Cisco ISA550 Administration Manual Download Page 204 | Manualshive

Page: 204 / 427

background image

Firewall

Configuring Firewall Rules to Control Inbound and Outbound Traffic

Cisco ISA500 Series Integrated Security Appliances Administration Guide

204

6

Configuring Firewall Rules to Control Inbound and Outbound
Traffic

The zone-based firewall can permit or deny inbound or outbound traffic based on
the zone, service, source and destination address, and schedule.

Refer to the following topics:

•

Default Firewall Settings, page 206

•

Priorities of Firewall Rules, page 207

•

Preliminary Tasks for Configuring Firewall Rules, page 207

•

General Firewall Settings, page 208

•

Configuring a Firewall Rule, page 209

•

Configuring a Firewall Rule to Allow Multicast Traffic, page 211

•

Configuring Firewall Logging Settings, page 212

About Security Zones

A security zone is a group of interfaces to which a security policy can be applied
to control traffic between zones. For ease of deployment, the Cisco ISA500 has
several predefined zones with default security settings to protect your network.
You can create additional zones as needed.

Each zone has an associated security level. The security level represents the level
of trust, from low (0) to high (100). Default firewall rules are created for all
predefined zones and your new zones, based on these security levels. For
example, by default all traffic from the LAN zone (with a Trusted security level) to
the WAN zone (with an Untrusted security level) is allowed but traffic from the
WAN (Untrusted) zone to the LAN (Trusted) zone is blocked. You can create and
modify firewall rules to specify the permit or block action for specified services,
source and destination addresses, and schedules.

To learn more, see the

Security Levels and Predefined Zones

table.

«
...
202
203
204
205
206
...
»

Summary of Contents for ISA550

Page 1: ...Cisco Small Business ISA500 Series Integrated Security Appliances ISA550 ISA550W ISA570 ISA570W ADMINISTRATION GUIDE ...

Page 2: ...Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Page 3: ... there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one of the following measures Reorient or relocate the receiving antenna Increase the separation between the eq...

Page 4: ...een the radiator and your body NOTE IMPORTANTE Pour l utilisation de dispositifs mobiles Déclaration d exposition aux radiations Cet équipement est conforme aux limites d exposition aux rayonnements IC établies pour un environnement non contrôlé Cet équipement doit être installé et utilisé avec un minimum de 20 cm de distance entre la source de rayonnement et votre corps This device has been desig...

Page 5: ...embly the operating ambient temperature of the rack environment may be greater than room ambient Therefore consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature Tma 40 degree C specified by the manufacturer B Reduced Air Flow Installation of the equipment in a rack should be such that the amount of air flow required for safe ope...

Page 6: ...Settings 31 Performing Basic Configuration Tasks 32 Changing the Default Administrator Password 32 Upgrading your Firmware After your First Login 33 Backing Up Your Configuration 34 Chapter 2 Configuration Wizards 35 Using the Setup Wizard for the Initial Configuration 36 Starting the Setup Wizard 37 Configuring Cisco com Account Credentials 37 Enabling Firmware Upgrade 38 Validating Security Lice...

Page 7: ...d for IPsec Remote Access 54 Starting the Remote Access VPN Wizard 55 Configuring IPsec Remote Access Group Policy 55 Configuring WAN Settings 56 Configuring Operation Mode 56 Configuring Access Control Settings 57 Configuring DNS and WINS Settings 57 Configuring Backup Servers 58 Configuring Split Tunneling 58 Viewing Group Policy Summary 58 Configuring IPsec Remote Access User Groups 59 Viewing ...

Page 8: ...only 76 Starting the Wireless Wizard 76 Configuring Wireless Radio Settings 76 Configuring Wireless Connectivity Types 77 Specify Wireless Connectivity Settings for All Enabled SSIDs 77 Viewing Configuration Summary 78 Configuring the SSID for Intranet WLAN Access 78 Configuring the SSID for Guest WLAN Access 79 Configuring the SSID for Captive Portal Access 80 Chapter 3 Status 83 Device Status Da...

Page 9: ...urce Utilization 112 Chapter 4 Networking 114 Viewing Network Status 115 Configuring IPv4 or IPv6 Routing 115 Managing Ports 115 Viewing Status of Physical Interfaces 116 Configuring Physical Ports 117 Configuring Port Mirroring 118 Configuring Port Based 802 1x Access Control 119 Configuring the WAN 121 Configuring WAN Settings for Your Internet Connection 121 Configuring WAN Redundancy 129 Dual ...

Page 10: ...h for Upstream Traffic 155 Configuring WAN Queue Settings 156 Configuring Traffic Selectors 157 Configuring WAN QoS Policy Profiles 159 Configuring WAN QoS Class Rules 159 Mapping WAN QoS Policy Profiles to WAN Interfaces 160 WAN QoS Configuration Example 161 Configure WAN QoS for Voice Traffic from LAN to WAN 163 Configuring WAN QoS for Voice Traffic from WAN to LAN 164 Configuring LAN QoS 165 Co...

Page 11: ...less Client Status 183 Configuring the Basic Settings 183 Configuring SSID Profiles 185 Configuring Wireless Security 186 Controlling Wireless Access Based on MAC Addresses 192 Mapping the SSID to VLAN 193 Configuring SSID Schedule 193 Configuring Wi Fi Protected Setup 194 Configuring Captive Portal 196 Configuring Wireless Rogue AP Detection 199 Advanced Radio Settings 201 Chapter 6 Firewall 203 ...

Page 12: ...guration Examples 226 Allowing Inbound Traffic Using the WAN IP Address 226 Allowing Inbound Traffic Using a Public IP Address 228 Allowing Inbound Traffic from Specified Range of Outside Hosts 231 Blocking Outbound Traffic by Schedule and IP Address Range 232 Blocking Outbound Traffic to an Offsite Mail Server 232 Configuring Content Filtering to Control Internet Access 233 Configuring Content Fi...

Page 13: ...ti Virus Signatures 260 Configuring Application Control 261 Configuring Application Control Policies 262 General Application Control Policy Settings 262 Adding an Application Control Policy 263 Permitting or Blocking Traffic for all Applications in a Category 264 Permitting or Blocking Traffic for an Application 265 General Application Control Settings 266 Enabling Application Control Service 267 ...

Page 14: ...eral Site to Site VPN Settings 292 Configuring IPsec VPN Policies 293 Configuring IKE Policies 299 Configuring Transform Sets 301 Remote Teleworker Configuration Examples 302 Configuring IPsec Remote Access 305 Cisco VPN Client Compatibility 306 Enabling IPsec Remote Access 307 Configuring IPsec Remote Access Group Policies 307 Allowing IPsec Remote VPN Clients to Access the Internet 310 Configuri...

Page 15: ...ment 338 Viewing Active User Sessions 338 Configuring Users and User Groups 339 Default User and User Group 339 Available Services for User Groups 339 Preempt Administrators 340 Configuring Local Users 340 Configuring Local User Groups 341 Configuring User Authentication Settings 343 Using Local Database for User Authentication 344 Using RADIUS Server for User Authentication 344 Using Local Databa...

Page 16: ...Local PC 371 Importing Certificates from a USB Device 372 Generating New Certificate Signing Requests 372 Importing Signed Certificate for CSR from Your Local PC 373 Configuring Cisco Services and Support Settings 374 Configuring Cisco com Account 374 Configuring Cisco OnPlus 375 Configuring Remote Support Settings 376 Sending Contents for System Diagnosis 376 Configuring System Time 377 Configuri...

Page 17: ...iguring Log Settings 394 Configuring Log Facilities 397 Rebooting and Resetting the Device 398 Restoring the Factory Default Settings 398 Rebooting the Security Appliance 399 Configuring Schedules 399 Appendix A Troubleshooting 401 Internet Connection 401 Date and Time 404 Pinging to Test LAN Connectivity 405 Testing the LAN Path from Your PC to Your Security Appliance 405 Testing the LAN Path fro...

Page 18: ...Cisco ISA500 Series Integrated Security Appliances Administration Guide 18 Contents Firewall 419 Reports 421 Default Service Objects 422 Default Address Objects 426 Appendix D Where to Go From Here 427 ...

Page 19: ...configure your security appliance It includes the following sections Introduction page 20 Product Overview page 21 Getting Started with the Configuration Utility page 25 Factory Default Settings page 30 Performing Basic Configuration Tasks page 32 NOTE For information about how to physically install your security appliance see the Cisco ISA500 Series Integrated Security Appliances Quick Start Guid...

Page 20: ...twork Reputation The ISA550W and ISA570W include 802 11b g n access point capabilities The following table lists the available model numbers NOTE Any configurable port can be configured to be a WAN DMZ or LAN port Only one configurable port can be configured as a WAN port at a time Up to 4 configurable ports can be configured as DMZ ports Model Description Configuration ISA550 Cisco ISA550 Integra...

Page 21: ...Front Panel ISA550W Front Panel ISA570 Front Panel ISA570W Front Panel 282351 Small Business 1 VPN USB WAN LAN CONFIGURABLE POWER SYS SPEED LINK ACT 2 3 4 5 6 7 ISA550 Cisco 281983 Small Business 1 VPN USB WAN LAN CONFIGURABLE POWER SYS SPEED LINK ACT 2 3 4 5 6 7 WLAN ISA550W Cisco Small Business 1 VPN USB WAN LAN CONFIGURABLE POWER SYS SPEED LINK ACT 9 10 2 3 4 5 6 7 8 282350 ISA570 Cisco Small B...

Page 22: ...blem a device error occurs or the system has a problem VPN Indicates the site to site VPN connection status Solid green when there are active site to site VPN connections Flashes green when attempting to establish a site to site VPN tunnel Flashes amber when the system is experiencing problems setting up a site to site VPN connection and there is no VPN connection USB Indicates the USB device stat...

Page 23: ...affic rate of the associated port Off when the traffic rate is 10 or 100 Mbps Solid green when the traffic rate is 1000 Mbps LINK ACT Indicates that a connection is being made through the port Solid green when the link is up Flashes green when the port is transmitting and receiving data Light Description 281984 ANT02 ANT01 RESET I O POWER 12VDC 4 5 6 7 CONFIGURABLE 2 3 LAN 1 WAN ANT01 ANT02 Reset ...

Page 24: ... Connects the unit to a USB device You can use a USB device to save and restore system configuration or to upgrade the firmware Configurable Ports Can be set to operate as WAN LAN or DMZ ports ISA550 and ISA550W have 4 configurable ports ISA570 and ISA570W have 5 configurable ports NOTE Only one configurable port can be configured as a WAN port at a time Up to 4 configurable ports can be configure...

Page 25: ...solution for the PC running the Web browser used to access the Configuration Utility is 1024 x 768 This section includes the following topics Logging in to the Configuration Utility page 26 Navigating Through the Configuration Utility page 27 Using the Help System page 28 Configuration Utility Icons page 28 RESET Button To reboot the unit push and release the RESET button for less than 3 seconds T...

Page 26: ...tion Utility STEP 3 When the login page opens enter the username and password The default username is cisco The default password is cisco Usernames and passwords are case sensitive STEP 4 Click Login STEP 5 For security purposes you must change the default password of the default administrator account Set a new administrator password and click OK STEP 6 If you can access the Internet and a newer f...

Page 27: ...ity 1 2 Number Component Description 1 Left Hand Navigation Pane The left hand navigation pane provides easy navigation through the configurable features The main branches expand to provide the features Click the main branch title to expand its contents Click the triangle next to a feature to expand or contract its sub features Click the title of a feature or sub feature to open it 2 Main Content ...

Page 28: ...following table describes these icons Icon Description Action Add icon Add an entry Edit icon Edit an entry Duplicate icon Create a copy of an existing entry Delete icon Delete an entry or delete multiple selected entries Move icon Move an item to a specific location Move down icon Move an item down one position Move up icon Move an item up one position Expand triangle icon Expand the sub features...

Page 29: ...PC Export to USB or Import from USB icon Export a local certificate a CA certificate or a Certificate Signing Request to a USB key or import a local certificate or a CA certificate from a USB key Details icon View the details of a certificate or a Certificate Signing Request Download icon Download a local certificate a CA certificate or a Certificate Signing Request to PC Upload icon Upload a sign...

Page 30: ...4 or IPv6 Routing page 115 WAN Configuration By default the security appliance is configured to obtain an IP address from your ISP using Dynamic Host Configuration Protocol DHCP Depending on the requirement of your ISP configure the network addressing mode for the primary WAN You can change other WAN settings as well See Configuring WAN Settings for Your Internet Connection page121 LAN Configurati...

Page 31: ...change the username for the default administrator account See Changing the Default Administrator Password page 32 Security Services By default the security services such as Intrusion Prevention IPS Anti Virus Application Control Web URL Filtering Web Reputation Filtering and Spam Filter are disabled See Chapter 7 Security Services Firewall By default the firewall prevents inbound traffic and allow...

Page 32: ...recommend that you complete the following tasks before you configure the security appliance Changing the Default Administrator Password page 32 Upgrading your Firmware After your First Login page 33 Backing Up Your Configuration page 34 Changing the Default Administrator Password The default administrator account cisco has full privilege to set the configuration and read the system status For secu...

Page 33: ... Configuration Utility for the first time we recommend that you upgrade your firmware to the latest version before you do any other tasks This feature requires that you have an active WAN connection to access the Internet STEP 1 Log in to the Configuration Utility for the first time and change the default administrator password See Logging in to the Configuration Utility page 26 If newer firmware ...

Page 34: ...tility for the first time you can use the Setup Wizard to configure your Internet connection and then automatically check for firmware updates after the Setup Wizard is complete The Setup Wizard also allows you to manually upgrade the firmware from a firmware image stored on your local PC See Using the Setup Wizard for the Initial Configuration page 36 You can manually upgrade the firmware from a ...

Page 35: ...zard for the Initial Configuration page 36 Using the Dual WAN Wizard to Configure WAN Redundancy Settings page 51 Using the Remote Access VPN Wizard page 54 Using the Site to Site VPN Wizard to Configure Site to Site VPN page 66 Using the DMZ Wizard to Configure DMZ Settings page 71 Using the Wireless Wizard for ISA550W and ISA570W only page 76 To access the Configuration Wizards pages click Confi...

Page 36: ...Security License page 39 Enabling Bonjour and CDP Discovery Protocols page 39 Configuring Remote Administration page 40 Configuring Physical Ports page 41 Configuring the Primary WAN page 42 Configuring the Secondary WAN page 42 Configuring WAN Redundancy page 42 Configuring Default LAN Settings page 43 Configuring DMZ page 44 Configuring DMZ Services page 45 Configuring Wireless Radio Settings pa...

Page 37: ...ssage appears saying Continuing with the Setup Wizard will overwrite some of your previously modified parameters Read the warning message carefully before you start configuring STEP 2 Click Next Configuring Cisco com Account Credentials STEP 3 Use the Cisco com Credentials page to configure your Cisco com account credentials A valid Cisco com account is required to download the latest firmware ima...

Page 38: ... update when Setup Wizard completes The security appliance will immediately check for firmware updates after the Setup Wizard is complete This feature requires that you have an active WAN connection To manually upgrade the firmware from a firmware image stored on your PC uncheck the box next to Check for firmware update when Setup Wizard completes Uncheck this box when you do not have an active WA...

Page 39: ...validate the security license If your Cisco com account credentials are not configured go back to the Cisco com Credentials page to configure them NOTE If you want to continue the Setup Wizard configuration without installing the security license check the box next to Continue without installing license not recommended The security services cannot be activated without installing the security licen...

Page 40: ...isten Port Number If you enable remote management by using HTTP enter the port number By default the listen port number for HTTP is 80 Allow Address To specify the devices that can access the configuration utility through the WAN interface choose an Address Object or enter an address Address Objects These objects represent known IP addresses and address ranges such as the GUEST VLAN and the DHCP p...

Page 41: ... configurable port GE10 is set as the secondary WAN port and the configurable port GE9 is set as a DMZ port If you are using the ISA550 or ISA550W choose one of the following options 1 WAN 6 LAN switch One WAN port WAN1 and six LAN ports are configured 1 WAN 1 DMZ 5 LAN switch One WAN port WAN1 one DMZ port and five LAN ports are configured The configurable port GE7 is set as a DMZ port 1 WAN 1 WA...

Page 42: ...are configured use the Secondary WAN Connection page to configure the secondary WAN connection by using the account information provided by your ISP WAN Name The name of the secondary WAN port IP Address Assignment Depending on the requirements of your ISP choose the network addressing mode and configure the corresponding fields for the secondary WAN port For complete details see Network Addressin...

Page 43: ...ns connectivity all Internet traffic is directed to the primary link and the backup link becomes idle Select WAN Precedence Choose one of the following options Primary WAN1 Secondary WAN2 If you choose this option WAN1 is set as the primary link and WAN2 is set as the backup link Primary WAN2 Secondary WAN1 If you choose this option WAN2 is set as the primary link and WAN1 is set as the backup lin...

Page 44: ...IP address should be in the same subnet as the LAN IP address Lease Time Enter the maximum connection time that a dynamic IP address is leased to a network user When the time elapses the user is automatically renewed the dynamic IP address DNS1 Enter the IP address of the primary DNS server DNS2 Optionally enter the IP address of the secondary DNS server WINS1 Optionally enter the IP address of th...

Page 45: ...of the DHCP pool End IP Enter the ending IP address of the DHCP pool NOTE The Start IP address and End IP address should be in the same subnet with the DMZ IP address Lease Time Enter the maximum connection time that a dynamic IP address is leased to a network user When the time elapses the user is automatically renewed the dynamic IP address DNS1 Enter the IP address of the primary DNS server DNS...

Page 46: ... will be translated to the port 60001 and the port 50002 will be translated to the port 60002 Translated IP Choose the IP address of your local server that needs to be translated If the IP address that you want is not in the list choose Create a new address to create a new IP address object To maintain the IP address objects go to the Networking Address Management page See Address Management page ...

Page 47: ...ss Radio Settings STEP 37 If you are using the ISA550 or ISA570 proceed to Viewing Configuration Summary page 50 If you are using the ISA550W or ISA570W use the Wireless Radio Setting page to configure the wireless radio settings Wireless Radio Click On to turn wireless radio on and hence enable the SSID called cisco data or click Off to turn wireless radio off Wireless Network Mode Choose the 802...

Page 48: ...io off proceed to Viewing Configuration Summary page 50 If you turned the wireless radio on use the Intranet WLAN Access page to configure the wireless connectivity settings for the SSID called cisco data SSID Name The name of the SSID Security Mode Choose the encryption algorithm for data encryption for this SSID and configure the corresponding settings For complete details see Configuring Wirele...

