manualshive.com logo in svg

Cisco ISA500 Series, Руководство администратора

"Серия Cisco ISA500 предлагает аппаратное обеспечение для безопасности малого бизнеса. Административное руководство может быть загружено бесплатно с официального веб-сайта. Получите подробное руководство по настройке и управлению продуктом на manualshive.com."

Поделиться
Скачать
background image

Firewall

Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic

Cisco ISA500 Series Integrated Security Appliance Administrator Guide

179

6

 

The default access behaviors for all predefined zones and new zones follow the 
above settings depending on their security levels. For example, if you create a 
new trusted zone called “Data”, a certain of firewall access rules are automatically 
generated to permit or block the traffic from the Data zone to other zones or from 
other zones to the Data zone. The permit or block action is determined by the 
security levels of the From and To zones. For example, the traffic from the Data 
zone to the predefined WAN zone is permitted, but the traffic from the Data zone to 
the predefined LAN zone is blocked. 

Use the Default Policy page to view the default firewall access settings for all 
predefined zones. 

STEP 1

Click 

Firewall

 

-> ACL Rules ->

 

Default Policy

The Default Policy window opens. The default access settings for all predefined 
zones are listed in the table. 

STEP 2

To expand the default access settings for a specific zone, click the 

Expand

 button. 

To hide the default access settings for a specific zone, click the 

Collapse

 button. 

The following behaviors are predefined on the security appliance. 

Public(50)

Deny

Deny

Deny

Permit

Permit

GUEST(25)

Deny

Deny

Deny

Deny

Permit

Untrust(0)

Deny

Deny

Deny

Deny

Deny

From\To

Trusted(100)

VPN(75)

Public(50)

GUEST(25)

Untrust(0)

From \To

LAN

VIOCE

VPN

SSLVPN

DMZ

GUEST

WAN

LAN

NA

Deny

Permit

Permit

Permit

Permit

Permit

VOICE

Deny

NA

Permit

Permit

Permit

Permit

Permit

VPN

Deny

Deny

NA

Deny

Permit

Permit

Permit

SSLVPN

Deny

Deny

Deny

NA

Permit

Permit

Permit

DMZ

Deny

Deny

Deny

Deny

NA

Permit

Permit

GUEST

Deny

Deny

Deny

Deny

Deny

NA

Permit

WAN

Deny

Deny

Deny

Deny

Deny

Deny

NA

Содержание ISA500 Series

Страница 1: ...Cisco Small Business ISA500 Series Integrated Security Appliance ADMINISTRATION GUIDE ...

Страница 2: ... and or its affiliates in the U S and other countries A listing of Cisco s trademarks can be found at www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1005R ...

Страница 3: ...orrect the interference by one of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio TV technician for help FCC Caution Any changes or modifications not expressly approved by the...

Страница 4: ...iated power e i r p is not more than that necessary for successful communication Le manuel d utilisation de dispositifs émetteurs équipés d antennes amovibles doit contenir les informations suivantes dans un endroit bien en vue Ce dispositif a été conçu pour fonctionner avec une antenne ayant un gain maximal de 1 8 dBi Une antenne à gain plus élevé est strictement interdite par les règlements d In...

Страница 5: ...ven to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring Appropriate consideration of equipment nameplate ratings should be used when addressing this concern ...

Страница 6: ...6 OL 23370 01 ...

Страница 7: ... Using the Help System 25 Using the Management Buttons 25 About the Default Settings 25 Performing Common Configuration Tasks 27 Changing the User Name and Password of the Default Administrator Account at Your First Login 27 Saving Your Configuration 28 Upgrading the Firmware if needed 29 Resetting the Device 30 Chapter 2 Wizards 32 Using the Startup Wizard 32 Using the Wireless Wizard to Configur...

Страница 8: ...icies 57 Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access 58 Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels 58 Configuring the Cisco IPSec VPN User Groups 63 Using SSL VPN to Establish the SSL VPN Tunnels 63 Configuring the SSL VPN Group Policies 66 Configuring the SSL VPN User Groups 69 Chapter 3 Status 70 System Status 70 Interface ...

Страница 9: ...ccess Control on Physical Ports 98 Configuring the Port Mirroring 100 Configuring the WAN 101 Configuring the Primary WAN 101 Configuring the Secondary WAN 104 Configuring the Network Addressing Mode 106 Configuring the PPPoE Profiles 111 Configuring the WAN Redundancy 112 Loading Balancing for WAN Redundancy 113 Load Balancing with Policy based Routing Configuration Example 115 Failover for WAN R...

Страница 10: ...guring the WAN Queue Settings 142 Configuring the Traffic Selectors for WAN Interfaces 144 Configuring the WAN QoS Policy Profiles 145 Mapping the WAN QoS Policy Profiles to WAN Interfaces 146 Configuring the LAN QoS 147 Configuring the LAN Queue Settings 147 Configuring the LAN QoS Classification Methods 148 Mapping CoS to LAN Queue 149 Mapping DSCP to LAN Queue 149 Configuring Default CoS 149 Co...

Страница 11: ...4 Chapter 6 Firewall 177 Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic 178 Default Firewall Settings 178 Priorities of Firewall Access Rules 180 Preliminary Tasks for Configuring the Firewall Access Rules 180 General Settings for Configuring the Firewall Access Rules 181 Configuring a Firewall Access Rule 183 Configuring a Firewall Access Rule to Allow the Multicast...

Страница 12: ...g the Application Level Gateway 209 Chapter 7 Security Services 210 Managing the Security Services 210 About the Security Services 211 Security License 212 Priority of Security Services 212 Managing the Security Services 212 Viewing the Security Service Reports 214 Intrusion Prevention Service 214 General IPS Settings 215 Configuring the IPS Policy and Protocol Inspection 216 Blocking the Instant ...

Страница 13: ...ode 241 General Settings 242 Configuring the Group Policies for Cisco IPSec VPN Client 243 Configuring the Site to Site VPN 246 Configuration Tasks to Establish a Site to Site VPN 246 General Site to Site VPN Settings 247 Configuring the IPSec VPN Policies 248 Configuring the IPSec IKE Policies 254 Configuring the IPSec Transform Policies 256 Configuring the SSL VPN 257 Elements of the SSL VPN 258...

Страница 14: ...cation Settings 277 Authentication Methods for User Login 278 Using Local Database for Authentication 279 Using RADIUS Server for Authentication 279 Using Local Database and RADIUS Server for Authentication 282 Using LDAP for Authentication 283 Using Local Database and LDAP for Authentication 286 Configuring the User Session Settings 286 Viewing Active User Sessions 287 Chapter 10 Device Managemen...

Страница 15: ...the Logs 306 Managing the Security License 307 Checking the License Status 308 Renewing the Security License 309 Managing the Certificates for Authentication 310 Viewing the Certificate Status 310 Managing the Certificates 311 Exporting the Certificates to Local PC 312 Exporting the Certificates to a USB Device 313 Importing the Certificates from Your Local PC 313 Importing the Certificates from a...

Страница 16: ...tings 332 Appendix A Troubleshooting 333 Internet Connection 333 Date and Time 336 Pinging to Test LAN Connectivity 337 Testing the LAN Path from Your PC to Your Security Appliance 337 Testing the LAN Path from Your PC to a Remote Device 338 Restoring Factory Default Settings 339 Appendix B Technical Specifications and Environmental Requirements 340 Appendix C Factory Default Settings 343 Device M...

Страница 17: ...Cisco ISA500 Series Integrated Security Appliance Administration Guide 11 Contents Appendix D Where to Go From Here 365 ...

Страница 18: ... Started with the Configuration Utility page 23 About the Default Settings page 25 Performing Common Configuration Tasks page 27 Introduction The Cisco ISA500 Series Integrated Security Appliances are a set of Unified Threat Management UTM security appliances that provide business class security gateway solutions with zone based firewall site to site and remote access VPN including Cisco IPSec VPN...

Страница 19: ...orts 1 USB 2 0 port and 802 11b g n ISA570 Cisco ISA570 Integrated Security Appliance 1 WAN port 4 LAN ports 5 configurable ports and 1 USB 2 0 port ISA570W Cisco ISA570 Integrated Security Appliance with WiFi 1 WAN port 4 LAN ports 5 configurable ports 1 USB 2 0 port and 802 11b g n Feature ISA550 ISA550W ISA570 ISA570W Firewall Throughput 1000B 150 Mbps 150 Mbps 300 Mbps 300 Mbps Firewall Throug...

Страница 20: ...ck Panel page17 Front Panel ISA550 Front Panel ISA550W Front Panel Maximum Concurrent Sessions 15 000 15 000 40 000 40 000 Sessions per Seconds cps 2 500 2 500 3 000 3 000 Wireless 802 11b g n No Yes No Yes IPSec Tunnels 50 50 100 100 SSL VPN Tunnels 25 25 50 50 Feature ISA550 ISA550W ISA570 ISA570W 282351 Small Business 1 VPN USB WAN LAN CONFIGURABLE POWER SYS SPEED LINK ACT 2 3 4 5 6 7 ISA550 Ci...

Страница 21: ... CONFIGURABLE POWER SYS SPEED LINK ACT 9 10 2 3 4 5 6 7 8 WLAN 281980 ISA570W Cisco Lights Description POWER SYS Indicates the power status and system status Green lights when the system is powered on and operates normally Green flashes when the system is booting Amber flashes when the system booting has a problem a device error occurs or the system has a problem VPN Indicates the Site to Site VPN...

Страница 22: ...ansmitting and receiving data WLAN ISA550W and ISA570W only Indicates the WLAN status Green lights when the WLAN is enabled and associated Green flashes when the WLAN is transmitting and receiving data SPEED Indicates the traffic rate of the associated port Off when the traffic rate is 10 or 100 Mbps Green lights when the traffic rate is 1000 Mbps LINK ACT Indicates a connection is being made thro...

Страница 23: ...del ISA550 and ISA550W Back Panel ISA570 and ISA570W Back Panel 281984 ANT02 ANT01 RESET I O POWER 12VDC 4 5 6 7 CONFIGURABLE 2 3 LAN 1 WAN ANT01 ANT02 Reset Button Power Switch Power Connector WAN Port USB Port Configurable Ports LAN Ports 281981 I O RESET ANT02 ANT01 1 6 7 8 9 10 WAN CONFIGURABLE POWER 12VDC 2 3 4 5 LAN ANT01 ANT02 Reset Button Power Switch Power Connector WAN Port USB Port Conf...

Страница 24: ...ore the configurations or to upgrade the firmware images Configurable Ports Can be set to operate as WAN LAN or DMZ ports The ISA550 and ISA550W have 4 configurable ports The ISA570 and ISA570W have 5 configurable ports LAN Ports Connects PCs and other network appliances to the unit The ISA550 and ISA550W have 2 dedicated LAN ports The ISA570 and ISA570W have 4 dedicated LAN ports WAN Port Connect...

Страница 25: ...s and 4 washers NOTE The Wall mounting kit is not included RJ 45 Ethernet cables Category 5 or higher for connecting computers WAN and LAN interfaces or other devices A computer with Microsoft Internet Explorer 8 0 or Mozilla Firefox 3 6 x or later for using the web based Configuration Utility Installation Options You can place your security appliance on a desktop mount it on a wall or mount it in...

Страница 26: ...our security appliance to the wall or the ceiling WARNING Insecure mounting might damage the device or cause injury Cisco is not responsible for damages incurred by improper wall mounting To mount the security appliance to the wall STEP 1 Determine where you want to mount the security appliance Verify that the surface is smooth flat dry and sturdy STEP 2 Insert two 18 6 mm 0 73 inch screws with an...

Страница 27: ...1 Place one of the supplied silicon rubber spacers on the side of the security appliance so that the four holes align to the screw holes Place the rack mount bracket next to the silicon rubber spacer and install the M3 screws NOTE If the M3 screws are not long enough to reattach the bracket with the silicon rubber spacer attach the bracket directly to the case without the silicon rubber spacer STE...

Страница 28: ...twork devices connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel STEP 5 For a UC 500 or a UC 300 connect an Ethernet network cable from the WAN port of the UC 500 or a UC 300 to an available LAN port of the security appliance STEP 6 For a UC500 or a UC300 connect an Ethernet network cable from the WAN port of the UC500 or UC300 to an avail...

Страница 29: ...ge 25 Using the Management Buttons page 25 Launching the Configuration Utility STEP 1 Connect your computer to an available LAN port on the back panel of the security appliance STEP 2 Start a web browser In the Address bar enter the default IP address of the security appliance 192 168 1 1 NOTE The above address is the factory default LAN address If you change this setting in the DEFAULT VLAN confi...

Страница 30: ...on pane and content pane to perform the tasks in the Configuration Utility 1 2 Number Components Description 1 Left Hand Navigation Pane The left hand navigation pane provides easy navigation through the configurable features The main branches expand to provide the features Click on the main branch title to expand its contents Click on the right arrow of a feature to open its subfeatures or click ...

Страница 31: ...ate what the buttons or icons are used for About the Default Settings The security appliance is predefined with the settings that allow you to start using the device with minimal changes needed Depending the requirements of your Internet Service Provider ISP and the needs of your business you might need to modify some of these settings You can use the Configuration Utility to customize all setting...

Страница 32: ...ddresses to connected devices rather than allowing the security appliance to act as a DHCP server See Configuring the VLAN page118 VLAN Configuration The security appliance predefines a native VLAN DEFAULT and a guest VLAN GUEST You can customize new VLANs for your specific business needs See Configuring the VLAN page118 Configurable Ports By default all configurable ports are set to act as LAN po...

Страница 33: ...a SSL VPN gateway so that remote users can securely access the corporate network resources over the VPN tunnels You can also establish a secure IPSec VPN tunnel between two sites that are physically separated by using the Site to Site VPN feature For more information about how to configure the VPN features see VPN page 232 Performing Common Configuration Tasks We strongly recommend that you comple...

Страница 34: ...user name or the reversed user name The password cannot be set as cisco ocsic or any variant obtained by changing the capitalization of letters Confirm Password Enter the new password again for confirmation STEP 3 Click Save to apply your settings Saving Your Configuration At any point during the configuration process you can save your configurations Later if you make changes that you want to aban...

Страница 35: ...n optionally encrypt the configurations for security purposes check the Encrypt box and then enter the password in the Key field and then click OK Your current settings are saved as a configuration file on the root folder of the USB device Upgrading the Firmware if needed Before you do any other tasks ensure that you are using the latest firmware version You can upgrade from a firmware file stored...

Страница 36: ...k the mounting status of the USB device Make sure that the USB Driver Status shows as UP when you use the USB device to manage the firmware c In the USB Backup Restore Settings area all firmware images located on the USB device appears in the list To upgrade the firmware and keep using the current settings select the latest firmware image from the list and then click Upgrade To upgrade the firmwar...

Страница 37: ...pliance Administration Guide 31 1 STEP 1 Click Device Management Firmware and Configuration Configuration The Configuration window opens STEP 2 In the Backup Restore Settings Revert To Factory Default Settings area click Default The security appliance will reboot with the factory default settings ...

Страница 38: ...1 Using the Site to Site Wizard to Establish the Site to Site VPN Tunnels page 53 Using the Remote Access Wizard to Establish the IPSec VPN Tunnels or SSL VPN Tunnels for Remote Access page 58 To access the Wizards pages click Wizards in the left hand navigation pane Using the Startup Wizard The Startup Wizard helps you configure the remote management port WAN LAN DMZ and WLAN for ISA550W and ISA5...

Страница 39: ...r example https xxx xxx xxx xxx 8080 Enter the following information Remote Management Click On to enable remote management by using HTTPS or click Off to disable it We recommend that you use HTTPS for secure purposes HTTPS Listen Port Number If you enable remote management by using HTTPS enter the port number to be listened on By default the listened port for HTTPS is 8080 HTTP Enable Click On bo...

Страница 40: ...itch This is the default setting The security appliance is set to one WAN port WAN1 and nine LAN ports 1 WAN 1 DMZ and 8 LAN Switch The security appliance is set to one WAN port WAN1 one DMZ port and eight LAN ports The configurable port GE10 is set to a DMZ port 1 WAN 1 WAN Backup and 8 LAN Switch The security appliance is set to two WAN ports WAN1 is the primary WAN and WAN2 is the secondary WAN...

Страница 41: ... DMZ port NOTE The configurable ports can be set as the WAN LAN and DMZ ports Up to two WAN ports and four DMZ ports can be configured on the security appliance To configure multiple DMZ ports go to the Networking DMZ page For more information see Configuring the DMZ page123 STEP 4 After you are finished click Next The Primary WAN Connection window opens From this page you can configure the primar...

