manualshive.com logo in svg

Cisco RVS4000 - Gigabit Security Router, Administration Manual, Page: 49 / 195

Share
Download
Cisco RVS4000 - Gigabit Security Router Administration Manual Download Page 49

Setting Up and Configuring the Router

Firewall

Cisco RVS4000 Security Router with VPN Administrator Guide

49

5

 

To add a new rule to the ACL rule table, click 

Add New Rule

 and the 

Edit IP ACL 

Rule

 window appears. Follow the instructions in the section below to create a new 

ACL rule. To disable all the rules without deleting them, click 

Disable All Rules

. To 

delete all the rules from the table, click 

Delete All Rules

.

Editing IP ACL Rules

Editing IP ACL Rules

Action

 Select the desired action, 

Allow

 or 

Deny

, from the drop-down menu.

Service

 Select the service types to which the rule applies. You can either select 

one of the predefined services in the drop-down menu; select 

ALL

 to allow or 

deny all types of IP traffic; or define a new service by clicking 

Service 

Management

 to bring up the 

Service Management 

window, then the new 

service’s Name, select the Type (TCP, UDP, or TCP/UDP), enter the Start Port and 
Finish Port, then click 

Save

. The new service appears in the drop-down menu on 

the 

Edit IP ACL Rule

 window. 

Log

 Select this option to log all traffic that is filtered by this rule.

Log Prefix

 Enter a text string to prepend to each matched event in the log.

Summary of Contents for RVS4000 - Gigabit Security Router

Page 1: ...Cisco Small Business RVS4000 4 Port Gigabit Security Router with VPN ADMINISTRATION GUIDE ...

Page 2: ... and or its affiliates in the U S and other countries A listing of Cisco s trademarks can be found at www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1005R ...

Page 3: ... VPN 13 1 MAC Address Spoofing 14 2 Data Sniffing 14 3 Man in the middle attacks 14 What is a VPN 15 VPN Router to VPN Router 16 Computer using the Cisco QuickVPN Client software to VPN Router 17 Chapter 4 Getting Started with the RVS4000 Router 18 Front Panel 18 Back Panel 19 Placement Options 20 Desktop Option 20 Stand Option 20 Wall Option 21 Installing the Router 22 Configuring the Router 23 C...

Page 4: ...Port Range Forwarding 55 Firewall Port Range Triggering 56 ProtectLink 57 ProtectLink ProtectLink Purchase 57 VPN 58 VPN Summary 58 VPN IPSec VPN 60 VPN VPN Client Accounts 64 VPN VPN Passthrough 66 QoS 67 QoS Bandwidth Management 67 QoS QoS Setup 70 QoS DSCP Setup 71 Administration 72 Administration Management 72 Router Access 72 Administration Log 74 Administration Diagnostics 76 Administration ...

Page 5: ...Statistics 92 L2 Switch Port Mirroring 93 L2 Switch RSTP 94 Status 95 Status Gateway 95 Status Local Network 97 Chapter 6 Using the VPN Setup Wizard 98 VPN Setup Wizard 98 Before You Begin 98 Running the VPN Setup Wizard 99 Building Your VPN Connection Remotely 109 Appendix A Troubleshooting 116 Frequently Asked Questions 128 Appendix B Using Cisco QuickVPN for Windows 2000 XP or Vista 133 Overvie...

Page 6: ...re IPSec Tunnel 144 Appendix D Gateway to Gateway VPN Tunnel 166 Overview 166 Before You Begin 166 Configuration when the Remote Gateway Uses a Static IP Address 167 Configuration when the Remote Gateway Uses a Dynamic IP Address 172 Configuration When Both Gateways Use Dynamic IP Addresses 177 Appendix E Cisco ProtectLink Web Service 182 Overview 182 How to Access the Configuration Utility 182 Ho...

Page 7: ... Administrator Guide 7 Contents Setup Config 190 Management 191 Security Features 191 QoS 191 Network 192 VPN 192 Routing 192 Layer 2 192 Environmental 193 Appendix G Where to Go From Here 194 Product Resources 194 Related Documentation 195 ...

Page 8: ...fice network from off site Users connecting through a VPN tunnel are attached to your company s network with secure access to files email and your intranet just as if they were in the building You can also use the VPN capability to allow users on your small office network to securely connect out to a corporate network The QoS features provide consistent voice and video quality throughout your busi...

Page 9: ... home or office to the Internet The router processes and regulates the data that travels between these two networks The router s Network Address Translation NAT technology protects your network of PCs so users on the Internet cannot see your PCs This feature keeps your LAN remains private The router protects your network by inspecting the first packet received through the Internet port before deli...

Page 10: ...temporarily assigned to the PC or other device After a certain time period they expire and may change If a PC logs onto the network or the Internet and its dynamic IP address has expired the DHCP server will assign it a new dynamic IP address A DHCP server can either be a designated PC on the network or another network device such as the router By default the router s Internet Connection Type is O...

Page 11: ...0 has hardware based acceleration for real time pattern matching to detect malicious attacks It actively filters and drops malicious TCP UDP ICMP IGMP packets and can reset TCP connections This feature prevents network worm attacks against client PCs and servers with various operating systems including Windows Linux and Solaris However this system does not prevent viruses contained in email attach...

Page 12: ...Networking and Security Basics The Intrusion Prevention System IPS Cisco RVS4000 Security Router with VPN Administrator Guide 12 2 IPS Scenarios ...

Page 13: ...work from a hotel or remote office How is your data protected A VPN can help VPNs are called Virtual Private Networks because they secure data moving outside of your network as if it were still within that network When data travels across the Internet from your computer it is always open to attacks You may already have a firewall which helps protect data in your network from being corrupted or int...

Page 14: ...ch as protocol analyzers and network diagnostic tools are often built into operating systems and allow the data to be viewed in clear text 3 Man in the middle attacks Once the hacker has either sniffed or spoofed enough information he can now perform a man in the middle attack Hackers use this attack when data is transmitted from one network to another by rerouting the data to a new destination Ev...

Page 15: ...secure connection that in effect operates as if you were directly connected to your local network You can use VPN to create a secure network that links a central office with branch offices telecommuters and or professionals on the road travelers can connect to a VPN router by using any computer with the Cisco QuickVPN Client software There are two basic ways to create a VPN connection VPN router t...

Page 16: ...ction His router is configured with his office s VPN settings When he connects to his office s router the two routers create a VPN tunnel encrypting and decrypting data As VPNs utilize the Internet distance is not a factor While using the VPN the telecommuter now has a secure connection to the central office s network as if he were physically connected For more information refer to Appendix D Gate...

Page 17: ...r office s IP address She accesses the Cisco QuickVPN Client software and connects to the VPN router at the central office As VPNs utilize the Internet distance is not a factor While using the VPN she now has a secure connection to the central office s network as if she were physically connected Computer to VPN Router For additional information and instructions about creating your own VPN please v...

Page 18: ...It includes these sections Front Panel page18 Back Panel page 19 Placement Options page 20 Installing the Router page 22 Configuring the Router page 23 Front Panel The LEDs are located on the front panel of the router Front Panel POWER LED Steady green when the router is powered on Flashes when the router is running a diagnostic test DIAG LED Unlit when the system is ready Flashes red during firmw...

Page 19: ...y sending or receiving data on the port INTERNET LED Steady green to indicate the line speed of the device attached to the Internet port Flashes to indicates activity If the router is connected to a cable or DSL modem typically the 100 LED is the only LED lit up indicating 100 Mbps RESET Button You can use the Reset button in two ways If the router has problems connecting to the Internet press the...

Page 20: ...For desktop placement place the Cisco RVS4000 router horizontally on a surface so it sits on its four rubber feet Stand Option To install the router vertically in the supplied stands follow the steps below ETHERNET Ports 1 4 Provide a LAN connection to network devices such as PCs print servers or additional switches POWER Port Connects the router to power via the supplied AC power adapter 274946 P...

Page 21: ...lace STEP 3 Repeat step 2 with the other stand Wall Option To mount the Cisco RVS4000 router on the wall follow these steps STEP 1 Determine where you want to mount the router and install two screws not supplied that are 2 9 16 in apart approximately 64 5 mm STEP 2 With the back panel pointing up if installing vertically line up the router so that the wall mount crisscross slots on the bottom of t...

