deployment Installation Guide for IT Administrators

Downloads

Introduction

This document describes how to install the Cisco® Virtual Office head-end routers and management server. It is intended for IT administrators.
The installation process involves the following steps:

1. Assign hostnames and IP addresses to all head-end devices.

2. Open firewall rules in the corporate firewall to allow Cisco Virtual Office spokes to establish IP Security (IPSec) tunnels and be securely provisioned.

3. Configure the VPN head ends and management servers.

The configuration examples in this guide use Dynamic Multipoint VPN (DMVPN) for the Cisco Virtual Office data traffic, but they do not show how head ends are installed. For information on how to deploy the various types of head ends, visit http://www.cisco.com/go/cvo and look for the "CVO Converged VPN" white paper.
Cisco Virtual Office uses a Cisco IOS® Secure Device Provisioning (SDP) server, called a registrar, to securely deploy remote devices. The management console for Cisco Virtual Office is Cisco Security Manager. This management tool is complemented by Cisco Configuration Engine (CE), which interacts with remote devices and provides a "pull" based configuration.
For more information about Cisco Virtual Office, how to manage the converged VPN, and how to add new security features, visit http://www.cisco.com/go/cvo and look for "Converged VPN" and "Advanced Layered Identity."

Network Architecture

Figure 1 shows the Cisco Virtual Office network topology that is deployed internally at Cisco. We recommend having three tunnels available for any remote Cisco Virtual Office router at all times:

• One to access the management network

• One for primary data traffic

• One for failover

Public key infrastructure (PKI) is recommended instead of preshared keys (PSK) for ISAMKP, as it is more secure and is easier to manage, although PSK also works perfectly well.
Cisco recommends using the Cisco Security Manager management tool for large enterprise provisioning. This tool allows IT administrators to do zero-touch deployments, making day-to-day ongoing management activities very convenient, as it provides a framework for easily and quickly updating security policies for thousands of remote routers with centralized management.

Figure 1. Cisco Virtual Office Network Topology

Platforms and Images

Typical small office/home office (SOHO) user: Cisco 871W or Cisco 881W Integrated Services Router
Cisco Unified IP Phone 7965G
Data VPN head end: Cisco 7206 Router with Cisco 7200 Series NPE-G2 Network Processing Engine and VSA encryption card
Cisco IOS Software Release 12.4(15)T6 for VPN head ends and 12.4(20)T for SOHO boxes
PKI server: Cisco 2821 Integrated Services Router
Management gateway: Cisco 3845 Integrated Services Router (for up to 1500 sites) or a Cisco Catalyst® 6500 Series Switch with VPN SPA for many thousands of sites Cisco Secure ACS AAA Version 4.2 (optional, in case a RADIUS server exists already in the company)
Cisco Security Manager 3.2.1
Cisco Configuration Engine 2.0
Cisco Unified Communications Manager 6.x (optional)

Preparing for Cisco Virtual Office

1. Assign an Internet-facing IP address to the VPN gateways and SDP server.

2. Open ports on the corporate firewall.

VPN gateways need UDP 500, 4500, and ESP (IP 50).

SDP server needs SSL (443) and HTTP (can be 80, but it is better for it to be another one, such as TCP 8000).

3. Reserve the IP address for the Cisco Virtual Office remote routers.

For DMVPN, you need to have individual /29 subnets for each of the spokes (or whatever subnet makes more sense). These subnets need to be routed, companywide, to the respective DMVPN hub.

You also need to have unique multipoint generic routing encapsulation (mGRE) IP addresses for every router that is part of the domain. This pool of addresses is internal to the DMVPN domain and does not need to be routable back to the company. It can be any available private pool of addresses: 10net, 192.168net, 172.16net.

4. Choose a routing protocol for DMVPN. The recommended one is Enhanced Interior Gateway Routing Protocol (EIGRP). This routing system runs only between the DMVPN hub and spokes, and can be distributed into the corporate routing protocol.

Setting Up the Head Ends and Servers

1. Install the routers according to the list given earlier, with the correct versions (see Figure 1).

2. Install Cisco Security Manager:

A. download

B. installation guide

3. Install Cisco Networking Services Configuration Engine version 2.0:

A. part number

B. Linux_installation_guide

C. Solaris_installation_guide

Make sure you enable cryptographic communication between the Configuration Engine and devices, to allow Cisco Security Manager to connect to Configuration Engine using its respective APIs. You will need to generate private RSA keys using Cisco OpenSSL in the Configuration Engine.