Страница 42: ...width If you choose this mode then choose one of the following options and finish the setting Weighted By percentage Allows you to set the percentage for each WAN such as 80 percentage bandwidth for WAN1 and lest 20 percentage bandwidth for WAN2 Weighted By Link Bandwidth Allows you to set the rate limiting for each WAN such as 10 Mbps for WAN1 and 5 Mbps for WAN2 Use the Failover mode if you want...

Страница 43: ...the Relay IP field If you choose DHCP Server as the DHCP mode enter the following information Start IP Enter the starting IP address of the DHCP pool End IP Enter the ending IP address of the DHCP pool NOTE The starting and ending IP addresses should be in the same range as the LAN s subnet address Lease Time Enter the maximum connection time that a dynamic IP address is leased to a network user W...

Страница 44: ...the DHCP pool DHCP Relay Allows the security appliance to use a DHCP Relay If you choose DHCP Relay enter the IP address of the remote DHCP server in the Relay IP field If you choose DHCP Server as the DHCP mode enter the following information Start IP Enter the starting IP address of the DHCP pool End IP Enter the ending IP address of the DHCP pool NOTE The starting and ending IP addresses should...

Страница 45: ...ep 12 Wireless Network Mode Choose the 802 11 modulation technique The ISA550W and ISA550W supports the following radio modes 802 11b only Choose this mode if all devices in the wireless network use 802 11b Only 802 11b clients can connect to the access point 802 11g only Choose this mode if all devices in the wireless network use 802 11g Only 802 11g clients can connect to the access point 802 11...

Страница 46: ...ng the Wireless Wizard to Configure the Wireless Settings for ISA550W and ISA570W page 40 SSID Name The SSID name Security Mode Choose the encryption algorithm for data encryption for this SSID Depending on the selected security mode configure the corresponding settings See Configuring the Security Mode page162 VLAN Name Choose the VLAN to which this SSID is mapped All traffic from the wireless cl...

Страница 47: ... network use 802 11g Only 802 11g clients can connect to the access point 802 11b g mixed Choose this mode if some devices in the wireless network use 802 11b and others use 802 11g Both 802 11b and 802 11g clients can connect to the access point 802 11n only Choose this mode if all devices in the wireless network can support 802 11n Only 802 11n clients operating in the 2 4 GHz frequency can conn...

Страница 48: ... then be directed to a specified web portal after login successfully before they can access the Internet NOTE Only one SSID can be set for Guest WLAN access and Captive Portal WLAN access STEP 4 Specify the wireless connectivity settings for all enabled SSIDs Depending on the wireless connectivity type that you selected for the SSID you need to complete the relevant settings for each enabled SSID ...

Страница 49: ...et up a wireless connection to this SSID PC Visibility Check the box so that the wireless clients on the same SSID will be able to see eachother STEP 3 In the Security Settings area specify the wireless security settings Security Mode Choose the security mode and configure the correspoinding information For security purposes Cisco strongly recommends WPA2 for wireless security For example if you c...

Страница 50: ...ion SSID Enter the SSID name Broadcast SSID Check the box to broadcast the SSID in its beacon frames All wireless devices within range are able to see the SSID when they scan for available networks Uncheck the box to prevent auto detection of the SSID In this case users must know the SSID to set up a wireless connection to this SSID PC Visibility Check the box so that the wireless clients on the s...

Страница 51: ...e SSID In this case users must know the SSID to set up a wireless connection to this SSID PC Visibility Check the box so that the wireless clients on the same SSID are able to see eachother STEP 3 In the Security Settings area specify the wireless security settings Security Mode Choose the security mode and configure the correspoinding information For the complete details for how to configure the ...

Страница 52: ...r sends to your security appliance for authentication For example if you select Internal for authentication and the web portal is set to www ABcompanyC com when a wireless user tries to access the website www google com the default web authentication login page opens The user needs to enter the user name and password and then click Submit After login the user is directed to the www ABcompanyC com ...

Страница 53: ... provider Password Enter the password of the account that you registered in the DDNS provider Host Domain Name Specify the complete host name and domain name for the DDNS service STEP 3 After you are finised click Next The DMZ Configure window opens From this page you can the DMZ network For complete details see Configuring the DMZ page 48 STEP 4 After you are finished click Next The DMZ Service w...

Страница 54: ...onfigurable port from the Port list and click Access to add it to the Member list The selected configurable port will be set to a DMZ port with Access mode Zone Choose the default or custom DMZ zone to which the DMZ is mapped STEP 3 In the DHCP Pool Settings tab choose the DHCP mode from the DHCP Server drop down list Disable Choose this option if the computers on the DMZ are configured with stati...

Страница 55: ...e primary WINS server WINS 2 Optionally enter the IP address of a secondary WINS server Domain Name Optionally enter the domain name for the DMZ Default Gateway Enter the IP address of default gateway STEP 5 Click OK to save your settings STEP 6 Connect your local server to the specified DMZ port and then configure the DMZ service Configuring the DMZ Services In the DMZ Service window follow these...

Страница 56: ...r that will need to be translated You can get the IP address after you connect your local server to the specified DMZ port If the IP address you want is not in the list choose Create an IP Address to create a new IP address object To maintain the IP address objects go to the Networking Address Object Management page See Address Management page152 WAN Choose either WAN1 or WAN2 or both as the incom...

Страница 57: ... from GE 6 to GE10 as the secondary WAN interface The dedicated physical port GE1 is set as the primary WAN interface STEP 3 After you are finished click Next The Primary WAN Connection window opens Depending on the requirements of your ISP choose the network addressing mode from the IP Address Assignment drop down list for the primary WAN port and complete the corresponding fields The security ap...

Страница 58: ...2 as the primary link By default WAN1 is set as the primary link and WAN2 is set as the backup link You can also set WAN2 as the primary link Preempt Delay Timer Enter the time in seconds that the system will preempt the primary link from the backup link after the primary link is up again The default is 5 seconds STEP 6 After you are finished click Next The Network Detection window opens From this...

Страница 59: ...Wizard to Establish the Site to Site VPN tunnel page 53 Configuring the IKE Policies page 55 Configuring the Transform Policies page 57 NOTE Before you begin you need to know the subnet address of your local and remote networks and import the digital certificates for authentication between the two peers if needed Using the Site to Site Wizard to Establish the Site to Site VPN tunnel STEP 1 Click W...

Страница 60: ... same here and on the remote peer Certificate If you choose this option choose the local certificate and the peer certificate for authentication On the remote site the selected local certificate should be set as the peer certificate and the selected peer certificate should be set as the local certificate If the certificate you want is not in the list go to the Device Management Certificate Managem...

Страница 61: ...ance can support multiple subnets for IPSec VPN tunnel you may need to select a group address object including multiple VLANs for local and remote network STEP 6 After you are finished click Next The Summary window opens The Summary window displays the summary information for all configurations you made STEP 7 Click Submit to save your settings and exit the Site to Site Wizard Configuring the IKE ...

Страница 62: ... to authenticate RSA SIG is a digital certificate with keys generated by the RSA signatures algorithm In this case a certificate must be configured in order for the RSA Signature to work D H Group Choose the Diffie Hellman group identifier The identifier is used by two IPsec peers to derive a shared secret without transmitting it to each other The D H Group sets the strength of the algorithm in bi...

Страница 63: ...sures that a packet comes from where it says it comes from and that it has not been modified in transit The default is ESP_SHA1_HMAC ESP_SHA1_HMAC Authentication with SHA_1 160 bit ESP_MD5_HMAC Authentication with MD5 128 bit MD5 has a smaller digest and is considered to be slightly faster than SHA_1 A successful but extremely difficult attack against MD5 has occurred however the HMAC variant IKE ...

Страница 64: ...PSec VPN User Groups page 63 Using SSL VPN to Establish the SSL VPN Tunnels page 63 Configuring the SSL VPN Group Policies page 66 Configuring the SSL VPN User Groups page 69 Using Cisco IPSec VPN to Establish the IPSec VPN Tunnels The security appliance can function as a Cisco IPSec VPN server to allow the remote users to establish the IPSec tunnels and securely access the corporate network resou...

Страница 65: ...ose this option enter the desired value that the peer device must provide to establish a connection The pre shared key must be entered exactly the same here and on the remote clients Certificate If you choose this option choose a local certificate and a remote certificate for authentication On the remote clients the selected local certificate should be set as the remote certificate and the selecte...

Страница 66: ...is purpose Dynamic DNS has to be configured because the IP address will change due to failover or let the remote gateway use a dynamic IP address WAN Interface Choose the WAN interface that the traffic passes through over the IPSec VPN tunnel STEP 5 After you are finished click Next The Network Setting window opens From this page you can configure the mode of operation The operation mode determine...

Страница 67: ...rated by the Zone Access Control settings will be automatically added to the firewall access rule table with the priority higher than the default access rules but lower than the custom access rules STEP 7 After you are finished click Next The DNS WINS Setting window opens From this page you can specify the DNS and domain settings Primary DNS Server Enter the IP address of the primary DNS server Se...

Страница 68: ... enter the IP address in the IP filed and and netmask address in the Netmask filed and then click Add To delete a subnet choose a subnet from the list and then click Delete STEP 10 After you are finished click Next The Cisco IPSec VPN Group Policy Summary window opens The Group Policy Summary page displays the summary information for all configurations that you made for the Cisco IPSec VPN group p...

Страница 69: ...licy for the group The Cisco IPSec VPN service must be enabled for this user group so that all members of the group to securely access your network resources over the IPSec VPN tunnels STEP 3 In the Membership tab specify the members of the user group To add a member select an existing user from the User list and then click the right arrow The members of the groups appear in the Membership list To...

Страница 70: ... connectting purposes Certificate File Choose a certificate to authenticate the users who want to access your network resource through the SSL VPN tunnel Client Address Pool The SSL VPN gateway has a configurable address pool with maximum size of 255 which is used to allocate IP addresses to the remote clients Enter the IP address pool for all remote clients The client is assigned an IP address by...

Страница 71: ...L VPN client must send an IP address lease renewal request to the server Max MTU Enter the maximum transmission unit for the session Rekey Method Specify the session rekey method SSL or New Tunnel Rekey allows the SSL keys to be renegotiated after the session is established Rekey Interval Enter the frequency of the rekey in this field STEP 6 After you are finished click Next The SSL VPN Group Poli...

Страница 72: ...fter you click Add the Group Policy Add Edit window opens STEP 2 In the Basic Settings tab enter the following information Policy Name Enter the name for the SSLP VPN group policy Primary DNS Enter the IP address of the primary DNS server Secondary DNS Enter the IP address of the secondary DNS server Primary WINS Enter the IP address of the primary WINS server Secondary WINS Enter the IP address o...

Страница 73: ...d and excluded at the same time Enable Split Tunneling By default the SSL VPN gateway operates in full tunnel mode which means that all of traffic from the host is directed through the tunnel Check the box to enable the Split Tunnel mode so that the tunnel is used only for the traffic that is specified by the client routes Split Include If you enable split tunneling choose one of the following opt...

Страница 74: ...acket destined for myfavoritesearch com would be handled by the ISP s DNS By default this feature is configured on the SSL VPN gateway and is enabled on the client To use Split DNS you must also have Split Tunnel mode configured To add a domain to the Cisco AnyConnect VPN Client for tunneling packets to destinations in the private network end the domian name in the field and then click Add To dele...

Страница 75: ...he letters numbers or underline for the SSL VPN user group Services Specify the service policy for the group The SSL VPN service must be enabled for this user group Choose a SSL VPN group policy so that all members of the group at the remote site can establish the SSL VPN tunnels based on the selected SSL VPN group policy to access your network resources STEP 3 In the Membership tab specify the me...

Страница 76: ...s page 74 Wireless Status for ISA550W and ISA570W page 79 Active Users page 81 VPN Status page 81 Reports page 85 Process Status page 92 Resource Utilization page 92 To access the Status pages click Status in the left hand navigation pane System Status The Dashboard page displays the current system status To open this page click Status Dashboard Router Information System Name The device name of yo...

Страница 77: ...ult the security appliance boots up with the primary firmware To switch to the secondary firmware see Using the Secondary Firmware page 300 Bootloader Version The bootloader version Serial Number The security appliance serial number PID The product identifier PID of the security appliance also known as product name model name and product number UDI The Unique Device Identifier UDI of the security ...

Страница 78: ...s Click the number link for details Warning Total number of Warning logs Click the number link for details Notification Total number of Notification logs Click the number link for details Information Total number of Information logs SSL Users Total number of active SSL VPN sessions Click the SSL Users link for details IPSec Users Total number of active IPSec VPN sessions that initiated by your sec...

Страница 79: ...s for all VLANs click details DMZ Interface To see complete details for DMZ click details Wireless Interface To see complete details for all SSIDs click details Mode The link status of the physical interface WAN1 to WANx The name of the WAN interface IP Address The IP addresses assigned to the WAN interface Index The VLAN ID Name The VLAN name DHCP Mode The DHCP mode of the VLAN IP Address The sub...

Страница 80: ...g protocol that determines a network host s Link Layer or hardware address when only the Internet Layer IP or Network Layer address is known The ARP table displays the IP addresses and corresponding MAC addresses of the devices under your local network To open this page click Status Interface Status Show ARP Table SSID Number The SSID ID SSID Name The SSID name VLAN The VLANs to which the SSID is ...

Страница 81: ...e following information for all physical ports Device Indicates the interface for which the ARP parameters are defined IP Address The IP address assigned to the host or the remote device MAC Address The MAC address of the host or the remote device Lease Start Time The lease starting time of the IP address Lease End Time The lease ending time of the IP address Port The number of the physical port N...

Страница 82: ...nternet for the WAN interface Connection Time How long the WAN interface is connected in seconds Connection Status Shows if the WAN interface obtains an IP address successfully or not If yes the connection status shows as Connected MAC Address The MAC address of the WAN interface IP Address The IP address of the WAN interface that is accessible from the Internet Netmask The IP address of subnet ma...

Страница 83: ...able displays the traffic data for all active physical ports Name The VLAN name VID The VLAN ID Address The subnet IP address and netmask of the VLAN Physical Port The physical ports that are assigned to the VLAN Zone The zone to which the VLAN is mapped Name The DMZ name VID The VLAN ID Address The subnet IP address and netmask of the DMZ Physical Port The physical port that is assigned to the DM...

Страница 84: ...s received by the port per second Up Time How long the port has been active The uptime is reset to zero when the security appliance or the port is restarted Name The name of the WAN port Tx Pkts The number of IP packets going out of the WAN port Rx Pkts The number of IP packets received by the WAN port Collisions The number of signal collisions that have occurred on this WAN port Tx B s The number...

Страница 85: ...to view the wireless status and the number of client stations that are connected to the SSIDs It includes the following sections Wireless Status page 80 Client Status page 81 Collisions The number of signal collisions that have occurred on this VLAN Tx B s The number of bytes going out of the VLAN per second Rx B s The number of bytes received by the VLAN per second Up Time How long the LAN port h...

Страница 86: ...the following information of all active SSIDs Wireless Statistics Table This table displays the traffic data for a given SSID SSID Number The SSID ID SSID Name The SSID name MAC The MAC address of the SSID VLAN The VLAN to which the SSID is mapped Client List The number of client stations that are connected to the SSID Name The SSID name Tx Pkts The number of transmitted packets on the SSID Rx Pkt...

Страница 87: ...inate an active user session To open this page click Status Active Users You can check the following user session information VPN Status The VPN Status pages display the status and statistic information of IPSec and SSL VPN sessions You can manually connect or disconnect the VPN tunnels It includes the following sections IPSec VPN Status page 82 SSL VPN Status page 83 User Name The name of the log...

Страница 88: ...onnection type of the IPSec VPN session such as Site to Site Cisco IPSec VPN Server or Cisco IPSec VPN Client WAN Interface The WAN interface used for the IPSec VPN session Remote Gateway The IP address of the remote gateway for a Site to Site VPN session or the IP address of the remote VPN client for a Cisco IPSec VPN session Local Network The subnet IP address and netmask of your local network R...

Страница 89: ...traffic in Kilobytes transmitted from the VPN tunnel Rx Bytes The volume of traffic in Kilobytes received from the VPN tunnel Tx Pkts The number of IP packets transmitted from the VPN tunnel Rx Pkts The number of IP packets received from the VPN tunnel Session ID The SSL VPN session ID User Name The name of the connected SSL VPN user Client IP Actual The actual IP address used by the SSL VPN clien...

Страница 90: ...rames received from all clients In CSTP bytes The total number of bytes in the CSTP frames received from all clients In CSTP data The number of CSTP data frames received from all clients In CSTP control The number of CSTP control frames received from all clients Out CSTP frames The number of CSTP frames sent to all clients Out CSTP bytes The total number of bytes in the CSTP frames sent to all cli...

