Cisco ISA500 Series Administration Manual Download Page 12

Page: 12 / 371

Cisco ISA500 Series Integrated Security Appliance Administration Guide

Contents

Priorities of NAT Rules

200

Configuring the Session Settings

200

Configuring the Content Filtering to Control Access to Internet

201

Configuring the Content Filtering Policy Profiles

201

Configuring the Website Access Control List

203

Mapping the Content Filtering Policy Profiles to Zones

204

Configuring Advanced Settings

204

Configuring the MAC Filtering to Permit or Block Traffic

205

Configuring the IP/MAC Binding to Prevent Spoofing

206

Configuring the Attack Protection

207

Configuring the Application Level Gateway

209

Chapter 7: Security Services

210

Managing the Security Services

210

About the Security Services

211

Security License

212

Priority of Security Services

212

Managing the Security Services

212

Viewing the Security Service Reports

214

Intrusion Prevention Service

214

General IPS Settings

215

Configuring the IPS Policy and Protocol Inspection

216

Blocking the Instant Messaging and Peer-to-Peer Applications

218

Anti-Virus

220

Configuring the Anti-Virus

220

Configuring the Email Notification

223

Configuring the HTTP Notification

224

Email Reputation Filter

224

Web URL Filter

226

Configuring the Web URL Filter Policy Profiles

226

Configuring the Whitelist and Blacklist of Websites

227

Mapping the Web URL Filter Policy Profiles to Zones

228

Summary of Contents for ISA500 Series

Page 1: ...Cisco Small Business ISA500 Series Integrated Security Appliance ADMINISTRATION GUIDE ...

Page 2: ... and or its affiliates in the U S and other countries A listing of Cisco s trademarks can be found at www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1005R ...

Page 3: ...orrect the interference by one of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio TV technician for help FCC Caution Any changes or modifications not expressly approved by the...

Page 4: ...iated power e i r p is not more than that necessary for successful communication Le manuel d utilisation de dispositifs émetteurs équipés d antennes amovibles doit contenir les informations suivantes dans un endroit bien en vue Ce dispositif a été conçu pour fonctionner avec une antenne ayant un gain maximal de 1 8 dBi Une antenne à gain plus élevé est strictement interdite par les règlements d In...

Page 5: ...ven to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring Appropriate consideration of equipment nameplate ratings should be used when addressing this concern ...

Page 6: ...6 OL 23370 01 ...

Page 7: ... Using the Help System 25 Using the Management Buttons 25 About the Default Settings 25 Performing Common Configuration Tasks 27 Changing the User Name and Password of the Default Administrator Account at Your First Login 27 Saving Your Configuration 28 Upgrading the Firmware if needed 29 Resetting the Device 30 Chapter 2 Wizards 32 Using the Startup Wizard 32 Using the Wireless Wizard to Configur...

Page 8: ...icies 57 Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access 58 Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels 58 Configuring the Cisco IPSec VPN User Groups 63 Using SSL VPN to Establish the SSL VPN Tunnels 63 Configuring the SSL VPN Group Policies 66 Configuring the SSL VPN User Groups 69 Chapter 3 Status 70 System Status 70 Interface ...

Page 9: ...ccess Control on Physical Ports 98 Configuring the Port Mirroring 100 Configuring the WAN 101 Configuring the Primary WAN 101 Configuring the Secondary WAN 104 Configuring the Network Addressing Mode 106 Configuring the PPPoE Profiles 111 Configuring the WAN Redundancy 112 Loading Balancing for WAN Redundancy 113 Load Balancing with Policy based Routing Configuration Example 115 Failover for WAN R...

Page 10: ...guring the WAN Queue Settings 142 Configuring the Traffic Selectors for WAN Interfaces 144 Configuring the WAN QoS Policy Profiles 145 Mapping the WAN QoS Policy Profiles to WAN Interfaces 146 Configuring the LAN QoS 147 Configuring the LAN Queue Settings 147 Configuring the LAN QoS Classification Methods 148 Mapping CoS to LAN Queue 149 Mapping DSCP to LAN Queue 149 Configuring Default CoS 149 Co...

Page 11: ...4 Chapter 6 Firewall 177 Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic 178 Default Firewall Settings 178 Priorities of Firewall Access Rules 180 Preliminary Tasks for Configuring the Firewall Access Rules 180 General Settings for Configuring the Firewall Access Rules 181 Configuring a Firewall Access Rule 183 Configuring a Firewall Access Rule to Allow the Multicast...

Page 12: ...g the Application Level Gateway 209 Chapter 7 Security Services 210 Managing the Security Services 210 About the Security Services 211 Security License 212 Priority of Security Services 212 Managing the Security Services 212 Viewing the Security Service Reports 214 Intrusion Prevention Service 214 General IPS Settings 215 Configuring the IPS Policy and Protocol Inspection 216 Blocking the Instant ...

Page 13: ...ode 241 General Settings 242 Configuring the Group Policies for Cisco IPSec VPN Client 243 Configuring the Site to Site VPN 246 Configuration Tasks to Establish a Site to Site VPN 246 General Site to Site VPN Settings 247 Configuring the IPSec VPN Policies 248 Configuring the IPSec IKE Policies 254 Configuring the IPSec Transform Policies 256 Configuring the SSL VPN 257 Elements of the SSL VPN 258...

Page 14: ...cation Settings 277 Authentication Methods for User Login 278 Using Local Database for Authentication 279 Using RADIUS Server for Authentication 279 Using Local Database and RADIUS Server for Authentication 282 Using LDAP for Authentication 283 Using Local Database and LDAP for Authentication 286 Configuring the User Session Settings 286 Viewing Active User Sessions 287 Chapter 10 Device Managemen...

Page 15: ...the Logs 306 Managing the Security License 307 Checking the License Status 308 Renewing the Security License 309 Managing the Certificates for Authentication 310 Viewing the Certificate Status 310 Managing the Certificates 311 Exporting the Certificates to Local PC 312 Exporting the Certificates to a USB Device 313 Importing the Certificates from Your Local PC 313 Importing the Certificates from a...

Page 16: ...tings 332 Appendix A Troubleshooting 333 Internet Connection 333 Date and Time 336 Pinging to Test LAN Connectivity 337 Testing the LAN Path from Your PC to Your Security Appliance 337 Testing the LAN Path from Your PC to a Remote Device 338 Restoring Factory Default Settings 339 Appendix B Technical Specifications and Environmental Requirements 340 Appendix C Factory Default Settings 343 Device M...

Page 17: ...Cisco ISA500 Series Integrated Security Appliance Administration Guide 11 Contents Appendix D Where to Go From Here 365 ...

Page 18: ... Started with the Configuration Utility page 23 About the Default Settings page 25 Performing Common Configuration Tasks page 27 Introduction The Cisco ISA500 Series Integrated Security Appliances are a set of Unified Threat Management UTM security appliances that provide business class security gateway solutions with zone based firewall site to site and remote access VPN including Cisco IPSec VPN...

Page 19: ...orts 1 USB 2 0 port and 802 11b g n ISA570 Cisco ISA570 Integrated Security Appliance 1 WAN port 4 LAN ports 5 configurable ports and 1 USB 2 0 port ISA570W Cisco ISA570 Integrated Security Appliance with WiFi 1 WAN port 4 LAN ports 5 configurable ports 1 USB 2 0 port and 802 11b g n Feature ISA550 ISA550W ISA570 ISA570W Firewall Throughput 1000B 150 Mbps 150 Mbps 300 Mbps 300 Mbps Firewall Throug...

Page 20: ...ck Panel page17 Front Panel ISA550 Front Panel ISA550W Front Panel Maximum Concurrent Sessions 15 000 15 000 40 000 40 000 Sessions per Seconds cps 2 500 2 500 3 000 3 000 Wireless 802 11b g n No Yes No Yes IPSec Tunnels 50 50 100 100 SSL VPN Tunnels 25 25 50 50 Feature ISA550 ISA550W ISA570 ISA570W 282351 Small Business 1 VPN USB WAN LAN CONFIGURABLE POWER SYS SPEED LINK ACT 2 3 4 5 6 7 ISA550 Ci...

Page 21: ... CONFIGURABLE POWER SYS SPEED LINK ACT 9 10 2 3 4 5 6 7 8 WLAN 281980 ISA570W Cisco Lights Description POWER SYS Indicates the power status and system status Green lights when the system is powered on and operates normally Green flashes when the system is booting Amber flashes when the system booting has a problem a device error occurs or the system has a problem VPN Indicates the Site to Site VPN...

Page 22: ...ansmitting and receiving data WLAN ISA550W and ISA570W only Indicates the WLAN status Green lights when the WLAN is enabled and associated Green flashes when the WLAN is transmitting and receiving data SPEED Indicates the traffic rate of the associated port Off when the traffic rate is 10 or 100 Mbps Green lights when the traffic rate is 1000 Mbps LINK ACT Indicates a connection is being made thro...

Page 23: ...del ISA550 and ISA550W Back Panel ISA570 and ISA570W Back Panel 281984 ANT02 ANT01 RESET I O POWER 12VDC 4 5 6 7 CONFIGURABLE 2 3 LAN 1 WAN ANT01 ANT02 Reset Button Power Switch Power Connector WAN Port USB Port Configurable Ports LAN Ports 281981 I O RESET ANT02 ANT01 1 6 7 8 9 10 WAN CONFIGURABLE POWER 12VDC 2 3 4 5 LAN ANT01 ANT02 Reset Button Power Switch Power Connector WAN Port USB Port Conf...

Page 24: ...ore the configurations or to upgrade the firmware images Configurable Ports Can be set to operate as WAN LAN or DMZ ports The ISA550 and ISA550W have 4 configurable ports The ISA570 and ISA570W have 5 configurable ports LAN Ports Connects PCs and other network appliances to the unit The ISA550 and ISA550W have 2 dedicated LAN ports The ISA570 and ISA570W have 4 dedicated LAN ports WAN Port Connect...

Page 25: ...s and 4 washers NOTE The Wall mounting kit is not included RJ 45 Ethernet cables Category 5 or higher for connecting computers WAN and LAN interfaces or other devices A computer with Microsoft Internet Explorer 8 0 or Mozilla Firefox 3 6 x or later for using the web based Configuration Utility Installation Options You can place your security appliance on a desktop mount it on a wall or mount it in...

Page 26: ...our security appliance to the wall or the ceiling WARNING Insecure mounting might damage the device or cause injury Cisco is not responsible for damages incurred by improper wall mounting To mount the security appliance to the wall STEP 1 Determine where you want to mount the security appliance Verify that the surface is smooth flat dry and sturdy STEP 2 Insert two 18 6 mm 0 73 inch screws with an...

Page 27: ...1 Place one of the supplied silicon rubber spacers on the side of the security appliance so that the four holes align to the screw holes Place the rack mount bracket next to the silicon rubber spacer and install the M3 screws NOTE If the M3 screws are not long enough to reattach the bracket with the silicon rubber spacer attach the bracket directly to the case without the silicon rubber spacer STE...

Page 28: ...twork devices connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel STEP 5 For a UC 500 or a UC 300 connect an Ethernet network cable from the WAN port of the UC 500 or a UC 300 to an available LAN port of the security appliance STEP 6 For a UC500 or a UC300 connect an Ethernet network cable from the WAN port of the UC500 or UC300 to an avail...

Page 29: ...ge 25 Using the Management Buttons page 25 Launching the Configuration Utility STEP 1 Connect your computer to an available LAN port on the back panel of the security appliance STEP 2 Start a web browser In the Address bar enter the default IP address of the security appliance 192 168 1 1 NOTE The above address is the factory default LAN address If you change this setting in the DEFAULT VLAN confi...

Page 30: ...on pane and content pane to perform the tasks in the Configuration Utility 1 2 Number Components Description 1 Left Hand Navigation Pane The left hand navigation pane provides easy navigation through the configurable features The main branches expand to provide the features Click on the main branch title to expand its contents Click on the right arrow of a feature to open its subfeatures or click ...

Page 31: ...ate what the buttons or icons are used for About the Default Settings The security appliance is predefined with the settings that allow you to start using the device with minimal changes needed Depending the requirements of your Internet Service Provider ISP and the needs of your business you might need to modify some of these settings You can use the Configuration Utility to customize all setting...

Page 32: ...ddresses to connected devices rather than allowing the security appliance to act as a DHCP server See Configuring the VLAN page118 VLAN Configuration The security appliance predefines a native VLAN DEFAULT and a guest VLAN GUEST You can customize new VLANs for your specific business needs See Configuring the VLAN page118 Configurable Ports By default all configurable ports are set to act as LAN po...

Page 33: ...a SSL VPN gateway so that remote users can securely access the corporate network resources over the VPN tunnels You can also establish a secure IPSec VPN tunnel between two sites that are physically separated by using the Site to Site VPN feature For more information about how to configure the VPN features see VPN page 232 Performing Common Configuration Tasks We strongly recommend that you comple...

Page 34: ...user name or the reversed user name The password cannot be set as cisco ocsic or any variant obtained by changing the capitalization of letters Confirm Password Enter the new password again for confirmation STEP 3 Click Save to apply your settings Saving Your Configuration At any point during the configuration process you can save your configurations Later if you make changes that you want to aban...

Page 35: ...n optionally encrypt the configurations for security purposes check the Encrypt box and then enter the password in the Key field and then click OK Your current settings are saved as a configuration file on the root folder of the USB device Upgrading the Firmware if needed Before you do any other tasks ensure that you are using the latest firmware version You can upgrade from a firmware file stored...

Page 36: ...k the mounting status of the USB device Make sure that the USB Driver Status shows as UP when you use the USB device to manage the firmware c In the USB Backup Restore Settings area all firmware images located on the USB device appears in the list To upgrade the firmware and keep using the current settings select the latest firmware image from the list and then click Upgrade To upgrade the firmwar...

Page 37: ...pliance Administration Guide 31 1 STEP 1 Click Device Management Firmware and Configuration Configuration The Configuration window opens STEP 2 In the Backup Restore Settings Revert To Factory Default Settings area click Default The security appliance will reboot with the factory default settings ...

Page 38: ...1 Using the Site to Site Wizard to Establish the Site to Site VPN Tunnels page 53 Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access page 58 To access the Wizards pages click Wizards in the left hand navigation pane Using the Startup Wizard The Startup Wizard helps you configure the remote management port WAN LAN DMZ and WLAN for ISA550W and ISA5...

Page 39: ...r example https xxx xxx xxx xxx 8080 Enter the following information Remote Management Click On to enable remote management by using HTTPS or click Off to disable it We recommend that you use HTTPS for secure purposes HTTPS Listen Port Number If you enable remote management by using HTTPS enter the port number to be listened on By default the listened port for HTTPS is 8080 HTTP Enable Click On bo...

Page 40: ...itch This is the default setting The security appliance is set to one WAN port WAN1 and nine LAN ports 1 WAN 1 DMZ and 8 LAN Switch The security appliance is set to one WAN port WAN1 one DMZ port and eight LAN ports The configurable port GE10 is set to a DMZ port 1 WAN 1 WAN Backup and 8 LAN Switch The security appliance is set to two WAN ports WAN1 is the primary WAN and WAN2 is the secondary WAN...

Page 41: ... DMZ port NOTE The configurable ports can be set as the WAN LAN and DMZ ports Up to two WAN ports and four DMZ ports can be configured on the security appliance To configure multiple DMZ ports go to the Networking DMZ page For more information see Configuring the DMZ page123 STEP 4 After you are finished click Next The Primary WAN Connection window opens From this page you can configure the primar...

Page 42: ...width If you choose this mode then choose one of the following options and finish the setting Weighted By percentage Allows you to set the percentage for each WAN such as 80 percentage bandwidth for WAN1 and lest 20 percentage bandwidth for WAN2 Weighted By Link Bandwidth Allows you to set the rate limiting for each WAN such as 10 Mbps for WAN1 and 5 Mbps for WAN2 Use the Failover mode if you want...

