Summary of Contents for Cisco QuickVPN - PC
ADMINISTRATION GUIDE Cisco Small Business Pro SA 500 Series Security Appliances...
Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc.
Contents Chapter 1: Getting Started Feature Overview Device Overview Front Panel Rear Panel Installation Installation Options Hardware Installation Getting Started with the Configuration Utility Connecting to the Configuration Utility Using the Getting Started Pages Navigating Through the Configuration Utility Using the Help System About the Default Settings Basic Tasks Changing the Default User Name and Password...
Contents VPN Status IPSec VPN Connection Status SSL VPN Status View Logs Status View All Logs IPSec VPN Logs Policy Enforcement Logs Active Users CDP Neighbor LAN Devices Chapter 3: Networking Configuring the WAN Connection Viewing the WAN Status Creating PPPoE Profiles Configuring the LAN About the Default LAN Settings Configuring the LAN...
Contents Creating VLAN IDs Assigning VLANs to LAN Ports Multiple VLAN Subnets Routing Routing Static Routing Dynamic Routing Port Management Configuring the Ports Configuring SPAN (Port Mirroring) Bandwidth Profiles Creating Bandwidth Profiles Traffic Selectors Dynamic DNS Configuring IPv6 Addressing IP Routing Mode Configuring the IPv6 WAN Connection Configuring the IPv6 LAN IPv6 LAN Address Pools...
Contents DSCP Remarking Chapter 4: Wireless Configuration for the SA 520W Configuring an Access Point Step 1: Configuring the Wireless Profiles Profile Advanced Configuration Configuring the QoS Settings for a Wireless Profile Controlling Wireless Access Based on MAC Addresses Step 2: Configuring the Access Points Configuring the Radio Basic Radio Configuration Advanced Radio Configuration...
Contents Configuring IP/MAC Binding to Prevent Spoofing Chapter 6: Intrusion Prevention System Configuring IPS Configuring the IPS Policy Configuring the Protocol Inspection Settings Configuring Peer-to-Peer Blocking and Instant Messaging Chapter 7: Using Cisco ProtectLink Security Services Chapter 8: Configuring VPN About VPN Configuring a Site-to-Site VPN Tunnel Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client...
Contents Managing User Credentials for VeriSign Service Chapter 9: Administration Users Domains Groups Adding or Editing User Settings Adding or Editing User Login Policies Maintenance Managing Licenses Upgrading Firmware and Working with Configuration Files Maintaining the USB Device Using the Secondary Firmware Diagnostics Measuring and Limiting Traffic with the Traffic Meter Configuring the Time Settings...
Contents Appendix A: Trouble Shooting Internet Connection Date and Time Pinging to Test LAN Connectivity Restoring Factory-Default Configuration Settings Appendix B: Standard Services Appendix C: Technical Specifications and Environmental Requirements Appendix D: Factory Default Settings General Settings Router Settings Wireless Settings Storage Security Settings Appendix E: Where to Go From Here...
Getting Started This chapter describes the SA 500 and provides scenarios to help you to begin configuring your security appliance to meet the needs of your business. • Feature Overview, page 10 • Installation Options, page 13 • Hardware Installation, page 16 •...
Getting Started Feature Overview
Feature             SA 520                                            SA 520W                                           SA 540
LAN Ports
Wireless (802.11n)
IPsec (# seats)     Yes (50)                                          Yes (50)                                          Yes (100)
SSL (# seats)       Includes 2 seats. With license, up to 25 seats.   Includes 2 seats. With license, up to 25 seats.   Included (50)
Getting Started Feature Overview LINK/ACT LED—(Green) When lit, indicates that a connection is being made through the port. When flashing, the port is active. WLAN LED—(Green) When lit, indicates that wireless is enabled (SA 520W). Rear Panel POWER Switch—Turns the security appliance on or off. POWER Connector—Connects the security appliance to power using the supplied power cable.
Getting Started Installation Installation This section guides you through the installation of your security appliance. Refer to the following topics: • Installation Options, page 13 • Hardware Installation, page 16 Installation Options You can place your security appliance on a desktop, mount it on a wall, or mount it in a rack.
Getting Started Installation Wall Mounting STEP 1 Insert two 17 mm screws, with anchors, into the wall 15 cm apart (about 5.9 inches). Leave 3-4 mm (about 1/8 inch) of the head exposed.
Getting Started Installation STEP 2 Position the unit so that the wall-mount slots are over the two screws. Slide the unit down until the screws fit snugly into the wall-mount slots. Rack Mounting You can mount the security appliance in any standard size, 19-inch (about 48 cm) wide rack.
Getting Started Installation STEP 1 Remove the four screws from each side of the security appliance. STEP 2 Place one of the supplied spacers on the side of the security appliance so that the four holes align to the screw holes. Place a rack mount bracket next to the spacer and reinstall the screws.
Getting Started Installation STEP 4 For network devices, connect an Ethernet network cable from the network device to one of the dedicated LAN ports on the back panel. STEP 5 For a UC 500, connect an Ethernet network cable from the WAN port of the UC 500 to an available LAN port of the security appliance.
Getting Started Getting Started with the Configuration Utility Getting Started with the Configuration Utility The Configuration Utility web page is a web-based device manager that is used to provision the SA 500 Series Security Appliances. To use this utility, you must be able to connect to the SA 500 Series Security Appliances from your administration PC or laptop.
Getting Started Getting Started with the Configuration Utility STEP 4 Enter the default user name and password: • Username: cisco • Password: cisco STEP 5 Click Log In. The Getting Started (Basic) page appears. For more information, see Using the Getting Started Pages. You can use the Cisco Configuration Assistant to launch the Configuration Utility if you are using the security appliance with a CCA-supported device, such as the UC 500.
Getting Started Getting Started with the Configuration Utility Using the Getting Started Pages The Getting Started pages provide help with common configuration tasks. • Find a task that you need to perform, and then click a link to get started. Proceed in order through the listed links.
Getting Started Getting Started with the Configuration Utility Figure 2 Getting Started (Advanced) Page
Getting Started Getting Started with the Configuration Utility Navigating Through the Configuration Utility Use the menu bar and the navigation tree to perform tasks in the Configuration Utility. Figure 3 Menu Bar and Navigation Tree 1. Menu Bar: Click an item in the menu bar at the top of the page to choose a module of the Configuration Utility.
Getting Started Getting Started with the Configuration Utility Using the Help System The Configuration Utility includes detailed Help files for all configuration tasks. To view a Help page, click the Help link in the top right corner of the screen. A new window appears with information about the page that you are currently viewing.
Getting Started About the Default Settings About the Default Settings The SA 500 Series Security Appliances are pre-configured with settings that allow you to start using the device with minimal changes needed. Depending on the requirements of your Internet Service Provider (ISP) and the needs of your business, you might need to modify some of these settings.
Getting Started Basic Tasks However, for security purposes, it is strongly recommended that you configure the profile with the appropriate security settings. See Scenario 7: Wireless Networking. • Administrative Access: You can access the Configuration Utility by using a web browser and entering the default IP address of 192.
Getting Started Basic Tasks NOTE The User Type and Group cannot be changed for this account. • Check to Edit Password: Check this box to enable the password fields. • Enter Your Password: Enter the current password. The default password for this new security appliance is cisco.
Getting Started Common Configuration Scenarios STEP 3 In the Upgrade Firmware section of the Getting Started (Basic) page, click the Install the updated firmware link. The Firmware & Configuration (Network) page appears. STEP 4 In the Firmware Upgrade area, click Browse. Find the file that you downloaded. Click Upload.