Page 22: ...ff all of your network hardware including the router PCs and cable modem or DSL modem Perform the steps in this section to install the hardware STEP 1 Connect one end of an Ethernet network cable to one of the LAN ports labeled 1 4 on the back of the router Connect the other end to an Ethernet port on a PC STEP 2 Repeat step 1 to connect up to four PCs switches or other network devices to the rout...

Page 23: ...er is connected STEP 7 Power on the PCs The router hardware installation is now complete Configuring the Router To configure the RVS4000 connect a PC to the router and launch the configuration utility NOTE Before setting up the router make sure your PCs are configured to obtain an IP or TCP IP address automatically from the router STEP 1 Launch a web browser such as Internet Explorer or Mozilla Fi...

Page 24: ...P If your ISP assigns you a static IP address select Static IP from the drop down menu Complete the Internet IP Address Subnet Mask Default Gateway and DNS fields Enter at least one DNS address PPPoE If you connect through PPPoE select PPPoE from the drop down menu Complete the User Name and Password fields PPTP PPTP is used in Europe only If you use a PPTP connection check with your ISP for the n...

Page 25: ...cess the configuration utility of the router open your web browser and enter http 192 168 1 1 into the Address field Press the Enter key and the Login window appears NOTE The default IP address is 192 168 1 1 If the IP address has been changed via DHCP or the console interface enter the assigned IP address instead of the default The first time you open the configuration utility enter admin the def...

Page 26: ...g in The utility s menus and windows are described below For brevity window names are listed in this format Menu Window Setup Use the Setup menu to access all of the router s basic setup functions You can use the router in most network settings without changing any of the default values Some users may need to enter additional information in order to connect to the Internet through an ISP Internet ...

Page 27: ...uter s CPU type System up time Displays the length of time that has elapsed since the router was last reset DRAM Displays the amount of DRAM installed in the router Flash Displays the amount of flash memory installed in the router Port Statistics This section displays color coded status information on the router s Ethernet ports Green Indicates that the port has a connection Black Indicates that t...

Page 28: ...es whether the DMZ hosting feature is enabled Firewall Setting Status DoS Denial of Service Indicates whether the DoS Protection feature is enabled to block DoS attacks Block WAN Request Indicates whether the Block WAN Request feature is enabled Remote Management Indicates whether the Remote Management feature is enabled IPSec VPN Setting Status IPSec VPN Summary Click the IPSec VPN Summary hyperl...

Page 29: ...orts six types of connections Each Setup WAN window and available features differ depending on the selected connection type Automatic Configuration DHCP By default the router s Configuration Type is set to Automatic Configuration DHCP and it should be kept only if your ISP supports DHCP or you connect through a dynamic IP address Automatic Configuration DHCP ...

Page 30: ...SP will provide you with the IP Address to specify here Subnet Mask The router s Subnet Mask as seen by external users on the Internet including your ISP Your ISP will provide you with the Subnet Mask Default Gateway Your ISP will provide you with the Default Gateway Address which is the ISP server s IP address Primary DNS Required and Secondary DNS Optional Your ISP will provide you with at least...

Page 31: ...e and Password Enter the User Name and Password provided by your ISP Connect on Demand Max Idle Time You can configure the router to cut the Internet connection after it has been inactive for a specified period of time Max Idle Time and then automatically re establish the connection as soon as you attempt to access the Internet again To activate Connect on Demand select the Connect on Demand optio...

Page 32: ...30 seconds Click Save to save your changes or click Cancel to undo your changes PPTP Point to Point Tunneling Protocol PPTP is a service that applies to connections in Europe and Israel only PPTP IP Address The router s IP address when seen from the WAN or the Internet Your ISP will provide you with the IP Address you need to specify here Subnet Mask The router s Subnet Mask as seen by external us...

Page 33: ... terminated automatically Keep Alive Redial period If you select this option the router periodically checks your Internet connection If you are disconnected then the router automatically re establishes your connection To use this option click the radio button next to Keep Alive In the Redial Period field specify how often you want the router to check the Internet connection The default Redial Peri...

Page 34: ...Internet connection If you are disconnected then the router will automatically re establishes your connection To use this option click the radio button next to Keep Alive In the Redial Period field specify how often you want the router to check the Internet connection The default Redial Period is 30 seconds Click Save to save your changes or click Cancel to undo your changes L2TP Layer 2 Tunneling...

Page 35: ...on as you attempt to access the Internet again To activate Connect on Demand select the Connect on Demand option and enter in the Max Idle Time field the number of minutes of inactivity that must elapse before your Internet connection is terminated automatically Keep Alive Redial period If you select this option the router periodically checks your Internet connection If you are disconnected then t...

Page 36: ...ually cable ISPs require a domain name as identification You may have to check with your ISP to see if your broadband Internet service has been configured with a domain name In most cases you can leave this field blank MTU MTU is the Maximum Transmission Unit It specifies the largest packet size permitted for Internet transmission Select Manual if you want to manually enter the largest packet size...

Page 37: ...p for DDNS Service DynDNS Sign up for DDNS service at www dyndns org and write down your User Name Password and Host Name information TZO Sign up for DDNS service at www tzo com and write down your email address password and domain name information STEP 2 Select your DDNS service provider STEP 3 Configure these fields User Name DynDNS or Email address TZO Password Host Name DynDNS or Domain name T...

Page 38: ...tting Up and Configuring the Router Setup Cisco RVS4000 Security Router with VPN Administrator Guide 38 5 Setup LAN The Setup LAN window allows you to change the router s local network settings Setup LAN ...

Page 39: ...ady have a DHCP server on your network and you want this router to act as a Relay for that DHCP Server select DHCP Relay then enter the DHCP Server IP Address If you disable DHCP assign a static IP address to the router Starting IP Address Enter a value for the DHCP server to start with when it issues IP addresses This value must be 192 168 1 2 or greater but smaller than 192 168 1 254 because the...

Page 40: ...dress in this field Prefix Length Enter the appropriate IPv6 prefix length Router Advertisement When enabled this option allows IPv6 hosts to configure their IP addresses automatically by using the IPv6 prefix broadcast by the router DHCPv6 To enable the DHCP v6 feature select Enable To disable DHCP v6 select Disable Lease time Enter the lease time in minutes DHCP6 address range start Enter the st...

Page 41: ...re that you register a MAC address This feature clones your network adapter s MAC address onto the router and prevents you from having to call your ISP to change the registered MAC address to the router s MAC address The router s MAC address is a 12 digit code assigned to a unique piece of hardware for identification Setup MAC Address Clone MAC Address Clone Select Enabled or Disabled from the dro...

Page 42: ... Gateway or all PCs on your LAN must be assigned fixed Internet IP addresses In Router mode the NAT mechanism is disabled Dynamic Routing You can use the router s dynamic routing feature to automatically adjust to physical changes in the network s layout The router can use the dynamic RIP protocol to calculate the most efficient route for the network s data packets to travel between the source and...

Page 43: ...his data to create a static route entry Select Set Number Select the set number routing table entry number that you wish to view or configure If necessary click Delete This Entry to clear the entry Destination IP Address Enter the network address of the remote LAN segment For a standard Class C IP domain the network address is the first three fields of the Destination LAN IP while the last field s...

Page 44: ...d Set the local time using Network Time Protocol NTP Automatically If you wish to use a Network Time Protocol server to set the time and date select this option and then complete these fields Time Zone Select the time zone for your location and your time setting is synchronized over the Internet Auto Daylight Saving If your location observes daylight savings time select the Enable option User defi...

Page 45: ...e IPv4 Only Select this option to use IPv4 on the Internet and local network Dual Stack IP Select this option to use IPv4 on the Internet and IPv4 and IPv6 on the local network IPv6 hosts in the LAN are connected to remote IPv6 islands over 6to4 tunnels per RFC3056 Click Save to save your settings or click Cancel to undo your changes ...