Page 43: ...the Relay IP field If you choose DHCP Server as the DHCP mode enter the following information Start IP Enter the starting IP address of the DHCP pool End IP Enter the ending IP address of the DHCP pool NOTE The starting and ending IP addresses should be in the same range as the LAN s subnet address Lease Time Enter the maximum connection time that a dynamic IP address is leased to a network user W...

Page 44: ...the DHCP pool DHCP Relay Allows the security appliance to use a DHCP Relay If you choose DHCP Relay enter the IP address of the remote DHCP server in the Relay IP field If you choose DHCP Server as the DHCP mode enter the following information Start IP Enter the starting IP address of the DHCP pool End IP Enter the ending IP address of the DHCP pool NOTE The starting and ending IP addresses should...

Page 45: ...ep 12 Wireless Network Mode Choose the 802 11 modulation technique The ISA550W and ISA550W supports the following radio modes 802 11b only Choose this mode if all devices in the wireless network use 802 11b Only 802 11b clients can connect to the access point 802 11g only Choose this mode if all devices in the wireless network use 802 11g Only 802 11g clients can connect to the access point 802 11...

Page 46: ...ng the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W page 40 SSID Name The SSID name Security Mode Choose the encryption algorithm for data encryption for this SSID Depending on the selected security mode configure the corresponding settings See Configuring the Security Mode page162 VLAN Name Choose the VLAN to which this SSID is mapped All traffic from the wireless cl...

Page 47: ... network use 802 11g Only 802 11g clients can connect to the access point 802 11b g mixed Choose this mode if some devices in the wireless network use 802 11b and others use 802 11g Both 802 11b and 802 11g clients can connect to the access point 802 11n only Choose this mode if all devices in the wireless network can support 802 11n Only 802 11n clients operating in the 2 4 GHz frequency can conn...

Page 48: ... then be directed to a specified web portal after login successfully before they can access the Internet NOTE Only one SSID can be set for Guest WLAN access and Captive Portal WLAN access STEP 4 Specify the wireless connectivity settings for all enabled SSIDs Depending on the wireless connectivity type that you selected for the SSID you need to complete the relevant settings for each enabled SSID ...

Page 49: ...et up a wireless connection to this SSID PC Visibility Check the box so that the wireless clients on the same SSID will be able to see eachother STEP 3 In the Security Settings area specify the wireless security settings Security Mode Choose the security mode and configure the correspoinding information For security purposes Cisco strongly recommends WPA2 for wireless security For example if you c...

Page 50: ...ion SSID Enter the SSID name Broadcast SSID Check the box to broadcast the SSID in its beacon frames All wireless devices within range are able to see the SSID when they scan for available networks Uncheck the box to prevent auto detection of the SSID In this case users must know the SSID to set up a wireless connection to this SSID PC Visibility Check the box so that the wireless clients on the s...

Page 51: ...e SSID In this case users must know the SSID to set up a wireless connection to this SSID PC Visibility Check the box so that the wireless clients on the same SSID are able to see eachother STEP 3 In the Security Settings area specify the wireless security settings Security Mode Choose the security mode and configure the correspoinding information For the complete details for how to configure the ...

Page 52: ...r sends to your security appliance for authentication For example if you select Internal for authentication and the web portal is set to www ABcompanyC com when a wireless user tries to access the website www google com the default web authentication login page opens The user needs to enter the user name and password and then click Submit After login the user is directed to the www ABcompanyC com ...

Page 53: ... provider Password Enter the password of the account that you registered in the DDNS provider Host Domain Name Specify the complete host name and domain name for the DDNS service STEP 3 After you are finised click Next The DMZ Configure window opens From this page you can the DMZ network For complete details see Configuring the DMZ page 48 STEP 4 After you are finished click Next The DMZ Service w...

Page 54: ...onfigurable port from the Port list and click Access to add it to the Member list The selected configurable port will be set to a DMZ port with Access mode Zone Choose the default or custom DMZ zone to which the DMZ is mapped STEP 3 In the DHCP Pool Settings tab choose the DHCP mode from the DHCP Server drop down list Disable Choose this option if the computers on the DMZ are configured with stati...

Page 55: ...e primary WINS server WINS 2 Optionally enter the IP address of a secondary WINS server Domain Name Optionally enter the domain name for the DMZ Default Gateway Enter the IP address of default gateway STEP 5 Click OK to save your settings STEP 6 Connect your local server to the specified DMZ port and then configure the DMZ service Configuring the DMZ Services In the DMZ Service window follow these...

Page 56: ...r that will need to be translated You can get the IP address after you connect your local server to the specified DMZ port If the IP address you want is not in the list choose Create an IP Address to create a new IP address object To maintain the IP address objects go to the Networking Address Object Management page See Address Management page152 WAN Choose either WAN1 or WAN2 or both as the incom...

Page 57: ... from GE 6 to GE10 as the secondary WAN interface The dedicated physical port GE1 is set as the primary WAN interface STEP 3 After you are finished click Next The Primary WAN Connection window opens Depending on the requirements of your ISP choose the network addressing mode from the IP Address Assignment drop down list for the primary WAN port and complete the corresponding fields The security ap...

Page 58: ...2 as the primary link By default WAN1 is set as the primary link and WAN2 is set as the backup link You can also set WAN2 as the primary link Preempt Delay Timer Enter the time in seconds that the system will preempt the primary link from the backup link after the primary link is up again The default is 5 seconds STEP 6 After you are finished click Next The Network Detection window opens From this...

Page 59: ...Wizard to Establish the Site to Site VPN tunnel page 53 Configuring the IKE Policies page 55 Configuring the Transform Policies page 57 NOTE Before you begin you need to know the subnet address of your local and remote networks and import the digital certificates for authentication between the two peers if needed Using the Site to Site Wizard to Establish the Site to Site VPN tunnel STEP 1 Click W...

Page 60: ... same here and on the remote peer Certificate If you choose this option choose the local certificate and the peer certificate for authentication On the remote site the selected local certificate should be set as the peer certificate and the selected peer certificate should be set as the local certificate If the certificate you want is not in the list go to the Device Management Certificate Managem...

Page 61: ...ance can support multiple subnets for IPSec VPN tunnel you may need to select a group address object including multiple VLANs for local and remote network STEP 6 After you are finished click Next The Summary window opens The Summary window displays the summary information for all configurations you made STEP 7 Click Submit to save your settings and exit the Site to Site Wizard Configuring the IKE ...

Page 62: ... to authenticate RSA SIG is a digital certificate with keys generated by the RSA signatures algorithm In this case a certificate must be configured in order for the RSA Signature to work D H Group Choose the Diffie Hellman group identifier The identifier is used by two IPsec peers to derive a shared secret without transmitting it to each other The D H Group sets the strength of the algorithm in bi...

Page 63: ...sures that a packet comes from where it says it comes from and that it has not been modified in transit The default is ESP_SHA1_HMAC ESP_SHA1_HMAC Authentication with SHA_1 160 bit ESP_MD5_HMAC Authentication with MD5 128 bit MD5 has a smaller digest and is considered to be slightly faster than SHA_1 A successful but extremely difficult attack against MD5 has occurred however the HMAC variant IKE ...

Page 64: ...PSec VPN User Groups page 63 Using SSL VPN to Establish the SSL VPN Tunnels page 63 Configuring the SSL VPN Group Policies page 66 Configuring the SSL VPN User Groups page 69 Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels The security appliance can function as a Cisco IPSec VPN server to allow the remote users to establish the IPSec tunnels and securely access the corporate network resou...

Page 65: ...ose this option enter the desired value that the peer device must provide to establish a connection The pre shared key must be entered exactly the same here and on the remote clients Certificate If you choose this option choose a local certificate and a remote certificate for authentication On the remote clients the selected local certificate should be set as the remote certificate and the selecte...

Page 66: ...is purpose Dynamic DNS has to be configured because the IP address will change due to failover or let the remote gateway use a dynamic IP address WAN Interface Choose the WAN interface that the traffic passes through over the IPSec VPN tunnel STEP 5 After you are finished click Next The Network Setting window opens From this page you can configure the mode of operation The operation mode determine...

Page 67: ...rated by the Zone Access Control settings will be automatically added to the firewall access rule table with the priority higher than the default access rules but lower than the custom access rules STEP 7 After you are finished click Next The DNS WINS Setting window opens From this page you can specify the DNS and domain settings Primary DNS Server Enter the IP address of the primary DNS server Se...

Page 68: ... enter the IP address in the IP filed and and netmask address in the Netmask filed and then click Add To delete a subnet choose a subnet from the list and then click Delete STEP 10 After you are finished click Next The Cisco IPSec VPN Group Policy Summary window opens The Group Policy Summary page displays the summary information for all configurations that you made for the Cisco IPSec VPN group p...

Page 69: ...licy for the group The Cisco IPSec VPN service must be enabled for this user group so that all members of the group to securely access your network resources over the IPSec VPN tunnels STEP 3 In the Membership tab specify the members of the user group To add a member select an existing user from the User list and then click the right arrow The members of the groups appear in the Membership list To...

Page 70: ... connectting purposes Certificate File Choose a certificate to authenticate the users who want to access your network resource through the SSL VPN tunnel Client Address Pool The SSL VPN gateway has a configurable address pool with maximum size of 255 which is used to allocate IP addresses to the remote clients Enter the IP address pool for all remote clients The client is assigned an IP address by...

Page 71: ...L VPN client must send an IP address lease renewal request to the server Max MTU Enter the maximum transmission unit for the session Rekey Method Specify the session rekey method SSL or New Tunnel Rekey allows the SSL keys to be renegotiated after the session is established Rekey Interval Enter the frequency of the rekey in this field STEP 6 After you are finished click Next The SSL VPN Group Poli...

Page 72: ...fter you click Add the Group Policy Add Edit window opens STEP 2 In the Basic Settings tab enter the following information Policy Name Enter the name for the SSLP VPN group policy Primary DNS Enter the IP address of the primary DNS server Secondary DNS Enter the IP address of the secondary DNS server Primary WINS Enter the IP address of the primary WINS server Secondary WINS Enter the IP address o...

Page 73: ...d and excluded at the same time Enable Split Tunneling By default the SSL VPN gateway operates in full tunnel mode which means that all of traffic from the host is directed through the tunnel Check the box to enable the Split Tunnel mode so that the tunnel is used only for the traffic that is specified by the client routes Split Include If you enable split tunneling choose one of the following opt...

Page 74: ...acket destined for myfavoritesearch com would be handled by the ISP s DNS By default this feature is configured on the SSL VPN gateway and is enabled on the client To use Split DNS you must also have Split Tunnel mode configured To add a domain to the Cisco AnyConnect VPN Client for tunneling packets to destinations in the private network end the domian name in the field and then click Add To dele...

Page 75: ...he letters numbers or underline for the SSL VPN user group Services Specify the service policy for the group The SSL VPN service must be enabled for this user group Choose a SSL VPN group policy so that all members of the group at the remote site can establish the SSL VPN tunnels based on the selected SSL VPN group policy to access your network resources STEP 3 In the Membership tab specify the me...

Page 76: ...s page 74 Wireless Status for ISA550W and ISA570W page 79 Active Users page 81 VPN Status page 81 Reports page 85 Process Status page 92 Resource Utilization page 92 To access the Status pages click Status in the left hand navigation pane System Status The Dashboard page displays the current system status To open this page click Status Dashboard Router Information System Name The device name of yo...

Page 77: ...ult the security appliance boots up with the primary firmware To switch to the secondary firmware see Using the Secondary Firmware page 300 Bootloader Version The bootloader version Serial Number The security appliance serial number PID The product identifier PID of the security appliance also known as product name model name and product number UDI The Unique Device Identifier UDI of the security ...

Page 78: ...s Click the number link for details Warning Total number of Warning logs Click the number link for details Notification Total number of Notification logs Click the number link for details Information Total number of Information logs SSL Users Total number of active SSL VPN sessions Click the SSL Users link for details IPSec Users Total number of active IPSec VPN sessions that initiated by your sec...

Page 79: ...s for all VLANs click details DMZ Interface To see complete details for DMZ click details Wireless Interface To see complete details for all SSIDs click details Mode The link status of the physical interface WAN1 to WANx The name of the WAN interface IP Address The IP addresses assigned to the WAN interface Index The VLAN ID Name The VLAN name DHCP Mode The DHCP mode of the VLAN IP Address The sub...

Page 80: ...g protocol that determines a network host s Link Layer or hardware address when only the Internet Layer IP or Network Layer address is known The ARP table displays the IP addresses and corresponding MAC addresses of the devices under your local network To open this page click Status Interface Status Show ARP Table SSID Number The SSID ID SSID Name The SSID name VLAN The VLANs to which the SSID is ...

Page 81: ...e following information for all physical ports Device Indicates the interface for which the ARP parameters are defined IP Address The IP address assigned to the host or the remote device MAC Address The MAC address of the host or the remote device Lease Start Time The lease starting time of the IP address Lease End Time The lease ending time of the IP address Port The number of the physical port N...

Page 82: ...nternet for the WAN interface Connection Time How long the WAN interface is connected in seconds Connection Status Shows if the WAN interface obtains an IP address successfully or not If yes the connection status shows as Connected MAC Address The MAC address of the WAN interface IP Address The IP address of the WAN interface that is accessible from the Internet Netmask The IP address of subnet ma...

Page 83: ...able displays the traffic data for all active physical ports Name The VLAN name VID The VLAN ID Address The subnet IP address and netmask of the VLAN Physical Port The physical ports that are assigned to the VLAN Zone The zone to which the VLAN is mapped Name The DMZ name VID The VLAN ID Address The subnet IP address and netmask of the DMZ Physical Port The physical port that is assigned to the DM...

Page 84: ...s received by the port per second Up Time How long the port has been active The uptime is reset to zero when the security appliance or the port is restarted Name The name of the WAN port Tx Pkts The number of IP packets going out of the WAN port Rx Pkts The number of IP packets received by the WAN port Collisions The number of signal collisions that have occurred on this WAN port Tx B s The number...

Page 85: ...to view the wireless status and the number of client stations that are connected to the SSIDs It includes the following sections Wireless Status page 80 Client Status page 81 Collisions The number of signal collisions that have occurred on this VLAN Tx B s The number of bytes going out of the VLAN per second Rx B s The number of bytes received by the VLAN per second Up Time How long the LAN port h...

Page 86: ...the following information of all active SSIDs Wireless Statistics Table This table displays the traffic data for a given SSID SSID Number The SSID ID SSID Name The SSID name MAC The MAC address of the SSID VLAN The VLAN to which the SSID is mapped Client List The number of client stations that are connected to the SSID Name The SSID name Tx Pkts The number of transmitted packets on the SSID Rx Pkt...

Page 87: ...inate an active user session To open this page click Status Active Users You can check the following user session information VPN Status The VPN Status pages display the status and statistic information of IPSec and SSL VPN sessions You can manually connect or disconnect the VPN tunnels It includes the following sections IPSec VPN Status page 82 SSL VPN Status page 83 User Name The name of the log...

Page 88: ...onnection type of the IPSec VPN session such as Site to Site Cisco IPSec VPN Server or Cisco IPSec VPN Client WAN Interface The WAN interface used for the IPSec VPN session Remote Gateway The IP address of the remote gateway for a Site to Site VPN session or the IP address of the remote VPN client for a Cisco IPSec VPN session Local Network The subnet IP address and netmask of your local network R...

Page 89: ...traffic in Kilobytes transmitted from the VPN tunnel Rx Bytes The volume of traffic in Kilobytes received from the VPN tunnel Tx Pkts The number of IP packets transmitted from the VPN tunnel Rx Pkts The number of IP packets received from the VPN tunnel Session ID The SSL VPN session ID User Name The name of the connected SSL VPN user Client IP Actual The actual IP address used by the SSL VPN clien...

Page 90: ...rames received from all clients In CSTP bytes The total number of bytes in the CSTP frames received from all clients In CSTP data The number of CSTP data frames received from all clients In CSTP control The number of CSTP control frames received from all clients Out CSTP frames The number of CSTP frames sent to all clients Out CSTP bytes The total number of bytes in the CSTP frames sent to all cli...