Getting Started Common Configuration Scenarios Scenario 1: Basic Network Configuration with Internet Access [Figure: the SA 500 sits between the outside network (Internet, Internet access device) and the private network of a laptop computer, a personal computer and a printer.] In a basic deployment for a small business, the security appliance enables communication between the devices on the private network and also allows computers to access the Internet.
Getting Started Common Configuration Scenarios Consider the following first steps: 1. Review the WAN configuration and make any changes that are needed to set up your Internet connection. In the WAN & LAN Connectivity section of the Getting Started (Basic) page, click the WAN settings link.
Getting Started Common Configuration Scenarios 6. Consider whether you need to allow access to your network from remote sites or remote workers. See Scenario 6: Site-to-Site Networking and Remote Access. 7. Consider whether you need to enable features such as logging or remote access to the configuration utility.
Getting Started Common Configuration Scenarios With the default configuration, the security appliance acts as a DHCP server that assigns IP addresses in the range of 192.168.75.x. IP Phones are assigned IP addresses in the address range 10.1.1.x/24. 3.
Getting Started Common Configuration Scenarios Configuration tasks for this scenario: To start configuring your firewall rules, use the Firewall and NAT Rules links on the Getting Started (Advanced) page. For more information, see Configuring Firewall Rules to Control Inbound and Outbound Traffic, page 121.
Getting Started Common Configuration Scenarios NOTE The default WAN and LAN settings might be sufficient for your deployment, but consider the steps outlined in Scenario 1: Basic Network Configuration with Internet Access. Configuration tasks for this scenario: To start configuring a DMZ, use the links in the DMZ Port section of the Getting Started (Advanced) page.
Getting Started Common Configuration Scenarios IPSec VPN for Site-to-Site VPN For site-to-site VPN, you can configure an IPSec tunnel with advanced encryption to maintain network security. [Figure: Site A and Site B, each with an SA 500, connected across the Internet; outside addresses 209.165.200.236 and 209.165.200.226; inside networks 10.10.10.0 and 10.20.20.0.]
Getting Started Common Configuration Scenarios IPSec VPN Remote Access with a VPN Client For remote access by users who have an IPSec VPN client on the PC, you can configure an IPSec VPN client tunnel for secure access. This option requires installing and maintaining the VPN client software for these remote sites and users.
Getting Started Common Configuration Scenarios SSL VPN Remote Access With a Web Browser For remote access by users who have no special software on the PC, such as contractors who need access to some or all of your network resources, SSL VPN is a flexible and secure way to extend your network resources.
Getting Started Common Configuration Scenarios Scenario 7: Wireless Networking With the SA 520W, you can configure your wireless network to meet the demands of your physical environment and to control access to your network resources. [Figure: wireless topology with a laptop computer and printer on the private network, and the outside network reached through the ISP router and the Internet.]
Status You can use the Status pages to review the status of your security appliance and to view logs. • Device Status, page 38 • VPN Status, page 43 • Active Users, page 48 • View Logs Status, page 46 •...
Status Device Status • Secondary Firmware Version: The previous version of firmware that was in use before the most recent upgrade. To switch to the secondary firmware version, see Using the Secondary Firmware, page 203. • Latest Image Available: Displays the latest image available for your device. This field is only displayed if automatic update is enabled from the Firmware &...
Status Device Status • IPv4 Connection Type: The method for obtaining a public IPv4 address. The IP address may be obtained dynamically through a DHCP server or may be assigned statically by the user. • IPv6 Connection Type: The method for obtaining a public IPv6 address. The IP address may be obtained dynamically through a DHCPv6 server or may be assigned statically by the user.
Status Device Status • Primary DNS: The primary DNS server IP address of the Optional port. • Secondary DNS: The secondary DNS server IP address of the Optional port. Port Statistics Use this page to view current statistics for the Dedicated WAN, Optional, LAN, and WLAN ports.
Status Device Status • Bytes: The number of transmitted/received (tx/rx) bytes of information reported to the radio, over all configured access points. • Errors: The number of transmitted/received (tx/rx) packet errors reported to the radio, over all configured access points. •...
Status VPN Status VPN Status IPSec VPN Connection Status Use this page to view current statistics for the IPsec connections. You can use buttons on the page to start or stop a connection. To open this page, click Status on the menu bar, and then click VPN Status > IPSec Status in the navigation tree. •...
Status VPN Status SSL VPN Status This page displays the current statistics for the SSL VPN Tunnel connections. You can use the buttons on the page to either start or stop connections. To open this page, click Status on the menu bar, and then click VPN Status > SSL VPN Status in the navigation tree.
Status VPN Status • Poll Interval: Enter a value in seconds for the poll interval. To modify the poll interval, click the Stop button and then click Start to restart the automatic refresh using the specified poll interval. • Start: Click to enable the automatic page refresh feature. •...
Status View Logs Status View Logs Status View All Logs Use this page to view the system message log contents generated by severity level and facility type. For information about configuring the logs, see Configuring the Logging Options, page 208. Click Status on the menu bar, and then click View Logs >...
Status View Logs Status STEP 3 Enter the Source and Destination IP address for filtering the firewall logs. Wildcard characters such as asterisk (*) and dot (.) are allowed in the source and destination address fields. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings. The log information is displayed in the Log Area.
Status Active Users Policy Enforcement Logs Use this page to view the system log which can be configured to log system events related to URL filtering. To open this page, click Status on the menu bar, and then click View Logs > Policy Enforcement Logs in the navigation tree. •...
Status CDP Neighbor CDP Neighbor The Cisco Discovery Protocol (CDP) provides information about other devices that are connected to this device and that support the CDP protocol. The page displays information specific to the device and identifies the network interface of this device on which the neighbor was discovered.
Networking You can use the pages in the Networking module to configure your Internet connection, LAN, DMZ, VLAN, routing, and related features. • Configuring the WAN Connection, page 50 • Configuring the LAN, page 56 • Configuring the Optional WAN, page 62 •...
Networking Configuring the WAN Connection Use the account information provided by your ISP to complete the fields on this page. STEP 1 Click Networking on the menu bar, and then click WAN > IPv4 Config in the navigation tree. —OR—From the Getting Started (Basic) page, under WAN & LAN Connectivity, click WAN settings.
Networking Configuring the WAN Connection STEP 4 If your ISP does not require a login, enter the following information in the Internet (IP) Address and Domain Name System (DNS) Servers areas: • IP Address Source: Your ISP assigns you an IP address that is either dynamic (newly generated each time you log in) or static (permanent).
Networking Configuring the WAN Connection STEP 6 If a MAC address source is required by your ISP, enter the following information in the Router’s MAC Address area: • MAC Address Source: Typically, you use the unique 48-bit local Ethernet address of the security appliance as your MAC address source. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, you can enter a different MAC address to use for this purpose.
Networking Configuring the WAN Connection Viewing the WAN Status You can check the WAN status, renew the connection, or release the connection. STEP 1 Click Networking on the menu bar, and then click WAN > WAN Status. The WAN Status page appears. This page displays the following types of information about the dedicated WAN and the optional WAN (if applicable): •...
Networking Configuring the WAN Connection Creating PPPoE Profiles If you have multiple PPPoE accounts, you can use this page to maintain the information. You can then associate a profile with the WAN interface as part of the WAN configuration. STEP 1 Click Networking on the menu bar, and then click WAN > PPPoE Profiles in the navigation tree.