Page 46: ...er Firewall Basic Settings Firewall Basic Settings Firewall When this feature is enabled the router s NAT firewall feature is enabled DoS Protection When this feature is enabled the router blocks DoS Denial of Service attacks A DoS attack does not attempt to steal data or damage your PCs but overloads your Internet connection so you can not use it Block WAN Request When this feature is enabled the...

Page 47: ...t traffic to come in from the Internet The default is Disable SIP Application Layer Gateway When this feature is enabled the SIP Application Layer Gateway ALG allows Session Initiation Protocol SIP packets used for Voice over IP to traverse the NAT firewall You can disable this feature if the VoIP service provider uses other NAT traversal solutions such as STUN TURN and ICE Block Place a checkmark...

Page 48: ...er Allow or Deny Service The service s to which the rule applies Source Interface The source interface either WAN LAN or ANY Source The source IP address which can be one specific IP address ANY all IP addresses a range of IP addresses or a specific IP subnet Destination The destination IP address which can be one specific IP address ANY all IP addresses a range of IP addresses or a specific IP su...

Page 49: ...desired action Allow or Deny from the drop down menu Service Select the service types to which the rule applies You can either select one of the predefined services in the drop down menu select ALL to allow or deny all types of IP traffic or define a new service by clicking Service Management to bring up the Service Management window then the new service s Name select the Type TCP UDP or TCP UDP e...

Page 50: ...estination IP address select Single from the drop down menu then enter the address in the field To apply the rule to all destination IP addresses select ANY from the drop down menu To apply the rule to a range of IP addresses select Range and enter the starting and ending IP addresses To apply the rule to a subnet select Net and enter the IP address and subnet mask Days To make the rule apply on a...

Page 51: ...wall Internet Access Policy You can manage access to your network by configuring a policy Use the settings on this window to establish an access policy Select a policy from the drop down menu to display the settings for a policy You can then perform these operations Create a Policy See the instructions below Delete the current policy Click Delete ...

Page 52: ...mary window which lists all of the Internet access policies and includes this information No Policy Name Days Time and a check box to delete clear the policy To delete a policy check the box in the Delete column and then click Delete View or change the PCs covered by the current policy Click Edit List of PCs to display the List of PCs window Internet Policy Summary List of PCs ...

Page 53: ...lick Save to apply your changes STEP 5 Click the appropriate option Deny or Allow depending on whether you want to block or allow Internet access for the PCs you listed on the List of PCs popup STEP 6 Decide which Days and what Times you want this policy to be enforced Select the individual days during which the policy will be in effect or select Everyday Enter a range of hours and minutes during ...

Page 54: ...he same as the External Port number If it is different the router performs a Port Translation so that the port number used by Internet users is different from the port number used by the server or Internet application For example you could configure your Web Server to accept connections on both port 80 standard and port 8080 Then enable Port Forwarding and set the External Port to 80 and the Inter...

Page 55: ...sed by the server or Internet application Check with the software documentation of the Internet application for more information if necessary End The end of the port range Enter the end of the range of port numbers external ports used by the server or Internet application Check with the software documentation of the Internet application for more information if necessary Protocol Select the protoco...

Page 56: ...he first field enter the starting port number of the Triggered Range In the second field enter the ending port number of the Triggered Range Forwarded Range For each application list the forwarded port number range These ports are used by incoming traffic Check with the Internet application documentation for the port number s needed In the first field enter the starting port number of the Forwarde...

Page 57: ...urity Router with VPN Administrator Guide 57 5 ProtectLink ProtectLink ProtectLink Purchase ProtectLink ProtectLink Purchase The optional Cisco ProtectLink Web service provides security for your network For more information see Appendix E Cisco ProtectLink Web Service ...

Page 58: ...lays the tunnel s status Connected Hostname Resolution Failed Resolving Hostname or Waiting for Connection Phase2 Enc Auth Displays the Phase 2 Encryption type 3DES Authentication type MD5 or SHA1 and Group 768 bit 1024 bit or 1536 bit that you chose in the VPN IPSec VPN window Local Group Displays the IP address and subnet of the local group Remote Group Displays the IP address and subnet of the ...

Page 59: ... if any defined tunnels have been disabled VPN Clients Status No Displays the user number from 1 to 5 Username Displays the username of the VPN Client Status Displays the connection status of the VPN Client Start Time Displays the start time of the most recent VPN session for the specified VPN Client End Time Displays the end time of a VPN session if the VPN Client has disconnected Duration Displa...

Page 60: ...and Configuring the Router VPN Cisco RVS4000 Security Router with VPN Administrator Guide 60 5 VPN IPSec VPN Use the VPN IPSec VPN window to create and configure a Virtual Private Network VPN tunnel VPN IPSec VPN ...

Page 61: ...Name field Local Security Group Type Select the local LAN user s behind the router that can use this VPN tunnel This may be a single IP address or Sub network Notice that the Local Security Group Type must match the other router s Remote Security Group Type IP Address Enter the IP address on the local network Subnet Mask If the Local Security Group Type is set to Subnet enter the mask to determine...

Page 62: ...f manual key management is selected no key negotiation is needed Basically manual key management is used in small static environments or for troubleshooting purposes Note that both sides must use the same Key Management method Phase 1 Encryption The Encryption method determines the length of the key used to encrypt decrypt ESP packets Only 3DES is supported Notice that both sides must use the same...

Page 63: ...he remote IKE peer Both character and hexadecimal values are acceptable in this field e g My_ 123 or 0x4d795f40313233 Note that both sides must use the same Preshared Key Group The Diffie Hellman DH group to be used for key exchange Select the 768 bit Group 1 1024 bit Group 2 or 1536 bit Group 5 algorithm Group 5 provides the most security Group 1 the least Key Life Time This specifies the lifetim...

Page 64: ...x to enable NetBIOS traffic to pass through the VPN tunnel By default the RVS4000 blocks these broadcasts Click Save to save your changes or click Cancel to undo your changes VPN VPN Client Accounts Use this window to administer your VPN Client users After you enter the information at the top of the window the information for the specified users appears in the table This feature is available with ...

Page 65: ...ted indicate where to store your certificate The default file name is RVS4000_Admin pem but you can use another name The certificate for administrator contains the private key and needs to be stored in a safe place as a backup If the router s configuration is reset to the factory default this certificate can be imported and restored on the router Export for Client Click this button to export the c...

Page 66: ...s through the router To disable IPSec Passthrough select Disabled PPTP PassThrough Point to Point Tunneling Protocol PPTP allows the Point to Point Protocol PPP to be tunneled through an IP network PPTP Passthrough is enabled by default To disable it select Disabled L2TP PassThrough Layer 2 Tunneling Protocol is the method used to enable Point to Point sessions via the Internet on the Layer 2 leve...

Page 67: ...outer with VPN Administrator Guide 67 5 QoS You can use QoS Quality of Service to perform Bandwidth Management by either Rate Control or Priority You can also configure QoS Trust Mode and the DSCP settings QoS Bandwidth Management QoS Bandwidth Management Rate Control ...

Page 68: ...ervice Select the service from the drop down menu If it does not contain the service you need click Service Management to add the service IP Enter the IP address or IP range you need to control The default is zero which includes all internal IP addresses Direction Select Upstream for outbound traffic or Downstream for inbound traffic Mini Rate Enter the minimum rate for the guaranteed bandwidth Ma...

Page 69: ...Select Upstream for outbound traffic or Downstream for inbound traffic from the drop down menu Priority Select High Medium Normal or Low priority for the service The default is Medium Enable Check this box to enable this Priority Rule Add to list After a rule is set up click this button to add it to the list The list can contain a maximum of 15 entries Delete selected application Click this button...

Page 70: ...ault is Port Default CoS Port Priority If Trust Mode is set to Port select the port priority from 1 to 4 from the drop down menu where 4 is the highest priority If Trust Mode is set to CoS select the default CoS priority from 0 to 7 from the drop down menu CoS Setup Priority The CoS priority from 0 to 7 Queue Select the traffic forwarding queue 1 to 4 to which the CoS priority is mapped Queue 4 ha...