Page 91: ...ontrol frames implement control functions within the protocol Data frames carry the client data such as the tunneled payload Reports The security appliance provides the report ability to help the operator or administrator analyze the system performance and security It includes the following sections Reports of Event Logs page 86 Reports of WAN Bandwidth page 87 Reports of Security Services page 87...

Page 92: ...d IP Bandwidth This report lists the top 25 users of bandwidth usage It displays the number of megabytes transmitted per IP address since the system is up Service Bandwidth This report lists the top 25 Internet services that consume the most bandwidth It displays the number of megabytes received from the service since the system is up This report is helpful to determine whether the services being ...

Page 93: ... for the primary WAN interface by hour in the past 24 hours STEP 5 If a secondary WAN interface is configured in the Secondary WAN tab you can see the run time network bandwidth usage for the secondary WAN interface by hour in the past 24 hours STEP 6 Click Reset to reset the network bandwidth usages for both the primary WAN and secondary WAN interfaces Reports of Security Services The Security Se...

Page 94: ...umber of viruses detected by the Anti Virus service In the Anti Virus tab check the Enable Anti Virus Report box to enable this report and then click Save to save your settings After you enable this report the corresponding statistic information is displayed Device System Date The current date for counting the data Total since the service was actived The total number of web access requests process...

Page 95: ...mber of files checked and the total number of viruses detected in last seven days Total for today The total number of files checked and the total number of viruses detected in one day Graph Shows the total number of files checked and the total number of viruses detected by day for last seven days Device System Date The current date for counting the data Total since the service was actived The tota...

Page 96: ...kets dropped by the IPS service In the IPS Policy Protocol Inspection tab check the Enable IPS Policy Protocol Inspection Report box to enable this report and then click Save to save your settings After you enable this report the corresponding statistic information is displayed Device System Date The current date for counting the data Total since the service was actived The total number of packets...

Page 97: ...er of packets for suspicious behaviors and attacks detected and the total number of packets dropped in last seven days Total for today The total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped in one day Graph Shows the total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped by day for las...

Page 98: ... number of packets blocked by day for last seven days Name The process name that is running on your security appliance Description A brief description for the running process Protocol The protocol that is used by the socket Port The port number of the local end of the socket Local Address The IP address of the local end of the socket Foreign Address The IP address of the remote end of the socket C...

Page 99: ...emory Utilization Total Memory The total amount of memory space available on the security appliance Used Memory The amount of memory space used by the processes at current time Free Memory The amount of memory space not used by the processes at current time Cached Memory The amount of memory space used as cache at current time Buffer Memory The amount of memory space used as buffers at current tim...

Page 100: ...IP Routing Mode page 95 Port Management page 95 Configuring the WAN page101 Configuring the WAN Redundancy page112 Configuring the VLAN page118 Configuring the DMZ page 123 Configuring the Zones page127 Configuring the Routing page130 Dynamic DNS page136 IGMP page 138 VRRP page 139 Configuring the Quality of Service page 140 Address Management page 152 Service Management page154 To access the Netw...

Page 101: ... addressing enable the IPv4 IPv6 mode STEP 1 Click Networking IPv4 IPv6 Routing Mode The IPv4 IPv6 Routing Mode window opens STEP 2 Click IPv4 IPv6 mode to enable both IPv4 and IPv6 addressing or click IPv4 only mode to enable only IPv4 addressing STEP 3 Click Save to save your settings Port Management This section describes how to configure the physical ports enable or disable the port mirroring ...

Page 102: ...d to forward or filter the untagged packets coming into port The PVID of a trunk port is fixed to the DEFAULT VLAN 1 Speed Duplex The duplex mode speed and duplex setting of the physical port Link Status Shows if the physical port is connected or not If you are using the ISA550W or ISA570W in the Wireless Interfaces area all active SSIDs available on your security appliance are listed in the table...

Page 103: ...t is tagged Untagged data coming into the port is not forwarded except for the DEFAULT VLAN which is untagged Trunk mode is recommended if the port is connected to a VLAN aware switch or router Port Click On to enable the port or click Off to disable it By default all ports are enabled VLAN You can assign the physical port to VLANs To assign the port to a VLAN choose an existing VLAN from the Avai...

Page 104: ...authorized devices 802 1X capable clients from gaining access to the network The IEEE 802 1X standard defines a client server based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports The authentication server authenticates each client supplicant in Windows 2000 XP Vista Windows 7 and Mac OS connected to a port b...

Page 105: ...rol Check the box to enable 802 1X access control This feature is not available for Trunk ports Authenticated VLAN If you enable 802 1X access control choose the authenticated VLAN to which this port is assigned The users who authenticated successfully can access the authenticated VLAN through the port If the authentication fails block the access on the port Guest Authenticated If you enable 802 1...

Page 106: ...ns when the link state of the port transitions from down to up or when an EAPOL start frame is received The security appliance requests the identity of the client and begins relaying authentication messages between the client and the authentication server Each client attempting to access the network is uniquely identified by the security appliance by using the client s MAC address STEP 6 Click Sav...

Page 107: ...d to receive a public IP address from your ISP automatically through DHCP Depending on the requirements of your ISP you may need to modify the WAN settings to ensure Internet connectivity This section describes how to configure the WAN connections by using the account information provided by your ISP It includes the following sections Configuring the Primary WAN page101 Configuring the Secondary W...

Page 108: ...u can use the unique 48 bit local Ethernet address of the security appliance as your MAC address source Use Default MAC Address Choose this option to use the default MAC address Use the Following MAC Address If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP choose this option and enter the MAC address that your ISP requires for this connec...

Page 109: ...s Enter the number of common initial bits in the network s addresses The default prefix length is 64 Default IPv6 Gateway Enter the IPv6 address of the gateway for your ISP This is usually provided by the ISP or your network administrator Primary DNS Server Enter a valid IP address of the primary DNS Server Secondary DNS Server Optional Optionally enter a valid IP address of the secondary DNS Serv...

Page 110: ...oose the network addressing mode for the secondary WAN depending on the requirements of your ISP For complete details see Configuring the Network Addressing Mode page 106 DNS Server Source DNS servers map Internet domain names example www cisco com to IP addresses You can get DNS server addresses automatically from your ISP or use ISP specified addresses Get Dynamically from ISP Choose this option...

Page 111: ...curity appliance can generate its own addresses using a combination of locally available information and information advertised by routers Static IP If your ISP assigned a static IPv6 address configure the IPv6 WAN connection in the following fields IPv6 Address Enter the static IP address that was provided by your ISP IPv6 Prefix Length The IPv6 network subnet is identified by the initial bits of...

Page 112: ... port will be the DHCP client and get the IP address from your ISP or the peer router Choose DHCP for most of Internet service providers that use the cable modem Choose this option if your ISP automatically assigns you a dynamic IP address and enter the following information MTU The Maximum Transmission Unit is the size in bytes of the largest packet that can be passed on Choose Auto to use the de...

Page 113: ...nter the IP address of the subnet mask Gateway Enter the IP address of default gateway DNS0 Enter the IP address of the primary DNS server DNS1 Enter the IP address of the secondary DNS server MTU The Maximum Transmission Unit is the size in bytes of the largest packet that can be passed on Choose Auto to use the default MTU size or choose Manual if you want to specify another size MTU Value If yo...

Page 114: ...w PPPoE profile by choosing Create a PPPoE Profile See Configuring the PPPoE Profiles page111 User Name Password Enter the user name and password that are required to log into the ISP Authentication Type Choose the authentication type specified by your ISP Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity Idle Tim...

Page 115: ... up connections or PPTP VPN connections Check the box to enable the MPPE encryption to provide data security for the PPTP connection that is between the VPN client and VPN server Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity Idle Time This choice is recommended if your ISP fees are based on the time that you s...

Page 116: ...er the IP address of the L2TP server Secret Optional L2TP incorporates a simple optional CHAP like tunnel authentication system during control connection establishment Enter the secret for tunnel authentication if necessary Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity Idle Time This choice is recommended if y...

Page 117: ...rofile User Name Enter the user name that is required to log into the ISP Password Enter the password that is required to log into the ISP Authentication Type Choose the method to authenticate the PPP sessions as specified by your ISP Auto The PPP protocol auto negotiates the authentication method PAP Password authentication protocol PAP is used by PPP protocol to validate the users before allowin...

Page 118: ...mended if your ISP fees are based on the time that you spend online MTU The Maximum Transmission Unit MTU is the size in bytes of the largest packet that can be passed on Choose Auto to use the default MTU size or choose Manual if you want to specify another size MTU Size If you choose Manual enter the custom MTU size in bytes NOTE For PPPoE connections the default MTU size is 1492 bytes Unless a ...

Page 119: ...ncy page117 Configuring the Link Failover Detection page117 Loading Balancing for WAN Redundancy The Load Balancing can segregate traffic between links that are not of the same speed For example you can bind the high volume services through the port that is connected to a high speed link and bind the low volume services to the port that is connected to the slower link The Load Balancing is impleme...

Page 120: ...ted Load Balancing Distributes the bandwidth to two WAN ports by the weighted percange or by the weighted link bandwidth If you choose this mode choose one of the following options and finish the setting Weighted By Percentage Allows you to set the percentage for each WAN such as 80 percentage bandwidth for WAN1 and lest 20 percentage bandwidth for WAN2 Weighted By Link Bandwidth Allows you to set...

Page 121: ...e DSL link As lots of secure websites such as bank or online shopping are sensitive to flip flop the source IP address let the traffic for https ftp video and game go through the cable link Configuration Tasks Configure a configurable port as the secondary WAN port WAN2 See Configuring the Secondary WAN page104 Connect the cable modem to the primary WAN port WAN1 and connect the DSL modem to the s...

Page 122: ...igured with Failover Figure 3 Example Dual WAN Ports with Failover STEP 1 Click Networking WAN Redundancy WAN Redundancy Operation Configuration The WAN Redundancy Operation Configuration opens STEP 2 Choose Failover if you want to use one ISP link as a backup and enter the following information Auto Failover to Choose either WAN1 or WAN2 as the primary link By default WAN1 is set as the primary l...

Page 123: ...orward the traffic to the primary WAN The traffic for other static routings are forwarded to the secondary WAN For more inforamtion to configure the static routing policies see Configuring the Static Routing page 132 NOTE The Link Failover Detection settings will be ignored if you enable the Routing Table feature Configuring the Link Failover Detection The Link Failover Detection feature detects t...

Page 124: ...if the primary WAN remote host can be detected the network connection is active In Load Balancing mode if the primary WAN and secondary WAN remote hosts can be detected the WAN connection is active DNS Detection Choose this option to detect the WAN failure by looking up the DNS servers that you specify in the following fields DNS Lookup using WAN DNS Servers The security appliance sends the DNS qu...

Page 125: ... After you click Add or Edit the VLAN Add Edit window opens STEP 3 In the Basic Setting tab enter the following information Name Enter a descriptive name for the VLAN VID Enter an unique identification number for the VLAN which can be any number from 3 to 4089 The VLAN ID 1 is reserved for the DEFAULT VLAN and the VLAN ID 2 is reserved for the GUEST VLAN IP Enter the subnet IP address for the VLAN...

Page 126: ... LAN port Changing the port type will wipe out all configurations relative to the physical port Zone Choose the zone to which the VLAN is mapped By default the DEFAULT VLAN is mapped to the LAN zone and the GUEST VLAN is mapped to the GUEST zone STEP 4 In the DHCP Pool Settings tab choose the DHCP mode from the DHCP Server drop down list Disable Choose this option if the computers on the VLAN are ...

Page 127: ...oot file name or configuration file name on the specified TFTP server Optional 150 Supports a list of TFTP servers 2 TFTP servers Enter the IP addresses of TFTP servers Separate multiple entries with commas NOTE Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at sma...

Page 128: ...Use the Static IP Reservations page to bind the MAC address of the device with the desired IP address Whenever the DHCP server receives a request from a device the hardware address is compared with the database If the device is found then the reserved IP address is used Otherwise an IP address is assigned automatically from the DHCP pool STEP 1 Click Networking Static IP Reservations The Static IP...

Page 129: ... include any hosts that must be exposed to the WAN such as web or email servers The DMZ configuration is identical to the VLAN configuration There are no restrictions on the IP address or subnet assigned to the DMZ port except it cannot be identical to the IP address given to the predefined VLANs Figure 4 Example DMZ with One Public IP Address for WAN and DMZ 235140 www example com Internet Public...

Page 130: ... to the web server The same IP address is used for the WAN interface Figure 5 Example DMZ with Two Public IP Addresses In this scenario the ISP has supplied two static IP addresses 209 165 200 225 and 209 165 200 226 The address 209 165 200 225 is used for the security appliance s public IP address The administrator configures the configurable port to be used as a DMZ port and created a firewall a...

Page 131: ... DMZ Netmask Enter the subnet mask for the DMZ Spanning Tree Check the box to enable the Spanning Tree feature to determine if there are loops in the network topology Port Specify a configurable port as a DMZ port The traffic through the DMZ port is directed to the DMZ All available configurable ports appears in the Port list choose a port and click Access to add it to the Member list The selected...

Page 132: ... in the DHCP range End IP Enter the last IP address in the DHCP range Any new DHCP client joining the DMZ is assigned an IP address between the Start IP address and the End IP address NOTE The Start and End IP addresses must be in the same subnet with the DMZ s subnet IP address Lease Time Enter the maximum connection time that a dynamic IP address is leased to a network user When the time elapses...

Page 133: ...les page195 or Configuring Advanced NAT Rules page197 and create a firewall access rule to allow the inbound access to the server see Configuring a Firewall Access Rule page183 If you want to reserve certain IP addresses for specified devices go to the Networking Static IP Reservations page See Configuring DHCP Reserved IPs page122 You must enable DCHP Server mode or DHCP Relay mode for this purpo...

Page 134: ...t than a Guest zone but a lower level of trust than a VPN zone The DMZ zone is a public zone Guest 25 Offers a higher level of trust than an untrusted zone but a lower level of trust than a public zone Guest zones can only be used for guest access Untrusted 0 Offers the lowest level of trust It is used by both the WAN and the virtual multicast zones You can map one or multiple WAN interfaces to an...

Page 135: ...s You can custom new zones for your specific business needs STEP 1 Click Networking Zone The Zone window opens All predefined and custom zones are listed in the table STEP 2 Click Reset Zone Configuration to restore your zone configurations to the factory default settings All custom zones will be removed and the relevant settings to these custom zones will be cleaned up after you perform this oper...

Page 136: ...security level of the new zone By default the firewall prevents all inbound traffic and allows all outbound traffic To customize firewall access rules for the new zone go to the Firewall ACL Rules Rule page For more information see Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic page178 Map the security services to zones If you enabled the security services such as IP...

Page 137: ...our ISP assigns an IP address for each of the computers that you use click On to enable the Routing mode When you enable the Routing mode the NAT settings are disabled STEP 3 If you are sharing IP addresses across several devices such as your LAN and using other dedicated devices for the DMZ click Off to disable the Routing mode STEP 4 Click Save to apply your settings Viewing the Routing Table ST...

Page 138: ... Networking Routing Static Routing The Static Routing window opens STEP 2 To add a static route click Add Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Static Routing Add Edit window opens STEP 3 Enter the following information Destination Address Ch...

Page 139: ...h other routers and allows it to dynamically adjust its routing tables and adapt to changes in the network STEP 1 Click Networking Routing Dynamic RIP The Dynamic RIP window opens STEP 2 Enter the following information RIP Enable Click On to enable RIP or click Off to disable it By default RIP is disabled RIP Version If you enable RIP specify the RIP version The security appliance supports RIPv1 a...

Page 140: ...ed Routing PBR allows users to specify the internal IP and or service going through a specified WAN port to provide more flexbile and granular traffic handling capabilities This feature can be used to segregate traffic between links that are not of the same speed High volume traffic can be routed through the port connected to a high speed link and low volume traffic can be routed through the port ...

Page 141: ...se an internal IP address that passes through the specific WAN port Dest IP For service binding only choose Any For IP binding only choose an IP address as the destination IP address of the outbound traffic If the address object is not in the list choose Create New Address to create a new address object To main the address objects go to the Networking Address Object Management page See Address Man...