Networking Configuring the LAN Configuring the LAN For most applications, the default DHCP and TCP/IP settings of the security appliance are satisfactory. However, you can use the LAN Configuration page to change these and other settings. • About the Default LAN Settings, page 56 •...
Networking Configuring the LAN Configuring the LAN STEP 1 Click Networking on the menu bar, and then click LAN > IPv4 Config in the navigation tree. —OR—From the Getting Started (Basic) page, under WAN & LAN Connectivity, click LAN Settings. The IPv4 LAN Configuration page appears.
Networking Configuring the LAN NOTE If you want to reserve certain IPs for particular devices, complete this procedure and then configure the reserved IP addresses. See DHCP Reserved IPs. DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay.
Networking Configuring the LAN • Enable IGMP Proxy: Check this box to allow the security appliance to act as a proxy for all IGMP requests and to communicate with the IGMP servers of the ISP. STEP 5 Click Apply to save your settings, or click Reset to revert to the saved settings. Next steps: NOTE...
Networking Configuring the LAN • DHCP server mode STEP 2 Click Apply to save your settings, or click Reset to revert to the saved settings. DHCP Reserved IPs Even when the security appliance is configured to act as a DHCP server, you can reserve certain IP addresses always to be assigned to specified devices.
Networking Configuring the LAN STEP 3 Enter the IP address and the MAC address of the device that you want to add. NOTE Each reserved IP address should be outside the configured DHCP pool addresses. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings. DHCP Leased Clients This page displays a list of the DHCP-assigned IP addresses and hardware...
Networking Configuring the Optional WAN Configuring the Optional WAN You can configure the Optional port for use as an optional WAN, allowing you to set up two ISP links for your network. You can use one link as the primary link and one for backup purposes, or you can configure load balancing to use both links at the same time.
Networking Configuring the Optional WAN STEP 4 If your Internet connection requires a login, enter the settings in the ISP Connection Type area: • ISP Connection Type: Choose the connection type, as specified by your service provider: PPTP, PPPoE, or L2TP. Then complete all fields that are highlighted with white backgrounds.
Networking Configuring the Optional WAN • DNS Server Source: DNS servers map Internet domain names (example: www.cisco.com) to IP addresses. You can get DNS server addresses automatically from your ISP or use ISP-specified addresses. Get Dynamically from ISP: Choose this option if you have not been assigned a static DNS IP address.
Networking Configuring the Optional WAN XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive), as in the following example: 01:23:45:67:89:ab STEP 8 Click Apply to save your settings, or click Reset to revert to the saved settings. Next steps: STEP 9...
Networking Configuring the Optional WAN NOTE If you want to configure load balancing, make sure that you configure both WAN ports with the Connectivity Type set to Keep Connection. If the WAN is configured to time out after a specified period of inactivity, then load balancing is not applicable.
Networking Configuring the Optional WAN When the security appliance is configured in Load Balancing mode, it checks the connection of both the links at regular intervals to detect the status. NOTE You can click the Protocol Bindings link to view, add, or edit the protocol bindings, but save your settings on this page first.
Networking Configuring the Optional WAN • Retry Interval is: Specify how often, in seconds, the security appliance should run the above configured failure detection method. • Failover after: Specify the number of retries after which failover is initiated. STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings. Next steps: NOTE...
Networking Configuring the Optional WAN STEP 1 Click Networking on the menu bar, and then click Optional Port > Protocol Bindings in the navigation tree. —OR—From the Getting Started (Advanced) page, under Secondary WAN Port, click Configure Protocol Bindings (Optional - if WAN Mode set to Load Balancing).
Networking Configuring a DMZ STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings. STEP 5 When you are ready, enable the new protocol bindings that you added. A new protocol binding is disabled until you enable it. Configuring a DMZ A DMZ (Demarcation Zone or Demilitarized Zone) is a subnetwork that is behind the firewall but that is open to the public.
Networking Configuring a DMZ Figure 6 Example DMZ with One Public IP Address for WAN and DMZ [Figure: the web server www.example.com in the DMZ has private IP address 172.16.2.30 behind the DMZ interface 172.16.2.1; source address translation maps it to the single public IP address 209.165.200.225, which is also the WAN address; the LAN interface is 192.168.75.1; a user reaches the server from the Internet.]
Networking Configuring a DMZ Figure 7 Example DMZ with Two Public IP Addresses [Figure: the router uses public IP address 209.165.200.225 and the web server www.example.com uses public IP address 209.165.200.226; source address translation maps 209.165.200.226 to the server's private IP address 172.16.2.30 behind the DMZ interface 172.16.2.1; the LAN interface is 192.168.75.1; a user reaches the server from the Internet.]
Networking Configuring a DMZ Configuring the DMZ Settings Follow this procedure to configure your DMZ port settings, and then create firewall rules to allow traffic to access the services on your DMZ. STEP 1 First configure the Optional port for use as a DMZ: a.
Networking Configuring a DMZ DHCP Server: Choose this option to allow the security appliance to act as a DHCP server and to assign IP addresses to all devices that are connected to the DMZ network. Also complete the fields that are highlighted with white backgrounds.
Networking Configuring a DMZ Next steps: NOTE • If you are using the Getting Started (Advanced) page, click Getting Started in the menu bar, and then click Advanced in the navigation tree to continue with the list of configuration tasks. •...
Networking Configuring a DMZ STEP 1 Click Networking on the menu bar, and then click Optional Port > DMZ Reserved IPs in the navigation tree. —OR—From the Getting Started (Advanced) page, under DMZ Port, click Configure DMZ DHCP Reserved IPs (Optional). The DMZ Reserved IPs page appears.
Networking VLAN Configuration VLAN Configuration The security appliance supports Virtual LANs (VLANs), which allow you to segregate the network into LANs that are isolated from one another. The default configuration provides for a data VLAN and a voice VLAN, which can be treated like two separate networks.
Networking VLAN Configuration HTTP Remote Access: disable HTTPS Remote Access: disable • Voice VLAN: The VLAN is enabled with the VLAN ID 100. IP Address: 10.1.1.1 IP Address Distribution: DHCP Server Start IP Address: 10.1.1.50 End IP Address: 10.
Networking VLAN Configuration Creating VLAN IDs Before you can configure a new VLAN, you need to create the VLAN IDs. Later you will assign VLAN IDs to ports on the Port VLANs page. STEP 1 Click Networking on the menu bar, and then click VLAN > Available VLANs in the navigation tree.
Networking VLAN Configuration Next steps: NOTE • Assign the VLANs to LAN ports. For more information, see Assigning VLANs to LAN Ports. • Set up VLAN subnets. For more information, see Multiple VLAN Subnets. Assigning VLANs to LAN Ports To assign a VLAN to a LAN port, choose the mode and assign VLAN membership.
Networking VLAN Configuration untagged. Trunk mode is recommended if the port is connected to a VLAN-aware switch or router. If you choose this option, also configure the VLAN Membership in the lower half of the page. • PVID: If you chose Access or General mode, enter the Port VLAN ID to be used to forward or filter the untagged packets coming into the port.
Networking VLAN Configuration • DHCP Relay: Choose this option to allow the security appliance to use a DHCP Relay for this VLAN. If you choose this mode, also enter the IP address of the Relay Gateway. STEP 4 If you chose DHCP Server for the DHCP Mode, enter the following information: •...
Networking Routing make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection. You also can enable the IGMP proxy on the respective LAN. STEP 6 Click Apply to save your settings, or click Reset to revert to the saved settings. Routing If needed, you can change the routing mode, configure static routing, or configure...