Page 49: ...y license through the Internet and then activates security services The following features are available Anti Virus Anti Virus blocks viruses and malware from entering your network through email web FTP CIFS and NetBIOS applications Check this box to enable the Anti Virus feature on the security appliance or uncheck this box to disable it Intrusion Prevention IPS IPS monitors network protocols and...

Page 50: ...b URL Filtering are reputation based security services You can specify how to deal with the affected traffic when these reputation services are unavailable Choose one of the following options Prevent affected network traffic All affected traffic is blocked until the reputation based security services are available Allow affected network traffic All affected traffic is allowed until the reputation ...

Page 51: ...e Dual WAN Wizard page 51 Configuring a Configurable Port as a Secondary WAN Port page 51 Configuring the Primary WAN page 52 Configuring the Secondary WAN page 52 Configuring WAN Redundancy page 52 Configuring Network Failure Detection page 53 Viewing Configuration Summary page 54 Starting the Dual WAN Wizard STEP 1 Click Configuration Wizards Dual WAN Wizard STEP 2 Click Next Configuring a Confi...

Page 52: ...ction page to configure the secondary WAN connection by using the account information provided by your ISP WAN Name The name of the secondary WAN port IP Address Assignment Depending on the requirements of your ISP choose the network addressing mode and configure the corresponding fields for the secondary WAN port For complete details see Network Addressing Mode page124 STEP 8 After you are finish...

Page 53: ... If you choose this option WAN1 is set as the primary link and WAN2 is set as the backup link Primary WAN2 Secondary WAN1 If you choose this option WAN2 is set as the primary link and WAN1 is set as the backup link Preempt Delay Timer Enter the time in seconds that the security appliance will preempt the primary link from the backup link after the primary link is up again The default is 5 seconds ...

Page 54: ...as an IPsec VPN server If you choose this option follow the on screen prompts to configure an IPsec Remote Access group policy and specify the users and user groups for IPsec remote access For complete details see Using the Remote Access VPN Wizard for IPsec Remote Access page 54 SSL Remote Access Enable the SSL Remote Access feature and hence set the security appliance as a SSL VPN server If you ...

Page 55: ...up Policy STEP 4 Use the IPsec Group Policy page to configure the following parameters of the IPsec Remote Access group policy Group Name Enter the name for the group policy IKE Authentication Method Specify the authentication method Pre shared Key Uses a simple password based key to authenticate If you choose this option enter the desired value that remote VPN clients must provide to establish th...

Page 56: ...ed on the configurations of the backup WAN link For this purpose Dynamic DNS has to be configured because the IP address will change due to failover In this case remote VPN clients must use the domain name of the IPsec VPN server to establish the VPN connections WAN Interface Choose the WAN port that traffic passes through over the VPN tunnel STEP 7 After you are finished click Next Configuring Op...

Page 57: ...ntrol Settings STEP 10 Use the Access Control page to control access from the PC running the Cisco VPN Client software or the private network of the Cisco VPN hardware client to the zones over the VPN tunnel Click Permit to permit access or click Deny to deny access NOTE The VPN firewall rules that are automatically generated by the zone access control settings will be added to the list of firewal...

Page 58: ... Tunnel Click On to enable the split tunneling feature or click Off to disable it Split tunneling allows only traffic that is specified by the VPN client routes to corporate resources through the VPN tunnel If you enable the split tunneling feature you need to define the split subnets To add a subnet enter the IP address and netmask in the IP Address and Netmask fields and click Add To delete a su...

Page 59: ...for this user group so that all members of the group can establish the VPN tunnel to securely access your network resources STEP 23 In the Membership tab specify the members of the user group You must add at least one user in the user group before proceeding To add a member select an existing user from the User list and click the right arrow The members of the group appear in the Membership list T...

Page 60: ...Refer to the following steps Starting the Remote Access VPN Wizard with SSL Remote Access page 60 Configuring SSL VPN Gateway page 60 Configuring SSL VPN Group Policy page 62 Configuring SSL VPN User Groups page 65 Viewing SSL VPN Summary page 66 Starting the Remote Access VPN Wizard with SSL Remote Access STEP 1 Click Configuration Wizards Remote Access VPN Wizard STEP 2 Choose SSL Remote Access ...

Page 61: ...nfigure an IP address range that does not directly overlap with any other addresses on your local network Client Netmask Enter the IP address of the netmask used for SSL VPN clients The client netmask can only be one of 255 255 255 0 255 255 255 128 and 255 255 255 192 The Client Address Pool is used with the Client Netmask The following table displays the valid settings for entering the client ad...

Page 62: ...te client The default value is 300 seconds Gateway DPD Timeout Enter the DPD timeout that a session will be maintained with a nonresponsive SSL VPN gateway The default value is 300 seconds NOTE If the SSL VPN gateway has no response over two or three times of the DPD timeout the SSL VPN session will be terminated Keep Alive Enter the interval in seconds at which the SSL VPN client will send keepal...

Page 63: ...condary WINS server STEP 11 In the IE Proxy Settings tab enter the following information The SSL VPN gateway can specify several Microsoft Internet Explorer MSIE proxies for client PCs If these settings are enabled IE on the client PC is automatically configured with these settings IE Proxy Policy Choose one of the following options None Allows the browser to use no proxy settings Auto Allows the ...

Page 64: ...field and the subnet mask for the destination network in the Netmask field and then click Add Exclude Traffic Allows you to exclude the destination networks on the SSL VPN client Traffic to the destination networks is redirected using the SSL VPN client s native network interface resolved through the ISP or WAN connection To add a destination subnet enter the destination subnet to which a route is...

Page 65: ...roups for SSL remote access The SSL VPN service must be enabled for the user groups All members of a user group can use the selected SSL VPN group policy to establish the SSL VPN connections STEP 17 Click Add to add a user group Other options To edit an entry click the Edit pencil icon To delete an entry click the Delete x icon To delete multiple entries check them and click Delete STEP 18 In the ...

Page 66: ...apply your settings After the settings are saved the security appliance is set as a SSL VPN server The SSL VPN users that belong to the specified user groups can use the selected group policies to establish the SSL VPN connections If you check Client Internet Access the advanced NAT rules will be automatically created to allow SSL VPN clients to access the Internet over SSL VPN tunnels Using the S...

Page 67: ...emote network such as vpn company com Enter the domain name of the remote device in the Remote Address field Authentication Method Specify the authentication method Pre Shared Key Uses a simple password based key to authenticate If you choose this option enter the desired value that the peer device must provide to establish a connection in the Key field The pre shared key must be entered exactly t...

Page 68: ...o HASH algorithms supported by the security appliance SHA1 and MD5 Ensure that the authentication algorithm is configured identically on both sides Authentication Specify the authentication method that the security appliance uses to establish the identity of each IPsec peer PRE_SHARE Use a simple password based key to authenticate The alpha numeric key is shared with IKE peer Pre shared keys do no...

Page 69: ...ntry select it and click Delete The default transform set DefaultTrans cannot be edited or deleted STEP 12 Enter the following information Name Enter the name for the transform set Integrity Choose the hash algorithm used to ensure data integrity The hash algorithm ensures that a packet comes from where it says it comes from and that it has not been modified in transit ESP_SHA1_HMAC Authentication...

Page 70: ...ddress object or choose Create a new address group to add a new address group object To maintain the address and address group objects go to the Networking Address Management page See Address Management page173 NOTE The security appliance can support multiple subnets for establishing the VPN tunnels You should select an address group object including multiple subnets for local and remote networks ...

Page 71: ...he DMZ Wizard to Configure DMZ Settings Use the DMZ Wizard to configure DMZ and DMZ services if you need to host public services Refer to the following steps Starting the DMZ Wizard page 71 Configuring DDNS Profiles page 71 Configuring DMZ Network page 72 Configuring DMZ Services page 74 Viewing Configuration Summary page 76 Starting the DMZ Wizard STEP 1 Click Configuration Wizards DMZ Wizard STE...

Page 72: ... Name Enter the username of the account that you registered in the DDNS provider Password Enter the password of the account that you registered in the DDNS provider Host and Domain Name Specify the complete host name and domain name for the DDNS service Use wildcards Check this box to allow all sub domains of your DDNS host name to share the same public IP address as the host name Update every wee...

Page 73: ...ses or are configured to use another DHCP server DHCP Server Allows the security appliance to act as a DHCP server and assigns IP addresses to all devices that are connected to the DMZ Any new DHCP client joining the DMZ is assigned an IP address of the DHCP pool DHCP Relay Allows the security appliance to use a DHCP Relay If you choose DHCP Relay enter the IP address of the remote DHCP server in ...

Page 74: ... choose Original if the translated service is same as the incoming service If the service that you want is not in the list choose Create a new service to create a new service object To maintain the service objects go to the Networking Service Management page See Service Management page175 NOTE One to one translation will be performed for port range forwarding For example if you want to translate a...

Page 75: ...ox NOTE If you choose Both as the incoming WAN port a firewall rule from Any zone to Any zone will be created accordingly Description Enter the name for the DMZ service For example you host an RDP server 192 168 12 101 on the DMZ Your ISP has provided a static IP address 172 39 202 102 that you want to expose to the public as your RDP server address You can create a DMZ service as follows to allow...

Page 76: ...uring Wireless Radio Settings page 76 Configuring Wireless Connectivity Types page 77 Specify Wireless Connectivity Settings for All Enabled SSIDs page 77 Viewing Configuration Summary page 78 Starting the Wireless Wizard STEP 1 Click Configuration Wizards Wireless Wizard STEP 2 Click Next Configuring Wireless Radio Settings STEP 3 Use the Wireless Radio page to configure the wireless radio settin...

Page 77: ...at you want to use Enable Check this box to enable the SSID Mode Choose the wireless connectivity type for each enabled SSID Intranet WLAN Access Allows the wireless users to access the corporate network via the wireless network By default the WLAN is mapped to the DEFAULT VLAN Guest WLAN Access Only allows the wireless users who connect to the guest SSID to access the corporate network via the wi...

Page 78: ...save your settings Configuring the SSID for Intranet WLAN Access Follow these steps to configure the connectivity settings for Intranet WLAN access STEP 1 Enter the following information SSID Enter the name of the SSID Broadcast SSID Check this box to broadcast the SSID in its beacon frames All wireless devices within range are able to see the SSID when they scan for available networks Uncheck thi...

Page 79: ... to the selected VLAN For Intranet VLAN access you must choose a VLAN that is mapped to a trusted zone User Limit Specify the maximum number of users that can simultaneously connect to this SSID Enter a value in the range of 0 to 200 The default value is zero 0 which indicates that there is no limit for this SSID NOTE The maximum number of users that can simultaneously connect to all enabled SSIDs...

Page 80: ...s that can simultaneously connect to all enabled SSIDs is 200 Configuring the SSID for Captive Portal Access Follow these steps to configure the connectivity settings for Captive Portal access In this configuration the wireless network allows access only by the wireless users who have authenticated successfully When attempting to access the Internet the wireless users will be directed to a specifi...

Page 81: ...n page to access the wireless network without authentication External Uses a custom HotSpot Login page on an external web server to authenticate the wireless users The username and password are required to login External no auth with accept button Allows the wireless users to access the wireless network without entering the username and password If you choose this option click the Accept button on...

Page 82: ... List Specify the ports to monitor HTTP requests HTTP requests through the monitored HTTP ports will be directed to the specified web portal page To add a monitored HTTP port click Add To edit an entry click the Edit pencil icon To delete an entry click the Delete x icon NOTE Captive Portal only monitors HTTPS requests through the port 443 STEP 5 In the Advanced Settings area specify the following...

Page 83: ...only page 98 NAT Status page 99 VPN Status page 100 Active User Sessions page104 Security Services Reports page105 System Status page111 To access the Status pages click Status in the left hand navigation pane Device Status Dashboard Use the Status Dashboard page to view information about the security appliance and its current settings Status Dashboard Field Description System Information System N...

Page 84: ...n standard for hardware products Resource Utilization To see complete details for resource utilization click details CPU Utilization Current CPU usage CPU Utilization Over 1 Minute Average CPU usage in last one minute Memory Utilization Total memory usage after the security appliance boots System Up Time Duration for which the security appliance has been running Current Time The current date and s...

Page 85: ... of Debug logs Click the number link for complete details Site to Site VPN Displays the total number of active site to site VPN tunnels To see complete details click details Remote Access VPN SSL Users Total number of active SSL VPN users Click the SSL Users link for complete details IPsec Users Total number of active IPsec VPN users Click the IPsec Users link for complete details This option is o...

Page 86: ...all VLANs click details Index ID of the VLAN Name Name of the VLAN DHCP Mode DHCP mode of the VLAN IP Address Subnet IP address of the VLAN DMZ Interface To see complete details for all DMZs click details Port Configurable port that is set as the DMZ port Name Name of the DMZ port IP Address Subnet IP address of the DMZ port Wireless Interfaces for ISA550W and ISA570W only To see complete details ...

Page 87: ...e 94 STP Status page 95 CDP Neighbor page 97 Status Summary Use the Status Summary page to view information for the various interfaces Status Summary Field Description Ethernet Port Number of the physical port Name Name of the physical port Enable Shows if the physical port is enabled or disabled Port Type Type of the physical port such as WAN LAN or DMZ Line Status Shows if the physical port is c...

Page 88: ...he WAN port is active or inactive for routing If the WAN port is active for routing the WAN state shows Up If the WAN port is inactive for routing the WAN state shows Down NOTE The state Down means that the network detection fails Even though the WAN state is down due to network detection failure the WAN services like SSL VPN and Remote Administration can still be connected except the IPsec VPN Ac...

Page 89: ... VLAN LAN MAC Address MAC address of the default LAN Name Name of the VLAN VID ID of the VLAN IP Address Subnet IP address of the VLAN Subnet Mask Prefix Length Subnet mask or IPv6 prefix length of the VLAN Physical Port Physical ports that are assigned to the VLAN Zone Zone to which the VLAN is mapped DMZ Physical Port Physical port that is assigned to the DMZ Zone Zone to which the DMZ is mapped...

Page 90: ...t have occurred on this port A collision occurs when the port tries to send data at the same time as a port on the other router or computer that is connected to this port Tx Bytes Sec Number of bytes transmitted by the port per second Rx Bytes Sec Number of bytes received by the port per second Uptime Time that the port has been active The uptime is reset to zero when the security appliance or the...

Page 91: ...VLAN Rx Packets Number of IP packets received by the VLAN Collisions Number of signal collisions that have occurred on this VLAN Tx Bytes Sec Number of bytes transmitted by the VLAN per second Rx Bytes Sec Number of bytes received by the VLAN per second Uptime Time that the LAN port has been active DMZ Name Name of the DMZ Tx Packets Number of IP packets transmitted by the DMZ Rx Packets Number of...

Page 92: ...age by Internet Service This report displays the following information for the top 25 services and applications that consume the most bandwidth Application The name for an known service or application or the port number for an unknown service or application For example if SMTP 6 25 is displayed SMTP is the service name 6 is the protocol number and 25 is the port number of the service Sessions The ...

Page 93: ...r the report is reset Last Refresh Time Displays the time of your last refresh operation WAN Bandwidth Reports Use the WAN Bandwidth page to view the real time WAN network bandwidth usage per hour in the past 24 hours This page is automatically updated every 10 seconds STEP 1 To enable the WAN bandwidth reports check the box next to Collect and Display WAN Bandwidth Statistics STEP 2 Click Save to...

Page 94: ... Use the DHCP Bindings page to view information for DHCP address assignment This page is automatically updated every 10 seconds Click Refresh to manually refresh the data DHCP Bindings Field Description IP Address IP address of the device Flag Flag type of the device MAC Address MAC address of the device which is associated with the IP address Device Device interface type Field Description IP Addr...

Page 95: ... choose a VLAN STP Status Global Status Interface Status Table Field Description Bridge ID An unique ID for the other devices on the network to identify this device Root Bridge ID The bridge ID of the root bridge Root Port The Port ID of the root port The root port is the port with the lowest path cost to the root bridge The root bridge does not have a root port Root Path Cost The cost of the shor...

Page 96: ...ut blocked by STP It will not transmit or receive any traffic Listening This port will receive and process STP bridge protocol data units BPDUs but will not forward any data traffic Learning This port will start to learn MAC addresses from the received packets It will also receive and process STP BPDUs but will not forward any data traffic Forwarding This port will forward data traffic process BPD...

Page 97: ...the LAN segment Field Description Field Description Device ID The host name of the neighboring device Local Port The outgoing port that the security appliance is using for this connection Duration The time interval in seconds that the security appliance will keep CDP information from a neighboring device Function The neighbor s device type R Router T Trans Bridge B Source Route Bridge S Switch H H...

Page 98: ...onds Click Refresh to manually refresh the data Wireless Status Wireless Status Field Description Wireless Status SSID Number Number of the SSID SSID Name Name of the SSID MAC Address MAC address of the SSID VLAN VLAN to which the SSID is mapped Client List Number of client stations that are connected to the SSID Wireless Statistics Name Name of the SSID Tx Packets Number of transmitted packets on...

Page 99: ... active Field Description Field Description Original Source Address Original source IP address in the packet Original Destination Address Original destination IP address in the packet Source Port Source interface that traffic comes from Destination Port Destination interface that traffic goes to Translated Destination Address IP address that the specified original destination address is translated...

Page 100: ... transmitted packets Rx Packets Number of received packets Tx Bytes Sec Volume in bytes of transmitted traffic Rx Bytes Sec Volume in bytes of received traffic Field Description Field Description Active Sessions To manually terminate an active IPsec VPN session click the Disconnect icon in the Connect column To manually terminate multiple active IPsec VPN sessions check them and click the Disconne...

Page 101: ... VPN server and a remote VPN client it displays the IP address of the remote VPN client Local Network Subnet IP address and netmask of your local network Remote Network Subnet IP address and netmask of the remote network Statistics Name VPN policy used for an IPsec VPN session VPN Type VPN connection type for an IPsec VPN session WAN Interface WAN port used for an IPsec VPN session Remote Gateway ...

Page 102: ... IP address of the primary DNS server Secondary DNS IP address of the secondary DNS server Primary WINS IP address of the primary WINS server Secondary WINS IP address of the secondary WINS server Default Domain Default domain name Split Tunnel IP address and netmask for the specified split subnets Split DNS IP address or domain name for the specified split DNS Backup Server 1 2 3 IP address or ho...