Page 142: ...Static Routing rules traffic A will be firstly handled by the PBR or Static Routing rules while other traffic follows the Weighted Loading Balance settings Dynamic DNS Dynamic DNS DDNS is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names If your ISP has not provided you with a static IP and your WAN connection is configured to use DH...

Page 143: ...When WAN failover occurs DDNS will switch the traffic to the active WAN interface User Name Enter the user name of the account you registered in the DDNS provider Password Enter the password of the account you registered in the DDNS provider Host and Domain Name Specify the complete host name and domain name for the DDNS service Use wildcards Check this box to allow all subdomains of your DDNS hos...

Page 144: ...on 3 that is backward compatible with the previous versions NOTE By default the multicast traffic from Any zone to Any zone is blocked by the default firewall access rules When you enable IGMP Proxy and want to receive the multicast packets from WAN to LAN you need to uncheck the Block Multicast Packets box in the Firewall Attack Protection page and create a firewall access rule to permit the mult...

Page 145: ...ueries from either IGMP or the IGMP snooping querier Click On to enable IGMP Snooping or click Off to disable it STEP 3 Click Save to apply your settings VRRP The Virtual Router Redundancy Protocol VRRP is a redundancy protocol for LAN access device VRRP configures a groups of routers include a master router and several backup routers as a virtual router STEP 1 Click Networking VRRP The VRRP windo...

Page 146: ...e current master virtual router NOTE All routers in a VRRP group must use the same advertisement interval value If the interval values are not same the routers in the VRRP group will not communicate with eachother and any misconfigured router will change its state to master Verify Click On to enable the authentication or click Off to disable it If you enable the authentication specify the authenti...

Page 147: ... Networking QoS General Settings The General Settings window opens STEP 2 Enter the following information WAN QoS Check this box to enbale the WAN QoS feature By default WAN QoS is disabled LAN QoS The LAN QoS specifies priority values that can be used to differentiate the traffic and give preference to higher priority traffic such as telephone calls Check this box to enbale the LAN QoS feature By...

Page 148: ...bps STEP 3 Click Save to apply your settings NOTE Next Steps To specify the WAN queue settings go to the WAN QoS Queue Settings page See Configuring the WAN Queue Settings page 142 To specify the traffic classes for WAN interfaces go to the WAN QoS Traffic Selector Classification page See Configuring the Traffic Selectors for WAN Interfaces page144 To create the WAN QoS policy profiles go to the W...

Page 149: ...rly Detection RED mechanism RED is a congestion avoidance mechanism that takes advantage of TCP s congestion control mechanism By randomly dropping packets prior to periods of high congestion RED tells the packet source to decrease its transmission rate Assuming the packet source is using TCP it will decrease its transmission rate until all the packets reach their destination indicating that the c...

Page 150: ...d in the table STEP 2 To add a new traffic selector click Add Other options To edit an entry click Edit To delete an entry click Delete After you click Add or Edit the QoS Class Add Edit window opens STEP 3 Enter the following information Class Name Enter a descriptive name for the traffic class Source Address Choose Any or choose an existing address or group address network that the traffic comes...

Page 151: ... 0 and 7 that can be used to differentiate traffic and give preference to higher priority traffic Choose the CoS remarking value for the traffic class VLAN Choose the VLAN for identifying the host to which the traffic selector will apply NOTE The traffic that matches up with the above settings will be classified to a class for management purposes STEP 4 Click Save to apply your settings Configurin...

Page 152: ... disabled for the inbound traffic policy profile DSCP Marking Choose the DSCP remarking value to assign the priority for the traffic CoS Marking For an inbound traffic policy profile choose the CoS remarking value to assign the priority for the inbound traffic This option will be disabled for the outbound traffic policy profile Policing Enter the amount of bandwidth limitation for the selected tra...

Page 153: ...values that can be used to differentiate traffic and give preference to higher priority traffic such as telephone calls It includes the following topics Configuring the LAN Queue Settings page147 Configuring the LAN QoS Classification Methods page148 Mapping CoS to LAN Queue page 149 Mapping DSCP to LAN Queue page149 Configuring Default CoS page149 Configuring the LAN Queue Settings Use the Queue ...

Page 154: ...lways sending traffic greater than the maximum bandwidth of the LAN ports STEP 4 Click Save to apply your settings NOTE Next Steps To specify the LAN QoS classification method go to the LAN QoS Classification Method page See Configuring the LAN QoS Classification Methods page148 To map the CoS to LAN queues go to the LAN QoS Mapping CoS to Queue page See Mapping CoS to LAN Queue page149 To map the...

Page 155: ... where Q4 is the lowest and Q1 is the highest STEP 3 Click Save to apply your settings Mapping DSCP to LAN Queue STEP 1 Click Networking QoS LAN QoS Mapping DSCP to Queue The Mapping DSCP to Queue window opens STEP 2 Choose the traffic forwarding queue to which the DSCP priority tag value is mapped Four traffic priority queues are supported where Q4 is the lowest and Q1 is the highest STEP 3 Click...

Page 156: ...ods page151 Mapping CoS to Wireless Queue page 151 Mapping DSCP to Wireless Queue page151 Default Wireless QoS Settings The Wireless QoS uses the default queuing method for wireless traffic Wireless traffic is always trusted The wireless QoS treats all untagged packets as tagged packets with the default CoS value 0 so that the security appliance can refer to the CoS to Queue mapping settings to ob...

Page 157: ... Method window opens STEP 2 Depending on your networking design choose either DSCP or CoS remarking method for traffic through each active SSID STEP 3 Click Save to apply your settings Mapping CoS to Wireless Queue STEP 1 Click Networking QoS Wireless QoS Mapping CoS to Queue The Mapping CoS to Queue window opens STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is map...

Page 158: ...e following topics Configuring the Addresses page152 Configuring the Group Addresses page153 Configuring the Addresses STEP 1 Click Networking Address Object Management The Address Object Management window opens All existing address objects are listed in the Address table STEP 2 In the Address Table area click Add to add a new address Other options To edit an entry check the box and click Edit To ...

Page 159: ...s address and a corresponding netmask As a general rule the first address in a network the network address and the last address in a network the broadcast address are unusable If you choose Network enter the subnet IP address in the IP Address field and the broadcast address in the Netmask field MAC Identifies a host by its hardware address or MAC Media Access Control address MAC addresses are uni...

Page 160: ...ck the left arrow STEP 6 Click OK to save your settings STEP 7 Click Save to apply your settings Service Management Use the Services page to maintain the service or group service objects The security appliance is configured with a long list of standard services so you can use to configure the firewall access rules port forwarding rules or other features For more information see Default Service Obj...

Page 161: ...n TCP IP TCP ensures that a message is sent accurately and in its entirety If you choose this option enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field UDP User Datagram Protocol UDP is a protocol within the TCP IP protocol suite that is used in place of TCP when a reliable delivery is not required If you choose this option enter the...

Page 162: ... an entry click Delete To delete multiple entries check the boxs of multiple entries and click Delete Group After you click Add or Edit the Service Table Add Edit window opens STEP 3 Enter the name for the group service in the Name field STEP 4 To add the services to the group select the services from the Services list and click the right arrow to add them into the Member list STEP 5 To remove the...

Page 163: ...Setup page172 Configuring Wireless Rogue AP Detection page173 Configuring Wireless Captive Portal page 174 To access the Wireless pages click Wireless in the left hand navigation pane Configuring the Radio Settings The ISA550W and ISA570W can function as an Internet or network gateway for the wireless clients The ISA550W and ISA570W supports wireless protocols called IEEE 802 11b 802 11g and 802 1...

Page 164: ...radio modes 802 11b only Choose this mode if all devices in the wireless network use 802 11b Only 802 11b clients can connect to the access point 802 11g only Choose this mode if all devices in the wireless network use 802 11g Only 802 11g clients can connect to the access point 802 11b g mixed Choose this mode if some devices in the wireless network use 802 11b and others use 802 11g Both 802 11b...

Page 165: ...nable the SSID uncheck the box to disable the SSID By default all four SSID are enabled SSID Name Enter an unique identifier for the SSID SSID Broadcast Check this box to broadcast the SSID in its beacon frames All wireless devices within range are able to see the SSID when they scan for available networks Uncheck this box to prevent auto detection of the SSID In this case users must know the SSID...

Page 166: ...Settings The Wireless Advanced Settings window opens STEP 2 Enter the following information Guard Interval Choose either Long 800 ns or Short 400 ns that the security appliance will retry a frame transmission that fails NOTE The short frame is only available when the specified wireless network mode includes 802 11n CTS Protection Mode CTS Clear To Send Protection Mode function boosts the ability o...

Page 167: ...To Send RTS Clear To Send CTS handshake before sending A low threshold setting can be useful in areas where many client devices are associating with the wireless device or in areas where the clients are far apart and can detect only the access point but not other clients Although a low threshold value consumes more bandwidth and reduces the throughput of the packet frequent RTS packets can help th...

Page 168: ... multicast traffic which affects network performance This section includes the following topics Configuring the Security Mode page 162 Controlling the Wireless Access Based on MAC Addresses page169 Mapping the SSID to VLAN page 170 Configuring the SSID Schedule page171 Configuring the Security Mode This section describes how to configure the security mode for the SSID NOTE Cisco strongly recommend...

Page 169: ... be configured in the SSID Security Mode Description Open Any wireless device that is in range can connect to the SSID WEP Wired Equivalent Privacy WEP is a data encryption protocol for 802 11 wireless networks All wireless stations and SSIDs on the network are configured with a static 64 bit or 128 bit Shared Key for data encryption The higher the bit for data encryption the more secure for your ...

Page 170: ...tes Message Integrity Code MIC to provide protection against hackers AES uses symmetric 128 bit block data encryption WPA Enterprise WPA Enterprise uses an external RADIUS server for client authentication WPA Enterprise supports TKIP and AES encryption mechanisms default is TKIP This security mode is only available when a RADIUS server is connected to the SSID WPA2 WPA2 provides the best security ...

Page 171: ...ndexes 1 through 4 are available WPA WPA2 This mode allows both WPA and WPA2 clients to connect simultaneously The SSID automatically chooses the encryption algorithm used by each client device This option is a good choice to enable a higher level of security while allowing access by devices that might not support WPA2 The following WPA WPA2 security modes are supported on your security appliance ...

Page 172: ...g information Encryption Choose either TKIP or AES as the encryption algorithm for data encryption The default is TKIP Shared Secret The Pre shared Key PSK is the shared secret key for WPA Enter a string of at least 8 characters to a maximum of 63 characters Key Renewal Timeout Enter a value to set the interval at which the key is refreshed for clients associated to this SSID The valid range is 0 ...

Page 173: ...Key Renewal Timeout Enter a value to set the interval at which the key is refreshed for clients associated to this AP The valid range is 0 to 86400 seconds A value of 0 indicates that the key is not refreshed The default is 3600 seconds RADIUS Server ID The security appliance predefines three RADIUS groups choose an existing RADIUS group for client authentication The following RADIUS server settin...

Page 174: ...elected group are displayed You can also change the RADIUS server settings The RADIUS server settings you specify will replace the default settings of the selected group Go to the Device Management RADIUS Settings page to maintain the RADIUS server settings See Configuring the RADIUS Servers page 319 STEP 11 If you choose WPA WPA2 Enterprise Mixed as the security mode enter the following informati...

Page 175: ...clients The default is Open access which means that the MAC filtering is disabled The MAC Filtering provides additional security but it also adds to the complexity and maintenance Be sure to enter each MAC address correctly to ensure that the policy is applied as intended Before performing this procedure decide whether you want to enter a list of MAC addresses that will be blocked or allowed acces...

Page 176: ... You can add up to 16 MAC addresses you want to deny or permit STEP 5 Click OK to save your settings STEP 6 Click Save to apply your settings Mapping the SSID to VLAN STEP 1 Click Wireless Basic Settings The Wireless Basic Settings window opens STEP 2 In the SSID table area click Edit to edit the settings of the SSID After you click Edit the Edit window opens STEP 3 In the Edit VLAN tab enter the ...

Page 177: ...ou can specify the time per day to keep the SSID active Enter the following information SSID Name The name of the SSID on which the schedule setting is applied Active Time Click On to enable the schedule feature for the SSID or click Off to disable it Disabling the schedule feature will keep the SSID active in 24 hours per day If you enable this feature configure the time range per day to keep thi...

Page 178: ...client has a WPS button follow these steps to estabilsh the wireless connection a Press the WPS button on the wireless client b Click the WPS button on this page c Verify that the wireless client is connected to the SSID STEP 4 If the wireless client has a WPS PIN number follow these steps to establish the wireless connection a Get the PIN number on the wireless client b Enter the PIN number on th...

Page 179: ...e its own wireless LAN Often employees seeking to enhance their productivity will innocently install an access point for their personal use on your network without understanding the security risks The security appliance is configurable by the network administrator to provide proactive rogue AP detection in the 2 4 GHz band Rogue AP Detection RAD is able to discover detect and report an unauthorize...

Page 180: ...ist choose Merge click Browse to locate the file and then click OK STEP 6 Click Save to apply your settings Configuring Wireless Captive Portal The Captive Portal feature allows the wireless users who authenticated successfully to be directed to a specified web page portal before they can access the Internet The wireless users will be directed to a specified web authentication login page to authen...

Page 181: ...with accept button Allows users to access the wireless network without entering a user name and password If you choose this option a web passthrough window is prompted Click the Accept button to access the network without the user name and password External Web Server Uses a customized web authentication login page on an external web server to authenticate the wireless users If you choose this opt...

Page 182: ...e You can import your company logo to change the default Cisco logo that appears in the top right corner of the default page Click Browse to locate and select the logo file from your local PC and then click Upgrade To delete the upgraded logo file and revert the default Cisco logo click Delete STEP 3 In the Monitored HTTP Port List area you can specify the HTTP ports to be monitored The security a...

Page 183: ...ic page178 Configuring the Firewall Schedule page 186 Firewall Access Rule Configuration Examples page187 Configuring the NAT Rules to Securely Access a Remote Network page192 Configuring the Session Settings page 200 Configuring the Content Filtering to Control Access to Internet page 201 Configuring the MAC Filtering to Permit or Block Traffic page 205 Configuring the IP MAC Binding to Prevent S...

Page 184: ...ewall Access Rule to Allow the Multicast Traffic page185 NOTE For detailed firewall configuration examples see Firewall Access Rule Configuration Examples page187 Default Firewall Settings By default your firewall prevents all traffic from a lower security level to a higher security level commonly known as Inbound and allows all traffic from a higher security level to a lower security level common...

Page 185: ...y page to view the default firewall access settings for all predefined zones STEP 1 Click Firewall ACL Rules Default Policy The Default Policy window opens The default access settings for all predefined zones are listed in the table STEP 2 To expand the default access settings for a specific zone click the Expand button To hide the default access settings for a specific zone click the Collapse but...

Page 186: ...ntrol settings go to the VPN pages For more information about the VPN access control settings see VPN page 232 All firewall access rules are displayed in the Rule table and sorted by the priority The custom access rules have the highest priority The VPN access rules have higher priorities than the default access rules but lower than the custom access rules Preliminary Tasks for Configuring the Fir...

Page 187: ...or move it to a specified location in the table MoveUp Moves the rule up one position MoveDown Moves the rule down one position Move Moves the rule to a specific location Enter the target index number to move the selected rule to For example A target index of 2 moves the rule to position 2 and moves the other rules down to position 3 in the list NOTE You cannot reorder the default access rules and...

Page 188: ...ed to enable the Log feature set the log buffer size and the severity for local log and then check the Local Log box for the Firewall log facility To save the firewall logs to the remote syslog server if you have a remote syslog server support you need to enable the Log feature specify the Remote Log settings and then check the Remote Log box for the Firewall log facility For more information abou...

Page 189: ...etworking Zone page For more information about zone configurations see Configuring the Zones page127 Services Choose an existing service or group service that is covered by this rule If the service or group service you want is not in the list choose Create New Service to create new service objects or choose Create New Group to create new group service objects To maintain the service and group serv...