Networking Routing STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. Static Routing To configure static routes, enter a route name and specify the IP address and related information for the destination. Also assign a priority, which determines the route that is chosen when there are multiple routes to the same destination.
Networking Routing • Interface: From the list, choose the physical network interface (Dedicated WAN, Optional WAN, DMZ or LAN), through which this route is accessible. • Gateway IP Address: Enter the IP address of the gateway router through which the destination host or network can be reached. •...
Networking Port Management • RIP Version: Choose one of the following options: Disabled: If RIP is disabled, this is selected. RIP-1 is a class-based routing version that does not include subnet information. This is the most commonly supported version. RIP-2 includes all the functionality of RIPv1 plus it supports subnet information.
Networking Port Management Configuring the Ports STEP 1 Click Networking on the menu bar, and then click Port Management > Port Management in the navigation tree. The Port Management page appears. STEP 2 Choose the following options for each port: •...
Networking Bandwidth Profiles STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. Bandwidth Profiles Bandwidth limiting determines the speed with which the data is sent from a host. You can define a bandwidth profile to limit the outbound traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link.
Networking Bandwidth Profiles STEP 2 In the Bandwidth Profiles Enable area, complete the following tasks: • Check the box to enable the bandwidth profiles, or uncheck the box to disable this feature. • Click Apply to save your settings, or click Reset to revert to the saved settings.
Networking Bandwidth Profiles Traffic Selectors After you create a bandwidth profile, you can associate it with a traffic flow. NOTE Before you can create traffic selectors, you must enable bandwidth profiles and create at least one bandwidth profile. For more information, see Creating Bandwidth Profiles. Click Networking on the menu bar, and then click Bandwidth Profiles >...
Networking Dynamic DNS Dynamic DNS Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. If your ISP has not provided you with a static IP, and your WAN connection is configured to use DHCP to get an IP address dynamically, then DDNS allows you to have a virtual static address for your website.
Networking Configuring IPv6 Addressing Configuring IPv6 Addressing Internet Protocol Version 6 (IPv6) is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits, resulting in an exponentially larger address space.
Networking Configuring IPv6 Addressing IP Routing Mode To get started with the IPv6 configuration, first enable IPv4/IPv6 mode. IPv4 and IPv6 addressing are supported. STEP 1 Click Networking on the menu bar, and then click IPv6 > Routing Mode in the navigation tree.
Networking Configuring IPv6 Addressing Configuring the IPv6 WAN Connection By default, when you enable IPv6 mode, your security appliance is configured to be a DHCPv6 client of the ISP, with stateless autoconfiguration. If your ISP assigned a static IPv6 address, or if you need to change the DHCP autoconfiguration mode, configure the settings on this page.
Networking Configuring IPv6 Addressing Next steps: NOTE To configure the LAN, click IPv6 > IPv6 LAN Config. For more information, see Configuring the IPv6 LAN. Configuring the IPv6 LAN In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode). The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN.
Networking Configuring IPv6 Addressing STEP 3 In the DHCPv6 area, enter the following information: • DHCP Status: If you do not want the security appliance to act as a DHCP server, click Disable DHCPv6 Server (the default setting). If you want the security appliance to act as a DHCP server that dynamically assigns IP addresses to all connected devices, click Enable DHCPv6 Server, and then complete all fields that are highlighted with white backgrounds.
Networking Configuring IPv6 Addressing Next steps: NOTE • Required for stateless autoconfiguration: If you chose stateless autoconfiguration mode, click IPv6 > Router Advertisement to configure the Router Advertisement Daemon (RADVD). For more information, see Router Advertisement Daemon (RADVD), page 104. •...
STEP 3 Enter the following information: • Start IPv6 Address: Enter the first address in the range of addresses for this pool. • End IPv6 Address: Enter the final address in the range of addresses for this pool.
STEP 3 Enter the following information: • IPv6 Address: Enter the IPv6 LAN Alias address to be added. • Prefix Length: Enter the prefix length of the IPv6 address. The IPv6 network (subnet) is identified by the prefix, which consists of the initial bits of the address.
• IPv6 Destination: Enter the IPv6 address of the destination host or network for this route. • IPv6 Prefix Length: Enter the number of prefix bits in the IPv6 address to define the subnet. • Interface: Choose the physical network interface for this route (Dedicated WAN, Optional WAN, DMZ or LAN), through which this route is accessible.
STEP 1 Click Networking on the menu bar, and then click IPv6 > Routing (RIPng) in the navigation tree. The Routing (RIPng) page appears. STEP 2 Check the Enable RIPNG box to enable RIPng. Uncheck the box to disable this protocol.
ISATAP Tunnels Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is used to transmit IPv6 packets between dual-stack nodes over an IPv4 network. The security appliance is one endpoint (a node) for the tunnel. To configure a tunnel, you must set a local endpoint as well as the ISATAP Subnet Prefix that defines the logical ISATAP subnet.
MLD Tunnels Multicast Listener Discovery (MLD) is an IPv6 protocol that discovers listeners for a specific multicast group. This protocol is similar to IGMP in IPv4. STEP 1 Click Networking on the menu bar, and then click IPv6 > MLD Tunnels in the navigation tree.
Router Advertisement Daemon (RADVD) If you configured the security appliance to use IPv4/IPv6 mode, you can configure the Router Advertisement Daemon (RADVD) on this device. The RADVD listens for router solicitations in the IPv6 LAN and responds with router advertisements as required.
• RA Flags: Choose one of the following options: Managed: Choose this option to use the administered/stateful protocol for address autoconfiguration. Other: Choose this option to allow the host to use the administered/stateful protocol for the autoconfiguration of other (i.e., non-address) information. •...
Page 106
After you click Add or Edit, the RADVD Prefixes page appears. STEP 3 Enter the following information: • IPv6 Prefix Type: Choose whether to select the prefix type as 6to4 or Global/Local/ISATAP. Also complete the fields that are highlighted with white backgrounds.
Networking 802.1p The security appliance provides QoS-based IEEE 802.1p class of service (CoS) values for implementing Quality of Service at the Media Access Control level. This QoS method specifies a priority value between 0 and 7 that can be used to differentiate traffic and give preference to higher-priority traffic, such as telephone calls.
STEP 3 Click Apply to save your settings, or click Reset to revert to the saved settings. DSCP Remarking DSCP is a field in an IP packet that enables different levels of service to be assigned to network traffic. Use the DSCP Remarking page to assign priorities for the eight different classes of services in 802.
Wireless Configuration for the SA 520W Use the Wireless pages to configure access points and the radio for the SA 520W. The router is configured with default settings for a simple wireless network. NOTE However, you must enable the access point before any wireless devices can connect.
Configuring an Access Point Step 1: Configuring the Wireless Profiles A wireless profile specifies the security settings. Optionally, you can configure advanced wireless settings, QoS settings, and MAC filtering. After you configure a wireless profile, you can assign it to any access point. Cisco strongly recommends WPA2 for wireless security.
Page 111
WPA (Wi-Fi Protected Access): WPA provides better security than WEP because it uses dynamic key encryption. This standard was implemented as an intermediate measure to replace WEP, pending final completion of the 802.11i standard for WPA2. WPA supports TKIP or TKIP+CCMP encryption (default is TKIP) and PSK/RADIUS authentication.
Page 112
• Encryption: Select the encryption type: 64 WEP or 128 WEP. The larger keys provide stronger encryption, making the key more difficult to crack (64 WEP has a 40-bit key, which is less secure than 128 WEP, which has a 104-bit key).