Page 103: ...received from all clients In CSTP Data Number of CSTP data frames received from all clients In CSTP Control Number of CSTP control frames received from all clients Out CSTP Frames Number of CSTP frames sent to all clients Out CSTP Bytes Total number of bytes in the CSTP frames sent to all clients Out CSTP Data Number of CSTP data frames sent to all clients Out CSTP Control Number of CSTP control f...

Page 104: ...ll active user sessions that are currently logged into the security appliance This page is automatically updated every 10 seconds Click Refresh to manually refresh the data Click the Logout icon to terminate a web login user session or a VPN user session Active User Sessions In CSTP Bytes Total number of bytes in the CSTP frames received from the client In CSTP Data Number of CSTP data frames rece...

Page 105: ...ake sure that the corresponding security service is enabled Web Security Report This report displays the number of web access requests logged and the number of websites blocked by Web URL Filtering Web Reputation Filtering or both STEP 1 In the Web Security tab specify the following information Enable Check this box to enable the web security report or uncheck this box to disable it Blocked Reques...

Page 106: ...ormation Enable Check this box to enable the Anti Virus report or uncheck this box to disable it Detected Requests Check this box to display the number of viruses detected by the Anti Virus service in the graph To view more information about detected requests click the red bar in the graph A pop up window Field Description System Date Current system time Total Since Activated Total number of web a...

Page 107: ...ify the following information Enable Check this box to enable the email security report or uncheck this box to disable it Blocked Requests Check this box to display the number of spam or suspected spam emails detected by the Spam Filter service in the graph Processed Requests Check this box to display the number of emails checked by the Spam Filter service in the graph Field Description System Dat...

Page 108: ...cessed Requests Check this box to display the number of packets checked by the Network Reputation service in the graph STEP 2 Click Save to save your settings Field Description System Date Current system time Total Since Activated Total number of emails checked and total number of spam or suspected spam emails detected since the Spam Filter service was activated Total Last 7 Days Total number of e...

Page 109: ...ate and time the IP address and the MAC address of the source and of the destination the action taken and the number of times that this event was detected Processed Requests Check this box to display the number of packets detected by the IPS service in the graph STEP 2 Click Save to save your settings Field Description System Date Current system time Total Since Activated Total number of packets c...

Page 110: ...blocked request the date and time the IP address and the MAC address of the host that initiated the request the blocked application and the number of times that the application was blocked Processed Requests Check this box to display the number of packets detected by the Application Control service in the graph STEP 2 Click Save to save your settings Field Description System Date Current system ti...

Page 111: ...tus Processes Field Description System Date Current system time Total Since Activated Total number of packets detected and total number of packets blocked since the Application Control service was activated Total Last 7 Days Total number of packets detected and total number of packets blocked in last seven days Total Today Total number of packets detected and total number of packets blocked in one...

Page 112: ...scription CPU Utilization CPU Usage by User CPU resource currently used by user space processes in percentage CPU Usage by Kernel CPU resource currently used by kernel space processes in percentage CPU Idle CPU idle resource at current time in percentage CPU Waiting for I O CPU resource currently waiting for I O in percentage Memory Utilization Total Memory Total amount of memory space available o...

Page 113: ...Status System Status edit TITLE 113 3 Buffer Memory Total amount of memory space currently used as buffers Field Description ...

Page 114: ...atus page 115 Configuring IPv4 or IPv6 Routing page115 Managing Ports page 115 Configuring the WAN page121 Configuring a VLAN page136 Configuring DMZ page 140 Configuring Zones page145 Configuring DHCP Reserved IPs page148 Configuring Routing page 148 Configuring Quality of Service page154 Configuring IGMP page170 Configuring VRRP page172 Address Management page 173 Service Management page175 To a...

Page 115: ...rld IPv6 quadruples the number of network address bits from 32 bits in IPv4 to 128 bits resulting in an exponentially larger address space You can configure the security appliance to support IPv6 addressing on the WAN LAN and DMZ CAUTION ISA500 currently supports limited IPv6 functionalities ISA500 does not support firewall VPN and other security services for IPv6 in this firmware Enabling IPv6 ca...

Page 116: ...port is always set to the Access mode A LAN port can be set to the Access or Trunk mode VLAN The VLANs to which the physical port is mapped PVID The Port VLAN ID PVID is used to forward or filter the untagged packets coming into port The PVID of a trunk port is fixed to the DEFAULT VLAN 1 Speed Duplex The duplex mode speed and duplex setting of the physical port Link Status Shows if the physical p...

Page 117: ...l port Port Type The type of the physical port such as WAN LAN or DMZ Mode Choose either Access or Trunk mode for a LAN port or choose Access for a WAN or DMZ port By default all ports are set to the Access mode Access All data going into and out of the Access port is untagged Access mode is recommended if the port is connected to a single end user device which is VLAN unaware Trunk All data going...

Page 118: ...he source port and the destination port Even with flow control enabled the packet drops may occur if the receiving port runs out of buffers Speed Choose one of these options AUTO 10M 100M and 1000M The default is AUTO for all ports The AUTO option lets the system and network determine the optimal port speed Duplex Choose either Half or Full based on the port speed setting The default is Full Duple...

Page 119: ...vices 802 1x capable clients from gaining access to the network The IEEE 802 1x standard defines a client server based access control and authentication protocol that restricts unauthorized devices from connecting to a VLAN through publicly accessible ports The authentication server authenticates each client supplicant in Windows 2000 XP Vista Windows 7 and Mac OS connected to a port before making...

Page 120: ... one of the following icons Forced Authorized Disable the 802 1x access control feature and cause the port to transition to the authorized state without any authentication exchange required The port transmits and receives normal traffic without 802 1x based authentication of the client Forced Unauthorized Cause the port to remain in the unauthorized state ignoring all attempts by the client to aut...

Page 121: ...e port is also assigned to the selected guest VLAN when Guest Authentication is enabled STEP 5 Click OK to save your settings STEP 6 Click Save to apply your settings Configuring the WAN By default the security appliance is configured to receive a public IP address from your ISP automatically through DHCP Depending on the requirements of your ISP you may need to use the Networking WAN pages modify...

Page 122: ...The physical port associated with the primary WAN WAN Name The name of the primary WAN WAN1 IP Address Assignment Depending on the requirements of your ISP choose the network addressing mode and complete the corresponding settings The security appliance supports DHCP Client Static IP PPPoE PPTP and L2TP For information on configuring network addressing mode see Network Addressing Mode page124 DNS ...

Page 123: ...to configuration SLAAC SLAAC SLAAC provides a convenient method to assign IP addresses to IPv6 nodes This method does not require any human intervention from an IPv6 user If you choose SLAAC the security appliance can generate its own addresses using a combination of locally available information and information advertised by routers Static IP If your ISP assigned a static IPv6 address configure t...

Page 124: ...ssing Mode The security appliance supports five types of network addressing modes You need to specify the network addressing mode for the primary WAN and the secondary WAN depending on your ISP requirements NOTE Confirm that you have proper network information from your ISP or a peer router to configure the security appliance to access the Internet Network Addressing Mode Configuration DHCP Client...

Page 125: ...llowing fields IP Address Enter the IP address of the WAN port that can be accessible from the Internet Subnet Mask Enter the IP address of the subnet mask Gateway Enter the IP address of default gateway MTU The Maximum Transmission Unit is the size in bytes of the largest packet that can be passed on Choose Auto to use the default MTU size or choose Manual if you want to specify another size MTU ...

Page 126: ...he connection always on regardless of the level of activity This choice is recommended if you pay a flat fee for your Internet service MTU Choose Auto to use the default MTU size or choose Manual if you want to specify another size MTU Value If you choose Manual enter the custom MTU size in bytes Add VLAN Tag Click Yes to support VLAN Tagging 802 1q over the WAN port or click No to disable it VLAN...

Page 127: ...t Point to Point Encryption MPPE encrypts data in PPP based dial up connections or PPTP VPN connections Check this box to enable the MPPE encryption to provide data security for the PPTP connection that is between the VPN client and the VPN server Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity Idle Time This ch...

Page 128: ...is required to log into the L2TP server L2TP Server IP Address Enter the IP address of the L2TP server Secret Optional L2TP incorporates a simple optional CHAP like tunnel authentication system during control connection establishment Enter the secret for tunnel authentication if necessary Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specif...

Page 129: ...f the same speed For example you can bind the high volume services through the port that is connected to a high speed link and bind the low volume services to the port that is connected to the slower link Load balancing is implemented for outgoing traffic and not for incoming traffic To maintain better control of WAN port traffic consider making the WAN port Internet address public and keeping the...

Page 130: ...he backup link When the primary link regains connectivity all Internet traffic is directed to the primary link and the backup link becomes idle By default WAN1 is set as the primary link and the WAN2 is set as the backup link NOTE When the security appliance is working in the Failover mode the Policy Based Routing settings will be ignored Select WAN Precedence Choose which link to use as the prima...

Page 131: ...r click Off to disable it Retry Count Enter the number of retries The security appliance repeatedly tries to connect to the ISP after the link failure is detected The default value is 5 Retry Timeout If the connection to the ISP is down the security appliance tries to connect to the ISP after a specified timeout Enter the timeout in seconds to re connect to the ISP The default value is 5 seconds P...

Page 132: ...raffic goes through the cable link since it has larger bandwidth and the rest traffic goes through the DSL link As lots of secure websites such as bank or online shopping are sensitive to flip flop the source IP address let traffic for https ftp video and game go through the cable link Solution Complete the following configuration tasks Configure a configurable port as the secondary WAN WAN2 See C...

Page 133: ... The DDNS daemon starts but the DDNS updating process is not complete yet Active updated WANx The DDNS updating process is complete and the address of the WAN interface is updated to the user specified domain name Adding or modifying a DDNS service Click Add to add a new DDNS service To edit an entry click the Edit pencil icon To delete an entry click the Delete x icon STEP 1 Enter the following i...

Page 134: ...e the navigation tree to choose either Primary WAN Metering or Secondary WAN Metering STEP 1 In the Traffic Meter area enter the following information Enable Click On to enable traffic metering on the port or click Off to disable it Enabling this feature on the port will keep a record of the volume of traffic going from this port Traffic Limit Specify the restriction on the volume of data being tr...

Page 135: ...es mm and select the day of the month in the Reset Time area Send Email Report Click On to send an alert email to the specified email address before the traffic counter is reset or click Off to disable it This feature requires that you enable the Traffic Meter Alert feature and configure the email server settings on the Email Alert Settings page See Configuring Email Alert Settings page 358 STEP 3...

Page 136: ...N GUEST with VLAN ID 2 and IP address 192 168 25 1 By default this VLAN is in the GUEST zone A voice VLAN VOICE with VLAN ID 100 and IP address 10 1 1 2 By default this VLAN is in the VOICE zone You can change the settings for predefined VLANs or add new VLANs to meet your business needs NOTE Up to 16 VLANs can be configured on the security appliance Start Date Time Date on which the traffic meter...

Page 137: ...ure broadcast radiation Voice VLAN Check the box if you want voice applications to use this VLAN Port Assign the LAN ports to the VLAN Traffic through the selected LAN ports is directed to the VLAN All available ports including the dedicated LAN ports and the configurable ports appear in the Port list Choose the ports from the Port list and click Access to add them to the Member list and set the s...

Page 138: ...ddress and End IP address should be in the same subnet with the VLAN IP address Lease Time Enter the maximum connection time that a dynamic IP address is leased to a network user When the time elapses the user will be automatically renewed the dynamic IP address DNS1 Enter the IP address of the primary DNS server DNS2 Optionally enter the IP address of the secondary DNS server WINS1 Optionally ent...

Page 139: ...IP address pre configured it sends a request with option 150 or 66 to the DHCP server to obtain this information STEP 5 In the IPv6 Setting tab specify IPv6 addressing for the VLAN if you enable the IIPv4 or Pv6 mode IPv6 Address Enter the IPv6 address based on your network requirements IPv6 Prefix Length Enter the number of characters in the IPv6 prefix The IPv6 network subnet is identified by th...

Page 140: ...security to the LAN The public can connect to the services on the DMZ but cannot penetrate the LAN You should configure your DMZ to include any hosts that must be exposed to the WAN such as web or email servers About DMZ networks This section describes how to configure the DMZ networks The DMZ configuration is identical to the VLAN configuration There are no restrictions on the IP address or subne...

Page 141: ...rable port to be used as a DMZ port A firewall rule allows inbound HTTP traffic to the web server at 172 16 2 30 Internet users enter the domain name that is associated with the IP address 209 165 200 225 and can then connect to the web server The same IP address is used for the WAN interface DMZ Interface 172 16 2 1 283049 www example com Internet Public IP Address 209 165 200 225 ISA500 User 192...

Page 142: ... 30 The firewall rule specifies an external IP address of 209 165 200 226 Internet users enter the domain name that is associated with the IP address 209 165 200 226 and can then connect to the web server Configuring a DMZ STEP 1 To add a new DMZ click Add To modify the settings for a DMZ click the Edit pencil icon Other options To delete a DMZ click the Delete x icon DMZ Interface 172 16 2 1 2830...

Page 143: ...ical port Zone Choose the default DMZ zone or a custom DMZ zone to which the DMZ is mapped You can click the Create Zone link to view edit or add the zones on the security appliance STEP 3 In the DHCP Pool Settings tab choose the DHCP mode from the DHCP Mode drop down list Disable Choose this option if the computers on the DMZ are configured with static IP addresses or are configured to use anothe...

Page 144: ...is is used in conjunction with the option 66 to allow the client to form an appropriate TFTP request for the file Enter the configuration bootstrap file name on the specified TFTP server Option 150 Supports a list of TFTP servers 2 TFTP servers Enter the IP addresses of TFTP servers Separate multiple entries with commas STEP 5 In the IPv6 Setting tab specify IPv6 addressing for the DMZ if you enab...

Page 145: ...We recommend that you configure the zones before you configure WAN VLAN DMZ zone based firewall and security services Security Levels for Zones The security level for the zone defines the level of trust given to that zone The security appliance supports five security levels for the zones as described below The greater value the higher the permission level The predefined VPN and SSLVPN zones have t...

Page 146: ...nnections This zone does not have an assigned physical port VPN The VPN zone is a virtual zone used for simplifying secure IPsec VPN connections This zone does not have an assigned physical port GUEST The GUEST zone can only be used for guest access By default the GUEST VLAN is mapped to this zone VOICE The VOICE zone is a security zone designed for voice traffic Traffic coming and outgoing from t...

Page 147: ...ick the right arrow to add them to the Mapped to Zone list Up to 16 VLANs can be mapped to a zone STEP 3 Click OK to save your settings and close the pop up window STEP 4 Click Save to apply your settings NOTE Next steps After you create a new zone a certain amount of firewall rules will be automatically generated to permit or block traffic from the new zone to other zones or from other zones to t...

Page 148: ...ete x icon The DHCP IP Reservation Add Edit window opens STEP 2 Enter the following information Name Enter the name for the DHCP Reservation rule MAC Address Enter the MAC address of the host under a VLAN IP Address Enter the IP address that is assigned to the host The address must be within the DHCP pool of the VLAN STEP 3 Click OK to save your settings and close the pop up window STEP 4 Click Sa...

Page 149: ...rovide measurable values that can be used to judge how useful or how low cost a route will be Interface The physical port through which this route is accessible This page is automatically updated every 10 seconds Click Refresh to manually refresh the routing table Configuring Routing Mode Use the Networking Routing Routing Mode page to enable or disable routing mode based on the requirements of yo...

Page 150: ... an existing address object for the host or for the network that the route leads to If the address object that you want is not in the list choose Create a new address to create a new address object To maintain the address objects go to the Networking Address Management page See Address Management page173 Setting as default route Check this box to set this static route as the default route Next Hop...

Page 151: ...s is the most commonly supported version RIP Version 2 includes all the functionality of RIPv1 plus it supports subnet information Default The data is sent in RIP Version 1 format and received in RIP Version 1 and 2 format This is the default setting STEP 2 In the table specify the RIP settings for each available interface RIP Enable Check this box to enable the RIP settings on the port or VLAN Au...

Page 152: ...WAN1 and bind the FTP protocol to WAN2 In this case the security appliance automatically channels FTP data through WAN2 If multiple routing features operate simultaneously the security appliance first matches the Policy Based Routing rules and then matches the Static Routing and default routing rules For example if the WAN redundancy is set as the Weighted Load Balancing mode and the Policy Based ...

Page 153: ...s to create a new address object To maintain the address objects go to the Networking Address Management page See Address Management page173 Destination IP For service binding only choose Any For IP binding only choose the destination IP address for outbound traffic DSCP Choose the DSCP value to assign the traffic priority Route to Choose the WAN port that outbound traffic routes to Failover Click...

Page 154: ...age 154 Configuring WAN QoS page155 Configuring LAN QoS page165 Configuring Wireless QoS page168 General QoS Settings Use the General Settings page to enable or disable the WAN QoS LAN QoS and WLAN QoS features STEP 1 Click Networking QoS General Settings STEP 2 Enter the following information WAN QoS Check this box to enable WAN QoS By default WAN QoS is disabled LAN QoS Check this box to enable ...

Page 155: ...ping WAN QoS Policy Profiles to WAN Interfaces page 160 WAN QoS Configuration Example page 161 Configure WAN QoS for Voice Traffic from LAN to WAN page 163 Configuring WAN QoS for Voice Traffic from WAN to LAN page164 Managing WAN Bandwidth for Upstream Traffic Use the Bandwidth page to specify the maximum bandwidth for upstream traffic allowed on each WAN interface STEP 1 Click Networking QoS WAN...

Page 156: ...obin WRR Enter the WRR weight in percentage assigned to the queues that you want to use Traffic scheduling for the selected queue is based on WRR Strict Priority SP Egress traffic from the highest priority queue Q1 is transmitted first Traffic from the lower queues is processed only after the highest queue has been transmitted thus providing the highest level of priority of traffic to the highest ...

Page 157: ...ket source to decrease its transmission rate Assuming the packet source is using TCP it will decrease its transmission rate until all the packets reach their destination indicating that the congestion is cleared STEP 5 Click Save to apply your settings Configuring Traffic Selectors Traffic Selector or Traffic Classification is used to classify traffic through WAN interfaces to a given traffic clas...

Page 158: ... from the drop down list If the service objects that you want are not in the list choose Create a new service to create a new service object To maintain the service objects go to the Networking Service Management page See Service Management page175 DSCP DSCP is a field in an IP packet that enables different levels of service to be assigned to network traffic Select the DSCP values for the traffic ...