Installing Configuration Engine 2.0

To install CE 2.0, you first need a Linux Red Hat Enterprise server running version 3.0.
After Red Hat is running, start by executing the Cisco Configuration Engine software from the installation CD.
Then log in to Red Hat and follow these steps, which define the CE 2.0 settings and also let you install an SSL certificate, which will be used for the https connection between the Configuration Engine and Cisco Security Manager and remote devices.
Make sure to enable cryptographic operations when you see the following question during setup:
Enable cryptographic (crypto) operation between Event Gateway(s)/Config server and device(s) (y/n)?
The steps are as follows:
Log in to Red Hat and define the CE login credentials:
Username:root
Password: <...>
CE username: admin
CE password: demo123
Change the IP address of the eth0 interface:
ifconfig eth0 address <ip> netmask 255.255.255.0
Add the new IP address and hostname to /etc/hosts.
Add the new hostname to /etc/sysconfig/network.
Generate a Certificate Signing Request (CSR) and install the certificate.
To generate a CSR, enter the following commands:
% openssl genrsa -out server.key 1024
% chown root:root server.key
% chmod 400 server.key
% openssl req -new -key server.key -out server.csr
Send the file server.csr to the certificate authority (CA) for signing.
Copy the certificate file server.cer that you receive from the CA to the directory in which the server.key file is located.
Generate a certificate file using a Cisco IOS PKI server (a Cisco IOS Router):
Open the file server.csr in Notepad.
On the Cisco IOS Certificate Server (CS), type the following command, then paste the .csr file:
ios-cs#crypto pki server demo-cert request pkcs10 terminal
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
MIIBpjCCAQ8CAQAwZjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
D5mHTTaVwqNkJd0kCB3juWXGyDWioehqAz3L1ROw/+iNK6V529Jp6Pv6
-----END CERTIFICATE REQUEST-----
Quit
% Granted certificate:
-----BEGIN CERTIFICATE-----
MIICMjCCAZugAwIBAgIBLDANBgkqhkiG9w0BAQQFADAUMRIwEAYDVQQDEwlkZW1v
LWNlcnQwHhcNMDgwNjE2MTg1OTA5WhcNMDkwNjE2MTg1OTA5WjBmMQswCQYDVQQG
8ePUwKVs/6uS5fshwqm/g46Gq1La2IVuj9PczLH+q4H3KX69pJk=
-----END CERTIFICATE-----
ios-cs#
Copy the granted certificate into a file server.cer.
Copy the file to the directory in which the server.key is located.
Reconfigure Configuration Engine:
Go to /opt/ConfigEngine/CSCOcnsie/bin
Run ./setup to reconfigure Configuration Engine and use the new certificate file.
The parameters in bold below are important to enable Configuration Engine to function properly
[root@demo-ce bin]# ./setup
------------------------------------------------
Entering Config Engine Setup.
Please note, 'setup' needs to run in a BASH shell.
If your shell is not in BASH, type ctrl-c to exit;
Set your shell in BASH and rerun 'setup'.
------------------------------------------------
For detailed information about the parameters in this setup, refer to the
Cisco Configuration Engine 2.0 Administrator's Guide.
Choose operational mode of system. 0=internal directory mode, 1=external
directory mode. [0]
Enter country code: [us]
Enter company code: [cisco]
Configuration Engine user ID is used to log in to the web-based GUI
and manage network device objects and templates. This account does
NOT have shell access.
Enter Configuration Engine login name: [admin]
Enter Configuration Engine login password: *******
Re-enter Configuration Engine login password: *******
Enter internal LDAP server port number: [389]
Enter internal LDAP server password: *******
Re-enter internal LDAP server password: *******
Email service settings:
-----------------------
Enter SMTP server (hostname.domainname or IP address):
Encryption settings:
--------------------
Enable cryptographic (crypto) operation between Event Gateway(s)/Config
server and device(s) (y/n)? [n] y
Enter absolute pathname of server key file: server.key
Enter absolute pathname of server certificate file: server.crt
Enabling plaintext operation will increase security risk.
Enable plaintext operation between Config Server and devices/GUI
administration (y/n)? [y]
Enable plaintext operation between Event Gateway and devices (y/n)? [y]
Enter port number for http web access: [80]
Enter port number for https web access: [443]
Enter Tomcat internal port number: [8009]
Enter Tomcat shutdown port number: [8005]
Authentication settings:
------------------------
IOS Devices are normally authenticated before being allowed to
connect to the Event Gateway/Config Server. Disabling
authentication will increase security risk.
Enable authentication (y/n)? [n]
Event services settings:
------------------------
Enter Event Gateway application parameter(s) for NSM: [config]
Enable Event Gateway debug log (y/n)? [n] y
Enter log file rotation timer (minutes, 0 = no rotation): [2]
Enter max log file size (Kbytes): [3072]
Enable log backup (y/n)? [y]
Each Event Gateway process serves 500 devices. Maximum number of
Event Gateways allowed is 11.
Enter number of Event Gateways that will be started with crypto operation:
[0] 6
Enter number of Event Gateways that will be started with plaintext
operation: [5]
Enter Cisco-CE Event Bus Network Parameter: [demo-ce]
Enter Cisco-CE Event Bus Service Parameter: [7500]
Enter Cisco-CE Event Bus Daemon Parameter: [7500]
Enable Cisco-CE Event Bus routing daemon logging (y/n)? [n]
Enter http port for Event Bus Web Administration GUI: [7580]
Event Bus Web Admin port should always be closed unless the Web
admin GUI is needed. Keeping web admin port open is a security
risk.
Would you like to open Event Bus Administration port (y/n)? [n] y
Current settings of IMGW:
-------------------------
Gateway ID: demo-ce
Run as daemon (y/n)? y
Timeout in seconds for a CLI command to complete: 180
Timeout in seconds to get the next prompt in Telnet session: 60
Concurrent Telnet session limit: 25
Hoptest success retry interval (sec): 0
Hoptest failure retry interval (sec): 0
Logging level (verbose, error, silent): error
Log file Prefix: IMGW-LOG
Log file size (bytes): 50331648
Log file rotation timer (seconds): 60
Logging mode (append, overwrite): append
Alternative username prompt for device using TACACS/RADIUS:
Alternative password prompt for device using TACACS/RADIUS:
Re-configure IMGW (y/n)? [n] n
CE Monitor Settings:
-----------------------
Enter CE Monitor timer (seconds): [1800]
Web Services settings:
----------------------
Enable CEConfigService web service (y/n)? [y]
Enable CEImageService web service (y/n)? [y]
Enable CEAdminService web service (y/n)? [y]
Enable CEExecService web service (y/n)? [y]
Enable CENSMService web service (y/n)? [y]
Please review the following parameters:
country code: us
company code: cisco
Configuration Engine login name: admin
Configuration Engine login password: *****
internal LDAP server port number: 389
internal LDAP server password: *****
SMTP server (hostname.domainname or IP address):
Enable cryptographic (crypto) operation between Event Gateway(s)/Config server and device(s) (y/n)? y
absolute pathname of server key file: server.key
absolute pathname of server certificate file: server.crt
Enable plaintext operation between Config Server and devices/GUI administration (y/n)? y
Enable plaintext operation between Event Gateway and devices (y/n)? y
port number for http web access: 80
port number for https web access: 443
Tomcat internal port number: 8009
Tomcat shutdown port number: 8005
Enable authentication (y/n)? n
Event Gateway application parameter(s) for NSM: config
Enable Event Gateway debug log (y/n)? y
log file rotation timer (minutes, 0 = no rotation): 2
max log file size (Kbytes): 3072
Enable log backup (y/n)? y
number of Event Gateways that will be started with crypto operation: 6
number of Event Gateways that will be started with plaintext operation: 5
Cisco-CE Event Bus Network Parameter: demo-ce
Cisco-CE Event Bus Service Parameter: 7500
Cisco-CE Event Bus Daemon Parameter: 7500
Enable Cisco-CE Event Bus routing daemon logging (y/n)? n
http port for Event Bus Web Administration GUI: 7580
Would you like to open Event Bus Administration port (y/n)? y
Re-configure IMGW (y/n)? n
CE Monitor timer (seconds): 1800
Enable CEConfigService web service (y/n)? y
Enable CEImageService web service (y/n)? y
Enable CEAdminService web service (y/n)? y
Enable CEExecService web service (y/n)? y
Enable CENSMService web service (y/n)? y
Warning: setup cannot be aborted while committing changes.
Commit changes (y/n):y
Install the certificate in the browser:
After Configuration Engine is installed and running, it is useful to install the certificate to the browser store, to prevent a security warning from popping up every time you want to log in to the Configuration Engine.
Go to https://<ip-of-ce>
A security warning will pop up.
Click "Certificate Error" on the right side of the URL.
Click "View Certificates" at the bottom of the pop-up.
Click "Install Certificate" in the pop-up to install the certificate.
The next time you log in to the Configuration Engine, the security warning will not pop up.