• For RADIUS authentication, configure the RADIUS settings. See Configuring RADIUS Server Records, page 213. Profile Advanced Configuration STEP 1 Click Wireless on the menu bar, and then click Profiles in the navigation tree. The Profiles page appears.
You can choose from four Class of Service queues to prioritize the data traffic over the wireless link: • Voice: Highest priority queue, minimum delay. Used typically to send time-sensitive data such as Voice over IP (VoIP).
Page 115
MAC Filtering provides additional security, but it also adds to the complexity and maintenance. Be sure to enter each MAC address correctly to ensure that the policy is applied as intended. Before performing this procedure, decide whether you want to enter a list of addresses that will be denied access or a list that will be allowed access.
STEP 5 At the top of the MAC Filtering page, set the ACL Policy Status. From the list, choose one of the following options: • Open: MAC filtering is not enabled. Any device can use this access point. •...
Page 117
• Active Time: Check this box to activate the access point only during specified hours of the day. Then enter the Start Time and Stop Time. Start Time: Enter the hour and minute when the active period begins. Choose AM or PM from the drop-down list.
Configuring the Radio Basic Radio Configuration The radio card is preconfigured with standard settings. Use this page to modify the settings, as needed. For example, you can set a manual channel for operation to resolve issues with interference from other access points in the area.
• Current Channel: This field displays the channel currently in use by the radio. • Channel: Select a channel from the list of channels or choose “auto” to let the system determine the best channel to use based on the environmental noise levels for the available channels.
Page 120
• Fragmentation Threshold: The fragmentation threshold is the frame length at which packets are broken up (fragmented) into two or more frames. Setting a lower value can reduce collisions, because collisions occur more often in the transmission of long frames, which occupy the channel for a longer time.
Firewall Configuration You can use the Firewall pages to configure firewall rules that control outbound and inbound traffic and to specify other settings that protect your network. • Configuring Firewall Rules to Control Inbound and Outbound Traffic, page 121 • Prioritizing Firewall Rules, page 132 •...
Configuring Firewall Rules to Control Inbound and Outbound Traffic • Port triggers This section includes these topics: • Preliminary Tasks for Firewall Rules, page 122 • Configuring the Default Outbound Policy, page 125 • Configuring a Firewall Rule for Outbound Traffic, page 126 •...
Page 123
—OR—From the Getting Started (Advanced) page, under Firewall and NAT Rules, click Configure Custom Services. The Custom Services page appears. Any existing custom services appear in the List of Available Custom Services table. To add a custom service, click Add.
Page 124
NOTE For more information about the time settings for your security appliance, see Configuring the Time Settings, page 207. STEP 1 Click Firewall on the menu bar, and then click Firewall > Schedules. —OR—From the Getting Started (Advanced) page, under Firewall and NAT Rules, click Configure Schedules (Optional).
Configuring IP Aliases for WAN Interfaces IP aliases are useful when you have additional public IP addresses provided by your ISP and you want to use these addresses to reach devices on your local network. Click Networking on the menu bar, and then click WAN >...
Configuring a Firewall Rule for Outbound Traffic This procedure explains how to configure a firewall rule for the following traffic flows: • From the LAN to the WAN • From the LAN to the DMZ •...
Page 127
The IPv4 Firewall Rules page includes the option to move a rule up, move a rule down, or move it to a specified location in the firewall rules list. For more information, see Prioritizing Firewall Rules, page 132.
Page 128
If you choose Address Range, enter the first address in the From field and enter the last address in the To field. • Log: You can choose whether or not to log the packets for this rule. Click Never if you do not want to log the packets, or click Always to log the packets.
Configuring a Firewall Rule for Inbound Traffic This procedure explains how to configure a firewall rule for the following traffic flows: • From the WAN to the LAN • From the WAN to the DMZ •...
Page 130
For IPv4 rules, you can view the list of available rules by zone. Choose the source and destination from the From Zone and To Zone drop-down menus and click Display Rules.
Page 131
NOTE For more information about schedules, see Creating Schedules for Firewall Rules, page 123. • Source Hosts: You can apply the rule to all users or you can specify users by entering an IP address or address range.
Prioritizing Firewall Rules Optional WAN: The public will connect to this service by using the IP address that is associated with the WAN interface on the Optional port. Other: The public will connect to this service by using another IP address that your ISP has provided to you.
Firewall Rule Configuration Examples STEP 4 In the List of Available Firewall Rules table, check the box next to the rule you want to reorder and select one of the following: • MoveUp: Moves the rule up one position. •...
Page 134
Allowing Inbound Traffic to a Web Server Using a Specified Public IP Address Situation: You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address. Your ISP has provided a static IP address that you want to expose to the public as your web server address.
Page 135
Parameter: Value. Action: ALLOW always. Source Hosts: Address Range, From 132.177.88.2 to 134.177.88.254. Send to Local Server (DNAT IP): 192.168.75.11 (internal IP address). Blocking Outbound Traffic By Schedule and IP Address Range Use Case: Block all weekend Internet usage if the request originates from a specified range of IP addresses.
Using Other Tools to Prevent Attacks, Restrict Access, and Control Inbound Traffic Blocking Outbound Traffic to an Offsite Mail Server The following rule blocks access to the SMTP service to prevent a user from sending email through an offsite mail server. Parameter Value From Zone...
Page 137
STEP 2 In the WAN Security Checks area, check the box for each feature that you want to enable: • Block Ping to WAN interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests.
• Echo Storm (ping pkts/sec): Enter the number of pings per second that will cause the security appliance to determine that an echo storm intrusion event is occurring.
Port Triggering Permit and block the rest: All addresses in the MAC Addresses table are permitted. All other addresses are blocked. Click Apply to save your settings, or click Reset to revert to the saved settings. STEP 3 To add a MAC address to the table, click Add. Other options: Click the Edit button to edit an entry.
NOTE Port triggering is not appropriate for servers on the LAN, since the LAN device must make an outgoing connection before an incoming port is opened. Configuring a Port Triggering Rule to Direct Traffic to Specified Ports Click Firewall on the menu bar, and then click Port Triggering >...
Viewing the Port Triggering Status The Port Triggering Status page provides information on the ports that have been opened as per the port triggering configuration rules. The ports are opened dynamically whenever the security appliance detects traffic that matches a port triggering rule.
Using Other Tools to Control Access to the Internet • TCP Session Timeout Duration (seconds): Inactive TCP sessions are removed from the session table after this duration. Most TCP sessions terminate normally when the RST or FIN flags are detected. This value can range between 0 and 4,294,967 seconds.
Configuring Content Filtering to Allow or Block Web Components The security appliance supports a content filtering option that you can use to block access to certain Internet sites. Up to 32 keywords can be specified for filtering.
Configuring Approved URLs to Allow Access to Websites Use this page to create a list of websites that your users are allowed to access. You can specify exact domain names or keywords. This page is available only if you enabled Content Filtering.
URL keyword: Choose this option to allow access to any URL that contains the keyword that you entered in the URL box. For example, if you entered yahoo, then your users can access websites such as www.yahoo.com, tw.yahoo.com, www.yahoo.com.uk, and www.yahoo.co.jp.
• Match Type: Specify the method for applying this rule: Web site: Choose this option to block access to the domain name exactly as shown. For example, if you enter www.yahoo.com for the URL, then your users are prevented from accessing www.yahoo.com, but they can access www.yahoo.com.uk or www.yahoo.co.jp.