Page 159: ...information Policy Name Enter the name for the WAN QoS policy profile Apply this policy to Click Inbound Traffic to apply this policy profile for inbound traffic or click Outbound Traffic to apply this policy profile for outbound traffic STEP 4 Specify the QoS settings for the traffic classes that you want to associate with the policy profile For complete details see Configuring WAN QoS Class Rule...

Page 160: ...ps for the selected traffic class For example if the policy profile is applied to inbound traffic the rate limiting setting only applies to incoming traffic that belongs to the selected class The default value is 0 Kbps which indicates that there is no limit STEP 3 Click OK to save your settings Mapping WAN QoS Policy Profiles to WAN Interfaces Use the Policy Profile to Interface Mapping page to a...

Page 161: ...ort of the security appliance Solution For the voice traffic from LAN to WAN outbound voice traffic make sure that the outbound voice traffic is handled by the highest priority queue Q1 and other outbound traffic such as data traffic is handled by the lower priority queues Q2 to Q6 For the voice traffic from WAN to LAN inbound voice traffic CoS and DSCP will be remarked so that the voice switch ca...

Page 162: ...fy the upstream bandwidth for the WAN port Configure WAN QoS for the outbound voice traffic For complete details see Configure WAN QoS for Voice Traffic from LAN to WAN page 163 Configure WAN QoS for the inbound voice traffic For complete details see Configuring WAN QoS for Voice Traffic from WAN to LAN page164 IP Address voice_switch_ip NOTE In this case you can manually create an IP address obje...

Page 163: ... priority and is always processed to completion before the lower priority queues b Enter the percentage assigned to other queues Q2 to Q6 that you want to use STEP 2 Go to the Networking QoS WAN QoS Traffic Selector Classification page to add two traffic selectors used to classify the outbound voice and data traffic a Add a traffic selector as follows to classify the outbound data traffic b Add a ...

Page 164: ...e inbound voice traffic from WAN to LAN STEP 1 Go to the Networking QoS WAN QoS Traffic Selector Classification page to add a traffic selector as follows to classify the inbound voice traffic STEP 2 Go to the Networking QoS WAN QoS QoS Policy Profile page to add a class based QoS policy profile as follows to manage the inbound voice traffic through the WAN port QoS Class Rule 1 Class Choose the tr...

Page 165: ...and give preference to higher priority traffic such as telephone calls Refer to the following topics Configuring LAN Queue Settings page166 Configuring LAN QoS Classification Methods page166 Mapping CoS to LAN Queue page 167 Mapping DSCP to LAN Queue page167 Configuring Default CoS page168 QoS Class Rule Add a QoS class rule with the following settings Class Choose the traffic class called voice i...

Page 166: ...nd WRR to other queues Q2 to Q4 If you choose SP WRR the PQ is assigned to Q1 and the predefined weights 4 2 and 1 are assigned to Q2 Q3 and Q4 respectively There is no limit for PQ indicating that WRR queues may be starved if PQ is always sending traffic greater than the maximum bandwidth of the LAN ports STEP 3 If needed enter the description for each queue in the field in the Queue Description ...

Page 167: ...CoS priority tag value is mapped Four traffic priority queues are supported where Q4 is the lowest and Q1 is the highest STEP 3 Click Save to apply your settings Mapping DSCP to LAN Queue STEP 1 Click Networking QoS LAN QoS Mapping DSCP to Queue STEP 2 Choose the traffic forwarding queue to which the DSCP priority tag value is mapped Four traffic priority queues are supported where Q4 is the lowes...

Page 168: ...ts through the LAN interfaces or choose No to change the CoS tag value for packets through the LAN interfaces STEP 3 Click Save to apply your settings Configuring Wireless QoS Wireless QoS controls priority differentiation for data packets in wireless egress direction Refer to the following topics Default Wireless QoS Settings page168 Configuring Wireless QoS Classification Methods page169 Mapping...

Page 169: ... Click Networking QoS Wireless QoS Classification Methods STEP 2 Depending on your networking design choose either DSCP or CoS remarking method for traffic through each SSID 1 1 Background Priority 2 2 Background Priority 3 4 Video Priority 4 5 Video Priority 5 6 Voice Priority 6 7 Voice Priority 7 7 Voice Priority 802 11e Priority 802 1p Priority 0 Best Effort Priority 0 1 Background Priority 1 2...

Page 170: ...ck Save to apply your settings Configuring IGMP Internet Group Management Protocol IGMP is a communication protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships IGMP can be used for online streaming video and gaming and can allow more efficient use of resources when supporting these types of applications IGMP Proxy enables hosts that are not directly c...

Page 171: ...P Version 1 Hosts can join multicast groups There are no leave messages Routers use a time out based mechanism to discover the groups that are of no interest to the members IGMP Version 2 Leave messages are added to the protocol This allows group membership termination to be quickly reported to the routing protocol which is important for high bandwidth multicast groups and or subnets with highly v...

Page 172: ...hysical interface this router will function as a master virtual router VRID The ID of the master virtual router A virtual router has a unique ID that will be represented as the unique virtual MAC address Enter a value from 1 to 255 Priority The priority of the master virtual router Priority determines the role that each VRRP router plays and what happens if the master virtual router fails Enter a ...

Page 173: ...gement Use the Address Management page to manage the address and address group objects The security appliance is configured with a long list of common address objects so that you can use to configure firewall rules port forwarding rules or other features See Default Address Objects page 426 Refer to the following topics Configuring Addresses page173 Configuring Address Groups page 174 Configuring ...

Page 174: ...undaries are defined by a valid netmask Network address objects must be defined by the network s address and a corresponding netmask As a general rule the first address in a network the network address and the last address in a network the broadcast address are unusable If you choose Network enter the subnet IP address in the IP Address field and the broadcast address in the Netmask field MAC Iden...

Page 175: ...om the right list and click the left arrow STEP 6 Click OK to save your settings STEP 7 Click Save to apply your settings Service Management Use the Service Management page to maintain the service or service group objects The security appliance is configured with a long list of standard services so that you can use to configure the firewall rules port forwarding rules or other features See Default...

Page 176: ...used to send error and control messages If you choose this option enter the ICMP type in the ICMP Type field TCP Transmission Control Protocol TCP is a transport protocol in TCP IP TCP ensures that a message is sent accurately and in its entirety If you choose this option enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field UDP User Da...

Page 177: ...or the service group in the Group Name field STEP 4 To add the services to the group select the services from the left list and click the right arrow STEP 5 To remove the services from the group select the services from the right list and click the left arrow STEP 6 Click OK to save your settings STEP 7 Click Save to apply your settings Configuring Captive Portal Captive Portal allows the users wh...

Page 178: ...t Login page on the specified external web server to authenticate the users The username and password are required to login External no auth with accept button Allows the users to access the wireless network without entering the username and password If you choose this option click the Accept button on the custom HotSpot Login page to access the wireless network without authentication Redirected U...

Page 179: ...play on the login page Click Browse to locate and select an image file from your local PC and then click Upload To delete the loaded file click Delete Background File You can import an image to display as the background for the login page Click Browse to locate and select an image file jpg gif or png from your local PC and then click Upload To delete the loaded file click Delete NOTE When uploadin...

Page 180: ...d web page portal NOTE Captive Portal only monitors HTTPS requests through the port 443 a To add a monitored HTTP port click Add The Port Configuration Add Edit window opens b Enter the port number in the Port field c Click OK to save your settings STEP 5 In the Advanced Settings Open Domains area specify the IP address or domain name for the websites that you want to open The users can access the...

Page 181: ...k It includes the following sections Viewing Wireless Status page182 Configuring the Basic Settings page183 Configuring SSID Profiles page185 Configuring Wi Fi Protected Setup page194 Configuring Captive Portal page 196 Configuring Wireless Rogue AP Detection page199 Advanced Radio Settings page 201 To access the Wireless pages click Wireless in the left hand navigation pane ...

Page 182: ...ery 10 seconds Click Refresh to manually refresh the data Wireless Wireless Status Wireless Status Field Description Wireless Status SSID Number Number of the SSID SSID Name Name of the SSID MAC Address MAC address of the SSID VLAN VLAN to which the SSID is mapped Client List Number of client stations that are connected to the SSID Wireless Statistics Name Name of the SSID Tx Packets Number of tra...

Page 183: ... 1 Click Wireless Basic Settings STEP 2 Enter the following information Wireless Radio Click On to turn wireless radio on and hence enable the SSID called cisco data or click Off to turn wireless radio off Enabling any SSID will turn on wireless radio Disabling all SSIDs will turn off wireless radio Wireless Mode Choose the 802 11 modulation technique 802 11b g mixed Choose this mode if some devic...

Page 184: ...nter the name for a SSID SSID Broadcast Check this box to broadcast the SSID in its beacon frames All wireless devices within range are able to see the SSID when they scan for available networks Uncheck this box to prevent auto detection of the SSID In this case users must know the SSID to set up a wireless connection to this SSID NOTE Disabling SSID Broadcast is sufficient to prevent clients from...

Page 185: ...re allocated among different applications By default WMM is enabled when you choose a wireless mode that includes 802 11n Station Isolation Check so that the wireless clients on the same SSID will be unable to see each other STEP 4 Click Save to apply your settings Configuring SSID Profiles ISA550W and ISA570W support four SSIDs By default all SSIDs are disabled For security purposes we strongly r...

Page 186: ...nt stations will not exceed 54 Mbps STEP 1 Click Wireless Basic Settings STEP 2 In the SSIDs area click the Edit pencil icon to edit the settings for the SSID The SSID Edit window opens STEP 3 In the Security Mode tab specify the following information SSID Name The name of the SSID on which the security settings are applied User Limit Specify the maximum number of users that can simultaneously con...

Page 187: ...provides better security than WEP because it uses dynamic key encryption This standard was implemented as an intermediate measure to replace WEP pending final completion of the 802 11i standard for WPA2 The security appliance supports the following WPA security modes Choose one of them if you need to allow access to devices that do not support WPA2 WPA Personal Supports TKIP Temporal Key Integrity...

Page 188: ...nterprise Uses WPA2 with RADIUS authentication This mode always uses AES encryption mechanism for data encryption and requires the use of a RADIUS server to authenticate users WPA WPA2 Allows both WPA and WPA2 clients to connect simultaneously The SSID automatically chooses the encryption algorithm used by each client device This security mode is a good choice to enable a higher level of security ...

Page 189: ...e to use the wireless network Key 1 4 If a WEP Passphrase is not specified a key can be entered directly into one of the Key boxes The length of the key should be 5 ASCII characters or 10 hex characters for 64 bit encryption and 13 ASCII characters or 26 hex characters for 128 bit encryption STEP 6 If you choose WPA Personal as the security mode enter the following information Encryption Choose ei...

Page 190: ...key is not refreshed The default value is 3600 seconds STEP 9 If you choose WPA Enterprise as the security mode enter the following information Encryption Choose either TKIP or AES as the encryption algorithm for data encryption The default is TKIP Key Renewal Timeout Enter a value to set the interval at which the key is refreshed for clients associated to this SSID The valid range is 0 to 4194303...

Page 191: ...specify will replace the default settings of the selected group To maintain the RADIUS servers go to the Users RADIUS Servers page See Configuring RADIUS Servers page 351 STEP 11 If you choose WPA WPA2 Enterprise Mixed as the security mode enter the following information Encryption Automatically choose TKIP or AES encryption algorithm for data encryption Key Renewal Timeout Enter a value to set th...

Page 192: ... secure to use this feature to allow access to the specified MAC addresses thereby denying access to unknown MAC addresses STEP 1 Click Wireless Basic Settings STEP 2 In the SSIDs area click the Edit pencil icon to edit the settings for the SSID The SSID Edit window opens STEP 3 In the MAC Filtering tab enter the following information SSID Name The name of the SSID on which the MAC Filtering setti...

Page 193: ...pped VLAN Choose the VLAN from the drop down list The SSID is mapped to the selected VLAN All traffic from the wireless clients that are connected to this SSID will be directed to the selected VLAN STEP 4 Click OK to save your settings STEP 5 Click Save to apply your settings Configuring SSID Schedule This section describes how to specify the schedule to keep the SSID active within a specific time...

Page 194: ...cted Setup page to configure Wi Fi Protected Setup WPS on the security appliance to allow WPS enabled devices to more easily connect to the wireless network STEP 1 Click Wireless Wi Fi Protected Setup The Wi Fi Protected Setup window opens STEP 2 Click On to enable WPS or click Off to disable it STEP 3 If you enable WPS specify the following WPS settings WPS Configuration Status Determines whether...

Page 195: ...curity The security mode currently used for the selected SSID Encryption The encryption method currently used for the selected SSID STEP 4 If the wireless client device has a WPS push button follow these steps to establish the WPS connection a Enable WPS on the security appliance b Click the WPS button on this page c Press the WPS push button on the wireless client device within 2 minutes d Verify...

Page 196: ... WPS on the security appliance to prevent the WPS brute force attack STEP 7 Click Save to apply your settings Configuring Captive Portal Captive Portal allows the users who have authenticated successfully to be directed to a specified web page portal before they can access the Internet The users will be directed to a specified web authentication login page to authenticate and then be directed to t...

Page 197: ...sername and password If you choose this option click the Accept button on the custom HotSpot Login page to access the wireless network without authentication Redirected URL After Login Choose one of the following options Redirect Client to Customer URL Directs the users to a particular URL such as the URL for your company after they logged in If you choose this option enter the desired URL in the ...

Page 198: ...en click Upload To delete the loaded file click Delete NOTE When uploading a file select a bmp jpg gif or png file of 200KB or less The Current Logo File field displays the filename of the file that is in use or Default if no file has been uploaded for this purpose Cisco Logo If you want to hide the Cisco logo that appears on the login page choose Hide Otherwise choose Show Headline If you want to...

Page 199: ... Click Save to apply your settings Configuring Wireless Rogue AP Detection A Rogue AP is an access point connected to your network without authorization It is not under the management of your network administrators and does not necessarily conform to your network security policies The security appliance provides proactive Rogue AP Detection in the 2 4 GHz band Rogue AP Detection is able to discove...

Page 200: ...lick the Delete x icon To change the MAC address of an authorized access point click the Edit pencil icon To export the list of authorized access points to a file click Export To import the list of authorized access points from a file click Import Choose whether to replace the existing list of Authorized Access Points or add the entries in the imported file to the list of Authorized Access Points ...

Page 201: ... can minimize collisions among hidden stations Select the Disabled radio button if you want to permanently disable this feature Power Output You can adjust the output power of the access point to get the appropriate coverage for your wireless network Choose the level that you need for your environment If you are not sure of which setting to select then use the default setting 100 Beacon Interval B...

Page 202: ...ts can help the network recover from interference or collisions Set the threshold by entering the packet size in bytes Enter a value from 1 to 2347 The default value is 2347 which effectively disables RTS Fragmentation Threshold The fragmentation threshold is the frame length that requires packets to be broken up fragmented into two or more frames Setting a lower value can reduce collisions becaus...

Page 203: ...und Traffic page 204 Configuring NAT Rules to Securely Access a Remote Network page 213 Firewall and NAT Rule Configuration Examples page 226 Configuring Content Filtering to Control Internet Access page 233 Configuring MAC Address Filtering to Permit or Block Traffic page 237 Configuring IP MAC Binding to Prevent Spoofing page 238 Configuring Attack Protection page 239 Configuring Session Limits ...

Page 204: ...urity zone is a group of interfaces to which a security policy can be applied to control traffic between zones For ease of deployment the Cisco ISA500 has several predefined zones with default security settings to protect your network You can create additional zones as needed Each zone has an associated security level The security level represents the level of trust from low 0 to high 100 Default ...

Page 205: ... trusted zone This security level is used exclusively for VPN connections All traffic is encrypted VPN SSLVPN Public 50 Higher level of trust than a guest zone but a lower level of trust than a VPN zone DMZ Guest 25 Higher level of trust than an untrusted zone but a lower level of trust than a public zone GUEST Untrusted 0 Lowest level of trust By default the WAN1 interface is mapped to the WAN zo...

Page 206: ...le displays the default access control settings for traffic between the zones in the same or different security levels If you want to alter the default behaviors for example allowing some inbound access to your network WAN to LAN or blocking some outbound traffic from your network LAN to WAN you must create firewall rules Use the Default Policies page to view the default firewall behaviors for all...

Page 207: ...l settings in your VPN configurations The VPN firewall rules cannot be edited in the Firewall Access Control ACL Rules page To edit the zone access control settings in your VPN configurations go to the VPN pages All firewall rules are sorted by the priority The custom firewall rules have the highest priority The VPN firewall rules have higher priorities than the default firewall rules but lower th...

Page 208: ...riority You can reorder the custom firewall rules by the priority You can move a rule up move a rule down or move it to a specified location in the list To move the rule up one position click the Move up icon To move the rule down one position click the Move down icon To move the rule to a specific location click the Move icon and enter the target index number to move the selected rule to For exam...

Page 209: ... page 212 To permit traffic access choose Permit To deny traffic access choose Deny To increase the Hit Count number by one when the packet hits the firewall rule choose Accounting To view the type of a firewall rule point your mouse cursor to the Detail icon To set the values in the Hit Count column for all firewall rules to zero click Reset To manually refresh the data in the table click Refresh...

Page 210: ...ect To maintain the service and service group objects go to the Networking Service Management page See Service Management page175 Source Address Choose an existing address or address group as the source address or network that is covered by this firewall rule Destination Address Choose an existing address or address group as the destination address or network that is covered by this firewall rule ...

Page 211: ...event spoofing See Configuring IP MAC Binding to Prevent Spoofing page 238 Allow or block the websites that contain specific domains or URL keywords See Configuring Content Filtering to Control Internet Access page 233 Configuring a Firewall Rule to Allow Multicast Traffic By default multicast traffic from Any zone to Any zone is blocked by the firewall To enable multicast traffic you must first u...

Page 212: ...s Choose ANY for this firewall rule Source Address Choose ANY as the source address Destination Address Choose the predefined multicast address called IPv4_Multicast as the destination address Schedule Choose Always On for this firewall rule Log Click Off for this firewall rule We recommend that you disable the Log feature for a multicast firewall rule Match Action Choose Permit to allow access ST...

Page 213: ...ll logs Choose Firewall from the Log Facility drop down list to view firewall logs You can filter firewall logs by the severity level or by the source and destination IP addresses See Viewing Logs page 392 Configuring NAT Rules to Securely Access a Remote Network Network Address Translation NAT enables private IP networks to connect to the Internet NAT replaces a private IP address with a public I...