4. Enable Cisco Security Manager to talk to the Configuration Engine.

a. Start Cisco Security Manager.

b. Create a device on Cisco Security Manager.

c. Edit the device properties by double-clicking the device.

d. Under CNS-Configuration Engine, click "Add Configuration Engine" (Figure 2).

Figure 2. Adding a Configuration Engine to Cisco Security Manager

Enter the Cisco Networking Services access properties (Figure 3). Note that Cisco Security Manager will use only https, port 443, to talk to CE.

Figure 3. Entering Configuration Engine Properties in Cisco Security Manager

5. Install SDP (Cisco IOS Router) and its respective PKI CA server.

Installing an SDP Server

SDP has two main goals: install a PKI certificate in the client and push a template-based config.
We can push a full config or a bootstrap config. For Cisco Virtual Office in production, we push the bootstrap only with SDP.
For the SDP guide (formerly called EZSDD), go to the following URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_setup_SDP_piki_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Install SDP

SDP runs on any Cisco IOS Router. It grants a certificate to a remote user when the user provides valid credentials.

Note: The PKI server should not be put into auto-enroll mode, as it needs to be accessible from the Internet and you don't want people to get certificates all the time-only when they first join Cisco Virtual Office.

(a) Create a PKI server.

Start by setting the following:

