Cisco SDM

Posted on 2008-10-03
Medium Priority
Last Modified: 2009-07-29
I have a question about the Security Device Manager (SDM). I have a remote router with a private IP address and I need to configure a VPN connection from my site (the central site) to the remote router site. How am I going to connect to the remote router through my DSL so that I can use SDM to configure the router? If I specify the private IP address of the remote router to connect in SDM, it will not work as it goes through my ISP and I am sure that they are using NAT/PAT. Is there a workaround? Or do I need to have that router shipped to me so that I can configure it locally with SDM? Thanks

PS. I looked at the FAQs on the Cisco site and it did not say anything about my issue.
Question by:netdoc01
LVL 29

Expert Comment

by:Jan Springer
ID: 22634488
You can ask your provider to [temporarily] assign you a static NAT IP address to use to reach that device.

If that's not possible, ask them if they can identify the IP address assigned to that unit.  They may need to know the router's MAC address.

Absent those two options, you would need to be local to the device for configuration.
LVL 10

Expert Comment

ID: 22634663
If that isn't possible, you could always give this a shot:

Some business-grade internet connections will give you a username-based DNS name. For example, if my username for my ISP were somecompany@myisp.com, they might give you a DNS name like somecompany.dsl.myisp.com.

If you're with the same ISP as the remote site, get your public IP, download nmap, and run this command:

nmap -sP [your pub IP]

nmap will display your DNS name, and if your username is part of it, just replace it with the username the other site uses.

Good luck.
LVL 12

Expert Comment

ID: 22637063
Usually when configuring a router remotely the command line is used by connecting with SSH.
The SDM is a very clunky tool that by my standards is garbage.
I don't know how we got into a discussion about ISP DNS because it has nothing to do with the question.
You said your ISP uses NAT - what do you have to support this? Are you provided with a private address on the outside interface of the router instead of a public one?
Cheers! I look forward to helping!

Expert Comment

ID: 22640996
You can do a

show ip interface brief

This will give you a list of all your interfaces and the IP address (if any) that they have. You may be able to sort out from the IP address whether it is a public or private one.
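One way to make that check mechanical, as an added example that is not part of this thread: a short Python script that parses `show ip interface brief` output and flags each interface's address as public, RFC 1918 private, or carrier-grade NAT (100.64.0.0/10, the range ISPs doing NAT/PAT commonly hand out, which is not reachable from the Internet). The sample output, interface names and addresses below are constructed placeholders.

```python
"""Classify the addresses in `show ip interface brief` output.

Added example, not from the thread. SAMPLE_OUTPUT is a constructed
sample; interface names and addresses are placeholders.
"""
import ipaddress
import re

SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.1.1     YES NVRAM  up                    up
FastEthernet0/1        unassigned      YES NVRAM  administratively down down
Dialer1                100.64.12.7     YES IPCP   up                    up
Loopback0              203.0.113.5     YES manual up                    up
"""

# Explicit ranges so the result does not depend on the Python version's
# notion of is_private (203.0.113.5 is a documentation address standing
# in for a real public one here).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
            "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local
CGNAT = ipaddress.ip_network("100.64.0.0/10")                  # RFC 6598 shared space

def classify(addr: str) -> str:
    """Return 'private', 'cgnat', 'public' or 'unassigned' for one address."""
    if addr.lower() == "unassigned":
        return "unassigned"
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        # The ISP is translating: an inbound SDM/HTTPS session cannot reach this.
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"

# Data rows have an interface name, an address, then the OK? column ("YES").
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+YES", re.MULTILINE)

def parse_interfaces(output: str) -> dict:
    """Map interface name -> classification, skipping the header line."""
    return {name: classify(addr) for name, addr in LINE_RE.findall(output)}

def outside_is_reachable(output: str, outside_if: str) -> bool:
    """True only if the WAN interface holds a public (routable) address."""
    return parse_interfaces(output).get(outside_if) == "public"

if __name__ == "__main__":
    for name, kind in parse_interfaces(SAMPLE_OUTPUT).items():
        print(f"{name:24}{kind}")
```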
LVL 12

Expert Comment

ID: 22641420
Assuming that your ISP is NOT using NAT, one option is to enable the http secure-server on the outside interface of the router. In this situation, you would be able to open the SDM securely (using SSL) from across the internet. While this is generally not recommended, it can be done. Just make sure you create (or add) an ACL rule to restrict traffic to the SDM to the IP address at your location so nobody can brute force your router through the SDM.
You need these commands:
! Enable only the HTTPS (SSL) server; leave plain HTTP off
ip http secure-server
no ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
! Extended ACL: only your site's public IP may reach TCP 443 (https) on the router
access-list 149 permit tcp host <PUBLIC IP YOU WILL BE CONNECTING FROM> host <PUBLIC IP YOU WILL BE CONNECTING TO> eq 443
! Apply it inbound on the outside (Internet-facing) interface
interface <OUTSIDE INTERFACE>
 ip access-group 149 in
! Note: the ACL ends in an implicit deny, so applied this way it also drops all other
! inbound traffic on that interface (e.g. the VPN you plan to build); add permit entries
! for that traffic, or restrict only the HTTP server with "ip http access-class <standard ACL 1-99>"

This will allow you to connect to the router securely with SSL, which is encrypted over the internet. This means you must access the SDM with https:// in your web browser OR check the Use HTTPS? option in the SDM launcher.
If this doesn't work, post the config and your IP addresses.

LVL 12

Expert Comment

ID: 22641432
Oops - replace
no ip http server
above with
no ip http server enable

Author Comment

ID: 22641896
Thanks for all your inputs. This is the situation.

My PC w/ SDM <-> My router (non-Cisco) <-> DSL cable <-> My provider <-> Internet <-> remote provider <-> Cisco router (configured with PPPoE, no VPN yet).

My router IP address is a public DHCP IP address and my gateway is a private IP address (10.x.x.x) coming from the ISP. The remote site cannot ping my public IP address. In order to use my SDM to connect to the remote Cisco router, do I need to order a public IP address for my router and the remote Cisco router so that I can have a connection? My guess is yes.

PS. most of the people don't like SDM but I want to test it myself.
LVL 12

Accepted Solution

Pugglewuggle earned 2000 total points
ID: 22642139
You will need a static public address for the router you want to connect to. The access-list can be modified to allow a connection from anywhere even though it's less secure, but if it needs to be done, then it needs to be done.
Does that make sense?
Also, please post a config of the remote router if possible so I can make sure your commands are right.
BTW about the SDM... I think you'll abandon it soon after seeing it... it doesn't do what it's supposed to all the time, it adds bunches of lines to your config, it messes stuff up, and frankly it just plain sucks. I hate it. It's never caused me anything but trouble. I think it's the only GUI tool I've ever used that's actually harder to get things accomplished with than a command line.
Cheers! Let me know!