Page 214: ...NAT Hairpinning page 224 NOTE For detailed NAT configuration examples see Firewall and NAT Rule Configuration Examples page 226 Viewing NAT Translation Status Use the NAT Status page to view information for all NAT rules If one page cannot show all NAT entries choose the page number from the drop down list to view the NAT entries on another page Firewall NAT NAT Status Field Description Original S...

Page 215: ...rt Forwarding 4 Port Triggering Outbound Traffic For an outbound packet the security appliance will perform NAT after a forwarding decision is made and will use the following order of precedence for various types of rules 1 Advanced NAT 2 Static NAT 3 Dynamic PAT Translated Source Address IP address that the specified original source address is translated to Translated Destination Port Interface t...

Page 216: ...u can rely on the security of the firewall rules STEP 1 Click Firewall NAT Dynamic PAT STEP 2 Specify the PAT IP address for each WAN port Auto Automatically use the IP address of the WAN port as the translated IP address Manual Manually choose a single public IP address or a network address as the translated IP address from the IP Address drop down list If the address object that you want is not ...

Page 217: ...u create a static NAT rule that maps 192 168 75 100 to the WAN IP address 173 39 202 68 remote users will not have access to the configuration utility via http 173 39 202 68 8080 STEP 1 Click Firewall NAT Static NAT STEP 2 To add a static NAT rule click Add Other options To edit an entry click the Edit pencil icon To delete an entry click the Delete x icon To delete multiple entries check them and...

Page 218: ...ly To open an internal FTP server to the Internet make sure that the FTP server is listening on TCP port 21 or both the FTP server and client must use the active mode when the FTP server is listening on some other TCP port Otherwise the FTP client cannot access the FTP server STEP 1 Click Firewall NAT Port Forwarding STEP 2 To enable a port forwarding rule check the box in the Enable column STEP 3...

Page 219: ... objects go to the Networking Address Management page See Address Management page 173 WAN Choose either WAN1 or WAN2 or both as the incoming WAN port WAN IP Specify the public IP address of the server You can use the IP address of the selected WAN port or a public IP address that is provided by your ISP When you choose Both as the incoming WAN port this option is grayed out Enable Port Forwarding ...

Page 220: ...You can specify a port triggering rule by defining the type of traffic TCP or UDP and the range of incoming and outgoing ports to open when enabled NOTE Up to 15 port triggering rules can be configured on the security appliance Port triggering is not appropriate for servers on the LAN since the LAN device must make an outgoing connection before an incoming port is opened In this case you can creat...

Page 221: ... enable an advanced NAT rule check the box in the Enable column STEP 3 To add a new advanced NAT rule click Add Other options To edit an entry click the Edit pencil icon To delete an entry click the Delete x icon To delete multiple entries check them and click Delete The Advanced NAT Rule Add Edit window opens STEP 4 Enter the following information Name Enter the name for the advanced NAT rule Ena...

Page 222: ...t page 173 If the service that you want is not in the list choose Create a new service to create a new service object To maintain the service objects go to the Networking Service Management page See Service Management page175 STEP 5 Click OK to save your settings STEP 6 Click Save to apply your settings STEP 7 Firewall rules must be configured to allow access so that advanced NAT rules can functio...

Page 223: ...a host address object with the IP 1 1 1 3 called PublicIP and then configure an advanced NAT rule as follows to open the HTTP server to the Internet Use Case The outbound interface To is set to a WAN port but the translated source IP address Translated Source Address is different with the public IP address of the selected WAN port For example you have provided a static IP address 1 1 1 3 The secur...

Page 224: ... at LAN side to access internal servers by using their respective external IP addresses public IP addresses This section provides a configuration example about how to create an advanced NAT rule to support NAT hairpinning STEP 1 Go to the Networking Address Management page to create a host address object with the IP 192 168 10 100 called FTPServer The FTP server locates in the LAN zone STEP 2 Go t...

Page 225: ... Advanced NAT page to create an advanced NAT rule as follows Original Service FTP CONTROL Translated Service FTP CONTROL Translated IP FTPServer WAN WAN1 WAN IP WAN1_IP Enable Port Forwarding On Create Firewall Rule On From Zone WAN To Zone LAN Services FTP CONTROL Source Address ANY Destination Address FTPServer Match Action Permit From DEFAULT To Any Original Source Address DEFAULT_NETWORK Origi...

Page 226: ...ocking Outbound Traffic to an Offsite Mail Server page 232 Allowing Inbound Traffic Using the WAN IP Address Use Case You host a FTP server on your LAN You want to open the FTP server to Internet by using the IP address of the WAN1 port Inbound traffic is addressed to your WAN1 IP address but is directed to the FTP server Solution Perform the following tasks to complete the configuration STEP 1 Go...

Page 227: ... ACL Rules page to create a firewall rule as follows to allow access Original Service FTP CONTROL Translated Service FTP CONTROL Translated IP InternalFTP WAN WAN1 WAN IP WAN1_IP Enable Port Forwarding On From WAN1 To DEFAULT Original Source Address ANY Original Destination Address WAN1_IP Original Services FTP CONTROL Translated Source Address ANY Translated Destination Address InternalFTP Transl...

Page 228: ...ng the specified public IP address Solution 1 Perform the following tasks to complete the configuration STEP 1 Go to the Networking Address Management page to create a host address object with the IP 192 168 12 101 called RDPServer and a host address object with the IP 172 39 202 102 called PublicIP STEP 2 Go to the Networking Service Management page to create a TCP service object with the port 33...

Page 229: ...low access NOTE When you create the port forwarding rule you can check Create Firewall Rule to automatically generate the firewall rule Solution 2 For this use case you can use the DMZ Wizard to complete the configuration From WAN1 To DMZ Original Source Address ANY Original Destination Address PublicIP Original Services RDP Translated Source Address ANY Translated Destination Address RDPServer Tr...

Page 230: ...DMZ Service page create a DMZ service as follows STEP 4 Click Finish to apply your settings STEP 5 A firewall rule will be automatically generated as follows to allow access Name DMZ IP 192 168 12 1 Netmask 255 255 255 0 Port GE6 Zone DMZ Original Service RDP Translated Service RDP Translated IP RDPServer WAN WAN1 WAN IP PublicIP Enable DMZ Service On Create Firewall Rule On From Zone WAN To Zone ...

Page 231: ...sses Solution Perform the following tasks to complete the configuration STEP 1 Go to the Networking Address Management page to create an address object with the range 132 177 88 2 to 132 177 88 254 called OutsideNetwork and a host address object with the IP 192 168 75 110 called InternalIP STEP 2 Go to the Firewall NAT Port Forwarding page to create a port forwarding rule as follows STEP 3 Go to t...

Page 232: ...to define the time period when the firewall rule is in effect Then create a firewall rule as follows Blocking Outbound Traffic to an Offsite Mail Server Use Case Block access to the SMTP service to prevent a user from sending email through an offsite mail server Solution Create a host address object with the IP address 10 64 173 20 called OffsiteMail and then create a firewall rule as follows Serv...

Page 233: ...page 233 Configuring Website Access Control List page 234 Mapping Content Filtering Policy Profiles to Zones page 235 Configuring Advanced Content Filtering Settings page 236 NOTE Enabling Firewall Content Filtering will disable Web URL Filtering Enabling Web URL Filtering will disable Firewall Content Filtering Configuring Content Filtering Policy Profiles A content filtering policy profile is us...

Page 234: ...t specified above area specify how to deal with the websites that are not specified in the list Permit them If you choose this option all websites not specified in the list are allowed Deny them If you choose this option all websites not specified in the list are blocked STEP 6 Click OK to save your settings STEP 7 Click Save to apply your settings Configuring Website Access Control List This sect...

Page 235: ...of a website that contains the keyword that you entered in the URL field For example if you enter yahoo in the URL field then it can match the websites such as www yahoo com tw yahoo com www yahoo com uk and www yahoo co jp Action Choose Permit to permit access or choose Block to block access STEP 3 Click OK to save your settings Mapping Content Filtering Policy Profiles to Zones Use the Policy to...

Page 236: ... Proxy Java ActiveX and Cookies By default all of them are permitted Proxy Check this box to block proxy servers which can be used to circumvent certain firewall rules and thus present a potential security gap Java Check this box to block Java applets that can be downloaded from pages that contain them ActiveX Check this box to prevent ActiveX applets from being downloaded through Internet Explore...

Page 237: ...and allow all others The MAC addresses in the list are blocked and all other MAC addresses not included in the list are permitted Allow MAC Addresses and block all others Only the MAC addresses in the list are permitted and all other MAC addresses not included in the list are blocked STEP 4 In the MAC Address Filtering Rules area specify the list of MAC addresses To add a MAC address click Add To ...

Page 238: ...inding rule click Add Other options To edit an entry click the Edit pencil icon To delete an entry click the Delete x icon To delete multiple entries check them and click Delete The IP MAC Binding Rule Add Edit window opens STEP 3 Enter the following information Name Enter the name for the IP MAC binding rule MAC Address Choose an existing MAC address object If the MAC address object that you want...

Page 239: ... attacks Block TCP Flood Check this box to drop all invalid TCP packets This feature protects your network from a SYN flood attack in which an attacker sends a succession of SYN synchronize requests to a target system It blocks all TCP SYN flood attacks more than 200 simultaneous TCP packets per second from the WAN ports STEP 3 In the LAN Security Checks section enter the following information Blo...

Page 240: ...ne that an echo storm intrusion event is occurring Enter a value from 0 to 65535 ping packets per second The default value is 15 ping packets per seconds A value of zero 0 indicates that the Echo Storm feature is disabled ICMP Flood Enter the number of ICMP packets per second including PING packets that will cause the security appliance to determine that an ICMP flood intrusion event is occurring ...

Page 241: ...as SIP or H 323 to operate properly through the security appliance If Voice over IP VoIP is used in your organization you should enable H 323 ALG or SIP ALG to open the ports necessary to allow the VoIP through your voice device The ALGs are created to work in a NAT environment to maintain the security for privately addressed conferencing equipment protected by your voice device You can use both H...

Page 242: ...al time point to point and multipoint communication between client computers over a packet based network that does not provide a guaranteed quality of service Check this box to enable H 323 ALG support or uncheck this box to disable this feature FTP Support on TCP port Check the box to enable FTP support or uncheck the box to disable the this feature Then choose a listening port The default port i...

Page 243: ...ing Security Services page 245 Priority of Security Services page 245 Security Services Dashboard page 246 Viewing Security Services Reports page 247 Configuring Anti Virus page 254 Configuring Application Control page 261 Configuring Spam Filter page 271 Configuring Intrusion Prevention page 273 Configuring Web Reputation Filtering page 277 Configuring Web URL Filtering page 279 Network Reputatio...

Page 244: ...age 261 Spam Filter Spam Filter detects the email sender s reputation score If the reputation score is below the threshold then the email is blocked or tagged as spam or suspected spam See Configuring Spam Filter page 271 Intrusion Prevention IPS IPS monitors network traffic for malicious or unwanted behaviors and can react in real time to block or prevent those activities See Configuring Intrusio...

Page 245: ...ense You can find the license code from the Software License Claim Certificate that Cisco provides upon purchase of the security appliance Make sure that the security license is installed and does not expire before you configure security services Go to the Device Management License Management page to validate the security license or to renew the security license before it expires See Installing or...

Page 246: ...security services click Check for Updates Now For signature based security services such as Anti Virus Application Control and IPS clicking this button will check for signature updates from Cisco s signature server Anti Virus and IPS use different signature database but IPS and Application Control use the same signature database This operation will check for signature updates for all of them at a ...

Page 247: ...Click On to support such as Scansafe and third party outbound web proxies or click Off to disable it NOTE When the external web proxy feature is enabled the Firewall QoS Web URL Filtering and Web Reputation Filtering settings will not work or be skipped for HTTP traffic Redirected Web Proxy IP Address Enter the IP address of the external web proxy used to redirect HTTP traffic Redirected HTTP Port...

Page 248: ...locked Requests Check this box to display the number of websites blocked by Web URL Filtering and or Web Reputation Filtering in the graph To view more information about blocked requests click the red bar in the graph A pop up window displays the following information for each blocked request the date and the time the IP address and the MAC address of the host that initiated the request the web si...

Page 249: ... window displays the following information for each detected request the date and the time the IP address and the MAC address of the source and of the destination the protocol used for the connection the action taken and the number of times a virus was found Processed Requests Check this box to display the number of files checked by the Anti Virus service in the graph STEP 2 Click Save to apply yo...

Page 250: ...ed Requests Check this box to display the number of emails checked by the Spam Filter service in the graph STEP 2 Click Save to apply your settings Total Since Activated Total number of files checked and total number of viruses detected since the Anti Virus service was activated Total Last 7 Days Total number of files checked and total number of viruses detected in last seven days Total Today Tota...

Page 251: ...to display the number of packets checked by the Network Reputation service in the graph STEP 2 Click Save to apply your settings Total Last 7 Days Total number of emails checked and total number of spam or suspected spam emails detected in last seven days Total Today Total number of emails checked and total number of spam or suspected spam emails detected in one day Graph Total number of emails ch...

Page 252: ...e IP address and the MAC address of the source and of the destination the action taken and the number of times that this event was detected Processed Requests Check this box to display the number of packets detected by the IPS service in the graph STEP 2 Click Save to apply your settings Total Today Total number of packets checked and total number of packets blocked in one day Graph Total number o...

Page 253: ...wing information for each blocked request the date and time the IP address and the MAC address of the host that initiated the request the blocked application and the number of times that the application was blocked Processed Requests Check this box to display the number of packets detected by the Application Control service in the graph STEP 2 Click Save to apply your settings Graph Total number o...

Page 254: ...nt types of traffic You can choose to drop the connection delete the infected files and or send an alert email to the email receiver if viruses are detected Because files containing malicious code and viruses can be compressed Anti Virus can automatically decompress the compressed files and then scan the viruses Anti Virus supports scanning single level compressed files for these file types zip gz...

Page 255: ...Choose this option to scan the viruses for all incoming and outgoing traffic for the WAN zone WAN VPN Zone Choose this option to scan the viruses for all incoming and outgoing traffic for both WAN and VPN zones All Zone Choose this option to scan the viruses for all incoming and outgoing traffic for all zones STEP 4 In the Applications to Scan area perform the following tasks to scan for viruses o...

Page 256: ...he user when viruses are detected in web pages or in files that the user tries to access Notify Drop Connection Drop the connection and send an alert message to the user when viruses are detected in web pages or in files that the user tries to access Disable HTTP Resume Optionally check this box to disable resuming web based file transfer by using the HTTP protocol when viruses are detected NOTE I...

Page 257: ...ge 259 POP3 Email Attachments None No action is required when viruses are detected Notify Send the original email and an alert email to the email receiver when viruses are detected in email attachments Notify Destruct File Delete the infected files and send the original email and an alert email to the email receiver when viruses are detected in email attachments NOTE If you choose Notify or Notify...

Page 258: ...ting 0 to indicate that there is no limit on the file size NOTE For compressed files Anti Virus will scan each file after decompression and bypass virus scanning for the files larger than the maximum file size STEP 3 For each protocol make the desired selections HTTP Check the Optimize Performance box to suspend the Anti Virus scan for websites with a good reputation Uncheck the box to scan all si...

Page 259: ... Notification Email Notification allows you to send an alert email to the email receiver when viruses are detected in email attachments Use the Email Notification page to customize the tag and notification message that are displayed in the alert email STEP 1 Click Security Services Anti Virus Email Notification The Email Notification window opens The following information is displayed Email Notifi...

Page 260: ...signature updates from Cisco s signature server every 24 hours or to manually check for Anti Virus signature updates at any time by clicking Update When a newer signature file is available on the server the new signature file will be downloaded to your device NOTE A valid Cisco com account is required to check for signature updates from Cisco s signature server Go to the Device Management Cisco Se...

Page 261: ...ication Control Application Control monitors traffic through the Cisco ISA500 to permit or block traffic for individual applications and categories of applications For some applications you can permit or block certain features or functions of the application Important Read the information in this guide to understand the features required tasks and recommendations before you implement this service ...

Page 262: ...ol uses signatures to identify and block the applications You must update the application signatures frequently so that Application Control can identify the latest applications See Updating Application Signature Database page 269 Refer to the following topics General Application Control Policy Settings page 262 Adding an Application Control Policy page 263 Permitting or Blocking Traffic for all Ap...

Page 263: ...ons at a specific time of a day or at the specified days of a week If the schedule that you want is not in the list choose Create a new schedule to add a new schedule object To maintain the schedules go to the Device Management Schedules page See Configuring Schedules page 399 STEP 3 The security appliance supports a long list of applications You can use the table filter settings to filter the app...

Page 264: ...e settings for each application in the category You must first choose keep application level settings for the Action and Logging options of the category and then click the Edit pencil icon in the Configure column for the application For complete details see Permitting or Blocking Traffic for an Application page 265 STEP 6 Click OK to save your settings Permitting or Blocking Traffic for all Applic...

Page 265: ... logs to the remote syslog server if you have a remote syslog server support you must enable the Log feature specify the Remote Log settings and enable the Remote Log settings for the Application Control facility NOTE Changing the category default settings will override the application level settings for all applications in the category STEP 3 Click OK to save your settings Permitting or Blocking ...

Page 266: ...er function Check this box and then specify the action for each feature or function of the application NOTE When the action for the application is set as Deny this feature will be grayed out STEP 3 Click OK to save your settings General Application Control Settings Use the Application Control Settings page to enable the Application Control feature apply the application control policies to differen...

Page 267: ...Policies to Zones You can apply different application control policies to different zones You can have multiple policies within a given zone for a different set of users By default the default application control policy that permits traffic for all applications is selected to all zones STEP 1 Click Security Services Application Control Application Control Settings STEP 2 In the Zone Mapping area y...

Page 268: ...tion control policies before you configure the policy mapping rules See Configuring Application Control Policies page 262 STEP 1 Click Add Mapping Rule to add a new application control policy mapping rule The Application Control Policy Mapping Add Edit window opens STEP 2 Enter the following information Zone Choose an existing zone to control application traffic from and to the selected zone This ...

Page 269: ...lly update the application signatures through the Configuration Utility A valid Cisco com account is required to check for signature updates from Cisco s signature server Go to the Device Management Cisco Services Support Cisco com Account page to configure your Cisco com account credentials on the security appliance See Configuring Cisco com Account page 374 NOTE Application Control and IPS use t...