1. Hostname

2. Domain name

3. Time zone and a Network Time Protocol (NTP) server for clock synchronization (if the router does not have a built-in hardware clock).
4. Enable HTTP to allow clients to do Simple Certificate Enrollment Protocol (SCEP) enrollment.
Finally, apply the PKI server configuration and save the config.
The following shows the process of creating a PKI server. Note that the items in red need to be changed to the local environment.
hostname <hostname>
ip domain name <domain.com>
ip http server
ip http authentication aaa
!
clock timezone PST -8
clock summer-time PDT recurring
!
!!! Add your own NTP servers here
!
ntp server 192.5.41.40
ntp server 198.123.30.132
!
!
!!! FTP access configuration for storing .crt, .cnm, and .crl files in external FTP server
Other methods could be used, ssh, tftp, telnet, http, etc.!!!
!
ip ftp username <ftp user>
ip ftp password <ftp password>
ip host ftpserver <ip address of server for certificate storage>
!
!!! RSA key pair is generated automatically when enabling Cisco IOS Certificate Server using 1024 bits. Optionally, RSA keys with the rsa-keypair name matching the certificate server can be generated manually with different options such as higher modulus, exportable, etc. Keys must be generated with the exportable option to export them for later restoration in case of certificate server failure. However, the user needs to take the utmost care to store keys securely as it would be easy for someone to get access with the keys.
!!!
pki-servber(config)#crypto key generate rsa general-keys label pki-server modulus 1024 exportable
!!!
!!! The following Cisco IOS Certificate Server configuration uses a complete database that stores separate .crt and .cnm files for each certificate it issues. In general, router flash memory has less capacity to store all these files; hence, only essential files should be stored in router flash memory, and all other files can be stored on an external FTP server. The lifetime values shown here are for illustration purposes only. !!!
!
crypto pki server pki-server
!!! pki server name must match rsakeypair name !!!
database level complete
database archive pkcs12 password <password>
!!! Keys can be auto archived !!!
issuer-name cn= pki-server,ou=IT
!!! Identification of the PKI server within Cisco CVO !!!
lifetime crl 24
!!! Every 24 hours the crl database is renewed and published !!!
lifetime certificate 365
!!! Issued router (client) certificates are valid for 1 year !!!
lifetime ca certificate 1825
!!! Root (certificate server)certificate is valid for 5 years !!!
cdp-url http://<cdp-address>/pki-server.crl
!!! PKI clients get CRL from this location !!!
database url ftp://<ftp-server>/pki
!!! All files are stored on this external FTP server!!!
no shutdown

(b) Enter the SDP config.

Now you will configure the SDP server itself. In the following example, $n is the username that you enter in your authentication. You must use it as the name of the file that contains the config you want to push, and it must be an individual file per the Cisco 871 to be provisioned.
Items shown in red need to be entered according to the local environment.
aaa new-model
!
aaa group server radius sdp-aaa
server-private <corporate-aaa> auth-port 1812 acct-port 1813 key 0 <key>
!
aaa authentication login sdp-aaa group sdp-aaa
aaa authorization network sdp-aaa group sdp-aaa
!
crypto pki server pki-server
issuer-name CN=pki-server O=Company.com OU=Teleworker
!
crypto provisioning registrar
pki-server pki-server
template config https://csm.cisco.com/athena/SDPReg?device=$n&template=sdp
!!! enter user a password if needed (for ftp, scp, https, etc)
template username <csm-admin-user> password 0 <csm-admin-password>
authentication list sdp-aaa
authorization list sdp-aaa

(c) Get a certificate for the router, to be used for the SSL connection. (The exchange of user credentials and config is done over an SSL session.)

config terminal
crypto pki trustpoint own-pki-cert
enrollment url http://<ip-address-of-your-sdp-server>:80
exit
crypto pki authenticate own-pki-cert
yes
crypto pki enroll own-pki-cert
end
!!! grant the cert
crypto pki server pki-server grant all
!!! Add it as the https trustpoint
config terminal
ip http secure-server
ip http secure-trustpoint own-pki-cert

Note: To be able to enter "?" in the command-line interface, you need to press Ctrl-V first.

If you don't have Cisco Security Manager yet, then create configuration files in a file server, which can be use FTP, TFTP, HTTP, and so on. Any server that is reachable by the SDP server will do.

(e) Create a profile in the authentication, authorization, and accounting (AAA) for the SDP authentication.

This is the profile that the end user will enter during SDP client-side authentication.

Note: The username must match the file name $n of the configuration file (Cisco Security Manager device hostname) for the respective user.

6. Create a bootstrap FlexConfig in Cisco Security Manager. This will be the Cisco Virtual Office bootstrap config. It will do the following:

A. Create the management tunnel config for the new SOHO router.

B. Install a PKI certificate in the new SOHO router.

C. Configure the Cisco Networking Services agent on the SOHO router. This will cause the router to do a "call-home" and get its full config from the Configuration Engine, over the management tunnel.

SDP─Cisco Security Manager FlexConfig Example

Open Cisco Security Manager.
Go to Tools -> Policy Manager.
Go to the FlexConfig tab.
Click "Add FlexConfig."
$SYS_HOSTNAME and $SYS_MANAGEMENT_IP are Cisco Security Manager internal variables. They correspond to the device name and IP address shown in the Cisco Security Manager GUI.

Note: Insert these variables by using the mouse and right-clicking on the editor and then entering the respective variable.

Make sure all "$c" is set to "optional" when you save the FlexConfig.
All of the items in red need to be changed for your environment.
clock timezone PST -8
clock summer-time PDT recurring
hostname $SYS_HOSTNAME
no logg buffer
logg console debug
no ip inspect
bridge irb
bridge 10 route ip
bridge 20 route ip
interface vlan10
bridge-group 10
bridge-group 10 spanning-disabled
int vlan20
bridge-group 20
bridge-group 20 spanning-disabled
int bvi10
int bvi20
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
do clock set #systemCurrentTimeInIOSFormat()
ntp server 192.5.41.40
!!! to kick off some traffic to the mgt tunnel
ntp server <management GW internal ip address> source bvi10
ntp server 198.123.30.132
service password-encryption
aaa new-model
user admin privilege 15 secret 0 secret123
user localdebug privilege 1 secret 0 local123
enable secret 0 secret123
line vty 0 4
no access-class 23 in
no loggin cns-events
no access-list 100
no access-list 101
no access-list 1
no service config
ip domain name cisco.com
#set ($domain = ".cisco.com")
crypto ca trustpoint tti
enroll url http://<sdp public ip address>:80
rsakeypair $k 1024
revocation-check none
subject-name CN=$SYS_HOSTNAME
password none
serial-number none
fqdn $SYS_HOSTNAME$domain
ip-address none
auto-enroll 70
$c
crypto ca enroll tti
crypto isakmp policy 5
encr aes 256
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
!!!
!!! This is the Management DMZ, where CSM, ACS, CE, will be placed:
!!!
ip access-list extended smg_acl
permit ip host #systemGetAddr($SYS_MANAGEMENT_IP) <management dmz network>
crypto map Management 1 ipsec-isakmp
description Secure Management Gateway - SMG
set peer <public address of your management GW>
set transform-set t1
match address smg_acl
interface BVI10
ip address $SYS_MANAGEMENT_IP 255.255.255.248
interface vlan1
bridge-group 10
bridge-group 10 spanning-disabled
no autostate
interface FastEthernet4
crypto map Management
no ip access-group in
no ip access-group out
ip host config-engine.cisco.com <config-engine-ip address>
cns trusted-server all-agents config-engine.cisco.com
cns event config-engine.cisco.com 11011 source bvi10 keep 180 3
cns config partial config-engine.cisco.com source bvi10
cns exec source bvi10
end

7. Enable the SDP registrar to grab the Cisco Virtual Office bootstrap config from Cisco Security Manager. Note that Cisco Security Manager allows only https to be used to get an instantiated FlexConfig.

Enabling SDP to Grab Cisco Virtual Office Bootstrap Configs from Cisco Security Manager

1. SDP will have to use https to talk to Cisco Security Manager. For SSL, you need to have the certificate of the server installed in the client. Start by adding your Cisco Security Manager SSL certificate to your SDP Cisco IOS Router, following these instructions:
(a) Install the Cisco Security Manager SSL certificate in your browser (Internet Explorer) by editing the https://your-csm presented certificate and then clicking "Install."
(b) From the browser, export the certificate as base64 encoded X.509, and then open the file newly created with Notepad.
You have to open IE Tools -> Internet Options -> Content -> Certificates, find the Cisco Security Manager certificate, and export it to a file.
(c) On the router, create a trustpoint and set it to manual authorization:
crypto pki trustpoint csm
enroll terminal
revocation-check none
exit
(d) Then authenticate:
crypto pki authenticate csm
It will let you paste in the certificate (copy and paste from Notepad, from the file you saved in step a.
Press Enter and, when asked if you want to accept it, click "Yes."
2. Enter the respective SDP registrar config to be able to talk to Cisco Security Manager and authenticate the end user against an AAA:
!
crypto provisioning registrar
template config https://<csm-ipaddress>/athena/SDPReg?device=$n-vpn&template=sdp
In this example, "-vpn" is concatenated to the device name. This is optional. It is to show you that you can add a prefix/suffix to the username of the end-user credentials. The template name is also customizable. It is whatever you created for SDP on Cisco Security Manager previously.

Create Templates/Parameters for Spokes in Cisco Security Manager

Go to Tools -> Object Manager, create a "Network/Host," and call it "protected-subnet" (Figure 4). Give it a random network number. This value will need to be overridden for every spoke.

Figure 4. Creating a Protected Subnet

Now edit your device properties. Go to Interface Roles and create an override for external and internal interfaces (Figure 5). It should be:
External: FastEthernet4, Dialer1, Outside
Internal: BVI10, BVI20

Figure 5. Creating Overrides for Internal and External Interfaces

Creating a Master Device in Cisco Security Manager

There are two main ways of adding devices initially to Cisco Security Manager. The first is to create an empty device and define its policies, one by one.
A faster method is to start with an existing Cisco Virtual Office router config and import it, thus allowing Cisco Security Manager to create policies on the fly (Figure 6).

Figure 6. Importing an Existing Device Configuration File into Cisco Security Manager

You will find a sample Cisco 881 router spoke config in Appendix 1.
To add an already configured Cisco 881, go to Cisco Security Manager and click "Create Device." You can use a network or config file. After the policies have been imported, make them all shared (Figure 7).

Figure 7. Making Policies Shared

If you created a device from scratch, you need to add interfaces for BVI10 and BVI20 (corporate and guest) VLANs (Figure 8).

Figure 8. Creating Router Interfaces

If you imported your existing Cisco 871 and want to make it "template 871," make sure that its properties for Interface Roles list the correct BVI number in the internal network (Figure 9).

Figure 9. Mark BVI10 and VLAN10 as Internal Interfaces

Now add your DMVPN hubs from the network or config file.
Open the properties for these DMVPN hubs (double-click them) and make them unmanaged in Cisco Security Manager, since you have them working already (Figure 10).

Figure 10. Marking Hubs as Unmanaged

Create a DMVPN policy: Go to Tools -> Site-to-Site VPN > DMVPN (Figure 11).

Figure 11. Creating a New DMVPN Policy

Add the hubs and spokes (Figure 12).

Figure 12. Adding Hubs and Spokes

Discovering an Existing DMVPN

You can use the information in the config given in Appendix 2, or your own config if you already have it.

• Create your existing spokes and hubs from "network" Figure 12 (see 3 slides back) Go to Policy -> Discover VPN.

• Select your hubs and spokes and discover them (Figure 13).