Page 71: ...tup DSCP The Differentiated Services Code Point value in the incoming packet Queue Select the traffic forwarding queue 1 to 4 to which the DSCP priority is mapped Queue 4 has the highest priority Restore Defaults Click this button to restore the default DSCP values Click Save to save your changes or click Cancel to undo your changes ...

Page 72: ...ion Management Administration Management Router Access Router Userlist Select the desired router user list Router Username Enter the user name here Router Password Enter the password Re enter to Confirm Retype the password in this field SNMP SNMP Select Enable if you wish to use SNMP To use SNMP you need SNMP software on your PC System Name Enter a suitable name to identify this device It will be ...

Page 73: ...name for SNMP Set commands Trap Community Enter the SNMP community name for SNMP Trap commands Trap To Enter the IP Address of the SNMP Manager to which traps will be sent If desired this may be left blank UPnP You can use Universal Plug and Play UPnP to set up public services on your network When the UPnP function is enabled Windows XP can add or delete entries to the underlined UPnP Forwarding T...

Page 74: ... 74 5 Administration Log Administration Log Log Setting Log Level Select the log level s that the router should record Log levels and their meanings are Log Levels Level Severity Name Description 7 LOG_DEBUG Debug level message 6 LOG_INFO Informational messages only 5 LOG_NOTICE Normal but significant condition ...

Page 75: ... the number of DoS Denial of Service attacks which need to be blocked by the built in Firewall before an email alert is sent The minimum value is 20 and the maximum value is 100 Log Queue Length The default is 50 entries The router emails the log if there are more than 50 entries Log Time Threshold The default is 10 minutes The router emails the log every 10 minutes SMTP Mail Server Enter the addr...

Page 76: ...g Enable Syslog Check the box if you want to use this feature Syslog Server Enter the IP Address in this field when Enable Syslog is checked Local Log Local Log Enable this if you want to see a log of all incoming and outgoing URLs or IP addresses View Log Click this button when you wish to view the logs A new window appears with the log data Administration Diagnostics Administration Diagnostics ...

Page 77: ...esponse is not received within the defined ping period the ping is considered to have failed Start Test Click this button to begin the test A new window appears with the test results Ping Result Displays the Ping status Traceroute Test Parameters Traceroute Target Enter the target IP address for the traceroute test Start Test Click this button to begin the test A new window appears with the test r...

Page 78: ...e Administration Backup Restore To download a copy of the current configuration and store the file on your PC click Backup to start the download Restore Configuration To restore a previously saved config file back to the router enter the file name in the field or click Browse to select the config file then click Restore to upload the config file ...

Page 79: ...ult Administration Factory Default Restore Factory Defaults Click this button to reset all configuration settings to their factory default values Any previously saved settings will be lost when the default settings are restored After clicking the button another window appears Click OK to continue Another window appears while the system reboots ...

Page 80: ...e any of its stored settings Administration Firmware Upgrade Administration Firmware Upgrade Use this page to upgrade the router by using firmware from Cisco com Step by step instructions are provided on the next page File Type in the name of the extracted firmware upgrade or click Browse to locate the file Start to Upgrade Once you have selected the appropriate file click Start to Upgrade and fol...

Page 81: ...om go software STEP 3 In the search box enter RVS4000 and then click Go STEP 4 In the Search Results click the Download Software link for your router usually the first link STEP 5 Click the Small Business Router Firmware link STEP 6 Click the link for the latest release STEP 7 Click the Download Now button STEP 8 Continue through the screens to download the most recent firmware STEP 9 Extract the ...

Page 82: ...re pattern match FTP FTP Bounce Detection and Inserting telnet opcodes into FTP command stream Detection TELNET Normalization of Telnet negotiation strings RPC RPC record fragging detection Signature Update Before upgrading the signature file get the Router Intrusion Prevention System IPS file from the Cisco website To find the file go to www cisco com go software registration login required and s...

Page 83: ...ons can be blocked Block or allowed Non Block The preconfigured file sharing networks are GNUTELLA EZPEER FASTTRACK KURO EDONKEY2000 BITTORRENT DIRECTCONNECT PIGO and WINMX Instant Messenger Instant messaging applications can be blocked Block or allowed Non Block The preconfigured instant messaging applications are MSN ICQ YAHOO_MESSENGER IRC ODIGO REDIFF GOOGLE_TALK and IM_QQ ...

Page 84: ...ort Provides a graphical representation of the level of network traffic and attacks during the last twenty four hours Attacker Displays the IP Address of attackers and the frequency number of times of the attacks Attack Category Displays the category type of attack and the frequency number of times of the attacks ...

Page 85: ...Setting Up and Configuring the Router IPS Cisco RVS4000 Security Router with VPN Administrator Guide 85 5 IPS Report ...

Page 86: ...st L2 Switch L2 Switch Create VLAN VLANs are logical subgroups of a Local Area Network LAN created via software rather than defining a hardware solution VLANs combine user stations and network devices into a single domain regardless of the physical LAN segment to which they are attached VLANs allow network traffic to flow more efficiently within subgroups VLANs managed through software reduce the ...

Page 87: ...traffic is generated The RVS4000 supports up to 4 VLANs including the default VLAN L2 Switch Create VLAN VLAN ID The VLAN ID number This can be any number from 2 to 3290 or from 3293 to 4094 VLAN ID 1 is reserved for the default VLAN which is used for untagged frames received on the interface VLAN IDs 3291 3292 are reserved and cannot be used To create a VLAN enter the ID number and click Add VLAN...

Page 88: ...tagged In Trunk mode incoming and outgoing frames can be either tagged or untagged incoming untagged frames are tagged with the default PVID Port VLAN ID In Untagged mode all incoming and outgoing frames are untagged In Tagged mode all incoming and outgoing frames must be tagged all untagged frames are dropped PVID The Port VLAN ID PVID assigned to untagged frames received on the interface The def...

Page 89: ...cters Function Port table The top half of the table indicates each port s current mode Untagged Tagged or Trunk The lower half of the table is used to assign port membership for the selected VLAN The default for each port is Exclude the port is not a member of the VLAN To make a port a member of the VLAN select the applicable mode s For example if the port mode is Untagged select Untagged if the m...

Page 90: ...uthenticating and encrypting all RADIUS communications between the device and the RADIUS server This key must match the RADIUS server encryption key If no host specific value is specified the global value applies to each host Administration State Specifies the port authorization state The possible field values are Auto The controlled port state is set by the Authentication method Force Authorized ...

Page 91: ...taneously Half Duplex indicates that the interface supports transmission between the device and the client in only one direction at a time Mode Select the port duplex mode and speed from the drop down menu You can also select Auto Negotiation which is a protocol between two link partners that enables a port to advertise its transmission rate duplex mode and flow control abilities to its partner Fl...

Page 92: ...es transmitted from the selected port Tx Frames Displays the number of Frames transmitted from the selected port Rx Bytes Displays the number of Bytes received on the selected port Rx Frames Displays the number of Frames received on the selected port Tx Errors Displays the number of error packets transmitted from the selected port Rx Errors Displays the number of error packets received from the se...

Page 93: ...h Port Mirroring Mirror Source Use this to enable or disable source port mirroring for each port on the router To enable source port mirroring on a port check the box next to that port To disable source port mirroring on a port leave the box unchecked The default is disabled Mirror Port Select the mirror destination port from the drop down menu ...

Page 94: ...rity the more likely the router is to become the root in the Spanning Tree The default is 32768 Hello Time Enter a number from 1 to 10 The default is 2 Max Age Enter a number from 6 to 40 The default is 20 Forward Delay Enter a number from 4 to 30 The default is 15 Force Version The default protocol version to use Select Normal use RSTP or Compatible compatible with old STP The default is Normal P...

Page 95: ...ay Status Gateway Firmware Version Displays the Gateway s current firmware MAC Address Displays the Gateway MAC Address as seen by your ISP Current Time Displays the time based on the time zone you selected on the Setup menu Internet Connection Connection Type Displays the type of the connection Interface Displays the Gateway Internet Interface IP Address Displays the Gateway Internet IP Address S...