Page 270: ...able the detection for each application STEP 1 Click Security Services Application Control Application Control Advanced Settings The Application Control Advanced Settings window opens STEP 2 The security appliance supports a long list of applications You can use the table filter settings to filter the applications in the table and then specify the detection settings for all selected applications C...

Page 271: ...as suspected spam if the sender s reputation is between the spam threshold and suspected spam threshold An email is not classified as spam if the sender s reputation is above the suspected spam threshold Spam Filter detects spam emails based on the reputation score of the sender s IP address The sender s address is the address of the host that connects to the SMTP server to deliver an email messag...

Page 272: ...ustom Manually set the spam reputation threshold When the Custom radio button is selected choose the threshold values for spam and suspected spam The allowable values for the threshold are integers from 10 to 1 and the value 0 5 STEP 4 In the Allowed Senders area you can specify the email sender exceptions against your Spam Filter settings Traffic from the specified hostnames or IP addresses will ...

Page 273: ...he IPS report from the Security Services Security Services Reports page or from the Status Security Services Reports page to see the number of packets detected and the number of packets dropped by IPS See Viewing IPS Report page 252 Enable the IPS Alert feature to send an alert email to a specified email address if an attack is detected by IPS See Configuring Email Alert Settings page 358 NOTE You...

Page 274: ... signatures regardless of the type of operating system or choose Selected OS Types Only to include only the signatures that match the specified types of operation systems Host Type Choose a host type Category Choose All to include all signatures regardless of the category or choose Selected Categories Only to include only the signatures that match the specified categories The Selected Signature ta...

Page 275: ...ck Save to apply your settings Configuring Signature Actions After selecting one or more signatures on the Security Services Intrusion Prevention IPS IPS Policy and Protocol Inspection page use the Edit Selected Signature Actions page to enable or disable the selected signatures and to configure the actions STEP 1 Enter the following information Enable detection of selected signatures Check this b...

Page 276: ...er on a weekly basis or manually check for signature updates at any time by clicking Check for Update Now If a newer signature file is available the new signature file will be automatically downloaded to your device You can also first download the latest signature file from Cisco s signature server to your local PC and then manually update the IPS signatures through the Configuration Utility A val...

Page 277: ...ces Dashboard page to manually update the IPS signatures STEP 5 To manually update the IPS signatures from your local PC perform the following steps a You must first download the signature file from Cisco s signature server to your local PC b In the Manually Update Signature Database area click Browse to locate and select the signature file from your local PC c Click Update Database Configuring We...

Page 278: ...eshold value is 4 Custom Manually set the web reputation threshold When the Custom radio button is selected choose the threshold value from the drop down list The available values for the threshold are integers from 10 to 1 and the value 0 5 STEP 4 In the Allowed Web Sites area you can specify the website exceptions against your Web Reputation Filtering settings The specified websites will not be ...

Page 279: ...gs Configuring Web URL Filtering Web URL Filtering allows you to block HTTP access to malicious websites based on URL categories You can allow or block an entire URL category to make configuration simpler You can also specify the website exceptions against the URL category settings For example you can block the websites that Web URL Filtering usually allows or allow the websites that Web URL Filte...

Page 280: ...ies to Block Check an URL category to block it or uncheck this box to permit it If an URL category is blocked or permitted all websites that belong to this category are blocked or permitted STEP 4 Specify the website exceptions if needed The website exceptions allow you to permit or block specific websites against the URL category settings All website exceptions can be added to the website access ...

Page 281: ...o enable the website access rule or click Off to create only the website access rule URL Enter the domain name or URL keyword of a website that you want to permit or block Match Type Specify the method for applying this rule Domain Permit or deny the HTTP access of a website that fully matches the domain name that you entered in the URL field For example if you enter yahoo com in the URL field the...

Page 282: ...choose a Web URL Filtering policy for each zone STEP 4 Click Save to apply your settings Configuring Advanced Web URL Filtering Settings STEP 1 Click Security Services Web URL Filtering Advanced Settings STEP 2 Enter the following information Filter Traffic on HTTP port Enter the port number that is used for filtering HTTP traffic Web URL Filtering only monitors and controls the website visits thr...

Page 283: ... If you choose this option the message that you specify in the Blocked URL Message field will show on the default block page Redirect URL Redirects to a specified web page when a web page is blocked If you choose this option enter a desired URL to be redirected Make sure that the specified URL is allowed by the Website Access Control List STEP 5 Click Save to apply your settings Network Reputation...

Page 284: ...cess your network resources It includes the following sections About VPNs page 285 Viewing VPN Status page 286 Configuring a Site to Site VPN page 290 Configuring IPsec Remote Access page 305 Configuring Teleworker VPN Client page 313 Configuring SSL VPN page 322 Configuring L2TP Server page 334 Configuring VPN Passthrough page 336 To access the VPN pages click VPN in the left hand navigation pane...

Page 285: ...lso terminate the VPN connections initiated by remote VPN clients This flexibility allows mobile and remote users to access critical data and applications on corporate Intranet See Configuring IPsec Remote Access page 305 Teleworker VPN Client Minimizes the configuration requirements at remote locations by allowing the security appliance to work as a Cisco VPN hardware client to receive the securi...

Page 286: ...e data VPN VPN Status IPsec VPN Status Field Description Active Sessions To manually terminate an active IPsec VPN session click the Disconnect icon in the Connect column To manually terminate multiple active IPsec VPN sessions check them and click the Disconnect button If an IPsec VPN session is terminated you can manually establish the VPN connection by clicking the Connect icon in the Connect c...

Page 287: ...of the remote network Statistics Name VPN policy used for an IPsec VPN session VPN Type VPN connection type for an IPsec VPN session WAN Interface WAN port used for an IPsec VPN session Remote Gateway IP address of the remote peer Tx Bytes Volume of traffic in kilobytes transmitted from the VPN tunnel Rx Bytes Volume of traffic in kilobytes received from the VPN tunnel Tx Packets Number of IP pack...

Page 288: ...address and netmask for the specified split subnets Split DNS Domain name for the specified split DNS Backup Server 1 2 3 IP address or hostname for the specified backup servers Field Description Field Description Active Sessions To manually terminate an active SSL VPN session click the Disconnect icon in the Configure column To manually terminate multiple active SSL VPN sessions check them and cl...

Page 289: ... number of bytes in the CSTP frames sent to all clients Out CSTP Data Number of CSTP data frames sent to all clients Out CSTP Control Number of CSTP control frames sent to all clients In the Session Statistics table the following information for each SSL VPN session is displayed To clear the statistic information for a single SSL VPN session click Clear in the Configure column To clear the statist...

Page 290: ... control frames and data frames Control frames implement control functions within the protocol Data frames carry the client data such as the tunneled payload Configuring a Site to Site VPN A site to site VPN tunnel connects two routers to secure traffic between two sites that are physically separated Figure 3 Site to Site VPN Out CSTP Bytes Total number of bytes in the CSTP frames sent to the clie...

Page 291: ... the pre shared key for authentication See Managing Certificates for Authentication page 368 Enable the site to site VPN feature on the security appliance See General Site to Site VPN Settings page 292 Configure IKE policies See Configuring IKE Policies page 299 Configure transform policies See Configuring Transform Sets page 301 Configure IPsec VPN policies See Configuring IPsec VPN Policies page...

Page 292: ...mote peer IKE The IKE policy used for the IPsec VPN policy Transform The transform set used for the IPsec VPN policy STEP 2 Click On to enable site to site VPN or click Off to disable it NOTE Enabling the Site to Site VPN feature will disable the Teleworker VPN Client feature STEP 3 If you enable site to site VPN perform the following actions To add a new IPsec VPN policy click Add See Configuring...

Page 293: ...elete multiple entries check them and click Delete The IPsec Policies Add Edit window opens STEP 3 In the Basic Settings tab enter the following information Description Enter the name for the IPsec VPN policy IPsec Policy Enable Click On to enable the IPsec VPN policy or click Off to create only the IPsec VPN policy Remote Type Specify the remote peer Static IP Choose this option if the remote pee...

Page 294: ...g Certificates for Authentication page 368 WAN Interface Choose the WAN port that traffic passes through over the IPsec VPN tunnel Local Network Choose the IP address for the local network If you want to configure the zone access control settings for site to site VPN choose Any for the local network Then you can control incoming traffic from remote VPN network to the zones over the VPN tunnels Rem...

Page 295: ...t Enter the value of detection timeout in seconds If no response and no traffic over the timeout declare the peer dead The default value is 30 seconds DPD Action Choose one of the following actions over the detection timeout Hold Traffic from your local network to the remote network can trigger the security appliance to re initiate the VPN connection over the detection timeout We recommend that yo...

Page 296: ...lect a translated address object for the local network Translates Remote Network To translate the remote network select a translated address object for the remote network If the address object that you want is not in the list choose Create a new address to add a new address object or choose Create a new address group to add a new address group object To maintain the address or address group object...

Page 297: ...e 172 19 x x NOTE This configuration only allows the two networks to communicate It does not allow for Internet connectivity You need additional paths to the Internet for connectivity to locations other than the two sites in other words you need to add another router or firewall on each side with multiple routes configured on the hosts IKE Policy Choose the IKE policy used for the IPsec VPN policy...

Page 298: ...Gateway Click On to enable Redundant Gateway or click Off to disable it If you enable Redundant Gateway when the connection of the remote gateway fails the backup connection automatically becomes active A backup policy comes into effect only if the primary policy fails Select Backup Policy Choose a policy to act as a backup of this policy Fallback Time to switch from back up to primary Enter the n...

Page 299: ...define the security parameters such as authentication of the peer encryption algorithms and so forth to be used for a VPN tunnel NOTE Up to 16 IKE policies can be configured on the security appliance STEP 1 Click VPN Site to Site IKE Policies The IKE Policies window opens The default and custom IKE policies are listed in the table STEP 2 To add a new IKE policy click Add Other options To edit an e...

Page 300: ...ust be configured in order for the RSA Signature to work D H Group Choose the Diffie Hellman group identifier which the two IPsec peers use to derive a shared secret without transmitting it to each other The D H Group sets the strength of the algorithm in bits The lower the Diffie Hellman group number the less CPU time it requires to be executed The higher the Diffie Hellman group number the great...

Page 301: ... The Transform Set Add Edit window opens STEP 3 Enter the following information Name Enter the name for the transform set Integrity Choose the HASH algorithm used to ensure the data integrity It ensures that a packet comes from where it says it comes from and that it has not been modified in transit ESP_SHA1_HMAC Authentication with SHA1 160 bit ESP_MD5_HMAC Authentication with MD5 128 bit MD5 has...

Page 302: ...N settings on the UC500 CCA MSM uses the default IKE policy and transform set In this case the security appliance must create an IPsec VPN policy as follows to establish the site to site VPN tunnel with the UC500 ISA500 IP Phone IP UC500 IP Phone IP site to site VPN 283881 Field Setting Remote Network Choose an address group that includes multiple subnets on the UC500 NOTE By default three VLANs 1...

Page 303: ...ork you must disable those functions on the UC500 For instructions refer to the documentation or online Help for the Cisco Configuration Assistant CCA To allow the hosts in non native subnets of the security appliance to access the Internet over the VPN tunnels you must manually create advanced NAT rules on your security appliance Go to the Firewall NAT Advanced NAT page to do this For example you...

Page 304: ...n NOTE You can choose the Create a new address option from the drop down list to create an address object for the data LAN 10 25 1 0 24 behind the UC500 and then select it as the original source address Original Destination Address Any Original Services Any Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any ...

Page 305: ...nd users Figure 5 IPsec Remote Access with the Cisco VPN Client Software or a Cisco Device as a Cisco VPN Hardware Client NOTE When the security appliance is acting as an IPsec VPN server the following IKE policy and transform set are used by default The IKE policy and transform set used on the security appliance are unconfigurable 283054 Inside 10 10 10 0 Outside DNS Server 10 10 10 163 WINS Serv...

Page 306: ...x or 5 x The Cisco VPN Client software is an IPsec client software for Windows Mac or Linux users The Cisco VPN Client software is compatible with the following platforms Windows 7 32 bit and 64 bit Windows Vista 32 bit and 64 bit Windows XP 32 bit Linux Intel 2 6 x kernel Mac OS X 10 5 and 10 6 You can find the software installers for Cisco VPN Client from the CD that is packed with the device Th...

Page 307: ... IPsec Remote Access feature and hence set the security appliance as an IPsec VPN server or click Off to disable it NOTE Enabling the IPsec Remote Access feature will disable the Teleworker VPN Client feature STEP 3 Click Save to apply your settings Configuring IPsec Remote Access Group Policies An IPsec Remote Access group policy is used by remote VPN clients to establish the VPN connections NOTE...

Page 308: ... imported on your security appliance before choosing this option Go to the Device Management Certificate Management page to import the CA certificates See Managing Certificates for Authentication page 368 Mode The Cisco VPN hardware client supports NEM Network Extension Mode and Client mode The IPsec Remote Access group policy must be configured with the corresponding mode to allow only the Cisco ...

Page 309: ...sh the VPN connections STEP 4 In the Zone Access Control tab you can control access from the PC running the Cisco VPN Client software or the private network of the Cisco VPN hardware client to the zones over the VPN tunnels Click Permit to permit access or click Deny to deny access NOTE The VPN firewall rules that are automatically generated by the zone access control settings will be added to the...

Page 310: ...gh the VPN tunnel to domains served by the corporate DNS To add a domain enter the Domain name that should be resolved by your network s DNS server and then click Add To delete a domain select it from the list and click Delete NOTE To use Split DNS you must also enable the split tunneling feature and specify the domains The Split DNS feature supports up to 10 domains STEP 6 Click OK to save your s...

Page 311: ...nced NAT rule as follows STEP 3 If two WAN interfaces are configured go to the Firewall NAT Advanced NAT page to create two advanced NAT rules as follows Mode Client Pool Range for Client LAN Start IP 192 168 3 2 End IP 192 168 3 254 Client Internet Access Disable WAN Failover On Field Setting Field Setting Name VPNClient_to_WAN1 Enable On From Any To WAN1 Original Source Address EZVPN_VPNGroup1 O...

Page 312: ...Original Source Address EZVPN_VPNGroup1 Original Destination Address Any Original Services Any Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any Field Setting Name VPNClient_to_WAN2 Enable On From Any To WAN2 Original Source Address EZVPN_VPNGroup1 Original Destination Address Any Original Services Any Translated Source Address WAN2_IP ...

Page 313: ... When the Teleworker VPN client initiates the VPN connection the IPsec VPN server pushes the IPsec policies to the Teleworker VPN client and creates the corresponding VPN tunnel This solution is ideal for remote offices with little IT support or for large Customer Premises Equipment CPE deployments where it is impractical to configure multiple remote devices individually Figure 6 IPsec Remote Acce...

Page 314: ...ettings page 318 Configuring Teleworker VPN Client Group Policies page 319 Required IPsec VPN Servers The Teleworker VPN Client feature requires that the destination peer is an ISA500 device acting as the IPsec VPN server or a Cisco IOS router such as C871 C1801 C1812 C1841 and C2821 or a Cisco ASA5500 platform that supports the IPsec VPN server feature The Teleworker VPN Client feature supports c...

Page 315: ... based software VPN clients external hardware based VPN solutions and other VPN applications Sets up a single IPsec tunnel regardless of the number of multiple subnets that are supported and the size of the split include list Modes of Operation The Teleworker VPN Client feature sets the security appliance as a Cisco VPN hardware client The Cisco VPN hardware client supports two operation modes Cli...

Page 316: ...vides access to two PCs which have IP addresses in the 10 0 0 0 private network space These PCs connect to the Ethernet interface on the security appliance and the server assigns an IP address 192 168 101 2 to the security appliance The security appliance performs NAT or PAT translation over the VPN tunnel so that the PCs can access the destination network When accessing the remote network 192 168...

Page 317: ...te IPsec VPN server The hosts attached to the security appliance have IP addresses in the 10 0 0 0 private network space The server does not assign an IP address to the security appliance and the security appliance does not perform NAT or PAT translation over the VPN tunnel When accessing the remote network 192 168 100 x the hosts 10 0 0 3 and 10 0 04 will not be translated and the hosts in the re...

Page 318: ... Interval field the security appliance then re initiates the VPN connection to the primary server This continues for the number of times that you set in the Retry Limit field or until the primary server is connected If the primary server cannot be connected after the specified number of times the security appliance tries to re initiate the VPN connection to the backup servers by following the spec...

Page 319: ...group policy name Pre shared key or digital certificates for IKE authentication NOTE Up to 16 Teleworker VPN Client group policies can be configured on the security appliance You can create multiple group polices to connect to different VPN servers but only one VPN connection can be active at a time STEP 1 Click VPN Teleworker VPN Client STEP 2 To add a group policy click Add Other Options To edit...

Page 320: ...Local Certificate drop down list and select the CA certificate used on the remote IPsec VPN server as the remote certificate from the Peer Certificate drop down list for authentication NOTE You must have valid CA certificates imported on your security appliance before choosing this option Go to the Device Management Certificate Management page to import the CA certificates See Managing Certificate...

Page 321: ...TEP 5 In the Advanced Settings tab enter the following information Backup Server 1 2 3 Enter the IP address or hostname for the backup server You can specify up to three servers as backup When the connection to the primary IPsec VPN server fails the security appliance can initiate the VPN connection to the backup servers The backup server 1 has the highest priority and the backup server 3 has the ...

Page 322: ... different from the Active Connection on Startup feature It is used to activate the connection immediately after the settings are saved but the Activate Connection on Startup feature is used to activate the connection when the security appliance starts up STEP 8 Click Save to apply your settings Configuring SSL VPN SSL VPN is a flexible and secure way to extend network resources to virtually any r...

Page 323: ...onfiguring SSL VPN Group Policies page 329 Accessing SSL VPN Portal page 332 Allowing SSL VPN Clients to Access the Internet page 332 NOTE We do not recommend that you connect a PC or a phone device directly to a WAN port of the security appliance to establish the SSL VPN connection between them Elements of the SSL VPN Several elements work together to support SSL VPN SSL VPN Users Create your SSL...

Page 324: ... complete below configuration tasks to establish the SSL VPN tunnel Download and install the Cisco AnyConnect Secure Mobility Client software on remote user s PC See Installing Cisco AnyConnect Secure Mobility Client page 325 Optional Import the certificates to your security appliance used for user authentication See Importing Certificates for User Authentication page 326 Enable the SSL VPN featur...

Page 325: ...packages for Windows Mac OS X and Linux Choose correct AnyConnect package from the CD to download depending on your operating system You can also download the Cisco AnyConnect Secure Mobility Client software by going to this site http www cisco com cisco software type html mdfid 283000185 catid null You must log in and possess a valid service contract in order to access the Cisco AnyConnect Secure...