Страница 91: ...ontrol frames implement control functions within the protocol Data frames carry the client data such as the tunneled payload Reports The security appliance provides the report ability to help the operator or administrator analyze the system performance and security It includes the following sections Reports of Event Logs page 86 Reports of WAN Bandwidth page 87 Reports of Security Services page 87...

Страница 92: ...d IP Bandwidth This report lists the top 25 users of bandwidth usage It displays the number of megabytes transmitted per IP address since the system is up Service Bandwidth This report lists the top 25 Internet services that consume the most bandwidth It displays the number of megabytes received from the service since the system is up This report is helpful to determine whether the services being ...

Страница 93: ... for the primary WAN interface by hour in the past 24 hours STEP 5 If a secondary WAN interface is configured in the Secondary WAN tab you can see the run time network bandwidth usage for the secondary WAN interface by hour in the past 24 hours STEP 6 Click Reset to reset the network bandwidth usages for both the primary WAN and secondary WAN interfaces Reports of Security Services The Security Se...

Страница 94: ...umber of viruses detected by the Anti Virus service In the Anti Virus tab check the Enable Anti Virus Report box to enable this report and then click Save to save your settings After you enable this report the corresponding statistic information is displayed Device System Date The current date for counting the data Total since the service was actived The total number of web access requests process...

Страница 95: ...mber of files checked and the total number of viruses detected in last seven days Total for today The total number of files checked and the total number of viruses detected in one day Graph Shows the total number of files checked and the total number of viruses detected by day for last seven days Device System Date The current date for counting the data Total since the service was actived The tota...

Страница 96: ...kets dropped by the IPS service In the IPS Policy Protocol Inspection tab check the Enable IPS Policy Protocol Inspection Report box to enable this report and then click Save to save your settings After you enable this report the corresponding statistic information is displayed Device System Date The current date for counting the data Total since the service was actived The total number of packets...

Страница 97: ...er of packets for suspicious behaviors and attacks detected and the total number of packets dropped in last seven days Total for today The total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped in one day Graph Shows the total number of packets for suspicious behaviors and attacks detected and the total number of packets dropped by day for las...

Страница 98: ... number of packets blocked by day for last seven days Name The process name that is running on your security appliance Description A brief description for the running process Protocol The protocol that is used by the socket Port The port number of the local end of the socket Local Address The IP address of the local end of the socket Foreign Address The IP address of the remote end of the socket C...

Страница 99: ...emory Utilization Total Memory The total amount of memory space available on the security appliance Used Memory The amount of memory space used by the processes at current time Free Memory The amount of memory space not used by the processes at current time Cached Memory The amount of memory space used as cache at current time Buffer Memory The amount of memory space used as buffers at current tim...

Страница 100: ...IP Routing Mode page 95 Port Management page 95 Configuring the WAN page101 Configuring the WAN Redundancy page112 Configuring the VLAN page118 Configuring the DMZ page 123 Configuring the Zones page127 Configuring the Routing page130 Dynamic DNS page136 IGMP page 138 VRRP page 139 Configuring the Quality of Service page 140 Address Management page 152 Service Management page154 To access the Netw...

Страница 101: ... addressing enable the IPv4 IPv6 mode STEP 1 Click Networking IPv4 IPv6 Routing Mode The IPv4 IPv6 Routing Mode window opens STEP 2 Click IPv4 IPv6 mode to enable both IPv4 and IPv6 addressing or click IPv4 only mode to enable only IPv4 addressing STEP 3 Click Save to save your settings Port Management This section describes how to configure the physical ports enable or disable the port mirroring ...

Страница 102: ...d to forward or filter the untagged packets coming into port The PVID of a trunk port is fixed to the DEFAULT VLAN 1 Speed Duplex The duplex mode speed and duplex setting of the physical port Link Status Shows if the physical port is connected or not If you are using the ISA550W or ISA570W in the Wireless Interfaces area all active SSIDs available on your security appliance are listed in the table...

Страница 103: ...t is tagged Untagged data coming into the port is not forwarded except for the DEFAULT VLAN which is untagged Trunk mode is recommended if the port is connected to a VLAN aware switch or router Port Click On to enable the port or click Off to disable it By default all ports are enabled VLAN You can assign the physical port to VLANs To assign the port to a VLAN choose an existing VLAN from the Avai...

Страница 104: ...authorized devices 802 1X capable clients from gaining access to the network The IEEE 802 1X standard defines a client server based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports The authentication server authenticates each client supplicant in Windows 2000 XP Vista Windows 7 and Mac OS connected to a port b...

Страница 105: ...rol Check the box to enable 802 1X access control This feature is not available for Trunk ports Authenticated VLAN If you enable 802 1X access control choose the authenticated VLAN to which this port is assigned The users who authenticated successfully can access the authenticated VLAN through the port If the authentication fails block the access on the port Guest Authenticated If you enable 802 1...

Страница 106: ...ns when the link state of the port transitions from down to up or when an EAPOL start frame is received The security appliance requests the identity of the client and begins relaying authentication messages between the client and the authentication server Each client attempting to access the network is uniquely identified by the security appliance by using the client s MAC address STEP 6 Click Sav...

Страница 107: ...d to receive a public IP address from your ISP automatically through DHCP Depending on the requirements of your ISP you may need to modify the WAN settings to ensure Internet connectivity This section describes how to configure the WAN connections by using the account information provided by your ISP It includes the following sections Configuring the Primary WAN page101 Configuring the Secondary W...

Страница 108: ...u can use the unique 48 bit local Ethernet address of the security appliance as your MAC address source Use Default MAC Address Choose this option to use the default MAC address Use the Following MAC Address If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP choose this option and enter the MAC address that your ISP requires for this connec...

Страница 109: ...s Enter the number of common initial bits in the network s addresses The default prefix length is 64 Default IPv6 Gateway Enter the IPv6 address of the gateway for your ISP This is usually provided by the ISP or your network administrator Primary DNS Server Enter a valid IP address of the primary DNS Server Secondary DNS Server Optional Optionally enter a valid IP address of the secondary DNS Serv...

Страница 110: ...oose the network addressing mode for the secondary WAN depending on the requirements of your ISP For complete details see Configuring the Network Addressing Mode page 106 DNS Server Source DNS servers map Internet domain names example www cisco com to IP addresses You can get DNS server addresses automatically from your ISP or use ISP specified addresses Get Dynamically from ISP Choose this option...

Страница 111: ...curity appliance can generate its own addresses using a combination of locally available information and information advertised by routers Static IP If your ISP assigned a static IPv6 address configure the IPv6 WAN connection in the following fields IPv6 Address Enter the static IP address that was provided by your ISP IPv6 Prefix Length The IPv6 network subnet is identified by the initial bits of...

Страница 112: ... port will be the DHCP client and get the IP address from your ISP or the peer router Choose DHCP for most of Internet service providers that use the cable modem Choose this option if your ISP automatically assigns you a dynamic IP address and enter the following information MTU The Maximum Transmission Unit is the size in bytes of the largest packet that can be passed on Choose Auto to use the de...

Страница 113: ...nter the IP address of the subnet mask Gateway Enter the IP address of default gateway DNS0 Enter the IP address of the primary DNS server DNS1 Enter the IP address of the secondary DNS server MTU The Maximum Transmission Unit is the size in bytes of the largest packet that can be passed on Choose Auto to use the default MTU size or choose Manual if you want to specify another size MTU Value If yo...

Страница 114: ...w PPPoE profile by choosing Create a PPPoE Profile See Configuring the PPPoE Profiles page111 User Name Password Enter the user name and password that are required to log into the ISP Authentication Type Choose the authentication type specified by your ISP Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity Idle Tim...

Страница 115: ... up connections or PPTP VPN connections Check the box to enable the MPPE encryption to provide data security for the PPTP connection that is between the VPN client and VPN server Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity Idle Time This choice is recommended if your ISP fees are based on the time that you s...

Страница 116: ...er the IP address of the L2TP server Secret Optional L2TP incorporates a simple optional CHAP like tunnel authentication system during control connection establishment Enter the secret for tunnel authentication if necessary Connect Idle Time Choose this option to let the security appliance disconnect from the Internet after a specified period of inactivity Idle Time This choice is recommended if y...

Страница 117: ...rofile User Name Enter the user name that is required to log into the ISP Password Enter the password that is required to log into the ISP Authentication Type Choose the method to authenticate the PPP sessions as specified by your ISP Auto The PPP protocol auto negotiates the authentication method PAP Password authentication protocol PAP is used by PPP protocol to validate the users before allowin...

Страница 118: ...mended if your ISP fees are based on the time that you spend online MTU The Maximum Transmission Unit MTU is the size in bytes of the largest packet that can be passed on Choose Auto to use the default MTU size or choose Manual if you want to specify another size MTU Size If you choose Manual enter the custom MTU size in bytes NOTE For PPPoE connections the default MTU size is 1492 bytes Unless a ...

Страница 119: ...ncy page117 Configuring the Link Failover Detection page117 Loading Balancing for WAN Redundancy The Load Balancing can segregate traffic between links that are not of the same speed For example you can bind the high volume services through the port that is connected to a high speed link and bind the low volume services to the port that is connected to the slower link The Load Balancing is impleme...

Страница 120: ...ted Load Balancing Distributes the bandwidth to two WAN ports by the weighted percange or by the weighted link bandwidth If you choose this mode choose one of the following options and finish the setting Weighted By Percentage Allows you to set the percentage for each WAN such as 80 percentage bandwidth for WAN1 and lest 20 percentage bandwidth for WAN2 Weighted By Link Bandwidth Allows you to set...

Страница 121: ...e DSL link As lots of secure websites such as bank or online shopping are sensitive to flip flop the source IP address let the traffic for https ftp video and game go through the cable link Configuration Tasks Configure a configurable port as the secondary WAN port WAN2 See Configuring the Secondary WAN page104 Connect the cable modem to the primary WAN port WAN1 and connect the DSL modem to the s...

Страница 122: ...igured with Failover Figure 3 Example Dual WAN Ports with Failover STEP 1 Click Networking WAN Redundancy WAN Redundancy Operation Configuration The WAN Redundancy Operation Configuration opens STEP 2 Choose Failover if you want to use one ISP link as a backup and enter the following information Auto Failover to Choose either WAN1 or WAN2 as the primary link By default WAN1 is set as the primary l...

Страница 123: ...orward the traffic to the primary WAN The traffic for other static routings are forwarded to the secondary WAN For more inforamtion to configure the static routing policies see Configuring the Static Routing page 132 NOTE The Link Failover Detection settings will be ignored if you enable the Routing Table feature Configuring the Link Failover Detection The Link Failover Detection feature detects t...

Страница 124: ...if the primary WAN remote host can be detected the network connection is active In Load Balancing mode if the primary WAN and secondary WAN remote hosts can be detected the WAN connection is active DNS Detection Choose this option to detect the WAN failure by looking up the DNS servers that you specify in the following fields DNS Lookup using WAN DNS Servers The security appliance sends the DNS qu...

Страница 125: ... After you click Add or Edit the VLAN Add Edit window opens STEP 3 In the Basic Setting tab enter the following information Name Enter a descriptive name for the VLAN VID Enter an unique identification number for the VLAN which can be any number from 3 to 4089 The VLAN ID 1 is reserved for the DEFAULT VLAN and the VLAN ID 2 is reserved for the GUEST VLAN IP Enter the subnet IP address for the VLAN...

Страница 126: ... LAN port Changing the port type will wipe out all configurations relative to the physical port Zone Choose the zone to which the VLAN is mapped By default the DEFAULT VLAN is mapped to the LAN zone and the GUEST VLAN is mapped to the GUEST zone STEP 4 In the DHCP Pool Settings tab choose the DHCP mode from the DHCP Server drop down list Disable Choose this option if the computers on the VLAN are ...

Страница 127: ...oot file name or configuration file name on the specified TFTP server Optional 150 Supports a list of TFTP servers 2 TFTP servers Enter the IP addresses of TFTP servers Separate multiple entries with commas NOTE Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at sma...

Страница 128: ...Use the Static IP Reservations page to bind the MAC address of the device with the desired IP address Whenever the DHCP server receives a request from a device the hardware address is compared with the database If the device is found then the reserved IP address is used Otherwise an IP address is assigned automatically from the DHCP pool STEP 1 Click Networking Static IP Reservations The Static IP...

Страница 129: ... include any hosts that must be exposed to the WAN such as web or email servers The DMZ configuration is identical to the VLAN configuration There are no restrictions on the IP address or subnet assigned to the DMZ port except it cannot be identical to the IP address given to the predefined VLANs Figure 4 Example DMZ with One Public IP Address for WAN and DMZ 235140 www example com Internet Public...

Страница 130: ... to the web server The same IP address is used for the WAN interface Figure 5 Example DMZ with Two Public IP Addresses In this scenario the ISP has supplied two static IP addresses 209 165 200 225 and 209 165 200 226 The address 209 165 200 225 is used for the security appliance s public IP address The administrator configures the configurable port to be used as a DMZ port and created a firewall a...

Страница 131: ... DMZ Netmask Enter the subnet mask for the DMZ Spanning Tree Check the box to enable the Spanning Tree feature to determine if there are loops in the network topology Port Specify a configurable port as a DMZ port The traffic through the DMZ port is directed to the DMZ All available configurable ports appears in the Port list choose a port and click Access to add it to the Member list The selected...

Страница 132: ... in the DHCP range End IP Enter the last IP address in the DHCP range Any new DHCP client joining the DMZ is assigned an IP address between the Start IP address and the End IP address NOTE The Start and End IP addresses must be in the same subnet with the DMZ s subnet IP address Lease Time Enter the maximum connection time that a dynamic IP address is leased to a network user When the time elapses...

Страница 133: ...les page195 or Configuring Advanced NAT Rules page197 and create a firewall access rule to allow the inbound access to the server see Configuring a Firewall Access Rule page183 If you want to reserve certain IP addresses for specified devices go to the Networking Static IP Reservations page See Configuring DHCP Reserved IPs page122 You must enable DCHP Server mode or DHCP Relay mode for this purpo...

Страница 134: ...t than a Guest zone but a lower level of trust than a VPN zone The DMZ zone is a public zone Guest 25 Offers a higher level of trust than an untrusted zone but a lower level of trust than a public zone Guest zones can only be used for guest access Untrusted 0 Offers the lowest level of trust It is used by both the WAN and the virtual multicast zones You can map one or multiple WAN interfaces to an...

Страница 135: ...s You can custom new zones for your specific business needs STEP 1 Click Networking Zone The Zone window opens All predefined and custom zones are listed in the table STEP 2 Click Reset Zone Configuration to restore your zone configurations to the factory default settings All custom zones will be removed and the relevant settings to these custom zones will be cleaned up after you perform this oper...

Страница 136: ...security level of the new zone By default the firewall prevents all inbound traffic and allows all outbound traffic To customize firewall access rules for the new zone go to the Firewall ACL Rules Rule page For more information see Configuring the Firewall Access Rules to Control Inbound and Outbound Traffic page178 Map the security services to zones If you enabled the security services such as IP...

Страница 137: ...our ISP assigns an IP address for each of the computers that you use click On to enable the Routing mode When you enable the Routing mode the NAT settings are disabled STEP 3 If you are sharing IP addresses across several devices such as your LAN and using other dedicated devices for the DMZ click Off to disable the Routing mode STEP 4 Click Save to apply your settings Viewing the Routing Table ST...

Страница 138: ... Networking Routing Static Routing The Static Routing window opens STEP 2 To add a static route click Add Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Static Routing Add Edit window opens STEP 3 Enter the following information Destination Address Ch...

Страница 139: ...h other routers and allows it to dynamically adjust its routing tables and adapt to changes in the network STEP 1 Click Networking Routing Dynamic RIP The Dynamic RIP window opens STEP 2 Enter the following information RIP Enable Click On to enable RIP or click Off to disable it By default RIP is disabled RIP Version If you enable RIP specify the RIP version The security appliance supports RIPv1 a...

Страница 140: ...ed Routing PBR allows users to specify the internal IP and or service going through a specified WAN port to provide more flexbile and granular traffic handling capabilities This feature can be used to segregate traffic between links that are not of the same speed High volume traffic can be routed through the port connected to a high speed link and low volume traffic can be routed through the port ...

Страница 141: ...se an internal IP address that passes through the specific WAN port Dest IP For service binding only choose Any For IP binding only choose an IP address as the destination IP address of the outbound traffic If the address object is not in the list choose Create New Address to create a new address object To main the address objects go to the Networking Address Object Management page See Address Man...

