Cisco SDM

I have a question about the Security Device Manager (SDM). I have a remote router with a private IP address and I need to configure a VPN connection from my site (the central site) to the remote router site. How am I going to connect to the remote router through my DSL so that I can use SDM to configure the router? If I specify the private IP address of the remote router to connect in SDM, it will not work as it goes through my ISP and I am sure that they are using NAT/PAT. Is there a workaround, or do I need to have that router shipped to me so that I can configure it locally with SDM? Thanks

PS. I looked at the FAQs on the Cisco site and it did not say anything about my issue.
Pugglewuggle Commented:
You will need a static public address for the router you want to connect to. The access-list can be modified to allow a connection from anywhere even though it's less secure, but if it needs to be done, then it needs to be done.
Does that make sense?
Also, please post a config of the remote router if possible so I can make sure your commands are right.
BTW about the SDM... I think you'll abandon it soon after seeing it... it doesn't do what it's supposed to all the time, it adds bunches of lines to your config, it messes stuff up, and frankly it just plain sucks. I hate it. It's never caused me anything but trouble. I think it's the only GUI tool I've ever used that's actually harder to get things accomplished with than a command line.
Cheers! Let me know!
Jan Springer Commented:
You can ask your provider to [temporarily] assign you a static NAT IP address to use to reach that device.

If that's not possible, ask them if they can identify the IP address assigned to that unit.  They may need to know the router's MAC address.

Absent those two options, you would need to be local to the device for configuration.
If that isn't possible, you could always give this a shot:

Some business grade internet connections will give you a username based DNS name, like if my username for my ISP was, they might give you a DNS like

If you're with the same ISP as the remote site, get your public IP, download nmap, and do this command:

nmap -sP [your pub IP]

nmap will display your DNS name, and if your username is a part of it, just replace it with the username the other site uses.

Good luck.

Usually when configuring a router remotely the command line is used by connecting with SSH.
The SDM is a very clunky tool that by my standards is garbage.
I don't know how we got into a discussion about ISP DNS because it has nothing to do with the question.
You said your ISP uses NAT - what do you have to support this? Are you provided with a private address on the outside interface of the router instead of a public one?
Cheers! I look forward to helping!
You can do a

show ip interface brief

This will give you a list of all your interfaces and the IP address (if any) that they have. You may be able to sort out from the IP address if it is a public or private one.
Assuming that your ISP is NOT using NAT, one option is to enable the http secure-server on the outside interface of the router. In this situation, you would be able to open the SDM securely (using SSL) from across the internet. While this is generally not recommended, it can be done. Just make sure you create (or add) an ACL rule to restrict traffic to the SDM to the IP address at your location so nobody can brute force your router through the SDM.
You need these commands:
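! enable the HTTPS server and disable cleartext HTTP
ip http secure-server
no ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 149 permit tcp host <PUBLIC IP YOU WILL BE CONNECTING FROM> host <PUBLIC IP YOU WILL BE CONNECTING TO> eq 443
! apply the ACL inbound on the outside interface (the implicit deny drops all other inbound traffic)
interface <OUTSIDE INTERFACE>
 ip access-group 149 in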

This will allow you to connect to the router securely with SSL which is encrypted over the internet. This means you must access the SDM with https:// in your web browser OR check the Use HTTPS? option in the SDM launcher.
If this doesn't work, post the config and your IP addresses.

Oops - replace
no ip http server
above with
no ip http server enable
netdoc01 (Author) Commented:
Thanks for all your inputs. This is the situation.

My PC w/ SDM <-> My router (non Cisco)<->DSL cable<->My provider<-->Internet<->remote provider<->Cisco router (configure with PPPoE no VPN yet).

My router IP add is a public DHCP IP address ( and my gateway is a private IP address (10.x.x.x) coming from the ISP. The remote site cannot ping my public IP address. In order to use my SDM to connect to the remote Cisco router, do I need to order a public IP address for my router and the remote Cisco router so that I can have a connection? My guess is yes.

PS. most of the people don't like SDM but I want to test it myself.