Page 96: ...rack The IP Conntrack Connection Tracking window displays information about TCP UDP connections such as source and destination IP address and port number pairs known as socket pairs protocol types TCP UDP ICMP connection state and timeouts To see more information click Next Page or Previous Page or select the page from the Go to Page drop down menu To see the latest information click Refresh Click...

Page 97: ...he range of IP addresses used by the DHCP Server End IP Address The final address in the range of IP addresses used by the DHCP Server DHCP Client Table Click this button to open a window that displays the PCs that use the router as a DHCP server The DHCP Client Table window displays all DHCP clients PCs and other network devices with this information Client Names Interfaces IP Addresses MAC Addre...

Page 98: ...PN Setup Wizard The VPN Setup Wizard works with users running Microsoft Windows 2000 XP and Vista This document describes how to run the VPN Setup Wizard Before You Begin The VPN Setup Wizard works with these routers Cisco RVS4000 4 Port Gigabit Security Router with VPN Cisco WRVS4400N v1 1 Wireless N 4 Port Gigabit Security Router with VPN Cisco WRVS4400N v2 Wireless N 4 Port Gigabit Security Rou...

Page 99: ...not zero STEP 5 Ensure that the LAN IP addresses of routers with VPN are in different subnets in order for the VPN connection to work NOTE The VPN Setup Wizard assumes that no firewall NAT device sits in front of the VPN router Running the VPN Setup Wizard STEP 1 Access the VPN Setup Wizard in one of two ways If you have an RVS4000 WRVS4400N v1 1 or WRVS4400N v2 Installation CD ROM insert it into ...

Page 100: ...Using the VPN Setup Wizard Running the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 100 6 Welcome Window ...

Page 101: ...e VPN Setup Wizard Running the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 101 6 STEP 4 Read the information about the wizard and then click Next to proceed Informational Window ...

Page 102: ... your PC is local to one of the two routers choose Build VPN connection from Local LAN port of one router click Next and continue with these instructions If your PC is remote to the routers choose Build VPN connection from Internet remotely and see the Building Your VPN Connection Remotely on page109 for instructions on this type of installation Build VPN Connection Remotely ...

Page 103: ...Enter the user name of the Router 2 Router 2 Password Enter the password of the Router 2 Tunnel Name Enter a name for this tunnel Pre shared Key IKE uses the Pre shared Key field to authenticate the remote IKE peer Both character and hexadecimal values are acceptable in this field e g My_ 123 or 0x4d795f40313233 Note that both sides must use the same Pre shared Key Router 2 WAN IP address Enter th...

Page 104: ...Using the VPN Setup Wizard Running the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 104 6 The router configuration is checked Check Router Configuration ...

Page 105: ...VS4000 Security Router with VPN Administrator Guide 105 6 STEP 7 When the Summary window appears use the Click button to view the VPNC Summary window Summary Window STEP 8 Review the settings as needed Click Close when you are ready to continue VPNC Summary Window ...

Page 106: ...rity Router with VPN Administrator Guide 106 6 STEP 9 In the Summary window if all your entries appear correct click Go Otherwise click Back to go back and make any corrections Configure the Router STEP 10 Click Testing to make sure the connection is successfully established ...

Page 107: ...Using the VPN Setup Wizard Running the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 107 6 Test the Connection STEP 11 When testing is done click Exit to end the Wizard ...

Page 108: ...nning the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 108 6 Exit the Wizard Congratulations Setup is now complete You may now log into the Web Administrator Interface and see the results Test Results ...

Page 109: ...onnection Remotely This procedure continues from Step 5 on page 102 Use this procedure to build your VPN connection from a remote PC STEP 1 Choose Build VPN connection from Internet remotely Click Next to continue Build VPN Connection Remotely STEP 2 Enter the required data in the Configure VPN Tunnel window and then click Next to continue ...

Page 110: ...IKE uses the Pre shared Key field to authenticate the remote IKE peer Both character and hexadecimal values are acceptable in this field e g My_ 123 or 0x4d795f40313233 Note that both sides must use the same Pre shared Key Router 1 WAN IP address Enter the WAN IP address of the Router 1 Router 1 IP by DNS Resolved Enter the DDNS Domain Name of Router 1 if it does not have a static IP address for i...

Page 111: ...he VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 111 6 STEP 3 The router configuration is checked Check Router Configuration STEP 4 The Summary window appears Use the Click box to view the VPNC Summary window ...

Page 112: ...de 112 6 Summary Window STEP 5 The VPNC Summary window appears showing the settings that were made to industry standards Click Close when you are ready to continue VPNC Summary Window STEP 6 In the Summary window if all your entries appear correct click Go Otherwise click Back to go back and make any corrections ...

Page 113: ...e VPN Setup Wizard Running the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 113 6 Configure the Router STEP 7 Click Testing to make sure the connection is successfully established ...

Page 114: ...Using the VPN Setup Wizard Running the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 114 6 Test the Connection STEP 8 When testing is done click Exit to end the Wizard ...

Page 115: ...rd Running the VPN Setup Wizard Cisco RVS4000 Security Router with VPN Administrator Guide 115 6 Congratulations Setup is now complete You may now log into the Web Administrator Interface and see the results View Test Results ...

Page 116: ... message You can assign a static IP address to a PC by performing these steps Windows 2000 STEP 1 Click Start Settings and Control Panel Double click Network and Dial Up Connections STEP 2 Right click the Local Area Connection that is associated with the Ethernet adapter you are using and click Properties STEP 3 In the Components checked are used by this connection box select Internet Protocol TCP...

Page 117: ...ox select Internet Protocol TCP IP Click Properties STEP 5 Select Use the following IP address and enter a unique IP address that is not used by any other computer on the network connected to the router You can only use an IP address in the ranges 192 168 1 2 to 192 168 1 99 and 192 168 1 151 to 192 168 1 254 STEP 6 Enter the Subnet Mask 255 255 255 0 STEP 7 Enter the Default Gateway 192 168 1 1 R...

Page 118: ...dow e Restart the computer if asked Windows XP These instructions are for the default interface of Windows XP If you are using the Classic interface the icons and menus look like previous Windows versions please follow the instructions for Windows 2000 a Click Start and Control Panel b Click the Network and Internet Connections icon and then the Network Connections icon c Right click the Local Are...

Page 119: ...is connected to the Internet If you cannot open a web page try the ping command from a different computer to verify that your original computer is not the cause of the problem If you do NOT get a reply there may be a problem with the connection Try the ping command from a different computer to verify that your original computer is not the cause of the problem I am not getting an IP address on the ...

Page 120: ...ual Private Network VPN to work through the router Access the router s web interface by going to http 192 168 1 1 or the IP address of the router and go to VPN VPN Pass Through Make sure you have IPSec passthrough and or PPTP passthrough enabled VPNs that use IPSec with the ESP Encapsulation Security Payload known as protocol 50 authentication will work fine At least one IPSec session will work th...

Page 121: ...3 incoming are used for the mail server You can get more information by viewing the documentation provided with the server you installed Follow these steps to set up port forwarding through the router s configuration utility We need to set up web ftp and mail servers STEP 1 Access the router s configuration utility by going to http 192 168 1 1 or the IP address of the router Go to Firewall Single ...

Page 122: ...online game or application you want to use Follow these steps to set up online game hosting or use a certain Internet application STEP 1 Access the router s configuration utility by going to http 192 168 1 1 or the IP address of the router Go to Firewall Single Port Forwarding STEP 2 Select the Service from the Application column STEP 3 Enter the IP Address of the server that you want the Internet...

Page 123: ...router s configuration utility by going to http 192 168 1 1 or the IP address of the router Go to the Firewall Single Port Forwarding STEP 2 Disable the entries you have entered for forwarding STEP 3 Go to Setup DMZ STEP 4 Enter the Ethernet adapter s IP address of the computer you want exposed to the Internet This will bypass the NAT security for that computer STEP 5 Select Enable to enable DMZ H...

Page 124: ...to the documentation for your web browser To start over I need to set the router to factory default Hold the Reset button for up to 30 seconds and then release it This will return the password forwarding and other settings on the router to the factory default settings In other words the router will revert to its original factory configuration I need to upgrade the firmware Follow the instructions ...