Page 326: ... specify different SSL VPN group policies for them Specifying a SSL VPN group policy for a user group can enable the SSL VPN service for all members of the user group For complete details see Configuring Users and User Groups page 339 According to the user authentication settings specified on the security appliance the SSL VPN users can be authenticated by the local database or external AAA server...

Page 327: ...ress pool for all remote clients The client is assigned an IP address by the SSL VPN gateway NOTE Configure an IP address range that does not directly overlap with any of addresses on your local network Client Netmask Enter the IP address of the netmask used for SSL VPN clients The client netmask can only be one of 255 255 255 0 255 255 255 128 and 255 255 255 192 The Client Address Pool is used w...

Page 328: ...Gateway DPD Timeout Enter the DPD timeout that a session will be maintained with a nonresponsive SSL VPN gateway The default value is 300 seconds NOTE If the SSL VPN gateway has no response over two or three times of the DPD timeout the SSL VPN session will be terminated Keep Alive Enter the interval in seconds at which the SSL VPN client will send keepalive messages These messages ensure that the...

Page 329: ... be deleted The SSL VPN Group Policy Add Edit window opens STEP 3 In the Basic Settings tab enter the following information Policy Name Enter the name for the SSL VPN group policy Primary DNS Enter the IP address of the primary DNS server Secondary DNS Enter the IP address of the secondary DNS server Primary WINS Enter the IP address of the primary WINS server Secondary WINS Enter the IP address o...

Page 330: ...from the host is directed through the VPN tunnel Check this box to enable the split tunneling feature so that the VPN tunnel is used only for traffic that is specified by the client routes Split Selection Choose one of the following options Include Traffic Allows you to add the client routes on the SSL VPN client so that only traffic to the destination networks can be redirected through the VPN tu...

Page 331: ...rporate com would go through the VPN tunnel to the DNS that serves the private network while a query for a packet destined for myfavoritesearch com would be handled by the ISP s DNS To use Split DNS you must also have split tunneling configured To add a domain for tunneling packets to destinations in the private network enter the IP address or domain name in the field and click Add To delete a dom...

Page 332: ...he entire address pair Gateway IP address Gateway port number in the address bar to access the SSL VPN portal Allowing SSL VPN Clients to Access the Internet Enabling Client Internet Access will automatically create advanced NAT rules to allow SSL VPN clients to access the Internet over SSL VPN tunnels This section provides an example of manually configuring advanced NAT rules to allow SSL VPN cli...

Page 333: ...page to create two advanced NAT rule as follows Enable On From Any To WAN1 Original Source Address SSLVPN_ADDRESS_POOL Original Destination Address Any Original Services Any Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any Field Setting Field Setting Name SSLVPN_to_WAN1 Enable On From Any To WAN1 Original Source Address SSLVPN_ADDRESS_POOL Original Desti...

Page 334: ...ommunicate with private corporate network servers L2TP uses PPP over UDP port 1701 to tunnel the data Translated Source Address WAN1_IP Translated Destination Address Any Translated Services Any Field Setting Field Setting Name SSLVPN_to_WAN2 Enable On From Any To WAN2 Original Source Address SSLVPN_ADDRESS_POOL Original Destination Address Any Original Services Any Translated Source Address WAN2_...

Page 335: ...that can be sent over the network The valid range is 128 to 1400 bytes The default value is 1400 bytes Authentication Method Choose either CHAP Challenge Handshake Authentication Protocol or PAP Password Authentication Protocol or both to authenticate the L2TP clients Click On to enable CHAP or PAP or click Off to disable it Address Pool The L2TP server assigns IP addresses to all L2TP clients Ent...

Page 336: ...fic that originates from VPN clients to pass through your security appliance Use this feature if there are devices behind your security appliance that need the IPSec tunnels to be set up independently such as connecting to another router on the WAN STEP 1 Click VPN VPN Passthrough The VPN Passthrough window opens STEP 2 Specify the type of traffic that can pass through the security appliance Field...

Page 337: ... pass through the security appliance or click Off to disable it Point to Point Tunneling Protocol PPTP Click On to allow PPTP tunnels to pass through the security appliance or click Off to disable it Internet Protocol Security IPsec Click On to allow IP security tunnels to pass through the security appliance or click Off to disable it STEP 3 Click Save to apply your settings ...

Page 338: ...ive User Sessions Use the Active User Sessions page to view information for all active user sessions that are currently logged into the security appliance This page is automatically updated every 10 seconds Click Refresh to manually refresh the data Click the Logout icon to terminate a web login user session or a VPN user session Users Active User Sessions Field Description User Name Name of the l...

Page 339: ...ator account cisco has full privilege to set the configuration and read the system status The default administrator account cannot be deleted For security purposes you must change the default administrator password at the first login See Changing the Default Administrator Password page 32 The default user group admin has the administrative web login access ability and enables the SSL VPN IPsec Rem...

Page 340: ...m the authentications in parallel when multiple services need to authenticate at the same time Preempt Administrators When an administrator attempts to log in while another administrator is logged in a warning message appears saying Another administrative user is logged into the application Do you want to take control of the session The other user will be logged out Click Yes to preempt the curren...

Page 341: ...user group to which the user belongs NOTE For a SSL VPN user make sure that the selected user group enables the SSL VPN service For an IPsec VPN user make sure that the selected user group enables the IPsec Remote Access service STEP 4 Click OK to save your settings Configuring Local User Groups A user group is used to create a logical grouping of users that share the same service policy Use the U...

Page 342: ...nable SSL VPN all members of the user group can establish the SSL VPN tunnels based on the selected SSL VPN group policy to securely access your network resources For more information about the SSL VPN group policy see Configuring SSL VPN Group Policies page 329 IPsec Remote Access Click Enable to enable the IPsec Remote Access service for the user group or click Disable to disable it If you enabl...

Page 343: ...e security appliance supports a local database that is stored on the security appliance and a variety of AAA server types such as RADIUS Lightweight Directory Access Protocol LDAP and Active Directory AD You can use the local database an AAA server or both to perform user authentication The local database supports up to 100 users so you need to use the AAA server for authentication if the number o...

Page 344: ...nd user group information and checks the user s credentials by using the Password Authentication Protocol PAP authentication scheme When a user authenticates the security appliance verifies the user s credentials through the RADIUS server The RADIUS server returns the authentication results to the security appliance For a valid RADIUS user the security appliance checks its user group service polic...

Page 345: ...is dropped RADIUS Servers Choose the RADIUS group index from the drop down list The RADIUS server settings of the selected group are displayed You can edit these settings here but the settings you specify will replace the default settings of the selected group To maintain the RADIUS server settings go to the Users RADIUS Servers page See Configuring RADIUS Servers page 351 STEP 5 In the RADIUS Use...

Page 346: ... groups Group1 Group2 and Group3 and the local database has two user groups Group1 and Group2 The following table displays the user group membership settings In the above table if the User1 in the RADIUS server belongs to the Group1 but the User1 in the local database belongs to the Group2 then the User1 will belong to the Group2 after the user passes the RADIUS authentication If the User1 does no...

Page 347: ...abase and RADIUS server to authenticate users who try to access the network When a user authenticates the security appliance first verifies the user s credentials through the RADIUS server The RADIUS server returns the authentication results to the security appliance For a valid RADIUS user the security appliance checks its user group service policy from the local database and permits access For a...

Page 348: ...ore timing out The default value is 5 seconds The security appliance will retry to log in to the LDAP server if there is no response from the LDAP server after the timeout For example if the server timeout is set as 5 seconds and there is no response from the LDAP server after 5 seconds the security appliance will then retry to log in to the LDAP server 5 seconds later Login Method Choose one of t...

Page 349: ...s if you have a specific LDAP scheme configuration Object Class The object class of the individual user account Login Name Attribute The attribute that is used for login authentication Qualified Login Name Attribute The attribute of a user object that sets an alternative login name for the user in name domain format User Group Membership Attribute The membership attribute that contains information...

Page 350: ...ck the up arrow or the down arrow NOTE All the above trees are given in the format of distinguished names cn Users dc ExampleCorporation dc com STEP 7 In the LDAP Users tab enter the following information Allow Only Users Listed Locally Click On to allow only the LDAP users who also are present in the local database to login or click Off to disable it Default LDAP User Group Choose a local user gr...

Page 351: ... edit the settings for a predefined RADIUS group click the Edit pencil icon The RADIUS Group Edit window opens STEP 3 Enter the following information Primary RADIUS Server IP Enter the IP address of the primary RADIUS server Primary RADIUS Server Port Enter the port number on the primary RADIUS server that is used to send the RADIUS traffic The default is 1812 Primary RADIUS Server Pre shared Key ...

Page 352: ...User Management Configuring RADIUS Servers Cisco ISA500 Series Integrated Security Appliances Administration Guide 352 9 STEP 6 Click Save to apply your settings ...

Page 353: ...page 355 Backing Up and Restoring a Configuration page 366 Managing Certificates for Authentication page 368 Configuring Cisco Services and Support Settings page 374 Backing Up and Restoring a Configuration page 366 Configuring System Time page 377 Configuring Device Properties page 378 Diagnostic Utilities page 378 Device Discovery Protocols page 380 Firmware Management page 384 Managing Security...

Page 354: ... to manually refresh the data Device Management System Status Processes Viewing Resource Utilization Use the Resource Utilization page to view information for the system s CPU and memory utilization Device Management System Status Resource Utilization Field Description Name Name of the process that is running on the security appliance Description Brief description for the running process Protocol ...

Page 355: ...onfiguring Email Alert Settings page 358 Configuring SNMP page 365 CPU Usage by Kernel CPU resource currently used by kernel space processes in percentage CPU Idle CPU idle resource at current time in percentage CPU Waiting for I O CPU resource currently waiting for I O in percentage Memory Utilization Total Memory Total amount of memory space available on the security appliance Memory Used Total ...

Page 356: ...Enter the current administrator password New Password Enter a new administrator password Passwords are case sensitive NOTE A password requires a minimum of 8 characters including at least three of these character classes uppercase letters lowercase letters digits and special characters Do not repeat any password more than three times in a row Do not set the password as the username or cisco Do not...

Page 357: ...to allow an administrator to connect to the configuration utility from a different network than the local network LAN of the security appliance You can allow connections through HTTPS HTTP over SSL and HTTP When this feature is enabled a user can access the configuration utility by launching a web browser and entering the protocol the WAN IP address of the security appliance and the specified List...

Page 358: ...tworking Address Management page Create new address Choose this option to enter an IP address or address range In the pop up window enter a Name and specify the Type Host or Range For a single host enter the IP address For a range enter the Starting IP Address and the Ending IP Address Remote SNMP Click On to enable SNMP for the remote connection or click Off to disable SNMP Enabling SNMP allows r...

Page 359: ... can choose either TLS or SSL for securing the SMTP communication Secure Connectivity Method Choose either TLS or SSL for securing the SMTP communication or choose None for an unsecured connection If you choose TLS or SSL SMTP Authentication will be enabled SMTP Authentication Click On if the SMTP server requires authentication before accepting the connections Users must provide the SMTP account c...

Page 360: ... the alert emails To enable CPU Overload Alert you must complete the following tasks Configure the email server settings used to send the alert emails Check CPU Overload Alert in the Enable column and specify the CPU utilization threshold and the email address used to receive the alert emails New Firmware Alert Sends an alert email to the specified email address if a newer firmware is detected on ...

Page 361: ...send the alert emails and specify the email address used to receive the alert emails Syslog Email Sends the syslogs on schedule to the specified email address for troubleshooting purposes Send to Email Address Enter the email address to receive the syslog messages To enable Syslog Email you must complete the following tasks Enable the Log feature and specify the subtitle in the syslog emails the s...

Page 362: ... to Site VPN page 290 Configure the email server settings used to send the alert emails Check Site to Site VPN Up Down Alert in the Enable column and specify the email address used to receive the alert emails WAN Up Down Alert Sends an alert email if the WAN link is up or down Alert Interval Specify how often in minutes that the security appliance sends the alert emails Enter a value in the range ...

Page 363: ...e alert emails Anti Virus Alert Sends an alert email at the specified interval to a specified email address if viruses are detected Alert Interval Specify how often in minutes that the security appliance sends an alert email for virus events Enter a value in the range 1 to 1440 minutes The default value is 30 minutes The security appliance will log the virus events between alert intervals and send...

Page 364: ... Intrusion Prevention page 273 Enable Application Control and configure the Application Control settings See Configuring Application Control page 261 Configure the email server settings used to send the alert emails Check IPS Alert in the Enable column and specify the email address used to receive the alert emails Web URL Filtering Alert Sends an alert email to the specified email address when Web...

Page 365: ...sion enter the following information System Contact Enter the name of the contact person for your security appliance Device Enter the device name for easy identification of your security appliance System Location Enter the physical location of your security appliance Security User Name Enter the name of the administrator account with the ability to access and manage the SNMP MIB objects This is on...

Page 366: ...ou can back up your current settings as a configuration file to your local PC or to a USB device if applicable You can later restore the saved configuration if needed You should always back up your configuration whenever you make any modifications to the device configuration or performing any firmware updates NOTE When saving the configuration to a file the security license and self signed certifi...

Page 367: ...t otherwise you cannot upload the configuration file later without the correct password STEP 4 To restore the settings from a saved configuration file on your local PC perform the following steps a In Configuration Restore area select the Restore Configuration From PC radio button b Click Browse to select the saved configuration file from your local PC and click Restore c If the selected configura...

Page 368: ...column See Exporting Certificates to Your Local PC page 370 To export a local certificate or a CSR to a mounted USB device check it and click the Export to USB icon in the Configure column See Exporting Certificates to a USB Device page 371 To import a CA certificate or a local certificate from your local PC click Import PC See Importing Certificates from Your Local PC page 371 To import a CA cert...

Page 369: ...st generated by your security appliance that needs to be sent to the Certificate Authority CA for signing CSR contains all information required to create your digital certificate Local Certificate The local certificate is issued by a trusted CA and is involved in the applications like remote management and SSL VPN To use a local certificate you must first request a certificate from the CA and then...

Page 370: ...ow opens Click Download The certificate file will be saved in pem format Certificate Type Details CA Certificate or Local Certificate Name Name used to identify this certificate Issuer Name of the CA that issued the certificate Subject Name which other organizations will see as the holder owner of this certificate Serial number Serial number maintained by the CA and used for identification purpose...

Page 371: ...ificate Signing Request to USB window opens Click Export The CSR file will be saved on the USB device in pem format If you are downloading a local certificate the Export Certificate to USB window opens Enter a password in the Enter Export Password field to protect the certificate file and click Export The certificate file will be saved on the USB device in p12 format Importing Certificates from Yo...

Page 372: ... window opens All available local certificates and CA certificates appear in the list STEP 3 Check the certificate file enter the certificate name in the Certificate Name field and the protection password in the Import Password field and then click Import Generating New Certificate Signing Requests STEP 1 Click Device Management Certificate Management STEP 2 Click Request Signing to generate a new...

Page 373: ...2 bits 1024 bits or 2048 bits STEP 4 Click Generate to create a certificate signing request file After you generate a certificate signing request file you need to export this file to your local PC for submission to a Registration or CA The CSR file will be saved in pem format Importing Signed Certificate for CSR from Your Local PC You can upload the signed certificate for a CSR from your local PC ...

Page 374: ... your Cisco com account credentials on the security appliance A valid Cisco com account is required to download the latest firmware image from Cisco com and to check for signature updates from Cisco s signature server for IPS Application Control and Anti Virus If you do not have one go to https tools cisco com RPF register register do by clicking the Create a Cisco com Account link on this page to...

Page 375: ...o Services Support Cisco OnPlus STEP 2 Check the box next to Enable Cisco OnPlus Advanced Security Service to enable Cisco OnPlus on your security appliance or uncheck this box to disable it By default Cisco OnPlus is enabled This setting is provided mainly for support and troubleshooting purposes If you disable Cisco OnPlus on the security appliance Cisco OnPlus Service will be unable to communic...

Page 376: ...res STEP 3 Click Save to apply your settings Sending Contents for System Diagnosis Use the Send Diagnostics page to select the contents like the configuration file the syslog file and the system status data and compress them into one file in zip format and then send the compressed file to the specified email address for system diagnosis You can set a password to protect the compressed file for sec...

Page 377: ...EP 5 Click Save to apply your settings STEP 6 Click Send Now to send the compressed file to the specified email address immediately STEP 7 Click Download to save the compressed file to your local PC Configuring System Time Use the Date and Time page to manually configure the system time or to dynamically synchronize the system time with the Network Time Protocol NTP server STEP 1 Click Device Mana...

Page 378: ...Save to apply your settings Configuring Device Properties Use the Device Properties page to configure the host name and domain name to identify your security appliance on the network STEP 1 Click Device Management Device Properties STEP 2 Enter the following information Host Name Enter the host name for your security appliance which is displayed on the network to identify your device Domain Name E...

Page 379: ...ppliance will send the packet with the specified size to the destination Number of Pings Enter the times to ping The security appliance will send the packet for specific times to check the connectivity with the destination STEP 3 Click Start to ping the IP address or the URL or click Stop to stop pinging Traceroute Use the Traceroute page to view the route between the security appliance and a dest...

Page 380: ...pture page to capture all packets that pass through a selected interface STEP 1 Click Device Management Diagnostic Utilities Packet Capture STEP 2 Choose an interface or a network such as DEFAULT VLAN that you want to capture the packets from the Network drop down list NOTE Selecting WAN1 or WAN2 if applicable means capturing the packets through a logical interface Selecting GEx means capturing th...

Page 381: ... If UPnP is disabled the security appliance will not allow for automatic device configuration LAN Choose an existing VLAN to which the UPnP information is broadcasted and listened on Advertisement Period Enter the value in seconds of how often the security appliance broadcasts its UPnP information to all devices within range The default value is 1800 seconds Advertisement Time to Live Enter the va...

Page 382: ... VLAN is the broadcasting domain To associate a VLAN choose a VLAN from the VLAN drop down list and click Apply To dissociate the VLANs from the default services check the boxes next to the appropriate VLANs and click Delete STEP 4 Click Save to apply your settings CDP Discovery Cisco Discovery Protocol CDP is a device discovery protocol that runs on all Cisco manufactured equipment Each CDP enabl...