Страница 142: ...Static Routing rules traffic A will be firstly handled by the PBR or Static Routing rules while other traffic follows the Weighted Loading Balance settings Dynamic DNS Dynamic DNS DDNS is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names If your ISP has not provided you with a static IP and your WAN connection is configured to use DH...

Страница 143: ...When WAN failover occurs DDNS will switch the traffic to the active WAN interface User Name Enter the user name of the account you registered in the DDNS provider Password Enter the password of the account you registered in the DDNS provider Host and Domain Name Specify the complete host name and domain name for the DDNS service Use wildcards Check this box to allow all subdomains of your DDNS hos...

Страница 144: ...on 3 that is backward compatible with the previous versions NOTE By default the multicast traffic from Any zone to Any zone is blocked by the default firewall access rules When you enable IGMP Proxy and want to receive the multicast packets from WAN to LAN you need to uncheck the Block Multicast Packets box in the Firewall Attack Protection page and create a firewall access rule to permit the mult...

Страница 145: ...ueries from either IGMP or the IGMP snooping querier Click On to enable IGMP Snooping or click Off to disable it STEP 3 Click Save to apply your settings VRRP The Virtual Router Redundancy Protocol VRRP is a redundancy protocol for LAN access device VRRP configures a groups of routers include a master router and several backup routers as a virtual router STEP 1 Click Networking VRRP The VRRP windo...

Страница 146: ...e current master virtual router NOTE All routers in a VRRP group must use the same advertisement interval value If the interval values are not same the routers in the VRRP group will not communicate with eachother and any misconfigured router will change its state to master Verify Click On to enable the authentication or click Off to disable it If you enable the authentication specify the authenti...

Страница 147: ... Networking QoS General Settings The General Settings window opens STEP 2 Enter the following information WAN QoS Check this box to enbale the WAN QoS feature By default WAN QoS is disabled LAN QoS The LAN QoS specifies priority values that can be used to differentiate the traffic and give preference to higher priority traffic such as telephone calls Check this box to enbale the LAN QoS feature By...

Страница 148: ...bps STEP 3 Click Save to apply your settings NOTE Next Steps To specify the WAN queue settings go to the WAN QoS Queue Settings page See Configuring the WAN Queue Settings page 142 To specify the traffic classes for WAN interfaces go to the WAN QoS Traffic Selector Classification page See Configuring the Traffic Selectors for WAN Interfaces page144 To create the WAN QoS policy profiles go to the W...

Страница 149: ...rly Detection RED mechanism RED is a congestion avoidance mechanism that takes advantage of TCP s congestion control mechanism By randomly dropping packets prior to periods of high congestion RED tells the packet source to decrease its transmission rate Assuming the packet source is using TCP it will decrease its transmission rate until all the packets reach their destination indicating that the c...

Страница 150: ...d in the table STEP 2 To add a new traffic selector click Add Other options To edit an entry click Edit To delete an entry click Delete After you click Add or Edit the QoS Class Add Edit window opens STEP 3 Enter the following information Class Name Enter a descriptive name for the traffic class Source Address Choose Any or choose an existing address or group address network that the traffic comes...

Страница 151: ... 0 and 7 that can be used to differentiate traffic and give preference to higher priority traffic Choose the CoS remarking value for the traffic class VLAN Choose the VLAN for identifying the host to which the traffic selector will apply NOTE The traffic that matches up with the above settings will be classified to a class for management purposes STEP 4 Click Save to apply your settings Configurin...

Страница 152: ... disabled for the inbound traffic policy profile DSCP Marking Choose the DSCP remarking value to assign the priority for the traffic CoS Marking For an inbound traffic policy profile choose the CoS remarking value to assign the priority for the inbound traffic This option will be disabled for the outbound traffic policy profile Policing Enter the amount of bandwidth limitation for the selected tra...

Страница 153: ...values that can be used to differentiate traffic and give preference to higher priority traffic such as telephone calls It includes the following topics Configuring the LAN Queue Settings page147 Configuring the LAN QoS Classification Methods page148 Mapping CoS to LAN Queue page 149 Mapping DSCP to LAN Queue page149 Configuring Default CoS page149 Configuring the LAN Queue Settings Use the Queue ...

Страница 154: ...lways sending traffic greater than the maximum bandwidth of the LAN ports STEP 4 Click Save to apply your settings NOTE Next Steps To specify the LAN QoS classification method go to the LAN QoS Classification Method page See Configuring the LAN QoS Classification Methods page148 To map the CoS to LAN queues go to the LAN QoS Mapping CoS to Queue page See Mapping CoS to LAN Queue page149 To map the...

Страница 155: ... where Q4 is the lowest and Q1 is the highest STEP 3 Click Save to apply your settings Mapping DSCP to LAN Queue STEP 1 Click Networking QoS LAN QoS Mapping DSCP to Queue The Mapping DSCP to Queue window opens STEP 2 Choose the traffic forwarding queue to which the DSCP priority tag value is mapped Four traffic priority queues are supported where Q4 is the lowest and Q1 is the highest STEP 3 Click...

Страница 156: ...ods page151 Mapping CoS to Wireless Queue page 151 Mapping DSCP to Wireless Queue page151 Default Wireless QoS Settings The Wireless QoS uses the default queuing method for wireless traffic Wireless traffic is always trusted The wireless QoS treats all untagged packets as tagged packets with the default CoS value 0 so that the security appliance can refer to the CoS to Queue mapping settings to ob...

Страница 157: ... Method window opens STEP 2 Depending on your networking design choose either DSCP or CoS remarking method for traffic through each active SSID STEP 3 Click Save to apply your settings Mapping CoS to Wireless Queue STEP 1 Click Networking QoS Wireless QoS Mapping CoS to Queue The Mapping CoS to Queue window opens STEP 2 Choose the traffic forwarding queue to which the CoS priority tag value is map...

Страница 158: ...e following topics Configuring the Addresses page152 Configuring the Group Addresses page153 Configuring the Addresses STEP 1 Click Networking Address Object Management The Address Object Management window opens All existing address objects are listed in the Address table STEP 2 In the Address Table area click Add to add a new address Other options To edit an entry check the box and click Edit To ...

Страница 159: ...s address and a corresponding netmask As a general rule the first address in a network the network address and the last address in a network the broadcast address are unusable If you choose Network enter the subnet IP address in the IP Address field and the broadcast address in the Netmask field MAC Identifies a host by its hardware address or MAC Media Access Control address MAC addresses are uni...

Страница 160: ...ck the left arrow STEP 6 Click OK to save your settings STEP 7 Click Save to apply your settings Service Management Use the Services page to maintain the service or group service objects The security appliance is configured with a long list of standard services so you can use to configure the firewall access rules port forwarding rules or other features For more information see Default Service Obj...

Страница 161: ...n TCP IP TCP ensures that a message is sent accurately and in its entirety If you choose this option enter the starting port number in the Port Range Start field and the ending port number in the Port Range End field UDP User Datagram Protocol UDP is a protocol within the TCP IP protocol suite that is used in place of TCP when a reliable delivery is not required If you choose this option enter the...

Страница 162: ... an entry click Delete To delete multiple entries check the boxs of multiple entries and click Delete Group After you click Add or Edit the Service Table Add Edit window opens STEP 3 Enter the name for the group service in the Name field STEP 4 To add the services to the group select the services from the Services list and click the right arrow to add them into the Member list STEP 5 To remove the...

Страница 163: ...Setup page172 Configuring Wireless Rogue AP Detection page173 Configuring Wireless Captive Portal page 174 To access the Wireless pages click Wireless in the left hand navigation pane Configuring the Radio Settings The ISA550W and ISA570W can function as an Internet or network gateway for the wireless clients The ISA550W and ISA570W supports wireless protocols called IEEE 802 11b 802 11g and 802 1...

Страница 164: ...radio modes 802 11b only Choose this mode if all devices in the wireless network use 802 11b Only 802 11b clients can connect to the access point 802 11g only Choose this mode if all devices in the wireless network use 802 11g Only 802 11g clients can connect to the access point 802 11b g mixed Choose this mode if some devices in the wireless network use 802 11b and others use 802 11g Both 802 11b...

Страница 165: ...nable the SSID uncheck the box to disable the SSID By default all four SSID are enabled SSID Name Enter an unique identifier for the SSID SSID Broadcast Check this box to broadcast the SSID in its beacon frames All wireless devices within range are able to see the SSID when they scan for available networks Uncheck this box to prevent auto detection of the SSID In this case users must know the SSID...

Страница 166: ...Settings The Wireless Advanced Settings window opens STEP 2 Enter the following information Guard Interval Choose either Long 800 ns or Short 400 ns that the security appliance will retry a frame transmission that fails NOTE The short frame is only available when the specified wireless network mode includes 802 11n CTS Protection Mode CTS Clear To Send Protection Mode function boosts the ability o...

Страница 167: ...To Send RTS Clear To Send CTS handshake before sending A low threshold setting can be useful in areas where many client devices are associating with the wireless device or in areas where the clients are far apart and can detect only the access point but not other clients Although a low threshold value consumes more bandwidth and reduces the throughput of the packet frequent RTS packets can help th...

Страница 168: ... multicast traffic which affects network performance This section includes the following topics Configuring the Security Mode page 162 Controlling the Wireless Access Based on MAC Addresses page169 Mapping the SSID to VLAN page 170 Configuring the SSID Schedule page171 Configuring the Security Mode This section describes how to configure the security mode for the SSID NOTE Cisco strongly recommend...

Страница 169: ... be configured in the SSID Security Mode Description Open Any wireless device that is in range can connect to the SSID WEP Wired Equivalent Privacy WEP is a data encryption protocol for 802 11 wireless networks All wireless stations and SSIDs on the network are configured with a static 64 bit or 128 bit Shared Key for data encryption The higher the bit for data encryption the more secure for your ...

Страница 170: ...tes Message Integrity Code MIC to provide protection against hackers AES uses symmetric 128 bit block data encryption WPA Enterprise WPA Enterprise uses an external RADIUS server for client authentication WPA Enterprise supports TKIP and AES encryption mechanisms default is TKIP This security mode is only available when a RADIUS server is connected to the SSID WPA2 WPA2 provides the best security ...

Страница 171: ...ndexes 1 through 4 are available WPA WPA2 This mode allows both WPA and WPA2 clients to connect simultaneously The SSID automatically chooses the encryption algorithm used by each client device This option is a good choice to enable a higher level of security while allowing access by devices that might not support WPA2 The following WPA WPA2 security modes are supported on your security appliance ...

Страница 172: ...g information Encryption Choose either TKIP or AES as the encryption algorithm for data encryption The default is TKIP Shared Secret The Pre shared Key PSK is the shared secret key for WPA Enter a string of at least 8 characters to a maximum of 63 characters Key Renewal Timeout Enter a value to set the interval at which the key is refreshed for clients associated to this SSID The valid range is 0 ...

Страница 173: ...Key Renewal Timeout Enter a value to set the interval at which the key is refreshed for clients associated to this AP The valid range is 0 to 86400 seconds A value of 0 indicates that the key is not refreshed The default is 3600 seconds RADIUS Server ID The security appliance predefines three RADIUS groups choose an existing RADIUS group for client authentication The following RADIUS server settin...

Страница 174: ...elected group are displayed You can also change the RADIUS server settings The RADIUS server settings you specify will replace the default settings of the selected group Go to the Device Management RADIUS Settings page to maintain the RADIUS server settings See Configuring the RADIUS Servers page 319 STEP 11 If you choose WPA WPA2 Enterprise Mixed as the security mode enter the following informati...

Страница 175: ...clients The default is Open access which means that the MAC filtering is disabled The MAC Filtering provides additional security but it also adds to the complexity and maintenance Be sure to enter each MAC address correctly to ensure that the policy is applied as intended Before performing this procedure decide whether you want to enter a list of MAC addresses that will be blocked or allowed acces...

Страница 176: ... You can add up to 16 MAC addresses you want to deny or permit STEP 5 Click OK to save your settings STEP 6 Click Save to apply your settings Mapping the SSID to VLAN STEP 1 Click Wireless Basic Settings The Wireless Basic Settings window opens STEP 2 In the SSID table area click Edit to edit the settings of the SSID After you click Edit the Edit window opens STEP 3 In the Edit VLAN tab enter the ...

Страница 177: ...ou can specify the time per day to keep the SSID active Enter the following information SSID Name The name of the SSID on which the schedule setting is applied Active Time Click On to enable the schedule feature for the SSID or click Off to disable it Disabling the schedule feature will keep the SSID active in 24 hours per day If you enable this feature configure the time range per day to keep thi...

Страница 178: ...client has a WPS button follow these steps to estabilsh the wireless connection a Press the WPS button on the wireless client b Click the WPS button on this page c Verify that the wireless client is connected to the SSID STEP 4 If the wireless client has a WPS PIN number follow these steps to establish the wireless connection a Get the PIN number on the wireless client b Enter the PIN number on th...

Страница 179: ...e its own wireless LAN Often employees seeking to enhance their productivity will innocently install an access point for their personal use on your network without understanding the security risks The security appliance is configurable by the network administrator to provide proactive rogue AP detection in the 2 4 GHz band Rogue AP Detection RAD is able to discover detect and report an unauthorize...

Страница 180: ...ist choose Merge click Browse to locate the file and then click OK STEP 6 Click Save to apply your settings Configuring Wireless Captive Portal The Captive Portal feature allows the wireless users who authenticated successfully to be directed to a specified web page portal before they can access the Internet The wireless users will be directed to a specified web authentication login page to authen...

Страница 181: ...with accept button Allows users to access the wireless network without entering a user name and password If you choose this option a web passthrough window is prompted Click the Accept button to access the network without the user name and password External Web Server Uses a customized web authentication login page on an external web server to authenticate the wireless users If you choose this opt...

Страница 182: ...e You can import your company logo to change the default Cisco logo that appears in the top right corner of the default page Click Browse to locate and select the logo file from your local PC and then click Upgrade To delete the upgraded logo file and revert the default Cisco logo click Delete STEP 3 In the Monitored HTTP Port List area you can specify the HTTP ports to be monitored The security a...

Страница 183: ...ic page178 Configuring the Firewall Schedule page 186 Firewall Access Rule Configuration Examples page187 Configuring the NAT Rules to Securely Access a Remote Network page192 Configuring the Session Settings page 200 Configuring the Content Filtering to Control Access to Internet page 201 Configuring the MAC Filtering to Permit or Block Traffic page 205 Configuring the IP MAC Binding to Prevent S...

Страница 184: ...ewall Access Rule to Allow the Multicast Traffic page185 NOTE For detailed firewall configuration examples see Firewall Access Rule Configuration Examples page187 Default Firewall Settings By default your firewall prevents all traffic from a lower security level to a higher security level commonly known as Inbound and allows all traffic from a higher security level to a lower security level common...

Страница 185: ...y page to view the default firewall access settings for all predefined zones STEP 1 Click Firewall ACL Rules Default Policy The Default Policy window opens The default access settings for all predefined zones are listed in the table STEP 2 To expand the default access settings for a specific zone click the Expand button To hide the default access settings for a specific zone click the Collapse but...

Страница 186: ...ntrol settings go to the VPN pages For more information about the VPN access control settings see VPN page 232 All firewall access rules are displayed in the Rule table and sorted by the priority The custom access rules have the highest priority The VPN access rules have higher priorities than the default access rules but lower than the custom access rules Preliminary Tasks for Configuring the Fir...

Страница 187: ...or move it to a specified location in the table MoveUp Moves the rule up one position MoveDown Moves the rule down one position Move Moves the rule to a specific location Enter the target index number to move the selected rule to For example A target index of 2 moves the rule to position 2 and moves the other rules down to position 3 in the list NOTE You cannot reorder the default access rules and...

Страница 188: ...ed to enable the Log feature set the log buffer size and the severity for local log and then check the Local Log box for the Firewall log facility To save the firewall logs to the remote syslog server if you have a remote syslog server support you need to enable the Log feature specify the Remote Log settings and then check the Remote Log box for the Firewall log facility For more information abou...

Страница 189: ...etworking Zone page For more information about zone configurations see Configuring the Zones page127 Services Choose an existing service or group service that is covered by this rule If the service or group service you want is not in the list choose Create New Service to create new service objects or choose Create New Group to create new group service objects To maintain the service and group serv...

Страница 190: ...og settings and log facilities and how to view the logs see Log Management page 302 Match Action Choose the action when the traffic match up with the access rule Deny Deny the access Permit Permit the access Accounting Increase the Hit Count number by one when the packet hits the access rule STEP 4 Click OK to save your settings STEP 5 Click Save to apply your settings NOTE In addition to configur...