Page 190: ...og settings and log facilities and how to view the logs see Log Management page 302 Match Action Choose the action when the traffic match up with the access rule Deny Deny the access Permit Permit the access Accounting Increase the Hit Count number by one when the packet hits the access rule STEP 4 Click OK to save your settings STEP 5 Click Save to apply your settings NOTE In addition to configur...

Page 191: ...d create a firewall access rule to permit the multicast traffic from WAN to LAN This section provides a configuration example about how to create a WAN to LAN access rule to permit the multicast traffic by using the predefined multicast address STEP 1 Click Firewall ACL Rules Rule The ACL Rules window opens STEP 2 To add a new access rule click Add After you click Add the Rule Add Edit window open...

Page 192: ...s window opens STEP 2 To create a new schedule click Add Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Schedule Add Edit window opens STEP 3 Enter the following information Schedule Name Enter the name for the schedule Schedule Days Schedule the acce...

Page 193: ...ddress User Case You host a FTP server on your LAN You want to open the FTP server to Internet by using the IP address of the WAN1 interface The inbound traffic is addressed to your WAN1 IP address but is directed to the FTP server Solution You can create a port forwarding rule or an Advanced NAT rule to open the internal FTP server to Internet and create a firewall access rule to allow the access...

Page 194: ...to the Firewall ACL Rules Rule page to create a firewall access rule as follows to allow the access From WAN1 To DEFAULT Original source address ANY Original destination address WAN1_IP Original services FTP CONTROL Translated source address ANY Translated destination address InternalFTP Translated services FTP CONTROL From Zone WAN To Zone LAN Services FTP CONTROL Source Address ANY Destination A...

Page 195: ...e as follows to allow inbound traffic to the RDP server Problem DMZ Wizard STEP 1 Set the IP address of 172 39 202 101 to the WAN interface STEP 2 Create a host address object with the IP 192 168 12 101 called RDPServer and a host address object with the IP 172 39 202 102 called PublicIP STEP 3 Create a TCP service object with the port range from 3389 to 3389 called RDP STEP 4 Go to the Firewall N...

Page 196: ...54 Solution Create a range address object with the range 132 177 88 2 to 132 177 88 254 called OutsideNetwork and a host address object with the IP address 192 168 1 110 called InternalIP and then create an access rule as follows In the example connections for CU SeeMe an Internet video conferencing client are allowed only from a specified range of external IP addresses Original services RDP Trans...

Page 197: ...cess rule is in effect and then configure an access rule as follows Blocking Outbound Traffic to an Offsite Mail Server User Case If you want to block access to the SMTP service to prevent a user from sending email through an offsite mail server Solution Create a host address object with the IP address 10 64 173 20 called OffsiteMail and then configure an access rule as follows Source Address Outs...

Page 198: ...T can also provide the following benefits Security Keeping internal IP addresses hidden discourages direct attacks IP routing solutions Overlapping IP addresses are not a problem when you use NAT Flexibility You can change internal IP addressing schemes without affecting the public addresses available externally for example for a server accessible to the Internet you can maintain a fixed IP addres...

Page 199: ...namic PAT The Dynamic PAT window opens STEP 2 Specify the PAT IP address for each WAN interface Auto Use the IP address of the WAN port as the translated IP address Manual Choose a single public IP address or a network address as the translated IP address If the address object you want is not in the list choose Create an IP Address to create a new address object To maintain the address objects go ...

Page 200: ...to allow the access so that the Static NAT rule can function properly STEP 1 Click Firewall NAT Static NAT The Static NAT window opens STEP 2 To add a static NAT rule click Add Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Static NAT Add Edit window ...

Page 201: ...firewall access rule to allow the access so that the port forwarding rule can function properly NOTE To open an internal FTP server to Internet make sure that the internal FTP server is listening on TCP port 21 or the FTP server and client must use the active mode when the internal FTP server is listening on some other TCP port Otherwise the FTP client cannot access the FTP server STEP 1 Click Fir...

Page 202: ...lick Off to create only the port forwarding rule Description Enter the name for the port forwarding rule STEP 4 Click OK to save your settings STEP 5 Click Save to apply your settings Configuring Port Triggering Rules Port triggering opens an incoming port for a specified type of traffic on a defined outgoing port When a LAN device makes a connection on one of the defined outgoing ports the securi...

Page 203: ... Edit To delete an entry click Delete To select multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Port Triggering Add Edit window opens STEP 4 Enter the following information Description Enter the name for the port triggering rule Trigger Service Choose an outgoing TCP or UDP service Opened Service Choose an incoming TCP or UDP service ...

Page 204: ...you click Add the Add Edit Rule window opens STEP 3 Enter the following information Name Enter the name for the advanced NAT rule Enable Click On to enable the advanced NAT rule or click Off to create only the advanced NAT rule From Choose the WAN interface or the VLAN that the traffic originates from To Choose the VLAN or the WAN interface that the traffic goes to Original Source Address Choose t...

Page 205: ... page to view the status of all NAT rules STEP 1 Click Firewall NAT NAT Status The NAT Status window opens All existing NAT rules are listed in the table You can check the following information Original Source Address The original source IP address in the packet Original Destination Address The original destination IP address in the packet Source Port The interface that the traffic comes from Dest...

Page 206: ... Configuring the Session Settings Use the Session Settings page to configure the maximum number of connection sessions When the connnection table is full the new sessions that access the security appliance are dropped STEP 1 Click Firewall Session Settings The Session Settings window opens STEP 2 Enter the following information Current All Connections Displays the number of all current connected s...

Page 207: ...er to block or forward the HTTP request from the hosts in the zone The blocked request will be logged This section includes the following topics Configuring the Content Filtering Policy Profiles page 201 Configuring the Website Access Control List page 203 Mapping the Content Filtering Policy Profiles to Zones page 204 Configuring Advanced Settings page 204 CAUTION Enabling the Web URL Filter serv...

Page 208: ...bsites that you want to permit or block For complete details see Configuring the Website Access Control List page 203 STEP 5 In the For URLs not Specified Above area specify the action how to deal with the websites that are not specified in the whitelist or blacklist Permit Them If you choose this option all websites not specified in the list are permitted Deny Them If you choose this option all w...

Page 209: ...reate only the access control rule URL Enter the domain name or URL keyword of a website that you want to permit or block Match Type Specify how to match up with this rule Domain If you choose this option permit or block the HTTP access of a website that fully matches up with the domain you entered in the URL field For example if you enter yahoo com in the URL field then it can match up with the w...

Page 210: ...ck Save to apply your settings Configuring Advanced Settings STEP 1 Click Firewall Content Filtering Advanced Settings The Advanced Settings window opens STEP 2 Enter the following information Specify HTTP port for the filtering default 80 Enter the port number that is used for content filtering The default is 80 For example if you permit the HTTP access to the website http www ABcompanyC com and ...

Page 211: ...an permit and deny network access from specific devices through the use of MAC address list The firewall MAC filtering settings apply for all traffic except the traffic for Intra VLAN and Intra SSID STEP 1 Click Firewall MAC Filtering MAC Filtering The MAC Filtering window opens STEP 2 Click On to enable the MAC Filtering feature or click Off to disable it STEP 3 If you enable MAC Filtering specif...

Page 212: ...ique MAC address of device please ensure that traffic from the specified IP address is not spoofed If a violation the traffic s source IP address doesn t match up with the expected MAC address having the same IP address occurs the packets will be dropped and can be logged for diagnosis STEP 1 Click Firewall MAC Filtering IP MAC Binding The IP MAC Binding window opens STEP 2 To add an IP MAC bindin...

Page 213: ... Protection The Attack Protection window opens STEP 2 In the WAN Security Checks area enter the following information Block Ping to WAN interface Check the box to prevent attackers from discovering your network through ICMP Echo ping requests We recommend that you disable this feature only if you need to allow the security appliance to respond to pings for diagnostic purposes Enable Stealth Mode C...

Page 214: ...mit the multicast traffic will be overrided if you enable this feature STEP 5 In the DoS Attacks area enter the following information SYN Flood Detect Rate max sec Enter the maximum number of SYN packets per second that will cause the security appliance to determine that a SYN Flood Intrusion is occurring Enter a value from 0 to 10000 SYN packets per second A value of zero indicates that the SYN F...

Page 215: ...1 Click Firewall Application Level Gateway The Application Level Gateway window opens STEP 2 Enter the following information SIP Protocol Support SIP ALG can rewrite the information within the SIP messages SIP headers and SDP body to make signaling and audio traffic between the client behind NAT and the SIP endpoint possible Check this box to allow the SIP sessions to pass through the security app...

Page 216: ...irus page 220 Email Reputation Filter page 224 Web URL Filter page 226 Web Reputation Filter page 230 Network Reputation page 231 To access the Security Services pages click Security Services in the left hand navigation pane Managing the Security Services This section includes the following topics About the Security Services page 211 Security License page 212 Priority of Security Services page 212...

Page 217: ...MAP For more information see Anti Virus page 220 Email Reputation Filter The Email Reputation Filter service detects the email sender s reputation score If the reputation score is below a threshold then the email is blocked or tagged as SPAM or SUSPECT SPAM For more information see Email Reputation Filter page 224 Web URL Filter The Web URL Filter service provides protection against URL categories...

Page 218: ... is permitted by the Web URL Filter setting but it has reputation score lower than the web reputation threshold the connection to this website will be blocked even if it is in the whitelist unless you change the web reputation threshold Managing the Security Services Use the Dashboard page to view the status of the security license enable or disable the security services and check new updates for ...

Page 219: ...yed in the Last Check column When the signature file is upated successfully the date and time of the last successful update are displayed in the Last Update column If a new signature file is available the new signature file will be downloaded to your local flash partition The registered CCO account is required to log into the Cisco server to download the signature file To configure your CCO accoun...

Page 220: ... show the total number of web access requests processed and the total number of websites blocked by day for the last seven days For more information about the security service reports go to the Status Report Security Services page See Reports of Security Services page 87 Intrusion Prevention Service The Intrusion Prevention Service IPS feature can protect the zones for a given set of categories IP...

Page 221: ...coming traffic from the selected zones WAN zone Choose this option to block the intrusion for incoming traffic from the WAN zone This is the default setting WAN VPN zone Choose this option to block the intrusion for incoming traffic from both WAN and VPN zones All zones Choose this option to block the intrusion for the incoming traffic from all zones STEP 4 In the IPS Status area you can perform t...

Page 222: ...CCO account click Edit Account Setting Update Click this button to immediately update the IPS signatures if a new signature file is available The new signature file will be downloaded from the Cisco server and saved on the flash partition of your device Manual Signature Updates To manually update the IPS signatures you first need to download the latest signature file from the Cisco server to your ...

Page 223: ...p tools cisco com security center search x search Signature to check the Small Business IPS signature definitions by using the Signature ID or other information STEP 3 Specify the inspection setting for all signatures under a category or for a signature only Disabled Click this option to disable checking the attacks Detect Only Click this option to check the attacks and to log the event when an at...

Page 224: ...IPS Alert feature and configure the email account settings see Configuring the Email Alert Settings page 316 STEP 4 Click Save to apply your settings Blocking the Instant Messaging and Peer to Peer Applications Use the IM P2P blocking page to block Instant Message IM and Peer to Peer P2P traffic on the security appliance STEP 1 Click Security Services IPS IM P2P Blocking The IM P2P Blocking window...

Page 225: ...the packet when an attack is detected To log the IPS events you first need to choose Detect Only or Detect and Prevent for the IM or P2P applications and then go to the Device Management Loggings pages to configure the log settings and log facilities To save the IPS logs in the lcoal syslog daemon you need to enable the Log feature set the log buffer size and the severity for local log and then ch...

Page 226: ...Anti Virus feature supports virus scanning for one layer compressed files in the zip gzip tar bzip2 and rar2 0 formats CAUTION Enabling Anti Virus consumes additional system resources and may impact the system performance Go to the Status Dashboard page to view the CPU and memory utilizations To conserve the system resources disable the service when it is no longer needed This section includes the...

Page 227: ...agement Loggings pages to configure the log settings and log facilities To save the Anti Virus logs in the lcoal syslog daemon you need to enable the Log feature set the log buffer size and the severity for local log and then check the Local Log box for the Anti Virus log facility To save the Anti Virus logs to the remote syslog server if you have a remote syslog server support you need to enable ...

Page 228: ...s setting the compressed file will not be detected STEP 5 Click Save to apply your settings NOTE Next Steps If you select Alert or Alert Descruct File for SMTP or POP3 protocol go to the Email Notification page to configure the email notification settings See Configuring the Email Notification page 223 If you select Alert or Alert Drop Connection for HTTP protocol go to the HTTP Notification page ...

Page 229: ...e Email Notification window opens STEP 2 Enter the following information Email Alert Status Shows if the Alert or Alert Destruct File action is selected or not for SMTP or POP3 protocol From Email Address The email address of the SMTP email account to send the alert email SMTP Server The IP address or Internet name of the SMTP server SMTP Authentication Shows if the SMTP authentication is enabled ...

Page 230: ... Click Save to apply your settings Email Reputation Filter The Email Reputation Filter feature detects the email sender s reputation score The reputation scores range from 10 bad to 10 good An email is classified as SPAM if the sender s reputation is below the SPAM threshold or is classified as SUSPECT SPAM if the sender s reputation is between the SPAM threshold and SUSPECT SPAM threshold An emai...

Page 231: ... sender s address is the address that initiated the connection to the SMTP server not an address within the email header STEP 3 Specify the actions for SPAM and SUSPECT SPAM emails Action for SPAM Is Choose Block to block the email or choose TAG to get the email tagged with SPAM Action for SUSPECT SPAM Is Choose Block to block the email or choose TAG to get the email tagged with SUSPECT SPAM STEP ...

Page 232: ...s Configuring the Web URL Filter Policy Profiles page 226 Mapping the Web URL Filter Policy Profiles to Zones page 228 Configuring Advanced Web URL Filter Settings page 229 Configuring the Web URL Filter Policy Profiles A Web URL Filter policy profile is used to specify the URL categories to be blocked STEP 1 Click Security Services Web URL Filter Policy Profile The Web URL Filter Policy Profile w...

Page 233: ...xample if the Sports category is blocked but you want to permit the www espn com you can add it to the whitelist STEP 5 Click Save to apply your settings NOTE Next Steps To map the Web URL Filter policy profile to zones go to the Zone Mapping page See Mapping the Web URL Filter Policy Profiles to Zones page 228 To configure advanced Web URL Filter settings go to the Advanced Settings page See Conf...

Page 234: ...u enter yahoo com in the URL field then it can match up with the website such as http yahoo com but cannot match up with the website such as http yahoo com uk Keyword Permit or deny the HTTP access of a website that contains the keyword you entered in the URL field For example if you enter yahoo in the URL field then it can match up with the websites such as www yahoo com tw yahoo com www yahoo co...

Page 235: ...s The default is 80 For example if you permit the HTTP access to the website http www ABcompanyC com and set the HTTP port to 80 The access to http www ABcompanyC com 8080 will be blocked Select which Web Components to block You can block or permit the web components like Proxy Java ActiveX and Cookies By default all of them are permitted Proxy Check the box to block proxy servers which can be use...

Page 236: ...web page is blocked The default blocked page will display a message such as Access of this website is blocked due to security policy configurations on the security appliance You can edit the message in the Block Message field Redirect to this URL Enter the URL to be redirected if a web page is blocked STEP 3 Click Save to apply your settings Web Reputation Filter The Web Reputation Filter service ...

Page 237: ...services are unavailable Block all web traffic until the web reputation filter services are restored If you choose this option all web traffic will be blocked until the Web Reputation Filter services are restored and the default blocked page will used The default blocked page displays a message to remind the user You can edit the message in the Block Message field Allow all web traffic until the w...

Page 238: ...the VPN pages click VPN in the left hand navigation pane About VPN A VPN provides a secure communication channel tunnel between two gateway routers or between a remote PC and a gateway router The security appliance provides the following VPN solutions Cisco IPSec VPN Server The Cisco IPSec VPN Server feature allows the security appliance to act as a head end device in remote access VPNs The server...

Page 239: ...emote users to access the corporate network by using the Cisco AnyConnect VPN Client Remote access is provided through a SSL VPN gateway See Configuring the SSL VPN page 257 L2TP L2TP allows remote clients to use a public IP network to secure communicate with private corporate network servers This protocol is based on the client and server model See Configuring the L2TP Server page 266 NOTE The se...

Page 240: ...the following platforms Windows 7 32 bit x86 and 64 bit x64 Windows Vista 32 bit x86 and 64 bit x64 Windows XP 32 bit x86 and 64 bit x64 Mac OS X 10 5 and 10 6 You can find the software installers for Cisco VPN Client on the CD or download the software installers from Cisco com A registered CCO account is required to log into the website For more information about how to download install and confi...

Page 241: ... Other Options To edit an entry click Edit To delete an entry click Delete After you click Add or Edit the Cisco IPSec VPN Server Add Edit window opens STEP 4 In the Basic Settings tab enter the following information Group Name Enter the name for the group policy WAN Interface Choose the WAN interface that the traffic passes through over the IPSec VPN tunnel Authentication Method Choose the authen...

Page 242: ...that works as the Cisco VPN hardware client The Cisco VPN hardware client can obtain a private IP address from a DHCP server over the IPSec VPN tunnel WAN Failover Click On to enable WAN Failover or click Off to disable it If you enable WAN Failover the traffic is automatically redirected to the secondary link when the primary link is down NOTE To enable the WAN Failover for Cisco IPSec VPN tunnel...

Page 243: ...onnect to the backup server The backup server 1 has the highest priority and the backup server 3 has the lowest priority NOTE The backup servers that you specified on the Cisco IPSec VPN Server will be sent to the remote clients when initiating the VPN connection The remote clients will cache them Split Tunnel Click On to enable the split tunneling feature or click Off to disable it Split tunnelin...

Page 244: ...e Cisco IPSec VPN Client feature minimizes the configuration requirements at remote locations by allowing the security appliance to work as a Cisco VPN hardware client to receive the security policies upon the VPN tunnel from a remote Cisco IPSec VPN Server This solution is ideal for remote offices with little IT support or for large customer premises equipment CPE deployments where it is impracti...

Page 245: ...f only one destination peer If your application requires multiple VPN tunnels you must manually configure the IPSec VPN and Network Address Translation Peer Address Translation NAT PAT parameters on both client and server NOTE If you set the security appliance as a Cisco VPN hardware client the VPN tunnels established by Site to Site VPN or Cisco IPSec VPN Server are automatically disconnected The...

Page 246: ...ther the inside hosts relative to the Cisco VPN hardware client are accessible from the corporate network over the tunnel Specifying a operation mode is mandatory before making a connection because the Cisco VPN hardware client does not have a default mode All modes of operation also optionally support split tunneling which allows secure access to corporate resources through the VPN tunnel while a...

Page 247: ...ion Mode NEM specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network PAT is not used which allows the client PCs and hosts to have direct access to the PCs and hosts at the destination network In NEM mode the Cisco VPN hard...

Page 248: ...g that the destination routers are configured to properly route those IP addresses over the tunnel Figure 9 Cisco IPSec VPN Network Extension Connection General Settings You can enable the Cisco IPSec VPN Client feature configure the Auto Initiation Retry settings or manually connect or disconnect the IPSec VPN tunnels STEP 1 Click VPN Remote User Access Cisco IPSec VPN Client The Cisco IPSec VPN ...

Page 249: ...N connection check the box of the group policy you want and then click Connect Disconnect To manuall terminate an estalished the IPsec VPN connection click Disconnect STEP 3 Click Save to apply your settings Configuring the Group Policies for Cisco IPSec VPN Client As a Cisco VPN hardware client the security appliance will initiate the VPN connection with a remote Cisco IPSec VPN Server You can sp...

Page 250: ...l with the remote server The server pushes the security settings over the IPSec VPN tunnel to the clients Certificate If you choose this option choose a local certificate and a peer certificate for authentication On the remote server the selected local certificate should be set as the peer certificate and the selected peer certificate should be set as the local certificate If the certificates are ...

Page 251: ...o the backup servers The backup server 1 has the highest priority and the backup server 3 has the lowest priority NOTE The Cisco VPN hardware client can get the backup servers from the remote Cisco IPSec VPN server during the tunnel negotiation The backup servers specified on the remote Cisco IPSec VPN server have higher priority than the back servers specified on the Cisco VPN hardware client Whe...

Page 252: ...te to Site VPN page 246 General Site to Site VPN Settings page 247 Configuring the IPSec VPN Policies page 248 Configuring the IPSec IKE Policies page 254 Configuring the IPSec Transform Policies page 256 Configuration Tasks to Establish a Site to Site VPN To establish a Site to Site VPN tunnel complete the following configuration tasks Add the subnet IP address objects of the local network and re...

Page 253: ...PSec VPN policy and then click Connect to initiate the IPSec VPN connection Check the status and statistic information for IPSec VPN tunnels See Monitoring the IPSec VPN Status page 269 General Site to Site VPN Settings STEP 1 Click VPN Site to Site IPSec Policies The IPSec Policies window opens All existing IPSec VPN policies are listed in the table You can check the following information of an I...

Page 254: ...PN Policies The Site to Site VPN policy is used to establish the IPSec VPN tunnel between two peers The ISA550 and ISA550W supports up to 50 IPSec VPN tunnels The ISA570 and ISA570W supports up to 100 IPSec VPN tunnels NOTE Before you create an IPSec VPN policy make sure that the IKE and transform policies are configured Then you can apply the IKE and transform policy on the IPSec VPN policy STEP ...

Page 255: ...200 236 in the Address field Authentication Method Choose the authentication method for the IPSec VPN policy Preshare Key If you choose this option enter the desired value that the peer device must provide to establish a connection The same pre shared key has to be entered on the remote peer device Certificate If you choose this option choose a local certificate and a remote certificate for authen...

Page 256: ...ffie Hellman exchange is performed for every phase 2 negotiation PFS is desired on the keying channel of the VPN connection DPD Enable Click On to enable Dead Peer Detection DPD or click Off to disable it DPD is a method of detecting a dead Internet Key Exchange IKE peer The method uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer DPD is ...

Page 257: ...at are automatically generated by the zone access control settings will be added in the firewall access rule table with the priority higher than the default firewall access rules but lower than the custom firewall access rules Apply NAT Policies Click On to apply the NAT settings for both the local network and remote network communicating over the VPN tunnel This option is particularly useful in c...

Page 258: ...dressed host at Site B it connects to a 172 19 1 2 address rather than to the actual 172 16 1 2 address When the host at Site B to accesses Site A it connects to a 172 18 1 2 address NAT on Router A translates any 172 16 x x address to look like the matching 172 18 x x host entry NAT on Router B changes 172 16 x x to look like 172 19 x x NOTE This configuration only allows the two networks to comm...

Page 259: ...nterface ensures that VPN traffic rolls over to the backup link whenever the primary link fails The security appliance will automatically update the local WAN gateway for the VPN tunnel based on the configurations of the backup WAN link For this purpose Dynamic DNS has to be configured because the IP address will change due to failover or let the remote gateway use dynamic IP address NOTE To enabl...

Page 260: ...icies The Internet Key Exchange IKE protocol is a negotiation protocol that includes an encryption method to protect data and ensure privacy It is also an authentication method to verify the identity of devices that are trying to connect to your network You can create IKE policies to define the security parameters such as authentication of the peer encryption algorithms and so forth to be used for...

Page 261: ... alpha numeric key is shared with IKE peer Pre shared keys do not scale well with a growing network but are easier to set up in a small network RSA SIG Uses a digital certificate to authenticate RSA SIG is a digital certificate with keys generated by the RSA signatures algorithm In this case a certificate must be configured in order for the RSA Signature to work D H Group Choose the Diffie Hellman...

Page 262: ... an IPSec transform policy click Add Other options To edit an entry Edit To delete an entry click Delete The default transform policy DefaultTrans can not be edited or deleted After you click Add or Edit the Transform Policy Add Edit window opens STEP 3 Enter the following information Name Enter an unique name for the transform policy Integrity Choose the hash algorithm used to ensure the data int...

Page 263: ..._192 Encryption with AES 192 bit ESP_AES_256 Encryption with AES 256 bit STEP 4 Click OK to save your settings STEP 5 Click Save to apply your settings Configuring the SSL VPN SSL VPN is a flexible and secure way to extend network resources to virtually any remote user The security appliance supports the SSL VPN and interoperates with the Cisco AnyConnect VPN Client software Figure 12 shows an exa...

Page 264: ... s PC page 260 Importing the Certificates for User Authentication page 260 Configuring the SSL VPN Users page 260 Configuring the SSL VPN Gateway page 261 Configuring the SSL VPN Group Policies page 263 Configuring the SSL VPN Portal page 266 Elements of the SSL VPN Several elements work together to support SSL VPN SSL VPN Users Create your SSL VPN users The user groups to which the SSL VPN users ...

Page 265: ...mote user s PC See Installing the Cisco AnyConnect VPN Client on User s PC page 260 Import the SSL VPN certificate to your security appliance used for user authentication See Importing the Certificates for User Authentication page 260 Enable and configure the SSL VPN gateway on your security appliance See Configuring the SSL VPN Gateway page 261 Define the SSL VPN group policies See Configuring th...

Page 266: ... 6 x kernel You can find the software installer on the CD If you have a CCO account you can access the SSL VPN portal to download the software installer from Cisco com website For more information about the SSL VPN portal see Configuring the SSL VPN Portal page 266 Importing the Certificates for User Authentication The SSL VPN gateway holds a CA certificate that is presented to the client when the...

Page 267: ...le SSL VPN or click Off to disable SSL VPN If you enable SSL VPN the security appliance is set as the SSL VPN server STEP 3 In the Gateway Mandatory area enter the following information Gateway Interface Choose the WAN interface that the traffic passes through over the SSL VPN tunnel Gateway Port Enter the port number used for the SSL VPN gateway By default HTTPS or SSL typically operates on port ...

Page 268: ...the Gateway Optional area enter the following information Idle Timeout Enter the timeout value in seconds that the SSL VPN session can remain idle Session Timeout Enter the timeout value in seconds that a SSL VPN session can remain connected Client DPD Timeout Dead Peer Detection DPD allows detection of dead peers Enter the DPD timeout for client in this field Gateway DPD Timeout Enter the DPD tim...

Page 269: ...or IP address range on the LAN or to other SSL VPN services that are supported by the security appliance NOTE The security appliance supports up to 32 SSL VPN goup policies STEP 1 Click VPN SSL Remote Acess SSL VPN Group Policies The SSL VPN Group Policies window opens The default and custom SSL VPN group policies are listed in the table STEP 2 To add a new SSL VPN group policy click Add Other opt...

Page 270: ... number of the MSIE proxy server IE Proxy Exception If you choose Bypass Local enter the IP address or domain name of an exception host This option allows the browser not to send traffic for the given hostname or IP address through the proxy STEP 5 In the Split Tunneling Settings area enter the following information Split tunneling permits specific traffic to be carried outside of the SSL VPN tunn...

Page 271: ...served through an external DNS serving your ISP or through SSL VPN tunnel to domains served by the corporate DNS For example a query for a packet destined for corporate com would go through the tunnel to the DNS that serves the private network while a query for a packet destined for myfavoritesearch com would be handled by the ISP s DNS By default this feature is configured on the SSL VPN gateway ...

Page 272: ...e SSL VPN portal from LAN side STEP 1 Click VPN SSL Remote Acess SSL VPN Portal The SSL VPN Portal window opens STEP 2 Enter the message that you want to display on the SSL VPN portal STEP 3 The SSL VPN portal provides a link to download the Cisco AnyConnect VPN Client software installer from Cisco com website Click Download to open the website and enter your CCO account to login Depending on your...

Page 273: ...ethod You can choose either CHAP or PAP or both to authenticate to the L2TP clients Click On to enable CHAP or PAP or click Off to disable it Local Service IP Enter the IP address of the established PPP link Address Pool The L2TP server assigns IP addresses to L2TP clients Enter the starting IP address in the Start IP field and the ending IP address in the End IP field DNS1 IP Enter the IP address...

Page 274: ...net or click Off to disable it PPTP Click On to allow the hosts at LAN site to establish a tunnel with a PPTP server on Internet click Off to disable it IPSec Click On to allow the IPSec traffic to pass through the security appliance over the IPSec VPN tunnel or click Off to disable it The VPN tunnel can be established by a Site to Site VPN session or a Cisco IPSec VPN session STEP 3 Click Save to...

Page 275: ...remote client for a Cisco IPSec VPN session Local Network The subnet IP address and netmask of your local network Remote Network The subnet IP address and netmask of the remote network Connect To manually establish a VPN connection click Connect Disconnect To terminate an active VPN connection click Disconnect NOTE When a VPN policy is in place and enabled a connection is triggered by any traffic ...

Page 276: ...SL VPN sessions STEP 1 Click VPN Session Status SSL VPN Monitoring The SSL VPN Monitoring window opens STEP 2 In the Active Sessions tab all active SSL VPN sessions are listed in the table Session ID The SSL VPN session ID User Name The name of the logged SSL VPN user Client IP Actual The actual IP address used by the SSL VPN client Client IP VPN The virtual IP address of the SSL VPN client assign...

Page 277: ...tic table lists the statistic information for each SSL VPN session The following information is displayed for a single SSL VPN session To clear the statistic information of the SSL VPN session click Clear Active Users The number of all connected SSL VPN users In CSTP frames The number of CSTP frames received from all clients In CSTP bytes The total number of bytes in the CSTP frames received from ...

Page 278: ...he number of CSTP data frames received from the client In CSTP control The number of CSTP control frames received from the client Out CSTP frames The number of CSTP frames sent to the client Out CSTP bytes The total number of bytes in the CSTP frames sent to the client Out CSTP data The number of CSTP data frames sent to the client Out CSTP control The number of CSTP control frames sent to the cli...

Page 279: ...s the user and user group information in the local database The local database supports up to 100 users and 16 user groups A user group can include up to 100 users Any user must be a member of a user group It includes the following sections Available Services for User Groups page 273 Default User and Group page 274 Preempt the Administrators page 274 Available Services for User Groups A user can o...

Page 280: ...iple services need to authenticate at the same time Default User and Group The default administrator account user name cisco password cisco is an administrative account that has fully privilege to set the configurations and read the system status It does not belong to any user group To prevent unauthorized access you are forced to immediately change the default user name and password at its first ...

Page 281: ...ick Add to add a user Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add Edit the Local User Add Edit window opens STEP 3 Enter the following information User Enter an unique identifier that contains the letters numbers or underline for the user New Password Enter th...

Page 282: ...roups are listed in the Groups table STEP 2 In the Groups area click Add to add a user group Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Group Add Edit window opens STEP 3 In the Group Settings tab enter the following information Name Enter an uniq...

Page 283: ...members of the user group who authenticated successfully will be directed to a specified web page portal before they can access the Internet This service only applies to the ISA550W and ISA570W STEP 4 In the Membership tab specify the members of the group To add a member select the member from the User list and click the right arrow The members of the groups appear in the Membership list To delete...

Page 284: ...supports the following authentication methods for user login Local Database Allows you to use the local database for authentication if the number of users is relatively small Only the local users in local database are allowed to access the network resources See Using Local Database for Authentication page 279 RADIUS Allows you to use the RADIUS server for authentication if you have more than 100 u...

Page 285: ...rver to authenticate the users when more than 100 users need to access the network The security appliance uses the Framed Filter ID attribute to store the user and group information in the RADIUS server and checks a user s credentials by using the Password Authentication Protocol PAP authentication scheme If you use RADIUS for user authentication users must log into the security appliance using HT...

Page 286: ...connection is dropped The default value is 3 RADIUS Servers Choose the RADIUS group index from the drop down list The RADIUS server settings of the selected group are disaplayed You can edit these settings here but the settings you specify will replace the default settings of the selected group To maintain the RADIUS settings go to the Device Management RADIUS Settings page See Configuring the RAD...