Page 383: ...e CDP This is required if you choose Per Port from the CDP drop down list STEP 4 Click Save to apply your settings LLDP Discovery Link Layer Discovery Protocol LLDP enables network managers to troubleshoot and enhance network management by discovering and maintaining network topologies over multi vendor environments LLDP discovers network neighbors by standardizing methods for network devices to a...

Page 384: ... firmware image on your local PC or on a USB device See Upgrading Firmware from a PC or a USB Device page 387 Automatically fall back to the secondary firmware See Firmware Auto Fall Back Mechanism page 388 Use the Rescue mode to recover the system See Using Rescue Mode to Recover the System page 388 CAUTION During a firmware upgrade do NOT close the browser window navigate away from the upgrading...

Page 385: ...ry firmware that was in use as the primary firmware The original primary firmware will then become the secondary firmware We recommend that you back up your current settings for later use before you switch to the secondary firmware CAUTION Do not try to switch the firmware if a secondary firmware image is not present Doing so can cause the security appliance to not boot up STEP 1 Click Device Mana...

Page 386: ... radio button will be grayed out Last checked Displays the date and time for the last query Unable to check firmware status Displays this message if the security appliance cannot access Cisco s IDA server due to invalid WAN connection or any other reasons New Firmware Available Displays the version number of the latest firmware image on Cisco s IDA server if newer firmware is available after the q...

Page 387: ...image from your local PC c To upgrade the firmware and keep using the current settings click Upgrade d To upgrade the firmware and restore the factory default settings click Upgrade and Factory Reset STEP 3 To upgrade the firmware through a USB device perform the following steps a Insert the USB device with the firmware images into the USB port on the back panel b In the Upgrade Firmware area sele...

Page 388: ...ary firmware STEP 3 If the CRC error or the boot failure occurs for the primary firmware the bootloader will switch to the secondary firmware STEP 4 The bootloader checks the CRC for the secondary firmware STEP 5 If the CRC error or the boot failure occurs for the secondary firmware the Rescue mode starts up In Rescue mode the security appliance works as a TFTP server You can use a TFTP client to ...

Page 389: ...ess IMPORTANT During firmware upgrade do not turn off the device shut down the PC interrupt the process or remove the cable in any way until the operation is complete When the POWER SYS light on the front panel is solid green the system is operating normally Managing Security License The security services are licensable A valid security license is required to activate security services and to supp...

Page 390: ...to complete or troubleshoot licensing STEP 3 Click Email Alerts to set up or view the email alert settings for license expiration events The Email Alerts window opens The following information is displayed Email Alert Click On to enable email alerts for license expiration or click Off to disable this feature From Email Address The email address to use as the sender of the alert emails Send to Emai...

Page 391: ...gement License Management STEP 4 To install the security license click the Install icon Other option If the security license is installed you can click the Renew icon to renew the security license before it expires Choose the license type from the License Type drop down list License Code PAK from Cisco com Automatically retrieves and installs the license on the security appliance from the Cisco se...

Page 392: ...f events can be captured and logged for review These logs can be saved to the local syslog daemon or to a specified remote syslog server or be emailed to a specified email address This section describes how to view the event logs and configure the log settings and the log facilities Refer to the following topics Viewing Logs page 392 Configuring Log Settings page 394 Configuring Log Facilities pag...

Page 393: ...he event Facility The type of facility for the log Log Data A brief description for the event Source IP Address The source IP address for the firewall event Destination IP Address The source IP address for the firewall event STEP 4 You can optionally perform the following actions Sort the log entries The logs can be sorted by clicking the column header By default the logs are sorted by date and ti...

Page 394: ...e System Logs area if you want to monitor the security appliance with more traffic data you can choose to log all unicast traffic and or all broadcast or multicast traffic directed to your security appliance for troubleshooting purposes The logs for unicast traffic and broadcast or multicast traffic are at the Information severity level Unicast Traffic Click On to log all unicast packets directed ...

Page 395: ...is displayed in the email For example if you set the device name as the subtitle the email recipient can recognize quickly what device the logs or alerts are coming from Severity Choose the severity level for the logs that you want to send For example If you select Critical all logs listed under the Critical Emergency and Alert categories are sent STEP 5 In the Email Schedule area specify the sche...

Page 396: ...runs a syslog daemon Severity Choose the severity level of the logs that you want to save to the remote syslog server For example If you select Critical the logs listed under the Critical Emergency and Alert categories are saved to the remote syslog server STEP 7 In the Local Log area choose the severity level for the events that you want to log The logs will be saved to the local syslog daemon Fo...

Page 397: ... the selected facility The events that belong to the selected facilities and match the specified severity level for Syslog Email are logged and the recorded syslogs are sent to the specified email address on schedule Remote Log Check Remote Log to enable the remote log settings for all facilities or check the box of a facility to enable the remote log settings for the selected facility The events ...

Page 398: ...d hold the RESET button on the back panel for more than 3 seconds or perform the Reset to Factory Defaults operation from the Configuration Utility CAUTION The Reset To Factory Defaults operation will wipe out the current settings used on the security appliance including the imported certificates We recommend that you back up your current settings before restoring the factory default settings STEP...

Page 399: ...e closed and the system will be down for approximately 180 seconds STEP 3 Click Yes to reboot the security appliance Configuring Schedules The schedule specifies when the firewall rule or the application control policy is active For example if you want a firewall rule only to work on the weekend you can create a schedule called Weekend that is only active on Saturday and Sunday STEP 1 Click Device...

Page 400: ...want to keep the firewall rule or the application control policy active Schedule Time Schedules the firewall rule or the application control policy on all days or at a specific time of day All Days Choose this option if you want to keep the firewall rule or the application control policy always on Specific Times Choose this option if you want to keep the firewall rule or the application control po...

Page 401: ...PC and the security appliance STEP 2 Ensure that the IP address of your PC is on the same subnet as the security appliance If you are using the recommended addressing scheme your PC s address should be in the range 192 168 75 100 to 192 168 75 200 STEP 3 Check the IP address of your PC If the PC cannot reach a DHCP server some versions of Windows and MacOS generate and assign an IP address These a...

Page 402: ...re that CAPS LOCK is off when entering this information Symptom The security appliance does not save my configuration changes Recommended Actions STEP 1 When entering configuration settings click OK or Save before moving to another page or tab otherwise your changes are lost STEP 2 Click Refresh or Reload in the browser which will clear a cached copy of the old configuration Symptom The security a...

Page 403: ... The security appliance still cannot obtain an IP address from the ISP Recommended Actions STEP 1 Click Networking WAN WAN Settings STEP 2 Click the Edit pencil icon to configure the primary WAN port The WAN Add Edit window opens STEP 3 Ask your ISP the following questions What type of network addressing mode is required for your Internet connection In the IPv4 tab choose the correct ISP connectio...

Page 404: ... gateway Date and Time Symptom Date shown is January 1 2000 Possible Cause The security appliance has not yet successfully reached a Network Time Server NTS Recommended Actions STEP 1 If you have just configured the security appliance click Device Management Date and Time STEP 2 Review the settings for the date and time STEP 3 Verify your Internet access settings Symptom The time is off by one hou...

Page 405: ...dows Start button and then click Run STEP 2 Type ping IP_address where IP_address is the IP address of the security appliance Example ping 192 168 75 1 STEP 3 Click OK STEP 4 Observe the display If the path is working you see this message sequence Pinging IP address with 32 bytes of data Reply from IP address bytes 32 time NN ms TTL xxx If the path is not working you see this message sequence Ping...

Page 406: ...appliance is listed as the default gateway If the IP configuration of your PC is assigned by DHCP this information is not visible in your PC s Network Control Panel Verify that the network subnet address of your PC is different from the network address of the remote device Verify that the cable or DSL modem is connected and functioning Call your ISP and go through the questions listed in The secur...

Page 407: ... RJ 45 connector for WAN port 4 x RJ 45 connectors for LAN WAN or DMZ ports 1 x USB connector for USB 2 0 1 x Power switch 2 x external antennas 4 x RJ 45 connectors for LAN ports 1 x RJ 45 connector for WAN port 5 x RJ 45 connectors for LAN WAN or DMZ ports 1 x USB connector for USB 2 0 1 x Power switch 4 x RJ 45 connectors for LAN ports 1 x RJ 45 connector for WAN port 5 x RJ 45 connectors for L...

Page 408: ...nge 90 to 264 VAC Input Frequency Range NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz Output Voltage Regulation 11 4 V to 12 6 V 11 4 V to 12 6 V 11 4 V to 12 6 V 11 4 V ...

Page 409: ...s objects It includes the following sections Device Management page 409 User Management page 411 Networking page 412 Wireless page 416 VPN page 417 Security Services page 419 Firewall page 419 Reports page 421 Default Service Objects page 422 Default Address Objects page 426 Device Management Feature Setting Remote Administration Disable Remote management using HTTPS Disable Access type All IP add...

Page 410: ...ogin session limit 10 minutes 0 to 1000 minutes SNMP Disable SNMP Versions SNMP Version 1 and 2 SNMP Version 3 Maximum number of certificates 128 Remote Support Disable Cisco OnPlus Enable Send Diagnostics Disable Date and Time Dynamically set system time Daylight saving time adjustment Disable Default NTP servers Enable Host Name router and first three bytes of the MAC address UPnP Disable Bonjou...

Page 411: ... Up Down Alert Disable WAN Up Down Alert Disable WAN Up Down alert interval 5 minutes 3 to 1440 minutes Traffic Meter Alert Disable Anti Virus Alert Disable Anti Virus alert interval 30 minutes 1 to 1440 minutes IPS Alert Disable Web URL Filtering Alert Disable Feature Setting Feature Setting User Groups Default administrator user group admin Available services for user groups Web Login SSL VPN IP...

Page 412: ...l Database default RADIUS RADIUS Local Database LDAP LDAP Local Database Feature Setting Feature Setting IPv4 or IPv6 Routing IPv4 only WAN Interfaces Maximum number of WAN interfaces 2 WAN1 Physical Port GE1 WAN1 IP Address Assignment DHCP Client WAN1 MTU Auto WAN1 MTU Value 1500 WAN1 DNS Server Source Get Dynamically from ISP WAN1 MAC Address Source Use Default MAC address WAN1 Zone Mapping WAN ...

Page 413: ...rol Disable WAN Redundancy Operation Modes Equal Load Balancing default Load Balancing Failover Routing Table VLANs Maximum number of VLANs 16 DEFAULT VLAN VID 1 IP Address 192 168 75 1 Subnet 255 255 255 0 Spanning Tree Disable DHCP Mode DHCP Server DHCP Pool 192 168 75 100 to 200 Lease Time 1 day Default Gateway 192 168 75 1 Mapped Zone LAN Feature Setting ...

Page 414: ...192 168 25 100 to 200 Lease Time 1 day Default Gateway 192 168 25 1 Mapped Zone GUEST VOICE VLAN VID 100 IP Address 10 1 1 2 Subnet 255 255 255 0 Spanning Tree Enable Mapped Zone VOICE DHCP Mode Disable Zones Maximum number of zones 32 Predefined zones WAN LAN DMZ VPN GUEST SSLVPN VOICE Routing Routing mode Disable Maximum number of Static Routing rules 150 Dynamic Routing RIP Disable Policy Based...

Page 415: ...ors associated with one WAN QoS policy profile 64 LAN QOS Disable WLAN QoS Disable Service Management Maximum number of service groups 64 Maximum number of services 150 Maximum number of services in one service group 64 Address Management Maximum number of address groups 64 Maximum number of addresses 150 Maximum number of addresses in one address group 100 Maximum number of DDNS profiles 16 VRRP ...

Page 416: ...D Disable SSID isolation between SSIDs Disable Default SSIDs cisco data cisco guest cisco3 cisco4 Disable SSID broadcast Enable Station isolation between clients Disable Security mode Open Wi Fi Multimedia WMM Enable Wireless MAC Filtering Disable Advanced Radio Settings Guard interval Long 800 ns CTS protection mode Auto Beacon interval 100 ms 20 to 999 ms DTIM interval 1 ms 1 to 255 ms RTS thres...

Page 417: ...ature Setting Feature Setting Site to Site VPN Disable Maximum number of Site to Site VPN tunnels 100 for ISA570 and ISA570W 50 for ISA550 and ISA550W IKE Policies Maximum number of IKE policies 16 DefaultIke Hash SHA1 DefaultIke Authentication Pre shared Key DefaultIke D H Group Group 2 DefaultIke Encryption ESP_AES_256 DefaultIke Lifetime 24 hours Transform Policies Maximum number of transform p...

Page 418: ...to 16 SSL VPN disable Maximum number of group policies 32 Gateway interface WAN1 Gateway port number 443 Certificate file Default Client address pool 192 168 200 0 Client netmask 255 255 255 0 Idle timeout 2100 seconds 60 to 86400 seconds Session timeout 0 seconds 0 60 to 1209600 seconds Client DPD timeout 300 seconds 0 to 3600 seconds Gateway DPD timeout 300 seconds 0 to 3600 seconds Keep alive 3...

Page 419: ...ds L2TP Server Disable IPsec Passthrough Enable PPTP Passthrough Enable L2TP Passthrough Enable Feature Setting Feature Setting Anti Virus Disable Application Control Disable Spam Filter Disable Intrusion Prevention IPS Disable Web Reputation Filtering Disable Web URL Filtering Disable Network Reputation Enable Features Setting Default Firewall Rules Prevent all inbound traffic and allow all outbo...

Page 420: ...m number of Port Triggering rules 15 Maximum number of Advanced NAT rules 32 Content Filtering Disable MAC Address Filtering Disable Maximum number of MAC Address Filtering rules 100 IP MAC Binding Maximum number of IP MAC Binding rules 100 Attack Protection Block Ping WAN Interface Enable Stealth Mode Enable Block TCP Flood Enable Block UDP Flood Enable Block ICMP Notification Enable Block Fragme...

Page 421: ...nnections 60000 1000 to 60000 TCP timeout 1200 seconds 5 to 3600 seconds UDP timeout 180 seconds 5 to 3600 seconds Application Level Gateway ALG SIP ALG Enable H 323 ALG Enable Features Setting Feature Setting Bandwidth Usage Reports Bandwidth Usage Report by IP Address Disable Bandwidth Usage Report by Internet Service Disable Website Visits Report Disable WAN Bandwidth Reports Disable Security S...

Page 422: ...etting Service Name Protocol Port Start Port End Description AIM CONNECT TCP 4443 4443 AOL Instant Messenger direct connect AIM CHAT TCP 5190 5190 AOL Instant Messenger file transfer and chat BGP TCP 179 179 Border Gateway Protocol BOOTP_client UDP 68 68 Bootstrap Protocol BOOTP_server UDP 67 67 Bootstrap Protocol CU SEEME TCP UDP 7648 7652 Internet Videoconferencing Protocol DHCP UDP 67 67 Dynami...

Page 423: ...ver SSL TLS ICMP Destination Unreachable ICMP 3 0 ICMP Ping Reply ICMP 0 0 ICMP Ping Request ICMP 8 0 ICMP Redirect Message ICMP 5 0 ICMP Router Advertisement ICMP 9 0 ICMP Router Solicitation ICMP 10 0 ICMP Source Quench ICMP 4 0 ICMP Time Exceeded ICMP 11 0 ICMP Timestamp ICMP 13 0 ICMP Type 6 ICMP 6 0 Alternate Host Address ICMP Type 7 ICMP 7 0 Reserved ICQ TCP 5190 5190 Instant Messenger IDENT...

Page 424: ...P IRC TCP 6660 6660 Internet Relay Chat de facto port 6660 to 6669 ISAKMP UDP 500 500 L2TP UDP 1701 1701 Layer 2 Tunneling Protocol NEWS TCP 144 144 NFS UDP 2049 2049 Network File System NNTP TCP 119 119 Network News Transfer Protocol NNTP over SSL uses the port 563 POP3 TCP 110 110 Post Office Protocol Version 3 PPTP TCP 1723 1723 Microsoft Point to Point Tunneling Protocol RCMD TCP 512 512 REAL ...

Page 425: ...r SSL SIP TCP UDP 5060 5060 Session Initiation Protocol SMTP TCP 25 25 Simple Mail Transfer Protocol SNMP TCP UDP 161 161 Simple Network Management Protocol SNMP TRAPS TCP UDP 162 162 Simple Network Management Protocol Trap SQL NET TCP 1521 1521 SSH TCP UDP 22 22 Secure Shell Protocol STRMWORKS UDP 1558 1558 TACACS TCP 49 49 Login Host Protocol TELNET TCP 23 23 TELNET Secondary TCP 8023 8023 TELNE...

Page 426: ...e IP IP Netmask or IP Range WAN1_IP Host 0 0 0 0 WAN1_GW Host 0 0 0 0 WAN1_DNS1 Host 0 0 0 0 WAN1_DNS2 Host 0 0 0 0 WAN1_USER_DNS1 Host 0 0 0 0 WAN1_USER_DNS2 Host 0 0 0 0 WAN1_NETWORK Network 0 0 0 0 255 255 255 255 WAN1_MAC MAC N A DEFAULT_IP Host 192 168 75 1 DEFAULT_Network Network 192 168 75 0 255 255 255 0 DEFAULT_DHCP_POOL Range 192 168 75 100 to 192 168 75 200 GUEST_IP Host 192 168 25 1 GU...

Page 427: ...siness Support Community www cisco com go smallbizsupport Cisco Small Business Support and Resources www cisco com go smallbizhelp Phone Support Contacts www cisco com go sbsc Firmware Downloads www cisco com go isa500software Product Documentation Cisco ISA500 Series Integrated Security Appliances www cisco com go isa500resources Cisco Small Business Cisco Partner Central for Small Business Partn...

Reviews:

No comments

Related manuals for ISA550

Express EtherNetwork DFE-670TXD

Brand: D-Link Pages: 4

Brand: DAD Pages: 36

Brand: D-Link Pages: 2

Brand: iDirect Pages: 60

Brand: Vanguard Pages: 4

Brand: Vivotek Pages: 136

Brand: Draytek Pages: 8

Brand: FOR-A Pages: 39

Protege PRT-PX16-PCB

Brand: ICT Pages: 34

ADSL 2/2+ VPN Firewall Router ADE-4300A/B

Brand: Planet Pages: 132

CompactPCI CC8-BLUES

Brand: EKF Electronik Pages: 52

Brand: 8level Pages: 52

Brand: ADTRAN Pages: 2

Through Hole Power Inductors 1411

Brand: Delta Electronics Pages: 1

Brand: Cypress Semiconductor Pages: 33

Brand: HighPoint Pages: 10

Brand: IMC Networks Pages: 36

Brand: SafeHome Pages: 24

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands