

Cisco SDM

Posted on 2008-10-03
Medium Priority
Last Modified: 2009-07-29
I have a question about the Security Device Manager (SDM). I have a remote router with a private IP address and I need to configure a VPN connection from my site (the central site) to the remote router site. How am I going to connect to the remote router through my DSL so that I can use SDM to configure the router? If I specify the private IP address of the remote router to connect in SDM, it will not work as it goes through my ISP and I am sure that they are using NAT/PAT. Is there a workaround, or do I need to have that router shipped to me so I can configure it locally with SDM? Thanks

PS. I looked at the FAQs on the Cisco site and it did not say anything about my issue.
Question by: netdoc01
LVL 29

Expert Comment

by:Jan Springer
ID: 22634488
You can ask your provider to [temporarily] assign you a static NAT IP address to use to reach that device.

If that's not possible, ask them if they can identify the IP address assigned to that unit.  They may need to know the router's MAC address.

Absent those two options, you would need to be local to the device for configuration.
LVL 10

Expert Comment

ID: 22634663
If that isn't possible, you could always give this a shot:

Some business-grade internet connections will give you a username-based DNS name. For example, if my username for my ISP were somecompany@myisp.com, they might give you a DNS name like somecompany.dsl.myisp.com.

If you're with the same ISP as the remote site, get your public IP, download nmap, and run this command:

nmap -sP [your pub IP]

nmap will display your DNS name, and if your username is a part of it, just replace it with the username the other site uses.

Good luck.
LVL 12

Expert Comment

ID: 22637063
Usually when configuring a router remotely the command line is used by connecting with SSH.
The SDM is a very clunky tool that by my standards is garbage.
I don't know how we got into a discussion about ISP DNS because it has nothing to do with the question.
You said your ISP uses NAT - what do you have to support this? Are you provided with a private address on the outside interface of the router instead of a public one?
Cheers! I look forward to helping!


Expert Comment

ID: 22640996
You can do a

show ip interface brief

This will give you a list of all your interfaces and the IP address (if any) that they have. You may be able to tell from the IP address whether it is a public or private one.
LVL 12

Expert Comment

ID: 22641420
Assuming that your ISP is NOT using NAT, one option is to enable the http secure-server on the outside interface of the router. In this situation, you would be able to open the SDM securely (using SSL) from across the internet. While this is generally not recommended, it can be done. Just make sure you create (or add) an ACL rule to restrict traffic to the SDM to the IP address at your location so nobody can brute force your router through the SDM.
You need these commands:
ip http secure-server
no ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 149 permit tcp host <PUBLIC IP YOU WILL BE CONNECTING FROM> host <PUBLIC IP YOU WILL BE CONNECTING TO> eq https
interface <OUTSIDE INTERFACE>
 ip access-group 149 in

This will allow you to connect to the router securely with SSL, which is encrypted over the internet. This means you must access the SDM with https:// in your web browser OR check the Use HTTPS? option in the SDM launcher.
If this doesn't work, post the config and your IP addresses.

LVL 12

Expert Comment

ID: 22641432
Oops - replace
no ip http server
above with
no ip http server enable

Author Comment

ID: 22641896
Thanks for all your inputs. This is the situation.

My PC w/ SDM <-> My router (non-Cisco) <-> DSL cable <-> My provider <-> Internet <-> remote provider <-> Cisco router (configured with PPPoE, no VPN yet).

My router IP address is a public DHCP IP address and my gateway is a private IP address (10.x.x.x) coming from the ISP. The remote site cannot ping my public IP address. In order to use my SDM to connect to the remote Cisco router, do I need to order a public IP address for my router and the remote Cisco router so that I can have a connection? My guess is yes.

PS. most of the people don't like SDM but I want to test it myself.
LVL 12

Accepted Solution

Pugglewuggle earned 2000 total points
ID: 22642139
You will need a static public address for the router you want to connect to. The access-list can be modified to allow a connection from anywhere even though it's less secure, but if it needs to be done, then it needs to be done.
Does that make sense?
Also, please post a config of the remote router if possible so I can make sure your commands are right.
BTW about the SDM... I think you'll abandon it soon after seeing it... it doesn't do what it's supposed to all the time, it adds bunches of lines to your config, it messes stuff up, and frankly it just plain sucks. I hate it. It's never caused me anything but trouble. I think it's the only GUI tool I've ever used that's actually harder to get things accomplished with than a command line.
Cheers! Let me know!
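As an added example (not taken from any post in this thread), here is one way to lay out the router side of what Pugglewuggle describes in the two comments above: serve SDM over HTTPS only and restrict who may reach it, with SSH locked down the same way. The interface name Dialer1 and the addresses 203.0.113.10 (central site) and 198.51.100.1 (remote router's public address) are assumed placeholders.

```cisco
! Added example, not from the thread. Assumed values: Dialer1 is the PPPoE
! outside interface, 203.0.113.10 is the central site's public address,
! 198.51.100.1 is the remote router's public address.
!
! Serve SDM over HTTPS only; no clear-text HTTP listener.
no ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Local account for SDM; SDM expects a privilege-15 user.
username sdmadmin privilege 15 secret <STRONG PASSWORD>
!
! Standard ACL consumed by the HTTP server itself: only the central site
! may open the management session. Unlike an interface ACL, this does
! not touch transit traffic or replies to sessions the router opened.
access-list 10 remark SDM/HTTPS management access
access-list 10 permit host 203.0.113.10
access-list 10 deny any log
ip http access-class 10
!
! Same restriction for SSH so the CLI path matches the GUI path.
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 10 in
 login local
!
! If the restriction is placed on the interface instead (as in the
! access-list 149 example above), remember the implicit deny at the end:
! anything not listed is dropped, including replies to connections the
! router itself started. Extend the list before applying it.
ip access-list extended OUTSIDE-IN
 remark HTTPS to the router from the central site only
 permit tcp host 203.0.113.10 host 198.51.100.1 eq 443
 remark replies to TCP sessions the router itself opened
 permit tcp any host 198.51.100.1 established
 remark add whatever else this router must receive (VPN peer, DNS replies, ...)
interface Dialer1
 ip access-group OUTSIDE-IN in
```

The `ip http access-class` form is the narrower change: it limits only the management listener, so widening it later (as the accepted answer discusses) is a one-line ACL edit rather than a change to everything the outside interface accepts.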