Страница 191: ...d create a firewall access rule to permit the multicast traffic from WAN to LAN This section provides a configuration example about how to create a WAN to LAN access rule to permit the multicast traffic by using the predefined multicast address STEP 1 Click Firewall ACL Rules Rule The ACL Rules window opens STEP 2 To add a new access rule click Add After you click Add the Rule Add Edit window open...

Страница 192: ...s window opens STEP 2 To create a new schedule click Add Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Schedule Add Edit window opens STEP 3 Enter the following information Schedule Name Enter the name for the schedule Schedule Days Schedule the acce...

Страница 193: ...ddress User Case You host a FTP server on your LAN You want to open the FTP server to Internet by using the IP address of the WAN1 interface The inbound traffic is addressed to your WAN1 IP address but is directed to the FTP server Solution You can create a port forwarding rule or an Advanced NAT rule to open the internal FTP server to Internet and create a firewall access rule to allow the access...

Страница 194: ...to the Firewall ACL Rules Rule page to create a firewall access rule as follows to allow the access From WAN1 To DEFAULT Original source address ANY Original destination address WAN1_IP Original services FTP CONTROL Translated source address ANY Translated destination address InternalFTP Translated services FTP CONTROL From Zone WAN To Zone LAN Services FTP CONTROL Source Address ANY Destination A...

Страница 195: ...e as follows to allow inbound traffic to the RDP server Problem DMZ Wizard STEP 1 Set the IP address of 172 39 202 101 to the WAN interface STEP 2 Create a host address object with the IP 192 168 12 101 called RDPServer and a host address object with the IP 172 39 202 102 called PublicIP STEP 3 Create a TCP service object with the port range from 3389 to 3389 called RDP STEP 4 Go to the Firewall N...

Страница 196: ...54 Solution Create a range address object with the range 132 177 88 2 to 132 177 88 254 called OutsideNetwork and a host address object with the IP address 192 168 1 110 called InternalIP and then create an access rule as follows In the example connections for CU SeeMe an Internet video conferencing client are allowed only from a specified range of external IP addresses Original services RDP Trans...

Страница 197: ...cess rule is in effect and then configure an access rule as follows Blocking Outbound Traffic to an Offsite Mail Server User Case If you want to block access to the SMTP service to prevent a user from sending email through an offsite mail server Solution Create a host address object with the IP address 10 64 173 20 called OffsiteMail and then configure an access rule as follows Source Address Outs...

Страница 198: ...T can also provide the following benefits Security Keeping internal IP addresses hidden discourages direct attacks IP routing solutions Overlapping IP addresses are not a problem when you use NAT Flexibility You can change internal IP addressing schemes without affecting the public addresses available externally for example for a server accessible to the Internet you can maintain a fixed IP addres...

Страница 199: ...namic PAT The Dynamic PAT window opens STEP 2 Specify the PAT IP address for each WAN interface Auto Use the IP address of the WAN port as the translated IP address Manual Choose a single public IP address or a network address as the translated IP address If the address object you want is not in the list choose Create an IP Address to create a new address object To maintain the address objects go ...

Страница 200: ...to allow the access so that the Static NAT rule can function properly STEP 1 Click Firewall NAT Static NAT The Static NAT window opens STEP 2 To add a static NAT rule click Add Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Static NAT Add Edit window ...

Страница 201: ...firewall access rule to allow the access so that the port forwarding rule can function properly NOTE To open an internal FTP server to Internet make sure that the internal FTP server is listening on TCP port 21 or the FTP server and client must use the active mode when the internal FTP server is listening on some other TCP port Otherwise the FTP client cannot access the FTP server STEP 1 Click Fir...

Страница 202: ...lick Off to create only the port forwarding rule Description Enter the name for the port forwarding rule STEP 4 Click OK to save your settings STEP 5 Click Save to apply your settings Configuring Port Triggering Rules Port triggering opens an incoming port for a specified type of traffic on a defined outgoing port When a LAN device makes a connection on one of the defined outgoing ports the securi...

Страница 203: ... Edit To delete an entry click Delete To select multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Port Triggering Add Edit window opens STEP 4 Enter the following information Description Enter the name for the port triggering rule Trigger Service Choose an outgoing TCP or UDP service Opened Service Choose an incoming TCP or UDP service ...

Страница 204: ...you click Add the Add Edit Rule window opens STEP 3 Enter the following information Name Enter the name for the advanced NAT rule Enable Click On to enable the advanced NAT rule or click Off to create only the advanced NAT rule From Choose the WAN interface or the VLAN that the traffic originates from To Choose the VLAN or the WAN interface that the traffic goes to Original Source Address Choose t...

Страница 205: ... page to view the status of all NAT rules STEP 1 Click Firewall NAT NAT Status The NAT Status window opens All existing NAT rules are listed in the table You can check the following information Original Source Address The original source IP address in the packet Original Destination Address The original destination IP address in the packet Source Port The interface that the traffic comes from Dest...

Страница 206: ... Configuring the Session Settings Use the Session Settings page to configure the maximum number of connection sessions When the connnection table is full the new sessions that access the security appliance are dropped STEP 1 Click Firewall Session Settings The Session Settings window opens STEP 2 Enter the following information Current All Connections Displays the number of all current connected s...

Страница 207: ...er to block or forward the HTTP request from the hosts in the zone The blocked request will be logged This section includes the following topics Configuring the Content Filtering Policy Profiles page 201 Configuring the Website Access Control List page 203 Mapping the Content Filtering Policy Profiles to Zones page 204 Configuring Advanced Settings page 204 CAUTION Enabling the Web URL Filter serv...

Страница 208: ...bsites that you want to permit or block For complete details see Configuring the Website Access Control List page 203 STEP 5 In the For URLs not Specified Above area specify the action how to deal with the websites that are not specified in the whitelist or blacklist Permit Them If you choose this option all websites not specified in the list are permitted Deny Them If you choose this option all w...

Страница 209: ...reate only the access control rule URL Enter the domain name or URL keyword of a website that you want to permit or block Match Type Specify how to match up with this rule Domain If you choose this option permit or block the HTTP access of a website that fully matches up with the domain you entered in the URL field For example if you enter yahoo com in the URL field then it can match up with the w...

Страница 210: ...ck Save to apply your settings Configuring Advanced Settings STEP 1 Click Firewall Content Filtering Advanced Settings The Advanced Settings window opens STEP 2 Enter the following information Specify HTTP port for the filtering default 80 Enter the port number that is used for content filtering The default is 80 For example if you permit the HTTP access to the website http www ABcompanyC com and ...

Страница 211: ...an permit and deny network access from specific devices through the use of MAC address list The firewall MAC filtering settings apply for all traffic except the traffic for Intra VLAN and Intra SSID STEP 1 Click Firewall MAC Filtering MAC Filtering The MAC Filtering window opens STEP 2 Click On to enable the MAC Filtering feature or click Off to disable it STEP 3 If you enable MAC Filtering specif...

Страница 212: ...ique MAC address of device please ensure that traffic from the specified IP address is not spoofed If a violation the traffic s source IP address doesn t match up with the expected MAC address having the same IP address occurs the packets will be dropped and can be logged for diagnosis STEP 1 Click Firewall MAC Filtering IP MAC Binding The IP MAC Binding window opens STEP 2 To add an IP MAC bindin...

Страница 213: ... Protection The Attack Protection window opens STEP 2 In the WAN Security Checks area enter the following information Block Ping to WAN interface Check the box to prevent attackers from discovering your network through ICMP Echo ping requests We recommend that you disable this feature only if you need to allow the security appliance to respond to pings for diagnostic purposes Enable Stealth Mode C...

Страница 214: ...mit the multicast traffic will be overrided if you enable this feature STEP 5 In the DoS Attacks area enter the following information SYN Flood Detect Rate max sec Enter the maximum number of SYN packets per second that will cause the security appliance to determine that a SYN Flood Intrusion is occurring Enter a value from 0 to 10000 SYN packets per second A value of zero indicates that the SYN F...

Страница 215: ...1 Click Firewall Application Level Gateway The Application Level Gateway window opens STEP 2 Enter the following information SIP Protocol Support SIP ALG can rewrite the information within the SIP messages SIP headers and SDP body to make signaling and audio traffic between the client behind NAT and the SIP endpoint possible Check this box to allow the SIP sessions to pass through the security app...

Страница 216: ...irus page 220 Email Reputation Filter page 224 Web URL Filter page 226 Web Reputation Filter page 230 Network Reputation page 231 To access the Security Services pages click Security Services in the left hand navigation pane Managing the Security Services This section includes the following topics About the Security Services page 211 Security License page 212 Priority of Security Services page 212...

Страница 217: ...MAP For more information see Anti Virus page 220 Email Reputation Filter The Email Reputation Filter service detects the email sender s reputation score If the reputation score is below a threshold then the email is blocked or tagged as SPAM or SUSPECT SPAM For more information see Email Reputation Filter page 224 Web URL Filter The Web URL Filter service provides protection against URL categories...

Страница 218: ... is permitted by the Web URL Filter setting but it has reputation score lower than the web reputation threshold the connection to this website will be blocked even if it is in the whitelist unless you change the web reputation threshold Managing the Security Services Use the Dashboard page to view the status of the security license enable or disable the security services and check new updates for ...

Страница 219: ...yed in the Last Check column When the signature file is upated successfully the date and time of the last successful update are displayed in the Last Update column If a new signature file is available the new signature file will be downloaded to your local flash partition The registered CCO account is required to log into the Cisco server to download the signature file To configure your CCO accoun...

Страница 220: ... show the total number of web access requests processed and the total number of websites blocked by day for the last seven days For more information about the security service reports go to the Status Report Security Services page See Reports of Security Services page 87 Intrusion Prevention Service The Intrusion Prevention Service IPS feature can protect the zones for a given set of categories IP...

Страница 221: ...coming traffic from the selected zones WAN zone Choose this option to block the intrusion for incoming traffic from the WAN zone This is the default setting WAN VPN zone Choose this option to block the intrusion for incoming traffic from both WAN and VPN zones All zones Choose this option to block the intrusion for the incoming traffic from all zones STEP 4 In the IPS Status area you can perform t...

Страница 222: ...CCO account click Edit Account Setting Update Click this button to immediately update the IPS signatures if a new signature file is available The new signature file will be downloaded from the Cisco server and saved on the flash partition of your device Manual Signature Updates To manually update the IPS signatures you first need to download the latest signature file from the Cisco server to your ...

Страница 223: ...p tools cisco com security center search x search Signature to check the Small Business IPS signature definitions by using the Signature ID or other information STEP 3 Specify the inspection setting for all signatures under a category or for a signature only Disabled Click this option to disable checking the attacks Detect Only Click this option to check the attacks and to log the event when an at...

Страница 224: ...IPS Alert feature and configure the email account settings see Configuring the Email Alert Settings page 316 STEP 4 Click Save to apply your settings Blocking the Instant Messaging and Peer to Peer Applications Use the IM P2P blocking page to block Instant Message IM and Peer to Peer P2P traffic on the security appliance STEP 1 Click Security Services IPS IM P2P Blocking The IM P2P Blocking window...

Страница 225: ...the packet when an attack is detected To log the IPS events you first need to choose Detect Only or Detect and Prevent for the IM or P2P applications and then go to the Device Management Loggings pages to configure the log settings and log facilities To save the IPS logs in the lcoal syslog daemon you need to enable the Log feature set the log buffer size and the severity for local log and then ch...

Страница 226: ...Anti Virus feature supports virus scanning for one layer compressed files in the zip gzip tar bzip2 and rar2 0 formats CAUTION Enabling Anti Virus consumes additional system resources and may impact the system performance Go to the Status Dashboard page to view the CPU and memory utilizations To conserve the system resources disable the service when it is no longer needed This section includes the...

Страница 227: ...agement Loggings pages to configure the log settings and log facilities To save the Anti Virus logs in the lcoal syslog daemon you need to enable the Log feature set the log buffer size and the severity for local log and then check the Local Log box for the Anti Virus log facility To save the Anti Virus logs to the remote syslog server if you have a remote syslog server support you need to enable ...

Страница 228: ...s setting the compressed file will not be detected STEP 5 Click Save to apply your settings NOTE Next Steps If you select Alert or Alert Descruct File for SMTP or POP3 protocol go to the Email Notification page to configure the email notification settings See Configuring the Email Notification page 223 If you select Alert or Alert Drop Connection for HTTP protocol go to the HTTP Notification page ...

Страница 229: ...e Email Notification window opens STEP 2 Enter the following information Email Alert Status Shows if the Alert or Alert Destruct File action is selected or not for SMTP or POP3 protocol From Email Address The email address of the SMTP email account to send the alert email SMTP Server The IP address or Internet name of the SMTP server SMTP Authentication Shows if the SMTP authentication is enabled ...

Страница 230: ... Click Save to apply your settings Email Reputation Filter The Email Reputation Filter feature detects the email sender s reputation score The reputation scores range from 10 bad to 10 good An email is classified as SPAM if the sender s reputation is below the SPAM threshold or is classified as SUSPECT SPAM if the sender s reputation is between the SPAM threshold and SUSPECT SPAM threshold An emai...

Страница 231: ... sender s address is the address that initiated the connection to the SMTP server not an address within the email header STEP 3 Specify the actions for SPAM and SUSPECT SPAM emails Action for SPAM Is Choose Block to block the email or choose TAG to get the email tagged with SPAM Action for SUSPECT SPAM Is Choose Block to block the email or choose TAG to get the email tagged with SUSPECT SPAM STEP ...

Страница 232: ...s Configuring the Web URL Filter Policy Profiles page 226 Mapping the Web URL Filter Policy Profiles to Zones page 228 Configuring Advanced Web URL Filter Settings page 229 Configuring the Web URL Filter Policy Profiles A Web URL Filter policy profile is used to specify the URL categories to be blocked STEP 1 Click Security Services Web URL Filter Policy Profile The Web URL Filter Policy Profile w...

Страница 233: ...xample if the Sports category is blocked but you want to permit the www espn com you can add it to the whitelist STEP 5 Click Save to apply your settings NOTE Next Steps To map the Web URL Filter policy profile to zones go to the Zone Mapping page See Mapping the Web URL Filter Policy Profiles to Zones page 228 To configure advanced Web URL Filter settings go to the Advanced Settings page See Conf...

Страница 234: ...u enter yahoo com in the URL field then it can match up with the website such as http yahoo com but cannot match up with the website such as http yahoo com uk Keyword Permit or deny the HTTP access of a website that contains the keyword you entered in the URL field For example if you enter yahoo in the URL field then it can match up with the websites such as www yahoo com tw yahoo com www yahoo co...

Страница 235: ...s The default is 80 For example if you permit the HTTP access to the website http www ABcompanyC com and set the HTTP port to 80 The access to http www ABcompanyC com 8080 will be blocked Select which Web Components to block You can block or permit the web components like Proxy Java ActiveX and Cookies By default all of them are permitted Proxy Check the box to block proxy servers which can be use...

Страница 236: ...web page is blocked The default blocked page will display a message such as Access of this website is blocked due to security policy configurations on the security appliance You can edit the message in the Block Message field Redirect to this URL Enter the URL to be redirected if a web page is blocked STEP 3 Click Save to apply your settings Web Reputation Filter The Web Reputation Filter service ...

Страница 237: ...services are unavailable Block all web traffic until the web reputation filter services are restored If you choose this option all web traffic will be blocked until the Web Reputation Filter services are restored and the default blocked page will used The default blocked page displays a message to remind the user You can edit the message in the Block Message field Allow all web traffic until the w...

Страница 238: ...the VPN pages click VPN in the left hand navigation pane About VPN A VPN provides a secure communication channel tunnel between two gateway routers or between a remote PC and a gateway router The security appliance provides the following VPN solutions Cisco IPSec VPN Server The Cisco IPSec VPN Server feature allows the security appliance to act as a head end device in remote access VPNs The server...

Страница 239: ...emote users to access the corporate network by using the Cisco AnyConnect VPN Client Remote access is provided through a SSL VPN gateway See Configuring the SSL VPN page 257 L2TP L2TP allows remote clients to use a public IP network to secure communicate with private corporate network servers This protocol is based on the client and server model See Configuring the L2TP Server page 266 NOTE The se...

Страница 240: ...the following platforms Windows 7 32 bit x86 and 64 bit x64 Windows Vista 32 bit x86 and 64 bit x64 Windows XP 32 bit x86 and 64 bit x64 Mac OS X 10 5 and 10 6 You can find the software installers for Cisco VPN Client on the CD or download the software installers from Cisco com A registered CCO account is required to log into the website For more information about how to download install and confi...

Страница 241: ... Other Options To edit an entry click Edit To delete an entry click Delete After you click Add or Edit the Cisco IPSec VPN Server Add Edit window opens STEP 4 In the Basic Settings tab enter the following information Group Name Enter the name for the group policy WAN Interface Choose the WAN interface that the traffic passes through over the IPSec VPN tunnel Authentication Method Choose the authen...