• MAC Address: Enter the MAC address. • IP Address: Enter the IP address. • Log Dropped Packets: Choose Enable to keep a log of all packets that are dropped as a result of this security feature. Otherwise, choose Disable. NOTE After you enable the logging, you can view these logs by clicking Status on the menu bar, and then clicking View Log >...
Intrusion Prevention System The SA 500 Series uses an Intrusion Prevention System (IPS) to protect the security zones for a given set of categories. IPS monitors network traffic for malicious or unwanted behavior on the device and can react, in real-time, to block or prevent those activities.
Page 149
Configuring IPS STEP 1 Click IPS on the menu bar, and then click IPS Setup in the navigation tree. —OR—From the Getting Started (Advanced) page, under Intrusion Prevention System, click Update Signatures. The IPS Configuration page appears. •...
Configuring the IPS Policy You can configure the IPS Policy settings to protect the network against threats such as Denial-of-Service attacks, malware, and backdoor exploits. STEP 1 Click IPS on the menu bar, and then click IPS > IPS Policy in the navigation tree. —OR—From the Getting Started (Advanced) page, under Intrusion Prevention System, click Configure and Enable IPS Policies.
Configuring Peer-to-Peer Blocking and Instant Messaging • Detect and Prevent: Choose this option to check for and prevent attacks on this protocol. Upon detection, a message is logged and a preventative action is taken. For IPS messages to be logged, you must configure IPS as the facility. For more information, see Logs Facility, page 211. Click Apply to save your settings, or click Reset to revert to the saved settings.
Using Cisco ProtectLink Security Services The SA 500 Series supports Cisco ProtectLink security services. These services provide layers of protection against different security threats on your network. • Cisco ProtectLink Gateway is a hosted service that you can subscribe to. It integrates powerful anti-spam, anti-phishing, URL Content Filtering and WebThreat Protection to block standalone, blended-threat, and customer-specific attacks.
Configuring VPN You can use the VPN pages to configure Virtual Private Networks, allowing other sites and remote workers to access your network resources. • About VPN, page 153 • Configuring a Site-to-Site VPN Tunnel, page 154 • Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client, page 157 •...
Configuring a Site-to-Site VPN Tunnel The configuration utility includes a VPN Wizard that makes it easy for you to configure the VPN settings to allow other sites to connect to your network.
Page 155
STEP 2 In the About VPN Wizard area, choose Site-to-Site to create a site-to-site VPN tunnel from the security appliance to another VPN gateway. STEP 3 In the Connection Name and Remote IP Type area, enter the following information: •...
Page 156
STEP 5 In the Secure Connection Remote Accessibility area, enter the following information about the LAN at the remote site: • Remote LAN IP Address: Enter the IP address of the remote LAN. For the example illustrated in Figure 8, the remote site, Site B, has a LAN IP...
Configuring an IPSec VPN Tunnel for Remote Access with a VPN Client The VPN Wizard helps you to set up an IPSec VPN tunnel to allow workers to connect to your network from remote locations, using an IPSec VPN client.
Page 158
STEP 1 Click VPN on the menu bar, and then click IPSec > VPN Wizard in the navigation tree. —OR—From the Getting Started (Advanced) page, under IPsec VPN Remote Access, click VPN Wizard.
NOTE Next steps: • If you are using the Getting Started (Advanced) page, click Getting Started on the menu bar and then click Advanced in the navigation tree to return to the list of configuration tasks for IPsec Remote Access VPN.
Page 160
IPSec to provide user credentials. XAUTH can be used when additional client security is required with IPSec clients such as Greenbow. QuickVPN is a proprietary Cisco/Linksys client which uses user authentication, but the implementation is specific only to QuickVPN. This option should be selected when the clients use the QuickVPN Client.
Advanced Configuration of IPSec VPN STEP 4 Click Apply to save your settings, or click Reset to revert to the saved settings. STEP 5 Repeat as needed for each user that you need to add. NOTE Next steps: •...
Configuring the IKE Policies for IPSec VPN The Internet Key Exchange (IKE) protocol is a negotiation protocol that includes an encryption method to protect data and ensure privacy. It also includes an authentication method to verify the identity of devices that are trying to connect to your network.
Page 163
• Direction/Type: Choose one of the following options: Initiator: The security appliance initiates the connection to the remote end. Responder: The security appliance waits passively and responds to remote IKE requests. Both: The security appliance works in either Initiator or Responder mode. •...
Page 164
NOTE Typically, an IP address is used for site-to-site connections since the IP address or FQDN is well known. An IP address is required if you want to use Main Mode. For remote client connections, the User FQDN is never resolved but provides a means of identifying a client that can have a different IP address depending on the network that is used to make the connection.
Page 165
• Pre-shared key: Enter the alphanumeric key to be shared with the IKE peer. • Diffie-Hellman (DH) Group: Choose the Diffie-Hellman algorithm to use when exchanging keys. The DH Group sets the strength of the algorithm in bits.
NOTE Next steps: • To review or update the configured VPN policy, click IPSec > VPN Policies in the navigation tree. For more information, see Configuring the IPSec VPN Policies, page 166. • To review or update the configured IKE policy, click IPSec >...
Page 167
• List of back up Policies: This table lists all the policies that are configured as a backup policy. These policies are created when you create a new IKE policy and select the Enable Redundant Gateway option. The policy comes into effect only if the primary policy fails.
Page 168
• Enable RollOver: This option is applicable if you have two ISP links and if you have enabled Auto-Rollover (see Configuring Auto-Rollover, Load Balancing, and Failure Detection, page 65). In this case, you can check the Enable RollOver box to ensure that VPN traffic rolls over to the backup link whenever the primary link fails.
Page 169
AES-128: 16 characters AES-192: 24 characters AES-256: 32 characters AES-CCM: 16 characters • Integrity Algorithm: Choose the algorithm that is used to verify the integrity of the data. • Key-In: Enter the integrity key (for ESP with Integrity-mode) for the inbound policy.
Page 170
expires frequently if the downstream traffic is very high, but the lifebyte of the upload stream expires less frequently or only when it reaches its timeout period. When setting the lifetime in both seconds and kilobytes, you should reduce the difference in expiry frequencies of the SAs;...
Page 171
• Failback time to switch from back-up to primary: Enter the number of seconds that must pass to confirm that the primary tunnel has recovered from a failure. If the primary tunnel is up for the specified number of seconds, the security appliance will switch to the primary tunnel by disabling the backup tunnel.
Configuring SSL VPN for Browser-Based Remote Access SSL VPN is a flexible and secure way to extend network resources to virtually any remote user who has access to the Internet and a Web browser. A benefit is that you do not have to install and maintain VPN client software on the remote machines.
The security appliance supports multiple concurrent sessions to allow remote users to access the LAN over an encrypted link through a customizable user portal interface. You can specify the user privileges and you can control each user’s access to network resources.
Internet. Then, you could configure links to specific targets on the internal network that you want users of Clientless SSL VPN to be able to access. • Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a Clientless SSL VPN connection.
Scenario Step 1: Customizing the Portal Layout When a remote user wants to access your private network through an SSL tunnel, the user starts a web browser and enters a URL. The browser displays a login page with several features that you can configure: 1.
Page 176
STEP 2 To modify the default portal layout, click the pencil button in the Edit column. NOTE Other options: To add a portal layout, click Add. To delete a portal layout, check the box and then click Delete.
STEP 4 In the SSL VPN Portal Pages to Display area, check the box for each SSL VPN Portal page that users can access through this portal. NOTE Any page that is not selected will not be visible from the SSL VPN portal navigation menu.