Page 287: ...local database has two user groups Group1 and Group2 The following table displays the user group membership settings In the above table if the User1 in the RADIUS server belongs to the Group1 and the User1 in the local database belongs to the Group2 then the User1 belongs to the Group2 after passed the RADIUS authentication If the User1 doex not exist in the local database it is set to the specifi...

Page 288: ...appliance first verifies the user name and password information of the users through the RADIUS server The RADIUS server returns the authentication result to the security appliance For a valid RADIUS user the security appliance checks its user group service policy from the local database and allows the user to access the network For an invalid RADIUS user then the security appliance uses the local...

Page 289: ...nter the number of the listening port used on the LDAP server Enter a value from 1 to 65535 The default is 389 Server Timeout Enter the amount of time in seconds that the security appliance will wait for a response from the LDAP server before timing out Login Method Choose one of the following login methods Annonymous Login Choose this option if the LDAP server allows for the user tree to be acces...

Page 290: ...oprietary LDAP scheme configurations Object Class The object class of the individual user account Login Name Attribute The user name that is used for login authentication Qualified Login Name Attribute The attribute that sets an alternative login name for the user in name domain format User Group Membership Attribute The membership attribute that contains information about the group to which the u...

Page 291: ...bject and are not used with AD To add an entry click Add To edit an entry click Edit To delete an entry click Remove To modify the location of an entry in the tree click Move Up or Move Down buttons NOTE All the above trees are given in the format of disginguished names cn users dc ExampleCorporation dc com STEP 7 In the LDAP Users tab enter the following information Allow Only Users Listed Locall...

Page 292: ... settings see Using LDAP for Authentication page 283 STEP 4 Click Save to apply your settings Configuring the User Session Settings The user session settings are used for the web login service and are applicable for all authentication methods STEP 1 Click Users Settings The User Settings window opens STEP 2 In the User Session Settings area enter the following information Inactivity Timeout Enter ...

Page 293: ...Sessions The Active Sessions window opens All active user sessions are listed in the table You can view the following user session information User Name The name of the logged user Address Information The host IP address from which the user accessed the security appliance Login Method How the user logs into the security appliance such as web login SSL VPN or Cisco IPSec VPN Session Duration How lo...

Page 294: ...ion Management page 294 Firmware Management page 297 Log Management page 302 Managing the Security License page 307 Managing the Certificates for Authentication page 310 Configuring the Email Alert Settings page 316 Configuring the RADIUS Servers page 319 Configuring the Time Zone page 320 Device Discovery page 321 Diagnosing the Device page 324 Measuring and Limiting Traffic with the Traffic Mete...

Page 295: ...ne who knows its IP address Since a malicious WAN user can reconfigure the security appliance and misuse it in many ways we highly recommend that you change the user name and password of the default administrator account cisco before continuing STEP 1 Click Device Management Remote Management The Remote Management window opens STEP 2 Enter the following information Remote Management Click On to en...

Page 296: ...manage the device from WAN side STEP 3 Click Save to apply your settings Administration Use the Administration page to modify the user name and password of the default adminstrator account and configure the user session settings It includes the following topics Changing the User Name and Password for the Default Administrator Account page 290 Configuring the User Session Settings page 291 Changing...

Page 297: ... password cannot be set as cisco ocsic or any variant obtained by changing the capitalization of letters Confirm New Password Enter the new password again for confirmation STEP 3 Click Save to apply your settings Configuring the User Session Settings The user session settings are used for the web login service and are applicable for all authentication methods STEP 1 Click Device Management Adminis...

Page 298: ...to manage the configurations statistics collection performance and security STEP 1 Click Device Management SNMP The SNMP window opens STEP 2 Click On to enable SNMP or click Off to disable SNMP By default SNMP is disabled STEP 3 If you enable SNMP specify the SNMP version By default SNMP V1 V2 is selected SNMP V1 V2 SNMP version 1 SNMPv1 is the initial implementation of the SNMP protocol SNMPv1 is...

Page 299: ...assword Enter the password for data encryption the minimum length of password is 8 charactors This is only available for SNMPV3 SNMP Engine ID Displays the engine ID of the SNMP entity The engine ID is used as an unique identification between two SNMP entities This is only available for SNMPV3 STEP 5 To enable the SNMP Trap enter the following information SNMP Read Only Community Enter the read on...

Page 300: ...s a configuration file on the local PC or on a USB device if applicable NOTE When saving the configurations to a file the security license and self certificates will not be saved in the file STEP 1 Click Device Management Firmware and Configuration Configuration The Configuration window opens STEP 2 To save the current settings on your local PC perform the following steps a In Backup Restore Setti...

Page 301: ...gurations check the Encrypt box and enter the password in the Key field and then click OK f After you click OK your current settings are saved as a configuration file on the root folder of the USB device Restoring your Settings from a Saved Configuration File You can restore the settings from a saved configuration file on your local PC or on a USB device if applicable STEP 1 Click Device Managemen...

Page 302: ...on window opens Enter the password in the Key field and then click OK e The security appliance automatically reboots with the saved settings of the selected configuration file Reverting to the Factory Default Settings To revert your security appliance to the factory default settings you can press and hold the RESET button on the back panel for minimal three seconds or use the Revert to Factory Def...

Page 303: ...ystem See Using the Rescue Mode to Recover the System page 302 Reboot the security appliance See Rebooting the Security Appliance page 302 CAUTION During a firmware upgrade do NOT try to go online turn off the device shut down the PC remove the cable or interrupt the process in anyway until the operation is complete This process should take several minutes or so including the reboot process Interr...

Page 304: ...y reboots with the previous settings that were in use To upgrade the firmware and revert to the factory default settings click Upgrade Factory Reset When the operation is complete the security appliance automatically reboots with the factory default settings Checking for New Firmwares The security appliance uses a built in IDA client to query and upgrade the firmware The IDA client connects to Cis...

Page 305: ...PC b To upgrade the firmware and keep using the current settings click Upgrade When the operation is complete the security appliance automatically reboots with the previous settings that were in use c To upgrade the firmware and revert to the factory default settings click Upgrade Factory Reset When the operation is complete the security appliance automatically reboots with the factory default set...

Page 306: ... Do NOT go online 3 Do NOT turn off or power cycle the security appliance 4 Do NOT shutdown the computer 5 Do NOT remove the cable Using the Secondary Firmware If the primary firmware is not stable you can manually set the secondary firmware that was in use as the primary firmware The original primary firmware will then become the secondary firmware After you switch to the secondary firmware the s...

Page 307: ...ader checks the CRC of the primary firmware 2 If the primary firmware occurs a CRC Error or a Boot Failure the Bootloader will switch to the secondary firmware and check the CRC for the secondary firmware CRC Error An error that the firmware cannot pass the CRC validation Downloading an incomplete firmware or incompletely writing the firmware to the flash may cause the CRC error Boot Failure A fai...

Page 308: ...s 192 168 1 1 STEP 3 The security appliance will upgrade the firmware after you uploaded the image This process should take several minutes or so including the reboot process During firmware upgrade do NOT try to go online turn off the device shut down the PC interrupt the process or remove the cable in anyway until the operation is complete When the POWER SYS lights green color the system operate...

Page 309: ... are not logged All Broadcast Multicast Traffic Click On to log all broadcast or multicast packets directed to the security appliance By default all broadcast or multicast packets are not logged STEP 4 In the Email Alert area specify the syslogs to be sent on schedule Email Alert Shows if the Syslog Email is enabled or disabled From Email Address The email address of the SMTP email account to send...

Page 310: ...hoose this option specify the time to send the syslogs in the Time field Weekly Sends the syslogs on a weekly basis If you choose this option specify the day of the week in the Day field and the time in the Time field Day If syslogs are sent on a weekly basis choose the day of the week Time Choose the time of day when syslogs should be sent Severity Levels Description Emergency level 0 highest sev...

Page 311: ...ample If you select Critical all log messages listed under the Critical Emergency and Alert categories are saved to the local syslog daemon STEP 7 Click Save to apply your settings Configuring the Log Facilities A variety of events can be captured and logged for review These logs can be saved to the local syslog daemon or to a specified remote syslog server or be emailed to a specified email addre...

Page 312: ...Log heading to enable the local log settings for all log facilities or check the box of a log facility to enable the local log settings for the selected log facility If you enable this feature the logs that belong to the selected facilities and match up with the specified severity level for Local Log can be saved to the local syslog daemon NOTE For more information about the Email Alert Remote Log...

Page 313: ... the Logs table The logs can be sorted by clicking the cellheading in the table By default the logs are sorted by the time For example if you click Severity the logs are sorted by the severity level in ascending sequence Double click Severity the logs are sorted by the severity level in descending sequence STEP 5 You can specify how many logs are displayed in the table per page If one page cannot ...

Page 314: ...e Credentials The Device Credentials window opens The device credential information is requested by Cisco sales or support for licensing purpose STEP 3 Click Email Alert Settings the Email Alert Settings window opens You can see the following settings of the License Expiration Alert We recommend that you enable the License Expiration Alert feature so that the system can send an alert email to remi...

Page 315: ...EP 3 Click Renew The Install License window opens STEP 4 The license can be a license code PAK or a license file downloaded from cisco com Choose the license type from the License Type drop down list License Code PAK from cisco com Automatically retrieves and installs the license on the security appliance from the Cisco server If you choose this option enter the following credential information Th...

Page 316: ...cation It includes the following sections Viewing the Certificate Status page 310 Managing the Certificates page 311 Viewing the Certificate Status STEP 1 Click Device Management Certificate Management The Certificate Management window opens All existing certificates are listed in the table The following certificate information is displayed Certificate The certificate name Type The certificate typ...

Page 317: ...Managing the Certificates Perform the following tasks to manage different types of certificates To export a local certificate or a CSR to your PC check the box and click Download See Exporting the Certificates to Local PC page 312 Certificate Types Details CA Certificate or Local Certificate Name Name used to identify this certificate Issuer Name of the CA that issued the certificate Subject Name ...

Page 318: ...nerate a CSR click New Signing Request See Generating New Certificate Signing Requests page 315 To delete a certificate or a CSR check the box and click Delete To delete multiple entries check the boxes of multiple entires and click Delete Selection Exporting the Certificates to Local PC You can export a local certificate or a CSR to your local PC The CA certificate is not allowed to export STEP 1...

Page 319: ...d USB device in PEM format If you are downloading a local certificate the Export Certificate to USB window opens Enter a password in the Enter Export Password field to protect the certificate file and then click Export The certificate file will be saved on the mounted USB device in p12 format Importing the Certificates from Your Local PC You can import a local or CA certificate from your local PC ...

Page 320: ...EP 2 To import a local or CA certificate from the USB device click Import from USB The Import Certificates window opens All available local certificates and CA certificates appear in the list STEP 3 Check the box of the certificate file enter the certificate name in the Certificate Name field and the protection password in the Import Password field and then click Import Importing the Signed Certif...

Page 321: ...s of your location Organization Name Enter your organization name Organization Unit Name Enter your department name Common Name Enter the common name for the certificate E mail Address Enter your email address Subject Distinguished Name After you enter the above information the Distinguished Name DN is created in this field Subject Key Type Displays the signature algorithm RSA used to sign the cer...

Page 322: ...k On to enable SMTP authentication Users need to provide the SMTP account information for authentication Account Enter the user name of the SMTP email account Password Enter the password of the SMTP email account From Email Address Enter the email address to send the alert messages To Email Address Enter the email address to receive the alert messages This email address is used to receive all aler...

Page 323: ... negotiation fails To Email Address Enter the email address to receive the alert messages IPS Alert Sends an alert email if an attack is detected over the specified email alert threshold for IPS categories or IM and P2P applications You first need to enable the IPS service and specify the email alert thresholds for the IM and P2P Blocking feature and or the IPS Policy and Protocol Inspection featu...

Page 324: ...reshold Setting Enter the threshold value of CPU utilization Debug Support Sends the debug support package zip that is generated by the System Diagnostics settings for debugging purposes To specify the contents to be compressed in a file in the zip format see System Diagnostics page 327 To Email Address Enter the email address to receive the alert messages Anti Virus Alert Sends an alert email if ...

Page 325: ...he table STEP 2 To edit the settings of the predefined RADIUS group click Edit in the Configuration column After you click Edit the RADIUS Group Edit window opens STEP 3 Enter the following information Primay RADIUS Server IP Enter the IP address of the primary RADIUS server Primay RADIUS Server Port Enter the port number on the primary RADIUS server that is used to send the RADIUS traffic The def...

Page 326: ...ngs Configuring the Time Zone Use the Time Zone Clock Settings page to manually configure the time zone and clock settings or to dynamically synchronize the time zone and clock settings with the Network Time Protocol NTP server STEP 1 Click Device Management TimeZone Clock Settings The Time Zone and Clock Settings window opens STEP 2 Click Manual to manually set the date and time Enter the values ...

Page 327: ...scovery The security appliance supports the following tools to discover the devices UPnP page 321 Bonjour page 322 CDP page 323 LLDP page 324 UPnP UPnP Universal Plug and Play allows for automatic discovery of devices that can communicate with your security appliance The UPnP Portmap table displays the port mapping entries of the UPnP enabled devices that accessed your security appliance STEP 1 Cl...

Page 328: ...otocol Bonjour only advertises the default services configured on the security appliance when Bonjour is enabled STEP 1 Click Device Management Discovery Bonjour The Bonjour window opens STEP 2 In the Bonjour Configuration area click On to enable Bonjour or click Off to disable it If you enable Bonjour all default services are enabled STEP 3 In the Enabled Default Service area the default enabled ...

Page 329: ...anagement Discovery CDP The CDP window opens STEP 2 In the CDP Configuration area enter the following information CDP Choose one of the following options Enable All Enables CDP on all ports supported by the security appliance Disable All Disables CDP on all ports supported by the security appliance Per Port Configures CDP on selective ports CDP Timer Enter the value of the time interval between tw...

Page 330: ...formation Base MIB The network management system models the topology of the network by querying these MIB databases STEP 1 Click Device Management Discovery LLDP The LLDP window opens STEP 2 Click On to enable LLDP or click Off to disable it If you enable LLDP the LLDP neighbors are listed in the LLDP Neighbor table STEP 3 To view the detail of a LLDP neighbor check the box and click Details STEP ...

Page 331: ...the range of 32 to 65500 bytes to ping The security appliance will send the packet with the specified size to the destination Ping Time Enter the times to ping The security appliance will send the packet for specific times to check the connectivity with the destination IP address STEP 3 Click Start Ping to ping the IP address or the URL or click Stop Ping to stop pinging Tracert Use the Tracert pa...

Page 332: ...ok up in the IP Address or Domain Name field STEP 3 Click Run Lookup to query the server on the Internet If the host or domain name exists you will see a response with the IP address STEP 4 Click Cleanup Result to clean up the querying result Packet Capture Use the Packet Capture page to capture all packets that pass through a selected interface STEP 1 Click Device Management Diagnostics Packet Ca...

Page 333: ...les for system diagnosis Syslog File Click On to compress the syslog files for system diagnosis System Status Click On to compress the system status data for system diagnosis STEP 3 In the Password Protection area you can set a password to secure the compressed file Password Protection Click On to enable password protection or click Off to disable it Password If you enable the password protection ...

Page 334: ...asure and limit the traffic routed by the security appliance You can enable the traffic meter settings for both primary WAN and secondary WAN if applicable STEP 1 Click Device Management Traffic Meter Primary WAN Settings The Primary WAN Settings window opens NOTE To configure the traffic meter settings for the secondary WAN if applicable click Device Management Traffic Meter Secondary WAN Setting...

Page 335: ...it if the monthly traffic limit has been reached or click Off to disable it If you enable this feature enter the amount of the increase in this field This Month Limit The data transfer limit applicable for this month that is the sum of the values in the Monthly Limit field and the Increase this month limit by field STEP 3 In the Traffic Counter area enter the following information Traffic Counter ...

Page 336: ...itoring and management protocol If you enable ViewMaster the devices accept the HTTP or HTTPS connections with the Local Management Agent that is embodied in the security appliance STEP 1 Click Device Management ViewMaster The ViewMaster window opens Start Date Time The date on which the traffic meter was started or the last time when the traffic counter was reset Outgoing Traffic Volume The volum...