Figure 13. Adding Existing Head Ends

Edit and Change DMVPN Policies

• Edit hubs and select the actual interface for VPN external.

• Do the same for the spoke.

• Finish the DMVPN wizard.

• Unassign the preshared key policy.

• Edit the GRE Modes: Enter your correct routing protocol and the Tunnel Parameters on the network of your DMVPN internal cloud.

• Make the Protected Networks the "protected-subnet" you created before (Figure 14).

Figure 14. Specifying the Protected Network

Finally, click "Submit" to save the changes to the Cisco Security Manager database so that other users can see it.

Appendix 1: Cisco Virtual Office Spoke Config Sample

=============================================================================================
881 Router Part Config
=============================================================================================
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881demo-cvo
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65555
no logging cns-events
enable secret <removed>
!
aaa new-model
!
aaa group server radius corporate-aaa
server-private 172.16.0.1 auth-port 1812 acct-port 1813 key <removed>
ip radius source-interface Vlan10
!
aaa authentication login eap_methods group corporate-aaa
aaa authentication login module none
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint cert-server
enrollment mode ra
enrollment url http://cert-server:80
serial-number
ip-address none
password 7 02080B550E
revocation-check none
source interface Vlan10
auto-enroll 75
!
!
!
crypto pki certificate map check-crl 1
subject-name co management_gw.cisco.com
!
!
crypto pki certificate chain cert-server
certificate <removed>
certificate ca <removed>
no ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.99.229.162
!
ip dhcp pool corporate-user
import all
network 10.99.229.160 255.255.255.248
domain-name cisco.com
option 150 ip 172.16.112.211 172.16.196.221
netbios-name-server 171.69.2.87 172.16.235.228
dns-server 172.16.226.120 172.16.168.183
default-router 10.99.229.161
update arp
!
ip dhcp pool guest-user
import all
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 208.67.222.222
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Vlan10
ip domain name cisco.com
ip name-server 172.16.226.120
ip name-server 172.16.168.183
ip multicast-routing
ip ips notify SDEE
ip ips name stealth-ips
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw realaudio
ip inspect name fw rtsp
ip inspect name fw tftp
ip inspect name fw ftp
ip inspect name fw h323
ip inspect name fw netshow
ip inspect name fw streamworks
ip inspect name fw esmtp
ip inspect name fw skinny
ip inspect name fw sip
ip inspect name fw sip-tls
ip inspect name voice_fw skinny
ip inspect name voice_fw sip
ip inspect name voice_fw tftp
ip inspect name voice_fw sip-tls
ip sdee subscriptions 3
ip sdee alerts 1000
no ip igmp snooping
login on-failure trap
login on-success log
!
!
dot1x system-auth-control
username admin privilege 15 secret <removed>
!
!
crypto isakmp policy 1
encr aes 256
crypto isakmp keepalive 10
crypto isakmp nat keepalive 10
!
crypto ipsec security-association lifetime kilobytes 530000000
crypto ipsec security-association lifetime seconds 14400
!
crypto ipsec transform-set stealth-aes 256 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile cvo_profile
set transform-set t1
!
!
crypto map VPNSC_CME 1 ipsec-isakmp
description Security Management Tunnel - SMG
set peer 172.16.200.75
set transform-set stealth-aes 256
match address smg_acl
!
archive
log config
hidekeys
!
!
ip ftp source-interface Vlan10
ip tftp source-interface Vlan10
!
class-map match-any call-setup
match ip dscp cs3
match ip precedence 3
class-map match-any internetwork-control
match access-group name isakmp_acl
match ip precedence 6
match ip precedence 7
class-map match-any voice
match access-group name voice_acl
match ip precedence 5
class-map match-any routing
match protocol eigrp
class-map match-all discover_signaling
match protocol skinny
class-map match-all discover_video
match protocol rtp video
class-map match-all discover_voip
match protocol rtp audio
class-map match-any video
match access-group name video_acl
match ip dscp af41
match ip precedence 4
class-map match-all non_voip
match access-group name non_voip_traffic_acl
!
policy-map mark_incoming_traffic
class discover_signaling
set dscp cs3
class discover_video
set dscp af41
class discover_voip
set dscp ef
class non_voip
set dscp default
!
policy-map voice_and_video
class voice
bandwidth 128
class call-setup
priority percent 5
class internetwork-control
priority percent 5
class routing
priority percent 5
class video
priority 384
class class-default
fair-queue
random-detect
policy-map shaper
class class-default
shape average 750000 7500
service-policy voice_and_video
!
bridge irb
!
!
interface Tunnel0
description DMVPN Phase 3
bandwidth 2000
ip address 10.200.13.98 255.255.254.0
ip access-group tidp-acl in
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip multicast rate-limit out 128
ip nhrp map multicast 172.16.200.67
ip nhrp map 10.200.12.1 172.16.200.67
ip nhrp map multicast 172.16.200.68
ip nhrp map 10.200.12.2 172.16.200.68
ip nhrp network-id 7860
ip nhrp holdtime 300
ip nhrp nhs 10.200.12.1
ip nhrp nhs 10.200.12.2
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 2000
qos pre-classify
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile cvo_profile