Страница 242: ...that works as the Cisco VPN hardware client The Cisco VPN hardware client can obtain a private IP address from a DHCP server over the IPSec VPN tunnel WAN Failover Click On to enable WAN Failover or click Off to disable it If you enable WAN Failover the traffic is automatically redirected to the secondary link when the primary link is down NOTE To enable the WAN Failover for Cisco IPSec VPN tunnel...

Страница 243: ...onnect to the backup server The backup server 1 has the highest priority and the backup server 3 has the lowest priority NOTE The backup servers that you specified on the Cisco IPSec VPN Server will be sent to the remote clients when initiating the VPN connection The remote clients will cache them Split Tunnel Click On to enable the split tunneling feature or click Off to disable it Split tunnelin...

Страница 244: ...e Cisco IPSec VPN Client feature minimizes the configuration requirements at remote locations by allowing the security appliance to work as a Cisco VPN hardware client to receive the security policies upon the VPN tunnel from a remote Cisco IPSec VPN Server This solution is ideal for remote offices with little IT support or for large customer premises equipment CPE deployments where it is impracti...

Страница 245: ...f only one destination peer If your application requires multiple VPN tunnels you must manually configure the IPSec VPN and Network Address Translation Peer Address Translation NAT PAT parameters on both client and server NOTE If you set the security appliance as a Cisco VPN hardware client the VPN tunnels established by Site to Site VPN or Cisco IPSec VPN Server are automatically disconnected The...

Страница 246: ...ther the inside hosts relative to the Cisco VPN hardware client are accessible from the corporate network over the tunnel Specifying a operation mode is mandatory before making a connection because the Cisco VPN hardware client does not have a default mode All modes of operation also optionally support split tunneling which allows secure access to corporate resources through the VPN tunnel while a...

Страница 247: ...ion Mode NEM specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network PAT is not used which allows the client PCs and hosts to have direct access to the PCs and hosts at the destination network In NEM mode the Cisco VPN hard...

Страница 248: ...g that the destination routers are configured to properly route those IP addresses over the tunnel Figure 9 Cisco IPSec VPN Network Extension Connection General Settings You can enable the Cisco IPSec VPN Client feature configure the Auto Initiation Retry settings or manually connect or disconnect the IPSec VPN tunnels STEP 1 Click VPN Remote User Access Cisco IPSec VPN Client The Cisco IPSec VPN ...

Страница 249: ...N connection check the box of the group policy you want and then click Connect Disconnect To manuall terminate an estalished the IPsec VPN connection click Disconnect STEP 3 Click Save to apply your settings Configuring the Group Policies for Cisco IPSec VPN Client As a Cisco VPN hardware client the security appliance will initiate the VPN connection with a remote Cisco IPSec VPN Server You can sp...

Страница 250: ...l with the remote server The server pushes the security settings over the IPSec VPN tunnel to the clients Certificate If you choose this option choose a local certificate and a peer certificate for authentication On the remote server the selected local certificate should be set as the peer certificate and the selected peer certificate should be set as the local certificate If the certificates are ...

Страница 251: ...o the backup servers The backup server 1 has the highest priority and the backup server 3 has the lowest priority NOTE The Cisco VPN hardware client can get the backup servers from the remote Cisco IPSec VPN server during the tunnel negotiation The backup servers specified on the remote Cisco IPSec VPN server have higher priority than the back servers specified on the Cisco VPN hardware client Whe...

Страница 252: ...te to Site VPN page 246 General Site to Site VPN Settings page 247 Configuring the IPSec VPN Policies page 248 Configuring the IPSec IKE Policies page 254 Configuring the IPSec Transform Policies page 256 Configuration Tasks to Establish a Site to Site VPN To establish a Site to Site VPN tunnel complete the following configuration tasks Add the subnet IP address objects of the local network and re...

Страница 253: ...PSec VPN policy and then click Connect to initiate the IPSec VPN connection Check the status and statistic information for IPSec VPN tunnels See Monitoring the IPSec VPN Status page 269 General Site to Site VPN Settings STEP 1 Click VPN Site to Site IPSec Policies The IPSec Policies window opens All existing IPSec VPN policies are listed in the table You can check the following information of an I...

Страница 254: ...PN Policies The Site to Site VPN policy is used to establish the IPSec VPN tunnel between two peers The ISA550 and ISA550W supports up to 50 IPSec VPN tunnels The ISA570 and ISA570W supports up to 100 IPSec VPN tunnels NOTE Before you create an IPSec VPN policy make sure that the IKE and transform policies are configured Then you can apply the IKE and transform policy on the IPSec VPN policy STEP ...

Страница 255: ...200 236 in the Address field Authentication Method Choose the authentication method for the IPSec VPN policy Preshare Key If you choose this option enter the desired value that the peer device must provide to establish a connection The same pre shared key has to be entered on the remote peer device Certificate If you choose this option choose a local certificate and a remote certificate for authen...

Страница 256: ...ffie Hellman exchange is performed for every phase 2 negotiation PFS is desired on the keying channel of the VPN connection DPD Enable Click On to enable Dead Peer Detection DPD or click Off to disable it DPD is a method of detecting a dead Internet Key Exchange IKE peer The method uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer DPD is ...

Страница 257: ...at are automatically generated by the zone access control settings will be added in the firewall access rule table with the priority higher than the default firewall access rules but lower than the custom firewall access rules Apply NAT Policies Click On to apply the NAT settings for both the local network and remote network communicating over the VPN tunnel This option is particularly useful in c...

Страница 258: ...dressed host at Site B it connects to a 172 19 1 2 address rather than to the actual 172 16 1 2 address When the host at Site B to accesses Site A it connects to a 172 18 1 2 address NAT on Router A translates any 172 16 x x address to look like the matching 172 18 x x host entry NAT on Router B changes 172 16 x x to look like 172 19 x x NOTE This configuration only allows the two networks to comm...

Страница 259: ...nterface ensures that VPN traffic rolls over to the backup link whenever the primary link fails The security appliance will automatically update the local WAN gateway for the VPN tunnel based on the configurations of the backup WAN link For this purpose Dynamic DNS has to be configured because the IP address will change due to failover or let the remote gateway use dynamic IP address NOTE To enabl...

Страница 260: ...icies The Internet Key Exchange IKE protocol is a negotiation protocol that includes an encryption method to protect data and ensure privacy It is also an authentication method to verify the identity of devices that are trying to connect to your network You can create IKE policies to define the security parameters such as authentication of the peer encryption algorithms and so forth to be used for...

Страница 261: ... alpha numeric key is shared with IKE peer Pre shared keys do not scale well with a growing network but are easier to set up in a small network RSA SIG Uses a digital certificate to authenticate RSA SIG is a digital certificate with keys generated by the RSA signatures algorithm In this case a certificate must be configured in order for the RSA Signature to work D H Group Choose the Diffie Hellman...

Страница 262: ... an IPSec transform policy click Add Other options To edit an entry Edit To delete an entry click Delete The default transform policy DefaultTrans can not be edited or deleted After you click Add or Edit the Transform Policy Add Edit window opens STEP 3 Enter the following information Name Enter an unique name for the transform policy Integrity Choose the hash algorithm used to ensure the data int...

Страница 263: ..._192 Encryption with AES 192 bit ESP_AES_256 Encryption with AES 256 bit STEP 4 Click OK to save your settings STEP 5 Click Save to apply your settings Configuring the SSL VPN SSL VPN is a flexible and secure way to extend network resources to virtually any remote user The security appliance supports the SSL VPN and interoperates with the Cisco AnyConnect VPN Client software Figure 12 shows an exa...

Страница 264: ... s PC page 260 Importing the Certificates for User Authentication page 260 Configuring the SSL VPN Users page 260 Configuring the SSL VPN Gateway page 261 Configuring the SSL VPN Group Policies page 263 Configuring the SSL VPN Portal page 266 Elements of the SSL VPN Several elements work together to support SSL VPN SSL VPN Users Create your SSL VPN users The user groups to which the SSL VPN users ...

Страница 265: ...mote user s PC See Installing the Cisco AnyConnect VPN Client on User s PC page 260 Import the SSL VPN certificate to your security appliance used for user authentication See Importing the Certificates for User Authentication page 260 Enable and configure the SSL VPN gateway on your security appliance See Configuring the SSL VPN Gateway page 261 Define the SSL VPN group policies See Configuring th...

Страница 266: ... 6 x kernel You can find the software installer on the CD If you have a CCO account you can access the SSL VPN portal to download the software installer from Cisco com website For more information about the SSL VPN portal see Configuring the SSL VPN Portal page 266 Importing the Certificates for User Authentication The SSL VPN gateway holds a CA certificate that is presented to the client when the...

Страница 267: ...le SSL VPN or click Off to disable SSL VPN If you enable SSL VPN the security appliance is set as the SSL VPN server STEP 3 In the Gateway Mandatory area enter the following information Gateway Interface Choose the WAN interface that the traffic passes through over the SSL VPN tunnel Gateway Port Enter the port number used for the SSL VPN gateway By default HTTPS or SSL typically operates on port ...

Страница 268: ...the Gateway Optional area enter the following information Idle Timeout Enter the timeout value in seconds that the SSL VPN session can remain idle Session Timeout Enter the timeout value in seconds that a SSL VPN session can remain connected Client DPD Timeout Dead Peer Detection DPD allows detection of dead peers Enter the DPD timeout for client in this field Gateway DPD Timeout Enter the DPD tim...

Страница 269: ...or IP address range on the LAN or to other SSL VPN services that are supported by the security appliance NOTE The security appliance supports up to 32 SSL VPN goup policies STEP 1 Click VPN SSL Remote Acess SSL VPN Group Policies The SSL VPN Group Policies window opens The default and custom SSL VPN group policies are listed in the table STEP 2 To add a new SSL VPN group policy click Add Other opt...

Страница 270: ... number of the MSIE proxy server IE Proxy Exception If you choose Bypass Local enter the IP address or domain name of an exception host This option allows the browser not to send traffic for the given hostname or IP address through the proxy STEP 5 In the Split Tunneling Settings area enter the following information Split tunneling permits specific traffic to be carried outside of the SSL VPN tunn...

Страница 271: ...served through an external DNS serving your ISP or through SSL VPN tunnel to domains served by the corporate DNS For example a query for a packet destined for corporate com would go through the tunnel to the DNS that serves the private network while a query for a packet destined for myfavoritesearch com would be handled by the ISP s DNS By default this feature is configured on the SSL VPN gateway ...

Страница 272: ...e SSL VPN portal from LAN side STEP 1 Click VPN SSL Remote Acess SSL VPN Portal The SSL VPN Portal window opens STEP 2 Enter the message that you want to display on the SSL VPN portal STEP 3 The SSL VPN portal provides a link to download the Cisco AnyConnect VPN Client software installer from Cisco com website Click Download to open the website and enter your CCO account to login Depending on your...

Страница 273: ...ethod You can choose either CHAP or PAP or both to authenticate to the L2TP clients Click On to enable CHAP or PAP or click Off to disable it Local Service IP Enter the IP address of the established PPP link Address Pool The L2TP server assigns IP addresses to L2TP clients Enter the starting IP address in the Start IP field and the ending IP address in the End IP field DNS1 IP Enter the IP address...

Страница 274: ...net or click Off to disable it PPTP Click On to allow the hosts at LAN site to establish a tunnel with a PPTP server on Internet click Off to disable it IPSec Click On to allow the IPSec traffic to pass through the security appliance over the IPSec VPN tunnel or click Off to disable it The VPN tunnel can be established by a Site to Site VPN session or a Cisco IPSec VPN session STEP 3 Click Save to...

Страница 275: ...remote client for a Cisco IPSec VPN session Local Network The subnet IP address and netmask of your local network Remote Network The subnet IP address and netmask of the remote network Connect To manually establish a VPN connection click Connect Disconnect To terminate an active VPN connection click Disconnect NOTE When a VPN policy is in place and enabled a connection is triggered by any traffic ...

Страница 276: ...SL VPN sessions STEP 1 Click VPN Session Status SSL VPN Monitoring The SSL VPN Monitoring window opens STEP 2 In the Active Sessions tab all active SSL VPN sessions are listed in the table Session ID The SSL VPN session ID User Name The name of the logged SSL VPN user Client IP Actual The actual IP address used by the SSL VPN client Client IP VPN The virtual IP address of the SSL VPN client assign...

Страница 277: ...tic table lists the statistic information for each SSL VPN session The following information is displayed for a single SSL VPN session To clear the statistic information of the SSL VPN session click Clear Active Users The number of all connected SSL VPN users In CSTP frames The number of CSTP frames received from all clients In CSTP bytes The total number of bytes in the CSTP frames received from ...

Страница 278: ...he number of CSTP data frames received from the client In CSTP control The number of CSTP control frames received from the client Out CSTP frames The number of CSTP frames sent to the client Out CSTP bytes The total number of bytes in the CSTP frames sent to the client Out CSTP data The number of CSTP data frames sent to the client Out CSTP control The number of CSTP control frames sent to the cli...

Страница 279: ...s the user and user group information in the local database The local database supports up to 100 users and 16 user groups A user group can include up to 100 users Any user must be a member of a user group It includes the following sections Available Services for User Groups page 273 Default User and Group page 274 Preempt the Administrators page 274 Available Services for User Groups A user can o...

Страница 280: ...iple services need to authenticate at the same time Default User and Group The default administrator account user name cisco password cisco is an administrative account that has fully privilege to set the configurations and read the system status It does not belong to any user group To prevent unauthorized access you are forced to immediately change the default user name and password at its first ...

Страница 281: ...ick Add to add a user Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add Edit the Local User Add Edit window opens STEP 3 Enter the following information User Enter an unique identifier that contains the letters numbers or underline for the user New Password Enter th...

Страница 282: ...roups are listed in the Groups table STEP 2 In the Groups area click Add to add a user group Other options To edit an entry click Edit To delete an entry click Delete To delete multiple entries check the boxes of multiple entries and click Delete Selection After you click Add or Edit the Group Add Edit window opens STEP 3 In the Group Settings tab enter the following information Name Enter an uniq...

Страница 283: ...members of the user group who authenticated successfully will be directed to a specified web page portal before they can access the Internet This service only applies to the ISA550W and ISA570W STEP 4 In the Membership tab specify the members of the group To add a member select the member from the User list and click the right arrow The members of the groups appear in the Membership list To delete...

Страница 284: ...supports the following authentication methods for user login Local Database Allows you to use the local database for authentication if the number of users is relatively small Only the local users in local database are allowed to access the network resources See Using Local Database for Authentication page 279 RADIUS Allows you to use the RADIUS server for authentication if you have more than 100 u...

Страница 285: ...rver to authenticate the users when more than 100 users need to access the network The security appliance uses the Framed Filter ID attribute to store the user and group information in the RADIUS server and checks a user s credentials by using the Password Authentication Protocol PAP authentication scheme If you use RADIUS for user authentication users must log into the security appliance using HT...

Страница 286: ...connection is dropped The default value is 3 RADIUS Servers Choose the RADIUS group index from the drop down list The RADIUS server settings of the selected group are disaplayed You can edit these settings here but the settings you specify will replace the default settings of the selected group To maintain the RADIUS settings go to the Device Management RADIUS Settings page See Configuring the RAD...

Страница 287: ...local database has two user groups Group1 and Group2 The following table displays the user group membership settings In the above table if the User1 in the RADIUS server belongs to the Group1 and the User1 in the local database belongs to the Group2 then the User1 belongs to the Group2 after passed the RADIUS authentication If the User1 doex not exist in the local database it is set to the specifi...

Страница 288: ...appliance first verifies the user name and password information of the users through the RADIUS server The RADIUS server returns the authentication result to the security appliance For a valid RADIUS user the security appliance checks its user group service policy from the local database and allows the user to access the network For an invalid RADIUS user then the security appliance uses the local...

Страница 289: ...nter the number of the listening port used on the LDAP server Enter a value from 1 to 65535 The default is 389 Server Timeout Enter the amount of time in seconds that the security appliance will wait for a response from the LDAP server before timing out Login Method Choose one of the following login methods Annonymous Login Choose this option if the LDAP server allows for the user tree to be acces...

Страница 290: ...oprietary LDAP scheme configurations Object Class The object class of the individual user account Login Name Attribute The user name that is used for login authentication Qualified Login Name Attribute The attribute that sets an alternative login name for the user in name domain format User Group Membership Attribute The membership attribute that contains information about the group to which the u...