Page 125: ... on your desktop Alternatively run the utility by clicking Start All Programs Cisco Small Business RVS4000 STEP 12 Follow the on screen instructions to perform the upgrade My DSL service s PPPoE is always disconnecting PPPoE is not actually a dedicated or always on connection The DSL ISP can disconnect the service after a period of inactivity just like a normal phone dial up connection to the Inte...

Page 126: ... Click Save to continue STEP 6 If your difficulties continue change the Size to different values Try this list of values one value at a time in this order until your problem is solved 1462 1400 1362 1300 I need to use port triggering Port triggering looks at the outgoing port services used and will trigger the router to open a specific port depending on which port an Internet application uses Foll...

Page 127: ...er is configured correctly check your Internet connection DSL cable modem etc to see if it works correctly You can remove the router to verify a direct connection Manually configure the TCP IP with a DNS address provided by your ISP Make sure that your browser is set to connect directly and that any dial up is disabled For Internet Explorer click Tools Internet Options and then the Connection tab ...

Page 128: ... to Gateway IPSec VPN tunnel However the administrator needs to enable this feature in the Advanced section of the VPN IPSec VPN window Frequently Asked Questions What is the maximum number of IP addresses that the router will support The router will support up to 253 IP addresses Is IPSec Passthrough supported by the router Yes enable or disable IPSec Passthrough on the VPN VPN Pass Through windo...

Page 129: ...nt Server but others on the LAN cannot join What do I need to do If you are running a dedicated Unreal Tournament server you need to create a static IP for each of the LAN computers and forward ports 7777 7778 7779 7780 7781 and 27900 to the IP address of the server You can also use a port forwarding range of 7777 to 27900 If you want to use the UT Server Admin forward another port 8080 usually wo...

Page 130: ...r and then click Properties STEP 5 Click the Advanced tab STEP 6 In the Property list click Link Speed Duplex In the Value list choose 10 Mbps Half Duplex STEP 7 Also make sure that your proxy setting is disabled in the browser For Internet Explorer click Tools Internet Options and then click the Connection tab Make sure that Internet Explorer is set to Never dial a connection For Netscape Navigat...

Page 131: ...r documentation Make sure that your browser is set to connect directly and that any dial up is disabled For Internet Explorer click Tools Internet Options and then click the Connection tab Make sure that Internet Explorer is set to Never dial a connection For Netscape Navigator click Edit Preferences Advanced Proxy Make sure that Netscape Navigator is set to Direct connection to the Internet What ...

Page 132: ...ust work in conjunction with a cable or DSL modem Which modems are compatible with the router The router is compatible with virtually any cable or DSL modem that supports Ethernet How can I check whether I have static or DHCP IP addresses Ask your ISP to find out How do I get mIRC to work with the router From the Firewall SIngle Port Forwarding menu set port forwarding to 113 for the PC on which y...

Page 133: ...dows 7 version 1 4 0 5 or later is required This appendix includes these sections Before You Begin page 133 Installing the Cisco QuickVPN Software page 135 Using the Cisco QuickVPN Software page 137 Distributing Certificates to QuickVPN Users page140 Before You Begin The QuickVPN program only works with a Cisco 4 Port Gigabit Security Router with VPN that is properly configured to accept a QuickVP...

Page 134: ...or Windows 2000 XP or Vista Before You Begin Cisco RVS4000 Security Router with VPN Administrator Guide 134 B STEP 4 Click Add Save STEP 5 Check the Active box for VPN Client No 1 STEP 6 Click Save VPN Client Accounts Window ...

Page 135: ...methods Installing from the CD ROM page 135 Downloading and Installing from the Internet page 137 Installing from the CD ROM STEP 1 Insert the RVS4000 CD ROM into your CD ROM drive Go to the Start menu and then click Run In the field provided enter D VPN_Client exe if D is the letter of your CD ROM drive STEP 2 The License Agreement window appears Click Yes to accept the agreement and the appropri...

Page 136: ... Installing the Cisco QuickVPN Software Cisco RVS4000 Security Router with VPN Administrator Guide 136 B Copying Files Finished Installing Files STEP 3 Click Finished to complete the installation Proceed to Using the Cisco QuickVPN Software on page137 ...

Page 137: ... Save the zip file to your PC and extract the exe file STEP 6 Double click the exe file and follow the on screen instructions Proceed to the next section Using the Cisco QuickVPN Software on page137 Using the Cisco QuickVPN Software NOTE If you wish to pre install user certificates on the client machines see Distributing Certificates to QuickVPN Users page 140 Pre installing a certificate on the u...

Page 138: ...ofile click Save If there are multiple sites to which you will need to create a tunnel you can create multiple profiles but note that only one tunnel can be active at a time To delete this profile click Delete For information click Help STEP 4 To begin your QuickVPN connection click Connect The connection s progress is displayed Connecting Provisioning Activating Policy and Verifying Network If a ...

Page 139: ...nge Password For information click Help STEP 6 If you clicked Change Password and have permission to change your own password you will see the Connect Virtual Private Connection window Enter your password in the Old Password field Enter your new password in the New Password field Then enter the new password again in the Confirm New Password field Click OK to save your new password Click Cancel to ...

Page 140: ...ministrator Distributing Certificates to QuickVPN Users Follow this procedure to export a certificate from the RVS4000 for distribution to QuickVPN users and to install the certificate on the QuickVPN users PCs STEP 1 Generate the certificate as follows a Log on to the configuration utility b Select VPN VPN Client Accounts c Click Generate to generate a new certificate d Click Export for Client an...

Page 141: ...ate as follows a Save the certificate into the directory where the QuickVPN Client is installed For example C Program Files Cisco QuickVPN Client b Launch the QuickVPN Client and specify the User Name Password and Server Address IP address or domain name c Click Connect For more information on certificate management go to section VPN VPN Client Accounts on page 64 in Chapter 5 Setting Up and Confi...

Page 142: ... Windows 2000 or XP computer You can find detailed information on configuring the Windows 2000 server at the Microsoft website Microsoft KB Q252735 How to Configure IPSec Tunneling in Windows 2000 http support microsoft com support kb articles Q252 7 35 asp Microsoft KB Q257225 Basic IPSec Troubleshooting in Windows 2000 http support microsoft com support kb articles Q257 2 25 asp NOTE Keep a reco...

Page 143: ...only an example Subnet Mask 255 255 255 0 RVS4000 WAN IP Address 140 111 1 1 User ISP provides IP Address this is only an example Subnet Mask 255 255 255 0 LAN IP Address 192 168 1 1 Subnet Mask 255 255 255 0 How to Establish a Secure IPSec Tunnel Establishing a secure IPSec tunnel requires these five steps that are described in this procedure Step 1 Create an IPSec Policy Step 2 Build Filter List...

Page 144: ... appears Local Security Settings b Right click IP Security Policies on Local Computer Windows XP or IP Security Policies on Local Machine Windows 2000 and click Create IP Security Policy c Click the Next button and then enter a name for your policy for example to_Router Then click Next d Uncheck the Activate the default response rule box and then click Next e Click Finish making sure the Edit box ...

Page 145: ...co RVS4000 Security Router with VPN Administrator Guide 145 C Filter List 1 win router a In the new policy s properties window verify that the Rules tab is selected Uncheck the Use Add Wizard box and click Add to create a new rule Rules Tab b Make sure the IP Filter List tab is selected Click Add ...

Page 146: ...ecure IPSec Tunnel Cisco RVS4000 Security Router with VPN Administrator Guide 146 C IP Filter List Tab c The IP Filter List window should appear Enter an appropriate name such as win Router for the filter list and uncheck the Use Add Wizard box Then click Add IP Filter List ...

Page 147: ...In the Source address field select My IP Address In the Destination address field select A specific IP Subnet and enter the IP Address 192 168 1 0 and Subnet mask 255 255 255 0 These are the router s default settings If you have changed these settings enter your new values e If you want to enter a description for your filter click the Description tab and enter the description there f Click OK Then...

Page 148: ...148 C Filter List 2 router win g The New Rule Properties window will appear Select the IP Filter List tab and make sure that win Router is highlighted Then click Add New Rules Properties h The IP Filter List window should appear Enter an appropriate name such as Router win for the filter list and uncheck the Use Add Wizard box Click Add IP Filter List ...