!
!
interface FastEthernet0
description inside interface
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
interface FastEthernet2
description inside interface
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
interface FastEthernet3
description inside interface
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
interface FastEthernet4
description outside interface
no ip dhcp client request tftp-server-address
ip address dhcp
ip access-group fw_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip ips stealth-ips in
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map VPNSC_CME
service-policy output shaper
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.0.0.2 255.255.255.255
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
no ip address
!
interface Vlan10
description Data VLAN to used with wireless
ip address 10.99.229.161 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip inspect fw in
ip virtual-reassembly
ip tcp adjust-mss 1360
ip nbar protocol-discovery
service-policy input mark_incoming_traffic
no autostate
!
interface Vlan11
description Voice VLAN
ip unnumbered Vlan10
ip access-group allow_skinny_acl in
ip inspect voice_fw in
no autostate
!
interface Vlan20
description Guest VLAN
ip address 10.1.1.1 255.255.255.0
ip pim sparse-dense-mode
ip nat inside
ip inspect test in
ip virtual-reassembly
no autostate
!
!
router eigrp 7
network 10.200.12.0 0.0.1.255
network 10.99.229.160 0.0.0.7
distribute-list dmvpn_acl out
no auto-summary
no eigrp log-neighbor-changes
!
ip forward-protocol nd
ip route 172.16.200.0 255.255.255.0 dhcp
ip route 10.99.250.96 255.255.255.224 dhcp
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Vlan10
!
!
ip nat inside source list nat_acl interface FastEthernet4 overload
!
ip access-list standard dmvpn_acl
permit 10.99.229.160 0.0.0.7
!
ip access-list extended CSM_IP_NAT_DYNAMIC_ACL_1
deny ip any 10.99..250.96 0.0.0.31
permit ip 10.99.229.160 0.0.0.7 any
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended allow_skinny_acl
permit udp any any range bootps bootpc
permit udp any any eq domain
permit udp any any eq tftp
permit tcp any any eq 2000
permit udp any any range 24576 24656
permit udp any any eq 5445
permit udp any any range 2326 2373
deny ip any any log
ip access-list extended control_acl
permit udp any eq isakmp any eq isakmp
permit eigrp any any
ip access-list extended fw_acl
remark ---- DMVPN Firewall ----
permit esp any any
permit udp any any eq isakmp
permit udp any eq isakmp any
permit udp any eq non500-isakmp any
permit udp any any eq 848
permit udp host 192.5.41.40 eq ntp any
permit udp host 172.16.10.150 eq ntp any
permit udp host 198.123.30.132 eq ntp any
permit tcp 172.16.0.0 0.0.255.255 any eq 22
permit udp any any eq bootpc
permit icmp any any
deny ip any any
ip access-list extended isakmp_acl
permit udp any any eq isakmp
ip access-list extended nat_acl
deny ip any 10.99..250.96 0.0.0.31
permit ip 10.99.229.160 0.0.0.7 any
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended smg_acl
permit ip 10.99.229.160 0.0.0.7 10.99..250.96 0.0.0.31
ip access-list extended voice_acl
permit udp any any range 24576 24656
ip access-list extended non_voip_traffic_acl
permit ip any any
ip access-list extended video_acl
permit udp any any eq 5445
permit udp any any range 2326 2373
!
kron occurrence ips-job in 1:0:0 recurring
policy-list ips-job
!
kron policy-list ips-job
cli copy /erase http://management-http-server/attack-drop.sdf flash:
!
logging trap debugging
logging source-interface BVI1
logging 10.99..250.119
snmp-server community public RO
!
!
!
control-plane
!
!
banner login ^CCisco Configuration Professional Version:1.0 Date:06/19/2008^C
privilege exec level 1 clock set
privilege exec level 1 clock
privilege exec level 1 reload
privilege exec level 1 show crypto isakmp sa
privilege exec level 1 show crypto isakmp
privilege exec level 1 show crypto ipsec sa
privilege exec level 1 show crypto ipsec
privilege exec level 1 show crypto engine connections active
privilege exec level 1 show crypto engine connections
privilege exec level 1 show crypto engine
privilege exec level 1 show crypto
privilege exec level 1 show ip inspect sessions
privilege exec level 1 show ip inspect
privilege exec level 1 show ip nat translations
privilege exec level 1 show ip nat
privilege exec level 1 show ip
privilege exec level 1 show
privilege exec level 1 clear crypto isakmp
privilege exec level 1 clear crypto sa
privilege exec level 1 clear crypto
privilege exec level 1 clear
!
line con 0
exec-timeout 120 0
logging synchronous
no modem enable
stopbits 1
line aux 0
line 2
password cisco
login authentication module
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
exec-timeout 0 0
logging synchronous
!
exception data-corruption buffer truncate
scheduler max-task-time 5000
ntp server 198.123.30.132
ntp server 172.16.10.150
ntp server 192.5.41.40
ntp server 172.16.10.80 source BVI1
ntp server 10.99..250.97 prefer source BVI1
cns trusted-server all-agents configuration-engine.cisco.com
cns event configuration-engine.cisco.com 11011 source 10.99.229.161 keepalive 180 3
cns config notify all interval 5
cns config partial configuration-engine.cisco.com 80 source 10.99.229.161
cns exec 80 source 10.99.229.161
cns image server http://configuration-engine.cisco.com/cns/HttpMsgDispatcher status http://configuration-engine.cisco.com/cns/HttpMsgDispatcher
end