Page 178
STEP 1 Click Administration on the menu bar, and then click Users > Users in the navigation tree. The User page appears. The default Administrator and Guest users appear in the List of Users table, along with any new users that you add.
Creating the SSL VPN Policies SSL VPN Policies give configured SSL users access to services and network resources. A policy applies to a specific network resource, IP address, or IP address range on the LAN, or to other SSL VPN services that are supported by the security appliance.
Page 180
• Available Users: If you chose User as the query type, choose the name from this list. • Click Display to run the query. STEP 3 To add an SSL VPN policy, click Add. Other options: Click the Edit button to edit an entry.
• Defined Resources: Choose the services for a particular policy. This option is available only for policies that are applied to a Network Resource. • Permission: Choose either Permit or Deny for this policy. Click Apply to save your settings, or click Reset to revert to the saved settings.
Configuring SSL VPN Port Forwarding Port Forwarding is used when you want to allow access only to a limited set of resources. For example, you may want the SSL VPN users to access the email service only.
Page 183
STEP 2 To add an application, click Add in the List of Configured Applications for Port Forwarding table. NOTE Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete.
STEP 2 To add a configured host name, click Add in the List of Configured Host Names for Port Forwarding table. NOTE Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete.
Page 185
The security appliance allows Full Tunnel and Split Tunnel support. • Full Tunnel Mode: The VPN Tunnel handles all traffic that is sent from the client. • Split Tunnel Mode: The VPN Tunnel handles only the traffic that is destined for the specified destination addresses in the configured client routes.
Page 186
NOTE Configure an IP address range that does not directly overlap with any addresses on your local network. For example, the default range is 192.168.251.1 to 192.168.251.254. Click Apply to save your settings, or click Reset to revert to the saved settings.
STEP 2 To add a configured client route, click Add. NOTE Other options: Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To select all entries, check the box in the first column of the table heading.
VeriSign™ Identity Protection configuration NOTE 1. The Change Password section is available only for users who belong to the local database. 2. The administrator can enable or disable certain features. 3. The user must ensure that Java, JavaScript, and ActiveX controls are enabled or allowed in the web browser settings.
• VIP Production: Choose this option if you have purchased VeriSign service. The service will use VIP production servers to authenticate your users. c. Click Apply to save your settings, or click Reset to revert to the saved settings. STEP 3 In the Upload Certificate area, complete the following tasks: a.
Page 190
STEP 3 Enter the following information: • Credential Id: Enter the 6-digit alphanumeric ID, which is typically found on the back of the physical token. Each credential identifier must be unique and must not be added if it is already present in the token configuration table.
Administration You can use the Administration pages to manage users, to perform maintenance operations such as firmware upgrade and configuration backup, and to configure logging and other features. • Users, page 191 • Maintenance, page 197 • Diagnostics, page 204 •...
Users Domains All SSL VPN users are members of a group, and all groups are members of an authentication domain. The domain must be configured before any groups and individual users can be assigned to it. STEP 1 Click Administration on the menu bar, and then click Users > Domains in the navigation tree.
Groups Groups are used to create a logical grouping of SSL VPN users that share the authentication domain, LAN and service access rules, and idle timeout settings. They are associated to authenticating domains. STEP 1 Click Administration on the menu bar, and then click Users > Groups in the navigation tree.
Adding or Editing User Settings The users are part of a group, which in turn is part of an authenticating domain. NOTE Before you configure users, configure the groups. See Groups, page 193. NOTE For security, a password should contain no dictionary words from any language, and should include a mixture of uppercase and lowercase letters, numbers, and symbols.
Administration Users • If you are updating a user’s settings, complete the following fields: Check to Edit Password: Check this box to enable the password fields. Enter Your Password: Enter your password, as a security check before you can change a password. New Password: Enter a password that contains alphanumeric, ‘—’...
Administration Users STEP 2 Proceed as needed, based on the type of policy: • User Login Policy: Click the first button in the Edit User Policies column. When the User Login Policies page appears, enter the following information: Disable Login: Check this box to disable the account, or uncheck this box to enable the account.
Administration Maintenance Maintenance You can use the Maintenance page to manage software licenses, upgrade the firmware, configure backup and restore operations, and maintain the USB device. Refer to the following topics: • Managing Licenses, page 197 • Upgrading Firmware and Working with Configuration Files, page 199 •...
Administration Maintenance NOTE You can download a 60-day Trial License for the IPS License. This license is not offered for SSL VPN. STEP 1 Click Administration on the menu bar, and then click License Management in the navigation tree. —OR— From the Getting Started (Advanced) page, under Intrusion Prevention System, click Install License.
Administration Maintenance Free Upgrade: Obtain a free license upgrade. This offer applies only to the SA 540. • Device Credentials: Read-Only. Displays the Unique Device Identifier (UDI) serial number of the device and the device credentials. STEP 2 To install the IPS license, select the feature and click Install. The Install License page appears.
Administration Maintenance NOTE IMPORTANT! During a restore operation or firmware upgrade, do NOT try to go online, turn off the device, shut down the PC, or interrupt the process in any way until the operation is complete. This process should take only two minutes or so including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to can corrupt the flash memory and render the router unusable without a low-level process of restoring the flash firmware...
Administration Maintenance • Check for New Firmware & Download: Check Periodically: Check this option to automatically check for firmware updates on a daily basis (every 24 hours). Enter your Cisco User Name and Password and click Apply to save your settings. If new firmware is available it is automatically downloaded to your device and you are prompted to install it.
Administration Maintenance Maintaining the USB Device You can use this page to perform the following maintenance tasks on the USB device: • Mount or unmount the USB device safely. • Upgrade the firmware for the security appliance. • Back up and restore the configuration settings for the USB device. NOTE IMPORTANT! Restoring a saved configuration will remove your current settings.
Administration Maintenance • Backup / Restore Settings / Software Upgrade To save a backup copy of current settings and digital certificates, click Backup. The file is saved as cisco.cfg. To restore the settings from a previously saved configuration file, click Restore.
Administration Diagnostics Diagnostics You can use the Diagnostics page to assess configuration of the security appliance and to monitor the overall network health. NOTE These features require an active WAN connection. STEP 1 Click Administration on the menu bar, and then click Diagnostics in the navigation tree.
Administration Measuring and Limiting Traffic with the Traffic Meter To capture all packets that pass through a selected interface, click Packet Trace. When the Capture Packets window appears, choose the interface: LAN, Dedicated WAN, or Optional WAN. Click Start to begin capturing packets.
Administration Measuring and Limiting Traffic with the Traffic Meter • Monthly Limit: Enter the volume limit in the Monthly Limit field that is applicable for this month. This limit will apply to the type of direction (Download Only or Both) selected above. •...
Administration Configuring the Time Settings • Incoming Traffic Volume: The volume of traffic, in Megabytes, that was downloaded through this interface. • Total Traffic Volume: The amount of traffic, in Megabytes, that passed through this interface in both directions. • Average per day: The average volume of traffic that passed through this interface.
Administration Configuring the Logging Options Configuring the Logging Options You can configure logs for various events that occur on your network. Refer to the following topics: • Local Logging Config, page 208 • IPv6 Logging, page 209 • Remote Logging, page 210 •...
Administration Configuring the Logging Options Source MAC Filter: If checked, logs packets matched due to source MAC filtering. Uncheck to disable source MAC filtering logs. Output Blocking Event Log: If checked, the device displays logs for packets blocked by the ProtectLink service. Bandwidth Limit: If checked, displays logs related to packets dropped due to Bandwidth Limiting.
