Cisco SDM

Posted on 2008-10-03
Last Modified: 2009-07-29
I have a question about the Security Device Manager (SDM). I have a remote router with a private IP address and I need to configure a VPN connection from my site (the central site) to the remote router site. How am I going to connect to the remote router through my DSL so that I can use SDM to configure the router? If I specify the private IP address of the remote router to connect in SDM, it will not work as it goes through my ISP and I am sure that they are using NAT/PAT. Is there a workaround? Or do I need to have that router shipped to me so that I can configure it locally with SDM? Thanks

PS. I looked at the FAQs on the Cisco site and it did not say anything about my issue.
Question by:netdoc01
LVL 28

Expert Comment

by:Jan Springer
ID: 22634488
You can ask your provider to [temporarily] assign you a static NAT IP address to use to reach that device.

If that's not possible, ask them if they can identify the IP address assigned to that unit.  They may need to know the router's MAC address.

Absent those two options, you would need to be local to the device for configuration.
LVL 10

Expert Comment

ID: 22634663
If that isn't possible, you could always give this a shot:

Some business grade internet connections will give you a username based DNS name, like if my username for my ISP was, they might give you a DNS like

If you're with the same ISP as the remote site, get your public IP, download nmap, and do this command:

nmap -sP [your pub IP]

nmap will display your DNS name, and if your username is a part of it, just replace it with the username the other site uses.

Good luck.
LVL 12

Expert Comment

ID: 22637063
Usually when configuring a router remotely the command line is used by connecting with SSH.
The SDM is a very clunky tool that by my standards is garbage.
I don't know how we got into a discussion about ISP DNS because it has nothing to do with the question.
You said your ISP uses NAT - what do you have to support this? Are you provided with a private address on the outside interface of the router instead of a public one?
Cheers! I look forward to helping!

Expert Comment

ID: 22640996
You can do a

show ip interface brief

This will give you a list of all your interfaces and the IP address (if any) that they have. You may be able to sort out from the IP address if it is a public or private one.
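The check above can be done by eye, but a short script makes the outcome of `show ip interface brief` unambiguous, including the case the thread does not mention: an ISP that hands out RFC 6598 shared address space (100.64.0.0/10) for carrier-grade NAT, which is neither RFC 1918 private nor publicly routable. This is an added example and not code from the thread; the `show ip interface brief` output it parses is constructed for illustration and the interface names and addresses in it are assumptions.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT. A WAN
# address in this block, or in RFC 1918 space, means the provider is translating
# the router's traffic and inbound connections to the router will not work.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample in the format of `show ip interface brief`; it is not
# output from the asker's router.
SAMPLE_OUTPUT = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
Vlan1                      192.168.1.1     YES NVRAM  up                    up
Dialer1                    100.72.15.201   YES IPCP   up                    up
Virtual-Access1            unassigned      YES unset  up                    up
"""


def classify(addr: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'other' for an IP literal."""
    ip = ipaddress.ip_address(addr)
    # Check shared address space first: the stdlib does not treat it as private.
    if ip.version == 4 and ip in CGNAT_SPACE:
        return "cgnat"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def parse_show_ip_int_brief(output: str) -> dict:
    """Map interface name -> (address or None, classification)."""
    interfaces = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Interface":
            continue  # skip the header and blank lines
        name, addr = fields[0], fields[1]
        if addr.lower() == "unassigned":
            interfaces[name] = (None, "unassigned")
            continue
        try:
            interfaces[name] = (addr, classify(addr))
        except ValueError:
            interfaces[name] = (addr, "unparseable")
    return interfaces


def provider_nat_suspected(interfaces: dict, wan_interface: str) -> bool:
    """True when the WAN-facing interface holds an address the internet cannot route to."""
    _, kind = interfaces[wan_interface]
    return kind in ("private", "cgnat")


if __name__ == "__main__":
    parsed = parse_show_ip_int_brief(SAMPLE_OUTPUT)
    for name, (addr, kind) in parsed.items():
        print(f"{name:20} {addr or '-':16} {kind}")
    print("provider NAT suspected on Dialer1:", provider_nat_suspected(parsed, "Dialer1"))
```

Paste the real command output in place of the constructed sample and name the PPPoE dialer (or whichever interface faces the ISP) as the WAN interface. A "private" or "cgnat" verdict there means no amount of ACL work on the router will let SDM reach it from outside; only a public address from the provider will.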

LVL 12

Expert Comment

ID: 22641420
Assuming that your ISP is NOT using NAT, one option is to enable the http secure-server on the outside interface of the router. In this situation, you would be able to open the SDM securely (using SSL) from across the internet. While this is generally not recommended, it can be done. Just make sure you create (or add) an ACL rule to restrict traffic to the SDM to the IP address at your location so nobody can brute force your router through the SDM.
You need these commands:
ip http secure-server
no ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 149 permit tcp host <PUBLIC IP YOU WILL BE CONNECTING FROM> host <PUBLIC IP YOU WILL BE CONNECTING TO> eq https
interface <OUTSIDE INTERFACE>
 ip access-group 149 in

This will allow you to connect to the router securely with SSL which is encrypted over the internet. This means you must access the SDM with https:// in your web browser OR check the Use HTTPS? option in the SDM launcher.
If this doesn't work, post the config and your IP addresses.
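As an added example (not a config from the thread), the following shows the same goal done the way IOS intends: the HTTP server is bound to a standard ACL with `ip http access-class`, so only the management address can reach it, and nothing else on the outside interface is affected. The management address 198.51.100.10 and the username are assumptions; substitute your own.

```ios
! Added example, not from the thread. 198.51.100.10 stands in for the public
! address of the PC running SDM (assumption). SDM needs a privilege 15 user.
username sdmadmin privilege 15 secret <strong-password>
!
! Serve the GUI over HTTPS only and authenticate against the local database.
no ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Standard ACL consulted by the HTTP server itself, independent of any
! interface ACL. The final deny logs other attempts so brute forcing shows up.
access-list 10 remark SDM/HTTPS management sources
access-list 10 permit host 198.51.100.10
access-list 10 deny   any log
ip http access-class 10
```

Two caveats worth knowing before choosing the interface-ACL approach from the post above. First, an inbound `ip access-group` on the outside interface ends in an implicit deny, so an ACL whose only entry permits HTTPS from one host drops every other inbound packet on that interface, including return traffic for the router's own outbound sessions, unless further entries (or a stateful inspection feature) allow it; `ip http access-class` avoids that because it only governs the HTTP server. Second, `ip http secure-server` generates a self-signed certificate the first time it is enabled, so the SDM launcher and browser will warn about it; compare the fingerprint shown with `show crypto pki certificates` before accepting it, otherwise the SSL protection is only against passive listeners.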

LVL 12

Expert Comment

ID: 22641432
Oops - replace
no ip http server
above with
no ip http server enable

Author Comment

ID: 22641896
Thanks for all your inputs. This is the situation.

My PC w/ SDM <-> My router (non Cisco)<->DSL cable<->My provider<-->Internet<->remote provider<->Cisco router (configure with PPPoE no VPN yet).

My router IP address is a public DHCP IP address ( and my gateway is a private IP address (10.x.x.x) coming from the ISP. The remote site cannot ping my public IP address. In order to use my SDM to connect to the remote Cisco router, do I need to order a public IP address for my router and the remote Cisco router so that I can have a connection? My guess is yes.

PS. most of the people don't like SDM but I want to test it myself.
LVL 12

Accepted Solution

Pugglewuggle earned 500 total points
ID: 22642139
You will need a static public address for the router you want to connect to. The access-list can be modified to allow a connection from anywhere even though it's less secure, but if it needs to be done, then it needs to be done.
Does that make sense?
Also, please post a config of the remote router if possible so I can make sure your commands are right.
BTW about the SDM... I think you'll abandon it soon after seeing it... it doesn't do what it's supposed to all the time, it adds bunches of lines to your config, it messes stuff up, and frankly it just plain sucks. I hate it. It's never caused me anything but trouble. I think it's the only GUI tool I've ever used that's actually harder to get things accomplished with than a command line.
Cheers! Let me know!