Appendix 2: DMVPN Configuration

This configuration is for the case in which the corporate network runs the Open Shortest Path First (OSPF) protocol and DMVPN will run EIGRP internally.
This is a hub and spoke pair of configurations for your reference. Visit http://www.cisco.com/go/cvo and look for "CVO Converged VPN" for detailed information about how to converge DMVPN with other VPN types, and also for a "high concentration hub" design.
==========
DMVPN - hub 1
==========
!! set the pki-server to its correct ip address
aaa new-model
!
aaa group server radius pki-aaa-server
server-private 10.99.99.2 auth-port 1812 acct-port 1813 key <key>
!
aaa authorization network pkiaaa group pki-aaa-server
!
crypto pki trustpoint pki-server
enrollment url http://pki-server.cisco.com:80
serial-number
ip-address none
revocation-check crl
auto-enroll 80
authorization list pkiaaa
!
crypto isakmp policy 10
encr aes 256
!
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
mode transport require
!
crypto ipsec profile ect
set transform-set t1
!
ip multicast-routing
!
interface Tunnel1
bandwidth 2000
ip address 10.11.0.1 255.255.0.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-dense-mode
ip multicast rate-limit out 768
ip nhrp map multicast dynamic
ip nhrp network-id 123456789
ip nhrp cache non-authoritative
ip nhrp redirect
ip summary-address eigrp 7 10.32.4.0 255.255.0.0 5
no ip mroute-cache
ip tcp adjust-mss 1360
delay 2000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ect
!
interface GigabitEthernet0/0
ip address 172.16.0.1 255.255.255.0
!
!! DMVPN internal routing protocol
!
router eigrp 7
redistribute ospf 5 metric 2000 2000 255 200 1000
network 10.11.0.0 0.0.255.255
default-metric 1900 1000 255 1 1500
no auto-summary
no eigrp log-neighbor-changes
!! Corporate routing protocol
!
router ospf 5
log-adjacency-changes
redistribute eigrp 7 metric 40 subnets
network 172.16.0.0 0.0.0.255 area 5
!
ntp server 192.5.41.40
ntp server 198.123.30.132
==========
DMVPN - Hub 2
==========
aaa new-model
!
aaa group server radius pki-aaa-server
server-private 10.99.99.2 auth-port 1812 acct-port 1813 key <key>
!
aaa authorization network pkiaaa group pki-aaa-server
!
crypto pki trustpoint pki-server
enrollment url http://pki-server.cisco.com:80
serial-number
ip-address none
revocation-check crl
auto-enroll 80
authorization list pkiaaa
!
crypto isakmp policy 10
encr aes 256
!
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
mode transport require
!
crypto ipsec profile ect
set transform-set t1
!
ip multicast-routing
!
interface Tunnel1
bandwidth 2000
ip address 10.11.0.2 255.255.0.0
no ip redirects
ip mtu 1400
ip pim nbma-mode
ip pim sparse-dense-mode
ip multicast rate-limit out 768
ip nhrp map multicast dynamic
ip nhrp network-id 123456789
ip nhrp cache non-authoritative
ip nhrp redirect
ip summary-address eigrp 7 10.32.4.0 255.255.0.0 5
no ip mroute-cache
ip tcp adjust-mss 1360
delay 2000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ect
!
interface GigabitEthernet0/0
ip address 172.16.0.2 255.255.255.0
!
!! DMVPN internal routing protocol
!
router eigrp 7
redistribute ospf 5 metric 2000 2000 255 200 1000
network 10.11.0.0 0.0.255.255
default-metric 1900 1000 255 1 1500
no auto-summary
no eigrp log-neighbor-changes
!! Corporate routing protocol
!
router ospf 5
log-adjacency-changes
redistribute eigrp 7 metric 40 subnets
network 172.16.0.0 0.0.0.255 area 5
!
ntp server 192.5.41.40
ntp server 198.123.30.132
==========
DMVPN SPOKE config sample
==========
crypto pki trustpoint pki-server
enrollment url http://pki-server.cisco.com:80
serial-number
ip-address none
revocation-check none
auto-enroll 80
!
crypto isakmp policy 1
encr aes 256
!
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
mode transport require
!
crypto ipsec profile ect
set transform-set t1
!
ip multicast-routing
!
interface Tunnel1
bandwidth 2000
ip address 10.11.0.22 255.255.0.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip multicast rate-limit out 128
ip nhrp map multicast 172.16.0.1
ip nhrp map 10.11.0.1 172.16.0.1
ip nhrp map multicast 172.16.0.2
ip nhrp map 10.11.0.2 172.16.0.2
ip nhrp network-id 123456789
ip nhrp holdtime 300
ip nhrp nhs 10.11.0.1
ip nhrp nhs 10.11.0.2
ip nhrp registration no-unique
ip nhrp cache non-authoritative
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
delay 2000
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile ect
!
interface VLAN10
description local protected network
10.32.0.1 255.255.255.240
ip inspect firewall in
ip nat inside
!
router eigrp 7
network 10.11.0.0 0.0.255.255
network 10.32.0.0 0.0.0.15
no auto-summary
no eigrp log-neighbor-changes
!
ntp server 192.5.41.40
ntp server 198.123.30.132

References

• Cisco Virtual Office solution guides and information: http://www.cisco.com/go/ect

• Cisco Security Manager: http://cisco.com/go/csmanager

• DMVPN: http://cisco.com/go/dmvpn