Страница 291: ...bject and are not used with AD To add an entry click Add To edit an entry click Edit To delete an entry click Remove To modify the location of an entry in the tree click Move Up or Move Down buttons NOTE All the above trees are given in the format of disginguished names cn users dc ExampleCorporation dc com STEP 7 In the LDAP Users tab enter the following information Allow Only Users Listed Locall...

Страница 292: ... settings see Using LDAP for Authentication page 283 STEP 4 Click Save to apply your settings Configuring the User Session Settings The user session settings are used for the web login service and are applicable for all authentication methods STEP 1 Click Users Settings The User Settings window opens STEP 2 In the User Session Settings area enter the following information Inactivity Timeout Enter ...

Страница 293: ...Sessions The Active Sessions window opens All active user sessions are listed in the table You can view the following user session information User Name The name of the logged user Address Information The host IP address from which the user accessed the security appliance Login Method How the user logs into the security appliance such as web login SSL VPN or Cisco IPSec VPN Session Duration How lo...

Страница 294: ...ion Management page 294 Firmware Management page 297 Log Management page 302 Managing the Security License page 307 Managing the Certificates for Authentication page 310 Configuring the Email Alert Settings page 316 Configuring the RADIUS Servers page 319 Configuring the Time Zone page 320 Device Discovery page 321 Diagnosing the Device page 324 Measuring and Limiting Traffic with the Traffic Mete...

Страница 295: ...ne who knows its IP address Since a malicious WAN user can reconfigure the security appliance and misuse it in many ways we highly recommend that you change the user name and password of the default administrator account cisco before continuing STEP 1 Click Device Management Remote Management The Remote Management window opens STEP 2 Enter the following information Remote Management Click On to en...

Страница 296: ...manage the device from WAN side STEP 3 Click Save to apply your settings Administration Use the Administration page to modify the user name and password of the default adminstrator account and configure the user session settings It includes the following topics Changing the User Name and Password for the Default Administrator Account page 290 Configuring the User Session Settings page 291 Changing...

Страница 297: ... password cannot be set as cisco ocsic or any variant obtained by changing the capitalization of letters Confirm New Password Enter the new password again for confirmation STEP 3 Click Save to apply your settings Configuring the User Session Settings The user session settings are used for the web login service and are applicable for all authentication methods STEP 1 Click Device Management Adminis...

Страница 298: ...to manage the configurations statistics collection performance and security STEP 1 Click Device Management SNMP The SNMP window opens STEP 2 Click On to enable SNMP or click Off to disable SNMP By default SNMP is disabled STEP 3 If you enable SNMP specify the SNMP version By default SNMP V1 V2 is selected SNMP V1 V2 SNMP version 1 SNMPv1 is the initial implementation of the SNMP protocol SNMPv1 is...

Страница 299: ...assword Enter the password for data encryption the minimum length of password is 8 charactors This is only available for SNMPV3 SNMP Engine ID Displays the engine ID of the SNMP entity The engine ID is used as an unique identification between two SNMP entities This is only available for SNMPV3 STEP 5 To enable the SNMP Trap enter the following information SNMP Read Only Community Enter the read on...

Страница 300: ...s a configuration file on the local PC or on a USB device if applicable NOTE When saving the configurations to a file the security license and self certificates will not be saved in the file STEP 1 Click Device Management Firmware and Configuration Configuration The Configuration window opens STEP 2 To save the current settings on your local PC perform the following steps a In Backup Restore Setti...

Страница 301: ...gurations check the Encrypt box and enter the password in the Key field and then click OK f After you click OK your current settings are saved as a configuration file on the root folder of the USB device Restoring your Settings from a Saved Configuration File You can restore the settings from a saved configuration file on your local PC or on a USB device if applicable STEP 1 Click Device Managemen...

Страница 302: ...on window opens Enter the password in the Key field and then click OK e The security appliance automatically reboots with the saved settings of the selected configuration file Reverting to the Factory Default Settings To revert your security appliance to the factory default settings you can press and hold the RESET button on the back panel for minimal three seconds or use the Revert to Factory Def...

Страница 303: ...ystem See Using the Rescue Mode to Recover the System page 302 Reboot the security appliance See Rebooting the Security Appliance page 302 CAUTION During a firmware upgrade do NOT try to go online turn off the device shut down the PC remove the cable or interrupt the process in anyway until the operation is complete This process should take several minutes or so including the reboot process Interr...

Страница 304: ...y reboots with the previous settings that were in use To upgrade the firmware and revert to the factory default settings click Upgrade Factory Reset When the operation is complete the security appliance automatically reboots with the factory default settings Checking for New Firmwares The security appliance uses a built in IDA client to query and upgrade the firmware The IDA client connects to Cis...

Страница 305: ...PC b To upgrade the firmware and keep using the current settings click Upgrade When the operation is complete the security appliance automatically reboots with the previous settings that were in use c To upgrade the firmware and revert to the factory default settings click Upgrade Factory Reset When the operation is complete the security appliance automatically reboots with the factory default set...

Страница 306: ... Do NOT go online 3 Do NOT turn off or power cycle the security appliance 4 Do NOT shutdown the computer 5 Do NOT remove the cable Using the Secondary Firmware If the primary firmware is not stable you can manually set the secondary firmware that was in use as the primary firmware The original primary firmware will then become the secondary firmware After you switch to the secondary firmware the s...

Страница 307: ...ader checks the CRC of the primary firmware 2 If the primary firmware occurs a CRC Error or a Boot Failure the Bootloader will switch to the secondary firmware and check the CRC for the secondary firmware CRC Error An error that the firmware cannot pass the CRC validation Downloading an incomplete firmware or incompletely writing the firmware to the flash may cause the CRC error Boot Failure A fai...

Страница 308: ...s 192 168 1 1 STEP 3 The security appliance will upgrade the firmware after you uploaded the image This process should take several minutes or so including the reboot process During firmware upgrade do NOT try to go online turn off the device shut down the PC interrupt the process or remove the cable in anyway until the operation is complete When the POWER SYS lights green color the system operate...

Страница 309: ... are not logged All Broadcast Multicast Traffic Click On to log all broadcast or multicast packets directed to the security appliance By default all broadcast or multicast packets are not logged STEP 4 In the Email Alert area specify the syslogs to be sent on schedule Email Alert Shows if the Syslog Email is enabled or disabled From Email Address The email address of the SMTP email account to send...

Страница 310: ...hoose this option specify the time to send the syslogs in the Time field Weekly Sends the syslogs on a weekly basis If you choose this option specify the day of the week in the Day field and the time in the Time field Day If syslogs are sent on a weekly basis choose the day of the week Time Choose the time of day when syslogs should be sent Severity Levels Description Emergency level 0 highest sev...

Страница 311: ...ample If you select Critical all log messages listed under the Critical Emergency and Alert categories are saved to the local syslog daemon STEP 7 Click Save to apply your settings Configuring the Log Facilities A variety of events can be captured and logged for review These logs can be saved to the local syslog daemon or to a specified remote syslog server or be emailed to a specified email addre...

Страница 312: ...Log heading to enable the local log settings for all log facilities or check the box of a log facility to enable the local log settings for the selected log facility If you enable this feature the logs that belong to the selected facilities and match up with the specified severity level for Local Log can be saved to the local syslog daemon NOTE For more information about the Email Alert Remote Log...

Страница 313: ... the Logs table The logs can be sorted by clicking the cellheading in the table By default the logs are sorted by the time For example if you click Severity the logs are sorted by the severity level in ascending sequence Double click Severity the logs are sorted by the severity level in descending sequence STEP 5 You can specify how many logs are displayed in the table per page If one page cannot ...

Страница 314: ...e Credentials The Device Credentials window opens The device credential information is requested by Cisco sales or support for licensing purpose STEP 3 Click Email Alert Settings the Email Alert Settings window opens You can see the following settings of the License Expiration Alert We recommend that you enable the License Expiration Alert feature so that the system can send an alert email to remi...

Страница 315: ...EP 3 Click Renew The Install License window opens STEP 4 The license can be a license code PAK or a license file downloaded from cisco com Choose the license type from the License Type drop down list License Code PAK from cisco com Automatically retrieves and installs the license on the security appliance from the Cisco server If you choose this option enter the following credential information Th...

Страница 316: ...cation It includes the following sections Viewing the Certificate Status page 310 Managing the Certificates page 311 Viewing the Certificate Status STEP 1 Click Device Management Certificate Management The Certificate Management window opens All existing certificates are listed in the table The following certificate information is displayed Certificate The certificate name Type The certificate typ...

Страница 317: ...Managing the Certificates Perform the following tasks to manage different types of certificates To export a local certificate or a CSR to your PC check the box and click Download See Exporting the Certificates to Local PC page 312 Certificate Types Details CA Certificate or Local Certificate Name Name used to identify this certificate Issuer Name of the CA that issued the certificate Subject Name ...

Страница 318: ...nerate a CSR click New Signing Request See Generating New Certificate Signing Requests page 315 To delete a certificate or a CSR check the box and click Delete To delete multiple entries check the boxes of multiple entires and click Delete Selection Exporting the Certificates to Local PC You can export a local certificate or a CSR to your local PC The CA certificate is not allowed to export STEP 1...

Страница 319: ...d USB device in PEM format If you are downloading a local certificate the Export Certificate to USB window opens Enter a password in the Enter Export Password field to protect the certificate file and then click Export The certificate file will be saved on the mounted USB device in p12 format Importing the Certificates from Your Local PC You can import a local or CA certificate from your local PC ...

Страница 320: ...EP 2 To import a local or CA certificate from the USB device click Import from USB The Import Certificates window opens All available local certificates and CA certificates appear in the list STEP 3 Check the box of the certificate file enter the certificate name in the Certificate Name field and the protection password in the Import Password field and then click Import Importing the Signed Certif...

Страница 321: ...s of your location Organization Name Enter your organization name Organization Unit Name Enter your department name Common Name Enter the common name for the certificate E mail Address Enter your email address Subject Distinguished Name After you enter the above information the Distinguished Name DN is created in this field Subject Key Type Displays the signature algorithm RSA used to sign the cer...

Страница 322: ...k On to enable SMTP authentication Users need to provide the SMTP account information for authentication Account Enter the user name of the SMTP email account Password Enter the password of the SMTP email account From Email Address Enter the email address to send the alert messages To Email Address Enter the email address to receive the alert messages This email address is used to receive all aler...

Страница 323: ... negotiation fails To Email Address Enter the email address to receive the alert messages IPS Alert Sends an alert email if an attack is detected over the specified email alert threshold for IPS categories or IM and P2P applications You first need to enable the IPS service and specify the email alert thresholds for the IM and P2P Blocking feature and or the IPS Policy and Protocol Inspection featu...

Страница 324: ...reshold Setting Enter the threshold value of CPU utilization Debug Support Sends the debug support package zip that is generated by the System Diagnostics settings for debugging purposes To specify the contents to be compressed in a file in the zip format see System Diagnostics page 327 To Email Address Enter the email address to receive the alert messages Anti Virus Alert Sends an alert email if ...

Страница 325: ...he table STEP 2 To edit the settings of the predefined RADIUS group click Edit in the Configuration column After you click Edit the RADIUS Group Edit window opens STEP 3 Enter the following information Primay RADIUS Server IP Enter the IP address of the primary RADIUS server Primay RADIUS Server Port Enter the port number on the primary RADIUS server that is used to send the RADIUS traffic The def...

Страница 326: ...ngs Configuring the Time Zone Use the Time Zone Clock Settings page to manually configure the time zone and clock settings or to dynamically synchronize the time zone and clock settings with the Network Time Protocol NTP server STEP 1 Click Device Management TimeZone Clock Settings The Time Zone and Clock Settings window opens STEP 2 Click Manual to manually set the date and time Enter the values ...

Страница 327: ...scovery The security appliance supports the following tools to discover the devices UPnP page 321 Bonjour page 322 CDP page 323 LLDP page 324 UPnP UPnP Universal Plug and Play allows for automatic discovery of devices that can communicate with your security appliance The UPnP Portmap table displays the port mapping entries of the UPnP enabled devices that accessed your security appliance STEP 1 Cl...

Страница 328: ...otocol Bonjour only advertises the default services configured on the security appliance when Bonjour is enabled STEP 1 Click Device Management Discovery Bonjour The Bonjour window opens STEP 2 In the Bonjour Configuration area click On to enable Bonjour or click Off to disable it If you enable Bonjour all default services are enabled STEP 3 In the Enabled Default Service area the default enabled ...

Страница 329: ...anagement Discovery CDP The CDP window opens STEP 2 In the CDP Configuration area enter the following information CDP Choose one of the following options Enable All Enables CDP on all ports supported by the security appliance Disable All Disables CDP on all ports supported by the security appliance Per Port Configures CDP on selective ports CDP Timer Enter the value of the time interval between tw...

Страница 330: ...formation Base MIB The network management system models the topology of the network by querying these MIB databases STEP 1 Click Device Management Discovery LLDP The LLDP window opens STEP 2 Click On to enable LLDP or click Off to disable it If you enable LLDP the LLDP neighbors are listed in the LLDP Neighbor table STEP 3 To view the detail of a LLDP neighbor check the box and click Details STEP ...

Страница 331: ...the range of 32 to 65500 bytes to ping The security appliance will send the packet with the specified size to the destination Ping Time Enter the times to ping The security appliance will send the packet for specific times to check the connectivity with the destination IP address STEP 3 Click Start Ping to ping the IP address or the URL or click Stop Ping to stop pinging Tracert Use the Tracert pa...

Страница 332: ...ok up in the IP Address or Domain Name field STEP 3 Click Run Lookup to query the server on the Internet If the host or domain name exists you will see a response with the IP address STEP 4 Click Cleanup Result to clean up the querying result Packet Capture Use the Packet Capture page to capture all packets that pass through a selected interface STEP 1 Click Device Management Diagnostics Packet Ca...

Страница 333: ...les for system diagnosis Syslog File Click On to compress the syslog files for system diagnosis System Status Click On to compress the system status data for system diagnosis STEP 3 In the Password Protection area you can set a password to secure the compressed file Password Protection Click On to enable password protection or click Off to disable it Password If you enable the password protection ...

Страница 334: ...asure and limit the traffic routed by the security appliance You can enable the traffic meter settings for both primary WAN and secondary WAN if applicable STEP 1 Click Device Management Traffic Meter Primary WAN Settings The Primary WAN Settings window opens NOTE To configure the traffic meter settings for the secondary WAN if applicable click Device Management Traffic Meter Secondary WAN Setting...

Страница 335: ...it if the monthly traffic limit has been reached or click Off to disable it If you enable this feature enter the amount of the increase in this field This Month Limit The data transfer limit applicable for this month that is the sum of the values in the Monthly Limit field and the Increase this month limit by field STEP 3 In the Traffic Counter area enter the following information Traffic Counter ...

Страница 336: ...itoring and management protocol If you enable ViewMaster the devices accept the HTTP or HTTPS connections with the Local Management Agent that is embodied in the security appliance STEP 1 Click Device Management ViewMaster The ViewMaster window opens Start Date Time The date on which the traffic meter was started or the last time when the traffic counter was reset Outgoing Traffic Volume The volum...

Страница 337: ... you want to download the IPS signatures or automatically update the IPS signatures you are required to provide the CCO account information To register a CCO account on the Cisco com go to https tools cisco com RPF register register do STEP 1 Click Device Management CCO Account The CCO Account window opens STEP 2 Enter the following information User Name Enter the name of your registered CCO accou...

Страница 338: ... an unique domain name to identify your network STEP 3 Click Save to apply your settings Configuring the Debug Settings Use the Debug Setting page to enable the SSH version 2 server for debugging purposes STEP 1 Click Device Management Debug Setting The Debug Setting window opens STEP 2 Click On to enable the SSH version 2 server for debugging or click Off to disable it This feature allows the eng...

Страница 339: ...n between the PC and the security appliance STEP 2 Ensure that the IP address of your PC is on the same subnet as the security appliance If you are using the recommended addressing scheme your PC s address should be in the range 192 168 1 100 to 192 168 1 200 STEP 3 Check the IP address of your PC If the PC cannot reach a DHCP server some versions of Windows and MacOS generate and assign an IP add...

Страница 340: ... LOCK is off when entering this information Symptom The security appliance does not save my configuration changes Recommended Actions STEP 1 When entering configuration settings click OK or Save before moving to another page or tab otherwise your changes are lost STEP 2 Click Refresh or Reload in the browser which will clear a cached copy of the old configuration Symptom The security appliance can...

Страница 341: ... obtain an IP address from the ISP Recommended Actions STEP 1 Click Networking WAN in the left hand navigation pane STEP 2 Click Edit The WAN Add Edit window opens STEP 3 Ask your ISP the following questions What type of network addressing mode is required for your Internet connection In the IPv4 tab choose the correct ISP connection type in the IP Address Assignment drop down list and then enter ...