Page 149: ... the Addressing tab In the Source address field select A specific IP Subnet and enter the IP Address 192 168 1 0 and Subnet mask 255 255 255 0 Enter your new values if you have changed the default settings In the Destination address field select My IP Address Filters Properties j If you want to enter a description for your filter click the Description tab and enter the description there k Click OK...

Page 150: ... Router with VPN Administrator Guide 150 C The New Rule Properties window appears with the IP Filter List tab selected The window will contain listings for Router win and win Router New Rule Properties l Click OK Windows XP or Close Windows 2000 in the IP Filter List window STEP 3 Configure individual tunnel rules ...

Page 151: ... IPSec Tunnel Cisco RVS4000 Security Router with VPN Administrator Guide 151 C Tunnel 1 win Router a On the IP Filter List tab select filter list win Router IP Filter List Tab b Click the Filter Action tab and click the filter action Require Security radio button Then click Edit ...

Page 152: ... RVS4000 Security Router with VPN Administrator Guide 152 C Filter Action Tab c On the Security Methods tab verify that the Negotiate security option is enabled and uncheck the Accept unsecured communication but always respond using IPSec box Select Session key Perfect Forward Secrecy and click OK ...

Page 153: ...ec with a Windows 2000 or XP Computer How to Establish a Secure IPSec Tunnel Cisco RVS4000 Security Router with VPN Administrator Guide 153 C Security Methods Tab d Select the Authentication Methods tab and click Edit ...

Page 154: ...re IPSec Tunnel Cisco RVS4000 Security Router with VPN Administrator Guide 154 C Authentication Methods Tab e Change the authentication method to Use this string to protect the key exchange preshared key and enter the preshared key string such as XYZ12345 Click OK Preshared Key ...

Page 155: ...ator Guide 155 C f This new Preshared key will be displayed Click the Apply button to continue if it appears on your screen otherwise proceed to the next step New Preshared Key g Select the Tunnel Setting tab and click The tunnel endpoint is specified by this IP Address radio button Then enter the router s WAN IP Address Tunnel Setting Tab ...

Page 156: ...strator Guide 156 C h Select the Connection Type tab and click All network connections Then click the OK or Close button to finish this rule Connection Type Tab Tunnel 2 Router win i In the new policy s Properties window make sure that win Router is selected and uncheck the Use Add Wizard box Then click Add to create the second IP filter ...

Page 157: ...or Guide 157 C Properties Window j Go to the IP Filter List tab and click the filter list Router win IP Filter List Tab k Click the Filter Action tab and select the filter action Require Security Then click Edit On the Security Methods tab verify that the Negotiate security option is enabled and uncheck the Accept unsecured communication but ...

Page 158: ...000 Security Router with VPN Administrator Guide 158 C always respond using IPSec box Select Session key Perfect Forward Secrecy and click OK Filter Action Tab l Click the Authentication Methods tab and verify that the authentication method Kerberos is selected Then click Edit Authentication Methods Tab ...

Page 159: ...ation method to Use this string to protect the key exchange preshared key and enter the preshared key string such as XYZ12345 This is a sample key string Yours should be a key that is unique but easy to remember Then click OK Preshared Key n This new Preshared key will be displayed Click the Apply button to continue if it appears on your screen otherwise proceed to the next step ...

Page 160: ...ure IPSec Tunnel Cisco RVS4000 Security Router with VPN Administrator Guide 160 C New Preshared Key o Click the Tunnel Setting tab Click the radio button The tunnel endpoint is specified by this IP Address and enter the Windows 2000 XP computer s IP Address Tunnel Setting Tab ...

Page 161: ...nel Cisco RVS4000 Security Router with VPN Administrator Guide 161 C p Click the Connection Type tab and select All network connections Then click OK or Close to finish Connection Type Tab q On the Rules tab click the OK or Close button to return to the window showing the security policies ...

Page 162: ...PSec Tunnel Cisco RVS4000 Security Router with VPN Administrator Guide 162 C Rules Tab STEP 4 Assign new IPSec policy In the IP Security Policies on Local Machine window right click the policy named to_Router and click Assign A green arrow appears in the folder icon Local Computer ...

Page 163: ...rity Router with VPN Administrator Guide 163 C STEP 5 Create a tunnel through the configuration utility a Open your web browser and enter 192 168 1 1 in the Address field Press Enter b When the User name and Password fields appear enter the default user name and password admin Press Enter c Click VPN IPSec VPN ...

Page 164: ... with VPN Administrator Guide 164 C VPN IPSec VPN d Select the tunnel you wish to create in the Select Tunnel Entry drop down box Then click Enable Enter the name of the tunnel in the Tunnel Name field This is to allow you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel ...

Page 165: ...h you wish to communicate in the Remote Group Setup fields g Select from two types of authentication MD5 and SHA1 SHA1 is recommended because it is more secure As with encryption either of these may be selected provided that the VPN device at the other end of the tunnel is using the same type of authentication Or both ends of the tunnel may choose to Disable authentication h From the Keying Mode l...

Page 166: ... page167 Configuration when the Remote Gateway Uses a Dynamic IP Address page172 Configuration When Both Gateways Use Dynamic IP Addresses page177 Before You Begin You need this equipment Two Windows desktop computers each computer will be connected to a VPN router Two VPN routers 4 Port Gigabit Security Router with VPN model number RVS4000 and 10 100 8 Port VPN Router model number RV082 that are ...

Page 167: ...Gateway IPSec VPN Tunnel Remote Gateway Using Static IP NOTE Each computer must have a network adapter installed STEP 1 Configuration of the RVS4000 Follow these instructions for the first VPN router designated RVS4000 The other VPN router is designated the RV082 a Launch the web browser for a networked computer designated PC 1 b Access the configuration utility of the RVS4000 Refer to Chapter 5 S...

Page 168: ...t Mask fields RVS4000 IPSec VPN Settings g For the Remote Security Gateway Type select IP address Enter the RV082 s WAN IP address in the IP Address field h For the Remote Security Group Type select Subnet Enter the RV082 s local network settings in the IP Address and Subnet Mask fields i In the IPSec Setup section select the appropriate encryption authentication and other key management settings ...

Page 169: ...e RV082 Follow similar instructions for the RV082 a Launch the web browser for a networked computer designated PC 2 b Access the configuration utility of the RV082 Refer to the of the RV082 for details c Click the IPSec VPN tab d Click the Gateway to Gateway tab e Enter a name in the Tunnel Name field f For the VPN Tunnel setting select Enable g The WAN IP address B B B B of the RV082 will be auto...

Page 170: ...ss Enter the RVS4000 s WAN IP address in the IP Address field i For the Remote Security Group Type select Subnet Enter the RVS4000 s local network settings in the IP Address and Subnet Mask fields j In the IPSec Setup section select the appropriate encryption authentication and other key management settings These should match the settings of the RVS4000 k In the Preshared Key field enter a string ...

Page 171: ...ator Guide 171 D RV082 IPSec Setup Settings 1 If you need more detailed settings click Advanced Settings Otherwise click Save STEP 3 Configuration of PC 1 and PC 2 Verify that PC 1 and PC 2 can ping each other refer to Windows Help for more information If the computers can ping each other then you know the VPN tunnel is configured correctly ...

Page 172: ...Gateway IPSec VPN Tunnel Remote Gateway Using Dynamic IP NOTE Each computer must have a network adapter installed STEP 1 Configuration of the RVS4000 Follow these instructions for the first VPN router designated RVS4000 The other VPN router is designated the RV082 a Launch the web browser for a networked computer designated PC 1 b Access the configuration utility of the RVS4000 Refer to Chapter 5 ...

Page 173: ... Mask fields RVS4000 IPSec VPN Settings g For the Remote Security Gateway Type select IP by DNS Resolved Enter the RV082 s domain name in the field provided h For the Remote Security Group Type select Subnet Enter the RV082 s local network settings in the IP Address and Subnet Mask fields i In the IPSec Setup section select the appropriate encryption authentication and other key management setting...

