Networking
Configuring the Optional WAN

Cisco SA 500 Series Security Appliances Administration Guide, page 67, chapter 3

When the security appliance is configured in Load Balancing mode, it checks the connection of both links at regular intervals to detect their status.

NOTE: You can click the Protocol Bindings link to view, add, or edit the protocol bindings, but save your settings on this page first.

Use only single WAN port: Choose this option if you are connected to only one ISP. Also select the WAN port that is connected to your ISP: Dedicated WAN or Optional WAN. This option may be useful for debugging connection issues.

STEP 3 If you chose Auto-Rollover or Load Balancing for the Port Mode, configure the WAN Failure Detection Method:

None: Choose this option to have no check for detecting WAN failure. This option is valid only if the port mode is set to Load Balancing.

DNS lookup using WAN DNS Servers: Choose this option to detect a failure of a WAN link by using the DNS servers that are configured for the Dedicated WAN or Optional Port WAN.

DNS lookup using these DNS Servers: Choose this option to detect a failure of a WAN link by using the DNS servers that you specify in the fields below.

- Dedicated WAN: Enter the IP address of the DNS server for the Dedicated WAN.

- Optional WAN: Enter the IP address of the DNS server for the WAN interface on the Optional port.

Ping these IP addresses: Choose this option to detect WAN failure by pinging the IP addresses that you specify in the fields below.

- Dedicated WAN: Enter a valid IP address to ping from the Dedicated WAN.

- Optional WAN: Enter a valid IP address to ping from the WAN interface on the Optional port.
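The following Python model is an added example, not code from the guide or from Cisco. It reproduces the decisions this page exposes: a Port Mode (Auto-Rollover or Load Balancing), and for each link a WAN Failure Detection Method (None, DNS lookup, or Ping) with its targets, run at regular intervals. The probe is injected so the model runs offline on a constructed table of probe results; the three-round failure threshold, the rule that a round succeeds if any target answers, and the method names "none"/"dns"/"ping" are assumptions, not documented appliance behaviour. It also shows the consequence of choosing None, which the page only permits in Load Balancing mode: a link that is never probed is never taken out of service.

```python
"""Model of dual-WAN failure detection and rollover (added example, not Cisco's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A probe takes one target (a DNS server or a ping address) and reports success.
Probe = Callable[[str], bool]

AUTO_ROLLOVER = "auto_rollover"
LOAD_BALANCING = "load_balancing"


@dataclass
class WanLink:
    name: str                   # "Dedicated WAN" or "Optional WAN"
    method: str                 # "none", "dns" or "ping" (assumed internal names)
    targets: List[str] = field(default_factory=list)
    fail_threshold: int = 3     # assumption: failed rounds in a row before the link is marked down
    consecutive_failures: int = 0
    up: bool = True

    def check(self, probe: Probe) -> bool:
        """Run one detection round and return the link's resulting status."""
        if self.method == "none":
            return self.up      # no check at all: the link is always assumed to be up
        ok = any(probe(t) for t in self.targets)    # assumption: any answering target counts
        if ok:
            self.consecutive_failures = 0
            self.up = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.fail_threshold:
                self.up = False
        return self.up


def validate(mode: str, links: List[WanLink]) -> None:
    """Enforce the constraints the page states for the detection methods."""
    for link in links:
        if link.method not in ("none", "dns", "ping"):
            raise ValueError(f"{link.name}: unknown method {link.method!r}")
        if link.method == "none" and mode != LOAD_BALANCING:
            raise ValueError(f"{link.name}: 'None' is valid only in Load Balancing mode")
        if link.method != "none" and not link.targets:
            raise ValueError(f"{link.name}: method {link.method!r} needs at least one target")


def active_links(mode: str, dedicated: WanLink, optional: WanLink) -> List[str]:
    """Which links carry traffic after a detection round."""
    if mode == LOAD_BALANCING:
        return [link.name for link in (dedicated, optional) if link.up]
    # Auto-Rollover: the Dedicated WAN is primary, the Optional WAN is the backup.
    if dedicated.up:
        return [dedicated.name]
    return [optional.name] if optional.up else []


def run_rounds(mode: str, dedicated: WanLink, optional: WanLink,
               rounds: List[Dict[str, bool]]) -> List[List[str]]:
    """Feed one constructed probe-result table per round; return the active links per round."""
    validate(mode, [dedicated, optional])
    history: List[List[str]] = []
    for results in rounds:
        probe: Probe = lambda target, r=results: r.get(target, False)
        dedicated.check(probe)
        optional.check(probe)
        history.append(active_links(mode, dedicated, optional))
    return history


def rollover_demo() -> List[List[str]]:
    """Auto-Rollover: the Dedicated WAN's ping target is unreachable for three rounds, then recovers."""
    ded = WanLink("Dedicated WAN", "ping", ["198.51.100.1"])    # constructed (RFC 5737) addresses
    opt = WanLink("Optional WAN", "dns", ["203.0.113.53"])
    rounds = ([{"198.51.100.1": False, "203.0.113.53": True}] * 3   # three failed rounds
              + [{"198.51.100.1": True, "203.0.113.53": True}])     # recovery
    return run_rounds(AUTO_ROLLOVER, ded, opt, rounds)


def none_method_demo() -> List[List[str]]:
    """Load Balancing with method None on the Optional WAN: that link is never probed, so it never leaves service."""
    ded = WanLink("Dedicated WAN", "dns", ["203.0.113.53"])
    opt = WanLink("Optional WAN", "none")
    rounds = [{"203.0.113.53": True}] * 4
    return run_rounds(LOAD_BALANCING, ded, opt, rounds)


if __name__ == "__main__":
    for i, links in enumerate(rollover_demo(), 1):
        print(f"round {i}: traffic on {links}")
```

In the rollover run the Dedicated WAN keeps carrying traffic for the first two failed rounds, rolls over to the Optional WAN in the third, and returns in the fourth once its target answers again. The None run is the reason the guide restricts that method to Load Balancing: with no probe there is nothing that can ever mark the link down, so in Auto-Rollover mode a primary link configured with None would never hand over to the backup.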


Page 81: ...to enable communication between VLANs When you configure VLAN subnets the security appliance routes traffic between VLANs and provides services such as a DHCP server for the members of each VLAN STEP 1 Click Networking on the menu bar and then click VLAN Multiple VLAN Subnets in the navigation tree The Multiple VLAN Subnets page appears All VLANs from the Networking LAN Available VLANs page appear...

Page 82: ...imary DNS Server and Secondary DNS Server Optional Enter the IP address of the primary DNS server for the VLAN Optionally enter the IP address of a secondary DNS server Primary Tftp Server and Secondary Tftp Server Optional Enter the IP address of the primary and secondary Tftp servers for the VLAN WINS Server Optional Enter the IP address for the WINS server or if present in your network the Wind...

Page 83: ...default, NAT is enabled. Network Address Translation (NAT) is a technique that allows several computers on a LAN to share an Internet connection. The computers on the LAN use a private IP address range, while the WAN port on the router is configured with a single public IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet. STEP 1 Click Networki...

Page 84: ...o edit an entry To delete an entry check the box and then click Delete To select all entries in the table check the box at the left side of the heading row After you click Add or Edit the Static Routing Configuration page appears STEP 3 Enter the following information Name Enter a name for identification and management purposes Active Check this box to activate the route or clear the box to deacti...

Page 85: ...er to exchange its routing information automatically with other routers and allows it to dynamically adjust its routing tables and adapt to changes in the network NOTE RIP is disabled by default STEP 1 Click Networking on the menu bar and then click Routing Dynamic in the navigation tree The Dynamic Routing RIP page appears STEP 2 In the RIP Configuration area enter the following information RIP D...

Page 86: ...s STEP 3 In the Authentication for RIP-2B/2M area, enter the following information: Enabled Authentication for RIP-2B/2M: Check this box to enable authentication for RIP-2B or RIP-2M. First Key Parameters and Second Key Parameters: MD5 Key ID: Input the unique MD5 key ID. MD5 Auth Key: Input the auth key for this MD5 key. Not Valid Before: Start date of the First Key for MD5-based authentication between ro...

Page 87: ...d Choose the port speed The default setting is 1000 Mbps for all ports STEP 3 Click Apply to save your settings or click Reset to revert to the saved settings Configuring SPAN Port Mirroring Port mirroring sometimes called Switched Port Analyzer allows the traffic on one port to be visible on another port This feature may be useful for debugging or for traffic monitoring by an external application...

Page 88: ...face that you specify in the Bandwidth Profiles Configuration page NOTE Bandwidth limiting is not applicable to a DMZ interface Configuring a bandwidth profile can be done in two steps Create a bandwidth profile to establish the parameters for the profile and then associate this profile with a traffic selector The traffic selector identifies the stream of traffic which will then be subject to the ...

Page 89: ...x at the left side of the heading row After you click Add or Edit the Bandwidth Profile Configuration page appears STEP 4 Choose the parameters to define a bandwidth profile Profile Name A symbolic name that is used to identify and associate the profile to traffic selection criteria Priority or Rate A method for limiting the bandwidth as described below Priority Limits the bandwidth based on the s...

Page 90: ...ctor NOTE Other options Click the Edit button to edit an entry To delete an entry check the box and then click Delete To select all entries in the table check the box at the left side of the heading row After you click Add or Edit the Traffic Selector Configuration page appears STEP 3 Enter the following information Available Profiles Select the bandwidth profile which will applied to this traffic...

Page 91: ...WAN Mode area, the Current WAN Mode is displayed. STEP 3 In the Dedicated WAN DDNS Status area or the Optional WAN DDNS Status area, enter the following information: Select the Dynamic DNS Service: Choose None or choose DynDNS.com. Host and Domain Name: Specify the complete Host Name and Domain Name for the DDNS service. User Name: Enter the DynDNS account User Name. Password: Enter the password for the DynDN...

Page 92: ...ddress space You can configure the security appliance to support IPv6 addressing on the LAN and the Dedicated WAN NOTE IPv6 is not supported on the Optional port First enable IPv6 mode and then configure your WAN connection LAN connection routing and tunneling IP Routing Mode page 93 Configuring the IPv6 WAN Connection page 94 Configuring the IPv6 LAN page 95 IPv6 LAN Address Pools page 97 IPv6 Mu...

Page 93: ...rs STEP 2 Click IPv4 IPv6 mode to enable IPv6 addressing or click IPv4 only mode to enable only IPv4 addressing STEP 3 Click Apply to save your settings or click Reset to revert to the saved settings STEP 4 When the warning appears click OK to continue If you do not want to change the IP mode click Cancel NOTE Next steps To configure the WAN connection click IPv6 IPv6 WAN Config For more informati...

Page 94: ...ur Service Provider IPv6 Prefix Length The IPv6 network subnet is identified by the initial bits of the address called the prefix All hosts in the network have the identical initial bits for their IPv6 address Enter the number of common initial bits in the network s addresses The default prefix length is 64 Default IPv6 Gateway Enter the IPv6 address of the gateway for your ISP This is usually pro...

Page 95: ...ing information: IPv6 Address: Enter the IPv6 address. The default IPv6 address for the gateway is fec0::1. You can change this 128-bit IPv6 address based on your network requirements. NOTE If you change the IP address and click Apply, then the browser connection is lost. Wait a few seconds to allow your administration computer to obtain a new IP address from the newly assigned IP address pool, or release and ...

Page 96: ...tateful Choose this option to allow the IPv6 LAN host to rely on an external DHCPv6 server to provide required configuration settings Domain Name optional Enter a domain name for the DHCPv6 server Server Preference Enter a value from 0 to 255 to indicate the preference level for this DHCP server DHCPv6 clients will pick up the DHCPv6 server which has highest preference value The default is 255 DNS...

Page 97: ...For more information see IPv6 Static Routing page 99 IPv6 LAN Address Pools You can define the IPv6 delegation prefix for a range of IP addresses to be served by the DHCPv6 server By using a delegation prefix you can automate the process of informing other networking equipment on the LAN of the DHCP information for the assigned prefix STEP 1 Click Networking on the menu bar and then click IPv6 IPv...

Page 98: ... of common initial bits in the addresses is set by the prefix length field STEP 4 Click Apply to save your settings or click Reset to revert to the saved settings IPv6 Multi LAN You can use this page to configure an IPv6 LAN alias address STEP 1 Click Networking on the menu bar and then click IPv6 IPv6 Multi LAN in the navigation tree The IPv6 Multi LAN page appears Any existing alias addresses ar...

Page 99: ...Routing in the navigation tree The IPv6 Static Routing page appears Any existing static routes are listed in the List of IPv6 Static Routes table STEP 2 Click Add to add a new static route NOTE Other options Click the Edit button to edit an entry To delete an entry check the box and then click Delete To select all entries in the table check the box at the left side of the heading row After you cli...

Page 100: ...st metric STEP 4 Click Apply to save your settings or click Reset to revert to the saved settings Routing RIPng RIPng Routing Information Protocol next generation RFC 2080 is a routing protocol that uses UDP packets to exchange routing information through port 521 The distance to a destination is measured by the hop count as follows The hop count from a router to a directly connected network is 0 ...

Page 101: ...eature if you have an end site or end user that needs to connect to the IPv6 Internet using the existing IPv4 network STEP 1 Click Networking on the menu bar and then click IPv6 6to4 Tunneling in the navigation tree The 6to4 Tunneling page appears STEP 2 Check the box to enable automatic tunneling or uncheck the box to disable this feature STEP 3 Click Apply to save your settings or click Reset to...

Page 102: ...click Add NOTE Other options Click the Edit button to edit an entry To delete an entry check the box and then click Delete To select all entries in the table check the box at the left side of the heading row After you click Add or Edit the ISATAP Tunnel Configuration page appears STEP 3 Enter the following information ISATAP Subnet Prefix Enter the 64 bit subnet prefix that is assigned to the logi...

Page 103: ... the burstiness of MLD messages on the link larger values make the traffic less bursty as host responses are spread out over a larger interval The minimum value of this parameter is 5000 ms 5 seconds and maximum value is 1800000 ms 30 mins Robustness Variable Enter a value from 2 to 8 to allow tuning for the expected packet loss on a link Enter a higher value if a link is expected to be lossy The ...

Page 104: ...se mode STEP 1 Click Networking on the menu bar and then click IPv6 Router Advertisement in the navigation tree The RADVD page appears STEP 2 Enter the following information RADVD Status Enable or disable the RADVD process If you enable RADVD complete the fields that are highlighted with white backgrounds Advertise Mode Choose one of the following modes Unsolicited Multicast Choose this option to ...

Page 105: ...ll nodes on the network use the same MTU value in the cases where the LAN MTU is not well known The default is 1500 Router Lifetime Enter the lifetime in seconds of the route The default is 3600 seconds STEP 3 Click Apply to save your settings or click Reset to revert to the saved settings Adding RADVD Prefixes NOTE Before you can perform this procedure you must enable RADVD For more information s...

Page 106: ... SLA ID The SLA ID Site Level Aggregation Identifier in the 6to4 address prefix is set to the interface ID of the interface on which the advertisements are sent IPv6 Prefix Specify the IPv6 network address IPv6 Prefix Length Enter a decimal value that indicates the number of contiguous higher order bits of the address that make up the network portion of the address Prefix Lifetime Enter the maximu...

Page 107: ...ck the IEEE 802.1p Enable box to enable 802.1p quality of service. Uncheck the box to disable this feature. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. 802.1p Mapping Use the 802.1p to Queue Mapping page to map each 802.1p priority value to a QoS queue, Lowest Priority to High Priority. NOTE You can configure mappings only if you enabled 802.1p QoS on the 80...

Page 108: ...f service to be assigned to network traffic. Use the DSCP Remarking page to assign priorities for the eight different classes of services in 802.1p. STEP 1 Click Networking on the menu bar, and then click DSCP Remarking in the navigation tree. The DSCP Remarking page appears. STEP 2 For each 802.1p priority value (Priority 0, Priority 1, and so on), enter a priority value. STEP 3 Click Apply to save your set...

Page 109: ...co_1 The access point is enabled by default The security profile has Open security and is identifying itself to all wireless devices that are in range These settings make it easy for you to begin using your wireless network However for security purposes it is strongly recommended that you configure each profile with the highest level of security that is supported by the wireless devices that you w...

Page 110: ...k Add to add an entry Click the button in the Adv Config column the QoS Config column or the Configure MAC Filter column to edit other settings more information later in this chapter To delete a profile check the box and then click Delete To select all entries check the box in the first column of the table heading After you click Add or Edit the Profile Configuration page appears STEP 3 Enter the ...

Page 111: ...h WPA and WPA2 clients to connect simultaneously. This option is a good choice to enable a higher level of security while allowing access by devices that might not support WPA2. Encryption: Select the encryption method to be used. For WPA, the choices are TKIP or TKIP+CCMP. For WPA2, the choices are CCMP or CCMP+TKIP. CCMP is stronger than TKIP and is recommended. However, some wireless devices may support o...

Page 112: ...ed WEP key index is derived Different clients can have different numbering scheme for index For clients which have indexing starting with 0 WEP Key 1 to WEP Key 4 corresponds to index 0 to 3 Clients which have indexing starting with 1 WEP Key 1 to WEP Key 4 correspond to index 1 to 4 STEP 5 Click Apply to save your settings or click Reset to revert to the saved settings STEP 6 Repeat this procedur...

Page 113: ... has an option called PMKSA caching which means that the master keys derived from successful RADIUS authentication are cached for some time to avoid long RADIUS authentication every time a client connects This timeout interval specifies for how long this PMKSA is stored in the access point A client reconnecting within this interval after successful RADIUS authentication can skip the RADIUS authent...

Page 114: ... The Profiles page appears The existing profiles appear in the List of Profiles table STEP 2 Find the profile that you want to edit and click the button in the QoS Config column The QoS Configuration page appears STEP 3 Enter the following settings QoS Enable Check this box to enable QoS for this profile The settings on this page apply only if this box is checked Default Class Of Service Use this ...

Page 115: ...ly to the addresses that are in the table when you click Apply STEP 1 Click Wireless on the menu bar and then click Access Point in the navigation tree The Access Points page appears Existing access points are listed in the List of Available Access Points table STEP 2 Find the access point that you want to edit and click the button in the Configure MAC Filter column The MAC Filtering Configuration...

Page 116: ...ifier SSID or network name set the maximum number of clients and optionally specify a schedule STEP 1 Click Wireless on the menu bar and then click Access Point in the navigation tree The Access Points page appears Existing access points are listed in the List of Available Access Points table STEP 2 In the first row of the table click the button in the Edit column to configure the default access p...

Page 117: ...fier or network name that clients use to connect to the access point It is a good practice to replace the default SSID with a unique identifier Broadcast SSID Check this box to allow the security appliance to broadcast the SSID All wireless devices within range are able to see the SSID when they scan for available networks Uncheck this box to prevent auto detection of the SSID In this case users m...

Page 118: ... down list of regions. Country: Choose a country from the drop-down list of countries. This list is populated according to the region selected. This impacts the available Wi-Fi channels as determined by wireless authorities in the corresponding country/region. Mode: Choose the 802.11 modulation technique. g/b: Select this mode if some devices in the wireless network use 802.11g and others use 802.11b. g on...

Page 119: ...ireless network Set the interval by entering a value in milliseconds The default setting is 100 which means that beacon frames are sent every 100 milliseconds 10 seconds Dtim Interval The Delivery Traffic Information Map DTIM message is an element that is included in some beacon frames It indicates the client stations that are currently sleeping in low power mode and have buffered data on the acce...

Page 120: ...nsmitted through the air. The preamble can be either the traditional long preamble, which requires 192 μs for transmission, or it can be an optional short preamble that requires only 96 μs. The long preamble is needed for compatibility with the legacy 802.11 systems operating at 1 and 2 Mbps. The default is Long. Protection Mode: Select RTS/CTS protection if you want the security appliance to perform a R...

Page 121: ...and Control Inbound Traffic, page 136; Port Triggering, page 139; SIP, page 147. Configuring Firewall Rules to Control Inbound and Outbound Traffic By default, your firewall prevents inbound access and allows all outbound access. If you want to allow some inbound access or prevent some outbound access, you must configure firewall rules. You can choose how and to whom the rules apply and can specify these setti...

Page 122: ...rst create the records for the services. See Creating Custom Services, page 122. If you want to create rules that apply only on specified days and times, first create the schedules. See Creating Schedules for a Firewall Rules, page 123. If you want to use additional public IP addresses (typically assigned by your ISP) for firewall rules, other than the IP address configured on the WAN interface, see Configurin...

Page 123: ...lick Add or Edit the Custom Services Configuration page appears STEP 3 Enter the following information Name Enter a name for this service Type Specify the protocol If you choose ICMP or ICMPv6 also enter the ICMP Type If you choose TCP or UDP also specify the port range by entering the Start Port and the Finish Port STEP 4 Click Apply to save your settings or click Reset to revert to the saved set...

Page 124: ...mn of the table heading To select all entries check the box in the first column of the table heading After you click Add or Edit the Schedules page appears STEP 3 Enter the following information Schedule Name Enter a name for the schedule The name will appear in the Select Schedule drop down list on the Firewall Rule Configuration page Scheduled Days From the drop down list choose All Days or Spec...

Page 125: ...to the saved settings Configuring the Default Outbound Policy The default outbound policy is used whenever there is no specified firewall rule that applies to the source destination service or other characteristics of the outbound traffic This policy applies to all traffic that is directed from the LAN to the WAN STEP 1 Click Firewall on the menu bar and then click Firewall Default Outbound Policy...

Page 126: ...r more information, see Configuring Blocked URLs to Prevent Access to Websites, page 145. STEP 1 Click Firewall on the menu bar, and then click Firewall IPv4 Rules or IPv6 Rules in the navigation tree. OR For IPv4 rules, you can use the Getting Started Advanced page: In the Firewall and NAT Rules section, click Configure Firewall and NAT Rules. STEP 2 The Firewall Rules page appears. Any existing rules appea...

Page 127: ... a server on your DMZ. If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN. If the From Zone is the LAN, then the To Zone can be the public DMZ or insecure WAN. Service: Choose from a list of common services or a custom-defined service. For more information, see Appendix B, Standard Services, and Creating Custom Services, page 122. Action: Choose how and when to apply the rule. Select Sc...

Page 128: ...ost ToS 1 Maximize Reliability ToS 2 Maximize Throughput ToS 4 Minimize Delay ToS 8 highest QoS STEP 5 For a LAN to WAN rule only enter the following information in the Source NAT Settings area SNAT IP Type Source Network Address Translation SNAT requires re writing the source or destination IP address of incoming IP packets as they pass through the firewall Choose one of the following options WAN...

Page 129: ...ss the optional WAN address or another IP address that your ISP has provided to you For examples see Firewall Rule Configuration Examples page 133 NOTE In addition to configuring firewall rules you can use the following methods to control inbound traffic You can prevent common types of attacks For more information see Configuring Attack Checks page 136 You can allow or block traffic from specified...

Page 130: ...l Rules Configuration page appears. STEP 3 In the Firewall Rule Configuration area, enter the following information: From Zone: Choose the source of the traffic that is covered by this rule. For an inbound rule, choose INSECURE WAN if the traffic is coming from the Internet, or choose DMZ if the traffic is coming from a server on your DMZ. To Zone: For an inbound rule, choose SECURE LAN if the traffic is goi...

Page 131: ... If you choose Address Range enter the first address in the From field and enter the last address in the To field Local Server Shows the IP address of the local server only applies to IPv4 Firewall rules Log You can choose whether or not to log the packets for this rule Click Never if you do not want to log the packets or click Always to log the packets STEP 4 For a WAN to LAN or a WAN to DMZ rule...

Page 132: ... a specified location in the firewall rules list NOTE This feature only applies to IPv4 firewall rules STEP 1 Click Firewall on the menu bar and then click Firewall IPv4 Rules in the navigation tree OR you can use the Getting Started Advanced page In the Firewall and NAT Rules section click Configure Firewall and NAT Rules The IPv4 Firewall Rules page appears The firewall rules appear in the List ...

Page 133: ...n 3 in the list STEP 5 When finished you are returned to the IPv4 Firewall Rules page STEP 6 Verify that the rules were reordered by choosing the appropriate source and destination the Zone drop down menus and click Display Rules Firewall Rule Configuration Examples Allowing Inbound Traffic to a Web Server Using the WAN IP Address Situation You host a public web server on your DMZ You want to allo...

Page 134: ...ation about configuring aliases, see Configuring IP Aliases for WAN interfaces, page 125. Allowing Inbound Traffic from Specified Range of Outside Hosts Situation: You want to allow incoming video conferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 to 132.177.88.254). Solution: Create an inbound rule as shown below. In the example, connections for CU-SeeMe (an Internet vid...

Page 135: ... the time period when the rule is in effect. Configure an outbound rule that applies to traffic from the marketing group, which has an IP address range of 10.1.1.1 to 10.1.1.100. Action: ALLOW always. Source Hosts: Address Range, From 132.177.88.2, To 134.177.88.254. Send to Local Server (DNAT IP): 192.168.75.11 (internal IP address). Parameter / Value: From Zone: Secure LAN. To Zone: INSECURE Dedicated WAN / Optional WAN. S...

Page 136: ...ls to help you to protect your network from undesired inbound traffic: Configuring Attack Checks, page 136; Configuring MAC Filtering to Allow or Block Traffic, page 138; Configuring IP/MAC Binding to Prevent Spoofing, page 146; Configuring a Port Triggering Rule to Direct Traffic to Specified Ports, page 140. Configuring Attack Checks Use this page to specify how you want to protect your network against comm...

Page 137: ...e your network is less susceptible to discovery and attacks Block TCP Flood Check this box to drop all invalid TCP packets This feature protects your network from a SYN flood attack in which an attacker sends a succession of SYN synchronize requests to a target system STEP 3 In the LAN Security Checks section check the Block UDP Flood box to prevent the security appliance from accepting more than ...

Page 138: ...ply to save your settings or click Reset to revert to the saved settings Configuring MAC Filtering to Allow or Block Traffic You can restrict WAN and DMZ traffic based on the MAC address of device The first step is to populate the list of MAC addresses to be covered by the filtering policy You can configure the policy either to block all MAC addresses in the list and permit the rest or to permit o...

Page 139: ...orts the security appliance opens the specified incoming port to support the exchange of data When the exchange is completed the ports are closed Port triggering is more flexible than the static port forwarding that you can configure in a firewall rule Port triggering rules do not have to reference specific LAN IP addresses or IP addresses ranges In addition the ports are not left open when they a...

Page 140: ...riggering rule click Add NOTE Other options Click the Edit button to edit an entry To delete an entry check the box and then click Delete To select all entries check the box in the first column of the table heading After you click Add or Edit the Port Triggering Configuration page appears STEP 3 In the Port Triggering Rule area enter the following information Name Enter a name for this rule Enable...

Page 141: ...ld displays the time for which the port will remain open when there is no activity on that port The time is reset when there is activity on the port Configuring Session Settings to Analyze Incoming Packets Use this page to configure how incoming packets are analyzed STEP 1 Click Firewall on the menu bar and then click Session Settings in the navigation tree The Session Settings page appears STEP 2...

Page 142: ... seconds. The default is 60 seconds. TCP Session Cleanup Latency (seconds): Maximum time for a session to remain in the session table after detecting both FIN flags. This value can range between 0 and 4,294,967 seconds. The default is 10 seconds. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. Using Other Tools to Control Access to the Internet The gateway offers so...

Page 143: ...le area check the box to enable content filtering or uncheck the box to disable content filtering Content filtering must be enabled to configure and use features such as a list of Trusted Domains keyword filtering and so on STEP 3 In the Web Components area check the box for any component that you want to block Proxy Check this box to block proxy servers which can be used to circumvent certain fir...

Page 144: ...e the list of approved URLs or uncheck the box to disable this feature b Click Apply to save your settings or click Reset to revert to the saved settings STEP 3 To add a domain name or keyword to the Approved URLs List click Add NOTE Other options Click the Edit button to edit an entry To delete an entry check the box and then click Delete To select all entries check the box in the first column of...

Page 145: ...ssing You can specify exact domain names or keywords NOTE This page is available only if you enabled Content Filtering See Configuring Content Filtering to Allow or Block Web Components page 143 STEP 1 Click Firewall on the menu bar and then click Content Filtering Blocked URLs in the navigation tree The Blocked URLs page appears STEP 2 To add a domain name or keyword to the Blocked URLs List clic...

Page 146: ...ou can use IP/MAC binding to allow traffic from the LAN to the WAN only when the host has an IP address that matches a specified MAC address. By requiring the gateway to validate the source traffic's IP address with the unique MAC address of the device, the administrator can ensure that traffic from the specified IP address is not spoofed. In the event of a violation, the traffic's source IP address doesn...

Page 147: ...ession Initiation Protocol Application level gateway can rewrite information within the SIP messages SIP headers and SDP body to make signaling and audio traffic between the client behind NAT and the SIP endpoint possible NOTE SIP ALG should be enabled when voice devices such as the UC 500 or SIP phones are connected to the network behind the security appliance STEP 1 Click Firewall on the menu ba...

Page 148: ...decisions based on application content rather than IP address or ports You can configure IPS to protect network services such as Web instant messaging applications email file transfer Windows services and DNS It also protects applications against vulnerabilities such as viruses and worms peer to peer P2P applications and backdoor exploits Refer to the following topics to configure the IPS features...

Page 149: ...ture updates Click Update Now to immediately update new signatures if they are available This option is only active if the Automatically Update Signature box is checked Click the View IPS Logs link to view the IPS log messages To display messages generated by IPS you must choose IPS as the facility For more information see View Logs Status page 46 Automatic Signature Updates IPS uses signature fil...

Page 150: ... for troubleshooting purposes Detect and Prevent Choose this option to check for and prevent attacks on this category Upon detection a message is logged and a preventative action is taken For IPS messages to be logged you must configure IPS as the facility For more information see Logs Facility page 211 STEP 2 Click Apply to save your settings or click Reset to revert to the saved settings Configu...

Page 151: ...e you can specify what type of P2P and IM applications such as Gnutella BitTorrent AOL or Yahoo are blocked STEP 1 Click IPS on the menu bar and then click IPS IM and P2P Blocking in the navigation tree STEP 2 Select one of these options for each Peer to Peer and Instant Messaging services listed in the P2P and IM Blocking areas Disabled Choose this option to disable checking for this service Dete...

Page 152: ...sing through the security appliance and protect you from landing on web sites that are infected with spyware Cisco ProtectLink Endpoint is a client software that provides protection against spyware viruses and other malware for Windows PCs and servers It also offers automatic policy enforcement that restricts users from Internet access if their current PC security levels are out of date For inform...

Page 153: ...PN provides a secure communication channel (tunnel) between two gateway routers or between a remote PC and a gateway router, as in the following scenarios: Site-to-Site VPN: The VPN tunnel connects two routers to secure traffic between two sites that are physically separated. See Configuring a Site-to-Site VPN Tunnel, page 154. Remote Access with IPSec VPN Client Software: A remote worker uses a secure VPN...

Page 154: ...NC and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can update any of the parameters by using the other options in the navigation tree. NOTE For information about the VPNC recommendations, visit the following website: www.vpnc.org/vpn-standards.html. STEP 1 Click VPN on the menu bar, and then click IPSec > VPN Wizard in the navigation tree...

Page 155: ...Remote/Local WAN Addresses area, enter the following information about the remote server and the local server. Remote Gateway Type: Choose IP Address if you want to enter the IP address of the remote device, or choose Fully Qualified Domain Name (FQDN) if you want to enter the domain name of the remote network, such as vpn.company.com. Then enter that address or name in the Remote WAN's IP Address or Inte...

Page 156: ...the local LAN. STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings. NOTE The settings are not saved on the Wizard page. The Wizard creates a VPN policy and an IKE policy based on your entries. NOTE Next steps: If you are using the Getting Started (Advanced) page, click Getting Started on the menu bar, and then click Advanced in the navigation tree to return to the list...

Page 157: ...tion tree. With the Wizard's default settings, you will need to add VPN users through the IPSec VPN Users page after you complete the Wizard. Alternatively, you can edit the IKE policy to allow Extended Authentication (XAUTH) from user records stored on an external authentication server, such as a RADIUS server. NOTE For information about the VPNC recommendations, visit the following website: www.vpnc.org/v...

Page 158: ...49 characters and must be entered exactly the same here and on the remote client. NOTE Do not use the double quote character in the pre-shared key. Local WAN Interface: If you have configured two WANs, choose the interface that you want to use for this VPN tunnel. If you have only one WAN configured, choose Dedicated WAN. STEP 4 In the Remote/Local WAN Addresses area, enter the following information abou...

Page 159: ...view or update the configured VPN policy, click IPSec > VPN Policies in the navigation tree. For more information, see Configuring the IPSec VPN Policies, page 166. To review or update the configured IKE policy, click IPSec > IKE Policies in the navigation tree. For more information, see Configuring the IKE Policies for IPSec VPN, page 162. To configure IPSec passthrough, click IPSec Passthrough. For more informati...

Page 160: ...owing information. User Name: Enter a unique identifier for the XAUTH user. Remote Peer Type: Choose one of the following options: Standard IPsec (XAuth) or Cisco QuickVPN. NOTE XAUTH is an extension to IKE (published as an IETF draft, never as a ratified standard) that adds user-credential authentication to native IPSec. XAUTH can be used when additional client security is required with IPSec clients such as Greenbow. QuickVPN is a proprietary Cisco L...

Page 161: ...w and modify the default settings and policies. See Advanced Configuration of IPSec VPN, page 161. For Cisco QuickVPN, you also must enable Remote Management. See RMON (Remote Management), page 215. Advanced Configuration of IPSec VPN: The following topics are helpful for users who want to review and modify the settings that are created by the VPN Wizard: Viewing the Basic Setting Defaults for IPSec VPN, page...

Page 162: ...page. NOTE The VPN Wizard is the recommended method to create the corresponding IKE and VPN policies for a VPN tunnel. After the Wizard creates the matching IKE and VPN policies, you can make changes as needed. Advanced users can create an IKE policy from Add, but must be sure that the encryption, authentication, and key group parameters are compatible with the VPN policy and with the configuration of the remote peer; a mismatch on either side makes the negotiation fail. STEP 1 Click VPN on the menu bar, and th...

Page 163: ...connection but increases security. Aggressive Mode: Choose this option if you want a faster connection but with lowered security. In Aggressive Mode, fewer messages are exchanged between the initiator and the responder (three instead of the six used by Main Mode), and both sides send their identities and authentication data before a secure channel exists. A pre-shared key used with Aggressive Mode is therefore exposed to offline guessing by anyone who captures the exchange. NOTE If you choose Main Mode, then y...

Page 164: ...se Main Mode. STEP 6 In the IKE SA Parameters area, enter the information about the Security Association (SA) parameters, which define the strength and the mode for negotiating the SA. Encryption Algorithm: The algorithm used to negotiate the SA. There are five algorithms supported by this router: DES, 3DES, AES-128, AES-192, and AES-256. Single DES is breakable in practice and 3DES is deprecated, so choose an AES option unless the remote peer cannot. Authentication Algorithm: Specify the authentication algorithm for the VPN...

Page 165: ...ou can enable the VPN gateway router to authenticate users from the User Database (default choice) or an external authentication server, such as a RADIUS server. Choose one of the following XAUTH Types: None: Choose this option to disable XAUTH. User Database: Choose this option if you want to authenticate users based on the accounts that you create in this Configuration Utility. If you choose this option...

Page 166: ...uring the User Database for the IPSec Remote Access VPN, page 159. To configure the security appliance to work with your RADIUS server, see Configuring RADIUS Server Records, page 213. Configuring the IPSec VPN Policies: You can use this page to manage the VPN policies. This page contains two tables, List of VPN Policies and List of Backup Policies. These tables list the policies that have been added and...

Page 167: ...tion. Policy Name: Enter a unique name to identify the policy. Policy Type: Choose one of the following types: Auto: Some parameters for the VPN tunnel are generated automatically. The IKE (Internet Key Exchange) protocol is used to perform negotiations between the two VPN endpoints. To create an Auto VPN Policy, you need to first create an IKE policy and then add the corresponding Auto Policy for that IKE P...

Page 168: ...llowing options: Any: Allows all traffic from the given endpoint. Note that selecting Any for both local and remote endpoints is not valid. Single: Allows only one host to connect to the VPN. If you choose this option, also enter the IP address of the host in the Start IP Address field. Range: Allows all computers within an IP address range to connect to the VPN. If you choose this option, also specify the...

Page 169: ...e, enter the following information in the Auto Policy Parameters area. SA Lifetime: Enter the lifetime of the Security Association and specify whether it is in seconds or kilobytes. Seconds: If you specify the SA Lifetime in seconds, this value represents the interval after which the Security Association becomes invalid. The SA is renegotiated after this interval. The default value is 3600 seconds. Kilobyt...

Page 170: ...improve security. While this option is slower, it ensures that a Diffie-Hellman exchange is performed for every phase 2 negotiation, so the compromise of one session key does not expose the keys of earlier or later sessions. Select IKE Policy: Choose the IKE policy to define the characteristics of phase 1 of the negotiation. See Configuring the IKE Policies for IPSec VPN, page 162. STEP 7 In the Redundant VPN Gateway Parameters area, enter the following information to create a backup policy for this...
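The IKE Policies and VPN Policies pages above describe the phase 1 and phase 2 parameters separately and warn that they must be compatible. The following checker is an added example, not code from the Cisco SA 500 guide or firmware: it represents the two policies with the field names used on those pages, reports parameters that differ from the remote peer's (which is what makes IKE negotiation fail), and flags the weak choices the device still accepts (DES, 3DES, MD5, small DH groups, Aggressive Mode with a pre-shared key, PFS disabled). The hash algorithm names, the DH group sizes and all sample policy values are assumptions made for illustration.

```python
"""Peer-compatibility and strength check for an IKE (phase 1) policy and its
VPN (phase 2) policy.  Added example, not code from the Cisco SA 500 guide or
firmware.  Field names follow the labels on the IKE Policies and VPN Policies
pages; the hash algorithm names, the DH group sizes and all sample values are
assumptions made for illustration."""
from dataclasses import dataclass

SUPPORTED_ENCRYPTION = ("DES", "3DES", "AES-128", "AES-192", "AES-256")  # per the guide
WEAK_ENCRYPTION = {"DES", "3DES"}        # single DES is broken, 3DES is deprecated
WEAK_HASH = {"MD5"}                      # assumption: MD5 and SHA-1 are the offered choices
MAX_PSK_LENGTH = 49                      # per the guide; '"' is not allowed in the key
MIN_DH_BITS = 2048


@dataclass
class IkePolicy:                 # phase 1
    name: str
    exchange_mode: str           # "Main" or "Aggressive"
    encryption: str
    hash_algorithm: str
    dh_group_bits: int           # e.g. 1024 for DH group 2 (assumed labelling)
    pre_shared_key: str


@dataclass
class VpnPolicy:                 # phase 2
    name: str
    ike_policy: str              # name of the IkePolicy it belongs to
    encryption: str
    hash_algorithm: str
    sa_lifetime_seconds: int = 3600   # guide default
    pfs_dh_group_bits: int = 0        # 0 = PFS disabled


def check_local_consistency(ike, vpn):
    """Errors that break the tunnel before any peer is involved."""
    findings = []
    if vpn.ike_policy != ike.name:
        findings.append(f"{vpn.name} references IKE policy '{vpn.ike_policy}', not '{ike.name}'")
    for label, value in (("IKE", ike.encryption), ("VPN", vpn.encryption)):
        if value not in SUPPORTED_ENCRYPTION:
            findings.append(f"{label} encryption '{value}' is not supported on this device")
    psk = ike.pre_shared_key
    if not psk or len(psk) > MAX_PSK_LENGTH or '"' in psk:
        findings.append(f"{ike.name}: pre-shared key empty, longer than {MAX_PSK_LENGTH}, or contains '\"'")
    return findings


def check_peer_compatibility(local_ike, local_vpn, peer_ike, peer_vpn):
    """Both ends must agree on every negotiated parameter, or IKE fails."""
    findings = []
    for attr in ("exchange_mode", "encryption", "hash_algorithm", "dh_group_bits", "pre_shared_key"):
        if getattr(local_ike, attr) != getattr(peer_ike, attr):
            findings.append(f"phase 1 mismatch on {attr}")
    for attr in ("encryption", "hash_algorithm", "pfs_dh_group_bits"):
        if getattr(local_vpn, attr) != getattr(peer_vpn, attr):
            findings.append(f"phase 2 mismatch on {attr}")
    return findings


def audit_strength(ike, vpn):
    """Choices the device accepts but a reviewer should flag."""
    warnings = []
    if ike.exchange_mode == "Aggressive":
        warnings.append("Aggressive Mode: identities and the PSK-based hash travel before encryption, "
                        "so the PSK is exposed to offline guessing")
    for label, pol in (("IKE", ike), ("VPN", vpn)):
        if pol.encryption in WEAK_ENCRYPTION:
            warnings.append(f"{label} policy uses {pol.encryption}; prefer an AES option")
        if pol.hash_algorithm in WEAK_HASH:
            warnings.append(f"{label} policy uses {pol.hash_algorithm}; prefer SHA")
    if ike.dh_group_bits < MIN_DH_BITS:
        warnings.append(f"DH group of {ike.dh_group_bits} bits is below {MIN_DH_BITS}")
    if vpn.pfs_dh_group_bits == 0:
        warnings.append("PFS disabled: one compromised phase 1 key exposes every phase 2 key")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a sound head-office pair negotiating with a weak branch peer.
    psk = "correct-horse-battery-staple"
    hq_ike = IkePolicy("ike-hq", "Main", "AES-256", "SHA-1", 2048, psk)
    hq_vpn = VpnPolicy("vpn-hq", "ike-hq", "AES-256", "SHA-1", 3600, 2048)
    branch_ike = IkePolicy("ike-branch", "Aggressive", "DES", "MD5", 1024, psk)
    branch_vpn = VpnPolicy("vpn-branch", "ike-branch", "3DES", "MD5")
    for line in (check_local_consistency(hq_ike, hq_vpn)
                 + check_peer_compatibility(hq_ike, hq_vpn, branch_ike, branch_vpn)
                 + audit_strength(branch_ike, branch_vpn)):
        print("-", line)
```

Run it against the two policy sets you intend to deploy at each end of a tunnel before clicking Apply; every `phase 1 mismatch` or `phase 2 mismatch` line is a negotiation that will fail, and every `audit_strength` line is a setting the Wizard's defaults would not have produced.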

Page 171: ...menu bar, and then click View Logs > IPSec VPN Logs in the navigation tree. For more information, see IPSec VPN Logs, page 47. To configure IPSec passthrough, click IPSec Passthrough. For more information, see Configuring IPSec Passthrough, page 171. To add the users for remote access VPN, see Configuring the User Database for the IPSec Remote Access VPN, page 159. If you enabled rollover, be sure to configure Dy...

Page 172: ...he network by using a web browser. When the tunnel is established, each user will have an IP address on the internal network, such as 10.10.10.x in the above example. You can use SSL VPN to provide access to the following types of services on your network: internal web sites; web-enabled applications; NT/Active Directory and FTP file shares; e-mail proxies, including POP3S, IMAP4S, and SMTPS; MS Outlook Web A...

Page 173: ...allow the client to join the corporate LAN with pre-configured access policy privileges. At this point, a virtual network interface is created on the user's PC, and it is assigned an IP address and DNS server address from the security appliance. To create a VPN tunnel, see Elements of the SSL VPN, page 174. Port Forwarding: The Port Forwarding service supports TCP connections between the remote user and the se...

Page 174: ...resources. On each portal layout, you would customize the banner message to provide customized information for the portal users. IMPORTANT If you plan to create different portal layouts for different user domains, you must create the portal layouts first. In the scenario, start with Scenario Step 1: Customizing the Portal Layout, page 175. If you are not going to create different portal layouts, you can star...

Page 175: ...your private network through an SSL tunnel, the user starts a web browser and enters a URL. The browser displays a login page with several features that you can configure: 1. Portal Site Title; 2. Banner Title; 3. Banner Message. Figure 10 Configurable Areas of the SSL VPN Portal Layout. STEP 1 Click VPN on the menu bar, and then click SSL VPN Server > Portal Layouts in the navigation tree. The Portal Layouts p...

Page 176: ...haracters. Only alphanumeric characters, hyphens (-), and underscore (_) characters are allowed for this field. Portal Site Title: Enter the title that will appear at the top of the web browser window for the portal. Banner Title: Enter one word for the banner title. Spaces and special characters are not allowed. Banner Message: Enter the message text to display along with the banner title. For example, enter instr...

Page 177: ...ovide to your users. STEP 7 Repeat as needed to add more portal layouts. NOTE Next steps: Required: Configure the SSL VPN Users. See Chapter 8, Scenario Step 2: Adding the SSL VPN Users. Scenario Step 2: Adding the SSL VPN Users: Authentication of the remote SSL VPN user is done by the security appliance by using either a local database on the security appliance or external authentication servers (i.e., LDAP o...

Page 178: ...the user. It can include any alphanumeric characters. First Name: Enter the user's first name. Last Name: Enter the user's last name. User Type: Choose SSL VPN User. Select Group: Choose SSLVPN. Password: Enter a password that contains alphanumeric or _ characters. Confirm Password: Enter the password again. Idle Timeout: Enter the time in minutes that the user can be inactive before the session is disconnected...

Page 179: ...edence over a general policy. For example, a policy for a specific IP address takes precedence over a policy for a range of addresses that includes this IP address. A policy can be offered to the VPN Tunnel, Port Forwarding, or both. After you define a policy, it goes into effect immediately. However, if Remote Management (RMON) is not enabled, SSL VPN access will be blocked. See RMON (Remote Management), page 21...

Page 180: ...lso choose the user from the Available Users list. STEP 5 In the SSL VPN Policy area, enter the following information. Apply Policy to: Choose to apply the policy to a Network Resource, an IP address, an IP network, or All Addresses that are managed by the device. Also complete the fields that are highlighted with white backgrounds. Policy Name: Enter a name to identify this policy. NOTE If you create a poli...

Page 181: ...ork resources are services or groups of LAN IP addresses that are used to easily create and configure SSL VPN policies. This shortcut saves time when creating similar policies for multiple remote SSL VPN users. STEP 1 Click VPN on the menu bar, and then click SSL VPN Server > Resources in the navigation tree. The Resources page appears. STEP 2 To add a network resource, click Add. NOTE Other options: Click...

Page 182: ...mmon applications and corresponding TCP port numbers. Adding a TCP Application Configuration for Port Forwarding: TCP Application Configuration is required for port forwarding. STEP 1 Click VPN on the menu bar, and then click SSL VPN Server > Port Forwarding in the navigation tree. The Port Forwarding page appears. This page includes two tables: List of Configured Applications for Port Forwarding; List of C...

Page 183: ...the port number of the TCP application that enables port forwarding. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings. Configuring Host Name Resolution for Port Forwarding: Optionally, you can configure a hostname (FQDN) for the network server to give users an easy way to connect to the server without having to remember and enter an IP address. NOTE The local server...

Page 184: ...When an SSL VPN client is launched from the user portal, a network adapter with an IP address from the corporate subnet, DNS, and WINS settings is automatically created. This feature allows access to services on the private network without any special network configuration on the remote SSL VPN client machine. Make sure that the virtual PPP interface address of the VPN tunnel client does not conflict w...

Page 185: ...nformation. Enable Split Tunnel Support: Check this box to enable Split Tunnel Mode support, or uncheck this box for Full Tunnel Mode support. With Full Tunnel Mode, all of the traffic from the host is directed through the tunnel. By comparison, with Split Tunnel Mode the tunnel is used only for the traffic that is specified by the client routes; everything else leaves through the host's own interface and bypasses the appliance's policies and logging. NOTE If you enable Split Tunnel Support, you also will need...

Page 186: ...SL VPN Client page, then you must configure client routes for Split Tunnel Mode. The Configured Client Routes entries are added by the SSL VPN Client such that only traffic to these destination addresses is redirected through the SSL VPN tunnel, and all other traffic is sent using the host's native network interface. For example, if the SSL VPN Client attempts to access this devic...
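Two decisions from the SSL VPN pages above interact for every packet a remote client sends: whether the client routes (page 185/186) send it through the tunnel at all, and, if so, which SSL VPN policy (page 179) governs it at the appliance. The following is an added example, not code from the Cisco guide or firmware, that models both. It generalises the guide's precedence statement (a single address beats a range that contains it) to "the most specific matching scope wins", treating a single address as a /32 and "All Addresses" as /0; that generalisation, the policy fields and every address below are assumptions made for illustration.

```python
"""Split-tunnel routing decision followed by SSL VPN policy selection.
Added example, not from the Cisco SA 500 guide or firmware.  The policy
representation, the 'most specific scope wins' generalisation of the guide's
precedence rule, and all addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class SslVpnPolicy:
    name: str
    scope: str          # "all", a single address such as "10.10.10.25", or a network "10.10.10.0/24"
    permission: str     # "PERMIT" or "DENY"

    def _network(self):
        return ipaddress.ip_network(self.scope, strict=False)   # single address -> /32

    def matches(self, ip):
        return self.scope == "all" or ip in self._network()

    def specificity(self):
        # "all" behaves like /0; longer prefixes are more specific, a host address is /32
        return 0 if self.scope == "all" else self._network().prefixlen


def select_policy(policies, destination):
    """The most specific policy whose scope contains the destination, or None."""
    ip = ipaddress.ip_address(destination)
    candidates = [p for p in policies if p.matches(ip)]
    if not candidates:
        return None
    return max(candidates, key=SslVpnPolicy.specificity)


def uses_tunnel(destination, split_tunnel, client_routes):
    """Full Tunnel Mode sends everything through; Split Tunnel Mode only the client routes."""
    if not split_tunnel:
        return True
    ip = ipaddress.ip_address(destination)
    return any(ip in ipaddress.ip_network(route, strict=False) for route in client_routes)


def decide(destination, policies, split_tunnel, client_routes):
    """Returns (through_tunnel, policy_name, permitted).  Traffic that bypasses the
    tunnel never reaches the appliance, so no policy is consulted for it."""
    if not uses_tunnel(destination, split_tunnel, client_routes):
        return (False, None, None)
    policy = select_policy(policies, destination)
    if policy is None:
        return (True, None, None)          # no policy: behaviour is the appliance default
    return (True, policy.name, policy.permission == "PERMIT")


if __name__ == "__main__":
    # Constructed sample: a catch-all deny, a LAN permit, and a single blocked host.
    policies = [
        SslVpnPolicy("all-users", "all", "DENY"),
        SslVpnPolicy("lan", "10.10.10.0/24", "PERMIT"),
        SslVpnPolicy("fileserver-blocked", "10.10.10.25", "DENY"),
    ]
    routes = ["10.10.10.0/24"]
    for dest in ("10.10.10.25", "10.10.10.26", "198.51.100.7"):
        print(dest, "split:", decide(dest, policies, True, routes),
              "full:", decide(dest, policies, False, routes))
```

The third sample destination is the one worth noticing: in Split Tunnel Mode it never enters the tunnel, so the catch-all deny is never applied to it, while in Full Tunnel Mode the same packet reaches the appliance and is denied.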

Page 187: ...e your settings, or click Reset to revert to the saved settings. Viewing the SSL VPN Client Portal: To view the SSL VPN Client Portal, click VPN on the menu bar, and then click SSL VPN Client > SSL VPN Client Portal in the navigation tree. NOTE Remote users will use the Portal URL to access the VPN portal. The client portal provides remote access to the corporate network through the following options in th...

Page 188: ...ecurity. NOTE For more information or to order the VeriSign Identity Protection service, visit the following website: www.cisco.com/go/viptoken. Configuring VeriSign Identity Protection: STEP 1 Click VPN on the menu bar, and then click VeriSign ID Protection > VIP Configuration in the navigation tree. The VIP Configuration page appears. STEP 2 To activate or disable your service, complete the following tasks...

Page 189: ...e RA file. The password encrypts the private key provided in the certificate and is required to decrypt and use it. b. Click Upload to upload the certificate. Managing User Credentials for VeriSign Service: Use this page to associate VeriSign tokens with your users. NOTE Your users must be configured in Administration first. See Users, page 191. STEP 1 Click VPN on the menu bar, and then click VeriSign ID Pr...

Page 190: ...ntial identifier must be unique and must not be added if it is already present in the token configuration table. User Name: Choose the user to associate with the token number. Each credential identifier can be associated with only one user. After the user has been associated with a credential, the same user cannot be associated with a different credential. Only available users are shown in the user list...

Page 191: ...ing Certificates for Authentication, page 212. Configuring RADIUS Server Records, page 213. Users: You can use the Users page to assign user names, passwords, and access policies. There are two default accounts. You can change the user name and password for these accounts, but you cannot change the user policies. admin: The administrator account, which has read/write access to all settings. guest: A guest accoun...

Page 192: ...ck the box and then click Delete. To select all entries, check the box in the first column of the table heading. After you click Add or Edit, the Domains Configuration page appears. STEP 3 Enter the following information. Domain Name: Enter a unique identifier for the domain. Authentication Type: Choose the authentication type for this domain. Portal Layout Name: Choose a portal layout. Layouts are configured...

Page 193: ...ntries, check the box in the first column of the table heading. After you click Add or Edit, the Groups Configuration page appears. STEP 3 Enter the following information. Group Name: Enter a unique identifier for the group. You can use any alphanumeric characters. Domain: Assign a domain from the drop-down list of authentication domains. Idle Timeout: Enter the number of minutes that a device can be idle be...

Page 194: ...ar, and then click Users > Users in the navigation tree. The Users page appears, with the List of Users table. STEP 2 To add a user, click Add, or to edit a user's information, click the button in the Edit column. The User Configuration page appears. STEP 3 Enter the following information. User Name: Enter a unique identifier for the user. It can include any alphanumeric...

Page 195: ...to 999. The timeout value for the individual user has precedence over the timeout for the group. If you want to ensure that the group's timeout settings are used, set this value to 0. NOTE Every user is added as a local user with a password; when the user is assigned to an external authentication mechanism based on the group, certain attributes, such as the local password, are ignored. STEP 4 Click Apply...

Page 196: ...the Edit User Policies column. When the User Policy By Client Browser page appears, enter the following information. In the User Policy By Client Browser area, choose whether to Deny Login from Defined Browsers or to Allow Login only from Defined Browsers. To add a browser, click Add, choose the browser, and then click Apply. To delete a browser, check the box and then click Delete. Note that the browser type is whatever the client reports about itself (its User-Agent header), so this policy steers legitimate users and is not a control against a deliberate attacker. User Login Policy By IP A...

Page 197: ...atically install it by using a PAK (Product Authorization Key). You install and manage licenses from the License Management page. The device supports these types of licenses: SSL VPN License: provides remote access for employees, partners, and consultants. This is a permanent license, with no usage period and no renewal required. The default number of users that it supports is 2. For the SA 520 and SA 520W platf...

Page 198: ...ws if the license is installed or not installed. If you are installing the security appliance for the first time, the IPS license status is "not installed". For the SSL VPN license, 2 licenses are installed by default. Licenses cannot be transferred or revoked once they are installed. Installed: Current number of licenses installed. Max: Maximum number of licenses supported. Expiration: Date on which the licen...

Page 199: ...ter your PAK ID and Cisco.com username and password. These credentials are required for the device to authenticate to the Cisco server. NOTE Make sure that the security appliance is set to the current time, or the license will not install properly. See Configuring the Time Settings, page 207. License File downloaded from Cisco.com: Installs a license that was previously downloaded to your PC. STEP 3 After...

Page 200: ...Configuration > Network in the navigation tree. The Firmware Configuration (Network) page appears. STEP 2 Perform the following tasks as needed. Status: Displays the firmware status, including the primary and secondary firmware version, the time when the firmware check was last performed, the latest available image for your device, and a link to the latest firmware release notes on Cisco.com. See http://www.cisco.com...

Page 201: ...ttings. To upgrade your firmware and reset your security appliance to the factory default settings, click Browse, locate and select the configuration file, and then click Upload Factory Reset. When the operation is complete, the security appliance restarts automatically with the new settings. Backup/Restore Settings: To save a copy of your current settings, click Backup. Read the warning that appears, and th...

Page 202: ...ngs will be lost. Back up your settings to ensure that you can restore them later if needed. Wait until the process is complete: 1. Do NOT close the browser window. 2. Do NOT go online. 3. Do NOT turn off or power cycle the router. 4. Do NOT shut down the computer. 5. Do NOT remove or unmount the USB device. STEP 1 Click Administration on the menu bar, and then click Firmware Configuration > USB in the navigation...

Page 203: ...or information about downloading firmware upgrade files, see Upgrading the Firmware, page 26. The router will take several minutes to complete the upgrade. While the upgrade is in progress, the Test LED on the front panel of the router will light up. Wait until the light goes off before accessing the router again. When the image upload is complete, the router will automatically restart. After a successful...

Page 204: ...and then click Ping. The results appear in the Command Output page. Click Back to return to the Diagnostics page. To view the route between the security appliance and a destination, enter the IP Address of the destination and then click Traceroute. The results appear in the Command Output page. The report includes up to 30 hops (intermediate routers) between this security appliance and the destination. Clic...

Page 205: ...ing information. Enabled Traffic Metering: Check this box to enable traffic metering on the port. The security appliance will keep a record of the volume of traffic going from this interface. You also can configure the security appliance to place a restriction on the volume of data being transferred. Traffic Limit Type: Choose one of the following options: No Limit: The default option, where no limits on d...

Page 206: ...Specific Time: Choose this option if you want the counter to restart at a specified date and time. Then enter the time in hours (HH) and minutes (MM), and select the day of the month (1st to Last). Send E-mail Report before restarting counter: Choose this option to send an email report before the traffic counter is restarted. The email is sent to the address configured in the Logging section, if logging is en...

Page 207: ...your time zone, whether or not to adjust for Daylight Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. The security appliance then gets its date and time information from the NTP server. Accurate time also matters for certificate validity checks and for correlating the appliance's log timestamps with other systems. Follow the steps below to configure NTP and time settings. STEP 1 Click Administration on the menu bar, and then click Time Zone in the navigation tree. The Time Zone...

Page 208: ...sing through the router, or packets that are dropped due to source MAC filtering. NOTE Enabling logging options can generate a significant volume of log messages and is recommended for debugging purposes only. STEP 1 Click Administration on the menu bar, and then click Logging > Logging Config in the navigation tree. The Local Logging Config page appears. STEP 2 Check the box for each logging option that...

Page 209: ...egment. This option is useful when the Default Outbound Policy is Block Always (see the Firewall Rules page under the Firewall menu). For example, say that you want a record of every successful SSH connection from the LAN to the WAN. You would check the LAN to WAN box under Accepted Packets. Whenever a LAN machine makes an SSH connection to the WAN, a message is logged. This example assumes that your...

Page 210: ...ry logged message will include this identifier as a prefix, for easier identification of the source of the message. The log identifier is added to email and syslog messages. STEP 3 In the Enable E-Mail Logs area, enter the following information. Enable E-Mail Logs: Check this box to enable email logs. E-mail Server Address: Enter the IP address or Internet name of an email server. The router will connect t...

Page 211: ...f the server in the SysLog Server field. STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings. Logs Facility: A variety of events can be captured and logged for review. These logs can be sent to a syslog server or emailed to a specified address. You can also specify which system messages are logged based on the facility that generated the message and its severity leve...
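The logging pages above describe three things that the receiving syslog server sees encoded in each message: the facility and severity (carried in the syslog PRI field), the log identifier prefix, and the notify level that decides which severities are kept. The following is an added example, not code from the Cisco guide or firmware, that decodes PRI and applies a notify level over a few constructed lines. The sample lines, the `SA520-HQ` identifier and the use of the `local0` facility are all made up for illustration, and the line format is plain RFC 3164 (BSD syslog), not a documented appliance format; the "IPS" facility chosen in the Configuration Utility is the appliance's own grouping and is not the same thing as the numeric syslog facility decoded here.

```python
"""Decode the syslog PRI field and filter messages by facility and severity,
the way a syslog server applies a notify level to this appliance's logs.
Added example, not from the Cisco SA 500 guide or firmware.  Sample lines,
the 'SA520-HQ' identifier and the local0 facility are constructed; the line
format is generic RFC 3164, not a documented appliance format."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# index 0 is most severe; notify level "informational" keeps indexes 0..6
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag: message   (host is where an identifier prefix lands)
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line):
    """One syslog line to a record, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "message": m.group(5)}


def select(lines, notify_level="informational", facility=None, host=None):
    """Keep records at or above notify_level (and optionally from one facility
    or one identifier); lines that do not parse are dropped, not guessed at."""
    cutoff = SEVERITIES.index(notify_level)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SEVERITIES.index(rec["severity"]) > cutoff:
            continue
        if facility is not None and rec["facility"] != facility:
            continue
        if host is not None and rec["host"] != host:
            continue
        kept.append(rec)
    return kept


# Constructed sample input (not real appliance output).
SAMPLE = [
    "<134>Jan 12 10:01:02 SA520-HQ firewall: LAN->WAN ACCEPT TCP 192.168.75.20:51514 -> 203.0.113.9:22",
    "<132>Jan 12 10:01:05 SA520-HQ ips: Detect and Prevent: P2P BitTorrent blocked from 192.168.75.31",
    "<135>Jan 12 10:01:07 SA520-HQ kernel: debug trace, link state unchanged",
    "<38>Jan 12 10:01:09 SA520-HQ login: authorized login for admin from 192.168.75.5",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for rec in select(SAMPLE):
        print(rec["facility"], rec["severity"], rec["tag"], rec["message"])
```

With the guide's default notify level of Informational, the debug line is dropped and the unparseable line is ignored rather than mis-filed; raising the level to Warning leaves only the IPS message, which is the kind of filter you would put in front of an alerting rule.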

Page 212: ...icate the identity of users and systems and are issued by Certification Authorities (CAs) such as VeriSign, Thawte, and other organizations. Digital Certificates are used by this router during the Internet Key Exchange (IKE) authentication phase to authenticate connecting VPN gateways or clients, or to be authenticated by remote entities. Trusted Certificates (CA Certificate): Trusted Certificates, or CA certif...

Page 213: ...cate from the PC or the USB device, click Browse, find and select the certificate, and then click Upload. To delete a certificate, check the box to select the certificate and then click Delete. To get the router's certificate (with .pem extension), click the check box to select the certificate and then click Download. Configuring RADIUS Server Records: This page allows the user to configure details of any RAD...

Page 214: ...he RADIUS server that is used to send the RADIUS traffic. Secret: Enter the shared key that is configured on the RADIUS server. The Secret can contain all characters except for single quote, double quote, and space. Use a long, random value: the shared secret is the only thing that hides user passwords in RADIUS requests and authenticates the server's replies. Timeout: Enter the number of seconds that the connection can exist before re-authentication is required. Retries: Enter the number of retries for the device to re-authenticate with the RADIUS s...
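The RADIUS record above asks only for a Secret and a character rule for it; what that secret protects is not spelled out. The following is an added example, not code from the Cisco guide or firmware, implementing the two places RFC 2865 uses the shared secret, the hiding of the User-Password attribute (section 5.2) and the Response Authenticator on the server's reply (section 3), together with the guide's character rule for the Secret field. The secret, password and Request Authenticator are constructed; nothing here is taken from the appliance.

```python
"""What the RADIUS shared secret protects.  Added example, not from the Cisco
SA 500 guide or firmware: RFC 2865 User-Password hiding (section 5.2) and the
Response Authenticator (section 3), plus the guide's character rule for the
Secret field.  The secret, password and Request Authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FORBIDDEN_IN_SECRET = set("'\" ")      # the guide: no single quote, double quote or space


def secret_is_valid(secret):
    """Non-empty and free of the characters the Secret field rejects."""
    return bool(secret) and not (set(secret) & FORBIDDEN_IN_SECRET)


def hide_password(password, secret, request_authenticator):
    """User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    pw = password.encode() or b"\x00"          # an empty password still yields one block
    pw += b"\x00" * (-len(pw) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password.  Anyone holding the secret can do this to a
    captured request, which is why a guessable secret discloses passwords."""
    pw, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret.encode() + prev).digest()
        pw += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return pw.rstrip(b"\x00").decode(errors="replace")


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret) over the reply."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret.encode()).digest()


def reply_is_authentic(code, identifier, attributes, request_authenticator, secret, received):
    """True only if the reply was built by a party holding the same secret."""
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received)     # constant-time comparison


if __name__ == "__main__":
    ra = bytes(range(16))                      # constructed; real clients use 16 random bytes
    secret = "RadiusKey42"
    hidden = hide_password("s3cret-pass", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("recovered with secret:", unhide_password(hidden, secret, ra))
    auth = response_authenticator(ACCESS_ACCEPT, 7, b"", ra, secret)
    print("reply authentic:", reply_is_authentic(ACCESS_ACCEPT, 7, b"", ra, secret, auth))
```

Note what the construction does and does not give you: the reply is authenticated, but the password hiding is an MD5 keystream over a 16-byte-per-block key, so a short or dictionary-word secret can be recovered offline from one captured request, and the secret has to be protected on both the appliance and the server as carefully as any administrator password.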

Page 215: ...the gateway's LAN IP address and HTTP, or from the WAN by using the gateway's WAN IP address and HTTPS (HTTP over SSL). The Remote Management page allows you to access the router from a remote WAN network. The security appliance allows remote management securely using HTTPS. NOTE Disabling RMON prevents SSL VPN access. NOTE IMPORTANT When remote management is enabled, the router is accessible to a...

Page 216: ...rom: the starting IP address for the allowed range. To: the ending IP address for the allowed range. IP Address: IP address of the PC given remote management permissions. Port Number: Displays the port number used for remote connection. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. CDP (Cisco Discovery Protocol): CDP is a device discovery protocol that runs on all Ci...

Page 217: ...mer is the amount of time the information sent in the CDP packet should be cached by the device which receives the CDP packet, after which the information expires. STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. SNMP (Simple Network Management Protocol): SNMP lets you monitor and manage your router from an SNMP manager. SNMP provides a remote means to monitor a...

Page 218: ...rt of the IP address to which the trap messages will be sent. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings. Configuring SNMP System Info: You can use this page to configure the MIB (Management Information Base) fields. STEP 1 Click Network Management on the menu bar, and then click SNMP > SNMP System Info in the navigation tree. The SNMP System Info page appears. ST...

Page 219: ...The UPnP page appears. STEP 2 Enter the following information. Do you want to enable UPnP? Check this box to enable UPnP support, or uncheck it to disable it. If disabled, the router will not allow automatic device configuration. Note that UPnP lets any device on the LAN request port mappings through the firewall without authentication, so leave it disabled unless an application you trust requires it. Advertisement Period: This is the period, in seconds, of how often this router will broadcast its UPnP information to all devices within range. Advertisement Time to Live: This is...

Page 220: ...s. These auto-generated addresses are in the range 169.254.x.x. If your IP address is in this range, check the connection from the PC to the firewall and reboot your PC. STEP 4 If your IP address has changed and you don't know what it is, reset the security appliance to the factory default settings, including the firewall IP address 192.168.75.1. NOTE If you do not want to reset to factory default settings a...

Page 221: ...ty appliance cannot access the Internet. Possible cause: If you use dynamic IP addresses, your security appliance is not requesting an IP address from the ISP. Recommended action: STEP 1 Launch your browser and determine if you can connect to an external site such as www.google.com. STEP 2 Launch the Configuration Utility. STEP 3 Click Status on the menu bar, and then click Device Status > Device Status in...

Page 222: ...gin. Choose the correct ISP Connection Type, and then enter the account information as specified by the ISP: User Name, Password, and Secret (if applicable). Does your ISP check for your PC's hostname? If yes, in the User Name field enter the PC hostname that is required for your ISP account. Is your ISP expecting you to log in from a particular Ethernet MAC address? If yes, in the Router's MAC Address area, ch...

Page 223: ...ration on the menu bar, and then click Time Zone in the navigation tree. STEP 2 Review the settings for the date and time. STEP 3 Verify your Internet access settings. Symptom: The time is off by one hour. Possible cause: The security appliance does not automatically adjust for Daylight Savings Time. Recommended action: STEP 1 Click Administration on the menu bar, and then click Time Zone in the navigation...

Page 224: ...path is working, you see this message sequence: "Pinging <IP address> with 32 bytes of data" followed by "Reply from <IP address>: bytes=32 time=NN ms TTL=xxx". If the path is not working, you see this message sequence: "Pinging <IP address> with 32 bytes of data" followed by "Request timed out". STEP 5 If the path is not working, test the physical connections between the PC and the security appliance. If the LAN port LED is off, go to the LED...

Page 225: ...uration of your PC is assigned by DHCP, this information is not visible in your PC's Network Control Panel. Verify that the network (subnet) address of your PC is different from the network address of the remote device. Verify that the cable or DSL modem is connected and functioning. Call your ISP and go through the questions listed in Symptom: The security appliance still cannot obtain an IP address fro...

Page 226: ...the navigation tree. In the Backup/Restore Settings area, click Default. OR: Press and hold the Reset button on the front panel of the security appliance for about 10 seconds, until the Test LED lights and then blinks. Release the button and wait for the security appliance to reboot. If the security appliance does not restart automatically, manually restart it to make the default settings effective. Aft...

Page 227: ...able for port forwarding and firewall configuration. If you want to configure a port forwarding rule or a firewall rule for a service that is not on this list, you can create a custom service for that purpose. See Creating Custom Services, page 122. Standard services: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU SEEME UDP, CU SEEME TCP, DNS UDP, DNS TCP, FINGER, FTP, HTTP, HTTPS, ICMP TYPE 3, ICMP TYPE 4, ICMP TYPE 5...

Page 228: ...ICMP TYPE 6, ICMP TYPE 7, ICMP TYPE 8, ICMP TYPE 9, ICMP TYPE 10, ICMP TYPE 11, ICMP TYPE 13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL AUDIO, REXEC, RLOGIN, RTELNET, RTSP TCP, RTSP UDP, SFTP, SMTP, SNMP TCP...

Page 229: ...Standard Services (continued): SNMP UDP, SNMP TRAPS TCP, SNMP TRAPS UDP, SQL NET, SSH TCP, SSH UDP, STRMWORKS, TACACS, TELNET, TFTP, VDOLIVE...

Page 230: ...IEEE 802.3x full-duplex flow control; IEEE 802.3ab 1000BASE-T, Auto MDI/MDIX; IEEE 802.3z 1000BASE-X; IEEE 802.3 CSMA/CD; IEEE 802.3i 10BASE-T; IEEE 802.3u 100BASE-TX; IEEE 802.3x full-duplex flow control; IEEE 802.3ab 1000BASE-T, Auto MDI/MDIX; IEEE 802.3z 1000BASE-X; IEEE 802.11n; IEEE 802.11b/g/n; IEEE 802.3 CSMA/CD; IEEE 802.3 10BASE-T; IEEE 802.3u 100BASE-TX; IEEE 802.3ab 1000BASE-T; IEEE 802.3x full duple...

Page 231: ... port 1 X USB connector for USB 2 0 Operating Temperature 32 to 104ºF 0 to 40ºC 32 to 104ºF 0 to 40ºC 32 to 104ºF 0 to 40ºC Storage Temperature -4 to 158ºF -20 to 70ºC -4 to 158ºF -20 to 70ºC -4 to 158ºF -20 to 70ºC Operating Humidity 10 to 90 percent relative humidity non condensing 10 to 90 percent relative humidity non condensing 10 to 90 percent relative humidity non condensing Storage Humidity 5 to...

Page 232: ...RU 19 in rack mountable 1 RU 19 in rack mountable 1 RU 19 in rack mountable Dimensions H x W x D 1 3 4 x 12 1 8 x 7 1 8 inches 44 x 308 x 180 mm 1 3 4 x 12 1 8 x 7 1 8 inches 44 x 308 x 180 mm Antenna adds approximately 6 3 4 inches 171 mm to height and 1 2 8 inches 30 mm to depth 1 3 4 x 12 1 8 x 7 1 8 inches 44 x 308 x 180 mm Weight with Power Supply 4 91 lb 5 15 5 14 lb Feature SA 520 SA 520W S...

Page 233: ...cisco Administrator Password cisco Allow ICMP echo replies good for validating connectivity disable Date and Time Automatic Time Update enable Date and Time Daylight Savings Time enable Date and Time Protocol NTP Date and Time Time Zone Pacific Time US Canada DDNS disable HTTP Remote Access enable HTTPS Remote Access enable Secure Telnet over SSL enable if applicable SNMP Trusted Peer IP address ...

Page 234: ...e System Logging Notify Level Informational System Logging disable System Logging Log UnAuthorized Login Attempts enable System Logging Log Authorized Login Attempts enable System Logging Log System Errors enable System Logging Configuration Changes enable Email Server Requires Authentication disable Cisco Discovery Protocol enabled on LAN disabled on WAN port Bonjour enabled on LAN disabled on WA...

Page 235: ...IP Address 10 1 1 50 VLAN Voice End IP Address 10 1 1 254 VLAN Voice Subnet Mask 255 255 255 0 VLAN Data Lease Time in Minutes 1440 HTTP Remote Access disable HTTPS Remote Access disable VLAN Data Name Data VLAN VLAN Data VLAN Number untagged packets 1 VLAN Data IP Address See Product Tab VLAN Data IP Address Distribution DHCP Server VLAN Data Start IP Address 192 168 x 50 VLAN Data End IP Address...

Page 236: ... client WAN2 MTU 1500 WAN2 Outgoing Traffic Bandwidth Limit disable Allow ICMP echo replies good for validating connectivity disable HTTPS Remote Access disable Routing RIP1 2 disable Inter VLAN routing enable disable on DMZ VLAN Static Routing disable IPv4 and IPv6 IPv4 Only IPSec Signaling Authentication Key Exchange Method Automatic IPSec Signaling Authentication Auto Reconnect enable IPSec Sig...

Page 237: ...up 2 1024 bit IPSec Signaling Authentication Phase 1 Lifetime in Seconds 28800 IPSec Signaling Authentication Phase 1 Rekey Margin 540 IPSec Signaling Authentication Phase 1 Rekey Fuzz Percent 100 IPSec Signaling Authentication Phase 1 Negotiation Attempts Infinite IPSec Signaling Authentication Phase 2 Encryption Algorithm 3DES CBC AES 256 IPSec Signaling Authentication Phase 2 Authentication Alg...

Page 238: ...Setting VLAN Voice VLAN Number 802 1q tagged packets 100 VLAN Voice Name optional Voice VLAN SSID Name cisco voice SSID Broadcast disable Wireless Isolation within SSID disable 802 1q Priority 5 802 11e Priority 6 VLAN Data VLAN Number untagged packets 1 VLAN Data IP Address Assignment Management DHCP Client VLAN Data IP Address Failover when no DHCP Server Available See Product Tab VLAN Data Subn...

Page 239: ...abled Wireless Isolation between SSIDs enabled Wireless Network Mode Mixed 802 11b g n Wireless Channel Auto CTS Protection Mode disabled Basic Data Rates Advertised All Beacon Interval 100 ms DTIM Interval 2 ms RTS Threshold 2347 Fragmentation Threshold 2346 Power Output 100 Radio disabled 802 1x supplicant disabled Clustering of Access Points unique to AP54x disabled Broadcast Multicast Rate Lim...

Page 240: ...iations supported 200 Antenna Selection automatically selects best antenna Auto WMM APSD Power mode setting On AP Detection for neighbor AP both rogue and known APs enabled For a multiple radio AP which radio this WDS link is using Radio 1 Arbitration Inter Frame Spacing AIFS 4 queues 1ms 1ms 3ms 7ms Minimum contention window 4 queues 3ms 7ms 15ms 15ms Maximum Burst 4 queues 1 5ms 3ms 0ms 0ms Maxi...

Page 241: ... 21 HTTPS Administration Access 443 Dual Link Mode 802 3ad Link Aggregation Active Backup Active Backup Idle Drive Spin Down 1 8 hours 1 day 8 hours Public access to share Read only Idle Disconnect Timeout 5 minutes Banner Welcome to the Cisco Small Business FTP Server Allow Anonymous Access disable Allow Anonymous File Upload disable Allow Anonymous File Download enable Maximum Anonymous Transfer...

Page 242: ...e Setting Feature Setting UPnP Disabled Remote Management Disabled CDP Enabled on LAN disabled on WAN Disabled on WAN Firewall Inbound Deny Outbound Allow Respond to Ping on Internet Disabled Enable Stealth Mode Enable Block TCP Flood Enable Block UDP Flood Enable Block ICMP Notification Enable Block Fragmented Packets Enable Block Multicast Packets Enable SYN Flood Detect Rate 128 max sec Echo St...

Page 243: ...Factory Default Settings Security Settings Cisco SA 500 Series Security Appliances Administration Guide 243 D ...

Page 244: ... Customer Support www cisco com en US support tsd_cisco_ small_business_support_center_ contacts html SA 500 Series Support www cisco com go sa500help QuickVPN Support www cisco com go quickvpn QuickVPN Software www cisco com go qvpnsoftware Warranty and End User License Agreement www cisco com go warranty Open Source License Notices www cisco com go osln Regulatory Compliance and Safety Informati...