Страница 342: ...ed a network Time Server NTS Recommended Actions STEP 1 If you have just configured the security appliance wait at least 5 minutes click Device Management Time Zone Clock Settings in the left hand navigation pane STEP 2 Review the settings for the date and time STEP 3 Verify your Internet access settings Symptom The time is off by one hour Possible Cause The security appliance does not automatical...

Страница 343: ...rity Appliance STEP 1 On your PC click the Windows Start button and then click Run STEP 2 Type ping IP_address where IP_address is the IP address of the security appliance Example ping 192 168 1 1 STEP 3 Click OK STEP 4 Observe the display If the path is working you see this message sequence Pinging IP address with 32 bytes of data Reply from IP address bytes 32 time NN ms TTL xxx If the path is n...

Страница 344: ...ollowing Check that the PC has the IP address of your security appliance is listed as the default gateway If the IP configuration of your PC is assigned by DHCP this information is not visible in your PC s Network Control Panel Verify that the network subnet address of your PC is different from the network address of the remote device Verify that the cable or DSL modem is connected and functioning...

Страница 345: ...nfiguration in the left hand navigation pane In the Backup Restore Settings area click Default Or press and hold the RESET button on the back panel of your security appliance for about 3 seconds until the LED lights and then blinks Release the button and wait for the security appliance to reboot If the security appliance does not restart automatically manually restart it to make the default settin...

Страница 346: ...NZS 60950 1 UL 60950 1 CAN CSA C22 2 No 60950 1 EN 60950 1 IEC 60950 1 AS NZS 60950 1 Standards EMC 47CFR FCC Part 15B Industry Canada ICES 003 EN55022 EN55024 EN61000 3 2 EN61000 3 3 CISPR22 CISPR24 AS NZS CISPR22 47CFR FCC Part 15B Industry Canada ICES 003 EN 301 489 01 EN 301 489 17 EN55024 EN61000 3 2 EN61000 3 3 CISPR22 CISPR24 AS NZS CISPR22 47CFR FCC Part 15B Industry Canada ICES 003 EN5502...

Страница 347: ... 45 connector for WAN port 4 X RJ 45 connector for LAN WAN or DMZ port 1 X USB connector for USB 2 0 1 X Power switch 2 X external antennas 4 X RJ 45 connectors for LAN port 1 X RJ 45 connector for WAN port 5 X RJ 45 connector for LAN WAN or DMZ port 1 X USB connector for USB 2 0 1 X Power switch 4 X RJ 45 connectors for LAN port 1 X RJ 45 connector for WAN port 5 X RJ 45 connector for LAN WAN or ...

Страница 348: ...Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz NormalFrequency 50 to 60 Hz Frequency Variation Range 47 Hz to 63 Hz Output Voltage Regulation 11 4 V to 12 6 V 11 4 V to 12 6 V 11 4 V to 12 6 V 11 4 V to 12 6 V Output Current MAX 2 5 A MAX 2 5 A MAX 1 667 A MAX 1 667 A Physical Specifications Form Factor 1...

Страница 349: ...efined service and address objects It includes the following setions Device Management page 343 User Management page 346 Networking page 347 Wireless page 352 VPN page 353 Security Services page 356 Firewall page 357 Reports page 359 Default Service Objects page 360 Default Address Objects page 363 Device Management Features Settings Remote Management enable Remote Managaement by using HTTPS enabl...

Страница 350: ...Maximum Hops for Tracert 5 System Diagnostics disable Password Protection disable Syslog Settings disable Logs Facility Email Alert Kernel System Remote Log Kernel System Local Log Kernel System Time Zone and Clock Settings Dynamic Date Time GMT 00 00 Edinburgh London Automatically Adjust for Daylight Savings Time disable Use Default NTP Servers enable Maximum Certificate Number 128 SNMP disable S...

Страница 351: ...Settings disable Traffic Meter Secondary WAN Settings disable ViewMaster enable RADIUS Groups 3 RADIUS Server Port 1812 SMTP Authentication disable Email Alert Settings disable WAN UP DOWN Alert disable IPSec Alert disable Firmware Upgrade Alert disable License Expiration Alert disable CPU Overload Alert disable Debug Support disable Anti Virus Alert disable Syslog Email disable Debug Support disa...

Страница 352: ... enable Default Administrator Account User Name cisco Password cisco Available User Login Authentication Methods Local Database RADIUS RADIUS Local Database LDAP LDAP Local Database Default User Login Authentication Method Local Database RADIUS Settings for Authentication RADIUS Server Index 1 RADIUS Server Timeout 10 seconds Retries 3 RADIUS Users Settings Allow Only Users Listed Locally disable ...

Страница 353: ...l Version LDAP version3 LDAP Schemas Microsoft Active Directory RFC2789 InetOrgPerson RFC2307 Network Information Service LDAP Users Allow Only Users Listed Locally disable LDAP Users Default LDAP User Group None User Session Settings Inactivity timeout 5 minutes Login Session Limit for Web Logins disable Feature Settings Feature Settings IPv4 IPv6 Routing Mode IPv4 only Physical Interface Number ...

Страница 354: ...ss Assignment DHCPC WAN1 MTU Auto WAN1 MTU Value 1500 WAN1 Zone Mapping WAN Port Based Access Control disable Default Setting for WAN Redundancy Equal load balancing Round robin Default Settings for Weighted Loading Balancing Weighted By Percentage WAN1 50 Weighted By Percentage WAN2 50 Weighted By Link Bandwidth WAN1 1 1 to 1000 Weighted By Link Bandwidth WAN2 1 1 to 1000 Default Settings for WAN...

Страница 355: ...DHCP Server DHCP Pool Start IP 192 168 1 100 DHCP Pool End IP 1 192 168 1 200 Lease Time 1 day Default Gateway 192 168 1 1 GUEST VLAN VID 2 IP Address 192 168 2 1 Subnet 255 255 255 0 Mapped Zone GUEST Spanning Tree disable DHCP Pool Settings DHCP Server DHCP Pool Start IP 192 168 2 100 DHCP Pool End IP 1 192 168 2 200 Lease Time 1 day Default Gateway 192 168 2 1 Zones Maximum number of Zones 32 P...

Страница 356: ...000000 WAN2 Upstream limit 0 0 to 1000000 WAN QoS Queue Settings WAN1 Queueing Method SP WAN2 Queueing Method SP Maximum number of Traffic Selectors 256 Maximum number of Traffic Selectors associated with one WAN QoS Policy Profile 64 LAN QOS disable LAN Queueing Method SP Classification Method DSCP for all ports Mapping Cos to Queue Mapping all CoS values to Queue4 Mapping DSCP to Queue Mapping a...

Страница 357: ...eue1 CoS 7 Queue1 Mapping DSCP to Queue DSCP 000xxx Queue3 DSCP 001xxx Queue4 DSCP 010xxx Queue4 DSCP 011xxx Queue3 DSCP 100xxx Queue2 DSCP 101xxx Queue2 DSCP 110xxx Queue1 DSCP 111xxx Queue1 Service Management Maximum number of Group Service Objects 64 Maximum number of Service Objects 256 Address Management Maximum number of Group Address Objects 64 Maximum number of Address Objects 512 VRRP dis...

Страница 358: ...adio enable Wireless Network Mode 802 11b g n mixed Wireless Channel Auto Bandwidth Channel Lower U APSD disable SSID Isolation between SSIDs disable Default SSIDs enable Default SSIDs cisco data cisco guest cisco3 cisco4 SSID Broadcast for All SSIDs enable Station Isolation between clients disable Security Mode for All SSIDs Open WMM for All SSIDs disable Connection Control MAC Address Filtering ...

Страница 359: ...46 Power Output 100 Wi Fi Protected Setup WPS disable Rogue AP Detection disable Captive Portal disable Feature Settings Feature Settings Site to Site VPN disable Site to Site VPN policies Maxinum number of Site to Site VPN policies 100 for ISA570 and ISA570W and 50 for ISA550 and ISA550W PFS enable DPD enable DPD Delay Time 30 10 to 300 DPD Detection Timeout 120 120 to 1800 DPD Action Hold Authen...

Страница 360: ... Hash SHA1 Authenication Pre shared Key D H Group group_5 Encryption AES256 Lifetime 24 hours Transform policies Maximum number of Transform policies 16 Integrity ESP_MD5_HMAC Encryption ESP_3DES Cisco IPSec VPN Server disable Maximum number of group policies 16 WAN Failover disable Authentication Method Pre shared Key Network Mode Client mode Zone based Access Control Permit Split Tunnel disable ...

Страница 361: ... Authentication Method Pre shared Key Network Mode Client mode Zone based Access Control Permit SSL VPN disable Gateway Interface WAN1 Gateway Port 443 Certificate File default Idle Timeout 2100 Session Timeout 43200 Client DPD Timeout 300 Gateway DPD Timeout 300 Keep Alive 30 Lease Duration 43200 Max MTU 1406 Rekey Method SSL Rekey Interval 3600 Maximum number of SSL VPN group policies 32 L2TP Se...

Страница 362: ...le IPSec Passthrough enable PPTP Passthrough enable L2TP Passthrough enable Feature Settings Feature Settings Intrusion Prevention Service disable Automatically Update Signatures disable Select which zone to block intrusion WAN zone Anti Virus disable Select which zone to scan for viruses WAN zone Maximum Scan Compression File Size 0 Web URL Filter disable Policy to zone mapping for all predefined...

Страница 363: ...ices are unavailable All all web traffic until Web Repuation Filter services are restored Email Reputation Filter disable Reputation Threshold Conservative Custom Spam Threshold 5 Custom Suspect Spam Threshold 3 Action for SPAM BLOCK Action for SUPECT SPAM TAG Action when Email Reputation Filter services are unavailable All all web traffic until Email Reputation Filter services are restored Networ...

Страница 364: ...s 15 Maximum number of Advanced NAT rules 16 Session Settings Maximum number of Connections 60000 1000 to 60000 TCP Timeout 1200 5 to 3600 UDP Timeout 180 5 to 3600 Attack Protection Block Ping WAN interface enable Enable Stealth Mode disable Block TCP Flood Threshold 200 per seconds disable Block UDP Flood Threshold 200 per seconds disable Block ICMP Notification enable Block Fragmented Packets d...

Страница 365: ...LG enable Content Filtering disable HTTP port for content filtering 80 Permit or block web components Proxy Java ActiveX Cookies permit MAC Filtering disable Maximum number of MAC Filtering rules 100 Maximum number of IP MAC Binding rules 100 Features Settings Feature Settings IP Bandwidth Report disable Service Bandwidth Report disable TopN Web Report disable WAN Bandwidth Report disable Security...

Страница 366: ...port disable Email Security Blocked Report disable Anti Virus Report disable Feature Settings Service Name Protocol Port Start Port End Remarks AIM CONNECT TCP 4443 4443 Direct connect AIM CHAT TCP 5190 5190 File transfer and chat BGP TCP 179 179 BOOTP_client UDP 68 68 BOOTP_server UDP 67 67 CU SEEME TCP UDP 7648 7652 Server control port 7648 Client contact port 7649 Data stream over UDP port 7648...

Страница 367: ...ou public it on the Internet or use the active mode for 21 public 21 active mode not passive HTTP TCP 80 80 HTTPS TCP 443 443 ICMP TYPE 0 ICMP ICMP TYPE 3 ICMP ICMP TYPE 4 ICMP ICMP TYPE 5 ICMP ICMP TYPE 6 ICMP Alternate host address ICMP TYPE 7 ICMP ICMP TYPE 8 ICMP ICMP TYPE 9 ICMP ICMP TYPE 10 ICMP ICMP TYPE 11 ICMP ICMP TYPE 13 ICMP ICQ TCP 5190 5190 IMAP TCP 143 143 IMAP2 TCP 143 143 Service ...

Страница 368: ...119 NNTP over SSL uses the port 563 POP3 TCP 110 110 PPTP TCP 1723 1723 L2TP UDP 1701 1701 RCMD TCP 512 512 REAL AUDIO TCP 7070 7070 REXEC TCP 512 512 RLOGIN TCP 513 513 RTELNET TCP 107 107 RTSP TCP UDP 554 554 SFTP TCP 115 115 SMTP TCP 25 25 SNMP TCP UDP 161 161 SNMP TRAPS TCP UDP 162 162 SQL NET TCP 1521 1521 SSH TCP UDP 22 22 STRMWORKS UDP 1558 1558 TACACS TCP 49 49 TELNET TCP 23 23 Service Nam...

Страница 369: ... 69 69 RIP UDP 520 520 IKE UDP 500 500 ISAKMP UDP 500 500 SHTTPD TCP 8080 8080 SHTTPDS TCP 443 443 IDENT TCP 113 113 VDOLIVE TCP 7000 7000 SSH TCP UDP 22 22 SIP TCP UDP 5060 5060 DHCP UDP 67 67 ESP IP Protocol 50 IPSEC UDP ENCAP UDP 4500 4500 Service Name Protocol Port Start Port End Remarks Address Name Type Start IP End IP WAN1_IP Host 192 168 100 100 192 168 100 100 WAN1_GW Host 192 168 100 1 1...

Страница 370: ...168 1 1 192 168 1 1 DEFAULT_WINS1 Host 192 168 1 1 192 168 1 1 DEFAULT_WINS2 Host 192 168 1 1 192 168 1 1 DEFAULT_NETWORK Network 192 168 1 0 192 168 1 255 GUEST_IP Host 192 168 2 1 192 168 2 1 GUEST_GW Host 192 168 2 1 192 168 2 1 GUEST_DNS1 Host 192 168 2 1 192 168 2 1 GUEST_DNS2 Host 192 168 2 1 192 168 2 1 GUEST_WINS1 Host 192 168 2 1 192 168 2 1 GUEST_WINS2 Host 192 168 2 1 192 168 2 1 GUEST_...

Страница 371: ...ort Community www cisco com go smallbizsupport Cisco Small Business Support and Resources www cisco com go smallbizhelp Phone Support Contacts www cisco com go sbsc Firmware Download www cisco com go isa500software Product Documentation Cisco ISA500 Series Integrated Security Appliance Technical Documentation www cisco com go isa500resources Cisco Small Business Cisco Partner Central for Small Bus...

Отзывы:

Нет отзывов

Похожие инструкции для ISA500 Series

IBM 2210 Installation And Initial Configuration Manual preview
2210
Бренд: IBM Страницы: 72
D-Link DXS-3610-54S Quick Installation Manual preview
DXS-3610-54S
Бренд: D-Link Страницы: 38
D-Link DWL-3150 Install Manual preview
DWL-3150
Бренд: D-Link Страницы: 8
D-Link DSS-8+ Manual preview
DSS-8+
Бренд: D-Link Страницы: 22
D-Link DSS-5+ Manual preview
DSS-5+
Бренд: D-Link Страницы: 20
D-Link DSS-24+ Technical Specifications preview
DSS-24+
Бренд: D-Link Страницы: 2
D-Link DSS-24+ Manual preview
DSS-24+
Бренд: D-Link Страницы: 16
D-Link DI-804V Quick Install Manual preview
DI-804V
Бренд: D-Link Страницы: 12
D-Link DIR-615 - Wireless N Router Installation Manual preview
DIR-615 - Wireless N Router
Бренд: D-Link Страницы: 13
D-Link Cobra DSL-5300 User Manual preview
Cobra DSL-5300
Бренд: D-Link Страницы: 124
D-Link Web Smart DES-1210-28P Selection Manual preview
Web Smart DES-1210-28P
Бренд: D-Link Страницы: 6
D-Link 2Voice + 4SW VoIP Router DVG-1402S User Manual preview
2Voice + 4SW VoIP Router DVG-1402S
Бренд: D-Link Страницы: 57
D-Link xStack Storage DSN-4000 Series Manual preview
xStack Storage DSN-4000 Series
Бренд: D-Link Страницы: 23
D-Link Express EtherNetwork DI-604 Brochure preview
Express EtherNetwork DI-604
Бренд: D-Link Страницы: 7
D-Link xStack Storage DSN-4000 Series Cli User'S Manual preview
xStack Storage DSN-4000 Series
Бренд: D-Link Страницы: 97
D-Link SharePort DIR-825 Quick Start Manual preview
SharePort DIR-825
Бренд: D-Link Страницы: 2
D-Link Amplifi DIR-645 Quick Installation Manual preview
Amplifi DIR-645
Бренд: D-Link Страницы: 28
GE Mini Field Agent User Manual preview
Mini Field Agent
Бренд: GE Страницы: 87

Бренды по названию

Популярные бренды

Загрузить еще бренды