Page 174: ... the RV082 Follow similar instructions for the RV082 a Launch the web browser for a networked computer designated PC 2 b Access the configuration utility of the RV082 Refer to the of the RV082 for details c Click the IPSec VPN tab d Click the Gateway to Gateway tab e Enter a name in the Tunnel Name field f For the VPN Tunnel setting select Enable g The WAN IP address B B B B of the RV082 will be a...

Page 175: ...ss Enter the RVS4000 s WAN IP address in the IP Address field i For the Remote Security Group Type select Subnet Enter the RVS4000 s local network settings in the IP Address and Subnet Mask fields j In the IPSec Setup section select the appropriate encryption authentication and other key management settings These should match the settings of the RVS4000 k In the Preshared Key field enter a string ...

Page 176: ...rator Guide 176 D RV082 IPSec Setup Settings l If you need more detailed settings click Advanced Settings Otherwise click Save STEP 3 Configuration of PC 1 and PC 2 Verify that PC 1 and PC 2 can ping each other refer to Windows Help for more information If the computers can ping each other then you know the VPN tunnel is configured correctly ...

Page 177: ...way IPSec VPN Tunnel Both Gateways Using Dynamic IP NOTE Each computer must have a network adapter installed STEP 1 Configuration of the RVS4000 Follow these instructions for the first VPN router designated RVS4000 The other VPN router is designated the RV082 a Launch the web browser for a networked computer designated PC 1 b Access the configuration utility of the RVS4000 Refer to Chapter 5 Setti...

Page 178: ...sk fields RVS4000 IPSec VPN Settings g For the Remote Security Gateway Type select IP by DNS Resolved Enter the RV082 s domain name in the field provided h For the Remote Security Group Type select Subnet Enter the RV082 s local network settings in the IP Address and Subnet Mask fields i In the IPSec Setup section select the appropriate encryption authentication and other key management settings j...

Page 179: ...e RV082 Follow similar instructions for the RV082 a Launch the web browser for a networked computer designated PC 2 b Access the configuration utility of the RV082 Refer to the of the RV082 for details c Click the IPSec VPN tab d Click the Gateway to Gateway tab e Enter a name in the Tunnel Name field f For the VPN Tunnel setting select Enable g The WAN IP address B B B B of the RV082 will be auto...

Page 180: ...solved Enter the RVS4000 s domain name in the field provided i For the Remote Security Group Type select Subnet Enter the RVS4000 s local network settings in the IP Address and Subnet Mask fields j In the IPSec Setup section select the appropriate encryption authentication and other key management settings These should match the settings of the RVS4000 k In the Preshared Key field enter a string f...

Page 181: ...or Guide 181 D RV082 IPSec Setup Settings l If you need more detailed settings click Advanced Settings Otherwise click Save STEP 3 Configuration of PC 1 and PC 2 Verify that PC 1 and PC 2 can ping each other refer to Windows Help for more information If the computers can ping each other then you know the VPN tunnel is configured correctly ...

Page 182: ... to Use the Service page185 How to Access the Configuration Utility STEP 1 For local access of the router s configuration utility launch your web browser and enter the router s default IP address 192 168 1 1 in the Address field Press the Enter key NOTE If the Remote Management feature on the Firewall General window has been enabled then users with administrative privileges can remotely access the...

Page 183: ... or Activate the Service You can purchase register or activate the service using the ProtectLink window ProtectLink Click the ProtectLink menu to display the ProtectLink window This window appears if ProtectLink has not yet been activated NOTE If the ProtectLink menu is not displayed upgrade the router s firmware For the firmware download link see Appendix G Where to Go From Here ...

Page 184: ... for the ProtectLink Web service on Cisco com I have purchased ProtectLink Web and want to register it If you already have a license click this link You will be redirected to the Cisco ProtectLink Web website Then follow the on screen instructions I have my Activation Code AC and want to activate ProtectLink Web If you have registered click this link A wizard begins Follow the on screen instructio...

Page 185: ... the menu ProtectLink Active How to Use the Service Configure the service to protect your network NOTE You need to purchase a ProtectLink Web license to use Web Protection If you do not have a license you will be prompted to purchase a license when you click ProtectLink Web Protection ProtectLink Web Protection The Web Protection features are provided by the router Configure the website filtering ...

Page 186: ...Cisco ProtectLink Web Service How to Use the Service Cisco RVS4000 Security Router with VPN Administrator Guide 186 E ProtectLink Web Protection ...

Page 187: ...ness hours select this option Instances Blocked The number of attempted visits is displayed Business Hour Setting Business Days Select the appropriate days The default days are Mon through Fri Business Times To specify entire days keep the default All day 24 hours To specify hours select Specify business hours For morning hours select Morning and then select the appropriate From and To times For a...

Page 188: ...clients select this option IP addresses range Enter the appropriate IP addresses or ranges Separate multiple URLs with semicolons For a range of IP addresses use a hyphen Example 10 1 1 0 10 1 1 10 Add To add the IP addresses or ranges click Add Approved Clients list The IP addresses or range of trusted clients are displayed To delete an IP address or range click its trash can icon URL Overflow Co...

Page 189: ...eats or view license information online ProtectLink License License Update Information To refresh the license information displayed on screen click Update Information License Information View detailed license online To view license information online click this link Status The status of your license Activated or Expired is displayed Platform The platform type Gateway Service is automatically displ...

Page 190: ...ance Setup Config Model RVS4000 Standards IEEE802 3 802 3u 802 1X RFC791 IP Protocol RFC2460 IPv4 RFC791 IPv6 RFC2460 RIPv1 RFC1058 RIPv2 RFC1723 Ports Ethernet Power Buttons Reset Cabling Type UTP CAT 5e or better LEDs POWER DIAG IPS ETHERNET 1 4 INTERNET Operating System Linux NAT Throughput 800 Mbps when IPS is disabled Web User Interface Built in web UI for easy browser based configuration HTT...

Page 191: ...t Filtering Static URL blocking or keyword blocking included Dynamic Filtering through Cisco ProtectLink Web Security Service optional IPS Intrusion Prevention System IP Sweep Detection Application Anomaly Detection HTTP FTP Telnet RCP P2P Control Instant Messenger Control L3 L4 Protocol IP TCP UDP ICMP Normalization L7 Signature Matching Secure Management HTTPS Username Password 802 1X Port based...

Page 192: ...Dual Stack IPv4 and IPv6 6to4 Stateless Address Auto Static DHCP DHCP Server supports static IP address based on MAC address 5 QuickVPN Tunnels for remote client access 5 IPSec Gateway to Gateway Tunnels for branch office connectivity 3DES Encryption MD5 SHA1 Authentication IPSec NAT T VPN Passthrough of PPTP L2TP and IPSec Static and RIP v1 v2 Inter VLAN Routing VLAN Port based and 802 1Q Tag bas...

Page 193: ... selected LAN port RSTP Supports Rapid Spanning Tree Protocol for loop detection and faster reconfiguration Dimensions 6 69 in x 1 61 in x 6 69 in W x H x D 170 mm x 41 mm x 170 mm Unit Weight 0 84 lb 0 38 kg Power 12V 1A Certification FCC Class B CE ICES 003 Operating Temp 32 to 104ºF 0 to 40ºC Storage Temp 4 to 158ºF 20 to 70ºC Operating Humidity 10 to 85 Noncondensing Storage Humidity 5 to 90 N...

Page 194: ... Support Community www cisco com go smallbizsupport Online Technical Support and Documentation www cisco com smallbizhelp Phone Support Contacts www cisco com go sbsc Cisco Small Business Firmware Downloads www cisco com go software Product Documentation Cisco Small Business Routers Resources www cisco com go smallbizrouters Cisco Small Business Cisco Partner Central for Small Business Partner Log...

Page 195: ...ion For hardware setup for the Cisco RVS4000 router see the Cisco Small Business Model RVS4000 4 Port Gigabit Security Router with VPN Quick Start Guide For compliance and safety information see the Regulatory Compliance and Safety Information for the Cisco Wired and Wireless Routers and Access Point Devices EMC Class B Devices ...

Reviews:

No comments