Page 337: ... you want to download the IPS signatures or automatically update the IPS signatures you are required to provide the CCO account information To register a CCO account on the Cisco com go to https tools cisco com RPF register register do STEP 1 Click Device Management CCO Account The CCO Account window opens STEP 2 Enter the following information User Name Enter the name of your registered CCO accou...

Page 338: ... an unique domain name to identify your network STEP 3 Click Save to apply your settings Configuring the Debug Settings Use the Debug Setting page to enable the SSH version 2 server for debugging purposes STEP 1 Click Device Management Debug Setting The Debug Setting window opens STEP 2 Click On to enable the SSH version 2 server for debugging or click Off to disable it This feature allows the eng...

Page 339: ...n between the PC and the security appliance STEP 2 Ensure that the IP address of your PC is on the same subnet as the security appliance If you are using the recommended addressing scheme your PC s address should be in the range 192 168 1 100 to 192 168 1 200 STEP 3 Check the IP address of your PC If the PC cannot reach a DHCP server some versions of Windows and MacOS generate and assign an IP add...

Page 340: ... LOCK is off when entering this information Symptom The security appliance does not save my configuration changes Recommended Actions STEP 1 When entering configuration settings click OK or Save before moving to another page or tab otherwise your changes are lost STEP 2 Click Refresh or Reload in the browser which will clear a cached copy of the old configuration Symptom The security appliance can...

Page 341: ... obtain an IP address from the ISP Recommended Actions STEP 1 Click Networking WAN in the left hand navigation pane STEP 2 Click Edit The WAN Add Edit window opens STEP 3 Ask your ISP the following questions What type of network addressing mode is required for your Internet connection In the IPv4 tab choose the correct ISP connection type in the IP Address Assignment drop down list and then enter ...

Page 342: ...ed a network Time Server NTS Recommended Actions STEP 1 If you have just configured the security appliance wait at least 5 minutes click Device Management Time Zone Clock Settings in the left hand navigation pane STEP 2 Review the settings for the date and time STEP 3 Verify your Internet access settings Symptom The time is off by one hour Possible Cause The security appliance does not automatical...

Page 343: ...rity Appliance STEP 1 On your PC click the Windows Start button and then click Run STEP 2 Type ping IP_address where IP_address is the IP address of the security appliance Example ping 192 168 1 1 STEP 3 Click OK STEP 4 Observe the display If the path is working you see this message sequence Pinging IP address with 32 bytes of data Reply from IP address bytes 32 time NN ms TTL xxx If the path is n...

Page 344: ...ollowing Check that the PC has the IP address of your security appliance is listed as the default gateway If the IP configuration of your PC is assigned by DHCP this information is not visible in your PC s Network Control Panel Verify that the network subnet address of your PC is different from the network address of the remote device Verify that the cable or DSL modem is connected and functioning...

Page 345: ...nfiguration in the left hand navigation pane In the Backup Restore Settings area click Default Or press and hold the RESET button on the back panel of your security appliance for about 3 seconds until the LED lights and then blinks Release the button and wait for the security appliance to reboot If the security appliance does not restart automatically manually restart it to make the default settin...

Page 346: ...NZS 60950 1 UL 60950 1 CAN CSA C22 2 No 60950 1 EN 60950 1 IEC 60950 1 AS NZS 60950 1 Standards EMC 47CFR FCC Part 15B Industry Canada ICES 003 EN55022 EN55024 EN61000 3 2 EN61000 3 3 CISPR22 CISPR24 AS NZS CISPR22 47CFR FCC Part 15B Industry Canada ICES 003 EN 301 489 01 EN 301 489 17 EN55024 EN61000 3 2 EN61000 3 3 CISPR22 CISPR24 AS NZS CISPR22 47CFR FCC Part 15B Industry Canada ICES 003 EN5502...

Page 347: ... 45 connector for WAN port 4 X RJ 45 connector for LAN WAN or DMZ port 1 X USB connector for USB 2 0 1 X Power switch 2 X external antennas 4 X RJ 45 connectors for LAN port 1 X RJ 45 connector for WAN port 5 X RJ 45 connector for LAN WAN or DMZ port 1 X USB connector for USB 2 0 1 X Power switch 4 X RJ 45 connectors for LAN port 1 X RJ 45 connector for WAN port 5 X RJ 45 connector for LAN WAN or ...

Page 348: ...Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz Output Voltage Regulation 11 4 V to 12 6 V 11 4 V to 12 6 V 11 4 V to 12 6 V 11 4 V to 12 6 V Output Current MAX 2 5 A MAX 2 5 A MAX 1 667 A MAX 1 667 A Physical Specifications Form Factor 1...

Page 349: ...efined service and address objects It includes the following setions Device Management page 343 User Management page 346 Networking page 347 Wireless page 352 VPN page 353 Security Services page 356 Firewall page 357 Reports page 359 Default Service Objects page 360 Default Address Objects page 363 Device Management Features Settings Remote Management enable Remote Managaement by using HTTPS enabl...

Page 350: ...Maximum Hops for Tracert 5 System Diagnostics disable Password Protection disable Syslog Settings disable Logs Facility Email Alert Kernel System Remote Log Kernel System Local Log Kernel System Time Zone and Clock Settings Dynamic Date Time GMT 00 00 Edinburgh London Automatically Adjust for Daylight Savings Time disable Use Default NTP Servers enable Maximum Certificate Number 128 SNMP disable S...

Page 351: ...Settings disable Traffic Meter Secondary WAN Settings disable ViewMaster enable RADIUS Groups 3 RADIUS Server Port 1812 SMTP Authentication disable Email Alert Settings disable WAN UP DOWN Alert disable IPSec Alert disable Firmware Upgrade Alert disable License Expiration Alert disable CPU Overload Alert disable Debug Support disable Anti Virus Alert disable Syslog Email disable Debug Support disa...

Page 352: ... enable Default Administrator Account User Name cisco Password cisco Available User Login Authentication Methods Local Database RADIUS RADIUS Local Database LDAP LDAP Local Database Default User Login Authentication Method Local Database RADIUS Settings for Authentication RADIUS Server Index 1 RADIUS Server Timeout 10 seconds Retries 3 RADIUS Users Settings Allow Only Users Listed Locally disable ...

Page 353: ...l Version LDAP version3 LDAP Schemas Microsoft Active Directory RFC2789 InetOrgPerson RFC2307 Network Information Service LDAP Users Allow Only Users Listed Locally disable LDAP Users Default LDAP User Group None User Session Settings Inactivity timeout 5 minutes Login Session Limit for Web Logins disable Feature Settings Feature Settings IPv4 IPv6 Routing Mode IPv4 only Physical Interface Number ...

Page 354: ...ss Assignment DHCPC WAN1 MTU Auto WAN1 MTU Value 1500 WAN1 Zone Mapping WAN Port Based Access Control disable Default Setting for WAN Redundancy Equal load balancing Round robin Default Settings for Weighted Loading Balancing Weighted By Percentage WAN1 50 Weighted By Percentage WAN2 50 Weighted By Link Bandwidth WAN1 1 1 to 1000 Weighted By Link Bandwidth WAN2 1 1 to 1000 Default Settings for WAN...

Page 355: ...DHCP Server DHCP Pool Start IP 192 168 1 100 DHCP Pool End IP 1 192 168 1 200 Lease Time 1 day Default Gateway 192 168 1 1 GUEST VLAN VID 2 IP Address 192 168 2 1 Subnet 255 255 255 0 Mapped Zone GUEST Spanning Tree disable DHCP Pool Settings DHCP Server DHCP Pool Start IP 192 168 2 100 DHCP Pool End IP 1 192 168 2 200 Lease Time 1 day Default Gateway 192 168 2 1 Zones Maximum number of Zones 32 P...

Page 356: ...000000 WAN2 Upstream limit 0 0 to 1000000 WAN QoS Queue Settings WAN1 Queueing Method SP WAN2 Queueing Method SP Maximum number of Traffic Selectors 256 Maximum number of Traffic Selectors associated with one WAN QoS Policy Profile 64 LAN QOS disable LAN Queueing Method SP Classification Method DSCP for all ports Mapping Cos to Queue Mapping all CoS values to Queue4 Mapping DSCP to Queue Mapping a...

Page 357: ...eue1 CoS 7 Queue1 Mapping DSCP to Queue DSCP 000xxx Queue3 DSCP 001xxx Queue4 DSCP 010xxx Queue4 DSCP 011xxx Queue3 DSCP 100xxx Queue2 DSCP 101xxx Queue2 DSCP 110xxx Queue1 DSCP 111xxx Queue1 Service Management Maximum number of Group Service Objects 64 Maximum number of Service Objects 256 Address Management Maximum number of Group Address Objects 64 Maximum number of Address Objects 512 VRRP dis...

Page 358: ...adio enable Wireless Network Mode 802 11b g n mixed Wireless Channel Auto Bandwidth Channel Lower U APSD disable SSID Isolation between SSIDs disable Default SSIDs enable Default SSIDs cisco data cisco guest cisco3 cisco4 SSID Broadcast for All SSIDs enable Station Isolation between clients disable Security Mode for All SSIDs Open WMM for All SSIDs disable Connection Control MAC Address Filtering ...

Page 359: ...46 Power Output 100 Wi Fi Protected Setup WPS disable Rogue AP Detection disable Captive Portal disable Feature Settings Feature Settings Site to Site VPN disable Site to Site VPN policies Maxinum number of Site to Site VPN policies 100 for ISA570 and ISA570W and 50 for ISA550 and ISA550W PFS enable DPD enable DPD Delay Time 30 10 to 300 DPD Detection Timeout 120 120 to 1800 DPD Action Hold Authen...

Page 360: ... Hash SHA1 Authenication Pre shared Key D H Group group_5 Encryption AES256 Lifetime 24 hours Transform policies Maximum number of Transform policies 16 Integrity ESP_MD5_HMAC Encryption ESP_3DES Cisco IPSec VPN Server disable Maximum number of group policies 16 WAN Failover disable Authentication Method Pre shared Key Network Mode Client mode Zone based Access Control Permit Split Tunnel disable ...

Page 361: ... Authentication Method Pre shared Key Network Mode Client mode Zone based Access Control Permit SSL VPN disable Gateway Interface WAN1 Gateway Port 443 Certificate File default Idle Timeout 2100 Session Timeout 43200 Client DPD Timeout 300 Gateway DPD Timeout 300 Keep Alive 30 Lease Duration 43200 Max MTU 1406 Rekey Method SSL Rekey Interval 3600 Maximum number of SSL VPN group policies 32 L2TP Se...

Page 362: ...le IPSec Passthrough enable PPTP Passthrough enable L2TP Passthrough enable Feature Settings Feature Settings Intrusion Prevention Service disable Automatically Update Signatures disable Select which zone to block intrusion WAN zone Anti Virus disable Select which zone to scan for viruses WAN zone Maximum Scan Compression File Size 0 Web URL Filter disable Policy to zone mapping for all predefined...

Page 363: ...ices are unavailable All all web traffic until Web Repuation Filter services are restored Email Reputation Filter disable Reputation Threshold Conservative Custom Spam Threshold 5 Custom Suspect Spam Threshold 3 Action for SPAM BLOCK Action for SUPECT SPAM TAG Action when Email Reputation Filter services are unavailable All all web traffic until Email Reputation Filter services are restored Networ...

Page 364: ...s 15 Maximum number of Advanced NAT rules 16 Session Settings Maximum number of Connections 60000 1000 to 60000 TCP Timeout 1200 5 to 3600 UDP Timeout 180 5 to 3600 Attack Protection Block Ping WAN interface enable Enable Stealth Mode disable Block TCP Flood Threshold 200 per seconds disable Block UDP Flood Threshold 200 per seconds disable Block ICMP Notification enable Block Fragmented Packets d...

Page 365: ...LG enable Content Filtering disable HTTP port for content filtering 80 Permit or block web components Proxy Java ActiveX Cookies permit MAC Filtering disable Maximum number of MAC Filtering rules 100 Maximum number of IP MAC Binding rules 100 Features Settings Feature Settings IP Bandwidth Report disable Service Bandwidth Report disable TopN Web Report disable WAN Bandwidth Report disable Security...

Page 366: ...port disable Email Security Blocked Report disable Anti Virus Report disable Feature Settings Service Name Protocol Port Start Port End Remarks AIM CONNECT TCP 4443 4443 Direct connect AIM CHAT TCP 5190 5190 File transfer and chat BGP TCP 179 179 BOOTP_client UDP 68 68 BOOTP_server UDP 67 67 CU SEEME TCP UDP 7648 7652 Server control port 7648 Client contact port 7649 Data stream over UDP port 7648...

Page 367: ...ou public it on the Internet or use the active mode for 21 public 21 active mode not passive HTTP TCP 80 80 HTTPS TCP 443 443 ICMP TYPE 0 ICMP ICMP TYPE 3 ICMP ICMP TYPE 4 ICMP ICMP TYPE 5 ICMP ICMP TYPE 6 ICMP Alternate host address ICMP TYPE 7 ICMP ICMP TYPE 8 ICMP ICMP TYPE 9 ICMP ICMP TYPE 10 ICMP ICMP TYPE 11 ICMP ICMP TYPE 13 ICMP ICQ TCP 5190 5190 IMAP TCP 143 143 IMAP2 TCP 143 143 Service ...

Page 368: ...119 NNTP over SSL uses the port 563 POP3 TCP 110 110 PPTP TCP 1723 1723 L2TP UDP 1701 1701 RCMD TCP 512 512 REAL AUDIO TCP 7070 7070 REXEC TCP 512 512 RLOGIN TCP 513 513 RTELNET TCP 107 107 RTSP TCP UDP 554 554 SFTP TCP 115 115 SMTP TCP 25 25 SNMP TCP UDP 161 161 SNMP TRAPS TCP UDP 162 162 SQL NET TCP 1521 1521 SSH TCP UDP 22 22 STRMWORKS UDP 1558 1558 TACACS TCP 49 49 TELNET TCP 23 23 Service Nam...

Page 369: ... 69 69 RIP UDP 520 520 IKE UDP 500 500 ISAKMP UDP 500 500 SHTTPD TCP 8080 8080 SHTTPDS TCP 443 443 IDENT TCP 113 113 VDOLIVE TCP 7000 7000 SSH TCP UDP 22 22 SIP TCP UDP 5060 5060 DHCP UDP 67 67 ESP IP Protocol 50 IPSEC UDP ENCAP UDP 4500 4500 Service Name Protocol Port Start Port End Remarks Address Name Type Start IP End IP WAN1_IP Host 192 168 100 100 192 168 100 100 WAN1_GW Host 192 168 100 1 1...

Page 370: ...168 1 1 192 168 1 1 DEFAULT_WINS1 Host 192 168 1 1 192 168 1 1 DEFAULT_WINS2 Host 192 168 1 1 192 168 1 1 DEFAULT_NETWORK Network 192 168 1 0 192 168 1 255 GUEST_IP Host 192 168 2 1 192 168 2 1 GUEST_GW Host 192 168 2 1 192 168 2 1 GUEST_DNS1 Host 192 168 2 1 192 168 2 1 GUEST_DNS2 Host 192 168 2 1 192 168 2 1 GUEST_WINS1 Host 192 168 2 1 192 168 2 1 GUEST_WINS2 Host 192 168 2 1 192 168 2 1 GUEST_...

Page 371: ...ort Community www cisco com go smallbizsupport Cisco Small Business Support and Resources www cisco com go smallbizhelp Phone Support Contacts www cisco com go sbsc Firmware Download www cisco com go isa500software Product Documentation Cisco ISA500 Series Integrated Security Appliance Technical Documentation www cisco com go isa500resources Cisco Small Business Cisco Partner Central for Small Bus...

Search results

Summary of Contents for ISA500 Series

Reviews:

Related manuals for ISA500 Series

Brands by name

Popular brands

Cisco ISA500 Series, Administration Manual

Search results

Summary of Contents for ISA500 Series

Reviews:

Related manuals for ISA500 Series

Brands by name

Popular brands