Administration Configuring the Logging Options that your default outbound policy is “Allow Always” and you have enabled a firewall rule to block SSH traffic from the LAN to the WAN. The firewall rule also must allow logging. For more information, see Configuring Firewall Rules to Control Inbound and Outbound Traffic, page 121.
Administration Configuring the Logging Options STEP 4 In the Send E-mail logs by Schedule area, configure the following settings to receive e-mail logs according to a schedule: • Unit: Select the period of time that you need to send the log: Hourly, Daily, or Weekly.
Administration Managing Certificates for Authentication Notification (level 5): Normal but significant condition. Syslog definition is LOG_NOTICE. Information (level 6): Informational messages only. Syslog definition is LOG_INFO. Debugging (level 7): Debugging messages. Syslog definition is LOG_DEBUG. For example: If you select Critical, all messages listed under the Critical, Emergency, and Alert categories are logged.
Administration Configuring RADIUS Server Records certificate request to be sent as a text file. You can view details of the request and copy the contents as required by clicking the Details button. Follow the instructions of the CA to complete the certificate signing process. STEP 1 Click Administration on the menu bar, and then click Authentication in the navigation tree.
Administration Configuring RADIUS Server Records STEP 3 Enter the following information: • Authentication Server IP Address: Enter the IP address of the authenticating Radius Server. • Authentication Port: Enter the port number on the Radius server that is used to send the Radius traffic. •...
Network Management You can use the Network Management pages to configure remote management and other features: • RMON (Remote Management), page 215 • CDP, page 216 • SNMP, page 217 • UPnP, page 219 RMON (Remote Management) The primary means to configure this gateway is via the browser-independent GUI. The GUI can be accessed from a LAN node by using the gateway’s LAN IP address and HTTP, or from the WAN by using the gateway’s WAN IP address and HTTPS (HTTP over SSL).
Network Management STEP 1 Click Network Management on the menu bar, and then click RMON in the navigation tree. The RMON page appears. STEP 2 Enter the following information: • Enable Remote Management?: By default, Remote management is disabled. To enable WAN access to the configuration GUI, check the box. •...
Network Management SNMP STEP 1 Click Network Management on the menu bar, and then click CDP in the navigation tree. The CDP page appears. STEP 2 Enter the following information: • CDP: Choose one of the following options: Enable All: Enable CDP on all ports supported by the Device. Disable All: Disable CDP. Per Port: Configure CDP on selected ports, displayed in the port information table.
Network Management SNMP NOTE Click the Edit button to edit an entry. To delete an entry, check the box and then click Delete. To select all entries, check the box in the first column of the table heading. The SNMP Configuration page appears. STEP 3 Enter the following information: •...
Network Management UPnP UPnP UPnP (Universal Plug and Play) is a feature that allows for automatic discovery of devices that can communicate with this security appliance. The UPnP Portmap Table displays the IP addresses and other settings of the UPnP devices that have accessed the security appliance.
Troubleshooting Internet Connection Symptom: You cannot access the Configuration Utility from a PC on your LAN. Recommended action: STEP 1 Check the Ethernet connection between the PC and the security appliance. STEP 2 Ensure that the IP address of your PC is on the same subnet as the security appliance.
Troubleshooting Internet Connection STEP 6 Ensure that you are using the correct login information. The factory default login name is cisco and the password is cisco. Ensure that CAPS LOCK is off when entering this information. Symptom: The security appliance does not save my configuration changes. Recommended action: STEP 1 When entering configuration settings, click Apply before moving to another menu...
Troubleshooting Internet Connection STEP 4 When the modem LEDs indicate that it has resynchronized with the ISP, reapply power to the security appliance. If the security appliance still cannot obtain an ISP address, see the next symptom. Symptom: The security appliance still cannot obtain an IP address from the ISP. Recommended action: Click Networking in the menu bar, and then click WAN >...
Troubleshooting Date and Time Date and Time Symptom: Date shown is January 1, 2000. Possible cause: The security appliance has not yet successfully reached a network time server (NTS). Recommended action: STEP 1 If you have just configured the security appliance, wait at least 5 minutes, click Administration on the menu bar, and then click Time Zone in the navigation tree.
Troubleshooting Pinging to Test LAN Connectivity Pinging to Test LAN Connectivity Most TCP/IP terminal devices and firewalls contain a ping utility that sends an ICMP echo-request packet to the designated device. The device responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your PC or workstation.
Troubleshooting Pinging to Test LAN Connectivity Testing the LAN path from your PC to a remote device STEP 1 On your PC, click the Windows Start button, and then click Run. STEP 2 Type ping -n 10 <IP_address> where -n 10 specifies a maximum of 10 tries and <IP address>...
Troubleshooting Restoring Factory-Default Configuration Settings Restoring Factory-Default Configuration Settings To restore factory-default configuration settings, take one of the following actions: • Launch the Configuration Utility and log in. Click Administration on the menu bar, and then click Firmware & Configuration > Network in the navigation tree.
Standard Services The security appliance is configured with the following list of standard services that are available for port forwarding and firewall configuration. If you want to configure a port forwarding rule or a firewall rule for a service that is not on this list, you can create a custom service for that purpose.
Technical Specifications and Environmental Requirements Feature: Physical Interfaces • SA 520: 4 X RJ-45 connectors for LAN port (10BASE-T, 100BASE-TX, 1000BASE-T); 1 X RJ-45 connector for... • SA 520W: 4 X RJ-45 connectors for LAN port (10BASE-T, 100BASE-TX, 1000BASE-T); 1 X RJ-45 connector for... • SA 540: 8 X RJ-45 connectors for...
Technical Specifications and Environmental Requirements (SA 520, SA 520W, SA 540) • Output Current: MAX 2.5A (same for all three models) Physical Specifications • Form Factor: 1 RU, 19-in. rack-mountable (same for all three models) • Dimensions: 1-3/4 x 12-1/8 x 7-... (same for all three models)
Factory Default Settings General Settings (Feature: Setting) • Host Name: Model number • Device Name: Model number • Administrator Username: cisco • Administrator Password: cisco • Allow ICMP echo replies (good for validating connectivity): disable • Date and Time - Automatic Time Update: enable • Date and Time - Daylight Savings Time: enable • Date and Time - Protocol...
Factory Default Settings General Settings (Feature: Setting) • SNMP Agent: disable • SNMP Version: SNMP V1 & V2c, SNMP V3 • SNMP Read-Only Community String: public • SNMP Read-Write Community String: private • SNMP Traps: disable • System Logging - Notify Level: Informational • System Logging: disable • System Logging - Log UnAuthorized Login Attempts: enable...
Factory Default Settings Storage (Feature: Setting) • MAC Authentication Default Action: Permit • Load Balancing Mode: disabled • 802.1d Spanning tree mode on wired / WDS link: disabled • Country or Band code for Radio: Depends on SKU such as FCC, ETSI etc. • Channel Bandwidth: 40 MHz • Maximum associations supported...
Factory Default Settings Storage (Feature: Setting) • VLAN - Data, IP Address (Failover when no DHCP Server Available): See Product Tab • VLAN - Data, Subnet Mask (Failover when no DHCP Server Available): 255.255.255.0 • Windows workgroup name: WORKGROUP • HTTP Access Administration HTTP File Access 8080 FTP File Access HTTPS Administration Access...
Where to Go From Here Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the SA 500 Series Security Appliances. Product Resources (Resource: Location) • Administration Guide: www.cisco.com/en/US/products/ps9932/tsd_products_support_series_home.html • Customer Support: www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html • SA 500 Series: www.cisco.com/go/sa500help...